Azure Front Door (Global) -> Application Gateways (regional load balancer) / API Management (APIM)
Azure Virtual Network (VNet) -> Subnet -> keep all private.
- For external (internet) access:
- use a NAT Gateway
- Azure Load Balancer (with a public IP configuration)
- assign a public IP configuration directly to the resource
- use Azure Firewall / NVA (Network Virtual Appliance) with a public IP
- Connect VNets in the same or different regions with VNet peering. Peering is not transitive.
- can also peer just subnets
- Private Endpoint - gives the subnet a private address for a PaaS service (e.g. Storage) so the subnet can see and talk to it
- Private Link - disable the public address of the PaaS service and reach it only via the private link
To call a downstream API from a middle-tier API, the following configuration is required in Azure AD (Entra ID):
In the middle-tier API: API permissions -> Configured permissions -> Add a permission -> APIs my organization uses -> provide the Client ID of the downstream API -> select the scope/permission, e.g. */access_as_user -> Add permission
In the downstream API: Expose an API -> Authorized client applications -> Add a client application -> provide the Client ID of the middle-tier API with the allowed scope, e.g. */access_as_user
Note: this configuration may resolve the following exception: MsalUiRequiredException: AADSTS65001: The user or administrator has not consented to use the application with ID '' named ''. Send an interactive authorization request for this user and resource. Trace ID: Correlation ID: Timestamp: The returned error contains a claims challenge. For additional info on how to handle claims related to multifactor authentication, Conditional Access, and incremental consent, see https://aka.ms/msal-conditional-access-claims. If you are using the On-Behalf-Of flow, see https://aka.ms/msal-conditional-access-claims-obo for details.
You create a trust relationship between an external identity provider (IdP) and an app in Microsoft Entra ID by configuring a federated identity credential.
The user-assigned managed identity or app registration in Microsoft Entra ID becomes an identity for software workloads running, for example, in on-premises Kubernetes or GitHub Actions workflows. Once that trust relationship is created, your external software workload exchanges trusted tokens from the external IdP for access tokens from the Microsoft identity platform.
Your software workload uses that access token to access the Microsoft Entra protected resources to which the workload has been granted access. This eliminates the maintenance burden of manually managing credentials and removes the risk of leaking secrets or having certificates expire.
The federated identity credential creates a trust relationship between a user-assigned managed identity and an external identity provider (IdP).
The combination of issuer and subject must be unique on the app.
- issuer: the Microsoft Entra tenant's authority URL, in the form https://login.microsoftonline.com/{tenant}/v2.0
- subject: the GUID of the managed identity's Object ID (Principal ID) assigned to the Azure workload
- audience: the list of audiences that can appear in the external token (required)
MISE: MISE stands for Microsoft.Identity.ServiceEssentials, a Microsoft-internal NuGet package provided by the AAD team for token validation and acquisition; we will use it to replace our custom token-validation code.
Microsoft Identity Service Essentials [Microsoft.Identity.ServiceEssentials.AspNetCore] [existing: Microsoft.Identity.Web]
-> S2S for internal Microsoft services
-> not for user auth; use MSAL for that
Known issues: -> MISE SDK dependencies can break existing apps because .NET 8 packages get pulled into .NET 6 apps -> MSAL is still needed for on-behalf-of flows for users, or for getting tokens via federation with a managed identity
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "TenantId": "<tenant_id>",
  "ClientId": "<client_id>",
  "Audience": "api://<client_id>"
}
Ans: return Content(resData, response.Content.Headers.ContentType?.ToString() ?? "application/json");
(relays the downstream response body with its original content type, falling back to application/json when the downstream response has none)
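The middle-tier flow from the steps above, including the response relay from the answer, as an added example that is not part of these notes. It assumes .NET 8 (primary constructors, implicit usings), Microsoft.Identity.Web registered in Program.cs with AddMicrosoftIdentityWebApi(...).EnableTokenAcquisitionToCallDownstreamApi().AddInMemoryTokenCaches() plus AddHttpClient(), "<downstream_client_id>" as a placeholder for the downstream API's client ID, the scope "access_as_user" on both apps, and a hypothetical downstream URL.

```csharp
// Added example (not from the original notes). Assumes Microsoft.Identity.Web registered in
// Program.cs via AddMicrosoftIdentityWebApi(...).EnableTokenAcquisitionToCallDownstreamApi()
// .AddInMemoryTokenCaches() and AddHttpClient(), .NET 8 implicit usings, a placeholder
// downstream client ID, scope "access_as_user" on both apps, and a hypothetical downstream URL.
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class ProxyController(ITokenAcquisition tokenAcquisition, IHttpClientFactory httpClientFactory)
    : ControllerBase
{
    // The permission added under "API permissions" in the middle-tier app registration.
    private static readonly string[] DownstreamScopes =
        { "api://<downstream_client_id>/access_as_user" };

    [HttpGet("data")]
    [RequiredScope("access_as_user")] // the caller's token for THIS api must carry the scope
    public async Task<IActionResult> GetData()
    {
        string downstreamToken;
        try
        {
            // OBO: exchange the incoming user token for one scoped to the downstream API.
            downstreamToken = await tokenAcquisition.GetAccessTokenForUserAsync(DownstreamScopes);
        }
        catch (MsalUiRequiredException ex)
        {
            // AADSTS65001 lands here when consent or client pre-authorization is missing;
            // return the claims challenge to the caller instead of failing silently.
            return Unauthorized(new { error = ex.ErrorCode, claims = ex.Claims });
        }
        var client = httpClientFactory.CreateClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", downstreamToken);
        using var response = await client.GetAsync("https://downstream.example/api/data");

        // Relay the downstream status and content type rather than assuming JSON.
        var result = Content(await response.Content.ReadAsStringAsync(),
            response.Content.Headers.ContentType?.ToString() ?? "application/json");
        result.StatusCode = (int)response.StatusCode;
        return result;
    }
}
```

If the catch block fires with AADSTS65001, check the two app registrations against the configuration steps above before touching code.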
In such conditions the Azure app is stopped by an unhandled exception that is never logged, because the app itself is no longer running. To troubleshoot, run the app as a console app in Azure, which prints any unhandled exception to the console log.
Production is the default value if DOTNET_ENVIRONMENT and ASPNETCORE_ENVIRONMENT have not been set, so apps deployed to Azure run as Production by default. In Production, values in appsettings.Production.json override those in appsettings.json (for example, when the app is deployed to Azure). To set the environment in an Azure App Service: go to Settings -> Environment variables, enter ASPNETCORE_ENVIRONMENT as the Name and the environment (for example, Staging) as the Value.
For an M365 agent / Copilot: data engineering and filtering can be done via a Synapse pipeline, e.g. process data from the main database and transform it for the AI to query.