How to Upgrade SQL Azure Database to V12

Posted on February 1, 2015 by Thuru

Before upgrading we should check the the current SQL Azure version. Connect to your SQL Azure server and execute the following command to get the version and other information.

I got the below results

Note the version shows 11.0.9229.2, considering the major version number (in this case 11) we know that this SQL Azure Server is V11.

In order to get the full upgrade information see this web site, and the article describes the relation between exact version number and V terminology. (portion of the article below)

A.1 Version clarification

This document concerns the upgrade of Microsoft Azure SQL Database from version V11 to V12. More formally the version numbers are close to the following two values, as reported by the T-SQL statement SELECT @@version; :

11.0.9228.18 (V11)
12.0.2000.8 (or a bit higher, V12)

Upgrading

You can upgrade the SQL Azure server to V12 (meaning the version 12.0.2000.8 or higher) from the new Azure Portal. (http://portal.azure.com)

View this article for the step by step upgrading for the process with screenshots

Azure Account Management

Posted on January 30, 2015 by Thuru

This post explains about how an Azure account is managed, what are the different administrative roles , what they do in managing Azure subscriptions, and how Azure Active Directory (AAD) is connected in managing Azure accounts and subscriptions.

An Azure account is simply a container for managing subscriptions. All the services we use in Azure are contained in a subscription. One Azure account can have multiple subscriptions. Consider the below scenario to understand the concept.

I have marked few important rules, which I consider the rule of thumbs to remember in Azure account administration.

Azure Account

There are several ways that you can get access to Azure, you can start a free trial, you might get Azure credits from any of the enterprise licenses your company has with Microsoft or through any other non-documented or unclarified methods.

But let’s begin the story in a more simpler and practical way. Assume Bob wants to learn Azure and wanted to buy an Azure account. Bob entered his credit card detail and activated the Azure account, during this registration process Bob entered his personal email address bob@outlook.com.

Bob got an Azure Account.
Bob created a subscription in order to access Azure services since Azure account is a container for the subscriptions.
Bob named this subscription Dev Subscription.
One Azure account can have multiple subscriptions and each subscription can have different payment options as well.
Since Bob owns the Azure Account he becomes the Service Administrator for the Dev Subscription and also he is the Account Administrator.
Later Bob created another subscription for testing and he named it Test Subscription.
Bob is the Service Administrator for both subscriptions.
Then Bob added Kevin as a Co Administrator in the Dev Subscription using Kevin’s email address kevin@outlook.com.

After the above steps, this is the logical structure of the Bob’s Azure account.

Account Administrator: Account Administrator is the person who owns the Azure account, he is the only person who can manage subscriptions (create, edit, change payment plans).

Service Administrator: Service Administrator has full privileges inside the subscription. One subscription can have only one service admin. He has full rights in managing all the resources and services inside the subscription including adding / removing Co Administrators.

Co Administrator: Co Administrators have full rights in managing resources and services inside a subscription, except they cannot manage users, meaning they cannot manage other Co admins or Service admins.

Read this link for detailed information about the above administrator roles.

Rule #1

In order to login to Azure, a user should be either a Service Administrator or a Co Administrator of the subscription.

As you see Kevin is a Co Admin in the Dev Subscription and he has full rights in managing the resources in the Dev Subscription. But he doesn’t see the Test Subscription. Kevin can be an Account Administrator / Service Administrator of some other Azure Account with the same email address. In that case when he logs into the Azure Portal he will see all the subscriptions in the drop down. He can select the subscription he wants to work with. Any programmatic operation requires the subscription Id.

Azure Active Directory and Azure Account Management

Azure Active Directory (AAD) plays a major role in the Azure account management. Even in the scenario explained above, it has a big part though the process is totally transparent. This is where I put the second rule in.

Rule #2

In order to authenticate to Azure you need Azure Active Directory authentication, in the other terms Azure only trusts the Azure Active Directory authentications.

In the above example Bob and Kevin has no knowledge about AAD, they simply added their personal Microsoft email addresses and everything works.

Bob or Kevin logs into Azure portal using their personal Microsoft email addresses (bob@outlook.com / kevin@outlook.com). Technically they use the Microsoft email authentication to access Azure. This is a huge contradiction to the rule #2.

Answer is very simple, in order to make sure the customer experience smooth and non-cumbersome Microsoft has taken efforts that Azure Active Directory trusts the Microsoft consumer authentication tokens.

So when Bob / Kevin is authenticated via their consumer authentication credentials, the token is passed to the AAD, which trusts the consumer identity token and authenticates them to the Azure portal.

Azure automatically adds Service administrators and Co Administrators to the Azure Active Directory associated with the subscription.

Consider the below cases for the detailed clarification.

Service Administrator is a member and the Global Administrator of AAD

There’s a Service Administrator and he’s a member of AAD as well. The first image shows the Administrators section of the settings page and the second image shows the AAD users section. Azure has added the Service Administrator automatically in the AAD as a user, typically with the Global Administrator permission for the AAD.

Co Administrators are automatically added to the AAD with user roles

Now I want to add a Co Administrator to this subscription. When you click the Add button in the portal you will get a window with this message on top.

As you see the message is very clear. It is the combination of rule #1 and 2.

When you add a user with Microsoft account and add him / her as Co Administrator he / she will automatically be added to the AAD users. The first image shows the Administrators sections of the settings page and the second image shows the AAD users section.

AAD can have the following sources.

Microsoft Account
Azure Active Directory Account
Local Active Directory Account – when a local AD is synced with AAD

We were unable to find any subscriptions associated with your account.

The above is a very common message people get with the image below.

The reason is when you add a Co Administrator the user is added to the AAD, but when you remove a Co Administrator the user in the AAD remains undeleted. Because the user might have some other apps he/she has been accessing using AAD credentials.

In this case if the user tries to access the Azure portal they will get this message. Because here the rule #2 is true but rule #1 is false.

Azure Account Management Best Practices

It is highly recommended not to use Microsoft consumer identities especially the root accounts to access the Azure portal for the day to day tasks. In our case study bob@outlook.com is the root account. Always create a AAD users with specific roles and use them for development purposes.

Connecting to Ubuntu VM on Azure using Remote Desktop Connection

Posted on January 8, 2015 by Thuru

In order to connect to your Ubuntu VM from a Windows first we have to enable the XRDP in the Ubuntu in order enable the Remote Desktop Connection.

So to enable XRDP we should connect to the server, PUTTY is a the commonly used client for SSH. (SSH is enabled by default in the Ubuntu VM on Azure). Download PUTTY from here and follow the steps in this article to connect to the Ubuntu server.

Once connected with username (azureuser) and password execute the following shell command to enable XRDP on the server

sudo apt-get install xrdp

After executing the command go to Microsoft Azure management portal and Add the Remote Desktop Connection endpoint for the server. Once you’ve added this endpoint you can see the connect icon is back to live (earlier it was grayed out) click on the connect icon and download the RDP file for the Remote Desktop Connection.

Now you can connect to your Ubuntu VM from Windows.

Note still your Ubuntu environment has the shell, if you want to enable the interactive desktop execute the following commands in the connection you made.

First I executed this.

sudo apt-get install ubuntu-desktop

But things there was message saying to run the update, so I executed the update with this command and executed the install command again, everything was fine and smooth.

sudo apt-get update

Close the connection and connect again, (logoff and reconnect) you will be welcomed with the Ubuntu desktop experience.

For this demonstration I used Ubuntu Server 12.04 LTS

Microsoft Azure API Management Policies

Posted on December 9, 2014 by Thuru

This is the second post of the Microsoft Azure API Management tutorial. See the first post – Introduction to Microsoft Azure API Management. This post describes about the advance

Policies define the rules for the incoming and outgoing API requests. See this link for the full API Management Policy Reference. Different policies are applied at different levels of the API Management. In order to define a policy go to Policies tab, select a Product or a API or an Operation based on what the policy could be applied, then drag and drop the policy template and fill the parameters. (I think Microsoft Azure will come with a good UI for doing this in the near future).

For example I’ve explained how to create a policy to limit the number of calls to the API. I have the same API I explained in the previous post – Introduction to Microsoft Azure API Management. Go to Policies tab select the Product and in the right hand side you will the list of policies. Since you we haven’t configured any policies yet the work area will ask you to create a policy for the API. Click ‘Add Policy File’. Then click on the <inbound> section of the XML. The position of the cursor is important based on which policy you want to add; in this sample we’re adding a call limiting policy then its obvious we should add in in the inbound section of the XML if you keep the cursor in other areas and try to add the call limiting policy the interface will react numb. Unfortunately if won’t tell you what’s wrong but simply you cannot add the policies. API Management Policy Reference will guide you get the knowledge about the usage of the policies.

Call Rate Limiting Policy

Once the policy is added you can see the policy template and it’s a matter of filling the blanks. Notice that this policy is applied in the Product level in the configuration, but it provides the granularity to control the calls to Operations level in the XML. I have added few inputs and the final policy looks like the following.

The XML template is self descriptive. Here I have mentioned that only 10 calls could be made in 60 seconds from one subscriber (from one subscription key). And in that 10 calls Nebula Customers API would handle 6 and again even those 6 calls are equally divided to 2 Operations. After editing the template we save the configuration. Then let’s check that in the Developer Portal.

See the response when I try to make the 4th call to the operation it says me to wait for some time. I personally prefer this error message because it’s very helpful and developers can easily hook up any automatic retry call with an accurate timer event rather than randomly polling the service.

Content Serialization

Now let’s check another policy; notice that the API Management outputs the content in JSON as it is the default content format of our backend service. Suppose if I need the format in the XML I can use the ‘Convert JSON to XML’ policy. Make additional note here that this policy could be applied at API or Operations scopes. So we should select the API and create a new policy configuration.

Since I have applied this policy at the API level all the Operations in the API will return XML. Let’s check that by invoking the same Operation we invoked in the previous scenario and we get the response in XML as expected.

There are plenty of Policies available as templates including CORS access, IP restriction and others. Try different policies to get know them better in the implementation. I think soon Microsoft Azure team will come up with a new user interface for the Policy management.

Introduction to Microsoft Azure API Management – Step by Step tutorial

Posted on November 24, 2014 by Thuru

Introduction to API Management

Microsoft acquired a company named Apiphany last year (read about the acquisition) and jumped to the API Management market. So what is API Management ? Given below is the definition what Google gives for the question; indeed it’s a fairly well descriptive definition.

Microsoft Azure API Management is backed by the compute and the storage of Microsoft Azure. Rest of the post explains how to get started with the API Management.

Getting Started with Microsoft Azure API Management

Login to the Microsoft Azure portal, go to API Management and create a API Management service. In the first screen of the wizard you have to specify the URL, select the subscription (if you have more than one) and the region.

In the next screen you enter your organization name and the administration email. (you can simply enter your personal email here it doesn’t need to be the one with your organization domain specific one. I used my hotmail id).

In this screen you can select for the advance settings, which opens the third wizard panel. There you can select the tier. There are two tiers available; Developer and Standard. Default selection is Developer tier.

See the difference between the tiers : http://azure.microsoft.com/en-us/pricing/details/api-management/

Now the API Management service has been provisioned.

Creating APIs

Click on the arrow icon and get inside the service, then click on the Management Console. By default when you create a Azure API Management service it creates a sample API known as Echo API and sample Product. I deleted all the auto generated default APIs and Products and this article walk you through from the scratch.

API Management requires a back end service, which is our real web service we want to expose via API Management to developers. I created a simple REST service using Web API and hosted it in the Azure Websites. The URL http: //nebulacustomers.azurewebsites.net/

With those information we can now start using Azure API Management. First we have to create a API. In the management console click on APIs and create one.

Enter the name of the API and the web service URL. Web API URL suffix is a URL suffix which is to group and categorize the service endpoint as you create many APIs. It is optional but good to have because that will make your life easier as your number of APIs grows. By default HTTPS is selected.

Adding Operations

Technically speaking operations are trigger points of the web service in the API Management. Click on the API we created (Nebula Customers) and select the Operations tab and click on ADD Operation.

Here we can create operations and point them to our backend web service. Many operations can point to a single endpoint in our backend service. In my backend service I have only two endpoints.

http: //nebulacustomers.azurewebsites.net/api/customers – List of customers

http: //nebulacustomers.azurewebsites.net/api/customers?name=<name> – Gets the specified customer object.

We create 3 operations, two of them will point to the first endpoint and the last one will point to the endpoint with the name parameter.

Create three operations as follows.

Operation to list the customers

HTTP Verb – GET
URL Template – /customers
Rewrite URL Template – /api/customers
Display Name – List of customers

Operation for the cached customers

HTTP Verb – GET
URL Template – /cachedcustomers
Rewrite URL Template – /api/customers
Display Name – List of customers
And go to Cache tab and check the Enable.

Note that above 2 operations are pointing to the same endpoint in our backend service as the rewrite the URL templates are same. Here caching is done by the API Management and our backend service isn’t aware of it.

Third operation to get the customer with the specified name.

HTTP Verb – GET
URL Template – /customers/{name}
Rewrite URL Template – /api/customers?name={name}
Display Name – Get the customer by name

After adding all three operations you will have a similar screen like this.

Creating Products

Now we have our API and operations, in order to expose the API to developers as packed module we should create a Product and associate the API to it. One Product can have many APIs. Developers who subscribe to a Product get access to the APIs associated with the Product.

Go to Product tab and create new Product.

In this screen check the “Require subscription approval” if you need to get email requests for approving the subscription requests. You have to configure this email address in the notification section. Second checkbox “Allow multiple simultaneous subscriptions” allows the developers to create more than one subscription for the product. Each subscription is identified by a unique key and in this option you also can specify the maximum number of simultaneous subscriptions.

After creating the Product click to open that and associate the APIs to the Product. Click in ADD API to Product.

Go to Visibility tab in the product section and check Developers. Developers need to authenticated themselves in the Developer Portal, subscribe to Products and obtain subscription keys in order to use the API. Guests are unauthenticated users who allowed to view the APIs and operations but not to call them. Administrators are the people who create and manage APIs, Operations and Products.

After enabling the visibility to developers Publish the product in order to make it available in the Developer Portal.

Developer Portal

Now the API is built and published, now it’s the developers work to deal with the Developer Portal and subscribe to the product. Click on the Developer Portal link in on the right hand top corner. When you’re working as the administrator and click on the Developer portal you are logged into the Developer portal as administrator.

The above is the default view of the Developer Portal. You can do branding on the portal if required.

Go to Products and you can see the Product we created and as an administrator you’re already subscribed to this Product. So click on the APIS tab click on the specific API.

Click in the List of Customers operation and click on the Open Console in order to check test the service.

Click on th HTTP GET and invoke the service. The above URL is the full URL with the subscription key. Response comes in JSON (as this is the default of my backend service).

Now invoke the List of cached customers and check the response time.

First call it took 402ms.

Second call took only 15ms.

Similarly invoke the Get customer by name specifying a parameter. The coolest part of the Developer Portal is that it’s really helpful for the developers to test the endpoints and also it generates the code in may languages on how to consume those endpoints. Below is the code generated in Objective C for consuming the customer name endpoint.

Conclusion for the Introduction

Now our API Management service is working perfectly. We can control the input and output of the service in more granular ways using policies. We can configure notifications, customize email templates, security, assigning different identity management of developers and much more. These things I will cover in the API Management Advanced tutorial on another blog post.

If you want to try the exact demo I’ve explained here you need the exact backend service. You can download it here. (requires Visual Studio 2013)

How to programmatically create Azure Storage account – .NET SDK

Posted on October 6, 2014 by Thuru

Azure provides Management APIs to manage Azure subscriptions programmatically. Management APIs are available in many languages including PowerShell cmdlets and Java SDK.

In order to create a acting agent to manage the Azure (our application code is an agent) we do have to authenticate to Azure using a certificate or Azure Active Directory. Refer to this article on how to create a certificate authentication with Azure. This article describes how to create a certificate, associate it with the Azure subscription and how to programmatically retrieve the X.509 certificate from the local machine.

The below code shows the continuation on how to create Azure Storage programmatically. In order to do this add the references of Azure Management Libraries to your project.

Now we have the right references in place, now we have to create the certificate cloud credentials in order to invoke the Azure Management Client classes. We need two parameters to create the certificate cloud credentials.

Azure Subscription ID
Azure Authentication certificate (steps to obtain this are described in this link)

So based on the above article we have established the trust between Azure and our agent. And we have the certificate in .NET. Let’s assume our certificate variable is “certificate”.

Now create the CertificateCloudCredentials object using the subscription ID and X.509 certificate.

   1: string subscriptionId = "your id";
   2: CertificateCloudCredentials credentials = new CertificateCloudCredentials(subscriptionId,certificate);

Now we can create the storage account using the blow code.

private static void CreateStorageAccount()
{
    var storageClient = CloudContext.Clients.CreateStorageManagementClient(credentials);
    
    var response = storageClient.StorageAccounts.Create(new StorageAccountCreateParameters()
    {
        Location = LocationNames.EastAsia,
        Name = "storage name",
        Description = "storage from code"
    });
  
    Console.WriteLine(response.StatusCode);
}

Here the Create method is a blocking method, but Azure Management Libraries offer async methods as well as CreateAsync. So we can use them with Task<await>. Learn more about asynchronous programming here.

Configuring Azure CDN (Content Delivery Network)

Posted on October 2, 2014 by Thuru

Azure provides CDN. You can link websites, cloud services, mobile services, media services and storage accounts. Most of the cases we link the storage accounts to CDN. Because CDN is a very good choice for static content and in Azure mostly we keep the static content in the storage accounts (blobs).

CDN provides a greater network among different geographical network and place the content in the “Edge Servers” as they’re physically close to the users’ location. Azure Cache is a different service it offers in memory cache for high speed availability, it is relatively expensive compared to CDN. See this article on how to create Azure Cache.

Creating a CDN in Azure is fairly straight forward. Login to the Management Portal and Select the CDN and create new endpoint. You have the Quick Create option. You get the below screen. In the origin domain you can see your available services that could be linked as CDN endpoints under each category. Here I select my storage account as origin domain. You can notice that automatically the storage account’s blob storage service is linked with the CDN as it holds the static content. Neither the Table storage nor the Queue storage is linked as CDN.

I created a public container in the above blob storage and uploaded a simple text file. The public URI for the resource goes as http://qbemediasvc.blob.core.windows.net/publiccontainer/dfdf.txt

Out CDN endpoint URL goes as http://az673726.vo.msecnd.net/

In order to check the content is in CDN we can simply append the last part of the blob URI to the CDN endpoint URL and we get the CDN URL as this. http://az673726.vo.msecnd.net/publiccontainer/dfdf.txt

When you put a content in the storage it will take up to 60 minutes for that content to propagate to CDN and once the propagation is done you can access the CDN rather than the direct URL of the content.

How to create a certificate authentication with Azure Management Service

Posted on September 26, 2014 by Thuru

In order to carry out any management tasks in Azure using an agent (Visual Studio or any custom code), it should authenticate itself with Azure. Requests to the Azure Management API should be authenticated using on of the following methods.

Active Directory
Certificate Authentication

This article covers the certificate authentication. Azure Management Service (AMS) APIs require a X.509 certificate for the authentication. For the development purpose we can create a sample certificate in our machine using the following command line. Make sure you open the Visual Studio command line in administrator mode to execute this.

makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"

This creates the certificate in the local machine under the Personal Certificates since I have specified “My”as location.

Open the Certificate Manager in your local machine (enter certmgr.msc in the Run). You can check for your new certificate.

We should upload this certificate to Azure to establish the trust and each and every API request should contain the certificate. Certificates are saved in Azure under subscriptions thus they are used to manage the subscription owner actions. Each subscription can contain up to 100 certificates as of this writing.

Export the certificate from certificate store, as a .cer file. Follow the screen shots below.

Once you have exported the certificate, next step is to upload it to the Azure subscription. Login to the Azure select the correct directory if you more than one under your login and select the correct subscription to which you need to upload the certificate. Then go Settings and go to Management Certificates tab, there you can upload your certificate.

After uploading the certificate you can view it in grid like this.

To summarize what we’ve done up to now,

We need establish a trust between Azure and the subscription agent via certificate authentication.
Subscription agent is the party / tool which programmatically carries our the tasks of a subscription owner.
First we generated a local certificate using certmgr.msc
We exported the certificate and put it in the Azure management certification store.
So now any subscription agent with the certificate can perform the subscription ownership tasks (using Azure Management API) thus authenticating using the certificate.

The below C# code shows how to retrieve the certificate from your local store by providing the thumbprint.

public X509Certificate2 GetStoreCertificate(string thumbprint)
{
    List<StoreLocation> locations = new List<StoreLocation>
    {
        StoreLocation.CurrentUser,
        StoreLocation.LocalMachine
    };

    foreach (var location in locations)
    {
        X509Store store = new X509Store("My", location);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint,false);

            if (certificates.Count == 1)
            {
                return certificates[0];
            }
        }
        finally
        {
            store.Close();
        }
    }

    throw new ApplicationException("No Certificate found");
}

The above code tries to get the certificate from the Personal certification location, as the parameter “My” has been passed to the X509Store constructor.

After obtaining the certificate, you should pass it through each and every Azure Management API request whether you use the REST API or any language SDK.

Versatile Digital DNA

Category Archives: Microsoft Azure

How to Upgrade SQL Azure Database to V12

A.1 Version clarification

Azure Account Management

Connecting to Ubuntu VM on Azure using Remote Desktop Connection

Microsoft Azure API Management Policies

Introduction to Microsoft Azure API Management – Step by Step tutorial

How to programmatically create Azure Storage account – .NET SDK

Configuring Azure CDN (Content Delivery Network)

How to create a certificate authentication with Azure Management Service

A.1 Version clarification

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: