Erwin Staal

Enforcing Microsoft Defender for Cloud Across 30+ Subscriptions With Bicep

Sun, 03 May 2026 00:00:00 +0000

Security posture management is one of those things that starts manually and stays manual for too long. Someone enables Defender for Cloud on a subscription in the portal, picks a few plans, saves. Six months later a new subscription appears, nobody remembers exactly which plans were enabled on the others, and the configuration drifts. An audit comes along and suddenly you’re comparing screenshots.

Digital Sovereignty in the Microsoft Azure Cloud: Why It Matters More Than Ever

Sun, 05 Apr 2026 00:00:00 +0000

With President Trump back in the White House, the topic of digital sovereignty has returned to the center of political and business discussions in Europe. Recent events have shown how dependent we are on non-European hyperscalers like Microsoft and how quickly foreign political decisions can impact European organizations. But what exactly is digital sovereignty, why is it such a hot topic now, and how is Microsoft addressing these concerns in its Azure cloud?

Installing COTS applications using Azure Gallery VM

Mon, 03 Mar 2025 00:00:00 +0000

When having the need to install COTS applications (Custom Off-The-Shelf) on virtual machines in Azure, you have multiple options to manage that. One of the options is to use the Azure Gallery VM Applications. As the name implies, its part of Azure Compute Gallery, formally known as Azure Shared Image Gallery. Azure Gallery VM Applications is a feature that simplifies the process of managing and deploying software packages on Virtual Machines (VMs) at scale.

Get all available patches for VMs on Azure

Fri, 20 Oct 2023 00:00:00 +0000

Managing patches across many virtual machines (VMs) in an Azure environment is critical for ensuring security and performance. In Azure, we now have a new product: Azure Update Manager. The service can help us keep our machines up-to-date. Implementing a patch schedule is an aspect of maintaining the security and stability of an IT environment. Critical and security patches are often applied to all machines as soon as possible. Updating test machines before production machines is an often-used practice for other patches.

Checking left over identities in Azure

Wed, 20 Sep 2023 00:00:00 +0000

Recently, I was working on a task where I had to delete a subscription because it was no longer needed. On that subscription, however, there were still some identities having permissions asigned. I wanted to check if those identities were still used in other subscriptions. Turns out there is no easy way to do this. So, I wrote a script to get all the principals on the subscription and check their permissions in all subscriptions in the tenant.

Creating reusable modules with Bicep, Terraform or Pulumi

Sun, 12 Mar 2023 00:00:00 +0000

Over the years, I’ve been working with several infrastructure as code tools. One of the things that I always find essential, no matter the tool, is to write readable and maintainable code. One way to do that is to create a proper structure for what you are building. All of the IaC tools I have used allow you to modularize your code somehow. A module is a piece of code responsible for one specific thing.

Installing multiple VM extensions on an Azure VM using Terraform

Sat, 25 Feb 2023 00:00:00 +0000

In a recent project, we used Azure Datafactory in a closed network and needed to access resources on-premises. That means that you cannot use the Autoresolve runtime of Datafactory. We thus used our own VM and installed the Self Hosted Integration Runtime software using a VM extension. So far, so good. We needed to install another piece of software on that VM a little later in the project. I started adding another VM extension only to find out that you can only install one VM extension per VM on Azure. We needed to find a way to install multiple dependencies on the VM using a single VM extension in a configurable and manageable way. This blog will describe how we did that using Terraform.

Custom Domain on Azure App Service using Terraform and Cloudflare

Mon, 09 Jan 2023 00:00:00 +0000

The other day, I was building some infrastructure on Azure that contained an Azure App Service. I wanted to use a custom domain so that users can use the application over a nice domain name instead of the *.azurewebsites.net. The infrastructure is built using Terraform; luckily, there is a provider for Cloudflare. Cloudflare is where the domain’s DNS is managed. This blog post will walk you through the steps to do all the configuration.

Run a script during deployment with DeploymentScripts in Bicep

Wed, 04 Jan 2023 00:00:00 +0000

On a recent project, I was using Terraform to build some infrastructure. It contained an Azure Web App with a custom domain configured. A custom domain name on a Web App allows you to access it using a friendly URL instead of the <your_name>.azurewebsites.net. In this project, the DNS records for the domain were hosted and managed on Cloudflare. Luckily, Terraform has a provider for both Azure and Terraform, and thus I could write a single module that would create the Web App, set the domain in Cloudflare, and configure the custom domain.

Passing variables between stages in Azure DevOps pipelines

Thu, 03 Mar 2022 00:00:00 +0000

The other day I was working on an Infrastructure as Code project that involved deploying an Azure Container registry. That ACR is typically a resource that you deploy just ones in your production environment and not one per environment. You do that because you want container images to be used as immutable artifacts that are progressively deployed across all your environments.

Terraform Azure DevOps to Azure example pipeline

Mon, 14 Feb 2022 00:00:00 +0000

I finally had the opportunity to work with Terraform on one of my recent projects. I have been building Infrastructure as Code with ARM templates or Bicep for years. Together with two friends, I even wrote a book on that! Terraform was always on my list of tools to work with. I had played around with it a little in my spare time but never got the opportunity to put it to use in an actual project. This blog will help you get started!

Functions in ARM Templates

Sat, 16 Oct 2021 00:00:00 +0000

To help build templates quicker, make them more expressive and reusable, there are many built-in functions at your disposal. And even if there isn’t a built-in function for your specific scenario, you can always write one on your own. The use of functions introduces pieces of logic into your templates, which can be used from expressions.

Automatically renew the image used in an Azure DevOps private agent

Sun, 25 Jul 2021 00:00:00 +0000

In a previous post, I wrote about creating your own hosted Build and Release agents in Azure DevOps. That process could be improved by regenerating the VM image, for example, every month. By doing that, you stay up-to-date with both the latest versions of all the tools installed as well as with security patches. This post will describe how to do that using an Azure DevOps pipeline which will be triggered monthly.

Configure Azure Security Center using Bicep

Fri, 25 Jun 2021 00:00:00 +0000

At a few of my recent clients, I’m working on moving their infrastructure to code using Bicep. Part of that is always the configuration of Azure Security Center. Things to configure are, for example, the services for which you want to enable Azure Defender or the email notifications. This blog will describe how to do just that.

ARM template: getting deeply nested resource properties

Mon, 15 Mar 2021 00:00:00 +0000

The other day I was deploying a private endpoint connected to a KeyVault using an ARM Template. By using a Private Endpoint one can assign a private IP address from your own Virtual Network to an Azure PaaS service like KeyVault, SQL, storage accounts, and others. To resolve the private IP using the service FQDN from within the VNET, I also needed to set an ‘A’-record in the private DNS zone.

Manual approval in an Azure DevOps YAML-pipeline

Sun, 31 Jan 2021 00:00:00 +0000

Last week I was creating a YAML-pipeline in Azure DevOps to deploy some ARM Templates. Before deploying those changes to my production environment, I wanted to have a manual approval in place. Here’s how I did that.

Entity Framework Core and Migrations

Thu, 17 Dec 2020 00:00:00 +0000

Entity Framework could be a logical choice when building a .NET Core API that needs to talk to a database. In this blog, I’ll show you how to get started with EF and Migrations. We will create the models, the DbContext, and the migrations needed to upgrade your database when introducing changes. We will also see how we can deploy those changes in your Azure DevOps pipeline on each release.

Database per tenant infrastructure

Wed, 25 Nov 2020 00:00:00 +0000

In the first post in this series, we’re going to talk about the infrastructure. We need some database server to host each tenant’s database and the shared database that contains information on all the tenants (like which database belongs to whom). We also need infrastructure to host the API on and off course, need something for configuration and secret management. TL;DR: All templates and the pipeline can be found in my repository.

Multi tenant app with database-per-tenant

Sun, 15 Nov 2020 00:00:00 +0000

I recently started building an architecture for a multi-tenant app to support a database per tenant (customer) scenario for one of my customers. Splitting your data in multiple databases like that has a few benefits like easy backup and restore per customer, better security by separation of data, and potential performance benefits. Especially the separation of data was a hard requirement here. I found this to be a nice challenge as it involves many moving parts to get it right.

Using an Azure Virtual Machine Scale set as Azure DevOps agents

Fri, 02 Oct 2020 00:00:00 +0000

Over the past few weeks, I’ve been implementing a few new networking features in Azure for a client. We did that to make our infrastructure more secure. I’ve been playing around with VNET’s, Private Links, Services Endpoints and Access Restrictions on Azure Web App, SQL databases, Storage and KeyVault. One of the issues I stumbled upon quite quickly was the fact that when you restrict access to a resource, Azure DevOps can’t reach that anymore as well.

Disable Azure Security Center recommendations using ARM Templates

Tue, 08 Sep 2020 00:00:00 +0000

Azure Security Center gives you a great overview of the state of your workloads security hygiene and compliance. I recently got tasked with going through the recommendations, take action, and improve our overall security and compliance status. Some of the recommendations presented to me were in the ‘Enable advanced threat protection’-group, like ‘Advanced threat protection should be enabled on Azure App Service plans’.

My first look at Azure IoT Hub

Thu, 03 Sep 2020 00:00:00 +0000

I recently decided it was time for me to take a shot at passing another few Microsoft exams. While studying for one of them, I noticed that I didn’t knew too much about Azure IoT Hub. I had never come across it in my daily job. So I gave myself the following goal: have something that acts as an IoT device that sends data into Azure IoT Hub and have something read that data and does something useful with it. When talking about the data that comes out of IoT Hub we usually split that into a hot and/or cold analytics path, in this blog I’ll show you an example of both.

Generating API clients using NSwag and Azure DevOps

Mon, 10 Aug 2020 00:00:00 +0000

Whenever you create an API you probably want to be able to create some documentation around that API. Swagger has been around for a long time and allows you to explore and test your API using a nice UI in the browser. It also provides you with an OpenAPI spec in json format describing your service. OpenAPI is to REST what WSDL is to an SOAP-endpoint. Wouldn’t it be cool if you could generate your clients using that spec? Well, you can!

Azure App Configuration and KeyVault

Sun, 26 Jul 2020 00:00:00 +0000

Recently I started on a new project and therefor a whole new application. It’s build using .NET Core and like many apps, it needs some configuration that varies between deployments. Azure now has a service called Azure App Configuration that allows you to store and manage your configuration. Combined with Azure KeyVault to store your secrets, we get configuration management nearly for free. Let’s dive in!

Autoscaling .NET Core Azure Functions on Kubernetes

Tue, 16 Jun 2020 00:00:00 +0000

Everyone who worked with containers on Kubernetes probably agrees that there is a pretty steep learning curve in the beginning. Once you overcome that, you’ll find that it’s an awesome and very capable product and that it will make your life better (when used in the right context of-course). One area where Kubernetes is not so great is event-based autoscaling. That’s where KEDA comes in. KEDA stands for Kubernetes-based Event-driven Autoscaler.

Securing your Azure SQL DB using Azure Private Link

Wed, 27 May 2020 00:00:00 +0000

Whenever you create a new SQL Database on the Azure Cloud, one of the first things you probably do is set the ‘Allow Azure services and resources to access this server’-switch to ‘Yes’. This allows your App Service for example to access your database. It’s not very secure however since all an attacker then needs is your connections string. And although you are probably very careful with that, it might just accidentally get public.

Public Speaking

Sun, 24 May 2020 00:00:00 +0000

Current and previous speaking engagements

Using an ARM template to deploy your SSL certificate stored in KeyVault on an Web App

Sun, 20 Oct 2019 00:00:00 +0000

Everyone knows it’s completely normal nowadays to have your website loaded over https. Troy Hunt explains why. There are quite some examples out there on how to use Let’s Encrypt certificates on your Azure web app, see this one by Henry Been for example. For most of us that’s a perfect and free solutions. It doesn’t work for all of us however.

Reading secrets from KeyVault in your Azure Cloud Service

Fri, 18 Oct 2019 00:00:00 +0000

Azure Cloud Service was one of the earliest Platform as a Service offerings by Microsoft Azure. With Cloud Services you can run web applications or run background applications. Since it is a PaaS offering, you dot not need to worry about the issues that comes with IaaS, patching for example and they offer a lot of flexibility. They are not officially deprecated, though Microsoft is pushing for the use of other PaaS offerings.

Reading secrets from KeyVault in your Azure Web App

Fri, 18 Oct 2019 00:00:00 +0000

Azure KeyVault is a great Azure offerring that allows you to store for example secrets or certificates. You are currently looking at the first post out of a series of posts on how to grab secrets or certificates from KeyVault in your web applications. This post wil focus on creating the KeyVault, giving access to you Azure Web App and retrieving a secret in two different ways. I will be using an ASP.

My k3s OpenFaaS Raspberry Pi cluster

Tue, 10 Sep 2019 00:00:00 +0000

A few months ago I build a Raspberry Pi cluster running K3S. I build it because I wanted to have a nice environment the learn more about Kubernetes and OpenFaas. It always feels nice to have something you can actually touch in this all software world I normally live in. After tweeting and giving a session about my OpenFaas Raspberry Pi cluster people started asking what parts the cluster consists of and what software I use to run it.

Creating a simple OpenFaas template

Sat, 11 May 2019 00:00:00 +0000

Whenever you want to create a new function to run on OpenFaas your starting point would be an OpenFaas template. OpenFaas has a template engine build-in which can create new functions in a given programming language. There are the official/default templates and there are templates in the store provided by the community. If a language you would like to use isn’t available or it doesn’t suite your needs, you can always write your own!

Your first .NET Core Serverless function on OpenFaas

Wed, 08 May 2019 00:00:00 +0000

In my previous blog I described how to set-up OpenFaas on a Kubernetes cluster with a little help from Rancher. Now it’s time to deploy our first serverless function. In this blog we’ll create and deploy a .NET Core function that reads a bit of config using both an environment variable and Kubernetes secrets. Creating your first function In the previous blog we installed the OpenFaas cli. If you didn’t already, here are the instructions.

About

Thu, 28 Feb 2019 00:00:00 +0000

I am a Tech Lead and Azure Solution Architect at Xebia in the Netherlands, with over a decade of experience spanning startups, enterprise organizations, and international teams. I thrive at the intersection of technology, strategy, and leadership, helping companies deliver software to customers using DevOps practices and Cloud-Native architectures. Being on the line between IT and business is where I feel most at home—creating technical solutions that address real user needs while driving teams toward success.

Blog

Thu, 28 Feb 2019 00:00:00 +0000

Contact

Thu, 28 Feb 2019 00:00:00 +0000

Please fill out the form and I’ll get back to you! Feel free to reach out via social media or email as well.

Need help?

Thu, 28 Feb 2019 00:00:00 +0000

Hi, I’m Erwin Staal, a Azure Solution Architect, author of Azure Infrastructure as Code, and international conference speaker. I help organizations design, govern, and scale secure Azure platforms that actually work in practice, not just on paper. With nearly 20 years of experience in software engineering, DevOps, and cloud infrastructure, I guide teams through every stage of their Azure journey: from strategic planning and technical architecture to hands-on implementation, governance, and long-term platform maturity.

Octopus Deploy and Entity Framework migrations

Fri, 03 Feb 2017 00:00:00 +0000

A step that is very common in almost every deployment pipeline is the migration of the database. In this blog I’ll show you how to do this using Octopus Deploy and Entity Framework Migrations. I’ll be using a very simple ASP.Net MVC application called SimpleMVCApp. In the same solution, I’ve created a library project named SimpleMVCApp.Data in which my context, models, migrations and migration scripts reside. This application can be found on my GitHub account.

Continuous delivery bij SnelStart

Thu, 22 Dec 2016 00:00:00 +0000

Bij SnelStart ontwikkelen we boekhoudsoftware voor het midden en klein bedrijf. SnelStart doet dat al meer dan 30 jaar door middel van een desktopapplicatie en sinds kort ook met een online variant. Ongeveer drie jaar geleden zijn we bij SnelStart begonnen met de ontwikkeling van ons service platform. Dit is een Azure Cloud oplossing die onze klanten onder andere de mogelijkheid geeft om in te loggen vanuit hun desktop- of webapplicatie, online administraties aan te maken en belastingaangiften te versturen.