<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Azure on Erwin Staal</title>
    <link>https://staal-it.nl/series/azure/</link>
    <description>Recent content in Azure on Erwin Staal</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <copyright>KVK: Staal IT, 56920202 - Copyright © 2025</copyright>
    <lastBuildDate>Sun, 03 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://staal-it.nl/series/azure/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Enforcing Microsoft Defender for Cloud Across 30&#43; Subscriptions With Bicep</title>
      <link>https://staal-it.nl/posts/azure-defender-for-cloud-settings/</link>
      <pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/azure-defender-for-cloud-settings/</guid>
      <description>&lt;p&gt;Security posture management is one of those things that starts manually and stays manual for too long. Someone enables Defender for Cloud on a subscription in the portal, picks a few plans, saves. Six months later a new subscription appears, nobody remembers exactly which plans were enabled on the others, and the configuration drifts. An audit comes along and suddenly you&amp;rsquo;re comparing screenshots.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Digital Sovereignty in the Microsoft Azure Cloud: Why It Matters More Than Ever</title>
      <link>https://staal-it.nl/posts/digital-sovereignty/</link>
      <pubDate>Sun, 05 Apr 2026 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/digital-sovereignty/</guid>
      <description>With President Trump back in the White House, the topic of digital sovereignty has returned to the center of political and business discussions in Europe. Recent events have shown how dependent we are on non-European hyperscalers like Microsoft and how quickly foreign political decisions can impact European organizations. But what exactly is digital sovereignty, why is it such a hot topic now, and how is Microsoft addressing these concerns in its Azure cloud?</description>
    </item>
    
    <item>
      <title>Installing COTS applications using Azure Gallery VM</title>
      <link>https://staal-it.nl/posts/azure-gallery-vm-app/</link>
      <pubDate>Mon, 03 Mar 2025 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/azure-gallery-vm-app/</guid>
      <description>When you need to install COTS applications (Custom Off-The-Shelf) on virtual machines in Azure, you have multiple options to manage that. One of the options is to use Azure Gallery VM Applications. As the name implies, it&amp;rsquo;s part of Azure Compute Gallery, formerly known as Azure Shared Image Gallery. Azure Gallery VM Applications is a feature that simplifies the process of managing and deploying software packages on Virtual Machines (VMs) at scale.</description>
    </item>
    
    <item>
      <title>Get all available patches for VMs on Azure</title>
      <link>https://staal-it.nl/posts/get-all-available-patches-for-vms-on-azure/</link>
      <pubDate>Fri, 20 Oct 2023 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/get-all-available-patches-for-vms-on-azure/</guid>
      <description>Managing patches across many virtual machines (VMs) in an Azure environment is critical for ensuring security and performance. In Azure, we now have a new product: Azure Update Manager. The service can help us keep our machines up-to-date. Implementing a patch schedule is an aspect of maintaining the security and stability of an IT environment. Critical and security patches are often applied to all machines as soon as possible. Updating test machines before production machines is an often-used practice for other patches.</description>
    </item>
    
    <item>
      <title>Checking left over identities in Azure</title>
      <link>https://staal-it.nl/posts/checked-all-permissions-on-a-principal/</link>
      <pubDate>Wed, 20 Sep 2023 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/checked-all-permissions-on-a-principal/</guid>
      <description>Recently, I was working on a task where I had to delete a subscription because it was no longer needed. On that subscription, however, there were still some identities having permissions assigned. I wanted to check if those identities were still used in other subscriptions. Turns out there is no easy way to do this. So, I wrote a script to get all the principals on the subscription and check their permissions in all subscriptions in the tenant.</description>
    </item>
    
    <item>
      <title>Creating reusable modules with Bicep, Terraform or Pulumi</title>
      <link>https://staal-it.nl/posts/modularizing-iac-bicep-terraform-pulumi/</link>
      <pubDate>Sun, 12 Mar 2023 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/modularizing-iac-bicep-terraform-pulumi/</guid>
      <description>Over the years, I’ve been working with several infrastructure as code tools. One of the things that I always find essential, no matter the tool, is to write readable and maintainable code. One way to do that is to create a proper structure for what you are building. All of the IaC tools I have used allow you to modularize your code somehow. A module is a piece of code responsible for one specific thing.</description>
    </item>
    
    <item>
      <title>Installing multiple VM extensions on an Azure VM using Terraform</title>
      <link>https://staal-it.nl/posts/azure-vm-multiple-vm-extensions-using-terraform/</link>
      <pubDate>Sat, 25 Feb 2023 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/azure-vm-multiple-vm-extensions-using-terraform/</guid>
      <description>&lt;p&gt;In a recent project, we used Azure Datafactory in a closed network and needed to access resources on-premises. That means that you cannot use the Autoresolve runtime of Datafactory. We thus used our own VM and installed the Self Hosted Integration Runtime software using a VM extension. So far, so good. We needed to install another piece of software on that VM a little later in the project. I started adding another VM extension only to find out that you can only install one VM extension per VM on Azure. We needed to find a way to install multiple dependencies on the VM using a single VM extension in a configurable and manageable way. This blog will describe how we did that using Terraform.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Custom Domain on Azure App Service using Terraform and Cloudflare</title>
      <link>https://staal-it.nl/posts/azure-terraform-cloudflare-example/</link>
      <pubDate>Mon, 09 Jan 2023 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/azure-terraform-cloudflare-example/</guid>
      <description>&lt;p&gt;The other day, I was building some infrastructure on Azure that contained an Azure App Service. I wanted to use a custom domain so that users can use the application over a nice domain name instead of the *.azurewebsites.net. The infrastructure is built using Terraform; luckily, there is a provider for Cloudflare. Cloudflare is where the domain&amp;rsquo;s DNS is managed. This blog post will walk you through the steps to do all the configuration.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Run a script during deployment with DeploymentScripts in Bicep</title>
      <link>https://staal-it.nl/posts/run-a-script-during-deployment-with-deploymentscripts-in-bicep/</link>
      <pubDate>Wed, 04 Jan 2023 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/run-a-script-during-deployment-with-deploymentscripts-in-bicep/</guid>
      <description>On a recent project, I was using Terraform to build some infrastructure. It contained an Azure Web App with a custom domain configured. A custom domain name on a Web App allows you to access it using a friendly URL instead of the &amp;lt;your_name&amp;gt;.azurewebsites.net. In this project, the DNS records for the domain were hosted and managed on Cloudflare. Luckily, Terraform has a provider for both Azure and Terraform, and thus I could write a single module that would create the Web App, set the domain in Cloudflare, and configure the custom domain.</description>
    </item>
    
    <item>
      <title>Passing variables between stages in Azure DevOps pipelines</title>
      <link>https://staal-it.nl/posts/azure-devops-multistage-pass-variables/</link>
      <pubDate>Thu, 03 Mar 2022 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/azure-devops-multistage-pass-variables/</guid>
      <description>&lt;p&gt;The other day I was working on an Infrastructure as Code project that involved deploying an Azure Container Registry. That ACR is typically a resource that you deploy just once in your production environment and not one per environment. You do that because you want container images to be used as immutable artifacts that are progressively deployed across all your environments.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Terraform Azure DevOps to Azure example pipeline</title>
      <link>https://staal-it.nl/posts/azure-terraform-example-pipeline/</link>
      <pubDate>Mon, 14 Feb 2022 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/azure-terraform-example-pipeline/</guid>
      <description>&lt;p&gt;I finally had the opportunity to work with Terraform on one of my recent projects. I have been building Infrastructure as Code with ARM templates or Bicep for years. Together with two friends, I even wrote a &lt;a href=&#34;https://www.manning.com/books/azure-infrastructure-as-code&#34;&gt;book&lt;/a&gt; on that! Terraform was always on my list of tools to work with. I had played around with it a little in my spare time but never got the opportunity to put it to use in an actual project. This blog will help you get started!&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Functions in ARM Templates</title>
      <link>https://staal-it.nl/posts/functions-in-arm-templates/</link>
      <pubDate>Sat, 16 Oct 2021 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/functions-in-arm-templates/</guid>
      <description>&lt;p&gt;To help build templates quicker, make them more expressive and reusable, there are many built-in functions at your disposal. And even if there isn&amp;rsquo;t a built-in function for your specific scenario, you can always write one on your own. The use of functions introduces pieces of logic into your templates, which can be used from expressions.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Automatically renew the image used in an Azure DevOps private agent</title>
      <link>https://staal-it.nl/posts/automatically-renew-private-agent-images/</link>
      <pubDate>Sun, 25 Jul 2021 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/automatically-renew-private-agent-images/</guid>
      <description>&lt;p&gt;In a previous post, I wrote about creating your own hosted Build and Release agents in Azure DevOps. That process could be improved by regenerating the VM image, for example, every month. By doing that, you stay up-to-date with both the latest versions of all the tools installed as well as with security patches. This post will describe how to do that using an Azure DevOps pipeline which will be triggered monthly.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Configure Azure Security Center using Bicep</title>
      <link>https://staal-it.nl/posts/configure-azure-security-center-using-bicep/</link>
      <pubDate>Fri, 25 Jun 2021 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/configure-azure-security-center-using-bicep/</guid>
      <description>&lt;p&gt;At a few of my recent clients, I&amp;rsquo;m working on moving their infrastructure to code using Bicep. Part of that is always the configuration of Azure Security Center. Things to configure are, for example, the services for which you want to enable Azure Defender or the email notifications. This blog will describe how to do just that.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>ARM template: getting deeply nested resource properties</title>
      <link>https://staal-it.nl/posts/arm-template-reference-not-allowed-in-reference/</link>
      <pubDate>Mon, 15 Mar 2021 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/arm-template-reference-not-allowed-in-reference/</guid>
      <description>&lt;p&gt;The other day I was deploying a private endpoint connected to a KeyVault using an ARM Template. By using a Private Endpoint one can assign a private IP address from your own Virtual Network to an Azure PaaS service like KeyVault, SQL, storage accounts, and others. To resolve the private IP using the service FQDN from within the VNET, I also needed to set an ‘A’-record in the private DNS zone.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Entity Framework Core and Migrations</title>
      <link>https://staal-it.nl/posts/db-per-tenant-catalog-database-ef-core-migrations/</link>
      <pubDate>Thu, 17 Dec 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/db-per-tenant-catalog-database-ef-core-migrations/</guid>
      <description>Entity Framework could be a logical choice when building a .NET Core API that needs to talk to a database. In this blog, I&amp;rsquo;ll show you how to get started with EF and Migrations. We will create the models, the DbContext, and the migrations needed to upgrade your database when introducing changes. We will also see how we can deploy those changes in your Azure DevOps pipeline on each release.</description>
    </item>
    
    <item>
      <title>Database per tenant infrastructure</title>
      <link>https://staal-it.nl/posts/db-per-tenant-catalog-database-infrastructure/</link>
      <pubDate>Wed, 25 Nov 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/db-per-tenant-catalog-database-infrastructure/</guid>
      <description>In the first post in this series, we&amp;rsquo;re going to talk about the infrastructure. We need some database server to host each tenant&amp;rsquo;s database and the shared database that contains information on all the tenants (like which database belongs to whom). We also need infrastructure to host the API on and, of course, something for configuration and secret management.
TL;DR: All templates and the pipeline can be found in my repository.</description>
    </item>
    
    <item>
      <title>Multi tenant app with database-per-tenant</title>
      <link>https://staal-it.nl/posts/database-per-tenant-series/</link>
      <pubDate>Sun, 15 Nov 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/database-per-tenant-series/</guid>
      <description>I recently started building an architecture for a multi-tenant app to support a database per tenant (customer) scenario for one of my customers. Splitting your data in multiple databases like that has a few benefits like easy backup and restore per customer, better security by separation of data, and potential performance benefits. Especially the separation of data was a hard requirement here. I found this to be a nice challenge as it involves many moving parts to get it right.</description>
    </item>
    
    <item>
      <title>Using an Azure Virtual Machine Scale set as Azure DevOps agents</title>
      <link>https://staal-it.nl/posts/using-vm-scale-sets-as-azure-devops-agents/</link>
      <pubDate>Fri, 02 Oct 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/using-vm-scale-sets-as-azure-devops-agents/</guid>
      <description>Over the past few weeks, I&amp;rsquo;ve been implementing a few new networking features in Azure for a client. We did that to make our infrastructure more secure. I&amp;rsquo;ve been playing around with VNETs, Private Links, Service Endpoints and Access Restrictions on Azure Web App, SQL databases, Storage and KeyVault. One of the issues I stumbled upon quite quickly was the fact that when you restrict access to a resource, Azure DevOps can&amp;rsquo;t reach it anymore either.</description>
    </item>
    
    <item>
      <title>Disable Azure Security Center recommendations using ARM Templates</title>
      <link>https://staal-it.nl/posts/override-security-center-default-policies/</link>
      <pubDate>Tue, 08 Sep 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/override-security-center-default-policies/</guid>
      <description>&lt;p&gt;Azure Security Center gives you a great overview of the state of your workloads&amp;rsquo; security hygiene and compliance. I recently got tasked with going through the recommendations, taking action, and improving our overall security and compliance status. Some of the recommendations presented to me were in the &amp;lsquo;Enable advanced threat protection&amp;rsquo;-group, like &amp;lsquo;Advanced threat protection should be enabled on Azure App Service plans&amp;rsquo;.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>My first look at Azure IoT Hub</title>
      <link>https://staal-it.nl/posts/azure-iot-hub/</link>
      <pubDate>Thu, 03 Sep 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/azure-iot-hub/</guid>
      <description>&lt;p&gt;I recently decided it was time for me to take a shot at passing another few Microsoft exams. While studying for one of them, I noticed that I didn&amp;rsquo;t know too much about Azure IoT Hub. I had never come across it in my daily job. So I gave myself the following goal: have something that acts as an IoT device that sends data into Azure IoT Hub, and have something read that data and do something useful with it. When talking about the data that comes out of IoT Hub, we usually split that into a hot and/or cold analytics path. In this blog I&amp;rsquo;ll show you an example of both.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Generating API clients using NSwag and Azure DevOps</title>
      <link>https://staal-it.nl/posts/nswag-client-generation-in-azure-devops/</link>
      <pubDate>Mon, 10 Aug 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/nswag-client-generation-in-azure-devops/</guid>
      <description>&lt;p&gt;Whenever you create an API you probably want to be able to create some documentation around that API. Swagger has been around for a long time and allows you to explore and test your API using a nice UI in the browser. It also provides you with an OpenAPI spec in JSON format describing your service. OpenAPI is to REST what WSDL is to a SOAP endpoint. Wouldn&amp;rsquo;t it be cool if you could generate your clients using that spec? Well, you can!&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Azure App Configuration and KeyVault</title>
      <link>https://staal-it.nl/posts/azure-app-config-and-azure-keyvault/</link>
      <pubDate>Sun, 26 Jul 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/azure-app-config-and-azure-keyvault/</guid>
      <description>&lt;p&gt;Recently I started on a new project and therefore a whole new application. It&amp;rsquo;s built using .NET Core and, like many apps, it needs some configuration that varies between deployments. Azure now has a service called Azure App Configuration that allows you to store and manage your configuration. Combined with Azure KeyVault to store your secrets, we get configuration management nearly for free. Let&amp;rsquo;s dive in!&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Autoscaling .NET Core Azure Functions on Kubernetes</title>
      <link>https://staal-it.nl/posts/autoscaling-your-azure-function-on-kubernetes/</link>
      <pubDate>Tue, 16 Jun 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/autoscaling-your-azure-function-on-kubernetes/</guid>
      <description>Everyone who has worked with containers on Kubernetes probably agrees that there is a pretty steep learning curve in the beginning. Once you overcome that, you&amp;rsquo;ll find that it&amp;rsquo;s an awesome and very capable product and that it will make your life better (when used in the right context, of course). One area where Kubernetes is not so great is event-based autoscaling. That&amp;rsquo;s where KEDA comes in. KEDA stands for Kubernetes-based Event-driven Autoscaler.</description>
    </item>
    
    <item>
      <title>Securing your Azure SQL DB using Azure Private Link</title>
      <link>https://staal-it.nl/posts/securing-your-azure-db-connection-using-azure-private-link/</link>
      <pubDate>Wed, 27 May 2020 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/securing-your-azure-db-connection-using-azure-private-link/</guid>
      <description>Whenever you create a new SQL Database on the Azure Cloud, one of the first things you probably do is set the &amp;lsquo;Allow Azure services and resources to access this server&amp;rsquo;-switch to &amp;lsquo;Yes&amp;rsquo;. This allows your App Service, for example, to access your database. It&amp;rsquo;s not very secure, however, since all an attacker then needs is your connection string. And although you are probably very careful with that, it might just accidentally become public.</description>
    </item>
    
    <item>
      <title>Using an ARM template to deploy your SSL certificate stored in KeyVault on an Web App</title>
      <link>https://staal-it.nl/posts/using-an-arm-template-to-deploy-your-ssl-certificate-stored-in-keyvault-on-an-web-app/</link>
      <pubDate>Sun, 20 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/using-an-arm-template-to-deploy-your-ssl-certificate-stored-in-keyvault-on-an-web-app/</guid>
      <description>&lt;p&gt;Everyone knows it&amp;rsquo;s completely normal nowadays to have your website loaded over https. Troy Hunt explains why. There are quite some examples out there on how to use Let&amp;rsquo;s Encrypt certificates on your Azure web app, see this one by Henry Been for example. For most of us that&amp;rsquo;s a perfect and free solution. It doesn&amp;rsquo;t work for all of us, however.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Reading secrets from KeyVault in your Azure Cloud Service</title>
      <link>https://staal-it.nl/posts/reading-secrets-from-keyvault-your-azure-cloud-service/</link>
      <pubDate>Fri, 18 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/reading-secrets-from-keyvault-your-azure-cloud-service/</guid>
      <description>Azure Cloud Service was one of the earliest Platform as a Service offerings by Microsoft Azure. With Cloud Services you can run web applications or background applications. Since it is a PaaS offering, you do not need to worry about the issues that come with IaaS, patching for example, and they offer a lot of flexibility. They are not officially deprecated, though Microsoft is pushing for the use of other PaaS offerings.</description>
    </item>
    
    <item>
      <title>Reading secrets from KeyVault in your Azure Web App</title>
      <link>https://staal-it.nl/posts/reading-secrets-from-keyvault-your-azure-web-app/</link>
      <pubDate>Fri, 18 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://staal-it.nl/posts/reading-secrets-from-keyvault-your-azure-web-app/</guid>
      <description>Azure KeyVault is a great Azure offering that allows you to store, for example, secrets or certificates. You are currently looking at the first post out of a series of posts on how to grab secrets or certificates from KeyVault in your web applications. This post will focus on creating the KeyVault, giving access to your Azure Web App and retrieving a secret in two different ways. I will be using an ASP.</description>
    </item>
    
  </channel>
</rss>
