Anthony Chu Contact Me

ASP.NET Web.config Transforms in Windows Containers - Revisited

Wednesday, November 15, 2017

When I last blogged about ASP.NET 4.x applications and web.config transformations in Windows containers, I was baking the transform files in the container images themselves. While this worked, the secrets were stored inside the container images. A much better approach is to supply the transformation at the time of container startup; we can do this by mounting a file when starting the container.

Continue Reading...


Overriding Web.config Settings with Environment Variables in Containerized ASP.NET Applications (with No Code Changes)

Friday, November 10, 2017

It's a common and useful practice to configure a container using environment variables. However, ASP.NET 4.7 and older versions use Web.config files for configuration, and there's no built-in mechanism to override those settings using environment variables. ASP.NET 4.7.1 adds an extensibility point called configuration builders that allows overriding configuration from sources including environment variables, but this requires us to upgrade the app to 4.7.1 and needs some minor changes to the codebase.

So I started thinking if it's possible to containerize ASP.NET applications in a way that allows us to override configuration using environment variables without the need to upgrade the app to 4.7.1 or change any code. This would make it much easier to lift and shift existing ASP.NET workloads to containers.

Continue Reading...


Keeping Secrets Safe in ASP.NET Core with Azure Key Vault and Managed Service Identity

Monday, October 9, 2017

In Azure, the recommended place to store application secrets is Azure Key Vault. ASP.NET Core makes it easy for an application to read secrets from Key Vault, but the application needs to be given valid credentials to do so. These credentials are often stored in plain text in an app setting, allowing anyone with access to the application to see them.

Managed Service Identity (MSI) was created to solve this problem. We can use it to access Key Vault without storing any secrets or credentials information in our web application.

Today, we'll take a look at how to use ASP.NET Core with MSI and Key Vault to properly secure and access secrets.

Continue Reading...


Changing Cosmos DB Write Locations on a Schedule with Azure Functions and Managed Service Identity

Sunday, September 24, 2017

Azure Cosmos DB can replicate a single account's data to as many of Azure's 30+ regions as we desire. Applications around the world can read from the closest location to minimize latency. Write operations, however, are still sent to a single designated write region.

Thankfully, the write region can be changed. A read region can be designated as the new write region in a matter of seconds, and this change can be initiated programmatically via a REST API. If our application's dominant workload changes regions based on time of day, we can respond by changing the write region to the one with the most activity. Sometimes this strategy is called "follow the sun" or "follow the clock".

Today, we'll look at how to use Azure Functions to automatically change a Cosmos DB account's write region on a schedule. We'll do this using Azure's newly announced Managed Service Identity feature.

Continue Reading...


Joining Microsoft as a Cloud Developer Advocate

Monday, July 24, 2017

Today, I begin a new chapter in my career as a Cloud Developer Advocate at Microsoft.

I'll be joining a new and rapidly growing group of advocates led by Jeff Sandquist (there has been a constant stream of announcements like this one recently). I'll be on Scott Cate's team; our focus is on helping .NET developers get the most out of Azure.

Cloud Advocacy Photo of the sweet lights in Bryan Liston's office (used with permission)

Continue Reading...