Azure App configuration

Transcript

1. #StockholmAzure
   Meetup Sponsors
   

   View Slide

2. Who am I ?
   • Lead Cloud Solutions Architect at PwC Sweden
   • Leading Cloud Center for Enablement and
   Cloud-native transformation initiative for the
   organization.
   • Architecture Council at PwC
   • Microsoft Azure Advisory group
   • Blogger https://www.msajid.cloud/
   • Speaker (Swetugg, APIDays, Azure meetup)
   • Badminton
   • Photography
   • Ping pong
   2
   https://www.linkedin.com/in/musa/
   https://twitter.com/sajid_nazeer
   

   View Slide

3. Azure App
   Configuration and
   Feature management
   Presentation by Muhammad Sajid
   November 2019
   

   View Slide

4. 1. What is Azure App Configuration and why should you care
   2. Using App Configuration in .NET Core, ASP.NET Core and Azure Functions
   3. Integration with Azure Key Vault and Event Grid
   4. High Availability -> replication and failover using import/export feature
   5. Using App Configuration in Azure DevOps
   6. ETA and Pricing
   7. Feature management
   8. Key Takeaways
   4
   

   View Slide

5. What is Azure App
   Configuration
   1
   

   View Slide

6. What is Azure App Configuration
   https://docs.microsoft.com/en-us/azure/azure-app-configuration/overview
   6
   • Centralize management and distribution of hierarchical
   configuration data
   • At the core its a key-value store
   • Great fit for Event-driven microservices architecture
   • Control feature availability in real-time
   • Cloud Native Implementation of the “External
   configuration store” pattern
   

   View Slide

7. Why should we care
   • Cloud Native applications are
   mostly polyglot Microservices (with
   different programming languages,
   technology stacks etc) but every
   Micoservice needs some kind of
   configuration
   • According to 12 factor App, It is
   recommended to separate
   Configuration from the Code
   https://12factor.net/config
   https://content.pivotal.io/blog/beyond-the-twelve-factor-app
   7
   App Configuration supports:
   • Namespaces
   • Labeling
   • Extensive queries
   • Batch retrieval
   • History
   • feature-management
   • Event-driven Architecture
   Author: Kevin Hoffman
   https://learning.oreilly.com/library/view/beyond-th
   e-twelve-factor/9781492042631/
   Author: multiple authors
   https://www.amazon.in/Cloud-Native-Transforma
   tion-Pini-Reznik/dp/1492048909
   

   View Slide

8. Configuration information out of the application
   deployment package to a centralized location.
   This pattern is useful for:
   • Shared configuration between multiple
   applications or multiple instances of the same
   application.
   • A standard Key-Value configuration system
   • Simplify administration and monitoring of
   configuration settings
   External Configuration Store
   https://docs.microsoft.com/en-us/azure/architecture/patterns/external-configuration-store
   8
   

   View Slide

9. 9
   Search App Configuration in Azure Portal and
   Create
   Creating the resource
   

   View Slide

10. 10
    Name should be globally unique
    Choose subscription, resource group and
    location
    

    View Slide

11. 11
    Endpoint to use
    Configuration and feature
    management Import/export configuration
    

    View Slide

12. 12
    Use read-only keys
    

    View Slide

13. 13
    https://docs.microsoft.com/en-us/azure/azure-app-configuration/cli-samples
    

    View Slide

14. 14
    Resource type
    Microsoft.AppConfiguration/configurationStores
    Api Version
    2019-02-01-preview
    

    View Slide

15. Using Azure App
    Configuration in
    .NET Core, ASP.NET
    Core and Azure
    Functions
    2
    

    View Slide

16. 16
    .NET Core
    Add nuget package Microsoft.Extensions.Configuration.AzureAppConfiguration
    

    View Slide

17. 17
    ManagedIdentity or Connect with
    Connection string
    Key to watch and if changed refresh
    everything
    

    View Slide

18. 18
    KeyVault client using ManagedIdentity for
    fetching secrets using Configuration provider
    Configuration and KeyVault
    client Glue
    Namespace/prefix to watch
    Trigger refresh only when
    sentinel is changed to
    avoid splicing
    

    View Slide

19. 19
    Role of a Sentinel
    • Sentinel is just another key-value item in the
    App Configuration
    • It is used as a signal for configuration
    provider client that one or more properties
    have changed
    • Sentinel or any other configuration item will
    only be checked for changes if cache has
    expired. Cache expiry is 30 seconds by
    default
    

    View Slide

20. 20
    Use Managed Identity
    Same identity will work with fetching Key Vault Secret
    ASP.NET Core
    

    View Slide

21. 21
    Middleware responsible for refreshing the configuration
    based on activity
    

    View Slide

22. How does configuration Refresh works at runtime?
    22
    Timer-based watch (Old design)
    • Configuration was kept in sync with
    Azure App Configuration using a
    watch mechanism which ran on a
    timer.
    Flaws
    • On-demand invocation not possible.
    • Background activity even in the
    dormant application instances.
    • Polling
    Activity-based watch (New design)
    • Uses a middleware to determine
    activity
    • Works only in ASP.NET (middleware
    dependency)
    https://devblogs.microsoft.com/aspnet/redesigning-configuration-refresh-for-azure-app-configuration/?WT.mc_id=cloudnative-ch9-shboyer
    

    View Slide

23. Activity based refresh
    23
    

    View Slide

24. 24
    Azure Functions
    Use Azure functions Dependency injection to configure
    Azure App Configuration
    

    View Slide

25. 25
    Inject Settings using IOptionsSnapshot
    

    View Slide

26. 26
    Create a separate refresh function to refresh
    configuration.
    Refresh will only happen when Cache has expired
    

    View Slide

27. Integration with Azure
    Key Vault and Event
    Grid
    3
    

    View Slide

28. Azure Key Vault Integration
    28
    https://github.com/Azure/AppConfiguration-Announcements/issues/1#issue-504279728
    October 8, 2019
    Lisa Guthrie
    Senior Program
    Manager
    

    View Slide

29. Azure Key Vault Integration
    29
    https://github.com/Azure/AppConfiguration-Announcements/issues/1#issue-504279728
    • App Configuration and Key Vault are complementary services
    • App Configuration allows you to create Keys that reference
    value of Key Vault secrets
    • App Configuration stores the Uri or the secret not the Value
    • Client providers detect the key as a Key Vault secret and use
    Key Vault client to retrieve the actual value of the secret
    • App Configuration and Key Vault does not communicate to
    each other automatically
    Lisa Guthrie
    Senior Program Manager
    

    View Slide

30. 30
    App Configuration provider uses KeyVault client under the hood
    to fetch the value for a secret.
    Refresh works for both App Configuration Items and Key Vault
    Secret
    Use App Service token provider to get token for Accessing Key
    Vault
    

    View Slide

31. 31
    App Configuration provider will not know
    if you delete a secret from Key Vault until
    you restart. For running instances it will
    not crash or reload other configuration
    items.
    

    View Slide

32. 32
    How to handle transient errors?
    https://docs.microsoft.com/en-us/azure/architecture/best-practices/transient-faults
    • Due to the distributed nature of the cloud, transient
    faults are very common
    • Handling transient errors is very important for the
    building resilience applications
    • Use Polly to add retry policy while refreshing
    

    View Slide

33. 33
    Polly integration for Transient errors using custom refresh
    middleware
    Add Polly nuget package
    

    View Slide

34. 34
    Program.cs
    Configure App Configuration as usual
    

    View Slide

35. 35
    Startup.cs
    User custom middleware with Retry logic
    

    View Slide

36. 36
    

    View Slide

37. 37
    • Storing data in a different store and
    passing a reference to the original
    data along. The receiver is
    responsible for retrieving original
    data from the store (in this case
    from Key Vault).
    • The pattern can also be used if the
    payload should be accessed only
    by services that are authorized to
    see it. (Skinny payload)
    Claim check?
    Also known as Reference-Based Messaging
    https://www.enterpriseintegrationpatterns.com/patter
    ns/messaging/StoreInLibrary.html
    https://docs.microsoft.com/en-us/azure/architecture/
    patterns/claim-check
    Reference:
    {"uri":"https://abc1234keyvault.va
    ult.azure.net/secrets/testsecret"}
    Content Type:
    application/vnd.microsoft.appcon
    fig.keyvaultref+json;charset=utf-8
    

    View Slide

38. Event Grid Integration
    38
    

    View Slide

39. 39
    

    View Slide

40. 40
    

    View Slide

41. High availability
    4
    

    View Slide

42. Import/Export
    42
    

    View Slide

43. 43
    Event-driven Sync
    • Use Event-Grid to receive changes and replicate
    configuration items to secondary store
    • Use special Sync sentinel if you want to control
    sync
    • Use App Configuration SDK to replicate
    configuration items using C#
    

    View Slide

44. Configure Event-Grid for Receiving Sync Sentinel signal
    44
    

    View Slide

45. Configure Event-Grid for Receiving Sync Sentinel signal
    45
    Apply a filter to receive events only when
    Sync Sentinel is changed.
    Filter on subject suffix match
    You can specify empty labels as %00
    Api-version is always included
    

    View Slide

46. Receive Events in a Bus, Storage or directly to an Azure
    Function
    46
    User App Configuration SDK to manage key-value
    pairs and you can use ConfigurationClient to
    replicate primary store to secondary store
    

    View Slide

47. 47
    Replicator function takes primary and secondary connection.
    Replicate only when you receive “Sync Sentinel” trigger via Event Grid
    string primaryConnection = "Endpoint=https://abc1234configstore.azconfig.io;Id=XXXX;Secret=YYYYYYY";
    var primary = new ConfigurationClient(primaryConnection);
    

    View Slide

48. 48
    

    View Slide

49. Azure DevOps
    Integration
    5
    

    View Slide

50. Install App Configuration Task
    50
    

    View Slide

51. 51
    

    View Slide

52. 52
    

    View Slide

53. ETA and Pricing
    6
    

    View Slide

54. GA and Pricing
    Azure App Configuration Service is planned to be Generally available in January 2020
    54
    October 26, 2019
    Lisa Guthrie
    Senior Program
    Manager
    

    View Slide

55. PwC 55
    Free Standard
    Stores 1 / subscription Unlimited
    Keys 1000 or 1MB / store 20000 or 1GB / store
    History 7 days 30 days
    Requests / day 1000 Unlimited
    SLA N/A 99.9%
    Cost Free
    US$1.20/day + any
    additional changes at
    US$0.06/10000 requests
    ETA and Pricing
    Azure App Configuration Service is planned to be Generally available in January 2020
    

    View Slide

56. 7Feature management
    

    View Slide

57. 57
    

    View Slide

58. 58
    

    View Slide

59. 59
    

    View Slide

60. 60
    

    View Slide

61. 8Key takeaways
    

    View Slide

62. • Group keys using Prefixes and Labels
    • Design hierarchical namespaces
    • Always set a Content-Type
    • Use Sentinel to avoid splicing
    62
    

    View Slide

63. 63
    Jimmy Campbell
    • Use Labels as an extra dimension for organizing/grouping settings
    

    View Slide

64. • Create separate stores if you want to separately control the permissions
    • If permission is not a concern then use one multi-tenant store
    

    View Slide

65. • Another reason to have multiple stores would be for disaster recovery
    https://docs.microsoft.com/en-us/azure/azure-app-configuration/concept-disaster-recovery
    

    View Slide

66. • Beware of the key storage and request limitations per store
    • Beware of limitations of creating multiple stores per subscription
    66
    

    View Slide

67. • It is ok to store a secret in App Configuration but use Key Vault which is
    designed for this use case.
    67
    

    View Slide

68. • Beware of the configuration stacking
    68
    

    View Slide

69. • If an environment does not have possibility to fetch configuration at runtime
    (possibly due to a firewall) then inject the configuration using Azure DevOps
    69
    

    View Slide

70. • Listen to configuration changes using Azure Event Grid and react accordingly
    • Use managed identity for authentication
    70
    

    View Slide

71. • Sync configuration to multiple stores for high availability and disaster recovery
    • If you have a Key Vault referenced key you must add permission to Key Vault for
    both stores
    • Use Sync Sentinel
    71
    

    View Slide

72. 72
    Questions
    

    View Slide

73. PwC
    Presentation Title [View > Master and edit/delete on very top slide master] Date [View > Master and edit/delete on very top slide master]
    73
    References:
    Icons @SandroPereira -> repo, blog | @Azurekid -> repo | @BenCodeGeek -> project | @David Summers -> repo
    Documentation https://docs.microsoft.com/en-us/azure/azure-app-configuration/
    Feedback page https://feedback.azure.com/forums/920545-azure-app-configuration
    GitHub https://github.com/Azure/AppConfiguration/
    Slack https://aka.ms/azconfig/slack
    Announcements https://github.com/Azure/AppConfiguration-Announcements
    CloudNativeShow episode https://www.youtube.com/watch?v=DJqmA5PcfzE
    DOTNETConf https://www.youtube.com/watch?v=zRstfC3Nn7M
    Thank you
    https://www.linkedin.com/in/musa/
    https://twitter.com/sajid_nazeer
    

    View Slide