Thursday, December 16, 2021

LB Cash In Mobile (CIM) awarded the Silver for Best Business Model Innovation at FITIS digital excellence awards

LB Finance is the largest Non-Banking Finance organization in Sri Lanka.

State of the art digital wallet of LB Finance, which is named LB CIM was awarded the Silver award at the Federation of Information Technology Industry Sri Lanka (FITIS)


























LB Cash In Mobile (CIM) is available for both Android and IOS platforms and provides financial transactions at fingertips. 

















Core Finance system of LB Finance was revamped with the latest cutting edge technologies and tooling. It is designed with Microservice APIs and considering Open API/Banking API models. Furthermore it is designed and developed as a Cloud-First and Mobile-First solution. 

Availability of secure APIs enabled the business to introduce new unique features for the customer facing application which is LB CIM. Due to that, the CIM and LB Finance was able to report a rapid growth even under the COVID pandemic.


















I am privileged to lead the software development unit which is Center for Innovation and Technology (CIT) that revolutionized the direction of LB Finance and pioneered the use of technologies in the banking sector as a whole. The technical team at CIT consists of around 30 software development professionals, 15 quality assurance professionals and 10 professionals to analyze business requirements.

We are taking the initial steps to migrate the Core Finance system to a public cloud which would enhance the agility further

Wednesday, December 8, 2021

Azure Policy : How I managed to comply ISO 27001:2013 for my cloud workloads

We can have many resources in our cloud. How can we enforce compliance and governance out there?

Let's say that we are already compliant with ISO 27001:2013 for our on-premises workloads. How can we achieve it after the cloud migration?

Or how can we stay compliant if we have a hybrid setup?

If your cloud provider is Microsoft Azure, then you are lucky. You can use the features of Azure Policy to save you.

Azure Policy is a service provided by Microsoft Azure, where you can assign individual policies or initiative (collection of policies) to a targeted scope (e.g. Subscription) to ensure they are governed according to those policies.

Let's try out by creating an initiative. Luckily we have ISO27001:2013 as a built-in initiative






























Let's see the result.

In order to check the level of compliance, navigate to the initiative and click on View compliance link.

This was my initial score. Lot to improve, isn't it :)














As you can see below, we can see a summary of compliance split into following areas

  • Controls
  • Policies
  • Non-compliant resources
  • Events

Let's see a sample control.

Let's take the Password management system control













Now we know the current position. It's time to do some housekeeping to make our tenant compliant

Tuesday, December 7, 2021

Azure Durable Functions with retry options and retry operations

This is the third post of a serious of articles on Azure Functions/Durable functions. This is the continuation of my previous post on Durable Functions.

In this post we will discuss how we handle failures, specifically retry operations with Durable Functions.

Ability to handle failures is a key benefit that Durable Functions offer us. It is implemented using features of Durable Task Framework.

In order to illustrate retry operations we use the same example we used in previous article. Let's say saving contact details in CRM system is a heavy process and it is not under our control. Let's say it is a SaaS platform provided by a vendor. It can fail due to various reasons like

  • Network related failures
  • Planned/unplanned downtimes of the SaaS platform
  • etc..
Let's implement the retry pattern

Step 1: Instantiate RetryOptions object in our Orchestrator function. We have to specify retry interval and maximum retry attempts

We will filter out the exception and I will retry only when there is a network error. And we will retry three attempts

var retryOptions = new RetryOptions(System.TimeSpan.FromSeconds(5), 3)
{
    Handle = ex => ex.Message.Contains("Network Error")
};


Step 2: Instead of using CallActivityAsync function we will use CallActivityWithRetryAsync function. Following is the implementation of orchestration function after using retry options

[FunctionName("DurableCustomer")]
public static async Task RunOrchestrator(
[OrchestrationTrigger] IDurableOrchestrationContext context)
{
    Customer customer =  context.GetInput();


    int customerId = await context.CallActivityAsync("DurableCustomer_AddToSQL", customer);


    var retryOptions = new RetryOptions(System.TimeSpan.FromSeconds(5), 3)
    {
        Handle = ex => ex.Message.Contains("Network Error")
    };

    int returnId = await context.CallActivityWithRetryAsync("DurableCustomer_AddCRM",retryOptions,customerId);

    return returnId;
}

Step 3: Let's change the AddCRM function a little bit and generate a custom error

[FunctionName("DurableCustomer_AddCRM")]
public static int AddToCRM([ActivityTrigger] int customerId, ILogger log)
{
    //insert to CRM
    int returnId = customerId * 10; //return code from CRM insert
    throw new System.Exception("Network Error");
    //return returnId;
}

Step 4: Let's deploy and check in postman. In the same time we will navigate to Monitoring -> Log Stream section of the Function App in Azure portal.























Let's check log stream. Look, I got four error messages. Original error and three attempts just after that




















Durable Functions have other error handling mechanisms as well. We have discussed only the retry pattern in this article.

Hope this helps :)

Update 16-02-2022 : I've uploaded the code to this repository

Thursday, December 2, 2021

Azure Durable Functions to implement function chaining with custom data

In my previous post I explained how to post to Azure Function with .NET 6. Let's  complicate the scenario a little bit.

Let's say that we need to save a customer, but we will store customer id and name in our own SQL database and need to send the email address to a CRM system. 
Following are the steps
  • Insert customer name to Azure SQL instance
  • Generate auto increment id in Azure SQL
  • Insert customer contact in external CRM with auto increment customer id
  •  











Can we develop this logic in a single Function?

Yes it is possible. But it is not the best practice. Following are some of the issues and risks I can see
  • First of all it is violating the Single Responsibility concept. 
  • We should not start CRM insertion part until the SQL insertion is completed. So some sort of statefulness is required.
  • How can we ensure the durability and consistency. Let's say External CRM fails, what can we do for the entire transaction.
What would be the best solution then?

We can use Azure Durable Functions to achieve the functionality. 

What is Azure Durable Function?

Azure Durable Functions allow you to author stateful functions in a serverless compute environment. We need to break our logic into several functions.
  • Client Function (trigger)
  • Orchestrator Function
  • Activity Function
Let's implement our logic

Step 1: Create Function. We need to specify storage account during the creation process. This is to maintain the state. Scaffolding generates a sample base which is very helpful.


























Step 2: Let's add our customer class




















Step 3: Let's create our activity functions

[FunctionName("DurableCustomer_AddToSQL")]
[FunctionName("DurableCustomer_AddToSQL")]
public static int AddToSQL([ActivityTrigger] Customer customer, ILogger log)
{
    //insert to SQL logic
    int customerId = customer.id; //should be populated with the reusult
    return customerId;
}

[FunctionName("DurableCustomer_AddCRM")]
public static int AddToCRM([ActivityTrigger] int customerId, ILogger log)
{
    //insert to CRM
    int returnId = customerId * 10; //return code from CRM insert
    return returnId;
}

Step 4: Let's modify our orchestrator

[FunctionName("DurableCustomer")]
public static async Task RunOrchestrator(
[OrchestrationTrigger] IDurableOrchestrationContext context)
{
    Customer customer =  context.GetInput();

    int customerId = await context.CallActivityAsync("DurableCustomer_AddToSQL", customer);
    int returnId = await context.CallActivityAsync("DurableCustomer_AddCRM", customerId);

    return returnId;
}
 

Step 5: Let's do necessary amendments to our http trigger function to accept Customer object

public static async Task HttpStart(
[HttpTrigger(AuthorizationLevel.Anonymous, "post")] HttpRequestMessage req,
[DurableClient] IDurableOrchestrationClient starter,
ILogger log)
{
    // Function input comes from the request content.

    var customer = await req.Content.ReadAsAsync();

    string instanceId = await starter.StartNewAsync("DurableCustomer", customer);

    log.LogInformation($"Started orchestration with ID = '{instanceId}'.");

    return starter.CreateCheckStatusResponse(req, instanceId);
}

Step 6: Let's deploy our function













Step 7: Let's try this with Postman


















Step 8: Get the StatusQueryGetUri to check the status






















Great !!. We will discuss how to handle retry operation in my next post

Tuesday, November 30, 2021

Posting data to Azure Function using HTTP trigger with .NET 6

Serverless computing was out there for a long time. Microsoft Azure had adapted the concept with Azure Functions, Logic Apps and Event Grids.

We can use Azure Functions for event driven workloads with short lived processes. That means there should be a trigger that will initiate the function. For an example,

  • Blog is added to your container
  • Timer tick
  • New item added to queue
  • HTTP request
  • etc..

This is the first post of a serious of articles on Azure Functions/Durable functions.

In this post I'll guide how to respond to HTTP post request with an Azure Function. 

By the way shouldn't I be using a RESTful Web API in Azure Web App instead of Azure Function?

That can also be an option. But let's think about it's usage. If we have a small and well defined and short lived component, what's the harm of using a function. And I'll extend this article into another blog post to illustrate some cool features Azure Functions can bring to the table.

Let's start the journey

Step 1: Create Azure Function App in Azure portal. I use .Net as the runtime and 6 as the version
















Step 2: Open the VSCode in your directory and install following extensions if you had not already installed















Step 3: Let's navigate to Azure section and login to your subscription. Then click on the Azure Function App we just created. You can see the Function App















Step 4: Let's add our first Function there. Press F1 key and select Azure Functions: Create Function option































Step 5: This is the generated code with the scaffolding


namespace Company.Function
{
    public static class CustomerTrigger
    {
        [FunctionName("CustomerTrigger")]
        public static async Task Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
        {
            log.LogInformation("C# HTTP trigger function processed a request.");

            string name = req.Query["name"];

            string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
            dynamic data = JsonConvert.DeserializeObject(requestBody);
            name = name ?? data?.name;

            string responseMessage = string.IsNullOrEmpty(name)
                ? "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."
                : $"Hello, {name}. This HTTP triggered function executed successfully.";

            return new OkObjectResult(responseMessage);
        }
    }
}

Step 6: Let's add another class called Customer










Step 7: Let's modify the Function a bit now


public static class CustomerTrigger
{
        [FunctionName("CustomerTrigger")]
        public static async Task Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
        {

            string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
            Customer customer = JsonConvert.DeserializeObject(requestBody);


            return new OkObjectResult(customer.name);
        }
}

Step 8: Let's deploy the function to our Function App













Step 9: Great!! our function is deployed now. Let's get the URL











Step 10: Let's try this with Postman














Great!! Our sample is working perfectly !!

Thursday, November 25, 2021

Resolve error: Creation of System Topic has failed with error: The subscription is not registered to use namespace 'Microsoft.EventGrid'. See https://aka.ms/rps-not-found for how to register subscriptions. Event Subscription will not be created.

Recently I got the above error when creating an Event Grid subscription









Following are the steps I used to resolve the error

Using Azure Cloud Shell execute following commands

  • az account set --subscription "Visual Studio Enterprise Subscription"
  • az provider register --namespace Microsoft.EventGrid
  • az provider show -n Microsoft.EventGrid
This will register the provider in your subscription.

This format is applicable for registering any service providers in your subscription

Monday, November 15, 2021

Azure Application Insights - Smart Detection - Identify suspicious user activity

Now we can detect suspicious user activity using Azure Application Insights.

You need to navigate to Application Insights and click on Smart Detection. It will show potential security and performance issues.














We can click on the Suspicious user activity detected (preview) card to obtain more information on the issue. 

Then click on the Suspicious user activity link.








It'll show malicious users who accessed the system from multiple locations at the same time.











If we want we can construct an Alert Rule to notify an authority at a particular time





Furthermore we can see all requests from malicious users. For that you need to click on All requests from the most suspicious user link











You can modify the value for user_AuthenticatedId parameter to see what other users had accessed

Tuesday, October 19, 2021

Resolve - Microsoft 365 Compliance - Sorry we couldn't update your organizational settings. Please try again

When I navigated to Microsoft 365 compliance center to enable audit I encountered following error












Seems that there is a throttling enabled. I waited few minutes and it was successful after few attempts. I didn't need to do anything extra.



Tuesday, October 12, 2021

Azure Advisor : Your assistant in Cloud

You can have multiple workloads in your cloud. When time goes on you might find it difficult to manually check each and every resource. Most of the time Cloud housekeeping is neglected.

May be your resources are not provisioned with the best practices. Or may be you have security vulnerabilities. Furthermore your resources are not right sized, causing your cost to go up.

Azure Advisor is the centralized service which scans each and every workload and recommend you with best practices to optimize.















You get recommendations on following categories

  • Cost
  • Security
  • Reliability
  • Operational excellence
  • Performance
We will check few examples from each section

Let's first check on Cost section

As you can see I have two high impact recommendations








Let's first check the quick fix









This VM is not being used at all. We can shut down the VM and reduce our cost.

Let's check Security section

We have multiple security vulnerabilities there












Let's see Reliability findings

It'll show the improvements I can introduce to improve the reliability











Let's find out performance suggestions

Following are some suggestions









Wednesday, September 8, 2021

Azure Privileged Identity Management (PIM) to grant Just in Time (JIT) access to resources

We always want to follow the least privilege security principle when granting permissions. Is role based access control alone sufficient to achieve this?

There are several challenges

  • If permission given indefinitely without an expiry, it will cause a risk
    • Such users may leave the organization
    • Projects may end
  • Having higher permission without a need at the moment is also a risk
    • Credentials can be compromised at any moment
    • You may do mistakes with higher permissions
Privileged Identity Management (PIM) is the solution for this. Microsoft Azure also provides a PIM facility which is an Azure AD premium (P2) feature. This article will provide an overview of Azure PIM features.

Azure PIM allows you to grant users and groups elevated privileges to Azure AD and Azure resources whenever necessary.

We will take a scenario to explain the concept.

Lat's take Contoso, which is a Financial organization which has its workloads in Microsoft Azure. John is a systems engineer who works in the same organization. Time to time the business requires to build new VM workloads and to modify existing VM resources. John should not have permanent contribute access due to prevailing audit and compliance requirements. What would be the solution?

What we can do is to use PIM, and assign John as eligible for VM Contribute role. As per this solution John will not have permanent access to the resource. Whenever he needs the access, John would navigate to PIM console and requests for the desired access. He might be asked to provide a strong authentication (MFA) and approval might also be required. After the granted time window is elapsed his elevated privilege will be revoked.

Existing privileges

Currently John has read permission to the subscription. When he navigate to create a VM he will get following error message




















Steps to gain Just in Time (JIT) privileges to perform desired actions

Step 1 : Administrator would log into  PIM and click on Azure Resources















Step 2 : Click on Roles and click on add assignments


















Step 3 : Select the role and select the user

































Let's login to the PIM as John.

Step 1 : Navigate to My roles and Azure resources









Step 2 : John will activate the privilege for 1 hour







































Step 3 : Navigate to Active assignments in Azure resources blade in PIM









Now John should have access to VM resources, Let's see whether if he can create a VM.




















Great!! Now we don't get the previous error. John's access will be revoked automatically after the expiry date or he can manually deactivate the elevated access.