In this article, we perform a simple experiment to better understand Azure Container Registry (ACR) geo-replication behavior.

Say we are using premium-tier ACR with geo-replication enabled and “docker push” image1:tag1 to the registry from the East US 2 region. What happens when we try to “docker pull” image1:tag1 from the Southeast Asia region before the replication is finished?

According to the “Considerations for using a geo-replicated registry”, Azure Traffic Manager is used internally by the registry to redirect the request to the registry in the closest region. …


In this article, we test a few ways in which a workload running in Azure Kubernetes Service (AKS) in one region can access Azure SQL Database that is deployed in another region.

We look at the following three approaches, but other approaches like VPN and VNet-to-VNet are also possible:

  • If our Azure SQL Database does not deny public network access, we can configure Azure SQL Server IP Firewall Rules to allow access from our specific Azure Public IPs in another region without enabling access to “all” Azure services.
  • If our Azure SQL Database is restricted to allow only private access, we can use cross-region private endpoints via Azure Private Link for Azure SQL Database. …

In this article, we look at a scenario where an Azure Managed Application publisher (aka Independent Software Vendor or ISV) needs to use their publisher identity to create/delete secrets (e.g. connection string) in an Azure Key Vault that is in the Managed Resource Group (MRG) in the customer’s Azure subscription, so that other resources (e.g. Web Apps, VMs) running in the MRG can use these secrets.

Challenge

Azure Key Vault resource and its data-plane access policies are tied to a specific Azure Active Directory tenant (i.e. there is a tenantId property in Azure Key Vault resource) and resources deployed in the managed resource group in the customer subscription need to be able to use the secrets in Azure Key Vault. …


In this article, we take a look at how to set “Incremental” deployment mode for Service Catalog Definition for Azure Managed Application.

If you are new to Azure Managed Applications, please see this article.

When developing and testing Azure Managed Applications, I usually use the “az managedapp definition create” Azure CLI command to create the service catalog definition in my Azure subscription for testing prior to publishing in Azure Marketplace. Currently, this CLI command does not provide a way to explicitly specify the Deployment Mode (i.e. …


This is my initial collection of useful resources for ISVs (Independent Software Vendors) and Startups building on Azure and Azure Marketplace.

If you are a developer, engineer, architect, or product manager working for an ISV (Independent Software Vendor) or a Startup and are tasked with creating or migrating your solution to Azure platform or publishing it as an “offer” in Azure Marketplace, you may find the following links and resources useful in your journey.

Azure Architecture


In this video, we look at how to refresh Azure Managed Application permissions (e.g. Owner, Contributor, or Customer Allowed Actions) and how, as a publisher, to obtain an access token using the Managed Application’s Managed Identity.

If you are new to Azure Managed Applications, you may first want to watch the two videos in “Simple Azure Managed Application: creating, testing, and publishing in Partner Center”.

Reminder: When building your Azure Application ARM templates for submission to Azure Marketplace, please make sure to carefully follow all of the guidelines and best practices described here and be ready to make fixes and changes based on manual review feedback. …


In the following series of four videos, we look at a more advanced and “experimental” Azure Managed Application that deploys Azure Kubernetes Service (AKS) and Azure Managed Identity, and performs some cross-resource group role assignments. We also walk through using Azure Instance Metadata Service and AKS Pod Identity to obtain access tokens for interacting with Azure Data Lake Storage and ARM REST APIs.

Before diving into the videos below, you may first want to watch the two videos in “Simple Azure Managed Application: creating, testing, and publishing in Partner Center”.

You can see most of the sample commands and ARM templates used in the videos at https://github.com/arsenvlad/azure-managed-app-aks-managed-identity.


In the following two videos, we look at how to create and test a simple “Hello World”-style Azure Managed Application in the developer’s Azure subscription, and how to publish the same application in the Partner Center and deploy its “preview” in an end-customer Azure subscription under a different Azure Active Directory tenant.

In subsequent videos, we may go deeper and look at an Azure Managed Application that includes an AKS resource, managed identities, deployment-time role assignments, etc.

You can see the sample code used in the videos below here.

Important: When building your Azure Application ARM templates for submission to Azure Marketplace, please make sure to carefully follow all of the guidelines and best practices described here and be ready to make fixes and changes based on manual review feedback. …

About

Arsen Vladimirskiy

Principal Engineer / Architect, FastTrack for Azure at Microsoft
