.NET 3.1 End of Life is on 13 December 2022

.NET Core 3.1 End of Life is on 13 December 2022 - You must migrate to .NET 6.0 before January 2023

.NET Core 3.1 will reach end of life on 13 December 2022. Any service still using .NET Core 3.1 after December 2022 will be at immediate security and compliance risk starting on 13 January 2023. Because of this security impact, there are no extensions or deferrals for these dates.

Required action

Services using .NET Core 3.1 must be migrated to .NET 6.0, recompiled, and validated before January 2023.

For more information, please see these .NET documents:

Discover any expiring certificates for App Services using graph queries

Use Azure Resource Graph to run cross-subscription queries and find out whether any App Service certificates are about to expire.

Get all web app certificates

This returns a list of all the App Service certificates in your subscription(s).

resources
| where type == "microsoft.web/certificates"

To simplify the overview, we can limit the properties we return:

resources
| where type == "microsoft.web/certificates"
| project resourceGroup, name, subscriptionId, properties.expirationDate, properties.thumbprint, properties.subjectName, properties.issuer

Get the expiration date of each certificate:

resources
| where type == "microsoft.web/certificates"
| extend ExpirationDate = todatetime(properties.expirationDate)
| project ExpirationDate, resourceGroup, name, subscriptionId, properties.expirationDate, properties.thumbprint, properties.subjectName, properties.issuer
| order by ExpirationDate asc

Get the number of days until expiration (this query also keeps certificates that have already expired, which show a negative value):

resources
| where type == "microsoft.web/certificates"
| extend ExpirationDate = todatetime(properties.expirationDate)
| extend DaysUntilExpiration = datetime_diff("day", ExpirationDate, now())
| project DaysUntilExpiration, ExpirationDate, resourceGroup, name, subscriptionId, properties.expirationDate, properties.thumbprint, properties.subjectName, properties.issuer
| where ExpirationDate < now() + 60d
| order by DaysUntilExpiration

Group by month for easy visualization:

resources
| where type == "microsoft.web/certificates"
| extend ExpirationDate = todatetime(properties.expirationDate)
| extend ExpirationYear = getyear(ExpirationDate)
| extend ExpirationMonth = format_datetime(ExpirationDate, 'yyyy-MM')
| extend DaysUntilExpiration = datetime_diff("day", ExpirationDate, now())
| summarize count() by ExpirationMonth
| order by ExpirationMonth asc

You can also pin these results and visualizations to your Azure dashboards (private or shared).
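The same expiry logic, carried out offline over the rows the "project" query above returns, as an added example that is not part of the original post. It assumes the rows were exported with `az graph query -q "<query>" -o json` (the `data` array), where Resource Graph flattens projected fields such as `properties.expirationDate` to `properties_expirationDate`; adjust the keys if your export names them differently. The sample rows, names and thumbprints are constructed. Unlike the KQL, it keeps certificates whose expiration date is missing or unparseable in a separate list instead of silently dropping them, and flags already-expired certificates explicitly.

```python
"""Offline expiry report for App Service certificates exported from Azure Resource Graph.

Added example (not the original post's code). Column names such as
properties_expirationDate are an assumption about the flattened 'az graph query'
output; the sample rows below are constructed placeholders.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows: placeholder names, subscription ids and thumbprints.
SAMPLE_ROWS = [
    {"resourceGroup": "rg-web-prod", "name": "cert-api",
     "subscriptionId": "00000000-0000-0000-0000-000000000001",
     "properties_expirationDate": "2022-10-05T00:00:00.0000000Z",
     "properties_thumbprint": "THUMB-A", "properties_subjectName": "api.example.com"},
    {"resourceGroup": "rg-web-prod", "name": "cert-legacy",
     "subscriptionId": "00000000-0000-0000-0000-000000000001",
     "properties_expirationDate": "2022-08-20T12:00:00Z",
     "properties_thumbprint": "THUMB-B", "properties_subjectName": "legacy.example.com"},
    {"resourceGroup": "rg-web-test", "name": "cert-staging",
     "subscriptionId": "00000000-0000-0000-0000-000000000002",
     "properties_expirationDate": "2022-10-28T00:00:00Z",
     "properties_thumbprint": "THUMB-C", "properties_subjectName": "staging.example.com"},
    {"resourceGroup": "rg-web-prod", "name": "cert-wildcard",
     "subscriptionId": "00000000-0000-0000-0000-000000000001",
     "properties_expirationDate": "2023-06-30T23:59:59Z",
     "properties_thumbprint": "THUMB-D", "properties_subjectName": "*.example.com"},
    {"resourceGroup": "rg-web-test", "name": "cert-broken",
     "subscriptionId": "00000000-0000-0000-0000-000000000002",
     "properties_expirationDate": None,
     "properties_thumbprint": "THUMB-E", "properties_subjectName": "broken.example.com"},
]

# Fixed "now" so the constructed sample gives reproducible numbers.
REPORT_AS_OF = datetime(2022, 9, 1, tzinfo=timezone.utc)


def parse_expiration(value):
    """Parse an ARM timestamp into an aware UTC datetime; None if absent or invalid."""
    if not value:
        return None
    text = value.strip()
    if text.endswith("Z"):                       # 'Z' suffix is rejected by fromisoformat before Python 3.11
        text = text[:-1] + "+00:00"
    text = re.sub(r"(\.\d{6})\d+", r"\1", text)  # ARM often emits 7 fractional digits; keep 6
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def build_report(rows, now=None, window_days=60):
    """Mirror the queries above: days until expiry, an N-day window and a per-month histogram.

    Expired certificates stay in the window (negative days) and are flagged;
    rows without a usable date are listed under "missing" rather than dropped.
    """
    now = now or datetime.now(timezone.utc)
    expiring, missing = [], []
    by_month = Counter()
    for row in rows:
        expires = parse_expiration(row.get("properties_expirationDate"))
        if expires is None:
            missing.append(row["name"])
            continue
        by_month[expires.strftime("%Y-%m")] += 1  # same bucket as format_datetime(..., 'yyyy-MM')
        days = (expires.date() - now.date()).days  # calendar days, like datetime_diff("day", ...)
        if days <= window_days:
            expiring.append({
                "name": row["name"],
                "resourceGroup": row.get("resourceGroup"),
                "subscriptionId": row.get("subscriptionId"),
                "thumbprint": row.get("properties_thumbprint"),
                "subject": row.get("properties_subjectName"),
                "expires": expires.isoformat(),
                "days_until_expiration": days,
                "expired": days < 0,
            })
    expiring.sort(key=lambda r: r["days_until_expiration"])
    return {"expiring": expiring, "missing": missing, "by_month": dict(sorted(by_month.items()))}


if __name__ == "__main__":
    report = build_report(SAMPLE_ROWS, now=REPORT_AS_OF)
    for cert in report["expiring"]:
        state = "EXPIRED" if cert["expired"] else "expiring"
        print(f"{state:9} {cert['days_until_expiration']:>5}d  {cert['name']}  {cert['subject']}")
    print("no usable expiration date:", report["missing"])
    print("certificates per month:", report["by_month"])
```

The "missing" list is the part worth watching in practice: a certificate row without an expiration date is exactly the one the KQL `todatetime` filter quietly removes, so it never shows up in the dashboard tile.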

How to use Azure Resource Graph Explorer for Microsoft.Web resources

Azure Resource Graph

Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

Below are a few Microsoft.Web resource types supported by Azure Resource Graph:

  • microsoft.web/apimanagementaccounts
  • microsoft.web/apimanagementaccounts/apis
  • microsoft.web/certificates
  • Microsoft.Web/connectionGateways (On-premises Data Gateways)
  • Microsoft.Web/connections (API Connections)
  • Microsoft.Web/customApis (Logic Apps Custom Connector)
  • Microsoft.Web/HostingEnvironments (App Service Environments)
  • Microsoft.Web/KubeEnvironments (App Service Kubernetes Environments)
  • Microsoft.Web/serverFarms (App Service plans)
  • Microsoft.Web/sites (App Services)
  • microsoft.web/sites/premieraddons
  • Microsoft.Web/sites/slots (App Service (Slots))
  • Microsoft.Web/StaticSites (Static Web Apps)
  • Microsoft.Web/WorkerApps (Container Apps)

How to explore Azure Resource Graph in the Azure portal:

Use Resource Graph Explorer in the portal to run the queries below.

Azure Graph Queries

To see all sites across all subscriptions and resource groups:

resources
| where type == "microsoft.web/sites"

If you want to see all your sites that are located in West US:

resources
| where type == "microsoft.web/sites"
| where location == "westus"

If you want to see all your running sites, you can drill into the "properties" object:

resources
| where type == "microsoft.web/sites"
| where properties.state == "Running"

To get sites count by region:

resources
| where type == "microsoft.web/sites"
| summarize count() by location

To find all function apps that are still using Python 3.6, filter on the site properties exposed under properties.siteProperties.properties:

resources
| where type == 'microsoft.web/sites'
| where subscriptionId =~ '<SubIdHere>'
| where properties.siteProperties.properties contains "Python|3.6"
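A runtime inventory over exported microsoft.web/sites rows, as an added example that is not part of the original post. It serves both the Python 3.6 filter above and the .NET Core 3.1 end-of-life notice at the top of the page: the same matcher finds "DOTNETCORE|3.1" sites. It reads the name/value pairs under properties.siteProperties.properties (LinuxFxVersion / WindowsFxVersion), which is the JSON the KQL `contains` string-matches; that field layout, the sample sites and the registry host are constructed assumptions. The example also shows a gap in a plain `contains "Python|3.6"` filter: a custom container whose image tag merely mentions python3.6 is not matched, so image-based apps need their own pattern.

```python
"""Runtime inventory for Azure Resource Graph microsoft.web/sites rows.

Added example (not the original post's code). The siteProperties layout is an
assumption based on the 'contains' query above; sample sites are constructed.
"""
from collections import Counter

# Constructed sample sites: placeholder names and a placeholder registry host.
SAMPLE_SITES = [
    {"name": "func-a", "kind": "functionapp,linux", "properties": {"siteProperties": {"properties": [
        {"name": "LinuxFxVersion", "value": "PYTHON|3.6"},
        {"name": "WindowsFxVersion", "value": None}]}}},
    {"name": "func-b", "kind": "functionapp,linux", "properties": {"siteProperties": {"properties": [
        {"name": "LinuxFxVersion", "value": "PYTHON|3.9"},
        {"name": "WindowsFxVersion", "value": None}]}}},
    {"name": "web-c", "kind": "app,linux", "properties": {"siteProperties": {"properties": [
        {"name": "LinuxFxVersion", "value": "DOTNETCORE|3.1"},
        {"name": "WindowsFxVersion", "value": None}]}}},
    {"name": "func-d", "kind": "functionapp,linux,container", "properties": {"siteProperties": {"properties": [
        {"name": "LinuxFxVersion", "value": "DOCKER|registry.example.invalid/func:python3.6"},
        {"name": "WindowsFxVersion", "value": None}]}}},
    {"name": "app-e", "kind": "app", "properties": {"siteProperties": {"properties": [
        {"name": "LinuxFxVersion", "value": ""},
        {"name": "WindowsFxVersion", "value": None}]}}},
]


def site_runtime(site):
    """Return the runtime stack string (LinuxFxVersion, else WindowsFxVersion), or "" if neither is set."""
    pairs = ((site.get("properties") or {}).get("siteProperties") or {}).get("properties") or []
    values = {p.get("name"): p.get("value") for p in pairs if isinstance(p, dict)}
    return values.get("LinuxFxVersion") or values.get("WindowsFxVersion") or ""


def sites_matching(sites, needle):
    """Names of sites whose runtime string contains `needle`, case-insensitively.

    KQL `contains` is also case-insensitive, so "Python|3.6" finds "PYTHON|3.6".
    """
    needle = needle.lower()
    return [s["name"] for s in sites if needle in site_runtime(s).lower()]


def runtime_inventory(sites):
    """Count sites per normalized runtime string; sites with no stack set are bucketed as <unspecified>."""
    return Counter(site_runtime(s).upper() or "<unspecified>" for s in sites)


if __name__ == "__main__":
    print("Python 3.6 sites:", sites_matching(SAMPLE_SITES, "Python|3.6"))
    print(".NET Core 3.1 sites:", sites_matching(SAMPLE_SITES, "DOTNETCORE|3.1"))
    print("image tags mentioning python3.6:", sites_matching(SAMPLE_SITES, "python3.6"))
    for runtime, count in sorted(runtime_inventory(SAMPLE_SITES).items()):
        print(f"{count:3}  {runtime}")
```

Sites that end up in the `<unspecified>` bucket are worth a second look: for Windows apps the stack is often not reflected in these two fields at all, so a zero result from the Python 3.6 query is not proof that no such app exists.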

On 30 September 2025, Basic SKU public IP addresses will be retired in Azure

Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025—Basic SKU will be retired

On 30 September 2025, Basic SKU public IP addresses will be retired in Azure.
You can continue to use your existing Basic SKU public IP addresses until then; however, you will no longer be able to create new ones after 31 March 2025.

Standard SKU public IP addresses offer significant improvements, including:

  1. Access to a variety of other Azure products, including Standard Load Balancer, Azure Firewall, and NAT Gateway.
  2. Security by default—closed to inbound flows unless allowed by a network security group.
  3. Zone-redundant and zonal front ends for inbound and outbound traffic.

If you have any Basic SKU public IP addresses deployed in Azure Cloud Services (extended support), those deployments will not be affected by this retirement and you don’t need to take any action for them.

Required action
To avoid any potential service disruptions, review pricing and then upgrade to Standard SKU public IP addresses by 30 September 2025.

Azure Container Instance Reserve Ports

Please note:
The ACI service reserves the following ports for service functionality: 22, 443, 1025-1027, 3389-3399, 9999, 19000, 19080, 19390, 191000, 20000-30000, 49152-65534.
Make sure your ACI image does not use any of these ports; if it does, try a different port. If a port is already in use, the container may keep restarting.

For more information:
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-faq#does-the-aci-service-reserve-ports-for-service-functionality-
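A pre-deployment check that a container's exposed ports do not fall into the reserved list above, as an added example that is not part of the original post. The reserved-port string is the one quoted in the note; the parser, the function names and the sample port list are this example's own. Entries outside the valid port range 1-65535 (the list as quoted contains 191000) are reported back rather than silently dropped, so a copy-paste mistake in the list is visible.

```python
"""Check container ports against the ports reserved by Azure Container Instances.

Added example (not the original post's code). RESERVED_PORT_SPEC is the list
quoted in the note above; everything else here is constructed for illustration.
"""

RESERVED_PORT_SPEC = (
    "22, 443, 1025-1027, 3389-3399, 9999, 19000, 19080, 19390, 191000, "
    "20000-30000, 49152-65534"
)


def parse_port_ranges(spec):
    """Parse "22, 1025-1027, ..." into ([(lo, hi), ...], [entries that are not valid ports]).

    An entry is rejected if it is not numeric or lies outside 1-65535.
    """
    ranges, invalid = [], []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        parts = entry.split("-")
        try:
            lo, hi = int(parts[0]), int(parts[-1])   # single port: lo == hi
        except ValueError:
            invalid.append(entry)
            continue
        if not (1 <= lo <= hi <= 65535):
            invalid.append(entry)
            continue
        ranges.append((lo, hi))
    return ranges, invalid


def reserved_port_conflicts(ports, spec=RESERVED_PORT_SPEC):
    """Return the sorted, de-duplicated subset of `ports` that collides with a reserved range."""
    ranges, _ = parse_port_ranges(spec)
    return sorted({p for p in ports if any(lo <= p <= hi for lo, hi in ranges)})


def check_container_ports(ports, spec=RESERVED_PORT_SPEC):
    """Summarize a port list: ok flag, conflicting ports, and spec entries that were ignored."""
    conflicts = reserved_port_conflicts(ports, spec)
    return {
        "ok": not conflicts,
        "conflicts": conflicts,
        "ignored_entries": parse_port_ranges(spec)[1],
    }


if __name__ == "__main__":
    # Constructed sample: ports a container might expose.
    result = check_container_ports([80, 443, 1026, 3390, 8080, 25000, 50000])
    print("ok:", result["ok"])
    print("conflicting ports:", result["conflicts"])
    print("ignored reserved-list entries:", result["ignored_entries"])
```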

HTH. By Jacky 2022-9-20

Backup and Restore Azure Firewall Policy

There is a two-click deployment solution that uses a Logic App to back up Azure Firewall and Firewall Policy. It is available in the GitHub repository: Azure-Network-Security/Azure Firewall/Template - Logic App for Azure Firewall Backups
https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Template%20-%20Logic%20App%20for%20Azure%20Firewall%20Backups

The Logic App is configured and scheduled to run "Backup Firewall and Firewall Policy" every three days and store the result in the storage account it creates. We can change this frequency as needed. The backup files are arranged in chronological order.

We can download a backup (a JSON file) from the storage account container and restore it with the following command in Cloud Shell:

New-AzResourceGroupDeployment -name -ResourceGroupName -TemplateFile

The restore prompts for two inputs, FirewallPublicIP and FirewallVnet, which we can supply as follows:

/subscriptions/YourSubscriptionId/resourceGroups/CxE-AzFWBackup-WebinarDemo/providers/Microsoft.Network/publicIPAddresses/FWPIPBDemo
/subscriptions/YourSubscriptionId/resourceGroups/CxE-AzFWBackup-WebinarDemo/providers/Microsoft.Network/virtualNetworks/AzFwVnet

This restore command restores both the firewall and the firewall policy from the backup, even if they have been deleted. By choosing the corresponding backup file, the restore can return them to their state on a specific date.

In the test environment, I added rc02 as shown in the figure below:

PS /home/jacky> New-AzResourceGroupDeployment -name AzureFirewall_vhub-prod-jpe -ResourceGroupName rg-lab-candel -TemplateFile "backup-2022-08-22T09_24_01.1439684Z"

virtualHubs_vhub_prod_jpe_externalid: /subscriptions/YourSubscriptionId/resourceGroups/rg-lab-candel/providers/Microsoft.Network/virtualHubs/vhub-prod-jpe

DeploymentName : AzureFirewall_vhub-prod-jpe
ResourceGroupName : rg-lab-candel
ProvisioningState : Succeeded
Timestamp : 8/22/2022 10:02:52 AM
Mode : Incremental

After running the restore command, only rc01 from the backup file was restored, as shown in the figure below:

Deallocate and allocate Azure Firewall in Virtual WAN Hub

Stop Azure Firewall in a Virtual Hub

PS /home/jacky> Set-AzContext -Subscription "Your Subscription Id"
PS /home/jacky> $firewall = Get-AzFirewall -Name "AzureFirewall_vhub-prod-jpe" -ResourceGroupName "rg-lab-candel"
PS /home/jacky> $firewall.Deallocate()
PS /home/jacky> $firewall | Set-AzFirewall

After a short wait you will see FQDNs and IpAddresses shown as null.
Name : AzureFirewall_vhub-prod-jpe
ResourceGroupName : rg-lab-candel
Location : japaneast
ThreatIntelWhitelist : {
"FQDNs": null,
"IpAddresses": null
}

The Portal shows the same state.

Start Azure Firewall in a Virtual Hub
Set-AzContext -Subscription "Your Subscription Id"
$virtualhub = Get-AzVirtualHub -ResourceGroupName "rg-lab-candel" -Name vhub-prod-jpe
$firewall = Get-AzFirewall -Name "AzureFirewall_vhub-prod-jpe" -ResourceGroupName "rg-lab-candel"
$firewall.Allocate($virtualhub.Id)
$firewall | Set-AzFirewall

Azure App Service Networking Updates

App Service now supports VNet Integration and Private Endpoints on the Basic SKU.

With this update, you can use a lower-cost SKU and achieve the same level of security that previously required a higher SKU.
Note that if you want to downgrade an existing App Service plan and still use VNet Integration, the plan needs to be on a newer App Service cluster so that it supports VNet Integration on the Basic SKU.

For more details, see: https://docs.microsoft.com/azure/app-service/overview-vnet-integration#limitations

Learn how to enable virtual network integration: https://docs.microsoft.com/azure/app-service/configure-vnet-integration-enable

Learn how to connect to a web service using Azure Private Endpoints: https://docs.microsoft.com/azure/private-link/tutorial-private-endpoint-webapp-portal

HTH. 2022-6-30 by Jacky

Backing up an Azure Web App fails with an error when the database size exceeds the 4 GB limit

In my environment:

  1. My database size is 4.31 GB.

  2. I clicked the "Backup" button in my Web App and it failed.
    Error message: Cannot backup database YourDatabaseName since it exceeds maximum allowable limit (4392.828125 MB > 4096 MB).

Solution:

Please check this blog post, which explains additional steps you can take to set up a separate automated backup mechanism for your Azure SQL databases: https://techcommunity.microsoft.com/t5/azure-database-support-blog/how-to-automate-export-azure-sql-db-to-blob-storage-use/ba-p/368864 It covers the steps required to automate the export of an Azure SQL Database to a .bacpac file and store it in an Azure Storage account.

That doesn't interfere with or block the built-in automated backup feature in Azure SQL Database, which is covered here in more detail: Automatic, geo-redundant backups - Azure SQL Database & Azure SQL Managed Instance
https://docs.microsoft.com/en-us/azure/azure-sql/database/automated-backups-overview?tabs=single-database

HTH. 2021-11-2 By Jacky