Azure pros share their insights on the differences between Event Grid and Event Hubs, Sentinel, setting up PaaS connections, and more.
The difference between Event Grid and Event Hubs
Writing on the Serverless360 blog, Nadeem Ahamed went over the differences between Azure Event Grid and Event Hub. Although the names of the two services sound very similar, their purposes differ. Ahamed defined an Event as a lightweight notification, telling of a state or condition change, sent out from a publisher to a consumer. Events take the form of discrete events, such as a file being placed in an account, or series events, such as a stream of related events in the case of IoT device telemetry readings. Messages, by contrast, are simply raw data to be consumed elsewhere.
Event Hubs is a managed and highly scalable data ingestion system that handles upwards of millions of events per second while Event Grid helps to build apps for event-based architectures. Ahamed recommends using Event Hub for capturing telemetry and saving Event Grid for shipping and moving scenarios. Azure Monitor ties in with both services to enable monitoring.
Getting going with Azure Sentinel
Bert Wolters, writing on AzureMan, took a look at getting started with Azure Sentinel, which is generally available as of the end of September. The service is easy to add through the Azure portal, and users should plan to run it in conjunction with a Log Analytics workspace and align permissions for different scenarios. Sentinel is pre-loaded with a number of connectors to common Microsoft services, such as Azure Advanced Threat Protection, Active Directory, Office 365 or Cloud App Security, and has the option to pull data from firewalls and endpoints.
Private Azure PaaS connections
Aidan Finn explained some of the options for setting up secure, private connections for Azure PaaS offerings. ExpressRoute is one option. It resembles a WAN connection for Azure VNets using virtual network gateways. Running VMs or App Service Environments often introduces latency, which service endpoints for key services can help to resolve.
Finn also mentioned one of the three common scenarios for Private Link, which is only available in the US and remains in preview. Private Link supports a private IP address on a VNet subnet to route traffic to the virtual network. This globally unique record boosts private access from on-prem.
Working with Azure API Management
Gregor Suttie explained how to move a preexisting API into Azure API Management and then secure it with Okta. Third-party vendor Okta offers its Identity Cloud to help with multi-factor authentication, single sign-on and lifecycle management, and Suttie had a chance to work with the Okta development tenant. He plugged in key details like the login redirect URL and client ID, and then navigated within Azure to create a new API Management instance, selecting OAuth 2.0 under the security menu.
Following guidance from Microsoft documentation, Suttie imported a test API, launched the API Management developer portal, and clicked the “Try It” command. Resetting the system to demand an authorization code will connect to Okta, issuing a login prompt. He added:
Lastly we need to add what's called an in-bound policy to check the token is valid – otherwise the calls will always succeed with or without using Okta. To add an in-bound policy go to your Azure API instance within Azure, then the developer portal and select your api and then select All operations (or the api call you wish to secure) and then select Inbound processing…
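A minimal form of the inbound policy Suttie describes, added here as an illustration and not taken from his post: the Okta domain, audience and scope values are placeholders that must match the Okta authorization server and client configured earlier, and without this policy API Management forwards every call to the backend regardless of whether a token was presented.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject the request before it reaches the backend unless a signed,
         unexpired Bearer token issued by the configured Okta server is present. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true">
      <!-- Placeholder: replace {yourOktaDomain} with the Okta tenant used for the client. -->
      <openid-config url="https://{yourOktaDomain}/oauth2/default/.well-known/openid-configuration" />
      <audiences>
        <!-- Placeholder: the audience configured on the Okta authorization server. -->
        <audience>api://default</audience>
      </audiences>
      <issuers>
        <issuer>https://{yourOktaDomain}/oauth2/default</issuer>
      </issuers>
      <required-claims>
        <!-- Placeholder scope: tokens must carry at least one of the listed values in scp. -->
        <claim name="scp" match="any">
          <value>read:items</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Applying the policy at the All operations scope covers every operation in the API; applying it to a single operation leaves the others open.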
Updating Azure Kubernetes Service credentials
Writing on Pixel Robots, Richard Hooper explained that all Azure Kubernetes Service (AKS) clusters are created with a service principal that has a one-year expiration date. He shared a command to track down the service principal and mentioned the importance of matching the AKS cluster and resource group. From there, users need to update the service principal with a password automatically generated in Azure. The password typically gets saved to a variable so that it is easily findable later on with a password management system. Finally, Hooper added that users need to change both the AKS cluster and resource group names.