Taswar Bhatti
The synonyms of software simplicity

I had the opportunity to speak at satazureday Azure Saturday here in Ottawa last week, and went through the topic of Azure Key Vault. I also had a co-presenter to share the talk with; an upcoming public speaker Petrica Mihai. He created most of the slides and the demo code in C# 🙂
You can view the code at https://github.com/mihaipetri/AzureKeyVaultNet

In any case if you are interested here are the slides on Azure Key Vault.

And the transcript:

  1. Azure Key Vault • What are we trying to solve with KeyVault?
    • Let’s step back and look at a Cloud Design Pattern
    • External Configuration Pattern
  2. External Configuration Pattern
  3. Typical Application
  4. Storing Configuration in file
  5. Multiple application
  6. External Configuration Pattern
    • Helps move configuration information out of the application deployment
    • his pattern can provide for easier management and control of configuration data
    • For sharing configuration data across applications and other application instances
  7. Problems
    • Configuration becomes part of deployment
    • Multiple applications share the same configuration
    • Hard to have access control over the configuration
  8. External Configuration Pattern
  9. When to use the pattern
    • When you have shared configuration, multiple application
    • You want to manage configuration centrally by DevOps
    • Provide audit for each configuration
  10. When not to use
    • When you only have a single application there is no need to use this pattern it will make things more complex
  11. Cloud Solution Offerings
    • Azure KeyVault (Today’sTalk)
    • Vault by Hashicorp
    • AWS KMS
    • Keywhiz
  12. What is Azure Key Vault ?
    • Safe1guard cryptographic keys and secrets used by cloud applications and services
    • Use hardware security modules (HSMs)
    • Simplify and automate tasks for SSL/TLS certificates
  13. Gemalto / SafeNet – Hardware Security Module
  14. How Azure Key Vault can help you ?
    • Customers can import their own keys into Azure, and manage them
    • Keys are stored in a vault and invoked by URI when needed
    • KeyVault performs cryptographic operations on behalf of the application
    • The application does not see the customers’ keys
    • KeyVault is designed so that Microsoft does not see or extract your keys • Near real-time logging of key usage
  15. Bring Your Own Key (BYOK)
  16. Create a Key Vault New-AzureRmKeyVault -VaultName ‘MihaiKeyVault’ -ResourceGroupName ‘MihaiResourceGroup’ -Location ‘Canada East’
  17. Objects, identifiers, and versioning
    • Objects stored in Azure KeyVault (keys, secrets, certificates) retain versions whenever a new instance of an object is created, and each version has a unique identifier and URL
    • https://{keyvault-name}.vault.azure.net/{object-type}/{object- name}/{object-version}
  18. Azure Key Vault keys
    • Cryptographic keys in Azure KeyVault are represented as JSONWeb Key [JWK] objects
    • RSA: A 2048-bit RSA key.This is a “soft” key, which is processed in software by KeyVault but is stored encrypted at rest using a system key that is in an HSM
    • RSA-HSM: An RSA key that is processed in an HSM
    • https://myvault.vault.azure.net/keys/mykey/abcdea84815e4ca8bc19c f8eb943ee88
  19. Create a Key Vault key $key = Add-AzureKeyVaultKey -VaultName ‘MihaiKeyVault’ -Name ‘MihaiFirstKey’ -Destination ‘Software’
  20. Azure Key Vault secrets
    • Secrets are octet sequences with a maximum size of 25k bytes each
    • The Azure KeyVault service does not provide any semantics for secrets; it accepts the data, encrypts and stores it, returning a secret identifier, “id”, that may be used to retrieve the secret
    • https://myvault.vault.azure.net/secrets/mysecret/abcdea54614e4ca7 ge14cf2eb943ab23
    • Create a Key Vault secret $secret = Set-AzureKeyVaultSecret -VaultName ‘MihaiKeyVault’ -Name ‘SQLPassword’ -SecretValue $secretvalue
    • Azure Key Vault certificates
      • Import/generate existing certificates, self-signed or Enroll from Public Certificate Authority (DigiCert, GlobalSign andWoSign)
      • When a KeyVault certificate is created, an addressable key and secret are also created with the same name
      • https://myvault.vault.azure.net/certificates/mycertificate/abcdea848 15e4ca8bc19cf8eb943bb45
    • Create a Key Vault certificate
    • Secure your Key Vault
      • Access to a key vault is controlled through two separate interfaces: management plane and data plane
      • Authentication establishes the identity of the caller
      • Authorization determines what operations the caller is allowed to perform
      • For authentication both management plane and data plane use Azure Active Directory
      • For authorization, management plane uses role-based access control (RBAC) while data plane uses key vault access policy
    • Access Control
      • Access Control based on Azure AD
      • Access assigned at theVault level
      • – permissions to keys
      • – permissions to secrets
      • Authentication against AzureAD
      • – application ID and key
      • – application ID and certificate
    • Azure Managed Service Identity (MSI)
      • Manage the credentials that need to be in your code for authenticating to cloud services
      • Azure KeyVault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them
      • Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD)
      • You can use this identity to authenticate to any service that supports AzureAD authentication, including KeyVault, without having any credentials in your code

      Azure Key Vault Logging

      • Monitor how and when your key vaults are accessed, and by whom
      • Save information in an Azure storage account that you provide
      • Use standard Azure access control methods to secure your logs by restricting who can access them
      • Delete logs that you no longer want to keep in your storage account
    • Azure Key Vault Pricing • Operations (Standard or Premium) $0.030 per 10000 operations
      • Advanced Operations (Standard or Premium) $0.150 per 10000 operations
      • Certificate Renewals (Standard or Premium) $3.00 per renewal
      • Hardware Security Module Protected Keys (Premium only) $1.00 per key
    • Azure Key Vault DEMO
      • Create KeyVault, Secrets, Keys and Certificates
      • Create AzureAD Application
      • Consuming Secrets and Keys https://azurekeyvaultnet.azurewebsites.net – live demo
      • https://github.com/mihaipetri/AzureKeyVaultNet – demo code
Taswar Bhatti - Cloud Design Patterns

This week I gave a talk on Cloud Design Patterns at the Ottawa .NET Community. I wanted to share the sides here and will most likely write on articles on the topic using real world examples. Samples in C# and node.js, in AWS and Azure.

For the talk I went through, what Cloud Design Patterns are and mainly focused on the patterns below without using any platform specifications. (i.e cloud agnostics)

  • The External Configuration Pattern
  • The Cache Aside Pattern
  • The Federated Identity Pattern
  • The Valet Key Pattern
  • The Gatekeeper Pattern
  • The Circuit Breaker Pattern

For each of them I also went through when you should use the pattern and when not to use it, I also provided Cloud Solutions Offering that one can use to implement the pattern.

Enjoy the slides 🙂

oauth and openid_

Wanted to share my DevTeach Montreal 2017 talk where I talked about OAuth and OpenId Connect. The types of OAuth Grants, how to consume them, the flows in OAuth and what OpenId Connect comes into play, what does it solve.

Hope you like the presentation and if you are interested in more security topics, ping me and let me know what would you be interested in.

elastic search

Wanted to share my DevTeach talk slides on Elastic Search. Where I went into introducing the Elastic Stack. Consisting of Elastic Search, Logstash and Kibana. I also went into the constraints that we had and the design approaches that we took.

Hope you enjoy and expect more ElasticSearch blogs this year 🙂

Taswar Bhatti Talk on MS Bot Framework

In May 2017 I did a talk in Ottawa .NET User Group on Introduction to Microsoft Bot Framework, it was a interesting turnout and lots of conversation on what a bot can do for a business and how to use them.

Below you will find the slides for my talk on Microsoft Bot Framework. The sample demo code can be find on github https://github.com/Microsoft/BotBuilder-Samples, where we demo searching of Real Estate, image search, etc.

Ottawa IT Meetup Community: https://www.meetup.com/ottawaitcommunity/events/235920172/

If you are interested in more on bot framework and like to see more articles on it, please let me know 🙂

Taswar Bhatti Xamarin Dev Days

Last week I did a presentation on Xamarin Dev Days here in Ottawa, the presentation was on Introduction to Xamarin, unfortunately my demo did not work, the demo gods were not with me that day 🙁
The demo code uses Microsoft Cognitive Service Bing Search to search for images to display on a mobile phone. Mainly I was doing a demo on the Android platform. The code base is on Github

The slides for my presentation are located here.

I also did another demo for Carleton University Business Program on Xamarin and if you wish to see more Xamarin related article please let me know 🙂


Redis Transactions

Redis provides a way to do Transactions, but the transactions are somewhat different than what you know from a SQL Relational Database perspective. In SQL Relation Database world you can executed partially and then rolled back the entire transaction. While Redis uses the MULTI and EXEC commands where every command passed as part of a transaction is executed one after another until they have all completed and only after they have completed then other clients may execute their commands. You can think of it more like a queue that stores all your commands and when you call EXEC it loops through the queue and execute the task on the queue one after the other while being locked in the loop i,e no other thread could come in.

Below is an example of a Client queuing up the calls to Redis using MULTI in Redis client library to make a call to Redis Server to process the commands in an EXEC.



Note: You see Client2 also making a call to Redis but the command is only executed after the process of Client commands.

One important thing to note is when using Redis Transaction one cannot make decisions inside the block, but you can use WATCH to prevent a key to be changed in a transaction. E.g We can WATCH the key “A” in our sample and when we try to use it in MULTI and EXEC it will fail to change A. A will be discarded as shown below, when A was set as 4, even inside of the block we were not able to make the change the EXEC was in some way ROLLBACKED i.e DISCARD

In Redis StackExchange library uses Conditions to mimic Watch since Redis StackExchange uses Multiplex. Commands can come in different stages but conditions can be used to detect changes.

C# code using Redis Transactions

So this covers the basic usage of Redis Transactions, in the next blog post I will cover how to use Lua in Redis.

For the code please visit

For previous Redis topics

  1. Intro to Redis for .NET Developers
  2. Redis for .NET Developer – Connecting with C#
  3. Redis for .NET Developer – String Datatype
  4. Redis for .NET Developer – String Datatype part 2
  5. Redis for .NET Developer – Hash Datatype
  6. Redis for .NET Developer – List Datatype
  7. Redis for .NET Developer – Redis Sets Datatype
  8. Redis for .NET Developer – Redis Sorted Sets Datatype
  9. Redis for .NET Developer – Redis Hyperloglog
  10. Redis for .NET Developer – Redis Pub Sub
  11. Redis for .NET Developers – Redis Pipeline Batching

Redis provides a way to use Pipeline Batching to send messages to Redis but first we must understand that Redis uses tcp request response protocol, some may know it as client server model. If you are coming from a web http world, you will have no issue understanding client server, where the browser acts like a client and the web server running (IIS, Nginx or Apache) as the server.

Below is an example of a Client calling the Redis library to make a call to Redis Server to store a value of 10.

In the above diagram as you can see there is a large amount of time where the client is just waiting for a response, the round trip time can have a significant impact if the latency between the network is long.

Redis Pipelining

Redis provides a mechanics called pipelining, which allows a client to send multiple messages to Redis Server without waiting for a reply on each message. Something like the diagram below. Note: Something to consider, Redis does stored these messages into queue such that it can reply to the client and as a result it is using memory on the server.

In .NET we are lucky that we have TPL and asycn/await built into our languages, so the design choice that StackExchange.Redis has done is to use the framework itself to handle such situations. One can simply use the Wait() keyword or ContinueWith() for completion of task. There is also another case, which is the CommandFlags.FireAndForget that you may have seen in my previous examples, the FireAndForget allows us to continue immediately in our code since we do not care about the response we get back from Redis Server.

C# code using Redis Pipeliine (TPL)

Redis Batching

StackExchange.Redis also provides a way to send batch request to Redis. What it allows us to do is to send a block of operations to the server together. The reason for this is that it will help reduce packet fragmentation when the connection to redis is slow. The downside is it will take a longer time to get the first operation complete to process, but overall it can improve the time to get all the operation processed. Below is an example of using Batching.


C# code using Redis batching

So this covers the basic usage of Redis Pipeline and Batching, the recommendation for StackExchange.Redis is to use the normal async/await of TPL to handle all the pipeline for you, since StackExchange.Redis does it best under the cover to handle multiplex connections. In the next blog post I will cover how to use Transactions in Redis.

For the code please visit

For previous Redis topics

  1. Intro to Redis for .NET Developers
  2. Redis for .NET Developer – Connecting with C#
  3. Redis for .NET Developer – String Datatype
  4. Redis for .NET Developer – String Datatype part 2
  5. Redis for .NET Developer – Hash Datatype
  6. Redis for .NET Developer – List Datatype
  7. Redis for .NET Developer – Redis Sets Datatype
  8. Redis for .NET Developer – Redis Sorted Sets Datatype
  9. Redis for .NET Developer – Redis Hyperloglog
  10. Redis for .NET Developer – Redis Pub Sub

Redis Pub Sub, somehow may sound weird that it provides such a functionality since when you think of Redis the first thing that comes to mind is of a cache key value store. But indeed Redis does allow us to use the messaging paradigm by using channels to publish messages and for subscribers to listen for notification of the message. Redis Pub Sub allows multiple subscribers to listen to one or more channels, and to only receive messages that are of interest. It decouples the subscriber from the publisher since the subscriber has no knowledge of whom the publishers are and vice versa there could be multiple publisher not knowing whom the subscribers are.

Sample Diagram of Redis Pub Sub


Redis Pub Sub

There are definitely certain restrictions of using Redis Pub Sub as a Messaging System, it will not be like RabbitMQ, Kafka or Azure MessageBus etc. Those message bus are able to store the message for durability or even replay of an old message for consumption. Redis uses a listener model where there are no listeners (subscribers) it will not receive those messages. But if you wish to have a simple pub sub without the heavy tools then Redis does quite a good job at it.

Redis Pub Sub – Operations

  • PUBLISH channels message: Posts a message to the given channel O(N+M)
  • SUBSCRIBE [channel]: Subscribe to a given channel for message, O(N) where N is the number of channels to subscribe to
  • PSUBSCRIBE [channel]: Subscribes the client to the given patterns, O(N) where N is the number of patterns the client is already subscribed to.
  • PUBSUB CHANNELS pattern: Currently active channels, O(N)
  • PUBSUB NUMSUB channel: Number of subscribers to the channels provided, O(N)
  • PUBSUB NUMPAT: Number of subscriptions to all the patterns O(N)
  • PUNSUBSCRIBE: Unsubscribes the client from a pattern, O(N+M)
  • UNSUBSCRIBE: Unsubscribes the client from a channel, O(N) where N is the number of clients already subscribed to a channel.

C# code using Redis PubSub

So this covers the basic usage of Redis PubSub, in the next blog post I will cover how to use Pipelines in Redis.

For the code please visit

For previous Redis topics

  1. Intro to Redis for .NET Developers
  2. Redis for .NET Developer – Connecting with C#
  3. Redis for .NET Developer – String Datatype
  4. Redis for .NET Developer – String Datatype part 2
  5. Redis for .NET Developer – Hash Datatype
  6. Redis for .NET Developer – List Datatype
  7. Redis for .NET Developer – Redis Sets Datatype
  8. Redis for .NET Developer – Redis Sorted Sets Datatype
  9. Redis for .NET Developer – Redis Hyperloglog
DevTeach Mntreal Speaker

Yeahhhh I am really exited that I have been selected to speak at DevTeach Montreal 2017 this year, July 3rd onward to July 7th in the lovely Montreal Canada.

I remember my first visit to DevTeach was in 2007 as an attendee, now 10 years later I am presenting in the conference. Looking back it has been one amazing ride of where things are for me. In 2007 when I was attending Roy Osherove presented on Agile Development and ended with singing a song at the end of the session, which was quite memorable moment. To JP Boodhoo session on refactoring code and Rules for Agile Design by Jeremy Miller, Oren Eini on MonoRails and Rhino Mocks. Those were quite the early days of ALT .NET and who would have known that .NET would now be open source and runs on Linux with dotnet core.

I wonder what the next 10 years would be like for .net community?

My two abstract which has been selected by DevTeach
– Store 2 million of audit a day into Elastic Search
– OAuth2 and OpenId Connect Demystified

You can read more on the abstract on the DevTeach site.

Come and join us at DevTeach Montreal, it would be an awesome event with the Jazz festival happening at the same time and one day you never know you may be speaking in DevTeach too….