DataProtection and scaling /8 #33104
Conversation
I think my statement was correct, but I agree that it could mislead new users and should be updated. It is true that someone has to decide and configure where that shared storage location will be, but that someone may not be the app author (e.g. in ACA or App Services on Windows). |
aspnetcore/security/data-protection/configuration/scaling/includes/scaling7.md
Show resolved
Hide resolved
| author: acasey | ||
| description: Learn how to configure Data Protection in ASP.NET Core for multi-instance apps. | ||
| ms.author: acasey | ||
| ms.custom: mvc |
There was a problem hiding this comment.
@Rick-Anderson Do you happen to know what this means/does? I just copied it from the overview.
| * Newly created Azure Container Apps built using ASP.NET Core Kestrel. For more information see [Autoscaling considerations | ||
| ](/azure/container-apps/dotnet-overview#autoscaling-considerations). | ||
|
|
||
| The following distributed environments do ***NOT*** provide automatic key storage in a shared location: |
There was a problem hiding this comment.
I think I might characterize these as scenarios where keys will not be shared across instances (even if they have a shared location).
| * Separate [deployment slots](/azure/app-service/deploy-staging-slots), such as Staging and Production. | ||
| * Azure Container Apps built using ASP.NET Core Kestrel 7.0 or earlier. For more information see [Autoscaling considerations | ||
| ](/azure/container-apps/dotnet-overview#autoscaling-considerations). | ||
| * Asp.net core apps hosted on multiple non-Azure VMs that don't use server affinity. |
There was a problem hiding this comment.
Server affinity doesn't get you shared storage, it makes shared storage unnecessary.
There was a problem hiding this comment.
Out of curiosity, how are we going to keep this up-to-date if/when non-Azure clouds add support for this (which they can straightforwardly do, if they're interested)?
There was a problem hiding this comment.
Out of curiosity, how are we going to keep this up-to-date if/when non-Azure clouds add support for this (which they can straightforwardly do, if they're interested)?
See #33108
Co-authored-by: Andrew Casey <[email protected]>
| The following distributed environments provide automatic key storage in a shared location: | ||
|
|
||
| * [Azure apps](/aspnet/core/security/data-protection/configuration/default-settings). For more information see <xref:security/data-protection/configuration/default-settings#key-management>. | ||
| * Newly created Azure Container Apps built using ASP.NET Core. For more information see [Autoscaling considerations |
There was a problem hiding this comment.
I've asked ACA for a date we can use in place of "newly created".
There was a problem hiding this comment.
Did you get a date?
| The following distributed environments provide automatic key storage in a shared location: | ||
|
|
||
| * [Azure apps](/aspnet/core/security/data-protection/configuration/default-settings). For more information see <xref:security/data-protection/configuration/default-settings#key-management>. | ||
| * Newly created Azure Container Apps built using ASP.NET Core. For more information see [Autoscaling considerations |
There was a problem hiding this comment.
@claudiaregio Can you remember how we scoped this? I've suddenly remembered that this might only affect Aspire apps for now?
There was a problem hiding this comment.
@claudiaregio Can you remember how we scoped this? I've suddenly remembered that this might only affect Aspire apps for now?
| * Newly created Azure Container Apps built using ASP.NET Core. For more information see [Autoscaling considerations | ||
| ](/azure/container-apps/dotnet-overview#autoscaling-considerations). | ||
|
|
||
| The following scenarios do ***NOT*** provide automatic key storage in a shared location: |
There was a problem hiding this comment.
This list still feels off to me. What if we framed it as a list of caveats and dropped the mention of non-Azure and ARR?
If ARR is important, we could say that it's an alternative (that applies everywhere, not just non-Azure) though, personally, I think we covered that adequately in the intro.
There was a problem hiding this comment.
@amcasey Can you use the suggestion feature to rough draft your approach? I can wordsmith your suggestion
Rick-Anderson
changed the title
|
|
||
| ## Managing Data Protection keys outside the app | ||
|
|
||
| An app with multiple instances may occasionally see an error like `System.Security.Cryptography.CryptographicException: The key {A6EF5BC2-FDCC-4C0C-A3A5-CDA9A1733D70} was not found in the key ring.`. This can happen when instances get out of sync and data protected on one instance (e.g. an anti-forgery token) is unprotected on another instance (e.g. because a form was served from the former and posted to the latter) that doesn't yet know about that key. When this happens, an app user may have to resubmit a form or re-authenticate (if it was an authentication token that couldn't be unprotected). |
|
|
||
| For example, with Azure blob storage as the key repository, the key manager could be a simple console app run on a schedule. | ||
|
|
||
| ```csharp |
There was a problem hiding this comment.
I'm sure there's a more conventional way to include code samples. Let me know if you want a zip of the project.
|
|
||
| Note that app instances will throw exceptions if they need to perform any `Protect` or `Unprotect` operations before the key manager has run for the first time, so it is preferable to execute it before creating app instances. | ||
|
|
||
| :::moniker-end |
There was a problem hiding this comment.
I couldn't figure out a nice way to phrase "ACA will do this for you automatically, if you let it".
There was a problem hiding this comment.
review my rewrite and use the suggestion feature if needed.
Co-authored-by: Andrew Casey <[email protected]>
aspnetcore/security/data-protection/configuration/scaling/includes/scaling7.md
Show resolved
Hide resolved
| The following distributed environments do ***NOT*** provide automatic key storage in a shared location: | ||
|
|
||
| * Separate [deployment slots](/azure/app-service/deploy-staging-slots), such as Staging and Production. |
There was a problem hiding this comment.
@amcasey @adityamandaleeka, for customers on the .NET 8+, the list where it doesn't work is just deployment slots. Is that the only place it doesn't work with .NET 8+
| The following distributed environments provide automatic key storage in a shared location: | ||
|
|
||
| * [Azure apps](/aspnet/core/security/data-protection/configuration/default-settings). For more information see <xref:security/data-protection/configuration/default-settings#key-management>. | ||
| * Newly created Azure Container Apps built using ASP.NET Core Kestrel. For more information see [Autoscaling considerations |
There was a problem hiding this comment.
@amcasey What's newly created? Can we be more precise?
|
|
||
| For example, with Azure blob storage as the key repository, the key manager could be a simple console app run on a schedule. | ||
|
|
||
| ```csharp |
|
|
||
| Note that app instances will throw exceptions if they need to perform any `Protect` or `Unprotect` operations before the key manager has run for the first time, so it is preferable to execute it before creating app instances. | ||
|
|
||
| :::moniker-end |
There was a problem hiding this comment.
review my rewrite and use the suggestion feature if needed.
|
|
||
| var hostBuilder = new HostApplicationBuilder(); | ||
|
|
||
| // hostBuilder.Configuration.AddJsonFile("appsettings.json", optional: false, reloadOnChange: false); |
There was a problem hiding this comment.
@amcasey not needed so commented out. Will remove line or comment characters.
| { | ||
| "AzureURIs": { | ||
| "BlobStorage": "https://<storage-account>.blob.core.windows.net/<container>/keys.xml", | ||
| "KeyVault": "https://<key-vault-name>.vault.azure.net/keys/<key-name>/" |
There was a problem hiding this comment.
| "KeyVault": "https://<key-vault-name>.vault.azure.net/keys/<key-name>/" | |
| "KeyVault": "https://<key-vault-name>.vault.azure.net/" |
Pls review my suggested change from your version.
| "Logging": { | ||
| "LogLevel": { | ||
| "Default": "Information", | ||
| "Microsoft.AspNetCore": "Warning" | ||
| } | ||
| }, | ||
| "AllowedHosts": "*" |
There was a problem hiding this comment.
I can remove this JSON but that's what the templates produce and in the article I yellow highlight the AKV URIs
Rick-Anderson
requested review from
amcasey and
claudiaregio
and removed request for
claudiaregio
Fixes #32530
Replaces #33086
@amcasey maybe I don't understand the topic, In your draft " However, when an app scales horizontally by adding more instances, it becomes necessary to explicitly configure Data Protection to establish a shared storage location for Data Protection keys. "
But not in all horizontal scaling (right). It's important to not assume much knowledge for newer users.
I think we can lower the friction if I use your draft to create the article.
Internal previews