This Azure template deploys a low-interaction network honeypot VM that acts as a canary detection sensor. It monitors and logs all incoming TCP connection attempts (TCP SYN packets), providing early warning of network reconnaissance and attack activities.

The deployment creates a minimal B1ls VM (1 vCPU, 0.5GB RAM) running Azure Linux 3. This demo deployment also deploys a public IP address to demonstrate functionality based on Internet port scans. The VM is configured with cloud-init to use nftables to log TCP SYN packets to the systemd-journal. Journal SYN probe logs are continuously read, transformed and stored

Until recently Azure Private Link has been restricted to specific Microsoft enabled resource types or your own Azure VM hosted resources.

A notable limitation has been the requirement for the destination to be a Standard Load Balancer with a backend pool configured by NIC. This excluded services such as VNet integrated Azure Container Instances, which do not support private endpoints and also do not provision a NIC in the VNet and therefore could only be routed by IP address.

Microsoft recently released in public preview Private Link Service [Direct Connect](https://learn.microsoft.com/en-us/azure/private-link/configur

Bicep v0.34.1 brings many great features to Bicep. One that I think is underrated by not having it as a highlighted feature is the new --pattern argument for faster batch operations on multiple files. Below is a comparison of a simulated linting of 100 Bicep files using a parallel invocation of bicep lint vs a single invocation of bicep lint --pattern. The difference is dramatic, with pattern based linting being 40 times faster in clock time on a 4 core system, and 261 times faster in CPU usage. I typically lint all Bicep files that are part of an IaC repository to ensure that module changes do not break upstream or downstream dependencies. This change will allow you to save CI runner resources and have your IaC PR checks completed faster.

> docker run --rm -it alpine /bin/sh -c 'apk add -q --no-progress libstdc++ icu-libs icu-data-full parallel && wget

The Azure AD B2C hash claims transformation takes the following form:

<ClaimsTransformation Id="MyHashClaimsTransformation" TransformationMethod="Hash">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="myPlaintext" TransformationClaimType="plaintext" />
    <InputClaim ClaimTypeReferenceId="mySalt" TransformationClaimType="salt" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_MyRandomizerSecret" />
 

Performing .NET diagnostics such as memory dumps and process tracing can be challenging in some scenarios, for example when running distroless containers which do not have an interactive shell. Fortunately .NET provides several options for performing remote diagnostics. The options differ somewhat in their capabilities.

Did you know that you can acquire an access token for an Azure user-assigned identity using PowerShell and an Azure Storage account? You can achieve this by hosting a minimal OpenID Provider and delegating trust via workload identity federation. This post will also help you better understand the technical details of how federated credentials work.

The process in brief:

1. Create an RSA sign

Azure Key Vault keys secure the private key material in a way that is not exportable. Key Vault backups are encrypted and restricted to the same Azure subscription and Azure geography.

You can copy a key from one subscription to another by:

1. Taking a backup in the source subscription
2. Creating a new key vault in the source subscription (any region in the same geography) and restoring the backup
3. Moving the new key vault to the destination subscription

Some limitations:

This example shows setting up a Tailscale exit node running as a container on Azure Container Instances to provide global Internet egress. You can also use a similar setup to configure a Tailscale subnet router which would allow access to Azure private Virtual Networks, private endpoints, private DNS zone resolution as well as Azure service endpoints.

You can use exit nodes on several platforms including Android, iOS, Linux, macOS, tvOS and Windows.

[!NOTE]

Up until now you have been able to define a federatedIdentityCredential with the issuer, audiences and subject properties. For example to allow a GitHub Actions workflow running in the context of environment prod in the repository octo-org/octo-repo:

{
  "issuer": "https://token.actions.githubusercontent.com"
  "audiences": [
    "api://AzureADTokenExchange"
  ]

I wanted a way to report on current Entra ID principals in my tenant as well as the permissions granted to such principals across apps, the tenant directory and Azure subscriptions. Microsoft provides the separately licensed Entra Permissions Management which provides comprehensive principal and permissions discovery and reporting. I wanted something simpler.

The PowerShell script entra-id-principals-permissions-report.ps1 enumerates all principals and various permissions available in your current [Azure CLI login context](https://learn.microsoft.com/en-us/cli/azure/a