Hosting a static website with HTTPs and AFD in Azure Blob Storage

Configuring the Storage Account

To deploy static website, configure it within a storage account.

Select a storage account.
Navigate to "Data management" on the left panel.
Click "Static website" to enable the option.
Specify an Index document.
The inclusion of a custom 404 error page is optional.
Upon completion, click "Save" to apply the modifications.

Screenshot of the 'Static website' configuration pane in the Azure portal

A blob storage container named $web is automatically created in the storage account if it doesn't already exist. Upload your website's files to the "$web" container for accessibility through the static website's primary endpoint.

Screenshot showing the automatically created '$web' container under 'Containers'

Note:

Files located within the $web container are case-sensitive, accessible via anonymous requests, and restricted to read-only operations.

Uploading Files

Alternatively, one may utilize AzCopy, PowerShell, the Command Line Interface (CLI), or any bespoke application capable of uploading files to the $web container associated with your account.

I will begin with the portal.

In the Containers pane, select the $web container to open the container's Overview pane. Within the Overview pane, select the Upload icon to access the Upload blob pane. Subsequently, select the Files field within the Upload blob pane to initiate the file browser. Navigate to and select the desired file, then select Open to populate the Files field. Optionally, select the Overwrite if files already exist checkbox.

From Azure CLI/Azure Cloud Shell to upload files to $web container:

az storage blob upload-batch -s C:\myFolder -d '$web' --account-name <storage-account-name>

Note:

For common extensions like .txt/.html, this property automatically sets to text/html. Otherwise, manual setting is required; without it, browsers will prompt users to download the file instead of displaying its content, for CLI, you can append --content-type 'text/html; charset=utf-8' to the command.

Finding the Website UR

You can view the pages of your site from a browser by using the public URL of the website.

Enabling Metrics on Static Website Pages

Once you've enabled metrics, traffic statistics on files in the $web container are reported in the metrics dashboard. Click Metrics under the Monitor section of the storage account menu.

Click the Add filter button and choose API name from the Property selector.

Integrating with Azure CDN and Custom Domain

Create an Azure Content Delivery Network profile and endpoint.

A CDN profile is a container for CDN endpoints and specifies a pricing tier.

In the Azure portal, select Create a resource (on the upper left). The Create a resource portal appears. Search for and select "Front Door and CDN profiles", then select "Create".

Select "Azure Front Door" then select "Quick create". Select Continue to create a Front Door.

2-1 If you got an error like following image shows “Microsoft.Cdn is not registered for the subscription”

You have to registered resource provider in your subscription first. Your Azure subscription doesn't have every single service enabled by default. To prevent accidental use of services you don't need, many resource providers must be explicitly registered before you can use them.

2-1.1 Register resource provider

On the left menu and under Settings, select Resource providers. Enter "Microsoft.Cdn" in the filter bar, select the resource provider and select Register. To maintain least privileges in your subscription, only register the resource providers that you're ready to use.

Registering the Microsoft.Cdn resource provider

This registration is a one-time process per subscription. You can do it easily with the Azure CLI, PowerShell. To see all registered resource providers for your subscription, use:

az provider list --query "sort_by([?registrationState=='Registered'].{Provider:namespace, Status:registrationState}, &Provider)" --out table

After you registered the resource providers, continue the step 2, select your Subscription; Resource Group; Name; Tier; Endpoint Name; on the origin type options, choose storage(static website); Origin Host Name. Select Review + Create then Create to create the profile.

Create a new content delivery network endpoint

Upon establishing a content delivery network profile, one may proceed to utilize it for endpoint creation.

Access your content delivery network profile by selecting it from your Azure portal dashboard. If it's not readily visible, locate it either by opening the resource group where it was created or by using the portal's search bar at the top, entering the profile name, and selecting it from the results.

Locate "Pending" and record the domain verification's record name and value.

Domain verification record name and value

Connect your primary endpoint to the AFD endpoint. From the Azure Front Door profile page, select the setting section and Front Door manger. The "Add an endpoint" pane will subsequently be displayed.

Adding an endpoint in Front Door manager

Map a Custom Domain with HTTPS enabled

Step 1: Get the host name of your storage endpoint.

The host name is the storage endpoint URL without the protocol identifier and the trailing slash.

In the Azure portal, go to your storage account.
In the menu pane, under Settings, select Endpoints.
Copy the value of the Blob service endpoint or the Static website endpoint to a text file.
Remove the protocol identifier (For example: HTTPS) and the trailing slash from that string.

Step 2: Create a canonical name (CNAME) record with your domain provider.

Create a CNAME record to point to your host name. A CNAME record is a type of Domain Name System (DNS) record that maps a source domain name to a destination domain name.

Note: CNAME records must be accessible to public networks. If CNAME records are private, registration with Azure will not succeed.

Sign in to your domain registrar's website, and then go to the page for managing DNS setting. You might find the page in a section named Domain Name, DNS, or Name Server Management.
Find the section for managing CNAME records. You might have to go to an advanced settings page and look for CNAME, Alias, or Subdomains.
- The subdomain alias such as www or photos, etc. The subdomain is required, root domains are not supported.
- The host name that you obtained in the Get the host name of your storage endpoint section earlier in this article.

The image below displays my DNS configuration. I purchased this DNS from Namecheap. After acquiring a DNS, it's essential to configure it by adding a TXT Record for validation, a CNAME Record for a user-friendly website name, and installing SSL certificates for security. If your domain provider supports DNSSEC, enable it to safeguard your site's domain name from potential spoofing (man-in-the-middle) attacks on your DNS setup.

To confirm that DNSSEC is active and functioning, use 'dig' command in Bash:

dig www.dongan.cloud +short +dnssec

The long string of numbers and letters at the end (wvfBvh...) is the actual cryptographic signature.

Result of dig command for DNSSEC verification

Step 3: Register your custom domain with Azure

In the Azure portal, go to your storage account. In the menu pane, under Security + networking, select Networking. In the Networking page, choose the Custom domain tab. In the Domain name text box, enter the name of your custom domain, including the subdomain. To register the custom domain, choose the Save button.

Registering a custom domain in Azure networking

Finally, navigate to AFD, select "settings," then "Domains" to verify your domain's status.

Verifying domain status in Azure Front Door

Once Azure validation is complete, verify HTTPS and certificate validity by entering your domain name in a browser. Then, click on "connection is secure" to inspect the certificate details.

Verifying HTTPS connection and certificate

Troubleshooting & Outcomes:

The TXT record host name from the domain provider may vary (e.g., _dnsauth.www.dongan.cloud , _dnsauth.www , or _dnsauth ). If you encounter a "CNAME record not detected" error, validation state is approved, it may not a CNAME record issue. This error occurs because Azure cannot find your TXT record due to host name differences, preventing domain ownership verification.
If domain validation in AFD exceeds one hour, it indicates an issue, as TXT record values are only valid for that duration. In such cases, you must delete the domain in AFD. Then, generate a new record value, ensuring the TXT record hostname is correct. Delete the old TXT record from your domain provider, and subsequently add the new TXT record with its new value and the proper hostname.
Make sure your index and error document names are the same as the files in your $web container.
In your domain provider Consider adding an ALIAS record for the bare domain (@ host) with the value: Type: ALIAS record | Host: @ | Value: AFD-CDN-example.z22.azurefd.net. - Set TTL - only 1 min or 5 min are available.
You can use any DNS checker to verify the CNAME record was created correctly, such as: https://toolbox.googleapps.com/apps/dig/#CNAME/ Or use CMD: nslookup www.example.com; Bash shell: dig www.example.com
When you update your website files like a new index.html or CSS file in the $web container, the changes may not appear immediately. This is because the Azure CDN caches the old files on its edge servers. To force an update, you must perform a 'Cache Purge' from the Azure Front Door profile overview . Purging /* will clear all cached content and force the CDN to fetch the latest versions from your storage account."
503 Service Unavailable error, when you disable health probes, AFD stops checking if your website is actually online. It will blindly assume your origin (the storage account) is always healthy and will continuously send user traffic to it, even if it's down.
With Health Probes Enabled: If your primary origin in Region A goes down, the health probes fail. Azure Front Door instantly detects this, marks it as unhealthy, and automatically redirects 100% of your traffic to the healthy backup origin in Region B. Your users would experience zero downtime. This is seamless failover.
With Health Probes Disabled: If your primary origin in Region A goes down, Azure Front Door has no idea. It continues to send a percentage of your traffic (e.g., 50%) to the dead origin. This means half of your users will get errors, while the other half will be fine. The automatic failover mechanism is completely broken.
Public network access scope: “Enable from all networks” —This is a security risk! This setting means that anyone on the internet can bypass your Azure Front Door and access your website directly using the storage account's URL (e.g., sa1.z2.web.core.windows.net). This defeats the purpose of using AFD for security features like a Web Application Firewall (WAF). Changing "Public network access scope" to “Enable from selected networks” To enhance security, it is best practice to configure your storage account to accept traffic exclusively from Azure Front Door by adding its IP address ranges. This ensures all visitor traffic is routed through Azure Front Door.

Here is how the traffic should flow:

A user goes to my custom domain
Namecheap directs the traffic to my AFD/CDN endpoint.
The CDN checks if it has a fresh copy of my website(cache). If not, it goes to the Storage Account endpoint to grab the latest files.
The CDN delivers the website to the user from the closest and fastest location.

Why You should use the CDN Endpoint

Feature	Using CDN Endpoint (Correct Way)	Using Storage Endpoint (Incorrect Way)
🚀 Speed	Fast. Visitors get content from a server geographically close to them.	Slow. All visitors, regardless of location, must fetch content from the single storage account location.
🔒 Security	High. The CDN provides security features like DDoS protection and a managed SSL certificate for your custom domain.	Low. You bypass all the advanced security and certificate management features of the CDN.
✅ Reliability	High. The CDN is a globally distributed service designed to handle high traffic and provides better uptime.	Lower. You are relying on a single resource in a single region.

My Portfolio Website View Counts: Cloud-Based API

This project focuses on developing a cloud-based API designed to track and manage website view counts.

Prerequisites:

Get Storage Account Connection String: Go to sastaticwebapp1 storage account in the Azure portal. In the left menu under Security + networking, click on Access keys. Copy one of the connection strings.
Create a Table: In that same sastaticwebapp1 storage account, go to the Storage browser in the left menu. Select Tables, click + Add table, and name the new table counters.

Phase 1: Create The Function App

1.1. Navigate to Function App:

Sign in to the Azure portal.
In the top search bar, type "Function App" and select it from the services list.

1.2. Start the Creation Process:

On the Function App page, click the + Create button.

1.3. For the Hosting plans, I would go for the Consumption plan, because it doesn’t require a VNet and a minimum instance, which is more cost-effective compared to others. The Consumption plan is a purely serverless model. You are only billed for the milliseconds your function runs. If no one visits your website, your function doesn't run, and your cost is $0.

1.4. Configure the "Basics" Tab:

Subscription & Resource Group: Choose your subscription and a resource group (e.g., Webapp1).
Function App name: This must be globally unique (e.g., dongan-python-function). This name will become part of its default URL.
Operating System: Select Linux. This is the standard for Python functions.
Runtime stack: Select Python.
Version: Choose the latest available Python version (e.g., 3.12).
Region: Select a region close to you.

1.5. Configure the "Storage" Tab:

Select and let Azure create a new one for you. The default name is usually fine. Each Function App needs its own dedicated storage account for optimal performance and to avoid conflicts.
Uncheck Add an Azure Files connection(Continuous Integratoin-CI), For a simple HTTP-triggered function, it's not needed and will add unnecessary resources.
Diagnostic Settings, Select Configure later (Recommended for custom controls), For a simple view counter, basic logging provided by default is usually sufficient.

1.6. Configure the "Networking" Tab:

Enable public access: On. API needs to be publicly accessible from your website frontend.
VNet integration: Off. Virtual Network integration is for securing communication within private networks or connecting to resources that are not publicly exposed. The view counter API will be public, so this isn't needed.

1.7. Configure the "Monitoring" Tab:

Enable Application Insights: Yes. Application Insights is for monitoring function executions, errors, and performance.
Application Insights name: Let Azure create a new one with the default name.

1.8. Configure the "Deployment" Tab:

Continuous Deployment: Disable. Since I disabled Azure files, the Continuous deployment(CD) must be configured manuallly because the Azure Functions Github Action does not support apps without Azure Files.

1.9. Configure the "Authentication" Tab:

I would just use secrets. So "Anonymous" authorization for HTTP trigger. This means the API Gateway will protect it at the function level, not the entire Function App. Enabling App-level authentication here would add an unnecessary layer for a publicly accessible counter. I would only consider a user-assigned identity if I planned to create multiple applications that all needed to share the exact same permissions.

1.10. Review + create Tab:

Click Review + create, then review your settings one last time.

Phase 1.11: Create The Python Function

Develop the function to host the Python code.

1.11.1 Go to Function App:

Once the deployment is complete, navigate to newly created Function App.

1.11.2 Go to the Functions Blade:

In the left-hand menu of Function App, click on Functions.

1.11.3 Create a New Function:

Click the + Create button.
Select HTTP trigger template. This creates a function that can be run by making a web request.
New Function name: Give your function a name. This name will be part of its URL
Authorization level: Choose Anonymous for easy testing. This means anyone with the link can run it. For real applications, you would choose "Function" or "Admin" for security.
Click Create.

1.11.4 Add and Test the Initial Code:

The function currently contains placeholder code. This will be replaced with a simple script to confirm functionality before connecting to the database.

After the function is created, it will go to its overview page. In the left menu under "Developer", click on Code + Test.
Add function to function_app.py. Copy and paste following code:

import azure.functions as func
import json
import logging

# This creates a Function App instance
app = func.FunctionApp(http_auth_level=func.AuthLevel.FUNCTION)

# This defines your function
@app.route(route="GetVisitorCount", methods=["GET", "POST"])
def GetVisitorCount(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    # A temporary response to test the function
    response_data = {
        "count": 123
    }

    # Return the response as a JSON object
    return func.HttpResponse(
        json.dumps(response_data),
        mimetype="application/json",
        status_code=200
    )

Click the Test/Run, don't need to change any settings, just hit Run for a test. The Output section at the bottom. An HTTP request successfully triggered the function, indicated by a HTTP response code: 200 and the message {"count": 123} in the response body.

Phase 2: Create The Azure Cosmos DB Account

First, I need the main Cosmos DB account, which will hold our databases and containers.

2.1. Navigate to Create Resource:

In the Azure Portal, click the + Create a resource button.
Search for Azure Cosmos DB and select it.
Click Create.

2.2 Choose the API:

You will see several API options. Find the Azure Cosmos DB for NoSQL box and click Create.

2.3. Configure the Account:

Workload Type: choosing Learning for the most cost-effective setup to complete the project.
Subscription / Resource Group: Choose your existing ones.
Account Name: Give it a globally unique name.
Location: Choose a region close to you.
Capacity mode: This is important for cost. Select Serverless.
Availability Zones: Disable. Can lower expenses.
In Backup Policy tab, Backup storage redundancy: For the most cost-effective option, select Locally-redundant backup storage.
Click Review + create, and then Create. Deployment will take 5-10 minutes.

Phase 2.4: Create Database and Container

Once the Cosmos DB account is deployed and go to the Cosmos DB account, use the Data Explorer to create the container that will hold the data.

2.4.1 Open Data Explorer:

In the left-hand menu of your Cosmos DB account, click on Data Explorer.

2.4.2 Create New Container:

In the Data Explorer pane, click the New Container.

2.4.3 Configure the Database and Container: A "New Container" panel will appear. Fill it out as follows:

Database ID: Select Create new and give it a name, for example, MyWebAppDB.
Container ID: This is the name of your "table". Let's call it Items.
Partition key: This is the most important setting. It's how Cosmos DB efficiently organizes data. For a general-purpose container, a great starting point is /id.
- /id to tell Cosmos DB to group the data based on each item's unique id field.
Click OK.

Phase 2.5: Add Data to The Table

Make a quick test to confirm functionality.

2.5.1 Navigate to Your Container:

In Data Explorer, expand it and click on Items container.
Under Items, click on Items.

2.5.2 Create a New Item:

Click the New Item button in the top bar.

2.5.3 Add some JSON Data for testing:

A new editor window will open with some default text. Replace it with the following simple JSON document. It has an id field, which matches the partition key I defined (/id).

{
    "id": "item001", 
    "category": "Laptops",
    "brand": "Contoso",
    "productName": "Contoso Laptop Pro", 
    "inStock": true 
}

Create a new object for item002

{
    "id": "item002",
    "category": "Laptops",
    "brand": "Fabrikam", 
    "productName": "Fabrikam Ultrabook", 
    "inStock": false 
}

2.5.4 Query the JSON Data:

From the Data Explorer blade, select "New SQL Query" from the top bar, then type SELECT * FROM c, and click Excute Query.

SELECT * FROM c where c.id = "item002" Get one item by its ID.

SELECT c.productName, c.brand FROM c WHERE c.inStock = true finds all products that are in stock and returns only their name and brand.

Phase 2.6: Connect The API To The Database

2.6.1. Get the Database Connection String

The Function App requires the database's connection string (password) to establish a connection.

In the Azure Portal, navigate to the Azure Cosmos DB account
In the left menu under "Settings", click on Keys.
Find the PRIMARY CONNECTION STRING and click the copy icon to its right.

2.6.2. Add the Connection String to Your Function App

Navigate to Function App (dongan-counter-api) in the Azure Portal.
In the left menu under "Settings", click on Environment variables.
click + App settings.
A window will pop up. Fill it out as follows:
- Name: CosmosDbConnectionString.
- Value: Paste the PRIMARY CONNECTION STRING copied from Cosmos DB.
Click Apply, and then at the top of the Configuration page, click Save. A confirmation to restart the app will appear; click Continue.

Phase 3: Trigger Azure Function From Static Site

3.1: Write the Python API Logic

The Python code to process data sent from the static site. I use a simple contact form submission as an example.

Open the __init__.py file inside new function folder (e.g., api/__init__.py) and replace the code with the following:

This code expects a POST request with a JSON body containing a name, email, and message. It then returns a JSON success or error message.

3.1.1: Configure CORS (Crucial Step!)

Browser security will block requests unless Cross-Origin Resource Sharing (CORS) is enabled, because the static website and the function app are on different domains.

Configure CORS in the Azure Portal after function deployment.
Go to the Azure Portal and find your deployed Function App.
In the left menu, under the "API" section, click on CORS.
In the "Allowed Origins" box, add the URL of your static website. Can also use * to allow all domains for testing, but it's more secure to specify the exact domain.
Click Save.

Phase 3.2:Call The API From The Static Site

Lastly, modify the JavaScript on the static website to invoke this new API endpoint.

document.getElementById('contactForm').addEventListener('submit', async function (event) {
    event.preventDefault(); // Prevent the default form submission

    const name = document.getElementById('name').value;
    const email = document.getElementById('email').value;
    const message = document.getElementById('message').value;
    const responseElement = document.getElementById('response');

    // IMPORTANT: Replace with your actual Azure Function URL
    const functionUrl = 'https://YOUR-FUNCTION-APP-NAME.azurewebsites.net/api/YOUR-FUNCTION-NAME';

    try {
        const response = await fetch(functionUrl, {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json',
            },
            body: JSON.stringify({ name, email, message }),
        });

        const result = await response.json();

        if (response.ok) {
            responseElement.textContent = result.message;
            responseElement.style.color = 'green';
        } else {
            responseElement.textContent = `Error: ${result.message}`;
            responseElement.style.color = 'red';
        }
    } catch (error) {
        responseElement.textContent = 'An unexpected error occurred.';
        responseElement.style.color = 'red';
        console.error('Error:', error);
    }
});

Troubleshooting & Outcomes:

1.Azure Function Disappear:

Syntax Errors: Incorrect code syntax can cause deployment failures. Getting a 404 Not Found error and then seeing the function disappear
Missing requirements.txt: This file, which lists project dependencies, is crucial for successful cloud builds.
Inefficient Deployment (.funcignore): The .funcignore file should be used to exclude env and .venv folders to prevent slow or broken cloud builds.
Python Version Mismatch: Ensure the Python version in Stack settings matches your development environment.
Incorrect CosmosDB Connection String: The CosmosDbConnectionString must be the PRIMARY CONNECTION STRING for proper database identification and authentication.
Deployment Log Inspection: Always review the OUTPUT terminal window in VS Code for detailed deployment status and error messages.
Verify Azure deployment and output using the VS Code terminal.
Open the website and inspect the errors

2. Counter silent crash, keep loading, not responding: because the function cannot connect to Cosmos DB database.

To check for the real error, go to the functions page, click on Monitor then Invocations, and review the invocation details.

On the app settings, under Environment variables, verify the DB name and its value. Also, check if the DB primary key is being used for the DB key.

3. Stale CDN Cache, the counter not working,Error fetching view count: Error: Failed to fetch Stack: TypeError: Failed to fetch

Azure CDN cached a "permission denied" response from the function due to missing CORS settings. Even after fixing CORS on the function, browser still receives the old, cached "permission denied" response from the CDN. Need to force all Azure CDN servers to delete their cached version of the files and get the latest version from function. Go to AFD→Overview→Purge Cache→Select endpoint and domains→Click Purge

4. For cosmos DB:

Data cannot be appended a vaule after existing vaule. To add new vaule, you must create a completely new document for it, you can’t append value to one key-vaule pair, it won’t merge two different value into one single, invalid JSON object. Every item is its own separate, self-contained JSON document.

5. Binding:

AzureWebJobsStorage is for the Azure Functions system to work properly, while StaticWebAppStorage is for the specific application code to find its data. After the code deploy to Azure, it needs the path and password for the database.

Name: COSMOS_ENDPOINT Value: https://portfoliodb-viewer-counter.documents.azure.com:443/

Name: COSMOS_KEY Value: Cosmos DB Primary Key (qSUIQ...==)

6. Security Concern

Secrets (Connection Strings/API Keys): This involves storing sensitive credentials (like connection strings for storage or instrumentation keys for Application Insights) directly within your Function App's configuration. While functional, it carries a higher security risk because if someone gains access to the app's configuration, they get the secrets.

Managed Identity: This is Azure's recommended best practice for secure access between Azure services. Instead of storing credentials, Function App is automatically given an identity within Azure Active Directory. Then grant this identity specific permissions to other resources (like Application Insights or Storage Accounts) via Azure Role-Based Access Control (RBAC).

Benefits: No secrets to manage or rotate, greatly reduced risk of credential leakage, and seamless authentication handled by Azure.

6.1. System-Assigned Managed Identity

Lifecycle: It is created and deleted with the Azure resource it's assigned to. If you delete your Function App, its system-assigned identity is also deleted automatically.
Sharing: It cannot be shared. The identity is tied one-to-one with a single Azure resource (e.g., one Function App or one VM).
Use Case: This is perfect for workloads that are contained within a single Azure resource. For your simple view counter Function App, this is the ideal choice because the identity is only needed by that one app.

6.2. User-Assigned Managed Identity

Lifecycle: It is a standalone Azure resource that you create and manage separately. Deleting a Function App that uses it does not delete the user-assigned identity. You must delete it yourself.
Sharing: It is designed to be shared. You can create one user-assigned identity and assign it to multiple Azure resources (e.g., multiple Function Apps, VMs, and Logic Apps).
Use Case: This is useful when you have a group of resources that all need the same set of permissions. For example, if you had ten different Function Apps that all needed to access the same database, you would create one user-assigned identity, give it permission to the database, and then assign that identity to all ten functions. This simplifies permission management.

7. Security Concern

The public API, which is linked to the public website, currently lacks authentication. This makes it discoverable and directly accessible to anyone online, potential risks such as Denial-of-Service (DoS) attacks and injection attacks. To reduce these risks, I need to implement a Web Application Firewall (WAF) or an API Management solution.

Outcomes:

For my portfolio website, I designed and deployed a dynamic, highly scalable visitor counter using a modern, fully serverless architecture on Microsoft Azure. The solution is built for cost-efficiency and low maintenance, leveraging Azure Functions for backend compute, Cosmos DB for persistent data storage, and Azure Front Door as the content delivery network.

I specifically chose a serverless architecture for several key reasons:

Cost-Effectiveness: The primary driver was cost. By using Azure Functions and Cosmos DB in serverless/consumption mode, I only pay for the exact resources used per execution. For a portfolio with variable traffic, this is significantly cheaper than maintaining an always-on server, and the generous free tiers effectively make the solution free.
Scalability: Azure Functions automatically scale based on demand. Whether the site gets ten visits or ten thousand, the backend can handle the load without any manual intervention.
Low Operational Overhead: Being "serverless" means I don't have to manage virtual machines, operating systems, or patches. This allows me to focus purely on the application logic, which is a more efficient use of development time.

Deployment and Data Workflow:

1. Frontend Request and Delivery

User Visit: A user navigates to my website, https://www.dongan.cloud.
CDN Delivery: The initial request is handled by Azure Front Door (AFD), which acts as the global CDN. AFD serves the static assets (HTML, CSS, JavaScript) from the lowest-latency edge location to the user. These static files are stored securely and inexpensively in Azure Blob Storage.
Client-Side API Call: Once the page loads in the user's browser, the JavaScript fetch client is triggered. It makes an asynchronous POST request to the backend API endpoint to get the visitor count.

2. Backend API Processing

This is where the serverless components take over.

Request Routing: The API call from the browser (.../api/ViewCounter) is routed by Azure Front Door to the Azure Function App. In this architecture, the combination of AFD for routing and the function's own HTTP trigger serves the role of a lightweight, effective API gateway.
Function Execution: The HTTP request triggers the ViewCounter Azure Function. This is the core of the backend logic.
Database Interaction: The Node.js code within the function securely connects to Azure Cosmos DB using environment variables for the endpoint and primary key. It reads the current count from a document, increments the value by one, and writes the new value back.
Response Generation: The function receives the updated count from Cosmos DB.
Returning the Response: The function packages the new count into a JSON object and sends it back through the same chain: from the Function App, through Azure Front Door, and finally to the user's browser.
Dynamic Update: The website's JavaScript receives the JSON response and dynamically updates the counter element in the HTML, completing the workflow.

Serverless Web Application Data Flow:

User Request: A user opens their browser and navigates to your website.
Frontend Delivery: The request first hits Azure Front Door, which acts as the CDN. Front Door delivers the static frontend (your HTML, CSS, and JavaScript files) to the user's browser. These files are pulled from Azure Blob Storage.
API Call: The frontend (running in the user's browser) needs to perform a dynamic action, like submitting a form or fetching data. It makes an API call to a specific endpoint (e.g., /api/submitForm).
API Gateway Routing: The API Gateway receives this incoming request. Its job is to validate the request and route it to the correct piece of backend logic.
Backend Logic Execution: The API Gateway triggers the appropriate Azure Function. The function contains the server-side code to process the request (e.g., save the form data).
Database Interaction: The Azure Function connects to a managed database like Azure Cosmos DB or Azure SQL Database Serverless to read/write the necessary information.
Response: The function completes its task and sends a response (e.g., a success message) back through the same chain: to the API Gateway, then to the frontend, and finally displayed to the user.

Bicep Deployment for Azure Web App with Azure Front Door

1. Goal

The primary goal of this project is to automate the deployment of a secure, scalable, and high-performance web application infrastructure on Microsoft Azure. By leveraging Bicep as an Infrastructure as Code (IaC) tool, I create a repeatable, reliable, and version-controlled process for provisioning an Azure App Service fronted by an Azure Front Door (AFD) profile, which acts as a modern Content Delivery Network (CDN) and global load balancer.

This architecture ensures that the web application is not only hosted efficiently but is also delivered to end-users with low latency and enhanced security, regardless of their geographical location.

2. Architecture and Resource Relationships

The architecture is composed of two main logical blocks: the backend application (origin) and the global delivery network (front door).

Workflow:

A user requests the website using the public URL (e.g., endpoint-xyz.azurefd.net).
The request first hits the Azure Front Door Endpoint, which is a globally distributed point of presence.
Front Door's Route configuration matches the incoming request (e.g., /* for all paths).
The Route directs the traffic to the designated Origin Group.
The Origin Group contains our backend Origin—the Azure App Service. Front Door forwards the request to the App Service.
The Azure App Service processes the request and returns the response (e.g., the web page).
Front Door receives the response from the App Service. If the content is cacheable (like images, CSS), it stores a copy at the edge location.
Front Door returns the final response to the user. Subsequent requests for cached content are served directly from the edge, dramatically improving speed.

3. Key Concepts Explained

Azure App Service

What it is: A fully managed Platform-as-a-Service (PaaS) offering for building and hosting web applications, REST APIs, and mobile backends. You don't have to manage the underlying operating systems or web server software.
Its Role: In this project, the App Service is the origin. It is the core compute resource that runs our application code and serves the dynamic content. It lives in a specific Azure region.

Azure Front Door (AFD) / CDN

What it is: A modern cloud CDN service that provides a single, unified entry point for global web traffic. It combines the features of a traditional CDN, a global load balancer, and a Web Application Firewall (WAF).
Its Role:
- Performance: It caches static assets (images, CSS, JavaScript) at Microsoft's global edge locations, closer to users, which drastically reduces latency.
- Security: It acts as a shield for the App Service. All traffic must pass through Front Door first, hiding the App Service's direct URL. This allows us to apply security rules and a WAF at the edge.
- Availability: It routes traffic to the healthiest and closest backend, providing high availability.

Bicep and Infrastructure as Code (IaC)

What it is: Bicep is a domain-specific language (DSL) that uses a declarative syntax to deploy Azure resources. It is an abstraction over ARM Templates, making the code cleaner and more readable.
Why use it:
- Automation & Repeatability: Deploy the exact same infrastructure across different environments (dev, staging, prod) with a single command.
- Version Control: Store your infrastructure definition in a Git repository, track changes, and collaborate with a team.
- Modularity: Break down complex deployments into smaller, reusable modules (app.bicep, cdn.bicep), making the code easier to manage and understand.

The main.bicep file is to define the overall configuration and manage the flow of data between different modules.

Deployment Steps

Place Files: Ensure main.bicep, app.bicep, and cdn.bicep are in the correct folder structure (e.g., app.bicep and cdn.bicep inside a modules subfolder if referenced that way in main.bicep).
Login to Azure: Open a terminal and run az login to authenticate.
Create a Resource Group: All resources should be deployed into a resource group. Create one with: az group create --name "MyWebAppRG" --location "canadaeast".

Run the Deployment: Navigate to the directory containing main.bicep and execute the deployment command:

az deployment group create \
   --resource-group "MyWebAppRG" \
   --template-file "main.bicep" \
   --parameters deployCdn=true

deployCdn can be set to false if only the App Service needs to be deployed.

1. Check the Deployment Outputs

This is the most direct way to get the public URL for the application.

In the Azure portal, go to resource group.
Click on Deployments in the left-hand menu.
Select the main deployment.
Click on Outputs on the left. The output named websiteHostName with a URL is the main URL for testing.

2. Test the Website Hostname

The most important verification step is to see if the website is accessible through the Front Door/CDN endpoint.

Copy the websiteHostName URL from the deployment outputs.
Paste it into a new browser tab and press Enter.
Expected Result: The default "Microsoft Azure App Service" landing page should appear. It might take a few minutes for the CDN endpoint to become fully active and configured, so if an error occurs at first, wait 5-10 minutes and try again.

This test verifies the entire flow: User -> Front Door Endpoint -> Origin (App Service).

3. Inspect the Deployed Resources

Take a look at the resources that were actually created in your resource group.

Go to the Overview page of the resource group.
You should see:
- An App Service: This is the web application.
- An App Service plan: This provides the computing resources for app.
- A Front Door and CDN profile: This is the global entry point for traffic.

Confirming these resources exist shows that the Bicep deployment created all the components as defined in files.

4. Verify the Front Door Origin

This step confirms that Front Door knows how to find the web app.

In resource group, click on the Front Door and CDN profile resource.
Go to the Origin groups section.
Click on your origin group (e.g., endpoint-...-og).
Expected Result: An origin should display a hostname pointing to the App Service's default URL (e.g., example.azurewebsites.net). This confirms that when a request reaches the Front Door, it is correctly configured to forward that request to the App Service.

By completing these verification steps, the Bicep deployment succeeded, and the resulting infrastructure is fully functional and correctly configured.

Note:

To compare or copy files, refer to my GitHub repository:https://github.com/CymLim/azure-AFD-CDN-bicep.git

Outcomes:

In a recent project, I designed and implemented a fully automated, reusable infrastructure deployment for a modern web application using Bicep. The architecture involved deploying an Azure App Service, fronted by an Azure Front Door CDN to ensure high performance and global availability.

The goal was to establish a standardized, reliable pattern for deploying our web applications. Manual deployments were slow, prone to human error, and inconsistent across different environments. I needed a solution that was secure, scalable, and could serve a global audience efficiently.

My task was to automate the entire infrastructure provisioning process using Infrastructure as Code. The key requirements were:

Automate Everything: Create a hands-off deployment process.
Make it Reusable: The code needed to be modular so I could easily deploy other, similar applications in the future.
Ensure Performance & Security: The architecture had to include a Content Delivery Network (CDN) to cache content closer to users and provide a layer of security.
Make it Flexible: The solution needed to be configurable, for example, allowing us to deploy a test environment without a CDN to save costs.

To achieve this, I chose to use Bicep for its native integration with Azure and its clean, declarative syntax. I structured the project into three main files:

1. The main.bicep Orchestrator:

"First, I created a main.bicep file to act as the orchestrator. Its only job was to manage the overall deployment and pass information between the other components. It defined the high-level parameters, like the application name and whether to deploy the CDN.

2. The app.bicep Module (The Foundation):

Next, I built a dedicated module for the application infrastructure, app.bicep. This module was responsible for creating two core resources:

An App Service Plan, which defines the underlying compute resources—the CPU and memory.
An App Service App, which is the web application itself.

The dependency here is straightforward: the App Service App is dependent on the App Service Plan. In Bicep, I linked them by passing the id of the plan into the serverFarmId property of the app. The most crucial part of this module was its output: it exposed the default hostname of the created App Service. This hostname is the direct, private address of our application.

3. The cdn.bicep Module (The Global Entry Point):

The third piece was the cdn.bicep module, which handled the Azure Front Door deployment. This part is more complex due to the way Front Door resources are structured. The dependencies flow like this:

It starts with a CDN Profile, which is the top-level container for the entire configuration.
Inside the profile, I created an Endpoint. This is the resource that generates the public-facing URL that our users will access (e.g., my-app.azurefd.net).
I then defined an Origin, which represents our backend application. This is where the critical link happens. The hostName for this Origin resource was a parameter.
Finally, I created a Route. The Route is the most important piece of logic—it's the rule that connects everything. It says, When traffic arrives at the Endpoint, forward it to this specific Origin. This creates the dependency: the Route depends on both the Endpoint and the Origin to exist.

4. Wiring It All Together (The Critical Data Flow):

The real power of this design is how the main.bicep file connects these two modules.

The main file takes the appServiceAppHostName output from the app module and passes it directly into the originHostName input parameter of the cdn module.

This single line of code is the linchpin of the entire architecture. It tells the CDN exactly which backend service to protect and accelerate. It makes the entire system interconnected and functional.

5. Adding Flexibility:

To meet the flexibility requirement, I used a conditional deployment in main.bicep. An if statement wrapped the cdn module, which allowed us to deploy the entire stack with or without Front Door just by changing a single boolean parameter, deployCdn.

The result was a highly successful, fully automated deployment pipeline.

Efficiency: I reduced deployment time from hours to minutes.
Consistency: Every deployment was identical, eliminating the 'it works on my machine' problem.
Reusability: A proven Bicep module that can be used to deploy any new web application with a best-practice architecture in minutes.
Flexibility: The conditional deployment logic allowed us to easily manage costs in non-production environments while maintaining full performance and security in production.

Project 4

Phase 1: Build the Simulated On-Premises Environment

In this phase, my goal is to create the foundation of lab: a simulated on-premises network with a fully functional Active Directory Domain Controller. I will use Azure resources to build this environment, which is a common and cost-effective way to create isolated test labs.

At the end of this phase, I will have:

A dedicated virtual network in Azure representing the "On-Premises" datacenter.
A Windows Server 2022 virtual machine.
A fully configured Active Directory domain (e.g., corp.contoso.com).
Sample Organizational Units (OUs) and users, mimicking a real company structure.

Step 1: Create the Core Infrastructure

First, we need a resource group to hold all our lab components and a virtual network (VNet) to act as our private on-premises network.

Create a Resource Group: This is a logical container for Azure resources.
- Click Create a resource.
- Search for and select Resource group.
- Click Create.
- Subscription: Choose subscription.
- Resource group name: onprem-lab-rg
- Region: Choose a region close to you.
- Click Review + create, then Create.
Create a Virtual Network (VNet):
- Navigate to new onprem-lab-rg resource group.
- Click Create.
- Search for and select Virtual Network. Click Create.
- Basics Tab:
- IP Addresses Tab:
- Click Review + create, then Create.

Step 2: Deploy the Domain Controller VM

Now, create the Windows Server that will become Domain Controller (DC).

Navigate back to onprem-lab-rg resource group.
Click Create.
Search for Windows Server 2022 Datacenter: Azure Edition in the Marketplace and select it. Click Create.
Basics Tab:

Virtual machine name: onprem-dc01
Region: Same as VNet.
Image: Should be pre-selected as Windows Server 2022 Datacenter: Azure Edition.
Size: Select a cost-effective size. Standard_B2s is excellent for this lab.
Administrator account: Create a username and a strong password.
Inbound port rules: Select Allow selected ports and check RDP (3389).

Disks Tab: The default Standard SSD is sufficient for the lab.
Networking Tab:

Virtual network: Select onprem-vnet.
Subnet: Select onprem-subnet-1.
Public IP: Let Azure create a new one.
NIC network security group: Select Basic.

Review + create, then Create. Wait for the deployment to complete.

Step 3: Configure the VM's Network Settings

A domain controller needs a static (unchanging) IP address to function correctly.

Set Static Private IP:
- Once the VM is deployed, go to the resource.
- In the left menu, click Networking.
- Click on the Network Interface name.
- In the Network Interface menu, click IP configurations.
- Click on the ipconfig1 configuration.
- For Assignment, change it from Dynamic to Static.
- Note the Private IP address it has assigned (e.g., 10.0.0.4).
- Click Save.
Update VNet DNS Server:
- After a DC is created, all devices on the network must use it for DNS. I will update the VNet setting now so it's ready.
- Navigate to onprem-vnet resource.
- In the left menu, click DNS servers.
- Select Custom.
- Enter the static private IP address of the VM (e.g., 10.0.0.4).
- Click Save.

Step 4: Promote the Server to a Domain Controller

This is where I install Active Directory.

Connect to the VM:

Go to onprem-dc01 VM resource in the Azure Portal.
Click Connect and select RDP.
Download the RDP file and open it.
Use the labadmin username and the password to log in.

Install Active Directory Domain Services (AD DS):

Once logging in to the server desktop, Server Manager should open automatically.
Click Add roles and features.
Click Next through the wizard until reach the Server Roles page.
Check the box for Active Directory Domain Services. A pop-up will appear; click Add Features.
Click Next until the Confirm page, then click Install.

Promote to a Domain Controller:

After the installation finishes, a notification flag at the top of Server Manager. Click it, then click "Promote this server to a domain controller".
Select Add a new forest.
Root domain name: Enter a domain name. For this lab, corp.contoso.com is a standard practice name.
Click Next.
Create a Directory Services Restore Mode (DSRM) password. Save this password somewhere safe!
Click Next through the following screens (DNS Options, Additional Options, Paths), leaving the defaults.
On the Prerequisites Check page, once the check passes, click Install.

Step 5: Populate Active Directory

Finally, let's add some sample users and OUs to make our environment feel real.

Reconnect to DC using RDP. This time, sign in with domain administrator credentials.
Username: CORP\labadmin
Password: The same password created for the VM.
Open Active Directory Users and Computers:

In Server Manager, go to Tools > Active Directory Users and Computers.

Create Organizational Units (OUs):

Right-click on domain (corp.contoso.com).
Select New > Organizational Unit.
Name it CORP_Accounts.
Inside the CORP_Accounts OU, create three more OUs: Users, Groups, and Servers.

Create Users:

Right-click on the Users OU
Select New > User.
Create a user named Jane Doe.
First name: Jane
Last name: Doe
User logon name: j.doe
Click Next. Create a password for the user, uncheck "User must change password at next logon", and check "Password never expires" (this is for lab convenience only). Click Next, then Finish.
Create another user named John Smith (j.smith).

Phase 2: Establish Hybrid Identity and Network Connectivity

At the end of this phase, I will have:

A second virtual network in Azure (azure-vnet) representing cloud infrastructure.
A secure, private connection between onprem-vnet and azure-vnet using VNet Peering.
On-premises Active Directory users (Jane Doe, John Smith) synchronized and visible in Microsoft Entra ID.

Step 1: Create the Azure Production VNet

This network will house the resources I migrate or create in the cloud. It must have a different IP address range from the on-prem VNet to avoid conflicts.

Navigate to Resource Group: Open the onprem-lab-rg resource group. We will keep all lab resources here for simplicity.
Create a new Virtual Network:

In the resource group view, click Create.
Search for and select Virtual network. Click Create.
Basics Tab:

Name: azure-vnet
Region: This must be the same region as onprem-vnet

IP Addresses Tab:

IPv4 address space: Delete the default 10.0.0.0/16. We need a non-overlapping address range. Enter 172.16.0.0/16.
Click + Add a subnet.
Subnet name: azure-subnet-1
Subnet address range: 172.16.0.0/24.
Click Add.

Review + create, then Create.

Step 2: Connect the Networks with VNet Peering

VNet Peering is the simplest and most performant way to connect two Azure Virtual Networks. It uses Microsoft's private backbone network, so traffic never goes over the public internet.

Navigate to onprem-vnet resource in the Azure Portal.
Create the Peering Connection:

In the left menu under Settings, click Peerings.
Click + Add.
This virtual network section:

Peering link name: onprem-to-azure-peering

Remote virtual network section:

Peering link name: azure-to-onprem-peering
Subscription: Select subscription.
Virtual network: Select azure-vnet from the dropdown.

Leave all other settings as their defaults. Click Add.

This single action creates two linked peering connections, one from each VNet to the other. After a moment, the Peering status will update to Connected.

Step 3: Install and Configure Microsoft Entra Connect

This is the core tool that reads on-prem Active Directory and synchronizes users, groups, and more to Microsoft Entra ID. I will install it on the domain controller, onprem-dc01.

Connect to onprem-dc01 VM using RDP.
Disable IE Enhanced Security Configuration (for easier downloads):

In Server Manager, click Local Server on the left.
On the right side, find IE Enhanced Security Configuration and click On.
Select Off for Administrators, then click OK.

Download Microsoft Entra Connect:

Open a browser inside the VM.
Download the latest version of Microsoft Entra Connect V2.

Run the Installer and Configure:

Run the downloaded MicrosoftEntraConnect.msi file.
Agree to the license terms and click Continue.
Select Use express settings. This is perfect for a single-forest lab and automatically configures the most critical feature: Password Hash Synchronization (PHS). PHS securely syncs a hash of the user's on-prem password to the cloud, enabling a single sign-on experience.

Connect to Microsoft Entra ID:

You will be prompted for your cloud credentials. In Azure portal, create a new synchronization account within the Azure Tenant, go to the Entra ID portal → Users > All users > + New user → Assignments tab > Assign Global Administrator role or Hybrid Identity Administrator → Create.
Very Important: You must sign out of the Azure portal and sign back in as this new user to complete its first-time login.
Click Next.

Connect to Active Directory Domain Services:

You will now be prompted for on-premises credentials. This account needs to be an Enterprise Admin. Our labadmin account qualifies.
Username: CORP\labadmin
Password: The password you set for the labadmin user.
Click Next.

Finalize Configuration:

The wizard will show a screen indicating your on-prem UPN suffix (corp.contoso.com) isn't a verified domain in Azure. This is expected for our lab. Check the box "Continue without matching all UPN suffixes to verified domains" and click Next.

On the Ready to configure screen, ensure the box "Start the synchronization process when configuration completes" is checked.
Click Install.

The initial installation and complete synchronization process may take 5-10 minutes, as illustrated in the image below.

Step 4: Verify the Synchronization

Let's confirm that our on-prem users are now in the cloud.

Go back to the Azure Portal in local browser (or Microsoft Entra admin center in the VM).
In the top search bar, search for and navigate to Microsoft Entra ID.
In the left menu, click Users.
You should now see Jane Doe and John Smith in the user list.
Click on one of the new users. Under the Source property, you will see it's set to Windows Server AD. This confirms the user is a synchronized object and its source of authority is your on-premises onprem-dc01 server.

Phase 3: Server Assessment and Migration

In this phase, we will perform a full "lift-and-shift" migration. Since our "on-premises" lab is built in Azure, we don't have a VMware or Hyper-V environment. Therefore, we will follow the "Physical or other" migration path.

At the end of this phase, you will have:

A new "on-prem" file server VM (onprem-fs01) joined to domain.
A configured Azure Migrate project.
A deployed Azure Migrate appliance that is actively discovering file server.

Step 1: Create the "On-Prem" File Server

First, we need a server to migrate. Let's create a simple file server in our onprem-vnet and, importantly, join it to our domain.

Deploy a new Windows Server VM:

Navigate to onprem-lab-rg resource group.
Click Create and deploy a new Windows Server 2022 Datacenter: Azure Edition VM with these settings:

Virtual machine name: onprem-fs01
Size: Standard_B2s (to save cost)
Administrator account: Use the same labadmin username and password you created for onprem-dc01.
Networking > Virtual network: Select onprem-vnet.
Networking > Subnet: Select onprem-subnet-1.
Networking > Public IP: Select (new).
Inbound port rules: Select Allow selected ports and check RDP (3389).

Click Review + create, then Create.

Join the Server to the Domain (Critical Step):

Once onprem-fs01 is deployed, connect to it via RDP using the local labadmin account (username: labadmin).
On this server, Server Manager will open. Click Local Server.
Wait for the properties to load, then click on the link next to WORKGROUP.
In the System Properties window, click Change.
Select the Domain radio button and type corp.contoso.com.
Click OK.
When prompted for credentials, enter domain admin account:

Username: CORP\labadmin
Password: labadmin password.

Click OK. Click OK again and restart the VM when prompted.

Step 2: Set Up the Azure Migrate Project

Now, let's create the central management hub in Azure for our migration.

In the Azure Portal search bar, type Azure Migrate and select the service.
On the Azure Migrate page, click Create project.
Configure the project:

Subscription: Choose subscription.
Resource group: Select existing onprem-lab-rg.
Project name: Migration-Lab-Project
Geography: Choose region

Click Create.

Step 3: Add Migration Tools and Start Discovery

This is the step that connects project to the migration tools.

Wait for the Migration to deploy. You will land on the Servers, databases and web apps goal page.
Find the Migration and modernization tool box and click Create. This provisions the underlying tools (like an Azure Site Recovery vault) that the project needs.
Wait a moment for it to complete. The box will update.
Now, click the Start Discovery button inside the "Migration and modernization" box.

This will open the Discover servers blade. You must specify your source:

Are your servers virtualized? Select options:

Yes, with VMware vSphere Hypervisor;
Yes, with Hyper-V;
Physical or other.

Step 4: Deploy the Azure Migrate Appliance VM

The "appliance" is a dedicated server that will live in your "on-prem" network. Its job is to find your servers and coordinate the replication.

Open a new browser tab and go back to onprem-lab-rg resource group in the Azure Portal.
Deploy another new Windows Server 2022 VM. This will be our appliance.

Virtual machine name: onprem-migrate-appliance
Size: Standard_B2s.
Administrator account: Use the same labadmin credentials.
Virtual network: onprem-vnet
Subnet: onprem-subnet-1
Inbound port rules: Allow RDP (3389).

Click Review + create and Create. Wait for this new VM to finish deploying.

Step 5: Generate Key and Download Appliance Software

Now we get the "password" (the key) and the software for the appliance VM.

Go back to first browser tab
You should be on the page titled Discover servers | Physical or other.
Target region: Select regions where you want to migrate to. Click Confirm.
Click the blue Create resources button. This will take a few minutes.
Once complete, new sections will appear:
A. Download appliance software:

Provide a name for the appliance: lab-appliance-01
Click Generate key.
Wait for it to generate. When it appears, copy the project key and paste it into a Notepad file. You will need this in a moment.

B. Download appliance software:

Click the Download button. This will download a .zip file (e.g., AzureMigrateInstaller.zip).

Step 6: Install and Configure the Appliance

Now we RDP into the appliance VM and install the software.

Connect via RDP to your onprem-migrate-appliance VM (the one you created in Step 4).
Prerequisite: Disable IE Enhanced Security.

On the appliance VM, Server Manager will open. Click Local Server.
Find IE Enhanced Security Configuration (on the right) and click On.
Set it to Off for Administrators. Click OK.

Copy the AzureMigrateInstaller.zip file from your local machine onto the onprem-migrate-appliance VM's desktop.
On the appliance VM, extract the .zip file to a folder (e.g., C:\MigrateInstaller).
Open PowerShell as Administrator. Navigate to the folder where you extracted the files, and run the installer script: .\AzureMigrateInstaller.ps1
The script will check the VM, install all necessary prerequisites (like .NET, etc.), and may require a restart. If it restarts, log back in and run the script again.
Eventually, the script will complete and launch the Appliance Configuration Manager in browser (on the appliance VM).

Step 7: Register the Appliance and Start Discovery

This is the final setup step, done in the appliance VM's browser.

The Appliance Configuration Manager page will show "Set up prerequisites." Let it run its checks, then click Continue.
Register with Azure Migrate:

The page will ask for the project key. Paste the project key you saved in Notepad (from Step 5).
Click Login. A new browser tab will open with a device code.
Copy the device code.

Click the Copy code & Login button. A new tab opens to the Microsoft device login page.
Paste the code and click Next.
Log in with Azure account (the one with Global Administrator rights).
Once you see "You have signed in...", you can close this authentication tab.
The appliance configuration manager page will automatically detect the login and show "Registration successful." Click Continue.

Provide discovery credentials:

This is how the appliance will log in to the other servers (like onprem-fs01) to discover them.
Click Add credentials.
Operating system: Windows Server
Friendly name: onpremdomainadmin
Username: CORP\labadmin
Password: server admin password.
Click Save.

Start discovery:

Click Add discovery source.
Select Add single itme
IP address/FQDN: Enter the Private IP address of your file server (onprem-fs01).
Map Credentials: Select onprem-domain-admin credential from the dropdown.
Click Save.
Scroll down and click Start discovery

The appliance will now validate the credentials and begin discovery. You will see the status change from " Starting discovery to Discovery initiated”

Step 8: Assess the Discovered Server

Before migrating, we must run an assessment. This checks for any compatibility issues and recommends an appropriately sized (and priced) Azure VM.

Navigate to Azure Migrate Project: Go to Migration-Lab-Project.
On the Explore inventory blade, All inventory, you will see your onprem-fs01 server listed. Check the box next to it.
Click the Create assessment button at the top of the list.
A new pane will open. Configure the assessment:

Assessment name: Lab-Assessment-1
You can leave all other properties as their defaults for this lab. The defaults are set to "Azure VM" readiness.

Click Create.
The assessment will be created and will start running. Wait for a few minutes for the assessment to complete (you may need to click "Refresh").
Once the Status is "Ready", click on the assessment name (Lab-Assessment-1).
Explore the results. The two most important tabs are:

Azure readiness: This should show onprem-fs01 as Ready for Azure.
Cost details: This shows the estimated monthly cost for the recommended VM and storage.

Step 9: Replicate the Server

Now that we've confirmed the server is ready, we'll start the background replication. This copies the server's disk data to Azure storage.

Navigate back to the main page of your Migration-Lab-Project.
In the Excute blade, Migrations, click Replicate.
This opens the replication wizard. Configure it carefully:

Source settings Tab:

Are your machines virtualized? Select Physical or other (this must match your appliance setup).
On-premises appliance: Select lab-appliance-01 from the dropdown.

Virtual machines Tab:

Import migration settings from an assessment? Select Yes.
Assessment: Select Lab-Assessment-1.
A list of VMs from the assessment will appear. Check the box for onprem-fs01.

Target settings Tab:

Target region: Select region
Resource group: Select onprem-lab-rg (to keep all our lab resources together).
Virtual Network: Select azure-vnet.
Subnet: Select azure-subnet-1.

Compute Tab:

This should be pre-filled with the VM size recommendation from your assessment.

Disks Tab:

This shows which disks will be replicated. Leave as default.

Review + start replication Tab:

Review the summary and click Start replication.

Step 10: Run a Test Migration (Critical Validation)

Do not skip this step. A test migration (or "test failover") builds the VM in Azure from the replicated data without affecting your on-premises server. It's how you validate that the migration will work.

Go to Migration and modernization -> Replicating machines.
Wait until the Status for onprem-fs01 is Protected.
Click the ... (ellipsis) on the far right of the row for onprem-fs01 and select Test migration.
In the new blade:

Virtual Network: Select azure-vnet.
Click Test migration.

This will start an Azure job. Monitor the job status by clicking the "bell" icon in the Azure portal.
Verification:

Once the job is complete, go to the Virtual Machines service in the Azure portal.
You will see a new VM named onprem-fs01-test.
Note that it is running in azure-vnet. We can't log into it yet (we have no secure access to that VNet, which we'll fix in Phase 4), but seeing it successfully created and in the "Running" state proves the replication worked.

Troubleshooting & Outcomes:

When you Connect to Microsoft Entra ID, your account type should not be Personal Microsoft Account which uses the live.com identity provider, it’s not a member of any organization's Entra ID tenant by default.You may encounter an "AADSTS50020" error if you attempt to connect to Entra ID using a personal Microsoft account. This is because the Entra Connect wizard is designed as an enterprise application that requires a "Work or School" account, which is an account created within your Entra ID tenant.
For the sync account, assign the Hybrid Identity Administrator role for the principle of least privilege. Alternatively, the Global Administrator role can also be used.
If you encounter credential errors when connecting to AD DS, try changing the username to FQDN\username.
The easiest way to distinguish between cloud-only and on-premises synchronized users is looking for On-premises sync enabled column:

If Yes: This is an on-premises sync user. Their account originates from a local Windows Server Active Directory and is synchronized to the cloud.
If No: This is a cloud-only user. Their account was created directly in Microsoft Entra ID.

For internal error: Ensure the Microsoft.OffAzure resource provider is registered in your Azure subscription.

Classic AFD to Static Web App Migration

Effective April 1, 2025, new deployments of the classic Azure Front Door (AFD) service are no longer supported, with the classic AFD scheduled for retirement on March 31, 2027. The standard tier pricing for AFD, at CAD 48, was deemed excessive for a basic static website utilizing a simple function app. Consequently, the AFD service was terminated, and the project transitioned to a free-tier Static Web App (SWA), resulting in a substantial reduction in expenditures from CAD 48 to CAD 0.

Phase 1 : Prepare Local Project

Goal: Create a single project folder on computer that contains both static site and API code, ready for deployment.

Step 1: Create Project Structure

On local computer, create a main project folder. Inside that folder, create two subfolders:

static
api

The folder structure should look like this:

C:\dongan-swa-project\
├── static\
└── api\

Step 2: Add Static Site Files

Downloading all website files (HTML, CSS, JavaScript, images) from my afdstaticwebapp1 storage account's $web container and place them inside the static folder.

After this step, the static folder looks like this:

C:\dongan-swa-project\
├── static\
│   ├── index.html
│   ├── style.css
│   └── images folder
└── api\

Step 3: Prepare API Folder

Move the Code: Place the ViewCounter.js file to the api folder(local).
Install Dependencies: The API code requires two "packages" to work: @azure/functions and @azure/cosmos. You need to create a package.json file to tell Azure to install them.
- Open command prompt (e.g., PowerShell or cmd) and navigate into new api folder:
```
PowerShell:
cd C:\dongan-swa-project\api
```
- Run npm init -y. This creates a basic package.json file. Now, run command to install the packages and save them as dependencies:
```
PowerShell:
npm install @azure/functions @azure/cosmos
```

After this step, the api folder will have ViewCounter.js, package.json, and a node_modules folder.

Step 4: Get Database Keys

The ViewCounter.js code tells us exactly which secrets it needs: COSMOS_ENDPOINT and COSMOS_KEY.

Go to the Azure Portal.
Navigate to Cosmos DB, postfolioldb-viewer-cosmos(I previously created).
On its left-hand menu, under "Settings," click on "Keys".
There are 4 Read-write keys and 1 URI. You only need two values:
- URI: This is COSMOS_ENDPOINT. Copy it to notepad.
- PRIMARY KEY: This is COSMOS_KEY. Copy it to notepad.

Step 5: Install Deployment Tools

Node.js: Install the LTS version.

SWA CLI: In command prompt, run:

PowerShell:
npm install -g @azure/static-web-apps-cli

Phase 2: Deploy and Configure New SWA

Goal: Deploy project, set secret database keys, and test the site.

Step 1: Deploy the Project with SWA CLI

In Command Prompt, navigate to Project Root: Change the directory to main project folder (the one containing the static and api subfolders).
```
PowerShell:
cd C:\dongan-swa-project
```
Run the Deploy Command: run the swa create command. This command tells the SWA CLI where the static files and API files are.
- ./static tells it the static content is in the static folder.
- --api-location ./api tells it the API code is in the api folder.
- --app-name dongan-swa-free gives the new app a unique name.
```
PowerShell:
az staticwebapp create --name dongan-swa-free --resource-group donganswarg --location "eastus2" --sku Free
```
(Note: If you have trouble, you can also run swa deploy and it will interactively ask you for the static folder, the api folder, and the app name. The resource type is only available in the following regions: westus2, centralus, eastus2, westeurope, and eastasia.)
Upon visiting the new URL (defaultHostname) from the output, the appearance of the following web page confirms a successful deployment. However, to display your website correctly, you must still run 'swa deploy' with the deployment token to upload your site content.

Get the Deployment Token to allow the SWA CLI to upload files:

PowerShell:
az staticwebapp secrets list --name dongan-swa-free --query "properties.apiKey" --output tsv

Or you can get it from portal:

Copy the Token: This command will output a long string of characters. This is deployment token. Copy the entire token to notepad. It's a secret, so treat it like a password.
Run the Deploy Command with Token: Execute the command, specifying the static folder (./static), the API folder (./api), and pasting copied deployment token:
```
PowerShell:
swa deploy ./static --api-location ./api --deployment-token <TOKEN>
```
Wait for Deployment: The CLI should now directly start the deployment process withoutasking for login or which app to create/use, because the token provides all necessary information. It will upload the./static files and the./api code to the dongan-swa-free app. Note the URL it provides at the end (it should be something like: https://xxxx.azurestaticapps.net).

Step 2: Add Database Secrets (Environment Variables)

The deployed API code needs the COSMOS_ENDPOINT and COSMOS_KEY to connect to the database.

Go to the Azure Portal and navigate to the dongan-swa-free Static Web App resource.
On the left-hand menu, under Settings, click on Environment variables.
Add Secrets:
- Click + Add.
  - Name: COSMOS_ENDPOINT
  - Value: Paste copied URI value from Cosmos DB keys.
- Click Apply.
- Click + Add again.
  - Name: COSMOS_KEY
  - Value: Paste copied PRIMARY KEY value from Cosmos DB keys.
- Click Apply.
Click the main Apply button to save both variables.

Step 3: Test Live Site

Wait: Give the application minutes for the settings to take effect.
Browse: Open the Static Web App's defaultHostname URL (https://brave-xx.3.azurestaticapps.net).
Verify: The website should load, and the view counter should now be working correctly, interacting with Cosmos DB. Refresh the page to see the count increase.

Live site test with view counter working

Phase 3: Deploy and Configure New SWA

Pointing Custom Domain to the New Static Web App

Goal: Make website accessible via https://www.dongan.cloud.

Step 1: Add the Custom Domain in Azure Portal

Go to Azure Portal: Open the Azure portal and navigate to Static Web App.
Go to Custom Domains: On the left-hand menu, under Settings, click Custom domains.
Add Domain: Click Add, and Click Custom domain on other DNS.
(Note: Custom domain on Azure DNS: Only if you are using Azure's own DNS service to manage your dongan.cloud domain's records.
Custom domain on other DNS: Only if your domain's DNS records are managed by an external provider.
New Custom Domain: This option related to purchasing a domain directly through Azure.)
Enter Domain Name: In the Domain name field, type www.dongan.cloud. Click Next.
Validate: Azure now needs to verify that if you own this domain. It will present you with the details needed for a TXT record:
- Host name: www.dongan.cloud
- Hostname record type: TXT
- Click Generate code, copy the value to notepad
(Note: Keep this Azure portal window open, as you'll need this exact value for the domain provider. The CNAME record is generated by Azure, you don’t need to create it.)

Step 2: Add Records in domain provider(e.g., Namecheap)

Log in to Namecheap: Go to Namecheap account dashboard.
Go to Domain List: Find and click on domain dongan.cloud.
Advanced DNS: Click on the Advanced DNS tab.
Add New Records: In the Host Records section, click Add New Record.
- Type: Select CNAME Record.
- Host: www.
- Value: Paste the Value of Azure Static Web App hostname (e.g., xxx. azurestaticapps.net)
- TTL: Leave this as Automatic or set it to a short value like 5 min.
Add TXT record:
- Type: Select TXT Record.
- Host: www or _dnsauth.www
- Value: Paste the Value you generated from add custom domain section on Azure portal.
- TTL: Leave this as Automatic or set it to a short value like 5 min.
Add ALIAS record(optional):
- Type: Select CNAME Record.
- Host: @
- Value: Paste the Value of Azure Static Web App hostname (e.g., xxx. azurestaticapps.net)
- TTL: Leave this as Automatic or set it to a short value like 5 min.
Save Changes: Click the green checkmark (✓) to save the new CNAME record.

Step 3: Wait for Validation and Propagation

Wait: DNS changes need time to propagate across the internet. This usually takes anywhere from a few minutes to an hour, but can sometimes take longer (up to 48 hours in rare cases).
Check Azure Portal: Go back to the Azure portal window. Azure might automatically re-validate, or you might need to click a "Validate" or "Refresh" button. Once Azure detects the CNAME record you added from your domain provider, the status next to www.dongan.cloud in the Azure Custom domains list will change to "Validated".

Step 4: Test the Custom Domain

Browse: Once Azure shows the domain as validated, open a new browser tab and go to https://www.dongan.cloud.
Verify: The website should load, served securely over HTTPS. Azure Static Web Apps automatically provides and manages the SSL certificate for the custom domain for free.

Troubleshooting & Outcomes:

Azure Static Web App deployment status stuck at "Uploading":
- While the CLI defaults to Node 16, try specifying Node.js 18:
```
swa deploy ./static --api-location ./api --env production --deployment-token <TOKEN> --api-language node --api-version 18 --verbose
```
- Clear the Cache and Force Redeploy
- --app-location public —Critical for proper file structure
- Use --app-location public flag and ensure files are in /public folder
- --env production —Deploy directly to production, avoiding preview issues
Custom domain validation fails or is stuck on "Validating...".
- DNS propagation delay. DNS changes are not instant and can take anywhere from minutes to 48 hours to propagate globally.
- Use tools like nslookup or a website dnschecker.org to see if CNAME and TXT records are visible from different parts of the world.
```
nslookup -q=TXT www.dongan.cloud
nslookup -q=CNAME www.dongan.cloud
```
- double-check the records you created in Namecheap against the values Azure provided in the "Custom domains" blade.
  - CNAME: Host: www | Value: xxxx.azurestaticapps.net
  - TXT: Host: www (or _dnsauth.www) | Value: must be the validation code from Azure.
Web Content Updates
- Before running swa deploy, It's a good practice to get a fresh token just in case the old one has issues.
- Always use --verbose with swa deploy to obtain more detailed information, including extra progress, logging, or debugging output.

Moving On-Premises Data Servers To Azure SQL Server

Overview: This project details the initial setup for migrating an on-premise SQL server to Azure. It involves emulating the on-premise environment with a virtual machine, creating the target Azure SQL Database, and provisioning the core services required for the migration, such as the Azure Database Migration Service and a Cosmos DB account.

Phase 1: Initial Environment Setup

Setup 1: On-Premise SQL VM Emulation

The first step is setting up a SQL virtual machine to replicate the existing on-premise environment.

Log in to the Azure Portal and create a new resource.
Search for and select "SQL Server 2017 on Windows Server 2016".
Set the following basic parameters:
- VM Name: OnPremSQL
- Region: Use default
- Size: D2 v3
- Username: migrateadmin
- Password: password123
- Inbound Port Rules: Allow Selected Ports (RDP)
In SQL Server settings, set SQL Connectivity to Public" and Enable SQL Authentication.
Click Review and Create.

Setup 2: Database Migration Service

Next, create an Azure Database Migration Service instance to automate the data migration.

In the Azure Portal, add a new resource.
Search for and select "Azure Database Migration Service".
Enter the following parameters:
- Service Name: MigrationService
- Location: Use default
- Virtual Network: -vnet/default
- Pricing Tier: Standard 1v core
Click Create.

Setup 3: Create an Azure Cosmos DB account with Cloud Shell

Use the Azure Command Line Interface (CLI) via Cloud Shell to create a Cosmos DB account.

Open Azure Cloud Shell (Bash).

Create three Bash variables:


                    RESOURCE_GROUP_COSMOS=''
                    LOCATION_COSMOS=''
                    ACCOUNT_NAME_COSMOS='migrationcosmos'

Run the following command to create the account:

az cosmosdb create --name <AccountName> --resource-group <ResourceGroup> --locations <RegionName>

Setup 4: Target Azure SQL Server and Database

Create the "target" or "destination" database in Azure where the on-premise data will be migrated.

In the Azure Portal, create a new resource.
Search for and select "SQL Database".
Click Create.
Set the following parameters:
- Database Name: SQLDB
- Server: Click Create new.
  - Server Name: A globally unique name (e.g., sqlserver-dongan)
  - Server admin login: sqladmin
  - Password: Create a secure password.
- Workload Environment: Development.
- Compute + Storage: Select "Serverless" and "Gen5, 1 vCore" for the most cost-effective development option.
On the Networking tab:
- Connectivity Method: Public endpoint.
- Firewall Rules: Select YES for "Allow Azure services and resources to access this server".

Project 6 Image 64 - Create SQL Database Networking

Click Review + Create.

Phase 2: Evaluate and Execute DB Migration with Azure Database Migration Tool

Setup 5: Prepare the On-Premise Database

This setup involves connecting to the emulated on-premise VM and restoring the sample database that needs to be migrated.

Connect to the On-Premise VM:
- In the Azure Portal, navigate to your Resource Group and select the OnPremSQL Virtual Machine.
- Connect to the VM via RDP using the migrateadmin user and your password.
- Once on the VM, open Local Server. Click IE Enhanced Security Configuration and set it to Off for Administrators.
Restore the Database:
- Download the TailwindInventory database .bacpac file.
- Open SQL Server Management Studio (SSMS) from the start menu and connect to the local SQL instance.
- Right-click the Database folder and select Import Data-tier Application.
- Follow the wizard to import the .bacpac file. Once complete, refresh the database folder to see the TailwindInventory database.

Setup 6: Install Data Migration Assistant (DMA)

Download the Data Migration Assistant installer from the Microsoft website: https://www.microsoft.com/en-us/download/details.aspx?id=53595
Copy the installer to the OnPremSQL VM and run it.

Note:

You may need to install .NET Framework 4.8 or later before the DMA will install successfully.

Setup 7: Run the Database Assessment

With the database restored and the tool installed, the next step is to scan the local database for any compatibility issues with Azure SQL.

Open the Data Migration Assistant from the desktop.
Create a new project with the following settings:
- Project Type: Assessment
- Project Name: tailwind-migration
- Source server type: SQL Server
- Target server type: Azure SQL Database
On the options screen, checkCheck database compatibility and Check feature parity. Click Next

For the source server, enter localhost and use Windows authentication.
Un-check the Encrypt Connection box and check the Trust server certificate box.

Select the TailwindInventory database and click Start Assessment.

Note: Expect to see only one report on compatibility issues for this database, as Service Broker is enabled.

Setup 8: Migrate the Database Schema

Once compatibility is confirmed through the assessment, proceed with migrating the schema to Azure SQL Database.

In the Data Migration Assistant, create another new project:
- Project Type:Migration
- Project Name:tailwind
- Source server type:SQL server
- Target server type:Azure SQL Database
- Migration Scope:Schema Only
Configure the Source Server:
- Server:localhost
- Authentication:Windows
- Un-checkEncrypt Connection and click Connect.
- Select the TailwindInventory database and click Next.
Configure the Target Server:
- Server Name:Paste the server name from your Azure SQL Server resource (e.g., sqlserver.database.windows.net).
- Authentication:SQL Server Authentication
- User:CloudSA231e4168(something like this)
- Password:Secure password
- Click Connect.

Note:

You can find and copy the server name and server admin username on SQL server overview page

Once connected, select target database and click Next.
Select all tables and click Generate SQL script.
After reviewing the script, click Deploy Schema.
The schema is now successfully migrated to your Azure SQL DB.

Phase 3: Data Migration and Finalization

Now that we have the schema migrated, we now need to move the data. We will use the Azure Data Migration Service for this as it is much more robust option and can migrate the data with very minimal downtime.

Setup 9: Start the Migration Project

In the Azure Portal, navigate to your resource group and open your Azure Database Migration Service resource.
Select + New migration project.
On the New migration project blade, fill in the initial details:
- Source server type: SQL Server
- Target server type: Azure SQL Database
- Migration type: Offline
Click Create and run activity.

Setup 10: Install and Register the Integration Runtime

The appearance of an error message—"This scenario is currently disabled and requires a self-hosted integration runtime..."—is an expected outcome.
Look to the Configure integration runtime pane on the right side of the screen.
Download: Click the Step 1: Download and install the integration runtime link.
Install:Run the downloaded installer (.msi) on a machine that has network access to your source SQL Server. Follow the on-screen installation prompts.
Register: After installation, the Microsoft Integration Runtime Configuration Manager will open.
- Go back to the Azure portal and copy Key 1 from the Configure integration runtime pane.
- Paste this key into the Configuration Manager and click Register.

Setup 11: Complete and Run the Migration

Once the Configuration Manager shows a green checkmark and a Connected to the cloud service status, return to the Azure portal.

Wait a minute or two. The error message will disappear, and the Self-hosted integration runtime status will update to show it's registered.

Setup 12: Source Details

Complete this page as follows:

Is your source SQL Server instance tracked in Azure?
- Select No.
Source Infrastructure Type:
- Select Virtual Machine.
Select SQL Server instance details:
- Subscription: Azure subscription 1.
- Resource group: onprem-dataserver-rg
- Location: East US
- SQL Server Instance Name: tailwind.

Click Next: Connect to source SQL Server.

Setup 13: Connect to source SQL Server

This page connects the migration service to on-premises lab VM.

Source SQL Server instance name: Enter the IP address or Hostname of the on-premises SQL Server VM.
Authentication type: Select SQL Authentication.
User name: Enter the SQL admin username (e.g., sqladmin).
Password: Enter the SQL admin password.
Connection properties: "Encrypt connection" uncheck and "Trust server certificate" check.

Click Next: Select databases for migration.

Setup 14: Select databases for migration

The wizard will connect to source VM and list its databases.

Find the tailwind database in the list and check the box next to it.

Setup 15: Connect to target Azure SQL Database

The wizard will connect to source VM and list its databases.

Target server name: Select Azure SQL Database server from the dropdown.
Authentication type: Select SQL Authentication.
User name: Enter the Azure SQL admin username (e.g., sqladmin).
Password: Enter the password for Azure SQL server.

Click Next: Connect to target Azure SQL Database.

Setup 16: Map source and target databases

This screen confirms which source database maps to which target database.

Verify the source database is correctly mapped to the target database on Azure SQL server.

Click Next: Select database tables to migrate.

Setup 17: Select database tables to migrate

The wizard lists all tables from source tailwind database.

Check the box at the very top of the list to select all tables for migration.

Click Next: Database migration summary..

Setup 18: Database migration summary

This is the final review page.

Activity name: Give the migration a name, like tailwind-migration.
Review the Source and Target details to ensure everything is correct.

Click Start migration.Upon initiation of the migration, a new screen will appear, allowing you to track its progress.

Setup 19: Monitor and Verify the Migration

The migration status will now be displayed. Click the project name (tailwind) to see detailed progress.
The service will show the status of all tables. Wait for all tables to show a status of Completed.
Verification:
- Go to sqlserver resource in the Azure portal.
- Open the Query editor and log in.
- Run the following query to confirm the data has arrived: SELECT * FROM Payroll

Troubleshooting & Outcomes:

1. If the DMA connection fails, it is almost certainly a firewall issue.

The OnPremSQL VM's IP address is not allowed to access your Azure SQL server by default.
In the Azure Portal, SQL Server → Networking → Public access → Firewall rules.
Click Add your current client IP address button. This adds the VM's IP to the allow-list.
Click Save. Wait 1-2 minutes, then try connecting again in the DMA.

2. SQL Authentication fails, the following error may appear:

This means your Azure SQL Server is configured to only accept logins from Microsoft Entra ID.
It is set to reject all "SQL Server Authentication" attempts, which is what the Data Migration Assistant is trying to use.
In the Azure Portal, go to SQL server. In the Settings blade → Microsoft Entra ID.
Find the Microsoft Entra Authentication only, Uncheck the "Support only Microsoft Entra Authentication for this server" on that page.
This will re-enable SQL Authentication.

After this, you may still can’t make a connection to the target server, you can try to reset password on Azure SQL server within portal.

3. When encountering a "Login failed for user 'xxxxx' (Error: 18456)" message while configuring a connection to a source SQL server, consider the following:

❌ Windows Authentication: Usernames typically include a local host name prefix (e.g., OnPremSQL\XXX).
✅ SQL Server Authentication: Logins do not use a prefix.
In Microsoft SQL Server Management Studio (SSMS), accessible from VM, you can create a new login user for SQL Server Authentication.
The SQL Server Authentication's System Administrator (SA) is disabled by default but can be enabled for SQL Server Authentication.
On the server properties security page, choose "SQL Server and Windows Authentication mode" under server authentication.
The most effective method is to restart the SQL Server (MSSQLSERVER) service or reboot the server host.

Welcome to My Portfolio

About Me

My Projects

Azure Static Website Hosting

Cloud-Based API View Counter

Bicep Deployment for Azure Web App

Hybrid Identity with Entra Connect

Classic AFD to Static Web App Migration

Moving On-Premises Data Servers To Azure SQL Server

Accomplishments

Certifications

Volunteer Experience

Prevent Cyber Fraud Lecture

Get In Touch

My Azure Notes