The annual Azure Bootcamp Switzerland, a one-day conference driven by the community’s passion for Microsoft Azure, provides a perfect mix of learning and networking, particularly suited for Azure enthusiasts, whether novices or pros. With sessions that host a blend of practical lessons, success stories, and navigation through the changing digital landscape, the conference embodies an unmissable opportunity for professional growth and collaboration.
My colleague Flavio and I seized the chance to join the event this year on May 16th, and we were not disappointed. This post will sum up insights from the day’s events and my personal take on why the Azure Bootcamp is an appointment you should mark on your calendar, highlighted for next year’s date as well—5th of June, which coincidentally doubles as my birthday!
Sessions
Let’s take a deep dive into the specific sessions that Flavio and I chose to attend. There was so much on offer at the Azure Bootcamp that we just couldn’t cover it all, so we zeroed in on the ones that really lined up with what we’re into at work.
Welcome Note with the organizers and Azure Switzerland Update by Primo Amrein
The Azure Bootcamp kicked off in the WELLE 7 in Bern promptly at 8 AM, opening its doors to a crowd eager for registration and ready to immerse themselves in the world of Azure and Microsoft 365.
The ball got rolling at 9 AM with Stefan Johner, Manuel Meyer, and Stefan Roth delivering the welcome note. Their introduction marked the start of what promised to be an engaging and educational day for all. The organizers laid out the agenda, which was designed to provide comprehensive coverage of Azure-related topics, empowering attendees with knowledge and insights.
With a strong lineup of sessions and the backing from significant sponsors, the Azure Bootcamp was sure to offer a valuable and enriching experience to all cloud enthusiasts in attendance.
Furthermore, the Bootcamp served as a platform to highlight the upcoming Experts Live Europe conference taking place in Budapest this September. It’s an event well-known for its engaging content and networking opportunities. A special mention was given to Isidora Katanic, acknowledging her contribution and efforts within the community. Moreover, there was the opportunity to win a Full Pass Ticket. Unfortunately, neither of us won this year.
Following the introduction session of the Azure Bootcamp, Primo Amrein, the Cloud Lead at Microsoft, took center stage. He opened with a blast from the past, looking back at the launch of Azure in Switzerland over four years ago.
He proudly highlighted that Azure now boasts over 400 services available in the Swiss datacenters. In a particular boon for Swiss banks, he noted the recent general availability of Microsoft Defender for Endpoint and Microsoft Defender for Identity, which had gone GA the day before the Bootcamp, signaling a strong commitment to empowering financial institutions with top-tier cybersecurity measures and data residency almost on everyone’s doorstep in Zurich or Geneva.
Since the last Bootcamp, there have been several noteworthy launches reinforcing Azure’s robust suite of services in Switzerland. The Azure VMware Solution brought about a seamless bridge between the cloud and on-premises VMware environments, while the introduction of NVv5 instances signaled an enhancement in Azure’s computing capabilities.
The Microsoft Developer Box, priced the same as in the European Union datacenters, has been launched to streamline the developer experience. Amrein also touched upon the advancements made with Arc-enabled Kubernetes and the Update Management Center for Arc-enabled servers, further expanding the management and scalability of Azure services and on-premises resources too.
Moreover, the Azure platform has strengthened its networking and notification capabilities with the addition of the Azure Virtual Network Manager and Azure Notification Hubs. Security also received a major boost with Azure Confidential Computing and an additional ExpressRoute Point of Presence, expanding the Azure network services.
New redundancies have been introduced with SQL Database and SQL Managed Instances becoming zone redundant, alongside Storage Premium Files and Managed Disks, ensuring even greater data resiliency. The Archive Tier was also upgraded with Azure Backup, extending the archival capabilities of the platform.
A special mention was reserved for Azure OpenAI, now priced on par with other global regions, emphasizing Azure’s initiative to democratize AI applications in Switzerland.
Amrein rounded off his talk by sharing compelling customer stories, featuring innovative use cases like Rhätische Bahn’s adoption of cloud services, Unique GPT’s groundbreaking work, the digital transformation of Aargauische Kantonalbank’s ERP system, and the strides made by ÖKK and Compassana in leveraging Azure’s capabilities.
This overview by Primo Amrein was not just an account of Azure’s growth but also an affirmation of Microsoft’s continuing innovation and support for enterprises across Switzerland, ensuring they remain at the forefront of digital transformation.
Navigating the Azure Cloud at Digitec Galaxus: Our Journey and Lessons Learned
Olivier Girard, the Domain Architect for the Digitec Platform and Online Shop, alongside Gerald Schermann, Software Architect at Digitec Galaxus, shared an insightful speech titled “Navigating the Azure Cloud at Digitec Galaxus: Our Journey and Lessons Learned.” Their story painted a vivid picture of digital transformation over nine years, beginning in 2015 with an on-premises .NET monolith on Windows Server, supported by a single, hefty MS SQL database for the Webshop and their ERP system.
Fast forward to the present, and their system now operates as a highly distributed and modular cloud-based framework, capably handling an increase in data. The evolution included a cultural shift with a piratical approach, with services ranging from online shops and mobile applications to a tablet-optimized warehouse management system.
Their technological odyssey saw the initial monolithic architecture make way for microservices, GraphQL, ReactJS, and a company-wide shift to cloud infrastructure using Kubernetes. The journey wasn’t without its missteps, like facing down a notorious Black Friday meltdown, but such challenges led to critical improvements such as utilizing Redis for DB cache and introducing NGINX as a routing replacement for Load Balancer VMs.
As of 2019 and 2020, the team strategically transitioned from the full .NET Framework to .NET Core only, maintaining their ERP systems on VMs. Embracing DevOps practices early on with tools such as Azure DevOps, and forming an SRE team with policies like no deployments on Fridays, were pivotal moves toward a more resilient and robust system.
Presently, the structure comprises 45 Scrum teams with Kubernetes sprawling across their operations, an approach mirrored by the use of multiple AKS clusters designed not to communicate directly with one another. Their toolset includes Terraform and Ansible for automation, Rancher for cluster management, and the innovative use of spot instances, node pools, and Knative with KEDA for scaling to zero when resources are not in use.
But not all days were smooth sailing. Girard and Schermann recounted “the day the routers died,” a significant incident in 2022 triggered by a security patch on Ubuntu, which led to a network lockout due to misconfigured interfaces. Despite such setbacks, they made impressive steps forward in data management, moving from Service Bus to Kafka for propagating data and leveraging BigQuery for analytical purposes.
Adopting Datadog for observability and transitioning to GitHub Actions, they have not only fortified their security using Kyverno and network policies but have also drawn clear lessons from the journey. These lessons emphasized the balance between in-house development and third-party solutions, the trade-off between distribution and modularization, and tailoring specific solutions over one-size-fits-all methods.
Looking to the future, Digitec Galaxus aims to enhance the developer experience through simplification and self-service, adopt a holistic system view that integrates an API catalogue and dataflow monitoring, pivot towards a multi/hybrid cloud architecture with service mesh, and invest in event-driven architecture.
Girard and Schermann’s tale is more than just a chronicle of technological transition; it’s a testament to the growth, resilience, and forward-thinking philosophy that has guided Digitec Galaxus to thrive in the cloud era.
Special Guest
After the interesting and comprehensive session by Digitec Galaxus we were treated to a unique and unexpected twist amidst the deep-dive sessions into Azure and AI. We enjoyed a special appearance by Dino Dorado, a mentalist, who veered away from the technical talks with his “Cork Game.” His performance offered a playful and mystifying experience, providing a refreshing mental exercise and a fascinating departure from the day’s technical focus.
Following the engaging mentalist act, we engaged in a well-deserved networking and coffee break.
Kill your IAM system now, Entra ID is here
Emerging from the networking break with fresh connections and renewed focus, we then dived into the critical world of identity and access management (IAM). Marcel Zehner, a distinguished Microsoft Cloud Champion at SoftwareONE, Microsoft Regional Director, and Azure MVP, took the stage to address the evolving nuances of IAM within the cloud environment.
Marcel’s session aimed to enlighten the audience on how the rapidly changing IAM requirements posed by the adoption of cloud applications demand novel tools and streamlined processes. Underscoring the pitfalls of outdated, unwieldy IAM systems, he used real-world business cases to illustrate the capabilities of Entra ID — Microsoft’s modern IAM solution.
The agenda covered the myriad challenges currently facing the IAM landscape, from the sprawl of multiple platforms and apps lacking single sign-on (SSO) capabilities to the necessity for simplified identity protection with centralized monitoring. The discourse advanced into the complexities of accommodating self-service, role-based access, regular access reviews, and the assignment of temporary permissions.
Marcel offered insights into identity provisioning, considering scenarios ranging from cloud-only infrastructures to hybrid identities involving Active Directory Domain Services (ADDS) and third-party applications. He debated the merits of directory synchronization (Dir Sync) versus the more modern System for Cross-domain Identity Management (SCIM), proposing SCIM as a robust synchronization solution for HR systems, transcending geographical constraints and integrating with Entra ID Provisioning Service.
In cases where gallery apps were unavailable, Marcel highlighted the potential of API-driven provisioning to either Entra ID or ADDS, ensuring that SCIM provisioning inbound was still possible.
A crucial part of the talk hinged on access management, with Marcel focusing on how access packages, their accompanying policies, and regular access reviews can create a more secure and manageable environment for IAM.
To round off the session, workflow automation was addressed, specifically the life cycles of an employee — from onboarding (joiner), to internal role changes (mover), and finally offboarding (leaver). Marcel demonstrated how access groups could be seamlessly managed via access packages and underscored the importance of creating a comprehensive lifecycle workflow with pre-defined workflows to ensure seamless transitions across an employee’s tenure.
Marcel Zehner’s session was not merely informative; it was a practical guide towards envisioning a future where streamlined, elegant IAM solutions like Entra ID can effectively replace the cumbersome systems of the past, offering agility and security in a cloud-centric enterprise world.
Breaching the Cloud: How to Exploit and Mitigate Common Security Risks
In a session aimed at all Azure Bootcamp participants concerned with cloud security, Hans-Peter Weiss and Jan Schneider, both Cloud Solution Architects at Swisscom, led an eye-opening discussion titled “Breaching the Cloud: How to Exploit and Mitigate Common Security Risks.”
The architects went on to showcase, through a live demonstration, the methodologies an attacker might employ to exploit security weaknesses and gain unauthorized access.
A critical segment of their presentation detailed the execution of a vulnerability scanner, highlighting the importance of identifying and rectifying security loopholes. They also addressed server-side request forgery (SSRF) and the risks associated with SSH keys stored in Key Vault that are openly accessible, via network security group (NSG) rules, across all VMs.
With a focus on lateral movement within cloud environments, Hans-Peter and Jan pointed out the inherent dangers of liberal NSG rules such as the default AllowVnetInBound and AllowVnetOutBound. They classified security threats into distinct levels of criticality, with server-side request forgery in the web app topping the list, followed by high-level risks like inappropriate access control on Key Vaults and the lack of environment separation.
Moreover, they spoke on medium-level threats, underscoring issues like insecure credential management, the overuse of SSH, and negligence regarding NSG default rules. To aid in the identification of such vulnerabilities, they introduced tools such as CloudSploit, CredScan for monitoring GitHub repositories, and BloodHound for assessing permission configurations.
Throughout their talk, the architects reiterated the rule of adopting a ‘deny by default’ stance for inbound and outbound traffic, encouraging the use of higher-precedence NSG rules to enforce it as a fundamental best practice.
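To make the deny-by-default advice concrete, here is an added Python model of how an NSG evaluates its rules (the lowest priority number wins and the first match decides); it is my illustration, not code from the Swisscom session, and the VNet address space, subnets and rule names in the hardened set are assumptions.

```python
"""Toy model of Azure NSG rule evaluation. Rules are checked in ascending
priority order (a lower number wins) and the first match decides, so a custom
Deny at priority 4096 still beats the default AllowVnetInBound at 65000."""
from dataclasses import dataclass
import ipaddress

# Assumed VNet address space; the "VirtualNetwork" service tag resolves to it.
VNET_SPACE = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_PROBE_IP = "168.63.129.16"  # source of Azure Load Balancer health probes

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules, 65000+ for the Azure defaults
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    source: str        # CIDR or tag: "*", "VirtualNetwork", "Internet", "AzureLoadBalancer"
    destination: str
    port: str          # "*" or a single port; ranges and lists are not modelled

def addr_matches(selector: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET_SPACE)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return in_vnet
    if selector == "Internet":
        return not in_vnet
    if selector == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(selector, strict=False)

def evaluate(rules, direction, src_ip, dst_ip, dst_port):
    """Return (rule name, access) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if (addr_matches(rule.source, src_ip) and addr_matches(rule.destination, dst_ip)
                and (rule.port == "*" or int(rule.port) == dst_port)):
            return rule.name, rule.access
    return "NoMatch", "Deny"  # unreachable while the Azure default rules are present

# Azure's built-in default rules (priorities 65000-65500).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]

# Deny-by-default hardening: explicit denies at the top of the custom range (4096)
# with narrowly scoped allows in front of them. Assumed subnets:
# 10.0.1.0/24 = admin/bastion subnet, 10.0.2.0/24 = workload subnet.
HARDENED_RULES = DEFAULT_RULES + [
    Rule("AllowSshFromBastionSubnet", 100, "Inbound", "Allow", "10.0.1.0/24", "10.0.2.0/24", "22"),
    Rule("DenyVnetInBound", 4096, "Inbound", "Deny", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowSshToWorkloadSubnet", 100, "Outbound", "Allow", "10.0.1.0/24", "10.0.2.0/24", "22"),
    Rule("DenyAnyOutBound", 4096, "Outbound", "Deny", "*", "*", "*"),
]

def ssh_reachable_from_vnet(rules, src_ip="10.0.3.7", target_ip="10.0.2.10"):
    """Audit helper: can an arbitrary VNet host reach SSH on a workload VM?"""
    return evaluate(rules, "Inbound", src_ip, target_ip, 22)[1] == "Allow"

if __name__ == "__main__":
    print({name: ssh_reachable_from_vnet(r) for name, r in (("defaults", DEFAULT_RULES), ("hardened", HARDENED_RULES))})
```

With only the defaults, any host inside the VNet reaches SSH on the workload VM; with the hardened set, only the bastion subnet does, while load-balancer health probes keep working.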
Hans-Peter and Jan concluded their session by proposing strategic preventive actions to safeguard against these identified risks, arming attendees not just with the knowledge of potential vulnerabilities, but also with the tools and strategies essential for maintaining robust security postures within their Azure cloud environments.
How Criminals Breach your Azure Environment
In a compelling session, Marco Schmidt, a Security Engineer at GrabX Solutions, alongside Manuel Meyer, an Azure Architect also at GrabX Solutions, enlightened us on “How Criminals Breach your Azure Environment.” Their dialogue revolved around Azure’s security vulnerabilities and showcased the sophisticated tactics used by cybercriminals to penetrate cloud defenses.
Drawing from the renowned Lockheed Martin Cyber Kill Chain model, which has its origins in military strategy, they began with the initial phase of reconnaissance. Here they explored various methods an attacker could employ to discover passwords—from Open Source Intelligence (OSINT) and phishing, to scouring the dark web, engaging in dumpster diving, coordinating password attacks, or deploying malware.
Addressing protection strategies, the speakers recommended tools such as passkeys and Smart Lockout in Entra ID as well as suites like M365 Defender. They emphasized the importance of user awareness training to control the human element of cybersecurity.
The session delved into the tactics of user enumeration, particularly brute-forcing via APIs, and revealed tools like AADInternals that malicious actors might use to infiltrate systems. Here, Marco and Manuel acknowledged the difficulty in providing absolute protection against these enumeration techniques.
They also explored initial access tactics like password spraying, demonstrating the vulnerability through Azure’s API endpoint and outlining how tools such as MSOLSpray and Fireprox (for IP rotation) can be utilized by attackers.
In combating such threats, the presenters advocated for passwordless authentication and the use of robust passwords as primary defences. Moving on to defence evasion, they highlighted Conditional Access weaknesses that could be exploited through various vectors such as location, device platform, Man-in-the-Middle (MITM) attacks with tools like Evilginx, MFA bombing, and social engineering tactics.
To protect against such evasion techniques, they urged attendees to keep exclusion lists of Conditional Access policies minimal, create block rules for preventing access in unwanted scenarios, and utilize the Conditional Access Gap Analyser.
A live demonstration showcased privilege escalation, a stage ominously critical for attackers aiming to escalate their footholds within a target environment. The discussion on lateral movement revealed how attackers could further traverse the network once inside a tenant or an on-premise network.
By providing this in-depth examination, Marco and Manuel laid out not just the threats, but also the protective measures that all administrators can implement to secure their Azure environments against the tactics used by today’s cyber adversaries.
Top 10 Best Practices for YAML Pipelines in Azure DevOps
Marc Müller, a Principal Consultant at 4tecture GmbH, delivered a session on “Top 10 Best Practices for YAML Pipelines in Azure DevOps.”
The session began with a focus on ‘Configuration as Code,’ a principle that underlines the YAML approach. Marc underscored the benefits of this method, such as the ability to build from older versions and cautioned against the pitfalls of code duplication, which can lead to maintenance issues down the line.
Flexibility in pipeline design should be considered as crucial, with an emphasis on the fact that linear staging does not always fit the complexity of real-world scenarios. Marc introduced the concept of multi-stage YAML pipelines, which offer greater control over the build and deployment process.
He then shared best practices centred around Platform continuous delivery, articulating the value of continuous delivery and the leveraging of Service CI using Pipeline Artifacts to store and manage information flow within pipelines.
The protection and handling of secrets were highlighted as a major concern. Marc advised attendees to only reference secrets in code, never embed them, and to store sensitive variables securely in Azure Key Vault or through service connections, mitigating the risk of exposure.
Templates were presented as a method to promote reusability and consistency across pipelines. Marc explained how incorporating templates into YAML pipelines could significantly reduce overhead and streamline the construction of complex workflows.
Throughout his talk, Marc conveyed the importance of integrating these best practices to create scalable, secure, and maintainable Azure DevOps pipelines. We left the session equipped with actionable recommendations to optimize our DevOps strategies, reflecting a deeper understanding of the advanced capabilities of YAML within Azure.
This topic was almost too big for a 45-minute slot. He had to take some shortcuts, unfortunately.
Azure AI deep dive with Ausgleichskasse Basel Stadt
In this informative session, we were ushered into the world of artificial intelligence applications within public administration. Jörg Bieri, CTO at GARAIO AG, and Ivan Babic, a Developer at the same firm, shared their experience with the implementation of an AI solution akin to ChatGPT for the Ausgleichskasse Basel Stadt.
The team from GARAIO AG faced an intriguing challenge: to address the fact that 30% of the work effort at the Ausgleichskasse was consumed by research tasks performed by its employees. To overcome this, they developed an AI-based solution to answer frequently asked questions, thus streamlining operations and driving efficiency.
Their solution involved the preparation and training of an AI model focused on Q&A scenarios, crafted to respond to the most common inquiries. This involved creating “PDF chunks”—snippets of about 300 characters in length—with code written in C#, indexed and converted into vectors for efficient AI processing.
The presenters delved into the technical aspects, including the construction of a Retrieval-Augmented Generation (RAG) model that was trained on these Q&A interactions. The RAG model’s eventual ability to return the top five results for a query represented a significant achievement for the team.
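As an added illustration of the chunk, index and top-five retrieval pipeline described above (not the GARAIO code, which is in C# and was not shown), here is a Python sketch; the sample FAQ texts are constructed and the bag-of-words embedding stands in for a real embedding model.

```python
"""Constructed sketch of the chunk -> vector -> top-5 retrieval pipeline the
session described. The embedding below is a bag-of-words stand-in; a real
deployment would call an embedding model (e.g. via Azure OpenAI) instead."""
import math
import re
from collections import Counter

CHUNK_SIZE = 300  # characters per chunk, as in the session
TOP_K = 5         # results returned per query, as in the session

# Constructed sample FAQ documents (not the Ausgleichskasse's real content).
DOCS = {
    "faq-pension": (
        "Old-age pension: the ordinary retirement age is reached at 65. You can claim your "
        "pension early by one or two years with a permanent reduction, or defer it by up to "
        "five years for a supplement. To claim, submit the pension application form to the "
        "compensation office at least three months before you retire. The amount depends on your contribution years."
    ),
    "faq-contributions": (
        "Contributions: employees and employers each pay half of the social insurance "
        "contributions, deducted directly from the salary. Self-employed persons register "
        "with the compensation office and pay contributions on their net business income. "
        "Persons without gainful employment owe a minimum contribution from age 21 onwards."
    ),
    "faq-family": (
        "Family allowances: parents receive a child allowance for each child up to the age "
        "of 16 and an education allowance for children in training up to the age of 25. The "
        "allowance is paid out through the employer together with the salary, or directly by "
        "the compensation office for self-employed persons. Only one allowance is paid per child."
    ),
}

def chunk_text(text: str, size: int = CHUNK_SIZE) -> list[str]:
    """Chunks of at most `size` chars, cut only between words (an oversized lone word stays whole)."""
    chunks, current = [], ""
    for word in text.split():
        candidate = f"{current} {word}".strip()
        if len(candidate) > size and current:
            chunks.append(current)
            current = word
        else:
            current = candidate
    if current:
        chunks.append(current)
    return chunks

def embed(text: str) -> dict[str, float]:
    """Unit-length term-frequency vector (stand-in for a learned embedding)."""
    counts = Counter(re.findall(r"[a-zäöüß0-9]+", text.lower()))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {term: c / norm for term, c in counts.items()}

def cosine(a: dict[str, float], b: dict[str, float]) -> float:
    return sum(v * b.get(k, 0.0) for k, v in a.items())  # both inputs are unit vectors

def build_index(documents: dict[str, str]) -> list[dict]:
    return [{"doc": doc_id, "pos": pos, "text": chunk, "vec": embed(chunk)}
            for doc_id, text in documents.items()
            for pos, chunk in enumerate(chunk_text(text))]

def retrieve(index: list[dict], query: str, k: int = TOP_K) -> list[tuple[str, int, float]]:
    """Return up to k (doc id, chunk position, score) triples, best match first."""
    q = embed(query)
    ranked = sorted(index, key=lambda e: cosine(q, e["vec"]), reverse=True)
    return [(e["doc"], e["pos"], round(cosine(q, e["vec"]), 3)) for e in ranked[:k]]

INDEX = build_index(DOCS)
```

Calling `retrieve(INDEX, "When can I retire and claim my pension?")` ranks the first pension chunk highest; the returned chunks are what a generator would then be prompted with.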
An amusing yet candid acknowledgment was made about the approximately 1000 lines of “spaghetti code” in C#.
Throughout the session, Jörg and Ivan did not shy away from detailing their hands-on learnings, providing attendees with not just an understanding of the project’s success, but also the real-world coding challenges they encountered along the way. Their deep dive into Azure AI for a public sector case study illustrated the tangible benefits of AI and the potential it holds for organizational advancement.
Closing Note: Digitalization, people and money
As the Azure Bootcamp reached its finale, we were presented with a contemplative closing note on “Digitalization, people and money,” where two forward-thinking experts shared their perspectives on cryptocurrency and finance. Andreas Wenger, described as a Bitcoiner, economist, and humanist, and Patrick Kühni, also a Bitcoiner and avionic engineer, led this thought-provoking session.
Their talk, centred on “Bitcoin and the Future of Money,” shed light on the implications of Bitcoin and its transformative potential on the monetary systems and financial landscapes. They provided insights into how Bitcoin, as a decentralized digital currency, could influence traditional banking, investment strategies, and the very concept of asset management, especially in Switzerland.
Andreas and Patrick delved into the philosophical and economic underpinnings of Bitcoin’s rise, its value proposition, and the challenges it presents to established financial norms. They also considered the practical and ethical considerations of integrating such technologies into the core of societal transactions.
The bootcamp wrapped up in high spirits, with an Apero — a networking session accompanied by refreshments — allowing us to casually discuss the insights gained from the day’s broad array of topics, including the final notes on digitalization and the transformative role of cryptocurrencies like Bitcoin in shaping our approach to money and finance. This networking opportunity provided a perfect occasion for professionals to connect, expand their horizons, and reflect on how the Azure platform, and technology in general, will shape us in the future.
Summary
The Azure Bootcamp proved to be an enlightening and engaging experience, packed with informative sessions that offered deep dives into various technical realms. From the exploration of cutting-edge AI implementations to best practices in Azure DevOps and the fascinating discussions on Bitcoin’s impact on finance, there was a wealth of knowledge to absorb. The enduring sentiment is one of appreciation for the accumulation of new insights and the anticipation of future advancements. The personal commitment for both of us to attend next year’s event on the 5th of June (my birthday) adds a note of personal significance and excitement. The hope of reconnecting with familiar faces and the prospect of welcoming newcomers is a testament to the community’s vibrant energy and the event’s contribution to continuous learning and professional growth.
Source: Azure Bootcamp Switzerland