I’m wondering if anyone has experience in deploying Elixir apps (Phoenix apps or otherwise) to Microsoft Azure. If so, I would love to hear about your experience.

The company where I work is heavily invested in Azure from before, so I’m trying to determine whether it would be a viable option for Elixir apps as well.

Here are some of the types of questions I have in mind:

• How did your setup look like?
• Did you use Azure Container Instances or Azure Virtual Machines?
• Did you deploy to a single node or multiple nodes?
  • If multiple nodes: Did you have any issues connecting them?
• Were you using some kind of containers and orchestration, e.g. Docker and Kubernetes?
• Does Azure play well with BEAM instrumentation and debugging tools?
  • Is it possible to attach to an Azure environment with Erlang’s remote shell?
• Did you experience any significant difficulties?
• Are there any noteworthy caveats or drawbacks?

Any input on such topics would be greatly appreciated.

(full disclosure: I work for Microsoft, and love Elixir )

Hi,

I haven’t yet spent too much time on the actual runtime side of Elixir on Azure. One thing I did was to run a Distillery with multi-stage docker, then push the resulting image to Azure Web Apps (with Linux). Also Azure Kubernetes Service (AKS) is an obvious solution. When it comes to running an Erlang Cluster in a virtual network, there are no reasons why it should not be possible…

Regarding your question on whether Azure plays well with BEAM instrumentation, I would guess all BEAM things would be independent of or orthogonal to Azure?

As for the Elixir application side of things, I started to build libraries to interact with various Azure APIs:

• The chgeuer/ex_microsoft_azure_management_generator repo is a utility which auto-generates a big chunk of client-side proxies for the Azure Resource Manager (ARM) management API.
• You can find the generated code in ex_microsoft_azure_management.
• I have a sample project ex_microsoft_azure_management_samples which demonstrates how for example to list or create resource groups, or how to trigger an ARM deployment.
• The thing where I spend some more love was on the application plane, particularly with the Azure Storage API. The ex_microsoft_azure_storage project shows you how to interact with Azure blob storage. This is an early stage API client, but works for me ™.
• Ramon (a colleague) created an Azure KeyVault client ex_azure_key_vault

Feel free to ping me via mail (chgeuer@microsoft)…

How did your setup look like?

Terraform with its state stored on s3 (could be azure’s alternative), distillery with docker to build releases (on CI) and upload them to s3 (could be azure’s alternative), epmdless distribution over azure’s vpn (might later move to partisan).

Did you use Azure Container Instances or Azure Virtual Machines?

Azure Virtual Machines (mostly the spot instances)

Did you deploy to a single node or multiple nodes?

Multiple. No issues.

Were you using some kind of containers and orchestration, e.g. Docker and Kubernetes?

No, but we used some bash scripts though which would download the releases from s3 and then enable and start the apps via systemd.

Does Azure play well with BEAM instrumentation and debugging tools?

Since it’s just a linux instance, it works as any other linux instance (which is ok).

Did you experience any significant difficulties?

It would be a bit too expensive for us if it wasn’t for the spot instances.

Jackpot!

I’m not knowledgeable enough about the inner workings of the BEAM and surrounding tooling to answer that question. Based on what I’ve read and heard in various Elixir podcasts, some hosting services and cloud services impose certain restrictions, but I don’t know all of the details.

Thank you for taking the time to respond and sharing your work! This is very useful.

Hello @chgeuer how would you do this today? especially with releases introduced. I would love to know how you deploy docker images to Azure Web Apps, connect to a Postgres database on Azure, run migrations and seed the database.

I am also interested in your experiences @chgeuer . Automating it using Terraform would also be interesting I think… do you take this route?

Hi @dumadi, once your Elixir app is in a Docker image, you can host it (like any other workload) in Azure App Services, Azure Kubernetes Services or Azure Container Apps. When connecting to PostgreSQL on Azure, you just have to ensure that your workload uses TLS to connect to the PostgreSQL database.

@hoetmaaiers, apologies, not clear what the Q is. Terraform is kind-of the outer part. From an Elixir perspective, I guess the Azure-specific Qs are how can an Elixir workload talk to platform-specific services. Whether you deploy an Elixir workload to Azure using Bicep, ARM, Terraform, Pulumi or something seems not the big concern to me?

any chance you have a working TLS configuration? Because mine worked for months and now I just can’t connect to the database without anything changing. Tried updating certs, all kinds of conf combinations… i just don’t get it. Here’s what it is now:

  config :viru, Viru.Repo,
    url: database_url,
    pool_size: String.to_integer(System.get_env("POOL_SIZE") || "10"),
    socket_options: maybe_ipv6,
    ssl: [
      verify: :verify_peer,
      cacertfile: "/app/certs/DigiCertGlobalRootCA.crt.pem",
      server_name_indication: ~c"my-db-app-name.postgres.database.azure.com",
      versions: [:"tlsv1.2"]
    ]

and I keep getting the error

2024-11-13T13:09:00.381980945Z 13:09:00.346 [notice] TLS :client: In state :certify at ssl_handshake.erl:2177 generated CLIENT ALERT: Fatal - Unknown CA
2024-11-13T13:09:00.382128545Z 
2024-11-13T13:09:00.420272963Z 13:09:00.419 [error] Postgrex.Protocol (#PID<0.151.0>) failed to connect: ** (DBConnection.ConnectionError) ssl connect: TLS client: In state certify at ssl_handshake.erl:2177 generated CLIENT ALERT: Fatal - Unknown CA
2024-11-13T13:09:00.420344963Z  - {:tls_alert, {:unknown_ca, ~c"TLS client: In state certify at ssl_handshake.erl:2177 generated CLIENT ALERT: Fatal - Unknown CA\n"}}
2024-11-13T13:09:00.420351963Z 13:09:00.419 [error] Postgrex.Protocol (#PID<0.150.0>) failed to connect: ** (DBConnection.ConnectionError) ssl connect: TLS client: In state certify at ssl_handshake.erl:2177 generated CLIENT ALERT: Fatal - Unknown CA

And here as well

I wrote a quick blog article about it here

thanks for the effort @chgeuer . but i don’t really understand why is “Entra application” suddenly required in the first place? it seems to me i just need the correct SSL options.

edit: I was finally able to figure it out thanks to this thread: How to connect an elixir application with Azure Database for PostgreSQL using SSL certificate? - #14 by KristerV

but i’m still curious what is this Entra application stuff, why is it needed? does it simplify anything?

Various Azure services allow you to authenticate using 2 different ways, some sort of password-based authN, and using Entra ID (formerly known as Azure Active Directory).

First a bit of history: When storage accounts were released back in 2008/2009, you only had storage account keys (2 secrets), that you supplied per request. Then shared access signatures came out (where you derive a value from the secrets). Then AAD/Entra authN was introduced. Same for SQL database (and MySQL and PostgreSQL), where in early versions you had to pick an admin username and password, and later supported Entra authentication.

Now storing passwords for services is kind-of a bad thing: You need a different password/credential for each service you want to call. If your app calls storage, SQL, service bus, event hub, Key Vault, you have to store (and protect) 5 credentials. And if one of these credentials is compromised, you must rotate it for all callers. It’s in general messy.

If you on the other hand have an Entra credential (which still can be a username/password combo like in the example with client_id/client_secret), you still must protect that one. But if it’s compromised, you only rotate a single credential of a single app, all server-side ACLs remain as they are.

What’s even more important, if your app workload runs in the cloud, you can use “managed identity”, where you tie an Entra identity to the VM or web app or Kubernetes pod you’re running on, and your workload doesn’t have to store any cred at all. When you need a token, you just issue a token request to 169.254.169.254, say you need a token for PostgreSQL, and off you go.

If you don’t want to do Entra authN, just skip all the Entra bits in the blog article and just do your username/password thing like before…

However, I strongly recommend to use Entra authN. For example, in the words of the storage team:

For optimal security, Microsoft recommends using Microsoft Entra ID with managed identities to authorize requests against blob, queue, and table data, whenever possible. Authorization with Microsoft Entra ID and managed identities provides superior security and ease of use over Shared Key authorization. src

Using Entra authentication at the first glance makes it more complex: You must create an Entra app (setup takes longer), and prior authenticating to the DB you need to request a token. However, once you figure out you must rotate creds, or one credential is compromized, our you want to audit which app did what, you certainly start to appreciate having not used the same PostgreSQL password for all your workloads.

Added a short section here:

Fantastic article that just came in handy, thanks for sharing!

Thank you for sharing this, @chgeuer.

I assume the access tokens have an “expires_at” timestamp or the like.
Even if that’s not the case, the “usual” way (f.i. as generated with mix phx.new) to configure the database connection is pretty static via config :my_app, MyApp.Repo,..., i.e. Postgrex.start_link is invoked “behind the scenes”.

Could you point me to any resources about how to implement this more dynamic configuration?

Hey @jan-mb-me you’re right, EntraID does the standard OAuth2 issuance process and you can see the expires_at attribute. However AFAIK the PostgreSQL wire protocol has no way to re-authenticate or refresh a credential on an already established connection. So if your JWT token expires, you would need to re-establish the TCP connection to PostgreSQL with a fresh token. You might be able to do something like this (haven’t tried myself yet)

defmodule MyApp.RepoConfig do
  def configure(opts) do
    token = MyApp.TokenManager.get_valid_token()
    
    # Inject the fresh token as the password
    opts
    |> Keyword.put(:password, token)
    # Ensure SSL is still configured
    |> Keyword.put(:ssl_opts, MyApp.AzureCerts.ssl_opts(opts[:hostname]))
  end
end

and configure your repo to use that function

# config/runtime.exs

config :my_app, MyApp.Repo,
  hostname: "my-db.postgres.database.azure.com",
  username: "my-app-identity",
  # The magic line:
  configure: &MyApp.RepoConfig.configure/1,
  # Standard settings
  pool_size: 10,
  ssl: true

This works like a charm:

PostgreSQL

Mix.install(
  [
    {:x509, "~> 0.9.2"},
    {:postgrex, "~> 0.22.0"},
    {:ecto_sql, "~> 3.12"},
    {:req, "~> 0.5.17"},
    {:envious, "~> 1.4"},
    {:kino, "~> 0.18.0"}
  ]
)

Section

defmodule MicrosoftCerts do
  defmodule CompileHelpers do
    defp http_get(url) do
      %Req.Response{status: 200, body: body} = Req.get!(url: url)
      body
    end
  
    def download_certs_for_pinning() do
      # https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-ssl-tls#download-root-ca-certificates-and-update-application-clients-in-certificate-pinning-scenarios
      """
      https://www.microsoft.com/pkiops/certs/microsoft%20azure%20rsa%20tls%20issuing%20ca%2004%20-%20xsign.crt
      https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
      https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
      https://dl.cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
      https://cacerts.digicert.com/DigiCertGlobalRootCA.crt
      """
      |> String.split(["\n"], trim: true)
      |> Enum.map(fn url ->
        {url, http_get(url)}
      end)
      |> Enum.map(fn {url, data} -> 
        cond do
          url |> String.ends_with?(".crt") -> 
            data 
          url |> String.ends_with?(".pem") -> 
            data
            |> X509.Certificate.from_pem!()
            |> X509.Certificate.to_der()
        end
      end)      
      |> Enum.uniq()
    end
  end

  @certs MicrosoftCerts.CompileHelpers.download_certs_for_pinning()

  def ssl_opts(hostname) do
    [
      protocol: :tls,
      protocol_version: :"tlsv1.3",
      verify: :verify_peer,
      cacerts: @certs,
      server_name_indication: String.to_charlist(hostname),
      depth: 3
    ]
  end
end

Path.join(System.get_env("HOME"), ".azure_creds.sh")
|> File.read!()
|> Envious.parse!(interpolate: true)
|> System.put_env()

defmodule MyApp.Repo do
  use Ecto.Repo,
    otp_app: :my_app,
    adapter: Ecto.Adapters.Postgres

  def configure_entra_token(tenant_id, client_id, client_secret) do
    fn opts ->
      {:ok, %Req.Response{status: 200, body: %{"token_type" => "Bearer", "access_token" => access_token}}} = 
        Req.request(
          method: :post,
          url: "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
          path_params_style: :curly,
          path_params: [
          	tenant_id: tenant_id
          ],
          form: [
            grant_type: "client_credentials",
            client_id: client_id,
            client_secret: client_secret,
            scope: "https://ossrdbms-aad.database.windows.net/.default"
          ]
        )
  
      opts
      |> Keyword.put(:password, access_token)
      |> Keyword.put(:ssl, MicrosoftCerts.ssl_opts(opts[:hostname]))
    end
  end
end

Application.put_env(:my_app, MyApp.Repo,
  hostname: System.get_env("POSTGRESQL_SERVER_DOMAIN"),
  username: System.get_env("POSTGRESQL_ADMIN_ENTRA_APP_NAME"),
  database: "postgres",
  configure: MyApp.Repo.configure_entra_token(
    System.get_env("POSTGRESQL_ADMIN_ENTRA_TENANT_ID"), 
    System.get_env("POSTGRESQL_ADMIN_ENTRA_CLIENT_ID"),
    System.get_env("POSTGRESQL_ADMIN_ENTRA_CLIENT_SECRET")),
  pool_size: 10,
  ssl: true
)

{:ok, repo_pid} = MyApp.Repo.start_link()

defmodule MyApp.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :username, :string
    field :email, :string
    field :password_hash, :string

    timestamps(type: :naive_datetime)
  end

  def changeset(user, attrs) do
    user
    |> cast(attrs, [:username, :email, :password_hash])
    |> validate_required([:username, :email, :password_hash])
    |> unique_constraint(:username)
    |> unique_constraint(:email)
  end
end

defmodule MyApp.Migrations.CreateUsers do
  use Ecto.Migration

  def up do
    create_if_not_exists table(:users) do
      add :username, :string, size: 50, null: false
      add :email, :string, size: 255, null: false
      add :password_hash, :string, size: 255, null: false

      timestamps(type: :naive_datetime, default: fragment("CURRENT_TIMESTAMP"))
    end

    create_if_not_exists unique_index(:users, [:username])
    create_if_not_exists unique_index(:users, [:email])
  end

  def down do
    drop_if_exists table(:users)
  end
end

# Run the migration
Ecto.Migrator.up(MyApp.Repo, 1, MyApp.Migrations.CreateUsers)

# To rollback:
# Ecto.Migrator.down(MyApp.Repo, 1, MyApp.Migrations.CreateUsers)

import Ecto.Query

# Insert a user
{:ok, user} = 
  %MyApp.User{}
  |> MyApp.User.changeset(%{
    username: "testuser",
    email: "test@example.com",
    password_hash: "hashed_password_here"
  })
  |> MyApp.Repo.insert()

# Query all users
MyApp.Repo.all(MyApp.User)

# Query with conditions
MyApp.Repo.all(from u in MyApp.User, where: u.username == "testuser")

# Get by id
MyApp.Repo.get(MyApp.User, 1)

# Delete all test users
MyApp.Repo.delete_all(MyApp.User)

Postgrex

create_table_query = 
  """
  CREATE TABLE IF NOT EXISTS users (
    id SERIAL PRIMARY KEY,
    username VARCHAR(50) NOT NULL UNIQUE,
    email VARCHAR(255) NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL,
    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
  );
  """

drop_table_query =
  """
  DROP TABLE users
  """

db_host = System.get_env("POSTGRESQL_SERVER_DOMAIN")

Kino.nothing()

{:ok, %Req.Response{status: 200, body: %{"token_type" => "Bearer", "access_token" => access_token}}} = 
  Req.request(
    method: :post,
    url: "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
    path_params_style: :curly,
    path_params: [
    	tenant_id: System.get_env("POSTGRESQL_ADMIN_ENTRA_TENANT_ID")
    ],
    form: [
      grant_type: "client_credentials",
      client_id: System.get_env("POSTGRESQL_ADMIN_ENTRA_CLIENT_ID"),
      client_secret: System.get_env("POSTGRESQL_ADMIN_ENTRA_CLIENT_SECRET"),
      scope: "https://ossrdbms-aad.database.windows.net/.default"
    ]
  )

{:ok, entra_conn} = Postgrex.start_link(
  hostname: db_host,
  port: 5432, 
  database: "postgres",
  ssl: MicrosoftCerts.ssl_opts(db_host),  
  # The username here is the friendly name of our app...
  username: System.get_env("POSTGRESQL_ADMIN_ENTRA_APP_NAME"),
  password: access_token
)

Postgrex.query!(entra_conn, create_table_query, [])

Postgrex.query!(entra_conn, drop_table_query, [])

{:ok, password_conn} = Postgrex.start_link(
  hostname: db_host,
  port: 5432, 
  database: "postgres",
  ssl: MicrosoftCerts.ssl_opts(db_host),  
  username: System.get_env("POSTGRESQL_ADMIN_NAME"), 
  password: System.get_env("POSTGRESQL_ADMIN_PASSWORD")
)

Postgrex.query!(password_conn, create_table_query, [])

Postgrex.query!(password_conn, drop_table_query, [])