r/AZURE

Stop copy-pasting Terraform modules, I built a tested registry for AWS, GCP, and Azure with Terratest and CI
▲ 0 r/AZURE+3 crossposts


Disclaimer: I built this project and am sharing it as a free open-source tool.

Every project I join has the same problem: someone copied and pasted a VPC module from a blog post in 2019, nobody tested it properly, and now it's load-bearing infrastructure.

This registry has 9 modules across AWS, GCP and Azure: VPC/VNet, Kubernetes (EKS/GKE/AKS), and IAM/Workload Identity for each cloud.

Every module has:

- A Terratest that provisions real infrastructure and tears it down (no mocks)

- GitHub Actions CI (fmt, validate, tflint, Checkov)

- Secure defaults with every option exposed as a variable

- Working examples you can run in under 5 minutes

**Module list:**

- modules/aws/vpc: VPC, public/private subnets, NAT gateway, route tables

- modules/aws/eks: EKS cluster, managed node groups, OIDC, IRSA

- modules/aws/iam: roles, policies, IRSA binding

- modules/gcp/vpc: VPC, Cloud NAT, Private Google Access, firewall rules

- modules/gcp/gke: GKE cluster, node pools, Workload Identity

- modules/gcp/iam: service accounts, IAM bindings, WI federation

- modules/azure/vnet: VNet, subnets, NSGs, route tables

- modules/azure/aks: AKS, managed identity, OIDC, Workload Identity

- modules/azure/iam: managed identities, federated credentials, role assignments

**Quick start:**

```bash
git clone https://github.com/Cloud-Architect-Emma/terraform-module-registry
cd terraform-module-registry/examples/aws
terraform init && terraform plan
```

**Or reference directly in your code:**

```hcl
module "vpc" {
  source = "github.com/Cloud-Architect-Emma/terraform-module-registry//modules/aws/vpc?ref=main"

  name = "production"
  cidr = "10.0.0.0/16"
  azs  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]

  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
}
```

⭐ If this saves you time, a star on the repo helps others find it: https://github.com/Cloud-Architect-Emma/terraform-module-registry

PRs welcome, what module would you add first?

u/EmmaOpu — 12 hours ago
▲ 12 r/AZURE

running out of space on my 48MB free sql server db. any chance i could keep my hobby proj forever free, or scale up for less than $5/month (basic tier)

there's a small project i made during my programming classes, and i've been using it for the last ~8y running on the free webapp/db tier.

but last year i've opened it up for other people to use, and now the db is slowly running out of storage... the web app is very niche and up to 5 users might visit it per day (total of ~200 users in db).

any ideas what i could do to keep the db forever free, or find a cheaper alternative? just 100MB would keep it running for years. i've seen the pricing on aws, which is even worse than Azure Basic tier (12m free, $20/month later for the cheapest tier).

i'd appreciate any advice, thanks

upd:

thanks to u/NastyEbilPiwate i freed up 10mb. turns out my tables were only 1.77mb in size, everything else was consumed by azure metadata, and the query store - which was the largest one that i cleared up and turned off. so i'll stick with my 48mb plan for now.

if it hadn't worked, i would've tried u/irisos' suggestion and created a new db under another free tier that allows you to have 100,000 vcore/s per month. with autopause it would've been a lifetime free working solution: https://learn.microsoft.com/en-us/azure/azure-sql/database/free-offer?view=azuresql

u/aenen4 — 15 hours ago
▲ 0 r/AZURE

How feasible is this idea for an entry level project in Azure/Terraform for my portfolio?

I'm trying to transition into Cloud Operations from IT Support, and I've been learning Azure and Terraform for a few months now. I keep hearing how it's best to include your own projects in your CV to increase your chances of finding a job, but tbh I've never been good at coming up on my own with feasible ideas for these things that wouldn't amount to simply rehashing some guided projects/labs you can find online on Udemy and similar sites.

I've tried extending some concepts I've learned about in my Azure training, and so this is what I've come up with:

  • Deploy a storage account with a blob container, and then show 2 ways you can restrict access to it.
  • The first way is to disable public network access, and create a private endpoint connecting the storage account to a virtual network. I would then deploy a virtual machine on that network (with a key vault to store the login password to the VM in), remote to it through Bastion, and access the blob container from there.
  • The second way is to use RBAC. I would disable key access and default to Entra ID authentication, then create a group with a "Storage Account Contributor" role assigned to it in that storage account's scope, and assign users to that group.
  • Finally, I would convert this into IaC in Terraform to automate deployment, with an added option of using another storage account for storing remote state files through Azure backend. The Terraform code would be stored on GitHub.

I've already written and tested most of the code, but I can't shake the feeling that this whole idea is somewhat... crude. Would it really make sense to put something like this in my portfolio?

u/Xaneth_ — 13 hours ago
▲ 6 r/AZURE

Azure north europe compute quota s****show

Hi, is anyone else having issues deploying new compute resources in NE? Opened several tickets for quota increase (from zero) and getting the backlog response.
For now it’s affecting managed instance and logic apps.
Waiting to hit the wall with general compute🙈

u/EffectiveWindow3347 — 16 hours ago
▲ 2 r/AZURE

Router on a Stick

I'm setting up training labs and have this setup.

Attacker connects through WAN (10.0.2.4) on pfsense. Also have OPT1/DMZ at 10.0.4.4 with a webserver at 10.0.4.213. Now the tricky part.

LAN interface is 10.0.6.4.

I have two subnets 10.0.3.0 and 10.0.5.0 pointing to the 10.0.6.4. Goal is to build it out into more subnets like HR, Finance, Business, etc. I have UDRs set for each network and can reach each host just fine.

Problem: when I have a UDR set for 0.0.0.0/0 pointing to 10.0.6.4, I can't access the internet and pfsense does not see the traffic. Network watcher confirmed 10.0.6.4 is the next hop.

My goal is to build a network traffic analysis lab only focused on zeek and security onion. That works fine in 10.0.3.5, managed to setup port mirroring via open VPN on pfsense.

I want live web access to make noise, but hitting a wall. I may just give up and use inetsim to respond to the web/dns requests and stop fighting the routing/no internet. Internet works when the 0.0.0.0 rule is removed.

Any ideas what could be causing this? Or any ideas on a better way to do this? I'm slowly building out a network with VHDs I've configured and deploying via ARM templates.

Thank you in advance.

u/flyingincybertubes — 20 hours ago
▲ 0 r/AZURE

Azure deleted our critical Azure Batch infrastructure without consent

Our production Azure Batch pools, jobs, tasks and config are missing and were deleted by Azure. Our account was temporarily disabled for two hours due to a lapse in payment which was quickly updated to reactivate the account. In the email notice of disablement it said data would be deleted on 8/27/2026, over 3 months away, if payment wasn't made. It was made in two hours, but our Azure Batch infrastructure was deleted. Azure external support staff from India said to recreate the pool and jobs and they didn't know how to recover the batch data. We do backup task runtime logs and have scripts to recreate batch infrastructure, but want to recover the existing batch infrastructure, config, and task history.

Who can we escalate this to in order to get real effort into batch data and infrastructure recovery? Why would they delete our Azure Batch resources when it said no data would be deleted? I want to talk to the internal Azure Batch engineering team who builds and develops Batch, to an internal Azure backend data recovery specialist, or anyone else who has the required access level and expertise needed to help with this since azure standard support staff were not able to. How can we get our data back? Are there internal data recovery specialists?

It is not acceptable to delete customer infrastructure without warning of deletion and extremely prematurely within a 2 hour period when the given notice said any possible deletion would occur after about 100 days. Is this expected behavior for batch resources to be completely deleted when an azure account gets temporarily disabled? Azure should honor the disabled state and preserve batch resources, configurations, and history.

u/DeskFan9 — 1 day ago
▲ 4 r/AZURE

CVE-2026-45585 (YellowKey) — BitLocker bypass zero-day with public PoC. How are you handling TPM+PIN rollout at scale?

So CVE-2026-45585 dropped publicly on May 19 and I've been going through the technical details. The short version: an attacker with physical access can inject autofstx.exe into the BootExecute value inside the WinRE image. That binary runs pre-OS, completely before your EDR stack initialises, and it bypasses BitLocker's pre-boot authentication entirely.

Affected: Windows 11, Server 2022, Server 2025.
No patch yet — just Microsoft's 6-step manual WinRE mitigation (mount → load hive → remove autofstx.exe → unload → unmount/commit → reagentc disable/enable cycle) and the recommendation to move from TPM-only to TPM+PIN.

A few things I'm genuinely curious about from a practical ops standpoint:

  1. For those managing large Windows fleets — what's your current rollout strategy for TPM+PIN enforcement at scale? Intune, GPO, something else? Any gotchas with user PIN resets in a helpdesk-heavy environment?
  2. The WinRE mitigation has to be applied per-machine. Is anyone scripting this and if so how are you handling the fact that reagentc operations occasionally fail silently on certain hardware configs?
  3. Physical access attacks are often dismissed as "out of scope" in threat models. Does something like YellowKey — with a public PoC — change how your organisation frames physical device loss in risk assessments?

The public PoC on GitHub is the part that concerns me most. This isn't theoretical anymore — the barrier to exploitation just dropped significantly.

I previously covered the Microsoft MDASH story (AI finding 16 Windows zero-days) here if you want background on the broader Windows security picture: https://www.techgines.com/post/microsoft-mdash-agentic-ai-security-windows-vulnerabilities

Full technical breakdown at TechGines: https://www.techgines.com/post/cve-2026-45585-bitlocker-bypass-yellowkey-zero-day

u/Expert_Sort7434 — 23 hours ago
▲ 0 r/AZURE

Microsoft Now Makes a Linux Distro Based on Fedora

Azure Linux 4 may not be Microsoft's first Linux distribution... but it is their first general purpose one.

https://www.youtube.com/watch?v=SLuo20q7q1s

Did anyone manage to install it on their PC? How does it run? Is it good? Does it integrate well with NVIDIA drivers?

u/garageFou — 1 day ago
▲ 5 r/AZURE

How do you preemptively create a budget on a brand new resource group?

I'm looking for a pattern for app deployments I can reuse where the resource group holding the app's resources is constrained to a budget, but it looks like brand new resource groups cannot be tied to a budget through the portal UI.

Anyone have an approach for this pattern? Thanks.

u/SkiBikeDad — 1 day ago
▲ 0 r/AZURE

Chill guys, I'm new to this, just curious, not a sales pitch

For people working with cloud infra daily:

What’s the most mentally draining part of managing cloud systems?

Not the hardest technically.

The part that repeatedly burns attention and energy.

I’m noticing a lot of engineers spend more time managing complexity than actually building. Just curious.

u/OfficeOk8949 — 2 days ago
▲ 2 r/AZURE

Anyone else getting ZonalAllocationFailed when starting Azure VMs?

Start-AzVM fails with:

"Allocation failed. We do not have sufficient capacity for the requested VM size in this zone."

Region/Zone: North Europe / 1

VM size: Standard_D4as_v6

Did retrying work for you, or was resize / move zone the only fix?

u/ByteCode2408 — 1 day ago
▲ 12 r/AZURE+1 crossposts

File upload/download API behind private blob storage. Stream through or hand out SAS URLs?

Hi, really more of an API design question than an azure-specific one.

I'm building a mixed B2B/B2C file API. Customers/partners upload/download up to 500MB files. Storage account is locked down (currently) with no public access (publicNetworkAccess: Disabled) but I'm considering changing this.

Downloads: Two options:

  1. GET /files/:id/content streams bytes through the API (App Service, private endpoint to blob).

  2. MS Graph style: 302 w/ presigned URL, client downloads straight from blob. No streaming through app but storage needs public access.

Uploads:

Currently doing chunked upload sessions modeled on MS Graph createUploadSession. Client POSTs to create a session, gets back an upload URL with a 24h HMAC token, PUTs chunks. Server calls stageBlock. Token is the only auth on the PUT.

Chose this because:

  • 230s App Service request cap rules out single PUT
  • Chunked PUT direct to blob w/ SAS (like downloads option 2) means public storage
    • I'm still wondering if straight-to-SAS-URL is the right move instead of my chunked sessions
    • It makes it a little weird to use because you also have to tell the client what headers they need to include
    • User can upload ANY size to that endpoint (and we can only check when they commit)
    • User can set their own storage tier etc. with the headers it seems?

Has anyone done this tradeoff? I see a lot of "just hand out the blob storage SAS URLs" for both but there seems to be some significant downsides for using them for either download or upload. Just looking for advice or examples.

edit: Thanks for all the feedback. Since security and control is much more important to me than a bit more load on my server, I think I'm going to settle on this set up:

  • publicNetworkAccess: Disabled / vnet-only access to the blob storage
  • app-level Bearer/cookie auth on all file endpoints (no presigned urls anywhere)
  • upload is ms graph-style with PUT /files/upload-sessions + PUT /files/upload-sessions/:id (loop) with auto-commit on the last byte uploaded
  • download is direct from a /files/:id/content with a Range: header supported to allow downloading huge files/resumable downloads despite the 230s request timeout.
u/nicemike40 — 2 days ago
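The upload-session design discussed above (a 24h HMAC token as the only auth on the chunk PUT, size only checkable at commit, the 230s request cap on downloads), as an added example that is not the poster's code: the token is bound to one session, the authenticated user and a byte cap so every staged chunk can be checked against that cap, and a Range parser clamps each download response to a bounded span so resumable downloads stay inside the request timeout. The function names, the signing key and the constants are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example; in practice load it from Key Vault or app settings.
SERVER_KEY = b"constructed-example-key-rotate-me"
TOKEN_TTL_SECONDS = 24 * 3600         # the 24h token lifetime from the post
MAX_UPLOAD_BYTES = 500 * 1024 * 1024  # the 500MB ceiling from the post


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(session_id: str, user_id: str, max_bytes: int = MAX_UPLOAD_BYTES,
                now: Optional[float] = None) -> str:
    """Issue the upload-session token returned by the create-session call.
    The claims bind it to one session, the authenticated user and a byte cap,
    so it cannot be replayed against another session or used for an unbounded upload."""
    payload = {"sid": session_id, "uid": user_id, "max": max_bytes,
               "exp": int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, session_id: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Check the chunk PUT's token: signature first, then expiry and session binding.
    Returns the claims on success and None on any failure."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return None
    current = now if now is not None else time.time()
    if claims.get("exp", 0) < current or claims.get("sid") != session_id:
        return None
    return claims


def accept_chunk(claims: dict, uploaded_so_far: int, chunk_len: int) -> bool:
    """Enforce the cap per chunk as blocks are staged, not only at commit."""
    return chunk_len > 0 and uploaded_so_far + chunk_len <= claims["max"]


def parse_range(header: Optional[str], total: int, max_span: int) -> tuple:
    """Parse 'bytes=start-end' for GET /files/:id/content and clamp the span
    so every response finishes well inside the 230s App Service limit; the
    client resumes from end+1 on the next request. Raises ValueError when the
    request should get 416 Range Not Satisfiable."""
    if not header or not header.startswith("bytes="):
        return 0, min(total, max_span) - 1
    start_s, _, end_s = header[len("bytes="):].partition("-")
    if start_s == "":                 # suffix form: bytes=-N means the last N bytes
        start = max(0, total - int(end_s))
        end = total - 1
    else:
        start = int(start_s)
        end = int(end_s) if end_s else total - 1
    if start >= total or start > end:
        raise ValueError("416 Range Not Satisfiable")
    end = min(end, total - 1, start + max_span - 1)
    return start, end
```

The handler that serves the range should answer 206 with a Content-Range header for the clamped span, and the upload handler should persist `uploaded_so_far` per session so the cap check survives across requests.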
▲ 66 r/AZURE+3 crossposts

Built a free OneDrive/SharePoint drive-letter sync client with thumbnails, real cloud quota in Explorer, local-first, and no telemetry

Disclosure first because the mods will catch it: I wrote this, MIT licence, link at the bottom, no upsell.

School IT background, but the use case generalises to any small-to-mid-size M365 estate (schools, small businesses, charities, roughly 20-500 users) wanting proper drive-letter mapping for OneDrive and SharePoint where the OneDrive sync client isn't the right shape. Wanted a drive-letter sync setup with a few specific things: image thumbnails that actually render in Explorer for cloud-mounted files (most existing tools don't), accurate cloud-quota numbers in the drive-properties dialog (refreshed from Graph), a local-first design where files always exist as real NTFS first and sync to the cloud in the background (rather than presenting the cloud as a virtual filesystem), one config.json that deploys to the whole estate, and zero telemetry. Didn't find one off the shelf with all of those, and was also curious whether I could build it myself. Side project that turned into a real thing.

It's called OneSync. .NET 8, Dokan for the FS bridge, MSAL + Graph SDK for auth and sync. Self-contained exe, Intune-deployable.

Highlights:

- True drive letters via Dokan (not subst, not "OneDrive sidebar entry under TenantName - LibraryName")
- One config.json deploys to the whole estate. OneSync probes Graph at startup and silently skips drives the signed-in user can't access, so different roles (staff/students, sales/finance/ops, whatever your split is) share one config
- Accurate cloud quota shown in Explorer drive properties (refreshed from Graph)
- Image thumbnails (JPG/PNG/HEIC) render like a local disk
- LRU eviction below a free-space threshold so shared/hot-desk laptops don't fill up over time
- Office desktop AutoSave + co-auth on docx/xlsx/pptx (via file-association redirect to ms-word:ofe with the direct SharePoint URL, slightly cursed but works)
- Zero telemetry. No analytics, no licence-server pings, no anonymous usage stats. Only outbound calls are to graph.microsoft.com and login.microsoftonline.com.

One war story while I'm here: Dokan's FindFiles callback enters synchronously from the kernel, so anything that blocks in there hangs Explorer. The first version called Graph synchronously to enumerate folders via .GetAwaiter().GetResult() (I know, I know). Worked fine until Graph went into 429 cooldown, at which point opening a folder hung Explorer for ten minutes while the cooldown lifted. I learned a lot in those ten minutes about how Explorer's UI thread feels under those conditions. Current behaviour: if Graph is in cooldown, folder browse returns immediately with on-disk placeholders and file hydration kicks off via Task.Run. Obvious in hindsight.

Repo: https://github.com/madeyouclickstudio/OneSync (DEPLOYMENT.md covers silent install switches and Intune detection rules)

Honest caveat: I'm running it with a handful of pilot users, not a full estate. The fleet-scale stuff is engineered for it but not battle-tested. Anyone deploying this to thousands of users is a pioneer at their own risk. Bug reports very welcome.

Yes I know about the OneDrive sync client. We tried it. The reasons it didn't fit (no real drive letters, every library is its own sidebar entry, no way to cap disk usage on shared laptops, no central deployment for which libraries each user sees) are exactly the reasons this exists. If those don't bother your fleet, OneDrive sync client is fine and you should ignore me.

Tell me what's wrong with it.

u/_temple_ — 2 days ago
▲ 8 r/AZURE+1 crossposts

Web Push userVisibleOnly bypass enabled silent persistent C2 on Chrome, Edge, and pre-26.5 Safari

Disclosure write-up on a Web Push spec violation across 7 browsers and 4 push backends. The userVisibleOnly: true requirement was not enforced at the Service Worker layer - a showNotification() followed by an immediate close() (or zero-byte body, or tag collision) passed the visibility check while displaying nothing to the user. Result: an attacker with notification permission could wake the Service Worker on a server-controlled schedule via FCM/WNS/APNs without any UI indicator, turning Web Push into a covert C2 channel.
Submitted to Apple, Microsoft, Google, and Mozilla in February 2026.
• Apple: shipped a fix in Safari 26.5 on May 11, mention only, no CVE, no bounty.
• Microsoft: closed twice, declined CVE, tied Edge’s fix to the upstream Chromium patch.
• Google: classified the underlying bug (485535962) as Sev-Low. Patch (CL 7767797) is green at patchset 11, CQ+1, awaiting merge. Embargo lifts May 20.
• Mozilla: not affected by the showNotification/close race in the same form.
Total payout across 4 vendors: $0.
Full write-up, PoC video, vendor timelines, and Chrome security team’s reasoning:
https://bountyy.fi/blog/sleeping-agent-web-push

u/More-Protection-821 — 2 days ago
▲ 20 r/AZURE+2 crossposts

Beginner Projects/Things I can do on Azure?

Hello everyone! IT/Tech noob here working to dip his toes into the industry. I have been working on a project the past couple months that allows me access to Microsoft Enterprise Applications/Platforms such as Azure, Intune, Entra, etc. Currently done with said project but still have a few more months of access. Are there any beginner projects/exercises/things I can do on Azure or any of the applications or on the VM I have on Azure to help increase my knowledge from a practical perspective? Thank you for your time.

u/rizkhalifa34 — 3 days ago
▲ 0 r/AZURE

Should I just work in prod?

EDIT: I don't actually mean I'll work in prod, you don't need to ward me off of it. I'm just looking for different ways to develop so I don't duplicate efforts and raise costs. Probably not the best title to give it, but I was in a rush

Hello,

I'm developing a Data Warehouse project using Azure (Azure Data Factory, Azure SQL Server, VNets, VMs, Bastion, etc. etc.). I'm handling PHI in the Data warehouse, which is why there's so much infrastructure.

I basically plan to install a SHIR for the source (it's an on-premises server), link it to ADF, set up a VNet and use private endpoints for the connection from ADF to the actual data warehouse (Azure SQL Database). Since the database is closed from public connections, and I can't just 'whitelist my IP', I wanted to set up a Virtual Machine on the same VNet, get into it via Bastion, and do the necessary developing/querying there.

I also want to do this all in Bicep, using one version-controlled project so that I can use CI/CD and also not lose my head looking for files since I'm working solo.

The plan is good and all, but because we're cost conscious, I'm using my Azure free account to develop a smaller version to test and break before working on the official pay-as-you-go company account. I'm using different data and my own laptop.
However, the Azure free restrictions are so intense that I had to wire up extra modules and infrastructure just to get things working. I needed to set up another VNet in a different region because that's the only place SQL server and SQL database were available, I had to set up peering, and ultimately scrapped working with the VM and Bastion at all in dev because there were no available VM SKUs. On top of that, since I want to develop with DACPACs and a sqlproj in my version controlled project, I have to use a mock database. ATP, my project doesn't even look like the structure of what I want prod to be anymore.

I feel like I'm literally chipping away at a different problem and not working on my actual project assigned to me. I don't even know how my dev and prod branches will look in practice with so intensely discordant environments. But I need to prioritize security, costs, and keeping things neat and organized for myself. I need a second opinion on this because it doesn't feel right.

u/HolidayWay6743 — 2 days ago
▲ 0 r/AZURE

I need ur help guys

What things in cloud services make you guys just be like "do I really need this?!" I'm asking for educational purposes.

u/OfficeOk8949 — 2 days ago
▲ 0 r/AZURE

How we started testing our environment against CAF and WAF best practice

We always had this issue of not knowing if our environment was reflecting "what good looks like". We come from the on-prem world, so we did have general knowledge of security practices, but we did lack proper architectural knowledge when it came to Azure.

Besides that, we also have different teams spinning up new resources in their environments, and it was hard for us to keep track of potential misconfigurations.

We started using a tool called Anubion and it just helped with the insight and advice we needed to start setting up our environment towards best practice.

We were in the beta, so I assume the tool is relatively new, and I just wanted to highlight something that helped our case.

u/YuneroWow — 2 days ago
▲ 3 r/AZURE

Checking if 2 storage account containers have the same size/content?

Long story short: I downloaded the contents (i.e. files) of container "images" from Azure Account 1 and then uploaded all of it to container "gasolina" from Azure Account 2. Unfortunately, my internet connection is slow and spotty, and I want to make sure everything was uploaded correctly.

Using the Azure portal, can I check to see if these two containers have the same size? I would prefer this than using any command-line tools or Azure Storage Explorer (which currently isn't working for this new account).


u/East_Sentence_4245 — 2 days ago