John Savills Frequently Asked Questions on IT Pro: Windows

FAQs: Security of Shared Access Signatures and Understanding the B -Series

Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions. Read through the FAQ archives, or send him your questions via email.

Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.

Read through the FAQ archives, or send him your questions via email.

In this group of FAQs we examine the security of Shared Access Signatures and understand the B-series.


Q. If I use a Shared Access Signature with Azure is the token sent in clear text since its part of the URL?
Dept - Azure

A. When using a Shared Access Signature a special token is used which is added to the end of the URL and that enables the specified level of access. This may make you believe that it is sent in cleartext over the Internet since its the URL and could therefore be sniffed and someone could use it. This is actually not the case if you look at how HTTPS actually works. HTTPS is basically HTTP over a TLS connection. TLS sits on top of TCP and before HTTP. The order of connection is

  1. TCP connection established (Transport)
  2. TLS connection established (Session)
  3. HTTP requests are sent over this connection which includes the URL with the SAS token (Application)

This means the SAS token is never sent unencrypted. Anyone sniffing the network would not see the token. The only information that could be gained would be the host being spoken to and the port (as this is required for the transport layer and is not yet encrypted).

Not even with this in mind its still good practice with SAS tokens to

  • Restrict them to specific IP sources
  • Limit their lifetime

Note storage access policies give better control over the lifetime of the SAS tokens.

This lack of URL being sent cleartext over HTTPS is not Azure specific and a core aspect of HTTPS.

Q. Why is the Azure B-series so cheap?
Dept - Azure

A. The B-series is a new type of Azure VM SKU. Ordinarily the vCPUs that you purchase are for the entire vCPU based on the Azure Compute Unit (ACU) of the VM series. You can run at 1% or 100% and it costs you the same since you are always paying for the full vCPU. The B series takes a different approach and instead is burstable. The idea works in a manner similar to a cell phone plan where you get so many minutes a week. Each week you get 100 minutes of talk time. If you use all 100 minutes that's fine, if you use less you can carry over the unused minutes so in a future week you could talk way more than 100 minutes, maybe 1000 minutes if you had accrued 900 minutes of carry over. You are bursting the amount of talk time.

The B-Series works in a similar way. Instead of having the entire vCPU it is based on an average amount of a vCPU consumed as outlined at For example the Standard_B1s (note the size is inbetween the series and s variant to avoid having a BS VM type :-) ) has a single vCPU with a base performance of 10% of the core. This means its expected run rate is to use 10% of the CPU. If it does use 10% it is net neutral however if it uses less than 10% it starts accruing banked credits. If it only ran at 5% CPU it would bank .05 per minute (100% would be 1 credit a minute). This means over time the VM will accrue banked credits which it can then use if needed, it could burst to 100% CPU if it had enough credit for a period of time. The full details of the B-series can be found at Note that like your cell phone plan, there is a maximum number of credits that can be banked/rolled over.

This is a very useful type of VM when you consider many workloads run a very low CPU most of the time but need to burst as required. With the B series this is now possible and will enable companies to optimize their Azure VM spend.

Q. How can I track on my B-series usage?
Dept - Azure

A. A B-series VM has a number of additional monitor values that show the consumption of the vCPU credit and the amount accrued for future bursting. Open up the Metrics and notice there are two key entries

  • CPU Credits Consumed (what you are using)
  • CPU Credits Remaining (what you are accruing)
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.