Blog Entries posted by kavag

  1. kavag
    Intro
    In this blog post I will describe a way to implement an architecture that includes a private Azure Kubernetes Service (AKS) Cluster by using Bicep, a declarative language for describing and deploying Azure resources.
    According to the project’s page on GitHub, Bicep is a Domain Specific Language (DSL) for deploying Azure resources declaratively, and it aims to drastically simplify the authoring experience with a cleaner syntax, improved type safety, and better support for modularity and code re-use.
    In a fully private AKS cluster, the control plane (API server) has an internal IP address and communicates with the node pools over the private network, using the Azure Private Link service. Furthermore, the worker nodes do not need a public IP assigned to a standard load balancer for egress traffic, because the egress path can be redirected through a Network Virtual Appliance or Azure Firewall.
    In a nutshell, a fully private AKS cluster does not expose or use any public IP.
    References
    The initial idea to create a Bicep script that deploys an architecture like the one in the architectural diagram section was taken from the following articles:
    - Baseline architecture for an Azure Kubernetes Service (AKS) cluster
    - Fully private AKS clusters — without any public ips — finally!
    - Create a “Fully private” AKS infrastructure with Terraform
    Architectural Diagram
    Bicep script
    The sources can be found at the following GitHub repository:
    https://github.com/vakappas/private-aks-bicep
    The main Bicep script, which deploys the architecture shown in the diagram, follows the modular approach and has ‘subscription’ as its target scope.
    // set the target scope to subscription
    targetScope = 'subscription'

    // Create the hub vnet with all its components
    module hubvnet './modules/hub-default.bicep' = {
      name: 'hub-vnet'
      scope: resourceGroup(hubrg.name)
      params: {
        location: location
        hubVnetName: hubvnetName
        hubFwName: 'hub-fw'
        tags: tags
      }
    }
    There is a folder called ‘modules’ that contains the smaller parts of the whole implementation, such as:
    - The hub virtual network with all its components, like the Azure Firewall and Azure Bastion
    - The Virtual Network for the AKS cluster
    - The Virtual Network for the Development Virtual Machines (agents)
    - The VNET peering and route tables
    - The private AKS cluster
    - The AKS private DNS zone links to the hub and dev Virtual Networks
    - The dev VM, which is an Ubuntu VM with the Docker extension
    Running the script
    First you have to install the Bicep executable by following this guide:
    Setup your Bicep development environment
    Then, you will need to install either the Az CLI (2.20.0+) or the PowerShell Az module (v5.6.0+), both of which have Bicep support built in.
    After that, you will need to run the following commands in an Azure CLI or PowerShell console:
    # Login to your Azure account
    az login
    # Clone the repository
    git clone https://github.com/vakappas/private-aks-bicep.git
    cd private-aks-bicep
    # Start the deployment
    az deployment sub create -f ./private-aks.bicep -l northeurope
    As you can see, you can use the standard deployment commands with your *.bicep files and the tooling will transpile the code and send it to ARM on your behalf.
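    The post’s “no public IP” invariants (private API server, user-defined egress routing through the firewall, no public IPs on the node pools or elsewhere in the template) can be checked offline against the ARM JSON that `az bicep build` produces. The checker below is an added example, not code from the private-aks-bicep repository; the two template dicts are constructed samples with hypothetical names, and the route-table and public-IP checks are my assumptions about what a fully private deployment should contain.

```python
import json

# Constructed samples in the shape `az bicep build` emits for the cluster and
# route-table resources (hypothetical names; not the repository's own template).
PRIVATE_TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.ContainerService/managedClusters",
            "name": "aks-private",
            "properties": {
                "apiServerAccessProfile": {"enablePrivateCluster": True},
                "networkProfile": {"networkPlugin": "azure",
                                   "outboundType": "userDefinedRouting"},
                "agentPoolProfiles": [{"name": "system", "mode": "System",
                                       "enableNodePublicIP": False}],
            },
        },
        {
            "type": "Microsoft.Network/routeTables",
            "name": "aks-rt",
            "properties": {"routes": [{
                "name": "default",
                "properties": {"addressPrefix": "0.0.0.0/0",
                               "nextHopType": "VirtualAppliance",
                               "nextHopIpAddress": "10.0.1.4"},  # firewall private IP
            }]},
        },
    ]
}
PRIVATE_TEMPLATE_JSON = json.dumps(PRIVATE_TEMPLATE)

# The same cluster with the defaults a public cluster gets: public API server,
# load-balancer egress (which allocates a public IP) and node pools with public IPs.
PUBLIC_TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.ContainerService/managedClusters",
            "name": "aks-public",
            "properties": {
                "apiServerAccessProfile": {"enablePrivateCluster": False},
                "networkProfile": {"networkPlugin": "azure", "outboundType": "loadBalancer"},
                "agentPoolProfiles": [{"name": "system", "enableNodePublicIP": True}],
            },
        },
        {"type": "Microsoft.Network/publicIPAddresses", "name": "egress-pip", "properties": {}},
    ]
}


def _resources(template, rtype):
    """All resources of one ARM type (type names compare case-insensitively)."""
    return [r for r in template.get("resources", [])
            if r.get("type", "").lower() == rtype.lower()]


def check_private_aks(template):
    """Return findings for anything that breaks the 'no public IP' invariant.

    Accepts a dict or the JSON text written by `az bicep build`. An empty list
    means every cluster is private and egresses through user-defined routes."""
    if isinstance(template, str):
        template = json.loads(template)
    findings = []
    clusters = _resources(template, "Microsoft.ContainerService/managedClusters")
    if not clusters:
        return ["no Microsoft.ContainerService/managedClusters resource in template"]
    needs_udr = False
    for cluster in clusters:
        name = cluster.get("name", "?")
        props = cluster.get("properties", {})
        if not props.get("apiServerAccessProfile", {}).get("enablePrivateCluster"):
            findings.append(f"{name}: enablePrivateCluster is not true (public API server endpoint)")
        outbound = props.get("networkProfile", {}).get("outboundType")
        if outbound == "userDefinedRouting":
            needs_udr = True
        else:
            findings.append(f"{name}: outboundType is {outbound!r}, egress uses a public load balancer")
        for pool in props.get("agentPoolProfiles", []):
            if pool.get("enableNodePublicIP"):
                findings.append(f"{name}: node pool {pool.get('name')!r} has enableNodePublicIP=true")
    for pip in _resources(template, "Microsoft.Network/publicIPAddresses"):
        findings.append(f"public IP resource present: {pip.get('name')!r}")
    # UDR egress is only complete when a route table sends 0.0.0.0/0 to the
    # appliance; otherwise the nodes simply have no internet path at all.
    default_via_nva = any(
        route.get("properties", {}).get("addressPrefix") == "0.0.0.0/0"
        and route.get("properties", {}).get("nextHopType") == "VirtualAppliance"
        for table in _resources(template, "Microsoft.Network/routeTables")
        for route in table.get("properties", {}).get("routes", []))
    if needs_udr and not default_via_nva:
        findings.append("outboundType is userDefinedRouting but no route sends 0.0.0.0/0 to a VirtualAppliance")
    return findings
```

    Run `check_private_aks(open("private-aks.json").read())` on the output of `az bicep build` and treat a non-empty list as a failed gate before `az deployment sub create`.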

  2. kavag
    The greatest, community driven, technical event in Greece for IT Professionals and Developers is back!
    It’s been a long time since the last ITPRO|DEV Connections event took place. There are a few reasons for that, but this does not matter anymore, as we proudly bring it back to life, and this time in virtual form!
    This event is community driven, and this year the number of communities taking part is bigger than ever before. This signifies great momentum and deep commitment from the community members to help and support other community members.
    More than 100 speakers with real-world experience and different backgrounds, living in different parts of the world, as we have now grown beyond the Greek borders, are getting together and sharing their knowledge with all the members of the 15 technical communities that are embracing ITPRO|DEV Connections 2020!
    The event’s tracks
    It will be 2 full days with parallel tracks running from ~10am to ~6pm (local time, that is GMT+2) and it will cover the following categories (in alphabetical order):
    - AI & ML
    - Data & Analytics
    - Development
    - DevOps
    - Infrastructure
    - Learning & Certification
    - Modern Workspace
    - Networks & Security
    - Project Management
    All sessions are 45 minutes long.
    The event is FREE, but you have to register here: 

    The event’s details
    We have created the event on a platform that will have all the amenities of a normal conference, like sponsor booths, networking groups for 1-to-1 messaging and video calls, session evaluations, and of course a way to build your own personal schedule for your favorite sessions!
    The event comes with a very handy mobile app that you get to build your schedule and give session feedback and more. So make sure that you download the app and configure it with the 4-digit code that corresponds to our event. All this information is in the registration confirmation email!
    Also, this year the event is going to be delivered in 2 languages, so make sure you check the session tags for the tag “Lang: EL” or “Lang: EN” in a blue-ish color.
    Since we are in the tags area, there are mainly 4 different colors for tags:
    - Dark blue: Session track
    - Magenta: Session tags
    - Light green: Session level
    - Light blue: Session language
    I’m speaking!
    Apart from being on the organizing team, I also have a session, where I will talk about how the cloud is changing the way infrastructure is designed, and how you can build a highly available and scalable security perimeter using Cisco Firepower Threat Defense virtual appliances.
    The session is called “Cisco NGFWv scalable design in Azure” and is on Saturday the 12th at 1 pm (GMT+2). The session is demo heavy, as it is inspired by a real customer project! I look forward to welcoming you if you happen to drop by.
    Call for action!
    What are you waiting for?
    Register here https://www.itprodevconnections.gr build your agenda and join us on 12-13 of December.
    Don’t forget to use the official hashtag of the event in any of your posts which is #itprodevgreece
  3. kavag
    What is Nano Server?
    Nano Server is a new installation option that became available with the arrival of Windows Server 2016 Technical Preview. It is a purpose-built, stripped down operating system designed to run services and to be managed remotely.
    Windows Server 2016 will offer the following installation options:

    Nano Server has been designed according to the Zero-Footprint model and its size on disk is around 500 MB. It has no GUI, binaries or metadata in the OS image; it sets up significantly faster and requires far fewer updates and restarts than Windows Server.

    Since it cannot be selected as an installation option during Windows Server Setup, PowerShell must be used to prepare and customize a VHD image with Nano Server. Nano Server can run either as a virtual or a physical machine, supporting the following roles and features:
    Role / Feature     | Physical / Virtual | Description
    Compute            | Physical           | Hyper-V Role
    Storage            | Both               | Storage role
    Clustering         | Both               | Failover Clustering role
    Reverse Forwarders | Both               | Helps in testing legacy tools
    Defender           | Both               | Anti-Malware Defender package
    OEM drivers        | Physical           | Selection of drivers that ship in-box with Server Core
    Guest drivers      | Virtual            | Drivers needed to run Nano Server as a VM
    In order to deploy Nano Server as a Virtual Machine on a Hyper-V host running Windows Server 2016, the following procedure can be used:
    Step 1 – Mount the ISO
    Mount the Windows Server 2016 Technical Preview ISO and copy the contents of the \NanoServer folder. If the drive letter of the mounted image is G:\, run the following commands:
    md C:\NanoServer
    xcopy G:\NanoServer C:\NanoServer /s
    Step 2 – Dot-Source the Scripts
    The PowerShell scripts included in the installation folder need to be dot-sourced in order to be used for the Nano Server VHD creation. Alternatively, you can use another PowerShell script that you will find in the TechNet Library or on GitHub.
    cd C:\NanoServer
    . .\Convert-WindowsImage.ps1
    . .\New-NanoServerImage.ps1
    Step 3 – Create a VHD
    Run the following command to prepare a Nano Server VHD:
    New-NanoServerImage -MediaPath G:\ -BasePath .\Base `
        -TargetPath .\NSVM01 -ComputerName NSVM01 `
        -GuestDrivers -Language en-us -Storage -Clustering `
        -EnableIPDisplayOnBoot -DomainName "MGMT.local" `
        -EnableRemoteManagementPort
    The New-NanoServerImage cmdlet allows us to specify the media and target paths, set the computer name, add the right set of drivers for a physical or virtual machine, choose whether the Nano Server will join an Active Directory domain, etc. Most importantly, it allows us to select which roles or features are going to be installed.
    Step 4 – Create a Virtual Machine
    As soon as New-NanoServerImage has completed successfully, a new VHD with Nano Server will be available and can be attached as the boot device of a Generation 1 Virtual Machine.
    VM creation can be done with the following script:
    $VMName = "NSVM01"
    $VMPath = "F:\Hyper-V\" + $VMName
    $VirtualSwitchName = "vSwitch-INT"
    New-VM -Name $VMName -MemoryStartupBytes 1GB -SwitchName $VirtualSwitchName `
        -VHDPath "$($VMPath)\NSVM01.vhd" -Generation 1 |
        Set-VM -ProcessorCount 2
    Start-VM $VMName
    A couple of seconds after running the Start-VM command, Nano Server will boot and the following screen will appear:

    Next, log in using domain credentials and the Emergency Management Console will appear:
    Navigate using TAB, choose Networking and get the network adapter’s settings as shown below:
    How-to Manage the Nano Server
    Nano Server has no GUI or any other console, except for the Emergency Management Console, which right now is very restricted and can only be used to display the network adapter’s properties. So, how can we manage Nano Server?
    It can be managed remotely using the following tools:
    - Remote graphical tools (Server Manager, Hyper-V Manager, Disk Manager, etc.)
    - PowerShell Remoting
    - PowerShell Direct
    - Third-party tools and frameworks (Chef, ASP.NET 5, etc.)
    Enter a PowerShell remote session using the following command:
    Enter-PSSession -ComputerName NSVM01 -Credential MGMT\administrator
    Then run the Get-Process cmdlet to list the processes that are running on the Nano Server:

    Resources
    More information about Nano Server and its deployment Scripts you can find at the following URLs:
    - http://aka.ms/NanoServer
    - PowerShell Script to build your Nano Server Image
    The post Getting Started with Nano Server appeared first on Vaggelis Kappas.


  7. kavag
    Lately, I have been under the rock of work and that is why I didn’t write about this sooner. On October 1st I received an email saying:

    As you can imagine, I was eagerly awaiting this email, and the excitement I got was really great.
    I would like to thank all community members of autoexec.gr and friends, many of whom are or were fellow MVPs, for their help, support and guidance throughout this last year.
    Last but not least, I would like to thank my friends working at Microsoft Hellas for continuously supporting the community and for the confidence they showed me, “pushing” me forward.
    I look forward to continuing my contribution to IT Pros community with the same passion for the years to come.
    The post 2015 Microsoft MVP Award on Hyper-V appeared first on Vaggelis Kappas.


  9. kavag
    Recently 5nine Software released version 7.1 of 5nine Manager. 5nine Manager is an easy-to-use and cost-effective management solution for Microsoft Hyper-V. It provides many of the features of Microsoft’s System Center Virtual Machine Manager that you need for everyday Hyper-V and cluster management, at a fraction of the cost.
     
    In this blog post we are going to explore the latest improvements and enhancements of 5nine Manager v7.1, so keep reading.
     
    5nine Manager v7.1 helps system administrators save time by automating multiple operations through various enhancements to 5nine Manager’s platform, views, wizards and antivirus features. The new version makes 5nine Manager look and feel like VMware vCenter and increases operational efficiency, enabling administrators that are new to Hyper-V to have an easier and more familiar management experience.
     
    Read More ...
  10. kavag
    In the unlikely event that you have not heard, Windows Server 2016 Technical Preview 3 (TP3) is now available for download.
    You can get it from TechNet Evaluation Center

    You can find it in Azure’s Image Gallery


    You can find it on your MSDN Subscription

    For more information about TP3 you can visit the following Microsoft blogs:
    What’s new in Windows Server 2016 and System Center 2016 Technical Preview 3
    New Windows Server Preview Fuels Application Innovation with Containers, Software-Defined Datacenter Updates
    Announcing Windows Server 2016 Containers Preview
    Enjoy!
    The post Windows Server 2016 Technical Preview 3 (TP3) is now available appeared first on Vaggelis Kappas.


  12. kavag
    A client of mine has asked me if it would be possible to run pfSense as a Microsoft Azure IaaS Virtual Machine. pfSense® software is a free, open source customized distribution of FreeBSD, specifically tailored for use as a firewall and router that is entirely managed via web interface.
    At that time, I was aware that running FreeBSD 10 under Hyper-V and in Microsoft Azure is something that can be done. So, I decided to build a deployment as a Proof of Concept and to write a blog post about it.

    This post will provide instructions and all the necessary steps to prepare, upload and run pfSense-2.2.3 in Microsoft Azure.
    Please note, that FreeBSD is not currently an endorsed distribution in Microsoft Azure and therefore is not supported.
    Resources
    - Latest Stable Version of pfSense
    - Running FreeBSD in Azure
    - User Defined Routes and other Azure Virtual Network enhancements that were announced at Microsoft Ignite 2015
    Design
    Let’s put what we want to achieve into context. The deployment’s design is as follows:
     
    Procedure
    In order to prepare a pfSense image for Microsoft Azure, we should download the latest x64 image and install it locally, on a server running Windows Server 2012 R2, as a Hyper-V Virtual Machine:
    - Download the latest x64 pfSense image from Latest Stable Version of pfSense (as of July 2015 the latest version is 2.2.3).
    - Decompress the image file to extract the installation ISO pfSense-LiveCD-2.2.3-RELEASE-amd64-20150623-1637.iso.
    - Attach the ISO file as a DVD drive to a newly created Hyper-V Virtual Machine.
    - Start the installation of pfSense.
    - After successful installation of pfSense, enable SSH.
    - Install Python 2.7 and the required modules:
    [2.2.3-RELEASE][admin@pfSense.localdomain]/: pkg install python27 py27-asn1
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up-to-date.
    All repositories are up-to-date.
    Checking integrity... done (0 conflicting)
    The following 3 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
            python27: 2.7.10
            py27-asn1: 0.1.7,1
            py27-setuptools27: 17.0

    The process will require 67 MiB more space.

    Proceed with this action? [y/N]: y
    [1/3] Installing python27-2.7.10...
    [1/3] Extracting python27-2.7.10: 100%
    [2/3] Installing py27-setuptools27-17.0...
    [2/3] Extracting py27-setuptools27-17.0: 100%
    [3/3] Installing py27-asn1-0.1.7,1...
    [3/3] Extracting py27-asn1-0.1.7,1: 100%
    Message for python27-2.7.10:
    =====================================================================
    Note that some standard Python modules are provided as separate ports
    as they require additional dependencies. They are available as:

    bsddb           databases/py-bsddb
    gdbm            databases/py-gdbm
    sqlite3         databases/py-sqlite3
    tkinter         x11-toolkits/py-tkinter
    =====================================================================
    [2.2.3-RELEASE][admin@pfSense.localdomain]/:
    You should symlink the new Python 2.7 binary:
    [2.2.3-RELEASE][admin@pfSense.localdomain]/: ln -s /usr/local/bin/python2.7 /usr/bin/python
    - Install sudo. Typically on Azure, the root account is disabled and we log in with an unprivileged user, which should use sudo to run commands with elevated privileges.
    [2.2.3-RELEASE][admin@pfSense.localdomain]/: pkg install sudo
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up-to-date.
    All repositories are up-to-date.
    The following 1 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
            sudo: 1.8.14

    The process will require 3 MiB more space.
    796 KiB to be downloaded.

    Proceed with this action? [y/N]: y
    Fetching sudo-1.8.14.txz: 100%  796 KiB 815.0kB/s  00:01
    Checking integrity... done (0 conflicting)
    [1/1] Installing sudo-1.8.14...
    [1/1] Extracting sudo-1.8.14: 100%
    [2.2.3-RELEASE][admin@pfSense.localdomain]/:
    - Install the Azure Linux Agent. GitHub is the repository where you can find the latest version of the Azure Linux Agent:
    https://github.com/Azure/WALinuxAgent
    Version 2.0.10 or later is required for FreeBSD. Branch 2.0 is typically very stable and as of July 2015 the latest version is 2.0.14.
    [2.2.3-RELEASE][admin@pfSense.localdomain]/: wget https://raw.githubusercontent.com/Azure/WALinuxAgent/2.0/waagent
    --2015-07-23 13:25:16--  https://raw.githubusercontent.com/Azure/WALinuxAgent/2.0/waagent
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 245087 (239K) [text/plain]
    Saving to: 'waagent'

    waagent    100%[======================================================>] 239.34K  624KB/s   in 0.4s

    2015-07-23 13:25:17 (624 KB/s) - 'waagent' saved [245087/245087]

    [2.2.3-RELEASE][admin@pfSense.localdomain]/: mv ./waagent /usr/sbin/
    [2.2.3-RELEASE][admin@pfSense.localdomain]/: chmod 755 /usr/sbin/waagent
    [2.2.3-RELEASE][admin@pfSense.localdomain]/: /usr/sbin/wa
    [2.2.3-RELEASE][admin@pfSense.localdomain]/: /usr/sbin/waagent -install
    [2.2.3-RELEASE][admin@pfSense.localdomain]/:
    - Set IP addresses:
      Configure the WAN (hn0) interface as a DHCP client.
      Assign the static IP address 172.16.2.10 to the LAN (hn1) interface.

    - Shut down the pfSense Virtual Machine. Now the pfSense Virtual Machine is ready to run in Microsoft Azure.
    Upload the pfSense-2.2.3 VHD to Azure
    Using the following PowerShell commands, first we upload the pfSense VHD to Microsoft Azure Storage Account and then we create a custom image:
    # Variables Section
    $DestFile = "https://pfsa.blob.core.windows.net/vhds/pfSense-2.2.3-amd64.vhd"
    $SourceFile = "C:\Hyper-V\pfSense\Virtual Hard Disks\pfSense-2-2-3.vhd"
    # VHD Upload
    Add-AzureVhd -Destination $DestFile -LocalFilePath $SourceFile
    # Create an Image
    Add-AzureVMImage -ImageName "pfSense-2.2.3" -MediaLocation $DestFile -OS Linux
    Note that we are using the OS type Linux instead of FreeBSD, as FreeBSD is not currently supported.
    Create a Multi-NIC Virtual Machine
    The custom image that we created previously can be used to create a pfSense Virtual Machine with two virtual network interfaces (vNICs) in Microsoft Azure. More details about creating a Virtual Machine with multiple vNICs in Microsoft Azure can be found in a previous post here:
    Create a Virtual Machine with Multiple NICs in Azure IaaS
    A pfSense Virtual Machine with two vNICs will be created by running the following PowerShell commands:
    $location = "West Europe"
    $serviceName = "pfsvc"
    $vnet = "pf-VNET"
    $subscriptionName = 'My MSDN Subscription'
    $storageAccount = 'pfsa'
    $adminUser = "adminuser"
    # Renamed from $pwd, which is PowerShell's read-only automatic variable
    $adminPassword = "*********"
    $imageName = "pfSense-2.2.3"
    $MultiVM = New-AzureVMConfig -ImageName $imageName `
        -Name "pfSense-FW01" -InstanceSize ExtraLarge |
        Add-AzureProvisioningConfig -Linux -LinuxUser $adminUser -Password $adminPassword |
        Set-AzureSubnet -SubnetNames "Front-End" |
        Set-AzureStaticVNetIP -IPAddress "172.16.1.10" |
        Add-AzureNetworkInterfaceConfig -Name "LAN NIC" `
            -SubnetName "LAN-Subnet" -StaticVNetIPAddress 172.16.2.10
    New-AzureVM -ServiceName $serviceName `
        -Location $location `
        -VNetName $vnet `
        -VMs $MultiVM
    Setup User Defined Routes
    With user defined routes, we have complete control over the traffic flow in our virtual network. By default, a virtual network provides system routes for traffic flow between virtual machines. Now we can customize the routing table by defining routes, which allows us to direct traffic through the pfSense Virtual Machine that we have just created. Routes are defined inside a routing table that is applied to subnets; every VM within a subnet automatically inherits the routes from the routing table.
    The following PowerShell commands allow us to:
    - Create the routing tables
    - Create routes in the routing tables
    - Apply routing tables to subnets
    - Enable IP Forwarding on pfSense’s vNICs
    #
    # Variables Section
    #
    $Location = "West Europe"
    $VNetName = "pf-VNET"
    $FrontendName = "FE-Subnet"
    $LANName = "LAN-Subnet"
    $ServiceName = "pfsvc"
    $VM = Get-AzureVM -Name "pfSense-FW01" -ServiceName $ServiceName
    # Set the route table of the Frontend network:
    #
    $FrontRT = New-AzureRouteTable -Name $FrontendName `
        -Location $Location -Label "FE-RT"
    Set-AzureRoute -RouteTable $FrontRT -RouteName "DMZ-Route" `
        -AddressPrefix "172.16.2.0/24" -NextHopType "VirtualAppliance" `
        -NextHopIpAddress "172.16.1.10"
    Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName `
        -SubnetName $FrontendName -RouteTableName $FrontendName
    # Set the route table of the LAN network:
    #
    $LANRT = New-AzureRouteTable -Name $LANName `
        -Location $Location -Label "LAN-RT"
    Set-AzureRoute -RouteTable $LANRT -RouteName "FE-Route" `
        -AddressPrefix 172.16.1.0/24 -NextHopType VirtualAppliance `
        -NextHopIpAddress 172.16.2.10
    Set-AzureRoute -RouteTable $LANRT -RouteName default -AddressPrefix 0.0.0.0/0 `
        -NextHopType VirtualAppliance -NextHopIpAddress 172.16.2.10
    Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $LANName `
        -RouteTableName $LANName
    # Enable IP Forwarding on the main NIC and secondary NICs:
    #
    Set-AzureIPForwarding -ServiceName $ServiceName -VM $VM -Enable
    Set-AzureIPForwarding -ServiceName $ServiceName -VM $VM `
        -NetworkInterfaceName "LAN NIC" -Enable
    The pfSense Virtual Machine must be able to receive incoming traffic that is not addressed to itself, and this is the reason to enable IP forwarding.
    The post Running pfSense as an Azure IaaS Virtual Machine appeared first on Vaggelis Kappas.
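    To reason about what these route tables do before applying them, the following Python model (an added example, not code from the original post) resolves a destination from each subnet the way Azure does, longest prefix first with a user-defined route beating a system route of equal length, and audits that every VirtualAppliance next hop is a pfSense NIC with IP forwarding enabled. The route prefixes and next-hop IPs are the post’s; the VNet address space 172.16.0.0/16 and the NIC names are assumptions.

```python
import ipaddress

# Constructed from the post's design: pf-VNET with two subnets, the pfSense VM with
# one NIC in each, and the two route tables the PowerShell above applies to them.
VNET_PREFIX = "172.16.0.0/16"  # assumed address space of pf-VNET (not stated in the post)
# route table name -> [(route name, address prefix, next hop type, next hop IP)]
ROUTE_TABLES = {
    "FE-Subnet": [("DMZ-Route", "172.16.2.0/24", "VirtualAppliance", "172.16.1.10")],
    "LAN-Subnet": [
        ("FE-Route", "172.16.1.0/24", "VirtualAppliance", "172.16.2.10"),
        ("default", "0.0.0.0/0", "VirtualAppliance", "172.16.2.10"),
    ],
}
# pfSense NICs by private IP; ip_forwarding mirrors the two Set-AzureIPForwarding calls
APPLIANCE_NICS = {
    "172.16.1.10": {"name": "primary NIC", "ip_forwarding": True},
    "172.16.2.10": {"name": "LAN NIC", "ip_forwarding": True},
}


def resolve(src_subnet, dst_ip, route_tables=ROUTE_TABLES):
    """Return (route name, next hop type, next hop IP) a VM in src_subnet uses for dst_ip.

    Azure picks the longest matching prefix; on equal length a user-defined route beats
    the system route, which is why 'default' (0.0.0.0/0) overrides the built-in Internet route."""
    dst = ipaddress.ip_address(dst_ip)
    # System routes every subnet gets: VNet-local delivery and the Internet default.
    # Tuple layout: (network, route name, next hop type, next hop IP, is_user_route)
    candidates = [
        (ipaddress.ip_network(VNET_PREFIX), "system-vnet", "VnetLocal", None, False),
        (ipaddress.ip_network("0.0.0.0/0"), "system-default", "Internet", None, False),
    ]
    for name, prefix, hop_type, hop_ip in route_tables.get(src_subnet, []):
        candidates.append((ipaddress.ip_network(prefix), name, hop_type, hop_ip, True))
    matches = [c for c in candidates if dst in c[0]]
    best = max(matches, key=lambda c: (c[0].prefixlen, c[4]))
    return best[1], best[2], best[3]


def audit(route_tables=ROUTE_TABLES, nics=APPLIANCE_NICS):
    """Findings for every VirtualAppliance route whose next hop cannot actually forward:
    either the address belongs to no pfSense NIC, or that NIC has IP forwarding off."""
    findings = []
    for table, routes in route_tables.items():
        for name, _prefix, hop_type, hop_ip in routes:
            if hop_type != "VirtualAppliance":
                continue
            nic = nics.get(hop_ip)
            if nic is None:
                findings.append(f"{table}/{name}: next hop {hop_ip} is not an appliance NIC")
            elif not nic["ip_forwarding"]:
                findings.append(f"{table}/{name}: IP forwarding is disabled on {nic['name']} ({hop_ip})")
    return findings


if __name__ == "__main__":
    for subnet, dst in (("FE-Subnet", "172.16.2.50"), ("FE-Subnet", "8.8.8.8"),
                        ("LAN-Subnet", "8.8.8.8")):
        print(f"{subnet} -> {dst}: {resolve(subnet, dst)}")
    print("audit:", audit() or "OK")
```

    Note that the model shows the asymmetry the design relies on: LAN hosts reach the internet through the LAN NIC (172.16.2.10), while Front-End hosts keep Azure’s system Internet route and only reach the LAN subnet via the primary NIC.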


  15. kavag
5nine Cloud Security Version 6.0 for Hyper-V has just been released, so let's start to explore what is new in this version.
5nine Cloud Security is described by its vendor as the first and only agentless security and compliance solution built specifically for the Microsoft Cloud Platform and Hyper-V virtual machines running Windows and Linux. The solution provides multi-layered protection with an integrated virtual firewall, agentless antivirus and malware protection, along with an Intrusion Detection System (IDS), all in one package.
Analysis and Alerting for Network Traffic Anomalies

[Figure: Allowed and blocked packets statistics]

5nine Cloud Security creates a baseline of normal network traffic patterns for your virtualized environment; when it identifies an anomaly, it alerts the administrator that a threat could be present. You can detect a variety of threats from suspicious network behavior and other advanced threats. 5nine constantly logs and monitors statistics about your historical traffic, packets and their sizes, and if the values exceed the configurable alert sensitivity setting it immediately notifies you about the possibility of an attack.

With 5nine Cloud Security you can now meet the security and compliance requirements of your business by being able to analyze and report on your historical data, using it as a network forensics tool.
  16. kavag
The way that Network Virtualization is implemented in Hyper-V, and subsequently in Microsoft Azure IaaS, explicitly enables routing between Virtual Subnets. This is the reason why traffic between Virtual Subnets that are part of the same Virtual Network is unrestricted unless we have applied Network Security Groups.
A Network Security Group is a way to control traffic between the Virtual Subnets of an Azure Virtual Network, as well as to and from the Internet. Moreover, Network Security Groups provide segmentation within an Azure Virtual Network, by applying rules according to our needs and design.

Until Network Security Groups became Generally Available, the only way to control traffic was endpoint-based Access Control Lists. By applying ACLs to a Virtual Machine's public endpoint, we have a way to control the ingress traffic to that port of that particular Virtual Machine. Network Security Groups take this capability a step further and enable us to control all inbound as well as outbound traffic of a Virtual Machine or a Virtual Subnet.
    How does a Network Security Group (NSG) work ?
    A Network Security Group has a name and a descriptive label and is associated to an Azure Region. It contains Inbound and Outbound traffic rules and can be applied to a Virtual Machine, a Virtual Subnet or both.

    Associating an NSG to a VM – When an NSG is directly associated to a VM, the Network access rules in the NSG are directly applied to all traffic that is destined to the VM.
    Associating an NSG to a Subnet – When an NSG is associated to a subnet, the Network access rules in the NSG are applied to all the VMs in the subnet.
    Associating an NSG to a Subnet and a VM – It is possible that you can associate an NSG to a VM and a different NSG to the subnet where the VM resides. This is supported and in this case the VM gets two layers of protection. On the Inbound traffic the packet goes through the access rules specified in the subnet followed by rules in the VM and in the Outbound case it goes through the rules specified in the VM first before going through the rules specified in the subnet.
    Priorities and Default Rules
As we mentioned above, an NSG contains Inbound and Outbound traffic rules that we create according to our needs. These rules are processed in order of priority: rules with a lower priority number are processed before those with a higher priority number, and processing stops at the first rule that matches the traffic. Every Network Security Group also carries a set of default rules. These cannot be deleted, but they have the highest priority numbers (the lowest precedence), so any rule we add is evaluated before them and normally overrides them.
    Azure Virtual Network
    Let’s assume that we want to deploy a three-tier application in Microsoft Azure IaaS offering. In this case, we create a Virtual Network as illustrated in the following figure:


    By default, Virtual Machines that are deployed to the Virtual Subnets (Front, App, DB) can communicate to each other and can have access to the Internet. This default behavior in some cases is not enough and Security and Access Control needs to be applied. By using Network Security Groups, the Virtual Network’s security is strengthened and Access Control Rules to inbound and outbound traffic are enforced.
    Create and use Network Security Groups – Step-By-Step
    As a demonstration, we are going to use the Virtual Network that we’ve created in the previous example. Let’s assume that we want to implement a more restrictive scenario, like the one shown in the following figure:
In order to achieve the designed security and access control, we should create traffic rules that can be summarized in the following table (rows and columns are the tiers; the matrix is symmetric, each cell stating what is allowed between the two):

                   | Front End Subnet | Application Subnet | Database Subnet  | Internet
-------------------|------------------|--------------------|------------------|-----------------
Front End Subnet   | -                | Allow - TCP/80     | Deny - All       | Allow - All
Application Subnet | Allow - TCP/80   | -                  | Allow - TCP/1433 | Allow - TCP/3389
Database Subnet    | Deny - All       | Allow - TCP/1433   | -                | Allow - TCP/3389
Internet           | Allow - All      | Allow - TCP/3389   | Allow - TCP/3389 | -

Network Security Groups can be created and applied using PowerShell and the REST API. In this example we are going to use PowerShell. As always, we will use the latest Azure PowerShell module, which can be downloaded from the Azure Portal.
Using the following script we can create the Access Control Rules and Network Security Groups and apply them to the subnets:
# Setting the variables
$AzureRegion = 'West Europe'
$AzureVNET = 'Three-Tier-VNET'

# ---------------------Database Subnet Rules -------------------------
# Create a Network Security Group for Database Subnet
New-AzureNetworkSecurityGroup -Name "DB-NSG" -Location $AzureRegion -Label "NSG for Database Subnet of $AzureVNET"

# Adding a Rule to deny Inbound TCP traffic from Front End Subnet
Get-AzureNetworkSecurityGroup -Name "DB-NSG" | Set-AzureNetworkSecurityRule -Name FEDeny -Type Inbound -Priority 100 `
    -Action Deny -SourceAddressPrefix '172.16.1.0/24' -SourcePortRange '*' -DestinationAddressPrefix '172.16.3.0/24' `
    -DestinationPortRange '*' -Protocol TCP

# Adding a Rule to allow Inbound SQL (TCP/1433) traffic from Application Subnet
Get-AzureNetworkSecurityGroup -Name "DB-NSG" | Set-AzureNetworkSecurityRule -Name SQL -Type Inbound -Priority 110 `
    -Action Allow -SourceAddressPrefix '172.16.2.0/24' -SourcePortRange '*' -DestinationAddressPrefix '172.16.3.0/24' `
    -DestinationPortRange '1433' -Protocol TCP

# Adding a Rule to allow Inbound RDP (TCP/3389) traffic from Internet, for management
Get-AzureNetworkSecurityGroup -Name "DB-NSG" | Set-AzureNetworkSecurityRule -Name RDP -Type Inbound -Priority 120 `
    -Action Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' -DestinationAddressPrefix '172.16.3.0/24' `
    -DestinationPortRange '3389' -Protocol TCP

# Assign the Network Security Group to Database Subnet
Get-AzureNetworkSecurityGroup -Name "DB-NSG" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $AzureVNET -SubnetName "Database"

# Network Security Group Rules and details
Get-AzureNetworkSecurityGroup -Name "DB-NSG" -Detailed

# ---------------------Application Subnet Rules -------------------------
# Create a Network Security Group for Application Subnet
New-AzureNetworkSecurityGroup -Name "APP-NSG" -Location $AzureRegion -Label "NSG for Application Subnet of $AzureVNET"

# Adding a Rule to deny Inbound TCP traffic from Database Subnet
Get-AzureNetworkSecurityGroup -Name "APP-NSG" | Set-AzureNetworkSecurityRule -Name DBDeny -Type Inbound -Priority 100 `
    -Action Deny -SourceAddressPrefix '172.16.3.0/24' -SourcePortRange '*' -DestinationAddressPrefix '172.16.2.0/24' `
    -DestinationPortRange '*' -Protocol TCP

# Adding a Rule to allow Inbound WEB (TCP/80) traffic from Front End Subnet
Get-AzureNetworkSecurityGroup -Name "APP-NSG" | Set-AzureNetworkSecurityRule -Name WEB -Type Inbound -Priority 110 `
    -Action Allow -SourceAddressPrefix '172.16.1.0/24' -SourcePortRange '*' -DestinationAddressPrefix '172.16.2.0/24' `
    -DestinationPortRange '80' -Protocol TCP

# Adding a Rule to allow Inbound RDP (TCP/3389) traffic from Internet, for management
Get-AzureNetworkSecurityGroup -Name "APP-NSG" | Set-AzureNetworkSecurityRule -Name RDP -Type Inbound -Priority 120 `
    -Action Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' -DestinationAddressPrefix '172.16.2.0/24' `
    -DestinationPortRange '3389' -Protocol TCP

# Assign the Network Security Group to Application Subnet
Get-AzureNetworkSecurityGroup -Name "APP-NSG" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $AzureVNET -SubnetName "Application"

# Network Security Group Rules and details
Get-AzureNetworkSecurityGroup -Name "APP-NSG" -Detailed

We can get all the details about the applied Network Security Groups using the commands:
Get-AzureNetworkSecurityGroup -Name "DB-NSG" -Detailed
Get-AzureNetworkSecurityGroup -Name "APP-NSG" -Detailed
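The following is an added Python model, not code from the original post, of how a classic NSG evaluates inbound traffic: rules in ascending priority order, first match wins, default rules last. It is loaded with the DB-NSG and APP-NSG rules exactly as the script above creates them, plus a hypothetical VM-level NSG to show the two-layer (subnet, then VM) evaluation described earlier. Two assumptions: the address space of Three-Tier-VNET is 172.16.0.0/16 (the post only names the three /24 subnets), and the INTERNET tag is modelled as any address outside that space.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the original post: a minimal model of classic NSG inbound
# evaluation. Assumed VNet address space; INTERNET is modelled as "outside the VNet".
VNET = ipaddress.ip_network("172.16.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    action: str     # "Allow" or "Deny"
    src: str        # CIDR, 'INTERNET', 'VIRTUAL_NETWORK', 'AZURE_LOADBALANCER' or '*'
    dst: str
    dport: str      # '*', a single port, or 'low-high'
    proto: str      # 'TCP', 'UDP' or '*'


# Default inbound rules of every classic NSG: cannot be deleted, evaluated after user rules
DEFAULT_INBOUND = [
    Rule("ALLOW VNET INBOUND", 65000, "Allow", "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "*", "*"),
    Rule("ALLOW AZURE LOAD BALANCER INBOUND", 65001, "Allow", "AZURE_LOADBALANCER", "*", "*", "*"),
    Rule("DENY ALL INBOUND", 65500, "Deny", "*", "*", "*", "*"),
]

# Rules as the post's Set-AzureNetworkSecurityRule calls create them
DB_NSG = [
    Rule("FEDeny", 100, "Deny", "172.16.1.0/24", "172.16.3.0/24", "*", "TCP"),
    Rule("SQL", 110, "Allow", "172.16.2.0/24", "172.16.3.0/24", "1433", "TCP"),
    Rule("RDP", 120, "Allow", "INTERNET", "172.16.3.0/24", "3389", "TCP"),
]
APP_NSG = [
    Rule("DBDeny", 100, "Deny", "172.16.3.0/24", "172.16.2.0/24", "*", "TCP"),
    Rule("WEB", 110, "Allow", "172.16.1.0/24", "172.16.2.0/24", "80", "TCP"),
    Rule("RDP", 120, "Allow", "INTERNET", "172.16.2.0/24", "3389", "TCP"),
]

# Hypothetical VM-level NSG (not in the post) used to show the two-layer evaluation
VM_NSG = [Rule("NoRdpOnThisVm", 100, "Deny", "*", "*", "3389", "TCP")]


def _addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VIRTUAL_NETWORK":
        return ip in VNET
    if spec == "INTERNET":
        return ip not in VNET
    if spec == "AZURE_LOADBALANCER":
        return False  # no health-probe traffic in these samples
    return ip in ipaddress.ip_network(spec)


def _port_match(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule in ascending priority order decides; user rules precede defaults."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.proto in ("*", proto) and _addr_match(r.src, src_ip)
                and _addr_match(r.dst, dst_ip) and _port_match(r.dport, dport)):
            return r.action, r.name
    return "Deny", "implicit"  # unreachable: DENY ALL INBOUND always matches


def evaluate_layered(subnet_rules, vm_rules, src_ip, dst_ip, proto, dport):
    """Inbound with an NSG on both subnet and VM: subnet first, then VM; both must allow."""
    for layer, rules in (("subnet", subnet_rules), ("vm", vm_rules)):
        action, name = evaluate(rules, src_ip, dst_ip, proto, dport)
        if action == "Deny":
            return "Deny", f"{layer}:{name}"
    return "Allow", "both layers"


def deny_all_gaps(rules, src_ip, dst_ip,
                  probes=(("TCP", 1433), ("TCP", 3389), ("UDP", 53), ("UDP", 1434))):
    """Probe a 'Deny - All' intent with sample flows; return the ones that are still allowed."""
    gaps = []
    for proto, port in probes:
        action, name = evaluate(rules, src_ip, dst_ip, proto, port)
        if action == "Allow":
            gaps.append((proto, port, name))
    return gaps


if __name__ == "__main__":
    print(evaluate(DB_NSG, "172.16.2.7", "172.16.3.5", "TCP", 1433))   # ('Allow', 'SQL')
    print(deny_all_gaps(DB_NSG, "172.16.1.5", "172.16.3.5"))          # UDP slips past FEDeny
```

The probe exposes a gap between the table and the script: the FEDeny and DBDeny rules are TCP-only, while the table asks for "Deny - All", so UDP traffic from the Front End subnet still reaches the Database subnet through the default ALLOW VNET INBOUND rule. If the intent really is to block everything, create those deny rules with -Protocol '*'. Likewise, the RDP rules accept TCP/3389 from the whole INTERNET tag; in practice, restrict the source prefix to the management network you actually connect from.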
    The post Secure Azure Virtual Network using Network Security Groups appeared first on Vaggelis Kappas.


  19. kavag
    Every time I present a session about Microsoft Azure IaaS, the most common question is about Virtual Machines’ capability of getting more than one Virtual Network Interface (vNIC). At TechEd Europe 2014, Microsoft announced support for multiple Network Interfaces (vNICs) in Azure VMs, as well as other additions to Azure Virtual Networks like Network Security Groups.
    Moreover, the capability of adding more than one vNIC to a Virtual Machine will enable Virtual Appliances scenarios like Firewalls, Load Balancers etc.
    In this blogpost we are going to explore all the necessary steps for creating a Virtual Machine with multiple vNICs in Azure IaaS. So, let’s get started.

    How to create a Virtual Machine with multiple NICs
    According to our requirements we need to design our Virtual Network with all the required Subnets. The design phase should always precede every implementation. As an example, we can use the following diagram

    In this diagram, a Virtual Network for supporting a common three-tier application is displayed. This Virtual Network has three subnets, Front-End Subnet with network number 172.16.1.0/24, Mid-Tier Subnet with network number 172.16.2.0/24 and Back-End Subnet with network number 172.16.3.0/24. The scope of this blogpost is to create a Virtual Machine with three Network Interfaces, one in each subnet.
    Prerequisites and Constraints
Multiple NICs can be added to any Azure Virtual Machine, except Basic Tier SKUs. However, the number of NICs that can be created for a Virtual Machine depends on its size, as shown in the following table:

VM Size (Standard SKUs)  | NICs (max allowed per VM)
-------------------------|--------------------------
Large (A3) and A6        | 2
Extra Large (A4) and A7  | 4
A9                       | 2
D4                       | 4
D13                      | 4

– Multiple NICs can be added only to Virtual Machines belonging to a Virtual Network (VNET). Non-VNET VMs are not supported.
– Every Azure Virtual Machine with Multiple NICs has a "default" NIC and additional ones. Internet traffic and its corresponding VIP are only supported on the "default" NIC. There is only one VIP, mapped to the IP of the default NIC.
– A Virtual Machine with Multiple NICs cannot be used as an IP router: the IP packets must be destined to or sourced from one of its own IP addresses. (This was the constraint when multiple NICs were announced at TechEd Europe 2014; IP forwarding on VM NICs, which lifts it, arrived later together with User Defined Routes and is what the pfSense post on this page relies on.)
– The order of the NICs inside the VM is random and could also change across Azure infrastructure updates. However, the IP addresses and the corresponding Ethernet MAC addresses remain the same. For example, assume Eth1 has IP address 10.1.0.100 and MAC address 00-0D-3A-B0-39-0D; after an Azure infrastructure update and reboot it could become Eth2, but the IP and MAC pairing remains the same. When a restart is customer-initiated, the NIC order remains the same.
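Because the guest's interface order is not stable while the IP/MAC pairing is, anything inside the VM that depends on "which NIC is which" (host firewall rules, in-guest routes, monitoring) should bind to the MAC address rather than to the adapter name or position. The following added Python example (not code from the original post) re-identifies the adapters of the DMZ-GW machine described below by MAC after a platform-initiated reboot and produces the renames an operator would apply. The roles and IPs are those of DMZ-GW; the MAC addresses and the guest adapter names are constructed sample data.

```python
# Added example, not code from the original post: re-identify a multi-NIC VM's adapters by MAC
# after an Azure infrastructure update. Roles and IPs come from the DMZ-GW definition in the post;
# the MAC addresses and guest adapter names are constructed sample data.
EXPECTED_NICS = {
    "Default NIC": {"ip": "172.16.1.10", "mac": "00-0D-3A-B0-39-0D"},
    "MidTier NIC": {"ip": "172.16.2.10", "mac": "00-0D-3A-B0-39-0E"},
    "BackEnd NIC": {"ip": "172.16.3.10", "mac": "00-0D-3A-B0-39-0F"},
}

# What the guest reports after a platform reboot: same MAC/IP pairs, shuffled adapter names
# (constructed; on Windows this inventory would come from Get-NetAdapter and Get-NetIPAddress)
OBSERVED_AFTER_UPDATE = [
    {"name": "Ethernet 2", "ip": "172.16.1.10", "mac": "00:0d:3a:b0:39:0d"},
    {"name": "Ethernet",   "ip": "172.16.2.10", "mac": "00:0d:3a:b0:39:0e"},
    {"name": "Ethernet 3", "ip": "172.16.3.10", "mac": "00:0d:3a:b0:39:0f"},
]

# Constructed failure case: a MAC is present but no longer carries the IP configured in Azure
OBSERVED_IP_MISMATCH = [
    {"name": "Ethernet 2", "ip": "172.16.1.10", "mac": "00:0d:3a:b0:39:0d"},
    {"name": "Ethernet",   "ip": "172.16.2.11", "mac": "00:0d:3a:b0:39:0e"},
    {"name": "Ethernet 3", "ip": "172.16.3.10", "mac": "00:0d:3a:b0:39:0f"},
]


def normalize_mac(mac):
    """Canonical form so '00:0d:3a:...' and '00-0D-3A-...' compare equal."""
    return mac.replace(":", "-").upper()


def map_nics_by_mac(expected, observed):
    """Return ({role: guest adapter name}, [problems]).

    A role is mapped only when its MAC is present in the guest and that adapter still carries
    the IP configured in Azure; anything else is reported instead of silently guessed."""
    by_mac = {normalize_mac(nic["mac"]): nic for nic in observed}
    mapping, problems = {}, []
    for role, spec in expected.items():
        nic = by_mac.get(normalize_mac(spec["mac"]))
        if nic is None:
            problems.append(f"{role}: MAC {spec['mac']} not present in guest")
        elif nic["ip"] != spec["ip"]:
            problems.append(f"{role}: adapter {nic['name']} has {nic['ip']}, expected {spec['ip']}")
        else:
            mapping[role] = nic["name"]
    return mapping, problems


def rename_plan(expected, observed):
    """(current name, role name) pairs for adapters whose guest name differs from their role.

    Refuses to produce a plan if any expected NIC could not be identified unambiguously."""
    mapping, problems = map_nics_by_mac(expected, observed)
    if problems:
        raise ValueError("; ".join(problems))
    return [(current, role) for role, current in mapping.items() if current != role]


if __name__ == "__main__":
    print(map_nics_by_mac(EXPECTED_NICS, OBSERVED_AFTER_UPDATE))
    print(rename_plan(EXPECTED_NICS, OBSERVED_AFTER_UPDATE))
    print(map_nics_by_mac(EXPECTED_NICS, OBSERVED_IP_MISMATCH)[1])
```

On Windows the plan maps directly onto Rename-NetAdapter -Name <current> -NewName <role>, after which scripts and firewall rules can refer to the role names and survive the next infrastructure update.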
    Create the required Virtual Network
    With the prerequisites and constraints being mentioned, let’s proceed to create the required Virtual Network. As written above, our VNET, with a name of DMZ-VNET, has three subnets: Front-End Subnet (172.16.1.0/24), Mid-Tier Subnet (172.16.2.0/24) and Back-End Subnet (172.16.3.0/24). We can use PowerShell or the management portal to create this VNET and once completed, it will look like this:
    Create the Multi-NIC VM
The only way, for the time being, to create a Virtual Machine and add multiple NICs to it is via PowerShell. That is why we need the latest version of the Azure PowerShell module, which can be found at http://azure.microsoft.com.

Once the module is installed, we can use the following commands to create a new Virtual Machine (DMZ-GW) with three Network Interface Cards, each one connected to the desired subnet. For better understanding, we have split the script into sections:

# Create a Storage Account
New-AzureStorageAccount -StorageAccountName dmzsa -Location "West Europe"
New-AzureService -ServiceName "DMZCS" -Location "West Europe"

# Select the Subscription we are going to work with
Set-AzureSubscription -SubscriptionName "MSDN-Kappas" -CurrentStorageAccountName "dmzsa"
Select-AzureSubscription -SubscriptionName "MSDN-Kappas" -Current

# Setting some variables
$location = "West Europe"
$serviceName = "DMZCS"
$vnet = "DMZ-VNET"
$subscriptionName = 'MSDN-Kappas'
$storageAccount = 'dmzsa'

# Select an OS Image
$imageFamily = "Windows Server 2012 R2 Datacenter"
$imageName = Get-AzureVMImage | where { $_.ImageFamily -eq $imageFamily } | sort PublishedDate -Descending | select -ExpandProperty ImageName -First 1

# Enter required admin credentials
$cred = Get-Credential -Message "Enter admin credentials for the VM(s)"
$adminUser = $cred.UserName
$pwd = $cred.GetNetworkCredential().Password

# Define Virtual Machine's configuration
$vm1 = New-AzureVMConfig -ImageName $ImageName -Name "DMZ-GW" -InstanceSize ExtraLarge |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $pwd |
    # Configure the "Default NIC"
    Set-AzureSubnet -SubnetNames "Front-End" |
    Set-AzureStaticVNetIP -IPAddress "172.16.1.10" |
    # Configure additional NICs
    Add-AzureNetworkInterfaceConfig -Name "MidTier NIC" -SubnetName "Mid-Tier" -StaticVNetIPAddress "172.16.2.10" |
    Add-AzureNetworkInterfaceConfig -Name "BackEnd NIC" -SubnetName "Back-End" -StaticVNetIPAddress "172.16.3.10"

# Create the Virtual Machine
New-AzureVM -ServiceName $serviceName `
    -Location $location `
    -VNetName $vnet `
    -VMs $vm1

Multiple NICs Validation
    Once the Virtual Machine is created, we can connect via RDP in order to verify that its multiple NICs exist.
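    Looking at the adapters once over RDP confirms the build, but the constraint noted earlier (interface order may change after an Azure infrastructure update while the IP-to-MAC pairing stays fixed) is worth checking on every reboot. The following is an added example of mine, not part of the original post: run inside DMZ-GW, it maps each adapter's MAC to its IPv4 address, checks that the three static addresses from the script above are all bound, and compares the pairing against a baseline taken on the first run. The baseline file location is an assumption.

```powershell
# Added example, not from the original post. Run inside the DMZ-GW VM.
# Verifies that all three NICs are present with the expected static addresses
# and that the MAC <-> IP pairing has not drifted since the recorded baseline.
$expectedIPs  = @("172.16.1.10", "172.16.2.10", "172.16.3.10")
$baselinePath = Join-Path $env:ProgramData "DMZ-GW-nic-baseline.xml"   # assumed path

# Build a MAC -> IPv4 map from the live adapters. Keying on the MAC makes the
# check independent of the (possibly shuffled) Ethernet1/Ethernet2 order.
function Get-NicMap {
    $map = @{}
    foreach ($nic in Get-NetAdapter | Where-Object { $_.Status -eq "Up" }) {
        # Skip APIPA (169.254.x.x) addresses, which have a WellKnown prefix origin.
        $ip = Get-NetIPAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
              Where-Object { $_.PrefixOrigin -ne "WellKnown" } |
              Select-Object -First 1 -ExpandProperty IPAddress
        if ($ip) { $map[$nic.MacAddress] = $ip }
    }
    return $map
}

# Returns a list of problems; an empty list means the VM matches the design.
function Test-NicConfiguration ([hashtable]$map) {
    $problems = @()

    foreach ($expected in $expectedIPs) {
        if ($map.Values -notcontains $expected) {
            $problems += "expected address $expected is not bound to any adapter"
        }
    }
    if ($map.Count -ne $expectedIPs.Count) {
        $problems += "expected $($expectedIPs.Count) adapters with IPv4 addresses, found $($map.Count)"
    }

    if (Test-Path $baselinePath) {
        # Compare today's pairing with the one recorded when the VM was built.
        $baseline = Import-Clixml $baselinePath
        foreach ($mac in $baseline.Keys) {
            if ($map[$mac] -ne $baseline[$mac]) {
                $problems += "MAC $mac had $($baseline[$mac]) at baseline, now has '$($map[$mac])'"
            }
        }
    } else {
        # First run: record the pairing so later runs have something to compare with.
        $map | Export-Clixml $baselinePath
        Write-Host "Baseline written to $baselinePath"
    }
    return $problems
}

$result = @(Test-NicConfiguration (Get-NicMap))
if ($result.Count -eq 0) {
    Write-Host "OK: all NICs present, IP/MAC pairing unchanged"
} else {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

    Because it exits non-zero on any mismatch, the script can be registered as a scheduled task at startup so a shuffled or missing interface is noticed before any firewall or appliance rules that reference interface names start misbehaving.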


    As you can see, we have successfully created an Azure Virtual Machine with three NICs, as shown in the following diagram:


    The post Create a Virtual Machine with Multiple NICs in Azure IaaS appeared first on Vaggelis Kappas.


  22. kavag
    One question that came up very often, at least at TechEd Europe 2014, is whether it is possible to integrate the Azure AD you got when you signed up for Office 365 with the one you got when you subscribed to Microsoft Azure. The short answer is yes, it is possible, and if you want to learn how this integration happens, then keep reading!
    This scenario means that there are two separate directories. The first one was created when you set up your Office 365 subscription, while the second one came with your Microsoft Azure subscription.
    If you want to integrate these two directories (the Office 365 tenant into the Microsoft Azure subscription), then you should follow these few easy and quick steps.
    Prerequisites
    – Office 365 Subscription Global Administrator account.
    – Microsoft Azure Subscription created by a Microsoft account.
    Steps:
    1. Logon to the Microsoft Azure Management Portal: https://manage.windowsazure.com
    2. Go to Active Directory | New | Directory | Custom Create
    3. Change the Directory dropdown from the default Create new directory to Use existing directory and click the Check box.

    What happens next is that you are logged out of the Microsoft Azure administrative account and you are redirected to the Office 365 portal logon.
    Next Steps:
    4. Logon with a Global Administrator account from the Office 365 tenant that you would like to integrate with.
    5. After sign-in you are prompted to add the Microsoft Azure administrator account as a global administrator for the Office 365 tenant directory; click on Continue.
    6. Finally, logout of the Office 365 global administrator account and then logon to https://manage.windowsazure.com with your global administrator account.
    Now you have your directories integrated. Enjoy!
     
    The post Integrate Microsoft Azure Active Directory tenant with Office 365 appeared first on Vaggelis Kappas.


  24. kavag
    What an exciting day October 1st was!
    I received an email saying:
    I’m very proud and honored for this award as it shows that my work and effort have been recognized and this fact gives me the strength and the inspiration to continue my contribution to the IT Pros community.

    I would like to thank all community members, autoexec.gr and friends, many of whom are or were fellow MVPs, for their help, support and guidance throughout this last year.
    Last but not least I would like to thank my friends working at Microsoft Hellas for continuously supporting the community and for the confidence they showed me, “pushing” me forward.
    I look forward to continuing my contribution to the IT Pros community with the same passion for the years to come.
    The post Microsoft Hyper-V MVP Award 2014 (EN) appeared first on Vaggelis Kappas.

