Jump to content

proximagr

Moderators
  • Posts

    2468
  • Joined

  • Last visited

  • Days Won

    12

Everything posted by proximagr

  1. Azure Virtual Network Gateway provides the ability to connect to your Azure Virtual Network with Azure Client VPN (SSL) connections using your Azure AD or hybrid identity, with Multi Factor Authentication (MFA) and your Conditional Access policies. We can have an Enterprise grade SSL VPN, with Active Directory authentication and Single Sign on (SSO) from your corporate laptops and apply all your conditional access policies, like MFA, Compliance devices, trused locations, etc. How to create the VPN Gateway Go to your Virtual Network’s subnets and create a Gateway subnet by clicking the “+ Gateway subnet” Create a Virtual network gateway, by searching for the “Virtual network gateways” service and press Add. Select “VPN”, “Route-based” and at the SKU select any size except the Basic. Basic SKU does not support Azure AD authentication. Create a Public IP and leave all other settings default and create the Gateway. After about 20 minutes the VPN Gateway is ready. In the meantime we will prepare the Azure AD and give concern to use the Azure AD with the Azure client VPN. Using a Global Admin account, go to the “Azure Active Directory” and copy the “Tenant ID” from the Overview blade, and keep it on a notepad. Then copy the url and paste the below url to your browser’s address bar. You need to log in with a Global Admin non guest non Microsoft account. https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent With a guest or Microsoft account, even if it is Global Admin, you will be propted to login with an admin account, meaning a member work account. Once you login with a member work Global Admin account, you can accept the permissions to create the Azure VPN application You can navigate to the Azure Active Directory / Enterprise Application and view / manage the Azure AD application. Open the Azure VPN enterprise application and copy the “Application ID” to a notepad. Go to the VPN Gateway, select the “Point to site configuration” and click the “Configure now” Add the Address Pool that you want the VPN clients to have, for Tunnel type select “OpenVPN (SSL) as it is the only type that supports Azure AD authentication. Then use the details that you have copied to the notepad, the Tenant ID and the Application ID, and add them to the required fields and press save. Tenant: https://login.microsoftonline.com/paste-your-tenant-id-here Audience: paste-the-azure-vpn-application-id-here Issuer: https://sts.windows.net/paste-your-tenant-id-here/ How to Download the VPN Client and Connect to the Gateway Download the VPN client, using the button. Extrack the downloadded zip file And at the AzureVPN folder you will find the configuration xml. Open the Microsoft Store and get the Azure VPN Client Open the Azure VPN Client and at the lower left corner, press the + and Import the xml configuration file accept all the settings and press save The Azure VPN connection will appear at the Azure VPN client and also at the Windows 10 network connections, like any other VPN Azure VPN Client: Windows 10 Network Connections: Once you press connect, it will prompt you to connect using the account(s) that you are already using at your Windows 10 machine, or use a different account You will be prompted for MFA or any other conditional access policy you have applied, and the you will be connected. Conditional Access & Multi-Factor Authentication (MFA) You can add Conditional Access to the Azure client VPN connection. Go to Azure Active Directory / Security / Conditional Access and create a new Policy. Select the “Azure VPN” at the “Cloud apps or actions” section At the Access Controls / Grand section, you can require multi-factor authentication, or AD Joined device, or compliant device, or all of that At the “Conditions” section you can controll the location that the policy will apply. Lets say, you can apply the MFA requirement at “Any location” and exclude the “Trusted locations”, in order to not require MFA when the device is at a trusted location, like your company’s network. https://www.e-apostolidis.gr/microsoft/azure/azure-client-vpn-with-azure-ad-auth-mfa-step-by-step-guide/
  2. Compliance Report using Azure Policy Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment. At my previous posts, we learned How to limit the Azure VM Sizes and How to enforce tags for resources creation At the current post we will learn how to use Azure Policy to have a compliance report for our deployment. We will learn this by using an example. Then we will create two Virtual Networks and we will add a Network Security Group only to the first one. Finally we will use the Policy to audit whether the Subnets have assigned the NSG or Not. First we need two Virtual Networks. You can create the Virtual Networks using the Azure Portal or using ARM template, like mine from my Github account: https://github.com/proximagr/ARMTemplates/blob/master/2vnets.json After applying the template you will have two VNETs like that: Then we will a Network Security Group (NSG) only to the MyVNET01 Virtual Network. Again using Azure Portal, PowerShell or my ARM Template for NSG Assign the NSG to the MyVNET01 VIrtual Network Add the Policy Go to Azure Policy -> Definitions and click the “+ Policy definition” to create a new policy definition. At the New Policy definition page, select the subscription (location) that the policy will be saved, then add a name. in this case we will use the sample policy template from Microsoft docs so I will add the same name. Copy the policy Json text from https://docs.microsoft.com/en-us/azure/governance/policy/samples/nsg-on-subnet and paste it at the POLICY RULE below and Save. At the “effect” part of the Json, change the “deny” to “audit”. If you search for “NSG” you will see our new policy definition, ready to be assigned. Click on the definition’s name to open it and press Assign. I will just target the “ComplianceReport” Resource Group At the parameters, I added the Resource ID of the NSG, “MyNSG01” Evaluate the results To check the compliance, go to Policy – Compliance page and search for nsg. You have to wait for about 15 minutes for the compliance policy to evaluate the resources. If you search “nsg” you will see that the “Audit NSG on Subnet” policy is 50% compliant. Click on the policy’s name to view more details. The assignment details page will open where we can see what resources are not compliant. Click on the three dots (…) next to the non-compliant subnet and select “view compliance details” to check why this resource is not compliant. The compliance details reports that the value is null and what the required (target) value must be. If you want to trigger an on-demand compliance check, you need to make a POST request. You can follow my post Validate Azure Resource Move with Postman to create the access Token and then use it to make a POST request to the Resource Group sung this POST: https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{YourRG}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview Source: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects https://docs.microsoft.com/en-us/azure/governance/policy/samples/nsg-on-subnet https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#evaluation-triggers The post Compliance Report using Azure Policy appeared first on Apostolidis IT Corner.
  3. Excited to be speaking at Microsoft Ignite The Tour in Milan on Jan 27-28. Join me to learn how to use Azure Platform As A Service (PaaS) to design your apps with Elasticity, Resiliency & High Availability and how to Accelerate your web applications with the Azure Front Door Service. IT industry-leading conference is going to Milan. Don’t miss the very latest in cloud technologies and developer tools with guest speakers, industry experts, and more. I will deliver two sessions: A 45 minutes Breakthrough session, where I will talk about how to use Azure Platform as a Service (PaaS): Design your apps with Elasticity, Resiliency and High Availability very easy, fast and secure. Session code: BRK30169 Session link: https://milan.myignitetour.techcommunity.microsoft.com/sessions/91113?source=sessions And a 15 minute Theater session, where I will talk about how to accelerate your web applications with Azure Front Door Service. Use the Azure WAN, 130+ edge sites with WAF & Layer 7 Load Balance at a global scale. Session code: THR30089 Session link: https://milan.myignitetour.techcommunity.microsoft.com/sessions/91114?source=sessions YFeel free to find me at the Microsoft Showcase, where I will answer all your questions, discuss about Cloud Technologies and the future of our industry! Grab your ticket at https://www.microsoft.com/it-it/ignite-the-tour/milan See you at Milan! The post Excited to be speaking at Microsoft Ignite The Tour in Milan! appeared first on Apostolidis IT Corner.
  4. Global AI Bootcamp, Athens 2019 December 14, 2019 we proudly carried out the Global AI Bootcamp, Athens 2019! IT was a day full of AI and Microsoft Azure. The Global AI Bootcamp is a free one-day event organized across the world by local communities that are passionate about artificial intelligence on Microsoft Azure. After all preparations with the assistance of Stoiximan.gr, our sponsor, the day begun at Athinais Cultural Center, at Athens, Greece. From early morning our sponsor was there with us to prepare the venue. People start coming at 10:00 am and we checked-in 62 attendees. We started with the keynote and then the presentations. There was time at launch for networking and people looked to have fun. After launch we have more presentations and then we proceeded with the workshop. We deliver the workshop with the assistance of two AI experts from Stoiximan. For ending we draw gifts that our vendor Stoiximan.gr provided. Judging from my personal experience with the attendees that day, and from their excellent evaluations, all had a great time and learn a lot about AI and Microsoft Azure. Looking forward for our next event! The post Global AI Bootcamp, Athens 2019 appeared first on Apostolidis IT Corner.
  5. Spin up Azure HDInsight clusters on demand This is my Global AI Bootcamp, Athens 2019 Presentation with title: Spin up HDInsight clusters on demand for ETL, IoT, Data Science & Machine Learning At my presentation I explained with a hands-on demo, how to use Azure Data Factory to spin up on-demand Azure HDInsight clusters to make a process and automatically delete them once they provide the result. Download the PowerPoint Presentation: download link And watch the Demo: The post Spin up Azure HDInsight clusters on demand appeared first on Apostolidis IT Corner.
  6. At the previous post we created an Azure Front Door to scale our web apps across Azure Regions and also publish them only through the Front Door’s URL. At this post we will create Web Application Firewall (WAF) rules, to protect our web apps. To add WAF functionality to the Front Door we need first to create WAF rules and then attach them to the Front Door Create the WAF Rule From the Azure Marketplace search for WAF and create a Web Application Firewall At the “Create a WAF policy” wizard select “Global WAF (Front Door) for policy, provide the subscription and resource group, give a name for the policy and select if you want it to be created enabled or disabled. At the next step select if the policy will prevent the action or just detect and report it. You can change this later too. You can provide a Redirect URL for rules that support redirection. The default status code is 403 but we can change it to e.g. 404. We can also add a custom response body. The next step is the rule. We can select one or more predefined rule sets and then customize at will. To customize, expand the rule set and select a rule. You can enable / disable the rule and you can change the action to Allow, Block, Lod or Redirect. WAF Custom Rule The next step is the custom rules. There’s a lot to customise here. First are the rule type settings. Select status of the rule, enabled or disabled. Select the Rule type between Match and Rate limit. If you select rate limit you will be prompt to set rate limit and threshold. The final rule tupe setting is to set the priority of the rule. Next is the Conditions (If this) and the action (then that). The condition can be Geolocation, IP address, Size or String. After selecting the Match Type the rest options are altered accordingly. The action can be Allow traffic, Deny traffic, Log traffic only or Redirect traffic For the demo I created a rule that will Deny all traffic from The Netherlands, because I can test it from an Azure VM located at the West Europe Region. The next step is to associate the rule to the Front Door. After that assign Tags if needed and create the rule. Once the Rule is ready, a “Front Door WAF policy” resource will be at the selected Resource Group. Inside the Front Door, at the Web application firewall section, you can review the assigned rules. Test 1 From an Azure VM at West Europe Region, I tried to access the Front Door’s URL and we can see my custom 403 body text! Test 2 From my Computer I tested a typical SQL Injection attack from https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) . Again my custom 403 page! The post Use Web Application Firewall (WAF) Rules with the Front Door to protect your app appeared first on Apostolidis IT Corner.
  7. Securely scale your Web Apps with Azure Front Door There is a big buzz out there about Azure Front Door. Is it a Load Balancer? A CDN? A Traffic Manager? A Web Application Firewall ? A Reverse Proxy? An Application Gateway? So, what is Azure Front Door? Azure Front Door actually is all the above and more. It is a global service, that routes web traffic based on performance and availability. A Layer 7 multi-region load balancer with Web Application Firewall (WAF) capabilities, DDoS protection & CDN. Azure Front Door is the entry point, the edge, of all Microsoft’s WAN. All Microsoft services, like Office 365 & Bing, are using Azure Front Door. The services that Azure Front door provides are: Accelerate application performance Increase application availability with smart health probes URL-based routing Multi-site hosting URL redirection Session affinity SSL termination Custom Domain & certificate management Security via custom WAF rules DDoS protection URL rewrite IPv6 and HTTP/2 support At Azure Front Door documentation there is a paragraph that can help to understand the difference between Azure Front Door and other publishing / load balancing Azure solutions and where to use each. Azure provides a suite of fully managed load-balancing solutions for your scenarios. If you are looking for a DNS based global routing and do not have requirements for Transport Layer Security (TLS) protocol termination (“SSL offload”) or per-HTTP/HTTPS request, application-layer processing, review Traffic Manager. If you are looking for load balancing between your servers in a region, for application layer, review Application Gateway and for network layer load balancing, review Load Balancer. Your end-to-end scenarios might benefit from combining these solutions as needed. For pricing information, see Front Door Pricing. How to scale your web apps with Front Door Create two simple Azure Web apps. Check this guide for a simple guide on how to create Azure App Service: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-your-first-web-app/ One at West Europe: and one at North Europe: Using FTP, I deployed an one-page html site at both regions. I change the text of both site to say “This Web Site is located at North Europe Azure Datacenter” and “West Europe” to the other. Then create a Front Door. Search for Front Door at Azure marketplace and Create one. This is a high level diagram of the Front Door with two Web Apps design that we will create The “create a Front Door” wizard will start and we can configure it step by step. First we will create a Frontend host by clicking the + at the Step 1 At the frontend host we will create the URL that our apps will be available. I added the papostolidis.azurefd.net. of course later you can add your custom domain and add a CNAME to route the traffic to the Front Door. Then, at the Backend pools (Step 2), press the + to add the web apps. add a name for the backend pool, like “myapps” and press + ADD a backend to add the apps. Select host type, you can add app service, cloud service, storage and custom host (URL). I selected the app service. Select the subscription and the app service and add the correct ports for http and https traffic. The priority defines if the traffic will be routed to the host with the lower priority number (e.g. 1) and if that host fails will route to the next host with bigger priority number (e.g. 2). If you add the same priority to more than one host then it will follow the weight number. The weight number defines the percentage of requests that will be routed to each host. The same way add the second web app Finally select a path, protocol and interval for the probe that will do health checks to the app to define if it is active or not. The third step is to add the routing rules. At the routing rules you can specify: The accepted protocol, http or https. the frontend host for this rule the patterns that the route will accept, like www.e-apostolidis.gr/mysite/* or just /* ro root. Route type forward or redirect. The backend pool that this rule will direct the traffic The protocol that the traffic will be forwarded. Here we define the SSL Offload if we select HTTPs for frontend accepted protocol and HTTP for backend. URL Rewrite rules Caching, for static content caching like CDN. Once all steps are completed we can move on and create the Front Door When the Front Door is ready, we can see the URL at the Overview. And browse our web app using the Front Door URL: How to protect your web apps with Front Door Right now we scaled our web apps. If we use each app’s URL we can still access the app. The first security step is to lock the web apps to be accessed only through the Front Door URL. Checking the Azure Front Door FAQ page, https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq it lists the Front Door’s address rance. Front Door’s IPv4 backend IP space: 147.243.0.0/16 Go to the App Service, at the Networking section, select “Configure Access Restrictions” Add an allow access restriction with the IP range of the Front Door. Automatically a Deny rule will be created for everything else. Add the rule to both web apps and then try to access the apps with their direct links. Now on, we can access the apps only by using the Front Door URL: This is a high level diagram after the restrictions At the next article, we will see how to add Web Application Firewall (WAF) Rules to Front Door, Stay Tuned!! The post Securely scale your Web Apps with Azure Front Door appeared first on Apostolidis IT Corner.
  8. <h1 style="text-align: justify;">Azure Portal | Playing with Disk Snapshot</h1> <p style="text-align: justify;">Disk Snapshot is a powerful tool to manage Azure VMs. It’s simple to create and can help the administrators in various tasks. It’s a fast and efficient way to have a crash-consistent Disk of a Virtual Machine, before performing tasks, updates, configuration changes, application installations, etc. Of course the last line of defence is the Azure Backup, but using the Snapshot you don’t need to wait the whole Backup / Restore times. With snapshots there are two main options to recover the VM. One is using the “swap OS Disk” functionality, which gives you the ease to swap the Operating System disk with one click. The other option is to create a new VIrtual Machine. Beware, if you want to make Azure VM clones, you need to generalize the VM with Sysprep and Capture the VM. Using the Snapshot option you will have an identical VM, with the same IDs.</p> <h2 style="text-align: justify;">Snapshot</h2> <p style="text-align: justify;">The first step is to create a snapshot from the Virtual Disk. Open the Azure VM, go to Disks, select the OS Disk and press “Create Snapshot”. You don’t actually need to stop the VM. Windows Server operating system stays fully consistent, but no one can guarantee the consistency of any databases currently running. Think of it like the Hyper V CheckPoint functionality. We make checkpoints all the time and we revert to them even in production.</p> <p id="yLMWzuR" style="text-align: justify;"><img class="alignnone wp-image-2884 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1.png"alt="disk snapshot" width="773" height="359" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1.png 773w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1-300x139.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1-768x357.png 768w" sizes="(max-width: 773px) 100vw, 773px" /></p> <p style="text-align: justify;">The Create snapshot screen will open. Fill in a name and disk account type (Standard / Premium) and press create.</p> <p id="Cvnyhoo" style="text-align: justify;"><img class="alignnone wp-image-2885 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be.png"alt="disk snapshot" width="635" height="448" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be.png 635w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be-300x212.png 300w" sizes="(max-width: 635px) 100vw, 635px" /></p> <p style="text-align: justify;">At this point I will create a folder at the VM for revision</p> <p id="RNUFdnD" style="text-align: justify;"><img class="alignnone wp-image-2886 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630.png"alt="disk snapshot" width="580" height="303" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630.png 580w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630-300x157.png 300w" sizes="(max-width: 580px) 100vw, 580px" /></p> <h2 style="text-align: justify;">Create a Disk</h2> <p style="text-align: justify;">To make the snapshot functional, we need to create a Managed Disk resource.</p> <p id="TCxcFbJ" style="text-align: justify;"><img class="alignnone wp-image-2888 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb.png"alt="disk snapshot" width="614" height="296" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb.png 614w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb-300x145.png 300w" sizes="(max-width: 614px) 100vw, 614px" /></p> <p style="text-align: justify;">At the Create managed disk wizard, select the Region that the Snapshot resides. Then select “Source type” Snapshot and select it. At the Size, select a disk size at least the same as the source disk.</p> <p id="CYKOnDl" style="text-align: justify;"><img class="alignnone wp-image-2889" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11.png"alt="disk snapshot" width="638" height="656" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11.png 833w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11-292x300.png 292w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11-768x789.png 768w" sizes="(max-width: 638px) 100vw, 638px" /></p> <h2 style="text-align: justify;">Swap OS Disk</h2> <p style="text-align: justify;">Now that we have created the managed disk, it’s time to use the Swap OS Disk functionality. We have proceeded with the Azure VM’s updates, software updates, configuration changes, and finally we need to roll back those changes. Go to the VM’s Disks and press “Swap OS Disk”</p> <p id="pzuGeyg" style="text-align: justify;"><img class="alignnone wp-image-2887" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2.png"alt="disk snapshot" width="633" height="390" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2.png 852w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2-300x185.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2-768x472.png 768w" sizes="(max-width: 633px) 100vw, 633px" /></p> <p style="text-align: justify;">at the “Swap OS Disk” wizard, select the managed disk that we created.</p> <p id="qmhobOc" style="text-align: justify;"><img class="alignnone wp-image-2890 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951.png"alt="disk snapshot" width="449" height="399" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951.png 449w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951-300x267.png 300w" sizes="(max-width: 449px) 100vw, 449px" /></p> <p style="text-align: justify;">In the background, the Azure Platform will stop, deallocate the VM and it will re-crate it with the selected OS disk. As you see at the next screenshot the OS disk is the managed disk that we created from teh snapshot.</p> <p id="JASxLxW" style="text-align: justify;"><img class="alignnone wp-image-2891 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed.png"alt="disk snapshot" width="955" height="484" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed.png 955w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed-300x152.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed-768x389.png 768w" sizes="(max-width: 955px) 100vw, 955px" /></p> <p style="text-align: justify;">I Started the VM and logged in. The folder I created after the snapshot of course is missing <img src="https://s.w.org/images/core/emoji/12.0.0-1/72x72/1f642.png"alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p> <p style="text-align: justify;"><img class="alignnone wp-image-2892 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a.png"alt="disk snapshot" width="507" height="258" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a.png 507w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a-300x153.png 300w" sizes="(max-width: 507px) 100vw, 507px" /></p> <h2 style="text-align: justify;">New Azure VM</h2> <p style="text-align: justify;">The other option is to create a new Virtual Machine using the Snapshot. As I wrote before, beware, if you want to make Azure VM clones, you need to generalize the VM with Sysprep and Capture the VM. Using the Snapshot option you will have an identical VM, with the same IDs.</p> <p style="text-align: justify;">To create a VM from the Snapshot, just open the Managed Disk that you created from the Snapshot and press Create VM.</p> <h2 id="YVnQUGo" style="text-align: justify;"><img class="alignnone wp-image-2893 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2.png"alt="disk snapshot" width="764" height="401" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2.png 764w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2-300x157.png 300w" sizes="(max-width: 764px) 100vw, 764px" /></h2> <p style="text-align: justify;">The Create a virtual machine wizard will open, and at the Operating System Image section, it will have selected the image from the disk. This process is identical to creating a new Hyper V VM from an existing virtual disk.</p> <p id="agkkViV" style="text-align: justify;"><img class="alignnone wp-image-2899 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885.png"alt="disk snapshot" width="875" height="838" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885.png 875w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885-300x287.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885-768x736.png 768w" sizes="(max-width: 875px) 100vw, 875px" /></p> <p style="text-align: justify;">Follow the Create a virtual machine wizard exactly the same as creating any Azure VM.</p> <p>More e-apostolidis.gr posts about managed disks: <a href="https://www.e-apostolidis.gr/tag/managed-disks/">https://www.e-apostolidis.gr/tag/managed-disks/</a></p> <p style="text-align: left;">Read more at: <a href="https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#managed-disk-snapshots">https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#managed-disk-snapshots</a></p> <p> </p> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-portal-playing-with-disk-snapshot%2F&linkname=Azure%20Portal%20%7C%20Playing%20with%20Disk%20Snapshot"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-portal-playing-with-disk-snapshot%2F&linkname=Azure%20Portal%20%7C%20Playing%20with%20Disk%20Snapshot" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-portal-playing-with-disk-snapshot%2F&title=Azure%20Portal%20%7C%20Playing%20with%20Disk%20Snapshot" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/azure-portal-playing-with-disk-snapshot/" data-a2a-title="Azure Portal | Playing with Disk Snapshot"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-portal-playing-with-disk-snapshot/">Azure Portal | Playing with Disk Snapshot</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-portal-playing-with-disk-snapshot/"class='bbc_url' rel='nofollow external'>Source</a>
  9. <p>Happy Friday! My blog post is featured at this week’s Friday Five!</p> <p>Check out this week’s <a href="https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274">FridayFive section of the Microsoft MVP Award Program Blog!</a> My blog post about <a href="https://www.e-apostolidis.gr/microsoft/azure-free-smtp-relay-using-sendgrid/">using SendGrid for free SMTP relay from Azure</a> is featured !!!</p> <p id="swHBZZB"><img class="alignnone size-full wp-image-2880 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb.png"alt="" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb.png 1239w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-300x87.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-768x224.png 768w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-1024x298.png 1024w" sizes="(max-width: 1239px) 100vw, 1239px" /></p> <p><a href="https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274">https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274</a></p> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&linkname=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&linkname=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&title=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21" data-a2a-url="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/" data-a2a-title="Happy Friday! My blog post featured at this week’s Friday Five!"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/">Happy Friday! My blog post featured at this week’s Friday Five!</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/"class='bbc_url' rel='nofollow external'>Source</a>
  10. <h1>Azure Security Center</h1> <h2>Remediate security recommendations in 1 click</h2> <p>Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. Using advanced analytics, it helps you detect potentially malicious activity across your hybrid cloud workloads, and recommends potential remediation steps, which you can then evaluate, and take the necessary action.</p> <p id="DLQOMZB"><img class="alignnone size-full wp-image-2857 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8ddac95fb1a.png"alt="" /></p> <p>One of the main features of Azure Security Center is that offers prioritized and actionable security recommendations so you can remediate security vulnerabilities before they can be exploited by attackers. To simplify remediation of security issues now allows you to remediate a recommendation on multiple resources with a single click.</p> <ul> <li>Quick access to 1-click fix<br />The 1-click fix label is shown next to the recommendations that offer this faster remediation tool.</li> <li>Logging for transparency<br />All remediation actions are logged in the activity log.</li> </ul> <p id="cYAerXE"><img class="alignnone size-full wp-image-2858 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8ddaf03f635.png"alt="" /></p> <h2>How to use 1-click remediation</h2> <p>Look for the “1-click Fix !” Label at the recommendations!</p> <p id="aBGvMLk"><img class="alignnone size-full wp-image-2859 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8ddb125f8f2.png"alt="" /></p> <p>Once you click the “1-click Fix !” Label, the recommendation information page will pen. Select the affected resources and click Remediate</p> <p id="ORTsWRv"><img class="alignnone size-full wp-image-2861 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8ddfea3fdaa.png"alt="" /></p> <p>A final window will open that will inform you about the action that will be performed and what will affect. Check the information and if you agree click the final “Remediation” button</p> <p id="NiZsHKi"><img class="alignnone size-full wp-image-2863 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8de03500959.png"alt="" /></p> <h2>Current 1-click remediation availability</h2> <p>Remediation is available for the following recommendations in preview:</p> <ul> <li>Web Apps, Function Apps, and API Apps should only be accessible over HTTPS</li> <li>Remote debugging should be turned off for Function Apps, Web Apps, and API Apps</li> <li>CORS should not allow every resource to access your Function Apps, Web Apps, or API Apps</li> <li>Secure transfer to storage accounts should be enabled</li> <li>Transparent data encryption for Azure SQL Database should be enabled</li> <li>Monitoring agent should be installed on your virtual machines</li> <li>Diagnostic logs in Azure Key Vault and Azure Service Bus should be enabled</li> <li>Diagnostic logs in Service Bus should be enabled</li> <li>Vulnerability assessment should be enabled on your SQL servers</li> <li>Advanced data security should be enabled on your SQL servers</li> <li>Vulnerability assessment should be enabled on your SQL managed instances</li> <li>Advanced data security should be enabled on your SQL managed instances</li> </ul> <p>Single click remediation is part of Azure Security Center’s free tier.</p> <p>Read more at: <a href="https://azure.microsoft.com/en-gb/blog/azure-security-center-single-click-remediation-and-azure-firewall-jit-support/">AzureSecurity Center single click remediation</a></p> <p>Sources:</p> <p><a href="https://azure.microsoft.com/en-gb/blog/azure-security-center-single-click-remediation-and-azure-firewall-jit-support/">AzureSecurity Center single click remediation</a></p> <p><a class="breadcrumbs__link" href="https://azure.microsoft.com/en-us/updates/one-click-remediation-for-security-recommendations/"data-event="global-navigation-body-clicked-breadcrumb" data-bi-area="content" data-bi-id="global-navigation-body-clicked-breadcrumb">Azure Security Center—1-click remediation for security recommendations is now available</a></p> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fasc-remediate-security-recommendations-in-1-click%2F&linkname=ASC%20%7C%20Remediate%20security%20recommendations%20in%201%20click"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fasc-remediate-security-recommendations-in-1-click%2F&linkname=ASC%20%7C%20Remediate%20security%20recommendations%20in%201%20click" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fasc-remediate-security-recommendations-in-1-click%2F&title=ASC%20%7C%20Remediate%20security%20recommendations%20in%201%20click" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/asc-remediate-security-recommendations-in-1-click/" data-a2a-title="ASC | Remediate security recommendations in 1 click"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/asc-remediate-security-recommendations-in-1-click/">ASC | Remediate security recommendations in 1 click</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/microsoft/azure/asc-remediate-security-recommendations-in-1-click/"class='bbc_url' rel='nofollow external'>Source</a>
  11. <h1>Azure Private Link | Private connection to Azure PaaS</h1> <p> </p> <p>Azure Private Link is a new service, currently in Preview, that provides private connectivity from a virtual network or an on-premises network with Site-2-Site VPN to Azure platform as a service (PaaS) Microsoft services. Azure Private Link makes the networking a lot more simple improving the security and eliminating the need for public access.</p> <p id="nAIxogs"><img class="alignnone size-full wp-image-2844 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8145c21e8f8.png"alt="" /></p> <p> </p> <p><span style="font-size: 12px;">image from: <a href="https://azure.microsoft.com/en-us/services/private-link/">https://azure.microsoft.com/en-us/services/private-link/</a></span></p> <p>Azure Private Link is a Service mapped to Azure Virtual Networks through a private endpoint. This means that all traffic is routed internally, using private IPs and connectivity, eliminating the exposure to threats. Using Private Link helps an organization to meed the compliance standards.</p> <p>Azure Private Link is a Global service. It does not have regional restrictions. You can connect privately services from all the Azure Regions around the globe.</p> <h2>Lets Lab It!</h2> <p>Let’s see in practice how we can connect from an Azure VM and from our on-premises computer using VPN to an Azure SQL Database using private IPs. For the Lab I already have a Virtual Machine running Windows Server 2019 and an Azure SQL Database. The SQL Database is not connected to any networks.</p> <p>Open the Azure Portal, press New and search for “Private Link”, select it and press “Create”</p> <p id="wWRgRfz"><img class="alignnone size-full wp-image-2824 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812bccdb08c.png"alt="" /></p> <p>A nice “Getting started page” will open. Click the “Build a private connection to a service”</p> <p id="YGbIKKC"><img class="alignnone size-full wp-image-2825 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812c222bb50.png"alt="" /></p> <p id="hySxSQb"><img class="alignnone size-full wp-image-2826 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812c2e18651.png"alt="" /></p> <p>The “Create a private endpoint” wizard will open. Select a name for the Private Link and a Region and press Next to go to the second step.</p> <p><code></code></p> <p id="vCwjsPb"><img class="alignnone size-full wp-image-2832 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8130185f27f.png"alt="" /></p> <p>At the second step, select to connect to the azure resource in my directory, and select the subscription where the Azure SQL Database resides. Then select the SQL Server.</p> <p id="qmxqrJF"><img class="alignnone size-full wp-image-2833 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81303297eff.png"alt="" /></p> <p>At the third step, select the VIrtual Network that the Private Link will be created. I selected the network where my Virtual Machine resides. If you don’t have your own DNS server select Yes to create an Azure private DNS zone.</p> <p id="nfoqivE"><img class="alignnone size-full wp-image-2835 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813077e1d38.png"alt="" /></p> <p>At the final step, review the settings and create the Private Link</p> <p id="lHsjjBi"><img class="alignnone size-full wp-image-2836 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81309adc037.png"alt="" /></p> <p>After the resource creation, you can check the DNS for the Azure SQL Server Private IP Address!</p> <p id="cSPyGGM"><img class="alignnone size-full wp-image-2837 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81317ff3814.png"alt="" /></p> <p>And at the SQL Server, at the “Private endpoint connections” section you will see the new Private Link.</p> <p id="YnyPGra"><img class="alignnone size-full wp-image-2839 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8132886dbdc.png"alt="" /></p> <p>Open a Remote Desktop Connection to the Azure VM, and run a nslookup for the SQL Server name. In my case the command is:</p> <p>PS C:> nslookup plsqlsrv.database.windows.net<br />Server: UnKnown<br />Address: 168.63.129.16</p> <p>Non-authoritative answer:<br />Name: plsqlsrv.privatelink.database.windows.net<br />Address: 10.0.2.5<br />Aliases: plsqlsrv.database.windows.net</p> <p id="zdWsPaP"><img class="alignnone size-full wp-image-2838 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8131e47f882.png"alt="" /></p> <p>And it returned the Private IP address of the SQL Server.</p> <p>From my computer, i tried to connect to the Azure SQL Server, using the name plsqlsrv.database.windows.net and the connection failed since my Public IP Address is not allowed to access the server.</p> <p id="YMuBmUq"><img class="alignnone size-full wp-image-2840 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813f72173a6.png"alt="" /></p> <p>From the Azure VM I managed to connect successfully and of course internally!</p> <p id="nVbBsVv"><img class="alignnone size-full wp-image-2841 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813fab7a6a1.png"alt="" /></p> <p>After that, I added a Virtual Network Gateway to the Network and created a Point to Site VPN connection from my local computer to Azure. You can check my guide on how to do this: <a href="https://www.e-apostolidis.gr/microsoft/azure-start-point-point-to-site-vpn/"target="_blank" rel="noopener noreferrer">https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-point-to-site-vpn/</a></p> <p>In order to connect to the Azure SQL you need to either use a local DNS server to map the SQl Server name to the Azure SQL IP or add an entry to the local host file for testing.</p> <p id="VbhUQVD"><img class="alignnone size-full wp-image-2849 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8150b51c2d2.png"alt="" /></p> <h2>Conclusion</h2> <p>Azure Private Link is in Preview and currently supports Azure SQL Database and Storage accounts. Additional services coming in preview in next 3-6 months:</p> <ul> <li>· Cosmos DB</li> <li>· App Service Vnet Integration + App Service Environment</li> <li>· Azure Kubernetes Service</li> <li>· Azure Key Vault</li> <li>· PostgreSQL</li> <li>· MySQL</li> <li>· Maria DB</li> </ul> <p> </p> <p>Source:</p> <p><a href="https://azure.microsoft.com/en-us/services/private-link/">https://azure.microsoft.com/en-us/services/private-link/</a></p> <p><a href="https://azure.microsoft.com/en-au/blog/announcing-azure-private-link/">https://azure.microsoft.com/en-au/blog/announcing-azure-private-link/</a></p> <p> </p> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-private-link-private-connection-to-azure-paas%2F&linkname=Azure%20Private%20Link%20%7C%20Private%20connection%20to%20Azure%20PaaS"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-private-link-private-connection-to-azure-paas%2F&linkname=Azure%20Private%20Link%20%7C%20Private%20connection%20to%20Azure%20PaaS" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-private-link-private-connection-to-azure-paas%2F&title=Azure%20Private%20Link%20%7C%20Private%20connection%20to%20Azure%20PaaS" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/azure-private-link-private-connection-to-azure-paas/" data-a2a-title="Azure Private Link | Private connection to Azure PaaS"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-private-link-private-connection-to-azure-paas/">Azure Private Link | Private connection to Azure PaaS</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-private-link-private-connection-to-azure-paas/"class='bbc_url' rel='nofollow external'>Source</a>
  12. <p style="text-align: justify;">ExpressRoute is a Microsoft Azure service that provides a private connection between an organization’s on-premises infrastructure and Microsoft Cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.</p> <p style="text-align: justify;">Microsoft Azure ExpressRoute was general available back on 2014. To connect to Azure ExpressRoute you need a direct line with an ExpressRoute provider. Now Microsoft announced that Microsoft cloud services can be accessed with Azure ExpressRoute using satellite connectivity, breaking the direct line barriers, making it feasible to connect your data center directly to Microsoft Azure from all around the globe!</p> <p style="text-align: justify;"><img src="https://azurecomcdn.azureedge.net/mediahandler/acomblog/media/Default/blog/6fc8736b-b6e9-4959-8692-c602e9d931e4.png"alt="Infographic of High level architecture of ExpressRoute and satellite integration" /></p> <p><span style="font-size: 10px;">image from <a href="https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/">https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/</a></span></p> <p id="JXlaLtf" style="text-align: justify;">Azure ExpressRoute Satellite connectivity is currently provided by three Microsoft partners, Intelsat, SES, and Viasat. Microsoft expands its already large connectivity, adding Satellite connectivity options at the 54 Regions worldwide making <a href="https://azure.microsoft.com/en-us/global-infrastructure/global-network/">Microsoft’sglobal network</a> one of the largest in the world.</p> <p style="text-align: justify;">Source:</p> <p style="text-align: justify;"><a href="https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction">https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction</a></p> <p style="text-align: justify;"><a href="https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/">https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/</a></p> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-expressroute-adds-satellite-connectivity%2F&linkname=Azure%20ExpressRoute%20adds%20Satellite%20connectivity"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-expressroute-adds-satellite-connectivity%2F&linkname=Azure%20ExpressRoute%20adds%20Satellite%20connectivity" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-expressroute-adds-satellite-connectivity%2F&title=Azure%20ExpressRoute%20adds%20Satellite%20connectivity" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/azure-expressroute-adds-satellite-connectivity/" data-a2a-title="Azure ExpressRoute adds Satellite connectivity"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-expressroute-adds-satellite-connectivity/">Azure ExpressRoute adds Satellite connectivity</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-expressroute-adds-satellite-connectivity/"class='bbc_url' rel='nofollow external'>Source</a>
  13. <h1 style="text-align: left;">Azure Policy | Enforce tags for resource creation</h1> <h2 style="text-align: justify;">Azure Governance</h2> <p style="text-align: justify;">After the previous post about <a href="https://www.e-apostolidis.gr/microsoft/azure-policy-limit-the-azure-vm-sizes/"target="_blank" rel="noopener noreferrer">how to use Azure Policy to limit the Azure VM sizes</a>, I continue the series of posts about Azure Governance with a video guide on how to enforce tags for resource creation. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc.</p> <h2 style="text-align: justify;">Azure Policy</h2> <p style="text-align: justify;">Azure Policy is a powerful tool for Azure Governance. We can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment.</p> <h3 style="text-align: justify;">Enforce tags for resource creation</h3> <p style="text-align: justify;">So, why tags? Why we need to add tags to all Azure resources? The Microsoft Azure environments are getting bigger and bigger and managed by multiple people and teams. That makes it difficult to understand who created a resource and what is the purpose of that resource. Another critical matter that we need tags is Cost Management. At the Azure Cost Management Portal, we can sort and arrange the resource cost using the Tags. This way we can provide an expense dashboard with the actual cost of the resources per department, project or whatever tags we have added to the Resource.</p> <h3 style="text-align: justify;">Guide: Video</h3> <p style="text-align: justify;">View my video guide on how to use Azure Policy to enforce tags for resource creation</p> <p><iframe id="_ytid_65438" width="840" height="473" data-origwidth="840" data-origheight="473" src="https://www.youtube.com/embed/h6qXy20o0fY?enablejsapi=1&autoplay=0&cc_load_policy=0&iv_load_policy=1&loop=0&modestbranding=1&rel=0&fs=1&playsinline=0&autohide=2&theme=dark&color=red&controls=1&"class="__youtube_prefs__" title="YouTube player" allow="autoplay; encrypted-media" allowfullscreen data-no-lazy="1" data-skipgform_ajax_framebjll=""></iframe></p> <p style="text-align: justify;">You can find more at Microsoft Docs: <a href="https://docs.microsoft.com/en-us/azure/governance/policy/">https://docs.microsoft.com/en-us/azure/governance/policy/</a></p> <p style="text-align: justify;"> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-policy-enforce-tags-for-resource-creation%2F&linkname=Azure%20Policy%20%7C%20Enforce%20tags%20for%20resource%20creation"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-policy-enforce-tags-for-resource-creation%2F&linkname=Azure%20Policy%20%7C%20Enforce%20tags%20for%20resource%20creation" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-policy-enforce-tags-for-resource-creation%2F&title=Azure%20Policy%20%7C%20Enforce%20tags%20for%20resource%20creation" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/azure-policy-enforce-tags-for-resource-creation/" data-a2a-title="Azure Policy | Enforce tags for resource creation"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-policy-enforce-tags-for-resource-creation/">Azure Policy | Enforce tags for resource creation</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-policy-enforce-tags-for-resource-creation/"class='bbc_url' rel='nofollow external'>Source</a>
  14. <p>Σήμερα δημοσιεύτηκε η συνέντευξή μου με τίτλο “<span data-offset-key="900n3-0-0">Το Azure εξελίσσεται”</span> στο NetFax τεύχος #4230, <span data-offset-key="900n3-0-0"> όπου συζητάω για τις τάσεις που θα μας απασχολήσουν στο Microsoft Azure & το Cloud! </span></p> <p><img class="alignnone size-full wp-image-2796" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/08/netfax4.jpg"alt="νετφαχ" width="568" height="1075" /></p> <p>Ευχαριστώ όλη την ομάδα που συνέβαλε για αυτήν την συνέντευξη & φυσικά <span data-offset-key="900n3-0-0">Read more @netfax </span></p> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&linkname=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&linkname=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&title=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax" data-a2a-url="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/" data-a2a-title="Το Azure εξελίσσεται & οι τάσεις που θα μας απασχολήσουν! @Netfax"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/">Το Azure εξελίσσεται & οι τάσεις που θα μας απασχολήσουν! @Netfax</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/"class='bbc_url' rel='nofollow external'>Source</a>
  15. <h1>Govern your Azure environment</h1> <p>It was a day full of Microsoft Azure and technology, from both IT Pro & Dev perspective. A sunny day at Athens, with a lot of fun. For sure we had a great time!</p> <p>You can download my Athens Azure Bootcamp 2019 presentation, Govern your Azure environment, from this <a href="https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD">link</a>:<a href="https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD">https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD</a></p> <p>Please find the demos of my presentation at the <a href="https://www.e-apostolidis.gr/videos/">Videos</a>page: <a href="https://www.e-apostolidis.gr/videos/">https://www.e-apostolidis.gr/videos/</a></p> <p>Standardize & enforce your company’s Azure Resources configuration, for regulatory compliance, cost control, security & design consistency</p> <p id="UWhJgpl"><img class="alignnone wp-image-2775 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/07/img_5d3de3d139c49.png"alt="aab" width="1188" height="665" /></p> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fgovern-your-azure-environment%2F&linkname=Govern%20your%20Azure%20environment"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fgovern-your-azure-environment%2F&linkname=Govern%20your%20Azure%20environment" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fgovern-your-azure-environment%2F&title=Govern%20your%20Azure%20environment" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/" data-a2a-title="Govern your Azure environment"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/">Govern your Azure environment</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/"class='bbc_url' rel='nofollow external'>Source</a>
  16. <h1>Azure Bastion – Jump Server as a Service</h1> <p>Azure Bastion is a new Azure Platform (PaaS) service, at this time is still in Preview, that allows to have RDP and SSH access to Virtual Machines inside a Virtual Network directly from the Azure Portal. This eliminates the need to expose the Virtual Machines RDP and SSH ports to the internet.</p> <p>The logic comes from the Jump Servers, but you don’t need to deploy any VMs and you don’t have to worry about the hardening. It all ready on Azure as a Service.</p> <p>A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. You can find more about jump servers at <a href="https://en.wikipedia.org/wiki/Jump_server">https://en.wikipedia.org/wiki/Jump_server</a></p> <p>The connection to the virtual machines is achieved directly from the Azure Portal over Secure Sockets Layer (SSL) just using the browser. The Bastion Host is</p> <h2>Azure Bastion Preview preparation</h2> <p>For the time, Azure Bastion Hosts are in Public Preview. To use them we need to Register the Azure Bastion Host provider. Open PowerShell and login to Azure or use the Cloud Shell from the Azure Portal.</p> <p>To register the provider run:</p> <p>Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network</p> <p id="zOeDhIo"><img class="alignnone wp-image-2732 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d091fe6262cc.png"alt="register provider" width="821" height="165" /></p> <p>Then run:</p> <p>Register-AzResourceProvider -ProviderNamespace Microsoft.Network</p> <p id="DRILxeM"><img class="alignnone wp-image-2733 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d091ff460da0.png"alt="azure bastion register" width="646" height="84" /></p> <p>The provider takes some time to register. Run the following command to check when it is registered:</p> <p>Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network</p> <p id="EZSfQTp"><img class="alignnone wp-image-2736 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0923cdafb5e.png"alt="register check" width="797" height="78" /></p> <p>Once the Provider is Registered, access the Azure Portal using this link: <a href="http://aka.ms/BastionHost">http://aka.ms/BastionHost</a>in order to access the Bastions Preview.</p> <h2>Create the Bastion</h2> <p>From the Azure Portal search for bastions</p> <p id="IWWlOrg"><img class="alignnone wp-image-2727 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0801333cf93.png"alt="portal azure bastion" width="496" height="222" /></p> <p>Hit “Add” to start the Bastion creation wizard</p> <p id="BZxMhhc"><img class="alignnone wp-image-2728 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d080140b2353.png"alt="azure bastion" width="520" height="329" /></p> <p>One thing to consider is that the Virtual Network must have an empty subnet with name “AzureBastionSubnet” and at least /27 range. This Subnet will be configured as a DMZ.</p> <p id="qwRNwdC"><img class="alignnone wp-image-2729 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d080183b9c91.png"alt="azure bastion" width="750" height="115" /></p> <p>At the Create a bastion wizard select the Subscription and the Resource group. I prefer to create a new Resource Group. Enter a name for the Bastion Host Instance and a Region. Of course the Virtual Network and the Region must be the same as the Virtual Machines that you want to access. Finally select a name for the Public IP of the Bastion Host and hit Review and Create to create the Bastion.</p> <p id="xZvMCkm"><img class="alignnone wp-image-2730 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0801ea435a4.png"alt="azure bastion" width="843" height="870" /></p> <p>Once the Bastion is ready you can see its properties. Not much to configure, just the IAM.</p> <p id="dfkMDjH"><img class="alignnone wp-image-2739 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d092bdbb123f.png"alt="azure bastion" width="1162" height="645" /></p> <h2>Using the Bastion Host</h2> <p>And now the magic. Once you have a bastion deployed to a Virtual Network, browse a Virtual Machine and hit “Connect”. Beside the RDP and SSH, you will see a new option, the BASTION!</p> <p id="LiCqvkU"><img class="alignnone wp-image-2741 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d092c6bebb80.png"alt="azure bastion" width="1157" height="551" /></p> <p>Since the topology is Intternet –>Public IP of Bastion –> Bastion –> Virtual Network – NSG – Private IP –> VM you need to allow the RDP / SSH traffic from the Bastion VNET to the Virtual Machine and https traffic (no RDP / SSH needed) from the internet (or your public ip) to the Bastion Subnet.</p> <p>Enter the VMs username and password and hit connect and we have RDP over HTTPS</p> <p id="OphcKAS"><img class="alignnone wp-image-2742 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d093149258cf.png"alt="azure bastion" width="1379" height="1021" /></p> <h2>Copy Text to / from the VM</h2> <p>There a little icon >> at the right middle of the screen.</p> <p id="JTaxuWt"><img class="alignnone size-full wp-image-2748 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d09355db8db6.png"alt="" /></p> <p>Click it and the Copy / paste box will open. Any text you paste at that box it will be available at the VMs clipboard. Also the Fullscreen button is available there.</p> <p id="WQLZHRX"><img class="alignnone size-full wp-image-2749 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0935877025c.png"alt="" /></p> <p>Also any text you copy from the VM will appear at that box, like the image below:</p> <p id="ZvVaJdz"><img class="alignnone size-full wp-image-2750 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0935cf0a626.png"alt="" /></p> <p>The Remote Desktop experience is excellent! No RDP client needed, just your browser.</p> <p>Sources:</p> <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-faq">https://docs.microsoft.com/en-us/azure/bastion/bastion-faq</a></p> <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg">https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg</a></p> <p><a href="https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/">https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/</a></p> <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal">https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal</a></p> <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure-bastion-jump-server-as-a-service%2F&linkname=Azure%20Bastion%20%E2%80%93%20Jump%20Server%20as%20a%20Service"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure-bastion-jump-server-as-a-service%2F&linkname=Azure%20Bastion%20%E2%80%93%20Jump%20Server%20as%20a%20Service" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure-bastion-jump-server-as-a-service%2F&title=Azure%20Bastion%20%E2%80%93%20Jump%20Server%20as%20a%20Service" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure-bastion-jump-server-as-a-service/" data-a2a-title="Azure Bastion – Jump Server as a Service"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure-bastion-jump-server-as-a-service/">Azure Bastion – Jump Server as a Service</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p> <a href="https://www.e-apostolidis.gr/microsoft/azure-bastion-jump-server-as-a-service/"class='bbc_url' rel='nofollow external'>Source</a>
  17. Validate Azure Resource Move with Postman At this post we will see how easily we can move azure resources to new resource groups or subscriptions and how we can validate if the azure resources are eligible to move without initiate the move. Move Azure Resources to new resource groups or subscriptions Azure Resource Manager allow you to easily move resources to new resource groups or subscriptions. It is a pretty simple process. From the Azure Portal, open a Resource Group, and from the top options click Move. You can select if you want to move to another resource group or subscription. On the next page you can select the resources you want to move and click OK. Once you click OK, the Azure Resource Manager starts to validate the move requests. Checks if the selected resources are eligible to move and also if they have any dependencies that will cause the move to fail. After the validation, and if the validation is successful, the resource move starts. There is no option in the portal to just validate the move request without starting the move. Validate Resource Move with Postman To validate the resources move you need to use post / get operations. The https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources#validate-move document descibes the parameters that we must use to validate is the resources are eligible to move. To validate if the resources are eligible to move we need to send a URI with Authorization token. A free and easy application to help us with the post /get requests is the Postman. You can download the latest release form this link: https://www.getpostman.com/downloads/ Download and install the Postman and open the application. We need to perform a Post request to ask the ARM if the specific resources are eligible to move and then a GET request to view the ARM response. At the Postman select POST and at the POST request URL enter: https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{sourceResourceGroupName}/validateMoveResources?api-version=2019-05-01 My test case URL: https://management.azure.com/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/validateMoveResources?api-version=2019-05-01 Then at the Body, select RAW -> json and paste the request: { “resources”: [“<resource-id-1>”, “<resource-id-2>”], “targetResourceGroup”: “/subscriptions/<subscription-id>/resourceGroups/<target-group>” } at my example that I want to validate two resources, the devrg VM and the Managed disk I entered: { “resources”: [“/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/providers/Microsoft.Compute/virtualMachines/devrgvm”, “/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/DEVRG/providers/Microsoft.Compute/disks/devrgvm_OsDisk_1_5da9dad62662418b9bb3f02496e88604”], “targetResourceGroup”: “/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/target” } Create Authorization Token Finally we need an authorization token to access the ARM API. At the Azure Portal open the cloud shell, buy clicking the icon at the top right menu bar. Enter the below command to create a service principal at the Azure Active Directory: az ad sp create-for-rbac -n “my-access-app” The output will be as the below screenshot: You will get the application ID, URL, tenant ID and password. Next at the Postman press the + button to create a new tab At the Postman’s new tab create a new POST and enter: https://login.microsoftonline.com/{{tenantId}}/oauth2/token My test: https://login.microsoftonline.com/85ed7d07-ffa3-44da-a22a-38c51ba14d0e/oauth2/token Then at the Body property, select “x-www-form-urlencoded” and enter the following KEYs: Key Value grant_type client_credentials client_id this is the appId of the access app client_secret this is the password of the access app resource https://management.azure.com my test: Once you press “Send” it will return the “access_tocket”. This is the Authorization: Bearer <bearer-token> needed for the resource move validation. Send the validation request Back to the first tab of the Postman, where we are preparing the move validation POST request, select “Authorization”, at the TYPE select “Bearer Token” and at the Token field paste the “access_tocken” from above. Then press “Send” If all the details are correct, it will return a status of “202 Accepted”. This means that the ARM has started the validation. Copy the “Location” value because we will need it below. The next step is to create a GET request to view the validation result. The GET request consists of the location URL and the Authorization token. As we did before, open a new Tab at the Postman, select GET request, at the GET URL paste the “Location” URL, at the TYPE select “Bearer Token” and at the Token field enter the “access_token”. Receive the validation results Press enter to GET the validation results. f the move operation validates successfully, you receive the 204 status code and nothing at the Body. If the move validation fails, you receive an error message, like the below. At my example the validation returned failed. The error message explains what caused the failure. At my example the VM is being backed up so the disks have restore points. Also at the message it gives us the link to check for more information.
  18. Azure VM CMD & PowerShell from the Portal Today I was trying to troubleshoot an Azure VM. This VM is behind a Network Virtual Appliance (NVA) and at the subnet it has User Defined Routes (UDR) that routes the traffic to the NVA. We was troubleshooting the NVA and it was not possible to connect with RDP to the VM. Serial Console This is an excellent scenario to use the Serial Console. From the Azure Portal, portal.azure.com, navigate to the Azure VMs blade, scroll down to the Support + Troubleshooting section and select “Serial Console” The Serial Console will initialise and after a while it will establish the connection and the prompt will be the SAC>. If you encounter any errors establishing the SAC link, please follow this link: https://aka.ms/serialconsolewindows At the SAC> prompt press help to list the available commands. Using the i command we can get the IP Address configuration of the VM Command Prompt To create a command prompt session, first enter “cmd”. This will create a session. To list the cmd sessions press “ch” to select & login to a cmd session press “ch -si #” where # is the channel number. At the below screen press Enter At the next screen enter the admin credentials and we have Command Prompt. At this command prompt we can use all cmd commands. Some examples: ping -t dir PowerShell at the command prompt enter “powershell” and press Enter to open a PowerShell Session PowerShell example, disable windows firewall: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False and yes, its off of course, for the firewall we could disable it using CMD netsh advfirewall set allprofiles state off For more example commands follow this link: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/serial-console-cmd-ps-commands
  19. Azure Policy | Limit the Azure VM Sizes Azure Governance This post, Azure Policy, is the first of a series of posts about Azure Governance. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc. Azure Policy Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment. Limit the Azure VM Sizes In this fist post we will go through a simple policy, the “Allowed virtual machine SKUs”. With this policy you can control what Azure VM series and sizes are permitted for deployment. You can apply this policy to a whole Management group, to a Subscription or to a single Resource Group. Step by Step Guide Open the Azure portal, https://portal.azure.com, and login with your account. At the top search box write “policy”. From the search results select the “policy”. At the Policy screen, select the “Definitions”. To create and apply a policy we need to start from a Policy Definition. At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. At the Category drop down menu, deselect everything and select only the “Compute”. Press the “Allowed virtual machine SKUs” definition. The “Allowed virtual machine SKUs” definition will open. Here we can see the code beneath the definition. It is written in json format. If we want to make changes at the definition we must first press “Duplicate definition”. This will create a copy of the definition. Then we can open the definition duplicatie and press “Edit definition. We will cover this at a future post. To select the VM sizes, the scope and apply the definition, press “Assign” Set the scope At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots. For scope, we can select a whole Management group, a whole subscription or a single Resource Group. Select the Azure VM SKUs After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow. At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2. We can change the “Assignment Name” to easily find the specific assignment at the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs” The next step is the “Managed Identity”. Managed identity creates an Azure AD Identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it is doesn’t exists. We don’t need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”. A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope. Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope. Test the policy To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM. And the error details: “disallowed by policy” You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/
  20. Get real insights about your Windows and Linux VMs & VMSSs performance and their dependencies with Azure Monitor. Integrate with Log Analytics for even more in depth analysis and retain the data over time. Health, Performance & Service Map of your VM in a dashboard. Deploy to Single VM For a single VM, go to the VMs blade, scroll down to the “Monitoring” section, select “Insights” and press “Try now” The Azure Monitor Insights Onboarding wizard will open. If your VM is already onboard at a Log Analytics workspace just click Enable. Otherwize select a Log Analytics workspace or create one. You will start seeing data form the VM in about 20-30 minutes. Deploy to multiple VMs using Azure Policy For deploying to multiple VMs, the easiest way is to use Azure Policy Go to the Azure Policy, select Assignments and press “Assign initiative” The first option is the Scope. Press the three dots “…” at the Scope field. You can choose a a Management Group, a Subscription or a Resource Group. So if you just select a Management Group (And don’t select subscription and resource group), this policy will apply to all Subscriptions under the Management Group and of course to all resources of the subscription. If you choose a Subscription (and don’t select a resource group then the policy will apply to all resources of the subscription. Finally if you choose a resource group then the policy will apply only to this resource group. Later we will see how to select specific VMs in the Subscription or Resource group. After selecting the Scope you can add exclusions. There you can check the VMs you don’t want this policy to apply. The next step is to select the Policy. At the BASICS section, press the three dots “…” near the “Initiative definition” and find the “Enable Azure Monitor for VMs” Next step is to configure the Parameters. There select the Log Analytics workspace that the VM will onboard, or create a new one. Optionally you can provide a list of VMs instead of adding all of them Finally press Apply. Back at the Azure Policy main menu you will see the new Definition Assignment. View the Health / Performance / Service Map of the VMs To view the Azure Monitor of the VMs, go to the VM that you have enabled Insights, select the Insights blade and you will be able to see the health status not only for the common CPU. Memory, Disk, But also for the services that run inside the VM and the Azure Monitor discovered. By clicking on any service you will have a list of all logs of this service At the performance section you have the ability to select time range and have performance analytics for a requisted period of time Finally at the MAp, you have a service map of the services and ports that are open and listening Product Documentation: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-overview
  21. Azure Web Application Firewall (WAF) is a function of the Azure Application Gateway that detects and prevents exploits and attacks to a web application. Using a WAF we add an additional security layer in front of our application. To have a sneak peak at the most common web application attacks, take a look at the OWASP Top 10 Most Critical Web Application Security Risks . At my previous posts we have seen how to Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. At this post I want to share some tips on how to configure the Azure Web Application Firewall. The Azure Web Application Firewall, like all WAFs, needs a period of detection “the training period”, in order to gather logs about what is logged as blocked so to configure it accordingly before turning the WAF to Prevention mode. The Azure Web Application Firewall uses OWASP ModSecurity Core Rule Set (CRS). You can select version 2.2.9 or version 3.0 of the OWASP ModSecurity Core Rule Set. These rules include protection against attacks such as SQL injection, cross-site scripting attacks, and session hijacks. The configuration of the Azure Web Application Firewall has two parts. One part is the OWASP rules custom configuration, where we can check / uncheck the OWASP rules that the WAF will use to analyse the requests: and the second part is the Exclusions and the Request Size Limits: Let’s see how we can find out what to exclude and what to customize. Once you setup the Azure Application Gateway and Publish your web application turn of the Firewall in Detection mode. Enable the Diagnostic Logs and send the logs to Log Analytics and start using the we application. I have covered all those steps at my previous posts, Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. To make it more fun you can actually attack your application using sample attacks, like SQL Injection samples from this link: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)and Cross-site Scripting (XSS) from this link: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Both links are from OWASP for testing. After a while run the query to check the Azure Web Application Firewall logs: 1 AzureDiagnostics | where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall" | where TimeGenerated &gt; ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s You will get the below results: At the Message part of the Log you will see the kind of attack that the WAF has detected. At the ruleId_s you can find the OWASP rule ID. With this information you can search the Rule ID at the Advanced rule configuration and uncheck the specific rule. Of course every rule you uncheck you open a security hole. So I recommend to first check if you can alter your application to comply with the rule and only if this is not possible to drop the rule. At the details_message_s column also you can find the matched pattern and configure the Exclusions Finally you can configure the request size limits according to your application Once you finalize your Azure Application Firewall configuration and you no longer have “Blocked” messages change it to “Prevention” mode to start protecting your web application. Reference: WAF Overview: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview WAF Configuration: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-waf-configuration OWASP ModSecurity Core Rule Set (CRS): https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  22. At this post, we will create a Logic App that will query the Log Analytics workspace for the WAF logs of the last 24 hours and send the results in an email, using a free SendGrid account. A Web Application Firewall protects your application from common web vulnerabilities. Azure provides enterprise grade Web Application Firewall through the Application Gateway. You can read more at my previous post: https://www.e-apostolidis.gr/microsoft/azure/protect-your-web-application-with-azure-application-gateway-waf/ Use Log Analytics to Query the WAF Logs The Application Gateway WAF sends its logs to the Log Analytics workspace. You can see them using a typical query like the below, that will list all events at the past 24 hours. AzureDiagnostics | where Resource == “PROWAF” and OperationName == “ApplicationGatewayFirewall” | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s You can save the query by clicking the Save button and give it a name and a Category. We can send those logs as email by using an Azure Logic App and a SendGrid account. You can see how to create a SendGrid free account at my previous post: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/ Create a Logic App From the portal.azure.com, Create a resource and write “logic app”, click the “Logic App”and press “Create” At the Logic App creation wizard add Name, subscription, resource group, location and press Create Next the Logic App will be created. Open it and from the Logics App Designer select the “Recurrence” common trigger. Change the Recurrence Interval to “1” and the Frequency to “Day” and press the “+ New step” search for “log analytics” and select the “Run query and visualize results” I will proceed with “Sign in”, you can also use a Service Principal but we will cover this to another post. After you login select the Subscription, Resource Group and the Log Analytics Workspace. Next, add the query, for Chart Type select “Html Table” and add a “Next Step” search for “sendgrid” and select the “Send email (V2)” Add a name for the connection and the API key that you created at the SendGrid creation post and press create. https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/ Fill the From address, To address and Subject. At the email body, add dynamic content and select the blocs of the previous set result. Press Save to save the Flow and Run to test it. The result at my email:
  23. Azure offers free smtp relay using the SendGrid application. SendGrid is a cloud service that provides email delivery and marketing campaigns. The specific offer is for up to 25.000 emails per month. Also this offers provides full reporting and analytics and 24/7 support. At this post we will see how to create a SendGrid free account that can be used for many purposes, like: Send emails through an application using the SendGrid API Send email campaigns, newsletters, etc using the SendGrid SMTP service At the Azure Portal, portal.azure.com, search for sendgrid and click the “SendGrid Email Delivery” The SendGrid account wizard will open. Fill the name and password, select subscription and resource group and choose the F1 free pricing tier. Also fill the contact information, accept the legal terms and press “Create” Once the SendGrid Account is created, navigate to it and select Manage The SendGrid portal will open. Navigate to the Settings / API Keys to Create an API Key. Enter a name for the key. For permissions you only need send emails So select Restricted Access and add “Mail Send”. Press create & view to create the key. You will only see the key once, upon creation. After that there is no way to see the key again, so copy and keep it safe. SMTP Service We are ready to send emails using any host that supports SMTP. The settings are: Server: smtp.sendgrid.net Username: apikey Password: “The API Key you created before” Ports: SSL 465, Unencrypted: 25 , TLS 586 More about SendGrid SMTP: https://sendgrid.com/docs/API_Reference/SMTP_API/integrating_with_the_smtp_api.html API Usage: https://sendgrid.com/docs/for-developers/sending-email/api-getting-started/
  24. Working as a Cloud Consultant, Administrator, Architect, many companies will provide you guest (Azure AD B2B) access to their subscription. After completing the Admins of the subscriptions, many times, forget to remove this accesses and as a result you still have access to resources with no reason and also the list of your available subscriptions grows making it difficult to choose the right subscription to work. In this post we will walk through the steps of removing your account from those subscriptions. Since this is an identity matter, you need to login to the https://account.activedirectory.windowsazure.com portal and login with your account. I logged in with my account, pantelis@e-apostolidis.gr There you will see a list of all the applications that you have access at the Tenant that your account resides. Press the user icon, at the top right corner. Once you press the user icon, a drop down menu will appear and there you will see all the organizations that you have been provided access. Near the “ORGANIZATIONS” press the gear icon. You will redirected to the organizations section of the portal. There, in order to leave an organization subscription you need to sign in. Actually by clicking sign in to leave organization you will be redirected to that tenant. The tricky part here is to choose the right organization, since many organizations does not change the “Default directory” name. A, easy way to do this it to hover your mouse to the “sign in to leave organization” link and you will see the tenant id at the bottom of the page. Now, by navigating to the https://portal.azure.com and pressing the Subscription filter button, at the top par, near the notifications icon, you will have a list of all organizations tenant ids and names. After ensuring the organization id that you want to leave, go back to the organization selection portal and press “sign in to leave organization”. There, at the browser’s address bar you will see again the organization tenant id. Check again just to be sure. There you need again to press the user icon and the little gear icon Finally you have the option to “Leave organization” A final warning will appear, just to be sure, and by pressing “Leave” you instantly loose all access to that organization and it will not be listed at your subscription filter. After a while you will also receive an email from Microsoft invitations that you have left that organization.
×
×
  • Create New...