Blog Entries posted by proximagr

  1. proximagr
    SQL Failover Cluster with AlwaysOn Availability Groups. Now for the last part of the lab: adding an AlwaysOn Availability Group to the existing SQL WSFC. Windows Server 2012 R2 Failover Cluster with FreeNAS 9.3 / Microsoft SQL 2012 on Failover Cluster / Add AlwaysOn AG to SQL Failover Cluster Instance. Add AlwaysOn AG to SQL Failover Cluster Instance […]
    The post Add AlwaysOn AG to SQL Failover Cluster Instance appeared first on Proxima's IT Corner.

  2. proximagr
    SQL Failover Cluster with AlwaysOn Availability Groups
    This is the second post of the SQL Failover Cluster with AlwaysOn Availability Groups trilogy. It is SQL's turn.
    • Windows Server 2012 R2 Failover Cluster with FreeNAS 9.3 (Page 1, Page 2)
    • Microsoft SQL 2012 on Failover Cluster (Page 1, Page 2, Page 3)
    • Add AlwaysOn AG to SQL Failover Cluster Instance (Page 1, Page 2, Page 3)

    Microsoft SQL 2012 on Failover Cluster (Page 1)
    For the lab I will use the Domain Administrator, but this is not recommended for a production environment!!!
    Mount the SQL 2012 SP2 ISO and start with “New SQL Server failover cluster installation”.

    After the checks pass, enter the key (for the lab I naturally chose Evaluation) and proceed to Install to begin the installation.
    We deliberately ignore the MSDTC error (present since 2008) and, if there are no other errors, continue. Choose SQL Feature Installation and then select only Database Engine Services with its sub-features, plus the Management Tools.

    Enter a network name for the SQL cluster and continue.

    Enter a name for the cluster resource group or keep the default (as I did for the lab).

    In the next step it informs us that there is no available disk for the SQL Cluster Disk, since the existing one became the Cluster Quorum, so we go and add one more disk to the Cluster Resources.
    Add one more disk in FreeNAS, since one is needed for the Cluster Quorum and the other for the SQL Cluster Disk. After presenting it to the VM, go to the FreeNAS web interface, Storage / Volume Manager, select the disk, give it a name (I used sql) and click Add Volume.

    Then go to View Volumes, select sql and click the Create zvol button, as shown in the picture.

    Enter a name and size and click Add zvol.

    Then go to Sharing / iSCSI / Extents and click Add Extent; enter a name, select as Device the zvol we created, choose the Logical Block Size (for SQL DBs 512 is recommended) and click OK.

    Finally go to Associated Targets, click Add Target/Extent and add the extent we created.
    Now, if we go to Disk Management on the servers and rescan the disks, we see the new disk; bring it online, initialize and format it. Only take care to set an allocation unit of 512 so it matches FreeNAS, otherwise SQL will complain.

    Open Failover Cluster Manager / Storage / Disks, click Add Disk and add the new disk.
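    The Windows side of the steps above (rescan, bring the new iSCSI disk online, initialize and format it, then hand it to the cluster) as one PowerShell script. This is an added example, not code from the original post; it assumes Windows Server 2012 R2 with the Storage and FailoverClusters modules, exactly one new RAW iSCSI disk visible to the node, the label "SQLData" as a placeholder, and an allocation unit of 512 only because that is the value the post prescribes.

```powershell
# Added example: the Windows part of the procedure in the post, run once on a
# cluster node after the FreeNAS extent has been presented to every node.
# Assumptions: Windows Server 2012 R2, FailoverClusters feature installed,
# exactly one new RAW iSCSI disk visible to this node.
Import-Module Storage
Import-Module FailoverClusters

# The post uses 512 so the NTFS allocation unit matches the 512-byte logical
# block size chosen for the FreeNAS extent; change here if you follow other guidance.
$AllocationUnitSize = 512
$VolumeLabel        = 'SQLData'     # placeholder label

# Rescan so the newly presented iSCSI LUN shows up in Get-Disk.
Update-HostStorageCache

# Only touch a disk that is iSCSI *and* still RAW; refusing anything else avoids
# wiping an existing volume (for example the quorum disk) by mistake.
$newDisks = @(Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' })
if ($newDisks.Count -ne 1) {
    throw "Expected exactly one RAW iSCSI disk, found $($newDisks.Count). Stopping."
}
$disk = $newDisks[0]

# Online, writable, GPT, one partition filling the disk, NTFS with the chosen unit.
if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline $false }
if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }
$vol = Initialize-Disk -Number $disk.Number -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -AllocationUnitSize $AllocationUnitSize `
                  -NewFileSystemLabel $VolumeLabel -Confirm:$false

# Verify the allocation unit actually applied before the disk becomes a cluster resource.
if ($vol.AllocationUnitSize -ne $AllocationUnitSize) {
    throw "Allocation unit is $($vol.AllocationUnitSize), expected $AllocationUnitSize."
}

# Equivalent of Failover Cluster Manager / Storage / Disks / Add Disk. The disk is
# only listed as available when every node can see it, which is the real test that
# the iSCSI extent was presented correctly.
$available = Get-ClusterAvailableDisk | Where-Object Number -eq $disk.Number
if (-not $available) { throw "Disk $($disk.Number) is not visible as cluster-available on all nodes." }
$clusterDisk = $available | Add-ClusterDisk
"Added cluster disk '{0}' (state: {1})" -f $clusterDisk.Name, $clusterDisk.State
```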


    Continued on the next page
    Source: http://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/microsoft-sql-2012-on-failover-cluster/
  3. proximagr
    Azure Security Center
    Remediate security recommendations in 1 click
    Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. Using advanced analytics, it helps you detect potentially malicious activity across your hybrid cloud workloads and recommends potential remediation steps, which you can then evaluate and act on.
    One of the main features of Azure Security Center is that it offers prioritized and actionable security recommendations, so you can remediate security vulnerabilities before they can be exploited by attackers. To simplify remediation of security issues, it now allows you to remediate a recommendation on multiple resources with a single click.
    • Quick access to 1-click fix: the 1-click fix label is shown next to the recommendations that offer this faster remediation tool.
    • Logging for transparency: all remediation actions are logged in the activity log.
    How to use 1-click remediation
    Look for the “1-click Fix !” label at the recommendations!
    Once you click the “1-click Fix !” label, the recommendation information page will open. Select the affected resources and click Remediate.
    A final window will open that informs you about the action that will be performed and what it will affect. Check the information and, if you agree, click the final “Remediation” button.
    Current 1-click remediation availability
    Remediation is available for the following recommendations in preview:
    • Web Apps, Function Apps, and API Apps should only be accessible over HTTPS
    • Remote debugging should be turned off for Function Apps, Web Apps, and API Apps
    • CORS should not allow every resource to access your Function Apps, Web Apps, or API Apps
    • Secure transfer to storage accounts should be enabled
    • Transparent data encryption for Azure SQL Database should be enabled
    • Monitoring agent should be installed on your virtual machines
    • Diagnostic logs in Azure Key Vault and Azure Service Bus should be enabled
    • Diagnostic logs in Service Bus should be enabled
    • Vulnerability assessment should be enabled on your SQL servers
    • Advanced data security should be enabled on your SQL servers
    • Vulnerability assessment should be enabled on your SQL managed instances
    • Advanced data security should be enabled on your SQL managed instances
    Single click remediation is part of Azure Security Center’s free tier.
    Read more at: Azure Security Center single click remediation (https://azure.microsoft.com/en-gb/blog/azure-security-center-single-click-remediation-and-azure-firewall-jit-support/) and Azure Security Center: 1-click remediation for security recommendations is now available (https://azure.microsoft.com/en-us/updates/one-click-remediation-for-security-recommendations/)
    The post ASC | Remediate security recommendations in 1 click appeared first on Apostolidis IT Corner.

    Source: https://www.e-apostolidis.gr/microsoft/azure/asc-remediate-security-recommendations-in-1-click/
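    A read-only check for five of the recommendations listed above (HTTPS only, remote debugging, CORS, secure transfer, TDE), written with the Az PowerShell module so the result can be compared with what Security Center reports before pressing Remediate. This is an added example, not Security Center's own logic or the author's code; the resource group, web app, storage account and SQL names are placeholders.

```powershell
# Added example: reproduce, read-only, the conditions behind some of the 1-click
# recommendations above. Requires Az.Websites, Az.Storage, Az.Sql and an existing
# Connect-AzAccount session. All names below are placeholders.
$rg      = 'my-rg'
$webApp  = 'my-webapp'
$storage = 'mystorageacct'
$sqlSrv  = 'my-sqlserver'
$sqlDb   = 'my-database'

function Test-OneClickRecommendations {
    param([string]$ResourceGroup, [string]$WebAppName, [string]$StorageAccountName,
          [string]$SqlServerName, [string]$SqlDatabaseName)

    $findings = @()
    $add = { param($res, $rec) [pscustomobject]@{ Resource = $res; Recommendation = $rec } }

    # Web Apps, Function Apps, and API Apps should only be accessible over HTTPS
    $app = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName
    if (-not $app.HttpsOnly) {
        $findings += & $add $WebAppName 'Should only be accessible over HTTPS'
    }
    # Remote debugging should be turned off
    if ($app.SiteConfig.RemoteDebuggingEnabled) {
        $findings += & $add $WebAppName 'Remote debugging should be turned off'
    }
    # CORS should not allow every resource: '*' as an allowed origin is the condition
    if ($app.SiteConfig.Cors -and ($app.SiteConfig.Cors.AllowedOrigins -contains '*')) {
        $findings += & $add $WebAppName 'CORS should not allow every resource'
    }

    # Secure transfer to storage accounts should be enabled (HTTPS-only traffic)
    $sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccountName
    if (-not $sa.EnableHttpsTrafficOnly) {
        $findings += & $add $StorageAccountName 'Secure transfer should be enabled'
    }

    # Transparent data encryption for Azure SQL Database should be enabled
    $tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroup `
               -ServerName $SqlServerName -DatabaseName $SqlDatabaseName
    if ("$($tde.State)" -ne 'Enabled') {
        $findings += & $add "$SqlServerName/$SqlDatabaseName" 'Transparent data encryption should be enabled'
    }

    return $findings
}

$result = Test-OneClickRecommendations -ResourceGroup $rg -WebAppName $webApp `
              -StorageAccountName $storage -SqlServerName $sqlSrv -SqlDatabaseName $sqlDb
if ($result) { $result | Format-Table -AutoSize } else { 'No open 1-click recommendations for these resources.' }
```

    Because every 1-click fix is logged in the activity log, the same list can be re-run after remediation to confirm each finding is gone.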
  4. proximagr
    SQL Failover Cluster with AlwaysOn Availability Groups. This is the second post of the SQL Failover Cluster with AlwaysOn Availability Groups trilogy. It is SQL's turn. Windows Server 2012 R2 Failover Cluster with FreeNAS 9.3 / Microsoft SQL 2012 on Failover Cluster / Add AlwaysOn AG to SQL Failover Cluster Instance. Microsoft SQL 2012 on Failover Cluster. For […]
    The post Microsoft SQL 2012 on Failover Cluster appeared first on Proxima's IT Corner.

  5. proximagr
    Good evening to the community. I want to share with you the problems I ran into today with a Hybrid Configuration on Exchange 2010 SP3 UR6. Nothing tragic, nor something we haven't faced before, but I believe the more we share the more we learn.
    I'll skip the initial parts: domain verification, DirSync, certificate request, Outlook Anywhere enabled, all the virtual directories looking fine, telnet on 443 fine, OWA fine, all good in general, and I get to the Hybrid Wizard. Creation and first run to build the private certificate, all fine. Now on to the update to enter credentials, IP, FQDN etc. Full of joy, I set out to finish the Hybrid Wizard. No such luck.
    So here we go: of course it blew up, and the first reason was “Execution of the Get-FederationInformation cmdlet had thrown an exception”, or in other words “figure it out yourself”.
    Lots of articles, all very nice and pretty, mostly ending in this simple advice… run all the tests in the Connectivity Analyzer. Many thanks to Microsoft for this multi-tool.
    I remembered their admin saying “we use VPN to read our mail from Outlook at home”, so I start with Outlook Connectivity; I should have suspected it....
    The HTTP authentication test failed.
    Additional Details
    An HTTP 500 response was returned from Unknown
    https://mail.MyDomain.com/rpc/rpcproxy.dll was returning the 500. Eventually I ended up reinstalling RPC over HTTP with the following steps:
    1. Disabled Outlook Anywhere
    2. Uninstalled the RPC proxy (on 2012 & R2: Uninstall-WindowsFeature rpc-over-http-proxy)
    3. Reboot (of course)
    4. Installed the RPC Proxy (Install-WindowsFeature rpc-over-http-proxy)
    5. Enabled Outlook Anywhere
    6. Restarted the Microsoft Active Directory Topology service
    Of course it did not solve the problem…. Luckily I found this article https://support.microsoft.com/en-us/kb/2015129 and went and added "runtimeVersionv2.0" to ApplicationHost.config by hand, because aspnet_regiis.exe doesn't work on 2012 and I didn't find anything better. As if by magic it worked first time!!!!!
    How nice, how lovely, tra-la-la, I run the Hybrid Wizard and .... exactly the same error!
    Back to the Connectivity Analyzer, this time I ran the Autodiscover test. Fine… all good, I run the EWS test too, all good. Eventually I decide to reset Autodiscover, various people with the Get-FederationInformation problem were suggesting it. In short, the steps are these:
    • Reset the Autodiscover Virtual Directory
    • Reset the WSSecurityAuthentication to $true
    • IIS reset, then the Get-FederationInformation worked!
    Fine, I say, let's reset the Autodiscover virtual directory from the GUI http://technet.microsoft.com/en-us/library/ff629372.aspx. HAHAHAHAHA, Exchange was laughing at me. The moment you click “reset virtual directories” in the GUI, the Exchange Management Console crashes (Exchange 2010 SP3 UR6). Just like that. So the job was done with PowerShell and all was well; I ran the following because everything was default:
    Get-AutodiscoverVirtualDirectory | Remove-AutodiscoverVirtualDirectory
    New-AutodiscoverVirtualDirectory -Websitename "Default Web Site" -BasicAuthentication:$true -WindowsAuthentication:$true
    After the IISreset I rush to run the Hybrid Wizard!!! Full of joy again, and of course it blew up!!! But this time with a different error; we got past Get-FederationInformation!!!!
    Our new error: Subtask ValidateConfiguration execution failed: Configure Mail Flow. OK, I say, we've seen this before: when you have a wildcard certificate it creates the connectors with the default server address, mail.domain.com; in my case it created them as mail.xxxxx.gr instead of the mailx.xxxxx.gr I wanted.
    I go to fix them, and at the check on the Office 365 Outbound connector (mail flow/connectors/Hybrid Mail Flow Outbound Connector) the verify cuts me off: 450 4.4.101 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.
    Hmm, I talk with their administrator to check whether the firewall does ESMTP inspection and he tells me “aaaah, you know, the mail flow passes through the Symantec gateway inbound and outbound…”. Nice and easy, we bypassed it both on Exchange and on the firewall and I fixed the connectors. All good.
    Eventually I moved a test mailbox to Office 365 and it went fine! Great joy, it sends mail, receives mail, classy. Mail flow up and down, left and right, all fine. We moved a few more and life goes on....
  6. proximagr
    When we create a VM on Azure, a Cloud Service is created at the same time. Later we can create more VMs in the same cloud service. Each cloud service has a unique Public IP. For as long as the Cloud Service has at least one VM running, this Public IP remains the same. If all VMs of a Cloud Service are off, the Public IP is released and the next time a VM is powered on it will get a new Public IP.
    Using PowerShell we can reserve a Public IP for as long as the Cloud Service exists, with or without VMs.
    First we need to create a Virtual Network from the portal. Go to “Networks” and create a new Virtual Network. We can use “Quick Create”.
    Second we need the Azure PowerShell module installed; it can be found here: http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/. We connect using the username/password method; the command is Add-AzureAccount.

    #Create the Public IP Reservation:
    $reservedIP = "reserved ip name"
    $location = "West Europe"
    New-AzureReservedIP -ReservedIPName $reservedIP -Location $location

    #Collect the configuration settings for the new VM:
    $serviceName = "azure service name for VM"
    $adminUser = "VM admin user name"
    $password = "VM admin password"
    $vmName = "VM name"

    #Choose the size of the VM. Use this list: https://msdn.microsoft.com/en-us/library/dn168976%28v=nav.70%29.aspx
    $vmSize = "Medium"

    #Provide the Operating System. Use this post to get a list of the available images: https://msdn.microsoft.com/en-us/library/azure/jj157191.aspx?f=255&MSPPError=-2147217396
    $imageFamily = "Windows Server 2012 R2 Datacenter"
    $imageName = Get-AzureVMImage | where { $_.ImageFamily -eq $imageFamily } | sort PublishedDate -Descending | select -ExpandProperty ImageName -First 1

    #Add the configuration settings for the new VM to a variable (subnet-1 is the subnet of the Virtual Network created from the portal):
    $vm1 = New-AzureVMConfig -Name $vmName -InstanceSize $vmSize -ImageName $imageName |
        Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $password |
        Set-AzureSubnet subnet-1

    #Create the VM and the Cloud Service with the Reserved Public IP (testnet2 is the Virtual Network created from the portal;
    #the reserved IP name must be the same variable used for New-AzureReservedIP above):
    New-AzureVM -Location $location -VMs $vm1 -VNetName testnet2 -ServiceName $serviceName -ReservedIPName $reservedIP
    Run the command to start the creation.
  7. proximagr
    How to disconnect a mailbox & re-assign it to new user in a Hybrid Scenario
    Scenario objectives: We have an Exchange Hybrid setup between on-premises and Exchange Online (Office 365). All users are synced and the mailbox is located at Exchange Online.
    We need to separate an existing mailbox from its user account and re-connect this mailbox to a new user account. If the mailbox in this scenario were located at the on-premises Exchange it would be an easy process using just the Exchange Management Console. But in a Hybrid scenario the process includes many steps, since the mailbox is not directly connected to the Active Directory user account but to the Azure AD synced user account.
    For the ease of the guide we will name the Existing User Account: OLDUSER and the New User Account: NEWUSER.
    We will disconnect the Exchange Online Mailbox from the OLDUSER and connect it to the NEWUSER.
    Step 1.
    At the on-premises Active Directory, in an OU that is not synced with Azure AD, create the new user account, the “NEWUSER”. Ensure that you do not enter anything in the email field. Just a user account with no email attributes.
    Step 2.
    Move the “OLDUSER” to an OU that is not synced with Azure AD
    Step 3.
    Run a Delta Sync. Go to the server where Azure AD Connect is installed, open PowerShell and run “Start-ADSyncSyncCycle”
    Step 4.
    We need to get the GUID of the NEWUSER. To do so, log in to a Domain Controller, open PowerShell and run:
    [system.convert]::ToBase64String((Get-Aduser NEWUSER).objectGUid.ToByteArray())
    Copy the GUID to Notepad.
    Step 5.
    Open the Office 365 Admin Center and Restore the deleted user “OLDUSER”
    Go to Users –> Deleted Users –> Select the user “OLDUSER” –>Click Restore

    Step 6.
    Connect to Azure AD and set the GUID of the “NEWUSER” as the ImmutableId of the Office 365 “OLDUSER”. Details for connecting to Azure AD: https://technet.microsoft.com/en-us/library/dn975125.aspx
    Set-MsolUser -UserPrincipalName olduser@mydomain.com -ImmutableId vMZGJpW6CUGY09bduJ5dlw==

    Step 7.
    Open the Office 365 Admin Center and delete the old user “OLDUSER”.
    Go to Users –> Active users –> Select the “OLDUSER” –> click Delete user

    Step 8.
    Clean the on-premises Active Directory account of the old user “OLDUSER” of all attributes that will be added to the new user, such as proxy addresses, target address, alias name, nickname etc.
    Step 9.
    Make the “NEWUSER” user account a Remote Mailbox object.
    At the on-premises Exchange, open the Exchange Management Shell and run:
    Enable-RemoteMailbox -Identity NEWUSER -DisplayName "NEW USER" -RemoteRoutingAddress newuser@mydomain.onmicrosoft.com -Alias newuser -PrimarySmtpAddress newuser@mydomain.com
    Step 10.
    Move the “NEWUSER” to an OU that is synced with Azure AD and run a Delta Sync as in Step 3.
    After that the “NEWUSER” active directory account will be connected with the “OLDUSER” Exchange Online mailbox and all attributes of the Exchange Online mailbox will be replaced with the “NEWUSER’s” values.
    I suppose there are other ways, maybe easier, to accomplish this task, but following this process you will have the desired result without problems.
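    The hard-match value from Step 4, written as a pair of conversion functions so the ImmutableId can be decoded back to a GUID and compared with the intended account before Step 6 writes it. This is an added example, not code from the original post; it assumes the ActiveDirectory and MSOnline modules (Connect-MsolService already run) and uses the post's placeholders NEWUSER and olduser@mydomain.com.

```powershell
# Added example, not the post's own code. Setting the wrong ImmutableId links the
# Exchange Online mailbox to the wrong AD account, which is hard to notice until
# mail lands in the wrong place, so decode and compare before overwriting.
# Requires the ActiveDirectory and MSOnline modules; Connect-MsolService first.
# NEWUSER and olduser@mydomain.com are the placeholders used in the post.

function ConvertTo-ImmutableId {
    # Same conversion as Step 4: the 16 raw GUID bytes, base64 encoded.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse of the above. Anything that is not exactly 16 bytes was not produced
    # from an objectGUID (a typo, or a value copied from a different kind of anchor).
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId '$ImmutableId' does not decode to a GUID." }
    New-Object System.Guid -ArgumentList @(,$bytes)
}

# 1. Compute the value for NEWUSER exactly as Step 4 does, and prove it round-trips.
$newUser     = Get-ADUser -Identity 'NEWUSER' -Properties objectGUID
$immutableId = ConvertTo-ImmutableId -ObjectGuid $newUser.objectGUID
if ((ConvertFrom-ImmutableId $immutableId) -ne $newUser.objectGUID) { throw 'Round-trip mismatch.' }
"NEWUSER objectGUID $($newUser.objectGUID) -> ImmutableId $immutableId"

# 2. Before overwriting, show which on-premises object the cloud account is currently
#    anchored to. After Steps 2 and 5 this is OLDUSER's objectGUID.
$cloudUser = Get-MsolUser -UserPrincipalName 'olduser@mydomain.com'
if ($cloudUser.ImmutableId) {
    $current = ConvertFrom-ImmutableId $cloudUser.ImmutableId
    if ($current -eq $newUser.objectGUID) { 'Already anchored to NEWUSER; nothing to do.'; return }
    "Currently anchored to objectGUID $current; re-pointing to $($newUser.objectGUID) ($($newUser.SamAccountName))."
}

# 3. Step 6 from the post, now with a value verified to belong to NEWUSER.
Set-MsolUser -UserPrincipalName 'olduser@mydomain.com' -ImmutableId $immutableId
```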

  8. proximagr
    Azure App Service, get data from on-premises databases securely
    There are many scenarios where we want to have the Web Application on the Cloud but on the other hand, due to various limitations, the database stays on-premises. Azure has a service, called Azure Hybrid Connections, that allows the Web App to connect to on-premises databases, using internal IP address or the database server host name, without a complex VPN setup.
    The Connection diagram

    I have tested the connection with Microsoft SQL, PostgreSQL, MySQL, MongoDB and Oracle. The database requirement is a static port. So the first step, in the case of a Microsoft SQL instance, is to assign a static port. In my test environment I have a Microsoft SQL 2016 and I assigned the default port 1433, using SQL Server Configuration Manager / SQL Server Network Configuration / Protocols for INSTANCENAME (MSSQLSERVER).

    All paid service plans support hybrid connections. The limits are on how many hybrid connections can be used per plan, as the table below shows:
    Pricing plan   Number of Hybrid Connections usable in the plan
    Basic          5
    Standard       25
    Premium        200
    Isolated       200
    To start creating the Hybrid Connections, go to the App Service / Networking / Hybrid Connections and press the “Configure your hybrid connection endpoints”

    At the Hybrid connections blade there are two steps, the first is to “Add hybrid connection” and the second is to “Download the connection manager”.

    First click the “Add hybrid connection” and then press “Create new hybrid connection”

    The “Create new hybrid connection” blade will open. Add a Hybrid connection name; this must be at least 6 characters and is the display name of the connection. At the Endpoint host add the hostname of the database server and at the Endpoint port the port of the database. In my case I added 1433, as this is the port I assigned to my SQL instance before.
    Finally you will need to specify a name for a Service Bus namespace. As you realize, the hybrid connection uses Azure Service Bus for the communication. Press OK.

    Once the connection is created it will be shown at the portal as “Not connected”

    Now we need to download and install the hybrid connection manager by clicking the “Download connection manager”. For this test I will install the hybrid connection manager at the same server as the SQL database, but for a production environment it is recommended to install the hybrid connection manager to a different server that will have access to the database servers only to the required ports. For the best security install it to a DMZ server and open only the required ports to the database servers.
    Run the downloaded msi and just click Install.

    Open the “Hybrid connection manager” UI and press “Add a new Hybrid Connection.

    Sign in to your Azure account

    Once logged in, choose your Subscription and the hybrid connection configured previously will appear. Select it and press Save.

    Now the connection manager status will show “Connected”.

    The same at the Azure Portal and your Hybrid connection is ready.

    Test, test, test and proof of concept. Open the Console from the Web App blade and tcpping the SQL server’s hostname at port 1433

    and also sqlcmd

  9. proximagr
    Save 40% on Windows Azure VM made easy
    When creating a new Windows Azure VM you will notice a new selection at the Basics step: the Hybrid Use Benefit. Using this benefit you can save up to 40% on a Windows Azure VM's cost by using your own license with Software Assurance. You just need to have a Windows Server Standard or Datacenter license with Software Assurance; it is not restricted to any specific licensing program and is available to all licenses with Software Assurance.
    At the final step, the Summary, you will see a notification about the Hybrid Use Benefit, explaining the limitations of the benefit, saying:
    “Each Windows Server with Software Assurance (either via each 16-Core license or two-processor license) is entitled to two instances of up to 8 cores, or one instance of up to 16 cores. Please always refer to your Windows Server license count with Software Assurance, your Hybrid Use Benefit entitlements, and your Hybrid Use Benefit deployments to use this benefit while maintaining compliance.“

    Once the Azure VM is ready and you log in, you will notice that the operating system is not activated,

    so you need to press Activate Windows and add your key to activate the Azure VM.

    For more details visit the official page at https://azure.microsoft.com/en-us/pricing/hybrid-use-benefit/
  10. proximagr
    Azure Start Point | Point-to-Site VPN
    In this post series we will go through some basic steps on how to start with Microsoft Azure. At this post we will see how we can create Point-to-Site VPN connection with Azure.
    If you don’t have an Azure Subscription, you can easily create a free trial by just going to https://azure.microsoft.com/en-us/free/
    Create a typical Virtual Network.

    In order to create Point-to-Site VPN connection it needs a Virtual Network Gateway. Go to the Virtual Network, Subnets and add a Gateway Subnet.

    Finally we can add the Virtual Network Gateway. From the portal, create a Virtual Network Gateway resource and add it to the previously created Virtual Network.

    The Virtual Network Gateway can take up to 45 minutes to be created.
    Once the Virtual Network Gateway is created we need one more step. To configure Point-to-site. Open the Virtual Network Gateway and press configure.

    We will need a root and a client self-signed certificate to complete the setup. Using a Windows 10 or Windows Server 2016 machine we can make use of the New-SelfSignedCertificate cmdlet, which makes the process easy. The whole process is described here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
    For the root certificate run the below PowerShell using ISE:
    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=prodevrootcert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
    For the client certificate run the below PowerShell using ISE. The client certificate is issued by the root, so it is signed with the $cert created above and gets the client-authentication EKU; "prodevclientcert" is a placeholder name:
    New-SelfSignedCertificate -Type Custom -DnsName prodevclientcert -KeySpec Signature `
        -Subject "CN=prodevclientcert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
    Export the root certificate public key in cer format using MMC, open the Certificates snap-in and select “current user”. Find the root certificate under Personal –> Certificates and right click –> All Tasks export

    Select to “not export the private key” and use Base64 encoded.

    Export the client certificate by selecting “export the private key” , select the “include all certificates in the certification path” and the “enable certificate privacy”. Add a password and export it to pfx file.

    This pfx file must be installed on all the client computers that will use this Point-to-Site connection.
    Now let's go back to the Point-to-Site configuration page. Add an address pool that the VPN clients will use. This subnet must be different from the Virtual Network address space.

    Then open the root certificate, the cer file, using notepad, copy the text between the Begin and End marks.

    Paste the certificate text into the “Root certificates” –> “Public certificate data” field and add a name in the “Name” field.

    Press Save and the “Download VPN Client” button will be enabled and we can download the VPN client.
    In order to establish the VPN connection we need to install the VPN Client and the Client “pfx” certificate to the workstation.
    The post Azure Start Point | Point-to-Site VPN appeared first on Apostolidis IT Corner.

  11. proximagr
    Connect two or more Azure Virtual Networks using one VPN Gateway
    Peering is a feature that allows connecting two or more virtual networks so that they act as one bigger network. In this post we will see how we can connect two Azure Virtual Networks using peering and access the whole network using one VPN Gateway. We can connect Virtual Networks regardless of whether they are in the same Subscription or not.
    I have created a diagram to help understand the topology.

    We have a Virtual Network with a Site-2-Site VPN to on-premises. It can also have a Point-2-Site connection configured. This is VNET A. We have another Virtual Network in the same subscription that we want to connect to it: VNET B. We can also have a third Virtual Network in a different subscription: VNET C.

    In short we need these peerings with the specific settings:
    • At VNETA: peering VNETA to VNETB with “Allow Gateway transit”
    • At VNETA: peering VNETA to VNETC with “Allow Gateway transit”
    • At VNETB: peering VNETB to VNETA with “Use Remote Gateway”
    • At VNETB: peering VNETB to VNETC
    • At VNETC: peering VNETC to VNETA with “Use Remote Gateway”
    • At VNETC: peering VNETC to VNETB

    In order to be able to connect all those networks and also access them over the VPN connection there are four requirements:
    • The account that will be used to create the peering must have the “Network Contributor” role.
    • The address spaces must be different and must not overlap.
    • All other Virtual Networks, except the one that has the VPN connection, must NOT have a VPN Gateway deployed.
    • Of course, at the local VPN device (router) we need to add the address spaces of all the Virtual Networks that we need to access.
    Lets lab it:
    • HQ –> The on-premises network
    • VNET A –> The Virtual Network that has the VPN Gateway (in my lab it is named “devvn”)
    • VNET B –> The virtual network at a different subscription from the Gateway (in my lab it is named “Network prtg-rsg-vnet”)
    • VNET C –> The virtual network at the same subscription as the Gateway network (in my lab it is named “provsevnet”)

    The on-premises network is connected with Site-to-site (IPsec) VPN to the VNETA

    Now we need to connect VNETA and VNETB using VNet peering. In order to have a peering connection we need to create one connection from VNETA to VNETB and one from VNETB to VNETA.
    Open the VNETA Virtual Network, go to the Peerings setting and press +ADD
    Select the VNETB and check the “Allow Gateway transit” to allow the peer virtual network to use your virtual network gateway

    Then go to the VNETB, go to the Peerings setting and click +ADD.
    Select the VNETA Virtual Network and check the “Use Remote Gateway” to use the peer’s virtual network gateway. This way the VNETB will use the VNETA’s Gateway.

    Now we can contact the VNETB network from our on-premises network
    a multi-ping screenshot:
    From (VNETB) to (on-premises) & the opposite; from 10.1.2.4 (VNETA) to (VNETB) & to (on-premises)

    The next step is to create a cross-subscription peering VNETA with VNETC
    Open the VNETA and create a peering by selecting the VNETC from the other Subscription and check the “allow gateway transit”

    Then go to the VNETC and create a peering with the VNETA and check “Use remote gateway”.

    With the two above connections we have connectivity between the on-premises network and the VNETC.
    The final step, to enable the connectivity between VNETB & VNETC. To accomplish this just create one peer from the VNETB to VNETC and one from VNETC to VNETB.
    Ping inception:

    In order to have client VPN connectivity to the whole network, create a Point-2-Site VPN at the VNETA. You can follow this guide: Azure Start Point | Point-to-Site VPN
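    The six peerings listed above, created with the Az PowerShell module with the gateway-transit and remote-gateway flags the post specifies, plus checks for two of the four requirements (non-overlapping address spaces; no gateway on the VNets that will use VNETA's). This is an added example, not code from the original post; resource group names and the two subscription ids are placeholders, and the on-premises router routes are outside Azure and not scripted.

```powershell
# Added example, not the post's own code. Run Connect-AzAccount first with an
# account that holds Network Contributor on all three VNets (requirement 1).
$subAB = '00000000-0000-0000-0000-0000000000aa'   # placeholder: subscription holding VNETA and VNETB
$subC  = '00000000-0000-0000-0000-0000000000cc'   # placeholder: subscription holding VNETC

function Test-Ipv4PrefixOverlap {
    # True when two IPv4 CIDR prefixes share any address: compare both network
    # addresses under the shorter of the two masks.
    param([string]$PrefixA, [string]$PrefixB)
    $parse = {
        param([string]$cidr)
        $ip, $len = $cidr.Split('/')
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [array]::Reverse($bytes)                     # network order -> little-endian for BitConverter
        [pscustomobject]@{ Addr = [BitConverter]::ToUInt32($bytes, 0); Len = [int]$len }
    }
    $a = & $parse $PrefixA; $b = & $parse $PrefixB
    $len  = [Math]::Min($a.Len, $b.Len)
    $mask = if ($len -eq 0) { [uint32]0 } else { [uint32](4294967295 - ([long][Math]::Pow(2, 32 - $len) - 1)) }
    return (($a.Addr -band $mask) -eq ($b.Addr -band $mask))
}

function Get-SubscriptionIdFromResourceId {
    param([string]$ResourceId)
    ($ResourceId -split '/')[2]                      # /subscriptions/<id>/resourceGroups/...
}

function Add-PeeringPair {
    # A peering is two one-way objects. With -GatewayTransit, Local offers its gateway
    # ("Allow Gateway transit") and Remote consumes it ("Use Remote Gateway").
    param($Local, $Remote, [switch]$GatewayTransit)

    # Requirement 2: address spaces must not overlap.
    foreach ($pa in $Local.AddressSpace.AddressPrefixes) {
        foreach ($pb in $Remote.AddressSpace.AddressPrefixes) {
            if (Test-Ipv4PrefixOverlap $pa $pb) { throw "$pa ($($Local.Name)) overlaps $pb ($($Remote.Name))." }
        }
    }
    # Requirement 3: a VNet that will use the remote gateway must not have its own.
    # A deployed gateway shows up as IP configurations bound to its GatewaySubnet.
    if ($GatewayTransit) {
        $gwSubnet = $Remote.Subnets | Where-Object Name -eq 'GatewaySubnet'
        if ($gwSubnet -and $gwSubnet.IpConfigurations.Count -gt 0) {
            throw "$($Remote.Name) already has a gateway deployed and cannot use $($Local.Name)'s."
        }
    }

    # Each half is created in the subscription that owns that VNet (cross-subscription case).
    Set-AzContext -SubscriptionId (Get-SubscriptionIdFromResourceId $Local.Id) | Out-Null
    Add-AzVirtualNetworkPeering -Name "$($Local.Name)-to-$($Remote.Name)" -VirtualNetwork $Local `
        -RemoteVirtualNetworkId $Remote.Id -AllowGatewayTransit:$GatewayTransit | Out-Null
    Set-AzContext -SubscriptionId (Get-SubscriptionIdFromResourceId $Remote.Id) | Out-Null
    Add-AzVirtualNetworkPeering -Name "$($Remote.Name)-to-$($Local.Name)" -VirtualNetwork $Remote `
        -RemoteVirtualNetworkId $Local.Id -UseRemoteGateways:$GatewayTransit | Out-Null
}

Set-AzContext -SubscriptionId $subAB | Out-Null
$vnetA = Get-AzVirtualNetwork -ResourceGroupName 'rg-a' -Name 'VNETA'   # placeholder names
$vnetB = Get-AzVirtualNetwork -ResourceGroupName 'rg-b' -Name 'VNETB'
Set-AzContext -SubscriptionId $subC | Out-Null
$vnetC = Get-AzVirtualNetwork -ResourceGroupName 'rg-c' -Name 'VNETC'

Add-PeeringPair -Local $vnetA -Remote $vnetB -GatewayTransit   # VNETB reaches on-premises via VNETA's gateway
Add-PeeringPair -Local $vnetA -Remote $vnetC -GatewayTransit   # cross-subscription, same flags
Add-PeeringPair -Local $vnetB -Remote $vnetC                   # plain peering between B and C

# Both halves must report Connected; "Initiated" on one side means the other half is missing.
foreach ($v in $vnetA, $vnetB, $vnetC) {
    Set-AzContext -SubscriptionId (Get-SubscriptionIdFromResourceId $v.Id) | Out-Null
    Get-AzVirtualNetworkPeering -ResourceGroupName $v.ResourceGroupName -VirtualNetworkName $v.Name |
        Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways
}
```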
  12. proximagr
    Azure Storage Advanced Threat Protection
    Azure Storage Advanced Threat Protection is a new security feature, currently in Preview. It monitors the Azure Blob Storage accounts. It detects anomalies and uncommon access to the Storage Account and notifies the admins through email.
    All the Azure Storage Advanced Threat Protection monitoring and logs are integrated into the Azure Security Center, including the well-known ASC recommendations.
    It’s very easy to enable: just go to the Azure Portal, navigate to your storage account’s Advanced Threat Protection setting and switch it ON!

    After that you can view the alerts at the Security Center, under Threat Protection’s Security Alerts.

    First published at https://www.e-apostolidis.gr/microsoft/azure/azure-storage-advanced-thread-protection/
  13. proximagr
    Azure Update Management
    Have you checked the update management system for your Azure and on-premises servers, which supports both Windows and Linux operating systems? And it is completely free! Please find the full list of supported operating systems and prerequisites here: https://docs.microsoft.com/en-us/azure/operations-management-suite/oms-solution-update-management#prerequisites.
    Let’s get started. The easiest way is to start from an Azure VM. Go to the VMs blade and find “Update management”. You will see a notification that the solution is not enabled.

    Click the notification and the “Update Management” blade will open. “Update Management” is an OMS solution, so you will need a “Log analytics” workspace; you can use the Free tier. If you don’t have a Log analytics workspace the wizard will create a default one for you. It will also create an automation account. Pressing Enable will enable the “Update Management” solution.

    After about 15 minutes, at the “Update Management” section of the VM you will see the report of the VM’s updates.

    After that process the Automation Account is created and we can browse to the “Automation Accounts” service at the Azure Portal. There click the newly created Automation Account and scroll to the “Update Management” section. There we can see a full report of all VMs that we will add to the Update Management solution. To add more Azure VMs simply click the “Add Azure VM” button.

    The Virtual Machines blade will open and will list all Virtual Machines at the tenant. Select each VM and press Enable.

    After all required VMs are added to the Update Management solution click the “Schedule update deployment” button. There we will select the OS type of the deployment, the list of computers to update, what type of updates will deploy and the scheduler. More or less this is something familiar for anyone that has worked with WSUS.

    Press the “Computers to Update” to select the Azure VMs for this deployment from the list of all VMs enabled.

    Then select what types of updates will deploy.

    If you want to exclude any specific update you can add the KB number at the “Excluded updates” blade.

    And finally select the schedule that the update deployment will run.

    Back to the “Update Management” blade, as we already said, we have a complete update monitoring of all Virtual Machines that are part of the “Update Management” solution.

    You can also go to the “Log Analytics” workspace and open the “OMS Portal”.

    There, among others, you will see the newly added “System Update Assessment” solution.

    There you have full monitoring and reporting of the updates across your whole environment.

    The post Azure Update Management appeared first on Apostolidis IT Corner.

  14. proximagr
    Create Azure File Shares at your ARM template using PowerShell
    Using an Azure Resource Manager template deployment you can create a Storage account, but you cannot create File Shares. Azure File Shares can be created using the Azure Portal, Azure PowerShell or the Azure CLI.
    The idea is to run a PowerShell script that will create the File Shares. This script will be invoked from inside the ARM Template. In order to use a PowerShell script from a template, the script must be fetched from a URL; a good way to provide this is a Git repository. One major thing to consider is that the Storage Account key must be provided to the PowerShell script securely, since the PowerShell script itself sits at a public URL.
    The PowerShell script will run inside a Virtual Machine, and we will use the CustomScriptExtension to deliver it. To use this, add a resources section to the Virtual Machine resource of the JSON file.
    The Custom Script Extension is located inside the Virtual Machine resource. Let’s assume that the last part of the Virtual Machine resource is the “diagnosticsProfile”, so after the closure of the “diagnosticsProfile” (and of the “properties” block that contains it) we can add the “resources”. Inside the “resources” add the “extensions” resource that will add the “CustomScriptExtension”, like below.
    The Template Part
    This will be the addition at the Virtual Machine resource:
        "diagnosticsProfile": {
            "bootDiagnostics": {
                "enabled": true,
                "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('diagnosticStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
            }
        }
    },
    "resources": [
        {
            "name": "AzureFileShares",
            "type": "extensions",
            "location": "[variables('location')]",
            "apiVersion": "2016-03-30",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/virtualMachines', parameters('VMName'))]"
            ],
            "tags": {
                "displayName": "AzureFileShares"
            },
            "properties": {
                "publisher": "Microsoft.Compute",
                "type": "CustomScriptExtension",
                "typeHandlerVersion": "1.4",
                "autoUpgradeMinorVersion": true,
                "settings": {
                    "fileUris": [
                        "<RAW-URL-OF-azurefiles.ps1>"
                    ]
                },
                "protectedSettings": {
                    "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -File ','azurefiles.ps1 -SAName ',parameters('AzureFilesStorageName'),' -SAKey ', listKeys(resourceId(variables('AzureFilesStorageAccountResourceGroup'),'Microsoft.Storage/storageAccounts', parameters('AzureFilesStorageName')), '2015-06-15').key1)]"
                }
            }
        }
    ]
    The extension must depend on the Virtual Machine that will run the script and on the Storage Account that will be used for the file shares.
    At the custom script properties add the public RAW url of the PowerShell script.
    Next, let’s see the Storage Account key and execution part. At the commandToExecute section we provide an expression that passes the Storage Account key and name into the script for execution. The expression reads the Storage Account key from the Storage Account using the permissions of the account running the Template Deployment, and because it sits under protectedSettings it is not exposed in the template output.
    Of course, to make the template more flexible, I have added a variable for the Resource Group and a parameter for the AzureFilesStorageName, so the template will ask for the Storage Account name at the parameters.
    The PowerShell
    The PowerShell script was tested on a Windows Server 2016 VM. You can find it below:
    Param (
        [Parameter(Mandatory = $true)][string]$SAName,   # storage account name, passed by commandToExecute
        [Parameter(Mandatory = $true)][string]$SAKey     # storage account key, passed through protectedSettings
    )
    # Bootstrap the Azure PowerShell module on a fresh VM
    Install-PackageProvider -Name NuGet -Force
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    Install-Module Azure -Confirm:$False
    Import-Module Azure
    # Build a storage context from the key and create the share
    $storageContext = New-AzureStorageContext -StorageAccountName $SAName -StorageAccountKey $SAKey
    New-AzureStorageShare -Name "<share-name>" -Context $storageContext   # share name is redacted in the post
  15. proximagr
    <h1 class="entry-title h1">Global Azure Bootcamp 2018 – Athens</h1>
    <p>This year I am very excited of being part of the organizers team of Global Azure Bootcamp 2018, Athens.</p>
    <p>This is a photo at the end of the event with all the Organizers, Speakers and Volunteers:</p>
    <p><img src="https://azureheadsassets.blob.core.windows.net/assets/2018/04/gab-126-990x526.jpg"/></p>
    <p>The day before the event, the organizers, Kostas Pantos, Paris Polyzos and me, preparing:</p>
    <p id="UUmNlfx"><img class="alignnone size-full wp-image-2089 " src="https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b9259bff3db1.png" alt="" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b9259bff3db1.png 1296w, https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b9259bff3db1-300x173.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b9259bff3db1-768x444.png 768w, https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b9259bff3db1-1024x592.png 1024w, https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b9259bff3db1-600x347.png 600w" sizes="(max-width: 1296px) 100vw, 1296px" /></p>
    <p>Me and Paris Polyzos, the two Azure MVPs of Greece:</p>
    <p id="mmabbEs"><img class="alignnone size-full wp-image-2088 " src="https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b92598f38ab2.png" alt="" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b92598f38ab2.png 534w, https://www.e-apostolidis.gr/wp-content/uploads/2018/09/img_5b92598f38ab2-175x300.png 175w" sizes="(max-width: 534px) 100vw, 534px" /></p>
    <p>My presentation’s title was: <strong>Azure PaaS: Elasticity & Global Availability</strong></p>
    <p>It is about how to build resilient and globally available apps using Microsoft Azure PaaS, that stay alive even after a full Region failure.</p>
    <p>Feel free to download my presentation from here: <a href="https://aka.ms/GAB2018Presentation">https://aka.ms/GAB2018Presentation</a></p>
    <p>And the DEMO:</p>
    <p>Part1: <a href="https://aka.ms/GAB2018DEMOPart2">https://aka.ms/GAB2018DEMOPart2</a></p>
    <p>Part2: <a href="https://aka.ms/GAB2018DEMOPart01">https://aka.ms/GAB2018DEMOPart01</a></p>
    <p>More at the azureheads.gr blog: <a href="https://www.azureheads.gr/2018/04/global-azure-bootcamp-2018-athens-wrap-up/">https://www.azureheads.gr/2018/04/global-azure-bootcamp-2018-athens-wrap-up/</a></p>
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/general/global-azure-bootcamp-2018-athens/">Global Azure Bootcamp 2018 – Athens</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>

    <a href="https://www.e-apostolidis.gr/general/global-azure-bootcamp-2018-athens/"class='bbc_url' rel='nofollow external'>Source</a>
  16. proximagr
    Azure VM CMD & PowerShell from the Portal
    Today I was trying to troubleshoot an Azure VM. This VM is behind a Network Virtual Appliance (NVA), and the subnet has User Defined Routes (UDR) that route the traffic to the NVA. We were troubleshooting the NVA and it was not possible to connect to the VM with RDP.
    Serial Console
    This is an excellent scenario to use the Serial Console. From the Azure Portal, portal.azure.com, navigate to the Azure VMs blade, scroll down to the Support + Troubleshooting section and select “Serial Console”.

    The Serial Console will initialise and after a while it will establish the connection; the prompt will be SAC>. If you encounter any errors establishing the SAC link, please follow this link: https://aka.ms/serialconsolewindows
    At the SAC> prompt, enter help to list the available commands.

    Using the i command we can get the IP Address configuration of the VM.
    Command Prompt
    To create a command prompt session, first enter “cmd”. This will create a session.

    To list the cmd sessions, enter “ch”.

    To select and log in to a cmd session, enter “ch -si #”, where # is the channel number. At the screen below press Enter.

    At the next screen enter the admin credentials

    and we have a Command Prompt. At this command prompt we can use all cmd commands.

    Some examples:
    ping -t

    At the command prompt enter “powershell” and press Enter to open a PowerShell Session.

    PowerShell example, disable windows firewall:
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

    and yes, it’s off.

    Of course, we could also disable the firewall using CMD:
    netsh advfirewall set allprofiles state off
    For more example commands follow this link: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/serial-console-cmd-ps-commands
  17. proximagr
    SQL Failover Cluster with AlwaysOn Availability Groups
    Now let’s go for the last part of the lab: adding an AlwaysOn Availability Group to the existing SQL WSFC.
    Windows Server 2012 R2 Failover Cluster with FreeNAS 9.3 (Page 1, Page 2) Microsoft SQL 2012 on Failover Cluster (Page 1, Page 2, Page 3) Add AlwaysOn AG to SQL Failover Cluster Instance (Page 1, Page 2, Page 3)

    Add AlwaysOn AG to SQL Failover Cluster Instance (Page 1)
    To begin, we need to enable the “AlwaysOn High Availability” setting on both Nodes of the existing Cluster. Note here that this option exists only in the Enterprise edition, not in Standard. So we open SQL Server Configuration Manager / SQL Server Services / SQL Server (NAME), right click Properties, and on the “AlwaysOn High Availability” tab we check “Enable AlwaysOn Availability Groups”. As soon as we press Apply, it informs us that the change will be applied to SQL at the next restart.

    We do not restart.
    Now, for the change to take effect on the second Node, we need to do a manual failover so that the SQL service starts up there. As we did at the end of the previous post, when we installed the second SQL Node, from Failover Cluster Manager we move the SQL Server Role to the second Node. Now, if you open SQL Server Configuration Manager you will see that the SQL Server service has been stopped on the first Node, and the SQL Server service is running on the second Node with AlwaysOn enabled. Finally, we move the SQL Server Role back to the first Node.
    Next, let’s add the third server to the existing Windows Failover Cluster. We open Failover Cluster Manager on the first Node (Win2012R201 in the lab) and click Nodes / Add Node…

    The Wizard starts; we click the first Next, and at Select Servers we select the third server (Win2012R203 in the lab) and click Next.
    For the verification to pass, the server must already have the Failover Cluster feature, which in the lab is there from the template.

    Since this Node will not really be part of the Failover Cluster, and we want it only for AlwaysOn, we choose not to run the validation tests and not to add storage.

    Now we have to make sure that the Cluster will not try to bring SQL up on the third Node, which is meant for AlwaysOn.
    After the Node is added to the Cluster, first we go to Failover Cluster Manager / WSFCcomputername (sqlclus.sqllab.int for the lab); under Cluster Core Resources, Server Name, we select the computer name of the SQL cluster (sqlclus for the lab) and right click Properties.

    We go to the Advanced Policies tab and uncheck the third Node, as in the picture.

    Next, on the SQL Server Role, right click Properties and select only the first two Nodes as preferred owners.

    We do the same for the two Cluster Disks.

    Now we do a standard SQL Server 2012 installation on the third Node, with the same settings we used for the Cluster, with the difference that we do a Stand Alone Setup instead of Cluster, and we must give a different instance name because the Default instance (MSSQLSERVER) already exists on the Cluster. We also give the server a disk with the same drive letter as the one the Cluster servers use for SQL. In the lab it is F:.

    After the installation finishes, we enable AlwaysOn here too from SQL Server Configuration Manager and restart the SQL Server service.
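    The cluster-side steps of this page, done from PowerShell on the first node, as an added example that is not part of the original post. Lab names come from the post (Win2012R201/02/03, cluster sqlclus, the default MSSQLSERVER instance on the FCI); the stand-alone instance name on the third node, "AGINST", is an assumption, since the post only says it must differ from MSSQLSERVER.

```powershell
# Added example (not the post's own code). Run on Win2012R201 as a cluster admin.
Import-Module FailoverClusters
Import-Module SqlServer        # on SQL 2012-era hosts the module is SQLPS

$sqlRole  = "SQL Server (MSSQLSERVER)"
$fciNodes = "Win2012R201", "Win2012R202"
$agNode   = "Win2012R203"
$agInstance = "AGINST"         # assumption: any name other than MSSQLSERVER

# 1. Enable AlwaysOn on both FCI nodes without restarting. Each node applies the
#    setting the next time the service starts on it, so a failover and a
#    failback (as the post does) restart each node's service exactly once.
foreach ($n in $fciNodes) {
    Enable-SqlAlwaysOn -Path "SQLSERVER:\SQL\$n\DEFAULT" -NoServiceRestart -Force
}
Move-ClusterGroup -Name $sqlRole -Node "Win2012R202" | Out-Null
Move-ClusterGroup -Name $sqlRole -Node "Win2012R201" | Out-Null

# 2. Join the third node without adding any of its storage to the cluster
#    (Add-ClusterNode does not run the validation tests).
Add-ClusterNode -Name $agNode -NoStorage | Out-Null

# 3. Keep every clustered object off the third node: possible owners of the
#    core network name resource, preferred owners of the SQL role and disks.
Set-ClusterOwnerNode -Resource "Cluster Name" -Owners $fciNodes
Set-ClusterOwnerNode -Group $sqlRole -Owners $fciNodes
Get-ClusterResource | Where-Object { $_.ResourceType.Name -eq "Physical Disk" } |
    Set-ClusterOwnerNode -Owners $fciNodes

# 4. After the stand-alone install on the third node, enable AlwaysOn there.
#    That instance is not clustered, so the immediate service restart is fine.
Enable-SqlAlwaysOn -Path "SQLSERVER:\SQL\$agNode\$agInstance" -Force

# Check: the third node must not be listed as an owner anywhere.
function Test-NoOwnership {
    param([string]$Node)
    $owners = @(
        (Get-ClusterOwnerNode -Resource "Cluster Name").OwnerNodes
        (Get-ClusterOwnerNode -Group $sqlRole).OwnerNodes
        (Get-ClusterResource | Where-Object { $_.ResourceType.Name -eq "Physical Disk" } |
            Get-ClusterOwnerNode).OwnerNodes
    ) | ForEach-Object { $_.Name }
    return ($owners -notcontains $Node)
}
Test-NoOwnership -Node $agNode    # expected: True
```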

    Continued on the next page
    Source http://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/add-alwayson-ag-to-sql-failover-cluster-instance/
  18. proximagr
    Azure Policy | Limit the Azure VM Sizes
    Azure Governance
    This post, Azure Policy, is the first of a series of posts about Azure Governance. The idea is to explain, through examples and how-to guides, the tools that Microsoft Azure provides to help administrators enforce rules across all subscriptions. Some examples of such rules: helping organizations stay compliant with their corporate standards, standardizing resource creation and management, managing permissions and access controls, etc.
    Azure Policy
    Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all the Azure Subscriptions that we manage. We can use these rules for simple limitations, like permitting only specific VM Series and Sizes to be created, and also for more complex rule sets that help you standardize the whole Azure deployment.
    Limit the Azure VM Sizes
    In this first post we will go through a simple policy, the “Allowed virtual machine SKUs”. With this policy you can control which Azure VM series and sizes are permitted for deployment. You can apply this policy to a whole Management group, to a Subscription or to a single Resource Group.
    Step by Step Guide
    Open the Azure portal, https://portal.azure.com, and login with your account. At the top search box write “policy”. From the search results select the “policy”.

    At the Policy screen, select the “Definitions”. To create and apply a policy we need to start from a Policy Definition.

    At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. At the Category drop down menu, deselect everything and select only the “Compute”. Press the “Allowed virtual machine SKUs” definition.

    The “Allowed virtual machine SKUs” definition will open. Here we can see the code beneath the definition. It is written in JSON format. If we want to make changes to the definition we must first press “Duplicate definition”. This creates a copy of the definition; then we can open the duplicate and press “Edit definition”. We will cover this in a future post.
    To select the VM sizes, the scope and apply the definition, press “Assign”
    Set the scope
    At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots.

    For scope, we can select a whole Management group, a whole subscription or a single Resource Group.
    Select the Azure VM SKUs
    After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow.

    At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2.
    We can change the “Assignment Name” to easily find the specific assignment at the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs”
    The next step is the “Managed Identity”. A managed identity creates an Azure AD identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it doesn’t exist.
    We don’t need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”.

    A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope.

    Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope.
    Test the policy
    To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM.

    And the error details: “disallowed by policy”

    You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/
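    The same assignment done with the Az PowerShell module, as an added example that is not part of the original post: it assigns the built-in definition to one resource group with the SKUs chosen above, and then checks the assignment and the compliance state. The resource group "devrg" is from the post; the built-in definition is looked up by display name, which newer portals show as “Allowed virtual machine size SKUs”.

```powershell
# Added example (not the post's own code). Requires Az.Resources and Az.PolicyInsights.
Import-Module Az.Resources
Import-Module Az.PolicyInsights

$scope   = (Get-AzResourceGroup -Name "devrg").ResourceId
# The SKUs picked in the post: F1-4, F2s-4s and F2s_v2-4s_v2.
$allowed = @("Standard_F1", "Standard_F2", "Standard_F4",
             "Standard_F2s", "Standard_F4s", "Standard_F2s_v2", "Standard_F4s_v2")

# Built-in definitions are found by display name; match both the old and the
# renamed display name so the script keeps working.
$def = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -in @("Allowed virtual machine SKUs",
                                                  "Allowed virtual machine size SKUs") } |
    Select-Object -First 1
if (-not $def) { throw "built-in 'Allowed virtual machine SKUs' definition not found" }

# This is the "code beneath the definition" the portal shows: a Deny effect on
# Microsoft.Compute/virtualMachines whose sku.name is not in the parameter list.
$def.Properties.PolicyRule | ConvertTo-Json -Depth 10

# No managed identity is needed: Deny does not create resources.
$assignment = New-AzPolicyAssignment -Name "allowed-f1-4-vm-skus" `
    -DisplayName "Allowed only F1-4 virtual machine SKUs" `
    -Scope $scope -PolicyDefinition $def `
    -PolicyParameterObject @{ listOfAllowedSKUs = $allowed }

# Verify the assignment and, once evaluation has run (the post waits about
# 30 minutes), list anything in the group that the policy flags.
function Get-PolicyView {
    param([string]$ResourceGroupName, [string]$Scope)
    [pscustomobject]@{
        Assignments  = Get-AzPolicyAssignment -Scope $Scope |
                           Select-Object Name, @{ n = "Scope"; e = { $_.Properties.Scope } }
        NonCompliant = Get-AzPolicyState -ResourceGroupName $ResourceGroupName `
                           -Filter "ComplianceState eq 'NonCompliant'" |
                           Select-Object ResourceId, PolicyAssignmentName
    }
}
Get-PolicyView -ResourceGroupName "devrg" -Scope $scope
```

A deployment of a Standard_DS1_v2 into devrg after the assignment takes effect fails with the “disallowed by policy” error shown above, regardless of the deployer’s role.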
  19. proximagr
    Secure MySQL and PostgreSQL using Service Endpoints
    In a previous post, Secure your Azure SQL Database inside a VNET using service endpoints, we saw how we can use the Service Endpoints of the Azure Virtual Network to secure an Azure SQL so that it is accessible only from the internal network.

    Today, Microsoft Azure announced the general availability of Service Endpoints for MySQL and PostgreSQL. This gives us the ability to cut off all Public access to MySQL & PostgreSQL and allow access only from our internal network. Of course, a specific Subnet or Subnets can be defined. Also, there is no extra charge for using Service Endpoints.

    You can read more at the Microsoft Azure Blog: Announcing VNet service endpoints general availability for MySQL and PostgreSQL
  20. proximagr
    Protect your Web App using Azure Application Gateway Web Application Firewall
    A Web Application Firewall was always a big investment for a small or growing company, as most of the top branded vendors charge a lot of money. A Web Application Firewall protects your application from common web vulnerabilities and exploits like SQL Injection or Cross-Site Scripting. Azure provides an enterprise-grade Web Application Firewall through the Application Gateway. It comes in two pricing models, Medium and Large. More about sizes and instances you can find here, and more about pricing here.
    We can add the Application Gateway Web Application Firewall to protect our Azure Web App (PaaS) and our Web Application inside a VM’s web server (IaaS). In this post we will see how to protect them both.

    One difference, in order to fully protect the Azure Web App (PaaS), is to create an App Service Environment with an internal VIP to host the Web App, so that it is hidden inside a VNET. First things first: create a VNET with one subnet for the Application Gateway WAF.
    App Service Environment
    After the VNET, create the App Service Environment from the Azure Portal: New –> App Service Environment, and select VIP Type “Internal”. Add it to the VNET created before and create a subnet for the ASE. You need to be patient here because the deployment will take more than an hour, almost two.
    Web App
    As soon as the App Service Environment is ready we can create our Web App. Create a Web App from the Azure Portal with one difference: for the App Service Plan location, instead of selecting a Region, select the App Service Environment.

    As you realize, the Web App resides in the internal VNET with no access from the internet. So, in order to access the application at this point we need a VM (a small one, just to test and deploy our application). Create a small VM and add it to this VNET. One small detail: in order to be able to browse to the site’s URL we need to enter the FQDN, in our case papwaf3app.funniest.gr. To do this we need an entry in the VM’s hosts file. This way we can access the newborn Web App.
    Web Application Firewall
    Let’s create the secure public entry point for our Web App. Create an application gateway, select the WAF Tier, select the required SKU, add it to the WAF subnet we created before, select a Public IP configuration and WAF enabled.

    When the Application Gateway is ready we need to do some configuration. First, at the Backend pools, open the default backend pool and add the Internal Load Balancer IP address of the ASE as target.

    Then add a health probe. For host add the FQDN of the Web App.

    At the HTTP settings, check “Use custom probe” and select the previously created probe.

    And that’s all. Now we can try our Web App from the Internet. To do so we need to browse to the Web App’s URL, which is now published by the Application Gateway, from the Internet. So, we need to create a Public DNS record to point the FQDN to the Application Gateway’s FQDN. In this case we need to create a CNAME papwaf3app.funniest.gr pointing to 8b0510c1-47e9-4b94-a0ff-af92e4455840.cloudapp.net. To test the app right now we can just add a hosts file entry on our computer pointing to the Public IP Address of the application gateway, and we can access the Web App behind the WAF.

    In order to be able to see the Application Gateway and Web Application Firewall logs we need to turn on diagnostics. The easiest way to see the logs is by sending them to Log Analytics (OMS).

    With the Firewall in “Detection” mode, if we try an SQL Injection (?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )–), the Web App still serves the landing page.

    By switching the Firewall to “Prevention” mode, the same SQL injection attack is stopped by the WAF before it reaches our Web App.
    Protect an IaaS Web Application
    To add a Web Application that runs inside a VM behind the Application Gateway Web Application Firewall, first add the VM as a Back End Pool. Create a new Backend Pool and select “Virtual Machine”. Select the Virtual Machine that runs the Web Application.

    Then create a new probe, adding the URL of the Web Application.
    Next, add HTTP settings and set the newly created probe “vmsite” as the custom probe.

    Next step is to create two multi-site listeners, one for each host name

    After the listener, add a Basic rule using the Listener, Backend Pool and HTTP settings we created for the VM Web Application,

    Finally, one extra step is to change the default rule1 to listen on the Web App listener.

    Finally, the Application Gateway Web Application Firewall provides secure access to both the Web App (PaaS) and the VM Web Application (IaaS).
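    The mode switch, the diagnostics setting and a query over the firewall log, scripted with the Az PowerShell module, as an added example that is not part of the original post. The gateway, resource group and Log Analytics workspace names are assumptions; the log field names are those of the Application Gateway WAF log in the AzureDiagnostics table.

```powershell
# Added example (not the post's own code). Names below are assumptions.
Import-Module Az.Network
Import-Module Az.Monitor
Import-Module Az.OperationalInsights

$rg = "rg-waf"
$gw = Get-AzApplicationGateway -Name "papwaf3-appgw" -ResourceGroupName $rg
$ws = Get-AzOperationalInsightsWorkspace -Name "waf-logs" -ResourceGroupName $rg

# Detection only logs matches; Prevention blocks them (OWASP CRS 3.0 rule set).
$gw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw `
        -Enabled $true -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion "3.0"
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Turn on diagnostics: the three gateway log categories, shipped to Log Analytics.
Set-AzDiagnosticSetting -Name "appgw-to-la" -ResourceId $gw.Id -WorkspaceId $ws.ResourceId `
    -Enabled $true `
    -Category ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog

# What the WAF did in the last hour, grouped by action, rule and request. The
# injection test from the post shows up here as Detected in Detection mode and
# as Blocked in Prevention mode.
function Get-WafActivity {
    param([string]$WorkspaceCustomerId, [string]$Window = "1h")
    $kql = @"
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and Category == "ApplicationGatewayFirewallLog"
| where TimeGenerated > ago($Window)
| summarize hits = count() by action_s, ruleId_s, clientIp_s, requestUri_s
| order by hits desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceCustomerId -Query $kql).Results
}
Get-WafActivity -WorkspaceCustomerId $ws.CustomerId |
    Format-Table action_s, ruleId_s, clientIp_s, requestUri_s, hits -AutoSize
```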

  21. proximagr
    Secure your Azure SQL locally inside your vnet using service endpoints
    For many companies, a drawback of using Azure SQL was the public access. After the latest Azure updates you can use service endpoints to secure your Azure SQL locally inside your VNET! For now, the feature is available only in the West Central US, West US 2 and East US regions, but more will follow soon.
    So, let’s secure your Azure SQL locally inside your VNET! At the VNET creation blade, select the Microsoft.Sql service endpoint from the list of available service endpoints.

    Then create an SQL Database in the same region.

    Next, go to the SQL server firewall settings and turn Off “Allow access to Azure services”. By doing this you disable access to the SQL Server through its public endpoint from other Azure services.

    Click the “Add existing virtual network” and create an access rule, in order to be able to access the SQL Server from your Virtual Network using the service endpoints.

    Now let’s test. A fast way to test your SQL connectivity from a Virtual Machine on the VNET, without having the SQL management tools, is to open the “ODBC Data Source Administrator” and create a new connection. Add the Azure SQL Server IP.

    At the next screen enter the username and password of your SQL Server and finally click “Test Data Source”.

    Of course, we can also connect with SSMS. Add the SQL Server FQDN, the username and the password

    and you are connected, fast and securely!

    You cannot yet add your SQL to a subnet, but you secure its access inside your VNET! All public access is denied.
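    The same lock-down with the Az PowerShell module, as an added example that is not part of the original post: enable the Microsoft.Sql endpoint on the subnet, remove the rule behind the “Allow access to Azure services” toggle (the firewall rule AllowAllWindowsAzureIps, 0.0.0.0 to 0.0.0.0), add the VNet rule and then report what is still reachable. Resource group, VNET, subnet and server names are assumptions.

```powershell
# Added example (not the post's own code). Names below are assumptions.
Import-Module Az.Network
Import-Module Az.Sql

$rg = "rg-sql"; $vnetName = "vnet-app"; $subnetName = "app-subnet"; $server = "sqlsrv-lab"

# 1. Service endpoint on the subnet: traffic to Azure SQL now carries the
#    subnet's identity instead of leaving through a public IP.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Sql" | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# 2. The portal toggle "Allow access to Azure services" is this firewall rule.
$azureRule = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Where-Object { $_.FirewallRuleName -eq "AllowAllWindowsAzureIps" }
if ($azureRule) {
    Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
        -FirewallRuleName "AllowAllWindowsAzureIps" -Force | Out-Null
}

# 3. Allow only the subnet, by its resource id (the "Add existing virtual network" step).
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName "allow-$subnetName" -VirtualNetworkSubnetId $subnet.Id | Out-Null

# Check: which public IP ranges are still allowed (ideally none) and that the
# VNet rule has reached the Ready state.
function Get-SqlExposure {
    param([string]$ResourceGroupName, [string]$ServerName)
    [pscustomobject]@{
        PublicIpRules = @(Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
                            Select-Object FirewallRuleName, StartIpAddress, EndIpAddress)
        VnetRules     = @(Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
                            Select-Object VirtualNetworkRuleName, State)
    }
}
Get-SqlExposure -ResourceGroupName $rg -ServerName $server | Format-List
```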
    The post Secure your Azure SQL locally inside your vnet using service endpoints appeared first on Apostolidis IT Corner.

  22. proximagr
    Azure Backup | Enable backup alert notifications
    Azure Backup generates alerts for all backup events, such as unsuccessful backups. A new option is to create backup alert notifications, so that Azure Backup alerts you by sending an email when an alert is generated.
    To enable the backup alert notifications, navigate to the “Backup Alerts” section of the “Recovery Services vault” and click “Configure notifications”.

    There, switch Email notification to On to enable the alerts. Enter one or more recipients separated with a semicolon (;). Choose Per Alert or Hourly Digest. Per Alert sends an email for every alert instantly, while Hourly Digest means that the notification agent checks for alerts every hour and sends one email with the active alerts.
    Finally, choose the Severity of the alerts for which you will be notified and press Save.

    If you like my content you can follow my blog: e-apostolidis.gr
  23. proximagr
    Create an Ultra High Available on-prem <-> Azure VPN Connection
    In this post we will see how to make a highly available connection between our on-premises network and Azure. This way we will have an Active-Active Dual-Redundancy VPN Connection.
    The idea behind this is that we have a router/firewall cluster, connected to two ISPs, and we want to also have a VPN connection with Azure that uses both ISPs actively. I call this an end-to-end highly available connectivity between our on-premises infrastructure and Azure. Strictly, the active-active dual redundant connections need two different on-premises VPN devices, but we can accomplish almost the same functionality with one device and two different interfaces on two different ISPs.

    The requirement for this topology, except the router/firewall cluster and the two ISPs is that the Azure VPN Gateway must be Standard or HighPerformance SKU. The Basic SKU does not support Active-Active mode.
    As you can see in the diagram above, the Active-Active VPN Gateway creates two active VPN nodes. Each node connects to each on-premises network interface, in a mesh topology, and all network traffic is distributed across all the connections. To accomplish this connectivity we also need to enable BGP on both the on-premises device and the Azure VPN Gateway, with different ASNs. Let’s lab it:
    Create a Virtual Network Gateway: VPN, Route Based, and SKU VpnGw1 or larger.
    Enable active-active mode (this will create two nodes) and give the names of the two Public IPs.
    Check “Configure BGP ASN” and change the default ASN; I used 65510.
    Wait a lot… more than the typical 45 minutes, a lot more…

    When the gateway is created you will see that the public ip address is called “First public IP address”. If you click the “see more” link you will see the second IP too.

    You can see both IP form the Properties page too.

    Second, we need to create two Local Network Gateways, to represent the two interfaces of our on-premises device. Both must be created with the same ASN. This ASN must be different from the Gateway’s, and it must be configured in the VPN connection configuration of the local device.
    Now, create the connections.

    And remember to enable BGP at the Connection’s Configuration

    As soon as the local device is configured, both connections become connected.

    From PowerShell we can see both local IPs of the two nodes of the Azure VPN Gateway.
    Test and Troubleshooting
    Currently the only way to see the connections between the Azure Gateway nodes and the local device’s interfaces is the PowerShell command below:
    Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName "gatewayname" -ResourceGroupName "resourcegroupname"

    Every time you run this command you get the answer from one of the two nodes at random. In the screenshot above, the first output is from one node and the second from the other.
    The first node’s peer, 192.168.xx.9, shows that it is connected to the 10.xx.xx.2 local network peer and connecting to the second peer, 10.xx.xx.1.
    The second node’s peer, 192.168.xx.8, shows that it is connected to the 10.xx.xx.1 local network peer and connecting to the second peer, 10.xx.xx.2.

    The test I performed was to unplug one interface from the local device. The Azure gateway's first node state was Connecting for both peers, and the second node was the same, connecting to .2 and connected to .1. In this test I lost a single ping.
    After that I plugged the cable back in, waited less than a minute and unplugged the second cable. Now the first node still shows disconnected, but the first node connected to the .2 local IP and is connecting to .1. With this test I lost only one ping. I also realized that it is random which node's private IP will connect with the local device's private IP. Both Azure Gateway IPs, 192.168.x.8 and .9, can connect with the local device's IPs 10.x.x.1 and .2, and this is the magic of the Active-Active Dual Redundancy VPN connection.
  24. proximagr
    Azure Portal | Virtual Machines bulk actions
    The Azure Portal is a great GUI tool to administer all your Azure resources, and it keeps evolving. Here is a very useful tip. Did you know that you can manage Virtual Machines in bulk from the Azure Portal Virtual Machines section? We have virtual machine bulk actions!

    Not only can we assign tags and Start, Restart, Stop and Delete Virtual Machines in bulk, but we can also configure Change Tracking, Inventory and Update Management.
    Filter the Virtual Machines you need and click "Change Tracking" to get a report of all changes that happen inside the VM: changes to services on Windows, daemons on Linux, applications and files.
    Use "Inventory" to get a complete inventory of all the applications installed on the VM, and enable consistent control and compliance of these virtual machines.
    Enable "Update Management" to manage the updates of the selected Virtual Machines: create update policies and control the installation of the updates.
  25. proximagr
    Govern your Azure environment
    It was a day full of Microsoft Azure and technology, from both the IT Pro and Dev perspective. A sunny day in Athens, with a lot of fun. For sure we had a great time!
    You can download my Athens Azure Bootcamp 2019 presentation, Govern your Azure environment, from this link: https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD
    Please find the demos of my presentation on the Videos page: https://www.e-apostolidis.gr/videos/
    Standardize and enforce your company's Azure Resources configuration, for regulatory compliance, cost control, security and design consistency.
    The post Govern your Azure environment appeared first on Apostolidis IT Corner.
    Source: https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/