Blog Entries posted by proximagr

  1. proximagr
    Monitor & Alert for your Azure VM
    Let's see how easy it is to monitor a VM and create an alert, so that you are notified when your VMs restart, start, stop, hit high CPU or memory usage, and much more.
    First navigate to the Azure Portal https://portal.azure.com, and then click the Monitor button.

    You will be taken to the Monitor blade. In the center of the screen you will see three main buttons; each starts a wizard.

    Click “Create Alert” under Explore monitoring essentials, the first of the three buttons.

    The Create rule wizard starts. First you need to select a target.

    Select the subscription, under Filter by resource type select Virtual machines, and pick the VM from the Resource list.

    Once you click the target VM you will see a preview of the selection and the available signals.

    After the alert target, define the criteria.

    On the Configure signal logic blade, select the signal from the list. I selected Restart Virtual Machine.

    Once you select the signal you can choose the severity level, and a preview of the condition is shown.

    After that, give the alert a name and a description. Also select the resource group where the alert rule will be saved and whether the alert should be enabled on creation.

    The next step is to create an action group. The action group is the list of recipients notified when the alert fires. Notifications can be email, SMS, push notification or voice call. You can attach several action groups to a rule and define several actions in each group.


    Now the alert is ready. Once it fires you will be notified. In this example I added an email action, and when the VM restarted I received the following email:
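    The same rule built with the Az PowerShell module instead of the wizard, as an added example that is not part of the original post. It deploys an action group plus one Activity Log alert per VM lifecycle operation through an inline ARM template. The subscription id, resource group, VM resource id and e-mail address are placeholders, and an existing Az session (Connect-AzAccount) is assumed.

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has been run and
# that the four values below are replaced; they are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-monitoring'
$vmResourceId   = "/subscriptions/$subscriptionId/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01"
$alertEmail     = 'ops@example.com'

# "Restart Virtual Machine" in the wizard is an Activity Log signal (category Administrative),
# so the rule is a Microsoft.Insights/activityLogAlerts resource, not a metric alert.
$operations = @(
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/start/action'
)
$actionGroupRef = "[resourceId('Microsoft.Insights/actionGroups', 'ag-vm-ops')]"

$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        # Action group: who gets notified. Only an e-mail receiver here; SMS, voice and
        # push receivers are sibling arrays on the same resource.
        @{
            type       = 'Microsoft.Insights/actionGroups'
            apiVersion = '2019-06-01'
            name       = 'ag-vm-ops'
            location   = 'Global'
            properties = @{
                groupShortName = 'vmops'      # at most 12 chars, shown in the notification subject
                enabled        = $true
                emailReceivers = @(
                    @{ name = 'ops-mail'; emailAddress = $alertEmail; useCommonAlertSchema = $true }
                )
            }
        }
    )
}

foreach ($op in $operations) {
    $verb = ($op -split '/')[-2]      # restart / deallocate / start
    $template.resources += @{
        type       = 'Microsoft.Insights/activityLogAlerts'
        apiVersion = '2017-04-01'
        name       = "alert-vm-$verb"
        location   = 'Global'
        dependsOn  = @($actionGroupRef)
        properties = @{
            enabled     = $true
            description = "Fires when $op succeeds on the VM"
            scopes      = @($vmResourceId)     # one VM; a subscription id here would cover every VM
            condition   = @{
                allOf = @(
                    @{ field = 'category';      equals = 'Administrative' },
                    @{ field = 'operationName'; equals = $op },
                    @{ field = 'status';        equals = 'Succeeded' }
                )
            }
            actions = @{ actionGroups = @( @{ actionGroupId = $actionGroupRef } ) }
        }
    }
}

New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup -TemplateObject $template | Out-Null

# Check what was created: three rules, all enabled, scoped to the VM.
Get-AzActivityLogAlert -ResourceGroupName $resourceGroup | Format-List
```

    The status condition makes the rule fire only on successful operations; drop it if you also want to hear about failed attempts, since the Activity Log records the caller identity either way. Keeping an explicit VM scope stops the rule from firing for every VM in the subscription.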

    More Microsoft Azure guides at Apostolidis IT Corner
  2. proximagr
    Secure your Azure SQL Database inside a VNET using service endpoints
    February 6, 2018 Pantelis Apostolidis Microsoft, Greek
     
    For many, an obstacle to using Azure SQL is that it is reachable from the public internet. Since the latest Azure updates we can use service endpoints to lock Azure SQL down to a VNET.
    So let's put Azure SQL inside a VNET. Open the Azure Portal and start creating a VNET. At the bottom of the creation page a new option has been added, called service endpoints. Enable it and select Microsoft.Sql.

    Next, create a SQL Database. Again from the Azure Portal select New –> SQL Database and fill in the details you want.

     
    Once the SQL Database is created, open its settings and go to Firewall / Virtual Networks. There, disable “Allow access to Azure Services”. That option is a firewall rule that admits connections from any Azure-hosted IP address, including other customers' resources; with it off and no other rules present, nothing reaches the server from a public IP.
     

     
    To connect SQL to the VNET, press “+Add existing virtual network” and create a rule selecting the VNET we created with service endpoints enabled.
     

    Time to test. A quick way to test connectivity to a SQL server is the “ODBC Data Source Administrator”, found under Administrative Tools on every MS Windows Server and Professional client. If you try to connect over the internet you will see that the connection is cut at the TCP level; it does not even open, as if the server did not exist.
    So I created a VM inside the VNET to have local access. Open ODBC Data Source Administrator and under User DSN press New. Give it any name, it does not matter, and for the server enter the FQDN of the Azure SQL Database.
     

     
    In the next screen enter the username and password of the Azure SQL Database and press “Test Data Source”.
     

     
    We can also connect with SSMS, entering the SQL Server FQDN, the username and the password,
     

     
    and it connects quickly and securely!
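    The same VNET, service endpoint and firewall configuration with the Az PowerShell module, followed by a scripted version of the connectivity test, as an added example that is not part of the original post. It assumes an Az session (Connect-AzAccount), that the logical SQL server already exists, and that the resource names, address ranges and login are placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has been run and that
# the logical SQL server below already exists; all names and address ranges are placeholders.
$rg        = 'rg-sql'
$location  = 'westeurope'
$sqlServer = 'sqlsrv-demo'               # FQDN is <name>.database.windows.net

# 1. VNET with a subnet that has the Microsoft.Sql service endpoint enabled.
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-app' -AddressPrefix '10.10.1.0/24' -ServiceEndpoint 'Microsoft.Sql'
$vnet   = New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg -Location $location -AddressPrefix '10.10.0.0/16' -Subnet $subnet
$subnetId = ($vnet.Subnets | Where-Object Name -eq 'snet-app').Id

# 2. "Allow access to Azure services" is the firewall rule AllowAllWindowsAzureIps
#    (0.0.0.0-0.0.0.0). While it exists, any Azure-hosted address, including other
#    tenants' VMs, can reach port 1433; remove it.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Where-Object FirewallRuleName -eq 'AllowAllWindowsAzureIps' |
    ForEach-Object { Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer -FirewallRuleName $_.FirewallRuleName -Force }

# 3. VNET rule: only connections arriving through the service endpoint of that subnet are accepted.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer `
    -VirtualNetworkRuleName 'allow-snet-app' -VirtualNetworkSubnetId $subnetId | Out-Null

# 4. What is left: ideally no IP rules at all and one VNET rule in state Ready.
Get-AzSqlServerFirewallRule       -ResourceGroupName $rg -ServerName $sqlServer | Format-Table FirewallRuleName, StartIpAddress, EndIpAddress
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer | Format-Table VirtualNetworkRuleName, State

# 5. Connectivity test, the scripted version of the ODBC "Test Data Source" button. Run it once
#    from your workstation (expected: failure) and once from a VM in snet-app (expected: True).
function Test-SqlLogin {
    param([string]$Server, [string]$User, [string]$Password)
    $cs = "Server=tcp:$Server,1433;Database=master;User ID=$User;Password=$Password;Encrypt=True;Connection Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try     { $conn.Open(); return $true }
    catch   { Write-Warning $_.Exception.Message; return $false }   # outside the VNET the open fails
    finally { $conn.Dispose() }
}
Test-NetConnection -ComputerName "$sqlServer.database.windows.net" -Port 1433 | Select-Object RemoteAddress, TcpTestSucceeded
Test-SqlLogin -Server "$sqlServer.database.windows.net" -User 'sqladmin' -Password (Read-Host 'SQL password')
```

    Step 4 is the check worth keeping in a runbook: a service endpoint does not remove the server's public endpoint, it only adds a VNET rule, so any IP rule that is still listed (or a re-enabled AllowAllWindowsAzureIps) silently reopens the server.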
     


  3. proximagr
    <p>First we need to create a certificate request</p>
    <p>Open the Microsoft Exchange Management Console and navigate to Microsoft Exchange -> Server Configuration.</p>
    <p>On the right panel press the “New Exchange Certificate”</p>
    <p id="IcnajXr"><img class="alignnone size-full wp-image-1027 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b27be99f9e.png"alt="" /></p>
    <p>The “New Exchange Certificate” wizard will start. Enter a friendly name, just a name to remember what this certificate is about.</p>
    <p id="JDRaiCG"><img class="alignnone size-full wp-image-1028 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b27fdbb3cf.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b27fdbb3cf.png 591w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b27fdbb3cf-300x130.png 300w" sizes="(max-width: 591px) 100vw, 591px" /></p>
    <p>No need to check the wildcard option.</p>
    <p id="EtdTZXg"><img class="alignnone size-full wp-image-1029 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2865f2737.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2865f2737.png 582w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2865f2737-300x123.png 300w" sizes="(max-width: 582px) 100vw, 582px" /></p>
    <p>On the next page select the services that you want; in most cases select all of the “Client Access Server” services.</p>
    <p id="ZkhorfF"><img class="alignnone size-full wp-image-1031 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b28e1b354b.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b28e1b354b.png 592w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b28e1b354b-300x259.png 300w" sizes="(max-width: 592px) 100vw, 592px" /></p>
    <p>Next, add all the alternative names that you want to include in the certificate.</p>
    <p id="YlDGuRt"><img class="alignnone size-full wp-image-1032 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2937afb28.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2937afb28.png 588w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2937afb28-300x179.png 300w" sizes="(max-width: 588px) 100vw, 588px" /></p>
    <p>Fill in the Organization form and select the save path.</p>
    <p id="fQORogU"><img class="alignnone size-full wp-image-1033 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29920a85a.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29920a85a.png 585w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29920a85a-300x242.png 300w" sizes="(max-width: 585px) 100vw, 585px" /></p>
    <p>Finally press “New” to create the certificate request.</p>
    <p id="utNSVvF"><img class="alignnone size-full wp-image-1034 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29c869221.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29c869221.png 589w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29c869221-300x256.png 300w" sizes="(max-width: 589px) 100vw, 589px" /></p>
    <p>After this, in the Exchange Certificates window of the Exchange Management Console you will see a new item marked “Pending request”.</p>
    <p>Open the exported file with Notepad and save it with “ASCII” encoding (the original is Unicode; certreq will not parse the UTF-16 file).</p>
    <p id="SZuTWJF"><img class="alignnone size-full wp-image-1035 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b03bfcb1.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b03bfcb1.png 319w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b03bfcb1-300x119.png 300w" sizes="(max-width: 319px) 100vw, 319px" /></p>
    <p>Now go to the domain's Active Directory Certification Authority and open an elevated command prompt.</p>
    <p>Run the command:</p>
    <p>certreq.exe -submit -attrib CertificateTemplate:WebServer</p>
    <p id="UdQDUvn"><img class="alignnone size-full wp-image-1036 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b42f3883.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b42f3883.png 622w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b42f3883-300x37.png 300w" sizes="(max-width: 622px) 100vw, 622px" /></p>
    <p>It will ask you to select the request file; select the ASCII-encoded file.</p>
    <p id="hloRRHj"><img class="alignnone size-full wp-image-1037 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b6875e43.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b6875e43.png 504w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b6875e43-300x105.png 300w" sizes="(max-width: 504px) 100vw, 504px" /></p>
    <p>and then select the Certification Authority</p>
    <p id="xKWCLlX"><img class="alignnone size-full wp-image-1038 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2bc027538.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2bc027538.png 371w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2bc027538-300x184.png 300w" sizes="(max-width: 371px) 100vw, 371px" /></p>
    <p>Finally it produces a .cer file.</p>
    <p>Go back to the Exchange Certificates window of the Exchange Management Console, select the “pending certificate request” and press “Complete pending request”. Select the .cer file and the services needed (IIS, SMTP, POP, IMAP); the wizard installs the certificate and enables it for those services.</p>
    <p id="tWSVZDr"><img class="alignnone size-full wp-image-1039 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2d1220d47.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2d1220d47.png 606w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2d1220d47-300x51.png 300w" sizes="(max-width: 606px) 100vw, 606px" /></p>
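    <p>The same request, submit and complete cycle scripted end to end, as an added example that is not part of the original post, so the ASCII re-encoding step cannot be forgotten. It uses the Exchange 2010 Management Shell cmdlets on the CAS server and certreq.exe against the enterprise CA; the host names, subject, CA config string, file paths and the WebServer template permissions are assumptions to adapt.</p>

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the
# CAS server (which must reach the CA). Every name and path below is a placeholder.
$exchangeFqdn = 'mail.corp.example'
$sans         = 'mail.corp.example', 'autodiscover.corp.example', 'exch01.corp.example'
$caConfig     = 'ca01.corp.example\Corp Issuing CA'     # "<CA host>\<CA common name>"
$reqPath      = 'C:\certs\exchange.req'
$cerPath      = 'C:\certs\exchange.cer'

# 1. Generate the request. -GenerateRequest returns the PEM text instead of installing anything.
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
         -FriendlyName 'Exchange 2010 CAS' -KeySize 2048 `
         -SubjectName "CN=$exchangeFqdn,O=Corp,C=GR" -DomainName $sans

# 2. Save as ASCII. This is the step the post does by hand in Notepad: the shell writes
#    Unicode by default and certreq does not parse a UTF-16 request file.
Set-Content -Path $reqPath -Value $req -Encoding ASCII

# 3. Submit to the enterprise CA with the WebServer template. -config names the CA, so the
#    interactive CA picker from the screenshot does not appear.
certreq.exe -submit -attrib 'CertificateTemplate:WebServer' -config $caConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. Complete the pending request (matches it to the private key by the request) and bind
#    the certificate to the services. -Confirm:$false answers the SMTP default-cert prompt.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP -Confirm:$false

# 5. Verify: bound to the expected services, SANs cover every name clients use, sane expiry.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```

    <p>A certificate from a domain CA is trusted only where the issuing CA's root is trusted: domain-joined Windows clients receive it through Active Directory, but phones, home PCs and partner mail servers do not, and will show certificate warnings or refuse TLS to SMTP. Put every name clients connect to (Outlook Anywhere, Autodiscover, OWA, internal host name) in the SAN list, since a name mismatch is treated the same as an untrusted certificate.</p>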
    <p>The post <a rel="nofollow" href="http://www.e-apostolidis.gr/microsoft/exchange/exchange-2010-add-local-domain-ca-certificate/">Exchange 2010 | add local domain CA certificate</a> appeared first on <a rel="nofollow" href="http://www.e-apostolidis.gr">Proxima's IT Corner</a>.</p>


    <a href="http://www.e-apostolidis.gr/microsoft/exchange/exchange-2010-add-local-domain-ca-certificate/"class='bbc_url' rel='nofollow external'>Source</a>
  4. proximagr
    Working as a cloud consultant, administrator or architect, many companies will give you guest (Azure AD B2B) access to their subscriptions. After the work is done, the subscription admins often forget to remove this access. As a result you still have access to resources for no reason, and the list of your available subscriptions grows, making it harder to pick the right subscription to work in.
    In this post we will walk through the steps of removing your account from those tenants. Since this is an identity matter, you need to log in to the https://account.activedirectory.windowsazure.com portal with your account. I logged in with my account, [email protected]
    There you will see a list of all the applications you have access to in the tenant where your account resides. Press the user icon at the top right corner.

    Once you press the user icon a drop-down menu appears listing all the organizations you have been given access to. Next to “ORGANIZATIONS” press the gear icon.

    You will be redirected to the organizations section of the portal. There, in order to leave an organization you need to sign in to it: clicking “sign in to leave organization” redirects you to that tenant. The tricky part is choosing the right organization, since many organizations never change the “Default directory” name. An easy way to tell them apart is to hover over the “sign in to leave organization” link; the tenant id appears at the bottom of the page.

    Now, by navigating to https://portal.azure.com and pressing the Subscription filter button in the top bar, next to the notifications icon, you get a list of all organization tenant ids and names.

    After confirming the organization id that you want to leave, go back to the organization selection portal and press “sign in to leave organization”. In the browser's address bar you will again see the organization tenant id. Check it once more just to be sure.

    There you need to press the user icon and the little gear icon again.

    Finally you have the option to “Leave organization”.

    A final warning appears, just to be sure, and by pressing “Leave” you instantly lose all access to that organization and it will no longer be listed in your subscription filter.

    After a while you will also receive an email from Microsoft Invitations confirming that you have left that organization.

  5. proximagr
    <h1>Azure Bastion – Jump Server as a Service</h1>
    <p>Azure Bastion is a new Azure platform (PaaS) service, at the time of writing still in preview, that gives you RDP and SSH access to Virtual Machines inside a Virtual Network directly from the Azure Portal. This removes the need to expose the Virtual Machines' RDP and SSH ports to the internet.</p>
    <p>The idea comes from jump servers, but you don't need to deploy any VMs and you don't have to worry about hardening them. It is already on Azure as a service.</p>
    <p>A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. You can find more about jump servers at <a href="https://en.wikipedia.org/wiki/Jump_server">https://en.wikipedia.org/wiki/Jump_server</a></p>
    <p>The connection to the virtual machines is made directly from the Azure Portal over TLS (HTTPS on port 443), using just the browser. The Bastion Host is</p>
    <h2>Azure Bastion Preview preparation</h2>
    <p>For now, Azure Bastion Hosts are in public preview. To use them we need to register the Azure Bastion Host feature. Open PowerShell and log in to Azure, or use the Cloud Shell from the Azure Portal.</p>
    <p>To register the feature run:</p>
    <p>Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network</p>
    <p id="zOeDhIo"><img class="alignnone wp-image-2732 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d091fe6262cc.png"alt="register provider" width="821" height="165" /></p>
    <p>Then run:</p>
    <p>Register-AzResourceProvider -ProviderNamespace Microsoft.Network</p>
    <p id="DRILxeM"><img class="alignnone wp-image-2733 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d091ff460da0.png"alt="azure bastion register" width="646" height="84" /></p>
    <p>Registration takes some time. Run the following command to check when it is registered:</p>
    <p>Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network</p>
    <p id="EZSfQTp"><img class="alignnone wp-image-2736 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0923cdafb5e.png"alt="register check" width="797" height="78" /></p>
    <p>Once the feature is registered, open the Azure Portal using this link: <a href="http://aka.ms/BastionHost">http://aka.ms/BastionHost</a> in order to access the Bastion preview.</p>
    <h2>Create the Bastion</h2>
    <p>From the Azure Portal, search for bastions.</p>
    <p id="IWWlOrg"><img class="alignnone wp-image-2727 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0801333cf93.png"alt="portal azure bastion" width="496" height="222" /></p>
    <p>Hit “Add” to start the Bastion creation wizard</p>
    <p id="BZxMhhc"><img class="alignnone wp-image-2728 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d080140b2353.png"alt="azure bastion" width="520" height="329" /></p>
    <p>One thing to consider is that the Virtual Network must have an empty subnet named “AzureBastionSubnet” with at least a /27 range (Microsoft has since raised the minimum to /26). This subnet will be configured as a DMZ.</p>
    <p id="qwRNwdC"><img class="alignnone wp-image-2729 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d080183b9c91.png"alt="azure bastion" width="750" height="115" /></p>
    <p>In the Create a bastion wizard select the Subscription and the Resource group. I prefer to create a new Resource Group. Enter a name for the Bastion Host instance and a Region. Of course the Virtual Network and the Region must be the same as those of the Virtual Machines you want to access. Finally choose a name for the Bastion Host's Public IP and hit Review and Create to create the Bastion.</p>
    <p id="xZvMCkm"><img class="alignnone wp-image-2730 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0801ea435a4.png"alt="azure bastion" width="843" height="870" /></p>
    <p>Once the Bastion is ready you can see its properties. Not much to configure, just the IAM.</p>
    <p id="dfkMDjH"><img class="alignnone wp-image-2739 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d092bdbb123f.png"alt="azure bastion" width="1162" height="645" /></p>
    <h2>Using the Bastion Host</h2>
    <p>And now the magic. Once a bastion is deployed in a Virtual Network, browse to a Virtual Machine and hit “Connect”. Besides RDP and SSH you will see a new option, BASTION!</p>
    <p id="LiCqvkU"><img class="alignnone wp-image-2741 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d092c6bebb80.png"alt="azure bastion" width="1157" height="551" /></p>
    <p>Since the topology is Internet –> Public IP of Bastion –> Bastion –> Virtual Network – NSG – Private IP –> VM, you need to allow RDP / SSH traffic from the Bastion subnet to the Virtual Machine, and HTTPS traffic (no RDP / SSH needed) from the internet (or just your public IP) to the Bastion subnet. The VM itself needs no public IP and no inbound 3389 / 22 from the internet.</p>
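    <p>The NSG pair for that topology with the Az PowerShell module, as an added example that is not part of the original post. It assumes an Az session, a VNET named vnet-demo in resource group rg-bastion with subnets AzureBastionSubnet and snet-app (all placeholders). The Bastion-subnet rules follow the Microsoft Bastion NSG page linked in the sources; that page has since added further required rules (for example AzureLoadBalancer inbound and session-information outbound), so check it before deploying.</p>

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has been run; every
# name and prefix below is a placeholder for the lab's own values.
$rg            = 'rg-bastion'
$location      = 'westeurope'
$bastionPrefix = '10.20.255.0/27'
$appPrefix     = '10.20.1.0/24'
$vnet          = Get-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg

# NSG for AzureBastionSubnet: HTTPS in from the internet (narrow SourceAddressPrefix to your
# office IP if you can), the Bastion control plane in from GatewayManager, and RDP/SSH out
# to the VNET only. The browser session terminates at Bastion; the VM never sees port 443.
$bastionRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsInbound' -Direction Inbound -Priority 120 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'AllowGatewayManagerInbound' -Direction Inbound -Priority 130 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix GatewayManager -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'AllowSshRdpOutbound' -Direction Outbound -Priority 100 -Access Allow `
        -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 22,3389
    New-AzNetworkSecurityRuleConfig -Name 'AllowAzureCloudOutbound' -Direction Outbound -Priority 110 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix AzureCloud -DestinationPortRange 443
)
$bastionNsg = New-AzNetworkSecurityGroup -Name 'nsg-bastion' -ResourceGroupName $rg -Location $location -SecurityRules $bastionRules

# NSG for the VM subnet: management ports reachable only from the Bastion subnet. The explicit
# deny from Internet is redundant with the default rules but documents the intent and survives
# someone adding a broad Allow later at a lower-precedence priority.
$appRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'AllowMgmtFromBastion' -Direction Inbound -Priority 100 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $bastionPrefix -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 22,3389
    New-AzNetworkSecurityRuleConfig -Name 'DenyMgmtFromInternet' -Direction Inbound -Priority 110 -Access Deny `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 22,3389
)
$appNsg = New-AzNetworkSecurityGroup -Name 'nsg-app' -ResourceGroupName $rg -Location $location -SecurityRules $appRules

# Attach both NSGs to their subnets and commit the VNET change.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'AzureBastionSubnet' -AddressPrefix $bastionPrefix -NetworkSecurityGroup $bastionNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' -AddressPrefix $appPrefix -NetworkSecurityGroup $appNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: no Allow rule in the resource group should still admit 22/3389 from Internet or '*'.
Get-AzNetworkSecurityGroup -ResourceGroupName $rg |
    ForEach-Object { $_.SecurityRules } |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
                   $_.SourceAddressPrefix -match '^(\*|Internet)$' -and
                   $_.DestinationPortRange -match '^(22|3389)$' } |
    Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange
```

    <p>The final query is the one to keep: it lists any rule that still exposes a management port to the world, which is exactly what the Bastion deployment was meant to eliminate.</p>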
    <p>Enter the VM's username and password, hit Connect, and you have RDP over HTTPS.</p>
    <p id="OphcKAS"><img class="alignnone wp-image-2742 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d093149258cf.png"alt="azure bastion" width="1379" height="1021" /></p>
    <h2>Copy Text to / from the VM</h2>
    <p>There is a little >> icon halfway down the right edge of the screen.</p>
    <p id="JTaxuWt"><img class="alignnone size-full wp-image-2748 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d09355db8db6.png"alt="" /></p>
    <p>Click it and the Copy / Paste box opens. Any text you paste into that box becomes available in the VM's clipboard. The Fullscreen button is there too.</p>
    <p id="WQLZHRX"><img class="alignnone size-full wp-image-2749 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0935877025c.png"alt="" /></p>
    <p>Likewise, any text you copy inside the VM appears in that box, as in the image below:</p>
    <p id="ZvVaJdz"><img class="alignnone size-full wp-image-2750 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0935cf0a626.png"alt="" /></p>
    <p>The Remote Desktop experience is excellent! No RDP client needed, just your browser.</p>
    <p>Sources:</p>
    <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-faq">https://docs.microsoft.com/en-us/azure/bastion/bastion-faq</a></p>
    <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg">https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg</a></p>
    <p><a href="https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/">https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/</a></p>
    <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal">https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal</a></p>
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure-bastion-jump-server-as-a-service/">Azure Bastion – Jump Server as a Service</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure-bastion-jump-server-as-a-service/"class='bbc_url' rel='nofollow external'>Source</a>
  6. proximagr
    Bulletproof manage your Azure VMs
    Continuing the Azure Security Center posts, today we will look at a new Security Center feature called Just in Time VM Access.
    As a security best practice, all management ports of a Virtual Machine should be closed using Network Security Groups. Only the ports required for published services should be open, if any.
    However, there are many occasions when we are asked to open a management port for administration, or a service port for some tests, for a short time. This has two major problems. First, it costs administration time, because the administrator must go to the Azure Portal and add a rule to the VM's NSG. Second, the port is often forgotten open, and that is a major exposure, since most brute-force attacks target the management ports, 22 and 3389.
    Here comes Azure Security Center with the Just in Time VM Access feature. With it we can use Azure RBAC to allow specific users to request that a predefined port be opened for a short time frame.
    JIT Configuration
    Let's see how we configure JIT. First go to Azure Security Center. Scroll down to ADVANCED CLOUD DEFENSE and click “Just in time VM Access”. Since it is in preview you need to press “Try Just in time VM access”.

    After we enable JIT, the window shows three tabs: Configured, Recommended and No recommendation. The Configured tab lists the Virtual Machines on which JIT is already enabled. Recommended lists VMs that have NSGs and are recommended for JIT. No recommendation lists classic VMs or VMs without an attached NSG.

    To enable JIT for a VM, go to the Recommended tab, select one or more VMs and press “Enable JIT on x VMs”.

    In “JIT VM access configuration” the Security Center proposes rules for the default management ports. We can add other ports we need and remove any that are unnecessary.
    For each rule we can configure the port, the protocol, the allowed source IPs and the maximum request time.
    If we leave “Allowed source IPs” at “Per request”, the requester decides. One very useful detail is that when a user requests access they can automatically restrict it to the public IP they are using at that moment.
    With the last option, “Max request time”, we cap how long a port may stay open.

    After configuring all the parameters, click Save and the VM moves to the Configured tab. At any time we can change the configuration by selecting the VM, pressing the three dots at the end of the line (…) and clicking Edit.

    The Properties button opens the VM's blade, the Activity log shows every user that requested access, and Remove, of course, disables JIT.
    Behind the scenes
    What actually happens to the VM? If you browse to the NSG attached to the VM you will see that all the port rules configured in JIT have been added as NSG rules with lower priority than all the other rules, and all the other rules were automatically moved to a higher priority.

    Let's see how we request access and what happens in the background. To request access go to Security Center / JIT, select the VM and press “Request Access”.

    On the “Request access” blade, switch on the desired port, select “My IP” or “IP Range” and the time range, all within the VM's JIT configuration. Finally press “Open Ports”.

    In the example above I selected “My IP”, so if you go to the VM's NSG you will see that the 3389 rule changed to “Allow” with my current public IP as the source. It also moved to the first priority.

    After the time range expires the port rule changes back to “Deny” and moves back to its previous priority.
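    The same configure-then-request cycle from PowerShell with the Az.Security module, as an added example that is not part of the original post (the post used the portal and the AzureRM era of the feature). It assumes an Az session, a VM named vm-web01 in resource group rg-prod in westeurope with the NSG attached to its NIC, and a public "what is my IP" lookup; all of these are placeholders or assumptions.

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has been run;
# resource names and the IP lookup service are placeholders/assumptions.
$rg       = 'rg-prod'
$location = 'westeurope'
$vm       = Get-AzVM -ResourceGroupName $rg -Name 'vm-web01'

# 1. Policy: which ports may be requested, from where, and for how long (ISO 8601 duration).
#    '*' as allowedSourceAddressPrefix is the portal's "Per request": the requester decides,
#    and the request below narrows it to a single address.
$policyVm = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' },
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT1H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind Basic -ResourceGroupName $rg -Location $location -Name 'default' -VirtualMachine @($policyVm) | Out-Null

# 2. Request: open 3389 to the caller's current public IP for one hour. The window must not
#    exceed the policy's maxRequestAccessDuration or the request is rejected.
$myIp = (Invoke-RestMethod -Uri 'https://api.ipify.org')      # assumption: any "my IP" service will do
$request = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
           allowedSourceAddressPrefix = @($myIp) }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default' -VirtualMachine @($request) | Out-Null

# 3. Behind the scenes: the NSG now has an Allow rule for 3389 from $myIp ahead of the JIT deny.
$nic   = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nsgId = $nic.NetworkSecurityGroup.Id                          # assumes a NIC-level NSG, as in the post
$nsg   = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name ($nsgId -split '/')[-1]
$nsg.SecurityRules | Sort-Object Priority |
    Format-Table Priority, Name, Access, SourceAddressPrefix, DestinationPortRange

# 4. Audit trail: the policy object records each request (requestor, start time, ports).
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default' |
    Select-Object -ExpandProperty Requests
```

    The request is the only place where the source address gets narrowed, so a policy that leaves allowedSourceAddressPrefix at '*' is only as tight as the requesters are; if the same admins always come from known ranges, put those ranges in the policy instead and the "My IP" choice becomes the only option they have.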
  7. proximagr
    Use Azure Security Center to protect your workloads
    In this series of posts we will walk through Azure Security Center and look at some common usage scenarios, from protecting a single Virtual Machine to a whole data center.
    To make it easier to understand we will start with a typical Azure IaaS scenario: a Virtual Machine with the IIS role acting as a web server. The steps to create the VM are out of this post's scope; I will simply describe the process. First we create a Windows Server 2016 Virtual Machine. Second, we log in and add the Web Server (IIS) role. Third, we open port 80 in the VM's Network Security Group (NSG), and voilà, we can browse to the VM's Azure DNS name and see the IIS default landing page.

    At this point the security of the web server relies on the Network Security Group rule, a stateful layer 3/4 packet filter that allows access to port 80, and of course the Windows Firewall, which does exactly the same.
    Let's browse to Azure Security Center from the Azure Portal. There we see an overview of the security state of the whole subscription.

    First, click “Compute”. I will skip the overview and go directly to the “VMs and computers” tab. There we see the name of the VM and the five points of interest. Our VM is not monitored, it has no endpoint protection, and it reports some vulnerabilities.
    Recommendation: Enable data collection for subscriptions
    To start resolving the issues, click the VM to open the Recommendations blade. The first recommendation is to enable data collection for the subscription. This is the Log Analytics / OMS (Operations Management Suite) integration, which lets the subscription's resources report to Log Analytics.

    Press “Enable data collection for subscription”. The Data Collection blade opens. There we can enable or disable automatic provisioning of the monitoring agent. This is the Microsoft Monitoring Agent, which connects a Virtual Machine to Log Analytics and can also be used to connect it to SCOM.

    The second option is to choose a workspace. If you have already created an OMS workspace you can choose it; if not, let it create a new one automatically. Finally press Save.
    Returning to the previous blade you will see that the “Turn on data collection” recommendation is now in the Resolved state.

    Although the recommendation is resolved instantly, the Microsoft Monitoring Agent is not yet installed. Go back to Compute / Data collection installation status to follow the agent installation.
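    The same data-collection setup from the shell, followed by the per-VM agent check that the portal's installation status page shows, as an added example that is not part of the original post. It assumes an Az session with the Az.Security, Az.OperationalInsights and Az.Compute modules, and the resource group, workspace name and region are placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has been run and the
# Az.Security / Az.OperationalInsights modules are installed; names below are placeholders.
$subscriptionId = (Get-AzContext).Subscription.Id
$rg             = 'rg-monitoring'
$workspaceName  = 'law-security'

# 1. Log Analytics workspace: reuse an existing one or create it.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspaceName -ErrorAction SilentlyContinue
if (-not $ws) {
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspaceName -Location 'westeurope' -Sku PerGB2018
}

# 2. Point Security Center at it for this subscription and switch on agent auto-provisioning.
#    Both settings are named 'default'; they are the two controls on the Data Collection blade.
Set-AzSecurityWorkspaceSetting -Name 'default' -Scope "/subscriptions/$subscriptionId" -WorkspaceId $ws.ResourceId | Out-Null
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

# 3. The recommendation flips to Resolved at once, but the agent lands later. This is the
#    check behind "Data collection installation status": one row per VM with extension state.
function Get-AgentStatus {
    Get-AzVM | ForEach-Object {
        $ext = Get-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -ErrorAction SilentlyContinue |
               Where-Object { $_.ExtensionType -in 'MicrosoftMonitoringAgent', 'OmsAgentForLinux' }
        [pscustomobject]@{
            VM    = $_.Name
            Agent = if ($ext) { $ext.ExtensionType } else { 'missing' }
            State = if ($ext) { $ext.ProvisioningState } else { '-' }
        }
    }
}
Get-AgentStatus | Format-Table -AutoSize
```

    A VM listed as "missing" minutes after enabling the setting is normal; one still missing an hour later usually means the VM is deallocated or the extension failed, which Get-AzVMExtension reports in ProvisioningState.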

    Stay tuned for the next Azure Security Center post to resolve more recommendations.
    The post Use Azure Security Center to protect your workloads appeared first on Apostolidis IT Corner.


    Source
  8. proximagr
    Use Service Endpoints to protect an Azure Storage Account inside an Azure Virtual Network
    As we saw in a previous post, we can use Service Endpoints to protect an Azure SQL Server inside an Azure Virtual Network. Today we will see how to protect a Storage Account.
    First we need to enable the Microsoft.Storage Service Endpoint on an existing Virtual Network, or create a new Virtual Network and enable it there. In this post I am creating a new Virtual Network, so in the Azure Portal press New and in the search box type “Virtual Network”.
    Enter the name of the Virtual Network and all the required fields. The only difference is to click “Enable” under Service Endpoints and select “Microsoft.Storage”.

    After the Virtual Network we can proceed with the Storage Account. Create one by going to the Azure Portal, pressing New, searching for “Storage Account” and pressing Create. In the “Create storage account” blade fill in all the required fields. The difference here is to click “Enable” under “Virtual Networks”, select the Virtual Network on which you enabled Service Endpoints, and select the desired subnet.

    After the Storage Account is created, open it and go to the “Firewall and virtual networks” setting. You will see that the selected Virtual Network and subnet are configured and all other networks, including the Internet, are denied.

    Now if you go to the File service of the Storage Account you get an “Access Denied” message, since you are accessing it from the Internet.

    In order to access the Storage Account's File service (and all the other services, like Blob) I created a Virtual Machine inside the Virtual Network and opened the Portal from there. Now I can access the Storage Account services.

    Of course we can add our public IP, access the Storage Account configuration, make the required changes, and then remove it again.

    We can also add or remove existing and new networks.
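    The Storage Account counterpart with the Az PowerShell module, including the temporary admin-IP exception the post describes and a check of the effective rule set, as an added example that is not part of the original post. It assumes an Az session, an existing VNET vnet-demo with subnet snet-app in resource group rg-storage, and placeholder names and IP.

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has been run and the
# VNET/subnet already exist; the account name and admin IP are placeholders.
$rg       = 'rg-storage'
$location = 'westeurope'
$saName   = 'stdemo0001'          # 3-24 lowercase letters/digits, globally unique
$adminIp  = '203.0.113.10'        # placeholder from the documentation range

# 1. Enable the Microsoft.Storage service endpoint on the subnet that needs access.
$vnet   = Get-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet     = $vnet | Set-AzVirtualNetwork
$subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app').Id

# 2. Storage account, HTTPS only. Network rules follow immediately so the account is never
#    left open between creation and lock-down.
New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location -SkuName Standard_LRS `
    -Kind StorageV2 -EnableHttpsTrafficOnly $true | Out-Null

# 3. Deny by default, then allow the subnet. Bypass None also blocks the platform services
#    (Logging/Metrics/AzureServices) that the portal leaves allowed; loosen it if you need them.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny -Bypass None | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -VirtualNetworkResourceId $subnetId | Out-Null

# 4. Temporary admin exception, as in the post: add your public IP, do the work, remove it.
Add-AzStorageAccountNetworkRule    -ResourceGroupName $rg -Name $saName -IPAddressOrRange $adminIp | Out-Null
# ... configuration work from the admin workstation ...
Remove-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -IPAddressOrRange $adminIp | Out-Null

# 5. Verify the effective rule set: DefaultAction Deny, one VNET rule, no leftover IP rules.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName
[pscustomobject]@{
    DefaultAction = $rules.DefaultAction
    Bypass        = $rules.Bypass
    VNetRules     = ($rules.VirtualNetworkRules | ForEach-Object { ($_.VirtualNetworkResourceId -split '/')[-1] }) -join ','
    IpRules       = ($rules.IpRules | ForEach-Object { $_.IPAddressOrRange }) -join ','
}
```

    Step 5 is the one to schedule: the "add my IP, then remove it" routine from the post is exactly where a forgotten exception accumulates, and an IpRules column that is not empty is the finding.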

    The post Use Service Endpoints to protect an Azure Storage Account inside an Azure Virtual Network appeared first on Apostolidis IT Corner.


  9. proximagr
    SQL Failover Cluster with AlwaysOn Availability Groups
     
    This is the second post of the SQL Failover Cluster with AlwaysOn Availability Groups trilogy. It is SQL time.
    Windows Server 2012 R2 Failover Cluster with FreeNAS 9.3 (Page 1, Page 2) Microsoft SQL 2012 on Failover Cluster (Page 1, Page 2, Page 3) Add AlwaysOn AG to SQL Failover Cluster Instance (Page 1, Page 2, Page 3)

    Microsoft SQL 2012 on Failover Cluster (Page 3)
     

    At Cluster Network Configuration we verify that it has found the IP of the SQL Cluster and press Next.

    At Service Accounts we enter the password of the account we have already specified for the SQL Engine & Agent.

    We pass the checks and press Install to add the node to the cluster, then wait until we see the “Completed successfully” message.

    Now let’s test that the SQL role can fail over to both nodes.
    Open Failover Cluster Manager, go to Roles, select “SQL Server …”, right-click / Move and press “Select Node…”.

    Select the second node and press OK.

    Wait for the Status to go to Pending and then Running. The “Owner Node” should now show the second node, in the lab Win2012R202.

     
    Source http://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/microsoft-sql-2012-on-failover-cluster/
  10. proximagr
    Azure Start Point | Your first Web App
    In this post series we will go through some basic steps on how to start with Microsoft Azure. To start, we will create a Web App.
    If you don’t have an Azure Subscription, you can easily create a free trial by just going to https://azure.microsoft.com/en-us/free/
    Let’s create our first Web App. Go to the Azure Portal by navigating to https://portal.azure.com and click “+ Create a resource”

    At the search box write “Web App” and press enter

    At the search results, click “Web App” and at the next screen just press “Create”.

    The “Web App Create” wizard will open. Enter a name for the App. This will be the public name of your App. Azure by default provides the domain *.azurewebsites.net for free.
    So in my example prowebdev.azurewebsites.net will be the URL of my App.
    Select the Azure Subscription that will be used to bill the Web App and a Resource Group. The Resource Group is used to organize the resources and to provide role based access control, among other things.
    OS: Select the Operating System platform that will host your Web App. This can be Windows, Linux or a Docker Container. For the test I will select Windows.
    As you can see, the wizard has selected an App Service Plan by default, with a random name and location. The App Service Plan is actually the Web Server that will host our Web App. Click on “App Service Plan/Location”.
    Add a name for the Web Server, select the Location that is nearest to you (or your clients) and the Pricing Tier.
    By pressing OK you will return to the Web App create wizard; press Create. Now you can monitor the creation process of the App from the “Notifications” option at the top right of the portal, the button with the ringing bell image. First you will see the “Deployment in progress…” message and as soon as the App is ready you will see the “Deployment completed” message.
    Now if you go to the Resource Group you will see two resources: the App Service and the App Service Plan. At a high level, the App Service Plan is the web server and the App Service is the Web Application.

    Now click the App Service and at its blade you can see your applications URL.

    Click the URL and you will see the Demo page

    The post Azure Start Point | Your first Web App appeared first on Apostolidis IT Corner.


  11. proximagr
    Azure Blob Storage… Recycle Bin!!!!!!!
    Remember all those red alerts when it comes to deleting blobs? Ah, forget them! Microsoft Azure brought the Windows Recycle Bin to Azure and named it Soft delete.
    The soft delete feature is basically similar to the Windows recycle bin. When you delete a file from Windows Explorer, the operating system, instead of actually removing the file, moves it to the recycle bin. The file stays there and it can be undeleted at any time. The soft delete feature in Microsoft Azure does the same thing for blob storage. When data is deleted or overwritten, the data is not actually gone. Instead, the data is soft deleted, thereby making it recoverable if necessary.
    It’s not enabled by default, but it’s very easy to enable. Go to the Storage Account, scroll down to the Blob Service and select “Soft delete”. Select the Retention policy and Save, that’s all!

    Let’s delete and test. Browse a container and click “Show deleted blobs”. The current blob will show as active.

    Deleting the blob changes its status to “deleted”.

    Click the three little dots and you can undelete the blob, in Azure!!!

    Active again!

    Be careful: if you delete the whole container, the storage account or the Azure Subscription there is no way back. The Soft delete feature works at blob level inside a container.
    For more details visit the docs: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete
  12. proximagr
    File Server in-place Domain Migration
    When migrating to a new domain a major part is the file server, especially if there is a lot of data with different permissions.
    Thankfully Microsoft has a very helpful tool called SubInACL. This tool can be used to read and update security permissions and is very helpful for a file server in-place domain migration. The tool can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=23510
    But after a lot of searching there is no specific guide that someone has followed and that worked. So I started testing and came up with the following steps that worked for me:
    Open an elevated Command Prompt window and navigate to the folder containing subinacl.exe.
    Export the permissions of the drive’s root:
    subinacl /noverbose /output=C:\permissionsE.txt /file E:
    Export the permissions of all subfolders and files:
    subinacl /noverbose /output=C:\permissionsEsub.txt /subdirectories E:
    Copy the contents of “permissionsE.txt” to the start of the “permissionsEsub.txt” file. Open the “permissionsEsub.txt” file and replace the old domain name with the new domain name.
    View the shares:
    net view \\computername
    Export the shares’ permissions:
    subinacl /noverbose /output=C:\shares.txt /share \\computername\fileshare
    Disjoin the server from the old domain and join it to the new domain.
    Import the NTFS permissions:
    subinacl /playfile C:\permissionsEsub.txt
    Import the shares’ permissions:
    subinacl /playfile C:\shares.txt

    Some comments from the field
    The export process is very fast but the import process takes much longer.
    The subinacl process is single threaded (it uses only one core), so in order to speed up the whole process you can split the permissions file and run it multiple times in different command prompt windows. Every subinacl.exe creates a single process that uses one core, so if you have four cores create four processes.
    The import process completely removes the existing permissions and applies the new ones, so no old-domain user IDs (SIDs) remain on the files/folders.
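    A way to automate the domain rename and the split into parallel chunks described above, as an added example that is not part of the post: it assumes the export is a text file whose records each start with a line beginning with “+” (for example “+File E:\Data”) followed by that object’s /owner, /primary group and /grant lines, and the sample content below is constructed on that assumption.

```python
"""Rewrite an exported SubInACL permissions file for the new domain and split
it into chunks that can be replayed in parallel (one subinacl /playfile per
core).  Added example, not part of the post.  It assumes the export is a
text file in which every object record starts with a line beginning with
'+' (e.g. '+File E:\\Data') followed by that object's /owner, /primary group
and /grant lines; the sample below is constructed on that assumption."""
import math
import re
from pathlib import Path

# Constructed sample export: old-domain accounts in mixed case, plus
# built-in accounts that must not be touched.
SAMPLE_EXPORT = """\
+File E:\\Data
/owner=OLDDOM\\Administrator
/primary group=OLDDOM\\Domain Users
/grant=OLDDOM\\Finance=F
/grant=BUILTIN\\Administrators=F
+File E:\\Data\\Payroll
/owner=OLDDOM\\Administrator
/grant=olddom\\Payroll=R
/grant=OLDDOM\\Finance=C
+File E:\\Data\\Public
/owner=BUILTIN\\Administrators
/grant=OLDDOM\\Domain Users=R
"""


def rewrite_domain(text, old_domain, new_domain):
    """Replace `old_domain\\` with `new_domain\\` in every account reference.

    Only the domain part directly after '=' is touched, so a folder that
    happens to be named like the domain is left alone.  Matching is
    case-insensitive because Windows writes the domain in whichever case
    the name lookup returned: a plain text replace would miss
    'olddom\\Payroll' above and it would replay as an unknown account.
    """
    pattern = re.compile(r"(?<==)" + re.escape(old_domain) + r"\\",
                         re.IGNORECASE)
    return pattern.sub(lambda _m: new_domain + "\\", text)


def split_records(text, parts):
    """Split `text` into at most `parts` chunks on record boundaries.

    Chunks are contiguous, so parent folders still precede their children
    in each file, and every chunk is itself a complete /playfile input.
    """
    records, current = [], []
    for line in text.splitlines(keepends=True):
        if line.startswith("+") and current:
            records.append("".join(current))
            current = []
        current.append(line)
    if current:
        records.append("".join(current))
    size = max(1, math.ceil(len(records) / parts))
    return ["".join(records[i:i + size]) for i in range(0, len(records), size)]


def write_chunks(src, old_domain, new_domain, parts, encoding="utf-8"):
    """Write <name>.partN.txt files next to `src`, one per parallel import.
    The encoding is an assumption: match it to your subinacl export."""
    src = Path(src)
    text = rewrite_domain(src.read_text(encoding=encoding), old_domain, new_domain)
    written = []
    for n, chunk in enumerate(split_records(text, parts), 1):
        path = src.with_name(f"{src.stem}.part{n}{src.suffix}")
        path.write_text(chunk, encoding=encoding)
        written.append(path)
    return written


if __name__ == "__main__":
    new = rewrite_domain(SAMPLE_EXPORT, "OLDDOM", "NEWDOM")
    for n, chunk in enumerate(split_records(new, 4), 1):
        print(f"--- part {n} ---\n{chunk}", end="")
```

    Each part file is then replayed in its own elevated prompt with `subinacl /playfile <part file>`.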
     


    The post File Server in-place Domain Migration appeared first on Proxima's IT Corner.
     
  13. proximagr
    High Level Steps to Create a Syslog Server for Azure OMS (Log Analytics)
     
    This post is a collection of TechNet articles and 3rd party blog posts that my colleague John Dandelis followed to create a Linux syslog server in order to monitor network devices with Operations Management Suite (OMS). It’s not a complete step-by-step guide, but it is very useful as a reference.
     
    -Install an Ubuntu Server VM.
    Use any Bash shell to connect to the Ubuntu Server. (http://win-bash.sourceforge.net/)
    To install a Bash shell on Windows 10: from Update & Security, enable Developer mode under “For developers”. Then, from “Turn Windows features on or off”, add the Windows Subsystem for Linux.
     
    -Connect to Ubuntu server: ssh <syslog username>@<syslogIP>
     
    -Setup Ubuntu Syslog
    https://msandbu.wordpress.com/2016/02/22/monitoring-syslog-from-oms-with-non-oms-agents/
     
    Edit the rsyslog.conf file (in vim, press “Insert” to edit; press “Esc” and then type “:q” to quit, “:wq” to save and quit, “:q!” to quit without saving):
    sudo vim /etc/rsyslog.conf
     
    Uncomment Lines (remove # sign):
    #$ModLoad imudp
    #$UDPServerRun 514
     
    -Create a template for log receipt
    Add these lines before GLOBAL DIRECTIVES:
    $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs
     
    (The $template RemoteLogs directive (“RemoteLogs” string can be changed to any other descriptive name) forces rsyslog daemon to write log messages to separate local log files in /var/log/, where log file names are defined based on the hostname of the remote sending machine as well as the remote application that generated the logs. The second line (“*.* ?RemoteLogs”) implies that we apply RemoteLogs template to all received logs.)
     
    -Restart syslog service
    sudo service rsyslog restart
     
    Install OMS Agent from OMS–>Overview–>Settings–>Connected Sources–>Linux Servers
    Copy the “DOWNLOAD AND ONBOARD AGENT FOR LINUX” field and paste into Ubuntu Bash.
     
    Add Syslog Facilities from Overview–>Settings–>Data–>Syslog
    local0 or whatever is the device facility you collect logs from.
     
    Show Most Recent Logs
    tail -f /var/log/syslog
     

    Useful sites:
     
    Create syslog in Ubuntu Server
    http://blogbt.net/index.php/2013/11/syslog-server-on-ubuntu/
     

    VIM Editor:
    https://stackoverflow.com/questions/11828270/how-to-exit-the-vim-editor
    Hit the Esc key; vim goes into command mode. Then you can type:
    :q to quit (short for :quit)
    :q! to quit without saving (short for :quit!)
    :wq to write and quit (think write and quit)
    :wq! to write and quit even if file has only read permission (if file does not have write permission: force write)
    :x to write and quit (similar to :wq, but won’t write if there are no changes)
    :qa to quit all (short for :quitall)
    OMS Agent for Linux
    https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/installer/conf/omsagent.d/syslog.conf
     
    https://blogs.technet.microsoft.com/msoms/2016/05/12/syslog-collection-in-operations-management-suite/
     
    Install Azure Power Shell
    https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-4.0.0
     
    Install Agent For log analytics
    https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-linux-agents
     

    The post High Level Steps to Create a Syslog Server for Azure OMS (Log Analytics) appeared first on Apostolidis IT Corner.


  14. proximagr
    Azure Managed Disks | Easy Scale, High Available, Secure
    Azure Managed Disks is almost five months old; start using it, it’s simple, easy to scale, highly available and secure. As Microsoft says, “Let Azure take care of your disks”.
    The idea is simple: choose the performance tier and the size you want. After that you are free to change your mind! You can change the performance tier (yes, switch between SSD & HDD) and the size with just a click.
    Let’s get started. First of all we need to enable managed disks at VM creation. Specifically, at the third step select “Yes” at the “Use managed disks” setting. After that you don’t have to worry about the storage account; Azure takes care of it.

    Once the VM is deployed, go to the VM’s blade and click “Disks” and “+ Add data disk”

    After that, the “Create managed disk” blade opens and there are some interesting settings to choose from. Let’s have a closer look.

    First choose a name for the Data Disk, choose a Resource Group and Account type. This is the performance tier, SSD or HDD.
    Next, at the Source type drop down menu, we can choose to create an empty disk, by selecting the None. Also, we can select to use a Snapshot that we have already created or a Storage blob to select a disk.

    After that comes the size. Each Managed Disk size has a specific price and IOPS. Type the size in gigabytes and see the estimated performance instantly.
    You can find the details here: https://azure.microsoft.com/en-us/pricing/details/managed-disks/
    Standard Managed Disks:

    All standard managed disks have 500 IOPS and 60MB/sec throughput
    Premium Managed Disks:

    And what happens with the existing VMs that have “classic” unmanaged disk? No worries, just a bit of PowerShell and you can convert that to managed disks.
    How to do it? First Stop the VM; not just shut down, we need to Stop (Deallocate) it. Then run just this one line of PowerShell:
    ConvertTo-AzureRmVMManagedDisk -ResourceGroupName rgname -VMName vmname
    Now some magic. SSD to HDD to SSD to HDD and go on!
    Let’s say you have created a Standard disk, HDD, but now you need performance. Just go to the VM blade, first Stop the VM and then select “Disks”, find the disk and change the “Account type”.

    Just save, and voila! You have SSD, from 500 IOPS to 5000 IOPS! At any time you can Stop the VM and change the disk back to Standard (HDD).
    Export
    Some more magic? Click “Export” at the disk properties, set an expiration time and Generate URL. You need to Stop the VM first.

    A PUBLIC URL is generated. You can use it to download the VHD without having to log in to the Portal. Treat that URL as a secret: anyone who has it can download the disk until the expiration time you set.
    Create snapshot
    At the disk properties click “Create snapshot”.
    Enter a Name, select a Resource group and Account type.
    Now, under the Resources of the Resource Group you will find the Snapshot.
     

    The post Azure Managed Disks | Easy Scale, High Available, Secure appeared first on Apostolidis IT Corner.
     
  15. proximagr
    Thank you all for participating at my session today at Athens Azure Bootcamp, about how to Protect your data with a modern backup, archive and disaster recovery solution.
     

     
    Bad things happen, even to good people. Protect yourself and avoid costly business interruptions by implementing a modern backup, archive and disaster recovery strategy. See how you can securely extend your on-premises backup storage and data archive solutions to the cloud to reduce cost and complexity, while achieving efficiency and scalability. Be ready with a business continuity plan that includes disaster recovery of all your major IT systems without the expense of secondary infrastructure. You will leave this session with a set of recommended architectures showing how to implement a modern backup, archive and disaster recovery solution and an understanding of how to quickly get something in place in your organization.
     
    PANTELIS APOSTOLIDIS
     
    you can download my presentation from this link: https://1drv.ms/p/s!AvpafHi49lqjgdd4ixVWNS6nqZIZSw
  16. proximagr
    Secure your Azure SQL locally inside your vnet using service endpoints
    For many companies, a drawback of using Azure SQL was the public access. After the latest Azure updates you can use service endpoints to secure your Azure SQL locally inside your vnet! For now, the feature is available only in the West Central US, West US 2, and East US regions, but soon more will follow.
    So, let’s secure your Azure SQL locally inside your vnet! At the VNET creation blade, select the Microsoft.Sql service endpoint from the list of the available service endpoints.

    Then create an SQL Database at the same region,

     
    Next, go to the SQL server firewall settings and turn Off “Allow access to Azure services”. By doing this you disable access to the SQL Server using the Public IP.

    Click the “Add existing virtual network” and create an access rule, in order to be able to access the SQL Server from your Virtual Network using the service endpoints.

    Now let’s test. A fast way to test your SQL connectivity from a Virtual Machine on the VNET, without having the SQL management tools, is to open the “ODBC Data Source Administrator” and create a new connection. Add the Azure SQL Server IP

    at the next screen enter the username and password of your SQL Server and finally click the “Test Data Source”

    Of course we can also connect with SSMS. Add the SQL Server FQDN, the username and the password

    and you are connected, fast and securely!

     
    You cannot yet put your SQL Server in a subnet, but you secure its access inside your VNET! All public access is denied.
    The post Secure your Azure SQL locally inside your vnet using service endpoints appeared first on Apostolidis IT Corner.


  17. proximagr
    MICROSOFT AZURE BLOG: WHAT IS ARTIFICIAL INTELLIGENCE?
    August 10, 2018 Pantelis Apostolidis Azure Leave a comment
     
    This post is reposted from the Microsoft Azure Blog : What is Artificial Intelligence? <azure.microsoft.com/blog/what-is-artificial-intelligence/>
    Aug 9th 2018, 12:00, by Theo van Kraay
    It has been said that Artificial Intelligence will define the next generation of software solutions. If you are even remotely involved with technology, you will almost certainly have heard the term with increasing regularity over the last few years. It is likely that you will also have heard different definitions for Artificial Intelligence offered, such as:
    *“The ability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings.”* – Encyclopedia Britannica
    *“Intelligence demonstrated by machines, in contrast to the natural intelligence displayed by humans.”* – Wikipedia
    How useful are these definitions? What exactly are “tasks commonly associated with intelligent beings”? For many people, such definitions can seem too broad or nebulous. After all, there are many tasks that we can associate with human beings! What exactly do we mean by “intelligence” in the context of machines, and how is this different from the tasks that many traditional computer systems are able to perform, some of which may already seem to have some level of *intelligence* in their sophistication? What exactly makes the *Artificial Intelligence* systems of today different from sophisticated software systems of the past?

    It could be argued that any attempt to try to define “Artificial Intelligence” is somewhat futile, since we would first have to properly define “intelligence”, a word which conjures a wide variety of connotations. Nonetheless, this article attempts to offer a more accessible definition for what passes as Artificial Intelligence in the current vernacular, as well as some commentary on the nature of today’s AI systems, and why they might be more aptly referred to as “intelligent” than previous incarnations.
    Firstly, it is interesting and important to note that the technical difference between what used to be referred to as Artificial Intelligence over 20 years ago and traditional computer systems, is close to zero. Prior attempts to create intelligent systems known as *expert systems* at the time, involved the complex implementation of exhaustive rules that were intended to approximate *intelligent behavior*. For all intents and purposes, these systems did not differ from traditional computers in any drastic way other than having many thousands more lines of code. The problem with trying to replicate human intelligence in this way was that it requires far too many rules and ignores something very fundamental to the way *intelligent beings* make *decisions*, which is very different from the way traditional computers process information.
    Let me illustrate with a simple example. Suppose I walk into your office and I say the words “Good Weekend?” Your immediate response is likely to be something like “yes” or “fine thanks”. This may seem like very trivial behavior, but in this simple action you will have immediately demonstrated a behavior that a traditional computer system is completely incapable of. In responding to my question, you have effectively dealt with ambiguity by making a prediction about the correct way to respond. It is not certain that by saying “Good Weekend” I actually intended to ask you whether you had a good weekend. Here are just a few possible *intents* behind that utterance:
    – Did you have a good weekend?
    – Weekends are good (generally).
    – I had a good weekend.
    – It was a good football game at the weekend, wasn’t it?
    – Will the coming weekend be a good weekend for you?
    And more.

    The most likely intended meaning may seem obvious, but suppose that when you respond with “yes”, I had responded with “No, I mean it was a good football game at the weekend, wasn’t it?”. It would have been a surprise, but without even thinking, you will absorb that information into a mental model, correlate the fact that there was an important game last weekend with the fact that I said “Good Weekend?” and adjust the probability of the expected response for next time accordingly so that you can respond correctly next time you are asked the same question. Granted, those aren’t the thoughts that will pass through your head! You happen to have a neural network (aka “your brain”) that will absorb this information automatically and *learn* to respond differently next time.
    The key point is that even when you do respond next time, you will still be making a prediction about the correct way in which to respond. As before, you won’t be certain, but if your prediction *fails* again, you will gather new data which leads to my definition of Artificial Intelligence:
    “Artificial Intelligence is the ability of a computer system to deal with ambiguity, by making predictions using previously gathered *data*, and learning from errors in those predictions in order to generate newer, more accurate predictions about how to behave in the future”.
    This is a somewhat appropriate definition of Artificial Intelligence because it is exactly what AI systems today are doing, and more importantly, it reflects an important characteristic of human beings which separates us from traditional computer systems: human beings are prediction machines. We deal with ambiguity all day long, from very trivial scenarios such as the above, to more convoluted scenarios that involve *playing the odds* on a larger scale. This is in one sense the essence of *reasoning*. We very rarely know whether the way we respond to different scenarios is absolutely correct, but we make reasonable predictions based on past experience.
    Just for fun, let’s illustrate the earlier example with some code in R! First, lets start with some data that represents information in your mind about when a particular person has said “good weekend?” to you.

    In this example, we are saying that *GoodWeekendResponse* is our *score label* (i.e. it denotes the appropriate response that we want to predict). For modelling purposes, there have to be at least two possible values in this case “yes” and “no”. For brevity, the response in most cases is “yes”.
    We can fit the data to a logistic regression model:
    library(VGAM)
    greetings=read.csv('c:/AI/greetings.csv',header=TRUE)
    fit <- vglm(GoodWeekendResponse~., family=multinomial, data=greetings)
    Now what happens if we try to make a prediction on that model, where the expected response is different than we have previously recorded? In this case, I am expecting the response to be “Go England!”. Below, some more code to add the prediction. For illustration we just hardcode the new input data, output is shown in bold:
    response <- data.frame(FootballGamePlayed="Yes", WorldCup="Yes", EnglandPlaying="Yes", GoodWeekendResponse="Go England!!")
    greetings <- rbind(greetings, response)
    fit <- vglm(GoodWeekendResponse~., family=multinomial, data=greetings)
    prediction <- predict(fit, response, type="response")
    prediction
    index <- which.max(prediction)
    df <- colnames(prediction)
    df[index]
    *            No   Yes   Go England!!
    1 3.901506e-09   0.5            0.5
    > index <- which.max(prediction)
    > df <- colnames(prediction)
    > df[index]
    [1] "Yes"*
    The initial prediction “yes” was wrong, but note that in addition to predicting against the new data, we also incorporated the actual response back into our existing model. Also note, that the new response value “Go England!” has been *learnt*, with a probability of 50 percent based on current data. If we run the same piece of code again, the probability that “Go England!” is the right response based on prior data increases, so this time our model *chooses* to respond with “Go England!”, because it has finally learnt that this is most likely the correct response!
    *            No        Yes   Go England!!
    1 3.478377e-09  0.3333333      0.6666667
    > index <- which.max(prediction)
    > df <- colnames(prediction)
    > df[index]
    [1] "Go England!!"*
    Do we have Artificial Intelligence here? Well, clearly there are different *levels* of intelligence, just as there are with human beings. There is, of course, a good deal of nuance that may be missing here, but nonetheless this very simple program will be able to react, with limited accuracy, to data coming in related to one very specific topic, as well as learn from its mistakes and make adjustments based on predictions, without the need to develop exhaustive rules to account for different responses that are expected for different combinations of data. This is the same principle that underpins many AI systems today, which, like human beings, are mostly sophisticated prediction machines. The more sophisticated the machine, the more it is able to make accurate predictions based on a complex array of data used to *train* various models, and the most sophisticated AI systems of all are able to continually learn from faulty assertions in order to improve the accuracy of their predictions, thus exhibiting something approximating human *intelligence*.

    Machine learning
    You may be wondering, based on this definition, what the difference is between *machine learning* and *Artificial intelligence*? After all, isn’t this exactly what machine learning algorithms do, make predictions based on data using statistical models? This very much depends on the definition of *machine learning*, but ultimately most machine learning algorithms are *trained* on static data sets to produce predictive models, so machine learning algorithms only facilitate part of the dynamic in the definition of AI offered above. Additionally, machine learning algorithms, much like the contrived example above, typically focus on specific scenarios, rather than working together to create the ability to deal with *ambiguity* as part of an *intelligent system*. In many ways, machine learning is to AI what neurons are to the brain. A building block of intelligence that can perform a discrete task, but that may need to be part of a composite *system* of predictive models in order to really exhibit the ability to deal with ambiguity across an array of behaviors that might approximate to *intelligent behavior*.

    Practical applications
    There are a number of practical advantages in building AI systems, but as discussed and illustrated above, many of these advantages are pivoted around “time to market”. AI systems enable the embedding of complex decision making without the need to build exhaustive rules, which traditionally can be very time consuming to procure, engineer and maintain. Developing systems that can “learn” and “build their own rules” can significantly accelerate organizational growth.
    Microsoft’s Azure cloud platform offers an array of discrete and granular services in the AI and Machine Learning domain <docs.microsoft.com/en-us/azure/#pivot=products&panel=ai>, that allow AI developers and Data Engineers to avoid re-inventing wheels, and consume re-usable APIs. These APIs allow AI developers to build systems which display the type of *intelligent behavior* discussed above.
    If you want to dive in and learn how to start building intelligence into your solutions with the Microsoft AI platform, including pre-trained AI services like Cognitive Services and the Bot Framework, as well as deep learning tools like Azure Machine Learning, Visual Studio Code Tools for AI, and Cognitive Toolkit, visit AI School <aischool.microsoft.com/learning-paths>.
  18. proximagr
    Azure offers a free SMTP relay using the SendGrid application. SendGrid is a cloud service that provides email delivery and marketing campaigns. The specific offer is for up to 25.000 emails per month. This offer also provides full reporting and analytics and 24/7 support.
    In this post we will see how to create a SendGrid free account that can be used for many purposes, like:
    Send emails through an application using the SendGrid API
    Send email campaigns, newsletters, etc. using the SendGrid SMTP service


    At the Azure Portal, portal.azure.com, search for sendgrid and click the “SendGrid Email Delivery”

    The SendGrid account wizard will open. Fill the name and password, select subscription and resource group and choose the F1 free pricing tier. Also fill the contact information, accept the legal terms and press “Create”
    Once the SendGrid Account is created, navigate to it and select Manage
    The SendGrid portal will open. Navigate to the Settings / API Keys to Create an API Key.
    Enter a name for the key. For permissions you only need to send emails, so select Restricted Access and add “Mail Send”. Press “Create & View” to create the key.
    You will only see the key once, upon creation. After that there is no way to see the key again, so copy it and keep it safe.
    SMTP Service
    We are ready to send emails using any host that supports SMTP. The settings are:
    Server: smtp.sendgrid.net
    Username: apikey
    Password: the API Key you created before
    Ports: SSL 465, Unencrypted 25, TLS 586
    More about SendGrid SMTP: https://sendgrid.com/docs/API_Reference/SMTP_API/integrating_with_the_smtp_api.html

    API Usage:
    https://sendgrid.com/docs/for-developers/sending-email/api-getting-started/
  19. proximagr
    Validate Azure Resource Move with Postman
    In this post we will see how easily we can move Azure resources to new resource groups or subscriptions, and how we can validate whether the Azure resources are eligible to move without initiating the move.

    Move Azure Resources to new resource groups or subscriptions
    Azure Resource Manager allows you to easily move resources to new resource groups or subscriptions. It is a pretty simple process. From the Azure Portal, open a Resource Group, and from the top options click Move. You can select whether you want to move to another resource group or subscription.

    On the next page you can select the resources you want to move and click OK. Once you click OK, Azure Resource Manager starts to validate the move request: it checks whether the selected resources are eligible to move and whether they have any dependencies that would cause the move to fail.

    After the validation, if it is successful, the resource move starts. There is no option in the portal to just validate the move request without starting the move.

    Validate Resource Move with Postman
    To validate the resource move you need to use POST / GET operations. The https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources#validate-move document describes the parameters we must use to validate whether the resources are eligible to move. To do that we need to send a request to a URI with an Authorization token. A free and easy application to help us with the POST / GET requests is Postman. You can download the latest release from this link: https://www.getpostman.com/downloads/
    Download and install Postman and open the application. We need to perform a POST request to ask ARM whether the specific resources are eligible to move, and then a GET request to view the ARM response.

    At the Postman select POST and at the POST request URL enter:
    https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{sourceResourceGroupName}/validateMoveResources?api-version=2019-05-01
    My test case URL:
    https://management.azure.com/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/validateMoveResources?api-version=2019-05-01
    Then at the Body, select RAW -> json and paste the request:
    { "resources": ["<resource-id-1>", "<resource-id-2>"], "targetResourceGroup": "/subscriptions/<subscription-id>/resourceGroups/<target-group>" }
    In my example, where I want to validate two resources, the devrg VM and its managed disk, I entered:
    {
    "resources": ["/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/providers/Microsoft.Compute/virtualMachines/devrgvm", "/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/DEVRG/providers/Microsoft.Compute/disks/devrgvm_OsDisk_1_5da9dad62662418b9bb3f02496e88604"],
    "targetResourceGroup": "/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/target"
    }
    Create Authorization Token
    Finally we need an authorization token to access the ARM API. At the Azure Portal open the Cloud Shell by clicking the icon at the top right menu bar.

    Enter the below command to create a service principal at the Azure Active Directory:
    az ad sp create-for-rbac -n "my-access-app"
    The output will be as the below screenshot:

    You will get the application ID, URL, tenant ID and password. Next at the Postman press the + button to create a new tab

    At the Postman’s new tab create a new POST and enter:
    https://login.microsoftonline.com/{{tenantId}}/oauth2/token
    My test:
    https://login.microsoftonline.com/85ed7d07-ffa3-44da-a22a-38c51ba14d0e/oauth2/token
    Then at the Body property, select “x-www-form-urlencoded” and enter the following keys and values:
    Key: grant_type, Value: client_credentials
    Key: client_id, Value: the appId of the access app
    Key: client_secret, Value: the password of the access app
    Key: resource, Value: https://management.azure.com
    my test:

    Once you press “Send” it will return the “access_token”. This is the Authorization: Bearer <bearer-token> needed for the resource move validation.
    Send the validation request
    Back at the first tab of Postman, where we are preparing the move validation POST request, select “Authorization”, at the TYPE select “Bearer Token” and at the Token field paste the “access_token” from above. Then press “Send”.

    If all the details are correct, it will return a status of “202 Accepted”. This means that the ARM has started the validation. Copy the “Location” value because we will need it below.

    The next step is to create a GET request to view the validation result. The GET request consists of the location URL and the Authorization token. As we did before, open a new Tab at the Postman, select GET request, at the GET URL paste the “Location” URL, at the TYPE select “Bearer Token” and at the Token field enter the “access_token”.
    Receive the validation results
    Press Send to GET the validation results. If the move operation validates successfully, you receive the 204 status code and nothing in the Body.
    If the move validation fails, you receive an error message like the one below. In my example the validation failed. The error message explains what caused the failure. In my example the VM is being backed up, so the disks have restore points. The message also gives us a link to check for more information.
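The whole Postman flow above (token request, POST to validateMoveResources, polling the Location URL) as one PowerShell script, added here as an example and not taken from the post. Tenant id, subscription id, application id, resource ids and target group are placeholders you replace; the service principal's password is read from an AZ_CLIENT_SECRET environment variable instead of being pasted into a request.

```powershell
# Added example: validate an ARM resource move without starting it.
# All identifiers below are placeholders (assumptions of this example).

function Get-ArmAccessToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    # Same four keys as the x-www-form-urlencoded body used in Postman
    $form = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://management.azure.com'
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $form
    return $resp.access_token
}

function New-MoveValidationBody {
    param([string[]]$ResourceIds, [string]$TargetResourceGroupId)
    # Same JSON shape as the raw body pasted into Postman
    return @{ resources = $ResourceIds; targetResourceGroup = $TargetResourceGroupId } | ConvertTo-Json
}

function Test-ArmResourceMove {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$SourceResourceGroup,
        [Parameter(Mandatory)][string[]]$ResourceIds,
        [Parameter(Mandatory)][string]$TargetResourceGroupId,
        [int]$MaxPolls = 24,
        [int]$PollSeconds = 5
    )
    $auth = @{ Authorization = "Bearer $Token" }
    $uri  = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$SourceResourceGroup/validateMoveResources?api-version=2019-05-01"
    $body = New-MoveValidationBody -ResourceIds $ResourceIds -TargetResourceGroupId $TargetResourceGroupId

    # Step 1: POST. ARM answers 202 Accepted plus a Location header to poll.
    $post = Invoke-WebRequest -Method Post -Uri $uri -Headers $auth -ContentType 'application/json' -Body $body -UseBasicParsing
    if ($post.StatusCode -ne 202) { throw "validateMoveResources returned $($post.StatusCode), expected 202" }
    $location = [string]$post.Headers['Location']

    # Step 2: GET the Location until ARM finishes. 204 with an empty body means eligible,
    # 202 means still validating, an error status carries the reason in its body.
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        Start-Sleep -Seconds $PollSeconds
        try {
            $get = Invoke-WebRequest -Method Get -Uri $location -Headers $auth -UseBasicParsing
        } catch {
            # PowerShell throws on 4xx/5xx; the body explains what blocks the move
            $detail = $_.ErrorDetails.Message
            if (-not $detail -and $_.Exception.Response) {
                $reader = New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())
                $detail = $reader.ReadToEnd()
            }
            return [pscustomobject]@{ Eligible = $false; Detail = $detail }
        }
        if ($get.StatusCode -eq 204) { return [pscustomobject]@{ Eligible = $true; Detail = $null } }
        if ($get.StatusCode -ne 202) { return [pscustomobject]@{ Eligible = $false; Detail = $get.Content } }
    }
    throw "Validation still running after $($MaxPolls * $PollSeconds) seconds"
}

# Usage (placeholders, none of these are real identifiers)
$sub    = '<subscription-id>'
$token  = Get-ArmAccessToken -TenantId '<tenant-id>' -ClientId '<appId>' -ClientSecret $env:AZ_CLIENT_SECRET
$result = Test-ArmResourceMove -Token $token -SubscriptionId $sub -SourceResourceGroup 'devrg' `
    -ResourceIds @("/subscriptions/$sub/resourceGroups/devrg/providers/Microsoft.Compute/virtualMachines/<vm-name>") `
    -TargetResourceGroupId "/subscriptions/$sub/resourceGroups/<target-group>"
$result
```

The token is a bearer credential valid for the whole ARM API, so it should not be written to a file or shared the way the screenshots might suggest; keep it in the session variable and let it expire.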

  20. proximagr
    Application Security Groups to simplify your Azure VMs network security
    Application Security Groups help to manage the security of Azure Virtual Machines by grouping them according to the applications that run on them. It is a feature that allows an application-centric use of Network Security Groups.

    An example is always the best way to better understand a feature. So let’s say that in a Subnet we have some Web Servers and some Database Servers. The access rules of the Subnet’s Network Security Group to allow http, https & database access to those servers will be something like this:

    Using only the Network Security Groups functionality we need to add the IP addresses of the servers to the access lists. There are two major difficulties here:
    For every rule we need to add all the IPs of the servers that will be included.
    If there is an IP address change (e.g. by adding or removing a server) then all the related rules must change.
    Use Application Security Groups
    Now, let's see how we can avoid this complexity by using Application Security Groups combined with Network Security Groups.
    Create two Application Security Groups, one for the Web Servers and one for the Database Servers
    At the Azure Portal, search for Application Security Groups

    Provide a name and a Resource Group

    Create one more with name Database Servers and at the Resource Group you will have those two Application Security Groups:

    Then go to each Virtual Machine and attach the relevant ASG.
    Click the Virtual Machine and then go to the Networking settings blade, and press the “Configure the application security groups”

    Select the relevant ASG and press save:

    Do the same for all your servers. Finally open the Network Security Group. Open the https rule, in my example the “https2WebServers” rule. Change the Destination to “Application Security Group” and for Destination application security group select the Web Servers.

    In the same way change the database access rule: for Source add the “Database Servers” ASG and for Destination the “Web Servers” ASG. Now the NSG will look like this:

    From now on, when removing a VM from the Web Servers farm or the Database Servers cluster there is no need to change anything in the NSG. When adding a new VM, the only thing we need to do is to attach the VM to the relevant Application Security Group.
    A Virtual Machine can be attached to more than one Application Security Group. This helps in cases of multi-application servers.
    There are only two requirements:
    All network interfaces used in an ASG must be within the same VNet.
    If ASGs are used in both the source and the destination, they must be within the same VNet.
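The same design done in PowerShell with the current Az module, added here as an example (it is not code from the post, whose screenshots use the portal). Resource group, location, NIC names and the database port are assumptions; the example also assumes the web tier opens the connection to the database tier on 1433, so that rule runs from the Web Servers ASG to the Database Servers ASG. The point to notice is that no rule contains an IP address: membership lives on the NIC.

```powershell
# Added example: ASG-based NSG rules and NIC attachment with the Az module.
# Names and the database port are assumptions of this example.
$rg       = 'myResourceGroup'
$location = 'westeurope'

# 1. The two ASGs. Membership is per NIC, so the rules below never list an address.
$webAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'WebServers'      -Location $location
$dbAsg  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'DatabaseServers' -Location $location

# 2. NSG rules that reference the ASGs instead of prefixes
$httpsToWeb = New-AzNetworkSecurityRuleConfig -Name 'https2WebServers' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationApplicationSecurityGroup $webAsg -DestinationPortRange 443

# Only the web tier may open the (assumed) SQL port on the database tier;
# the default DenyAllInbound rule keeps the Internet away from the database ASG.
$webToDb = New-AzNetworkSecurityRuleConfig -Name 'WebServers2Database' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceApplicationSecurityGroup $webAsg -SourcePortRange '*' `
    -DestinationApplicationSecurityGroup $dbAsg -DestinationPortRange 1433

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'NSG-01' -Location $location `
    -SecurityRules $httpsToWeb, $webToDb

# 3. Attach a NIC to one or more ASGs (a multi-application server simply gets several).
#    Assumes the ipconfig's ApplicationSecurityGroups property is a List of PSApplicationSecurityGroup.
function Add-NicToAsg {
    param(
        [Parameter(Mandatory)][string]$NicName,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][object[]]$Asg
    )
    $nic  = Get-AzNetworkInterface -Name $NicName -ResourceGroupName $ResourceGroupName
    $list = New-Object 'System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.PSApplicationSecurityGroup]'
    foreach ($a in $Asg) { $list.Add($a) }
    $nic.IpConfigurations[0].ApplicationSecurityGroups = $list
    $nic | Set-AzNetworkInterface | Out-Null
}

Add-NicToAsg -NicName 'web01-nic' -ResourceGroupName $rg -Asg $webAsg
Add-NicToAsg -NicName 'db01-nic'  -ResourceGroupName $rg -Asg $dbAsg
# A server that hosts both roles is a member of both groups:
Add-NicToAsg -NicName 'multi01-nic' -ResourceGroupName $rg -Asg $webAsg, $dbAsg
```

Both requirements from the post still apply: every NIC in an ASG must be in the same VNet as the NSG, and a rule that uses an ASG as source and another as destination needs both groups in that same VNet.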

  21. proximagr
    I was looking for a way to get a list with many details about the VMs of an Azure Classic deployment. Some of the details are VM Name, HostName, Service Name, IP address, Instance Size, Availability Set, Operating System, Disk Name (OS), SourceImageName (OS), MediaLink (OS), HostCaching (OS), Subnet, DataDisk Name, DataDisk HostCaching, DataDisk MediaLink, DataDisk Size.
    I started with PowerShell ISE and some TechNet searching and after a lot of testing I created this script:
    Add-AzureAccount
    Select-AzureSubscription -SubscriptionId xxxxxxx-xxxxxxxx-xxxxxx-xxxxxx
    $VMlist = ForEach ($VM in (Get-AzureVM))
    { Get-AzureOSDisk -VM $VM | Select @{Label="VM";Expression={$VM.Name}},`
    @{Label="HostName";Expression={$VM.HostName}},`
    @{Label="Service";Expression={$VM.ServiceName}},`
    @{Label="IP";Expression={$VM.IpAddress}},`
    @{Label="InstanceSize";Expression={$VM.InstanceSize}},`
    @{Label="AvailabilitySet";Expression={$VM.AvailabilitySetName}},`
    OS,DiskName,SourceImageName,MediaLink,HostCaching, `
    @{Label="Subnet";Expression={(Get-AzureSubnet -VM $VM)}},`
    @{Label="DataDiskName";Expression={(Get-AzureDataDisk -VM $VM).DiskName}},`
    @{Label="DDHostCaching";Expression={(Get-AzureDataDisk -VM $VM).HostCaching}},`
    @{Label="DDMediaLink";Expression={(Get-AzureDataDisk -VM $VM).MediaLink}},`
    @{Label="DDSize";Expression={(Get-AzureDataDisk -VM $VM).LogicalDiskSizeInGB}}
    }
    $VMlist | Sort VM,SourceImageName | Export-CSV C:\vms_alldata.csv -NoTypeInformation
    Just open vms_alldata.csv with Excel, convert text to columns, insert a table and voila.
    The post Classic Azure VM Details appeared first on Proxima's IT Corner.
    Source: http://www.e-apostolidis.gr/microsoft/azure/classic-azure-vm-details/
  22. proximagr
    After my previous post, the internal load balancer with two VMs, this is a scenario using the External Load Balancer. The configuration includes a Load Balancer with a Static Public IP at the front end and two VMs at the back end. The load balancer has two inbound NAT rules for RDP, one for each VM, and one load balancing rule for TCP port 80, common for web sites and applications. It uses a probe that checks a web page on both hosts to verify that they are active.
     
    Let's start. First we need to install the AzureRm module. If you are not on Windows 10, first install https://www.microsoft.com/en-us/download/details.aspx?id=48729. Then open PowerShell ISE and execute the following commands. I have added a lot of comments to help you customize the script to your needs.
    Set-ExecutionPolicy RemoteSigned
    Install-Module AzureRM
    Login-AzureRmAccount
     
    #Define the variables
    $ResourceGroupName = "myresourcegroup"
    $StorageAccountName = "mystorageaccount"
    $vnetname = "VNET-01"
    $NSGname = "NSG-01"
    $locationName = "West Europe"
    $publicipname = "mypublicip"
    # The virtual network does not exist yet; it is created further down and fetched with Get-AzureRmVirtualNetwork after that
     
    #Create a new resource group
    New-AzureRmResourceGroup -Name $ResourceGroupName -Location $locationName
     
    #Create storage account
    New-AzureRmStorageAccount `
    -ResourceGroupName $resourcegroupName `
    -Name $storageaccountName `
    -Type Standard_LRS `
    -Location $locationName
     
    #Create Virtual Network and a private IP address for front end IP pool
    $FESubnet = New-AzureRmVirtualNetworkSubnetConfig -Name FE-SUBNET -AddressPrefix 10.0.0.16/28
    $BESubnet = New-AzureRmVirtualNetworkSubnetConfig -Name BE-SUBNET -AddressPrefix 10.0.0.32/28
     
    $vnet = New-AzureRmVirtualNetwork `
    -Name $vnetname `
    -ResourceGroupName $ResourceGroupName `
    -Location $locationName `
    -AddressPrefix 10.0.0.0/24 -Subnet $FESubnet,$BESubnet
     
    $FESubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name FE-SUBNET -VirtualNetwork $vnet
    $BESubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name BE-SUBNET -VirtualNetwork $vnet
     
    #Create Public IP
    $publicIP = New-AzureRmPublicIpAddress `
    -Name PublicIp `
    -ResourceGroupName $ResourceGroupName `
    -Location $locationName `
    -AllocationMethod Static `
    -DomainNameLabel $publicipname
     
    #Create FrontEnd IP pool and BackEnd address pool
    $APPfrontendIP = New-AzureRmLoadBalancerFrontendIpConfig `
    -Name APP-LB-Frontend `
    -PublicIpAddress $publicIP
     
    $APPbeaddresspool= New-AzureRmLoadBalancerBackendAddressPoolConfig -Name "APP-LB-backend"
     
    #Create load balancer rules, NAT rules, probe and load balancer
    $APPinboundNATRule1= New-AzureRMLoadBalancerInboundNatRuleConfig `
    -Name "RDP1" `
    -FrontendIpConfiguration $APPfrontendIP `
    -Protocol TCP `
    -FrontendPort 33389 `
    -BackendPort 3389
    $APPinboundNATRule2= New-AzureRMLoadBalancerInboundNatRuleConfig `
    -Name "RDP2" `
    -FrontendIpConfiguration $APPfrontendIP `
    -Protocol TCP `
    -FrontendPort 33390 `
    -BackendPort 3389
    $APPhealthProbe = New-AzureRMLoadBalancerProbeConfig `
    -Name "HealthProbe" `
    -RequestPath "/index.aspx" `
    -Protocol http `
    -Port 80 `
    -IntervalInSeconds 15 `
    -ProbeCount 2
    $APPlbrule = New-AzureRMLoadBalancerRuleConfig `
    -Name "HTTP" `
    -FrontendIpConfiguration $APPfrontendIP `
    -BackendAddressPool $APPbeAddressPool `
    -Probe $APPhealthProbe `
    -Protocol Tcp `
    -FrontendPort 80 `
    -BackendPort 80
    $APPLB = New-AzureRMLoadBalancer `
    -ResourceGroupName $ResourceGroupName `
    -Name "APP-LB" `
    -Location $locationName `
    -FrontendIpConfiguration $APPfrontendIP `
    -InboundNatRule $APPinboundNATRule1,$APPinboundNATRule2 `
    -LoadBalancingRule $APPlbrule `
    -BackendAddressPool $APPbeAddressPool `
    -Probe $APPhealthProbe
     
    #Create the network interfaces for the backend VMs
    $vnet = Get-AzureRMVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
    $APPbackendSubnet = Get-AzureRMVirtualNetworkSubnetConfig -Name FE-SUBNET -VirtualNetwork $vnet
     
    #Create 1st NIC with first NAT rule for RDP
    $APPbackendnic1 = New-AzureRMNetworkInterface `
    -ResourceGroupName $ResourceGroupName `
    -Name APP-lb-nic1-be `
    -Location $locationName `
    -PrivateIpAddress 10.0.0.21 `
    -Subnet $APPbackendSubnet `
    -LoadBalancerBackendAddressPool $APPLB.BackendAddressPools[0] `
    -LoadBalancerInboundNatRule $APPLB.InboundNatRules[0]
    #Create 2nd NIC with second NAT rule for RDP
    $APPbackendnic2 = New-AzureRMNetworkInterface `
    -ResourceGroupName $ResourceGroupName `
    -Name APP-lb-nic2-be `
    -Location $locationName `
    -PrivateIpAddress 10.0.0.22 `
    -Subnet $APPbackendSubnet `
    -LoadBalancerBackendAddressPool $APPLB.BackendAddressPools[0] `
    -LoadBalancerInboundNatRule $APPLB.InboundNatRules[1]
     
    #Create a Virtual Machine and assign the NIC
    # Set the existing virtual network and subnet index
    $subnetIndex=0
    $vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $resourcegroupName
     
    #Create Availability Set
    $availabilitysetName="APP-AS"
    New-AzureRmAvailabilitySet -Name $availabilitysetName -ResourceGroupName $resourcegroupName -Location $locationName
     
    # First VM
    # Specify the name, size, and existing availability set
    $vmName="APP-01"
    $vmSize="Standard_A1"
    $availabilitysetName="APP-AS"
    $availabilitysetSet=Get-AzureRmAvailabilitySet -Name $availabilitysetName -ResourceGroupName $resourcegroupName
    $vm=New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $availabilitysetSet.Id
     
    #Add a 1023 GB additional data disk
    $diskSize=1023
    $diskLabel="AS1Data"
    $diskName="AS1Data"
    $storageAccount=Get-AzureRmStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName
    $vhdURI=$storageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + $diskName + ".vhd"
    Add-AzureRmVMDataDisk -VM $vm -Name $diskLabel -DiskSizeInGB $diskSize -VhdUri $vhdURI -CreateOption empty
     
    #Specify the image and local administrator account, and then add the NIC
    #To find the Publisher, Offer and SKU use the Get-AzureRmVMImagePublisher, Get-AzureRmVMImageOffer and Get-AzureRmVMImageSku commands
    $pubName="MicrosoftWindowsServer"
    $offerName="WindowsServer"
    $skuName="2012-R2-Datacenter"
    $cred=Get-Credential -Message "Type the name and password of the local administrator account."
    $vm=Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred
    $vm=Set-AzureRmVMSourceImage -VM $vm -PublisherName $pubName -Offer $offerName -Skus $skuName -Version "latest"
    $vm=Add-AzureRmVMNetworkInterface -VM $vm -Id $APPbackendnic1.Id
     
    #Specify the OS disk name and create the VM / For Create NEW OS Disk
    $diskName="OSDisk"
    $storageAccount=Get-AzureRmStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName
    $osDiskUri=$storageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + $diskName + ".vhd"
    $vm=Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri $osDiskUri -CreateOption fromImage
    New-AzureRmVM -ResourceGroupName $resourcegroupName -Location $locationName -VM $vm
     
    #Second VM
    # Specify the name, size, and existing availability set
    $vmName="APP-02"
    $vmSize="Standard_A1"
    $availabilitysetName="APP-AS"
    $availabilitysetSet=Get-AzureRmAvailabilitySet -Name $availabilitysetName -ResourceGroupName $resourcegroupName
    $vm=New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $availabilitysetSet.Id
     
    #Add a 1023 GB additional data disk
    $diskSize=1023
    $diskLabel="AS2Data"
    $diskName="AS2Data"
    $storageAccount=Get-AzureRmStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName
    $vhdURI=$storageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + $diskName + ".vhd"
    Add-AzureRmVMDataDisk -VM $vm -Name $diskLabel -DiskSizeInGB $diskSize -VhdUri $vhdURI -CreateOption empty
     
    #Specify the image and local administrator account, and then add the NIC
    #To find the Publisher, Offer and SKU use the Get-AzureRmVMImagePublisher, Get-AzureRmVMImageOffer and Get-AzureRmVMImageSku commands
    $pubName="MicrosoftWindowsServer"
    $offerName="WindowsServer"
    $skuName="2012-R2-Datacenter"
    $cred=Get-Credential -Message "Type the name and password of the local administrator account."
    $vm=Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred
    $vm=Set-AzureRmVMSourceImage -VM $vm -PublisherName $pubName -Offer $offerName -Skus $skuName -Version "latest"
    $vm=Add-AzureRmVMNetworkInterface -VM $vm -Id $APPbackendnic2.Id
     
    #Specify the OS disk name and create the VM / For Create NEW OS Disk
    $diskName="OSDisk"
    $storageAccount=Get-AzureRmStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName
    $osDiskUri=$storageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + $diskName + ".vhd"
    $vm=Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri $osDiskUri -CreateOption fromImage
    New-AzureRmVM -ResourceGroupName $resourcegroupName -Location $locationName -VM $vm
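The script defines $NSGname but never creates the group, so as written the RDP NAT ports 33389 and 33390 on the public IP answer to any source address. As an added example that is not part of the original script, here is an NSG built with the same AzureRM cmdlets and variables and attached to the subnet that holds the backend NICs; $adminPrefix is a placeholder for your management range. Note that the load balancer rewrites the destination port (33389 to 3389) but keeps the client's source address, so the NSG rule is written against the backend port 3389, not the NAT front-end ports.

```powershell
# Added example: NSG for the backend subnet of the script above (AzureRM cmdlets, same variables).
# $adminPrefix is an assumption of this example; replace it with your management network.
$adminPrefix = '203.0.113.0/24'

# RDP only from the management prefix. The LB NAT rule delivers it to port 3389 on the VM.
$rdpFromAdmin = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-RDP-Admin' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $adminPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

# The load-balanced web port stays open to the Internet, as the LB rule intends
$httpFromInternet = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-HTTP' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80

# The health probe comes from the AzureLoadBalancer service tag; the default rules already
# allow it, this rule only documents the dependency explicitly
$probe = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-LB-Probe' -Priority 120 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix AzureLoadBalancer -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80

# Explicit deny for RDP from anywhere else, so the intent survives later rule additions
$denyRdp = New-AzureRmNetworkSecurityRuleConfig -Name 'Deny-RDP-Other' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NSGname `
    -Location $locationName -SecurityRules $rdpFromAdmin,$httpFromInternet,$probe,$denyRdp

# Associate it with FE-SUBNET, where the script places both backend NICs (10.0.0.21/.22)
$vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FE-SUBNET `
    -AddressPrefix 10.0.0.16/28 -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

Run it after the VMs exist (the end of the script). The AzureRM module is retired; the same cmdlets exist in the Az module with the Az prefix (New-AzNetworkSecurityRuleConfig and so on) if you port the script.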
     
    Source: http://www.e-apostolidis.gr/microsoft/azurerm-create-external-load-balancer-with-two-vms/
  23. proximagr
    Custom pfSense on Azure Rm | a complete guide
    A complete guide on how to create a pfSense VM on a local Hyper-V server, prepare it for Microsoft Azure, upload the disk to Azure and create a multi-NIC VM.
    Download the latest image from https://www.pfsense.org/download/

    Open Hyper-V Manager create a Generation 1 VM. I added 4096 ram, 2 cores, use VHD, add an extra NIC (for second interface) and select the downloaded ISO. (create a fixed VHD as Azure supports only fixed VHDs for custom VMs)

    Start the VM and at the first screen press enter.

    At all screens I accepted the default settings. Finally at the reboot prompt remove the installation ISO.
    There is no need to setup VLANs, select the second interface for WAN and the first for LAN.


    Once the pfSense is ready press 2 and change the LAN (hn0) interface IP to one at your network. Then select the option 14 to enable SSH.

    Now we can login with putty, with username admin password pfsense and press 8 for Shell access.

    The first thing is to update the packages running:
    pkg upgrade
    Python
    Then install Python, as it is a requirement for the Azure Linux Agent.
    Search for Python packages running:
    pkg search python

    Install the latest Python package, setup tools and bash:
    pkg install -y python27-2.7.14
    pkg search setuptools
    pkg install py27-setuptools-36.2.2
    ln -s /usr/local/bin/python /usr/local/bin/python2.7
    pkg install -y bash
    Azure Linux Agent
    ref: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/classic/freebsd-create-upload-vhd
    pkg install git
    git clone https://github.com/Azure/WALinuxAgent.git
    cd WALinuxAgent
    git tag
    git checkout WALinuxAgent-2.1.1
    git checkout WALinuxAgent-2.0.16
    python setup.py install
    ln -sf /usr/local/sbin/waagent /usr/sbin/waagent
    check the agent is running:
    waagent -Version

    One final step before uploading the VHD to Azure is to set the LAN interface as dhcp.
    This can be done from the web interface: go to https://lanaddress, login using admin / pfsense, go to Interfaces / LAN and select DHCP as the IPv4 configuration type.

    Now, shutdown the pfSense and upload it to Azure Storage.
    I use the Storage Explorer, https://azure.microsoft.com/en-us/features/storage-explorer/ a free and powerful tool to manage Azure Storage. Login to your Azure Account and press Upload. Select as Blob type: “Page blob”

    After the upload is completed we can create a VM with multiple NICs. This cannot be done from the GUI, so we will create it using PowerShell.
    $ResourceGroupName = "******"
    $pfresourcegroup = "*******"
    $StorageAccountName = "******"
    $vnetname = "*****"
    $NSGname = "******"
    $location = "West Europe"
    $vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
    $backendSubnet = Get-AzureRMVirtualNetworkSubnetConfig -Name default -VirtualNetwork $vnet
    $vmName="pfsense"
    $vmSize="Standard_F1"
    $vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
    $pubip = New-AzureRmPublicIpAddress -Name "PFPubIP" -ResourceGroupName $pfresourcegroup -Location $location -AllocationMethod Dynamic
    $nic1 = New-AzureRmNetworkInterface -Name "EXPFN1NIC1" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pubip.Id
    $nic2 = New-AzureRmNetworkInterface -Name "EXPFN1NIC2" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id
    $VM = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
    # Attach the uploaded page blob as the OS disk (attach, not fromImage)
    $VM | Set-AzureRmVMOSDisk `
     -VhdUri https://********.blob.core.windows.net/vhds/pfsensefix.vhd `
     -Name pfsenseos -CreateOption attach -Linux -Caching ReadWrite
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id
    # A multi-NIC VM must have exactly one primary NIC
    $vm.NetworkProfile.NetworkInterfaces.Item(0).Primary = $true
    New-AzureRMVM -ResourceGroupName $pfresourcegroup -Location $location -VM $vm -Verbose
    Once the VM is created, go to the VM’s blade and scroll down to “Boot diagnostics”. There you can see a screenshot of the VM’s monitor.

    Then go to the Networking section and SSH to the Public IP.

    and also we can login to the Web Interface of the pfSense


    In my case I have added both NICs at the same Subnet, but at a production environment add the LAN interface to the backend subnet and the WAN interface to the DMZ (public) subnet.
    Of course more NICs can be added to the VM, one for each Subnet in our environment.
    Route external traffic through the pfSense
    We cannot change the gateway at an Azure VM, but we can use routing tables to route the traffic through the pfSense.
    From the Azure Portal, select New and search for Route table.

    We need to configure two things. One is to associate the Route table to a Subnet and the second is to create a Route.

    Open the “Route table” and click “Routes”. Press “Add route” and, in order to route all outbound traffic through the pfSense, add for Address prefix “0.0.0.0”, for Next hop type “Virtual appliance” and for Next hop address the IP address of the pfSense’s LAN interface.

    Then go to the “Subnets” and associate the required subnets.
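The route table step in PowerShell with the Az module, added as an example (not code from the post). Names, the backend subnet and the pfSense LAN address are assumptions. Two details the portal walkthrough does not mention: Azure only delivers packets to a NIC that are addressed to it unless IP forwarding is enabled on that NIC, so the pfSense LAN NIC needs that flag or the default route blackholes traffic; and the table must be associated with the workload subnet, not the subnet the pfSense LAN interface lives in, otherwise the appliance's own egress loops back to itself.

```powershell
# Added example: default route through the pfSense with the Az module.
# Names, prefix and addresses are assumptions of this example.
$rg       = 'myResourceGroup'
$location = 'westeurope'
$vnetName = 'VNET-01'
$subnet   = 'backend'                  # subnet whose egress should go through pfSense
$pfLanIp  = '10.0.1.4'                 # private IP of the pfSense LAN interface
$pfLanNic = '<pfsense-lan-nic-name>'   # NIC that carries that address

# 1. Enable IP forwarding on the appliance NIC, otherwise Azure drops forwarded packets
$nic = Get-AzNetworkInterface -Name $pfLanNic -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 2. Default route (0.0.0.0/0) whose next hop is the appliance
$default = New-AzRouteConfig -Name 'Default-via-pfSense' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $pfLanIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'RT-backend' -Location $location -Route $default

# 3. Associate the table with the workload subnet only
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$cfg  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $cfg.AddressPrefix -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 4. Verify from a VM NIC in that subnet: the effective default route must show
#    NextHopType VirtualAppliance and the pfSense address, with State Active
Get-AzEffectiveRouteTable -NetworkInterfaceName 'app01-nic' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object Source, State, NextHopType, NextHopIpAddress
```

If step 4 still shows the system default route as Active, the table is attached to the wrong subnet; if it shows the appliance route but traffic stops, check step 1 and the pfSense firewall rules.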

     
    The post Custom pfSense on Azure Rm | a complete guide appeared first on Apostolidis IT Corner.


  24. proximagr
    Azure File Sync & DFS Namespace
    Azure File Sync is a new Azure feature, still in preview, that allows to sync a folder between your local file server and Azure Files. This way your files are accessible both locally at your file server and publicly at Azure Files using an SMB 3.0 client. Also the files can be protected online using Azure Backup.
    The idea of this post is to have the files of two file servers to sync to Azure Files using Azure File Sync and in addition use the DFS Namespace feature to achieve common name and availability. This is not something officially supported, it is just an idea on using two different technologies to help for a service.
    The requirement before starting Azure File Sync is to create an Azure File share. We have covered this in a previous post, check here.
    Once the Azure Files share is ready, proceed with the Azure File Sync resource. At the Azure Portal press New and search for it and create it.

    At the Deploy Storage Sync blade select a name for the Resource, subscription, resource group and location.

    When the Azure File Sync is ready we need to create a Sync group. Sync group is something like the DFS Replication Group. It is a group that consists of an Azure File Share and many local file servers that syncs a folder.

    Press “+Sync group” it will open the new “Sync group” blade. There provide a name for the Sync group and select the storage account and the Azure File Share created before.

    The Sync group is ready with the cloud endpoint. The next step is to add the first local file server.
    Register the local servers
    Navigate to https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-server-registration for information on how to download the agent, install it and register the server. After that press “Add server endpoint”

    At the “Add server endpoint” blade, select the registered server and add the path to the folder that has the data you want to sync. With Cloud Tiering you select a percentage of the local server's volume. When the used capacity of the volume reaches this number, Azure File Sync makes the files that are accessed least frequently cloud-only. The file icon on the server becomes transparent, and if anyone double-clicks the file it is downloaded instantly.

    Register the second server the same way as the first and finally the share group will have two server endpoints. At my example the second server had no data, just the folder, and the Azure File Sync synced all files from server A.
    Create a DFS Namespace
    The next step is to create a DFS Namespace, just the namespace with the two local servers. Add the folders of both servers and you are ready.

    Also if you browse the Azure File Share, all files are accessible

    Notes from the field
    Adding or changing a file at the first server, almost instantly replicates to Azure File Share and to the second server.
    Altering a file at both servers at the same time keeps the most recently accessed file (by timestamp) as is, and the other file is renamed by appending the server name to the file name, as in the example “enaneoarxeio-AzureFS2.txt” where AzureFS2 is the server name.
    You can add an Azure Backup and have a Cloud Backup of all your files.
    The post Azure File Sync & DFS Namespace appeared first on Apostolidis IT Corner.


  25. proximagr
    Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM
    With the new Dv3 and Ev3 VM sizes Microsoft has released the Nested Virtualization, meaning you can simply have a Hyper-V VM inside an Azure VM. In this post I am testing the Nested Virtualization functionality creating a Hyper-V VM inside an Azure VM and have Network and Internet Connectivity.
    Lets get started. First of all we will need a Dv3 or Ev3 VM and for best Nested Virtualization performance make use of SSD Managed Disks. I created a D4s_v3 Standard (4Cores, 16GB Ram, SSD managed disks) and I attached a 1023GB SSD Data Disk for performance.

    Now remote desktop to the VM to add the Hyper V Role. From the Server Manager, add Roles and Features and add the Hyper-V role

    Since this is a one-NIC VM, select that NIC to create the Virtual Switch.

    Change the default Store location to the SSD Data Disk, in this case the E: drive.
     

    Finally wait for the installation to complete and reboot the VM. After the VM reboots, Remote Desktop and open the Hyper-V manager. Now we have Hyper-V inside an Azure VM.

    Let's create a VM. You can download a trial Windows Server 2016 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016 or use your subscription (MSDN, EA, etc.).
    I created a VM Called NestedVM01, with 4GB Ram using the Trial Windows Server 2016 ISO

    After the VM creation setup the Windows Server 2016 with all defaults and login.

    The first thing to notice is that the Network Interface does not have a valid IP address, since Microsoft Azure will not provide one. For the Nested VM to have network connectivity we need to use NAT.
    First change the Virtual Switch to “Internal network”

    At the Host’s Network interfaces, open the vEthernet NIC and add a static IP, only IP & Mask

    Now we will need PowerShell, since we cannot configure NAT form the GUI.
    Open the PowerShell (still at the Host Azure VM) and run
    New-NetNat -Name NVMNat -InternalIPInterfaceAddressPrefix 192.168.168.0/24
    The result:

    After that we can provide the Nested VMs with IPs from the 192.168.168.0/24 range. So login to the Nested VM and add an IP from the range, and for Default Gateway add the Host's IP.
    For DNS add your AD DNS or a Public DNS server just to have internet.
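The NAT setup above as a script, added here as an example (not code from the post). The first function runs on the Azure VM (the host): it creates an internal switch directly instead of converting the external one from the role wizard, puts the static address on the vEthernet adapter and creates the NAT object. The second runs inside the nested VM and applies the static address, gateway and DNS, then checks reachability of the host and the Internet. Switch name, the 192.168.168.1 host address, the guest address and the DNS server are assumptions.

```powershell
# Added example: Hyper-V NAT for nested VMs inside an Azure VM.
# Switch name, addresses and DNS server are assumptions of this example.

# Host side (run on the Azure VM with the Hyper-V role)
function Enable-NestedVmNat {
    param(
        [string]$SwitchName = 'NestedSwitch',
        [string]$HostIp     = '192.168.168.1',
        [string]$Prefix     = '192.168.168.0/24',
        [string]$NatName    = 'NVMNat'
    )
    # An internal switch gives the host a "vEthernet (<switch>)" adapter; the static
    # address on it is what the nested VMs use as their default gateway
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
    }
    $adapter   = Get-NetAdapter -Name "vEthernet ($SwitchName)"
    $prefixLen = [int]($Prefix.Split('/')[1])
    if (-not (Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $HostIp -ErrorAction SilentlyContinue)) {
        New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $HostIp -PrefixLength $prefixLen | Out-Null
    }
    # WinNAT supports a single NAT network per host, so reuse one that already exists
    $nat = Get-NetNat -Name $NatName -ErrorAction SilentlyContinue
    if (-not $nat) {
        $nat = New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Prefix
    }
    return $nat | Select-Object Name, InternalIPInterfaceAddressPrefix, Active
}

# Guest side (run inside the nested VM)
function Set-NestedGuestNetwork {
    param(
        [Parameter(Mandatory)][string]$GuestIp,
        [Parameter(Mandatory)][string[]]$DnsServers,
        [string]$Gateway      = '192.168.168.1',
        [int]$PrefixLength    = 24,
        [string]$InternetHost = 'www.microsoft.com'
    )
    # The nested VM has one adapter, connected to the internal switch
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    # Replace the APIPA/DHCP leftovers with the static configuration
    Set-NetIPInterface -InterfaceIndex $nic.ifIndex -Dhcp Disabled
    Remove-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $GuestIp -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DnsServers
    # Same two checks as the post: ping the host, then reach the Internet
    return [pscustomobject]@{
        HostReachable     = (Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet)
        InternetReachable = (Test-NetConnection -ComputerName $InternetHost -Port 443 -InformationLevel Quiet)
    }
}

# On the Azure VM:
Enable-NestedVmNat
# Inside NestedVM01 (use your AD DNS or a public resolver; placeholder here):
Set-NestedGuestNetwork -GuestIp '192.168.168.10' -DnsServers '<dns-server-ip>'
```

The NAT only translates outbound traffic; nothing from the Azure VNet can reach the nested VM unless you add an explicit static mapping with Add-NetNatStaticMapping, which is the part to think about before following the "hidden web server" idea in the next post.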

    Now from the Nested VM you can ping the Host:

    And also browse the Internet:

    Stay tuned, on my next post we will see how we can make the Nested VM a Web Server, a hidden Web Server in a VM inside an Azure VM!
    Of course this Features opens the door for many more features to test, like Hyper-V Replica, Containers, etc, that we will see in future posts.
     
    The post Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM appeared first on Apostolidis IT Corner.

