Jump to content

proximagr

Moderators
 View Profile  See their activity

  • Posts

    2468

  • Joined

  • Last visited

  • Days Won

    12

 Content Type 

Blog Entries posted by proximagr

  1. proximagr
    <div class="text geshifilter-text">this is something very common lately and always I follow this post: <a href="http://windowsitpro.com/windows-server-2003-end-support/migrating-dhcp-server-2003-server-2012-r2">http://windowsitpro.com/windows-server-2003-end-support/migrating-dhcp-server-2003-server-2012-r2</a></div>
    <div class="text geshifilter-text"></div>
    <div class="geshifilter">
    <div class="text geshifilter-text">Netsh<br />DHCP<br />Server \<DHCP_2003_Server_IP_Address><br />Export c:export2k3dhcp-database all</div>
    </div>
    <p>Performing this task will create a file in the c:export folder named 2k3dhcp-database</p>
    <p>Copy this file to the computer running Windows Server 2012 R2 that will function as the new DHCP server. You’ll need to install the DHCP server role on this computer and authorize the DHCP server in Active Directory before performing the following actions.</p>
    <p>Open an elevated command prompt and run the following commands (this assumes you’ve copied the file to a folder named c:import)</p>
    <div class="geshifilter">
    <div class="text geshifilter-text">Net stop DHCPserver<br />Del c:windowssystem32DHCPDHCP.mdb<br />Net start DHCPserver<br />Netsh<br />DHCP<br />Server \<DHCP_2012R2_Server_IP_Address><br />Import c:import2k3dhcp-database<br />Exit<br />Net stop DHCPserver<br />Net start DHCPserver</div>
    </div>
    <div class="text geshifilter-text">source: <a href="http://windowsitpro.com/windows-server-2003-end-support/migrating-dhcp-server-2003-server-2012-r2">http://windowsitpro.com/windows-server-2003-end-support/migrating-dhcp-server-2003-server-2012-r2</a></div>
    <p><a class="a2a_button_email" href="http://www.addtoany.com/add_to/email?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fmigrating-dhcp-server-2003-server-2012-r2%2F&linkname=Migrating%20DHCP%20from%20Server%202003%20to%20Server%202012%20R2"title="Email" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/email.png" width="16" height="16" alt="Email"/></a><a class="a2a_button_print" href="http://www.addtoany.com/add_to/print?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fmigrating-dhcp-server-2003-server-2012-r2%2F&linkname=Migrating%20DHCP%20from%20Server%202003%20to%20Server%202012%20R2" title="Print" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/print.png" width="16" height="16" alt="Print"/></a><a class="a2a_dd a2a_target addtoany_share_save" href="https://www.addtoany.com/share#url=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fmigrating-dhcp-server-2003-server-2012-r2%2F&title=Migrating%20DHCP%20from%20Server%202003%20to%20Server%202012%20R2" id="wpa2a_2"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></p><p>The post <a rel="nofollow" href="http://www.e-apostolidis.gr/microsoft/migrating-dhcp-server-2003-server-2012-r2/">Migrating DHCP from Server 2003 to Server 2012 R2</a> appeared first on <a rel="nofollow" href="http://www.e-apostolidis.gr">Proxima's IT Corner</a>.</p>


    <a href="http://www.e-apostolidis.gr/microsoft/migrating-dhcp-server-2003-server-2012-r2/"class='bbc_url' rel='nofollow external'>Source</a>
  2. proximagr
    Azure Log Analytics | CPU Performance Monitor
    In this article we will create a CPU Performance monitor View for our servers at the Azure Log Analytics (OMS) Portal.

    At the Microsoft Operations Management Suite (OMS) portal press the + button to create a new View

    The View Designer workspace will open. Select the “Line chart & callout”

    At the Properties blade enter a Name, something like “CPU Performance Monitor”, add the below query and press Apply
    Type:Perf CounterName="% Processor Time" InstanceName="_Total" | measure avg(CounterValue)by Computer Interval 10Minutes

    Pressing Apply you will see at the Preview window the “Name” and the CPU Performance of all the Windows servers that are monitored by OMS agent.

    The next step is to press the “+ View” tab and add a “Stack of line charts

    The “Stack of line charts” will add three charts per row and we can use it to add our servers. We will create something like that:

    So, at the Properties blade add a name and a query for each server needs to be monitored and press Apply. For more than three servers add more “Stack of line charts”.
    The query is the below, just change the Computer = “server.domain.local” with your servers.
    Type:Perf CounterName="% Processor Time" InstanceName="_Total" AND Computer ="server.domain.local" | measure Avg(CounterValue) as 'CPU_Percentage' by Computer Interval10Minutes

    Finally press “Save” at the View Designer

    The result is a CPU Performance monitor for all servers at the OMS Portal.

    And when you press it you have the CPU Performance Monitor of all added servers.


    Stay tuned for the next part
  3. proximagr
    Microsoft Azure Nested Virtualization | Hyper-V Replica on Azure
    After my Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post on how to create a Nested VM inside an Azure VM, I am following with how to have Hyper-V Replica on Azure.
    To accomplish this we will use the Azure VM and the Nested VM from the Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post. The first step is to create an identical pair of Azure VM and Nested VM to use for replica server. The only requirement is that the two Azure VMs must have network connectivity. As you understand we can have Hyper-V Replica between two Azure VMs at different Azure Regions using VPN.
    Next, at both Azure VMs open the 443 port at both the NSG and the Windows Firewall. For more security we can add the Public IPs of the VMs as Source.
    Since the VMs are not part of a domain we need to use Certificate based authentication for the Hyper-V Replica. We will use the New-SelfSignedCertificate command to create both certificates.The certificate process
    First we need to create a root CA certificate, so login at the first host and run:
    New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=myazurerootca" -CertStoreLocation "Cert:LocalMachineMy" -KeySpec "Signature" -KeyUsage "CertSign"

    Next, using the certificate Thumbprint of the root CA certificate, create two server certificates, one for each Azure VM. To accomplish this run:
    New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=anothertestvm" -CertStoreLocation "Cert:LocalMachineMy" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachineMy6A7196D9759FC2F7C49D62E08FA7195310DE5EB7" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=anothertestvm2" -CertStoreLocation "Cert:LocalMachineMy" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachineMy6A7196D9759FC2F7C49D62E08FA7195310DE5EB7" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

    The next step is to open the Certificates mmc (Local Computer) and at the Personal container you will find the three certificates created above.

    Right click each certificate and Export it, including the Private key, to a folder

    Copy the certificates to the second Azure VM and import them. The root CA certificate needs to be imported to he Trust Root Certification Authorities and the other two to the Personal (or just use automatic placement).

    Finally we need to disable the Certificate revocation check for Replication on both Azure VMs. To do this run the following command on both Azure VMs:
    REG ADD "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionVirtualizationReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
    The Hyper-V Replica process
    Lets start creating the Hyper-V Replica. Since Hyper-V Replica uses computer names, we need to use the host file to bind the Public IPs with the computer names. So, at the first Azure VM, open an elevated Notepad, browse to the path “C:WindowsSystem32driversetc”, and open the “hosts” file. Enter the Public IP of the second Azure VM following by the computer name. Do the same at the second Azure VM.

    After saving the host file, go to the Hyper-V Settings, go to the “Replication Configuration” and check the “Enable this computer as a Replica Server”. Then check the “Use certificate-based Authentication (HTTPS)” and select the certificate created before. Finally check the “Allow replication from any authenticated servers” and press OK. Do this at both Azure VM Hyper-V Servers.

     
    Next go to the Hyper-V manager, right click the Nested VM and choose “Enable Replica”. Enter the name of the second Azure VM and select the certificate.
     

     
    I just used the defaults at all the next screens and finally press finish to enable the replication.

     
    Once the replication is enabled you will see the “Replication enabled successfully” message and the Status will change to “Sending Initial Replica”.

     
    After a very short period of time, the VM will complete the initial sync.

    [/url]
    The post Microsoft Azure Nested Virtualization | Hyper-V Replica on Azure appeared first on Apostolidis IT Corner.


    Source
  4. proximagr
    Azure Backup Reports
    A new feature is in public preview, the Azure Backup Reports. Now we can have the Azure Backup Reports at the OMS Workspace, Event Hub and Power Bi. You can use Power BI to view report dashboard, download reports and create custom reports
    The configuration has two steps, one to configure the Azure Backup Reports connection with each service and the other is to get the data at each service.
    First go to a Recovery Services vault and select Backup Reports. Next press the Configure button.

    The Diagnostic settings blade will open. Change the Status to “On” and select the desired services to collect the Azure Backup Logs.

    For the Power Bi integration we need a Storage account. So check the “Archive to storage account” option and select a storage account. The storage account must be at the same region as the Azure Backup account.

    To integrate with OMS check the “Send to Log Analytics” option and select an OMS Workspace.

    An other option is to stream the Azure Backup logs to event hub. To configure it check the “Stream to an event hub” and select the event hub namespace and policy name.

    At the bottom part of the configuration blade select the Logs that you want to get. The retention days option is only for the Storage Account configuration.

    Press save and return to the Backup reports blade. Now press the “Sign in” to connect to Power Bi to configure the Service.

    At the lower left corner of the Power Bi Portal press “Get Data”

    At the AppSource press the “Get” button under the Services.

    Search and select the “Azure Backup”

    At the connect to Azure Backup page enter the Storage Account name. This is the storage account that we selected at the Azure Backup Reports configuration.

    Press next and Save. Now the Azure Backup workspace is ready. Be patient, it needs time to start reporting data.

    If you go back to the Azure Portal, the Backup Reports blade has changed and it only has the option to connect to your Power Bi dashboard.

    If you browse to your Power Bi dashboard, you can view the Azure Backup Reports Workspace as the below image.

    For the OMS integration, you only need to go to the Log Search and query “Category=”AzureBackupReport” and you will have all the Azure Backup Report logs. Following the OMS logic you can create a custom View, you can follow this post: Azure Log Analytics

  5. proximagr
    Add multiple managed disks to Azure RM VM
    In this post I have created a PowerShell script to help add multiple managed disks to an Azure RM Virtual Machine.
    The script to add multiple managed disks will prompt you to login to an Azure RM account, then it will query the subscriptions and ask you to select the desired. After that it will query the available VMs and promt to select the target VM from the VM list.
    At this point I am checking the OS disk and define the storage type of the data disk. If we need to change the storage type we can check the comments at step 4. e.g. If the OS disk is Premium and you want Standard data disks.
    The next step is to ask for disk size. You can check the sizes and billing here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#pricing-and-billing
    Finally it will ask for the number of the disk we need to create. After this input the script will create the disks, attach them to the VM and update it. The Script:

     



    1



    2



    3



    4



    5



    6



    7



    8



    9



    10



    11



    12



    13



    14



    15



    16



    17



    18



    19



    20



    21



    22



    23



    24



    25



    26



    27



    28



    29



    30



    31



    32



    33



    34



    35



    36



    # 1. You need to login to the Azure Rm Account

    Login-AzureRmAccount

    # 2. The script will query the Subscriptions that the login account has access and will promt the user to select the target Subscription from the drop down list

    $subscription = Get-AzureRmSubscription | Out-GridView -Title "Select a Subscription" -PassThru
    Select-AzureRmSubscription -SubscriptionId $subscription.Id

    # 3. The script will query the available VMs and promt to select the target VM from the VM list

    $vm = Get-AzureRmVM | Out-GridView -Title "Select the Virtual Machine to add Data Disks to" -PassThru

    # 4. I set the storage type based on the OS disk. If you want to spesify somehting else you can cahnge this to: $storageType = StandardLRS or PremiumLRS etc.

    $storageType = $VM.StorageProfile.OsDisk.ManagedDisk.StorageAccountType

    # 5. The script will promt for disk size, in GB

    $diskSizeinGB = Read-Host "Enter Size for each Data Disk in GB"

    $diskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location $vm.Location -CreateOption Empty -DiskSizeGB $diskSizeinGB

    # 6. Enter how many data disks you need to create

    $diskquantity = Read-Host "How many disks you need to create?"

    for($i = 1; $i -le $diskquantity; $i++)
    {
    $diskName = $vm.Name + "-DataDisk-" + $i.ToString()
    $DataDisk = New-AzureRmDisk -DiskName $diskName -Disk $diskConfig -ResourceGroupName $vm.ResourceGroupName
    $lun = $i - 1
    Add-AzureRmVMDataDisk -VM $vm -Name $DiskName -CreateOption Attach -ManagedDiskId $DataDisk.Id -Lun $lun
    }

    Update-AzureRmVM -VM $vm -ResourceGroupName $vm.ResourceGroupName
    You can download the script from here: AddManagedDisks
  6. proximagr
    Microsoft Azure Nested Virtualization | VM in Nested VM in Azure VM
    After my main Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post, we saw two usage scenarios. One is running Hyper-V Replica and the other is running Web Server in nested VM on Azure. Now lets have some fun and try to run a VM nested inside a VM nested inside an Azure VM. As a fellow said, VM inception!
    We will use again the nested VM that we created at the Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post. First we need to run two commands, one command to enable the virtualization and one to enable the MAC address spoofing. More details you can find at the Nested Virtualization Microsoft article
     

    Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
    Get-VMNetworkAdapter -VMName <VMName> | Set-VMNetworkAdapter -MacAddressSpoofing On
     

     
    After running the above commands we can go to the Server Manger and add the Hyper-V role.

     
    I just click next accepting all the defaults. One exception, I checked the NIC to use it for Virtual Switch.

     
    Finally we have a Hyper-V VM that is nested inside a Hyper-V VM that is nested inside an Azure VM

  7. proximagr
    Microsoft Azure Nested Virtualization | Web Server
    At my previous post, Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM, I described how to create a Hyper-V VM inside an Azure VM with the new Dv3 and Ev3 VM sizes. Now we will see how to use a Hyper-V Nested VM as a Web Server that is hidden behind the Azure VM to secure access to your web application.
    Starting we will add the IIS Role at the Nested VM. Go to the Server Manager, add Roles and Features and select the Web Server (IIS) Role.

    Select the Features that your application requires and Install.
    After that we will need to Forward the required ports to the Nested VMs. To accomplish this we will need to use PowerShell.
    At my previews post I created a NAT in order to have network communication between the Host and the Nested VM. We will use that NAT to forward the port 80 and 443 to the Nested VM.
    At the Host Azure VM open the PowerShell and rum:
     



    1



    Get-NetNat
    From the results we can see the NAT Name.

    Now we can create the Rules:
     



    1



    2



    Add-NetNatStaticMapping -NatName "NVMNat" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 192.168.168.10 -InternalPort 80 -ExternalPort 80
    Add-NetNatStaticMapping -NatName "NVMNat" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 192.168.168.10 -InternalPort 443 -ExternalPort 443


    A final step is to create a rule at the Azure VM’s NSG to allow port 80 & 443 and also open the ports at the Windows Firewall on both the Host and the Nested VMs.

    Finally we can browse to the Public IP of the Azure VM and see the IIS Welcome Page of the Nested VM.

    Just add an https binding to the IIS default website and also browse at the https page.

    Stay tuned for more usage scenarios for the Microsoft Azure Nested Virtualization!
  8. proximagr

    Azure VM Image

    By proximagr,

    Azure VM Image
    Following one of my earlier posts, about Azure Managed Disks, lets see how easy it is to create an Azure VM Image from an Azure VM that uses Managed Disks.
    The first step it to Sysprep/Generalize the source VM. Otherwise the VM that will be created will not start. Select Generalize and “Shutdown”.

    After that wait the VM to shut down and go to the Azure Porta, at the VM’s blade and click “Capture”.

    Now, the “Create Image” blade will open. Enter a name, select a Resource Group and choose if the source VM will be deleted or not. Then press create.

    As soon as the Image is created you can find it at the “Images” service.

    Now lets create a VM from our Image
    Click the image name from the Images Blade to open the desired image Blade and just press “Create VM”.
    Of course at the image’s blade we can see if the image is Windows or Linux, if it has any Data Disks and the Location.

    After clicking the “Create VM” the classic “Create virtual machine” wizard will start, just like any other Virtual Machine creation. You will notice the difference at the final step that shows the name of your image instead of the VM’s OS.

    If you want to automate the process of creating an Azure VM from your images you can use Azure Template. You can find a quick start template at Azure’s GitHub repository.
    Create a Virtual Machine from a User Image: https://github.com/Azure/azure-quickstart-templates/tree/master/101-vm-from-user-image
  9. proximagr
    Azure VM Backup directly from VM’s blade

    By Pantelis Apostolidis | December 28, 2016
    0 Comment
     
    Azure VM Backup directly from VM’s blade
    Azure makes the VMs’ administration simpler every time. Today we will view a very nice new feature, the Backup shortcut at the VM’s blade.
    Just click on the VM and select Backup

    All you have to configure is the Backup Vault name and the Backup policy at the next easy step and press Enable Backup at the bottom of the “Enable backup” blade and that’s all!!

    Now the next time that we will click the Backup shortcut it will show directly the VM’s Backup Settings and run an instant backup. After the first backup we will be able to Restore the VM and also see logging about the backup jobs, like the latest and oldest restore point among others.

    Stay tuned for more Azure features
  10. proximagr
    Azure AD | Secure Web Application Publishing
    Application Publishing
    Azure Active Directory Application Proxy is a very easy and secure way for web application publishing using the extremely secure Azure AD authentication mechanism. There are a tone of features, like SSO and 2 Factor Authentication. But lets see the basic here. You have a web application that you are using internal to your network, not even https, or you have developed a web application and you want an easy and safe way to publish it without having to wary about authentication or VPN. Use the Azure AD Application Proxy following the following simple steps.
    For this example I have used a Windows Server 2016 with IIS and the SugarCRM application using the IIS Web Platform Installer. The internal link is http://appproxy01/sugarcrm/that opens the SugarCRM login page.
    Lets start
    Navigate to Azure Portal and go to Azure Active Directory. Mind that Azure Active Directory Basic or Premium license is required. You can start a trial Azure AD Premium or Enterprise Mobility Suite E3 that includes Azure AD Premium.
    Fist of all you need to enable Application proxy. Select Enterprise applications –> Application proxy and click Enable & Download the connector clicking the “Connector” link.

    Next, install the connector to the web server or to an other domain member server. It requires Windows Server 2012 R2.

    At the installation process it will ask to login with an Azure AD account that has access to publish applications.
    Once installed, Run the Connector Troubleshooter to verify that the connector will run properly.

    After the successful installation,back to the Azure Portal the server FQDN and the Public IP will appear under the Default Connector.

    Now it is time to publish the application. Go to “All applications” –> +ADD –> On-premises application.

    Give a name, the internal Url that is used to access the application at your local network and press Add. Note the External URL.

    The next step is to assign users. Following the quick steps, press “Assign a user for testing”

    an add at least a user and you are ready to test the application.
    Now lets test the published application
    Open your favorite browser and navigate the the External URL. You will be navigated to the Microsoft online service logon page. Once authenticated with your Azure AD account the SugarCRM login page will be served.

    This is the simplest way to publish a web application without having to wary for Authentication and Security.
    Of course if the application supports active directory authentication then it is very easy to setup SSO, but we will analyze that at the next post.
  11. proximagr
    Exchange 2013/16 Set Virtual Directories Notes

    By Pantelis Apostolidis | December 13, 2016
    0 Comment
     
    You can find all this info at many many blogs allover the internet, I just want to have a note here to have them gathered for ease.
     
    Outlook Anywhare
    Get-OutlookAnywhere | Select Server,ExternalHostname,Internalhostname
     
    Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.mydomain.com -InternalHostname mail.mydomain.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
     
    MAPI
    Get-MapiVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
     
    Get-MAPIVirtualDirectory | Set-MAPIVirtualDirectory -ExternalUrl https://mail.mydomain.com/mapi-InternalUrl https://mail.mydomain.com/mapi
     
    OWA
    Get-OwaVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
     
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.mydomain.com/owa-InternalUrl https://mail.mydomain.com/owa
     
    ECP
    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.mydomain.com/ecp-InternalUrl https://mail.mydomain.com/ecp
     

    ActiveSync
    Get-ActiveSyncVirtualDirectory | select server,externalurl,internalurl | fl
     
    Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl https://mail.mydomain.com/Microsoft-Server-ActiveSync-InternalUrl https://mail.mydomain.com/Microsoft-Server-ActiveSync
     
    EWS
    Get-WebServicesVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
     
    Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.mydomain.com/EWS/Exchange.asmx-InternalUrl https://mail.mydomain.com/EWS/Exchange.asmx
     
    OAB
    Get-OabVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
     
    Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.mydomain.com/OAB-InternalUrl https://mail.mydomain.com/OAB
     
    AUTODISCOVER SCP
    Get-ClientAccessServer | Select Name,AutoDiscoverServiceInternalURI
     
    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.mydomain.com/Autodiscover/Autodiscover.xml
  12. proximagr
    Azure Web Farm using IIS & Azure File storage
    This post is my view of a complete guide, from A to Z, including both the Windows Server part and the Azure Portal part on how to build a Web Farm using IIS & Azure File storage. Following this guide you will have a functional two server IIS Web Farm using Azure File storage.
    To create a Web Server Farm the mail requirement is a high available common storage. I see that when deploying on Azure, a lot of people are using DFSR for common storage. This solution has two major issues, the first is the cost, because you need at least two Windows Servers and second the replication speed that many times doesn’t cover the web servers needs.
    Azure File storage provides a very fast, high available and cheap solution to create a web server farm on Azure.
    Azure File storage supports both SMB 2.1 & 3.0 protocol. Every share can be up to 5TB, storing unlimited number of files and each file can be up to 1TB. Of course we can create as many shares as needed up to 500TB that is the Storage Account limit. Also every share provided 1000 IOPS.
    For this guide I used one Windows Server 2016 for Domain Controller, two Windows Server 2016 for web servers and one Standard Storage Account for Azure Files. Of course you can create an IIS Web Farm with workgroup server, but I will cover this at an other post.
    I will skip the part of creating the Azure VMs, the domain and joining the servers on it, so I assume that there is a domain and the other two servers are member servers of the domain.
    Just a note, when creating the Azure VMs that will be part of the IIS Farm remember to add them to the same Availability Set. This will inform the Azure Fabric to have the VMs to different update & fault domains
    Step 1. Add the Web Server role
    From the Server Manager, click Add roles and features and add the “Web Server (IIS)” role and at the next screen add all the features your app needs.
    Step 2. Add Application Request Routing
    For more feature and control over the IIS load balance add the Application Request Routing (ARR) using the Web Platform Installer. The Web Platform Installer uses the Internet Explorer engine so I disable the “IE Enhanced Security Configuration” just for the installation and then enable it. You can do it from the Server Manager, at the Server section.

    Next, open the IIS Manager and at the Actions Panel (on the right) click the “Get New Web Platform Components”


    Search for “arr”, and add the Application request routing 3.0
    Step 3. Create an Azure Storage Account for Azure File Storage
    To create the Azure File storage shares, go to the Azure Portal, click the + button and create a Standard Storage account (you can just search for storage account)

    Select General purpose and Standard performance (Premium does not support Azure Files)

    once the storage account is created, open it and click the “Files” button

    Click the “+ File share” to add a file share

    Give it a name and quota limit

    After clicking OK the share will be created and it will be listed at the shares blade.

    Click on it to get the connection string and then click Connect to get the access key. At this point copy the “Connecting from Windows” command. We will use this to mount the share to the web servers.

    Finally click the File Share and at the new blade press “+Add Directory” and create two directories, one Configuration and one Data
    Step 4. Configure Windows Firewall & NSG
    Open the port 80 (and nay other requires ports) at the Windows firewall and at the NSGs
    for the windows firewall, go to the Servers’s control panel, Windows Firewall and click “Advanced Settings”

    go to the Inbound Rules, add New Rule and select Port

    Select TCP 80 (and any other needed for your application/site)

    Allow the rule for all profiles, provide a name and press finish to create the rule

    For the NSGs , go to the Azure Portal, open the NSGs of the web servers and add an http allow rule like below
    Step 5. Create the IIS Shared Configuration
    Go back to the first web server, open Computer Manager and add a new user with username and password the same as the connection string of the Azure Files share. You will need this for the IIS Service to access the Azure File storage share.

    Add the user to the IIS_IUSRS group

    Then open the IIS Manager and click the “Shared Configuration”

    at the Action pane click “Export Configuration”

    add the Azure File storage Share UNC path and “Connect As” using the share’s credentials

    Enter a complex encryption key and press ok to export the configuration to the Azure File storage “configuration” share

    Now we can enable the Shared Configuration, add the Configuration Share path and the same credentials and click apply.

    it will ask for the encryption key and finally the Shared Configuration will be enabled. You will need to restart the IIS Manager console

    at this point we can change the path of application pools, ftp applications etc to the Data folder share of the Azure File storage. Just note that you will need to use the UNC path “\azurefilesol.file.core.windows.netiisfarmData” and not any mapped drive.
    Repeat the above steps to the second web server. At the Shared Configuration don’t export the configuration, just enable the Shared Configuration.
    Finally we can create the Farm, from the IIS Manager, right click at the “Server Farms” and click “Create Server Farm…”

    give a farm name,

    add both servers and press Finish

    Press NO at the URL rewrite rule auto creation

    And the farm is ready

    as mentioned before, deploy your Web Site, Web Application etc to the Data file share, always using the full UNC path “\azurefilesol.file.core.windows.netiisfarmData”. All the website data will reside at the Azure File storage.
    If you need more than 1000 IOPS create more Azure Files storage shares and divine your website/application data.
    Run the following command to allow access to the Azure File storage. Change the file://”path” as needed
    C:WindowsMicrosoft.NETFramework64v4.0.30319>caspol -m -ag 1. -url file://azurefilesol.file.core.windows.net/iisfarm/* FullTrust
    Step 5. Azure Load Balancer
    Finally, create a Load Balancer to distribute incomming traffic to the farm. For this guide I will create an External Load Balancer, but also an Internal Load Balancer is supported.
    First, find and create the Load Balancer from the Azure Portal

    provide a name, for external load balancer select Public, select Dynamic or Static IP, resource group, location and press Create

    Then go to the new load balancer and create a health probe

    create an http probe

    provide a name, select Availability Set for association and add both the Web Servers

    finally create a load balancing rule to load balance the TCP port 80 at the farm

    once the load balance rule is created you can browse the public ip / name of the load balancer

    Now, browse to the load balancer’s IP and you are good to go!

     
    [/url]
    The post Azure Web Farm using IIS & Azure File storage appeared first on Apostolidis IT Corner.


    Source
  13. proximagr
    SQL Failover Cluster with AlwaysOn Availability Groups
     
    Πάμε τώρα για το τελευταίο κομμάτι του lab, να προσθέσουμε AlwaysOn Availability Group στο υπάρχον SQL WSFC.
    Windows Server 2012 R2 Failover Cluster with FreeNAS 9.3 (Page 1, Page 2) Microsoft SQL 2012 on Failover Cluster (Page 1, Page 2, Page 3) Add AlwaysOn AG to SQL Failover Cluster Instance (Page 1, Page 2, Page 3)

    Add AlwaysOn AG to SQL Failover Cluster Instance (Page 2)
     

    Επίσης σε αυτό το σημείο να αναφέρω ότι επειδή χρησιμοποιούμε ένα Named instance, κάθε φορά που ξεκινάει το SQL Server service καταχωρεί ένα SPN record το οποίο χρειάζεται για να μπορέσουν οι εφαρμογές να κάνουν authenticate με τον SQL Server. Για να μπορέσει να γίνει αυτό πρέπει το account που τρέχει το SQL Server service να έχει δικαίωμα να διαβάζει και να γράφει serviceprinipalnames στο Active Directory. Στο lab χρησιμοποίησα Domain Admin account οπότε το SPN καταχωρείται σωστά.

    Μπορούμε πλέον να ξεκινήσουμε την διαδικασία να βάλουμε την βάση μας σε AlwaysOn Availability Group.
    Από το active node του WSFC ανοίγουμε το SQL Management Studio και συνδεόμαστε στο SCL Cluster Instance, στο LAB “SQLFCI”. Πρώτα κάνουμε ένα backup την βάση μας, μιας που είναι προαπαιτούμενο για να προχωρήσουμε. Παίρνουμε το backup και το κάνουμε restore στο τρίτο Node, Win2012R203 στο lab αλλά προσοχή, επιλέγουμε στο restore Options / Recovery state / RESTORE WITH NORECOVERY

    Αφού ολοκληρωθεί το restore η βάση θα πρέπει να έχει δημιουργηθεί και να είναι σε (Restoring…)

    Μετά πηγαίνουμε στο πρώτο Node, Win2012R201 στο lab, SQL Management Studio, στο “AlwaysOn High Availability” και με δεξί click στο Availability Groups πατάμε “New Availability Group Wizard…”

    Ανοίγει ο Wizard και μετά το πρώτο next δίνουμε Availability group name

    Στο επόμενο βήμα επιλέγουμε την βάση που θέλουμε να βάλουμε σε Availability Group

    Στο επόμενο βήμα πρέπει να ορίσουμε replicas. Έχει ήδη το SQFCI, και μάλιστα μας ενημερώνει ότι επειδή είναι Failover Cluster Instance δεν υποστηρίζει automatic failover. Αυτό σημαίνει ότι όταν χάσουμε όλο το Cluster (SQL Cluster Instance) θα πρέπει να πάμε στο τρίτο Node (Win2012R203 στο lab) στο SQL management studio / AlwaysON High Availability / Availability Groups / και με δεξί click πάνω στο “AG Aname” κάνουμε manual failover.

    Κάνουμε connect στο τρίτο Node, Win2012R203\MSSQLAG

    Αφού προστεθεί και ο Win2012R203, επιλέγουμε Readable Secondary και ανάλογα την χρήση επιλέγουμε Synchronous ή όχι Commit. Όπως είπα και στην αρχή του πρώτου Post, “Η ιδέα είναι να έχουμε ένα SQL Flailover Cluster στο Primary Site και στο υπάρχον Cluster να προσθέσουμε ένα AlwaysOn Availability group για το DR” η χρήση του Availability Group είναι για DR Site για να αποφύγουμε latency στο Commit το αφήνουμε unchecked. Έτσι θα έχουμε asynchronous commit και θα αποφύγουμε το latency με ένα “φόβο” για Data Loss τη στιγμή που θα χρειαστεί Failover.
    Τέλος πατάμε Next.

    Στην επόμενη καρτέλα επιλέγουμε το «Join only” αφού έχουμε κάνει ήδη restore την βάση, και πατάμε Next

     
    Συνέχεια στην επόμενη σελίδα
     
    Πηγή http://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/add-alwayson-ag-to-sql-failover-cluster-instance/
  14. proximagr
    Get early access to large disks support of Azure Backup & more
    Azure Backup’s 1TB limitation at last is over! Now you can backup VMs with disk sizes up to 4TB(4095GB), both managed and unmanaged. Also has improvements on backup and recovery performance that you can find here.
    Starting today login to the Portal, go to your Recovery Services vault and you will a notification saying “Support for >1TB disk VMs and improvements to backup and restore speed ->”

    Click the notification and the “Upgrade to new VM Backup stack” will open. Here click “Upgrade” to complete the upgrade.

    You can also upgrade all the Recovery Services vaults of a subscription using Azure PowerShell
    1. Select the subscription:
    Get-AzureRmSubscription –SubscriptionName "SubscriptionName" | Select-AzureRmSubscription
    2. Register this subscription for the upgrade:
    Register-AzureRmProviderFeature -FeatureName "InstantBackupandRecovery" –ProviderNamespace Microsoft.RecoveryServices
    [/url]
    The post Get early access to large disks support of Azure Backup & more appeared first on Apostolidis IT Corner.


    Source
  15. proximagr
    Free e-book: Azure Strategy and Implementation Guide
    Microsoft Azure is giving free a Strategy and Implementation guide for Azure. This e-book provides guidance, architecture and advises to implement and integrate cloud technologies.
    This guide is directed to system administrators, cloud architects and project managers. It has for chapters, the Governance, the Architecture, the Application development and operations and the Service management.
    It will help you for starting with Azure or just doing a research regarding any cloud implementations.
    You can download your free copy from this link: https://azure.microsoft.com/en-us/resources/azure-strategy-and-implementation-guide/en-us/
    [/url]
    The post Free e-book: Azure Strategy and Implementation Guide appeared first on Apostolidis IT Corner.


    Source
  16. proximagr
    <h1>Azure Private Link | Private connection to Azure PaaS</h1>
    <p> </p>
    <p>Azure Private Link is a new service, currently in Preview, that provides private connectivity from a virtual network or an on-premises network with Site-2-Site VPN to Azure platform as a service (PaaS) Microsoft services. Azure Private Link makes the networking a lot more simple improving the security and eliminating the need for public access.</p>
    <p id="nAIxogs"><img class="alignnone size-full wp-image-2844 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8145c21e8f8.png"alt="" /></p>
    <p> </p>
    <p><span style="font-size: 12px;">image from: <a href="https://azure.microsoft.com/en-us/services/private-link/">https://azure.microsoft.com/en-us/services/private-link/</a></span></p>
    <p>Azure Private Link is a Service mapped to Azure Virtual Networks through a private endpoint. This means that all traffic is routed internally, using private IPs and connectivity, eliminating the exposure to threats. Using Private Link helps an organization to meed the compliance standards.</p>
    <p>Azure Private Link is a Global service. It does not have regional restrictions. You can connect privately services from all the Azure Regions around the globe.</p>
    <h2>Lets Lab It!</h2>
    <p>Let’s see in practice how we can connect from an Azure VM and from our on-premises computer using VPN to an Azure SQL Database using private IPs. For the Lab I already have a Virtual Machine running Windows Server 2019 and an Azure SQL Database. The SQL Database is not connected to any networks.</p>
    <p>Open the Azure Portal, press New and search for “Private Link”, select it and press “Create”</p>
    <p id="wWRgRfz"><img class="alignnone size-full wp-image-2824 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812bccdb08c.png"alt="" /></p>
    <p>A nice “Getting started page” will open. Click the “Build a private connection to a service”</p>
    <p id="YGbIKKC"><img class="alignnone size-full wp-image-2825 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812c222bb50.png"alt="" /></p>
    <p id="hySxSQb"><img class="alignnone size-full wp-image-2826 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812c2e18651.png"alt="" /></p>
    <p>The “Create a private endpoint” wizard will open. Select a name for the Private Link and a Region and press Next to go to the second step.</p>
    <p><code></code></p>
    <p id="vCwjsPb"><img class="alignnone size-full wp-image-2832 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8130185f27f.png"alt="" /></p>
    <p>At the second step, select to connect to the azure resource in my directory, and select the subscription where the Azure SQL Database resides. Then select the SQL Server.</p>
    <p id="qmxqrJF"><img class="alignnone size-full wp-image-2833 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81303297eff.png"alt="" /></p>
    <p>At the third step, select the VIrtual Network that the Private Link will be created. I selected the network where my Virtual Machine resides. If you don’t have your own DNS server select Yes to create an Azure private DNS zone.</p>
    <p id="nfoqivE"><img class="alignnone size-full wp-image-2835 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813077e1d38.png"alt="" /></p>
    <p>At the final step, review the settings and create the Private Link</p>
    <p id="lHsjjBi"><img class="alignnone size-full wp-image-2836 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81309adc037.png"alt="" /></p>
    <p>After the resource creation, you can check the DNS for the Azure SQL Server Private IP Address!</p>
    <p id="cSPyGGM"><img class="alignnone size-full wp-image-2837 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81317ff3814.png"alt="" /></p>
    <p>And at the SQL Server, at the “Private endpoint connections” section you will see the new Private Link.</p>
    <p id="YnyPGra"><img class="alignnone size-full wp-image-2839 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8132886dbdc.png"alt="" /></p>
    <p>Open a Remote Desktop Connection to the Azure VM, and run a nslookup for the SQL Server name. In my case the command is:</p>
    <p>PS C:> nslookup plsqlsrv.database.windows.net<br />Server: UnKnown<br />Address: 168.63.129.16</p>
    <p>Non-authoritative answer:<br />Name: plsqlsrv.privatelink.database.windows.net<br />Address: 10.0.2.5<br />Aliases: plsqlsrv.database.windows.net</p>
    <p id="zdWsPaP"><img class="alignnone size-full wp-image-2838 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8131e47f882.png"alt="" /></p>
    <p>And it returned the Private IP address of the SQL Server.</p>
    <p>From my computer, i tried to connect to the Azure SQL Server, using the name plsqlsrv.database.windows.net and the connection failed since my Public IP Address is not allowed to access the server.</p>
    <p id="YMuBmUq"><img class="alignnone size-full wp-image-2840 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813f72173a6.png"alt="" /></p>
    <p>From the Azure VM I managed to connect successfully and of course internally!</p>
    <p id="nVbBsVv"><img class="alignnone size-full wp-image-2841 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813fab7a6a1.png"alt="" /></p>
    <p>After that, I added a Virtual Network Gateway to the Network and created a Point to Site VPN connection from my local computer to Azure. You can check my guide on how to do this: <a href="https://www.e-apostolidis.gr/microsoft/azure-start-point-point-to-site-vpn/"target="_blank" rel="noopener noreferrer">https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-point-to-site-vpn/</a></p>
    <p>In order to connect to the Azure SQL you need to either use a local DNS server to map the SQl Server name to the Azure SQL IP or add an entry to the local host file for testing.</p>
    <p id="VbhUQVD"><img class="alignnone size-full wp-image-2849 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8150b51c2d2.png"alt="" /></p>
    <h2>Conclusion</h2>
    <p>Azure Private Link is in Preview and currently supports Azure SQL Database and Storage accounts. Additional services coming in preview in next 3-6 months:</p>
    <ul>
    <li>· Cosmos DB</li>
    <li>· App Service Vnet Integration + App Service Environment</li>
    <li>· Azure Kubernetes Service</li>
    <li>· Azure Key Vault</li>
    <li>· PostgreSQL</li>
    <li>· MySQL</li>
    <li>· Maria DB</li>
    </ul>
    <p> </p>
    <p>Source:</p>
    <p><a href="https://azure.microsoft.com/en-us/services/private-link/">https://azure.microsoft.com/en-us/services/private-link/</a></p>
    <p><a href="https://azure.microsoft.com/en-au/blog/announcing-azure-private-link/">https://azure.microsoft.com/en-au/blog/announcing-azure-private-link/</a></p>
    <p> </p>
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-private-link-private-connection-to-azure-paas%2F&linkname=Azure%20Private%20Link%20%7C%20Private%20connection%20to%20Azure%20PaaS"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-private-link-private-connection-to-azure-paas%2F&linkname=Azure%20Private%20Link%20%7C%20Private%20connection%20to%20Azure%20PaaS" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-private-link-private-connection-to-azure-paas%2F&title=Azure%20Private%20Link%20%7C%20Private%20connection%20to%20Azure%20PaaS" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/azure-private-link-private-connection-to-azure-paas/" data-a2a-title="Azure Private Link | Private connection to Azure PaaS"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-private-link-private-connection-to-azure-paas/">Azure Private Link | Private connection to Azure PaaS</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-private-link-private-connection-to-azure-paas/"class='bbc_url' rel='nofollow external'>Source</a>
  17. proximagr
    Connect two or more Azure Virtual Networks using one VPN Gateway
    Peering is a feature that allows to connect two or more virtual networks and act as one bigger network. At this post we will see how we can connect two Azure Virtual Networks, using peering and access the whole network using one VPN Gateway. We can connect Virtual Networks despite if they are in the same Subscription or not.
    I have created a diagram to help understand the topology.

    We have a Virtual Network with Site-2-Site VPN wto On Premises. It can also have Point-2-Site connection configured. The VNET A. We have another Virtual Network at the Same Subscription that we want to connect each other. The VNET B. Also we can have a third Virtual Network at a different subscription. The VNET C.

    In sort we need those peerings with the specific settings:
    At the VNETA Peering VNETA to VNETB with “Allow Gateway transit” At the VNETA Peering VNETA to VNET At the VNETB Peering VNETB to VNETA with “Use Remote Gateway” At the VNETB Peering VNETB to VNETC At the VNETC Peering VNETC to VNETA with “Use Remote Gateway” At the VNETC Peering VNETC to VNETB

    In order to be able to connect all those networks and also access them using the VPN Connection there are four requirements:
    The account that will be used to create the peering must have the “Network Contributor” Role. The Address Space must be different on each other and not overlap. All other Virtual Networks, except the one that has the VPN Connection must NOT have a VPN Gateway deployed. Of course at the local VPN device (router) we need to add the address spaces of all the Virtual Networks that we need to access.
    Lets lab it:
    HQ 192.168.0.0/16 –> The on-premises network VNET A 10.1.0.0/16 –> The Virtual Network that has the VPN Gateway (At my lab is named “devvn”) VNET B 10.229.128.0/24 –> THe virtual network at a different subscription of the Gateway (At my lab is named “Network prtg-rsg-vnet”) VNET C 172.16.1.0/24 –> The virtual network at the same subscription as the Gateway Network (At my lab is named “provsevnet)

    The on-premises network is connected with Site-to-site (IPsec) VPN to the VNETA

    Now we need to connect VNETA and VNETB using Vnet Peering. in order to have a Peering connection we need to create a connection from VNETA to VNETB and one from VNETB to VNETA.
    Open the VNETA Virtual Network, go to the Peerings setting and press +ADD
    Select the VNETB and check the “Allow Gateway transit” to allow the peer virtual network to use your virtual network gateway


    Then go to the VNETB, go to the Peerings setting and click +ADD.
    Select the VNETA Virtual Network and check the “Use Remote Gateway” to use the peer’s virtual network gateway. This way the VNETB will use the VNETA’s Gateway.


    Now we can contact the VNETB network from our on-premises network
    a multi-ping screenshot:
    From 10.229.128.5 (VNETB) to 192.168.0.4 (on-premises) & the opposite From 10..1.2.4 (VNETA) to 10.229.128.5 (VNETB) & to 192.168.0.4 (on-premises)

    The next step is to create a cross-subscription peering VNETA with VNETC
    Open the VNETA and create a peering by selecting the VNETC from the other Subscription and check the “allow gateway transit”

    Then go to the VNETC and create a peer with the VNETA and check the “use remote gaeway”

    With the two above connections we have connectivity between the on-premises network and the VNETC.
    The final step, to enable the connectivity between VNETB & VNETC. To accomplish this just create one peer from the VNETB to VNETC and one from VNETC to VNETB.
    Ping inception:

    In order to have client VPN connectivity to the whole network, create a Point-2-Site VPN at the VNETA. You can follow this guide: Azure Start Point | Point-to-Site VPN
    If you like my content you can follow my blog: e-apostolidis.gr
  18. proximagr
    <h1>Govern your Azure environment</h1>
    <p>It was a day full of Microsoft Azure and technology, from both IT Pro & Dev perspective. A sunny day at Athens, with a lot of fun. For sure we had a great time!</p>
    <p>You can download my Athens Azure Bootcamp 2019 presentation, Govern your Azure environment, from this <a href="https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD">link</a>:<a href="https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD">https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD</a></p>
    <p>Please find the demos of my presentation at the <a href="https://www.e-apostolidis.gr/videos/">Videos</a>page: <a href="https://www.e-apostolidis.gr/videos/">https://www.e-apostolidis.gr/videos/</a></p>
    <p>Standardize & enforce your company’s Azure Resources configuration, for regulatory compliance, cost control, security & design consistency</p>
    <p id="UWhJgpl"><img class="alignnone wp-image-2775 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/07/img_5d3de3d139c49.png"alt="aab" width="1188" height="665" /></p>
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fgovern-your-azure-environment%2F&linkname=Govern%20your%20Azure%20environment"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fgovern-your-azure-environment%2F&linkname=Govern%20your%20Azure%20environment" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fgovern-your-azure-environment%2F&title=Govern%20your%20Azure%20environment" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/" data-a2a-title="Govern your Azure environment"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/">Govern your Azure environment</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/"class='bbc_url' rel='nofollow external'>Source</a>
  19. proximagr
    Azure Portal | Virtual Machines bulk actions
    Azure Portal is a great GUI tool to administer all your Azure Resources and it continues evolving. Here is a very useful Tip. Did you know that you can manage Virtual Machines in bulk using the Azure Portal VIrtual Machines section? We have virtual machines bulk actions!

    Not only we can Assign Tags, Start, Restart, Stop and Delete Virtual Machines in bulk but also configure Change Tracking, Inventory and Update Management!!
    Filter out the Virtual Machines needed and just click the “Change Tracking” to have a report off all changes that happens inside the VM, like changes to services for Windows, daemons for Linux, applications and file changes.
    Use the “Inventory” to have a complete inventory of all the installed applications of the VM. Enable consistent control and compliance of these virtual machines.
    Enable the “Update Management” to manage the Updates of the selected Virtual Machines. Create update policies and control the installation of the updates.
  20. proximagr
    Create an Ultra High Available on-prem <-> Azure VPN Connection
    At this post we will see how to make a high available connection between our on-premises network and Azure. This way we will have an Active-Active Dual-Redundancy VPN Connection.
    The idea behind this is that we have a router/firewall cluster,connected with two ISPs and we want to also have a VPN connection with Azure using both ISPs actively. I call this an end-to-end high available connectivity between our on-premises infrastructure and Azure. Actually the active-active dual redundant connections needs to have two different on-premises VPN devices, but we can accomplish almost the same functionality with one device and two different interfaces with two different ISPs.

    The requirement for this topology, except the router/firewall cluster and the two ISPs is that the Azure VPN Gateway must be Standard or HighPerformance SKU. The Basic SKU does not support Active-Active mode.
    As you can see at the above diagram, the Active-Active VPN Gateway created two Active VPN Nodes. The connection of each node to each on-premises network interface in a mesh topology. All network traffic is distributed through all the connections. In order to accomplish this connectivity we need to also enable BGP to both on-premises device and Azure VPN Gateway with different ASN. Lets lab it:
    Create a Virtual Network Gateway, VPN, Route Based and SKU VpnGw1 or larger
    Enable active-active mode, this will create two nodes, and give the names of the two Public IPs.
    Check the Configure BGB ASN and change the default ASN, I used 65510
    wait a lot… more than the typical 45 minutes, a lot more…

    When the gateway is created you will see that the public ip address is called “First public IP address”. If you click the “see more” link you will see the second IP too.

    You can see both IP form the Properties page too.

    Second we need to create two Local network Gateways, to represent the two interfaces of our on-premises device. Both must be created with the same ASN. This ASM must be different than the Gateways’ and this ASN must be configured at the configuration of the local devices VPN connection.
    ]
    Now, create the connection

    And remember to enable BGP at the Connection’s Configuration

    As soon as the local device is configured both connections became connected.

    From powershell we can see both local IPs of the two nodes of the Azure VPN Gateway,
    Test and Troubleshooting
    Currently the only way to see the connections between the Azure Gateway Nodes and the local devices interfaces is the below powershell command
    Get-AzureRmVirtualNetworkGatewayBGpPeerStatus -VirtualNetworkGatewayName “gatewayname” -ResourceGroup “resourcegroupname”

    Every time you run this command you get answer from one of the two nodes at random. At the above screenshot, first is one node and second is the other.
    The first node’s peer, 192.168.xx.9 shows that is connected to the 10.xx.xx.2 local network’s peer and connecting at the second peer 10.xx.xx.1
    The second node’s peer, 192.168.xx.8 shows that is connected to the 10.xx.xx.1 local network’s peer and connecting at the second peer 10.xx.xx.2

    The test I performed was to unplug one interface from the local device. The azure gateway’s first node State was both Connecting and the second node was the same, connecting to .2 and connected to .1. At this test I did lost a single ping.
    After that I plugged the cable back, waited less than a minute and unplugged the second cable. Now the first node shows still disconnected but the first node connected to the .2 local IP and connecting to .1. With this test I lost only one ping. Also I realized that it is random which node’s private IP will connect with the local device’s private IP. Both Azure Gateway’s IPs 192.168.x.8 & 9 can connect with the local device’s IP 10.x.x.1 & 2 and this is the magic of the Active-Active Dual Redundancy VPN connection.
  21. proximagr
    Azure Backup | Enable backup alert notifications
    Azure Backup generates alerts for all backup events, such as unsuccessful backups. A new option is to create backup alert notifications so Azure Backup will alert you firing an email when an alert is generated.
    To enable the backup alert notifications, navigate to the “Backup Alerts” section of the “recovery Services vault” and click the “Configure notifications”

    There switch the Email notification to On to enable the alerts. Enter one or more recipients separated with semicolon (. Choose Per Alert or Hourly Digest. Per Alert will fire an email for every alert instantly and the Hourly Digest means that the notification agent will check for alerts every hour and will fire an email with the active alerts.
    Finally choose the Severity of the alerts which you will be notified and press save.


    If you like my content you can follow my blog: e-apostolidis.gr
  22. proximagr
    Secure your Azure SQL locally inside your vnet using service endpoints
    For many companies, a throwback of using Azure SQL was the Public Access. After the latest Azure updates you can use the service endpoints to Secure your Azure SQL locally inside your vnet! For the time, the feature is available only at the West Central US, West US 2, and East US regions but soon more will follow.
    So, lets secure your Azure SQL locally inside your vnet! At the VNET creation blade, select the Microsoft.Sql service endpoint from the list of the available service endpoints.

    Then create an SQL Database at the same region,

     
    Next, go to the SQL server firewall settings and turn Off the “Allow access to Azure services”. By doing this you disable the access to the SQL Server using the Public IP.

    Click the “Add existing virtual network” and create an access rule, in order to be able to access the SQL Server from your Virtual Network using the service endpoints.

    Now lets test. A fast way to test your SQL connectivity from a Virtual Machine on the VNET, without having the SQL management tools, is to open the “ODBC Data Source Administrator” and create a new connection. Add the Azure SQL Server IP

    at the next screen enter the username and password of your SQL Server and finally click the “Test Data Source”

    Of course we can also connect with the SMSS. Add the SQL Server FQDN, the username and the password

    and you are connected, fast and securely!

     
    You cannot yet add your SQL to a subnet, but you secure it’s access inside your VNET! all public access is denied.
    [/url]
    The post Secure your Azure SQL locally inside your vnet using service endpoints appeared first on Apostolidis IT Corner.


    Source
  23. proximagr
    Protect your Web App using Azure Application Gateway Web Application Firewall
    Web Application Firewall was always a big investment for a small or growing company as most of the top branded companies are charging a lot of money A Web Application Firewall protects your application from common web vulnerabilities and exploits like SQL Injection or Cross site scripting. Azure provides enterprise grade Web Application Firewall through the Application Gateway. It comes in two pricing models, Medium and Large. More about sizes and instances you can find here, and more about pricing here
    We can add the Application Gateway Web Application Firewall to protect our Azure Web App (PaaS) and our Web Application inside a VMs web server (IaaS). At this post we will see how to protect them both.

    One difference in order to fully protect the Azure Web App (PaaS) is to create an App Service Environment with internal VIP to host the Web App in order to hide it inside a VNET. First things first, create a VNET with one subnet for the Application Gateway WAF. App Service Environment
    After the VNET create the App Service Environment, from the Azure Portal, New –> App Service Environment and select VIP Type “Internal”. Add it to the VNET created before and create a subnet for the ASE. You need to be patient here because the deploy will take more than an hour, almost two.
    Web App
    As soon as the App Service Environment is ready we can create our Web App. Create a Web App from Azure Portal with one difference, on the App Service Plan location instead of selecting a Region select he App Service Environment.

    As you realize, the Web App resides at the internal VNET with no access from the internet. So, in order to access the application at this point we need a VM ( a small one just to test and deploy our application ). Create a small VM and add it to this VNET. One small detail, in order to be able to browse to the site’s URL we need to enter the FQDN, in our case papwaf3app.funniest.gr. In order to do this we need an entry at the VM’s host file. This way we can access the new born Web App.
    Web Application Firewall
    Lets create the Secure public entry point for our Web App. Create an application gateway, select WAF Tier, select the required SKU, add it to the WAF subnet we created before, select Public IP configuration and WAF enabled.


    When the Application gateway is ready we need to do some configuration. First at the Backend pools, open the default created backend pool add the Internal Load Balancer IP address of the ASE as target.

    Then add a health probe. For host add the FQDN of the Web App.

    at the HTTP settings check the “Use custom probe” and select the previously created probe.

    And that’s all. Now we can try our Web App from the Internet. In order to do so we need to browse to the Web App’s URL, that is now published by the Application Gateway, from the Internet. So, we need to create a Public DNS record to point the FQDN to the Application Gateway’s FQDN. In this case we need to crate a CNAME papwaf3app.funniest.gr to point to the 8b0510c1-47e9-4b94-a0ff-af92e4455840.cloudapp.net. In order to test the app right now we can just add a host file to our computer pointing to the Public IP Address of the application gateway and we can access the Web App behind the WAF.

    Logging
    In order to be able to see the Application Gateway and Web Application Firewall logs we need to turn on diagnostics. The easiest way to see the logs is by sending them to Log Analytics (OMS).



    With the Firewall at “Detection” mode, if we try an SQL Injection (?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )–), the Web App still servers the landing page.

    By switching the Firewall to “Prevention” mode, the same SQL injection attach stops by the WAF before accessing our Web App.
    Protect an IaaS Web Application
    To add a Web Application that runs inside a VM behind the Application Gateway Web Application Firewall, first add the VM as a Back End Pool. Create a new Backend Pool and select “Virtual Machine”. Select the Virtual Machine that runs the Web Application.

    Then create a new probe adding the URL of the Web Application
    next add HTTP settings and add custom probe the new created probe “vmsite”

    Next step is to create two multi-site listeners, one for each host name

    After the listener, add a Basic rule using the Listener, Backend Pool and HTTP settings we created for the VM Web Application,

    Finally one extra step is to change the default rule1 to listen to the WeB App listener

    Finally the Application Gateway Web Application Firewall provides secure access to both the Web App (PaaS) and the VM Web Application (IaaS)

  24. proximagr
    Ασφαλίστε την MySQL και την PostgreSQL με τη χρήση Service Endpoints
    Σε προηγούμενο post, Ασφάλισε την Azure SQL Database μέσα σε ένα VNET χρησιμοποιώντας service endpoints, είδαμε πως μπορούμε να χρησιμοποιήσουμε τα Service Endpoints του Azure Virtual Network για να ασφαλίσουμε μια Azure SQL για πρόσβαση μόνο από εσωτερικό δίκτυο.
     

    Σήμερα, το Microsoft Azure, ανακοίνωσε την γενική διαθεσιμότητα του Service Endpoints για MySQL και PostgreSQL. Αυτό δίνει την δυνατότητα να κόψουμε όλη την Public πρόσβαση στις MySQL & PostgreSQL και να επιτρέψουμε μόνο πρόσβαση απο το εσωτερικό μας δίκτυο. Φυσικά μπορεί να οριστεί συγκεκριμένο Subnet ή Subnets. Επίσης δεν υπαρχει επιπλέων χρέωση για την χρήση των Service Endpoint.
     

    Περισσότερα μπορείτε να δείτε στο Microsoft Azure Blog: Announcing VNet service endpoints general availability for MySQL and PostgreSQL
  25. proximagr
    Azure Policy | Limit the Azure VM Sizes Azure Governance
    This post, Azure Policy, is the first of a series of posts about Azure Governance. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc. Azure Policy
    Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment. Limit the Azure VM Sizes
    In this fist post we will go through a simple policy, the “Allowed virtual machine SKUs”. With this policy you can control what Azure VM series and sizes are permitted for deployment. You can apply this policy to a whole Management group, to a Subscription or to a single Resource Group. Step by Step Guide
    Open the Azure portal, https://portal.azure.com, and login with your account. At the top search box write “policy”. From the search results select the “policy”.

    At the Policy screen, select the “Definitions”. To create and apply a policy we need to start from a Policy Definition.

    At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. At the Category drop down menu, deselect everything and select only the “Compute”. Press the “Allowed virtual machine SKUs” definition.

    The “Allowed virtual machine SKUs” definition will open. Here we can see the code beneath the definition. It is written in json format. If we want to make changes at the definition we must first press “Duplicate definition”. This will create a copy of the definition. Then we can open the definition duplicatie and press “Edit definition. We will cover this at a future post.
    To select the VM sizes, the scope and apply the definition, press “Assign”
    Set the scope
    At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots.

    For scope, we can select a whole Management group, a whole subscription or a single Resource Group.
    Select the Azure VM SKUs
    After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow.

    At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2.
    We can change the “Assignment Name” to easily find the specific assignment at the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs”
    The next step is the “Managed Identity”. Managed identity creates an Azure AD Identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it is doesn’t exists.
    We don’t need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”.

    A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope.

    Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope.
    Test the policy
    To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM.

    And the error details: “disallowed by policy”

    You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/
×
×
  • Create New...