Blog Entries posted by proximagr

  1. proximagr
    The exchangeserverpro.com site has the excellent articles below:
    to create the certificate request,
    to complete the pending request,
    and to enable it.
    The post Exchange 2013 Add public certificate and enable it appeared first on Proxima's IT Corner.

    <a href="http://www.e-apostolidis.gr/microsoft/exchange/exchange-2013-add-public-certificate-enable/" class='bbc_url' rel='nofollow external'>Source</a>
  2. proximagr
    Validate Azure Resource Move with Postman
    In this post we will see how easily we can move Azure resources to new resource groups or subscriptions, and how we can validate whether the Azure resources are eligible to move without initiating the move.
    Move Azure Resources to new resource groups or subscriptions
    Azure Resource Manager allows you to easily move resources to new resource groups or subscriptions. It is a pretty simple process. From the Azure Portal, open a Resource Group and from the top options click Move. You can select whether you want to move to another resource group or subscription.

    On the next page select the resources you want to move and click OK. Once you click OK, Azure Resource Manager starts to validate the move request: it checks whether the selected resources are eligible to move and whether they have any dependencies that would cause the move to fail.

    After the validation, if it is successful, the resource move starts. There is no option in the portal to just validate the move request without starting the move.
    Validate Resource Move with Postman
    To validate the resource move you need to use POST/GET operations. The document https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources#validate-move describes the parameters we must use to validate whether the resources are eligible to move. To validate, we need to send a request to a URI with an Authorization token. A free and easy application to help us with the POST/GET requests is Postman. You can download the latest release from this link: https://www.getpostman.com/downloads/
    Download and install Postman and open the application. We need to perform a POST request to ask ARM whether the specific resources are eligible to move, and then a GET request to view ARM's response.

    In Postman select POST and as the request URL enter:
    https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{sourceResourceGroupName}/validateMoveResources?api-version=2019-05-01
    My test case URL:
    https://management.azure.com/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/validateMoveResources?api-version=2019-05-01
    Then at the Body tab select raw -> JSON and paste the request:
    { "resources": ["<resource-id-1>", "<resource-id-2>"], "targetResourceGroup": "/subscriptions/<subscription-id>/resourceGroups/<target-group>" }
    In my example I want to validate two resources, the devrg VM and its managed disk, so I entered:
    {
    "resources": ["/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/providers/Microsoft.Compute/virtualMachines/devrgvm", "/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/DEVRG/providers/Microsoft.Compute/disks/devrgvm_OsDisk_1_5da9dad62662418b9bb3f02496e88604"],
    "targetResourceGroup": "/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/target"
    }
    Create Authorization Token
    Finally we need an authorization token to access the ARM API. At the Azure Portal open the Cloud Shell by clicking the icon at the top right menu bar.

    Enter the below command to create a service principal in Azure Active Directory:
    az ad sp create-for-rbac -n "my-access-app"
    The output will be as the below screenshot:

    You will get the application ID, URL, tenant ID and password. Next, in Postman press the + button to create a new tab.

    In Postman's new tab create a new POST request and enter:
    https://login.microsoftonline.com/{{tenantId}}/oauth2/token
    My test:
    https://login.microsoftonline.com/85ed7d07-ffa3-44da-a22a-38c51ba14d0e/oauth2/token
    Then at the Body tab select "x-www-form-urlencoded" and enter the following keys and values:
    grant_type: client_credentials
    client_id: the appId of the access app
    client_secret: the password of the access app
    resource: https://management.azure.com
    My test:

    Once you press "Send" it will return the "access_token". This is the Bearer token for the Authorization header needed for the resource move validation.
    Send the validation request
    Back at the first tab of Postman, where we are preparing the move validation POST request, select "Authorization", at the TYPE select "Bearer Token" and at the Token field paste the "access_token" from above. Then press "Send".

    If all the details are correct, it will return a status of "202 Accepted". This means that ARM has started the validation. Copy the "Location" header value because we will need it below.

    The next step is to create a GET request to view the validation result. The GET request consists of the Location URL and the Authorization token. As before, open a new tab in Postman, select GET, paste the "Location" URL as the request URL, at the TYPE select "Bearer Token" and at the Token field enter the "access_token".
    Receive the validation results
    Press Enter to GET the validation results. If the move operation validates successfully, you receive the 204 status code and nothing in the Body.
    If the move validation fails, you receive an error message like the one below. In my example the validation failed. The error message explains what caused the failure: in my example the VM is being backed up, so the disks have restore points. The message also gives us a link to check for more information.
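    The Postman steps above (token request, validateMoveResources POST, GET on the Location URL) as one script, added here as an example rather than taken from the original post; it uses only the Python standard library, the subscription, tenant and service principal values are placeholders you supply, and the http argument exists so the exchange can be swapped for a fake when testing offline.

```python
"""Validate an Azure resource move via the ARM REST API, mirroring the Postman steps."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

ARM = "https://management.azure.com"
API_VERSION = "2019-05-01"          # the api-version used in the post


@dataclass
class HttpResponse:
    status: int
    headers: dict
    body: bytes


def http_via_urllib(method, url, headers=None, body=None):
    """Default transport (stdlib only); returns a response object even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return HttpResponse(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return HttpResponse(err.code, dict(err.headers), err.read())


def header(headers, name):
    """Case-insensitive header lookup (ARM sends 'Location' and 'Retry-After')."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request for the service principal (the form keys
    from the post). The secret is a credential: load it from an env var or vault."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": ARM,
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, form


def validate_request(subscription_id, source_rg, resource_ids, target_rg_id, token):
    """The validateMoveResources POST: URL, headers and JSON body."""
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{source_rg}"
           f"/validateMoveResources?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"resources": list(resource_ids),
                       "targetResourceGroup": target_rg_id}).encode()
    return url, headers, body


def interpret_result(resp):
    """Map an ARM response to (verdict, detail): 204 = eligible, 202 = still
    validating, anything else = not eligible, with ARM's error code and message."""
    if resp.status == 204:
        return "eligible", ""
    if resp.status == 202:
        return "pending", ""
    try:
        data = json.loads(resp.body or b"{}")
        err = data.get("error", {}) if isinstance(data, dict) else {}
        detail = f"{err.get('code', '')}: {err.get('message', '')}"
    except ValueError:                         # non-JSON body (HTML error page etc.)
        detail = resp.body.decode(errors="replace")
    return "not-eligible", detail


def validate_move(subscription_id, source_rg, resource_ids, target_rg_id,
                  tenant_id, client_id, client_secret,
                  http=http_via_urllib, sleep=time.sleep, max_polls=20):
    """Token -> POST validateMoveResources -> GET the Location URL until a verdict."""
    url, headers, form = token_request(tenant_id, client_id, client_secret)
    tok = http("POST", url, headers, form)
    if tok.status != 200:
        return "auth-failed", tok.body.decode(errors="replace")
    token = json.loads(tok.body)["access_token"]

    url, headers, body = validate_request(subscription_id, source_rg,
                                          resource_ids, target_rg_id, token)
    started = http("POST", url, headers, body)
    if started.status != 202:                  # bad body, expired token, missing rights ...
        return interpret_result(started)
    location = header(started.headers, "Location")

    for _ in range(max_polls):                 # 202 means "still validating": poll again
        poll = http("GET", location, {"Authorization": f"Bearer {token}"}, None)
        verdict, detail = interpret_result(poll)
        if verdict != "pending":
            return verdict, detail
        sleep(int(header(poll.headers, "Retry-After") or 15))
    return "timeout", location
```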

  3. proximagr
    A simple way to test whether the Exchange server is processing emails is by using telnet & SMTP commands. First open a telnet client. The simplest is to open a Command Prompt and type "telnet yourexchangeserver 25" and press Enter. The Command Prompt will start the telnet client and try to connect to the mail […]
    The post Test Exchange mail submission using SMTP commands appeared first on Proxima's IT Corner.


    Source
  4. proximagr
    Add multiple managed disks to Azure RM VM
    In this post I have created a PowerShell script to help add multiple managed disks to an Azure RM Virtual Machine.
    The script will prompt you to log in to an Azure RM account, then it will query the subscriptions and ask you to select the desired one. After that it will query the available VMs and prompt you to select the target VM from the VM list.
    At this point the script checks the OS disk and sets the storage type of the data disks to match. If you need a different storage type, see the comment at step 4, e.g. if the OS disk is Premium and you want Standard data disks.
    The next step is to ask for the disk size. You can check the sizes and billing here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#pricing-and-billing
    Finally it will ask for the number of disks to create. After this input the script will create the disks, attach them to the VM and update it. The Script:

    # 1. Log in to the Azure RM account
    Login-AzureRmAccount

    # 2. Query the subscriptions the login account has access to and prompt the user to select the target subscription from the grid view
    $subscription = Get-AzureRmSubscription | Out-GridView -Title "Select a Subscription" -PassThru
    Select-AzureRmSubscription -SubscriptionId $subscription.Id

    # 3. Query the available VMs and prompt the user to select the target VM from the VM list
    $vm = Get-AzureRmVM | Out-GridView -Title "Select the Virtual Machine to add Data Disks to" -PassThru

    # 4. The storage type is taken from the OS disk. To specify something else, change this to e.g. $storageType = "StandardLRS" or "PremiumLRS"
    $storageType = $vm.StorageProfile.OsDisk.ManagedDisk.StorageAccountType

    # 5. Prompt for the disk size, in GB (Read-Host returns a string, so cast it)
    $diskSizeInGB = [int](Read-Host "Enter Size for each Data Disk in GB")
    $diskConfig = New-AzureRmDiskConfig -AccountType $storageType -Location $vm.Location -CreateOption Empty -DiskSizeGB $diskSizeInGB

    # 6. Enter how many data disks you need to create
    $diskQuantity = [int](Read-Host "How many disks do you need to create?")

    for ($i = 1; $i -le $diskQuantity; $i++)
    {
        $diskName = $vm.Name + "-DataDisk-" + $i.ToString()
        $dataDisk = New-AzureRmDisk -DiskName $diskName -Disk $diskConfig -ResourceGroupName $vm.ResourceGroupName
        # Pick the lowest free LUN so the script also works on a VM that already has data disks
        $usedLuns = @($vm.StorageProfile.DataDisks | ForEach-Object { $_.Lun })
        $lun = 0
        while ($usedLuns -contains $lun) { $lun++ }
        Add-AzureRmVMDataDisk -VM $vm -Name $diskName -CreateOption Attach -ManagedDiskId $dataDisk.Id -Lun $lun
    }

    # Apply the new disk attachments to the VM
    Update-AzureRmVM -VM $vm -ResourceGroupName $vm.ResourceGroupName
    You can download the script from here: AddManagedDisks
  5. proximagr
    Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM
    With the new Dv3 and Ev3 VM sizes Microsoft has released Nested Virtualization, meaning you can simply have a Hyper-V VM inside an Azure VM. In this post I test the Nested Virtualization functionality by creating a Hyper-V VM inside an Azure VM with network and Internet connectivity.
    Let's get started. First of all we will need a Dv3 or Ev3 VM, and for best Nested Virtualization performance use SSD Managed Disks. I created a D4s_v3 Standard (4 cores, 16GB RAM, SSD managed disks) and attached a 1023GB SSD data disk for performance.

    Now remote desktop to the VM to add the Hyper-V role. From Server Manager, Add Roles and Features, and add the Hyper-V role.

    Since this is a one-NIC VM, select the NIC to create the Virtual Switch.

    Change the default store location to the SSD data disk, in this case the E: drive.

    Finally wait for the installation to complete and reboot the VM. After the VM reboots, Remote Desktop and open the Hyper-V manager. Now we have Hyper-V inside an Azure VM.

    Let's create a VM. You can download a trial Windows Server 2016 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016 or use your subscription (MSDN, EA, etc.).
    I created a VM called NestedVM01, with 4GB RAM, using the trial Windows Server 2016 ISO.

    After the VM creation setup the Windows Server 2016 with all defaults and login.

    The first thing to notice is that the network interface does not have a valid IP address, since Microsoft Azure will not provide one. In order for the Nested VM to have network connectivity we need to use NAT.
    First change the Virtual Switch to “Internal network”.

    At the host's network interfaces, open the vEthernet NIC and add a static IP, only IP & mask.

    Now we will need PowerShell, since we cannot configure NAT from the GUI.
    Open PowerShell (still on the host Azure VM) and run:
    New-NetNat -Name NVMNat -InternalIPInterfaceAddressPrefix 192.168.168.0/24
    The result:

    After that we can give the Nested VMs IPs from the 192.168.168.0/24 range. So log in to the Nested VM and add an IP from the range, and for Default Gateway add the host's IP.
    For DNS add your AD DNS or a Public DNS server just to have internet.

    Now from the Nested VM you can ping the Host:

    And also browse the Internet:

    Stay tuned: in my next post we will see how to make the Nested VM a web server, a hidden web server in a VM inside an Azure VM!
    Of course this feature opens the door to many more things to test, like Hyper-V Replica, Containers, etc., which we will see in future posts.
    The post Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM appeared first on Apostolidis IT Corner.


    Source
  6. proximagr
    Azure Update Management
    Have you checked the update management system for your Azure and on-premises servers? It supports both Windows and Linux operating systems, and it is completely free! Please find the full list of supported operating systems and prerequisites here: https://docs.microsoft.com/en-us/azure/operations-management-suite/oms-solution-update-management#prerequisites.
    Let's get started. The easiest way is to start from an Azure VM. Go to the VM's blade and find “Update management”. You will see a notification that the solution is not enabled.

    Click the notification and the “Update Management” blade will open. “Update Management” is an OMS solution, so you will need a “Log Analytics” workspace; you can use the Free tier. If you don't have a Log Analytics workspace the wizard will create a default one for you. It will also create an Automation Account. Pressing Enable will enable the “Update Management” solution.

    After about 15 minutes, at the “Update Management” section of the VM you will see the report of the VM’s updates.

    After that process the Automation Account is created and we can browse to the “Automation Accounts” service at the Azure Portal. There click the newly created Automation Account and scroll to the “Update Management” section. There we can see a full report of all VMs that we will add to the Update Management solution. To add more Azure VMs simply click the “Add Azure VM” button.

    The Virtual Machines blade will open and will list all Virtual Machines at the tenant. Select each VM and press Enable.

    After all required VMs are added to the Update Management solution, click the “Schedule update deployment” button. There we select the OS type of the deployment, the list of computers to update, what type of updates to deploy and the schedule. More or less this is familiar to anyone who has worked with WSUS.

    Press the “Computers to Update” to select the Azure VMs for this deployment from the list of all VMs enabled.

    Then select what types of updates to deploy.

    If you want to exclude any specific update you can add the KB number at the “Excluded updates” blade.

    And finally select the schedule that the update deployment will run.

    Back to the “Update Management” blade, as we already said, we have a complete update monitoring of all Virtual Machines that are part of the “Update Management” solution.

    You can also go to the “Log Analytics” workspace and open the “OMS Portal”.

    There, among others, you will see the newly added “System Update Assessment” solution,

    and have full monitoring and reporting of the updates of your whole environment.
    The post Azure Update Management appeared first on Apostolidis IT Corner.


    Source
  7. proximagr
    Protect your Web App using Azure Application Gateway Web Application Firewall
    A Web Application Firewall was always a big investment for a small or growing company, as most of the top-branded vendors charge a lot of money. A Web Application Firewall protects your application from common web vulnerabilities and exploits like SQL injection or cross-site scripting. Azure provides an enterprise-grade Web Application Firewall through the Application Gateway. It comes in two pricing models, Medium and Large. More about sizes and instances you can find here, and more about pricing here.
    We can add the Application Gateway Web Application Firewall to protect our Azure Web App (PaaS) and a web application inside a VM's web server (IaaS). In this post we will see how to protect both.

    One difference in fully protecting the Azure Web App (PaaS) is that we create an App Service Environment with an internal VIP to host the Web App, in order to hide it inside a VNET. First things first, create a VNET with one subnet for the Application Gateway WAF.
    App Service Environment
    After the VNET, create the App Service Environment from the Azure Portal: New –> App Service Environment and select VIP Type “Internal”. Add it to the VNET created before and create a subnet for the ASE. You need to be patient here because the deployment will take more than an hour, almost two.
    Web App
    As soon as the App Service Environment is ready we can create our Web App. Create a Web App from the Azure Portal with one difference: for the App Service Plan location, instead of selecting a Region, select the App Service Environment.

    As you realize, the Web App resides in the internal VNET with no access from the Internet. So, in order to access the application at this point we need a VM (a small one, just to test and deploy our application). Create a small VM and add it to this VNET. One small detail: in order to browse to the site's URL we need to use the FQDN, in our case papwaf3app.funniest.gr, so we need an entry in the VM's hosts file. This way we can access the newborn Web App.
    Web Application Firewall
    Let's create the secure public entry point for our Web App. Create an Application Gateway, select the WAF tier, select the required SKU, add it to the WAF subnet we created before, select Public IP configuration and WAF enabled.


    When the Application Gateway is ready we need to do some configuration. First, at the Backend pools, open the default backend pool and add the Internal Load Balancer IP address of the ASE as target.

    Then add a health probe. For Host, add the FQDN of the Web App.

    At the HTTP settings check “Use custom probe” and select the previously created probe.

    And that's all. Now we can try our Web App from the Internet. To do so we browse to the Web App's URL, which is now published by the Application Gateway. So we need to create a public DNS record pointing the FQDN to the Application Gateway's FQDN; in this case we need to create a CNAME papwaf3app.funniest.gr pointing to 8b0510c1-47e9-4b94-a0ff-af92e4455840.cloudapp.net. To test the app right now we can just add a hosts file entry on our computer pointing to the public IP address of the Application Gateway, and we can access the Web App behind the WAF.

    Logging
    To see the Application Gateway and Web Application Firewall logs we need to turn on diagnostics. The easiest way to view the logs is to send them to Log Analytics (OMS).



    With the firewall in “Detection” mode, if we try a SQL injection (?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )–), the Web App still serves the landing page.

    By switching the firewall to “Prevention” mode, the same SQL injection attack is stopped by the WAF before it reaches our Web App.
    Protect an IaaS Web Application
    To add a web application that runs inside a VM behind the Application Gateway Web Application Firewall, first add the VM as a backend pool. Create a new backend pool, select “Virtual Machine” and select the virtual machine that runs the web application.

    Then create a new probe with the URL of the web application, and add HTTP settings that use the newly created probe “vmsite” as the custom probe.

    The next step is to create two multi-site listeners, one for each host name.

    After the listeners, add a Basic rule using the listener, backend pool and HTTP settings we created for the VM web application.

    One extra step is to change the default rule1 to use the Web App listener.

    Finally, the Application Gateway Web Application Firewall provides secure access to both the Web App (PaaS) and the VM web application (IaaS).

    The post Protect your Web App using Azure Application Gateway Web Application Firewall appeared first on Apostolidis IT Corner.


    Source
  8. proximagr
    <h1>Govern your Azure environment</h1>
    <p>It was a day full of Microsoft Azure and technology, from both IT Pro & Dev perspective. A sunny day at Athens, with a lot of fun. For sure we had a great time!</p>
    <p>You can download my Athens Azure Bootcamp 2019 presentation, Govern your Azure environment, from this <a href="https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD">link</a>:<a href="https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD">https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD</a></p>
    <p>Please find the demos of my presentation at the <a href="https://www.e-apostolidis.gr/videos/">Videos</a> page: <a href="https://www.e-apostolidis.gr/videos/">https://www.e-apostolidis.gr/videos/</a></p>
    <p>Standardize & enforce your company’s Azure Resources configuration, for regulatory compliance, cost control, security & design consistency.</p>
    <p id="UWhJgpl"><img class="alignnone wp-image-2775 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/07/img_5d3de3d139c49.png" alt="aab" width="1188" height="665" /></p>
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/">Govern your Azure environment</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/govern-your-azure-environment/" class='bbc_url' rel='nofollow external'>Source</a>
  9. proximagr
    <h1>Azure Private Link | Private connection to Azure PaaS</h1>
    <p>Azure Private Link is a new service, currently in Preview, that provides private connectivity from a virtual network, or from an on-premises network with a Site-to-Site VPN, to Azure platform as a service (PaaS) Microsoft services. Azure Private Link simplifies networking, improving security and eliminating the need for public access.</p>
    <p id="nAIxogs"><img class="alignnone size-full wp-image-2844 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8145c21e8f8.png" alt="" /></p>
    <p><span style="font-size: 12px;">image from: <a href="https://azure.microsoft.com/en-us/services/private-link/">https://azure.microsoft.com/en-us/services/private-link/</a></span></p>
    <p>Azure Private Link is a service mapped to Azure Virtual Networks through a private endpoint. This means that all traffic is routed internally, using private IPs and connectivity, eliminating exposure to threats. Using Private Link helps an organization meet compliance standards.</p>
    <p>Azure Private Link is a global service. It does not have regional restrictions. You can connect privately to services from all the Azure regions around the globe.</p>
    <h2>Let’s Lab It!</h2>
    <p>Let’s see in practice how we can connect from an Azure VM, and from our on-premises computer over VPN, to an Azure SQL Database using private IPs. For the lab I already have a virtual machine running Windows Server 2019 and an Azure SQL Database. The SQL Database is not connected to any network.</p>
    <p>Open the Azure Portal, press New, search for “Private Link”, select it and press “Create”.</p>
    <p id="wWRgRfz"><img class="alignnone size-full wp-image-2824 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812bccdb08c.png" alt="" /></p>
    <p>A nice “Getting started” page will open. Click “Build a private connection to a service”.</p>
    <p id="YGbIKKC"><img class="alignnone size-full wp-image-2825 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812c222bb50.png" alt="" /></p>
    <p id="hySxSQb"><img class="alignnone size-full wp-image-2826 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d812c2e18651.png" alt="" /></p>
    <p>The “Create a private endpoint” wizard will open. Select a name for the Private Link and a region, and press Next to go to the second step.</p>
    <p id="vCwjsPb"><img class="alignnone size-full wp-image-2832 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8130185f27f.png" alt="" /></p>
    <p>At the second step, select to connect to an Azure resource in my directory, and select the subscription where the Azure SQL Database resides. Then select the SQL Server.</p>
    <p id="qmxqrJF"><img class="alignnone size-full wp-image-2833 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81303297eff.png" alt="" /></p>
    <p>At the third step, select the Virtual Network in which the Private Link will be created. I selected the network where my virtual machine resides. If you don’t have your own DNS server, select Yes to create an Azure private DNS zone.</p>
    <p id="nfoqivE"><img class="alignnone size-full wp-image-2835 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813077e1d38.png" alt="" /></p>
    <p>At the final step, review the settings and create the Private Link.</p>
    <p id="lHsjjBi"><img class="alignnone size-full wp-image-2836 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81309adc037.png" alt="" /></p>
    <p>After the resource creation, you can check the DNS for the Azure SQL Server private IP address!</p>
    <p id="cSPyGGM"><img class="alignnone size-full wp-image-2837 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d81317ff3814.png" alt="" /></p>
    <p>And at the SQL Server, at the “Private endpoint connections” section, you will see the new Private Link.</p>
    <p id="YnyPGra"><img class="alignnone size-full wp-image-2839 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8132886dbdc.png" alt="" /></p>
    <p>Open a Remote Desktop connection to the Azure VM and run an nslookup for the SQL Server name. In my case the command is:</p>
    <p>PS C:\> nslookup plsqlsrv.database.windows.net<br />Server: UnKnown<br />Address: 168.63.129.16</p>
    <p>Non-authoritative answer:<br />Name: plsqlsrv.privatelink.database.windows.net<br />Address: 10.0.2.5<br />Aliases: plsqlsrv.database.windows.net</p>
    <p id="zdWsPaP"><img class="alignnone size-full wp-image-2838 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8131e47f882.png" alt="" /></p>
    <p>And it returned the private IP address of the SQL Server.</p>
    <p>From my computer, I tried to connect to the Azure SQL Server using the name plsqlsrv.database.windows.net and the connection failed, since my public IP address is not allowed to access the server.</p>
    <p id="YMuBmUq"><img class="alignnone size-full wp-image-2840 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813f72173a6.png" alt="" /></p>
    <p>From the Azure VM I managed to connect successfully, and of course internally!</p>
    <p id="nVbBsVv"><img class="alignnone size-full wp-image-2841 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d813fab7a6a1.png" alt="" /></p>
    <p>After that, I added a Virtual Network Gateway to the network and created a Point-to-Site VPN connection from my local computer to Azure. You can check my guide on how to do this: <a href="https://www.e-apostolidis.gr/microsoft/azure-start-point-point-to-site-vpn/" target="_blank" rel="noopener noreferrer">https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-point-to-site-vpn/</a></p>
    <p>In order to connect to the Azure SQL Server over the VPN you need to either use a local DNS server to map the SQL Server name to the Azure SQL private IP, or add an entry to the local hosts file for testing.</p>
    <p id="VbhUQVD"><img class="alignnone size-full wp-image-2849 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8150b51c2d2.png" alt="" /></p>
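    <p>An added check, not part of the original post: it parses nslookup output like the one shown above and confirms that the name resolves through the privatelink zone to a private address, so a client can tell the private endpoint apart from the public one. The host name and zone follow the post's Azure SQL example; the sample outputs in the test are constructed.</p>

```python
"""Confirm that a PaaS host name resolves through the privatelink zone to a private IP."""
import ipaddress

PRIVATELINK_ZONE = ".privatelink.database.windows.net"   # Azure SQL zone, as in the post


def is_ip(text):
    """True when text is a bare IPv4/IPv6 literal (a continuation line of 'Addresses:')."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_nslookup(text):
    """Parse Windows nslookup output into the answer name, addresses and aliases.
    The DNS server's own 'Address:' line (before the answer) is skipped."""
    result = {"name": None, "addresses": [], "aliases": []}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if is_ip(line):                        # continuation line of 'Addresses:'
            if in_answer:
                result["addresses"].append(line)
            continue
        key, _, value = line.partition(":")    # first colon only: IPv6 values keep theirs
        key, value = key.strip().lower(), value.strip()
        if key == "non-authoritative answer":
            in_answer = True
        elif key == "name":                    # authoritative answers have no banner
            in_answer = True
            result["name"] = value
        elif key in ("address", "addresses") and in_answer:
            result["addresses"].extend(value.split())
        elif key == "aliases":
            result["aliases"].extend(value.split())
    return result


def resolves_privately(nslookup_text, expected_host):
    """(ok, reason): ok only if expected_host is in the CNAME chain, the chain passes
    through the privatelink zone and every returned address is a private one."""
    r = parse_nslookup(nslookup_text)
    chain = [n.lower().rstrip(".") for n in [r["name"] or ""] + r["aliases"]]
    host = expected_host.lower().rstrip(".")
    if host not in chain:
        return False, f"answer {chain} does not cover {host}"
    if not any(n.endswith(PRIVATELINK_ZONE) for n in chain):
        return False, "no privatelink record in the chain: public endpoint in use"
    public = [a for a in r["addresses"] if not ipaddress.ip_address(a).is_private]
    if public or not r["addresses"]:
        return False, f"public or missing addresses: {public}"
    return True, f"{host} -> {r['name']} -> {r['addresses']}"
```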
    <h2>Conclusion</h2>
    <p>Azure Private Link is in Preview and currently supports Azure SQL Database and Storage accounts. Additional services are coming to preview in the next 3-6 months:</p>
    <ul>
    <li>Cosmos DB</li>
    <li>App Service VNet Integration + App Service Environment</li>
    <li>Azure Kubernetes Service</li>
    <li>Azure Key Vault</li>
    <li>PostgreSQL</li>
    <li>MySQL</li>
    <li>Maria DB</li>
    </ul>
    <p>Source:</p>
    <p><a href="https://azure.microsoft.com/en-us/services/private-link/">https://azure.microsoft.com/en-us/services/private-link/</a></p>
    <p><a href="https://azure.microsoft.com/en-au/blog/announcing-azure-private-link/">https://azure.microsoft.com/en-au/blog/announcing-azure-private-link/</a></p>
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-private-link-private-connection-to-azure-paas/">Azure Private Link | Private connection to Azure PaaS</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-private-link-private-connection-to-azure-paas/" class='bbc_url' rel='nofollow external'>Source</a>
  10. proximagr
    Thank you all for participating in my session today at Athens Azure Bootcamp, about how to protect your data with a modern backup, archive and disaster recovery solution.

    Bad things happen, even to good people. Protect yourself and avoid costly business interruptions by implementing a modern backup, archive and disaster recovery strategy. See how you can securely extend your on-premises backup storage and data archive solutions to the cloud to reduce cost and complexity, while achieving efficiency and scalability. Be ready with a business continuity plan that includes disaster recovery of all your major IT systems without the expense of secondary infrastructure. You will leave this session with a set of recommended architectures showing how to implement a modern backup, archive and disaster recovery solution and an understanding of how to quickly get something in place in your organization.

    PANTELIS APOSTOLIDIS

    You can download my presentation from this link: https://1drv.ms/p/s!AvpafHi49lqjgdd4ixVWNS6nqZIZSw
  11. proximagr
    This is not one of my usual posts. I just want to share the experience of a clean installation of Exchange 2016, for anyone who wants to build a lab and practice. For my own lab I used a Windows Server 2016 TP3, which is the Domain Controller and DNS server for the domain mylab.lab. The installation of the […]
    The post Microsoft Exchange 2016 | From 0 to the 1st email appeared first on Proxima's IT Corner.


    Source
  12. proximagr
    Microsoft Azure Nested Virtualization | Hyper-V Replica on Azure
    After my Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post on how to create a Nested VM inside an Azure VM, I am following with how to have Hyper-V Replica on Azure.
    To accomplish this we will use the Azure VM and the Nested VM from the Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post. The first step is to create an identical pair of Azure VM and Nested VM to use as the replica server. The only requirement is that the two Azure VMs have network connectivity, so you can also run Hyper-V Replica between two Azure VMs in different Azure Regions over a VPN.
    Next, on both Azure VMs open port 443 at both the NSG and the Windows Firewall. For more security, restrict the Source of the rule to the Public IP of the peer VM instead of opening 443 to the whole Internet.
    Since the VMs are not part of a domain we cannot use Kerberos, so we need certificate-based authentication for Hyper-V Replica. We will use the New-SelfSignedCertificate command to create the certificates.
    The certificate process
    First we need to create a root CA certificate, so login at the first host and run:
    New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=myazurerootca" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "Signature" -KeyUsage "CertSign"

    Next, using the certificate Thumbprint of the root CA certificate, create two server certificates, one for each Azure VM. To accomplish this run:
    New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=anothertestvm" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:\LocalMachine\My\6A7196D9759FC2F7C49D62E08FA7195310DE5EB7" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

    New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=anothertestvm2" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:\LocalMachine\My\6A7196D9759FC2F7C49D62E08FA7195310DE5EB7" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

    The next step is to open the Certificates mmc (Local Computer) and at the Personal container you will find the three certificates created above.

    Right click each certificate and Export it, including the Private key, to a folder

    Copy the certificates to the second Azure VM and import them. The root CA certificate needs to be imported into Trusted Root Certification Authorities and the other two into Personal (or just use automatic placement). Only the root's public certificate (.cer) is needed on the second host to validate the chain; its private key does not have to leave the first VM.

    Finally, because the self-signed root CA publishes no CRL, we need to disable the certificate revocation check for Replication on both Azure VMs, otherwise the chain validation fails. This is acceptable for a lab; with a real CA you would keep the check on. Run the following command on both Azure VMs:
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
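    The certificate steps above as one script, added here as an example and not part of the original post. It issues the server certificates directly from the root certificate object instead of pasting a thumbprint, exports what the second host needs, verifies that each certificate chains to the root and carries both EKUs, and writes the same registry value. The export folder, the PFX password prompt and the five/two year lifetimes are assumptions; the host names are the ones used in the post.

```powershell
# Added example (not from the original post): issue the Hyper-V Replica certificates on
# the first Azure VM, export them for the second VM, and apply the revocation-check value.
# Assumptions: host names "anothertestvm" and "anothertestvm2" (as in the post),
# export folder C:\ReplicaCerts, PFX password entered at the prompt.

$ErrorActionPreference = 'Stop'
$ExportDir   = 'C:\ReplicaCerts'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Self-signed root CA. KeyUsage CertSign is what lets it sign the server certificates.
$rootCa = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable `
    -Subject 'CN=myazurerootca' -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeySpec Signature -KeyUsage CertSign -NotAfter (Get-Date).AddYears(5)

# 2. One server certificate per replica host, signed by the root object (no thumbprint copy/paste).
#    EKU 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication;
#    both are needed because each host acts as TLS client and server during replication.
$hosts = 'anothertestvm', 'anothertestvm2'
$serverCerts = foreach ($h in $hosts) {
    New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable `
        -Subject "CN=$h" -DnsName $h -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeySpec KeyExchange -Signer $rootCa `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
        -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
        -NotAfter (Get-Date).AddYears(2)
}

# 3. Trust the root on this host as well, otherwise the chain check below fails here too.
Export-Certificate -Cert $rootCa -FilePath "$ExportDir\myazurerootca.cer" | Out-Null
Import-Certificate -FilePath "$ExportDir\myazurerootca.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Export for the second host: root as public-only .cer, server certs as password-protected .pfx.
foreach ($c in $serverCerts) {
    $name = $c.Subject -replace '^CN=', ''
    Export-PfxCertificate -Cert $c -FilePath "$ExportDir\$name.pfx" -Password $PfxPassword | Out-Null
}

# 5. Sanity check: each server certificate must chain to the root and carry both EKUs.
foreach ($c in $serverCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the self-signed root publishes no CRL
    if (-not $chain.Build($c)) { throw "Chain build failed for $($c.Subject)" }
    $eku = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
    if ($eku -notcontains '1.3.6.1.5.5.7.3.1' -or $eku -notcontains '1.3.6.1.5.5.7.3.2') {
        throw "Missing EKU on $($c.Subject)"
    }
    '{0}  {1}' -f $c.Thumbprint, $c.Subject
}

# 6. Same registry value the post sets with REG ADD. Lab-only shortcut: Hyper-V would otherwise
#    try to check revocation and fail because the root has no CRL distribution point.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -Value 1 -Type DWord
```

    On the second VM, import myazurerootca.cer into Cert:\LocalMachine\Root with Import-Certificate and its own .pfx into Cert:\LocalMachine\My with Import-PfxCertificate, then run step 6 there as well.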
    The Hyper-V Replica process
    Let's start creating the Hyper-V Replica. Since Hyper-V Replica addresses the partner by computer name, and the name must match the CN of the partner's certificate, we need the hosts file to map the Public IPs to the computer names. So, on the first Azure VM, open an elevated Notepad, browse to "C:\Windows\System32\drivers\etc" and open the "hosts" file. Enter the Public IP of the second Azure VM followed by its computer name. Do the same on the second Azure VM.

    After saving the host file, go to the Hyper-V Settings, go to the “Replication Configuration” and check the “Enable this computer as a Replica Server”. Then check the “Use certificate-based Authentication (HTTPS)” and select the certificate created before. Finally check the “Allow replication from any authenticated servers” and press OK. Do this at both Azure VM Hyper-V Servers.

     
    Next go to the Hyper-V manager, right click the Nested VM and choose “Enable Replica”. Enter the name of the second Azure VM and select the certificate.
     

     
    I just used the defaults at all the next screens and finally press finish to enable the replication.

     
    Once the replication is enabled you will see the “Replication enabled successfully” message and the Status will change to “Sending Initial Replica”.

     
    After a very short period of time, the VM will complete the initial sync.
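    The same replication setup, this time with the Hyper-V PowerShell module rather than the GUI, as an added example that is not part of the original post. It also applies the firewall restriction suggested earlier (443 open only to the peer's public IP) and picks this host's certificate by subject, so it assumes the certificates from the certificate section are already installed. The peer IP, the nested VM name and the replica storage path are placeholders.

```powershell
# Added example (not from the original post): firewall rule, hosts entry and Hyper-V Replica
# settings. Run on BOTH Azure VMs with the peer's values; the last section only runs where
# the nested VM exists (the primary). Assumed values: peer public IP (TEST-NET-3 range),
# nested VM name "NestedVM", storage path C:\Replica.

param(
    [string]$LocalHostName = 'anothertestvm',
    [string]$PeerHostName  = 'anothertestvm2',
    [string]$PeerPublicIp  = '203.0.113.10',
    [string]$VMToReplicate = 'NestedVM'
)
$ErrorActionPreference = 'Stop'

# 1. Windows Firewall: 443 inbound, but only from the peer. Mirror this on the NSG (Source = peer IP).
New-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS (peer only)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -RemoteAddress $PeerPublicIp -Action Allow | Out-Null

# 2. hosts entry, idempotent: Replica resolves the partner by computer name.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern "\b$PeerHostName\b" -Quiet)) {
    Add-Content -Path $hostsFile -Value "$PeerPublicIp`t$PeerHostName"
}

# 3. This host's certificate, chosen by subject (CN must equal the computer name).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$LocalHostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$LocalHostName in LocalMachine\My" }

# 4. "Enable this computer as a Replica Server" with certificate (HTTPS) authentication on 443.
#    -ReplicationAllowedFromAnyServer mirrors the post's choice; the tighter option is an
#    explicit New-VMReplicationAuthorizationEntry for the peer only.
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateAuthenticationPort 443 `
    -CertificateThumbprint $cert.Thumbprint `
    -ReplicationAllowedFromAnyServer $true `
    -DefaultStorageLocation 'C:\Replica'

# 5. Primary only: "Enable Replica" on the nested VM, send the initial copy, show the state.
if (Get-VM -Name $VMToReplicate -ErrorAction SilentlyContinue) {
    Enable-VMReplication -VMName $VMToReplicate `
        -ReplicaServerName $PeerHostName -ReplicaServerPort 443 `
        -AuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint
    Start-VMInitialReplication -VMName $VMToReplicate
    Measure-VMReplication -VMName $VMToReplicate | Format-List VMName, State, Health
}
```

    Both hosts need step 4 so that a planned failover can reverse the replication direction later; the State column shows "Sending Initial Replica" until the first copy completes.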

    The post Microsoft Azure Nested Virtualization | Hyper-V Replica on Azure appeared first on Apostolidis IT Corner.


    Source
  13. proximagr
    Save 40% on Windows Azure VM made easy
    When creating a new Windows Azure VM you will notice a new selection at the Basics step: the Hybrid Use Benefit. Using this benefit you can save up to 40% on the cost of a Windows Azure VM by bringing your own license with Software Assurance. You just need a Windows Server Standard or Datacenter license with Software Assurance; it is not restricted to any specific licensing program and is available to all licenses with Software Assurance.
    At the final step, the Summary, you will see a notification about the Hybrid Use Benefit, explaining the limitations of the benefit, saying:
    “Each Windows Server with Software Assurance (either via each 16-Core license or two-processor license) is entitled to two instances of up to 8 cores, or one instance of up to 16 cores. Please always refer to your Windows Server license count with Software Assurance, your Hybrid Use Benefit entitlements, and your Hybrid Use Benefit deployments to use this benefit while maintaining compliance.“


    Once the Azure VM is ready and you log in, you will notice that the Operating System is not activated,

    so you need to press Activate Windows and enter your own key to activate the Azure VM.

    For more details visit the official page at https://azure.microsoft.com/en-us/pricing/hybrid-use-benefit/
  14. proximagr
    <h1>Azure Security Center</h1>
    <h2>Remediate security recommendations in 1 click</h2>
    <p>Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. Using advanced analytics, it helps you detect potentially malicious activity across your hybrid cloud workloads, and recommends potential remediation steps, which you can then evaluate, and take the necessary action.</p>
    <p id="DLQOMZB"><img class="alignnone size-full wp-image-2857 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8ddac95fb1a.png"alt="" /></p>
    <p>One of the main features of Azure Security Center is that it offers prioritized and actionable security recommendations, so you can remediate security vulnerabilities before they can be exploited by attackers. To simplify the remediation of security issues, Security Center now allows you to remediate a recommendation on multiple resources with a single click.</p>
    <ul>
    <li>Quick access to 1-click fix<br />The 1-click fix label is shown next to the recommendations that offer this faster remediation tool.</li>
    <li>Logging for transparency<br />All remediation actions are logged in the activity log.</li>
    </ul>
    <p id="cYAerXE"><img class="alignnone size-full wp-image-2858 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8ddaf03f635.png"alt="" /></p>
    <h2>How to use 1-click remediation</h2>
    <p>Look for the “1-click Fix !” Label at the recommendations!</p>
    <p id="aBGvMLk"><img class="alignnone size-full wp-image-2859 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8ddb125f8f2.png"alt="" /></p>
    <p>Once you click the “1-click Fix !” label, the recommendation information page will open. Select the affected resources and click Remediate.</p>
    <p id="ORTsWRv"><img class="alignnone size-full wp-image-2861 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8ddfea3fdaa.png"alt="" /></p>
    <p>A final window will open that informs you about the action that will be performed and what it will affect. Check the information and, if you agree, click the final “Remediate” button.</p>
    <p id="NiZsHKi"><img class="alignnone size-full wp-image-2863 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/09/img_5d8de03500959.png"alt="" /></p>
    <h2>Current 1-click remediation availability</h2>
    <p>Remediation is available for the following recommendations in preview:</p>
    <ul>
    <li>Web Apps, Function Apps, and API Apps should only be accessible over HTTPS</li>
    <li>Remote debugging should be turned off for Function Apps, Web Apps, and API Apps</li>
    <li>CORS should not allow every resource to access your Function Apps, Web Apps, or API Apps</li>
    <li>Secure transfer to storage accounts should be enabled</li>
    <li>Transparent data encryption for Azure SQL Database should be enabled</li>
    <li>Monitoring agent should be installed on your virtual machines</li>
    <li>Diagnostic logs in Azure Key Vault and Azure Service Bus should be enabled</li>
    <li>Diagnostic logs in Service Bus should be enabled</li>
    <li>Vulnerability assessment should be enabled on your SQL servers</li>
    <li>Advanced data security should be enabled on your SQL servers</li>
    <li>Vulnerability assessment should be enabled on your SQL managed instances</li>
    <li>Advanced data security should be enabled on your SQL managed instances</li>
    </ul>
    <p>Single click remediation is part of Azure Security Center’s free tier.</p>
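    <p>To see what three of the fixes listed above actually change, here is an added example (not from the original post and not Security Center's own code) that audits the same settings with Az PowerShell and applies the identical change only when run with -Fix. The resource group, web app, storage account and SQL server/database names are placeholders.</p>

```powershell
# Added example (not from the original post, not Security Center's code): report, and with
# -Fix apply, the changes behind three 1-click recommendations. All names are placeholders.

param(
    [string]$ResourceGroup  = 'rg-demo',
    [string]$WebAppName     = 'prowebdev',
    [string]$StorageAccount = 'prostorage01',
    [string]$SqlServer      = 'prosql01',
    [string]$SqlDatabase    = 'prodb',
    [switch]$Fix                      # without -Fix the script only reports
)
$ErrorActionPreference = 'Stop'
$findings = @()

# "Web Apps, Function Apps, and API Apps should only be accessible over HTTPS"
$app = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName
if (-not $app.HttpsOnly) {
    $findings += "$WebAppName : HttpsOnly is off (plain HTTP is served instead of redirected)"
    if ($Fix) { Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName -HttpsOnly $true | Out-Null }
}

# "Secure transfer to storage accounts should be enabled"
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
if (-not $sa.EnableHttpsTrafficOnly) {
    $findings += "$StorageAccount : EnableHttpsTrafficOnly is off (REST over HTTP and unencrypted SMB are accepted)"
    if ($Fix) { Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount -EnableHttpsTrafficOnly $true | Out-Null }
}

# "Transparent data encryption for Azure SQL Database should be enabled"
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroup `
    -ServerName $SqlServer -DatabaseName $SqlDatabase
if ($tde.State -ne 'Enabled') {
    $findings += "$SqlServer/$SqlDatabase : TDE state is $($tde.State)"
    if ($Fix) {
        Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroup `
            -ServerName $SqlServer -DatabaseName $SqlDatabase -State Enabled | Out-Null
    }
}

if ($findings.Count -eq 0) { 'No findings for the three checks.' }
else {
    $findings
    if (-not $Fix) { 'Re-run with -Fix to apply the same changes the 1-click fix makes.' }
}
```

    <p>Like the portal's 1-click fix, these Set-* calls are ARM writes and show up in the Activity Log, which is where you audit who changed what.</p>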
    <p>Read more at: <a href="https://azure.microsoft.com/en-gb/blog/azure-security-center-single-click-remediation-and-azure-firewall-jit-support/">Azure Security Center single click remediation</a></p>
    <p>Sources:</p>
    <p><a href="https://azure.microsoft.com/en-us/updates/one-click-remediation-for-security-recommendations/">Azure Security Center: 1-click remediation for security recommendations is now available</a></p>
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/asc-remediate-security-recommendations-in-1-click/">ASC | Remediate security recommendations in 1 click</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/asc-remediate-security-recommendations-in-1-click/"class='bbc_url' rel='nofollow external'>Source</a>
  15. proximagr
    Azure Web Application Firewall (WAF) is a function of the Azure Application Gateway that detects and prevents exploits and attacks against a web application. Using a WAF we add an additional security layer in front of our application. For a sneak peek at the most common web application attacks, take a look at the OWASP Top 10 Most Critical Web Application Security Risks.
    At my previous posts we have seen how to Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. At this post I want to share some tips on how to configure the Azure Web Application Firewall.
    The Azure Web Application Firewall, like all WAFs, needs a detection period, the “training period”, in which it only logs what it would have blocked, so that you can tune it before switching to Prevention mode. The Azure Web Application Firewall uses the OWASP ModSecurity Core Rule Set (CRS); you can select version 2.2.9 or version 3.0. These rules include protection against attacks such as SQL injection, cross-site scripting and session hijacking.
    The configuration of the Azure Web Application Firewall has two parts. One part is the OWASP rules custom configuration, where we can check / uncheck the OWASP rules that the WAF will use to analyse the requests:
    and the second part is the Exclusions and the Request Size Limits:
    Let’s see how we can find out what to exclude and what to customize. Once you have set up the Azure Application Gateway and published your web application, turn on the Firewall in Detection mode. Enable the Diagnostic Logs, send them to Log Analytics and start using the web application. I have covered all those steps in my previous posts, Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. To make it more fun you can actually attack your own application using sample attacks, like the SQL Injection samples from https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) and the Cross-site Scripting (XSS) samples from https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Both links are OWASP testing resources.
    After a while run the query to check the Azure Web Application Firewall logs:

    AzureDiagnostics
    | where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall"
    | where TimeGenerated > ago(24h)
    | summarize count() by TimeGenerated, clientIp_s, ruleId_s, Message, details_message_s, requestUri_s, details_file_s, hostname_s
    You will get the below results:
    At the Message part of the Log you will see the kind of attack that the WAF has detected.
    In the ruleId_s column you can find the OWASP rule ID. With this information you can search for the Rule ID in the Advanced rule configuration and uncheck the specific rule. Of course, every rule you uncheck removes a control for every request, not just the one that produced the false positive. So I recommend first checking whether you can change your application to comply with the rule, and only if that is not possible dropping the rule.
    At the details_message_s column also you can find the matched pattern and configure the Exclusions
    Finally you can configure the request size limits according to your application
    Once you finalize your Azure Web Application Firewall configuration and the logs no longer show legitimate requests being matched, change it to “Prevention” mode to start protecting your web application.
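    The tuning loop above as a script, added here as an example and not part of the original post: it runs the same AzureDiagnostics query from PowerShell, aggregated per rule so the noisy ones come first, and then applies a tuning decision with Az.Network instead of the portal. The workspace ID, resource group, the exclusion selector and the disabled rule (942100 in the CRS 3.0 SQLi group) are assumed values to replace with your own findings.

```powershell
# Added example (not from the original post): rank the WAF rules that fired in the last N
# hours, then add an exclusion and/or disable a rule on the Application Gateway.
# Assumed values: workspace ID, resource group, exclusion selector, disabled rule/group.

param(
    [string]$WorkspaceId   = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroup = 'rg-waf',
    [string]$GatewayName   = 'PROWAF',
    [int]$LookbackHours    = 24
)
$ErrorActionPreference = 'Stop'

# 1. Same data the post queries, summarized per rule with one sample URI and message each.
$kql = @"
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayFirewall"
| where Resource == "$GatewayName" and TimeGenerated > ago(${LookbackHours}h)
| summarize hits = count(), sampleUri = any(requestUri_s), sampleMsg = any(Message)
    by ruleId_s, action_s
| order by hits desc
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$result.Results | Format-Table ruleId_s, action_s, hits, sampleUri, sampleMsg -AutoSize

# 2. Apply the decision. Prefer an exclusion scoped to the one header/cookie/argument that
#    trips the rule; disabling the rule itself drops that check for every request.
$gw  = Get-AzApplicationGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
$waf = $gw.WebApplicationFirewallConfiguration

# Exclusion (assumed): ignore the anti-forgery form field that matched a pattern.
$excl = New-AzApplicationGatewayFirewallExclusionConfig `
    -Variable RequestArgNames -Operator Equals -Selector '__RequestVerificationToken'

# Disabled rule (assumed): CRS 3.0 rule 942100 in the SQLi rule group.
$disabled = New-AzApplicationGatewayFirewallDisabledRuleGroup `
    -RuleGroupName 'REQUEST-942-APPLICATION-ATTACK-SQLI' -Rules 942100

# Keep the current mode/ruleset and merge the new items into the existing lists.
Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw `
    -Enabled $true -FirewallMode $waf.FirewallMode `
    -RuleSetType OWASP -RuleSetVersion $waf.RuleSetVersion `
    -Exclusion ($waf.Exclusions + $excl) `
    -DisabledRuleGroup ($waf.DisabledRuleGroups + $disabled) `
    -RequestBodyCheck $true -MaxRequestBodySizeInKb 128 -FileUploadLimitInMb 100 | Out-Null
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
```

    When the ranking shows only real attacks left, run the same Set-AzApplicationGatewayWebApplicationFirewallConfiguration call with -FirewallMode Prevention; in Detection mode the action_s column reads "Detected", in Prevention mode "Blocked".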
    Reference:
    WAF Overview: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
    WAF Configuration: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-waf-configuration
    OWASP ModSecurity Core Rule Set (CRS): https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  16. proximagr
    High Level Steps to Create a Syslog Server for Azure OMS (Log Analytics)
     
    This post is a gathering of TechNet articles and 3rd party blog posts that my colleague John Dandelis followed to create a Linux Syslog server in order to monitor network devices with Operations Management Suite (OMS). It's not a complete step-by-step guide, but it is very useful as a reference.
     
    -Install Ubuntu Server VM.
    Use any Bash shell to connect to the Ubuntu Server (for example http://win-bash.sourceforge.net/).
    To install a Bash shell on Windows 10: under Update & Security, For developers, enable Developer mode; then from Add/Remove Windows features add Windows Subsystem for Linux.
     
    -Connect to Ubuntu server: ssh <syslog username>@<syslogIP>
     
    -Setup Ubuntu Syslog
    https://msandbu.wordpress.com/2016/02/22/monitoring-syslog-from-oms-with-non-oms-agents/
     
    Edit rsyslog.conf file: (to edit press “insert”. To quit press “esc” and type “:q” to quit, “:wq” to save and quit, “:q!” to quit without saving )
    sudo vim /etc/rsyslog.conf
     
    Uncomment Lines (remove # sign):
    #$ModLoad imudp
    #$UDPServerRun 514
     
    -Create a template for log receipt
    Add the following lines before GLOBAL DIRECTIVES:
    $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs
     
    (The $template RemoteLogs directive (“RemoteLogs” string can be changed to any other descriptive name) forces rsyslog daemon to write log messages to separate local log files in /var/log/, where log file names are defined based on the hostname of the remote sending machine as well as the remote application that generated the logs. The second line (“*.* ?RemoteLogs”) implies that we apply RemoteLogs template to all received logs.)
     
    -Restart syslog service
    sudo service rsyslog restart
     
    Install OMS Agent from OMS–>Overview–>Settings–>Connected Sources–>Linux Servers
    Copy the “DOWNLOAD AND ONBOARD AGENT FOR LINUX” field and paste into Ubuntu Bash.
     
    Add Syslog Facilities from Overview–>Settings–>Data–>Syslog
    local0 or whatever is the device facility you collect logs from.
     
    Show Most Recent Logs
    tail -f /var/log/syslog
     

    Useful sites:
     
    Create syslog in Ubuntu Server
    http://blogbt.net/index.php/2013/11/syslog-server-on-ubuntu/
     

    VIM Editor:
    https://stackoverflow.com/questions/11828270/how-to-exit-the-vim-editor
    Hit the Esc key; vim goes into command mode. Then you can type:
    :q to quit (short for :quit)
    :q! to quit without saving (short for :quit!)
    :wq to write and quit
    :wq! to write and quit even if the file has only read permission (force write)
    :x to write and quit (similar to :wq, but won't write if there are no changes)
    :qa to quit all (short for :quitall)
    OMS Agent for Linux
    https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/installer/conf/omsagent.d/syslog.conf
     
    https://blogs.technet.microsoft.com/msoms/2016/05/12/syslog-collection-in-operations-management-suite/
     
    Install Azure Power Shell
    https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-4.0.0
     
    Install Agent For log analytics
    https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-linux-agents
     

    The post High Level Steps to Create a Syslog Server for Azure OMS (Log Analytics) appeared first on Apostolidis IT Corner.


    <a href="http://www.e-apostolidis.gr/microsoft/azure/high-level-steps-create-syslog-server-azure-oms-log-analytics/"class='bbc_url' rel='nofollow external'>Source</a>
  17. proximagr
    Azure Start Point | Your first Web App
    In this post series we will go through some basic steps on how to start with Microsoft Azure. To start, we will create a Web App.
    If you don’t have an Azure Subscription, you can easily create a free trial by just going to https://azure.microsoft.com/en-us/free/
    Let’s create our first Web App. Go to the Azure Portal by navigating to https://portal.azure.com and click “+ Create a resource”

    At the search box write “Web App” and press enter

    In the search results, click “Web App” and at the next screen just press “Create”

    The “Web App Create” wizard will open. Enter a name for the App. This will be the Public name of your App. Azure by default provides the domain *.azurewebsites.net for free.

    So in my example the prowebdev.azurewebsites.net will be the URL of my App
    Select the Azure Subscription that will be used to bill the Web App and a Resource Group. The Resource Group is used to organize resources and, among other things, to scope role based access control.
    OS: Select the Operating System platform that will host your Web App. This can be Windows, Linux or a Docker Container. For the test I will select Windows.
    As you can see, the wizard has selected an App Service Plan by default with a random name and location. The App Service Plan is effectively the Web Server that will host our Web App. Click on “App Service Plan/Location”.
    Add a name for the Web Server, select the Location that is nearest to you (or your clients) and the Pricing Tier.
    By pressing OK you return to the Web App create wizard; press Create. Now you can monitor the creation of the App from the “Notifications” option at the top right of the portal, the button with the ringing bell. First you will see the “Deployment in progress…” message and as soon as the App is ready the “Deployment completed” message.
    Now if you go to the Resource Group you will see two resources: the App Service and the App Service Plan. At a high level, the App Service Plan is the web server and the App Service is the Web Application.

    Now click the App Service and at its blade you can see your applications URL.

    Click the URL and you will see the Demo page
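    The same deployment with Az PowerShell, as an added example that is not part of the original post. It makes the App Service Plan / Web App relationship explicit and checks the demo page over HTTPS. The resource group, location, plan name and app name are placeholders (the app name must be globally unique, since it becomes the azurewebsites.net hostname).

```powershell
# Added example (not from the original post): create the plan and the web app, then verify.
# Assumed values: resource group, location, plan name, app name.
param(
    [string]$ResourceGroup = 'rg-webdev',
    [string]$Location      = 'westeurope',
    [string]$PlanName      = 'prowebdev-plan',
    [string]$AppName       = 'prowebdev'        # becomes prowebdev.azurewebsites.net
)
$ErrorActionPreference = 'Stop'

# The plan is the "web server" (compute and pricing tier); the web app is the site hosted on it.
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
$plan = New-AzAppServicePlan -ResourceGroupName $ResourceGroup -Name $PlanName `
    -Location $Location -Tier Basic -NumberofWorkers 1 -WorkerSize Small
$app  = New-AzWebApp -ResourceGroupName $ResourceGroup -Name $AppName `
    -Location $Location -AppServicePlan $plan.Name

# Azure assigns the default hostname; fetch the demo page over HTTPS and report the status.
$url  = "https://$($app.DefaultHostName)"
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing
'{0} -> HTTP {1}' -f $url, $resp.StatusCode

# What landed in the resource group: Microsoft.Web/serverfarms (plan) and Microsoft.Web/sites (app).
Get-AzResource -ResourceGroupName $ResourceGroup | Select-Object Name, ResourceType
```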

  19. proximagr
    Use Service Endpoints to protect an Azure Storage Account inside an Azure Virtual Network
    As we have already seen in a previous post, we can use Service Endpoints to protect an Azure SQL Server inside an Azure Virtual Network. Today we will see how we can protect a Storage Account.
    First we need to enable the Microsoft.Storage Service Endpoint on an existing Virtual Network, or create a new Virtual Network and enable it there. In this post I am creating a new Virtual Network, so at the Azure Portal press New and in the search box type “Virtual Network”.
    Enter the name of the Virtual Network and all the required fields. The only difference is to click “Enable” at Service Endpoints and select “Microsoft.Storage”.

    After the Virtual Network we can proceed with the Storage Account. Create a Storage Account by going to the Azure Portal, pressing New, searching for “Storage Account” and pressing Create. At the “Create storage account” blade enter all the required fields. The difference here is to click “Enable” at “Virtual Networks”, select the Virtual Network on which you enabled “Service Endpoints” and select the desired subnet.

    After the Storage Account creation, open the Storage Account and go to the “Firewall and virtual network” setting. You will see that the selected Virtual Network and Subnet are configured and that all other networks, including the Internet, are denied.

    Now if you go to the File Service of the Storage Account you will get an “Access Denied” message, since you are accessing from the Internet.

    In order to access the Storage Account File Service (And all other services like blob) I created a Virtual Machine inside the Virtual Network and opened the Portal from it. Now I can access the Storage Account services.

    Of course we can add our Public IP and access the Storage Account configuration, make the required changes and then remove it.

    Also we can add / remove existing and new networks
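    The same lockdown with Az PowerShell, added here as an example and not part of the original post. It enables the Microsoft.Storage endpoint on an existing subnet, switches the storage firewall to deny-by-default with only that subnet allowed, shows the temporary admin-IP exception the post describes, and verifies the resulting rule set. Resource names and the admin IP (TEST-NET-2 documentation range) are placeholders.

```powershell
# Added example (not from the original post): service endpoint + storage firewall lockdown.
# Assumed values: resource group, VNet/subnet, storage account name, admin public IP.
param(
    [string]$ResourceGroup  = 'rg-storage',
    [string]$VNetName       = 'vnet-prod',
    [string]$SubnetName     = 'app',
    [string]$StorageAccount = 'prostorage01',
    [string]$AdminPublicIp  = '198.51.100.25'
)
$ErrorActionPreference = 'Stop'

# 1. Enable the Microsoft.Storage service endpoint on the subnet. Without it, traffic from the
#    subnet reaches storage with a public source address and no VNet rule can match it.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint Microsoft.Storage | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# 2. Storage firewall: allow the subnet first, THEN flip the default to Deny, so you never
#    end up with an account nobody can reach. Bypass keeps trusted Azure services (e.g. logging) working.
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 3. Temporary exception for the admin's public IP (IP rules accept public addresses only),
#    do the configuration work, then remove it again as the post suggests.
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -IPAddressOrRange $AdminPublicIp | Out-Null
# ... portal or data-plane work from the admin workstation happens here ...
Remove-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -IPAddressOrRange $AdminPublicIp | Out-Null

# 4. Verify: default must be Deny, the only VNet rule our subnet, and no IP rules left behind.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount
if ($rules.DefaultAction -ne 'Deny') { throw 'Default action is not Deny' }
if ($rules.IpRules.Count -gt 0)     { throw 'Leftover IP rules on the storage firewall' }
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, Action
```

    After step 2 the portal's file and blob browsing fails from the Internet with the same "Access Denied" the post shows; a VM in the allowed subnet, or the temporary IP rule from step 3, is the way in.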

    The post Use Service Endpoints to protect an Azure Storage Account inside an Azure Azure Virtual Network appeared first on Apostolidis IT Corner.


    Source
  20. proximagr
    Puppet On Azure Puppet Automation – Creating a file on the servers we manage. We have installed Puppet and the Agents, now it is time to see a test automation. Example “Create a file”: on the Puppet Master we run nano /etc/puppet/manifests/site.pp and give the name and path of the file, the security “mode” and the file's “content” […]
    The post Puppet On Azure | Step 4, Puppet Automation appeared first on Proxima's IT Corner.


    Source
  21. proximagr
    SQL Failover Cluster with AlwaysOn Availability Groups. The idea is to have a SQL Failover Cluster at the Primary Site and to add an AlwaysOn Availability Group to the existing Cluster for DR. Because of the size of the implementation it will be split into three posts: one for the Failover Cluster, one for installing SQL on the Failover Cluster and one for implementing the […]
    The post SQL Failover Cluster with AlwaysOn Availability Groups appeared first on Proxima's IT Corner.


    Source
  22. proximagr
    Azure Blob Storage… Recycle Bin!!!!!!!
    Remember all those red alerts when it comes to deleting blobs? Forget them! Microsoft Azure brought the Windows Recycle Bin to Azure and named it Soft delete.
    The soft delete feature is basically similar to the Windows recycle bin. When you delete a file from Windows Explorer, the Operating System does not actually remove it; it moves it to the recycle bin, where it stays and can be restored at any time. Soft delete in Microsoft Azure does the same for blob storage: when data is deleted or overwritten, it is not actually gone. Instead it is soft deleted and stays recoverable for the retention period you set.
    It is not enabled by default, but it is very easy to enable. Go to the Storage Account, scroll down to the Blob Service and select “Soft delete”. Select the Retention policy and Save, that’s all!

    Let’s delete and test. Browse a container and click “Show deleted blobs”. The current blob shows as active.

    deleting the blob it will change the status to “deleted”

    Click the three little dots and you can undelete the blob, in Azure!!!

    Active again!

    Be careful, if you delete the whole container, the storage account or the Azure Subscription there is no return. The Soft delete feature is at blob level inside a container.
    For more details visit the docs: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete
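    The same enable / check / undelete cycle from Az PowerShell, added here as an example and not part of the original post. The resource and blob names are placeholders; the Undelete() call goes through the Azure.Storage.Blobs client that Az.Storage exposes on each blob object, which assumes Az.Storage 3.x or later.

```powershell
# Added example (not from the original post): enable blob soft delete, verify the policy,
# list what is soft-deleted in a container and restore one blob.
# Assumed values: resource group, storage account, container, blob name, retention days.
param(
    [string]$ResourceGroup  = 'rg-storage',
    [string]$StorageAccount = 'prostorage01',
    [string]$Container      = 'docs',
    [string]$BlobName       = 'important.xlsx',
    [int]$RetentionDays     = 14
)
$ErrorActionPreference = 'Stop'

# 1. Turn it on (off by default, as the post says) and read the policy back from the service.
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount -RetentionDays $RetentionDays | Out-Null
$props = Get-AzStorageBlobServiceProperty -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount
if (-not $props.DeleteRetentionPolicy.Enabled) { throw 'Soft delete is still disabled' }
'Soft delete on, retention {0} days' -f $props.DeleteRetentionPolicy.Days

# 2. Data-plane context; the account key is fetched through your ARM permissions.
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context

# 3. Soft-deleted blobs are hidden from a normal listing; -IncludeDeleted is the "Show deleted blobs" switch.
$deleted = Get-AzStorageBlob -Container $Container -Context $ctx -IncludeDeleted |
    Where-Object { $_.IsDeleted }
$deleted | Select-Object Name, IsDeleted

# 4. Undelete one blob (assumption: BlobBaseClient is available, Az.Storage 3.x+), then confirm.
$blob = $deleted | Where-Object Name -eq $BlobName | Select-Object -First 1
if ($blob) {
    $blob.BlobBaseClient.Undelete() | Out-Null
    Get-AzStorageBlob -Container $Container -Blob $BlobName -Context $ctx | Select-Object Name, IsDeleted
}
```

    The caveat from the post still applies: this protects blobs inside a container, not the container or the account itself.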
    The post Azure Blob Storage… Recycle Bin!!!!!!! appeared first on Apostolidis IT Corner.


    Source
  23. proximagr
    Azure offers a free SMTP relay through the SendGrid application. SendGrid is a cloud service that provides email delivery and marketing campaigns. The specific offer is for up to 25,000 emails per month, and it also includes full reporting and analytics and 24/7 support.
    In this post we will see how to create a free SendGrid account that can be used for many purposes, like:
    - Sending emails from an application using the SendGrid API
    - Sending email campaigns, newsletters, etc. using the SendGrid SMTP service


    At the Azure Portal, portal.azure.com, search for sendgrid and click the “SendGrid Email Delivery”

    The SendGrid account wizard will open. Fill the name and password, select subscription and resource group and choose the F1 free pricing tier. Also fill the contact information, accept the legal terms and press “Create”
    Once the SendGrid Account is created, navigate to it and select Manage
    The SendGrid portal will open. Navigate to the Settings / API Keys to Create an API Key.
    Enter a name for the key. For permissions you only need send emails So select Restricted Access and add “Mail Send”. Press create & view to create the key.
    You will only see the key once, upon creation. After that there is no way to see the key again, so copy and keep it safe.
    SMTP Service
    We are ready to send emails using any host that supports SMTP. The settings are:
    Server: smtp.sendgrid.net
    Username: apikey (the literal word)
    Password: the API Key you created before
    Ports: SSL 465, unencrypted 25, TLS (STARTTLS) 587
    Avoid port 25 without TLS: the API key is sent as the SMTP password and would travel in clear.
    More about SendGrid SMTP: https://sendgrid.com/docs/API_Reference/SMTP_API/integrating_with_the_smtp_api.html

    API Usage:
    https://sendgrid.com/docs/for-developers/sending-email/api-getting-started/
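    Both ways of sending with the key you just created, as an added example that is not part of the original post: SMTP on 587 with STARTTLS and the v3 REST API. The key is read from an environment variable so it never lives in the script; the addresses are placeholders.

```powershell
# Added example (not from the original post): send one message via SendGrid SMTP and via
# the v3 REST API. Assumed values: from/to addresses; the key comes from SENDGRID_API_KEY.
param(
    [string]$From    = 'alerts@example.com',
    [string]$To      = 'admin@example.com',
    [string]$Subject = 'SendGrid test',
    [string]$Body    = 'Hello from Azure'
)
$ErrorActionPreference = 'Stop'
$apiKey = $env:SENDGRID_API_KEY
if (-not $apiKey) { throw 'Set SENDGRID_API_KEY first (the key is shown only once at creation)' }

# --- SMTP: username is the literal string "apikey", password is the key itself ---
$cred = New-Object System.Management.Automation.PSCredential (
    'apikey', (ConvertTo-SecureString $apiKey -AsPlainText -Force))
# -UseSsl on 587 negotiates STARTTLS, so the key is never sent in clear.
Send-MailMessage -SmtpServer 'smtp.sendgrid.net' -Port 587 -UseSsl -Credential $cred `
    -From $From -To $To -Subject $Subject -Body $Body

# --- REST API: the same restricted "Mail Send" key as a Bearer token ---
$payload = @{
    personalizations = @(@{ to = @(@{ email = $To }) })
    from             = @{ email = $From }
    subject          = $Subject
    content          = @(@{ type = 'text/plain'; value = $Body })
} | ConvertTo-Json -Depth 6
$resp = Invoke-WebRequest -Uri 'https://api.sendgrid.com/v3/mail/send' -Method Post `
    -Headers @{ Authorization = "Bearer $apiKey" } -ContentType 'application/json' `
    -Body $payload -UseBasicParsing
'API response: HTTP {0}' -f $resp.StatusCode
```

    SendGrid answers the API call with 202 Accepted when the message is queued; a 401 means the key is wrong or lacks the Mail Send permission chosen in the restricted-access settings.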
  24. proximagr
    Create Azure File Shares at your ARM template using PowerShell
    Using an Azure Resource Manager template deployment you can create a Storage Account, but you cannot create File Shares. Azure File Shares can be created using the Azure Portal, Azure PowerShell or the Azure CLI.
    The idea is to run a PowerShell script that creates the File Shares and to invoke this script from inside the ARM template. To use a PowerShell script from a template, the script must be reachable at a URL; a Git repository is a good way to provide this. One major thing to consider is that the Storage Account key must be passed to the PowerShell script securely, since the script itself sits at a public URL.
    The PowerShell script will run inside a Virtual Machine, delivered by the CustomScriptExtension. To use it, add a resources section to the Virtual Machine resource of the JSON file.
    The Custom Script Extension is located inside the Virtual Machine resource. Let's assume that the last part of the Virtual Machine resource is the “diagnosticsProfile”, so after the closure of “diagnosticsProfile” we add “resources”, and inside “resources” the “extensions” resource that adds the “CustomScriptExtension”, like below.
    The Template Part
    This will be the addition at the Virtual Machine resource:
            "diagnosticsProfile": {
                "bootDiagnostics": {
                    "enabled": true,
                    "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('diagnosticStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
                }
            }
        },
        "resources": [
            {
                "name": "AzureFileShares",
                "type": "extensions",
                "location": "[variables('location')]",
                "apiVersion": "2016-03-30",
                "dependsOn": [
                    "[resourceId('Microsoft.Compute/virtualMachines', parameters('VMName'))]",
                    "[variables('AzureFilesStorageId')]"
                ],
                "tags": {
                    "displayName": "AzureFileShares"
                },
                "properties": {
                    "publisher": "Microsoft.Compute",
                    "type": "CustomScriptExtension",
                    "typeHandlerVersion": "1.4",
                    "autoUpgradeMinorVersion": true,
                    "settings": {
                        "fileUris": [
                            "https://raw.githubusercontent.com/######/#####/master/azurefiles.ps1"
                        ]
                    },
                    "protectedSettings": {
                        "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -File ','azurefiles.ps1 -SAName ',parameters('AzureFilesStorageName'),' -SAKey ', listKeys(resourceId(variables('AzureFilesStorageAccountResourceGroup'),'Microsoft.Storage/storageAccounts', parameters('AzureFilesStorageName')), '2015-06-15').key1)]"
                    }
                }
            }
        ]
    },
    The extension must depend on the Virtual Machine that will run the script and on the Storage Account that will be used for the file shares.
    At the custom script settings, add the public raw URL of the PowerShell script.
    Next let's see the Storage Account key and execution part. In the commandToExecute section we pass the Storage Account name and key into the script as arguments. The listKeys() function retrieves the key at deployment time using the permissions of the account running the template deployment. Because commandToExecute sits under protectedSettings rather than settings, the key is encrypted in the deployment and is not exposed in the extension's visible settings.
    To make the template more flexible I have added a variable for the Resource Group and a parameter for the AzureFilesStorageName, so the template asks for the Storage Account name in the parameters.
    The PowerShell
    The PowerShell script was tested on a Windows Server 2016 VM. You can find it below:
    Param (
        # Both values arrive from the extension's commandToExecute (-SAName / -SAKey)
        [Parameter()]
        [string]$SAKey,
        [string]$SAName
    )
    # NuGet provider and a trusted PSGallery avoid interactive prompts in the unattended run
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    Install-Module Azure -Confirm:$False
    Import-Module Azure
    # Build the storage context from the name and key passed in, then create the share.
    # Replace ##### with the share name. New-AzureStorageShare fails if the share already
    # exists, so a redeployment needs a Get-AzureStorageShare check before this call.
    $storageContext = New-AzureStorageContext -StorageAccountName $SAName -StorageAccountKey $SAKey
    $storageContext | New-AzureStorageShare -Name #####
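To catch the key ending up in the plaintext section before a template is deployed, here is an added Python check (not code from the post) that walks a template's resources, including nested child resources, and flags any CustomScriptExtension whose plain settings carry a key-returning expression such as listKeys(). The embedded template fragment is constructed for the example, with the expression deliberately placed under both settings and protectedSettings; the script URL is a placeholder.

```python
import json
import re

# Constructed template fragment: the post's extension shape, with the listKeys()
# expression once under "settings" (wrong) and once under "protectedSettings" (right).
TEMPLATE = json.loads(r'''{
  "resources": [{
    "type": "Microsoft.Compute/virtualMachines", "name": "vm1",
    "resources": [{
      "type": "extensions", "name": "AzureFileShares",
      "properties": {
        "type": "CustomScriptExtension",
        "settings": {
          "fileUris": ["https://example.invalid/azurefiles.ps1"],
          "commandToExecute": "[concat('powershell -File azurefiles.ps1 -SAKey ', listKeys(variables('saId'), '2015-06-15').key1)]"
        },
        "protectedSettings": {
          "commandToExecute": "[concat('powershell -File azurefiles.ps1 -SAKey ', listKeys(variables('saId'), '2015-06-15').key1)]"
        }
      }
    }]
  }]
}''')

# Expressions and switches that put a storage key (or similar secret) into a value.
SECRET_PATTERN = re.compile(r"listKeys\(|listAccountSas\(|-SAKey\b|-StorageAccountKey\b|[Pp]assword")

def walk_resources(resources, path=""):
    """Yield (path, resource) for every resource, descending into nested child resources."""
    for i, res in enumerate(resources):
        here = f"{path}/{res.get('name', i)}"
        yield here, res
        yield from walk_resources(res.get("resources", []), here)

def find_plaintext_secrets(template):
    """Return (resource path, setting key) for secret-bearing values in a
    CustomScriptExtension's plain "settings"; "protectedSettings" is encrypted and skipped."""
    findings = []
    for path, res in walk_resources(template.get("resources", [])):
        props = res.get("properties", {})
        if props.get("type") != "CustomScriptExtension":
            continue
        for key, value in props.get("settings", {}).items():
            if SECRET_PATTERN.search(json.dumps(value)):
                findings.append((path, key))
    return findings

if __name__ == "__main__":
    for path, key in find_plaintext_secrets(TEMPLATE):
        print(f"plaintext secret in settings.{key} of {path}")
```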
  25. proximagr
    Bulletproof manage your Azure VMs
    Continuing the Azure Security Center posts, today we will see a new feature of the Security Center, called Just in Time VM Access.
    As a security best practice, all the management ports of a Virtual Machine should be closed using Network Security Groups. Only the ports required for any published services should be open, if any.
    However, there are many occasions when we are asked to open a management port for administration, or a service port for some tests, for a short time. This has two major problems. First, it costs a lot of administration time, because the administrator must go to the Azure Portal and add a rule to the VM’s NSG. Second, the port is often left open and forgotten, which is a major vulnerability since the majority of brute-force attacks target the management ports, 22 and 3389.
    Here comes the Azure Security Center, with the Just in Time VM Access feature. With this feature we can use the RBAC of the Azure Portal and allow specific users to request that a predefined port be opened for a short time frame.
    JIT Configuration
    Let's see how we configure JIT. First we need to go to the Azure Security Center. Scroll down to ADVANCED CLOUD DEFENSE and click “Just in time VM Access”. Since it is in preview you need to press “Try Just in time VM access”.

    After we enable JIT, the window displays three tabs: Configured, Recommended and No recommendation. The Configured tab displays the Virtual Machines for which we have already enabled JIT. The Recommended tab lists VMs that have NSGs and are recommended to be enabled for JIT. The No recommendation tab lists Classic VMs or VMs that don’t have an NSG attached.

    To enable JIT for a VM, go to the Recommended tab, select one or more VMs and press “Enable JIT on x VMs”

    At the “JIT VM access configuration” the Security Center proposes rules with the default management ports. We can add other ports that we need and remove any that are unnecessary.
    For each rule we can configure the Port, the Protocol, the Source IP and the Maximum request time.
    If we leave the “Allowed source IPs” at “Per request”, we let the requester decide. One very interesting setting here is that when users request access they have the option to automatically allow only the Public IP they are using at that time.
    With the last option, the “Max request time”, we narrow down the maximum time that we will allow a port to be open.

    After we configure all the parameters we click Save and the VM moves to the Configured tab. At any time we can change the configuration by selecting the VM, press the three dots at the end of the line (…) and click Edit.

    The Properties button opens the VM’s blade, the Activity log shows all the users that requested access, and Remove of course disables JIT.
    Behind the scene
    What really happens to the VM? If you browse to the NSG attached to the VM you will see that all the port rules configured in JIT have been added as NSG deny rules with a lower priority than all the other rules, and that all the other rules were automatically moved to higher priorities.

    Let's see how we request access and what happens in the background. To request access go to Security Center / JIT, select the VM and press “Request Access”.

    In the “Request access” blade switch on the desired port, select “My IP” or “IP Range” and the time range, all according to the JIT configuration of the VM. Finally press “Open Ports”.

    In the example above I selected “My IP”, so if you go to the VM’s NSG you will see that the 3389 port rule has changed to “Allow” with my current Public IP as the Source. It also moved to the first priority.

    After the time range expires, the port rule changes back to “Deny” and moves back to its prior priority.
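The rule behaviour described above, as an added Python model that is not code from the post or from Security Center: Azure-style first-match evaluation by priority over a constructed rule set, JIT deny rules placed below the existing rules, and a time-limited Allow for the requester's own IP that stops matching once the time range ends. The clock, IPs and existing rule are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class NsgRule:
    name: str
    priority: int                       # Azure semantics: lower number is evaluated first
    port: int
    access: str                         # "Allow" or "Deny"
    source: str = "*"                   # "*" (any) or a CIDR such as 203.0.113.5/32
    expires: Optional[datetime] = None  # only JIT-granted Allow rules carry an expiry

def evaluate(rules: List[NsgRule], src_ip: str, port: int, now: datetime) -> str:
    """First matching rule in priority order decides; an expired JIT grant no longer matches."""
    for r in sorted(rules, key=lambda x: x.priority):
        if r.port != port or (r.expires and now >= r.expires):
            continue
        if r.source != "*" and ip_address(src_ip) not in ip_network(r.source, strict=False):
            continue
        return r.access
    return "Deny"  # the built-in DenyAllInBound rule at the end of every NSG

def enable_jit(rules: List[NsgRule], ports=(22, 3389)) -> None:
    """JIT keeps each management port closed with a Deny rule placed below all existing rules."""
    lowest = max((r.priority for r in rules), default=100)
    for i, p in enumerate(ports, start=1):
        rules.append(NsgRule(f"JIT-Deny-{p}", lowest + 100 * i, p, "Deny"))

def request_access(rules, port, requester_ip, now, max_minutes):
    """A granted request: Allow only the requester's IP, at top priority, until the time range ends."""
    top = min(r.priority for r in rules) - 1
    rules.append(NsgRule(f"JIT-Allow-{port}", top, port, "Allow",
                         f"{requester_ip}/32", now + timedelta(minutes=max_minutes)))

def demo() -> dict:
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    rules = [NsgRule("web-in", 100, 443, "Allow")]           # constructed existing rule
    enable_jit(rules)
    before = evaluate(rules, "203.0.113.5", 3389, now)
    request_access(rules, 3389, "203.0.113.5", now, max_minutes=180)
    return {
        "before_request": before,
        "requester": evaluate(rules, "203.0.113.5", 3389, now),
        "other_ip": evaluate(rules, "198.51.100.7", 3389, now),
        "ssh_still_closed": evaluate(rules, "203.0.113.5", 22, now),
        "after_expiry": evaluate(rules, "203.0.113.5", 3389, now + timedelta(minutes=181)),
    }
```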
    The post Bulletproof manage your Azure VMs appeared first on Apostolidis IT Corner.