Blog Entries posted by proximagr

  1. proximagr
    SECURE THE AZURE SQL DATABASE INSIDE A VNET USING SERVICE ENDPOINTS
    February 6, 2018 Pantelis Apostolidis Microsoft, Greek
     
    For many, one obstacle to using Azure SQL is its public access. After the latest Azure updates we can use service endpoints to secure Azure SQL inside a VNET.
    So let's start putting Azure SQL inside a VNET. Open the Azure Portal and start creating a VNET. At the bottom of the creation page a new option has been added, called service endpoints. Enable it and select Microsoft.Sql.

    Next, create a SQL Database. Again from the Azure Portal select New –> SQL Database and fill in whatever details you want.

     
    Once the SQL Database is created, open its settings and go to Firewall / Virtual Networks. There, disable «Allow access to Azure Services». With this option we cut off access to the SQL from the Public IP.
     

     
    To connect the SQL to the VNET press «+Add existing virtual network» and create a rule where we select the VNET we created with service endpoints enabled.
     

    Time to test. A quick way to test connectivity to a SQL server is the «ODBC Data Source Administrator», which is found in Administrative Tools on all MS Windows Server & Professional client operating systems. If you try to connect over the internet you will see that the connection is cut at the TCP level; the connection does not even open, as if the server does not exist.
    So I created a VM inside the VNET to have local access. Open the ODBC Data Source Administrator, and under User DSN press new connection. For the name give whatever you want, it does not matter, and for the server give the FQDN of the Azure SQL Database.
     

     
    On the next screen enter the username and password of the Azure SQL Database and press «Test Data Source».
     

     
    We can also connect with SSMS, entering the SQL Server FQDN, the username and the password,
     

     
    and it connects quickly and securely!
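    The same lock-down done with Az PowerShell, as an added example that is not part of the original post: the VNET with the Microsoft.Sql service endpoint, the «Allow access to Azure Services» rule removed, the VNET rule added, and the checks a practitioner would run afterwards. Resource group, region, VNET, subnet and server names are constructed for this example; the logical SQL server is assumed to exist already, as in the post.

```powershell
# Added example (not the post's own code): Azure SQL reachable only through a VNet service endpoint.
# Assumed names (constructed): resource group "sql-lab-rg", region "westeurope", VNet "sql-lab-vnet",
# subnet "app-subnet", logical SQL server "sql-lab-srv" (already created, as in the post).
$rg         = "sql-lab-rg"
$region     = "westeurope"
$vnetName   = "sql-lab-vnet"
$subnetName = "app-subnet"
$sqlServer  = "sql-lab-srv"

# 1. VNet whose subnet carries the Microsoft.Sql service endpoint (the portal's "service endpoints" switch).
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix "10.10.1.0/24" `
    -ServiceEndpoint "Microsoft.Sql"
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $region `
    -AddressPrefix "10.10.0.0/16" -Subnet $subnet

# 2. Switch off "Allow access to Azure Services". In the API it is the server firewall rule named
#    AllowAllWindowsAzureIps (0.0.0.0 - 0.0.0.0); deleting it is what the portal's OFF switch does.
$azureRule = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
    -FirewallRuleName "AllowAllWindowsAzureIps" -ErrorAction SilentlyContinue
if ($azureRule) {
    Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
        -FirewallRuleName "AllowAllWindowsAzureIps" -Force | Out-Null
}

# 3. Add the VNet rule (the portal's "+Add existing virtual network").
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet).Id
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer `
    -VirtualNetworkRuleName "allow-$subnetName" -VirtualNetworkSubnetId $subnetId | Out-Null

# 4. Review what is left. Only the VNet rule (and any client-IP rules you deliberately keep) should
#    remain; an empty IP rule list plus one VNet rule means the server answers only from inside the VNet.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer |
    Select-Object VirtualNetworkRuleName, VirtualNetworkSubnetId, State

# 5. The post's observation, reproduced: run this on a VM inside the subnet and TcpTestSucceeded is
#    True; run it from an internet-connected client and the TCP handshake on 1433 never completes.
Test-NetConnection -ComputerName "$sqlServer.database.windows.net" -Port 1433 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```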
     


  2. proximagr
    Puppet On Azure, Add Windows Agent. Step 1, Create Windows VM. We create a Virtual Machine: from the Azure Management Portal go to Virtual Machines, press New and press «From Gallery». Select Windows Server 2012 R2 Datacenter. Give a name, for the Lab: “puppetslave03”, size an A0, username & password. On the next screen select the same Cloud […]
    The post Puppet On Azure | Step 3, Add Windows Agent appeared first on Proxima's IT Corner.


  3. proximagr
    Connect two or more Azure Virtual Networks using one VPN Gateway
    Peering is a feature that allows you to connect two or more virtual networks so that they act as one bigger network. In this post we will see how we can connect two Azure Virtual Networks using peering and access the whole network through one VPN Gateway. We can connect Virtual Networks whether or not they are in the same Subscription.
    I have created a diagram to help understand the topology.

    We have a Virtual Network with a Site-2-Site VPN to On Premises; it can also have a Point-2-Site connection configured. This is VNET A. We have another Virtual Network in the same Subscription that we want to connect to it: VNET B. We can also have a third Virtual Network in a different subscription: VNET C.

    In short we need these peerings with the specific settings:
    - At VNETA: Peering VNETA to VNETB with “Allow Gateway transit”
    - At VNETA: Peering VNETA to VNET
    - At VNETB: Peering VNETB to VNETA with “Use Remote Gateway”
    - At VNETB: Peering VNETB to VNETC
    - At VNETC: Peering VNETC to VNETA with “Use Remote Gateway”
    - At VNETC: Peering VNETC to VNETB

    In order to be able to connect all those networks and also access them using the VPN Connection there are four requirements:
    - The account that will be used to create the peering must have the “Network Contributor” Role.
    - The Address Spaces must be different from each other and must not overlap.
    - All other Virtual Networks, except the one that has the VPN Connection, must NOT have a VPN Gateway deployed.
    - Of course at the local VPN device (router) we need to add the address spaces of all the Virtual Networks that we need to access.
    Let's lab it:
    - HQ 192.168.0.0/16 –> The on-premises network
    - VNET A 10.1.0.0/16 –> The Virtual Network that has the VPN Gateway (in my lab it is named “devvn”)
    - VNET B 10.229.128.0/24 –> The virtual network at a different subscription from the Gateway (in my lab it is named “Network prtg-rsg-vnet”)
    - VNET C 172.16.1.0/24 –> The virtual network at the same subscription as the Gateway Network (in my lab it is named “provsevnet”)

    The on-premises network is connected with a Site-to-Site (IPsec) VPN to VNETA.

    Now we need to connect VNETA and VNETB using VNet Peering. In order to have a Peering connection we need to create one connection from VNETA to VNETB and one from VNETB to VNETA.
    Open the VNETA Virtual Network, go to the Peerings setting and press +ADD.
    Select VNETB and check “Allow Gateway transit” to allow the peer virtual network to use your virtual network gateway.


    Then go to VNETB, go to the Peerings setting and click +ADD.
    Select the VNETA Virtual Network and check “Use Remote Gateway” to use the peer's virtual network gateway. This way VNETB will use VNETA's Gateway.


    Now we can reach the VNETB network from our on-premises network.
    A multi-ping screenshot:
    - From 10.229.128.5 (VNETB) to 192.168.0.4 (on-premises) & the opposite
    - From 10.1.2.4 (VNETA) to 10.229.128.5 (VNETB) & to 192.168.0.4 (on-premises)

    The next step is to create a cross-subscription peering between VNETA and VNETC.
    Open VNETA and create a peering by selecting VNETC from the other Subscription, and check “Allow gateway transit”.

    Then go to VNETC and create a peering with VNETA, and check “Use remote gateway”.

    With the two connections above we have connectivity between the on-premises network and VNETC.
    The final step is to enable connectivity between VNETB & VNETC. To accomplish this, just create one peering from VNETB to VNETC and one from VNETC to VNETB.
    Ping inception:

    In order to have client VPN connectivity to the whole network, create a Point-2-Site VPN at the VNETA. You can follow this guide: Azure Start Point | Point-to-Site VPN
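    The whole peering set-up above, scripted with Az PowerShell as an added example that is not part of the original post. It also scripts two of the four requirements the post lists (non-overlapping address spaces, no VPN gateway outside VNETA) as pre-checks. VNet and resource-group names and both subscription ids are constructed placeholders; the lab address spaces are the post's own.

```powershell
# Added example (not the post's own code): hub-and-spoke peering with gateway transit.
# Assumed names (constructed): VNETA "vnet-a" in "hub-rg" (owns the VPN gateway) and VNETB "vnet-b"
# in "spoke-b-rg", both in subscription $hubSub; VNETC "vnet-c" in "spoke-c-rg" in subscription $spokeSub.
$hubSub   = "00000000-0000-0000-0000-000000000001"   # placeholder subscription id
$spokeSub = "00000000-0000-0000-0000-000000000002"   # placeholder subscription id

function ConvertTo-IpRange([string]$Cidr) {
    # First and last address of an IPv4 CIDR block as unsigned integers.
    $ip, $bits = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                  # BitConverter expects little-endian
    $addr  = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [uint64][math]::Pow(2, 32 - [int]$bits)
    $start = $addr - ($addr % $size)
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}
function Test-CidrOverlap([string]$CidrA, [string]$CidrB) {
    $a = ConvertTo-IpRange $CidrA
    $b = ConvertTo-IpRange $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# Pre-check 1: on-premises and VNet address spaces (the post's lab values) must not overlap.
$spaces = [ordered]@{ HQ = "192.168.0.0/16"; VNETA = "10.1.0.0/16"; VNETB = "10.229.128.0/24"; VNETC = "172.16.1.0/24" }
$names = @($spaces.Keys)
for ($i = 0; $i -lt $names.Count; $i++) {
    for ($j = $i + 1; $j -lt $names.Count; $j++) {
        if (Test-CidrOverlap $spaces[$names[$i]] $spaces[$names[$j]]) {
            throw "Address spaces overlap: $($names[$i]) and $($names[$j])"
        }
    }
}

Set-AzContext -SubscriptionId $hubSub | Out-Null
$vnetA = Get-AzVirtualNetwork -Name "vnet-a" -ResourceGroupName "hub-rg"
$vnetB = Get-AzVirtualNetwork -Name "vnet-b" -ResourceGroupName "spoke-b-rg"
Set-AzContext -SubscriptionId $spokeSub | Out-Null
$vnetC = Get-AzVirtualNetwork -Name "vnet-c" -ResourceGroupName "spoke-c-rg"

# Pre-check 2: only VNETA may carry a VPN gateway; "Use remote gateway" is refused on a VNet with its own.
foreach ($v in @($vnetB, $vnetC)) {
    if ($v.Subnets.Name -contains "GatewaySubnet") {
        throw "$($v.Name) has its own GatewaySubnet; remove that gateway before using VNETA's"
    }
}

# VNETA <-> VNETB (same subscription): A offers gateway transit, B uses the remote gateway.
Set-AzContext -SubscriptionId $hubSub | Out-Null
Add-AzVirtualNetworkPeering -Name "a-to-b" -VirtualNetwork $vnetA -RemoteVirtualNetworkId $vnetB.Id -AllowGatewayTransit | Out-Null
Add-AzVirtualNetworkPeering -Name "b-to-a" -VirtualNetwork $vnetB -RemoteVirtualNetworkId $vnetA.Id -UseRemoteGateways | Out-Null
# VNETA <-> VNETC (cross-subscription): same pattern; the account needs Network Contributor on both sides.
Add-AzVirtualNetworkPeering -Name "a-to-c" -VirtualNetwork $vnetA -RemoteVirtualNetworkId $vnetC.Id -AllowGatewayTransit | Out-Null
# VNETB <-> VNETC: plain peering, no gateway flags.
Add-AzVirtualNetworkPeering -Name "b-to-c" -VirtualNetwork $vnetB -RemoteVirtualNetworkId $vnetC.Id | Out-Null
Set-AzContext -SubscriptionId $spokeSub | Out-Null
Add-AzVirtualNetworkPeering -Name "c-to-a" -VirtualNetwork $vnetC -RemoteVirtualNetworkId $vnetA.Id -UseRemoteGateways | Out-Null
Add-AzVirtualNetworkPeering -Name "c-to-b" -VirtualNetwork $vnetC -RemoteVirtualNetworkId $vnetB.Id | Out-Null

# Check: each peering should report PeeringState "Connected" with the gateway flags you expect.
# Requirement 4 (routes for all three VNet prefixes on the on-premises VPN device) is done on that device.
Set-AzContext -SubscriptionId $hubSub | Out-Null
Get-AzVirtualNetworkPeering -VirtualNetworkName "vnet-a" -ResourceGroupName "hub-rg" |
    Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways
```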
    If you like my content you can follow my blog: e-apostolidis.gr
  4. proximagr
    Azure Policy | Limit the Azure VM Sizes
    Azure Governance
    This post, Azure Policy, is the first of a series of posts about Azure Governance. The idea is to explain, through examples and how-to guides, the tools that Microsoft Azure provides to help administrators enforce rules across all subscriptions. Some examples of those rules are: helping organizations stay compliant with their corporate standards, standardizing resource creation and management, managing permissions and access controls, etc.
    Azure Policy
    Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all the Azure Subscriptions that we manage. We can use these rules for simple limitation actions, like permitting only specific VM Series and Sizes to be created, and also for more complex rule sets that help you standardize the whole Azure deployment.
    Limit the Azure VM Sizes
    In this first post we will go through a simple policy, the “Allowed virtual machine SKUs”. With this policy you can control which Azure VM series and sizes are permitted for deployment. You can apply this policy to a whole Management group, to a Subscription or to a single Resource Group.
    Step by Step Guide
    Open the Azure portal, https://portal.azure.com, and login with your account. At the top search box write “policy”. From the search results select the “policy”.

    At the Policy screen, select the “Definitions”. To create and apply a policy we need to start from a Policy Definition.

    At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. At the Category drop down menu, deselect everything and select only the “Compute”. Press the “Allowed virtual machine SKUs” definition.

    The “Allowed virtual machine SKUs” definition will open. Here we can see the code beneath the definition. It is written in JSON format. If we want to make changes to the definition we must first press “Duplicate definition”. This will create a copy of the definition. Then we can open the duplicate and press “Edit definition”. We will cover this in a future post.
    To select the VM sizes, the scope and apply the definition, press “Assign”
    Set the scope
    At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots.

    For scope, we can select a whole Management group, a whole subscription or a single Resource Group.
    Select the Azure VM SKUs
    After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow.

    At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2.
    We can change the “Assignment Name” to easily find the specific assignment at the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs”
    The next step is the “Managed Identity”. A managed identity creates an Azure AD identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it doesn't exist.
    We don't need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”.

    A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope.

    Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope.
    Test the policy
    To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM.

    And the error details: “disallowed by policy”

    You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/
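    The JSON the portal shows “beneath the definition” and the assignment the post makes, as an added example in Az PowerShell (not the post's own code): a custom definition that mirrors the built-in rule (deny any VM whose SKU is not in the parameter list), assigned to the devrg resource group with the same F-series list the post selected. The subscription id is a placeholder and the definition and assignment names are constructed.

```powershell
# Added example (not the post's own code): "Allowed virtual machine SKUs" as a custom definition
# plus an assignment scoped to one resource group. Subscription id is a placeholder.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$scope = "/subscriptions/$subscriptionId/resourceGroups/devrg"     # "devrg" is the post's resource group

# The rule: a Microsoft.Compute/virtualMachines resource whose sku.name is NOT in the allowed list is denied.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]" } }
    ]
  },
  "then": { "effect": "deny" }
}
'@
# The parameter the portal's SKU drop-down fills in; strongType makes the portal render that picker.
$parameters = @'
{
  "listOfAllowedSKUs": {
    "type": "Array",
    "metadata": { "displayName": "Allowed SKUs", "strongType": "VMSKUs" }
  }
}
'@
$definition = New-AzPolicyDefinition -Name "allowed-vm-skus-custom" `
    -DisplayName "Allowed virtual machine SKUs (custom copy)" `
    -Policy $policyRule -Parameter $parameters -Mode All

# Standard F1-4, F2s-4s and F2s_v2-4s_v2, the list used in the post (the F series has no F3 size).
$allowed = @("Standard_F1", "Standard_F2", "Standard_F4",
             "Standard_F2s", "Standard_F4s",
             "Standard_F2s_v2", "Standard_F4s_v2")

New-AzPolicyAssignment -Name "allow-only-f1-4-skus" `
    -DisplayName "Allowed only F1-4 virtual machine SKUs" `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ listOfAllowedSKUs = $allowed } | Out-Null

# Checks: the assignment exists on the scope, and (after the ~30 minute propagation the post mentions)
# any VM outside the list shows up as NonCompliant. A new Standard_DS1_v2 deployment is refused outright.
Get-AzPolicyAssignment -Name "allow-only-f1-4-skus" -Scope $scope
Get-AzPolicyState -ResourceGroupName "devrg" -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyAssignmentName, ComplianceState
```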
  5. proximagr
    <p style="text-align: justify;">ExpressRoute is a Microsoft Azure service that provides a private connection between an organization’s on-premises infrastructure and Microsoft Cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.</p>
    <p style="text-align: justify;">Microsoft Azure ExpressRoute became generally available back in 2014. To connect to Azure ExpressRoute you need a direct line to an ExpressRoute provider. Now Microsoft has announced that Microsoft cloud services can be accessed with Azure ExpressRoute using satellite connectivity, breaking the direct-line barrier and making it feasible to connect your data center directly to Microsoft Azure from all around the globe!</p>
    <p style="text-align: justify;"><img src="https://azurecomcdn.azureedge.net/mediahandler/acomblog/media/Default/blog/6fc8736b-b6e9-4959-8692-c602e9d931e4.png" alt="Infographic of High level architecture of ExpressRoute and satellite integration" /></p>
    <p><span style="font-size: 10px;">image from <a href="https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/">https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/</a></span></p>
    <p id="JXlaLtf" style="text-align: justify;">Azure ExpressRoute satellite connectivity is currently provided by three Microsoft partners: Intelsat, SES, and Viasat. Microsoft expands its already large connectivity by adding satellite connectivity options at its 54 Regions worldwide, making <a href="https://azure.microsoft.com/en-us/global-infrastructure/global-network/">Microsoft’s global network</a> one of the largest in the world.</p>
    <p style="text-align: justify;">Source:</p>
    <p style="text-align: justify;"><a href="https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction">https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction</a></p>
    <p style="text-align: justify;"><a href="https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/">https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/</a></p>
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-expressroute-adds-satellite-connectivity/">Azure ExpressRoute adds Satellite connectivity</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-expressroute-adds-satellite-connectivity/" class='bbc_url' rel='nofollow external'>Source</a>
  6. proximagr
    Working as a Cloud Consultant, Administrator or Architect, many companies will give you guest (Azure AD B2B) access to their subscription. After the work is completed, the admins of those subscriptions often forget to remove this access; as a result you still have access to resources for no reason, and the list of your available subscriptions grows, making it difficult to choose the right subscription to work in.
    In this post we will walk through the steps of removing your account from those subscriptions. Since this is an identity matter, you need to go to the https://account.activedirectory.windowsazure.com portal and login with your account. I logged in with my account, [email protected]
    There you will see a list of all the applications that you have access to in the Tenant where your account resides. Press the user icon at the top right corner.

    Once you press the user icon, a drop-down menu will appear, and there you will see all the organizations you have been given access to. Next to “ORGANIZATIONS”, press the gear icon.

    You will be redirected to the organizations section of the portal. There, in order to leave an organization's subscription, you need to sign in. Actually, by clicking sign in to leave organization you will be redirected to that tenant. The tricky part here is choosing the right organization, since many organizations do not change the “Default directory” name. An easy way to do this is to hover your mouse over the “sign in to leave organization” link; you will then see the tenant id at the bottom of the page.

    Now, by navigating to https://portal.azure.com and pressing the Subscription filter button at the top bar, near the notifications icon, you will get a list of all the organizations' tenant ids and names.

    After confirming the id of the organization you want to leave, go back to the organization selection portal and press “sign in to leave organization”. There, in the browser's address bar, you will see the organization's tenant id again. Check it again just to be sure.

    There you need to press the user icon again, and then the little gear icon.

    Finally you have the option to “Leave organization”.

    A final warning will appear, just to be sure, and by pressing “Leave” you instantly lose all access to that organization, and it will no longer be listed in your subscription filter.

    After a while you will also receive an email from Microsoft Invitations confirming that you have left that organization.

  7. proximagr
    Use Azure Security Center to protect your workloads
    In this series of posts we will take a walk through Azure Security Center to see some common usage scenarios, like how we can use it to protect anything from a single Virtual Machine to a whole Data Center.
    To make it easier to understand we will start with a typical Azure IaaS scenario: a Virtual Machine with the IIS role acting as a Web Server. The steps to create the VM are outside this post's scope; I will simply describe the process. First we create a Windows Server 2016 Virtual Machine. Second we log in and add the Web Server (IIS) role. Third we open port 80 at the VM's Network Security Group (NSG), and voila, we can browse to the Azure DNS name of the VM and see the IIS default landing page.

    At this point the security of the Web Server relies on the Network Security Rule, a layer 3 firewall that allows access to port 80, and of course on the Windows Firewall, which does exactly the same.
    Let's browse to the Azure Security Center from the Azure Portal. There we see an overview of the security settings for the whole subscription.

    First, click “Compute”. I will skip the overview and go directly to the “VMs and computers” tab. There we see the name of the VM and the five points of interest. Our VM is not monitored, it doesn't have endpoint protection and it reports some vulnerabilities.
    Recommendation: Enable data collection for subscriptions
    To start resolving the issues, click the VM to go to the Recommendations blade. The first recommendation says to enable data collection for the subscription. Of course this is the Log Analytics / OMS (Operations Management Suite) integration. This will enable the subscription's resources to report to Log Analytics.

    Press “Enable data collection for subscription”. The Data Collection blade will open. There we can enable or disable automatic provisioning of the monitoring agent. This is the Microsoft Monitoring Agent, which connects a Virtual Machine to Log Analytics and can also be used to connect to SCOM.

    The second option is to choose a workspace. If you have already created an OMS workspace you can choose it; if not, let it create a new one automatically. Finally press save.
    Returning to the previous blade you will see that the “Turn on data collection” recommendation is now in the Resolved state.

    Although this recommendation is resolved instantly, the Microsoft Monitoring Agent is not yet installed. Go back to Compute / Data collection installation status to see the agent installation status.
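    Two things from this post scripted with Az PowerShell, as an added example that is not part of the original post: a check that the IIS VM's NSG exposes nothing to the internet beyond port 80 (the point where the post says the VM's security currently rests), and the Security Center data-collection setting the recommendation asks for. Resource group, NSG and workspace names are constructed; the Log Analytics workspace is assumed to exist.

```powershell
# Added example (not the post's own code). Assumed names (constructed): resource group "web-rg",
# NSG "web-vm-nsg" attached to the IIS VM, Log Analytics (OMS) workspace "web-law".
$rg = "web-rg"

# Inbound allow rules whose source is "anyone on the internet"; WebOnly is True when the rule opens
# nothing but TCP/80, which is the single exposure the post describes for this VM.
function Get-InternetExposedRules($Nsg) {
    $anySource = @("*", "Internet", "0.0.0.0/0")
    foreach ($rule in $Nsg.SecurityRules) {
        if ($rule.Direction -ne "Inbound" -or $rule.Access -ne "Allow") { continue }
        $sources = @($rule.SourceAddressPrefix)
        if (-not ($sources | Where-Object { $anySource -contains $_ })) { continue }
        $ports = @($rule.DestinationPortRange | Where-Object { $_ })
        [pscustomobject]@{
            Rule     = $rule.Name
            Priority = $rule.Priority
            Protocol = $rule.Protocol
            Ports    = $ports -join ","
            WebOnly  = (($ports -join ",") -eq "80") -and ($rule.Protocol -in @("Tcp", "*"))
        }
    }
}

$nsg = Get-AzNetworkSecurityGroup -Name "web-vm-nsg" -ResourceGroupName $rg
$exposed = Get-InternetExposedRules $nsg
$exposed | Format-Table -AutoSize
# Anything internet-facing that is not the web rule (RDP, WinRM, SQL ...) deserves a look before going on.
$exposed | Where-Object { -not $_.WebOnly } |
    ForEach-Object { Write-Warning "Internet-facing rule beyond port 80: $($_.Rule) ($($_.Ports))" }

# The "Enable data collection for subscription" recommendation: auto-provision the Microsoft
# Monitoring Agent and point the subscription at the workspace (the two settings on the blade).
$ws    = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "web-law"
$subId = (Get-AzContext).Subscription.Id
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision | Out-Null
Set-AzSecurityWorkspaceSetting -Name "default" -Scope "/subscriptions/$subId" -WorkspaceId $ws.ResourceId | Out-Null

# Check: the recommendation list the post walks through, with its state. Agent installation on
# the VM still takes a while after this, as the post notes.
Get-AzSecurityAutoProvisioningSetting -Name "default"
Get-AzSecurityTask | Select-Object Name, State
```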

    Stay tuned for the next Azure Security Center post to resolve more recommendations.
  8. proximagr
    <h1>Azure Bastion – Jump Server as a Service</h1>
    <p>Azure Bastion is a new Azure Platform (PaaS) service, at this time still in Preview, that allows RDP and SSH access to Virtual Machines inside a Virtual Network directly from the Azure Portal. This eliminates the need to expose the Virtual Machines' RDP and SSH ports to the internet.</p>
    <p>The logic comes from Jump Servers, but you don't need to deploy any VMs and you don't have to worry about hardening. It is already on Azure as a Service.</p>
    <p>A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. You can find more about jump servers at <a href="https://en.wikipedia.org/wiki/Jump_server">https://en.wikipedia.org/wiki/Jump_server</a></p>
    <p>The connection to the virtual machines is achieved directly from the Azure Portal over Secure Sockets Layer (SSL) just using the browser. The Bastion Host is</p>
    <h2>Azure Bastion Preview preparation</h2>
    <p>For the time being, Azure Bastion Hosts are in Public Preview. To use them we need to register the Azure Bastion Host provider feature. Open PowerShell and login to Azure, or use the Cloud Shell from the Azure Portal.</p>
    <p>To register the provider feature run:</p>
    <p><code>Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network</code></p>
    <p id="zOeDhIo"><img class="alignnone wp-image-2732 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d091fe6262cc.png" alt="register provider" width="821" height="165" /></p>
    <p>Then run:</p>
    <p><code>Register-AzResourceProvider -ProviderNamespace Microsoft.Network</code></p>
    <p id="DRILxeM"><img class="alignnone wp-image-2733 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d091ff460da0.png" alt="azure bastion register" width="646" height="84" /></p>
    <p>The feature takes some time to register. Run the following command to check when it is registered:</p>
    <p><code>Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network</code></p>
    <p id="EZSfQTp"><img class="alignnone wp-image-2736 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0923cdafb5e.png" alt="register check" width="797" height="78" /></p>
    <p>Once the feature shows as Registered, access the Azure Portal using this link: <a href="http://aka.ms/BastionHost">http://aka.ms/BastionHost</a> in order to access the Bastion Preview.</p>
    <h2>Create the Bastion</h2>
    <p>From the Azure Portal search for bastions.</p>
    <p id="IWWlOrg"><img class="alignnone wp-image-2727 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0801333cf93.png" alt="portal azure bastion" width="496" height="222" /></p>
    <p>Hit “Add” to start the Bastion creation wizard.</p>
    <p id="BZxMhhc"><img class="alignnone wp-image-2728 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d080140b2353.png" alt="azure bastion" width="520" height="329" /></p>
    <p>One thing to consider is that the Virtual Network must have an empty subnet named “AzureBastionSubnet” with at least a /27 range. This subnet will be configured as a DMZ.</p>
    <p id="qwRNwdC"><img class="alignnone wp-image-2729 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d080183b9c91.png" alt="azure bastion" width="750" height="115" /></p>
    <p>In the Create a bastion wizard select the Subscription and the Resource group. I prefer to create a new Resource Group. Enter a name for the Bastion Host instance and a Region. Of course the Virtual Network and the Region must be the same as those of the Virtual Machines that you want to access. Finally select a name for the Public IP of the Bastion Host and hit Review and Create to create the Bastion.</p>
    <p id="xZvMCkm"><img class="alignnone wp-image-2730 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0801ea435a4.png" alt="azure bastion" width="843" height="870" /></p>
    <p>Once the Bastion is ready you can see its properties. There is not much to configure, just the IAM.</p>
    <p id="dfkMDjH"><img class="alignnone wp-image-2739 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d092bdbb123f.png" alt="azure bastion" width="1162" height="645" /></p>
    <h2>Using the Bastion Host</h2>
    <p>And now the magic. Once you have a Bastion deployed to a Virtual Network, browse to a Virtual Machine and hit “Connect”. Beside RDP and SSH, you will see a new option, the BASTION!</p>
    <p id="LiCqvkU"><img class="alignnone wp-image-2741 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d092c6bebb80.png" alt="azure bastion" width="1157" height="551" /></p>
    <p>Since the topology is Internet –> Public IP of Bastion –> Bastion –> Virtual Network – NSG – Private IP –> VM, you need to allow RDP / SSH traffic from the Bastion VNET to the Virtual Machine and HTTPS traffic (no RDP / SSH needed) from the internet (or your public IP) to the Bastion Subnet.</p>
    <p>Enter the VM's username and password, hit connect, and we have RDP over HTTPS.</p>
    <p id="OphcKAS"><img class="alignnone wp-image-2742 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d093149258cf.png" alt="azure bastion" width="1379" height="1021" /></p>
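    <p>The NSG rules implementing the traffic path just described, as an added example in Az PowerShell that is not part of the original post: HTTPS in to AzureBastionSubnet from the internet (or one admin IP), RDP/SSH out from that subnet to the VNET, and on the VM subnet RDP/SSH allowed only from AzureBastionSubnet with an explicit deny from the internet. The GatewayManager and AzureCloud rules are the ones the Bastion control plane needs (covered by the bastion-nsg page in the sources below). Resource group, VNET, subnet ranges and the admin IP are constructed placeholders.</p>

```powershell
# Added example (not the post's own code): NSGs for the Bastion subnet and the VM subnet.
# Assumed names (constructed): resource group "bastion-lab-rg", region "westeurope", VNet "bastion-lab-vnet",
# AzureBastionSubnet 10.20.255.0/27 (/27 is the minimum the post states), VM subnet "vm-subnet" 10.20.1.0/24.
$rg = "bastion-lab-rg"; $region = "westeurope"
$bastionSubnet = "10.20.255.0/27"
$vmSubnet      = "10.20.1.0/24"
$adminSource   = "203.0.113.10/32"   # documentation-range placeholder; use "Internet" to allow any source

# AzureBastionSubnet: 443 in from the admin source and from the GatewayManager service tag; RDP/SSH
# out to the VNet only; 443 out to AzureCloud for the service's own control traffic.
$bastionRules = @(
    New-AzNetworkSecurityRuleConfig -Name "AllowHttpsInbound" -Priority 120 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $adminSource -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name "AllowGatewayManagerInbound" -Priority 130 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix GatewayManager -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name "AllowSshRdpOutbound" -Priority 100 -Direction Outbound -Access Allow `
        -Protocol * -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange @("22", "3389")
    New-AzNetworkSecurityRuleConfig -Name "AllowAzureCloudOutbound" -Priority 110 -Direction Outbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix AzureCloud -DestinationPortRange 443
)
$bastionNsg = New-AzNetworkSecurityGroup -Name "bastion-subnet-nsg" -ResourceGroupName $rg `
    -Location $region -SecurityRules $bastionRules

# VM subnet: RDP/SSH only from AzureBastionSubnet; the same ports explicitly denied from the internet,
# so a later "allow RDP from anywhere" rule at a lower priority number is the only way to undo this.
$vmRules = @(
    New-AzNetworkSecurityRuleConfig -Name "AllowRdpSshFromBastion" -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $bastionSubnet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange @("22", "3389")
    New-AzNetworkSecurityRuleConfig -Name "DenyRdpSshFromInternet" -Priority 110 -Direction Inbound -Access Deny `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange @("22", "3389")
)
$vmNsg = New-AzNetworkSecurityGroup -Name "vm-subnet-nsg" -ResourceGroupName $rg `
    -Location $region -SecurityRules $vmRules

# Attach both NSGs to the subnets of the existing VNet and save.
$vnet = Get-AzVirtualNetwork -Name "bastion-lab-vnet" -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureBastionSubnet" `
    -AddressPrefix $bastionSubnet -NetworkSecurityGroup $bastionNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "vm-subnet" `
    -AddressPrefix $vmSubnet -NetworkSecurityGroup $vmNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: no inbound Allow rule on the VM subnet should have an internet-facing source.
$vmNsg.SecurityRules | Where-Object { $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" } |
    Select-Object Name, Priority, @{ n = "Source"; e = { $_.SourceAddressPrefix -join "," } },
                  @{ n = "Ports"; e = { $_.DestinationPortRange -join "," } }
```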
    <h2>Copy Text to / from the VM</h2>
    <p>There is a little icon >> at the right middle of the screen.</p>
    <p id="JTaxuWt"><img class="alignnone size-full wp-image-2748 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d09355db8db6.png" alt="" /></p>
    <p>Click it and the Copy / paste box will open. Any text you paste into that box will be available in the VM's clipboard. The Fullscreen button is also available there.</p>
    <p id="WQLZHRX"><img class="alignnone size-full wp-image-2749 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0935877025c.png" alt="" /></p>
    <p>Also, any text you copy from the VM will appear in that box, like in the image below:</p>
    <p id="ZvVaJdz"><img class="alignnone size-full wp-image-2750 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/06/img_5d0935cf0a626.png" alt="" /></p>
    <p>The Remote Desktop experience is excellent! No RDP client needed, just your browser.</p>
    <p>Sources:</p>
    <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-faq">https://docs.microsoft.com/en-us/azure/bastion/bastion-faq</a></p>
    <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg">https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg</a></p>
    <p><a href="https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/">https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/</a></p>
    <p><a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal">https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal</a></p>
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure-bastion-jump-server-as-a-service/">Azure Bastion – Jump Server as a Service</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure-bastion-jump-server-as-a-service/" class='bbc_url' rel='nofollow external'>Source</a>
  9. proximagr
    Azure Storage Advanced Threat Protection
    Azure Storage Advanced Threat Protection is a new security feature, currently in Preview. It monitors the Azure Blob Storage accounts. It detects anomalies and uncommon access to the Storage Account and notifies the admins through email.
    All the Azure Storage Advanced Threat Protection monitoring and logs are integrated to the Azure Security Center, including the well known ASC recommendations.
    It's so easy to enable: just go to the Azure Portal, navigate to your storage account's Advanced Threat Protection setting and switch it ON!

    After that you can view the alerts at the Security Center, under Threat Protection’s Security Alerts.
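    The portal switch is per account; the Az.Security equivalent, as an added example that is not part of the original post, audits every storage account in the current subscription and turns Advanced Threat Protection on wherever it is off. It assumes only an existing Az login context; no resource names are taken from the post.

```powershell
# Added example (not the post's own code): audit and enable Storage Advanced Threat Protection
# subscription-wide with Az.Security. Requires Connect-AzAccount and the Az.Storage/Az.Security modules.

# One row per storage account, with the current ATP setting read from Security Center.
function Get-StorageAtpStatus {
    foreach ($sa in Get-AzStorageAccount) {
        $setting = Get-AzSecurityAdvancedThreatProtection -ResourceId $sa.Id
        [pscustomobject]@{
            StorageAccount = $sa.StorageAccountName
            ResourceGroup  = $sa.ResourceGroupName
            AtpEnabled     = [bool]$setting.IsEnabled
            ResourceId     = $sa.Id
        }
    }
}

# Enable ATP where it is off; with -ReportOnly it only lists the accounts that would change.
function Enable-StorageAtpWhereOff([switch]$ReportOnly) {
    foreach ($row in (Get-StorageAtpStatus | Where-Object { -not $_.AtpEnabled })) {
        if ($ReportOnly) { Write-Output "ATP off: $($row.StorageAccount) ($($row.ResourceGroup))"; continue }
        Enable-AzSecurityAdvancedThreatProtection -ResourceId $row.ResourceId | Out-Null
        Write-Output "ATP enabled: $($row.StorageAccount) ($($row.ResourceGroup))"
    }
}

Get-StorageAtpStatus | Format-Table StorageAccount, ResourceGroup, AtpEnabled -AutoSize
Enable-StorageAtpWhereOff -ReportOnly     # drop -ReportOnly to apply
# Re-run Get-StorageAtpStatus afterwards: every AtpEnabled column should read True.
```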


    First published at https://www.e-apostolidis.gr/microsoft/azure/azure-storage-advanced-thread-protection/
  10. proximagr
    Get early access to large disks support of Azure Backup & more
    Azure Backup's 1TB limitation is finally over! Now you can back up VMs with disk sizes up to 4TB (4095GB), both managed and unmanaged. It also brings improvements in backup and recovery performance, which you can find here.
    Starting today, login to the Portal, go to your Recovery Services vault and you will see a notification saying “Support for >1TB disk VMs and improvements to backup and restore speed ->”

    Click the notification and the “Upgrade to new VM Backup stack” will open. Here click “Upgrade” to complete the upgrade.

    You can also upgrade all the Recovery Services vaults of a subscription using Azure PowerShell.
    1. Select the subscription:

        Get-AzureRmSubscription -SubscriptionName "SubscriptionName" | Select-AzureRmSubscription

    2. Register this subscription for the upgrade:

        Register-AzureRmProviderFeature -FeatureName "InstantBackupandRecovery" -ProviderNamespace Microsoft.RecoveryServic
  11. proximagr
    Use Azure Security Center to protect your workloads
    At this series of posts we will make a walk along the Azure Security Center, to see some common usage scenarios. Like how we can use it to protect from a Virtual Machine to a whole Data Center.
    To make it easier to understand we will start with a typical Azure IaaS scenario. A Virtual Machine with IIS role to act as Web Server. The steps to create the VM is out this post’s scope. I will simply describe the process. First we create a Windows Server 2016 Virtual Machine. Second we log in and add the Web Server (IIS) role. Third we open the port 80 at the VM’s Network Security Group (NSG) and voila we can browse at the Azure DNS name of the VM and see the IIS default landing page.

    At this point the security of the Web Server is relying on the Network Security Rule, a layer 3 firewall that allows access to the port 80 and of course the Windows Firewall that does exactly the same.
    Lets browse to the Azure Security Center from the Azure Portal. There we see an overview of security settings for the whole subscription.

    First, click the “Compute”. I will skip the overview and go directly to the “VMs and computers” tab. There we see the name of the VM and the five points of interest. Our VM is not monitored, it doesn’t have endpoint protection and it reports some vulnerabilities.
    Recommendation: Enable data collection for subscriptions
    To start resolving the issues click the VM to go to the Recommendations blade. The first recommendation says to enable data collection for the subscription. Of course this is the Log Analytics, OMS (Operations Management Suite) integration. This will enable the subscription resources to report to log analytics.

    Press “Enable data collection for subscription”. The Data Collection blade opens. There we can enable or disable automatic provisioning of the monitoring agent. This is the Microsoft Monitoring Agent, which connects a Virtual Machine to Log Analytics and can also be used to connect it to SCOM.

    The second option is to choose a workspace. If you have already created an OMS workspace you can select it; if not, let Security Center create a new one automatically. Finally press Save.
    Returning to the previous blade you will see that the “Turn on data collection” recommendation is now in Resolved state.

    Although the recommendation is marked resolved instantly, the Microsoft Monitoring Agent is not installed yet. Go back to Compute / Data collection installation status to follow the agent installation.
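    The same steps from PowerShell, as an added example that is not part of the original post: first an audit of the NSG rules the web server currently relies on, then the data-collection setting and the agent status check. It uses the Az modules (Az.Network, Az.Security, Az.Compute, Az.OperationalInsights); on the older AzureRm modules the cmdlets have the same names with the AzureRm prefix. The resource group, VM and workspace names are assumptions for the example.

```powershell
# Added example, not code from the original post. Assumed names below.
$rg        = 'rg-web'
$vmName    = 'vm-web'
$workspace = 'law-sec'

# 1. Which custom NSG rules let any source in? Whatever matches here is the
#    "layer 3/4 firewall" the web server's security currently rests on.
$anySource = @('*', 'Internet', '0.0.0.0/0')
foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $rg) {
    $nsg.SecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
        Where-Object { @($_.SourceAddressPrefix | Where-Object { $anySource -contains $_ }).Count -gt 0 } |
        ForEach-Object {
            '{0}: rule {1} (priority {2}) allows {3} {4} from {5}' -f $nsg.Name, $_.Name, $_.Priority,
                $_.Protocol, ($_.DestinationPortRange -join ','), ($_.SourceAddressPrefix -join ',')
        }
}

# 2. "Enable data collection for subscription": automatic provisioning of the
#    Microsoft Monitoring Agent, plus the workspace the agents report to.
$sub = (Get-AzContext).Subscription.Id
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision
Set-AzSecurityWorkspaceSetting -Name 'default' -Scope "/subscriptions/$sub" -WorkspaceId $ws.ResourceId

# 3. The recommendation flips to Resolved immediately, but the agent install is
#    asynchronous: the extension's ProvisioningState tells you when it is done.
Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName |
    Where-Object { $_.ExtensionType -eq 'MicrosoftMonitoringAgent' } |
    Select-Object Name, ExtensionType, ProvisioningState
```

    Run it in a session already signed in with Connect-AzAccount; Set-AzSecurityWorkspaceSetting needs Security Admin (or Owner) rights on the subscription, the NSG audit only needs Reader.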

    Stay tuned for the next Azure Security Center post to resolve more recommendations.
    The post Use Azure Security Center to protect your workloads appeared first on Apostolidis IT Corner.


  12. proximagr
    Azure Start Point | Point-to-Site VPN
    In this post series we go through some basic steps on how to start with Microsoft Azure. In this post we will see how to create a Point-to-Site VPN connection to Azure.
    If you don’t have an Azure Subscription, you can easily create a free trial by just going to https://azure.microsoft.com/en-us/free/
    Create a typical Virtual Network

    A Point-to-Site VPN connection needs a Virtual Network Gateway, and the gateway needs its own subnet. Go to the Virtual Network, Subnets, and add a Gateway Subnet.

    Finally we can add the Virtual Network Gateway. From the portal, create a Virtual Network Gateway resource and attach it to the previously created Virtual Network.

    The Virtual Network Gateway can take up to 45 minutes to be created.
    Once the Virtual Network Gateway is created we need one more step: to configure Point-to-Site. Open the Virtual Network Gateway and press configure.

    We need a self-signed root certificate and a client certificate signed by it to complete the setup. On Windows 10 or Windows Server 2016 the New-SelfSignedCertificate cmdlet makes this easy. The whole process is described here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
    For the root certificate run the below PowerShell using ISE (the certificate store path is Cert:\CurrentUser\My):
    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=prodevrootcert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
    For the client certificate run the below PowerShell in the same ISE session. The client certificate must be signed by the root ($cert from the previous step, passed as -Signer) and needs the Client Authentication EKU (the -TextExtension value); the root command must not be repeated here. The subject name prodevclientcert is just an example:
    New-SelfSignedCertificate -Type Custom -DnsName prodevclientcert -KeySpec Signature `
        -Subject "CN=prodevclientcert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
    Export the root certificate’s public key in .cer format: open MMC, add the Certificates snap-in for “My user account”, find the root certificate under Personal –> Certificates and right-click –> All Tasks –> Export.

    Select “No, do not export the private key” and choose the Base-64 encoded X.509 (.CER) format.

    Export the client certificate selecting “Yes, export the private key”, “Include all certificates in the certification path if possible” and “Enable certificate privacy”. Add a password and export it to a .pfx file.

    This .pfx file must be installed on every client computer that will use this Point-to-Site connection. Treat the .pfx, and above all the root certificate’s private key, as secrets: the gateway trusts any certificate chained to the root, so whoever holds the root key can issue VPN credentials.
    Now let’s go back to the Point-to-Site configuration page. Add an address pool for the VPN clients. This range must not overlap the Virtual Network address space.

    Then open the root certificate (the .cer file) in Notepad and copy the text between the BEGIN CERTIFICATE and END CERTIFICATE lines.

    Paste the certificate text into the “Root certificates” –> “Public certificate data” field and add a name in the “Name” field.

    Press Save; the “Download VPN Client” button is now enabled and we can download the VPN client.
    To establish the VPN connection, install the VPN client and the client .pfx certificate on the workstation.
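    The export and gateway steps above done from PowerShell instead of MMC and the portal, plus the revocation step the portal walkthrough does not show. This is an added example, not code from the original post; run it in the session where $cert (the root) was created. The resource group rg-vpn, gateway vng-vpn, client pool 172.16.201.0/24 and the revoked-certificate name are assumptions; the certificate names are the ones used above. It uses Az.Network.

```powershell
# Added example, not from the original post. Assumed names below.
$rg     = 'rg-vpn'
$gwName = 'vng-vpn'
$pool   = '172.16.201.0/24'   # must not overlap the VNet address space

# Root public key as Base-64 of the DER bytes: exactly the text between the
# BEGIN/END lines of a Base-64 .cer, which is what "Public certificate data" wants.
$rootB64 = [Convert]::ToBase64String($cert.RawData)
Set-Content -Path .\prodevrootcert.txt -Value $rootB64

# Client certificate with its private key as a password-protected .pfx,
# including the chain so the client machine also gets the root.
$client = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=prodevclientcert' -and $_.Issuer -eq $cert.Subject } |
    Select-Object -First 1
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath .\prodevclientcert.pfx -Password $pfxPwd -ChainOption BuildChain | Out-Null

# Gateway side: the address pool and the trusted root, i.e. the two things
# set on the Point-to-site configuration page.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName
Set-AzVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool $pool | Out-Null
Add-AzVpnClientRootCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName `
    -VpnClientRootCertificateName 'prodevrootcert' -PublicCertData $rootB64 | Out-Null

# Revocation: the gateway accepts every certificate chained to the root, so a
# lost laptop is handled by revoking that client's thumbprint, not by replacing
# the root. The client issued above is used here only to show the call.
Add-AzVpnClientRevokedCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName `
    -VpnClientRevokedCertificateName 'laptop-lost' -Thumbprint $client.Thumbprint | Out-Null

# What the gateway now trusts and rejects.
(Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName).VpnClientConfiguration |
    Select-Object VpnClientAddressPool, VpnClientRootCertificates, VpnClientRevokedCertificates
```

    Keep a record of which thumbprint went to which person or device; without it you cannot revoke a single client later and are left with rotating the root, which invalidates every client at once.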
    The post Azure Start Point | Point-to-Site VPN appeared first on Apostolidis IT Corner.


  13. proximagr
    Free e-book: Azure Strategy and Implementation Guide
    Microsoft is giving away the Azure Strategy and Implementation Guide for free. This e-book provides guidance, architecture and advice on implementing and integrating cloud technologies.
    The guide is aimed at system administrators, cloud architects and project managers. It has four chapters: Governance, Architecture, Application development and operations, and Service management.
    It will help you whether you are starting with Azure or just researching cloud implementations.
    You can download your free copy from this link: https://azure.microsoft.com/en-us/resources/azure-strategy-and-implementation-guide/en-us/
  14. proximagr
    <h1 style="text-align: left;">Azure Policy | Enforce tags for resource creation</h1>
    <h2 style="text-align: justify;">Azure Governance</h2>
    <p style="text-align: justify;">After the previous post about <a href="https://www.e-apostolidis.gr/microsoft/azure-policy-limit-the-azure-vm-sizes/" target="_blank" rel="noopener noreferrer">how to use Azure Policy to limit the Azure VM sizes</a>, I continue the series of posts about Azure Governance with a video guide on how to enforce tags for resource creation. The idea is to explain, through examples and how-to guides, the tools Microsoft Azure provides to help administrators enforce rules across all subscriptions. Examples of such rules: keeping the organization compliant with its corporate standards, standardizing resource creation and management, managing permissions and access control, etc.</p>
    <h2 style="text-align: justify;">Azure Policy</h2>
    <p style="text-align: justify;">Azure Policy is a powerful tool for Azure Governance. We can define rules for all the Azure Subscriptions that we manage, and use them both for simple restrictions, like permitting only specific VM series and sizes to be created, and for more complex rule sets that help standardize the whole Azure deployment.</p>
    <h3 style="text-align: justify;">Enforce tags for resource creation</h3>
    <p style="text-align: justify;">So, why tags? Why do we need to add tags to all Azure resources? Azure environments keep getting bigger and are managed by multiple people and teams, which makes it difficult to tell who created a resource and what it is for. Another critical reason is Cost Management: in the Azure Cost Management portal we can group and filter cost by tag, so we can build an expense dashboard with the actual cost per department, project or whatever tags we have added to the resources.</p>
    <h3 style="text-align: justify;">Guide: Video</h3>
    <p style="text-align: justify;">View my video guide on how to use Azure Policy to enforce tags for resource creation</p>
    <p><iframe id="_ytid_65438" width="840" height="473" data-origwidth="840" data-origheight="473" src="https://www.youtube.com/embed/h6qXy20o0fY?enablejsapi=1&autoplay=0&cc_load_policy=0&iv_load_policy=1&loop=0&modestbranding=1&rel=0&fs=1&playsinline=0&autohide=2&theme=dark&color=red&controls=1&" class="__youtube_prefs__" title="YouTube player" allow="autoplay; encrypted-media" allowfullscreen data-no-lazy="1" data-skipgform_ajax_framebjll=""></iframe></p>
    <p style="text-align: justify;">You can find more at Microsoft Docs: <a href="https://docs.microsoft.com/en-us/azure/governance/policy/">https://docs.microsoft.com/en-us/azure/governance/policy/</a></p>
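    <p style="text-align: justify;">The same "require a tag at resource creation" rule as a custom policy definition assigned with PowerShell (Az.Resources and Az.PolicyInsights). This is an added example, not the policy from the video or the original post; the tag name CostCenter and the resource group rg-governed used as assignment scope are assumptions.</p>

```powershell
# Added example, not from the original post. Assumed tag name and scope below.
$tagName = 'CostCenter'
$scope   = (Get-AzResourceGroup -Name 'rg-governed').ResourceId

# Policy rule: a resource whose tags[] does not contain the tag gets the chosen
# effect. "deny" only acts on create/update requests, so resources that already
# exist stay untagged until they are next modified; start with "audit" to see
# what a deny would have blocked.
$rule = @'
{
  "if":   { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$params = @'
{
  "tagName": { "type": "String", "metadata": { "displayName": "Tag name", "description": "Tag every resource must carry" } },
  "effect":  { "type": "String", "allowedValues": [ "audit", "deny" ], "defaultValue": "audit" }
}
'@

# Indexed mode evaluates only resource types that support tags and location,
# so child resources that cannot carry tags are not flagged.
$def = New-AzPolicyDefinition -Name 'require-tag' -DisplayName "Require tag '$tagName' on resources" `
    -Mode Indexed -Policy $rule -Parameter $params

# First pass in audit mode; switch the parameter to 'deny' once the report is clean.
New-AzPolicyAssignment -Name 'require-tag-audit' -Scope $scope -PolicyDefinition $def `
    -PolicyParameterObject @{ tagName = $tagName; effect = 'audit' } | Out-Null

# Compliance: which resources in scope are missing the tag right now?
Get-AzPolicyState -ResourceGroupName 'rg-governed' `
    -Filter "PolicyDefinitionName eq 'require-tag' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

    <p style="text-align: justify;">The evaluation that feeds Get-AzPolicyState runs on a schedule after assignment, so an empty result immediately after the assignment means "not evaluated yet", not "compliant".</p>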
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-policy-enforce-tags-for-resource-creation/">Azure Policy | Enforce tags for resource creation</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


  15. proximagr
    Azure Start Point | Your first Web App
    In this post series we go through some basic steps on how to start with Microsoft Azure. To start, we will create a Web App.
    If you don’t have an Azure Subscription, you can easily create a free trial by just going to https://azure.microsoft.com/en-us/free/
    Let’s create our first Web App. Go to the Azure Portal by navigating to https://portal.azure.com and click “+ Create a resource”

    In the search box type “Web App” and press Enter

    In the search results, click “Web App” and on the next screen just press “Create”

    The “Web App Create” wizard opens. Enter a name for the App. This will be the public name of your App; Azure provides the domain *.azurewebsites.net for free by default.
    So in my example prowebdev.azurewebsites.net will be the URL of my App.
    Select the Azure Subscription that will be billed for the Web App and a Resource Group. The Resource Group is used to organize resources and, among other things, is the scope for role based access control.
    OS: Select the operating system platform that will host your Web App. This can be Windows, Linux or a Docker Container. For the test I will select Windows.
    As you can see, the wizard has selected an App Service Plan by default with a random name and location. The App Service Plan is actually the web server that will host our Web App. Click on “App Service Plan/Location”.
    Add a name for the web server, select the location nearest to you (or to your clients) and the Pricing Tier.
    Press OK to return to the Web App create wizard and press Create. You can monitor the creation of the App from the “Notifications” option at the top right of the portal, the button with the ringing bell. First you will see the “Deployment in progress…” message and, as soon as the App is ready, the “Deployment completed” message.
    Now if you go to the Resource Group you will see two resources: the App Service and the App Service Plan. At a high level, the App Service Plan is the web server and the App Service is the web application.

    Now click the App Service and at its blade you can see your applications URL.

    Click the URL and you will see the Demo page
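    The same Web App created from PowerShell (Az.Websites), as an added example that is not part of the original post, with two settings the portal wizard does not turn on for you: HTTPS only and a TLS 1.2 floor. The resource group, plan name and location are assumptions; the app name must be globally unique because it becomes <name>.azurewebsites.net.

```powershell
# Added example, not from the original post. Assumed names below.
$rg       = 'rg-webdev'
$location = 'westeurope'
$planName = 'asp-webdev'
$appName  = 'prowebdev'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# The App Service Plan is the "web server": tier and instance size are billed
# here, not per app. Basic is the cheapest tier with dedicated (non-shared) workers.
New-AzAppServicePlan -ResourceGroupName $rg -Name $planName -Location $location `
    -Tier Basic -WorkerSize Small -NumberofWorkers 1 | Out-Null

# The Web App is the application hosted on that plan.
New-AzWebApp -ResourceGroupName $rg -Name $appName -Location $location -AppServicePlan $planName | Out-Null

# Hardening the wizard leaves at the defaults: plain HTTP is still answered
# next to HTTPS and FTP deployment is enabled. Redirect HTTP to HTTPS,
# require TLS 1.2 and disable FTP/FTPS.
Set-AzWebApp -ResourceGroupName $rg -Name $appName -HttpsOnly $true -MinTlsVersion '1.2' -FtpsState Disabled | Out-Null

# Public URL of the app, as shown on the App Service blade.
'https://{0}' -f (Get-AzWebApp -ResourceGroupName $rg -Name $appName).DefaultHostName
```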

    The post Azure Start Point | Your first Web App appeared first on Apostolidis IT Corner.


  16. proximagr
    Monitor & Alert for your Azure VM
    Let’s see how easy it is to monitor a VM and create an alert, so that you are notified when your VMs are restarted, when they start or stop, when CPU or memory usage is high, and much more.
    First navigate to the Azure Portal https://portal.azure.com, and then click the Monitor button.

    You will be taken to the Monitor blade. At the center of the screen you will see three main buttons, each of which starts a wizard.

    Click “Create Alert” under Explore monitoring essentials, the first of the three buttons.

    The create rule wizard starts. First you need to select the target.

    Select the subscription, at Filter by resource type select Virtual machines and select the VM from the Resource list.

    Once you pick the target VM you will see a preview of the selection and the available signals.

    After the alert target, select the criteria.

    In the configure signal logic blade, select the signal from the list. I have selected Restart Virtual Machine.

    Once you select the signal you can choose the severity level, and you will see a preview of the condition.

    After that give the alert a name and a description. Also select the resource group where the alert will be saved and whether the alert should be enabled upon creation.

    The next step is to create an action group. The action group is the list of recipients and actions triggered when the alert fires. Notifications can be email, SMS, push notification or voice call. An alert can reference many action groups, and each group can contain many actions.


    Now the alert is ready. Once the alert is triggered you will be notified. At this example I added an email alert and once the VM restarted I received the following email:
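    The same restart alert, plus a high-CPU metric alert, created with Az.Monitor instead of the portal wizard. This is an added example, not code from the original post; it is written against the Az.Monitor 2.x cmdlet names (later module versions renamed some of the action group cmdlets), and the resource names and e-mail address are assumptions.

```powershell
# Added example, not from the original post. Assumed names below.
$rg   = 'rg-web'
$vm   = Get-AzVM -ResourceGroupName $rg -Name 'vm-web'
$mail = 'ops@example.com'

# 1. Action group: who is notified. One e-mail receiver here; SMS, voice and
#    webhook receivers are built the same way with New-AzActionGroupReceiver.
$receiver = New-AzActionGroupReceiver -Name 'ops-mail' -EmailReceiver -EmailAddress $mail
$ag = Set-AzActionGroup -ResourceGroupName $rg -Name 'ag-vm-ops' -ShortName 'vmops' -Receiver $receiver

# 2. Activity log alert on the "Restart Virtual Machine" operation, the signal
#    chosen in the walkthrough. All conditions must match for the alert to fire.
$conditions = @(
    (New-AzActivityLogAlertCondition -Field 'category'      -Equal 'Administrative'),
    (New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Compute/virtualMachines/restart/action')
)
Set-AzActivityLogAlert -Location 'Global' -ResourceGroupName $rg -Name 'alert-vm-restart' `
    -Scope $vm.Id -Condition $conditions -Action (New-AzActionGroup -ActionGroupId $ag.Id) `
    -Description 'VM restarted through the Azure control plane' | Out-Null

# 3. Metric alert: average CPU above 80 % over a 5-minute window, evaluated
#    every minute. Severity 2 shows as Warning in the portal.
$cpu = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
    -MetricNamespace 'Microsoft.Compute/virtualMachines' `
    -TimeAggregation Average -Operator GreaterThan -Threshold 80
Add-AzMetricAlertRuleV2 -ResourceGroupName $rg -Name 'alert-vm-high-cpu' -Severity 2 `
    -TargetResourceId $vm.Id -Condition $cpu -ActionGroupId $ag.Id `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 1) | Out-Null

# 4. What is in place now.
Get-AzActivityLogAlert -ResourceGroupName $rg | Select-Object Name, Enabled
Get-AzMetricAlertRuleV2  -ResourceGroupName $rg | Select-Object Name, Severity, Enabled
```

    One caveat: the activity log only records restarts issued through Azure (portal, CLI, API). A reboot triggered from inside the guest never appears there; to catch those you need the monitoring agent's heartbeat or a log query alert on the Log Analytics data.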

    More Microsoft Azure guides at Apostolidis IT Corner
  17. proximagr
    Create Azure File Shares at your ARM template using PowerShell
    Using an Azure Resource Manager template deployment you can create a Storage Account, but (at the time of writing) not the File Shares inside it. Azure File Shares can be created from the Azure Portal, Azure PowerShell or the Azure CLI. (Newer Storage API versions added a Microsoft.Storage/storageAccounts/fileServices/shares resource type; the approach below works regardless of API version.)
    The idea is to run a PowerShell script that creates the File Shares, invoked from inside the ARM template. For a template to use a PowerShell script, the script must be reachable by URL, and a Git repository is a convenient way to host it. One major thing to consider: because the script sits at a public URL, the Storage Account key must be passed to it securely at deployment time and must never be written into the script itself.
    The script runs inside a Virtual Machine, delivered by the CustomScriptExtension. To use it, add a resources section to the Virtual Machine resource of the JSON file.
    The Custom Script Extension is nested in the Virtual Machine resource. Assuming the last part of the Virtual Machine resource is the “diagnosticsProfile”, after the closing brace of “diagnosticsProfile” we add “resources”, and inside it the “extensions” resource that installs the “CustomScriptExtension”, like below.
    The Template Part
    This will be the addition at the Virtual Machine resource:
          "diagnosticsProfile": {
            "bootDiagnostics": {
              "enabled": true,
              "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('diagnosticStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
            }
          }
        },
        "resources": [
          {
            "name": "AzureFileShares",
            "type": "extensions",
            "location": "[variables('location')]",
            "apiVersion": "2016-03-30",
            "dependsOn": [
              "[resourceId('Microsoft.Compute/virtualMachines', parameters('VMName'))]",
              "[variables('AzureFilesStorageId')]"
            ],
            "tags": {
              "displayName": "AzureFileShares"
            },
            "properties": {
              "publisher": "Microsoft.Compute",
              "type": "CustomScriptExtension",
              "typeHandlerVersion": "1.4",
              "autoUpgradeMinorVersion": true,
              "settings": {
                "fileUris": [
                  "https://raw.githubusercontent.com/######/#####/master/azurefiles.ps1"
                ]
              },
              "protectedSettings": {
                "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -File ','azurefiles.ps1 -SAName ',parameters('AzureFilesStorageName'),' -SAKey ', listKeys(resourceId(variables('AzureFilesStorageAccountResourceGroup'),'Microsoft.Storage/storageAccounts', parameters('AzureFilesStorageName')), '2015-06-15').key1)]"
              }
            }
          }
        ]
      },
    The extension must depend on the Virtual Machine that will run the script and on the Storage Account that will be used for the file shares, so that both exist before the script runs.
    In the custom script settings add the public RAW URL of the PowerShell script. Note that this URL points at a branch (master): whoever can push to that repository can run code as SYSTEM on every VM deployed from the template, so pin the URL to a specific commit or host the script in a private blob container instead.
    Next, the Storage Account key and execution part. In commandToExecute we build the command line that passes the Storage Account name and key to the script. The listKeys() template function fetches the key at deployment time with the permissions of the account running the deployment, so the key appears neither in the template nor in the script. commandToExecute sits in protectedSettings rather than settings on purpose: protected settings are encrypted for the VM and are not returned in the deployment history or in the extension’s properties, whereas anything placed in settings is readable by anyone who can read the deployment.
    To make the template more flexible I added a variable for the Resource Group and a parameter for AzureFilesStorageName, so the template asks for the Storage Account name in its parameters.
    The PowerShell
    The PowerShell script is tested at Windows Server 2016 VM. You can find it below:
    Param (
        [Parameter()]
        [String]$SAKey,
        [String]$SAName
    )
    # The script runs as SYSTEM inside the fresh VM, so the modules are installed first.
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    Install-Module Azure -Confirm:$False
    Import-Module Azure
    # Name and key arrive as parameters from commandToExecute; nothing is hard-coded here.
    $storageContext = New-AzureStorageContext -StorageAccountName $SAName -StorageAccountKey $SAKey
    $storageContext | New-AzureStorageShare -Name '#####'   # share name placeholder
    The post Create Azure File Shares at your ARM template using PowerShell appeared first on Apostolidis IT Corner.


  18. proximagr
    In this post we will create a Logic App that queries the Log Analytics workspace for the WAF logs of the last 24 hours and e-mails the results, using a free SendGrid account.
    A Web Application Firewall protects your application from common web vulnerabilities. Azure provides an enterprise-grade Web Application Firewall through the Application Gateway. You can read more at my previous post: https://www.e-apostolidis.gr/microsoft/azure/protect-your-web-application-with-azure-application-gateway-waf/
    Use Log Analytics to Query the WAF Logs
    The Application Gateway WAF sends its logs to the Log Analytics workspace (once a diagnostic setting forwards the ApplicationGatewayFirewallLog category there). You can see them with a query like the one below, which lists all firewall events of the past 24 hours:
    AzureDiagnostics
    | where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall"
    | where TimeGenerated > ago(24h)
    | summarize count() by TimeGenerated, clientIp_s, ruleId_s, Message, details_message_s, requestUri_s, details_file_s, hostname_s
    You can save the query by clicking Save and giving it a name and a category.
    We can send those logs by e-mail using an Azure Logic App and a SendGrid account. You can see how to create a free SendGrid account at my previous post: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/
    Create a Logic App
    From portal.azure.com, Create a resource, type “logic app”, click “Logic App” and press “Create”.
    In the Logic App creation wizard add a name, subscription, resource group and location and press Create.
    Once the Logic App is created, open it and in the Logic Apps Designer select the “Recurrence” common trigger.
    Change the Recurrence Interval to “1” and the Frequency to “Day” and press “+ New step”.
    Search for “log analytics” and select “Run query and visualize results”.
    I will proceed with “Sign in”; you can also use a Service Principal, which we will cover in another post. Whichever identity you use, it only needs the Log Analytics Reader role on the workspace.
    After you log in select the Subscription, Resource Group and the Log Analytics workspace. Next, add the query, for Chart Type select “Html Table” and add a “Next step”.

    Search for “sendgrid” and select “Send email (V2)”.
    Add a name for the connection and the API key you created in the SendGrid post, then press Create. https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/
    Fill in the From address, To address and Subject. In the e-mail body, add dynamic content and select the blocks of the previous step’s result.
    Press Save to save the Flow and Run to test it.
    The result at my email:
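    The same 24-hour WAF report produced from PowerShell instead of a Logic App, so it can be run ad hoc or from an Azure Automation runbook. This is an added example, not part of the original post. It uses Az.OperationalInsights for the query, Az.KeyVault for the SendGrid API key and Send-MailMessage over SendGrid’s SMTP endpoint; the workspace, vault and addresses are assumptions, and the KQL is the post’s query bucketed per hour rather than per timestamp.

```powershell
# Added example, not from the original post. Assumed names below.
$workspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-waf' -Name 'law-waf').CustomerId
$to   = 'secops@example.com'
$from = 'waf-report@example.com'

$query = @'
AzureDiagnostics
| where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall"
| where TimeGenerated > ago(24h)
| summarize hits = count() by bin(TimeGenerated, 1h), clientIp_s, ruleId_s, requestUri_s, hostname_s, details_message_s
| order by hits desc
'@

# Run the query; .Results is a list of PSObjects, one per row.
$rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query -Timespan (New-TimeSpan -Hours 24)).Results
if (-not $rows) { Write-Output 'No WAF events in the last 24 hours.'; return }

# Same "Html Table" the Logic App connector renders. requestUri_s and the rule
# message are attacker-controlled input, so every cell is HTML-encoded
# explicitly before it goes into the mail body.
$html = $rows | ForEach-Object {
    $o = [ordered]@{}
    foreach ($p in $_.PSObject.Properties) { $o[$p.Name] = [System.Net.WebUtility]::HtmlEncode([string]$p.Value) }
    [pscustomobject]$o
} | ConvertTo-Html -Title 'WAF events, last 24h' -PreContent '<h2>Application Gateway WAF, last 24 hours</h2>' | Out-String

# SendGrid SMTP: the user name is literally "apikey" and the password is the
# API key. The key lives in Key Vault, not in the script or a saved connection.
$apiKey = (Get-AzKeyVaultSecret -VaultName 'kv-secops' -Name 'sendgrid-api-key').SecretValue
$cred   = New-Object System.Management.Automation.PSCredential('apikey', $apiKey)
Send-MailMessage -SmtpServer 'smtp.sendgrid.net' -Port 587 -UseSsl -Credential $cred `
    -From $from -To $to -Subject ('WAF report {0:yyyy-MM-dd}' -f (Get-Date)) -Body $html -BodyAsHtml
```

    The identity running this needs only Log Analytics Reader on the workspace and get permission on that one Key Vault secret.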

  19. proximagr
    <h1 style="text-align: justify;">Azure Portal | Playing with Disk Snapshot</h1>
    <p style="text-align: justify;">Disk Snapshot is a powerful tool for managing Azure VMs. It is simple to create and helps administrators in various tasks. It is a fast and efficient way to get a crash-consistent copy of a Virtual Machine’s disk before performing tasks, updates, configuration changes, application installations, etc. Of course the last line of defence is Azure Backup, but with a snapshot you don’t have to wait for the full backup / restore cycle. With snapshots there are two main options to recover the VM. One is the “Swap OS Disk” functionality, which swaps the operating system disk with one click. The other is to create a new Virtual Machine. Beware: if you want to make Azure VM clones, you need to generalize the VM with Sysprep and capture the VM. With the snapshot option you get an identical VM, with the same IDs.</p>
    <h2 style="text-align: justify;">Snapshot</h2>
    <p style="text-align: justify;">The first step is to create a snapshot of the virtual disk. Open the Azure VM, go to Disks, select the OS Disk and press “Create Snapshot”. You don’t actually need to stop the VM. The Windows Server operating system stays consistent, but nobody can guarantee the consistency of databases running at that moment: the snapshot is crash-consistent, not application-consistent. Think of it like the Hyper-V checkpoint functionality; we make checkpoints all the time and revert to them even in production. Keep in mind that the snapshot is a complete copy of the disk, secrets included, so it deserves the same access control as the VM itself.</p>
    <p id="yLMWzuR" style="text-align: justify;"><img class="alignnone wp-image-2884 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1.png"alt="disk snapshot" width="773" height="359" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1.png 773w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1-300x139.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1-768x357.png 768w" sizes="(max-width: 773px) 100vw, 773px" /></p>
    <p style="text-align: justify;">The Create snapshot screen opens. Fill in a name and the account type (Standard / Premium) and press Create.</p>
    <p id="Cvnyhoo" style="text-align: justify;"><img class="alignnone wp-image-2885 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be.png"alt="disk snapshot" width="635" height="448" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be.png 635w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be-300x212.png 300w" sizes="(max-width: 635px) 100vw, 635px" /></p>
    <p style="text-align: justify;">At this point I create a folder on the VM, so that there is something to check after the rollback.</p>
    <p id="RNUFdnD" style="text-align: justify;"><img class="alignnone wp-image-2886 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630.png"alt="disk snapshot" width="580" height="303" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630.png 580w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630-300x157.png 300w" sizes="(max-width: 580px) 100vw, 580px" /></p>
    <h2 style="text-align: justify;">Create a Disk</h2>
    <p style="text-align: justify;">To make the snapshot usable, we need to create a Managed Disk resource from it.</p>
    <p id="TCxcFbJ" style="text-align: justify;"><img class="alignnone wp-image-2888 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb.png"alt="disk snapshot" width="614" height="296" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb.png 614w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb-300x145.png 300w" sizes="(max-width: 614px) 100vw, 614px" /></p>
    <p style="text-align: justify;">In the Create managed disk wizard, select the region where the snapshot resides. Then select “Source type” Snapshot and pick the snapshot. For the size, select a disk at least as large as the source disk.</p>
    <p id="CYKOnDl" style="text-align: justify;"><img class="alignnone wp-image-2889" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11.png"alt="disk snapshot" width="638" height="656" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11.png 833w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11-292x300.png 292w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11-768x789.png 768w" sizes="(max-width: 638px) 100vw, 638px" /></p>
    <h2 style="text-align: justify;">Swap OS Disk</h2>
    <p style="text-align: justify;">Now that we have created the managed disk, it’s time to use the Swap OS Disk functionality. Suppose we have applied the Azure VM’s updates, software updates and configuration changes and now need to roll them back. Go to the VM’s Disks and press “Swap OS Disk”.</p>
    <p id="pzuGeyg" style="text-align: justify;"><img class="alignnone wp-image-2887" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2.png"alt="disk snapshot" width="633" height="390" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2.png 852w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2-300x185.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2-768x472.png 768w" sizes="(max-width: 633px) 100vw, 633px" /></p>
    <p style="text-align: justify;">In the “Swap OS Disk” wizard, select the managed disk we created.</p>
    <p id="qmhobOc" style="text-align: justify;"><img class="alignnone wp-image-2890 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951.png"alt="disk snapshot" width="449" height="399" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951.png 449w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951-300x267.png 300w" sizes="(max-width: 449px) 100vw, 449px" /></p>
    <p style="text-align: justify;">In the background, the Azure platform stops and deallocates the VM and re-creates it with the selected OS disk. As you can see in the next screenshot, the OS disk is now the managed disk we created from the snapshot. The previous OS disk is detached but not deleted, so you can swap back if needed.</p>
    <p id="JASxLxW" style="text-align: justify;"><img class="alignnone wp-image-2891 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed.png"alt="disk snapshot" width="955" height="484" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed.png 955w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed-300x152.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed-768x389.png 768w" sizes="(max-width: 955px) 100vw, 955px" /></p>
    <p style="text-align: justify;">I started the VM and logged in. The folder I created after the snapshot is of course missing <img src="https://s.w.org/images/core/emoji/12.0.0-1/72x72/1f642.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
    <p style="text-align: justify;"><img class="alignnone wp-image-2892 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a.png"alt="disk snapshot" width="507" height="258" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a.png 507w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a-300x153.png 300w" sizes="(max-width: 507px) 100vw, 507px" /></p>
    <h2 style="text-align: justify;">New Azure VM</h2>
    <p style="text-align: justify;">The other option is to create a new Virtual Machine from the snapshot. As I wrote before, beware: if you want to make Azure VM clones, you need to generalize the VM with Sysprep and capture the VM. With the snapshot option you get an identical VM, with the same IDs.</p>
    <p style="text-align: justify;">To create a VM from the snapshot, open the Managed Disk you created from the snapshot and press Create VM.</p>
    <h2 id="YVnQUGo" style="text-align: justify;"><img class="alignnone wp-image-2893 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2.png"alt="disk snapshot" width="764" height="401" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2.png 764w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2-300x157.png 300w" sizes="(max-width: 764px) 100vw, 764px" /></h2>
    <p style="text-align: justify;">The Create a virtual machine wizard opens with the Operating System Image section already set to the disk. The process is identical to creating a new Hyper-V VM from an existing virtual disk.</p>
    <p id="agkkViV" style="text-align: justify;"><img class="alignnone wp-image-2899 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885.png"alt="disk snapshot" width="875" height="838" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885.png 875w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885-300x287.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885-768x736.png 768w" sizes="(max-width: 875px) 100vw, 875px" /></p>
    <p style="text-align: justify;">Follow the Create a virtual machine wizard exactly the same as creating any Azure VM.</p>
    <p>More e-apostolidis.gr posts about managed disks: <a href="https://www.e-apostolidis.gr/tag/managed-disks/">https://www.e-apostolidis.gr/tag/managed-disks/</a></p>
    <p style="text-align: left;">Read more at: <a href="https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#managed-disk-snapshots">https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#managed-disk-snapshots</a></p>
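    <p style="text-align: justify;">The snapshot, managed disk and OS-disk swap done with Az.Compute, as an added example that is not code from the original post, with the size check and the post-swap verification the portal steps leave to the eye. The resource group and VM name are assumptions.</p>

```powershell
# Added example, not from the original post. Assumed names below.
$rg     = 'rg-web'
$vmName = 'vm-web'
$vm     = Get-AzVM -ResourceGroupName $rg -Name $vmName
$osDisk = Get-AzDisk -ResourceGroupName $rg -DiskName $vm.StorageProfile.OsDisk.Name
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Snapshot of the running OS disk: crash-consistent, like a Hyper-V checkpoint.
$snapCfg = New-AzSnapshotConfig -SourceUri $osDisk.Id -Location $osDisk.Location -CreateOption Copy
$snap    = New-AzSnapshot -ResourceGroupName $rg -SnapshotName "$($osDisk.Name)-snap-$stamp" -Snapshot $snapCfg

# ... the updates / configuration changes happen here, and we decide to roll back ...

# 2. Managed disk from the snapshot. The size must be at least the source
#    disk's size; the same SKU keeps the performance characteristics.
$diskCfg = New-AzDiskConfig -Location $snap.Location -CreateOption Copy -SourceResourceId $snap.Id `
    -DiskSizeGB $osDisk.DiskSizeGB -SkuName $osDisk.Sku.Name
$newDisk = New-AzDisk -ResourceGroupName $rg -DiskName "$($osDisk.Name)-restore-$stamp" -Disk $diskCfg
if ($newDisk.DiskSizeGB -lt $osDisk.DiskSizeGB) { throw 'Restored disk is smaller than the source disk' }

# 3. Swap OS Disk: stop/deallocate, point the VM at the new disk, start. The
#    previous OS disk stays behind as an unattached managed disk, so keep it
#    until the rollback is verified.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
Set-AzVMOSDisk -VM $vm -ManagedDiskId $newDisk.Id -Name $newDisk.Name | Out-Null
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
Start-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null

# 4. Confirm which disk the VM boots from now. Delete the snapshot when it is
#    no longer needed: it is a full, readable copy of the disk and is billed as such.
(Get-AzVM -ResourceGroupName $rg -Name $vmName).StorageProfile.OsDisk.Name
# Remove-AzSnapshot -ResourceGroupName $rg -SnapshotName $snap.Name -Force
```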
    <p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-portal-playing-with-disk-snapshot/">Azure Portal | Playing with Disk Snapshot</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


  20. proximagr
    Monitor & Alert for your Azure VM
    Let's see how easy it is to set up monitoring and create an alert, so that you are notified when your VMs restart, start, stop, hit high CPU or memory usage, and much more.
    First navigate to the Azure Portal https://portal.azure.com, and then click the Monitor button.

    You will be navigated to the Monitor blade. At the center of the screen you will see three main buttons, each of which starts a wizard.

    Click the “Create Alert” under the Explore monitoring essentials, the first of the three buttons.

    The create rule wizard will start. First you need to Select target.

    Select the subscription, at the Filter resource type select Virtual machines and select the VM from the Resource list.

    Once you press the target VM you will see a preview of the selection and the available signals.

    After the alert target, select the criteria.

    At the Configure signal logic blade, select the signal from the list. I have selected the Restart Virtual Machine.

    Once you select the signal you can select the severity level and also you will see the preview of the condition.

    After that give a name and a description for the alert. Also select the resource group where the alert will be saved and if you want the alert to be enabled upon creation.

    The next step is to create an action group. The action group is the list of accounts that get the notifications when the alert is triggered. The notification can be email, SMS, push notification or voice call. You can add many action groups and many actions in each group.
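    The same alert rule built from AzureRM PowerShell instead of the portal wizard, as an added example that is not part of the original post. The resource group, VM name, recipient address and rule names are assumed; the operation name is the Activity Log operation that the "Restart Virtual Machine" signal maps to.

```powershell
# Added example (not from the original post): activity-log alert for VM restarts with AzureRM.
# Assumed names: resource group "rg-monitor", VM "vm01", recipient "ops@example.com".
$rg   = "rg-monitor"
$vmId = (Get-AzureRmVM -ResourceGroupName $rg -Name "vm01").Id

# 1. Action group: who gets notified (one e-mail receiver here; SMS/voice/push receivers are added the same way)
$email = New-AzureRmActionGroupReceiver -Name "ops-mail" -EmailReceiver -EmailAddress "ops@example.com"
$ag    = Set-AzureRmActionGroup -Name "ag-vm-ops" -ResourceGroupName $rg -ShortName "vmops" -Receiver $email

# 2. Condition: Administrative events whose operation is a VM restart. The rule is scoped to this VM only,
#    so restarts of other VMs in the subscription do not fire it.
$catCond = New-AzureRmActivityLogAlertCondition -Field "category" -Equal "Administrative"
$opCond  = New-AzureRmActivityLogAlertCondition -Field "operationName" `
               -Equal "Microsoft.Compute/virtualMachines/restart/action"

# 3. The alert rule itself, bound to the action group. Activity log alerts always live in the "Global" location.
$action = New-AzureRmActionGroup -ActionGroupId $ag.Id
Set-AzureRmActivityLogAlert -Location "Global" -Name "alert-vm01-restart" -ResourceGroupName $rg `
    -Scope $vmId -Action $action -Condition $catCond,$opCond `
    -Description "Notify ops when vm01 is restarted" | Out-Null

# 4. Verify the rule exists and is enabled before relying on it
Get-AzureRmActivityLogAlert -ResourceGroupName $rg -Name "alert-vm01-restart" |
    Select-Object Name, Enabled, @{n="Conditions";e={$_.Condition.Count}}
```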


    Now the alert is ready. Once the alert is triggered you will be notified. In this example I added an email alert, and once the VM restarted I received the following email:

    More Microsoft Azure guides at Apostolidis IT Corner
    The post Monitor & Alert for your Azure VM appeared first on Apostolidis IT Corner.


    Source
  21. proximagr
    Create an Ultra High Available on-prem <-> Azure VPN Connection
    In this post we will see how to make a highly available connection between our on-premises network and Azure. This way we will have an Active-Active Dual-Redundancy VPN connection.
    The idea behind this is that we have a router/firewall cluster connected to two ISPs, and we want to also have a VPN connection with Azure that uses both ISPs actively. I call this an end-to-end highly available connectivity between our on-premises infrastructure and Azure. Strictly speaking, active-active dual-redundant connections need two different on-premises VPN devices, but we can accomplish almost the same functionality with one device and two different interfaces on two different ISPs.

    The requirement for this topology, except the router/firewall cluster and the two ISPs is that the Azure VPN Gateway must be Standard or HighPerformance SKU. The Basic SKU does not support Active-Active mode.
    As you can see in the above diagram, the Active-Active VPN Gateway creates two active VPN nodes, and each node connects to each on-premises network interface, forming a mesh topology. All network traffic is distributed across all the connections. To accomplish this connectivity we also need to enable BGP on both the on-premises device and the Azure VPN Gateway, each with a different ASN. Let's lab it:
    Create a Virtual Network Gateway: type VPN, Route Based, SKU VpnGw1 or larger.
    Enable active-active mode. This will create two nodes; give the names of the two Public IPs.
    Check the Configure BGP ASN box and change the default ASN. I used 65510.
    Wait a lot… more than the typical 45 minutes, a lot more…

    When the gateway is created you will see that the public ip address is called “First public IP address”. If you click the “see more” link you will see the second IP too.

    You can see both IPs from the Properties page too.

    Second, we need to create two Local Network Gateways to represent the two interfaces of our on-premises device. Both must be created with the same ASN. This ASN must be different from the Virtual Network Gateway's ASN, and it is the ASN that must be configured in the VPN connection configuration of the local device.
    Now, create the connection

    And remember to enable BGP at the Connection’s Configuration

    As soon as the local device is configured, both connections become connected.

    From PowerShell we can see both private IPs of the two nodes of the Azure VPN Gateway.
    Test and Troubleshooting
    Currently the only way to see the connections between the Azure Gateway nodes and the local device's interfaces is the PowerShell command below:
    Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName "gatewayname" -ResourceGroupName "resourcegroupname"

    Every time you run this command you get an answer from one of the two nodes, at random. In the above screenshot, the first output is from one node and the second from the other.
    The first node's peer, 192.168.xx.9, shows that it is connected to the 10.xx.xx.2 local network peer and connecting to the second peer, 10.xx.xx.1.
    The second node's peer, 192.168.xx.8, shows that it is connected to the 10.xx.xx.1 local network peer and connecting to the second peer, 10.xx.xx.2.

    The test I performed was to unplug one interface from the local device. The Azure gateway's first node State was both Connecting and the second node was the same, connecting to .2 and connected to .1. In this test I lost a single ping.
    After that I plugged the cable back, waited less than a minute and unplugged the second cable. Now the first node shows still disconnected but the first node connected to the .2 local IP and connecting to .1. With this test I lost only one ping. Also I realized that it is random which node's private IP will connect with the local device's private IP. Both Azure Gateway IPs, 192.168.x.8 & 9, can connect with the local device's IPs, 10.x.x.1 & 2, and this is the magic of the Active-Active Dual Redundancy VPN connection.
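    The lab steps above and the peer-status check, as an added PowerShell example that is not part of the original post. It uses the same AzureRM cmdlets the post uses; the resource names, the on-premises public IPs (taken from the 203.0.113.0/24 documentation range), the BGP peer addresses and the local ASN 65010 are all assumed, and an existing VNet with a GatewaySubnet is expected.

```powershell
# Added example (not from the original post): active-active, BGP-enabled VPN gateway with two on-prem peers.
# Assumed: VNet "vnet-hub" with a "GatewaySubnet" in resource group "rg-vpn", location westeurope.
$rg = "rg-vpn"; $loc = "westeurope"
$vnet     = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name "vnet-hub"
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# Active-active needs two public IPs, one per gateway node
$pip1 = New-AzureRmPublicIpAddress -Name "gw-pip1" -ResourceGroupName $rg -Location $loc -AllocationMethod Dynamic
$pip2 = New-AzureRmPublicIpAddress -Name "gw-pip2" -ResourceGroupName $rg -Location $loc -AllocationMethod Dynamic
$ipc1 = New-AzureRmVirtualNetworkGatewayIpConfig -Name "gwipconf1" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip1.Id
$ipc2 = New-AzureRmVirtualNetworkGatewayIpConfig -Name "gwipconf2" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip2.Id

# Route-based VpnGw1 (Basic has no active-active), BGP on, ASN 65510 as in the post. This step takes a long time.
$gw = New-AzureRmVirtualNetworkGateway -Name "vpngw" -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipc1,$ipc2 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -EnableActiveActiveFeature -EnableBgp $true -Asn 65510

# Two local network gateways = the two ISP interfaces of one on-prem device: same ASN, different from 65510.
# No -AddressPrefix: with BGP the on-prem prefixes are learned, and Azure adds a host route for each peer IP.
$lng1 = New-AzureRmLocalNetworkGateway -Name "onprem-isp1" -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress "203.0.113.10" -Asn 65010 -BgpPeeringAddress "10.0.0.1"   # assumed addresses
$lng2 = New-AzureRmLocalNetworkGateway -Name "onprem-isp2" -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress "203.0.113.11" -Asn 65010 -BgpPeeringAddress "10.0.0.2"

# One IPsec connection per interface, BGP enabled on both. The PSK is prompted for, not stored in the script.
$psk = Read-Host "IPsec pre-shared key (must match the on-prem device)"
foreach ($lng in $lng1, $lng2) {
    New-AzureRmVirtualNetworkGatewayConnection -Name "conn-$($lng.Name)" -ResourceGroupName $rg -Location $loc `
        -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
        -SharedKey $psk -EnableBgp $true | Out-Null
}

# Check: each call answers from one node at random, so poll until both nodes (LocalAddress) have been seen,
# then report any peer that is not Connected. Healthy result: both nodes, every neighbor Connected.
$seen = @{}
for ($i = 0; $i -lt 10 -and $seen.Count -lt 2; $i++) {
    $peers = @(Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rg)
    if ($peers.Count -gt 0) { $seen[$peers[0].LocalAddress] = $peers }
    Start-Sleep -Seconds 5
}
foreach ($node in $seen.Keys) {
    $down = $seen[$node] | Where-Object State -ne "Connected"
    if ($down) { Write-Warning ("Node {0}: {1}" -f $node, (($down | ForEach-Object { "$($_.Neighbor)=$($_.State)" }) -join ", ")) }
    else       { "Node $node: all $($seen[$node].Count) BGP peers Connected" }
}
```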
  22. proximagr
    I just received my first Microsoft Azure MVP award!
    I feel happy and proud that my effort and my contribution to the community are being rewarded. I believe in the community and in sharing knowledge; this has helped me a lot in my life, and I in turn try to help as much as I can.
    It all starts with this wonderful email: Congratulations! We are extremely pleased to present you with the 2018-2019 Microsoft Most Valuable Professional (MVP) Award! This award is given to exceptional technical community leaders who share their remarkable passion, real-world knowledge, and technical expertise with others through demonstration of exemplary commitment. We appreciate your outstanding contributions in the Microsoft Azure technical communities during the past year.

    The post My First Microsoft Azure MVP award! appeared first on Apostolidis IT Corner.


    Source
  23. proximagr
    Get real insights about your Windows and Linux VMs & VMSSs performance and their dependencies with Azure Monitor. Integrate with Log Analytics for even more in depth analysis and retain the data over time. Health, Performance & Service Map of your VM in a dashboard.
    Deploy to Single VM
    For a single VM, go to the VMs blade, scroll down to the “Monitoring” section, select “Insights” and press “Try now”

    The Azure Monitor Insights Onboarding wizard will open. If your VM is already onboarded to a Log Analytics workspace just click Enable. Otherwise select a Log Analytics workspace or create one.

    You will start seeing data from the VM in about 20-30 minutes.
    Deploy to multiple VMs using Azure Policy
    For deploying to multiple VMs, the easiest way is to use Azure Policy.
    Go to the Azure Policy, select Assignments and press “Assign initiative”

    The first option is the Scope. Press the three dots "…" at the Scope field. You can choose a Management Group, a Subscription or a Resource Group. If you select only a Management Group (and don't select a subscription or resource group), the policy will apply to all Subscriptions under the Management Group and of course to all resources of those subscriptions. If you choose a Subscription (and don't select a resource group), the policy will apply to all resources of the subscription. Finally, if you choose a resource group, the policy will apply only to that resource group. Later we will see how to select specific VMs in the Subscription or Resource group.

    After selecting the Scope you can add exclusions. There you can check the VMs you don't want this policy to apply to.

    The next step is to select the Policy. At the BASICS section, press the three dots “…” near the “Initiative definition” and find the “Enable Azure Monitor for VMs”

    The next step is to configure the Parameters. There, select the Log Analytics workspace that the VMs will onboard to, or create a new one. Optionally you can provide a list of VMs instead of adding all of them.

    Finally press Apply. Back at the Azure Policy main menu you will see the new Definition Assignment.
    View the Health / Performance / Service Map of the VMs
    To view the Azure Monitor data of the VMs, go to a VM on which you have enabled Insights and select the Insights blade. You will be able to see the health status not only for the common CPU, memory and disk metrics,

    but also for the services that run inside the VM and that Azure Monitor discovered.

    By clicking on any service you will have a list of all logs of this service

    At the Performance section you have the ability to select a time range and get performance analytics for the requested period of time.

    Finally, at the Map, you have a service map of the services and of the ports that are open and listening.
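    The same listening-port and connection data that the Map blade draws can be queried from the Log Analytics workspace the VMs were onboarded to, which is useful for auditing exposure across all monitored VMs at once. This is an added example, not part of the original post; the workspace and resource group names, the 3389 port and the 10.0.0.0/8 internal range are assumed, and the AzureRM.OperationalInsights query cmdlet is used.

```powershell
# Added example (not from the original post): query VM insights tables with KQL from PowerShell.
# Assumed: workspace "law-prod" in resource group "rg-monitor"; VMBoundPort and VMConnection are the
# tables populated by the Dependency agent once Insights has been reporting for a while.
$ws = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName "rg-monitor" -Name "law-prod"

# 1. Listening ports per VM over the last day, with the process that owns each one
#    (IsWildcardBind == true means bound on all interfaces, i.e. reachable on every NIC of the VM)
$listening = @"
VMBoundPort
| where TimeGenerated > ago(1d)
| where IsWildcardBind == true
| summarize LastSeen = max(TimeGenerated) by Computer, Port, ProcessName
| order by Computer asc, Port asc
"@

# 2. Inbound connections to a port that should only ever be reached from inside the network (assumed: RDP 3389)
#    coming from sources outside the assumed internal range; any row here deserves a look.
$unexpected = @"
VMConnection
| where TimeGenerated > ago(1d)
| where Direction == "inbound" and DestinationPort == 3389
| where not(ipv4_is_match(SourceIp, "10.0.0.0/8"))
| summarize Connections = sum(LinksEstablished) by Computer, SourceIp, DestinationPort
| order by Connections desc
"@

foreach ($q in $listening, $unexpected) {
    $res = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $q
    $res.Results | Format-Table -AutoSize
}
```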


    Product Documentation: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-overview
  24. proximagr
    Azure Start Point | Point-to-Site VPN
    In this post series we will go through some basic steps on how to start with Microsoft Azure. At this post we will see how we can create Point-to-Site VPN connection with Azure.
    If you don’t have an Azure Subscription, you can easily create a free trial by just going to https://azure.microsoft.com/en-us/free/
    Create a typical Virtual Network.

    In order to create Point-to-Site VPN connection it needs a Virtual Network Gateway. Go to the Virtual Network, Subnets and add a Gateway Subnet.

    Finally we can add the Virtual Network Gateway. From the portal, create a Virtual Network Gateway resource and add it to the previously created Virtual Network.

    The Virtual Network Gateway can take up to 45 minutes to be created.
    Once the Virtual Network Gateway is created we need one more step: configure Point-to-Site. Open the Virtual Network Gateway and press Configure.

    We will need a root and a client self-signed certificate to complete the setup. Using a Windows 10 or Windows Server 2016 machine we can make use of the New-SelfSignedCertificate cmdlet, which makes the process easy. The whole process is described here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
    For the root certificate run the below PowerShell using ISE:
    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=prodevrootcert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
    For the client certificate run the below PowerShell using ISE, in the same session, because it is signed by the $cert root certificate created above (the client subject name is an assumed example):
    # Client certificate issued by the root above: -Signer chains it to $cert and the
    # TextExtension sets the Client Authentication EKU (1.3.6.1.5.5.7.3.2) that P2S requires
    $clientCert = New-SelfSignedCertificate -Type Custom -DnsName prodevclientcert -KeySpec Signature `
    -Subject "CN=prodevclientcert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
    Export the root certificate's public key in cer format using MMC: open the Certificates snap-in and select "current user". Find the root certificate under Personal –> Certificates and right click –> All Tasks –> Export.

    Select to “not export the private key” and use Base64 encoded.

    Export the client certificate by selecting “export the private key” , select the “include all certificates in the certification path” and the “enable certificate privacy”. Add a password and export it to pfx file.

    This pfx file must be installed on all the client computers that will use this Point-to-Site connection.
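    The two MMC exports above, done from PowerShell instead, with a sanity check of the root/client pair before anything is uploaded. This is an added example, not part of the original post; it looks the certificates up by the root subject used in the post, and the output paths are assumed.

```powershell
# Added example (not from the original post): export the P2S root (.cer, Base64) and client (.pfx) certificates.
# Assumed: root subject "CN=prodevrootcert" as in the post; the client is the certificate it issued.
$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq "CN=prodevrootcert" | Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My |
          Where-Object { $_.Issuer -eq $root.Subject -and $_.Subject -ne $root.Subject } | Select-Object -First 1

# Sanity checks: root is self-signed and may sign certificates; client is issued by it and carries the
# Client Authentication EKU. A pair that fails this will be rejected by the gateway or the VPN client.
$kuExt = $root.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$canSign = (($kuExt.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign) -ne 0)
$ok = ($root.Subject -eq $root.Issuer) -and $canSign -and
      ($client -ne $null) -and ($client.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.2")
if (-not $ok) { throw "Root/client certificates do not form a valid Point-to-Site pair" }

# Root: public part only (no private key), Base64 encoded. The portal's "Public certificate data" field
# wants exactly the text between the BEGIN/END lines, which is what the second file contains.
$rootB64 = [Convert]::ToBase64String($root.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
"-----BEGIN CERTIFICATE-----`n$rootB64`n-----END CERTIFICATE-----" |
    Set-Content -Path "$env:USERPROFILE\prodevrootcert.cer" -Encoding ascii
$rootB64 | Set-Content -Path "$env:USERPROFILE\prodevrootcert-portal.txt" -Encoding ascii

# Client: private key plus the chain up to the root, protected by a prompted password (never hard-coded).
$pfxPwd = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $client -FilePath "$env:USERPROFILE\prodevclientcert.pfx" `
    -Password $pfxPwd -ChainOption BuildChain | Out-Null
"Exported root thumbprint $($root.Thumbprint) and client thumbprint $($client.Thumbprint)"
```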
    Now lets go back to the Point-to-Site configuration page. Add an address pool that the VPN clients will use. This subnet must be different from the Virtual Network address space.

    Then open the root certificate, the cer file, using notepad, copy the text between the Begin and End marks.

    Paste the certificate text into the "Root certificates" –> "Public certificate data" field and add a name in the "Name" field.

    Press Save and the “Download VPN Client” button will be enabled and we can download the VPN client.
    In order to establish the VPN connection we need to install the VPN Client and the Client “pfx” certificate to the workstation.
  25. proximagr
    Secure your Azure SQL locally inside your vnet using service endpoints
    For many companies, a drawback of using Azure SQL was the public access. After the latest Azure updates you can use service endpoints to secure your Azure SQL locally inside your VNET! For now, the feature is available only in the West Central US, West US 2, and East US regions, but more will follow soon.
    So, let's secure your Azure SQL locally inside your VNET! On the VNET creation blade, select the Microsoft.Sql service endpoint from the list of available service endpoints.

    Then create an SQL Database in the same region.

    Next, go to the SQL server firewall settings and turn Off the “Allow access to Azure services”. By doing this you disable the access to the SQL Server using the Public IP.

    Click the “Add existing virtual network” and create an access rule, in order to be able to access the SQL Server from your Virtual Network using the service endpoints.

    Now let's test. A fast way to test your SQL connectivity from a Virtual Machine on the VNET, without having the SQL management tools, is to open the "ODBC Data Source Administrator" and create a new connection. Add the Azure SQL Server IP,

    at the next screen enter the username and password of your SQL Server, and finally click "Test Data Source".

    Of course we can also connect with SSMS. Add the SQL Server FQDN, the username and the password,

    and you are connected, fast and securely!

    You cannot yet add your SQL to a subnet, but you secure its access inside your VNET! All public access is denied.
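    The same lock-down done from AzureRM PowerShell, followed by an audit of what the server's firewall still allows and the TCP test the post performs by hand. This is an added example, not part of the original post; the resource group, VNet, subnet and server names are assumed, while "AllowAllWindowsAzureIps" is the real name of the rule behind the "Allow access to Azure services" switch.

```powershell
# Added example (not from the original post): restrict an Azure SQL server to one subnet via a service endpoint.
# Assumed names: resource group "rg-sql", VNet "vnet-app", subnet "app-subnet", SQL server "prodevsql".
$rg = "rg-sql"; $server = "prodevsql"

# 1. Enable the Microsoft.Sql service endpoint on the subnet (what the VNET creation blade does in the post)
$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name "vnet-app"
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "app-subnet" -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -Name $subnet.Name -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Sql" | Out-Null
$vnet   = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "app-subnet" -VirtualNetwork $vnet

# 2. VNet rule admitting that subnet, then drop "Allow access to Azure services"
#    (the firewall rule AllowAllWindowsAzureIps, which is 0.0.0.0-0.0.0.0 = any Azure tenant, not just yours)
New-AzureRmSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName "allow-app-subnet" -VirtualNetworkSubnetId $subnet.Id | Out-Null
Remove-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
    -FirewallRuleName "AllowAllWindowsAzureIps" -Force

# 3. Audit: any IP rule that still opens the server to all of Azure or the whole Internet defeats the exercise
$wide = Get-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Where-Object { $_.StartIpAddress -eq "0.0.0.0" -or $_.EndIpAddress -eq "255.255.255.255" }
if ($wide) { Write-Warning "Wide-open firewall rules remain: $($wide.FirewallRuleName -join ', ')" }
Get-AzureRmSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server |
    Select-Object VirtualNetworkRuleName, State

# 4. Run from a VM in the subnet the handshake succeeds; from the Internet it does not even open,
#    which is the TCP-level block the post observes with the ODBC test.
Test-NetConnection -ComputerName "$server.database.windows.net" -Port 1433 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```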
    The post Secure your Azure SQL locally inside your vnet using service endpoints appeared first on Apostolidis IT Corner.


    Source