Working as a Cloud Consultant, Administrator, Architect, many companies will provide you guest (Azure AD B2B) access to their subscription. After completing the Admins of the subscriptions, many times, forget to remove this accesses and as a result you still have access to resources with no reason and also the list of your available subscriptions grows making it difficult to choose the right subscription to work.

In this post we will walk through the steps of removing your account from those subscriptions. Since this is an identity matter, you need to login to the https://account.activedirectory.windowsazure.com portal and login with your account. I logged in with my account, pantelis@e-apostolidis.gr

There you will see a list of all the applications that you have access at the Tenant that your account resides. Press the user icon, at the top right corner.

Once you press the user icon, a drop down menu will appear and there you will see all the organizations that you have been provided access. Near the “ORGANIZATIONS” press the gear icon.

You will redirected to the organizations section of the portal. There, in order to leave an organization subscription you need to sign in. Actually by clicking sign in to leave organization you will be redirected to that tenant. The tricky part here is to choose the right organization, since many organizations does not change the “Default directory” name. A, easy way to do this it to hover your mouse to the “sign in to leave organization” link and you will see the tenant id at the bottom of the page.

Now, by navigating to the https://portal.azure.com and pressing the Subscription filter button, at the top par, near the notifications icon, you will have a list of all organizations tenant ids and names.

After ensuring the organization id that you want to leave, go back to the organization selection portal and press “sign in to leave organization”. There, at the browser’s address bar you will see again the organization tenant id. Check again just to be sure.

There you need again to press the user icon and the little gear icon

Finally you have the option to “Leave organization”

A final warning will appear, just to be sure, and by pressing “Leave” you instantly loose all access to that organization and it will not be listed at your subscription filter.

After a while you will also receive an email from Microsoft invitations that you have left that organization.

The post Leave an Azure Subscription – Directory appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

At the 15# Azurehads meetup we talked about how to integrate our data using Azure Data Factory and from the Azure Data Factory to call an Azure HDInsights cluster that will be created on-demand. After the process ends, the HDInsights cluster will be automatically deleted.

Also we saw how we can copy and transform data from almost any source to almost any location.

Download the presentation: http://bit.ly/AH15Presentation

Download the demo video: http://bit.ly/AH15Video

Download the project files: http://bit.ly/AH15Projectfiles

At the demo, we created a data factory. At the data factory we created a pipeline that reads a Python script from an Azure Storage account folder. THe Azure Data FActory creates an on-demand HDInsights Spark cluster and runs the python script. The python script reads a text and provides for output a text with the word count of the input text. Finally the cluster is automatically deleted.

The post Azureheads #15 | Integrate your data to the cloud meetup resources appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Today Microsoft Azure announced the Simplified restore experience for Azure virtual machines https://azure.microsoft.com/en-us/updates/simplified-restore-of-azure-vms/

Now we can restore an Azure VM directly with managed disks with a truly single-click operation.

In addition, we can restore only the unmanaged disks to a storage account and the process will create a template for us to create the VM  on a later time.

So, at the recovery services vault, select a VM to restore and you will see two main options.

Create New: to create a new Virtual Machine with managed disks or to restore the disks with the ARM Template

Replace existing: To restore the VM in-place, replacing the current VM.

At both options you will need to select a Staging storage account, in order to restore the VHD files. Those file will be auto-converted to managed disks by the process.

The post New Azure VM Restore Experience appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Create an Ultra High Available on-prem <-> Azure VPN Connection

At this post we will see how to make a high available connection between our on-premises network and Azure. This way we will have an Active-Active Dual-Redundancy VPN Connection.

The idea behind this is that we have a router/firewall cluster,connected with two ISPs and we want to also have a VPN connection with Azure using both ISPs actively. I call this an end-to-end high available connectivity between our on-premises infrastructure and Azure. Actually the active-active dual redundant connections needs to have two different on-premises VPN devices, but we can accomplish almost the same functionality with one device and two different interfaces with two different ISPs.

The requirement for this topology, except the router/firewall cluster and the two ISPs is that the Azure VPN Gateway must be Standard or HighPerformance SKU. The Basic SKU does not support Active-Active mode.

As you can see at the above diagram, the Active-Active VPN Gateway created two Active VPN Nodes. The connection of each node to each on-premises network interface in a mesh topology. All network traffic is distributed through all the connections. In order to accomplish this connectivity we need to also enable BGP to both on-premises device and Azure VPN Gateway with different ASN.

Lets lab it:

Create a Virtual Network Gateway, VPN, Route Based and SKU VpnGw1 or larger

Enable active-active mode, this will create two nodes, and give the names of the two Public IPs.

Check the Configure BGB ASN and change the default ASN, I used 65510

wait a lot… more than the typical 45 minutes, a lot more…

When the gateway is created you will see that the public ip address is called “First public IP address”. If you click the “see more” link you will see the second IP too.

You can see both IP form the Properties page too.

Second we need to create two Local network Gateways, to represent the two interfaces of our on-premises device. Both must be created with the same ASN. This ASM must be different than the Gateways’ and this ASN must be configured at the configuration of the local devices VPN connection.

]

Now, create the connection

And remember to enable BGP at the Connection’s Configuration

As soon as the local device is configured both connections became connected.

From powershell we can see both local IPs of the two nodes of the Azure VPN Gateway,

Test and Troubleshooting

Currently the only way to see the connections between the Azure Gateway Nodes and the local devices interfaces is the below powershell command

Get-AzureRmVirtualNetworkGatewayBGpPeerStatus -VirtualNetworkGatewayName “gatewayname” -ResourceGroup “resourcegroupname”

Every time you run this command you get answer from one of the two nodes at random. At the above screenshot, first is one node and second is the other.

The first node’s peer, 192.168.xx.9 shows that is connected to the 10.xx.xx.2 local network’s peer and connecting at the second peer 10.xx.xx.1

The second node’s peer, 192.168.xx.8 shows that is connected to the 10.xx.xx.1 local network’s peer and connecting at the second peer 10.xx.xx.2

The test I performed was to unplug one interface from the local device. The azure gateway’s first node State was both Connecting and the second node was the same, connecting to .2 and connected to .1.  At this test I did lost a single ping.

After that I plugged the cable back, waited less than a minute and unplugged the second cable. Now the first node shows still disconnected but the first node connected to the .2 local IP and connecting to .1. With this test I lost only one ping. Also I realized that it is random which node’s private IP will connect with the local device’s private IP. Both Azure Gateway’s IPs 192.168.x.8 & 9 can connect with the local device’s IP 10.x.x.1 & 2 and this is the magic of the Active-Active Dual Redundancy VPN connection.

The post Create an Ultra High Available on-prem <-> Azure VPN Connection appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Save money following the Azure Advisor Recommendations

Microsoft Azure has a very helpful service, called Azure Advisor. Think it like your personal advices on Azure services. Azure Advisor has many advices and recommendations about operations, availability, performance, security and cost.

Following the Cost section of the Azure Advisor one can save a lot of money. Some of recommendations that you will see and it is very impressive is about VM sizes. It gets the performance metrics of the running VMs. If the VM uses less resources than the allocated you will see a recommendation to reduce the size of that VMs together with the actual yearly cost save.

Another impressive recommendation is the cost saving calculation of the reserved instances. You will get a yearly estimation about the savings of your VMs if you acquire Azure Reserved Instances.

The Azure Advisor can be accessed at the Azure Portal. It is one of the pinned options at the sidebar. Click the Advisor and after the recommendations update you will see the advises.

This is an example of a Subscription that can save money per year.

By clicking the Cost recommendation box, you will see the detailed recommendation. This says that you can save this amount of money by buying reserved instances.

The post Save money following the Azure Advisor Recommendations appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Have you tried the improved filtering and sorting Azure Portal Experience? Just “Try preview”

Once you enable the Preview the new left sidebar will appear with all the sorting and filtering options. A very improved user experience.

Check all the Octomber Azure Portal Updates at https://azure.microsoft.com/en-gb/blog/azure-portal-october-update/

The post Have you tried the improved filtering and sorting Azure Portal Experience? appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Serverless Computing | Check your expired public certificates

Check for expired public certificates serverless, using an Azure Function App. Magically run the required PowerShell script directly at the Portal without deploying VMs or App Services. At this post I combine Azure Function Apps, with a PowerShell script to check the certificate expirations and the Send-MailMessage PowerShell function for sending emails directly from the PowerShell script.

Setup the Azure Function App

At the Azure Portal, create a new Function App. Select Consumption Plan and .NET Runtime Stack

Once the Function App is created, we need to enable PowerShell language support. To do so, open it, select the Function App and at the Platform features tab, open the Application Settings

Change the FUNCTIONS_EXTENSION_VERSION to ~1 and delete the FUNCTIONS_WORKER_RUNTIME line

Before:

After:

Create the Function

Once you click Save, go back to the Function App, select the “Functions” and press “New function”

If we change the application settings correctly, the “Experimental Language Support” option will appear. Enable it and the templates will be able to support PowerShell (And more languages). To get started click the “Time trigger” template.

At the window, select “PowerShell” for language and set the schedule. “Enter a cron expression of the format ‘{second} {minute} {hour} {day} {month} {day of week}’ to specify the schedule.”

Entering 0 0 0 1 * * the function will run once per day

Add the PowerShell script

Once the Function is created, you will be directed to the “Function Name” run.ps1 file. There we can run PowerShell scripts.

Below is the script, change the required variables to fit your needs and paste it to the Function run.ps1 file. The variables that you need to change is:

$WebsiteURLs | This is the list, comma separated, of the URLs you want to check for certificate expiration
$From | The email address of the Sender
$To | The email address of the Recipient
$Cc | The email address of the CC Recipient
$Subject | The subject of the email
$SMTPServer | The email server you will use to send the emails. You can Use the SendGrid service from Azure that currenlty provides 25000 email per month for free. More details here: https://sendgrid.com/docs/API_Reference/SMTP_API/getting_started_smtp.html 
$SMTPPort | The port that the SMTP service requires
$username | The username to authenticate to the SMTP Service
$password = ConvertTo-SecureString “here you need to add the password in plain text” -AsPlainText -Force

$WebsiteURLs= @("e-apostolidis.gr","azureheads.gr")
$WebsitePort=443
$Threshold=120
$Severe=30
$ID=0

$body +=  "<html><body><br>"
$body +=  "<font color =""darkblue"">"
$body += "#	Website_URL:	Current Certificate:	Expiration Date:	Days Remaining:	Errors:"
foreach ($WebsiteURL in $WebsiteURLs){
$CommonName=$WebsiteURL
$ID+=1
Try{
$Conn = New-Object System.Net.Sockets.TcpClient($WebsiteURL,$WebsitePort) 
Try {
$Stream = New-Object System.Net.Security.SslStream($Conn.GetStream(),$false, {
param($sender, $certificate, $chain, $sslPolicyErrors) 
return $true
})
$Stream.AuthenticateAsClient($CommonName) 

$Cert = $Stream.Get_RemoteCertificate()
$CN=(($cert.Subject -split "=")[1] -split ",")[0]
$ValidTo = [datetime]::Parse($Cert.GetExpirationDatestring())

$ValidDays = $($ValidTo - [datetime]::Now).Days
if ($ValidDays -lt $Threshold) {
$fontcolor +=  "<font color =darkgreen>"
} 
if ($ValidDays -lt $Severe) {
$fontcolor +=  "<font color =darkred>"
}
$body += "<br />"
$body += $fontcolor
$body += "$ID	$WebsiteURL	$CN	$ValidTo	$ValidDays"
}
Catch { Throw $_ }
Finally { $Conn.close() }
}
Catch {
$body += "<br />"
$body +="<font color=red> gest </font>"
$body += " $ID	$WebsiteURL"
$body +=  "</body></html>"
}

}

$From = "alias@domain.gr"
$To = "alias@domain.gr"
$Cc = "alias@domain.gr"
$Subject = "check the certificates"

$SMTPServer = "mail.mailserver.gr"
$SMTPPort = "587"


$username = "username"
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$mycred = New-Object System.Management.Automation.PSCredential($username, $password)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { return $true }
Send-MailMessage -From $From -to $To -Cc $Cc -Subject $Subject -SmtpServer $SMTPServer -UseSSL -port $SMTPPort -Credential ($mycred) -Body $body -BodyAsHtml

Press SAve & Run and you are ready. Now on, once per day the script will run and it will sent an email with the certificates. Something like this:

Feel free to play with the colors on the script. I have added Dark Green for the valid certificates and Red for those that is about to expire.

Credits

Use this line to ignore the certificate check on the email server when sending the email

<span class="pun">[</span><span class="typ">System</span><span class="pun">.</span><span class="typ">Net</span><span class="pun">.</span><span class="typ">ServicePointManager</span><span class="pun">]::</span><span class="typ">ServerCertificateValidationCallback</span> <span class="pun">=</span> <span class="pun">{</span> <span class="kwd">return</span><span class="pln"> $true </span><span class="pun">}</span>

https://social.technet.microsoft.com/Forums/windows/en-US/d9e9af2b-3bb9-4cb4-8046-dd0a092bc456/send-email-by-powershell?forum=winserverpowershell

The basic script for checking for certificate revocation:

https://isc.sans.edu/forums/diary/Assessing+Remote+Certificates+with+Powershell/20645/

At his blog is the idea for sending emails with powershell with html:

http://www.techtrek.io/send-automated-email-with-powershell/

The post Serverless Computing | Check your expired public certificates appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure Storage Advanced Thread Protection

Azure Storage Advanced Threat Protection is a new security feature, currently in Preview. It monitors the Azure Blob Storage accounts. It detects anomalies and uncommon access to the Storage Account and notifies the admins through email.

All the Azure Storage Advanced Threat Protection monitoring and logs are integrated to the Azure Security Center, including the well known ASC recommendations.

It’s so easy to enable, just go to the Azure Portal, navigate to your storage account’s Advanced Threat Protection setting and switch it ON!

After that you can view the alerts at the Security Center, under Threat Protection’s Security Alerts.

The post Azure Storage Advanced Thread Protection appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Connect two or more Azure Virtual Networks using one VPN Gateway

Peering is a feature that allows to connect two or more virtual networks and act as one bigger network. At this post we will see how we can connect two Azure Virtual Networks, using peering and access the whole network using one VPN Gateway. We can connect Virtual Networks despite if they are in the same Subscription or not.

I have created a diagram to help understand the topology.

• We have a Virtual Network with Site-2-Site VPN wto On Premises. It can also have Point-2-Site connection configured. The VNET A.
• We have another Virtual Network at the Same Subscription that we want to connect each other. The VNET B.
• Also we can have a third Virtual Network at a different subscription. The VNET C.

In sort we need those peerings with the specific settings:

• At the VNETA Peering VNETA to VNETB with “Allow Gateway transit”
• At the VNETA Peering VNETA to VNET
• At the VNETB Peering VNETB to VNETA with “Use Remote Gateway”
• At the VNETB Peering VNETB to VNETC
• At the VNETC Peering VNETC to VNETA with “Use Remote Gateway”
• At the VNETC Peering VNETC to VNETB

In order to be able to connect all those networks and also access them using the VPN Connection there are four requirements:

• The account that will be used to create the peering must have the “Network Contributor” Role.
• The Address Space must be different on each other and not overlap.
• All other Virtual Networks, except the one that has the VPN Connection must NOT have a VPN Gateway deployed.
• Of course at the local VPN device (router) we need to add the address spaces of all the Virtual Networks that we need to access.

Lets lab it:

• HQ 192.168.0.0/16 –> The on-premises network
• VNET A 10.1.0.0/16 –> The Virtual Network that has the VPN Gateway (At my lab is named “devvn”)
• VNET B 10.229.128.0/24 –> THe virtual network at a different subscription of the Gateway (At my lab is named “Network prtg-rsg-vnet”)
• VNET C 172.16.1.0/24 –> The virtual network at the same subscription as the Gateway Network (At my lab is named “provsevnet)

The on-premises network is connected with Site-to-site (IPsec) VPN to the VNETA

Now we need to connect VNETA and VNETB using Vnet Peering. in order to have a Peering connection we need to create a connection from VNETA to VNETB and one from VNETB to VNETA.

Open the VNETA Virtual Network, go to the Peerings setting and press +ADD

Select the VNETB and check the “Allow Gateway transit” to allow the peer virtual network to use your virtual network gateway

Then go to the VNETB, go to the Peerings setting and click +ADD.

Select the VNETA Virtual Network and check the “Use Remote Gateway”  to use the peer’s virtual network gateway. This way the VNETB will use the VNETA’s Gateway.

Now we can contact the VNETB network from our on-premises network

a multi-ping screenshot:

• From 10.229.128.5 (VNETB) to 192.168.0.4 (on-premises) & the opposite
• From 10..1.2.4 (VNETA) to 10.229.128.5 (VNETB)  & to 192.168.0.4 (on-premises)

The next step is to create a cross-subscription peering VNETA with VNETC

Open the VNETA and create a peering by selecting the VNETC from the other Subscription and check the “allow gateway transit”

Then go to the VNETC and create a peer with the VNETA and check the “use remote gaeway”

With the two above connections we have connectivity between the on-premises network and the VNETC.

The final step, to enable the connectivity between VNETB & VNETC. To accomplish this just create one peer from the VNETB to VNETC and one from VNETC to VNETB.

Ping inception:

In order to have client VPN connectivity to the whole network, create a Point-2-Site VPN at the VNETA. You can follow this guide: Azure Start Point | Point-to-Site VPN

The post Connect two or more Azure Virtual Networks using one VPN Gateway appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

New UI for the Azure VM Creation Wizard

Microsoft has revamped the UI around creating a new Azure VM. The information is now much more compact. Way less scrolling. And it’s easier to move along the dozens and dozens of options.

Its not only about UI. You will see much more options available at the VM creation, like adding data disks!!!

Also there is no need anymore to go through all the options, you can “Review & Create” the VM at any step since you have completed all the required fields or just accept the defaults.

The post New UI for the Azure VM Creation Wizard appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr