Azure Bastion – Jump Server as a Service

Azure Bastion is a new Azure Platform (PaaS) service, at this time is still in Preview, that allows to have RDP and SSH access to Virtual Machines inside a Virtual Network directly from the Azure Portal. This eliminates the need to expose the Virtual Machines RDP and SSH ports to the internet.

The logic comes from the Jump Servers, but you don’t need to deploy any VMs and you don’t have to worry about the hardening. It all ready on Azure as a Service.

A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. You can find more about jump servers at https://en.wikipedia.org/wiki/Jump_server

The connection to the virtual machines is achieved directly from the Azure Portal over Secure Sockets Layer (SSL) just using the browser. The Bastion Host is

Azure Bastion Preview preparation

For the time, Azure Bastion Hosts are in Public Preview. To use them we need to Register the Azure Bastion Host provider. Open PowerShell and login to Azure or use the Cloud Shell from the Azure Portal.

To register the provider run:

Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

Then run:

Register-AzResourceProvider -ProviderNamespace Microsoft.Network

The provider takes some time to register. Run the following command to check when it is registered:

Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

Once the Provider is Registered, access the Azure Portal using this link: http://aka.ms/BastionHost in order to access the Bastions Preview.

Create the Bastion

From the Azure Portal search for bastions

Hit “Add” to start the Bastion creation wizard

One thing to consider is that the Virtual Network must have an empty subnet with name “AzureBastionSubnet” and at least /27 range. This Subnet will be configured as a DMZ.

At the Create a bastion wizard select the Subscription and the Resource group. I prefer to create a new Resource Group. Enter a name for the Bastion Host Instance and a Region. Of course the Virtual Network and the Region must be the same as the Virtual Machines that you want to access. Finally select a name for the Public IP of the Bastion Host and hit Review and Create to create the Bastion.

Once the Bastion is ready you can see its properties. Not much to configure, just the IAM.

Create using ARM Template

We can also include the Bastion Hosts at our ARM Templates. This is an export from the Azure Portal Export Template.

"apiVersion": "2018-10-01",
"type": "Microsoft.Network/bastionHosts",
"name": "[parameters('bastionHostName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId(parameters('resourceGroup'), 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
"[resourceId(parameters('resourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "IpConf",
"properties": {
"subnet": {
"id": "[parameters('subnetId')]"
},
"publicIPAddress": {
"id": "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]"
}
}
}
] },
"tags": {}
}

Using the Bastion Host

And now the magic. Once you have a bastion deployed to a Virtual Network, browse a Virtual Machine and hit “Connect”. Beside the RDP and SSH, you will see a new option, the BASTION!

Since the topology is Intternet –>Public IP of Bastion –> Bastion –> Virtual Network – NSG – Private IP –> VM you need to allow the RDP / SSH traffic from the Bastion VNET to the Virtual Machine and https traffic (no RDP / SSH needed) from the internet (or your public ip) to the Bastion Subnet.

Enter the VMs username and password and hit connect and we have RDP over HTTPS

Copy Text to / from the VM

There a little icon >> at the right middle of the screen.

Click it and the Copy / paste box will open. Any text you paste at that box it will be available at the VMs clipboard. Also the Fullscreen button is available there.

Also any text you copy from the VM will appear at that box, like the image below:

The Remote Desktop experience is excellent! No RDP client needed, just your browser.

Sources:

https://docs.microsoft.com/en-us/azure/bastion/bastion-faq

https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg

https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/

https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal

The post Azure Bastion – Jump Server as a Service appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Validate Azure Resource Move with Postman

At this post we will see how easily we can move azure resources to new resource groups or subscriptions and how we can validate if the azure resources are eligible to move without initiate the move. The idea came from my colleague John Dandelis, who also helped with the https://www.e-apostolidis.gr/microsoft/azure/high-level-steps-create-syslog-server-azure-oms-log-analytics/ post.

Move Azure Resources to new resource groups or subscriptions

Azure Resource Manager allow you to easily move resources to new resource groups or subscriptions. It is a pretty simple process. From the Azure Portal, open a Resource Group, and from the top options click Move. You can select if you want to move to another resource group or subscription.

On the next page you can select the resources you want to move and click OK. Once you click OK, the Azure Resource Manager starts to validate the move requests. Checks if the selected resources are eligible to move and also if they have any dependencies that will cause the move to fail.

After the validation, and if the validation is successful, the resource move starts. There is no option in the portal to just validate the move request without starting the move.

Validate Resource Move with Postman

To validate the resources move you need to use post / get operations. The https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources#validate-move document descibes the parameters that we must use to validate is the resources are eligible to move. To validate if the resources are eligible to move we need to send a URI with Authorization token. A free and easy application to help us with the post /get requests is the Postman. You can download the latest release form this link: https://www.getpostman.com/downloads/

Download and install the Postman and open the application. We need to perform a Post request to ask the ARM if the specific resources are eligible to move and then a GET request to view the ARM response.

At the Postman select POST and at the POST request URL enter:

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{sourceResourceGroupName}/validateMoveResources?api-version=2019-05-01

My test case URL:

https://management.azure.com/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/validateMoveResources?api-version=2019-05-01

Then at the Body, select RAW -> json and paste the request:

{ “resources”: [“<resource-id-1>”, “<resource-id-2>”], “targetResourceGroup”: “/subscriptions/<subscription-id>/resourceGroups/<target-group>” }

at my example that I want to validate two resources, the devrg VM and the Managed disk I entered:

{
“resources”: [“/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/providers/Microsoft.Compute/virtualMachines/devrgvm”, “/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/DEVRG/providers/Microsoft.Compute/disks/devrgvm_OsDisk_1_5da9dad62662418b9bb3f02496e88604”],
“targetResourceGroup”: “/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/target”
}

Create Authorization Token

Finally we need an authorization token to access the ARM API. At the Azure Portal open the cloud shell, buy clicking the icon at the top right menu bar.

Enter the below command to create a service principal at the Azure Active Directory:

az ad sp create-for-rbac -n “my-access-app”

The output will be as the below screenshot:

You will get the application ID, URL, tenant ID and password. Next at the Postman press the + button to create a new tab

At the Postman’s new tab create a new POST and enter:

https://login.microsoftonline.com/{{tenantId}}/oauth2/token

My test:

https://login.microsoftonline.com/85ed7d07-ffa3-44da-a22a-38c51ba14d0e/oauth2/token

Then at the Body property, select “x-www-form-urlencoded” and enter the following KEYs:

my test:

Once you press “Send” it will return the “access_tocket”. This is the Authorization: Bearer <bearer-token> needed for the resource move validation.

Send the validation request

Back to the first tab of the Postman, where we are preparing the move validation POST request, select “Authorization”, at the TYPE select “Bearer Token” and at the Token field paste the “access_tocken” from above. Then press “Send”

If all the details are correct, it will return a status of “202 Accepted”. This means that the ARM has started the validation. Copy the “Location” value because we will need it below.

The next step is to create a GET request to view the validation result. The GET request consists of the location URL and the Authorization token. As we did before, open a new Tab at the Postman, select GET request, at the GET URL paste the “Location” URL, at the TYPE select “Bearer Token” and at the Token field enter the “access_token”.

Receive the validation results

Press enter to GET the validation results. f the move operation validates successfully, you receive the 204 status code and nothing at the Body.

If the move validation fails, you receive an error message, like the below. At my example the validation returned failed. The error message explains what caused the failure. At my example the VM is being backed up so the disks have restore points. Also at the message it gives us the link to check for more information.

The post Validate Azure Resource Move with Postman appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure VM CMD & PowerShell from the Portal

Today I was trying to troubleshoot an Azure VM. This VM is behind a Network Virtual Appliance (NVA) and at the subnet it has User Defined Routes (UDR) that routes the traffic to the NVA. We was troubleshooting the NVA and it was not possible to connect with RDP to the VM.

Serial Console

This is an excellent scenario to use the Serial Console. From the Azure Portal, portal.azure.com, navigate to the Azure VMs blade, scroll down to the Support + Troubleshooting section and select “Serial Console”

The Serial Console will initialise and after a while it will establish the connection and the prompt will be the SAC>. If you encounter any errors establishing the SAC link, please follow this link: https://aka.ms/serialconsolewindows

At the SAC> prompt press help to list the available commands.

Using the i command we can get the IP Address configuration of the VM

Command Prompt

To create a command prompt session, first enter “cmd”. This will create a session.

To list the cmd sessions press “ch”

to select & login to a cmd session press “ch -si #” where # is the channel number. At the below screen press Enter

At the next screen enter the admin credentials

and we have Command Prompt. At this command prompt we can use all cmd commands.

Some examples:

ping -t

dir

PowerShell

at the command prompt enter “powershell” and press Enter to open a PowerShell Session

PowerShell example, disable windows firewall:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

and yes, its off

of course, for the firewall we could disable it using CMD

netsh advfirewall set allprofiles state off

For more example commands follow this link: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/serial-console-cmd-ps-commands

The post Azure VM CMD & PowerShell from the Portal appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure Policy | Limit the Azure VM Sizes

Azure Governance

This post, Azure Policy, is the first of a series of posts about Azure Governance. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc.

Azure Policy

Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment.

Limit the Azure VM Sizes

In this fist post we will go through a simple policy, the “Allowed virtual machine SKUs”. With this policy  you can control what Azure VM series and sizes are permitted for deployment. You can apply this policy  to a whole Management group, to a Subscription or to a single Resource Group.

Step by Step Guide

Open the Azure portal, https://portal.azure.com, and login with your account. At the top search box write “policy”. From the search results select the “policy”.

At the Policy screen, select the “Definitions”. To create and apply a policy we need to start from a Policy Definition.

At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. At the Category drop down menu, deselect everything and select only the “Compute”. Press the “Allowed virtual machine SKUs” definition.

The “Allowed virtual machine SKUs” definition will open. Here we can see the code beneath the definition. It is written in json format. If we want to make changes at the definition we must first press “Duplicate definition”. This will create a copy of the definition. Then we can open the definition duplicatie and press “Edit definition. We will cover this at a future post.

To select the VM sizes, the scope and apply the definition, press “Assign”

Set the scope

At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots.

For scope, we can select a whole Management group, a whole subscription or a single Resource Group.

Select the Azure VM SKUs

After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow.

At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2.

We can change the “Assignment Name” to easily find the specific assignment at the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs”

The next step is the “Managed Identity”. Managed identity creates an Azure AD Identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it is doesn’t exists.

We don’t need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”.

A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope.

Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope.

Test the policy

To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM.

And the error details: “disallowed by policy”

You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/

The post Azure Policy | Limit the Azure VM Sizes appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Athens Azure Bootcamp 2019 | A day full of Azure by the IT Pro / Dev community!

This Saturday, May 11, 18 speakers, 2 concurrent sessions, 10 volunteers and more than 250 attendees gathered at the Gazarte Cultural Club for the greatest Azure event of Greece. A day dedicated to IT pros & Developers.

I am more than proud to be part of the organizing team for one more year, with Konstantinos Pantos & Paris Polyzos. A great team committed to community and technology.

It was a day full of Microsoft Azure and technology, from both IT Pro & Dev perspective. A sunny day at Athens, with a lot of fun. For sure we had a great time!

Getting Ready with Paris & Kostas, Gazarte about 8:30 am

This years banner, with our sponsors and communities

The volunteers dream team!

The first registrations at about 9:30 am

Presentations in a full Gazarte stage

Getting ready for the launch break

Happy me

Break time

So long… until next year!

The post Athens Azure Bootcamp 2019 appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure VM Antimalware Extension Management

Azure VM Antimalware Extension Management has always been a tricky subject. You can easily enable the Microsoft Antimalware Extension from the Azure Portal upon the Azure VM creation or by using the Extensions blade. But after that, the management of the extension is somehow tricky. There is no way to manage the Microsoft Antimalware exclusion list and auto-scan setting from the portal or from inside the VM. Even using PowerShell there is not a single command to manage the Microsoft Antimalware settings.

There is no need to point out that all VMs must have an Endpoint Protection Solution. Azure provides the ability to add an Endpoint Protection Solution to all Azure VMs. Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system and it is absolutely free. For the 3rd party extensions you need to add your key.

For Windows Server VMs up to version 2012 R2, the extension will install the System Center Endpoint Protection client and apply the configuration policies. Windows Server 2016 and above have build-in the Windows Defender, so the extension will only apply the configuration.

Below we will walk through on how to deploy & manage the Microsoft Antimalware Extension Using the Azure Portal (Single VM), Using the Azure Security Center (Multiple VMs)and Using PowerShell for a Single VMand for Multiple VMs filtered by Resource Groups or Tags.

Deploy the Microsoft Antimalware Extension

Using the Azure Portal for single VM deployment

Using the Azure Security Center for multi VM deployment

Single VM

$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"

#view all versions for the West Europe location
Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type | fl Version
#view the latest major version
((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#add the latest major version in a variable called "amversion"
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')

$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:IISlogs;D:DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@

Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio -ResourceGroupName $ResourceGroupName -VMName $Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio

Login-AzAccount
#variables
$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:IISlogs;D:DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName-Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio -ResourceGroupName $ResourceGroupName -VMName $Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio

Multi VM – All VMs in a Resource Group

#enable the Microsoft Antimalware Extension with the above settings to all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }

#Login-AzAccount
#variables
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:IISlogs;D:DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings to all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }

Using Tags instead of Resource Group to filter the VMs

Login-AzAccount
#variables (filter by tags)
$tagName = "Service"
$tagValue = "dev"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, excusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:IISlogs;D:DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings to all VMs of a spesific Tag
$tagResList = Get-AzResource -TagName $tagName -TagValue $tagValue
foreach($tagRes in $tagResList) { 
    Set-AzVMExtension -ResourceGroupName $tagRes.ResourceGroupName -VMName $tagRes.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $tagRes.Location -TypeHandlerVersion $amversion
    }

The post Azure VM Antimalware Extension Management appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Today Microsoft announced the Azure Backup for SQL Server in Azure Virtual Machines in General Availability! Azure Backup for SQL Server is an enterprise scale backup solutions that doesn’t need infrastructure deployment & management at all. With Azure Backup for SQL Server you can centrally manage and monitor SQL Server Standalone and Always On AG backups!

Some of the major features of Azure SQL Backup for SQL Server are 15 minute RPO, one click PIT restore, long term retention, encrypted database support, auto-protect new databases, centralized management and monitor and no infrastructure deployment and management!

Learn more at the announcement page: https://azure.microsoft.com/en-us/blog/azure-backup-for-sql-server-in-azure-virtual-machines-now-generally-available/

The post Backup SQL Server & AlwaysOn AG inside Azure VMs appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Get real insights about your Windows and Linux VMs & VMSSs performance and their dependencies with Azure Monitor. Integrate with Log Analytics for even more in depth analysis and retain the data over time. Health, Performance & Service Map of your VM in a dashboard.

Deploy to Single VM

For a single VM, go to the VMs blade, scroll down to the “Monitoring” section, select “Insights” and press “Try now”

The Azure Monitor Insights Onboarding wizard will open. If your VM is already onboard at a Log Analytics workspace just click Enable. Otherwize select a Log Analytics workspace or create one.

You will start seeing data form the VM in about 20-30 minutes.

Deploy to multiple VMs using Azure Policy

For deploying to multiple VMs, the easiest way is to use Azure Policy

Go to the Azure Policy, select Assignments and press “Assign initiative”

The first option is the Scope. Press the three dots “…” at the Scope field. You can choose a a Management Group, a Subscription or a Resource Group. So if you just select a Management Group (And don’t select subscription and resource group), this policy will apply to all Subscriptions under the Management Group and of course to all resources of the subscription. If you choose a Subscription (and don’t select a resource group then the policy will apply to all resources of the subscription. Finally if you choose a resource group then the policy will apply only to this resource group. Later we will see how to select specific VMs in the Subscription or Resource group.

After selecting the Scope you can add exclusions. There you can check the VMs you don’t want this policy to apply.

The next step is to select the Policy. At the BASICS section, press the three dots “…” near the “Initiative definition” and find the “Enable Azure Monitor for VMs”

Next step is to configure the Parameters. There select the Log Analytics workspace that the VM will onboard, or create a new one. Optionally you can provide a list of VMs instead of adding all of them

Finally press Apply. Back at the Azure Policy main menu you will see the new Definition Assignment.

View the Health / Performance / Service Map of the VMs

To view the Azure Monitor of the VMs, go to the VM that you have enabled Insights, select the Insights blade and you will be able to see the health status not only for the common CPU. Memory, Disk,

But also for the services that run inside the VM and the Azure Monitor discovered.

By clicking on any service you will have a list of all logs of this service

At the performance section you have the ability to select time range and have performance analytics for a requisted period of time

Finally at the MAp, you have a service map of the services and ports that are open and listening

Product Documentation: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-overview

The post Azure Monitor for VMs – Health, Performance & Service Map appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Today Microsoft Azure becomes 9 years old. Azure released on February 1, 2010, as “Windows Azure” before being renamed “Microsoft Azure” on March 25, 2014

Some major dates of Azure until now:

• October 2008 (PDC LA) – Announced the Windows Azure Platform
• March 2009 – Announced SQL Azure Relational Database
• November 2009 – Updated Windows Azure CTP, Enabled full trust, PHP, Java, CDN CTP and more
• February 1, 2010 – Windows Azure Platform commercially available! Azure is GA!
• June 2010 – Windows Azure Update, .NET Framework 4, OS Versioning, CDN, SQL Azure Update
• October 2010 (PDC) – Platform enhancements, Windows Azure Connect, improved Dev / IT Pro Experience
• December 2011 – Traffic manager, SQL Azure reporting, HPC scheduler
• June 2012 – Websites, Virtual machines for Windows and Linux, Python SDK, new portal, locally redundant storage
• April 2014 – Windows Azure renamed to Microsoft Azure, ARM Portal introduced at Build 2014.
• July 2014 – Azure Machine Learning public preview
• November 2014 – Outage affecting major websites including MSN.com
• September 2015 – Azure Cloud Switch introduced as a cross-platform Linux distribution.
• December, 2015 – Azure ARM Portal (codename “Ibiza”) released.
• March, 2016 – Azure Service Fabric is Generally Available (GA)
• September 2017 – Microsoft Azure gets a new logo and a Manifesto
• July 16, 2018 – Azure Service Fabric Mesh public preview
• September 24, 2018 – Microsoft Azure IoT Central is Generally Available (GA)
• October 10, 2018 – Microsoft joins the Linux-oriented group Open Invention Network.

Currently Microsoft Azure is available at 54 Regions Worldwide!

Happy Birthday Azure!

Source: https://en.wikipedia.org/wiki/Microsoft_Azure & https://azure.microsoft.com/en-us/global-infrastructure/regions/

The post Happy 9th Birthday Azure! appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure Web Application Firewall (WAF) is a function of the Azure Application Gateway that detects and prevents exploits and attacks to a web application. Using a WAF we add an additional security layer in front of our application. To have a sneak peak at the most common web application attacks, take a look at the OWASP Top 10 Most Critical Web Application Security Risks .

At my previous posts we have seen how to Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. At this post I want to share some tips on how to configure the Azure Web Application Firewall.

The Azure Web Application Firewall, like all WAFs, needs a period of detection “the training period”, in order to gather logs about what is logged as blocked so to configure it accordingly before turning the WAF to Prevention mode. The Azure Web Application Firewall uses OWASP ModSecurity Core Rule Set (CRS). You can select version 2.2.9 or version 3.0 of the OWASP ModSecurity Core Rule Set. These rules include protection against attacks such as SQL injection, cross-site scripting attacks, and session hijacks.

The configuration of the Azure Web Application Firewall has two parts. One part is the OWASP rules custom configuration, where we can check / uncheck the OWASP rules that the WAF will use to analyse the requests:

and the second part is the Exclusions and the Request Size Limits:

Let’s see how we can find out what to exclude and what to customize. Once you setup the Azure Application Gateway and Publish your web application turn of the Firewall in Detection mode. Enable the Diagnostic Logs and send the logs to Log Analytics and start using the we application. I have covered all those steps at my previous posts, Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. To make it more fun you can actually attack your application using sample attacks, like SQL Injection samples from this link: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) and Cross-site Scripting (XSS) from this link: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) . Both links are from OWASP for testing.

After a while run the query to check the Azure Web Application Firewall logs:

You will get the below results:

At the Message part of the Log you will see the kind of attack that the WAF has detected.

At the ruleId_s you can find the OWASP rule ID. With this information you can search the Rule ID at the Advanced rule configuration and uncheck the specific rule. Of course every rule you uncheck you open a security hole. So I recommend to first check if you can alter your application to comply with the rule and only if this is not possible to drop the rule.

At the details_message_s column also you can find the matched pattern and configure the Exclusions

Finally you can configure the request size limits according to your application

Once you finalize your Azure Application Firewall configuration and you no longer have “Blocked” messages change it to “Prevention” mode to start protecting your web application.

Reference:
WAF Overview: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
WAF Configuration: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-waf-configuration
OWASP ModSecurity Core Rule Set (CRS): https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

The post Configure The Azure Web Application Firewall appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr