ExpressRoute is a Microsoft Azure service that provides a private connection between an organization’s on-premises infrastructure and Microsoft Cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.

Microsoft Azure ExpressRoute was general available back on 2014. To connect to Azure ExpressRoute you need a direct line with an ExpressRoute provider. Now Microsoft announced that Microsoft cloud services can be accessed with Azure ExpressRoute using satellite connectivity, breaking the direct line barriers, making it feasible to connect your data center directly to Microsoft Azure from all around the globe!

image from https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/

Azure ExpressRoute Satellite connectivity is currently provided by three Microsoft partners, Intelsat, SES, and Viasat. Microsoft expands its already large connectivity, adding Satellite connectivity options at the  54 Regions worldwide making Microsoft’s global network one of the largest in the world.

Source:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/

The post Azure ExpressRoute adds Satellite connectivity appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure Policy | Enforce tags for resource creation

Azure Governance

After the previous post about how to use Azure Policy to limit the Azure VM sizes, I continue the series of posts about Azure Governance with a video guide on how to enforce tags for resource creation. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc.

Azure Policy

Azure Policy is a powerful tool for Azure Governance. We can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment.

Enforce tags for resource creation

So, why tags? Why we need to add tags to all Azure resources? The Microsoft Azure environments are getting bigger and bigger and managed by multiple people and teams. That makes it difficult to understand who created a resource and what is the purpose of that resource. Another critical matter that we need tags is Cost Management. At the Azure Cost Management Portal, we can sort and arrange the resource cost using the Tags. This way we can provide an expense dashboard with the actual cost of the resources per department, project or whatever tags we have added to the Resource.

Guide: Video

View my video guide on how to use Azure Policy to enforce tags for resource creation

You can find more at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/

The post Azure Policy | Enforce tags for resource creation appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Σήμερα δημοσιεύτηκε η συνέντευξή μου με τίτλο “Το Azure εξελίσσεται” στο NetFax τεύχος #4230,  όπου συζητάω για τις τάσεις που θα μας απασχολήσουν στο Microsoft Azure & το Cloud! 

Ευχαριστώ όλη την ομάδα που συνέβαλε για αυτήν την συνέντευξη & φυσικά Read more @netfax

The post Το Azure εξελίσσεται & οι τάσεις που θα μας απασχολήσουν! @Netfax appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Govern your Azure environment

It was a day full of Microsoft Azure and technology, from both IT Pro & Dev perspective. A sunny day at Athens, with a lot of fun. For sure we had a great time!

You can download my Athens Azure Bootcamp 2019 presentation, Govern your Azure environment, from this link: https://papostolidisgr-my.sharepoint.com/:p:/g/personal/pantelis_e-apostolidis_gr/EUS8pnejNdNEhrm0GVe4qaYBkFH2s_ZZKqGh9AaDY0NTFw?e=nQaNSD

Please find the demos of my presentation at the Videos page: https://www.e-apostolidis.gr/videos/

Standardize & enforce your company’s Azure Resources configuration, for regulatory compliance, cost control, security & design consistency

The post Govern your Azure environment appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure Bastion – Jump Server as a Service

Azure Bastion is a new Azure Platform (PaaS) service, at this time is still in Preview, that allows to have RDP and SSH access to Virtual Machines inside a Virtual Network directly from the Azure Portal. This eliminates the need to expose the Virtual Machines RDP and SSH ports to the internet.

The logic comes from the Jump Servers, but you don’t need to deploy any VMs and you don’t have to worry about the hardening. It all ready on Azure as a Service.

A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. You can find more about jump servers at https://en.wikipedia.org/wiki/Jump_server

The connection to the virtual machines is achieved directly from the Azure Portal over Secure Sockets Layer (SSL) just using the browser. The Bastion Host is

Azure Bastion Preview preparation

For the time, Azure Bastion Hosts are in Public Preview. To use them we need to Register the Azure Bastion Host provider. Open PowerShell and login to Azure or use the Cloud Shell from the Azure Portal.

To register the provider run:

Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

Then run:

Register-AzResourceProvider -ProviderNamespace Microsoft.Network

The provider takes some time to register. Run the following command to check when it is registered:

Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

Once the Provider is Registered, access the Azure Portal using this link: http://aka.ms/BastionHost in order to access the Bastions Preview.

Create the Bastion

From the Azure Portal search for bastions

Hit “Add” to start the Bastion creation wizard

One thing to consider is that the Virtual Network must have an empty subnet with name “AzureBastionSubnet” and at least /27 range. This Subnet will be configured as a DMZ.

At the Create a bastion wizard select the Subscription and the Resource group. I prefer to create a new Resource Group. Enter a name for the Bastion Host Instance and a Region. Of course the Virtual Network and the Region must be the same as the Virtual Machines that you want to access. Finally select a name for the Public IP of the Bastion Host and hit Review and Create to create the Bastion.

Once the Bastion is ready you can see its properties. Not much to configure, just the IAM.

Create using ARM Template

We can also include the Bastion Hosts at our ARM Templates. This is an export from the Azure Portal Export Template.

"apiVersion": "2018-10-01",
"type": "Microsoft.Network/bastionHosts",
"name": "[parameters('bastionHostName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId(parameters('resourceGroup'), 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
"[resourceId(parameters('resourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "IpConf",
"properties": {
"subnet": {
"id": "[parameters('subnetId')]"
},
"publicIPAddress": {
"id": "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]"
}
}
}
] },
"tags": {}
}

Using the Bastion Host

And now the magic. Once you have a bastion deployed to a Virtual Network, browse a Virtual Machine and hit “Connect”. Beside the RDP and SSH, you will see a new option, the BASTION!

Since the topology is Intternet –>Public IP of Bastion –> Bastion –> Virtual Network – NSG – Private IP –> VM you need to allow the RDP / SSH traffic from the Bastion VNET to the Virtual Machine and https traffic (no RDP / SSH needed) from the internet (or your public ip) to the Bastion Subnet.

Enter the VMs username and password and hit connect and we have RDP over HTTPS

Copy Text to / from the VM

There a little icon >> at the right middle of the screen.

Click it and the Copy / paste box will open. Any text you paste at that box it will be available at the VMs clipboard. Also the Fullscreen button is available there.

Also any text you copy from the VM will appear at that box, like the image below:

The Remote Desktop experience is excellent! No RDP client needed, just your browser.

Sources:

https://docs.microsoft.com/en-us/azure/bastion/bastion-faq

https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg

https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/

https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal

The post Azure Bastion – Jump Server as a Service appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Validate Azure Resource Move with Postman

At this post we will see how easily we can move azure resources to new resource groups or subscriptions and how we can validate if the azure resources are eligible to move without initiate the move. The idea came from my colleague John Dandelis, who also helped with the https://www.e-apostolidis.gr/microsoft/azure/high-level-steps-create-syslog-server-azure-oms-log-analytics/ post.

Move Azure Resources to new resource groups or subscriptions

Azure Resource Manager allow you to easily move resources to new resource groups or subscriptions. It is a pretty simple process. From the Azure Portal, open a Resource Group, and from the top options click Move. You can select if you want to move to another resource group or subscription.

On the next page you can select the resources you want to move and click OK. Once you click OK, the Azure Resource Manager starts to validate the move requests. Checks if the selected resources are eligible to move and also if they have any dependencies that will cause the move to fail.

After the validation, and if the validation is successful, the resource move starts. There is no option in the portal to just validate the move request without starting the move.

Validate Resource Move with Postman

To validate the resources move you need to use post / get operations. The https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources#validate-move document descibes the parameters that we must use to validate is the resources are eligible to move. To validate if the resources are eligible to move we need to send a URI with Authorization token. A free and easy application to help us with the post /get requests is the Postman. You can download the latest release form this link: https://www.getpostman.com/downloads/

Download and install the Postman and open the application. We need to perform a Post request to ask the ARM if the specific resources are eligible to move and then a GET request to view the ARM response.

At the Postman select POST and at the POST request URL enter:

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{sourceResourceGroupName}/validateMoveResources?api-version=2019-05-01

My test case URL:

https://management.azure.com/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/validateMoveResources?api-version=2019-05-01

Then at the Body, select RAW -> json and paste the request:

{ “resources”: [“<resource-id-1>”, “<resource-id-2>”], “targetResourceGroup”: “/subscriptions/<subscription-id>/resourceGroups/<target-group>” }

at my example that I want to validate two resources, the devrg VM and the Managed disk I entered:

{
“resources”: [“/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/providers/Microsoft.Compute/virtualMachines/devrgvm”, “/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/DEVRG/providers/Microsoft.Compute/disks/devrgvm_OsDisk_1_5da9dad62662418b9bb3f02496e88604”],
“targetResourceGroup”: “/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/target”
}

Create Authorization Token

Finally we need an authorization token to access the ARM API. At the Azure Portal open the cloud shell, buy clicking the icon at the top right menu bar.

Enter the below command to create a service principal at the Azure Active Directory:

az ad sp create-for-rbac -n “my-access-app”

The output will be as the below screenshot:

You will get the application ID, URL, tenant ID and password. Next at the Postman press the + button to create a new tab

At the Postman’s new tab create a new POST and enter:

https://login.microsoftonline.com/{{tenantId}}/oauth2/token

My test:

https://login.microsoftonline.com/85ed7d07-ffa3-44da-a22a-38c51ba14d0e/oauth2/token

Then at the Body property, select “x-www-form-urlencoded” and enter the following KEYs:

my test:

Once you press “Send” it will return the “access_tocket”. This is the Authorization: Bearer <bearer-token> needed for the resource move validation.

Send the validation request

Back to the first tab of the Postman, where we are preparing the move validation POST request, select “Authorization”, at the TYPE select “Bearer Token” and at the Token field paste the “access_tocken” from above. Then press “Send”

If all the details are correct, it will return a status of “202 Accepted”. This means that the ARM has started the validation. Copy the “Location” value because we will need it below.

The next step is to create a GET request to view the validation result. The GET request consists of the location URL and the Authorization token. As we did before, open a new Tab at the Postman, select GET request, at the GET URL paste the “Location” URL, at the TYPE select “Bearer Token” and at the Token field enter the “access_token”.

Receive the validation results

Press enter to GET the validation results. f the move operation validates successfully, you receive the 204 status code and nothing at the Body.

If the move validation fails, you receive an error message, like the below. At my example the validation returned failed. The error message explains what caused the failure. At my example the VM is being backed up so the disks have restore points. Also at the message it gives us the link to check for more information.

The post Validate Azure Resource Move with Postman appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure VM CMD & PowerShell from the Portal

Today I was trying to troubleshoot an Azure VM. This VM is behind a Network Virtual Appliance (NVA) and at the subnet it has User Defined Routes (UDR) that routes the traffic to the NVA. We was troubleshooting the NVA and it was not possible to connect with RDP to the VM.

Serial Console

This is an excellent scenario to use the Serial Console. From the Azure Portal, portal.azure.com, navigate to the Azure VMs blade, scroll down to the Support + Troubleshooting section and select “Serial Console”

The Serial Console will initialise and after a while it will establish the connection and the prompt will be the SAC>. If you encounter any errors establishing the SAC link, please follow this link: https://aka.ms/serialconsolewindows

At the SAC> prompt press help to list the available commands.

Using the i command we can get the IP Address configuration of the VM

Command Prompt

To create a command prompt session, first enter “cmd”. This will create a session.

To list the cmd sessions press “ch”

to select & login to a cmd session press “ch -si #” where # is the channel number. At the below screen press Enter

At the next screen enter the admin credentials

and we have Command Prompt. At this command prompt we can use all cmd commands.

Some examples:

ping -t

dir

PowerShell

at the command prompt enter “powershell” and press Enter to open a PowerShell Session

PowerShell example, disable windows firewall:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

and yes, its off

of course, for the firewall we could disable it using CMD

netsh advfirewall set allprofiles state off

For more example commands follow this link: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/serial-console-cmd-ps-commands

The post Azure VM CMD & PowerShell from the Portal appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure Policy | Limit the Azure VM Sizes

Azure Governance

This post, Azure Policy, is the first of a series of posts about Azure Governance. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc.

Azure Policy

Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment.

Limit the Azure VM Sizes

In this fist post we will go through a simple policy, the “Allowed virtual machine SKUs”. With this policy  you can control what Azure VM series and sizes are permitted for deployment. You can apply this policy  to a whole Management group, to a Subscription or to a single Resource Group.

Step by Step Guide

Open the Azure portal, https://portal.azure.com, and login with your account. At the top search box write “policy”. From the search results select the “policy”.

At the Policy screen, select the “Definitions”. To create and apply a policy we need to start from a Policy Definition.

At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. At the Category drop down menu, deselect everything and select only the “Compute”. Press the “Allowed virtual machine SKUs” definition.

The “Allowed virtual machine SKUs” definition will open. Here we can see the code beneath the definition. It is written in json format. If we want to make changes at the definition we must first press “Duplicate definition”. This will create a copy of the definition. Then we can open the definition duplicatie and press “Edit definition. We will cover this at a future post.

To select the VM sizes, the scope and apply the definition, press “Assign”

Set the scope

At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots.

For scope, we can select a whole Management group, a whole subscription or a single Resource Group.

Select the Azure VM SKUs

After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow.

At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2.

We can change the “Assignment Name” to easily find the specific assignment at the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs”

The next step is the “Managed Identity”. Managed identity creates an Azure AD Identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it is doesn’t exists.

We don’t need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”.

A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope.

Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope.

Test the policy

To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM.

And the error details: “disallowed by policy”

You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/

The post Azure Policy | Limit the Azure VM Sizes appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Athens Azure Bootcamp 2019 | A day full of Azure by the IT Pro / Dev community!

This Saturday, May 11, 18 speakers, 2 concurrent sessions, 10 volunteers and more than 250 attendees gathered at the Gazarte Cultural Club for the greatest Azure event of Greece. A day dedicated to IT pros & Developers.

I am more than proud to be part of the organizing team for one more year, with Konstantinos Pantos & Paris Polyzos. A great team committed to community and technology.

It was a day full of Microsoft Azure and technology, from both IT Pro & Dev perspective. A sunny day at Athens, with a lot of fun. For sure we had a great time!

Getting Ready with Paris & Kostas, Gazarte about 8:30 am

This years banner, with our sponsors and communities

The volunteers dream team!

The first registrations at about 9:30 am

Presentations in a full Gazarte stage

Getting ready for the launch break

Happy me

Break time

So long… until next year!

The post Athens Azure Bootcamp 2019 appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr