Move your Azure VM across regions
Azure Resource Mover makes it straightforward to move resources such as Azure VMs across regions. There are a few details you need to take care of for the whole process to run smoothly.
Let's see how we can move our VM from one region to another in simple steps:
1. In the Azure Portal search for "Azure Resource Mover".
2. In the Azure Resource Mover wizard click "Move across regions".
3. Select the source and target region.
4. Select the resources you want to move.
5. Accept the notification and start the process; then go to the "Across regions" option and press the "Validate dependencies" button in the middle.
6. After the validation, check the Issues column of all resources and resolve any issues (a VM usually depends on its NIC, disks, virtual network, NSG and public IP, and these must all be part of the move).
7. First we move the resource groups only. The move process has four steps: Prepare, Initiate move, Commit move and finally delete the source resources. So select only the resource groups and press "Prepare".
8. Select the resource groups again and press "Initiate move".
9. Select the resource groups again and press "Commit move".
10. Now the resource groups are created in the target region and are pending deletion at the source. We can proceed with the rest of the resources: select them and go through the same process, Prepare, Initiate move, Commit move and finally delete the source resources.
At the Prepare step, the Azure Site Recovery mobility agent is installed on the VM and its disks are replicated to the target region. This takes time, depending on the amount of data, but it does not affect the running VM.
Sneak peek: you can follow the replication progress from the VM blade, under the Disaster recovery setting.
11. Once all resources are in the "Initiate move pending" state, select them and press "Initiate move". ATTENTION: this is the step with downtime. The source VMs are shut down, a final data sync is performed and then the target VMs are started.
12. Wait until all resources are in the "Commit move pending" state, select them and press "Commit move".
At this point we have two resource groups, the source and the target:
In the source resource group the VMs are stopped and in the target they are started. Note that the target IP is not the same as the source: public IP addresses are regional, so the moved VMs get new public IPs. Update DNS records and any firewall or NSG allow-lists that still reference the old addresses.
13. After the commit, the source resources are not deleted by the service; once you have verified the target, delete them manually.
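The same four-step move driven from PowerShell with the Az.ResourceMover module, as an added example that is not part of the original post. Everything named here is a placeholder (subscription ID, rg-resourcemover, rg-app, vm-app01, the two regions); it also assumes the move-state names reported by Get-AzResourceMoverMoveResource (PreparePending, MovePending, CommitPending, DeleteSourcePending) and that the Api20210801 segment in the settings type names matches the installed module version, so adjust both to your environment.

```powershell
# Added example (not from the original post): Prepare -> Initiate Move -> Commit with the
# resource group first, each step gated on the state the service reports.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$mcRg   = "rg-resourcemover"                                 # holds the move collection (metadata only)
$mcName = "mc-westeurope-northeurope"
$srcRg  = "rg-app"                                           # source resource group being moved
$vmName = "vm-app01"
$vmId   = "/subscriptions/$subscriptionId/resourceGroups/$srcRg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Move collection with a system-assigned identity, plus the two roles it needs on the
#    subscription. Do not scope them wider than this, and remove them when the move is finished.
New-AzResourceMoverMoveCollection -Name $mcName -ResourceGroupName $mcRg -SourceRegion "westeurope" `
    -TargetRegion "northeurope" -Location "northeurope" -IdentityType "SystemAssigned" | Out-Null
$mc = Get-AzResourceMoverMoveCollection -ResourceGroupName $mcRg -Name $mcName
foreach ($role in "Contributor", "User Access Administrator") {
    New-AzRoleAssignment -ObjectId $mc.IdentityPrincipalId -RoleDefinitionName $role `
        -Scope "/subscriptions/$subscriptionId" | Out-Null
}

# 2. Add the resource group and the VM. Each resource type has its own *ResourceSettings class
#    (type-name version segment assumed); NIC, disks, VNet, NSG and public IP are added the same
#    way once the dependency check lists them.
$rgSettings = New-Object Microsoft.Azure.PowerShell.Cmdlets.ResourceMover.Models.Api20210801.ResourceGroupResourceSettings
$rgSettings.ResourceType = "resourceGroups"; $rgSettings.TargetResourceName = $srcRg
Add-AzResourceMoverMoveResource -ResourceGroupName $mcRg -MoveCollectionName $mcName -Name $srcRg `
    -SourceId "/subscriptions/$subscriptionId/resourceGroups/$srcRg" -ResourceSetting $rgSettings | Out-Null
$vmSettings = New-Object Microsoft.Azure.PowerShell.Cmdlets.ResourceMover.Models.Api20210801.VirtualMachineResourceSettings
$vmSettings.ResourceType = "Microsoft.Compute/virtualMachines"; $vmSettings.TargetResourceName = $vmName
Add-AzResourceMoverMoveResource -ResourceGroupName $mcRg -MoveCollectionName $mcName -Name $vmName `
    -SourceId $vmId -ResourceSetting $vmSettings | Out-Null

# 3. "Validate dependencies": refuse to go on while anything is unresolved.
Resolve-AzResourceMoverMoveCollectionDependency -ResourceGroupName $mcRg -MoveCollectionName $mcName | Out-Null
$unresolved = Get-AzResourceMoverUnresolvedDependency -ResourceGroupName $mcRg -MoveCollectionName $mcName -DependencyLevel Direct
if ($unresolved) { $unresolved | Format-Table Id; throw "Add the listed dependencies to the collection before preparing." }

# Poll until every named move resource reports the expected state; stop on any *Failed state.
function Wait-MoveState([string[]]$Names, [string]$State) {
    do {
        Start-Sleep -Seconds 30
        $pending = @(Get-AzResourceMoverMoveResource -ResourceGroupName $mcRg -MoveCollectionName $mcName |
            Where-Object { $Names -contains $_.Name -and $_.MoveStatusMoveState -ne $State })
        $pending | ForEach-Object { "{0}: {1}" -f $_.Name, $_.MoveStatusMoveState }
        if ($pending.MoveStatusMoveState -match "Failed") {
            throw "A move step failed; inspect the resource, fix it, or roll back with Invoke-AzResourceMoverDiscard."
        }
    } while ($pending.Count -gt 0)
}

# 4. Resource group first (no downtime involved for a resource group).
$rgOnly = @($srcRg)
Invoke-AzResourceMoverPrepare      -ResourceGroupName $mcRg -MoveCollectionName $mcName -MoveResource $rgOnly | Out-Null
Wait-MoveState $rgOnly "MovePending"
Invoke-AzResourceMoverInitiateMove -ResourceGroupName $mcRg -MoveCollectionName $mcName -MoveResource $rgOnly | Out-Null
Wait-MoveState $rgOnly "CommitPending"
Invoke-AzResourceMoverCommit       -ResourceGroupName $mcRg -MoveCollectionName $mcName -MoveResource $rgOnly | Out-Null
Wait-MoveState $rgOnly "DeleteSourcePending"

# 5. Everything else. Prepare replicates the disks in the background (no downtime);
#    Initiate Move stops the source VM, does the final sync and starts the target (downtime).
$rest = @(Get-AzResourceMoverMoveResource -ResourceGroupName $mcRg -MoveCollectionName $mcName |
    Where-Object Name -ne $srcRg | Select-Object -ExpandProperty Name)
Invoke-AzResourceMoverPrepare      -ResourceGroupName $mcRg -MoveCollectionName $mcName -MoveResource $rest | Out-Null
Wait-MoveState $rest "MovePending"
Invoke-AzResourceMoverInitiateMove -ResourceGroupName $mcRg -MoveCollectionName $mcName -MoveResource $rest | Out-Null
Wait-MoveState $rest "CommitPending"
Invoke-AzResourceMoverCommit       -ResourceGroupName $mcRg -MoveCollectionName $mcName -MoveResource $rest | Out-Null
Wait-MoveState $rest "DeleteSourcePending"
# The service never deletes the sources: verify the target, update DNS and allow-lists for the
# new public IP, then remove the source resource group yourself.
```

Between Commit and deleting the sources you still have a way back: Invoke-AzResourceMoverDiscard returns the resources to the prepared state, which is why the script stops on a failed state instead of pressing on.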
VMWare Workstation Player on Azure VM for testing
I had a request to run VMWare Workstation Player on an Azure VM for some testing and labs. Challenge accepted!
Azure VM Standard E4s_v4 (a size that supports nested virtualization) running Windows 10 2004 Enterprise
Installed VMware Workstation Player 16.0, free for non-commercial use
Tried to spin up a VM, but I got an error about a Hyper-V conflict.
To solve it:
1. Download the Device Guard and Credential Guard hardware readiness tool (DG_Readiness_Tool_v3.6.ps1) and extract it to a local folder.
2. Open an administrative PowerShell in that folder and execute: .\DG_Readiness_Tool_v3.6.ps1 -enable
3. Open an administrative PowerShell in that folder again and execute: .\DG_Readiness_Tool_v3.6.ps1 -disable
4. Execute: bcdedit /deletevalue hypervisorlaunchtype
5. Execute: bcdedit /set hypervisorlaunchtype off
(ignore all error messages from DG_Readiness_Tool_v3.6.ps1; the bcdedit changes take effect after a reboot)
Be aware of what this does: it turns off the Hyper-V hypervisor and with it virtualization-based security (Credential Guard and HVCI) on that VM, so the VM is weaker than a default Windows 10 installation. That is fine for a throw-away lab machine, not for one that holds real credentials. To undo it, run bcdedit /set hypervisorlaunchtype auto and reboot.
Finally the VM in VMware Workstation Player started and I managed to set up and run a Windows 10 VM.
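To see exactly what the steps above change, and to put it back afterwards, here is a small check script as an added example (my code, not part of the original post). It reads the Win32_DeviceGuard CIM class and the boot configuration; the function names are mine, and it assumes an elevated PowerShell on the Azure VM.

```powershell
# Added example (not from the original post): report the host features that conflict with
# VMware Workstation's own hypervisor, before and after the change, so it is deliberate and reversible.
function Get-HypervisorState {
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $dg = Get-CimInstance -Namespace "root\Microsoft\Windows\DeviceGuard" -ClassName Win32_DeviceGuard
    $launch = bcdedit /enum "{current}" | Select-String "hypervisorlaunchtype"
    [pscustomobject]@{
        HypervisorPresent      = (Get-ComputerInfo -Property HyperVisorPresent).HyperVisorPresent
        HypervisorLaunchType   = if ($launch) { ($launch.Line -split "\s+")[-1] } else { "(not set = Auto)" }
        VbsStatus              = @{ 0 = "Not enabled"; 1 = "Enabled, not running"; 2 = "Running" }[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

# The same bcdedit change the post makes, and its undo. Turning the hypervisor launch off also
# stops VBS, Credential Guard and HVCI on this machine after the next reboot.
function Disable-WindowsHypervisor {
    bcdedit /deletevalue hypervisorlaunchtype 2>$null | Out-Null   # harmless if the value is absent
    bcdedit /set hypervisorlaunchtype off
}
function Enable-WindowsHypervisor {
    bcdedit /set hypervisorlaunchtype auto
}

"Before:"; Get-HypervisorState | Format-List
# Disable-WindowsHypervisor; Restart-Computer     # then run Get-HypervisorState again after the reboot
```

On a default Windows 10 2004 Azure VM the first run should show HypervisorPresent True; after the change and a reboot it shows False, HypervisorLaunchType "Off" and VbsStatus "Not enabled", which is the state VMware Workstation Player needs and also the state in which Credential Guard no longer protects the VM's secrets.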
Learn Azure for Free using Sandbox!
Did you know that you can use Azure for free for learning purposes? And when I say free, I am not talking about the free account, where you need to add your credit card and get 170€ of credit. I am talking about a completely free environment to learn the Azure services and resources, but only for learning purposes.
The Azure Sandbox is offered by the Microsoft Learn platform. Microsoft Learn is a completely free, online training platform that provides interactive learning for Microsoft products and more.
The Microsoft Learn sandbox (sometimes called the Azure sandbox) is a free environment that you can use to explore Azure through Microsoft Learn content.
And the magic here is that you don’t need an Azure account to use a sandbox! All you need is a Microsoft account to sign in with. If you don’t have one, you can create one for free.
Take a look at this. This is the Microsoft Learn home page where you can select whatever learning path or module you want to follow.
When you start a module that needs Microsoft Azure Access, there is an “Activate sandbox” button
When you press it, the only thing you will be asked for is a mobile phone number, just for verification. It will not ask for a credit card!
Once you verify your number, it will ask you to Review and accept the permissions to use Microsoft Azure using your Microsoft Account
And the Sandbox environment is ready! You can have 10 Sandboxes per day, for 2 hours each.
You can use Bash, PowerShell and the Azure Portal at will:
You can use the sandbox to complete the specific exercise, but you can also play around with the resources. You can see in the screenshot below that, apart from the two "webVM"s of the exercise, I have created a "test" VM directly from the portal.
Start your learning path at Microsoft Learn NOW!
And remember: The sandbox may only be used to complete training on Microsoft Learn.
Azure Application Gateway | WAF Policy per Listener
With Azure Application Gateway v2 a lot of new features were added: much faster deployment and change times, autoscaling and the ability to assign a different Web Application Firewall (WAF) policy to each listener of the Application Gateway. This gives more control over each listener and can reduce the number of Application Gateways you need to deploy.
With a custom WAF policy we can control the firewall per listener (URL) with:
- Firewall mode, Prevention – Detection
- Request body properties
- WAF rule set category & version
- Custom Rules with If / Then conditions
- Match IP address, Number, String, Geo location
- Allow / Deny Traffic
This post scenario
We have one Azure Application Gateway with two listeners (listening for two different URLs on its public IP). The two listeners forward the traffic to two different Web Apps, as shown in the image below.
The requirement is to allow all traffic to the first URL but only traffic from a specific IP to the second URL.
For the demo, I assume that you already have an Azure Application Gateway v2 in place, that you have published two back ends (web apps, VMs or custom IPs), and that your web sites / apps are healthy and you can browse them behind the Application Gateway.
Since I am using the default azurewebsites.net domain, I added two hosts to my workstation's hosts file, in order to route the traffic to the Application Gateway's IP and not directly to the Web Apps.
I can browse both Web Apps through the Application Gateway from my browser. I am using HTTP and not HTTPS for the demo, since I am using the default domain and cannot add a custom certificate.
We need to create two Web Application Firewall policies (WAF). One for each listener. To create a WAF policy, search the Azure Portal for waf and click the “Web Application Firewall policies (WAF)”.
At the “Web Application Firewall policies (WAF)” page click +Add
At the Project details select “Regional WAF (Application Gateway)”.
Select the subscription your Application Gateway resides in, select the resource group, give the policy a name and choose the same region as your Application Gateway. The policy must be set to Enabled to apply. I named the policy URLNumber02, since I am starting with the policy for the second URL, the one that needs the custom rule.
At Policy settings change the mode from Detection to Prevention, then go to Custom rules and click Add custom rule.
I named the rule "AllowOnlyOneIP", since I want to allow only one IP to access the second URL (listener) of the gateway. Give it a priority; I used 1 as it is the only rule. At the conditions select:
- Match type: IP address
- Operation: Does not contain
- IP address or range: add the only IP that you want to allow access to the URL
At the “Then” condition, select “Deny Traffic”
This rule denies traffic unless the client IP is the address we added to the condition; for all other IPs access is denied. Note that the match is on the source IP of the connection as the Application Gateway sees it, so a request arriving through another proxy or CDN is judged on that proxy's address, not the end user's.
Now that the policy is created, we need to assign it to the listener. In the next step of the WAF policy wizard we select the Application Gateway and the listener.
First click "Associate an application gateway" and select the Application Gateway. Remember that associating a policy replaces the gateway's built-in WAF configuration, so before proceeding migrate your current WAF settings and customizations (mode, rule set and version, exclusions, disabled rules) to the new WAF policy.
After you select the Application Gateway, associate the listener. I associate "mylistener02", my second URL, with this policy.
After saving the policy, go to the Application Gateway and check the "Web application firewall" settings. All the settings have disappeared and you can only see that the gateway is associated with a WAF policy, here URLNumber02.
You need to create one more WAF policy for URL 01 for the correct functionality. Once you create that policy and associate it with the other listener of the Application Gateway, the "Web application firewall" blade shows the gateway associated with the new policy. The Application Gateway is in fact associated with both WAF policies, one per listener; you just cannot see this in the Azure Portal.
We can see the WAF policies associated with the Application Gateway's listeners using PowerShell. Running Get-AzApplicationGateway -Name AppGw01 -ResourceGroupName AppGw01 and looking at the HttpListeners, you can see that the "URLNumber01" WAF policy is associated with "mylistener" and "URLNumber02" with "mylistener02".
To test the policies, I accessed both URLs from a computer that does not have the public IP I added to the policy: I can reach the URL 1 app but not the URL 2 app. From the computer with the public IP we added to the rule, I can browse both sites.
The WAF rules can be edited at the Web Application Firewall policies (WAF) blade and all settings will apply to the corresponding listener.
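The same policy and listener association done with the Az.Network module, as an added example that is not code from the original post. It uses the names from the post (URLNumber02, AllowOnlyOneIP, mylistener02, AppGw01) and assumes a resource group also named AppGw01, the region westeurope, OWASP rule set 3.1 and the constructed allowed address 203.0.113.10 (a TEST-NET-3 address); replace them with your own.

```powershell
# Added example (not from the original post): "IP address / Does not contain / Deny" as a
# WAF custom rule, bound to one listener only, then a check of which policy each listener carries.
$rg        = "AppGw01"
$appGwName = "AppGw01"
$location  = "westeurope"
$allowedIp = "203.0.113.10/32"   # constructed: the only client allowed to reach listener 02

# RemoteAddr is the client IP of the connection. IPMatch with NegationCondition $true is the
# portal's "Does not contain": the condition is true for every IP NOT in the list, and the
# action Block then denies those requests. Lower priority numbers are evaluated first.
$var  = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$cond = New-AzApplicationGatewayFirewallCondition -MatchVariable $var -Operator IPMatch `
            -MatchValue $allowedIp -NegationCondition $true
$rule = New-AzApplicationGatewayFirewallCustomRule -Name "AllowOnlyOneIP" -Priority 1 `
            -RuleType MatchRule -MatchCondition $cond -Action Block

# Prevention mode so the WAF blocks instead of only logging. Keep the managed OWASP rule set:
# the allow-list is added on top of the normal protections, not instead of them.
$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled
$ruleSet  = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType OWASP -RuleSetVersion 3.1
$managed  = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $ruleSet
$policy02 = New-AzApplicationGatewayFirewallPolicy -Name "URLNumber02" -ResourceGroupName $rg `
                -Location $location -PolicySetting $settings -ManagedRule $managed -CustomRule $rule

# Bind the policy to the second listener only. Set-* replaces the listener definition, so the
# existing frontend IP, port, protocol and host name are passed back in unchanged.
$appgw    = Get-AzApplicationGateway -Name $appGwName -ResourceGroupName $rg
$listener = Get-AzApplicationGatewayHttpListener -Name "mylistener02" -ApplicationGateway $appgw
$appgw    = Set-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name $listener.Name `
                -FrontendIPConfigurationId $listener.FrontendIpConfiguration.Id `
                -FrontendPortId $listener.FrontendPort.Id -Protocol $listener.Protocol `
                -HostName $listener.HostName -FirewallPolicyId $policy02.Id
$appgw    = Set-AzApplicationGateway -ApplicationGateway $appgw

# What the portal does not show: the policy on each listener. A listener without its own
# policy falls back to the policy associated with the gateway itself.
$appgw.HttpListeners | Select-Object Name, @{ n = "WafPolicy"; e = {
    if ($_.FirewallPolicy) { ($_.FirewallPolicy.Id -split "/")[-1] } else { "(gateway policy)" } } }
```

Repeat the policy part for URLNumber01 without the custom rule and bind it to "mylistener"; the final Select-Object then lists URLNumber01 next to mylistener and URLNumber02 next to mylistener02, which is the same information the post reads out of Get-AzApplicationGateway.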
The post Azure Application Gateway | WAF Policy per Listener appeared first on Apostolidis Cloud Corner.
My presentation on September 7, 2020 at the BootCamp | Azure – Cloud Computing by the Microsoft Student Partners and the University of Lahore, about how to deliver your app at global scale with security and resiliency with Azure Front Door.
Let's have a Hackathon! The most epic one ever in Thessaloniki, on 7-9 December, designed for Thessaloniki's students by StudentGuru Thessaloniki and Microsoft Hellas in partnership with the Aristotle University of Thessaloniki.
This is the video of my presentation about Azure, the Microsoft cloud.
Azure Front Door | Rules Engine
Azure Front Door Rules Engine is a new feature that gives you more control over how you define and enforce what content is served from where. Rules Engine lets you specify how HTTP requests are handled by AFD. Different combinations of match conditions and actions give you fine-grained control over which users get which content and cover a very wide range of scenarios.
For example, you can use a match condition to:
- Filter requests based on a specific IP address, country, or region.
- Filter requests by header information.
- Filter requests from mobile devices or desktop devices.
The following match conditions are available to use in Front Door Rules engine:
- Device type
- Post argument
- Query string
- Remote address
- Request body
- Request header
- Request method
- Request protocol
- Request URL
- Request file extension
- Request file name
- Request path
- Standard operator list
How Rules Engine Works
The Rules Engine applies its rules at the edge. Once a request is received at an AFD edge location, the WAF rules are evaluated first, then the Rules Engine rules, and their actions are applied on top of the route configuration. In the next picture, the Rules Engine decides whether the request is redirected to the mobile site or forwarded to the desktop site.
How to create a rules engine and add a rule
We will create a rule to redirect the requests to the Desktop or to the Mobile site, based on the clients device type.
Go to the Front Door, and select the “Rules engine configuration” at the Settings section. Press “+ Add” to create a rules engine.
Type a name for the Rules engine, and a name for the first rule. Once you press the “+Add a condition” a drop down menu will open with all the available condition types.
For our example I selected the “Device type” condition and I selected that the request is Equal to Mobile.
Then press the “+ Add an action” to view the available actions.
For our example I selected forwarding the request to /mobile.html, where the mobile site is.
Finally, you need to associate the rules engine with a routing rule, by clicking the three dots on the right of the rule
and selecting the routing rule of the Front Door that you want this configuration applied to.
You can find more AFD posts on my blog, such as creating an Azure Front Door to scale and secure your web apps, adding a custom domain and certificate to Azure Front Door, and using Web Application Firewall (WAF) rules to protect your web apps.
Optimize your Azure environment
Cloud optimization is the process of correctly selecting and assigning the right resources to a workload or application. When workload performance, compliance and cost are correctly and continually balanced against the best-fit infrastructure, your Azure environment runs efficiently.
Azure offers many ways to help ensure that you are running your workloads optimally and getting the most out of your investment. There are many ways to get started: you can align as an organization on your cloud adoption strategy, you can review your workload architecture against the reference architectures Microsoft provides, or you can open Advisor and see which of your resources have best-practice recommendations. Those are just a few examples; ultimately it is a choice only you and your organization can make.
Azure Advisor is a free Azure service that helps you optimize your Azure resources for high availability, security, performance and cost. Advisor scans your resource usage and configuration and provides over 100 personalized recommendations. Each recommendation includes inline actions that make remediation fast and easy.
How to get Azure Advisor recommendations? Go to the Azure Portal and in the left pane, click Advisor.
If you do not see Advisor in the left pane, click All services. In the service menu pane, under Monitoring and Management, click Advisor.
The Advisor dashboard is displayed. It automatically scans your Azure configuration and recommends changes to optimize deployments, increase security and save money. Wait until the recommendations are updated.
You can download the recommendations as PDF and CSV. This way you can send the recommendations to the relevant teams for review and remediation.
The recommendations are separated into five sections: Cost, Security, High Availability, Operational Excellence and Performance.
Cost recommendations help you optimize and reduce your overall Azure spend by identifying idle and underutilized resources: right-sizing VMs, deleting unused resources, reserved instances, etc.
More about cost recommendations: https://www.e-apostolidis.gr/microsoft/save-money-following-the-azure-advisor-recommendations/ & here
Security recommendation integrates with Azure Security Center to bring you security recommendations. Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources
High Availability recommendation helps you ensure and improve the continuity of your business-critical applications. Advisor identifies virtual machines that are not part of an availability set and recommends moving them into an availability set, identifies availability sets that contain a single virtual machine and recommends adding one or more virtual machines to it and many more.
More about high availability here
Operational Excellence recommendations help customer with process and workflow efficiency, resource manageability and deployment best practices.
More about operational excellence here
Performance recommendations help improve the speed and responsiveness of your business-critical applications.
More about performance recommendations here
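The "download the CSV and send it to the relevant team" step, done with the Az.Advisor module so it can run on a schedule, as an added example that is not part of the original post. It assumes the property layout of Az.Advisor 1.x (Category, Impact, ImpactedField, ImpactedValue, ShortDescription.Problem / .Solution, ResourceId); newer module versions flatten some of these names. The output folder is a placeholder.

```powershell
# Added example (not from the original post): one CSV per Advisor category, a per-category
# summary, and the High-impact Security findings printed first for the security team.
$outDir = Join-Path $env:TEMP "advisor"       # placeholder output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Flatten each recommendation to the fields a remediation ticket needs.
$report = Get-AzAdvisorRecommendation | ForEach-Object {
    [pscustomobject]@{
        Category   = $_.Category                    # Cost, Security, HighAvailability, OperationalExcellence, Performance
        Impact     = $_.Impact                      # High, Medium, Low
        Type       = $_.ImpactedField               # e.g. Microsoft.Compute/virtualMachines
        Resource   = $_.ImpactedValue               # resource name
        Problem    = $_.ShortDescription.Problem
        Solution   = $_.ShortDescription.Solution
        ResourceId = $_.ResourceId
    }
}

$impactOrder = @{ High = 0; Medium = 1; Low = 2 }
$report | Group-Object Category | ForEach-Object {
    $_.Group | Sort-Object @{ Expression = { $impactOrder[$_.Impact] } }, Resource |
        Export-Csv -NoTypeInformation -Path (Join-Path $outDir "$($_.Name).csv")
    "{0,-22} {1,4} recommendations ({2} High)" -f $_.Name, $_.Count,
        @($_.Group | Where-Object Impact -eq "High").Count
}

# Security findings that should not wait for the next review cycle.
$report | Where-Object { $_.Category -eq "Security" -and $_.Impact -eq "High" } |
    Format-Table Resource, Type, Problem -AutoSize
```

The Security category is the same set of findings Security Center publishes, so the High-impact list here is a cheap daily signal even if the other four CSVs are only reviewed weekly.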
Azure Architecture Center
Azure Architecture Center is a collection of free guides created by Azure experts to help you understand organizational and architectural best practices and optimize your workloads. This guidance is especially useful when you’re designing a new workload for the cloud or migrating an existing workload from on-premises to the cloud.
The guides in the Azure Architecture Center range from the Microsoft Cloud Adoption Framework for Azure, which can help guide your organization’s approach to cloud adoption and strategy, to Azure Reference Architectures, which provides recommended architectures and practices for common scenarios like AI, IoT, microservices, serverless, SAP, web apps, and more.
Azure Client VPN using Azure AD & MFA
The Azure Virtual Network Gateway lets you connect to your Azure Virtual Network over point-to-site (SSL) VPN using your Azure AD or hybrid identity, with Multi-Factor Authentication (MFA) and your Conditional Access policies.
This gives an enterprise-grade SSL VPN with Azure AD authentication and single sign-on (SSO) from your corporate laptops, to which all your Conditional Access policies apply: MFA, compliant devices, trusted locations, etc.
How to create the VPN Gateway
Go to your Virtual Network’s subnets and create a Gateway subnet by clicking the “+ Gateway subnet”
Create a Virtual network gateway, by searching for the “Virtual network gateways” service and press Add.
Select "VPN", "Route-based" and at the SKU select any size except Basic: the Basic SKU does not support the OpenVPN tunnel type and therefore not Azure AD authentication.
Create a Public IP and leave all other settings default and create the Gateway.
After about 20 minutes the VPN gateway is ready. In the meantime we prepare Azure AD and grant consent for the Azure VPN application to use Azure AD. Using a Global Admin account, go to "Azure Active Directory", copy the "Tenant ID" from the Overview blade and keep it in a notepad.
Then paste the Azure VPN consent URL into your browser's address bar. You need to log in with a Global Admin that is a member work account, not a guest and not a Microsoft account.
With a guest or Microsoft account, even if it is a Global Admin, you will be prompted to log in with an admin account, meaning a member work account.
Once you log in with a member work Global Admin account, you can accept the permissions to create the Azure VPN application.
You can navigate to Azure Active Directory / Enterprise applications to view and manage the Azure VPN application.
Open the Azure VPN enterprise application and copy the "Application ID" to the notepad.
Go to the VPN gateway, select "Point-to-site configuration" and click "Configure now".
Add the address pool that you want the VPN clients to get, and for Tunnel type select "OpenVPN (SSL)", as it is the only type that supports Azure AD authentication. The pool must not overlap the virtual network or your on-premises ranges.
Then use the details you copied to the notepad, the Tenant ID and the Application ID, fill in the required fields and press Save:
- Tenant: https://login.microsoftonline.com/paste-your-tenant-id-here
- Audience: paste-the-azure-vpn-application-id-here
- Issuer: https://sts.windows.net/paste-your-tenant-id-here/
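The gateway-side part of this guide scripted with the Az.Network module, as an added example that is not code from the original post. Resource names, the address ranges and the tenant ID are placeholders. The audience is the Application ID of the Azure VPN enterprise application from the step above; in the Azure Public cloud that application has the well-known ID 41b23e61-6c1e-4545-b367-cd054e0ed4b4, but verify it against the enterprise application in your tenant.

```powershell
# Added example (not from the original post): GatewaySubnet, route-based gateway, OpenVPN +
# Azure AD point-to-site configuration, verification, and download of the client profile.
$rg         = "rg-vpn"                                   # placeholders
$location   = "westeurope"
$vnetName   = "vnet-hub"
$gwName     = "vgw-hub"
$tenantId   = "00000000-0000-0000-0000-000000000000"
$vpnAppId   = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"     # Azure VPN enterprise app (Azure Public)
$clientPool = "172.16.201.0/24"                          # must not overlap VNet or on-premises ranges

# 1. GatewaySubnet: the name is fixed; /27 leaves room for larger SKUs and ExpressRoute coexistence.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not ($vnet.Subnets | Where-Object Name -eq "GatewaySubnet")) {
    Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.0.255.0/27" -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# 2. Route-based VPN gateway, VpnGw1 (Basic has no OpenVPN / Azure AD support). Expect 20+ minutes.
$pip    = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rg -Location $location `
              -AllocationMethod Static -Sku Standard
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location -IpConfigurations $ipConf `
    -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 | Out-Null

# 3. Point-to-site with OpenVPN and Azure AD. Tenant and Issuer are both derived from the
#    tenant ID; the trailing slash on the issuer URI is part of the value.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool $clientPool `
    -VpnClientProtocol "OpenVPN" -VpnAuthenticationType "AAD" `
    -AadTenantUri "https://login.microsoftonline.com/$tenantId" `
    -AadAudienceId $vpnAppId `
    -AadIssuerUri "https://sts.windows.net/$tenantId/" | Out-Null

# 4. Read back what the gateway stored, then fetch the client profile zip (it contains
#    AzureVPN\azurevpnconfig.xml, the file the Azure VPN Client imports).
(Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg).VpnClientConfiguration |
    Select-Object VpnClientProtocols, VpnAuthenticationTypes, AadTenant, AadAudience, AadIssuer
$clientProfile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod "EapTls"
Invoke-WebRequest -Uri $clientProfile.VPNProfileSASUrl -OutFile (Join-Path $env:TEMP "azurevpn-profile.zip")
```

The Select-Object in step 4 is the check worth keeping: a typo in the audience or a missing trailing slash in the issuer produces a gateway that deploys fine and then rejects every token at connect time.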
How to Download the VPN Client and Connect to the Gateway
Download the VPN client, using the button.
Extract the downloaded zip file.
In the AzureVPN folder you will find the configuration XML (azurevpnconfig.xml).
Open the Microsoft Store and get the Azure VPN Client
Open the Azure VPN Client and at the lower left corner, press the + and Import the xml configuration file
Accept all the settings and press Save.
The Azure VPN connection appears in the Azure VPN Client and also in the Windows 10 network connections, like any other VPN.
Azure VPN Client:
Windows 10 Network Connections:
Once you press Connect, you are prompted to connect with the account(s) already signed in on your Windows 10 machine, or to use a different account.
You will be prompted for MFA or whatever other Conditional Access requirement you have applied, and then you are connected.
Conditional Access & Multi-Factor Authentication (MFA)
You can add Conditional Access to the Azure client VPN connection. Go to Azure Active Directory / Security / Conditional Access and create a new Policy.
Select "Azure VPN" in the "Cloud apps or actions" section.
In the Access controls / Grant section you can require multi-factor authentication, a Hybrid Azure AD joined device, a compliant device, or all of them.
In the "Conditions" section you can control the locations the policy applies to. For example, you can apply the MFA requirement to "Any location" and exclude the "Trusted locations", so that MFA is not required when the device is at a trusted location, such as your company's network. Keep in mind that VPN clients usually connect from outside that network, so the exclusion mostly helps on-site users.
Quickstart your Azure journey!
Are you new to Azure? You don't know where to start? Get started with the Azure Quickstart Center, full of guides, best practices and learning guides, without leaving the Azure Portal!
How to open the Azure Quickstart Center? Use the global search box at the top of the Azure Portal, or the All services menu.
The user-friendly environment of the Quickstart Center opens and you can start your journey into Azure! The Quickstart Center has two basic sections: "Get started" and "Take an online course".
The "Get started" section has two sub-sections: "Start a project", where you will discover many options, architecture, cost and prerequisites for creating resources, and "Setup guides", where you get step-by-step guides on how to build your environment based on best practices and the Cloud Adoption Framework.
The Get started / Create a virtual machine option asks you to choose between a Windows or Linux VM.
If you press Create, you get information about options, benefits, reference architectures, pricing and free-account options.
The Start a project / Azure setup guide will provide you with all the required information to build your Azure environment using Microsoft’s best practices and the Cloud Adoption Framework.
At the Take an online course section, you will find the learning path that Microsoft has prepared about Microsoft Azure. At the Microsoft Learn site you can learn new skills and discover the power of Microsoft products with step-by-step guidance.
You can learn more about Azure setup and migration in the Microsoft Cloud Adoption Framework for Azure.
More basic level guides: https://www.e-apostolidis.gr/tag/azure-start-point/