At this post we will see how we can Visualise our Azure environment using the Resource Graph Explorer. Resource Graph Explorer allows you to run Resource Graph queries, create charts and pin them to the Azure Dashboard.
Resource Graph Explorer is part of Azure Governance. You can find more guides about Azure Governance at my posts like How to limit the Azure VM Sizes and How to enforce tags for resources creation using the Azure Governance tag.
Create a chart showing the number of VMs by Operating System at my tenant.
Open the Azure Portal and search for the Resource Graph Explorer and open it
The window that will open looks familiar because it uses the same query language like Log Analytics, the Kusto. On the right side, at the Resource Window, you can search for any resource type, click it and it will be added to the Query Window. We will start with the “resources” that will bring us all resources
Then we will search for virtual machines to find the correct type
clicking the microsoft.computer/virtualmachines it will automatically change the query to narrow the search to bring only the Virtual Machines
To see the results just press “Run Query”. At the Resources window you can see all the VMs properties, like name, location, tags, resourcegroup and a property named “properties”. If you open this you will see all the details of the VMs.
The Operating System property is under “storageProfile” / “osDisk” / osType. So we need to alter our query like this:
resources | where type == "microsoft.compute/virtualmachines" | summarize count() by tostring(properties.storageProfile.osDisk.osType)
Running the above query will bring the VMs by OS. Next Results you can click Charts to select the Chart you like.
You can save the query to add a name and also reuse it. The name will appear once we add the chart to the Azure Dashboard, it will be the title.
For our Dashboard I will use a Donut chart. To add it to the Azure Dashboard click “Pin to dashboard”
And this is the dashboard view
We can add more resources, like Public IP Addresses
Change the query to this:
Resources | where type == "microsoft.network/publicipaddresses"
Run it and you will get a result with all Public IP Addresses
To expand the properties, add the ” | project properties ” at the query and click the “see details” link.
View the properties details and find the name of the ip address key
To create a chart with all Public IP Addresses run the below query
Resources | where type == "microsoft.network/publicipaddresses" | summarize count() by tostring(properties.ipAddress)
And this is the result, pined to Azure Dashboard
Add a chart to show the location of all of my resources
summarize count() by location | project location, total=count_| order by total desc | where total > 1
Now at my Azure Dashboard I have VMs per OS, all Public IP Addresses and the location of all of my resources
Find more at the Azure Resource Graph documentation
The Microsoft Ignite The Tour in Milan 2020 ended and it is time for my recap. It was my first time speaking at Microsoft Ignite The Tour conference and I can say it was an amazing experience. I had the opportunity to connect with great people, speakers from all over the world, MIcrosoft employees and MVPs.
I was honored with two sessions, one 15 minutes Theater and one 45 minutes Breakthrough. Although I was very stressed about my presentations, it went very well and I have excellent evaluation scores.
My 15 minute Theater session at Microsoft Ignite The Tour Milan, where I talk about how to accelerate your web applications with Azure Front Door Service. Use the Azure WAN, 130+ edge sites with WAF & Layer 7 Load Balance at a global scale. Session code: THR30089
My 45 minutes Breakthrough session at Ignite The Tour Milan, where I will talk about how to use Azure Platform as a Service (PaaS): Design your apps with Elasticity, Resiliency and High Availability very easy, fast and secure. Session code: BRK30169
Vulnerability Assessment for Azure VMs included in ASC
Hackers and all kind of intruders takes advantage of weakness and mistakes of operating systems and application to get unauthorized access. Those weakness are caused due to lack of updates and patches, mistakes in design and implementation or just a human error. The prevention method of those weaknesses and mistakes is a Vulnerability Analysis that depends upon two processes. The Vulnerability Assessment and the Penetration Testing.
Microsoft Azure, in cooperation with Qualys, offers Vulnerability Assessment at no additional cost for Azure Security Center Standard Tier. The Vulnerability Assessment Azure VM extension reports its findings to Azure Security Center. We have analyzed more Azure Security Center features at previous posts:
- Use Azure Security Center to protect your workloads
- ASC | Remediate security recommendations in 1 click
- Bulletproof manage your Azure VMs
ATTENTION! To take advance of the Qualys offering that is included at the Azure Security Center Standard Tier, without any additional cost, the extension must be installed from the Azure Security Center “Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)” recommendation and not by the “Vulnerability assessment solution should be installed on your virtual machines” recommendation.
Don’t worry if you don’t see this recommendation at your subscription yet. This is because it is a preview recommendation and it is being rolled-out slowly across all regions.
How to enable the Vulnerability Assessment extension
Go to Azure Security Center, at the “Resource Security Hygiene” and select the “Computer & apps”.
Find the “Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)” recommendation and click it.
At the recommendation page, under the “Affected resources” section, there are three tabs. The “Unhealthy resources”, the “Healthy resources” and the “Not applicable resources”. The “Unhealthy resources, are Virtual Machines that are eligible but we have not enabled the extension yet. The “Healthy resources” tab includes the Virtual Machines that already have the extension installed. The “Not applicable resources” tab includes the Virtual Machines that are not eligible for the extension. This category includes images from third party companies or they are not enabled for ASC Standard tier.
Select the Virtual Machines that you want to enable the extension and press “Remediate”
Once the extension is installed, it will need several minutes for the Virtual Machine will move to the “Healthy resources” tab and the Vulnerability Assessment scan will start. Note that if the Virtual Machine is stopped the remediation will fail. The Virtual Machine must be running for the extension to install.
To check the VM extension health, go to the VM and check the Extensions tab for “WindowsAgent.AzureSecurityCenter | Qualys.WindowsAgent.AzureSecurityCenter”
Viewing the Vulnerability Assessment results
After the extension is installed, the scan will start but it will need about 24 to 48 before you will be able to view the results. After the scan finishes, it will report he results at the Azure Security Center, under the “Remediate vulnerabilities found on your virtual machines (powered by Qualys)” recommendation.
The post Vulnerability Assessment for Azure VMs included in ASC appeared first on Apostolidis Cloud Corner.
Azure Backup Explorer is a new Azure service that enables a consolidated dashboard of all backup items, jobs, policies & alerts for all recovery services vaults across all subscriptions. It provides a single dashboard to view the status of all backups of your subscriptions.
Until now, to view the backup status, you needed to open each recovery services vault and view only the status of the backup jobs of the specific recovery services job. Azure Backup Explorer allows to view the backup job status at scale, drill down to all backup items, jobs, alerts and policies and quickly troubleshoot and take actions,
How to use Azure Backup Explorer
Open any Recovery Services Vault and at the Overview screen, under the Backup , click the “Backup Explorer link.
A workbook view will open, displaying a summary of all Backup Items, Backup Jobs, Backup Alerts and Virtual Machines that are not enabled for backup. And all that info is a summary of all subscriptions and locations. You can filter the summary by subscription, vault location and vault and also you can change the time range.
The Backup Items button shows the protection state of the Virtual Machines that are backed up.
If you press the Backup Jobs button, it shows the Jobs by Status. There you can have a quick view off all backup status, like completed, completed with warnings or failed, and also the jobs by operation, like backup or restore.
Using the Backup Alerts button shows the alerts by severity and by alert type, if you have any alerts of course.
Finally the Backup not enabled button shows the Virtual Machines that are not at any backup job. You can view them by location and by resource group.
Read more at the Backup Explorer documentation
Compliance Report using Azure Policy
Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment. At my previous posts, we learned How to limit the Azure VM Sizes and How to enforce tags for resources creation
At the current post we will learn how to use Azure Policy to have a compliance report for our deployment. We will learn this by using an example. Then we will create two Virtual Networks and we will add a Network Security Group only to the first one. Finally we will use the Policy to audit whether the Subnets have assigned the NSG or Not.
First we need two Virtual Networks. You can create the Virtual Networks using the Azure Portal or using ARM template, like mine from my Github account: https://github.com/proximagr/ARMTemplates/blob/master/2vnets.json
After applying the template you will have two VNETs like that:
Then we will a Network Security Group (NSG) only to the MyVNET01 Virtual Network. Again using Azure Portal, PowerShell or my ARM Template for NSG
Assign the NSG to the MyVNET01 VIrtual Network
Add the Policy
Go to Azure Policy -> Definitions and click the “+ Policy definition” to create a new policy definition.
At the New Policy definition page, select the subscription (location) that the policy will be saved, then add a name. in this case we will use the sample policy template from Microsoft docs so I will add the same name.
Copy the policy Json text from https://docs.microsoft.com/en-us/azure/governance/policy/samples/nsg-on-subnet and paste it at the POLICY RULE below and Save.
At the “effect” part of the Json, change the “deny” to “audit”.
If you search for “NSG” you will see our new policy definition, ready to be assigned.
Click on the definition’s name to open it and press Assign.
I will just target the “ComplianceReport” Resource Group
At the parameters, I added the Resource ID of the NSG, “MyNSG01”
Evaluate the results
To check the compliance, go to Policy – Compliance page and search for nsg. You have to wait for about 15 minutes for the compliance policy to evaluate the resources.
If you search “nsg” you will see that the “Audit NSG on Subnet” policy is 50% compliant. Click on the policy’s name to view more details.
The assignment details page will open where we can see what resources are not compliant.
Click on the three dots (…) next to the non-compliant subnet and select “view compliance details” to check why this resource is not compliant.
The compliance details reports that the value is null and what the required (target) value must be.
If you want to trigger an on-demand compliance check, you need to make a POST request. You can follow my post Validate Azure Resource Move with Postman to create the access Token and then use it to make a POST request to the Resource Group sung this POST:
Excited to be speaking at Microsoft Ignite The Tour in Milan on Jan 27-28. Join me to learn how to use Azure Platform As A Service (PaaS) to design your apps with Elasticity, Resiliency & High Availability and how to Accelerate your web applications with the Azure Front Door Service.
IT industry-leading conference is going to Milan. Don’t miss the very latest in cloud technologies and developer tools with guest speakers, industry experts, and more.
I will deliver two sessions:
A 45 minutes Breakthrough session, where I will talk about how to use Azure Platform as a Service (PaaS): Design your apps with Elasticity, Resiliency and High Availability very easy, fast and secure. Session code: BRK30169
And a 15 minute Theater session, where I will talk about how to accelerate your web applications with Azure Front Door Service. Use the Azure WAN, 130+ edge sites with WAF & Layer 7 Load Balance at a global scale. Session code: THR30089
YFeel free to find me at the Microsoft Showcase, where I will answer all your questions, discuss about Cloud Technologies and the future of our industry!
Grab your ticket at https://www.microsoft.com/it-it/ignite-the-tour/milan
See you at Milan!
The post Excited to be speaking at Microsoft Ignite The Tour in Milan! appeared first on Apostolidis IT Corner.
Global AI Bootcamp, Athens 2019
December 14, 2019 we proudly carried out the Global AI Bootcamp, Athens 2019! IT was a day full of AI and Microsoft Azure. The Global AI Bootcamp is a free one-day event organized across the world by local communities that are passionate about artificial intelligence on Microsoft Azure.
After all preparations with the assistance of Stoiximan.gr, our sponsor, the day begun at Athinais Cultural Center, at Athens, Greece. From early morning our sponsor was there with us to prepare the venue.
People start coming at 10:00 am and we checked-in 62 attendees. We started with the keynote and then the presentations. There was time at launch for networking and people looked to have fun.
After launch we have more presentations and then we proceeded with the workshop. We deliver the workshop with the assistance of two AI experts from Stoiximan.
For ending we draw gifts that our vendor Stoiximan.gr provided.
Judging from my personal experience with the attendees that day, and from their excellent evaluations, all had a great time and learn a lot about AI and Microsoft Azure.
Looking forward for our next event!
This is my Global AI Bootcamp, Athens 2019 Presentation with title:
Spin up HDInsight clusters on demand for ETL, IoT, Data Science & Machine Learning
At my presentation I explained with a hands-on demo, how to use Azure Data Factory to spin up on-demand Azure HDInsight clusters to make a process and automatically delete them once they provide the result.
Download the PowerPoint Presentation: download link
And watch the Demo:
At the previous post we created an Azure Front Door to scale our web apps across Azure Regions and also publish them only through the Front Door’s URL. At this post we will create Web Application Firewall (WAF) rules, to protect our web apps. To add WAF functionality to the Front Door we need first to create WAF rules and then attach them to the Front Door
Create the WAF Rule
From the Azure Marketplace search for WAF and create a Web Application Firewall
At the “Create a WAF policy” wizard select “Global WAF (Front Door) for policy, provide the subscription and resource group, give a name for the policy and select if you want it to be created enabled or disabled.
At the next step select if the policy will prevent the action or just detect and report it. You can change this later too. You can provide a Redirect URL for rules that support redirection. The default status code is 403 but we can change it to e.g. 404. We can also add a custom response body.
The next step is the rule. We can select one or more predefined rule sets and then customize at will.
To customize, expand the rule set and select a rule. You can enable / disable the rule and you can change the action to Allow, Block, Lod or Redirect.
WAF Custom Rule
The next step is the custom rules. There’s a lot to customise here. First are the rule type settings. Select status of the rule, enabled or disabled. Select the Rule type between Match and Rate limit. If you select rate limit you will be prompt to set rate limit and threshold. The final rule tupe setting is to set the priority of the rule.
Next is the Conditions (If this) and the action (then that).
The condition can be Geolocation, IP address, Size or String. After selecting the Match Type the rest options are altered accordingly.
The action can be Allow traffic, Deny traffic, Log traffic only or Redirect traffic
For the demo I created a rule that will Deny all traffic from The Netherlands, because I can test it from an Azure VM located at the West Europe Region.
The next step is to associate the rule to the Front Door. After that assign Tags if needed and create the rule.
Once the Rule is ready, a “Front Door WAF policy” resource will be at the selected Resource Group.
Inside the Front Door, at the Web application firewall section, you can review the assigned rules.
From an Azure VM at West Europe Region, I tried to access the Front Door’s URL and we can see my custom 403 body text!
From my Computer I tested a typical SQL Injection attack from https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) . Again my custom 403 page!
The post Use Web Application Firewall (WAF) Rules with the Front Door to protect your app appeared first on Apostolidis IT Corner.
Securely scale your Web Apps with Azure Front Door
There is a big buzz out there about Azure Front Door. Is it a Load Balancer? A CDN? A Traffic Manager? A Web Application Firewall ? A Reverse Proxy? An Application Gateway?
So, what is Azure Front Door?
Azure Front Door actually is all the above and more. It is a global service, that routes web traffic based on performance and availability. A Layer 7 multi-region load balancer with Web Application Firewall (WAF) capabilities, DDoS protection & CDN.
Azure Front Door is the entry point, the edge, of all Microsoft’s WAN. All Microsoft services, like Office 365 & Bing, are using Azure Front Door.
The services that Azure Front door provides are:
- Accelerate application performance
- Increase application availability with smart health probes
- URL-based routing
- Multi-site hosting
- URL redirection
- Session affinity
- SSL termination
- Custom Domain & certificate management
- Security via custom WAF rules
- DDoS protection
- URL rewrite
- IPv6 and HTTP/2 support
At Azure Front Door documentation there is a paragraph that can help to understand the difference between Azure Front Door and other publishing / load balancing Azure solutions and where to use each.
Azure provides a suite of fully managed load-balancing solutions for your scenarios. If you are looking for a DNS based global routing and do not have requirements for Transport Layer Security (TLS) protocol termination (“SSL offload”) or per-HTTP/HTTPS request, application-layer processing, review Traffic Manager. If you are looking for load balancing between your servers in a region, for application layer, review Application Gateway and for network layer load balancing, review Load Balancer. Your end-to-end scenarios might benefit from combining these solutions as needed.
For pricing information, see Front Door Pricing.
How to scale your web apps with Front Door
Create two simple Azure Web apps. Check this guide for a simple guide on how to create Azure App Service: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-your-first-web-app/
One at West Europe:
and one at North Europe:
Using FTP, I deployed an one-page html site at both regions. I change the text of both site to say “This Web Site is located at North Europe Azure Datacenter”
and “West Europe” to the other.
Then create a Front Door. Search for Front Door at Azure marketplace and Create one.
This is a high level diagram of the Front Door with two Web Apps design that we will create
The “create a Front Door” wizard will start and we can configure it step by step. First we will create a Frontend host by clicking the + at the Step 1
At the frontend host we will create the URL that our apps will be available. I added the papostolidis.azurefd.net. of course later you can add your custom domain and add a CNAME to route the traffic to the Front Door.
Then, at the Backend pools (Step 2), press the + to add the web apps. add a name for the backend pool, like “myapps” and press + ADD a backend to add the apps.
Select host type, you can add app service, cloud service, storage and custom host (URL). I selected the app service.
Select the subscription and the app service and add the correct ports for http and https traffic.
The priority defines if the traffic will be routed to the host with the lower priority number (e.g. 1) and if that host fails will route to the next host with bigger priority number (e.g. 2). If you add the same priority to more than one host then it will follow the weight number.
The weight number defines the percentage of requests that will be routed to each host.
The same way add the second web app
Finally select a path, protocol and interval for the probe that will do health checks to the app to define if it is active or not.
The third step is to add the routing rules. At the routing rules you can specify:
- The accepted protocol, http or https.
- the frontend host for this rule
- the patterns that the route will accept, like www.e-apostolidis.gr/mysite/* or just /* ro root.
- Route type forward or redirect.
- The backend pool that this rule will direct the traffic
- The protocol that the traffic will be forwarded. Here we define the SSL Offload if we select HTTPs for frontend accepted protocol and HTTP for backend.
- URL Rewrite rules
- Caching, for static content caching like CDN.
Once all steps are completed we can move on and create the Front Door
When the Front Door is ready, we can see the URL at the Overview.
And browse our web app using the Front Door URL:
How to protect your web apps with Front Door
Right now we scaled our web apps. If we use each app’s URL we can still access the app. The first security step is to lock the web apps to be accessed only through the Front Door URL.
Checking the Azure Front Door FAQ page, https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq it lists the Front Door’s address rance.
Front Door’s IPv4 backend IP space: 126.96.36.199/16
Go to the App Service, at the Networking section, select “Configure Access Restrictions”
Add an allow access restriction with the IP range of the Front Door.
Automatically a Deny rule will be created for everything else.
Add the rule to both web apps and then try to access the apps with their direct links.
Now on, we can access the apps only by using the Front Door URL:
This is a high level diagram after the restrictions
At the next article, we will see how to add Web Application Firewall (WAF) Rules to Front Door, Stay Tuned!!
The post Securely scale your Web Apps with Azure Front Door appeared first on Apostolidis IT Corner.