Get real insight into the performance of your Windows and Linux VMs and VMSSs, and their dependencies, with Azure Monitor. Integrate with Log Analytics for more in-depth analysis and to retain the data over time. Health, Performance and Service Map of your VM in one dashboard.
Deploy to Single VM
For a single VM, go to the VM's blade, scroll down to the “Monitoring” section, select “Insights” and press “Try now”.
The Azure Monitor Insights onboarding wizard will open. If your VM is already onboarded to a Log Analytics workspace, just click Enable. Otherwise select a Log Analytics workspace or create one.
You will start seeing data from the VM in about 20-30 minutes.
Deploy to multiple VMs using Azure Policy
For deploying to multiple VMs, the easiest way is to use Azure Policy
Go to the Azure Policy, select Assignments and press “Assign initiative”
The first option is the Scope. Press the three dots “…” at the Scope field. You can choose a Management Group, a Subscription or a Resource Group. If you select only a Management Group (and no subscription or resource group), the policy applies to all subscriptions under that management group and to all resources in those subscriptions. If you choose a Subscription (and no resource group), the policy applies to all resources in that subscription. Finally, if you choose a Resource Group, the policy applies only to that resource group. Later we will see how to target specific VMs within the subscription or resource group.
After selecting the Scope you can add exclusions: check the VMs you don’t want this policy to apply to.
The next step is to select the policy. In the BASICS section, press the three dots “…” next to “Initiative definition” and find “Enable Azure Monitor for VMs”.
Next, configure the Parameters. Select the Log Analytics workspace the VMs will be onboarded to, or create a new one. Optionally, provide a list of specific VMs instead of onboarding every VM in the scope.
Finally press Assign. Back at the Azure Policy main menu you will see the new initiative assignment.
View the Health / Performance / Service Map of the VMs
To view Azure Monitor for a VM, go to a VM on which you have enabled Insights and select the Insights blade. You will see the health status not only of the usual CPU, memory and disk,
but also of the services running inside the VM that Azure Monitor has discovered.
Clicking on any service gives you a list of all logs of that service.
In the Performance section you can select a time range and get performance analytics for the requested period.
Finally, in the Map section you get a service map of the running services and the ports that are open and listening.
Product Documentation: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-overview
The post Azure Monitor for VMs – Health, Performance & Service Map appeared first on Apostolidis IT Corner.
Today Microsoft Azure turns 9 years old. Azure was released on February 1, 2010 as “Windows Azure”, before being renamed “Microsoft Azure” on March 25, 2014.
Some major dates of Azure until now:
- October 2008 (PDC LA) – Announced the Windows Azure Platform
- March 2009 – Announced SQL Azure Relational Database
- November 2009 – Updated Windows Azure CTP, Enabled full trust, PHP, Java, CDN CTP and more
- February 1, 2010 – Windows Azure Platform commercially available! Azure is GA!
- June 2010 – Windows Azure Update, .NET Framework 4, OS Versioning, CDN, SQL Azure Update
- October 2010 (PDC) – Platform enhancements, Windows Azure Connect, improved Dev / IT Pro Experience
- December 2011 – Traffic manager, SQL Azure reporting, HPC scheduler
- June 2012 – Websites, Virtual machines for Windows and Linux, Python SDK, new portal, locally redundant storage
- April 2014 – Windows Azure renamed to Microsoft Azure, ARM Portal introduced at Build 2014.
- July 2014 – Azure Machine Learning public preview
- November 2014 – Outage affecting major websites including MSN.com
- September 2015 – Azure Cloud Switch introduced as a cross-platform Linux distribution.
- December, 2015 – Azure ARM Portal (codename “Ibiza”) released.
- March, 2016 – Azure Service Fabric is Generally Available (GA)
- September 2017 – Microsoft Azure gets a new logo and a Manifesto
- July 16, 2018 – Azure Service Fabric Mesh public preview
- September 24, 2018 – Microsoft Azure IoT Central is Generally Available (GA)
- October 10, 2018 – Microsoft joins the Linux-oriented group Open Invention Network.
Currently Microsoft Azure is available in 54 regions worldwide!
Happy Birthday Azure!
Azure Web Application Firewall (WAF) is a feature of the Azure Application Gateway that detects and prevents exploits and attacks against a web application. With a WAF we add an extra security layer in front of our application. For a sneak peek at the most common web application attacks, take a look at the OWASP Top 10 Most Critical Web Application Security Risks.
In my previous posts we have seen how to Protect your Web App using Azure Application Gateway Web Application Firewall and how to Use Log Analytics to Query the WAF Logs and email those logs to the Admins. In this post I want to share some tips on configuring the Azure Web Application Firewall.
The Azure Web Application Firewall, like every WAF, needs a “training period” in Detection mode, during which it only logs what it would have blocked, so that you can tune the configuration before switching the WAF to Prevention mode. The Azure Web Application Firewall uses the OWASP ModSecurity Core Rule Set (CRS); you can select version 2.2.9 or version 3.0. These rules include protection against attacks such as SQL injection, cross-site scripting and session hijacking.
The configuration of the Azure Web Application Firewall has two parts. One part is the OWASP rules custom configuration, where we can check / uncheck the OWASP rules that the WAF will use to analyse the requests:
and the second part is the Exclusions and the Request Size Limits:
Let’s see how to find out what to exclude and what to customize. Once you have set up the Azure Application Gateway and published your web application, turn on the firewall in Detection mode. Enable the diagnostic logs, send them to Log Analytics and start using the web application. I have covered all these steps in my previous posts, Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. To make it more fun you can actually attack your application using sample attacks, like the SQL injection samples from this link: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) and the cross-site scripting (XSS) samples from this link: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) . Both links are OWASP testing references. Do this only against an application you own, and keep in mind that in Detection mode nothing is blocked, so the sample payloads do reach the application.
After a while, run the query below to check the Azure Web Application Firewall logs (PROWAF is the name of the Application Gateway resource; replace it with yours):
AzureDiagnostics | where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall" | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s, ruleId_s, Message, details_message_s, requestUri_s, details_file_s, hostname_s
You will get the below results:
In the Message column of the log you will see the kind of attack the WAF detected.
In ruleId_s you find the OWASP rule ID. With this information you can look up the rule ID under Advanced rule configuration and uncheck that specific rule. Of course, every rule you uncheck opens a security hole, so I recommend first checking whether you can change your application to comply with the rule, and dropping the rule only if that is not possible.
In the details_message_s column you can also find the matched pattern and the request variable it was found in, which is what you need to configure the Exclusions. An exclusion for a single request header, cookie or argument name is much narrower than disabling the whole rule, but note that exclusions apply to the whole gateway, not to one URI.
Finally, configure the request size limits according to your application.
Once you finalize your Azure Web Application Firewall configuration and no longer see “Blocked” messages for legitimate traffic, change it to Prevention mode to start protecting your web application.
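The triage described above, done offline on exported rows, as an added example (not code from the original post). It assumes rows shaped like the AzureDiagnostics columns the query selects (clientIp_s, ruleId_s, Message, details_message_s, requestUri_s, details_file_s, hostname_s); the sample rows, IP addresses, rule files and matched data are constructed, and the "many distinct clients on one URI" rule is a heuristic of my own, not an Azure feature.

```python
"""Triage Application Gateway WAF logs collected in Detection mode.

Added example, not code from the original post.  The rows mimic the
AzureDiagnostics columns selected by the post's KQL query (clientIp_s,
ruleId_s, Message, details_message_s, requestUri_s, details_file_s,
hostname_s); the rows themselves are constructed sample data.
"""
import re
from collections import Counter, defaultdict

SQLI_RULES = "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
XSS_RULES = "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"


def row(ip, rule_id, message, detail, uri, rule_file):
    """Build one log row in the shape of the AzureDiagnostics columns."""
    return {"clientIp_s": ip, "ruleId_s": rule_id, "Message": message,
            "details_message_s": detail, "requestUri_s": uri,
            "details_file_s": rule_file, "hostname_s": "www.example.com"}


# Constructed sample: one scanner probing two endpoints, plus four different
# users whose blog comments happen to contain SQL keywords.
SAMPLE_ROWS = [
    row("203.0.113.10", "942100", "SQL Injection Attack Detected via libinjection",
        "Matched Data: s&1c found within ARGS:id: ' OR 1=1--", "/products", SQLI_RULES),
    row("203.0.113.10", "942100", "SQL Injection Attack Detected via libinjection",
        "Matched Data: 1UEk found within ARGS:id: 1 UNION SELECT 1,2,3", "/products", SQLI_RULES),
    row("203.0.113.10", "941100", "XSS Attack Detected via libinjection",
        "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>", "/search", XSS_RULES),
] + [
    row(f"198.51.100.{n}", "942100", "SQL Injection Attack Detected via libinjection",
        "Matched Data: sUEs found within ARGS:body: please select the union option from the list",
        "/blog/comment", SQLI_RULES)
    for n in range(1, 5)
]

# The CRS message names the variable the rule matched, e.g. "ARGS:body".
FIELD_RE = re.compile(r"found within (\w+:\w+)")


def summarize(rows):
    """Counterpart of the post's 'summarize count() by ruleId_s, requestUri_s'."""
    return Counter((r["ruleId_s"], r["requestUri_s"]) for r in rows)


def exclusion_candidates(rows, min_clients=3):
    """Heuristic: a rule firing on one URI from many distinct clients is more
    likely matching legitimate input than an attack.  Returns
    (rule, uri, matched field, distinct clients) so an exclusion can be
    scoped to that argument instead of unchecking the whole rule."""
    clients = defaultdict(set)
    fields = {}
    for r in rows:
        key = (r["ruleId_s"], r["requestUri_s"])
        clients[key].add(r["clientIp_s"])
        m = FIELD_RE.search(r["details_message_s"])
        if m:
            fields[key] = m.group(1)
    return sorted((rule, uri, fields.get((rule, uri)), len(ips))
                  for (rule, uri), ips in clients.items()
                  if len(ips) >= min_clients)


def recommendations(rows, min_clients=3):
    """One line of tuning advice per candidate."""
    return [f"rule {rule} on {uri}: {n} distinct clients matched {field}; "
            f"add an exclusion for {field} (exclusions are gateway-wide, so check "
            f"the name is not used elsewhere) before disabling the rule"
            for rule, uri, field, n in exclusion_candidates(rows, min_clients)]


if __name__ == "__main__":
    for (rule, uri), n in sorted(summarize(SAMPLE_ROWS).items()):
        print(f"{rule} {uri:<14} {n}")
    for line in recommendations(SAMPLE_ROWS):
        print(line)
```

The scanner's hits on /products and /search come from a single client and stay out of the candidate list, which is what you want: those are the rules you keep. The comment form is the one place where the same rule, same argument, and many unrelated clients line up, so the advice is an exclusion on that argument rather than unchecking rule 942100 for the whole gateway.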
WAF Overview: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
WAF Configuration: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-waf-configuration
OWASP ModSecurity Core Rule Set (CRS): https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
In this post we will create a Logic App that queries the Log Analytics workspace for the WAF logs of the last 24 hours and sends the results in an email, using a free SendGrid account.
A Web Application Firewall protects your application from common web vulnerabilities. Azure provides enterprise grade Web Application Firewall through the Application Gateway. You can read more at my previous post: https://www.e-apostolidis.gr/microsoft/azure/protect-your-web-application-with-azure-application-gateway-waf/
Use Log Analytics to Query the WAF Logs
The Application Gateway WAF sends its logs to the Log Analytics workspace. You can view them with a typical query like the one below, which lists all events of the past 24 hours (PROWAF is the name of the Application Gateway resource; replace it with yours).
AzureDiagnostics | where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall" | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s, ruleId_s, Message, details_message_s, requestUri_s, details_file_s, hostname_s
You can save the query by clicking the Save button and give it a name and a Category.
We can send those logs as email by using an Azure Logic App and a SendGrid account. You can see how to create a SendGrid free account at my previous post: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/
Create a Logic App
In portal.azure.com, click Create a resource, type “logic app”, click “Logic App” and press “Create”.
In the Logic App creation wizard add the Name, Subscription, Resource Group and Location and press Create.
Next the Logic App will be created. Open it and from the Logic Apps Designer select the “Recurrence” common trigger.
Change the Recurrence Interval to “1” and the Frequency to “Day” and press “+ New step”.
Search for “log analytics” and select “Run query and visualize results”.
I will proceed with “Sign in”; you can also use a Service Principal, but we will cover this in another post.
After you log in, select the Subscription, Resource Group and Log Analytics Workspace. Next, add the query, select “Html Table” as the Chart Type and add a “Next Step”.
Search for “sendgrid” and select “Send email (V2)”.
Add a name for the connection and the API key that you created in the SendGrid post (the restricted, Mail Send only key) and press Create: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/
Fill in the From address, To address and Subject. In the email body, add dynamic content and select the blocks of the previous step's result.
Press Save to save the Flow and Run to test it.
The result at my email:
The post Serverless Computing | Email Report Azure WAF Logs appeared first on Apostolidis IT Corner.
Azure offers a free SMTP relay through the SendGrid application. SendGrid is a cloud service that provides email delivery and marketing campaigns. The free offer covers up to 25,000 emails per month and includes full reporting and analytics and 24/7 support.
In this post we will see how to create a free SendGrid account that can be used for many purposes, like:
- Send emails through an application using the SendGrid API
- Send email campaigns, newsletters, etc using the SendGrid SMTP service
At the Azure Portal, portal.azure.com, search for sendgrid and click the “SendGrid Email Delivery”
The SendGrid account wizard will open. Fill the name and password, select subscription and resource group and choose the F1 free pricing tier. Also fill the contact information, accept the legal terms and press “Create”
Once the SendGrid Account is created, navigate to it and select Manage
The SendGrid portal will open. Navigate to the Settings / API Keys to Create an API Key.
Enter a name for the key. For permissions you only need to send emails, so select Restricted Access and add “Mail Send”. Press “Create & View” to create the key.
You will only see the key once, upon creation. After that there is no way to see the key again, so copy and keep it safe.
We are ready to send emails using any host that supports SMTP. The settings are:
- Server: smtp.sendgrid.net
- Username: apikey
- Password: “The API Key you created before”
- Ports: SSL 465, unencrypted 25, TLS (STARTTLS) 587
- More about SendGrid SMTP: https://sendgrid.com/docs/API_Reference/SMTP_API/integrating_with_the_smtp_api.html
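The settings above, used from a script, as an added example (not code from the original post). It assumes the restricted "Mail Send" key is provided in an environment variable named SENDGRID_API_KEY (a name chosen for this example), and it deliberately refuses port 25 so the key is only ever sent over TLS; the addresses in the usage call are placeholders.

```python
"""Send a message through the SendGrid SMTP relay using the settings above.

Added example, not code from the original post.  Assumptions: the restricted
("Mail Send" only) API key is supplied in the SENDGRID_API_KEY environment
variable rather than hard-coded, and the example refuses the unencrypted
port so the key is only ever sent over TLS.
"""
import os
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST = "smtp.sendgrid.net"
SMTP_USER = "apikey"            # literal username; the API key is the password
TLS_PORTS = {465: "implicit TLS", 587: "STARTTLS"}   # port 25 deliberately absent


def build_message(sender, recipient, subject, body):
    """Assemble a plain-text message with the headers SendGrid needs."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def load_api_key(env_var="SENDGRID_API_KEY"):
    """Read the key from the environment; fail loudly instead of sending without it."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    return key


def send(msg, api_key, port=587):
    """Deliver msg via SendGrid over 465 (SMTPS) or 587 (STARTTLS)."""
    if port not in TLS_PORTS:
        raise ValueError(f"port {port} is not a TLS port; refusing to send the API key in clear")
    ctx = ssl.create_default_context()          # verifies the relay's certificate
    if port == 465:
        with smtplib.SMTP_SSL(SMTP_HOST, port, context=ctx) as smtp:
            smtp.login(SMTP_USER, api_key)
            smtp.send_message(msg)
    else:
        with smtplib.SMTP(SMTP_HOST, port) as smtp:
            smtp.starttls(context=ctx)
            smtp.login(SMTP_USER, api_key)
            smtp.send_message(msg)


if __name__ == "__main__":
    message = build_message("alerts@example.com", "admin@example.com",
                            "SendGrid relay test", "Sent through smtp.sendgrid.net.")
    send(message, load_api_key())
```

The API key is a bearer credential: whoever holds it can send mail as you, so keep it out of source files and out of port-25 sessions, and use the Mail Send-only permission created above so a leaked key cannot read your account data.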
Working as a cloud consultant, administrator or architect, many companies will give you guest (Azure AD B2B) access to their subscriptions. After the engagement is completed, the subscription admins often forget to remove this access. As a result you still have access to resources for no reason, and the list of your available subscriptions grows, making it difficult to choose the right subscription to work in.
In this post we will walk through the steps of removing your account from those subscriptions. Since this is an identity matter, you need to go to the https://account.activedirectory.windowsazure.com portal and sign in with your account. I logged in with my account, email@example.com
There you will see a list of all the applications that you have access to in the tenant where your account resides. Press the user icon at the top right corner.
Once you press the user icon, a drop-down menu appears listing all the organizations you have been given access to. Next to “ORGANIZATIONS”, press the gear icon.
You will be redirected to the organizations section of the portal. There, in order to leave an organization, you need to sign in: clicking “sign in to leave organization” redirects you to that tenant. The tricky part here is choosing the right organization, since many organizations do not change the “Default directory” name. An easy way to check is to hover your mouse over the “sign in to leave organization” link; you will see the tenant ID at the bottom of the page.
Now, by navigating to https://portal.azure.com and pressing the Subscription filter button in the top bar, near the notifications icon, you get a list of all organizations with their tenant IDs and names.
After confirming the ID of the organization you want to leave, go back to the organization selection portal and press “sign in to leave organization”. There, in the browser’s address bar, you will see the organization's tenant ID again. Check it once more just to be sure.
There you need again to press the user icon and the little gear icon
Finally you have the option to “Leave organization”
A final warning will appear, just to be sure, and by pressing “Leave” you instantly lose all access to that organization and it will no longer be listed in your subscription filter.
After a while you will also receive an email from Microsoft invitations that you have left that organization.
At the Azureheads #15 meetup we talked about how to integrate our data using Azure Data Factory, and how to call from Azure Data Factory an Azure HDInsight cluster that is created on demand. After the process ends, the HDInsight cluster is automatically deleted.
Also we saw how we can copy and transform data from almost any source to almost any location.
Download the presentation: http://bit.ly/AH15Presentation
Download the demo video: http://bit.ly/AH15Video
Download the project files: http://bit.ly/AH15Projectfiles
In the demo, we created a data factory. In the data factory we created a pipeline that reads a Python script from an Azure Storage account folder. Azure Data Factory creates an on-demand HDInsight Spark cluster and runs the Python script. The Python script reads a text and outputs the word count of the input text. Finally the cluster is automatically deleted.
The post Azureheads #15 | Integrate your data to the cloud meetup resources appeared first on Apostolidis IT Corner.
Today Microsoft Azure announced the Simplified restore experience for Azure virtual machines https://azure.microsoft.com/en-us/updates/simplified-restore-of-azure-vms/
Now we can restore an Azure VM directly with managed disks with a truly single-click operation.
In addition, we can restore only the unmanaged disks to a storage account and the process will create a template for us to create the VM on a later time.
So, at the recovery services vault, select a VM to restore and you will see two main options.
Create New: to create a new Virtual Machine with managed disks or to restore the disks with the ARM Template
Replace existing: To restore the VM in-place, replacing the current VM.
For both options you need to select a staging storage account, to which the VHD files are restored. Those files are auto-converted to managed disks by the process.
Create an Ultra High Available on-prem <-> Azure VPN Connection
In this post we will see how to make a highly available connection between our on-premises network and Azure. This way we will have an Active-Active, Dual-Redundancy VPN connection.
The idea behind this is that we have a router/firewall cluster, connected to two ISPs, and we want a VPN connection to Azure that actively uses both ISPs. I call this end-to-end highly available connectivity between our on-premises infrastructure and Azure. Strictly speaking, the active-active dual-redundant topology requires two different on-premises VPN devices, but we can accomplish almost the same functionality with one device and two different interfaces on two different ISPs.
The requirement for this topology, apart from the router/firewall cluster and the two ISPs, is that the Azure VPN Gateway must be a Standard, HighPerformance or VpnGw SKU. The Basic SKU does not support Active-Active mode.
As you can see in the diagram above, the Active-Active VPN Gateway creates two active VPN nodes. Each node connects to each on-premises network interface, in a mesh topology, and all network traffic is distributed across all the connections. To accomplish this we also need to enable BGP on both the on-premises device and the Azure VPN Gateway, each with a different ASN.
Lets lab it:
Create a Virtual Network Gateway: type VPN, Route-based, SKU VpnGw1 or larger.
Enable active-active mode; this will create two nodes. Give the names of the two public IPs.
Check “Configure BGP ASN” and change the default ASN; I used 65510.
Wait a lot… more than the typical 45 minutes, a lot more…
When the gateway is created you will see that the public IP address is called “First public IP address”. If you click the “see more” link you will see the second IP too.
You can see both IPs from the Properties page too.
Second, we need to create two Local Network Gateways, to represent the two interfaces of our on-premises device. Both must be created with the same ASN. This ASN must be different from the gateway's, and it must be the ASN configured in the local device's VPN/BGP configuration. Avoid the ASNs Azure reserves for itself (65515, 65517, 65518, 65519, 65520 and the public 8074, 8075, 12076).
Now, create the connection
And remember to enable BGP at the Connection’s Configuration
As soon as the local device is configured, both connections become connected.
From PowerShell we can see both local (BGP peering) IPs of the two nodes of the Azure VPN Gateway.
Test and Troubleshooting
Currently the only way to see the connections between the Azure gateway nodes and the local device's interfaces is the PowerShell command below:
Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName "gatewayname" -ResourceGroupName "resourcegroupname"
Every time you run this command you get an answer from one of the two nodes at random. In the above screenshot, the first is one node and the second is the other.
The first node's peer, 192.168.xx.9, shows that it is connected to the 10.xx.xx.2 local network peer and connecting to the second peer, 10.xx.xx.1.
The second node's peer, 192.168.xx.8, shows that it is connected to the 10.xx.xx.1 local network peer and connecting to the second peer, 10.xx.xx.2.
The test I performed was to unplug one interface from the local device. The Azure gateway's first node state was Connecting for both, and the second node was the same, connecting to .2 and connected to .1. In this test I lost a single ping.
After that I plugged the cable back in, waited less than a minute and unplugged the second cable. Now the first node still shows disconnected, but the first node connected to the .2 local IP and connecting to .1. With this test I lost only one ping. I also realized that it is random which node's private IP will connect with the local device's private IP. Both Azure gateway IPs, 192.168.x.8 & .9, can connect with the local device's IPs 10.x.x.1 & .2, and this is the magic of the Active-Active Dual Redundancy VPN connection.
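The same cable-pull check, turned into a script you can run against the exported peer status, as an added example (not code from the original post). The LocalAddress / Neighbor / State property names are assumed from the cmdlet's output, the 192.168.0.x gateway peer IPs and 10.0.0.x local interface IPs are constructed, and merge_samples addresses the fact noted above that each run answers from only one node.

```python
"""Check Active-Active VPN gateway redundancy from BGP peer status output.

Added example, not code from the original post.  Each dictionary mimics the
LocalAddress / Neighbor / State properties that
Get-AzureRmVirtualNetworkGatewayBGPPeerStatus returns (assumed property
names); addresses and states are constructed to reproduce the cable-pull
tests described above.
"""
from collections import defaultdict

NODE_A, NODE_B = "192.168.0.8", "192.168.0.9"      # gateway BGP peer IPs (constructed)
ONPREM_1, ONPREM_2 = "10.0.0.1", "10.0.0.2"        # local device interfaces (constructed)


def peer(local, neighbor, state):
    """One row of peer status, in the shape the cmdlet returns."""
    return {"LocalAddress": local, "Neighbor": neighbor, "State": state}


def merge_samples(samples):
    """The cmdlet answers from one gateway node at random, so run it a few
    times and merge: the most recent row for each (node, neighbor) wins."""
    latest = {}
    for sample in samples:
        for p in sample:
            latest[(p["LocalAddress"], p["Neighbor"])] = p
    return list(latest.values())


def redundancy(peers):
    """'full' = every session Connected, 'down' = none Connected, otherwise
    'degraded'; also name the nodes and on-prem peers left with no session."""
    by_node, by_neighbor = defaultdict(list), defaultdict(list)
    for p in peers:
        up = p["State"] == "Connected"
        by_node[p["LocalAddress"]].append(up)
        by_neighbor[p["Neighbor"]].append(up)
    connected = sum(up for ups in by_node.values() for up in ups)
    status = "down" if connected == 0 else "full" if connected == len(peers) else "degraded"
    return {"status": status,
            "isolated_nodes": sorted(n for n, ups in by_node.items() if not any(ups)),
            "isolated_neighbors": sorted(n for n, ups in by_neighbor.items() if not any(ups))}


# Constructed samples: the full mesh, then the cable to ONPREM_2 unplugged.
FULL_MESH = [peer(NODE_A, ONPREM_1, "Connected"), peer(NODE_A, ONPREM_2, "Connected"),
             peer(NODE_B, ONPREM_1, "Connected"), peer(NODE_B, ONPREM_2, "Connected")]
CABLE_2_OUT = [peer(NODE_A, ONPREM_1, "Connected"), peer(NODE_A, ONPREM_2, "Connecting"),
               peer(NODE_B, ONPREM_1, "Connected"), peer(NODE_B, ONPREM_2, "Connecting")]

if __name__ == "__main__":
    # Two runs, each answered by a different node, merged into one view.
    merged = merge_samples([CABLE_2_OUT[:2], CABLE_2_OUT[2:]])
    print(redundancy(FULL_MESH))
    print(redundancy(merged))
```

"degraded" is the state the post's single lost ping corresponds to: traffic still flows, but one more failure takes the tunnel down, so it is the condition to alert on rather than wait for "down".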
The post Create an Ultra High Available on-prem <-> Azure VPN Connection appeared first on Apostolidis IT Corner.
Save money following the Azure Advisor Recommendations
Microsoft Azure has a very helpful service called Azure Advisor. Think of it as your personal adviser on Azure services. Azure Advisor gives advice and recommendations about operations, availability, performance, security and cost.
By following the Cost section of Azure Advisor you can save a lot of money. One of the recommendations you will see, and it is very impressive, is about VM sizes. Advisor collects the performance metrics of the running VMs; if a VM uses fewer resources than allocated, you get a recommendation to reduce the size of that VM, together with the actual yearly cost saving.
Another impressive recommendation is the cost-saving calculation for reserved instances. You get a yearly estimate of how much you would save on your VMs by buying Azure Reserved Instances.
Azure Advisor is accessed from the Azure Portal; it is one of the pinned options in the sidebar. Click Advisor and, after the recommendations are refreshed, you will see the advice.
This is an example of a subscription that can save money per year.
By clicking the Cost recommendation box you will see the detailed recommendation. This one says you can save this amount of money by buying reserved instances.
The post Save money following the Azure Advisor Recommendations appeared first on Apostolidis IT Corner.