How to use Azure Policy to automatically backup your IaaS VMs

In this blog post you will see how easy it is to use Azure Policy to automatically configure Azure Backup for your Azure IaaS VMs.

For this blog post I'm using the Azure portal; configuring the same thing with the CLI or ARM templates is of course also possible. Open the Azure portal and go to the Policy pane.


Go to Definitions, select your subscription as the scope and filter the Category option to Backup only.


You will notice the option Configure backup on VMs of a location to an existing central Vault in the same location. Open this built-in policy and choose Assign.

Now fill in the Scope (the subscription of the policy assignment). This is the name/ID of the subscription you are linking to this policy assignment. You can also specify a specific resource group, or leave that blank to apply the policy to all resource groups in the subscription.

Now we can add exclusions (when applicable), a custom assignment name and a description.

Go through the remaining panes and fill in the required parameters: the location/region of the vault, the backup policy name, and so on.

Servers that are already deployed can be remediated, so the Azure Backup policy is applied to existing IaaS VMs as well as to newly created ones.

Choose to create the assignment and wait a while. Then go back to the Azure Policy pane to see the compliance results for your policy.
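The same assignment done from the command line with the Az PowerShell module, as an added example that is not part of the original post. It assumes Connect-AzAccount has been run, that Az.Resources, Az.RecoveryServices and Az.PolicyInsights are installed, and that the vault, resource group and backup policy names (placeholders below) exist.

```powershell
# Added example (not from the original post): the assignment the post makes in the portal,
# done with the Az PowerShell module. Vault and resource group names are placeholders.
$subscriptionId     = (Get-AzContext).Subscription.Id
$vaultResourceGroup = 'rg-backup-weu'      # placeholder: resource group holding the central vault
$vaultName          = 'rsv-central-weu'    # placeholder: the existing Recovery Services vault
$location           = 'westeurope'         # the policy only protects VMs in the vault's own region

# Look the built-in definition up by display name so no definition GUID has to be hardcoded
# (the display name has changed slightly between releases, hence the wildcard). Older
# Az.Resources versions expose the name under .Properties, newer ones directly on the object.
$definition = Get-AzPolicyDefinition -Builtin | Where-Object {
    @($_.DisplayName, $_.Properties.DisplayName) -like 'Configure backup on*existing*vault*same location*'
} | Select-Object -First 1
if (-not $definition) { throw 'Built-in "Configure backup ..." policy definition not found' }

# The backup policy (schedule and retention) inside the vault that protected VMs will receive.
$vault        = Get-AzRecoveryServicesVault -ResourceGroupName $vaultResourceGroup -Name $vaultName
$backupPolicy = Get-AzRecoveryServicesBackupProtectionPolicy -VaultId $vault.ID -Name 'DefaultPolicy'

$assignmentName = 'vm-backup-to-central-vault'
New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName "Back up all VMs in $location to $vaultName" `
    -Scope "/subscriptions/$subscriptionId" `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ vaultLocation = $location; backupPolicyId = $backupPolicy.Id } `
    -Location $location `
    -IdentityType SystemAssigned | Out-Null   # deployIfNotExists needs a managed identity to remediate

# New VMs are handled at creation time; VMs that already exist only get protected by a
# remediation task, which is what the "remediate" step in the portal starts.
$assignmentId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/policyAssignments/$assignmentName"
Start-AzPolicyRemediation -Name 'vm-backup-initial-remediation' `
    -PolicyAssignmentId $assignmentId `
    -Scope "/subscriptions/$subscriptionId" | Out-Null
Write-Host 'Assignment created; check compliance in the Policy pane after the next evaluation cycle.'
```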


Help! I want to rename my Azure Resource Groups

Earlier this week someone asked me if it's possible to rename an Azure resource group for governance purposes. Unfortunately you can't rename resource groups, but don't worry, there are ways to achieve the same goal.

Option 1: Create and move

The first option is that you create a resource group with the new name.

Just go to Resource Groups and hit that create button!


Now go to the resource group with the old name, select all resources and click Move.


Notice that you have two options: move to another subscription or move to another resource group.


Choose to move to another resource group.


Select the resource group you've just created and tick the confirmation box. The resources are now moved; wait for the completion notification. Then go to the old resource group, verify that no resources are left and choose Delete.


Note that tools and scripts that use hardcoded resource IDs may fail, because every moved resource now has a different resource ID (the resource group name is part of it).

Option 2: CLI baby... 🙂

For the techies: there is an easier way to do this. We can use the command line (oh yeahhh):

First step, create a new resource group :

az group create -l westus -n <destResourceGroupName>

Now move all the resources from the old resource group to the new one (this step uses the Azure PowerShell module; the other two steps use the Azure CLI):

Get-AzureRmResource -ResourceGroupName <sourceResourceGroupName> | Move-AzureRmResource -DestinationResourceGroupName <destResourceGroupName>

And finally delete the old (now empty) resource group:

az group delete -n <sourceResourceGroupName>
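The whole procedure as one Az PowerShell script, added here as an example that is not part of the original post: it moves all resources in a single move operation, refuses to delete the source group unless it is really empty, and prints the old and new resource IDs for the hardcoded-ID caveat above. It assumes Connect-AzAccount has been run; the group names are placeholders.

```powershell
# Added example (not from the original post): move every resource from one resource group
# to another in one operation, verify the source is empty and only then delete it.
param (
    [string] $SourceResourceGroup = 'rg-old-name',   # placeholder
    [string] $TargetResourceGroup = 'rg-new-name',   # placeholder
    [string] $Location            = 'westeurope'
)

# Create the target group with the same tags as the source so governance metadata survives.
$source = Get-AzResourceGroup -Name $SourceResourceGroup
$tags   = if ($source.Tags) { $source.Tags } else { @{} }
if (-not (Get-AzResourceGroup -Name $TargetResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $TargetResourceGroup -Location $Location -Tag $tags | Out-Null
}

# Collect the resource IDs first: dependent resources (a VM with its NICs and disks) must move
# in the same operation, so pass all IDs to one Move-AzResource call instead of piping one by one.
$resourceIds = @((Get-AzResource -ResourceGroupName $SourceResourceGroup).ResourceId)
if ($resourceIds.Count -eq 0) { throw "No resources found in $SourceResourceGroup" }

Write-Host "Moving $($resourceIds.Count) resource(s) to $TargetResourceGroup ..."
Move-AzResource -DestinationResourceGroupName $TargetResourceGroup -ResourceId $resourceIds -Force

# Re-check that nothing was left behind before deleting the source group.
$leftovers = @(Get-AzResource -ResourceGroupName $SourceResourceGroup)
if ($leftovers.Count -gt 0) {
    throw "Move incomplete: $($leftovers.Count) resource(s) still in $SourceResourceGroup, not deleting it"
}
Remove-AzResourceGroup -Name $SourceResourceGroup -Force | Out-Null

# Every resource ID has changed; list old -> new so hardcoded references can be updated.
$pattern = '/resourceGroups/' + [regex]::Escape($SourceResourceGroup) + '/'
foreach ($id in $resourceIds) {
    $newId = $id -replace $pattern, "/resourceGroups/$TargetResourceGroup/"
    Write-Host "$id -> $newId"
}
```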

Help! Someone disabled my virtual network adapter @ my Azure VM

Today someone asked me how to re-enable an Azure VM network adapter. With an on-premises hypervisor like VMware you can use the console session to log on and re-enable the virtual network adapter. In this blog post I describe how to deal with this situation when it happens inside an Azure VM. Help is on the way!

You can use the Azure portal or PowerShell to regain access to your virtual machine.

Resolve using the Azure portal

Log on to the Azure portal and go to the network interface settings of the virtual machine.


Change the private IP address to any other unused, valid IP address in the same subnet. After the change, Azure automatically re-enables the virtual network adapter inside the guest. Better safe than sorry: reboot the virtual machine, change the IP address back to the old value (when it needs to be static), and you have access to the virtual machine again!

Resolve using Azure PowerShell

Use these steps when you prefer the command line. Go to shell.azure.com or open a local Azure PowerShell session.


Find the NIC details of the VM we need to fix using the following command:

Get-AzureRmNetworkInterface -ResourceGroupName "My-ResourceGroup"

Note the network interface name, the current IP address and the allocation method in use.


Now we need to assign a different IP address from the same subnet to the same NIC.

Use the following PowerShell commands:

# Load the NIC object; the NIC name "my_AzureVM" and the new address are the values noted above
$Nic = Get-AzureRmNetworkInterface -ResourceGroupName "My-ResourceGroup" -Name "my_AzureVM"
# Temporarily give the first IP configuration a different, unused address from the same subnet
$Nic.IpConfigurations[0].PrivateIpAddress = "10.2.5.197"
$Nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
# Optional: tag the NIC so it is obvious later that the address was changed on purpose
$Nic.Tag = @{Name = "Name"; Value = "Value"}
# Push the change to Azure; this is what re-enables the adapter inside the guest
Set-AzureRmNetworkInterface -NetworkInterface $Nic

Reboot your virtual machine and change the IP address back to the old value. You are all set!
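The full change-reboot-restore cycle as one script with the current Az module, added here as an example that is not part of the original post. It lets Azure pick a free address in the NIC's own subnet instead of guessing one, and assumes Connect-AzAccount has been run; the resource group, VM and NIC names are placeholders.

```powershell
# Added example (not from the original post): temporarily re-address the NIC to re-enable it,
# reboot, then put the original address and allocation method back.
param (
    [string] $ResourceGroup = 'My-ResourceGroup',  # placeholder
    [string] $VmName        = 'my_AzureVM',        # placeholder
    [string] $NicName       = 'my_AzureVM-nic'     # placeholder
)

$nic            = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $NicName
$ipConfig       = $nic.IpConfigurations[0]
$originalIp     = $ipConfig.PrivateIpAddress
$originalMethod = $ipConfig.PrivateIpAllocationMethod
Write-Host "Current address: $originalIp ($originalMethod)"

# The subnet ID encodes the VNet's resource group (index 4) and name (index 8):
# /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
$parts = $ipConfig.Subnet.Id -split '/'
$vnet  = Get-AzVirtualNetwork -ResourceGroupName $parts[4] -Name $parts[8]

# The current address is in use, so Azure answers with a short list of free addresses
# from the same subnet; take the first one as the temporary address.
$avail     = Test-AzPrivateIPAddressAvailability -VirtualNetwork $vnet -IPAddress $originalIp
$candidate = $avail.AvailableIPAddresses[0]
Write-Host "Temporarily switching to $candidate"

# Step 1: apply the temporary static address; this is what re-enables the adapter in the guest.
$ipConfig.PrivateIpAddress          = $candidate
$ipConfig.PrivateIpAllocationMethod = 'Static'
$nic | Set-AzNetworkInterface | Out-Null

# Step 2: reboot so the guest picks up the change cleanly.
Restart-AzVM -ResourceGroupName $ResourceGroup -Name $VmName | Out-Null

# Step 3: restore the original address and allocation method (re-read the NIC to get a fresh etag).
$nic      = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $NicName
$ipConfig = $nic.IpConfigurations[0]
$ipConfig.PrivateIpAddress          = $originalIp
$ipConfig.PrivateIpAllocationMethod = $originalMethod
$nic | Set-AzNetworkInterface | Out-Null
Write-Host "Restored $originalIp ($originalMethod) on $NicName"
```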


How to find the Azure Site Recovery Passphrase

When you have to install the Azure Site Recovery agent manually, you must provide the passphrase. In this blog post I describe how you can find it.

Go to your ASR installation directory (for example \Program Files (x86)\Microsoft Azure Site Recovery\Agent).

Look for the genpassphrase.exe file and run it with administrator credentials.


After running it you can find a file named connection.passphrase. Open this file in your favourite editor and you have found your passphrase. Good luck!



How to deploy WordPress using Azure Kubernetes Service (AKS)

As more developers work within distributed environments, tools like Kubernetes have become central to keeping application components standardized across dynamic build and production environments. With the increasing complexity of application ecosystems and the growing popularity of Kubernetes, tools that help manage resources within Kubernetes clusters have become essential.

In this blog post I'm using Helm to set up WordPress on top of an AKS cluster, in order to create a highly available website. In addition to leveraging the intrinsic scalability and high availability of Kubernetes, this setup helps keep WordPress secure by providing simple upgrade and rollback workflows via Helm.

Like all major cloud vendors, Microsoft Azure has its own flavour of Kubernetes as a managed platform, aptly named Azure Kubernetes Service. PaaS Kubernetes offerings are a really fantastic way to take advantage of the benefits of Kubernetes without the traditional system administration overhead (securing, patching, scaling, etc.).

In this blog post I'm taking you on the journey of creating an AKS cluster, deploying a (default installation of a) WordPress blog using Helm, and updating the WordPress version, also using Helm.

In this example I'm using the next-next-next installation of WordPress with MariaDB. By default, the WordPress chart installs MariaDB in a separate pod inside the cluster and uses it as the WordPress database. This works for demonstration purposes, but for a production environment I advise you to use an external MySQL database. This and other configuration options (such as the default WordPress admin user and password) can be set at installation time, either via command-line parameters or via a separate YAML configuration file. In this example I'm not using a YAML file with specific values for WordPress.

First, log in to your Azure subscription:

az login


Now make sure you are working in the right subscription:

az account set -s <mysubscriptionid>

Ok, let's start by creating a resource group for the AKS service:

az group create --name AKS --location westeurope

In the portal I can see that the resource group has been created.


Next, we create the managed Kubernetes cluster with 3 nodes in the resource group we just created:

az aks create --name AKSCLUSTER --resource-group AKS --node-count 3 --generate-ssh-keys

In the portal I can see that the AKS cluster has been created.


After the cluster has been created, merge its credentials into your local kubeconfig with:

az aks get-credentials --name AKSCLUSTER --resource-group AKS

Ok, next step: we need to install kubectl (the kubernetes-cli package). I prefer doing this with Chocolatey. You can install Chocolatey from an elevated command prompt using:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Now install kubernetes-cli using choco:

choco install kubernetes-cli

And install Helm using choco:

choco install kubernetes-helm

Now add the Azure Marketplace repo to your Helm repositories:

helm repo add azure-marketplace https://marketplace.azurecr.io/helm/v1/repo

Check that kubectl is using the context of the new cluster:

kubectl config get-contexts

Now let's install a default installation of WordPress using Helm:

helm install myblog azure-marketplace/wordpress

After a couple of minutes the WordPress pods are running. You can watch their status using the following command:

kubectl get pods -w


You can use the kubectl get svc command to see which public IP address the WordPress service received:

kubectl get svc


Here you see the WordPress website is available on the 51.105.X.X IP address.


Ok, now you probably want to log in to WordPress to check that everything really works. 🙂 But where are my credentials?

You will have noticed the following screen when deploying WordPress.


By default the admin user is called user and the password is stored base64-encoded in a Kubernetes secret. This is how you can find the password belonging to the admin user called user. In this blog post I used the default next-next-next deployment of WordPress, but you will of course want to use specific values stored in a values.yaml file (that will be in a future blog post).

You can use the commands in the screenshot to find your password. In my case (because I'm using PowerShell on a Windows 10 device) I didn't have the base64 --decode command available. This is how to find your password manually:

kubectl get secret


You see the secrets stored for the myblog-wordpress website. Let’s get them! 🙂

kubectl get secret myblog-wordpress -o yaml


Ok, let's copy that encoded password into a base64 decoder. On Linux/macOS you can simply use base64 --decode. On a Windows 10 workstation you can install a base64 tool or use a website that does the job for you. I've used www.base64decode.org (there is also a base64encode.org website).


Now you see the decoded password belonging to the specified admin user and we are able to log in to the /wp-admin page.
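Since kubectl and PowerShell are both already on the Windows workstation, the password can be read from the secret and decoded locally, so it never has to be pasted into a website. This is an added example, not part of the original post; it assumes kubectl is pointed at the cluster and that the chart stores the admin password under the wordpress-password key of the myblog-wordpress secret (as the Bitnami-based chart's notes do).

```powershell
# Added example (not from the original post): read one key from a Kubernetes secret with kubectl
# and base64-decode it in PowerShell. Assumes kubectl is on PATH and uses the AKS cluster context,
# and that the WordPress chart stores the password under the 'wordpress-password' key.
function Get-K8sSecretValue {
    param (
        [Parameter(Mandatory)] [string] $SecretName,
        [Parameter(Mandatory)] [string] $Key,
        [string] $Namespace = 'default'
    )
    # jsonpath returns only the base64 text of the requested key instead of the whole YAML document.
    $b64 = kubectl get secret $SecretName -n $Namespace -o "jsonpath={.data.$($Key)}"
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($b64)) {
        throw "Could not read key '$Key' from secret '$SecretName' in namespace '$Namespace'"
    }
    # Secret data is base64-encoded (not encrypted); .NET decodes it without any extra tooling.
    return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
}

# Usage: fetch the admin password and put it on the clipboard instead of echoing it to the console,
# so it does not end up in the PowerShell transcript or console history.
$password = Get-K8sSecretValue -SecretName 'myblog-wordpress' -Key 'wordpress-password'
$password | Set-Clipboard
Write-Host "Password for WordPress user 'user' copied to the clipboard ($($password.Length) characters)."
```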

Because of its popularity, WordPress is a frequent target for attackers, so it's important to keep it updated. Helm releases can be upgraded with the helm upgrade command.

To list all of your current releases, run the following command:

helm list


If you want to upgrade a release to a newer version of a chart, first update your Helm repositories with:

helm repo update

Now you can check whether a newer version of the WordPress chart is available in that repo:

helm inspect chart azure-marketplace/wordpress

When there is a new version available, you can easily upgrade using:

helm upgrade myblog azure-marketplace/wordpress

(In a future blog post I'll go into rolling back upgrades.)

In this guide we installed (a default installation of) WordPress on an AKS cluster using the command-line tool Helm. We also learned how to upgrade a WordPress release to a new chart version, and how to find the credentials needed to log on to the WordPress website.


How I Passed the AZ-500 Exam

I've recently taken and passed the Azure Security Engineer Associate exam AZ-500. This exam covers a wide range of topics and technologies; before considering it, you should have good knowledge of Azure technology.

I advise you to follow this certification path:


My advice is to first take the AZ-900 and AZ-103 exams before going for AZ-500. The Azure Security Engineer role was recently added to the list and is the newest exam so far.


The following prerequisites apply:

  • Familiarity with the implementation of security controls on the Microsoft Azure platform
  • In-depth knowledge of virtualization, cloud N-tier architecture, Amazon Kubernetes Service, and networking
  • Ability to recognize and address vulnerabilities using several security tools; implementing security solutions for the protection of networks, applications, and data
  • Expertise in scripting and automation, identity and access management, and maintaining security status

A general understanding of the following areas is highly recommended:

  • Azure Portal
  • Azure CLI
  • PowerShell
  • ARM Templates
  • Networking
  • Security Concepts

The exam domains and their weights:

Domain                          Weight
Manage Identity and Access      20-25%
Implement Platform Protection   35-40%
Manage Security Operations      15-20%
Secure Data and Applications    30-35%

The exam is available in Japanese and English and costs 164 EUR/USD.

I found the exam relatively easy (for example, I found the AZ-400 exam much harder). I had a couple of case studies and one lab containing 11 tasks. Because my mouse didn't work in the lab environment I was unable to complete all the tasks (I still scored enough to pass, though).

I used the following materials:

  • Official MCT material for AZ-500 exam
  • Pluralsight
  • edX
  • YouTube (there's a lot of interesting Azure content to be found there)
  • Study Notes found on the internet and combined on vWorld.nl 🙂

This in addition to real-life experience.


How to quickly encrypt/decrypt Azure VM disks using the portal

Some time ago Microsoft added the encryption option to the Disks pane of an Azure IaaS VM. Now you no longer need CLI or PowerShell commands to encrypt or decrypt your VM disks.


Just click the Encryption button; the options speak for themselves. When you already have one disk encrypted and just added an extra disk, you can simply reuse the Key Vault settings that are already in place. You can also choose to use an additional Key Vault, key or key version.


Using this option it's also very easy to disable disk encryption: go to Disks to encrypt and choose None, and the encryption will be removed.


Make sure your VM is up and running (and note that when you encrypt the OS disk, the VM might reboot).


Passed AZ-400 Microsoft Certified Azure DevOps Engineer

Last week I took the AZ-400 exam and passed successfully.


This exam counts towards the Microsoft Certified Azure DevOps Engineer Expert certification. I found it quite challenging because it leans heavily on your development experience; I'm not a very experienced developer, so some topics were challenging. Nevertheless I passed the exam.

If you're going to take the exam in the near future, please check out my collection of links found on the internet, which helped me a lot. You can find the links in the menu or here.

Next exams this year: AZ-500 and MS-500 (for the Microsoft Security partner competency).


PowerCLI "The Aspiring Automator's Guide" by Altaro


If you currently use PowerCLI to automate basic tasks with pre-defined scripts, you’ll already know how powerful automation can be. However, taking the next step and customizing scripts to carry out tasks specifically designed for your needs opens a whole new world of opportunities. This new eBook from Altaro takes you there.

Written by VMware vExpert Xavier Avrillier, this free eBook presents a use-case approach to learning how to automate tasks in vSphere environments using PowerCLI. It starts by covering the basics of installation, setup and an overview of PowerCLI terms. From there it moves into scripting logic and script building, with step-by-step instructions for truly useful custom scripts, including:

  • How to retrieve data on vSphere objects
  • Display VM performance metrics
  • How to build HTML reports and schedule them
  • Basics on building functions
  • And more!

Stop looking at scripts online in envy, wishing you could build your own. Download PowerCLI: The Aspiring Automator's Guide now and get started on your path to automation greatness!


How to use Azure State Configuration to open specific firewall ports

Azure Automation State Configuration is an Azure service that lets you write, manage and compile PowerShell Desired State Configuration (DSC) configurations and assign them to target nodes. Just like in an on-premises environment, you can easily manage (virtual) machines running in Azure as well as on-premises.

Using DSC it's possible to apply a (security) baseline to all your virtual machines. In this blog post I describe how to open specific ports in the Windows Server firewall.

Here is an example of a configuration file I use. As you can see, I'm making use of the xNetworking module.

First you have to import the xNetworking module into your Automation account. Go to Shared Resources and select Modules.

Notice the Browse gallery option in the upper pane.

Now import the xNetworking module.

Now you can add the configuration above to open a firewall port. In my example I opened incoming port 80. There are several other options; you can find more information here.

You can use the following commands on your node to update the configuration:

(This command checks the pull server for an updated configuration and applies it)

(This command applies the configuration to the node)
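A DSC configuration that does what the post describes (allow inbound TCP port 80 through the xFirewall resource of xNetworking), added here as an example and not the post's own configuration file. It assumes the xNetworking module has been imported into the Automation account as described above; the configuration and rule names are placeholders, and the two node-side cmdlets at the end are the standard Local Configuration Manager commands, given here as an assumption about which commands the post refers to.

```powershell
# Added example (not the post's own configuration file): open inbound TCP 80 with xFirewall.
# Import this file into the Automation account (Import-AzAutomationDscConfiguration) and compile it;
# the resulting node configuration is named 'WebServerFirewall.webserver'.
Configuration WebServerFirewall
{
    Import-DscResource -ModuleName xNetworking

    Node 'webserver'
    {
        # The rule name is the key: re-applying the configuration updates this rule
        # instead of creating a duplicate every time the node pulls.
        xFirewall AllowHttpInbound
        {
            Name        = 'DSC-Allow-HTTP-Inbound'
            DisplayName = 'Allow HTTP (TCP 80) inbound'
            Ensure      = 'Present'
            Enabled     = 'True'
            Direction   = 'Inbound'
            Action      = 'Allow'
            Protocol    = 'TCP'
            LocalPort   = '80'
            Profile     = 'Any'   # narrow to specific profiles once you know which one the Azure NIC uses
            Description = 'Opened by Azure Automation State Configuration'
        }

        # Opening one port is only a baseline if the firewall itself stays on: enforce that
        # every profile remains enabled, so a manually disabled firewall is put back.
        foreach ($fwProfile in 'Domain', 'Private', 'Public')
        {
            xFirewallProfile "$($fwProfile)ProfileEnabled"
            {
                Name    = $fwProfile
                Enabled = 'True'
            }
        }
    }
}

# --- Run on the node itself, not in Azure Automation (assumed standard LCM cmdlets) ---
# Checks the pull server for an updated configuration and applies it:
#   Update-DscConfiguration -Wait -Verbose
# Re-applies the configuration the node already has:
#   Start-DscConfiguration -UseExisting -Wait -Verbose
```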