Microsoft Build 2020 Learn…Connect…Code

Due to the coronavirus, Microsoft Build has been transformed into a 2-day virtual event which you can join for free!

Here’s a little more of what you can expect at Build this year:

  • Two days of continuous learning in your time zone: Attend sessions, talks and demos carefully chosen to help developers be productive wherever you work, and drive innovation and transformation. You will hear from the engineers behind the products you use every day and connect with your peers in a digital event experience.
  • Build community connections: Expand your network and your perspective on what’s possible. Connect and collaborate with your peers from around the world and with the Microsoft engineers behind the tools and services you rely on.
  • Level up your coding: Discover new ways to take your code and application architecture to the next level as we help you troubleshoot, optimize and secure your projects.
  • Helping developers today: We’re committed to support developers with cost-effective, efficient innovations that make people’s lives easier and better, especially in uncertain times. Today, we announced new lower pricing for Visual Studio Codespaces (formerly Visual Studio Online) so you can create cloud-hosted dev environments that are accessible from anywhere, from any device. Earlier this month, GitHub announced that all of its core features are now available for free to all users. You can expect more such announcements as we journey through Microsoft Build.

Register for the event here. I’ve registered and I’m looking forward to sharing it with you all!


How to assign Microsoft Cloud licenses the right way

Are you still manually assigning licenses to users, and are users complaining that they have no license or maybe the wrong license? Use the following steps to assign the right licenses (Office 365, Intune, etc.) to your users:

Sign in to your Office 365 environment and go to admin/Azure Active Directory (or go directly to portal.azure.com and select Azure Active Directory in the left pane).

Go to Groups.

Now we are going to create a new security group. Fill in the necessary information. For this demo we’re first going to use the Assigned membership type.

Select any user for this example.

After you’ve created the security group, go back to Azure Active Directory and select Licenses :


Choose + Assignments to assign licenses (take note of the Reprocess button; we’re going to use that button later in this exercise :-))

Select the appropriate license and the license option(s) you wish to assign to the users who are members of the security group you’ve just created:

Note that you can easily set specific license options for your users!

After you hit save, you see that all the users belonging to that specific security group have their appropriate licenses.

Hold on! That’s not the whole story. Do you really want to add users to specific groups manually all the time? Maybe… maybe not. If you do, the information above is all you need. But let’s say you want all active users in Azure Active Directory to be assigned an Intune license automatically (for example)… how are we going to accomplish that?

Well… for that you create a Dynamic Security Group. You define the expressions (the rules) instead of assigning the individual users. For example, you could configure a rule where the property “accountEnabled” is true. The result is that all the users who are able to log on to Azure AD automatically get the license you’ve specified!


How to move downloaded torrent files to another computer or Seedbox

I decided to move my downloaded torrent files to another computer with more space available. I wanted to still seed these files to maintain my ratio (private trackers :-)).

After some trial and error (and crosscheck with a friend) I found out it was very easy. Just upload the files to your torrent download dir (download just one file to find out which directory you must upload those files to).

Now add all the .torrent files that belong to the files you’ve just uploaded and check the do not automatically download (niet automatisch downloaden) tickbox :


After uploading, select all your files and do a force recheck:


After the force recheck, ruTorrent or your torrent client of choice sees that all the files are in place. Select start to start seeding them :


Problem solved!


How to use Azure Policy to automatically backup your IaaS VMs

In this blogpost you see how easy it is to automatically configure Azure Backup to protect your Azure IaaS workload.

For this blogpost I’m using the Azure portal; configuring this using the CLI and templates is of course also possible. Open your Azure portal and go to the Policy pane.

Go to Definitions, select the scope of your subscription and select only Backup from the Category option.

Notice the policy named “Configure backup on VMs of a location to an existing central Vault in the same location”. Open this default policy and choose the Assign option:

Now let’s fill in the Scope (Subscription of the Policy). This is the subscription name/ID you’re linking to this specific Azure Policy. You can also specify a specific Resource Group or leave this blank when you wish to apply this policy to all Resource Groups in this Subscription.

OK… now we have the option to add exclusions (when applicable), a custom name and a description:

Let’s go through the other panes and fill in the necessary parameters. Choose the Location/Region, the Backup Policy name etc.

Servers already deployed can be remediated and have the Azure backup policy applied. So this applies to newly created IaaS VMs as well as to existing VMs.

Choose to create the policy. Wait some time. Now go to the Azure Policy pane and see your Policy results :


Help! I want to rename my Azure Resource Groups

Earlier this week someone asked me if it’s possible to rename an Azure Resource Group for governance purposes. Unfortunately you can’t rename resource groups, but… don’t worry, there are ways to achieve the same goal.

Option 1 Create and move..

The first option is that you create a resource group with the new name.

Just go to Resource Groups and hit that create button!

Now go to the resource group with the old name, select all resources and click Move.

Notice that you have 2 options: move to another subscription or to another resource group.

Choose to move to another resource group.

Now select the resource group you’ve just created and check the box. All the resources are now moved. Watch out for the completion notification. Now go to the old resource group, re-check that there are no more resources available and choose the delete option.

Note that tools and scripts that use hardcoded resource IDs might fail, because the newly created resource group has a different resource ID (and so do the resources moved into it).
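One way to find such hardcoded references before the old resource group is deleted, as an added example that is not part of the original post. The helper name, the file contents, the placeholder subscription GUID and the group names RG-Old/RG-New are all constructed for illustration:

```powershell
# Added example: locate ARM resource IDs that still reference the old resource group.
function Find-StaleResourceGroupReference {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$OldName,
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][hashtable]$Files   # file name -> file content
    )
    # Match ".../resourceGroups/<OldName>" only when the name ends there, so that
    # "RG-Old" does not also hit "RG-Old2". -match ignores case, as ARM IDs do.
    $pattern = '(/subscriptions/[0-9a-f-]{36}/resourceGroups/)' +
               [regex]::Escape($OldName) + '(?=[/"''\s]|$)'
    foreach ($name in ($Files.Keys | Sort-Object)) {
        $lineNo = 0
        foreach ($line in ($Files[$name] -split "`r?`n")) {
            $lineNo++
            if ($line -match $pattern) {
                [pscustomobject]@{
                    File      = $name
                    Line      = $lineNo
                    Suggested = ($line -replace $pattern, "`${1}$NewName").Trim()
                }
            }
        }
    }
}

# Constructed sample input (not real files or a real subscription).
$sub = '00000000-0000-0000-0000-000000000000'
$deploy = @"
`$vnetId = '/subscriptions/$sub/resourceGroups/RG-Old/providers/Microsoft.Network/virtualNetworks/vnet1'
Write-Output 'done'
"@
$alerts = @"
{
  "scope": "/subscriptions/$sub/resourcegroups/rg-old",
  "unrelated": "/subscriptions/$sub/resourceGroups/RG-Old2"
}
"@
$files = @{ 'deploy.ps1' = $deploy; 'alerts.json' = $alerts }

# Reports alerts.json line 2 and deploy.ps1 line 1; the RG-Old2 line is left alone.
Find-StaleResourceGroupReference -OldName 'RG-Old' -NewName 'RG-New' -Files $files |
    Format-List
```

For real use, fill the hashtable from disk, for example with Get-ChildItem and Get-Content -Raw over your script and template folders.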

Option 2 CLI baby…. 🙂

For the techies… there’s an easier way to do this. We can use the command line (oh yeahhh):

First step, create a new resource group (Azure CLI):

az group create -l westus -n MyResourceGroup

Now move all the resources from the old resource group to the new resource group (this command is Azure PowerShell with the AzureRM module, not the az CLI):

Get-AzureRmResource -ResourceGroupName <sourceResourceGroupName> | Move-AzureRmResource -DestinationResourceGroupName <destResourceGroupName>

And finally delete the old resource group (the source group, not the one you’ve just created):

az group delete -n <sourceResourceGroupName>

Help! Someone disabled my virtual network adapter @ my Azure VM

Today someone asked me how to re-enable an Azure VM network adapter. Using an on-premise hypervisor like VMware you can use the console session to access and re-enable the virtual network adapter. In this blogpost I describe how to deal with this situation when it’s inside an Azure VM. Help is on the way!

You can use the Azure Portal or use Powershell to regain access to your virtual machine.

Resolve using the Azure Portal

Log on to the Azure portal and go to the virtual network adapter settings on the Virtual Machine pane :

Change the IP address to any other valid IP address in the same subnet. After the change, Azure automatically re-enables the virtual network adapter. Better safe than sorry: reboot the virtual machine and change the IP address back to the old value (when it needs to be static), and now you have access to the virtual machine again!

Resolve using Azure Powershell

Use these steps to use the command line. Go to shell.azure.com or open an Azure powershell environment.

Find the NIC details of the VM that we need to fix using the following command:

Get-AzureRmNetworkInterface -ResourceGroupName "My-ResourceGroup"

Note the network interface name, IP address and allocation method you are using.

Now we need to assign a different IP address to the same nic from the same subnet.

Use the following Powershell commands :

$Nic = Get-AzureRmNetworkInterface -ResourceGroupName "My-ResourceGroup" -Name "my_AzureVM"
$Nic.IpConfigurations[0].PrivateIpAddress = "10.2.5.197"
$Nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
$Nic.Tag = @{Name = "Name"; Value = "Value"}
Set-AzureRmNetworkInterface -NetworkInterface $Nic

Reboot your virtual machine and change IP address back to the old value. You are all set!


How to find the Azure Site Recovery Passphrase 2

When you have to manually install the Azure Site Recovery agent you must provide the Passphrase. In this blogpost I describe how you can find the Passphrase.

  1. Sign in to your configuration server, and then open a command prompt window as an administrator.
  2. To change the directory to the bin folder, execute the command cd %ProgramData%\ASR\home\svsystems\bin
  3. To generate the passphrase file, execute genpassphrase.exe -v > MobSvc.passphrase.
  4. Your passphrase will be stored in the file located at %ProgramData%\ASR\home\svsystems\bin\MobSvc.passphrase.

Open this file using your favourite editor and you have found your passphrase. Good luck!


How to deploy WordPress using Azure Kubernetes Service (AKS)

As more developers work within distributed environments, tools like Kubernetes have become central to keeping application components standardized across dynamic build and production environments. With the increasing complexity of application ecosystems and the growing popularity of Kubernetes, tools that help manage resources within Kubernetes clusters have become essential.

In this blogpost, I’m using Helm for setting up WordPress on top of an AKS cluster, in order to create a highly available website. In addition to leveraging the intrinsic scalability and high availability aspects of Kubernetes, this setup will help keep WordPress secure by providing simplified upgrade and rollback workflows via Helm.

Like all major cloud vendors, Microsoft Azure has its own flavour/spin on Kubernetes in a managed platform, aptly named Azure Kubernetes Service. PaaS Kubernetes offerings are a really fantastic way to take advantage of the benefits of Kubernetes without the traditional system administration overhead (securing, patching, scaling etc.).

In this blogpost I’m taking you on the journey of creating an AKS cluster, deploying a (default installation of a) WordPress blog using Helm and updating the WordPress version, also using Helm.

In this example I’m using the next-next-next installation of WordPress using MariaDB. By default, the WordPress chart installs MariaDB on a separate pod inside the cluster and uses it as the WordPress database. This works for demonstration purposes, but for a production environment I advise you to use an external MySQL database. This and other configuration options (such as the default WordPress admin user and password) can be set at installation time, either via command-line parameters or via a separate YAML configuration file. In this example I’m not using a YAML file with specific values for WordPress.

Enter the following to create a Resource Group for the AKS service:

First login to your Azure subscription :

az login


Now make sure you have the right subscription :

az account set -s <mysubscriptionid>

Ok, let’s start by creating a resource group :

az group create --name AKS --location westeurope

Using the admin portal, I can see the resourcegroup is created :


Next, we are going to create the managed Kubernetes cluster with 3 nodes in the previously created Resource Group:

az aks create --name AKSCLUSTER --resource-group AKS --node-count 3 --generate-ssh-keys

Using the admin portal, I can see that the AKS cluster has been created.

After the cluster has been established, let’s get the generated credentials into our local kubectl configuration with:

az aks get-credentials --name AKSCLUSTER --resource-group AKS

OK, next step. We need to install the kubernetes-cli. I prefer to do this using Chocolatey. You can install Chocolatey using:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Now let’s proceed to install kubernetes-cli using choco:

choco install kubernetes-cli

And now install helm using choco :

choco install kubernetes-helm

Now we are going to add the Azure Marketplace repo to the Helm repository :

helm repo add azure-marketplace https://marketplace.azurecr.io/helm/v1/repo

Check running config :

kubectl config get-contexts

Now let’s install a default installation of WordPress using Helm

helm install myblog azure-marketplace/wordpress

After a couple of minutes the WordPress website is deployed. You can check that using the following command:

kubectl get pods -w

You can use the kubectl get svc command to see which IP address is in use :

kubectl get svc


Here you see the WordPress website is available using the 51.105.X.X IP Address.


Ok, now you probably want to login to WordPress to check if everything really works. 🙂 But where are my credentials?

You’ve noticed the following screen when deploying WordPress.

By default the admin user is called user and the password is stored base64-encoded in a Kubernetes secret. This is how you can find the password belonging to the admin user called user. In this blogpost I’ve used the default next-next-next deployment of WordPress, but you would of course prefer to use specific values stored in a values.yaml file. (That will be in a future blogpost.)

You can use the commands in the screenshot to find your password. In my case (because I’m using PowerShell on a Windows 10 device) I didn’t have access to the base64 --decode command. This is how to find your password manually:

kubectl get secret


You see the secrets stored for the myblog-wordpress website. Let’s get them! 🙂

kubectl get secret myblog-wordpress -o yaml


OK, let’s copy that encoded password into a base64 decoder. Keep in mind that base64 is an encoding, not encryption: anyone who can read the secret can recover the password. On Linux/macOS you can simply use base64 --decode to decode the password. You can also choose to install a base64 encoder/decoder on your Windows 10 workstation or use any website which does the job for you. I’ve used www.base64decode.org (there is also a base64encode.org website).

Now you see the decoded password belonging to the specified admin user, and we are able to log in to the /wp-admin website.
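The decoding step above can also be done locally in PowerShell, so the admin password never leaves the workstation. This is an added example, not part of the original post: the helper name is hypothetical, the sample secret is constructed, and the key name wordpress-password is an assumption (use whatever keys your own secret shows).

```powershell
# Added example: decode every value of a Kubernetes Secret locally.
function ConvertFrom-K8sSecretJson {   # hypothetical helper name
    # $Json is the output of: kubectl get secret <name> -o json
    param([Parameter(Mandatory)][string]$Json)

    $secret = $Json | ConvertFrom-Json
    if ($secret.kind -ne 'Secret') {
        throw "Expected a Secret object, got kind '$($secret.kind)'."
    }
    # Strict UTF-8: binary values (keys, certificates) fail instead of printing garbage.
    $utf8 = [System.Text.UTF8Encoding]::new($false, $true)
    foreach ($entry in $secret.data.PSObject.Properties) {
        try {
            $bytes = [Convert]::FromBase64String([string]$entry.Value)
            $value = $utf8.GetString($bytes)
        } catch {
            $value = '<not decodable as text>'
        }
        [pscustomobject]@{
            Secret = $secret.metadata.name
            Key    = $entry.Name
            Value  = $value
        }
    }
}

# Constructed sample secret, shaped like "kubectl get secret myblog-wordpress -o json".
$constructedPassword = 'constructed-demo-password'
$encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($constructedPassword))
$sampleJson = @{
    apiVersion = 'v1'
    kind       = 'Secret'
    type       = 'Opaque'
    metadata   = @{ name = 'myblog-wordpress' }
    data       = @{ 'wordpress-password' = $encoded }   # key name is an assumption
} | ConvertTo-Json -Depth 3

# Returns one row: Secret=myblog-wordpress, Key=wordpress-password, Value=<the sample password>
ConvertFrom-K8sSecretJson -Json $sampleJson

# Against the cluster from this post:
# ConvertFrom-K8sSecretJson -Json (kubectl get secret myblog-wordpress -o json | Out-String)
```

Since base64 offers no confidentiality, access to this password is governed by who is allowed to read secrets in the namespace.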

Because of its popularity, WordPress is often a target for malicious exploitation, so it’s important to keep it updated. We can upgrade Helm releases with the command helm upgrade.

To list all of your current releases, run the following command:

helm list


If you want to upgrade a release to a newer version of a chart, first update your Helm repositories with:

helm repo update

Now you can check if there’s a newer version of WordPress available in the specific repo:

helm inspect chart azure-marketplace/wordpress

When there is a new version available, you can easily upgrade using :

helm upgrade myblog azure-marketplace/wordpress

(In a future blogpost I’m going into rolling back upgrades.)

In this guide, we installed (a default installation of) WordPress on a Kubernetes cluster using the command-line tool Helm. We also learned how to upgrade a WordPress release to a new chart version, and how to find the credentials needed to logon to the WordPress website.


How I Passed the AZ-500 Exam

I’ve recently taken and passed the Azure Security Engineer Associate AZ-500 exam. This exam covers a wide range of topics and technologies. Before considering this exam, you should have good knowledge of Azure technology.

I advise you to use the following certification path:

My advice is first take the AZ-900 and AZ-103 exams before going for the AZ-500 exam. The Azure Security Engineer role was recently added to the list and is the newest exam so far.

Azure Security Engineer Associate

The following pre-requisites are in place :

  • Familiarity with the implementation of security controls on the Microsoft Azure platform
  • In-depth knowledge of virtualization, cloud N-tier architecture, Amazon Kubernetes Service, and networking
  • Ability to recognize and address vulnerabilities using several security tools; implementing security solutions for the protection of networks, applications, and data
  • Expertise in scripting and automation, identity and access management, and maintaining security status

A general understanding of the following areas is highly recommended :

  • Azure Portal
  • AzureCLI
  • Powershell
  • ARM Templates
  • Networking
  • Security Concepts

The following topics and their weight :

Domain % Weight
Manage Identity and Access 20-25%
Implement Platform Protection 35-40%
Manage Security Operations 15-20%
Secure Data and Applications 30-35%

The exam is available in both Japanese and English and costs 164 EUR/USD.

I found the exam relatively easy (for example, I found the AZ-400 exam much harder). I had a couple of cases and one lab containing 11 tasks. Because my mouse didn’t work in the lab environment, I was unable to complete all the tasks. (I did score enough to pass, though.)

I used the following materials :

  • Official MCT material for AZ-500 exam
  • Pluralsight
  • edX
  • Youtube (there’s lot of interesting Azure stuff to be found there)
  • Study Notes found on the internet and combined on vWorld.nl 🙂

This is in addition to real-life experience.

 


How to quickly encrypt/decrypt Azure VM disks using the portal

Some time ago Microsoft added the encryption option on the disk pane (Azure IaaS properties). Now you don’t need to use CLI or PowerShell commands to decrypt/encrypt your VM disks.

Just go to the encryption button; the options speak for themselves. When you already have one disk encrypted and have just added an extra disk, you can easily use the (Key Vault) settings that are already in place. You can also choose to add an additional Key Vault/key/version.

From the same pane it’s also very easy to disable disk encryption. Just go to Disks to encrypt and choose None. The encryption will be removed.

Make sure that your VM is up and running (and when you encrypt your OS disk, your VM might reboot).