Azure


How to deploy WordPress using Azure Kubernetes Service (AKS)

As more developers work in distributed environments, tools like Kubernetes have become central to keeping application components standardized across dynamic build and production environments. With the increasing complexity of application ecosystems and the growing popularity of Kubernetes, tools that help manage resources within Kubernetes clusters have become essential.

In this blogpost I’m using Helm to set up WordPress on top of an AKS cluster, in order to create a highly available website. In addition to leveraging the intrinsic scalability and high-availability features of Kubernetes, this setup helps keep WordPress secure by providing simplified upgrade and rollback workflows via Helm.

Like all major cloud vendors, Microsoft Azure has its own flavour of Kubernetes as a managed platform, aptly named Azure Kubernetes Service. Managed Kubernetes offerings are a fantastic way to take advantage of the benefits of Kubernetes without the traditional system administration overhead of the control plane (securing, patching, scaling etc.). What stays your responsibility is everything on top of it: the node pool’s OS updates and reboots, cluster RBAC, network policy and the hardening of the workloads you deploy.

In this blogpost I’m taking you on the journey of creating an AKS cluster, deploying a (default installation of) WordPress blog using Helm and upgrading the WordPress version, also using Helm.

In this example I’m using the next-next-next installation of WordPress with MariaDB. By default, the WordPress chart installs MariaDB in a separate pod inside the cluster and uses it as the WordPress database. This works for demonstration purposes, but for a production environment I advise you to use an external managed MySQL database (such as Azure Database for MySQL). This and other configuration options (such as the WordPress admin user name and password) can be set at installation time, either via command-line parameters or via a separate YAML values file. In this example I’m not using a YAML file with specific values for WordPress, so the chart generates a random admin password at install time; how to retrieve it is covered below.

First, log in to your Azure subscription:

az login

Now make sure the right subscription is selected:

az account set -s <mysubscriptionid>

OK, let’s start by creating a resource group:

az group create --name AKS --location westeurope

In the portal you can see that the resource group has been created.

Next, we create the managed Kubernetes cluster with 3 nodes in the resource group we just created:

az aks create --name AKSCLUSTER --resource-group AKS --node-count 3 --generate-ssh-keys

The --generate-ssh-keys option creates an SSH key pair under ~/.ssh if you don’t have one yet; that key gives shell access to the nodes, so protect it like any other credential.

In the portal you can see that the AKS cluster has been created.

After the cluster has been created, merge its credentials into your kubeconfig (~/.kube/config) with:

az aks get-credentials --name AKSCLUSTER --resource-group AKS

Treat that file as a secret: the cluster user credential it contains gives full access to the cluster.

OK, next step. We need to install the Kubernetes CLI (kubectl); I prefer to do this with Chocolatey (az aks install-cli is the alternative). You can install Chocolatey from an elevated command prompt with the one-liner below. It downloads install.ps1 from chocolatey.org and runs it with the execution policy bypassed, so use it only where running a downloaded script that way is acceptable:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Now let’s install kubernetes-cli using choco:

choco install kubernetes-cli

And now install Helm using choco:

choco install kubernetes-helm

Now we add the Azure Marketplace chart repository (which carries the Bitnami WordPress chart) to Helm:

helm repo add azure-marketplace https://marketplace.azurecr.io/helm/v1/repo

Check that kubectl’s current context points at the new cluster:

kubectl config get-contexts

Now let’s install WordPress with the chart’s default values using Helm (Helm 3 syntax, with myblog as the release name):

helm install myblog azure-marketplace/wordpress

After a couple of minutes the WordPress website is deployed. You can watch the pods come up with the following command:

kubectl get pods -w

You can use the kubectl get svc command to see which public IP address the WordPress service was given:

kubectl get svc

Here you see the WordPress website is available at the 51.105.X.X IP address. The chart’s default service is of type LoadBalancer, so the site (including /wp-admin) sits directly on a public IP without a trusted certificate; put TLS in front of it, for example via an ingress controller, before using it for anything real.

OK, now you probably want to log in to WordPress to check that everything really works. 🙂 But where are my credentials?

You will have noticed the NOTES that helm install printed at the end of the deployment; they contain the commands to retrieve them.

By default the admin user is called user and the password is stored in a Kubernetes Secret, where it is base64-encoded. That is encoding, not encryption: anyone who can read the Secret can read the password. This is how you find the password belonging to that user. In this blogpost I’ve used the default next-next-next deployment of WordPress, but you would of course rather set specific values in a values.yaml file (that will be a future blogpost).

You can use the commands from the NOTES to find your password. In my case (because I’m using PowerShell on a Windows 10 device) I didn’t have the base64 --decode command. This is how to find your password manually:

kubectl get secret

You see the secrets stored for the myblog-wordpress release. Let’s get them! 🙂

kubectl get secret myblog-wordpress -o yaml

Now take the base64 value of the wordpress-password key from that output (that is the key the Bitnami chart uses) and decode it locally. On Linux or macOS base64 --decode does this; PowerShell can do it with the .NET Convert class. Don’t paste it into an online decoder such as base64decode.org: the string is your admin password, and whoever runs that site gets a copy.

With the decoded password belonging to the admin user we are able to log in at /wp-admin.
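The decoding step, as an added example that is not part of the original post: a small POSIX shell script that pulls the password out of the kubectl get secret output without it leaving the machine. It assumes the release is called myblog and that the chart stores the admin password under the key wordpress-password; the Secret shown is constructed, with a made-up password.

```shell
#!/bin/sh
# Added example (not part of the original post): decode a chart-generated WordPress
# password from the Secret locally, instead of pasting it into a web site.
# Assumptions: the release is called myblog and the Bitnami-based chart stores the
# admin password under the key wordpress-password (as its NOTES describe).

# Constructed sample, standing in for: kubectl get secret myblog-wordpress -o yaml
# (the value is base64 of the made-up password Demo-Pass-42)
SAMPLE_SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  name: myblog-wordpress
  namespace: default
type: Opaque
data:
  wordpress-password: RGVtby1QYXNzLTQy'

# decode_secret_key KEY: read Secret YAML on stdin, print the decoded value of KEY
decode_secret_key() {
    key=$1
    # take the "  KEY: value" line under data: and keep only the value
    encoded=$(sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" | tr -d '[:space:]')
    if [ -z "$encoded" ]; then
        echo "key '$key' not found in Secret" >&2
        return 1
    fi
    # base64 is an encoding, not encryption: anyone who may read the Secret object
    # (kubectl auth can-i get secrets) can recover the password exactly like this
    printf '%s' "$encoded" | base64 -d
}

main() {
    # on a live cluster:
    #   kubectl get secret myblog-wordpress -o yaml | decode_secret_key wordpress-password
    printf 'admin user: user\npassword:   '
    printf '%s\n' "$SAMPLE_SECRET_YAML" | decode_secret_key wordpress-password
    echo
}

main "$@"
```

The chart’s own one-liner, kubectl get secret myblog-wordpress -o jsonpath='{.data.wordpress-password}' | base64 --decode, does the same on Linux or macOS; in PowerShell, [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value)) decodes the value with no third party involved.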

Because of its popularity, WordPress is a frequent target for exploitation, so it’s important to keep it updated. We can upgrade Helm releases with the helm upgrade command.

To list all of your current releases, run the following command:

helm list

AZ AKS helm list

If you want to upgrade a release to a newer version of a chart, first update your Helm repositories with:

helm repo update

Now you can check which chart version (and which WordPress version, listed as appVersion) the repo currently offers:

helm inspect chart azure-marketplace/wordpress

(In Helm 3 the command is called helm show chart; inspect still works as an alias.)

When there is a new version available, you can easily upgrade using:

helm upgrade myblog azure-marketplace/wordpress

Two things to keep in mind. helm upgrade renders the chart again with the values you pass on the command line, not with the ones from the previous release, unless you add --reuse-values; with a default install the chart generated the admin and database passwords itself, so pass those existing values on upgrade or you may end up with a new Secret that no longer matches what is stored on the persistent volumes (the chart’s notes list the parameters). And pinning --version to the chart version you tested keeps the upgrade repeatable.

(In a future blogpost I’m going into rolling back upgrades.)

In this guide we installed (a default installation of) WordPress on a Kubernetes cluster using the command-line tool Helm. We also saw how to upgrade a WordPress release to a new chart version, and how to find the credentials needed to log on to the WordPress website.


How I Passed the AZ-500 Exam

I’ve recently taken and passed the Azure Security Engineer Associate AZ-500 exam. This exam covers a wide range of topics and technologies. Before considering this exam, you should have good knowledge of Azure technology.

I advise you to follow the Azure certification path: first take the AZ-900 and AZ-103 exams before going for the AZ-500 exam. The Azure Security Engineer role was recently added to the list and is the newest exam so far.

The following prerequisites are in place:

  • Familiarity with the implementation of security controls on the Microsoft Azure platform
  • In-depth knowledge of virtualization, cloud N-tier architecture, Azure Kubernetes Service, and networking
  • Ability to recognize and address vulnerabilities using several security tools; implementing security solutions for the protection of networks, applications, and data
  • Expertise in scripting and automation, identity and access management, and maintaining security status

A general understanding of the following areas is highly recommended:

  • Azure Portal
  • Azure CLI
  • PowerShell
  • ARM templates
  • Networking
  • Security concepts

The exam domains and their weights:

  • Manage Identity and Access: 20-25%
  • Implement Platform Protection: 35-40%
  • Manage Security Operations: 15-20%
  • Secure Data and Applications: 30-35%

The exam is available in English and Japanese and costs 164 EUR/USD.

I found the exam relatively easy (I found the AZ-400 exam much harder, for example). I had a couple of case studies and one lab containing 11 tasks. Because my mouse didn’t work in the lab environment I was unable to complete all the tasks (I scored enough to pass nonetheless).

I used the following materials :

  • Official MCT material for AZ-500 exam
  • Pluralsight
  • edX
  • Youtube (there’s lot of interesting Azure stuff to be found there)
  • Study notes found on the internet and combined on vWorld.nl 🙂

This is in addition to real-life experience.

 


How to quickly encrypt/decrypt Azure VM disks using the portal

Some time ago Microsoft added the encryption option to the Disks pane of an Azure VM (Azure Disk Encryption). You no longer need Azure CLI or PowerShell commands to encrypt or decrypt your VM disks.

Just go to the Encryption button; the options speak for themselves. When you already have one disk encrypted and just added an extra disk, you can reuse the Key Vault settings that are already in place, or choose an additional Key Vault, key and key version. The Key Vault has to be in the same region and subscription as the VM and must be enabled for disk encryption.

In the same pane it’s also very easy to disable disk encryption: under Disks to encrypt choose None and the encryption is removed. The disks then rely on the platform’s storage service encryption only, no longer on keys under your control.

Make sure that your VM is up and running (and when you encrypt the OS disk, the VM may reboot).


How to use Azure State Configuration to open specific firewall ports

Azure Automation State Configuration is an Azure service that allows you to write, manage and compile PowerShell Desired State Configuration (DSC) configurations and assign them to target nodes. Just like in an on-premises environment, you can manage virtual machines running in Azure as well as machines on-premises.

Using DSC it’s possible to apply a (security) baseline to all your virtual machines. In this blogpost I describe how to open specific ports in the Windows Server firewall. Keep in mind that the host firewall is only one layer: the network security group on the NIC or subnet must allow the port too, and a baseline that opens a port should be assigned only to the nodes that actually serve that traffic.

Here is an example of a configuration file I use. As you can see, I’m making use of the xNetworking module (its successor is the NetworkingDsc module, where the resource is called Firewall).

First you have to import the xNetworking module into Azure. Go to your Automation account and open Modules under Shared Resources. Notice the Browse gallery button in the upper pane; use it to find and import the xNetworking module.

Now you can add the code above to open a firewall port. In my example I opened (incoming) port 80. The resource has several other options; see the module’s documentation.

You can use the following commands on your node to update the configuration:

(This command checks the pull server for an updated configuration and applies it)

(This command applies the configuration to the node)

How to back up Linux VMs with large data disks (>4 TB)

Recently I ran into an issue on a project I’m working on. The customer has a Linux virtual machine running on Azure with a large data disk (20 TB). I knew, but forgot to remember, that Azure Backup didn’t support disks larger than 4 TB at the time (the limit has since been raised, so check the current documentation). The specific drive is used for logging, so for a moment I thought that Azure Files could be a solution, but the specific Linux version (RHEL 6.7) lacks the SMB 3.0 encryption that Azure Files requires for secure transport. So I found another solution.

I decided to add multiple smaller data disks to this virtual machine (dividing the required size by the number of disks) and join them into one volume with LVM. In my example I added 3 disks to the virtual machine.

Now log on to the shell of that virtual machine. The 3 data disks showed up as /dev/sdc, /dev/sdd and /dev/sde (verify this with lsblk before you touch anything; the letters are assigned in detection order and are not guaranteed to stay the same across reboots).

First we have to create physical volumes on /dev/sdc, /dev/sdd and /dev/sde using the following command:

pvcreate /dev/sdc /dev/sdd /dev/sde

You can check this using the following command :

pvs

or for detailed information:

pvdisplay /dev/sdc

Now we create a volume group named logging from the 3 physical volumes with this command:

vgcreate logging /dev/sdc /dev/sdd /dev/sde

Now we create a logical volume that uses all free space in the group:

lvcreate -n logs -l 100%FREE logging

This is a linear volume; lvcreate’s -i option stripes it across the physical volumes instead, which spreads the I/O over all three disks. Either way the volume depends on every disk in it: if one disk is lost, the whole volume is.

Now let’s format the volume:

mkfs.ext4 /dev/logging/logs

Now we have to edit the /etc/fstab file. In my (demo) case I add the following line:

/dev/logging/logs /var/logging ext4 defaults 0 0

The LVM device name is stable, unlike /dev/sdX, so it is safe to use here. After creating the mount point and running mount -a (or after a reboot) the new volume is available on /var/logging (in my demo case).

As you can see there is one 9 TB volume (in my demo) which I can access, built from three disks that each stay under the Azure Backup limit.

Now we are able to use Azure Backup to back up this machine; it snapshots all the VM’s disks into one recovery point, which is what a volume spanning three disks needs.

Thanks to BM for the feedback! #TheManWithTheSleeve


How to rename your Azure subscriptions (tip)

When you have, like me, multiple Azure subscriptions that all have the same subscription name (something like Visual Studio Enterprise – MPN, for example) it can be difficult to tell them apart.

I advise you to rename your subscriptions and give them a clear name to identify them.

This is how you can do that: go to the Subscriptions pane in the Azure Portal and select your Azure subscription. Click Overview and there you find the Rename button. Rename your subscription and after 10 minutes or so your subscription has a new name!


How to add a data disk to your Azure Linux VM the right way

In this blogpost I describe how to add an extra data disk to your Linux VM running on Azure.

Step 1 Add a new disk to your Linux VM using the Azure Portal

On the VM’s Disks pane choose Add data disk and then Create disk. For demo purposes I quickly created a default 20 GiB disk, nothing fancy 🙂

Don’t forget to save your changes!

Step 2 Connect to your VM using SSH or use the Serial console on the VM pane in the Azure Portal

Use the following command to find all your data drives:

You see all your drives and the newly created drive. Here, sdc is the newly added disk. Let’s continue.

Now we have to partition the added disk using the following command:

Use the n command to add a new partition. In this example we also choose p for a primary partition and accept the rest of the default values.

Now we write a filesystem to (format) the newly added partition using the following command:

Now we mount the formatted drive using the following commands:

To ensure that the drive is remounted automatically after a reboot, it must be added to the /etc/fstab file. For this I’m going to use the blkid utility to look up the filesystem’s UUID. Use the UUID rather than /dev/sdc1: device names are handed out in detection order and can change when disks are added or removed, while the UUID stays with the filesystem.

Now copy the UUID from the blkid output.

Now we are going to add the UUID to /etc/fstab. You can use vi or (as I prefer) nano.

The format is as follows:

UUID=<YourUUID> /<YourMountPoint> ext4 defaults,nofail 1 2

The nofail option matters on a VM: if the data disk is ever missing or fails to mount, the VM still boots instead of hanging in emergency mode. In my case the mount point is /MyDataDrive.
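Building that fstab line from blkid output, as an added example (not from the original post); it serves the LVM volume from the previous post as well, since blkid reports /dev/mapper/<vg>-<lv> the same way. The blkid output is constructed with made-up UUIDs; the script takes a device and a mount point, derives the filesystem type from blkid too, and refuses a device that has no filesystem yet.

```shell
#!/bin/sh
# Added example (not part of the original posts): build the /etc/fstab line for a
# freshly formatted volume from blkid output, keyed on the filesystem UUID.
# Device names like /dev/sdc can change between reboots when disks are added or
# removed; the UUID and the LVM name (/dev/mapper/<vg>-<lv>) do not.

# Constructed sample standing in for the output of: sudo blkid
# (UUIDs are made up; /dev/sdd is a disk that has no filesystem yet)
SAMPLE_BLKID='/dev/sda1: LABEL="cloudimg-rootfs" UUID="1a2b3c4d-1111-2222-3333-444455556666" TYPE="ext4" PARTUUID="9e3d1c2b-01"
/dev/sdb1: UUID="7f7f7f7f-8888-9999-aaaa-bbbbccccdddd" TYPE="ext4" PARTUUID="9e3d1c2b-02"
/dev/sdc1: UUID="c0ffee00-dead-beef-1234-56789abcdef0" TYPE="ext4" PARTUUID="5a5a5a5a-01"
/dev/sdd: PTUUID="6c6c6c6c" PTTYPE="dos"
/dev/mapper/logging-logs: UUID="0badf00d-1111-2222-3333-444444444444" TYPE="ext4"'

# blkid_field DEVICE FIELD: print the value of FIELD="..." for DEVICE (blkid output on stdin).
# The [ :] before FIELD keeps UUID= from matching inside PARTUUID= or PTUUID=.
blkid_field() {
    sed -n "s|^$1:.*[ :]$2=\"\([^\"]*\)\".*|\1|p"
}

# fstab_entry DEVICE MOUNTPOINT: emit the fstab line for DEVICE (blkid output on stdin)
fstab_entry() {
    dev=$1
    mnt=$2
    blk=$(cat)
    uuid=$(printf '%s\n' "$blk" | blkid_field "$dev" UUID)
    fstype=$(printf '%s\n' "$blk" | blkid_field "$dev" TYPE)
    if [ -z "$uuid" ] || [ -z "$fstype" ]; then
        echo "$dev has no filesystem UUID/TYPE; partition and format it first" >&2
        return 1
    fi
    # nofail: a missing or detached data disk must not leave the VM stuck at boot
    printf 'UUID=%s %s %s defaults,nofail 1 2\n' "$uuid" "$mnt" "$fstype"
}

main() {
    # on a real VM: sudo blkid | fstab_entry /dev/sdc1 /MyDataDrive | sudo tee -a /etc/fstab
    printf '%s\n' "$SAMPLE_BLKID" | fstab_entry /dev/sdc1 /MyDataDrive
    printf '%s\n' "$SAMPLE_BLKID" | fstab_entry /dev/mapper/logging-logs /var/logging
}

main "$@"
```

Run mount -a after appending the line; if it fails, fix fstab before rebooting, because a broken entry without nofail is exactly what leaves a VM unreachable after the next restart.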

OK, let’s reboot the VM and check if the drive is still there.

Use the following command to check:

As you can see, /MyDataDrive is still available after the reboot.


How to rename an Azure VM using Powershell

Recently I deployed some VMs on Azure. There was a small change to the naming convention afterwards, so I wanted to rename the created VMs. This is how you can do this:

After a couple of minutes (depending on the size of the VM) the new server with the old disks, NIC etc. is created. Currently this script doesn’t support renaming the NIC and disks to your naming convention, so they keep exactly the same name as before. If you gave your NIC, disks etc. a custom name you will still see the old naming convention. I’m working on it. 🙂


How to encrypt (and decrypt) your Azure VM disks after deployment

This is how you can encrypt your Azure virtual machine disks :

You can find your Key Vault resource ID on the Properties pane of the Key Vault in the portal.

The reason I used the resource ID instead of the Key Vault name is that the Key Vault can then live in a different resource group than the VM.

Use the following command to decrypt your VM:

SMTP Relay on Azure using SendGrid

In this blogpost I’m going to explain how you can still send SMTP mail from your IaaS server running on Azure. As you might already know, since November 15th 2017 it’s no longer always possible to send mail outbound on port 25 (I dig into that later).

In that case Microsoft recommends that Azure customers use authenticated SMTP relay services (typically connected via TCP port 587 or 443, though many support other ports too) to send e-mail from Azure VMs or from Azure App Services. These services specialize in sender reputation to minimize the chance that third-party e-mail providers reject the message.

Such SMTP relay services include but are not limited to SendGrid.  It is also possible you have a secure SMTP relay service running on premises that can be used. Use of these e-mail delivery services is in no way restricted in Azure regardless of subscription type.

Enterprise Agreement Customers

For Enterprise Agreement Azure customers, there is no change in the technical ability to send e-mail without using an authenticated relay.  Both new and existing Enterprise Agreement customers will be able to attempt outbound e-mail delivery from Azure VMs directly to external e-mail providers with no restrictions from the Azure platform.  While Microsoft cannot guarantee e-mail providers will accept inbound e-mail from any given customer, delivery attempts will not be blocked by the Azure platform for VMs in Enterprise Agreement subscriptions.  Customers will have to work directly with e-mail providers to resolve any message delivery or SPAM filtering issues with the specific provider.

Pay-As-You-Go Customers

For customers who signed up before November 15th, 2017 using the Pay-As-You-Go or Microsoft Partner Network subscription offers, there will be no change in the technical ability to attempt outbound e-mail delivery.  Customers will continue to be able to attempt outbound e-mail delivery from Azure VMs in these subscriptions directly to external e-mail providers with no restrictions from the Azure platform.  Again, Microsoft cannot guarantee e-mail providers will accept inbound e-mail from any given customer and customers will have to work directly with e-mail providers to resolve any message delivery or SPAM filtering issues with the specific provider.

For Pay-As-You-Go or Microsoft Partner Network subscriptions created after November 15, 2017, there will be technical restrictions blocking e-mail sent directly from VMs in these subscriptions.  Customers that need the ability to send e-mail from Azure VMs directly to external e-mail providers (not using an authenticated SMTP relay) can make a request to remove the restriction.  Requests will be reviewed and approved at Microsoft’s discretion and will be only granted after additional anti-fraud checks are performed.  To make a request, open a support case with the issue type Technical –> Virtual Network –> Connectivity –> Cannot send e-mail (SMTP/Port 25).  Be sure to add details about why your deployment needs to send mail directly to mail providers instead of going through an authenticated relay.

Once a Pay-As-You-Go or Microsoft Partner Network subscription gets exempted, VMs in that subscription only will be exempted going forward.  Microsoft reserves the right to revoke this exemption, should we determine a violation of our terms of service has occurred.

MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free Trial Customers

Customers who create MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free Trial subscriptions after November 15, 2017 will have technical restrictions blocking e-mail sent from VMs in these subscriptions directly to e-mail providers to prevent abuse.  No requests to remove the restriction can be made as they will not be granted.

Customers using these subscription types are encouraged to use SMTP relay services as outlined above.

Cloud Service Provider (CSP)

Customers that are consuming Azure resources via Cloud Service Provider (CSP) can create a support case with their Cloud Service Provider (CSP) of choice and request the CSP to create an unblock case on their behalf if a secure SMTP relay cannot be used.

SendGrid

SendGrid is a cloud-based email service that provides reliable transactional email delivery, scalability and real-time analytics along with flexible APIs that make custom integration easy. Ideal for Azure!

First step: configure your network security group (NSG)

Your VM must be able to reach the relay on port 587 (or 25). The default NSG rules already allow all outbound traffic, so this is only needed if you have locked outbound traffic down; in that case:

  1. Go to the Networking pane of your virtual machine
  2. Add an outbound port rule that allows TCP 587

Second step: create a SendGrid account

Azure customers can unlock 25,000 (!) free emails each month. These 25,000 free monthly emails give you access to advanced reporting and analytics and all APIs (Web, SMTP, Event, Parse and more).

Add the SendGrid resource to your Azure account

  1. Sign in to the Azure portal.
  2. In the menu on the left, click Create a resource.
  3. Click Add-ons and then SendGrid Email Delivery.
  4. Complete the signup form and select Create.
  5. Enter a Name to identify your SendGrid service in your Azure settings. Names must be between 1 and 100 characters in length and contain only alphanumeric characters, dashes, dots, and underscores. The name must be unique in your list of subscribed Azure Store items.
  6. Enter and confirm your Password.
  7. Choose your Subscription.
  8. Create a new Resource group or use an existing one.
  9. In the Pricing tier section select the SendGrid plan you want to sign up for.
  10. Enter a Promotion Code if you have one.
  11. Enter your Contact Information.
  12. Review and accept the Legal terms.
  13. After confirming your purchase you will see a Deployment Succeeded pop-up and your account will be listed in the All resources section.

After you have completed your purchase and clicked the Manage button to initiate the email verification process, you will receive an email from SendGrid asking you to verify your account. If you do not receive this email, or have problems verifying your account, see SendGrid’s FAQ.

You can only send up to 100 emails/day until you have verified your account.

To modify your subscription plan or see the SendGrid contact settings, click the name of your SendGrid service to open the SendGrid Marketplace dashboard.

To send an email using SendGrid, you must supply your API key.

To find your SendGrid API key

  1. Click Manage.
  2. In your SendGrid dashboard, select Settings and then API Keys in the menu on the left.
  3. Click Create API Key.
  4. At a minimum, provide the Name of this key, give it Full Access to Mail Send only (a key restricted to sending limits the damage if it leaks) and select Save.
  5. Your API key will be displayed at this point, one time only. Store it safely, for example in Azure Key Vault, and never in a VM image, a script in source control or a screenshot.

To find your SendGrid credentials

  1. Click the key icon to find your Username.
  2. The password is the one you chose at setup. You can select Change password or Reset password to make any changes.

To manage your email deliverability settings, click the Manage button. This redirects you to your SendGrid dashboard, where you are logged on automatically.

Now go to Settings, API Keys to create an API key for SMTP relay. The API key is the password you use to authenticate; the SMTP server is smtp.sendgrid.net on port 587 (use STARTTLS, so the key and the mail travel encrypted) and the username is literally apikey.

Use these settings in your mail server. Prefer the API key over the account password for SMTP: it can be scoped to sending only and rotated without touching the account.
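The exchange those settings produce, as an added example that is not part of the original post: a POSIX shell script that builds the AUTH PLAIN token and the client side of the SMTP session, and pipes it through the STARTTLS support of openssl s_client. It assumes the API key is supplied in the environment variable SENDGRID_API_KEY (so it doesn’t end up in a command line or shell history); the EHLO name, the addresses and the key value in the comments are made up.

```shell
#!/bin/sh
# Added example (not part of the original post): the authenticated SMTP submission to
# SendGrid on the wire: smtp.sendgrid.net:587, STARTTLS, user "apikey", password = API key.
# Assumptions: the key is in $SENDGRID_API_KEY; EHLO name and addresses are made up.

# smtp_auth_plain_token USER PASSWORD: base64(NUL USER NUL PASSWORD), the AUTH PLAIN form
smtp_auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# smtp_session FROM TO SUBJECT BODY: the client side of the exchange, one line per command
smtp_session() {
    from=$1
    to=$2
    subject=$3
    body=$4
    if [ -z "${SENDGRID_API_KEY:-}" ]; then
        echo "SENDGRID_API_KEY is not set" >&2
        return 1
    fi
    token=$(smtp_auth_plain_token apikey "$SENDGRID_API_KEY")
    printf 'EHLO %s\n' "${EHLO_NAME:-azure-vm.example}"
    # the token carries the API key, so it must only ever be sent after STARTTLS
    printf 'AUTH PLAIN %s\n' "$token"
    printf 'MAIL FROM:<%s>\n' "$from"
    printf 'RCPT TO:<%s>\n' "$to"
    printf 'DATA\n'
    printf 'From: <%s>\nTo: <%s>\nSubject: %s\n\n%s\n.\n' "$from" "$to" "$subject" "$body"
    printf 'QUIT\n'
}

main() {
    # -starttls smtp upgrades the connection to TLS before anything sensitive is sent;
    # -crlf converts the newlines to the CRLF that SMTP requires; replies go to stdout
    smtp_session noreply@example.com ops@example.com "relay test" "sent through the SendGrid relay" |
        openssl s_client -quiet -crlf -starttls smtp -connect smtp.sendgrid.net:587
}

if [ "${1:-}" = "--send" ]; then
    main
fi
```

Run it with --send to actually relay a message; expect a 235 reply after AUTH PLAIN and a 250 after the terminating dot. Feeding the whole session in one go relies on the server accepting pipelined commands, which is fine for a quick connectivity check from the VM but not for a real client, which should wait for each reply.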