

How to deploy WordPress using Azure Kubernetes Service (AKS)

As more developers work within distributed environments, tools like Kubernetes have become central to keeping application components standardized across dynamic build and production environments. With the increasing complexity of application ecosystems and the growing popularity of Kubernetes, tools that help manage resources within Kubernetes clusters have become essential.

In this blogpost, I’m using Helm for setting up WordPress on top of an AKS cluster, in order to create a highly available website. In addition to leveraging the intrinsic scalability and high availability of Kubernetes, this setup helps keep WordPress secure by providing simplified upgrade and rollback workflows via Helm.

Like all major cloud vendors, Microsoft Azure has its own flavour of Kubernetes as a managed platform, aptly named Azure Kubernetes Service. PaaS Kubernetes offerings are a really fantastic way to take advantage of the benefits of Kubernetes without the traditional system administration overhead (securing, patching, scaling etc…).

In this blogpost I’m taking you on the journey of creating an AKS cluster, deploying a (default installation of) WordPress blog using Helm and updating the WordPress version also using Helm.

In this example I’m using the next-next-next installation of WordPress using MariaDB. By default, the WordPress chart installs MariaDB on a separate pod inside the cluster and uses it as the WordPress database. This works for demonstration purposes, but for a production environment I advise you to use an external MySQL database. This and other configuration options (such as the default WordPress admin user and password) can be set at installation time, either via command-line parameters or via a separate YAML configuration file. In this example I’m not using a YAML file with specific values for WordPress.

Enter the following to create a Resource Group for the AKS service:

First log in to your Azure subscription :

az login


Now make sure you have the right subscription :

az account set -s <mysubscriptionid>

Ok, let’s start by creating a resource group :

az group create --name AKS --location westeurope

Using the admin portal, I can see the resourcegroup is created :


Next, we are going to create the managed Kubernetes cluster with 3 nodes in the previously created Resource Group:

az aks create --name AKSCLUSTER --resource-group AKS --node-count 3 --generate-ssh-keys

Using the admin portal, I can see that the AKS cluster has been created :


After the cluster has been established, let’s merge its credentials into our local kubeconfig with:

az aks get-credentials --name AKSCLUSTER --resource-group AKS

Ok, next step. We need to install kubernetes-cli. I prefer to do this using Chocolatey. You can install Chocolatey using :

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Now let’s install kubernetes-cli using choco :

choco install kubernetes-cli

And now install helm using choco :

choco install kubernetes-helm

Now we are going to add the Azure Marketplace chart repository to Helm :

helm repo add azure-marketplace https://marketplace.azurecr.io/helm/v1/repo

Check that kubectl is pointed at the new cluster :

kubectl config get-contexts

Now let’s do a default installation of WordPress using Helm :

helm install myblog azure-marketplace/wordpress

After a couple of minutes the WordPress website is deployed. You can check that using the following command :

kubectl get pods -w


You can use the kubectl get svc command to see which IP address is in use :

kubectl get svc


Here you see the WordPress website is available using the 51.105.X.X IP Address.


Ok, now you probably want to login to WordPress to check if everything really works. 🙂 But where are my credentials?

You may have noticed the notes Helm printed when deploying WordPress.


 

By default the admin user is called user and the password is stored base64-encoded in a Kubernetes secret. This is how you can find the password belonging to that admin user. In this blogpost I’ve used the default next-next-next deployment of WordPress, but of course you would like to use specific values stored in a values.yaml file. (Will be in a future blogpost)

You can use the commands in the Helm notes to find your password. In my case (because I’m using PowerShell on a Windows 10 device) I didn’t have access to the base64 --decode command. This is how to manually find your password :

kubectl get secret


You see the secrets stored for the myblog-wordpress website. Let’s get them! 🙂

kubectl get secret myblog-wordpress -o yaml


Ok, let’s copy that base64-encoded password and decode it. On Linux/macOS you can simply use base64 --decode. You can also install a base64 encoder/decoder on your Windows 10 workstation or use any website which does the job for you. I’ve used www.base64decode.org (there is also a base64encode.org website)


Now you see the decoded password belonging to the specified admin user and we are able to log in to the /wp-admin website.
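The same lookup can be done entirely on the workstation, so the admin password never has to be pasted into a third-party website. This is an added example, not code from the original post; it assumes the release name myblog used above and a chart that stores the admin password under the secret data key wordpress-password.

```powershell
# Added example (not from the original post): decode the WordPress admin
# password from the Kubernetes secret locally in PowerShell, so the value is
# never pasted into a third-party website.
# Assumptions: release name "myblog" (as in the post) and a chart that stores
# the admin password under the secret data key "wordpress-password"; check the
# key names with `kubectl get secret myblog-wordpress -o yaml` if yours differ.

function Get-WordPressAdminCredential {
    param(
        [string]$Release   = 'myblog',
        [string]$Namespace = 'default',
        [string]$DataKey   = 'wordpress-password',
        [string]$UserName  = 'user'        # default admin user mentioned in the post
    )

    $secretName = "$Release-wordpress"

    # jsonpath returns just the one base64 field instead of the whole secret.
    $encoded = kubectl get secret $secretName --namespace $Namespace -o "jsonpath={.data.$DataKey}"
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($encoded)) {
        throw "Could not read key '$DataKey' from secret '$secretName' in namespace '$Namespace'."
    }

    # Kubernetes secret data is base64-encoded, not encrypted: decode it locally.
    $bytes    = [System.Convert]::FromBase64String($encoded)
    $password = [System.Text.Encoding]::UTF8.GetString($bytes)

    # Return a PSCredential instead of echoing the plaintext to the console.
    $secure = ConvertTo-SecureString -String $password -AsPlainText -Force
    return [pscredential]::new($UserName, $secure)
}

# Usage: keep the credential in a variable and reveal it only when needed.
$cred = Get-WordPressAdminCredential
$cred.UserName
# $cred.GetNetworkCredential().Password   # plaintext for the /wp-admin login
```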

Because of its popularity, WordPress is often a target for malicious exploitation, so it’s important to keep it updated. We can upgrade Helm releases with the command helm upgrade.

To list all of your current releases, run the following command:

helm list


If you want to upgrade a release to a newer version of a chart, first update your Helm repositories with:

helm repo update

Now you can check if there’s a newer version of WordPress available in the specific repo:

helm inspect chart azure-marketplace/wordpress

When there is a new version available, you can easily upgrade using :

helm upgrade myblog azure-marketplace/wordpress

(In a future blogpost I’ll go into rolling back upgrades.)

In this guide, we installed (a default installation of) WordPress on a Kubernetes cluster using the command-line tool Helm. We also learned how to upgrade a WordPress release to a new chart version, and how to find the credentials needed to log on to the WordPress website.


How I Passed the AZ-500 Exam

I’ve recently taken and passed the Azure Security Engineer Associate AZ-500 exam. This exam covers a wide range of topics and technologies. Before considering this exam, you should have good knowledge of Azure technology.

I advise you to use the following certification path :


My advice is first take the AZ-900 and AZ-103 exams before going for the AZ-500 exam. The Azure Security Engineer role was recently added to the list and is the newest exam so far.


The following prerequisites apply :

  • Familiarity with the implementation of security controls on the Microsoft Azure platform
  • In-depth knowledge of virtualization, cloud N-tier architecture, Amazon Kubernetes Service, and networking
  • Ability to recognize and address vulnerabilities using several security tools; implementing security solutions for the protection of networks, applications, and data
  • Expertise in scripting and automation, identity and access management, and maintaining security status

A general understanding of the following areas is highly recommended :

  • Azure Portal
  • Azure CLI
  • PowerShell
  • ARM Templates
  • Networking
  • Security Concepts

The exam domains and their weight :

Domain % Weight
Manage Identity and Access 20-25%
Implement Platform Protection 35-40%
Manage Security Operations 15-20%
Secure Data and Applications 30-35%

The exam is both in Japanese and English language and costs 164 EUR/USD.

I found the exam relatively easy (for example, I found the AZ-400 exam much harder). I had a couple of cases and one lab containing 11 tasks. Because my mouse didn’t work in the lab environment I was unable to complete all the tasks. (I did score enough to pass, though.)

I used the following materials :

  • Official MCT material for AZ-500 exam
  • Pluralsight
  • edX
  • YouTube (there’s a lot of interesting Azure stuff to be found there)
  • Study Notes found on the internet and combined on vWorld.nl 🙂

This in addition to real-life experience.

 


How to quickly encrypt/decrypt Azure VM disks using the portal

Some time ago Microsoft added the encryption option to the Disks pane (Azure IaaS VM properties). Now you don’t need to use CLI or PowerShell commands to decrypt/encrypt your VM disks.


Just go to the Encryption button; the options speak for themselves. When you already have one disk encrypted and just added an extra disk, you can easily reuse the (Key Vault) settings that are already in place. You can also choose to add an additional Key Vault/Key/Version.


Using this option it’s also very easy to disable disk encryption. Just go to Disks to encrypt and choose None. The encryption will be removed.


Make sure your VM is up and running (and when you encrypt your OS disk, your VM might reboot).


Passed AZ-400 Microsoft Certified Azure DevOps Engineer

Last week I took the AZ-400 exam and I passed successfully.


This exam counts for the Microsoft Certified Azure DevOps Engineer Expert certification track. I found this exam quite challenging because it leans heavily on your dev experience. I’m not a very experienced developer so some topics were challenging. Nevertheless I passed the exam.

When you’re going to take the exam in the near future, please check out my collection of links I found on the internet which helped me a lot. You can find the links on the menu or here.

Next exams this year : AZ-500 and MS-500 (for the Microsoft Security partner competence)

 

 


PowerCLI “The Aspiring Automator’s Guide” by Altaro


If you currently use PowerCLI to automate basic tasks with pre-defined scripts, you’ll already know how powerful automation can be. However, taking the next step and customizing scripts to carry out tasks specifically designed for your needs opens a whole new world of opportunities. This new eBook from Altaro takes you there.

Written by VMware vExpert Xavier Avrillier, this free eBook presents a use-case approach to learning how to automate tasks in vSphere environments using PowerCLI. We start by covering the basics of installation, set up, and an overview of PowerCLI terms. From there we move into scripting logic and script building with step-by-step instructions of truly useful custom scripts, including:

  • How to retrieve data on vSphere objects
  • Display VM performance metrics
  • How to build HTML reports and schedule them
  • Basics on building functions
  • And more!

Stop looking at scripts online in envy because you wish you could build your own scripts. Download PowerCLI: The Aspiring Automator’s Guide now and get started on your path to automation greatness!

 


How to use Azure State Configuration to open specific firewall ports

Azure Automation State Configuration is an Azure service that allows you to write, manage and compile PowerShell Desired State Configurations and assign them to target nodes. Just like in an on-premises environment, you can easily manage (virtual) machines running on Azure and also on-premises.

Using DSC it’s possible to apply a (security) baseline to all your virtual machines. In this blogpost I describe how to open specific ports in the Windows Server firewall.

Here is an example of a configuration file I use. As you can see I’m making use of the xNetworking module.

First you have to import the xNetworking module into Azure. To do so, go to your Automation account, then to Shared Resources, Modules :

Notice the Browse gallery button in the upper pane :

Now import the xNetworking module.

Now you can add the code above to open a firewall port. In my example I opened (incoming) port 80.

There are several other options. You can find more information here.

You can use the following commands on your node to update the configuration :

(This command checks the pull server for an updated configuration and applies it)

(This command applies the configuration to the node)
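An added example of such a configuration (not the author’s own file, which is not reproduced here): it uses the xFirewall resource from the xNetworking module to allow inbound TCP 80, scoped to the Domain and Private profiles, and ends with the two node-side commands matching the descriptions above. The node name and output path are placeholders.

```powershell
# Added example (not the author's configuration): a DSC configuration that uses
# the xFirewall resource from the xNetworking module to allow inbound TCP 80 on
# a Windows Server node.
# Assumptions: xNetworking is available where the configuration is compiled
# (imported into the Automation account as described above); 'localhost' and
# the output path are placeholders.

Configuration WebServerFirewall
{
    param(
        # Port to open; 80 matches the example in the post.
        [ValidateRange(1, 65535)]
        [int]$Port = 80
    )

    Import-DscResource -ModuleName xNetworking

    Node 'localhost'
    {
        xFirewall AllowHttpInbound
        {
            Name        = "Allow-Inbound-TCP-$Port"
            DisplayName = "Allow inbound TCP $Port (DSC managed)"
            Ensure      = 'Present'
            Enabled     = 'True'
            Direction   = 'Inbound'
            Protocol    = 'TCP'
            LocalPort   = "$Port"
            Action      = 'Allow'
            # Limit the rule to Domain and Private profiles so the port stays
            # closed when the server is attached to a Public network.
            Profile     = @('Domain', 'Private')
        }
    }
}

# Compile locally to inspect the generated MOF (in Azure Automation you upload
# and compile the configuration in the account and assign it to the node).
WebServerFirewall -OutputPath "$env:TEMP\WebServerFirewall"

# On the node: check the pull server for an updated configuration and apply it
# (the first command described above).
Update-DscConfiguration -Wait -Verbose

# On the node: re-apply the configuration already present on the node
# (the second command described above).
Start-DscConfiguration -UseExisting -Wait -Verbose
```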

How to force the Windows 10 May Update

After an extended period of testing in the Release Preview ring, Microsoft has finally started rolling out the May 2019 Update to Windows 10 users, albeit in a “measured and throttled” way.

You might be able to get it now by going through Settings > Update & Security > Windows Update or, failing that, via the Media Creation tool. There is a very simple way to force Windows 10 to start the upgrade process immediately however.

If the new feature update is not currently showing up in Windows Update, then go to the Download Windows 10 page, and click on the Update now button. Doing so will download the Windows 10 Update Assistant — a small 5.9MB file.


Save and launch this and then click the Update Now button. It will check to make sure your PC is compatible in terms of CPU, memory and disk space, and then download and verify the files needed for the update.


SMTP Relay on Azure using SendGrid

In this blogpost I’m going to explain how you can still send SMTP mail from your IaaS server running on Azure. As you might already know, since Nov 15th 2017 it’s no longer always possible to send mail directly over SMTP port 25 (I’ll dig into that later).

In that case Microsoft recommends that Azure customers employ authenticated SMTP relay services (typically connected to via TCP port 587 or 443, though they often support other ports too) to send e-mail from Azure VMs or from Azure App Services. These services specialize in sender reputation to minimize the possibility that 3rd party e-mail providers will reject the message.

Such SMTP relay services include but are not limited to SendGrid.  It is also possible you have a secure SMTP relay service running on premises that can be used. Use of these e-mail delivery services is in no way restricted in Azure regardless of subscription type.

Enterprise Agreement Customers

For Enterprise Agreement Azure customers, there is no change in the technical ability to send e-mail without using an authenticated relay.  Both new and existing Enterprise Agreement customers will be able to attempt outbound e-mail delivery from Azure VMs directly to external e-mail providers with no restrictions from the Azure platform.  While Microsoft cannot guarantee e-mail providers will accept inbound e-mail from any given customer, delivery attempts will not be blocked by the Azure platform for VMs in Enterprise Agreement subscriptions.  Customers will have to work directly with e-mail providers to resolve any message delivery or SPAM filtering issues with the specific provider.

Pay-As-You-Go Customers

For customers who signed up before November 15th, 2017 using the Pay-As-You-Go or Microsoft Partner Network subscription offers, there will be no change in the technical ability to attempt outbound e-mail delivery.  Customers will continue to be able to attempt outbound e-mail delivery from Azure VMs in these subscriptions directly to external e-mail providers with no restrictions from the Azure platform.  Again, Microsoft cannot guarantee e-mail providers will accept inbound e-mail from any given customer and customers will have to work directly with e-mail providers to resolve any message delivery or SPAM filtering issues with the specific provider.

For Pay-As-You-Go or Microsoft Partner Network subscriptions created after November 15, 2017, there will be technical restrictions blocking e-mail sent directly from VMs in these subscriptions.  Customers that need the ability to send e-mail from Azure VMs directly to external e-mail providers (not using an authenticated SMTP relay) can make a request to remove the restriction.  Requests will be reviewed and approved at Microsoft’s discretion and will be only granted after additional anti-fraud checks are performed.  To make a request, open a support case with the issue type Technical –> Virtual Network –> Connectivity –> Cannot send e-mail (SMTP/Port 25).  Be sure to add details about why your deployment needs to send mail directly to mail providers instead of going through an authenticated relay.

Once a Pay-As-You-Go or Microsoft Partner Network subscription gets exempted, VMs in that subscription only will be exempted going forward.  Microsoft reserves the right to revoke this exemption, should we determine a violation of our terms of service has occurred.

MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free Trial Customers

Customers who create MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free Trial subscriptions after November 15, 2017 will have technical restrictions blocking e-mail sent from VMs in these subscriptions directly to e-mail providers to prevent abuse.  No requests to remove the restriction can be made as they will not be granted.

Customers using these subscription types are encouraged to use SMTP relay services as outlined above.

Cloud Service Provider (CSP)

Customers that are consuming Azure resources via Cloud Service Provider (CSP) can create a support case with their Cloud Service Provider (CSP) of choice and request the CSP to create an unblock case on their behalf if a secure SMTP relay cannot be used.

SendGrid

SendGrid is a cloud-based email service that provides reliable transactional email delivery, scalability and real-time analytics along with flexible APIs that make custom integration easy. Ideal for Azure!

First step: configure your network security group (NSG)

You must allow your VM to send mail through port 587 (or 25). It’s a small task to allow that :

  1. Go to the networking pane of your Virtual Machine
  2. And choose to add an outbound port rule


Second step: create a SendGrid account

Azure customers can unlock 25,000 (!) free emails each month. These 25,000 free monthly emails give you access to advanced reporting and analytics and all APIs (Web, SMTP, Event, Parse and more).

Add the SendGrid Resource to your Azure account

  1. Sign in to the Azure portal.
  2. In the menu on the left, click Create a resource.
  3. Click Add-ons and then SendGrid Email Delivery.
  4. Complete the signup form and select Create.
  5. Enter a Name to identify your SendGrid service in your Azure settings. Names must be between 1 and 100 characters in length and contain only alphanumeric characters, dashes, dots, and underscores. The name must be unique in your list of subscribed Azure Store Items.
  6. Enter and confirm your Password.
  7. Choose your Subscription.
  8. Create a new Resource group or use an existing one.
  9. In the Pricing tier section select the SendGrid plan you want to sign up for.
  10. Enter a Promotion Code if you have one.
  11. Enter your Contact Information.
  12. Review and accept the Legal terms.
  13. After confirming your purchase you will see a Deployment Succeeded pop-up and you will see your account listed in the All resources section.

After you have completed your purchase and clicked the Manage button to initiate the email verification process, you will receive an email from SendGrid asking you to verify your account. If you do not receive this email, or have problems verifying your account, please see this FAQ.

You can only send up to 100 emails/day until you have verified your account.

To modify your subscription plan or see the SendGrid contact settings, click the name of your SendGrid service to open the SendGrid Marketplace dashboard.

To send an email using SendGrid, you must supply your API Key.

To find your SendGrid API Key

  1. Click Manage.
  2. In your SendGrid dashboard, select Settings and then API Keys in the menu on the left.
  3. Click Create API Key.
  4. At a minimum, provide the Name of this key, grant full access to Mail Send and select Save.
  5. Your API key will be displayed only once, at this point. Be sure to store it safely.

To find your SendGrid credentials

  1. Click the key icon to find your Username.
  2. The password is the one you chose at setup. You can select Change password or Reset password to make any changes.

To manage your email deliverability settings, click the Manage button. This will redirect to your SendGrid dashboard.


You will automatically be logged on to the SendGrid page :


Now go to settings, API keys to create an API key for SMTP relay. The API key is the password you need to authenticate. The SMTP server address is smtp.sendgrid.net:587 and the user is called apikey.

(Use these settings in your mailserver)
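A quick way to verify the relay settings above from the VM itself is to send one test message through smtp.sendgrid.net:587 with STARTTLS, user apikey and the API key as password. This is an added example, not part of the original post; it assumes the key is supplied through a SENDGRID_API_KEY environment variable and uses placeholder sender and recipient addresses.

```powershell
# Added example (not from the original post): send a test message through the
# SendGrid SMTP relay described above (smtp.sendgrid.net:587, user "apikey",
# password = API key) using STARTTLS.
# Assumptions: the API key is provided via the SENDGRID_API_KEY environment
# variable (never hard-coded in the script); From/To are placeholders.

function Send-SendGridTestMail {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [string]$Subject = 'SMTP relay test via SendGrid'
    )

    $apiKey = $env:SENDGRID_API_KEY
    if ([string]::IsNullOrWhiteSpace($apiKey)) {
        throw 'SENDGRID_API_KEY is not set; create a key with Mail Send access in the SendGrid dashboard.'
    }

    # The SMTP username is literally "apikey"; the API key itself is the password.
    $secure = ConvertTo-SecureString -String $apiKey -AsPlainText -Force
    $cred   = [pscredential]::new('apikey', $secure)

    $client = [System.Net.Mail.SmtpClient]::new('smtp.sendgrid.net', 587)
    $client.EnableSsl   = $true                      # STARTTLS on submission port 587
    $client.Credentials = $cred.GetNetworkCredential()

    $body = "Test message sent $(Get-Date -Format o) from $env:COMPUTERNAME via the SendGrid relay."
    $msg  = [System.Net.Mail.MailMessage]::new($From, $To, $Subject, $body)
    try {
        $client.Send($msg)
        return $true
    }
    catch [System.Net.Mail.SmtpException] {
        # A 535 response means the key is wrong or revoked; a connection timeout
        # usually means the outbound NSG rule for 587 (first step above) is missing.
        Write-Warning "SendGrid relay rejected the message: $($_.Exception.Message)"
        return $false
    }
    finally {
        $msg.Dispose()
        $client.Dispose()
    }
}

Send-SendGridTestMail -From 'noreply@yourdomain.example' -To 'you@yourdomain.example'
```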


How to check your Office 365 tenant for auto-forward rules

Use the following steps to check for any Office 365 auto-forward rules to external email addresses.

In this blogpost I’m using PowerShell to check for any existing auto-forward rules to external email addresses.

Step 1 Log on to Office 365 using PowerShell

Step 2 Export the mailbox(es) that have either redirect or forwarding

This produces a list of all mailboxes in the organization where the forwarding or redirect flags are enabled

Step 3 Investigate which rules are in use

Step 4 Remove the inbox rule from a specific mailbox

Step 5 Remove all the available inbox rules from all mailboxes (if you prefer)
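The five steps above, worked through in one script as an added example (not the author’s commands, which are not reproduced on this page). It assumes the ExchangeOnlineManagement module is installed and treats any domain that is not an accepted domain of the tenant as external.

```powershell
# Added example (not the author's script): find mailbox forwarding and inbox
# rules that forward or redirect mail to external addresses in Exchange Online,
# following Steps 1-5 of the post.
# Assumptions: the ExchangeOnlineManagement module is installed; "external"
# means any domain that is not an accepted domain of the tenant.

Connect-ExchangeOnline   # Step 1: log on (interactive modern authentication)

# Domains the tenant owns, as plain strings.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }

function Test-ExternalAddress {
    param([string]$Address, [string[]]$InternalDomains)
    # Internal recipients resolved by Exchange show up as legacy DNs "[EX:/o=...]".
    if ($Address -match '\[EX:') { return $false }
    # Rules store SMTP targets as '"Name" [SMTP:user@domain]'; mailbox forwarding
    # uses 'smtp:user@domain' or a bare address. Extract the address part.
    if ($Address -match '(?i)smtp:([^\]\s>]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return -not ($InternalDomains -contains $domain)
}

# Step 2: mailboxes with mailbox-level forwarding or redirect enabled.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress -or $_.DeliverToMailboxAndForward } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# Step 3: inbox rules that forward or redirect, keeping only external targets.
$suspect = foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ -and (Test-ExternalAddress "$_" $internalDomains) }
        if ($targets) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Identity = $rule.Identity
                Enabled  = $rule.Enabled
                External = $targets -join '; '
            }
        }
    }
}
$suspect | Format-Table -AutoSize

# Step 4: remove one rule from a specific mailbox after review (drop -WhatIf to act).
# Remove-InboxRule -Mailbox 'alice@contoso.example' -Identity 'Rule name' -WhatIf

# Step 5: remove every rule found above; run only after reviewing $suspect.
# $suspect | ForEach-Object { Remove-InboxRule -Mailbox $_.Mailbox -Identity $_.Identity -Confirm:$false }
```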


How to update ESXi without vCenter (Update Manager)

Use the following steps to upgrade your ESXi host to the latest version without downloading patches first! We are going to use PuTTY to talk to the command line 🙂

First step, put your ESXi server into maintenance mode :

Now we are going to check the profile version we are running :

Or check the build version using the UI:

Now enable the host firewall rule to allow outbound web traffic :

Run the following command to list the online depot profiles available :

If you run into an error with the above command, check your DNS and gateway settings. ESXi needs to reach the online depot over the internet!

Now let’s install the appropriate update, in my case I found out that I’m currently running 20170601001s. In your situation that can be different!

You can see what version you’re running using the previous command :

Ok, let’s reboot!

After installation I noticed the latest build :

Now set the firewall rule to the previous setting :

Final step exit maintenance mode :