mountainss Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management


Leave a comment

Managing and Working with #Azure Network Security Groups (NSG) #Security #IaC #AzureDevOps

Microsoft Azure Network Security Group (NSG)

When you are implementing your Microsoft Azure Design like a HUB-Spoke model you have to deal with security of your Azure environment (Virtual Datacenter). One of them are Network Security Groups to protect your Virtual networks and make communication between Azure subnets possible in a Secure Azure Virtual Datacenter.

You really have to plan your Azure Virtual networks and implement it by Architectural Design. Now I’m writing about Azure Network Security Groups which is important, but there are more items to deal with like :

  1.  Naming Conventions in your Azure Virtual Datacenter
  2.  Azure Subscriptions ( who is Owner, Contributor, or Reader? )
  3.  Azure Regions ( Where is my Datacenter in the world? )
  4.  Azure VNET and Sub-Nets ( IP-addresses )
  5.  Security of your Virtual Networks ( Traffic filtering, Routing )
  6.  Azure Connectivity ( VNET Peering between Azure Subscriptions, VPN Gateway )
  7.  Permissions (RBAC)
  8.  Azure Policy ( Working with Blue prints )

Here you can read more about these Microsoft Azure items

How to Manage Microsoft Azure Network Security Groups (NSG) ?

IMPORTANT: Before you start with Azure Network Security Groups, test every ARM JSON Script first in your Dev-Test Azure Subscription before you do production. Talk with your Cloud Administrators, because when you implement Infrastructure as Code (IaC) and work with ARM Templates you can delete manual settings in NSG’s for example, which will give you troubles like no protocol communication between subnets.

When you start new in Microsoft Azure, It’s easy to make your Azure security baseline for all of your Network Security Groups (NSG’s) by Azure Resource Manager (ARM) templates.

When you have a Microsoft Azure HUB-Spoke model with for example four Azure Subscriptions and a lot of Azure Virtual Networks – Subnets, you got a lot of NSG’s to manage and you don’t want to manage those manually. So there are different ways to manage Azure Network Security Groups via ARM Templates. For example :

ARM Templates from the Azure Portal

Make your ARM Baseline template.

Edit your parameters and Deploy.

Here you saw a standard Virtual Machine Deployment, but you can add of course all of your Azure Resource Manager templates here including your NSG Base Line template. In this way your deployments are documented ( Scripts).

Another awesome solution is Microsoft Azure DevOps for your Deployments in Azure.

Azure DevOps Services is a cloud service for collaborating on code development. It provides an integrated set of features that you access through your web browser or IDE client. The features are included, as follows:

  • Git repositories for source control of your code
  • Build and release services to support continuous integration and delivery of your apps
  • Agile tools to support planning and tracking your work, code defects, and issues using Kanban and Scrum methods
  • Many tools to test your apps, including manual/exploratory testing, load testing, and continuous testing
  • Highly customizable dashboards for sharing progress and trends
  • Built-in wiki for sharing information with your team

The Azure DevOps ecosystem also provides support for adding extensions and integrating with other popular services, such as: Campfire, Slack, Trello, UserVoice, and more, and developing your own custom extensions.
Choose Azure DevOps Services when you want the following results:

  • Quick set up
  • Maintenance-free operations
  • Easy collaboration across domains
  • Elastic scale
  • Rock-solid security

You’ll also have access to cloud load testing, cloud build servers, and application insights.

Azure DevOps Repo for your Templates

From here you can make your Infrastructure as Code (IaC) Pipelines together with your Cloud Administrator Team 😉

When you have your Azure DevOps Private Repository in place and you like to work with Visual Studio for example, you can connect to your Repo and Check-in your NSG ARM Script but Deploy with Visual Studio to your Azure Virtual Datacenter.

Azure NSG Template Deployment via Visual Studio

Microsoft Visual Studio 2019 Preview is available for download here

Here you can download Microsoft Visual Studio Community Edition

And there is Microsoft Open Source Visual Studio Code

Azure DevOps Repo in Visual Studio Code.

Microsoft Visual Studio Code work with Extensions :

Azure DevOps Repo Extension

Azure DevOps Pipelines Extension

So you see there are enough ways to deploy ARM Templates and this is not all, because you can also use Azure Cloudshell for example or other CLI command-line interfaces. But now we want to set the NSG Baseline for our Azure Subscription. A good start is to see the possibilities in the JSON scripting for Network Security Groups.
Here you find the settings and explanation of Azure Components.

For Microsoft Azure NSG Template :

Azure NSG Baseline Template

To create a Microsoft.Network/networkSecurityGroups resource, add the following JSON to the resources section of your template.
The Microsoft Azure Quick Create Templates on Github can help you to make your own NSG Template for example.

————————————————————————–

“apiVersion”: “2017-06-01”,
“type”: “Microsoft.Network/networkSecurityGroups”,
“name”: “[parameters(‘parkingzoneNSGName’)]”,
“location”: “[parameters(‘location’)]”,
“properties”: {
“securityRules”: [
/* {
“name”: “Allow_RDP_Internet”,
“properties”: {
“description”: “Allow RDP”,
“protocol”: “Tcp”,
“sourcePortRange”: “*”,
“destinationPortRange”: “3389”,
“sourceAddressPrefix”: “Internet”,
“destinationAddressPrefix”: “*”,
“access”: “Allow”,
“priority”: 500,
“direction”: “Inbound”
}, */
{
“name”: “AllowAzureCloudWestEuropeOutBound”,
“properties”: {
“protocol”: “*”,
“sourcePortRange”: “*”,
“destinationPortRange”: “*”,
“sourceAddressPrefix”: “*”,
“destinationAddressPrefix”: “AzureCloud.WestEurope”,
“access”: “Allow”,
“priority”: 999,
“direction”: “Outbound”
}
},
{
“name”: “DenyInternetOutBound”,
“properties”: {
“protocol”: “*”,
“sourcePortRange”: “*”,
“destinationPortRange”: “*”,
“sourceAddressPrefix”: “*”,
“destinationAddressPrefix”: “Internet”,
“access”: “Deny”,
“priority”: 2000,
“direction”: “Outbound”
}
}
]
}
},

————————————————————–

By Default is Internet available in a NSG ! So here you see that Internet is not allowed only the AzureCloud West Europe resources because some Azure SDK Component work via ” Public internet” ( Microsoft IP-Addresses).
(RDP protocol is marked and not set in this example for Security reasons)

Internet by Default Rules, so you must set your security Rules !

Conclusion :

You really have to implement Azure Security by Design, make your Base-line with ARM Templates in a Private Repo for your Azure Network Security Groups with the Correct RBAC Configuration for your Cloud Administrator Team. Don’t make them manually and do settings manually when you have a lot of NSG’s ! Versions of your ARM templates are documented in your Repository 😉
Test Always first in a Dev-Test Azure Subscription or in Azure DevOps with a Test plan before you implement in Production.

 

Advertisements


Leave a comment

#Microsoft Azure virtual datacenter HUB-Spoke Model: A network perspective #Cloud #Azure #Security

Microsoft Azure HUB-Spoke Model

When you have your Microsoft Azure Architectural Design in place like a HUB-Spoke model this Microsoft documentation can help you with the Security and networking design in Microsoft Azure Cloud services.

The Virtual Data Center (VDC) isn’t just the application workloads in the cloud. It’s also the network, security, management, and infrastructure. Examples are DNS and directory services. It usually provides a private connection back to an on-premises network or datacenter. As more and more workloads move to Azure, it’s important to think about the supporting infrastructure and objects that these workloads are placed in. Think carefully about how resources are structured to avoid the proliferation of hundreds of workload islands that must be managed separately with independent data flow, security models, and compliance challenges.

Read this Awesome Microsoft Azure Virtual Data Center documentation from a Network perspective here

Conclusion :

When you have your Microsoft Azure High Level Design, get your security and network in Azure in place in a manageable way for your Cloud Administrators and your Business. Here are some tips:

  • Understand the data workflows in your Azure Virtual Data Center.
  • Make a Detailed network and security design (Low level)
  • Keep it Simple but Secure.
  • Before you go into production, do a Security assessment (Pentest) by 3rd party Professionals
    ( For example via Company CQURE )

 


Leave a comment

#Microsoft Azure Hub-Spoke model by Enterprise Design 3 of 4 Data Migration #Azure #SQL

Hyper-V Clusters front tier with SQL Clusters in the Backend

SQL assessment and Data Migration to Azure

This blogpost is about SQL assessment and Data Migration to your Azure design in the Cloud in a secure way.
Before you begin with your Data assessment and getting your workloads together with Microsoft Azure ServiceMaps, I wrote these blogposts about Microsoft Azure HUB – Spoke model by Enterprise Design :

  1. Microsoft Azure Hub-Spoke model by Enterprise Design 1 of 4
  2. Microsoft Azure Policy and BluePrints Overview (Extra Blogpost)
  3. Microsoft Azure Hub-Spoke model by Enterprise Design 2 of 4 “Lift and Shift”

For Microsoft SQL databases there are different Azure Solutions in the Cloud possible, but first you need to know which versions of SQL do you have and how are they running now in your Datacenter?

SQL 2014 Virtual Guest Cluster with Shared VHDX

Here you can see a totally different SQL Cluster configuration, running on Hyper-V instead of physical Server nodes like you can see in the first picture with SQL 2008 R2 Clusters.
When you have a CMDB of your SQL versions running in your Datacenter, you can compare it with these SQL versions on this Great website.

What is also important to know, in which compatibility mode is your SQL Server running? Because you can have a recent SQL version but it’s running in a old compatibility version for the application.

SQL versions with Compatibility matrix

When you have all the insights of your SQL workload on-premises like :

Then you want to know to which Microsoft Azure SQL solution will I migrate my data ?

When you do a “Lift and Shift” first to the Azure-HUB subscription for the complete workload (Virtual Machines + SQL Databases) then you can implement SQL Always-On in Azure.

SQL Always-ON Availability Group

More information about SQL Always-On in Availability Groups in Azure

Or you can migrate to Azure SQL (PaaS) directly.
Later in this blogpost you see the Options with Microsoft Azure Data Migration Assistant (DMA)

Test & Acceptance and Production Azure Spoke

When you have “Lift and Shift” your workload to the Azure-HUB landing zone, then you can do the Optimize of your solutions included SQL to the Test & Acceptance and Production Spoke. For this it’s important where and how your SQL Backend is landing in Microsoft Azure by Design.

Microsoft Azure Data Migration Assistant (DMA)

Data Migration Assistant (DMA) enables you to upgrade to a modern data platform by detecting compatibility issues that can impact database functionality on your new version of SQL Server. It recommends performance and reliability improvements for your target environment. It allows you to not only move your schema and data, but also uncontained objects from your source server to your target server.

Azure SQL Data Migration Assistant

In the following Step-by-Step Guide we will Migrate a SQL 2016 SP2 Database to a Microsoft Azure SQL Database (PaaS):

first you have to download Microsoft Azure SQL Data Migration Assistant here

Click Next.

Click Next

Click Install

Ready for Assessments and Migrations.

  1. Here you can choose between the Assessment or the Migration.
  2. Here you can Choose for your Azure Target SQL Solution :
    – Azure SQL Database
    – Azure SQL Database Managed Instance
    – SQL Server on Azure Virtual Machines
    – SQL Server

Select the options for the Assessment.

In the following steps we will migrate the SQL 2016 SP2 database to Azure SQL :

Connect to the local SQL Instance and Select your Database

Connect and select your Azure SQL Database.

Select the Schema objects to migrate into Azure SQL

Here you see the Script to Deploy Schema.

Schema migration in progress

Schema Migration is Done, now you Click on Migrate Data

Select the Tables to Migrate and click on Start data Migration

Data Migration in progress

The SQL 2016 SP2 Migration from On-premisses to Azure SQL is Successful Completed 🙂

Connected to Azure SQL Database with my Data.

The SQL Query editor is a browser query tool that provides an efficient and lightweight way to execute SQL queries on your Azure SQL Database or Azure SQL Data Warehouse without leaving the Azure portal. This quickstart demonstrates how to use the Query editor to connect to a SQL database, and then use Transact-SQL statements to query, insert, update, and delete data in the database.

Here is my Data in Azure SQL with Query Editor of the Azure Portal.

This is just one Scenario with Azure SQL Data Migration Assistant. What you have learned is that you must have your Azure SQL Solution in place by Architectural Design before you do the SQL Data Migration.

Here you find more information about Data Migration to Microsoft Azure :

Microsoft Azure Data Migration Guide

 

Here you find Microsoft Azure Migration Center

Conclusion :

Microsoft Azure Architecture design like a Hub-Spoke model for example is important to have in place before you do your Data Migration to the Azure Cloud. You got different SQL Solutions in Microsoft Azure, like SQL Always-On in availability Groups and Microsoft Azure SQL Database with or without Managed Instances. Choose for the best scenario in your own Design. My next blogpost in this Serie will be on Optimize your Azure workloads
How can you make your solution smarter, more intelligent for your business and in Azure costs cheaper with Great benefits! Here we can think out of the box to get the best 😉


Leave a comment

via @MSAzureCAT Enterprise #Cloud Control Plane Planning #AzureDevOps #Pipelines

End-to-end Pipelines for Automating Microsoft Azure Deployments

 

Overview :

Imagine a fully automated, end-to-end pipeline for your cloud deployments—one that encompasses and automates everything:

• Source code repos.
• The build and release iterations.
• Agile processes supported by continuous integration and continuous deployment (CI/CD)
• Security and governance.
• Business unit chargebacks.
• Support and maintenance.

Azure services and infrastructure-as-code (IaC) make control plane automation very achievable. Many enterprise IT groups dream of creating or unifying their disparate automation processes and supporting a common, enterprise-wide datacenter control plane in the cloud that is integrated with their existing or new DevOps workflows. Their development environments may use Jenkins, Azure DevOps Services (formerly Visual Studio Team Services), Visual Studio Team Foundation Server (TFS), Atlassian, or other services. The challenge is to automate beyond the CI/CD pipeline to the management and policy layers. From a planning and architecture standpoint, it can seem like an overwhelming program of interdependent systems and processes. This guide outlines a planning process that you can use for automated support of your cloud deployments and DevOps workflows beyond the CI/CD pipeline. The Azure platform provides services you can use, or you can choose to work with third-party or open source options. The process is based on real-world examples that we have deployed with enterprise customers on Azure.

This whitepaper was authored by Tim Ehlen. It was edited by Nanette Ray. It was reviewed by AzureCAT.

Download the Awesome eBook here on the AzureCAT Team Blog

Follow AzureCAT and SQLCAT on Twitter


Leave a comment

Watch the Live Stream Today of #Microsoft Ignite 2018 in Orlando 24 – 28 September #MSIgnite #Azure #Cloud #DevOps and More


Don’t miss the Live Stream of Microsoft Ignite 2018

Get the latest insights and skills from technology leaders and practitioners shaping the future of cloud, data, business intelligence, teamwork, and productivity. Immerse yourself with the latest tools, tech, and experiences that matter, and hear the latest updates and ideas directly from the experts.

Watch live https://www.microsoft.com/en-us/ignite as Microsoft CEO Satya Nadella lays out his vision for the future of tech, then watch other Microsoft leaders explore the most important tools and technologies coming in the next year. After the keynotes, select Microsoft Ignite sessions will stream live—take a deep dive into the future of your profession.


More then 700+ Sessions and 100+ Expert-led and self-paced workshops


#MSIgnite



Leave a comment

Upgrading Azure #Kubernetes Cluster and Set #Azure monitor Alerts on #AKS


Current version of Kubernetes on Microsoft Azure.

Upgrading Microsoft Azure Kubernetes Services

Azure Kubernetes Service (AKS) makes it simple to deploy a managed Kubernetes cluster in Azure. AKS reduces the complexity and operational overhead of managing Kubernetes by offloading much of that responsibility to Azure. As a hosted Kubernetes service, Azure handles critical tasks like health monitoring and maintenance for you. In addition, the service is free, you only pay for the agent nodes within your clusters, not for the masters.

AKS clusters support Role-Based Access Control (RBAC). An AKS cluster can also be configured to integrate with Azure Active Directory. In this configuration, Kubernetes access can be configured based on Azure Active Directory identity and group membership.
For more information, see, Integrate Azure Active Directory with AKS.

From here I will do a step-by-step Upgrade of a Microsoft Azure Kubernetes Cluster to a newer version and set Azure Monitor alert rule active for the future to get an Alert notification when a colleague is upgrading the AKS Services.

Here you see all the newer versions of Kubernetes.

Upgrading to version 1.11.1 of Kubernetes.

IMPORTANT NOTE :

When upgrading an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between 1.8.x -> 1.9.x or 1.9.x -> 1.10.x are allowed, however 1.8 -> 1.10 is not. To upgrade, from 1.8 -> 1.10, you need to upgrade first from 1.8 -> 1.9 and then another do another upgrade from 1.9 -> 1.10

KubeCluster Activity Log

At the green arrow on this picture you can download the activities into CSV file. At the Red arrow you see the User ID who initiated the Upgrade of the Kubernetes Cluster. This is important information for Azure Alert monitoring.

10 minutes later Kubernetes Cluster is Upgraded to version 1.11.1

Upgrade is done.

We now do a minor Upgrade of Kubernetes from version 1.11.1 to 1.11.2 to get the newest version on Azure.
Click on 1.11.2 version and hit Save.

 

Microsoft Azure Monitoring Alerts

When you click on the second activity of the Upgrade you see at arrow 2 that you can add an Activity Log Alert by Azure monitoring.

Creating Rule Alerts.

  1. Define Alert condition is already set. We want an Alert notification on Upgrading KubeCluster.
  2. Define Alert details, must be set.
  3. Define Action Group, must be set to create the Alert Rule.

2. Define the Alert Details.

3. Define Action Group : Click on + New Action Group

Click on OK

Created Action Group name AKSAdmins

An action group is a collection of notification preferences defined by the user. Azure Monitor and Service Health alerts are configured to use a specific action group when the alert is triggered. Various alerts may use the same action group or different action groups depending on the user’s requirements.

More information on Creating and managing action groups in the Azure portal can be found here

For information on how to use Azure Resource Manager templates to configure action groups, see Action group Resource Manager templates.

 

From here you can Create the Alert Rule and make it Active.

Azure Monitor Alerts with one rule Enabled.

Here is our Active KubeCluster Alert Rule.

Now we will get a notification when a Colleague is Upgrading our KubeCluster in the Future 😉

KubeCluster is now running the latest available version of Kubernetes.

Kubernetes Cluster nodes are Healthy and running version 1.11.2

Here you see in the Kubernetes Dashboard the Node version of Kubernetes.

For Developers and DevOps it’s Great to work with Microsoft Visual Studio Code and the Azure Kubernetes Services (AKS) to work in a CI/CD Pipeline, to create continuous business applications in the Cloud.

Here is my Azure KubeCluster running in Visual Studio Code 🙂

And at last, most important thing is that my Application is running on my Azure Kubernetes Cluster for the Business My Test Site.

Hope this blogpost is useful for you and your business to manage your AKS Cluster in the Microsoft Cloud.

More information About Azure Kubernetes Service (AKS) :

 Upgrade an Azure Kubernetes Service (AKS) cluster via Azure CLI

Azure Kubernetes Service (AKS) Docs

Monitor Azure Kubernetes Service (AKS) container health (preview)

Microsoft Azure Kubernetes Services website Start Free here

Follow Containers in the Cloud Community Group on LinkedIn


Leave a comment

Deep dive on Windows Server 2019 Updates by @WSV_GUY #Winserv #WAC #Hyperv

Deep Dive into Windows Server 2019 Updates with Jeff Woolsey Principal PM of the Windows Server Team.

What’s New in Windows Server 2019 Insider Preview Builds :

See here what’s New in Windows Server 2019 Insider Preview Builds

Windows Insider Program for Server allows you deploy the Windows Server 2019 Insider Preview builds in your enterprise. The docs cover the new enterprise features we’d like you to test and describes how to do the most common tasks.

Windows Insider Server program:
https://aka.ms/WindowsServerInsider
Download Windows Server 2019 preview:
https://aka.ms/WindowsServer2019Preview
Windows Admin Center:
https://aka.ms/DownloadWAC

Download Windows Server 2019 Insider Preview and Windows Admin Center Now !