mountainss Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management


Leave a comment

#Microsoft Azure Hub-Spoke model by Enterprise Design 1 of 4 #Azure #Cloud

 

Azure Hub-Spoke Architecture

Microsoft Azure Hub-Spoke Architecture

This Enterprise reference architecture shows how to implement a hub-spoke topology in Azure. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub, and can be used to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.

We only use the Azure Private peering

For this Hybrid Cloud Strategy we made four Microsoft Azure Subscriptions via the EA Portal :

  1. Azure HUB Subscription for the connectivity via Azure ExpressRoute to On-premises Datacenter.
  2. Azure Spoke 1 for Production workload and Cloud Services
  3. Azure Spoke 2 for Test and Acceptance Cloud Services
  4. Azure Spoke 3 for Future plans

The naming convention rules and restrictions for Azure resources and a baseline set of recommendations for naming conventions. You can use these recommendations as a starting point for your own conventions specific to your needs.

The choice of a name for any resource in Microsoft Azure is important because:

  • It is difficult to change a name later.
  • Names must meet the requirements of their specific resource type.

Consistent naming conventions make resources easier to locate. They can also indicate the role of a resource in a solution.The key to success with naming conventions is establishing and following them across your applications and organizations.

Azure connectivity and RBAC Identity

This tenant is federated with via ADFS and Azure Connect to Office 365. Identity management is provisioned
via Microsoft Identity Manager 2016 (MIM2016). With this already in place, we can Configure Microsoft Azure RBAC in the subscriptions.

Access management for cloud resources is a critical function for any organization that is using the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure.

Business Development

For Business Development we have a separated Active Directory in one forest and also federated via ADFS to Microsoft Office 365. For this environment we build one Azure subscription with a temporary Site-to-Site VPN connection to On-premises datacenter for the “Lift and Shift” migration via Azure-Site-Recovery (ASR)

S2S VPN IKE v2 tunnel with Cisco and Azure.

Azure Virtual Networks

Next step is to build the connections between the Azure HUB Subscription and the Azure Spoke subscription(s) when every Microsoft Azure subscription has It’s own Virtual Network (VNET). This is called VNET peering.

Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same virtual network, through private IP addresses only. Azure supports:

  • VNet peering – connecting VNets within the same Azure region
  • Global VNet peering – connecting VNets across Azure regions

Here you see my step-by-step VNET peering creation from HUB to Spoke 1 :

Go to the VNET of the Azure HUB Subscription. and then to Peerings => Add.

Here you make the connection with Spoke 1 Azure subscription.

For Azure HUB is Peering to Spoke 1 Done.

Now we go to the VNET of Azure Subscription Spoke 1 to make the connection.

Go to VNET => Peerings => Click on Add in the Azure Spoke 1 Subscription

Connect here to the Azure HUB

The VNET Peering between Azure HUB subscription and Spoke 1 is Connected.

In this order you have to make the other VNET Peerings from the Azure HUB subscription to the other Spoke Subscriptions so that the network connectivity between VNETs is working. Because we have the Azure Internet Edge in the HUB for the other subscriptions.

In the Azure Reference Architecture we also do Security by Design in the Cloud with Firewall and Azure Network Security Groups (NSG) and every Azure component get it’s own Tag for Security Groups and Billing – Usage.

Azure Storage

In every Microsoft Azure Subscription (HUB and Spoke ) we created a Storage Account. You can choose for different kind of storage in Microsoft Azure.

Durable and highly available. Redundancy ensures that your data is safe in the event of transient hardware failures. You can also opt to replicate data across datacenters or geographical regions for additional protection from local catastrophe or natural disaster. Data replicated in this way remains highly available in the event of an unexpected outage.
Secure. All data written to Azure Storage is encrypted by the service. Azure Storage provides you with fine-grained control over who has access to your data.
Scalable. Azure Storage is designed to be massively scalable to meet the data storage and performance needs of today’s applications.
Managed. Microsoft Azure handles maintenance and any critical problems for you.
Accessible. Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS. Microsoft provides SDKs for Azure Storage in a variety of languages — .NET, Java, Node.js, Python, PHP, Ruby, Go, and others — as well as a mature REST API. Azure Storage supports scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions for working with your data.

Azure Storage includes these data services:
Azure Blobs: A massively scalable object store for text and binary data.
Azure Files: Managed file shares for cloud or on-premises deployments.
Azure Queues: A messaging store for reliable messaging between application components.
Azure Tables: A NoSQL store for schemaless storage of structured data.

Creating your Azure Storage accounts by Design.

One of our Architecture Security by Design policy, is to Encrypt all the storage in Azure via Microsoft Azure Key vault.

Deploying Azure IaaS Virtual Machine with ARM Templates

Enterprise organizations with more then ten employees managing IT datacenters are working by process and order to do the job for the business. When they are all using the Azure Portal and deploy Virtual Machines manually you will get a mess and things can go wrong. In Microsoft Azure you have the Azure Resource Manager for deploying  JSON ARM Templates. With these Azure Resource Manager Templates you can automate your workload deployments in Microsoft Azure. For example : We build a JSON template to deploy a Windows Server in the right Azure Subscription in the right Azure Resource Group and with the following extensions to it :

  • Antimalware agent installed
  • Domain joined in the right OU (Active Directory)
  • Azure Log analytics agent installed ( Connected to Azure Monitor and SCOM )
  • Encryption by default.

Using with our Azure naming conventions and Azure policy we always deploy consistent without making mistakes or by wrong typing in the Azure portal. When you write and make your ARM templates for different workloads, you can store them in Azure DevOps Repo ( Repository) and you can connect your private repo to GitHub.

Making ARM templates works really Awesome with Microsoft Visual Studio Code which is opensource and free of charge. You can add your favorite VSC extensions to work with like Azure Resource Manager.

 Our Azure ARM Template to deploy Virtual Machines into Azure HUB-Spoke model with VSC

Azure monitoring and Recovery Service Vault

To manage your Azure Hybrid Cloud environment you have to monitor everything to keep in control of your Virtual Datacenter. And of course you have to plan your business continuity with Azure Recovery Services (Backup) by Design. We made in every Azure Subscription an Azure Recovery Services Vault for making Backups. This is because you don’t want backup traffic over your VNET peering’s. In the Azure HUB subscription we made a second Azure Site Recovery (ASR) Vault for the “Lift & Shift” migration of On-premises Virtual Machines to the landing zone in Azure HUB.

With Microsoft Azure Monitor we use Log Analytics and Service maps and with the same OMS agent on the Virtual Machine, we still can use Microsoft System Center Operation Manager (SCOM) connected to the same agent 🙂

When you have 45 locations, 45.000 students with BYOD and 10.000 Managed workstations, you will monitor 24 x 7 to keep everything running for your Business. Monitoring Express Route with a Backup connection is a must for your Hybrid Virtual Datacenter. Here you have more information about monitoring Express Route Circuit

Monitoring our Express Route

With this all installed in Microsoft Azure by Design, we have the policy Security First !

Microsoft Azure Security Center

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. With Security Center, you can apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks.

We are already installing Azure Threat Protection (ATP) for our On-premises Datacenter for Security.

Azure Security Center

We still have a lot to configure in Microsoft Azure to get the Basic Architecture Design in place. When that is done, I will make three more blogposts about this datacenter transformation :

  • “Lift and Shift” migration with ASR for Virtual Machines on Hyper-V and VMware.
  • SQL assessment and Data Migration to Azure
  • Optimize of all Workloads in Microsoft Azure.

Hope this blogpost will help you too with your Datacenter transition to Microsoft Azure Cloud.

Advertisements


Leave a comment

#Microsoft Azure Security Center Investigation Dashboard (Preview) #Azure #Security #ASC #Cloud


Yesterday I was playing with Mimikatz (Hackertool) for Security pen tests and it was not working because Azure Security Center Quarantined the file 🙂

On my Surface I got an Azure monitoring Agent running

Microsoft Azure Security Center Investigation Dashboard

The Investigation feature in Security Center allows you to triage, understand the scope, and track down the root cause of a potential security incident.
The intent is to facilitate the investigation process by linking all entities (security alerts, users, computers and incidents) that are involved with the incident you are investigating. Security Center can do this by correlating relevant data with any involved entities and exposing this correlation in using a live graph that helps you navigate through the objects and visualize relevant information.

Microsoft Azure Security Center found also a rare SVCHOST Service on my Surface, and the ASC investigation dashboard gives you great overview of the security risk.

You can Run a Playbook based on this alert Rare SVCHOST Service

Try it yourself, more information about Azure Security Center Investigation Dashboard (Preview) can be found here

Microsoft azure Security Center

 

 


Leave a comment

#Microsoft Azure #Security Center Standard for Hybrid Security #Azure #Cloud #SIEM


Azure Security Center Standard includes:

Hybrid security – Get a unified view of security across all of your on-premises and cloud workloads. Apply security policies and continuously assess the security of your hybrid cloud workloads to ensure compliance with security standards. Collect, search, and analyze security data from a variety of sources, including firewalls and other partner solutions.
Advanced threat detection – Use advanced analytics and the Microsoft Intelligent Security Graph to get an edge over evolving cyber-attacks. Leverage built-in behavioral analytics and machine learning to identify attacks and zero-day exploits. Monitor networks, machines, and cloud services for incoming attacks and post-breach activity. Streamline investigation with interactive tools and contextual threat intelligence.
Access and application controls – Block malware and other unwanted applications by applying whitelisting recommendations adapted to your specific workloads and powered by machine learning. Reduce the network attack surface with just-in-time, controlled access to management ports on Azure VMs, drastically reducing exposure to brute force and other network attacks.

To add On-premises Servers

When your workspace is added :

  1. + Add Computers
  2. Download the right agent for Windows or Linux
  3. When you installed the agent you need the workspace ID and the key to finish the connection.
  4. When your Server doesn’t have a Internet connection you can work with the OMS Gateway.

Connect computers without Internet access using the OMS Gateway

Here you see the 3 machines from On-Premises in Azure Security Center

Security Recommendations

Apply Azure Disk Encryption for example.

Azure Security Center Recommendations

Azure Security Center Overview
I have something to do in my Test LAB 😉

Here you find more Technical docs for Microsoft Azure Security Center 

Microsoft Intelligent Security Graph for Providers

Hope this information about Microsoft Intelligent Azure Security Center will help your Business to stay Secure.


Leave a comment

Enhancing Microsoft #Security using Artificial Intelligence E-book #AI #Azure #MachineLearning

At the Center of intelligent security management is the concept of working smarter, not harder. However, this is a significant undertaking when you consider the ever-evolving landscape of threats and security challenges, combined with the myriad of devices, apps, and user scenarios. In this e-book, learn how you can intelligently detect, protect, and respond to threats by leveraging the strong integration between Microsoft security solutions and our partners.
Read the full e-book to learn how Microsoft is using artificial intelligence (AI) in security features like:

  • Windows Hello
  • Azure Active Directory
  • Azure Advanced Threat Protection
  • Windows Defender SmartScreen
  • Windows Defender Network Protection
  • Exchange Online Protection and more…

You can download Enhancing Microsoft Security using Artificial Intelligence E-book here


Leave a comment

#Microsoft Azure DevOps Projects and Infrastructure as Code #Azure #IaC #DevOps


Microsoft Azure DevOps Project for CI/CD

The Azure DevOps Project presents a simplified experience where you bring your existing code and Git repository, or choose from one of the sample applications to create a continuous integration (CI) and continuous delivery (CD) pipeline to Azure. The DevOps project automatically creates Azure resources such as a new Azure virtual machine, creates and configures a release pipeline in VSTS that includes a build definition for CI, sets up a release definition for CD, and then creates an Azure Application Insights resource for monitoring.

Infrastructure as Code (IaC) gives you benefits like :

  • Consistency in naming conventions of Azure components
  • Working together in the same way with your company policies
  • Reusability of Templates
  • Automatic documentation and CMDB of deployments in your repository
  • Rapid deployments
  • Flexibility and Scalability in code for Azure Deployments

As an Large Enterprise Company you don’t want to Click and Type in the Azure Portal with lot of employees to get the job done in a consistent way. The changes and deployments will be different in time because people can make mistakes. For Developers it’s important to make your building process before you publish your application, so why not for DevOps and ITpro to do the same thing for Infrastructure.

In the following step-by-step guide you will learn how to make a Microsoft Azure DevOps Project and make a CI/CD Pipeline deploying a virtual machine with your ASP.net Application.

Prerequisites :
An Azure subscription. You can get one free through Visual Studio Dev Essentials.
Access to a GitHub or external Git repository that contains .NET, Java, PHP, Node, Python, or static web code.

Here you find the GitHub for Developer Guide

When you have your prerequisites in place you can start with the following steps :

Search for DevOps at All Services in the Azure Portal

Select .NET and Click on Next

You can see where you are in the flow of creating your CI/CD Pipeline, when you need a Azure SQL Database for your ASP.net application you can select Add a Database (Option). This will provide you Azure SQL as a Service (PaaS).

Database-as-a-Service
(I didn’t Choose for SQL)


In this step select Virtual Machine and click Next

From here you can create a VSTS account or your Existing account of Visual Studio Team Services. After selecting VSTS you can manage your Azure settings and by clicking on Change you can select the Azure options.

 

Select the Virtual Machine you need for your Application.

Here you see the Deployment Running

Important for Infrastructure as Code (IaC), the Deployment template can be saved into the library and / or you can download it for reusability or make your own policies into the template.

When you save it into the Azure Library you get the release notes and who’s the publisher

In the Microsoft Azure DevOps Project main Dashboard you will see the status of your CI/CD Pipeline and that release is in progress or not. On the right-side of the Dashboard you see the Azure resources like the Application endpoint, the Virtual Machine and Application Insights for monitoring. When the CI/CD Pipeline deployment is succeeded you can browse to your ASP.net Application.

Your Application.

Your Virtual Machine Running and in the Monitoring.


The Microsoft Azure DevOps Project CI/CD Pipeline is Completed.

Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It’s designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center and HockeyApp.

You can drill down into the error to see what is happening.

Azure Application Insights topology

Application Insights is aimed at the development team, to help you understand how your app is performing and how it’s being used. It monitors:
Request rates, response times, and failure rates – Find out which pages are most popular, at what times of day, and where your users are. See which pages perform best. If your response times and failure rates go high when there are more requests, then perhaps you have a resourcing problem.
Dependency rates, response times, and failure rates – Find out whether external services are slowing you down.
Exceptions – Analyse the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Both server and browser exceptions are reported.
Page views and load performance – reported by your users’ browsers.
AJAX calls from web pages – rates, response times, and failure rates.
User and session counts.
Performance counters from your Windows or Linux server machines, such as CPU, memory, and network usage.
Host diagnostics from Docker or Azure.
Diagnostic trace logs from your app – so that you can correlate trace events with requests.
Custom events and metrics that you write yourself in the client or server code, to track business events such as items sold or games won.

You can also drill down into Microsoft Azure Log Analytics and run your analytics queries to get the right information you want for troubleshooting. More information on Azure Log Analytics and queries is on MSFT docs.

From App Insight we see it was an Exception error

Because the Azure DevOps Project is connected with VSTS you can follow the Build and Release here to and you got your documentation of the CI/CD Pipeline.

From here you can work with your Developers and DevOps and manage the User and Groups security in de CI/CD Pipeline for the next Build. Working together to build innovative apps via VSTS from one Dashboard :

VSTS Dashboard

Next day you see it was one time error and the Pipeline is running Fine 😉

For more information about all the possibilities with Microsoft Azure DevOps Project go to MSFT Docs

DevOps and Microsoft :

DevOps is the union of people, process, and products to enable continuous delivery of value to our end users.

To Learn DevOps please visit this Microsoft DevOps Site

Conclusion : 

Invest in your CI/CD Pipeline and make your own environment is important before you deploy into Azure production for your business. Make your ARM Templates and Code in repositories like Git or VSTS. When you have this all in place your are more in control of your consistent Deployments and Changes in the Azure Cloud. I hope this blogpost is useful for you and your Company. Start today with Infrastructure as Code (IaC) and get the benefits 😉


Leave a comment

#Microsoft Azure Log Analytics Query Playground Available #MSOMS #Azure #Analytics #HybridCloud

Azure Log Analytics

You can access Log Analytics through the OMS portal or the Azure portal which run in any browser and provide you with access to configuration settings and multiple tools to analyze and act on collected data. From the portal you can leverage log searches where you construct queries to analyze collected data, dashboards which you can customize with graphical views of your most valuable searches, and solutions which provide additional functionality and analysis tools.

If you have no current monitoring in place for your Azure environment, you should start with Azure Monitor which collects and analyzes monitoring data for your Azure resources. Log Analytics can collect data from Azure Monitor to correlate it with other data and provide additional analysis.
If you want to monitor your on-premises environment or you have existing monitoring using services such as Azure Monitor or System Center Operations Manager, then Log Analytics can add significant value. It can collect data directly from your agents and also from these other tools into a single repository. Analysis tools in Log Analytics such as log searches, views, and solutions work against all collected data providing you with centralized analysis of your entire environment.

Microsoft Azure log analytics is very powerful for Hybrid IT management and getting you in control of your Hybrid Cloud Datacenter(s).

Select Data by type

You can change the chart here

Computers sending Heartbeat with date and time

Here you can export to Excel, PowerBI or Share the Query

Set your Query in a Time range

Here you find Online documentation and Query Reference guide

Start Today with Azure Log Analytics !

To play free with Microsoft Azure Log Analytics and Query on all the solutions there is a Demo environment available.

More links for Microsoft Azure Log Analytics :

Azure Log Analytics Query Language

Azure Log Analytics Query Examples

Azure Log Analytics website

Azure Log Analytics tech Docs Online

Microsoft Azure Management Blog

Microsoft Operations Management Suit (OMS) Blog

Social Media :

Microsoft Azure on Twitter

Microsoft OMS on Facebook #MSOMS

Get started with the Microsoft Azure Log Analytics Query Language today to get you and your Business in Control with innovative Hybrid IT Management.

 

 


Leave a comment

Watch all those Awesome Microsoft #MSIgnite 2017 video sessions #Azure #AzureStack #MSOMS

Empower IT and developer productivity with Microsoft Azure with @scottgu

Microsoft Azure virtual machine infrastructure innovation and automation

Microsoft Azure Stack Development Kit and why it matters

Manage hybrid cloud and transform your workplace with PowerShell and Azure Automation

See here all the Microsoft Ignite 2017 video sessions

Thank you Microsoft and MVP’s for those Awesome sessions at Ignite 2017