mountainss Cloud and Datacenter Management Blog

Microsoft SystemCenter blogsite about virtualization on-premises and Cloud


Leave a comment

#Microsoft Azure CloudShell Bash in Visual Studio Code #Azure #VSC #DevOps

 

When you don’t have Microsoft Visual Studio Code, It’s a Awesome Open Source Free tool for DevOps and ITPro.

https://code.visualstudio.com/download

When you installed VSC you can add Extensions to your Visual Studio Code and one of them is Called Azure Account.
When you Add this extension you can connect to Microsoft Azure Cloud Shell in Visual Studio Code.
But before we can use this Extension to connect to Azure CloudShell we need NodeJS version 6 or higher installed on your OS.

Go to NodeJS and Download

Click Next.

Accept the Terms and click Next.

Click Next

Click Next

It will also install a Shortcut for the online documentation of this version of NodeJS v9.6.1

Click on Install

Click Finish

With Ctrl+Shift+P聽you will see all the Commands. (1)
Choose for Azure: Open Bash in CloudShell (2)

When you do this it will make a Microsoft Azure Device Login first to Connect to your Azure Subscription like this :

Type the code which is in VSC here

Azure will see that you connect with Visual Studio Code.
Click on Continue.

Login with your Azure Account of your Subscription.

The Connection with VSC and Azure is made.

Now when you choose Azure: Bash in CloudShell again it will show the Azure Cloud Shell in your VSC.

Your are Online with Azure Cloud Shell.

Just Awesome 馃槈
Cheers James

Advertisements


Leave a comment

#Microsoft Secure #DevOps Kit of #Azure to Secure your Cloud #Security

Overview

The “Secure DevOps Kit for Azure” (will be referred to as ‘AzSDK’ henceforth) is a collection of scripts, tools, extensions, automations, etc. that caters to the end to end Azure subscription and resource security needs for dev ops teams using extensive automation and smoothly integrating security into native dev ops workflows helping accomplish secure dev ops with these 6 focus areas:
1. Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline.
2. Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure.
3. Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner.
4. Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
5. Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates.
6. Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.

The Secure DevOps kit for Azure is here on Github

Provision Security in Subscription

聽聽聽聽聽聽 Subscription Health Scan

聽聽聽聽聽聽 Subscription Security Provisioning

聽聽聽聽聽聽 Subscription AccessControl Provisioning

聽聽聽聽聽聽 Subscription Activity Alerts

聽聽聽聽聽聽 Azure Security Center (ASC) configuration

聽聽聽聽聽聽 Subscription Security – ARM Policy

聽聽聽聽聽聽 Update subscription security baseline configuration

More information on each item can be found here on Github

Develop Security, Spot Check security via Scripts

鈥 Security Verification Tests (SVT)

Express Route-connected Virtual Networks (ER-vNet)

More information on these items on Github

Deploy securely from VSO Build/Release Pipeline

  • Security Verification Tests (SVTs) in VSTS pipeline
  • Security Verification Tests (SVTs) in Jenkins pipeline (Preview)

The AzSDK contains Security Verification Tests (SVTs) for multiple PaaS and IaaS services of the Azure platform. As we have seen so far, these SVTs can be manually run against one or more target resources held in resource groups or tagged via a {tagName, tagValue} pair. While it is invaluable to run these SVTs periodically from a PS console (to ensure that the subscription and the different resources that comprise your application are in a secure state), a key aspect of dev ops is to be able to automate such tests and integrate them as part of the dev ops workflows and release pipelines. In other words, while checking that SVTs pass in an ad hoc manner is a good practice, it is important to be able to also ensure that security control configuration remains intact in higher environments.
The CICD extensions feature of AzSDK makes automated security configuration enforcement possible by making SVTs available as a Visual Studio Extension in the Marketplace so that engineering teams can run them within build/release pipeline. Once the build/release task is configured, SVTs run against a target deployment in an Azure subscription. Upon completion, SVTs will report the pass/fail status for controls along with aggregate control results. Hereafter, all the different ‘out-of-box’ build/release workflow options from the CICD engine (e.g., VSTS) can be used as ‘next steps’ based on the outcomes of SVTs. (For instance, one can decide whether to fail the release outright or to continue despite failures while sending an email to the build/release owners or to hold progress until someone manually approves, etc. Furthermore, if all SVTs pass in the pre-prod environment, then a release can be ‘promoted’ to prod.)
Outcomes of the SVT execution can also be routed to an OMS workspace configured to receive various events generated by the AzSDK.

More information on Build / Release Pipeline

Periodically scan in production to watch for Drift

Baseline Continuous Assurance

鈥 Overview
鈥 Setting up Continuous Assurance – Step by Step
鈥 Continuous Assurance – how it works (under the covers)
鈥 Update existing Continuous Assurance Automation Account
鈥 Remove Continuous Assurance Automation Account
鈥 Fetch details of an existing Continuous Assurance Automation Account
鈥 Continuous Assurance through central scanning mode (Preview) – Step by Step
鈥 FAQ

More information on Baseline Continuous Assurance here on Github

Single Security Dashboard across DevOps Stages

OMS Solution for AzSDK

  • Overview
  • Components of the AzSDK OMS Solution
  • Setting up the AzSDK OMS Solution (Step by Step)
  • Next Steps
  • Appendix
  • Creating an OMS workspace
  • Testing OMS connectivity
  • Routing AzSDK events to OMS
  • Leveraging other OMS Solutions from the Solutions Gallery

The Alerting & Monitoring features of AzSDK empower dev ops teams with the following capabilities:
a single pane of glass view of cloud security across dev ops stages
visibility to control status for their Azure subscription and critical enterprise/application resources
pre-configured search queries for creating alerts to facilitate action on security drift
Out of the box, these capabilities can be leveraged via the Operations Management Suite (OMS) solution in AzSDK.
However, a dev ops team can equally easily leverage a different system for log analytics (e.g., Splunk) and view the AzSDK control evaluation events in the alternate system. This can be accomplished by using via connectors for Event Hubs or Webhooks in the AzSDK.

More information on Security Monitoring with a Single Dashboard here on Github

Make Data-driven Improvements to Security

Overview Security Telemetry

  • Control Telemetry
  • Organization Level Setup
  • Local Control Telemetry
  • Understanding Data in App Insights
  • App Insights Visualization
  • Usage Telemetry
  • Enable/Disable Usage Telemetry
  • FAQs

The Secure DevOps Kit generates telemetry events from all stages of dev ops. That is, events are generated when an engineer runs a scan ad hoc or when SVTs are run in CICD or subscriptions are scanned via Continuous Assurance (CA). The telemetry can be collected and aggregated across an organization. When combined with other organization metadata (e.g., a mapping of subscriptions to applications or service lines or business groups), this can yield a powerful platform for supporting a data-driven approach cloud risk governance and allow organizations to drive measured and targeted security improvement initiatives in a continuous and incremental fashion (just like the rest of dev ops). The telemetry data from AzSDK can be leveraged in two key ways:
Application Insights based 鈥 called Control Telemetry (will be renamed to Org Telemetry soon). There are two ways possible. One, configure it centrally, two, configure it specifically in end-user’s machine
API based 鈥 this is a custom solution using WebAPI and SQL to collect events and enrich it with organizational metadata. This lets an organization track and drive adoption and usage of the AzSDK and provides a window into the org’s DevSecOps Maturity. API based telemetry will be release in coming months when we release documents for how organization can customize AzSDK for their needs

More on Security Telemetry you find here on GitHub

Fetch information about various AzSDK components

  • Overview
  • Subscription information
  • Control information
  • Attestation information
  • Host information

This command provides overall information about the AzSDK which includes subscription information (alert/policies/ASC/CA version etc.), security controls information (severity, description, rationale etc.), attestation information (statistics, attestation justification, expiry etc.), host information (AzSDK settings/configuration, AzureRM Context etc.). ‘Get-AzSDKInfo’ command can be used with ‘InfoType’ parameter to fetch information.

More information about Get-AzSDKInfo on Github

Start with Microsoft Azure ARM Templates

Use Microsoft Visual Studio Code to work with JSON ARM Templates and Azure subscription

 

Hope these Microsoft DevOps Azure Security SDK resources are helpful for your organization.

 

 

Cheers James.

 


Leave a comment

What is New in Microsoft System Center version 1801 #Sysctr #SCOM #SCVMM #SCDPM

What is New in Microsoft System Center Virtual Machine Manager version 1801 ?

  • Nested virtualization
  • Migration of VMware VM (EFI firmware-based VM) to Hyper-V VM
  • Performance improvement in host refresher
  • Enhanced console session in VMM

Networking :

Security :

Azure Integration :

SCVMM 1801 supports management of ARM-based VMs, Azure Active Directory (AD) based authentication that is created by using the new Azure portal and region-specific Azure subscriptions (namely, Germany, China, US Government Azure regions).

Download here System Center Virtual Machine Manager version 1801 VHD

What is New in System Center Data Protection Manager version 1801 ?

The following features are either new to DPM, or are improved for DPM 2016.

Modern Backup Storage – Using Resilient File System (ReFS) block-cloning technology to store incremental backups, DPM 2016 dramatically improves storage utilization and performance. The storage consumed by backups grows and shrinks with the production data source, and there is no over-allocation of storage.
Resilient change tracking (RCT) – DPM uses RCT (the native change tracking in Hyper-V), which removes the need for time-consuming consistency checks. RCT provides better resiliency than the change tracking provided by VSS snapshot-based backups. DPM also uses RCT for incremental backup. It identifies VHD changes for virtual machines, and transfers only those blocks that are indicated by the change tracker.
Continued protection during cluster aware updates – Windows Server 2016 comes with the cluster OS rolling update, where a cluster can be upgraded to Windows Server 2016 without bringing it down. DPM 2016 continues to protect VMs during the upgrade, maintaining the backup service level agreement (SLA).
Shielded VM Backups – Shielded VMs in Windows Server 2016 help protect sensitive VMs from inspection, tampering, and data theft by malware and malicious administrators. DPM 2016 backups retain the protections provided by shielded VMs to ensure they can be recovered seamlessly and securely.
Hyper-V with Storage Spaces Direct – DPM recognizes and protects Hyper-V VMs deployed on Storage Spaces Direct, delivering seamless backup and recovery of VMs in disaggregated and hyper-converged scenarios.
Hyper-V with ReFS SOFS Cluster – DPM 2016 can back up Hyper-V VMs deployed on ReFS-based SOFS clusters. Backup and recovery of RCT-based VMs and non-RCT VMs is supported.
Upgrading a DPM production server to 2016 doesn’t require a reboot – When you upgrade to DPM 2016, you are not required to reboot the production server. To avoid rebooting the production server, upgrade to DPM 2016 and upgrade the DPM agent on the production servers. Backups continue and you reboot the production server when you want.

DPM to Azure Backup Vault.

Download here System Center Data Protection Manager version 1801 VHD

What is New in System Center Operations Manager version 1801 ?

  • Enter product key from the Operation Console
  • Linux monitoring
  • Improved HTML5 dashboarding experience
  • System Center Visual Studio Authoring Extension (VSAE) support for Visual Studio 2017
  • Enhanced SDK Client performance
  • Updates and recommendations for third-party Management Packs
  • Linux Kerberos support
  • Service Map integration

Microsoft Service Map automatically discovers application components on Windows and Linux systems and maps the communication between services. It automatically builds a common reference map of dependencies across your servers, processes, and third-party services. Integration between Service Map and System Center Operations Manager allows you to automatically create distributed application diagrams in Operations Manager that are based on the dynamic dependency maps in Service Map.

The Microsoft System Center Operations Manager Team published a great blogpost on the New SCOM Web Console version 1801

Download here System Center Operations Manager version 1801 VHD

Download here System Center Orchestrator version 1801 VHD

Download here System Center Service Manager version 1801 VHD

 

Here you find more information about System Center version 1801

Test today the new features of System Center version 1801 with the Evaluation VHD’s 馃槈


Leave a comment

#Microsoft Azure SQL Query Editor Preview in the #Cloud #Azure #SQL

This quick start tutorial walks through how to create a SQL database in Azure. Azure SQL Database is a 鈥淒atabase-as-a-Service鈥 offering that enables you to run and scale highly available SQL Server databases in the cloud. This quick start shows you how to get started by creating a SQL database using the Azure portal.

The SQL Query Editor is a browser query tool that provides an efficient and lightweight way to execute SQL queries on your Azure SQL Database or Azure SQL Data Warehouse without leaving the Azure portal. This quickstart demonstrates how to use the Query Editor to connect to a SQL database, and then use Transact-SQL statements to query, insert, update, and delete data in the database.

Query Editor Login

When you select a table you can edit the Data

You can edit the data here (preview)

Or delete a row.

This Feature in Microsoft azure is still in preview !


Leave a comment

#Microsoft Project Olympus #Cloud hardware #Innovation at Scale in #Azure

Microsoft鈥檚 Project Olympus delivers cloud hardware innovation at scale.

Deployed in Azure
Project Olympus hardware is now deployed in volume production with the Fv2 virtual machine (VM) family. The Fv2 family are the fastest VMs in Azure and offer the fastest Intel庐 Xeon庐 Scalable processors in the public cloud. It addresses the growing demand for massive large-scale computation from customers doing financial modeling, scientific analysis, genomics, geothermal visualization, and deep learning.
The Fv2 VM family is among the first Project Olympus designs productized in Azure. More deployments and silicon innovation will follow to support the exploding growth of cloud services and computing power needed for emerging cloud workloads such as big data analytics, machine learning, and Artificial Intelligence (AI).

This article describes the available sizes and options for the Azure virtual machines you can use to run your Windows apps and workloads. It also provides deployment considerations to be aware of when you’re planning to use these resources. This article is also available for Linux virtual machines.

the Project Olympus Sub-Group. Project Olympus is Microsoft’s next generation rack-level solution that is open-sourced through Open Compute Project

Project Cerberus is a NIST 800-193 compliant hardware root of trust specifically designed to provide robust security for all platform firmware. It provides a hardware root of trust for firmware on the motherboard (UEFI BIOS, BMC, Options ROMs) as well as on peripheral I/O devices by enforcing strict access control and integrity verification from pre-boot and continuing to runtime.

Specifically, Project Cerberus can help defend platform firmware from the following threats:

  • Malicious insiders with administrative privilege or access to hardware
  • Hackers and malware that exploit bugs in the operating system, application, or hypervisor
  • Supply chain attacks (manufacturing, assembly, in-transit)
  • Compromised firmware binaries

More information on GitHub here in Draft


Leave a comment

Free E-book Introduction to Windows #Containers #Winserv #Docker #DevOps

With the introduction of container support in Windows Server 2016, we open a world of opportunities
that takes traditional monolithic applications on a journey to modernize them for better agility.
Containers are a stepping stone that can help IT organizations understand what key items in modern
IT environments, such as DevOps, Agile, Scrum, Infrastructure as Code, Continuous Integration, and
Continuous Deployment, to name just a few, can do and how these organizations can adopt all of
these elements and more to their enterprises.
As a result of Microsoft鈥檚 strong strategic partnership with Docker鈥攖he de facto standard in container
management software鈥攅nterprises can minimize the time required to onboard and run Windows聽Containers.
Docker presents a single API surface and standardizes tooling for working across public
and private container solutions as well as Linux and Windows Container deployments.

Download this awesome Introduction to Windows Containers E-book here

Microsoft Azure Containers in the Cloud


Leave a comment

Docker CE for Windows10 Edge and #Kubernetes Feature Overview #Docker #Containers #DevOps

Docker CE for Windows is Docker designed to run on Windows 10. It is a native Windows application that provides an easy-to-use development environment for building, shipping, and running dockerized apps. Docker CE for Windows uses Windows-native Hyper-V virtualization and networking and is the fastest and most reliable way to develop Docker apps on Windows. Docker CE for Windows supports running both Linux and Windows Docker containers.

You can download Docker CE for Windows (Edge) here

After you installed Docker for Windows CE (Edge) on Windows 10, go to docker Settings for activating the New Feature Kubernetes..

Select Enable Kubernetes.
(I selected also Show system containers (Advanced ) to see more information.)

Click on Install

You can run the installation in the Background if you want.

Here you see the Status of the Kubernetes Cluster.

kubectl config get-context
Docker-for-desktop Kubernetes Cluster is active

You can see the Status in Docker Settings too.

kubectl get services

kubectl get nodes

Kubectl cluster-info

When you run docker images
You will see the Kubernetes images for the Cluster.

When you selected the Advanced feature in Docker settings earlier you can
see the running containers with Docker ps command

With Kitematic you get a GUI console to manage Docker Container Images, from here you can pull Container images from Docker HUB

Download Kitematic here and install.

 

When you installed Kitematic you can see on your left all the Kubernetes Containers and when you select a running Container you can see the active logs.

More settings to Explore.

When you start Powershell in Administrator modus, you can use the kubectl command line interface and with –help you get the information on the Kubernetes commands. Here you find more information with examples at Kubernetes site

With Microsoft Visual Studio Code you can use the Docker for Windows CE Edge Kubernetes Cluster to Develop your Apps.

Intstall the Visual Studio Code Kubernetes Tools extension.

Install Kubernetes-Snippets is handy for Developing

When your Kubernetes local project is successful, you can deploy an Azure Kubernetes Service (AKS) or a Microsoft Azure Container Service to run your project in the Cloud for production.

Azure Container Service (AKS)
Azure Container Service (AKS) manages your hosted Kubernetes environment, making it quick and easy to deploy and manage containerized applications without container orchestration expertise. It also eliminates the burden of ongoing operations and maintenance by provisioning, upgrading, and scaling resources on demand, without taking your applications offline.

Here you find more information on Microsoft Azure Container Services for Kubernetes

Hope this overview helps you with developing apps in Containers with Docker, Kubernetes and Azure.