Azure File Share : Issue mounting outside of the Azure region from Ubuntu Linux

Today I was setting up a deployment with two hosts:

  • One in West Europe (“WE”)
  • One in North Europe (“NE”)

The objective was to have a shared mountpoint between both. So I created a storage account in the region West Europe. In this storage account I created a file share and mounted it on the VM located in WE. However, when using the exact same config in NE, I got the following error message:


mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


Public Speaking Engagement – Azure Bootcamp on 16/04/2016 – Docker Orchestration on Azure with Rancher

Today I got the confirmation that my proposal on “Docker Orchestration on Azure with Rancher” got accepted! Below you can find some more information about the event. I hope to see all of you there! Be sure to register up front though… The (free) ticket sales might skyrocket due to my presence. 😉

 

The fourth Global Azure Bootcamp is around the corner! On April 16, the global Azure community gets together. In Belgium AZUG and RealDolmen have teamed up to organise a free day for Belgian enthusiasts. Join one of the sessions or hack away on the global lab! There’s something for everyone to enjoy.

Sessions

09:00 – 09:20 Welcome + Lab instructions
09:20 – 09:30 Break
09:30 – 10:00 Not Steve, Just Jobs – Kris van der Mast
10:00 – 10:15 Break
10:15 – 11:15 Docker Orchestration on Azure with Rancher – Karim Vaes
11:15 – 11:30 Break
11:30 – 12:30 IOTing the cloud out of UWP – Nico Vermeir
12:30 – 13:30 Lunch
13:30 – 14:30 Hybrid Integration with the Azure Platform – Glenn Colpaert
14:30 – 14:45 Break
14:45 – 15:45 Polyglot Persistence in Microsoft Azure – Charalampos Karypidis
15:45 – 16:00 Break
16:00 – 17:00 Using Azure to simplify your disaster recovery strategy – Wouter Gevaert
17:00 – … Closing speech, prize draw (sponsor giveaway)

Practical details

Event date: Saturday, April 16, 2016 – full day, starts at 9:00 AM
Event location:
RealDolmen
A. Vaucampslaan 42
1654 Huizingen
Belgium

 

Also a big shout-out to AZUG for organising this event!

Docker & Azure : Testdriving the azure file storage volume driver

Introduction

A bit more than two months back I posted about “Azure & Docker : Shared storage anyone?”. There I was using a storage pattern called “Hosted Mapped Volume, backed by Shared Storage”. Today we’ll basically do the same thing, but in a cleaner way, by using a basic volume. This volume is (in turn) backed by shared storage (namely a File Share on an Azure Storage Account). To realise this, we need to have the “docker volume driver for azure file storage” in place.

 

Topology

So we’ll be installing the volume driver on each host and connecting that driver to our Azure Storage Account.

[Diagram: kvaes-docker-azure-file-share-volume-driver]


Azure : Basic Network Hardening between a Webapp & the SQL Database

A quick tip on hardening your SQL database in combination with an Azure Webapp. Browse to the properties of your webapp. Copy the “outbound ip addresses” to your text editor.


Now browse to the “SQL Server” you have provisioned in Azure. Click on “Show firewall settings” and enter the IP addresses you just noted down.


A small pointer: you have to enter these one address at a time and save after each entry… Annoying as hell, though this is how the UI works.

Anyhow, let’s see how our webapp behaves…

[Screenshot: Welcome to CodeIgniter]

You probably do not believe me right off the bat, so let’s clear out the firewall rules…

and test again!

[Screenshot: Database Error]

Now we notice that the access to the database was denied. The address listed there is the one that was present in the outbound ip addresses listing from earlier on.

Have fun hardening!
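
The one-address-at-a-time entry in the portal can be scripted. The following is an added example, not part of the original post: it takes the comma-separated “outbound ip addresses” value, drops invalid and duplicate entries, and prints one single-address `az sql server firewall-rule create` command per IP for review before running. The names `example-rg`, `example-sql`, the `webapp-out-N` rule names and the sample addresses are placeholders.

```shell
#!/bin/sh
# Added example: turn a web app's outbound IP list into SQL Server firewall rules.
# Resource names and the sample addresses below are constructed placeholders.
# Both function bodies run in a subshell "( )", so exit only ends the function.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() (
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
  esac
  set -f; IFS=.
  set -- $1
  [ "$#" -eq 4 ] || exit 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
  exit 0
)

# Print one single-address firewall rule command per unique, valid IP.
# $1 = resource group, $2 = SQL server name, $3 = comma-separated IP list
gen_firewall_rules() (
  rg=$1; server=$2; list=$3; seen=' '; n=0
  set -f; IFS=,
  for ip in $list; do
    ip=$(printf '%s' "$ip" | tr -d '[:space:]')
    [ -n "$ip" ] || continue
    if ! is_ipv4 "$ip"; then
      echo "skipping invalid entry: $ip" >&2
      continue
    fi
    case $seen in *" $ip "*) continue ;; esac   # already emitted
    seen="$seen$ip "
    n=$((n + 1))
    printf 'az sql server firewall-rule create -g "%s" -s "%s" -n "webapp-out-%d" --start-ip-address %s --end-ip-address %s\n' \
      "$rg" "$server" "$n" "$ip" "$ip"
  done
  exit 0
)

# Constructed sample (documentation-range addresses). With the Azure CLI the real list comes from:
#   az webapp show -g <rg> -n <app> --query outboundIpAddresses -o tsv
SAMPLE_IPS='203.0.113.10,203.0.113.11, 203.0.113.10,198.51.100.300'
gen_firewall_rules example-rg example-sql "$SAMPLE_IPS"
```

Start and end address are the same on every rule, so each rule admits exactly one outbound IP and nothing wider.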

Azure : Finding out the available metrics for autoscaling virtual machine scale sets

For those who have been test driving autoscale on virtual machine scale sets… You have probably run into the situation where you wanted to go beyond the quickstart examples!

A quick tip on how to find out which Metrics are available for your autoscaling ;

So now you have the list of metrics which you can use to tweak the vmss-autoscale templates (for example: https://github.com/Azure/azure-quickstart-templates/blob/master/201-vmss-ubuntu-autoscale/azuredeploy.json).

Azure Networking : Do not forget the impact of Network Security Groups!

Introduction

In my last post I mentioned that the NSGs (Network Security Groups) had a serious impact on your deployment. So today I’ll be doing a quick demo of a possible annoyance you might encounter.

The demo environment

About the same setup as the last time… One VNET, three subnets: firewall in subnet 10.0.0.0/24, one server in 10.0.1.0/24 and another server in 10.0.2.0/24.


Azure Networking : Building a DMZ and adding Packet Inspection to all Traffic

Introduction

The last week I’ve been working up a sweat on getting the following “basic” design working.

[Diagram: Azure-DMZ-kvaes-packet-inspection]

What do we see here? A virtual network with three subnets. The subnet “SUBNET000” will act as our “External DMZ”. We’ll put the Firewall (and other security related appliances) in here. The other subnets can fulfil different roles, as you want… Let’s imagine that the “SUBNET001” is our “Internal DMZ” and the “SUBNET002” is our “Server Network”.

And what do I want to achieve today? I want all traffic to flow through the firewall, so that I can control / inspect all flows and act accordingly. As a basic test, I want to be able to ping from 10.0.1.4 (subnet001) to 10.0.2.4 (subnet002) and I want to be able to browse to “www.kvaes.be” (internet) from 10.0.1.4 (subnet001). Both tests need to be performed with the firewall as a virtual network appliance routing all traffic. This is needed, as otherwise the whole test is useless from a security perspective. 🙂 If I can do those two things, then I can prove that you can control / inspect all traffic from your Azure network.
