Azure Subscription Management – Beyond the 101… aka The Advanced Topics

Introduction

Today’s post will cover three more advanced topics that I’ve seen surfacing on a regular basis ;

  • Transferring a Subscription versus Changing the Directory of a Subscription
  • Moving resources between subscriptions with different AAD (Azure Active Directory tenants
  • Understanding the relationships between components when leveraging an Enterprise Agreement (EA)
  • Various advanced scenarios on how AAD in intertwined between subscriptions & the EA

Transfer vs Change Directory

Apparently there is a bit of confusion between the “Transfer” and the “Change Directory” buttons for a subscription ;

In essence ;

Transfer Subscription = Change the Owner AND Change the Directory

What does that mean?

  • If you want to transfer the billing of a subscription, you do a “Transfer“.
    (Do note: Transferring a subscription will also change the directory to the one linked to the new owner. If this is a different one, then you’ll be linked to a new AAD Tenant.)
  • If you do not want to transfer the billing, and just change the directory, you do a “Change directory“.
    (Do note: Changing a directory will not remove the account owner. And (s)he’ll still have owner rights on it! Also be aware that all rights set linked to the previous tenant will disappear. So you’ll have to reinstate IAM. For which you can easily leverage management groups...)

Continue reading “Azure Subscription Management – Beyond the 101… aka The Advanced Topics”

What Azure Virtual Machine size should I pick?!?

Introduction

Remember the last time you went shopping for a shirt? Then you surely also recall the moment in time when you were looking to find the right shirt size for yourself…

You probably also noticed that sizes might differ a bit depending on the context. A ¬†woman’s size vs & men’s size is totally different. There are geographical differences… and some people just like to wear cloths that have more “free space”.

So is today’s post about buying cloths? Hell no… ūüėČ But it’s to point out that there are analogies between finding the right shirt for you, and finding the right Azure Virtual Machine. Today we’ll delve into the aspects that will guide you a given T-shirt size in Azure ; for instance, why choose an FS1 above an A1_V2, where they both have 1 core & 2GB of memory. Though there is a price difference of 10‚ā¨ per month on them.

Continue reading “What Azure Virtual Machine size should I pick?!?”

Azure : Pushing Azure Resource Manager Templates through a CI/CD (release) pipeline with Visual Studio Team Services

Introduction

From template code to deployment… If we really want to control this, then we’ll be pushing these templates through a CI/CD (continuous integration / continuous deployment) pipeline. What does that mean? We are going to put our template in a source code repository (like Github). Everytime we update the code, we’ll going to kick in a “build”. During this build we’ll be packaging it (read : create a zip file of it) and it is also strongly advised to do testing here too. Next up, if all goes well, we’ll be using that package to deploy to all our environments. And in the end, we want to be able to have a nice view on this too…

Why do it like this? Quality! We all make mistakes. We want to detect them early and not repeat them. And every change, we want to put it through the exact same process… time and time again!

 

Prerequisites

Starting off, I’m assuming you already have VSTS (Visual Studio Team Services) in place. If not, register for it! It’s free up till 5 users. And let’s be honest, at about 5‚ā¨ per user / month & 8‚ā¨ per build agent per month, … it’s still a steal! ūüėČ

Continue reading “Azure : Pushing Azure Resource Manager Templates through a CI/CD (release) pipeline with Visual Studio Team Services”

Azure : Deploying a domain controller via DSC pull

Introduction

Today’s blog post will showcase how you can leverage the DSC pull feature of Azure Automation when deploying workloads to Azure. To many, the following question will pop up ; “Why use a pull mechanism, whilst I could use the DSC extension to push my configs?”.¬†The answer is pretty simple ¬†The pull mechanism facilitates the lifecycle flow of workloads better. You can easily update the config of the virtual machine and do follow-up on the rollout of your configuration.

 

The Flow

Now how would such a flow go?

  1. We’ll use an ARM template to deploy (and afterwards keep) our Azure Automation Account (up-to-date)
  2. We’ll use a script to import the Powershell modules into our Azure Automation Account, which are needed to compile configurations.
  3. We’ll use a script to import & compile the DSC configurations into ou Azure Automation Account.
  4. We’ll use an ARM template to deploy the domain controller.
  5. This ARM template will also register the VM with the Azure Automation Account and link it with a given DSC configuration.
  6. The configuration will be applied and the updates will be reported back to the Azure Automation Account.

 

Deep-dive Demo

(EDIT 30/7/17  : Added network pre-req)

Continue reading “Azure : Deploying a domain controller via DSC pull”

Azure Governance – Policy Automation

Introduction

In my last post I talked about the possibility to manage “Azure Resource Manager Policies” via the¬†portal. Where the policy is a good location to view the policies, this is not the area you want to be managing your policies! In today’s post, we’ll look how we can automate these things. This to ensure that all policies are effective towards their scope and remain that way. Once your subscriptions grows, you can have way too many resources & resource groups at your hands. Setting up things manually is not the way to go…

Season 5 GIF - Find & Share on GIPHY

 

Microsoft Azure Enterprise Scaffold

How to do governance in Azure is a very common questions. So if you have found yourself asking questions in regards to that topic, do not feel strange! One of the prime resources I can recommend in this area is the “Microsoft Azure Enterprise Scaffold” ;

The scaffold is based on practices we have gathered from many engagements with clients of various sizes. Those clients range from small organizations developing solutions in the cloud to Fortune 500 enterprises and independent software vendors who are migrating and developing solutions in the cloud. The enterprise scaffold is “purpose-built” to be flexible to support both traditional IT workloads and agile workloads; such as, developers creating software-as-a-service (SaaS) applications based on Azure capabilities.

Continue reading “Azure Governance – Policy Automation”

Azure Governance – Policies in public preview on the portal

Introduction

Ever wondered if you can put policies on the deployment of resources in Azure? ¬†Yes you can via “Resource Policies“.

This used to be only possible via JSON deployments like the following ;

{
  "properties": {
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "displayName": "Allowed locations",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

The good news is that the preview portal shows a public preview shows that this feature will be available via the portal!

Continue reading “Azure Governance – Policies in public preview on the portal”

An alternative way to landscaping in Azure… Terraform!

Introduction

In the past I’ve noticed a lot of people are afraid of “Azure Resource Manager Templates“. I can imagine that a bulk of JSON code isn’t always that user friendly… So today we’ll take a look at another IaC (Infrastructure-as-Code) approach you might like. We’re going to do a small demo where we’ll be using¬†“Terraform” to deploy a network on Azure. So how to get started?

  • We’ll be creating a kind of service user in Azure which Terraform will use to log in.
  • We’ll be authoring a small configuration file that will serve as the input for our network
  • We’ll be applying that configuration file.

2017-03-01-11_48_07-select-windows-powershell

Seem simple enough? Let’s get started!

Continue reading “An alternative way to landscaping in Azure… Terraform!”

Azure : Auto Shutdown of Servers

Did you know that the “Dev/Test Labs” service in Azure had a neat feature where you could schedule the shutdown of servers? No, or yes… Now this features has been integrated in all virtual machines. Nice!

So just go to the details blade of a virtual machine and click on the “Auto-Shutdown”-tile. Here you can enable / schedule a shutdown.

2016-12-05-19_22_16-auto-shutdown-microsoft-azure

Via this method, you configure it per VM. You can always use Azure automation / runbooks and do it per resource groups.

Why do this? In Azure you are billed per minute for your compute runtime. So shutting down (and deallocating) will safe you a great bunch!

Domain Join : ARM Extension versus Azure Automation DSC

Introduction

So you’ve already deployed Windows based systems in Azure. Very good! You’ve probably joined those systems into a domain, as you’ve always done this by going through the GUI. Did you know you can join a machine without logging into the machine? No? Then today’s post will be very interesting for you!

If you knew this was possible, then I’ll show you that there are various methods of doing so. And that each approach will have clear advantages and even disadvantages. So let’s get ready to domainjoin those systems!

 

Continue reading “Domain Join : ARM Extension versus Azure Automation DSC”

Azure : Enumeration and reconnaissance activities for Security Officers

Introduction

A while back I saw a very interesting session on penetration testing on Azure at the Hope conference by Apostolos Mastoris.

A Penetration Tester’s Guide to the Azure Cloud
(45 mins) Apostolos Mastoris — The wide adoption and the benefits of cloud computing has led many users and enterprises to move their applications and infrastructure towards the Cloud. However, the nature of the Cloud introduces new security challenges, therefore organizations are required to ensure that such hosted deployments do not expose them to additional risk. Auditing cloud services has become an essential task and, in order to carry out such assessments, familiarization with certain components of the target environments is required. This talk will provide insight into the Microsoft Azure Cloud service and present practical advice on performing security assessments on Azure-hosted deployments. More specifically, it will demystify the main components of a cloud service and dive further into Azure-specific features. The main security controls and configurations associated with each of the mainstream Azure components will also be explored. Areas that will be covered include role-based security, secure networking features, perimeter security, encryption capability, auditing, and monitoring of activities within the Azure Cloud environment. Additionally, the talk will include the demonstration of a new tool that uses the Azure PowerShell cmdlets to collect verbose information about the main components within a deployment. The tool also provides functionality to visualize the components within a network infrastructure using an interactive representation of the topology and the associations between the deployment’s components.

And yesterday I saw that Azurite (the tool) was released! So let’s take a look at how this looks when running this against one of my lab¬†environments.

 

Prerequisites

Before engaging, be sure to have the following requisites on your system ;

 

Let’s get into¬†the action!

The summary of command’s we’ll be handling ;

# PS> Import-Module AzureRM
# PS> Import-Module ./AzuriteExplorer.ps1
# PS> Review-AzureRmSubscription
# CMD> C:\python27\python.exe AzuriteVisualizer.py azure-subscription__.json

Basically, ensure that the resource manager module is loaded and import the custom Azurite module. Afterwards startup the cmdlet “Review-AzureRmSubscription”; where you’ll enter your credential and select the targeted subscription.

Once done, use python toe parse the extracted json file. That’ll generate an “AzuriteVisualizer.html”-document. Open the latter with Firefox to see a nice visualization!

 

The screenshots of the action

Starting “Azurite Explorer”

2016-08-18 09_28_59-

Parsing the json file to generate the html

2016-08-18 09_29_27-Windows PowerShell

Taking a look at the output in Firefox

2016-08-18 09_29_45-Azurite Visualizer - Azure Subscription Topology Overview