OpenVPN is an open-source VPN protocol that is trusted by many cloud service providers to provide site-to-site, point-to-site, and point-to-point connectivity to cloud resources. Now Azure AD authentication also works with OpenVPN protocol. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to configure OpenVPN for Azure point-to-site VPN and then how to integrate Azure AD authentication with it. 

Prerequisites

1. To configure OpenVPN, first, we need to have a working point-to-site setup. The native Azure point-to-site VPN setup uses Azure certificate authentication. I wrote an article about it before and it can be accessed using http://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/

So, before we start, please go ahead and configure the VPN gateway with certificate authentication.  

2. Also, I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Configure OpenVPN for Azure P2S VPN

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)

2. Then I ran Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG to review my VPN gateway configuration. Here REBELVPNRG is the resource group it belongs to. 

3. Then let's go ahead and change the VPN client protocol to OpenVPN using,

$vpngw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -name REBEL-VPN-GW

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpngw -VpnClientProtocol OpenVPN

In the above, REBEL-VPN-GW is the VPN gateway name.

If we need to access an Azure VM using RDP or SSH, most commonly we use public IP method. In this way, the virtual machine will have a public IP address (static or dynamic) assigned to it. Also, RDP or SSH service ports will open to the public via NSG. This is easy but not a very secure method. 

If we have VPN or Express Route connectivity to Azure, we can connect to virtual machines using private IP addresses. It is secure than the public IP address method. However, it required additional configuration in-network level. 

Azure Bastion is a solution that we can use to access Azure VM securely without the use of public IP addresses or VPN connectivity. This is similar to using a jump-server to connect to resources in the remote network but instead of the traditional RDP method, it is using browser-based secure HTTP connectivity. Let's go ahead and explore a bit more about the Azure bastion solution. 

1. This service is now generally available (From 4th of Nov 2019). However, it is still only available for six Azure regions which are Australia East, East US, Japan East, South Central US, West Europe, and West US.

2. Azure bastion service deployment is per virtual network. 

3. Users can connect to Azure bastion service via the Azure portal. It is a browser-based connectivity. From the user end, only TCP port 443 needs to be open. 

4. Machines in the virtual network don't need to have public IP addresses assigned. Bastion service can connect to virtual machines using private IP addresses. 

5. Azure bastion is a fully managed PaaS service. We do not need to worry about the hardening or protection of it. 

In this post, I am going to demonstrate how we can enable Azure bastion service. 

Create Virtual Machines

Before we go into the Azure bastion service setup, I am going to create one windows 2019 virtual machine and one ubuntu Linux virtual machine. These machines will not have any public IP address assign. After that, I will demonstrate how we can access those securely using Azure bastion service. 

To begin,

1. Log in to Azure portal (https://portal.azure.com) as Global Administrator 

2. Go to Virtual Machines | + Add 

3. Create Windows Server 2019 Server with following settings,

Resource Group Name (new) : REBELBASTION

Virtual Machine Name : REBELWIN01

Region : East US

Image : Windows Server 2019 DataCenter

Size : Standard D2s v3

Public inbounds ports: None

Virtual network : REBELBASTION-vnet

Subnet : 10.0.3.0/24

Public IP : None

If we need to set up a connection between two independent networks (not between VLANs), we have to use a virtual private network (VPN) connections. In Azure, we use VNets to create private networks. If we need to communicate between two VNets, we have to use one of the following methods,

• VNet-to-VNet Connection – The communication happens between two VPN gateways. This is easy to set up, compare to the site-to-site VPN method.

• Site-to-Site VPN – This is similar to creating VPN connection to the on-premises network. It also uses VPN gateway, but it gives more control over the local network gateway. 

• VNet Peering – This method doesn't use VPN gateways and it routes the traffic via Microsoft backend infrastructure. More information about VNet peering is available on https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

In this demo, I am going to demonstrate how to create a VNet-to-VNet connection. These types of connections can establish between,

• Virtual Networks in the same region

• Virtual Networks in different regions

• Virtual Networks in different subscriptions

In this demo, I am going to create a VNet-to-VNet VPN connection between two virtual networks in two different regions. 

According to the above diagram, EUSVnet1 virtual network will be running on East US Azure region and UKSVnet1 virtual network will be running on UK South Azure region. Let's see how we can establish a VPN gateway connection between these two networks. Before start, please make sure you have the following in place. 

• Valid Azure Subscription – You can also use free azure subscription for testing purpose. https://azure.microsoft.com/en-gb/free/ 

• Azure PowerShell Module – In this demo I am going to use PowerShell. Please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Create Resource Groups

The first step of the configuration is to create new resource groups in different regions. 

To do that, 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create EUSRG1 under East US Azure region by using,

New-AzResourceGroup -Name EUSRG1 -Location "East US" 

In the above command, -Name parameter specifies the resource group name and -Location parameter specify the Azure region. 

3. Next step is to create UKSRG1 resource group in UK South Azure region by using,

New-AzResourceGroup -Name UKSRG1 -Location "UK South"

Azure point-to-site VPN means VPN tunnel between end-point & Azure without using corporate firewall. I have already written a complete guide on how to create point-to-site VPN with Azure. You can access it using http://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/ 

The above method includes many different tasks which we need to perform in both azure and on-premise to get it going. With Windows Server 2019, Microsoft introduced Azure Network Adapter which can use to create point-to-site VPN in a straightforward way. In this demo, I am going to demonstrate how we can create a point-to-site VPN using Azure Network Adapter. 

This feature currently available via new Windows Admin Center. So, before you start you need to get it running in your environment. In my demo setup, I have a domain joined server which running latest Windows Admin Center (build 1809). 

1. Log in to the Server as Administrator

2. Launch Windows Admin Center 

3. Click on the relevant server from the list

4. Click on Network

5. Then click on Actions | Add Azure Network Adapter

In one of my previous article, I explain how we can create site-to-site VPN connection between local network and azure virtual network. This VPN connection is initiated in your edge firewall or router level. But what if you connecting from remote location such as home? we can use point-to-site method to do that. In this method it will use certificates to do the authentication between end point and azure virtual network. 

So, let’s go ahead and see how we can do that, 

Create Resource Group 

In this exercise, I like to use separate resource group for virtual network and other components. 

1. Log in to Azure portal as global administrator

2. Launch Cloud Shell

3. Then run New-AzureRmResourceGroup -Name REBELVPNRG -Location "East US". In here REBELVPNRG is RG group name and East US is the location.

Create Virtual Network

Now we need to create new virtual network. We can create virtual network using,

New-AzureRmVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET -AddressPrefix 192.168.0.0/16 -Location "East US"

In above, REBEL-VNET is the virtual network name. it uses 192.168.0.0/16 IP address range.

When it comes to network security, we use firewalls for perimeter defense. It helps to define security boundaries for infrastructure. There are many conversations about validity of perimeter defense against modern security threats as its more about identities now. However, firewall is still the most commonly used tool to control in & out communications in a network. 

In Azure so far, we were using Azure Network Security Groups or host firewall to filter network traffic. But now Azure Firewall allow to filter traffic pass through Azure Virtual Networks. It works as fully stateful firewall. It is still in preview mode but it is not too early to test its capabilities. 

Features 

• Built-in High Availability – Firewall manages ingress and egress traffic of the network. So high-availability of edge firewall of your network is really important. Azure firewall is a cloud-based service and comes with built-in high availability. Users do not have to pay or do additional configurations for HA. 

• Domain Based Filtering – Traditional Firewall rules are based on IP addresses. We have to define the networks to allow or deny access. Azure firewall can block or allow access based on FQDN. It is also supported to use wild cards.

• Work as fully stateful firewall – Azure firewall allow to create inbound & outbound rules using networks, FQDN, protocols & ports. So, it can monitor nature of active connections and allow or deny relevant packets through firewall. 

• Outbound Source Network Address Translation (SNAT) – All outgoing traffic from virtual networks are translated in to Azure Firewall Public IP Address. It allows to identify and control traffic leaving from your network to other destinations. 

• Azure Monitor Integrations – All Firewall events are logged in to Azure monitor. If required we can send it to log analytics for further analysis. 

• No need to worry about upgrades – If it is hardware firewall, it has its own capacity limitation. It can be based on port utilization, ram or packet processing power. Since azure firewall is cloud-based service, none of those limitations applies to it. it can scale up whenever it needed. 

Licenses

Current license model for this service is based on size of traffic (of ingress & egress) travel through virtual network. 

Known Issues

As it is still on preview mode, it doesn’t come with any SLA. Therefore, do not use it in your production environment. Also, it has some know issues. You can read about those using https://docs.microsoft.com/en-gb/azure/firewall/overview . 

Demo

In this demo I am going to setup azure firewall and test it using few rules. 

In my previous post I have explained what is Azure Accelerated networking and how it works. If you didn’t read it yet, you can do it using http://www.rebeladmin.com/2018/01/azure-accelerated-networking/ . In this post I am going to show how we can create VM with AN and verify its actions. 

There are few limitations we need to aware before we use Azure Accelerated networking. 

1. Can’t use with existing VMs – In order to use AN feature, Virtual machines must be created with Accelerated Networking enabled. This feature cannot enable in existing VMs. 

2. A NIC with AN cannot attached to an existing VM –  A NIC with AN enabled only can attached during the VM creation process. It is not possible to attach it to existing VM. 

3. Azure Resource Manager only – This feature only can use with AR. It can’t use in classic portal. 

In my demo I am going to create new VM in new resource group with Azure Accelerated networking enable. Please note this feature can only enable using Azure CLI and Azure PowerShell.

Here I am going to use Azure CLI. More info about Azure CLI can be found in my blog post http://www.rebeladmin.com/2017/08/step-step-guide-start-azure-cli-2-0/ 

1. As first step I am going to create new resource group called ANTest in westus region. 

az group create --name ANTest --location westus

2. Then we need to create virtual network. In demo I am creating virtual network called ANTestVNet with address space 10.10.0.0/16

az network vnet create --name ANTestVNet --resource-group ANTest --location westus --address-prefix 10.10.0.0/16

3. Next step is to create a subnet under selected address space. In my demo I am creating 10.10.20.0/24 subnet with name ANTestsub1

az network vnet subnet create --address-prefix 10.10.20.0/24 --name ANTestsub1 --resource-group ANTest --vnet-name ANTestVNet

4. I like to access this vm from internet so I need a public ip attached to it. 

az network public-ip create --name ANTestpubip1 --resource-group ANTest --location westus --allocation-method dynamic

in above I am using dynamically assigned ip rather than static public ip.

5. Now we have everything ready to create NIC. This is the most important part of the job. So the command I am using for it is,

az network nic create --resource-group ANTest --name ANTestNic1 --vnet-name ANTestVNet --subnet ANTestsub1 --accelerated-networking true --public-ip-address ANTestpubip1

in above ANTestNic1 is the NIC name. –accelerated-networking true is the command to enable AN feature. 

6. Next step is to create VM with this new NIC attached. Please note there are only some OS and VM templates support this AN feature. So, make sure you select the correct size. if you use unsupported template, you can’t change enable AN by just changing the template. In my demo I am creating windows server 2016 server with Standard_DS4_v2 vm template.

az vm create --resource-group ANTest --location westus --nics ANTestNic1 --name REBELVM101 --image win2016datacenter --size Standard_DS4_v2 --admin-username rebeladmin --admin-password L0nd0n3322$

once it is completed we can log in to VM and verify. Once this feature enabled you will be able to see Mellanox ConnectX-3 Virtual Function Ethernet Adapter in device manager.

Let’s see how it affecting performance. I do have 2 VM created using old method and I am transferring a folder with 10Gb data between them. So, let’s see how the performance looks like. 

And when I do transfer same file between 2 VM with AN enabled I get following performance. 

It’s pretty amazing ha??? 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

DDoS attacks are the most commonly using method by attackers against resources which can access via internet. It can be website or application. DDoS attack can crash or slowdown service or application by sending large amount of access requests in short period of time. This applies to public cloud as well. There for Microsoft recently released Azure DDoS protection service to protect workloads in azure from DDoS attacks. This is currently in preview but it is not too early to check its capabilities. 

This feature comes as two versions,

Basic – This comes as part of the Azure subscription without any additional cost. This is same level of real time monitoring and mitigation applies to Microsoft services. This is applying to Azure global network across all region. This applies to Azure IPv4 and IPv6 public ip addresses. 

Standard – This comes with additional traffic monitoring and machine leaning algorithms tunes specifically to protect Azure virtual networks resources such as azure application gateway, azure load balancer. Real time monitoring data is available via Azure Monitor. Users also can enable alerting for the events. Standard protection is coming with additional fee. This applies to Azure IPv4 public ip addresses.

According to Microsoft, under standard subscription following type of DDoS attacks will be prevented. 

Volumetric attacks: The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. It includes UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, leveraging Azure’s global network scale, automatically.

Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes, SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection Standard mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client and blocking malicious traffic.

Application layer attacks: These attacks target web application packets to disrupt the transmission of data between hosts. It includes HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use the Azure Application Gateway web application firewall, with DDoS Protection Standard, to provide defense against these attacks.

Also, Standard version features include,

Native platform integration: Natively integrated into Azure and includes configuration through the Azure portal and PowerShell. DDoS Protection Standard understands your resources and resource configuration.

Always-on traffic monitoring: Your application traffic patterns are monitored 24 hour a day, 7 days a week, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.

Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.

Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.

Layer 3 to layer 7 protection: Provides full stack DDoS protection, when used with an application gateway.

Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.

Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.

Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Operations Management Suite, Splunk, Azure Storage, Email, and the Azure portal.

Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.

Let’s see how we can get this feature enable and configure. 

In order to enable Azure DDoS Protection Preview service, first you need to request it using http://aka.ms/ddosprotection . This feature also only available for East US, East US 2, West US, West Central US, North Europe, West Europe, Japan West, Japan East, East Asia, and Southeast Asia regions.

Enable DDoS Protection Standard Preview in Existing Virtual Network 

 

1. Once you receive the confirmation email from Azure team, log in to Azure portal https://portal.azure.com as global administrator.

2. Then go to Virtual Networks and click on the Virtual Network that you like to enable DDoS protection. 

 

 

3. Then in properties window click on DDoS protection option. 

 

 

4. In next window, click on Enabled and then click on Save to enable the feature. 

 

Enable DDoS Protection Standard Preview in New Virtual Network

 

1. Once you receive the confirmation email from Azure team, log in to Azure portal https://portal.azure.com as global administrator.

2. Then go to Virtual Networks and click on Add

 

 

3. In new page, provide relevant info for virtual network, select a region which support by DDoS feature and then click on Enabled under DDoS protection.

 

 

4. At the end click on Create to complete the process. 

 

DDoS Monitoring 

 

Using Monitoring metrics, we can review historical DDoS threat related data for selected resources. Also, we can configure email alerts for events. 

In order to do so,

 

1. Log in to Azure portal https://portal.azure.com as global administrator.

2. Then go to Metrics | Monitor

 

 

3. In the page select the relevant subscription, resource group, resource type and resource to view the relevant data. 

 

 

4. Then under the available metrics you can select the metrics you like to review. In my demo I am going to use Under DDoS attack or not metric which going to show all the data. 

 

 

5. Then it will show the relevant metrics. Using Time Range window, we can change the time and review specific data sets. 

 

 

6. Using Char Type option we can change the view of the chart. 

 

 

7. In order to configure alerts, click on No alerts configured for this resource. Click to add an alert option. 

 

 

8. Then it opens up window where you can customize metric type, condition, threshold and notification type. 

 

 

As you can see the setup, configuration and maintenance of Azure DDoS Protection is straightforward. This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.