OpenVPN is an open-source VPN protocol that is trusted by many cloud service providers to provide site-to-site, point-to-site, and point-to-point connectivity to cloud resources. Now Azure AD authentication also works with OpenVPN protocol. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to configure OpenVPN for Azure point-to-site VPN and then how to integrate Azure AD authentication with it. 

Prerequisites

1. To configure OpenVPN, first, we need to have a working point-to-site setup. The native Azure point-to-site VPN setup uses Azure certificate authentication. I wrote an article about it before and it can be accessed using http://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/

So, before we start, please go ahead and configure the VPN gateway with certificate authentication.  

2. Also, I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Configure OpenVPN for Azure P2S VPN

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)

2. Then I ran Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG to review my VPN gateway configuration. Here REBELVPNRG is the resource group it belongs to. 

3. Then let's go ahead and change the VPN client protocol to OpenVPN using,

$vpngw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -name REBEL-VPN-GW

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpngw -VpnClientProtocol OpenVPN

In the above, REBEL-VPN-GW is the VPN gateway name.

If we need to access an Azure VM using RDP or SSH, most commonly we use public IP method. In this way, the virtual machine will have a public IP address (static or dynamic) assigned to it. Also, RDP or SSH service ports will open to the public via NSG. This is easy but not a very secure method. 

If we have VPN or Express Route connectivity to Azure, we can connect to virtual machines using private IP addresses. It is secure than the public IP address method. However, it required additional configuration in-network level. 

Azure Bastion is a solution that we can use to access Azure VM securely without the use of public IP addresses or VPN connectivity. This is similar to using a jump-server to connect to resources in the remote network but instead of the traditional RDP method, it is using browser-based secure HTTP connectivity. Let's go ahead and explore a bit more about the Azure bastion solution. 

1. This service is now generally available (From 4th of Nov 2019). However, it is still only available for six Azure regions which are Australia East, East US, Japan East, South Central US, West Europe, and West US.

2. Azure bastion service deployment is per virtual network. 

3. Users can connect to Azure bastion service via the Azure portal. It is a browser-based connectivity. From the user end, only TCP port 443 needs to be open. 

4. Machines in the virtual network don't need to have public IP addresses assigned. Bastion service can connect to virtual machines using private IP addresses. 

5. Azure bastion is a fully managed PaaS service. We do not need to worry about the hardening or protection of it. 

In this post, I am going to demonstrate how we can enable Azure bastion service. 

Create Virtual Machines

Before we go into the Azure bastion service setup, I am going to create one windows 2019 virtual machine and one ubuntu Linux virtual machine. These machines will not have any public IP address assign. After that, I will demonstrate how we can access those securely using Azure bastion service. 

To begin,

1. Log in to Azure portal (https://portal.azure.com) as Global Administrator 

2. Go to Virtual Machines | + Add 

3. Create Windows Server 2019 Server with following settings,

Resource Group Name (new) : REBELBASTION

Virtual Machine Name : REBELWIN01

Region : East US

Image : Windows Server 2019 DataCenter

Size : Standard D2s v3

Public inbounds ports: None

Virtual network : REBELBASTION-vnet

Subnet : 10.0.3.0/24

Public IP : None

There are many different reasons to move Azure VMs from one region to another. 

• Operation Requirements – As an example, if organization open a branch in different region and want to move some operations to them, it is best to move infrastructure resource to the same geographical location as it will improve the reliability and availability of the services.

• Compliance requirements – Sometimes rules and regulations force businesses to keep the data/operations in the same country or continent.

• Azure feature requirements – Sometimes new Azure services & features are the first rollout to certain regions. If your current region has such limitations and still wants to use those features/services, you will need to move the resource to a supported region. 

In this post, I am going to demonstrate how to move Azure VM from one region to another using Azure site recovery. 

Prerequisites

Before start lets make sure we have the following in place, 

• Valid Subscription – Subscription should support to create resources in the target region. It also should have enough credit.

• Account Permission – We need to make sure we have enough permissions to create virtual machines, storage accounts, virtual networks in Azure. 

• Network layout – Make sure to check the source network setup including all the components such as NSG, public IP, load balancer. The failover process will create a virtual network automatically to match the source network. But we have to create all other resources manually after the migration.  

• Compatible regions – Make sure the source and target regions are part of compatible list https://docs.microsoft.com/en-gb/azure/site-recovery/azure-to-azure-support-matrix#region-support

In this demo, I am going to create windows server 2019 VM in East US region and then move it West US region using Azure site recovery.

Create Source VM

1. Launch PowerShell console and connect to Azure using Connect-AzAccount 

2. Create a new resource group using, 

New-AzResourceGroup -Name REBELRG -Location "East US"

In the above, REBELRG is the resource group name and East US is the resource group location.

3. Then create a new VM using,

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG -Name "REBELVM01" -Location "East US" -VirtualNetworkName "REBELVNET1" -SubnetName "REBELVMSubnet1" -PublicIpAddressName "REBELVM01IP1" -OpenPorts 80,3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, REBELVM01 is the VM name. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size.

Operating system updates include feature updates, bug fixes, and security improvements. It is important to update operating systems periodically. This is applying to desktop computers as well as servers. If it is windows operating systems, there are many tools out there that can use to manage the update process. But when it comes to Linux, we struggle as not many tools support Linux system updates. Luckily in Azure, we can manage updates for Linux VMs without any 3rd party tool.  

In this post, I am going to demonstrate how to enable patch management for Linux VM and how we can automate the patch deployment task. 

In my demo environment, I do not have any Linux machine. Let's go ahead and create one. 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG -Location "East US"

In the above, REBELRG is the resource group name and East US is the resource group location.

3. Then we need to create a new Linux VM. In this demo, I am going to create one with Ubuntu operating system.

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG -Name "REBELVM01" -Location "East US" -VirtualNetworkName "REBELVNET1" -SubnetName "REBELVMSubnet1" -PublicIpAddressName "REBELVM01IP1" -OpenPorts 22 -Image UbuntuLTS -Size Standard_D2s_v3 -Credential $mylogin

In the above, REBELVM01 is the VM name. It is running UbuntuLTS edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. This also has SSH connection enabled.

So far in Azure Active Directory, if we need to add members to a group, we have to go through a few steps. 

To remove members from a group, we have to select members manually and then remove it. 

This process is still okay for small scale changes. But if it is large scale change, it will take time. Also, engineers can make mistakes by selecting the wrong users. Microsoft now allows us to add and remove users based on CSV files. This is still in the preview stage but it is not too early to test. In this demo, I am going to demonstrate how we can add/remove Azure AD group members using CSV files. 

Add Members 

To add members to Azure AD group using the new CSV method, 

1. Log in to Azure Portal (https://portal.azure.com) as Global Administrator or Group Owner.

2. Go to Azure Active Directory | Groups  

3. In this demo, I am going to add users to "Leadership" group. So, I went ahead and click on it. 

In my last few blog posts, I have explained how we can encrypt Azure VMs (Windows & Linux) using BitLocker & dm-crypt. You can access these articles using the following links, 

Step-by-Step Guide to Encrypt Azure Windows VM using BitLocker (PowerShell Guide) – http://www.rebeladmin.com/2019/09/step-step-guide-encrypt-azure-windows-vm-using-bitlocker-powershell-guide/http://www.rebeladmin.com/2019/09/step-step-guide-encrypt-azure-windows-vm-using-bitlocker-powershell-guide/

Step-by-Step Guide to Encrypt Azure Linux VM (PowerShell Guide) – http://www.rebeladmin.com/2019/09/step-step-guide-encrypt-azure-linux-vm-powershell-guide/

When we encrypt complete disks, it not only encrypting the files in there. It also encrypts file system information which uses by the operating system. The operating system itself doesn't have an issue accessing content as it is aware of the key information. But any other system can't access this content without the encryption key information. This is the same when it comes to backup and restore. In this demo, I am going to demonstrate how we can backup and restore an encrypted Azure VM using Azure Backup. 

As with any other backup solution, Azure backup also has a certain limitation when it comes to encrypted data backup/restore. 

1. Encrypted VM backup/restore only supported within the same region & same subscription. 

2. Azure backup only supports the VM which is encrypted using standalone keys. 

3. When it comes to data restore, Encrypted VM required full restore. It can't recover data in files or folders level. 

4. When restoring VM, Azure backup can't use replace existing VM option for encrypted VMs. 

In my demo environment, I already have an encrypted windows VM called REBELVM01. I am going to back up it and restore using Azure Backup. 

Create a Recovery Services backup vault

Before we go ahead with backup, first we need a recovery service backup vault. It can be created using,

New-AzRecoveryServicesVault -ResourceGroupName "REBELRG1" -Name "REBELRecoveryServicesVault" -Location "East US"

In the above, I am creating a recovery service vault called "REBELRecoveryServicesVault" in the same resource group as my encrypted VM. 

Disk encryption is a basic data protection method for physical & virtual hard disks. In one of my previous posts, I explained how we can encrypt Azure Windows VM using Azure Key Vault & BitLocker. This post can access via http://www.rebeladmin.com/2019/09/step-step-guide-encrypt-azure-windows-vm-using-bitlocker-powershell-guide/ . Similarly, we also can encrypt Azure Linux VM by using Azure Key Vault & dm-crypt. In this post, I am going to demonstrate how we can encrypt Azure Linux VM. 

Things to Consider

Before we move forward, make sure your Azure VM configurations comply with following, 

• Azure disk encryption for Linux VM is only going to work if you are running Azure-endorsed Linux distribution such as,

 Ubuntu 14.04.5, 16.04, 18.04

 RHEL 6.7, 6.8, 7.2, 7.3, 7.4, 7.5, 7.6

 CentOS 6.8, 7.2n, 7.3, 7.4, 7.5, 7.6

 openSUSE 42.3

 SLES 12-SP3, 12-SP4

• If you encrypting OS & Data volume in Linux VM and its root (/) file system usage is 4GB or less you need a minimum of 8GB Ram. Also, if root (/) file system usage is more than 4GB, it needs 2 * (/root file system usage). This is only required during the initial encryption process. 

• Azure Linux VM must have dm-crypt & vfat modules running. 

• Data disks of Linux VM (which required encryption) must be listed under /etc/fstab correctly. 

In this demo, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Setup Resource Group

The first step of the configuration is to create a new resource group. 

To do that, 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using, 

New-AzResourceGroup -Name REBELRG1 -Location "East US"

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Data encryption is one of the basic requirements when it comes to data protection. Using Windows BitLocker, we can easily encrypt virtual and physical disks. We normally use group policies and system center configuration manager (SCCM) to centrally manage/configure BitLocker. 

We also can use Microsoft Intune to manage BitLocker on Azure AD joined Windows 10 devices. This is done by using Microsoft Intune Device configuration Profiles. I previously wrote an article about configuration profiles and explained how we can use it to standardize device configurations on Azure AD join devices. I highly recommend you to go through it before we continue further with this blog post as it explains the basics about configuration profiles. This aforementioned blog post can access using http://www.rebeladmin.com/2019/09/step-step-guide-standardize-desktop-devices-using-microsoft-intune-device-configuration-profiles/

In this demo, I am going to demonstrate how to manage BitLocker using Microsoft Intune. Before we start, we need to have devices enrolled with Intune. You can find more info about device enrollment using my previous blog posts http://www.rebeladmin.com/2018/11/step-step-guide-enroll-windows-10-devices-microsoft-intune-using-autopilot/

In my demo environment, I have Azure AD joined & Intune enrolled windows 10 device called W2007.

Let's go ahead and setup the relevant device configuration profile. 

To do that, 

1. Log in to Azure Portal (https://portal.azure.com) as Global Administrator and go to All services | Intune or else log in to Intune device management portal directly via https://devicemanagement.microsoft.com  

2. Then click on Device configuration | Profiles

3. In the profiles page, click on + Create profile

Disk encryption is a basic data protection method for physical & virtual hard disks. It falls under physical data security and it prevents data breaches from stolen hard disks (physical & virtual). If it is a Windows machine, we can simply use BitLocker for disk encryption. Also, there are other third-party vendors such as Thales e-Security which provides disk encryption solutions for organizations. 

Similar to on-premises Windows servers and computers, we can use BitLocker to encrypt Windows VM running on Azure. For Linux VMs, we can use DM-Crypt to encrypt virtual disks. More details about BitLocker is available on https://docs.microsoft.com/en-gb/windows/security/information-protection/bitlocker/bitlocker-overview. Azure VM encryption uses the Azure Key Vault to store encryption keys and secrets. 

In this demo, I am going to demonstrate how to encrypt Azure VM using BitLocker. For the configuration process, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0 

Setup Resource Group

The first step of the configuration is to create a new resource group. 

To do that, 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using, 

New-AzResourceGroup -Name REBELRG1 -Location "East US"

 In the above, REBELRG1 is the resource group name and East US is the resource group location. 

Configure Azure Key Vault

Next, we need to create a new key vault and encryption key. 

1. As the first step, let's go ahead and enable Azure Key Vault provider within the subscription by using, 

Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"

2. Then, we go ahead with Azure Vault setup,

New-AzKeyVault -Location "East US" -ResourceGroupName REBELRG1 -VaultName REBELVMKV1 -EnabledForDiskEncryption

In the above, REBELVMKV1 is the key vault name and it is created under REBELRG1 resource group which we created in the previous step. -EnabledForDiskEncryption is used to prepare the key vault to use with disk encryption. 

If we need to set up a connection between two independent networks (not between VLANs), we have to use a virtual private network (VPN) connections. In Azure, we use VNets to create private networks. If we need to communicate between two VNets, we have to use one of the following methods,

• VNet-to-VNet Connection – The communication happens between two VPN gateways. This is easy to set up, compare to the site-to-site VPN method.

• Site-to-Site VPN – This is similar to creating VPN connection to the on-premises network. It also uses VPN gateway, but it gives more control over the local network gateway. 

• VNet Peering – This method doesn't use VPN gateways and it routes the traffic via Microsoft backend infrastructure. More information about VNet peering is available on https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

In this demo, I am going to demonstrate how to create a VNet-to-VNet connection. These types of connections can establish between,

• Virtual Networks in the same region

• Virtual Networks in different regions

• Virtual Networks in different subscriptions

In this demo, I am going to create a VNet-to-VNet VPN connection between two virtual networks in two different regions. 

According to the above diagram, EUSVnet1 virtual network will be running on East US Azure region and UKSVnet1 virtual network will be running on UK South Azure region. Let's see how we can establish a VPN gateway connection between these two networks. Before start, please make sure you have the following in place. 

• Valid Azure Subscription – You can also use free azure subscription for testing purpose. https://azure.microsoft.com/en-gb/free/ 

• Azure PowerShell Module – In this demo I am going to use PowerShell. Please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Create Resource Groups

The first step of the configuration is to create new resource groups in different regions. 

To do that, 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create EUSRG1 under East US Azure region by using,

New-AzResourceGroup -Name EUSRG1 -Location "East US" 

In the above command, -Name parameter specifies the resource group name and -Location parameter specify the Azure region. 

3. Next step is to create UKSRG1 resource group in UK South Azure region by using,

New-AzResourceGroup -Name UKSRG1 -Location "UK South"