People use safes, security boxes to protect their valuable things. In digital world “Data” is the most valuable thing. Passwords, Connection Strings, Secrets, Data encryption/decryption keys protects access to different data sets. Whoever have access to those will also have access to data behind it (of cause they need to know how to use those 😊). So how we can protect those valuable info? People use different methods. Some use third party software installed on PC to do it. If its large environment some use web application so multiple people have access to it. different vendors use different methods to protect these types of valuable data. Microsoft Azure Key vault is a service which we can use to protect Passwords, Connection Strings, Secrets, Data encryption/decryption keys uses by cloud applications and services. Keys stored in vaults is protected by hardware security modules (HSMs). It is also possible to import or generate keys using HSMs. Any keys process that way will be done according to FIPS 140-2 Level 2 guidelines. You can find about FIPS 140-2 Level 2 using https://www.microsoft.com/en-us/trustcenter/Compliance/FIPS

Benefits of using Key Vault

• Keys saved in vault will be served via URLs. Developers, engineers do not need worry about securing keys. Application or service do not see the keys as vault service process behalf of them.  

• Customers do not have to disclosure their keys to vendors or service providers. They can manage their own keys and allow to access those keys via urls in vendor or service provider applications. Vendor or service providers will not see the keys. 

• By design Microsoft can’t extract or see customer keys. So, its further protected in vendor level too. 

• HSMs are FIPS 140-2 Level 2 validated. So, any industry required to comply with these standards are protected by default. 

• Key usage details are logged. So, you know what’s happening with your keys.  

An Azure Administrator is allowed to do following using Azure Key Vault,

• Create or import a key or secret

• Revoke or delete a key or secret

• Authorize users or applications to access the key vault, which allow them to manage or use its own keys and secrets

• Configure key usage 

• Record key usage

More info about Azure Key vault can find under https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview 

Let’s go ahead and see how we can setup and use Azure Key Vault service. 

Create Azure Key Vault Instance  

 

1) Log in to Azure Portal as global admin.

2) Click on Cloud Shell icon in top right-hand corner. (You also can setup this using portal, Azure CLI or locally installed Azure PowerShell. In this demo I am using Azure PowerShell directly from portal)  

 

 

3) Then select PowerShell for the command type. 

4) Then type Get-AzureRmResourceGroup to list down resource groups. So, we can select the resource group to associate the new key vault. 

 

 

5) If you wish to create key vault under new resource group, you can do it using 

 

New-AzureRmResourceGroup -Name RGName -Location WestUS

 

In above command RGName specify the resource group name and WestUS define the region. You can find the available locations using Get-AzureRmLocation

 

6) Now it’s time to create the vault. We can create it using, 

 

New-AzureRmKeyVault -VaultName 'Rebel-KVault1' -ResourceGroupName 'therebeladmin' -Location 'North Central US'

 

In above VaultName defines the Key Vault name. ResourceGroupName defines the resource group it is associated with. Location defines the location of resource. 

 

 

7) We can view properties of existing key vault using,

 

Get-AzureRmKeyVault "Rebel-KVault1"

 

In above Rebel-KVault1 is the key vault name. 

 

 

Vault URI shows the URL which can use to access the key vault by applications and services. 

 

8) Next step is to create Access Policy for the key vault. Using access policy we can define who have control over key vault, what they can do inside key vault and also what a application or service can do with it. 

 

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Rebel-KVault1' -UserPrincipalName 'user1@rebeladmlive.onmicrosoft.com' -PermissionsToKeys create,delete,list -PermissionsToSecrets set,list,delete -PassThru

 

In above command, user1@rebeladmlive.onmicrosoft.com can create,delete,list keys in Rebel-KVault1. He also can set,list,delete secrets under same vault. 

 

 

We also can set permissions for application to retrieve secrets or keys. 

 

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Rebel-KVault1' -ServicePrincipalName 'http://crm.rebeladmin.com' -PermissionsToSecrets Get

 

In above, service running on http://crm.rebeladmin.com will have permissions to retrieve secrets from the vault. 

Azure Backup is capable of replacing typical on-premises backup solutions. It is cloud-based, secure, reliable solution. It has four components which can use to backup different types of data.

More details about azure backup and components limitations can be find on https://docs.microsoft.com/en-us/azure/backup/backup-introduction-to-azure-backup 

In this article we are going to look in to Azure VM backup (Azure IaaS VM Backup). 

How Azure VM Backup works? 

Azure VM backup doesn’t need any special agent installed in VM. It also does not need to have any additional components (backup server) install either to enable backup. When very first backup job is triggered, it installs backup extension inside the VM. If its Windows VM, it installs VMSnapshot extension and if its Linux VM, it installs VMSnapshotLinux extension. VM must be in running state in order to install extension. After extension in place, it takes point-in-time snapshot of the VM. If VM is not running during backup window, it takes snapshot of VM storage. If its windows VM, backup service uses Volume Shadow Copy Service (VSS) to get consistence snapshot of VM disk. If its Linux VM, users can create custom scripts to run before and after backup job to keep application consistency. Once snapshot is taken it will transfer to the backup vault. Service can identify the recent changes and only transfer the block of data which changed from last backup. Once the data transfer completes snapshot will removed and recovery point will be created. 

Image Source: https://docs.microsoft.com/en-us/azure/backup/media/backup-azure-vms-introduction/vmbackup-architecture.png 

Performance of backup depends on,

1) Storage account limitations 

2) Number of disks in VM

3) Backup Schedule – if all jobs running in same time it can create traffic jam

According to Microsoft following are recommended when you use Azure backup for Azure VMs. Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-introduction 

1) Do not schedule more than 40 VMs to backup same time.

2) Schedule VMs backup when minimum IOPs been used in your environment (In relevant storage accounts). 

3) Better not to back up more than 20 disks in single storage account. If you have more than 20 disks in single storage account spread those VMs across the multiple policies to maintain required IOPS. 

4) Do not restore a VM running on Premium storage to same storage account. Also try to avoid restore while backup process is running on same storage account.

5) For Premium VM backup, ensure that storage account that hosts premium disks has at least 50% free space for staging snapshot for a successful backup.

6) Linux VM needs python 2.7 enabled for backup.

Next step is to see this in action.

1) Log in to Azure Portal as Global Administrator

2) First step is to create Azure Recovery Service Vault. In order to do that, go to All Services and click on Recovery Service vaults under storage section. 

3) Then click on Add in new window

4) It will open up wizard and there provide vault name, subscription, resource group and location. Once done, click on Create.

5) Now we have vault created, next step is to create backup policy. To do that click on vault we just created from the Recovery service vault window.

6) Then click on Backup Policies 

7) There is default policy from Azure VM backup. It backup VMs daily and keep it for 30 days.

8) I am going to create new policy to do backup every day at 01:00 am and keep it for 7 days. To do that click on add option in policy window. 

9) Then select the policy type. for VMs, it should be Azure Virtual Machine

10) In next window we can define time and retention period of data. Once done with the details click on Create. 

11) Next step of the configuration is to enable backup. In order to do that, go to the VM you like to backup. Then click on the option Backup 

12) Then in new window select the vault and policy we created before and then click on enable backup

13) Once it is done we can run backup by going in to same backup window. If you like to take ad-hoc backup, click on Backup Now

14) We can see the progress of the backup job by clicking View All Jobs

15) Once backup jobs completed we can see the status of it in same backup window.

16) To test the restore I installed Acrobat Reader in this server and created test folder in desktop. 

17) Now I am going to do a restore to an earlier day. To do that go to VM backup page, then click on Restore VM

18) In next window it asks which backup to restore. I am selecting back up from 3 days.

19) In next window it allows me to restore it as new VM or as disk. In here I am going to restore it as new VM

20) Once selection is done click on Restore to begin the process.

21) We also can check the status of the job using backup job window.

22) Once restore completed, I can see a new VM. 

23) Once log in to the VM I can’t see the folder and application I installed, as expected. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In my previous post Azure virtual machine scale sets – part 01, we learned what is VM scale set and how we can create a scale set in Azure. if you not read it yet please go through it before we start on this post as reset of the steps in this post depend on it http://www.rebeladmin.com/2018/04/azure-virtual-machine-scale-sets-part-01/ 

In this post we are going to deploy a sample application to scale set. In my previous post I have created a new scale set using,

New-AzureRmVmss `

  -ResourceGroupName "rebelResourceGroup" `

  -Location "canadacentral" `

  -VMScaleSetName "rebelScaleSet" `

  -VirtualNetworkName "rebelVnet" `

  -SubnetName "rebelSubnet" `

  -PublicIpAddressName "rebelPublicIPAddress" `

  -LoadBalancerName "rebelLoadBalancer" `

  -BackendPort "80" `

  -VmSize "Standard_DS3_v2" `

  -ImageName "Win2012Datacenter" `

  -InstanceCount "4" `

  -UpgradePolicy "Automatic"

In above it created an Azure Load balancer and TCP port 80 been load balanced among 4 instances. Under Azure Load Balancer | Inbound NAT rules it does have default rules for port 3389 and 5985. Those ports are mapped to custom TCP ports in order to give external access. 

As an example, in above sample, I can RDP to instance0 using 52.237.8.186:50000. Likewise, we can connect to each instance and install apps if need. instead of that we can use centralized remote deployment, so the configuration is same across the instance. 

In my config I didn’t use static ip address. You can find public ip address by running following azure PowerShell command,

Get-AzureRmPublicIpAddress -ResourceGroupName rebelResourceGroup | Select IpAddress

In order to push application, first need to prepare app config. in my demo I got a file in GitHub repository. 

$customConfig = @{

  "fileUris" = (,"https://raw.githubusercontent.com/rebeladm/rebeladm/master/simplewebapp.ps1");

  "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File simplewebapp.ps1"

}

My config is very simple one. In PowerShell script I have following,

Add-WindowsFeature Web-Server

Set-Content -Path "C:\inetpub\wwwroot\Default.htm" -Value "Test webapp running on host $($env:computername) !"

It will install IIS and then create HTML file which will print text with the instance name. 

As next step lets go and retrieve info about scale set,

$vmss = Get-AzureRmVmss `

          -ResourceGroupName "rebelResourceGroup" `

          -VMScaleSetName "rebelScaleSet"

After that, lets create custom script extension

$vmss = Add-AzureRmVmssExtension `

  -VirtualMachineScaleSet $scaleconfig `

  -Name "customScript" `

  -Publisher "Microsoft.Compute" `

  -Type "CustomScriptExtension" `

  -TypeHandlerVersion 1.8 `

  -Setting $customConfig

In above,

 –Publisher specifies the name of the extension publisher. This can find using Get-AzureRmVMImagePublisher 

 –Type specify the extension type. we can use Get-AzureRmVMExtensionImageType find the extension type. 

–TypeHandlerVersion specify the extension version. It can view using Get-AzureRmVMExtensionImage.

Next step of the configuration is to update scale set with the custom extension,

Update-AzureRmVmss `

  -ResourceGroupName "rebelResourceGroup" `

  -Name "rebelScaleSet" `

  -VirtualMachineScaleSet $vmss

Now it is time to do testing. Let’s go to public IP address and see if it’s got the app we submit. 

As I refresh we can see the instance number get updated. That means script is successfully running on scale set as expected. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.  

There are many different solutions available to load balance applications. It can be based on separate hardware appliances, virtual appliances or system inbuilt method such as NLB (Network Load Balancer). However, there are few common challenges on these environments. 

• If its third-party solution, additional cost involves for licenses, configuration and maintenance 

• Applications or services not always use all of the allocated resources. It may depend on demand and time. Since its fixed number of instance, infrastructure resource will be wasted in non-peak time. if its cloud service, it going to waste money!

• When the number of server instances increase, it makes it harder to manage systems. Too many manual tasks!

Azure virtual machine scale sets answers all above challenges. It can automatically increase and decreases number of vm instances running based on demand or schedule. No extra virtual appliances or licenses involves. It also allows to centrally manage, configure large number of instances. Following points are recognized as key benefits of Azure virtual machine scale sets.

• It supports Azure load balancer (Layer-4) and Azure Application Gateway (Layer-7) traffic distribution.

• It allows to maintain same VM configuration across the instance including VM size, Network, Disk, OS image, Application installs. 

• Using Azure Availability Zones, if required we can configure to distribute VM instances in scale set to different datacenters. It adds additional availability. 

• It can automatically increase and decrease number of vm instances running based on application demand. It saves money!

• It can grow up to 1000 vm instances, if its own custom images, it supports up to 300 vm instances. 

• It supports Azure Managed Disks and Premium Storage. 

Let’s see how we can setup Azure virtual machine scale set. In my demo I am going to use Azure PowerShell. 

1) Log in to Azure Portal as Global Administrator

 

2) Open Cloud shell (right hand corner)

 

 

3) Make sure you are using PowerShell Option

 

 

4) In my demo scale set configuration as following

 

New-AzureRmVmss `

  -ResourceGroupName "rebelResourceGroup" `

  -Location "canadacentral" `

  -VMScaleSetName "rebelScaleSet" `

  -VirtualNetworkName "rebelVnet" `

  -SubnetName "rebelSubnet" `

  -PublicIpAddressName "rebelPublicIPAddress" `

  -LoadBalancerName "rebelLoadBalancer" `

  -BackendPort "80" `

  -VmSize "Standard_DS3_v2" `

  -ImageName "Win2012Datacenter" `

  -InstanceCount "4" `

  -UpgradePolicy "Automatic"

 

In above,

 

Parameter	Description
New-AzureRmVmss	This is the command use to create Azure Virtual Machine Scale Set
-ResourceGroupName	This define the resource group name and it is a new one.
-Location	This defines the resource region. In my demo its Canada Central
-VMScaleSetName	This defines the name for the Scale Set
-VirtualNetworkName	This defines the virtual network name
-SubnetName	This defines the subnet name. if you do not define subnet prefix, it will use default 192.168.1.0/24
-PublicIpAddressName	This defines the name for public IP address. If not define allocation method using -AllocationMethod , it will use dynamic by default.
-LoadBalancerName	This defines the load balancer name
-BackendPort	This creates relevant rules in loadbalancer and load balance the traffic. in my demo I am using TCP port 80.
-VmSize	This defines the VM size. if this is not defined, by default it uses Standard_DS2_v2
-ImageName	This defines the VM image details. If no valuves used it will use default value which is Windows Server 2016 Datacenter
-InstanceCount	This defines the initial number of instance running on the scale set
-UpgradePolicy	This defines upgrade policy for VM instances in scale set

Once this is run it will ask to define login details for instances. After completes, it will create the scale set.

This also can do using Portal. In order to use GUI, 

1) Log in to Azure Portal as Global Administrator

2) Go to All Services | Virtual Machine Scale Set

3) In new page, click on Add

4) Then it will open up the form, once fill in relevant info click on create 

5) We also can review the existing scale set properties using Virtual machine scale sets page. On page click on scale set name to view the properties. If we click on Instances, we can see the number of instances running

6) Scaling shows the number of instances used. If need it can also adjust in here. 

7) Size defines the size of the VM, again if need values can change in same page. 

8) Also, if we go to Azure Portal | Load Balancers, we can review settings for load balancer used in scale set.

9) In my demo I used TCP port 80 to load balance. Those info can find under Load Balancing rules

10) Relevant public ip info for scale set can be find under inbound NAT rules

 

This marks the end of this blog post. In next post we will look in to further configuration of scale set. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Every business has different regulations, compliances that they need to comply with. These regulations and compliances are different from one industry to another. As an example, if its financial institute they will need to comply with PCI (Payment Card Industry Data Security Standard), if it’s a healthcare service they will need to comply with HIPPA (Health Insurance Portability and Accountability Act). Some of these compliances are must to comply and some will just add extra value to business. ISO certifications are good example for that. Some of these regulations and compliances are directly apply to computer infrastructures as well. Especially related to data protection and data governance. 

Apart from that most business has their own “Policies” to protect data and workloads in their infrastructures. Most of the time end goal of these policies is to make sure if “IT department” done their part to support business compliance requirements.  There are two great tools available from Microsoft to make it easier for enterprises to reach their corporate compliance requirements with in Azure environments. 

1. Compliance Manager – This service can scan your azure environment and provide report of your compliance level against most common industry standard such as GDPR, ISO 27000 etc. I already wrote detail article about it http://www.rebeladmin.com/2017/11/microsoft-compliance-manager-makes-easy-deal-compliance-challenges/ 

2. Azure Policy – This is more to review continues compliance in corporate infrastructure policies. As an example, a corporate need to make sure all their Azure resources are deployed under west us region. With help of Azure policy, we can continuously monitor resources and make sure it does stay compliance with that policy. in event of breach it will flag it up as well. 

In this post we are going to look in to Azure Policies and how it can help. 

Azure Policy does have 34 inbuilt policy definitions (at the time this article written). These are covering most infrastructure Management, Audit, and security requirements. Users can use these inbuilt policies or build their own. 

Azure Policy definition are JSON based. Each policy has following elements. 

• mode

• parameters

• display name

• description

• policy rule

               – logical evaluation

               – effect

Mode 

This is to define the resource type considered in the policy. There are two modes can use in a policy.

All – All resource types. This is the recommended mode for policies

Indexed –  Resource types that support tags and locations 

Parameters 

If you work with programming language or PowerShell I am sure you already know what parameter is. In here also it’s the same meaning. Parameter is special kind of variable which refer to piece of data. It simply the policy by reducing code. Following is extracted from a policy to show the parameter usage. 

"parameters": {

            "publisher": {

                "type": "String",

                "metadata": {

                    "description": "The publisher of the extension",

                    "strongType": "type",

                    "displayName": "Extension Publisher"

                }

Display name & Description

It is just to identify the policy. description also can use to add more meaning. 

{

    "type": "Microsoft.Authorization/policyDefinitions",

    "name": "allowed-custom-images", 

    "properties": {

        "displayName": "Approved VM images",

        "description": "This policy governs the approved VM images",

        "parameters": {

            "imageIds": {

                "type": "array",

                "metadata": {

                    "description": "The list of approved VM images",

                    "displayName": "Approved VM images"

                }

In above example, Approved VM images is policy display name and This policy governs the approved VM images is policy description. 

Policy Rule

It’s the heart of the policy. it is where it describes the policy using logical operators, conditions and effect. 

Under the policy rule following logical operators are supported. 

– "not"

– "allOf"

– "anyOf"

It also accepts following conditions types

– "equals"

– "notEquals"

– "like"

– "notLike"

– "match"

– "notMatch"

– "contains"

– "notContains"

– "in"

– "notIn"

– "containsKey"

– "notContainsKey"

– "exists"

Under a policy rule, following effects can use,

– Deny – Generate event in audit log and fail the request

– Audit – Only for auditing purpose and no request decision made

– Append – Add additional fields to the request

– AuditIfNotExists – Enable auditing if the resource not existing

– DeployIfNotExists – Deploy if resource is not existing (at the moment this only supported in built-in policies)  

  "policyRule": {

            "if": {

                "allOf": [

                    {

                        "field": "type",

                        "equals": "Microsoft.Compute/virtualMachines"

                    },

                    {

                        "not": {

                            "field": "Microsoft.Compute/imageId",

                            "in": "[parameters('imageIds')]"

                        }

                    }

                ]

            },

            "then": {

                "effect": "deny"

            }

In above example, it uses if, not and then policy blocks been used. It checks images id of virtual machines and if it’s not matching it will deny request based on effect. 

More info about policy templates can be found under

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

https://docs.microsoft.com/en-us/azure/azure-policy/json-samples

Policy Initiatives 

Azure Policy also allows to group policies together and apply it one scope. This is called Policy Initiative. This reduce the complexity of policy assignment. As an example, we can create policy initiative called “Infrastructure Security” and include all infrastructure security related policies to it.  

Using Azure Policy

Let’s see how we can use Azure Policy feature. 

1. Log in to Azure Portal as Global Administrator

2. Go to All Services and type Policy then click on policy tile. 

3. Then it will open up the feature tile.

4. In my demo I am going to assign pre-built policy to restrict resource region. In order to assign policy, click on Assignment 

5. Then click on Assign Policy

6. Then in it will open up Assign Policy Wizard. Click on Policy to list and select the relevant policy. in my demo I am using policy called “Allowed Locations”. Select the policy from list and then click on select to complete the action. 

7. Under Name and Description fields define policy name and description which explain its characteristics. 

8. Under the Pricing Tier select the pricing tier for evaluation. 

9. Scope field defines the scope of the policy. it will be subscription in use. 

10. Using exclusion, we can exclude resource groups which not going to exclude from the policy. in this demo I am not going to exclude any.

11. Then under the Parameters I select the region I like to use for my resources (In my demo I am using Canada Central as the region). 

12. At the end click on Assign to complete the policy assignment process. 

13. Not it is time for testing. In my demo I am trying to create a storage account under west us region. When I do that it gives me error saying “There were validation errors. Click here to view details”

When I click on it, it says it didn’t deploy as policy violation. (hope I will see more details when its GA)

Cool ha? It’s doing the job it supposed to do. Since policy effect is “deny” it should deny my request to create resource under other regions. 

Initiative Assignment

Assigning Initiative is same process as Policy assignment. But before do that you need initiative in place. There is only one in-built initiative in place currently. 

In order to create initiative,

1. Log in to Azure Portal as Global Administrator

2. Go to All Services and type Policy then click on policy tile. 

3. Then in policy feature window, click on Definition

4. After that click on Initiative definition option. 

5. in new window to start with, select Definition location. This is basically the targeted subscription. 

6. Under Name, define name for policy initiative. 

7. Under the category, you can either create new category or select existing one. 

8. After that click on available policy in left hand panel and click on Add it to initiative. 

9. Once it’s all done, click on Save to complete to process. 

10. Once it’s done, we can assign initiative, using Assignment | Assign Initiative Option

Create New Policy

Creating new policy is similar to creating initiative process. I can be done using Definition | Policy Definition option. 

Apart from that, using compliance option we can see the overall policy and initiative compliant status. It also allows to assign policies and initiative. 

This marks the end of this blog post. Hope it was useful for you. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In one of my previous blog post I have explained what is Azure File Share and how it can use to replace traditional on-premises file server. if you not read it yet please check it before we go further on this post as this feature is depend on Azure File Share. You can access article using http://www.rebeladmin.com/2018/03/step-step-guide-create-azure-file-share-map-windows-10/ 

With Azure File Sync we can make on-premises windows server to act as a cache copy holder for your Azure file share.  It allows users to access files locally using protocol such as SMB, NFS and FTPS. In this blog we going to look in to Azure file sync implementation.

Before we start configuration, we need to familiarizes with some terms associated with this feature. 

Azure File Sync Agent

It is an agent which we need to install in on-premises windows server in order to enable sync with Azure file share. It includes three components, 

1. FileSyncSvc.exe – This is the service responsible for monitoring changes in local server initiate sync with Azure file share. 

2. StorageSync.sys – This component is responsible for tiering files to Azure files. Cloud tiering is additional feature of Azure File Sync. It can use with not frequently used files greater than 64Kb. When this enabled, local file replaced with url to files in Azure file share. When user access it, in background it recalls the file from Azure file share. End user will not have any difference experience as it all happens in back end. 

3. PowerShell cmdlets – This helps to manage Microsoft.StorageSync Azure resource provider using PowerShell commands. These cmdlet files are located in

C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll

C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll

This agent is only supported in Windows server 2012 R2 / 2016 standard and datacenter versions only. It is not supported on core version either. 

Storage Sync Service 

According to Microsoft “The Storage Sync Service is the top-level Azure resource for Azure File Sync. The Storage Sync Service resource is a peer of the storage account resource, and can similarly be deployed to Azure resource groups. A distinct top-level resource from the storage account resource is required because the Storage Sync Service can create sync relationships with multiple storage accounts via multiple sync groups. A subscription can have multiple Storage Sync Service resources deployed.”

Sync group 

Sync group defines the boundaries of sync job. A sync group includes cloud endpoint and server end point. Storage sync service can have multiple sync group. 

Cloud endpoint

Cloud endpoint represent an Azure file share. One cloud endpoint can only have one file share which means one Azure file share responsible for one sync group. 

Server endpoint

Server endpoint represent the local server directory which will cache files from Azure file share. A one server can hold multiple server endpoints but one endpoint can’t be part of multiple sync groups. If it’s still added, it will merge with the files belongs to other endpoints in same sync group. 

Registered Server 

Registered server represents the trust relationship between on-premise server and storage sync service. It is one-to-one connection. However, one storage sync service can have many servers registered with it. 

Now we know the component and how each component involves in sync operation between Azure file share and on-premises server. Next step is to get it configured. 

Setup Azure File Share

As first step of the demo I am going to create Azure file share. Steps for this task is already explained on one of my previous blog post. http://www.rebeladmin.com/2018/03/step-step-guide-create-azure-file-share-map-windows-10/

Azure file sync preview feature is only supported in Australia East, Canada Central, East US, Southeast Asia, UK South, West Europe, West US regions. There for azure file share also need to be in same regions. 

For this demo I have created a file share called “rebelshare”. It is associated with westus region. 

Create Storage Sync Service

 

1) Log in to Azure Portal as global administrator

2) Go to New | Create a resource | Azure File Sync (Preview) | Create

 

 

3) In new window type name for sync service and select relevant resource group for it. if required can create new resource group. once you fill in info, click on create. 

 

 

Install Azure File Sync Agent

 

Next step in configuration is to install azure file sync agent in on-premises server. In this demo I am using server which running windows server 2016 datacenter edition. 

 

Before install agent,

 

• Log in to server and disabled Internet Explorer Enhanced Security Configuration for administrators and users. This can re-enable after installation. 

 

 

• Verify PowerShell version its running. At least it need to run version 5.1

 

• Install Azure PowerShell Module – Guide for it available in https://docs.microsoft.com/powershell/azure/install-azurerm-ps 

 

 

Once above in place, go and download file sync agent from https://www.microsoft.com/en-us/download/details.aspx?id=55988

 

Once download is completed, double click to start the installation. In initial page, click Next to continue.

 

 

In next page, accept the license agreement and click on Next.

 

After that in next window we can select the path for installation.

 

 

In next window it asks in future how you need to update the agent version. It can be done using windows update. 

 

 

In next window, keep default settings and click on Install to begin installation. 

 

Once installation is completed, it opens up Azure File Sync agent wizard. First step is to register the server. in window click on Sign in to start the process. 

 

 

Then sign in using your Azure global administrator account. 

 

 

In next window select the Azure Subscription, Resource group, Storage Sync service and click on Register

 

 

Then it will ask again for login, once it is done it will complete the registration process. 

 

 

Create Sync Group

 

Next step of the process is to create sync group. to do that.

 

1) Log in to Azure Portal as global administrator

2) Go to All Services and search for Storage Sync Services

3) In Storage Sync Services page click on the Storage Sync Service we created on earlier step. 

 

 

4) In new window click on Sync Group icon.

 

 

5) In next window, define name for sync group and select the subscription. Then select the storage account and Azure file share. At the end click on Create

 

 

6) Once group is added, click on the new group. 

 

 

7) In new window, click on add server endpoint option. 

 

 

8) Then in new window select the registered server from the list and then define folder path for local cache copy. In my demo I am using E:\share path. I also enable cloud tiering feature. Once info is in click on create. 

 

 

9) After initial sync we can see same files in two endpoints. 

 

 

10) You also can review status of endpoint sync using Storage Sync Services | Sync_Account | Sync_group

 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Azure Files is a managed, cloud based file share that can access via SMB protocol. Once you create Azure File share it can be access from anyware using Windows, Linux or macOS. It can also can be mapped as a shared drive to the system.

Azure Files have following benefits, 

Simple – Easy to setup and easy to manage. It also can use with Azure Backup and Azure File Sync. It got everything to use as replacement for on-premises file server. 

Future Proof – When people are moving on-premises workload to Azure, sometime applications needed access to file shares. Azure Files allows to facilitate that requirements easily. Also, if you are maintaining on-premises file servers, when windows versions change, you need to upgrade those as well. Azure File is fully managed service which means no need to worry about versions.  

Reliable – High Availability of on-premises file share depend on many things such as power, File Sync between servers, Bandwidth etc. but with Azure Files you do not need to worry about it as it was already designed and operate with as high available service. You do not need to worry about keeping sync servers in different geographical locations either. 

Integration – Azure Files uses industry standard SMB protocol. It can be manage using Azure CLI, PowerShell, file system I/O APIs, Azure Storage Client Libraries and Azure Storage REST API. There for it allow developers to integrate it with existing systems or new systems easily. 

Let’s see how we can create Azure File Share and map it with Windows 10 PC.

In my demo I am going to use PowerShell for the setup. This is fully supported to setup via Azure Portal. 

Setup Storage Account

1) Log in to Azure Portal using Global Admin Account

2) Click on Cloud Shell in right hand corner

3) Make sure PowerShell console loaded. Same thing can be done by directly connecting to Azure using Azure PowerShell module. https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-5.4.0

4) Before create storage account I need to find info about my resource group that I am going to use. to do that run Get-AzureRmResourceGroup it will list down the group details along with the location. 

5) Once we retrieve info, we can create new storage account using,

New-AzureRmStorageAccount -ResourceGroupName therebeladmin `

  -Name rebelsa1 `

  -Location northcentralus `

  -SkuName Standard_LRS

In above, -ResourceGroupName specify the resource group name that storage account will belongs to. -Name defines the name of the storage account.  -Location defines the location for storage account. -SkuName defines the storage types. 

Standard_LRS – Locally-redundant storage.

Standard_ZRS – Zone-redundant storage.

Standard_GRS – Geo-redundant storage.

Standard_RAGRS – Read access geo-redundant storage.

Premium_LRS – Premium locally-redundant storage.

Setup Azure File Share

1) Now we have storage account, before we create share, we need to find out storage access key for the account. To do that we can use

Get-AzureRmStorageAccountKey -ResourceGroupName "therebeladmin" -AccountName "rebelsa1"

2) Now we can create file share called “rebelshare” using 

$SAContext = New-AzureStorageContext “rebelsa1” “<storage key>”

New-AzureStorageShare rebelshare -Context $SAContext

In above, rebelsa1 is the storage key and <storage key> need to replace by storage account key found on previous step.

In here it used the default quote which is 5tb. 

Map it to Windows 10 

To map folder to the Windows PC, we can use following PowerShell command,

net use R: \\rebelsa1.file.core.windows.net\rebelshare <storage key> /user:Azure\rebelsa1

In above, it will map the Azure File share we created as R:\ drive. <storage key> need to replace with Azure storage key.

in above I successfully map the share and copied file from my local C: drive. 

Note – In order to map this, share you need to have communication to Azure via SMB ports. If your firewalls blocking it, you will not able to map the drive. This is bit of an issue if you using the map drive in most of public wifi networks. However, you still can access the share using portal. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In Hyper-V or VMware virtualization environment, Enable/Disable NIC in a VM is not a big deal. Even if you do not have NIC or valid IP configure, administrators still can connect to VM as it does have “Console” access. Few weeks ago, I received an email from one of my regular blog readers. He accidently disabled NIC in azure vm and he lost RDP access to it. since there is no console access like other on-premises virtualization solution, of cause he was panicking. In this blog post I am going to share what you can do to re-enable your Azure VM NIC in such scenario. 

In my demo setup, I have an active azure VM running with 10.5.2.33 private IP address. 

I logged in to VM as administrator and disable the NIC.

Now I need to regain the RDP access to server. in order to do that, log in to Azure Portal as Global Administrator and click on Cloud Shell button in right hand top corner. 

When window load up makes sure you are using PowerShell option. 

Now we need to find out the NIC details of the VM that we having issues with. We can do this using,

Get-AzureRmNetworkInterface -ResourceGroupName "REBELADMIN-DEMO" 

In this command, -ResourceGroupName represent the resource group that VM belongs to. In my demo setup I only have one VM under that resource group.  but if you have more VMs it can be hard to find the relevant info. In that case I recommend to use portal itself to view this info.

In here, note down the network interface name, IP address and allocation method you using. 

Now, we need to assign a new IP address to the same nic from same subnet. It can be done using,

$Nic = Get-AzureRmNetworkInterface -ResourceGroupName "REBELADMIN-DEMO" -Name "rebeladmin-vm1123"

$Nic.IpConfigurations[0].PrivateIpAddress = "10.5.2.34"

$Nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"

$Nic.Tag = @{Name = "Name"; Value = "Value"}

Set-AzureRmNetworkInterface -NetworkInterface $Nic

In above commands, rebeladmin-vm1123 represent the network interface name. 10.5.2.34 is the new ip address for the network interface. PrivateIpAllocationMethod define the ip allocation method. Set-AzureRmNetworkInterface cmdlet sets the network interface configuration. 

Great!! Now I got my RDP access back with new IP address.

But it is not the original IP it had, now we can change it back with,

$Nic2 = Get-AzureRmNetworkInterface -ResourceGroupName "REBELADMIN-DEMO" -Name "rebeladmin-vm1123"

$Nic2.IpConfigurations[0].PrivateIpAddress = "10.5.2.33"

$Nic2.IpConfigurations[0].PrivateIpAllocationMethod = "Static"

$Nic2.Tag = @{Name = "Name"; Value = "Value"}

Set-AzureRmNetworkInterface -NetworkInterface $Nic2

Once it is applied, I can access server via RDP and now it has same private IP address it had.

If you using dynamic IP allocation method, you need to make it static, then change the ip and go back to dynamic mode. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In most common scenarios hackers targets open ports in servers to gain access. It can be web server port, RDP ports, SQL ports etc. If genuine users also use same ports to access the system it’s hard to keep these ports closed. There are other methods such as firewalls that we can use to secure the access but it will still keep the ports open. when it comes to public clouds, its increase your infrastructure’s public facing part. Its clients, administrators may access services over the internet mostly. In that case it will give more time and room for attackers to target open ports. 

Azure Just-in-Time VM Access is a great option to control this. As an example, if engineers need to do work in their VM’s mostly they RDP in to the system. Let’s assume they work 1 hour per day on servers. so, keeping port open for 24 hours not giving any benefits rather than risk. Using Just-in-Time VM Access we can limit the time it keeps RDP ports open. 

When Just-in-Time VM Access enabled, we can define what VM and what ports will be controlled. In most scenarios you do not need to control access to ports used by your applications or services. It will be more in to ports related to management tasks. This all done by using azure network security group rules. You can find more about NSG using https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg

When this feature used with VM, upon access request to a protected port, it will first check if the user have access permission to it using Azure Role based access control (RBAC). If it all good, then NSG automatically configure to allow access with the time you specified. Once it reached the allowed time limit, NSG will automatically revert configuration in to original state. 

This feature is still on preview but it is not too early to check its capabilities. Also, this feature is only can use with VMs created using Azure Resource Manager (ARM). 

Configuration

1. Log in to Azure Portal using Global Administrator account. 

2. Go to Security Center > Just-In-Time VM Access 

3. Then it will load the default page.

4. Click on Recommended Tab. It will list down the VMs you have. 

5. In order to enable JIT access, put a tick on the VM you like to protect and then click on Enable JIT on button. if need you can do it for multiple VMs in same time. 

6. Then it lists down the default ports protected with JIT access. 

7. We still can adjust settings for these services. As an example, I need to limit port 3389 (RDP) port Max request time to 1 hour. By default, it is 3 hours. In order to do that click on rule for 3389 and change Max request time value to 1 hour. To apply changes, click on OK at the end.

8. In next window we can see the new value, click on Save to save the config. 

9. If need we also can add our own ports to protection. Let’s assume we need to protect port 8080 access. To do that click on Add button in access configuration page. 

10. Then type port details in the window. Under Protocol we can select TCP, UDP or Any based-on requirement. Under Allowed source IPs access can controlled based on request or specific IP range. Max request time option is to limit the hours. Minimum time we can select is 1 hour. Once changes are done click on OK to apply changes

11. Then click on Save to save the config. 

12. After that, once we go to feature home page we can see the protected VM under Configured tab.

13. If need to edit the current configuration it can do using Edit option as below. 

14. Now configuration is done. Let’s test it out. According to my configuration I have RDP port protected. To request access, select the VM with tick box and then click on request access option. 

15. In next window, I am only going to request access to RDP port. To do that select the correct rule and click on On tab under toggle. Then click on Open Ports button. 

16. Then in the feature home page we can see it got 1 approved requests.

17. After configuration yes, I can access the server via RDP for 1 hour.

18. After one hour, I can’t initiate another new RDP connection. Using Activity log we can view logs related to past activities. 

This marks the end of this blog post. Hope now you have better understanding what is JIT VM access and how to use it. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In my previous post I have explained what is Azure Accelerated networking and how it works. If you didn’t read it yet, you can do it using http://www.rebeladmin.com/2018/01/azure-accelerated-networking/ . In this post I am going to show how we can create VM with AN and verify its actions. 

There are few limitations we need to aware before we use Azure Accelerated networking. 

1. Can’t use with existing VMs – In order to use AN feature, Virtual machines must be created with Accelerated Networking enabled. This feature cannot enable in existing VMs. 

2. A NIC with AN cannot attached to an existing VM –  A NIC with AN enabled only can attached during the VM creation process. It is not possible to attach it to existing VM. 

3. Azure Resource Manager only – This feature only can use with AR. It can’t use in classic portal. 

In my demo I am going to create new VM in new resource group with Azure Accelerated networking enable. Please note this feature can only enable using Azure CLI and Azure PowerShell.

Here I am going to use Azure CLI. More info about Azure CLI can be found in my blog post http://www.rebeladmin.com/2017/08/step-step-guide-start-azure-cli-2-0/ 

1. As first step I am going to create new resource group called ANTest in westus region. 

az group create --name ANTest --location westus

2. Then we need to create virtual network. In demo I am creating virtual network called ANTestVNet with address space 10.10.0.0/16

az network vnet create --name ANTestVNet --resource-group ANTest --location westus --address-prefix 10.10.0.0/16

3. Next step is to create a subnet under selected address space. In my demo I am creating 10.10.20.0/24 subnet with name ANTestsub1

az network vnet subnet create --address-prefix 10.10.20.0/24 --name ANTestsub1 --resource-group ANTest --vnet-name ANTestVNet

4. I like to access this vm from internet so I need a public ip attached to it. 

az network public-ip create --name ANTestpubip1 --resource-group ANTest --location westus --allocation-method dynamic

in above I am using dynamically assigned ip rather than static public ip.

5. Now we have everything ready to create NIC. This is the most important part of the job. So the command I am using for it is,

az network nic create --resource-group ANTest --name ANTestNic1 --vnet-name ANTestVNet --subnet ANTestsub1 --accelerated-networking true --public-ip-address ANTestpubip1

in above ANTestNic1 is the NIC name. –accelerated-networking true is the command to enable AN feature. 

6. Next step is to create VM with this new NIC attached. Please note there are only some OS and VM templates support this AN feature. So, make sure you select the correct size. if you use unsupported template, you can’t change enable AN by just changing the template. In my demo I am creating windows server 2016 server with Standard_DS4_v2 vm template.

az vm create --resource-group ANTest --location westus --nics ANTestNic1 --name REBELVM101 --image win2016datacenter --size Standard_DS4_v2 --admin-username rebeladmin --admin-password L0nd0n3322$

once it is completed we can log in to VM and verify. Once this feature enabled you will be able to see Mellanox ConnectX-3 Virtual Function Ethernet Adapter in device manager.

Let’s see how it affecting performance. I do have 2 VM created using old method and I am transferring a folder with 10Gb data between them. So, let’s see how the performance looks like. 

And when I do transfer same file between 2 VM with AN enabled I get following performance. 

It’s pretty amazing ha??? 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.