Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for November 2019

Step-by-Step Guide: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN

Last Updated on November 18, 2019 by Dishan M. Francis

OpenVPN is an open-source VPN protocol that is trusted by many cloud service providers to provide site-to-site, point-to-site, and point-to-point connectivity to cloud resources. Now Azure AD authentication also works with OpenVPN protocol. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to configure OpenVPN for Azure point-to-site VPN and then how to integrate Azure AD authentication with it. 

Prerequisites

1. To configure OpenVPN, first, we need to have a working point-to-site setup. The native Azure point-to-site VPN setup uses Azure certificate authentication. I wrote an article about it before and it can be accessed using https://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/

So, before we start, please go ahead and configure the VPN gateway with certificate authentication.  

2. Also, I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Configure OpenVPN for Azure P2S VPN

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)

2. Then I ran Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG to review my VPN gateway configuration. Here REBELVPNRG is the resource group it belongs to. 

3. Then let's go ahead and change the VPN client protocol to OpenVPN using,

$vpngw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -name REBEL-VPN-GW

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpngw -VpnClientProtocol OpenVPN

In the above, REBEL-VPN-GW is the VPN gateway name. [Read more…] about Step-by-Step Guide: Enable Azure AD Authentication for Azure Point-to-Site (P2S) VPN

Step-by-Step Guide: How to access Azure VMs securely using Azure Bastion?

Last Updated on November 7, 2019 by Dishan M. Francis

If we need to access an Azure VM using RDP or SSH, most commonly we use public IP method. In this way, the virtual machine will have a public IP address (static or dynamic) assigned to it. Also, RDP or SSH service ports will open to the public via NSG. This is easy but not a very secure method. 

If we have VPN or Express Route connectivity to Azure, we can connect to virtual machines using private IP addresses. It is secure than the public IP address method. However, it required additional configuration in-network level. 

Azure Bastion is a solution that we can use to access Azure VM securely without the use of public IP addresses or VPN connectivity. This is similar to using a jump-server to connect to resources in the remote network but instead of the traditional RDP method, it is using browser-based secure HTTP connectivity. Let's go ahead and explore a bit more about the Azure bastion solution. 

1. This service is now generally available (From 4th of Nov 2019). However, it is still only available for six Azure regions which are Australia East, East US, Japan East, South Central US, West Europe, and West US.

2. Azure bastion service deployment is per virtual network. 

3. Users can connect to Azure bastion service via the Azure portal. It is a browser-based connectivity. From the user end, only TCP port 443 needs to be open. 

4. Machines in the virtual network don't need to have public IP addresses assigned. Bastion service can connect to virtual machines using private IP addresses. 

5. Azure bastion is a fully managed PaaS service. We do not need to worry about the hardening or protection of it. 

In this post, I am going to demonstrate how we can enable Azure bastion service. 

Create Virtual Machines

Before we go into the Azure bastion service setup, I am going to create one windows 2019 virtual machine and one ubuntu Linux virtual machine. These machines will not have any public IP address assign. After that, I will demonstrate how we can access those securely using Azure bastion service. 

To begin,

1. Log in to Azure portal (https://portal.azure.com) as Global Administrator 

2. Go to Virtual Machines | + Add 

3. Create Windows Server 2019 Server with following settings,

Resource Group Name (new) : REBELBASTION

Virtual Machine Name : REBELWIN01

Region : East US

Image : Windows Server 2019 DataCenter

Size : Standard D2s v3

Public inbounds ports: None

Virtual network : REBELBASTION-vnet

Subnet : 10.0.3.0/24

Public IP : None

[Read more…] about Step-by-Step Guide: How to access Azure VMs securely using Azure Bastion?

Step-by-Step Guide: How to move Azure VM from one region to another

Last Updated on November 3, 2019 by Dishan M. Francis

There are many different reasons to move Azure VMs from one region to another. 

Operation Requirements – As an example, if organization open a branch in different region and want to move some operations to them, it is best to move infrastructure resource to the same geographical location as it will improve the reliability and availability of the services.

Compliance requirements – Sometimes rules and regulations force businesses to keep the data/operations in the same country or continent.

Azure feature requirements – Sometimes new Azure services & features are the first rollout to certain regions. If your current region has such limitations and still wants to use those features/services, you will need to move the resource to a supported region. 

In this post, I am going to demonstrate how to move Azure VM from one region to another using Azure site recovery. 

Prerequisites

Before start lets make sure we have the following in place, 

Valid Subscription – Subscription should support to create resources in the target region. It also should have enough credit.

Account Permission – We need to make sure we have enough permissions to create virtual machines, storage accounts, virtual networks in Azure. 

Network layout – Make sure to check the source network setup including all the components such as NSG, public IP, load balancer. The failover process will create a virtual network automatically to match the source network. But we have to create all other resources manually after the migration.  

Compatible regions – Make sure the source and target regions are part of compatible list https://docs.microsoft.com/en-gb/azure/site-recovery/azure-to-azure-support-matrix#region-support

In this demo, I am going to create windows server 2019 VM in East US region and then move it West US region using Azure site recovery.

Create Source VM

1. Launch PowerShell console and connect to Azure using Connect-AzAccount 

[su_note]Please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0[/su_note]

2. Create a new resource group using, 

New-AzResourceGroup -Name REBELRG -Location "East US"

In the above, REBELRG is the resource group name and East US is the resource group location.

3. Then create a new VM using,

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG -Name "REBELVM01" -Location "East US" -VirtualNetworkName "REBELVNET1" -SubnetName "REBELVMSubnet1" -PublicIpAddressName "REBELVM01IP1" -OpenPorts 80,3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, REBELVM01 is the VM name. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. [Read more…] about Step-by-Step Guide: How to move Azure VM from one region to another