Azure

Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain

In an on-premises Active Directory environment, there can be application or service which required integration with Active Directory. With AD integration, the application can search for AD users, allow login, assign permissions, etc. This integration part is usually done using the Lightweight Directory Access Protocol (LDAP). By default, traffic over LDAP is not encrypted. Due to the vulnerabilities, Microsoft now recommends only to use secure LDAP (LDAPS, LDAP over SSL) connections to Domain Controllers. Azure Active Directory Domain Services (Azure AD DS) also support for secure LDAP connections. Most of the time the LDAP connection to Azure AD DS will be initiated over the public internet. So, it is important to have encryption in place to prevent man-in-the-middle attacks.

In this post, I am going to demonstrate how to enable secure LDAP for Azure AD DS. Before we start make sure you have the following prerequisites in place.

1. Valid Azure Subscription
2. Valid Azure Active Directory Domain Services (Azure AD DS) setup – I assume you already have Azure Active Directory Domain Service configured. More info about Azure AD DS setup can find on this link
3. Valid SSL certificate – We need a valid SSL certificate to enable secure LDAP. If Azure Active Directory Domain Service uses custom domain name, we can use public CA (3rd party) or enterprise CA to issue a certificate for it. If Azure Active Directory Domain Service is using Microsoft default domain .onmicrosoft.com, we have to use self-sign certificate for it as public CA can’t issue certs for the default domain. In this demo, I will be using a self-sign certificate for the configuration.
4. Test PC – We need a PC to test the secure LDAP connectivity.

Before we enable secure LDAP, we need to create a certificate for it. In this demo, my Azure Active Directory Domain Service instance is using default Microsoft domain name rebeladmlive.onmicrosoft.com. So, I have to use a self-sign certificate for it. To generate a self-sign certificate, we can use the following PowerShell commands. This can be run from any PC.

$domainname=”rebeladmlive.onmicrosoft.com”
$certlife=Get-Date
New-SelfSignedCertificate -Subject *.$domainname -NotAfter $certlife.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.$domainname, $domainname

In above, replace rebeladmlive.onmicrosoft.com with your Azure Active Directory Domain Service instance name. As we can see, it created a wild card SSL for rebeladmlive.onmicrosoft.com under Computer account.

We need to export this certificate as .PFX file with private key to,

1. Use it during the secure LDAP setup and upload it to Azure
2. Import it to any other PC which like to initiate secure LDAP connection (The certificate must be imported into Computer Account\Personal\Certificates as well as Trusted Root Certification Authorities\Certificates. This is because the certificate is self-sign cert and it doesn’t have trusted root certificate)

To export certificate,

1. Right-click on the certificate and go to All Tasks | Export

2. It will open up the certificate export wizard, click on Next to start the process.

3. In the next window select Yes, export the private key, and click on Next.

4. In the Export file format window, match the following selection, and click on Next.

5. In the next window, define the password for the export file and click on Next.

6. Then, select the file path for the output and click on Next.

7. In the next window, click on Finish to complete the Export process.

Now we have the .PFX file. The next step is to import it again to Trusted Root Certification Authorities\Certificates. This is required as we are using a self-sign certificate for the exercise. [Read more…] about Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain

Step-by-Step Guide: Reduce Latency between Azure VMs by using proximity placement group (PowerShell Guide)

The latency between two servers located in two regions is normally higher than the latency between two servers located in the same data center or the same rack. High latency between application servers has a direct impact on the overall performance of the application. By placing applications servers in the same physical location, we can reduce the latency. When it comes to Azure VMs, we can reduce the latency between servers by placing those in the same Azure region or in the same availability zone. But this doesn’t mean the servers are running from the same data center. As Azure grows a region can have multiple data centers. But now with proximity placement group, we can co-locate Azure VMs to the same data center.

The proximity placement group can have stand-alone VMs, VM scale sets or VM availability sets. Once the proximity placement group is created, we can deploy new servers to it or move existing servers to it. It is recommended to use accelerated networking with the virtual machine in proximity placement group to further reduce the latency. Also, if possible, use one VM template for virtual machines in the same proximity placement group. This is because some datacentres only support certain VM SKUs and sizes.

In this demo, I am going to demonstrate how we can create a proximity placement group and deploy a virtual machine to it. I also going to demonstrate how to move the existing virtual machine to the proximity placement group.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find here.

Create proximity placement group

Let’s start the configuration process by creating a new resource group.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount as Global Administrator

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

In the above, REBELRG1 is the resource group names and East US is the Azure region.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines

4. As the next step of the configuration, let’s go ahead and create proximity placement group using,

New-AzProximityPlacementGroup -Location “East US” -Name rebelpggrp01 -ResourceGroupName REBELRG1 -ProximityPlacementGroupType Standard

In the above, I created a ppg called rebelpggrp01. The group type is set to standard. [Read more…] about Step-by-Step Guide: Reduce Latency between Azure VMs by using proximity placement group (PowerShell Guide)

Step-by-Step Guide: Create Azure Windows Virtual Machine from a Snapshot (PowerShell Guide)

Virtual Machine Snapshots are the quickest way to recover a virtual machine from a disaster. Snapshot is a copy of the virtual machines’ disk file at a given point of time. There are situations where we may need to get certain data out from snapshot without restoring a complete virtual machine. The best way to do that is to create a virtual machine from the snapshot and then retrieve the relevant data. The same method also can use to test application upgrades or risky changes without affecting production servers. In this demo, I am going to demonstrate how we can create an Azure windows virtual machine from a snapshot.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it available on this link.

As part of the configuration, I am going to do following,

1. Create a new resource group
2. Create a new virtual network
3. Create Azure windows virtual machine
4. Log in to the new virtual machine and create few test files
5. Create snapshot
6. Create another virtual machine using the snapshot
7. Log in to this new Azure windows virtual machine and verify it has the test files created in original VM.

Create new Azure windows virtual machine

Let’s start the configuration process by creating a new resource group.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount as Global Administrator
2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

In the above, REBELRG1 is the resource group names and East US is the Azure region.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines

4. As the next step of the configuration, I am going to create a new virtual machine under REBELRG1 resource group. This will be used for testing purposes.

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG1 -Name “REBELTVM01” -Location “East US” -VirtualNetworkName “REBELVN1” -SubnetName “vmsubnet” -addressprefix 10.0.2.0/24 -PublicIpAddressName “REBELVM01IP1” -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, I am creating a virtual machine called REBELTVM01 in East US Azure region. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. For networking, it uses REBELVN1 virtual network and subnet 10.0.2.0/24. [Read more…] about Step-by-Step Guide: Create Azure Windows Virtual Machine from a Snapshot (PowerShell Guide)

Step-by-Step Guide: Control Inbound Internet traffic with Azure Firewall DNAT (PowerShell Guide)

I have a web server running in my on-premises network. I like to allow access to it from the internet via TCP port 443. To do that, I need to create two types of rules in my edge firewall. I need a NAT (Network Address Translation) rule to map a public IP address to the private IP address of the webserver. I also need an ACL rule to allow only relevant traffic (TCP 443). This ensures the traffic to web server from the public is protecting via edge firewall. In Azure, we can use the same topology to filter inbound internet traffic. For that, we have to use Azure Firewall Destination Network Address Translation (Azure Firewall DNAT). This is doing the same thing what NAT rule does but Microsoft calls it as DNAT. In this demo, I am going to demonstrate how to set up Azure Firewall and how to use it to filter incoming internet traffic.

In my demo environment, I have two virtual networks.

• EUSFWVnet1 – This network hosts the Azure firewall.
• EUSWorkVnet1 – This virtual network is the production network. This is where I create VMs.

The above two networks are connected using Azure VNet Peering method. With VNet peering, virtual networks are connected via the Azure backbone network. If we compare this with on-premises network, it is similar to the connection between your local network and edge firewall.

So, in this setup, I am going to allow RDP access to a virtual machine in EUSWorkVnet1 over the internet via Azure Firewall.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Setup Resource Group

The first step of the configuration is to create a new resource group. Both virtual networks and other services will be using the same resource group.
To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Create a new resource group using New-AzResourceGroup -Name REBELRG1 -Location “East US”. Here REBELRG1 is the resource group name and East US is the location.

Setup Azure Firewall Network

The next step is to create a new virtual network for Azure Firewall under REBELRG1 resource group.

$fwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “AzureFirewallSubnet” -AddressPrefix 10.0.0.0/24
$eusfwvnet = New-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $fwsubn1

EUSFWVnet1’s address space is 10.0.0.0/16. It is a class B IP address range. We have one subnet under it. AzureFirewallSubnet (10.0.0.0/24) will be used by Azure Firewall. Azure firewall only can be created in a subnet with name ‘AzureFirewallSubnet’

Setup Production Network

The next step of the configuration is to set up a virtual network for production workloads.

$worksubn1 = New-AzVirtualNetworkSubnetConfig -Name WorkSubnet -AddressPrefix 10.2.0.0/24
$workvnet = New-AzVirtualNetwork -Name EUSWorkVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.2.0.0/16 -Subnet $worksubn1

EUSWorkVnet1’s address space is 10.2.0.0/16. We have one subnet under it called WorkSubnet. This is the subnet we will use for the virtual machine.

Step-by-Step Guide: Azure Firewall to control access in Azure VNet-to-VNet connection (PowerShell Guide)

When we connect two networks via VPN connection, we only allow certain traffic to pass through (In most scenarios). This is the normal security best practice. We normally use a firewall to do this. When it comes to Azure, we may also need to connect virtual networks . In such situation, By using Azure Firewall, we can control the traffic between virtual networks. More info about Azure firewall also can find in one of my previous posts. In this post, I am going to demonstrate how we can control the traffic between two virtual networks in two regions by using Azure Firewall. This same method can use to control traffic between Azure and on-premises or between subscriptions.

In the demo setup, I am using three virtual networks across two Azure regions.

Azure Firewall – This network is purely to host the Azure firewall and VPN gateway. The gateway in this network will use to perform VNet-to-VNet connectivity with Remote network.

Workloads – This network is the back-end network that will hold the VM workloads. Remote network and workloads network will communicate via the Azure Firewall.

Remote network – This virtual network is in UK South region. It is just to represent the “other” network. This can be your on-premises network, virtual network in the same azure subscription, or virtual network in another azure subscription.

Connectivity

In the above two types of connection been used between virtual networks.

• VNet-to-VNet via Azure VPN Gateways – In this method, virtual networks are connected through public internet. In the demo, we are using the same method to connect Azure firewall network and Remote network.

• VNet Peering – With VNet peering, virtual networks are connected via the Azure network backbone. In our scenarios, we are using this method to connect Azure firewall network with workloads network. If we compare this with on-premises network, it is similar to the connection between your local network and edge firewall.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Setup Azure Firewall Network

The first step of the configuration is to create a new resource group in East US.

To do that,

1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Create a new resource group using New-AzResourceGroup -Name REBELRG1 -Location “East US”. Here REBELRG1 is RG group name and East US is the location.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$fwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “AzureFirewallSubnet” -AddressPrefix 10.0.0.0/24

$gwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.0.1.0/24

$eusfwvnet = New-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $fwsubn1,$gwsubn1

EUSFWVnet1‘s address space is 10.0.0.0/16. It is a class B IP address range. We have two subnets under it.

• AzureFirewallSubnet (10.0.0.0/24) – This subnet will be used by Azure Firewall. Azure firewall only can be created in a subnet with name ‘AzureFirewallSubnet‘
• GatewaySubnet (10.0.1.0/24) – This subnet is going to be used by Azure VPN Gateway. The subnet must be named as ‘GatewaySubnet‘ to support the configuration.

Setup Azure VPN Gateway in Azure Firewall network

1. The next step of the configuration is to create public IP address to use with Azure VPN gateway. To do that,

$gatewayip1 = New-AzPublicIpAddress -Name EUSFWVnet1GW1 -ResourceGroupName REBELRG1 -Location “East US” -AllocationMethod Dynamic

In the above, EUSFWVnet1GW1 is the name for the new public IP address. VPN Gateway only supports Dynamic Public IP address allocation. So, it is been set using -AllocationMethod.
2. Before we create the gateway, we need to create ip configuration.

$fwvnet1 = Get-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1
$fwgwsubnet1 = Get-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $eusfwvnet
$eusfwgw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name eusfwgw1ipconf1 -Subnet $fwgwsubnet1 -PublicIpAddress $gatewayip1

In above, New-AzVirtualNetworkGatewayIpConfig command used to create an IP configuration for gateway (using previously created gateway subnet & public IP addresses)

3. Finally, we can create the gateway using,

New-AzVirtualNetworkGateway -Name EUSFWGW1 -ResourceGroupName REBELRG1 -Location “East US” -IpConfigurations $eusfwgw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

In the above, the new VPN gateway is called EUSFWGW1. Its SKU is set to VpnGw1.

Azure

Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain