Saving your production workload on Azure using Azure Resource Locks

Think of a scenario where you spend hours or maybe days setting up the environment required for a piece of software. This could be a couple of VMs with the required resources and parameters. Now consider a scenario where someone in your organization who has access to the same Azure subscription, or even you, accidentally runs a PS command and deletes that resource group… OUCH!

To prevent some of the above scenarios we have RBAC (Role Based Access Control) to limit who can access resources, but it will never eliminate every possible scenario. This is where Azure Resource Locks come into the picture. This nifty feature also shines when your organization has proper cloud management policies in place.

The good thing is the Microsoft Azure team has introduced this feature everywhere in the Azure portal: you can apply a lock at the Subscription, Resource Group and Resource level, and there is a hierarchy. If you apply it at the subscription level, every resource is protected by that lock. Or, better, you may only want to apply this to production Resource Groups and exclude the rest; yes, it’s possible thanks to the Azure policies concept.

For a deep dive into this feature please refer to the official Microsoft documentation. You can reach it from here.

OK, let’s dive in, my friends.

Azure locks come in two flavors: Read-Only and Delete. The Read-Only option will not allow you to perform any changes to the resources once applied. This is really useful when you don’t want any changes carried out to the resources, e.g. changing the VM size, adding disks, etc.

With the Delete option you’re prevented from deleting the resources in a resource group. If it is not combined with the Read-Only option you’re still allowed to carry out changes to the resources.

Note: Only the Owner and User Access Administrator roles can create or delete management locks.

OK, I mentioned the resource lock option is everywhere in the Azure portal. The reason is that the Azure team lets you go down to the object level and apply this feature. That being said, let me share a few screenshots to prove the point.

image

Picture 1: The above picture shows the Lock option available for a vNet.

image

Picture 2: The above picture shows the Lock option available for a virtual disk.

image

Picture 3: The above picture shows the Lock option available for a Resource Group.

OK, I assume you’re satisfied with my point. Now let’s dig into this feature.

In this scenario we have a Resource Group called “DemoRG001” which hosts one important VM for an organization and its associated resources. After creating this RG we want to make sure we protect the RG and its objects from accidental damage by the internal team members who are supposed to look after the Azure subscription.

As we saw in the first part of this article, Azure locks come in two types: Read-Only and Delete. In the Azure Portal, click Resource Groups, then click the desired resource group, in our case DemoRG001, and then click Locks.

image

In the new window that is displayed, provide a name in the Lock name section, choose the Lock type, and also add Notes, which can be useful for later review.

image

image

Note: If you’re a PS junkie (who shouldn’t be?) below is the command to create the required outcome.

New-AzResourceLock -LockName <lockName> -LockLevel CanNotDelete -ResourceGroupName <resourceGroupName>

Eg: New-AzResourceLock -LockName LCKRG001 -LockLevel CanNotDelete -ResourceGroupName DemoRG001

Now we’ve set up delete prevention on the resource group. With this feature activated, let’s try to delete one of the resources inside the Resource Group and observe the outcome.

I tried to delete the vNet and the outcome is as follows,

image

To verify the above from PS, try Get-AzResourceLock.

The error message highlights the reason as “operation because following scope are locked”.

You can try doing this on any object inside the Resource Group and the result will be the same.

Audit the actions

If we think carefully about the above scenario we should also take logs, alerts and security into consideration. Think carefully while wearing the security person’s hat. We would like to see who tried to access the resource group, and especially who tried to carry out malicious activity. Since the Activity log captures every operation, we can find out what really happened by observing the logs.
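The whole flow above, as an added PowerShell example that is not part of the original post: apply the CanNotDelete lock at resource group scope, verify it with Get-AzResourceLock, attempt a deletion inside the group to see it refused, and then query the Activity log for failed operations and their callers. It assumes the Az module (Az.Resources and Az.Monitor), an existing Connect-AzAccount session with Owner or User Access Administrator rights, and the resource group and lock names used in the post; the vNet name “DemoVNet” is an assumed placeholder.

```powershell
# Added example (not from the original post). Assumes Az.Resources / Az.Monitor
# and a signed-in session with rights to create management locks.
$resourceGroupName = "DemoRG001"   # resource group from the post
$lockName          = "LCKRG001"    # lock name from the post
$vnetName          = "DemoVNet"    # assumed name of a vNet inside the RG

# 1. Apply the delete lock at resource group scope; child resources inherit it.
New-AzResourceLock -LockName $lockName `
                   -LockLevel CanNotDelete `
                   -LockNotes "Production RG - protected against accidental delete" `
                   -ResourceGroupName $resourceGroupName `
                   -Force

# 2. Verify the lock is in place (the check the post suggests).
Get-AzResourceLock -ResourceGroupName $resourceGroupName |
    Select-Object Name, @{n = "Level"; e = { $_.Properties.level }}, ResourceId

# 3. Try to delete a resource inside the locked group. The request is refused
#    and the error names the locked scope, as in the post's screenshot.
try {
    Remove-AzResource -ResourceGroupName $resourceGroupName `
                      -ResourceType "Microsoft.Network/virtualNetworks" `
                      -ResourceName $vnetName `
                      -Force -ErrorAction Stop
} catch {
    Write-Warning "Delete blocked by lock: $($_.Exception.Message)"
}

# 4. Audit: failed operations against this RG in the last 24 hours, with the
#    caller identity, so accidental or malicious attempts can be reviewed.
$since = (Get-Date).AddDays(-1)
Get-AzActivityLog -ResourceGroupName $resourceGroupName -StartTime $since -Status Failed |
    Select-Object EventTimestamp, Caller, OperationName, Status |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize
```

The blocked delete shows up in step 4 with the caller’s identity, which is the audit trail the section asks for. Removing the lock later is a separate, auditable action (Remove-AzResourceLock), so a legitimate deletion is always a two-step operation.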

image

image

Azure Resource Lock is a nifty feature and very useful for production environments. Combining it with RBAC makes a great combination for granular control of resources as well as for security.

Now I know a demonstration is worth more, so here goes the video for you.

https://www.youtube.com/watch?v=iy1jtyoP7Ok

Any questions lads?

Azure AD allows seamless collaboration for any user with any account (towards the dream)

In a world where collaboration rocks we always question the security boundary. By now I hope all agree the answer relies on identity. Our application access and controls should follow identity, to truly give people the flexibility to work from anywhere whilst maintaining the required security.

Microsoft Azure Active Directory is now moving towards that dream. Today marks the public preview of sharing resources (applications and data) with people from any organization, whether or not they have Azure AD or an IT department. Earlier, Microsoft worked closely with Google social IDs for this task.

Under this preview, end users can use any type of e-mail ID to access resources in another organization for true B2B collaboration. This happens via email one-time passcodes (OTP). By using this new capability, you allow guest users to use their work email account for authentication while making sure your corporate resources are protected by the same security standards mandated by your partner organization. Once the end user gets the code and is verified, that session is valid for 24 hours. OTP codes are valid for 30 minutes. These settings are carefully applied with security in mind.

In addition, we can apply further security through Conditional Access and Multi-Factor Authentication (MFA), which are available under Azure Active Directory Premium.

Guest users will get a one-time passcode if the below scenarios are true,

  • They do not have an Azure AD account
  • They do not have a Microsoft account
  • The inviting tenant did not set up Google federation for @gmail.com and @googlemail.com users

OTP 1
(Picture credits goes to Microsoft Techcommunity)

OK, let’s get into action and enable this feature now.

Log into the Azure portal and go to Azure Active Directory –> Organizational relationships –> Users from other organizations –> Settings

Select “Enable Email One-Time Passcode for Guests (Preview)” and then save the changes.

image

Well, that’s all you have to do. Head back to “Users from other organizations” and add the users. Once the above task is completed it might take a little time to apply.

After that, share the resources with the outside party.

image

The first time the user gets the email, he/she has to go through the redemption procedure and accept the company policies. Once that is completed, when they try to access the company resources they will be prompted to sign in and to request a code. Below is an example of such a situation,

OTP 2, OTP 3
(Picture credits goes to Microsoft Techcommunity)

What is exciting is the new doors this opens for companies to securely give external parties access to their resources, knowing the control they have.

Goodbye MVA and welcome “LEARN”

If you’re a technical person who loves Microsoft technology then you must have spent time on MVA. Microsoft Virtual Academy is one of my favorite places to learn about Microsoft technology. Content from basic all the way to level 300 is there, plus you can do your own knowledge validation and exams. That being said, Microsoft has decided to close the learning site and come up with a new learning platform. Before I jump into that: if you’re an MVA fan then you still have time to complete your pending learning and exams until the end of January 2019. Best is to visit the MVA site and complete your pending tasks.

image

To view your progress, visit the Dashboard and complete any pending training courses,

image

So now you’re aware of the future that awaits MVA, what does that mean for you with Microsoft Learn? What is Microsoft Learn?

Microsoft Learn is an interactive learning environment that includes short step-by-step tutorials (I can see more on Azure), interactive coding/scripting environments, and task-based achievements that help you advance your technical cloud skills. I like the new idea, but again, change is not welcomed by everyone at first glance. Best is to give it a try and see how it matters to you.

image

I like the idea of role-based training. With the rapid changes in cloud technology it would be a pretty difficult task to keep up with all the technology updates. Ideal would be to have small chunks and learn them. Even Microsoft Azure classroom training has to go down that path in order to teach students.

In case you’re missing advanced-concept training, Microsoft has provided external training partner web links for you to refer to. Such learning partners are LinkedIn & Pluralsight.

image

I do hope Microsoft will not forget IT users who are interested in Windows Server and System Center technology. Fingers crossed for that.

Until that time arrives, best is to start with the “Azure Fundamentals” training.

https://docs.microsoft.com/en-us/learn/paths/azure-fundamentals/

How to migrate a Public IP between Azure VMs

This article was created based on a challenge I faced migrating a [Static] Public IP to a different VM. There are many scenarios where you might want to keep a static public IP on an Azure VM (IaaS). Despite being told to leverage DNS names, we know that in the practical world a static IP still wins.

In this scenario my customer’s VM had been attacked by ransomware. Luckily we had taken a full backup of the VM. First I tried restoring the disks to the same VM, but the problem still existed. The next solution was restoring the backup to a new VM (entire VM restore). How to do that you can find here.

The video below shows how I managed to resolve the problem.

https://www.youtube.com/watch?v=-R63rlspMJU

Error ID 70094: ASR Protection cannot be enabled for Hyper-V VM

I came across the above error when I tried to set up ASR using the new portal. Every step went fine until I got the below error,

image

Clearly this highlights that I cannot replicate the VM successfully to the Azure Recovery Services vault. I tried re-registering the Azure Site Recovery agent on the Hyper-V host as well. Though the Hyper-V host registers properly with the Recovery Vault, VM protection fails with the above error. On the Hyper-V console I can see VM replication is in an error state.

So finally, meddling around in the host logs, I found out ASR had been set up previously and had not been removed properly. This means each VM replication was also not completed and was hanging around in an error state. The only way to proceed is to clear that unsuccessful replication data on the host side, targeting each individual VM that is affected.

You need to run the below-mentioned PS commands on each host, targeting the affected VMs,

$vmName = "<VM Name>"
$hostName = "<Host name>"
# Locate the VM's Msvm_ComputerSystem instance on the Hyper-V host
$vm = Get-WmiObject -Namespace "root\virtualization\v2" -Query "Select * From Msvm_ComputerSystem Where ElementName = '$vmName'" -ComputerName $hostName
# The replication service object manages replication relationships on that host
$replicationService = Get-WmiObject -Namespace "root\virtualization\v2" -Query "Select * From Msvm_ReplicationService" -ComputerName $hostName
# Remove the stale replication relationship so ASR can enable protection again
$replicationService.RemoveReplicationRelationship($vm.__PATH)

PS: Replace <VM Name> with your affected VM name and <Host name> with your Hyper-V server name, and run this on the Hyper-V host.
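The same clean-up, as an added example that is not part of the original post, extended with the check a practitioner would want first: for each listed VM it reads the replication state through the Hyper-V module’s Get-VMReplication and only removes the stale relationship (the post’s WMI call) when replication is actually in an error state. It assumes it runs on the Hyper-V host itself with the Hyper-V PowerShell module installed; the VM names are placeholders to replace, and the return-code meanings are the standard Hyper-V WMI job codes.

```powershell
# Added example (not from the original post). Run on the Hyper-V host.
$affectedVMs = @("<VM Name 1>", "<VM Name 2>")   # placeholders: replace with the affected VM names
$hostName    = $env:COMPUTERNAME                  # the local Hyper-V host
$ns          = "root\virtualization\v2"

# One replication service object per host handles all relationships on it
$replicationService = Get-WmiObject -Namespace $ns -Query "Select * From Msvm_ReplicationService" -ComputerName $hostName

foreach ($vmName in $affectedVMs) {
    # Get-VMReplication (Hyper-V module) errors out when the VM has no replication configured
    $rep = Get-VMReplication -VMName $vmName -ErrorAction SilentlyContinue
    if (-not $rep) {
        Write-Host "$vmName : no replication relationship on this host, nothing to clear"
        continue
    }
    Write-Host "$vmName : replication State=$($rep.State) Health=$($rep.Health)"

    # Leave healthy relationships alone; only the broken ones block ASR
    if ($rep.State -ne "Error" -and $rep.Health -ne "Critical") {
        Write-Host "$vmName : replication looks healthy, skipping"
        continue
    }

    $vm = Get-WmiObject -Namespace $ns -Query "Select * From Msvm_ComputerSystem Where ElementName = '$vmName'" -ComputerName $hostName
    if (-not $vm) {
        Write-Warning "$vmName : VM not found on $hostName"
        continue
    }

    # Same call as in the post; ReturnValue 0 = completed, 4096 = job started, anything else = failure code
    $result = $replicationService.RemoveReplicationRelationship($vm.__PATH)
    Write-Host "$vmName : RemoveReplicationRelationship ReturnValue=$($result.ReturnValue)"
}
```

After the loop, re-run Get-VMReplication for each VM: it should now report no relationship, which is the state ASR needs before protection can be enabled again from the portal.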

Once that is completed, go ahead and try enabling replication for each VM from the Azure console side.

PS: If you need to know how to set up ASR on the new portal you’re in luck. Stay tuned for the next blog article.

How to encrypt disks on Azure VMs

“Information protection”: no wonder this term has been making a big buzz around the world regardless of business size. We have seen major cyber attacks and malware attacks which have crippled even enterprise companies financially and reputation-wise. So in this article I’m looking at one prevention solution offered by the Microsoft team a long time back. Now it’s extended to Microsoft Azure VMs as well. Disk encryption is not a new term; we have always heard Information Security consultants highlight how vital it is to back up the data and keep it offshore. At the same time they request that this data be encrypted in case it falls into the wrong hands.

But have you thought about how to protect running VMs in your data center or on Azure? Actually there are a couple of ways you can approach that. I recommend all of them, in a phased approach based on your budget and time.

Antimalware
Compliance
Hardware Security Module (HSM)
Virtual machine disk encryption
Virtual machine backup
Azure Site Recovery
Security policy management and reporting

The list can go on over time with new add-ons. In this article I’ll describe how we can protect virtual machines using disk encryption technology. If you’re a Hyper-V fan then read about Shielded VMs as additional information.

OK, back to the main topic. This technology is referred to as Azure Disk Encryption, which leverages Microsoft BitLocker disk encryption. (I do hope now it makes sense to you all.) Azure supports encrypting Windows VMs using BitLocker technology as well as Linux VMs using the dm-crypt feature, which provides volume encryption for the OS and the data disks. All the disk encryption keys and secrets are saved in Azure Key Vault in your existing subscription. The data (or in our case the VHD files) resides safely on Azure storage. Read about Azure Key Vault technology here.

Disk encryption can be approached in several ways,

disk-encryption-fig1
Picture credits to the Azure team

1. If you decide to upload an encrypted VM from your Hyper-V environment to Azure, make sure to upload the VHD to a storage account and copy the encryption key material to your key vault. Then provide the encryption configuration to enable encryption on a new IaaS VM.
2. If you create the Azure VM from an Azure Marketplace template, then just provide the encryption configuration to enable encryption on the IaaS VM.
3. If you’ve already created a VM in the subscription from the Azure Marketplace, you can still follow the same steps thanks to Azure Security Center.

So let’s assume you already created the Azure VM using the Marketplace and started using it for your requirement. At a later stage you found out through Azure Security Center that you’ve not followed industry best practices, and it’s highlighting the potential security risk you’re exposed to. One such finding is that the disks are not encrypted!

image

As you can see I have 3 Azure-hosted VMs and they have potential security issues; not enabling disk encryption is one of them. In this article I’ll focus on enabling disk encryption on one VM (VM01), which is running Server 2012 R2.

First things first: you need to get the Azure PowerShell modules set up on your desktop/laptop. You can download them from the Azure download page.

image

After that you’ll need a PowerShell script to do the job. You can get that script from here. Copy the script and save it with any name you prefer. Make sure its extension is .ps1.

Now open the script using PowerShell ISE.

image

When you run the script you need to provide the following information (in this order):

Resource Group Name – This is the RG name where you’ve hosted your VMs.

Key Vault Name – The place where your keys will be saved and protected. During execution the script will ask for a Key Vault. If you don’t have one created, just proceed and it will create a key vault automatically.

Location – Your Resource Group’s location. In my scenario it would be “southeastasia”.
Tip: notice there are no spaces in the name. This is very important to remember.

Azure Active Directory Application Name – This is the Azure Active Directory application that will be used to write secrets to the Key Vault. If you haven’t created one, the script will create one for you.

Now you’re aware of the information you need to provide. Let’s proceed with the execution of the script in PowerShell ISE.

image

If you get the above screen, that means the phase 1 activity is completed.

Now it’s time to target a VM and encrypt its disks. For this part you need to tell PowerShell which VM you’re targeting. In the PowerShell window type the below command

$vmName = "<VM name>"

Replace <VM name> with the name of your VM hosted in that resource group. In my case it’s $vmName = "VM01"

Now, in the above PowerShell script, line 185 holds the command to encrypt the disks. Copy that and run it in the PowerShell window. Alternatively you can copy the command mentioned below.

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -VolumeType All

If things go smoothly you’ll get the below message in your PowerShell window,
image

This process will take around 10-15 minutes to complete. In the above screenshot you can see the command execution and that the result completed successfully.

After that you can return to the VM properties and check the disk status. You can see below that both the OS and Data disks have been encrypted.

image

So any time you add more VMs to that resource group, all you have to do is target the VM name and run the command line given above.
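The “run it again for every new VM” step, as an added PowerShell example that is not part of the original post or the script it links to: it loops over every VM in the resource group, reads the current state with Get-AzureRmVMDiskEncryptionStatus, and runs the same Set-AzureRmVMDiskEncryptionExtension call the post uses only for VMs whose OS or data volumes are still reported as not encrypted, then re-reads the status so the result is visible without the portal. It assumes the AzureRm module era of the post, that the linked script has already populated $resourceGroupName, $aadClientID, $aadClientSecret, $diskEncryptionKeyVaultUrl and $keyVaultResourceId in the current session, and that the VMs are running Windows VMs.

```powershell
# Added example (not the post's or the linked script's code). Assumes the AzureRm
# module and that the variables below were set by the post's phase 1 script.
$vms = Get-AzureRmVM -ResourceGroupName $resourceGroupName

foreach ($vm in $vms) {
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vm.Name

    # OsVolumeEncrypted / DataVolumesEncrypted report Encrypted, NotEncrypted or NotMounted
    $needsEncryption = ($status.OsVolumeEncrypted -ne "Encrypted") -or
                       ($status.DataVolumesEncrypted -eq "NotEncrypted")

    if (-not $needsEncryption) {
        Write-Host "$($vm.Name): already encrypted (OS=$($status.OsVolumeEncrypted), Data=$($status.DataVolumesEncrypted))"
        continue
    }

    Write-Host "$($vm.Name): enabling Azure Disk Encryption on all volumes (takes 10-15 min)..."
    # Same command the post runs for VM01, parameterised on the VM name
    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName `
        -VMName $vm.Name `
        -AadClientID $aadClientID `
        -AadClientSecret $aadClientSecret `
        -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
        -DiskEncryptionKeyVaultId $keyVaultResourceId `
        -VolumeType All `
        -Force

    # Re-read the status so the outcome is recorded in the console, not just the portal
    Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vm.Name |
        Select-Object @{n = "VM"; e = { $vm.Name }}, OsVolumeEncrypted, DataVolumesEncrypted
}
```

Running this on a schedule gives the same coverage check Security Center performs, but from your own tooling, and it is idempotent: VMs that are already encrypted are skipped rather than re-processed.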

Note: Disk encryption on Azure is a really good option but needs to be weighed carefully. If you want to back up encrypted VMs then the encryption needs to be completed using the KEK method. For a more in-depth look at Azure IaaS disk encryption refer to this article.

Azure Site Recovery (ASR) in action to protect Azure IaaS VMs

Update 04th July 2017 11:00 p.m.: Today the Microsoft ASR team allowed replicating Server 2016 VMs in the Azure-to-Azure DR scenario as well. These VMs can support Storage Spaces technology. You can check my short video here.

Kindly note this feature is still in preview mode. That being said, I believe this is a very important option for some customers. Based on customer feedback, Microsoft has identified the following points to justify this feature.

  • You need to meet compliance guidelines for specific apps and workloads that require a business continuity and disaster recovery (BCDR) strategy.
  • You want the ability to protect and recover Azure VMs based on your business decisions, and not only based on inbuilt Azure functionality.
  • You need to test failover and recovery in accordance with your business and compliance needs, with no impact on production.
  • You need to fail over to the recovery region in the event of a disaster and fail back to the original source region seamlessly.

That being said, below are my observations on ASR for Azure IaaS VMs.

  • Setup and configuration is very easy (of course careful planning is required)
  • VMs with Managed Disks are not supported (this option will be coming soon)
  • Your Site Recovery Resource Group has to be created in a different region and cannot be in the same region where your production VMs exist.
  • Automated replication. Site Recovery provides automated continuous replication. Failover and failback can be triggered with a single click via the GUI.
  • The minimum replication time interval is 5 min (I wish this will be improved soon)
  • Just like protecting and testing on-premises VMs to Azure, you can run disaster-recovery drills with on-demand test failovers, as and when needed, without affecting your production workloads or ongoing replication.
  • You can use recovery plans to orchestrate failover and failback of the entire application running on multiple VMs. This can be controlled via runbooks (very nice feature)

OK, now let’s get back to action

To make things easier I went ahead and created two RGs (Resource Groups) in advance in two regions. I hope the naming convention makes their purpose easy to understand.

image

Inside ASR-PROD I already created a single Server 2012 R2 VM.

image

So now we have a production VM ready to be protected. The next step is to create a Recovery Vault in the destination RG.

image

image

Select the VMs you want to replicate, and then click OK.

image

If you want, you can override the default target settings and specify the settings you like by clicking Customize.

image

Once the command is given, the Azure Recovery service will go ahead and do the job

image

Initial replication might take some time. It all depends on how many disks you have in your IaaS VM and their size. But I am pretty sure it’s a lot faster than uploading your on-premises datacenter VM to Azure. I have experienced 3-4 days to upload a single VM to Azure.

Finally the success results would be as follows,

image

Nice GUI work from the Azure ASR team, visually showing from which region to which region the VM is getting replicated,

image

Experience the DR drill. For this, under Site Recovery click the “Test Failover” option. This will create a VM in the ASR RG. Once the test is complete you can select the option called “Cleanup test failover”. This will delete the VMs that were created during the test failover.

image

Tips:

During my demo lab creation I came across the below-mentioned error. The problem is that the newly added disk had not been initialized inside the guest OS. For that reason ASR was unable to replicate that disk to the DR site.

image