vNet Peering PowerShell

We have a hub and spoke design in Azure for our vNets and needed to peer the vNets together.

This can be done in an ARM template and we could have deployed all three networks in one go and peered them as part of the ARM template deployment.  For various reasons that approach didn’t really work for us, 1 reason was the customer is very sensitive to change control and having all 3 vNets being controlled by one ARM deployment didn’t sit very well with them and made them nervous.

So PowerShell was the obvious answer, and it’s very simple in PowerShell anyway.  So we deploy all 3 vNets using separate ARM templates and then peer them together with powershell.  Code also over on github

#Peering for hub and spoke network design
#Variables Section
$hubVnetResourceGroup = "RG_hubVnet"
$hubVnetName = "hubprodVnet"
$spoke1VnetResourceGroup = "RG_spoke1vnet"
$spoke2VnetResourceGroup = "RG_spoke2Vnet"
$spoke1VnetName = "spoke1prodVnet"
$spoke2VnetName = "spoke2prodVnet"
$hubVnet = Get-AzureRmVirtualNetwork -Name $hubVnetName -ResourceGroupName $hubVnetResourceGroup 
$spoke1Vnet = Get-AzureRmVirtualNetwork -Name $spoke1VnetName -ResourceGroupName $spoke1VnetResourceGroup
$spoke2Vnet = Get-AzureRmVirtualNetwork -Name $spoke2VnetName -ResourceGroupName $spoke2VnetResourceGroup
#End Variables

#Add Hub to spoke1 peer and allow gateway transit through hub1
Add-AzureRmVirtualNetworkPeering -Name 'hubtospoke1peer' -VirtualNetwork $hubvnet -RemoteVirtualNetworkId $spoke1vnet.id -AllowForwardedTraffic  -AllowGatewayTransit 

#Add spoke 1 to hub and use hub 1 gateways
Add-AzureRmVirtualNetworkPeering -Name 'spoke1tohubpeer' -VirtualNetwork $spoke1vnet -RemoteVirtualNetworkId $hubVnet.id -AllowForwardedTraffic  -UseRemoteGateways 

#Add hub to spoke2 peer and allow gateway transit through hub
Add-AzureRmVirtualNetworkPeering -Name 'hubtospoke2peer' -VirtualNetwork $hubvnet -RemoteVirtualNetworkId $spoke2vnet.id -AllowForwardedTraffic  -AllowGatewayTransit

#Add spoke 2 to hub and use hub 1 gateways
Add-AzureRmVirtualNetworkPeering -Name 'spoke2tohubpeer' -VirtualNetwork $spoke2vnet -RemoteVirtualNetworkId $hubVnet.id -AllowForwardedTraffic  -UseRemoteGateways 





Playing with Azure Firewall

What is Azure Firewall  – A fully stateful firewall as a service.

Before you can deploy Azure Firewall you need to register the provider in your subscription : https://docs.microsoft.com/en-us/azure/firewall/public-preview

Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network

Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network

It can take up to 30 minutes for the feature registration to complete

The easy way to get going and play with Azure Firewall is to use the quickstart template https://github.com/Azure/azure-quickstart-templates/tree/master/101-azurefirewall-sandbox

I’ve used the above template to get up and running with Azure Firewall quickly, easily and so I don’t have to click around in the portal.

First up is Network Rules – the template deploys adds an example rule in which I have deleted so I can start from scratch.  At the moment I have no network rules in my firewall

netrule1

If I now try to telnet to another server of mine that has RDP open to the internet we can see the connection is not successful

telnet1

I now add a rule to my firewall:

netrule1

And now the telnet connection to 3389 to the target is successful:

telnet2

Next up is Application Rules.  Application Rules allow you to control what FQDNs can be accessed and, somewhat obviously, these rules are http and https based. Again the deployment I used created a single Application Rule which I have deleted to give me a clean slate from which to start:

apprules1

Now if I try to browse the web from my server in Azure I’m blocked.  Interestingly the message I get in the web browser depends on whether I’ve gone to a https site or http:

web1

web2

I now add a rule for http and https for *.microsoft.com

apprules2

I can now browse to Azure.microsoft.com

web3.PNG

 

To get the abilty to filter http/https traffic like this you’d have to deploy a Network Virtual Applicance (NVA) and to control what can route to where in your Azure infrastructure you’d require an NVA or something like a Linux IaaS server running iptables.

Azure firewall looks like a good solution to filtering internet traffic and for controlling routing between servers in Azure.  Compared to some NVA devices or iptables it may be more basic (at the moment) but it certainly does offer what I see a lot of people asking for.

VM Deployment with ARM Template

This ARM template will deploy x number of virtual machines (takes the number you need as a parameter), a storage account in the target resource group for boot diagnostics, deploys the VMs in an availability group and deploys x number of data disks per VM.  Both the number of data disks (per VM) and size are parameters.  It attaches the VMs to an existing vnet/subnet, both of which are parameters.  it also sets the Locale to UK on Windows servers using a custom script extension as per https://www.lewisroberts.com/2017/03/01/set-language-culture-timezone-using-powershell/

Template over on my Github page https://github.com/pagyP/AzARM/tree/master/VMs

This template will be updated over time to include additional functionality.

OMS Deployment with ARM Template

An ARM template to deploy a basic OMS workspace in Azure.  It deploys a workspace and two OMS solutions: Anti-Malware assessment and Updates.

Another template for OMS deployment, which is identical to the above, but links the workspace to an existing automation account.  Note it does not create the automation account, the automation account must already exist.

These templates are over on my Github page

Basic Active Directory Security

A large majority of breaches happen because of compromised credentials (https://blog.centrify.com/cause-of-data-breaches/) and so it stands to reason that a compromise of privileged credentials would be the worst case scenario. If someone gets hold of Domain Admin credentials the game is essentially over.

Because of this when I’m talking to customers about improving their security posture one of the first things I recommend is reducing the number of accounts in AD privileged groups such as Domain Admin, Enterprise Admin and Schema Admins as documented in the Best Practices for Active Directory Security.  What I often see is;

Lots of accounts in Domain Admins

IT administrators are often in Domain Admins.  Sometimes, but not always, this account is separate from their day to day ‘normal’ account.

Service accounts in Domain Admins

I often ask why so many accounts are put in these groups and the answer is usually along the lines of;

‘I need those permissions’ or ‘stuff just works when an account is in that group’.

For me one of the simplest things you can do to help reduce the attack surface of AD is to simply remove accounts from these privileged groups. Ideally the only account in there would be the built in Administrator (RID 500) account.

AD Security resources;

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

http://adsecurity.org/

I’ll do another post soon on Group Policy settings to help secure and audit your AD and Windows environment.

 

 

 

Querying IIS SMTP Smarthost Settings

Had a request to throw something together to query multiple machines and find the smarthost server that IIS was configured to use.  All I had time for was ‘quick and dirty’ so this is what I came up with;

 

get-adcomputer -filter * | Select-Object dnshostname >c:\servers.txt
Get-WmiObject -Namespace “root\MicrosoftIISv2” -Class “IISSMTPServerSetting” -Filter “Name =’SmtpSvc/1′” -comp (Get-Content c:\servers.txt) | Select-Object smarthost,defaultdomain | export-csv c:\servers.csv -NoTypeInformation

Obvious problem with the above is there is no connectivity check in place so any servers not being enabled for PS Remoting or firewalls in the way will just generate an error

 

 

 

Event ID 12024 – Exchange Hybrid

 

In a hybrid mode with Exchange 2010 and when trying to send emails to on premises users the email was not getting delivered.  No bouncebacks or errors, just no delivery.

I checked out the connector from 365 to on premises and when validating the connector by setting an email address of an on premises user, the validation failed with a STARTTLS error.

The problem was I had not assigned my webmail.domain.com certificate to the SMTP service in Exchange.

After assigning the certificate – Server Configuration – Right click the webmail.domain.com certificate – Assign to services – SMTP;  email started being delivered to my on premises users.