Azure Learning

Microsoft has recently announced a new learning site for all things Azure.

“Introducing a new approach to learning

The skills required to advance your career and earn your spot at the top do not come easily. Now there’s a more rewarding approach to hands-on learning that helps you achieve your goals faster. Earn points, levels, and achieve more!”

https://docs.microsoft.com/en-us/learn/

At first glance these new training and learning options seem very good. I’ll be trying them out soon enough.

Introducing Role-based Microsoft & Azure Certification Shakeup — Build Azure

Last July, Microsoft Learning announced some upcoming changes to the Microsoft Azure Certifications to make them more role-based. Recently, surrounding the Microsoft Ignite 2018 conference, they announced and released further information about these changes to transform the Azure certification tracks. This news includes more than just announcement of new Azure certification exams, but also the…

via Introducing Role-based Microsoft & Azure Certification Shakeup — Build Azure

vNet Peering PowerShell

We have a hub and spoke design in Azure for our vNets and needed to peer the vNets together.

This can be done in an ARM template: we could have deployed all three networks in one go and peered them as part of the ARM template deployment. For various reasons that approach didn’t really work for us. One reason was that the customer is very sensitive to change control, and having all three vNets controlled by one ARM deployment didn’t sit well with them and made them nervous.

So PowerShell was the obvious answer, and it’s very simple in PowerShell anyway. We deploy all three vNets using separate ARM templates and then peer them together with PowerShell. The code is also on GitHub.

#Peering for hub and spoke network design
#Variables Section
$hubVnetResourceGroup = "RG_hubVnet"
$hubVnetName = "hubprodVnet"
$spoke1VnetResourceGroup = "RG_spoke1vnet"
$spoke2VnetResourceGroup = "RG_spoke2Vnet"
$spoke1VnetName = "spoke1prodVnet"
$spoke2VnetName = "spoke2prodVnet"
$hubVnet = Get-AzureRmVirtualNetwork -Name $hubVnetName -ResourceGroupName $hubVnetResourceGroup
$spoke1Vnet = Get-AzureRmVirtualNetwork -Name $spoke1VnetName -ResourceGroupName $spoke1VnetResourceGroup
$spoke2Vnet = Get-AzureRmVirtualNetwork -Name $spoke2VnetName -ResourceGroupName $spoke2VnetResourceGroup
#End Variables

#Add hub to spoke1 peer and allow gateway transit through the hub
Add-AzureRmVirtualNetworkPeering -Name 'hubtospoke1peer' -VirtualNetwork $hubVnet -RemoteVirtualNetworkId $spoke1Vnet.Id -AllowForwardedTraffic -AllowGatewayTransit

#Add spoke1 to hub and use the hub gateways
Add-AzureRmVirtualNetworkPeering -Name 'spoke1tohubpeer' -VirtualNetwork $spoke1Vnet -RemoteVirtualNetworkId $hubVnet.Id -AllowForwardedTraffic -UseRemoteGateways

#Add hub to spoke2 peer and allow gateway transit through the hub
Add-AzureRmVirtualNetworkPeering -Name 'hubtospoke2peer' -VirtualNetwork $hubVnet -RemoteVirtualNetworkId $spoke2Vnet.Id -AllowForwardedTraffic -AllowGatewayTransit

#Add spoke2 to hub and use the hub gateways
Add-AzureRmVirtualNetworkPeering -Name 'spoke2tohubpeer' -VirtualNetwork $spoke2Vnet -RemoteVirtualNetworkId $hubVnet.Id -AllowForwardedTraffic -UseRemoteGateways
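A peering only carries traffic once both halves exist and each side reports Connected; a peering created on one vNet alone sits in Initiated. The check below is an added example, not part of the post's script or the GitHub repo, and assumes the same resource group, vNet and peering names as the script above. It reads back all four peerings and warns on any that is missing, not Connected, or lacking the gateway flag that side is supposed to have:

```powershell
# Added example (not the post's own code): verify the four peerings above
# reached 'Connected' and carry the intended gateway flags.
# Assumes the resource group / vNet / peering names used in the post's script.
$hubVnetResourceGroup    = "RG_hubVnet"
$hubVnetName             = "hubprodVnet"
$spoke1VnetResourceGroup = "RG_spoke1vnet"
$spoke1VnetName          = "spoke1prodVnet"
$spoke2VnetResourceGroup = "RG_spoke2Vnet"
$spoke2VnetName          = "spoke2prodVnet"

# Each entry: the vNet that owns the peering, the peering name, and the flag
# expected on that side (hub side transits its gateway, spoke side uses it).
$expected = @(
    @{ Rg = $hubVnetResourceGroup;    Vnet = $hubVnetName;    Peer = 'hubtospoke1peer'; Flag = 'AllowGatewayTransit' },
    @{ Rg = $spoke1VnetResourceGroup; Vnet = $spoke1VnetName; Peer = 'spoke1tohubpeer'; Flag = 'UseRemoteGateways' },
    @{ Rg = $hubVnetResourceGroup;    Vnet = $hubVnetName;    Peer = 'hubtospoke2peer'; Flag = 'AllowGatewayTransit' },
    @{ Rg = $spoke2VnetResourceGroup; Vnet = $spoke2VnetName; Peer = 'spoke2tohubpeer'; Flag = 'UseRemoteGateways' }
)

$problems = 0
foreach ($e in $expected) {
    $p = Get-AzureRmVirtualNetworkPeering -ResourceGroupName $e.Rg -VirtualNetworkName $e.Vnet -Name $e.Peer -ErrorAction SilentlyContinue
    if (-not $p) {
        Write-Warning "$($e.Vnet): peering '$($e.Peer)' not found"
        $problems++
        continue
    }
    # 'Initiated' means the matching peering on the other vNet is missing;
    # traffic only flows once both sides show 'Connected'.
    if ($p.PeeringState -ne 'Connected') {
        Write-Warning "$($e.Vnet): peering '$($e.Peer)' is '$($p.PeeringState)', not 'Connected'"
        $problems++
    }
    # Dynamic property lookup: $p.AllowGatewayTransit or $p.UseRemoteGateways
    if (-not $p.$($e.Flag)) {
        Write-Warning "$($e.Vnet): peering '$($e.Peer)' does not have $($e.Flag) set"
        $problems++
    }
    Write-Output ("{0}/{1}: State={2} ForwardedTraffic={3} GatewayTransit={4} RemoteGateways={5}" -f `
        $e.Vnet, $e.Peer, $p.PeeringState, $p.AllowForwardedTraffic, $p.AllowGatewayTransit, $p.UseRemoteGateways)
}
if ($problems -eq 0) { Write-Output "All peerings are Connected with the expected gateway flags." }
```

Run it in the same session as the peering script, after all four Add-AzureRmVirtualNetworkPeering calls have returned. One caveat worth knowing before the spoke-side calls: -UseRemoteGateways is rejected by Azure when the hub vNet has no VPN or ExpressRoute gateway deployed yet, so deploy the hub gateway before peering the spokes, or drop that switch and add it later with Set-AzureRmVirtualNetworkPeering.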

Playing with Azure Firewall

What is Azure Firewall? A fully stateful firewall as a service.

Before you can deploy Azure Firewall you need to register the provider feature in your subscription: https://docs.microsoft.com/en-us/azure/firewall/public-preview

Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network

Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network

It can take up to 30 minutes for the feature registration to complete.

The easy way to get going and play with Azure Firewall is to use the quickstart template: https://github.com/Azure/azure-quickstart-templates/tree/master/101-azurefirewall-sandbox

I’ve used the above template to get up and running with Azure Firewall quickly and easily, and so I don’t have to click around in the portal.

First up is Network Rules. The template adds an example rule, which I have deleted so I can start from scratch. At the moment I have no network rules in my firewall:

[Screenshot: netrule1]

If I now try to telnet to another server of mine that has RDP open to the internet, we can see the connection is not successful:

[Screenshot: telnet1]

I now add a rule to my firewall:

[Screenshot: netrule1]

And now the telnet connection to port 3389 on the target is successful:

[Screenshot: telnet2]

Next up is Application Rules. Application Rules allow you to control which FQDNs can be accessed and, somewhat obviously, these rules are http and https based. Again, the deployment I used created a single Application Rule, which I have deleted to give me a clean slate from which to start:

[Screenshot: apprules1]

Now if I try to browse the web from my server in Azure I’m blocked. Interestingly, the message I get in the web browser depends on whether I’ve gone to an https site or an http one:

[Screenshot: web1]

[Screenshot: web2]

I now add a rule for http and https for *.microsoft.com:

[Screenshot: apprules2]

I can now browse to azure.microsoft.com:

[Screenshot: web3]
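The two rules created in the portal above (the network rule allowing TCP 3389 to one target, and the application rule for *.microsoft.com over http and https) can be scripted with the same AzureRm module the post uses for peering. The block below is an added example, not the post's own code and not part of the quickstart template; the resource group, firewall name, source subnet and target address are placeholders for your own values. It also reads the rules back afterwards, which is the easiest way to confirm what the firewall is actually enforcing:

```powershell
# Added example (not the post's own code): the post's two rules as AzureRm PowerShell.
# Placeholders: resource group, firewall name, the subnet whose default route points
# at the firewall, and the single server the post allowed RDP to.
$rgName    = "<firewall-resource-group>"
$fwName    = "<azure-firewall-name>"
$srcSubnet = "10.0.2.0/24"           # assumed workload subnet behind the firewall
$rdpTarget = "<target-public-ip>"    # the one host the post tested 3389 against

$azFw = Get-AzureRmFirewall -ResourceGroupName $rgName -Name $fwName

# Network rule (layer 4): scoped to one destination and one port, not a range,
# so the allow is as narrow as the test needs.
$netRule = New-AzureRmFirewallNetworkRule -Name "allow-rdp-to-target" `
    -Protocol TCP -SourceAddress $srcSubnet -DestinationAddress $rdpTarget -DestinationPort 3389
$netColl = New-AzureRmFirewallNetworkRuleCollection -Name "NetRules" -Priority 200 -ActionType Allow -Rule $netRule

# Application rule (FQDN based, http/https only): the post's *.microsoft.com rule.
$appRule = New-AzureRmFirewallApplicationRule -Name "allow-microsoft-com" `
    -SourceAddress $srcSubnet -TargetFqdn "*.microsoft.com" -Protocol http, https
$appColl = New-AzureRmFirewallApplicationRuleCollection -Name "AppRules" -Priority 200 -ActionType Allow -Rule $appRule

# Rule collections are properties of the firewall object; assigning replaces
# whatever collections are there (empty here, since the sample rules were deleted).
$azFw.NetworkRuleCollections     = $netColl
$azFw.ApplicationRuleCollections = $appColl
Set-AzureRmFirewall -AzureFirewall $azFw

# Read back what is now in force rather than trusting the local object.
$azFw = Get-AzureRmFirewall -ResourceGroupName $rgName -Name $fwName
"--- Network rules ---"
$azFw.NetworkRuleCollections     | ForEach-Object { $_.Rules } | Format-List
"--- Application rules ---"
$azFw.ApplicationRuleCollections | ForEach-Object { $_.Rules } | Format-List
```

Set-AzureRmFirewall pushes the whole firewall object, so if the firewall already carries collections you want to keep, append with $azFw.NetworkRuleCollections += $netColl instead of assigning. Everything not matched by an Allow rule stays denied, which is exactly the behaviour the blocked telnet and browser tests above show.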

Previously, to get the ability to filter http/https traffic like this you’d have had to deploy a Network Virtual Appliance (NVA), and to control what can route to where in your Azure infrastructure you’d have required an NVA or something like a Linux IaaS server running iptables.

Azure Firewall looks like a good solution for filtering internet traffic and for controlling routing between servers in Azure. Compared to some NVA devices or iptables it may be more basic (at the moment), but it certainly does offer what I see a lot of people asking for.

VM Deployment with ARM Template

This ARM template will deploy x virtual machines (it takes the number you need as a parameter), a storage account in the target resource group for boot diagnostics, puts the VMs in an availability set and deploys x data disks per VM. Both the number of data disks (per VM) and their size are parameters. It attaches the VMs to an existing vNet/subnet, both of which are parameters. It also sets the locale to UK on Windows servers using a custom script extension, as per https://www.lewisroberts.com/2017/03/01/set-language-culture-timezone-using-powershell/

The template is over on my GitHub page: https://github.com/pagyP/AzARM/tree/master/VMs

This template will be updated over time to include additional functionality.

OMS Deployment with ARM Template

An ARM template to deploy a basic OMS workspace in Azure.  It deploys a workspace and two OMS solutions: Anti-Malware assessment and Updates.

Another template for OMS deployment, identical to the above, links the workspace to an existing automation account. Note it does not create the automation account; the automation account must already exist.

These templates are over on my GitHub page.

Certificates for Exchange

I needed to run up a lab environment to test an Exchange 2010 hybrid. For this I needed certificates, but I didn’t really want to purchase a SAN cert for what was to be a short period of testing.

This came to my rescue:

https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/Create-a-SAN-certificate-for-Microsoft-Exchange-2016,-2013-&-2010

Exchange 2010 – Office 365 Hybrid

Creating an Exchange 2010 to Office 365 hybrid:

Log in to your Office 365 tenancy: Admin – Exchange Admin – Hybrid – Configure.

This downloads the hybrid configuration wizard (HCW). Do the above using IE; initially I used Chrome and I got an error when executing the exe after the download.

In the first part the wizard detects the optimal Exchange server to use for the hybrid connection. In my case I only have a single Exchange 2010 server:

[Screenshot: hybrid1]

Enter your on-premises account info to connect to Exchange (you can see I left the tickbox selected to use the credentials I was signed in with), and enter your global admin details for your 365 tenancy:

[Screenshot: hybrid2]

[Screenshot: hybrid3]

The wizard collects some info and connects to Exchange on premises and Exchange Online via PowerShell, then click Next:

[Screenshot: hybrid5]

I’ve chosen ‘Full Hybrid Configuration’ as I need full free/busy, sharing and mail flow:

[Screenshot: hybrid6]

Click ‘Enable’ to create the federation trust:

[Screenshot: hybrid7]

You will need to create a TXT record in your DNS zone to prove domain ownership:

[Screenshot: hybrid9]

After proving your domain ownership you are asked for information on the mail flow in the hybrid configuration. The default is good for my needs:

[Screenshot: hybrid13]

You are then asked to select the hub transport server for the transport configuration. This is the server that will host the send connectors for mail transport to Exchange Online:

[Screenshot: hybrid14]

You are then asked for the public IP of your hub transport servers. In my case this is a NAT to the internal Exchange 2010 server:

[Screenshot: hybrid15]

You then need to choose your transport certificate. This needs to be a public cert:

[Screenshot: hybrid16]

You then need to enter the FQDN of your Exchange org. This tells Office 365 where to send email bound for on-premises users, i.e. before users have been migrated. It creates an outbound connector in Exchange Online:

[Screenshot: hybrid18]

On the next page you simply click Update. In the background a number of PowerShell commands are run which do all the configuration work.