vNet Peering PowerShell

We have a hub and spoke design in Azure for our vNets and needed to peer the vNets together.

This can be done in an ARM template, and we could have deployed all three networks in one go and peered them as part of the same ARM deployment. For various reasons that approach didn't really work for us; one reason was that the customer is very sensitive to change control, and having all three vNets controlled by a single ARM deployment didn't sit well with them and made them nervous.

So PowerShell was the obvious answer, and it's very simple in PowerShell anyway. We deploy all three vNets using separate ARM templates and then peer them together with PowerShell. The code is also over on GitHub.

#Peering for hub and spoke network design
#Variables Section
$hubVnetResourceGroup = "RG_hubVnet"
$hubVnetName = "hubprodVnet"
$spoke1VnetResourceGroup = "RG_spoke1vnet"
$spoke2VnetResourceGroup = "RG_spoke2Vnet"
$spoke1VnetName = "spoke1prodVnet"
$spoke2VnetName = "spoke2prodVnet"
$hubVnet = Get-AzureRmVirtualNetwork -Name $hubVnetName -ResourceGroupName $hubVnetResourceGroup
$spoke1Vnet = Get-AzureRmVirtualNetwork -Name $spoke1VnetName -ResourceGroupName $spoke1VnetResourceGroup
$spoke2Vnet = Get-AzureRmVirtualNetwork -Name $spoke2VnetName -ResourceGroupName $spoke2VnetResourceGroup
#End Variables

#Each peering is created in both directions. The hub side offers its gateway (-AllowGatewayTransit)
#and the spoke side consumes it (-UseRemoteGateways); -UseRemoteGateways fails if the hub has no
#VPN/ExpressRoute gateway yet. -AllowForwardedTraffic accepts traffic forwarded by an NVA in the
#peered vNet; it does not make peering transitive, so spoke1 cannot reach spoke2 through the hub
#without a route table pointing at an NVA in the hub.

#Add hub to spoke1 peer and allow gateway transit through the hub
Add-AzureRmVirtualNetworkPeering -Name 'hubtospoke1peer' -VirtualNetwork $hubVnet -RemoteVirtualNetworkId $spoke1Vnet.Id -AllowForwardedTraffic -AllowGatewayTransit

#Add spoke1 to hub and use the hub gateways
Add-AzureRmVirtualNetworkPeering -Name 'spoke1tohubpeer' -VirtualNetwork $spoke1Vnet -RemoteVirtualNetworkId $hubVnet.Id -AllowForwardedTraffic -UseRemoteGateways

#Add hub to spoke2 peer and allow gateway transit through the hub
Add-AzureRmVirtualNetworkPeering -Name 'hubtospoke2peer' -VirtualNetwork $hubVnet -RemoteVirtualNetworkId $spoke2Vnet.Id -AllowForwardedTraffic -AllowGatewayTransit

#Add spoke2 to hub and use the hub gateways
Add-AzureRmVirtualNetworkPeering -Name 'spoke2tohubpeer' -VirtualNetwork $spoke2Vnet -RemoteVirtualNetworkId $hubVnet.Id -AllowForwardedTraffic -UseRemoteGateways
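
A check to run after the script above, as an added example that is not part of the original post: it confirms both halves of each hub/spoke peering report Connected and that gateway transit points the right way (offered by the hub, consumed by the spoke). It assumes the variable names from the script above; Test-HubSpokePeering is a name chosen here.

```powershell
# Added example, not from the original post. Assumes the $hubVnet*/$spoke*Vnet* variables above.
function Test-HubSpokePeering {
    param(
        [Parameter(Mandatory)][string]$HubResourceGroup,
        [Parameter(Mandatory)][string]$HubVnetName,
        [Parameter(Mandatory)][string]$SpokeResourceGroup,
        [Parameter(Mandatory)][string]$SpokeVnetName
    )
    $hub   = Get-AzureRmVirtualNetwork -Name $HubVnetName   -ResourceGroupName $HubResourceGroup
    $spoke = Get-AzureRmVirtualNetwork -Name $SpokeVnetName -ResourceGroupName $SpokeResourceGroup

    # Match the peering on each side by the remote vNet's resource Id rather than by peering name
    $hubSide   = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName $HubVnetName -ResourceGroupName $HubResourceGroup |
                 Where-Object { $_.RemoteVirtualNetwork.Id -eq $spoke.Id }
    $spokeSide = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName $SpokeVnetName -ResourceGroupName $SpokeResourceGroup |
                 Where-Object { $_.RemoteVirtualNetwork.Id -eq $hub.Id }

    $findings = @()
    if (-not $hubSide)   { $findings += "No peering from $HubVnetName to $SpokeVnetName" }
    if (-not $spokeSide) { $findings += "No peering from $SpokeVnetName to $HubVnetName" }
    if ($hubSide -and $spokeSide) {
        # Traffic only flows once both halves are Connected; Initiated means the other half is missing
        foreach ($p in @($hubSide, $spokeSide)) {
            if ($p.PeeringState -ne 'Connected') { $findings += "$($p.Name) is $($p.PeeringState), not Connected" }
        }
        # Gateway transit must be offered by the hub and used by the spoke, never the other way round
        if (-not $hubSide.AllowGatewayTransit) { $findings += "$($hubSide.Name) does not allow gateway transit" }
        if ($hubSide.UseRemoteGateways)        { $findings += "$($hubSide.Name) is set to use the spoke's gateway" }
        if (-not $spokeSide.UseRemoteGateways) { $findings += "$($spokeSide.Name) does not use the hub gateway" }
        if ($spokeSide.AllowGatewayTransit)    { $findings += "$($spokeSide.Name) offers gateway transit to the hub" }
    }
    [pscustomobject]@{
        Spoke    = $SpokeVnetName
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Check both spokes from the peering script
Test-HubSpokePeering -HubResourceGroup $hubVnetResourceGroup -HubVnetName $hubVnetName `
    -SpokeResourceGroup $spoke1VnetResourceGroup -SpokeVnetName $spoke1VnetName
Test-HubSpokePeering -HubResourceGroup $hubVnetResourceGroup -HubVnetName $hubVnetName `
    -SpokeResourceGroup $spoke2VnetResourceGroup -SpokeVnetName $spoke2VnetName
```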

Playing with Azure Firewall

What is Azure Firewall? A fully stateful firewall as a service.

Before you can deploy Azure Firewall you need to register the preview features in your subscription: https://docs.microsoft.com/en-us/azure/firewall/public-preview

Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network

Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network

It can take up to 30 minutes for the feature registration to complete.

The easy way to get going and play with Azure Firewall is to use the quickstart template https://github.com/Azure/azure-quickstart-templates/tree/master/101-azurefirewall-sandbox

I’ve used the above template to get up and running with Azure Firewall quickly, easily and so I don’t have to click around in the portal.

First up is Network Rules. The template adds an example rule, which I have deleted so I can start from scratch. At the moment I have no network rules in my firewall:

If I now try to telnet to another server of mine that has RDP open to the internet, we can see the connection is not successful:

I now add a rule to my firewall:

And now the telnet connection on port 3389 to the target is successful:

Next up is Application Rules. Application Rules let you control which FQDNs can be accessed and, somewhat obviously, these rules are HTTP and HTTPS based. Again, the deployment I used created a single Application Rule, which I have deleted to give me a clean slate to start from:

Now if I try to browse the web from my server in Azure I'm blocked. Interestingly, the message I get in the web browser depends on whether I've gone to an HTTPS site or an HTTP one:

I now add a rule for HTTP and HTTPS to *.microsoft.com:

I can now browse to azure.microsoft.com:
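
The two allow rules built in the portal above, scripted with the AzureRm firewall cmdlets as an added example that is not part of the original post. The firewall name, resource group, source subnet and destination address are placeholders; the rules are scoped to one subnet and one destination rather than '*' so the firewall does not become a general outbound path.

```powershell
# Added example, not from the original post. All four values below are placeholders.
$fwName          = 'AzureFirewall'   # placeholder: the firewall deployed by the quickstart template
$fwResourceGroup = 'RG_firewall'     # placeholder
$sourceSubnet    = '10.0.2.0/24'     # placeholder: the subnet the test server sits in
$rdpTarget       = '203.0.113.10'    # placeholder: the one server that has RDP open

# Network rule: TCP/3389 from the workload subnet to a single destination only.
# Network rules match on IP/port/protocol and know nothing about the application inside.
$rdpRule = New-AzureRmFirewallNetworkRule -Name 'allow-rdp-to-target' -Protocol TCP `
    -SourceAddress $sourceSubnet -DestinationAddress $rdpTarget -DestinationPort '3389'
$netCollection = New-AzureRmFirewallNetworkRuleCollection -Name 'net-allow' -Priority 200 `
    -Rule $rdpRule -ActionType Allow

# Application rule: HTTP and HTTPS to *.microsoft.com from the same subnet.
# FQDN rules only apply to web traffic (Host header for HTTP, SNI for HTTPS), as the post notes.
$msRule = New-AzureRmFirewallApplicationRule -Name 'allow-microsoft-web' -SourceAddress $sourceSubnet `
    -Protocol 'Http:80','Https:443' -TargetFqdn '*.microsoft.com'
$appCollection = New-AzureRmFirewallApplicationRuleCollection -Name 'app-allow' -Priority 200 `
    -Rule $msRule -ActionType Allow

# Rule collections are added to the firewall object and written back with a single Set- call
$azFw = Get-AzureRmFirewall -Name $fwName -ResourceGroupName $fwResourceGroup
$azFw.AddNetworkRuleCollection($netCollection)
$azFw.AddApplicationRuleCollection($appCollection)
Set-AzureRmFirewall -AzureFirewall $azFw
```

Anything not matched by an allow rule is denied, so the telnet and browser tests from the post are a quick way to confirm only the two intended paths are open.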

Without Azure Firewall, to get the ability to filter HTTP/HTTPS traffic like this you'd have to deploy a Network Virtual Appliance (NVA), and to control what can route to where in your Azure infrastructure you'd need an NVA or something like a Linux IaaS server running iptables.

Azure Firewall looks like a good solution for filtering internet traffic and for controlling routing between servers in Azure. Compared to some NVA devices or iptables it may be more basic (at the moment), but it certainly offers what I see a lot of people asking for.

VM Deployment with ARM Template

This ARM template deploys x number of virtual machines (it takes the number you need as a parameter), a storage account in the target resource group for boot diagnostics, places the VMs in an availability group and attaches x number of data disks per VM. Both the number of data disks (per VM) and their size are parameters. It attaches the VMs to an existing vNet/subnet, both of which are parameters. It also sets the locale to UK on Windows servers using a custom script extension, as per https://www.lewisroberts.com/2017/03/01/set-language-culture-timezone-using-powershell/

Template over on my Github page https://github.com/pagyP/AzARM/tree/master/VMs

This template will be updated over time to include additional functionality.

OMS Deployment with ARM Template

An ARM template to deploy a basic OMS workspace in Azure.  It deploys a workspace and two OMS solutions: Anti-Malware assessment and Updates.

Another template for OMS deployment, identical to the above, links the workspace to an existing automation account. Note that it does not create the automation account; the automation account must already exist.

These templates are over on my Github page

Using Terraform for Azure deployments

Terraform – “Terraform enables you to safely and predictably create, change, and improve production infrastructure”

https://www.terraform.io/

Using Terraform I was able to deploy a virtual machine, virtual networks, a SQL Server and a SQL database to Azure. It looks like a very useful tool, not only for creating infrastructure as code in Azure but also for adding, updating and removing pieces of that infrastructure (or deleting it entirely).

I only deployed a single VM with a single NIC, but it seems simple enough to scale this number up, so with just a few lines of Terraform config we could deploy hundreds of virtual machines.

What Terraform does not do is any state configuration of those servers, so you'd end up with 100 vanilla Windows or Linux servers. We would need another tool to apply configuration to the servers, something like Puppet, Chef or PowerShell DSC. These would be used to install software such as antivirus, monitoring agents, Octopus Tentacles and so on.

More on Terraform https://blogs.msdn.microsoft.com/eugene/2016/11/03/creating-azure-resources-with-terraform/

SPN not found AAD Connect ADFS

During an install of AAD Connect I received an error saying that there wasn't an SPN set on the ADFS service account. Upon checking the user account I could see it did have an SPN set: host/sts.example.com.

Clicking retry on the ADFS install wizard got things going again and the install proceeded without any further problems.