
Showing posts from February, 2019

Easy and Free 2FA enabled Secure VPN solution in Azure

Long have I looked for a secure and easy-to-set-up alternative to a "jumpbox" or bastion server solution in Azure. Secure access always seems to add a lot of management overhead and cost to a project. Either you have to create a separate RDS server and pay for the licenses, or you have to use the Client VPN solution in Azure, which is limited. Luckily, Pritunl has a great open-source VPN product which you can use to limit your exposure to the outside world. Under the hood Pritunl is built on the OpenVPN protocol, which we all know and love, and you can easily enable 2FA with minimal setup. To set up Pritunl, simply create a new Ubuntu VM from the Azure marketplace. I used the latest 18.04-LTS image, but all other flavors of Linux will work as shown in the Installation documentation. There really isn't much to the setup; I simply ran the "Ubuntu Bionic" commands listed in their documentation: sudo tee /etc/apt/sources.list.d/mongodb-org-4.0

Azure - Helpful resources

A living list of helpful resources and links to Azure tools.

- Azure Resource Explorer - A tool to view and edit the direct ARM JSON.
- Azure Speed test tool - Runs speed tests and determines latency between regions.
- Azure Advisors Yammer - Useful for questions; often monitored directly by the product team.
- Learning: Build Azure - A great community centered around certification and learning.
- Whitepapers: Whitepapers - Customer engagement materials.

Azure - Check Invitation Status to guest user

Often you will need to invite a 3rd party to your Azure AD tenant to support your environment. When you add them to a resource, they are automatically invited as a guest user in your Azure AD tenant; however, they won't be able to access it until they accept the invitation email. If you send an invite to a guest user, you can see whether they have accepted the invitation or not. You also have the option to resend the invitation. From Azure AD you can search for guest users and drill down into an individual one. Here is what the email looks like. The key here is that the email comes from "[email protected]"; because it is sent on behalf of you, it may end up in the junk or spam email folder, so be sure to have them check there.

AZ-102 Study notes - Part 4

Manage identities (15-20%)
Manage Azure Active Directory (AD)
Add custom domains
- Add a purchased domain and add the MX or TXT records (ms=msXXXXXX).
- The person who creates the tenant is automatically the global administrator.
- TTL must be 60 minutes.
- Make sure you don't have any unmanaged Power BI tenants.
Configure Azure AD Identity Protection
- Azure AD Identity Protection is P2 level and above.
- You can force people to register for MFA; once everyone is registered you can add everyone.
- User / sign-on risk prevents or forces MFA sign-in for compromised users.
Azure AD Join, and Enterprise State Roaming
- With Azure AD settings you can enable local admin rights for Azure AD members. The local admins are set as device admins.
- ESR allows Windows 10 user data to be synced between devices. Data is encrypted. Requires "EMS".
Configure self-service password reset
- Password reset: selected groups or all. One or two methods. Email / Office Phone

AZ-102 Study notes - Part 3

Continued from a previous series.

Configure and manage virtual networks (15-20%)
Create connectivity between virtual networks
Create and configure VNet peering
- VNet peering is private peering across regions or subscriptions, but not tenants.
- 10 per VNet by default, but up to 50.
- Via PowerShell: Add-AzureRmVirtualNetworkPeering / az network vnet peering create
Create and configure VNet to VNet
- VNet-to-VNet connections require public IPs.
- Only VNets in the same subscription from the portal. Add the connection under the VNet.
- Use the New-AzureRMVirtualNetworkGatewayConnection cmdlet to set up via PowerShell.
Verify virtual network connectivity
- Get-AzureRmVirtualNetworkGatewayConnection / az network vpn-connection show
- Network Watcher Agent extension.
- Flow Logs require NSG rules, a Log Analytics workspace and a storage account.
Create virtual network gateway
- Requires a DYNAMIC public IP address.
- Review the SKUs noted in the documentation for gateway: Basic S

AZ-102 Study notes - Part 2

Continued from a previous series. Here are my notes created from studying for the AZ-102 exam. The LinkedIn series here was helpful.

Implement and manage storage (5-10%)
Configure Azure files
Create Azure file share
- Simple process if you've done it before: create a storage account > file share > New File Share.
- Use Connect to mount the share via CMD / PowerShell / Linux.
- Quota is 5 TiB.
- In PowerShell you can create this with the key with the cmdlet New-AzureStorageShare after setting the storage context with New-AzureStorageShare.
Create Azure File Sync service
- Azure File Sync is a "local" Windows Server copy of the Azure file share.
- Configure the service from the Azure portal: create a new Azure File Sync resource from the marketplace.
- Configure the on-premises server: disable IE Enhanced Security. Install the Azure File Sync Agent. Register the server.
- Gotchas: Only local non-removable volumes are supported.
- Module is named Az.StorageSync Server

AZ-102 Study notes - Part 1

These are my study notes for the Microsoft Azure Administrator Certification Transition Exam (AZ-102).

Manage Azure subscriptions and resources (5-10%)
Analyze resource utilization and consumption
- Use the Cost Management + Billing section to configure budgets and set up alerts pointing to an Azure resource group.
- Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance when using enterprise agreements with monthly commits.
Configure diagnostic settings on resources
- From the Azure portal, select Azure Monitor and then Diagnostic settings to enable this. Log to a storage account, Event Hub, or Log Analytics.
- Use the Set-AzureRMDiagnosticSetting cmdlet and the -ResourceId switch to enable via PowerShell.
Create baseline for resources; create and test alerts
- Study up on DSC and using Azure Update Management as well as update management via automation accounts.
Analyze alerts across subscription; analyze metrics acro