Sunday, August 9, 2020

Install IIS on Azure Virtual Machines using Azure PowerShell


1. Open the interactive shell and make sure it's set to PowerShell.

Click the Cloud Shell icon that appears next to the global search box, as shown in the image below:

CloudShell

2. Run the following commands to install IIS on the virtual machine:


*****************************************************

# Public settings for the Custom Script Extension: the script to download and the command that runs it.
$publicSettings = @{
    "fileUris"         = (,"https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/appgatewayurl.ps1");
    "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File appgatewayurl.ps1"
}

# Each backtick continuation needs a space before it and no blank line after it,
# otherwise PowerShell ends the command early.
Set-AzVMExtension `
    -ResourceGroupName vm2_group `
    -Location eastus `
    -ExtensionName IIS `
    -VMName VM2 `
    -Publisher Microsoft.Compute `
    -ExtensionType CustomScriptExtension `
    -TypeHandlerVersion 1.4 `
    -Settings $publicSettings

*****************************************************

Refer to the image below for reference.



3. Make sure you provide your own resource group name and virtual machine names. Create two more virtual machines and install IIS on them using the same steps.


Once the success message appears on the screen, log in to the virtual machines and verify that IIS is installed.
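The extension above downloads every URI in fileUris onto the VM and runs commandToExecute with full privileges, so the settings are worth checking before Set-AzVMExtension is called. The following is an added example, not code from the original post: a small Python pre-deployment review of the public settings hashtable. The allow-list of script hosts, the WEAK_SETTINGS record and the placeholder key are constructed for the example; the check that SAS tokens and storage keys belong in protectedSettings (which Azure encrypts, unlike public settings) is the security point it demonstrates.

```python
"""Review Custom Script Extension settings before applying them (added example)."""
import re
from urllib.parse import urlparse

# Hosts we treat as an approved source for scripts (constructed allow-list).
TRUSTED_SCRIPT_HOSTS = {"raw.githubusercontent.com"}


def review_custom_script_settings(settings, protected_settings=None):
    """Return a list of findings for one extension's settings; empty means clean."""
    findings = []
    protected_settings = protected_settings or {}

    uris = settings.get("fileUris") or []
    if isinstance(uris, str):
        uris = [uris]
    if not uris:
        findings.append("fileUris is empty: the extension has nothing to download")
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS script source: {uri}")
        if parsed.hostname not in TRUSTED_SCRIPT_HOSTS:
            findings.append(f"script host not on the allow-list: {parsed.hostname}")
        if "sig=" in (parsed.query or "").lower():
            # Public settings are readable by anyone who can read the VM model.
            findings.append(f"SAS token in public settings (move the URI to protectedSettings): {parsed.hostname}")

    command = settings.get("commandToExecute") or protected_settings.get("commandToExecute") or ""
    if not command:
        findings.append("commandToExecute missing from both settings and protectedSettings")
    elif re.search(r"-executionpolicy\s+(unrestricted|bypass)", command, re.IGNORECASE):
        findings.append("PowerShell execution policy is lowered for the script run")

    for key in ("storageAccountKey", "storageAccountName"):
        if key in settings:
            findings.append(f"{key} belongs in protectedSettings, not public settings")
    return findings


# The public settings used in the post above.
POST_SETTINGS = {
    "fileUris": ["https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/appgatewayurl.ps1"],
    "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File appgatewayurl.ps1",
}

# A constructed, weaker variant: plain HTTP from an unknown host, a SAS token
# and a storage key all placed in the public settings.
WEAK_SETTINGS = {
    "fileUris": "http://example.invalid/setup.ps1?sv=2020-01-01&sig=CONSTRUCTEDTOKEN",
    "commandToExecute": "powershell -ExecutionPolicy Bypass -File setup.ps1",
    "storageAccountKey": "CONSTRUCTED_KEY",
}

if __name__ == "__main__":
    for label, s in (("post", POST_SETTINGS), ("weak", WEAK_SETTINGS)):
        print(label, review_custom_script_settings(s) or ["clean"])
```

Run it against the output of `ConvertTo-Json $publicSettings` (or the settings block of `Get-AzVMExtension`) to review extensions that are already deployed; the only finding for the post's own settings is the lowered execution policy, which is a conscious trade-off the script needs but worth recording.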


I hope this helps anyone who has started exploring Azure and would like to enable the IIS feature in the easiest way.




Saturday, August 1, 2020

Secure Azure Infrastructure Practices


 

Secure Cloud Infrastructure

In 2020, cloud computing surveys show that enterprises continue to embrace multi-cloud (Azure, AWS and Google) and hybrid cloud strategies, while Infrastructure-as-a-Service (IaaS) adoption continues its upward trend as the fastest growing public cloud segment, ahead of PaaS.

More adoption may lead to more security concerns. Here I cover a few aspects to consider while managing Azure infrastructure, given the rapid adoption of IaaS providers. Adequate action leads to a more secure environment and mitigates the potential impact of an attempted breach.

n secure your Azure infrastructure.

Security for Azure resources is further categorised as follows:

  1. Azure Security Center (ASC)
  2. Security for virtual machines
  3. Azure Identity and Access Management (IAM)
  4. Azure Storage
  5. SQL Server databases
  6. Azure network security
  7. Azure Monitor
  8. Azure Key Vault
  9. Azure Governance
  10. Azure Private Link

 

1. Azure Security Center (ASC): ASC is a PaaS-based security management solution for Azure subscriptions. It extends advanced threat protection across hybrid cloud workloads, both in the cloud and on-premises.

·         Strengthen security posture: Security Center assesses your cloud environment and reports whether cloud resources are secure or not.

·         Protect against potential threats: ASC assesses workloads and raises threat-prevention recommendations and security alerts.

·         Get secure faster: ASC is natively integrated into Azure, so deploying it is easy and fast.

2. Security for virtual machines:

  • MDATP: ASC extends its workload protection using Microsoft Defender Advanced Threat Protection (MDATP). MDATP raises alerts when it notices attacker tools and techniques; its sensors on VMs collect a wide variety of signals.
  • Operating system vulnerabilities -> Enable OS vulnerability recommendations for virtual machines.
  • Endpoint protection -> Enable endpoint protection for Azure virtual machines and on-premises VMs to remove viruses, spyware and other malicious software. Use ASC for this purpose.
  • Adequate implementation of NSGs -> All network ports should be restricted on the NSG associated with your VM.
  • Adaptive Network Hardening (ANH): ASC recommends that network hardening be applied to internet-facing virtual machines and that access be limited to specific IP ranges.
  • Deploying the Qualys built-in vulnerability scanner -> Microsoft ASC advises enabling the built-in vulnerability assessment solution on virtual machines (powered by Qualys).
  • Enable the latest OS patch updates for virtual machines -> Ensure the latest operating system patches are applied to virtual machines.
  • Enable disk encryption on virtual machines: Azure Disk Encryption (ADE) protects data at rest to meet organizational security and compliance needs. ASC always raises this as a high severity recommendation.

  3. Azure Identity & Access Management (IAM): Points of consideration are listed here.

·         Multi-factor authentication is enabled for all users -> Global administrators and other privileged users typically already have MFA enabled; however, we should also enable MFA for users who have write access to Azure resources and could gain access to harm the infrastructure.

  • Privileged Identity Management (PIM) -> PIM must be reviewed at regular intervals to review user access. Users must be granted access only just-in-time (JIT).
  • Conditional Access policy -> A Conditional Access policy must be applied for hybrid-joined users or AD users to avoid vulnerabilities.
  • Fewer admins/owners -> Keeping the number of Owner/Admin roles small is always beneficial and mitigates unavoidable circumstances that may happen.

4. Storage accounts: Data is always a key asset for any organization and must not be breached, so ensure the following are enabled:

  • Enable Advanced Threat Protection: ATP adds an extra layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit the storage account.
  • Secure transfer for storage: HTTPS is considered secure transfer, so require HTTPS when connecting to Azure Storage.
  • Storage service encryption: Storage service encryption protects your data at rest. Azure uses symmetric encryption to encrypt data when it is written to storage and to decrypt it whenever you access it.

5. Azure SQL services: On SQL databases or servers, ensure the following are set to on:

  • SQL Auditing: Auditing covers activity, compliance, anomalies and conflicting facts. It tracks database events and writes them to an audit log in your Azure storage account. It helps identify suspected security concerns, so it must be enabled.
  • Transparent Data Encryption on SQL databases: TDE should be enabled on SQL databases, managed instances and Azure Synapse Analytics.
  • Threat detection: It adds an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit SQL databases.

6. Azure networking: Ensure the following are disabled on network security groups for traffic from the internet:

  • Disable RDP and SSH: Ensure RDP and SSH are allowed only to a certain set of users, and JIT must be enabled for RDP and SSH over the Internet, as attackers can use various brute-force methods to get access to Azure virtual machines.
  • Azure Bastion: Azure Bastion provides secure and seamless RDP/SSH connectivity to VMs directly in the Azure portal over SSL. You don't need a public IP on the VM to connect through Azure Bastion.
  • Web Application Firewall (WAF): Web applications are always a risk area and can be tampered with through brute-force or malicious attacks. A few well-known vulnerabilities are SQL injection and cross-site scripting attacks. A centralized WAF protects against such web attacks without requiring additional application changes.
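To make the RDP/SSH point concrete, here is an added example (not part of the original post) that evaluates an NSG's inbound rules the way Azure does, lowest priority number first with the first matching rule deciding, and reports which management ports are reachable from the internet. The rule records are constructed for the example; their field names follow the shape of the JSON that `az network nsg rule list` returns, so the same function can be pointed at real output. JIT VM access works by adding and removing exactly these kinds of rules, so running this after a JIT window closes is a cheap check that the port was actually closed again.

```python
"""Find management ports an NSG allows inbound from the internet (added example)."""

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that mean "anyone": the wildcard, the Internet service tag, and any-address CIDR.
INTERNET_PREFIXES = {"*", "Internet", "0.0.0.0/0"}


def _port_matches(port, spec):
    """spec is '*', '3389', '3000-4000' or a list of those."""
    if isinstance(spec, list):
        return any(_port_matches(port, s) for s in spec)
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _dest_ports(rule):
    ranges = list(rule.get("destinationPortRanges") or [])
    single = rule.get("destinationPortRange")
    return ranges + ([single] if single else [])


def _sources(rule):
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    single = rule.get("sourceAddressPrefix")
    return prefixes + ([single] if single else [])


def internet_exposed_ports(rules, ports=MGMT_PORTS):
    """Return {port: rule_name} for ports the NSG allows inbound from the internet.

    Rules are evaluated in priority order; the first rule whose source, protocol
    and destination port match a packet decides, which is how Azure applies an NSG.
    If nothing matches, Azure's default DenyAllInbound rule applies.
    """
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    exposed = {}
    for port in ports:
        for rule in inbound:
            if rule.get("protocol", "*") not in ("*", "Tcp"):
                continue
            if not any(src in INTERNET_PREFIXES for src in _sources(rule)):
                continue  # source-restricted rules never match an internet packet
            if not _port_matches(port, _dest_ports(rule)):
                continue
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break  # first match, Allow or Deny, decides for this port
    return exposed


# Constructed rules in the shape of `az network nsg rule list` output.
SAMPLE_RULES = [
    {"name": "allow-rdp-from-anywhere", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "allow-ssh-from-office", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "22"},
    {"name": "deny-ssh-internet", "priority": 120, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "22"},
    {"name": "allow-web", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["80", "443"]},
    {"name": "allow-all-high-ports", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
     "destinationPortRange": "1024-65535"},
]

if __name__ == "__main__":
    print(internet_exposed_ports(SAMPLE_RULES))  # RDP open to the world; SSH only from the office
```

In the sample, SSH is fine (the office-only allow rule does not count as exposure and the Internet-wide deny wins for everyone else) while RDP is flagged; passing other ports shows that a broad range such as 1024-65535 is caught as well.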

7. Azure Monitor:

·         Enable diagnostics: Resource logs are helpful for gaining insight into an Azure resource's internal operation and for root cause analysis, so ensure that diagnostic settings for each Azure resource are enabled and sending telemetry to a Log Analytics workspace, Azure Storage or Event Hubs.

·         Azure Monitor alerts: Enterprise applications must be designed so that metric alerts, activity log alerts, cost alerts and Log Analytics alerts are configured adequately. These raise an alert when a threshold is met for an Azure resource and can further be integrated with a SIEM tool.


8. Azure Key Vault: Azure Key Vault is a hardware security module (HSM) backed service that provides access to tokens, passwords and API keys. Key Vault greatly reduces the chance that secrets are accidentally leaked. For example, an application may need to connect to a database; that connection string can be stored in Key Vault and accessed over a URI.

9. Azure Governance: It's a process for maintaining applications and resources in Azure. A few main characteristics of Azure governance are described below:

·         Apply RBAC to control user access permissions and mitigate undesirable actions: grant permissions to a defined set of users to access applications and resources. Azure Policy manages policy definitions that enforce rules for the resources within your infrastructure; it can be used to identify compliant resources and take adequate action against non-compliant ones.

10. Azure Private Link: The objective of Azure Private Link is to secure connections to Azure PaaS offerings. It provides private connectivity from an Azure VNet to Azure PaaS services and customer-owned services over the Azure backbone network, avoiding transmission over the public network.

Private Link supports the following services in GA:

§  Azure Storage

§  Azure Data Lake Storage Gen 2

§  Azure SQL

§  Azure Synapse

§  Azure Cosmos DB

§  Azure Database for PostgreSQL

§  Azure Database for MySQL & MariaDB

§  Azure Key Vault

§  Azure Kubernetes Services

 

I hope this helps you get an understanding of some security practices.

Kindly visit my channel for all videos.

Thursday, July 2, 2020

Soft Delete for Azure Storage using ARM template, Azure CLI & PowerShell

Soft delete is an Azure feature that helps protect data in Azure Blob storage and Azure Files against accidental deletion, whether by you or by someone else. It's a part of Azure backup.

Use case: Assume you work on an enterprise application and somehow a user has gained access to an Azure storage account and accidentally deleted some blobs. How will you recover them?

Azure Storage soft delete enables you to achieve this.

Prerequisites: An Azure storage account should already exist, or create one on the fly using the ARM template below.

If you already have an Azure storage account, just go to the storage account -> Data Protection -> Enable blob soft delete.

Refer to the image below for reference:

Azure Infrastructure as Code (ARM Template)

An ARM template is Infrastructure as Code (IaC) for provisioning resources in Azure. In this section I'll create an ARM template for a storage account with the soft delete feature enabled. A storage account is a resource type under the Azure Storage provider Microsoft.Storage. The blob service is a sub-resource with a single instance named default; you can address it as Microsoft.Storage/storageAccounts/piperstorage/blobServices/default.

The following ARM template creates an Azure storage account and enables soft delete on it. We will run it using the Azure CLI.

{
   "$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion":"1.0.0.0",
   "parameters":{
      "location":{
         "type":"string"
      },
      "storageAccountName":{
         "type":"string"
      }
   },
   "variables":{

   },
   "resources":[
      {
         "type":"Microsoft.Storage/storageAccounts",
         "sku":{
            "name":"Standard_LRS",
            "tier":"Standard"
         },
         "kind":"StorageV2",
         "name":"[parameters('storageAccountName')]",
         "apiVersion":"2018-07-01",
         "location":"[parameters('location')]"
      },
      {
         "name":"[concat(parameters('storageAccountName'), '/default')]",
         "type":"Microsoft.Storage/storageAccounts/blobServices",
         "apiVersion":"2018-07-01",
         "properties":{
            "deleteRetentionPolicy":{
               "enabled":true,
               "days":30
            }
         },
         "dependsOn":[
            "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
         ]
      }
   ],
   "outputs":{
   }
}
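Because the retention policy lives on the blobServices/default child rather than on the storage account itself, it is easy for a template edit to drop it without the deployment failing. The following is an added example, not part of the original post: a Python pre-deployment check, run on the template file before `az group deployment create`, that confirms every storage account has a blobServices/default child with deleteRetentionPolicy enabled, a retention period within the 1 to 365 days Azure accepts for blob soft delete, and a dependsOn on its parent account. The embedded template is a trimmed, constructed copy with the same structure and policy as the template above; `weakened_copy` is a helper of this example only.

```python
"""Pre-deployment check that an ARM template enables blob soft delete (added example)."""
import copy
import json

MIN_RETENTION_DAYS, MAX_RETENTION_DAYS = 1, 365  # range Azure accepts for blob soft delete


def _is_default_blob_service(name):
    # Names are ARM expressions such as "[concat(parameters('x'), '/default')]"
    # or literals such as "mystorage/default"; strip expression punctuation
    # and look at the trailing segment.
    return name.replace("'", "").replace(")", "").replace("]", "").endswith("/default")


def check_soft_delete(template):
    """Return a list of findings for the template dict; empty means it passes."""
    findings = []
    resources = template.get("resources", [])
    accounts = [r for r in resources if r.get("type") == "Microsoft.Storage/storageAccounts"]
    services = [r for r in resources
                if r.get("type") == "Microsoft.Storage/storageAccounts/blobServices"
                and _is_default_blob_service(r.get("name", ""))]
    if not accounts:
        findings.append("template defines no storage account")
    if len(services) < len(accounts):
        findings.append(f"{len(accounts)} storage account(s) but {len(services)} "
                        "blobServices/default resource(s): soft delete is not set for every account")
    for svc in services:
        name = svc["name"]
        policy = (svc.get("properties") or {}).get("deleteRetentionPolicy") or {}
        if policy.get("enabled") is not True:
            findings.append(f"{name}: deleteRetentionPolicy is not enabled")
            continue
        days = policy.get("days")
        if not isinstance(days, int) or not MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS:
            findings.append(f"{name}: retention of {days!r} days is outside "
                            f"{MIN_RETENTION_DAYS}-{MAX_RETENTION_DAYS}")
        if not any("storageAccounts" in dep for dep in svc.get("dependsOn", [])):
            findings.append(f"{name}: no dependsOn for the parent storage account, "
                            "so ARM may try to create the blob service first")
    return findings


def check_soft_delete_text(template_json):
    """Same check on the raw JSON text of a template file (strict JSON, no // comments)."""
    return check_soft_delete(json.loads(template_json))


# Constructed, trimmed copy of the template above (same structure, same policy).
SAMPLE_TEMPLATE_JSON = """{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"location": {"type": "string"}, "storageAccountName": {"type": "string"}},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2018-07-01",
     "name": "[parameters('storageAccountName')]", "location": "[parameters('location')]",
     "kind": "StorageV2", "sku": {"name": "Standard_LRS", "tier": "Standard"}},
    {"type": "Microsoft.Storage/storageAccounts/blobServices", "apiVersion": "2018-07-01",
     "name": "[concat(parameters('storageAccountName'), '/default')]",
     "properties": {"deleteRetentionPolicy": {"enabled": true, "days": 30}},
     "dependsOn": ["[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"]}
  ]
}"""


def weakened_copy(template, **policy_changes):
    """Deep copy of the template with the blob service's deleteRetentionPolicy altered
    (example helper, used to show what the check reports)."""
    bad = copy.deepcopy(template)
    for r in bad["resources"]:
        if r["type"].endswith("/blobServices"):
            r["properties"]["deleteRetentionPolicy"].update(policy_changes)
    return bad


if __name__ == "__main__":
    tpl = json.loads(SAMPLE_TEMPLATE_JSON)
    print("as written:", check_soft_delete(tpl) or "OK")
    print("days=400  :", check_soft_delete(weakened_copy(tpl, days=400)))
    print("disabled  :", check_soft_delete(weakened_copy(tpl, enabled=False)))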

Once everything is set up, use the az login command to sign in to your Azure subscription, then create a resource group of your choice. Follow the commands below to log in, create the resource group and run the Azure CLI to create the storage account and enable soft delete for blobs.

az login

az group create --name cloudPipersRG --location "East US"

Deploy the template using the Azure CLI:

az group deployment create --name StorageDeployment --resource-group cloudPipersRG --template-file "C:\Learning\Docs\ARM Templates\azureDeploy.Storage.json" --parameters storageAccountName=cloudpiperstorage location=eastus

Deploy the template using Azure PowerShell:

$resourceGroupName = "cloudPipersRG"

New-AzResourceGroup -Name $resourceGroupName -Location "centralus"

New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateFile "C:\Learning\Docs\ARM Templates\azureDeploy.Storage.json" -storageAccountName "cloudpiperstorage" -location "westus"

Once it has succeeded, go to the Azure portal to verify the deployment and related resources.

Go to the portal https://portal.azure.com/ -> cloudPipersRG -> Deployments

Verify that the storage account has been created and looks like the screenshot below (cloudpiperrg-deployment).

Deployment using Azure CLI

Now go to the recently created storage account, find Data protection and click on it. It opens a new window as shown below (enable-softdelete.png), showing that soft delete is enabled with a 30-day retention period.



Enabled soft delete with retention days



You can watch the video demonstration here:

https://www.youtube.com/watch?v=AXEeYUnpWB4

For a deeper dive into disaster recovery and account failover, follow this link:

https://docs.microsoft.com/en-us/azure/storage/common/storage-disaster-recovery-guidance

Tuesday, June 23, 2020

 

Step-by-Step Deploy ARM Templates Using Azure DevOps with CI-CD Pipeline

In this video demo we deploy Azure storage using a YAML CI pipeline, and later create a release pipeline to deploy it using an ARM deployment.

For more videos click here: CloudPipers YouTube Channel


Sunday, June 7, 2020


Create Build Pipeline using YAML in Azure DevOps

This video covers the following:


1. Explanation of .NET Core and Cosmos DB integration
2. Explanation of YAML file
3. Create build pipeline in Azure DevOps

#Azure #AzureDevOps #YAML #CosmosDB #NetCore


For more videos click here:

Wednesday, May 27, 2020

AZURE Service Principal using Azure CLI & Portal








This video shows how to create a service principal (SP) for registering a user application so it can authenticate with a specific role, such as Contributor.



Wednesday, May 20, 2020

Resource provider registration using Azure Portal



For each piece of functionality in Azure there is a resource provider, such as Microsoft.DataFactory. By default your Azure subscription is not registered with all resource providers, and because your subscription is not registered with the Microsoft.DataFactory resource provider, you get this error.

1. From the portal, select All services.
2. Select Subscriptions.
3. From the list of subscriptions, select the subscription you want to use for registering the resource provider (refer to subscription.png).



4. For your subscription, select Resource providers (refer to resource-provider.png).

5. Look at the list of resource providers and, if necessary, select the Register link to register the resource provider for the type you're trying to deploy. In my example I've registered Microsoft.DataFactory (refer to Configure-resource-provider.png).




Hope this helps you register the Microsoft.DataFactory namespace.


Wednesday, April 1, 2020

Frequently use Docker commands



Docker is a well-known containerization platform. In this article I'll share some frequently used Docker commands that will help in your work. The network and volume sections elaborate further with pictures.

Here we go...

Docker Commands 

docker container ls

docker container ls -a

docker container run -d nginx

docker container inspect 182 | less    # to get an IP of running container

docker container pause 182

After pausing, you won't be able to access it.

docker container unpause 182

To stop and kill a container:

docker container stop 182


To go inside the container:

docker container exec -it ngnixContainer bash

Networking in Docker

docker network ls

docker network inspect add7666agsg

If you want to create your own network:

docker network create -d bridge my-bridge-network

Image network.jpg

docker network inspect ba858ba01ad3

Image network-inspect.jpg



docker container run -d --name nginx3 -p 8081:80  --network my-bridge-network nginx
After this, if you run the following command, it shows that the newly created container is connected to the network you defined:

docker network inspect ba858ba01ad3

Image network-linking-container.jpg




Docker Volumes -> A Docker volume is used to persist data, so if a container goes down or is deleted, the data is kept.
To create a Docker volume use the command below:

docker volume create volume1

docker volume ls

To attach a volume to a container at a mount point created inside the container:

docker container run -d --name nginx4 -v volume1:/volume1 -p 8085:80 nginx

In the command above, the left-hand "volume1" is the host volume, stored on the local machine, while the right-hand "/volume1" is the mount point inside the container.

Refer to the image below: volume.jpg



To go inside a volume on the host, follow the path below:

cd /var/lib/docker/volumes -> ls

image volume-list.jpg


To inspect a volume use the following command

docker volume inspect volume1

Refer to the image below: volume-inspect.jpg






If you look at the image above, the mount point shows the exact path of the volume along with its name.


docker image ls


docker image rm logstash

docker image history logstash

docker image save logstash > logstash.tar

To load an image from standard input:

docker image load < logstash.tar