Archive for the ‘Azure’ Category

Secure DevOps Kit for Azure (AzSK) With Security Monitoring #Devops #Azure #AzSK #Security #LogAnalytics #PowerShell   Leave a comment

The Secure DevOps Kit for Azure is a collection of scripts, tools, extensions, automations.

image

The kit is based on Powershell and can be extended to Azure log analytics with some nice dashboarding. But if you have a large subscription the Powershell query can take some time. With this toolkit Devops teams using extensive automation and smoothly integrating security into native Devops workflows helping accomplish secure Devops with these 6 focus areas:

  • Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline
  • Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure
  • Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner
  • Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
  • Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates
  • Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.

Keep in mind that The OMS portal will is retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal.

Even in the Azure portal you can still connect to OMS

Complete feature set of Secure DevOps Kit for Azure

Feature Area Secure DevOps Kit Feature
Secure the subscription
  • Subscription Health Check
  • Subscription Provisioning
    • Alerts Configuration
    • ARM Policy Configuration
    • Azure Security Center Configuration
    • Access control (IAM) Hygiene
Enable secure development
  • Security Verification Tests (SVT)
  • Security IntelliSense- VS Extension
Integrate security into CICD
  • AzSK VS Extension-executes SVTs in a CICD pipeline
Continuous Assurance
  • Security scanning via Azure Automation Runbooks
Alerting & Monitoring
  • OMS Solution for AzSK containing:
    • Security dashboard views covering security state/actions
    • Alerts with pertinent search queries
Cloud Risk Governance
  • Control/usage telemetry through Insights

Setting up Secure DevOps Kit for Azure (AzSK)

First make sure you have the right Azure modules installed, I noticed the automation module failed So I added this manualy.

Import-Module AzureRM.Automation

Get-AzSKAzureServicesSecurityStatus -SubscriptionId

image

Installing the Secure DevOps Kit for Azure (AzSK)

Install-Module AzSK -Scope CurrentUser

image

Now that the Powershell modules are installed we can start the (AzSK) Scan

Get-AzSKAzureServicesSecurityStatus –SubscriptionId  ID

image

In this subscription there are 44 items that are been checked

image

Items are been checked on the security issues

image

Nice detailed overview is shown. Also a log folder is been created with all the issues. per resource Item.

image

As you can see I have some failed items and with a High, so I need to take a good look at this and fix this.

image

This maybe one of the best Items here an excel sheet with al the issues listed with the solution mentioned and if this can be automated.

If needed there is an URL that points you to the right solution.

image

As Azure log analytics is great and it can be integrated with some OMS (Azure monitoring Dashboards)

The OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal. So the current documentation need some updating.

image

Pressing the OMS button in the Azure portal brings you to the OMS portal but then nothing. As it is now all Azure portal.

Setting up the dashboards failed on me during the first installation but when I did run this a second time the dashboard was there.  (Timing) 

image

Creating the OMS default dashboard we need to run some powershell scripts.

$omsSubId =”id”   #subscription hosting the OMS workspace

$omsWSId =’OMS ID’

$omsRGName =’omsrsg’     #RG where the OMS workspace is hosted

$azSkViewName = ‘MVP_AzSK_view’ #This will identify the tile for AzSK view in OMS.


    #This command will deploy the AzSK view in the OMS workspace.  
    Install-AzSKOMSSolution -OMSSubscriptionId $omsSubId `

                    -OMSResourceGroup $omsRGName `

                    -OMSWorkspaceId $omsWSId `

                    -ViewName $azSkViewName

image

Note:

1) The blades of the OMS view created by this command will start populating only after AzSK scan events become available in the corresponding OMS workspace.

To understand how to send AzSK events to an OMS workspace see https://aka.ms/devopskit/oms.

2) The OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the que

ries.

We also periodically publish updated/richer queries at: https://aka.ms/devopskit/omsqueries.

image

Checking the OMS – log analytics workspace it has not much issues as this is a test subscription and if it was all perfect then there is no fun.

image

image

and with longer logging and more Items in azure you will get a different overview.

image

There are lots of options you can set and there is a detailed description on how to use this on Github

Setting up ARM policys is also one of the options

Set-AzSKARMPolicies –SubscriptionId

image

So get started with the DevOpsKit https://github.com/azsk/DevOpsKit-docs 

image

https://github.com/azsk/DevOpsKit-docs/tree/master/05-Alerting-and-Monitoring

AzSK Security Controls Portal @https://aka.ms/azskosstcp

With this it’s a nice tool and yes a bit time consuming but learned a lot and make me see things different in the Azure Subscription 

And If you combine this directly and not afterwards then this could be your time saver to fix all the security items

image

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted January 24, 2019 by Robert Smit [MVP] in Azure

Tagged with , , ,

Welcome to Olympia Set up your own Windows Insider Lab for Enterprise #Olympia #Office365 #EnterpriseMobility #WindowsServer #Microsoft #Azure #WindowsInsiders #SCCM   2 comments

 

Olympia V2 is the next step for enabling Windows Insiders to try new and pre-release Windows 10 Enterprise features. Windows Insider Lab for Enterprise v2 provides a complete Microsoft 365 deployment and management testing environment that can be run directly on your own machines. The lab features both client and administrative functionality, including System Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise Mobility Security evaluation trials. Customers can also add the latest Windows 10 Insider Preview Enterprise build to the lab. 

This is a great lab toolkit, to start with the new features. It is easy to setup with a great learning curve.

First we download the entire Lab. it around 14GB

The table below lists the virtual machines, which will be imported and created in Hyper-V:

Server Name

Roles & Products

HYD -DC1

Active Directory Domain Controller, DNS, DHCP, Certificate Services

Windows Server 2016

HYD-CM1

System Center Configuration Manager Technical Preview Branch – Version 1808 (Note: After installing a baseline version, you can then use in-console updates to bring your installation up-to-date with the most recent preview version. See Section 4.)

Windows Deployment Services

Microsoft Deployment Toolkit

Windows 10 ADK

Windows Software Update Services

Microsoft SQL Server 2014

Windows Server 2016

HYD-APP1

Microsoft BitLocker Administration and Monitoring

Microsoft SQL Server 2014

Windows Server 2016

HYD-GW1

Remote Access for Internet Connectivity

Windows Server 2016

HYD-CLIENT1 (Optional)

If the Windows 10 Insider Preview ISO image is imported, this machine will be created with windows installed and will be Domain Joined

HYD-CLIENT2 (Optional)

If the Windows 10 Insider Preview ISO image is imported, this machine will be created with windows installed and will be Domain Joined

HYD-CLIENT3 (Optional)

If the Windows 10 Insider Preview ISO image is imported, this machine will be created with windows installed and will be on Workgroup

HYD-CLIENT4 (Optional)

If the Windows 10 Insider Preview ISO image is imported, this machine will be created with windows installed and will be on Workgroup

The VM list in Hyper-v

image

The table below lists the credentials and access type available in the default implementation:

Windows Insider Lab for Enterprise

After that just extract the files, keep in mind the setup extract the files at the current location of the setup files. You can move the VM’s afterwards

Windows Insider Lab for Enterprise

Starting the setup and extracting the VM’s

Windows Insider Lab for Enterprise

Select your Vswitch on the Hyper-v server

Windows Insider Lab for Enterprise

Select a insiders ISO or download one,

Windows Insider Lab for Enterprise

Plenty of room in the Windows Server 2019 Hyper-v server with Storage Spaces direct.

Windows Insider Lab for Enterprise

The extracting can take up some time depends on the disks and CPU speed for extraction

Windows Insider Lab for EnterpriseWindows Insider Lab for Enterprise

After the Extraction Several VM’s are added to the Hyper-v Server

image

The Gateway will route all the data to internet.

image

Windows Insider Lab for Enterprise

The setup is done the full lab is installed, there are several laps that you can do and setup

image

Windows Insider Lab for Enterprise

The domain structure that is created is the basic for all the labs

Windows Insider Lab for Enterprise

A SCCM site is created and ready for use. As this is the Technical preview I already got the 1812 Build

Windows Insider Lab for Enterprise

 

image

In the Azure Active directory we set some custom pictures.

image 

image

Customize these screens is easy done in the Azure portal

image

Next step is use SCCM and Intune to manage your systems. This lab is perfect for showing all the options.

 

The Setup is Complete and ready to use, this lab is a great way to self explore the new features.

     Lab Objectives

This guide is designed to provide step-by-step guidance in demonstrating the basic functionality of the feature.

·         Lab Setup

o   On-Premises Environment

o   Cloud Environment

o   On-Premises Environment Post Setup Manual Steps

·         Servicing

o   Windows Analytics Update Compliance

·         Deployment & Management

o   Modern Device Deployment

o   Modern Device Management with AutoPilot

o   Co-Management

o   Modern Application Management with Intune

o   Enterprise State Roaming

·         Security

o   Windows Information Protection

o   Windows Defender Advanced Threat Protection

o   Windows Defender Application Guard

o   Windows Defender Exploit Guard

o   Windows Hello

o   Credential Guard

o   Device Encryption (MBAM)

o   Device Guard – User Mode Code Integrity

·         Compatibility

o   Windows Analytics Upgrade Readiness

o   Browser Compatibility

o   Desktop Bridges

·         Additional Labs

o   MDM WINS over GP

o   MAM FAQ

The Windows Insider Lab for Enterprise was designed for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. There are two versions of the lab:

· Windows Insider Lab for Enterprise v1 – provides a client-side view of the latest Microsoft 365 enterprise features through access to Olympia Corp – a virtual corporation has been set up to reflect the IT infrastructure of real world business. 

· Windows Insider Lab for Enterprise v2 – provides a complete Microsoft 365 deployment and management testing environment that can be run directly on your own machines. The lab features both client and administrative functionality, including System Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise Mobility + Security evaluation trials.

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted January 8, 2019 by Robert Smit [MVP] in Azure

Tagged with , ,

Extend you File server with Azure File Sync and Migrate with Windows Admin Center #WindowsServer #Azure #AFS #WAC #HybridCloud #FileServer   2 comments

In the former blog post :https://robertsmit.wordpress.com/2018/11/29/step-by-step-windows-server-2019-file-server-clustering-with-powershell-or-gui-cluster-ha-azure-windowsadmincenter-windowsserver2019/

I created a File share on a Cluster to make the share HA. This is more the traditional way to make the share HA. But what if you have multiple locations and you want to use this share in Azure. Big internal lines between the Datacenter and copy the files to Azure (DFS) method. but that’s old. Better use the Azure File Sync option the files are synced to all the Server and available in Azure. Better and faster.

#bettertogether  

 With Azure File Sync , shares can be replicated on-premises or in Azure and accessed through SMB or NFS shares on Windows Server. Azure File Sync is useful for scenarios in which data needs to be accessed and modified far away from an Azure datacenter, such as in a branch office scenario. Data may be replicated between multiple Windows Server endpoints, such as between multiple branch offices. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.

To get started with the Azure File Sync we need a Storage account in Azure.

Deploy Azure File Sync

We create a storage account in Azure.

Remember this works only on Windows Servers ! System Requirements:

  • A server running Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019:

    Version
    Supported SKUs
    Supported deployment options

    Windows Server 2019
    Datacenter and Standard
    Full (server with a UI)

    Windows Server 2016
    Datacenter and Standard
    Full (server with a UI)

    Windows Server 2012 R2
    Datacenter and Standard
    Full (server with a UI)

 

Now that the storage account is created we are starting with the Azure File Sync creation in Azure.

Deploy Azure File Sync Deploy Azure File Sync

Name the Storage Sync Service , and create a resource group.

The next step is register the Onpremise server to Azure with the Azure File Sync Agent

Deploy Azure File Sync

Azure File Sync  Agent download https://go.microsoft.com/fwlink/?linkid=858257

The installation is in two steps.

  1. Installing the agent
  2. Configuring the Agent

Deploy Azure File Sync

After the download install the Agent on the File server, As I use a Cluster install the Agent on every node of the Cluster.

Deploy Azure File SyncDeploy Azure File SyncDeploy Azure File SyncDeploy Azure File Sync

Now that the agent is installed the Second wizard pops up for the configuration and if needed a update.

imageDeploy Azure File Sync

So far so good. As the Agent is connecting to Azure there are some additional components needed.

Deploy Azure File Sync

As this Cluster was a fresh installation and I did not used the PowerShell command for Azure here I need to install the AzureRM modules (or AZ module)

https://go.microsoft.com/fwlink/?linkid=856959

Installing and updating the modules.

Install-Module -Name AzureRM –AllowClobber

Deploy Azure File Sync

With this command you can see the current Powershell version

Get-Module -Name AzureRM -List | select Name,Version

 

Deploy Azure File Sync

Now that the PowerShell commands are installed we can refresh the page and the installation continues

Deploy Azure File Sync

If you are using a CSP subscription in Azure then you need to set this check box. and use your tenant ID

Deploy Azure File Sync

In all other subscriptions keep this default

Deploy Azure File Sync

Pick the right Resource group the one with the created Storage Sync services in it. else the field will be empty.

Deploy Azure File Sync

Select a resource group that contains a Storage Sync Service, or use the Azure portal to create one in this resource group.

Deploy Azure File Sync

When this process is done we can configure the rest in the Azure portal.

Deploy Azure File Sync

As you can see the Cluster CNO object is named here

In the pane that opens, enter the following information to create a sync group with a cloud endpoint:

  • Sync group name: The name of the sync group to be created. This name must be unique within the Storage Sync Service, but can be any name that is logical for you.
  • Subscription: The subscription where you deployed the Storage Sync Service.
  • Storage account: If you select Select storage account, another pane appears in which you can select the storage account that has the Azure file share that you want to sync with.
  • Azure file share: The name of the Azure file share with which you want to sync.

Next is creating the Sync group.

Deploy Azure File Sync

 

Deploy Azure File SyncDeploy Azure File Sync

Pick a name for the Sync group name. and the proper Storage account that we created earlier. In this storage account we did not create a File share this is needed to hold the Files. so the azure file share check box is not showing you anything.

Go the the storage account and create a File share

Deploy Azure File Sync

With this created the creation of the Sync group can be completed.

Deploy Azure File Sync

Next step is creating some endpoints. this means bind the local share to the services and sync this to the Azure storage account share.

Deploy Azure File Sync

Deploy Azure File Sync

Adding the endpoint and pick the registered server and the file share that will be synced.

Deploy Azure File SyncDeploy Azure File Sync

If you want to enable cloud Tiering and fill in the values. In this demo I don’t use this.

Note:

Only NTFS volumes are supported. ReFS, FAT, FAT32, and other file systems are not supported.

Failover Clustering

Windows Server Failover Clustering is supported by Azure File Sync for the "File Server for general use" deployment option. Failover Clustering is not supported on "Scale-Out File Server for application data" (SOFS) or on Clustered Shared Volumes (CSVs).

The Azure File Sync agent must be installed on every node in a Failover Cluster for sync to work correctly.

In my demo the Share is not listed, I already know why, As I used ReFS for the cluster disk.

This can be painful as you need to format that disk and move all the data to a temp location.

Deploy Azure File Sync        Deploy Azure File Sync

After changing the disk format and a refresh you can see that the deployment is pending and working.

Deploy Azure File SyncDeploy Azure File Sync

 

After this you have a full Hybrid file share Fully redundant on premise and a off load to Azure.

Deploy Azure File Sync

As last the best option to get the data into this HA file share is using the Windows Admin Center 

In Windows Admin Center there is a great options Storage Migration Services

image

Opening Windows admin Center and select the source this will be scanned and when done the files can be migrated. (the scanning can take some time)

image

image

When the scanning is done the files and shares are listed. more info can be found here https://youtu.be/WCWxAp27ERk

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted December 4, 2018 by Robert Smit [MVP] in Azure

Tagged with ,

How to Protect your #Azure resources from Distributed Denial of Service #DDoS attacks #Cloud #SDN #VNET #Security #Alerts #Analytics   Leave a comment

 

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

image

What is DDoS Protection? Protecting applications from DDoS attacks has been one of the top security concerns for Azure customers. Azure DDoS protection service is an Azure Networking offering aimed at protecting publicly accessible endpoints from DDoS attacks. The offering gives customers access to the same protection that is used to protect Microsoft’s online assets, such as Xbox Live and Office 365. Azure DDoS protection service provides constant network flow monitoring of the protected endpoints, and when detecting a DDoS attack, automatically applies traffic scrubbing to make sure only legitimate requests are forwarded to the application.

Azure DDoS protection, combined with application design best practices, provide defense against DDoS attacks. Azure DDoS protection provides the following service tiers:

  • Basic: Automatically enabled as part of the Azure platform. Always-on traffic monitoring, and real-time mitigation of common network-level attacks, provide the same defenses utilized by Microsoft’s online services. The entire scale of Azure’s global network can be used to distribute and mitigate attack traffic across regions. Protection is provided for IPv4 and IPv6 Azure public IP addresses.
  • Standard: Provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. DDoS Protection Standard is simple to enable, and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses associated to resources deployed in virtual networks, such as Azure Load Balancer, Azure Application Gateway, and Azure Service Fabric instances, but this protection does not apply to App Service Environments. Real-time telemetry is available through Azure Monitor views during an attack, and for history. Rich attack mitigation analytics are available via diagnostic settings. Application layer protection can be added through the Azure Application Gateway Web Application Firewall or by installing a 3rd party firewall from Azure Marketplace. Protection is provided for IPv4 Azure public IP addresses.

Azure DDoS Protection Basic vs. Standard

So how to start with DDoS in Azure.

First go to the Virtual Networks.

Azure and Microsoft Windows Server Blog

Next selecting the Network and in the left pane there is a section DDoS Protection.

Azure and Microsoft Windows Server Blog

Selecting the DDoS Protection there is the Basic and the Standard Setting

Azure and Microsoft Windows Server Blog

Pricing Details

There the Basic is the default and comes with free pricing.

The Standard is a different option and Cost you some real money! and these are monthly costs. For a demo I turned it on and forget to turned it of and spend 10K in 4 months so keep a track on your Azure costs.

Azure and Microsoft Windows Server Blog

The DDoS Protection service will have a fixed monthly charge, as well as a charge for data processed. The fixed monthly charge includes protection for 100 resources. Protection for additional resources will be charged on a monthly per-resource basis.

Monthly price for DDoS Protection (includes protection for 100 resources): €2,483/month

Overage charges (more than 100 resources): €25 per resource per month

 

When Enabling the DDoS Standard we need to create a DDoS protection plan first, if you have already one you can add the ID.

Azure and Microsoft Windows Server Blog

Check the create DDoS protection Plan

Azure and Microsoft Windows Server Blog

Now that we created a plan witch is more a resource place holder, we can add this to the DDoS protection plan

Azure and Microsoft Windows Server Blog

Azure and Microsoft Windows Server Blog

Now that the DDoS and the plan is in place we can create an alert rule in case we have a DDoS attack.

In the Azure Monitor we can create the alert rule and we can see the logging.

Azure and Microsoft Windows Server Blog

To see telemetry for a DDoS attack, log into the Azure Portal and navigate to the “Monitor” blade.

Within the monitor blade, click on “Metrics”, select the appropriate subscription, resource group, resource type of “Public IP” and the Public IP that was the target of the attack. After selecting the resource, a series of Available Metrics will appear on the left side. These metrics are selected and then will be graphed.

The metric names are relatively self-explanatory and the basic construct is that there are tag names on each metric as follows: • Dropped tag name (e.g. Inbound Packets Dropped DDoS): The number of packets dropped/scrubbed by the DDoS system

• Forwarded tag name (e.g: Inbound Packets Forwarded DDoS): The number of packets forwarded by the DDoS system to the destination VIP – traffic that was not filtered • No tag name (e.g: Inbound Packets DDoS): The total number of packets that came into the scrubbing system – representing the sum of the packets dropped and forwarded

image

The traffic shown in the Monitor dashboard.

Azure and Microsoft Windows Server Blog

To create a dashboard there are some options with counters. It all depends on your need.

 

Azure and Microsoft Windows Server Blog

now we create an alert rule.

Email Alerting To configure an email alert for a metric, click on the “Click to add an alert” text. An email alert can be created on any metric, but the most obvious metric to create an alert on is “Under DDoS attack or not”. This is a boolean value 1 or 0. “1” means you are under attack. “0” means you are not under attack. To be emailed when under attack, set the Metric for “Under DDoS attack or not” and “Condition” to “Greater than” zero (0) over the last 5 minutes. Similar alerts can be set up for other metrics. An example screenshot is provided below.

 

Azure and Microsoft Windows Server Blog

 

Azure and Microsoft Windows Server Blog

To divine the Severity I keep this as this is also be used in SCOM

Azure Monitor Alert Severity Levels

Sev 0 = Critical
Sev 1 = Error
Sev 2 = Warning
Sev 3 = Informational
Sev 4 = Verbose

Azure and Microsoft Windows Server Blog

Last part in selecting the email for this alert.

Azure and Microsoft Windows Server Blog

With this setup you got a good protection against DDoS attacks. below is the workflow how DDoS protection works.

Diagram of how DDoS Protection Standard works, with "Policy Generation" circled

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted November 27, 2018 by Robert Smit [MVP] in Azure

Tagged with ,

Azure portal VM creation Changed with a new layout is Awesome #Azure #Cloud #MSTCommunity #MVPBuzz   Leave a comment

In the Azure portal every day there are some changes some are big others are minor.

In this blog I show you the change in the VM creation.

image

When Creating a NEW VM you can see the change now there are several tabs and the best part is you can jump forward with out filling in all the fields.

image

Creating the NSG port rules.  Select which virtual machine network ports are accessible from the public internet. You can specify more limited or granular network access on the Networking tab.

image

Creating the NSG directly

image

The Identity Settings with the Auto-Shutdown and even select the backup

image

I think this layout is much better and gives you a better overview on the VM creation with all the options.  Hope this will be there for the Containers also

image

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted September 17, 2018 by Robert Smit [MVP] in Azure

Tagged with

End of support for #DirSync and #AzureAD Sync upgrade to #Azure AD Connect before end off 2017 #Cloud   Leave a comment

Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a great time to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync as these tools are now deprecated and are no longer supported as of April 13, 2017.

image

The two identity synchronization tools that are deprecated were offered for single forest customers (DirSync) and for multi-forest and other advanced customers (Azure AD Sync). These older tools have been replaced with a single solution that is available for all scenarios: Azure AD Connect. It offers new functionality, feature enhancements, and support for new scenarios. To be able to continue to synchronize your on-premises identity data to Azure AD and Office 365, we strongly recommend that you upgrade to Azure AD Connect. Microsoft does not guarantee these older versions to work after December 31, 2017.

Suppose you are on an old version below is the link to get the latest version

Microsoft Azure Active Directory Connect

https://www.microsoft.com/en-us/download/details.aspx?id=47594

  • Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:
    • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
    • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
    • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
    • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

    Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

But where to find the current version of the Azure AD connect ? If we go to the management tool you can see this in the GUI

Go to the folder Microsoft Azure AD Sync

 

image

 

image

Now start the miisclient.exe and in the about there is your version number

image

Detailed Azure AD Connect: Version release history

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-version-history

If you need to upgrade you can do an in-place upgrade (Automatic upgrade)

High-level steps for upgrading from DirSync to Azure AD Connect
  1. Welcome to Azure AD Connect
  2. Analysis of current DirSync configuration
  3. Collect Azure AD global admin password
  4. Collect credentials for an enterprise admin account (only used during the installation of Azure AD Connect)
  5. Installation of Azure AD Connect
    • Uninstall DirSync (or temporarily disable it)
    • Install Azure AD Connect
    • Optionally begin synchronization

Remember Azure AD will stop accepting connections from DirSync and Azure AD Sync after December 31, 2017 Upgrade now to avoid downtime and start 2018 relaxed.

 

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

Google Me : https://www.google.nl

Bing Me : http://tinyurl.com/j6ny39w

LMGTFY : http://lmgtfy.com/?q=robert+smit+mvp+blog

Posted December 28, 2017 by Robert Smit [MVP] in Azure

Tagged with ,

Getting Started with #Azure Data Science Virtual Machine on Windows 2016 #DSVM #winserv #VSTS #DevOps   Leave a comment

 

The Data Science Virtual Machine (DSVM) is a ‘Windows Server 2016 with Containers’ VM & includes popular tools for data exploration, analysis, modeling & development.

Highlights:

  • Microsoft R Server – Dev. Ed. (Scalable R)
  • Anaconda Python
  • SQL Server 2017 Dev. Ed. – With In-Database R and Python analytics
  • Microsoft Office 365 ProPlus BYOL – Shared Computer Activation
  • Julia Pro + Juno Editor
  • Jupyter notebooks
  • Visual Studio Community Ed. + Python, R & node.js tools
  • Power BI Desktop
  • Deep learning tools e.g. Microsoft Cognitive Toolkit (CNTK 2.1), TensorFlow & mxnet
  • ML algorithm libraries e.g. xgboost, Vowpal Wabbit
  • Azure SDKs + libraries for various Azure Cloud offerings. Integration tools are included for: 
    1. Azure Machine Learning
    2. Azure Data Factory
    3. Stream Analytics
    4. SQL Data Warehouse
    5. Hadoop + Apache Spark (HDICluster)
    6. Data Lake
    7. Blob storage
    8. ML & Data Science tutorials as Jupyter notebooks

    Tools for ML model operationalization as web services in the cloud, using Azure ML or Microsoft R Server.

    Pre-configured and tested with Nvidia drivers, CUDA Toolkit, & NVIDIA cuDNN library for GPU workloads available if using NC class VM SKUs.

  •  

    Starting in the Azure Portal

    GO to New or +

    image

    Search for Data Science Virtual Machine (DSVM)

    image

    Select the {csp} Data Science Virtual Machine  – Windows 2016 option. 

    image

    Next fill in the username and password with resource group.

    image 

    Pick a machine type. When you pick a higher machine type when deploying every thing is way faster than just picking a Standard_A1 size.

    image

     

    As you can see there is a orange image mark in the text that the cost will be billed separately.

    Offer details

    Data Science Virtual Machine – Windows 2016

    0.0000 EUR/hr

    Good to know there are no cost and this is free. you need to pay for the Azure VM! in my case a E32s v3

    The highlighted Marketplace purchase(s) are not covered by your Azure credits, and will be billed separately.
    You cannot use your Azure monetary commitment funds or subscription credits for these purchases. You will be billed separately for marketplace purchases.

    image

    not bad 9 minute install with a long list of tools Office, visual studio , Visual studio Code,etc

    There is not a free license for the office and studio product but you can sign in with your credentials.

    image

    Thanks to the Big compute everything is running awesome.

    image

    As you can see all the tools are there, some needs a configuration so no default things that needs to be removed first just ready to start with out the long installation of all the tools.

    image

    What was missing on the Data Science Virtual Machine (DSVM) as it is a DevOps VM I installed the RSAT tools and project Honolulu single box for Azure management and development.

    https://robertsmit.wordpress.com/2017/09/25/projecthonolulu-the-new-future-of-windows-server-gui-management-servermgmt-smt-winserv/

     

    Follow Me on Twitter @ClusterMVP

    Follow My blog https://robertsmit.wordpress.com

    Linkedin Profile Http://nl.linkedin.com/in/robertsmit

    Google Me : https://www.google.nl

    Bing Me : http://tinyurl.com/j6ny39w

    LMGTFY : http://lmgtfy.com/?q=robert+smit+mvp+blog

    Posted October 30, 2017 by Robert Smit [MVP] in Azure

    Tagged with ,

  • Twitter

  • RSS Azure and Microsoft Windows Server Blog

  • %d bloggers like this: