Archive for the ‘Devops’ Tag

Distributed Application Runtime Dapr version 1.0 #Dapr #Azure #Kubernetes #DevOps #Developers #Microservices #AzOps   Leave a comment

Dapr is an open source, portable, event-driven runtime that makes it easy for developers to build resilient, microservice stateless and stateful applications that run on the cloud and edge. Dapr embraces the diversity of all programming languages and developer frameworks and simplifies building applications.

https://docs.dapr.io/getting-started/

Dapr building blocks

 

  • Service Invocation – Resilient service-to-service invocation enables method calls, including retries, on remote services wherever they are running in the supported hosting environment.
  • State management – With state management for key/value pairs, long running, highly available, stateful services can be easily written, alongside stateless services in the same application. The state store is pluggable and can include Azure Cosmos or Redis, with others such as AWS DynamoDB on the component roadmap.
  • Publish and subscribe messaging between services – Publishing events and subscribing to topics between services enables event-driven architectures to simplify horizontal scalability and make them resilient to failure.
  • Event driven resource bindings – Resource bindings and triggers build further on event-driven architectures for scale and resiliency by receiving and sending events to and from any external resources such as databases, queues, file systems, blob stores, webhooks, etc. For example, your code can be triggered by a message on an Azure EventHub service and write data to Azure CosmosDB.
  • Virtual actors – A pattern for stateless and stateful objects that make concurrency simple with method and state encapsulation. Dapr provides many capabilities in its virtual actor runtime including concurrency, state, life-cycle management for actor activation/deactivation and timers and reminders to wake up actors.
  • Distributed tracing between services – Easily diagnose and observe inter-service calls in production using the W3C Trace Context standard and push events to tracing and monitoring systems.

 

image

 

You can read more about Dapr at http://dapr.io, get started with code and samples at https://github.com/dapr/dapr and reach out on gitter.im/Dapr or Twitter @daprdev.

 

Getting started with Dapr is easy and you can start with a few steps described below

How to get up and running with Dapr in minutes

The following steps in this guide are:

  1. Install the Dapr CLI
  2. Initialize Dapr
  3. Use the Dapr API
  4. Configure a component
  5. Explore Dapr quickstarts

 

 

powershell -Command "iwr -useb https://raw.githubusercontent.com/dapr/cli/master/install/install.ps1 | iex"
 
image
 
Important is to close the powershell window and reopen this. Else the module won’t be active
 
 
type dapr
 
 
image
 
Open Powershell 
 
type dapr
 
 

dapr

         __
    ____/ /___ _____  _____
   / __  / __ ‘/ __ \/ ___/
  / /_/ / /_/ / /_/ / /
  \__,_/\__,_/ .___/_/
              /_/

======================================================
A serverless runtime for hyperscale, distributed systems

Usage:
  dapr [command]

Available Commands:
  completion     Generates shell completion scripts
  components     List all Dapr components
  configurations List all Dapr configurations
  dashboard      Start Dapr dashboard
  help           Help about any command
  init           Setup dapr in Kubernetes or Standalone modes
  invoke         Invokes a Dapr app with an optional payload (deprecated, use invokePost)
  invokeGet      Issue HTTP GET to Dapr app
  invokePost     Issue HTTP POST to Dapr app with an optional payload
  list           List all Dapr instances
  logs           Gets Dapr sidecar logs for an app in Kubernetes
  mtls           Check if mTLS is enabled in a Kubernetes cluster
  publish        Publish an event to multiple consumers
  run            Launches Dapr and (optionally) your app side by side
  status         Shows the Dapr system services (control plane) health status.
  stop           Stops multiple running Dapr instances and their associated apps
  uninstall      Removes a Dapr installation

Flags:
  -h, –help      help for dapr
      –version   version for dapr

Use “dapr [command] –help” for more information about a command.
subcommand is required

 
 
dapr init
 

PS C:\Windows\system32> dapr init
Making the jump to hyperspace…
Downloading binaries and setting up components…
Unable to find image ‘openzipkin/zipkin:latest’ locally
latest: Pulling from openzipkin/zipkin
docker: no matching manifest for windows/amd64 10.0.17763 in the manifest list entries.
See ‘docker run –help’.

 
 
 

Quickstarts and Samples

 
You can try out the Dapr quickstarts right here to begin your own personal journey into Microservices on Azure. 
 
 
 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted February 17, 2021 by Robert Smit [MVP] in Azure

Tagged with

Secure DevOps Kit for Azure (AzSK) With Security Monitoring #Devops #Azure #AzSK #Security #LogAnalytics #PowerShell   Leave a comment

The Secure DevOps Kit for Azure is a collection of scripts, tools, extensions, automations.

image

The kit is based on Powershell and can be extended to Azure log analytics with some nice dashboarding. But if you have a large subscription the Powershell query can take some time. With this toolkit Devops teams using extensive automation and smoothly integrating security into native Devops workflows helping accomplish secure Devops with these 6 focus areas:

  • Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline
  • Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure
  • Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner
  • Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
  • Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates
  • Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.

Keep in mind that The OMS portal will is retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal.

Even in the Azure portal you can still connect to OMS

Complete feature set of Secure DevOps Kit for Azure

Feature Area Secure DevOps Kit Feature
Secure the subscription
  • Subscription Health Check
  • Subscription Provisioning
    • Alerts Configuration
    • ARM Policy Configuration
    • Azure Security Center Configuration
    • Access control (IAM) Hygiene
Enable secure development
  • Security Verification Tests (SVT)
  • Security IntelliSense- VS Extension
Integrate security into CICD
  • AzSK VS Extension-executes SVTs in a CICD pipeline
Continuous Assurance
  • Security scanning via Azure Automation Runbooks
Alerting & Monitoring
  • OMS Solution for AzSK containing:
    • Security dashboard views covering security state/actions
    • Alerts with pertinent search queries
Cloud Risk Governance
  • Control/usage telemetry through Insights

Setting up Secure DevOps Kit for Azure (AzSK)

First make sure you have the right Azure modules installed, I noticed the automation module failed So I added this manualy.

Import-Module AzureRM.Automation

Get-AzSKAzureServicesSecurityStatus -SubscriptionId

image

Installing the Secure DevOps Kit for Azure (AzSK)

Install-Module AzSK -Scope CurrentUser

image

Now that the Powershell modules are installed we can start the (AzSK) Scan

Get-AzSKAzureServicesSecurityStatus –SubscriptionId  ID

image

In this subscription there are 44 items that are been checked

image

Items are been checked on the security issues

image

Nice detailed overview is shown. Also a log folder is been created with all the issues. per resource Item.

image

As you can see I have some failed items and with a High, so I need to take a good look at this and fix this.

image

This maybe one of the best Items here an excel sheet with al the issues listed with the solution mentioned and if this can be automated.

If needed there is an URL that points you to the right solution.

image

As Azure log analytics is great and it can be integrated with some OMS (Azure monitoring Dashboards)

The OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal. So the current documentation need some updating.

image

Pressing the OMS button in the Azure portal brings you to the OMS portal but then nothing. As it is now all Azure portal.

Setting up the dashboards failed on me during the first installation but when I did run this a second time the dashboard was there.  (Timing) 

image

Creating the OMS default dashboard we need to run some powershell scripts.

$omsSubId =”id”   #subscription hosting the OMS workspace

$omsWSId =’OMS ID’

$omsRGName =’omsrsg’     #RG where the OMS workspace is hosted

$azSkViewName = ‘MVP_AzSK_view’ #This will identify the tile for AzSK view in OMS.


    #This command will deploy the AzSK view in the OMS workspace.  
    Install-AzSKOMSSolution -OMSSubscriptionId $omsSubId `

                    -OMSResourceGroup $omsRGName `

                    -OMSWorkspaceId $omsWSId `

                    -ViewName $azSkViewName

image

Note:

1) The blades of the OMS view created by this command will start populating only after AzSK scan events become available in the corresponding OMS workspace.

To understand how to send AzSK events to an OMS workspace see https://aka.ms/devopskit/oms.

2) The OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the que

ries.

We also periodically publish updated/richer queries at: https://aka.ms/devopskit/omsqueries.

image

Checking the OMS – log analytics workspace it has not much issues as this is a test subscription and if it was all perfect then there is no fun.

image

image

and with longer logging and more Items in azure you will get a different overview.

image

There are lots of options you can set and there is a detailed description on how to use this on Github

Setting up ARM policys is also one of the options

Set-AzSKARMPolicies –SubscriptionId

image

So get started with the DevOpsKit https://github.com/azsk/DevOpsKit-docs 

image

https://github.com/azsk/DevOpsKit-docs/tree/master/05-Alerting-and-Monitoring

AzSK Security Controls Portal @https://aka.ms/azskosstcp

With this it’s a nice tool and yes a bit time consuming but learned a lot and make me see things different in the Azure Subscription 

And If you combine this directly and not afterwards then this could be your time saver to fix all the security items

image

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted January 24, 2019 by Robert Smit [MVP] in Azure

Tagged with , , ,

  • Twitter

  • RSS Azure and Microsoft Windows Server Blog

  • %d bloggers like this: