Start your DevOps pipeline in the Azure Cloud

by Scott Muniz | Aug 30, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

This blogpost can support your DevOps journey to make your Continuous Integration and Continuous Delivery (CI CD) for companies and or customers. What is DevOps? 

People, Process, and Technology to continually provide value to customers.

While adopting DevOps practices automates and optimizes processes through technology, it all starts with the culture inside the organization—and the people who play a part in it. The challenge of cultivating a DevOps culture requires deep changes in the way people work and collaborate. But when organizations commit to a DevOps culture, they can create the environment for high-performing teams to develop. 

My name is James van den Berg and I’m a MVP in Cloud and Datacenter Management on my DevOps journey as an IT Infrastructure Guy managing datacenters on-prem and in the Microsoft Azure Cloud. Today It’s not only a Virtual Machine or a Website to deploy for your customers, it’s much more then that like :

• Time to market, deploy your solution fast without waiting on dependencies because you automated your process with a CI CD Pipeline.
• Security and Monitoring to keep you in Controle.
• Working together with different Teams who are each responsible for a part of the solution.
• The complete DevOps Pipeline must be Compliant

Here you can start with Azure DevOps on Microsoft Learn platform.

In the following step-by-step guide, you will see how easy it can be to Build your own first pipeline.

Before you start, you need a Microsoft Azure Subscription to start with. 

1. Login your Azure subscription and type DevOps in your search bar.

 Click on DevOps Starter

From here you can start with a new application of your choice or bring your own code from Git Hub.
I will choose a new dot NET application, but when you have your Own Code on Git Hub for example it will integrate in your Azure Cloud Pipeline like this :

Your existing repository on Git Hub will integrate with your Azure DevOps Pipeline. But for this step-by-step guide we will make an ASP.NET Web application pipeline in Microsoft Azure Cloud.

Here you choose your Application Framework and you can select a SQL Database for your Solution.
More information about all the quick starts in Azure DevOps Starter.

The Next step is to select the right Azure services to run on your ASP.NET solution. I selected the Windows Web App fully managed compute platform.

Complete the last step and you can change your Service Plan at additional settings when you need more resources. From here the Azure DevOps Starter has enough information to Build your first Azure Pipeline solution in the Cloud. 

 Pipeline in Progress.

When you Click here on the Build link you will be redirected to your Azure DevOps environment.
Here you find more information about Microsoft Azure DevOps

 Azure DevOps Pipeline creation in Progress.

To monitor the creation of your Pipeline solution, you can see that in the live logs :

Live monitoring the deployment

 Your Azure DevOps Starter deployment is running.

Your ASP.NET Web App running with a Pipeline.

 Your Deployment in Azure DevOps.

From here is the baseline deployment of your solution done with Azure DevOps Starter and can you Configure the Pipeline environment with the other teams to get RBAC and Dashboards in place to work with.

 Azure DevOps Dashboard.

Conclusion :

Microsoft Azure DevOps Starter supports you with the basic of your Pipeline Solution. It’s a good start for your DevOps journey and to configure your solution with other teams to get your compliant result for your customer or business.

You can follow me on Twitter : @JamesvandenBerg

More information :

Blog : Microsoft Azure DevOps Blog

Follow on Twitter : @AzureDevOps 

Start here with Microsoft Azure DevOps

Setting Up Virtual Lab Environments Using Azure Lab Services

by Scott Muniz | Aug 28, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

This post was written by Sagar Chandra Reddy Lankalain in collaboration with Ji Eun Kwon. Sagar and Ji Eun currently serve as the Program Managers for VS and .NETat Microsoft.

Azure Lab Services is a managed cloud service that enables educators and IT to easily roll out cost-efficient labs with customizable virtual machines, without having to master the complexities of setting up cloud infrastructure.  

Azure Lab Services helps to quickly create virtual lab environments and enables to easily run a class, set up a training lab, or host a hackathon in the cloud so that users can access lab resources from anywhere, anytime. 

Azure Lab Services provides the following key capabilities:

• Simple User Experience – Provide immediate access to VMs for invited users. With one click users can connect and start working – no Azure subscription needed. 
• Flexibility – Use thousands of Azure Marketplace images or bring in your custom images to quickly provision lab VMs and use repeatedly across labs 
• Cost Optimization and Tracking – Manage your lab budget with usage control features. Schedule designated usage times or set up recurring auto-shutdowns and start times. Track individuals’ hourly usage or limit usage by setting up quotas. 
• Automatic Management and Scaling – Provisioning and scaling to hundreds of VMs with a single click, with the service managing all underlying infrastructure 

Azure Lab Services has recently rolled out new cost control features that will proactively prevent waste of virtual machine usage hours inside the labs! The combination of these three automatic shutdown and disconnect features will now catch most of the cases where users accidentally leave their virtual machines running:

These settings can be configured at both the lab account level and the lab level. If the settings are enabled at the lab account level, they will be applied to all labs within the lab account. Any changes to the settings made at the lab level will override the lab account level configuration. For all new lab accounts, these settings will be turned on by default. 

Let’s look at what each setting does in detail. 

1. Automatically disconnect users from virtual machines that the OS deems idle (Windows-only) 

This is a setting that is only available for Windows virtual machines. When the setting is turned on, any machines in the lab, including the template virtual machine, will automatically disconnect the user when the Windows OS deems the session to be idle. Windows OS’s definition of idle uses two criteria: 

• User absence – no keyboard or mouse input 
• Lack of resource consumption – all the processors and all the disks were idle for a certain % of time 

Users will see a message like this inside the virtual machines before they are disconnected: 

Please note that the virtual machine is still running when the user is disconnected. If the user reconnects to the virtual machine by signing in, windows or files that were open or unsaved work previous to the disconnect will still be there. In this state, because the virtual machine is running, it still counts as active and accrues cost. 

To automatically shut down the idle Windows virtual machines that are disconnected, use the combination of “Disconnect users when virtual machines are idle” and “Shut down virtual machines when users disconnect” settings. 

For example, if you configure the settings as follows: 

• Disconnect users when virtual machines are idle – 15 minutes after idle state is detected 
• Shut down virtual machines when users disconnect” – 5 minutes after user disconnects 

The Windows virtual machines will automatically shutdown 20 minutes after the user stops using them. 

2. Automatically shut down virtual machines when users disconnect (Windows & Linux) 

This setting now supports both Windows and Linux virtual machines. When this setting is on, automatic shutdown will occur when: 

• For Windows, Remote Desktop (RDP) connection is disconnected 
• For Linux, SSH connection is disconnected 

This feature utilizes the Linux Diagnostic Extension and is available for only the specific distributions and versions of Linux that the Linux Diagnostic Extension supports.  

You can specify how long the virtual machines should wait for the user to reconnect before automatically shutting down. 

3. Automatically shut down virtual machines that are started but users don’t connect 

Inside a lab, a user might start a virtual machine but never connect to it. For example: 

• A schedule in the lab starts all virtual machines for a class session, but some students do not show up and don’t connect to their machines.  
• A user starts a virtual machine, but forgets to connect. 

The “Shut down virtual machines when users do not connect” setting will catch these cases and automatically shut down the virtual machines.   

—- 

Please enable these settings to minimize waste in your labs and check out Azure Lab Services Blog for such important features and updates.  

AzUpdate: Azure Migrate new features, AzCopy new version and new features in Form Recognizer

by Scott Muniz | Aug 28, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

Another Friday is upon us, so time to share some of the headlines that have happened this week in terms of Azure news.  We have some new preview features in Azure as well as some going Generally Available (GA). 

Revised end of service date for Windows 10, version 1803: May 11, 2021

Microsoft are delaying the scheduled end of service date for the Enterprise, Education and IoT Enterprise editions of Windows 10, version 1803.  This means that if you are still running that version within your environment you will continued to receive security updates until May 11, 2021 instead of the previous November 2020 date.

Azure Migrate

Support to assess physical, AWS, GCP servers now generally available within Azure Migrate

The ability to assess your physical, AWS, GCP servers with Azure Migrate has been around for a while now and it’s now generally available to use.  So, it’s great for assessing those servers on another cloud provider you want to move to Azure or even those virtual machines that are hosted by a managed service provider and you can’t access the hypervisor layer on.  I actually covered this off in a blog post and video recently, check it out if you want to see it in action.

Cognitive Services

Public Preview: Cognitive Services Form Recognizer v2.1

Form Recognizer is a cognitive service that uses machine learning technology to identify and extract things like text from documents. In this latest public preview edition they team have introduced support for more languages, so as well as supporting English it now supports Chinese (Simplified), Dutch, French, German, Italian, Portuguese and Spanish.   It also has a new pre-built model that will help extract information from a business card.

Azure Storage Icon

AzCopy v10.6 released

A new version of AzCopy has been released, with some exciting features.  If you aren’t familiar with AzCopy it is a great command line tool that helps you move data in and out of Azure Storage.  One of the new features is the ability to query Blob Versioning, so you can download a specific version of a file or delete it.

MS Learn Module of the Week

MS Learn Banner

Improve incident response with alerting on Azure – responding to incidents and things that happen to your infrastructure in a timely manner is part of what makes and IT department successful.  In this MS Learn module you’ll learn how alerting in Azure can help you monitor and response to things happening in your environment.

Let us know in the comments below if there are any news items you would like to see covered in next week show.  Az Update streams live every Friday so be sure to catch the next episode and join us in the live chat.

Automation to Block Brute-force Attacked IP detected by Azure Security Center

by Scott Muniz | Aug 27, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

According to Microsoft Threat Intelligence Report, one of the most common attacks against IaaS VMs in Azure is the RDP brute-force attack. This attack usually take places for VMs that are exposing the RDP port (TCP 3389). Although RDP is the primary source, there are also brute-force against SSH (TCP 22).. Nowadays with COVID-19, with more employees working from home more often, threat actors are taking advantage of the increase of management ports open, which includes RDP and SSH. Users with weak passwords and without MFA enabled, are more susceptible to be compromised by and RDP brute force attack.. Keep in mind that compromising a server via RDP brute force is just the initial foothold, once the threat actors gain access to target machine, it will continue conducting malicious activities which may include coin mining and even ransomware type of attack.

One way to reduce the likelihood that your machine will be compromised via RDP brute-force is by reducing the exposure, in other words, limiting the amount of time that a port is open by securing your management ports using Just-in-time access, capability available in ASC Standard Tier.

This blog explain how to leverage automation to block traffic of specific IP to a VM in the NSG as a response to a Brute-force alert detected by Azure Security Center.

How does the automation work?

When Azure Security Center detects a Brute-force attack, it triggers an alert to bring you awareness that a brute force attack took place. The automation uses this alert as a trigger to block the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert. In the alerts of this type, you can find the attacking IP address appearing in the ‘entities’ field of the alert.

The Logic App uses a system-assigned Managed Identity. You need to assign Contributor permissions or Security Reader and Network Contributor permissions to the Logic App’s Managed Identity so it is able to create an NSG rule once there is an attack detected. You need to assign these roles on all subscriptions or management groups you want to monitor and manage resources in using this playbook. Note: You can assign permissions only if your account has been assigned Owner or User Access Administrator roles, and make sure all selected subscriptions registered to Azure Security Center.

Refer to the Readme file in our GitHub Repository for detailed procedure.

Deployment process and details

Navigate to Azure Security Center GitHub repository and select “Deploy to Azure” or “Deploy to Azure Gov”, as shown in Image 1:

Image 1: Git Hub repository

Once you have clicked on ‘Deploy’ option in the screen above, you should automatically be redirected to the Azure portal Custom deployment page where you can fill in the details of requirement as shown in Image 2, as shown below:

Image 2: Azure portal, Custom Deployment

The ARM template will create the Logic App Playbook and an API connection to Office 365, and ASCalert.

You need to authorize the Office 365 API connection so it can access the sender mailbox and send the email notification from there.

Once you review and create from Image 2, you would notice below resources created from the ARM template (Refer Image 3)

Image 3: Summary of the resources created from the ARM template

Define when the Logicapp should automatically run:

Workflow automation feature of Azure Security Center can trigger Logic Apps on security alerts and recommendations. For example, you might want Security Center to email a specific user when an alert occurs. When you add the workflow automation and trigger conditions as show in Image 4, the triggers will initiate this automatic workflow. In this example, you want the Logic App to run when a security alert that contains “bruteforce” is generated.

Image 4: Workflow Automation

Note: Read more about workflow automation here

When a Bruteforce attack is detected by Azure Security Center as shown in Image 5, this would automatically apply the automation and blocks the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert as shown in Image 6

Image 5: Brute force attack alert

Image 6: IP blocked by ASC

You would receive an email notification on the alert details as shown in Image 7:

Image 7: Email notification from the logicapp

This logic app as well as many other can be found here:

Direct Link to GitHub sample

Azure Security Center GitHub Repo

Most organizations lack the time and expertise required to respond to these alerts so many go unaddressed. Having this type of automation can address the threat immediately. I hope you enjoy reading this article and implementing, testing it as much as I enjoyed writing it.

Reviewer

Special thanks to:

Yuri Diogenes, @Yuri Diogenes, Senior Program Manager (CxE ASC Team)