by Contributed | Nov 26, 2020 | Azure, Microsoft, Technology
This article is contributed. See the original author and article here.
Hi Everyone,
Zoheb here again with my colleague Tim Beasley. Today, we will be sharing some best practices to help ensure that your virtual machines (VMs), including Domain Controllers, are secure in your Azure/cloud environment.
I would like to start this blog with an African proverb: “If you want to go fast, go alone. If you want to go far, go together.”
This proverb is one of the principles we refer to internally at Microsoft (#OneMicrosoft). It helps us utilize the synergy to build / leverage great ideas from other Microsoft employees across the globe.
This proverb perfectly sums up what occurred during the creation of this blog post. There were multiple contributors (Tristan Kington, Akhlesh Sharma, Pierre Audonnet and Shobhit Garg) who also helped provide details and additional information in hopes of benefiting our customers.
The Initial Problem I found myself facing – I forgot my Administrator Password!
While working in my lab environment in Azure, I sometimes forget what the Administrator password is (This rarely happens. Am I right? :p). Considering this is an important environment I needed to regain access to, I started thinking about different ways of retrieving my password.
Initially, I tried guessing what the password was using a few random ones. However, this did not work (I have Azure AD Password Protection configured in my lab to help protect against known passwords 😊). I then tried the VM Password Reset option, but that only works for members of the local Administrators group.
Suddenly, I had an epiphany! I remembered the Extensions setting that is available for VMs running in Azure where you can execute scripts running under the System Context.
To achieve this, I located and selected the Azure Virtual Machine I was targeting and clicked on Extensions, which is located under Settings. Here is where I will upload and execute a Custom Script Extension, as shown below:

Figure 1. Click on Extensions.

Figure 2. Select Custom Script Extension.

Figure 3. Browse for the custom PowerShell script you wish to upload.

Figure 4. Select Upload to upload your custom PowerShell script.
As you can see below, I uploaded the testreset.ps1 PowerShell script (to be added as a custom script extension) and ran it on the virtual machine in my lab environment. The PowerShell script uses the native Command Prompt utility Net.exe. In this example, we used Net User to reset the password for an Administrator account named zdcadm using DontKeepe@syPassw0rd$ as the password.
Net User zdcadm DontKeepe@syPassw0rd$

Figure 5. Custom PowerShell script was uploaded.
After the extension was applied and executed against the VM, it successfully reset the password for my Administrator account (zdcadm), which allowed me to regain access to that VM.
We managed to achieve this because Azure VM Agent is installed by default on any Windows VM deployed from an Azure Marketplace image. When you deploy an Azure Marketplace image from the portal, PowerShell, Command Line Interface, or an Azure Resource Manager template, the Azure VM Agent is also installed.
Though I was happy that this allowed me to log back into the VM, it also started to concern me. So, I started thinking about how this could potentially affect our customers and whether they are protecting their environment from such risks, where Azure operators can escalate privilege to domain admin (and by extension, domain admin on-premises).
We found similar concerns that were raised / discussed for our traditional infrastructure (Hypervisors) where we provide broad guidance on how to secure them. You can learn more about this by reading the Virtualizing Domain Controllers using Hyper-V Microsoft article.
Why should you be concerned?
If your organization has DCs in Azure or another cloud, you should check who has access to them in Azure and whether access to the subscription is well controlled.
Do you have any Azure Operators who could do Privilege Escalation to become a Domain Admin?
Remember, when you let someone else administer a lower layer than your own, you are implicitly trusting that person equivalently to yourself.
The 10 Immutable Laws of Security are applicable everywhere.
Increasingly, we see permissions being mismanaged in many organizations, and the Identity team is not always managing subscriptions. This can lead to loose permissions on your resources if left unmonitored or unchecked.
How can you check who has access to your Domain Controllers or Azure Resources?
There are many ways you could see who has access to resources. I am listing one of the easier ways, where you can get full information from a single dashboard.
Use the Azure Continuous Cloud Optimization (CCO) dashboard. It can show the Azure RBAC (role-based access control) permissions from all the subscriptions a given Azure account has access to. You will be able to identify the roles applied to all Azure resources and whether the subscriptions have custom roles. You can filter the information by:
- Tenant
- Subscription
- Object type
- User
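One way to script the same access review for a single Domain Controller VM, as an added example that is not code from the original article: it reports which role assignments permit writing a VM extension, the action behind the password reset shown earlier. The subscription ID, `rg-tier0`, `dc01`, the principals and the abbreviated role definitions are constructed sample data; the property names mirror the objects returned by `Get-AzRoleAssignment` and `Get-AzRoleDefinition`.

```powershell
# Added example: find role assignments that can push an extension to a VM.
# Sample data below is constructed so the script runs offline.

function Test-RoleAllowsAction {
    # True when $Action matches at least one Actions pattern and no NotActions
    # pattern. Azure action strings are case-insensitive and use '*' wildcards,
    # which the PowerShell -like operator handles directly.
    param(
        [string[]]$Actions,
        [string[]]$NotActions,
        [Parameter(Mandatory)][string]$Action
    )
    $allowed = $false
    foreach ($pattern in $Actions) {
        if ($Action -like $pattern) { $allowed = $true; break }
    }
    if (-not $allowed) { return $false }
    foreach ($pattern in $NotActions) {
        if ($Action -like $pattern) { return $false }
    }
    return $true
}

function Get-ExtensionCapableAssignment {
    # Emits one row per assignment whose role permits $Action. Assignments whose
    # role definition was not supplied are reported as 'unknown', not dropped.
    param(
        [Parameter(Mandatory)][object[]]$Assignments,
        [Parameter(Mandatory)][object[]]$RoleDefinitions,
        [string]$Action = 'Microsoft.Compute/virtualMachines/extensions/write'
    )
    $byName = @{}
    foreach ($def in $RoleDefinitions) { $byName[$def.Name] = $def }

    foreach ($a in $Assignments) {
        $def = $byName[$a.RoleDefinitionName]
        if ($null -eq $def) {
            $verdict = 'unknown'
        } elseif (Test-RoleAllowsAction -Actions $def.Actions `
                      -NotActions $def.NotActions -Action $Action) {
            $verdict = 'allowed'
        } else {
            continue   # role cannot write extensions; nothing to report
        }
        [pscustomobject]@{
            Principal = $a.DisplayName
            Type      = $a.ObjectType
            Role      = $a.RoleDefinitionName
            Scope     = $a.Scope
            Verdict   = $verdict
        }
    }
}

# --- Constructed sample input (abbreviated role definitions) ---
$sub     = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rg      = "$sub/resourceGroups/rg-tier0"
$vmScope = "$rg/providers/Microsoft.Compute/virtualMachines/dc01"

$sampleDefinitions = @(
    [pscustomobject]@{ Name = 'Owner'; Actions = @('*'); NotActions = @() }
    [pscustomobject]@{ Name = 'Contributor'; Actions = @('*')
                       NotActions = @('Microsoft.Authorization/*/Delete',
                                      'Microsoft.Authorization/*/Write') }
    [pscustomobject]@{ Name = 'Virtual Machine Contributor'
                       Actions = @('Microsoft.Compute/virtualMachines/*')
                       NotActions = @() }
    [pscustomobject]@{ Name = 'Reader'; Actions = @('*/read'); NotActions = @() }
)

$sampleAssignments = @(
    [pscustomobject]@{ DisplayName = 'identity-admins'; ObjectType = 'Group'
                       RoleDefinitionName = 'Owner'; Scope = $vmScope }
    [pscustomobject]@{ DisplayName = 'app-deployers'; ObjectType = 'Group'
                       RoleDefinitionName = 'Contributor'; Scope = $sub }
    [pscustomobject]@{ DisplayName = 'vm-operators'; ObjectType = 'Group'
                       RoleDefinitionName = 'Virtual Machine Contributor'; Scope = $rg }
    [pscustomobject]@{ DisplayName = 'auditors'; ObjectType = 'Group'
                       RoleDefinitionName = 'Reader'; Scope = $sub }
    [pscustomobject]@{ DisplayName = 'legacy-ops'; ObjectType = 'User'
                       RoleDefinitionName = 'Custom DC Operator'; Scope = $rg }
)

# Live data instead of the samples (assumes the Az.Resources module and a
# signed-in session):
#   $assignments = Get-AzRoleAssignment -Scope $vmScope
#   $definitions = $assignments.RoleDefinitionName | Sort-Object -Unique |
#                  ForEach-Object { Get-AzRoleDefinition -Name $_ }

Get-ExtensionCapableAssignment -Assignments $sampleAssignments `
    -RoleDefinitions $sampleDefinitions | Format-Table -AutoSize
```

With the sample data, the Owner, Contributor and Virtual Machine Contributor assignments are reported as allowed even though two of them are inherited from the resource group or subscription, the Reader assignment is omitted, and the custom role with no supplied definition is flagged as unknown. Group assignments are listed as groups; their members are not expanded.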

The Solution to this little dilemma:
This made us think about the “Level of Protection” we should recommend to our customers that have important VMs (e.g. Domain Controllers) running in Azure. After several internal discussions, along with reviewing publicly available Microsoft documentation, we decided that the following recommendations will add an extra layer of protection to help secure your Azure IaaS VMs / environment (not all of them, but the heavy hitters):
- Force MFA (Azure Multi-Factor Authentication) for admins with access to Domain Controllers (no matter where they are – on-premises or cloud) whenever they are accessing the Azure Portal.
  - This will ensure that access to the Azure Portal has at least two-factor authentication.
  - Use this policy for all users who have access to the Azure subscription where DCs are hosted.
- Use Conditional Access policies to define admin locations and trusted machines for accessing the Azure Portal for Domain Controller subscriptions.
  - You can further control access to the Azure Portal/subscription by using Conditional Access.
  - You could define trusted locations, trusted devices and many such parameters.
  - This will help reduce the access to Domain Controllers.
- Limit highly privileged users and use RBAC permissions to allow only specific people access to DCs.
  - This is probably the most crucial point of all: you need to review who has permission to do such an activity and whether they really need it.
  - You could review this using the CCO dashboard.
  - Alternatively, you could navigate to the Azure Portal and look for “Access Control”.
  - Check for important role assignments like “Contributors”, “Owners”, etc.
  - Review these users on a regular basis.
- Where possible, use a different subscription for Domain Controllers or Tier 0 systems.
  - Effective subscription design helps organizations establish a structure to organize and manage assets in Azure during cloud adoption.
  - When possible, use a dedicated subscription for all your Tier 0 assets.
- Use PIM (Azure Active Directory Privileged Identity Management) for elevation to Domain Controller VM access, and follow Just Enough Administration (least privilege principle).
  - Set up appropriate permissions to the “Azure Resource” through PIM.
  - Define Eligible Assignments.
  - This will ensure that only users who are eligible get access to Domain Controllers in Azure.
  - Follow the Just Enough Administration and least privilege model.
- Use Azure AD DS (Azure Active Directory Domain Services) when possible.
  - When you create an Azure AD DS managed domain, you define a unique namespace.
  - Two Windows Server domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.
  - You do not need to manage, configure, or update these DCs. The Azure platform handles the DCs as part of the managed domain, including backups.
  - Since this is a managed service, the risk is also reduced.
- Use PAWs (Privileged Access Workstations) to access the Azure portal.
  - Secured, isolated workstations are critically important for the security of sensitive roles like administrators, developers, and critical service operators.
  - Use highly secured user workstations and/or Azure Bastion for administrative tasks for Azure.
  - The secured workstations can be centrally managed to enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.
  - Using Conditional Access, allow only approved machines to have access to the Azure portal.
  - Alternatively, manage these machines through hardened GPOs and Intune.
Hope this helps,
Tim & Zoheb
by Contributed | Nov 25, 2020 | Azure, Microsoft, Technology
Running SQL Server on Azure Virtual Machines provides a suite of free manageability capabilities that are available only on Azure, and which make it easier to run in a cost-effective, secured, and optimized manner. As a SQL Server customer, you can migrate your SQL workloads to SQL Server on Azure Virtual Machines while making the most of your current SQL Server license investments and benefit from the manageability benefits that SQL Server virtual machines offer today. In this episode with Amit Banerjee, we will cover why running SQL Server on an Azure virtual machine provides the best lift-and-shift experience for workloads where OS-level access is required.
by Contributed | Nov 25, 2020 | Azure, Microsoft, Technology
We continue to expand the Azure Marketplace ecosystem. For this volume, 81 new offers successfully met the onboarding criteria and went live. See details of the new offers below:
Applications
- 7 Days to Die – Game Server on Ubuntu 18.04 LTS: Tidal Media offers this pre-configured image of 7 Days to Die game server on Ubuntu 18.04 LTS. 7 Days to Die is an open-world, voxel-based game that combines first-person shooter, survival horror, tower defense, and role-playing games.
- 7 Days to Die – Game Server on Windows Server 2016: Tidal Media offers this pre-configured image of 7 Days to Die game server on Windows Server 2016. 7 Days to Die is an open-world, voxel-based game that combines first-person shooter, survival horror, tower defense, and role-playing games.
- AgendaWeb TotalPack: AgendaWeb TotalPack is a cloud-based appointment scheduling solution that enables businesses to manage appointments for their branch locations online. Customers can enter contact information, select a branch, and choose from available dates and times.
- AIR Blob Explorer: Archive, Index, Retrieve: AIR Blob Explorer is designed to simplify the management of assets on Azure Blob storage. With a customizable skills pipeline, you can enrich the metadata associated with your assets, surfacing documents, videos, and assets that were previously unsearchable.
- Almentor.net B2B Offer: Almentor FZCO’s Almentor.net offers an online, video-based learning library in Arabic for professional service development. Different subscription and pricing models are available.
- arabot chatbot for Enterprise: arabot is an AI-powered chatbot from arabot Company LTD that supports English and numerous Arabic dialects. Support conversational experiences between always-on chatbots and your customers via web, mobile, messaging, or voice.
- Arma 3 – Combat Game Server on Windows Server 2016: Tidal Media offers this pre-configured image of Arma 3 game server on Windows Server 2016. Arma 3 is a massive military sandbox game featuring standalone and multiplayer content, 20 vehicles, 40 weapons, and numerous opportunities for content creation.
- Aruba ClearPass Policy Manager (CPPM): ClearPass Policy Manager (CPPM) from Aruba Networks provides secure network access control for corporate, guest, bring-your-own-device (BYOD), and IoT devices. Devices on networks can be secured when making wired, wireless, or VPN connections.
- Astroneer Game Server for Windows Server 2016: Tidal Media offers this pre-configured image of Astroneer game server on Windows Server 2016. Astroneer is set during the 25th century, when players explore outer space, risk their lives in harsh environments, and unearth rare discoveries.
- Astute Agent: Astute Agent is a consumer engagement CRM designed for consumer relations and customer care teams. Astute Agent’s features include integrated knowledge management, reputation management, workflow automation, and more.
- Automated Engineered SAP Landscape as Service: Vnomic provides automated, engineered SAP landscape deployments and governance as a service on Microsoft Azure. The end-to-end solution addresses enterprises’ needs with zero touch as they move to SAP HANA and SAP S4HANA.
- AvidXchange AP Automation: AvidXchange AP and payment automation solution for Microsoft Dynamics GP helps organizations eliminate inefficient, paper-based processes and easily pay their bills. AvidXchange provides bill-capture services, automated workflows, and bill approval from PC or mobile device.
- Azure Remote Access Management (ARAM): NET BRINEL SA’s Azure Remote Access Management (ARAM) is a cloud-based solution for secure remote management and support of customers through Azure virtual machines.
- Beehive – Task Automation Server on Ubuntu 18.04: Tidal Media offers this pre-configured image of Beehive on Ubuntu 18.04. Beehive is an event and agent system that allows you to create agents that perform automated tasks triggered by events and filters. Beehive interfaces with social media platforms, email, RSS, and more.
- Bindez Social Listening: Bindez Insights monitors and analyzes Facebook pages, producing sentiment analytics about your brand directly and in relation to your industry. This service is available in English and Burmese.
- CONTROL ACCESS WITH RAPID EMPLOYEE SCREENING: IT Convergence’s CARES (Control Access With Rapid Employee Screening) is an AI-powered solution that processes images from thermal cameras, scanning visitors and detecting their temperature variations without identifying individuals. CARES ensures safety compliance and supports advanced analytics.
- CorLife: CorLife provides screening, goal setting, education, and targeted coaching to help employees adopt healthy habits. CorLife exists to transform employee mental and physical health.
- Counter-Strike 1.6 Game Server on Ubuntu 18.04 LTS: Tidal Media offers this pre-configured image of Counter-Strike 1.6 game server on Ubuntu 18.04 LTS. Counter-Strike is a first-person shooter where two teams must fight each other to achieve a set objective.
- CrunchYard Gluster Cluster – Scalable Data Storage: CrunchYard’s Gluster provides a high-performance data cluster that is ideal for clients with high I/O throughput needs. Built on Microsoft Azure, Gluster creates large, distributed storage solutions suitable for engineering, financial, big data, and other uses.
- DayZ – Hardcore Game Server on Windows Server 2016: Tidal Media offers this pre-configured image of DayZ game server on Windows Server 2016. DayZ is an open-world survival game with survival mechanics, including hunting, crafting, building, health preservation, and resource management.
- Document management system – Enovatio Workflow: Enovatio Workflow is an Azure-based document management system designed for companies that strive to optimize business processes and improve workflows, regardless of industry. This product is available in English, German, and Polish.
- Don’t Starve Together – Game Server on Ubuntu: Tidal Media offers this pre-configured image of Don’t Starve Together game server on Ubuntu. Don’t Starve Together is a multiplayer wilderness survival game, where you gather resources to craft items and structures that match your survival style.
- DroneInch Drone Automation Platform: DroneInch’s automation software enables companies to plan, operate, analyze, and collaborate together on global drone missions. DroneInch integrates with Azure FarmBeats, enabling customers to view data collected from drones inside the FarmBeats IoT platform.
- dunnhumby Shop: dunnhumby London’s Shop empowers you to make confident, data-led decisions that improve customer experience and grow sales. Shop provides on-demand access to an array of customer insights relevant to both retailers and brand owners.
- ECommerce AI by Delvify: Delvify APAC’s ECommerce AI can increase revenues and deliver improved customer experiences using AI-powered visual technology for product recognition, discovery, and personalized recommendations to your customers.
- EcoStruxure IT Advisor: EcoStruxure IT Advisor is a datacenter infrastructure planning and modeling solution for large enterprises and colocation datacenters. This cloud-based solution provides datacenter managers with thorough insights into their infrastructure to improve profitability, efficiency, and availability.
- Enersight by Aucerna: Aucerna’s Enersight is a cloud-ready, comprehensive, integrated system for late-stage asset development and operational planning. Enersight was built to help asset level planners, engineers and economists make the right decisions with accurate data and defensible field development models.
- Excel integration for Jira Server/Data Center: Unlike Jira’s built-in export features, Midori’s Excel for Jira provides native Microsoft Excel exports, spreadsheet reports, and business intelligence for Jira. Improve your internal business processes with seamless Jira data export to Excel.
- Flogo – Event Processing System on Ubuntu 18.04: Tidal Media offers this pre-configured image of Flogo on Ubuntu 18.04. Flogo is a resource-efficient, Go-based ecosystem for building event-driven apps that enables developers to build once, consume from anywhere, and process using any of the supported actions.
- FME Server (Distributed Deployment, Windows): FME Server is a web-server application that automates data integration workflows by using the power of FME Desktop. FME is a data integration platform with support for spatial data and integration with over 450 systems.
- Fun Quick View: Fun Quick Watch is an AI-powered app that helps physical retail stores attract new customers with gamification centered on the customer experience. This app is available only in Chinese.
- Garry’s Mod Game Server on Windows Server 2016: Tidal Media offers this pre-configured image of Garry’s Mod (GMod) server on Windows Server 2016. GMod is a physics sandbox with no predefined goals. You spawn objects and weld them together to create your own contraptions.
- gcc-office-addin: Garden City Consultants’ gcc-office-addin SaaS provides the centralized and integrated services to enable GCC Office Add-ins for the online versions of Microsoft Excel and Microsoft Word. GCC Office Add-ins add data visualization options in Excel and productivity tools in Word.
- Ghost Nodes – Smart Integration of Everything: Gateway Host (GHOST) Nodes is a hybrid and distributed platform with centralized device management and edge intelligence. GHOST Nodes embeds advanced analytics services at endpoints, allowing you to deliver distributed digital services.
- Huginn – Workflow-Automation Server on Ubuntu: Tidal Media offers this pre-configured image of Huginn on Ubuntu. Huginn is a system for building agents that perform automated tasks for you online, such as reading web pages, watching for events, and taking actions on your behalf.
- IITC VLearn: IITC VLearn is a customizable, web-based learning management system (LMS) based on the Moodle open-source platform. This Azure-based system integrates with Microsoft Teams and provides a highly functional, secure, flexible, and interoperable digital learning solution.
- Intel Edge Software Hub: The Intel Edge Software Hub is a one-stop resource that allows developers to find software and tools that make it easier to develop, test, deploy, and maintain solutions at the edge. The solution provides tools and deployment-ready software packages that are pre-tested and pre-validated.
- Intelligence Platform – Integra Comex: Integra Comex provides information on how to operate in foreign trade, whether in the form of exports, imports, or cargo management. This solution consolidates data and speeds databases updates. This app is available only in Portuguese.
- Ipro: Ipro Enterprise is an e-discovery platform designed for large, complex, and early data assessments. IPro Enterprise lets your team quickly connect and assess live data without moving it, report, and stream relevant documents directly into review.
- Jedox for Dynamics 365 Finance & Operations: Jedox enables collaborative planning, budgeting, and forecasting in Microsoft Dynamics 365 by unifying core CRM and ERP processes. Jedox integrates FP&A processes, automates planning, creates continuous augmented forecasts, and more.
- Katana XR: Katana XR is a cloud-based mixed reality solution for the industrial sector. Katana XR gives project teams the ability to quickly and easily create mixed reality workflows and guides without requiring knowledge of coding.
- Lead Validation and Scoring for US and Canada: DOTS Lead Validation from Services Objects Inc. is a real-time API service that corrects and appends contact records and provides an actionable lead quality score. The service integrates with Microsoft Dynamics and Microsoft Azure.
- Left 4 Dead 2 – Game Server on Windows Server 2016: Tidal Media offers this pre-configured image of Left 4 Dead 2 game server on Windows Server 2016. Left 4 Dead 2 is a first-person survival horror game in which four survivors fight their way through levels filled with infected creatures.
- Mamoru Biz: Mamoru Biz is a business concierge tool that reduces anonymous tasks related to people, goods, and money, such as searching for people at free addresses, cash management in offices, and asset management. This app is available only in Japanese.
- Minerva Threat Prevention Platform: Minerva Labs LTD’s threat-prevention platform provides a zero-touch preemptive endpoint to defend against modern cyberthreats, such as file-less attacks, scripts, ransomware, malicious document macros, and more. Minerva blocks attacks before infection.
- Moneythor Data-Driven Banking: The Moneythor solution provides a set of software APIs enabling banks and fintechs to offer improved functionality and experience to their retail and business customers. Moneythor is powered by real-time data, machine learning, and behavioral science techniques.
- Network File System Server on Windows Server 2016: Tidal Media offers this pre-configured image of Network File System (NFS) service on Windows Server 2016. NFS is a protocol that allows you to share directories and files with Windows and non-Windows clients in a network.
- Network Monitoring: NeMo is a cloud-based monitoring solution for electricity networks. This Azure-based solution lets you manage conditions and maintenance at distribution grid stations, perform day-to-day forecasting of network quality, and more. This app is available in English and German.
- NFS Storage File Server on Windows Server 2019: Tidal Media offers this pre-configured image of Network File System (NFS) service on Windows Server 2019. NFS is a protocol that allows you to share directories and files with Windows and non-Windows clients in a network.
- NuWave Teams Direct Routing Voice: iPilot, an automated portal from NuWave Communications Inc., lets you quickly provision always-on calling plans and related carrier services for Microsoft Teams using shared public switched telephone networks (PSTNs).
- powercloud | A cloud native billing and CRM SaaS: powercloud GmbH offers a cloud-native, open-source SaaS solution customized for infrastructure and utility companies. powercloud takes care of the meter-to-cash value chain, including billing, regulatory processes, product management, meter data management, debt collection, and accounting.
- Praelexis Credit: Praelexis Credit offers a streamlined and integrated solution for the end-to-end credit modeling process. The toolkit’s flexibility allows state-of-the-art machine learning techniques to be combined with traditional credit modeling techniques.
- Prime Foray CSP: Prime Foray’s cloud service provider offering on Microsoft Azure Lighthouse is structured specifically for ISVs of all sizes from startups to public companies. Prime Foray will manage your Azure environment securely and safely, providing round-the-clock support.
- process.science Process Mining: process.science for Power BI is an add-in for Microsoft Power BI that lets you see your company from new perspectives. This app from process.science GmbH & Co. KG provides an overview of your processes by analyzing your organization’s process events compared with your targets.
- QuayChain: QuayChain is a digital marketplace for the marine fuel industry. The platform provides buyers, suppliers, and traders an easy, intuitive application for procuring and paying for marine fuel in a global market.
- Rendezvous desk booking and hoteling software: Rendezvous Workspace Desk Booking from NFS Technology Group makes desk booking an easy and safe process. The mobile app floorplan module makes it easy to select and book desks. This software integrates with Microsoft Outlook and a range of wayfinding and desk panel solutions.
- Rendezvous Meeting Room Booking Software: Rendezvous Workspace Meeting Booking from NFS Technology Group improves management of meeting room bookings. The software integrates with Microsoft Outlook, Office 365, and Microsoft Exchange and includes mobile and web-based apps.
- School Affairs Research Analysis Solution (IR Solution): Use these dashboards for Microsoft Power BI to get valuable insights into schools based on data from multiple public sources, including the Ministry of Education’s open data. The dashboard analyzes school enrollment, retirements, and available funds. This app is available in Chinese.
- SCONE platform for Azure confidential computing: SCONE is a solution platform that supports confidential, cloud-native applications and multi-party confidential computing. Built on Microsoft Azure, SCONE protects your applications including code and data during transmission, at rest, and during computation.
- SkypetoTeams by Cyclotron: SkypetoTeams.io by Cyclotron Inc. provides a full toolkit to migrate your enterprise from Skype for Business to Microsoft Teams. Features include templatized inputs, support for MFA and non-MFA authentication, and more.
- SPA: SPA is a document data utilization solution that enables document data conversion and document management automation by using AI-powered OCR. This app is available only in Japanese.
- Squid Proxy Server with Webmin GUI on Ubuntu 18.04: Tidal Media offers this pre-configured image with Squid proxy server with Webmin GUI on Ubuntu 18.04. Squid speeds up services by caching requests for web, DNS, and other computer traffic for a group of people on a shared network.
- Swim Continuum SaaS: Swim Continuum is an enterprise-grade platform for building and running continuous intelligence applications at scale. Providing performance and agility under high loads, Swim Continuum efficiently operationalizes high-frequency data analytics on massive amounts of streaming and batch data.
- SySearch AI Based Search for Healthcare: SySearch is a fully managed cloud search service with built-in AI capabilities that enrich health information to easily identify and explore healthcare data at scale. With SySearch, you can spend more time innovating and less time designing, maintaining, and querying a complex search solution.
- Team Fortress 2 Game Server on Ubuntu 18.04 LTS: Tidal Media offers this pre-configured image with Team Fortress 2 game server on Ubuntu 18.04. Team Fortress 2 is a multiplayer, first-person shooter video game with support for up to 32 players.
- Team Fortress 2 Game Server on Windows Server 2016: Tidal Media offers this pre-configured image with Team Fortress 2 game server on Windows Server 2016. Team Fortress 2 is a multiplayer, first-person shooter video game with support for up to 32 players.
- Tenjin for Enterprise: Tenjin for Enterprise enables virtual assistant creation in a few clicks and deploys the assistant in minutes. Using AI-driven conversational interactions, Tenjin streamlines access to common business services like knowledge, resetting passwords, and escalating support requests.
- Terraria – Adventure Sandbox Game Server on Ubuntu: Tidal Media offers this pre-configured image with Terraria game server on Ubuntu. Terraria is a sandbox game featuring action and adventure driven by the players’ choices and creativity. The server can be used for standalone or multiplayer gameplay.
- TIG: TIG is a next-generation video technology developed by Paronimu Co. Ltd. that allows you to obtain information about an object in a video simply by tapping the object on your smartphone screen. This app is available only in Japanese.
- Unturned – Adventure Sandbox Game Server on Ubuntu: Tidal Media offers this pre-configured image with Unturned game server on Ubuntu. Unturned is a multiplayer sandbox game in the apocalypse survival genre, in which players must work with friends and forge alliances to survive zombies.
- Wootric CX | NPS, CSAT and CES surveys: Wootric Customer Experience Management platform helps cloud-based companies increase retention, prioritize product improvements, and engage brand advocates. Wootric analytics and reporting use machine learning to deliver insights from high volumes of feedback.
Consulting services
|
 |
AI discovery workshop (4h): If you are curious what type of benefits AI and advanced analytics can bring to your organization, join Unit8 SA for this exploration of AI in consideration of your industry. Unit8 will introduce you to AI services available on Microsoft Azure and help launch your AI journey. |
 |
App Modernization – 2 week Implementation: Arinco has developed an application modernization accelerator service targeted at organizations that are focused on modernizing their application infrastructure and their developer experience on Azure App Services and Azure DevOps. |
 |
Apps Modernization Plan: 1WK Assessment: Modernize your apps and realize the benefits of Microsoft Azure with this offering from vNEXT PTY LTD. The vNEXT App Modernization Plan will help you innovate faster, improve reliability, and keep pace with the agility of today’s modern applications. |
 |
Citrix on Azure WVD: 1 Week Proof of Concept: Sayers experts will guide you through a proof of concept built to satisfy your business requirements and demonstrate the benefits of combining Citrix Virtual Apps and Desktops with Windows Virtual Desktop on Microsoft Azure. |
 |
Computer Vision on Azure: 2-mths Proof of Concept: SEMANTIVE sp. z o. o. will validate your computer vision use case by building a working prototype deployed to Azure Machine Learning and will provide you with recommendations and a roadmap for next steps. |
 |
Half-day free workshop on Azure Synapse Analytics: In this free workshop, Softcrylic LLC will help you understand how Azure Synapse Analytics can accelerate the responsiveness of your business by providing a secure, scalable environment for your data to support big data, analytics, business intelligence, and data science. |
 |
Horizon Cloud on Azure: 3-week Implementation: World Wide Technology (WWT) offers quick-start engagements for customers who want to provide desktops as a service (DaaS) by deploying VMWare Horizon Cloud on Microsoft Azure. WWT experts can demonstrate pre-built integration labs to speed customer evaluation. |
 |
ISV App Migration – 10 days implementation: Sela Group will assess your on-premises and cloud environments for deployment of your application to the Microsoft Azure Marketplace. Sela will analyze your current situation, provide insights during migration, and support your team during implementation. |
 |
Offer – QBot Implementation: QBot is an AI-powered program that answers student queries through a conversational chatbot. Integrated with Microsoft Teams, QBot provides a personalized learning experience and collaboration among students and teachers. |
 |
Portiva Cybersecurity Maturity Assessment: Portiva will provide insight into how you can improve the cloud security of your organization. This assessment will identify cybersecurity risks based on your organization and industrial sector, then classify the risks based on impact and likelihood. This offer is available only in Dutch. |
|
by Contributed | Nov 25, 2020 | Azure, Microsoft, Technology
This week, Tiberiu Radu (Azure Stack Hub PM) and I had the chance to speak with Microsoft MVP Dino Bordonaro from Azure Stack Hub Partner BORDONARO IT. BORDONARO IT is an Azure Stack Hub partner and Preferred SI that focuses on managed services. They are led by Dino Bordonaro, who is an Azure Stack Hub MVP, and together with his team, they are delivering value to their customers by creating hybrid solutions on Azure and Azure Stack. BORDONARO IT runs the Center of Excellence where they offer Validation as a Service and PoC environments that partners and customers can use.
We created this new Azure Stack Hub Partner solution video series to show how our customers and partners use Azure Stack Hub in their Hybrid Cloud environment. In this series, we will meet customers that are deploying Azure Stack Hub for their own internal departments, partners that run managed services on behalf of their customers, and a wide range of in-between as we look at how our various partners are using Azure Stack Hub to bring the power of the cloud on-premises.
Links mentioned through the video:
I hope this video was helpful and you enjoyed watching it. If you have any questions, feel free to leave a comment below. If you want to learn more about the Microsoft Azure Stack portfolio, check out my blog post.
by Contributed | Nov 24, 2020 | Azure, Microsoft, Technology
With the new changes to the Azure CLI, building applications has become much easier. This blog post walks you through key changes that can help enhance your productivity.
Some major changes include:
- A simplified single command for creating a new Postgres single server on Azure.
- The ability to use contextual information between CLI commands to help reduce the number of keystrokes for each command.
- New values for the `--public` parameter to create firewall rules as a part of the create experience.
- New command – list connection strings.
- Improved readable tabular formatted output for sku list and server list commands.
Note: Download the latest official release of the Azure CLI from the Azure CLI page or the dev build from the GitHub Azure CLI homepage.
Important: While this post focuses on Azure Database for PostgreSQL Single server, the changes described apply equally to our Flexible server deployment model.
1. Single command for creating a single server instance
Log in to your Azure account using `az login`, select your subscription (if different from default), and then run the command `az postgres server create` to create a Postgres Single Server instance on Azure.
Note the following key points:
- A resource group with a random name is created for you in the default region.
- A server-name, admin username, and password are auto-generated for you.
- The text in yellow indicates what is going on behind the scenes. The server gets created with the defaults, which can be found using `az postgres server create --help`.
- Two new fields (password and connection-string) are introduced in the output.
- To override a default value, pass that parameter with the value of your choice.

2. Support for param-persist
Azure Database for PostgreSQL server CLI commands now support persisting parameter values with the `az config param-persist` command, which locally stores information such as location, resource group, administrator login and server name for every sequential CLI command you execute. You can turn on param persist to store information using `az config param-persist on`. With param persist turned on, you can see the contextual information using `az config param-persist show`. You can always turn off support for param persist by using `az config param-persist off`.
A summary of points that you might find helpful is listed below:
- Fields commonly stored in param persist are location, resource group, server name and administrator login.
- The param persist is designed to hold only one value for any parameter – which is always from the latest executed command.
- Turning off the param persist does not automatically clear the stored fields. You can clear up all or specific values in the param persist using the commands in `az config param-persist delete`.
- An example of how param persist can reduce the effort is shown below.

- Note how there is no longer a need to supply the server name and resource group in the firewall creation command when you add a new firewall rule to the server you just created.

```
az postgres server firewall-rule create -n firewall-rule-1 --start-ip-address 107.223.9.21 --end-ip-address 107.223.9.27
```

- If you are unsure which values were fetched from param persist, look for the ‘Command argument values from local context’ text in the command output, as shown below.

```
Local context is turned on. Its information is saved in working directory /home/aritra. You can run `az local-context off` to turn it off.
Command argument values from local context: --resource-group: group2029187709, --server-name: server905314632
{- Finished ..
  "endIpAddress": "107.223.9.27",
  "id": "/subscriptions/<your-subscription-id>/resourceGroups/group2029187709/providers/Microsoft.DBforPostgreSQL/servers/server905314632/firewallRules/firewall-rule-1",
  "name": "firewall-rule-1",
  "resourceGroup": "group2029187709",
  "startIpAddress": "107.223.9.21",
  "type": "Microsoft.DBforPostgreSQL/servers/firewallRules"
}
```
3. New values for the `--public` parameter in the `az postgres server create` command
When creating a Postgres server using our managed database service on Azure, you want to get started quickly. You can now let the create experience take care of the accessibility based on the value you pass for the `--public` parameter in the create command. When a server is created with any of these newly supported values, a new field `firewallName` will show up in the output of the create command. In addition to the existing values of ‘Enabled’ and ‘Disabled’, we are now supporting the below values:
| Scenario | Command |
| --- | --- |
| Allow all IPs from 0.0.0.0-255.255.255.255 | `az postgres server create --public all` |
| Allow access to your client IP only | `az postgres server create --public <SingleIP>` |
| Allow all IPs within a range | `az postgres server create --public <StartIP-DestinationIP>` |
| Allow access to all Azure Services | `az postgres server create --public 0.0.0.0` |
| Allow public access, but add allowed IPs later | `az postgres server create --public Enabled`. Note: You need to add allowed IPs using the `firewall-rule create` command. |
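The `--public` values above produce firewall ranges of very different width, so it is worth reviewing what a server actually ended up with. The following is an added example (not from the original post or the Azure CLI project) that classifies firewall rules by exposure, reading JSON with the `name`, `startIpAddress` and `endIpAddress` fields seen in this post's firewall-rule output; the sample rules, the severity labels and the 256-address threshold are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample: rule names and most addresses are made up for this example.
SAMPLE_RULES_JSON = """
[
  {"name": "rule-all",    "startIpAddress": "0.0.0.0",      "endIpAddress": "255.255.255.255"},
  {"name": "rule-azure",  "startIpAddress": "0.0.0.0",      "endIpAddress": "0.0.0.0"},
  {"name": "rule-office", "startIpAddress": "107.223.9.21", "endIpAddress": "107.223.9.27"},
  {"name": "rule-client", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "rule-wide",   "startIpAddress": "198.18.0.0",   "endIpAddress": "198.19.255.255"},
  {"name": "rule-bad",    "startIpAddress": "203.0.113.50", "endIpAddress": "203.0.113.5"}
]
"""

MAX_RANGE_SIZE = 256  # assumption: anything wider than a /24 gets flagged for review


def classify_rule(rule, max_range_size=MAX_RANGE_SIZE):
    """Return (severity, reason) for one firewall rule dict."""
    try:
        start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
        end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    except (KeyError, ValueError) as exc:
        return "error", f"unparseable rule: {exc}"
    if end < start:
        return "error", "end address is below start address"
    size = end - start + 1
    if start == 0 and end == 2**32 - 1:
        # The range the table above lists for `--public all`.
        return "critical", "open to every IPv4 address"
    if start == 0 and end == 0:
        # The special value the table above lists for `--public 0.0.0.0`.
        return "high", "allows access from all Azure services"
    if size > max_range_size:
        return "medium", f"wide range of {size} addresses"
    return "ok", f"{size} address(es)"


def audit(rules_json):
    """Map each rule name to its (severity, reason) classification."""
    return {r.get("name", "<unnamed>"): classify_rule(r)
            for r in json.loads(rules_json)}


if __name__ == "__main__":
    for name, (severity, reason) in audit(SAMPLE_RULES_JSON).items():
        print(f"{severity:<8} {name:<12} {reason}")
```
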
4. New command – az postgres server show-connection-string
`az postgres server show-connection-string`: Lists the connection strings for connecting your Postgres database to applications such as ADO.NET, JDBC, JDBC Spring, Node.JS, PHP, Python, and Ruby.

```
az postgres server show-connection-string -s server905314632 -u flexibleHorse
```

All placeholder fields within {} in the connection string can be substituted with actual values when you pass them as parameters in the above command.

```
{
  "connectionStrings": {
    "C++ (libpq)": "host=server905314632.postgres.database.azure.com port=5432 dbname={database} user=flexibleHorse@server905314632 password={password} sslmode=require",
    "ado.net": "Server=server905314632.postgres.database.azure.com;Database={database};Port=5432;User Id=flexibleHorse@server905314632;Password={password};",
    "jdbc": "jdbc:postgresql://server905314632.postgres.database.azure.com:5432/{database}?user=flexibleHorse@server905314632&password={password}",
    "node.js": "var client = new pg.Client('postgres://flexibleHorse@server905314632:{password}@server905314632.postgres.database.azure.com:5432/{database}');",
    "php": "host=server905314632.postgres.database.azure.com port=5432 dbname={database} user=flexibleHorse@server905314632 password={password}",
    "psql_cmd": "postgresql://flexibleHorse@server905314632:{password}@server905314632.postgres.database.azure.com/{database}?sslmode=require",
    "python": "cnx = psycopg2.connect(database='{database}', user='flexibleHorse@server905314632', host='server905314632.postgres.database.azure.com', password='{password}', port='5432')",
    "ruby": "cnx = PG::Connection.new(:host => 'server905314632.postgres.database.azure.com', :user => 'flexibleHorse@server905314632', :dbname => '{database}', :port => '5432', :password => '{password}')"
  }
}
```
5. Improved readable tabular format
For the commands below, the latest version of the Azure CLI supports viewing output in a tabular format, which provides you with a snapshot view.
- `az postgres server list-skus -l eastus -o table`
- `az postgres server list [-g <group_name>] [-n <server_name>] -o table`
- Not supplying `-g` and `-n` would list all servers in the subscription.
- Supplying -g and -n would list the details of a single server.
- Supplying only -g would list the details of all servers in the resource group.

Use powerful Azure CLI utilities with single server CLI
Azure CLI has powerful utilities that can be used with the PostgreSQL server CLI commands, from finding the right commands and getting readable output to running REST APIs.
- Use `az find` to find the command you are looking for.
- Use the `--help` argument to get a complete list of commands and subgroups of a group.
- Change the output formatting to table, tsv, or yaml as you see fit.
- Use `az interactive` mode, which provides an interactive shell with auto-completion, command descriptions, and examples.
- Use `az upgrade` to update your CLI and extensions.
- Use the `az rest` command, which lets you call your service endpoints to run GET, PUT, and PATCH methods in a secure way.
The improvements have been designed to support the best possible experience for developers to create and manage their PostgreSQL servers. We’d love for you to try out the improvements and share your feedback for new CLI commands or issues with existing ones.
by Contributed | Nov 24, 2020 | Azure, Microsoft, Technology
XR Tea Party: BabylonJS & WebXR
Aysegul Yonet
Azure Stack Hub Partner Solutions Series – Cloud Assert
Thomas Maurer
This week, Tiberiu Radu (Azure Stack Hub PM) and I, had the chance to speak to Azure Stack Hub Partner Cloud Assert.
How To Measure The Power Consumption of Your Frontend Application | Sustainable Software
Asim Hussain
The second principle of Sustainable Software Engineering is to build energy efficient applications. The very first step in that direction is to measure the energy your application consumes, also known as its energy cost. Once you measure or estimate the energy cost of your application,
Sarah Lean
Browse content tagged with “Cloud Adoption Framework Series” on Channel 9.
DevOps Cloud Days, Day 3, Nov 18, 2020 – JFrog & Microsoft Azure
Jessica Deen
Join JFrog and Microsoft Azure to learn about integrations and future development. Secure your applications and modernize your business.
Scaling an Online Virtual World with Serverless Tech
Em Lazer-Walker
I help run an annual game design conference called Roguelike Celebration. Naturally, this year we wer…
Monitoring IoT systems from edge to cloud with Datadog
Paul DeCarlo
Microsoft Azure has a strong and active partnership with Datadog, the leading cloud-based monitoring and observability platform. Recently, Datadog and
Static Web App PR Workflow for Azure App Service using Azure DevOps Pt 2 (But what if my code is in GitHub) | Azure DevOps Blog
Abel Wang
Static Web App PR Workflow for Azure App Service using Azure DevOps Pt 2 (But what if my code is in GitHub) In part 1 (Static Web App PR Workflow for Azure App Service), I walked you through how to set up that sweet pull request workflow for Static Web Apps for your app if your app was: hosted in Azure App Service, your code in Azure Repos, your CI pipeline in Azure Pipelines.
Azure DevOps Boards and Excel!
Sarah Lean
Use Excel to help manage your Azure DevOps Board items!
AzUpdate: New Priority Account capabilities in Microsoft 365, Bastion and Vnet peering, and more
Anthony Bartolo
Another busy week for cloud services at Microsoft. Here are the news items the team at AzUpdate are covering this week: New Priority Account capabilities now available in Microsoft 365, Azure Bastion and VNet peering can be used together, New integrations between GitHub and Azure Policy allow for better manage policy definitions and assignments, New constrained vCPUs capable VMs now available and of course the Microsoft Learn module of the week.
HOW TO: Create a Windows Server 2019 NAS / FileServer from the command line
Rick Claus
Windows Server 2019 default install has no GUI or Desktop. How do you go about setting this thing up from the command line? In this post I give you the How To on how to setup a simple File Server to replace an old NAS device that was failing in my home lab. We’re talking PowerShell to configure Storage Spaces, User Accounts, SMB Shares, Power Profiles and more!
Control holiday lights with Python, Azure IoT and Power Apps
Jim Bennett
No more controlling your holiday lights by hand – instead use IoT and a no-code mobile app!. Tagged with pythonfunbites, azure, python, iot.
Azure Stack Hub Partner Solutions Series – Cloud Assert
Thomas Maurer
This week, Tiberiu Radu (Azure Stack Hub PM @rctibi) and I, had the chance to speak to Azure Stack Hub Partner Cloud Assert.
AzureFunBytes – Episode 21 – @Azure Security with @deanbryen
Jay Gordon
Security is always the primary concern for those deploying applications into the cloud. This week on… Tagged with azure, security, tutorial, beginners.
Translating text with just a few lines of code using Azure Cognitive Services
Christopher Harrison
This article is part of #PythonFunBites. An old co-worker of mine is fond of saying “we’re not launc… Tagged with pythonbites, azure, python, ai.
Getting started with web dev using Flask
Christopher Harrison
This article is part of #PythonFunBites. There’s a lot of different web dev frameworks out there, an… Tagged with pythonfunbites, python, flask, webdev.
Set up Azure Shell locally – part 2
Pierre Roman
Azure Cloud Shell running in Visual Studio Code – differences with VS Code.
Working with Jupyter Notebooks in Visual Studio Code
Jasmine Greenaway
How to use Jupyter Notebooks in Visual Studio Code. Tagged with pythonfunbites, azure, python.
What’s New in Azure DevOps Docs For October? | Azure DevOps Blog
Abel Wang
What’s new for October 1, 2020 – October 31, 2020 Hey hey! New docs have dropped for Azure DevOps for the month of October. What has changed? Oh, just things like… Delete and recover packages; Remove, delete, or restore work items; Use the Cross-platform CLI for Azure DevOps using personal access tokens (PATs) …and much more!
AzureFunBytes Short – Azure Containers (Kubernetes, Container Instances, More) | Azure DevOps Blog
Jay Gordon
Containers provide an easy way to run batch jobs without having to manage an environment and dependencies. Dynamic compute options, such as Azure Container Instances (ACI), can be used to efficiently ingest source data, process it, and place it in a durable store such as Azure Blob storage.
The Python Community is Stronger Together
Nina Zakharenko
Some thoughts on how to stay connected with the Python Community in 2020.
Microsoft 365 PnP Weekly – Episode 105 – Microsoft 365 Developer Blog
Waldek Mastykarz
Connect to the latest conferences, trainings, and blog posts for Microsoft 365, Office client, and SharePoint developers. Join the Microsoft 365 Developer Program.
Microsoft Autonomous Driving Startups Program
Adi Polak
Join us for an exceptional conversation with Aditya from the Microsoft Autonomous Driving program. Aditya shares the trends in Autonomous Driving, what startups are building, how Microsoft can help,
Lisa At The Edge Podcast – Thomas Maurer – Career Development & Azure Arc
Thomas Maurer
Lisa At The Edge Podcast – Thomas Maurer – Career Development & Azure Arc we talked about Azure Arc and Azure Hybrid Cloud!
Control holiday lights with Python, Azure IoT and Power Apps
Jim Bennett
As the December holiday season descends, some cultures celebrate with lights, whereas other folks have breaks from school and are looking for a fun