Microsegmentation with Azure Stack HCI

This article is contributed. See the original author and article here.

Have you deployed multiple applications in your HCI cluster? Do you have application workloads in your cluster that need access to the Internet? Do you have remote users accessing application workloads in your HCI cluster? If the answer to any of these questions is yes, read on to find out how you can protect your workloads from unauthorized access and cyber-attacks, whether internal or external.

Problem: Need for network security and issues with traditional approaches


Network security is a top concern for organizations today. We are faced with increasing breaches, threats, and cyber risk. Cyber criminals are targeting high business impact data with sophisticated attacks designed to bypass perimeter controls. Once inside the company network, attackers are free to move from one system to another, in search of sensitive or personally identifiable information. These breaches can go unnoticed for a long time.


Network segmentation has long been used to isolate high-value data and systems. In traditional networks, security is enforced at the edge, where north-south communication takes place (traffic travelling in and out of the datacenter). This protects the intranet from the outside world, but it offers little protection in the modern hybrid cloud world, where the perimeter has all but evaporated and a large portion of the traffic flows east-west, or server to server, between applications.


In the typical topology, endpoints can communicate freely with each other within VLANs or subnets behind a firewall. An infection on one of these servers is not contained and can easily spread to the other servers.

Organizations may use physical firewalls to protect east-west traffic, but that has its own drawbacks. Sending east-west communication through a physical firewall creates significant bottlenecks in network resource utilization. If firewall capacity is exhausted, security can only be scaled by replacing the firewall with a larger one or adding additional physical firewalls, which is cumbersome and expensive.


Moreover, physical firewalls can also add latency for certain applications: all traffic must traverse the physical firewall to be segmented, even when the communicating workloads reside on the same physical server.

Solution: Microsegmentation in Azure Stack HCI


The ideal solution for complete protection is to protect every traffic flow inside the datacenter with a firewall, allowing only the flows required for applications to function. This is the Zero Trust model.

Microsegmentation is the concept of creating granular network policies between applications and services. This essentially reduces the security perimeter to a fence around each application or virtual machine. The fence permits only the necessary communication between application tiers or other logical boundaries, making it exceedingly difficult for cyber threats to spread laterally from one system to another. Logical boundaries are entirely up to you: they can be your different environments (Dev, Test, Production), different types of applications, or different tiers within an application. This securely isolates networks from each other and reduces the total attack surface exposed in a network security incident.

With Azure Stack HCI, you can define granular segmentation for your applications and workloads and protect them from both external and internal attacks. This is achieved through a distributed firewall that lets administrators define access control lists (ACLs) to restrict access for workloads attached to traditional VLAN networks and overlay networks. It is a network-layer firewall: it allows or denies traffic based on source and destination IP addresses, source and destination ports, and network protocol. You can read more about this here.


IMPORTANT: The microsegmentation policies can be applied to all Azure Stack HCI workloads attached to traditional VLAN networks.

The firewall policies are configured through the management plane. You have multiple options here: the standard REST interface, PowerShell, Windows Admin Center (WAC) and System Center Virtual Machine Manager (SCVMM). The management plane sends the policies to a centralized control plane, Network Controller, which ships as a server role in the Azure Stack HCI OS. Network Controller pushes the policies to all the applicable Hyper-V hosts, where they are plumbed at the vSwitch port of each virtual machine. Network Controller also ensures that the policies stay in sync and that any drift is remediated.


Configure and manage microsegmentation in Azure Stack HCI


There are two high-level steps to configure microsegmentation for HCI: first set up Network Controller, then configure the microsegmentation policies.

Setup Network Controller


Network Controller can be set up using the SDN Express PowerShell scripts, Windows Admin Center (WAC) or System Center Virtual Machine Manager (SCVMM).

Windows Admin Center


If you are deploying HCI for the first time, you can use the Windows Admin Center deployment wizard to set up Network Controller. SDN deployment is Step 5 of the wizard and deploys the Network Controller component of SDN. Detailed instructions for launching this wizard, setting up the HCI cluster and setting up Network Controller are provided here. In the default case, you need to provide only two pieces of input:



  1. Path to the Azure Stack HCI OS vhdx file. This is used to deploy the Network Controller VMs.

  2. Credentials to join the Network Controller VMs to the domain, and local admin credentials.


If you do not have DHCP configured on your management network, you will need to provide static IP addresses for the Network Controller VMs. A demo of the SDN setup is provided below:

[Video: SDN setup demo]

SDN Express Scripts


If you already have an existing HCI cluster, you cannot deploy SDN through Windows Admin Center today. This support is coming soon.


In this case, you can deploy the Network Controller (NC) component of SDN using the SDN Express scripts. The scripts are available in the official Microsoft SDN GitHub repository. They need to be downloaded and executed on a machine that has access to the HCI cluster management network. Detailed instructions for executing the script are provided here.

The script takes a configuration file as input. A template file can be found in the GitHub repository here. You will need to provide or change the following parameters to set up Network Controller for microsegmentation on traditional HCI VLAN networks:



  1. VHDPath: VHDX file path used by the NC VMs. The script must have access to this file path.

  2. VHDFile: VHDX file name used by the NC VMs.

  3. JoinDomain: domain to which the NC VMs are joined.

  4. Management network details (ManagementSubnet, ManagementGateway, ManagementDNS, ManagementVLANID): the management network of the HCI cluster.

  5. DomainJoinUsername: username used to join the NC VMs to the domain.

  6. LocalAdminDomainUser: domain user for the NC VMs who is also a local admin on the NC VMs.

  7. RestName: DNS name used by management clients (such as Windows Admin Center) to communicate with NC.

  8. Details of the NC VMs (ComputerName, HostName, ManagementIP, MACAddress): name of each NC VM, host name of the server where the NC VM is located, management network IP address of the NC VM, and MAC address of the NC VM.

  9. HyperVhosts: host server names in the HCI cluster.

  10. NCUserName: NC administrator account. It should have permission to do everything needed by someone administering NC (primarily configuration and remoting). Usually this can be the same as the LocalAdminDomainUser account.


Some other important points:



  1. The parameters VMLocation, SDNMacPoolStart and SDNMacPoolEnd can keep their default values.

  2. The Muxes and Gateways sections should be left empty (for example, Muxes = @()).

  3. If you are deploying microsegmentation for VLAN networks, keep the PA network details section blank. If you are deploying overlay networks, fill in that section.

  4. The rest of the parameters below the PA network section can be commented out.


A sample file is shown below:


[Image: sample SDN Express configuration file]
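To make the parameter list above concrete, here is an added example of a configuration file for a Network-Controller-only deployment on VLAN networks. It is not the template from the SDN Express repository or the sample file from the original article. The PowerShell data-file layout (a single hashtable) and the NCs key for the Network Controller VM list are assumptions based on the SDN Express template format, and every value is a constructed placeholder to be replaced with your environment's details. No passwords are stored in the file; only the account names appear.

```powershell
# Added example: SDN Express configuration for a Network Controller-only deployment
# (microsegmentation on traditional VLAN networks). Not the repository's template file.
# ASSUMPTIONS: hashtable/data-file layout and the "NCs" key for the NC VM list.
# Every value below is a constructed placeholder.
@{
    # 1./2. VHDX the NC VMs are built from; the script must be able to read this path.
    VHDPath              = "\\fileserver\images"          # constructed
    VHDFile              = "AzureStackHCI.vhdx"           # constructed

    # "Other important points" 1: these can keep the template defaults.
    VMLocation           = "C:\ClusterStorage\Volume01\VMs"
    SDNMacPoolStart      = "00-1D-D8-B7-1C-00"
    SDNMacPoolEnd        = "00-1D-D8-B7-1F-FF"

    # 3. Domain the NC VMs join.
    JoinDomain           = "corp.example.com"

    # 4. HCI cluster management network (the NC VMs live here).
    ManagementSubnet     = "10.10.0.0/24"
    ManagementGateway    = "10.10.0.1"
    ManagementDNS        = @("10.10.0.10", "10.10.0.11")
    ManagementVLANID     = 7

    # 5./6. Deployment accounts: domain-join account, and the domain user that is
    # also local admin on the NC VMs. Usernames only; the file holds no passwords.
    DomainJoinUsername   = "corp\svc-sdn-join"
    LocalAdminDomainUser = "corp\svc-sdn-admin"

    # 7. DNS name that WAC, PowerShell and REST clients use to reach Network Controller.
    RestName             = "nc.corp.example.com"

    # 8. One entry per NC VM. Three VMs are used here so the controller is highly available.
    NCs = @(
        @{ ComputerName = "NC01"; HostName = "HCI-NODE1"; ManagementIP = "10.10.0.21"; MACAddress = "00-1D-D8-B7-1C-01" }
        @{ ComputerName = "NC02"; HostName = "HCI-NODE2"; ManagementIP = "10.10.0.22"; MACAddress = "00-1D-D8-B7-1C-02" }
        @{ ComputerName = "NC03"; HostName = "HCI-NODE3"; ManagementIP = "10.10.0.23"; MACAddress = "00-1D-D8-B7-1C-03" }
    )

    # "Other important points" 2: no load-balancer MUXes and no gateways for a
    # VLAN-only microsegmentation deployment.
    Muxes    = @()
    Gateways = @()

    # "Other important points" 3/4: the PA network section is left blank for VLAN
    # networks (only overlay networks need it), and everything below it in the
    # template is commented out, so no further keys appear here.

    # 9. Hyper-V hosts in the HCI cluster that Network Controller will manage.
    HyperVhosts = @("HCI-NODE1", "HCI-NODE2", "HCI-NODE3")

    # 10. Account that administers Network Controller; same as LocalAdminDomainUser here.
    NCUserName  = "corp\svc-sdn-admin"
}
```

Before running the script, check that the ManagementIP values fall inside ManagementSubnet and are not in any DHCP pool, and that the MAC addresses do not overlap the SDNMacPoolStart/SDNMacPoolEnd range; those are the two inputs most often wrong in a first deployment.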

Configure Microsegmentation Policies


Once Network Controller is setup, you can go ahead and deploy your microsegmentation policies.



  1. The first step is to create a logical network for your workloads hosted on VLAN networks. This is documented here.

  2. Next, you need to create the security ACL rules that you want to apply to your workloads. This is documented here.

  3. Once the ACL rules have been created, you can apply them to the network or a network interface.

    1. For applying ACLs to a traditional VLAN network, see instructions here.

    2. For applying ACLs to a virtual network, see instructions here.

    3. For applying ACLs to a network interface, see instructions here.




After the ACL rules have been applied to a network, every virtual machine in that network receives the policies and has its access restricted according to the rules. If the ACL rules have been applied to a network interface, that network interface receives the policies and has its access restricted according to the rules.
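The procedure above (create the ACL rules, then attach them to a VLAN logical subnet or to a network interface), together with the network-layer matching on addresses, ports and protocol described in the Solution section, as an added PowerShell example using the NetworkController module. This is not code from the original article. The REST name, logical network and subnet IDs, tier address prefixes, rule names and priorities are constructed, and the final check assumes that the subnet object returned by Network Controller carries the attached ACL's ResourceRef. The rule set is an allow list followed by a logged deny-all for inbound traffic; outbound traffic is deliberately left unrestricted here and should be locked down the same way once the application's required flows are known.

```powershell
# Added example (not from the original article): build a microsegmentation ACL and
# attach it to a traditional VLAN logical subnet with the NetworkController module.
# Constructed/assumed: $uri, $lnId, $subnetId, the tier prefixes, rule names and priorities.
Import-Module NetworkController

$uri      = "https://nc.corp.example.com"   # Network Controller RestName (constructed)
$lnId     = "Contoso-VLAN"                  # logical network created in step 1 (constructed)
$subnetId = "VLAN-7-AppTier"                # logical subnet that holds the app tier (constructed)
$webTier  = "10.20.7.0/26"                  # constructed address prefixes
$appTier  = "10.20.7.64/26"
$mgmtNet  = "10.10.0.0/24"

# Build one ACL rule. Lower Priority numbers are evaluated first.
function New-AclRule {
    param($Id, $Type, $Action, $Protocol, $Src, $Dst, $DstPorts, $Priority)
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type = $Type; $p.Action = $Action; $p.Protocol = $Protocol
    $p.SourceAddressPrefix = $Src; $p.DestinationAddressPrefix = $Dst
    $p.SourcePortRange = "0-65535"; $p.DestinationPortRange = $DstPorts
    $p.Priority = "$Priority"; $p.Logging = "Enabled"
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id; $r.Properties = $p
    return $r
}

$rules = @(
    # Only the web tier may reach the app tier, and only on its service port.
    New-AclRule -Id "Allow-Web-To-App-8443" -Type Inbound -Action Allow -Protocol TCP `
        -Src $webTier -Dst $appTier -DstPorts "8443" -Priority 200
    # Administrators reach the app tier over RDP from the management network only.
    New-AclRule -Id "Allow-Mgmt-RDP" -Type Inbound -Action Allow -Protocol TCP `
        -Src $mgmtNet -Dst $appTier -DstPorts "3389" -Priority 210
    # Everything else inbound, including VMs on the same VLAN, is dropped and logged:
    # this is the fence that stops lateral movement inside the subnet.
    New-AclRule -Id "Deny-All-Inbound" -Type Inbound -Action Deny -Protocol All `
        -Src "*" -Dst "*" -DstPorts "0-65535" -Priority 8000
)

# Step 2: create the ACL resource on Network Controller.
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "AppTier-ACL" `
    -Properties $aclProps -Force
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "AppTier-ACL"

# Step 3a: attach the ACL to the VLAN logical subnet; every VM on it receives the policy.
$subnet = Get-NetworkControllerLogicalSubnet -ConnectionUri $uri -LogicalNetworkId $lnId -ResourceId $subnetId
$subnet.Properties.AccessControlList = $acl
New-NetworkControllerLogicalSubnet -ConnectionUri $uri -LogicalNetworkId $lnId -ResourceId $subnetId `
    -Properties $subnet.Properties -Force

# Check: read the subnet back and confirm it references the ACL we just created
# (assumes the returned object exposes the ACL's ResourceRef).
$check = Get-NetworkControllerLogicalSubnet -ConnectionUri $uri -LogicalNetworkId $lnId -ResourceId $subnetId
if ($check.Properties.AccessControlList.ResourceRef -ne $acl.ResourceRef) {
    throw "ACL AppTier-ACL is not attached to $lnId/$subnetId"
}

# Step 3c alternative: pin the same ACL to a single VM's network interface instead.
# $nic = Get-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId "app01-nic"   # constructed ID
# $nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
# New-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId "app01-nic" -Properties $nic.Properties -Force
```

Because the deny rule has Logging enabled, a first pass with the allow rules derived from observed traffic will surface any flow the application still needs as a logged drop, which is the safest way to tighten the rule set without an outage.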

So, as you can see, with microsegmentation, you can protect every traffic flow in your HCI cluster, allowing only the flows required for your applications to function. Please try this out and give us feedback at sdn_feedback@microsoft.com. Feel free to reach out for any questions as well.

Early technical preview of JDBC Driver 9.3.1 for SQL Server released

We have released a new early technical preview of the JDBC Driver for SQL Server which contains a few additions and changes.

Precompiled binaries are available on GitHub and also on Maven Central.

Below is a summary of the new additions and changes.



Added



  • Added replication connection option #1566


Fixed



  • Fixed an issue where trustStorePassword is null when using applicationIntent=ReadOnly #1565

  • Fixed an issue where redirected token contains named instance in servername #1568


Getting the latest release


The latest bits are available on our GitHub repository, and Maven Central.


Add the JDBC preview driver to your Maven project by adding the following code to your POM file to include it as a dependency in your project (choose .jre8, .jre11, or .jre15 for your required Java version).

<dependency>
  <groupId>com.microsoft.sqlserver</groupId>
  <artifactId>mssql-jdbc</artifactId>
  <version>9.3.1.jre11</version>
</dependency>

Help us improve the JDBC Driver by taking our survey, filing issues on GitHub or contributing to the project.


Please also check out our tutorials to get started with developing apps in your programming language of choice and SQL Server.


David Engel

Updates to Organizational Theming in Microsoft 365 admin center

We are so excited to announce an enhanced theming experience for tenants. We have started rolling out the improvements and will be generally available by late May 2021. Through the Microsoft 365 admin center, start playing around with colors and logos and assign custom themes to different Microsoft 365 groups in your organization! The organizational theme is what appears in the top navigation bar for people in your organization.


[Image: Creating a new theme dialogue]

How to get started


To get started, in the Microsoft 365 admin center navigate to Settings > Org Settings > Organizational profile and click Organizational Themes. From there you can add up to 4 custom themes. Each theme can be customized with different logos and colors. Admins can specify theme logos and the URL users are taken to when they select the logo.


[Image: Applying a custom theme]

What is exciting about these improvements?



  1. Specify a different logo for dark mode

  2. Create themes for different groups

  3. Get instant accessibility feedback on your theme


Read more about the exciting updates here!

Best practices for incorporating AZ-900 and AI-900 into the curriculum

Best practices for incorporating AZ-900 and AI-900 into the curriculum with the University of Lincoln


Guest post by Derek Foster, Associate Professor in Computer Science at University of Lincoln, Microsoft Learn Educator Ambassador.


The School of Computer Science at the University of Lincoln is investing in ensuring students are equipped for excellent career opportunities in high-growth areas such as Cloud Computing and AI. An enabler of this is offering students certification courses such as AZ-900 Microsoft Azure Fundamentals and AI-900 Microsoft Azure AI Fundamentals as part of their degree programmes. Students at Lincoln have taken over 1500 Microsoft certification exams over the last 3 years with the current focus on the new cloud-based Microsoft Fundamentals courses.



Embedding certification in an academic programme is an optimal approach for sustaining a graduate pipeline that meets the needs of industry. This can be taken further by offering academic credit for certification, something Lincoln is working on now for its new MSc Cloud Computing programme. Programmes that include certification can be positioned as ‘industry ready’, an attractive attribute for prospective applicants. Students benefit greatly from the industry-transferable skills they learn during a certification course, which are also worthy additions to their graduate CV.


Student engagement is key for achieving certification. There are a number of approaches to support positive engagement when rolling out certification as part of a degree programme. These are outlined below:


Integrate inside a course – This includes integrating the learning materials of a Microsoft Fundamentals course within the academic course and mapping them to the academic learning objectives. This is the most involved approach and requires careful planning.



Integrate alongside a course – This approach is based on running a Fundamentals course alongside a separate academic course, with opportunities for sharing similar knowledge and understanding areas between both courses. This is a relatively low-barrier approach and offers a degree of flexibility.


Integrate as a standalone course – This is the most flexible approach and presents the lowest barriers for integration. A Fundamentals course is typically run as a standalone extra-curricular learning opportunity for your students, or as a short Continuing Professional Development (CPD) course for staff. It is not dependent upon any other academic course and can be run during, or outside a semester.



At Lincoln we find that, regardless of the approach to rolling out certification, students much prefer certification courses to be run as academic-led, as opposed to student-led where all learning is undertaken independently. We also suggest that if your school is new to certification, you start with a pilot of your preferred Microsoft Fundamentals course and run it as a standalone, extra-curricular course. This will give you the experience and knowledge needed to think about next steps for your school and tighter integration in your programmes.


Students are keen to engage with activities during their programme that will enhance their career opportunities and can also support their studies in their academic modules. For example, the Microsoft Azure Data Fundamentals course is suitable for aligning with Database and Data Science courses, while the Microsoft Azure AI Fundamentals course is a great fit for academic AI courses.


Below are some quotes from our students at Lincoln on certification:


[Images: testimonials from students Dayna and Michal]


Giving students the opportunity to take certification courses and exams as part of their degree programme is a fantastic approach to support students with getting ready for industry. The Microsoft Learn for Educators programme supports educators with the tools and knowledge necessary to run certification courses. The School of Computer Science at the University of Lincoln is part of this programme and finds the learning materials and community around it an invaluable resource.


If you would like to find out more about incorporating Microsoft Fundamentals certification courses as part of a degree programme then please view the associated webinar here, which was part of the Microsoft Education Skills Webinar series.


Resources on Cloud Curriculum 


Published Papers in the ACM Digital Library



End of Year Guides for Educators and IT Admins

It’s that time of the year for northern hemisphere schools! Time to plan your end of year activities, close out the current school year and ensure you are set-up for success in the new school year or for summer school.


Geri Gillespy, from the Microsoft EDU customer engagement team, has collected many of the best practices and resources into a simple End of Year Guide for IT admins and educators to help make this transition as simple as possible. These guides include checklists with ideas for getting your systems ready and cover everything from archiving teams and collecting devices to updating your communication procedures. There’s even information on supporting summer school programs for students and staff.


Download the guides below and start your end of school process today!


Download April, 2021 IT Admin Guide


Download April, 2021 Educator Guide


As always, we would love to hear from each of you to learn more about how you prepare for the end of a school year. Your unique experiences and insights are extremely valuable to Microsoft product teams and to other educators around the world. Please post your tips, comments and best practices below to share with the community. See you in the communities!