Deploying Agents to Azure IaaS VMs using the Custom Script Extension

In an ideal world organizations should try to avoid creating custom images with their own special agents and configurations. This means a lot of image management as each time an agent is updated the image has to be updated in addition to the normal patching of OS instances. The Azure marketplace has a large number of OS images that are kept up-to-date which should be used if possible and any customization performed on top of that. I recently had a Proof of Concept where a number of agents needed to be deployed post VM deployment along with other configurations. Items such as domain join can be done with the domain join extension but for the other agent installs we decided to use the Custom Script Extension to call a bootstrap script which would do nothing other than pull down all content from a certain container using azcopy.exe and then launch a master script. The master script would be part of the downloaded content and would then perform all the silent installations and customization’s required.

A storage account is utilized with two containers:

Artifacts – This contains the master script and all the agent installers etc. This could use a zip file to enable a structure to be maintained of the various agents and the master script could unzip at the start
Bootstrap – This contains azcopy.exe (in my case version 10) and the bootstrap.ps1 file that does nothing other than call azcopy to copy everything from the artifacts container to the c:\ root, then launch the master script from the local copy

Below is my example bootstrap.ps1 file. Notice it has one parameter, the URI of the container which will be the shared access signature enabling access.

param($SourceURI)

$cmd = "&`".\azcopy.exe`" cp `"$SourceURI`" `"C:`" --recursive=true"
try {
    Invoke-Expression -Command $cmd -ErrorAction Stop
    if ($LASTEXITCODE -ne 0) {
        # Error.
    }
} catch {
    # Error.
}

c:\artifacts\MainScript.ps1

param($SourceURI)

$cmd = "&`".\azcopy.exe`" cp `"$SourceURI`" `"C:`" --recursive=true"

try {

Invoke-Expression -Command $cmd -ErrorAction Stop

if ($LASTEXITCODE -ne 0) {

# Error.

}

} catch {

# Error.

}

c:\artifacts\MainScript.ps1

Azcopy.exe was downloaded from https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10 and copied to the bootstrap container along with the bootstrap.ps1 file. In my case there is nothing sensitive in the file and so I made the container public. This would avoid having to have an access key as part of my ARM template that would ultimately call this script.

All the installers and the master script were uploaded to the artifacts container. For this container I wanted a shared access signature (SAS) that would give read and list rights. The idea would be some automation would generate a new SAS each week and write to a secret in key vault that only people that should deploy had access to. The SAS would have a lifetime of 2 weeks to have an overlap with the newly generated. In addition to generating and storing the complete SAS I needed a second version that was escaped for cmd.exe. This is because the SAS has & in it which was being interpreted during my testing breaking its use. I tried to use no parse (–%) but this did not work since it was being called by cmd.exe therefore the escape is to use ^&. The script below generates the SAS and the escaped SAS and writes both versions as secrets to key vault.

$resourceGroupName = "RG-Infra-SCUS"
$storageAccountName = "sasavpocscus"
$containerName = "artifacts"

# Get the access key for the Azure Storage account
$storageAccountKey = (Get-AzStorageAccountKey `
    -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName)[0].Value

# Create an Azure Storage context
$storageContext = New-AzStorageContext `
    -StorageAccountName $storageAccountName `
    -StorageAccountKey $storageAccountKey

$expiryTime = (Get-Date).AddDays(14)

# Generates an SAS token for the Azure storage container
$SASToken = New-AzStorageContainerSASToken `
    -Name $containerName `
    -Permission "rl" `
    -ExpiryTime $expiryTime `
    -Context $storageContext

$fullSASURI = "$($storageContext.BlobEndPoint)$($containerName)$($SASToken)"
$fullSASURI

$secretvalue = ConvertTo-SecureString $fullSASURI -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName 'SavKeyVault' -Name 'POCBLOBSASURI' -SecretValue $secretvalue

#Need an escaped for CMD since this is how passed when using the Custom Script Extension in Azure
$secretescapevalue = ConvertTo-SecureString $fullSASURI.Replace("&","^&") -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName 'SavKeyVault' -Name 'POCBLOBSASURIEsc' -SecretValue $secretescapevalue

$resourceGroupName = "RG-Infra-SCUS"

$storageAccountName = "sasavpocscus"

$containerName = "artifacts"

# Get the access key for the Azure Storage account

$storageAccountKey = (Get-AzStorageAccountKey `

-ResourceGroupName $resourceGroupName `

-Name $storageAccountName)[0].Value

# Create an Azure Storage context

$storageContext = New-AzStorageContext `

-StorageAccountName $storageAccountName `

-StorageAccountKey $storageAccountKey

$expiryTime = (Get-Date).AddDays(14)

# Generates an SAS token for the Azure storage container

$SASToken = New-AzStorageContainerSASToken `

-Name $containerName `

-Permission "rl" `

-ExpiryTime $expiryTime `

-Context $storageContext

$fullSASURI = "$($storageContext.BlobEndPoint)$($containerName)$($SASToken)"

$fullSASURI

$secretvalue = ConvertTo-SecureString $fullSASURI -AsPlainText -Force

$secret = Set-AzKeyVaultSecret -VaultName 'SavKeyVault' -Name 'POCBLOBSASURI' -SecretValue $secretvalue

#Need an escaped for CMD since this is how passed when using the Custom Script Extension in Azure

$secretescapevalue = ConvertTo-SecureString $fullSASURI.Replace("&","^&") -AsPlainText -Force

$secret = Set-AzKeyVaultSecret -VaultName 'SavKeyVault' -Name 'POCBLOBSASURIEsc' -SecretValue $secretescapevalue

Once this was done I now had a SAS available in the key vault that would give read and list to the artifacts container. A test of this process to my local machine worked, i.e.

$BLOBSASURI = (Get-AzKeyVaultSecret -vaultName 'SavKeyVault' -Name 'POCBLOBSASURI').SecretValueText
.\bootstrap.ps1 $BLOBSASURI

1 2	$BLOBSASURI = (Get-AzKeyVaultSecret -vaultName 'SavKeyVault' -Name 'POCBLOBSASURI').SecretValueText .\bootstrap.ps1 $BLOBSASURI

Next I tried calling as I would via the Custom Script Extension which with the escaped version worked great (note its the escaped URL as this will get expanded in the template).

powershell.exe -ExecutionPolicy Unrestricted -Command .\BootStrap.ps1 -SourceURI 'https://sasavpocscus.blob.core.windows.net/artifacts?sv=2018-11-09^&sr=c^&sig=blahblahD^&se=2019-05-30T14%3A21%3A50Z^&sp=rl'

1	powershell.exe -ExecutionPolicy Unrestricted -Command .\BootStrap.ps1 -SourceURI 'https://sasavpocscus.blob.core.windows.net/artifacts?sv=2018-11-09^&sr=c^&sig=blahblahD^&se=2019-05-30T14%3A21%3A50Z^&sp=rl'

Initially my test was to an existing Azure VM so I used the following (note I’m getting the escaped version of the secret from Key Vault):

$BLOBSASURI = (Get-AzKeyVaultSecret -vaultName 'SavKeyVault' -Name 'POCBLOBSASURIEsc').SecretValueText

#Container has public access since no sensitive information in files therefore no account or key required in private configuration
$fileUri = @("https://sasavpocscus.blob.core.windows.net/bootstrap/BootStrap.ps1","https://sasavpocscus.blob.core.windows.net/bootstrap/azcopy.exe")

$ExtensionName = 'BootStrap'
$ExtensionType = 'CustomScriptExtension'
$Publisher = 'Microsoft.Compute'
$Version = '1.9'
$timestamp = (Get-Date).Ticks

$PrivateConfiguration = @{"commandToExecute" = "powershell.exe -ExecutionPolicy Unrestricted -Command .\BootStrap.ps1 -SourceURI '$BLOBSASURI'"}
$PublicConfiguration = @{"fileUris" = $fileUri;"timestamp" = "$timestamp"}

Set-AzVMExtension -ResourceGroupName RG-Infra-SCUS -Location southcentralus -VMName Savazuusscwin10 `
    -Name $ExtensionName -Publisher $Publisher -ExtensionType $ExtensionType -TypeHandlerVersion $Version `
    -Settings $PublicConfiguration -ProtectedSettings $PrivateConfiguration

$BLOBSASURI = (Get-AzKeyVaultSecret -vaultName 'SavKeyVault' -Name 'POCBLOBSASURIEsc').SecretValueText

#Container has public access since no sensitive information in files therefore no account or key required in private configuration

$fileUri = @("https://sasavpocscus.blob.core.windows.net/bootstrap/BootStrap.ps1","https://sasavpocscus.blob.core.windows.net/bootstrap/azcopy.exe")

$ExtensionName = 'BootStrap'

$ExtensionType = 'CustomScriptExtension'

$Publisher = 'Microsoft.Compute'

$Version = '1.9'

$timestamp = (Get-Date).Ticks

$PrivateConfiguration = @{"commandToExecute" = "powershell.exe -ExecutionPolicy Unrestricted -Command .\BootStrap.ps1 -SourceURI '$BLOBSASURI'"}

$PublicConfiguration = @{"fileUris" = $fileUri;"timestamp" = "$timestamp"}

Set-AzVMExtension -ResourceGroupName RG-Infra-SCUS -Location southcentralus -VMName Savazuusscwin10 `

-Name $ExtensionName -Publisher $Publisher -ExtensionType $ExtensionType -TypeHandlerVersion $Version `

-Settings $PublicConfiguration -ProtectedSettings $PrivateConfiguration

Once this worked I finally created an ARM template that included a reference to the secret and all worked as planned.

The parameter file (note I also get a secret to join the domain even though I’m not using the domain join extension in this example):

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {
            "value": "demoadmin"
        },
        "adminPassword": {
            "value": "Pa55wordPa55word"
        },
        "virtualMachineSize": {
            "value": "Standard_DS2_v2"
          },
          "virtualNetworkName": {
            "value": "VNet-Infra-EUS"
          },
          "subnetName": {
            "value": "TestSub"
          },
          "virtualNetworkResourceGroup": {
            "value": "RG-Infra-EUS"
          },
          "domainAdminUserName": {
            "value": "savilltech\\savadmin"
          },
          "domainAdminPassword": {
            "reference": {
              "keyVault": {
                "id": "/subscriptions/414a658a207/resourceGroups/RG-Infra-SCUS/providers/Microsoft.KeyVault/vaults/SavKeyVault"
              },
              "secretName": "savadminpass"
            }
          },
          "domainFQDN": {
            "value": "savilltech.net"
          },
          "artifactURI": {
            "reference": {
                "keyVault": {
                    "id": "/subscriptions/414a658a207/resourceGroups/RG-Infra-SCUS/providers/Microsoft.KeyVault/vaults/SavKeyVault"
                },
                "secretName": "POCBLOBSASURIEsc"
            }
        }
   }
}

{

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

"contentVersion": "1.0.0.0",

"parameters": {

"adminUsername": {

"value": "demoadmin"

"adminPassword": {

"value": "Pa55wordPa55word"

"virtualMachineSize": {

"value": "Standard_DS2_v2"

"virtualNetworkName": {

"value": "VNet-Infra-EUS"

"subnetName": {

"value": "TestSub"

"virtualNetworkResourceGroup": {

"value": "RG-Infra-EUS"

"domainAdminUserName": {

"value": "savilltech\\savadmin"

"domainAdminPassword": {

"reference": {

"keyVault": {

"id": "/subscriptions/414a658a207/resourceGroups/RG-Infra-SCUS/providers/Microsoft.KeyVault/vaults/SavKeyVault"

"secretName": "savadminpass"

}

"domainFQDN": {

"value": "savilltech.net"

"artifactURI": {

"reference": {

"keyVault": {

"id": "/subscriptions/414a658a207/resourceGroups/RG-Infra-SCUS/providers/Microsoft.KeyVault/vaults/SavKeyVault"

"secretName": "POCBLOBSASURIEsc"

}

The actual template (note in the CSE extension at the end I need the single quotes around the URI or it once again tries to interpret it so you have to use two, i.e. ”, to get one ‘ when it actually executes):

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "adminUsername": {
        "type": "string",
        "metadata": {
          "description": "Username for the Virtual Machine."
        }
      },
      "adminPassword": {
        "type": "securestring",
        "metadata": {
          "description": "Password for the Virtual Machine."
        }
      },
      "vmName": {
        "type": "string",
        "defaultValue": "myVM",
        "metadata": {
          "description": "Name of the VM"
        }
      },
      "virtualMachineSize": {
        "type": "string",
        "defaultValue": "Standard_DS2_v2",
        "allowedValues": [
          "Standard_DS2_v2",
          "Standard_M8-2ms",
          "Standard_M8-4ms"
        ],
        "metadata": {
          "description": "Virtual Machine Size"
        }
      },
      "domainAdminUserName": {
        "defaultValue": "savilltech\\savadmin",
        "type": "string",
        "metadata": {
          "description": "Administrator Username for the domain join account"
        }
      },
      "domainAdminPassword": {
        "type": "securestring",
        "metadata": {
          "description": "Administrator password for the domain join account"
        }
      },
      "domainFQDN": {
        "type": "string",
        "metadata": {
          "description": "Domain FQDN where the virtual machine will be joined"
        }
      },
      "ouPath": {
        "type": "string",
        "defaultValue": "",
        "metadata": {
          "description": "Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: \"OU=testOU; DC=domain; DC=Domain; DC=com\""
        }
      },
      "virtualNetworkName": {
        "type": "string",
        "metadata": {
          "description": "VNET Name"
        }
      },
      "virtualNetworkResourceGroup": {
        "type": "string",
        "metadata": {
          "description": "Resource Group VNET is deployed in"
        }
      },
      "subnetName": {
        "type": "string",
        "metadata": {
          "description": "Name of the subnet inside the VNET"
        }
      },
      "artifactURI": {
        "type": "securestring",
        "metadata": {
          "description": "URI for the artifact BLOB including SAS"
        }
      },
      "location": {
        "type": "string",
        "defaultValue": "[resourceGroup().location]",
        "metadata": {
          "description": "Location for all resources."
        }
      }
    },
    "variables": {
      "vnetID": "[resourceId(parameters('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
      "subnetRef": "[concat(variables('vnetID'),'/subnets/', parameters('subnetName'))]",
      "domainJoinOptions": 3,
      "nicName": "[concat(parameters('vmName'), 'Nic')]"
    },
    "resources": [
      {
        "apiVersion": "2018-04-01",
        "type": "Microsoft.Network/networkInterfaces",
        "name": "[variables('nicName')]",
        "location": "[parameters('location')]",
        "dependsOn": [],
        "properties": {
          "ipConfigurations": [
            {
              "name": "ipconfig1",
              "properties": {
                "privateIPAllocationMethod": "Dynamic",
                "subnet": {
                  "id": "[variables('subnetRef')]"
                }
              }
            }
          ]
        }
      },
      {
        "apiVersion": "2018-04-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[parameters('vmName')]",
        "location": "[parameters('location')]",
        "dependsOn": [
          "[variables('nicName')]"
        ],
        "properties": {
          "hardwareProfile": {
            "vmSize": "[parameters('virtualMachineSize')]"
          },
          "osProfile": {
            "computerName": "[parameters('vmName')]",
            "adminUsername": "[parameters('adminUsername')]",
            "adminPassword": "[parameters('adminPassword')]"
          },
          "storageProfile": {
            "imageReference": {
              "publisher": "MicrosoftWindowsServer",
              "offer": "WindowsServer",
              "sku": "2016-Datacenter",
              "version": "latest"
            },
            "osDisk": {
              "createOption": "FromImage"
            }
          },
          "networkProfile": {
            "networkInterfaces": [
              {
                "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
              }
            ]
          }
        },
        "resources": [
          {
            "type": "extensions",
            "name": "CustomScriptExtension",
            "apiVersion": "2017-03-30",
            "location": "[parameters('location')]",
            "dependsOn": [
              "[parameters('vmName')]"
            ],
            "properties": {
              "publisher": "Microsoft.Compute",
              "type": "CustomScriptExtension",
              "typeHandlerVersion": "1.9",
              "autoUpgradeMinorVersion": true,
              "settings": {
                "fileUris": [
                  "https://sasavpocscus.blob.core.windows.net/bootstrap/BootStrap.ps1","https://sasavpocscus.blob.core.windows.net/bootstrap/azcopy.exe"
                ],
                "commandToExecute": "[concat('powershell.exe -ExecutionPolicy Unrestricted -Command .\\BootStrap.ps1 -SourceURI ''', parameters('artifactURI'),'''')]"
              }
            }
          }
        ]
      }
    ]
  }

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

{

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

"contentVersion": "1.0.0.0",

"parameters": {

"adminUsername": {

"type": "string",

"metadata": {

"description": "Username for the Virtual Machine."

}

"adminPassword": {

"type": "securestring",

"metadata": {

"description": "Password for the Virtual Machine."

}

"vmName": {

"type": "string",

"defaultValue": "myVM",

"metadata": {

"description": "Name of the VM"

}

"virtualMachineSize": {

"type": "string",

"defaultValue": "Standard_DS2_v2",

"allowedValues": [

"Standard_DS2_v2",

"Standard_M8-2ms",

"Standard_M8-4ms"

"metadata": {

"description": "Virtual Machine Size"

}

"domainAdminUserName": {

"defaultValue": "savilltech\\savadmin",

"type": "string",

"metadata": {

"description": "Administrator Username for the domain join account"

}

"domainAdminPassword": {

"type": "securestring",

"metadata": {

"description": "Administrator password for the domain join account"

}

"domainFQDN": {

"type": "string",

"metadata": {

"description": "Domain FQDN where the virtual machine will be joined"

}

"ouPath": {

"type": "string",

"defaultValue": "",

"metadata": {

"description": "Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: \"OU=testOU; DC=domain; DC=Domain; DC=com\""

}

"virtualNetworkName": {

"type": "string",

"metadata": {

"description": "VNET Name"

}

"virtualNetworkResourceGroup": {

"type": "string",

"metadata": {

"description": "Resource Group VNET is deployed in"

}

"subnetName": {

"type": "string",

"metadata": {

"description": "Name of the subnet inside the VNET"

}

"artifactURI": {

"type": "securestring",

"metadata": {

"description": "URI for the artifact BLOB including SAS"

}

"location": {

"type": "string",

"defaultValue": "[resourceGroup().location]",

"metadata": {

"description": "Location for all resources."

}

"variables": {

"vnetID": "[resourceId(parameters('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",

"subnetRef": "[concat(variables('vnetID'),'/subnets/', parameters('subnetName'))]",

"domainJoinOptions": 3,

"nicName": "[concat(parameters('vmName'), 'Nic')]"

"resources": [

{

"apiVersion": "2018-04-01",

"type": "Microsoft.Network/networkInterfaces",

"name": "[variables('nicName')]",

"location": "[parameters('location')]",

"dependsOn": [],

"properties": {

"ipConfigurations": [

{

"name": "ipconfig1",

"properties": {

"privateIPAllocationMethod": "Dynamic",

"subnet": {

"id": "[variables('subnetRef')]"

}

]

}

{

"apiVersion": "2018-04-01",

"type": "Microsoft.Compute/virtualMachines",

"name": "[parameters('vmName')]",

"location": "[parameters('location')]",

"dependsOn": [

"[variables('nicName')]"

"properties": {

"hardwareProfile": {

"vmSize": "[parameters('virtualMachineSize')]"

"osProfile": {

"computerName": "[parameters('vmName')]",

"adminUsername": "[parameters('adminUsername')]",

"adminPassword": "[parameters('adminPassword')]"

"storageProfile": {

"imageReference": {

"publisher": "MicrosoftWindowsServer",

"offer": "WindowsServer",

"sku": "2016-Datacenter",

"version": "latest"

"osDisk": {

"createOption": "FromImage"

}

"networkProfile": {

"networkInterfaces": [

{

"id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"

}

]

}

"resources": [

{

"type": "extensions",

"name": "CustomScriptExtension",

"apiVersion": "2017-03-30",

"location": "[parameters('location')]",

"dependsOn": [

"[parameters('vmName')]"

"properties": {

"publisher": "Microsoft.Compute",

"type": "CustomScriptExtension",

"typeHandlerVersion": "1.9",

"autoUpgradeMinorVersion": true,

"settings": {

"fileUris": [

"https://sasavpocscus.blob.core.windows.net/bootstrap/BootStrap.ps1","https://sasavpocscus.blob.core.windows.net/bootstrap/azcopy.exe"

"commandToExecute": "[concat('powershell.exe -ExecutionPolicy Unrestricted -Command .\\BootStrap.ps1 -SourceURI ''', parameters('artifactURI'),'''')]"

}

]

}

]

}

And the execution (note the network and RG already existed in my environment).

New-AzResourceGroupDeployment -ResourceGroupName RG-Test-EUS `
    -TemplateFile 'vmdeploy.json' `
    -TemplateParameterFile 'vmdeploy.parameters.json'

New-AzResourceGroupDeployment -ResourceGroupName RG-Test-EUS `

-TemplateFile 'vmdeploy.json' `

-TemplateParameterFile 'vmdeploy.parameters.json'

Hope this helps!

Infrastructure as Code for the IT Admin

It’s a quiet Sunday morning and what else is there to do but create a 40 minute video walking through what Infrastructure as Code and DevOps really means for an IT admin. I walk through Azure examples and cover key concepts and tools including Visual Studio Code, Git and Azure DevOps. Enjoy 🙂

New Free Data Courses on Pluralsight Available!

Over the past two months I’ve been busy on some Data in Azure courses for Microsoft and Pluralsight. These are free and you just need to sign-up for a free account on Pluralsight. These will shortly be available via Azure as well but are available now through Pluralsight.

Design a Data Management Strategy for Microsoft Azure
https://app.pluralsight.com/library/courses/microsoft-azure-data-management-strategy-design
Design and Document Data Flows with Microsoft Azure
https://app.pluralsight.com/library/courses/microsoft-azure-data-flows-document-design
Design a Data Protection Strategy with Microsoft Azure
https://app.pluralsight.com/library/courses/microsoft-azure-data-protection-strategy-design
Plan for Data Warehousing with Microsoft Azure
https://app.pluralsight.com/library/courses/microsoft-azure-data-warehousing-plan
Identify Information Architecture Requirements with Microsoft Azure
https://app.pluralsight.com/library/courses/microsoft-azure-information-architecture-requirements-identify

Azure Stack Marketplace Management

Been doing some work with Azure Stack and wanted to easily update all the Microsoft provided extensions and a set of core images if there are new versions by running a simple script.

Script available at https://github.com/johnthebrit/AzureStack/blob/master/azurestackmarketplace.ps1. Simply run the script and after it downloads the assets it will check if there are older versions and prompt you if you want to delete the old ones.

Lots of new Azure Design and Identity free training available

I may have seemed to be very quiet over the past few months but that’s because I’ve been working pretty much every night and weekend on 11 new courses for azure.com that will shortly be available via the site but are immediately available for free via PluralSight. If you don’t have an account simply sign up for a free account and you can then access my (and other peoples tracks).

Planning Microsoft Azure Identity and Security

Planning Microsoft Azure Infrastructure

The identity track looks at identity management before diving into authentication, authorization, auditing, monitoring and risk. The infrastructure track looks at compute, storage, networking and monitoring.

I hope you find these courses useful and there are more to come.

On a side note I’m trying to raise money for Cure Childhood Cancer as part of my Ironman Chattanooga on 9/30/2018. This will be my 5th Ironman this year and 12th overall. If you can help even a little please head over to https://www.firstgiving.com/fundraiser/john-savill/IM2018 and maybe your company matches so if they do that helps as well. I’ll be trackable on the day via https://bat.live/track/imchattanooga2018?bib=356.

Thank you!

Delivering a Customizable, Graphical Insight into Azure VM Security, Health and Connectivity Using Several Azure Services Together

In this blog I want to walkthrough a solution I recently architected and implemented along with a two other MTC architects to deliver a solution we needed for two reasons:

To provide insight into the VMs hosted in Azure across the global Microsoft Technology Center environment
Showcase the use of some key Microsoft cloud technologies

The Requirement

The global MTC organization is made up of around 30 offices which each have several Azure subscriptions to host the projects they are working on and environments used in customer activities. Additionally, there are several global, shared Azure subscriptions that host core infrastructure and experiences. These subscriptions are tied to various Azure AD tenants depending on requirements. The primary subscription for each MTC also hosts a virtual network that is part of a global IP space that is connected via one of four regional ExpressRoute circuits to the MTC worldwide VPN that provides connectivity between all MTC offices.

While there is a standard governance and process guide each MTC has control of their own subscriptions and resources however from a central MTC organization perspective insight into several key factors was required.

Are the VMs registered with the central Log Analytics instance to report inventory and patch state. Log Analytics is part of the Operations Management Suite and is used to accept log information from almost any sort and then provides power analytical capabilities to use that information to provide insight into the environment. A number of solutions are included that provide visibility into best practices, patch status, anti-malware status and much more. For OS instance visibility Log Analytics uses the Microsoft Monitoring Agent (MMS) which is the same agent used by System Center Operations Manager.
What is the current patch status of the VM. This is provided by information to Log Analytics and to Azure Security Center if registered. Azure Security Center (ASC) provides a central security posture location for Azure resources including VM health, network health, storage health and more.
Is the VM connected to ExpressRoute. This can be found by checking the virtual network a VM is attached to and if that virtual network has an ExpressRoute Gateway connected.
Does the VM have a public IP and is it health. Public IP existence can be found through the properties of VM IP configurations and the health which is based on use of Network Security Groups to lock down communication through ASC.
Is the VM older than 30 days. Object creations are logged in Azure. By default, these are kept for 60 days which enables a search of the logs for the VM creation. If not found it would mean the VM is older than 60 days and if found the exact age can be determined. The age is useful as short-term VMs do not have the same levels of reporting requirements, i.e. does not have to be registered to OMS.

The insight into the health needed to be in the form to provide easy overall insight while allowing detail to be exposed through drilling down into the data.

The Solution

I started off crafting a solution in PowerShell through which I can access the full knowledge of the Azure Resource Manager via the AzureRM module and also other solutions such as Log Analytics, Azure Security Center and Azure Storage.

If you like to read the end of the book below is the final solution and what I will walk through is some of the detail you see in the picture.

The first challenge was the context to run the script under since multiple Azure AD tenants were utilized and I didn’t want to have to manage multiple credentials. Therefore, Azure AD B2B (business to business) was utilized. A single identity in the main Azure AD tenant was created and then a communication sent to each MTC to add that identity via Azure AD B2B to any local Azure AD tenant instances and then to give that account Read permissions to all subscriptions. This enabled a single credential to be used across every subscription, regardless of the Azure AD tenant the subscription was tied to. This same credential was also give rights to the Log Analytics instance all VMs reported to which enables queries to be run.

Now the access was available the next step was the actual PowerShell to gather the required information. A storage account was created that would be used to store the output of the execution which would be a basic execution report and two JSON files that contained custom objects representing the VM state and Azure subscription information.

The basic PowerShell flow is as follows:

Import the ASC and Log Analytics PowerShell modules
Access the credential that will be used
Connect to Azure using the credential
Store a list of every subscription associated to the credential in an array
Connect to the Azure Storage account to create a context for BLOB storage
Connect to the Log Analytics workspace and trigger two queries whose results were stored in two arrays
- List of all machines that report to the instance that are stored in Azure
- List of all machines that are missing patches that are stored in Azure

Create three files that contained todays date; log files, VM JSON files and subscription JSON file
Create two empty arrays that will store custom objects for VM state and subscription information
For every subscription perform the following:
- List the administrators and write to the log
- Retrieve the ASC status for the subscription and store in an array
- For every Resource Group
  - Find the virtual networks connected to ExpressRoute gateway and store in an array
  - For every VM in the Resource Group
    - Find the creation time by scanning the operational log of Azure. Save the creation time if found and if older than 30 days or report older than 30 days if no log found
    - For each NIC inspect the IP configurations
      - Is it connected to a virtual network that has ExpressRoute connectivity
      - Does it have a public IP address and if so what is the health of that public IP based on information previously saved from ASC
    - Is the VM registered in OMS
    - Is the VM missing patches based on information from OMS or ASC
    - Create a custom object using a hash table with all desired information about the VM and add to the VM object array
- Add a subscription information custom object to the subscription array
Upload the three data files generated to the Azure storage account as BLOBs

To actually run the PowerShell I used Azure Automation which not only provided a resilient engine to run the code but capabilities such as credentials which could securely store the identity that was used removing any need to hardcode it in the script itself. The schedule capability was used to trigger the runbook (the container for the PowerShell in Azure Automation) to right daily at 11pm.

At this point in an Azure Storage account was a report and two JSON files with one of them, the VM state JSON file, the most useful which enabled all information to be queried easily however the goal was to have it more easily digestible which meant PowerBI and ideally getting the data more easily available to everyone, e.g. Teams along with a notification that the nights execution was successful.

The solution was to use a Logic App (created by Ali Mazaheri, https://blogs.msdn.com/alimaz) which enables activities to be chained together using various connectors which include Azure Storage, Teams and SharePoint. The Logic App was designed with a recurrence trigger (but could also trigger based on object creations and other triggers) and to then perform the following:

List the blobs in the azurescan container (a container is like a folder in Azure Store)
For each object that is not empty
- Get the BLOB content
- Create a file containing that content in SharePoint
- Copy the BLOB to an archive BLOB
- Delete the original BLOB

Write a message to a team’s channel that the log migration was completed (Or send an email, notification to phone, etc.)

A great feature of Logic Apps is that they are implemented by adding the built-in connectors or your own API apps, Azure Functions and then graphically laying out the flow using conditions, branches and those connectors by passing output as an input for next connectors and in this case some custom expressions. Below is the key content of the Logic App (as an alternative we could have also used Azure Functions and EventGrid to achieve the same goal).

The final step was the Power BI portion to read in the file from SharePoint and provide a visualization of the data contained in the JSON. David Browne created this powerful dashboard that enabled various visualizations of the data and easy access to change the criteria of the data contained.

The Power BI Service can connect directly to SharePoint Online to read the files. Power Query in Power BI is used to identify the latest data files, convert them from JSON to a tabular format and to clean the data. The data is then loaded into an in-memory Tabular Model hosted by Power BI and configured for daily refresh.

Using the Azure PS Drive

If you leverage the Azure Cloud Shell in the Azure portal its a very convenient way to manage Azure resources using PowerShell and the CLI but you may have also noticed an actual Azure drive, i.e. Set-Location azure: and you can navigate around your Azure resources (this is actually the default location when the cloud shell opens). At the top level are subscriptions and you can then navigate to resource groups, VMs, WebApps and more.

The Azure drive is provided via the Simple Hierarchy in PowerShell (SHiPS) provider which you can see via Get-PSProvider.

The actual functionality is evolving, its a project on GitHub at https://github.com/PowerShell/SHiPS but this also means you can run this same provider outside of the Azure Cloud Shell.

You need to ensure you are running the latest version of the AzureRM module then download, install, add an Azure account and add the provider:

Update-Module AzureRM
Install-Module AzurePSDrive
Login-AzureRmAccount 
Import-Module AzurePSDrive
New-PSDrive -Name Azure -PSProvider SHiPS -root 'AzurePSDrive#Azure'

Update-Module AzureRM

Install-Module AzurePSDrive

Import-Module AzurePSDrive

New-PSDrive -Name Azure -PSProvider SHiPS -root 'AzurePSDrive#Azure'

You can now navigate to Azure: and enjoy the same feature as when in the Azure Cloud Shell.

Note this is completely different from the Azure Cloud Drive which is the persistent file storage you have in the Azure Cloud Shell that is backed by Azure Files and enables data to be saved and used between sessions. Use Get-CloudDrive to see the current configuration and if you wish to change it simply run Dismount-CloudDrive and then restart the shell and select Advanced options to customize the location.

Writing to files with Azure Automation

Azure Automation enables PowerShell (and more) to be executed as runbooks by runbook workers hosted in Azure. Additionally Azure Automation accounts bring capabilities such as credential objects to securely store credentials, variables, scheduling and more. When a runbook executes it runs in a temporary environment that does not have any persistent state and so if you want to work with files you need to save them somewhere, for example to an Azure storage account as a blob, before the runbook completes.

You can actually create and use files as normal using the default path within PowerShell during execution, just remember to save the files externally before the script completes.

For example create a file as usual:

$todaydate = Get-Date -Format MM-dd-yy 
$LogFull = "AzureScan-$todaydate.log" 
$LogItem = New-Item -ItemType File -Name $LogFull

"  Text to write" | Out-File -FilePath $LogFull -Append

$todaydate = Get-Date -Format MM-dd-yy

$LogFull = "AzureScan-$todaydate.log"

$LogItem = New-Item -ItemType File -Name $LogFull

" Text to write" | Out-File -FilePath $LogFull -Append

Then before ending the PowerShell, copy it to a blob (as an example storage place):

#Get key to storage account
$acctKey = (Get-AzureRmStorageAccountKey -Name onemtceastusfs -ResourceGroupName EastUS-Infra-RG).Value[0]

#Map to the reports BLOB context
$storageContext = New-AzureStorageContext -StorageAccountName "onemtceastusfs" -StorageAccountKey $acctKey

#Copy the file to the storage account
Set-AzureStorageBlobContent -File $LogFull -Container "azurescan" -BlobType "Block" -Context $storageContext -Verbose

#Get key to storage account

$acctKey = (Get-AzureRmStorageAccountKey -Name onemtceastusfs -ResourceGroupName EastUS-Infra-RG).Value[0]

#Map to the reports BLOB context

$storageContext = New-AzureStorageContext -StorageAccountName "onemtceastusfs" -StorageAccountKey $acctKey

#Copy the file to the storage account

Set-AzureStorageBlobContent -File $LogFull -Container "azurescan" -BlobType "Block" -Context $storageContext -Verbose

Easily create multiple subnets in an Azure Virtual Network

I recently needed to create a whole set of subnets in a large number of virtual networks of various sizes. I thought some variables would be a great way to quickly create the set of subnets in each virtual network which were each /20 networks in a shared class B IP which enabled 16 virtual networks per Class B IP space. The goal was to show that each subnet didn’t need to be a full class C (/24) in instead we could use smaller subnets based on the number of hosts actually required. I’ve included the comments which explains the subnets created and the number of hosts supported in each.

#10.x.y.0/26            Gateway subnet      255.255.255.192     reserved for gateway, no hosts
#10.x.y.64/26           Subnet1             255.255.255.192     59 usable
#10.x.y.128/26          Subnet2             255.255.255.192     59 usable
#10.x.y.192/26          Subnet3             255.255.255.192     59 usable
#10.x.y+1.0/25          Subnet4             255.255.255.128     123 usable
#10.x.y+1.128/25        Subnet5             255.255.255.128     123 usable
#10.x.y+2.0/24          Subnet6             255.255.255.0       251 usable
#10.x.y+3.0/27          Subnet7             255.255.255.224     27 usable
#10.x.y+3.32/27         Subnet8             255.255.255.224     27 usable
#10.x.y+3.64/27         Subnet9             255.255.255.224     27 usable
#10.x.y+3.96/27         Subnet10            255.255.255.224     27 usable
#10.x.y+3.128/26        Subnet11            255.255.255.192     59 usable
#10.x.y+3.192/26        Subnet12            255.255.255.192     59 usable
#
#As can be seen subnets can be a variety of sizes based on the number of IPs required in each. It is recommended to use the
#smallest subnet possible to optimize IP address space
#
#3rd octet increase by 16 for each virtual network

$BaseCIDR = "10.240.32.0/20" #This would change for each network
$IPSplit = $BaseCIDR.Split(".")
$First2Octet = "$($IPSplit[0]).$($IPSplit[1])"
$3rdOctet = [int]$IPSplit[2]

#Set the NSG, VNet and resource group names as variables $NSGName, $VNetName and $VNetRG

$NSG = Get-AzureRmNetworkSecurityGroup -Name $NSGName -ResourceGroupName $VNetRG
$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $VNetRG

$GWSubnet ="$First2Octet.$3rdOctet.0/26"
Write-Output "Creating GW Subnet: $GWSubnet"

$subnets = "$First2Octet.$3rdOctet.64/26","$First2Octet.$3rdOctet.128/26","$First2Octet.$3rdOctet.192/26","$First2Octet.$($3rdOctet+1).0/25",
    "$First2Octet.$($3rdOctet+1).128/25","$First2Octet.$($3rdOctet+2).0/24","$First2Octet.$($3rdOctet+3).0/27","$First2Octet.$($3rdOctet+3).32/27",
    "$First2Octet.$($3rdOctet+3).64/27","$First2Octet.$($3rdOctet+3).96/27","$First2Octet.$($3rdOctet+3).128/26","$First2Octet.$($3rdOctet+3).192/26"

$subnetno=1
foreach($subnet in $subnets)
{
    Write-Output "Creating subnet $subnet"
    Add-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name "Subnet$subnetno" `
        -AddressPrefix $subnet -NetworkSecurityGroup $NSG
    $subnetno++
}

Set-AzureRmVirtualNetwork -VirtualNetwork $VNet

Write-Output "A /24 gives 251 usable, a /25 gives 123 usable, /26 gives 59 usable and a /27 gives 27 usable"
Write-Output "These subnets are created as defaults and to give examples. You can create additional subnets up to $First2Octet.$($3rdOctet+15).x"

#10.x.y.0/26 Gateway subnet 255.255.255.192 reserved for gateway, no hosts

#10.x.y.64/26 Subnet1 255.255.255.192 59 usable

#10.x.y.128/26 Subnet2 255.255.255.192 59 usable

#10.x.y.192/26 Subnet3 255.255.255.192 59 usable

#10.x.y+1.0/25 Subnet4 255.255.255.128 123 usable

#10.x.y+1.128/25 Subnet5 255.255.255.128 123 usable

#10.x.y+2.0/24 Subnet6 255.255.255.0 251 usable

#10.x.y+3.0/27 Subnet7 255.255.255.224 27 usable

#10.x.y+3.32/27 Subnet8 255.255.255.224 27 usable

#10.x.y+3.64/27 Subnet9 255.255.255.224 27 usable

#10.x.y+3.96/27 Subnet10 255.255.255.224 27 usable

#10.x.y+3.128/26 Subnet11 255.255.255.192 59 usable

#10.x.y+3.192/26 Subnet12 255.255.255.192 59 usable

#As can be seen subnets can be a variety of sizes based on the number of IPs required in each. It is recommended to use the

#smallest subnet possible to optimize IP address space

#3rd octet increase by 16 for each virtual network

$BaseCIDR = "10.240.32.0/20" #This would change for each network

$IPSplit = $BaseCIDR.Split(".")

$First2Octet = "$($IPSplit[0]).$($IPSplit[1])"

$3rdOctet = [int]$IPSplit[2]

#Set the NSG, VNet and resource group names as variables $NSGName, $VNetName and $VNetRG

$NSG = Get-AzureRmNetworkSecurityGroup -Name $NSGName -ResourceGroupName $VNetRG

$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $VNetRG

$GWSubnet ="$First2Octet.$3rdOctet.0/26"

Write-Output "Creating GW Subnet: $GWSubnet"

$subnets = "$First2Octet.$3rdOctet.64/26","$First2Octet.$3rdOctet.128/26","$First2Octet.$3rdOctet.192/26","$First2Octet.$($3rdOctet+1).0/25",

"$First2Octet.$($3rdOctet+1).128/25","$First2Octet.$($3rdOctet+2).0/24","$First2Octet.$($3rdOctet+3).0/27","$First2Octet.$($3rdOctet+3).32/27",

"$First2Octet.$($3rdOctet+3).64/27","$First2Octet.$($3rdOctet+3).96/27","$First2Octet.$($3rdOctet+3).128/26","$First2Octet.$($3rdOctet+3).192/26"

$subnetno=1

foreach($subnet in $subnets)

{

Write-Output "Creating subnet $subnet"

Add-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name "Subnet$subnetno" `

-AddressPrefix $subnet -NetworkSecurityGroup $NSG

$subnetno++

}

Set-AzureRmVirtualNetwork -VirtualNetwork $VNet

Write-Output "A /24 gives 251 usable, a /25 gives 123 usable, /26 gives 59 usable and a /27 gives 27 usable"

Write-Output "These subnets are created as defaults and to give examples. You can create additional subnets up to $First2Octet.$($3rdOctet+15).x"

Use an Application Image from the Azure Marketplace using PowerShell

I recently needed to deploy a special type of VM from the Azure Marketplace using PowerShell and the deployment was not the same as regular Windows or Linux VM.

First I knew the app I wanted to use, e.g. https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoft-ads.windows-data-science-vm but wasn’t sure of the publisher or offer. With hindsight it shows you right in the URL, Microsoft-ads is the publisher and windows-data-science-vm is the offer but I initially just searched for what I wanted using the following and looked for it (first part of the code), then got the detail as usual (last two lines):

$publishers = Get-AzureRmVMImagePublisher -Location $Region
foreach($publisher in $publishers)
{
    Get-AzureRmVMImageOffer -Location $Region -PublisherName $publisher.PublisherName | ft Offer,PublisherName -AutoSize
}
Get-AzureRmVMImageSku -Location $Region -PublisherName "microsoft-ads" -Offer "windows-data-science-vm"
Get-AzureRmVMImage -Location $Region -PublisherName "microsoft-ads" -Offer "windows-data-science-vm" -Skus "windows2016"

$publishers = Get-AzureRmVMImagePublisher -Location $Region

foreach($publisher in $publishers)

{

Get-AzureRmVMImageOffer -Location $Region -PublisherName $publisher.PublisherName | ft Offer,PublisherName -AutoSize

}

Get-AzureRmVMImageSku -Location $Region -PublisherName "microsoft-ads" -Offer "windows-data-science-vm"

Get-AzureRmVMImage -Location $Region -PublisherName "microsoft-ads" -Offer "windows-data-science-vm" -Skus "windows2016"

Now I knew the publisher, offer and SKU I could add that configuration to my VM.

$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName microsoft-ads -Offer windows-data-science-vm `
    -Skus windows2016 -Version latest

1 2	$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName microsoft-ads -Offer windows-data-science-vm ` -Skus windows2016 -Version latest

However, when using the application there are a few other steps. You need to set a plan and also accept the terms of the app. Fortunately it’s easy to do.

$vm = Set-AzureRmVMPlan -VM $vm -Name windows2016 -Product windows-data-science-vm -Publisher microsoft-ads

#Have to accept terms
Get-AzureRmMarketplaceTerms -Name windows2016 -Product windows-data-science-vm -Publisher microsoft-ads |
    Set-AzureRmMarketplaceTerms -Accept

$vm = Set-AzureRmVMPlan -VM $vm -Name windows2016 -Product windows-data-science-vm -Publisher microsoft-ads

#Have to accept terms

Get-AzureRmMarketplaceTerms -Name windows2016 -Product windows-data-science-vm -Publisher microsoft-ads |

Set-AzureRmMarketplaceTerms -Accept

That was it. Basically the only additional work is setting the plan and accepting the marketplace terms and the data needed for those commands are the same values used for the source image, just PublisherName > Publisher, Offer > Product and SKUs > Name. The exact same would apply if using JSON. Easy!

John Savill's Corner of the Web

Computer related thoughts from John

Microsoft Azure

Deploying Agents to Azure IaaS VMs using the Custom Script Extension

Infrastructure as Code for the IT Admin

New Free Data Courses on Pluralsight Available!

Azure Stack Marketplace Management

Lots of new Azure Design and Identity free training available

Delivering a Customizable, Graphical Insight into Azure VM Security, Health and Connectivity Using Several Azure Services Together

The Requirement

The Solution

Using the Azure PS Drive

Writing to files with Azure Automation

Easily create multiple subnets in an Azure Virtual Network

Use an Application Image from the Azure Marketplace using PowerShell