John Savill's Corner of the Web

Using the Azure PS Drive

If you leverage the Azure Cloud Shell in the Azure portal its a very convenient way to manage Azure resources using PowerShell and the CLI but you may have also noticed an actual Azure drive, i.e. Set-Location azure: and you can navigate around your Azure resources (this is actually the default location when the cloud shell opens). At the top level are subscriptions and you can then navigate to resource groups, VMs, WebApps and more.

The Azure drive is provided via the Simple Hierarchy in PowerShell (SHiPS) provider which you can see via Get-PSProvider.

The actual functionality is evolving, its a project on GitHub at https://github.com/PowerShell/SHiPS but this also means you can run this same provider outside of the Azure Cloud Shell.

You need to ensure you are running the latest version of the AzureRM module then download, install, add an Azure account and add the provider:

Update-Module AzureRM
Install-Module AzurePSDrive
Login-AzureRmAccount 
Import-Module AzurePSDrive
New-PSDrive -Name Azure -PSProvider SHiPS -root 'AzurePSDrive#Azure'

Update-Module AzureRM

Install-Module AzurePSDrive

Import-Module AzurePSDrive

New-PSDrive -Name Azure -PSProvider SHiPS -root 'AzurePSDrive#Azure'

You can now navigate to Azure: and enjoy the same feature as when in the Azure Cloud Shell.

Note this is completely different from the Azure Cloud Drive which is the persistent file storage you have in the Azure Cloud Shell that is backed by Azure Files and enables data to be saved and used between sessions. Use Get-CloudDrive to see the current configuration and if you wish to change it simply run Dismount-CloudDrive and then restart the shell and select Advanced options to customize the location.

Writing to files with Azure Automation

Azure Automation enables PowerShell (and more) to be executed as runbooks by runbook workers hosted in Azure. Additionally Azure Automation accounts bring capabilities such as credential objects to securely store credentials, variables, scheduling and more. When a runbook executes it runs in a temporary environment that does not have any persistent state and so if you want to work with files you need to save them somewhere, for example to an Azure storage account as a blob, before the runbook completes.

You can actually create and use files as normal using the default path within PowerShell during execution, just remember to save the files externally before the script completes.

For example create a file as usual:

$todaydate = Get-Date -Format MM-dd-yy 
$LogFull = "AzureScan-$todaydate.log" 
$LogItem = New-Item -ItemType File -Name $LogFull

"  Text to write" | Out-File -FilePath $LogFull -Append

$todaydate = Get-Date -Format MM-dd-yy

$LogFull = "AzureScan-$todaydate.log"

$LogItem = New-Item -ItemType File -Name $LogFull

" Text to write" | Out-File -FilePath $LogFull -Append

Then before ending the PowerShell, copy it to a blob (as an example storage place):

#Get key to storage account
$acctKey = (Get-AzureRmStorageAccountKey -Name onemtceastusfs -ResourceGroupName EastUS-Infra-RG).Value[0]

#Map to the reports BLOB context
$storageContext = New-AzureStorageContext -StorageAccountName "onemtceastusfs" -StorageAccountKey $acctKey

#Copy the file to the storage account
Set-AzureStorageBlobContent -File $LogFull -Container "azurescan" -BlobType "Block" -Context $storageContext -Verbose

#Get key to storage account

$acctKey = (Get-AzureRmStorageAccountKey -Name onemtceastusfs -ResourceGroupName EastUS-Infra-RG).Value[0]

#Map to the reports BLOB context

$storageContext = New-AzureStorageContext -StorageAccountName "onemtceastusfs" -StorageAccountKey $acctKey

#Copy the file to the storage account

Set-AzureStorageBlobContent -File $LogFull -Container "azurescan" -BlobType "Block" -Context $storageContext -Verbose

Easily create multiple subnets in an Azure Virtual Network

I recently needed to create a whole set of subnets in a large number of virtual networks of various sizes. I thought some variables would be a great way to quickly create the set of subnets in each virtual network which were each /20 networks in a shared class B IP which enabled 16 virtual networks per Class B IP space. The goal was to show that each subnet didn’t need to be a full class C (/24) in instead we could use smaller subnets based on the number of hosts actually required. I’ve included the comments which explains the subnets created and the number of hosts supported in each.

#10.x.y.0/26            Gateway subnet      255.255.255.192     reserved for gateway, no hosts
#10.x.y.64/26           Subnet1             255.255.255.192     59 usable
#10.x.y.128/26          Subnet2             255.255.255.192     59 usable
#10.x.y.192/26          Subnet3             255.255.255.192     59 usable
#10.x.y+1.0/25          Subnet4             255.255.255.128     123 usable
#10.x.y+1.128/25        Subnet5             255.255.255.128     123 usable
#10.x.y+2.0/24          Subnet6             255.255.255.0       251 usable
#10.x.y+3.0/27          Subnet7             255.255.255.224     27 usable
#10.x.y+3.32/27         Subnet8             255.255.255.224     27 usable
#10.x.y+3.64/27         Subnet9             255.255.255.224     27 usable
#10.x.y+3.96/27         Subnet10            255.255.255.224     27 usable
#10.x.y+3.128/26        Subnet11            255.255.255.192     59 usable
#10.x.y+3.192/26        Subnet12            255.255.255.192     59 usable
#
#As can be seen subnets can be a variety of sizes based on the number of IPs required in each. It is recommended to use the
#smallest subnet possible to optimize IP address space
#
#3rd octet increase by 16 for each virtual network

$BaseCIDR = "10.240.32.0/20" #This would change for each network
$IPSplit = $BaseCIDR.Split(".")
$First2Octet = "$($IPSplit[0]).$($IPSplit[1])"
$3rdOctet = [int]$IPSplit[2]

#Set the NSG, VNet and resource group names as variables $NSGName, $VNetName and $VNetRG

$NSG = Get-AzureRmNetworkSecurityGroup -Name $NSGName -ResourceGroupName $VNetRG
$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $VNetRG

$GWSubnet ="$First2Octet.$3rdOctet.0/26"
Write-Output "Creating GW Subnet: $GWSubnet"

$subnets = "$First2Octet.$3rdOctet.64/26","$First2Octet.$3rdOctet.128/26","$First2Octet.$3rdOctet.192/26","$First2Octet.$($3rdOctet+1).0/25",
    "$First2Octet.$($3rdOctet+1).128/25","$First2Octet.$($3rdOctet+2).0/24","$First2Octet.$($3rdOctet+3).0/27","$First2Octet.$($3rdOctet+3).32/27",
    "$First2Octet.$($3rdOctet+3).64/27","$First2Octet.$($3rdOctet+3).96/27","$First2Octet.$($3rdOctet+3).128/26","$First2Octet.$($3rdOctet+3).192/26"

$subnetno=1
foreach($subnet in $subnets)
{
    Write-Output "Creating subnet $subnet"
    Add-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name "Subnet$subnetno" `
        -AddressPrefix $subnet -NetworkSecurityGroup $NSG
    $subnetno++
}

Set-AzureRmVirtualNetwork -VirtualNetwork $VNet

Write-Output "A /24 gives 251 usable, a /25 gives 123 usable, /26 gives 59 usable and a /27 gives 27 usable"
Write-Output "These subnets are created as defaults and to give examples. You can create additional subnets up to $First2Octet.$($3rdOctet+15).x"

#10.x.y.0/26 Gateway subnet 255.255.255.192 reserved for gateway, no hosts

#10.x.y.64/26 Subnet1 255.255.255.192 59 usable

#10.x.y.128/26 Subnet2 255.255.255.192 59 usable

#10.x.y.192/26 Subnet3 255.255.255.192 59 usable

#10.x.y+1.0/25 Subnet4 255.255.255.128 123 usable

#10.x.y+1.128/25 Subnet5 255.255.255.128 123 usable

#10.x.y+2.0/24 Subnet6 255.255.255.0 251 usable

#10.x.y+3.0/27 Subnet7 255.255.255.224 27 usable

#10.x.y+3.32/27 Subnet8 255.255.255.224 27 usable

#10.x.y+3.64/27 Subnet9 255.255.255.224 27 usable

#10.x.y+3.96/27 Subnet10 255.255.255.224 27 usable

#10.x.y+3.128/26 Subnet11 255.255.255.192 59 usable

#10.x.y+3.192/26 Subnet12 255.255.255.192 59 usable

#As can be seen subnets can be a variety of sizes based on the number of IPs required in each. It is recommended to use the

#smallest subnet possible to optimize IP address space

#3rd octet increase by 16 for each virtual network

$BaseCIDR = "10.240.32.0/20" #This would change for each network

$IPSplit = $BaseCIDR.Split(".")

$First2Octet = "$($IPSplit[0]).$($IPSplit[1])"

$3rdOctet = [int]$IPSplit[2]

#Set the NSG, VNet and resource group names as variables $NSGName, $VNetName and $VNetRG

$NSG = Get-AzureRmNetworkSecurityGroup -Name $NSGName -ResourceGroupName $VNetRG

$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $VNetRG

$GWSubnet ="$First2Octet.$3rdOctet.0/26"

Write-Output "Creating GW Subnet: $GWSubnet"

$subnets = "$First2Octet.$3rdOctet.64/26","$First2Octet.$3rdOctet.128/26","$First2Octet.$3rdOctet.192/26","$First2Octet.$($3rdOctet+1).0/25",

"$First2Octet.$($3rdOctet+1).128/25","$First2Octet.$($3rdOctet+2).0/24","$First2Octet.$($3rdOctet+3).0/27","$First2Octet.$($3rdOctet+3).32/27",

"$First2Octet.$($3rdOctet+3).64/27","$First2Octet.$($3rdOctet+3).96/27","$First2Octet.$($3rdOctet+3).128/26","$First2Octet.$($3rdOctet+3).192/26"

$subnetno=1

foreach($subnet in $subnets)

{

Write-Output "Creating subnet $subnet"

Add-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name "Subnet$subnetno" `

-AddressPrefix $subnet -NetworkSecurityGroup $NSG

$subnetno++

}

Set-AzureRmVirtualNetwork -VirtualNetwork $VNet

Write-Output "A /24 gives 251 usable, a /25 gives 123 usable, /26 gives 59 usable and a /27 gives 27 usable"

Write-Output "These subnets are created as defaults and to give examples. You can create additional subnets up to $First2Octet.$($3rdOctet+15).x"

Use an Application Image from the Azure Marketplace using PowerShell

I recently needed to deploy a special type of VM from the Azure Marketplace using PowerShell and the deployment was not the same as regular Windows or Linux VM.

First I knew the app I wanted to use, e.g. https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoft-ads.windows-data-science-vm but wasn’t sure of the publisher or offer. With hindsight it shows you right in the URL, Microsoft-ads is the publisher and windows-data-science-vm is the offer but I initially just searched for what I wanted using the following and looked for it (first part of the code), then got the detail as usual (last two lines):

$publishers = Get-AzureRmVMImagePublisher -Location $Region
foreach($publisher in $publishers)
{
    Get-AzureRmVMImageOffer -Location $Region -PublisherName $publisher.PublisherName | ft Offer,PublisherName -AutoSize
}
Get-AzureRmVMImageSku -Location $Region -PublisherName "microsoft-ads" -Offer "windows-data-science-vm"
Get-AzureRmVMImage -Location $Region -PublisherName "microsoft-ads" -Offer "windows-data-science-vm" -Skus "windows2016"

$publishers = Get-AzureRmVMImagePublisher -Location $Region

foreach($publisher in $publishers)

{

Get-AzureRmVMImageOffer -Location $Region -PublisherName $publisher.PublisherName | ft Offer,PublisherName -AutoSize

}

Get-AzureRmVMImageSku -Location $Region -PublisherName "microsoft-ads" -Offer "windows-data-science-vm"

Get-AzureRmVMImage -Location $Region -PublisherName "microsoft-ads" -Offer "windows-data-science-vm" -Skus "windows2016"

Now I knew the publisher, offer and SKU I could add that configuration to my VM.

$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName microsoft-ads -Offer windows-data-science-vm `
    -Skus windows2016 -Version latest

1 2	$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName microsoft-ads -Offer windows-data-science-vm ` -Skus windows2016 -Version latest

However, when using the application there are a few other steps. You need to set a plan and also accept the terms of the app. Fortunately it’s easy to do.

$vm = Set-AzureRmVMPlan -VM $vm -Name windows2016 -Product windows-data-science-vm -Publisher microsoft-ads

#Have to accept terms
Get-AzureRmMarketplaceTerms -Name windows2016 -Product windows-data-science-vm -Publisher microsoft-ads |
    Set-AzureRmMarketplaceTerms -Accept

$vm = Set-AzureRmVMPlan -VM $vm -Name windows2016 -Product windows-data-science-vm -Publisher microsoft-ads

#Have to accept terms

Get-AzureRmMarketplaceTerms -Name windows2016 -Product windows-data-science-vm -Publisher microsoft-ads |

Set-AzureRmMarketplaceTerms -Accept

That was it. Basically the only additional work is setting the plan and accepting the marketplace terms and the data needed for those commands are the same values used for the source image, just PublisherName > Publisher, Offer > Product and SKUs > Name. The exact same would apply if using JSON. Easy!

Deploying an Azure IaaS VM using PowerShell

I recently had to deploy some new VMs and wanted to use PowerShell and also join them to a domain and get the anti-malware extension used. Below is the PowerShell I used. You would need to modify the variables in the below to match your own domains.

$Region = "EastUS"
$VNetName = "savilltech-vnet-east"
$VNetRG = "savilltech-vnets_rg"
$VNetSubnetName = "savilltech-vnet-east-savhybridinfra-vms"
$VNetSubnetCIDR = "10.244.3.64/26"
$NSGName = "savNSGLockdownEastUS"
$VMRG = "savilltech-savhybridinfra_rg"

$SQLVMName = "AZUUSESQL01"
$SQLVMSize = "Standard_DS3_v2" #4vcpu 16GB memory
$SQLVMIP = "10.244.3.68"

$VMDiagName = "savhybridinfradiag"

#Domain Join Strings
$string1 = '{
    "Name": "savilltech.net",
    "User": "savilltech.net\\adminname",
    "OUPath": "OU=Servers,OU=Hybrid,OU=Environments,DC=savilltech,DC=net",
    "Restart": "true",
    "Options": "3"
        }'
$string2 = '{ "Password": "rawpasswordhere" }'


#Get the network subnet
$NSG = Get-AzureRmNetworkSecurityGroup -Name $NSGName -ResourceGroupName $VNetRG
$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $VNetRG
$VNetSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $VNetSubnetName -VirtualNetwork $VNet    

#Local Credential
$user = "localadmin"
$password = 'localadminpasshere'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword) 

# Antimalware extension
$SettingsString = '{ "AntimalwareEnabled": true,"RealtimeProtectionEnabled": true}';
$allVersions= (Get-AzureRmVMExtensionImage -Location $Region -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$typeHandlerVer = $allVersions[($allVersions.count)-1]
$typeHandlerVerMjandMn = $typeHandlerVer.split(".")
$typeHandlerVerMjandMn = $typeHandlerVerMjandMn[0] + "." + $typeHandlerVerMjandMn[1]


#Create the resource group
New-AzureRmResourceGroup -Name $VMRG -Location $Region

#Create the diagnostics storage account
New-AzureRmStorageAccount -ResourceGroupName $VMRG -Name $VMDiagName -SkuName Standard_LRS -Location $Region

# Create VM Object
$vm = New-AzureRmVMConfig -VMName $SQLVMName -VMSize $SQLVMSize 

$nic = New-AzureRmNetworkInterface -Name ('nic-' + $SQLVMName) -ResourceGroupName $VMRG -Location $Region `
    -SubnetId $VNetSubnet.Id -PrivateIpAddress $SQLVMIP

# Add NIC to VM
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id

# VM Storage
$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer `
    -Skus 2016-Datacenter -Version latest
$vm = Set-AzureRmVMOSDisk -VM $vm  -StorageAccountType PremiumLRS -DiskSizeInGB 512 `
    -CreateOption FromImage -Caching ReadWrite -Name "$SQLVMName-OS"
$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $SQLVMName `
    -Credential $cred -ProvisionVMAgent -EnableAutoUpdate

$diskConfig = New-AzureRmDiskConfig -AccountType PremiumLRS -Location $Region -CreateOption Empty `
        -DiskSizeGB 2048
$dataDisk1 = New-AzureRmDisk -DiskName "$SQLVMName-data1" -Disk $diskConfig -ResourceGroupName $VMRG
$vm = Add-AzureRmVMDataDisk -VM $vm -Name "$SQLVMName-data1" -CreateOption Attach `
    -ManagedDiskId $dataDisk1.Id -Lun 1

$vm = Set-AzureRmVMBootDiagnostics -VM $vm -Enable -ResourceGroupName $VMRG -StorageAccountName $VMDiagName

# Create Virtual Machine
New-AzureRmVM -ResourceGroupName $VMRG -Location $Region -VM $vm

Set-AzureRmVMExtension -ResourceGroupName $VMRG -VMName $SQLVMName -Name "IaaSAntimalware" `
    -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" `
    -TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $SettingsString -Location $Region

Set-AzureRmVMExtension -ResourceGroupName $VMRG -VMName $SQLVMName -ExtensionType "JsonADDomainExtension" `
    -Name "joindomain" -Publisher "Microsoft.Compute" -TypeHandlerVersion "1.0" -Location $Region `
    -SettingString $string1 -ProtectedSettingString $string2

$Region = "EastUS"

$VNetName = "savilltech-vnet-east"

$VNetRG = "savilltech-vnets_rg"

$VNetSubnetName = "savilltech-vnet-east-savhybridinfra-vms"

$VNetSubnetCIDR = "10.244.3.64/26"

$NSGName = "savNSGLockdownEastUS"

$VMRG = "savilltech-savhybridinfra_rg"

$SQLVMName = "AZUUSESQL01"

$SQLVMSize = "Standard_DS3_v2" #4vcpu 16GB memory

$SQLVMIP = "10.244.3.68"

$VMDiagName = "savhybridinfradiag"

#Domain Join Strings

$string1 = '{

"Name": "savilltech.net",

"User": "savilltech.net\\adminname",

"OUPath": "OU=Servers,OU=Hybrid,OU=Environments,DC=savilltech,DC=net",

"Restart": "true",

"Options": "3"

$string2 = '{ "Password": "rawpasswordhere" }'

#Get the network subnet

$NSG = Get-AzureRmNetworkSecurityGroup -Name $NSGName -ResourceGroupName $VNetRG

$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $VNetRG

$VNetSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $VNetSubnetName -VirtualNetwork $VNet

#Local Credential

$user = "localadmin"

$password = 'localadminpasshere'

$securePassword = ConvertTo-SecureString $password -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword)

# Antimalware extension

$SettingsString = '{ "AntimalwareEnabled": true,"RealtimeProtectionEnabled": true}';

$allVersions= (Get-AzureRmVMExtensionImage -Location $Region -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version

$typeHandlerVer = $allVersions[($allVersions.count)-1]

$typeHandlerVerMjandMn = $typeHandlerVer.split(".")

$typeHandlerVerMjandMn = $typeHandlerVerMjandMn[0] + "." + $typeHandlerVerMjandMn[1]

#Create the resource group

New-AzureRmResourceGroup -Name $VMRG -Location $Region

#Create the diagnostics storage account

New-AzureRmStorageAccount -ResourceGroupName $VMRG -Name $VMDiagName -SkuName Standard_LRS -Location $Region

# Create VM Object

$vm = New-AzureRmVMConfig -VMName $SQLVMName -VMSize $SQLVMSize

$nic = New-AzureRmNetworkInterface -Name ('nic-' + $SQLVMName) -ResourceGroupName $VMRG -Location $Region `

-SubnetId $VNetSubnet.Id -PrivateIpAddress $SQLVMIP

# Add NIC to VM

$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id

# VM Storage

$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer `

-Skus 2016-Datacenter -Version latest

$vm = Set-AzureRmVMOSDisk -VM $vm -StorageAccountType PremiumLRS -DiskSizeInGB 512 `

-CreateOption FromImage -Caching ReadWrite -Name "$SQLVMName-OS"

$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $SQLVMName `

-Credential $cred -ProvisionVMAgent -EnableAutoUpdate

$diskConfig = New-AzureRmDiskConfig -AccountType PremiumLRS -Location $Region -CreateOption Empty `

-DiskSizeGB 2048

$dataDisk1 = New-AzureRmDisk -DiskName "$SQLVMName-data1" -Disk $diskConfig -ResourceGroupName $VMRG

$vm = Add-AzureRmVMDataDisk -VM $vm -Name "$SQLVMName-data1" -CreateOption Attach `

-ManagedDiskId $dataDisk1.Id -Lun 1

$vm = Set-AzureRmVMBootDiagnostics -VM $vm -Enable -ResourceGroupName $VMRG -StorageAccountName $VMDiagName

# Create Virtual Machine

New-AzureRmVM -ResourceGroupName $VMRG -Location $Region -VM $vm

Set-AzureRmVMExtension -ResourceGroupName $VMRG -VMName $SQLVMName -Name "IaaSAntimalware" `

-Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" `

-TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $SettingsString -Location $Region

Set-AzureRmVMExtension -ResourceGroupName $VMRG -VMName $SQLVMName -ExtensionType "JsonADDomainExtension" `

-Name "joindomain" -Publisher "Microsoft.Compute" -TypeHandlerVersion "1.0" -Location $Region `

-SettingString $string1 -ProtectedSettingString $string2

Using Azure Application Gateway to publish applications

I was recently part of a project to deploy SharePoint and Office Online Server (OOS) to Azure IaaS as part of a hybrid deployment. A requirement was to make the SharePoint available to the Internet in addition to the OOS (enabling editing of documents/previews online).

The deployment was very simple, 3 VMs were deployed to a subnet that has connectivity to an existing AD:

SQL Server – 10.244.3.68
SharePoint Server – 10.244.3.69, alias record sharepoint.onemtcqa.net
OOS Server – 10.244.3.70, alias oos.onemtcqa.net

The alias records were created on the internal DNS and external DNS, a split-brain DNS. We also had a wildcard certificate for onemtcqa.net which we could therefore use for https for both sites.

Azure has two built-in load balancer solutions (with more available through 3rd party solutions and virtual appliances).

The layer 4 Azure Load Balancer which could have been used by configuring the front-end as a public IP and supports any protocol
The layer 7 Azure Application Gateway that in addition to providing capabilities like SSL offload and cookie based affinity also has the optional Web Application Firewall to provide additional protection. More information on the Application Gateway can be found at https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-introduction. The front-end IP can be internal or public and the back end can load balance to multiple targets (like the layer 4 load balancer option).

Because the services being published were HTTP based, it made sense to utilize the Azure Application Gateway and would provide a great reason to get hands on with the technology. Additionally the added protection via the WAF was a huge benefit.

There are various SKU sizes available for the Azure Application Gateway along with the choice of Standard or WAF integration. Information on the sizes and pricing can be found at https://azure.microsoft.com/en-us/pricing/details/application-gateway/. I used the Medium size which is the smallest possible when using the WAF tier.

There are a number of settings related to the App Gateway which all relate to each other in a specific manner which provides the complete solution. A single App Gateway can publish multiple sites which meant I only needed a single App Gateway instance with a single public IP for both the sites I needed to publish.

Below is a basic picture of the key components related to an App Gateway that I put together to aid in my own understanding! The arrows show directions of link, so the Rule links to three other items which really bind everything together.

When deploying the Application Gateway through the portal there are some initial configurations:

The SKU
The virtual network it will connect to and you must specify an empty subnet that can only be populated by App Gateway resources. This should be at least a /29
The front end IP and if a public IP is created it must be dynamic and cannot have a custom DNS name
If the listener is HTTP or HTTPs and the port

Note, if using a public IP, because it is dynamic and cannot have a custom DNS name you can check its actual DNS name using PowerShell and then create an alias on the Internet to that DNS name. Use Get-AzureRmPublicIPAddress and use the DnsSettings.Fqdn attribute. For example:

(Get-AzureRmPublicIpAddress -Name HybridInfraAppGatewayQA -ResourceGroupName onemtcqa-exphybridinfra_rg |
    Select-Object -ExpandProperty DnsSettings).Fqdn

1 2	(Get-AzureRmPublicIpAddress -Name HybridInfraAppGatewayQA -ResourceGroupName onemtcqa-exphybridinfra_rg \| Select-Object -ExpandProperty DnsSettings).Fqdn

The name will be <GUID>.cloudapp.net. I created two alias records, sharepoint and oos, both pointing to this name on the public DNS servers.

Once created we need to tweak some things from those created by the portal wizard.

The virtual subnet that is used for the App Gateway needs its NSG modified as some additional ports must be opened from the Any source to the Virtual Network (this is in addition to the AzureLoadBalancer default inbound rule). Add an inbound rule to allow 65503-65534 TCP from Any to VirtualNetwork. Note this only needs to be enabled on the NSG applied to the Application Gateways subnet and NOT the subnets containing the actual back-end resources. Also ensure the Application Gateway subnet can communicate with the subnets hosting the services.

By default the built-in probe that checks if a backend target is healthy and a possible target for traffic looks for a response between 200 and 399 as a healthy response (per https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-probe-overview) however for the SharePoint site this won’t work as it prompts for authentication so we need to create a custom probe on HTTPS which accepts 200-401. This can be done with PowerShell (I’m using the internal DNS name here which is the same as external):

$gw = Get-AzureRmApplicationGateway -Name HybridInfraAppGatewayQA -ResourceGroupName onemtcqa-exphybridinfra_rg

# Define the status codes to match for the probe
$match=New-AzureRmApplicationGatewayProbeHealthResponseMatch -StatusCode 200-401

# Add a new probe to the application gateway
Add-AzureRmApplicationGatewayProbeConfig -name AppGatewaySPProbe -ApplicationGateway $gw -Protocol Https -Path / -Interval 30 -Timeout 120 -UnhealthyThreshold 3 -Match $match -HostName sharepoint.onemtcqa.net

Set-AzureRmApplicationGateway -ApplicationGateway $gw

$gw = Get-AzureRmApplicationGateway -Name HybridInfraAppGatewayQA -ResourceGroupName onemtcqa-exphybridinfra_rg

# Define the status codes to match for the probe

$match=New-AzureRmApplicationGatewayProbeHealthResponseMatch -StatusCode 200-401

# Add a new probe to the application gateway

Add-AzureRmApplicationGatewayProbeConfig -name AppGatewaySPProbe -ApplicationGateway $gw -Protocol Https -Path / -Interval 30 -Timeout 120 -UnhealthyThreshold 3 -Match $match -HostName sharepoint.onemtcqa.net

Set-AzureRmApplicationGateway -ApplicationGateway $gw

Open the HTTP Settings object, ensure it is HTTPS, upload the certificate and select to use a custom probe and select the probe that was just created.

A default listener was created but this can’t be used so instead create a new multi-site listener.

Use the existing frontend IP configuration and 443 port
Enter the hostname, e.g. sharepoint.onemtcqa.net
Protocol is HTTPS
Use an existing certified or upload a new certificate to use

Open the backend pool and add the internal IP address of the target(s).

The initial default rule created should work which links to the listener created, the backend pool and the HTTP setting that was modified.

If you open the Backend health under Monitoring it should show a status of healthy and you should be able to connect via the external name (that points to the DNS name of the public IP address).

Now the OOS has to be published which does not require authentication which means a different probe must be used which means a different listener and different targets. Even though it will be a different listener its not like old style listeners where only one can listen on a specific port. This is rather just a set of configurations and so multiple 443 listeners can share the same frontend configuration (and therefore public IP).

Create a new Backend pool with the OOS machines as the target
Create a new multi-site listener that uses the existing Frontend IP configuration and port with the OOS public hostname, HTTPS and OOS certificate (same if a wildcard or subject alternative names)
Create a new health probe. Use the OOS internal DNS name, HTTPS and for path use /hosting/discovery
Create a new HTTP setting that is HTTPS, uses the certificate and uses the new health probe
Create a new basic rule that uses the new listener, the new backend pool and the new HTTP setting

Click the below to see a large image of the OOS set of additional configurations.

Now your OOS should also be available and working! You have now published two sites through a single Application Gateway.

Migrate from ATA to Azure ATP with easy PowerShell

This week Azure Advanced Threat Protection (ATP) was made available as a product that is part of EMS E5 and is essentially ATA in the cloud. ATA is a service that takes a data feed from all domain controllers then uses that data to help identify various types of attack such as pass-the-hash, golden ticket, dumps of DNS and more. Now those capabilities are available using the Azure ATP service removing the need for the on-premises components. Like the lightweight gateway option for ATA where the agent runs on each DC (instead of the full gateway where port forwarding is used), with Azure ATP a sensor is deployed to each DC (however if you don’t want this a standalone sensor can be deployed with port forwarding from DCs just like the regular gateway for ATA) which sends only a fraction of the traffic with minimal overhead.

Head over to https://portal.atp.azure.com, create a new workspace then once you select that workspace, select Configurations – Sensors. From here you can download the sensor setup file and get the access key which will link your DCs to the specific workspace.

I already had ATA deployed in my environment and wanted to simply uninstall the ATA lightweight gateway and silently deploy the Azure ATP sensor on all DCs so I created a simple PowerShell script to do just that. You can pass it a list of DCs, it could read from a file or it can scan the Domain Controllers OU. Of course you could remove the part about uninstalling ATA and just use it to deploy Azure ATP. Note I have saved the agent to a file share so you would want to change the file share I use in this script in addition to adding your access key.

#$servers = Get-Content .\Documents\dcs.txt
#$servers = "AZUASEDC2","AZUEUEDC1","AZUEUEDC2","AZUUSWDC2","AZUUSWDC1","AZUASEDC1"
$servers = Get-ADComputer -SearchBase "OU=Domain Controllers, DC=savilltech, DC=net" -Filter * | Select-Object -ExpandProperty Name

$cred = Get-Credential #account used to map to share where the Azure ATP client is

foreach($server in $servers)
{
    Write-Output "Trying to move from ATA to Azure ATP for $server"
    Invoke-Command -ComputerName $server -ScriptBlock {
        Write-Output "   Uninstalling ATA"
        $app = Get-WmiObject -Class Win32_Product | Where-Object {
            $_.Name -match "Microsoft Advanced Threat Analytics Gateway" }
        $app.Uninstall()

        Write-Output "   Installing Azure ATP monitor"
        New-PSDrive -Name X -PSProvider FileSystem -Root \\AZUUSEDC1\Core -Credential $args[0] | out-null
        #https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-silent-installation
        & 'X:\ATP\Azure ATP Sensor Setup.exe' /quiet NetFrameworkCommandLineArguments="/q" AccessKey=WORKSPACEACCESSKEYHERE
        Start-Sleep -Seconds 60 #Enable the install to complete
        Remove-PSDrive X

    } -ArgumentList $cred
}

#$servers = Get-Content .\Documents\dcs.txt

#$servers = "AZUASEDC2","AZUEUEDC1","AZUEUEDC2","AZUUSWDC2","AZUUSWDC1","AZUASEDC1"

$servers = Get-ADComputer -SearchBase "OU=Domain Controllers, DC=savilltech, DC=net" -Filter * | Select-Object -ExpandProperty Name

$cred = Get-Credential #account used to map to share where the Azure ATP client is

foreach($server in $servers)

{

Write-Output "Trying to move from ATA to Azure ATP for $server"

Invoke-Command -ComputerName $server -ScriptBlock {

Write-Output " Uninstalling ATA"

$app = Get-WmiObject -Class Win32_Product | Where-Object {

$_.Name -match "Microsoft Advanced Threat Analytics Gateway" }

$app.Uninstall()

Write-Output " Installing Azure ATP monitor"

New-PSDrive -Name X -PSProvider FileSystem -Root \\AZUUSEDC1\Core -Credential $args[0] | out-null

#https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-silent-installation

& 'X:\ATP\Azure ATP Sensor Setup.exe' /quiet NetFrameworkCommandLineArguments="/q" AccessKey=WORKSPACEACCESSKEYHERE

Start-Sleep -Seconds 60 #Enable the install to complete

Remove-PSDrive X

} -ArgumentList $cred

}

Once deployment is finished complete the configuration via the Azure ATP portal, e.g. enable some sensors as domain synchronizer candidates. Bask in the great monitoring happening for your domain!

Azure NSG Integration with Storage and Other Services

Network Security Groups (NSGs) are a critical component in Azure networking which enable the flow of traffic to controlled both within the virtual network, i.e. between subnets (and even VMs), and external to the virtual network, i.e. Internet, other parts of known IP space (such as an ExpressRoute connected site) and Azure components such as load balancers. Rules are grouped into NSGs and applied to subnets (and sometimes vNICs however its easier management to apply at the subnet level). Rules are based on:

Source IP range
Destination IP range
Source port(s)
Destination port(s)
Protocol
Allow/Deny
Priority

In place of the IP ranges certain tags can be used such as VirtualNetwork (known IP space which includes IP spaces connected to the virtual network, e.g. an on-premises IP space connected via ExpressRoute), Internet (not known IP space) and AzureLoadBalancer. Additionally through the use of service tags other Azure services can be included in rules which include the IP ranges of certain services for example Storage, SQL and AzureTrafficManager. It is also possible to limit these to specific regions for the service, for example Storage.EastUS as the service tag to enable access only to Storage in EastUS. This could then be used in a rule instead of an IP range. This is very beneficial as now you can enable only specific machines in a specific subnet to communicate to specific services in specific regions. Without this functionality you would have to try and create rules based on the public IP addresses each service used. More information on service tags can be found at https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags.

Another useful feature is application security groups. Using application security groups you can create a number of groups for the various types of application tiers you have (using New-AzureRmApplicationSecurityGroup), use them in NSG rules (e.g. -DestinationApplicationSecurityGroupId) and then you assign a network interface for a VM to be part of a specific application security group (using the ApplicationSecurityGroup parameter at creation time). Now you don’t have to worry about the actual IP address or subnet of the VM in the NSG rules. The NIC is now part of the application security group and will automatically have the rules applied based on that membership. Imagine you created an application security group for all the VMs in a certain tier of the application and they would all automatically have the correct rules regardless of their IP address or subnet membership.

On the other side of the equation you have Azure services like Storage and SQL and by default they have public facing endpoints. While there are some ACLs to limit access it can be very difficult/impossible to try and restrict them to only specific Azure IaaS VMs in your environment. For example you may have a storage account or Azure SQL database instance you only want to be accessible from VMs in a specific subnet in a virtual network. This is now possible through a combination of service endpoints and the Azure service firewall capability.

Firstly on the virtual network, service endpoints are enabled for specific services (e.g. Storage) for specific subnets. This now makes that subnet available as part of the firewall configuration for that target service.(note that if you skip this step it can be done automatically when performing the configuration on the actual service!).

Next on the actual service (which must be in the same region as the virtual network) select the ‘Firewalls and virtual networks’ option, change the ‘Allow access from’ to ‘Selected networks’, ‘add existing virtual network’, select the virtual network and subnets and click Add and then Save. Now the service will only be available to the selected virtual subnets.

When you put all these various features together there are now great controls available between VMs in virtual networks and key Azure services to really help lock down access in a simple way.

More information on service endpoints can be found at https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview.

Quickly check who are Global Admins in your Azure AD with PowerShell

The code below will list the Global Admins in your Azure AD. Note that if using privileged identity management any users currently elevated would also show.

$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

1 2	$role = Get-AzureADDirectoryRole \| Where-Object {$_.displayName -eq 'Company Administrator'} Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

Also note the PowerShell/Graph API name for Global Admins is Company Administrator.

Checking the creation time of an Azure IaaS VM

I recently had a requirement to check the age of VMs deployed in Azure. As I looked it became clear there was no metadata for a VM that shows its creation time. When you think about this it may be logical since if you deprovision a VM (and therefore stop paying for it) then provision it again what is its creation date? When it was first created or when it last was provisioned.

As I dug in there is a log written at VM creation however by default these are only stored for 90 days (unless sent to Log Analytics) BUT if its within 90 days I could find the creation date of any VM. For example:

$logs = Get-AzureRmLog -ResourceProvider Microsoft.Compute -StartTime (Get-Date).AddDays(-90)
 
foreach($log in $logs)
{
    if(($log.OperationName.Value -eq 'Microsoft.Compute/virtualMachines/write') -and ($log.SubStatus.Value -eq 'Created'))
    {
        Write-Output "- Found VM creation at $($log.EventTimestamp) for VM $($log.Id.split("/")[8]) in Resource Group $($log.ResourceGroupName) found in Azure logs"
        # write-output "   - ID $($log.Id)"
        $vmCreationTime = $($log.EventTimestamp)
        #$log
    }
}

$logs = Get-AzureRmLog -ResourceProvider Microsoft.Compute -StartTime (Get-Date).AddDays(-90)

foreach($log in $logs)

{

if(($log.OperationName.Value -eq 'Microsoft.Compute/virtualMachines/write') -and ($log.SubStatus.Value -eq 'Created'))

{

Write-Output "- Found VM creation at $($log.EventTimestamp) for VM $($log.Id.split("/")[8]) in Resource Group $($log.ResourceGroupName) found in Azure logs"

# write-output " - ID $($log.Id)"

$vmCreationTime = $($log.EventTimestamp)

#$log

}

What if the VM was not created in the last 90 days? If the VM uses a managed disk you can check the creation date of the managed disk. If it is NOT using a managed disk then there is not creation time on a page blob however by default VHDs include the creation data and time as part of the file name. Therefore to try and find the creation data of a VM I use a combination of all 3 by first looking for logs for the VM, then look for a managed disk and finally try a data in unmanaged OS disk.

#Must run elevated

#Find any creation
#$logs = Get-AzureRmLog -ResourceProvider Microsoft.Compute -StartTime (Get-Date).AddDays(-30)
 
#OR

#Find creation for a specific VM
$vm = get-azurermvm -name 'testnotmanaged' -ResourceGroupName 'testunmanagedrg'
$logs = Get-AzureRmLog -ResourceId $vm.Id -StartTime (Get-Date).AddDays(-90)
$vmCreationTime = $null

foreach($log in $logs)
{
    if(($log.OperationName.Value -eq 'Microsoft.Compute/virtualMachines/write') -and ($log.SubStatus.Value -eq 'Created'))
    {
        Write-Output "- Found VM creation at $($log.EventTimestamp) for VM $($log.Id.split("/")[8]) in Resource Group $($log.ResourceGroupName) found in Azure logs"
        # write-output "   - ID $($log.Id)"
        $vmCreationTime = $($log.EventTimestamp)
        #$log
    }
}

#If could not find a match
if($vmCreationTime -eq $null)
{
    #Disk method

    #Managed Disk
    $osdisk = $null
    try {$osdisk = Get-AzureRmDisk -DiskName $vm.StorageProfile.OsDisk.Name -ResourceGroupName RGSavEastUSBurstDemo -ErrorAction SilentlyContinue
        $vmCreationTime = $($osdisk.TimeCreated)}
    catch {}
    
    if($osdisk -ne $null)
    { Write-Output "VM creation at $vmCreationTime for VM $($log.Id.split("/")[8]) in Resource Group $($log.ResourceGroupName) via managed disk creation time"  }

    #Obviously flaws here if used an existing disk but its good enough. For unmanaged looks like I can do:
    if($osdisk -eq $null)
    {
    #Unmanaged Disk
        $vmosdiskloc = $vm.StorageProfile.OsDisk.vhd.Uri
        $vmosdiskstorageact = $vmosdiskloc.Substring(8).Split(".")[0]  #extract out the storage account name by removing the https:// then finding the first part before period (.)
        $storaccount = Get-AzureRmStorageAccount | where {$_.StorageAccountName -eq $vmosdiskstorageact}
        $vmosdiskcontainer = $vmosdiskloc.Substring(8).Split("/")[1]  #extract the middle path between location and vhd which would be the container
        $vmosdiskname = $vmosdiskloc.Substring(8).Split("/")[2]
        $OSBlob = Get-AzureStorageBlob -Context $storaccount.Context -Container $vmosdiskcontainer -Blob $vmosdiskname 
        try {$vmCreationTime = [datetime]::ParseExact(($OSBlob.Name.Substring(($OSBlob.Name.Length-18),14)),'yyyyMMddHHmmss',$null)}
        catch { $vmCreationTime = $null}
        if($vmCreationTime -ne $null)
        {  Write-Output "VM creation at $vmCreationTime for VM $($log.Id.split("/")[8]) in Resource Group $($log.ResourceGroupName) via date in page blob for OS disk" }
    }
}

#Must run elevated

#Find any creation

#$logs = Get-AzureRmLog -ResourceProvider Microsoft.Compute -StartTime (Get-Date).AddDays(-30)

#OR

#Find creation for a specific VM

$vm = get-azurermvm -name 'testnotmanaged' -ResourceGroupName 'testunmanagedrg'

$logs = Get-AzureRmLog -ResourceId $vm.Id -StartTime (Get-Date).AddDays(-90)

$vmCreationTime = $null

foreach($log in $logs)

{

if(($log.OperationName.Value -eq 'Microsoft.Compute/virtualMachines/write') -and ($log.SubStatus.Value -eq 'Created'))

{

Write-Output "- Found VM creation at $($log.EventTimestamp) for VM $($log.Id.split("/")[8]) in Resource Group $($log.ResourceGroupName) found in Azure logs"

# write-output " - ID $($log.Id)"

$vmCreationTime = $($log.EventTimestamp)

#$log

}

#If could not find a match

if($vmCreationTime -eq $null)

{

#Disk method

#Managed Disk

$osdisk = $null

try {$osdisk = Get-AzureRmDisk -DiskName $vm.StorageProfile.OsDisk.Name -ResourceGroupName RGSavEastUSBurstDemo -ErrorAction SilentlyContinue

$vmCreationTime = $($osdisk.TimeCreated)}

catch {}

if($osdisk -ne $null)

{ Write-Output "VM creation at $vmCreationTime for VM $($log.Id.split("/")[8]) in Resource Group $($log.ResourceGroupName) via managed disk creation time" }

#Obviously flaws here if used an existing disk but its good enough. For unmanaged looks like I can do:

if($osdisk -eq $null)

{

#Unmanaged Disk

$vmosdiskloc = $vm.StorageProfile.OsDisk.vhd.Uri

$vmosdiskstorageact = $vmosdiskloc.Substring(8).Split(".")[0] #extract out the storage account name by removing the https:// then finding the first part before period (.)

$storaccount = Get-AzureRmStorageAccount | where {$_.StorageAccountName -eq $vmosdiskstorageact}

$vmosdiskcontainer = $vmosdiskloc.Substring(8).Split("/")[1] #extract the middle path between location and vhd which would be the container

$vmosdiskname = $vmosdiskloc.Substring(8).Split("/")[2]

$OSBlob = Get-AzureStorageBlob -Context $storaccount.Context -Container $vmosdiskcontainer -Blob $vmosdiskname

try {$vmCreationTime = [datetime]::ParseExact(($OSBlob.Name.Substring(($OSBlob.Name.Length-18),14)),'yyyyMMddHHmmss',$null)}

catch { $vmCreationTime = $null}

if($vmCreationTime -ne $null)

{ Write-Output "VM creation at $vmCreationTime for VM $($log.Id.split("/")[8]) in Resource Group $($log.ResourceGroupName) via date in page blob for OS disk" }

}