Posts

Demystifying System and User Define Routes of Azure

Image
As Virtual Network is created, Azure automatically create its own route tables for that Virtual Network, so that all the packets which enters the virtual network can traverse within its address prefix and leave the subnet for its destination. These are known as the Default Routes . We can’t modify these routes; however, we can add our custom routes on top of default routes for the traffic leaving the subnet. These custome route is known as User Define Routes . In this case, we are modifying the default behaviour of packets routing but still the internal and external routing of packet is done by virtual network to ensure that our packets are never hijacked.  In another word, we are adding routes and requesting virtual network to routes traffic in the way we want. So far its not possible to route the traffic independently bypassing the Azure Virtual Network routing mechanism and for security reason I do not think this will ever be possible. Common Use Case of UDR:  ...

Virtual Network Service Endpoints

Image
As of today, Virtual Network Service Endpoints is in Preview and publicly available. This is one of the most requested features in Azure. Before this, one of the common issues regarding PaaS including Azure SQL and Storage was Public EndPoint, though Azure provides multiple ways to protect our workload and data, it was accessible from the Internet. Image Source: Microsoft Now, there is the possibility of locking Azure SQL and/or Storage within the Vnet or further down into  Subnet level, removing the direct access to and from the Internet. This will ensure that all your traffic with remain within your network or Azure Backbone Network and egress/ingress traffic destined to Azure Services can be inspected and forced to on-prem using Forced Tunnelling . Limitation:   Support only ARM model VNets and should be in the same region.  Endpoints are enabled on Subnets configured in VNets. EndPoints can't be used for traffic originated from on-premises. ...

Azure Archive Storage and Blob-Level Tiering

Image
Storage is one of the members of Infrastructure either is the cloud or in on-premises followed by Compute and Networking. Every enterprise has heavily invested in storage to store and retain data for a various compliance reason as well as to run the day to day business. And, its growth is inevitable. As of to get competitive advantages, its time to consider the Cloud offerings rather than to look for SAN and maintain it. This will result in saving time, maintenance and manpower cost with affordable operational cost. Initially, there were two-tier: Hot and Cold and new offering is Archival Storage which is added on top of Azure Storage Blob. Thus, now there are 3 storage options available for General Purpose V2(GPV2) storage account. Choosing the best tier depends on the nature of data it will be holding. Remember you are paying for storage as well as for operations performed on those datasets. Storing the frequently used data on the cold tire may result in the unexpected bills as i...

Demystifying Azure Reserve Instance

Image
Microsoft offers numbers of ways to reduce the cost of workload running in the Azure. Initially, it started with AHUB benefits, low priority virtual machine and recently they had gone to GA of Reserve Instance. It offers huge price cut, we could save up to 72% and combined with AHUB benefits up to 82% saving can be achieved which is very luring factor for many. Source: Microsoft Off-course we all want to save money, but it comes at a cost. That cost is ‘Performance’. So, are we ready for that? Then, why Microsoft might have come up the idea of Reserve Instance? Microsoft has one of the world largest datacenters scattered throughout the world. And, those resources are not always fully utilized in some of the regions. At the same time, some regions might have been fully utilized.   Thus, they allocated some portion of their resources in the Reserve Instances, and let the customer take this offer on available location based on the availability at low cost. And, most imp...

Monitoring User Activities

With the maturity of cloud, usages of the Cloud Computing is rocketing as they are offering enrich services at affordable price. It's normal that an organization having multiple subscriptions and multiple users' managing it. Azure logs every user's activities that are performed against its resources including the action performed by pre-defined code using Runbook. What so ever the error collection domain the Microsoft gives, I prefer to group this into two. Logs auto-generated by System/Application or User Activates Log, which will trigger the previous logs. In this blog, I will discuss how user activities can be traced down to the various events so that anomalies (defined by the organizational norms) can be detected. User Login User's identity could be cloud only, federated or hybrid. Depending on their identity model, Azure Active directory will handle the authentication or will forward to the identity handler. For example, if ADFS is in place, then it will re...

Application Security Group - Enhancement on Network Security Group

Image
Application Security Group let us create and manage security rules for our Virtual Machine more intuitively. It provides the ability to bundle the VM's as per their workload and let us enforce rules on it as a group. So far we were applying Network Security Rules on individual VM using their IP. Now, we have the flexibility of grouping them and applying rules on them using Application Security Group name as source and destination. it eliminates the needs to remember IP address of resources. Working with Application Security Group requires planning as we need to define the security policies. These policies are similar with Network Security Group but this features add value to Network Security Group and become more useful when you have multiple virtual machines which perform the similar works and requires same rules. If it's combined with the Tag Policy, it increases the manageability as well as increase governance. This feature is in preview in US West Central, so we need to...

Deploy Palo Alto in Azure

Image
There are many ways to deploy Palo Alto Firewall in Azure. Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for Proof of Concept only. Planning-Includes Minimum Requirement - Without HA Logical Diagram:  Create Virtual Network Name: PAN-VNet Address Space: 10.0.0.0/16 Subnet Name: Management Subnet Address Space: 10.0.1.0/24 Subnet Name: Untrust Subnet Address Space: 10.0.2.0/24 Subnet Name: Trust Subnet Address Space: 10.0.3.0/24 Resource Group: PA-VNet    Subnet Spin Web Server Virtual Machine  Name: SecureWebServices Image: Windows Server 2016 Resource Group: Services Network: PAN-VNet Subnet: Trust Role: Web Server (IIS) Installed Change NSG rules of Web Server to accept request on port 80, if you wish to test the web request. However, later on, this behaviour will be controlled through firewall. Spin Palo Alto Firewall Virtual Machine Na...