Network Security Groups | Aidan Finn, IT Pro

Free Online Training – Azure Network Security

On June 19th, I will be teaching a FREE online class called Securing Azure Services & Data Through Azure Networking.

I’ve run a number of Cloud Mechanix training classes and I’ve had several requests asking if I would ever consider doing something online because I wasn’t doing the classes outside of Europe. Well … here’s your opportunity. Thanks to the kind folks at European Cloud Conference, I will be doing a 1-day training course online and for free for 20 lucky attendees.

The class, relevant to PaaS and IaaS, takes the best practices from Microsoft for securing services and data in Microsoft Azure, and teaches them based on real-world experience. I’ve been designing and implementing this stuff for enterprises and have learned a lot. The class contains stuff that people who live only in labs will not know … and sadly, based on my googling/reading, a lot of bloggers & copy/pasters fall into that bucket. I’ve learned that the basics of Azure virtual networking must be thoroughly understood before you can even attempt security. So I teach that stuff – don’t assume that you know this stuff already because I know that few really do. Then I move into the fun stuff, like firewalls, WAFs, Private Link/Private Endpoint, and more. The delivery platform will allow an interactive class – this will not be a webinar – I’ve been talking to different people to get advice on choosing the best platform for delivering this class. I’ve some testing to do, but I think I’m set.

Here’s the class description:

Security is always number 1 or 2 in any survey on the fears of cloud computing. Networking in The Cloud is very different from traditional physical networking … but in some ways, it is quite similar. The goal of this workshop is to teach you how to secure your services and data in Microsoft Azure using techniques and designs that are advocated by Microsoft Azure. Don’t fall into the trap of thinking that networking means just virtual machines; Azure networking plays a big (and getting bigger) role in offering security and compliance with platform and data services in The Cloud.

This online class takes you all the way back to the basics of Azure networking so you really understand the “wiring” of a secure network in the cloud. Only with that understanding do you understand that small is big. The topics covered in this class will secure small/mid businesses, platform deployments that require regulatory compliance, and large enterprises:

The Microsoft global network

Availability & SLA

Virtual network basics

Virtual network adapters

Peering

Service endpoints

Public IP Addresses

VNet gateways: VPN & ExpressRoute

Network Security Groups

Application Firewall

Route Tables

Platform services & data

Private Link & Private Endpoint

Third-Party Firewalls

Azure Firewall

Monitoring

Troubleshooting

Security management

Micro-Segmentation

Architectures

Level: 400

Topic: Security

Category: IT Professionals

Those of you who have seen the 1-hour (and I rarely stuck to that time limit) conference version of this class will know what to expect. An older version of the session scored 99% at NIC 2020 in Oslo in February with a room packed to capacity. Now imagine that class where I had enough time to barely mention things and give me a full day to share my experience … that’s what we’re talking about here!

This class is one of 4 classes being promoted by the European Cloud Conference:

If you’re serious about participating, register your interest and a lucky few will be selected to join the classes.

Azure-to-Azure Site Recovery Fails – Connection Cannot Be Established

In this post, I’ll explain how to fix the following errors when you attempt to replicate an Azure virtual machine from one Azure Region to another:

Error 151072: Connection cannot be established to Azure Site Recovery service endpoints.

And:

Error 539: The requested action couldn’t be performed by the ‘A2A’ Replication Provider.

The Cause

A2ASR (the abbreviation of the ASR service for Azure VMs) uses an extension (guest OS agent) called the Mobility Service to migrate disk contents from a source virtual machine to a target (secondary) region (or DR site). The Mobility Service is using the networking of the virtual machine to talk the ASR endpoints in the secondary region. That traffic is therefore going over the NIC and virtual network of the VM, and then to the target region via the Azure backbone.

if you have restricted outbound traffic for your virtual machines, then you might have blocked this traffic:

Third party firewall appliances
Using Network Security Groups (NSGs), as I documented here

The Fix

Woops! Don’t worry, you’ve already created exceptions to allow your virtual machine to boot up. You can create more exceptions to allow the virtual machines to talk to the ASR endpoints (see the below screenshot). Let’s imagine that I am replicating from North Europe to West Europe.

I’ll need at least one set of rules, enabling outbound traffic from my VNet/NICs in the source region, North Europe, to the two IP addresses of the target region, West Europe.

I will also have to enable inbound traffic from my target region, West Europe, to my destination region, North Europe. Why? Isn’t all my traffic going from North Europe to West Europe? That’s true – now. But if you failover to West Europe, you will need to reverse replication afterwards, so you might as well get things right now.

A Script

It all looks messy at first. It probably isn’t too bad. But if you’d like to deploy a canned script to update NSGs, you can. Microsoft has shared a script that you can run. You will need a few pieces of information:

NSG name
NSG resource group name
Subscription ID
Source region
Target region

Run the script (it will prompt you to log in) from source to target, and then reverse the details, treating the target as the source, and vice versa with the NSG(s) in the DR site.

Where’s the Service Tags?

Storage accounts and Azure SQL all have service accounts, but ASR does not. I believe that ASR should have service tags to avoid all of this IP messiness. If you agree, vote here, or forever stay quiet on the subject.

Was This Kind of Information Useful?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in Amsterdam on April 19-20, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

Amsterdam – Starting Azure Infrastructure Course

I am happy to announce that our Cloud Mechanix venture is bringing my custom-written Starting Azure Infrastructure course to Amsterdam on April 19-20.

This course is intended for IT professionals and developers that wish to start working with or improve their knowledge of Azure virtual machines. The course starts at the very beginning, explaining what Azure is (and isn’t), administrative concepts, and then works through the fundamentals of virtual machines before looking at more advanced topics such as security, high availability, storage engineering, backup, disaster recovery, management/alerting, and automation. The frequently updated content is focused on real world applications, with a focus on best practices, security, stability, control, and uptime. I’ve also added lots of useful links to additional reading & how-to’s, as well as my own tips and tricks.

Cloud Mechanix has gotten off to a great start. We quickly sold 11 of 10 (!) seats in London for Feb 22-23. The room we booked actually can hold 24 people in classroom format. So we expanded that to 20 seats, and 19 of those seats were booked by early January – one seat is still available. That gave me some confidence to expand our operations, especially with some of the market knowledge I have about Azure’s success in Europe. So the next stop is Amsterdam!

The Location

Why Amsterdam? Obviously, the Netherlands is a big economy, but Amsterdam is one of Europe’s hubs – you can get to Amsterdam with a direct & cheap flight from almost every major city in Europe, and it’s easily driven to from a large part of western Europe.

The venue is the Radisson Blu hotel at Schiphol. This hotel:

Is on public transport.
Has a car park, an we are covering 25% of the day rate.
Is accessible by direct flights from large parts of Europe (and the World) thanks to being near Schiphol Airport – 866 NOK return from Oslo, 589 DKK from Copenhagen, £105 from London City, €150 from Rome.
Is just 9 minutes by taxi.
Provides a hotel shuttle from to/from the airport.
If you wish to stay in the hotel, check for prices on 3rd party sites, for as low as €114 per night.

All travel & accommodation prices were searched for on Jan 20th for the dates of Apr 18-20 using Skyscanner and Trivago.

The Class Agenda

This course spans two days, running on April 19-20, 2018. The agenda is below.

Day 1 (09:30 – 17:00):

Introducing Azure
Tenants & subscriptions
Azure administration
Admin tools
Intro to IaaS
Storage
Networking basics

Day 2 (09:30 – 16:00):

Virtual machines
Advanced networking
Backup
Disaster recovery
JSON
Diagnostics
Monitoring & alerting
Security Center

By the end of this course you should have new/additional knowledge to help you deploy business services using Azure virtual machines, with best practices on performance, security, and availability … in the real world.

Past Feedback

Here are some recent comments from courses that I have written and delivered:

“Aidan covers all the information and workarounds so that you know what not to do, rather than having to learn the hard way from your mistakes. Also happy to answer question and off-topic questions.”

“I found it very useful for my job. I especially liked that we covered aspects that weren’t in the course but provided useful context, e.g. applying learnings like MS Flow and MigAz. I learned a lot about networking – not just the tools but the aspects that the tools are applied to.”

“Excellent as always.”

Costs & Registration

You can read all about the course, venue, terms & conditions, and register here.

Further Dates & Private Training

Future dates will be announced in the EU. I’m investigating running training in the USA – accounting/tax is the challenge there! If you want private runs of this training, then please contact me.

Azure VMs–Block Outbound Traffic to the Internet (Updated)

In theory, it was possible to deny all outbound traffic to the Internet from an Azure VM. In theory, I can also place a loaded gun to my head, but my doctor disapproves of that.

Here’s what would happen:

You created an outbound rule to Deny all traffic to a service tag (location) called Internet.
The VM worked fine … for a while.
The VM was rebooted, maybe for a guest OS patch cycle.
The VM would not reboot.
Your boss screamed at you, if you were lucky.

The problem is that Azure included all Azure services under the service tag of “Internet”. And Azure VMs need to talk to Azure to boot up – to be specific, they need to talk to Azure Storage if the IaaSDiagnostics (Azure Performance Diagnostics) extension is configured. If a VM can’t talk to that storage account, the VM will fail to boot. There was a scripted workaround, but it was far from pretty.

Recently Microsoft made a Network Security Group service tags generally available. Service tags take those old locations and expand them to more than just Virtual Network, Load Balancer (probe), and Internet. Now you can specify Azure storage (storage account) and Azure SQL services, globally and locally (a specific region).

So for example, I can let a VM connect (Azure) Storage globally, in West Europe, or to connect to Azure SQL in North Europe. Now we can block outbound access to the Internet, but still allow access to Azure storage in the same region for diagnostics & metrics.

I’ve tested, and yes, my VM rebooted

Tag: Network Security Groups