Azure Resource Manager

This post aims to provide an introduction to the fundamental building block of the Microsoft Azure cloud platform, Azure Resource Manager (ARM), and to using tools such as the Azure Cross Platform CLI and PowerShell to manage your Azure resources.

Terminology

  • Resource – Virtual Machines, Storage Account, Web App, Database, Virtual Network
  • Resource Group – A container holding Resources (from the same or different regions) that can be used for an Azure solution, and to which a common set of rules such as Security Policies can be uniformly applied
  • Resource Provider – The service that provides Resources which can be deployed, for example:
    • Microsoft.Storage – Storage Account Resources
    • Microsoft.Compute – Virtual Machine Resources
    • Microsoft.Azure.Management.TrafficManager – Traffic Management profiles
  • Resource Manager Template – A JSON file that links one or more Resources to the Resource Group, along with the dependencies between those Resources

 

The Azure Resource Manager can be accessed and managed using different methods.

Access Controls

ARM natively supports OAuth and Role-Based Access Control (RBAC is deny by default, with explicit allow), thus facilitating user access based on pre-defined platform or resource-specific roles.

Creating a Site2Site VPN using Azure Resource Manager (ARM)

A lot has changed between Azure Service Management (ASM) and Azure Resource Manager (ARM), so let's quickly list the terminology and details of the ARM fundamentals.

  • Resource – Virtual Machines, Storage Accounts, WebApps, Databases, Virtual Networks etc
  • Resource Group – A container which can hold resources that are related.
  • Resource Provider – Microsoft.Web, Microsoft.Compute and Microsoft.Storage are examples of Resource Providers, which provide the services that you can deploy and manage through Resource Manager
  • Resource Manager Template – A JSON file that defines one or more resources to deploy to a resource group, and can define dependencies between the deployed resources

With the above reviewed, let's see how we can establish a data connection from an on-premises network to an Azure Virtual Network by creating a Site2Site IPsec VPN. You can choose either a Resource Manager Template and PowerShell combination or the Azure Portal GUI to create the VPN tunnel.

Pre-Requisites 

  1. On-premises network gateway device capable of IPSec site to site VPN (specifically IKEv2 for Site2Site & IKEv1 if you plan to have Point2Site along with Site2Site)
  2. Azure Subscription with a GatewaySubnet and Server Subnet (please note you need at least two IP network address ranges for the Azure subnets that don’t overlap with on-premises IP network addresses)

Upon completion of this configuration your network should look similar to the schematic below.


Azure Configuration 

This subsection describes the configuration steps to create the Azure end of the Site2Site configuration.

Step 1 – Azure Virtual Network

Navigate from +New -> Networking -> Virtual Network to create an ARM virtual network that facilitates communication between Azure networks and on-premises data networks.


Make sure you select the deployment model as Resource Manager in the new blade and click Create.

Fill in the needed information on the newly opened blade for the new Virtual Network.


Most importantly, select an Address Space that doesn’t overlap with your on-premises IP network addresses. For simplicity of subnetting, we choose 192.168.0.0/16 as the Address Space, 192.168.1.0/24 for ServerNet and 192.168.0.0/24 for GatewaySubnet. Click the blue Create button to start the Virtual Network creation process.

Step 2 – Subnets Configuration

Upon successful creation of the Virtual Network we need to configure the required subnets, particularly the GatewaySubnet, by navigating to Virtual Networks -> AzureVNet -> Subnets -> and clicking +GatewaySubnet.


Step 3 – Local Subnet Gateway 

Steps 1 & 2 confirm the creation of the Virtual Network named AzureVNet. Now we proceed to create the Local Subnet Gateway, which essentially takes care of network routing between the on-premises network and the Azure Virtual Network.


Choose Local Network Gateways and in the new blade fill in the needed details, including the on-premises gateway public IP address and data network address space. Replace IP address 11.22.33.44 with your actual on-premises network gateway’s public IP address.


Until now we have defined the network and subnets where new virtual machines can be added. Next we need to add the Virtual Network Gateway.

Step 4 – Virtual Network Gateway 

Now we create the Virtual Network Gateway by navigating to +New -> Networking -> Virtual Network Gateway, filling in the needed details on the newly opened blade and clicking the blue Create button.


After about 15-25 minutes the Virtual Network Gateway will be created and you can see the assigned Public IP address.

Step 5 – Connection

Now we need to complete the final step in the Azure end configuration: creating the Connection to the on-premises network gateway. Navigate from Local Network Gateways -> AzureLocalNetGW -> Connections -> Add.


In the next configuration blade populate the needed information. Don’t forget to create a complex Shared Key (PSK) that will be used in the IPsec VPN Phase 1 negotiation with the on-premises device. Select the Virtual Network Gateway and Local Network Gateway created in the previous steps and complete the configuration.


On-Prem Firewall Configuration 

Depending on the type of on-premises network gateway device, you can configure matching IPsec VPN Phase 1 and Phase 2 parameters. I am listing the most popular configuration options, which could vary between devices. Please consult the network gateway device’s technical documentation for more details.

Phase 1 Proposal Options

IP Version 4, IKE Version 2, Diffie-Hellman Group 2, Authentication – Pre-Shared Key (PSK)

Encryption – AES128 / SHA256, AES256 / SHA256, AES128 / SHA1, AES256 / SHA1 

Phase 2 Proposal Options 

Encryption – AES128 / SHA256, AES256 / SHA256, AES128 / SHA1, AES256 / SHA1 
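The five Azure-side steps above, done with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. It uses the post's own names and address ranges; the resource group name, region, gateway names, the on-premises address range 10.0.0.0/24 and the VpnGw1 SKU are assumptions, and the IPsec policy pins the strongest Phase 1/Phase 2 proposal listed above (AES256 / SHA256, DH group 2).

```powershell
# Added example, not the post's own script. Assumed: Az module installed and Connect-AzAccount done.
$rg  = 'AzureVPN-RG'   # assumed resource group name
$loc = 'westus'        # assumed region
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# Steps 1 & 2: VNet 192.168.0.0/16 with ServerNet and the GatewaySubnet (the post's values)
$server = New-AzVirtualNetworkSubnetConfig -Name 'ServerNet'     -AddressPrefix '192.168.1.0/24'
$gwsub  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '192.168.0.0/24'
$vnet = New-AzVirtualNetwork -Name 'AzureVNet' -ResourceGroupName $rg -Location $loc `
          -AddressPrefix '192.168.0.0/16' -Subnet $server, $gwsub

# Step 3: Local Network Gateway = the on-premises device's public IP and the range behind it
# (11.22.33.44 is the post's placeholder; 10.0.0.0/24 is an assumed on-premises range)
$lng = New-AzLocalNetworkGateway -Name 'AzureLocalNetGW' -ResourceGroupName $rg -Location $loc `
          -GatewayIpAddress '11.22.33.44' -AddressPrefix '10.0.0.0/24'

# Step 4: Virtual Network Gateway; route-based gateways negotiate IKEv2. Takes 15-25 minutes.
$pip = New-AzPublicIpAddress -Name 'AzureVNetGW-pip' -ResourceGroupName $rg -Location $loc `
          -AllocationMethod Static -Sku Standard
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -Name 'AzureVNetGW' -ResourceGroupName $rg -Location $loc `
          -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 5: Connection. The PSK is generated from a CSPRNG rather than typed in, shown once
# so it can be entered on the on-premises device, and should then go into a secret store.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)   # 44 characters, within Azure's 1-128 character limit
Write-Host "Shared key for the on-premises device: $psk"

# Pin Phase 1 / Phase 2 to the strongest proposal the post lists: AES256 / SHA256, DH group 2
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 `
            -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2 `
            -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000
New-AzVirtualNetworkGatewayConnection -Name 'OnPrem-to-AzureVNet' -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $policy | Out-Null

# Check: status becomes "Connected" once the on-premises side is configured with the same PSK and proposal
(Get-AzVirtualNetworkGatewayConnection -Name 'OnPrem-to-AzureVNet' -ResourceGroupName $rg).ConnectionStatus
```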

 

Windows Server 2016 – Part 1 Features

In this series of posts we primarily focus on the enhancements and new feature sets in Windows Server 2016. In Part 1 the plan is to get introduced to the various versions and some of the important features.

Windows Server 2016 Versions 

  • Datacenter – Core based Licensing, for highly virtualized datacenter and cloud environments
  • Standard – Core based Licensing, for Physical or minimally virtualized environments
  • Essentials – Processor based Licensing, for SMB with 25 users and 50 devices
  • MultiPoint Premium Server – Processor based Licensing, For Academic Volume Licensing Customers Only
  • Storage Server 2016 – Processor based Licensing, For OEM Channel Only
  • Windows Hyper-V Server 2016 – Free Hypervisor Download

 

Enhanced Security 

There have been significant improvements, or rather enhancements, to the Windows Server 2016 platform to provide a more secure computing environment and to reduce the attack surface.

  • Credential Guard to protect administrative credentials from “pass-the-hash” attacks
  • Privileged Identity Management features to limit and secure the usage of admin privileges
  • Shielded Virtual Machine feature to protect your virtual machines by encryption and by tying them to a specific Hypervisor
  • Flow Guard and Code Integrity to protect against unknown vulnerabilities by allowing only a permitted set of binaries to execute
  • Hyper-V Containers for an additional isolation layer for containerized applications
  • Azure Rights Management (Azure RMS) Connector to facilitate easy integration of on-premises Information Rights Management (IRM) with Azure RMS
  • PowerShell security features like Script Block Logging, AntiMalware Integration, Constrained PowerShell and Transcript Logging
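Turning on the PowerShell logging features named in the last bullet, and reading the result back from the event log, as an added example that is not part of the original post. It assumes an elevated session on the server and uses C:\PSTranscripts as an assumed transcript directory.

```powershell
# Added example, not from the original post. Run elevated; the policy keys below are read by PowerShell 5.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: every executed script block lands in the PowerShell Operational log as event 4104
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Transcript logging: a text transcript of every session, with an invocation header per command
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String  # assumed path

# Module logging for all modules: pipeline execution details are recorded as event 4103
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Check: run something in a fresh session (new sessions pick up the policy), then read the latest 4104 events.
# Properties[2] of a 4104 event is the script block text itself.
powershell.exe -NoProfile -Command 'Get-Process -Name L*' | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }

# Constrained PowerShell is reported by the session itself: "ConstrainedLanguage" when in effect, else "FullLanguage"
$ExecutionContext.SessionState.LanguageMode
```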

Computing 

With Windows Server 2016 you can run your datacenter on a highly automated, resilient and virtualized server operating system.

  • Nano Server (25x smaller image than Windows Server 2016) helps you to reduce datacenter footprint
  • Server automation with PowerShell 5 and Desired State Configuration (DSC)
  • Using Mixed-mode cluster upgrades you can upgrade existing infrastructure clusters without requiring new hardware
  • Cost-effective Business Continuity & Disaster Recovery between datacenters using Storage Replica synchronous storage replication, with features like Zero Data Loss, block-level replication and SMB3
  • Software-defined storage solutions can build highly available and scalable storage at a fraction of the cost of SAN or NAS
  • Linux and FreeBSD virtual machines for Hyper-V, PowerShell Desired State Configuration for Linux
  • Improved Resilient File System (ReFS) (originally introduced in Windows 2012) is the preferred data volume, with better Data Integrity, Resiliency & Availability

Networking 

Windows Server 2016 networking is built with the same set of features used in Microsoft Azure datacenters, providing much higher agility and availability to your datacenters.

  • Dynamic segmentation of the network and workloads using a Layer 3, 5-tuple (source IP, destination IP, source port, destination port & protocol) Distributed Firewall and Network Security Groups (NSG), enforcing the routing of traffic through firewalls to achieve higher levels of security.
  • Scalable centralized Network Controller to provide policies for QoS, Load Balancing, Gateway and Switching in a matter of seconds
  • Support for the VXLAN & NVGRE standards to support hybrid workloads running across containers, servers, racks and clouds.
  • Support for Virtual Machine Multi-Queue (VMMQ), to distribute higher network traffic across multiple cores on the host and virtual machine.
  • As part of the software-defined network stack, Software Load Balancer (SLB) enables Layer 4 (TCP / UDP) load balancing services between multiple VMs
  • Cluster Rolling Update is a new feature that allows administrators to seamlessly upgrade cluster nodes (*supported from Windows Server 2012 clusters)

Application Platforms 

Windows Server 2016 facilitates various ways to deploy and run your applications on-premises or on Microsoft Azure.

  • Containerize your applications or microservices using Hyper-V containers
  • With the agility and density of containers in the Windows ecosystem, developers can leverage agile application development & management.
  • OpenID Connect support
  • OAuth support improvements

In the next part we will explore the remaining features and installation guides to make use of the most powerful server OS that Microsoft has built, Windows Server 2016.

 

 

Azure Cross Platform CLI on OSX, Linux, Docker

In continuation of PowerShell on Mac OSX, let's see how we can connect to Azure from the OSX CLI. First you need to download the Azure Command Line Interface (Azure Cross Platform CLI) from here (direct download link).

Double-click the downloaded file, which will launch the package installer.


Follow the on-screen instructions and complete the installation of the Azure CLI.


Upon completion, bring up the Terminal app on your OSX machine and issue azure to invoke the Azure CLI for access to your Azure subscription.


After installing the Azure CLI on your OSX machine, let's connect to your existing Azure subscription: from your Terminal app issue azure login, which will provide a URL and a code to authenticate your Azure CLI session.

In this case, redirect the browser to https://aka.ms/devicelogin, enter the code HTFZEF4GX and click “Continue”.


Follow the on-screen instructions to provide your credentials and complete the authentication.


Upon successful authentication a confirmation message will be displayed.


You can then see all your Azure subscriptions in the Terminal app window.


Installing Azure CLI on Linux 

To install the Azure CLI on any Linux distribution you need npm (Node.js's default package manager) and the latest Node.js (an open source, cross-platform JavaScript runtime); you can then install the Azure CLI (packaged and published on npmjs.com) with:

npm install -g azure-cli 

If you prefer to download the Linux tar file yourself and install it, you can use the following command:

npm install -g <path to tar file>

Azure CLI in a Docker Container

Assuming your computer is already configured as a Docker host, you can run the Azure CLI in a container:

docker run -it microsoft/azure-cli

PowerShell on Mac OSX, Linux

In years past Microsoft was primarily focused on .NET and PowerShell, which were only available on Windows. But with Microsoft's recent shift towards customer preferences, .NET was ported to Linux (and variants including OSX) and, by extension, PowerShell now runs on Linux and OSX.

Most of us are already familiar with PowerShell on Windows. Let's see how to run and make use of PowerShell on Mac OSX and Linux.

Mac OSX 

Though there is no minimum requirement for the OSX version, it's recommended to have OSX 10.10 (Yosemite) or above.

First and foremost, download the PowerShell package from the official distribution page (https://github.com/PowerShell/PowerShell/releases), powershell-6.0.0-alpha.9.pkg in our case.


To install PowerShell on your Mac, double-click the downloaded .pkg file, which will launch the package installer.

Follow the on-screen instructions to complete the installation.


Now open the Terminal app and issue the command powershell to invoke PowerShell.


Linux

Get the PowerShell package for Linux from the official distribution page (https://github.com/PowerShell/PowerShell/releases), .deb or .rpm in this case. Issue the following command to install the dependencies:

sudo apt-get install libunwind8 libicu55 

After a successful install, issue the command below to get PowerShell installed on your Linux host:

sudo dpkg -i /path/to/powershell.deb

Some deep dive..

So we have installed PowerShell on OSX or Linux; what's next?

  • PowerShell is a very powerful, fully fledged scripting language that works directly from the command line.
  • PowerShell helps to automate tasks with ease
  • PowerShell bridges many technologies with the ability to interact with .NET, COM, WMI, XML, Active Directory, etc.

Structured Command (Cmdlets) 

PowerShell supports commands called Cmdlets (pronounced “command-lets”); for example, Get-Process -Name L* will give details about the running processes whose names start with the letter L.


Some cool things: PowerShell natively supports all .NET methods right from your Mac OSX or Linux. You can get the length of a string using the same .NET method, and also use PowerShell as a calculator.


Command Discovery

You can discover all the PowerShell commands using a particular Cmdlet, Get-Command; in the example below, Get-Command *process* will give information not only on Cmdlets but also on any Functions or Methods whose name contains the word process.


Piping to the Get-Member Cmdlet will provide the list of Properties and Methods of the object.


 

Setting individual Office 365 user’s password not to expire


Sometimes, as an Office 365 admin, you may be in a situation where you want to set the password not to expire for an Office 365 account. The steps below will guide you through setting the password not to expire for individual accounts.

Before connecting to your Office 365 organization, make sure the Azure Active Directory Module for Windows PowerShell is already installed, and then run the following PowerShell Cmdlets.

Run Connect-MsolService and key in your Office 365 tenant admin credentials.


Upon successful authentication, run the following commands.

To set the Password Never Expires setting 

Set-MsolUser -UserPrincipalName <useraccount@contoso.com> -PasswordNeverExpires $true

To remove the Password Never Expires setting 

Set-MsolUser -UserPrincipalName <useraccount@contoso.com> -PasswordNeverExpires $false

To list all users whose password was set to never expire 

Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object UserPrincipalName, PasswordNeverExpires

Important Notes

  • The user password will eventually expire after 730 days (maximum password age for non-expiring passwords).
  • Only passwords of user accounts that are not synchronized through Directory Sync can be set to never expire.
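An audit of the never-expiring accounts that applies the two notes above, as an added example that is not part of the original post: it flags directory-synchronized accounts (where the setting cannot apply) and counts down to the 730-day ceiling from each account's last password change. It assumes Connect-MsolService has already been run; the MSOnline module it uses has since been deprecated by Microsoft in favour of Microsoft Graph.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService has already succeeded.
function Get-NeverExpiringPasswordReport {
    param([int]$MaxAgeDays = 730)   # the maximum password age for non-expiring passwords, per the notes above

    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        ForEach-Object {
            # Days since the last password change, or $null if the tenant has no timestamp for the account
            $age = if ($_.LastPasswordChangeTimestamp) {
                       (New-TimeSpan -Start $_.LastPasswordChangeTimestamp -End (Get-Date)).Days
                   } else { $null }

            [pscustomobject]@{
                UserPrincipalName     = $_.UserPrincipalName
                # A non-empty LastDirSyncTime means the account comes from Directory Sync,
                # so the on-premises password policy applies and this flag is ineffective
                DirSynced             = [bool]$_.LastDirSyncTime
                PasswordAgeDays       = $age
                DaysUntilForcedExpiry = if ($null -ne $age) { $MaxAgeDays - $age } else { $null }
            }
        }
}

# Accounts closest to the forced expiry, and any synced accounts that were flagged by mistake, sort to the top
Get-NeverExpiringPasswordReport | Sort-Object DaysUntilForcedExpiry | Format-Table -AutoSize
```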