Purge Azure AD Deleted Objects
Ever get the dreaded message: “The directory object quota limit for the Principal has been exceeded. Please ask your administrator to increase the quota limit or delete objects to reduce the used quota.” But when you go and look you only have a handfull of objects listed… certainly nowhere near the 250 allowed. In this post we’ll see one potential way to alleviate this issue. We’ll discover that what appears to be the case on the surface is not really the case with Azure AD. Azure AD actually doesn’t delete objects right away it marks them as “Deleted”. So if you really want to remove objects from Azure AD read on…
Authenticate GO CLI with Azure AD
Ever wonder how to integrate a command line application with Azure Active Directory? I happened to be working with a client recently who wanted to do just that and I took the opportunity to dive in a figure it out and in the process write it up for the website. In this post we’ll look at the Azure Golang SDK and how to use it for Azure AD authentication and we’ll also create an application registration in AAD and assign permissions to our CLI.
Whitelist Ingress Access into AKS Clusters
If you read my last post on setting up ExternalDNS and CertManager on AKS you may have noticed that ingress to published services is open to Internet traffic. In this post I’ll look at two simple ways to lock down services so that only specific addresses have ingress access. First we’ll cover how to setup a network security group on the agent pool subnet to limit access and then we’ll take a look at some features of NGINX that offer a bit more flexibility to who has access to what. We’ll also look at some changes we’ll need to make to cert-manager once ingress is locked down.
Automate DNS and SSL Certificates on AKS
In a recent project I was asked to configure Kubernetes so that it could create and manage DNS records automatically. This automatic management comes via Ingress objects created in Kubernetes. Hostnames specified in ingress objects automatically get DNS records created. This is exactly what the Kubernete’s project ExternalDNS does. Unfortuately, even though there is a section for configuring it on Azure, it wasn’t straightforward to get working. This post walks through getting it up and running and also demonstrates its usage in Azure Government.
Adding Auditd Logs to Azure Log Analytics
In my last post entitled Forwarding Syslog to Azure Log Analytics we setup our Linux VMs to send Syslog data for centralized collection to Azure Log Analytics. This allowed us to capture all our Syslog data as well as setup alerts for anomalous behavior in our logs. In this post we want to take it a step further and add auditd to our Linux VMs and setup some very specific auditing rules around file access and modifications and send those to Log Analytics as well.
Forwarding Syslog to Azure Log Analytics
I was recently tasked with coming up with a solution that enabled several different types of information related to Azure VMs to be collected and reported on. Types of information included application logs, operating system logs and Azure activity logs. Readers of this blog may not know that Azure has a product called Log Analytics that is similar to Splunk (except for the cost) that can capture and report on just about any kind of logs you can imagine. In this post we’ll take a look at what goes into getting syslog information into Log Analytics and then running some basic queries against those logs.
IO Performance in Azure Explained
I recently had a customer ask several questions about what IOPS and max throughput mean and how they could increase throughput so that their backup restore process in Azure would take less time. In this post we’ll look at how we can estimate our max throughput and IOPS based on VM size and disk configuration. Additionally, we’ll also look at ways to improve performance without increasing costs.
Migrating a non-HyperV VM to Azure
Let’s have some fun in this post moving a virtual machine from VirtualBox on MacOS to Azure. This can be a little tricky because not only do you have to prep the VM as you normally would for Azure but you also have to package up the HyperV modules so you can be used at boot time once moved. Personally, I would recommend Infrastructre as Code (IaC) and configuration management software typically for this kind of thing, however, sometimes that’s not an option so in this post we’ll look at moving a VM from MacOS (no HyperV) to Azure (HyperV) and what it takes to get there.
AKS with cert-manager and Prometheus
In this post we’ll take a look at a new script that I wrote to quickly build a Kubernetes (AKS) cluster with several core components preconfigured and installed out of the box. As a CSA for Microsoft I sometimes need to create an AKS cluster that goes beyond the cluster you get with the az command and I got tired of installing ingress controllers, cert-manager, and the like over and over. If your use case is similar to mine you should get some usefulness from this.
Azure Hub and Spoke Network with Terraform
In this post we’ll take a look at using Terraform to setup an Azure environment that implements a Hub and Spoke network topology using Linux as a Virtual Network Appliance (ie router). This post will setup the custom route tables that allow the individual spoke networks to communicate through the Hub VNet as well as provision an NVA in the Hub VNet.
Using SSH Tunnel with RDP
In this post we’ll take a look at what it takes to connect to an Azure DevTest Lab when you only have outbound access to connect to resources on port 443. I was recently working with a customer who could only connect outbound on port 443 and they wanted to use Remote Desktop Protocol (RDP) to connect to a Windows VM running in a DevTest Lab. There are a few different ideas that we came up with but using SSH was a quick and dirty solution that got them connected quickly.
Publish a Jekyll Website with Azure DevOps
Haven’t you always wanted to setup your website so that every change you make to your repo produces the cooresponding change in production automatically? Well in this post we’ll look at how to setup Azure DevOps to monitor a GitHub repository that contains a Jekyll website and compile and publish on every commit to master.
Query Log Analytics from the Command Line
I’ve been doing some work with Azure Log Analytics lately and found the az tool limiting as it relates to querying Log Analytics. So like anyone who gets an itch and needs to scratch it, I decided to put something together myself to help make it a bit easier for me. So using Python and some awesome modules I wrote a little utility that could query Log Analytics and provide data back in a few different formats.
Verizon CDN Rules for Redirects
In Part 1 of this post we setup a website using an Azure Storage Acct and configured the Verizon Premium CDN endpoint with SSL certificates to host our custom domain name. In this post we’ll look at the configuration necessary to redirect http to https using the Verizon tools provided via the Azure portal.
Azure Storage for Your Website
Use Azure Storage and Verizon CDN to create a custom website using your own domain name for a few cents a month. In this article we will also look at how to setup https for the website and redirect domain name requests to index.html. Seems like a piece of cake… until you actually try it.
Installing a Custom Certificate in Azure CDN
Today we are going to look at what it takes to install a custom certificate in an Azure CDN. In my last post I created a certificate using the Let’s Encrypt process that we’ll use in Azure CDN. Some folks may have a specific issuer they want to use or perhaps they want full control over how the certificates are issued. For whatever reason they want to bring their own cert (BYOC), this post should help navigate the pecularities of getting it installed.
Generating a Let's Encrypt Certificate
In this post we’re going to create our own certificate using Let’s Encrypt that we’ll eventually use with an Azure CDN instead of using the certificates that are provided for free. Now why would anyone do that? I’m sure there are some reasons I just can’t think of any at the moment ;).