Getting Started with Azure OpenAI

Artificial intelligence (AI) has become an essential part of modern software development, and cloud providers like Microsoft Azure offer AI services to help developers build intelligent applications. In this blog post, we will explore how to use Azure to deploy OpenAI models and take a few small steps toward exploring its potential.

Setting up SSL with the CSI Driver on AKS

I’ll bet you’re here because you started trying to set up SSL on AKS and wanted to use the CSI driver with Azure KeyVault and realized it wasn’t as easy as everyone led you to believe ;). In this post we’ll walk through the steps necessary to set it up correctly using KeyVault. There is also a companion GitHub repo.

Azure DevOps Folder Permissions

Have you ever wanted to set up granular folder permissions in your Azure DevOps repos but couldn’t figure it out? I was working on a project where the customer wanted to set up their version of GitFlow and was trying to set up permissions in Git so that only certain groups of users could control writes to Main, Release, Develop and Feature branches at specific levels in the path of these branches. This post will walk you through how to do that in Azure DevOps.

Website Authentication for Blobs

I recently had a customer who wanted to authenticate user access to a basic website that was hosted in Azure Storage Accounts. The basic static website functionality that is bundled with Storage Accounts doesn’t provide this. There are a few ways we might have approached this; for instance, we could have potentially used Static Web Apps. However, what if we just used their existing App Service plan and the built-in authentication for Web Apps?

Azure DevOps Bootstrap Script

Have you ever wanted to test out the configuration of resources set up quickly in Azure using DevOps pipelines and been frustrated by how long it takes to get your project bootstrapped with a service principal, keystore, storage account and other goodies that are often required? If so, this is the post for you.

Azure AD Integration with AKS

Do you want to enable Azure AD integration with your Azure Kubernetes Service (AKS) but struggle with 403 Forbidden error messages in the Azure portal when trying to view Kubernetes objects? If you’re having these issues this could be a good post for you. We’ll look at what causes this and 3 solutions to fix it.

Azure Webhook and Alert Tips

In the last 2 posts we looked at building an Azure Automation that would shut down VMs that were underutilized using runbooks, alerts and webhooks. There was quite a lot of information packed into those posts, and in this post I want to unpack a few lessons I learned along the way and explain them a bit better than perhaps the Microsoft documentation does.

Shutdown VMs with Low CPU Usage (Part 2)

In the second part of the post we’ll take the webhook and runbook we created in Part 1 and build on what we learned. This segment will focus on Azure Monitor Alerts and how to stitch together Signals with Action Groups to ultimately ensure that our VM is shut down when it’s not in use or underutilized, and as in Part 1 of the series we’ll do all this from the command line.

Shutdown VMs with Low CPU Usage (Part 1)

Sometimes it can be very beneficial to your budget to shut down your VMs when they are idle or underutilized. In many cases there might be alternative strategies for processing workload, like VM scale sets or Azure Functions, that should be explored, but in some situations shutting down an existing VM can make a lot of sense. In part 1 of this 2-part series we’ll look at Azure Monitor and what Alerts are, and we’ll even explore how to make REST API calls from the az command line. All this leads to part 2, where we put everything together to stop VMs based on a signal sent from Azure Monitor related to CPU usage.

Enable JIT Access on Azure VMs

In this post we’ll take a look at a feature of Azure Security Center called Just-In-Time VM access. This feature will allow you to timebox who has access to your Azure VMs and when. Black Hats will invariably look for open management ports on your VMs. RDP and SSH are often used by hackers as a possible entry point for access to your environment. Using JIT Access you can block access to these ports and require users to submit a request in order to gain access during a specific timeframe.

Purge Azure AD Deleted Objects

Ever get the dreaded message: “The directory object quota limit for the Principal has been exceeded. Please ask your administrator to increase the quota limit or delete objects to reduce the used quota.” But when you go and look you only have a handful of objects listed… certainly nowhere near the 250 allowed. In this post we’ll see one potential way to alleviate this issue. We’ll discover that what appears to be the case on the surface is not really the case with Azure AD. Azure AD actually doesn’t delete objects right away; it marks them as “Deleted”. So if you really want to remove objects from Azure AD, read on…

Authenticate GO CLI with Azure AD

Ever wonder how to integrate a command line application with Azure Active Directory? I happened to be working with a client recently who wanted to do just that, and I took the opportunity to dive in and figure it out and in the process write it up for the website. In this post we’ll look at the Azure Golang SDK and how to use it for Azure AD authentication, and we’ll also create an application registration in AAD and assign permissions to our CLI.

Whitelist Ingress Access into AKS Clusters

If you read my last post on setting up ExternalDNS and CertManager on AKS you may have noticed that ingress to published services is open to Internet traffic. In this post I’ll look at two simple ways to lock down services so that only specific addresses have ingress access. First we’ll cover how to set up a network security group on the agent pool subnet to limit access, and then we’ll take a look at some features of NGINX that offer a bit more flexibility over who has access to what. We’ll also look at some changes we’ll need to make to cert-manager once ingress is locked down.

Automate DNS and SSL Certificates on AKS

In a recent project I was asked to configure Kubernetes so that it could create and manage DNS records automatically. This automatic management comes via Ingress objects created in Kubernetes. Hostnames specified in ingress objects automatically get DNS records created. This is exactly what the Kubernetes project ExternalDNS does. Unfortunately, even though there is a section for configuring it on Azure, it wasn’t straightforward to get working. This post walks through getting it up and running and also demonstrates its usage in Azure Government.

Adding Auditd Logs to Azure Log Analytics

In my last post, entitled Forwarding Syslog to Azure Log Analytics, we set up our Linux VMs to send Syslog data for centralized collection to Azure Log Analytics. This allowed us to capture all our Syslog data as well as set up alerts for anomalous behavior in our logs. In this post we want to take it a step further and add auditd to our Linux VMs, set up some very specific auditing rules around file access and modifications, and send those to Log Analytics as well.

Forwarding Syslog to Azure Log Analytics

I was recently tasked with coming up with a solution that enabled several different types of information related to Azure VMs to be collected and reported on. Types of information included application logs, operating system logs and Azure activity logs. Readers of this blog may not know that Azure has a product called Log Analytics that is similar to Splunk (except for the cost) that can capture and report on just about any kind of logs you can imagine. In this post we’ll take a look at what goes into getting syslog information into Log Analytics and then running some basic queries against those logs.

IO Performance in Azure Explained

I recently had a customer ask several questions about what IOPS and max throughput mean and how they could increase throughput so that their backup restore process in Azure would take less time. In this post we’ll look at how we can estimate our max throughput and IOPS based on VM size and disk configuration. Additionally, we’ll also look at ways to improve performance without increasing costs.

Migrating a non-HyperV VM to Azure

Let’s have some fun in this post moving a virtual machine from VirtualBox on MacOS to Azure. This can be a little tricky because not only do you have to prep the VM as you normally would for Azure, but you also have to package up the HyperV modules so they can be used at boot time once moved. Personally, I would typically recommend Infrastructure as Code (IaC) and configuration management software for this kind of thing; however, sometimes that’s not an option, so in this post we’ll look at moving a VM from MacOS (no HyperV) to Azure (HyperV) and what it takes to get there.

AKS with cert-manager and Prometheus

In this post we’ll take a look at a new script that I wrote to quickly build a Kubernetes (AKS) cluster with several core components preconfigured and installed out of the box. As a CSA for Microsoft I sometimes need to create an AKS cluster that goes beyond the cluster you get with the az command and I got tired of installing ingress controllers, cert-manager, and the like over and over. If your use case is similar to mine you should get some usefulness from this.

Azure Hub and Spoke Network with Terraform

In this post we’ll take a look at using Terraform to set up an Azure environment that implements a Hub and Spoke network topology using Linux as a Virtual Network Appliance (i.e. a router). This post will set up the custom route tables that allow the individual spoke networks to communicate through the Hub VNet as well as provision an NVA in the Hub VNet.

Using SSH Tunnel with RDP

In this post we’ll take a look at what it takes to connect to an Azure DevTest Lab when you only have outbound access to connect to resources on port 443. I was recently working with a customer who could only connect outbound on port 443 and they wanted to use Remote Desktop Protocol (RDP) to connect to a Windows VM running in a DevTest Lab. There are a few different ideas that we came up with but using SSH was a quick and dirty solution that got them connected quickly.

Publish a Jekyll Website with Azure DevOps

Haven’t you always wanted to set up your website so that every change you make to your repo produces the corresponding change in production automatically? Well, in this post we’ll look at how to set up Azure DevOps to monitor a GitHub repository that contains a Jekyll website and compile and publish on every commit to master.

Query Log Analytics from the Command Line

I’ve been doing some work with Azure Log Analytics lately and found the az tool limiting as it relates to querying Log Analytics. So like anyone who gets an itch and needs to scratch it, I decided to put something together myself to help make it a bit easier for me. So using Python and some awesome modules I wrote a little utility that could query Log Analytics and provide data back in a few different formats.

Verizon CDN Rules for Redirects

In Part 1 of this post we set up a website using an Azure Storage Account and configured the Verizon Premium CDN endpoint with SSL certificates to host our custom domain name. In this post we’ll look at the configuration necessary to redirect HTTP to HTTPS using the Verizon tools provided via the Azure portal.

Azure Storage for Your Website

Use Azure Storage and Verizon CDN to create a custom website using your own domain name for a few cents a month. In this article we will also look at how to set up HTTPS for the website and redirect domain name requests to index.html. Seems like a piece of cake… until you actually try it.

Installing a Custom Certificate in Azure CDN

Today we are going to look at what it takes to install a custom certificate in an Azure CDN. In my last post I created a certificate using the Let’s Encrypt process that we’ll use in Azure CDN. Some folks may have a specific issuer they want to use, or perhaps they want full control over how the certificates are issued. Whatever the reason they want to bring their own cert (BYOC), this post should help navigate the peculiarities of getting it installed.

Generating a Let's Encrypt Certificate

In this post we’re going to create our own certificate using Let’s Encrypt that we’ll eventually use with an Azure CDN instead of using the certificates that are provided for free. Now why would anyone do that? I’m sure there are some reasons I just can’t think of any at the moment ;).