Shutdown VMs with Low CPU Usage (Part 2)

In the second part of the post we’ll take the webhook and runbook we created in Part 1 and build on what we learned. This segment focuses on Azure Monitor Alerts and how to stitch together Signals with Action Groups so that our VM shuts down when it’s not in use or underutilized. As in Part 1 of the series, we’ll do all this from the command line.

Shutdown VMs with Low CPU Usage (Part 1)

Sometimes it can be very beneficial to your budget to shut down your VMs when they are idle or underutilized. In many cases there might be alternative strategies for processing workloads, like VM scale sets or Azure Functions, that should be explored, but in some situations shutting down an existing VM can make a lot of sense. In Part 1 of this two-part series we’ll look at Azure Monitor and what Alerts are, and we’ll even explore how to make REST API calls from the az command line. All this leads to Part 2, where we put everything together to stop VMs based on a signal sent from Azure Monitor related to CPU usage.

Enable JIT Access on Azure VMs

In this post we’ll take a look at a feature of Azure Security Center called Just-In-Time VM access. This feature allows you to timebox who has access to your Azure VMs and when. Black Hats will invariably look for open management ports on your VMs. RDP and SSH are often used by hackers as a possible entry point for access to your environment. Using JIT Access you can block access to these ports and require users to submit a request in order to gain access during a specific timeframe.

Purge Azure AD Deleted Objects

Ever get the dreaded message: “The directory object quota limit for the Principal has been exceeded. Please ask your administrator to increase the quota limit or delete objects to reduce the used quota.” But when you go and look, you only have a handful of objects listed… certainly nowhere near the 250 allowed. In this post we’ll see one potential way to alleviate this issue. We’ll discover that what appears to be the case on the surface is not really the case with Azure AD. Azure AD actually doesn’t delete objects right away; it marks them as “Deleted”. So if you really want to remove objects from Azure AD, read on…

Authenticate GO CLI with Azure AD

Ever wonder how to integrate a command line application with Azure Active Directory? I happened to be working with a client recently who wanted to do just that, and I took the opportunity to dive in and figure it out and, in the process, write it up for the website. In this post we’ll look at the Azure Golang SDK and how to use it for Azure AD authentication, and we’ll also create an application registration in AAD and assign permissions to our CLI.

Whitelist Ingress Access into AKS Clusters

If you read my last post on setting up ExternalDNS and CertManager on AKS, you may have noticed that ingress to published services is open to Internet traffic. In this post I’ll look at two simple ways to lock down services so that only specific addresses have ingress access. First we’ll cover how to set up a network security group on the agent pool subnet to limit access, and then we’ll take a look at some features of NGINX that offer a bit more flexibility over who has access to what. We’ll also look at some changes we’ll need to make to cert-manager once ingress is locked down.

Automate DNS and SSL Certificates on AKS

In a recent project I was asked to configure Kubernetes so that it could create and manage DNS records automatically. This automatic management comes via Ingress objects created in Kubernetes. Hostnames specified in ingress objects automatically get DNS records created. This is exactly what the Kubernetes project ExternalDNS does. Unfortunately, even though there is a section for configuring it on Azure, it wasn’t straightforward to get working. This post walks through getting it up and running and also demonstrates its usage in Azure Government.