User Profile
Shashwat3105
Brass Contributor
Joined Jun 08, 2022
User Widgets
Recent Discussions
Azure Front Door
Hello Folks !! After a long time , I am back with a new topic explaining Azure's latest (but not so ) service to you ie Azure Front Door service. Let's go with it !! It is a global, scalable entry-point that uses the global edge network to create fast, secure, and widely used web applications. Basically it is a cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access between you and your applications’ web content across the globe. It works at layer 7 using anycast protocol with split TCP and Microsoft’s global network to improve global connectivity. You can use your routing method to ensure that Front Door will route your client requests to the fastest and most available application backend. Now let's coming to "why we should use Azure front door " -- Azure Front Door enables internet-facing application to: Helps us to operate the architecture that have dynamic, high-quality digital experiences with highly automated, secure, and reliable platforms. To accelerate your application and scale to your users wherever they're creating opportunities for you to compete, weather change, and quickly adapt to new demand and markets. To secure your application against known and new threats with intelligent security that embrace a trustable framework What are the key benefits of using Azure Front End door -- To scale out and improve performance of your applications and content using Microsoft’s global Cloud CDN and WAN. It can improve your latency for apps by up to 3 times. Accelerating application performance by using Front Door’s anycast network and split TCP connections. Terminating SSL offload at the edge and use integrated certificate management . Natively support end-to-end IPv6 connectivity and the HTTP/2 protocol. Helps in delivering the modern architecture Modernize your internet first applications on Azure with Cloud Native experiences It integrates with you various azure functionalities and provided Azure IAC tools like - Azure Bicep, ARM templates, CLI and PowerShell. Provides the facility to define your own custom domain with flexible domain validation. Load balance and route traffic across origins and use intelligent health probe monitoring across apps or content hosted in Azure or anywhere. Integrate with other Azure services such as DNS, Web Apps, Storage and many more for domain and origin management. Log each Front Door request and failed health probes. It basically provides the ui for seeing the health checks of our application. Simple and cost-effective Unified static and dynamic delivery offered in a single tier to accelerate and scale your application . Free, autorotation managed SSL certificates that save time and quickly secure apps and content. Low entry fee and a simplified cost model that reduces billing complexity by having fewer meters needed to plan for. Azure to Front Door integrated egress pricing that removes the separate egress charge from Azure regions to Azure Front Door. Intelligent secure internet perimeter Secure applications with built-in layer 3-4 DDoS protection, seamlessly attached Web Application Firewall (WAF) , and Azure DNS to protect your domains . Protect your apps from malicious actors with Bot manager rules . Privately connect to your backend behind Azure Front Door with Private Link and embrace a zero-trust access model. Provide a centralized security experience for your application via Azure Policy and Azure Advisor . It also provides a rich set of advanced capabilities that enhance the DevOps experience, security posture, and cost-effectiveness for enterprise customers migrating and/or deploying high-performance, scalable, and secure applications on Azure or anywhere. Now what will happen to existing azure cdn services .. The existing Azure Front Door and Azure CDN from Microsoft will now be known as Azure Front Door (classic) and Azure CDN from Microsoft (classic) moving forward. Azure Front Door (classic), as well as Azure CDN from Microsoft (classic), will continue to be fully supported and you can continue to use them. There will be no big change as such , but there will be a slight modification in using Azure front door service as CDN .In the coming time , Azure zero downtime migrations from Azure Front Door (classic) and Azure CDN from Microsoft (classic) to Azure Front Door Standard and Premium. To summarise it up - Azure Front Door offers dynamic site acceleration (DSA ) as well as global load balancing with near real-time failover. For enterprises that have a global reach, the performance of their web applications is greatly impacted by the proximity of the consumer. For a better and more consistent experience, enterprises may use content delivery networks (CDNs ) with several distribution points and deliver content to consumers rapidly because of optimized connections and proximity. Azure Front Door leverages the anycast protocol that goes beyond providing traditional CDN capabilities and offers advanced security capabilities including DDoS attack prevention. The infrastructure for this globally distributed multi-tenant service is shared across all its customers.Azure AKS Security Hardening
Hello Folks !! I am back with a new blog . This time I will try give a brief overview about Azure AKS Security and Baseline. Lets gooo !!!! What is Azure AKS - Azure Kubernetes Service (AKS) offers the quickest way to start developing and deploying cloud-native apps in Azure, datacenters, or at the edge with built-in code-to-cloud pipelines and guardrails. It is mostly used as a scalable platforms nowadays. Current Application requirement includes the scaling , performing and most importantly zero downtime , which is covered by AKS service of Azure. Containerization of any application in AKS is the best way to reduce downtime and cost optimization of your infrastructure. AKS features and benefits The primary benefits of AKS are flexibility, automation and reduced management overhead for administrators and developers. For example, AKS automatically configures all of the Kubernetes nodes that control and manage the worker nodes during the deployment process and handles a range of other tasks, including Azure Active Directory (AD ) integration, connections to monitoring services and configuration of advanced networking features such as HTTP application routing. Users can monitor a cluster directly or view all clusters with Azure Monitor. Now having a brief overview of Azure AKS , lets move on Azure security features or we can call it as Azure Baseline for security of AKS , that it offer's - Security related to AKS Related to Networking - By default, a network security group and route table are automatically created with the creation of a Microsoft Azure Kubernetes Service (AKS) cluster. AKS automatically modifies network security groups for appropriate traffic flow as services are created with load balancers, port mappings, or ingress routes. Use AKS network policies to limit network traffic by defining rules for ingress and egress traffic between Linux pods in a cluster based on choice of namespaces and label selectors. Networking allows the filtering of traffic to not only to AKS but also entering it to current infrastructure. Since mentioned about the namespaces in AKS , it is a whole virtual environment that is separated within Kubernetes cluster , we can configure alert based networking rules for particular namespace also. 2) Using the traditional method ( i.e. auth from AD or role creation) for AKS - Kubernetes includes security components, such as pods , and nodes security . Meanwhile, Azure includes components like Active Directory, Azure Policy, Azure Key Vault, and orchestrated cluster upgrades. AKS combines these security components to: Provide a complete Authentication and Authorization story. Leverage AKS Built-in Azure Policy to secure your applications. Authenticating with the password and keys for developers using Azure key vault .Setting up Azure policy like conditional access policy for better security for Azure updates. 3) Using Azure Application Gateway and WAF - Use an Azure Application Gateway enabled Web Application Firewall (WAF) in front of an AKS cluster to provide an additional layer of security by filtering the incoming traffic to your web applications. Web Application firewall uses a set of rules for filtering out the traffic , which we will get injected into your cluster or nodes. Also Application gateway act as proxy for all the traffic , you can also configure route table for routing of the traffic , when the traffic injects inside the application gateway. Application gateway also provides an external IP , which helps to not expose our main ip in which our application or pods are running. Also using an API gateway for authentication, authorization, and monitoring for APIs used in your AKS environment. It acts as a front door to the microservices, , and decreases the complexity of your microservices by removing the burden of handling cross cutting concerns. 4) Configure central security log management - Enable audit logs from Azure Kubernetes Services (AKS) master components, kube-apiserver and kube-controller-manager, which are provided as a managed service. kube-auditaksService: The display name in audit log for the control plane operation masterclient: This is the display name in audit log for MasterClientCertificate, the certificate that you get from aks get-credentials node client: The display name for Client Certificate, which is used by agent nodes. You can also export these logs to Log Analytics . Use Log Analytics workspaces to query and perform analytics. Use Azure blob storage for storing of the logs and archiving them with various tiers options in Azure. 5) Locations approving in Azure - Use Conditional Access Named Locations to allow access to Azure Kubernetes Service (AKS) clusters from only specific logical groupings of IP address ranges or countries/regions. This requires integrated authentication for AKS with Azure Active Directory (Azure AD). Limit the access to the AKS API server from a limited set of IP address ranges, as it receives requests to perform actions in the cluster to create resources or scale the number of nodes. If you want to know how you can configure this named locations , you can go to this Azure link - https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations 6) Isolate the system which are storing data - Logically isolate teams and workloads in the same cluster with Azure Kubernetes Service (AKS) to provide the least number of privileges, scoped to the resources required by each team. Use the namespace in Kubernetes to create a logical isolation boundary. You can also implement separate subscriptions or working directory of the AKS cluster , which are containing the pods with sensitive information or any type of Database, which are prone to attacks. 7) Encryption of all the sensitive information - It is always good to encrypt our data that is exposable to internet in HTTPS. You can create an HTTPS ingress and use your own TLS certificates for your Azure Kubernetes Service (AKS) deployments. Kubernetes egress traffic is encrypted over HTTPS/TLS by default. You can review any potentially un-encrypted egress traffic from your AKS instances. This may include NTP traffic, DNS traffic, HTTP traffic for retrieving updates in some cases. Here are some of the methods , for hardening and maintaining your AKS cluster security. There are also many third party applications which you can integrate with your AKS cluster , but I will recommend to you use them wisely . Go through there files and changes that they will make to your cluster. Thanks !!!!!Load Balancer and Cross Region Load Balancer in Azure
Hello Folks !! I am back with my new blog regarding to azure networking service . This time I will discuss about Azure Load Balancer and What is Cross region load balancing !!! What is Load Balancer --- Azure Load Balancer operates at layer 4 of the (OSI) model. It's the single point of contact for clients. It distributes inbound flows that arrive at the load balancer's front end to backend instances . These flows are according to configured load-balancing rules and health probes. There are generally two type of load balancer's - Public - which provide traffic from outbound to inbound in virtual network . Internal - which route traffic to internal vnet. A Public load balancer is the one which can provide outbound traffic for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to your VMs. An Internal load balancer is used where private IPs are needed at the frontend only. They are used to load balance traffic inside a virtual network. A load balancer frontend can be accessed from an on-premises network in any scenario . Why we use Azure Load Balancer - The main key points why we use azure load balancer are - Standard load balancer are built with zero trust network security so it is very efficient . They are part of your vnet , vnet is secured and isolated from other networks . Load Balancer services can be configured on multiple ports and IP'S . You can scale your services and create highly scalable services and applications . Pricing - The main concern for every organization , whenever they there on-premise infra to cloud is pricing , so whenever its possible , I try to cover in my blog the pricing aspect of cloud services . So here we go -- Some of the key points that we need to know is - Inbound rules don't count in total number of rules , number of configured outbound and load balancing rules count. There is no hourly charge for load balancer where no rules are formed The data is charged about how much inbound or outbound processing is there Any traffic going through load balancer is charged . What is Cross region load balancing in azure - Cross-region Load Balancer is a Public layer-4 network load balancer serving as a single point of contact for global traffic. You can build any regional application by setting up a Cross-region Load Balancer in front of regional deployments. Main benefits of cross region load balancing is - The health probe of the cross-region load balancer gathers information about availability every 20 seconds. If one regional load balancer drops its availability to 0, cross-region load balancer will detect the failure. The regional load balancer is then taken out of rotation. Its algorithm is generally based on the geographic location of your users and your regional deployments. Traffic started from a client will hit the closest participating region and travel through the Microsoft global network backbone to arrive at the closest regional deployment. When you expose the global endpoint of a cross-region load balancer to customers, you can add or remove regional deployments behind the global endpoint without interruption. The backend pool of cross-region load balancer contains one or more regional load balancers. Add your existing load balancer deployments to a cross-region load balancer for a highly available, cross-region deployment. Some of the limitations relates to it are - The internal frontend ip is not supported currently Private or internal load balancer can't be added to the backend pool . A health probe can't be configured currently. Currently the cross region service is in preview ,and will get onboard till 2023.. Thanks....Azure Architecture Explaination
Hello Folks !! Today I have taken a something offbeat topic into my techspace discussion. I will explain a azure architecture , which I have used in my own scenario . I have taken this architecture from azure architecture weblog, which helped me a lot in my current scenario. This architecture is about DevSecops concept and I will explain each service , which I have used here. So lets go ----- This architecture is about GitHub security. Components Explanation - 1) GitHub - It is a place where developers or code designers will use to push or pull the code. It is a distributed version control system . The code can be pushed via visual studio code or through locally , here we have used Visual Studio code as GitHub code spaces. Along with GitHub we have put some security features associated with it like Microsoft Azure AD and GitHub security. 2) Azure Active Directory and Multifactor Auth - Is a multi-tenant, cloud-based identity service that controls access to Azure and GitHub. Azure AD can be configured as the identity provider for GitHub, and multi-factor authentication can be enabled for extra security. 3) GitHub Security - works to eliminate threats in many ways. Agents and services identify vulnerabilities in repositories and in dependent packages. They also upgrade dependencies to up-to-date, secure versions. It can be used for version maintaining. 4) GitHub Actions - It is used for deploying the ARM templates , that is used for deploying the code as well as structure provisioning in Azure. It can be used for deploying the PAAS platforms like web apps 5) Azure Resource Manager - It uses JSON templates to describe the resources involved in deployment. Teams can also manage these template documents by using DevOps tools, like version control, code collaboration, and CI/CD workflows. 6) Azure App Service - Provides a platform for building and deploying scaling web apps . This platform is often used for patching and scaling of the application in web apps. 7) Azure policy - Generally helps the IT team , for policy definitions that you make through . For example if you want to deploy web app of particular configuration and during the deployment the policy of making doesn't matches , then the alert which is configured for this get triggered and stops you for making deployment. 😎 Microsoft Defender for Cloud - Provides unified security management for hybrid cloud deployment. 9) Azure Monitor - Used providing a UI representation for logs and metrics . When this service of azure identifies any irregular conditions , it alerts all the apps and personnel that you have created. Working of this Architecture User pushes the code to GitHub repository and whether the user is authentic or not it gets identified by Azure AD where you get the MFA and identity of the user . Then GitHub actions get triggered with a check in GitHub security . GitHub security does the code scanning by the following ways - Secret Scanning - It inspects repositories or commits for any tokens, keys, or secrets that appear in code. Other users can be notified that secrets have leaked into public view, and service providers can be notified that one of their secrets leaked. Service providers can optionally revoke or renew the secrets. Code Scanning - It inspects code for known vulnerabilities and coding errors. As an example, if a developer leaves a database connection string exposed in code, this feature discovers the secret. GitHub starts the process of obtaining an uncompromised string after verifying its validity with the database. The GitHub actions start deploying the ARM templates to Azure in which we have written a json code for deploying the web app as infrastructure and the code is the deployed through GitHub actions . The most important concern how mush costlier this architecture will be... Cost optimization is always about looking at ways to reduce unnecessary expenses and improve operational efficiencies. It has been always a concern for the IT industries , the client needs a best security architecture with lowest expenses , so here we go - If possible use Linux to host actions. It can be a dual benefit because it is cost effective and as well as it can be security wise a good deal In addition, the choice of operating system that hosts Actions jobs affects the per-minute consumption rate and per-minute cost. Address issues during programming, rather than issuing at about a month . So that developers don't need to refresh their knowledge of the code. Please create a budget related alert in azure , so that you can get notified before it exceeds. Have a look at the configuration of the web apps that you have created. Scaling can be helpfull , but only when it is needed . Look at the region where you want to create the resource in azure . Thanks and any updates are welcomed...Updates in Azure Firewall
Hello Folks Today I will discuss about various features that are updated ( that I have used , in my work ) in Azure Firewall. Obviously in this dynamicity , everything changes in a second . But I here I am referring to those updates , which I have gone through in recent times. So Let's start . 1) IDPS signature's lookup - Perhaps this is the most interesting feature that , I found in azure firewall and that I have used it in my projects and labs . You can go to IDPS option in Azure Firewall and enable your own signature and set there mode a Alert or deny . What it does like , if you found a false positive where your request is blocked by faulty signature , you can use he signature id and set it to IDPS mode off. 2) TLS Certificate Auto generator - The second feature that I have worked on is TLS Certificate generator. For non-production you can use this mechanism , which generally creates this mechanism managed identity , key vaults , Self-signed CA certificate . 3) Web Categories Lookup - Web Categories is a filtering feature that allows administrators to allow or deny web traffic based on categories, such as gambling, social media, and more. They added tools that help manage these web categories: Category Check and MI's-Categorization Request. 4) IDPS Private range IP's - In Azure Firewall Premium IDPS, Private IP address ranges are used to identify if traffic is inbound or outbound. By default, only ranges defined by Internet Assigned Numbers Authority (IANA) RFC 1918 are considered private IP addresses. To modify your private IP addresses, you can now easily edit, remove or add ranges as needed.Azure VM Backup policy
Hello Folks !! Back with an update related to Azure VM updated policy of taking backup and snapshot !! As we know Azure has the policy to take Snapshots and backup of the VM . You can here found how we can proceed with backup - https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm Azure has now introduced a new feature of Low recovery point objective . Now what it is ? It is the maximum amount of data that can be lost after a recovery from a disaster or failure . It determines the maximum age of data or files in storage needed to be able to meet the objective specified by the RPO, should a network or computer system failure occur. With this you can define your duration , when the backup jobs will function and you can connect it with your working hours . This can store data for 7 days and maximum for 30 day's . This enable's minimum data loss and storage of data . You can create a policy in the recovery service vault's and configure the backup and snapshot of the virtual machine. Thanks ..Azure Certification Updates
Hello Folks !! As we all know Microsoft make the certification updates and course , in frequent time intervals. So here I am in my second blog , to discuss about Microsoft certifications . Here are the 5 new certifications that are announced at Microsoft Build . 1) Microsoft Power Automate RPA Developer - This aims to increase efficiency in automating Microsoft power automate. 2) Microsoft Cybersecurity Architect expert Prerequisite - Security Operations Analyst Associate certificate, Identity and Access Administrator Associate certificate. 3) Microsoft 365 Exchange Online Support Engineer Specialty certificate Prerequisite - None This exams mainly targets on support engineers and admins. 4) Microsoft Azure support Engineer Prerequisite - None This aims mainly at IT Admins and Azure support engineers. 5) Microsoft Azure Enterprise Data Analyst Prerequisite - None This exams focuses on data governance in Power BI and Azure. Some other certifications include the following - AZ 600 - Configuring a Hybrid cloud in Microsoft AZ 800 - Administrating Windows Server hybrid core AZ 801 - Advance Configuring Windows Server hybrid AZ DP-420 - Designing Cloud Applications using Microsoft Azure Cosmos DB Hope this information find you helpful !! Any updates are welcome... ThanksAzure monitor agent is now available on Ubuntu 22.04, Rocky Linux, and AlmaLinux.
Hello Folks !!! As we know that monitor agent installation on our VM's helps in improving key area's of data collection. It collects data from the guest operating system and deliver's it to Azure monitor. This help's us in analyzing our OS and the queries' related to it . Azure has announced its new updated monitor agent which is available on Rocky and AlmaLinux. You can also go through following links , if you have queries related to it . Overview of Azure monitor agents - https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview FaQ related to azure monitor agent - https://docs.microsoft.com/en-us/azure/azure-monitor/faq On next post , I will try to cover practical exposure and share the Docs related to it. Thanks ShashwatRe: Export list of users with registered Windows Hello for Business authentication method
Hello Husskeshawi, By default there is only 1 month default record available for user's , extraction either from KQL (in azure portal) , or directly through Office 365 Admin portal. Yes there might be a PowerShell script to find it. Not denying the fact , because Powershell scripting is very powerfull. Thanks Shashwat
