User Profile
ibnmbodji
Iron Contributor
Joined 6 years ago
Recent Discussions
Re: AKS Container Registry Vulnerabilities
Dean_Gross You might get your answers in the meantime, but since you didn't get any answers yet I will do it. If you attach the Azure container registry to an AKS cluster, you can leverage vulnerability assessment and management tools for images stored in Azure Container Registry. In a multi-cloud scenario, you can even protect Elastic Container Registry from AWS. Ref: Container security with Microsoft Defender for Cloud | Microsoft Learn. You can also check: Azure security baseline for Container Registry | Microsoft Learn. Depending on the SKU you might leverage many features in ACR, such as the ability to sign your images. Hope that helps.
Re: Azure Keyvault and bastion integration
Hello, there is no private link resource for Azure Bastion. You can check the full list here: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview. However, as Igor suggests, you can try to link (virtual network link) the key vault private DNS zone to your bastion virtual network.
Re: what will replace the OMS agent for collecting windows events from workstations?
Hi, the new AMA (Azure Monitor Agent) supports Windows 11 client OS, Windows 10 1803 (RS4) and higher, and Windows 10 Enterprise. You can find the support matrix here: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview?tabs=PowerShellWindows. Azure Arc is not a solution designed for workstations indeed.
Re: about routes
Hi, ensure that you have the proper peering enabled:
- hub-to-spoke A: with gateway transit
- spoke A-to-hub: Default + Use this virtual network's gateway or Route Server
- hub-to-spoke B: with gateway transit
- spoke B-to-hub: Default + Use this virtual network's gateway or Route Server

If you want the incoming traffic (from the gateway) to be filtered by the firewall, attach a route table to the gateway subnet with the routes:
- Address prefix 10.1.0.0/16, Next hop type: Virtual Appliance, Next hop IP address: Firewall private IP
- Address prefix 10.2.0.0/16, Next hop type: Virtual Appliance, Next hop IP address: Firewall private IP

Ensure also that proper routes are present in the spoke route tables.

Route table associated to subnet Spoke A:
- Address prefix 10.0.0.0/16, Next hop type: Virtual Appliance, Next hop IP address: Firewall private IP
- Address prefix 10.1.0.0/16, Next hop type: Virtual Appliance, Next hop IP address: Firewall private IP
- Address prefix 192.168.0.0/24, Next hop type: Virtual Appliance, Next hop IP address: Firewall private IP
- Address prefix 0.0.0.0/0, Next hop type: Virtual Network Gateway (forced tunnelling)

Route table associated to subnet Spoke B:
- Address prefix 0.0.0.0/0, Next hop type: Virtual Network Gateway (forced tunnelling)
- Address prefix 10.2.0.0/16, Next hop type: Virtual Appliance, Next hop IP address: Firewall private IP
- Address prefix 192.168.0.0/24, Next hop type: Virtual Appliance, Next hop IP address: Firewall private IP

Read the full doc for forced tunnelling if needed: https://docs.microsoft.com/fr-fr/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm
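The gateway-subnet table and the two spoke tables from the reply above, written out as Terraform. This is an added example, not code from the original reply or from Microsoft. It assumes the azurerm provider 3.x, a resource group named rg-network in westeurope, a firewall private IP of 10.0.1.4, and that the three subnet IDs are supplied as variables; the prefixes are the ones used in the reply. It goes slightly beyond the reply in that all three tables are generated from one map, so adding a spoke C is a single extra entry rather than a new resource block.

```hcl
# Added example (not from the original reply). Assumed values: resource group
# "rg-network" in "westeurope", firewall private IP 10.0.1.4, subnet IDs passed
# in as variables. Prefixes follow the reply: hub 10.0.0.0/16, spoke A
# 10.1.0.0/16, spoke B 10.2.0.0/16, on-premises 192.168.0.0/24.

variable "firewall_private_ip" {
  type    = string
  default = "10.0.1.4" # assumed: private IP of the firewall NIC in the hub
}

variable "gateway_subnet_id" { type = string } # hub GatewaySubnet
variable "spoke_a_subnet_id" { type = string }
variable "spoke_b_subnet_id" { type = string }

locals {
  location = "westeurope"
  rg_name  = "rg-network"
  hub      = "10.0.0.0/16"
  spoke_a  = "10.1.0.0/16"
  spoke_b  = "10.2.0.0/16"
  onprem   = "192.168.0.0/24"

  # Per table: the prefixes that must be hairpinned through the firewall.
  # The GatewaySubnet table deliberately has no 0.0.0.0/0 entry; a default
  # route to a virtual appliance is not supported on that subnet.
  via_firewall = {
    gateway = { spoke_a = local.spoke_a, spoke_b = local.spoke_b }
    spoke_a = { hub = local.hub, spoke_a = local.spoke_a, onprem = local.onprem }
    spoke_b = { spoke_b = local.spoke_b, onprem = local.onprem }
  }

  # Spoke tables additionally force-tunnel everything else to the VPN gateway,
  # reached through the hub peering ("use remote gateways" on the spoke side).
  forced_tunnel = ["spoke_a", "spoke_b"]
}

resource "azurerm_route_table" "this" {
  for_each = local.via_firewall

  name                = "rt-${each.key}"
  location            = local.location
  resource_group_name = local.rg_name

  # One route per prefix, next hop = firewall private IP.
  dynamic "route" {
    for_each = each.value
    content {
      name                   = "to-${route.key}-via-firewall"
      address_prefix         = route.value
      next_hop_type          = "VirtualAppliance"
      next_hop_in_ip_address = var.firewall_private_ip
    }
  }

  # Forced tunnelling: only emitted for the spoke tables.
  dynamic "route" {
    for_each = contains(local.forced_tunnel, each.key) ? [1] : []
    content {
      name           = "default-forced-tunnelling"
      address_prefix = "0.0.0.0/0"
      next_hop_type  = "VirtualNetworkGateway"
    }
  }
}

# Attach each table to the subnet it protects.
resource "azurerm_subnet_route_table_association" "this" {
  for_each = {
    gateway = var.gateway_subnet_id
    spoke_a = var.spoke_a_subnet_id
    spoke_b = var.spoke_b_subnet_id
  }

  subnet_id      = each.value
  route_table_id = azurerm_route_table.this[each.key].id
}
```

The peering flags (gateway transit on the hub side, use remote gateways on the spoke side) are set on the azurerm_virtual_network_peering resources and are not repeated here; without them the 0.0.0.0/0 route to VirtualNetworkGateway in a spoke has no gateway to resolve to and the route shows as invalid in the effective routes of the spoke NICs.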
Re: Azure AD Roles
Hi, you could restrict the scope to an Azure AD group for the custom role scope. You might need to consider the following license requirement: using built-in roles in Azure AD is free, while custom roles require an Azure AD Premium P1 license. https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-overview?WT.mc_id=AZ-MVP-5004274
Re: problem update tfstate with resources
You need to disable the CI trigger by adding trigger: none https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/azure-repos-git?view=azure-devops&WT.mc_id=AZ-MVP-5004274 Regarding the error in the screenshot, it simply means that a resource with the same name has been created manually or by Terraform but not kept in the state file. If the resource group is empty, the easiest way is to delete it and redeploy it. If it's not possible, you need to do a terraform import, an option documented here: https://www.terraform.io/cli/import/usage
Re: Peering between two vnets across subscriptions -- terraform
Hello, you need to use aliases like this (provider version to update):

In main.tf

```hcl
# Pin the provider once here; the "version" argument inside provider blocks is deprecated.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.23.0"
    }
  }
}

# One aliased provider per subscription, each authenticated with its own service principal.
provider "azurerm" {
  alias           = "vnet1"
  features {}
  client_id       = var.vnet1_client_id
  tenant_id       = var.vnet1_tenant_id
  client_secret   = var.vnet1_client_secret
  subscription_id = var.vnet1_subscription_id
}

provider "azurerm" {
  alias           = "vnet2"
  features {}
  client_id       = var.vnet2_client_id
  tenant_id       = var.vnet2_tenant_id
  client_secret   = var.vnet2_client_secret
  subscription_id = var.vnet2_subscription_id
}

# Peering is created from both sides; each side uses the provider of its own subscription.
resource "azurerm_virtual_network_peering" "peer-to-vnet1" {
  provider                     = azurerm.vnet2
  name                         = "peer-to-${var.vnet1_name}"
  resource_group_name          = var.vnet2_resource_group_name
  virtual_network_name         = var.vnet2_name
  remote_virtual_network_id    = var.vnet1_id
  allow_virtual_network_access = var.allow_virtual_network_access_vnet2_to_vnet1
  allow_forwarded_traffic      = var.allow_forwarded_traffic_vnet2_to_vnet1
  allow_gateway_transit        = var.allow_gateway_transit_vnet2_to_vnet1
  use_remote_gateways          = var.use_remote_gateways_vnet2_to_vnet1
}

resource "azurerm_virtual_network_peering" "peer-to-vnet2" {
  provider                     = azurerm.vnet1
  name                         = "peer-to-${var.vnet2_name}"
  resource_group_name          = var.vnet1_resource_group_name
  virtual_network_name         = var.vnet1_name
  remote_virtual_network_id    = var.vnet2_id
  allow_virtual_network_access = var.allow_virtual_network_access_vnet1_to_vnet2
  allow_forwarded_traffic      = var.allow_forwarded_traffic_vnet1_to_vnet2
  allow_gateway_transit        = var.allow_gateway_transit_vnet1_to_vnet2
  use_remote_gateways          = var.use_remote_gateways_vnet1_to_vnet2
}
```

In variables.tf

```hcl
# Variables related to Vnet 2: spoke
variable "vnet2_resource_group_name" {
  type        = string
  description = "Name of the resource group"
}

variable "vnet2_name" {
  type        = string
  description = "Name of the spoke virtual network"
}

variable "vnet2_id" {
  type        = string
  description = "Id of the spoke virtual network"
}

variable "allow_virtual_network_access_vnet2_to_vnet1" {
  type        = bool
  description = "(Optional) Controls if the VMs in the remote virtual network can access VMs in the local virtual network. Defaults to true."
  default     = true
}

variable "allow_forwarded_traffic_vnet2_to_vnet1" {
  type        = bool
  description = "(Optional) Controls if forwarded traffic from VMs in the remote virtual network is allowed. Defaults to true."
  default     = true
}

variable "allow_gateway_transit_vnet2_to_vnet1" {
  type        = bool
  description = "(Optional) Controls if gatewayLinks can be used in the remote virtual network's link to the local virtual network."
  default     = false
}

variable "use_remote_gateways_vnet2_to_vnet1" {
  type        = bool
  description = "(Optional) Controls if remote gateways can be used on the local virtual network. If the flag is set to true, and allow_gateway_transit on the remote peering is also true, the virtual network will use gateways of the remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if the virtual network already has a gateway. Defaults to false."
  default     = false
}

# Variables related to Vnet 1: hub
variable "vnet1_resource_group_name" {
  type        = string
  description = "Name of the resource group"
}

variable "vnet1_name" {
  type        = string
  description = "Name of the hub virtual network"
}

variable "vnet1_id" {
  type        = string
  description = "Id of the hub virtual network"
}

variable "allow_virtual_network_access_vnet1_to_vnet2" {
  type        = bool
  description = "(Optional) Controls if the VMs in the remote virtual network can access VMs in the local virtual network. Defaults to true."
  default     = true
}

variable "allow_forwarded_traffic_vnet1_to_vnet2" {
  type        = bool
  description = "(Optional) Controls if forwarded traffic from VMs in the remote virtual network is allowed. Defaults to true."
  default     = true
}

variable "allow_gateway_transit_vnet1_to_vnet2" {
  type        = bool
  description = "(Optional) Controls if gatewayLinks can be used in the remote virtual network's link to the local virtual network. The hub allows transit."
  default     = true
}

variable "use_remote_gateways_vnet1_to_vnet2" {
  type        = bool
  description = "(Optional) Controls if remote gateways can be used on the local virtual network. If the flag is set to true, and allow_gateway_transit on the remote peering is also true, the virtual network will use gateways of the remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if the virtual network already has a gateway. Defaults to false."
  default     = false
}

# Service principal credentials for each provider. The secrets are marked sensitive
# so they are redacted from plan/apply output; pass them through environment
# variables or a secret store rather than a committed tfvars file.
variable "vnet2_client_id" {
  type        = string
  description = "vnet2 SP creds for provider"
}

variable "vnet2_tenant_id" {
  type        = string
  description = "vnet2 SP creds for provider"
}

variable "vnet2_client_secret" {
  type        = string
  description = "vnet2 SP creds for provider"
  sensitive   = true
}

variable "vnet2_subscription_id" {
  type        = string
  description = "vnet2 SP creds for provider"
}

variable "vnet1_client_id" {
  type        = string
  description = "vnet1 SP creds for provider"
}

variable "vnet1_tenant_id" {
  type        = string
  description = "vnet1 SP creds for provider"
}

variable "vnet1_client_secret" {
  type        = string
  description = "vnet1 SP creds for provider"
  sensitive   = true
}

variable "vnet1_subscription_id" {
  type        = string
  description = "vnet1 SP creds for provider"
}
```
Re: Merge two companies on Azure
AZrockstar_2022 Hi, you can achieve this in 3 steps:
1. Review role assignments and analyze what would be the potential impact of moving the subscriptions to your tenant.
2. Transfer the subscriptions to your tenant to have a single one.
3. Review the role assignments after the transfer and adjust if needed.
Transfer an Azure subscription to a different Azure AD directory | Microsoft Docs
Re: Unable to Connect RDP (Mac & Windows)
ExcelExciting Hi, in the virtual machine settings go to Networking, then add a rule that allows inbound connections on port 3389. You can leave any/any for testing purposes only, but ideally specify the public IP of your network for the source IP address (instead of any).
Re: add a new vnet to the Fortigate on azure
hamma91 Hello
- Create a route table and associate it to all subnets of your virtual network (if you want to redirect the traffic for all subnets; otherwise you can exclude one or more of them)
- Create a user defined route with the following config:
  - Name: friendly name (ex: To_Firewall)
  - Address prefix: 0.0.0.0/0
  - Next hop type: Virtual Appliance
  - Next hop IP address: private IP of your virtual appliance (here the Fortinet)
In the Fortinet virtual appliance config:
- create the objects for the virtual network or subnets
- create rules for the traffic that fit your needs
Re: Send Email for daily cost azure infra
Hi, access to schedule means your configuration is OK, so unless you gave the wrong email it should work. However, as with every preview, you can face some issues with features not working as expected. Maybe retry with another email, but I think the feature is just not working for you.
Re: MS Guidance on NSGs on NICs vs on Subnets
kellybush Hi, I would say always use subnet when possible because of the recommendation below:
"Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting."
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
In fact, if you decide to associate an NSG to a NIC you will need to do it for every NIC in the subnet to have rules applied in the overall subnet (say hello to management overhead). Also, if the subnet is already associated you will have the risk of conflicts mentioned above since you will configure both.
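The two NSG replies on this page (the RDP one, which says to allow 3389 only from your own public IP rather than from any, and this one, which says to attach the NSG at subnet level rather than per NIC) combined into one Terraform configuration. This is an added example, not code from either reply or from Microsoft. It assumes the azurerm provider 3.x, a resource group rg-app in westeurope, a subnet ID passed in as a variable, and 203.0.113.10 as a constructed stand-in for the administrator's egress IP.

```hcl
# Added example (not from the original replies). Assumed values: resource group
# "rg-app" in "westeurope", subnet ID passed in, and 203.0.113.10 (documentation
# range, constructed) standing in for the administrator's public IP.

variable "app_subnet_id" { type = string }

variable "admin_public_ip" {
  type    = string
  default = "203.0.113.10" # assumed: replace with your own egress address
}

resource "azurerm_network_security_group" "app" {
  name                = "nsg-app-subnet"
  location            = "westeurope"
  resource_group_name = "rg-app"

  # RDP only from the administrator's address, never from "Any"/"*".
  security_rule {
    name                       = "allow-rdp-from-admin"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = var.admin_public_ip
    destination_address_prefix = "*"
  }

  # The built-in DenyAllInBound (priority 65500) already drops other sources;
  # an explicit deny from the Internet tag makes the intent visible in the
  # rule list and in effective-security-rules output.
  security_rule {
    name                       = "deny-rdp-from-internet"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

# One association at subnet level; no per-NIC NSGs in this subnet, so there is
# no second rule set to conflict with.
resource "azurerm_subnet_network_security_group_association" "app" {
  subnet_id                 = var.app_subnet_id
  network_security_group_id = azurerm_network_security_group.app.id
}
```

If a NIC in that subnet already carries its own NSG, both sets are evaluated (subnet NSG first for inbound, NIC NSG first for outbound) and the stricter result wins, which is exactly the conflict the quoted recommendation warns about; remove the NIC association before relying on the subnet rules.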