Azure Stack
58 Topics

- How to Learn Microsoft Azure in 2020 🎉☁🎓
  The year 2019 is almost over, and usually, we take the time to look back at the year and also to find some New Year's resolutions for the new year. Why not take all that energy and prepare for the cloud computing era and advance your career by learning Microsoft Azure? In this post, I try to give you a quick look at how you can get started to learn Microsoft Azure in 2020. You can read more here: https://www.thomasmaurer.ch/2019/12/how-to-learn-microsoft-azure-in-2020/
  2K Views, 3 likes, 0 Comments
- Managing and Working with Azure Network Security Groups (NSG)
  When you are implementing your Microsoft Azure design, like a hub-spoke model, you have to deal with the security of your Azure environment (Virtual Datacenter). One of them is Network Security Groups, to protect your virtual networks and make communication between Azure subnets possible in a secure Azure Virtual Datacenter. You really have to plan your Azure virtual networks and implement them by architectural design. Now I'm writing about Azure Network Security Groups, which are important, but there are more items to deal with, like:
  - Naming conventions in your Azure Virtual Datacenter
  - Azure Subscriptions (who is Owner, Contributor, or Reader?)
  - Azure Regions (where is my datacenter in the world?)
  - Azure VNET and subnets (IP addresses)
  - Security of your virtual networks (traffic filtering, routing)
  - Azure connectivity (VNET peering between Azure subscriptions, VPN Gateway)
  - Permissions (RBAC)
  - Azure Policy (working with Blueprints)

  How to manage Microsoft Azure Network Security Groups (NSG)? Read more on my blog about Infrastructure as Code (IaC) here with Azure DevOps and Visual Studio
  6.5K Views, 2 likes, 0 Comments
- Microsoft System Center DPM 2019 and Azure Backup Services
  Microsoft System Center Data Protection Manager 2019

  In an earlier blog post I wrote about Backup – Restore – DR Strategy in a fast changing world. Microsoft Products for Backup – Restore – DR, we have:
  - Microsoft System Center Data Protection Manager
  - Microsoft Azure Backup
  - Microsoft Azure Site Recovery (DR)

  1. Microsoft System Center Data Protection Manager (DPM)
  You can install Microsoft SCDPM on different solutions, like:
  - As a physical standalone server
  - As a Hyper-V virtual machine
  - As a Windows virtual machine in VMware
  - As an Azure virtual machine

  If you don't want to manage hardware like a physical server, you can virtualize your DPM server on-premises on Hyper-V or VMware, but you can also install DPM into the cloud as an Azure VM. Here you can read What's New in System Center DPM 2019. Before you begin you should know what Microsoft System Center Data Protection Manager supports and can protect by backup. Here you find the highlights.

  2. Microsoft Azure Backup
  Use Azure Backup to protect the data for on-premises servers, virtual machines, virtualized workloads, SQL Server, SharePoint Server, and more. Because this is a Microsoft cloud service, you don't have to buy expensive hardware like physical servers, storage, or a tape library; you just pay for what you are using in Azure. Here you find the Microsoft Azure Calculator to calculate your backup costs. Read the complete blog post on System Center DPM 2019 and Azure Backup here
  5.1K Views, 2 likes, 4 Comments
- Copy Files to Azure VM using PowerShell Remoting
  There are a couple of different cases where you want to copy files to Azure virtual machines. To copy files to an Azure VM, you can use PowerShell Remoting. This works with Windows and Linux virtual machines using Windows PowerShell 5.1 (Windows only) or PowerShell 6 (Windows and Linux). Check out my blog post at ITOpsTalk.com about copying files from Windows to Linux using PowerShell Remoting. If you want to know more about how to copy files to an Azure VM using PowerShell Remoting, check out my post.
  9K Views, 1 like, 0 Comments
- Comparison of Azure Cloud Sync and Traditional Entra Connect Sync
  Introduction
  In the evolving landscape of identity management, organizations face a critical decision when integrating their on-premises Active Directory (AD) with Microsoft Entra ID (formerly Azure AD). Two primary tools are available for this synchronization:
  - Traditional Entra Connect Sync (formerly Azure AD Connect)
  - Azure Cloud Sync

  While both serve the same fundamental purpose, bridging on-prem AD with cloud identity, they differ significantly in architecture, capabilities, and ideal use cases.

  Architecture & Setup
  Entra Connect Sync is a heavyweight solution. It installs a full synchronization engine on a Windows Server, often backed by SQL Server. This setup gives administrators deep control over sync rules, attribute flows, and filtering. Azure Cloud Sync, on the other hand, is lightweight. It uses a cloud-managed agent installed on-premises, removing the need for SQL Server or complex infrastructure. The agent communicates with Microsoft Entra ID, and most configurations are handled in the cloud portal. For organizations with complex hybrid setups (e.g., Exchange hybrid, device management), is Cloud Sync too limited?
  470 Views, 1 like, 2 Comments
- Azure NSG Challenge: When NIC and Subnet Rules Collide
  Imagine this real-world scenario:
  🔹 A VM needs to connect outbound via RDP (TCP 3389) to an external server for management.
  🔹 The NIC-level NSG allows outbound RDP, ensuring the VM can initiate connections.
  🔹 However, the Subnet-level NSG has an inbound deny rule specifically for RDP.

  💭 Question for IT Pros:
  👉 Would the outbound RDP session succeed or be blocked due to the subnet-level NSG?
  👉 How do you design NSG rules to prevent misconfigurations while maintaining security?

  #######################################################

  Great challenge! Let's break it down:

  🚦 Would the outbound RDP session succeed or be blocked?
  The outbound RDP session would succeed because the subnet-level NSG applies to inbound traffic coming into the subnet, not traffic leaving the VM. Since outbound RDP is explicitly allowed at the NIC level, the VM can initiate connections without issue. However, if the external server tries to respond back, the inbound deny rule at the subnet level would block the return traffic. This effectively disrupts the session, making it seem like the connection failed.

  🔒 How to design NSG rules effectively?
  To prevent misconfigurations while maintaining security:
  1- Understand NSG processing – Rules are evaluated independently at the NIC and Subnet levels, but both must allow the required traffic.
  2- Use least privilege principles – Only allow necessary traffic and explicitly deny everything else.
  3- Be careful with inbound rules at the subnet level – Blocking inbound traffic here can unintentionally interfere with legitimate outbound sessions.
  4- Log traffic flows with NSG Flow Logs – Use diagnostic settings to capture insights for troubleshooting.
  5- Consider Application Security Groups (ASGs) – These simplify NSG management by grouping resources dynamically.
  172 Views, 1 like, 4 Comments
- The year in review: Hybrid applications for developers
  As 2018 comes to an end, we look at the technology landscape. We look at the kinds of hybrid scenarios our customers are developing. For example, we see Airbus transforming aerospace with Microsoft Azure Stack and I realize that this year has been amazing for developers that design, develop, and maintain cloud-based apps. Azure Stack has improved support for DevOps practices. You can use Kubernetes containers. You can use API Profiles with Azure Resource Manager and the code of your choice. You can review walkthroughs and tutorials on getting up and running with a development practice using a continuous integration pipeline. With Azure Stack, your apps can be developed in the cloud. You can code once and deploy to environments in Azure or in your local data center. We are now seeing some of your favorite services from Azure arrive on Azure Stack. The Azure Stack team is also excited to come together with other members of the Azure Edge family, which include Data Box Edge, IoT Edge, and Azure Sphere. If you didn't get a chance to attend Ignite 2018's session on the Intelligent Edge, check out the "Delivering Intelligent Edge and Microsoft Azure Stack and Data Box" session. The Edge closes the gap between on-premises solutions and the cloud. You can write applications based on a consistent Azure model. You can deploy different parts of your apps to different locations that make the most sense for each solution. Read about it in the Azure blog.
  1.3K Views, 1 like, 0 Comments
- Using Azure Update Management on Azure Stack
  At Microsoft Ignite 2018, Microsoft announced the integration of Azure Update and Configuration Management on Azure Stack. This is a perfect example of how Azure services from the public cloud can be extended into your datacenter using Azure Stack. Azure Update and Configuration Management brings Azure Update Management, Change Tracking and Inventory to your Azure Stack VMs. In the case of Azure Stack, the backend services and orchestrator, like Azure Automation and Log Analytics, will continue to run in Azure, but it lets you connect your VMs running on Azure Stack. Learn more here: https://www.thomasmaurer.ch/2018/12/azure-update-management-azure-stack/
  2.4K Views, 1 like, 3 Comments
- Considerations for deploying apps and services on Azure Stack
  I work with a couple of customers on different Azure Stack projects. One of the main topics that always comes up is what the differences are between Azure and Azure Stack when deploying applications and services. Obviously there are the high-level differences, which I have written about here: Microsoft Azure Stack – Azure Extension in your Datacenter. However, there are also small differences in features and services between Azure and Azure Stack. These differences can block customers from deploying and automating workloads. I tried to summarize the most common differences and considerations you should know in a single blog post. Check out my blog here: https://www.thomasmaurer.ch/2018/12/considerations-using-azure-stack/
  1.1K Views, 1 like, 0 Comments
- Opening up the Azure Stack Development Kit's Networking
  The Azure Stack Development Kit is awesome, allowing you to rapidly get up and running with Azure Stack services in your own datacenter for minimal cost. Unfortunately its services have been locked away behind a software defined networking infrastructure that you can only access by RDPing to the host. This means that many scenarios around hybrid apps, migration, integration, and more have just not been possible... until now. Here's a new blog post which walks you through how to open the ASDK up to your corporate network, without requiring any advanced network knowledge :) https://dell.to/2RxwAJ1
  1.3K Views, 1 like, 0 Comments