azure resource management
133 Topics

Azure Key Vault RBAC (Role Based Access Control) versus Access Policies!
Dear Microsoft Azure Friends,

With an Azure Key Vault, RBAC (Role Based Access Control) and Access Policies always lead to confusion. Let me take this opportunity to explain this with a small example.

First of all, let me show you with which account I logged into the Azure Portal. You can see this in the graphic on the top right. Now let's examine the subscription named "MSDN Platforms" by navigating to Access Control (IAM). In "Check Access" we are looking for a specific person. It is Jane Ford; we see that Jane has the Contributor right on this subscription. So she can do (almost) everything except change or assign permissions. This is, in short, the Contributor right.

Now we search for the Azure Key Vault in "All resources"; for this it is good to work with a filter. As you can see, Azure Key Vault (twkv77) is part of the "MSDN Platforms" subscription. We check again that Jane Ford has the Contributor role (inherited) by navigating to Access Control (IAM) in the Azure Key Vault and clicking on "Role assignments".

Now we navigate to "Access Policies" in the Azure Key Vault. As you can see, there is a policy for the user "Tom" but none for Jane Ford. With an Access Policy you determine who has access to the keys, passwords and certificates. This means that if there is no access policy for Jane, she will not have access to keys, passwords, etc. That's exactly what we're about to check.

As you can see in the upper right corner, I signed in as "Jane Ford" (she gave me the authorization ;-)). If I now navigate to the keys, we see immediately that Jane has no right to look at the keys. There is no access policy for Jane that includes, for example, the "List" right, so she can't access the keys.

With RBAC you control the so-called Management Plane and with the Access Policies the Data Plane. Now you know the difference between RBAC and an Access Policy in an Azure Key Vault! Sure, this wasn't super exciting, but I still wanted to share this information with you.
I hope this article was helpful for you. Thank you for taking the time to read this article.

Best regards,
Tom Wechsler

What is the Best Way to Achieve Azure Certification 70-532
Hi Admin / All,

What is the best way to achieve Azure Certification 70-532? I have already taken the MVA course on associate exam preparation. I need further suggestions from all of you. Thanks in advance!

Regards,
Sudip

🚀 Azure Control, Data, & MGMT Planes: The Backbone of Cloud Efficiency 🌐
Azure operations can be divided into three categories (Control Plane, Data Plane, Management Plane). This post describes the differences between those three types of operations.

Tip: suppose that the word "plane" means "function"; understand this definition like this!

# Control Plane (Function) #

@ The Control Plane is responsible for managing and configuring Azure resources.
@ It handles administrative tasks such as creating, updating, and deleting resources.
@ All requests for control plane operations are sent to the Azure Resource Manager URL. For Azure global, the URL is "https://management.azure.com".
@ Azure Resource Manager handles all control plane requests. It automatically applies the Azure features you implemented to manage your resources, such as: Azure role-based access control (Azure RBAC), Azure Policy, Management Locks, Activity Logs.
@ After Azure Resource Manager authenticates the request, it sends the request to the resource provider, which completes the operation.
@ The control plane includes two scenarios for handling requests: "green field" and "brown field".
@ Green field refers to ---> new resources. Brown field refers to ---> existing resources.

# Data Plane (Function) #

@ The Data Plane is responsible for interacting with the actual data within Azure resources.
@ Once a resource is created, operations like reading, writing, and processing data occur in the Data Plane.
@ Requests for data plane operations are sent to an endpoint that's specific to your instance. Ex: "myaccount.blob.core.windows.net" ---> for a storage account
@ Operates independently of the Control Plane, meaning even if the Control Plane is unavailable, the Data Plane remains accessible.

# Management Plane (Function) #

@ The Management Plane oversees monitoring, security, and configuration of Azure services.
@ It ensures that resources are operating efficiently and securely.
Ex: Azure Monitor: collecting logs and metrics from resources
Ex: Azure Security Center: managing security policies and compliance.
Ex: Azure Automation: running scheduled tasks for resource management.

Managing and Working with Azure Network Security Groups (NSG)
When you are implementing your Microsoft Azure design, like a Hub-Spoke model, you have to deal with the security of your Azure environment (Virtual Datacenter). One of them is Network Security Groups, to protect your virtual networks and make communication between Azure subnets possible in a secure Azure Virtual Datacenter. You really have to plan your Azure virtual networks and implement them by architectural design. Now I’m writing about Azure Network Security Groups, which is important, but there are more items to deal with, like:

Naming conventions in your Azure Virtual Datacenter
Azure Subscriptions (who is Owner, Contributor, or Reader?)
Azure Regions (where is my datacenter in the world?)
Azure VNET and subnets (IP addresses)
Security of your virtual networks (traffic filtering, routing)
Azure connectivity (VNET peering between Azure subscriptions, VPN Gateway)
Permissions (RBAC)
Azure Policy (working with Blueprints)

How to manage Microsoft Azure Network Security Groups (NSG)? Read more on my blog about Infrastructure as Code (IaC) here with Azure DevOps and Visual Studio.

Use tags to organize your Azure resources (with the Azure CLI)!
Hi Azure friends,

Start the Cloud Shell in the Azure portal or go to the following URL: https://shell.azure.com/

Please start with the following steps to begin the deployment (the lines starting with # are comments):

# Here you can find out which subscription you are working with
az account show

# View all subscriptions
az account list --all --output table

# Change the subscription (if necessary)
az account set --subscription "Name of the Subscription"

# To overwrite the tags on a resource
az resource tag --tags 'Dept=IT' 'Environment=Test' -g tw-rg01 -n vnet-base --resource-type "Microsoft.Network/virtualNetworks"

# To append a tag to the existing tags on a resource
az resource update --set tags.'Status'='Approved' -g tw-rg01 -n vnet-base --resource-type "Microsoft.Network/virtualNetworks"

# To overwrite the existing tags on a resource group
az group update -n tw-rg01 --tags 'Environment=Test' 'Dept=IT'

# To append a tag to the existing tags on a resource group
az group update -n tw-rg01 --set tags.'Status'='Approved'

# To see the existing tags for a resource
az resource show -n vnet-base -g tw-rg01 --resource-type "Microsoft.Network/virtualNetworks" --query tags

# To see the existing tags for a resource group
az group show -n tw-rg01 --query tags

# To get all the resources that have a particular tag and value
az resource list --tag Dept=Finance

# To get resource groups that have a specific tag
az group list --tag Dept=IT

Now you have organized Azure tags with the Azure CLI! Congratulations!

I hope this article was useful.

Best regards,
Tom Wechsler

P.S. All scripts (#PowerShell, @azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

A Beginner's Guide To Role-Based Access Control on Azure.
When creating access to systems, applications and environments, it's important to keep security top of mind. Even working at a rapid pace, it's important to consider what credentials and access we give to a resource. Examples of this kind of administration of roles could be access to a Windows Server or providing pull access to a Docker image from an Azure Kubernetes cluster. These types of actions require some form of authentication and authorization in order to provide access. This guide provides you some information on getting started on understanding Azure RBAC with many of the articles you can find on Microsoft Docs and Microsoft Learn.

Defining the difference

Authorization and Authentication are the cornerstones of security for computing. Before we dig into examples, let's just define the words from Webster's dictionary.

Authentication: an act, process, or method of showing something (such as an identity, a piece of art, or a financial transaction) to be real, true, or genuine: the act or process of authenticating something

Authorization: the granting of power to perform various acts or duties

To think about this in a practical sense, consider the hierarchy of a WordPress CMS set of user roles. From WordPress Docs, Summary of Roles:

Super Admin – somebody with access to the site network administration features and all other features. See the Create a Network article.
Administrator – somebody who has access to all the administration features within a single site.
Editor – somebody who can publish and manage posts including the posts of other users.
Author – somebody who can publish and manage their own posts.
Contributor – somebody who can write and manage their own posts but cannot publish them.
Subscriber – somebody who can only manage their profile.

When a user authenticates into WordPress, the SQL database where user roles are stored then determines what rights the user will have when logged in.
The Administrator user may be responsible for maintenance of plug-ins for the website. The admin would like to avoid users who are not part of the website maintenance plan being able to install, delete or modify any of the plug-ins. By ensuring all of these users have a role that does not permit these rights, our website remains more reliable due to unplanned maintenance. The Contributor role appears to be what's right:

Contributor
delete_posts
edit_posts
read
read Reusable Blocks

In this case, the Contributor role for someone who may just be posting new content updates may make sense due to the specific set of roles the user is authorized to do.

RBAC for Azure

Role-Based Authentication (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Access management via RBAC on Azure allows you to better control the scope of what your users and applications can access, along with what they are authorized to do.

What can I do with RBAC?

Here are some examples of what you can do with RBAC:

Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
Allow a DBA group to manage SQL databases in a subscription
Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
Allow an application to access all resources in a resource group

Fundamentals

The way you control access to resources using RBAC is to create role assignments. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.

User - An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants. For information about users in other organizations, see Azure Active Directory B2B.
Group - A set of users created in Azure Active Directory.
When you assign a role to a group, all users within that group have that role.
Service principal - A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.
Managed identity - An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.

Azure RBAC roles

Azure includes several built-in roles that you can use. The following lists four fundamental built-in roles. The first three apply to all resource types.

Owner - Has full access to all resources including the right to delegate access to others.
Contributor - Can create and manage all types of Azure resources but can't grant access to others.
Reader - Can view existing Azure resources.
User Access Administrator - Lets you manage user access to Azure resources.

Different Azure resources also have built-in roles to ensure secure access. By using RBAC we can ensure our DBA can log in just to the development and UAT of our Azure SQL Database managed instances. We can assign them the built-in SQL Managed Instance Contributor role. This role permits users to manage SQL servers and databases, but not access to them, and not their security-related policies.

How RBAC determines if a user has access to a resource

The following are the high-level steps that RBAC uses to determine if you have access to a resource on the management plane. This is helpful to understand if you are trying to troubleshoot an access issue.

A user (or service principal) acquires a token for Azure Resource Manager. The token includes the user's group memberships (including transitive group memberships).
The user makes a REST API call to Azure Resource Manager with the token attached.
Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken.
Azure Resource Manager narrows the role assignments that apply to this user or their group and determines what roles the user has for this resource.
Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource.
If the user doesn't have a role with the action at the requested scope, access is not granted. Otherwise, Azure Resource Manager checks if a deny assignment applies.
If a deny assignment applies, access is blocked. Otherwise, access is granted.

Next Steps

If you want to learn more and get started, you've got so many resources. Check out these links:

What is role-based access control (RBAC) for Azure resources?
Create custom roles for Azure resources with role-based access control (RBAC)
Get $200 in Azure Credit

Azure REST API - $filter param for time delta throws ProviderError
Hello All,

We are facing issues with the Azure API endpoint for fetching security alerts based on a given time filter: https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts/listbyresourcegroup#code-try-0 (and screenshot for the API section). We encountered the following error while hitting the endpoint with the required params and Bearer access token.

Error Details:
{
  "error": {
    "code": "ProviderError",
    "message": "Resource provider 'Microsoft.Security' failed to return collection response for type 'alerts'."
  }
}

Endpoint URL:
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{ResourceGroup}/providers/Microsoft.Security/alerts?api-version={version}&$filter=properties.reportedTimeUtc eq '2019-07-06T08:00:51.8801218Z'

NOTE: The URL gives a response without specifying the time “filter”, but when using filter as one of the params, we get the above mentioned error.

The param value used:
$filter = properties.reportedTimeUtc eq '2019-07-06T08:00:51.8801218Z'

Could anyone help in the resolution of this issue? Let me know for any additional details/clarifications. Thank You.

Azure Managed Application
Hi all!

During //Build a few weeks ago, we announced "Azure Managed Application". Azure Managed Applications provides an ecosystem that enables vendors to make PaaS or SaaS services available as self-contained applications. Customers deploy managed applications in their subscriptions, but vendors can manage them. It enables vendors to bill customers using Azure's billing system and use templates to manage the lifecycle of deployed applications. On the other side, it allows customers to automatically acquire updates, and pay for support and maintenance. They do not have to maintain or update the application themselves or diagnose and fix issues when the application fails.

The building blocks for an Azure Managed Application consist of:

applianceMainTemplate.json - This is the Resource Manager template, which will provision the apps and underlying Azure resources into a managed resource group.
mainTemplate.json - This is the template the consumer will deploy (to deploy the managed app), which will be mapped towards the applianceMainTemplate.json.
applianceCreateUiDefinition.json - This is the UI definition the consumer will interact with in the Azure portal, when deploying the managed app.

We have a few samples published to GitHub already - and we would love your feedback :-)

-kn

Azure Cloud Shell Tips for SysAdmins Part II - Using the Cloud Shell tools to Migrate
As an Azure Advocate, one of the things I spend my time doing is learning the easiest ways for beginners to use Microsoft Azure. Today I want to share with you a few ways to utilize some tools that are built right into Azure. In my last blog post, Azure Cloud Shell Tips for SysAdmins (bash), I discussed some of the tools that the Azure Cloud Shell for bash already has built into it. This time I will go a bit deeper and show you how to utilize a combination of the tools to create an UbuntuLTS Linux server. Once the server is provisioned, I will demonstrate how to use Ansible to deploy Node.js from the nodesource binary repository.

Requirements for the tutorial:

Azure Account
Azure Cloud Shell (bash)
Some SSH and text editing

What’s the point of all this?

Good question. From my travels as a Cloud Advocate, I really have noticed that many users who’ve come from the world of System Administration need the tools and tutorials to walk before they can run. It’s great to use Kubernetes to orchestrate a complex distributed system. But if that’s not quite where you are in the steps of moving to the cloud, I can start with some “lift and shift” methodology.

Migration Strategies

I brought up “lift and shift” and should really go into it a bit more, because it’s used a lot when you discuss your migration strategy. For some companies, completely refactoring an application to microservices or a service mesh is not feasible. Setting a pace for your migration as an organization is a long-term plan that requires learning for many roles in your IT organization. If you want to migrate the right way, you need to understand the resources that are available to you. In the example of Microsoft Azure, there are nearly 600 different services being offered to the user. When determining how your apps are eventually going to run in the cloud, it’s ideal to understand exactly how you’ll get them there.
The idea of “Migrating and Modernizing” your applications has a few key strategies, as noted in this document by Azure:

Rehost - Often referred to as “lift and shift” migration, this no-code option lets you migrate your existing applications to Azure quickly. Each application is migrated as-is, which provides the benefits of the cloud without the risks or costs of making code changes.

Refactor - Often referred to as repackage, this cloud migration strategy involves some change to the application design but no wholesale changes to the application code. Your application can take advantage of infrastructure as a service (IaaS) and platform as a service (PaaS) products, such as Azure App Service, Azure SQL Database Managed Instance, and containers.

Rearchitect - Modify or extend your application's code base to scale and optimize it for the cloud. Modernize your app into a resilient, highly scalable, independently deployable architecture and use Azure to accelerate the process, scale applications with confidence, and manage your apps with ease…

Rebuild - Rebuild an application from scratch using cloud-native technologies. Azure platform as a service (PaaS) provides a complete development and deployment environment in the cloud, without the expense and complexity of software licenses, the need for underlying application infrastructure, or middleware and other resources. With this cloud migration strategy, you manage the applications and services you develop, and Azure manages everything else.

First Steps

So here is a list of different ways of looking at how to migrate applications into the cloud. For this situation I’ve leaned into some tools in Cloud Shell that are going to help me essentially “Rehost” or “lift and shift” an application. This will be a basic step into the cloud that many SysAdmins can use to begin the process of building more cloud native applications.
First, open a Cloud Shell; this can be done by going to the Cloud Shell logo in the portal, right of the search bar, or navigate directly by going to https://shell.azure.com/. The Azure Cloud Shell contains all the tools used in this tutorial. The steps will be as follows:

Use git to get the helper script and Ansible repo (create-vm-tutorial)
Review the script, execute it from the Cloud Shell to create an Ubuntu LTS server
Review and execute the Ansible playbook from the Cloud Shell to install Node.js
SSH in, deploy demo-app

For this example we’ll just use demo-app to show it’s all working. I’ve logged into my shell and now I will grab the create-vm-tutorial repo that contains the bash script and Ansible playbook I need.

git clone git@github.com:jaydestro/create-vm-tutorial.git
cd create-vm-tutorial/

jay@Azure:~/create-vm-tutorial$ ls -al
total 24
drwxr-xr-x 4 jay jay 4096 Jun 25 17:30 .
drwxr-xr-x 34 jay jay 4096 Jun 25 17:30 ..
drwxr-xr-x 2 jay jay 4096 Jun 25 17:30 ansible
-rw-r--r-- 1 jay jay 2478 Jun 25 17:30 create-simple-vm.sh
drwxr-xr-x 8 jay jay 4096 Jun 25 17:30 .git
-rw-r--r-- 1 jay jay 838 Jun 25 17:30 README.md

Now looking at the create-simple-vm.sh helper script, you can examine its basic tasks that create a resource group, create a VM and then open a few ports for you to SSH and bind the app to port 80. There are a few variables the script will ask you for upon execution. It’s best to get the subscription ID first before running the script; for my security I have modified some of the output:

az account show --out json
{
  "environmentName": "AzureCloud",
  "id": "fffffff-0000-42d3-a58b-fake",
  "isDefault": true,
  "name": "ca-jagord-demo-test",
  "state": "Enabled",
  "tenantId": "fffffff-0000-41af-91ab-fake",
  "user": {
    "cloudShellID": true,
    "name": "email@microsoft.com",
    "type": "user"
  }
}

Let's execute our script!
bash create-simple-vm.sh
Your subscription ID can be looked up with the CLI using: az account show --out json

Enter the subscription ID we just got before.

Enter your subscription ID: Fffffff-0000-42d3-a58b-fake

Give this a resource group; put everything into a box so we can delete it all at once!

Enter a name for a resource group. This script will create a new group
jgdemo

Pick one of the Azure regions; in this case I use eastus:

Enter the location for this deployment
List of available regions is 'centralus,eastasia,southeastasia,eastus,eastus2,westus,westus2,northcentralus,southcentralus,westcentralus,northeurope,westeurope,japaneast,japanwest,brazilsouth,australiasoutheast,australiaeast,westindia,southindia,centralindia,canadacentral,canadaeast,uksouth,ukwest,koreacentral,koreasouth,francecentral,southafricanorth,uaenorth'
eastus

Give the server a name!

Enter front end VM name:
jgdemoserver

After these variables are entered, you’ll begin the process of provisioning the resource group and VM. You should see some output similar to this for each step:

After only about sixty seconds I get the output info for my new UbuntuLTS server:

As you can see, the VM is provided a fully qualified domain name and a public IP address upon deployment. I have specified that SSH keys be created for me and that the user ‘azureuser’ is created with sudo rights. The script will go on to open port 80 for our demo-app that will eventually be served from there for HTTP access. When completed, the script will provide you with “destroy” commands:

Youre done, when youre ready to delete this, execute this command in Cloud Shell
az group delete -g jgdemo

Hang on to that command; it becomes useful when you want to throw that box of resources away.
Use the VM’s public IP address; to get that you can run this command in the Cloud Shell with your resource group (I’ve just modified the IP address for the example):

az vm list-ip-addresses -g $RESOURCEGROUP | grep ipAddress
"ipAddress": "1.2.3.4",

Now that I have my IP address, I am ready to create an inventory host file for Ansible to run. Let’s create a simple one with these commands in my shell:

mkdir ~/.ansible/
code ~/.ansible/hosts

The contents of the ~/.ansible/hosts inventory file:

[hosts]
1.2.3.4

Save the file and close the code editor. Now let’s go into the ansible directory in the repo:

cd ansible

The install_node.yaml Ansible playbook contains directions to install a GPG key to permit new packages on the operating system to be installed. Then it will install the LTS version of Node.js:

ansible-playbook --inventory-file=~/.ansible/hosts -u azureuser install_node.yaml

Let’s SSH in and take a look!

ssh -l azureuser 40.117.152.205
azureuser@jgdemoserver:~$ npm -v
6.4.1
azureuser@jgdemoserver:~$ node -v
v8.16.0

Pretty cool; let’s do the last step. App deploy time! Get the demo-app repo and clone it to your home directory:

git clone https://github.com/jaydestro/demo-app.git
cd demo-app
npm install
sudo npm start

Now let’s check 40.117.152.205 in a browser:

Done and Demolition

That’s everything! The whole kit and kaboodle of getting a basic application up with the tools already built into the Azure Cloud Shell. You can store everything you create for your repository on your Cloud Shell and then create an SSH key to sync your repos with your GitHub or Azure DevOps repositories.

Destroying it all! Remember back when I said to “keep that command”? Let’s blow it all up and destroy our demo infrastructure:

az group delete -g jgdemo
Are you sure you want to perform this operation? (y/n): y

You’ll then see “Running…” until the group deletion process is completed. There’s a ton of information in this tutorial.
It’s meant to give the user who may be really not certain how to do some of these “lift and shift” tasks a first start in their world in the cloud. Migrating to the cloud can be a huge undertaking, so having beginner info can really help. If you run into any issues, feel free to reach out to me on Twitter @jaydestro or here in the comments.
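The provisioning, inventory and cleanup steps of the tutorial above, collected into one script as an added example. This is not the create-vm-tutorial project's own create-simple-vm.sh (the post does not show its contents); it assumes the names the post uses (resource group jgdemo, VM jgdemoserver, admin user azureuser, inventory at ~/.ansible/hosts, playbook install_node.yaml) and reconstructs the az calls the helper script would need for an Ubuntu LTS VM with generated SSH keys and port 80 open. Two things differ from the manual steps: the public address is read with a JMESPath --query instead of grep, and the region and the address are validated before anything is written, so a malformed value cannot become an Ansible target. Only the validation and inventory helpers run without Azure credentials; provision() runs only when the script is invoked with --run.

```shell
#!/bin/sh
# Added example (not the create-vm-tutorial project's script). Assumes the
# names from the post: resource group jgdemo, VM jgdemoserver, user azureuser,
# inventory ~/.ansible/hosts, playbook install_node.yaml.

# Region list copied from the prompt the helper script prints in the post.
ALLOWED_REGIONS="centralus eastasia southeastasia eastus eastus2 westus westus2 \
northcentralus southcentralus westcentralus northeurope westeurope japaneast \
japanwest brazilsouth australiasoutheast australiaeast westindia southindia \
centralindia canadacentral canadaeast uksouth ukwest koreacentral koreasouth \
francecentral southafricanorth uaenorth"

# validate_region REGION -> status 0 when REGION is one of ALLOWED_REGIONS
validate_region() {
  for r in $ALLOWED_REGIONS; do
    [ "$r" = "$1" ] && return 0
  done
  return 1
}

# validate_ipv4 ADDR -> status 0 when ADDR is four dotted decimal octets, each 0-255
validate_ipv4() {
  echo "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# write_inventory FILE ADDR USER -> Ansible inventory pinned to that single host,
# as the post does by hand; refuses to write anything for a malformed address
write_inventory() {
  inv="$1"; addr="$2"; user="$3"
  validate_ipv4 "$addr" || { echo "refusing to write inventory: bad address '$addr'" >&2; return 1; }
  mkdir -p "$(dirname "$inv")"
  printf '[hosts]\n%s ansible_user=%s\n' "$addr" "$user" > "$inv"
}

# public_ip RG VM -> first public IP of the VM, selected with a JMESPath query
# (assumed output shape of az vm list-ip-addresses) rather than grep
public_ip() {
  az vm list-ip-addresses -g "$1" -n "$2" \
    --query '[0].virtualMachine.network.publicIpAddresses[0].ipAddress' -o tsv
}

# provision RG REGION VM -> the tutorial end to end (needs an Azure login).
# The az calls are my reconstruction of what create-simple-vm.sh does.
provision() {
  rg="$1"; region="$2"; vm="$3"
  validate_region "$region" || { echo "unknown region '$region'" >&2; return 1; }
  az group create -g "$rg" -l "$region" --output none
  az vm create -g "$rg" -n "$vm" --image UbuntuLTS --admin-username azureuser \
    --generate-ssh-keys --output none
  az vm open-port -g "$rg" -n "$vm" --port 80 --output none
  addr="$(public_ip "$rg" "$vm")"
  write_inventory "$HOME/.ansible/hosts" "$addr" azureuser || return 1
  ansible-playbook --inventory-file="$HOME/.ansible/hosts" install_node.yaml
  echo "Demo box is $addr. Throw it all away with: az group delete -g $rg"
}

# Real run only on request, e.g.: sh lift-and-shift.sh --run jgdemo eastus jgdemoserver
if [ "${1:-}" = "--run" ]; then
  provision "$2" "$3" "$4"
fi
```

Keeping the inventory to the one address returned by Azure, and validating it first, is what stops a typo or an empty query result from turning `ansible-playbook` loose on an unintended host; the same shape (validate, then act) applies to the region prompt, which the helper script otherwise accepts verbatim.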