Azure NSG security rule management like a boss with PowerShell and CSVs

Originally this blog post was posted on Lucian’s blog. Check it out, or check him out on @LucianFrango on Twitter.

* * *

Network Security Groups (NSG) are pretty good. I don’t mind them that much as for what they are, they do a good job. Designing them can be a little tricky, having to know all the nuances of working with them. When it comes to implementing them, changing them at scale… well that’s where things can be a little tiresome.…

Export Azure IaaS VM properties, including NIC IP address to CSV, #PromptPowerShell

Originally posted on Lucian.Blog. Follow Lucian on Twitter.

The other day I needed to export some data from Azure. I needed an output of all the IaaS VM instances high level configuration for a customer. Namely I needed the resource group, the hostname and the IP address of the instances to forward across for some cross reference analysis.

Now, I’ve had the unfortunate mishap of losing my PowerShell script repo during the change over / migration from my Macbook to my current Surface Pro.…

Quality of life user experience improvements to SharePoint Online through the use of 301 redirects and Azure App Service

Originally posted on Lucian.Blog. Follow Lucian on Twitter, @LucianFrango.

***

This is the third time in the last year that I’ve had to set up an HTTP 301 redirect in Azure for a customer. Doing so improves the general quality of life experience for users accessing various Microsoft 365 services, like for example specific SharePoint Online team sites, or Exchange Online OWA.

With each implementation I turned to Azure App Service to deliver the functionality needed.…

AD FS 4.0 and the curious case of claim issuance policy naming: Notes from the field [Updated]

The other day a colleague at Kloud asked for a second set of eyes to look over and help with a Relying Party Trust setup in AD FS 4 (Server 2016). I obliged and went through a bunch of questions to try and determine what this issue might be.

To cut a long story short, the following is a quick bit of guidance when it comes to the naming of Claim Issuance Policies. I’ve found over the years that this can have a detrimental impact on configuration of an RPT if not setup with certain formatting.…

Office 365 URLs and IP address updates for firewall and proxy configuration, using Flow and Azure Automation

tl;dr

To use Microsoft Office 365, an organisation must allow traffic to [and sometimes from] the respective cloud services via the internet on specific ports and protocols to various URLs and/or IP addresses, or if you meet the requirements via Azure ExpressRoute.…

Azure ExpressRoute Public and Microsoft peering changes, notes from the field

I’ve been trying to piece all this together and get a single, concise blog post that covers all bases around the changes that have happened and are going to be happening for Microsoft ExpressRoute peering. That’s been a bit of a challenge because, I hope I don’t harp on this too much, but, communication could be a bit better from the product group team. With that said, though, it’s no secret for those that use ExpressRoute, Microsoft is looking to simplify its configuration.…

Why is the Azure Load Balancer NOT working?

Context

For most workloads that I’ve deployed in Azure that have required load balancing, for the Azure Load Balancer (ALB) used in those architectures, the out of the box experience or the default configuration was used. The load balancer service is great like that, whereby for the majority of scenarios it just works out of the box. I’m sure this isn’t an Azure only experience either. The other public cloud providers have a great out of the box load balancing service that would work with just about any service without in depth configuration.…

PowerShell gotcha when connecting ASM Classic VNETs to ARM ExpressRoute

Recently I was working on an Azure ExpressRoute configuration change that required an uplift from a 1GB circuit to a 10Gb circuit. Now that’s nothing interesting, but, of note was using some PowerShell to execute a cmdlet.
A bit of a back story to set the scene here; and I promise it will be brief.
You can no longer provision Azure ExpressRoute circuits in the Classic or ASM deployment model. All ExpressRoute circuits that are provisioned now are indeed Azure Resource Manager (ARM) deployments.…

Azure ARM architecture pattern: a DMZ design with a firewall appliance

I’m in the process of putting together a new Azure design for a client. As always in Azure, the network components form the core of the design. There were a couple of key requirements that needed to be addressed that the existing environment had outgrown: lack of any layer 7 edge heightened security controls and a lack of a DMZ.

I was going through some designs that I’ve previously done and was checking the Microsoft literature on what some fresh design patterns might look like, in case anything’s changed in recent times.…

Azure ARM architecture pattern: the correct way to deploy a DMZ with NSGs

Isolating any subnet in Azure can effectively create a DMZ. Doing this correctly is certainly super easy, but it is also something that can easily be done incorrectly.
Firstly, all that is required is an NSG and associating that with any given subnet (caveat: remember that NSGs are not compatible with the GatewaySubnet). Doing this will deny most traffic to and from that subnet, mostly relating to the tag “internet”. What is easily missed is not applying a deny all rule set in both the inbound and outbound rules of the NSG itself.…