Using Visual Studio to create and deploy Azure Resource Manager templates 

Azure Resource Manager (ARM) is Microsoft’s new way of provisioning Azure infrastructure and services.  One of the many great features of ARM is that it allows us to create JSON template files which describe the Azure services (and their relationships) we wish to deploy.   These templates can then be uploaded to Azure for deployment.
Once we have created an ARM template it is very easy to deploy it across many Azure subscriptions, without the errors that deploying the services by hand can introduce.

There are many ways that ARM templates can be created, but in this blog post I want to focus on using Visual Studio. Why Visual Studio? Well, I am an IT Pro, not a programmer: I understand how to use the Azure portals and I get PowerShell and the Azure CLI, but I have never had any experience using Visual Studio and always thought it was a tool for devs. When I read that you could use Visual Studio to deploy ARM templates to Azure as well as create them, I was interested to find out more.

Now I don’t pretend to know how to use Visual Studio, and I am sure that I am only using a very small part of the software package, but what follows are the steps that I have used to create an ARM template in Visual Studio and deploy it to Azure.

First up, you can download Visual Studio here.

Once Visual Studio is installed, select File, New, Project.

Visual Studio Create New Project screen

The New Project screen will be displayed.

Select Visual C#, Cloud, Azure Resource Group.

Visual Studio New Project popup

Next, Visual Studio will display a list of pre-made Azure Resource Manager templates. To start from a blank template, scroll to the bottom of the list and select Blank Template.

Visual Studio Azure Template popup

Visual Studio will now create a new Azure Resource Manager project. On the right-hand side of the screen the Solution Explorer box shows the contents of the project. Under Scripts is the PowerShell script that Visual Studio will use to deploy the template to Azure, and in the Templates folder you will find the ARM templates. Double-click on the DeploymentTemplate.json file to open it.

Azure ARM Template

To add resources to the deployment template, right-click on the word resource (as in the screenshot below) and select ‘Add New Resource’.

Add New Resource to template

This will open the Add Resource pop-up, from which you can select the Azure resources you wish to deploy.

New Resource popup

Once you have added all the Azure resources and linked them together, you can test deploying your template to your Azure subscription. To do this, right-click on the name of your project in the Solution Explorer and select Deploy, New Deployment.

Deploy ARM Template to Azure

This will open the Deploy to Resource Group pop-up, which will prompt you to log in to your Azure subscription. Clicking ‘Edit Parameters’ brings up the Parameters dialog box, which lets you supply values for the parameters you created when you built the ARM template.

Subscription selection screen and parameters pop-up window

Clicking Deploy will deploy your ARM template to the selected resource group in your Azure Subscription.
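To see what the Edit Parameters dialog is going to ask for before you click Deploy, here is a small pre-deployment check, added here as an example rather than code from the post or from Visual Studio. It parses a constructed DeploymentTemplate.json (the storage account, parameter and variable names in it are made up for the example), lists the parameters with no defaultValue that must be supplied at deployment, flags parameters referenced in an expression but never declared, and flags parameters that look like secrets but are declared as string rather than securestring:

```python
import json
import re

# Constructed sample shaped like the DeploymentTemplate.json that Visual Studio
# scaffolds.  The storage account, parameter and variable names are made up for
# this example; "vmPrefix" is deliberately referenced but never declared.
SAMPLE_TEMPLATE = r'''{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "storageAccountType": { "type": "string", "defaultValue": "Standard_LRS" },
    "adminPassword": { "type": "string" }
  },
  "variables": {
    "vmName": "[concat(parameters('vmPrefix'), '-vm01')]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "apiVersion": "2015-06-15",
      "location": "[resourceGroup().location]",
      "properties": { "accountType": "[parameters('storageAccountType')]" }
    }
  ],
  "outputs": {}
}'''

# Top-level keys every ARM template needs.
REQUIRED_KEYS = ("$schema", "contentVersion", "resources")
# Matches parameters('name') inside a template expression.
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
# Parameter names containing these words are assumed (for this example) to hold secrets.
SECRET_HINTS = ("password", "secret", "key")


def collect_parameter_references(node, found=None):
    """Walk the parsed template and collect every parameters('x') name."""
    if found is None:
        found = set()
    if isinstance(node, dict):
        for value in node.values():
            collect_parameter_references(value, found)
    elif isinstance(node, list):
        for value in node:
            collect_parameter_references(value, found)
    elif isinstance(node, str):
        found.update(PARAM_REF.findall(node))
    return found


def check_template(template_text):
    """Return a report dict; an empty list means that check passed."""
    template = json.loads(template_text)
    declared = template.get("parameters", {})
    referenced = collect_parameter_references(template)
    return {
        # template is structurally incomplete
        "missing_keys": [k for k in REQUIRED_KEYS if k not in template],
        # used in an expression but never declared: fails at deployment time
        "undeclared": sorted(referenced - set(declared)),
        # no defaultValue, so the Edit Parameters dialog will ask for a value
        "must_supply": sorted(n for n, p in declared.items() if "defaultValue" not in p),
        # looks like a secret but is not typed securestring, so its value is
        # kept in clear in the deployment's recorded parameters
        "secret_as_string": sorted(
            n for n, p in declared.items()
            if any(h in n.lower() for h in SECRET_HINTS) and p.get("type") != "securestring"
        ),
    }


if __name__ == "__main__":
    print(json.dumps(check_template(SAMPLE_TEMPLATE), indent=2))
```

Run it as a script to print the report for the embedded sample; point `check_template` at the text of your own DeploymentTemplate.json to check a real project. The `must_supply` list is exactly the set of values the Parameters dialog will prompt for, and anything under `secret_as_string` should be changed to `securestring` in the template before the first deployment.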

One last thing to note. Visual Studio uses PowerShell to deploy the ARM template, which is all good; however, with the release of Azure PowerShell 1.0 many of the Azure commands have changed. Visual Studio creates a PowerShell deployment script that uses Azure PowerShell 0.98 commands. If you are using Azure PowerShell 1.0 or greater, you will need to update some of the commands in the deployment script that gets created. Check out the following blog post for more info.

If an error is displayed stating that Switch-AzureMode is not recognised, it is highly likely that you have Azure PowerShell 1.0 installed and will need to follow the directions in the link above to update the deployment PowerShell script with the new 1.0 Azure commands.

Azure Security Center

This week Azure Security Center went from private preview to public preview. This new Azure service is designed to provide Azure administrators with a view of security across their Azure subscriptions.

The current public preview focuses on IaaS security, in particular VNets and virtual machines. Azure Security Center comes with extensions that can be automatically installed into your Azure VMs (Windows and Ubuntu Linux, with more distros supported in the future), which give Azure Security Center great visibility into your security posture.

As well as reporting on the current security stance of the virtual machine, Azure Security Center also alerts if there are brute-force attacks against your VM or if it is communicating with known malicious IP addresses.

Azure Security Center works with VMs deployed using both Azure Service Manager (Classic VMs) and Azure Resource Manager.

To find Azure Security Center, log in to the new Azure portal at http://portal.azure.com. Using the navigation pane on the left-hand side of the portal, select Browse, then scroll down and select Security Center. (Clicking the star will add Security Center to the left-hand navigation bar.)

Once you have opened Security Center, the first thing to do is enable the collection of information. Clicking Security Policy will display your subscriptions, and for each subscription you can enable the collection of security information, choose the storage account in which Security Center should store the security logs for that subscription, and select the recommendations you wish to enable.

Enabling data collection will trigger the Security Center extension to be installed on all VMs in that subscription.

Once the extensions are installed, Security Center will show the security stance of your VMs and recommend actions to remediate security issues.

Some issues, such as missing antimalware, can be remediated from within Azure Security Center.

Security Center will have more Azure services added to it over time and will be a key tool for monitoring the security of your Azure based services and infrastructure.

Azure – DevTest Labs

One of the things about becoming an MVP is that you get notified about all sorts of interesting things coming in the world of Azure.  One new feature that caught my eye this week was Azure DevTest Labs, which is currently in preview.  Claude Remillard gave a great overview of DevTest Labs at the recent AzureCon event.

https://azure.microsoft.com/en-us/documentation/videos/azurecon-2015-introducing-azure-devtest-lab/

My interest in DevTest Labs (and the reason that I have registered for the preview) is the work the team has done to make it easy to spin up labs for testing purposes; they can be set to shut down automatically when idle! (Yay, no more wasted spend!)

There are a couple of other functions that really caught my eye:

  • Ability to set quotas for labs on machine sizes and spend, plus usage monitoring so it's easy to see if spend in the lab is on track
  • Lab User security role, which locks the user out of the rest of the Azure subscription and ensures they can only access the lab and its associated resources
  • Scheduled lab shutdown (scheduled lab startup is coming); there is no point, in my mind, in paying the running cost of machines that are not required or being used
  • Integration into the Visual Studio release pipeline so that code can easily be deployed to a lab for testing

As well as development teams, I can see this being useful for infrastructure teams. One question I get asked a lot is how we can give our staff the ability to create a couple of VMs in Azure but control the spend. Do we have to create a subscription for each of them? I see DevTest Labs as solving this and allowing a single subscription to be used. A customer can set up a lab for each staff member with a quota attached; with scheduled shutdown or shutdown on idle enabled, compute costs would be hugely minimised.

If you are interested, you can sign up for the private preview on the DevTest Labs page.

Azure AD Domain Services – A First Look

Earlier this week Microsoft announced the preview of Azure AD Domain Services (AADDS). This new functionality allows applications that are designed to run against your on-premises Active Directory to run easily in Azure, without having to put domain controllers in Azure and VPN connections back to your on-premises AD.

In simple terms, at the click of a button you can have a ‘managed’ domain controller, fully synced with your Azure AD, appear in one of your VNets. You can then domain-join your Azure servers in the same way you would your on-premises servers.

There are a number of steps that have to be undertaken to enable Azure AD Domain Services, but Microsoft have written a great blog that steps you through the process. You must complete all steps before attempting to join an Azure VM to the new AADDS domain.

A couple of points to note from my testing so far:

  • Azure AD Domain Services is not yet available in all regions. If you have all your Azure infrastructure running in the Australia regions, you will need to create a new VNet in the US, Europe or Asia regions to be able to enable Domain Services.
  • Azure AD Domain Services uses password writeback to sync passwords with Azure AD. As with AD Connect, a password reset using http://myapps.microsoft.com is generally required to generate the hashes in AD before the account can be used to authenticate against Azure AD Domain Services.
  • Any user account that you put into the AAD DC Administrators group will be added to the Administrators group on any machine you join to the AADDS domain.
  • As Azure AD Domain Services is a managed service, you cannot have Domain Administrator or Enterprise Admin privileges over the AADDS domain.
  • Currently a single user and computer Group Policy is supported, and the domain can be managed with the same tools that are used to manage on-premises AD.

Further Blog articles to come as I rebuild my Azure test environment using Azure AD Domain Services!

Have Office read your Emails and Documents back to you

First up a bit about me, I am dyslexic.

My kids know never to ask me to spell things for them (my wife regularly warns them not to). One thing with my dyslexia which I find really annoying is that I miss out words when I am typing. As good as spell checkers are, they do not know what I was wanting to say, which means they are not that good at pointing out missing words.

The other thing spell checkers are not that good at is telling you when you have a correctly spelt word but it’s the wrong word. Usually for me that means I have spelt it so badly that it’s something completely different!

When I was at school I was taught to leave a document for 30 min and then proof-read it. Waiting means the brain is less likely to fill in the missing words and I am more likely to pick up mistakes.

I now have a new tool to add to my kit bag thanks to @nzregs from Microsoft!!

Use the Speak function in Microsoft Word and Outlook to read back what I have typed.

I have been trying it this week and I have been super impressed with the results. It seems that while my brain adds missing words when I read documents, listening to Office read back my email or document allows me to pick up almost all of the missing and incorrectly used words.

To add the Speak icon to the Quick Access toolbar, click on Customise.

Select ‘More commands’ and change the drop-down to ‘commands not in ribbon’.

Simply highlight the text you want Office to read back and click on the speak icon.

HP Envy Ultrabook – Windows 10 Audio Fixed

I have been running Windows 10 on my HP Envy Ultrabook for the last 7 months and have always had choppy and very poor audio that stuttered and cut in and out. Interestingly, when using VLC the audio was fine, but when using IE, Edge, Groove or the Films & Movies apps the audio was so bad that the applications were not usable for audio.

This evening I hit upon a fix for my poor audio problem: changing the default sample rate in the Advanced tab of the audio output device from 16 bit, 44100 Hz to 24 bit, 192000 Hz. Once I made this change YouTube videos started playing correctly, Groove Music was perfect and my Xbox Minecraft game even stopped crashing when loading!

To get to the default sample rate setting, right-click on the speaker icon in the notification area, select Playback devices, right-click the playback device and select Properties, click the Advanced tab and increase the sample rate.

Now to see if tweaking my microphone settings will allow Cortana to hear me more clearly!

Azure AD Password Sync and Writeback – Security and Encryption 

People are often concerned about the risk of turning on Password Sync and Password Writeback between on-premises AD and Azure AD. This post describes the password sync and password writeback processes and the encryption methods used to secure the password data in transit and at rest.

1) Password Sync to Azure AD

The password sync agent (part of the Azure AD Connect tool) running on the on-premises Azure AD Connect server makes an RPC call to its closest on-premises DC and, via the DC replication protocol, requests the user's password hash. The DC encrypts the password hash for transport over the wire using a key derived with MD5 from the RPC session key and a random 128-bit salt. The DC then sends the encrypted password hash plus the salt to the password sync agent over the RPC session. Note that this is the same way domain controllers replicate password hashes between themselves.

The password sync agent then decrypts the encrypted password hash using the salt and RPC session key, and immediately re-hashes it into a SHA256 hashed password hash using the PBKDF2 key derivation algorithm defined in RFC 2898.

The password sync agent then passes the hashed password hash over an SSL-encrypted session to Azure AD. Azure AD encrypts the hashed password hash using AES and stores it in its database.
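To make the re-hashing step concrete, here is a small Python example, added here and not code from the post or from Azure AD Connect. It takes a constructed 16-byte value standing in for an NT password hash (not derived from any real password), derives a salted SHA256 hashed password hash with RFC 2898 PBKDF2 using HMAC-SHA256, and shows how a record of that form is checked in constant time; the check is part of the example, as the post does not describe Azure AD's sign-in path. The iteration count, salt length and record layout are assumptions for the example, since the post does not state the values the real agent uses, and the AES encryption at rest is left out.

```python
import hashlib
import hmac
import secrets

# Constructed 16-byte value standing in for a user's NT password hash.  It is
# not derived from any real password; the real agent receives the hash from the
# DC over the replication RPC the post describes.
SAMPLE_PASSWORD_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")

# Assumed parameters for this example; the post does not state the values the
# real sync agent uses.
PBKDF2_ITERATIONS = 1000
SALT_LENGTH = 16
DERIVED_LENGTH = 32  # bytes, i.e. one SHA256 output


def rehash_password_hash(password_hash, salt, iterations=PBKDF2_ITERATIONS):
    """Derive the 'hashed password hash' with RFC 2898 PBKDF2 (HMAC-SHA256 PRF).

    The input is the password *hash*, never the cleartext password, so the
    agent never sees the cleartext and it cannot be recovered from the output.
    """
    return hashlib.pbkdf2_hmac("sha256", password_hash, salt, iterations, dklen=DERIVED_LENGTH)


def protect_for_sync(password_hash):
    """Build the record the agent would hand to Azure AD: fresh salt + derived value."""
    salt = secrets.token_bytes(SALT_LENGTH)
    return {
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hashed_password_hash": rehash_password_hash(password_hash, salt).hex(),
    }


def verify_against_stored(candidate_hash, record):
    """Re-derive from a candidate password hash and compare in constant time."""
    derived = rehash_password_hash(
        candidate_hash, bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["hashed_password_hash"]))


if __name__ == "__main__":
    record = protect_for_sync(SAMPLE_PASSWORD_HASH)
    print("record sent to Azure AD:", record)
    # The stored value is a salted derivation, not the NT hash itself, so on its
    # own it is not usable for authenticating against the on-premises domain.
    print("stored value equals NT hash:", record["hashed_password_hash"] == SAMPLE_PASSWORD_HASH.hex())
    print("verifies with right hash:", verify_against_stored(SAMPLE_PASSWORD_HASH, record))
    print("verifies with wrong hash:", verify_against_stored(bytes.fromhex("ff" * 16), record))
```

The point the example makes is the one the post relies on: what leaves the Azure AD Connect server is a per-user salted PBKDF2 derivation of the hash, so the value Azure AD stores is neither the password nor the NT hash, and each record has to be attacked separately at the cost of the full iteration count.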

2) Password Writeback

When password writeback is enabled, Azure AD Connect creates a tenant-specific Service Bus relay, protects it with a strong password and attaches to the relay using TLS encryption. Azure AD Connect also creates a public/private key pair. The public key is placed in the tenant’s secret store in Azure AD and the private key stays on the on-premises Azure AD Connect server.

When a password is reset in Azure AD, Azure AD encrypts the new password using the public key uploaded by Azure AD Connect and places the encrypted password on the Service Bus relay. Azure AD Connect picks up the encrypted password from the relay and decrypts it on the on-premises Azure AD Connect server, which then attempts to reset the user’s password using the Active Directory DS SetPassword API. If the password reset against the on-premises AD succeeds, the user is notified of the success and the resultant hashed password hash is encrypted using AES and then stored in Azure AD.

If Azure AD Connect is not successful in writing the password back to the on-premises AD (for instance because the new password fails the domain's complexity requirements), or the Azure AD Connect server is down, Azure AD will not be updated and the user attempting the password reset will be notified that the reset has not succeeded.

For further reading check out the following blogs and presentations:

http://blogs.technet.com/b/ad/archive/2014/06/28/aad-password-sync-encryption-and-and-fips-compliance.aspx

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B301

https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx