Azure Network Security Groups (NSG) to Restrict Management Access

For security reasons it is good practice to lock down access to Azure resources and not leave management ports open to the internet.

One way to restrict access to remote management protocols like RDP / SSH is to create a Network Security Group (NSG) and apply it to either virtual machine NICs or virtual network subnets.

To create an NSG:

Log on to the Azure portal: https://portal.azure.com

Once logged on go to All Services > Network security groups

If you have created VMs or other resources there might already be some pre-existing NSGs.

To create a new NSG click on Add.

Give the NSG a name and assign a subscription, resource group and location.

Once the deployment has completed, click on the NSG; this will bring up the configuration page.

The first part is to configure the inbound security rules.

Go to settings > Inbound security rules

Once in Inbound security rules, click Add to add a rule.

I want to restrict RDP access to a specific public IP. Set the source to IP Addresses and add the IP that will be allowed; this can be a full range or a single IP depending on the prefix length. I am only going to add one address so I used /32; below is an example, 10.10.10.92/32.

I left the source port ranges and destination as default as I don't want to restrict these. Choose the required port, in this case 3389. Set the protocol to Any if you require both TCP and UDP; I only need TCP. Set the action to Allow, set the priority value, and the last step is to give the rule a name and description.

Below is the updated rule; I have masked out my public IP.

The outbound rules allow any/any by default, so if there is a requirement to lock down certain ports, create a new rule here to block them.

The last step, once all rules have been configured, is to apply the NSG to resources. I am going to apply it to both my subnet and the NICs assigned to both my test VMs.

The NSG should only need to be applied to either the subnet or the VMs; I just want to show how to apply it to both. If you apply an NSG to both the VM NIC and the subnet, the rules need to match, or any port that is not allowed on both won't work.

To assign to a subnet: go to Settings > Subnets

Select the virtual network and subnet.

To apply to each VM NIC: go to Settings > Network interfaces

As I already had NSGs associated from the VM deployments, I need to re-associate the NICs to the new NSG.

Select the NSG currently attached to the VM you want to move and go to Network interfaces.

Choose the required NSG.


Once applied I can now only access the VMs from my own network.
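The same restriction done with Azure PowerShell, added here as an example rather than the post's own steps: one rule allowing RDP only from the trusted address, the NSG attached to both the subnet and the NICs, and a check for rules that still expose management ports to any source. It uses the AzureRM cmdlets the runbook post below relies on (the Az module names drop the Rm); resource group, VNet, subnet and NIC names are assumed, and the trusted address is the post's example.

```powershell
# Assumed lab names; substitute your own.
$rg         = "Lab-RG"
$location   = "uksouth"
$vnetName   = "Lab-VNet"
$subnetName = "Servers"
$nicNames   = @("labvm1-nic", "labvm2-nic")
$trustedIp  = "10.10.10.92/32"   # one address, hence /32 (the post's example)

# Inbound rule: RDP (TCP 3389) only from the trusted address. Everything else
# inbound still hits the built-in DenyAllInBound rule at priority 65500.
$rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-RDP-TrustedIP" `
    -Description "RDP from a single trusted public IP" `
    -Direction Inbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix $trustedIp -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389

$nsg = New-AzureRmNetworkSecurityGroup -Name "Lab-NSG" -ResourceGroupName $rg `
    -Location $location -SecurityRules $rdpRule

# Associate with the subnet...
$vnet   = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzureRmVirtualNetwork | Out-Null

# ...and with each NIC. Subnet and NIC NSGs are both evaluated, so a port has
# to be allowed at both levels; reusing one NSG avoids a mismatch.
foreach ($nicName in $nicNames) {
    $nic = Get-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rg
    $nic.NetworkSecurityGroup = $nsg
    $nic | Set-AzureRmNetworkInterface | Out-Null
}

# Check: report any custom inbound rule in the subscription that still allows
# a management port from anywhere. Exact port values only; ranges are skipped.
$mgmtPorts = @("22", "3389", "5985", "5986")
Get-AzureRmNetworkSecurityGroup | ForEach-Object {
    $nsgName = $_.Name
    $_.SecurityRules | Where-Object {
        $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
        ($_.SourceAddressPrefix -contains "*" -or $_.SourceAddressPrefix -contains "Internet") -and
        (@($_.DestinationPortRange | Where-Object { $_ -eq "*" -or $_ -in $mgmtPorts })).Count -gt 0
    } | ForEach-Object { "$nsgName/$($_.Name) exposes $($_.DestinationPortRange -join ',')" }
}
```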


Azure VM Backup using Azure Recovery Service Vault

In this post I am going to go through setting up a weekly backup for VMs using an Azure Recovery Services vault.

Recovery Services vaults protect:

  • Azure Resource Manager-deployed VMs
  • Classic VMs
  • Standard storage VMs
  • Premium storage VMs
  • VMs running on Managed Disks
  • VMs encrypted using Azure Disk Encryption
  • Application consistent backup of Windows VMs using VSS and Linux VMs using custom pre-snapshot and post-snapshot scripts

To back up a single VM we can click on the VM, go to Backup and configure the Recovery Services vault there. I want to add all my servers at one time, so I will create the Recovery Services vault first.

Log on to the Azure portal: https://portal.azure.com

Once logged on go to All Services > Recovery Services vaults

Once in Recovery Services vaults click Create.

Give the Recovery Vault a Name, assign a subscription, resource group and location.


Once the deployment has finished, click on the newly created vault.

First I am going to set the backup configuration to locally-redundant, as this is just for my lab VMs and it will save on cost.

Go to Manage > Backup Infrastructure and set the storage replication type to Locally-redundant.

I am going to create a custom policy as I only want to back up my test VMs once a week. Go to Manage > Backup policies and click Add.

Once in the new backup policy, configure the settings as required. I have set the frequency to every Sunday at 22:00 and the retention to 4 weekly backups. Click Create once all settings are configured.

The policy should now be available to assign to backup jobs. The next step is to set up the backup: go to Getting started > Backup.

Select where the workload is running (Azure or on-premises); I only want to back up my Azure lab VMs so I selected Azure. Next select the backup type:

  • VM
  • Azure File Share (in preview at the time of the post)
  • SQL server in Azure VM (in preview at the time of the post)

Select the backup policy; I am using the policy created above.

Next select the VMs that will be backed up.

Click Enable backup to finish the configuration.

I will kick off a manual backup job to get an initial backup.

Click on Backup items > Azure Virtual Machine > Backup now.

To view backup jobs go to Monitoring > Backup jobs.

Once the backup is complete, the options to run a VM restore or file level recovery become available.
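The vault, locally-redundant storage, the Sunday 22:00 weekly policy with four weeks' retention, VM enrolment and the initial backup as an added PowerShell example, not the post's own steps. Cmdlet and property names are those of the AzureRM.RecoveryServices.Backup module of the period (Az equivalents drop the Rm); the resource group, vault and VM names are assumed.

```powershell
# Assumed lab names; substitute your own.
$rg        = "Lab-RG"
$location  = "uksouth"
$vaultName = "Lab-RSV"
$vmNames   = @("labvm1", "labvm2")

# 1. Create the vault and make it the target of the backup cmdlets.
$vault = New-AzureRmRecoveryServicesVault -Name $vaultName -ResourceGroupName $rg -Location $location
Set-AzureRmRecoveryServicesVaultContext -Vault $vault

# 2. Locally-redundant storage: three copies in one region, so a regional
#    outage loses the backups too. Cheap for a lab; production keeps GeoRedundant.
Set-AzureRmRecoveryServicesBackupProperties -Vault $vault -BackupStorageRedundancy LocallyRedundant

# 3. Schedule: weekly, Sunday 22:00 (policy times are stored in UTC).
$runTime  = (Get-Date -Hour 22 -Minute 0 -Second 0 -Millisecond 0).ToUniversalTime()
$schedule = Get-AzureRmRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
$schedule.ScheduleRunFrequency = "Weekly"
$schedule.ScheduleRunDays      = @([DayOfWeek]::Sunday)
$schedule.ScheduleRunTimes.Clear()
$schedule.ScheduleRunTimes.Add($runTime)

# 4. Retention: four weekly recovery points. A weekly schedule cannot carry a
#    daily retention rule, so the daily rule is switched off explicitly.
$retention = Get-AzureRmRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$retention.IsDailyScheduleEnabled   = $false
$retention.IsWeeklyScheduleEnabled  = $true
$retention.IsMonthlyScheduleEnabled = $false
$retention.IsYearlyScheduleEnabled  = $false
$retention.WeeklySchedule.DaysOfTheWeek        = @([DayOfWeek]::Sunday)
$retention.WeeklySchedule.DurationCountInWeeks = 4
$retention.WeeklySchedule.RetentionTimes       = $schedule.ScheduleRunTimes

$policy = New-AzureRmRecoveryServicesBackupProtectionPolicy -Name "Weekly-Sun-22h-4w" `
    -WorkloadType AzureVM -SchedulePolicy $schedule -RetentionPolicy $retention

# 5. Enrol each VM and take the first backup now, so a recovery point exists
#    before the first scheduled Sunday run instead of up to a week later.
foreach ($vmName in $vmNames) {
    Enable-AzureRmRecoveryServicesBackupProtection -Policy $policy -Name $vmName -ResourceGroupName $rg | Out-Null
    $container = Get-AzureRmRecoveryServicesBackupContainer -ContainerType AzureVM -Status Registered -FriendlyName $vmName
    $item = Get-AzureRmRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM
    Backup-AzureRmRecoveryServicesBackupItem -Item $item | Out-Null
}

# Same view as the portal's Monitoring > Backup jobs.
Get-AzureRmRecoveryServicesBackupJob -Status InProgress
```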

Azure Automation “Run Login-AzureAccount to login”

When I was creating my Azure Automation account and tried to run a runbook that needed to log on to Azure to start my VMs, I was getting an error:

Run Login-AzureAccount to login.

After looking on TechNet there were a few different recommendations, but none worked.

In the end I decided to try updating the Azure modules. This fixed the issue.

Below is how to update the modules.

Go to Automation Accounts > select account > Modules


There will be a prompt to update all Azure modules; click Yes to continue.

To view the progress, click on the update job.

Click on All logs or Output to view what is currently running.

Once completed, the job will show as finished.

After this I was successfully able to run my runbooks.

Azure Automation PowerShell Runbook

In this post I am going to go through setting up an Azure Automation account and creating a PowerShell runbook.

Azure Automation allows for process automation, configuration management, update management and PowerShell script execution against both Azure and Office 365. I like using Azure Automation as it allows me to store credentials in Azure for running tasks instead of having them embedded in my script, which is less secure.

I am going to set up a runbook to power my lab servers on and off so that they only run during the day.

To start using Azure Automation

Go to All services > Automation Accounts

Once in Automation Accounts we need to create a new account.

Give the Automation account a name, and assign it to a subscription, resource group and location. Leave "Create Azure Run As account" set to Yes and click Create.


Once the task has completed the Automation account will show in the list.

The next step is to create a runbook to run the PowerShell commands. Click on the Automation account, go to Process Automation and click on Runbooks.

Once in Runbooks there will be some pre-configured runbooks that can be used as references.

To create a new runbook click Add a runbook.

Once in the new runbook give it a name and select the runbook type, in this case PowerShell. Then click Create.

Click on Edit to modify the PowerShell script.

The connection commands are generic and are copied from the AzureAutomationTutorialScript runbook.

$connectionName = "AzureRunAsConnection"
try
{
    # Get the Run As connection "AzureRunAsConnection" stored in the Automation account
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    # Authenticate as the Run As service principal using its certificate;
    # no password is held in the runbook itself
    Add-AzureRmAccount -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

I have added the command I want to run at the bottom. Once finished, the runbook needs to be saved and published. 
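The start/stop logic the post appends below the login block, written out as an added example rather than the post's own script. It is driven by a runbook parameter so one runbook serves both the morning and evening schedules, and it only touches VMs carrying an assumed `Schedule=LabHours` tag; the resource group name is also assumed.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Start", "Stop")]
    [string] $Action,

    # Resource group holding the lab VMs (assumed name for this example).
    [string] $ResourceGroupName = "Lab-RG",

    # Only VMs carrying this tag are touched, so a VM that merely shares the
    # resource group cannot be stopped by accident.
    [string] $TagName  = "Schedule",
    [string] $TagValue = "LabHours"
)

# The Run As login block copied from AzureAutomationTutorialScript goes here,
# unchanged. The rest of the runbook assumes it succeeded (it throws if not).

$vms = @(Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Status |
    Where-Object { $_.Tags -and $_.Tags[$TagName] -eq $TagValue })

if ($vms.Count -eq 0) {
    Write-Output "No VMs tagged $TagName=$TagValue in $ResourceGroupName; nothing to do."
    return
}

foreach ($vm in $vms) {
    # -Status populates PowerState as "VM running", "VM deallocated", ...
    $state = ($vm.PowerState -split ' ')[-1]

    if ($Action -eq "Start") {
        if ($state -eq "running") {
            Write-Output "$($vm.Name): already running"
        } else {
            Write-Output "$($vm.Name): starting"
            Start-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $vm.Name | Out-Null
        }
    } else {
        if ($state -eq "deallocated") {
            Write-Output "$($vm.Name): already deallocated"
        } else {
            # Stop-AzureRmVM deallocates (so compute stops billing); -Force skips
            # the confirmation prompt, which an unattended job cannot answer.
            Write-Output "$($vm.Name): deallocating"
            Stop-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Force | Out-Null
        }
    }
}
```

The param block must stay the first statement of the runbook, above the login code. Create two schedules, one passing -Action Start for the morning and one passing -Action Stop for the evening.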


To test whether the script works as expected there is a Test pane icon.

Once in the test pane click Start and the script will be executed; the output of the command will be returned to the console.

Once the runbook is saved and published, the Start icon will become available so the runbook can be executed.

The last step is to schedule when the runbook will execute: click Schedule.

Add a name, description, start time/date and time zone, and whether the task is a one-off or recurring.

Once the schedule has been created it will show under Schedules.

Azure VM deployment

In this post I am going to go through setting up an Azure resource group and VNet and deploying a basic VM. There are many different VM sizes that can be deployed.

Below are the current VM types, their sizes and a description of each:

  • General purpose (B, Dsv3, Dv3, DSv2, Dv2, Av2, DC): balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.
  • Compute optimized (Fsv2, Fs, F): high CPU-to-memory ratio. Good for medium traffic web servers, network appliances, batch processes, and application servers.
  • Memory optimized (Esv3, Ev3, M, GS, G, DSv2, Dv2): high memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics.
  • Storage optimized (Ls): high disk throughput and IO. Ideal for Big Data, SQL, and NoSQL databases.
  • GPU (NV, NVv2, NC, NCv2, NCv3, ND): specialized virtual machines targeted for heavy graphic rendering and video editing, as well as model training and inferencing (ND) with deep learning. Available with single or multiple GPUs.
  • High performance compute (H): the fastest and most powerful CPU virtual machines, with optional high-throughput network interfaces (RDMA).

The first step for deploying a VM is to create a resource group. A resource group is basically a container that holds Azure objects like VNets, VMs and any other Azure services added to it. An RG can be created while deploying a VM, but I prefer to create them beforehand.

Log on to the Azure portal. If the Resource groups tab is not showing, go to All services > Resource groups.

Once on resource groups click on Add


Give the resource group a name, select a subscription and set the location.

The resource group should only take a few seconds to create. Once created you should get an alert.


Now that there is a resource group, we can move to the next step, which is to create a new VNet: All services > Virtual networks.

Once in Virtual networks go to Create virtual network. Give the network a name and IP address space/subnet mask, select a subscription and location, add it to a resource group and set the subnet IP range that will be available for use.


Once completed the new VNet will show under Virtual networks.

The final step is to start creating VMs: go to All services > Virtual machines.

Click on create new Virtual machine

Set the subscription that will be used, the resource group, VM name and image. We can also set availability options for high availability and resilience.

Select the VM size, user name and allowed inbound ports. Ports allowed here are open to any source, so see the NSG post above for restricting them to a trusted address.

The next page allows you to change the disks used for the VM (Premium SSD, Standard SSD or Standard HDD). If the disk type is changed this may reset the VM size, so I would usually leave this as is unless there is a specific reason to change it.

The next step is to select the VNet / subnet that will be used for the VM.

There is an auto-shutdown feature in Azure. I like to use this on my lab as it saves credit; as this is only a lab server, I want the VM to shut down at 12AM. I can start the VM up again when I want to do any further testing.

I won't add any guest config or tags, so the last step is to review and validate the VM.

The VM should now deploy. It will take a while; once completed the VM will show under Virtual machines.

If we check the resource group, we can now see all the objects it contains.

SCCM 1806 Software Center Customisation

Since SCCM 1710 there has been a device setting to allow customisation of Software Center; 1806 added a further customisation to add a custom web page as an additional tab. As above, you need to be at 1710 or above to have these customisation options.

By default Software Center uses the basic colour scheme and appearance.

To start I usually create a new policy to test before pushing out to all users.

  • Open SCCM console
  • Go to Administration > Client settings

Right click and create a new policy (I called mine Custom Software Center).

Tick the Software Center check box in the policy.

Under Device settings, set "Select these new settings to specify company information" to Yes.

Then go to Customize. Edit the company name, set the colour scheme and add a company picture. The logo image file needs to be a maximum of 400×100 pixels and 750 KB.

Here are the updated settings.

To add a custom tab with a URL to a support site or blog post, go to Tabs and tick "Specify a custom tab for Software Center". (This is only available if SCCM is 1806 or above.)

  • Add a custom tab name
  • Add a URL


Once finished editing the policy, it needs to be deployed to the required collection. Right click on the custom policy and go to Deploy.

Then select the device collection to deploy to.

Once the policy is deployed, go to a device in the collection to update the machine policy: Control Panel > Configuration Manager > Actions > Machine Policy Retrieval & Evaluation Cycle and click Run Now.

Once the policy is updated, Software Center should show the new colour scheme, company logo and custom URL tab.