Thursday, January 17, 2019

RBAC-Custom Roles In Azure



Windows Azure Storage is a cloud storage service that is highly durable, available, and scalable. Once your data is stored in Azure Storage, you can access it at any time and from anywhere. It provides four abstractions (services): Blob storage, Table storage, Queue storage, and File storage. Each has a different role to play; you can get more information here…


If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes. Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. 


Exercise 1: Create Custom RBAC Role

The main tasks for this exercise are as follows:
1. Download the closest built-in role that performs this task
2. Open the file Role.json from the given location and make the updates below
3. Create the custom role from the updated file

 

Task 1: Download the closest built-in role that performs this task


Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-Json | Out-File "C:\Users\utkar\OneDrive\Desktop\Role.json"

Task 2: Open the file Role.json from the given location and make the updates below


1. As this will become a custom RBAC role, remove the Id and IsCustom properties.
2. Change the name and description in the file:
   a. "Name": "Virtual Machine Operator",
   b. "Description": "Allows user to monitor virtual machines, and restart them.",
3. Replace the entire Actions section with the content below:
"Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Support/*",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
],

Note: to list the operations available for a resource provider (here, virtual machines), run:
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Compute/VirtualMachines/*" | Format-Table Operation

Task 3: Create the custom role from the updated file

New-AzureRmRoleDefinition -InputFile "C:\Users\utkar\OneDrive\Desktop\Role.json"
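The three tasks above can also be done without hand-editing Role.json. The following is an added example, not code from the original post: it takes the built-in role as an object, applies the same changes (drop the Id, mark it custom, rename it, replace the Actions list) and creates the role with New-AzureRmRoleDefinition -Role. It assumes the AzureRM module and a signed-in session; it also sets AssignableScopes to the current subscription, which is an assumption here, because a custom role cannot keep the root scope ("/") that the built-in role carries.

```powershell
# Added example: build the "Virtual Machine Operator" custom role from the
# "Virtual Machine Contributor" built-in role without editing the JSON by hand.
# Assumes: AzureRM module, Connect-AzureRmAccount already done.

$subscriptionId = (Get-AzureRmContext).Subscription.Id

# Task 1 equivalent: start from the closest built-in role.
$role = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"

# Task 2 equivalents: the built-in Id must go, the role is marked custom,
# and it gets the new name and description from the post.
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = "Virtual Machine Operator"
$role.Description = "Allows user to monitor virtual machines, and restart them."

# Replace the Actions list with the reduced, read-mostly set from the post.
$role.Actions.Clear()
@(
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Support/*",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
) | ForEach-Object { $role.Actions.Add($_) }

# Assumption added here: a custom role cannot be assignable at the root scope ("/"),
# which is what the built-in role carries, so restrict it to this subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# Task 3 equivalent: create the role from the object instead of from a file.
New-AzureRmRoleDefinition -Role $role

# Check: read the role back and list every action that is not a plain read,
# so the privilege granted beyond monitoring is visible at a glance.
$created = Get-AzureRmRoleDefinition -Name "Virtual Machine Operator"
$created.Actions |
    Where-Object { $_ -notmatch '/read$' } |
    ForEach-Object { Write-Output "Non-read action granted: $_" }
```

The final check is the part worth keeping in a real pipeline: a custom role is only as safe as its wildcard entries, and printing the non-read actions (here the start/restart actions and the Insights and Support wildcards) makes an accidental write or delete permission easy to spot before the role is assigned.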




Exercise 3: Create a User and assign the RBAC Role to that user


Task 1: Create a user in the default Azure Active Directory.


1. In the navigation pane on the left side of the Azure Portal, click All services.
2. In the All services blade that displays, click Azure Active Directory.
3. In the Azure Active Directory blade that displays, click All users.
4. At the top of the All users blade, click the New user button.
5. Fill in the details and click Create.
6. Copy the user name and password; you will be prompted to change this password on your first login.

Task 2: Assign the custom role created earlier to this new user.


1. In the navigation pane on the left side of the Azure Portal, click All services.
2. In the All services blade that displays, click Subscriptions.
3. Select the subscription to which you want to assign this role.
4. In the Subscription blade that displays, click Access control (IAM).
5. Click Add and select Role assignment.
6. Fill in the details below:
   o Role: Compute Operator
   o Assign access to: Azure AD user, group, or service principal
   o Select: Computer operator
7. Click Save.
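The same two tasks in PowerShell, as an added example that is not part of the original post: it creates the user with a generated temporary password that must be changed at first sign-in, assigns the role at subscription scope, and then reads the assignments back. It assumes the AzureRM module, a session signed in with rights to create users and role assignments, and that the role name matches the custom role created in Exercise 1 (the post's JSON names it "Virtual Machine Operator"); the tenant domain, user name and display name are placeholders.

```powershell
# Added example: create the user (Task 1) and assign the custom role (Task 2).
# Assumes: AzureRM module, signed-in session with User Administrator and
# role-assignment rights. Names below are placeholders.

$tenantDomain = "contoso.onmicrosoft.com"    # placeholder: your tenant
$upn          = "vmoperator@$tenantDomain"   # placeholder sign-in name
$roleName     = "Virtual Machine Operator"   # must match the Exercise 1 role
$scope        = "/subscriptions/$((Get-AzureRmContext).Subscription.Id)"

# Generate a throw-away initial password instead of hard-coding one; the user is
# forced to change it at first sign-in, matching step 6 of Task 1.
$tempPassword = ConvertTo-SecureString -AsPlainText -Force `
    -String ([guid]::NewGuid().ToString("N") + "!Aa1")

$user = New-AzureRmADUser -DisplayName "VM Operator" `
    -UserPrincipalName $upn `
    -MailNickname "vmoperator" `
    -Password $tempPassword `
    -ForceChangePasswordNextLogin

# Task 2 equivalent: assign the custom role to the user at subscription scope.
New-AzureRmRoleAssignment -ObjectId $user.Id -RoleDefinitionName $roleName -Scope $scope

# Check: list what this user holds at the subscription and warn if a broad
# built-in role has also been granted, which would defeat the custom role.
$assignments = Get-AzureRmRoleAssignment -ObjectId $user.Id -Scope $scope
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table

$broad = @("Owner", "Contributor")
foreach ($a in $assignments) {
    if ($broad -contains $a.RoleDefinitionName) {
        Write-Warning "$upn holds $($a.RoleDefinitionName) at $($a.Scope); review before continuing."
    }
}
```

Assigning at subscription scope mirrors the portal steps above; if the operator only needs to start and restart machines in one resource group, pass that resource group's id as -Scope instead, since the custom role's AssignableScopes already permits any scope beneath the subscription.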





Friday, October 19, 2018

Azure Storage - Detailed Specification



Storage Life-Cycle Management


Compared with the early days of Azure Storage, Microsoft has brought some degree of parity with its competition with respect to blob object storage. To address the earlier lack of options for classifying the importance of data together with how accessible it needs to be, Azure Storage accounts now offer multiple access tiers.

These tiers are supported for all Azure Storage Account types.

Hot: Hot storage has higher storage costs than cool and archive storage, but the lowest access costs.

Cool: The cool storage tier has lower storage costs and higher access costs compared to hot storage. This tier is intended for data that will remain in the cool tier for at least 30 days.

Archive: Archive storage has the lowest storage cost and higher data retrieval costs compared to hot and cool storage. This tier is intended for data that can tolerate several hours of retrieval latency and will remain in the archive tier for at least 180 days.

A default Hot or Cool tier is set for each storage account. This default is applied when a new blob is created, but it can be changed. Blobs can also be moved into the Archive tier. Moving blobs between tiers can be done manually or by using Storage Lifecycle Management, which will not be used in this phase.
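The manual path described above (set the account default, move an individual blob to Archive) looks like this in PowerShell. This is an added example, not code from the original post; it assumes the AzureRM and Azure.Storage modules, a signed-in session, and a general-purpose v2 (StorageV2) or BlobStorage account, because those are the account kinds that support access tiers. Resource group, account, container and blob names are placeholders.

```powershell
# Added example: account default tier plus a per-blob move to Archive.
# Assumes: AzureRM + Azure.Storage modules, signed-in session, StorageV2 account.

$rg        = "rg-storage-demo"      # placeholder
$account   = "stdemo01"             # placeholder
$container = "logs"                 # placeholder
$blobName  = "2018-09-archive.log"  # placeholder

# Account-level default tier: Hot or Cool only. It applies to new blobs that do
# not set an explicit tier of their own.
Set-AzureRmStorageAccount -ResourceGroupName $rg -Name $account -AccessTier Cool

# Archive is a blob-level tier, so it is set on the blob, not on the account.
$ctx  = (Get-AzureRmStorageAccount -ResourceGroupName $rg -Name $account).Context
$blob = Get-AzureStorageBlob -Container $container -Blob $blobName -Context $ctx
$blob.ICloudBlob.SetStandardBlobTier([Microsoft.WindowsAzure.Storage.Blob.StandardBlobTier]::Archive)

# Check: an archived blob cannot be read until it is rehydrated (hours of latency),
# so confirm the tier actually changed before any retention process relies on it.
$blob.ICloudBlob.FetchAttributes()
$tier = $blob.ICloudBlob.Properties.StandardBlobTier
if ($tier -ne "Archive") {
    Write-Warning "$blobName is in tier '$tier', not Archive; check the account kind and permissions."
} else {
    Write-Output "$blobName is now in the Archive tier; allow for retrieval latency before reading it."
}
```

The check matters because the 180-day minimum for Archive is billed as an early-deletion charge if the blob is moved or deleted sooner, so a tier change should be deliberate and verified rather than assumed.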


Saturday, July 28, 2018

Azure-Tips & Tricks We Should Know


Tip #01- Enablement Of Ping On Windows VM

Ping is widely used to check connectivity from one VM to another. It uses the Internet Control Message Protocol (ICMP), which the Windows Firewall blocks by default. You can allow ICMP through the Windows Firewall so that you can ping the second server. Below is the PowerShell command to achieve the same:

New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4

Tip #02- Deny All To Internet 

Most of the time you might hear architects designing their security layers by denying all traffic to the Internet (in Azure, through an NSG). Though this will protect your network from data leakage or malware, at times it can lead to frustration and can break things that are supposed to function smoothly. Sometimes your VMs do need access to Azure IP addresses (services like Azure Storage, Azure SQL Database, etc.). As these IPs also fall under the Internet tag, when you block the Internet you are unknowingly blocking access to these services as well. There is a very good solution for this scenario by Microsoft's Keith Mayer; you can refer to his article for a more comprehensive approach.
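One way to keep the deny-all-to-Internet posture without breaking access to Azure services is to place explicit allow rules for NSG service tags above the deny rule. The following is an added example, not code from the original post or from the article it references: it uses the Storage and Sql service tags rather than maintaining Azure IP ranges by hand, which is an approach assumed here. It assumes the AzureRM module, a signed-in session, and an existing resource group; names and the region are placeholders.

```powershell
# Added example: outbound NSG that denies Internet egress but allows Azure Storage
# and Azure SQL Database via service tags. Assumes: AzureRM module, signed-in session.

$rg       = "rg-net-demo"          # placeholder
$location = "westeurope"           # placeholder
$nsgName  = "nsg-deny-internet"    # placeholder

# Allow outbound to the Azure services the workload needs, on the ports they use.
# Lower priority numbers are evaluated first, so these must sit below 4000.
$allowStorage = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-Storage-Out" `
    -Description "Azure Storage over HTTPS" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Storage -DestinationPortRange 443

$allowSql = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-Sql-Out" `
    -Description "Azure SQL Database" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 110 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Sql -DestinationPortRange 1433

# Everything else bound for the Internet tag is denied. Intra-VNet traffic is
# untouched because it never matches the Internet tag.
$denyInternet = New-AzureRmNetworkSecurityRuleConfig -Name "Deny-Internet-Out" `
    -Description "Block all other Internet egress" `
    -Access Deny -Protocol * -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange *

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name $nsgName -SecurityRules $allowStorage, $allowSql, $denyInternet

# Check: print the effective ordering so it is obvious the allows sit above the deny.
$nsg.SecurityRules |
    Sort-Object Priority |
    Select-Object Priority, Name, Access, DestinationAddressPrefix, DestinationPortRange |
    Format-Table
```

Port 1433 covers the Azure SQL Database proxy connection policy; if the server uses the redirect policy, the client also needs outbound 11000-11999 to the Sql tag, which is a second rule of the same shape rather than a wider deny exception.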

Tip #03- Storage Account Key Rotation

Creating any storage account automatically generates a pair of shared keys, and these shared access keys have proven to be a commonly used option for accessing the storage account. VNET integration with a storage account allows access via VNET service endpoints, but that option has a limited operating radius, at times confined to the IaaS space only. When an Azure Storage account is accessible over the Internet (PaaS), it will use the shared access key for access.

If an individual who possesses these keys leaves the organization, the keys can be left vulnerable and exposed. To mitigate this, Azure best practice warrants adopting a robust key rotation policy, which means rotating the keys periodically.

Shared access keys come in a pair. For an enterprise-grade key rotation solution, integrate the rotation policy with Azure Automation, Log Analytics and Key Vault:
  • Regenerate Key-2 for the given storage account
  • Wait an acceptable period to ensure Key-2 is active
  • Update the secret in Azure Key Vault with the new value of Key-2
  • Repeat the exact same steps for Key-1 regeneration
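The four steps above as a single PowerShell function, added here as an example and not taken from the original post. It uses AzureRM Storage and Key Vault cmdlets and assumes a signed-in session with permission to regenerate keys and set secrets; the Automation and Log Analytics integration mentioned above is out of scope, and the resource names in the usage line are placeholders. The function follows the post's order (key2 first, then key1), so the secret ends up holding the freshly regenerated key1.

```powershell
# Added example: regenerate both storage keys in turn and publish each new value
# to Key Vault. Assumes: AzureRM module (Storage + KeyVault), signed-in session.

function Invoke-StorageKeyRotation {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [int] $SettleSeconds = 60   # "acceptable time period" from the post; tune for your clients
    )

    # Step order from the post: Key-2 first, then repeat for Key-1.
    foreach ($keyName in @("key2", "key1")) {
        Write-Output "Regenerating $keyName on $StorageAccountName"
        New-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName `
            -Name $StorageAccountName -KeyName $keyName | Out-Null

        # Wait before treating the new key as active.
        Start-Sleep -Seconds $SettleSeconds

        # Read the new value back and store it in Key Vault. It is never written to
        # the console or a log; only the SecureString goes to the vault.
        $newValue = (Get-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName `
                        -Name $StorageAccountName |
                     Where-Object KeyName -eq $keyName).Value
        $secure = ConvertTo-SecureString -String $newValue -AsPlainText -Force
        Set-AzureRmKeyVaultSecret -VaultName $VaultName -Name $SecretName `
            -SecretValue $secure -ContentType "azure-storage-key:$keyName" | Out-Null

        # Check: the secret now holds the current value of this key, so consumers
        # that read the vault will pick up a key that actually works.
        $stored = (Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName).SecretValueText
        if ($stored -ne $newValue) {
            throw "Key Vault secret $SecretName does not match $keyName after rotation"
        }
        Write-Output "$keyName rotated and stored in $VaultName/$SecretName"
    }
}

# Usage (placeholder names):
# Invoke-StorageKeyRotation -ResourceGroupName "rg-demo" -StorageAccountName "stdemo01" `
#     -VaultName "kv-demo" -SecretName "stdemo01-key"
```

Because each Set-AzureRmKeyVaultSecret call creates a new secret version, the vault keeps a history of rotations that can be audited, and any client still using the previous version is visible as a Key Vault access on an old version rather than as an authentication failure against storage.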