Az copy
reference:
AzCopy. Server logs for Azure Storage are stored as blobs, so you can use AzCopy to copy the log blobs to a local directory for analysis using Microsoft Message Analyzer. See Transfer data with the AzCopy Command-Line Utility for more information about AzCopy.
Tuesday, June 30, 2020
For which virtual machines can you enable Update Management?
Windows Server 2008 R2 Service Pack 1 (SP1)
Windows Server 2012 R2
Ubuntu Server 18.04 LTS
https://docs.microsoft.com/en-us/azure/automation/automation-update-management
azure disk encryption
To make sure encryption does not cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VMs to be co-located in the same region.
Create and use a Key Vault that is in the same region as the VM to be encrypted.
reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview
Data collection in Azure Security Center
Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) computers to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis.
Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged-in user.
reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
Need to log network traffic to an Azure storage account
Steps:
Actions:
1) Enable Azure Network Watcher
2) Enable NSG flow logs
Description:
1) A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability. Steps include:
1. Create a VM with a network security group
2. Enable Network Watcher and register the Microsoft.Insights provider.
3. Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
4. Download logged data
5. View logged data
reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
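As an added example for steps 4 and 5 (this is not code from the original post), here is a small Python parser for the downloaded flow log: it flattens the nested records/flows/flowTuples layout of flow log version 2 into flow objects and picks out source addresses with repeated denied inbound attempts, which is the kind of question an analyst asks of this data first. The JSON record below is constructed to match the version 2 tuple layout; the subscription id is a placeholder and the IP addresses, MAC address and rule names are made up.

```python
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample (not a real capture) laid out like an NSG flow log version 2 record.
# Each flowTuple has 13 comma-separated fields:
# time, srcIp, dstIp, srcPort, dstPort, protocol(T/U), direction(I/O), decision(A/D),
# state(B/C/E), packetsSrcToDst, bytesSrcToDst, packetsDstToSrc, bytesDstToSrc
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2020-06-30T10:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<subscription-id>/RESOURCEGROUPS/RG1/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1593511200,203.0.113.5,10.0.0.4,51234,3389,T,I,D,B,,,,",
                     "1593511201,203.0.113.5,10.0.0.4,51235,3389,T,I,D,B,,,,",
                     "1593511202,198.51.100.7,10.0.0.4,40000,22,T,I,D,B,,,,",
                 ]}]},
                {"rule": "UserRule_AllowHTTPS",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1593511210,192.0.2.9,10.0.0.4,44321,443,T,I,A,B,,,,",
                     "1593511230,192.0.2.9,10.0.0.4,44321,443,T,I,A,E,12,3450,10,9800",
                 ]}]},
            ],
        },
    }],
})


@dataclass(frozen=True)
class Flow:
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str    # "T" = TCP, "U" = UDP
    direction: str   # "I" = inbound, "O" = outbound
    decision: str    # "A" = allowed, "D" = denied
    state: str       # "B" = begin, "C" = continuing, "E" = end
    bytes_src_to_dst: int
    rule: str        # the NSG rule that made the decision


def parse_flow_log(text: str) -> List[Flow]:
    """Flatten the nested records/flows/flowTuples layout into Flow objects."""
    flows: List[Flow] = []
    for record in json.loads(text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError("only flow log version 2 tuples are handled here")
        for rule_entry in props["flows"]:
            for per_nic in rule_entry["flows"]:
                for tuple_str in per_nic["flowTuples"]:
                    f = tuple_str.split(",")
                    if len(f) != 13:
                        raise ValueError(f"malformed flow tuple: {tuple_str!r}")
                    flows.append(Flow(
                        timestamp=int(f[0]), src_ip=f[1], dst_ip=f[2],
                        src_port=int(f[3]), dst_port=int(f[4]),
                        protocol=f[5], direction=f[6], decision=f[7], state=f[8],
                        # byte counters are empty on "B" (begin) tuples
                        bytes_src_to_dst=int(f[10]) if f[10] else 0,
                        rule=rule_entry["rule"],
                    ))
    return flows


def denied_inbound_by_source(flows: List[Flow], min_attempts: int = 2) -> Dict[Tuple[str, int], int]:
    """Count denied inbound flows per (source IP, destination port) and keep the repeat offenders."""
    counts = Counter((f.src_ip, f.dst_port) for f in flows
                     if f.direction == "I" and f.decision == "D")
    return {key: n for key, n in counts.items() if n >= min_attempts}


def bytes_allowed_inbound(flows: List[Flow]) -> int:
    """Total bytes sent to the VM over allowed inbound flows (only C/E tuples carry counters)."""
    return sum(f.bytes_src_to_dst for f in flows if f.direction == "I" and f.decision == "A")


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    for (src, port), n in denied_inbound_by_source(parsed).items():
        print(f"{n} denied inbound attempts from {src} to port {port}")
    print(f"{bytes_allowed_inbound(parsed)} bytes allowed inbound")
```

Real downloads contain one JSON file per hour per NSG; the same parser applies to each file, and the threshold in `denied_inbound_by_source` is the knob to tune before feeding the result into an alert.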
System routes vs user-defined routes
Although the use of system routes facilitates traffic automatically for your deployment, there are cases in which you want to control the routing of packets through a virtual appliance. You can do so by creating user-defined routes that specify the next hop for packets flowing to a specific subnet to go to your virtual appliance instead, and enabling IP forwarding for the VM running as the virtual appliance.
Note: User-defined routes.
For most environments you will only need the system routes already defined by Azure. However, you may need to create a route table and add one or more routes in specific cases, such as:
1. Force tunneling to the internet via your on-premises network.
2. Use of virtual appliances in your Azure environment.
In the scenarios above, you will have to create a route table and add user-defined routes to it.
Thursday, June 25, 2020
What is a stored access policy?
A stored access policy provides an additional level of control over service-level shared access signatures on the server side.
Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time or permissions for a signature, or to revoke it after it has been issued.
Note:
A stored access policy on a container can be associated with a shared access signature granting permissions to the container itself or to the blobs it contains. Similarly, a stored access policy on a file share can be associated with a shared access signature granting permissions to the share itself or to the files it contains.
reference:
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
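To make the revocation semantics concrete, here is an added Python model of the server-side check (not code from the original post, and not Microsoft's SDK): the `si` parameter on a SAS token names the stored access policy, every field the policy defines is taken from the policy and must not also appear on the token, and deleting the policy denies every token bound to it, which is how a SAS is revoked without rotating the account key. The policies, the evaluation instants and the `OPERATION_PERMISSION` map are constructed for the example; the HMAC signature verification a real storage service performs before any of this is left out of the model.

```python
from datetime import datetime, timezone
from typing import Dict
from urllib.parse import parse_qs

# Constructed stored access policies for one container, keyed by policy identifier.
# A policy may leave fields unset; a SAS bound to it must then carry those fields itself.
POLICIES: Dict[str, dict] = {
    "readonly-2020": {"permissions": "rl",
                      "expiry": datetime(2020, 12, 31, tzinfo=timezone.utc)},
    "uploader": {"permissions": "w"},   # no expiry here: the token must supply 'se'
}

# Blob operations and the single permission letter each one needs (constructed subset).
OPERATION_PERMISSION = {"GetBlob": "r", "ListBlobs": "l", "PutBlob": "w", "DeleteBlob": "d"}

# Constructed evaluation instants: one inside and one after the readonly-2020 policy window.
JUNE_2020 = datetime(2020, 6, 25, tzinfo=timezone.utc)
JAN_2021 = datetime(2021, 1, 15, tzinfo=timezone.utc)


def _parse_time(value: str) -> datetime:
    """SAS times are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_sas(sas_query: str, policies: Dict[str, dict], operation: str, now: datetime) -> str:
    """Return "allow" or a "deny: ..." reason, mirroring the service-side checks described above.

    Signature verification is deliberately omitted: this models only the policy binding.
    """
    params = {k: v[0] for k, v in parse_qs(sas_query).items()}
    fields = {
        "permissions": params.get("sp"),
        "start": _parse_time(params["st"]) if "st" in params else None,
        "expiry": _parse_time(params["se"]) if "se" in params else None,
    }
    if "si" in params:                       # token is bound to a stored access policy
        policy = policies.get(params["si"])
        if policy is None:
            return "deny: stored access policy not found (token revoked)"
        for name, value in policy.items():
            if fields.get(name) is not None:
                return f"deny: '{name}' specified in both policy and token"
            fields[name] = value             # policy values apply even if changed after issuance
    if fields["permissions"] is None or fields["expiry"] is None:
        return "deny: permissions or expiry missing"
    if fields["start"] is not None and now < fields["start"]:
        return "deny: not yet valid"
    if now >= fields["expiry"]:
        return "deny: expired"
    needed = OPERATION_PERMISSION[operation]
    if needed not in fields["permissions"]:
        return f"deny: permission '{needed}' not granted"
    return "allow"


def revoke_policy(policies: Dict[str, dict], policy_id: str) -> None:
    """Deleting (or renaming) the policy invalidates every SAS that references it."""
    policies.pop(policy_id, None)


if __name__ == "__main__":
    token = "sv=2019-12-12&sr=c&si=readonly-2020&sig=placeholder"
    print(evaluate_sas(token, POLICIES, "GetBlob", JUNE_2020))   # allow
    print(evaluate_sas(token, POLICIES, "PutBlob", JUNE_2020))   # deny: permission 'w' not granted
    live = dict(POLICIES)
    revoke_policy(live, "readonly-2020")
    print(evaluate_sas(token, live, "GetBlob", JUNE_2020))       # deny: ... (token revoked)
```

The design point is in the last three lines of the demo: a token whose permissions and expiry live in the policy carries nothing the client can tamper with, and revocation is a single delete on the container rather than a key rotation that would break every other SAS on the account.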
Monday, June 22, 2020
Role assignments
When you have multiple subscriptions in a tenant, it is very easy to configure the same role assignments for all the subscriptions in the tenant
by using Azure AD Privileged Identity Management (PIM).
The Azure AD Privileged Identity Management (PIM) service also allows privileged role administrators to make permanent admin role assignments.
Another example of using role assignments:
When you create an AKS cluster, Azure also creates a service principal to support cluster operability with other Azure resources. You can use this auto-generated service principal for authentication with an ACR registry. To do so, you need to create an Azure AD role assignment that grants the cluster's service principal access to the ACR.
reference:
https://docs.microsoft.com/bs-latn-ba/azure/aks/cluster-container-registry-integration
How to sync all on-prem identities to Azure AD?
There is a smart way to sync all your on-prem users/identities to Azure AD:
through the Synchronization Rules Editor,
where we need to write the attribute-based filtering rule.
What is meant by password hash synchronization?
It is one of the authentication methods.
When to use this?
Example:
1. The subscription is associated with the Azure AD tenant named kaushik.com.
2. My network contains an Active Directory forest named kaushik.com.
Password hash synchronization is recommended in this scenario because it:
1. ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant.
2. minimizes the number of servers required for the solution.
How many kinds of authentication methods are there?
1. Federated identity with Active Directory Federation Services (ADFS)
2. Password hash synchronization with seamless single sign-on (SSO)
3. Pass-through authentication with seamless single sign-on (SSO)
Why?
1. Password hash synchronization requires the least effort regarding deployment, maintenance and infrastructure.
2. This level of effort typically applies to organizations that only need their users to sign in to Office 365, SaaS apps and other Azure AD-based resources.
3. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
Other options (see the recommendation for the above scenario).
What does each authentication method do for us, and when can we use it?
Based on the above recommendation, password hash synchronization is the best and most suitable authentication method.
1. A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It's up to you to make sure it's deployed securely and can handle the authentication load.
2. For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need outbound access to the internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter network.
Pass-through authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Hybrid configuration of Azure Active Directory (Azure AD)
Example:
1. Azure HDInsight cluster on a virtual network.
Plan:
To allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
Aim:
You need to configure the environment to support the planned authentication.
Solution and steps:
1. Connect HDInsight to your on-premises network by using Azure Virtual Networks and a VPN gateway.
Note:
To allow HDInsight and resources in the joined network to communicate by name, you must perform the following actions.
1. Create an Azure Virtual Network.
2. Create a custom DNS server in the Azure Virtual Network.
3. Configure the virtual network to use the custom DNS server instead of the default Azure Recursive Resolver.
4. Configure forwarding between the custom DNS server and your on-premises DNS server.
reference:
https://docs.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network
Sunday, June 21, 2020
How to set up Let's Encrypt in an AKS cluster?
https://github.com/fbeltrao/aks-letsencrypt
Alternative ways to create SSL certificates and expose the services.
alternative-01
helm install --name nginx-ingress stable/nginx-ingress --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux --namespace ingress-basic
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out aks-ingress-tls.crt -keyout aks-ingress-tls.key -subj "/CN=*.kaushik.development.net/O=aks-ingress-tls"
kubectl create secret tls aks-ingress-tls --namespace ingress-basic --key aks-ingress-tls.key --cert aks-ingress-tls.crt
reference:
https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx/templates
alternative-02
1) helm install --name cert-manager --namespace edge --version v0.15.1 jetstack/cert-manager --set installCRDs=true
2) helm repo add jetstack https://charts.jetstack.io
reference : https://cert-manager.io/docs/configuration/acme/
3) Create a YAML file called clusterissuer.yaml:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: external
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
4) Add the annotation cert-manager.io/cluster-issuer: external to the ingress block in values.yaml.
Example:
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: external
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: test.kaushikdevelopment.net
      paths:
        # NB: You may also want to set the basePath above
        - /
  tls:
    - secretName: tlssecret # this secret is automatically created when you install the helm chart.
      hosts:
        - test.kaushikdevelopment.net
example app : https://github.com/bootc/netbox-chart/blob/master/values.yaml
Currently, the fourth implementation is not working because of a DNS issue.
Troubleshooting steps:
nslookup <dnsname> <dnsserver>
nslookup devtls.netboxdevelopment.net ns1-02.azure-dns.com.
Server: ns1-02.azure-dns.com.
Address: 2603:1061::2#53
Name: devtls.netboxdevelopment.net
Address: 20.185.246.138
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-custom
  namespace: kube-system
data:
  test.server: |
    netboxdevelopment.net:53 {
      errors
      cache 30
      forward . ns1-02.azure-dns.com
    }
# kubectl apply -f coredns.yaml
reference : https://docs.microsoft.com/en-us/azure/aks/coredns-custom
# kubectl delete pod --namespace kube-system -l k8s-app=kube-dns
command : host ns1-02.azure-dns.com
ns1-02.azure-dns.com has address 40.90.4.2
ns1-02.azure-dns.com has IPv6 address 2603:1061::2
kubectl get secret externaltlscert -n tlsnetbox -o yaml
Alternative-05
An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services.
References:
https://docs.microsoft.com/en-us/azure/aks/ingress-tls
Alternative-06
https://github.com/Azure/application-gateway-kubernetes-ingress
How to generate the SSL certificates?
https://app.zerossl.com/certificate/new
Saturday, June 20, 2020
What is meant by conditional access?
You can use conditional access policies to ensure that users who sign in from untrusted locations are prompted to authenticate using MFA.
reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
What is Network Watcher?
Packet capture is a tool available in Network Watcher.
Variable packet capture in Azure Network Watcher:
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications and much more.
Packet capture is a virtual machine extension that is remotely started through Network Watcher.
reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
What is meant by adaptive application controls in Security Center?
How to block:
1. No unwanted software runs on these virtual machines.
2. Block attempts to run malicious applications.
Azure Security Center application controls.
Adaptive application controls:
"Adaptable" indicates long-term changes; "flexible" more short-term alterations. Another meaning is being adjustable in any kind of environment.
Adaptive application control is an intelligent, automated end-to-end application whitelisting solution from Azure Security Center.
It helps you control which applications can run on your Azure and non-Azure VMs (Windows and Linux) which, among other benefits, helps harden your VMs against malware.
Security Center uses machine learning to analyze the applications running on your VMs and helps you apply specific whitelisting rules using this intelligence.
This capability greatly simplifies the process of configuring and maintaining application whitelisting policies, enabling you to:
1. Prevent specific software tools that are not allowed in your organisation.
2. Avoid old and unsupported apps being run.
3. Avoid unwanted software being used in your environment.
4. Block or alert on attempts to run malicious applications.
reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application
Delete lock
You can use a delete lock to ensure no resources get deleted at the resource group level.
How does JIT access work?
You can use just-in-time (JIT) access so that IT administrators can request access, which opens the required ports on the virtual machine.
When JIT is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the just-in-time solution.
When a user requests access to a VM, Security Center checks that the user has RBAC permissions that permit them to successfully request access to a VM. If the request is approved, Security Center automatically configures the NSG and Azure Firewall to allow inbound traffic to the selected ports and requested source IP addresses or ranges, for the amount of time that was specified. After the time has expired, Security Center restores the NSGs to their previous states. Connections that are already established are not interrupted.
reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
How to create custom routes?
Azure routes traffic between all subnets within a virtual network by default. You can create your own routes to override Azure's default routing. The ability to create custom routes is helpful if, for example, you want to route traffic between subnets through a network virtual appliance (NVA).
Create a route table, create a route, create a virtual network with multiple subnets, associate a route table to a subnet, create an NVA that routes traffic, deploy virtual machines (VMs) into different subnets and route traffic from one subnet to another through an NVA.
reference:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
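The "system routes vs user-defined routes" post above and this one both rest on how Azure chooses between overlapping routes. As an added example (not code from the original post), here is a Python model of that selection over a constructed route table: the longest matching prefix wins, and on a tie a user-defined route beats a BGP route, which beats a system route. The address space, the NVA address 10.0.2.4 and the route entries are constructed; the two user-defined routes correspond to the two cases the earlier post names, a virtual appliance and force tunneling.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Azure picks the matching route with the longest prefix; on a tie it prefers
# user-defined routes, then BGP routes, then system routes. Lower number wins here.
SOURCE_PRIORITY = {"user": 0, "bgp": 1, "system": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str             # VnetLocal, Internet, VirtualAppliance, VirtualNetworkGateway, None
    next_hop_ip: Optional[str] = None
    source: str = "system"


# Constructed default system routes for a VNet with address space 10.0.0.0/16.
SYSTEM_ROUTES: List[Route] = [
    Route("10.0.0.0/16", "VnetLocal"),
    Route("0.0.0.0/0", "Internet"),
]

# Constructed user-defined routes: send traffic for subnet 10.0.1.0/24 through an NVA
# at 10.0.2.4 (IP forwarding must be enabled on that VM) and force-tunnel
# internet-bound traffic over the VPN gateway to the on-premises network.
USER_ROUTES: List[Route] = [
    Route("10.0.1.0/24", "VirtualAppliance", "10.0.2.4", "user"),
    Route("0.0.0.0/0", "VirtualNetworkGateway", None, "user"),
]


def select_route(destination: str, routes: List[Route]) -> Optional[Route]:
    """Return the effective route for a destination address, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          -SOURCE_PRIORITY[r.source]))


def next_hop(destination: str, routes: List[Route]) -> str:
    """Next hop as a readable string, the way the effective-routes view shows it."""
    route = select_route(destination, routes)
    if route is None or route.next_hop_type == "None":
        return "dropped"           # a next hop type of None is how a UDR blackholes traffic
    if route.next_hop_ip is None:
        return route.next_hop_type
    return f"{route.next_hop_type} {route.next_hop_ip}"


if __name__ == "__main__":
    effective = SYSTEM_ROUTES + USER_ROUTES
    for dest in ("10.0.1.10", "10.0.3.10", "203.0.113.10"):
        print(f"{dest:>14} -> system only: {next_hop(dest, SYSTEM_ROUTES):<24}"
              f" with UDRs: {next_hop(dest, effective)}")
```

Note the second destination: 10.0.3.10 still goes VnetLocal even with the user-defined 0.0.0.0/0 route present, because the system /16 route is a longer match; a UDR only wins on an equal prefix, which is why the NVA route is written as a /24 rather than relying on the default route.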
What is Azure Blueprints?
If you want to deploy the same settings across subscriptions, you can create an Azure blueprint and then apply the blueprint to other subscriptions.
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
1. Role assignments
2. Policy Assignments
3. Azure Resource Manager templates
4. Resource Groups
reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
Azure SQL Database
Azure AD identities can be used for authentication to Azure SQL Database.
If you need to create a SQL Server administrator based on an existing Azure AD account:
you need to create a secondary SQL Server administrator that is based on an Azure AD account.
This is required before you can start creating users based on Azure AD accounts in the SQL database.
Create an Azure AD administrator for Azure SQL server
Each Azure SQL server (which hosts a SQL Database or SQL Data Warehouse) starts with a single server administrator account that is the administrator of the entire Azure SQL server. A second SQL Server administrator must be created, that is an Azure AD account.
This principal is created as a contained database user in the master database. As administrators, the server administrator accounts are members of the db_owner role in every database, and enter each user database as the dbo user. For more information about the server administrator accounts.
Note:
1. When using Azure Active Directory with geo-replication, the Azure Active Directory administrator must be configured for both the primary and secondary servers. If a server does not have an Azure Active Directory administrator, then Azure Active Directory logins and users receive a "Cannot connect" to server error.
2. Users that are not based on an Azure AD account (including the Azure SQL server administrator account) cannot create Azure AD-based users, because they do not have permission to validate proposed database users with Azure AD.
How to prepare the database to authenticate by using identities defined in their Azure AD tenant?
How to create a contained user based on Azure AD in a SQL database?
When you create a contained user based on an Azure AD account,
you have to use the "EXTERNAL PROVIDER" clause.
To create an Azure AD-based contained database user (other than the server administrator that owns the database), connect to the database with an Azure AD identity, as a user with at least the ALTER ANY USER permission.
Then use the following Transact-SQL syntax:
CREATE USER <Azure_AD_principal> FROM EXTERNAL PROVIDER;
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell
just in time access
secure your management ports with just in time access
Port 3389 is the Remote Desktop Protocol port used to connect to the virtual machine. Instead of leaving it open in the network security group, control it with just-in-time access: the port stays closed until an approved request opens it for a limited time and only from the requester's source address.
Request JIT access to a VM : assign these actions to the user
These Role Based Access Control actions must be allowed for a user who requests just-in-time access to a virtual machine.
On the scope of the subscription or resource group that is associated with the VM:
Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
On the scope of the subscription, resource group or VM:
Microsoft.Compute/virtualMachines/read
Configure or edit a JIT policy for a VM : assign these actions to the role:
On the scope of the subscription or resource group that is associated with the VM:
Microsoft.Security/locations/jitNetworkAccessPolicies/write
On the scope of the subscription, resource group or VM:
Microsoft.Compute/virtualMachines/write
reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
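As an added example (my script, not from the page or the Microsoft documentation), the two action lists above turned into two custom RBAC roles, so that people who may only request JIT access never receive the policy write action. Role names, descriptions, the subscription ID, resource group and assignee are placeholders; AZ=echo prints the az commands instead of running them.

```shell
# Added example, not from the page. Two custom roles built from the actions
# listed in the JIT documentation. Placeholders: subscription ID, rg-vms,
# alice@contoso.com, the role names.
AZ="${AZ:-az}"

# Emit a role definition JSON document; the action list is the only part
# that differs between the two roles.
role_def_json() {
  name="$1"; desc="$2"; sub="$3"; shift 3
  printf '{\n  "Name": "%s",\n  "IsCustom": true,\n  "Description": "%s",\n  "Actions": [\n' "$name" "$desc"
  first=1
  for action in "$@"; do
    [ "$first" -eq 1 ] || printf ',\n'
    printf '    "%s"' "$action"
    first=0
  done
  printf '\n  ],\n  "NotActions": [],\n  "AssignableScopes": ["/subscriptions/%s"]\n}\n' "$sub"
}

# Requesters: initiate the JIT policy plus read the VM. No write action at all.
jit_requester_role() {
  role_def_json "JIT Access Requester" "May request just-in-time VM access, nothing more" "$1" \
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action" \
    "Microsoft.Compute/virtualMachines/read"
}

# Policy editors: write the JIT policy and the VM. Hand this to far fewer people.
jit_policy_editor_role() {
  role_def_json "JIT Policy Editor" "May create and edit JIT policies" "$1" \
    "Microsoft.Security/locations/jitNetworkAccessPolicies/write" \
    "Microsoft.Compute/virtualMachines/write"
}

# Create the requester role in the subscription and assign it at
# resource-group scope, the narrowest scope the initiate action supports.
create_and_assign_requester() {
  sub="$1"; rg="$2"; assignee="$3"
  tmp=$(mktemp)
  jit_requester_role "$sub" > "$tmp"
  $AZ role definition create --role-definition "@$tmp"
  $AZ role assignment create --role "JIT Access Requester" \
    --assignee "$assignee" --scope "/subscriptions/$sub/resourceGroups/$rg"
  rm -f "$tmp"
}
```

Keep the requester role free of any Microsoft.Security write action: a user who can edit the policy can simply widen the allowed source addresses or the duration and turn JIT into a permanently open port.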
Thursday, June 18, 2020
Azure Sentinel - Analytics
Custom alert rules have been retired from Azure Security Center and now have to be created as analytics rules in Azure Sentinel.
Extension schema
The following JSON shows the schema for the Log Analytics agent extension. The extension requires the workspace ID and workspace key of the target Log Analytics workspace; both can be found in the workspace settings. The workspace key should be treated as sensitive data and stored in the protected settings configuration. Azure VM extension protected setting data is encrypted and only decrypted on the target machine.
Note:
workspaceId and workspaceKey are case-sensitive
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows
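Installing the extension with the key in the protected settings, as an added example (my script, not from the page or the Microsoft documentation). The publisher, extension name and the workspaceId / workspaceKey setting names are the documented ones; the resource group, VM name, Key Vault and secret names are placeholders. AZ=echo prints the az command instead of running it, which is also how you can confirm the key only ever travels in --protected-settings.

```shell
# Added example, not from the page. Placeholders: rg-monitoring, vm-web01,
# kv-ops and the secret name la-workspace-key.
AZ="${AZ:-az}"

# The two JSON documents the extension expects. Key names are case-sensitive.
mma_public_settings()    { printf '{"workspaceId": "%s"}' "$1"; }
mma_protected_settings() { printf '{"workspaceKey": "%s"}' "$1"; }

# Guard: refuse a public settings blob that carries the workspace key.
# Public settings are stored and returned in clear text by the API, so a key
# placed there is readable by anyone with read access to the VM resource.
check_public_settings() {
  case "$1" in
    *workspaceKey*|*WorkspaceKey*|*workspacekey*) return 1 ;;
  esac
  return 0
}

# Fetch the key from Key Vault at run time instead of pasting it into a
# shell history or a pipeline log. Vault and secret names are placeholders.
workspace_key_from_vault() {
  $AZ keyvault secret show --vault-name "$1" --name "$2" --query value -o tsv
}

# Install the Windows agent (publisher/type as in the documentation).
install_mma() {
  rg="$1"; vm="$2"; workspace_id="$3"; workspace_key="$4"
  pub=$(mma_public_settings "$workspace_id")
  check_public_settings "$pub" || { echo "refusing: workspace key in public settings" >&2; return 1; }
  $AZ vm extension set \
    --resource-group "$rg" --vm-name "$vm" \
    --publisher Microsoft.EnterpriseCloud.Monitoring \
    --name MicrosoftMonitoringAgent --version 1.0 \
    --settings "$pub" \
    --protected-settings "$(mma_protected_settings "$workspace_key")"
}

# Usage (real run): install_mma rg-monitoring vm-web01 "$WS_ID" "$(workspace_key_from_vault kv-ops la-workspace-key)"
```

After installation `az vm extension show` returns the settings block with workspaceId but never the protectedSettings content, which is the quickest check that the key went in on the right side.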
Create an ingress controller in AKS
An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.
This article shows you how to deploy the NGINX ingress controller in an Azure Kubernetes Service (AKS) cluster. Two applications are then run in the AKS cluster, each of which is accessible over the single IP address.
reference:
https://docs.microsoft.com/en-us/azure/aks/ingress-basic
Wednesday, June 17, 2020
How to secure Azure AD roles ?
Use Privileged Identity Management (PIM), which makes Azure AD role assignments eligible and time-bound (activated on demand, with MFA and optional approval) instead of permanently active.
How to implement ?
1. Verify your identity by using MFA.
2. Consent to Privileged Identity Management.
3. Sign up Privileged Identity Management for Azure AD roles.
reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
How to configure access reviews for an organization ?
Who performs the reviews ?
answer : resource owners.
How to implement this ?
1. First create a new access review program that will hold the collection of reviews
( Identity Governance - Programs ).
2. Once the program is in place, create the access reviews. These are access control reviews of group membership or application assignment.
3. For the review, set the reviewers to 'Group owners'
( Create an access review ).
reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/governance/create-access-review
what is the concept of risk events ?
Azure AD Identity Protection flags suspicious sign-in or user activity as a risk event and assigns each detection type a risk level; Conditional Access and the Identity Protection user-risk and sign-in-risk policies then act on that level.
Examples from the Microsoft documentation:
1. sign-in from an unfamiliar location : risk level Medium
2. sign-in from an anonymous IP address : risk level Medium
3. sign-in from an infected device : risk level Low
reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
What is meant by Synchronization Rules Editor ?
You can use the Synchronization Rules Editor to create custom rules that control what gets synchronised to Azure AD.
Scenario:
Need to deploy Azure AD Connect to integrate the on-premises Active Directory domain with Azure AD. Users whose givenName attribute starts with 'KAU' must be prevented from being synchronised to Azure AD.
how ? : Synchronization Rules Editor. Create a custom inbound rule whose scoping filter matches givenName STARTSWITH 'KAU' and whose transformation flows the constant True to the cloudFiltered attribute; objects with cloudFiltered set are not exported to Azure AD.
reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration
Azure RBAC
Role Based Access Control (RBAC) is used to authorize what a principal may do with resources in Azure. It is not an authentication mechanism: who the principal is has already been established by Azure AD before RBAC is consulted.
reference :
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
how to allow on-prem devices to communicate with azure resources ?
For authentication, the on-premises Active Directory needs to be connected to Azure AD (Azure AD Connect). The on-premises Active Directory can then be used to authenticate users to services in Azure, and on-premises devices can use Azure resources once the directory sync is in place.
Note: ( this is optional, for knowledge purposes )
With a site-to-site VPN connection the network traffic between on-premises and Azure is encrypted.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
what is meant by on-premises data gateway ?
The on-premises data gateway provides a method to transfer data between an on-premises environment and Microsoft cloud services (Power BI, Power Apps, Power Automate, Logic Apps) over outbound connections from the gateway host, so no inbound ports have to be opened on premises.
https://docs.microsoft.com/en-us/power-bi/connect-data/service-gateway-onprem
when you need to use a federated solution with your on-premises active directory
Scenario :
We have an on-premises data center and an Azure subscription. An Azure SQL database is in place that supports Azure AD authentication. The database developers need to authenticate to the database using Microsoft SQL Server Management Studio.
They need to authenticate using their on-premises Active Directory account. Which authentication type should they use in SQL Server Management Studio to connect, ensuring the solution minimises authentication prompts ?
Active Directory - Integrated (no credential prompt, because the Windows session is already signed in with an account from a federated domain, or a managed domain with seamless single sign-on)
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#configure-your-client-computers
How to implement the always encrypted feature ?
Want to implement the "Always Encrypted" feature to encrypt a column within a table in the database. The column is encrypted with a column encryption key, which is itself encrypted with a column master key held on the client side, so the database engine only ever sees ciphertext.
reference :
https://docs.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-certificate-store-configure
How to store the master key ?
We can use either a Windows certificate store or an Azure Key Vault to store the column master key.
Tuesday, June 16, 2020
what is azure cosmos db and how to access it ?
Azure Cosmos DB is a fully managed NoSQL database service for modern app development.
Access:
two types,
1. Master keys : full administrative access to the whole account; keep them on the server side only.
2. Resource tokens : short-lived and scoped to a user's permission on a specific resource (container, item, ...), so they are what a client should hold.
Scenario,
Backend (database) : Cosmos DB
Web application : Azure Web App
authentication purposes ?
Create database users, give each user a permission on the resources it may access, and have the web app (which holds the master key) generate resource tokens for its clients.
reference : https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data
managed service identity
Need to understand remediation: an Azure Policy remediation task (for the deployIfNotExists and modify effects) runs under the managed identity assigned to the policy assignment, so that identity needs the role definitions the policy definition declares.
Please refer to the Microsoft documentation,
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
What is OAUTH2 implicit grant ?
From the Microsoft documentation:
The quintessential OAuth2 authorization code grant is the authorization grant that uses two separate endpoints. The authorization endpoint is used for the user interaction phase, which results in an authorization code. The token endpoint is then used by the client for exchanging the code for an access token, and often a refresh token as well. Web applications are required to present their own application credentials to the token endpoint, so that the authorization server can authenticate the client.
The OAuth2 implicit grant is a variant of other authorization grants. It allows a client to obtain an access token (and id_token, when using OpenID Connect) directly from the authorization endpoint, without contacting the token endpoint or authenticating the client. This variant was designed for JavaScript-based applications running in a web browser: in the original OAuth2 specification, tokens are returned in a URI fragment. That makes the token bits available to the JavaScript code in the client, but guarantees they won't be included in redirects toward the server. In the OAuth2 implicit grant, the authorization endpoint issues access tokens directly to the client using a redirect URI that was previously supplied. It also eliminates any requirement for cross-origin calls, which are necessary if the JavaScript application has to contact the token endpoint.
An important characteristic of the OAuth2 implicit grant is that such flows never return refresh tokens to the client.
Scenario:
I am developing a mobile application. The application will use the OAuth2 implicit grant type to get Azure AD access tokens.
The application needs to be registered in Azure AD.
how to register the application in Azure AD ?
Register it with the redirect URI the tokens will be returned to (the authorization endpoint only redirects to a URI that exactly matches one in the registration), and enable the implicit grant for access tokens and ID tokens on the registration's Authentication blade.
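The flow described above as an added example (my script, not from the page or the Microsoft documentation): the request to the Azure AD v2.0 authorize endpoint with response_mode=fragment, and the client-side handling of the redirect that carries the tokens after the '#'. Tenant, client ID, redirect URI and scopes are placeholders. Note that for native and mobile applications Microsoft now recommends the authorization code flow with PKCE instead; the implicit grant is kept here only because the scenario specifies it.

```shell
# Added example, not from the page. Placeholders: tenant, client ID, redirect URI.
AAD_TENANT="${AAD_TENANT:-contoso.onmicrosoft.com}"
AAD_CLIENT_ID="${AAD_CLIENT_ID:-00000000-0000-0000-0000-000000000000}"
AAD_REDIRECT_URI="${AAD_REDIRECT_URI:-https://localhost/redirect}"

# Minimal percent-encoding for the characters that matter in a query string.
urlencode() {
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/:/%3A/g' -e 's,/,%2F,g' \
    -e 's/?/%3F/g' -e 's/#/%23/g' -e 's/&/%26/g' -e 's/=/%3D/g'
}

# Random state (anti-CSRF) and nonce (binds the id_token to this request).
random_hex() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# response_type=token id_token asks the authorize endpoint for both tokens;
# response_mode=fragment puts them after '#', so the server behind the redirect
# URI never receives them. The app registration must list AAD_REDIRECT_URI
# exactly and have the implicit grant enabled for the token types requested.
authorize_url() {
  state="$1"; nonce="$2"
  printf 'https://login.microsoftonline.com/%s/oauth2/v2.0/authorize?client_id=%s&response_type=%s&redirect_uri=%s&scope=%s&response_mode=fragment&state=%s&nonce=%s\n' \
    "$AAD_TENANT" "$AAD_CLIENT_ID" "$(urlencode 'token id_token')" \
    "$(urlencode "$AAD_REDIRECT_URI")" \
    "$(urlencode 'openid profile https://graph.microsoft.com/User.Read')" "$state" "$nonce"
}

# Read one parameter out of the fragment of the redirect URL. Returns 1 when
# the URL has no fragment (a '?code=' redirect is not this flow) or the
# parameter is absent.
fragment_param() {
  frag="${1#*#}"
  [ "$frag" != "$1" ] || return 1
  val=$(printf '%s\n' "$frag" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1)
  [ -n "$val" ] || return 1
  printf '%s\n' "$val"
}

# Accept the redirect only when the state matches what we sent, surface an
# error response, and otherwise return the access token. There is no refresh
# token to look for: the implicit grant never issues one, so the client has to
# re-run the authorize request when expires_in runs out.
accept_redirect() {
  url="$1"; expected_state="$2"
  got_state=$(fragment_param "$url" state) || return 1
  if [ "$got_state" != "$expected_state" ]; then
    echo "state mismatch: discarding redirect" >&2; return 1
  fi
  if err=$(fragment_param "$url" error); then
    echo "authorization failed: $err" >&2; return 1
  fi
  fragment_param "$url" access_token
}

# Usage: open the printed URL in the system browser, then pass the redirect
# URL the browser lands on to accept_redirect together with the same state.
if [ "${1:-}" = "--demo" ]; then
  s=$(random_hex); n=$(random_hex)
  authorize_url "$s" "$n"
fi
```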
Network connectivity using the routes
Routes play an important role in the networking world.
Why ?
To establish connectivity between point A and point B.
Scenario,
VnetName : KaushikHubVnet
Region : East US
Description :
This virtual network is connected to the on-premises network by using a site-to-site VPN that has BGP route propagation enabled. This network contains a subnet called SubnetA.
VnetName : KaushikSpokeVnet
Region : East US
Description:
This virtual network is connected to KaushikHubVnet by using virtual network peering. This network contains a subnet named SubnetB.
The virtual machines created in SubnetB can communicate with computers on the on-premises network.
how to deploy Azure Firewall to KaushikHubVnet so that traffic between SubnetB and on-premises passes through it ?
For this, we need two route tables.
kaushikrt1 : includes a user-defined route (0.0.0.0/0) that points to the private IP address of the Azure Firewall as the next hop (next hop type Virtual appliance).
Assign this route table (rt1) to SubnetB.
kaushikrt2 : disables BGP route propagation and points the spoke's address range at the private IP address of the Azure Firewall as the next hop, so that traffic arriving from on-premises through the VPN gateway reaches SubnetB via the firewall instead of directly over the peering.
Assign this route table (rt2) to the GatewaySubnet.
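The two route tables above created with the Azure CLI, as an added example (my script, not from the page or the Microsoft documentation). The resource group, firewall private IP, spoke prefix and region are placeholders; AZ=echo prints the az commands instead of running them. One caveat of mine, not stated on the page: the GatewaySubnet table gets a route for the spoke prefix rather than 0.0.0.0/0, because a default route on the GatewaySubnet is not supported and breaks the gateway.

```shell
# Added example, not from the page. Placeholders: rg-kaushik-network,
# the firewall's private IP, the spoke address space.
AZ="${AZ:-az}"
NET_RG="${NET_RG:-rg-kaushik-network}"
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.0.1.4}"      # private IP of the Azure Firewall in the hub
SPOKE_PREFIX="${SPOKE_PREFIX:-10.1.0.0/16}"     # address space of KaushikSpokeVnet

# kaushikrt1, attached to SubnetB: everything leaving the spoke goes through
# the firewall, which then forwards on-premises-bound traffic to the gateway.
create_spoke_route_table() {
  $AZ network route-table create --resource-group "$NET_RG" --name kaushikrt1 --location eastus
  $AZ network route-table route create --resource-group "$NET_RG" --route-table-name kaushikrt1 \
    --name default-via-firewall --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  $AZ network vnet subnet update --resource-group "$NET_RG" --vnet-name KaushikSpokeVnet \
    --name subnetB --route-table kaushikrt1
}

# kaushikrt2, attached to GatewaySubnet: BGP route propagation disabled (as the
# scenario requires) and the spoke prefix routed to the firewall. Never put
# 0.0.0.0/0 here; route each spoke prefix individually.
create_gateway_route_table() {
  $AZ network route-table create --resource-group "$NET_RG" --name kaushikrt2 --location eastus \
    --disable-bgp-route-propagation true
  $AZ network route-table route create --resource-group "$NET_RG" --route-table-name kaushikrt2 \
    --name spoke-via-firewall --address-prefix "$SPOKE_PREFIX" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  $AZ network vnet subnet update --resource-group "$NET_RG" --vnet-name KaushikHubVnet \
    --name GatewaySubnet --route-table kaushikrt2
}

# Usage: create_spoke_route_table && create_gateway_route_table
```

After both tables are in place, `az network nic show-effective-route-table` on a SubnetB NIC should show 0.0.0.0/0 with next hop VirtualAppliance and the firewall IP, and the firewall's network rules decide what actually gets through.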
Why we need the Container network interface plug-in ?
Scenario,
We have a virtual machine called kaushikvm in the kaushik Azure subscription.
The VM will be created in a VNet called kaushik-network. The virtual network contains a subnet named "default".
A service endpoint has been created for the subnet.
The Azure virtual machine will be based on the CentOS server image. The VM will be used to host Docker containers.
We have to ensure that the containers are able to access Azure Storage resources and Azure SQL databases using the service endpoint.
what do we have to do ?
Install the Azure Virtual Network container network interface (CNI) plug-in. It gives each container its own IP address from the subnet, so the subnet's service endpoints and network security groups apply to the containers' traffic rather than only to the VM's.
Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni?toc=%2Fazure%2Fvirtual-network%2Ftoc.json
https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview
Saturday, June 13, 2020
what is meant by SDP ?
SDP : Software Defined Perimeter
( this can function as a next generation VPN, with no need to compromise ).
What are the pros and cons of current generation VPN ?
Current generation VPN has worked for years to make accessing resources remotely easier and more secure.
1. People can access resources from beyond their current network.
2. VPNs send all your network traffic to a separate network.
3. This allows you to access resources that are not locally available.
4. They also provide features like improved security through encryption, limited profile-based access, and visibility and monitoring.
At the same time, the focus of the current generation of VPN remains on protecting resources behind what has proven to be an ineffective network perimeter.
For this reason, it is time for a more cloud-friendly alternative that accounts for the need for internal security within both a network and the cloud, instead of relying on a firewall to protect a network perimeter, as this can lead to vulnerabilities.
What is a network perimeter ?
A network perimeter is the secured boundary between the private and locally managed side of a network, often a company's intranet, and the public-facing side of a network, often the Internet. A network perimeter includes: Border routers: routers serve as the traffic signs of networks.
How does SDP work ?
A Software-Defined Perimeter dynamically creates one-to-one network connections between the user and the resources they access. A Software-Defined Perimeter is built on three core pillars: ... Built for the cloud – it is engineered to operate natively in cloud networks and delivers scalable security.
Which are common perimeter network configurations ?
The three most common topology design options are: (1) web server on the public Internet network, (2) web server on the internal side of the network, and (3) web server in the demilitarized zone.
What is the primary purpose of a perimeter network ?
Software architecture plays a significant role in the discussion of a security infrastructure because the primary purpose of the network's perimeter is to protect the application's data and services. When securing the application, you should ensure that the architecture of the software and the network is harmonious.
SDP:
Next generation VPN benefits of SDP include the following:
- Provides a Zero Trust/least privilege model—authorize then connect
- Mutual TLS using a provided PKI
- No ports open for public snooping/hacking
- Microsegmentation—a tunnel of one
- Policy-based configuration ensures users can only access specific resources
- Integrates with your existing Identity Access Mechanism (SAML/AD/LDAP)
- No additional hardware or network integration required
- Consistent user experience on premise or off
- Lightweight client requires no end user configuration
- Control access whether applications are on premise or in the cloud
- Provides additional security without additional throughput degradation
- Additional security without significantly more experience
Monday, June 8, 2020
rbac for tiller
https://medium.com/@amimahloof/how-to-setup-helm-and-tiller-with-rbac-and-namespaces-34bf27f7d3c3
How to install tiller for the azure kubernetes cluster ?
1. image used in the commands below, tiller_image: "gcr.io/kubernetes-helm/tiller:v2.14.3"
2. check whether tiller is already running
kubectl get pods -n kube-system | grep tiller | grep Running
3. kubectl create serviceaccount --namespace kube-system tiller
4. kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
( this binding gives tiller, and therefore anyone who can reach tiller's gRPC port, cluster-admin on the whole cluster; it is the quick setup, not the least-privilege one )
5. helm init --history-max 200 --service-account tiller --node-selectors "beta.kubernetes.io/os=linux" --tiller-image {{tiller_image}} --tiller-connection-timeout 45
6. if tiller is already installed, upgrade it in place:
helm init --history-max 200 --service-account tiller --node-selectors "beta.kubernetes.io/os=linux" --tiller-image {{tiller_image}} --tiller-connection-timeout 45 --upgrade --force-upgrade
if step 5 and step 6 do not work ( "could not find the requested resource" on Kubernetes 1.16 and later, where the extensions/v1beta1 Deployment API that helm init 2.14 emits was removed ), use the command below, which rewrites the generated manifest to apps/v1 before applying it
reference :
https://github.com/helm/helm/issues/6374
https://stackoverflow.com/questions/58075103/error-error-installing-the-server-could-not-find-the-requested-resource-helm-k
helm init --service-account tiller --override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' --output yaml | sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' | kubectl apply -f -
check whether tiller is working by installing a helm chart
kubectl create ns kaushik
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm install --name nginx-ingress stable/nginx-ingress --namespace kaushik --debug
( note: the chart installed here comes from the default "stable" repository that helm init registers, not from the nginx-stable repository added two lines above )
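The least-privilege alternative to the cluster-admin binding in step 4, as an added example (my script, not from the page or the linked article): a Role limited to one namespace, bound to tiller's service account there, with tiller itself deployed into that namespace. The namespace "kaushik" and the role names are placeholders; KUBECTL=echo and HELM=echo print the commands instead of running them. Helm 3 removed tiller altogether, so this only applies while Helm 2 is still in use.

```shell
# Added example, not from the page. Placeholders: namespace "kaushik",
# role/binding names. Uses the Helm 2 pattern of a namespace-scoped tiller.
KUBECTL="${KUBECTL:-kubectl}"
HELM="${HELM:-helm}"
TILLER_IMAGE="${TILLER_IMAGE:-gcr.io/kubernetes-helm/tiller:v2.14.3}"

# Manifest: a Role (not a ClusterRole), so tiller can only create, update and
# delete objects inside this one namespace, plus the binding to its service account.
tiller_rbac_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: $ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-manager
  namespace: $ns
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-binding
  namespace: $ns
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: $ns
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the manifest and deploy tiller into the same namespace. Every later
# helm command needs --tiller-namespace (or TILLER_NAMESPACE) to find it.
install_scoped_tiller() {
  ns="$1"
  $KUBECTL create namespace "$ns"
  tiller_rbac_manifest "$ns" | $KUBECTL apply -f -
  $HELM init --service-account tiller --tiller-namespace "$ns" \
    --tiller-image "$TILLER_IMAGE" --node-selectors "beta.kubernetes.io/os=linux" --history-max 200
}

# Usage: install_scoped_tiller kaushik
#        helm --tiller-namespace kaushik install --name nginx-ingress stable/nginx-ingress --namespace kaushik
```

Charts that create cluster-wide objects (ClusterRoles, CRDs, the nginx-ingress controller's own ClusterRole among them) will fail under this Role by design; add only the specific cluster-scoped permissions such a chart needs rather than going back to cluster-admin.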
Sunday, June 7, 2020
sample custom netbox image with environment variables
FROM netboxcommunity/netbox:v2.8.3
# Values are deliberately left empty: supply them at run time (docker run -e,
# a compose env_file, or an orchestrator secret). Anything written here is
# baked into the image layers and readable with `docker history`, so never put
# DB_PASSWORD, REDIS_PASSWORD or SECRET_KEY values in the Dockerfile itself.
ENV DB_HOST=
ENV DB_NAME=
ENV DB_PASSWORD=
ENV DB_USER=
ENV REDIS_DATABASE=
ENV REDIS_HOST=
ENV REDIS_PASSWORD=
ENV REDIS_SSL=
ENV SECRET_KEY=
using netbox plugins
To utilise plugins that have been created by users within the Netbox Community a custom image must be used.
https://github.com/netbox-community/netbox-docker/wiki/Using-Netbox-Plugins