Sunday, September 20, 2020

Virtual Network Service Endpoints

 Virtual Network ( VNet ) service endpoints extend your virtual network's private address space and identity to Azure services over a direct connection. Endpoints let you restrict your critical Azure service resources to only your virtual networks, and traffic from your VNet to the Azure service always stays on the Microsoft Azure backbone network. Note that enabling the endpoint on a subnet only changes the route and the source identity the service sees; the resource is locked down only once its own firewall is set to deny by default and allows just that subnet.

Generally available for:

Azure Storage

Azure SQL Database

Azure SQL Data Warehouse

Azure Database for MySQL

Azure Database for MariaDB

Azure Cosmos DB

Azure Key Vault

Azure Service Bus

Azure Event Hubs

Azure Data Lake Store Gen1


Conditional access policy

( The "baseline" policies described below were a preview feature that Microsoft retired at the end of February 2020 in favour of security defaults and custom Conditional Access policies; the controls they applied are still the ones to reproduce. )

 End user protection :

End user protection is a risk-based MFA baseline policy that protects all users in a directory, including all administrator roles. Enabling this policy requires all users to register for MFA using the Authenticator app. Users can ignore the MFA registration prompt for 14 days, after which they are blocked from signing in until they register for MFA. Once registered, users are prompted for MFA only during risky sign-in attempts. Compromised user accounts are blocked until their password has been reset and the risk events have been dismissed.

Block legacy authentication to Azure AD with conditional access:

To give your users easy access to your cloud apps, Azure AD supports a broad variety of authentication protocols, including legacy authentication ( basic authentication as used by older Office clients, POP, IMAP, SMTP and similar ). Legacy protocols cannot perform multi-factor authentication, which is exactly why password-spray and credential-stuffing attempts target them; blocking them with a conditional access policy closes that gap. MFA is in many environments a standard requirement to address identity theft.

Baseline policy: Require MFA for service management:

You might be using a variety of Azure services in your organization. These services are managed through the Azure Resource Manager API, whichever way you reach it:

1. Azure Portal 

2. Azure PowerShell 

3. Azure CLI 

Using Azure Resource Manager to manage your services is a highly privileged action. Azure Resource Manager can alter tenant-wide configuration, such as service settings and subscription billing. Single-factor authentication is vulnerable to a variety of attacks like phishing and password spray. Therefore it is important to verify the identity of users who want to access Azure Resource Manager and update configuration, by requiring multi-factor authentication before allowing access.

Require MFA for service management is a baseline policy that requires MFA for any user accessing the Azure portal, Azure PowerShell or Azure CLI. This policy applies to all users accessing Azure Resource Manager, regardless of whether they are an administrator.


TXT DNS record

 After you add your custom domain to Azure AD, you must return to your domain registrar and add the Azure AD DNS information from the TXT details you copied. Creating this TXT record for your domain proves to Azure AD that you own the domain name.


Azure Managed Disk

 An Azure managed disk is a virtual hard disk ( VHD ). You can think of it like a physical disk in an on-premises server, but virtualized. Azure managed disks are stored as page blobs, which are a random-IO storage object in Azure. A managed disk is called "managed" because it is an abstraction over page blobs, blob containers and Azure storage accounts: you provision the disk, and Azure takes care of the rest.


Saturday, September 19, 2020

Autoscaling and Zone-redundant Application Gateway v2

 Application Gateway and Web Application Firewall ( WAF ) are also available under the Standard_v2 and WAF_v2 SKUs. The v2 SKU offers performance enhancements and adds support for critical new features like autoscaling, zone redundancy and static VIPs. Existing features under the Standard and WAF SKUs continue to be supported in the new v2 SKU, with a few exceptions listed in the comparison section of the documentation.


Azure Backup

 Traditional backup solutions have evolved to treat the cloud as an endpoint or static storage destination, similar to disks or tape. While this approach is simple, it is limited and does not take full advantage of the underlying cloud platform, which translates to an expensive, inefficient solution.

Other solutions are expensive because you end up paying for the wrong type of storage, or for storage that you don't need. They are often inefficient because they don't offer the type or amount of storage you need, or because administrative tasks take too much time. In contrast, Azure Backup delivers these key benefits:

Multiple storage options:

One aspect of high availability is storage replication.

Azure Backup offers two types of replication:

1. LRS : all copies of the data stay within the same region 

2. GRS : the data is also replicated to the secondary region of the Azure paired-region pair.

Long-term retention:

You can use Recovery Services vaults for short-term and long-term data retention. Azure does not limit the length of time data can remain in a Recovery Services vault; you can keep data in a vault for as long as you like. Azure Backup has a limit of 9,999 recovery points per protected instance. See the backup and retention section of the documentation for an explanation of how this limit may affect your backup needs.


Azure Notification Hubs

 To push notifications from your Azure-hosted back end to mobile devices, you can use the Azure Notification Hubs service.

Why use Azure Notification Hubs ?

Notification Hubs eliminates the complexity of pushing notifications yourself from your app back end. Its multi-platform, scaled-out push notification infrastructure reduces push-related coding and simplifies your back end.

With Notification Hubs, devices are merely responsible for registering their PNS ( platform notification system ) handles with a hub, while the back end sends messages to users or interest groups.


You can use App Service Mobile Apps ( the successor to Azure Mobile Services ) to make your application available on various mobile devices. 


Integration with App Service Mobile Apps:

To provide a seamless, unified experience across Azure services, App Service Mobile Apps has built-in support for push notifications using Notification Hubs. App Service Mobile Apps offers a highly available mobile application development platform for enterprise developers and system integrators, bringing a rich set of capabilities to mobile developers.


Azure Service Bus Queue


Message Sessions : First In First Out ( FIFO )

Microsoft Azure Service Bus enables joint and ordered handling of unbounded sequences of related messages. To get a FIFO guarantee in Service Bus, use sessions: every message carries a session ID, and a session receiver takes all messages of one session in order. Service Bus is not prescriptive about the nature of the relationship between the messages, and it does not define a particular model for determining where a message sequence starts or ends.


Alerts configurations in Action Group

 Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device.

Rate limiting ensures that alerts remain manageable and actionable.

The rate limit thresholds are:

SMS: no more than 1 SMS every 5 minutes 

Voice: no more than 1 voice call every 5 minutes 

Email: no more than 100 emails in an hour

Other actions are not rate limited.

Worked case: an alert that fires every minute with an email action sends 60 emails in an hour, which is under the 100-per-hour threshold, so every email is delivered. An SMS or voice action on the same alert would be throttled to one notification every 5 minutes, with the rest suppressed.


File Share redundancy

 Azure Files standard shares support four data redundancy options:


1. LRS

2. ZRS

3. GRS

4. GZRS 

Azure Files premium shares support LRS and ZRS only; ZRS is currently available in a smaller subset of regions.

If you opt for read-access geo-redundant storage ( RA-GRS ), be aware that Azure Files does not support RA-GRS in any region at this time. File shares in an RA-GRS storage account behave as they would in a GRS account, and are charged GRS prices.




Friday, September 18, 2020

Azure Cosmosdb

 Data Store requirements:

1. Ability to store JSON-based items.

2. Ability to use SQL-like queries on the data store.

3. Ability to provide low-latency access to data items.

Cosmos DB provides low-latency access to data, and its SQL API stores JSON-based objects.

SQL query examples for Azure Cosmos DB 

Azure Cosmos DB SQL API accounts support querying items using Structured Query Language ( SQL ) as a JSON query language.

The design goals of the Azure Cosmos DB query language are to:

Support SQL, one of the most familiar and popular query languages, instead of inventing a new one. SQL provides a formal programming model for rich queries over JSON items.

Consistency level for the Cosmos DB account:

From both a technical and a cost standpoint, the fitting choice for this scenario is the consistent prefix consistency level.

Consistent prefix: updates that are returned contain some prefix of all the updates, with no gaps. The consistent prefix consistency level guarantees that reads never see out-of-order writes.


Thursday, September 17, 2020

What is local network gateway ?

what is TLS ?

 TLS - Transport Layer Security, the protocol behind HTTPS 

example : 

if you want to have a confidential conversation with someone you know, you might meet up in person and find a private place to talk.

But if you want to send data confidentially over the internet, you might have a few more considerations to cover.

TLS, or Transport Layer Security, refers to a protocol. "Protocol" is a word that means, "the way we have agreed to do things around here," more or less.

The "transport layer" part of TLS simply refers to host-to-host communication, such as how a client and a server interact, in the  Internet protocol suite model

Why TLS man ?

How do I know you are who you say you are ?

How do I know this message from you hasn't been tampered with ?

How can we communicate securely ?

"As with many successful interactions, it begins with a handshake"

Getting to know you,

The basic process of a TLS handshake involves a client, such as your web browser, and a server, such as one hosting a website, establishing some ground rules for communication.

It begins with the client saying hello. Literally. It's called a ClientHello message.

The ClientHello message tells the server which TLS protocol versions and cipher suites the client supports.

what is a cipher suite ?

While "cipher suite" sounds like a fancy hotel upgrade, it just refers to a set of algorithms that can be used to secure communications: key exchange, authentication, bulk encryption and message integrity.

The server, in a similarly named ServerHello message, chooses the protocol version and cipher suite to use from the choices offered. Other data may also be sent, for example a session ID, if the server supports resuming a previous handshake.

Depending on the cipher suite chosen, the client and server exchange further information in order to establish a shared secret.


Often, this process moves the exchange from asymmetric cryptography to symmetric cryptography, with varying levels of complexity. Let's explore these concepts at a general level and see why they matter to TLS.


Asymmetric beginning 

This is asymmetry 



Asymmetric cryptography is one method by which you can perform authentication. When you authenticate yourself, you answer the fundamental question, "How do I know you are who you say you are ?"

In an asymmetric cryptographic system, you use a pair of keys in order to achieve authentication. These keys are asymmetric. One key is your public key, which, as you would guess, is public. The other is your private key, which – well, you know.

Typically, during the TLS handshake, the server will provide its public key via its digital certificate, sometimes still called its SSL certificate, though TLS replaces the deprecated Secure Sockets Layer (SSL) protocol.

Digital certificates are provided and verified by trusted third parties known as Certificate Authorities (CA), which are a whole other article in themselves.

While anyone may encrypt a message using your public key, only your private key can then decrypt that message.

The security of asymmetric cryptography relies only on your private key staying private, hence the asymmetry.

It's also asymmetric in the sense that it's a one-way trip. Alice can send messages encrypted with your public key to you, but neither of your keys will help you send an encrypted message to Alice.

Symmetric secrets

Asymmetric cryptography also requires more computational resources than symmetric cryptography.

Thus when a TLS handshake begins with an asymmetric exchange, the client and server will use this initial communication to establish a shared secret, sometimes called a session key. This key is symmetric, meaning that both parties use the same shared secret and must maintain that secrecy for the encryption to be secure.


Secure Sessions

By using the initial asymmetric communication to establish a session key, the client and server can rely on the session key being known only to them. For the rest of the session, they'll both use this same shared key to encrypt and decrypt messages, which speeds up communication.

The session is the duration of encrypted communication between the client and server. During this time, messages are encrypted and decrypted using the session key that only the client and server have. This ensures that communication is secure.

The integrity of exchanged information is maintained with a message authentication code ( MAC ), a keyed integrity tag rather than a plain checksum, and not the same thing as your device's MAC address. Every record exchanged under the session keys carries a MAC ( or, with modern AEAD cipher suites, an equivalent authentication tag ) that is generated and verified with keys derived from the shared secret.

Because of this, either party can detect if a message has been changed before being received. This solves the fundamental question, "How do I know this message from you hasn't been tampered with?"

Sessions can end deliberately, due to network disconnection, or from the client staying idle for too long. Once a session ends, it must be re-established via a new handshake, or resumed using a session ID or session ticket that refers back to previously established secrets.

TLS and you
Let's recap:

  • TLS is a cryptographic protocol for providing secure communication.
  • The process of creating a secure connection begins with a handshake.
  • The handshake establishes a shared session key that is then used to secure messages and provide message integrity.
  • Sessions are temporary, and once ended, must be re-established or resumed.
This is just a surface-level skim of the very complex cryptographic systems that help to keep your communications secure. For more depth on the topic, I recommend exploring cipher suites and the various supported algorithms.

The TLS protocol serves a very important purpose in your everyday life. It helps to secure your emails to family, your online banking activities, and the connection by which you're reading this article.

The HTTPS communication protocol is encrypted using TLS. Every time you see that little lock icon in your URL bar, you're experiencing firsthand all the concepts you've just read about in this article.

Azure Storage account ( softdelete feature )

 Azure Storage now offers soft delete for blob objects so that you can more easily recover your data when it is erroneously modified or deleted by an application or other storage account user.

why we need this / how does it work ?

When turned on, soft delete enables you to save and recover your data when blobs or blob snapshots are deleted. This protection extends to blob data that is erased as the result of an overwrite.

When data is deleted, it transitions to a soft deleted state instead of being permanently erased.

Soft deleted objects are invisible unless explicitly listed. 



Wednesday, September 16, 2020

what is meant by coexisting connections ?

 S2S VPN connection ( VPN connection )

ExpressRoute 

coexist : 

1. Azure lets you configure ExpressRoute and S2S VPN connections that coexist on the same virtual network.

2. You can configure a S2S VPN as a secure failover path for ExpressRoute, or use S2S VPNs to connect to sites that are not connected through ExpressRoute.

Advantages:

1. You can configure a S2S VPN as a secure failover path for ExpressRoute.

2. Alternatively, you can use S2S VPNs to connect to sites that are not connected through ExpressRoute.

reference:-

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager



Authentication Mechanism in AAD

 Self-service password reset and MFA in Azure AD

Authentication mechanisms:

1. Mobile app code 

2. Azure AD password 

3. Mobile phone 




how to validate the client certificate in azure web app ( app service ) ?

 Azure Web App.

The Web App has been configured for TLS mutual authentication.

how to validate the client certificate in the web application ?

HTTP request header 

Access client certificate 

In App Service, TLS termination of the request happens at the front-end load balancer. When forwarding the request to your app code with client certificates enabled, App Service injects an X-ARR-ClientCert request header carrying the client certificate.

App Service does nothing with this client certificate other than forwarding it to your app: it does not check the chain, the validity period or revocation.

Your app code is therefore responsible for validating the client certificate before trusting the identity it names.

reference:

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth

Encoding type:

Base64 Encoding for the client certificate.

Microsoft documentation for the code used to confirm the client certificate:

example code : 

using System;
using System.Collections.Specialized;
using System.Security.Cryptography.X509Certificates;

public partial class ClientCertPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        NameValueCollection headers = base.Request.Headers;
        string certHeader = headers["X-ARR-ClientCert"];
        if (!String.IsNullOrEmpty(certHeader))
        {
            try
            {
                byte[] clientCertBytes = Convert.FromBase64String(certHeader);
                var certificate = new X509Certificate2(clientCertBytes);
                string certSubject = certificate.Subject;
                string certIssuer = certificate.Issuer;
                // Parsing is not validation: check the chain, validity period and thumbprint against your own trust anchors before trusting certSubject.
            }
            catch (Exception) { /* malformed base64 or not a certificate: treat the request as unauthenticated */ }
        }
    }
}


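The handshake walked through in the TLS section above ( ClientHello, ServerHello, certificate verification, negotiated cipher suite ) and the X-ARR-ClientCert check that this section leaves to the application, worked end to end as an added example. This is not code from the page or from Microsoft's documentation, and it is written in Go rather than the page's C#, using only the standard library's crypto/tls and crypto/x509. It builds a throwaway test CA in memory ( the names test-ca.example, frontend.example and device-01.example are made up ), runs a real mutual-TLS handshake over loopback to stand in for the App Service front end, base64-encodes the client's leaf certificate the way the header carries it, and then does what the app must do: parse, verify the chain, validity period and client-auth purpose against its own roots, and optionally require a pinned SHA-256 thumbprint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue signs a cert for cn with parent (self-signed root when isCA). Constructed test PKI standing in for your own CA.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	if isCA {
		t.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildTestPKI returns trust roots plus server and client certs for the made-up names, all from one throwaway CA.
func BuildTestPKI() (roots *x509.CertPool, server, client tls.Certificate) {
	ca, caKey := issue("test-ca.example", true, nil, nil, nil)
	srv, srvKey := issue("frontend.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	cli, cliKey := issue("device-01.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
}

// TerminateMTLS plays the App Service front end: a real loopback handshake that requires a client cert chaining to roots.
func TerminateMTLS(roots *x509.CertPool, server, client tls.Certificate) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() { // the device/browser side: trusts our CA for the server and presents its own certificate
		if conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots,
			ServerName: "frontend.example", Certificates: []tls.Certificate{client}}); err == nil {
			conn.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	srv := conn.(*tls.Conn)
	defer srv.Close()
	if err := srv.Handshake(); err != nil { // fails when the client cert does not chain to ClientCAs
		return tls.ConnectionState{}, err
	}
	return srv.ConnectionState(), nil // Version, CipherSuite and PeerCertificates[0] (the client leaf)
}

// ValidateClientCertHeader is the check the app must do itself: the front end only forwards base64(DER) in
// X-ARR-ClientCert. Reading Subject proves nothing; verify chain, validity and client-auth purpose, then pin.
func ValidateClientCertHeader(header string, roots *x509.CertPool, pinned map[string]bool) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return nil, fmt.Errorf("X-ARR-ClientCert is not base64: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("X-ARR-ClientCert is not a DER certificate: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, fmt.Errorf("client certificate rejected: %w", err)
	}
	if tp := fmt.Sprintf("%x", sha256.Sum256(cert.Raw)); pinned != nil && !pinned[tp] {
		return nil, fmt.Errorf("client certificate thumbprint %s is not on the allow list", tp)
	}
	return cert, nil
}

func main() {
	roots, server, client := BuildTestPKI()
	st, err := TerminateMTLS(roots, server, client)
	if err != nil {
		panic(err)
	}
	cert, err := ValidateClientCertHeader(base64.StdEncoding.EncodeToString(st.PeerCertificates[0].Raw), roots, nil)
	fmt.Printf("negotiated 0x%04x %s; app accepted=%v err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), cert != nil, err)
}
```

The roots handed to ValidateClientCertHeader must be your own CA only, never the system store, or any publicly trusted certificate that carries the client-auth purpose would pass; a garbage header, a certificate from another CA and the server's own certificate presented as a client are all rejected by the same function.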


web application firewall for azure application gateway

 Azure Application Gateway offers a web application firewall ( WAF ) that provides centralized protection of web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities; SQL injection and cross-site scripting are among the most common.

Preventing such attacks in application code is challenging. It can require rigorous maintenance, patching and monitoring at multiple layers of the application topology. A centralized web application firewall makes security management much simpler.

A WAF also gives application administrators better assurance of protection against threats and intrusions.


reference :

https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

SLA for Application gateway :

We guarantee that each application gateway cloud service having two or more medium or larger instances will be available at least 99.95% of the time.


How to generate the certs ?

 Create a Certificate Signing Request ( CSR ) : 

1. Generate the private key

2. Generate the CSR

In order to create a Certificate Signing Request you will need the OpenSSL tool.

Generate the private key

   website name :  devops.com

   Create a directory ( same as the website name ) and work inside it :

   cd devops.com 

1. Create a random password. OpenSSL reads only the first line of the password file, so write it as a single line : 

a. Linux, or Git Bash / WSL on Windows ( GNU coreutils base64 ) : 

dd if=/dev/urandom bs=30 count=1 | base64 -w 0 > password.txt


or 


b. macOS ( BSD base64 ) :


dd if=/dev/urandom bs=30 count=1 | base64 -b 0 > password.txt



2. This command generates a new key pair stored in a PEM-encoded file, encrypted with the password ( -des3 as in the original; -aes256 is the stronger choice on current OpenSSL ) :


/devops.com>


openssl genrsa -des3 -passout file:password.txt -out private.pem 4096


private.pem is encrypted by default.


how to decrypt ?

Write the unencrypted key to a separate file so the encrypted original is kept, and make the unencrypted copy readable only by the service that needs it :


openssl rsa -in private.pem -passin file:password.txt -out private-unencrypted.pem


Optional : 


extract the public key :


openssl rsa -in private.pem -passin file:password.txt -pubout > public.pem



Generate the CSR


This command generates a CSR ( Certificate Signing Request ). For a server certificate the subject should be the fully-qualified DNS name of the server, so here it is devops.com.


The leading forward-slash is required ( /CN=devops.com, not CN=devops.com ).


openssl req -new -key private.pem -passin file:password.txt -out csr.pem -subj /CN=devops.com


Browsers no longer match the host name against CN; it also has to appear in the subjectAltName extension, either requested in the CSR or added by the CA when it issues the certificate.


how to put the CSR on a single base64 line ? ( csr.pem is already base64 inside its PEM armour; this only removes the line breaks, for pasting into a portal field )


base64 -b 0 csr.pem          ( macOS )

base64 -w 0 csr.pem          ( Linux )

how to inspect the CSR before sending it to the CA ?

openssl req -in csr.pem -text -noout

Tuesday, September 15, 2020

ensure that SSL can be used to encrypt and decrypt traffic

Deploying a web application to Azure.

The web application consists of the following : Azure Blob storage for storage of images and Azure App Service to host the web application.

requirements:

All communication to the web application must be made via SSL/TLS.

The web application must support high traffic loads even with encryption enabled.

The web application must be protected from web attacks.

The design should also route user requests to the endpoint with the lowest latency.


Azure Application Gateway 

SSL termination 

Application Gateway supports SSL/TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers. If the backend traffic must also stay encrypted on the wire, Application Gateway can re-encrypt it to the backend ( end-to-end TLS ), at the cost of some of the gains listed below.

There are a number of advantages to doing SSL termination at the application gateway.

1. Improved performance - The biggest performance hit in TLS is the initial handshake. To improve performance, the server doing the decryption caches TLS session IDs and manages TLS session tickets.

If this is done at the application gateway, all requests from the same client can use the cached values. If it is done on the backend servers, then each time the client's requests go to a different server the client has to complete a full handshake again. TLS tickets can help mitigate this issue, but they are not supported by all clients and can be difficult to configure and manage.

2. Better utilization of the backend servers: SSL/TLS is very CPU intensive and is becoming more intensive as key sizes increase. Removing this work from the backend servers lets them focus on what they are most efficient at, delivering content.

3. Intelligent routing

By decrypting the traffic, the application gateway has access to the request content, such as headers, URL and so on, and can use this data to route requests.

4. Certificate management

Certificates only need to be purchased and installed on the application gateway, not on all backend servers. This saves both time and money.

Azure Service Bus

 Azure Service Bus queues as the messaging service.

Microsoft Azure Service Bus is a fully managed enterprise integration message broker. Service Bus is most commonly used to decouple applications and services from each other, and is a reliable and secure platform for asynchronous data and state transfer.

Data is transferred between different applications and services using messages. A message is in binary format and can contain JSON, XML or just text.

Some common messaging scenarios are:

Messaging: transfer business data, such as sales or purchase orders, journals or inventory movements.

Decouple applications : improve reliability and scalability of applications and services ( client and service do not have to be online at the same time ).

Topics and subscriptions: enable 1:n relationships between publishers and subscribers.

Message sessions: implement workflows that require message ordering or message deferral.

reference:

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview


Custom Script Extension Definition

 When you define a VMSS with an Azure template, the Microsoft.Compute/virtualMachineScaleSets resource provider can include a section on extensions. The extensionProfile details what is applied to the VM instances in a scale set. To use the Custom Script Extension, you specify a publisher of Microsoft.Azure.Extensions and a type of CustomScript.

The fileUris property is used to define the source install scripts or packages. To start the install process, the required scripts are defined in commandToExecute. Anything sensitive, such as a commandToExecute that embeds credentials or fileUris that carry SAS tokens, belongs in protectedSettings rather than settings: protectedSettings are encrypted and are not returned when the VM or scale set is read.



Webjob types

What is a WebJob ? 

WebJobs is a feature of Azure App Service that enables you to run a program or script in the same context as a web app, API app or mobile app.

There is no additional cost to use WebJobs.


Which type of WebJob would be used for the following scenario ?

Having the ability to run on all the instances that the web app runs on - that is the continuous type, as the comparison below shows.

WebJob Types:

The following describes the differences between continuous and triggered WebJobs.

Continuous 

1. Starts immediately when the WebJob is created. To keep the job from ending, the program or script typically does its work inside an endless loop. If the job does end, you can restart it.

2. Runs on all instances that the web app runs on. You can optionally restrict the WebJob to a single instance.

3. Supports remote debugging.

Triggered

1. Starts only when triggered manually or on a schedule.

2. Runs on a single instance that Azure selects for load balancing.

3. Does not support remote debugging.


Sunday, September 13, 2020

Site-to-Site VPN

 On-prem to the Azure VNet 

vnet = 10.0.0.0/16 

subnet = 10.0.0.0/24 

Implementing a Site-to-Site VPN connection :

1. Create a gateway subnet 

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. The subnet must be named 'GatewaySubnet' for Azure to deploy the gateway resources; you cannot specify a different subnet to deploy the gateway resources to. If you don't have a subnet named 'GatewaySubnet' when you create your VPN gateway, the deployment will fail.

2. Create a local network gateway 

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

3. Create a VPN gateway 

4. Create a VPN connection 

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device. The connection is authenticated with a pre-shared key that must match on both sides, so generate a long random one rather than reusing a password.

reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal


Azure App Service plan terminology

Scaling out = increase the number of VMs running in parallel to spread out a load 

Scaling in = decrease the number of VMs running in parallel when the load falls 

Scaling up = keeps the same number of VMs, but makes the VMs more ("up") powerful. Power is measured in memory, CPU speed, disk space, etc. 

Scaling down = keeps the same number of VMs, but makes the VMs less ("down") powerful, along the same dimensions. 

( Vertical scaling, up or down, has more limitations than horizontal scaling. )



How to add the custom domain to Azure AD ?

 Azure AD tenant with the domain name of kaushik.onmicrosoft.com 

I purchased the domain kaushik.com from a domain registrar.

They now want to ensure that they can define users in Azure AD with the suffix @kaushik.com.

How to implement ?

1. Add your custom domain name to Azure AD.

2. Add your DNS information ( the TXT record Azure AD gives you ) at the domain registrar.

3. Verify your custom domain name.


reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain




Function app

 Azure Functions allows you to run small pieces of code ( called "functions" ) without worrying about application infrastructure. With Azure Functions, the cloud infrastructure provides all the up-to-date servers you need to keep your application running at scale.

When a Function App is created on the Consumption plan, there are no dedicated instances behind it, so session affinity ( ARR affinity ) cannot be supported; the design must not depend on a client reaching the same instance twice.

reference:

https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview.





Saturday, September 12, 2020

how to perform an assessment of the virtual machines in the on-premises environment ?

 We can do this with Azure Migrate.



resolution virtual networks

 The VNet has to be added as a resolution virtual network for the private DNS zone.

For virtual machines in other networks to resolve virtual machines in the DNS zone, the network must first be defined as a resolution network for the private DNS zone.

To publish a private DNS zone to your virtual network, you specify the list of virtual networks that are allowed to resolve records within the zone.

These are called resolution virtual networks.

You may also specify a virtual network for which Azure DNS maintains hostname records whenever a VM is created, changes IP or is deleted. This is called a registration virtual network.

reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview