Azure Application Gateway is an advance type of load-balancer. Where an Azure Load-balancer routes traffic on the transport layer (OSI Layer 4 | TCP + UDP) the Application Gateway is a way more advanced load-balancer. It can route based on URL as well on path’s. On top of that it can do much more, like SSL offloading, autoscaling, redirection, multiple site hosting and the most import of all, it can include a web application firewall (WAF)
With all the features that the Azure application gateway provides, we should be able to setup multiple websites listening on different ports and url’s behind one Azure Application Gateway with just one external IP address.
With this guide you should be able to setup an application gateway with multiple site hostname match and http to https redirect. In this manual we will be using Atlassian Jira and Confluence as an example.
So what are we going to setup:
Deploy Azure application gateway
Configure 2 external URL’s (jira.2azure.nl and confluence.2azure.nl)
We will redirect port 80 to 443 for both websites
Jira will be listening on port 8080 internally (Default port)
Confluence will be listening on port 8090 internally (Default port)
For this guide the VNET, subnets and the virtual machine hosting both websites have already been deployed. During this guide we will not deploy a Web Application Firewall, I will tell more about that in upcoming blog article.
Last week I came across another post about Azure Heatmap. Every time when I need to find out what’s new on a specific feature in Azure, I will use Azure Heatmap. Awesome tool, I would recommend it to everybody!
Also, check out the new region lookup function to find out what is changing in your Azure Region
With Azure Lighthouse it is possible to manage your customers portals from one portal. Microsoft has added cross-tenant management for Security Center making it easy to overview customer security status and settings.
This way Service providers can leverage security from their own tenant.
If you want to learn more about Security Center and Lighthouse go to Microsoft Docs
Last week I received the question from a customer where to get the SQL license key… By default you will see the key during SQL installation, but with an Azure deployed SQL virtual machine you will never get to see the key, as its deployed from the Azure Portal.
Retreive the key from DefaultSetup.ini
So within a few clicks you will be able to retreive the key.
If you still have doubts about moving to Azure because of compliance and regulatory requirements, they will now be gone with Azure Dedicated hosts. Still in preview but ready for testing. Azure dedicated hosts are physical machines that are single-tenant configured where you can run your Linux and Windows virtual machines. This includes your own infrastructure, as well as your own maintenance policies for that host.
Visibility and control
Azure Dedicated Hosts provide visibility over the server infrastructure running your Azure Virtual Machines. You get more control over the following:
The underlying hardware infrastructure
Processor brand, capabilities, and more
Number of cores
Type and size of the Azure Virtual Machines you want to deploy
You can mix and match different Azure Virtual Machine sizes within the same virtual machine series on a given host.
If you have any second thoughts, it is now open in preview for testing.
Last 2 months I’ve been working on renewing my Office 365 and Azure certifications. 4 years ago I already passed the “old” exams: 533, 534, 345, 346 and 347. This saved me a few exams. I was able to upgrade to Azure Administrator and Messaging administrator by passing the upgrade exams. For the Azure Solutions Architect I had to take the AZ-300 and AZ-301 exam as an upgrade exam was only valid for those who have passed the follow up exam of 534: 535.
So here is the final result, I will be looking into the Azure Security exam in the future (AZ-500) as well as the Microsoft 365 Certified Enterprise Administrator Expert (MS100 & MS101)
When you accidentally locked your self out from a Virtual Machine in Azure, there is no console access to login and help your self back in to the system.
In the last year I’ve seen a few cases where somebody accidentally locked himself out of a VM by wrongly adjusting the Windows Firewall, making it impossible to manage their virtual machine in Azure. But with Custom script extension it is possible to disable the Windows Firewall to gain access again!
Microsoft released Lighthouse last weekend, and since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs might be a bit confusing, so I wanted to simplify the manual, so here it is! We will be using PowerShell, as this makes life so much easier, and faster.
Your admin tenant needs to have a valid Azure subscription
You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
Azure PowerShell module: AZ (Install-Module -Name az)
Did you ever wonder what’s new in Azure, or what is updated recently? Azure keeps all its updates to Azure in a cool overview, the Azure Heatmap! Check it out using the following url: https://azureheatmap.azurewebsites.net/
Recently I received the question if it is possible to monitor Azure Backup with PRTG. Now this might seem to be a bit weird, as we could use Azure monitoring. But in this case, it was a service provider that needed a single solution for all their services, including custom dashboards and monitoring.
So, challenge accepted, lets get this done! In this case the customer has a Azure Recovery Service Vault with 2 virtual machines, with a backup schedule of only once every 24 hours with a retention of 30 days.
Our goal will be to have 3 sensors in PRTG with the completed jobs, failed jobs and running jobs. If you follow the next steps you should be able to set this up your self as well.
Microsoft is working hard on improving Azure File sync. They just announced the new release of the v7 agent. For now only current installed agents get the update. Once all current clients have been updated, the update will be available on Microsoft Update and Microsoft Download Center
Improvements and issues that are fixed
Support for larger file share sizes
With the preview of larger, 100 TiB Azure file shares, we are increasing the support limits for file sync as well. In this first step, Azure File Sync now supports up to 50 million files in a single, syncing namespace. Other existing limits, for example the number of items per directory level, still apply.
Improved Azure Backup file-level restore
Individual files restored using Azure Backup are now detected and synced to the server endpoint faster.
Improved cloud tiering recall cmdlet reliability
The cloud tiering recall cmdlet (Invoke-StorageSyncFileRecall) now supports per file retry count and retry delay, similar to robocopy.
Support for TLS 1.2 only (TLS 1.0 and 1.1 is disabled)
Azure File Sync now supports using TLS 1.2 only on servers which have TLS 1.0 and 1.1 disabled. Prior to this improvement, server registration would fail if TLS 1.0 and 1.1 was disabled on the server.
Miscellaneous performance and reliability improvements for sync and cloud tiering
There are several reliability and performance improvements in this release. Some of them are targeted to make cloud tiering more efficient and Azure File Sync as a whole work better in those situations when you have a bandwidth throttling schedule set.
Today Microsoft has announced Azure Bastion. With this new service you will get improved security features and simplified IT managemend with a single click from your webbrowser using the HTML5 web client. This will eliminate the need for a jump server. I am looking forward in using this service in preview and GA.
Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!
Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!
Step 2: Now we can start te setup of ADDS, fill in your preferred domain name. You can leave the default which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public URL like in my case adds.2azure.nl.
Where Azure MFA is only included in the paid Azure Active Directory Premium subscriptions (P1/P2 and EM+S suites), there is a free version for the Office 365 apps.
It is always a good idea to enable multi factor authentication, in case your credentials get stolen, the thief will not be able to use them because of the 2nd authentication factor. Microsoft is encouraging all their users to start using MFA, so the made it free of charge for all the apps of the office 365 suite, including Outlook, Teams, Excel, Word and many more.
The 2 factor authentication can be setup up fairly easily by the end users self. This can be enforced by the administrator by requiring 2 factor authentication. The first time a user logs on, he or she will get a notification message to setup MFA. Or you can redirect your users to the following portal to setup MFA: https://aka.ms/mfasetup
How to setup MFA for your end users?
In the office 365 portal go to the Active Users tab, and go to the Setup multifactor authentication page (see below)
You still have your old network drives? Still need to setup a VPN to access your file shares? Or have you migrated all your files to Azure file share but you need a higher performance for your Autocad files?
Wait no longer, Azure File Sync to the rescue! Where you would have your Azure File Share for sharing files, you can use Azure File Sync to make a local cache of your Azure files, or sync your local file server to Azure Files. In this manual we will help you setup Azure File Sync with a existing Azure File Share. I already have a Azure File Share, mapped as a network drive Z:
Enterprise Mobility + Security is a Microsoft solution specially developed for management and securing users, company data and applications. This gives you and your users always secured access to your company information without ever worrying about security!
With EM+S we are moving from a managed device to data management and security. This means that it will not only protect your device, but most important, it will take care of security on a document level where you can prevent that confidential data is readable by unauthorized persons.
By using this security suite you can prevent abuse of stolen credentials when one of your users is tricked by a phishing email. You can limit access to company data to only trusted devices (Company and BYOD) by using the Intune portal. But we can limit access to it as well with IP black / white listing. This includes Geoblocking as well, it is impossible to travel from the Netherlands to Russia for example in 5 minutes.
To protect your valuable company data I recommend to always use EM+S for optimal protection. If you want the security to be at its best, E5 is your way to go!
Simple management and security of your devices
Multifactor authentication (MFA)
Selfservice portal for password reset en securitygroep management
Application company portal
Mobile device management (MDM)
Integrated device management (Laptop/Desktop)
Securing company data en restrict access to company data
Conditional access (geo-blocking and more)
Advanced Threat Protection with reporting
Risk-Based conditional access (E5 only)
Privileged identity management (E5 only)
Intelligent data classification and labeling (E5 only)
Within Azure there are multiple ways to setup MFA. Where you would install MFA server in the past, there is a new extension. Microsoft is going to leave the MFA server behind in the near future (security updates will remain being published for now).
Besides the NPS extension and the MFA on-premise server the best practice is to run MFA from the Azure cloud where possible. But that isn’t always an option. So let’s move on to the NPS extension. Lets start with the requirements.
Requirements: – Server 2016/2019 with ADFS version 4 – Server 2016/2019 hosting NPS services which performs Radius authentication. – Users must be synchronized between local Active directory and Azure Active Directory – Azure AD Premium or EM+S license must be assigned to the user – NPS Extension for Azure MFA (Download link: https://aka.ms/npsmfa)
Recently I received an comparison from Azure with competitors. In the comparison there was stated that by default Azure provides an SLA of 99.95%. However, this is not entirely correct. By default a single basic virtual machine has no SLA at all!
I hear you thinking, what??? let me explain what the options are. First we need to know a bit more of the setup in Azure. For this explanation I will use West & North Europe. These regions do have Availability zones, but this might not always be the case. In the picture below you can review the Azure regions with their options.
So lets zoom in a bit further. In the picture below we have our 2 regions (West & North Europe). Within Region 1 we have 3 separated buildings, creating 3 availability zones.