Azure Policy Compliance Monitoring: A Solution in Bicep
This post has been moved to:
https://arlanblogs.medium.com/azure-policy-compliance-monitoring-a-solution-in-bicep-e5ae24e4e54f
Understanding and Using the Azure DevOps Capability Assessment
Policy as Code (PoC): Deploying and Managing Azure Policy in Bicep
This blog post has been moved here:
Comparing Azure Policy Deployment via ARM, Bicep and Terraform-Part 2
Comparing Azure Policy Deployment via ARM, Bicep and Terraform-Part 1
Azure Landing Zone in Bicep-Complete CAF IaC Solution
NOTE: This blog post has been moved: https://arlanblogs.medium.com/azure-landing-zone-in-bicep-complete-caf-iac-solution-d74d9b7144bd
Understanding and Using the Azure Strategic Migration Assessment and Readiness Tool
Azure Landing Zones for Canadian Public Sector-Part 3
Azure Landing Zones for Canadian Public Sector-Part 2
Azure Landing Zones for Canadian Public Sector-Part 1
Azure Policy Compliance Monitoring: A Solution in Terrafrom
NOTE: This blog post has been moved:
Azure Policy Regulatory Compliance and the CIS Microsoft Azure Foundations Benchmark-Part 3
Azure Policy Regulatory Compliance and the CIS Microsoft Azure Foundations Benchmark-Part 2
Azure Policy Regulatory Compliance and the CIS Microsoft Azure Foundations Benchmark-Part 1
Policy as Code (PoC): Deploying and Managing Azure Policy in Terraform
This blog post has been moved to:
Azure Policy Regulatory Compliance for Canada Federal PBMM-Part 3
Azure Policy Regulatory Compliance for Canada Federal PBMM-Part 2
Azure Policy Regulatory Compliance for Canada Federal PBMM-Part 1
Azure Landing Zone in Terraform-Complete CAF IaC Solution
This blog post has been moved to:
https://arlanblogs.medium.com/azure-landing-zone-in-terraform-complete-caf-iac-solution-c46e19664911
Understanding and Using the Azure Cloud Journey Tracker
Azure Policy Regulatory Compliance and the Azure Security Benchmark-Part 3
Azure Policy Regulatory Compliance and the Azure Security Benchmark-Part 2
Azure Policy Regulatory Compliance and the Azure Security Benchmark-Part 1
Understanding and Using the Azure Cloud Adoption Strategy Evaluator Assessment
Understanding and Using the Azure Well-Architected Framework Assessment
Converting Azure Architecture PowerPoint Slides to diagrams.net/draw.io Platform
Having decided to go forward using diagrams.net (formerly draw.io) as our online drawing platform (Read more about that here) for all new Azure Architecture and Concept diagrams. However, now our PowerPoint (PPT) slide decks of over 70 diagrams of Azure Architecture and Concepts have to be converted into the diagrams.net format. Can all of these PPT diagrams/slides be converted, or does each diagram have to be completely re-drawn?
The fast way to move everything from PPT would be to turn each PPT slide into an SVG image to be imported into diagrams.net and then saved to a new online repository, for export as needed. However, an SVG image of a PPT slide is a ‘solid’ image – the individual elements – icons, shapes, texts etc. are not able to be changed. We want fully customizable images that can be used and shared with others via Google Drive sharing features, or exported as a PDF, PNG or SVG to drop into a document or slide presentation.
There IS a conversion process of steps to be able to do this without having to completely redraw every diagram or concept from scratch. Diagrams.net will import Visio .vsdx files and the drawing elements will all be available to change as needed. At this point, its not an instant conversion, but a process of steps. To me, this is still better than starting all over with each diagram. I end up with a framework to add icons and text back into – but sizing & placement is already done!
Now Using ‘diagrams.net/draw.io’ for our Azure Architecture and Concept Drawings
Over the past few months we’ve reviewed 5 different online drawing platforms to determine which one would be best for us to begin using. Read more about all that here. Currently, we’ve been using locally installed PowerPoint as an alternative to Visio, to build up our repository of Azure Architecture and Concept diagrams for use with clients and for teaching presentations. Access those PPT drawings here.
We’ve decided to do all our Azure drawings with diagrams.net (formerly draw.io is now being moving to the new .net domain). In fact, over the next week or so, all of our Azure Architecture and Concept drawings will be converted over to the diagrams.net/draw.io platform. Read how that conversion happens, here.All our new Azure Architectural diagrams will be drawn in diagrams.net going forward.
CloudSkew: An Online Drawing Platform for Azure Architecture and concepts?
Overview:
CloudSkew is a new free online Cloud architecture drawing platform, that is still in pre-lease status:
The current and planned Features List outlines what to expect in features. Diagrams are auto-saved in CloudSkew cloud storage. Its all a good start. This will be the only online platform that focuses just on being a drawing platform for Cloud Architecture and Concepts.
I created a simple Azure concept diagram and discovered a number of ‘still to be added’ needs before I could draw a more complex Azure architecture diagram, such as Tim Warner’s IaaS class diagram. (see 2nd drawing below)
Resources for Azure Icon Sets
The first thing I do when starting an Azure architectural or concept drawing is to gather the most current Azure icons I’ll need for the project. This is a list of resources of Azure Icon Sets and Visio stencils to download. If you’re using an online draw program, you can search within these resources for any missing icons/symbols you need.
1. Microsoft Azure Cloud and AI Symbol / Icon Set – SVG:
- This is a free download from Microsoft which includes icons (SVG format only) icons for almost all Azure services and Microsoft cloud related technologies
- Microsoft no longer includes Visio stencils (since these are only in the subscription versions of Visio now) in the Azure Icon Set, so the Visio Stencils provided in resources #3-6 below are invaluable now!
2. Ben Coleman’s Azure Icon Collection:
- Ben Coleman provides a preview thumbnail gallery for all of these icon sets, with options to search, view on various light & dark backgrounds, download as SVG or PNG formats!
Review Cacoo as Online Drawing Platform for Azure Architecture Diagraming
Cacoo.com offers another online drawing platform that promotes itself as ready for collaborative use for creating Azure architectural drawings. As in the other online drawing programs that we’ve been reviewing, Tim Warner’s Azure IaaS drawing was used as the vehicle to test the ease of use, the pre-loaded current Azure Icon Set and other features noted here.
Cacoo.com UI with completed drawing:
NOTE: Source of diagram: https://github.com/timothywarner/azure-class-diagrams
This is Tim Warner’s Visio drawing done in Cacoo online. Replicating a detailed drawing like this helps to discover the platform’s functionality, ease of use, as well as the other review details outlined here.
Perform a Customized Install of Office 2019 Programs on Azure VM Desktop
While it is straight forward to install the entire Office 2019 Suite using a downloaded ISO file to a PC desktop, this is how to install only select programs of the Office 2019 Suite.
Office 2019, like Office 2016, is a Click-To-Run installation process, with no customization allowed on a basic install. All of the programs in the Office 2019 Suite are installed – including Publisher, Access, Skype for Business etc. Once the installation is complete, the extra unnecessary programs cannot be uninstalled, since the option is no longer available in the Control Panel using the ‘Change’ option. Change is not active – it reverts to only giving the Repair options now.
Complete Installation of all ProPlusOffice 2019 Suite – 8 programs:
Review of ‘Visual Paradigm Online’ for Azure Architectural Diagrams
Visual Paradigm Online is another online drawing platform in our series on reviewing various web apps as alternatives to Visio and PowerPoint, for creating Azure Architectural Diagrams. As in the other online drawing programs that we’ve been reviewing, Tim Warner’s Azure IaaS drawing was used as the vehicle to test the ease of use, the pre-loaded current Azure Icon Set and other features noted here.
VP Online UI with completed drawing:
NOTE: Source of diagram: https://github.com/timothywarner/azure-class-diagrams
This is Tim Warner’s Visio drawing re-done in VP Online. Replicating a detailed drawing like this helps to discover the platform’s functionality, ease of use, as well as some of the other review details outlined here.
Review LucidChart as Online Drawing Platform for Azure Architecture Diagrams
LucidChart is another online drawing platform in our series on reviewing various web apps as alternatives to Visio and PowerPoint, for creating Azure Architectural Diagrams. As in the other online drawing programs that we’ve been reviewing, Tim Warner’s Azure IaaS drawing was used as the vehicle to test the ease of use, the pre-loaded current Azure Icon Set and other features noted here.
LucidChart UI with completed drawing:
NOTE: Source of diagram: https://github.com/timothywarner/azure-class-diagrams
This is Tim Warner’s Visio drawing done in LucidChart. Replicating a detailed drawing like this helps to discover the platform’s functionality, ease of use, as well as the other review details outlined here.
Review ‘draw.io’ as Online Drawing Platform for Azure Architecture Diagrams
UPDATE NOTE: draw.io is now running as apps.diagram.net
Up to this point, we have been using locally installed PowerPoint successfully and efficiently to create all of the Azure concept and architectural diagrams used with clients (Read more about this here). There are a number of online drawing programs available now to create these and other technical drawings. There is no software to install; the diagrams are stored online (Although local copies of documents can also be saved).
Here we’ll review draw.io, the free single user version, as to how well it works to re-create this network diagram by Tim Warner:
draw.io with completed drawing:
NOTE: Source of diagram: https://github.com/timothywarner/azure-class-diagrams
This is Tim Warner’s Visio drawing done in draw.io… Replicating a detailed drawing like this helps to discover the platform’s functionality, ease of use, as well as the other review details outlined here.
Online Drawing Platforms for Azure Architecture and Concept Diagrams
We use Cloudockit for generating Azure Subscription Account documentation for our enterprise clients. For Azure architectural drawings we have been using PowerPoint, for a number of reasons.
PowerPoint (PPT) was originally chosen as an easy, effective drawing platform alternative to Visio (Read more about that here) for creating Azure architectural diagrams or concepts for clients or training presentations. Drawing diagrams with PPT is very simple, with a flat learning curve! Once a library of PPT is created, it is relatively easy to use any diagram as a template to be customized for the next client. Slides can easily be used as a separate drawing, or customized and added into a custom presentation, exported into Word or as a PDF. Collaboration is possible by saving a PPT slide or slide deck to a cloud location. However, there are some cons to using PowerPoint for drawing – a PowerPoint repository of commonly used Azure Icons must be built and maintained. Automatic versioning is not available. Connector styles are limited and its not possible to turn off the ‘snap-to-grid’ function making connecting easier in some cases.
There are a number of online drawing programs that will make drawing Azure architectural and concept diagrams even more efficient – and no software need be installed locally, although some of the programs do offer a desktop version for working off-line.
Azure Icons: Enable SVG Thumbnail Preview in File Explorer
While creating Azure architectural and concepts drawings, my first step is to gather the most current Azure Icons that I will be using in the diagram(s).
I prefer using SVG format icons/symbols for drawings, because their image quality is maintained no matter how they’re resized or moved. The problem is, having extracted a downloaded a zip file of the latest Azure icons/symbol set, the SVG format of all the icons cannot be previewed as thumbnails in Windows File Explorer. You can only see the name, as in the screen-shot below – I need to be able to see preview/overview thumbnails of all the SVG files – as I can for .PNG files! A thumbnail viewer will save a lot of time choosing the correct set of SVG icons needed for a drawing!
Go from this view in Windows File Explorer….
To This – Seeing Thumbnails of the Same SVG folder!
Security with Azure and NGINX
NGINX Management with NGINX Controller
NGINX Controller is a separate and optional product from NGINX, Inc. that manages the NGINX data plane and the entire lifecycle of NGINX Plus under these configurations:
- Load Balancer
- API Gateway
- Proxy in a service mesh environment
This optional and separate NGINX product is fully functional within Azure and provides an additional or exclusive way to manage NGINX without the use of Azure Security Center, Azure Monitor or the Azure Portal or PowerShell.
Monitoring NGINX in Azure
Azure Security Center with NGINX
Azure Security Center (ASC) is a service that comes in a free tier with limited functionality and a fee-based standard tier with a complete set of security capabilities for organizations that need enhanced functionality. The free tier monitors compute, network, storage, and application resources in Azure. It also provides security policy, security assessment, security recommendations, and the ability to connect with other security partner solutions. The standard tier includes all the capabilities of the free tier for on-prem environments (private cloud) as well as other public clouds such as AWS and Google Cloud Platform (GCP). The standard tier also includes many more security features along with the following critical security controls:
- Built-in and custom alerts
- Security event collection and advanced search
- Just-in-time VM access
- Application white listing
NGINX Plus and Microsoft Azure Load Balancers
Microsoft Azure have three options for load balancing:
- NGINX Plus,
- the Azure load balancing services, or
- NGINX Plus in conjunction with the Azure load balancing services.
The following aims to give you enough information to decide which best works for you and shows you how using NGINX Plus with Azure Load Balancer can give you a highly available HTTP load balancer with rich Layer 7 functionality.
Installing NGINX via ARM and PowerShell
Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription. You can use its access control, auditing, and tagging features to secure and organize your resources after deployment.
There are no prebuilt ARM templates or PowerShell scripts available from NGINX currently. However, there is nothing preventing the creation of an ARM template and PowerShell script based on your custom deployment requirements for Azure using your custom VM images previously created.
The following provides an example of creating an Ubuntu 16.04 LTS marketplace image from Canonical along with the NGINX web server using the Azure Cloud Shell and the Azure PowerShell module.
Installing NGINX via Azure Marketplace
The Azure Marketplace is a software repository for pre-built and configured Azure resources from independent software vendors (ISVs). You will find open source and enterprise applications that have been certified and optimized to run on Azure.
NGINX, Inc. provides the latest release of NGINX Plus in the Azure Marketplace as a virtual machine (VM) image. NGINX OSS is not available from NGINX, Inc. but there are several options available from other ISVs in the Azure Marketplace.
Searching for “NGINX” in the Azure Marketplace will produce several results as shown below:
NGINX Plus on Azure
NGINX Open Source Software (OSS) is free while NGINX Plus is a commercial product that offers advanced features and enterprise-level support as licensed software by NGINX, Inc.
NGINX Plus combines the functionality of a high-performance web server, a powerful front-end load balancer and a highly-scalable accelerating cache to create the ideal end-to-end platform for your web applications. NGINX Plus is built on top of NGINX open source.
For organizations currently using NGINX open source, NGINX Plus eliminates the complexity of managing a “do-it-yourself” chain of proxies, load balancers and caching servers in a mission-critical application environment.
Load Balancing Options in Azure
Azure provides several options for managed load balancing services:
- Azure Load Balancer
- Azure Application Gateway
- Azure Traffic Manager
Each of these services will be reviewed to understand when to use each service effectively.
The OSI Model and Load Balancing
The Open System Interconnection (OSI) model defines a networking framework to implement protocols in seven layers:
- Layer 7: The application layer
- Layer 6: The presentation layer
- Layer 5: The session layer
- Layer 4: The transport layer
- Layer 3: The network layer
- Layer 2: The data-link layer
- Layer 1: The physical layer
The OSI model doesn’t perform any functions in the networking process. It is a conceptual framework to better understand complex interactions that are happening.
Introduction to Azure Load Balancing
Load balancers have evolved considerably since they were introduced in the 1990s as hardware-based servers or appliances. Cloud load balancing, also referred to as Load Balancing as a Service (LBaaS), is an updated alternative to hardware load balancers. Regardless of the implementation of a load balancer, scalability is still the primary goal of load balancing, even though modern load balancers can do so much more.
Optimal load distribution reduces site inaccessibility caused by the failure of a single server while assuring consistent performance for all users. Different routing techniques and algorithms ensure optimal performance in varying load-balancing scenarios.
Modern websites must support concurrent connections from clients requesting text, images, video, or application data, all in a fast and reliable manner, while scaling from hundreds of users to millions of users during peak times. Load balancers are a critical part of this scalability.
- Problems Load Balancers Solve
- The Solutions Load Balancers Provide
- The OSI Model and Load Balancing
Problems Load Balancers Solve
In cloud computing, load balancers solve three issues that fall under:
- Cloud Bursting
- Local Load Balancing
- Global Load Balancing
Cloud bursting is a configuration between a private cloud (i.e. on-prem compute environment) and a public cloud that uses a load balancer to redirect overflow traffic from a private cloud that has reached 100% of resource capacity to a public cloud to avoid decreases in performance or an interruption of service.
Windows Azure Website – Create CSR from W10!
It happened – an expired SSL certificate broke https security for the website! The Azure Web Job to automatically renew the quarterly LetsEncrypt SSL Certificate did not work (for a number of reasons, one being that an old subscription and deleted unused service principal’s information were still registered in the Application Settings for LetsEncrypt) and the website was now only avaible via http. Yikes!
Load Balancing In Microsoft Azure Series
Overview:
This series of 9 blog posts are suitable for cloud solution architects and software architects looking to integrate NGINX (pronounced en-juhn-eks) with Azure-managed solutions to improve load balancing, performance, security, and high availability for workloads. Software developers and technical managers will also understand how these technologies in the cloud have a direct impact on application development and application architecture for more cloud-native solutions. Load balancing provides scalability and a higher level of availability by distributing incoming network traffic efficiently across a group of backend servers, also known as a server pool or server cluster.
This series of blog posts provides a meaningful description of load-balancing options available natively from Microsoft Azure and the role NGINX can play in a comprehensive solution.
Even though the examples used are specific to Azure, these load balancing concepts and implementations using NGINX apply equally to other large public cloud providers such as Amazon Web Services (AWS), Google Cloud Platform, Digital Ocean, and IBM Cloud along with their respective cloud platform–native load balancers.
Speed Up Your Azure hosted WordPress site with Caching Plugin
A year ago, we had unsuccessfully tested a number of caching plugins on this Azure hosted WordPress blog. Because of ongoing frustrations with slow page loading speed, we tried installing WP Super Cache again – this time to a resounding YES! IT WORKS! While more work is still needed, the page load speed has dropped from 5.8 sec to 3.0 sec with the basic plugin install.
The caching plugin creates cached php files of website pages
WP Super Cache Setup – Quick and Easy!
- Install the plugin > Easy tab > Caching On That’s all that’s needed to get started!
- Check that the plugin is working > Test Cache The green text means go!
NINGX-Plus Cloud Architecture – Global Load Balancing (#3/3)
NINGX-Plus Cloud Architecture – Local Load Balancing (#2/3)
NINGX-Plus Cloud Architecture – Simple Cloud Bursting (#1/3)
NINGX-Plus HA Cluster
Conditional Access Control with MS Azure Active Directory (AAD) & NGINX Plus
Azure Traffic Manager and NINGX-Plus
Deliver Consistent High Performance Web Services from Microsoft Azure with NGINX Plus
SSL Verification Tools for Azure Web Apps
In a recent blog post, we discussed how we discovered that an SSL Certificate that was not accepted by all browsers had been inadvertently installed months ago on a publicly accessible WordPress DEV site hosted on Azure Web Apps. Only while checking on page load performance, was this discovered by an SSL Checker!
These are some of the free online versions of the tools that we use for testing SSL certificates. Its important to use them!!
Microsoft Azure and NGINX
Replacing LetsEncrypt SSL cert on an Azure Web App
When it was discovered that a ‘staging’ SSL certificate had been initially added to a website with the issuer set as ‘Fake LE Intermediate X1’, (Read about that here) we replaced the SSL Certificate with one that would be acceptable to all browsers.
Steps to Replace the Let’s Encrypt SSL certicate on Azure Web App (working in Azure Portal)
Azure hosted WordPress site has SSL from Fake LE Intermediate X1 issuer!
We recently discovered while using an SSL Checker, that the SSL certificate on a DEV website, had the issuer ‘Fake LE Root X1’ – not Lets Encrypt as had been set up 10 months earlier! Read here for how to prepare to install Lets Encrypt SSL Certificates on an Azure hosted WordPress site.
