Azure’s YAML provisioning templates

Azure’s ARM templates have been a rite of passage for all Azure engineers.  No one who has been working with the cloud at any depth will be without late-night stories of frustration.  The Azure Resource Manager is a service that accepts specially constructed JSON templates and uses those templates to provision each object represented within.

Programmatically retrieving ‘latest’ Azure REST API versions

Every object in Azure is identified by a unique, hierarchy-based Resource ID.

Every object type has an associated range of different API versions that act as different schemas for that object type.

Powershell, Graph API & Password Grant Type - example

The OAuth 2.0 Password Grant Type allows authentication (in this case to Graph) using a username and password.

Take note of the Resource Identifier used with REST queries as this changes based on te resources being accessed.



Azure Custom Script Extensions, Software Deployment and Package Management

Azure allows Virtual Machine extension objects to be attached to provisioned virtual machines.  As they are objects, they may be declared directly with Resource Manager templates.

Enabling Azure Point-to-site-VPN

Using Azure's Point-to-site vpn avoids having to expose ssh or winrm ports to the internet to get onto the systems.

Before a Point-to-site VPN can be established, a Virtual Network Gateway must be created.  This will be associated with the Virtual Network that will be accessible.

Access to the network will be controlled by certificates.

Create an Azure App Registration for Disk Encryption

Enabling Azure Disk Encryption requires the creation of a dedicated account to be able to access a Key Vault for the backup of disk encryption keys.  This occurs through enabling an Application Registration in the desired tenant and providing the associated Service Principal Key Wrap and Secret Set rights to the Key Vault in question.

Create an Azure Application & SPN with Certificate Authentication

This PowerShell code snippet creates an Azure AD application registration with an associated SPN and self-signed certificate for Azure authentication.

I've used this for generating certificates that Virtual Machines can use for authenticating to Azure as an alternative to Managed Identities.

Azure Disk Encryption Process

Architectural Overview

All virtual machine disks are accessible by WebAPI off their underlying Storage volume (either through Storage Account Access or through Snapshot usage with Managed Disks).  In the case of Storage Accounts, a single factor of access exists for retrieval of disk Images from the internet (knowledge of URI and Storage Account key).  Different controls may be implemented to reduce the threat of data loss.  Core to these controls is the requirement for all data to be encrypted at REST. 

Using Azure Automation to generate a certificate

Some time back I had cause to demonstrate the possibility of using Azure Automation in generating time limited certificates for use with Azure.  It turned out to be more difficult than I thought as certificate creation on a local server or desktop uses the COM based CryptoAPI... which isnt available for use with Automation Runbooks.

This example script used the brilliant "Bouncy Castle" library for creating certificates.

PowerShell DSC (Pull) Sequence

The PowerShell DSC sequence I’m using to deploy my Windows machines primarily uses script elements although a multitude of other elements (such as WindowsFeature shown below) could be used.  The Pull Server has PowerShell DSC installed as a feature.

With this example, I’m using Server 2016 in Azure against other Azure provisioned systems.


Subscribe to RSS - Azure