Azure – Tunecom
Get in tune with your digital transformation journey
Feed last updated Mon, 25 Jan 2021 18:32:55 +0000 (https://www.tunecom.be/stg_ba12f)

How to monitor Azure Migrate replication issues
Published Mon, 25 Jan 2021 18:32:53 +0000 (https://www.tunecom.be/stg_ba12f/?p=1010)

When migrating virtual or physical servers to Microsoft Azure with Azure Migrate you would like to monitor replication health.

Azure Migrate does provide a built-in solution for this within the Azure Migrate project(s). You can manually review the status or use PowerShell to retrieve the replication health of your IaaS machines. However, this lacks some kind of notification or alerting mechanism.

If you’re interested in how to automatically get notified when something goes wrong, please continue reading below.

A look under the hood of Azure Migrate

When looking at the bundle of products included in an Azure Migrate project, one key product is Azure Site Recovery (ASR) which is part of Recovery Services Vault.

Azure Site Recovery is used to replicate your origin machines to Azure.
This means that when we encounter any replication issues, we will have to look at our replication product in place.

When browsing the Recovery Services Vault blade, scroll down to the “Monitoring” section and select “Site Recovery Events”.

On the “Site Recovery Events” page you will see a page very similar to the Azure Migrate Events page. Select “E-mail Notifications”.

Set “E-mail notifications” to On, and select “Other administrators” if you want to alert people who are not Azure service admins/co-admins. Enter an e-mail address and select Save.

Whenever a new site recovery event or alert is triggered you will receive a mail notification.

PowerShell

#Select your Azure Site Recovery Services Vault
$rsv = Get-AzRecoveryServicesVault | Out-GridView -OutputMode Single

#Set the recovery services vault context
Set-AzRecoveryServicesAsrVaultContext -Vault $rsv

#Retrieve current alerting configuration
Get-AzRecoveryServicesAsrAlertSetting

#Set alerts (remove -EnableEmailSubscriptionOwner if you do not want the default subscription owners to be notified)
$EmailAddresses = "test.test@test.be"
Set-AzRecoveryServicesAsrAlertSetting -CustomEmailAddress $EmailAddresses -EnableEmailSubscriptionOwner
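The e-mail setting above only fires when ASR raises an event. The function below is an added example, not code from the original post, that polls the current replication health of every protected item in the vault so it can run from a scheduled job or pipeline and fail the run when a machine is not healthy. It assumes the Az.RecoveryServices module; the fabric, container and protected-item cmdlets are real, the property names ReplicationHealth, ProtectionState, FriendlyName and ReplicationHealthErrors are assumed from that module's protected-item objects, and the vault and resource group names are placeholders.

```powershell
# Added example (not from the original post): report ASR replication health for every
# protected item in a Recovery Services vault, for use in a scheduled job or pipeline.
# Assumes the Az.RecoveryServices module. Vault and resource group names are placeholders.
function Get-AsrReplicationHealthReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )

    $vault = Get-AzRecoveryServicesVault -Name $VaultName -ResourceGroupName $ResourceGroupName
    Set-AzRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

    # ASR objects are nested: fabric (source site) -> protection container -> protected item (one per machine).
    foreach ($fabric in Get-AzRecoveryServicesAsrFabric) {
        foreach ($container in Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric) {
            foreach ($item in Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container) {
                # Property names below are assumed from the module's ASRReplicationProtectedItem object.
                [pscustomobject]@{
                    Machine           = $item.FriendlyName
                    ReplicationHealth = $item.ReplicationHealth     # Normal, Warning or Critical
                    ProtectionState   = $item.ProtectionState
                    Errors            = ($item.ReplicationHealthErrors | ForEach-Object { $_.ErrorMessage }) -join '; '
                }
            }
        }
    }
}

$report    = Get-AsrReplicationHealthReport -VaultName 'rsv-name-here' -ResourceGroupName 'rg-name-here'
$unhealthy = @($report | Where-Object { $_.ReplicationHealth -ne 'Normal' })

if ($unhealthy.Count -gt 0) {
    $unhealthy | Format-Table -AutoSize
    # A non-zero exit code lets Azure Automation, a scheduled task or a CI job raise its own alert.
    exit 1
}
Write-Output "All $(@($report).Count) replicated machines report Normal health."
```

Running this on a schedule alongside the e-mail notifications gives you a second, independent signal: the e-mail tells you an event was raised, the report tells you which machines are still unhealthy right now and why.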

Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in your Azure Migration journey.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

How to clean up replica disks after VMWare Virtual Machine migration with Azure Migrate
Published Wed, 06 Jan 2021 11:08:32 +0000 (https://www.tunecom.be/stg_ba12f/?p=901)

During the lifecycle of an Azure IaaS migration project with Azure Migrate, it is advised to perform some additional cleanup actions once you have migrated a certain set of virtual machines.

The migration process

The following migration process is usually followed when migrating VMware VMs to Azure IaaS VMs with Azure Migrate.

  1. Deploy Azure Migrate appliance
  2. Run Discovery Assessment
  3. Verify Application Dependency
  4. Create server migration groups
  5. Start replication with associated replication parameters
  6. Perform test migration
  7. Cleanup test migration
  8. Perform final migration
  9. Cleanup obsolete ASR disks!

Step 5 demystified – start replication

From step 5 onwards, the Azure Migrate appliance uses Azure Site Recovery to replicate your on-premises VMDK (virtual disk) files to the subscription and resource group that you selected in the migration settings.

Screenshot: Azure Site Recovery Disks

As you can see, a specific naming convention is applied by default to the ASR disks.

asrseeddisk-(VMName)-GUID

Step 6 demystified – run test migration

Once the initial delta sync of your virtual machine has been completed, you are now able to perform a test migration.

There are multiple reasons to perform a test migration; a major one is to find out whether your server and its applications work properly in Azure.

During the test migration, a snapshot is taken of the ASR disks and a new virtual machine is being created based upon your migration settings.

Please note that your VM is being created with a “test” suffix, to indicate that this machine is being “test migrated”.

The virtual disk names can be altered in the migration settings pane, however, it is advised to keep the disk names as is, to avoid any confusion.

At this point, you will have three copies of your virtual machine disks.

  1. The source on-premises VMDK files
  2. The replication Azure Site Recovery disks
  3. The target Azure Virtual Machine disks

Step 7 demystified – clean up test migration

Once you’ve confirmed that your virtual machine is Azure capable and corresponds to your needs, you can clean up the test migration.

Before cleaning up the test migration, make sure that you have documented or automated the steps that you have performed on this virtual machine. All changes made on the “test migration” Virtual Machine will be lost.

When performing a clean up of the test migration, the virtual machine and corresponding managed disks are being deleted.

Step 8 demystified – Perform final migration

During the final migration step, a final sync of the on-premises virtual machine is made.

It is advised to tick the “shutdown local machine” option when performing the migration; this ensures that no data is altered on the machine while it is being migrated.

As in the test migration step, a new virtual machine is created from a snapshot of the latest version of the ASR disks. Once the migration has completed, make sure to validate the server and perform the same actions that you performed during the test migration.

Your new virtual machine will now have the same name as your on-premises virtual machine, including the attached virtual disks.

Step 9 demystified – Clean up ASR disks

When looking at your Azure Migrate project, you will find a mix of servers that have been migrated and/or are pending a test migration or clean up.

When browsing to your VM in Azure Migrate, select disks. Note down the replica disk names, these are the replica disks that are still stored as a managed disk within your target resource group.

To clean up the ASR disks, make sure to stop the replication as soon as your migration has been completed.

After having stopped the replication, the managed disks are deleted from your resource group.

Automation Script

The script below automates the clean-up of migrated virtual machines by removing the replication item of every machine whose migration has succeeded.

#Migration Project Input Variables
$AzMigrateProjectName = "project name here"
$AzMigrateSubscriptionID = "subscription id here"
$AzMigrateResourceGroupName = "resource group name here"

#Required Modules
Write-Output "Required modules loading"
#Requires -Modules @{ ModuleName="Az.Accounts"; ModuleVersion="2.2.3" }
#Requires -Modules @{ ModuleName="Az.Migrate"; ModuleVersion="0.1.1" }

Import-Module Az.Accounts
Import-Module Az.Migrate

#Account Login (Disconnect first so the run always uses the account you log in with now)
Disconnect-AzAccount -ErrorAction SilentlyContinue
Connect-AzAccount

Set-AzContext -SubscriptionId $AzMigrateSubscriptionID

#Clean up
$MigrationProject = Get-AzMigrateProject -Name $AzMigrateProjectName -SubscriptionId $AzMigrateSubscriptionID -ResourceGroupName $AzMigrateResourceGroupName

#Only machines whose final migration succeeded are selected; test-migrated or still-replicating machines are left alone
$MigrationStatus = Get-AzMigrateServerReplication -ResourceGroupName $AzMigrateResourceGroupName -ProjectName $AzMigrateProjectName -SubscriptionId $AzMigrateSubscriptionID | Where-Object {$_.MigrationState -eq "MigrationSucceeded"} | Select-Object MachineName, MigrationState, AllowedOperation, Id

#Stopping replication also deletes the asrseeddisk-* managed disks, so review the names printed here before letting the loop run unattended
foreach ($migrationobject in $MigrationStatus) {
    $ObjectID = Get-AzMigrateServerReplication -TargetObjectID $migrationobject.Id
    Write-Host "Following replication job will be removed: " $migrationobject.MachineName -ForegroundColor Green
    Remove-AzMigrateServerReplication -InputObject $ObjectID
}
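Stopping replication is what deletes the ASR disks, but a project that has seen many test migrations and manual clean-ups can still leave seed disks behind in the target resource group. The function below is an added example, not the post's script, that inventories those disks using the asrseeddisk-(VMName)-GUID convention described above and removes only the ones that no longer belong to a replicating machine. It assumes Az.Compute and Az.Migrate, an existing login, that the GUID suffix is a standard GUID, and that the machine name embedded in the disk name matches the MachineName Azure Migrate reports; every resource name is a placeholder.

```powershell
# Added example (not the post's script): list Azure Site Recovery seed disks left behind in the
# target resource group after migration, and optionally remove the ones no longer in use.
# Assumes Az.Compute and Az.Migrate, an existing login and the asrseeddisk-<VMName>-<GUID>
# naming convention; the disk name is assumed to carry the same machine name that Azure
# Migrate reports as MachineName. All resource names are placeholders.
function Get-OrphanedAsrSeedDisk {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        # Machines that still have a replication item; their seed disks are in use even though unattached.
        [string[]] $ActiveMachineName = @(),
        [switch]   $Remove
    )

    $pattern = '^asrseeddisk-(?<vm>.+)-(?<guid>[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$'

    foreach ($disk in Get-AzDisk -ResourceGroupName $ResourceGroupName) {
        if ($disk.Name -notmatch $pattern) { continue }
        $sourceVm = $Matches['vm']

        # A seed disk is never attached to a VM, so "Unattached" alone is not proof it is orphaned;
        # it must also belong to a machine that no longer has a replication item.
        $orphaned = ($disk.DiskState -eq 'Unattached') -and ($ActiveMachineName -notcontains $sourceVm)

        if ($Remove -and $orphaned -and $PSCmdlet.ShouldProcess($disk.Name, 'Remove orphaned ASR seed disk')) {
            Remove-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $disk.Name -Force | Out-Null
        }

        [pscustomobject]@{
            DiskName  = $disk.Name
            SourceVm  = $sourceVm
            SizeGB    = $disk.DiskSizeGB
            DiskState = $disk.DiskState
            Orphaned  = $orphaned
        }
    }
}

# Placeholders for the Azure Migrate project and the migration target resource group.
$projectName = 'project name here'
$projectRg   = 'resource group name here'
$targetRg    = 'target resource group name here'

# Every machine that still has a replication item, whatever its state, keeps its seed disk.
$stillReplicating = (Get-AzMigrateServerReplication -ResourceGroupName $projectRg -ProjectName $projectName).MachineName

# Dry run first: report only, then preview the removal with -WhatIf before running it for real.
Get-OrphanedAsrSeedDisk -ResourceGroupName $targetRg -ActiveMachineName $stillReplicating | Format-Table -AutoSize
Get-OrphanedAsrSeedDisk -ResourceGroupName $targetRg -ActiveMachineName $stillReplicating -Remove -WhatIf
```

The deletion is gated twice: by the explicit -Remove switch and by ShouldProcess, so a plain call never changes anything, and -WhatIf shows exactly which disks would go.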



Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in keeping your Azure Migration journey as lean and mean as possible.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

How to fix “The Azure Migrate unified appliance is in a disconnected state, Ensure that the appliance is running and has connectivity before proceeding” issue
Published Mon, 04 Jan 2021 14:05:24 +0000 (https://www.tunecom.be/stg_ba12f/?p=871)

When re-hosting or migrating traditional IaaS servers located on VMware, you might encounter the following issue when trying to set up your replication towards Azure.

The case

You have a single Azure Migrate appliance, which you have used to perform the suitability analysis, and you’ve enabled the same appliance in the migration project as well. This means that we are targeting an agentless migration.

The issue

The Azure Migrate Virtual Appliance ‘appliance name’ is in a disconnected state, please verify network connectivity.

The resolution

The following troubleshooting steps should help you resolve this issue.

  • Step 1: Verify agent health on the appliance
  • Step 2: Re-run the configuration wizard and verify your settings
  • Step 3: Re-enter your Azure credentials
  • Step 4: Restart the replication and gateway services

Run the following commands in an administrative PowerShell or cmd prompt.

Net Stop asrgwy
Net Start asrgwy
Net Stop dra
Net Start dra

  • Step 5: Verify service health

Check your connection status in the Appliances blade of the Azure Migrate resource on the Azure Portal.
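Steps 4 and 5 can be folded into one check. The function below is an added example, not part of the original post, that inspects the two appliance services named above (asrgwy and dra), starts any that are stopped or restarts them on request, and reports the before and after state so you can see at a glance whether the restart actually took. It only assumes an elevated PowerShell session on the appliance; the service names come from the post.

```powershell
# Added example (not from the original post): check the two appliance services named above and
# bring them back to a running state, mirroring the net stop / net start sequence. Run in an
# elevated PowerShell session on the Azure Migrate appliance. Service names come from the post.
function Repair-AzMigrateApplianceService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $ServiceName = @('asrgwy', 'dra'),
        # -Restart forces a stop/start even when the service already reports Running.
        [switch]   $Restart
    )

    foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # A missing service means the appliance components were never installed or were removed.
            [pscustomobject]@{ Service = $name; Before = 'NotInstalled'; After = 'NotInstalled'; Action = 'none' }
            continue
        }

        $before = $svc.Status
        $action = 'none'
        if ($svc.Status -ne 'Running') {
            if ($PSCmdlet.ShouldProcess($name, 'Start service')) {
                Start-Service -Name $name
                $action = 'started'
            }
        }
        elseif ($Restart) {
            if ($PSCmdlet.ShouldProcess($name, 'Restart service')) {
                Restart-Service -Name $name -Force
                $action = 'restarted'
            }
        }

        # Give the service up to 30 seconds to settle; a timeout is reported through the After column.
        try   { $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30)) }
        catch [System.ServiceProcess.TimeoutException] { }
        $svc.Refresh()
        [pscustomobject]@{ Service = $name; Before = $before; After = $svc.Status; Action = $action }
    }
}

# Report current state and start anything that is stopped; -WhatIf previews without touching the services.
Repair-AzMigrateApplianceService | Format-Table -AutoSize
Repair-AzMigrateApplianceService -Restart -WhatIf
```

If a service shows Running before and after but the portal still reports the appliance as disconnected, the problem is upstream of the services (steps 2 and 3: configuration and credentials) rather than on the appliance itself.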

Ready to migrate

Thank you!

Thank you for reading through this blog post, I hope I have saved you some time on researching the disconnected state issue.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

Moving your data to a serverless infrastructure with Azure Files and Active Directory Authentication (Preview)
Published Fri, 28 Feb 2020 07:22:43 +0000 (https://www.tunecom.be/stg_ba12f/?p=617)

A couple of days ago, Microsoft announced the public preview of Windows Server Active Directory authentication / integration for Azure Files. Make sure to check out the introduction video by Will Gries (Senior Program Manager) and Thomas Maurer (Senior Cloud Advocate).

This is probably one of the most requested feature releases since the ability to create file shares on Azure Storage.
In the recent past, Microsoft enabled Active Directory Authentication and setting ACLs coming from their Azure AD Domain Services solution.

Now it’s time to integrate this with our existing Windows Server Active Directory infrastructure.

Long story short

We are now able to set NTFS permissions and ACLs based on our existing Windows Server AD on an Azure Fileshare. This blogpost takes you through the necessary steps to automate the process shown below.

Files AD workflow diagram

Now the long(er) story

Before we can activate all of this, we have a couple of prerequisites:

1. Windows Server Active Directory needs to be synchronized with Azure Active Directory

2. You need an Azure Storage account with an Azure File share which is NOT located in one of the following regions.

  • West US
  • West US 2
  • East US
  • East US 2
  • West Europe
  • North Europe
Run the following script if you would like to create a new storage account.

Background info: change the initial variables to meet your environment’s needs. I have chosen France Central as the region in which to deploy our storage account.

Download the script here, or copy paste the scriptblock below. After running the script you’ll see that new or additional file shares have been created.

Screenshot: Azure Files

PowerShell script
########################
#
# Name: Azure Files Create Storage Account
# Author: Yannick Dils
# Version: v0.1
#
########################

Write-Host "Let's get started" -ForegroundColor Magenta
Start-Sleep -Seconds 3

########################
#
# Install or import the required modules
#
########################

# Each module is installed from an elevated, hidden PowerShell process; -Wait makes sure the install
# has finished before Import-Module runs, and the pinned -RequiredVersion keeps the run reproducible
Start-Process powershell -Verb RunAs -ArgumentList "Install-Module -Name Az.Accounts  -RequiredVersion 1.6.4 -Force" -WindowStyle Hidden -Wait
Import-Module Az.Accounts
Start-Process powershell -Verb RunAs -ArgumentList "Install-Module -Name Az.Resources  -RequiredVersion 1.11.0 -Force" -WindowStyle Hidden -Wait
Import-Module Az.Resources
Start-Process powershell -Verb RunAs -ArgumentList "Install-Module -Name Az.Storage  -RequiredVersion 1.11.0 -Force" -WindowStyle Hidden -Wait
Import-Module Az.Storage

########################
#
# Create Naming Convention + Location and Name Variables
#
########################

Write-Host "Step 1 : Let's define some variables and naming conventions`n" -ForegroundColor Cyan

Write-Host "Enter a 3 letter word abbreviation for your customer or project (example: tuc, vdc) : " -ForegroundColor Yellow -NoNewline
$Cus = Read-Host
Write-Host "Enter a 3 letter word abbreviation for your environment (example: hub, prd, tst, dev, acc) : " -ForegroundColor Yellow -NoNewline
$Env = Read-Host
$FullLocation = "France Central"
# Storage account names must be 3-24 lowercase letters and digits; this convention yields e.g. stlrstucfrchubfile
$NamingConv = "st" + "lrs" + $Cus + "frc" + $Env + "file"
$SAFILE = $NamingConv.ToLower()
$RGDATA = $Cus + "-hub-storage-rg"
Write-Host "Enter a name for your fileshare (example: fileserver, profiles,..) : " -ForegroundColor Yellow -NoNewline
$FileShareName = Read-Host


Write-Host "`nStep 2 : Based on the naming convention provided in the script, the following has been identified:`n" -ForegroundColor Cyan
Write-Host "Location : $FullLocation"  -ForegroundColor Green
Write-Host "Storage Account Name : $SAFILE" -ForegroundColor Green
Write-Host "Fileshare Name : $FileShareName" -ForegroundColor Green

Write-Host "Resource Group Name : $RGDATA" -ForegroundColor Green


########################
#
# Login to Az Account
#
########################

Write-Host "`nStep 3 : Before we continue, we need to log you into your Azure Account" -ForegroundColor Cyan

Connect-AzAccount

########################
#
# Select the Azure Subscription where you want to create your storage account
#
########################

$Subscriptions = Get-AzSubscription
Write-Host "Step 4 : These are your available subscriptions`n" -ForegroundColor Cyan
Write-Host $Subscriptions.Name -ForegroundColor Cyan -BackgroundColor Black

Write-Host "`nStep 5 : Enter the subscription name : " -ForegroundColor Yellow -NoNewline
$SubscriptionName = Read-Host
Select-AzSubscription -Subscription $SubscriptionName



########################
#
# Verify if an existing resource group exists with the name in variable $RGDATA, create a new one if not
#
########################


$RG = Get-AzResourceGroup -Name $RGDATA -ErrorAction SilentlyContinue

If ($RG)
        {
        Write-Host "Step 6 : A Resource Group already exists with the name $RGDATA, no need to create one" -ForegroundColor Cyan
        }
Else
        {
        Write-Host "Step 6 : A Resource Group is created with the name $RGDATA" -ForegroundColor Cyan
        New-AzResourceGroup -Name $RGDATA -Location $FullLocation
        }

########################
#
# Create a new Storage Account located in the $FullLocation region based on the input variables
#
########################

$SA = Get-AzStorageAccount -ResourceGroupName $RGDATA -Name $SAFILE.ToLower() -ErrorAction SilentlyContinue

If ($SA)
        {
        Write-Host "Step 7 : A Storage Account already exists with the name $SAFILE, no need to create one" -ForegroundColor Cyan

        # Only look for the share once the account is known to exist: -Context cannot be bound to $null
        $StorageShare = Get-AzStorageShare -Name $FileShareName -Context $SA.Context -ErrorAction SilentlyContinue
        If ($StorageShare)
                {
                Write-Host "Step 8 : A File Share already exists with the name $FileShareName, no need to create one" -ForegroundColor Cyan
                }
        Else
                {
                Write-Host "Step 8 : A File Share is created with the name $FileShareName" -ForegroundColor Cyan
                New-AzStorageShare -Name $FileShareName -Context $SA.Context
                }
        }
Else
        {
        Write-Host "Step 7 : A Storage Account is created with the name $SAFILE" -ForegroundColor Cyan
        New-AzStorageAccount -ResourceGroupName $RGDATA -Name $SAFILE.ToLower() -Kind StorageV2 -SkuName Standard_LRS -Location $FullLocation -AccessTier Hot
        Write-Host "Step 8 : A File Share is created with the name $FileShareName" -ForegroundColor Cyan
        $ctx = Get-AzStorageAccount -ResourceGroupName $RGDATA -Name $SAFILE.ToLower()
        New-AzStorageShare -Name $FileShareName -Context $ctx.Context
        }

Write-Host "End of script" -ForegroundColor Magenta


########################
#
# End of script
#
########################

Start-Sleep -Seconds 5

3. You need to join your Azure Storage account to the domain

Since this is still in public preview, you need to perform a couple of manual steps to join your Azure Storage account to your Windows Server Active Directory domain. With Azure AD Domain Services, by contrast, this is just an additional switch/parameter you provide to allow Azure AD DS authentication. I assume that the product team will try to provide the same kind of deployment feature for joining a traditional Active Directory domain.

The following link provides a step-by-step guide to the steps required to join your domain, so feel free to read through it. But wait!

I’ve taken the opportunity to automate the necessary steps in the following script. Note: make sure to run it from a domain-joined machine or directly on your domain controller.

Download the script here, or copy and paste the script block below. After running the script, your Azure Storage account will be joined to the domain; this is how it could look.

Screenshot: Computer Account Object

PowerShell script
########################
#
# Name: Azure Files Domain Join Script
# Author: Yannick Dils
# Version: v0.1
#
########################

Write-Host "Let's get started" -ForegroundColor Cyan
Start-Sleep -Seconds 3

########################
#
# Install or import the required modules
#
########################

# -Wait makes sure each elevated install has finished before the matching Import-Module runs
Start-Process powershell -Verb RunAs -ArgumentList "Install-Module -Name Az.Accounts  -RequiredVersion 1.6.4 -Force" -WindowStyle Hidden -Wait
Import-Module Az.Accounts
Start-Process powershell -Verb RunAs -ArgumentList "Install-Module -Name Az.Resources  -RequiredVersion 1.11.0 -Force" -WindowStyle Hidden -Wait
Import-Module Az.Resources
Start-Process powershell -Verb RunAs -ArgumentList "Install-Module -Name Az.Storage  -RequiredVersion 1.11.0 -Force" -WindowStyle Hidden -Wait
Import-Module Az.Storage
# The ActiveDirectory module is not on the PowerShell Gallery; it ships with RSAT (Windows Server feature
# RSAT-AD-PowerShell) and is already present on a domain controller
If (-not (Get-Module -ListAvailable -Name ActiveDirectory))
    {
    Install-WindowsFeature -Name RSAT-AD-PowerShell
    }
Import-Module ActiveDirectory


########################
#
# Change the execution policy to unblock importing AzFilesHybrid.psm1 module
#
########################

# Unrestricted is what this script uses so the unsigned AzFilesHybrid.psm1 can be imported; a narrower
# alternative is RemoteSigned together with Unblock-File on the extracted module files
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force -ErrorAction SilentlyContinue

########################
#
# Download The AzFilesHybird powershell modules
#
########################

Write-Host "Step 1 : We will now download the Azure Files Hybrid powershell modules into a C:\Temp directory" -ForegroundColor Cyan


$DownloadLink = "https://github.com/Azure-Samples/azure-files-samples/releases/download/AzFilesHybrid-0.1.0.0/AzFilesHybrid.zip"
$TempDir = "C:\Temp"
$Output = "C:\Temp\AzFilesHybrid.zip"
$Path = Test-Path $TempDir

If ($Path -eq $true)
    {
    Write-Host "Step 2 : The C:\Temp path already exists, no need to create one" -ForegroundColor Cyan
    }
Else
    {
    Write-Host "Step 2 : We are creating a temp directory C:\Temp" -ForegroundColor Cyan
    New-Item -ItemType Directory -Path $TempDir | Out-Null
    }


# The archive is fetched over HTTPS from a pinned release; inspect what was downloaded before executing anything extracted from it
(New-Object System.Net.WebClient).DownloadFile($DownloadLink, $Output)

########################
#
# Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path
#
########################

Set-Location $TempDir
Expand-Archive -LiteralPath $Output -DestinationPath $TempDir -Force
# CopyToPSPath.ps1 ships inside the archive and copies the module into your PSModulePath; it is downloaded code, so review it before running it
.\CopyToPSPath.ps1

########################
#
# Import AzFilesHybrid module
#
########################


Import-Module -name AzFilesHybrid


########################
#
# Login with an Azure AD credential that has either storage account owner or contributer RBAC assignment
#
########################

Write-Host "Step 3 : Let's connect to our Azure Subscriptions" -ForegroundColor Cyan
Start-Sleep -Seconds 3
Connect-AzAccount

########################
#
# Select the Azure Subscription where your Storage Account is located
#
########################

$Subscriptions = Get-AzSubscription
Write-Host "Step 4 : These are your available subscriptions" -ForegroundColor Cyan
Write-Host $Subscriptions.Name -ForegroundColor Cyan -BackgroundColor Black

Write-Host "Step 5 : Enter the subscription name : " -ForegroundColor Yellow -NoNewline
$SubscriptionName = Read-Host
Select-AzSubscription -Subscription $SubscriptionName

########################
#
# Retrieve your current Windows Server Active Directory Domain Details
#
########################


$domaindetails = Get-ADDomain
#Register the target storage account with your active directory environment under the target OU
$Domain = $domaindetails.DNSRoot


########################
#
# Retrieve your Resource Groups and Storage Accounts located in your Azure Subscription
#
########################

#############
#
# Resource Groups
#
#############

$ResourceGroups = Get-AzResourceGroup | Select-Object ResourceGroupName
Write-Host "Step 6 : These are the available resource groups: " -ForegroundColor Cyan
Foreach ($RG in $ResourceGroups)
    {
    Write-Host $RG.ResourceGroupName -ForegroundColor Cyan -BackgroundColor Black
    }
Write-Host "Step 7 : Enter the resource group name, where your Azure Files storage account is located: " -ForegroundColor Yellow -NoNewline
$ResourceGroup = Read-Host

#############
#
# Storage Accounts
#
#############


$StorageAccounts = Get-AzStorageAccount -ResourceGroupName $ResourceGroup

Write-Host "Step 8 : These are the available storage accounts : " -ForegroundColor Cyan

Foreach ($SA in $StorageAccounts)
        {
        Write-Host $SA.StorageAccountName -ForegroundColor Cyan -BackgroundColor Black
        }
Write-Host "Step 9 : Enter the storage account name, where your Azure Files share is located: " -ForegroundColor Yellow -NoNewline
$StorageAccount = Read-Host

########################
#
# Create or use an Organizational Unit where our Azure Files storage account will be located
#
########################
$AzureFilesOUName = "AzureFiles"

Write-Host "Step 10 : We now want to join the Azure File Storage Accounts to the domain in an OU called $AzureFilesOUName" -ForegroundColor Cyan


$OU = Get-ADOrganizationalUnit -Filter 'Name -like $AzureFilesOUName'
If ($OU)
        {Write-Host "Step 11 : The AzureFiles OU Already Exists, no need to create one" -ForegroundColor Cyan}
Else
        {
        Write-Host "Step 11 : The OU needs to be created, we will now create a new OU called $AzureFilesOUName" -ForegroundColor Cyan
        $AzureFilesOU = New-ADOrganizationalUnit -Name $AzureFilesOUName
        }

########################
#
# Join the storage account into the domain, located in the required organizational unit
#
########################

# Join into the OU created or found in step 11 (the original passed a literal "Servers" OU here, which left the AzureFiles OU unused)
Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount -Domain $Domain -DomainAccountType ComputerAccount -OrganizationalUnitName $AzureFilesOUName

########################
#
# Verify Domain Join
#
########################

$azurefiles = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount

$ADService = $azurefiles.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

Write-Host "Step 12 : Let us now verify if the directory service is ok" -ForegroundColor Cyan
Start-Sleep -Seconds 5

If ($ADService -eq "AD")
        {
        Write-host "Step 13 : All OK" -ForegroundColor Green
        }
Else
        {
        Write-host "Step 13 : Something went wrong ;)" -ForegroundColor Red
        }


Write-Host "Step 14 : Let us now verify if the directory authentication is ok" -ForegroundColor Cyan
Start-Sleep -Seconds 5

$ADInfo = $azurefiles.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

If ($ADInfo.DomainName -eq $Domain)
        {
        Write-host "Step 15 : All OK" -ForegroundColor Green
        }
Else
        {
        Write-host "Step 15 : Something went wrong ;)" -ForegroundColor Red
        }

Write-Host "End of script" -ForegroundColor Cyan
Start-Sleep -Seconds 5

########################
#
# End of script
#
########################

4. Assign the required roles to your security principals.

Now that we have our storage account joined to the domain, we need to assign the right set of role-based access controls at the Azure File Share level.

Three built-in roles are available to grant access to the Azure File Share:

  • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify permissions in Azure Storage file shares over SMB.

The following script can assist you in setting the right set of permissions for a certain security principal. Note: The security principal must be entered in a UPN format (username@corp.something)

Download the script here, or copy paste the scriptblock below. After running the script you will be able to mount the Azure File share in the context of the security principal.
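The function below is an added example, not one of the post's scripts, showing the role assignment for one principal done idempotently: it resolves the UPN (or a group display name) to an Azure AD object, builds the share-level scope used in the post, skips the assignment when it is already present at exactly that scope, and supports -WhatIf. It assumes Az.Accounts and Az.Resources, an existing login with the right subscription selected, and all resource names are placeholders.

```powershell
# Added example (not one of the post's scripts): assign one of the three SMB share roles to a
# security principal at the scope of a single file share, skipping it when the assignment is
# already present. Assumes Az.Accounts and Az.Resources and an existing login with the right
# subscription selected. All names below are placeholders.
function Set-AzFileShareSmbRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $FileShareName,
        # UPN of a user, or display name of a group, that is synchronised to Azure AD.
        [Parameter(Mandatory)] [string] $Principal,
        [Parameter(Mandatory)]
        [ValidateSet('Storage File Data SMB Share Reader',
                     'Storage File Data SMB Share Contributor',
                     'Storage File Data SMB Share Elevated Contributor')]
        [string] $RoleName
    )

    # Share-level scope; granting at the storage account level would expose every share in it.
    $scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Storage/storageAccounts/$StorageAccountName/fileServices/default/fileshares/$FileShareName"

    $object = Get-AzADUser -UserPrincipalName $Principal -ErrorAction SilentlyContinue
    if (-not $object) { $object = Get-AzADGroup -DisplayName $Principal -ErrorAction SilentlyContinue }
    if (-not $object) { throw "No Azure AD user or group found for '$Principal'." }

    # Get-AzRoleAssignment also returns assignments inherited from parent scopes; keep only the exact scope.
    $existing = Get-AzRoleAssignment -ObjectId $object.Id -Scope $scope -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq $scope }

    if ($existing) {
        return [pscustomobject]@{ Principal = $Principal; Role = $RoleName; Scope = $scope; Action = 'already assigned' }
    }
    if ($PSCmdlet.ShouldProcess("$Principal as $RoleName", "Assign role at $scope")) {
        New-AzRoleAssignment -ObjectId $object.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
        return [pscustomobject]@{ Principal = $Principal; Role = $RoleName; Scope = $scope; Action = 'assigned' }
    }
}

# Least privilege: the broad user group gets read-only; the elevated role goes only to the admins who must change ACLs.
# Resource names follow the post's naming convention with "tuc" as customer and "hub" as environment (placeholders).
Set-AzFileShareSmbRole -SubscriptionId '<subscription id>' -ResourceGroupName 'tuc-hub-storage-rg' `
    -StorageAccountName 'stlrstucfrchubfile' -FileShareName 'fileserver' `
    -Principal 'fileshare-readers' -RoleName 'Storage File Data SMB Share Reader' -WhatIf
```

Because the check filters on the exact scope, a Reader assignment inherited from the resource group does not stop the script from creating the share-level one you asked for, and re-running the script is safe.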

PowerShell script
########################
#
# Name: Azure Files RBAC
# Author: Yannick Dils
# Version: v0.1
#
########################


Write-Host "Let's get started" -ForegroundColor Cyan
Start-Sleep -Seconds 3

########################
#
# Set General Variables and Naming Conventions
#
########################

Write-Host "Step 1 : Let's define some variables and naming conventions" -ForegroundColor Cyan

Write-Host "Enter a 3 letter word abbreviation for your customer or project (example: tuc, vdc) : " -ForegroundColor Yellow -NoNewline
$Cus = Read-Host
Write-Host "Enter a 3 letter word abbreviation for your environment (example: hub, prd, tst, dev, acc) : " -ForegroundColor Yellow -NoNewline
$Env = Read-Host
$FullLocation = "France Central"
$NamingConv = "st" + "lrs" + $Cus + "frc" + $Env + "file"
$SAFILE = $NamingConv
$RGDATA = $Cus + "-hub-storage-rg"
Write-Host "Enter a name for your fileshare (example: fileserver, profiles,..) : " -ForegroundColor Yellow -NoNewline
$FileShareName = Read-Host



########################
#
# Set the names of the Azure Files Roles into Variables
#
########################

Write-Host "Step 2 : Let's store the Azure File Storage Roles into variables for later use" -ForegroundColor Cyan


$Reader = "Storage File Data SMB Share Reader" # R permissions
$Contributor = "Storage File Data SMB Share Contributor" # R W D permissions
$ElevatedContributor ="Storage File Data SMB Share Elevated Contributor" # R W D M permissions

########################
#
# Enter the specific group in UPN format and store them into variables
#
########################

Write-Host "Step 3 : Enter the security principal that needs to receive the required access controls (UPN format required):`n" -ForegroundColor Cyan
Write-Host "Read Group = Storage File Data SMB Share Reader # R permissions" -ForegroundColor Green
Write-Host "Contributor Group = Storage File Data SMB Share Contributor # R W D permissions" -ForegroundColor Green
Write-Host "ElevatedContributor = Storage File Data SMB Share Elevated Contributor # R W D M permissions`n" -ForegroundColor green

Write-Host "Enter the Reader Security Principal UPN Name : (Leave empty if not required) :" -ForegroundColor Yellow -NoNewline
$ReadGroup = Read-Host
Write-Host "Enter the Contributor Security Principal UPN name : (Leave empty if not required) :" -ForegroundColor Yellow -NoNewline
$ContributorGroup = Read-Host
Write-Host "Elevated Contributor Security Principal UPN name : (Leave empty if not required) :" -ForegroundColor Yellow -NoNewline
$ElevatedContributorGroup = Read-host

########################
#
# Set the scope onto our subscription and specific  Azure File Share
#
########################

Write-Host "`nStep 4 : Let's set our subscription scope`n" -ForegroundColor Cyan
Login-AzAccount
$Subscriptions = Get-AzSubscription
Write-Host "Step 5 : These are your available subscriptions`n" -ForegroundColor Cyan
Write-host $Subscriptions.Name -ForegroundColor Cyan -BackgroundColor Black

Write-Host "`nStep 6 : Enter the subscription name : " -ForegroundColor Yellow -NoNewline
$SubscriptionName = Read-host
Select-AzSubscription -Subscription $SubscriptionName
$Subscription = Get-AzSubscription -SubscriptionName $SubscriptionName

$SubScriptionID = $Subscription.SubscriptionId


$scope = "/subscriptions/$subscriptionID/resourceGroups/$RGDATA/providers/Microsoft.Storage/storageAccounts/$SAFILE/fileServices/default/fileshares/$fileShareName"

########################
#
# Let's assign the role to the specified security principal and scope
#
########################

##########
#
#  Reader Group
#
##########

If($ReadGroup -eq "")
        {
        Write-Host "You haven't entered any Reader Group, we will skip this role assignment for now" -ForegroundColor Yellow
        }
else
        {
        Write-Host "We are now verifying the  Reader Group role assignment for Security Principal $ReadGroup" -ForegroundColor Cyan
        $RoleAssignment = Get-AzRoleAssignment -SignInName $ReadGroup -RoleDefinitionName $Reader -Scope $scope -ErrorAction SilentlyContinue

        If ($RoleAssignment)
                {
                Write-host "The role assignment already exists, we don't need to add the specific assignment" -ForegroundColor Cyan
                }
        else
                {
                Write-Host "The role assignment is being created" -ForegroundColor Cyan
                New-AzRoleAssignment -SignInName $ReadGroup -RoleDefinitionName $Reader -Scope $scope
                }

        }




##########
#
#  Contributor Group
#
##########


If($ContributorGroup -eq "")
        {
        Write-Host "You haven't entered any Contributor Group, we will skip this role assignment for now" -ForegroundColor Yellow
        }
else
        {
        Write-Host "We are now verifying the  Contributor Group role assignment for Security Principal $ContributorGroup" -ForegroundColor Cyan
        $RoleAssignment = Get-AzRoleAssignment -SignInName $ContributorGroup -RoleDefinitionName $Contributor -Scope $scope -ErrorAction SilentlyContinue

        If ($RoleAssignment)
                {
                Write-host "The role assignment already exists, we don't need to add the specific assignment" -ForegroundColor Cyan
                }
        else
                {
                Write-Host "The role assignment is being created" -ForegroundColor Cyan
                New-AzRoleAssignment -SignInName $ContributorGroup -RoleDefinitionName $Contributor -Scope $scope
                }

        }



##########
#
# Elevated Contributor Group
#
##########

If($ElevatedContributorGroup -eq "")
        {
        Write-Host "You haven't entered any Elevated Contributor Group, we will skip this role assignment for now" -ForegroundColor Yellow
        }
else
        {
        Write-Host "We are now verifying the Elevated Contributor Group role assignment for Security Principal $ElevatedContributorGroup" -ForegroundColor Cyan
        $RoleAssignment = Get-AzRoleAssignment -SignInName $ElevatedContributorGroup -RoleDefinitionName $ElevatedContributor -Scope $scope -ErrorAction SilentlyContinue 

        If ($RoleAssignment)
                {
                Write-host "The role assignment already exists, we don't need to add the specific assignment" -ForegroundColor Cyan
                }
        else
                {
                Write-Host "The role assignment is being created" -ForegroundColor Cyan
                New-AzRoleAssignment -SignInName $ElevatedContributorGroup -RoleDefinitionName $ElevatedContributor -Scope $scope
                }

        }


#Get-AzRoleAssignment -scope $scope

Write-Host "`nEnd of Script" -ForegroundColor Cyan

Sleep 5
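The commented-out `Get-AzRoleAssignment -scope $scope` at the end of the script is worth turning into a real check: the SMB share roles are often assigned higher up (storage account, resource group, subscription) and then apply to every share below. The function below is an added example, not part of the original post or scripts; it assumes Az.Accounts and Az.Resources are installed, `Connect-AzAccount` has been run, and the subscription id, resource group, storage account and share names in the usage line are placeholders built from the post's naming convention.

```powershell
# Added example (not from the original post): report every role assignment that is effective on
# one Azure file share, mark the ones inherited from a broader scope, and flag anything beyond
# the three "Storage File Data SMB Share" roles or that grants Modify (NTFS ACL) rights.

$SmbRoles = @(
    'Storage File Data SMB Share Reader',
    'Storage File Data SMB Share Contributor',
    'Storage File Data SMB Share Elevated Contributor'
)

function Get-AzFileShareAccessReport {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $FileShareName
    )

    # Same scope format the post's script builds for New-AzRoleAssignment
    $shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
                  "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
                  "/fileServices/default/fileshares/$FileShareName"

    # Get-AzRoleAssignment -Scope lists the assignments effective at that scope,
    # which includes those inherited from parent scopes (their .Scope shows where).
    Get-AzRoleAssignment -Scope $shareScope | ForEach-Object {
        $inherited = $_.Scope -ne $shareScope   # PowerShell string comparison is case-insensitive
        $finding = if ($_.RoleDefinitionName -eq 'Storage File Data SMB Share Elevated Contributor') {
            'Modify rights: this principal can rewrite NTFS ACLs, confirm it really needs that'
        } elseif ($_.RoleDefinitionName -notin $SmbRoles) {
            'Non-SMB role: review whether it grants control-plane or access-key rights'
        } elseif ($inherited) {
            'SMB role inherited from a broader scope: it applies to every share below that scope'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Principal  = $_.DisplayName
            Type       = $_.ObjectType
            Role       = $_.RoleDefinitionName
            Inherited  = $inherited
            AssignedAt = $_.Scope
            Finding    = $finding
        }
    }
}

# Placeholder values following the post's convention (customer "tuc", environment "prd")
Get-AzFileShareAccessReport -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -ResourceGroupName 'tuc-hub-storage-rg' -StorageAccountName 'stlrstucfrcprdfile' `
    -FileShareName 'fileserver' | Sort-Object Inherited, Role | Format-Table -AutoSize
```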

5. Mount the Azure File Share with elevated privileges and start configuring NTFS permissions.

In the previous section we set the share-level permissions. As with traditional file server implementations, we add a second layer of security on top of that: NTFS permissions.

By mounting the Azure File share with the storage account access key we elevate our privileges, which allows us to set fine-grained ACLs.

The following script mounts the share on the drive letter you choose, authenticating with the access keys of your storage account.

Download the script here or copy the scriptblock below.

Powershell Script
########################
#
# Name: Mount Azure File Share
# Author: Yannick Dils
# Version: v0.1
#
########################

Write-Host "Let's get started" -ForegroundColor Cyan
Sleep 3

########################
#
# Create Naming Convention + Location and Name Variables
#
########################


Write-Host "Step 1 : Let's define some variables and naming conventions`n" -ForegroundColor Cyan

Write-Host "Enter a 3 letter word abbreviation for your customer or project (example: tuc, vdc) : " -ForegroundColor Yellow -NoNewline
$Cus = Read-Host
Write-Host "Enter a 3 letter word abbreviation for your environment (example: hub, prd, tst, dev, acc) : " -ForegroundColor Yellow -NoNewline
$Env = Read-host
$FullLocation = "France Central"
$NamingConv = "st" + "lrs" + $Cus + "frc" + $Env + "file"
$SAFILE = $NamingConv
$RGDATA = $Cus + "-hub-storage-rg"
Write-Host "Enter a name for your fileshare (example: fileserver, profiles,..) : " -ForegroundColor Yellow -NoNewline
$FileShareName = Read-host
Write-Host "Enter a driveletter for your fileshare (example: F, G, P..) : " -ForegroundColor Yellow -NoNewline
$DriveLetter = Read-Host


########################
#
# Login with an Azure AD credential that has either storage account owner or contributer RBAC assignment
#
########################

Write-Host "Step 2 : Let's connect to our Azure Subscriptions" -ForegroundColor Cyan
Sleep 3
Connect-AzAccount

########################
#
# Select the Azure Subscription where your Storage Account is located
#
########################

$Subscriptions = Get-AzSubscription
Write-Host "Step 3 : These are your available subscriptions" -ForegroundColor Cyan
Write-host $Subscriptions.Name -ForegroundColor Cyan -BackgroundColor Black

Write-Host "`nEnter the subscription name : " -ForegroundColor Yellow -NoNewline
$SubscriptionName = Read-host
Select-AzSubscription -Subscription $SubscriptionName

########################
#
# Retrieve the Storage Account Details and Access Tokens
#
########################

Write-Host "Step 4 : We are now retrieving the storage account details and access tokens" -ForegroundColor Cyan

$storageAccount = Get-AzStorageAccount -ResourceGroupName $RGDATA -Name $SAFILE
$storageAccountKeys = Get-AzStorageAccountKey -ResourceGroupName $RGDATA -Name $SAFILE

########################
#
# Retrieve the FileShare Details
#
########################

Write-Host "Step 5 : We are now retrieving the file share details" -ForegroundColor Cyan


$fileShare = Get-AzStorageShare -Context $storageAccount.Context | Where-Object { 
    $_.Name -eq $fileShareName -and $_.IsSnapshot -eq $false
}

if ($fileShare -eq $null) {
    throw [System.Exception]::new("Azure file share not found")
}

########################
#
# Mount the Azure File Storage
#
########################

Write-Host "Step 6 : Your file share is being mounted" -ForegroundColor Cyan


$password = ConvertTo-SecureString -String $storageAccountKeys[0].Value -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "AZURE\$($storageAccount.StorageAccountName)", $password
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$($fileShare.StorageUri.PrimaryUri.Host)\$($fileShare.Name)" -Credential $credential -Persist

Write-Host "Step 7 : Let's open up our file share in an explorer window" -ForegroundColor Cyan

$path = $DriveLetter + ":\" 
Invoke-Item $path

Write-Host "`nEnd of script" -ForegroundColor Cyan
Sleep 5

########################
#
# End of script
#
########################
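The storage account key gives full access to every share in the account, so the key-based mapping should exist only for as long as the ACL work takes. The function below is an added example, not part of the original post or scripts: it mounts without `-Persist`, applies NTFS ACLs with icacls, and always unmaps in a `finally` block. It assumes Az.Storage is installed, `Connect-AzAccount` has been run by an identity that may list the keys, the share is reachable over SMB (TCP 445), and the public endpoint host `<account>.file.core.windows.net` (with a private endpoint or another cloud the host differs); the group names and rights in the usage call are placeholders.

```powershell
# Added example (not from the original post): mount with the storage key, set NTFS ACLs, unmount.

function Set-AzFileShareNtfsAcl {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $FileShareName,
        # AD principal -> icacls rights string, e.g. 'CONTOSO\FS-Users' = '(OI)(CI)M'
        [Parameter(Mandatory)] [hashtable] $Grants,
        [string] $DriveLetter = 'Z'
    )

    # Listing the keys requires a control-plane right (e.g. Owner/Contributor on the account)
    $key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value

    # Key-based SMB logon: the account name is the user, the key is the password
    $password   = ConvertTo-SecureString -String $key -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential -ArgumentList "AZURE\$StorageAccountName", $password
    $uncRoot    = "\\$StorageAccountName.file.core.windows.net\$FileShareName"   # assumption: public endpoint

    # No -Persist: the mapping lives only in this PowerShell session
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $uncRoot -Credential $credential -ErrorAction Stop | Out-Null
    try {
        $root = "$($DriveLetter):\"
        foreach ($principal in $Grants.Keys) {
            $rights = $Grants[$principal]
            # /grant:r replaces any explicit rights already granted to that principal
            & icacls.exe $root /grant:r "${principal}:${rights}" | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "icacls failed for $principal (exit code $LASTEXITCODE)" }
        }
        # Return the resulting ACL of the share root for review
        & icacls.exe $root
    }
    finally {
        # Always unmap, even when icacls failed: nothing should keep using the key-based session
        Remove-PSDrive -Name $DriveLetter -Force
        Remove-Variable key, password, credential -ErrorAction SilentlyContinue
    }
}

# Placeholder names following the post's convention; the rights mirror the share-level roles
Set-AzFileShareNtfsAcl -ResourceGroupName 'tuc-hub-storage-rg' -StorageAccountName 'stlrstucfrcprdfile' `
    -FileShareName 'fileserver' -Grants @{
        'CONTOSO\FS-Admins' = '(OI)(CI)F'   # Full control, pairs with the Elevated Contributor role
        'CONTOSO\FS-Users'  = '(OI)(CI)M'   # Modify, pairs with the Contributor role
    }
```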

6. Next Steps

Possible next steps:

  • Configure a private endpoint on the storage account to secure connectivity from within your virtual networks
  • Set up Azure File Sync to start migrating your data
  • Create a new DFS namespace to allow easier translation of common names

Feel free to comment or provide additional insights on the scripts and documentation provided.

The post Moving your data to a serverless infrastructure with Azure Files and Active Directory Authentication (Preview) appeared first on Tunecom.

Virtual Datacenter Concept | 3 of 10 | Resource Groups
https://www.tunecom.be/stg_ba12f/?p=188
Mon, 17 Feb 2020 08:57:00 +0000

Welcome back to the Azure Virtual Datacenter Concept blog post series.

In our previous posts about naming conventions and Azure Governance, we’ve defined our rules of play. Now it’s time to start populating our Azure environment with some Resource Groups.

Azure Governance Scaffold : Resource Groups
Let’s talk resources!

When deploying new resources in Azure, they reside in the Azure Resource Manager model. The Azure Resource Manager model is the successor of the Azure Service Management model which is often referred to as Azure v1 or Azure Classic. Since we are deploying resources in Azure, we want some kind of containerization or logical management layer on top of that. And that is exactly why we need a resource group before we can deploy a resource in Azure.

A resource group is a logical boundary that can organize your resources based on the environment, application or other specific characteristics. We can harden our resource group from unwanted changes by implementing role based access controls and resource locks.

Figure: Azure Resource Manager request model
Stuff to think about

Prior to deploying our first resource in a resource group, we have a couple of recommendations and/or limitations that we need to take care of:

  • A resource can only exist in one resource group
  • Resources can be moved from one resource group to another group
  • Resources are able to communicate or connect to resources in other resource groups
  • Resource groups can be controlled by specific RBAC controls or resource locks.
    • Takeaway: Our advice is to assign specific roles of access to the resource groups and apply a delete lock by default.
    • Tip: We can force these roles and locks with Azure Policy
  • Resource groups can contain resources that are located in different regions
    • Takeaway: Our advice is to keep your resources within the same region as your resource group.
    • Tip: We can force this behavior via Azure Policy

Ready, set, GO? STOP! Let’s first take a couple of design decisions.

Taking the above information into account, we don’t want to start deploying resources and resource groups via the Azure Portal. The rule of thumb is to use the Azure Portal as much as you can for view / read-only actions and to perform your deployments with ARM templates, PowerShell or the CLI.

Before we deploy our base set of resource groups, let’s think about which resource groups we are going to deploy and why. The table below gives you an example that you can use in any of your Azure designs to provide a holistic overview of the required resource groups. Have a look here at how naming conventions are provisioned / enforced.

Resource Group Name     | Resources
HUB
<cus>-hub-storage-rg    | All components related to central storage
<cus>-hub-management-rg | All components related to central management tools
<cus>-hub-network-rg    | All components related to central networking
<cus>-hub-mig-rg        | All components related to migration workloads
<cus>-hub-backup-rg     | All components related to the central backup instance
<cus>-hub-identity-rg   | All components related to the central Identity instance
ENV
<cus>-dev-app-rg        | All components related to the development application tier
<cus>-dev-web-rg        | All components related to the development web tier
<cus>-dev-network-rg    | All components related to the development network tier
<cus>-dev-db-rg         | All components related to the development database tier
<cus>-dev-storage-rg    | All components related to the development storage tier

The table above gives you guidance on how to deploy a central HUB for resources and create a set of resource groups per environment.

Our environment specific resource groups are designed in a way that we can re-utilize them for multiple purposes.

Design ready, let’s go!

The PowerShell script below can be used to deploy a tier-based environment, starting from a simple hub and production approach up to a full-blown DTAP (Development, Test, Acceptance, Production) environment.

Powershell Script

##################

Param(
  [string]$RG_PurposeHUB,
  [string]$RG_PurposePRD,
  [string]$RG_PurposeACC,
  [string]$RG_PurposeTST,
  [string]$RG_PurposeDEV,
  [string]$Cus,
  [string]$fullLocation,
  [string]$owner,
  [string]$EnvironmentTier

)


#####################################################################################
######## START OF NAMING CONVENTION RESOURCE GROUPS HUB,PRD,DEV,TST ########
#####################################################################################

################### HUB
$HUBRGID = $Cus + '-' + $RG_PurposeHUB + '-' + 'identity' + '-rg'
$HUBRGSTOR = $Cus + '-' + $RG_PurposeHUB + '-' + 'storage' + '-rg'
$HUBRGMGM = $Cus + '-' + $RG_PurposeHUB + '-' + 'management' + '-rg'
$HUBRGNET = $Cus + '-' + $RG_PurposeHUB + '-' + 'network' + '-rg'
$HUBRGMIG = $Cus + '-' + $RG_PurposeHUB + '-' + 'mig' + '-rg'
$HUBRGRSV = $Cus + '-' + $RG_PurposeHUB + '-' + 'backup' + '-rg'

################### PRD

$PRDRGAPP = $Cus + '-' + $RG_PurposePRD + '-' + 'app' + '-rg'
$PRDRGDB = $Cus + '-' + $RG_PurposePRD + '-' + 'db' + '-rg'
$PRDRGSTOR = $Cus + '-' + $RG_PurposePRD + '-' + 'storage' + '-rg'
$PRDRGNET = $Cus + '-' + $RG_PurposePRD + '-' + 'network' + '-rg'
$PRDRGWEB = $Cus + '-' + $RG_PurposePRD + '-' + 'web' + '-rg'

################### ACC

$ACCRGAPP = $Cus + '-' + $RG_PurposeACC + '-' + 'app' + '-rg'
$ACCRGDB = $Cus + '-' + $RG_PurposeACC + '-' + 'db' + '-rg'
$ACCRGSTOR = $Cus + '-' + $RG_PurposeACC + '-' + 'storage' + '-rg'
$ACCRGNET = $Cus + '-' + $RG_PurposeACC + '-' + 'network' + '-rg'
$ACCRGWEB = $Cus + '-' + $RG_PurposeACC + '-' + 'web' + '-rg'

################### TST

$TSTRGAPP = $Cus + '-' + $RG_PurposeTST + '-' + 'app' + '-rg'
$TSTRGDB = $Cus + '-' + $RG_PurposeTST + '-' + 'db' + '-rg'
$TSTRGSTOR = $Cus + '-' + $RG_PurposeTST + '-' + 'storage' + '-rg'
$TSTRGNET = $Cus + '-' + $RG_PurposeTST + '-' + 'network' + '-rg'
$TSTRGWEB = $Cus + '-' + $RG_PurposeTST + '-' + 'web' + '-rg'

################### DEV

$DEVRGAPP = $Cus + '-' + $RG_PurposeDEV + '-' + 'app' + '-rg'
$DEVRGDB = $Cus + '-' + $RG_PurposeDEV + '-' + 'db' + '-rg'
$DEVRGSTOR = $Cus + '-' + $RG_PurposeDEV + '-' + 'storage' + '-rg'
$DEVRGNET = $Cus + '-' + $RG_PurposeDEV + '-' + 'network' + '-rg'
$DEVRGWEB = $Cus + '-' + $RG_PurposeDEV + '-' + 'web' + '-rg'

#####################################################################################
######## END OF NAMING CONVENTION RESOURCE GROUPS HUB,PRD,DEV,TST ########
#####################################################################################



#####################################################################################
######## START OF CREATION RESOURCE GROUPS HUB,PRD,DEV,TST,ACC ########
#####################################################################################


function new-resourcegroups
{
Param ([string]$fullLocation,[string]$owner,[string]$rsgapp,[string]$rsgdb,[string]$rsgstor,[string]$rsgnet,[string]$rsgweb,[string]$rsgpurpose)

            New-AzResourceGroup -Name $rsgapp -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Application";Owner="$owner"}
            New-AzResourceGroup -Name $rsgdb -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Database";Owner="$owner"}
            New-AzResourceGroup -Name $rsgstor -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Storage";Owner="$owner"}
            New-AzResourceGroup -Name $rsgnet -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Networking";Owner="$owner"}
            New-AzResourceGroup -Name $rsgweb -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Web";Owner="$owner"}
}


function new-hubresourcegroups
{
# The hub has no app/db/web tier, so this function only takes the six hub resource group names
Param ([string]$fullLocation,[string]$owner,[string]$rsgstor,[string]$rsgmgm,[string]$rsgnet,[string]$rsgmig,[string]$rsgidentity,[string]$rsgrsv,[string]$rsgpurpose)

            ### HUB AZ Powershell
            New-AzResourceGroup -Name $rsgstor -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Storage";Owner="$owner"}
            New-AzResourceGroup -Name $rsgmgm -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Management";Owner="$owner"}
            New-AzResourceGroup -Name $rsgnet -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Networking";Owner="$owner"}
            New-AzResourceGroup -Name $rsgmig -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Migration";Owner="$owner"}
            New-AzResourceGroup -Name $rsgidentity -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Identity";Owner="$owner"}
            New-AzResourceGroup -Name $rsgrsv -Location $fullLocation -Tag @{Environment="$rsgpurpose";Purpose="Backup";Owner="$owner"}
}



Write-Host "Deploying environment tier $EnvironmentTier"

# Select the setup steps required for this environment (every tier starts with the HUB and PRD groups)
    Switch ($EnvironmentTier)
    {
        1 {
            # new HUB Resource Groups
            new-hubresourcegroups -fullLocation $fullLocation -owner $owner -rsgstor $HUBRGSTOR -rsgmgm $HUBRGMGM -rsgnet $HUBRGNET -rsgmig $HUBRGMIG -rsgidentity $HUBRGID -rsgrsv $HUBRGRSV -rsgpurpose $RG_PurposeHUB
            # new PRD Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $PRDRGAPP -rsgdb $PRDRGDB -rsgstor $PRDRGSTOR -rsgnet $PRDRGNET -rsgweb $PRDRGWEB -rsgpurpose $RG_PurposePRD
          }
        2 {
            # new HUB Resource Groups
            new-hubresourcegroups -fullLocation $fullLocation -owner $owner -rsgstor $HUBRGSTOR -rsgmgm $HUBRGMGM -rsgnet $HUBRGNET -rsgmig $HUBRGMIG -rsgidentity $HUBRGID -rsgrsv $HUBRGRSV -rsgpurpose $RG_PurposeHUB
            # new PRD Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $PRDRGAPP -rsgdb $PRDRGDB -rsgstor $PRDRGSTOR -rsgnet $PRDRGNET -rsgweb $PRDRGWEB -rsgpurpose $RG_PurposePRD
            # new ACC Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $ACCRGAPP -rsgdb $ACCRGDB -rsgstor $ACCRGSTOR -rsgnet $ACCRGNET -rsgweb $ACCRGWEB -rsgpurpose $RG_PurposeACC
          }
        3 {
            # new HUB Resource Groups
            new-hubresourcegroups -fullLocation $fullLocation -owner $owner -rsgstor $HUBRGSTOR -rsgmgm $HUBRGMGM -rsgnet $HUBRGNET -rsgmig $HUBRGMIG -rsgidentity $HUBRGID -rsgrsv $HUBRGRSV -rsgpurpose $RG_PurposeHUB
            # new PRD Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $PRDRGAPP -rsgdb $PRDRGDB -rsgstor $PRDRGSTOR -rsgnet $PRDRGNET -rsgweb $PRDRGWEB -rsgpurpose $RG_PurposePRD
            # new ACC Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $ACCRGAPP -rsgdb $ACCRGDB -rsgstor $ACCRGSTOR -rsgnet $ACCRGNET -rsgweb $ACCRGWEB -rsgpurpose $RG_PurposeACC
            # new TST Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $TSTRGAPP -rsgdb $TSTRGDB -rsgstor $TSTRGSTOR -rsgnet $TSTRGNET -rsgweb $TSTRGWEB -rsgpurpose $RG_PurposeTST
          }
        4 {
            # new HUB Resource Groups
            new-hubresourcegroups -fullLocation $fullLocation -owner $owner -rsgstor $HUBRGSTOR -rsgmgm $HUBRGMGM -rsgnet $HUBRGNET -rsgmig $HUBRGMIG -rsgidentity $HUBRGID -rsgrsv $HUBRGRSV -rsgpurpose $RG_PurposeHUB
            # new PRD Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $PRDRGAPP -rsgdb $PRDRGDB -rsgstor $PRDRGSTOR -rsgnet $PRDRGNET -rsgweb $PRDRGWEB -rsgpurpose $RG_PurposePRD
            # new ACC Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $ACCRGAPP -rsgdb $ACCRGDB -rsgstor $ACCRGSTOR -rsgnet $ACCRGNET -rsgweb $ACCRGWEB -rsgpurpose $RG_PurposeACC
            # new TST Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $TSTRGAPP -rsgdb $TSTRGDB -rsgstor $TSTRGSTOR -rsgnet $TSTRGNET -rsgweb $TSTRGWEB -rsgpurpose $RG_PurposeTST
            # new DEV Resource Groups
            new-resourcegroups -fullLocation $fullLocation -owner $owner -rsgapp $DEVRGAPP -rsgdb $DEVRGDB -rsgstor $DEVRGSTOR -rsgnet $DEVRGNET -rsgweb $DEVRGWEB -rsgpurpose $RG_PurposeDEV
          }
        default {
            Write-Warning "Unknown environment tier '$EnvironmentTier': expected 1 (HUB+PRD), 2 (+ACC), 3 (+TST) or 4 (+DEV). Nothing was deployed."
          }
    }


#####################################################################################
######## END OF CREATION RESOURCE GROUPS HUB,PRD,DEV,TST ########
#####################################################################################

If we save the script as “1._Create_Az_ResourceGroups_v2.ps1” and run it with the parameters below this should give us the following result.

.\1._Create_Az_ResourceGroups_v2.ps1 -RG_PurposeHUB "hub" -RG_PurposePRD "prd" -RG_PurposeACC "acc" -RG_PurposeTST "tst" -RG_PurposeDEV "dev" -Cus "cus" -fullLocation "westeurope" -owner "Yannick Dils" -EnvironmentTier 4
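The "stuff to think about" list recommends a delete lock on every resource group by default and keeping resources in the same region as their group. The functions below are an added example, not part of the original post or scripts: the first creates a resource group idempotently with the post's tags and a CanNotDelete lock, the second reports resources that sit in a different region than their group. They assume Az.Resources is installed and `Connect-AzAccount` / `Select-AzSubscription` have been run; the names in the usage lines are placeholders built from the post's `<cus>-<env>-<purpose>-rg` convention.

```powershell
# Added example (not from the original post): governed resource group creation and a region drift check.

function New-GovernedResourceGroup {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [hashtable] $Tag,
        [string] $LockName = 'DoNotDelete'
    )

    # Idempotent: re-running the deployment script must not fail on groups that already exist
    $rg = Get-AzResourceGroup -Name $Name -ErrorAction SilentlyContinue
    if (-not $rg) {
        $rg = New-AzResourceGroup -Name $Name -Location $Location -Tag $Tag
    }
    elseif ($rg.Location -ne $Location) {
        # A resource group's region cannot be changed afterwards; surface the mismatch instead of hiding it
        Write-Warning "$Name already exists in $($rg.Location), not in $Location"
    }

    # CanNotDelete still allows changes inside the group; ReadOnly would block those as well
    $lock = Get-AzResourceLock -ResourceGroupName $Name -LockName $LockName -ErrorAction SilentlyContinue
    if (-not $lock) {
        New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete -ResourceGroupName $Name `
            -LockNotes 'Applied by default at creation; remove explicitly before decommissioning' -Force | Out-Null
    }
    return $rg
}

function Get-ResourceRegionDrift {
    # Lists resources whose region differs from the region of their resource group
    param([string] $NamePattern = '*')

    $groups = Get-AzResourceGroup | Where-Object { $_.ResourceGroupName -like $NamePattern }
    foreach ($rg in $groups) {
        Get-AzResource -ResourceGroupName $rg.ResourceGroupName |
            # Resources with a 'global' location (e.g. DNS zones) have no region to compare
            Where-Object { $_.Location -and $_.Location -ne 'global' -and $_.Location -ne $rg.Location } |
            ForEach-Object {
                [pscustomobject]@{
                    ResourceGroup  = $rg.ResourceGroupName
                    GroupRegion    = $rg.Location
                    Resource       = $_.Name
                    ResourceType   = $_.ResourceType
                    ResourceRegion = $_.Location
                }
            }
    }
}

# Same tags as the post's new-resourcegroups function; names are placeholders
New-GovernedResourceGroup -Name 'cus-prd-app-rg' -Location 'westeurope' `
    -Tag @{ Environment = 'prd'; Purpose = 'Application'; Owner = 'Yannick Dils' }
Get-ResourceRegionDrift -NamePattern 'cus-prd-*' | Format-Table -AutoSize
```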

View / Read-only on the Azure Portal

Figure: hub (central) resource groups as shown in the Azure Portal
Figure: production (prd) resource groups as shown in the Azure Portal

Summary

Thank you for reading through the resource groups blog post. Our aim was to give you an overview and a set of best practices on how to implement resource groups based on a couple of design standards within the virtual datacenter concept. We now have a clear naming standard with a set of policies that are applied to our management groups, subscriptions and resource groups. Our resource groups have been pre-configured in order to facilitate the deployment of our future resources.

What’s next?

The following aspects of the virtual datacenter concept will be highlighted in the following upcoming posts:

  • Virtual Datacenter Concept – 4 of 10 – Virtual Networking
  • Virtual Datacenter Concept – 5 of 10 – Cloud Storage
  • Virtual Datacenter Concept – 6 of 10 – Identity Options
  • Virtual Datacenter Concept – 7 of 10 – Log Analytics
  • Virtual Datacenter Concept – 8 of 10 – Security
  • Virtual Datacenter Concept – 9 of 10 – Business Continuity
  • Virtual Datacenter Concept – 10 of 10 – Automation

Missed a part or want to review a previous section? Be sure to check out my previous posts:

The post Virtual Datacenter Concept | 3 of 10 | Resource Groups appeared first on Tunecom.

Virtual Datacenter Concept | 2 of 10 | Governance
https://www.tunecom.be/stg_ba12f/?p=186
Wed, 29 Jan 2020 08:20:00 +0000

This blogpost is part of a series of Azure Virtual Datacenter Concept blog posts.

Today let’s focus on probably the most important pillar of the Azure Governance scaffold: Azure Governance.
We will talk about Azure Policies and auditing, resource tagging, managing subscriptions, locking down resources and role based access controls.


What’s it all about? Policies on Azure? And more!

As stated before, this is probably the most important pillar, so what is it exactly?
Azure Governance allows you to define the rules of play for all your subscriptions within your Azure AD tenant. In a typical on-premises scenario, you would deploy group policies within your Windows Server Active Directory estate in order to meet your corporate requirements and standards, and most of all to make sure you gain a certain amount of control over your infrastructure.

So, comparable with group policies you say? Not exactly, with Azure Policies we can do so much more and on different levels.

Before we start deploying policies, we need some kind of hierarchy to which we can apply them, just as traditional group policies needed organizational units to group our resources into logical containers.

Management Groups

A management group is a logical container to which policies, blueprints and role based access controls can be applied. Subscriptions can be added to a management group so that they inherit the settings applied to it. The example below, provided by Microsoft, shows how you can organize management groups, subscriptions and resource groups per business unit, geo-location and environment type.

When on-boarding your first subscription into your tenant, it will be added to your root management group.

Best practice is to create a management group attached to the root management group and start from there. As with group policies, you usually start with a new OU and apply policies on that level. You never start with changing the default domain policies.

The following PowerShell demonstrates how to create a very simple management group hierarchy.

Powershell script
###########
#
# Let us define our variables here
#
###########

$ParentGroupname = "Contoso_Management_Group"
$ITManagementGroupname = "IT_OPS_Management_Group"
$PRDManagementGroupname = "Production_Environment_Management_Group"
$DEVManagementGroupname = "Development_Environment_Management_Group"

###########
#
# Create the parent management group which is located just below the root management group
#
###########

$ParentGroup = New-AzManagementGroup -GroupName $ParentGroupname -DisplayName $ParentGroupname
$parentobject = Get-AzManagementGroup -GroupName $ParentGroupname
$ParentID = $ParentGroup.ParentId

###########
#
# Create the IT Operations management group as a member of the parent group
#
###########

$ITGroup = New-AzManagementGroup -GroupName $ITManagementGroupname -DisplayName $ITManagementGroupname -ParentObject $parentobject
$ITGroupObject = Get-AzManagementGroup -GroupName $ITManagementGroupname

###########
#
# Create the Production and Development management groups as a member of the IT Operations management group
#
###########

$PRDGroup = New-AzManagementGroup -GroupName $PRDManagementGroupname -DisplayName $PRDManagementGroupname -ParentObject $ITGroupObject
$DEVGroup = New-AzManagementGroup -GroupName $DEVManagementGroupname -DisplayName $DEVManagementGroupname -ParentObject $ITGroupObject


###########
#
# Move our subscriptions to the correct management group
#
###########

$PRDsubscription = Get-AzSubscription | where {$_.Name -eq "Azure IT Ops Prd"}
$DEVsubscription = Get-AzSubscription | where {$_.Name -eq "Azure IT OPS Dev"}


New-AzManagementGroupSubscription -GroupName $PRDGroup.Name -SubscriptionId $PRDsubscription.SubscriptionId
New-AzManagementGroupSubscription -GroupName $DEVGroup.Name -SubscriptionId $DEVsubscription.SubscriptionId

###########
#
# End of script
#
###########

Subscriptions

In the previous example, we’ve added our production and development subscription to a management group. By adding our subscriptions to a management group, we can start defining our rules of play at 2 levels.

  • Top level: Management Group
  • Sub level: Subscription

A subscription is a billing and management boundary to deploy your resources in and manage them via the right set of role based access controls.

Your subscription(s) are linked to your Azure AD tenant and can be made available to your administrators by delegating permissions on a per-subscription basis.

Our previous example provisioned a Production and a Development subscription. With RBAC we can assign our developers the Contributor role on the Development subscription, so they can deploy and manage their resources. That same developer can only be granted a Read-Only role on production, to make sure no changes are being made on our production platform. If we really want to utilize the power of Azure we will deploy the roles at management group level, so every subscription in the PRD and DEV management groups inherits the right set of roles and permissions.
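Assigning at management group level looks like this in practice. The function below is an added example, not part of the original post or scripts; it assumes the management groups and the "Azure IT Ops Prd" subscription created by the script above exist, Az.Resources is installed, `Connect-AzAccount` has been run, and that `SG-Developers` is a placeholder for your own Azure AD group.

```powershell
# Added example (not from the original post): role assignment at management group scope,
# inherited by every subscription underneath, plus a check from the subscription side.

function Set-ManagementGroupRole {
    param(
        [Parameter(Mandatory)] [string] $ManagementGroupName,
        [Parameter(Mandatory)] [string] $GroupDisplayName,
        [Parameter(Mandatory)] [string] $RoleDefinitionName
    )
    # Management group scopes live under /providers/Microsoft.Management, not /subscriptions/...
    $scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"

    # Assign to an Azure AD group (by object id) rather than to individual developers
    $group = Get-AzADGroup -DisplayName $GroupDisplayName
    if (-not $group) { throw "Azure AD group '$GroupDisplayName' not found" }

    # Get-AzRoleAssignment also returns assignments from parent scopes, so keep only the exact scope
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleDefinitionName -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) {
        Write-Host "$RoleDefinitionName for $GroupDisplayName is already assigned at $scope"
        return $existing
    }
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleDefinitionName -Scope $scope
}

# Developers: Contributor on everything under DEV, Reader on everything under PRD
Set-ManagementGroupRole -ManagementGroupName 'Development_Environment_Management_Group' `
    -GroupDisplayName 'SG-Developers' -RoleDefinitionName 'Contributor'
Set-ManagementGroupRole -ManagementGroupName 'Production_Environment_Management_Group' `
    -GroupDisplayName 'SG-Developers' -RoleDefinitionName 'Reader'

# Verify from the subscription side: inherited assignments show the management group as their Scope
$prdSubscription = Get-AzSubscription | Where-Object { $_.Name -eq 'Azure IT Ops Prd' }
Get-AzRoleAssignment -Scope "/subscriptions/$($prdSubscription.SubscriptionId)" |
    Where-Object { $_.Scope -like '/providers/Microsoft.Management/managementGroups/*' } |
    Select-Object DisplayName, RoleDefinitionName, Scope | Format-Table -AutoSize
```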

RBAC (Role Based Access Controls)

And yes, Role Based Access Control is exactly what it states: we are giving access to a set of resources based on the specific role a security principal has. A security principal can be one of the following.

Figure: Security principal for a role assignment

Now how does this work in Azure? RBAC is applied at 2 levels.

  • Azure Active Directory
  • Azure Subscriptions or Management Groups

As an example, you can have a global administrator within your Azure Active Directory tenant. That global administrator will have the ability to perform everything within your Azure AD tenant. However, that same global administrator, doesn’t necessarily have the same amount of power within your Azure Subscriptions. Your Azure Subscriptions or Management Groups are using their own built-in roles. If you want your global administrator to have all the keys to the kingdom, you’ll have to grant him Subscription Owner rights within your Azure Subscription.

Below is an overview of the Global Administrator permissions.

Below is an overview of the Azure Owner permissions.

As an administrator, I would love to have the keys to the kingdom. For demo purposes, the PowerShell script below gives you an idea of how to assign the required roles to a user.

Best practice is to assign roles to a security principal based on the least privilege principle.

Powershell script (credits to Steve König for the password generator included in this script). Note that the AzureAD module used for the directory part has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the Az cmdlets used for the role assignment are still current.
###########
#
# Connect to your Azure AD Tenant
#
###########

$MyAzureADTenant = Connect-AzureAD
$tenantname = $MyAzureADTenant.TenantDomain

###########
#
# Define our new admin user and the management group that will receive the Owner assignment
#
###########

$DisplayName = "MyAdmin"
$MailNickName = "MyAdmin"
$CompanyName = "MyCompany"
$UPN = $MailNickName + "@" + $tenantname
$ParentGroupname = "MyParentManagementGroup"   # management group ID (not its display name), used in the last step

###########
#
# Generate a new complex password
#
# Security note: Get-Random is not a cryptographically secure generator and 8 characters is only
# the Azure AD minimum. For a real admin account generate a longer password with
# [System.Security.Cryptography.RandomNumberGenerator], hand it over through a secure channel
# and do not leave it behind in a variable, transcript or script output.
#
###########

function Get-RandomCharacters($length, $characters) {
    # Pick $length random positions in the character set and join them into one string
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $private:ofs = ""
    return [String]$characters[$random]
}

function Scramble-String([string]$inputString) {
    # Shuffle the characters so the lower/upper/digit/symbol order is not predictable
    $characterArray = $inputString.ToCharArray()
    $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length
    $outputString = -join $scrambledStringArray
    return $outputString
}

# The character sets leave out the easily confused j, q, I, J and Q
$password = Get-RandomCharacters -length 5 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 1 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 1 -characters '1234567890'
$password += Get-RandomCharacters -length 1 -characters '!"§$%&/()=?}][{@#*+'

$password = Scramble-String $password

###########
#
# Store the password in a password profile
#
###########

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $password

###########
#
# Create my new admin user
#
###########

New-AzureADUser -DisplayName $DisplayName -CompanyName $CompanyName -UserPrincipalName $UPN -AccountEnabled $true -PasswordProfile $PasswordProfile -MailNickName $MailNickName
$User = Get-AzureADUser -ObjectId $UPN

###########
#
# Assign the Azure AD Global Administrator Role
#
# The AzureAD module lists Global Administrator under its old name 'Company Administrator'.
# Get-AzureADDirectoryRole only returns roles that are activated in the tenant; Global
# Administrator always is, other roles may first need Enable-AzureADDirectoryRole.
#
###########

$GlobalAdminRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
Add-AzureADDirectoryRoleMember -ObjectId $GlobalAdminRole.ObjectId -RefObjectId $User.ObjectId

###########
#
# !!! Login with an account that has Owner (or User Access Administrator) permissions on the
# management group in order to add a new security principal to the role.
# Grant Owner on my parent management group; every subscription below it inherits the assignment.
#
###########

$MyAzureSubscriptionAccount = Connect-AzAccount   # Login-AzAccount is an alias for Connect-AzAccount
$MyAzureSubscription = Get-AzSubscription         # sanity check: the subscriptions this account can see

# A user created seconds ago may not be replicated yet; if the assignment fails with
# "principal not found", wait a moment and retry.
New-AzRoleAssignment -SignInName $UPN -RoleDefinitionName "Owner" -Scope "/providers/Microsoft.Management/managementGroups/$($ParentGroupname)"

###########
#
# End of script
#
###########


Time for a small recap

Taking the above into account, we’ve made our environment ready with the following structure.

  1. Management Groups
  2. Subscriptions linked to our management groups
  3. Subscription Owner assigned with RBAC at Management Group level
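
Before moving on it is worth checking who actually holds Owner or User Access Administrator at that management group, since every subscription underneath inherits it. The script below is an added example and not part of the original post: it lists the privileged assignments visible at a management group scope and flags the ones made directly to a user instead of a group, plus assignments whose principal no longer exists. It assumes the Az module, a completed Connect-AzAccount, and a placeholder management group name.

```powershell
# Added example (not from the original post): report privileged Azure RBAC assignments
# at a management group. Assumes the Az module is installed and Connect-AzAccount has run.
# $ParentGroupname is a placeholder; use the management group ID (not its display name).

$ParentGroupname = "MyParentManagementGroup"
$PrivilegedRoles = @("Owner", "User Access Administrator")

function Get-PrivilegedAssignment {
    param(
        [Parameter(Mandatory)][string]$ManagementGroupName,
        [string[]]$Roles = $PrivilegedRoles
    )
    $scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"

    # At a given scope Get-AzRoleAssignment returns the assignments made there and those
    # inherited from parent management groups or the tenant root scope ("/")
    Get-AzRoleAssignment -Scope $scope |
        Where-Object { $_.RoleDefinitionName -in $Roles } |
        ForEach-Object {
            $finding = ""
            if ($_.ObjectType -eq "User") {
                # Role assigned straight to a user: hard to review and to revoke at scale
                $finding = "direct user assignment; prefer a group"
            } elseif ($_.ObjectType -eq "Unknown") {
                # The principal was deleted from Azure AD but the assignment is still there
                $finding = "orphaned assignment; remove it"
            }
            [pscustomobject]@{
                Principal  = $_.DisplayName
                SignInName = $_.SignInName
                Type       = $_.ObjectType
                Role       = $_.RoleDefinitionName
                AssignedAt = $_.Scope
                Inherited  = ($_.Scope -ne $scope)
                Finding    = $finding
            }
        }
}

Get-PrivilegedAssignment -ManagementGroupName $ParentGroupname | Format-Table -AutoSize
```

Run this after the script above and the new admin should show up as a direct user assignment of Owner; anything with Inherited set to True comes from a parent scope (including the root scope a Global Administrator can elevate into) and cannot be removed at this management group.
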

Let’s continue: Resource Locks

Now that we have our management structure up and running, let’s see how we can use Azure Policy to start locking down our environment.

Locking down... sounds like a plan, so let’s look at Resource Locks. What is a resource lock and how is it applied?

There are 2 types (levels) of resource locks:

  1. CanNotDelete (shown as Delete in the portal) – authorised users can still read and modify the resource, but cannot delete it
  2. ReadOnly – authorised users can read the resource but cannot change or delete it; this is enforced on the management plane, so some operations that feel like reads but are POST calls (listing storage account keys, for example) are blocked as well

Where can this be applied?

  1. Subscription Level : Applies to all resource groups and resources
  2. Resource Group: Applied to all resources in that specific resource group
  3. Resource: Applied to a specific resource

When can this be applied?

A lock can be created together with the resource in an ARM template, added afterwards through PowerShell (New-AzResourceLock), the CLI or the portal on existing resources, or applied at scale with Azure Policy. Keep in mind that a lock protects against mistakes, not against a malicious or careless administrator: whoever holds Microsoft.Authorization/locks/* (Owner and User Access Administrator by default, not Contributor) can remove it again, and a lock is inherited by everything below the scope it is set on.
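
Applying the lock with PowerShell, as an added example that is not part of the original post: the function below walks every resource group in the current subscription, reports the ones without a delete lock and, with -Apply, creates one. It assumes the Az module and a completed Connect-AzAccount; the lock name is an assumption. A ReadOnly lock is accepted as compliant too, because it also blocks deletion.

```powershell
# Added example (not from the original post). Assumes the Az module and Connect-AzAccount.
function Set-MissingDeleteLock {
    param(
        [string]$LockName = "ResourceLock",   # assumed name for the locks this function creates
        [switch]$Apply                         # without -Apply the function only reports
    )
    foreach ($rg in Get-AzResourceGroup) {
        # -AtScope returns the locks on the resource group itself (and any inherited from
        # the subscription) instead of every lock on the resources inside it
        $locks = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope

        # Both levels stop deletion; ReadOnly is stricter and also blocks writes
        $deleteProtected = $locks | Where-Object { $_.Properties.level -in @("CanNotDelete", "ReadOnly") }

        if ($deleteProtected) {
            $status = "compliant ($($deleteProtected.Properties.level -join ','))"
        } elseif ($Apply) {
            # Creating a lock needs Microsoft.Authorization/locks/write, which Owner and
            # User Access Administrator have and Contributor does not
            New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete `
                -ResourceGroupName $rg.ResourceGroupName `
                -LockNotes "Prevent accidental deletion of resource groups" -Force | Out-Null
            $status = "CanNotDelete lock applied"
        } else {
            $status = "missing delete lock"
        }

        [pscustomobject]@{ ResourceGroup = $rg.ResourceGroupName; Status = $status }
    }
}

Set-MissingDeleteLock            # dry run: report only
# Set-MissingDeleteLock -Apply   # remediate
```

This is the imperative version of what the Azure Policy further down does declaratively; it is handy for a one-off sweep or for a scheduled check, but it does not re-apply the lock when a new resource group is created, which is exactly what the policy adds.
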

Let us walk through the steps to make sure that a Delete lock is applied to all of our resource groups.

Azure Policy

For the sake of this blogpost series, I won’t dig too deep into Azure Policies and how the policy structure is being assembled. My colleague @ThomasVanLaere has made a detailed blog-post on Azure Policy, make sure to check that one out as well.

We will make use of a predefined Azure Policy and alter it to meet our needs. What are our needs?

  1. Audit subscriptions / resource groups that don’t have a Delete lock applied
  2. Remediate subscriptions / resource groups so that a delete lock is applied

The policy definition below is exactly what we need: it audits our resource groups and deploys a lock where none is present (effect deployIfNotExists). The roleDefinitionIds entry is a placeholder; replace it with the ID of a role that holds Microsoft.Authorization/locks/write (Owner, or better a custom role limited to locks), because that is the role the policy’s managed identity will use to create the lock.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Authorization/locks",
        "existenceCondition": {
          "field": "Microsoft.Authorization/locks/level",
          "equals": "CanNotDelete"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/0000-0000-0000-0000-0000000"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
              "contentVersion": "1.0.0.0",
              "resources": [
                {
                  "type": "Microsoft.Authorization/locks",
                  "apiVersion": "2017-04-01",
                  "name": "ResourceLock",
                  "properties": {
                    "level": "CanNotDelete",
                    "notes": "Prevent accidental deletion of resource groups"
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}

Mode must be All, because Indexed mode skips resource groups. The lock deployment runs in the resource group being evaluated and takes no parameters, so the template declares none (a declared parameter without a value would make every remediation deployment fail).

Now let’s apply this via Azure Policy. Create a new policy definition

Select a scope, since we are going to remediate a setting, we are forced to select a subscription. As of writing, management groups don’t support remediation tasks yet. Enter your details and create a new category if you like.


Now paste in the previous code

And here we go, we have our custom policy definition ready to be assigned.

Now navigate to policy assignments and select assign policy

Select your policy, enter a description and click next.

We have no parameters that need to be defined, so let’s continue.


Next up: yes, we would like to remediate. A deployIfNotExists policy needs a managed identity to create the lock on our behalf. When you create the assignment in the Azure portal, a system-assigned managed identity is created and given the role(s) listed in roleDefinitionIds at the assignment scope; when you create the assignment with PowerShell or the CLI you have to make that role assignment yourself. From a least privilege point of view, prefer a custom role that only holds Microsoft.Authorization/locks/* over handing the policy identity Owner.


Final step, review and create!

Now let’s wait for the assignment to kick in and review our compliance state.


It can take up to 30 minutes before your policy is evaluated. Once the policy is evaluated you see a compliance or non-compliance report.

In this case.. all our resource groups are compliant.
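
The same definition, assignment, identity permission, remediation task and compliance check can be scripted, which is what you want once this has to be repeated per subscription. The script below is an added example and not part of the original post. It assumes Az.Resources (4.2 or later for -IdentityType; older versions use the -AssignIdentity switch) and Az.PolicyInsights, a completed Connect-AzAccount, that the JSON above is saved as .\rg-delete-lock-policy.json with a real role ID in roleDefinitionIds, and "westeurope" as the assignment location.

```powershell
# Added example (not from the original post). Assumptions: Az.Resources 4.2+, Az.PolicyInsights,
# Connect-AzAccount already run, the policy JSON from this post saved next to the script with
# a real role ID in roleDefinitionIds, and westeurope as the location of the assignment identity.

$PolicyFile   = ".\rg-delete-lock-policy.json"
$PolicyName   = "rg-require-delete-lock"
$Subscription = (Get-AzContext).Subscription.Id
$Scope        = "/subscriptions/$Subscription"

# 1. Definition. -Policy wants the policyRule, so pull it out of the full document;
#    -Mode All is required, otherwise resource groups are not evaluated.
$Document   = Get-Content $PolicyFile -Raw | ConvertFrom-Json
$Definition = New-AzPolicyDefinition -Name $PolicyName `
    -DisplayName "Resource groups must carry a CanNotDelete lock" `
    -Mode All -Policy ($Document.policyRule | ConvertTo-Json -Depth 20)

# 2. Assignment with a system-assigned managed identity (needed for deployIfNotExists)
$Assignment   = New-AzPolicyAssignment -Name $PolicyName -PolicyDefinition $Definition `
    -Scope $Scope -IdentityType SystemAssigned -Location "westeurope"
$AssignmentId = "$Scope/providers/Microsoft.Authorization/policyAssignments/$PolicyName"

# 3. Unlike the portal, PowerShell does not grant the identity the roles listed in
#    roleDefinitionIds; do it explicitly (a brand-new identity may need a minute to replicate)
$RoleIds = $Document.policyRule.then.details.roleDefinitionIds | ForEach-Object { ($_ -split '/')[-1] }
foreach ($roleId in $RoleIds) {
    New-AzRoleAssignment -ObjectId $Assignment.Identity.PrincipalId `
        -RoleDefinitionId $roleId -Scope $Scope | Out-Null
}

# 4. Remediation task. ReEvaluateCompliance evaluates the resource groups now instead of
#    waiting for the next compliance scan.
Start-AzPolicyRemediation -Name "$PolicyName-$(Get-Date -Format yyyyMMddHHmm)" `
    -PolicyAssignmentId $AssignmentId -Scope $Scope `
    -ResourceDiscoveryMode ReEvaluateCompliance | Out-Null

# 5. What is still non-compliant (empty once every resource group has its lock)
Get-AzPolicyState -PolicyAssignmentName $PolicyName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

Step 3 is the one people forget when they move from the portal to a pipeline: without the role assignment the remediation task runs, every deployment fails with an authorization error, and the compliance report stays red.
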

Ready for TAGS

Now that we’ve seen our first policy at work, it’s time to take a look at resource tags. And how we can benefit from applying a right set of tags to our environment. The below list represents a series of tags that we commonly use in our Azure environments.

Description  | Tag Name    | Values/Format
Cost Center  | CostCenter  | IT, HR, Finance, Sales, Marketing
Environment  | Environment | PRD, ACC, TST, DEV, HUB
Owner        | Owner       | owner@company.com
Application  | App         | Public Website, Sales App, ..
Importance   | Importance  | Critical, high, medium, low

Tags are most used in the following 2 scenarios:

  1. Cost Management (providing the ability to charge back to a specific cost center or owner)
  2. Resource navigation and automation (for example automating start/stop schedules by defining out-of-hours windows in tags)
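
A tag set is only useful when it is actually present and consistent, so here is an added example (not part of the original post) that audits every resource in the current subscription against the table above and, with -Apply, copies tags that exist on the resource group but not on the resource, since Azure does not inherit tags downwards. It assumes the Az module and a completed Connect-AzAccount; the allowed values come from the table, the e-mail check for Owner is this example's own.

```powershell
# Added example (not from the original post). Assumes the Az module and Connect-AzAccount.
# Tag names and allowed values are taken from the table in this post.

$TagRules = @{
    CostCenter  = @("IT", "HR", "Finance", "Sales", "Marketing")
    Environment = @("PRD", "ACC", "TST", "DEV", "HUB")
    Owner       = $null   # free text, validated as an e-mail address below
    App         = $null   # free text
    Importance  = @("Critical", "high", "medium", "low")
}

function Test-ResourceTags {
    param([hashtable]$Tags)
    # Emits one line per problem; no output means the resource is compliant.
    # A PowerShell hashtable literal is case-insensitive, which matches Azure tag names.
    $tags = @{}
    if ($Tags) { foreach ($k in $Tags.Keys) { $tags[$k] = $Tags[$k] } }

    foreach ($name in $TagRules.Keys) {
        if (-not $tags.ContainsKey($name)) { "missing tag $name"; continue }
        $value   = $tags[$name]
        $allowed = $TagRules[$name]
        if ($allowed -and ($value -cnotin $allowed)) {
            # -cnotin: Azure tag values are case-sensitive, so "prd" is not "PRD"
            "$name='$value' not in [$($allowed -join ', ')]"
        }
        if ($name -eq "Owner" -and $value -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            "Owner='$value' is not an e-mail address"
        }
    }
}

function Sync-TagsFromResourceGroup {
    param([switch]$Apply)   # without -Apply only report
    foreach ($rg in Get-AzResourceGroup) {
        $rgTags = if ($rg.Tags) { $rg.Tags } else { @{} }
        foreach ($res in Get-AzResource -ResourceGroupName $rg.ResourceGroupName) {
            $problems = @(Test-ResourceTags -Tags $res.Tags)
            if ($problems.Count -eq 0) { continue }

            # Tags the resource group has and the resource lacks
            $toAdd = @{}
            foreach ($k in $rgTags.Keys) {
                if (-not ($res.Tags -and $res.Tags.ContainsKey($k))) { $toAdd[$k] = $rgTags[$k] }
            }
            $action = "report only"
            if ($Apply -and $toAdd.Count -gt 0) {
                try {
                    # Merge adds or updates the given tags and leaves the resource's other tags alone
                    Update-AzTag -ResourceId $res.ResourceId -Tag $toAdd -Operation Merge -ErrorAction Stop | Out-Null
                    $action = "merged: $($toAdd.Keys -join ', ')"
                } catch {
                    # Some resource types do not support tags at all
                    $action = "tagging failed: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                ResourceGroup = $rg.ResourceGroupName
                Resource      = $res.Name
                Type          = $res.ResourceType
                Problems      = ($problems -join "; ")
                Action        = $action
            }
        }
    }
}

Sync-TagsFromResourceGroup | Format-Table -AutoSize   # dry run
# Sync-TagsFromResourceGroup -Apply                   # propagate resource group tags
```

The dry run doubles as a chargeback sanity check: a resource without CostCenter and Owner is a cost nobody will claim at the end of the month.
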

Before you start applying tags, make sure to go through the supported tag mechanisms and limits: a resource, resource group or subscription can carry at most 50 tags, tag names are case-insensitive while tag values are case-sensitive, not every resource type supports tags, and tags are not inherited from a subscription or resource group by the resources inside it. In our next blogpost we’ll talk about resource groups and, as with resource locks, we’ll look at how we can use Azure Policy to apply tags at scale.

Summary

This blogpost covers the high-level steps to start off with managing your subscriptions with management groups, applying RBAC at scale and locking down your environment with Azure Policy.

What’s next?

The following aspects of the virtual datacenter concept will be highlighted in the following upcoming posts:

  • Virtual Datacenter Concept – 3 of 10 – Resource Groups
  • Virtual Datacenter Concept – 4 of 10 – Virtual Networking
  • Virtual Datacenter Concept – 5 of 10 – Cloud Storage
  • Virtual Datacenter Concept – 6 of 10 – Identity Options
  • Virtual Datacenter Concept – 7 of 10 – Log Analytics
  • Virtual Datacenter Concept – 8 of 10 – Security
  • Virtual Datacenter Concept – 9 of 10 – Business Continuity
  • Virtual Datacenter Concept – 10 of 10 – Automation

Missed a part or want to review a previous section? Be sure to check out my previous posts:

The post Virtual Datacenter Concept | 2 of 10 | Governance appeared first on Tunecom.


Virtual Datacenter Concept | 1 of 10 | Naming Conventions
https://www.tunecom.be/stg_ba12f/?p=183
Tue, 07 Jan 2020 20:47:00 +0000

This blogpost is part of a series of Azure Virtual Datacenter Concept blog posts.

Let’s talk about one of the key pillars of the Azure Governance scaffold: naming conventions

Azure Governance - Naming conventions

Understanding which resource it is, what it does and where it is located

Naming standards and conventions have been around for decades.
They are commonly used to identify objects and are used in most industries.

Let’s take car manufacturer BMW as an example, their cars are named with certain key characteristics in mind.

BMW 118D Hatch
Brand = BMW
Motorization = 1800 CC
Fuel Type = Diesel
Bodywork = Hatch (5 doors)

Pretty simple example on how a well defined naming standard can immediately give you the necessary info about a certain object. In essence, that’s why naming conventions are used.

Azure Naming conventions

As with regular industry naming conventions, standardizing the way you define your Azure Resources is crucial.

Microsoft has a predefined set of naming rules and restrictions that need to be met when naming your resources (allowed characters, length limits and the scope within which a name must be unique); the following docs article gives you an overview of how naming standards can be applied.

Below you can find a couple of commonly used resources that need to be uniquely identified globally across Microsoft Azure.

! We will need some kind of generalization to keep our resources unique
Entity                       | Scope
API management               | Global
Key vault                    | Global
Function app                 | Global
Web app                      | Global
Storage account name (data)  | Global
Storage account name (disks) | Global
Data Lake Storage            | Global
Container registry           | Global
Service Bus namespace        | Global
Event Hubs namespace         | Global
Log Analytics Workspace      | Global

Taking the above information into account, we’ve generated a set of scripts that allow you to easily define a naming policy.

Input variables

To start building our naming conventions we first need a couple of input variables that are unique to our setup.

#####################################################################################
#
# This script provides you with an overview of all naming conventions that are being used in the Virtual Datacenter Concept
# Version: 0.1
# Author: Yannick Dils
#
#####################################################################################

#####################################################################################
#
# Below is a set of variables that is being used in order to populate the naming conventions
#
#####################################################################################


# Variable abbreviation for the resource group that will be used for central shared services
$RG_PurposeHUB = "hub" 

# Variable abbreviation for the resource group that will be used for production workloads
$RG_PurposePRD = "prd"

# Variable abbreviation for the resource group that will be used for acceptance workloads
$RG_PurposeACC = "acc"

# Variable abbreviation for the resource group that will be used for test workloads
$RG_PurposeTST = "tst"

# Variable abbreviation for the resource group that will be used for development workloads
$RG_PurposeDEV = "dev"

# Variable abbreviation for the customer / environment
$Cus = "<proj>"

# Variable abbreviation for the resource location
$Location = "weu"

# Variable which provides the desired resource location
$FullLocation = "WestEurope"

# Variable abbreviation for the resource owner
$owner = "YD"

# Variable abbreviation for the environment tier
# 1 : HUB + PRD
# 2 : HUB + PRD + ACC
# 3 : HUB + PRD + ACC + TST
# 4 : HUB + PRD + ACC + TST + DEV
$EnvironmentTier = "4"

# Variable required for resource generalization
$Guid = [guid]::NewGuid()
$MyGUID = $Guid.Guid.Remove(8)

#####################################################################################
#####################################################################################




Resource Groups

Resource group naming conventions are provided as per below. A resource group should be able to clearly define the customer or project, the type of environment and the purpose of the resources that are being created in the resource group.

Customer or project (3 letter abbreviation) | Tier (3 letter abbreviation of the Tier: HUB, PRD, TST, ACC, DEV) | Purpose (Resource Group Purpose Abbreviation) | Resource Purpose
<proj> | hub | identity | rg

Powershell script
$HUBRGID = $Cus + '-' + $RG_PurposeHUB + '-' + 'identity' + '-rg'

Networking

Networking related naming conventions are provided as per below. In order to be able to perform smart discovery over your networking resources, Virtual Networks, Subnets and Network Security Groups are named according to the endpoints and services located in the specified network topology.

Virtual Networks
Customer or project (3 letter abbreviation) | Tier (3 letter abbreviation of the Tier: HUB, PRD, TST, ACC, DEV) | Location (3 letter abbreviation of the location) | Resource Purpose
<proj> | hub | weu | vn
Powershell script
$virtualnetworkHUBname = $Cus + '-' + $RG_PurposeHUB + '-' + $Location + '-vn'

Subnets
Customer or project (3 letter abbreviation) | Tier (3 letter abbreviation of the Tier: HUB, PRD, TST, ACC, DEV) | Subnet purpose | Resource Purpose
<proj> | hub | identity | sn
Powershell script
$hubsubnetname1identity = $Cus + '-' + $RG_PurposeHUB + '-' + 'identity' + '-sn'

Network Security Groups
Customer or project (3 letter abbreviation) | Tier (3 letter abbreviation of the Tier: HUB, PRD, TST, ACC, DEV) | Subnet purpose | Resource Purpose
<proj> | hub | identity | nsg
Powershell script
$hubnsgid = $Cus + '-' + $RG_PurposeHUB + '-' + 'identity' + '-' +'nsg'

Public IP addresses
Public IP usage | Public IP abbreviation
resourcename | pip
Powershell script
$vmpip = $VirtMachName + '-pip'

Load Balancing

Azure provides several cloud native load balancing solutions, as with other Azure Resources, they require a logical naming convention.

Internal Load Balancer
Internal Load Balancer | Purpose
ilb | adfs
ilb | sql
Powershell script
$adfsintlb = 'ilb-' + 'adfs'

External Load Balancer
External Load Balancer | Purpose
elb | adfswap
elb | rdgw
Powershell script
$adfsextlb = 'elb-' + 'adfswap'

General Compute Resources

Compute resources contain virtual machines, availability sets, storage and everything related to the infrastructure you need to run your apps.

Storage Accounts
Storage Account | Redundancy level | Customer Abbreviation | Location | Tier | Purpose
st | lrs | <proj> | weu | prd | logs
Powershell script
# Storage account names must be 3-24 lowercase letters and digits, so keep $Cus lowercase and short
$SA_Logs = 'st' + 'lrs' + $Cus + $Location + $RG_PurposePRD + 'logs'

Availability Sets
Customer Abbreviation | Tier | Purpose | Resource Purpose
<proj> | hub | sql | as
Powershell script
$hubavsql = $Cus + '-' + $RG_PurposeHUB + '-' + 'sql' + '-' + 'as'

Virtual Machines
Customer Abbreviation | Location | Optional Tier | Purpose | ##
<proj> | weu | prd | sql | 01
Powershell script
$VMShortName = "sql01"
# Windows computer names are limited to 15 characters, so keep the abbreviations short
$VirtMachName = $Cus.ToLower() + $Location.ToLower() + $RG_PurposePRD + $VMShortName

Virtual Machine Disks
Virtual Machine Name | Disk drive letter
<vmname> | c
<vmname> | e
Powershell script
$OSDiskName = $VirtMachName + '-c'
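
Concatenating strings as above works until a name silently violates one of Azure's rules at deployment time. The function below is an added example and not part of the original post: it composes names from the same variables and checks length, allowed characters and, for globally unique resources, appends a slice of the generalization GUID from the input block. The limits are Azure's documented ones; the rule table, the function and the sample values are this example's own.

```powershell
# Added example (not from the original post): compose names from the variables in the input
# block and validate them against Azure's naming limits before deploying. Limits are Azure's
# documented rules; the rule table, the function and the sample values are this example's own.

$Cus = "tnc"; $Location = "weu"; $RG_PurposeHUB = "hub"; $RG_PurposePRD = "prd"   # sample values
$MyGUID = [guid]::NewGuid().Guid.Remove(8)   # 8 hex chars, same generalization as the input block

# Separator, length range, allowed characters and whether the name must be globally unique.
# Global names get a slice of $MyGUID; it is kept short because those names sit near the limit.
$NamingRules = @{
    rg = @{ Sep = "-"; Min = 1; Max = 90; Pattern = '^[\w\.\-\(\)]+$';            Global = $false; SuffixLen = 0 }
    vn = @{ Sep = "-"; Min = 2; Max = 64; Pattern = '^[a-zA-Z0-9][\w\.\-]*$';     Global = $false; SuffixLen = 0 }
    st = @{ Sep = "";  Min = 3; Max = 24; Pattern = '^[a-z0-9]+$';                Global = $true;  SuffixLen = 6 }
    kv = @{ Sep = "-"; Min = 3; Max = 24; Pattern = '^[a-zA-Z](-?[a-zA-Z0-9])*$'; Global = $true;  SuffixLen = 6 }
    vm = @{ Sep = "";  Min = 1; Max = 15; Pattern = '^[a-zA-Z0-9\-]+$';           Global = $false; SuffixLen = 0 }  # Windows hostname limit
}

function New-VdcName {
    param(
        [Parameter(Mandatory)][ValidateSet("rg", "vn", "st", "kv", "vm")][string]$Type,
        [Parameter(Mandatory)][string[]]$Parts,   # customer, tier, location/purpose ... in convention order
        [switch]$Suffix                            # append the resource abbreviation (rg, vn, kv, ...)
    )
    $rule     = $NamingRules[$Type]
    $segments = @($Parts)
    if ($Suffix)      { $segments += $Type }
    if ($rule.Global) { $segments += $MyGUID.Substring(0, $rule.SuffixLen) }

    $name = $segments -join $rule.Sep
    if ($Type -in "st", "vm") { $name = $name.ToLower() }   # storage accounts must be lowercase

    $problems = @()
    if ($name.Length -lt $rule.Min -or $name.Length -gt $rule.Max) {
        $problems += "length $($name.Length) is outside $($rule.Min)-$($rule.Max)"
    }
    if ($name -notmatch $rule.Pattern) { $problems += "contains characters not allowed for '$Type'" }
    if ($Type -eq "rg" -and $name.EndsWith(".")) { $problems += "resource group names may not end with a period" }
    if ($problems) { throw "Invalid $Type name '$name': $($problems -join '; ')" }
    return $name
}

New-VdcName -Type rg -Parts $Cus, $RG_PurposeHUB, "identity" -Suffix          # customer-tier-purpose-rg
New-VdcName -Type vn -Parts $Cus, $RG_PurposeHUB, $Location -Suffix           # customer-tier-location-vn
New-VdcName -Type st -Parts "stlrs", $Cus, $Location, $RG_PurposePRD, "logs"  # 18 characters + 6 hex = the 24 limit
New-VdcName -Type vm -Parts $Cus, $Location, $RG_PurposePRD, "sql01"          # fits the 15-character hostname limit
New-VdcName -Type vm -Parts $Cus, $Location, $RG_PurposePRD, "sqlcluster01"   # throws: too long for a Windows hostname
```

The storage account line shows why the generalization suffix has to be short: the convention already uses 18 of the 24 characters, so only 6 hex characters are left for uniqueness. Add a rule entry per resource type you deploy rather than validating by hand.
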

Summary

In this blogpost, we’ve provided some guidance with regards to naming conventions and standards. The powershell “script” provided can be used for your convenience. In the upcoming series of posts we will be re-using these variables in order to build our Virtual Datacenter Concept topology.

Checkout our previous blogpost to recap on the Virtual Datacenter Concept.

What’s next?

The following aspects of the virtual datacenter concept will be highlighted in the following upcoming posts:

The post Virtual Datacenter Concept | 1 of 10 | Naming Conventions appeared first on Tunecom.


Virtual Datacenter Concept | Introduction
https://www.tunecom.be/stg_ba12f/?p=215
Tue, 31 Dec 2019 09:18:32 +0000

This blogpost is part of a series of Azure Virtual Datacenter Concept blog posts.

The following series of posts is a direct reference to the Virtual Datacenter Concept provided by Microsoft as part of the Cloud Adoption Framework.

My intention is to provide you with a holistic overview, lessons learned and best practices over the last couple of years during the design and implementation phase of the Azure Virtual Datacenter.

What is the Azure Virtual Datacenter Concept (VDC)?

VDC is a series of guidelines that can be interpreted in various ways, the main goal of the VDC is to be able to deploy and manage your Azure resources in a secure and proper fashion.

When looking at AzOps and AzSec we are striving to build an operational and security model that fits the customer’s needs and wishes while still providing the promised scalability, flexibility and cloud optimization benefits. AzOps and AzSec should play a supporting role in the application landscape.

Taking the DevOps and DevSecOps perspective into account, the VDC should let the application development team perform CI/CD in such a way that the IT infrastructure around your line-of-business applications closes the gap between the operations and deployment lifecycle.

Why should the Virtual Datacenter Concept matter to you?

Planning Cloud Adoption is key, we’ve often seen Cloud environments that have been setup with no clear vision of the future application and IT landscape, which ended up in consuming a lot of credits that could’ve been spent more wisely.

On your road to onboarding IaaS, PaaS and SaaS the Virtual Datacenter Concept is your hitchhikers guide to the galaxy. It’s often seen as a way to easily lift and shift your servers, when looking at the VDC from a broader perspective, it can be a good fit to start transitioning to PaaS and SaaS.

How does this all translate into practice?

Below infographic shows a typical scenario where a DTAP (Development, Test, Acceptance, Production) environment has been setup and during deployment, key components have gone missing.

Virtual Datacenter Concept

In order to fix the above situation, we’ve got a couple of options, either deploy additional equipment on Azure or consolidate and optimize to make the best use of all Azure Resources.

Below IaaS overview shows how we can consolidate the central shared services and make use of unique Azure techniques like vnet peering to tie everything together in a secure way.

Virtual Datacenter Concept - DTAP

Extending your services to Azure

In the above example we’ve seen a full-blown DTAP environment located on Azure infrastructure. However, Cloud Adoption isn’t just about moving virtual machines to the Cloud. When moving to the cloud our goal is to provide our end customers with tools and applications that are always on and can meet the necessary capacity demands.

As a start we would typically begin with the Virtual Datacenter Basic setup. This allows you to extend your on-premises workloads to Azure with a minimum amount of resources.

The basic setup consists of :

  • Hybrid cloud identity which can be setup in various ways that suits your business needs.
  • Virtual Private network connectivity based on Azure Virtual Network gateway
  • Resource Governance
  • Backup and business continuity additions
Virtual Datacenter Concept - Basic

What’s next?

Hope you liked the introduction, and sort of know where we are working towards in this blogpost series.

The following aspects of the virtual datacenter concept will be highlighted in the following upcoming posts:

  • Virtual Datacenter Concept – 1 of 10- Naming Conventions
  • Virtual Datacenter Concept – 2 of 10 – Governance
  • Virtual Datacenter Concept – 3 of 10 – Resource Groups
  • Virtual Datacenter Concept – 4 of 10 – Virtual Networking
  • Virtual Datacenter Concept – 5 of 10 – Cloud Storage
  • Virtual Datacenter Concept – 6 of 10 – Identity Options
  • Virtual Datacenter Concept – 7 of 10 – Log Analytics
  • Virtual Datacenter Concept – 8 of 10 – Security
  • Virtual Datacenter Concept – 9 of 10 – Business Continuity
  • Virtual Datacenter Concept – 10 of 10 – Automation

The post Virtual Datacenter Concept | Introduction appeared first on Tunecom.
