Skip to main content

Build a Company in Azure (in ONE day!)


What do we want? The Azure Fundamentals Cert by February!
When do we want it? By Feb! Just said it, pay attention!


A very helpful guide by Daniel Baker (AzureDan).

You need a subscription (or trial) to make a resource group. But you can make a Markdown without it!

Markdown: The fancy image on the Dashboard.

Let's go!




Here is my Resource Group;



I poked around in the Policy section for a time.

Other things we're going to fill out here include:

  • Networking & Gateways
  • VMs
  • Containers
  • Authentication and Identity
  • Storage
  • DevTest Labs
  • Backup Solutions
Some things may need more than a free trial + 200$ credit can give, but that's what's happening in the video, or need mounted storage I don't have available right now. Situation may vary.

Virtual Network(ing and Gateways) in Azure

Enter your resource group, hit 'Add', search what you want (Here, a Virtual Network), fill  out the information, and there you go. Also helps to go back into the resource to the deployment, and pin it to the dashboard.

Let's make some Subnets!

The Gateway Subnet routes things through the Azure Cloud.

 You'll need to go into the Marketplace and get 'Virtual Machine Gateway' app. Remember to check the region you're working in!

There are certificates made an installed. I wonder if that process could be automated somehow. Would it be safe?

Domain Controller

In making a template, there is a script given, that outlines the template rules, parameters (names, network), variables (with values), and resources (objects to deploy).

When the template is made, it can be deployed.

Visual Studio

As I can't seem to find a Visual Studio Community 2017 Version, let's hit a random thing and roll with it.


See, it's in our Development subnet in our 31vNet Virtual Network.

Here it is, and all the stats:


And here's the Networking page, that shows our public and private IPv4 addresses.

You can also click the Update Management in the left hand panel to keep your VM up to date. It's our responsibility!



It takes some time to be enabled. When it's ready, you can see where we're failing at security wise. Meanwhile, I had to troubleshoot the actual Update Agent.

It's like when Task Manager is not responding.

I can at least walk through scheduling an update deployment. We can schedule a time, and what updates are to be included (None here).

There is the Inventory tab on this VM. It basically is tracking registry, file changes, and services to monitor baselines.

The Metrics options tracks the performance of a VM and lists the results in a very GUI, chart-happy kind of way.

The Adviser tab offers us a (probably AI) guide to offer suggestions to improve performance on our resources and be reasonable with our spending.




Resource health watches your resource and tells you if it's running as expected. 




A very cool option iunder Support + troubleshooting is Boot diagnostics, to see if there are any potential issues with booting up the VM, and the option to reset the password to the built-in admin account. Snazzy! You can also redploy your VM to a new Azure host.


Next, let's deploy a CentOS system through the command Line 

Authentication 

I'm tossing in this video as well: While it has no affiliation with the one at the top of the page...I was prepared to make another post about this until I remembered "Oh yes, already did some AzAD stuff!"



 Directory Services & Domain Controllers. 

Select Azure Active Directory from the Services group.


A new user is made; If we had a group, we could put her there, but let's not let that stop us!




Paola Zallegortio is not a real person. To my knowledge.

We can go to the groups section  and make an Accounting group for Ms. Zallegortio to join.


I can create or invite a user to join, and stick them in the made group;

 See the box? The group itself doesn't show, but he's in the Accounting group with Paola. You could probably put a user in more than one group, but then you get caught up in thorny stuff, like permissions creep.

 We can establish single sign-on for a user. Let's try with Twitter - 

Default Directory > Enterprise applications - all applications > Categories > add an application > Twitter. When Twitter is installed (click 'add'), this is what you get;



 Select single sign-on, hit password based (or whatever makes sense for you,) and hit save at the resulting screen. When you go to Users and Groups, you can now add a user to the Twitter, SSO group.

DevTest Labs

Visit a resource in the Resource Groups tab, 'new', and install DevTest Labs from the Marketplace after searching.



You can add VMs to your testing labs - There's a lot of options.


 Also includes Ubuntu in Kubernetes Containers.

I've also allowed the sizes for VMs that our developers can work with under Configurations and Policies > Allowed Virtual Machine Sizes.

I set the sizes, now time for the actual amount of VMs that are allowed to be spun up; I'll go with 2.




Under Configurations and Policies - Virtual Network, our test enviroment has already been set up in our dtlbacaid-devtestlab network, though we could go back to the Virtual Network pane and make a new one for it to inhabit if we wish. In fact, I think I will.



I don't know why the name doesn't show up in the 'Your deployment is complete' panel.

Marketplace images are "Hey, what .isos should your devs be allowed to download?" I selected Cent OS and Server 2012 R2. When you go to 'Formulas (reuseable base), those are the only options):

 A while back, I made a comment that Azure had a lot less silly names than AWS, so one didn't have to Google (or Bing, as the case may be) to find out what they were working with.

I take that back; In order to have programs pre-installed on a base you spin up, you have to add them on...and they're called Artifacts.


These are just plans, blueprints, so you don't waste time finangling around a GUI trying to get things set up. Nice idea. Odd name.

Azure Backups

Under your virtual machine, look to the left. Operations > Disaster Recovery. Make sure it's in the correct region.



You see a cache storage account setting, it's used before a source VM is replicated to the target. It will be made when this is deployed.

You can only set protections in one region;


The virtual machine 'kearosan' couldn't be protected to the region 'West US' as it is already protected to the region 'East US 2'.

 If you click the 'Failed' Hyperlink, that's the error that pops up, along with possible causes, recommendations, and Error ID.

Something did get backed up:


"Success - Task Failed."
 WebApps!


As a reminder, here is our Dashboard now;




I made a new resource group and pulled up the Web App service in the Marketplace to install.


Of interesting note is the Application Monitoring selection of my apps, network, and infrastructure. It's not available with my plan. 



 It took some time to deploy it because it simply did not like the settings in the region I was trying to put it in. It worked in West Europe but not West US. Interesting. 

I think I took a different turn somewhere. But I can at least show you something in this App Service:




Here are some application settings: Set rule for when data can be moved. With this set up, data will be stored and moved while encrypted.


Security and Monitoring Your Azure Cloud

 "Is the cloud safe?"

Let's be honest, attacks are growing more sophisticated, and end users just want things to work, and aren't concerned about security. Nothing personal - You have other things to do. Leave it to a cloud service to have multiple security options in place to protect your data they have stored. After all, it's Microsoft. They've been at this for quite a while. I think they know how to store data.

Onto the final lesson. 







It's a little scant looking.

Clicking Recommendations give a page with suggestions about how to have more secure resources. There's even an option to include your own custom policies. With AI, it probably knows what your policies intend to do, and know how to warn against things that may break them. Very neat.

Let's look at the suggestion for Compute:


'Web application should only be accessible from over HTTPS!'

You're right.

'Quick Fix' takes us to another screen, where you essentially scroll down and hit it again.


Another window pops up, explaining why this is beneficial. I appreciate the lesson, but let's actually implement it.

With the final click, the remediation is successful, and it will take a few minutes to update to a Healthy Resource in our Security Center.

There's far more to do with Azure (And in Security Center that I did not outline), and this is a little beyond the scope of AZ-900, but it was great to get a comprehensive, hands-on look at the service.

If you have any AZ-900 resources, feel free to comment.



FOR EMPLOYERS: It's learning.

Comments

Popular posts from this blog

Connecting IoT Devices to a Registration Server (Packet Tracer, Cisco)

 If you're seeing this post, I'm helping you, and you probably have LI presence: React and share this post to help me in return.   In Packet Tracer, a demo software made by Cisco Systems. It certainly has changed a lot since 2016. It's almost an Olympic feat to even get started with it now, but it does look snazzy. This is for the new CCNA, that integrates, among other things, IoT and Automation, which I've worked on here before. Instructions here . I don't know if this is an aspect of "Let's make sure people are paying attention and not simply following blindly", or an oversight - The instructions indicate a Meraki Server, when a regular one is the working option here. I have to enable the IoT service on this server. Also, we assign the server an IPv4 address from a DHCP pool instead of giving it a static one. For something that handles our IoT business, perhaps that's safer; Getting a new IPv4 address every week or so is a minimal step against an

Create a Simple Network (Packet Tracer) + A Walkthrough

Again; I've done this, but now there's so many new things, I'm doing it again. The truly new portions were...everything on the right side of this diagram; The cloud needed a coax connector and a copper Ethernet connector. It's all easy to install, turn off the cloud (Weird), install the modules. Getting the Cable section of Connections was an unusual struggle - The other drop down menu had nothing within. It required going into the Ethernet options and setting the Provider Network to 'cable', which is the next step AFTER the drop-downs. The rest was typical DHCP and DNS setups, mainly on the Cisco server down there. The post is rather short - How about adding a video to it? Find out what A Record means - This site says 'Maps a name to an IP address', which is DNS. So it's another name for DNS? You can change them (presumably in a local context) to associate an IP address to another name.

Securing Terraform and You Part 1 -- rego, Tfsec, and Terrascan

9/20: The open source version of Terraform is now  OpenTofu     Sometimes, I write articles even when things don't work. It's about showing a learning process.  Using IaC means consistency, and one thing you don't want to do is have 5 open S3 buckets on AWS that anyone on the internet can reach.  That's where tools such as Terrascan and Tfsec come in, where we can make our own policies and rules to be checked against our code before we init.  As this was contract work, I can't show you the exact code used, but I can tell you that this blog post by Cesar Rodriguez of Cloud Security Musings was quite helpful, as well as this one by Chris Ayers . The issue is using Rego; I found a cool VS Code Extension; Terrascan Rego Editor , as well as several courses on Styra Academy; Policy Authoring and Policy Essentials . The big issue was figuring out how to tell Terrascan to follow a certain policy; I made it, put it in a directory, and ran the program while in that directory