Topic: Tech Tips
Enable JIT Access on Azure VMs
In this post we’ll take a look at a feature of Azure Security Center called Just-In-Time VM access. This feature will allow you to timebox when and who has access to your Azure VMs. Black Hats will invariably look for open management ports on your VMs. RDP and SSH are often used by hackers as a possible entry point for access to your environment. Using JIT Access you can block access to these ports and require users to submit a request in order to gain access during a specific timeframe.
Purge Azure AD Deleted Objects
Ever get the dreaded message: “The directory object quota limit for the Principal has been exceeded. Please ask your administrator to increase the quota limit or delete objects to reduce the used quota.” But when you go and look you only have a handful of objects listed… certainly nowhere near the 250 allowed. In this post we’ll see one potential way to alleviate this issue. We’ll discover that what appears to be the case on the surface is not really the case with Azure AD. Azure AD actually doesn’t delete objects right away; it marks them as “Deleted”. So if you really want to remove objects from Azure AD, read on…
Authenticate GO CLI with Azure AD
Ever wonder how to integrate a command line application with Azure Active Directory? I happened to be working with a client recently who wanted to do just that, and I took the opportunity to dive in and figure it out, and in the process write it up for the website. In this post we’ll look at the Azure Golang SDK and how to use it for Azure AD authentication; we’ll also create an application registration in AAD and assign permissions to our CLI.
Whitelist Ingress Access into AKS Clusters
If you read my last post on setting up ExternalDNS and CertManager on AKS you may have noticed that ingress to published services is open to Internet traffic. In this post I’ll look at two simple ways to lock down services so that only specific addresses have ingress access. First we’ll cover how to set up a network security group on the agent pool subnet to limit access, and then we’ll take a look at some features of NGINX that offer a bit more flexibility in who has access to what. We’ll also look at some changes we’ll need to make to cert-manager once ingress is locked down.
Automate DNS and SSL Certificates on AKS
In a recent project I was asked to configure Kubernetes so that it could create and manage DNS records automatically. This automatic management comes via Ingress objects created in Kubernetes: hostnames specified in ingress objects automatically get DNS records created. This is exactly what the Kubernetes project ExternalDNS does. Unfortunately, even though there is a section for configuring it on Azure, it wasn’t straightforward to get working. This post walks through getting it up and running and also demonstrates its usage in Azure Government.
Creating Jekyll Category Pages on GitHub
In this post we’ll look at how to create some simple category pages using Jekyll on GitHub Pages with GitHub’s default set of plugins. GitHub Pages supports a limited subset of Jekyll plugins, and unfortunately this list doesn’t contain plugins like jekyll-category-pages or jekyll-archives, which would make building category pages easier. We can, however, get category pages on GitHub with just a little added effort, so keep reading.
Adding Auditd Logs to Azure Log Analytics
In my last post, entitled Forwarding Syslog to Azure Log Analytics, we set up our Linux VMs to send Syslog data to Azure Log Analytics for centralized collection. This allowed us to capture all our Syslog data as well as set up alerts for anomalous behavior in our logs. In this post we want to take it a step further: add auditd to our Linux VMs, set up some very specific auditing rules around file access and modifications, and send those to Log Analytics as well.
Forwarding Syslog to Azure Log Analytics
I was recently tasked with coming up with a solution that enabled several different types of information related to Azure VMs to be collected and reported on. Types of information included application logs, operating system logs and Azure activity logs. Readers of this blog may not know that Azure has a product called Log Analytics that is similar to Splunk (except for the cost) and can capture and report on just about any kind of log you can imagine. In this post we’ll take a look at what goes into getting syslog information into Log Analytics and then running some basic queries against those logs.
IO Performance in Azure Explained
I recently had a customer ask several questions about what IOPS and max throughput mean and how they could increase throughput so that their backup restore process in Azure would take less time. In this post we’ll look at how we can estimate our max throughput and IOPS based on VM size and disk configuration. Additionally, we’ll also look at ways to improve performance without increasing costs.
Query Log Analytics from the Command Line
I’ve been doing some work with Azure Log Analytics lately and found the az tool limiting as it relates to querying Log Analytics. So like anyone who gets an itch and needs to scratch it, I decided to put something together myself to help make it a bit easier for me. So using Python and some awesome modules I wrote a little utility that could query Log Analytics and provide data back in a few different formats.
The Mythical 40 Hour Workweek
Communication is crippling Corporate America. I know what you’re thinking, “That statement is preposterous. Communication is the bedrock of productivity today”, but if you bear with me I’ll explain my thinking on the subject. Communication may be the bedrock of business systems today, but it has also become an albatross around our necks and is draining us of our productivity. As organizations have flattened over the last two decades and command and control hierarchies have been replaced with matrix style organizations, communication between an ever increasing number of interested parties has sapped nearly all productivity from today’s corporations.
Flock Theory and Leadership
I have to admit that I’m a bit of a collaboration and community junkie and as such follow some obscure topics. One topic I’ve had on my radar for quite some time is Flock Theory. Flock theory tries to describe the self-organizing and emergent aspects of human behavior. Succinctly put, behavior in some cases is not a property of any individual person (or bird), but rather emerges as a property of a group or social network (flock). This concept can be used to describe aspects of both collaborative teams and open source communities. I’m not going to analyze the merits of the theory, but I do want to introduce its concepts, which I think have implications for team/community productivity and possibly even individual information relevance.