Data Classification & Storage

Application data can be classified in 3 ways:

  • Structured
  • Semi-Structured
  • Unstructured

Structured Data

Relational data with fixed columns & data types.

Example: Financial Statements

Apt for SQL Server

Semi-Structured Data

Dynamic columns with no pre-defined data types.

Example: Product Catalog

Apt for Cosmos DB

Unstructured Data

Files such as images & videos.

Apt for BLOB Storage.

More Parameters

The following additional parameters also determine where and how data is stored.

Data Location

The region where the data is stored, such as East US, West Europe etc. Where data-compliance rules demand that data must not cross country boundaries, the location has to be chosen more carefully.

Data Redundancy

Data redundancy ensures that data is copied to an alternative location. This is useful in disaster recovery scenarios.

VNETs

If the data contains proprietary information, we can restrict access to the data to a VNET (Virtual Network) only.

Data Encryption

Data encryption can be applied at rest & in transit. Encryption at rest is supported by TDE (Transparent Data Encryption) in Azure SQL and by the built-in encryption of Cosmos DB, Storage Accounts etc. Encryption in transit is provided by enabling HTTPS.

Storage Accounts

Storage Accounts allow grouping of data management through blobs, files, tables & queues.
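The VNET-only access and encryption-in-transit points above can be applied to a Storage Account from the Azure CLI. The following is an added example, not code from the original post: it creates an account that enforces HTTPS with a TLS 1.2 minimum, disables anonymous blob access and denies all networks except one VNET subnet, and then audits those three settings from the account's properties. The resource names (jp_azure, jpstore001, VNET1/Apps) are placeholders; the TSV sample near the end is constructed to stand in for what `az storage account show` would return.

```shell
#!/usr/bin/env bash
# Added example (not from the post): lock down a Storage Account and audit its posture.
# jp_azure, jpstore001 and VNET1/Apps are placeholder names.

# Requires a logged-in Azure CLI; call explicitly.
create_locked_down_storage() {  # create_locked_down_storage RESOURCE_GROUP ACCOUNT_NAME
  local rg=$1 name=$2
  az storage account create --resource-group "$rg" --name "$name" --location eastus \
     --sku Standard_LRS --kind StorageV2 \
     --https-only true --min-tls-version TLS1_2 --allow-blob-public-access false \
     --default-action Deny            # deny every network, then allow the VNET subnet below
  az storage account network-rule add --resource-group "$rg" --account-name "$name" \
     --vnet-name VNET1 --subnet Apps
}

# The three settings we audit, as one TSV line: httpsOnly  minTls  publicBlobAccess
storage_posture_tsv() {  # storage_posture_tsv RESOURCE_GROUP ACCOUNT_NAME
  az storage account show --resource-group "$1" --name "$2" \
     --query '[enableHttpsTrafficOnly, minimumTlsVersion, allowBlobPublicAccess]' --output tsv
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }   # CLI may print True/False or true/false

# check_storage_posture HTTPS_ONLY MIN_TLS PUBLIC_BLOB: prints each finding, returns 1 if any
check_storage_posture() {
  local bad=0
  [ "$(lower "$1")" = true ]  || { echo "FINDING: HTTPS-only traffic is not enforced"; bad=1; }
  [ "$2" = TLS1_2 ]           || { echo "FINDING: minimum TLS version is $2, expected TLS1_2"; bad=1; }
  [ "$(lower "$3")" = false ] || { echo "FINDING: anonymous public blob access is allowed"; bad=1; }
  [ "$bad" -eq 0 ]
}

# Constructed samples of storage_posture_tsv output (tab separated)
WEAK_ACCOUNT=$(printf 'False\tTLS1_0\tTrue')
HARDENED_ACCOUNT=$(printf 'True\tTLS1_2\tFalse')

# word-splitting the TSV into three arguments is intended here
check_storage_posture $WEAK_ACCOUNT || echo "weak account: remediation needed"
check_storage_posture $HARDENED_ACCOUNT && echo "hardened account: OK"
```

To audit a real account, feed the live properties through the same check: `check_storage_posture $(storage_posture_tsv jp_azure jpstore001)`.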

Create VNET & VNET Peering in Azure using CLI

In this post we learn how to create 2 VNETs & enable VNET Peering between them.

Azure VNET

Azure VNET provides a private network within Azure. A VNET must specify an address space. Subnets are segments carved out of the VNET's address space.

VNET Peering

It is possible for 2 VNETs to communicate with each other using VNET Peering. VNET Peering bypasses the Internet and public IP addresses & communicates over the local Azure network, which is faster & has higher bandwidth, without any encryption. Thus VNET Peering is faster & safer too.

A VNET allows resources (e.g. VMs) to communicate with each other as if they are in the same network.

VNETs can be peered across regions & subscriptions too.


Create VNET

Open the Azure CLI & run the following commands.

az login

# VNET2 gets 10.2.0.0/16: peered VNETs must have non-overlapping address spaces
az network vnet create --resource-group "jp_azure" --name VNET1 --address-prefix 10.1.0.0/16 --subnet-name Apps --subnet-prefix 10.1.1.0/24 --location eastus

az network vnet create --resource-group "jp_azure" --name VNET2 --address-prefix 10.2.0.0/16 --subnet-name Apps --subnet-prefix 10.2.1.0/24 --location eastus

az network vnet list --output table

Create VMs

Now we can create a VM in each of the VNETs.

# the VM must be created in the same region as its VNET; "admin" is a user name Azure rejects
az vm create \
  --resource-group "jp_azure" \
  --no-wait \
  --name VM1 \
  --location eastus \
  --vnet-name VNET1 \
  --subnet Apps \
  --image win2016datacenter \
  --admin-username azureuser \
  --admin-password 'administrator1!'

az vm create \
  --resource-group "jp_azure" \
  --no-wait \
  --name VM2 \
  --location eastus \
  --vnet-name VNET2 \
  --subnet Apps \
  --image win2016datacenter \
  --admin-username azureuser \
  --admin-password 'administrator1!'

Create VNET Peering

Now we can create VNET Peering using the following commands.

# peering is created on VNET1 and points at VNET2
az network vnet peering create \
  --name VNET1-TO-VNET2 \
  --resource-group "jp_azure" \
  --vnet-name VNET1 \
  --remote-vnet VNET2 \
  --allow-vnet-access

The following is for the reciprocal connection; peering is only Connected once both directions exist.

az network vnet peering create \
  --name VNET2-TO-VNET1 \
  --resource-group "jp_azure" \
  --vnet-name VNET2 \
  --remote-vnet VNET1 \
  --allow-vnet-access

Testing

Log in to VM1 using its public IP and ping VM2 using its private IP. If the ping succeeds, the VNET Peering was created successfully.
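The whole procedure above can be scripted, with the one pre-check that saves the most time: Azure refuses to peer two VNETs whose address spaces overlap. The following is an added example and not code from the original post. It implements an IPv4 CIDR overlap test in plain shell arithmetic, runs the post's commands (with `--` flags, non-overlapping ranges and the VMs' region matching the VNETs) only when `create_peered_vnets` is called explicitly against a logged-in Azure CLI, and finally reads `peeringState`, which is the check to use instead of ping if the Windows firewall on the VMs drops ICMP echo. The resource group and VNET names are the post's; the second address range is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the post): peer two VNETs after checking their ranges do not overlap.
# jp_azure / VNET1 / VNET2 come from the post; 10.2.0.0/16 for VNET2 is an assumption.

# ip_to_int 10.1.0.0 -> 167837696 (dotted quad to 32-bit integer)
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A B: succeeds when the two IPv4 CIDR blocks share at least one address
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local a b shortest mask
  a=$(ip_to_int "$a_ip"); b=$(ip_to_int "$b_ip")
  # two blocks overlap iff they agree under the shorter (wider) of the two prefixes
  shortest=$(( a_len < b_len ? a_len : b_len ))
  mask=$(( (4294967295 << (32 - shortest)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Requires a logged-in Azure CLI; not run automatically.
create_peered_vnets() {  # create_peered_vnets [RESOURCE_GROUP] [LOCATION]
  local rg=${1:-jp_azure} loc=${2:-eastus}
  local v1=10.1.0.0/16 v2=10.2.0.0/16
  if cidr_overlap "$v1" "$v2"; then
    echo "address spaces $v1 and $v2 overlap; Azure would reject the peering" >&2
    return 1
  fi
  az network vnet create --resource-group "$rg" --location "$loc" --name VNET1 \
     --address-prefix "$v1" --subnet-name Apps --subnet-prefix 10.1.1.0/24
  az network vnet create --resource-group "$rg" --location "$loc" --name VNET2 \
     --address-prefix "$v2" --subnet-name Apps --subnet-prefix 10.2.1.0/24
  # peering is one-directional: create it from each side
  az network vnet peering create --resource-group "$rg" --name VNET1-TO-VNET2 \
     --vnet-name VNET1 --remote-vnet VNET2 --allow-vnet-access
  az network vnet peering create --resource-group "$rg" --name VNET2-TO-VNET1 \
     --vnet-name VNET2 --remote-vnet VNET1 --allow-vnet-access
  # "Connected" means both sides exist; "Initiated" means the reciprocal peering is missing
  az network vnet peering show --resource-group "$rg" --vnet-name VNET1 \
     --name VNET1-TO-VNET2 --query peeringState --output tsv
}

# Dry demonstration of the pre-check on the post's original (colliding) ranges and the fixed ones
for pair in "10.1.0.0/16 10.1.0.0/16" "10.1.0.0/16 10.2.0.0/16"; do
  set -- $pair
  if cidr_overlap "$1" "$2"; then echo "$1 vs $2: overlap, cannot peer"; else echo "$1 vs $2: ok"; fi
done
```

Run `create_peered_vnets jp_azure eastus` after `az login` to execute the real commands; the loop at the end only exercises the overlap check.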

Summary

In this post we have explored how to create 2 VNETs & enable VNET Peering between them.

Network Security Group (NSG)

NSGs protect Azure resources from unauthorized access. In this post we look at the features of Azure NSGs.

Capabilities

You can restrict database servers so that they are only reachable from application servers, thus protecting legacy business data.

Rules can be configured to Allow access.

Rules can be configured to Deny access.

Restrictions can be set based on VNET.

Flexibility

NSG offers the following flexibilities:

  • Automatically created along with Azure resources
    • Inbound & outbound rules are automatically created
      • eg: a port 3389 (RDP) Allow rule for a VM
  • Reusable across multiple Azure resources
    • Create an NSG for a VM and reuse it across multiple VMs
  • Tag-based restriction possible
    • eg: VirtualMachine, AppService etc.

Example

Create a VM and observe the NSG that is automatically created.

Try accessing the VM over Windows RDP. You should be able to log in.

Delete the port 3389 rule. Wait 1 minute for the NSG change to take effect, then try to log in again. You should be denied.

Note

Inbound rules restrict incoming traffic to the device.

Outbound rules restrict outgoing traffic from the device.
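The experiment above shows that the auto-created RDP rule allows port 3389 from any source. The following is an added example, not code from the original post: it lists an NSG's rules (default rules included) as TSV, audits them for inbound Allow rules that expose a management port (22 or 3389) to any source, and shows the replacement rule that keeps RDP working but only from an administrator address range. The sample rule listing is constructed; `jp_azure`, `VM1-nsg`, `203.0.113.0/24` and the rule name `default-allow-rdp` (the name I expect the CLI to give the auto-created rule; confirm it with `nsg_rules_tsv`) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the post): audit an NSG for management ports open to any source.
# jp_azure, VM1-nsg, 203.0.113.0/24 and default-allow-rdp are placeholder values.

# Requires a logged-in Azure CLI. One TSV line per rule:
# name  direction  access  sourceAddressPrefix  destinationPortRange
nsg_rules_tsv() {  # nsg_rules_tsv RESOURCE_GROUP NSG_NAME
  az network nsg rule list --resource-group "$1" --nsg-name "$2" --include-default \
     --query '[].[name, direction, access, sourceAddressPrefix, destinationPortRange]' \
     --output tsv
}

# port_in_range PORT RANGE: true when PORT falls inside RANGE ("*", "3389" or "3000-4000")
port_in_range() {
  case $2 in
    '*') return 0 ;;
    *-*) [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ] ;;
    *)   [ "$1" -eq "$2" ] ;;
  esac
}

# audit_nsg_rules < TSV: prints a RISK line per exposed management port; returns 1 if any
audit_nsg_rules() {
  local found=0 name direction access source dports p
  while IFS="$(printf '\t')" read -r name direction access source dports; do
    [ "$direction" = Inbound ] && [ "$access" = Allow ] || continue
    case $source in '*'|Internet|0.0.0.0/0) ;; *) continue ;; esac   # any-source rules only
    for p in 22 3389; do
      if port_in_range "$p" "$dports"; then
        echo "RISK: rule '$name' allows port $p from $source"
        found=1
      fi
    done
  done
  [ "$found" -eq 0 ]
}

# Replace the auto-created RDP rule with one that only admits the admin range on 3389.
restrict_rdp_to_admin_range() {  # restrict_rdp_to_admin_range RESOURCE_GROUP NSG_NAME ADMIN_CIDR
  az network nsg rule delete --resource-group "$1" --nsg-name "$2" --name default-allow-rdp
  az network nsg rule create --resource-group "$1" --nsg-name "$2" --name allow-rdp-from-admins \
     --priority 300 --direction Inbound --access Allow --protocol Tcp \
     --source-address-prefixes "$3" --destination-port-ranges 3389
}

# Constructed sample of what nsg_rules_tsv prints for a freshly created VM's NSG
sample_rules() {
  printf '%s\t%s\t%s\t%s\t%s\n' default-allow-rdp       Inbound Allow '*'            3389
  printf '%s\t%s\t%s\t%s\t%s\n' allow-ssh-from-admins   Inbound Allow 203.0.113.0/24 22
  printf '%s\t%s\t%s\t%s\t%s\n' allow-all-from-internet Inbound Allow Internet       '*'
  printf '%s\t%s\t%s\t%s\t%s\n' allow-https             Inbound Allow '*'            443
  printf '%s\t%s\t%s\t%s\t%s\n' DenyAllInBound          Inbound Deny  '*'            '*'
}

sample_rules | audit_nsg_rules || echo "exposed management ports found; see RISK lines above"
```

Against a live NSG the same audit is `nsg_rules_tsv jp_azure VM1-nsg | audit_nsg_rules`; the audit only reads the single-value `destinationPortRange` field, so rules that use the `destinationPortRanges` list need that column added to the query.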

Summary

In this post we explored the features of NSGs and performed a test experiment.

Azure Infrastructure – Connecting On-Premise Network to Azure

One of the challenges for organizations migrating on-premise resources to Azure is security.

  • How to transfer data securely over the Internet?
  • What are the Alternatives?

VPN Gateway

A Virtual Private Network is a private interconnection that uses an encrypted tunnel to communicate between 2 private networks. The untrusted-Internet problem is resolved by encrypting the communications.

VPN Gateway is a kind of Virtual Network Gateway; it allows Site-to-Site, Point-to-Site and Network-to-Network connections.

  • Site-to-Site connections allow an on-premise datacenter to connect to Azure Virtual Networks.
  • Point-to-Site connections allow user devices to connect to Azure Virtual Networks.
  • Network-to-Network connections connect an Azure Virtual Network to other Azure Virtual Networks.

ExpressRoute

Azure ExpressRoute provides secure, dedicated, high-bandwidth connections between your on-premises network and Azure. It bypasses the Internet and is hence more secure.

The following are the features of ExpressRoute:

  • Layer-3 Connectivity
  • Faster Access due to Peering of Networks
  • More Security
  • Higher Bandwidth
  • Bypasses Public Internet
  • Available in all Locations
  • Office365 Connectivity through Microsoft Peering

The following are the drawbacks of ExpressRoute:

  • An ExpressRoute circuit, which is a physical connection, needs to be provisioned from an Internet provider
  • Higher cost

A few ExpressRoute providers are listed below:

[image: table of ExpressRoute connectivity providers]

Virtual Network Gateway

A Virtual Network Gateway is required to connect 2 networks, either as:

  • VPN
  • ExpressRoute

When to choose VPN Gateway?

Low Bandwidth requirements

Point-to-Site scenarios

Occasional Connectivity

Moderate Data Security

When to choose ExpressRoute?

Dedicated Connection Required

High Security for Data

Faster & Continuous Access

References

https://docs.microsoft.com/en-us/learn/modules/connect-on-premises-network-with-vpn-gateway/2-connect-on-premises-networks-to-azure-using-site-to-site-vpn-gateways

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#a-namep2sapoint-to-site-vpn-over-sstp

Azure App Identity & Service Principal

An Azure Service Principal is a security identity used by apps & background services. It fulfils the role of the user identity that applications require. It is similar to the service accounts of Windows in the past.

Advantages

The advantages of App Identity are the following:

  • Allows multiple apps to use the same identity
  • Can use a certificate to authenticate instead of a password
  • No password-expiry overheads
  • Can restrict read/write access

On App Registration two objects are created: an App object & a Service Principal object.

Setting Access at Subscription Level

We can set access for the Service Principal object at the subscription level. Go to Home > Subscriptions > Access Control (IAM).

In the window that appears, choose the App Registration created just now & select the role.

Save changes for completing the Role assignment.

Access Scope

Access scope can be set at the following levels.

  • Subscription Level
  • Resource Group Level
  • Resource Level
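The certificate-based authentication and restricted access listed above map directly onto Azure CLI commands. The following is an added example, not code from the original post: it builds the scope string for each of the three levels, creates a service principal with a certificate rather than a password scoped to a single resource group, and audits the principal's role assignments for anything granted at a parent scope (for example a Contributor assignment on the whole subscription when only a resource group was intended). `my-app-sp`, `jp_azure`, the all-zero subscription id and the sample assignment listing are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the post): least-privilege service principal with certificate auth.
# my-app-sp, jp_azure and the 0000... subscription id are placeholders.

# Scope strings for the three levels; the resource level takes the full ARM resource id.
scope_for() {  # scope_for subscription|resourcegroup|resource SUBSCRIPTION_ID [RG] [RESOURCE_ID]
  case $1 in
    subscription)  printf '/subscriptions/%s' "$2" ;;
    resourcegroup) printf '/subscriptions/%s/resourceGroups/%s' "$2" "$3" ;;
    resource)      printf '%s' "$4" ;;
    *) echo "unknown scope level: $1" >&2; return 1 ;;
  esac
}

# Requires a logged-in Azure CLI; call explicitly. --create-cert generates a self-signed
# certificate, registers its public part on the app and writes the PEM (with key) locally.
create_sp_with_cert() {  # create_sp_with_cert SUBSCRIPTION_ID RESOURCE_GROUP
  az ad sp create-for-rbac --name my-app-sp --role Reader \
     --scopes "$(scope_for resourcegroup "$1" "$2")" --create-cert --years 1
}

# Live listing of a principal's assignments as TSV: scope  roleDefinitionName
assignments_tsv() {  # assignments_tsv APP_ID
  az role assignment list --assignee "$1" --all \
     --query '[].[scope, roleDefinitionName]' --output tsv
}

# audit_assignments EXPECTED_SCOPE < TSV: prints BROAD for assignments at a parent scope
audit_assignments() {
  local expected=$1 scope role bad=0
  while IFS="$(printf '\t')" read -r scope role; do
    [ "$scope" = "$expected" ] && continue
    case $expected in
      "$scope"/*) echo "BROAD: $role granted at $scope, expected $expected or below"; bad=1 ;;
    esac
  done
  [ "$bad" -eq 0 ]
}

SUB=00000000-0000-0000-0000-000000000000
EXPECTED=$(scope_for resourcegroup "$SUB" jp_azure)

# Constructed sample of assignments_tsv output for a principal that was given too much
sample_assignments() {
  printf '%s\t%s\n' "$EXPECTED" Reader
  printf '%s\t%s\n' "$(scope_for subscription "$SUB")" Contributor
}

sample_assignments | audit_assignments "$EXPECTED" || echo "review the BROAD assignment above"
```

For a real principal, pipe `assignments_tsv <appId>` into `audit_assignments` with the scope you intended; an assignment at a narrower scope passes, one at the subscription passes only if that is what you asked for.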

References

https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-create-service-principals?view=azs-1910

Azure CLI

Azure CLI (Command Line Interface) is a tool to manage Azure resources. You can download it from the following location.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest

Once installed, open a command prompt and type the command az.

Commands

A few common commands are the following:

help: get the list of commands

eg: az help

login: log in to Azure

eg: az login

group: operate on resource groups (a sub-command is required)

eg: az group list

az interactive: use this command for an interactive mode that helps with auto-complete & colored output.

Under the Hood

Azure CLI uses Azure REST API for performing the actions.

Azure CLI is open source

Azure CLI is more readable compared with PowerShell

How to Add User in an Azure Enterprise Application?

In the world of Azure, adding users to an application is a bit different: you don't need to build user-creation & user-role-management screens. Yes! Everything can be managed through the Azure Portal.

Enterprise Applications

Enterprise Applications are the applications deployed to your organization; each one has an App Registration.

Go to Azure > Active Directory > Enterprise Applications blade to view them.

Create User

Now we can add a new user to the selected Enterprise Application.

Go to Azure > Active Directory > Users

Click the New User button on the right and add the new user.

Save changes.

Select User

Now you can select the newly created user from the Enterprise Applications > Users blade.

Leave the Role blank. Click Add to continue.

You can now see that the new user has been added.

Create Role

To assign a role to the user, you need to create the role first.

Go to Azure > Active Directory > App Services > Your App > Manifest blade

Modify the appRoles property as shown below.

"appRoles": [
  {
    "allowedMemberTypes": [
      "User"
    ],
    "displayName": "Author",
    "id": "abc2ade8-98f8-45fd-aa4a-6d06b947c66f",
    "isEnabled": true,
    "description": "Authors can write blogs.",
    "value": "Author"
  }
],

Save the changes & go back to the user-adding screen in Enterprise Applications.

You will now be able to select the new role on that screen.

Note

Whenever a user is authenticated, you will get the role in the authentication token too. (Enable ID Token in the App Registration for this.)
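The `value` of the appRole above ("Author") is what arrives in the token's `roles` claim. The following is an added example, not code from the original post: it decodes the payload segment of a JWT with plain shell tools, extracts the `roles` claim and checks for a given role. The token is constructed locally with a placeholder signature segment, so the example runs offline; an application must only read roles from a token whose signature, issuer and audience its authentication middleware has already validated, because anyone can build a payload like this one.

```shell
#!/usr/bin/env bash
# Added example (not from the post): read the "roles" claim from an ID token payload.
# The sample token is constructed here and carries a placeholder signature segment.

b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+' '-' | tr '/' '_'; }

b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_' '/' | tr '-' '+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done   # restore the stripped '=' padding
  printf '%s' "$s" | base64 -d
}

# jwt_payload TOKEN: prints the decoded JSON payload (the middle dot-separated segment)
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# jwt_roles TOKEN: prints the role values space-separated, e.g. "Author Reader"
jwt_roles() {
  jwt_payload "$1" | sed -n 's/.*"roles":\[\([^]]*\)\].*/\1/p' | tr -d '"' | tr ',' ' '
}

# jwt_has_role TOKEN ROLE: succeeds when ROLE is present in the roles claim
jwt_has_role() {
  local r
  for r in $(jwt_roles "$1"); do [ "$r" = "$2" ] && return 0; done
  return 1
}

# Constructed sample: header, the claims that matter here, and a placeholder signature segment.
make_sample_token() {  # make_sample_token '["Author","Reader"]'
  local header='{"alg":"RS256","typ":"JWT"}'
  local payload="{\"aud\":\"api://example-app\",\"preferred_username\":\"alice@example.com\",\"roles\":$1}"
  printf '%s.%s.%s' "$(b64url_encode "$header")" "$(b64url_encode "$payload")" signature-placeholder
}

SAMPLE_ID_TOKEN=$(make_sample_token '["Author"]')
if jwt_has_role "$SAMPLE_ID_TOKEN" Author; then echo "Author: may write blogs"; fi
if ! jwt_has_role "$SAMPLE_ID_TOKEN" Admin; then echo "Admin: not present in token"; fi
```

A user who was added to the Enterprise Application without a role (as in the "Select User" step) gets a token with no `roles` claim at all, and `jwt_has_role` then fails for every role, which is the behaviour an authorization check should default to.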

Summary

In this article you saw how to add a user & role for an Enterprise Application. This is really advantageous & can save hundreds of productivity hours, since the application administrator can manage adding/editing users in the Azure Portal. (Relying on the company support-ticket team may delay the whole thing.)