Category: Azure

Hi everyone, I’m in the process of setting up an Azure firewall that will be centralized for multiple environments (uat, dev, prod). My task is to set up basic policies to only allow ports 22, 80, & 443. Our virtual machines have an app & web api running on them. Do I need to create additional policies to ensure the firewall isn’t blocking traffic that needs to go through for these api’s as well as DNS (Cloudflare)? We already have NSG’s for our VNets configured and work properly. submitted by /u/MyWeirdThoughtz [link] [comments]

We're testing out PIM and are having issues with notifications. In Azure, the Risky notifications aren't going to a PIM group created to assign the Global Administrator role. We have two users in this group, and two people with the access directly assigned and aren't in PIM. The two people with the access directly assigned are getting the notifications. I confirmed in the Users at risk detected alerts have the two people with the Global administrator role directly assigned to them, but not hose with the PIM group. According to the page in Security -> Identity Protection -> Users at risk detected alerts: " If a user is enrolled in PIM to elevate to one of these roles on demand then they will only receive emails if they are elevated at the time the email is sent. The Admin's configured email must be able to pass the validation checks for custom emails on the "Users at risk detected alerts" page." I'm not sure what "The Admin's configured email must be able to pass the validation checks for custom emails on the "Users at risk detected alerts" page." means since when the two users with the PIM Global Administrator group currently assigned to them were getting emails when they had the Global Administrator role directly assigned to them . Checked the page: Azure Active Directory Identity Protection notifications | Microsoft Docs which didn't help. Any guidance is much appreciated, thanks in advance for the advice! submitted by /u/Cloud_Comp_Admin [link] [comments]

I know they got rid of it but within Azure, what is there? I was just hired as a SharePoint Admin and was told to get a cert. nothing even specific. I'm looking through and it has to at least be an Associate so I may get the AZ900 anyhow, it's not enough. Anything out there that will help and be kinda basic enough to get through? I'm fresh to Azure but 10yrs IT experience. Thanks in advance! submitted by /u/aravena [link] [comments]

Azure Traffic Manager now enables you to specify minimum children property separately for IPv4 and IPv6 endpoints for MultiValue profiles.

Hello all and thank you for looking at my post. I am developing a mobile app (cross platform) which requires users to authenticate. My organization would like to use Azure AD (we have enterprise license). Here’s my issue. It doesn’t appear that with Azure AD I can create my own custom login screen inside the app. I understand I can create custom login views from the azure portal or even upload my own html files etc. That’s all good but what I am trying to do is have a screen inside the app with two fields (username and password) and when the user taps on the sign in button they log in upon successful authentication. All I could find right now was in my app registration to use a callback url so essentially the user will exit the app, be taken to a browser window to login to AAD and then be redirected back to the app. I really would prefer to avoid such a scenario. Am I going about this the wrong way? Thanks in advance - Leo submitted by /u/LeonardoDaWitchy [link] [comments]

Hello, I want to increase the tcp idle timeout but it's not possible because the vm is faulty (see attached image below). I tried the "Redeploy + reapply" option but it doesn't help. On a windows-system you can run "sysprep" via rdp but in this case it's a linux machine (CentOS) only with ssh-access. Does anyone know how can I remove the error? Thank you for your help! ​ ​ https://preview.redd.it/tnlixamicu191.png?width=1662&format=png&auto=webp&s=7f872aceb2c9a122acaa0c9ed5fec4d2f037d2e8 submitted by /u/farchris [link] [comments]

We have an Azure dashboard that we would like to add to a wall TV for monitoring but I was wondering if you could get "secure/authenticated" access in the same way a sas token works against a storage account to give read only live access? submitted by /u/famelton [link] [comments]

Anyone here know of good study guides for AZ-140 exam (https://docs.microsoft.com/en-us/learn/certifications/exams/az-140) ? I am looking for legitimate sources. I tried whizlabs once and it was just okay. Anyone have any suggestions of ones they used in the past? submitted by /u/Investigator7675 [link] [comments]

Another question about Azure Firewall 😉 I thought I understand how Azure Firewall integration with Public/Internal Load Balancer works but I think I miss something. Docs (https://docs.microsoft.com/en-us/azure/firewall/integrate-lb#asymmetric-routing) show some diagrams how the traffic flows when there is a Public Load Balancer and Azure Firewall and how to integrate these two together. Asymmetric routing is where a packet takes one path to the destination and takes another path when returning to the source. This issue occurs when a subnet has a default route going to the firewall's private IP address and you're using a public load balancer. In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Since the firewall is stateful, it drops the returning packet because the firewall isn't aware of such an established session. Diagram: https://docs.microsoft.com/en-us/azure/firewall/media/integrate-lb/firewall-lb-asymmetric.png I think I understand this part and the necessity for DNAT rule. My understanding (numbers are flows shown on the diagram). Client makes a request to Azure Firewall Source IP: Client IP Destination IP: FW PiP Firewall DNATs and SNATs to Public Load Balancer Source IP: FW PiP Destination IP: LB PiP Public Load Balancer routes traffic to VM Private IP Source IP: FW PiP (as I understand, Azure Load Balancer always preserves Source IP) Destination IP: VM Private IP VM responds Source IP: VM Private IP Destination IP: FW PiP UDR routes flow to the Internet via FW PiP instead of routing it to FW Private IP Source IP: FW PiP Destination IP: Client IP So far so good. However, next docs describe how to integrate Azure Firewall with Internal Load Balancer: With an internal load balancer, the load balancer is deployed with a private frontend IP address. There's no asymmetric routing issue with this scenario. The incoming packets arrive at the firewall's public IP address, get translated to the load balancer's private IP address, and then returns to the firewall's private IP address using the same return path. And here I do not really understand why there's no asymmetrc routing with this scenario. What's the difference? Isn't it like I need a DNAT rule anyway in the step 2 to translate to Internal LB IP and then wherever I had LB PiP in the previous scenario now I will have Internal LB IP? If so, I do not understand why there is no asymmetric routing as incoming traffic enters Firewall using Public IP and then it's routed to Firewall Private IP. submitted by /u/0x4ddd [link] [comments]

I’ll preface by saying this is not my role and we likely don’t have the right resources. So are there any templates or guidelines that we can refer to when figuring out who should have what access. Our technical team seem to be looking for us to figure out and tell them lol. If anyone has resources they can point to that’ll be awesome. submitted by /u/mathjm [link] [comments]

Recently my az function app deploy has stated taking 26 min. ​ WARNING: Getting scm site credentials for zip deployment 21:31:16 WARNING: Starting zip deployment. This operation can take a while to complete ... 21:56:16 WARNING: Deployment endpoint responded with status code 202 21:56:24 INFO: Fetching changes. 21:56:28 INFO: Fetching changes. 21:56:38 INFO: Triggering recycle (preview mode disabled). 21:56:42 INFO: Command ran in 1550.888 seconds (init: 0.177, invoke: 1550.711) ​ How can I debug the cause? I already have it set to verbose but it doesn't show much... submitted by /u/spGT [link] [comments]

HI guys, I have a webapp that needs to connect to Azure SQL. I know that a private endpoint method works, but this can be costly since it costs $0.01/GB/Month, just for the data processed. I can telnet/tcpping the webapp from the console, or even the browser debug option, but this is not a valid test. From my understanding, you can telnet or TCP ping on 1433 to ANY Azure SQL connection URL, if public access is allowed, but then it will sift through the whitelisted public IPs after that. Meaning, you will always get a response unless you specifically deny public access. I have added my webapp to an outbound integration subnet, added the SQL Service Endpoint to that subnet, and cannot see any errors in the logs but am not sure if I am 100% connected. I am not familiar with the actual webapp or what database does what (that is on someone else)... my job is to just make sure connectivity is there. Thanks in advanced! submitted by /u/apdunshiz [link] [comments]

Passed the Az-500 last night. Bit of an odd one, I was getting stressed and demotivated at how hard the syllabus is and wanted to gauge how hard the exam actually is - it's got a rep as a very hard exam. Work pay for exams so I though best not get stressed, just have a demo sit through to see what it's like - no real expectation to pass. Exam was awful. On the 104 everything seemed quite fair as in you did not need to know specifics for many things, you needed to know the different between a load balances and app gateway, but not the entire different matrix between the SKU's. A lot of questions in this exam were like that, very very specific in nature. Also, a lot of things I could not even vaguely remember from the course prep, it was not like I remember reading it but the specific number had eluded me, I did not recognise the whole point of the question. Anyway, as it was a dummy run I did not put too much pressure on myself, I gave it a good pop but I was not getting stressed. I would say 1/3 of the exam I was confident in my answer, 1/3 was a 50/50 and 1/3 a complete and utter guess. This is a bad ratio. Finished the exam with 0% confidence I would pass, I was disheartened it had gone so badly. Low and behold passed in the high 700's. I have no idea how this happened, my only guess is that I got lucky with the weighting or something like that, no chance at all I got 80% of those questions correct. I used Az-500 official study guide, put these into remonote then practiced the flash cards, usual Youtube vids and Whizlabs for questions. The official exam labsd as well. It's hard to say if these are good tools as I feel I passed through luck rather than skill Anyway - say it with me "A pass is a pass" - chuffed I passed it but feel the exam experience was not great. Did not have the good experience feeling coming out of the 104. Good luck all future test takers! submitted by /u/jonsey39 [link] [comments]

We have a guest login with no password setup on about 100 computers that auto deletes and resets things when that account logs off. However, it also resets the printer that is needed by our clients, so each new login requires the user to double click the printer and install it. Is there a way to have that printer installed permanently to avoid this? Appreciate any thoughts/advice. submitted by /u/BBQingFool [link] [comments]

I've been reading about Gateway Load Balancer helping dealing with asymmetric routing problems when using firewalls/other NVAs. It looks great, however I'm curious if Gateway Load Balancer can work with Azure Firewall out-of-the box? Typically, the issue with Azure Firewall used only as an outbound firewall was that the Firewall was unaware of incoming packets and then it dropped outgoing packets. The resolution was to create public IPs on the Azure Firewall level and then route all incoming traffic through Azure Firewall. Then it had to DNAT to standard Load Balancer and application workload had an UDR routing all outbound traffic through firewall private IP address - https://docs.microsoft.com/en-us/azure/firewall/integrate-lb#fix-the-routing-issue Now, for several available NVAs it looks like this is possible to achieve with just a Gateway Load Balancer and chaining so we do not have to configure any DNAT or public IPs assigned to Gateway Load Balancer/NVAs. So the question is - does Azure Firewall work with Gateway Load Balancer? 😉 submitted by /u/0x4ddd [link] [comments]

We are attempting to simplify the OOBE process for users and I'm wondering if it is possible to pull dish the user related policies/applications during the autopilot stage. I've attempted to do this by assigning a user to the machine prior to the autopilot but it doesn't work. Any ideas? For context we are in a hybrid environment and want users to have their own primary device. submitted by /u/IronBalanski [link] [comments]

If yes then what are the steps for it ? Do I need to install anything on the host environment? submitted by /u/dipanshusheoran [link] [comments]

This is the only thread where you should post news about becoming certified. For everyone else, join us in celebrating the recent certifications!!! submitted by /u/AutoModerator [link] [comments]

I ran below command with success : az aks enable-addons -a monitoring -n <AKS Cluster> -g <resource group of AKS Cluster> --workspace-resource-id <resource-id-for loganalytics workspace> Then I also confirmed if omsagent is running: ​ https://preview.redd.it/v8x14cez7s191.png?width=1363&format=png&auto=webp&s=d5a4db05bc4c55ad578bf68e6b915a2a24c0d040 But while I am checking in the Loganalytics , I can not find the logs for my cluster: ​ https://preview.redd.it/2s9ejvqmks191.png?width=840&format=png&auto=webp&s=e920cd4d8cad451ff70802637223061c2dbf1be4 ​ https://preview.redd.it/rn1ikalans191.png?width=1426&format=png&auto=webp&s=2adbe4a4753f4f9a13a1af889a46cfee2492c5cd How can I see the pods or container logs. Do I need to enable containers to push the logs in Loganalytics or is there some easy way out. submitted by /u/Primary-Pace5228 [link] [comments]

Hello, I attended both Azure Cloud Week and Security Cloud Week and still didnt receive the vouchers. Has anyone got one already? Thanks submitted by /u/TechnicalJudge3 [link] [comments]