Migrating your IT infrastructure to the cloud has a ton of benefits. Whether you're looking to improve security and become GDPR compliant, cut your total cost of ownership, or promote teamwork and innovation by integrating AI capabilities, the cloud provides a solution to your IT problems.
Would you like to upgrade your IT infrastructure to the cloud? At CloudIQ Technologies, we have knowledgeable and professional team ready to help address any of your IT infrastructure upgrade needs. Contact us today to learn more.
Backing up on-premises resources to the cloud leverages the power and scale of the cloud to deliver high-availability with no maintenance or monitoring overhead. With Azure Backup service the benefits keep adding up, right from data security to centralized monitoring and management.
Azure Backup service uses the MARS agent to back up files, folders, and system state from on-premises machines and Azure VMs. The backups are stored in a Recovery Services vault.
In this article, we will look at how to back up on-premise files and folders using Microsoft Azure Recovery Services (MARS) agent.
There are two ways to run the MARS agent:
Directly on on-premises Windows machines.
On Azure VMs that run Windows side by side with the Azure VM backup extension.
Here is the step by step process.
Create a Recovery Services vault
1. Sign in to the Azure portal. 2. On the Recovery Services vaults dashboard, select "Add".
3. The Recovery Services vault dialog box opens. Provide values of the Name, Subscription, Resource group, and Location. 4. Select "Create".
Download the MARS agent
1. Download the MARS agent so that you can install it on the machines that you want to back up. 2. In the vault, select "Backup". 3. Select On-premises for “Where is your workload running?” 4. Select Files and folders for “What do you want to back up?” 5. Select "Prepare Infrastructure".
5. For “Prepare infrastructure”, under Install Recovery Services agent, download the MARS agent. 6. Select "Already downloaded or using the latest Recovery Services Agent", and then download the vault credentials. 7. Select "Save".
Install and register the agent
1. Run the MARSagentinstaller.exe file on the VM. 2. In the "MARS Agent Setup Wizard", select "Installation Settings". 3. Choose where to install the agent and choose a location for the cache. Select "Next".
The cache is for storing data snapshots before sending them to recovery services vault.
The cache location should have free space equal to at least 5 percent of the size of the data you'll back up.
4. For Proxy Configuration, specify how the agent that runs on the Windows machine will connect to the internet. Then select "Next".
5. For Installation, review, and select "Install". 6. After the agent is installed, select "Proceed to Registration".
7. In Register Server Wizard > Vault Identification, browse to and select the credentials file. Then select "Next".
8. On the "Encryption Setting" page, specify a passphrase(user-defined) which is used to encrypt and decrypt backups for the machine.
9. Save the passphrase in a secure location. It is needed while restoring a backup. 10. Select "Finish".
Create a backup policy
Steps to create a backup policy:
1. Open the MARS agent console. 2. Under "Actions", select "Schedule Backup".
3. In the "Schedule Backup Wizard", select "Getting started" and click "Next". 4. Under "Select Items to Back up", select "Add Items".
5. Select items to back up, and select OK.
6. On the "Select Items to Back Up" page, select "Next". 7. Specify when to take daily or weekly backups in the "Specify Backup Schedule" page and select "Next". 8. It is possible to schedule up to three daily backups per day and can run weekly backups too.
9. On the "Select Retention Policy" page, specify how to store copies of your data. And select "Next". 10. On the Confirmation page, review the information, and then select "Finish".
11. After the wizard finishes creating the backup schedule, select "Close".
We hope this step by step guide helps you back up on-premise files and folders using Microsoft Azure Recovery Services (MARS) agent.
Many businesses are struggling to find the talent and capacity to create and manage their machine learning models to actually unlock the insights within their data. Here is an infographic that shows how Microsoft Azure Machine Learning streamlines this process to make modeling accessible to all businesses.
What's holding your business back from using AI to turn your data into actionable insights? Azure Machine Learning makes AI more accessible to businesses of all sizes and experience levels by reducing cost and helping you create and manage your models. But you don't have to go it alone. We can help you assess your business needs and adopt the right AI solution. Contact us today to learn how we can help transform your business with AI.
The distributed nature of cloud applications requires a messaging infrastructure that connects the components and services, ideally in a loosely coupled manner in order to maximize scalability. In this article let’s explore the asynchronous messaging options in Azure.
At an architectural level, a message is a datagram created by an entity (producer), to distribute information so that other entities (consumers) can be aware and act accordingly. The producer and the consumer can communicate directly or optionally through an intermediary entity (message broker).
Messages can be classified into two main categories. If the producer expects an action from the consumer, that message is a command. If the message informs the consumer that an action has taken place, then the message is an event.
The producer sends a command with the intent that the consumer(s) will perform an operation within the scope of a business transaction.
A command is a high-value message and must be delivered at least once. If a command is lost, the entire business transaction might fail. Also, a command shouldn't be processed more than once. Doing so might cause an erroneous transaction. A customer might get duplicate orders or billed twice.
Commands are often used to manage the workflow of a multistep business transaction. Depending on the business logic, the producer may expect the consumer to acknowledge the message and report the results of the operation. Based on that result, the producer may choose an appropriate course of action.
An event is a type of message that a producer raises to announce facts.
The producer (known as the publisher in this context) has no expectations that the events will result in any action.
Interested consumer(s), can subscribe, listen for events, and take actions depending on their consumption scenario. Events can have multiple subscribers or no subscribers at all. Two different subscribers can react to an event with different actions and not be aware of one another.
The producer and consumer are loosely coupled and managed independently. The consumer isn't expected to acknowledge the event back to the producer. A consumer that is no longer interested in the events, can unsubscribe. The consumer is removed from the pipeline without affecting the producer or the overall functionality of the system.
There are two categories of events:
The producer raises events to announce discrete facts. A common use case is event notification. For example, Azure Resource Manager raises events when it creates, modifies, or deletes resources. A subscriber of those events could be a Logic App that sends alert emails.
The producer raises related events in a sequence, or a stream of events, over a period of time. Typically, a stream is consumed for statistical evaluation. The evaluation can be done within a temporal window or as events arrive. Telemetry is a common use case, for example, health and load monitoring of a system. Another case is event streaming from IoT devices.
A common pattern for implementing event messaging is the Publisher-Subscriber pattern.
Role and benefits of a message broker
An intermediate message broker provides the functionality of moving messages from producer to consumer and can offer additional benefits.
A message broker decouples the producer from the consumer in the logic that generates and uses the messages, respectively. In a complex workflow, the broker can encourage business operations to be decoupled and help coordinate the workflow.
Producers may post a large number of messages that are serviced by many consumers. Use a message broker to distribute processing across servers and improve throughput. Consumers can run on different servers to spread the load. Consumers can be added dynamically to scale out the system when needed or removed otherwise.
The volume of messages generated by the producer or a group of producers can be variable. At times there might be a large volume causing spikes in messages. Instead of adding consumers to handle this work, a message broker can act as a buffer, and consumers gradually drain messages at their own pace without stressing the system.
A message broker helps ensure that messages aren't lost even if communication fails between the producer and consumer. The producer can post messages to the message broker and the consumer can retrieve them when communication is re-established. The producer isn't blocked unless it loses connectivity with the message broker.
A message broker can add resiliency to the consumers in your system. If a consumer fails while processing a message, another instance of the consumer can process that message. The reprocessing is possible because the message persists in the broker.
Technology choices for a message broker
Azure provides several message broker services, each with a range of features.
Azure Service Bus
Azure Service Bus queues are well suited for transferring commands from producers to consumers. Here are some considerations.
A consumer of a Service Bus queue constantly polls Service Bus to check if new messages are available. The client SDKs and Azure Functions trigger for Service Bus abstract that model. When a new message is available, the consumer's callback is invoked, and the message is sent to the consumer.
Service Bus allows a consumer to peek the queue and lock a message from other consumers.
It's the responsibility of the consumer to report the processing status of the message. Only when the consumer marks the message as consumed, Service Bus removes the message from the queue. If a failure, timeout, or crash occurs, Service Bus unlocks the message so that other consumers can retrieve it. This way messages aren't lost in the transfer.
If you want consumers to get the messages in the order they are sent, Service Bus queues guarantee first-in-first-out (FIFO) ordered delivery by using sessions. A session can have one or more messages.
Service bus queues support temporal decoupling. Even when a consumer isn't available or unable to process the message, it remains in the queue.
Checkpoint long-running transactions
Business transactions can run for a long time. Each operation in the transaction can have multiple messages. Use checkpointing to coordinate the workflow and provide resiliency in case a transaction fails.
Service Bus bridges on-premises systems and cloud solutions. On-premises systems are often difficult to reach because of firewall restrictions. Both the producer and consumer (either can be on-premises or the cloud) can use the Service Bus queue endpoint as the pickup and drop off location for messages.
Topics and subscriptions
Service Bus supports the Publisher-Subscriber pattern through Service Bus topics and subscriptions.
Azure Event Grid
Azure Event Grid is recommended for discrete events. Event Grid follows the Publisher-Subscriber pattern. When event sources trigger events, they are published to Event grid topics. Consumers of those events create Event Grid subscriptions by specifying event types and an event handler that will process the events. If there are no subscribers, the events are discarded. Each event can have multiple subscriptions.
Event Grid propagates messages to the subscribers in a push model. Suppose you have an event grid subscription with a webhook. When a new event arrives, Event Grid posts the event to the webhook endpoint.
Create custom Event Grid topics, if you want to send events from your application or an Azure service that isn't integrated with Event Grid.
Event Grid can route 10,000,000 events per second per region. The first 100,000 operations per month are free.
Even though successful delivery for events isn't as crucial as commands, you might still want some guarantee depending on the type of event. Event Grid offers features that you can enable and customize, such as retry policies, expiration time, and dead lettering.
Azure Event Hubs
When working with an event stream, Azure Event Hubs is the recommended message broker. Essentially, it's a large buffer that's capable of receiving large volumes of data with low latency. The data received can be read quickly through concurrent operations. You can transform the data received by using any real-time analytics provider. Event Hubs also provides the capability to store events in a storage account.
Event Hubs are capable of ingesting millions of events per second. The events are only appended to the stream and are ordered by time.
Like Event Grid, Event Hubs also offers Publisher-Subscriber capabilities. A key difference between Event Grid and Event Hubs is in the way event data is made available to the subscribers. Event Grid pushes the ingested data to the subscribers whereas Event Hub makes the data available in a pull model. As events are received, Event Hubs appends them to the stream. A subscriber manages its cursor and can move forward and back in the stream, select a time offset, and replay a sequence at its pace.
A partition is a portion of the event stream. The events are divided by using a partition key. For example, several IoT devices send device data to an event hub. The partition key is the device identifier. As events are ingested, Event Hubs move them to separate partitions. Within each partition, all events are ordered by time.
Event Hubs Capture
The Capture feature allows you to store the event stream to Azure Blob storage or Data Lake Storage. This way of storing events is reliable because even if the storage account isn't available, Capture keeps your data for a period, and then writes to the storage after it's available.
We hope this quick start guide helps you get stated on azure messaging and event driven architecture.
Azure Databricks lets you spin up clusters and build quickly in a fully managed Apache Spark environment with the global scale and availability of Azure. And of course, for any production-level solution, monitoring is a critical aspect.
Azure Databricks comes with robust monitoring capabilities for custom application metrics, streaming query events, and application log messages. It allows you to push this monitoring data to different logging services.
In this article, we will look at the setup required to send application logs and metrics from Microsoft Azure Databricks to a Log Analytics workspace.
dbfs configure –token It will ask for Databricks workspace URL and Token Use the personal access token that was generated when setting up the prerequisites You can get the URL from Azure portal > Databricks service > Overview
dbfs cp <local path to spark-monitoring.sh> dbfs:/databricks/spark-monitoring/spark-monitoring.sh
Use Databricks CLI to copy all JAR files generated
dbfs cp --overwrite --recursive <local path to target folder> dbfs:/databricks/spark-monitoring/
Create and configure the Azure Databricks cluster
to your Azure Databricks workspace in the Azure Portal.
home page, click on "new cluster".
name for your cluster and enter it in the text box titled "cluster
"Databricks Runtime Version" dropdown, select 5.0 or later (includes
Apache Spark 2.4.0, Scala 2.11).
5 Under "Advanced Options", click on the "Init Scripts" tab. Go to the last line under the "Init Scripts section" and select "DBFS" under the "destination" dropdown. Enter "dbfs:/databricks/spark-monitoring/spark-monitoring.sh" in the text box. Click the "Add" button.
6 Click the "create cluster" button to create the cluster. Next, click on the "start" button to start the cluster.
Now you can run the jobs in the cluster and can get the logs in the Log Analytics workspace
We hope this article helps you set up the right configurations to send application logs and metrics from Azure Databricks to your Log Analytics workspace.
This infographic outlines a day in the life of a remote worker using Microsoft Teams to collaborate, create, and be more productive while working at home. See how this individual uses multiple features to stay connected with the team and work efficiently
The daily life of most workers has changed drastically as COVID19 has made employees move to home offices. But your team can still get work done. Microsoft Teams can make it possible. Contact us to enable MS teams for your organization.
Databricks is a web-based platform for working with Apache Spark, that provides automated cluster management and IPython-style notebooks. To understand the basics of Apache Spark, refer to our earlier blog on how Apache Spark works
Databricks is currently available on Microsoft Azure and Amazon AWS. In this blog, we will look at some of the components in Azure Databricks.
A Databricks Workspace is an environment for accessing all Databricks assets. The Workspace organizes objects (notebooks, libraries, and experiments) into folders, and provides access to data and computational resources such as clusters and jobs.
Create a Databricks workspace
The first step to using Azure Databricks is to create and deploy a Databricks workspace. You can do this in the Azure portal.
In the Azure portal, select Create a resource > Analytics > Azure Databricks.
Under Azure Databricks Service, provide the values to create a Databricks workspace.
a. Workspace Name: Provide a name for your workspace. b. Subscription: Choose the Azure subscription in which to deploy the workspace. c. Resource Group: Choose the Azure resource group to be used. d. Location: Select the Azure location near you for deployment. e. Pricing Tier: Standard or Premium
Once the Azure Databricks service is created, you will get the screen given below. Clicking on the Launch Workspace button will open the workspace in a new tab of the browser.
A Databricks cluster is a set of computation resources and configurations on which we can run data engineering, data science, and data analytics workloads, such as production ETL pipelines, streaming analytics, ad-hoc analytics, and machine learning.
To create a new cluster:
Select Clusters from the
left-hand menu of Databricks' workspace.
Select Create Cluster to
add a new cluster.
We can select the Scala and Spark versions by selecting the appropriate Databricks Runtime Version while creating the cluster.
A notebook is a web-based interface to a document that contains runnable code, visualizations, and narrative text. We can create a new notebook using either the “Create a Blank Notebook” link in the Workspace (or) by selecting a folder in the workspace and then using the Create >> Notebook menu option.
While creating the notebook, we must select a cluster to which the notebook is to be attached and also select a programming language for the notebook – Python, Scala, SQL, and R are the languages supported in Databricks notebooks.
The workspace menu also provides us the option to import a notebook, by uploading a file (or) specifying a file. This is helpful if we want to import (Python / Scala) code developed in another IDE (or) if we must import code from an online source control system like git.
In the below notebook we have python code executed in cells Cmd 2 and Cmd 3; a python spark code executed in Cmd 4. The first cell (Cmd 1) is a Markdown cell. It displays text which has been formatted using markdown language.
Even though the above notebook was created with Language as python, each cell can have code in a different language using a magic command at the beginning of the cell. The markdown cell above has the code below where %md is the magic command:
%md Sample Databricks Notebook
The following provides the list of supported magic commands:
%python - Allows us to execute Python code in the cell.
%r - Allows us to execute R code in the cell.
%scala - Allows us to execute Scala code in the cell.
%sql - Allows us to execute SQL statements in the cell.
%sh - Allows us to execute Bash Shell commands and code in the cell.
%fs - Allows us to execute Databricks Filesystem commands in the cell.
%md - Allows us to render Markdown syntax as formatted content in the cell.
%run - Allows us to run another notebook from a cell in the current notebook.
To make third-party or locally built code available (like .jar files) to notebooks and jobs running on our clusters, we can install a library. Libraries can be written in Python, Java, Scala, and R. We can upload Java, Scala, and Python libraries and point to external packages in PyPI, or Maven.
To install a library on a cluster, select the cluster going through the Clusters option in the left-side menu and then go to the Libraries tab.
Clicking on the “Install New” option provides us with all the options available for installing a library. We can install the library either uploading it as a Jar file or getting it from a file in DBFS (Data Bricks File System). We can also instruct Databricks to pull the library from Maven or PyPI repository by providing the coordinates.
During code development, notebooks are run interactively in the notebook UI. A job is another way of running a notebook or JAR either immediately or on a scheduled basis.
We can create a job by selecting Jobs from the left-side menu and then provide the name of job, notebook to be run, schedule of the job (daily, hourly, etc.)
Once the jobs are scheduled, the jobs can be monitored using the same Jobs menu.
6. Databases and tables
A Databricks database is a collection of tables. A Databricks table is a collection of structured data. Tables are equivalent to Apache Spark DataFrames. We can cache, filter, and perform any operations supported by DataFrames on tables. You can query tables with Spark APIs and Spark SQL.
Databricks provides us the option to create new Tables by uploading CSV files; Databricks can even infer the data type of the columns in the CSV file.
All the databases and tables created either by uploading files (or) through Spark programs can be viewed using the Data menu option in Databricks workspace and these tables can be queried using SQL notebooks.
We hope this article helps you getting started with Azure Databricks. You can now spin up clusters and build quickly in a fully managed Apache Spark environment with the global scale and availability of Azure.
To keep business critical applications running 24/7/365 it is important for organizations to have a sound business continuity and disaster recovery strategy. In this article we will discuss how to set up disaster recovery for Azure VM in secondary region.
We will use Azure Site Recovery that helps manage and orchestrate disaster recovery of on-premises machines and Azure virtual machines (VM), including replication, failover, and recovery.
Recovery services vault
A Virtual machine
To replicate a VM to secondary region, prepare site recovery infrastructure. In this case we are replicating from one azure region to another.
For replication from Azure to Azure, one can directly go to recovery service vault and replicate the VM.
Terraform is an open-source tool for managing cloud infrastructure. Terraform uses Infrastructure as Code (IaC) for building, changing and versioning infrastructure safely. Terraform is used to create, manage, and update infrastructure resources such as virtual machines, virtual networks, and clusters.
The Terraform CLI provides a simple mechanism to deploy and version the configuration files to Azure. And with AzureRM you can create, modify and delete azure resources in Terraform configuration.
The infrastructure that Terraform can manage, includes low-level components such as compute instances, storage, and networking, as well as high-level components such as DNS entries, SaaS features, etc.
Providers in Terraform
A provider is responsible for understanding API interactions and exposing resources. Providers generally are an IaaS
For each provider, there are many kinds of resourcesyou can create. Here is the general Syntax for terraform resources.
Where PROVIDER is the name of a provider (e.g., Azure), TYPE is the type of resources to create in that provider (e.g., Instance), NAME is an identifier you can use throughout the Terraform code to refer to this resource and CONFIG consists of one or more argumentsthat are specific to that resource.
Infrastructure as Code
Infrastructure is described using a high-level configuration syntax. This allows a blueprint of your datacenter to be versioned and treated as you would any other code. Additionally, infrastructure can be shared and re-used.
Terraform has a "planning" step where it generates an execution plan. The execution plan shows what Terraform will do when you call apply. This lets you avoid any surprises when Terraform manipulates infrastructure.
Terraform builds a graph of all your resources and parallelizes the creation and modification of any non-dependent resources. Because of this, Terraform builds infrastructure as efficiently as possible, and operators get insight into dependencies in their infrastructure.
Complex changesets can be applied to your infrastructure with minimal human interaction. With the previously mentioned execution plan and resource graph, you know exactly what Terraform will change and in what order, avoiding many possible human errors.
The primary module structure requirement is that a “root module” must exist. The root module is the directory that holds the Terraform configuration files that are applied to build your desired infrastructure. Any module should include, at a minimum, a “main.tf”, a “variables.tf” and “outputs.tf” file.
main.tf calls modules, locals, and data-sources to create all resources. If using nested modules to split up your infrastructure’s required resources, the “main.tf” file holds all your module blocks and any needed resources not contained within your nested modules.
variables.tf contains the input variable and output variable declarations.
outputs.tf tells Terraform what data is important. This data is outputted when “apply” is called and can be queried using the Terraform “output” command. It contains outputs from the resources created in main.tf.
TFVARS File - To persist variable values, create a file and assign variables within this file. Within the current directory, for all files that match terraform.tfvars or *.auto.tfvars, terraform automatically loads them to populate variables.
Modules are subdirectories with self-contained Terraform code. A module is a container for multiple resources that are used together. The root module is the directory that holds the Terraform configuration files that are applied to build your desired infrastructure. The root module may call other modules and connect them by passing output values from one as input values of another.
In production, we may need to manage multiple environments, and different products with similar infrastructure. Writing code to manage each of these similar configurations increases redundancy in the code. And finally, we need the capability to test different versions while keeping the production infrastructure stable.
Terraform provides modules that allow us to abstract away re-usable parts, which can be configured once, and used everywhere. Modules allow us to group resources, define input variables which are used to change resource configuration parameters and define output variables that other resources or modules can use.
Modules can also call other modules using a “module” block, but we recommend keeping the module tree relatively flat and using module composition as an alternative to a deeply nested tree of modules, because this makes the individual modules easier to re-use in different combinations.
Terraform Workflow :
There are steps to build infrastructure with terraform
Initialize the Terraform configuration directory using Terraform “init”.
Init will create a hidden directory “.terraform” and download plugins as needed by the configuration. Init also configures the “-backend-config” option and can be used for partial backend configuration.
backend-dev.config - This file contains the details shown in the screenshot below.
The terraform plan command is used to create an execution plan. The plan will be used to see all the resources that are getting created/updated/deleted, before getting applied. Actual creation will happen in the “apply” command.
The var file given will define resources that are unique for each team.
terraform plan -var-file="parentvarvalues.tfvars"
This file includes all global variables and Azure subscription details.
The Terraform “apply” command is used to apply changes in the configuration. You’ll notice that the “apply” command shows you the same “plan” output and asks you to confirm if you want to proceed with this plan.
The “-auto-approve” parameter will skip the confirmation for creating resources. It’s better not to have it when you want to apply directly, without “plan”.
Terraform stores the resources it manages into a state file. There are two types of state files: “remote” and “local”. While the “local” state is great for an isolated developer, the “remote” state is quite indispensable for a team, as each member will need to share the infrastructure state whenever there is a change.
Terraform compares those changes with the state file to determine what changes result in a new resource or resource modifications. Terraform stores the state about our managed infrastructure and configuration. This state is used by Terraform to map real-world resources to our configuration, keep track of metadata, and to improve performance for large infrastructures.
The terraform import command is used to import existing infrastructure. This allows you to take resources you've created by some other means and bring it under Terraform management. This is a great way to slowly transition infrastructure to Terraform.
You want to import the state that already exists, so that the next time you the “apply” command, terraform already knows that the resource exists, and any changes made going forward will be picked up as modifications.
79% of analytics users encounter data questions they can't solve each month. How are you helping your team to uncover insights from data?
Moving data isn't always easy. There are more than 340 types of databases in use today and moving data across them presents challenges for any IT team. At CloudIQ Technologies, we have years of experience helping businesses find the IT solutions that can keep up with their constantly evolving business practice. Whether you need a solution for storage, data transfer, or just need to gain better insights from your data, we can help.
KEXP is known internationally for their music and authenticity. To help bring their global audience the music they want, KEXP needed to find a solution that could bring all of their services online. While they eventually accomplished their goal, they did run into roadblocks along the way.
Your partners at CloudIQ Technologies and Microsoft can help you overcome any obstacle. With years of industry experience, you can be rest assured knowing your custom IT solution will be up and running in no time. Contact us today to find out more on how we can help.
Cloud security is a major challenge for organizations running mission critical applications on cloud. One of the biggest risks from hackers come via open ports, and Microsoft Azure Security Center provides a great option to manage this threat – Just-in-Time VM access!
What is Just-in-Time VM access?
With Just-in-Time VM access, you can define what VM and what ports can be opened and controlled and for how long. The Just-in-Time access locks down and limits the ports of Azure virtual machines in order to overcome malicious attacks on the virtual machine, therefore only providing access to a port for a limited amount of time. Basically, you block all inbound traffic at the network level.
When Just-In-Time access is enabled, every user's request for access will be routed through Azure RBAC, and access will be granted only to users with the right credentials. Once a request is approved, the Security Center automatically configures the NSGs to allow inbound traffic to these ports - only for the requested amount of time, after which it restores the NSGs to their previous states.
The just-in-time option is available only for the standard security center tier and is only applicable for VMs deployed via Azure resource manager.
What are the permissions needed to configure and use JIT?
To enable a user to:
Permissions to set
Configure or edit a JIT policy for a VM
Assign these actions to the role: On the scope of a subscription or resource group that is associated with the VM: Microsoft.Security/locations/jitNetworkAccessPolicies/write On the scope of a subscription or resource group of VM: Microsoft.Compute/virtualMachines/write
Request JIT access to a VM
Assign these actions to the user: On the scope of a subscription or resource group that is associated with the VM: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action On the scope of a subscription or resource group that is associated with the VM: Microsoft.Security/locations/jitNetworkAccessPolicies/*/read On the scope of a subscription or resource group or VM: Microsoft.Compute/virtualMachines/read On the scope of a subscription or resource group or VM: Microsoft.Network/networkInterfaces/*/read
Why Just-in-Time access?
Consider the scenario where a virtual machine is deployed in Azure, and the management port is opened for all IP addresses all the time. This leaves the VM open for brute force attack.
The brute force attack is usually targeted to Management ports like SSH (22) and RDP (3389). If the attacker compromises the security, the whole VM will be open to them. Even though we might have NSG firewalls enabled in our Azure infrastructure, it’s best to limit the exposure of management port within the team for a limited amount of time.
How to enable JIT?
Just-In-Time access can be implemented in two ways,
Go to Azure security center and click on Just-in-Time VM
2. Go to the VM, then click on configuration and “Enable JIT”
How to set up port restrictions?
Go to Azure security center and click on recommendations for Compute &Apps.
Select the VM and click Enable JIT on VMs.
It will then show a list of recommended ports. It is possible to add additional ports as per requirement. The default port list is show below.
Now click on the port that you wish to restrict. A new tab will appear with information on the protocol to be allowed, allowed source IP (per IP address, or a CIDR range).
The main thing to note is the request time. The default time is 3 hours; it can be increased or decreased as per the requirement. Then click, OK.
Click OK and the VM will appear in the Just-in-Time access window in the security center.
What changes will happen in the infrastructure when JIT is enabled?
The Azure security center will create a new Deny rule with a priority less than the original Management port's Allow rule in the Network security group’s Inbound security rule.
If the VM is behind an Azure firewall, the same rule overwrite occurs in the Azure firewall as well.
How to connect to the JIT enabled VM?
Go to Azure security center and navigate to Just-in-Time access.
Select the VM that you need to access and click on “Request Access”
This will take you to the next page where extra details need to be provided for connectivity such as,
Click ON Toggle
Provide Allowed IP ranges
Select time range
Provide a justification for VM Access
Click on Open Ports
This process will overwrite the NSG Deny rule and create a new Allow rule with less priority than the Deny All inbound rule or the selected port.
The above-mentioned connectivity process includes two things
My IP options
In this option, we can provide either a single IP or a CIDR block.
Case 1: If you’re connected to Azure via a public network, i.e., without any IP sec tunnel, while selecting MY IP, the IP address that is to be registered will be the Public IP address of the device you're connecting from.
Case 2: If you’re connected to Azure via a VPN/ IP Sec tunnel/ VNET Gateway, you can’t possibly use MY IP option. Since the MY IP option directly captures the Public IP and it can’t be used. In this scenario, we need to provide the private IP address of VPN gateway for a single user, or to allow a group of users, provide private IP CIDR Block of the whole organization.
How to monitor who's requested the access?
The users who request access are registered as Activity. To view the activities in Log analytics workspace, link the Subscription Activity to Log analytics.
It is possible to view the list of users accessed in the log analytics workspace with the help of Kusto Query Language(KQL), once it is configured to send an activity log to log analytics.
CloudIQ is a leading Cloud Consulting and Solutions firm that helps businesses solve today’s problems and plan the enterprise of tomorrow by integrating intelligent cloud solutions. We help you leverage the technologies that make your people more productive, your infrastructure more intelligent, and your business more profitable.