Cloud war is not a myth. Vendors are doing every day their best to provide the best solutions to answer their customer’s needs and to take as much as possible of the market share.
When we talk about cloud providers, most of us will think about AWS, Azure, GCP, or even Alibaba Cloud but we forget to think about a platform that as per Gartner is a “Viable Option When Evaluating Public Cloud Providers” which is OCI.
When oracle started the Cloud journey, its focus was to provide a platform designed for and dedicated to oracle solutions (DBs,…) but the focus changed to be a cloud infrastructure platform in order to compete with public cloud providers like AWS.
Oracle has provided a document on which they give the top 10 reasons to adopt their cloud.
One of these interesting arguments is the PRICE! in the following link, you will be able to understand how 8×8 or Zoom have done a huge economy on network egress cost.
In the next articles, I will start showcasing how to build your first infrastructure on OCI and how to use Terraform to automate this.
As a continuation of my previous post, I will show you how to install Ansible and how to install the win_chocolatey module.
We will focus on the VM in the purple circle in the following schema.
To start with, I have deployed a CentOs 8 VM on which I have used the following commands to install Ansible:
Ansible is available in the EPEL repository of CentOS 8. So, you can easily install Ansible on CentOS 8.
First, update the DNF package repository cache with the following command:
sudo dnf makecache
Now, to enable EPEL repository, install the epel-release package with the following command:
 sudo dnf install epel-release
To confirm the installation, press Y and then press <Enter>. After that, epel-release package should be installed and the EPEL repository should be enabled.
Now, update the DNF package repository cache again with the following command:
sudo dnf makecache
Now, install Ansible with the following command:
sudo dnf install ansible
To confirm the installation, press Y and then press <Enter>. Follow the process till you reach the end of the installation.
Now, run the following command:
 ansible --version
As you can see, I am running Ansible 2.9.17 and it’s working just fine.
For Centos7, please check this link to perform the installation process.
A discussion with a dear friend triggered the idea of this article. We discussed together how to automate the usage of chocolatey in azure to maintain the homogeneity of an IT environment while using an internal repository instead of fetching files each time from the internet.
Once I get back home; I started a POC on my Azure subscription. Hereafter a simplified architecture schema of my solution.
Basically, we have a chocolatey server hosted in a separate virtual network that has access to the internet so it can be able to download chocolatey packages. In a separate network the ansible server and our target servers on which we need to deploy packages using ansible.
Humm, it is simple and easy, isn’t it? Well, the answer is yes and no 🙂 I will explain in the coming sections of the article.
I suppose that you know how to deploy the virtual networks, network security group, resource group, and virtual machines. If not hereafter some links to help you achieve that:
Once the installation is done, you will be able to access the default page of the server using HTTP://[VM_IP]
In the next part of this article, I will continue discussing the deployment of Ansible, the configuration of the VM, and the execution of win_chocolatey. Stay tuned 🙂
A new era is about to begin in the world of IT. Passwords will be considered as a relic of the past.
With Quantum computing, even the strongest passwords will be easily predictable. The solution comes by eliminating authentication systems using passwords and moving to MFA (Multi-Factor Authentication) and passwordless authentication.
81% of hacking-related breaches used either stolen or weak passwords
Source: Verizon 2017 Data Breach Investigations Report
You can reduce your odds of being compromised by up to 99.9% by implementing multi-factor authentication(MFA).
Source: Microsoft 2018 Security Research
Advanced technologies are being put in place using biometrics, PIN, public/private key cryptography and Fast Identity Online (FIDO2). In my blog post, I will focus on the FIDO2 which is an open authentication standard, hosted by the FIDO Alliance, which consists of the W3C Web Authentication specification (WebAuthn API), and the Client to Authentication Protocol (CTAP).
CTAP is an application layer protocol used for communication between a client (browser) or a platform (operating system) with an external authenticator such as the YubiKey 5 Series, and the Security Key Series by Yubico. Yubico is a core contributor to the FIDO2 open authentication protocol.
Enough with the theory, let’s move to the practical part.
I bought the security key by yubico from https://www.yubico.com/store/. The entry version is for 20$. I received it within a week.
and then I followed these steps:
1) First, I got to access this link yubico.com/start where I clicked on the picture Security key series
2)Â Second, IÂ selected the app I want to apply the passwordless authentication on from the list below:
5) I followed the steps and I received the recovery codes in case I lose the physical key and then I enabled the SMS two-factor authentication
6) In my GitHub, I clicked on settings located in the parameter tab
7) then in the security key section, I entered a nickname for the security key and clicked on ADD. At this level, I was requested to insert my security key in the USB port.
8) The next step was to touch the security key
9) Finally, the key was registered.
10) I disconnected from my Github and tried to reconnect. The screen of Two-factor authentication directed me to click on the Use security key
11) I inserted the key and finally, I successfully logged in to my GitHub
MFA and passwordless are the future of IT security, Companies must be aware of it and they need to implement these technologies.
Microsoft has published a desktop client to access your Azure portal.
In the beginning, I thought to myself that this would be an app that only loads the web UI. However, after using it for a couple of days, it proved to be delivering much better response time for loading UI and blades than the Web-based portal. This app includes also the Azure shell.
I have given, in my previous article, a quick guide to using the Azure Bastion Service.
In the new article, I will focus on how to automate the deployment on Azure bastion using not only ARM templates but also Hashicorp Terraform.
So let’s get started with some definitions! 🙂
Azure Bastion, now in preview, is a managed PaaS that connects customers’ VMs via the Remote Desktop Protocol (RDP) and Secure Shell (SSH) network protocols, and it uses Secure Sockets Layer encryption in the process, Microsoft said. It’s inspired by bastion hosts and jump boxes, long a networking staple for companies that want to place dedicated gateways between the public internet and their private networks.
ARM Templates, stands for Azure Resource Manager templates, are a way to declare the objects you want, the types, names, and properties in a JSON file which can be checked into source control and managed like any other code file. ARM Templates are what gives us the ability to roll out Azure “Infrastructure as code”.
The first one is the template file, which containsthe resources that will be created:
1- The public IP address.
2- The virtual network associated with the AZ bastion and its different subnets.
3- The Azure Bastion.
The second one, contains the parameters needed to deploy the resources and which need to be personalized..
Now, let’s deploy the template.
To deploy a customized template through the portal, select Create a resource, search for a template. and then select Template deployment.
Select Create.
You see several options for creating a template choose to Build your own template in the editor: create a template using the portal template editor. The editor is capable to add a resource template schema.
Select the Edit template to explore the portal template editor. The template is loaded in the editor.
Make a minor change to the template. For example, update the {{changeIT }} by adding your subscription id.
Select Save. Now you see the portal template deployment interface. Notice the two parameters that you defined in the template.
Enter or select the property values:
Subscription: Select an Azure subscription.
Resource group: Select Create new and give a name.
…
I agree to the terms and conditions stated above: (select)
Finally, click on purchase and your Azure Bastion will be deployed.
I hope this article gives you an overview and a quick-start to deploy ARM template. Stay tuned for my next article, I will focus on how to deploy the Azure Bastion using Terraform.
You don’t want to assign a public IP to each virtual machine on Azure? You want a secure way to manage your VMS? This article will help you implement the brand new Azure service to get a private and fully managed service which will allow you to access VMS directly from the Azure portal using your browser over the SSL protocol.
So let’s start with some theoretical aspects, the Azure bastion is advantageous in many ways :
RDP and SSH sessions over SSL on port 443 via the Azure portal; so from any modern browser you will be able to access your VMS.
Azure Bastion is fully managed by Microsoft which means that you will no longer need to manage Network security groups (NSGs) and much more administrative tasks.
Your VMs will be protected against port scanning.
No need to assign Public IP to your Azure VMs.
The Architecture as designed by Microsoft:
Azure Bastion is currently in public preview and limited to some regions:
After the theoretical part, let’s answer the question How to deploy the AZ Bastion?
First, you will need to deploy the service in your virtual network ( a subnet called AzureBastionSubnet with at least /27 must be created) :
Second, since it’s natively integrated, the platform will automatically detect if the Azure Bastion is deployed on the virtual network your virtual machine and in the connect menu you will get Bastion as a connection option.
Now you can enter your username and password to log in. This will open a web-based SSL RDP Session in the Azure Portal.
And as previously mentioned in this article, there is no need to have a Public IP address assigned to your virtual machine.
I hope this article gives you an overview of the azure bastion. If you want to know more check out the Microsoft documentation. If you have any questions or feedback, feel free to leave a comment or contact me.
In my next article, I will explain how to automate the deployment of the Azure Bastion using ARM template and terraform.
