Makram.cloud

Cloud and Automation Blog

ORACLE CLOUD: A Cloud provider that won’t deceive you – PART1

Hello,

The cloud war is not a myth. Every day, vendors do their best to provide the solutions that answer their customers’ needs and to capture as much of the market share as possible.

When we talk about cloud providers, most of us think of AWS, Azure, GCP, or even Alibaba Cloud, but we forget a platform that Gartner rates as a “Viable Option When Evaluating Public Cloud Providers”: OCI.

When Oracle started its cloud journey, its focus was to provide a platform designed for and dedicated to Oracle solutions (databases, …), but the focus shifted to a cloud infrastructure platform that competes with public cloud providers like AWS.

Oracle has published a document giving the top 10 reasons to adopt its cloud.

One of these interesting arguments is the PRICE! In the following link, you will see how 8×8 and Zoom achieved huge savings on network egress costs.

In the next articles, I will start showcasing how to build your first infrastructure on OCI and how to use Terraform to automate this.

Stay Tuned! 🙂

HOW TO AUTOMATE CHOCOLATEY ON AZURE USING ANSIBLE? – PART2

Hello,

As a continuation of my previous post, I will show you how to install Ansible and how to install the win_chocolatey module.

We will focus on the VM in the purple circle in the following schema.

To start with, I deployed a CentOS 8 VM on which I used the following commands to install Ansible:

Ansible is available in the EPEL repository of CentOS 8. So, you can easily install Ansible on CentOS 8.

First, update the DNF package repository cache with the following command:

sudo dnf makecache

Now, to enable EPEL repository, install the epel-release package with the following command:

sudo dnf install epel-release

To confirm the installation, press Y and then press <Enter>. After that, epel-release package should be installed and the EPEL repository should be enabled.

Now, update the DNF package repository cache again with the following command:

sudo dnf makecache

Now, install Ansible with the following command:

sudo dnf install ansible

To confirm the installation, press Y and then press <Enter>. Follow the process till you reach the end of the installation.

Now, run the following command:

ansible --version

As you can see, I am running Ansible 2.9.17 and it’s working just fine.

For CentOS 7, please check this link to perform the installation process.

Now, I will install the chocolatey.chocolatey collection, which provides the win_chocolatey module:

ansible-galaxy collection install chocolatey.chocolatey

Stay tuned for the next article where we will define our target VMs and connect using winrm. 🙂

HOW TO AUTOMATE CHOCOLATEY ON AZURE USING ANSIBLE? – PART1

Hello,

A discussion with a dear friend triggered the idea of this article. We discussed how to automate the use of Chocolatey in Azure to maintain the homogeneity of an IT environment while using an internal repository instead of fetching files from the internet each time.

Once I got back home, I started a POC on my Azure subscription. Here is a simplified architecture schema of my solution.

Basically, we have a Chocolatey server hosted in a separate virtual network with internet access, so it can download Chocolatey packages. In a separate network sit the Ansible server and the target servers on which we need to deploy packages using Ansible.

Hmm, it is simple and easy, isn’t it? Well, the answer is yes and no 🙂 I will explain in the coming sections of the article.

I assume that you know how to deploy virtual networks, network security groups, resource groups, and virtual machines. If not, here are some links to help you:

https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-portal

Well, enough documentation; let’s move on to the installation of the Chocolatey server:

1- Install Chocolatey:

The installation is pretty easy; please check this link for the prerequisites.

https://docs.chocolatey.org/en-us/choco/setup

Then run this command with administrative rights in PowerShell.

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

2- Install chocolatey.server

Now, installing the server version is pretty easy.

https://chocolatey.org/packages/chocolatey.server

choco install chocolatey.server

Once the installation is done, you will be able to access the default page of the server at http://[VM_IP]

In the next part of this article, I will continue with the deployment of Ansible, the configuration of the VM, and the execution of win_chocolatey. Stay tuned 🙂

Azure Advent Calendar

Today is the 25th of December and it’s my turn for the awesome initiative by Gregor Suttie and Richard Hooper that is the Azure Advent Calendar.

In a 17-minute session, I discussed automation on Azure, giving details on the topics below:

  • Common Scenarios for Automation
  • ARM Templates
  • Azure Automation
  • Terraform
  • Ansible

You will find the full presentation and links on my GitHub:

https://github.com/makramjenayah/AzureAdventCalendar

Cheers 🙂

Passwordless – A new era is about to begin

A new era is about to begin in the world of IT: passwords will be considered a relic of the past.

With quantum computing, even the strongest passwords will be easily predictable. The solution is to eliminate password-based authentication systems and move to MFA (Multi-Factor Authentication) and passwordless authentication.

81% of hacking-related breaches used either stolen or weak passwords

Source: Verizon 2017 Data Breach Investigations Report

You can reduce your odds of being compromised by up to 99.9% by implementing multi-factor authentication (MFA).

Source: Microsoft 2018 Security Research

Advanced technologies are being put in place using biometrics, PINs, public/private key cryptography and Fast Identity Online (FIDO2). In this blog post, I will focus on FIDO2, an open authentication standard hosted by the FIDO Alliance, which consists of the W3C Web Authentication specification (WebAuthn API) and the Client to Authenticator Protocol (CTAP).

CTAP is an application-layer protocol used for communication between a client (browser) or a platform (operating system) and an external authenticator such as the YubiKey 5 Series and the Security Key Series by Yubico. Yubico is a core contributor to the FIDO2 open authentication protocol.

Enough with the theory, let’s move to the practical part. 

I bought the security key by Yubico from https://www.yubico.com/store/. The entry-level version costs $20. I received it within a week.

Then I followed these steps:

1) First, I went to yubico.com/start, where I clicked on the Security Key Series picture.

2) Second, I selected the app I wanted to apply passwordless authentication to from the list below:

3) I chose GitHub.

4) GitHub provides great documentation. Check out this link: https://help.github.com/en/articles/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key

5) I followed the steps and received the recovery codes in case I lose the physical key, and then I enabled SMS two-factor authentication.

6) In GitHub, I clicked on Settings, located in the parameter tab.

7) Then, in the security key section, I entered a nickname for the security key and clicked on ADD. At this point, I was asked to insert my security key into the USB port.

8) The next step was to touch the security key.

9) Finally, the key was registered.

10) I signed out of GitHub and tried to sign in again. The two-factor authentication screen directed me to click on Use security key.

11) I inserted the key and finally logged in to my GitHub account successfully.

MFA and passwordless are the future of IT security; companies must be aware of it and need to implement these technologies.

To be continued…

Azure Portal App – Preview

Microsoft has published a desktop client to access the Azure portal.

In the beginning, I thought this would be an app that only loads the web UI. However, after using it for a couple of days, it proved to deliver much better response times for loading the UI and blades than the web-based portal. This app also includes the Azure shell.

This app is still in preview and is available for download through the link below:
https://preview.portal.azure.com/app/Download

The download and setup process is easy: click on Download the Azure portal app and then follow the instructions.

Finally, log in to your Microsoft account.

Here’s a screenshot of the main interface

And another screenshot of the Azure shell.

So far, I haven’t noticed any bugs, but feel free to add a comment if you face any issues so that we can report them to Microsoft. 🙂

Azure Bastion – Automation using ARM Templates

In my previous article, I gave a quick guide to using the Azure Bastion service.

In this article, I will focus on how to automate the deployment of Azure Bastion using not only ARM templates but also HashiCorp Terraform.

So let’s get started with some definitions! 🙂

Azure Bastion, now in preview, is a managed PaaS that connects customers’ VMs via the Remote Desktop Protocol (RDP) and Secure Shell (SSH) network protocols, and it uses Secure Sockets Layer encryption in the process, Microsoft said. It’s inspired by bastion hosts and jump boxes, long a networking staple for companies that want to place dedicated gateways between the public internet and their private networks.

source: https://searchcloudcomputing.techtarget.com/news/252465418/Microsoft-Azure-Bastion-service-seeks-to-secure-VMs

What’s an ARM template?

ARM Templates, which stands for Azure Resource Manager templates, are a way to declare the objects you want, the types, names, and properties in a JSON file which can be checked into source control and managed like any other code file. ARM Templates are what gives us the ability to roll out Azure “Infrastructure as code”.

source: https://www.red-gate.com/simple-talk/cloud/infrastructure-as-a-service/azure-resource-manager-arm-templates/

ARM template Syntax

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "",
  "apiProfile": "",
  "parameters": {  },
  "variables": {  },
  "functions": [  ],
  "resources": [  ],
  "outputs": {  }
}

$schema, contentVersion, apiProfile, and resources are required elements. Below is a description of the different parts of the template:

parameters: Values that are provided when the deployment is executed to customize resource deployment.

variables: Values that are used as JSON fragments in the template to simplify template language expressions.

functions: User-defined functions that are available within the template.

resources (required): Resource types that are deployed or updated in a resource group or subscription.

outputs (optional): Values that are returned after deployment.

For more information, take a look at https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates

Now, let’s move to the ARM template to build the Azure Bastion.

In my git repository below, I uploaded two files:

https://github.com/makramjenayah/AzBastionARM

The first one is the template file, which contains the resources that will be created:

1- The public IP address.

2- The virtual network associated with the AZ bastion and its different subnets.

3- The Azure Bastion.

The second one contains the parameters needed to deploy the resources, which need to be customized.
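As an added example (not the template from the AzBastionARM repository above), the script below builds the same three resources as a Python dict, runs a few pre-flight checks, and dumps the result as a JSON template file. Resource names, address ranges, API versions and the output file name azuredeploy.json are assumptions chosen for illustration. The checks encode the required top-level elements described above, the fixed AzureBastionSubnet name and /27 minimum size that the Bastion service requires for its subnet, and the Standard-SKU, statically allocated public IP that a Bastion host needs.

```python
# Added example: build and pre-check an ARM template for Azure Bastion (not the post's AzBastionARM file).
# Names, address ranges and API versions below are assumptions chosen for illustration.
import ipaddress
import json

REQUIRED_TOP_LEVEL = ("$schema", "contentVersion", "resources")
BASTION_SUBNET_NAME = "AzureBastionSubnet"  # fixed subnet name the service requires
MIN_BASTION_PREFIX = 27                     # /27 or larger, i.e. prefix length <= 27
PIP_ID = "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIpName'))]"
VNET_ID = "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]"


def build_template(vnet_prefix="10.10.0.0/16", bastion_prefix="10.10.255.0/27"):
    """Return the ARM template as a dict; json.dumps() turns it into the template file."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "bastionName": {"type": "string", "defaultValue": "bastion-demo"},
            "vnetName": {"type": "string", "defaultValue": "vnet-demo"},
            "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
        },
        "variables": {
            "publicIpName": "[concat(parameters('bastionName'), '-pip')]",
            "bastionSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), 'AzureBastionSubnet')]",
        },
        "resources": [
            {   # 1 - public IP: Bastion needs the Standard SKU with static allocation
                "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2019-11-01",
                "name": "[variables('publicIpName')]", "location": "[parameters('location')]",
                "sku": {"name": "Standard"}, "properties": {"publicIPAllocationMethod": "Static"},
            },
            {   # 2 - virtual network with the dedicated Bastion subnet
                "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2019-11-01",
                "name": "[parameters('vnetName')]", "location": "[parameters('location')]",
                "properties": {
                    "addressSpace": {"addressPrefixes": [vnet_prefix]},
                    "subnets": [{"name": BASTION_SUBNET_NAME, "properties": {"addressPrefix": bastion_prefix}}],
                },
            },
            {   # 3 - the Bastion host, wired to the subnet and the public IP
                "type": "Microsoft.Network/bastionHosts", "apiVersion": "2019-11-01",
                "name": "[parameters('bastionName')]", "location": "[parameters('location')]",
                "dependsOn": [PIP_ID, VNET_ID],  # ARM creates these two first
                "properties": {"ipConfigurations": [{
                    "name": "bastionIpConfig",
                    "properties": {"subnet": {"id": "[variables('bastionSubnetId')]"},
                                   "publicIPAddress": {"id": PIP_ID}},
                }]},
            },
        ],
    }


def validate_template(tpl):
    """Pre-flight checks; returns a list of problems (empty when the template looks deployable)."""
    problems = [f"missing required top-level element '{k}'" for k in REQUIRED_TOP_LEVEL if k not in tpl]
    by_type = {}
    for res in tpl.get("resources", []):
        by_type.setdefault(res.get("type"), []).append(res)

    # The Bastion subnet must carry the fixed name and be /27 or larger.
    subnets = [s for v in by_type.get("Microsoft.Network/virtualNetworks", [])
               for s in v.get("properties", {}).get("subnets", [])]
    bastion_subnets = [s for s in subnets if s.get("name") == BASTION_SUBNET_NAME]
    if not bastion_subnets:
        problems.append(f"no subnet named {BASTION_SUBNET_NAME}")
    for sub in bastion_subnets:
        prefix = sub.get("properties", {}).get("addressPrefix", "")
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            problems.append(f"{BASTION_SUBNET_NAME} has an invalid addressPrefix '{prefix}'")
            continue
        if net.prefixlen > MIN_BASTION_PREFIX:
            problems.append(f"{BASTION_SUBNET_NAME} is /{net.prefixlen}; it must be /{MIN_BASTION_PREFIX} or larger")

    # The public IP must be Standard SKU and statically allocated.
    for pip in by_type.get("Microsoft.Network/publicIPAddresses", []):
        if pip.get("sku", {}).get("name") != "Standard":
            problems.append(f"public IP {pip.get('name')} must use the Standard SKU")
        if pip.get("properties", {}).get("publicIPAllocationMethod") != "Static":
            problems.append(f"public IP {pip.get('name')} must be statically allocated")

    # Without a bastionHosts resource the template deploys only networking.
    if not by_type.get("Microsoft.Network/bastionHosts"):
        problems.append("no Microsoft.Network/bastionHosts resource")
    return problems


if __name__ == "__main__":
    issues = validate_template(build_template())
    if issues:
        raise SystemExit("\n".join(issues))
    with open("azuredeploy.json", "w") as fh:  # assumed output file name
        json.dump(build_template(), fh, indent=2)
```

Run it with python3 and paste the written azuredeploy.json into the portal editor in the deployment steps that follow, or call validate_template() on a hand-written template loaded with json.load() to catch the subnet and public IP mistakes before the deployment is submitted.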

Now, let’s deploy the template.

  1. To deploy a customized template through the portal, select Create a resource, search for “template”, and then select Template deployment.
  2. Select Create.
  3. You see several options for creating a template; choose Build your own template in the editor to create a template using the portal template editor. The editor can add a resource template schema.
  4. Select Edit template to explore the portal template editor. The template is loaded in the editor.
  5. Make a minor change to the template. For example, replace {{changeIT }} with your subscription id.
  6. Select Save. Now you see the portal template deployment interface. Notice the two parameters that you defined in the template.
  7. Enter or select the property values:
  • Subscription: select an Azure subscription.
  • Resource group: select Create new and give it a name.
  • I agree to the terms and conditions stated above: (select)

Finally, click on Purchase and your Azure Bastion will be deployed.

I hope this article gives you an overview and a quick start for deploying an ARM template. Stay tuned for my next article, where I will focus on how to deploy Azure Bastion using Terraform.

Azure Bastion – The Guide

You don’t want to assign a public IP to each virtual machine on Azure? You want a secure way to manage your VMs? This article will help you implement the brand new Azure service that gives you a private, fully managed way to access your VMs directly from the Azure portal, in your browser, over SSL.

So let’s start with some theory. Azure Bastion is advantageous in many ways:

  • RDP and SSH sessions over SSL on port 443 via the Azure portal, so you will be able to access your VMs from any modern browser.
  • Azure Bastion is fully managed by Microsoft, which means you will no longer need to manage network security groups (NSGs) and many other administrative tasks.
  • Your VMs are protected against port scanning.
  • No need to assign a public IP to your Azure VMs.

The Architecture as designed by Microsoft:

Azure Bastion is currently in public preview and limited to a few regions:

  • West Europe
  • West US
  • East US
  • South Central US
  • Australia East
  • Japan East

To participate, click on the link below:

https://aka.ms/BastionHost

After the theory, let’s answer the question: how do you deploy Azure Bastion?

First, you will need to deploy the service in your virtual network (a subnet called AzureBastionSubnet of at least /27 must be created):

Second, since it’s natively integrated, the platform will automatically detect whether Azure Bastion is deployed on your virtual machine’s virtual network, and in the Connect menu you will get Bastion as a connection option.

Now you can enter your username and password to log in. This opens a web-based RDP session over SSL in the Azure portal.

As previously mentioned in this article, there is no need to have a public IP address assigned to your virtual machine.

I hope this article gives you an overview of Azure Bastion. If you want to know more, check out the Microsoft documentation. If you have any questions or feedback, feel free to leave a comment or contact me.

In my next article, I will explain how to automate the deployment of Azure Bastion using ARM templates and Terraform.

Welcome to Makram.cloud!

Hello,

I’m starting a new blogging experience to share my experience around cloud and automation.

In this blog, I will share with you, on a weekly basis, content and information related to cloud subjects:

  • Move to cloud & Load Migration
  • Automation [ Red Hat Ansible Tower, OO .. ]
  • Public Cloud Provider [ GCP, Azure, AWS, Oracle ]
  • Containers [ Kubernetes, Docker ]

Stay Tuned!