Techorama 2017

Wow! That’s all I can say about Techorama 2017. Antwerp was a really nice city, the hotel was great and the conference was impeccably planned! I only had one session this year, but if they let me come back I’ll submit a few more next year.

Met some old friends, hi Jörgen, Sander and Aleksandar. And some new fun people, like Chrissy (from Canada), (with wife), Rob and Jakob to mention a few.

The session went ok apart from applying a policy effectively blocking two demos… At least it shows that policies are in effect immediately and that they work.

My presentation can be found at!AtuW9qIbRPwdpZtfe5wrdhG3xotxwg

Database connection error using MySql in Azure App Service

Well, if you’ve gone full speed ahead using the preview of MySql in Azure App Service you’ve noticed that it doesn’t work. WordPress gives you the “Error connecting to database” error.

To fix it you’ll need to add some application settings on your application.

Value: –default_password_lifetime=0

Click “Save” and you’re all done.


What is Azure Resource Manager anyway?

When we talk about Azure there’s always a lot of mentioning of “ARM” or “Classic”. “Oh, are you running in classic mode? You should migrate it to ARM instead”. If you have no idea what ARM is or what it can do for you, you usually just nod your head and your life continues anyway. But not knowing about ARM in the year 2016 could be bad. It makes your life easier! It makes your resources more secure! You can decide who can deploy what! Michael Jackson did a song called “Bad“! (Oh, sorry about that, couldn’t help myself.)

Azure Service Manager

The OLD way of deploying resources to Azure is usually referred to as “Classic”, the more technical name is “Azure Service Manager” or ASM for short. In ASM when you deployed for example a virtual machine it looked like this:

Azure Service Manager VM deployment
Azure Service Manager VM deployment

This deployment had a mandatory “Cloud Service” acting as a container for the VM. It could also have an external IP address with a load balancer. When running in ASM-mode you needed to add your co-workers as co-admins on your subscription. This gave them the same rights as the owner except removing the above mentioned owner of course. But they could effectively add / delete any kind of resources in the subscription. Sounds dangerous, right? Well, ARM to the rescue!

Azure Resource Manager

Azure Resource Manager, ARM, brings the power of resource providers. They do just that, provide resources. There are a bunch of different ones and you can list them and see their status for your subscription using PowerShell.

Registered providers in a subscription.
Registered providers in a subscription.

Of course you could unregister providers if you don’t want to be able to deploy resources from a specific provider. This effectively lets the subscription owner make sure that only allowed resource types are deployed. In the same fashion you can register providers if you want to deploy resources.


There are a bunch of different terms to keep track of to follow this discussion.

We have:

  1. Resource – This could be a VM, nic, vnet, public ip or another entity. A resource group can only be a member of one resource group. One.
  2. Resource group – A resource group is a container of resources. This could be resources of the same type or different types. They could belong to the same application, or not.
  3. Resource provider – The resource provider provides resources of a specified type. For example “Microsoft.Compute” provides computing resources and “Microsoft.Network” provides, you guessed it, networking resources.

The picture below show one resource group with different resources in the same resource group. This could be a web app for example, letting the developer deploy the application as one entity.


You could have the resources in different resource groups. For example if you have DBA:s managing your databases, the Windows or Linux-admins manage your virtual machines and your storage guys or gals manage storage.

Resource group with app or resources.
Resource group with app or resources.

How you decide to group your resources is totally up to you. When deciding you also must take into account if you’re going to have one or multiple subscriptions, and if you’re going to use Role Based Access Control (RBAC) to secure access to your resources or resource groups.

You can find more information about ARM at

Role Based Access Control (RBAC)

Another benefit of using ARM is that is supports RBAC right out of the box. This means that you can apply different roles on resources or resource groups, effectively managing who can do what to your resources. For example you could have one resource group containing virtual machines, where only a specific group of users would be able to delete these for example. Or imagine a web app where a defined set of developers would be able to deploy code to your application but not edit any other settings.

RBAC - assigning users or groups to different roles.
RBAC – assigning users or groups to different roles.

More reading on the subject of RBAC can be found at or

Conclusion (or executive summary)

Azure Resource Manager lets you create resources from different providers. Grouping these into resource groups will let you see the cost per group on your bill. You can also assign different roles to either single resources or to all resources in a resource group. If you would like to you can also assign different policies to different resource types, effectively blocking who can do what to which resource. The resources come from resource providers, these can be registered/unregistered which will remove the ability to create any kind of resource from that specific provider.




Getting Azure logs into your SIEM

When running different resources in Microsoft Azure, these resources together with Azure Resource Manager creates logfiles of different events. A resource could be a virtual machine, SQL database or storage account for example. These resources are provided by the resource manager which also creates events based on actions on these resources. An event could be write, delete or update for example.

The Azure Resource Manager

This video explains how the Azure Resource Group model works:

A short explanation of the resource provider can be found at and if you’re running workloads in classic mode you can find an explanation of the differences at

Enabling logging to storage account

To get the logfiles to your SIEM system you’ll need to enable logging to either a storage account or an event hub. A storage account is easier to manage and will let you use the Azure Log integrator. If you look at your resources, in the pictures I have a virtual machine and a web app, you can enable logging to a storage account.

Enabling diagnostics logging from a virtual machine to a storage account. Note the various levels of logging you can select.
Logging to a storage account from a web app.

Your workloads will start saving their logfiles to your storage account when you’ve saved the settings.

Getting the logs from Azure to your SIEM

That was the easy part. Now getting the logs from Azure storage to your SIEM requires some wizardry. Thank god for the Azure Log Integrator then, to the rescue!

Tom Shinder did a great job writing a guide getting started over at If you don’t like that one there another one:

Once you’ve configured your integration VM you’ll need to configure your SIEM. There’s a guide available for various systems available at


Running WordPress in Azure Webapp with Mysql

In August Microsoft launced the preview of Mysql in-app for Azure webapps. This means that you can enable Mysql in your webapp and you’ll get immediate access to a Mysql database within your application. Running WordPress, Joomla or any other PHP/Mysql-based CMS have never been easier. Please note that this is at the moment not for production workloads due to the single-instance database. Read the article for more information at

So how do you get it up and running?

Create a new webapp.


Name your webapp and if you don’t have one, create an App Service Plan.


Once deployment is finished we need to edit some settings.

Switch to PHP 5.7, and turn off ARR. Click Save.


The magic of turning on MySql is up next. Click “on” and if you’re just testing, don’t touch the logging settings. Click “Save”.


Now you’ll need to head over to and download the package. Save it on your computer and unzip the files. You’ll also need an FTP client. Assuming you’re running Windows you can grab Filezilla for free.

Edit your deployment credentials if you don’t know then.


Check the portal for your FTP hostname and enter the corresponding values in your FTP client.


When the upload is done you can use the brand new editor to change wp-config-sample.php.



You need to delete some code and paste in the following code:

$connectstr_dbhost = '';
 $connectstr_dbname = '';
 $connectstr_dbusername = '';
 $connectstr_dbpassword = '';

foreach ($_SERVER as $key => $value) {
 if (strpos($key, "MYSQLCONNSTR_localdb") !== 0) {
 }$connectstr_dbhost = preg_replace("/^.*Data Source=(.+?);.*$/", "\\1", $value);
 $connectstr_dbname = preg_replace("/^.*Database=(.+?);.*$/", "\\1", $value);
 $connectstr_dbusername = preg_replace("/^.*User Id=(.+?);.*$/", "\\1", $value);
 $connectstr_dbpassword = preg_replace("/^.*Password=(.+?)$/", "\\1", $value);

// ** MySQL settings - You can get this info from your web host ** //
 /** The name of the database for WordPress */
 define('DB_NAME', $connectstr_dbname);

/** MySQL database username */
 define('DB_USER', $connectstr_dbusername);

/** MySQL database password */
 define('DB_PASSWORD', $connectstr_dbpassword);

/** MySQL hostname : this contains the port number in this format host:port . Port is not 3306 when using this feature*/
 define('DB_HOST', $connectstr_dbhost);
Paste the code and save
Rename the file wp-config-sample.php to wp-config.php. This can be done in your FTP client.
Once done you can click your URL in the portal.
If you’ve done everything right so far you’ll see the WordPress installation guide.
Select your language.
Enter a username / password.
Once it’s done you can visit your site and you’re all done. Now you can apply a custom theme and fill your site with content.
Does it work? Well, this site runs in the exact same manner as the guide. So far, so good 🙂

Register resource providers in Azure

These lines of PowerShell will help you register ALL resource providers in Azure in the selected subscription:

# Login

# List subscriptions

# Select subscription
Select-AzureSubscription -SubscriptionName “INSERT NAME HERE”

# List all providers and register (if you only want specific ones, you must run commands manually)
$providers = @(Get-AzureRmResourceProvider -ListAvailable)
foreach ($x in $providers) {

Register-AzureRmResourceProvider -ProviderNamespace $x.ProviderNamespace -Force
write-host $x.ProviderNamespace
Write-Host “Done!”

Creating a VPN gateway in Azure ARM using PowerShell

Spent a few days at a customer site building stuff. Needed some gateways in ARM (Azure Resource Manager) mode. The code below will create a gateway and all artifacts it depends upon.
Use at your own risk 🙂
# Start here
# Variables
$location01 = “West Europe”
$networkname01 = “AzNet”
$rgname01 = “AzNetRG”
# Azure Network Address Space (/27 for VM use. /29 for gateway use)
# Your Azure network MUST have a subnet named “GatewaySubnet”
# Create your network in the portal, make sure to add all address spaces and subnets before running script. Do NOT forget to add “GatewaySubnet”.
$localSubnets01 = @(“”, “”)
# Remote Network Address Space
$remotenetwork01 = @(“”)
# Remote Network Gateway IP
$RemoteGwIP01 = “”
# Remote Connection Gateway Name
$RemoteConnectionGwName = “RemGW”
# Remote Connection Name
$RemoteConnectionName = “RemConn”
$VNET01 = Get-AzureRMVirtualNetwork -Name $networkname01 -ResourceGroupName $rgname01
$gwSubnet01 = Get-AzureRMVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VNET01
# Create a new public IP address.
$gwIP01 = New-AzurermPublicIpAddress -Name ($networkname01 + “-gwip”) -ResourceGroupName $rgname01 -Location $location01 -AllocationMethod Dynamic
# Create VPN gateway configuration.
$gwConfig01 = New-AzurermVirtualNetworkGatewayIpConfig -Name ($RemoteConnectionName + “-gwconfig”) -SubnetId (Get-AzurermVirtualNetworkSubnetConfig -VirtualNetwork $VNET01 -Name GatewaySubnet).Id -PublicIpAddressId $gwIP01.Id
# Create gateway. This will take up to 40 minutes, so be patient.
$gw01 = New-AzurermVirtualNetworkGateway -Name ($networkname01 + “-gw”) -ResourceGroupName $rgname01 -Location $location01 -IpConfigurations $gwConfig01 -GatewayType VPN -VpnType RouteBased -Tag $tags
$localGw01 = New-AzurermLocalNetworkGateway -Name $RemoteConnectionGwName -ResourceGroupName $rgname01 -Location $location01 -GatewayIpAddress $RemoteGwIP01 -AddressPrefix $remotenetwork01
$AzureGW = Get-AzureRmVirtualNetworkGateway -Name ($networkname01 + “-gw”)  -ResourceGroupName $rgname01
$RemoteGW = Get-AzurermLocalNetworkGateway -Name $RemoteConnectionGwName -ResourceGroupName $rgname01
New-AzurermVirtualNetworkGatewayConnection -Name $RemoteConnectionName -ResourceGroupName $rgname01 -Location $location01 -VirtualNetworkGateway1 $AzureGW -LocalNetworkGateway2 $RemoteGW -ConnectionType IPsec -RoutingWeight 10 -SharedKey $sharedKey01
# End here

TechDays 2015 – Pre-conf and Azure Resource Manager

Just got an email confirming mine and Anders Bengtssons pre-conf for TechDays 2015, the “Azure IAAS Ninja Bootcamp”. We’ll teach you as much as you can consume about Azure IAAS during one day! I also got one session on Azure Resource Manager. ARM is by far the biggest leap in producing clean, nicely installed and repetitive environments in Azure. If you’re missing out on PowerShell and ARM along with DSC my guess is that you’ll be doing something else in the future!

Are you going to TechDays 2015 in Sweden?

Check out my sessions here:

And don’t forget to register:

Sometimes IT works