Category Archives: Microsoft

Database connection error using MySql in Azure App Service

Well, if you’ve gone full speed ahead using the preview of MySql in Azure App Service you’ve noticed that it doesn’t work. WordPress gives you the “Error connecting to database” error.

To fix it you’ll need to add the following application setting to your web app.

Key: WEBSITE_MYSQL_ARGUMENTS
Value: --default_password_lifetime=0

Click “Save” and you’re all done.


What is Azure Resource Manager anyway?

When we talk about Azure there’s always a lot of mentioning of “ARM” or “Classic”. “Oh, are you running in classic mode? You should migrate it to ARM instead”. If you have no idea what ARM is or what it can do for you, you usually just nod your head and your life continues anyway. But not knowing about ARM in the year 2016 could be bad. It makes your life easier! It makes your resources more secure! You can decide who can deploy what! Michael Jackson did a song called “Bad”! (Oh, sorry about that, couldn’t help myself.)

Azure Service Manager

The OLD way of deploying resources to Azure is usually referred to as “Classic”, the more technical name is “Azure Service Manager” or ASM for short. In ASM when you deployed for example a virtual machine it looked like this:

Azure Service Manager VM deployment

This deployment had a mandatory “Cloud Service” acting as a container for the VM. It could also have an external IP address with a load balancer. When running in ASM-mode you needed to add your co-workers as co-admins on your subscription. This gave them the same rights as the owner except removing the above mentioned owner of course. But they could effectively add / delete any kind of resources in the subscription. Sounds dangerous, right? Well, ARM to the rescue!

Azure Resource Manager

Azure Resource Manager, ARM, brings the power of resource providers. They do just that, provide resources. There are a bunch of different ones and you can list them and see their status for your subscription using PowerShell.

Registered providers in a subscription.

Of course you could unregister providers if you don’t want to be able to deploy resources from a specific provider. This effectively lets the subscription owner make sure that only allowed resource types are deployed. In the same fashion you can register providers if you want to deploy resources.

Terminology

There are a bunch of different terms to keep track of to follow this discussion.

We have:

  1. Resource – This could be a VM, nic, vnet, public ip or another entity. A resource can only be a member of one resource group. One.
  2. Resource group – A resource group is a container of resources. This could be resources of the same type or different types. They could belong to the same application, or not.
  3. Resource provider – The resource provider provides resources of a specified type. For example “Microsoft.Compute” provides computing resources and “Microsoft.Network” provides, you guessed it, networking resources.

The picture below shows one resource group with different resources in the same resource group. This could be a web app for example, letting the developer deploy the application as one entity.

OR

You could have the resources in different resource groups. For example if you have DBAs managing your databases, the Windows or Linux admins managing your virtual machines and your storage guys or gals managing storage.

Resource group with app or resources.

How you decide to group your resources is totally up to you. When deciding you also must take into account if you’re going to have one or multiple subscriptions, and if you’re going to use Role Based Access Control (RBAC) to secure access to your resources or resource groups.

You can find more information about ARM at https://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/

Role Based Access Control (RBAC)

Another benefit of using ARM is that it supports RBAC right out of the box. This means that you can apply different roles on resources or resource groups, effectively managing who can do what to your resources. For example you could have one resource group containing virtual machines, where only a specific group of users would be able to delete these. Or imagine a web app where a defined set of developers would be able to deploy code to your application but not edit any other settings.

RBAC – assigning users or groups to different roles.

More reading on the subject of RBAC can be found at https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/ or https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-what-is/.
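The two controls described above, put together as an added example (not code from the original post): report registered resource providers that are not on an allow list, and grant a developer group deploy rights scoped to one resource group. It uses the AzureRM module; the group name and resource group name are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureRM module
# and a logged-in session; 'web-developers' and 'rg-webapp-prod' are placeholders.
function Get-UnexpectedProviders {
    param([string[]]$Allowed)
    # Providers every ARM subscription relies on; never unregister these
    $core = 'Microsoft.Resources', 'Microsoft.Authorization', 'Microsoft.Features'
    Get-AzureRmResourceProvider -ListAvailable |
        Where-Object { $_.RegistrationState -eq 'Registered' -and (($Allowed + $core) -notcontains $_.ProviderNamespace) } |
        Select-Object ProviderNamespace, RegistrationState
}

function Grant-RgDeployRights {
    param([string]$GroupName, [string]$ResourceGroupName, [string]$Role = 'Website Contributor')
    # Assign to an AAD group rather than individual users so the assignment stays auditable
    $group = Get-AzureRmADGroup -SearchString $GroupName | Select-Object -First 1
    if (-not $group) { throw "AAD group '$GroupName' not found" }
    # Scope is the resource group: the role grants nothing elsewhere in the subscription
    New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $Role -ResourceGroupName $ResourceGroupName | Out-Null
    # Return what is now effective at that scope, for review
    Get-AzureRmRoleAssignment -ResourceGroupName $ResourceGroupName |
        Select-Object DisplayName, RoleDefinitionName, Scope
}

Login-AzureRmAccount | Out-Null

# 1. Anything registered beyond the list should be reviewed
#    (Unregister-AzureRmResourceProvider -ProviderNamespace <name> removes it)
Get-UnexpectedProviders -Allowed 'Microsoft.Compute', 'Microsoft.Network', 'Microsoft.Storage', 'Microsoft.Web' |
    Format-Table -AutoSize

# 2. Developers may deploy to the web app's resource group and nothing more
Grant-RgDeployRights -GroupName 'web-developers' -ResourceGroupName 'rg-webapp-prod' |
    Format-Table -AutoSize
```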

Conclusion (or executive summary)

Azure Resource Manager lets you create resources from different providers. Grouping these into resource groups will let you see the cost per group on your bill. You can also assign different roles to either single resources or to all resources in a resource group. If you would like to you can also assign different policies to different resource types, effectively blocking who can do what to which resource. The resources come from resource providers; these can be registered/unregistered, which removes the ability to create any kind of resource from that specific provider.

Getting Azure logs into your SIEM

When running different resources in Microsoft Azure, these resources together with Azure Resource Manager create log files of different events. A resource could be a virtual machine, SQL database or storage account for example. These resources are provided by the resource manager, which also creates events based on actions on these resources. An event could be write, delete or update for example.

The Azure Resource Manager

This video explains how the Azure Resource Group model works:

A short explanation of the resource provider can be found at https://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/ and if you’re running workloads in classic mode you can find an explanation of the differences at https://azure.microsoft.com/en-us/documentation/articles/resource-manager-deployment-model/.

Enabling logging to storage account

To get the log files to your SIEM system you’ll need to enable logging to either a storage account or an event hub. A storage account is easier to manage and will let you use the Azure Log integrator. If you look at your resources (in the pictures I have a virtual machine and a web app) you can enable logging to a storage account.

Enabling diagnostics logging from a virtual machine to a storage account. Note the various levels of logging you can select.
Logging to a storage account from a web app.

Your workloads will start saving their logfiles to your storage account when you’ve saved the settings.

Getting the logs from Azure to your SIEM

That was the easy part. Now getting the logs from Azure storage to your SIEM requires some wizardry. Thank god for the Azure Log Integrator then, to the rescue!

Tom Shinder did a great job writing a getting-started guide over at https://azure.microsoft.com/en-us/documentation/articles/security-azure-log-integration-get-started/. If you don’t like that one there’s another one: https://blogs.msdn.microsoft.com/azuresecurity/2016/07/21/microsoft-azure-log-integration-preview/.

Once you’ve configured your integration VM you’ll need to configure your SIEM. There’s a guide available for various systems available at https://blogs.msdn.microsoft.com/azuresecurity/2016/08/23/azure-log-siem-configuration-steps/.


Running WordPress in Azure Webapp with Mysql

In August Microsoft launched the preview of Mysql in-app for Azure webapps. This means that you can enable Mysql in your webapp and you’ll get immediate access to a Mysql database within your application. Running WordPress, Joomla or any other PHP/Mysql-based CMS has never been easier. Please note that this is at the moment not for production workloads due to the single-instance database. Read the article for more information at https://azure.microsoft.com/sv-se/blog/mysql-in-app-preview-app-service/.

So how do you get it up and running?

Create a new webapp.


Name your webapp and if you don’t have one, create an App Service Plan.


Once deployment is finished we need to edit some settings.

Switch to PHP 5.7, and turn off ARR. Click Save.


The magic of turning on MySql is up next. Click “on” and if you’re just testing, don’t touch the logging settings. Click “Save”.


Now you’ll need to head over to WordPress.org and download the package. Save it on your computer and unzip the files. You’ll also need an FTP client. Assuming you’re running Windows you can grab Filezilla for free.

Edit your deployment credentials if you don’t know them.


Check the portal for your FTP hostname and enter the corresponding values in your FTP client.


When the upload is done you can use the brand new editor to change wp-config-sample.php.


You need to delete some code and paste in the following code:

$connectstr_dbhost = '';
$connectstr_dbname = '';
$connectstr_dbusername = '';
$connectstr_dbpassword = '';

// The MySQL in-app connection string is handed to PHP as the
// environment variable MYSQLCONNSTR_localdb; pick its parts apart.
foreach ($_SERVER as $key => $value) {
    if (strpos($key, "MYSQLCONNSTR_localdb") !== 0) {
        continue;
    }
    $connectstr_dbhost = preg_replace("/^.*Data Source=(.+?);.*$/", "\\1", $value);
    $connectstr_dbname = preg_replace("/^.*Database=(.+?);.*$/", "\\1", $value);
    $connectstr_dbusername = preg_replace("/^.*User Id=(.+?);.*$/", "\\1", $value);
    $connectstr_dbpassword = preg_replace("/^.*Password=(.+?)$/", "\\1", $value);
}

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', $connectstr_dbname);

/** MySQL database username */
define('DB_USER', $connectstr_dbusername);

/** MySQL database password */
define('DB_PASSWORD', $connectstr_dbpassword);

/** MySQL hostname : this contains the port number in this format host:port . Port is not 3306 when using this feature*/
define('DB_HOST', $connectstr_dbhost);
Remove the existing settings, paste the code and save.

Rename the file wp-config-sample.php to wp-config.php. This can be done in your FTP client.

Once done you can click your URL in the portal.

If you’ve done everything right so far you’ll see the WordPress installation guide.

Select your language.

Enter a username / password.

Once it’s done you can visit your site and you’re all done. Now you can apply a custom theme and fill your site with content.

Does it work? Well, this site runs in the exact same manner as the guide. So far, so good 🙂

Compare installed vs available Microsoft Azure PowerShell versions

When running Microsoft Azure PowerShell certain cmdlets and functions are only available in the latest version of Azure PowerShell. So how do you know if you have the latest version? Well, this snippet will check your currently installed version and then ask the Web Platform Installer for the available version. It’ll then display the version numbers, letting you know if you’re current or not.

Just paste the entire code snippet into your PowerShell-prompt or embed it and just call the function.

— Begin snippet —

function Get-WindowsAzurePowerShellVersion
{
[CmdletBinding()]
Param ()

## - CHECK INSTALLED VERSION
Write-Host "`r`nInstalled version: " -ForegroundColor 'Yellow';
(Get-Module -name "Azure" | Where-Object{ $_.Name -eq 'Azure' }) `
| Select Version, Name, Author | Format-List;

## - CHECK WEB PI FOR AVAILABLE VERSION
Write-Host "Available version: " -ForegroundColor 'Green';
[reflection.assembly]::LoadWithPartialName("Microsoft.Web.PlatformInstaller") | Out-Null;
$ProductManager = New-Object Microsoft.Web.PlatformInstaller.ProductManager;
$ProductManager.Load(); $ProductManager.Products `
| Where-object{
($_.Title -like "Microsoft Azure Powershell*") `
-and ($_.Author -eq 'Microsoft Corporation')
} `
| Select-Object Version, Title, Published, Author | Format-List;
};
Get-WindowsAzurePowerShellVersion

— End of snippet —


Using different pre-shared keys for Azure virtual network tunnels

I get loads of questions on Azure networking, some of them are good and others are just a lack of the will to RTFM. But this one actually had me trying it out because I wasn’t sure of the possibility.

The question was: Can you have different pre-shared keys on the tunnels in Azure?

Looking around I found lots of examples of multiple tunnels, but all with the same PSK (Pre-Shared Key).

No better way than trying then, is there?

The setup is three different virtual networks:

A-net, B-net and C-net.


There are four different local networks. A local network is a definition of the address range and gateway address that you use to connect a vnet to.

We’ve got:

A-BC-local (connecting A to B with multihop-routing to C)
A-net-local (connecting B to A)
C-AB-local (connecting C to B with multihop-routing to A)
C-net-local (connecting B to C)

So it’s A – B – C if you didn’t figure that out 🙂

A connected to A-BC-local.


B connected to both A and C.


C connected to B.


When they’re all configured they won’t connect, since the newly created gateways have automatically set PSKs. You’ll need to use PowerShell to set the PSK for each tunnel.

Set-AzureVNetGatewayKey -VNetName A-net -LocalNetworkSiteName A-BC-local -SharedKey 456
Set-AzureVNetGatewayKey -VNetName B-net -LocalNetworkSiteName A-net-local -SharedKey 456
Set-AzureVNetGatewayKey -VNetName B-net -LocalNetworkSiteName C-net-local -SharedKey 123
Set-AzureVNetGatewayKey -VNetName C-net -LocalNetworkSiteName C-AB-local -SharedKey 123

This will set the tunnel from a-b to 456 on both a-gw and b-gw. B to C will have 123.

Then connect the networks using

Set-AzureVNetGateway -VNetName A-net -LocalNetworkSiteName A-BC-local -Connect
Set-AzureVNetGateway -VNetName C-net -LocalNetworkSiteName C-AB-local -Connect

Conclusion: You can set your own PSK for each tunnel, no matter if it’s to on-premises or between networks in Azure.
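The same A – B – C setup with a randomly generated key per tunnel instead of 123/456, as an added example that is not part of the original post. It uses the classic (ASM) Azure module; the ConnectivityState property name in the final check is assumed from that module’s Get-AzureVNetConnection output.

```powershell
# Added example, not from the original post: one CSPRNG-generated PSK per
# tunnel, applied to both ends, then the tunnels are connected and checked.
# Vnet and local network names are the ones from the post above.
function New-TunnelPsk {
    param([int]$Bytes = 16)
    # 128 bits from the OS CSPRNG, hex-encoded so the key stays printable ASCII
    $buf = New-Object byte[] $Bytes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

# A tunnel is defined twice, once from each vnet toward the other side's local network site
$tunnels = @(
    @{ Name = 'A-B'; Ends = @(
        @{ VNet = 'A-net'; Site = 'A-BC-local' },
        @{ VNet = 'B-net'; Site = 'A-net-local' }) },
    @{ Name = 'B-C'; Ends = @(
        @{ VNet = 'B-net'; Site = 'C-net-local' },
        @{ VNet = 'C-net'; Site = 'C-AB-local' }) }
)

foreach ($t in $tunnels) {
    # Distinct key per tunnel: exposing one tunnel's key does not expose the other
    $psk = New-TunnelPsk
    foreach ($end in $t.Ends) {
        Set-AzureVNetGatewayKey -VNetName $end.VNet -LocalNetworkSiteName $end.Site -SharedKey $psk | Out-Null
    }
    Write-Host "Tunnel $($t.Name): key set on both ends (not displayed)"
}

# Bring the tunnels up from one end each, as in the post
Set-AzureVNetGateway -VNetName 'A-net' -LocalNetworkSiteName 'A-BC-local' -Connect | Out-Null
Set-AzureVNetGateway -VNetName 'C-net' -LocalNetworkSiteName 'C-AB-local' -Connect | Out-Null

# Check state per vnet; B-net should list both tunnels (property name assumed)
foreach ($v in 'A-net', 'B-net', 'C-net') {
    Get-AzureVNetConnection -VNetName $v |
        Select-Object @{ n = 'VNet'; e = { $v } }, LocalNetworkSiteName, ConnectivityState
}
```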

Connecting to your Azure site-to-site VPN over NAT

Creating a site-to-site connection to your Azure virtual network is desired in a lot of scenarios. Think hybrid cloud, new workloads, communicating with internal systems from Azure and so on. And in demo scenarios when you’re out travelling you might need that access too. Well, looking at the list of supported devices (below) we can find Windows RRAS for example.

Supported VPN devices: https://msdn.microsoft.com/en-us/library/azure/jj156075.aspx

And reading the guide (below) we’ll see how it’s actually done.

Configure Site-to-site VPN: https://msdn.microsoft.com/en-us/library/azure/dn133795.aspx

According to the last link you’ll need an external IPv4 that’s not behind NAT: “Obtain an externally facing IPv4 IP for your VPN device. This IP address is required for a site-to-site configuration and is used for your VPN device, which cannot be located behind a NAT.”

That last statement has been discussed quite a lot, and when you read the RFC (RFC 3715, http://tools.ietf.org/html/rfc3715) of course that IPsec connection will work over NAT. It’s just not supported by Microsoft, meaning that we can’t help you configure your firewall to allow passthrough, hence we want your gateway to be directly connected to the internet.

For IPsec to traverse your NAT you’ll need to forward some ports (often called port forwarding in your router).

IKE – UDP 500
Encapsulating Security Payload (ESP) – IP protocol 50
Authentication Header (AH) – IP protocol 51
IPsec NAT traversal – UDP 4500

My setup consists of a Telia router with an external IP of 78.72.172.xx, my internal ip range is 192.168.1.0/24. This is added as a local network in Azure.


I then create a new virtual network in Azure and create a dynamic gateway. This will be assigned an ip address.


After that I’ve installed a VM on my local network running Windows Server 2012 R2 and configured it with RRAS. If you download the VPN device configuration script from the Azure portal it’ll set everything up for you, including installing the role. I’ve also configured the port forwarding in my router.


As you can see in the screenshot above the rule “IPSEC_500” forwards all traffic to 192.168.1.150.

Once you have your port forwarding up and running you can have your RRAS server connect.


Give the portal some time (or refresh it) and it’ll show connected too.


I’ve deployed two VMs in Azure and turned off the firewall to be able to verify connectivity using ping.


In the screenshot above I’ve verified connectivity to 10.0.0.5 in Azure with ping, and I’ve done a traceroute. The timeout is from the Azure gateway, which doesn’t respond to ICMP. The internal address of the RRAS server can be seen in the lower window.

Note that this is unsupported by Microsoft – but works according to RFC.

TechDays 2014 – Session material

Here is, as promised (though later than stated), the session material from my Azure session at TechDays 2014. I blame my late posting on the fact that I actually fell off the stage…

In the file you’ll find the ppt presentation. You’ll also find 4 XML files for the network configuration in Azure. Note that these cannot be imported into your existing subscription if you already have networks configured, but on the other hand you can look at how I solved it with multiple networks or the multi-hop routing in files 3 and 4. In the PowerShell file you’ll find how to create a virtual machine with multiple network cards and how to configure Network Security Groups. Questions? Post them in the comments!

To brighten your day I can also offer the recording of my session, especially the fall. Skip to 12:55 in the video.

Presentation material: TechDays2014 presentation material

Creating and uploading your Azure RemoteApp template image

Creating and uploading the image for RemoteApp turned out to be a challenge for some odd reasons. For the script Upload-AzureRemoteAppTemplateImage.ps1 to work you need to make sure you fulfill the prereqs it needs. Which can be found if you read the script 😉

If Upload-AzureRemoteAppTemplateImage.ps1 fails for “odd” reasons you need to make sure that you’re running PowerShell as Admin and that you’re starting “Windows Azure PowerShell” or have the Azure module loaded.

Here’s my short list of what you need to do:

  • Create a new Hyper-V VM with a 40 GB fixed-size disk (dynamic is now supported too).
  • Install Windows Server 2012 R2 (only OS supported)
  • Install RDSH role and Desktop Experience feature (both needed)
  • Reboot (needed to make sure application installations are aware of RDS)
  • Login
  • Install the applications you want to publish to your users
  • From an elevated CMD, run “fsutil behavior set disableencryption 1” (disables EFS encryption of file system)
  • Reboot (makes sure EFS disable is written to registry)
  • Login
  • Run “sysprep /oobe /generalize /shutdown”

Once your machine is turned off you need to start PowerShell as administrator with the Azure cmdlets.

Run the script provided by the portal, find your VHD-file and you should be on your way!
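A pre-flight check for the list above, as an added example (not part of the original post or of Microsoft’s upload script): run it inside the template VM before sysprep, and the VHD check on the Hyper-V host afterwards. The registry value name is the one fsutil writes (NtfsDisableEncryption); the check that the file is .vhd rather than .vhdx, and the 40 GB limit, are assumptions taken from the list.

```powershell
# Added example, not from the original post. In-guest checks need the
# ServerManager module (present on Windows Server 2012 R2); the VHD check
# needs the Hyper-V module on the host. The VHD path is a placeholder.
function Test-RemoteAppTemplate {
    [CmdletBinding()]
    param()
    $r = @()

    # Only Windows Server 2012 R2 (NT 6.3, server product type) is supported
    $os = Get-CimInstance Win32_OperatingSystem
    $r += [pscustomobject]@{ Check = 'Windows Server 2012 R2'; Pass = ($os.Version -like '6.3.*' -and $os.ProductType -ne 1) }

    # RDSH role and Desktop Experience feature are both required
    foreach ($name in 'RDS-RD-Server', 'Desktop-Experience') {
        $f = Get-WindowsFeature -Name $name
        $r += [pscustomobject]@{ Check = "$name installed"; Pass = [bool]$f.Installed }
    }

    # "fsutil behavior set disableencryption 1" writes this value; it must be 1
    $fs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -ErrorAction SilentlyContinue
    $r += [pscustomobject]@{ Check = 'EFS disabled (NtfsDisableEncryption=1)'; Pass = ($fs.NtfsDisableEncryption -eq 1) }

    # The EFS switch only takes effect after a reboot: warn if it was set after the last boot
    $setAt = (Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem').LastWriteTime
    $r += [pscustomobject]@{ Check = 'Rebooted after disabling EFS'; Pass = ($setAt -lt $os.LastBootUpTime) }

    return $r
}

function Test-RemoteAppVhd {
    param([string]$Path)
    # Runs on the Hyper-V host once the VM has shut down from sysprep
    $vhd = Get-VHD -Path $Path
    [pscustomobject]@{
        Path   = $Path
        Format = $vhd.VhdFormat   # VHD expected (assumption: VHDX is not accepted)
        Type   = $vhd.VhdType     # Fixed or Dynamic, both accepted now
        SizeGB = [int]($vhd.Size / 1GB)
        Pass   = ($vhd.VhdFormat -eq 'VHD' -and $vhd.Size -le 40GB)
    }
}

# In the template VM:
Test-RemoteAppTemplate | Format-Table -AutoSize
# On the host, after shutdown:
# Test-RemoteAppVhd -Path 'C:\VMs\remoteapp-template.vhd' | Format-List
```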

Uploading the file.

The portal states the template status as “uploading”.

Connecting an Azure RemoteApp virtual network to a virtual network

So you finally got your trial approved for RemoteApp and thought you’d connect your RemoteApp virtual network to the rest of your infrastructure in Azure? Well, I stepped in that pile too. But solved it in the usual way, with PowerShell and the new multi-vnet Configuration ability.

You need at least one existing virtual network, and you need to configure a virtual network in the RemoteApp part of the portal.

Click RemoteApp -> Virtual Networks -> Create

Enter a name for your network and select region.


Enter the address space you want for your RemoteApp server(s) and the address space for your local networks. With local networks I mean either your on-premises network or the other networks you have defined in Azure. In my case I’ll be connecting my RemoteApp network to my other networks in Azure.


Enter the DNS-servers you want your RemoteApp server to receive from DHCP. This is so your applications can resolve your local hostnames, for SQL connectivity or any other type of traffic. You also need to specify the address of the VPN device. I’ve entered the address to my gateway in Azure. If you’re connecting multiple virtual networks you MUST select “Dynamic” for VPN gateway type. Static routing only works between two networks in Azure.


Network created, now waiting for VPN Configuration.


Now we’ll click on “Manage key” and copy the address for the gateway. You might as well copy the key to a notepad file while you’re at it.


Add your RemoteApp network as a local network in the “Networks” part of the portal. Specify the gateway address you just copied.


When it’s saved, export the network configuration from the portal. Open the XML file and edit the corresponding virtual network, adding a connection to your newly created “local” network. Mine is named RemoteAppVnet as you can see below.


Import your configuration to Azure. Networks -> New -> Network Services -> Import configuration


Once your information is imported you’ll see your new network as “Not connected” in the overview in the virtual network.

Open PowerShell (with the Azure cmdlets) and run the following two commands, substituting the vnet name, local network name and key for your values of course.
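The XML edit and the connect step done from PowerShell instead of by hand, as an added example that is not the post’s own script. It assumes the classic NetworkConfig.xml schema (namespace http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration), that the RemoteApp local network was already added in the portal as described above, and that the final two commands are the key and connect cmdlets of the ASM module; the file path, vnet name and key are placeholders.

```powershell
# Added example, not from the original post. Adds a LocalNetworkSiteRef for the
# RemoteApp local network under the existing vnet's <Gateway>, re-imports the
# config, sets the PSK from "Manage key" and connects.
$configPath    = 'C:\temp\NetworkConfig.xml'      # exported from Networks -> Export (placeholder)
$existingVNet  = 'MyVNet'                         # virtual network to connect from (placeholder)
$remoteAppSite = 'RemoteAppVnet'                  # local network created in the step above
$psk           = 'PASTE-KEY-FROM-MANAGE-KEY-HERE' # placeholder, never commit a real key

[xml]$cfg = Get-Content -Path $configPath
$nsUri = 'http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration'
$ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
$ns.AddNamespace('n', $nsUri)

# The local network must already be declared, otherwise the import is rejected
if (-not $cfg.SelectSingleNode("//n:LocalNetworkSite[@name='$remoteAppSite']", $ns)) {
    throw "Local network '$remoteAppSite' is not defined in $configPath"
}
$vnet = $cfg.SelectSingleNode("//n:VirtualNetworkSite[@name='$existingVNet']", $ns)
if (-not $vnet) { throw "Virtual network '$existingVNet' not found in $configPath" }

# Make sure <Gateway><ConnectionsToLocalNetwork> exists, then add the reference once
$gateway = $vnet.SelectSingleNode('n:Gateway', $ns)
if (-not $gateway) { $gateway = $vnet.AppendChild($cfg.CreateElement('Gateway', $nsUri)) }
$conns = $gateway.SelectSingleNode('n:ConnectionsToLocalNetwork', $ns)
if (-not $conns) { $conns = $gateway.AppendChild($cfg.CreateElement('ConnectionsToLocalNetwork', $nsUri)) }
if (-not $conns.SelectSingleNode("n:LocalNetworkSiteRef[@name='$remoteAppSite']", $ns)) {
    $ref = $cfg.CreateElement('LocalNetworkSiteRef', $nsUri)
    $ref.SetAttribute('name', $remoteAppSite)
    $conn = $cfg.CreateElement('Connection', $nsUri)
    $conn.SetAttribute('type', 'IPsec')
    [void]$ref.AppendChild($conn)
    [void]$conns.AppendChild($ref)
}
$cfg.Save($configPath)

# Import the edited configuration, set the same key on the Azure side, connect
Set-AzureVNetConfig -ConfigurationPath $configPath | Out-Null
Set-AzureVNetGatewayKey -VNetName $existingVNet -LocalNetworkSiteName $remoteAppSite -SharedKey $psk | Out-Null
Set-AzureVNetGateway -VNetName $existingVNet -LocalNetworkSiteName $remoteAppSite -Connect | Out-Null

# Tunnel state as seen from the existing vnet (property names assumed from the ASM module)
Get-AzureVNetConnection -VNetName $existingVNet | Select-Object LocalNetworkSiteName, ConnectivityState
```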


Once those are run your networks should be connected and all green!
