
64 posts tagged with "Azure"


· 6 min read
Hasan Gural

Greetings! In the previous post, we created the Azure Virtual Network Manager resource. Now we will try to understand the concept of network groups and how to create them. In a nutshell, a Network Group is a collection of Virtual Networks; it is used to group Virtual Networks together. Once you have created a Network Group, you can add Virtual Networks to it statically or dynamically.

Let's start with the PowerShell Cmdlets for creating Network Groups. Hang on! We don't have virtual networks in our subscription yet. Let me share the PowerShell Cmdlets for creating Virtual Networks. I will create three Virtual Networks. You can carve out your own network map.

· 4 min read
Hasan Gural

Hey Folks, let's start diving into the Azure PowerShell module for creating the Virtual Network Manager resource. Initially, we will create the Azure Virtual Network Manager instance. The goal of the commands below is to have a Resource Group and a Virtual Network Manager in a region.

· 3 min read
Hasan Gural

Hey Friends, in this article series I am aiming to touch on the edge spots of the new Azure Virtual Network Manager. Many organizations run their services on Azure and have multiple virtual networks in a single subscription or across multiple subscriptions. There are different ways on Azure infrastructure to connect Virtual Networks, such as a Hub and Spoke or Mesh topology.

📄 Introducing Azure Virtual Network Manager (AVNM)

Azure Virtual Network Manager (AVNM) is a new feature and is in preview now. AVNM is a single pane of glass for your environment that solves the connectivity and management complexity if you have multiple Virtual Networks in your organization.

· 4 min read
Hasan Gural

Hello Folks, At some point, your organization will retrospectively analyze existing firewall rules due to security and compliance posture. Imagine that you’re using Azure Firewall in your organization to generate analytics reports for existing firewall rules requiring a bespoke solution. There are many ways that you can achieve these types of reports. I used to develop a tailored solution using PowerShell and KQL queries to fit that requirement, but it might be very complex if you would like to apply this solution to large-scale environments. Thankfully, Microsoft has announced a new Azure Firewall feature that allows us to generate that report quickly and natively. We now call that feature Azure Firewall Policy Analytics.

· 4 min read
Hasan Gural

Hello Folks, Welcome to the second part of the series. Previously, we discussed the fundamentals of session monitoring and management for Azure Bastion and how to get the active session and terminate the session using the REST API. In this article, we will talk about the PowerShell Function that we will use to manage the sessions. Let's get into it.

🌱Scaffolding the PowerShell Function

The Function name will be Remove-AzBastionActiveSessions and it will have the following parameters:

  • BastionNames (Array)
  • VMNames (Array)
  • SubscriptionId (String)

I tried to keep the parameters as simple as possible. The Function will have the following logic:

  • Iterates through the Bastion Hosts
  • Gets the active sessions for each Bastion Host
  • Filters the sessions based on the VM Names
  • Terminates the sessions

💻 The PowerShell Function

Function Remove-AzBastionActiveSessions {
    <#
    .SYNOPSIS
    Author: Hasan Gural - Azure MVP
    Version: BETA
    .DESCRIPTION
    There is no cmdlet in the Azure PowerShell module for terminating the active sessions of a Bastion Host. This function calls the Bastion REST API directly (getActiveSessions and disconnectActiveSessions) to terminate them.
    .NOTES
    The function needs an authenticated Az session (Connect-AzAccount). It acquires a bearer token with Get-AzAccessToken and sends the requests with Invoke-WebRequest.
    .EXAMPLE
    Remove-AzBastionActiveSessions -VMNames @("vm-01", "vm-03", "vm-02") -BastionNames @("bastion-vnt-0001","bastion-vnt-0003") -SubscriptionId $subscriptionId
    The function supports multiple VMs and Bastion Hosts. Just pass in the names of the VMs and Bastion Hosts and the subscription ID.
    You can run the function multiple times; sessions that were already terminated are simply no longer listed.
    #>
    [CmdletBinding()]
    param (
        [Parameter()]
        [array]
        $VMNames,

        [Parameter()]
        [array]
        $BastionNames,

        [Parameter()]
        [string]
        $SubscriptionId
    )

    # Select the target subscription when one is supplied; otherwise the current Az context is used.
    if ($SubscriptionId) {
        Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    }

    $header = @{
        "Content-Type" = "application/json"
        Authorization  = ("Bearer " + (Get-AzAccessToken).Token)
    }

    ForEach ($bastion in $BastionNames) {

        $getBastion = Get-AzBastion -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $bastion }

        if ($getBastion.ProvisioningState -eq "Succeeded") {

            $ResourceGroupName = $getBastion.ResourceGroupName
            $Location          = $getBastion.Location
            $SubscriptionId    = $getBastion.Id.Split('/')[2]
            $Name              = $getBastion.Name

            Write-Output "[INFO] - ---------------------------------"
            Write-Output "[INFO] - Bastion Host Name: $bastion "
            Write-Output "[INFO] - Resource Group: $ResourceGroupName"
            Write-Output "[INFO] - Subscription: $SubscriptionId"
            Write-Output "[INFO] - Location: $Location"
            Write-Output "[INFO] - ---------------------------------"

            $uri = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.Network/bastionHosts/$($Name)/getActiveSessions?api-version=2022-07-01"

            # getActiveSessions is a long-running operation: a 202 answer carries a Location header
            # that has to be polled until it returns 200 with the session list.
            $result = Invoke-WebRequest -Method Post -Uri $uri -Headers $header

            if ($result.StatusCode -eq 202) {
                # @() makes the indexing work whether Headers.Location is a string (Windows PowerShell)
                # or a string array (PowerShell 7).
                $getOperationActiveSessions = @($result.Headers.Location)[0]

                do {
                    Start-Sleep -Seconds 5 # Wait for the operation to finish retrieving the active sessions.
                    $result = Invoke-WebRequest -Method Get -Uri $getOperationActiveSessions -Headers $header
                } while ($result.StatusCode -eq 202)
            }

            # The operation result is { "value": [ ...sessions... ] }; keep only the session list.
            $getActiveSession = ($result.Content | ConvertFrom-Json).value

            if ($getActiveSession) {

                ForEach ($vm in $VMNames) {

                    $vmSessions = $getActiveSession | Where-Object { $_.targetHostName -eq $vm }

                    if (-not $vmSessions) {
                        Write-Output "[Error] - Active Session does not exist for the Virtual Machine: $vm"
                        continue
                    }

                    $taskCount = 1 # Task counter, restarted for every VM

                    ForEach ($session in $vmSessions) {

                        Write-Output "[TASK 1.$($taskCount)] - Retrieving the active sessions for $vm. Please wait."

                        # The VM may sit in a different resource group than the Bastion Host;
                        # the session itself reports the VM's resource group.
                        $getVM = Get-AzVM -ResourceGroupName $session.targetResourceGroup -Name $session.targetHostName -ErrorAction SilentlyContinue

                        if ($getVM.ProvisioningState -eq "Succeeded") {

                            $requestBody = @{
                                "sessionIds" = @($session.sessionId)
                            }

                            $uri = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.Network/bastionHosts/$($Name)/disconnectActiveSessions?api-version=2022-07-01"

                            $response = Invoke-WebRequest -Method Post -Uri $uri -Headers $header -Body (ConvertTo-Json $requestBody -Depth 10)

                            Write-Output "[TASK 1.$($taskCount)] - Terminating the active session for $vm. Please wait. This may take a while."
                            Start-Sleep -Seconds 5 # Give the Bastion Host time to tear the session down before the next request.
                        }
                        else {
                            Write-Output "[Error] - Virtual Machine $vm does not exist. Please check the name and try again."
                        }

                        $taskCount++
                    }
                }
            }
            else {
                Write-Output "[Error] - There is no active session for the Bastion Host: $bastion"
            }
        }
        else {
            Write-Output "[Error] - Bastion Host $bastion does not exist. Please check the name and try again."
            continue
        }
    }
}

🔌 Executing the Function

The Function will be executed as follows:


$params = @{
    VMNames        = @("vm-01", "vm-02") # Names of the Virtual Machines whose sessions you want to terminate
    BastionNames   = @("bastion-vnt-0001") # Names of the Bastion Hosts
    SubscriptionId = $subscriptionId
}

Remove-AzBastionActiveSessions @params

✨ Example Output

In the following example, we will terminate the active sessions for the Bastion Host bastion-vnt-0001 and the Virtual Machines vm-01 and vm-02. See the output below for active sessions before and after the execution of the Function.

[Image: active sessions on bastion-vnt-0001 before running the Function]

I have executed the PowerShell Function below and you can see that it terminated the active sessions.

[Image: active sessions on bastion-vnt-0001 after running the Function]

🚀 Conclusion

Imagine that you have one or more Bastion Hosts with multiple active sessions that you want to terminate. You can use the PowerShell Function that I have shared in this article. You can also schedule this function to run periodically to terminate the active sessions, which helps you avoid the Bastion Hosts running out of available sessions.

Thanks for reading this through. For more improvements, please let me know. I will be happy to hear your feedback.

· 3 min read
Hasan Gural

Hello Friends, Happy to see you again. In this article, I will briefly talk about Azure Bastion Session Management. In the first part of the series, I will go over the basics of session monitoring and management for Azure Bastion. Let's get into it.

💬What is Bastion's Session Management?

You might want to manage the sessions if you're using Azure Bastion. For example, you wish to terminate the session or view the session details and so forth. Session Management is a feature that allows you to manage active sessions or terminate the sessions. If you're already using Azure Bastion, you should be sending the logs to Log Analytics. If you're not, please do that as soon as possible. Log analytics can help to see the session details and Bastion Audit Logs. The Diagnostics Logs can be sent to Log Analytics and Storage Accounts so that you can view the session details.

🌱How to Manage Azure Bastion Sessions?

It is evident that you can manage the sessions from the Azure Portal, but the key point is that we would like to manage them from PowerShell. In order to do that, we will interact with the Azure Bastion REST API. When you skim through the Azure Bastion REST API, you will see that there are two endpoints: one is getActiveSessions and the other is disconnectActiveSessions.

🧑‍💻 Quick insight into the REST API endpoints

🔗 getActiveSessions

The GetActiveSessions endpoint is used to get the active sessions. It returns the list of active sessions. The endpoint is as follows:

Method: POST
"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/bastionHosts/{bastionHostName}/getActiveSessions?api-version=2022-07-01"

When you send a request to the endpoint, you will probably get the following response:

{
    "value": [
        {
            "sessionId": "sessionId",
            "startTime": "2019-1-1T12:00:00.0000Z",
            "targetSubscriptionId": "subid",
            "resourceType": "VM",
            "targetHostName": "vm01",
            "targetResourceGroup": "rg1",
            "userName": "user",
            "targetIpAddress": "1.1.1.1",
            "protocol": "SSH",
            "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm01",
            "sessionDurationInMins": 0
        }
    ]
}

Tip: The result of the GetActiveSessions endpoint is a list of active sessions. The sessionId is the unique identifier of the session. Generally, the endpoint returns responses 200 and 202. If the response is 202, it means that the request is accepted, and the session details will be returned later. Bear in mind that you will need to send the request again to get the session details.

🔗 disconnectActiveSessions

Method: POST
"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/bastionHosts/{bastionHostName}/disconnectActiveSessions?api-version=2022-07-01"

Once you get the session details, you can terminate the session by sending a request to the disconnectActiveSessions endpoint. When you send a request to the endpoint, you must send the sessionIds as a request body. The request body must be in the following format:

{
    "sessionIds": [
        "session1",
        "session2",
        "session3"
    ]
}
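To show what a defender does with the two endpoints together, here is an added example that is not part of the original post. It takes a getActiveSessions result in the shape documented above (the JSON is a constructed sample, not a real response), flags sessions that exceed a duration threshold or use a protocol outside an allow-list, and builds the disconnectActiveSessions request body for exactly those session IDs. The function names Get-BastionSessionToReview and New-BastionDisconnectBody, the threshold and the allow-list are this example's own choices, not Azure cmdlets or defaults.

```powershell
# Added example (not from the original post). Constructed sample in the shape of the
# getActiveSessions result; in practice this is the Content of the polled operation.
$sampleResult = @'
{
  "value": [
    {
      "sessionId": "00000000-0000-4000-8000-000000000001",
      "startTime": "2023-03-01T08:00:00.0000Z",
      "targetSubscriptionId": "subid",
      "resourceType": "VM",
      "targetHostName": "vm01",
      "targetResourceGroup": "rg1",
      "userName": "alice",
      "targetIpAddress": "10.0.1.4",
      "protocol": "SSH",
      "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm01",
      "sessionDurationInMins": 35
    },
    {
      "sessionId": "00000000-0000-4000-8000-000000000002",
      "startTime": "2023-02-28T20:15:00.0000Z",
      "targetSubscriptionId": "subid",
      "resourceType": "VM",
      "targetHostName": "vm02",
      "targetResourceGroup": "rg1",
      "userName": "svc-deploy",
      "targetIpAddress": "10.0.1.5",
      "protocol": "RDP",
      "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm02",
      "sessionDurationInMins": 740
    }
  ]
}
'@

function Get-BastionSessionToReview {
    # Returns the sessions that breach the policy: longer than $MaxDurationMinutes, or using a
    # protocol that is not on the allow-list. Each result carries the reasons it was flagged.
    # Function name, threshold and allow-list are this example's own assumptions.
    param (
        [Parameter(Mandatory)] [object[]] $Sessions,
        [int] $MaxDurationMinutes = 480,
        [string[]] $AllowedProtocols = @("RDP", "SSH")
    )

    foreach ($s in $Sessions) {
        $reasons = @()
        if ($s.sessionDurationInMins -gt $MaxDurationMinutes) {
            $reasons += "duration $($s.sessionDurationInMins) min exceeds $MaxDurationMinutes min"
        }
        if ($s.protocol -notin $AllowedProtocols) {
            $reasons += "protocol $($s.protocol) is not allowed"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SessionId    = $s.sessionId
                User         = $s.userName
                Target       = $s.targetHostName
                Protocol     = $s.protocol
                DurationMins = $s.sessionDurationInMins
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

function New-BastionDisconnectBody {
    # Builds the disconnectActiveSessions request body. Wrapping in @() keeps "sessionIds"
    # a JSON array even when a single session ID is passed.
    param ([Parameter(Mandatory)] [string[]] $SessionIds)
    @{ sessionIds = @($SessionIds) } | ConvertTo-Json -Depth 3
}

$sessions = ($sampleResult | ConvertFrom-Json).value
$flagged  = Get-BastionSessionToReview -Sessions $sessions -MaxDurationMinutes 480

$flagged | Format-Table -AutoSize

if ($flagged) {
    # This is the body to POST to .../disconnectActiveSessions?api-version=2022-07-01
    # for the flagged sessions only.
    New-BastionDisconnectBody -SessionIds $flagged.SessionId
}
```

With the constructed sample, the 35-minute SSH session passes and the 740-minute RDP session is the only one flagged, so the generated body carries a single session ID. Replace the sample with the Content of the polled getActiveSessions operation and the same two functions work on live data.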

It looks like the Azure Bastion REST API is pretty straightforward for newcomers. The tricky part is that you will need to send the request again to get the session details. I look forward to finishing the PowerShell part in the following article. We are getting closer to the end of the article. Stay tuned for the next part.

· One min read
Hasan Gural

Hello Friends,

As a member of MsHowto who leads the Microsoft Community in Turkey, we will deliver multiple sessions on Azure Global BootCamp 2022. You can check out my session below. Please visit the Eventbrite registration page:

https://www.eventbrite.com/e/global-azure-istanbul-2022-tickets-313124552967

I will talk about #Azure Arc-enabled Kubernetes. Don't forget to claim your ticket.

· 5 min read
Hasan Gural

Many organizations seek to understand the cost impact when they want to use Azure Defender for Cloud (ADfC). I have been working on price estimates when I need to enable Azure Defender for Cloud services for specific resources in a tenant. However, I developed a PowerShell script that estimates the overall cost according to the ADfC resource coverage per subscription, which does not include all estimation options.

Microsoft recently released a new Price Estimation Dashboard using the Azure Resource Graph and Resource metrics in order to provide a forecast for the candidate of ADfC Customers.

· 2 min read
Hasan Gural

Infrastructure as Code (IaC) is a crucial technique when you need to automate your environment end-to-end. If you're familiar with Terraform, you are probably familiar with the functionality of terraform plan. You might want the same capability before deploying Bicep or Azure Resource Manager templates; the what-if operation provides it. In order to have this functionality in your environment, you must have the Azure CLI or Azure PowerShell. What-if is supported for resource group, subscription, management group, and tenant-level deployments.

· 4 min read
Hasan Gural

If you haven't already used kind for deploying local Kubernetes clusters, I strongly suggest you explore it and use it for testing the Kubernetes cluster itself. In this article, I am not going to dive into the kind tool, because that is not what this article is intended to focus on. If you are willing to learn the kind tool, please search the blog and practise with it.

We will primarily focus on how we can connect a kind Kubernetes cluster to Azure Arc. As you know, this demonstration is not for production usage, but it will give you insights once you have connected a Kubernetes cluster to Azure Arc.