Random thoughts in my trials to learn the cloud (https://erleonard.me/feed.xml, generated 2023-12-28)
Eric Leonard: How to use GitHub Actions and Azure Active Directory Federated Identity (2023-06-05) https://erleonard.me/azure/github/GitHub-Actions-AAD
<p>GitHub Actions is a powerful tool for automating workflows and deploying applications to various platforms. One of the challenges of using GitHub Actions is how to securely authenticate and authorize access to Azure resources without exposing secrets or keys. Fortunately, there is a solution: using OpenID Connect (OIDC) tokens with Azure Active Directory Federated Identity.</p>
<p>In this blog post, I will show you how to set up Federated Identity using the Azure CLI and use it in a GitHub repository to securely deploy to Azure.</p>
<h2 id="what-is-federated-identity">What is Federated Identity?</h2>
<p>Federated Identity is a feature of Azure Active Directory that allows you to trust tokens issued by external identity providers, such as GitHub, and use them to access Azure resources. This way, you don’t need to store any secrets or keys in your GitHub repository or workflow, and you can leverage the existing identity and permissions of your GitHub account.</p>
<h2 id="how-does-it-work">How does it work?</h2>
<p>The basic steps are:</p>
<ol>
<li>Create an Azure Active Directory application and a service principal that can access your Azure resources.</li>
<li>Add a federated credential for the Azure Active Directory application that trusts GitHub as an OIDC provider.</li>
<li>Create a GitHub Actions workflow that requests an OIDC token from GitHub and uses it with the azure/login action to authenticate with Azure.</li>
</ol>
<h2 id="prerequisites">Prerequisites</h2>
<ul>
<li>A GitHub account</li>
<li>An Azure Subscription
<ul>
<li>You must have sufficient permissions to deploy resources and assign RBAC</li>
<li>You must have sufficient permissions to register an application with your Azure AD tenant</li>
</ul>
</li>
<li>Azure CLI - <a href="https://learn.microsoft.com/en-us/cli/azure/install-azure-cli">installation instruction</a></li>
<li>GitHub CLI - <a href="https://cli.github.com/">installation instruction</a></li>
</ul>
<h2 id="step-0-set-variables">Step 0: Set Variables</h2>
<p>Set the variables that the rest of this script uses to create the Azure Active Directory application and its federated credential, assign RBAC permissions in Azure and configure the GitHub workflow.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">GH_ENVIRONMENT</span><span class="o">=</span><span class="s2">""</span>
<span class="nv">GH_USERNAME</span><span class="o">=</span><span class="s2">""</span>
<span class="nv">GH_REPO</span><span class="o">=</span><span class="s2">""</span>
<span class="nv">GH_BRANCH</span><span class="o">=</span><span class="s2">""</span>
<span class="nv">GH_OIDC_NAME</span><span class="o">=</span>GitHub-<span class="nv">$GH_USERNAME</span>-<span class="nv">$GH_ENVIRONMENT</span><span class="nt">-OIDC</span>
<span class="nv">GH_ACTION_NAME</span><span class="o">=</span><span class="nv">$GH_USERNAME</span>-<span class="nv">$GH_REPO</span><span class="nt">-Actions</span>
<span class="nv">AZURE_TENANT_ID</span><span class="o">=</span><span class="si">$(</span>az account show <span class="nt">--query</span> tenantId <span class="nt">--output</span> tsv<span class="si">)</span>
<span class="nv">AZURE_SUBSCRIPTION_ID</span><span class="o">=</span><span class="si">$(</span>az account show <span class="nt">--query</span> <span class="nb">id</span> <span class="nt">-o</span> tsv<span class="si">)</span>
<span class="nv">AZURE_RESOURCEGROUP</span><span class="o">=</span><span class="s2">""</span>
</code></pre></div></div>
<h2 id="step-1-create-an-azure-active-directory-application-and-a-service-principal">Step 1: Create an Azure Active Directory application and a service principal</h2>
<p>You create an Azure Active Directory application and a service principal using the Azure CLI.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">app_id</span><span class="o">=</span><span class="si">$(</span>az ad app create <span class="nt">--display-name</span> <span class="nv">$GH_OIDC_NAME</span> <span class="nt">--query</span> <span class="s2">"appId"</span> <span class="nt">-o</span> tsv<span class="si">)</span>
az ad sp create <span class="nt">--id</span> <span class="nv">$app_id</span>
</code></pre></div></div>
<h2 id="step-2-add-a-federated-credential-for-the-azure-active-directory-application">Step 2: Add a federated credential for the Azure Active Directory application</h2>
<p>You add the federated credential for the Azure Active Directory application using the Azure CLI.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">postBody</span><span class="o">=</span><span class="s1">'{"name":"'</span><span class="k">${</span><span class="nv">GH_ACTION_NAME</span><span class="k">}</span><span class="s1">'", '</span><span class="se">\</span>
<span class="s1">'"issuer":"https://token.actions.githubusercontent.com", '</span><span class="se">\</span>
<span class="s1">'"subject":"repo:'</span><span class="k">${</span><span class="nv">GH_USERNAME</span><span class="k">}</span><span class="s1">'/'</span><span class="k">${</span><span class="nv">GH_REPO</span><span class="k">}</span><span class="s1">':ref:refs/heads/'</span><span class="k">${</span><span class="nv">GH_BRANCH</span><span class="k">}</span><span class="s1">'", '</span><span class="se">\</span>
<span class="s1">'"description":"A GH federated id for the '</span><span class="k">${</span><span class="nv">GH_USERNAME</span><span class="k">}</span><span class="s1">'/'</span><span class="k">${</span><span class="nv">GH_REPO</span><span class="k">}</span><span class="s1">'", '</span><span class="se">\</span>
<span class="s1">'"audiences":["api://AzureADTokenExchange"]}'</span>
az ad app federated-credential create <span class="nt">--id</span> <span class="nv">$app_id</span> <span class="nt">--parameters</span> <span class="s2">"</span><span class="k">${</span><span class="nv">postBody</span><span class="k">}</span><span class="s2">"</span>
</code></pre></div></div>
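<p>The <code class="language-plaintext highlighter-rouge">subject</code> string in the credential above is the only thing that decides which GitHub workflows may exchange their OIDC token for this identity, so it is worth building and checking it deliberately. The following is an added example, not code from the original post: it builds the subject for the branch case used above and, going beyond the post, for the tag, environment and pull_request triggers GitHub also issues tokens for, emits the same JSON body the post passes to <code class="language-plaintext highlighter-rouge">--parameters</code>, and shows that a literal credential is matched by exact string equality, so a branch-scoped subject does not cover other branches or environments. The owner, repository and branch values are constructed.</p>

```shell
#!/bin/sh
# Added example, not code from the original post. Constructs the GitHub OIDC
# subject claim, emits the federated-credential JSON body and checks a
# presented subject against the configured one the way a literal credential
# is matched: exact string equality, no wildcards.

GITHUB_ISSUER="https://token.actions.githubusercontent.com"
AZURE_AUDIENCE="api://AzureADTokenExchange"

# gh_subject KIND OWNER REPO [VALUE]
# Prints the sub claim GitHub puts in the OIDC token. KIND is one of
# branch, tag, environment or pull_request; VALUE is the branch, tag or
# environment name and is ignored for pull_request.
gh_subject() {
  kind=$1
  owner=$2
  repo=$3
  value=$4
  case "$kind" in
    branch)       printf 'repo:%s/%s:ref:refs/heads/%s\n' "$owner" "$repo" "$value" ;;
    tag)          printf 'repo:%s/%s:ref:refs/tags/%s\n' "$owner" "$repo" "$value" ;;
    environment)  printf 'repo:%s/%s:environment:%s\n' "$owner" "$repo" "$value" ;;
    pull_request) printf 'repo:%s/%s:pull_request\n' "$owner" "$repo" ;;
    *)            printf 'gh_subject: unknown kind %s\n' "$kind" >&2; return 1 ;;
  esac
}

# federated_credential_json NAME SUBJECT DESCRIPTION
# Prints the body expected by "az ad app federated-credential create --parameters",
# the same shape as the post's postBody. Values are assumed to contain no quotes.
federated_credential_json() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","description":"%s","audiences":["%s"]}\n' \
    "$1" "$GITHUB_ISSUER" "$2" "$3" "$AZURE_AUDIENCE"
}

# subject_matches CONFIGURED ACTUAL
# A literal federated credential has no wildcards: the token's sub claim must
# equal the configured subject byte for byte. Returns 0 when it would be accepted.
subject_matches() {
  [ "$1" = "$2" ]
}

# Demo with constructed values: trust only the main branch of example-org/example-repo,
# then see which token subjects that trust would accept.
main() {
  owner=example-org
  repo=example-repo
  configured=$(gh_subject branch "$owner" "$repo" main)
  federated_credential_json "$owner-$repo-Actions" "$configured" "federated id for $owner/$repo"
  for actual in "$(gh_subject branch "$owner" "$repo" main)" \
                "$(gh_subject branch "$owner" "$repo" feature/x)" \
                "$(gh_subject environment "$owner" "$repo" production)" \
                "$(gh_subject pull_request "$owner" "$repo")"; do
    if subject_matches "$configured" "$actual"; then
      printf 'accept  %s\n' "$actual"
    else
      printf 'reject  %s\n' "$actual"
    fi
  done
}

main
```

To scope the trust to the GitHub environment named in GH_ENVIRONMENT instead of a branch, use the environment form of the subject when building postBody.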
<h2 id="step-3-role-assignment">Step 3: Role Assignment</h2>
<p>Assign the Contributor role to the application's service principal, scoped to the Azure resource group, so the workflow can deploy only into that group and nowhere else in the subscription.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Role assignments need the service principal's object id; $app_id is the application (client) id</span>
<span class="nv">sp_object_id</span><span class="o">=</span><span class="si">$(</span>az ad sp show <span class="nt">--id</span> <span class="nv">$app_id</span> <span class="nt">--query</span> <span class="nb">id</span> <span class="nt">-o</span> tsv<span class="si">)</span>
az role assignment create <span class="se">\</span>
<span class="nt">--role</span> contributor <span class="se">\</span>
<span class="nt">--subscription</span> <span class="nv">$AZURE_SUBSCRIPTION_ID</span> <span class="se">\</span>
<span class="nt">--assignee-object-id</span> <span class="nv">$sp_object_id</span> <span class="se">\</span>
<span class="nt">--assignee-principal-type</span> ServicePrincipal <span class="se">\</span>
<span class="nt">--scope</span> <span class="s2">"/subscriptions/</span><span class="nv">$AZURE_SUBSCRIPTION_ID</span><span class="s2">/resourceGroups/</span><span class="nv">$AZURE_RESOURCEGROUP</span><span class="s2">"</span>
</code></pre></div></div>
<h2 id="step-4">Step 4: Store the IDs as GitHub secrets</h2>
<p>Add the Azure AD application (client) ID, the subscription ID and the tenant ID as repository secrets so the workflow can reference them. These are identifiers, not credentials; the OIDC token exchange is what authenticates the workflow.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gh secret <span class="nb">set </span>AZURE_CLIENT_ID <span class="nt">--app</span> actions <span class="nt">--body</span> <span class="nv">$app_id</span> <span class="nt">--repos</span> <span class="nv">$GH_USERNAME</span>/<span class="nv">$GH_REPO</span>
gh secret <span class="nb">set </span>AZURE_TENANT_ID <span class="nt">--app</span> actions <span class="nt">--body</span> <span class="nv">$AZURE_TENANT_ID</span> <span class="nt">--repos</span> <span class="nv">$GH_USERNAME</span>/<span class="nv">$GH_REPO</span>
gh secret <span class="nb">set </span>AZURE_SUBSCRIPTION_ID <span class="nt">--app</span> actions <span class="nt">--body</span> <span class="nv">$AZURE_SUBSCRIPTION_ID</span> <span class="nt">--repos</span> <span class="nv">$GH_USERNAME</span>/<span class="nv">$GH_REPO</span>
</code></pre></div></div>
<h2 id="step-5-create-a-github-actions-workflow-that-requests-an-oidc-token-from-github-and-uses-it-with-the-azurelogin-action">Step 5: Create a GitHub Actions workflow that requests an OIDC token from GitHub and uses it with the azure/login action</h2>
<p>You create a GitHub Actions workflow that requests an OIDC token from GitHub and uses it with the azure/login action to authenticate with Azure. The workflow should include the following steps:</p>
<ul>
<li>Set up permissions for requesting an OIDC token by adding <code class="language-plaintext highlighter-rouge">id-token: write</code> to your workflow</li>
<li>Set up permissions for actions/checkout by adding <code class="language-plaintext highlighter-rouge">contents: read</code> to your workflow</li>
<li>Request an OIDC token from GitHub and exchange it for an Azure login with the azure/login action, passing the client, tenant and subscription IDs from the secrets set in Step 4</li>
<li>Use other Azure actions or commands to interact with your Azure resources</li>
</ul>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">name</span><span class="pi">:</span> <span class="s">azure-oidc-test</span>
<span class="na">on</span><span class="pi">:</span>
  <span class="na">workflow_dispatch</span><span class="pi">:</span>
<span class="na">permissions</span><span class="pi">:</span>
  <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span>
  <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span>
<span class="na">jobs</span><span class="pi">:</span>
  <span class="na">build-and-deploy</span><span class="pi">:</span>
    <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span>
    <span class="na">steps</span><span class="pi">:</span>
      <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Az</span><span class="nv"> </span><span class="s">CLI</span><span class="nv"> </span><span class="s">login'</span>
        <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/login@v1</span>
        <span class="na">with</span><span class="pi">:</span>
          <span class="na">client-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_CLIENT_ID }}</span>
          <span class="na">tenant-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_TENANT_ID }}</span>
          <span class="na">subscription-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_SUBSCRIPTION_ID }}</span>
      <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Run</span><span class="nv"> </span><span class="s">Azure</span><span class="nv"> </span><span class="s">CLI</span><span class="nv"> </span><span class="s">commands'</span>
        <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span>
          <span class="s">az account show</span>
          <span class="s">az group list</span>
          <span class="s">pwd</span>
</code></pre></div></div>
<h2 id="conclusion">Conclusion</h2>
<p>Using OpenID Connect tokens with GitHub Actions and Azure Active Directory Federated Identity is a secure and convenient way to access your Azure resources without exposing any secrets or keys. You can leverage your existing GitHub identity and permissions, and enjoy the benefits of automated workflows and deployments.</p>
<p>I hope you found this blog post helpful. If you have any questions or feedback, please let me know in the comments below.</p>
<p>Eric.</p>
<h3 id="reference">Reference</h3>
<p><a href="https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure">Connect GitHub and Azure</a>
<a href="https://learn.microsoft.com/en-us/azure/active-directory/workload-identities/workload-identity-federation-create-trust-user-assigned-managed-identity">Create a trust relationship between a user-assigned managed identity and an external identity provider</a>
<a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure">Configuring OpenID Connect in Azure</a></p>
Eric Leonard: Microsoft Azure MVP Update (2019-07-06) https://erleonard.me/azure/MVPRenewwal
<p>July 1st is a day of joy and anxiety for me: I celebrate Canada Day with my family while constantly refreshing my inbox to see if I got renewed as a Microsoft MVP. I’m very proud and grateful to have received my 3rd Microsoft MVP award for Azure. This is a select group in Canada, where we are about 20, and I look forward to continuing to collaborate with them and the broader community.</p>
<p><img src="https://erleonard.me/assets/images/2020/2020-07-06-mvpaward.png" alt="mvpAward" /></p>
<p>Looking forward to adding another ring to my award.</p>
<p>Happy Canada Day!</p>
<p>Eric.</p>
Eric Leonard: Azure Blueprints: ISO27001 Shared Services (2019-03-16) https://erleonard.me/azure/AzureBlueprint-ISO27001
<p>This post is part of a series. The previous posts in the series can be found here:</p>
<ul>
<li><a href="http://erleonard.me/azure/AzureARMTemplates-SubstringFunction/">Azure Blueprints: Intro</a></li>
</ul>
<p>Microsoft recently released sample blueprints to help you accelerate configuring the foundation of Azure so that it meets your compliance needs. Part of the recent release was the sample blueprint for ISO 27001: Shared Services.</p>
<p>When configuring an enterprise environment that needs to meet compliance and regulatory needs, you will often deploy the hub and spoke model for IaaS and PaaS services. This is where the sample blueprint for ISO 27001: Shared Services fits as it gives you the starting blueprint to create your hub.</p>
<p>The blueprint is jam-packed with configurations to help you move things along.</p>
<h2 id="iso27001-shared-services">ISO27001: Shared Services</h2>
<p>Let’s take a quick view as to what is included in the blueprint:</p>
<p><strong>Azure Security Center</strong></p>
<ul>
<li>Configure Azure security center with the standard pricing tier.</li>
</ul>
<p><strong>Log Analytics</strong></p>
<ul>
<li>Create diagnostic storage account</li>
<li>Deploy Log Analytics workspace</li>
<li>Set default log data retention to 365 days</li>
</ul>
<p><strong>Networking</strong></p>
<ul>
<li>Deploy and configure Azure firewall</li>
<li>Deploy virtual network with IP range and subnets</li>
<li>Deploy network security group and application security groups</li>
<li>Set user-defined routes (UDR).</li>
</ul>
<p><strong>Virtual Machines</strong></p>
<ul>
<li>Deploy two active directory domain services servers</li>
<li>Deploy one jumpbox</li>
<li>Availability sets</li>
</ul>
<p><strong>Policy</strong></p>
<ul>
<li>Require blob encryption for storage accounts</li>
<li>Deploy Log Analytics Agent for Windows VMs</li>
<li>Deploy Threat Detection on SQL servers</li>
<li>Deploy SQL DB transparent data encryption</li>
<li>Allowed virtual machine SKUs</li>
<li>Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)</li>
<li>Deploy Log Analytics Agent for Linux VMs</li>
<li>Deploy network watcher when virtual networks are created</li>
<li>Enforce encryption on Data Lake Store accounts</li>
<li>Allowed locations</li>
<li>Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)</li>
<li>Enforce automatic OS upgrade with app health checks on VMSS</li>
<li>Allowed storage account SKUs</li>
<li>Deploy default Microsoft IaaSAntimalware extension for Windows Server</li>
<li>Allowed locations for resource groups</li>
</ul>
<p><strong>Key Vault</strong></p>
<ul>
<li>Deploy Azure key vault</li>
<li>Add secrets to key vault</li>
</ul>
<p>As I said, this blueprint is packed with stuff and is pure gold for anybody who is looking into how to start their blueprint journey.</p>
<p>In the next steps, we will create the blueprint based on the ISO27001: Shared Services sample, make no modifications and just deploy it to a blank subscription.</p>
<h2 id="create-and-edit-blueprint">Create and Edit blueprint</h2>
<ol>
<li>Go to the <a href="https://portal.azure.com">Azure Portal</a></li>
<li>Select <strong>All services</strong> and search for blueprints.</li>
<li>Under <strong>blueprint definitions</strong>, click <strong>+ create blueprint</strong>.</li>
<li>On the choose a blueprint page, select <strong>ISO 27001: Shared Services</strong> sample blueprint.</li>
<li>On the create blueprint page, enter the following information:
<ul>
<li>Enter a <strong>blueprint name</strong> and make sure it only includes letters, numbers or dashes.</li>
<li>Enter a description for the blueprint.</li>
<li>In <strong>definition location</strong>, select a management group or subscription.</li>
</ul>
</li>
<li>Once you have provided a name, description and location for your blueprint, select <strong>Save draft</strong>.</li>
<li>After your blueprint has been saved right-click on your blueprint and select <strong>Publish blueprint</strong>.</li>
<li>The <strong>Publish blueprint</strong> blade will appear and provide a version number, change notes and click <strong>Publish</strong>.</li>
</ol>
<p>You are now ready to assign your blueprint to a management group or subscription.</p>
<h2 id="assigned-blueprint">Assigned blueprint</h2>
<p>Assigning a blueprint follows almost the same steps as publishing one.</p>
<ol>
<li>Under <strong>blueprint definitions</strong>, right-click on the blueprint you have just created in the previous section, and select <strong>assign blueprint</strong>.</li>
<li>The <strong>Assign blueprint</strong> page will appear and enter the following information:
<ul>
<li>Assignment name: Enter a name</li>
<li>Location: Canada Central</li>
<li>Lock Assignment: select your lock preference. Since this is demo purposed, the lock assignment is set to “don’t lock”.</li>
<li>Managed Identity: System Managed</li>
</ul>
</li>
</ol>
<p>After Managed Identity come the blueprint parameters for the individual artifacts. I will only cover the ones I changed.</p>
<ul>
<li>Organization name: set a short company name</li>
<li>Log Analytics template
<ul>
<li>Service tier: PerGB2018</li>
<li>Location: Canada Central</li>
</ul>
</li>
<li>Virtual Network and Route Table template
<ul>
<li>Enable virtual network DDOS protection: false</li>
</ul>
</li>
<li>Key Vault template
<ul>
<li>Jumpbox admin ssh key or password: enter a password.</li>
<li>Domain admin password: enter a password.</li>
<li>AAD object ID: get the AAD object ID of the user that requires access to Key Vault.</li>
</ul>
</li>
<li>Jumpbox template
<ul>
<li>Key Vault resource id for jumpbox admin password: set to the following /subscriptions/<strong>subscription id</strong>/resourceGroups/<strong>org name</strong>-sharedsvcs-kv-rg/providers/Microsoft.KeyVault/vaults/<strong>org name</strong>-sharedsvcs-kv</li>
<li>Key Vault secret name for jumpbox admin password: must match the jumpbox username found in the Key Vault template section.</li>
</ul>
</li>
<li>Active Directory Domain Services template
<ul>
<li>Key Vault resource id for domain admin password: set to the following /subscriptions/<strong>subscription id</strong>/resourceGroups/<strong>org name</strong>-sharedsvcs-kv-rg/providers/Microsoft.KeyVault/vaults/<strong>org name</strong>-sharedsvcs-kv</li>
<li>Key Vault secret name for domain admin password: must match the domain username found in the Key Vault template section.</li>
</ul>
</li>
<li>Select <strong>Assign</strong> and the blueprint will apply to the subscription you selected.</li>
</ul>
<p>Once the template gets assigned, it will take a little while for it to deploy and you can check the provisioning state or the activity logs for updates on the deployment.</p>
<h2 id="lessons-learned">Lessons Learned</h2>
<p>When I originally deployed the template for the first time, it kept failing because I didn’t read carefully the section for Key Vault.</p>
<p>For the parameter “Key Vault secret name for domain (or jumpbox) admin password”, I kept entering the password I wanted, but this field needs to match the domain username found in the Key Vault template section.</p>
<p>Secondly, the blueprint failed on the first attempt when it is applying the DSC configuration for ADDS. I had to re-assign the blueprint another time for it to be successful.</p>
<p>Lastly, the Microsoft team really did a good job documenting the template at assignment time. If you are unsure of a parameter, hover the little information symbol for some useful information. Remember to be like Eric and read!</p>
<h2 id="whats-missing">What’s Missing</h2>
<p>The sample template is fantastic, but after the deployment I feel like there are a few things missing:</p>
<ol>
<li>There is no Azure Application Gateway deployed for ingress HTTP/S traffic.</li>
<li>Azure Backup is not deployed. All my conversations with people who take care of compliance, always ask about backups.</li>
</ol>
<h2 id="whats-awesome">What’s Awesome</h2>
<p>The ISO27001: Shared Services template is awesome but that’s not what makes it awesome, it’s the documentation. Microsoft included the control mapping documentation. You can find it here: <a href="https://docs.microsoft.com/en-ca/azure/governance/blueprints/samples/iso27001-shared/control-mapping">https://docs.microsoft.com/en-ca/azure/governance/blueprints/samples/iso27001-shared/control-mapping</a></p>
<p>In conclusion, I hope Microsoft continues developing sample blueprints, as I feel this can really help organizations accelerate the setup of their Azure foundation.</p>
Eric Leonard: Azure Blueprints: Intro (2019-03-15) https://erleonard.me/azure/AzureBlueprints
<p>Governance for any cloud is very important and it’s imperative to take the time to put in place the proper guardrails to secure, control cost and monitor. Guardrails are put in place to set the boundary but not to stop progress.</p>
<p>Azure Blueprints allow you to create those guardrails on subscriptions. Blueprints allow you to orchestrate new environments quickly that meet policy and compliance needs of the customer.</p>
<p>Blueprints are composed of multiple artifacts into a single blueprint. Artifacts can be policy assignments, role assignments, ARM templates and resource groups.</p>
<ul>
<li>
<p>Policy assignments let you assign an Azure policy or an initiative. Azure policies can be set to allow only certain resources to be deployed. This can be refined further for virtual machines by selecting only the approved VM sizes that you want to allow.</p>
</li>
<li>
<p>Role assignments are role-based access control that you can add an existing user or group to a role.</p>
</li>
<li>
<p>ARM templates are where you have the most flexibility because you can create resources. An example of using arm templates can be to create a log analytics workspace or networking resources that will be shared across workloads.</p>
</li>
<li>
<p>Resource groups are just that, resource groups; they let you create the structure you want for your environment.</p>
</li>
</ul>
<p>Let’s have a look at how we can create, edit, assign and delete a blueprint.</p>
<h2 id="create-and-edit-blueprint">Create and Edit blueprint</h2>
<ol>
<li>Go to the <a href="https://portal.azure.com">Azure Portal</a></li>
<li>Select <strong>All services</strong> and search for blueprints.</li>
<li>Under <strong>blueprint definitions</strong>, click <strong>+ create blueprint</strong>.</li>
<li>On the choose a blueprint page, select <strong>start with blank blueprint</strong>.</li>
<li>On the create blueprint page, enter the following information:
<ul>
<li>Enter a <strong>blueprint name</strong> and make sure it only includes letters, numbers or dashes.</li>
<li>Enter a description for the blueprint.</li>
<li>In <strong>definition location</strong>, select a management group or subscription.</li>
</ul>
</li>
<li>Select <strong>Next: Artifacts</strong>.</li>
<li>On the Artifacts page, add the policy assignments, role assignments, ARM templates and resource groups you want in the blueprint.</li>
<li>Once you are satisfied with your blueprint, select <strong>Save draft</strong>.</li>
</ol>
<h2 id="publish-blueprint">Publish blueprint</h2>
<p>Once you have finished making modifications to your blueprint, under <strong>blueprint definitions</strong>, right-click on your blueprint and select <strong>Publish blueprint</strong>.</p>
<p>The <strong>Publish blueprint</strong> blade will appear and provide a version number, change notes and click <strong>Publish</strong>.</p>
<p>You are now ready to assign your blueprint to a management group or subscription.</p>
<h2 id="assigned-blueprint">Assigned blueprint</h2>
<p>Assigning a blueprint follows almost the same steps as publishing one.</p>
<ol>
<li>Under <strong>blueprint definitions</strong>, right-click on the blueprint you have just created in the previous section, and select <strong>assign blueprint</strong>.</li>
<li>The <strong>Assign blueprint</strong> page will appear and enter the following information:
<ul>
<li>Subscription: Select a subscription</li>
<li>Assignment name: Enter a name</li>
<li>Location: select which Azure region you want to deploy to.</li>
<li>Blueprint definition version: select a version</li>
<li>Lock Assignment: select your lock preference. You can choose to not lock, create a read-only lock or a do not delete lock.</li>
<li>Enter the required parameters for the resources.</li>
<li>Select <strong>Assign</strong> and the blueprint will now apply to the subscription you picked.</li>
</ul>
</li>
</ol>
<p>That was a quick overview of how you can create, edit and assign blueprints to management groups or subscriptions. Keep in mind that Azure blueprints are still in preview.</p>
<p>In conclusion, Azure blueprints will make your governance journey much easier by orchestrating the deployments of new environments. But keep in mind that with any governance project the technical piece is always the smallest, and you will spend the bulk of your time trying to figure out your customer’s compliance and regulatory requirements.</p>
Eric Leonard: Error with Export Activity Log to storage account (2019-02-15) https://erleonard.me/azure/Error-Export-Activity-Log
<p>Activity log will write events that happen at the subscription level. There are 8 event categories: Administrative, Service Health, Resource Health, Alert, Autoscale, Recommendation, Security and Policy.</p>
<p>Depending on the security and compliance rules of your organization, you may need to keep Azure activity logs longer than the default 90-day retention period. You can extend this retention in a variety of ways, but for my needs I created a storage account, exported the activity log to it and set a retention period of 365 days (1 year).</p>
<p>The process is quite easy to do.</p>
<h2 id="export-activity-log">Export Activity Log</h2>
<ol>
<li>In the Azure portal go to Activity Log.</li>
<li>Click the button Export to Event Hub.</li>
<li>A new blade will appear.</li>
<li>Ensure the correct subscription is selected.</li>
<li>Select the appropriate regions.</li>
<li>Select Export to a storage account.</li>
<li>Select the appropriate storage account.</li>
<li>Set the retention period.</li>
<li>Click Save.</li>
</ol>
<h2 id="the-error">The Error</h2>
<p>Once I clicked Save, it immediately failed with this message.
<img src="https://erleonard.me/assets/images/2019/2019-02-15-ActivityLogExportError.png" alt="ActivityLogError" /></p>
<p>I clicked on the message and clicked on the related events text to get more information on this error as I had no idea why this was happening.</p>
<p>After some time had passed, I checked the resource providers and noticed that the monitoring provider (microsoft.insights) was not registered.
<img src="https://erleonard.me/assets/images/2019/2019-02-15-ResourceProvider.png" alt="ActivityLogError" /></p>
<p>I registered the provider and, once that completed, re-did the export activity log steps and it worked.</p>
<p>Not sure why the resource provider was not registered; the only thing I can come up with is that it was a new subscription.</p>
Eric Leonard: Azure in the Government of Canada (2018-12-05) https://erleonard.me/azure/Azure-In-GOC
<p><a href="https://www.meetup.com/Ottawa-IT-Professionals/">Ottawa IT professionals</a> is a new user group that Colin Smith and I started late this year and we had our first meetup on December 4th. We are trying something different that is less formal but gives an opportunity for everyone to meet, discuss, share challenges and accomplishments. Each meetup will have a topic but no set agenda.</p>
<p>Our first topic was about <a href="https://www.meetup.com/en-AU/Ottawa-IT-Professionals/events/256210368/">Azure in the Government of Canada</a>, a big subject to talk about for public cloud and the Federal public sector challenges they are facing. I thought it was especially important to talk about this since the Government of Canada journey into public cloud is so new and how this is an exciting time for anyone who works in the public sector to architect, develop, deploy and maintain cloud resources.</p>
<p>There are many challenges that I face as a Cloud Solution Architect working with public sector clients, but none are as challenging as the IT security rules and to be honest, I love it. How do you architect something that is modern but still follows the rules! This is what I spoke about.</p>
<p>I was happy to talk about securing workloads and the challenges I faced but was equally grateful to hear from others that have had the same challenges but found another solution that I had not thought of.</p>
<p>Sharing knowledge is a wonderful thing.</p>
<p>Eric.</p>
Eric Leonard: Azure DevOps Community launch: Ottawa Edition (2018-11-29) https://erleonard.me/azure/AzureDevOps-CommunityLaunch
<p>This week was the last event I organized for 2018 with my partner in crime Joel Hebert for the Azure DevOps Community launch here in Ottawa. We had a lot of excitement locally for this event and we more than doubled our initial estimated attendance, with just about 100 people coming in.</p>
<p>We had some amazing speakers at our event:</p>
<ul>
<li>Wes MacDonal / Keynote and demo</li>
<li>Tanya Janca / OWASP DevSlop: DevSecOps with Azure DevOps Pipelines</li>
<li>Frank Boucher / Build a complete CI/CD with Azure DevOps & Integrate GitHub In our Continuous Integration</li>
<li>Ahmed Al-Assad / Introduction to Git for Centralized Version Control users</li>
</ul>
<p><img src="https://erleonard.me/assets/images/2018/2018-11-29-AzureDevOps-CommunityLaunch.jpg" alt="EventPhoto" /></p>
<p>A successful event cannot happen without sponsors and a big thank you to our sponsors for the swag, catering and event space.</p>
<p><img src="https://erleonard.me/assets/images/Microsoft-logo.png" alt="Microsoft" height="50%" class="align-center" />
<img src="https://erleonard.me/assets/images/Syncfusion-logo.png" alt="Syncfusion" height="50%" class="align-center" />
<img src="https://erleonard.me/assets/images/Redgate-logo.png" alt="Redgate" height="50%" class="align-center" /></p>
<p>Organizing an event is a lot of hard work, and I must say it was odd for me not to speak at an event. But it was nice to sit back, enjoy the event and see everyone learning about the great new features in Azure DevOps.</p>
<p>Eric Leonard</p>
<h1 id="move-managed-disks-to-another-subscription">Move Managed Disks to another Subscription</h1>
<p>Published 2018-10-14T19:17:12+00:00 at <a href="https://erleonard.me/azure/ManagedDiskMove">https://erleonard.me/azure/ManagedDiskMove</a></p>
<p>I saw this question pop up on one of the distribution lists that I am part of, and I thought I would tackle it in this article: how to move a managed disk to another resource group or subscription.</p>
<p>Previously, moving a managed disk to another subscription required a complex set of steps performed in the Azure CLI or PowerShell. As of September 24, 2018 this process is no longer required: you can simply move the managed disk to another subscription or resource group through the portal.</p>
<p>Just follow these steps to enable the move.</p>
<h2 id="register-resource-provider-in-the-subscription">Register Resource Provider in the Subscription</h2>
<p>To be able to move managed disks to another subscription (or resource group) we will first need to register a resource provider:</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Register-AzureRmProviderFeature</span><span class="w"> </span><span class="nt">-FeatureName</span><span class="w"> </span><span class="nx">ManagedResourcesMove</span><span class="w"> </span><span class="nt">-ProviderNamespace</span><span class="w"> </span><span class="nx">Microsoft.Compute</span><span class="w">
</span></code></pre></div></div>
<p>The feature registration status needs to be “Registered” before continuing. To check the status, use the following command:</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Get-AzureRmProviderFeature</span><span class="w"> </span><span class="nt">-FeatureName</span><span class="w"> </span><span class="nx">ManagedResourcesMove</span><span class="w"> </span><span class="nt">-ProviderNamespace</span><span class="w"> </span><span class="nx">Microsoft.Compute</span><span class="w">
</span></code></pre></div></div>
<p>Once the feature shows “Registered”, you need to re-register the Microsoft.Compute resource provider, even if it was previously registered:</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Register-AzureRmResourceProvider</span><span class="w"> </span><span class="nt">-ProviderNamespace</span><span class="w"> </span><span class="nx">Microsoft.Compute</span><span class="w">
</span></code></pre></div></div>
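<p>The three commands above can be strung together so the script waits for the feature flag to reach “Registered” before it touches the provider, instead of re-running the check by hand. This is an added example, not from the original post; it uses the current Az module cmdlets (Register-AzProviderFeature, Get-AzProviderFeature, Register-AzResourceProvider, Get-AzResourceProvider), which replace the post’s AzureRm names, and assumes you have already signed in with Connect-AzAccount and selected the source subscription.</p>

```powershell
# Added example (not from the original post). Assumes an existing Az session
# (Connect-AzAccount) with the source subscription selected.
$featureName = 'ManagedResourcesMove'
$namespace   = 'Microsoft.Compute'

# Step 1: request the feature flag (no-op if it is already registered).
Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace | Out-Null

# Step 2: feature registration is asynchronous; poll until it flips to Registered.
$deadline = (Get-Date).AddMinutes(15)
do {
    $feature = Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace
    $state   = $feature.RegistrationState
    Write-Host "$featureName registration state: $state"
    if ($state -ne 'Registered') { Start-Sleep -Seconds 30 }
} while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)

if ($state -ne 'Registered') {
    throw "Feature $featureName did not reach 'Registered' within 15 minutes; check the subscription."
}

# Step 3: the provider must be (re-)registered after the feature, even if it
# was registered before, so the new capability is picked up.
Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null

# Confirm the provider itself is Registered before attempting the portal move.
Get-AzResourceProvider -ProviderNamespace $namespace |
    Select-Object -First 1 ProviderNamespace, RegistrationState
```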
<h2 id="test-move">Test Move</h2>
<p>In this example, I’m going to move a virtual machine with two managed disks and an availability set.</p>
<ol>
<li>Go to the <a href="https://portal.azure.com">Azure Portal</a></li>
<li>Navigate to the resource group where the target virtual machine is.</li>
<li>In the menu select <strong>Move</strong>, <strong>Move to another subscription</strong>
<img src="https://erleonard.me/assets/images/2018/2018-10-14-AzureRGmenu.png" alt="AzureRGmenu" /></li>
<li>Select the managed disk. In this example, I’m going to move the virtual machine with the managed disk, availability set and networking resources.
<img src="https://erleonard.me/assets/images/2018/2018-10-14-AzureSelectResourcesMove.png" alt="ManagedDiskMove" /></li>
<li>Click <strong>Ok</strong>.</li>
</ol>
<p>Once you click <strong>Ok</strong>, Azure validates the resources and moves the managed disks to the other subscription. The time this takes depends on how large the managed disks are.</p>
<p>Eric Leonard</p>
<h1 id="azure-site-to-site-vpn-with-cisco-meraki-vmx100">Azure Site to Site VPN with Cisco Meraki vMX100</h1>
<p>Published 2018-10-06T19:17:12+00:00 at <a href="https://erleonard.me/azure/cisco/CiscoMeraki">https://erleonard.me/azure/cisco/CiscoMeraki</a></p>
<p>The Cisco Meraki virtual MX can extend your physical MX deployment to Microsoft Azure in less than an hour through the same Meraki dashboard. The vMX100 with Auto VPN can easily connect your network with Azure.</p>
<p>Cisco Meraki’s virtual MX extends your physical MX deployment in minutes through the same
Meraki dashboard. vMX100 can be used as your SD-WAN and Auto VPN node to easily connect your
network with your Azure deployed services. Leveraging the power of the cloud, Cisco Meraki’s virtual
MX can configure, monitor, and maintain your VPN so you don’t have to.</p>
<h2 id="meraki-dashboard-steps">Meraki dashboard steps</h2>
<ol>
<li>Log in to the Cisco Meraki dashboard</li>
<li>Click on your current network; the list of existing networks expands. Select “create a new network”.</li>
<li>Enter a <strong>network name</strong>, set the network type to <strong>security appliance</strong> and then click on the <strong>create network</strong> button.
<img src="https://erleonard.me/assets/images/2018/2018-10-06-MerakiNewNetwork.png" alt="MerakiNewNetwork" /></li>
<li>Once you have created your network, you will be able to add the vMX to it.
<img src="https://erleonard.me/assets/images/2018/2018-10-06-MerakiAddvMX.png" alt="MerakiNewNetwork" /></li>
<li>After it’s added to your network, you will need to “Generate authentication token”. The token will be used when you perform your vMX deployment in Azure; treat it like a credential, since it enrolls the appliance into your dashboard.
<img src="https://erleonard.me/assets/images/2018/2018-10-06-MerakiGenerateToken.png" alt="MerakiNewNetwork" /></li>
</ol>
<h2 id="steps-prior-to-deployment-in-azure">Steps prior to deployment in Azure</h2>
<p><strong>PLEASE READ BEFORE YOU DEPLOY</strong></p>
<p>Deploying the Cisco Meraki vMX100 directly from the Azure Marketplace results in a <a href="https://docs.microsoft.com/en-us/azure/managed-applications/overview">Managed Application</a> resource in your resource group and the actual vMX100 deployment in a read-only managed resource group. To ensure you can successfully operate the vMX100 in the future, it is highly recommended that you create the virtual network yourself, in your own resource group, before deploying:</p>
<ul>
<li>Create a networking resource group and virtual network</li>
</ul>
<h2 id="azure-deployment-steps">Azure deployment steps</h2>
<ol>
<li>Select <strong>+ Create a resource</strong> in the upper-left corner of the Azure portal.</li>
<li>In the search box, type <strong>vMX100</strong>, hit <strong>Enter</strong> and select the <strong>Cisco Meraki vMX100</strong>.</li>
<li>Click <strong>Create</strong>.</li>
<li>Enter a <strong>VM name</strong>, <strong>Meraki Authentication Token</strong> (previously generated in the Meraki dashboard), <strong>resource group</strong> and <strong>location</strong>. Click <strong>Ok</strong>.
<img src="https://erleonard.me/assets/images/2018/2018-10-06-AzureVMX100Step1.png" alt="AzureVMX100" /></li>
<li>Select the appropriate <strong>virtual network</strong>, <strong>subnet</strong> and <strong>VM size</strong>. Click <strong>Ok</strong>.
<img src="https://erleonard.me/assets/images/2018/2018-10-06-AzureVMX100Step2.png" alt="AzureVMX100" /></li>
<li>Once validation has passed, click <strong>Ok</strong>.
<img src="https://erleonard.me/assets/images/2018/2018-10-06-AzureVMX100Step3.png" alt="AzureVMX100" /></li>
<li>Review the terms of use and privacy policy, click <strong>Create</strong>.
<img src="https://erleonard.me/assets/images/2018/2018-10-06-AzureVMX100Step4.png" alt="AzureVMX100" /></li>
</ol>
<h2 id="configure-auto-vpn">Configure Auto VPN</h2>
<ol>
<li>Verify that the vMX100 is showing online in the Meraki dashboard.</li>
<li>After verification is complete, go back to the Azure portal.</li>
<li>Select <strong>+ Create a resource</strong> in the upper-left corner of the Azure portal.</li>
<li>In the search box, type <strong>Route table</strong>, hit <strong>Enter</strong> and select the <strong>Route table</strong> from Microsoft.</li>
<li>Click <strong>Create</strong>.</li>
<li>Enter a <strong>name</strong> for the route table, a <strong>resource group</strong> and <strong>location</strong>. Click <strong>Create</strong>.</li>
<li>Once the route table is created, open it and add a route.</li>
<li>Enter a <strong>route name</strong>, the <strong>address prefix</strong> (this is your on-premises network), a <strong>next hop type</strong> of Virtual Appliance and the <strong>next hop address</strong>, which is the IP address of your vMX100.
<img src="https://erleonard.me/assets/images/2018/2018-10-06-AzureRoutes.png" alt="AzureRouteTable" /></li>
<li>Last step: under <strong>Subnets</strong>, associate the subnet where the vMX100 was created.</li>
</ol>
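<p>The route table steps above, done with Az.Network cmdlets instead of the portal, as an added example that is not part of the original post. The resource group, network and subnet names, the on-premises prefix and the vMX100 private IP are placeholders; it assumes an existing Connect-AzAccount session and that the networking resource group and virtual network were created before the vMX deployment, as recommended earlier.</p>

```powershell
# Added example (not from the original post). All names, prefixes and the IP
# below are placeholders; replace them with your own values.
$rgName       = 'rg-networking'   # resource group created before the vMX deployment
$location     = 'canadacentral'
$vnetName     = 'vnet-hub'
$subnetName   = 'snet-vmx'        # subnet the vMX100 was deployed into
$onPremPrefix = '10.0.0.0/16'     # your on-premises network (placeholder)
$vmxPrivateIp = '10.1.0.4'        # private IP of the vMX100 NIC (placeholder)

# One user-defined route: on-premises prefix -> next hop is the virtual appliance.
$route = New-AzRouteConfig -Name 'to-onprem-via-vmx' `
    -AddressPrefix $onPremPrefix `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress $vmxPrivateIp

$routeTable = New-AzRouteTable -Name 'rt-vmx' -ResourceGroupName $rgName `
    -Location $location -Route $route

# Associate the route table with the vMX subnet, keeping the subnet's existing prefix.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $routeTable | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify the route table contents: the on-prem prefix should point at the vMX IP.
Get-AzRouteTable -Name 'rt-vmx' -ResourceGroupName $rgName |
    Select-Object -ExpandProperty Routes |
    Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress
```

<p>Any other subnet whose workloads must reach on-premises through the vMX needs the same route table association; subnets without it keep Azure’s default system routes.</p>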
<h2 id="conclusion">Conclusion</h2>
<p>The Cisco Meraki vMX100 is a great and easy-to-configure network virtual appliance that provides Auto VPN between on-premises locations and Azure. If you have a multi-cloud implementation with Azure and AWS, it also makes things a whole lot easier to configure and manage.</p>
<p>Eric Leonard</p>
<h1 id="microsoft-cloud-transformation-series-lab-services">Microsoft Cloud Transformation Series: Lab Services</h1>
<p>Published 2018-07-14T19:17:12+00:00 at <a href="https://erleonard.me/azure/CloudTransformationSeries">https://erleonard.me/azure/CloudTransformationSeries</a></p>
<p><img src="https://erleonard.me/assets/images/2018/2018-07-14-CTS.jpg" alt="CloudTransformationSeries" height="50%" class="align-center" /></p>
<p>Join me and Microsoft to see how we can simplify your lab deployment with Azure Lab Services.</p>
<p>In some cases full control of the DevTest infrastructure may be desired, but most often it’s NOT! Join this webinar to learn how, using Azure Lab Services, you can:</p>
<ul>
<li>Create managed labs that don’t require you to create and maintain the lab and its resources</li>
<li>Set up a classroom lab</li>
</ul>
<p>The webinar will be held on July 24th from 1:00 PM - 2:00 PM EST.</p>
<p><a href="https://info.microsoft.com/ca-azureinfra-wbnr-fy18-07jul-24-bringfunbacktodevtest-mcw0007674_01registration-forminbody.html?wt.mc_id=AID719456_QSG_EML_256392" class="btn btn--info align-center">Register</a></p>
<p><strong>What is the Cloud Transformation Series?</strong></p>
<p>The Cloud Transformation Series is designed especially for our Canadian technology community, bringing monthly webinars that focus on key themes. It is an opportunity to keep current with the latest skills and updates; join us to see how we can help your organization transform using the power of Microsoft’s Cloud.</p>
<p>Eric Leonard</p>