In the previous post we deployed an Application Gateway. In this one we'll host multiple sites on two test VMs: app1 and app2.

First we need to map the Application Gateway's public IP to our DNS (GoDaddy in my case).

I'll simulate publishing two sites. My domain is astrahome.xyz, so I created two host (A) records:

images.astrahome.xyz

text.astrahome.xyz

Then I simulated the images site on the app1 machine and the text site on app2.

Creating a backend pool for the images site

In the Application Gateway properties click Backend pools, then Add.

Under Targets select Virtual machine and add app1.

Creating a backend pool for the text site

Same as above; only the name is different.

Creating listeners

In the Application Gateway properties click Listeners, then Multi-site.

Create one multi-site listener for the text site (host name text.astrahome.xyz) and one for the images site (host name images.astrahome.xyz).

Creating rules

In the Application Gateway properties click Rules, then Basic, and create one rule per listener that binds it to the matching backend pool.

We should now be able to reach text.astrahome.xyz and images.astrahome.xyz through the Application Gateway.

Azure Application gateway

Posted: June 18, 2018 in Azure

Azure Application Gateway is a web traffic load balancer that lets you manage traffic to your web applications. It is a layer 7 load balancer, which means it works with web traffic only (HTTP/HTTPS/WebSocket).

In the Azure portal click New, then Application gateway.

A dedicated subnet is created for the Application Gateway (10.0.3.0/24).

Create an availability set and a public IP address.

Creating Backend Pool

Backend pools can be composed of NICs, virtual machine scale sets, public IPs, internal IPs, fully qualified domain names (FQDN), and multi-tenant back-ends like Azure Web Apps. Application Gateway backend pool members are not tied to an availability set.

In the resource group click the Application Gateway, then Backend pools. A default pool has been created; click on it.

In the Targets drop-down list select Virtual machine, then select the virtual machines (in this case there are two VMs: app1 and app2).

Health probes

Azure Application Gateway by default monitors the health of all resources in its back-end pool and automatically removes any resource considered unhealthy from the pool. Application Gateway continues to monitor the unhealthy instances and adds them back to the healthy back-end pool once they become available and respond to health probes.

Click Health probes (a default one is created alongside the Application Gateway).

For Host type 127.0.0.1; for Path type /index.txt.

On the app1 and app2 servers IIS is installed and an index.txt file is created under c:\inetpub\wwwroot. It is used as the "probe" to check backend server availability (HTTP response 200).

Content of index.txt:

This is server 1-on app1 machine

This is server 2-on app2 machine

Interval: configures the probe interval in seconds.

Timeout: defines the probe time-out for an HTTP response check.

UnhealthyThreshold: the number of failed HTTP responses needed to flag the back-end instance as unhealthy.

HTTP settings

Click the default HTTP settings and select the health probe and port.

When a user request is received, Application Gateway applies the configured rules to the request and routes it to a back-end pool instance. It then waits a configurable interval for a response from the back-end instance; by default this interval is 30 seconds. If Application Gateway does not receive a response from the back-end application within this interval, the user request receives a 502 error.
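To show how the pieces configured in this post and in the multi-site post above fit together (multi-site listeners selected by the Host header, basic rules binding a listener to a backend pool, and health probes with an UnhealthyThreshold that pulls a member until it answers 200 again), here is a small Python model of that behaviour. It is an added example written for this page, not Application Gateway's code or the author's; the pool and listener names and the probe results are constructed, and answering 404 for a host that no listener matches is the model's own choice.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    """One backend pool member plus the probe state the gateway keeps for it."""
    name: str
    failures: int = 0      # consecutive failed probes
    healthy: bool = True


class MultiSiteGateway:
    """Toy model of multi-site listeners, basic rules, backend pools and probes.

    Constructed for illustration; it is not how Application Gateway is built.
    """

    def __init__(self, unhealthy_threshold=3):
        # UnhealthyThreshold from the probe settings: failed probes before a
        # member is removed from rotation
        self.unhealthy_threshold = unhealthy_threshold
        self.pools = {}        # pool name -> list of Backend
        self.rules = {}        # listener host name -> pool name (basic rule)
        self._next = {}        # pool name -> round-robin cursor

    def add_pool(self, pool, members):
        self.pools[pool] = [Backend(m) for m in members]
        self._next[pool] = 0

    def add_listener(self, host, pool):
        """A multi-site listener is chosen by the request's Host header."""
        self.rules[host.lower()] = pool

    def probe(self, pool, results):
        """Feed one probe round: results maps member name -> HTTP status."""
        for backend in self.pools[pool]:
            if results.get(backend.name) == 200:
                backend.failures = 0
                backend.healthy = True
            else:
                backend.failures += 1
                if backend.failures >= self.unhealthy_threshold:
                    backend.healthy = False

    def route(self, host):
        """Return (status, backend name) for a request with the given Host."""
        pool = self.rules.get(host.lower())
        if pool is None:
            return 404, None   # model's choice for a host no listener matches
        healthy = [b for b in self.pools[pool] if b.healthy]
        if not healthy:
            return 502, None   # no healthy member: the 502 described above
        cursor = self._next[pool] % len(healthy)
        self._next[pool] = cursor + 1
        return 200, healthy[cursor].name


def demo():
    """Rebuild the two-site setup from the post with constructed probe results."""
    gw = MultiSiteGateway(unhealthy_threshold=2)
    gw.add_pool("images-pool", ["app1"])
    gw.add_pool("text-pool", ["app2"])
    gw.add_listener("images.astrahome.xyz", "images-pool")
    gw.add_listener("text.astrahome.xyz", "text-pool")
    before = gw.route("text.astrahome.xyz")
    for _ in range(2):                    # constructed: app2 fails /index.txt twice
        gw.probe("text-pool", {"app2": 503})
    during = gw.route("text.astrahome.xyz")
    gw.probe("text-pool", {"app2": 200})  # constructed: app2 recovers
    after = gw.route("text.astrahome.xyz")
    return before, during, after


if __name__ == "__main__":
    print(demo())
```

Run it and the text site answers, returns 502 while app2 has failed as many probes as the threshold allows, and answers again after one successful probe; a request for a host with no listener never reaches either pool.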

In the Application Gateway's Overview properties we can see its public IP.

Azure Log Analytics

Posted: June 16, 2018 in Azure

Log Analytics is part of Microsoft Azure’s overall monitoring solution. Log Analytics monitors cloud and on-premises environments to maintain availability and performance.

In the Azure portal, click New resource, then Activity Log Analytics.

Click Create New OMS workspace. Operations Management Suite (OMS) is a collection of cloud-based services for managing on-premises and cloud environments. All data collected by Activity Log Analytics is stored in the OMS repository, which is hosted in Azure.

After the resource is created, click the solution we just created.

Adding Azure Virtual Machine to OMS

Under Workspace data sources click Virtual machines.

Click Connect; it will take a few minutes to connect the VM to OMS.

From the Overview properties click OMS portal, then click Settings.

Click Data, then Windows Event Logs, and add the event logs you want OMS to monitor (in this case Application and System).

From the OMS properties click Log Search, then click All collected data.

After 15-20 minutes the "Event" type should appear, and the log types we specified will appear in OMS.

This script performs the following on EC2 instances whose Owner tag is missing or set to unknown/Unknown: instances without a TerminateOn tag are stopped and tagged with TerminateOn set to today plus 7 days; instances whose TerminateOn date is today have termination protection disabled (if it is enabled) and are terminated; instances whose TerminateOn date is still in the future are reported with the number of days remaining.

import boto3
from datetime import datetime
from dateutil.relativedelta import relativedelta

REGION = 'eu-west-1'
DATE_FMT = '%d/%m/%Y'

ec = boto3.client('ec2', REGION)
ec2 = boto3.resource('ec2', REGION)


def lambda_handler(event, context):
    # Dates are computed per invocation; at module level they would go stale
    # in a warm Lambda container
    now = datetime.now()
    today = now.strftime(DATE_FMT)
    date_after_week = now + relativedelta(days=7)

    # Instances with a missing Owner tag, or Owner set to unknown/Unknown
    instance_ids = []
    paginator = ec.get_paginator('describe_instances')
    for page in paginator.paginate():
        for reservation in page.get('Reservations', []):
            for instance in reservation['Instances']:
                instance_id = instance['InstanceId']
                # An instance with no tags at all has no 'Tags' key
                tags = {t['Key']: t['Value'] for t in instance.get('Tags', [])}
                if 'Owner' in tags and tags['Owner'] not in ('unknown', 'Unknown'):
                    continue
                instance_ids.append(instance_id)

                if 'TerminateOn' in tags:
                    # Compare the TerminateOn value with the current date
                    if tags['TerminateOn'] == today:
                        # Disable termination protection if it is enabled
                        attr = ec.describe_instance_attribute(
                            InstanceId=instance_id, Attribute='disableApiTermination')
                        if attr['DisableApiTermination']['Value']:
                            ec.modify_instance_attribute(
                                InstanceId=instance_id,
                                DisableApiTermination={'Value': False})
                        # Terminate this instance only, not every instance collected so far
                        ec.terminate_instances(InstanceIds=[instance_id])
                        print('terminated ' + instance_id)
                        # TODO: send email that the instance was terminated
                    else:
                        # Tell engineering in how many days the instance will be removed
                        terminate_on = datetime.strptime(tags['TerminateOn'], DATE_FMT)
                        days = (terminate_on - now).days
                        print(instance_id + ' will be removed in ' + str(days) + ' days')
                else:
                    # No TerminateOn tag yet: create it (today + 7 days) and stop the instance
                    ec2.create_tags(
                        Resources=[instance_id],
                        Tags=[{'Key': 'TerminateOn',
                               'Value': date_after_week.strftime(DATE_FMT)}])
                    ec.stop_instances(InstanceIds=[instance_id])
                    print('was shut down ' + instance_id)

    return instance_ids

Azure Key Vault

Posted: June 13, 2018 in Azure

Azure Key Vault is a secure secrets store in which we can keep passwords, connection strings and other pieces of information that your applications need in order to work. You want this information to be available, but also secured. Key Vault lets you create multiple secure containers, called vaults, which are backed by hardware security modules (HSMs).

To create a key vault, in Create a resource type key vault, then click Create.

Give it a name, specify the resource group and location, and click Create.

Once the vault is created click Secrets to add a new secret.

In this example I stored the storage account keys in the vault: first I copied the storage account keys, then pasted them into the vault. Optionally, activation and expiration dates can be specified.

Now we need to point our application to this Key Vault. I'm not a developer, so I created a fake (web) application for demonstration purposes.

Go to Azure Active Directory, App registrations, New application registration.

Give the application a name and specify its URL.

Once the application is created, go to its properties and click Keys.

Create a key and specify its expiration period.

Copy the key to the clipboard; you will use it in your code to connect to Key Vault.

Now we need to create a Key Vault access policy: go to the resource group, locate the Key Vault and click Access policies.

Click Add new, then Select principal, and select the application we created earlier.

Select the actions the application can perform against the vault; in this case it can only get secrets.

Now the web application can get the storage key from Key Vault.
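The post stops at "use the key in your code", so here is an added Python example (not the author's application or Microsoft's code) of what that code looks like: the registered application authenticates with its tenant id, client id and the key created under Keys, asks the vault for one secret, which is all the Get-only access policy allows, and honours the optional activation and expiration dates set on the secret. It assumes the azure-identity and azure-keyvault-secrets packages, credentials supplied through environment variables, and hypothetical vault and secret names; the two helper functions run without Azure at all.

```python
import os
import re
from datetime import datetime, timezone

# Key Vault names: 3-24 characters, letters, digits and hyphens, starting with a letter
VAULT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{2,23}$")


def vault_url(vault_name):
    """Build the vault's DNS name from the name chosen in the portal."""
    if not VAULT_NAME_RE.match(vault_name):
        raise ValueError(f"not a valid Key Vault name: {vault_name!r}")
    return f"https://{vault_name}.vault.azure.net/"


def secret_is_usable(not_before, expires_on, now):
    """Apply the activation/expiration window set on the secret in the portal.

    Key Vault stores these dates as attributes but still hands the value to a
    caller with Get permission, so the application has to check them itself.
    """
    if not_before is not None and now < not_before:
        return False
    if expires_on is not None and now >= expires_on:
        return False
    return True


def get_storage_key(vault_name, secret_name):
    """Read one secret the way the registered application does.

    Needs azure-identity and azure-keyvault-secrets, plus the tenant id, the
    application (client) id and the key from the app registration's Keys blade,
    read from the environment rather than pasted into the source.
    """
    from azure.identity import ClientSecretCredential
    from azure.keyvault.secrets import SecretClient

    credential = ClientSecretCredential(
        tenant_id=os.environ["AZURE_TENANT_ID"],
        client_id=os.environ["AZURE_CLIENT_ID"],
        client_secret=os.environ["AZURE_CLIENT_SECRET"],
    )
    client = SecretClient(vault_url=vault_url(vault_name), credential=credential)
    secret = client.get_secret(secret_name)   # the only operation the policy permits
    props = secret.properties
    if not secret_is_usable(props.not_before, props.expires_on,
                            datetime.now(timezone.utc)):
        raise RuntimeError(f"secret {secret_name!r} is outside its activation window")
    return secret.value


if __name__ == "__main__":
    # Hypothetical vault and secret names, not the ones from the post
    key = get_storage_key("astrahome-kv", "storage-account-key1")
    print("got a key of length", len(key))   # never print the key itself
```

Because the access policy grants only Get on secrets, a leaked application key lets an attacker read that secret but not list, set or delete anything in the vault; the client-side window check means a secret the administrator has expired in the portal stops being used even though the service still returns it.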

Installing SQL database in Azure

Posted: June 10, 2018 in Azure

From the Azure portal click SQL databases, New SQL database, then click Server, Create a new server, and enter the server name and credentials.

Select the pricing tier.

After the database is created go to Connection strings to see the string for connecting to the database.

Connecting to the database

In the database settings click Query editor (preview), then Login, and enter your credentials.

Enter a T-SQL query and click Run.

Firewall settings

On the SQL database click Overview, then Set server firewall.

Click Add client IP: a rule allowing connections from your local machine's IP address to the SQL database is added.
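Server-level firewall rules are IP ranges, and Add client IP creates the narrowest possible one (start and end address equal). As an added example that is not part of the original post, this Python snippet evaluates a rule set the way the server does (first matching range admits the client) and flags rules wider than a single address, including the 0.0.0.0 to 0.0.0.0 rule that represents "Allow Azure services and resources to access this server". The rule names and addresses are constructed sample data.

```python
import ipaddress

# Azure SQL represents "Allow Azure services and resources to access this server"
# as a rule whose start and end address are both 0.0.0.0
AZURE_SERVICES_RANGE = ("0.0.0.0", "0.0.0.0")


def matching_rule(client_ip, rules):
    """Return the name of the first server-level rule that admits client_ip, or None.

    rules is a list of (name, start_ip, end_ip) tuples, the columns shown on
    the Set server firewall blade.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, start, end in rules:
        if ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end):
            return name
    return None


def review_rules(rules):
    """Flag rules wider than the single-address rule that Add client IP creates."""
    findings = []
    for name, start, end in rules:
        if (start, end) == AZURE_SERVICES_RANGE:
            findings.append((name, "admits traffic from any Azure tenant, not only yours"))
            continue
        size = int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
        if size == 2 ** 32:
            findings.append((name, "admits every IPv4 address"))
        elif size > 1:
            findings.append((name, f"admits {size} addresses"))
    return findings


# Constructed sample rule set: the portal's Add client IP rule, an office range
# and the two broad rules the review is meant to catch
SAMPLE_RULES = [
    ("ClientIPAddress_2018-6-10", "203.0.113.7", "203.0.113.7"),
    ("office", "198.51.100.0", "198.51.100.255"),
    ("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
    ("everyone", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    print(matching_rule("203.0.113.7", SAMPLE_RULES))
    for name, why in review_rules(SAMPLE_RULES):
        print(f"{name}: {why}")
```

Running the review over an exported rule list is a quick way to spot a 0.0.0.0-255.255.255.255 rule someone added "temporarily" to get a connection working.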

Configuring Geo-Replication

Active geo-replication lets you configure up to four readable secondary databases in the same or different data center locations (regions). Secondary databases are available for querying and for failover if there is a data center outage or the primary database cannot be reached.

In the database settings click Geo-Replication. The current database's region is marked with a blue check mark; click any green circle where you want to create a read-only copy of the database. The next window will then appear.

SQL Server security settings

In the SQL server settings click Advanced Threat Protection, set Enable Advanced Threat Protection to On and save.

Click Storage details to configure retention.

Click Threat Detection types to select what you want to audit.

Masking data

If you want to hide the contents of a database column, in the database settings click Dynamic Data Masking.
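To see what the masking functions on that blade actually do to a result set before choosing one, here is an added Python simulation (not SQL Server's code or the author's) of the default(), email() and partial() masks applied to a constructed customer row. The row, column names and rules are made up for the example; how the partial() mask behaves on values shorter than prefix plus suffix is the simulation's own choice and was not verified against the engine.

```python
from datetime import date


def mask_default(value):
    """default(): full masking by data type, as Dynamic Data Masking applies it."""
    if value is None:
        return None
    if isinstance(value, str):
        return "X" * min(4, len(value))       # XXXX, or fewer X for shorter values
    if isinstance(value, (int, float)):
        return 0
    if isinstance(value, date):
        return date(1900, 1, 1)
    raise TypeError(f"no default mask for {type(value).__name__}")


def mask_email(value):
    """email(): keep the first letter and hide the rest as aXXX@XXXX.com."""
    return value[:1] + "XXX@XXXX.com"


def mask_partial(value, prefix, padding, suffix):
    """partial(prefix, padding, suffix): expose the first `prefix` and last
    `suffix` characters with `padding` in between. Values too short to fill
    the mask return only the padding here (the simulation's own choice)."""
    if len(value) <= prefix + suffix:
        return padding
    tail = value[-suffix:] if suffix else ""
    return value[:prefix] + padding + tail


def apply_masks(row, rules, user_can_unmask=False):
    """Rewrite one result row the way the engine does for a given login.

    Masking is applied at query time; a login holding the UNMASK permission
    (db_owner included) gets the unmasked row.
    """
    if user_can_unmask:
        return dict(row)
    return {col: rules[col](val) if col in rules else val for col, val in row.items()}


# Constructed sample row and masking rules (column names are made up)
SAMPLE_ROW = {
    "CustomerId": 7,
    "Email": "admin@astrahome.xyz",
    "CardNumber": "4111222233334444",
    "Phone": "+385911234567",
}
MASK_RULES = {
    "Email": mask_email,
    "CardNumber": lambda v: mask_partial(v, 0, "XXXX-XXXX-XXXX-", 4),
    "Phone": lambda v: mask_partial(v, 4, "XXXXXXX", 2),
}

if __name__ == "__main__":
    print(apply_masks(SAMPLE_ROW, MASK_RULES))
    print(apply_masks(SAMPLE_ROW, MASK_RULES, user_can_unmask=True))
```

Two caveats follow from the apply_masks model: the data is stored unmasked, so masking is not a substitute for encryption or for restricting who can query the table, and a login that can run arbitrary WHERE predicates against a masked column can still narrow down its value, so the masked login should have no more rights than it needs.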

Creating Elastic Pool

An elastic pool is a technique where you place multiple Azure SQL databases into a pool in which they all share resources. The pool is configured with a maximum and minimum amount of computing resources. Microsoft defines these available resources as a Database Throughput Unit, or DTU; in the case of elastic pools they are defined as an Elastic Database Throughput Unit, or eDTU. DTUs and eDTUs are calculated essentially the same way and are determined from measured disk reads, disk writes, processor time and transaction log flushes.

Again, click the SQL database, then from Overview click New pool.

Adding a database to the pool

Once the pool is created, click Configure, then Databases, and select the database.

Azure managed service identity lets application code connect to a storage account without providing credentials.

On the Azure VM click Configuration, then Managed service identity, select Yes and save.

As a result, a new extension is created on the VM.

Enabling Azure VM access to the storage account

On the storage account click Access control (IAM) and add a role assignment with these settings:

Role: Storage Account Key Operator Service Role

Assign access to: Virtual Machine

Subscription: your subscription

Resource group: select the resource group, then select the VM
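The post does not show the code that runs inside the VM, so here is an added Python example (not the author's code and not an Azure SDK) of the exchange the managed identity performs: a GET to the Instance Metadata Service token endpoint carrying the Metadata: true header, then the ARM listKeys call that the Storage Account Key Operator Service Role permits, authorised with the bearer token. No credential is stored anywhere in the code. The subscription id, resource group and account name are placeholders, and the transport is injectable so the constructed IMDS and ARM responses at the bottom let the flow run offline.

```python
import json
import urllib.parse
import urllib.request

# Instance Metadata Service endpoint the VM's managed identity gets tokens from
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
ARM_RESOURCE = "https://management.azure.com/"


def token_request(resource=ARM_RESOURCE, api_version="2018-02-01"):
    """URL and headers of the IMDS token request; no secret appears anywhere."""
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return IMDS_TOKEN_URL + "?" + query, {"Metadata": "true"}


def list_keys_url(subscription_id, resource_group, account, api_version="2019-06-01"):
    """ARM listKeys operation that the Storage Account Key Operator Service Role allows."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.Storage"
            f"/storageAccounts/{account}/listKeys?api-version={api_version}")


def http_json(method, url, headers):
    """Default transport: perform the request and decode the JSON body."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def fetch_storage_keys(subscription_id, resource_group, account, transport=http_json):
    """Get the storage account keys from inside the VM with its managed identity.

    transport(method, url, headers) -> dict lets the exchange be exercised offline.
    """
    url, headers = token_request()
    token = transport("GET", url, headers)["access_token"]
    body = transport("POST", list_keys_url(subscription_id, resource_group, account),
                     {"Authorization": "Bearer " + token})
    # The values are full-control account keys: handle them as secrets
    return {k["keyName"]: k["value"] for k in body["keys"]}


def fake_transport(method, url, headers):
    """Constructed responses in the shape IMDS and ARM return, for offline runs."""
    if url.startswith(IMDS_TOKEN_URL):
        assert method == "GET" and headers == {"Metadata": "true"}
        return {"access_token": "eyJ.constructed.token", "expires_on": "1529280000",
                "resource": ARM_RESOURCE, "token_type": "Bearer"}
    assert method == "POST" and headers["Authorization"] == "Bearer eyJ.constructed.token"
    return {"keys": [{"keyName": "key1", "value": "CONSTRUCTED-KEY-1", "permissions": "Full"},
                     {"keyName": "key2", "value": "CONSTRUCTED-KEY-2", "permissions": "Full"}]}


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own subscription, group and account
    keys = fetch_storage_keys("00000000-0000-0000-0000-000000000000", "rg-demo", "stdemo",
                              transport=fake_transport)
    print(sorted(keys))   # key names only; never print the key values
```

Two things to keep in mind when using this pattern: the keys it returns grant full control of the storage account, so keep them out of logs and rotate them, and if the application only needs blob or queue access, assigning the identity a data-plane storage role instead lets it request a storage-scoped token and never handle account keys at all.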