Azure Disk Encryption

**Updated post located here**

I deployed some VMs using both JSON and PowerShell and enabled Storage Service Encryption to encrypt data at rest. Now I want to enable Azure Disk Encryption (ADE) on these VMs as an extra level of security. In this post I will go over enabling Azure Disk Encryption with BitLocker on Windows Server. More information on Azure Disk Encryption, including encrypting Linux, can be found here.

There is a lot of information from Microsoft on configuring Disk Encryption. Most of it covered different methods, such as PowerShell or CLI, and different OS versions. This post sticks to the basics: encrypting an existing Windows OS, using the portal to get things started and PowerShell to do the encryption. Check out this link if you want more information on Azure Encryption options.

B-Series Azure VM’s Now Available

I took some time off to chase fish on Lake Minnetonka this week and missed Microsoft’s announcement that Azure B-Series VMs are now in preview. The fish were not cooperating so I’m posting about Azure instead. The significance of the B-Series VMs is their ability to “bank” CPU credits during times of low CPU usage and to use these credits during CPU spikes. This will be helpful for test servers that may be idle during off hours or application servers that have bursty workloads. Any opportunity to save money without impacting performance is good news to my ears.

Next, maybe dynamic RAM allocation???

LINK: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general

Azure RDP and Bitmap Caching

I had a problem this week when connecting to Azure VMs. When connecting by RDP, parts of the screen were blocked out by black squares and rectangles like the image below. This only happened when connected to Azure VMs; I did not have the problem with VMs in any of my other datacenters.


Azure VM and Internet Access

I recently worked on a project to deploy several VMs in Azure. One of the requirements for this was to block all internet access from the Azure VMs. This is a prudent step in securing an environment, preventing malicious code from web-based threats.

Update 1/2018 – Microsoft has implemented NSG Service Tags for storage and Azure SQL.  Information on that is located here.  Additional information and the opportunity to vote on adding other services can be found here.

To accommodate this, a Network Security Group (NSG) was created and applied to the VM Subnet.  Several rules were applied, including one similar to the picture below.  The rule simply blocked traffic from the VirtualNetwork out to the Internet on any source or destination port.

After the rule was put in place and tested, I began to set up the rest of the environment. Right away I ran into trouble: the VMs took up to 30 minutes to deploy and errored out with the message “New-AzureRmVm : Long Running Operation Failed with status ‘Failed’.

Static IP and Azure Resource Manager

If you deployed a VM using the new Resource Manager mode in Azure and need to find its IP and whether it is static, you may have run across the “Get-AzureVM” command as an option to retrieve IP information. This command is for “Classic” mode and won’t work in Resource Manager mode.

To get IP information, including the internal IP and whether it is set to dynamic or static, use this command:

Get-AzureRmNetworkInterface -name <NIC_Name> -ResourceGroupName <NIC_ResourceGroup>


Notice that this does not specify the VM Name, it specifies the NIC attached to the VM.  The output will give you the IP address and indicate if it is static or dynamic.