What is Azure Bastion?

Microsoft released an introduction video to Azure Bastion a couple of days ago and today a new post has gone live giving us all the details of Azure Bastion in its preview state.

First up, what is a Bastion? Often referred to as a jumpbox, jumphost or bastion host, it’s a server which provides access to a private network from an external network, most commonly the Internet. As they are exposed to potential attack, bastion hosts must be designed to minimise the risk of compromise. As this connectivity function is so widely used, bastions are quite common in the majority of environments. The alternative is to increase your perimeter exposure by allowing public access to your private resources directly. Little tip from me, please don’t do this!

However, managing and administering these hosts can be a complex and time consuming task. Thankfully, Microsoft have introduced a new PaaS based service, Azure Bastion, which allows managed, seamless access to VMs in your private network via RDP and SSH over SSL.

Azure Bastion

Azure Bastion is provisioned directly into a virtual network and provides the bastion host function and integrated connectivity to all virtual machines within that vnet, using RDP/SSH directly from and through your browser via the Azure Portal.

Microsoft list the following as key features available right now as part of the preview:

  • RDP and SSH from the Azure portal: Initiate RDP and SSH sessions directly in the Azure portal with a single-click seamless experience.
  • Remote session over SSL and firewall traversal for RDP/SSH: HTML5 based web clients are automatically streamed to your local device providing the RDP/SSH session over SSL on port 443. This allows easy and secure traversal of corporate firewalls.
  • No public IP required on Azure Virtual Machines: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using a private IP, limiting exposure of your infrastructure to the public Internet.
  • Simplified secure rules management: Simple one-time configuration of Network Security Groups (NSGs) to allow RDP/SSH from only Azure Bastion.
  • Increased protection against port scanning: The limited exposure of virtual machines to the public Internet will help protect against threats, such as external port scanning.
  • Hardening in one place to protect against zero-day exploits: Azure Bastion is a managed service maintained by Microsoft. It’s continuously hardened by automatically patching and keeping up to date against known vulnerabilities.
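The “simplified secure rules management” point above is worth seeing in practice: the one-time NSG configuration that lets RDP/SSH reach your VMs only from the Bastion subnet. The following is an added example of mine, not code from the original post or from Microsoft. It assumes the Az.Network module, an existing vnet named vnet-prod in resource group rg-prod with a workload subnet snet-workloads at 10.0.1.0/24 (all constructed names), and that the Bastion subnet, which Azure requires to be called AzureBastionSubnet, uses 10.0.255.0/27.

```powershell
# Added example (not from the original post): restrict RDP/SSH on a workload subnet so that
# only Azure Bastion can reach it. Names, prefixes and region below are constructed.
$rg          = 'rg-prod'
$location    = 'westeurope'
$vnetName    = 'vnet-prod'
$bastionCidr = '10.0.255.0/27'   # address prefix of the AzureBastionSubnet (constructed)

# Rule 1 (priority 100): allow RDP/SSH only when the source is the Bastion subnet.
# Bastion connects to the VM from a private IP in that subnet, so no public IP is needed on the VM.
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-SSH-From-Bastion' `
    -Description 'Management access only via Azure Bastion' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $bastionCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389,22

# Rule 2 (priority 200): explicitly deny RDP/SSH from the Internet service tag.
# NSG rules are evaluated from the lowest priority number upwards and the first match wins,
# so traffic that did not match rule 1 hits this deny before any broader allow rule.
$denyFromInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-SSH-From-Internet' `
    -Description 'Management ports are never reachable directly from the Internet' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389,22

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-workloads' -SecurityRules $allowFromBastion, $denyFromInternet

# Attach the NSG to the workload subnet so every VM placed there inherits the rules.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workloads' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: list the inbound rules in evaluation order to confirm the allow sits above the deny.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Where-Object Direction -eq 'Inbound' |
    Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange
```

The explicit deny at priority 200 is the part people tend to skip. Without it, a later “allow any” rule added for a different reason, or the default rules in some subnets, can quietly reopen 3389 and 22 to the Internet; with it, the management ports stay closed unless the source is the Bastion subnet.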

And they list the following as on the roadmap for future release:

The future brings Azure Active Directory integration, adding seamless single-sign-on capabilities using Azure Active Directory identities and Azure Multi-Factor Authentication, and effectively extending two-factor authentication to your RDP/SSH connections. We are also looking to add support for native RDP/SSH clients so that you can use your favorite client applications to securely connect to your Azure Virtual Machines using Azure Bastion, while at the same time enhance the auditing experience for RDP sessions with full session video recording.

There are a couple of things to note as the service is in preview. As always, be wary of deploying it for production; there is no SLA yet.

The preview is limited to the following Azure public regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

You have to register the resource provider manually to make use of the preview; instructions on how to do that are here.

To use the Azure Bastion service, you need the following roles:

  • Reader role on the virtual machine
  • Reader role on the NIC with private IP of the virtual machine
  • Reader role on the Azure Bastion resource
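Those three Reader assignments can be granted at the narrowest possible scope, the individual VM, NIC and Bastion resources, rather than at subscription level. The script below is an added example of mine, not from the original post; it assumes the Az.Resources and Az.Compute modules, resource group rg-prod, a VM vm-web01, a Bastion host bas-prod and an Azure AD group wvd-operators (all constructed names).

```powershell
# Added example (not from the original post): grant a group the three Reader assignments the
# Bastion preview requires, scoped to the individual resources. All names are constructed.
$rg      = 'rg-prod'
$group   = Get-AzADGroup -DisplayName 'wvd-operators'
$vm      = Get-AzVM -ResourceGroupName $rg -Name 'vm-web01'
$nicId   = $vm.NetworkProfile.NetworkInterfaces[0].Id          # the NIC carrying the private IP
$bastion = Get-AzResource -ResourceGroupName $rg `
    -ResourceType 'Microsoft.Network/bastionHosts' -Name 'bas-prod'

foreach ($scope in @($vm.Id, $nicId, $bastion.ResourceId)) {
    # Get-AzRoleAssignment also returns assignments inherited from parent scopes,
    # so filter to assignments made at exactly this scope before deciding to add one.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Reader' -Scope $scope |
        Where-Object Scope -eq $scope
    if ($existing) {
        Write-Output "Reader already granted on $scope"
    } else {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
        Write-Output "Reader granted on $scope"
    }
}
```

Assigning to a group rather than to individual users keeps the list of people who can open Bastion sessions reviewable in one place, and the idempotent check means the script can be re-run safely as part of provisioning.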

Once you’re OK with all of the above, you can simply click connect on any of your VM resources and a new Bastion tab is available. From here you can launch your session to the VM right in the browser, which is pretty slick as it provides copy and paste and full screen functionality already.

RDP via Azure Bastion within the browser

One item I noticed from the FAQ is that you may need to use the preview link to access the resource deployment blade from the portal – https://aka.ms/BastionHost

Also of note, pricing! The FAQ states that you will be billed partially. I’m not 100% sure what that means, so watch those usage rates. The pricing page is live, however, so check it out in advance here.

Windows Virtual Desktop – First Thoughts – Part 2

A few weeks ago, I published the first part of this post, get to it here.

In the first part, I wrote about the initial setup and config experience for creating and accessing Windows Virtual Desktop (WVD). Overall, I found the experience to be good, but at times, slightly basic. This is to be expected with a brand new service that is in preview, but for the second part of this post, I wanted to explore the more advanced options of configuration that are currently available.

So in this post, I am going to discuss the following:

  • fslogix profiles
  • Load balancing
  • Deploying using a custom image
  • Availability/configuration of SSO

Starting with fslogix, I think it’s kinda cool that you are given a free license as part of WVD to use the service. The actual install was quick and easy: download the client, run it, set up two reg keys, done. However, I wasn’t overly familiar with fslogix and at first thought it wasn’t working, even though I have a solid background in desktop virtualisation and understand profile redirection well. I found the Microsoft docs for this are light currently, but clicking through to the fslogix docs I spotted the issue: the local profile cannot exist first, or fslogix will ignore it. A quick tidy up and my profiles were redirecting, loading quickly and generally behaving as expected. So far so good. I’d like to see how it scales with a tonne of users, but the expectation is similar performance to Citrix UPM. One thing that is perhaps a bit annoying out of the box is that when you choose sign out from the web client, it simply disconnects the user from an app group. This can be fixed with some Group Policy, but I would expect sign out to mean sign out.

A little tip, check out the reg key “FlipFlopProfileDirectoryName” for a quick way to make finding your user profiles within your file share a bit easier. There are also more advanced options like “SIDDirNamePattern”, more here.
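For reference, here is what the “two reg keys” plus the tip above look like when scripted onto a session host, together with the setting that deals with the pre-existing local profile problem. This is an added example of mine, not code from the original post or from the FSLogix project; it assumes FSLogix is already installed and that the profile share is \\fileserver\profiles$ (a constructed path).

```powershell
# Added example (not from the original post): configure FSLogix Profile Container on a WVD
# session host. Share path is constructed; the value names are the documented FSLogix ones.
$profileKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$shareUnc   = '\\fileserver\profiles$'

if (-not (Test-Path $profileKey)) { New-Item -Path $profileKey -Force | Out-Null }

# The two values the post describes as the minimum: switch the agent on and point it at the share.
Set-ItemProperty -Path $profileKey -Name 'Enabled'      -Value 1         -Type DWord
Set-ItemProperty -Path $profileKey -Name 'VHDLocations' -Value $shareUnc -Type MultiString

# FlipFlopProfileDirectoryName: the per-user folder is named <username>_<SID> instead of
# <SID>_<username>, so the share sorts by user name and is far easier to browse.
Set-ItemProperty -Path $profileKey -Name 'FlipFlopProfileDirectoryName' -Value 1 -Type DWord

# The issue the post ran into: if a local profile already exists, FSLogix ignores the container.
# DeleteLocalProfileWhenVHDShouldApply removes that stale local profile so the container is used.
# Use it deliberately: anything stored only in the local profile is discarded at next logon.
Set-ItemProperty -Path $profileKey -Name 'DeleteLocalProfileWhenVHDShouldApply' -Value 1 -Type DWord

# Read back what the agent will actually use and compare it with the intended values above.
Get-ItemProperty -Path $profileKey |
    Select-Object Enabled, VHDLocations, FlipFlopProfileDirectoryName, DeleteLocalProfileWhenVHDShouldApply
```

The read-back at the end is the check I would keep in any build script: a typo in the share path fails silently and only shows up as “profiles not redirecting”, which is exactly the symptom described above.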

Next up is load balancing the session hosts. This obviously only applies to non-persistent session hosts, as the persistent relationship is 1:1. You also need to understand two concepts:

  • Breadth-first
    • This distributes sessions evenly across all session hosts, a max session limit is optional.
  • Depth-first
    • This fills up a session host first before distributing sessions, a max session limit is required.

Both options are simple to set up via PowerShell and behave exactly as outlined. Instructions here.
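The two load balancing modes are a single cmdlet each. The block below is an added example of mine, not code from the original post; it uses the Microsoft.RDInfra.RDPowerShell module of the preview and assumes a tenant named contoso-wvd and a pooled host pool hp-pooled (constructed names). The property names in the final Select-Object are the ones I expect the preview module to return.

```powershell
# Added example (not from the original post): set the load-balancing mode of a WVD host pool.
# Tenant and host pool names are constructed.
Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

$tenant   = 'contoso-wvd'
$hostPool = 'hp-pooled'

# Breadth-first: new sessions are spread evenly across all hosts. The limit is optional in this
# mode; setting one anyway caps a host if a newly added host is slow to register with the broker.
Set-RdsHostPool -TenantName $tenant -Name $hostPool -BreadthFirstLoadBalancer -MaxSessionLimit 20

# Depth-first: fill one host before sending sessions to the next. The limit is required here,
# because it is what tells the broker when a host is "full" and it should move on.
# Set-RdsHostPool -TenantName $tenant -Name $hostPool -DepthFirstLoadBalancer -MaxSessionLimit 10

# Check the effective setting before pointing users at the pool.
Get-RdsHostPool -TenantName $tenant -Name $hostPool |
    Select-Object TenantName, HostPoolName, LoadBalancerType, MaxSessionLimit
```

Depth-first is the cheaper option when hosts are scaled down outside business hours, since idle hosts stay empty and can be deallocated; breadth-first gives each user more headroom. Either way, the check at the end is worth running after the change, because the broker applies the new mode only to sessions created from then on.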

Third, I created a new host pool. To do this I first needed a custom image, so I deployed a VM to Azure to convert later. I skipped a bit here by using the new W10 image with 365 ProPlus preinstalled for you, very handy. However, I then realised this wasn’t the multi-user version, and even though all is good with image creation, it fails when trying to register with WVD (30 mins later…). So to save you some time, just use the W10 multi-user image instead! I installed my apps, then I made the following changes:

  • fslogix installed and enabled
  • configured session timeout policies
  • Additional language pack and region settings

Once that was done, to create your custom image, follow the usual docs here.

Then, you can simply specify it as part of the same steps you followed previously to deploy as a host pool.

Once your new host pool is deployed, you need to assign users. Don’t forget that you currently can’t assign a user to more than one App Group at any one time, so I removed one of my test users from its previous group and added it to the new one.
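Because of that one-app-group-at-a-time limit, the “remove, then add” step is easy to get wrong when you have several host pools. The function below is an added example of mine, not code from the original post: it finds every app group in the tenant that already contains the user, removes the user from each, and only then adds them to the target group. It assumes the preview Microsoft.RDInfra.RDPowerShell module, a tenant contoso-wvd, a host pool hp-custom and a test user testuser1@contoso.com (all constructed).

```powershell
# Added example (not from the original post): move a user between WVD app groups while honouring
# the preview limit of one app group per user at a time. All names are constructed.
Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

function Move-WvdAppGroupUser {
    param(
        [Parameter(Mandatory)] [string]$TenantName,
        [Parameter(Mandatory)] [string]$TargetHostPool,
        [Parameter(Mandatory)] [string]$TargetAppGroup,
        [Parameter(Mandatory)] [string]$UserPrincipalName
    )

    # Walk every host pool and app group in the tenant and collect those containing the user.
    $memberships = foreach ($pool in Get-RdsHostPool -TenantName $TenantName) {
        foreach ($grp in Get-RdsAppGroup -TenantName $TenantName -HostPoolName $pool.HostPoolName) {
            $users = Get-RdsAppGroupUser -TenantName $TenantName `
                -HostPoolName $pool.HostPoolName -AppGroupName $grp.AppGroupName
            if ($users.UserPrincipalName -contains $UserPrincipalName) {
                [pscustomobject]@{ HostPool = $pool.HostPoolName; AppGroup = $grp.AppGroupName }
            }
        }
    }

    foreach ($m in $memberships) {
        if ($m.HostPool -eq $TargetHostPool -and $m.AppGroup -eq $TargetAppGroup) {
            Write-Output "$UserPrincipalName is already in '$TargetAppGroup' ($TargetHostPool); nothing to do."
            return
        }
        # Remove first: the preview does not allow a second assignment while one exists.
        Remove-RdsAppGroupUser -TenantName $TenantName -HostPoolName $m.HostPool `
            -AppGroupName $m.AppGroup -UserPrincipalName $UserPrincipalName
        Write-Output "Removed $UserPrincipalName from '$($m.AppGroup)' ($($m.HostPool))."
    }

    Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $TargetHostPool `
        -AppGroupName $TargetAppGroup -UserPrincipalName $UserPrincipalName
    Write-Output "Added $UserPrincipalName to '$TargetAppGroup' ($TargetHostPool)."
}

Move-WvdAppGroupUser -TenantName 'contoso-wvd' -TargetHostPool 'hp-custom' `
    -TargetAppGroup 'Desktop Application Group' -UserPrincipalName 'testuser1@contoso.com'
```

The upfront enumeration is what makes this safe to run repeatedly: it never removes a user from anywhere unless it is about to add them to the requested group, and it reports each change so the move is visible in whatever log your provisioning script writes.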

Once logged in, everything is as expected: profiles, custom settings and my newly added apps. For my own terrible fun I added a special app. Yes, I’m sorry, that is Windows 95 running in the HTML5 client on WVD!

Windows95 running via HTML5 client on Windows Virtual Desktop

One tip that could save you some time is relevant to SSO. You may notice that when signing in and launching an app/desktop you are prompted for credentials twice. This is the current expected experience. In the comments on the docs, I spotted the following response from the program group:

So we’ll just have to wait and see how good/bad SSO functionality will be once released!

If you have any questions or would like to see a third part to this series, let me know!

Windows Virtual Desktop – First Thoughts – Part 1

Last week, Microsoft released Windows Virtual Desktop (WVD) to the public in preview. The service was first announced back at Ignite 2018. Microsoft describe the service as follows:

Windows Virtual Desktop is a desktop and app virtualization service that runs on the cloud.

Here’s what you can do when you run Windows Virtual Desktop on Azure:

  • Set up a multi-session Windows 10 deployment that delivers a full Windows 10 with scalability
  • Virtualize Office 365 ProPlus and optimize it to run in multi-user virtual scenarios
  • Provide Windows 7 virtual desktops with free Extended Security Updates
  • Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer
  • Virtualize both desktops and apps
  • Manage Windows 10, Windows Server, and Windows 7 desktops and apps with a unified management experience

One point not mentioned that is important: Azure is the only public cloud in which you can run Windows 10 workloads.

There are a couple of pre-requisites to deploying WVD. First up is licensing; below are the requirements for running WVD (OS: required license).

  • Windows 10 Enterprise multi-session or Windows 10 single-session: Microsoft E3, E5, A3, A5, Business; or Windows E3, E5, A3, A5
  • Windows 7: Microsoft E3, E5, A3, A5, Business; or Windows E3, E5, A3, A5
  • Windows Server 2012 R2, 2016, 2019: RDS Client Access License (CAL) with Software Assurance

Next, you’ll need the following infrastructure components:

  • Azure AD tenant to register the service against
  • AD Domain Services reachable by the VMs in the WVD pool, so either a domain controller in the vnet or AAD DS enabled.
  • An Azure subscription to host and pay for the above 🙂

Once the above is all ready to go, you’ll want to start your deployment. First, you need to register your AAD tenant with the WVD service. This requires Global Admin rights and your tenant ID, full details here. I found the process quick, simple and well documented.

Second, you need to create a host pool. This links the IaaS resources to your domain and your WVD service. I opted for an isolated vnet with AADDS activated to domain join the VMs, using a server pool for applications. Full details for this step here.
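The PowerShell side of the registration step looks like this. It is an added example of mine, not code from the original post or from Microsoft; the Azure AD consent that precedes it is done in the browser with a Global Admin account. The example assumes the preview Microsoft.RDInfra.RDPowerShell module, a tenant name contoso-wvd, placeholder directory and subscription ids, and a dedicated admin account wvdadmin@contoso.com (all constructed).

```powershell
# Added example (not from the original post): create the WVD tenant and delegate it to a
# dedicated admin. Tenant name and admin UPN are constructed; ids below are placeholders.
Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'   # sign in as the tenant creator

$tenantName = 'contoso-wvd'
$aadTenant  = '<azure-ad-directory-id>'    # placeholder: your Azure AD tenant (directory) id
$subId      = '<azure-subscription-id>'    # placeholder: the subscription that will host the VMs

# Create the WVD tenant only if it does not already exist, so the script is safe to re-run.
if (-not (Get-RdsTenant -Name $tenantName -ErrorAction SilentlyContinue)) {
    New-RdsTenant -Name $tenantName -AadTenantId $aadTenant -AzureSubscriptionId $subId
}

# Hand day-to-day management to a dedicated admin rather than keep using the Global Admin:
# RDS Owner on the tenant is enough for the host pool and app group steps that follow.
New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' -SignInName 'wvdadmin@contoso.com' `
    -TenantGroupName 'Default Tenant Group' -TenantName $tenantName

# Check who can now manage the tenant.
Get-RdsRoleAssignment -TenantName $tenantName
```

Separating the Global Admin used for consent from the account that manages host pools is a small least-privilege win: the WVD role assignment can be reviewed and revoked on its own without touching the directory-wide role.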

After a little time, my host pool was deployed and I could access the service via the web client.

A Windows 10 desktop session running via the HTML5 client right in the browser

The experience was good, but I wouldn’t call it seamless. Simple things jumped out straight away on the authentication side with the HTML5 client. After logging into the Azure AD app, I then have to log in again to the desktop; I would have expected SSO here. The same lack of SSO is present in the RDS client on Windows 10.

However, once connected, performance and latency were good. Exactly as expected in fact. Even via the HTML5 client.

Next, I wanted to test some individual apps. Namely, the powerhouse of app virtualisation, Notepad. I created a new RemoteApp Group, following the instructions here; again they were easy to follow. Although Notepad didn’t show up in the list of available apps, I just entered the location where I know it is installed and it worked.

Again, performance was as expected. However, the issue I ran into here was that I couldn’t assign the same user to multiple groups; it was one group or the other, as I had a “desktop” group and an “app” group. Hopefully this is something that is fixed, or has a workaround in place, for GA.

Next on my list will be to test the FSlogix option for profiles, load balancing options and creating a pool with a customised image. But so far I am impressed with the simplicity of deployment. I will follow this post up with impressions relative to that next level of customisation required for a production environment.

One final note is that all of the customisation of the Windows Virtual Desktop service is done via PowerShell. If you’re not familiar or comfortable with this, you may struggle to get a working POC in place. My advice is to follow the published guides exactly or ask on Twitter for help!

Azure Monitor – Show me all the data!

A significant but possibly less exciting update to Azure over the past few months has been the revamp and update of Azure Monitor (AzMon). In my opinion, this is a resource that should be included in your design for all deployments. It is now a comprehensive solution for collecting, analysing, and acting on your telemetry from Azure as well as on-premises environments.

The below graphic gives an overview of AzMon and its three key areas. Left to right, you start with the six possible data ingestion sources for telemetry data. As you can see, everything from application to infrastructure is supported. Next come the two key forms of data used, Metrics and Logs. The final area highlights the processing functions available.

(Image: Azure Monitor overview)

AzMon collects the following data for processing:

  • Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.
  • Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
  • Azure resource monitoring data: Data about the operation of an Azure resource.
  • Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
  • Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.

As mentioned previously, the data slots neatly into two categories:

  1. Metrics – You can use Metrics Explorer to view resource performance, among other things, over periods of time. These can be presented immediately within the portal, or additional dashboards can be created to visualise them.
  2. Logs – Using Log Analytics helps to quickly retrieve, consolidate, and analyse the collected log data. This can then be re-used in visualisations as well as alerting.
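To make the Metrics versus Logs split concrete, here is one of each pulled from PowerShell: a metric series for a VM, and a Log Analytics query that is a reasonable detection starting point for a session host. This is an added example of mine, not code from the original post or from Microsoft. It assumes the Az.Monitor and Az.OperationalInsights modules, a VM resource id and a workspace id (placeholders below), and that the workspace collects Windows security events into the SecurityEvent table.

```powershell
# Added example (not from the original post): read both kinds of AzMon data. Resource and
# workspace ids are placeholders; the query assumes Windows Security events are being collected.
$vmId        = '/subscriptions/<subscription-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01'
$workspaceId = '<log-analytics-workspace-id>'

# 1. Metrics: numeric time series available almost immediately.
#    Average CPU of the VM in 5-minute buckets over the last hour.
$end   = Get-Date
$start = $end.AddHours(-1)
$cpu = Get-AzMetric -ResourceId $vmId -MetricName 'Percentage CPU' -TimeGrain 00:05:00 `
    -StartTime $start -EndTime $end -AggregationType Average
$cpu.Data | Select-Object TimeStamp, Average

# 2. Logs: a Kusto query over collected log data. Hosts seeing a burst of failed logons
#    (Windows event 4625) in the last day, grouped by computer and source address, with a
#    threshold so a single mistyped password does not show up.
$kql = @'
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize Failures = count(), Accounts = dcount(Account) by Computer, IpAddress
| where Failures > 20
| order by Failures desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$result.Results | Format-Table Computer, IpAddress, Failures, Accounts
```

The same Kusto query can be pasted straight into Log Analytics in the portal, and once it returns what you expect it can be turned into a log alert rule, which is the “acting on your telemetry” part of the overview above.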

The Docs site for AzMon is fantastic. It is filled with guidance on setup as well as tutorials relating to common scenarios. Rather than regurgitate them, below are my personal picks:

Visualise your log data

Respond to events using alerts

Application health alerts

Also hugely important is the level of integration with other services that AzMon offers, take a look here for the currently supported list.

Azure App Service and Windows Containers

Containerisation of applications is something that is becoming more and more common. Allowing developers to “wrap” all requirements into an individual element which the infrastructure team can then deploy where resources are available opens a door to the most modern options in application deployment and management.

Enter Azure App Service, which for years now has been removing the need for an infrastructure management layer and allowing teams to focus on deployment and performance. Traditionally, you had to deploy your apps within the allowed parameters of your App Service Plan (ASP). However, you can now run containers as part of this platform.

Combine this with a Container Registry, such as Azure Container Registry and you can deploy images within minutes. These images can then be scaled within your ASP to meet demand and can be updated as required using your current CI/CD processes.

This had been limited to Linux based containers, but Microsoft have recently announced a public preview of the ability to run Windows containers within your ASP. This is targeted towards customers interested in migrating .NET applications to Azure, and hoping to avail of a PaaS service to get the many productivity benefits such as high availability within and across Azure regions. This can also increase application redundancy options by using integrated backup/restore and app cloning options.

(Image: Web App for Containers, example deployment scenario)

The preview capabilities are appropriate for testing and POC environments, but there are of course some limitations and preview deployments are not recommended for production workloads in any scenario.

Within the preview the following is supported:

  • Deploy containerized applications using Docker Hub, Azure Container Registry, or private registries.
  • Incrementally deploy apps into production with deployment slots and slot swaps.
  • Scale out automatically with auto-scale.
  • Enable application logs and use the App Service Log Streaming feature to see logs from your application.
  • Use PowerShell and Win-RM to remotely connect directly into your containers.

For a quick start/how-to see the following link.