Azure

Azure Bastion – End of the Jumpbox?

A common headache facing customers migrating workloads to the public cloud is deciding how best to provide secure remote access to Windows and Linux VMs.

This is normally achieved using Remote Desktop Protocol (RDP) and Secure Shell (SSH) sessions connected over public IP addresses, either directly assigned to individual hosts or a shared Jumpbox. Another option is to only allow remote access from a trusted private network over an inter-site connection such as a site-to-site VPN or ExpressRoute.

Either way, enterprises are forced to compromise security or impact the user’s experience, limiting where they can access from or by forcing them to traverse numerous network levels to gain access to the required service.

The problem with adding public endpoints directly to a host or even to a Jumpbox is that it makes them susceptible to malicious attacks. Amongst other things, it’s possible to use port scanning to discover the public IP and then brute force attacks to compromise the machine.

In efforts to reduce risk, security features such as MFA, Just in Time Access (JiT) and ACL can be implemented, but this can be difficult to manage and not totally infallible.

Azure Bastion

In answer to this problem, Microsoft has released in public preview the Azure Bastion service. Bastion is a new managed PaaS service that provides seamless RDP and SSH connectivity for your VMs over Secure Socket Layer (SSL). The service does this without having to configure each VM with its own public endpoint.

Key features available during the public preview include:

  • RDP and SSH from the Azure portal: Initiate RDP and SSH sessions directly in the Azure portal with a single-click seamless experience
  • Remote session over SSL and firewall traversal for RDP/SSH: HTML5 based web clients are automatically streamed to your local device providing the RDP/SSH session over SSL on port 443
  • No public IP required on Azure Virtual Machines: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using a private IP, limiting exposure of your infrastructure to the public Internet
  • Simplified secure rules management: Simple one-time configuration of Network Security Groups (NSGs) to allow RDP/SSH from only Azure Bastion
  • Increased protection against port scanning: The limited exposure of virtual machines to the public Internet will help protect against threats, such as external port scanning
  • Hardening in one place to protect against zero-day exploits: Azure Bastion is a managed service maintained by Microsoft. It’s continuously hardened by automatically patching and keeping up to date against known vulnerabilities.

Is it ready for the Enterprise customer?

Whether VNets have been implemented due to project segmentation, business unit, location and so on, it’s very rare to encounter an enterprise customer that does not have to control VMs sprawled over multiple VNets.

At the time of writing, limitations of the Bastion service mean that it does not yet support VNet peering. It is also only possible to deploy a Bastion host within a single VNet.

The service roadmap highlights plans to add great capabilities like Azure AD integration, Seamless Single-Sign-on and Multi-Factor Authentication to the service. Further research of various blogs and community chat suggest that support for peered VNets is another feature also being explored.

For now, when trying to access VMs attached to VNets in unsupported regions or for customers that don’t wish to deploy a Bastion host for each VNet, the workaround is to simply adopt a hub-spoke network architecture. The Bastion host sits in the hub VNet which it shares with a Jumpbox, in essence replacing the need for a secure VPN connection. It’s then from the Jumpbox that remote access can be gained across the network peerings.

Before configuring the service, there are a couple of things with the public preview to bear in mind.

  • During the public preview, the service can only be deployed from the Azure Marketplace when accessed through the Bastion preview portal: Https://aka.ms/BastionHost
  • The service requires a dedicated subnet called AzureBastionSubnet of at least /27 in size
  • The preview is limited to West US, East US, West Europe, South Central US, Australia East and Japan East
  • Supported browsers are limited to Microsoft Edge (Windows), Google Chrome (Windows, Mac) and Microsoft Edge Chromium (Windows, Mac).

Configuring a Bastion Host

1. Log in to the Bastion preview portal and from the homepage, click on +Create a resource.

2. On the New page, type Bastion in the Search the Marketplace box and then press Enter.

3. Select the Bastion (preview) offering, then click on Create.

4. Fill in the Create a bastion web form and finally click Review + create

Connecting to a VM

1. Now the service has been created, simply choose a VM and click on the Connect button as normal.

2. A new BASTION tab is now active on the Connect to virtual machine blade. Select the tab, fill in the username and password details before finally clicking Connect.

The following image shows the RDP session running within the boundaries of the web browser and the Azure portal.

The user experience is the same for SSH sessions.

Conclusion

With console access lacking in Azure and many planned features on the road map, for the most part, I’m really excited about the service. Whether it completely replaces customers needs for a Jumpbox or just offers an alternative to a secure connection to a Jumpbox in place of the normal VPN or ExpressRoute offering, it’s definitely a big step in the right direction.

The one slight concern I have is that Windows or Linux admins who have previously only had access to the client OS and may know little or nothing about Azure, are suddenly going to be exposed to the Azure portal rather than accessing the client directly. Making sure the portal is locked down and security features are configured and in place will be essential. I’m sure though as the service matures, it’s likely that improvements will address this.

To answer the question above, is the Jumpbox dead? My gut feeling is that for now, probably not. In the not too distant future, well it’s looking possible.

To learn more about the Azure Bastion service, head over to Microsoft docs: https://docs.microsoft.com/en-gb/azure/bastion/bastion-overview

Azure

Azure: Installing the Microsoft Antimalware and Log Analytics extensions on VM Scale Sets

I’ve been engaged with a customer over the the past few months that hosts multiple virtual machine scale sets across their Azure estate. For the most part, the scale sets are used to offer public facing web services.

Using scale sets allows them to provide redundancy and improved performance by distributing their web applications across multiple VM instances. Azure load balancers then sit above the scale sets distributing traffic.

Scale sets also give them the ability to scale the number of VM instances as required. Either manually or automatically using predefined auto scale rules based on resource usage like CPU, memory demand or network traffic. 

As with any virtual machine, it is important to protect the scale set VM instances by installing the latest security updates and running Antimalware to maintain a strong security posture. For scale sets running Windows 2016 VM instances , Windows defender is built into the OS but for Windows 2012 R2 this is something that needs to be managed.

The Azure marketplace offers many third party security extensions that can be implemented. But in this article I’m going to concentrate on the following two and how to go about installing them.

  • Microsoft Antimalware
  • Log Analytics

Installing the Microsoft Antimalware extension 

One way to install the Microsoft Antimalware extension is by browsing to the Extensions blade of the scale set, clicking on the + Add button and then selecting the extension from the popup list.

It’s worth noting that not all extensions are available via the portal so I tend to use the following PowerShell snippet which can be found on the Azure virtual machine scale set FAQ page. I have included the link for additional information.

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#how-do-i-turn-on-antimalware-in-my-virtual-machine-scale-set

Once the extension has been installed on the scale set reference image, the image then needs to be rolled out to all of the running VM instances. The simplest way I have found to do this is through the portal.

Browse to the Instances blade of the scale set and then simply select which instances need upgrading. Finally click the Upgrade button to upgrade them to the latest OS image. 

NOTE: If all instances are upgraded at once, the scale set will be offline during the upgrade process.  

Installing the Log Analytics extension

Having installed the chosen Antimalware extension, it’s important to have some visibility into the health of the scale set. Integration of scale sets into services such as Security Center and Log Analytics are still quite limited but viewing the logs that are produced can offer some invaluable insight.

Before we go ahead and install the Log Analytics extension, we first need to make note of the Log Analytics Workspace ID and one of the Workspace Keys. This can be found in a couple of ways, arguably the easiest is by browsing to the Advanced Settings blade of the chosen Log Analytics workspace.

Unlike the Antimalware extension, the Log Analytics extension does not appear in the list accessible through the portal and needs to be installed using either PowerShell or Azure CLI

The following script created by Tim Omta is the method I have tended to use. 

https://blogs.msdn.microsoft.com/timomta/2018/04/09/how-to-add-the-oms-client-to-a-vm-scale-set/

Alternatively the same things can be achieved by the following single line of Azure CLI

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#is-it-possible-to-integrate-scale-sets-with-azure-log-analytics

In the same way the VM instances required upgrading after the reference image had been updated with the Antimalware extension, the same is true for the Log Analytics extension.

In most production environments, I would recommend installing both extensions before upgrading the scale set once from the updated reference image.  

Deleting a virtual machine scale set extension

Having stepped through installing both extensions, it’s worth covering off how to remove them. Even though it’s not possible to install both via the portal, it is possible to remove them manually through the GUI.

For completeness, the following PowerShell script can also be used to remove extensions from VM scale sets.  

As a final note, I’m aware that over the coming months the integration between Azure Security Center and VM Scale Sets is likely to improve. As things change, I plan to feedback on the key improvements.

Active Directory

Azure: Azure Active Directory Business-to-Business (B2B)

As organisations move to the cloud, many try to adopt the same administrative processes and governance framework as they are comfortable with on-premises.

Most system administrators at one point or another have had the need to grant third party access to a businesses resource for either support or collaboration reasons. This probably involved creating a new account within the local AD and then permissioning the application using the newly created account.

In the past that might have been acceptable but not only is there now an extra account to manage for someone that the business has limited visibility of but the third party user has another set of account credentials to remember.

copyright Microsoft

With Azure AD B2B collaboration its possible to invite users from other organisations to access your resources, whilst using their own credentials.

Permissions can be assigned for guest users without the need to manage their accounts. The third party user is happy as they don’t have extra account details to remember and any account management such as password complexity or knowing when the user leaves the company and should have their account disabled is left in the hands of the users own organisation.

Key benefits:

  • Partners use their own credentials
  • No requirement for partners to use Azure AD
  • No external directories or complex set-up required
  • Provide access to any corporate app or data, while applying sophisticated, Azure AD-powered authorisation policies
  • No external account or password management

NOTE: If the guest user doesn’t have a Microsoft account or an Azure AD account, one is created for them when they redeem their invitation.

Manually adding B2B collaboration users using the portal

Manually adding a collaborated user is quite simple. Login in to the Azure portal and browse to the Users blade of Azure AD. From the top ribbon, select New guest user.

In the next blade, enter the users email address and if you wish a personnel message to be sent as part of the email invite. Finally click on the Invite button.

Once invited, the collaborated user will receive a welcome email containing any personnel message included in the original invite. Permissions can then be assigned in the same way as for any other user.

Should the guest user not receive their welcome invite, it is possible to resend. To do this browse to the users profile and click on the Resend Invitation button.

Using PowerShell to bulk invite users

Adding a single guest user through the postal is fine. For larger numbers it’s possible to use PowerShell to bulk-invite users based on the contents of a .CSV file. 

The first step is to create a .CSV file with the users names and email addresses. This should be in the following format.

       Name                                   InvitedUserEmailAddress
       John Smith                           jsmith@blueclouds.com
       Emma White                        ewhite@blueclouds.com

The next step is to import the details from the .CSV into Azure AD. The following Microsoft example script gives a good idea of how that can be achieved.

Licensing

Users invited as guests into your Azure AD can automatically make use of the capabilities that Azure AD Free edition offers. If you wish them to make use of a paid feature i.e. MFA then that user must be licensed. B2B collaboration guest users can be licensed in either of the following two ways.

  • The owner of the tenancy the guest user has been invited into has available paid licenses. These licenses can be used to cover the B2B users at a ratio of 5.1
  • The B2B guest user already has a paid Azure AD license assigned by their own organisation. 

For example: Inviting ten B2B collaboration guest users to access one of your LOB applications which is access using Azure MFA would require two Azure AD Premium P1 or P2 licences to be available.

NOTE: It is not currently possible to assign licenses directly to the B2B collaboration users. Licensing is automatically calculated and reported based on the 5:1 rule.

For more information on Azure AD B2B licensing checkout the following article https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

Azure

Azure: Cost Optimisation – Enabling Hybrid Use Benefit (HUB)

I used to spend most of my time discussing with customers the benefits of moving business services to the cloud. Most no longer need to be convinced, in fact many have already dabbled with services and instead are looking for guidance on how to enforce governance and better manage costs.

Cost optimisation in Azure is a large topic and by adopting a number of technologies and processes it is possible to make rewarding cost savings.

Along with investing in reserved instances one of the biggest cost savers for Windows VMs can be make through the use of the Microsoft Hybrid Use Benefit (HUB).

What is Hybrid Use Benefit (HUB)

The Azure Hybrid Benefit helps you get more value from your Windows Server licences and save up to 40 per cent* on virtual machines. You can use the benefit with Windows Server Data Centre and Standard edition licences covered with Software Assurance or Windows Server Subscriptions. Depending on the edition, you can convert or re-use your licences to run Windows Server virtual machines in Azure and pay a lower base compute rate (Linux virtual machine rates).

* Actual savings may vary based on region, instance type or usage.

Paragraph from HUB FAQ

It’s worth noting that licensing entitlement is different between Windows Server Datacentre and Windows Server Standard editions.

  • Windows Server Datacentre with Software Assurance allows you to use the license on-premises and simultaneously in Azure
  • Windows Server Standard with Software Assurance allows you to use the license on-premises or in Azure

With both editions, each two-processor licence or each set of 16-core licences are entitled to two instances of up to 8 cores, or one instance of up to 16 cores.

Enabling Hybrid Use Benefit 

Hybrid Use Benefit can be enabled when deploying a Windows VM either from the marketplace, as part of an ARM template or PowerShell script. It can also be enabled post deployment.

I’ve focused on PowerShell and outlined below are a few commands that might be of use. Its also worth mentioning that its possible to do the majority of this through the portal or Azure CLI.

Dependencies

The first thing to do is make sure that you have the Azure PowerShell module installed.

If you already have the module installed, I would suggest checking that you are running the latest version. This can be done by running the following command.

How do I know if Hybrid Use Benefit is enabled on a VM?

Its possible to check if Hybrid Use Benefit is enabled on a machine by looking at the virtual machines blade in the Azure Portal.

Browse to the virtual machine blade, from the top ribbon select Edit columns and then add Azure Hybrid Benefit to the selected columns list.

Once the Hybrid Use Benefit column has been added to the blade view, its easy to scan down and see which machines have been enabled or not.


As you would expect, its also straight forward to pull back the same information across all machines using a simple PowerShell command.

The following PowerShell snippet outputs just the Windows machines that HUB is enabled for and ignores the rest.

This screenshot is of the above PowerShell snippet being run from within Azure Cloud Shell.

Converting an already deployed VM

For Windows machines deployed with Pay-as-you-go licensing, its a simple process to convert them to Hybrid Use Benefit. As before this can either be done from within the Azure portal or using a simple PowerShell command such as the one below.

NOTE: Changing the license type only updates the machines metadata flag. This means there is no downtime or service interruption to the system. 

Converting back to Pay-as-you-go Licensing

Reverting the VM to Pay-as-you-go licensing is done using the same command. This time, the licensing type needs to be changed to None before running.

Change the license type of every Windows VM in the subscription

Updating the license type of multiple VMs one at a time can be very time consuming. To speed things up, I would recommend reviewing the following script created by Neil Bird a Premier Field Engineer at Microsoft.

The script not only allows you to change the licensing type across all Windows VMs but it also offers a Simulate Mode where no changes are actually made. Instead, LOG and CSV export files are generated to show what changes the script would make if ran in Update Mode.

https://gallery.technet.microsoft.com/Azure-Enable-Hybrid-Use-1977e089

 

For more details checkout the Microsoft document site https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/

Application Gateway

Azure: Application Gateway HTTP to HTTPS redirect

One key feature of the Application Gateway service is its support for Secure Sockets Layer (SSL) termination. This feature means that the overhead of encrypting and decrypting traffic can be offloaded to the gateway, rather than have this impact performance on the backend web server.

This does however mean that communication between the application gateway and the backend web server is unencrypted which in some cases, perhaps due to security or compliance requirements, may not be acceptable. For those situations, the application gateway also fully supports end to end SSL encryption.

For the purpose of this article, the assumption has been made that SSL termination is enabled on the gateway. Standard web traffic should now be redirected to the HTTPS listener so that web requests don’t just fail when they are unable to traverse the application gateway over HTTP.

Enabling HTTP to HTTPS redirection

When an application gateway is configured with SSL termination, a routing rule is used to redirect HTTP traffic to the HTTPS listener. The remainder of this article steps through configuring this routing rule.

Assumptions

The following assumptions have been made:

  • HTTP and HTTPS listeners already exist
  • Azure PowerShell module version 3.6 or later is installed.

NOTE: To check what version of PowerShell is installed and for help on upgrading it if required, see Install Azure PowerShell module.

Configuring the routing rule

1. The first thing we need to do is get the application gateway object and store it as a variable

2. Get the existing HTTPS listener

3. Get the existing HTTP listener

4. Now create a redirection configuration using a permanent redirect and targeting the existing listener

5. Get the newly created redirect configuration

6. Add a new rule to handle the redirect from the HTTP listener

7. Finally, update the application gateway

To make it a little simpler to copy all steps, they have been combined into one script below. A copy of the file can also be downloaded from my GitHub repository app-gateway-http-https-redirect.ps1

More information about the application gateway and all of its features can be found by following the link to Microsoft document repository – https://docs.microsoft.com/en-us/azure/application-gateway/

Automation

Azure: Using Azure Event Grid to trigger Automation Runbooks

A relatively new service that so far has been somewhat overlooked by many of the customers I have spoken with, is the Azure Event Grid. Event Grid closely resembles Amazons Simple Notification Service, albeit under the hood they function a little differently.

With the cloud becoming increasingly event-driven, Event Grid has been labelled as the event messaging service for the modern application.

Essentially, the service can be used to intelligently route events between event publishers and event subscribers. Using Event Grid, events generated by Azure resources can be subscribed to, in turn used to trigger a reaction using one of the serverless technologies like Azure Automation or Logic Apps.

The Microsoft graphic above gives a basic representation of the service, including some of the event sources and event handlers available at the time of writing. As with everything in Azure, Microsoft are continuously working behinds the scenes to develop the service further. As such, other event sources and event handlers are planned for later this year include Azure Active Directory, API Management, Azure Data Lake Store, Azure Cosmos DB, Azure Data Factory, and Storage Queues.

For the latest event sources and event handlers refer to the following Microsoft blog
https://docs.microsoft.com/en-gb/azure/event-grid/overview#event-sources

Use cases

Event Grid can be used to develop Serverless Application Architectures, Ops Automation and Application Integration with Ops Automation being the focus of this article.

To give a few examples of how the service might be used for Ops Automation:

  • Notifying when Azure resources have been created or changed i.e. Virtual Machines or SQL Databases
  • Converting Virtual Machines deployed using unmanaged disks into managed disk machines
  • Assigning resource tags to resources when deployed to specific Resource Groups.

Using this style of serverless architecture, opens the door to designing solutions with almost limitless functionality.

Using Event Grid

The remainder of this article steps through implementing a very basic Event Grid deployment. In the demo, every time a Virtual Machine is deployed to a specific Resource Group, Event Grid, using a Webhook, triggers an automation Runbook which sends out email notification.

Assumptions

The following assumptions have been made:

  • Azure Automation Account has been created
  • Runbook with the required workflow has already been created and published.


The first thing to do is add a Webhook to the Runbook that will be triggered on an event being raised. To do this, browse to the Runbook and from its blade select Webhooks.


Next click + Add Webhook.


Give the Webhook a name and copy its endpoint URL to one side to be used later. Then Click OK to move onto configuring parameters and run settings for the selected Runbook. In my case, I can leave all parameters as default for the purpose of the demo.

Finally go ahead and create the Webhook by clicking the Create button.


The next step is to plumb all the components together, which is done by configuring an Event Grid subscription.

Selecting the Automation Account in which the Runbook we need to trigger is associated, click on Event Grid from the blade of the Automation Accounts overview page.


Click on the + Event Subscription button at the top of the Event Grid window.


Start by giving the subscription a name and then fill in the remaining options. For the purpose of this article, the following configuration was used:

  • Topic Type – Azure Subscriptions
  • Subscribe to all event types – unchecked
  • Event Topics – Resource Write Success selected only
  • Subscriber Endpoint – Webhook URL made note of earlier
  • Prefix Filter – Location of where the new VMs will be created.
    /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.Compute/virtualMachines

Once all required options have been completed, finally click Create to deploy the subscription.


Now it’s time to test!

Go ahead and create a new Virtual Machine in the Resource Group that was specified in the Event Grid subscription. In my case Production-VMs.


If everything has gone to plan, on completion, a Resource Write Success event was raised which the Event Grid subscription successfully intercepted. This in turn used the Webhook to trigger the Automation Runbook to send out email notification.


In my case the notification was very basic and prepopulated with static content but this could be updated to include Virtual Machine names and other more useful information.

As you can appreciate, this is a very basic example of what the service is capable of when in reality, the sky is the limit!

Pricing

Event Grid price model is based on operation performed, so you only pay for what you use as with many other of the Azure services. Operations can include ingress events, advanced match, delivery attempt and management calls.

  • The first 100,000 operations per month are free
  • Price per million operations £0.448 *

* Based on West Europe pricing on the 6th April 2018

The only thing to keep in mind is that although more regions will no doubt come online soon. At the time of writing, Event Grid is only available in the following regions:

West US, East US, West US 2, East US 2, West Central US, Central US, West Europe, North Europe, Southeast Asia, and East Asia.

SLA

Guaranteed 99.99% or greater uptime.

For more information on Event Grid checkout the following Microsoft Blog https://docs.microsoft.com/en-gb/azure/event-grid/

Azure

Azure: Using Service Health to alert about planned maintenance

Microsoft periodically perform updates to improve the reliability, performance, and security of their global cloud platform. Most of the updates that Microsoft apply have no impact on the hosted virtual machines and go unnoticed. However, there are some instances where the running virtual machines are affected, the most recent example of this being the Spectre and Meltdown CPU vulnerability.

When an update like this is applied, depending if the maintenance requires a rebooted or not, it can affect running virtual machines in one of two ways:

  • In-place migration – During an in-place migration the affected Azure virtual machine is paused (typically for 30 seconds or less) to preserve memory in RAM while the host environment is updated. Once the upgrade is complete the virtual machine is resumed and the system clocks synchronised
  • Maintenance requiring a reboot – During reboot maintenance, the virtual machine is moved to a node that has already been patched and then powered back on.

Under normal circumstances, when a virtual machine needs rebooting, you are notified in advance and given the option to start the maintenance at a preferred time during the initial self-service window. If the self-service window is missed, the scheduled maintenance window begins and it is no longer possible to manage the process.

NOTE: Datacentre in paired regions will not have maintenance performed at the same time; therefore, workloads balanced across paired regions will be unaffected.

Azure Service Health


Azure Service Health (in public preview at the time of writing) can be used to view problems with Azure services that may impact any of your cloud services. Service Health monitors three types of health event:

  • Service issues – Azure services that are currently experiencing problems
  • Planned maintenance – Any known future maintenance that may affect the availability of your services
  • Health advisories – Changes in services, for example, deprecated features or exceeded quota usage.

Using the Service Heath service, it is not only possible to view in one location any service problems but also setup Health alerts which are a vast improvement on the basic email notification. Service alerts can be configured to:

  • Send Email/SMS/Push/Voice notification
  • Send Webhooks to third party app i.e. ServiceNow or Azure Logic App
  • Send an IT Service Management Ticket
  • Trigger an Automation Runbook.

Creating planned maintenance alerts using Azure Service Health

To demonstrate the alerting capabilities of the Health Service, the rest of this article steps through the process involved in configuring a basic email alert to notify of any planned maintenance events.

1. Login into the Azure portal and select Service Health.
2. Select Health alerts followed by + Create service health alert from the top of the window on the right.


3. In the Edit Alert blade, give the alert a Name, Description, check the subscription is correct and choose a resource group.


4. The next step is to work through the Criteria section choosing which services, regions and types of event alerts should be monitored. For the purpose of this article all services and regions have been checked but only planned maintenance events.


5. Select or create an Action group. (An Action group is a group of actions to be taken, should an event be logged.)


6. Configure the actions to be taken. We are only configuring an email alert, so we first name the action, then chose Email/SMS/Push/Voice from the drop down list.


7. Enter the name and email address of the person who will be sent the notification. Then finally click OK twice to add the activity log alert.


It should now be possible to see the newly created alert, listed in the Health alerts blade.


Should action groups need to be edited or new actions added, either click on Edit this action group from the lower half of the Health alerts blade or browse to the Monitor service and select the Action groups tab.

For more details checkout the Microsoft document site https://docs.microsoft.com/en-us/azure/service-health/service-health-overview 

Azure

Azure: Installing GNOME desktop and xRDP to access an Ubuntu 17.10 Server

Microsoft is continually working with different Linux communities to add evermore distributions to the Azure Marketplace. Running Linux machines in the cloud brings with it a number of benefits such as additional stability, security and affordability over that of its Windows counterpart. With Linux now running on two out of every five server instances on Azure, interaction with Linux based systems is becoming an ever increasing occurrence for system administrators.

SSH is the default method when connecting to an Ubuntu server deployed from the Azure Marketplace. For seasoned Linux admin this is fine but for anyone new to the operating system or looking for a quick method of troubleshooting, this style of administration can initially seem daunting or time consuming.

This article shows the steps involved in installing the GNOME desktop and xRDP package on an Ubuntu virtual machine running in Azure. This makes available a more familiar and user friendly remote desktop style connection.

Assumptions

The following assumptions have been made:

    • Ubuntu Server version 17.10 has been deployed from the Azure Marketplace
    • GNOME will be the chosen desktop interface
    • SSH access is available
    • PuTTY will be used as the SSH client
    • Azure Portal access is available.

Installing Gnome Desktop

Although Ubuntu 17.10 “Artful Aardvark” has dropped the Unity 7 desktop, instead of switching to GNOME Shell, the Azure Marketplace image is deployed without the desktop package installed. It is worth noting that it’s possible to install xRDP without installing a desktop first, however, the user experience would be similar to that of the terminal experience offered when connecting by an SSH client.

Installing GNOME desktop over a terminal session might sound difficult, although in reality, it’s actually a relatively straightforward task. The first step of the process is to remotely connect to the server using an SSH client such as PuTTY and then install the applications from the Official Ubuntu Repository.

Open up PuTTY and using the IP address of the server which can be found on the Overview blade in Azure, configure and establish an SSH connection.


Once the SSH session has been established, go ahead and log in to the server.


Before we look to install the desktop, let’s go ahead and update the package list to make sure we have information on the newest versions of the packages and their dependencies. To accomplish this, we run the following command.

sudo apt-get update


We can now begin the desktop install. This is again done by issuing a fairly simple apt-get command from within the terminal session.

sudo apt-get install ubuntu-gnome-desktop


Installing xRDP

Now the desktop has been installed, it’s time to install xRDP. This is an open source remote desktop protocol (RDP) server, which allows you to RDP to your Linux server from a Windows machine. It is capable of accepting connections from rdesktop, freerdp, and remote desktop clients.

To install the package, run the following command.

sudo apt-get install -y xrdp


Configuring  Console Access

Console access is restricted to root by default which essentially means that without making any further changes, connections by anyone else will be dropped. This is obviously not the required user experience, therefore access to the console will need to be configured for all users.

To change access from root only to all users we simply edit the file /etc/X11/Xwrapper.config

This can be done by using an editor such as nano to manually change the line allowed_users=console to allowed_users=anybody.

Alternatively, it can also be updated by running the following command to make the changes.

sudo sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config


Adding a Network Security Group rule for RDP traffic

This article is based on an Ubuntu server that has been deployed from the Marketplace. As such, the machine will have been deployed with an NSG that has been configured to manage inbound and outbound traffic. By default, this will only allow port 22 inbound for SSH communication, not 3389 which is required for an RDP connection.

From within the portal, select the servers networking settings before then clicking on “Add inbound port rule


At this point you will be presented with a new blade in which the following settings need to be configured.

  • Service
  • Priority
  • Name
  • Description


As with most things in Azure, it is worth noting that this could also be done through PowerShell or Azure CLI.

Connecting via RDP

Now it’s time to check if the server is configured correctly and allowing RDP connections.

If you’re connecting from a Windows machine, go ahead and start up the Remote Desktop Connection client. Enter the public IP address of the Ubuntu Server and click on connect.


At this point, the xRDP login screen should appear. Go ahead and provide user credentials before selecting OK.


The first time you remotely login to the Ubuntu desktop, you will be presented with the following Authentication Required popup.


Clicking the cancel button a number of times will close the message and allow access to the desktop, although it will return on the next login. To subdue the message permanently, changes to the polkit configuration will need to be made.

To make the required changes, use the following command to create a file called 02-allow-colord.conf in the following location /etc/polkit-1/localauthority.conf.d/ remembering to use admin privileges.

sudo nano /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf


Once nano has created and opened the file for editing, paste the following text into the file, before exiting and saving.

polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.color-manager.create-device" ||
action.id == "org.freedesktop.color-manager.create-profile" ||
action.id == "org.freedesktop.color-manager.delete-device" ||
action.id == "org.freedesktop.color-manager.delete-profile" ||
action.id == "org.freedesktop.color-manager.modify-device" ||
action.id == "org.freedesktop.color-manager.modify-profile") &&
subject.isInGroup("{group}")) {
return polkit.Result.YES;
}
});


If everything has gone to plan, the next time you login, no authentication message should be displayed.


Missing Gnome Desktop Dock

The other thing that you may notice when connecting remotely, is that the Ubuntu Dock is not visible. Having searched around the internet for a fix for this, the best solution I came across, was actually to install the Gnome Tweak tool which in turn then made it possible to enable both the Ubuntu appindicators and Ubuntu dock extensions. For some reason, the extensions tab appears to be missing from the default Systems Settings menu.

To install the Gnome Tweak tool, run the following command.

sudo apt-get install gnome-tweak-tool -y

Once installed, simply open the Tweak tool, select the Extensions tab and enable both the appindicators and dock extensions.


Now when connecting to the GNOME desktop, the Dock should be visible on the left-hand side of the screen.


That’s it!

In this post, we took an Ubuntu server running in Azure, installed the GNOME desktop and xRDP package, then followed up by making the necessary tweaks required for more streamlined user experience. Connecting to an Ubuntu server by remote desktop connection may not be enabled out of the box but hopefully, this article goes to show that it is still an option when administering Linux based machines in the cloud.

Azure

Azure: Disabling the Windows Firewall on an virtual machine from the portal

The RDP client is one of the most heavily utilised tools in a system administrator’s toolkit. There are alternatives, for example, console access, PowerShell, iLO or in the case of a physical machine the locally connected keyboard and monitor. This is fine for on-premise machines but for machines running in the cloud, most of the alternative methods are not an option and RDP becomes a critical method of connectivity.

Over the past months I have seen an increase in the number of customers that have adjusted the guest Windows OS firewall, inadvertently locking themselves out and making it impossible to manage their Azure virtual machines.


The following article outlines one of the methods I have successfully used when restoring access. This method makes use of the Azure virtual machine Custom Script Extension and a snippet of PowerShell.

1. The first step is to open your preferred PowerShell editor and paste in the following code.

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy
\DomainProfile' -name "EnableFirewall" -Value 0

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\
PublicProfile' -name "EnableFirewall" -Value 0


Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\
Standardprofile' -name "EnableFirewall" -Value 0

These commands update local registry values which in turn disables the three firewall profiles on the next machine reboot.

A copy of the file can be downloaded from my GitHub disablefw.ps1.


2. Save the file as <filename>.ps1

3. Now login to the Azure portal and browse to the virtual machine that is having connectivity problems.

4. From the blade of the virtual machine, select Extensions


5. Click the +Add button and select Custom Script Extension from the popup menu.


6. Click on the folder icon to browse to where the <filename>.ps1 file has been stored and after selecting the file, click Open to upload it.


7. The virtual machine extension can now be installed by clicking OK.

NOTE: Additional Arguments are optional and for this task should be left blank.

8. Once the extension is installed, the Azure portal will report that provisioning has been successful.


9. It’s now time to restart the virtual machine before retrying an RDP connection.


This has proven to be very useful to me on a number of occasions, hopefully it will be of assistance to others.

As always, if any mistakes are spotted, feel free to leave me a comment.