Azure

Azure: Installing the Microsoft Antimalware and Log Analytics extensions on VM Scale Sets

I’ve been engaged with a customer over the the past few months that hosts multiple virtual machine scale sets across their Azure estate. For the most part, the scale sets are used to offer public facing web services.

Using scale sets allows them to provide redundancy and improved performance by distributing their web applications across multiple VM instances. Azure load balancers then sit above the scale sets distributing traffic.

Scale sets also give them the ability to scale the number of VM instances as required. Either manually or automatically using predefined auto scale rules based on resource usage like CPU, memory demand or network traffic. 

As with any virtual machine, it is important to protect the scale set VM instances by installing the latest security updates and running Antimalware to maintain a strong security posture. For scale sets running Windows 2016 VM instances , Windows defender is built into the OS but for Windows 2012 R2 this is something that needs to be managed.

The Azure marketplace offers many third party security extensions that can be implemented. But in this article I’m going to concentrate on the following two and how to go about installing them.

  • Microsoft Antimalware
  • Log Analytics

Installing the Microsoft Antimalware extension 

One way to install the Microsoft Antimalware extension is by browsing to the Extensions blade of the scale set, clicking on the + Add button and then selecting the extension from the popup list.

It’s worth noting that not all extensions are available via the portal so I tend to use the following PowerShell snippet which can be found on the Azure virtual machine scale set FAQ page. I have included the link for additional information.

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#how-do-i-turn-on-antimalware-in-my-virtual-machine-scale-set

Once the extension has been installed on the scale set reference image, the image then needs to be rolled out to all of the running VM instances. The simplest way I have found to do this is through the portal.

Browse to the Instances blade of the scale set and then simply select which instances need upgrading. Finally click the Upgrade button to upgrade them to the latest OS image. 

NOTE: If all instances are upgraded at once, the scale set will be offline during the upgrade process.  

Installing the Log Analytics extension

Having installed the chosen Antimalware extension, it’s important to have some visibility into the health of the scale set. Integration of scale sets into services such as Security Center and Log Analytics are still quite limited but viewing the logs that are produced can offer some invaluable insight.

Before we go ahead and install the Log Analytics extension, we first need to make note of the Log Analytics Workspace ID and one of the Workspace Keys. This can be found in a couple of ways, arguably the easiest is by browsing to the Advanced Settings blade of the chosen Log Analytics workspace.

Unlike the Antimalware extension, the Log Analytics extension does not appear in the list accessible through the portal and needs to be installed using either PowerShell or Azure CLI

The following script created by Tim Omta is the method I have tended to use. 

https://blogs.msdn.microsoft.com/timomta/2018/04/09/how-to-add-the-oms-client-to-a-vm-scale-set/

Alternatively the same things can be achieved by the following single line of Azure CLI

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#is-it-possible-to-integrate-scale-sets-with-azure-log-analytics

In the same way the VM instances required upgrading after the reference image had been updated with the Antimalware extension, the same is true for the Log Analytics extension.

In most production environments, I would recommend installing both extensions before upgrading the scale set once from the updated reference image.  

Deleting a virtual machine scale set extension

Having stepped through installing both extensions, it’s worth covering off how to remove them. Even though it’s not possible to install both via the portal, it is possible to remove them manually through the GUI.

For completeness, the following PowerShell script can also be used to remove extensions from VM scale sets.  

As a final note, I’m aware that over the coming months the integration between Azure Security Center and VM Scale Sets is likely to improve. As things change, I plan to feedback on the key improvements.

Active Directory

Azure: Azure Active Directory Business-to-Business (B2B)

As organisations move to the cloud, many try to adopt the same administrative processes and governance framework as they are comfortable with on-premises.

Most system administrators at one point or another have had the need to grant third party access to a businesses resource for either support or collaboration reasons. This probably involved creating a new account within the local AD and then permissioning the application using the newly created account.

In the past that might have been acceptable but not only is there now an extra account to manage for someone that the business has limited visibility of but the third party user has another set of account credentials to remember.

copyright Microsoft

With Azure AD B2B collaboration its possible to invite users from other organisations to access your resources, whilst using their own credentials.

Permissions can be assigned for guest users without the need to manage their accounts. The third party user is happy as they don’t have extra account details to remember and any account management such as password complexity or knowing when the user leaves the company and should have their account disabled is left in the hands of the users own organisation.

Key benefits:

  • Partners use their own credentials
  • No requirement for partners to use Azure AD
  • No external directories or complex set-up required
  • Provide access to any corporate app or data, while applying sophisticated, Azure AD-powered authorisation policies
  • No external account or password management

NOTE: If the guest user doesn’t have a Microsoft account or an Azure AD account, one is created for them when they redeem their invitation.

Manually adding B2B collaboration users using the portal

Manually adding a collaborated user is quite simple. Login in to the Azure portal and browse to the Users blade of Azure AD. From the top ribbon, select New guest user.

In the next blade, enter the users email address and if you wish a personnel message to be sent as part of the email invite. Finally click on the Invite button.

Once invited, the collaborated user will receive a welcome email containing any personnel message included in the original invite. Permissions can then be assigned in the same way as for any other user.

Should the guest user not receive their welcome invite, it is possible to resend. To do this browse to the users profile and click on the Resend Invitation button.

Using PowerShell to bulk invite users

Adding a single guest user through the postal is fine. For larger numbers it’s possible to use PowerShell to bulk-invite users based on the contents of a .CSV file. 

The first step is to create a .CSV file with the users names and email addresses. This should be in the following format.

       Name                                   InvitedUserEmailAddress
       John Smith                           jsmith@blueclouds.com
       Emma White                        ewhite@blueclouds.com

The next step is to import the details from the .CSV into Azure AD. The following Microsoft example script gives a good idea of how that can be achieved.

Licensing

Users invited as guests into your Azure AD can automatically make use of the capabilities that Azure AD Free edition offers. If you wish them to make use of a paid feature i.e. MFA then that user must be licensed. B2B collaboration guest users can be licensed in either of the following two ways.

  • The owner of the tenancy the guest user has been invited into has available paid licenses. These licenses can be used to cover the B2B users at a ratio of 5.1
  • The B2B guest user already has a paid Azure AD license assigned by their own organisation. 

For example: Inviting ten B2B collaboration guest users to access one of your LOB applications which is access using Azure MFA would require two Azure AD Premium P1 or P2 licences to be available.

NOTE: It is not currently possible to assign licenses directly to the B2B collaboration users. Licensing is automatically calculated and reported based on the 5:1 rule.

For more information on Azure AD B2B licensing checkout the following article https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

Azure

Azure: Cost Optimisation – Enabling Hybrid Use Benefit (HUB)

I used to spend most of my time discussing with customers the benefits of moving business services to the cloud. Most no longer need to be convinced, in fact many have already dabbled with services and instead are looking for guidance on how to enforce governance and better manage costs.

Cost optimisation in Azure is a large topic and by adopting a number of technologies and processes it is possible to make rewarding cost savings.

Along with investing in reserved instances one of the biggest cost savers for Windows VMs can be make through the use of the Microsoft Hybrid Use Benefit (HUB).

What is Hybrid Use Benefit (HUB)

The Azure Hybrid Benefit helps you get more value from your Windows Server licences and save up to 40 per cent* on virtual machines. You can use the benefit with Windows Server Data Centre and Standard edition licences covered with Software Assurance or Windows Server Subscriptions. Depending on the edition, you can convert or re-use your licences to run Windows Server virtual machines in Azure and pay a lower base compute rate (Linux virtual machine rates).

* Actual savings may vary based on region, instance type or usage.

Paragraph from HUB FAQ

It’s worth noting that licensing entitlement is different between Windows Server Datacentre and Windows Server Standard editions.

  • Windows Server Datacentre with Software Assurance allows you to use the license on-premises and simultaneously in Azure
  • Windows Server Standard with Software Assurance allows you to use the license on-premises or in Azure

With both editions, each two-processor licence or each set of 16-core licences are entitled to two instances of up to 8 cores, or one instance of up to 16 cores.

Enabling Hybrid Use Benefit 

Hybrid Use Benefit can be enabled when deploying a Windows VM either from the marketplace, as part of an ARM template or PowerShell script. It can also be enabled post deployment.

I’ve focused on PowerShell and outlined below are a few commands that might be of use. Its also worth mentioning that its possible to do the majority of this through the portal or Azure CLI.

Dependencies

The first thing to do is make sure that you have the Azure PowerShell module installed.

If you already have the module installed, I would suggest checking that you are running the latest version. This can be done by running the following command.

How do I know if Hybrid Use Benefit is enabled on a VM?

Its possible to check if Hybrid Use Benefit is enabled on a machine by looking at the virtual machines blade in the Azure Portal.

Browse to the virtual machine blade, from the top ribbon select Edit columns and then add Azure Hybrid Benefit to the selected columns list.

Once the Hybrid Use Benefit column has been added to the blade view, its easy to scan down and see which machines have been enabled or not.


As you would expect, its also straight forward to pull back the same information across all machines using a simple PowerShell command.

The following PowerShell snippet outputs just the Windows machines that HUB is enabled for and ignores the rest.

This screenshot is of the above PowerShell snippet being run from within Azure Cloud Shell.

Converting an already deployed VM

For Windows machines deployed with Pay-as-you-go licensing, its a simple process to convert them to Hybrid Use Benefit. As before this can either be done from within the Azure portal or using a simple PowerShell command such as the one below.

NOTE: Changing the license type only updates the machines metadata flag. This means there is no downtime or service interruption to the system. 

Converting back to Pay-as-you-go Licensing

Reverting the VM to Pay-as-you-go licensing is done using the same command. This time, the licensing type needs to be changed to None before running.

Change the license type of every Windows VM in the subscription

Updating the license type of multiple VMs one at a time can be very time consuming. To speed things up, I would recommend reviewing the following script created by Neil Bird a Premier Field Engineer at Microsoft.

The script not only allows you to change the licensing type across all Windows VMs but it also offers a Simulate Mode where no changes are actually made. Instead, LOG and CSV export files are generated to show what changes the script would make if ran in Update Mode.

https://gallery.technet.microsoft.com/Azure-Enable-Hybrid-Use-1977e089

 

For more details checkout the Microsoft document site https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/

Application Gateway

Azure: Application Gateway HTTP to HTTPS redirect

One key feature of the Application Gateway service is its support for Secure Sockets Layer (SSL) termination. This feature means that the overhead of encrypting and decrypting traffic can be offloaded to the gateway, rather than have this impact performance on the backend web server.

This does however mean that communication between the application gateway and the backend web server is unencrypted which in some cases, perhaps due to security or compliance requirements, may not be acceptable. For those situations, the application gateway also fully supports end to end SSL encryption.

For the purpose of this article, the assumption has been made that SSL termination is enabled on the gateway. Standard web traffic should now be redirected to the HTTPS listener so that web requests don’t just fail when they are unable to traverse the application gateway over HTTP.

Enabling HTTP to HTTPS redirection

When an application gateway is configured with SSL termination, a routing rule is used to redirect HTTP traffic to the HTTPS listener. The remainder of this article steps through configuring this routing rule.

Assumptions

The following assumptions have been made:

  • HTTP and HTTPS listeners already exist
  • Azure PowerShell module version 3.6 or later is installed.

NOTE: To check what version of PowerShell is installed and for help on upgrading it if required, see Install Azure PowerShell module.

Configuring the routing rule

1. The first thing we need to do is get the application gateway object and store it as a variable

2. Get the existing HTTPS listener

3. Get the existing HTTP listener

4. Now create a redirection configuration using a permanent redirect and targeting the existing listener

5. Get the newly created redirect configuration

6. Add a new rule to handle the redirect from the HTTP listener

7. Finally, update the application gateway

To make it a little simpler to copy all steps, they have been combined into one script below. A copy of the file can also be downloaded from my GitHub repository app-gateway-http-https-redirect.ps1

More information about the application gateway and all of its features can be found by following the link to Microsoft document repository – https://docs.microsoft.com/en-us/azure/application-gateway/

Automation

Azure: Using Azure Event Grid to trigger Automation Runbooks

A relatively new service that so far has been somewhat overlooked by many of the customers I have spoken with, is the Azure Event Grid. Event Grid closely resembles Amazons Simple Notification Service, albeit under the hood they function a little differently.

With the cloud becoming increasingly event-driven, Event Grid has been labelled as the event messaging service for the modern application.

Essentially, the service can be used to intelligently route events between event publishers and event subscribers. Using Event Grid, events generated by Azure resources can be subscribed to, in turn used to trigger a reaction using one of the serverless technologies like Azure Automation or Logic Apps.

The Microsoft graphic above gives a basic representation of the service, including some of the event sources and event handlers available at the time of writing. As with everything in Azure, Microsoft are continuously working behinds the scenes to develop the service further. As such, other event sources and event handlers are planned for later this year include Azure Active Directory, API Management, Azure Data Lake Store, Azure Cosmos DB, Azure Data Factory, and Storage Queues.

For the latest event sources and event handlers refer to the following Microsoft blog
https://docs.microsoft.com/en-gb/azure/event-grid/overview#event-sources

Use cases

Event Grid can be used to develop Serverless Application Architectures, Ops Automation and Application Integration with Ops Automation being the focus of this article.

To give a few examples of how the service might be used for Ops Automation:

  • Notifying when Azure resources have been created or changed i.e. Virtual Machines or SQL Databases
  • Converting Virtual Machines deployed using unmanaged disks into managed disk machines
  • Assigning resource tags to resources when deployed to specific Resource Groups.

Using this style of serverless architecture, opens the door to designing solutions with almost limitless functionality.

Using Event Grid

The remainder of this article steps through implementing a very basic Event Grid deployment. In the demo, every time a Virtual Machine is deployed to a specific Resource Group, Event Grid, using a Webhook, triggers an automation Runbook which sends out email notification.

Assumptions

The following assumptions have been made:

  • Azure Automation Account has been created
  • Runbook with the required workflow has already been created and published.


The first thing to do is add a Webhook to the Runbook that will be triggered on an event being raised. To do this, browse to the Runbook and from its blade select Webhooks.


Next click + Add Webhook.


Give the Webhook a name and copy its endpoint URL to one side to be used later. Then Click OK to move onto configuring parameters and run settings for the selected Runbook. In my case, I can leave all parameters as default for the purpose of the demo.

Finally go ahead and create the Webhook by clicking the Create button.


The next step is to plumb all the components together, which is done by configuring an Event Grid subscription.

Selecting the Automation Account in which the Runbook we need to trigger is associated, click on Event Grid from the blade of the Automation Accounts overview page.


Click on the + Event Subscription button at the top of the Event Grid window.


Start by giving the subscription a name and then fill in the remaining options. For the purpose of this article, the following configuration was used:

  • Topic Type – Azure Subscriptions
  • Subscribe to all event types – unchecked
  • Event Topics – Resource Write Success selected only
  • Subscriber Endpoint – Webhook URL made note of earlier
  • Prefix Filter – Location of where the new VMs will be created.
    /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.Compute/virtualMachines

Once all required options have been completed, finally click Create to deploy the subscription.


Now it’s time to test!

Go ahead and create a new Virtual Machine in the Resource Group that was specified in the Event Grid subscription. In my case Production-VMs.


If everything has gone to plan, on completion, a Resource Write Success event was raised which the Event Grid subscription successfully intercepted. This in turn used the Webhook to trigger the Automation Runbook to send out email notification.


In my case the notification was very basic and prepopulated with static content but this could be updated to include Virtual Machine names and other more useful information.

As you can appreciate, this is a very basic example of what the service is capable of when in reality, the sky is the limit!

Pricing

Event Grid price model is based on operation performed, so you only pay for what you use as with many other of the Azure services. Operations can include ingress events, advanced match, delivery attempt and management calls.

  • The first 100,000 operations per month are free
  • Price per million operations £0.448 *

* Based on West Europe pricing on the 6th April 2018

The only thing to keep in mind is that although more regions will no doubt come online soon. At the time of writing, Event Grid is only available in the following regions:

West US, East US, West US 2, East US 2, West Central US, Central US, West Europe, North Europe, Southeast Asia, and East Asia.

SLA

Guaranteed 99.99% or greater uptime.

For more information on Event Grid checkout the following Microsoft Blog https://docs.microsoft.com/en-gb/azure/event-grid/

Azure

Azure: Using Service Health to alert about planned maintenance

Microsoft periodically perform updates to improve the reliability, performance, and security of their global cloud platform. Most of the updates that Microsoft apply have no impact on the hosted virtual machines and go unnoticed. However, there are some instances where the running virtual machines are affected, the most recent example of this being the Spectre and Meltdown CPU vulnerability.

When an update like this is applied, depending if the maintenance requires a rebooted or not, it can affect running virtual machines in one of two ways:

  • In-place migration – During an in-place migration the affected Azure virtual machine is paused (typically for 30 seconds or less) to preserve memory in RAM while the host environment is updated. Once the upgrade is complete the virtual machine is resumed and the system clocks synchronised
  • Maintenance requiring a reboot – During reboot maintenance, the virtual machine is moved to a node that has already been patched and then powered back on.

Under normal circumstances, when a virtual machine needs rebooting, you are notified in advance and given the option to start the maintenance at a preferred time during the initial self-service window. If the self-service window is missed, the scheduled maintenance window begins and it is no longer possible to manage the process.

NOTE: Datacentre in paired regions will not have maintenance performed at the same time; therefore, workloads balanced across paired regions will be unaffected.

Azure Service Health


Azure Service Health (in public preview at the time of writing) can be used to view problems with Azure services that may impact any of your cloud services. Service Health monitors three types of health event:

  • Service issues – Azure services that are currently experiencing problems
  • Planned maintenance – Any known future maintenance that may affect the availability of your services
  • Health advisories – Changes in services, for example, deprecated features or exceeded quota usage.

Using the Service Heath service, it is not only possible to view in one location any service problems but also setup Health alerts which are a vast improvement on the basic email notification. Service alerts can be configured to:

  • Send Email/SMS/Push/Voice notification
  • Send Webhooks to third party app i.e. ServiceNow or Azure Logic App
  • Send an IT Service Management Ticket
  • Trigger an Automation Runbook.

Creating planned maintenance alerts using Azure Service Health

To demonstrate the alerting capabilities of the Health Service, the rest of this article steps through the process involved in configuring a basic email alert to notify of any planned maintenance events.

1. Login into the Azure portal and select Service Health.
2. Select Health alerts followed by + Create service health alert from the top of the window on the right.


3. In the Edit Alert blade, give the alert a Name, Description, check the subscription is correct and choose a resource group.


4. The next step is to work through the Criteria section choosing which services, regions and types of event alerts should be monitored. For the purpose of this article all services and regions have been checked but only planned maintenance events.


5. Select or create an Action group. (An Action group is a group of actions to be taken, should an event be logged.)


6. Configure the actions to be taken. We are only configuring an email alert, so we first name the action, then chose Email/SMS/Push/Voice from the drop down list.


7. Enter the name and email address of the person who will be sent the notification. Then finally click OK twice to add the activity log alert.


It should now be possible to see the newly created alert, listed in the Health alerts blade.


Should action groups need to be edited or new actions added, either click on Edit this action group from the lower half of the Health alerts blade or browse to the Monitor service and select the Action groups tab.

For more details checkout the Microsoft document site https://docs.microsoft.com/en-us/azure/service-health/service-health-overview 

Azure

Azure: Installing GNOME desktop and xRDP to access an Ubuntu 17.10 Server

Microsoft are continually working with different Linux communities to add evermore distributions to the Azure Marketplace. Running Linux machines in the cloud brings with it a number of benefits such as additional stability, security and affordability over that of its Windows counterpart. With Linux now running on two out of every five server instances on Azure, interaction with Linux based systems is becoming an ever increasing occurrence for system administrators.

SSH is the default method when connecting to an Ubuntu server deployed from the Azure Marketplace. For seasoned Linux admin this is fine but for anyone new to the operating system or looking for a quick method of troubleshooting, this style of administration can initially seem daunting or time consuming.

This article shows the steps involved in installing the GNOME desktop and xRDP package on an Ubuntu virtual machine running in Azure. This makes available a more familiar and user friendly remote desktop style connection.

Assumptions

The following assumptions have been made:

    • Ubuntu Server version 17.10 has been deployed from the Azure Marketplace
    • GNOME will be the chosen desktop interface
    • SSH access is available
    • PuTTY will be used as the SSH client
    • Azure Portal access is available.

Installing Gnome Desktop

Although Ubuntu 17.10 “Artful Aardvark” has dropped the Unity 7 desktop, instead switching to GNOME Shell, the Azure Marketplace image is deployed without the desktop package installed. It is worth noting that it’s possible to install xRDP without installing a desktop first, however, the user experience would be similar to that of the terminal experience offered when connecting by an SSH client.

Installing GNOME desktop over a terminal session might sound difficult, although in reality it’s actually a relatively straightforward task. The first step of the process is to remotely connect to the server using an SSH client such as PuTTY and then install the applications from the Official Ubuntu Repository.

Open up PuTTY and using the IP address of the server which can be found on the Overview blade in Azure, configure and establish an SSH connection.


Once the SSH session has been established, go ahead and login to the server.


Before we look to install the desktop, let’s go ahead and update the package list to make sure we have information on the newest versions of the packages and their dependencies. To accomplish this, we run the following command.

sudo apt-get update


We can now begin the desktop install. This is again done by issuing a fairly simple apt-get command from within the terminal session.

sudo apt-get install ubuntu-gnome-desktop


Installing xRDP

Now the desktop has been installed, it’s time to install xRDP. This is an open source remote desktop protocol (RDP) server, which allows you to RDP to your Linux server from a Windows machine. It is capable of accepting connections from rdesktop, freerdp, and remote desktop clients.

To install the package, run the following command.

sudo apt-get install -y xrdp


Configuring  Console Access

Console access is restricted to root by default which essentially means that without making any further changes, connections by anyone else will be dropped. This is obviously not the required user experience, therefore access to the console will need to be configured for all users.

To change access from root only to all users we simply edit the file /etc/X11/Xwrapper.config

This can be done by using an editor such as nano to manually change the line allowed_users=console to allowed_users=anybody.

Alternatively, it can also be updated by running the following command to make the changes.

sudo sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config


Adding a Network Security Group rule for RDP traffic

This article is based on an Ubuntu server that has been deployed from the Marketplace. As such, the machine will have been deployed with an NSG that has been configured to manage inbound and outbound traffic. By default, this will only allow port 22 inbound for SSH communication, not 3389 which is required for an RDP connection.

From within the portal, select the servers networking settings before then clicking on “Add inbound port rule


At this point you will be presented with a new blade in which the following settings need to be configured.

  • Service
  • Priority
  • Name
  • Description


As with most things in Azure, it is worth noting that this could also be done through PowerShell or Azure CLI.

Connecting via RDP

Now it’s time to check if the server is configured correctly and allowing RDP connections.

If your connecting from a Windows machine, go ahead and start up the Remote Desktop Connection client. Enter the public IP address of the Ubuntu Server and click on connect.


At this point the xRDP login screen should appear. Go ahead and provide user credentials before selecting OK.


The first time you remotely login to the Ubuntu desktop, you will be presented with the following Authentication Required popup.


Clicking the cancel button a number of times will close the message and allow access to the desktop, although it will return on the next login. To subdue the message permanently, changes to the polkit configuration will need to be made.

To make the required changes, use the following command to create a file called 02-allow-colord.conf in the following location /etc/polkit-1/localauthority.conf.d/ remembering to use admin privileges.

sudo nano /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf


Once nano has created and opened the file for editing, paste the following text into the file, before exiting and saving.

polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.color-manager.create-device" ||
action.id == "org.freedesktop.color-manager.create-profile" ||
action.id == "org.freedesktop.color-manager.delete-device" ||
action.id == "org.freedesktop.color-manager.delete-profile" ||
action.id == "org.freedesktop.color-manager.modify-device" ||
action.id == "org.freedesktop.color-manager.modify-profile") &&
subject.isInGroup("{group}")) {
return polkit.Result.YES;
}
});


If everything has gone to plan, the next time you login, no authentication message should be displayed.


Missing Gnome Desktop Dock

The other thing that you may notice when connecting remotely, is that the Ubuntu Dock is not visible. Having searched around the internet for a fix for this, the best solution I came across, was actually to install the Gnome Tweak tool which in turn then made it possible to enable both the Ubuntu appindicators and Ubuntu dock extensions. For some reason the extensions tab appears to be missing from the default Systems Settings menu.

To install the Gnome Tweak tool, run the following command.

sudo apt-get install gnome-tweak-tool -y

Once installed, simply open the Tweak tool, select the Extensions tab and enable both the appindicators and dock extensions.


Now when connecting to the GNOME desktop, the Dock should be visible on the left hand side of the screen.


That’s it!

In this post we took an Ubuntu server running in Azure, installed the GNOME desktop and xRDP package, then followed up by making the necessary tweaks required for a more streamlined user experience. Connecting to an Ubuntu server by remote desktop connection may not be enabled out of the box but hopefully this article goes to show that it is still an option when administering Linux based machines in the cloud.

 

Azure

Azure: Disabling the Windows Firewall on an virtual machine from the portal

The RDP client is one of the most heavily utilised tools in a system administrator’s toolkit. There are alternatives, for example, console access, PowerShell, iLO or in the case of a physical machine the locally connected keyboard and monitor. This is fine for on-premise machines but for machines running in the cloud, most of the alternative methods are not an option and RDP becomes a critical method of connectivity.

Over the past months I have seen an increase in the number of customers that have adjusted the guest Windows OS firewall, inadvertently locking themselves out and making it impossible to manage their Azure virtual machines.


The following article outlines one of the methods I have successfully used when restoring access. This method makes use of the Azure virtual machine Custom Script Extension and a snippet of PowerShell.

1. The first step is to open your preferred PowerShell editor and paste in the following code.

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy
\DomainProfile' -name "EnableFirewall" -Value 0

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\
PublicProfile' -name "EnableFirewall" -Value 0


Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\
Standardprofile' -name "EnableFirewall" -Value 0

These commands update local registry values which in turn disables the three firewall profiles on the next machine reboot.

A copy of the file can be downloaded from my GitHub disablefw.ps1.


2. Save the file as <filename>.ps1

3. Now login to the Azure portal and browse to the virtual machine that is having connectivity problems.

4. From the blade of the virtual machine, select Extensions


5. Click the +Add button and select Custom Script Extension from the popup menu.


6. Click on the folder icon to browse to where the <filename>.ps1 file has been stored and after selecting the file, click Open to upload it.


7. The virtual machine extension can now be installed by clicking OK.

NOTE: Additional Arguments are optional and for this task should be left blank.

8. Once the extension is installed, the Azure portal will report that provisioning has been successful.


9. It’s now time to restart the virtual machine before retrying an RDP connection.


This has proven to be very useful to me on a number of occasions, hopefully it will be of assistance to others.

As always, if any mistakes are spotted, feel free to leave me a comment.

App Services

Azure: Performance testing Web App using the portal

When deploying web app to Azure, one of the key design considerations is around load planning. Normally this is calculated on expected concurrent connections and resource requirements for the application. One of the great features that Microsoft offer is the ability to configure comprehensive load testing which can give a really quick and simple visual representation of how the deployed web app functioned under predetermined loads.

As with most things in Azure, its possible to author tests in a number of ways including Visual Studio, Visual Studio Team Services (VSTS) and using the Azure Portal. For the purposes of this article, I will be focusing on how quick and simple it is to setup such a load test through the Azure Portal.

Prerequisites

  • Azure subscription
  • Web app to test
  • Team Services account

I’m going to assume that an Azure subscription is in place and that a web app has already been deployed so the only other requirement is that of the Team Services account.

This can be provisioned in one of two ways:

  • Automatically created during the setup of the performance test
  • Manually created in advance

Linking the Team Services account

1. To set the Team Services account, browse to the web app and expand its properties.


2. Next, scroll through the menu and select Performance Test.


3. Finally, click on the Set Account button and either select a Team Services account that already exists or create a new one.


To create a new account, click on Or Create New from the next window.


Configuring the performance test

1. After the Team Services account has been set, the next step is to create a new test. To do this, firstly click on the + NEW button.


2. Next click on Configure test using, choose the test type and make sure the URL is of the website that the test should be run against.

There are two different types of test to choose from:

  • Manual Test
  • Visual Studio Web Test

The manual test allows you to run the performance test against a single URL where as the Visual Studio Web Test makes it possible to incorporating multiple URLs that represent an end-to-end user scenario.

Other settings that can be configured include the number of concurrent users to simulate and the duration the test should run over.


Once created, the test will appear in the list of Recent runs.


Double clicking on the test opens a new blade with a graphical view of its current state and how the test is progressing.


Once the test has completed, the results will be displayed in various formats. The Requests panel shows the total number of requests sent, with the breakdown between successful and failed attempts. By clicking on this box allows you to drill down further into the failure details.


It’s possible from this view to see exactly the type of failure, any context associated with each error and also the number of times each failure occurred.

For more details checkout the Microsoft document site https://docs.microsoft.com/en-us/vsts/load-test/overview