Author Archives: Ajay Kakkar

#Azure – Resource groups, Access control (IAM)


Resource groups in Microsoft Azure are logical containers that help customers manage multiple resources in a structured manner. When you deploy multiple resources into one logical container, you also need to consider the security measures around it. Resource groups let you manage access through Access control (IAM).

IAM offers multiple pre-defined RBAC (role-based access control) roles. When you create your first subscription in Microsoft Azure, Azure automatically creates an Azure Active Directory and associates the subscription with it. For example, if I create my subscription with the email address xyz@hotmail.com, then an Azure Active Directory named xyzhotmail will be created in the background. Going forward you can add multiple subscriptions to it.

Once you are logged in to Microsoft Azure you can switch between directories if you have more than one. But keep in mind that a subscription belongs to only one directory in Azure, while one directory can have multiple subscriptions.

RBAC roles can be assigned to users and groups that are part of the associated Azure Active Directory. Groups are created in Azure Active Directory, while users can either be created in Azure Active Directory or be added using their public email addresses.

Here is the list of built-in roles with the one-line descriptions provided by Microsoft Azure.

| Role name | Description |
| --- | --- |
| API Management Service Contributor | Can manage API Management service and the APIs |
| API Management Service Operator Role | Can manage API Management service, but not the APIs themselves |
| API Management Service Reader Role | Read-only access to API Management service and APIs |
| Application Insights Component Contributor | Can manage Application Insights components |
| Automation Operator | Able to start, stop, suspend, and resume jobs |
| Backup Contributor | Can manage backup in Recovery Services vault |
| Backup Operator | Can manage backup except removing backup, in Recovery Services vault |
| Backup Reader | Can view all backup management services |
| Billing Reader | Can view all billing information |
| BizTalk Contributor | Can manage BizTalk services |
| ClearDB MySQL DB Contributor | Can manage ClearDB MySQL databases |
| Contributor | Can manage everything except access |
| Data Factory Contributor | Can create and manage data factories, and child resources within them |
| DevTest Labs User | Can view everything and connect, start, restart, and shutdown virtual machines |
| DNS Zone Contributor | Can manage DNS zones and records |
| Azure Cosmos DB Account Contributor | Can manage Azure Cosmos DB accounts |
| Intelligent Systems Account Contributor | Can manage Intelligent Systems accounts |
| Logic App Contributor | Can manage all aspects of a Logic App, but not create a new one |
| Logic App Operator | Can start and stop workflows defined within a Logic App |
| Monitoring Reader | Can read all monitoring data |
| Monitoring Contributor | Can read monitoring data and edit monitoring settings |
| Network Contributor | Can manage all network resources |
| New Relic APM Account Contributor | Can manage New Relic Application Performance Management accounts and applications |
| Owner | Can manage everything, including access |
| Reader | Can view everything, but can't make changes |
| Redis Cache Contributor | Can manage Redis caches |
| Scheduler Job Collections Contributor | Can manage scheduler job collections |
| Search Service Contributor | Can manage search services |
| Security Manager | Can manage security components, security policies, and virtual machines |
| Site Recovery Contributor | Can manage Site Recovery in Recovery Services vault |
| Site Recovery Operator | Can manage failover and failback operations of Site Recovery in Recovery Services vault |
| Site Recovery Reader | Can view all Site Recovery management operations |
| SQL DB Contributor | Can manage SQL databases, but not their security-related policies |
| SQL Security Manager | Can manage the security-related policies of SQL servers and databases |
| SQL Server Contributor | Can manage SQL servers and databases, but not their security-related policies |
| Classic Storage Account Contributor | Can manage classic storage accounts |
| Storage Account Contributor | Can manage storage accounts |
| Support Request Contributor | Can create and manage support requests |
| User Access Administrator | Can manage user access to Azure resources |
| Classic Virtual Machine Contributor | Can manage classic virtual machines, but not the virtual network or storage account to which they are connected |
| Virtual Machine Contributor | Can manage virtual machines, but not the virtual network or storage account to which they are connected |
| Classic Network Contributor | Can manage classic virtual networks and reserved IPs |
| Web Plan Contributor | Can manage web plans |
| Website Contributor | Can manage websites, but not the web plans to which they are connected |

Source: Microsoft

Now, you should know how permissions work here. There are three basic RBAC roles that apply to all resource types.

Owner: as the name suggests, has full access to all resources and the right to delegate access to others.

Contributor: can read, write/create and manage resources, but can't delegate rights to others.

Reader: can view existing resources but can't make any changes.

Now, let's look at inheritance. As in other Microsoft technologies, permissions are inherited downwards here.

That is, Subscription → Resource groups → Resources.

If the pre-defined RBAC roles do not fulfil your requirement, you can create your own custom roles through Azure PowerShell, the Azure CLI or the REST API.
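As an added example (not from the original post), the following Azure PowerShell script creates a narrowed custom role, assigns it to a group at resource-group scope, and then lists the assignments that are effective in that group, which also surfaces anything inherited from the subscription. It assumes the Az PowerShell module and uses constructed names for the resource group, the Azure AD group and the subscription ID.

```powershell
# Added example, not from the original post. Assumes the Az PowerShell module,
# an existing resource group "rg-app01", an Azure AD group "sg-app01-operators"
# and a placeholder subscription ID; all of these names are constructed.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-app01"
$groupName      = "sg-app01-operators"
$rgScope        = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1) Least-privilege custom role, cloned from a built-in role and then narrowed:
#    read everything under Microsoft.Compute and start/restart/deallocate VMs,
#    but no create, no delete and (unlike Owner) no access management.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$role.Id = $null                      # a null Id makes New-AzRoleDefinition create a new role
$role.Name = "VM Operator (custom)"
$role.Description = "Can start, restart and deallocate VMs; cannot create, delete or change access."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rgScope)  # assignable only at or below this resource group
New-AzRoleDefinition -Role $role | Out-Null

# 2) Assign the role to a group (not to individual users) at resource-group scope.
$group = Get-AzADGroup -DisplayName $groupName
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName $role.Name `
    -ResourceGroupName $resourceGroup | Out-Null

# 3) Inheritance check: the listing at resource-group scope also shows every
#    assignment made higher up (subscription), so review Owner/Contributor
#    entries whose Scope column is "/subscriptions/<id>" rather than the group.
Get-AzRoleAssignment -ResourceGroupName $resourceGroup |
    Sort-Object Scope |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```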


#Azure – Base Operating System


Microsoft Azure supports multiple base operating systems for VMs. There are many other supported scenarios where you get the base OS with an application from the portal itself, or you can use your own customized image, either base OS only or base OS with application. In this blog post, I'll cover the list of base operating systems available for VMs.

List of supported operating systems in Microsoft Azure:

| Operating System | Provided By | Pricing |
| --- | --- | --- |
| Windows Server 2016 (Datacenter, Datacenter – Server Core, Nano Server, with Containers) | Microsoft | Free* |
| Windows Server 2012 R2 (Datacenter, Essentials) | Microsoft | Free* |
| Windows Server 2012 Datacenter | Microsoft | Free* |
| Windows Server 2008 R2 SP1 | Microsoft | Free* |
| Ubuntu Server | Canonical | Free* |
| Red Hat Enterprise Linux 7 | Red Hat | $0.06/hour |
| SUSE Linux Enterprise Server | SUSE | Free* |
| Debian Linux | Credativ | Free* |
| Oracle Linux 7 | Oracle | BYOL |
| CentOS-based 7.3 | Rogue Wave Software | Paid |
| Container Linux by CoreOS | CoreOS | Free* |
| FreeBSD 10.3 | Microsoft | Paid |
| Clear Linux OS | Clear Linux Project | BYOL |
| openSUSE Leap 42.2 | SUSE | Paid |
| Windows 7 Enterprise N with SP1 (x64) | Microsoft | Paid |
| Windows 8.1 Enterprise N (x64) | Microsoft | Paid |

Free*: the OS price is included in the VM pricing.

BYOL: bring your own license.

Paid: an additional OS cost is added.


Note: The above information is accurate at the time of writing. Microsoft can modify the list at any time, so no accuracy is guaranteed for future use.

#Azure – Resource Group


Microsoft Azure is one of the leading cloud platforms and is growing continuously. This post covers the resource group concept, which is an integral part of any resource in Azure IaaS. The Microsoft Azure platform is spread across multiple geographical locations, and once you create any resource in MS Azure IaaS it belongs to the particular region that you selected at the time of deployment.

In layman's terms, a resource group is just a logical container that makes your life easier after you deploy multiple resources. Take a virtual machine as an example. When you create a virtual machine, you can observe that it is a combination of multiple resources such as compute, storage, networking etc. In a traditional datacenter you can touch and feel these items; in the case of a virtual machine, your CPU cores and memory are your compute, virtual hard disks are your storage and virtual networks are your networking components. Since each resource in a virtual machine complements the others, it is advisable to keep all of them in a single pool for better interaction. When you create these resources, such as a storage account or a virtual network, you specify a resource group and a location. If you pick an existing resource group, the location is selected by default from the resource group.

Now, let's discuss the same thing in technical language. A resource group allows you to create and manage multiple resources in a single container so that you can manage them easily by grouping them together. By default all resources in a resource group belong to the same region as the resource group, but you can still change a resource's location if you want. This keeps multiple resources located close to each other for better performance. With the help of a resource group you can deploy, update and delete multiple resources with a single click or a few clicks. A resource group also lets you secure your resources by configuring user and administrator roles through "Access control (IAM)". There are many other useful features such as policies, monitoring etc. that you can explore by playing with it.

Now let's see how to create a resource group.

Go to https://portal.azure.com and click on "Resource groups".

Click on "Add" to create a new resource group.

Fill in the required information such as "Resource group name", select "Subscription" and select "Resource group location".

Once the resource group has been created, you can see multiple options such as "Access control", "Resource costs", "Policies" etc.

To understand this better, take the example of a cluster/pool. Multiple components such as VMs, storage pools and virtual networks make up a single cluster/pool, and if you need to manage these components it is always better to keep them in a single place called a resource group. That gives you a single view from the application point of view (such as a cluster manager) and from the baseline infrastructure point of view as well (the resource group). Now you should start playing with it to learn more about each option under the resource group.

#Skype4b: Standard vs. Enterprise Edition


This is an on-demand article; I am writing it because one of the followers was asking about it, and it will definitely help others as well. I hope it will motivate others to ask anything on Insidemstech.com, and I'll try my best to help each one of you.

Lync/Skype for Business Server comes in two different editions, i.e. Standard Edition and Enterprise Edition. Both editions offer the same features and functionality; I would say an end user can't recognize which edition of Lync/Skype for Business they are using. Let me explain the difference through a comparison.

The above comparison shows very high-level differences, but these are the core differentiation points between Standard and Enterprise Edition. * indicates technical possibilities and the support matrix, but doesn't guarantee any performance. For example, if you collocate the Mediation server with Front End servers, the number of concurrent calls reduces. For more details and in-depth information you can search for role-specific blog posts here, and if you don't find any information please let me know; I'll try to help you out.

#Skype4b: Error while requesting certificate


Requesting and assigning a certificate to a Lync/Skype for Business server is a crucial process. Any carelessness while requesting the certificate can affect end-user services. If you are requesting the certificate for a Lync/Skype for Business server, you may notice "WARNING: The chain of the certificate "xxxxxxxxxxxxxxxxxxxx" is invalid".

If you look into the logs you can easily find out that the process couldn't find the certificate chain, and this happens because of the root certificate. It simply means that the root certificate of the certification authority does not exist on the local server from which the request is being generated.

Note: To reproduce this problem, do not install and configure local AD CS before the Lync/Skype for Business Server installation. Install and configure AD CS after the Lync/Skype for Business installation and try to request a certificate without restarting the Lync/Skype for Business server. Most probably you will see the same error.

Now, let me use a step-by-step process to identify and resolve this problem.

The snapshot below shows the warning message while requesting a certificate.

Open the Certificates snap-in through MMC and look for the root certificate of the certification authority from which you are trying to request the certificate.

You will not find the root CA in either "Current User" or "Local Computer".

Now reboot the Lync/Skype for Business server and check again; now you may find the root certificate. In my case, the certification authority name is "dcloud-AD-CA". If you cannot find the root certificate, or you are not using AD CS, install the root certificate chain manually.

You can check this root certificate chain in both locations, "Local Computer" and "Current User".

Now, you should try to request and assign the certificate.
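The same check done from PowerShell instead of the MMC snap-in, as an added example that is not part of the original post: it reports whether the CA's root certificate is present in the Local Computer and Current User Root stores, and, for a certificate already issued by that CA, builds the chain and prints the exact chain status flags behind a "chain ... is invalid" warning. The CA name "dcloud-AD-CA" is the one from the post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# Lync/Skype for Business server. The CA name is taken from the post; the store
# paths are the standard Windows certificate stores.
$CaName = "dcloud-AD-CA"

# 1) Is the issuing CA's root certificate trusted? The post's symptom was that it
#    was missing from both the Local Computer and the Current User Root stores.
foreach ($store in @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")) {
    $root = Get-ChildItem $store |
        Where-Object { $_.Subject -like "*CN=$CaName*" } |
        Select-Object -First 1
    if ($root) {
        "{0}: found '{1}', thumbprint {2}" -f $store, $root.Subject, $root.Thumbprint
    } else {
        "{0}: root certificate for '{1}' is MISSING" -f $store, $CaName
    }
}

# 2) For a certificate already issued by that CA, build its chain with the Windows
#    chain engine and print each status flag (e.g. UntrustedRoot, PartialChain)
#    instead of the wizard's bare "chain ... is invalid" warning.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" } |
    Select-Object -First 1
if (-not $cert) {
    "No certificate issued by '$CaName' found in Cert:\LocalMachine\My"
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the output isolates the trust-chain problem itself
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($cert)) {
        "Chain for '{0}' is valid ({1} certificates)" -f $cert.Subject, $chain.ChainElements.Count
    } else {
        "Chain for '{0}' is INVALID:" -f $cert.Subject
        $chain.ChainStatus | ForEach-Object {
            "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim()
        }
    }
}
```

If the first part reports the root as missing, importing the CA's root chain into Cert:\LocalMachine\Root (or rebooting a freshly AD CS-joined server, as described above) is what makes the chain build.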

Hope it helps you.

#Skype4b: Key planning considerations for SfB on Azure IaaS Part III


Part I and Part II of this blog post series cover the basics of key design considerations, typical server configuration in a traditional datacenter environment, Azure IaaS nomenclature and the mapping of Azure IaaS components to a traditional datacenter. This part covers the limitations of Azure IaaS for Skype for Business Server.

First, let me describe the limitations role by role.

| Skype for Business Server Role | Limitations on Azure IaaS |
| --- | --- |
| Front End | Technically feasible |
| Back End | Supported |
| Mediation | Technically not feasible |
| Director | Technically feasible |
| Persistent Chat | Technically feasible |
| Video Interop | Technically not feasible |
| Edge | Technically not feasible |

Supported: a server role such as the Back End server is fully supported because it uses SQL Server in the background, and SQL Server is a supported application on Azure IaaS.

Technically feasible: server roles that can be deployed, but for which no performance study data exists.

Technically not feasible: server roles whose recommended configuration can't be met on Azure IaaS. However, technically you may still deploy these roles on an Azure IaaS VM.

The "technically not feasible" server roles above fall short mostly because of network configuration. As everybody knows, Lync/Skype for Business is a network-intensive application, and the network requirements for a Skype for Business deployment are a little complex. The following are the key limitations of a Skype for Business deployment on Azure IaaS:

  • Not all VM types support more than one NIC. If you don't select the right VM at the beginning, you will have to redeploy the VM to support more than one NIC.
  • Azure IaaS doesn't support multiple VNets for a single VM.
  • Quality of Service can't be configured, as you can't access the network switches deployed in the Azure datacenter.
  • Enterprise Voice can't be configured.
  • Video Integration Server configuration is difficult if you have Skype for Business infrastructure on Azure IaaS.

These capabilities may be enabled in the future, but as of now they are not available. Therefore, Microsoft doesn't recommend or support Lync/Skype for Business deployment on Azure IaaS.

#Skype4b: Key planning considerations for SfB on Azure IaaS – Part II


Part I of this blog post series covers the basics of key design considerations and typical server configuration in a traditional datacenter environment. Now, let's discuss first things first.

Create a mind map or sketch a rough design diagram of the Skype for Business deployment and collect all the information that you need to size the application.

Create a rough Bill of Material and Bill of Quantity in your mind, or note it down somewhere.

Create a list of things that you need to finish the deployment process, such as DNS and certificate requirements.

Look at end-user connectivity as well, because at the end of the day end users have to consume these services.

Now, start mapping the components of your rough design diagram to Azure IaaS components.

A traditional datacenter and Azure IaaS use the same logic but have different naming conventions. The table below shows the mapping of traditional datacenter components to Azure IaaS services/components.

| Traditional Datacenter | Azure IaaS |
| --- | --- |
| Server – Physical / Virtual Machine | Server – Virtual Machine |
| Storage – External (SAN/NAS) / Internal | Storage – Storage Account and Disks |
| Network – NIC and LAN | Network – NIC and VNet |
| Load Balancer | Load Balancer |
| Firewall | Network Security Group |
| Reverse Proxy | Reverse Proxy |
| Voice Gateway | NA |

Based on the table above it looks really simple, but in reality it is not. There are many limitations that you will find while deploying Lync/Skype for Business on Azure IaaS. For now, you should get familiar with all the terminology. The next part of this blog post will cover the limitations and describe why Microsoft does not recommend Lync/Skype for Business on Azure IaaS.