Azure Policy to Restrict Storage Account Firewall Rules

Back in the Jan 2018, I posted a custom Azure Policy definition that restricts the creation of public-facing storage account – in another word, if the storage account you are creating is not attached to a virtual network Service Endpoint, the policy engine will block the creation of this storage account. You can find the original post here: https://blog.tyang.org/2018/01/08/restricting-public-facing-azure-storage-accounts-using-azure-resource-policy/. When a storage account is connected to a Service Endpoint, you can also white-list one or more IP address ranges to allow them accessing the storage account from the outside of your Azure virtual network (i.e. the Internet). Therefore, in order

Continue reading

My Views on the Native Source Control Option in Azure Automation

Few weeks ago, I saw a two separate discussions in different closed community channels regarding to the Source Control option in Azure Automation accounts, more specifically – when will the support for VSTS become available. In the Azure Portal, it has been showing “coming soon”. According to Wikipedia, “Visual Studio Online” has been renamed to Visual Studio Team Services (VSTS) in November 2015: On 13 November 2013, Microsoft announced the release of a software as a service offering of Visual Studio on Microsoft Azure platform; at the time, Microsoft called it Visual Studio Online. Previously announced as Team Foundation Services,

Continue reading

Pester Test Your ARM Template in Azure DevOps CI Pipelines

Introduction It is fair to say, I have spent a lot of time on Pester lately. I just finished up a 12 months engagement with a financial institute here in Melbourne. During this engagement, everyone in the project team had to write tests for any patterns / pipelines they are developing. I once even wrote a standalone pipeline only to perform Pester tests. One of the scenario we had to cater for is: How can you ensure the ARM template you are deploying only deploys the resources that you intended to deploy? In another word, if someone has gone rogue

Continue reading

Enforcing Code Signing for Azure Automation Runbooks on Hybrid Workers

Towards the end of last year, in order to solve a specific issue, we were planning to introduce Azure Automation Hybrid Workers to the customer I was working for back then. We planned to place the Hybrid Workers inside the on-prem network and execute several runbooks that required to run on-prem. The security team had some concerns – what if the Automation Accounts or Azure subscriptions get compromised? Then the bad guys can run malicious runbooks targeting on-prem machines. long story short, in the end, we managed to get the Hybrid Worker pattern approved and implemented because we can configure

Continue reading

Azure Policy–Restrict NICs From Connecting to Particular Subnets

I wrote this policy definition for a customer few weeks ago – to restrict VMs from connecting to particular subnets. The customer has several subnets that should not be used by VMs, i.e. dedicated subnet for Azure ADDS (which is not associated to any NSGs), or subnets that are using different NSGs, which normal users should not be using. Since the intension is not restricting users from using the entire VNet, but only particular subnets, we could not apply such restrictions using custom role definitions. Here’s the policy definition:

It is also located in my GitHub repo: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/restrict-vm-nic-from-connecting-to-subnet. From

Continue reading

Azure Policy Definition – Restricting Public IP for NIC

It has been a while since my last blog post. There were a lot going on outside of work, I couldn’t find time to write, and my blog to-do list is getting longer. Finally things are settled down a little bit. I will try to tackle my list in the coming days. To get started, I will target the easiest ones first. Few weeks ago, I had to write several custom Azure Policy definitions for a customer. One of them is to restrict Public IPs being provisioned for VMs in particular resource groups. I found a similar definition from the

Continue reading

PowerShell Script to Deploy Subscription Level ARM Templates

Introduction In my previous post, I demonstrated how to deploy Azure Policy definitions that require input parameters via ARM templates. as I mentioned in that post, at the time of writing, the tooling has not been updated to allow subscription level ARM template deployments. The only possible way to deploy such template right now is via the ARM REST API. I have a requirement to deploy subscription level templates in VSTS pipelines. since I can’t use the native AzureRM PowerShell module or the Azure Resource Group Deployment VSTS task, I had to create a PowerShell script that can be used

Continue reading

Using ARM Templates to Deploying Azure Policy Definitions That Requires Input Parameters

Recently, Kristian Nese from Microsoft published a sample subscription level ARM template that deploys Azure Policy definition and assignment on his GitHub repo. For me, this is good timing since I was just about to start a piece of work designing a collection of custom policy definitions. My end goal is deploying the custom definitions and assignments to multiple environment using VSTS CI/CD pipelines. After spending few days on this task, I finally got it working. During this process, I faced several challenges: At the time of writing, AzureRM PowerShell module and VSTS ARM deployment task has not been updated

Continue reading

Managing Azure VM Hybrid Use Benefit Configuration Using Azure Policy

The Azure Policy is a great tool to manage your standards and policies within your Azure subscriptions. In addition to the built-in policies from the Azure Portal, the product team also provides a public GitHub repository to share custom policy definitions to the community. At the time of writing this post, there are already 2 policy definitions in this GitHub repo for managing the Hybrid Use Benefit (BYO license) for Windows VMs: Enforce Hybrid Use Benefit: https://github.com/Azure/azure-policy/tree/master/samples/Compute/enforce-hybrid-use-benefit Deny Hybrid Use Benefit: https://github.com/Azure/azure-policy/tree/master/samples/Compute/deny-hybrid-use-benefit These 2 policy definitions are maturely exclusive. If you apply the Enforce policy, you will not be able

Continue reading

Creating Azure Monitor Alerts using Azure Log Analytics Query Language Based On Azure Automation Runbook Job Output

Well, this post has such a long title – but I’ve tried my best. It is based on an idea I had – We all have many “Health Check” PowerShell scripts in our collections, why not use them in OMS without too much modification and generate meaningful alerts based on the outputs of these scripts? I have been meaning to write this post for at least 4 months, I finally found some spare time this weekend so I can work on this. In the past, when I was still working on System Center Operations Manager, I always get requests from

Continue reading
%d bloggers like this: