Tag Archives: Azure

Speaking with Thomas Naunheim at GermanyClouds Meetup about Azure Governance Best Practices

In the past Thomas Naunheim and I do a lot of architecture and designing prinicple for integrating Azure in company environments. We have the idea to create a Azure Governance Best Practices session in the last couple of months to give the community our insights and best practices for Starting/Integrating Azure environments. The goal is to give you insights, where you can find the best documentations to start with a Cloud journey and which technical Azure features help to bring and hold your environment in an compliant and secure state.

The session contains the following topics:

  • Cloud Adoption Framework
  • Well-architecture Framework
  • Insights about Azure Policies and Azure Security Center
  • Azure Enterprise Scale architecture
  • Azure Ops
  • Identity and Access Management

We are exited to hold the session at the GermanyClouds Meetup on november 26. Did you interested in this topics or you are in the beginning or implementig phase, join us. We will happy to see you there and get your questions.

The session will not been recorded.

Azure Bastion now supports VNET Peering

Azure Bastion is a service to avoid deployment own Jumphosts and reach Azure VMs over the Management Ports (SSH and RDP) in a secure way without the need to assign Public IPs directly to Azure VMs.

Azure Bastion got a really big improvement and now supports Azure VNET Peering. This includes all VNET peering models, inside a single subscription and VNET peering across different subscriptions.

Continue reading Azure Bastion now supports VNET Peering

Zu Gast beim Geeksprech Podcast zu Azure Files

Am vergangenen Freitag hatte ich das Vergnügen zu Gast beim Geeksprech Podcast von meinen Community Freunden Eric Berg und Alexander Benoit zu sein.

In der Folge gehen wir auf die vielfältigen Themen zu Azure Files ein. Dazu gehören natürlich u.a. die neuen Tiering Modelle, wie ich Azure Fileshares bereitstelle, welche Vorteile Azure File Sync mir bietet und wie ich vorhandene Fileserver nach Azure migriere und dort weiterhin die vorhandenen Windows ACLs nutzen kann. Sharepoint kam übrigens auch mehrfach zur Sprache – ich kann mich einfach nicht davon trennen 🙂

Es war mein erster Podcast und ich muss sagen, es war eine tolle Erfahrung und ich hatte viel Spaß mit Eric zu den verschiedenen Themen rund um Azure Files.

Wer reinhören mag findet unten die Folge. Weitere Spannende Folgen und viele Infos findet ihr direkt auf der Geeksprech Podcast Website.

Azure Files Improvements – new Tiers and Soft Delete

In the last couple of Months Microsoft brings a lot of new capabilites to Azure Files. From AD DS SMB autentication over new Tiers to Soft delete, there are many improvments for Azure Files. This article will introduce the latest announcement you need to know and which workloads are addressed with the new features.

Until now, Azure Files were divided into two Tiers – Standard and Premium. At the Ignite 2019, Microsoft announced additional Tiers in order to cover requirements more optimally. However, the integration of the new Tiers was delayed due to the challenges this year. These have been available for a few weeks now. Azure Files offers 4 different Tiers with different performance capabilities and pricing now. This Tiers are called:

  • Premium
  • Transaction optimized (formerly known as Standard)
  • Hot
  • Cool
Continue reading Azure Files Improvements – new Tiers and Soft Delete

Azure VPN AAD P2S Error Server did not respond properly to vpn control packets resolved

In the last few days I have created some Azure Landingzones. To secure access to Azure resources within the landing zone with different users, customers use a P2S connection through the Azure VPN Gateway using Azure AD for authentication.

Sometimes I see some mistakes in the Azure VPN Point-to-site configuration blade that results in the Error: “Server did not respond properly to vpn control packets” when trying to connect to the VPN Gateway over the Azure VPN Client.

These error messages are often due to incorrect settings in the basic settings. To resolve this issue it is really important to configure the three points: Tenant & Audience & Issuer correctly.

Please pay close attention to the following settings:

  • The Tenant field must be specified in the following notation “https://login.microsoftonline.com/your-Azuread-Tenant-ID-here/” at the end do not miss the backslash /
  • Audience field must be only contains the Enterprise Application ID of the Azure VPN client (this is the same for all Tenants) “41b23e61-6c1e-4545-b367-cd054e0ed4b4” without any other characters or spaces
  • The Issuer field must be specified in the following notation “https://sts.windows.net/your-Azuread-Tenant-ID-here/” at the end do not miss the backslash /

Please be aware of the difference between the Tenant- (begins with https://login….) and Issuer field (begins with https://sts.win…).

Please contact me if you have any questions or if you find further errors and solutions 🙂

Links

IdentitySummit 2020 is over – Thank you

Our 1st IdentitySummit is over and we had a amazing Summit with our powerfull Speakers and our attendees.

We (Azure Bonn Orga Team) started planning the Summit in March 2020. The Orga Team from the AzureBonn Meetup consists of Melanie Eibl, Thomas Naunheim and René de la Motte. The idea came from Thomas (our Identity Expert) and we can say that was a wonderful idea.

We meet together at the Debeka Innovation Center (DICE) in Koblenz to organize and streaming all the sessions from one central place. The current Corona situation has unfortunately not made a complete live event possible, so we have met under the rules in force to ensure a smooth process and bring a little live feeling.

Now after 6 session in 2 parallel Tracks we can say it was worth every minute of planning – Why?

The answer is simple: First of all because of our great speakers. Each session was planned with a minimum of 300, and each session went deep into the relevant topics, showing what needs to be considered, the pitfalls and best practices available.

Continue reading IdentitySummit 2020 is over – Thank you

My favorite Azure Announcements from the Microsoft Ignite 2020

The Microsoft Ignite 2020 has moved to a free, virtual conference with a lots of online sessions about the Microsoft Product world like Azure, Microsoft 365 and more. As every year Microsoft announced new services and new features for existing services. In this blog post I will report about my highlights of the last 48 hours of Microsoft Ignite.

First of all, I’m a little sad because this was to be my first Microsoft Ignite I was able to attend in person. However, I’m glad that Microsoft offers this conference as a virtual version and gives us the opportunity to participate for free and get in contact with the product owners.

Satya Nadella opened the MS Ignite with his Keynote about Challenging Times, Producivity and Modern Work and how Microsoft services can help in every section with different services.

My focus area is Azure, you know it 🙂 And there were a lot of new announcements before and during the Ignite.

This article will be updated after the MS Ignite ends.

Continue reading My favorite Azure Announcements from the Microsoft Ignite 2020

I am pleased to support the MS Ignite as an ATE (Ask The Experts)

Short note, I am pleased to announce that I support some Microsoft Ignite sessions as an ATE (Ask the Experts). Which this means? I support the Product Team in the Live sessions with answer additional questions. There are many possibilities to get in touch with the Microsoft Product owner of each service, so view the Session scheduler and join relevant sessions to ask the Product owner about services, features, possibilities and more.

I will support the following sessions:

Ask the Expert: disk storage, core compute and networking on Tuesday

Septemper 22 | 9:15 PM – 9:45 PM CEST

Ask the Expert: Be prepared for what´s next: kick start your cloud journey with Azure Migrate Program

September 23 | 10:45 PM – 11:15 PM CEST

My upcoming Community engagements in 2nd half of 2020

These times are challenging and I hope everyone is safe and healthy. Normally we have a lot of in person community conference, but actually we move a lot of this community meetings to online meetings. The good thing is we have more time for our family and need lees time for driving and so on.

In the 2nd half of 2020 I have the honor to speak at the following events:

Azure Bonn Meetup

Our Azure Bonn Meetup is also running as an virtual event and we have planned some exiting topics:

Are you interested in holding a session at our Azure Bonn Meetup – that sounds great. Please use the Microsoft form to let us know about you and your session and we look forward to welcoming you. Session language can be German or English 🙂

Virtual Cloud Identity Summit 2020

And finally the virtual Cloud Identity Summit 2020. This is our first event and we will focus only on Cloud Identity topics. This idea came up from Thomas Naunheim and we are really happy to realize this conference. The first speakers with great topics are announced and there coming more. Did you interested in how to secure your Cloud Identitys – this conference is a must see.

Howto Setup and Monitor the Break Glass Account in your Tenant

In the past I do a lot of Azure Governance workshop and one interesting topic is how to handle the Break Glass Account. Before we going deeper, first we take a look was is the Break Glass Account. For each Administrator role in Azure or Office365 is it best practice to use MFA to secure the account and get a better security for the Tenant. To realize this, normally we use Conditional Access and create a rule, that every Admin require MFA for login. But what can we do, when:

  • the MFA service is down
  • we create a Conditinal Access that with a wrong rule set and lost sign-in access
  • we do not regulary update our control list and the admin account goes lost

For this cases we need a Break glass account, an additional account with a high security password, to enter the Tenant in an emergeny case. For this account, there are some recommendations:

  • only use a generic account
  • create a complex password with more than 16 characters
  • up to 256 characters possible – the limit of 16 character is removed
  • for compliance reason divide the password into two parts
  • save each part in a different location
  • create a security group that contains the break glass accounts
  • create two break glass accounts with no standard username like breakglass@ or emergency
  • use the Tenant name for the account
  • do not use a custom domain name
  • in futher it will be possible to use FIDO2 security key for break glass (right now is in preview and not recommended for such critical scenario)

Now we can discuss in some ways a security gap – a service account with Global admin rights that do not require MFA for login. Now you see, why it is so important to monitor this accounts and get notified when they will be used for login.

Continue reading Howto Setup and Monitor the Break Glass Account in your Tenant