What happens when a certification junkie lives too near to a test center? – Certification Overload!

Hi everyone,

For the last 10 months I have been living within about 20 minutes' walking distance of a Microsoft test center.

As a result, I take an exam every time my calendar allows it. Currently I'm going for one exam per month, mostly without any preparation.

I only want to test the knowledge I have gained through my job and personal interest.

As a result, I ended up with the following certifications in the last 12 months.

  • Microsoft Certified: Azure Security Engineer Associate
  • Microsoft Certified Solutions Expert: Core Infrastructure
    • Implementing a Software-Defined Datacenter
  • Microsoft Certified: Azure Fundamentals
  • Microsoft Certified: Azure Solutions Architect Expert
  • Microsoft Certified: Azure Administrator Associate
  • Microsoft Certified Solutions Associate: Cloud Platform
    • Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack
  • Microsoft Certified Solutions Expert: Cloud Platform and Infrastructure

Next up will be the new Modern Workplace certifications and maybe the Microsoft DevOps certifications. 🙂

Currently I'm saving some money for the Certified Ethical Hacker certification. 🙂 Donations are welcome :p

If you have any questions regarding the exams, just drop me a comment or an email.

Cheers,
Flo

Storage Spaces Direct Series Part 2 & 3 via Altaro Blog

Hi everyone,

I want to inform you about my two new blog posts about Storage Spaces Direct that I wrote for Altaro.

In the second post I write about the technologies behind S2D.

You can find the post by following the link below.

In the third post you will learn the following things:

  • Where Did S2D Come From?
  • Converged vs. Hyper-Converged Infrastructure
  • How to License Storage Spaces Direct

You can find the post by following the link below.

You can post feedback and questions in the comment sections of the Altaro blogs. 🙂

Cheers,

Flo

How to download VPN Device Configurations from Azure

Hi everyone,

As you may know, configuring IPsec VPNs between Azure and firewall / VPN devices from different vendors can become very tricky.

Some devices, for example from Palo Alto, Barracuda, Fortinet or Check Point, are able to auto-negotiate the VPN configuration with an Azure Virtual Network Gateway, but there are others, for example from Cisco or Ubiquiti Networks, that are not.

Microsoft has added a very small but amazing new feature to the Azure Virtual Network Gateway service. It happened very silently sometime in the last few weeks.

Since that update you can download the VPN configuration for some of the vendors whose devices need manual configuration. You can easily replicate or upload the configuration to your device, and it will do the rest.

Let me show you how to do it.

Select the connection from your Local Network Gateway / ExpressRoute circuit to your Virtual Network Gateway.

Afterwards, click on Download Configuration.

Now select your vendor or the generic sample.

Select the device.

Select the firmware version.

And finally, download the configuration.

The outcome will be a file with a configuration similar to this one.

! Microsoft Corporation
! --------------------------------------------------------------------------------------------------
! Generic configuration templates
!
! IMPORTANT: This template is for Allied Telesis AR Series VPN Routers running on Firmware Version 5.4.7 or higher.
!
! This configuration template shows all the VPN configuration parameters associated with your S2S VPN connection.
! The script you need to copy onto your Allied Telesis AR Series VPN Router (5.4.7+) to setup a RouteBased IKEv2 VPN Tunnel to Azure with VTI Support (no BGP) is found below [#10]:
! --------------------------------------------------------------------------------------------------

! [1] Resource names
! CONNECTION NAME : This field is the name of your connection resource
! VIRTUAL NETWORK GATEWAY : The name of your Azure VPN gateway resource for the connection
! LOCAL NETWORK GATEWAY : The name of your local network gateway resource for the connection
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_NAME = Demo-GW01-Demo-LW01
/Data/VNG_NAME = b3b85211-0dd1-4850-87c9-1029cc4579da
/Data/LNG_NAME = Demo-LW01
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [2] Public IP address of the Azure VPN gateway
! Active-Standby VPN gateway (single public IP address)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/VNG_GATEWAYIP = 51.144.114.218
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Active-Active VPN gateway (A/A mode if more than one public IP is listed below)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VNG_GATEWAYIPS/IpAddress/IP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [3] Public IP address of the on-premises VPN device
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_GATEWAYIP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [4] VNet address prefixes: a list of all VNet address prefixes in different formats
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 192.168.155.0
SP_NetworkSubnetMask = 255.255.255.0
SP_NetworkWildcardBits = 0.0.0.255
SP_NetworkCIDR = 192.168.155.0/24
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [5] On-premises address prefixes: a list of all on-premises address prefixes defined in LNG
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/OnPremiseSubnets/Subnet/SP_NetworkIpRange = 172.20.100.0
SP_NetworkSubnetMask = 255.255.252.0
SP_NetworkWildcardBits = 0.0.3.255
SP_NetworkCIDR = 172.20.100.0/22
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [6] Phase 1/Main Mode:
! IKE encryption algorithm
! IKE hashing algorithm
! IKE Diffie-Hellman group
! IKE SA lifetime (seconds)
! IKE SA data size (Kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IKE_ENCRYPTION_1 = aes256
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IKE_SALIFETIME_1 = 28800
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [7] Phase 2/Quick Mode:
! IPsec encryption algorithm
! IPsec hashing algorithm
! PFS Group (Perfect Forward Secrecy)
! IPsec SA (QMSA) lifetime (seconds)
! IPsec SA (QMSA) lifetime (kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IPsec_ENCRYPTION_1 = aes256
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/IPsec_SALIFETIME = 3600
/Data/IPsec_KB_SALIFETIME = 102400000
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [8] Connection pre-shared key
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_PSK = Abcd1234
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [9] BGP parameters – Azure VPN gateway
! Enable BGP
! BGP ASN for Azure VPN gateway
! BGP speaker IP address for the Azure VPN gateway
! BGP peer IP address(es)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_BGP_ENABLED = False
/Data/VNG_ASN = VNG_ASN
/Data/VNG_BGPIP = VNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [10] BGP parameters – on-premises network / LNG
! BGP ASN for the on-premises network
! BGP speaker IP address for the on-premises network
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_ASN = LNG_ASN
/Data/LNG_BGPIP = LNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! ########################################################################################################
! !!! Search for “REPLACE” to find the values that require special considerations
! ########################################################################################################
! ON-PREMISES ENVIRONMENT:
!
! – AR-Series WAN/Public Interface:
! INTERFACE: ETH1
! ZONE: VPN
! IP: VPN PUBLIC IP
! ISP Default GW: x.x.x.1
!
! – A.T ONPREMISES/LOCAL ENVIRONMENT:
! INTERFACE: VLAN1
! ZONE: PRIVATE
! On-Premises Addr Range: ON-PREMISES ADDRESS RANGE (ex. 192.168.1.0/24)
! A.T MGMT/LAN Interface: 192.168.1.254
!
! – AR-Series VPN BLADE:
! TUNNEL VTI IP: ex. 192.168.2.222/32
! TUNNEL INTERFACE: tunnel0
! ISAKMP PROFILE: AZURE-ISAKMP
! IPSEC PROFILE: AZURE-IPSEC
! ISAKMP PEER: AZURE GW PUBLIC IP
!
! AZURE VNET ENVIRONMENT:
!
! – AZURE VIRTUAL NETWORK:
! – ADDRESS RANGE: AZURE ADDRESS RANGE (ex. 10.10.0.0/16)
! – AZURE GATEWAY IP: AZURE GATEWAY PUBLIC IP

! ============================================================================================
! Example – Allied Telesis AR Series VPN Router (5.4.7+) in Active/Passive Azure GW Mode, with VTI Support (No BGP Router)
! ============================================================================================

! FOLLOW THESE STEPS TO CREATE YOUR IKEv2 TUNNEL TO AZURE:

! CREATE YOUR PRIVATE ZONE, CONTAINING YOUR ON-PREMISES/LAN NETWORK
! Note: REPLACE “vlan1” and “192.168.1.254” as needed. They are used here as examples for your LAN network and LAN Host/Management IP.

zone PRIVATE
network LAN
ip subnet 172.20.100.0/22 interface vlan1
host LAN_IP
ip address 192.168.1.254
!

! Note: REPLACE “eth1” as needed. It is used here as your WAN interface.
zone PUBLIC
network WAN
ip subnet 0.0.0.0/0 interface eth1
host WAN_IP
ip address
!

! Note: REPLACE “tunnel0” as needed. It is used here to denote your VTI tunnel interface.
zone VPN
network AZURE
ip subnet 192.168.155.0/24 interface tunnel0
!

application esp
protocol 50
!
application icmp
protocol icmp
!
application isakmp
protocol udp
sport 500
dport 500
!
! Below shows you how to enable the Web-Control Feature Function, in case you have a valid feature license key (commented out)
!web-control
! action permit
! provider digitalarts
!

! THESE ARE YOUR REQUIRED FIREWALL RULES FOR YOUR AZURE CONNECTION

firewall
rule 10 permit isakmp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 20 permit isakmp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 30 permit esp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 40 permit esp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 45 permit ping from PRIVATE to PRIVATE
rule 50 permit ping from VPN.AZURE to PRIVATE.LAN
rule 60 permit ping from PRIVATE.LAN to VPN.AZURE
rule 70 permit ping from PUBLIC.WAN to PRIVATE.LAN
rule 75 permit ping from PRIVATE to PUBLIC
rule 80 permit any from PRIVATE.LAN to VPN.AZURE
rule 90 permit any from VPN.AZURE to PRIVATE.LAN
protect
!

! NAT RULE
nat
rule 10 masq any from PRIVATE to PUBLIC
enable
!

! AZURE IPSEC PROFILE
crypto ipsec profile AZURE-IPSEC-Demo-GW01-Demo-LW01
lifetime seconds 3600
transform 1 protocol esp integrity SHA1 encryption AES256
!

! AZURE ISAKMP/IKEv2 PHASE 1 PROFILE
crypto isakmp profile AZURE-IPSEC-Demo-GW01-Demo-LW01
!
crypto isakmp profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
version 2
lifetime 28800
transform 1 integrity SHA1 encryption AES256 group 2
!

! AZURE ISAKMP PRE-SHARED KEY
crypto isakmp key 8 Abcd1234 address
!

! AZURE ISAKMP PEER (AZURE GATEWAY)
crypto isakmp peer address <-> profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
!

! MAKE SURE YOU HAVE CONFIGURED VPN WAN INTERFACE WITH A PUBLIC IP ADDRESS. BELOW IS AN EXAMPLE
! Note: REPLACE “eth1” if already used.
! Note: REPLACE subnet prefix “/24” below by the correct prefix (offered by your ISP) for your public IP block if it’s different.

interface eth1
description external wan
ip address 84.177.215.91/24

! MAKE SURE YOU HAVE CONFIGURED YOUR VPN MANAGEMENT/LAN INTERFACE, FOR YOUR ONPREMISES NETWORK. BELOW IS AN EXAMPLE
! Note: REPLACE “vlan1” if already used
! IMPORTANT:
! Ensure that the management interface for your onPremises network, that is used by your AR-Series LAN, is listed below !
! REPLACE “192.168.1.254” as needed (Azure does not have visibility over your MGMT IP).
! In this example, my management IP is 192.168.1.254, for my onPremises LAN network 192.168.1.0/24.

interface vlan1
description Internal LAN
ip address 192.168.1.254/24

! CREATE YOUR VTI INTERFACE FOR THE ROUTEBASED TUNNEL TO AZURE:
! REPLACE “Tunnel0” to something else, if already used.
! IMPORTANT: Ensure that the local network address space for your onPremises network, that is used by your AR-Series LAN interface, is listed under “tunnel local selector” !
! --> It is essential to list this one first in the Azure Portal, under your Local Network Gateway --> Configuration --> “Address Space” blade.
! --> Following this, you must also define your VTI interface next (/32), as a second entry under the same Azure blade mentioned above.
! (LNG --> Configuration --> “Address Space”)

! IMPORTANT NOTES:
! > Your VTI Interface IP below (192.168.2.222/32) is an example. REPLACE ‘192.168.2.222/32’ with a different /32 host IP if this range is already used by another interface.
! > As explained above, make sure that you have also added this IP to the “LOCAL NETWORK GATEWAY” object in the Azure Portal, following your actual LAN segment. When doing so, please
! add a /32 subnet mask to it, and ensure that this IP doesn’t overlap with your on-premises address range(s).

! Note: the interface name and the IPsec profile name below are aligned with the ones defined earlier in this template
! (zone VPN and the static route reference tunnel0; the IPsec profile created above is AZURE-IPSEC-Demo-GW01-Demo-LW01).
interface tunnel0
ip address 192.168.2.222/32
ip tcp adjust-mss 1350
tunnel source
tunnel destination
tunnel local selector 1 172.20.100.0/22
tunnel remote selector 1 192.168.155.0/24
tunnel protection ipsec profile AZURE-IPSEC-Demo-GW01-Demo-LW01
tunnel mode ipsec ipv4
!

! CREATE YOUR STATIC ROUTES
! Note: The 0/0 route needs to have your ISP Default GW as your Next-Hop.
! REPLACE “x.x.x.1” by your assigned ISP Default GW IP.

ip route 0.0.0.0/0 x.x.x.1 eth1
ip route 192.168.155.0/24 tunnel0
!
line con 0
line vty 0 4
!
end
!--------------------------------------------------END--------------------------------------------------!
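The /Data/ key-value block at the top of the downloaded template is what to review before the script goes onto a device: the sample above carries SHA1 integrity, DH group 2, no PFS, an eight-character pre-shared key and blank placeholders for the on-premises values. The following Python checker is an added example, not part of Microsoft's download feature; it parses that block (the sample input is constructed in the shape of the template above) and flags those values.

```python
import re

# Constructed sample in the shape of the template's /Data/ block
# (values mirror the sample shown above; not a real deployment).
SAMPLE_TEMPLATE = """\
! [6] Phase 1/Main Mode:
/Data/LNG_GATEWAYIP =
/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 192.168.155.0
SP_NetworkCIDR = 192.168.155.0/24
/Data/IKE_ENCRYPTION_1 = aes256
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IPsec_ENCRYPTION_1 = aes256
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/CONNECTION_PSK = Abcd1234
"""

DATA_LINE = re.compile(r"^/Data/(\S+)\s*=\s*(.*)$")

def parse_template(text):
    """Return {key: value} for each '/Data/KEY = value' line. '!' comments
    and the 'SP_*' continuation lines (no '/Data/' prefix) are skipped."""
    params = {}
    for line in text.splitlines():
        m = DATA_LINE.match(line.strip())
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def review_policy(params):
    """Return findings for blank placeholders and weak IKE/IPsec settings;
    an empty list means nothing was flagged."""
    findings = []
    for key, value in params.items():
        if value == "":
            findings.append(f"{key} is blank: fill in before loading the script")
    for key in ("IKE_INTEGRITY_1", "IPsec_INTEGRITY_1"):
        if params.get(key, "").lower() in ("md5", "sha1"):
            findings.append(f"{key}={params[key]}: prefer SHA-256 or stronger")
    if params.get("IKE_DHGROUP_1") in ("1", "2", "5"):
        findings.append(f"IKE_DHGROUP_1={params['IKE_DHGROUP_1']}: use group 14 or higher")
    if params.get("IPsec_PFSGROUP_1", "None").lower() == "none":
        findings.append("IPsec_PFSGROUP_1=None: enable PFS for the IPsec SA")
    if len(params.get("CONNECTION_PSK", "")) < 20:
        findings.append("CONNECTION_PSK is short: generate a long random key")
    return findings
```

Run `review_policy(parse_template(open("template.txt").read()))` against a downloaded file to get the list of findings for that connection.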

I hope the post was helpful and if you have any questions, don’t hesitate to ask.

Cheers,
Flo

My current publishings with Packt /@PacktPub

Hi everyone,

I have now been writing for Packt for nearly 3 years. In that time I have published three books, and two of them were used to build courses.


Book #1 – Implementing Azure Solutions

Book #2 – Implementing Azure Solutions – Second Edition

Book #3 – Multi-Cloud for Architects

Course #1 – Implementing Azure: Putting Modern DevOps to Use

Course #2 – Deployment of Microsoft Azure Solutions

Here you can find the books: https://search.packtpub.com/?query=klaffenbach&refinementList%5Breleased%5D%5B0%5D=Available

I hope you enjoy reading. If you want to buy a larger number of books, you can reach out to me for some discount options besides Packt's own offers. 🙂

Cheers,

Flo

@AltaroSoftware Webcast with @workinghardinit & @thomasmaurer – Journey to The Cloud: Masterclass on Cloud Migration

Hi everyone,

On behalf of Altaro, I would like to invite you to a free webinar with three leading-edge speakers on the Microsoft Software-Defined Datacenter.

The transition to adopting cloud services is unique for every organization. What does yours look like?

Join Microsoft MVPs Andy Syrewicze (Technical Evangelist – Altaro), Didier Van Hoye (Infrastructure Architect – FGIA), and Thomas Maurer (Cloud Architect – itnetX) for a crash course on the possibilities of cloud technologies coming out of Microsoft including:

  • Windows Server 2019 and the Software-Defined Datacenter
  • New Management Experiences for Infrastructure with Windows Admin Center
  • Hosting an Enterprise Grade Cloud in your datacenter with Azure Stack
  • Taking your first steps into the public cloud with Azure IaaS

After watching the experts discuss the details, you’ll see that the cloud doesn’t have to be an all or nothing discussion. This webinar will prepare you for your journey by revealing the available options and how to make the most out of them!

Wednesday June 13th 2018 –

Presented live twice on the day – Registration

  • Session 1: 2pm CEST – 5am PDT – 8am EDT
  • Session 2: 6pm CEST – 9am PDT – 12pm EDT