# Azure Security Center: How to Protect Your Datacenter with Next Generation Security Free Webinar by @AltaroSoftware

Hi everyone,

I want to inform you about a new webinar from Altaro. 🙂

Azure Security Center: How to Protect Your Datacenter with Next Generation Security

Free Webinar by Altaro

Security is a major concern for IT admins and if you’re responsible for important workloads hosted in Azure, you need to know your security is as tight as possible. In this free webinar, presented by Thomas Maurer, Senior Cloud Advocate on the Microsoft Azure Engineering Team, and Microsoft MVP Andy Syrewicze, you will learn how to use Azure Security Center to ensure your cloud environment is fully protected.

The webinar covers:

  • Azure Security Center introductions
  • Deployment and first steps
  • Best practices
  • Integration with other tools
  • And more!

Being an Altaro-hosted webinar, expect this webinar to be packed full of actionable information presented via live demos so you can see the theory put into practice before your eyes. Also, Altaro put a heavy emphasis on interactivity, encouraging questions from attendees and using engaging polls to get instant feedback on the session. To ensure as many people as possible have this opportunity, Altaro present the webinar live twice so pick the best time for you and don’t be afraid to ask as many questions as you like!

There are certain topics in the IT administration world which are optional, but security is not one of them. Ensuring your security knowledge is ahead of the curve is an absolute necessity and becoming increasingly important as we are all exposed to more and more online threats every day. If you are responsible for important workloads hosted in Azure, this webinar is a must.

Webinar: Azure Security Center: How to Protect Your Datacenter with Next Generation Security

Date: Tuesday, 30th July

Time: Webinar presented live twice on the day. Choose your preferred time:

  • 2pm CEST / 5am PDT / 8am EDT
  • 7pm CEST / 10am PDT / 1pm EDT

Save your seat

https://www.altaro.com/webinars/azure-security-center.php?LP=flo-webinar&C

# Introduction to Azure Bastion

Hi everyone,

you may have heard about Azure Bastion by now. With Azure Bastion you can open an HTTPS session directly from the Azure Portal and RDP/SSH into an Azure VM without assigning a public IP to the VM. So there is no need for a public IP on the VM or a VPN into the VNet.

Basically, Azure Bastion is a jump server or bastion host as a service inside an Azure virtual network.

The following video gives you a short introduction to Azure Bastion.

If you want to enable Azure Bastion in your subscription, the Azure documentation at the link below is a great resource.

https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal

Currently Bastion has a very limited feature set and is provided per VNet only. Later on the roadmap Microsoft will add more features such as multi-factor authentication and Azure AD support, as well as support for VNet peering.

# My new article with @AltaroSoftware – How to Boost Network Performance Inside China’s Great Firewall

Together with Altaro, I wrote a new article about how to improve performance for users inside China who use services and cloud services hosted outside China.

I hope you enjoy reading.

# How to download VPN Device Configurations from Azure

Hi everyone,

as you may know, configuring IPsec VPNs between Azure and the various firewall / VPN device vendors can get very tricky.

Some devices, such as those from Palo Alto, Barracuda, Fortinet or Check Point, can auto-negotiate the VPN configuration with an Azure Virtual Network Gateway, but others, such as those from Cisco or Ubiquiti Networks, need manual configuration.

Microsoft has added a very small but very useful new feature to the Azure Virtual Network Gateway service. It happened quietly, sometime in the last few weeks.

Since that update you can download the VPN configuration for some of the vendors that need manual configuration. You can then replicate or upload the configuration to your device, and it will do the rest.

Let me show you how to do it.

  • Select the connection of your Local Network Gateway / ExpressRoute Circuit to your Virtual Network Gateway
  • Afterwards, click on Download Configuration
  • Now select your vendor or the generic sample
  • Select the device
  • Select the firmware version
  • Finally, download the configuration

The result is a file with a configuration similar to this one.

! Microsoft Corporation
! ----------------------------------------------------------------------------------------------------
! Generic configuration templates
!
! IMPORTANT: This template is for Allied Telesis AR Series VPN Routers running on Firmware Version 5.4.7 or higher.
!
! This configuration template shows all the VPN configuration parameters associated with your S2S VPN connection.
! The script you need to copy onto your Allied Telesis AR Series VPN Router (5.4.7+) to setup a RouteBased IKEv2 VPN Tunnel to Azure with VTI Support (no BGP) is found below [#10]:
! ----------------------------------------------------------------------------------------------------

! [1] Resource names
! CONNECTION NAME : This field is the name of your connection resource
! VIRTUAL NETWORK GATEWAY : The name of your Azure VPN gateway resource for the connection
! LOCAL NETWORK GATEWAY : The name of your local network gateway resource for the connection
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_NAME = Demo-GW01-Demo-LW01
/Data/VNG_NAME = b3b85211-0dd1-4850-87c9-1029cc4579da
/Data/LNG_NAME = Demo-LW01
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [2] Public IP address of the Azure VPN gateway
! Active-Standby VPN gateway (single public IP address)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/VNG_GATEWAYIP = 51.144.114.218
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Active-Active VPN gateway (A/A mode if more than one public IP is listed below)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VNG_GATEWAYIPS/IpAddress/IP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [3] Public IP address of the on-premises VPN device
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_GATEWAYIP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [4] VNet address prefixes: a list of all VNet address prefixes in different formats
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 192.168.155.0
SP_NetworkSubnetMask = 255.255.255.0
SP_NetworkWildcardBits = 0.0.0.255
SP_NetworkCIDR = 192.168.155.0/24
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [5] On-premises address prefixes: a list of all on-premises address prefixes defined in LNG
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/OnPremiseSubnets/Subnet/SP_NetworkIpRange = 172.20.100.0
SP_NetworkSubnetMask = 255.255.252.0
SP_NetworkWildcardBits = 0.0.3.255
SP_NetworkCIDR = 172.20.100.0/22
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [6] Phase 1/Main Mode:
! IKE encryption algorithm
! IKE hashing algorithm
! IKE Diffie-Hellman group
! IKE SA lifetime (seconds)
! IKE SA data size (Kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IKE_ENCRYPTION_1 = aes256
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IKE_SALIFETIME_1 = 28800
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [7] Phase 2/Quick Mode:
! IPsec encryption algorithm
! IPsec hashing algorithm
! PFS Group (Perfect Forward Secrecy)
! IPsec SA (QMSA) lifetime (seconds)
! IPsec SA (QMSA) lifetime (kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IPsec_ENCRYPTION_1 = aes256
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/IPsec_SALIFETIME = 3600
/Data/IPsec_KB_SALIFETIME = 102400000
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [8] Connection pre-shared key
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_PSK = Abcd1234
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [9] BGP parameters – Azure VPN gateway
! Enable BGP
! BGP ASN for Azure VPN gateway
! BGP speaker IP address for the Azure VPN gateway
! BGP peer IP address(es)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_BGP_ENABLED = False
/Data/VNG_ASN = VNG_ASN
/Data/VNG_BGPIP = VNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [10] BGP parameters – on-premises network / LNG
! BGP ASN for the on-premises network
! BGP speaker IP address for the on-premises network
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_ASN = LNG_ASN
/Data/LNG_BGPIP = LNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! ########################################################################################################
! !!! Search for “REPLACE” to find the values that require special considerations
! ########################################################################################################
! ON-PREMISES ENVIRONMENT:
!
! – AR-Series WAN/Public Interface:
! INTERFACE: ETH1
! ZONE: VPN
! IP: VPN PUBLIC IP
! ISP Default GW: x.x.x.1
!
! – A.T ONPREMISES/LOCAL ENVIRONMENT:
! INTERFACE: VLAN1
! ZONE: PRIVATE
! On-Premises Addr Range: ON-PREMISES ADDRESS RANGE (ex. 192.168.1.0/24)
! A.T MGMT/LAN Interface: 192.168.1.254
!
! – AR-Series VPN BLADE:
! TUNNEL VTI IP: ex. 192.168.2.222/32
! TUNNEL INTERFACE: tunnel0
! ISAKMP PROFILE: AZURE-ISAKMP
! IPSEC PROFILE: AZURE-IPSEC
! ISAKMP PEER: AZURE GW PUBLIC IP
!
! AZURE VNET ENVIRONMENT:
!
! – AZURE VIRTUAL NETWORK:
! – ADDRESS RANGE: AZURE ADDRESS RANGE (ex. 10.10.0.0/16)
! – AZURE GATEWAY IP: AZURE GATEWAY PUBLIC IP

! ============================================================================================
! Example – Allied Telesis AR Series VPN Router (5.4.7+) in Active/Passive Azure GW Mode, with VTI Support (No BGP Router)
! ============================================================================================

! FOLLOW THESE STEPS TO CREATE YOUR IKEv2 TUNNEL TO AZURE:

! CREATE YOUR PRIVATE ZONE, CONTAINING YOUR ON-PREMISES/LAN NETWORK
! Note: REPLACE “vlan1” and “192.168.1.254” as needed. They are used here as examples for your LAN network and LAN Host/Management IP.

zone PRIVATE
network LAN
ip subnet 172.20.100.0/22 interface vlan1
host LAN_IP
ip address 192.168.1.254
!

! Note: REPLACE “eth1” as needed. It is used here as your WAN interface.
zone PUBLIC
network WAN
ip subnet 0.0.0.0/0 interface eth1
host WAN_IP
ip address
!

! Note: REPLACE “tunnel0” as needed. It is used here to denote your VTI tunnel interface.
zone VPN
network AZURE
ip subnet 192.168.155.0/24 interface tunnel0
!

application esp
protocol 50
!
application icmp
protocol icmp
!
application isakmp
protocol udp
sport 500
dport 500
!
! Below shows you how to enable the Web-Control Feature Function, in case you have a valid feature license key (commented out)
!web-control
! action permit
! provider digitalarts
!

! THESE ARE YOUR REQUIRED FIREWALL RULES FOR YOUR AZURE CONNECTION

firewall
rule 10 permit isakmp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 20 permit isakmp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 30 permit esp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 40 permit esp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 45 permit ping from PRIVATE to PRIVATE
rule 50 permit ping from VPN.AZURE to PRIVATE.LAN
rule 60 permit ping from PRIVATE.LAN to VPN.AZURE
rule 70 permit ping from PUBLIC.WAN to PRIVATE.LAN
rule 75 permit ping from PRIVATE to PUBLIC
rule 80 permit any from PRIVATE.LAN to VPN.AZURE
rule 90 permit any from VPN.AZURE to PRIVATE.LAN
protect
!

! NAT RULE
nat
rule 10 masq any from PRIVATE to PUBLIC
enable
!

! AZURE IPSEC PROFILE
crypto ipsec profile AZURE-IPSEC-Demo-GW01-Demo-LW01
lifetime seconds 3600
transform 1 protocol esp integrity SHA1 encryption AES256
!

! AZURE ISAKMP/IKEv2 PHASE 1 PROFILE
crypto isakmp profile AZURE-IPSEC-Demo-GW01-Demo-LW01
!
crypto isakmp profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
version 2
lifetime 28800
transform 1 integrity SHA1 encryption AES256 group 2
!

! AZURE ISAKMP PRE-SHARED KEY
crypto isakmp key 8 Abcd1234 address
!

! AZURE ISAKMP PEER (AZURE GATEWAY)
crypto isakmp peer address <-> profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
!

! MAKE SURE YOU HAVE CONFIGURED VPN WAN INTERFACE WITH A PUBLIC IP ADDRESS. BELOW IS AN EXAMPLE
! Note: REPLACE “eth1” if already used.
! Note: REPLACE subnet prefix “/24” below by the correct prefix (offered by your ISP) for your public IP block if it’s different.

interface eth1
description external wan
ip address 84.177.215.91/24

! MAKE SURE YOU HAVE CONFIGURED YOUR VPN MANAGEMENT/LAN INTERFACE, FOR YOUR ONPREMISES NETWORK. BELOW IS AN EXAMPLE
! Note: REPLACE “vlan1” if already used
! IMPORTANT:
! Ensure that the management interface for your onPremises network, that is used by your AR-Series LAN, is listed below !
! REPLACE “192.168.1.254” as needed (Azure does not have visibility over your MGMT IP).
! In this example, my management IP is 192.168.1.254, for my onPremises LAN network 192.168.1.0/24.

interface vlan1
description Internal LAN
ip address 192.168.1.254/24

! CREATE YOUR VTI INTERFACE FOR THE ROUTEBASED TUNNEL TO AZURE:
! REPLACE “Tunnel0” to something else, if already used.
! IMPORTANT: Ensure that the local network address space for your onPremises network, that is used by your AR-Series LAN interface, is listed under “tunnel local selector” !
! –> It is essential to list this one first in the Azure Portal, under your Local Network Gateway –> Configuration–>”Address Space” blade.
! –> Following this, you must also define your VTI interface next (/32), as a second entry under the same Azure blade mentioned above.
! (LNG –> Configuration–> “Address Space”)

! IMPORTANT NOTES:
! > Your VTI Interface IP below (192.168.2.222/32) is an example. REPLACE ‘192.168.2.222/32’ with a different /32 host IP, it if this range is already used by another interface.
! > As explained above, make sure that you have also added this IP to the “LOCAL NETWORK GATEWAY” object in the Azure Portal, following your actual LAN segment. When doing so, please
! add a /32 subnet mask to it, and ensure that this IP doesn’t overlap with your on-premises address range(s).

interface Tunnel10
ip address 192.168.2.222/32
ip tcp adjust-mss 1350
tunnel source
tunnel destination
tunnel local selector 1 172.20.100.0/22
tunnel remote selector 1 192.168.155.0/24
tunnel protection ipsec profile AZURE-IPSEC-PROFILE-Demo-GW01-Demo-LW01
tunnel mode ipsec ipv4
!

! CREATE YOUR STATIC ROUTES
! Note: The 0/0 route needs to have your ISP Default GW as your Next-Hop.
! REPLACE “x.x.x.1” by your assigned ISP Default GW IP.

ip route 0.0.0.0/0 x.x.x.1 eth1
ip route 192.168.155.0/24 tunnel0
!
line con 0
line vty 0 4
!
end
!--------------------------------------------------END--------------------------------------------------!
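The downloaded file is a template to review before it goes onto a device, not a finished script (note the pre-shared key in clear text and the empty peer address fields above). As an added example that is not part of the post or of Microsoft's template, here is a small Python checker for the /Data/ parameter block at the top of the file: it parses the keys and flags settings worth revisiting; the sample input is constructed from the values shown above, and the thresholds are my own assumptions rather than a vendor or Azure recommendation.

```python
# Constructed sample in the shape of the /Data/ block the portal generates;
# the values are taken from the post's example output, trimmed to a few keys.
SAMPLE = """\
! [3] Public IP address of the on-premises VPN device
/Data/LNG_GATEWAYIP =
/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 192.168.155.0
SP_NetworkCIDR = 192.168.155.0/24
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/CONNECTION_PSK = Abcd1234
"""

def parse_template(text):
    """Parse '/Data/KEY = value' lines into a dict. Lines without the /Data/
    prefix continue the preceding subnet block and are keyed under it."""
    params, block = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("/Data/"):
            key = key[len("/Data/"):]
            block = key.rsplit("/", 1)[0] if "/" in key else ""
        elif block:
            key = block + "/" + key
        params[key] = value
    return params

def review(params):
    """Flag values to revisit before the script goes onto the device. The
    thresholds are this example's assumptions, not Azure's or the vendor's."""
    findings = []
    for key in ("IKE_INTEGRITY_1", "IPsec_INTEGRITY_1"):
        if params.get(key, "").lower() in {"md5", "sha1"}:
            findings.append(f"{key}={params[key]}: legacy hash, prefer SHA-256 or stronger")
    if params.get("IKE_DHGROUP_1") in {"1", "2", "5"}:
        findings.append(f"IKE_DHGROUP_1={params['IKE_DHGROUP_1']}: small DH group, prefer 14 or ECP")
    if params.get("IPsec_PFSGROUP_1", "None").lower() == "none":
        findings.append("IPsec_PFSGROUP_1=None: phase 2 runs without perfect forward secrecy")
    if len(params.get("CONNECTION_PSK", "")) < 16:
        findings.append("CONNECTION_PSK is short: rotate to a long random key before use")
    if not params.get("LNG_GATEWAYIP"):
        findings.append("LNG_GATEWAYIP is empty: set the on-premises public IP on the LNG first")
    return findings

if __name__ == "__main__":
    for finding in review(parse_template(SAMPLE)):
        print(finding)
```

Because the file carries the connection's pre-shared key, store and share it like any other secret rather than as a plain attachment.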

I hope the post was helpful and if you have any questions, don’t hesitate to ask.

Cheers,
Flo

# My current publications with Packt / @PacktPub

Hi everyone,

I have now been writing for Packt for nearly 3 years. In these years I published three books, and two of my books were used to build courses.


Book #1 – Implementing Azure Solutions

Book #2 – Implementing Azure Solutions – Second Edition

Book #3 – Multi-Cloud for Architects

Course #1 – Implementing Azure: Putting Modern DevOps to Use

Course #2 – Deployment of Microsoft Azure Solutions

Here you can find the books: https://search.packtpub.com/?query=klaffenbach&refinementList%5Breleased%5D%5B0%5D=Available

I hope you enjoy reading. If you want to buy a larger number of books, you can reach out to me for some discount options besides Packt’s own offering. 🙂

Cheers,

Flo