Tags: Quick Post

Azure Automanage Preview

Hello! In this post I’ll be giving an overview of the Azure Automanage Preview – and showing how it can be used to simplify management, apply best practice, and automate the configuration of Virtual Machines in a few quick steps.

What is Azure Automanage?

Azure Automanage is a service that removes the need to “discover, know how to onboard, and how to configure certain services in Azure that would benefit your virtual machine.” (Microsoft Docs – https://docs.microsoft.com/en-gb/azure/automanage/automanage-virtual-machines)

Essentially – it allows you to automate the configuration of your Azure VM as per best practice within the Microsoft Cloud Adoption Framework. This includes monitoring and backup, and Automanage also monitors the drift of your VM away from best practice – and can automatically bring it back into the required state.

The key here is simplicity – the experience is simple and easy to use.

Prerequisites

  • Only Windows Server VMs are supported
  • VMs must be running
  • VMs must be in a Supported Region – currently (28/09/2020) this is West Europe, East US, West US 2, Canada Central, and West Central US.
  • The User must have the correct permissions (to configure Automanage from scratch you will need Owner or Contributor, along with User Access Administrator)
  • VMs must not link to a Log Analytics Workspace in a different Subscription
Note: this is a preview service – so these are likely to change!
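The prerequisites above are easy to miss on a large estate, so here is a small pre-flight check that runs a VM inventory against them. This is an added example, not code from the post or from Microsoft; the inventory records are constructed, and the field names loosely follow the JSON from `az vm list --show-details` but that mapping is an assumption. The permissions prerequisite applies to the operator rather than the VM, so it is not checked here.

```python
"""Pre-flight check of an Azure VM inventory against the Automanage preview
prerequisites. Records are constructed; field names are an assumed mapping
from the `az vm list --show-details` JSON shape."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Supported regions as listed in the post on 28/09/2020 (preview; subject to change).
SUPPORTED_REGIONS = {"westeurope", "eastus", "westus2", "canadacentral", "westcentralus"}


@dataclass
class Vm:
    name: str
    location: str                      # Azure region short name, e.g. "eastus"
    os_type: str                       # "Windows" or "Linux" (osDisk.osType)
    power_state: str                   # e.g. "VM running", "VM deallocated"
    subscription_id: str
    workspace_subscription_id: Optional[str] = None  # subscription of a linked Log Analytics workspace, if any


def automanage_blockers(vm: Vm) -> List[str]:
    """Return the prerequisites this VM fails; an empty list means it can be onboarded."""
    blockers: List[str] = []
    if vm.os_type.lower() != "windows":
        blockers.append("only Windows Server VMs are supported")
    if vm.power_state != "VM running":
        blockers.append(f"VM must be running (current state: {vm.power_state})")
    if vm.location.lower() not in SUPPORTED_REGIONS:
        blockers.append(f"region '{vm.location}' is not a supported Automanage region")
    if vm.workspace_subscription_id and vm.workspace_subscription_id != vm.subscription_id:
        blockers.append("linked Log Analytics workspace is in a different subscription")
    return blockers


def triage(vms: List[Vm]) -> Dict[str, List[str]]:
    """Map each VM name to its list of blockers (empty list = ready to onboard)."""
    return {vm.name: automanage_blockers(vm) for vm in vms}


# Constructed sample inventory (not real resources).
SAMPLE_VMS = [
    Vm("web01", "eastus", "Windows", "VM running", "sub-a"),
    Vm("web02", "uksouth", "Windows", "VM running", "sub-a"),
    Vm("app01", "eastus", "Linux", "VM running", "sub-a"),
    Vm("db01", "westeurope", "Windows", "VM deallocated", "sub-a", "sub-b"),
]

if __name__ == "__main__":
    for name, blockers in triage(SAMPLE_VMS).items():
        status = "READY" if not blockers else "BLOCKED: " + "; ".join(blockers)
        print(f"{name}: {status}")
```

Only `web01` passes; `db01` is blocked twice (deallocated, and its workspace lives in another subscription), which is the kind of detail that otherwise only surfaces as a failed deployment in the portal.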

Participating Services

At the current time, Automanage includes the following Services, which are automatically onboarded, configured, monitored for drift, and remediated as required when you use Automanage:

  • VM Insights Monitoring – Monitors the health and performance of your Virtual Machine
  • Backup – Provides backups of the Virtual Machine
  • Azure Security Center – Automanage configures the free tier of Azure Security Center within the subscription your VM is inside.
  • Microsoft Antimalware – Real time protection for your VM against viruses, spyware, and malicious software.
  • Update Management – Provides automated updates for your VM
  • Change Tracking and Inventory – Combines change tracking and inventory to monitor and track VM changes.
  • Azure Automation Account – supports Azure Automation
  • Log Analytics Workspace – stores the data collected by the services above in a Log Analytics Workspace.

You can configure these services using one of the default configuration profiles with Automanage – or create your own.

Setting up Automanage

Setting up Automanage is really easy! For my test I have a single Azure VM running in the East US Region – and I am going to configure Automanage to look after this VM for me. From the Azure Portal – search for “Automanage”, and select Azure Automanage:

Then click on “Enable on existing VM”:

Note – you can also set up Automanage at the time of creation – see here. Next, we need to select the VMs to onboard into Automanage. To do this, click on “Select machines”:

Select the VM you want to enable and click Select:

We can then select the Profile that will be applied (which controls the configuration of Automanage):

By default there are two profiles – Dev/Test and Production. It is worth spending some time looking through these to make sure you are applying settings that are appropriate. You can also create custom profiles – by clicking on “Create new preferences”. See more about custom profiles here. For my test I will use the Production Profile – you can browse the settings and configuration that will be applied by this profile by exploring the highlighted section below:

Once we are ready to apply this – just click “Select”. The summary screen is then shown – and we are ready to enable. Note that the Automanage account is also created at this time. Click on Enable in the below screenshot – and the configuration will then be applied:

My test VM is now shown within Automanage – as you can see the deployment is still in progress:

The deployment takes some time – but as it progresses we can see the Automanage elements being created in a new Resource Group:

Once the deployment has completed – the status will change to “Configured”:

So we now have a Virtual Machine that is configured and managed by Automanage – let’s take a quick look at what this has configured for us:

In our Backup Vault (automatically created) we now have a protected VM that is backed up daily:

Our VM is being analysed for Updates:

We have an Automation Account that contains our VM:

Within Update Management we can also check on the Status of our Automanage enrolled VM:

We can also delve into this update data (and more!) via our (automatically created by Automanage) Log Analytics Workspace:

Obviously I’ve only scratched the surface of Automanage here – but hopefully this post helps to give an understanding and show some of the features of the Automanage preview. Until next time – thanks for reading!

A few links to useful documentation resources that may help:

Creating a secure Home/Guest/IOT Wifi environment with Ubiquiti

As many of my friends and colleagues will know, I am a big fan of Smart Home/IOT technology – plugs, lights, sensors, cameras… I like automating things around the house – partly for security reasons, partly for reasons of making my life easier, but mostly because I enjoy working with technology! 🙂

However, I am well aware of the security implications of Smart Technology – and in particular the risks associated with placing devices onto a home network, where devices with personal information are regularly used.

In this post I’ll give an overview of how I am securing my network – with minimal effort… (All of this can be configured in under 10 minutes)

I’m using the awesome Ubiquiti Unifi nanoHD APs:

Ubiquiti equipment and software is AWESOME, especially if you want effective and easy to use control over your network, without having to use complex configuration scripts or a confusing GUI. There are a few things you can do to secure Smart Technology items, and also to create a secure environment for Guest Users, Children, and anyone/anything else you may wish to restrict in some way. The key features that help here are:

  • Separate Wireless Networks – I have a Wireless Network setup for my own devices, another for Smart Tech items, and another for Guest Users – these are best off separated and kept apart! (These are all broadcast from the same AP too – with no need for extra hardware)
  • Time based Wireless Network access – this is more for those with children, whereby you can have a Wireless Network that is available only between certain times.
  • Throughput Control – this allows a Network to be restricted to a specified total bandwidth throughput. Useful for ensuring one device/user/network does not overload your internet connection
  • IP range restrictions – this allows devices on specific Networks to be restricted when trying to access certain IP ranges or addresses. This is great for Guest networks – and can be used to ensure those Guest users can only access the internet for example. Many Smart Tech devices also require only internet access, with no need for them to communicate with other items on your network.

Configuration of all of the above is extremely simple using the Ubiquiti Controller – I’m running this on my own server, but the Cloud Keys are worth a look if you don’t have this option or want a dedicated device. Thankfully all of the above is just a few clicks in the Controller interface too – no need for any configuration scripts, cabling, or code!

Separate SSIDs

This is very easy to setup – from the settings interface, browse to Wifi Networks, and then create the networks you require:

Ensure that any IOT or Guest Networks are marked as Guest Networks – the IP-based security restrictions then apply to them:

Time based SSID access

Again, this is a breeze to set up – on the SSID you want to restrict, select Edit (shown below):

You can then control the time on a schedule:

This setting is probably more for those with children whose access they are trying to limit – unless you have devices you don’t want online at certain times.

Throughput Control

Throughput control is based on creating User Groups – with a throughput limit assigned to the Group. I have the following Groups setup:

Personally I think I am quite generous with my Guest users…

Next – we need to associate the Groups with a Wireless Network, so that the bandwidth restrictions are applied to that Network. To do this, go back and edit the Wireless Network:

Within the User Group section – select the required Group:

Now your Wireless Network has a configured throughput limit!

IP Restrictions

These are also very easy to set up: browse to the Guest Control section of the Settings Menu – and then add any IP ranges or addresses you want to prevent Guest Users (on any Wireless Network marked as Guest) from accessing:

I’ve left this default – any private address is restricted – so my Guest Users and IOT Devices can only access the internet, and are prevented from accessing anything else on my networks.
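To make the combined effect of these controls concrete (separate SSIDs, time-based access, and the guest IP restrictions), here is a small policy evaluator that models them. This is an added illustration, not UniFi code: the SSID names, schedules and rate limits are constructed, and the restricted subnet list is the three RFC 1918 private ranges, which is my reading of the “any private address is restricted” default described above.

```python
"""Model of the guest-network controls: guest flag, SSID schedule, restricted subnets.
Added illustration only; SSIDs and the restricted list are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

# Restricted subnets applied to every SSID flagged as a Guest network (assumed default: RFC 1918).
DEFAULT_RESTRICTED = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Ssid:
    name: str
    guest: bool                                    # "mark as Guest Network" in the controller
    schedule: Optional[Tuple[time, time]] = None   # (start, end) window when the SSID is up; None = always
    rate_limit_kbps: Optional[int] = None          # User Group throughput limit, for reference only


def ssid_available(ssid: Ssid, now: time) -> bool:
    """Time-based access: True if the SSID is broadcast at wall-clock time `now`.
    Handles windows that cross midnight (start > end)."""
    if ssid.schedule is None:
        return True
    start, end = ssid.schedule
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def destination_allowed(ssid: Ssid, dst: str, restricted=DEFAULT_RESTRICTED) -> bool:
    """Guest isolation: clients on a Guest SSID may not reach any restricted subnet."""
    if not ssid.guest:
        return True
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in restricted)


def evaluate(ssid: Ssid, now: time, dst: str) -> Tuple[bool, str]:
    """Combine both checks and return (allowed, reason)."""
    if not ssid_available(ssid, now):
        return False, f"{ssid.name} is outside its schedule"
    if not destination_allowed(ssid, dst):
        return False, f"{ssid.name} is a Guest network; {dst} is a restricted private address"
    return True, "allowed"


# Constructed SSIDs mirroring the split described in the post.
HOME = Ssid("Home", guest=False)
IOT = Ssid("IoT", guest=True, rate_limit_kbps=5000)
GUEST = Ssid("Guest", guest=True, rate_limit_kbps=20000)
KIDS = Ssid("Kids", guest=False, schedule=(time(7, 0), time(21, 0)))

if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for "the internet".
    checks = [(HOME, "192.168.1.20"), (IOT, "192.168.1.20"), (IOT, "203.0.113.10"), (KIDS, "203.0.113.10")]
    for ssid, dst in checks:
        print(ssid.name, dst, evaluate(ssid, time(22, 0), dst))
```

The overnight-window branch in `ssid_available` is the one edge case worth testing: a schedule of 22:00 to 06:00 must still count 02:00 as inside the window.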

Hope this helps – until next time!

Quick Post! – Using NetScaler responder policies/actions and backup vServers to notify users of Service Downtime

NetScaler, as I am sure you are aware, is a superbly powerful Application Delivery Controller. One of the most useful features is the use of Responder Policies/Actions, and Backup vServers to indicate that a service is down or to provide access to an alternative service for end users.

Let’s say – you have a load balancer configured that balances two Web Servers, which you then present for users to access. This load balancer could be configured with monitoring to check the health of the Web Servers, and also to ensure that the servers are loaded evenly with requests.

But – what happens when both servers are down? Maybe you have scheduled patching, or there is a fault. Leaving users with a blank page or one that times out is never ideal, and letting them know there is a fault is always best. This is especially relevant if the users are accessing pages of a commercial nature – for example, “The Online shop will be back open at 2pm” is a lot better than a blank page.

Both of the options below take less than 10 minutes configuration on a NetScaler – so if you need to get a page up quickly… these are very useful!

To do this – we can go down one of the two routes below:

Option 1

Use the Redirect URL option on the vServer – this redirects client requests to the custom URL when the service is down. So for example this could be a custom page hosted elsewhere, which explains that there is an issue.

This could be used for Scheduled patching for example – for times when we know the site will be down, we just add the URL to the vServer and any users who visit during the maintenance window will see the redirected page.

Option 2

Another option is to use the Backup vServer feature within NetScaler – this is great because it can be used to direct traffic to a backup Data Center if our primary is unavailable. But also – we can use this feature to put up a NetScaler generated page informing the user that there is a problem with the backend service.

To do this – we need to create a new vServer to use for Maintenance. Create this with the following basic settings:

Then create a service for this – any local service bound to 127.0.0.1 will do. Assign a basic monitor so that the service shows as up.

Next – go to AppExpert, and then Responder, and create a Responder Action. Fill out the details as below – note: you will need to create a new HTML Page, this is the 2nd and 3rd screenshots below:

HTML Page:

Click on Done, and then Click Create for the Responder Action.

We can then go back to the vServer and assign this under the Policies option. Select the options as per the screenshot below and press Continue:

Next we are presented with the below screen, click on the Plus sign next to “Select Policy”:

Fill out the details as per the below:

Click on “Create” and then click on “Bind”. Finally, click “Done”. We can now apply this vServer as a backup vServer to others – so that if those vServers are down, this page will be shown to users.

This is configured on a per vServer basis as per the below:

Now when accessing the page, and with the services down – the following page is shown:
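For anyone who prefers the NetScaler CLI to the GUI, the same two options look like this. This is an added example rather than commands from the post: the object names (vs_webshop, vs_maintenance, svc_loopback, act_maintenance, pol_maintenance, maintenance_page), the redirect URL and the local maintenance.html file are all assumptions, and it assumes the HTML page has already been uploaded to the appliance.

```nscli
# Option 1: redirect clients to a page hosted elsewhere whenever the production vServer is DOWN
set lb vserver vs_webshop -redirectURL "https://status.example.com/maintenance.html"

# Option 2: a NetScaler-generated maintenance page served by a backup vServer
# Non-addressable vServer (IP 0.0.0.0, port 0) that only ever receives traffic as a backup
add lb vserver vs_maintenance HTTP 0.0.0.0 0

# Local service on the loopback address, with a ping monitor so it shows as UP
add service svc_loopback 127.0.0.1 HTTP 80
bind service svc_loopback -monitorName ping
bind lb vserver vs_maintenance svc_loopback

# Import the HTML page (assumed already uploaded as maintenance.html) and build the responder
import responder htmlpage local:maintenance.html maintenance_page
add responder action act_maintenance respondwithhtmlpage maintenance_page
add responder policy pol_maintenance true act_maintenance

# Bind the responder policy to the maintenance vServer at request time
bind lb vserver vs_maintenance -policyName pol_maintenance -priority 100 -gotoPriorityExpression END -type REQUEST

# Point the production vServer at the maintenance vServer as its backup
set lb vserver vs_webshop -backupVServer vs_maintenance
```

After applying either option, `show lb vserver vs_webshop` confirms the Redirect URL or Backup vServer setting, and `show lb vserver vs_maintenance` should report the loopback service as UP; if the service is DOWN the backup vServer is never used and clients fall straight through to an error. Remember to `save ns config` once it behaves as expected.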

Obviously, you can customise the page a little more than I have – but hopefully this will help. It’s a quick step to setup and gives some extra information to users when there is scheduled work or an unexpected fault.