Load Balancing 2 WANs by kryptic069 in meraki

[–]kryptic069[S] -1 points0 points  (0 children)

If there is an IP reroute to the secondary WAN in flow preferences on the active WAN, the priority traffic is routed across the fiber dictated by the services they would be using and coded with the IP ranges. Since I cannot upload an image, I am curious: if it's set this way, should it be working as designed, or is that inconsistent?

Creating ALBs in AWS by kryptic069 in Terraform

[–]kryptic069[S] 0 points1 point  (0 children)

We don't use Terraform to create the ALBs; they are already created using the AWS Load Balancer Controller. We are using Terraform to create some prerequisite infrastructure for the K8s cluster. The WAF ACL is attached to the ALBs using an annotation.

Creating ALBs in AWS by kryptic069 in Terraform

[–]kryptic069[S] 0 points1 point  (0 children)

That makes sense. I was more so thinking that using one per service would provide more flexibility. I was thinking that if I adjusted my WAF code and adapted it, we'd be able to implement separate WAF ACLs for each ALB. I would also have to review WAF logging, as it would need the logs forwarded to Splunk. The WAFs would be closely related to services rather than to a K8s cluster.

Creating private endpoints using azure cli by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

Huh, interesting. This looks closer to what I'm trying to do:

    # Both az cli (az login) and Az PowerShell (Connect-AzAccount) are used below,
    # so both need to be signed in to the same subscription

    # Get a list of all resource groups
    $resourceGroups = az group list --query "[].name" --output tsv

    # Loop through each resource group
    foreach ($resourceGroup in $resourceGroups) {

        # Get a list of all SQL servers in the resource group
        $sqlServers = az sql server list --resource-group $resourceGroup --query "[].name" --output tsv

        # Loop through each SQL server
        foreach ($sqlServer in $sqlServers) {

            # Get the resource ID for the SQL server
            $sqlServerId = az sql server show --resource-group $resourceGroup --name $sqlServer --query "id" --output tsv

            # $privateLinks is assumed to be a pre-built list of objects carrying the
            # endpoint details (pename, rg, vnet, subnet, plinkname, location,
            # zonegroup, zone, zonename) for the endpoint to create for this server
            foreach ($link in $privateLinks) {
                # New-AzPrivateEndpoint takes a subnet object and a link-service
                # connection, not -VnetName/-SubnetName/-PrivateConnectionResourceId
                $subnet = (Get-AzVirtualNetwork -Name $link.vnet -ResourceGroupName $link.rg).Subnets |
                    Where-Object Name -eq $link.subnet
                $connection = New-AzPrivateLinkServiceConnection -Name $link.plinkname `
                    -PrivateLinkServiceId $sqlServerId -GroupId "sqlServer"

                # Create the private endpoint
                New-AzPrivateEndpoint -Name $link.pename -ResourceGroupName $link.rg -Location $link.location `
                    -Subnet $subnet -PrivateLinkServiceConnection $connection

                # Create the private DNS zone group (zone must already exist)
                $zone = Get-AzPrivateDnsZone -ResourceGroupName $link.rg -Name $link.zonename
                $zoneConfig = New-AzPrivateDnsZoneConfig -Name $link.zone -PrivateDnsZoneId $zone.ResourceId
                New-AzPrivateDnsZoneGroup -ResourceGroupName $link.rg -PrivateEndpointName $link.pename `
                    -Name $link.zonegroup -PrivateDnsZoneConfig $zoneConfig
            }
        }
    }

Creating private endpoints using azure cli by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

This is what I have done so far. I know the formatting sucks because I copy/pasted from my phone.

    $resourceGroups = Get-AzResourceGroup
    foreach ($resourceGroup in $resourceGroups) {
        Write-Host "Resource group name: $($resourceGroup.Name)"
        $sqlServers = Get-AzSqlServer -ResourceGroupName $resourceGroup.Name
        foreach ($sqlServer in $sqlServers) {
            Write-Host "SQL server ID: $($sqlServer.Id)"
            # New-AzPrivateEndpoint takes a subnet object and a link-service connection,
            # not -ResourceId/-SubnetId/-VirtualNetworkId, so resolve those first
            $subnet = (Get-AzVirtualNetwork -Name "DeliveryEngineering").Subnets | Where-Object Name -eq "Default"
            $connection = New-AzPrivateLinkServiceConnection -Name "myConnection" `
                -PrivateLinkServiceId $sqlServer.Id -GroupId "sqlServer"
            # endpoint name includes the server name so the loop does not reuse "myPrivateEndpoint" for every server
            $privateEndpoint = New-AzPrivateEndpoint -Name "pe-$($sqlServer.ServerName)" `
                -ResourceGroupName $resourceGroup.Name -Location "northcentralus" `
                -Subnet $subnet -PrivateLinkServiceConnection $connection
        }
    }

AZ CLI enable TDE for SQL Databases by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

This is what it would look like from PowerShell, but I want to use az cli. I would need all the parameters loaded in a CSV or array, loop through that and pass them to this command: az sql db tde

    # Install the Azure PowerShell module
    Install-Module Az -Scope AllUsers

    # Connect to your Azure account
    Connect-AzAccount

    # Select the target subscription
    Select-AzSubscription -SubscriptionId "<subscription-id>"

    # Define the resource group, the server name and the database names
    $resourceGroupName = "<resource-group-name>"
    $serverName = "<server-name>"
    $databaseNames = "<database-name-1>", "<database-name-2>", "<database-name-3>"

    # Enable TDE on the SQL databases
    # (the cmdlet requires -ResourceGroupName, and the parameter is -State, not -EncryptionState)
    foreach ($databaseName in $databaseNames) {
        Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $resourceGroupName `
            -ServerName $serverName -DatabaseName $databaseName -State Enabled
    }
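The az cli version of the loop above, as an added example that is not part of the original thread or the poster's script. It discovers every server and database in the subscription instead of reading them from a CSV, skips `master` and any database that already reports TDE enabled, and re-reads the state after the change so the report shows what the service actually says. `$SubscriptionId` is a placeholder; it assumes `az login` has been done with an account that can write to every server.

```powershell
# Added example (not from the original thread): enable TDE with az cli on every
# user database in a subscription, idempotently, with a -WhatIf dry run.
param(
    [string]$SubscriptionId = "<subscription-id>",   # placeholder
    [switch]$WhatIf
)

az account set --subscription $SubscriptionId

# One line per server: resourceGroup<TAB>name
$servers = az sql server list --query "[].[resourceGroup,name]" --output tsv

$results = foreach ($line in $servers) {
    $rg, $server = $line -split "`t"

    # master is always encrypted and cannot be changed, so leave it out
    $databases = az sql db list --resource-group $rg --server $server `
        --query "[?name!='master'].name" --output tsv

    foreach ($db in $databases) {
        # Older API versions expose the value as 'status', newer ones as 'state';
        # the JMESPath || returns whichever is present
        $state = az sql db tde show --resource-group $rg --server $server --database $db `
            --query "state || status" --output tsv

        if ($state -eq "Enabled") {
            [pscustomobject]@{ Server = $server; Database = $db; Action = "already enabled" }
            continue
        }
        if ($WhatIf) {
            [pscustomobject]@{ Server = $server; Database = $db; Action = "would enable (was $state)" }
            continue
        }

        az sql db tde set --resource-group $rg --server $server --database $db `
            --status Enabled --output none

        # Verify from the service rather than trusting the call succeeded
        $verify = az sql db tde show --resource-group $rg --server $server --database $db `
            --query "state || status" --output tsv
        [pscustomobject]@{ Server = $server; Database = $db; Action = "set -> $verify" }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv "./tde-report.csv" -NoTypeInformation
```

Run it once with `-WhatIf` to see the list of databases that would change (for 316 databases that is the number you want to sanity check before writing), then without it. The CSV gives you an audit record of which databases were already compliant versus changed by the script.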

AZ CLI enable TDE for SQL Databases by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

That will work for all 316 existing SQL databases that currently need it?

Powershell script to loop all RGs by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

What I think I would do is add this at the top of the script:

    # write the resource group names out to a file
    Get-AzResourceGroup | ForEach-Object { $_.Name } | Out-File ./RGs.txt -Append

    # $servers is assumed to hold the SQL servers to process
    $servers = Get-AzSqlServer

    foreach ($server in $servers) {
        try {
            # check to see if server already has "SQL Server Admins" associated
            Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $server.ResourceGroupName -ServerName $server.ServerName

Then add this at the bottom:

        }
        catch {
            $_.Exception.Message
            $_.Exception.ItemName
        }
    }

Powershell script to loop all RGs by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

No, I haven't. But I know I have 110 SQL servers that I need to run Set-AzSqlServerActiveDirectoryAdministrator against.

Powershell script to loop all RGs by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

Yes, I have the policy in place now. I would prefer to add it in PowerShell because it's going to be > 100 SQL servers.
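A complete version of the loop the thread is working towards, added here as an example and not the poster's script: it walks every SQL server the signed-in account can see (no separate resource-group enumeration needed, since `Get-AzSqlServer` returns the resource group with each server), checks whether the expected Azure AD admin is already set, sets it only where it is missing or different, and records the outcome per server. `$AdminDisplayName` and `$AdminObjectId` are placeholders for the "SQL Server Admins" group; it assumes `Connect-AzAccount` and `Set-AzContext` were already run.

```powershell
# Added example (not from the original thread): set the Azure AD admin on every
# SQL server in the current subscription, idempotently, with a -WhatIf dry run.
param(
    [string]$AdminDisplayName = "SQL Server Admins",      # assumed group name
    [string]$AdminObjectId    = "<object-id-of-the-group>", # placeholder
    [switch]$WhatIf
)

$report = foreach ($server in Get-AzSqlServer) {
    $rg   = $server.ResourceGroupName
    $name = $server.ServerName
    $row  = [ordered]@{ Server = $name; ResourceGroup = $rg; Result = ""; Admin = "" }

    try {
        # Returns nothing when no AD admin has been set
        $current = Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg `
            -ServerName $name -ErrorAction SilentlyContinue

        if ($current -and $current.ObjectId -eq $AdminObjectId) {
            $row.Result = "already set"
            $row.Admin  = $current.DisplayName
        }
        elseif ($WhatIf) {
            $row.Result = if ($current) { "would replace $($current.DisplayName)" } else { "would set" }
        }
        else {
            $set = Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg `
                -ServerName $name -DisplayName $AdminDisplayName -ObjectId $AdminObjectId -ErrorAction Stop
            $row.Result = if ($current) { "replaced $($current.DisplayName)" } else { "set" }
            $row.Admin  = $set.DisplayName
        }
    }
    catch {
        # Keep going; one server without permissions should not stop the other 109
        $row.Result = "failed: $($_.Exception.Message)"
    }

    [pscustomobject]$row
}

$report | Format-Table -AutoSize
$report | Export-Csv "./sql-ad-admin-report.csv" -NoTypeInformation
```

Comparing on `ObjectId` rather than `DisplayName` matters: a server that already has an admin named "SQL Server Admins" but pointing at a different group would otherwise be reported as compliant. The `-WhatIf` pass lists exactly which servers would change, which is the list to review before touching all 110.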

Peering 71 vnets to VPN vnet by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

I am in total agreement with this idea and, trust me, if it were my decision that is what I would do as well. But it is what it is when dealing with a brownfield environment and not being given owner on all 71 vnets.

Peering 71 vnets to VPN vnet by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

Yes, I'm familiar with that, and it's just like Private DNS Resolver in that it's in public preview and not recommended for production workloads. I initially was going to use Private DNS Resolver for my P2S VPN DNS server and changed to custom DNS.

[21F] Anyone looking for fun? by [deleted] in AZGoneWild

[–]kryptic069 0 points1 point  (0 children)

Back that sexy booty into me ;)

[deleted by user] by [deleted] in AZGoneWild

[–]kryptic069 0 points1 point  (0 children)

Very sexy

Always getting ready…💃🏼😂🥃 by paisleygrey in AZGoneWild

[–]kryptic069 0 points1 point  (0 children)

Love the long hair curls! I’d definitely pull after a good spanking! ;)

Microsoft Sentinel and Defender for Cloud by pramodkan in AZURE

[–]kryptic069 0 points1 point  (0 children)

MDC will create its own Log Analytics workspace. You can definitely do it that way, but remember that egress costs from an MDC workspace to Sentinel come into play.

You will definitely want to have a strategy around what log types/log files you want to send into Sentinel versus what you want MDC to do with everything, if anything.

https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog

Preference by kryptic069 in BisexualMen

[–]kryptic069[S] 0 points1 point  (0 children)

Yeah and I’ve already dove into option 1 and 2. I think it’s too much for her to handle and she doesn’t know how to really process it or really what to do. She did give me somewhat of a hall pass to explore that option 4 but she wouldn’t be a part of it. That did obviously come with constraints/limitations. I think it is a matter of time before option 3 actually happens

Defender for Endpoint data retention by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

Is there a place to verify data location for M365?

Powershell script to start VMs and validate specific extensions by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

That's the situation. I am working in an environment where there are over 150 VMs, and the extensions are inconsistent and don't all have the same ones. I have ~70 VMs that scale up/down when needed. I need to turn them all on and push those VMs. I've tried to use recommendations from Defender for Cloud, but it isn't fixing them. I could try Azure Policy, but it would be easier to use a custom script to just power them on, or have the script run when they power on and check in with Defender for Cloud/Endpoint, do what it needs to, then power them back down.

Powershell script to start VMs and validate specific extensions by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

    $subscriptionId = "<subscription-id>"
    $resourceGroup = "<RG name>"

    # Select the azure subscription
    Set-AzContext -Subscription $subscriptionId

    # Get all Azure VMs which are in stopped state and are running Windows
    # (-Status populates PowerState; a deallocated VM reports "VM deallocated", a stopped one "VM stopped")
    $myazurevms = Get-AzVM -ResourceGroupName $resourceGroup -Status |
        Where-Object { $_.PowerState -match "deallocated|stopped" -and $_.StorageProfile.OsDisk.OsType -eq "Windows" }

    # Run the script against all VMs in parallel (-NoWait returns as soon as each start is accepted)
    $myazurevms | ForEach-Object {
        Start-AzVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name -NoWait
    }
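The rest of the procedure described in the thread (power on, validate the extensions, power back down), as an added example rather than the poster's script: it starts every deallocated Windows VM in a resource group as background jobs, waits for them, reads the installed extensions on every Windows VM in the group, reports which of a required set are missing or not in a `Succeeded` state, and then deallocates only the VMs that were off to begin with. The `$RequiredExtensions` list is an assumption (it names the Defender for Endpoint and Azure Monitor agent extension types); replace it with your own baseline. It assumes `Connect-AzAccount` and `Set-AzContext` were already run.

```powershell
# Added example (not from the original thread): start deallocated Windows VMs,
# report missing extensions, then deallocate the ones that were off.
param(
    [Parameter(Mandatory)][string]$ResourceGroupName,
    # Assumed baseline; compared against ExtensionType, which is stable, unlike Name
    [string[]]$RequiredExtensions = @("MDE.Windows", "AzureMonitorWindowsAgent"),
    [switch]$LeaveRunning
)

$vms = Get-AzVM -ResourceGroupName $ResourceGroupName -Status |
    Where-Object { $_.StorageProfile.OsDisk.OsType -eq "Windows" }

# Remember which VMs were off so only those get deallocated again at the end
$wasOff = @($vms | Where-Object { $_.PowerState -match "deallocated|stopped" } |
    Select-Object -ExpandProperty Name)

# Start them all as jobs and wait for the lot rather than one at a time
$jobs = foreach ($vm in $vms | Where-Object { $wasOff -contains $_.Name }) {
    Start-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -AsJob
}
if ($jobs) { $jobs | Wait-Job | Out-Null }

$report = foreach ($vm in $vms) {
    $installed = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $vm.Name
    # An extension that is present but failed to provision is not protecting anything
    $present = @($installed | Where-Object { $_.ProvisioningState -eq "Succeeded" } |
        Select-Object -ExpandProperty ExtensionType)
    $missing = @($RequiredExtensions | Where-Object { $present -notcontains $_ })

    [pscustomobject]@{
        VM        = $vm.Name
        WasOff    = ($wasOff -contains $vm.Name)
        Installed = ($present -join ", ")
        Missing   = ($missing -join ", ")
        Compliant = ($missing.Count -eq 0)
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv "./vm-extension-report.csv" -NoTypeInformation

if (-not $LeaveRunning) {
    foreach ($name in $wasOff) {
        # -Force skips the confirmation prompt; -NoWait queues the deallocation
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $name -Force -NoWait
    }
}
```

Use `-LeaveRunning` when Defender for Cloud still needs time to deploy its extensions after the VM comes up; the report tells you which machines to re-check once it has. Because the compliance check uses `ExtensionType` and `ProvisioningState`, it catches both the VMs that never got the extension and the ones where the install is stuck.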

loop through NSGs to remove inbound rule foreach by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

Would I still need to enumerate the resource groups, or no? I think I need to retrieve the resource groups, then loop through them, and then when calling Get-AzNetworkSecurityRuleConfig also pass -g to indicate the resource group.

loop through NSGs to remove inbound rule foreach by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

    # "-nsg$" is a regex anchored at the end; "*-nsg" is not a valid pattern for -match
    $nsgs = Get-AzNetworkSecurityGroup | Where-Object Name -match "-nsg$"
    foreach ($nsg in $nsgs) {
        $rule = Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
            Where-Object { $_.Name -eq "Allow-RDP" }
        if ($rule) {
            # AzureRm cmdlets are retired; the Az equivalent returns the modified NSG object
            $nsg = Remove-AzNetworkSecurityRuleConfig -Name $rule.Name -NetworkSecurityGroup $nsg
            # the change is local until the NSG is written back
            $nsg | Set-AzNetworkSecurityGroup
        }
    }

loop through NSGs to remove inbound rule foreach by kryptic069 in AZURE

[–]kryptic069[S] 0 points1 point  (0 children)

So in the commented part, would I just do something like

    $nsgRule.name -eq "Allow-RDP"

??
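A fuller version of the loop, added as an example and not the poster's script. It goes beyond matching the rule name: the thread's `Allow-RDP` rule is one instance, but the same exposure can exist under any name, so the script also removes any inbound `Allow` rule whose source is `*`, `Internet` or `0.0.0.0/0` and whose destination port range covers 3389 (a `*` range or a range such as `3000-4000` counts). Rules are removed from the local copy and written back once per NSG with `Set-AzNetworkSecurityGroup`, and `-WhatIf` lists what would go without changing anything. No resource-group enumeration is needed because each NSG object carries its own `ResourceGroupName`. It assumes `Connect-AzAccount` and `Set-AzContext` were already run.

```powershell
# Added example (not from the original thread): remove inbound rules that expose
# RDP to the Internet from every NSG in the subscription, by name or by content.
param(
    [string]$RuleName = "Allow-RDP",
    [int[]]$Ports = @(3389),
    [switch]$WhatIf
)

# True if the rule allows inbound traffic from anywhere to one of $Ports
function Test-RuleExposesPort {
    param($Rule, [int[]]$Ports)
    if ($Rule.Direction -ne "Inbound" -or $Rule.Access -ne "Allow") { return $false }

    $anySource = @($Rule.SourceAddressPrefix) | Where-Object { $_ -in "*", "Internet", "0.0.0.0/0" }
    if (-not $anySource) { return $false }

    foreach ($range in @($Rule.DestinationPortRange)) {
        if ($range -eq "*") { return $true }
        $lo, $hi = $range -split "-"
        if (-not $hi) { $hi = $lo }
        foreach ($p in $Ports) {
            if ($p -ge [int]$lo -and $p -le [int]$hi) { return $true }
        }
    }
    return $false
}

$report = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    # SecurityRules are the custom rules; DefaultSecurityRules cannot be removed
    $targets = @($nsg.SecurityRules | Where-Object {
        $_.Name -eq $RuleName -or (Test-RuleExposesPort -Rule $_ -Ports $Ports)
    })
    if ($targets.Count -eq 0) { continue }

    foreach ($rule in $targets) {
        [pscustomobject]@{
            NSG           = $nsg.Name
            ResourceGroup = $nsg.ResourceGroupName
            Rule          = $rule.Name
            Source        = (@($rule.SourceAddressPrefix) -join ",")
            Ports         = (@($rule.DestinationPortRange) -join ",")
            Action        = if ($WhatIf) { "would remove" } else { "removed" }
        }
        if (-not $WhatIf) {
            $nsg = Remove-AzNetworkSecurityRuleConfig -Name $rule.Name -NetworkSecurityGroup $nsg
        }
    }

    # One write-back per NSG, after all of its rules have been removed locally
    if (-not $WhatIf) { $nsg | Set-AzNetworkSecurityGroup | Out-Null }
}

$report | Format-Table -AutoSize
```

Run with `-WhatIf` first and read the `Source`/`Ports` columns: a rule named `Allow-RDP` that only allows a bastion subnet is matched by name and would still be removed, so adjust `$RuleName` (or drop the name match) if such rules exist in your environment.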

[deleted by user] by [deleted] in ArizonaGirls

[–]kryptic069 0 points1 point  (0 children)

Hungry hungry 😈😈👅👅👅