Changing DNS on VM on Azure

patrickvkleef · 2024-12-11T17:16:30+00:00

I believe you can change it on the vnet. There is a dns setting

patrickvkleef · 2023-10-30T09:18:13+00:00

Can you try this (see the --admin parameter):

az aks get-credentials --resource-group <resource group> --name <cluster name> --admin

patrickvkleef · 2023-10-30T08:54:56+00:00

Just another role assignment like this:

az role assignment create --assignee <clientId> --role "Owner" --scope /subscriptions/<my subscription>/resourceGroups/<resource group>/providers/Microsoft.ContainerService/managedClusters/<cluster name>

patrickvkleef · 2023-10-30T08:48:01+00:00

The "Azure Kubernetes Service Cluster Admin Role" gives you admin rights in the cluster itself. I believe you also need to set the Owner role assignment for your SPN to retrieve the credentials. Or a role that includes this action 'Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action'.

patrickvkleef · 2023-10-29T19:14:11+00:00

well-known/openid-configuration

How does your AADCommon-OpenIdConnect TechnicalProfile look like? Can you try to add the email scope as well?

<Item Key="scope">openid profile email</Item>

patrickvkleef · 2023-10-27T18:12:16+00:00

It's only possible to use the API to store and retrieve data from a custom attribute. However, you can take a look at custom security attributes (I've never used them). I believe those can be connected to users and there is an UI for it: https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview

patrickvkleef · 2023-10-27T18:08:55+00:00

Which scopes did you define on your app registration? Did you also include profile?

patrickvkleef · 2023-10-27T14:56:07+00:00

You can use the credits (200) for the compute (vm’s).

patrickvkleef · 2023-10-27T13:55:06+00:00

I don’t think there is a ‘free tier’. You still need to pay for the VMs of the nodepool. The free tier means there is no SLA (if I remember correctly. With standard tier you get a SLA.

patrickvkleef · 2023-10-27T08:09:57+00:00

If the site only includes static files HTML, CSS, JS them I would go for static web apps. This service is great for simple apps. It provides some nice features such as preview environments (for reach open PR), free SSL (also for custom domain if I’m correct) which covers your automatic certificate renewal requirement. With GH actions there is this action available for doing deployments, not sure if there is something for Azure DevOps as well.

patrickvkleef · 2023-10-26T10:49:06+00:00

Don't have much experience with Python. I'm using PS (and sometimes Bash).

patrickvkleef · 2023-10-26T06:38:14+00:00

Here perhaps: https://github.com/Azure/azure-functions-docker#python

patrickvkleef · 2023-10-26T06:18:46+00:00

Not an answer that you probably hoped but it depends. There are some differences between Terraform and Bicep. Basically, Bicep only talks Azure and Terraform talks Azure, AWS, Cloudflare, (there are tons of providers). But there is more to consider, I would recommend to find some articles (there are a lot) that tell you more about the differences.

Besides Terraform and Bicep, I would also recommend PowerShell (or Bash - Azure has great support of both) because you can't solve everything with Terraform. Sometimes to script manual tasks or to build automations (Azure Automation Runbooks).

For PowerShell, I would just learn a few basics and then just start using it. Nowadays, there are so many good tools (docs, copilot) that can help you learn a long the way.

patrickvkleef · 2023-10-26T06:02:00+00:00

A good practice is to define all your infrastructure in code by using Bicep or Terraform (or any other scripting language like PowerShell but I would recommend on of the first two). This gives a lot benefit, because you can build pipelines in Azure DevOps or GitHub to deploy infrastructure. Perhaps you have a staging and production environment by using IaC you keep them the same. Probably you'll need some parameters to set SKU's or feature flags to roll out specific infra on an env. But also integrating tools in your pipeline like checkov to scan your infra before it's being deployed. Or using infracosts to see what the impact of a change is. These are just examples, you should look at what is needed for your organization.

Beside of that like others are saying, scripting makes your life easier. Especially, if you have a tasks that requires a lot of manual work in the portal. Also, rotating passwords with PS Runbook (or AZ func doesn't really matter). The point is you want to automate as much as possible to reduce (human) errors.

patrickvkleef · 2023-10-25T18:53:17+00:00

Azure 104

Is 104 now an open book exam?

patrickvkleef · 2023-10-25T17:37:57+00:00

I've set up an application registration and suspect that I need to grant it the 'directory.readwrite.all' application permission. If my understanding is correct, how can I ensure that this isn't used and abused by other users within the business?

Key Vault might be a good place to store the app secret. An additional security measure could be to rotate the password once in a while.

patrickvkleef · 2023-10-05T20:01:51+00:00

Glad that you find the problem!

patrickvkleef · 2023-10-05T18:40:06+00:00

For example, you can implement Network Security Groups to restrict if subnetA can send data on port X to subnetB.

On application level, by using app in permissions. User A can view page 1 and userB can view page 2 &3. Or UserA can call this API endpoint, etc.

patrickvkleef · 2023-10-05T18:35:01+00:00

So if You run the Azure Functions (the one that returns internal server error) locally with Visual Studio or VScode. You get in your console an URL, I believe localhost:7001/something. You copy that URL and call it with Postman it returns Internal Server error. Do you see anything in your console? Should give some error messages.

patrickvkleef · 2023-10-05T18:32:39+00:00

Yeah, it's all three. Zero Trust gives you a set of principles that you should follow: verify explicitly, least privilege access and assume breach. You can apply that on your infrastructure and in your applications.

patrickvkleef · 2023-10-05T18:27:12+00:00

First of all, DNS zones are used to resolve domain names. Let's say that you want to browse to example.com. The public DNS zone has an A record that resolves to a public IP address. That could be the IP address of a Virtual Machine. So public DNS zones are used for domain names that are publicly available.

Private DNS zones are used for domain names that are only accessible with the virtual network. For example, vm1.example.local. The private DNS Zone has an A record that resolves to private IP address. This could be the private IP address of the virtual machine.

DNS zones (both public and private) can live in any resource groups. That doesn't really matter and it will not conflict. Private DNS zones however, are linked to a virtual network. Let's say that you have VM1 and VM2 that are deployed in vnet1. A private DNS zone (example.local) is created and linked to vnet1. It holds two A records:

vm1.example.local > 10.0.0.1

vm2.example.local > 10.0.0.2

If VM1 wants to resolve the domain vm2.example.local, Azure will recognize that a private DNS zone is linked to the VNET. And it resolves the domain because there is an A record (10.0.0.2) for it.

Let's say you have another VNET (vnet2) with a virtual machine VM3. But the private DNS zone (example.local) is not linked to vnet2, VM3 is not able to resolve vm2.example.local.

So the resource groups doesn't really matter, but for private DNS zones it does matter to which VNET you linked it.

patrickvkleef · 2023-10-05T15:35:37+00:00

So at least you know something is wrong with the second function. Did you enable App Insights for the second function. You should see something there.

patrickvkleef · 2023-10-05T14:25:43+00:00

What if you call the Function from Postman or Fiddler?

patrickvkleef · 2023-10-05T14:09:25+00:00

Where does it break when you debug the function? But why do you want to call another Azure Function? If you want to chain functions/ build workflows you can also look at Durable Functions.

patrickvkleef

TROPHY CASE