Example of what you can see in an Azure Activity Log entry:
- Event initiated by (the user or service principal that made the change; the first field to check when an unexpected modification turns up)
“Create a route table when you need to override Azure’s default routing.”
Scenario example: you want to force all outbound traffic via a proxy / NGFW (for example Zscaler) for SSL inspection, web security and internet security, so that the business's internet traffic can be controlled, monitored and protected. You could go one step further and restrict Microsoft 365 or Azure access to approved IPs or to the proxy / Zscaler only.
Create a route table > Add >
Set a name
Add a route to your table and select the next hop type; for the scenario above that is Virtual appliance, with the private IP of the proxy / NGFW as the next hop address and 0.0.0.0/0 as the address prefix
Associate the route table with the subnet(s) whose traffic should be forced through it; until it is associated it has no effect
Example route set
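The same scenario done with the Azure CLI, as an added example that is not part of the original notes. The resource group, VNet, subnet, route table name and the appliance IP 10.0.100.4 are assumptions; the rest is the UDR procedure above plus the subnet association and an effective-routes check that the portal steps leave out:

```sh
# Added example, not from the original notes: user-defined route that sends a
# subnet's default route through a proxy / NGFW. Names below are assumptions.
# Set AZ=echo (or run with "plan") to print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-lab_study_2020}"
LOCATION="${LOCATION:-uksouth}"
VNET="${VNET:-lab-vnet}"
SUBNET="${SUBNET:-app-subnet}"
ROUTE_TABLE="${ROUTE_TABLE:-rt-force-proxy}"
NVA_IP="${NVA_IP:-10.0.100.4}"   # private IP of the proxy / NGFW NIC (assumed)

# 1. Create the table. Disabling BGP route propagation stops routes learned via
#    a VPN / ExpressRoute gateway from bypassing the appliance.
create_route_table() {
  $AZ network route-table create \
    --name "$ROUTE_TABLE" --resource-group "$RG" --location "$LOCATION" \
    --disable-bgp-route-propagation true
}

# 2. Override Azure's default route: all traffic (0.0.0.0/0) goes to the NVA.
add_default_route_via_nva() {
  $AZ network route-table route create \
    --name to-internet-via-nva --resource-group "$RG" \
    --route-table-name "$ROUTE_TABLE" \
    --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$NVA_IP"
}

# 3. A route table does nothing until it is associated with a subnet.
associate_with_subnet() {
  $AZ network vnet subnet update \
    --name "$SUBNET" --vnet-name "$VNET" --resource-group "$RG" \
    --route-table "$ROUTE_TABLE"
}

# 4. Verify from a NIC in that subnet: effective routes show the system routes
#    alongside the user route that now wins for 0.0.0.0/0.
show_effective_routes() {  # $1 = NIC name
  $AZ network nic show-effective-route-table \
    --name "$1" --resource-group "$RG" --output table
}

case "${1:-}" in
  plan)  AZ=echo; create_route_table; add_default_route_via_nva; associate_with_subnet ;;
  apply) create_route_table; add_default_route_via_nva; associate_with_subnet ;;
esac
```

Run it as `sh udr.sh plan` to see the commands and `sh udr.sh apply` to execute them. Do not associate this table with the subnet the appliance itself sits in: a 0.0.0.0/0 route pointing at the appliance's own address creates a loop, so the NVA subnet needs its own table (or none).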
Security and Authentication method – Content Trust
You need a container registry to start with
Content trust in Azure Container Registry
“Azure Container Registry implements Docker’s content trust model, enabling pushing and pulling of signed images.”
AcrImageSigner (role that grants image signing permissions)
AcrPush (role that grants push and pull to ACR)
For a list of built-in roles and descriptions see here
Container registry roles see here
Azure CLI command to assign the AcrImageSigner role (scope it to the registry's resource ID, not the subscription; --assignee accepts a user principal name, object ID or service principal app ID)
az role assignment create --scope <registry ID> --role AcrImageSigner --assignee <user name>
ACR Tasks can automate container image builds (ACR tasks info). An example use is automating the build cycle: "By executing az login with a service principal, your CI/CD solution could then issue az acr build commands to kick off image builds."
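The content trust setup and the service-principal build above, as an added example with the Azure CLI (not code from the original notes). The registry, resource group, signer account and CI identity variables are assumptions:

```sh
# Added example, not from the original notes: enable content trust on a
# registry, grant push and signing rights scoped to that registry, push a signed
# image, and kick off a CI build via ACR Tasks. Registry, resource group, signer
# and CI identity values are assumptions. Set AZ=echo / DOCKER=echo to dry-run.
set -eu

AZ="${AZ:-az}"
DOCKER="${DOCKER:-docker}"
ACR="${ACR:-labstudy2020acr}"
RG="${RG:-lab_study_2020}"
SIGNER="${SIGNER:-signer@example.com}"   # user who signs images (assumed)

# Content trust is off by default and needs the Premium SKU.
enable_content_trust() {
  $AZ acr config content-trust update --registry "$ACR" --status enabled
}

# Signing and pushing are separate roles; assign both at registry scope only.
grant_push_and_sign() {
  registry_id=$($AZ acr show --name "$ACR" --resource-group "$RG" --query id --output tsv)
  $AZ role assignment create --scope "$registry_id" --role AcrPush --assignee "$SIGNER"
  $AZ role assignment create --scope "$registry_id" --role AcrImageSigner --assignee "$SIGNER"
}

# With DOCKER_CONTENT_TRUST=1 the client signs the tag on push (creating the
# root and repository keys on first use) and refuses to pull unsigned tags.
push_signed_image() {  # $1 = image:tag
  $AZ acr login --name "$ACR"
  DOCKER_CONTENT_TRUST=1 $DOCKER push "$ACR.azurecr.io/$1"
}

# CI/CD: log in as a service principal and let ACR Tasks build in the cloud.
# Images pushed by the task are not signed by your docker client, so a signed
# tag still needs the push above from a signer's machine or a signing step.
ci_build() {  # $1 = image:tag, built from the current directory
  $AZ login --service-principal --username "${CI_APP_ID:?}" \
    --password "${CI_SECRET:?}" --tenant "${TENANT_ID:?}"
  $AZ acr build --registry "$ACR" --image "$1" .
}

case "${1:-}" in
  setup) enable_content_trust; grant_push_and_sign ;;
  push)  push_signed_image "${2:?image:tag}" ;;
  build) ci_build "${2:?image:tag}" ;;
esac
```

Keep the content trust root key offline after the first signed push; anyone holding it can sign arbitrary tags into the repository.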
Manage Resource Groups CLI
Azure Key Vault – Best Practices
Key Vault – a cloud service to store passwords, certificates, keys etc. Make sure it is very secure: it holds the secrets everything else depends on.
Tips – use multiple vaults to separate environments and applications (so one over-permissioned vault does not expose everything), back up the vault contents, set up logging and alerts, and enable soft delete (plus purge protection, so soft-deleted items cannot be purged early)
How to create a key vault
GUI – Key Vaults > Add
Create a Resource Group
az group create --name "labstudy2020kv" --location uksouth
Create a Key Vault in the Resource Group
Add a secret to your key vault info
Next step, grant an identity access to the vault. In the classic permission model this is an access policy on the vault rather than an Azure RBAC role. Microsoft example info
Give a service principal access to your key vault
az keyvault set-policy -n labstudy2020Vault --spn <clientId-of-your-service-principal> --secret-permissions list get set delete purge
Note that this grants far more than most applications need: a consumer that only reads secrets needs get (and perhaps list). purge in particular lets the principal permanently destroy soft-deleted secrets, so leave it out unless there is a real reason (with purge protection enabled, purge is refused regardless).
To remove the resource group example
az group delete --name labstudy2020kv
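The tips above (soft delete, purge protection, backup, logging and alerts, least-privilege access) put together as an added Azure CLI example that is not from the original notes. The vault, resource group and Log Analytics workspace names are assumptions:

```sh
# Added example, not from the original notes: a vault created with the settings
# the tips above call for (soft delete with a 90-day window, purge protection,
# audit logging to Log Analytics, a backup, and a read-only access policy).
# Vault, resource group and workspace names are assumptions; set AZ=echo to
# print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-labstudy2020kv}"
VAULT="${VAULT:-labstudy2020Vault}"
LOCATION="${LOCATION:-uksouth}"
WORKSPACE="${WORKSPACE:-labstudy2020-law}"   # Log Analytics workspace (assumed)

# Soft delete keeps deleted objects (and the vault itself) recoverable for the
# retention window; purge protection makes that window non-bypassable, even
# for owners, which is what you want against a destructive attacker.
create_hardened_vault() {
  $AZ keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --retention-days 90 --enable-purge-protection true
}

add_secret() {  # $1 = secret name, $2 = value
  $AZ keyvault secret set --vault-name "$VAULT" --name "$1" --value "$2"
}

# Backup writes an encrypted blob; it can only be restored into a vault in the
# same subscription and Azure geography.
backup_secret() {  # $1 = secret name
  $AZ keyvault secret backup --vault-name "$VAULT" --name "$1" --file "$1.kvbackup"
}

# AuditEvent covers every data-plane call, including denied ones: that is the
# log to alert on for unexpected get/list activity.
enable_audit_logging() {
  vault_id=$($AZ keyvault show --name "$VAULT" --resource-group "$RG" --query id --output tsv)
  ws_id=$($AZ monitor log-analytics workspace show --resource-group "$RG" \
            --workspace-name "$WORKSPACE" --query id --output tsv)
  $AZ monitor diagnostic-settings create --name kv-audit --resource "$vault_id" \
    --workspace "$ws_id" --logs '[{"category":"AuditEvent","enabled":true}]'
}

# Least privilege for an application identity: get (and list) only, no
# set/delete/purge.
grant_read_only() {  # $1 = service principal app (client) id
  $AZ keyvault set-policy --name "$VAULT" --spn "$1" --secret-permissions get list
}

case "${1:-}" in
  apply) create_hardened_vault; enable_audit_logging; grant_read_only "${2:?app-id}" ;;
esac
```

Passing secret values on the command line (add_secret) leaves them in shell history; for anything other than a lab, feed them from a file or a pipeline variable instead.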
Additional Reference Material
How to create a Kubernetes Cluster with ACR Integration and Service Principal Authentication.
Create Kubernetes Cluster, Select the Kubernetes Services Blade> Cloud Shell
You will be prompted for storage if not already configured
Type “az” to use Azure CLI
Run script from Microsoft docs here
Create a new AKS cluster with ACR integration. If you haven’t got a service principal created, skip to the next section before creating the AKS cluster
# set this to the name of your Azure Container Registry. It must be globally unique
MYACR=myContainerRegistry
# Run the following line to create an Azure Container Registry if you do not already have one
az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic
# Create an AKS cluster with ACR integration (--attach-acr grants the cluster's kubelet identity AcrPull on the registry)
az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr $MYACR
To configure registry authentication with service principals – MS doc guide to create a service principal (script is formatted for the Bash shell)
Create a service Principal
# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=myregistry
SERVICE_PRINCIPAL_NAME=acr-service-principal
# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)
# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
SP_APP_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)
# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"
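A follow-on check, as an added example that is not part of the notes or the Microsoft script above: with ACR_NAME, SP_APP_ID and SP_PASSWD set by that script, confirm that the principal holds nothing but AcrPull on the registry, then hand its credentials to Kubernetes as an image pull secret. The namespace "apps" and the constructed role-assignment lines in the test are assumptions:

```sh
# Added example, not from the notes or the Microsoft script above: with
# ACR_NAME, SP_APP_ID and SP_PASSWD set by that script, verify the principal
# holds nothing but AcrPull on the registry, then hand its credentials to
# Kubernetes as an image pull secret. The namespace "apps" is an assumption.
# Set AZ=echo / KUBECTL=echo to print commands instead of running them.
set -eu

AZ="${AZ:-az}"
KUBECTL="${KUBECTL:-kubectl}"
ACR_NAME="${ACR_NAME:-myregistry}"

# Reads "<role><TAB><scope>" lines (the tsv form of the query in audit_sp) on
# stdin and fails on the first assignment that is not AcrPull on exactly the
# registry: AcrPush, Owner, or any subscription / resource-group scope.
assert_pull_only() {  # $1 = registry resource id
  registry_id="$1"
  while IFS="$(printf '\t')" read -r role scope; do
    [ -z "$role" ] && continue
    if [ "$role" != "AcrPull" ] || [ "$scope" != "$registry_id" ]; then
      echo "over-privileged: $role on ${scope:-<no scope>}" >&2
      return 1
    fi
  done
  return 0
}

# --all lists assignments at every scope the caller can read, not just the
# registry, so a stray Contributor on the subscription shows up here.
audit_sp() {  # $1 = service principal app id
  registry_id=$($AZ acr show --name "$ACR_NAME" --query id --output tsv)
  $AZ role assignment list --assignee "$1" --all \
    --query "[].[roleDefinitionName,scope]" --output tsv | assert_pull_only "$registry_id"
}

# The pull secret is what pods reference via imagePullSecrets; it carries the
# service principal's app id and password, so scope it to one namespace.
create_pull_secret() {  # $1 = app id, $2 = password, $3 = namespace
  $KUBECTL create secret docker-registry acr-pull --namespace "${3:-apps}" \
    --docker-server="$ACR_NAME.azurecr.io" \
    --docker-username="$1" --docker-password="$2"
}

case "${1:-}" in
  audit)  audit_sp "${SP_APP_ID:?run the service principal script first}" ;;
  secret) create_pull_secret "${SP_APP_ID:?}" "${SP_PASSWD:?}" ;;
esac
```

If the audit fails, remove the extra assignment with az role assignment delete before the credentials go anywhere near a cluster; a registry pull secret with Contributor on the subscription is a full subscription compromise waiting in a Kubernetes Secret.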
The author has not verified that any of these scripts are tested; everything should be done in a dev environment only.
Setting up Alerts in Azure Monitor.
How to create an action group configured with notifications via SMS and email, actions and tags.
Monitor blade, Alerts > Manage Actions > Create Action Group
Click the pencil to edit and enter the Email / SMS / Push / Voice options
There are more advanced automation options, called "actions" (Automation runbook, Azure Function, Logic App, webhook, ITSM), which can also be defined
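The same action group from the CLI, as an added example that is not part of the original notes, followed by Activity Log alerts that use it to report route table and route writes, so the user-defined routes set up earlier on this page cannot be changed quietly. The resource group, action group name, e-mail address and the (fictitious) UK mobile number are assumptions:

```sh
# Added example, not from the original notes: action group with e-mail and SMS
# receivers, then Activity Log alerts on route table / route writes that use
# it. Resource group, names, address and the fictitious phone number are
# assumptions. Set AZ=echo to print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-lab_study_2020}"
ACTION_GROUP="${ACTION_GROUP:-ag-secops}"
EMAIL="${EMAIL:-secops@example.com}"

# --short-name (max 12 chars) is what appears in the SMS; each --action is
# "<type> <receiver name> <target...>", and sms takes country code then number.
create_action_group() {
  $AZ monitor action-group create --name "$ACTION_GROUP" --resource-group "$RG" \
    --short-name secops \
    --action email secops-mail "$EMAIL" \
    --action sms secops-sms 44 7700900123
}

# operationName is the provider operation shown in the Activity Log entry
# ("Operation name"); category=Administration covers control-plane writes.
alert_on_operation() {  # $1 = alert name, $2 = provider operation
  sub_id=$($AZ account show --query id --output tsv)
  $AZ monitor activity-log alert create --name "$1" \
    --resource-group "$RG" --scope "/subscriptions/$sub_id" \
    --condition "category=Administration and operationName=$2" \
    --action-group "$ACTION_GROUP" \
    --description "$2 seen in the Activity Log: check Event initiated by"
}

case "${1:-}" in
  apply)
    create_action_group
    alert_on_operation alert-route-table-write Microsoft.Network/routeTables/write
    alert_on_operation alert-route-write Microsoft.Network/routeTables/routes/write
    ;;
esac
```

Two alerts are needed because creating or replacing a table and editing a single route are different operations in the Activity Log.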
In the Azure portal, select the Security Center blade.
After you have activated Security Center, start with the "Getting Started" guide.
You have the option to start installing agents on servers in Azure, "Configure Security Policies" and "Add non-Azure servers".
Make sure you are aware of the pricing tiers: click "Pricing & Settings".
Review how many resources will be charged in this subscription before enabling the Standard tier.
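The Security Center steps above from the CLI, as an added example that is not part of the original notes: list which resource types are on the Free or Standard tier, count the VMs a Standard tier would bill for, move one type to Standard and turn on automatic agent provisioning. Resource type names are the ones the list command returns:

```sh
# Added example, not from the original notes: Security Center pricing tiers and
# agent auto-provisioning from the CLI. Set AZ=echo to print the commands.
set -eu

AZ="${AZ:-az}"

# One row per resource type; "Free" rows cost nothing, "Standard" rows are
# billed per resource (per VM, per SQL server, and so on).
show_pricing_tiers() {
  $AZ security pricing list --output table
}

# The number of VMs in the subscription is the number a Standard
# VirtualMachines tier would charge for.
count_vms() {
  $AZ vm list --query "length([])" --output tsv
}

# Standard tier for one resource type; the name is the type as shown by
# the list command (VirtualMachines, SqlServers, StorageAccounts, ...).
enable_standard_tier() {  # $1 = resource type name
  $AZ security pricing create --name "$1" --tier standard
}

# Automatic provisioning installs the monitoring agent on every Azure VM in
# the subscription (the "install agents on servers" step above).
enable_auto_provisioning() {
  $AZ security auto-provisioning-setting update --name default --auto-provision On
}

case "${1:-}" in
  show)  show_pricing_tiers; count_vms ;;
  apply) enable_standard_tier "${2:?resource type}"; enable_auto_provisioning ;;
esac
```

Run the show step first and compare count_vms with the per-VM Standard price before applying; the tier is per subscription and per resource type, so it is easy to enable far more than the lab needs.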
Problem: Azure Conditional Access + "New policy" is greyed out.
Reason: to use Azure Conditional Access policies you require Azure AD Premium (P1 or P2).
Solution: license and set up Azure AD Premium. You are able to set up Azure AD Premium on a 30-day trial before incurring additional costs.
Activate using the free 30-day trial option shown below.
Under the B1 tier you have the option to use custom domain names and SSL.
These can be configured under App Service > Settings > Custom domains
You will need to verify ownership of the domain name entered. Follow the on-screen instructions.
Under TLS/SSL settings
You can enforce HTTPS Only and set the Minimum TLS Version (1.2 should be the floor; 1.0 and 1.1 are only there for legacy clients).
You can also import .pfx (certificate with private key, needed for a TLS binding) or .cer (public certificate only) files from this area
Deploying a web application and the difference between the F1 Dev/Test free tier and the B1 Dev/Test / Production tier features
Prep – lab resource group
Start in App Services. To create a basic test app in the free tier, I'm using the prep resource group lab_study_2020
Deployment takes a minute or two, so be patient before jumping to the next steps
Now you have a basic app running and accessible via a URL from the internet.
If you delete and recreate the app you can change the tier to include more advanced features; try selecting Production B1. (An existing App Service plan can also be scaled up to B1 without recreating the app.)
Dev/Test or Production B1 features
Stop Web App, Delete Web App > enter the web app name and Delete
Redeploy using the B1 tier for additional options
Now you will see additional options
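The F1 / B1 deployment, the custom domain and the TLS settings from the two sections above done from the CLI, as one added example that is not part of the original notes. The resource group, plan, app name, hostname and certificate file are assumptions:

```sh
# Added example, not from the original notes: the F1 / B1 deployment, custom
# domain, HTTPS / TLS floor and certificate binding above done from the CLI.
# Resource group, plan, app, hostname and certificate file are assumptions.
# Set AZ=echo to print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-lab_study_2020}"
LOCATION="${LOCATION:-uksouth}"
PLAN="${PLAN:-plan-lab}"
APP="${APP:-labstudy2020web}"

# The plan SKU decides the features: F1 (free) has no custom domains or SSL
# binding, B1 has both.
create_app() {  # $1 = F1 or B1
  $AZ appservice plan create --name "$PLAN" --resource-group "$RG" \
    --location "$LOCATION" --sku "$1"
  $AZ webapp create --name "$APP" --resource-group "$RG" --plan "$PLAN"
}

# Scaling the plan up is the alternative to deleting and recreating the app.
scale_plan() {  # $1 = target SKU, e.g. B1
  $AZ appservice plan update --name "$PLAN" --resource-group "$RG" --sku "$1"
}

# Azure verifies the domain via the asuid.<host> TXT record plus a CNAME or A
# record before this succeeds (the on-screen verification instructions).
add_custom_domain() {  # $1 = hostname
  $AZ webapp config hostname add --webapp-name "$APP" --resource-group "$RG" --hostname "$1"
}

# Redirect HTTP to HTTPS and refuse TLS 1.0 / 1.1 handshakes.
enforce_https() {
  $AZ webapp update --name "$APP" --resource-group "$RG" --https-only true
  $AZ webapp config set --name "$APP" --resource-group "$RG" --min-tls-version 1.2
}

# Upload the PFX (certificate plus private key), then bind it with SNI so no
# dedicated IP is needed; .cer files carry no private key and cannot be bound.
bind_certificate() {  # $1 = cert.pfx, $2 = PFX password
  thumbprint=$($AZ webapp config ssl upload --name "$APP" --resource-group "$RG" \
    --certificate-file "$1" --certificate-password "$2" --query thumbprint --output tsv)
  $AZ webapp config ssl bind --name "$APP" --resource-group "$RG" \
    --certificate-thumbprint "$thumbprint" --ssl-type SNI
}

case "${1:-}" in
  free)  create_app F1 ;;
  basic) scale_plan B1; add_custom_domain "${2:?hostname}"; enforce_https ;;
  cert)  bind_certificate "${2:?cert.pfx}" "${3:?password}" ;;
esac
```

Run `free` first, then `basic www.example.com` once the DNS records are in place, then `cert` with the PFX; enforce_https is worth running on the F1 app as well, since HTTPS Only and the TLS floor are not tied to the tier.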