Hi,
I was pleased to be a speaker in the Azure Virtual Community Day, where i presented how to use Private Links and Endpoints, and how important they are. If you want the slide deck, please message me.
Session Description
In this session will will show how to turn Public Azure PaaS services into Private using Private endpoints and links.
After this demo you will learn to reach services such like Azure Storage, Azure SQL or Azure Key Vault through a private IP address on your network
Hi,
Private Endpoints and Private Links are powerful services provided by Azure to allow you access PaaS services (Azure SQL, Azure Storage including Data Lake Gen2, Azure Web App…) via an IP address in your own network (your own Virtual Network).
See here an introduction of Private Endpoints / Private Links: https://buildwindows.wordpress.com/2019/09/17/introduction-of-azure-private-endpoints/
Supported Azure PaaS Services: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
Unlike many are thinking, using Azure Private DNS is not required if you want to use PE/PL, but it’s recommended as it provides first party integration allowing your PE Private IP record to be automatically created in Private DNS zone, for future DNS resolution
Microsoft is ‘weirdly’ recommending using a specific Zone name for PE/PL (The full list can be found here). The following table shows some DNS zones for some services:
| Private Link resource type | Subresource | Zone name |
|---|---|---|
| SQL DB (Microsoft.Sql/servers) | Sql Server (sqlServer) | privatelink.database.windows.net |
| Azure Synapse Analytics (Microsoft.Sql/servers) | Sql Server (sqlServer) | privatelink.database.windows.net |
| Storage Account (Microsoft.Storage/storageAccounts) | Blob (blob, blob_secondary) | privatelink.blob.core.windows.net |
| Storage Account (Microsoft.Storage/storageAccounts) | Table (table, table_secondary) | privatelink.table.core.windows.net |
| Storage Account (Microsoft.Storage/storageAccounts) | Queue (queue, queue_secondary) | privatelink.queue.core.windows.net |
I’m saying ‘weirdly’ because we have found a scenario where this is unsupported.
The following picture shows:
Issue:
-> Microsoft recommendation is not recommended in fact, because this will create future issues. It’s like creating VNETs with the same address space, and then to peer them : Unsupported
The design recommendation is simple: Each Project (The scope of how resources are managed by the same team) must have its own DNS Zone.
In order to achieve this, you can use the following rules:
That’s it. Now you are sure that all your proejcts have unique private dns zones. I highly recommend that you create Azure Policies that enforce your naming conventions
Creating a PE/PL via the Azure Portal currently only shows the Private DNS zones with the recommended names, which makes you believe that a different naming is not supported.
In order to ‘hijack’ this behavior, use different deployment method than the Portal (ARM templates), or continue with the wizard and stop in the last step (do not deploy).
Hi,
It has been almost one year since Azure VNET integration v2 has been announced in preview.
Azure Vnet Integration v2 allows a direct peering between your App Service Plan (web apps) and your VNET without using p2s connections like the v1 integration.
You can now consume vnet and on-premises resources from your web apps and functions.
Announcement Link
Azure Private Links and Endpoints have been recently announced in Public Preview after months of Private Preview and testing. Private Link/Endpoint is a huge step in Azure Networking as it allows to make private any internet facing public service (Like PaaS services: Azure SQL, Azure Storage…), and provides a unified way to expose and consume services between tenants, partners or even within the same customer.
This post is an introduction of Private Endpoints
There are two terms that should be memorized:
One of the easiest/most requested scenario is the ability to each an Azure SQL Database privately from a Virtual Network, without exposing it to Internet, or using its Public IP address.
The following picture shows a Virtual Machine (SQLClient) deployed to a VNET/Subnet (VNETEastUS/VM), and an Azure SQL DB (azuresqlprivatedb01) deployed within an Azure SQL server (azuresqlpriavte).
The goal is that the VM (SQLClient) reaches the azuresqlprivate over a private connection, and not via internet (we will not allow any IP to consume the Azure SQL server through the firewall): The dotted line in orange is the goal
The solution is to create a Private Endpoint that will expose the Azure SQL server via a Private IP address on a Subnet. The following picture shows a Private Endpoint (PE) that is using an IP address from the Subnet Privatesubnet and connected to azuresqlprivate
1- Go to the Private Link Center –> Private endpoints –> Add
2- Type the required information like the Subscription, RG, Location…
3- Choose the resource that you want to create a Private Endpoint for (In my case, it’s the azuresqlprivate Azure SQL server
4- Choose a VNET/Subnet that will enable the access to your resource. Under the hood, a Network Interface (NIC) will be created, assigned an IP address and assigned to your resource. You can optionally integrate the resource with an Azure Private DNS Zone in order that you can call the private endpoint using a DNS name. This is not required as you can create your own DNS record on your own DNS service (A record)
5- After the deployment, you will notice the following:
* Approved means that the Azure SQL party has approved the Private Endpoint, this is useful when both parties are not from the same Team/Tenant, where the requester can ask for the Private Endpoint connection, and waits for the owner to approve it. In addition, you can Reject the connection at any time
On the SQLClient Virtual Machine, you can install SQL Server Management Studio and test the access to the DB
Note that the Private IP is resloved
Now that we have private access to a PaaS Service, there amy ways to secure the access to it:
The next blog post will introduce the Private Link concept, which is a service that allows your external customers/partners to securely access your services via a private connection, and using an Approval Process.
Hi,
If you trying to make a role assignment via ARM template and encountered this error, then please note that this something annoying and not very clear even on MS docs.
The solution:
1- Either notice that there is a small difference in how ResourceGroups is written: resourceGroups vs resourcegroups –> You need to use lowercase or use a replace to replace resourceGroups by resourcegroups
In my case, i have created a variable where i replace resourceGroups by resourcegroups
"variables": {
"factoryId": "[replace(resourceid('Microsoft.DataFactory/factories/', parameters('DataFactoryObject').name),'resourceGroups','resourcegroups')]",
}
2- If this does not then it means that you are likely using “type”: “Microsoft.Authorization/roleAssignments” for your role assignment. Unfortunately this does not work if you are making an assignment to anything else the resource group you are deploying in.
To solve this, you can something like:
{
"type": "/Microsoft.DataFactory/factories/providers/roleAssignments",
"name": "[variables('adfroleassignmentname')]",
"apiVersion": "2015-07-01",
"dependsOn": [
"[variables('factoryId')]"
],
"properties": {
"roleDefinitionId": "[variables('ADFRunpipelineRoleDefId')]",
"principalId": "[parameters('AzDcrbObjectId')]"
}
},
In orther words you will make a sub-resource deployment “ResourceType/providers/roleAssignments”
Hi all,
I have just published two scripts that will help you quickly automate the Azure DevOps agents installation.
Go to Github: https://github.com/SamirFarhat/Azure/tree/master/AzureDevOps/PrivateAgents/Unattend
Samir
Hi all,
When you author ARM Templates, and you are deploying a Key Vault and setting the Access Policies via the template, be careful about the content of the objectID.
"accessPolicies" : [ { "tenantId": "xxxxx-30d9-xxxxx-8015-ddddddd", "objectId": "rrrrr-tttt-rrrr-rrrr-tttttt", "permissions": {
"keys": ["all"],
"secrets": ["all"]
}
},
If you are assigning the policy to a user account, use the objectId value found on Azure AD:
If you are assigning the policy to a Service Principal, use the ObjectID of the Application that you can get from the Enterprise Application blade, and not the App Registration blade.
Good
Wrong
Hi,
During an operation to move Azure resources between Subscriptions (Or resource groups), we were obliged to delete the “Microsoft.Compute/restorePointCollections” in order to be able to move VMs protected by a Backup policy, as described here
Unfortunately, when deleting the
“Microsoft.Compute/restorePointCollections” resources, we were hit by the following error.
{X} goal seeking tasks failed.
It took us time to figure out that trying to delete the same resources multiple times ends by a successful operations. But because each operation took about 1 minute, it will be a waste of time of doing it by hand.
So today, i’m sharing with you a Powershell script that will allow you to make all the deletion operations, in parallel!!
Go here
Hi,
I have been asked to move an Azure DevOps organization resource from the original resource group (that by default takes the name of VS-{Orgnization Name}-Group to a new resource group. So the following are the needed permissions that you will require:
Once this done, you can move the to the new resource group, and then release the permissions.
Hi,
When using ADF (in my case V2), we create pipelines. Inside these pipelines, we create a chain of Activities.
In most cases, we always need that the output of an Activity be the Input of the next of further activity.
The following screenshot shows a pipeline of 2 activities:
How to get the output of a activity ?
The output of any activity at a given time is : @activity(“Activity Name”).output
So the output of my Get from Web activity will be : @activity(“Get from Web”).output
Example
If my Get from Web activity gets a json output from the http endpoint like this :
{
“name”: Samir,
“mail”: “samir.farhat@mvp.com”,
“age”: “30”,
“childrens”: [
{
“name”: “Mark”,
“age”: “7”
},
{
“name”: “Helena”,
“age”: “9”
}
]
}
@activity(“Get from Web”).output
will contain the json code above
@activity(“Get from Web”).output.childrens
@activity(“Get from Web”).output.childrens[0]
buildwindows 