Microsoft Azure Virtual Training Day Implementing Hybrid Infrastructure Part 2

Captions
[Music] hello and welcome to this virtual session we're glad you can join us today before we get started there's a few housekeeping items we'd like to go over with you now firstly you can resize the webinar windows to cater to your viewing preferences you can maximize minimize and drag the windows to your preferred viewing size if you look at the bottom middle of your screen you can click on the widgets that you'll need to get the most out of this virtual experience secondly microsoft specialists are on hand to answer your questions in real time so feel free to type in your questions using the q and a window and we'll answer them as soon as we can lastly we've provided some additional resources for you to supplement your learning you can access them by clicking on the links in this section without further ado i'll hand over to our speakers hi and welcome to the second section of our azure virtual training day on hybrid cloud infrastructure today we've got two sessions to talk about the first which i'll go into in a minute is all about hybrid cloud applications and data the second is about hybrid cloud security so in this session we're going to talk about hybrid cloud applications and data and how you can think about where do i put different tiers of the application do i put it up in the cloud do i put it on prem and what are the things that i need to think about when i'm actually doing that let's get into the session [Music] in this session we're going to talk about hybrid cloud applications so tailwind traders has a number of applications that they're going to have to think about what they're going to do when they move to this hybrid posture some of the applications it makes sense to move entirely to the cloud and some of them for a variety of reasons they want to keep the data on prem maybe they want to keep the application on prem so in this session we're going to talk about all of the hybrid technologies that you can use with applications to make them work not 
just migrating the entire application lock stock and barrel to azure but instead how you can have a hybrid application where parts of the application might run in azure parts might run on prem or where the application runs on premises but is accessible to clients out on the internet where they access that application through azure so let's talk about tailwind traders hybrid cloud application requirements basically their hybrid requirement is that they need to keep some workloads on premises and move some workloads to azure and there's a variety of reasons for this some of the data that they've got stored on premises needs to be kept on premises simply for regulatory reasons they can't go and put it into the public cloud and there can be a variety of reasons for that this is definitely something that you have to deal with when you're living outside the united states and of course azure is owned by an american company and that means that there might be compliance requirements about where the data can be and how the data center can be managed and in different jurisdictions or different geographies that is handled in different ways the communication between on-premises and azure needs to be secure and reliable if an application is in a hybrid posture what it cannot be is able to be intercepted if the traffic is passing from on-prem to azure so one of the other things that we're dealing with in this particular session is this question which hybrid application technologies is appropriate for tailwind traders to use in a given set of circumstances so when you walk away from this session what you should be able to do is be able to identify which is appropriate for a given scenario so tailwind traders has the following specific requirements the first is how can tailwind traders make applications that run on their internal network available to the internet without opening inbound ports on the perimeter firewall the next question is how can taiwan traders retire their current 
perimeter network and reverse proxy that is at the moment they are publishing some applications that sit on their perimeter network out to the internet and clients on the internet access those application through the perimeter network firewall because those applications are sitting on the perimeter network what taiwan traders really wants to do is shift those applications up so that those applications still sit on an internal network but instead of having a perimeter network the traffic comes in through azure now as part of their application modernization strategy carwin traders has moved some of the web tiers of their existing applications up to azure so instead of running on iis what these applications are doing are they're now running as web apps but what tailwind traders wants to do is wants to be able to allow these web applications to use on-premises data sources such as sql server that's running on-prem eventually they're intending to migrate some of these sql server databases into azure but at the moment they're very large and there is some issues around migrating those databases so what they want to do is i want to have the front end sitting in azure and i want to have the back end sitting on prem so the next thing is they want to simplify the management of on-premises kubernetes clusters at the moment they're running kubernetes clusters using windows containers but there's a linux infrastructure that basically serves as the command and control for those kubernetes clusters and this was very difficult for tailwind traders to set up and the person that set that up has left the company and is working for someone else and basically it's very hard to replace that expertise so what taiwan traders would like to do is come up with some way of simplifying the management of their on-premises kubernetes clusters similarly they want to simplify the management of their on-premises sql and postgres sql instances again that person that set all of that up has left the 
organization they don't have the necessary experience with management of those databases they've got people that know how to develop them but they don't have the sort of it operations experience with those particular products so let's talk about hybrid cloud applications what is a hybrid cloud application well the easiest answer is a hybrid cloud application is an application that runs in the cloud but practically what a hybrid cloud application is is an application that might have one tier in the cloud and another tier on premises maybe the front ends in the cloud and the back ends on prem now moving to a hybrid cloud applications allows organizations to retire the perimeter network whilst keeping some of those applications in on-premises data centers now the reason that they want to do that is if you think about one of the biggest security risks to an organization it's a perimeter network simply because a lot of perimeter networks aren't particularly well configured and they require a lot of expertise to run and to monitor if you can delegate that away to azure then you're probably saving your organization a lot of money in the long run the other thing that you might want to do is you might want to allow application access to applications hosted on-prem on an internal network without requiring a virtual private network one of the things that we learned in 2020 especially when people were working from home was that it was often very challenging to allow them access to line of business applications that were running internally without setting up a complicated vpn or remote desktop infrastructure so one of the things that tailwind traders would like to do as a part of their hybrid cloud posturing is allow access to those internal applications that might require for example active directory authentication but allow access to those through azure rather than setting up a vpn server on the perimeter network and allowing remote access through a vpn server instead is 
there a way to publish those applications so that azure can take care of all of the bits and pieces that allow access to that internal application so in this session we're going to look at azure relay we're going to look at azure app service hybrid connections we're going to look at azure ad application proxy we're going to look at azure arc enabled kubernetes and as your arc enabled data services so the first technology we're going to look at is azure relay in previous iterations of this technology this was sometimes called service bus relay and also was related to biztalk anyway so what does azure relay do it allows you to securely expose workloads that are running on your internal network to the public cloud now a way a lot of these technologies work is that you essentially install an agent on prem that the agent on-prem reaches out to azure and creates a secure connection to azure it doesn't go through your vpn you can have a single agent on-prem and that can actually reach out to a variety of different hosts that are on-prem so from the agent to azure there is an encrypted connection but it's not a traditional site to cite vpn now the other benefit of azure relay is it doesn't require you to open an inbound port on your perimeter network firewall so the agent establishes an outbound connection rather than azure establishing an inbound connection it also allows you to publish applications to clients on the internet whereas the endpoint will be in azure without configuring a vpn connection now there's another technology we're going to talk about a little later in this session called azure active directory application proxy and you use as your relay when your application doesn't require as your active directory authentication if it does require as your active directory authentication fall over and use as your ad application proxy if you've just got an on-prem application that you want to publish to the internet then use azure relay so as your relay supports the 
following scenarios between on-premises services and applications running in azure it supports the traditional one-way request response and peer-to-peer communication it supports event distribution to enable publish and subscribe scenarios and it supports bi-directional and unbuffered socket communication across network boundaries there's two types of azure relay there's hybrid connections and we will be coming back to hybrid connections when we look at app service hybrid connections and they're very very similar they actually use the same technology but here when we're talking about azure relay we're talking about the whole app being on premises when we're talking about hybrid connections we're talking only a tier of the app being on purposes so with hybrid connection it uses open standard web sockets and it can be used across platforms so with hybrid connections you can have an on-prem app running linux you can have an on-prem app running windows and it doesn't matter you can use a hybrid connection to publish that application so that it's available to clients on the internet through azure relay there's also the windows communication foundation relays so wcf relays use windows communication foundation to enable rpc or remote procedure calls this is an existing option that customers use with their wcf program it also supports wcf relay which is what this technology used to be called as well as the.net framework now let me talk you through the process that is illustrated in this diagram step one is that the listening client sends a listening request to the is your relay service and azure load balancer will route that request to one of the gateway nodes in step two the azure relay service will create a relay in the gateway store in step three the sending client sends a request to connect to the listening service in step four the gateway that receives the request looks up for the relay in the gateway store in step 5 the gateway forwards the connection request to the 
right gateway mentioned in the gateway store in step 6 the gateway sends the request to the listening client for it to create a temporary channel to the gateway node that's closest to the sending client in step 7 the listening client creates a temporary channel to the gateway that's closest to the sending client now that a connection is established between clients via the gateway the clients can exchange messages with each other in step 8 the gateway forwards any messages from the listening client to the sending client and in step nine the gateway forwards any messages from the sending client to the listening client so what i'll do now is i'll show you a demo of how we actually set up azure relay so here we are in the azure console i go to the search bar and i type relay i click on relays so we can see here that there's already a relay and that is an app service relay i'll talk about those a little later in this session what i'm going to do is i'm going to create a new relay so i select add [Music] this gives me the create namespace so what i need to do is create a service bus and namespace i select my subscription and my resource group in this case i'm selecting the resource group twt relay now the service bus namespace must be unique in the world so in this case i've just called it twt relay service bus dot windows dot net now it will perform a check for me and you'll see that little green check mark saying that it has validated that no one else is using that particular name i specify my location here i'm specifying as east u.s i click review and create and it creates that service bus relay namespace the deployment's in progress [Music] and the deployment succeeded so i've created the service bus relay name space or this relay once i have done that i can go to the resource and what i can do is i can add a hybrid connection or a wcf relay so if we select here on entities we've got no hybrid connections for this relay at the moment and no wcf relays for this 
service bus connection at the moment so i go back to hybrid connections and i add a new hybrid connection all i need to do is provide it with a name and select whether or not it requires client authorization i'll be able to connect to these later with my application so we can see that we've got twt web app and there i can see the hybrid connection url that is used when using that relay i can select wcf relays i can add a new wcf relay now i can choose between net tcp and http in the relay type and the one that you will choose will depend on how your wcf application is actually configured i click create it creates that wcf relay i can see the relay there and by selecting the relay i can see the properties of that relay so here we see the namespace the wcf relay url whether or not it requires client authentication and the number of listeners that have so far been configured for it so in that demonstration i showed you how to configure azure relay with a wcf relay and a hybrid connection so the next technology i wish to talk about in terms of hybrid cloud applications is the azure app service hybrid connection so the idea of this one is rather than as we did in the first one we created a full relay from azure to your on-premises application with an azure app service hybrid connection what it allows you to do is allows you to connect and there's your web app obviously running in azure to an application resource on any network that is able to forward outbound requests to azure on port 443 so that could be a virtual machine running on premises it could be a virtual machine running in someone else's cloud any resource that's able to send outbound requests it can communicate with any resource provided it can function as a tcp endpoint so clear and important here is that it's tcp rather than udp so the way that it works is you use a relay agent you install a relay agent that relay agent sits on your internal network and has direct line of sight to the data source as well as 
long as that data source has a tcp endpoint so it can be a sql database it can be a my sequel database it can be a postgres sql database anything that functions as a tcp endpoint can be used with as your app service hybrid connection again with this technology it's not necessary to open an inbound port on your perimeter network firewall and of course it doesn't require that you have a vpn or an express route connection so in this diagram you can see that you've got a web app running in the cloud you've got a system that's running on premises that's hosting the relay hybrid connection now if you want you can have the relay hybrid connection on the data source itself which is what i'm going to show you in the demo or you can have the data source on another system for example you can then configure hybrid connection manager to connect through to the endpoint such as a database so what i'll do now is i'll show you a demo of setting up as your app service hybrid connection to configure a connection between a web app running in azure and a database running on a vm on premises so we start here on our vm and what i'm doing on our vm and this vm is running on premises is i am verifying the ip address configuration we can see it's 192 168 dot this is important for when we're setting up our endpoint the thing i'm showing you here is that we've got a sql database installed on this specific virtual machine the one that's 192.168.0.33 as its ip address now we're going to configure it so that a web app can go and talk to this virtual machine that's running on prem so to do that what i do is i switch across to microsoft edge and you can see here that i've opened up an app service and this app service is called twt hyb app or tailwind traders hybrid application so in the properties of this app service that we're looking at in the azure portal we scroll down and under settings under tls ssl settings we can see that there's a networking section and this section has v-net integration 
hybrid connections and as your front door with web application firewall and as your content delivery network so what we do is we select hybrid connections configure your hybrid connection endpoints and on this page we've got the option of downloading the connection manager software so we select download connection manager we get the connection manager msi installer file we open that file we get the start of the hybrid connection manager setup wizard so i accept the terms of the license agreement and it goes and installs the connection manager software on this on-premises system now here i click finish what i've chosen to do is i've chosen to put the connection manager software on the same server that's hosting the database now i don't need to do that i could do it on another server as long as it's got tcp connectivity to the server that hosts the database so the next thing i'm going to do before i run the hybrid connection manager is i'm going to add a hybrid connection so i click create new hybrid connection i provide a name for the hybrid connection in this case twt sql on-prem i've not provided endpoint host now the important thing about setting up the endpoint host is that the endpoint host address needs to be resolvable from the system that you've installed the hybrid connection manager on so it can be an ip address or a fully qualified domain name but it needs to be a ip address or a fully qualified domain name that can be resolved from the computer or the host that has the hybrid connection manager installed so in this case i just put the ip address 192.168.0.33 the next thing i do is i put the endpoint port in this case it's sql so i'll put 1433 [Music] the next option i've got is whether or not i want to create a brand new service bus namespace or select an existing service bus namespace so we saw when we looked at the azure hybrid connection that we actually created a service bus namespace for that one this is a very similar technology but instead of just 
doing a connection down from azure for the whole app in this case we're connecting an app service to a particular tcp endpoint on-prem so to make this as simple as possible what i'm going to do is i'm going to create a new service bus namespace i'm going to create it in the east u.s data center and i'm going to provide it with the name twt sql on-prem i select ok it creates that hybrid connection [Music] once that connection is successfully created my next step is to go back to the computer that i've installed the hybrid connection manager on so i select hybrid connection manager ui and i'm going to add a new hybrid connection so i need to sign in to an account that's got permission to this resource that's primeadmin and taiwantraders.org click next i provide my password and i sign in it logs in and it says select a subscription that you're associated with i select a subscription and what it does there is it performs a query on all of the hybrid connections that are configured for that subscription so you just saw me create one where i specified that ip address and you can see it there 192 168 0.33 colon 1433 it's important that you configure that addressing when you set it up in the cloud so that when you're on prem and you're selecting that it knows all of the plumbing and the routing that it needs to use to connect to that tcp data source so i select that item i select save it saves that item and then what it'll do is it'll establish the connection so we can see now that it's got a status of connected and we can go in and view that connection details we can see where it's connected to we can also see the as your ip address that it's going out and connecting to on the internet as well as use your ports that it's using so in azure it's 191 236 32.191 and it's using ports 80 and 443 on that host in azure it's also connecting to the internal ip address 192.1680.33 port 1433 so it's created a connection between those two locations so i close that i minimize that and 
i can see that it's listed as connected in the azure console and i can see the service bus namespace and the properties of that hybrid connection so in that demonstration you saw me configure a app service hybrid connection that configured a connection between an app service and an on-premises data source so now that that is configured in the app service i can configure the app running in the app service to access that connection just based on the name here twg sql on-prem because as far as the app in the app service is concerned that connection exists and it doesn't care where that resource actually is so that allows me to connect that app service app running in azure with that on-prem database through that hybrid connection so the next technology i want to talk about is azure active directory application proxy so the idea of this technology is it allows you to provide secure remote access to web applications running on an on-premises network through an external url that is the clients on the internet use an external url they authenticate using their on-prem active directory credentials which are replicated up through as your ad connect to azure this can be used as a replacement for reverse proxies or vpns there's a lot of organizations as i mentioned earlier in the talk who are publishing applications through vpn where someone's got to authenticate to their vpn and that gives them that connection into an internal application that's running on-prem and you can configure this so that it can use remote access and single sign-on to web applications that use integrated windows authentication web applications that use header-based or forms-based authentication applications hosted through remote desktop gateway and on-premises sharepoint so in this particular diagram let me talk you through how this works in step one the user connects to the application through a publicly available endpoint when they do that they perform as your active directory sign on using their 
on-premises credentials step two are tokens forwarded to the user's device after the sign-on completes in step three the client device forwards that token to the application proxy service that proxy service returns the user principal name and security principle name from the token the application proxy then forwards the request to the application proxy connector if single sign-on is enabled the application proxy connector performs additional authentication in step 5 the application proxy connector forwards the request to the on-prem application and in step 6 a response is sent through the connector and the application proxy service to the user that's sitting in front of their browser on the internet in this demonstration i'm going to show you how you set that up in azure so important to understand just before i start the rest of this demonstration is that this environment already has on-premises active directory domain services configured to replicate to as your ad through as your ad connect that is necessary before you take this next step now the other thing about setting this up especially on windows server 2019 is that there's a number of steps that you must take before you configure the connector software and these involve editing the registry so i click the start button and i go into the registry editor i run it as administrator because i want to edit the registry so here we need to create some keys and modify some existing keys so the first key is hd local machine software microsoft windows current version internet settings win http and here i'm just using a bit of powershell to actually create a http 2 default enable key and we set that set to zero the next thing we need to do is we need to go in hk local machine system current control set control security providers s channel or secure channel protocols and what we need to do is we need to actually create some keys and set some registry entries so what i do first is i create a new key and that key is called 
tls 1.2 and a key is basically a folder in the registry if you want to think of it that way so within that tls 1.2 folder i create a d word and the d word is disabled by default and i leave that at the default setting of zero i then create a new registry entry another d word and this one is enabled and i set the enabled value to one to turn that on i then create a new key under tls 1.2 and this one is called server so within server i create the same registry items that i actually created under tls 1.2 so the first one is disabled by default and that's set to zero the next registry item is enabled and we set the value of that to one then we navigate to the final area of the registry that we need to configure and again this is a a little more into the weeds than it usually is when you're setting things up to work so here we go into the dotnet framework registry we go into the version pool point 0.303.19 we create a new registry entry called strong schuster and we set the value of that to one once we have configured all of those registry entries and we have to do it manually even on windows server 2019 we need to restart the server so we restart the server the server reboots and those registry entries will take effect [Music] some registry entries take effect automatically some it's better just to actually push through a reboot so now that we've performed the reboot and we've signed back on what we're going to do is we're going to open up microsoft edge we're going to sign in as prime admin at tailwindtraders.org we put in our password we're in the as your portal we go to azure active directory we scroll down and we select application proxy so application proxy does require azure ad premium we've already got that configured next thing we do is we download the connector service software that downloads the connector service software executable [Music] i click on that it starts the installation wizard i accept the license terms i click install and it runs the application 
proxy installer that requires me to again sign in with an account that's got appropriate permissions to azure active directory it needs global administrator permissions to do this i click sign in it then configures the connection between this particular system and as your active directory so if i do refresh i can see here that i've got a connector established and once i've got a connector established i can configure a new application so i give the application a name this is the internal active directory authentication app this is the internal url that is resolvable from the machine i just installed the connector on it's just https internal app we can see that it's given me an external url and we can configure some additional settings so http cookie only with our required secure cookie persistent cookie translate urls between the internal app and the external app that clients will be accessing this application to from the internet so if we look at the properties of this application here we can assign users and groups to that application we can turn on single sign-on we can provision user accounts we can configure a custom policy and we can configure whether or not that's self-service if we go to properties here we can see the home page url of that particular application and the user accessible url the application id whether or not user assignments required and all of the other settings that you would configure for this application in the same way that you would configure an application that was running just in azure okay so the next technology i want to talk about is azure arc enabled kubernetes so what is your arc enabled kubernetes does is instead of installing a linux headnode to run your windows server containers what it does is allows the management of kubernetes running on-prem through the azure portal so it's a lot simpler because you're just running kubernetes through as you're being your control node rather than doing it through basically hand built 
kubernetes it allows you to connect kubernetes clusters outside of azure and you can perform inventory grouping and tagging tasks you can deploy applications and apply configurations to kubernetes clusters using git ops based configuration management you can use as your monitor for containers to review and monitor your hybrid kubernetes clusters and you can apply as your policy for kubernetes policy to hybrid kubernetes clusters you can see in this diagram we've got azure on one side and we've got azure arc enabled kubernetes clusters now the advantage of azure arc enabled kubernetes clusters is all of the plumbing for that is done for you automatically by azure arc which means all you have to worry about is deploying the application and all of the kubernetes management itself is handled by azure the next topic i want to talk about is azure arc enabled data services so what this allows organizations to do is a run as your database for postgres sql servers and sql managed instances on-prem so what that means is instead of you being responsible for managing your postgres sql servers or sql server you can do what you do in the cloud which is you allow azure to manage postgres or as you were to manage sql server and you just worry about running the database on it so that it's running it on prem in a virtual machine except for you're not worrying about the care and feeding of that vm that's being handled by as your arc you can manage it through as your data studio as your portal or the azure cli and the advantage of this is it automates the patching and update processes for these on-premises database instances as i said you just worry about running the database the database engine and the operating system that hosts the database engine is all updated and managed automatically by as your arc it also when you light this up applies database advanced threat protection functionality in azure security center for managed sql instances on-prem which means that you get all of 
the security configuration and all the security monitoring functionality of Azure Security Center that you would use for those things in Azure, for your on-prem instances. It also uses container and Kubernetes services to host the managed database instance; this is the way that it does it. So it's not actually deploying a VM, it's deploying PostgreSQL and SQL in containers, and the containers themselves are being managed by Azure Arc. Anyway, in this session I talked about how you could use Azure Relay to make internal applications available to the internet without having to open inbound ports on your perimeter firewall. In this session I showed you how you could use Azure AD Application Proxy to allow Tailwind Traders to retire their reverse proxy for applications that required on-premises Active Directory authentication. In this session I talked about how you could use Azure App Service Hybrid Connections to allow Azure web apps to use on-premises data sources. In this session I talked about how you could use Azure Arc enabled Kubernetes to simplify management of on-premises Kubernetes clusters, and I talked about how you can use Azure Arc enabled data services to simplify the management of on-premises SQL and PostgreSQL instances. On this page you can see an additional set of resources that'll take you to docs.microsoft.com and actually allow you to see in much more detail how to use Azure Relay, Azure App Service Hybrid Connections, Azure AD Application Proxy, Azure Arc enabled Kubernetes and Azure Arc enabled data services. Thank you very much for your attention. Okay, so in that session we looked at hybrid cloud applications and we looked at hybrid cloud data. Now we're going to take a break for 10 minutes, and when we come back from the break we're going to look at hybrid cloud security. I hope to see you in the session.
Welcome back from the break. This is our fifth and final module of our Microsoft Virtual Training Day, Implementing Hybrid Infrastructure. In this module, called Hybrid Security, we will have a look at things like how we can take advantage of Azure management and security technology to check that our servers have the most recent updates installed and are compliant with our company policies. So let's have a look. In this session we are going to talk about hybrid cloud security. I'm going to have a look at how organizations can take advantage of cloud security from Azure for their on-premises or even multi-cloud systems. We are again going to use our demonstration company, Tailwind Traders, which represents everyone and no one at the same time, to make some examples of how you can actually implement hybrid cloud security in your environment and take advantage of what the company and organization can actually do. So to get started, again I want to quickly highlight a couple of the requirements Tailwind Traders has, and again in this session we're going to talk about and focus on security. Now, Tailwind Traders, as mentioned before, is a company which is going to a hybrid environment, meaning that they are moving some of their workloads to Azure, but for other reasons some of their workloads need to stay on-prem. They for example have workloads which can't move to Azure because there's no network connectivity, or they have bad latency to the nearest Azure region, as well as some data sovereignty challenges where they can't store data outside of their premises or outside of their country. However, Tailwind Traders wants to take advantage of Azure cloud security, because they saw how advanced the cloud security services in Azure are, and they want to use the same set of tools to secure all of their on-premises workloads as well as their cloud workloads running in
Azure, and even at other cloud providers. So we're going to have a look at which hybrid security technologies Tailwind Traders should use for their environment. In this session we're going to have a couple of different scenarios Tailwind Traders will have a look at, and some of the challenges they're actually dealing with today, and we're going to have a look at how they can solve these challenges using some of our Azure services. The first one we are going to have a look at is: how can Tailwind Traders ensure that all their servers in their hybrid environment have the most recent software updates installed? If you are a server admin who was responsible for patching your systems, you know exactly what I'm talking about: it's very difficult to actually make sure that all the systems have the latest patches installed and are actually automatically patched, especially when they're running at multiple different locations. The next thing we're going to talk about is how they can manage their hybrid cloud environments and their servers and their systems to check that all their configurations are compliant with their company policy. We're also going to have a look at how they can actually see if important files on their hybrid cloud compute workloads have been altered. So we're going to check, with for example different security tooling, to make sure that if there is a security threat we can actually detect that. And then, last but not least, we're going to have a look at how they can take advantage of the event logs of their Windows systems, or also the syslogs of their Linux systems, in a Log Analytics workspace, and then actually scan the environment through these logs, get different information and take advantage of that, and then from there even create alerts to see when there is something happening. So these are some of the scenarios we're going to have a look at. With that, we're looking at the following
technologies in this session. We're basically looking at Azure Update Management. We're going to have a look at Azure Arc enabled servers, especially together with Azure guest configuration policies, to actually manage the configuration of the operating systems and audit these machines to see if they are compliant with our company policies. We're going to have a look at how we can take advantage of Azure Security Center, not just for our workloads running in Azure but also our workloads running on-premises or at other cloud providers. And then we're going to have a look at hybrid monitoring, and how we can actually monitor our servers and then take advantage of the centralized log collection we have using Azure Log Analytics, and then basically run queries against these logs, actually find things out, and then even create alerts from there. So before we start with that, I quickly want to talk about cloud security in general, and again that doesn't really just mean the workloads you run in Azure; it means your hybrid cloud as well, right? And we see that as a shared responsibility. Microsoft is obviously committed to securing the foundation, meaning that we make sure that the physical assets like our data centers are protected, that no one can access them at any time, that the data is protected, that no one can steal data out of it, and so on. We also want to make sure that the same thing happens with our data center operations: that they are secure, to make sure that obviously the data centers are running on one hand, but also that no one can access your data. And the same thing obviously applies to the cloud infrastructure, talking about hardware as well as software, right? We want to make sure that the software and the hardware running in our data centers, but also things like Azure Stack HCI, for example, or Windows Server, or Azure Stack Hub or Azure Stack Edge, and all these devices, are also secured, and we actually want to make sure that they get the most
security they can get. But there are some parts where the customer needs to take action, and that is where we see it as a joint responsibility, right? We don't just want to give the customers the tools and then just see whatever the customer does with them, because let's face it, we all have enough to do, and none of our companies probably has enough security people in the company itself, right? So at Microsoft we internally spend billions on security and on making sure that our assets are secure, but also that our customers' assets are secure, and so we want to take advantage of that knowledge and share it with our customers, and provide our customers the built-in tools and controls to make their workloads and their deployments secure. So even though we make sure that the platform is secure, when it comes to virtual machines, servers and virtual networks, you need to make sure that you actually secure them. When it comes to apps and workloads running in Azure, but also in your own data centers, you want to make sure that they are secured and that they're configured in the right way. And the same thing with data: you also want to make sure that this is encrypted, right? And again, there's no difference between running it in Azure or running it in your own data centers if you're using Microsoft technology. For example, in Azure we want to provide you with the right tool set to actually take security measures, encryption and so on, to help you secure your workloads, and again the same thing also applies obviously for hybrid workloads. We want to extend that: we don't just want to say, okay, we're going to help you with security as soon as it runs in Azure; we also want to help you obviously with security when it runs in your own data center, or even at another cloud provider. Now let's start with the first challenge we are seeing from Tailwind Traders. One of the largest challenges is update management. So what Tailwind Traders needs to do is, they
need to actually patch physical and virtual machines running on-premises and in the cloud, in Azure but also at other cloud providers, and they're running Windows Server and Linux workloads. And again, they need to make sure that they have the latest patches installed. They want to have the possibility to get a compliance view, to actually see which systems are not patched and which systems are patched, so they know, okay, where they need to work on. And then they also want to have a centralized dashboard, if you will, where they can actually start the update process and deploy these software updates to the specific machines. And that is exactly where Azure Update Management comes in. So Azure Update Management does a couple of different things. If it's configured, it actually goes out and checks the update compliance state of Windows Server and Linux machines running on-premises, at other cloud providers or in Azure. It then can go out and even deploy and install software updates, again running on Windows, on Linux, basically on any infrastructure, and that really helps to avoid Tailwind Traders needing to have different products depending on the operating system or the location that server is running in. So that is where Azure Update Management comes in, and if we have a look at the architecture here, here's a quick architecture diagram of how that can work. You can see here on the right we have Azure, and then on the left we have on-premises or Azure VMs, really depending on where you run them. Now, what are we actually doing? We're taking Azure Automation and Log Analytics and have built this update management solution with these products. So we actually go out and install the Log Analytics agent, which then reports the update status to the Log Analytics workspace. The update management solution then goes through these logs and basically can find out, okay, which updates are installed on which specific system and which ones are missing. And then with the deployment part of the update, which I'm
going to show you in a quick demo, you can actually go out and trigger the updates on these specific machines, and again in different environments. Again, we can use Azure, but in a hybrid environment we have something called the Hybrid Runbook Worker, which then actually will go through and trigger these updates. And you can even configure pre and post steps, so if you for example need to run a script before you install an update and then run a script after the update is installed, you can do that as well. So with that, let's have a look at the Azure Update Management demo. Now, here I'm back in Windows Admin Center, and what I'm going to show you is I'm going to onboard my on-premises systems here, running in my local domain in my local data centers, in the Tailwind Traders data center. I'm also going to onboard one of the Azure machines, so you can actually see that we can then see both Azure VMs and non-Azure VMs side by side. Again, here I could also add machines from other cloud providers if I needed to; again, it doesn't really matter where these machines are running, at the end we can see them in a single pane of glass. So let's start and let's onboard one of these servers. Now I'm going to do that using Windows Admin Center. I'm going to the Updates solution, or the Updates extension. There I can manage my updates locally; I can go and say, okay, install the latest updates. However, I want to have that centralized view, so I'm going to join that server to Azure Update Management. So I click on the server I want to join, I go to Updates, and here I can now click on Update to onboard the server to Update Management. I'm going to select the right subscription, the region for the Log Analytics workspace, I give the Log Analytics workspace a name, I give the Azure Automation account a name, and I create a new resource group or use an existing one; in my case I have the hybrid RG. And then I'm going to click on Set up. Now, what this will do is it will go out and create, in my case, a
new Log Analytics workspace, and then it will install the agent on that specific server and join that data to the Log Analytics workspace. It will also create the Azure Automation account. Now, in the meantime, let's go to our server running in Azure. We also can do that using Update Management; again, do the same steps here to onboard that to Update Management. You could also join a server or a VM running in Azure directly within the Azure portal; you don't need to use Windows Admin Center in this case, but if you're using Windows Admin Center you can do that as well. You can see here I'm going to use the same Log Analytics workspace and Azure Automation account I'm using for the other machine as well, so basically then we get the single control plane. So this again will then download the agent and join it to the specific Log Analytics workspace. And if we go down to Azure, to our Automation account and the Update Management solution, we will now see here our two machines: one of them running in Azure, the other is a non-Azure VM, and one of them is not compliant. So let's fix that and create a new update deployment. We provide the name, we can select the operating system, because depending on which operating system you're patching it's a little bit different. You can then select a group of machines. Now, a group can be of different types, and we can for example just select all the servers joined to a specific subscription; we can also filter on tags, for example, and so on, or locations and resource groups. We can also do that similarly for non-Azure VMs and can filter all of that. Or, I'll quickly show you that we can also just select single VMs: in this case I can just go and, for example, search, or I can just list my machines here, and then here you see the two machines, and I could just add them as well, separately. In most production cases you will probably add a group based on, for example, tags. And then you can select which update classification should be installed; you
can include and exclude updates if you need to. You can then schedule the specific update, so I can do that, and I can also create a recurring update if I want to. I can then configure pre and post scripts, I can configure the length of the maintenance window and the reboot options; reboot if required sounds like a good idea. And then I create that scheduled update deployment. Now this will go out and then start that deployment for my machines, and you can see here one of the machines is not compliant, but both of them have updates missing. So this is now a deployment, and we can see that under Deployment schedules. And after a while, after the deployment has run, we can do a quick refresh, for example, and now you will see that both servers or machines are now compliant, because they have no updates left anymore; they're fully patched in this case, and we have basically all the updates installed. Now again, this is great for a couple of scenarios; it makes it super easy. You can even schedule, as I said, these updates for the future, so you can make them recurring updates. What I usually do, or what our customers very often do, is they do that based on tags. So, for example, if you have domain controllers or clusters you want to patch, you don't want to patch all nodes at the same time. So what we do is we create an update tag for update group 1, where domain controller 1 is, and then update group 1 gets patched on a Tuesday, and then domain controller 2 is in update group 2, which will be patched on the first day, for example. So you can work with that; you can also do that dynamically, and really it just goes out and checks on the specific tags, but depending really on how you integrate Update Management. So this was the Update Management demo. Update Management, as mentioned, does a couple of different things: it goes out, it basically assesses your systems, you can then deploy updates to them, it verifies the compliance of these systems and again assesses this, and you can again
deploy updates to them. It works with Windows Server and Linux VMs; they can run in Azure, at other cloud providers or on-premises. You can do custom approval criteria, you have that single pane of glass where you can see all your servers and the patch state of all your servers, and again you can schedule these and do these update deployments, for example weekly or monthly or whatever you prefer. So the next thing I want to talk about are different pain points we can see here from Tailwind Traders, and I just want to highlight a couple of them. For some of their environments they really want to have an overview, make sure that they have compliance, right? They actually can see that their infrastructure is compliant, that their servers are compliant with different company policies. Also their compliance experts are coming and saying, hey, we want to have a list of all the servers from a specific department; I want to see that they're complying with that specific status, and we actually need tools to measure that. Now, you can imagine in Azure for that we have Azure Policy and Azure guest configuration policy, but the question often came: how can we do that for systems which are running outside of Azure? And the answer is easy; we talked about that before: it is Azure Arc enabled servers. Now, I showed you before how that actually works, different things like how you can onboard servers; we showed you different management tools like Azure Monitor you can then easily use within Azure. Now, for this scenario I want to highlight the governance and security features, and we're going to have a look at the Azure guest configuration policies we can assign to Azure VMs but also to on-premises servers running the Azure Arc agent, and then we can actually do a compliance check on our whole environment. So this is the architecture I showed you before. Again, on the left side you see our on-premises servers; these could also run at other cloud providers, and
we actually installed the Azure Arc server agent on these machines, and they are now part of Azure as an Azure resource in Azure Resource Manager, and we can onboard different Azure management services like Azure Monitor, Azure Update Management, or, what I'm going to show you now, Azure Policy. So let's have a quick demo of Azure Arc configuration management with Azure guest configuration policies. So here I'm back in the Azure portal, and you can see here the machine we recently onboarded to Azure Arc, and it again shows up as an Azure resource. If you have a quick look at that machine, you can see here the status of the machine is connected, it's joined to a resource group and subscription, so it is now an Azure resource. So let's switch to Azure Policy. Azure Policy lets me manage all these policies for my environment, and let's create a new assignment. So I'm going to assign a new policy; I'm going to select the scope, which can be a management group, subscription, resource group or even a resource. In our case we're just going to select a resource group, and then I'm going to select the policy definition. We have some built-in ones here which you can leverage, so we're looking for one which basically checks if automatically updated protection signatures are deployed. So we can select that, and then we can give it a description. Now these are, as I mentioned, built in, so you can just start using them; you can also build your own if you wanted to, and we have a GitHub repository where you actually can find examples of how you build your own policies. So I've assigned that policy, and this will take a while. We can now go to the compliance view; it will actually check the compliance state of my systems within that resource group. So we will take the power of video editing and come back a little bit later in time, and you can see here now it says compliant. So if I go to this policy assignment now, I can see here that my "Microsoft Antimalware for Azure should be
configured to automatically update protection signatures" policy is working, and I can always then see all my compliant resources. If I have non-compliant resources I can also list those, and I can actually figure out, okay, how many resources are actually not working, and I can then go out and see why they are not configured the right way, and then actually take action on this. Now, Azure Policy is a great way, and again with Azure Arc we could now see the different servers running in Azure or also outside of Azure next to each other, and we get that single pane of glass where we can see the compliance view of that environment. So that was a quick demo of Azure Arc guest configuration policy. The next technology I want to talk about is Azure Security Center. Now, Azure Security Center really helps us with a couple of different things when it comes to security. It can actually go out and find threats, make us recommendations and alert us, so this is a great service, and you'll probably have seen, if you configure your Azure workloads, that you can enable it for your specific workloads and subscriptions to get all that information together. What a lot of people don't know is that you can also connect your on-premises private cloud and other public cloud provider workloads as well. How we are actually doing that is by using Windows and Linux agents, which then can go and get the Windows event log or syslogs or configurations from these specific servers, and other services as well. We then do some normalization, and we add some additional information to these logs with the agent, because then we can make some smarter decisions and give you some smarter recommendations as well. These will then be stored in a scalable Log Analytics platform, which we're going to see a little bit later, where you can then actually go out, and you could already go and export these logs to Excel or Power BI and do your own analytics on them if you wanted to. However, with Security Center we
add a little bit more to it. So what we do is we obviously can also add other Azure services like networking and PaaS services as well, and then we take advantage of our threat intelligence. We spend a lot of money on protecting our own cloud services, services like Xbox Live, Office 365 and also Azure obviously, and we take all that, and much, much more information, and we do some security analytics on it. With that we can produce threat detections, or we can see, for example, if one of your servers connects to an IP address which we clearly know is part of the darknet or is an infected PC or server or whatever; we can actually tell you, hey, this system connects to an IP address which it definitely shouldn't connect to, and you want to take action on that and have a look at why it is doing that. We can then also give you recommendations, before something happens, to make sure that your environment is configured in the right way. So this is all then done, and then we will present that in Azure Security Center, where you have a security dashboard which delivers you the insights into what is going on in your environment. It gives you security recommendations, again to take action on these specific tasks, and then you can even go out and do some further investigation with log search and so on, or you can then go out and create security alerts. You can then, for example, just send notifications, you can trigger some REST APIs, or build your own automation to actually do whatever you need to do, for example send you a message in Teams, or send a message in a Teams channel to a specific team so they can take action on it. So pretty cool stuff, and again not just available obviously for Azure resources but also for hybrid resources as well, and that is what we're going to show you in a quick demo. So let's do a quick demo of Azure Security Center. So here I'm back in Windows Admin Center, and what I'm going to show you here is how we can onboard
a machine which we haven't really used yet and onboard that to Azure Security Center, so we can actually send these logs into a Log Analytics workspace, and then from there we actually connect it to Azure Security Center, and Security Center will then give us security recommendations and obviously also alerts if something would happen. So for that I want to show you how that is done. So let's select server 2 here, connect to that server, and now we can simply go to, for example, Azure Security Center, which will help us easily onboard that. So I can select my Azure subscription here, and I create a new Log Analytics workspace. Again, in your production environment you probably use the same Log Analytics workspace you also use for monitoring and other things, but for demo purposes we just create a new one. We also create a new resource group for this demo, and then we click on Set up. This will now create this new Log Analytics workspace, this will create the specific information like the resource group, and then it will download the agent and configure the agent on that machine. And you can see here, here it would then show the recommendations; it will take a while until these logs are actually analyzed. In the meantime, let's connect to another server and do the same thing as well, but in this case we are just using an existing workspace. So you can see here we have the workspace already selected; we're going to select that specific workspace. And let's go back and let's also add our server running in Azure; this one again is our Azure machine, so we can select that as well. Again, you can also directly onboard this from the Azure portal if you want to. So here again we just select the existing workspace, click on Set up, and now this will set up Azure Security Center on that specific machine as well. Now let's jump to the Azure portal. Here we are in Azure Security Center, where you get all the recommendations and the overview. Under Inventory we can now see all the systems you
have joined, so you can see here a couple of virtual networks and virtual machines, but also my on-premises machines. So if I switch back to Windows Admin Center, as a server admin I can now go into my server here, go to Azure Security Center, and I will get the recommendations directly for my system here, and I can see what I need to do. I can click on it and it will take me to the Azure portal, where I can find even more information about that recommendation. So this was the Azure Security Center demo. Now, the next thing we want to have a look at is hybrid security monitoring for your environment, right? And there are a couple of scenarios where we can actually go, and we have a couple of different products available here which you can leverage in your environment. So how we attach hybrid workloads which are running outside of Azure is by using an agent, right? So we're going to deploy an agent on these hybrid operating system workloads, and depending on the operating system itself, we can then send the different security log data to, for example, Log Analytics and then also to Azure Sentinel. So what we can do here is we can actually go out and, for example, send Windows security events with a connector to Azure Sentinel. We also have different connectors for identity, to actually send on-premises Active Directory Domain Services telemetry to Azure Sentinel. We also have one for Microsoft Defender for Endpoint to stream the alerts to Azure Sentinel, and then for Linux we also have connectors for Linux operating systems that can forward syslogs and other data sources basically to Azure Sentinel. Azure Sentinel, then, is a service; it's a cloud-based SIEM solution which can go and analyze this telemetry to detect and hunt, and then prevent and respond to threats against our hybrid operating systems. Again, Azure Sentinel is basically a hybrid service running in Azure where we can connect different sources. You also have, for
example, connectors from different hardware and network gear vendors which can also send logs there, so it's really one place to get all your security logs together, and then you can do some analysis and threat hunting there as well. So to have a quick look at how that could look in a more architectural way: you can see here on the left side we have resources living outside of Azure. This can be, again, if you look at it, on-premises systems; it can be running on your infrastructure, it can be physical machines, or it can even be on Azure Stack as well. And then we can also onboard workloads which are running at other cloud providers, and then they can basically be collected and then connected to Azure, to the Log Analytics workspace, and then you can take advantage of things I just showed you, like Azure Security Center or Azure Sentinel, which will give you these advanced security services. So I think it's time for a quick demo of hybrid security monitoring, and again this is not just necessarily about security monitoring; I want to show you a little bit how monitoring in general can work for your hybrid systems. So what I'm going to do here is we're back in Windows Admin Center, and we are going to onboard a server to a Log Analytics workspace, and then we're going to use the Kusto Query Language to basically do queries against these logs. And we're going to show you that you actually can get everything out of these logs from different systems, everything you actually added in the connector, and then you can go through and get all these logs out; it doesn't matter if it's security logs or performance logs or system events, what not. And then you can do different things like create dashboards, or you could create security alerts, and much, much more. So let's get started. First we move to the Azure portal, and let's create a new Log Analytics workspace. We showed you that many, many times in Windows Admin
Center, but for now let's create a new Log Analytics workspace actually in Azure; again, in production you will probably use the same one. So we give that a new resource group, we give that Log Analytics workspace a name, and we select the region where the Log Analytics data is stored. Pricing-wise this is basically pay as you go, so the more logs you send into the Log Analytics workspace, and the more you store, the more that service will be costing. And so we create that deployment, and this will create a new Log Analytics workspace. So let's switch back to our Windows Admin Center and let's go to our file server one here, and we can actually now configure Azure Monitor for that. We click on Azure Monitor, we select the server here, and now we're going to select the subscription. We're going to use an existing resource group, so with that we can also select an existing Log Analytics workspace, and then we hit Set up. This will now go out and download the agent, connect that agent to the Log Analytics workspace, and start sending logs to the Log Analytics workspace. Now, when we are back in the Azure portal, let's go to that specific Azure Log Analytics workspace, and here we can do some advanced settings. So we can obviously configure more data sources here; you can see that we can onboard more data. But for the connected machines, let's add a couple of logs we actually want to have. So first of all I want to see the System log, so let's add that, and then we also want to have, for example, the Application log, so let's add that as well, and then let's save this quickly, and now the agent will send us even more logs, right? And then we can do the same thing for performance counters. You can see here a couple of them already as default, but I can actually go here and then have a look at the different other performance counters, so you can actually go through all the performance counters on these different systems. So whenever
you need some performance data you can actually find that here in that specific collection and you can add that as well again there's more to add like syslogs and linux performance counters and and so on you can even do custom fields if you wanted to as well so now let's switch to logs and this is actually the the log editor if you will where i can actually create queries uh with the keyword query language some of you maybe remember it as custo so with performance here with this query i get the performance information in my log analytics workspace so you can see here this is all the different performance logs sent to that specific workspace with all that information here so you can see here if i drill in a little bit more i get even more information about what is it what this um information is i can also do other things i can for example do some more queries here so very simple one here is obviously with events so i can list all the events in my local analytics workspace and again this gives me provides me now all the events of all the servers joined to that log analytics workspace right i can then do obviously some more advanced queries so i can summarize them by count so i can actually go out and summarize them by source for example so i can see here how many events do i have depending on the different event logs and then i can also obviously drill into these and find some more information okay so what what is actually um depending on the different results i get here i can also do like if i go back and do just events again um i can then see uh and drill into the different events here for example so i have a dns event uh and so on i can then find all the information for that specific uh event entry not just necessarily like i showed you before from the performance part but also from the event itself now from here obviously this is great if i just want to search for something really specific but i can build some really um nice queries like really advanced queries 
where i can really find just the information i want and i can use that for reports i could also like just export these this data i can create new alert rules now from here i could say okay whenever a specific event for example happens or i could build a query which goes just for a specific event let's say a user logs a specific user logs in to a machine i could actually go out and build that query and then save that query and create a new alert rule so as soon as that give the new entry is created uh it will then actually create an alert which that means it could be just send an email a notification uh it could go out and kick off a run book it could go out and send a message to teams for example or whatever your automation basically is and you can get notified about this and again same thing happens so what like if for example the same thing on performance data if for example you're running out of disk space or other other stuff as well you can build these alertings as well again not just for security but also for performance data or other events you can create that now you can also go out and for example build some nice charts so if you just don't want to have this log information you can go out and build a chart which actually shows you uh all the performance informations from your specific set services um vms performance data storage data for example um you can also go and see like if all the backups are working and say okay how many backups did i do how many of them were successful how many backups did not work and build actually has some nice charts here you can then pin these charts for example on the azure portal page dashboard and then you can actually if you log in you can have multiple dashboards one is for example your monitoring dashboard for backup so you can click on that and you get all the overview about all the things you did and we have the same things we have examples for example for governance where you can actually build a governance dashboard 
also based on on these log queries right so very powerful tool um something you really should definitely have a look at um [Music] so this was the hybrid security monitoring demo let's do a quick summary of what we just saw so first of all we had a look look at how tailwind traders can use azure update management to ensure that all their hybrid cloud compute workloads have the most recent software updates installed again very um big task for a lot of it administrators and it departments to make sure that they have all the patches installed and actually can have that single pane of glass view where they can actually have a look at what update which updates are missing on which systems and then go out and trigger these update deployments as well as also autumn automate these update deployments another thing we had to look at is um on azure arc enabled servers and how we can actually um check that all our servers running on azure but also in a hybrid environment on premises and that other cloud providers have a compliant state right we checked how for simple settings we can also for example make sure that uh all the servers are in a specific time zone so that there's no configuration drift uh we can make sure that for example we have some advanced rules which checks for insecure password settings so we can make sure that all our servers have secure password settings enabled and it doesn't really matter where they are running if they're running in azure if they're running on premises in our own data center if they're running in a branch office in a retail store we can can keep control over all these servers and again also other cloud providers we also had a look how tailwind traders can actually use azure security center to take advantage of the azure security services and find out about notifications made to different files and get obviously recommendations to different challenges or different security alerts generated by by the system and then we had a look at how we 
can use azure sentinel um to be alerted when there is specific uh some suspicious activity or security events happening and to the event log or also some event log or monitoring information in general and actually you get like you can actually build alerts and dashboards and so on so with that we have some additional resources i want to share with you so if you want to know more about these services we just spoke about you can have here a look at for example azure update management azure security center monitoring hybrid security or azure arc configuration management with policy so we have all these aka ms links and as you can see then we have these shortcuts to bring you the right to the right documentation pages you can also follow our team here um [Music] on on our blog and if you want to reach out uh feel free to connect with our team to actually talk about we are here to help and get your feedback on what is working and what is not working so this concludes our microsoft azure virtual training day implementing hybrid infrastructure so let's do a quick recap of the content we have had a look today so first of all we got an overview about azure hybrid cloud technologies we had a look at hybrid networking implementation and how you can connect your on-premises environment to azure we had a look at how you can take advantage of the azure management technologies to manage your compute workloads we also had then a look at how you actually can manage and deploy apps and data in a hybrid environment and last but not least we also had a look at hybrid cloud security and how you can take advantage of azure management and security tools to make your on-premises environment even more secure so with that we want to say thank you for attendance and i hope you enjoyed these sessions if you want to go further with your learning journey i highly recommend to have a look at microsoft learn where you have your self-paced learning platform for free and then also make sure you 
check out the calendar for future microsoft azure virtual training days [Music] [Music] [Music] [Music] [Music] you [Music] [Music] that's [Music] me [Music] so [Music] um [Music] yes [Music] mmm [Music] oh [Music] [Music] so [Music] uh [Music] [Music] so [Music] [Music] so [Music] [Music] [Music] oh [Music] oh [Music] wow [Music] oh [Music] so [Music] [Applause] [Music] [Music] we will [Music] oh [Music] me [Music] [Music] you
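Worked Log Analytics queries for the monitoring demo narrated above, added here as an example; these are not queries shown in the session or published by Microsoft. They assume a workspace where the Windows System and Application event logs and the default performance counters have been enabled as in the demo, and they use the standard Azure Monitor Logs tables (Heartbeat, Event, Perf, SecurityEvent). The account name svc-backup is a placeholder.

```kql
// Added example queries (not from the training-day demo). They assume a Log
// Analytics workspace with the Windows System/Application event logs and the
// default performance counters enabled, as configured in the demo above.
// Table and column names (Heartbeat, Event, Perf, SecurityEvent) are the
// standard Azure Monitor Logs schema.

// 1. Which onboarded machines are still reporting? A machine silent for more
//    than 15 minutes is a monitoring gap and deserves an alert of its own.
Heartbeat
| summarize LastSeen = max(TimeGenerated) by Computer
| where LastSeen < ago(15m)

// 2. Event volume per event log and source, the "summarize by Source" query
//    from the demo, narrowed to the last day so the result stays readable.
Event
| where TimeGenerated > ago(1d)
| summarize EventCount = count() by EventLog, Source
| order by EventCount desc

// 3. Drill into one source: unexpected service stops from the System log.
//    Event ID 7034 ("service terminated unexpectedly") is a standard Windows
//    Service Control Manager event.
Event
| where EventLog == "System" and Source == "Service Control Manager" and EventID == 7034
| project TimeGenerated, Computer, RenderedDescription

// 4. Disk-space alert query: any logical disk with less than 10% free space.
//    Use it as the condition of a log alert rule with "number of results > 0"
//    to get the email / runbook / Teams action described in the demo.
Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where InstanceName != "_Total"
| where TimeGenerated > ago(15m)
| summarize FreePct = min(CounterValue) by Computer, InstanceName
| where FreePct < 10

// 5. "A specific user logged on" alert from the demo. The Windows Security log
//    is not collected through the Event table's Windows Event Logs data source;
//    those records land in SecurityEvent once Security Center / Sentinel
//    security event collection is enabled. Account "svc-backup" is a placeholder.
SecurityEvent
| where EventID == 4624 and Account endswith @"\svc-backup"
| where LogonType in (2, 10)           // interactive or remote interactive logon
| project TimeGenerated, Computer, Account, LogonType, IpAddress
```

In the Logs editor each query is run on its own (select it and run, or paste one at a time); queries 4 and 5 are the ones you would save and attach to a new alert rule, and queries 1 and 2 are the natural candidates to render as charts and pin to a dashboard.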
Info
Channel: Microsoft Azure
Views: 106
Keywords: Microsoft Azure, Azure, Microsoft, Microsoft Azure Certification, Microsoft Azure Fundamentals, Microsoft azure fundamentals virtual training, webinar
Id: gJj0dqmx0rA
Length: 121min 1sec (7261 seconds)
Published: Tue Sep 28 2021