Saturday, May 3, 2025

Deploy Azure App Service and MySQL with Private DNS Zone using Reusable Terraform Modules

We will deploy the resources below using Terraform reusable modules, following the Azure landing zone concept that is part of the Cloud Adoption Framework (CAF). This setup covers only the infrastructure resources. If you are new to Terraform, the same concept has been explained using the Azure Portal, and I have covered Azure Management Groups and subscription planning in this link – Azure Management Groups and Subscriptions Design.

An Azure landing zone is a design that accounts for scale, security governance, networking, and identity, enabling seamless application migration, modernization, and innovation at enterprise scale in Azure. This approach considers all platform resources, whether infrastructure as a service (IaaS) or platform as a service (PaaS).

Benefits of Azure Landing Zones –

  • Good governance (for example, a policy across the whole environment that no internet-exposed storage accounts can be provisioned)
  • Security (improved security controls, network segmentation, identity management, service principals, managed identities)
  • Scalability (adding a datacenter or improving the design with Virtual WAN should be seamless)
  • Cost savings (segregated billing with subscriptions for overall control, or applying Azure Hybrid Benefit using policies)

Since the requirement is to start small, Azure Firewall and Azure Application Gateway are not used in this design.

Resources Provisioned –

1. Virtual Network (10.51.0.0/16)
2. Linux App Service Plan
3. Linux App Service with PHP 8.0
4. Virtual Network
5. Private DNS Zone

Modules are convenient to place into folders and reuse resource configurations with Terraform for multiple deployments.
Also, changing/upgrading specific resource configurations becomes easier.
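As an added example (this is not code from the azure365pro repository), here is a small reusable module for the database side of the layout described above: a MySQL Flexible Server with private (VNet-only) access plus the Private DNS zone it resolves through, and a root configuration that calls the module. The module path, resource names, region, SKU and the subnet range are assumptions; only the 10.51.0.0/16 address space comes from the post.

```hcl
# Added example, not the repository's own code. Names, paths and ranges are assumptions.

# ---- modules/mysql-private/variables.tf ----
variable "name"                { type = string }
variable "location"            { type = string }
variable "resource_group_name" { type = string }
variable "virtual_network_id"  { type = string }
variable "delegated_subnet_id" { type = string }
variable "administrator_login" { type = string }
variable "administrator_password" {
  type      = string
  sensitive = true # redacted from plan/apply output
}

# ---- modules/mysql-private/main.tf ----
# Flexible Server private access needs a zone whose name ends in mysql.database.azure.com.
resource "azurerm_private_dns_zone" "mysql" {
  name                = "${var.name}.private.mysql.database.azure.com"
  resource_group_name = var.resource_group_name
}

# Link the zone to the spoke VNet so VNet-integrated clients (the App Service) resolve the server.
resource "azurerm_private_dns_zone_virtual_network_link" "mysql" {
  name                  = "${var.name}-vnet-link"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.mysql.name
  virtual_network_id    = var.virtual_network_id
}

resource "azurerm_mysql_flexible_server" "this" {
  name                   = var.name
  location               = var.location
  resource_group_name    = var.resource_group_name
  administrator_login    = var.administrator_login
  administrator_password = var.administrator_password
  sku_name               = "B_Standard_B1ms"
  version                = "8.0.21"
  # Private access: the server is injected into the delegated subnet and gets no public endpoint.
  delegated_subnet_id = var.delegated_subnet_id
  private_dns_zone_id = azurerm_private_dns_zone.mysql.id

  depends_on = [azurerm_private_dns_zone_virtual_network_link.mysql]
}

output "fqdn" {
  value = azurerm_mysql_flexible_server.this.fqdn # what the app's connection string points at
}

# ---- root main.tf ----
variable "mysql_admin_password" {
  type      = string
  sensitive = true # pass via TF_VAR_mysql_admin_password; never commit it
}

resource "azurerm_resource_group" "spoke" {
  name     = "rg-spoke-app"
  location = "uaenorth"
}

resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-spoke"
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name
  address_space       = ["10.51.0.0/16"]
}

# Subnet delegated to MySQL Flexible Server; required for delegated_subnet_id above.
resource "azurerm_subnet" "db" {
  name                 = "snet-db"
  resource_group_name  = azurerm_resource_group.spoke.name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = ["10.51.2.0/24"]

  delegation {
    name = "mysql"
    service_delegation {
      name    = "Microsoft.DBforMySQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

module "mysql" {
  source                 = "./modules/mysql-private"
  name                   = "mysql-app-dev"
  location               = azurerm_resource_group.spoke.location
  resource_group_name    = azurerm_resource_group.spoke.name
  virtual_network_id     = azurerm_virtual_network.spoke.id
  delegated_subnet_id    = azurerm_subnet.db.id
  administrator_login    = "mysqladmin"
  administrator_password = var.mysql_admin_password
}
```

The security-relevant property is that the server never gets a public endpoint: with `delegated_subnet_id` set, it is only reachable from the VNet, and the linked Private DNS zone is what lets the App Service resolve the server name to its private address. Because the password variable is marked `sensitive`, a reviewer of the plan output does not see it; supplying it through an environment variable keeps it out of the repository.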

Git Hub Repo link –

azure365pro/azure-hub-spoke-terraform (github.com)

Needed Resources –

  • Terraform (latest version) is installed:
terraform -version
  • Azure CLI is installed and az login is completed:
az login
  • Git is installed to clone the repository

Let’s clone the repository

git clone "https://github.com/azure365pro/azure-hub-spoke-terraform"

Get inside the repo

cd  .\azure-hub-spoke-terraform\

Rename main-app-mysql-example.tf to main-app-mysql.tf and uncomment the contents of main-app-mysql.tf.

Remove main.tf.

Run Terraform init to create a local tfstate

terraform init

Make sure you are running against the right subscription if you have access to multiple subscriptions, then run terraform plan to preview the changes.

terraform plan

Now the terraform apply command is used to create the resources.

terraform apply

Now the terraform destroy command is used to clean up the resources.

terraform destroy

Running the same with Azure DevOps Releases with Multi-Stage Approvals

In release pipelines, we utilize stages, triggers, approvers, and deployment options.

Verify stage: runs init/plan

Prod stage: runs init/plan/apply

Azure DevOps Pipelines for App Service with GitHub

In this requirement, dedicated Application Gateways and App Services are needed without the use of staging slots, as multiple hardening rules have to be tested. A dedicated application gateway is chosen so that nobody has to touch the production application gateway for testing.

Pipelines are integrated with the GitHub repo for CI/CD. Each build deploys to UAT, where it can be tested; once it is approved after testing, it is deployed to Production.

Let’s get started with a service connection, so that pipelines have full permission over the subscription to modify resources in this case.

Add a Service Connection for GitHub –

Let’s create a new release pipeline.

Using source type GitHub Artifact

For UAT App Service Deployment

Post-deployment approval is set

Scenario #1 – For Production App Service Deployment ( PHP 8.0- Web Application is used in this scenario)

Scenario #2 – For Production App Service Deployment (Yii PHP Framework Web Application is used in this scenario collecting the files published from Artifact)

Let’s see how to publish artifacts so that Azure Pipelines can pick them up from the step above.

Installing Composer for the Yii framework to use:

composer install
composer dump-autoload

Scenario #3 – For Production App Service Deployment (Node Js Web Application Front End is used in this scenario)

Let’s see how to publish artifacts so that Azure Pipelines can pick them up from the step above.

$(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip

The artifact location and zip name can be found here.

You can see the releases shown below.

Now if you create a new release

First, it deploys to UAT, and after approval, it gets to the Prod App service

Using Personal Access Tokens in GitHub for Azure DevOps

For Azure DevOps service connections, you need personal access tokens to provide granular permissions. Also, if you are a consultant, you don’t want your account to be mapped into the customer’s service connection; keeping the tokens within the organization’s connections is the cleaner way.

Go to your GitHub organization profile or your repo profile.

New Fine-grained Personal Access Token (github.com)

Choose specific repositories –

Add repo permissions for the token

Now you can use this access token in the Azure DevOps service connection.

Azure Web-App with Azure SQL (Private Link)

This document provides an in-depth configuration of Azure App Service with Azure SQL (Private Link)

  • Create new resource groups for App Service and Azure SQL
  • Create an App Service (SKU: .NET 6 LTS) with an App Service Plan
  • Search for and create Azure SQL
  • Create the Azure SQL Database server
  • Create the Azure SQL database
  • Create a virtual network
  • Create a new resource group for the virtual network
  • Create two subnets, for the application and the database
  • Create a Private Link endpoint on the Azure SQL server
  • Select the Azure SQL resource group
  • Select the database subnet
  • Select the Azure SQL resource group
  • App Service Networking – Outbound Traffic (VNet integration)
  • Select the app subnet
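The portal steps above, expressed as Terraform so the private-link layout can be reviewed and repeated. This is an added example, not the post's own configuration: resource names, region, address space and both subnet ranges are assumptions, and the SQL server and web app names must be globally unique.

```hcl
# Added example, not from the post. All names and address ranges are assumptions.

variable "sql_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "app" {
  name     = "rg-app-sql-private"
  location = "uaenorth"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-app"
  location            = azurerm_resource_group.app.location
  resource_group_name = azurerm_resource_group.app.name
  address_space       = ["10.60.0.0/16"]
}

# Application subnet, delegated to App Service for regional VNet integration (outbound traffic).
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.app.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.60.1.0/24"]
  delegation {
    name = "appservice"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Database subnet: only hosts the private endpoint NIC.
resource "azurerm_subnet" "db" {
  name                 = "snet-db"
  resource_group_name  = azurerm_resource_group.app.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.60.2.0/24"]
}

resource "azurerm_mssql_server" "sql" {
  name                          = "sql-app-private-demo"
  resource_group_name           = azurerm_resource_group.app.name
  location                      = azurerm_resource_group.app.location
  version                       = "12.0"
  administrator_login           = "sqladmin"
  administrator_login_password  = var.sql_admin_password
  minimum_tls_version           = "1.2"
  public_network_access_enabled = false # the private endpoint is the only way in
}

# Zone the private endpoint registers the server name into, linked to the VNet.
resource "azurerm_private_dns_zone" "sql" {
  name                = "privatelink.database.windows.net"
  resource_group_name = azurerm_resource_group.app.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "sql" {
  name                  = "sql-dns-link"
  resource_group_name   = azurerm_resource_group.app.name
  private_dns_zone_name = azurerm_private_dns_zone.sql.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

resource "azurerm_private_endpoint" "sql" {
  name                = "pe-sql"
  location            = azurerm_resource_group.app.location
  resource_group_name = azurerm_resource_group.app.name
  subnet_id           = azurerm_subnet.db.id
  private_service_connection {
    name                           = "psc-sql"
    private_connection_resource_id = azurerm_mssql_server.sql.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "sql-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.sql.id]
  }
}

resource "azurerm_service_plan" "plan" {
  name                = "asp-app"
  resource_group_name = azurerm_resource_group.app.name
  location            = azurerm_resource_group.app.location
  os_type             = "Linux"
  sku_name            = "B1"
}

resource "azurerm_linux_web_app" "app" {
  name                      = "app-sql-private-demo"
  resource_group_name       = azurerm_resource_group.app.name
  location                  = azurerm_resource_group.app.location
  service_plan_id           = azurerm_service_plan.plan.id
  virtual_network_subnet_id = azurerm_subnet.app.id # outbound traffic enters the VNet here
  site_config {
    vnet_route_all_enabled = true # send all outbound traffic, DNS included, through the VNet
    application_stack { dotnet_version = "6.0" }
  }
}
```

The database itself is left out for brevity (the post creates it as a separate step). Two settings carry the security value: `public_network_access_enabled = false` removes the server's public endpoint entirely, and `vnet_route_all_enabled = true` makes the app's outbound traffic, including its DNS lookups, go through the VNet so the `privatelink.database.windows.net` zone answers with the private endpoint's address rather than the public one.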

Testing Network Connection

  • Create an Azure Windows virtual machine connected to the database subnet
  • On the virtual machine, search for ODBC

Use the Azure SQL connection string to connect.

Microsoft 365 Deployment Settings Check List

Microsoft 365 high-level deployment settings checklist for architects and optimization teams. It covers many topics and requires extensive knowledge of various technologies before configuring them. Please do the appropriate research before changing any settings in a production tenant. Some of the features in these deployment settings also require additional licenses.

  • Microsoft 365 Login Page Branding – In Azure Portal
  • Microsoft 365 Organization Profile Branding – In Microsoft 365 Admin Portal
  • Restricting Users from creating Azure AD Tenants
  • Users can create Azure AD Tenants – Set to NO.
  • Users can create Security Groups – Set to NO (for large enterprises)
  • Show keep user signed in – Set to No

Couldn’t save new migration state: you cannot move to migration complete until disabling all methods in the legacy SSPR policy.

As SMS is insecure, we recommend keeping it unchecked.

  • Enable Multifactor authentication registration policy.
  • Restricting users joining their Personal Devices to Azure AD
  • Moving Coexistence Mode from Islands to Teams Only
  • Allowing Admin Roles to Invite Guests to have SSO for External Users added to Azure AD IAM
  • Enable Admin Consent Requests with Reviewers – For Application Consents
  • Enabling Integration of Defender for Endpoint with Endpoint Manager, to test Defender onboarding from Endpoint Manager

  • Configure Conditional Access

  • CA001: Require multifactor authentication for admins
  • CA002: Securing security info registration
  • CA003: Block legacy authentication
  • CA004: Require multifactor authentication for all users
  • CA005: Require multifactor authentication for guest access
  • CA006: Require multifactor authentication for Azure management
  • CA007: Require multifactor authentication for risky sign-ins
  • CA008: Require password change for high-risk users
  • CA009: Require compliant or hybrid Azure AD joined device for admins
  • CA010: Block access for unknown or unsupported device platform
  • CA011: No persistent browser session
  • CA012: Require approved client apps and app protection
  • CA013: Require compliant or hybrid Azure AD joined device or multifactor authentication for all users
  • CA014: Use application enforced restrictions for unmanaged devices

With device-based Conditional Access.

  • Enable Intune Advanced Features
  • Idle Session Timeout
  • Enable Self-Service Password Reset
  • Configure the Service Desk link or email.
  • Enable DKIM for your domain
  • DMARC sample record:
TXT _dmarc "v=DMARC1; p=reject; pct=100; fo=1; rua=mailto:dmarc@azure365pro.com; ruf=mailto:dmarc@azure365pro.com"

  • Device Clean-Up Rules

Delete devices based on last check-in date – Yes
Delete devices that haven’t checked in for this many days – 180

  • Security Setting Management

“Allow security settings in Microsoft Endpoint Manager (MEM) to be enforced by Microsoft Defender for Endpoint (MDE).
This configuration setting will apply to devices not yet enrolled in Microsoft Endpoint Manager.
You’ll need to turn on the integration in Microsoft Defender for Endpoint connector settings under Microsoft Endpoint Manager.”

Use MDE (Microsoft Defender for Endpoint) to enforce security settings from MEM (Microsoft Endpoint Manager), so that server and client policies can be managed from MEM and not from SCCM.

Setting Deletion Threshold on Azure AD Connect

It’s wise to reduce your Azure AD Connect deletion threshold from 500 to 50 when your total user base is around 3000 to 5000 users, so that your cloud environment is unaffected when something goes badly wrong in your on-premises Active Directory.

The default value is 500.

Get-ADSyncExportDeletionThreshold
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 50

To disable the threshold when a large deletion is intentional:

Disable-ADSyncExportDeletionThreshold

  • Add Anti-Phishing Policy

https://security.microsoft.com/antiphishing

Intune Customization Policy – Hide Reset

  • Hide remove button on corporate Windows devices
  • Hide reset button on corporate Windows devices
  • Hide remove button on corporate iOS/iPadOS devices
  • Hide reset button on corporate iOS/iPadOS devices

Enter the organization name and privacy URL – otherwise it will not allow you to save.

Enable Intune to access Windows Diagnostic Data

Questionable URLs detected in message – Microsoft 365

Azure Red Hat Expand Virtual Disks

This document covers how to use the extra space on an Azure-attached virtual disk in a Red Hat environment.

sudo -i

Command to determine which logical volume (LV) is mounted on the root of the file system (/):

lsblk -f

Display the volume group size:

vgdisplay rootvg

Install the cloud-utils-growpart package to provide the growpart command, which is required to increase the size of the OS disk, and gdisk for GPT disk layouts. This package is preinstalled on most marketplace images.

yum install cloud-utils-growpart gdisk

Scan the physical volumes and check the drives.

Grow the partition; select partition 2 of sda:

growpart /dev/sda 2

Resize the physical volume on sda2:

pvresize /dev/sda2

Resize the logical volume rootlv (the -r flag also resizes the file system on it):

lvresize -r -L +200G /dev/mapper/rootvg-rootlv

Example for the var and usr volumes:

lvresize -r -L +100G /dev/mapper/rootvg-varlv
lvresize -r -L +5G /dev/mapper/rootvg-usrlv