Azure Storage CMK using AKV on a different AAD tenant

[GA] Encrypt storage accounts with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.

Documentation: https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview

With this feature, the key that encrypts a Storage Account can be controlled by a different AAD tenant. Because the Key Vault stays in the customer's tenant, the customer can revoke the storage account's access to the key (or disable the key itself), after which the data in the account can no longer be decrypted.

HTH. By Jacky 2022-11-14

App Service 2022 end-of-support announcement

Some versions of Azure services will be retired soon. We want you to be prepared and to migrate to newer versions so that production keeps running.

Here is the information on four services that may interest you.

  • App Service (Linux) PHP v.7.4 End of Support (EoS) -> 11.28.2022
  • Azure Functions v2.x & v3.x EoS -> 12.3.2022
  • App Service .NET Core 3.1 EoS -> 12.3.2022
  • App Service (Linux) Python v.3.7 EoS -> 6.27.2023

For more information:
https://techcommunity.microsoft.com/t5/azure-developer-community-blog/winter-is-coming-keep-your-azure-services-up-to-date/ba-p/3667447

.NET Core 3.1 End of Life is on 13 December 2022

.NET Core 3.1 End of Life is on 13 December 2022 - You must migrate to .NET 6.0 before January 2023

.NET Core 3.1 reaches end of life on 13 December 2022. Any service still using .NET Core 3.1 after December 2022 is at immediate security and compliance risk starting on 13 January 2023. Because of this security impact, there are no extensions or deferrals for these dates.

Required action

Services using .NET Core 3.1 must migrate to .NET 6.0, recompile, and validate before January 2023.

For more information please see these .NET documents:

Discover expiring App Service certificates using Resource Graph queries

Use Azure Resource Graph to run cross-subscription queries and find out whether any App Service certificates are about to expire.

Get all web app certificates

This returns a list of all the App Service certificates in your subscription(s).

resources
| where type == "microsoft.web/certificates"

To simplify the overview, we can limit the properties we return:

resources
| where type == "microsoft.web/certificates"
| project resourceGroup, name, subscriptionId, properties.expirationDate, properties.thumbprint, properties.subjectName, properties.issuer

Get the expiration date of each certificate:

resources
| where type == "microsoft.web/certificates"
| extend ExpirationDate = todatetime(properties.expirationDate)
| project ExpirationDate, resourceGroup, name, subscriptionId, properties.expirationDate, properties.thumbprint, properties.subjectName, properties.issuer
| order by ExpirationDate asc

Get the number of days until expiration, limited to certificates that expire within 60 days (certificates that have already expired have a negative DaysUntilExpiration and sort first):

resources
| where type == "microsoft.web/certificates"
| extend ExpirationDate = todatetime(properties.expirationDate)
| extend DaysUntilExpiration = datetime_diff("day", ExpirationDate, now())
| project DaysUntilExpiration, ExpirationDate, resourceGroup, name, subscriptionId, properties.expirationDate, properties.thumbprint, properties.subjectName, properties.issuer
| where ExpirationDate < now() + 60d
| order by DaysUntilExpiration

Group by month for easy visualization:

resources
| where type == "microsoft.web/certificates"
| extend ExpirationDate = todatetime(properties.expirationDate)
| extend ExpirationMonth = format_datetime(ExpirationDate, 'yyyy-MM')
| summarize count() by ExpirationMonth
| order by ExpirationMonth asc

You can also pin these results and visualizations to your Azure Dashboards (Private/Shared).
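Running the same query on a schedule is where the portal falls short, so the following PowerShell script is an added example (not part of the original post) that runs the expiring-certificate query from Azure Cloud Shell with Search-AzGraph. Two details matter in practice: Search-AzGraph returns only 100 rows by default and at most 1000 per call even with -First, so a tenant with many certificates silently loses rows unless you follow SkipToken; and a scheduled run should fail visibly, so the script ends with a non-zero exit code when anything is expired or expiring. The same Invoke-ArgQueryAll helper works for the Microsoft.Web/sites queries in the next section. Assumptions of this example: the Az.ResourceGraph module is installed, you are signed in with Connect-AzAccount, Search-AzGraph queries the subscriptions in the current Az context, and the 60-day threshold and the exit codes are choices of the example.

```powershell
# Added example, not from the original post. Requires Az.Accounts, Az.ResourceGraph and
# an active Connect-AzAccount session; check Get-AzContext to see which subscriptions
# Search-AzGraph will cover. Save as a .ps1 and run it: the exit codes at the end
# would close an interactive shell.
#Requires -Modules Az.ResourceGraph

function Invoke-ArgQueryAll {
    # Runs a Resource Graph query and follows SkipToken until every row is returned.
    # Without this, Search-AzGraph returns at most -First rows (default 100, max 1000).
    param([Parameter(Mandatory)][string]$Query)

    $rows = [System.Collections.Generic.List[object]]::new()
    $skipToken = $null
    do {
        if ($skipToken) {
            $page = Search-AzGraph -Query $Query -First 1000 -SkipToken $skipToken
        } else {
            $page = Search-AzGraph -Query $Query -First 1000
        }
        foreach ($row in $page) { $rows.Add($row) }
        $skipToken = $page.SkipToken   # $null on the last page
    } while ($skipToken)
    return $rows
}

$WarnDays = 60   # assumption of this example; set it to your renewal lead time

# Same query as above without the 60-day filter: the threshold is applied client-side
# so that one run reports both an "expired" and an "expiring soon" bucket.
$query = @"
resources
| where type == "microsoft.web/certificates"
| extend ExpirationDate = todatetime(properties.expirationDate)
| extend DaysUntilExpiration = datetime_diff("day", ExpirationDate, now())
| project subscriptionId, resourceGroup, name, DaysUntilExpiration, ExpirationDate,
          Thumbprint = tostring(properties.thumbprint),
          SubjectName = tostring(properties.subjectName),
          Issuer = tostring(properties.issuer)
| order by DaysUntilExpiration asc
"@

$certs = Invoke-ArgQueryAll -Query $query

$expired  = @($certs | Where-Object { [int]$_.DaysUntilExpiration -lt 0 })
$expiring = @($certs | Where-Object {
    [int]$_.DaysUntilExpiration -ge 0 -and [int]$_.DaysUntilExpiration -le $WarnDays })

"{0} certificates total, {1} expired, {2} expiring within {3} days" -f `
    $certs.Count, $expired.Count, $expiring.Count, $WarnDays

($expired + $expiring) |
    Select-Object subscriptionId, resourceGroup, name, DaysUntilExpiration, ExpirationDate,
                  SubjectName, Issuer, Thumbprint |
    Format-Table -AutoSize

# Non-zero exit so a runbook or pipeline step fails visibly when action is needed.
if ($expired.Count -gt 0) { exit 2 }
if ($expiring.Count -gt 0) { exit 1 }
exit 0
```

The thumbprint is kept in the output on purpose: when a certificate is renewed, the App Service binding still points at the old thumbprint until it is updated, so the list doubles as the input for checking bindings after renewal.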

How to use Azure Resource Graph Explorer for Microsoft.Web resources

Azure Resource Graph

Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

Below are a few Microsoft.Web resource types supported by Azure Resource Graph:

  • microsoft.web/apimanagementaccounts
  • microsoft.web/apimanagementaccounts/apis
  • microsoft.web/certificates
  • Microsoft.Web/connectionGateways (On-premises Data Gateways)
  • Microsoft.Web/connections (API Connections)
  • Microsoft.Web/customApis (Logic Apps Custom Connector)
  • Microsoft.Web/HostingEnvironments (App Service Environments)
  • Microsoft.Web/KubeEnvironments (App Service Kubernetes Environments)
  • Microsoft.Web/serverFarms (App Service plans)
  • Microsoft.Web/sites (App Services)
  • microsoft.web/sites/premieraddons
  • Microsoft.Web/sites/slots (App Service (Slots))
  • Microsoft.Web/StaticSites (Static Web Apps)
  • Microsoft.Web/WorkerApps (Container Apps)

To run these queries in the Azure portal, open Resource Graph Explorer and paste the query into the editor.

Azure Resource Graph queries

To see all sites across all subscriptions and resource groups:

resources
| where type == "microsoft.web/sites"

If you want to see all your sites that are located in West US:

resources
| where type == "microsoft.web/sites"
| where location == "westus"

If you want to see all your running sites, you can drill into the "properties" object:

resources
| where type == "microsoft.web/sites"
| where properties.state == "Running"

To get sites count by region:

resources
| where type == "microsoft.web/sites"
| summarize count() by location

To find all function apps that are still running Python 3.6, filter on the site's app settings, which live under properties.siteProperties.properties (contains is case-insensitive, so "Python|3.6" also matches "PYTHON|3.6"):

resources
| where type == 'microsoft.web/sites'
| where subscriptionId =~ '<SubIdHere>'
| where properties.siteProperties.properties contains "Python|3.6"

On 30 September 2025, Basic SKU public IP addresses will be retired in Azure

Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025—Basic SKU will be retired

On 30 September 2025, Basic SKU public IP addresses will be retired in Azure.
You can continue to use your existing Basic SKU public IP addresses until then, however, you’ll no longer be able to create new ones after 31 March 2025.

Standard SKU public IP addresses offer significant improvements, including:

  1. Access to a variety of other Azure products, including Standard Load Balancer, Azure Firewall, and NAT Gateway.
  2. Security by default—closed to inbound flows unless allowed by a network security group.
  3. Zone-redundant and zonal front ends for inbound and outbound traffic.

If you have any Basic SKU public IP addresses deployed in Azure Cloud Services (extended support), those deployments will not be affected by this retirement and you don’t need to take any action for them.

Required action
To avoid any potential service disruptions, review pricing and then upgrade to Standard SKU public IP addresses by 30 September 2025.

Azure Container Instances reserved ports

Note:
The ACI service reserves the following ports for service functionality: 22, 443, 1025-1027, 3389-3399, 9999, 19000, 19080, 19390, 191000, 20000-30000, 49152-65534 (191000 as listed is outside the valid port range 0-65535; check the linked FAQ for the current list).
Make sure the image you run in ACI does not listen on any of these ports; if it does, switch it to another port. A port conflict can cause the container to restart repeatedly.

For more information:
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-faq#does-the-aci-service-reserve-ports-for-service-functionality-

HTH. By Jacky 2022-9-20

Backup and Restore Azure Firewall Policy

There is a two-click deployment solution that uses a Logic App to back up Azure Firewall and Firewall Policy. It is available in the GitHub repository Azure-Network-Security / Azure Firewall / Template - Logic App for Azure Firewall Backups:
https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Template%20-%20Logic%20App%20for%20Azure%20Firewall%20Backups

The Logic App is configured and scheduled to run "Backup Firewall and Firewall Policy" every three days and to store the backups in the storage account it creates. The frequency can be changed as needed. The backup files are named chronologically.

Download the backup (a JSON ARM template) from the storage account container and restore it from Cloud Shell with the following command:

New-AzResourceGroupDeployment -Name <deploymentName> -ResourceGroupName <resourceGroup> -TemplateFile <backupFile>

The restore prompts for two inputs, FirewallPublicIP and FirewallVnet, which are supplied as resource IDs, for example:

/subscriptions/YourSubscriptionId/resourceGroups/CxE-AzFWBackup-WebinarDemo/providers/Microsoft.Network/publicIPAddresses/FWPIPBDemo
/subscriptions/YourSubscriptionId/resourceGroups/CxE-AzFWBackup-WebinarDemo/providers/Microsoft.Network/virtualNetworks/AzFwVnet

This restore command restores both the firewall and the firewall policy from the backup, even if they have been deleted. By choosing the corresponding backup file, you can roll back to the state of a specific date.

In the test environment, add rc02 as shown below (screenshot not reproduced):

PS /home/jacky> New-AzResourceGroupDeployment -Name AzureFirewall_vhub-prod-jpe -ResourceGroupName rg-lab-candel -TemplateFile "backup-2022-08-22T09_24_01.1439684Z"

virtualHubs_vhub_prod_jpe_externalid: /subscriptions/YourSubscriptionId/resourceGroups/rg-lab-candel/providers/Microsoft.Network/virtualHubs/vhub-prod-jpe

DeploymentName : AzureFirewall_vhub-prod-jpe
ResourceGroupName : rg-lab-candel
ProvisioningState : Succeeded
Timestamp : 8/22/2022 10:02:52 AM
Mode : Incremental

After running the restore command, only rc01, which is in the backup file, remains, as shown below (screenshot not reproduced). Incremental mode leaves resources that are absent from the template untouched, but the rule collection group is in the template and is redeployed with exactly the contents of the backup, so rc02, which was added after the backup, is dropped.
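The restore above was typed by hand against one known file. As an added example (not from the original post or the Azure-Network-Security repository), the following PowerShell script lists the backup blobs the Logic App wrote to the storage container, picks the newest one (or the one for a given date), shows which template parameters that backup expects, previews the deployment with -WhatIf, and only then deploys. The storage account, container name and parameter values are placeholders that you must replace; the blob naming pattern (backup-<timestamp>) is assumed from the file name shown in the post, and the real container name comes from the Logic App template in the repository.

```powershell
# Added example, not part of the original post. Every value marked "placeholder" must be
# replaced. Requires Az.Accounts, Az.Storage, Az.Resources and a Connect-AzAccount session.
Set-AzContext -Subscription "Your Subscription Id"

$storageRg      = "<backup-storage-resource-group>"   # placeholder
$storageAccount = "<backup-storage-account>"          # placeholder
$container      = "<backup-container>"                # placeholder: container the Logic App writes to
$firewallRg     = "rg-lab-candel"                     # resource group of the firewall (from the post)
$restoreDate    = $null   # e.g. "2022-08-22" to restore a specific day; $null = newest backup

# 1. List the backups in the container, newest first. The "backup-*" pattern is assumed
#    from the file name shown in the post.
$ctx   = (Get-AzStorageAccount -ResourceGroupName $storageRg -Name $storageAccount).Context
$blobs = Get-AzStorageBlob -Container $container -Context $ctx |
         Where-Object { $_.Name -like "backup-*" } |
         Sort-Object LastModified -Descending
if (-not $blobs) { throw "No backup blobs found in container '$container'" }

$blob = if ($restoreDate) { $blobs | Where-Object { $_.Name -like "backup-$restoreDate*" } | Select-Object -First 1 }
        else               { $blobs | Select-Object -First 1 }
if (-not $blob) { throw "No backup found for $restoreDate" }
"Restoring from $($blob.Name) (last modified $($blob.LastModified))"

# 2. Download it. The blob is an ARM template, so give the local copy a .json suffix.
$templateFile = Join-Path $PWD "$($blob.Name).json"
Get-AzStorageBlobContent -Blob $blob.Name -Container $container -Context $ctx `
    -Destination $templateFile -Force | Out-Null

# 3. Show which parameters this backup expects. The post shows two variants:
#    FirewallPublicIP / FirewallVnet for a VNet-deployed firewall, and a
#    virtualHubs_..._externalid parameter for a Virtual WAN hub firewall.
$template   = Get-Content $templateFile -Raw | ConvertFrom-Json
$paramNames = @()
if ($template.parameters) { $paramNames = @($template.parameters.PSObject.Properties.Name) }
"Template parameters: $($paramNames -join ', ')"

# 4. Supply the values as resource IDs (placeholder keys/values; keys must match $paramNames).
$params = @{
    "virtualHubs_vhub_prod_jpe_externalid" =
        "/subscriptions/YourSubscriptionId/resourceGroups/rg-lab-candel/providers/Microsoft.Network/virtualHubs/vhub-prod-jpe"
}
$missing = @($paramNames | Where-Object { -not $params.ContainsKey($_) })
if ($missing.Count -gt 0) { throw "Missing values for template parameters: $($missing -join ', ')" }

# 5. Preview, then deploy. Incremental mode does not delete resources that are absent from
#    the template, but every resource that IS in the template is replaced whole, so rule
#    collections added after the backup (rc02 in the post) disappear from the restored policy.
$deployName = "AzureFirewall-restore-$(Get-Date -Format yyyyMMddHHmmss)"
New-AzResourceGroupDeployment -Name $deployName -ResourceGroupName $firewallRg `
    -TemplateFile $templateFile -TemplateParameterObject $params -Mode Incremental -WhatIf

$answer = Read-Host "Apply this restore? (y/N)"
if ($answer -ne "y") { return }

New-AzResourceGroupDeployment -Name $deployName -ResourceGroupName $firewallRg `
    -TemplateFile $templateFile -TemplateParameterObject $params -Mode Incremental
```

The -WhatIf step is the part worth keeping even if you trim the rest: it prints exactly which rule collections the restore will add, change or remove before anything on the live firewall policy is touched.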

Deallocate and allocate Azure Firewall in Virtual WAN Hub

Stop (deallocate) Azure Firewall in the Virtual Hub

PS /home/jacky> Set-AzContext -Subscription "Your Subscription Id"
PS /home/jacky> $firewall = Get-AzFirewall -Name "AzureFirewall_vhub-prod-jpe" -ResourceGroupName "rg-lab-candel"
PS /home/jacky> $firewall.Deallocate()
PS /home/jacky> $firewall | Set-AzFirewall

After a short wait you will see that FQDNs and IpAddresses are null:
Name : AzureFirewall_vhub-prod-jpe
ResourceGroupName : rg-lab-candel
Location : japaneast
ThreatIntelWhitelist : {
"FQDNs": null,
"IpAddresses": null
}

The portal shows the same state.

Start (allocate) Azure Firewall in the Virtual Hub
Set-AzContext -Subscription "Your Subscription Id"
$virtualhub = Get-AzVirtualHub -ResourceGroupName "rg-lab-candel" -Name vhub-prod-jpe
$firewall = Get-AzFirewall -Name "AzureFirewall_vhub-prod-jpe" -ResourceGroupName "rg-lab-candel"
$firewall.Allocate($virtualhub.Id)
$firewall | Set-AzFirewall