Storage Service Encryption in Azure US Government

Azure Storage Service Encryption (SSE) for Data at Rest is now available as part of the deployment of the ARM storage resource provider in Azure US Government regions.

The official documentation for SSE states:

Azure Storage Service Encryption (SSE) for Data at Rest helps you protect and safeguard your data to meet your organizational security and compliance commitments. With this feature, Azure Storage automatically encrypts your data prior to persisting to storage and decrypts prior to retrieval. The encryption, decryption, and key management are totally transparent to users.

Once a storage account is enabled for SSE, all new blob data written to the storage account will be encrypted with 256-bit AES encryption using keys managed by Microsoft.  Any existing blob data in the storage account will not be encrypted until some change to the data causes it to be written back to storage.

To get started with SSE in Azure US Government you first need to create an ARM storage account and place it in a new or existing resource group.  This can be accomplished with the New-AzureRmStorageAccount PowerShell command.

Enabling SSE on an ARM storage account is done with the Set-AzureRmStorageAccount PowerShell command, passing Blob as an option for the EnableEncryptionService parameter.  For example, if you have a storage account named myencryptstorage in a resource group named storagerg you would run the following PowerShell command to enable SSE:

Set-AzureRmStorageAccount -Name myencryptstorage -ResourceGroupName storagerg -EnableEncryptionService Blob

To verify that SSE is enabled on the storage account shown above, run the command shown below.  A return value of True indicates that encryption is enabled on the storage account.

(Get-AzureRmStorageAccount -ResourceGroupName storagerg -Name myencryptstorage).Encryption.Services.Blob.Enabled
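The three steps above, create the account, enable SSE, and verify it, collected into one script, plus an audit loop that goes a step beyond the post by listing the SSE state of every ARM storage account in the subscription. This is an added example and is not code from the original post; the storage account and resource group names follow the post, while the SKU value, the region, and the audit loop are assumptions made here.

```powershell
# Added example (not from the original post): create an ARM storage account in Azure US
# Government, enable Storage Service Encryption for the Blob service, verify it, then audit
# every ARM storage account in the subscription. SkuName, Location and the audit loop are
# assumptions added here.

Login-AzureRmAccount -EnvironmentName AzureUSGovernment

$rg   = 'storagerg'
$name = 'myencryptstorage'

# Create the ARM storage account. Standard_LRS is an example SKU; older AzureRM releases
# named this parameter -Type instead of -SkuName.
New-AzureRmStorageAccount -ResourceGroupName $rg -Name $name `
    -Location 'USGov Virginia' -SkuName Standard_LRS

# Enable SSE for the Blob service.
Set-AzureRmStorageAccount -ResourceGroupName $rg -Name $name -EnableEncryptionService Blob

# Verify. The Encryption property is $null on an account that was never enabled, so guard
# the property chain instead of assuming it exists.
$acct = Get-AzureRmStorageAccount -ResourceGroupName $rg -Name $name
$blobEnabled = ($null -ne $acct.Encryption) -and ($acct.Encryption.Services.Blob.Enabled -eq $true)
if (-not $blobEnabled) { throw "SSE is not enabled on storage account $name" }

# Audit: report the Blob SSE state of every ARM storage account so that accounts created
# without encryption stand out at the top of the list.
Get-AzureRmStorageAccount | ForEach-Object {
    [pscustomobject]@{
        ResourceGroup = $_.ResourceGroupName
        Name          = $_.StorageAccountName
        BlobSSE       = ($null -ne $_.Encryption) -and ($_.Encryption.Services.Blob.Enabled -eq $true)
    }
} | Sort-Object BlobSSE, Name | Format-Table -AutoSize
```

Keep in mind that the audit only reports the account setting. As the post notes, blobs that already existed when SSE was switched on stay unencrypted until they are written again, so a True result does not by itself mean every existing blob is encrypted.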

For a complete description of SSE and answers to frequently asked questions, please review the official Azure documentation.

ARM In Azure US Government

Yesterday afternoon Microsoft deployed providers for several Azure Resource Manager (ARM) services into all Azure US Government regions.  These new providers enable users to create and manage ARM storage, networking, compute and data resources through Azure PowerShell.  Support for these new resource providers will be enabled in the Azure preview portal at a future date.

With this latest update the following ARM features have been enabled:

Compute (PowerShell)

  • Virtual Machines
  • Service Fabric

Networking (PowerShell)

  • Application Gateway
  • ExpressRoute
  • Load Balancer
  • Virtual Networks
  • VPN Gateway
  • Network Security Group

Data & Storage

These providers work hand in hand with the previously deployed ARM infrastructure, which enables resource groups, tagging, templates and role-based access control.

It is expected that additional resource providers will be deployed over the coming months which will enable even more capabilities in Microsoft Azure US Government regions.  To view the resource providers currently available in Azure US Government you can run the following PowerShell command:

Get-AzureRmResourceProvider -ListAvailable

Azure SQL DB v12 Now in Azure US Gov

Today Microsoft has announced the general availability of the latest service version of Azure SQL Database (v12) in Microsoft Azure US Government.

Benefits of using Azure SQL v12

  • Compatible: Near-complete SQL Server 2016 engine compatibility.
  • Performant: Increased Premium performance levels at no additional cost and support for larger database sizes.
  • Secure: Intelligent security and protection including Azure Active Directory authentication support. 
  • Reliable: Improved backup, recovery, and replication times.  

More details can be found soon on the Azure Government Blog.

Using Resource Groups and Tagging in Azure Government

Azure Government is moving closer and closer to having the next generation portal and full Azure Resource Manager support.  Recent updates now make it possible to better organize and classify resources for lifecycle management, security and identification.  Below I would like to highlight some of these features and some best practices you can start using today.

Azure Resource Groups

Azure Resource Groups provide a mechanism to group together a collection of Azure Resources.  This enables administrators to manage the lifecycle as a single entity, assign tags (more on that in a moment), and apply role-based access control.   Since Azure Resource Groups are not part of the original Azure classic environment, you will not see them exposed in the classic portal; however, you will see them in the new portal.  The interesting thing is that when you create any resource in Azure, no matter if it is a classic resource or an upcoming Azure Resource Manager resource, it will always be placed in an Azure Resource Group. 

If you are creating classic resources using the classic portal or classic Azure PowerShell commands you will not have an option to choose which Azure Resource Group the resources are assigned to.  They will instead be assigned to default resource groups based upon the region and type of resource being created.   If you utilize the new portal or Azure Resource Manager PowerShell commands to create classic resources you have the ability to specify either an existing resource group or to create a new resource group for your new resource.  

Best practice:  Always group resources together in a resource group if they share the same lifecycle or are resources related to a single solution.  This will enable easier management of the resources and provide role based access control and  group tagging for the resources.

If you already have a bunch of existing Azure classic resources you may wish to start moving them into Azure Resource Groups based upon the best practice noted above.   This will require you to utilize the new Azure Resource Manager PowerShell commands or the new portal.  

Best practice: Ensure you have a solid enterprise naming convention in place for naming resource groups and resources.  This will make navigating, locating, and managing resources much easier.

To create a new Azure Resource Group, you will need to utilize the new Azure Resource Manager (ARM) PowerShell commands.  Make sure you have installed the latest Azure PowerShell components from http://azure.microsoft.com before starting.  You will log into Azure Government with the following command to access the ARM commands:

Login-AzureRmAccount -EnvironmentName AzureUSGovernment

Once you are logged in you can get a list of your existing / default resource groups by running the command:

Get-AzureRMResourceGroup

You can also easily view a list of existing resource groups through the new Azure portal.   The portal also enables you to quickly drill down into a group to see what resources are already assigned. 

Unfortunately as of today (8/4/2016) the new preview portal does not allow you to create new resource groups.  To create a new resource group you will need to utilize PowerShell.  Below is an example of creating a new resource group in the US Government Virginia region with a name of MyDemoResourceGroup.

New-AzureRmResourceGroup -Location "USGov Virginia" -Name MyDemoResourceGroup

Now that we have a resource group we can begin creating new resources or move existing resources into it.   The simplest way to do this is by using the new portal.   Below are a few quick steps to move a resource from one group to another:

  1. Open up the new portal and drill down into a resource group that contains a resource you wish to move.
  2. Select the resource and from the settings panel choose properties.
  3. Under the resource group heading in the properties panel you will find a link to Change resource group.  Clicking on this will provide you with a move resource panel.
  4. Choose the resources you wish to move, select the destination resource group, check the acknowledgement check box, and then click OK.   Within a few moments your resources will be moved into the destination resource group.

There are some limitations to moving resources between groups which are outlined in a documentation article titled “Move resources to new resource group or subscription”.   I highly recommend reading over this article.  You will also find examples of using PowerShell to move resources between groups in this article.
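The PowerShell route to the same result, as an added example that is not from the original post: log in to Azure Government, create the resource group from the earlier command, locate a resource in one of the default groups, and move it with Move-AzureRmResource. The default group name and the resource name are placeholders; the documented move limitations the post refers to still apply to whatever you move this way.

```powershell
# Added example (not from the original post): create a resource group and move an existing
# resource into it with PowerShell. 'Default-Storage-USGovVirginia' and 'mystorageacct' are
# placeholder names; substitute the group and resource shown by Get-AzureRmResourceGroup.

Login-AzureRmAccount -EnvironmentName AzureUSGovernment

$destination = 'MyDemoResourceGroup'
New-AzureRmResourceGroup -Location 'USGov Virginia' -Name $destination

# Locate the resource to move. Find-AzureRmResource is the listing cmdlet in the AzureRM
# releases of this period; later releases fold this into Get-AzureRmResource.
$resource = Find-AzureRmResource -ResourceGroupNameEquals 'Default-Storage-USGovVirginia' `
                                 -ResourceNameEquals 'mystorageacct'
if ($null -eq $resource) { throw 'Resource not found in the source resource group' }

# Move by resource ID. -Force skips the interactive confirmation; drop it to review first.
Move-AzureRmResource -DestinationResourceGroupName $destination `
                     -ResourceId $resource.ResourceId -Force

# Confirm the resource now reports the destination group.
Find-AzureRmResource -ResourceGroupNameEquals $destination |
    Select-Object Name, ResourceType, ResourceGroupName |
    Format-Table -AutoSize
```

Moving a resource changes the scope any role assignments on the old group applied to it, so review the RBAC assignments on the destination group afterwards.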

Tagging

Once the resources are well organized in a structure of resource groups it is now possible to utilize tagging for identification purposes.  Although classic resources do not support tagging, you can apply tags to resource groups.   This means that you can still utilize tags to help categorize and organize your classic Azure resources.

Tags are a simple collection of key – value pairs that are associated with a resource group or an Azure Resource Manager resource.   As mentioned above, it is not possible to apply tags directly to classic Azure resources.

Best practice: Identify a tagging standard for your organization.  Ensure that all new resource groups and resources (when applicable) have the same basic tag structure. 

Resource groups and Azure Resource Manager resources can be assigned multiple key – value tags.   This provides a maximum amount of flexibility to build out a standard that works best for an organization.   Below is a small sample of keys that you may wish to assign to a resource group:

  • Agency / Department
  • Project
  • Type (Dev/QA/Test)
  • Cost Center

The easiest way to apply tags to a resource group is through the new Azure portal.   With just a few steps you can add tags with values to your resource groups.

  1. Open up the new Azure portal and choose a resource group.
  2. In the resource group details panel, click on the tag graphic in the upper right section.
  3. Enter in your key-value tag pairs for the resource group.

Once you have tagged resources you can utilize PowerShell to quickly locate resource groups or resources with a specific tag key and value.   The PowerShell command below outputs all resource group names that have the tag name of Agency with a value of Finance.

Find-AzureRmResourceGroup -Tag @{ Name="Agency"; Value="Finance" } -WarningAction SilentlyContinue | %{ $_.Name }
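Beyond finding groups with one tag, the tagging standard recommended above needs a way to find groups that violate it. The script below, an added example and not code from the original post, checks every resource group against a required key set built from the sample keys listed above and reports the ones that are missing keys, then shows how to apply a baseline tag set to one group. The required key list, the helper name and the tag values are assumptions; the tag-key helper accepts both the Name/Value hashtable format the post uses and the plain hashtable that newer AzureRM releases return.

```powershell
# Added example (not from the original post): audit resource groups against a required tag
# set and apply a baseline. $RequiredTagKeys, Get-TagKeys and the sample values are assumptions.

$RequiredTagKeys = @('Agency', 'Project', 'Type', 'CostCenter')

function Get-TagKeys {
    # Normalise the two tag shapes AzureRM has used: a hashtable (key = value) or an array of
    # @{ Name = ...; Value = ... } entries. Returns the key names as an array.
    param($Tags)
    if ($null -eq $Tags) { return @() }
    if ($Tags -is [System.Collections.IDictionary]) { return @($Tags.Keys) }
    return @($Tags | ForEach-Object { $_.Name })
}

$report = Get-AzureRmResourceGroup | ForEach-Object {
    $present = Get-TagKeys $_.Tags
    $missing = @($RequiredTagKeys | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        ResourceGroup = $_.ResourceGroupName
        MissingTags   = ($missing -join ', ')
        Compliant     = ($missing.Count -eq 0)
    }
}

# Non-compliant groups sort to the top.
$report | Sort-Object Compliant, ResourceGroup | Format-Table -AutoSize

# Apply a baseline to one group using the Name/Value format from the post. -Tag replaces the
# whole tag collection on the group, so include any existing tags you want to keep.
Set-AzureRmResourceGroup -Name 'MyDemoResourceGroup' -Tag @(
    @{ Name = 'Agency';     Value = 'Finance'  },
    @{ Name = 'Project';    Value = 'OpenData' },
    @{ Name = 'Type';       Value = 'Dev'      },
    @{ Name = 'CostCenter'; Value = 'CC-1234'  }
)
```

Run the audit on a schedule and the report becomes a simple drift check for the tagging standard, which is useful for cost attribution and for working out who owns a resource during an incident.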

Even though Azure classic resources cannot have tags on them directly, we can utilize Azure Resource Groups to tag a collection of Azure classic resources.  

Role Based Access Control

By combining Azure Resource Groups with Role Based Access Control (RBAC) your organization can quickly assign proper access permissions.  RBAC enables you to provide fine-grained permissions to individuals that need access to view or manage Azure Resources.  This allows us to get away from the classic model where the only management roles were subscription administrator or subscription co-administrator.   Now we can enable a more delegated approach to resource management.

Unlike tagging, RBAC can be applied to classic resources along with resource groups and ARM resources.

Note: Users who are not subscription administrators or co-administrators but have been assigned RBAC permissions on a classic object cannot manage that object using Azure Classic PowerShell or the classic portal.   They must use the Azure Resource Manager PowerShell login and commands or perform management actions using the new portal.
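The delegated model described above in PowerShell, as an added example that is not from the original post: a user is given the built-in Reader role scoped to a single resource group instead of co-administrator rights on the subscription, and the assignments on that group are then reviewed. The sign-in name and group name are placeholders.

```powershell
# Added example (not from the original post): least-privilege RBAC assignment scoped to one
# resource group, followed by a review of who holds rights on that group.
# 'analyst@agency.example' and 'MyDemoResourceGroup' are placeholders.

$rg   = 'MyDemoResourceGroup'
$user = 'analyst@agency.example'

# Built-in Reader role at resource group scope: the user can view resources in this group
# but cannot change them, and has no rights elsewhere in the subscription.
New-AzureRmRoleAssignment -SignInName $user -RoleDefinitionName 'Reader' -ResourceGroupName $rg

# Review every assignment that applies to the group. Assignments made at subscription scope
# are inherited, and show up here with a subscription-level Scope value.
Get-AzureRmRoleAssignment -ResourceGroupName $rg |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# When Reader is too little and Contributor too much, list the built-in roles and pick
# the narrowest one that covers the task.
Get-AzureRmRoleDefinition | Select-Object Name, Description | Sort-Object Name | Format-Table -Wrap
```

Periodically dumping the output of Get-AzureRmRoleAssignment for each group gives you an access review you can diff over time, which is how assignments that outlive a project tend to get noticed.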

Going Forward

The future is looking great for Azure Government!  As more ARM resource providers are deployed we will have more and more great capabilities to utilize, including ARM templates.   My recommendation is that if you are an Azure Government customer, you should begin poking around in the new preview portal.  This will prepare you well for upcoming updates to Azure Government.

Azure PowerShell for documenting VNETs

During a recent conversation I had with one of my customers I was asked if there was a way to export VNet settings from their Azure US Government subscription.  Of course PowerShell provides the answer; however, it is not a simple single command.  

There is one command which allows you to export out all subscription VNETs along with their subnets and gateway information to an XML file.  There is another set of commands that enables you to query and navigate XML data in PowerShell.  Finally there is a command for getting network security group (NSG) information that is assigned to a subnet.

By combining all of these commands together into a structured script you can get a very good picture of your VNET configurations across your subscription.   I have built a sample script which you can download from here.

The script is for demonstration purposes only and comes with no support.  Do not utilize the script for production purposes without fully reviewing and understanding the code.   The script only looks at NSGs which are associated to subnets.  Currently Azure US Government only supports the ASM deployment model.  This script was designed to only work with that model and therefore may not be useful to people running workloads in Azure commercial under ARM.
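An added example of the approach the post describes: it is not the downloadable script and is not code from the original post. It exports the classic (ASM) network configuration to XML with Get-AzureVNetConfig, navigates the XML in PowerShell to pull out each VNet's address space, subnets and gateway, and then queries the NSG assigned to each subnet with Get-AzureNetworkSecurityGroupForSubnet. The element path used to walk the export follows the NetworkConfiguration schema that the export produces; the output file locations are assumptions.

```powershell
# Added example (not the post's script): inventory classic (ASM) VNets, subnets, gateways and
# subnet NSGs in the current Azure US Government subscription. Output paths are assumptions.

# Classic (ASM) login; the ARM cmdlets in the other posts use Login-AzureRmAccount instead.
Add-AzureAccount -Environment AzureUSGovernment

$exportPath = Join-Path $env:TEMP 'vnetconfig.xml'
Get-AzureVNetConfig -ExportToFile $exportPath | Out-Null
[xml]$config = Get-Content -Path $exportPath

# Element path assumed from the NetworkConfiguration export schema.
$sites = $config.NetworkConfiguration.VirtualNetworkConfiguration.VirtualNetworkSites.VirtualNetworkSite

$rows = foreach ($site in $sites) {
    $hasGateway = if ($null -ne $site.Gateway) { 'yes' } else { 'no' }
    foreach ($subnet in $site.Subnets.Subnet) {
        # A subnet with no NSG makes the lookup fail, so treat an error as "none".
        $nsgName = '(none)'
        try {
            $nsg = Get-AzureNetworkSecurityGroupForSubnet -VirtualNetworkName $site.name `
                                                          -SubnetName $subnet.name -ErrorAction Stop
            $nsgName = $nsg.Name
        } catch { }
        [pscustomobject]@{
            VNet         = $site.name
            Location     = $site.Location
            AddressSpace = (@($site.AddressSpace.AddressPrefix) -join ', ')
            Subnet       = $subnet.name
            SubnetPrefix = $subnet.AddressPrefix
            Gateway      = $hasGateway
            NSG          = $nsgName
        }
    }
}

$rows | Format-Table -AutoSize
# A CSV copy makes it easy to diff two exports and spot subnets that lost their NSG.
$rows | Export-Csv -Path (Join-Path $env:TEMP 'vnet-inventory.csv') -NoTypeInformation
```

Like the post's script, this only reports NSGs attached to subnets; NSGs attached directly to VMs or roles are not covered. Subnets that show "(none)" are the ones worth a second look, since traffic into them is filtered only by endpoint ACLs, if at all.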

Using Azure AD Domain Services with Azure Government VMs

Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy domain controllers. Users sign in to these virtual machines using their corporate Active Directory credentials and access resources seamlessly. To more securely administer domain-joined virtual machines, use Group Policy—an easy, familiar way to apply and enforce security baselines on all of your Azure virtual machines.

Before I go too far I want to be clear on this one point:  Azure AD Domain Services is  NOT available in Azure US Government today.   With that being said, it is possible to join Azure Virtual Machines in Azure Government to Azure Active Directory Domain Services hosted in Azure Commercial.    This means that customers who are already using Azure Active Directory as part of an Office 365 deployment can extend it to provide domain services to VMs in both Azure Commercial and Azure Government.

I am not going to go into all of the details to setup Azure Active Directory Domain Services (AAD DS) in Azure commercial.  There is great documentation available that already provides all of the information to get started.

Once you have AAD DS setup and associated with a virtual network (VNet) in Azure commercial you can extend it into Azure Government with a simple VNet to VNet connection.   Below are a few points to be aware of when setting this up:

  • AAD DS is only available in Azure commercial.  Today AAD DS is in a preview status which does not include an SLA.
  • VNets that are connected must have IP Address spaces that do not overlap.
  • You must add the AAD DS DNS IP addresses to all of the VNets, in both commercial and government, which will provide AAD DS features to virtual machines in the VNet.
  • I have not tested this with an ARM VNet in Azure commercial and an ASM (classic) VNet in Azure Government.  Based on this article it appears that establishing a VNet to VNet connection across the ARM and ASM should be possible.
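The non-overlapping address space requirement in the list above is easy to get wrong when a commercial VNet and a Gov VNet were planned separately, so here is a small check, added as an example and not code from the original post, that compares CIDR prefixes before you build the VNet-to-VNet connection. The prefixes are constructed sample values and the function names are assumptions.

```powershell
# Added example (not from the original post): check that the address spaces of VNets you plan
# to connect do not overlap. Prefix values are constructed samples; function names are assumptions.

function ConvertTo-AddressNumber {
    # IPv4 dotted quad -> 32-bit number held in an int64 (avoids signed/unsigned surprises).
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [int64]$n = 0
    foreach ($b in $bytes) { $n = ($n * 256) + $b }
    return $n
}

function Get-CidrRange {
    # Returns the first and last address numbers covered by a CIDR prefix.
    param([string]$Cidr)
    $address, $prefixLength = $Cidr.Split('/')
    $length = [int]$prefixLength
    if ($length -lt 0 -or $length -gt 32) { throw "Invalid prefix length in $Cidr" }
    $blockSize = [int64][Math]::Pow(2, 32 - $length)
    # Align the start to the block so '10.1.5.0/16' is treated as 10.1.0.0/16.
    $start = [int64][Math]::Floor((ConvertTo-AddressNumber $address) / $blockSize) * $blockSize
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = ($start + $blockSize - 1) }
}

function Test-CidrOverlap {
    param([string]$A, [string]$B)
    $ra = Get-CidrRange $A
    $rb = Get-CidrRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

# Constructed sample: the commercial VNet hosting AAD DS and two candidate Gov VNets.
# A VNet may list several prefixes, so every pair is checked.
$commercialSpace = @('10.1.0.0/16')
$governmentSpace = @('10.1.128.0/20', '10.2.0.0/16')

foreach ($c in $commercialSpace) {
    foreach ($g in $governmentSpace) {
        if (Test-CidrOverlap $c $g) {
            Write-Warning "$g overlaps $c; the VNet-to-VNet connection will not route correctly"
        } else {
            Write-Output "$g does not overlap $c"
        }
    }
}
```

With the sample values above, 10.1.128.0/20 sits inside 10.1.0.0/16 and is flagged, while 10.2.0.0/16 is clear. Feed the check the AddressPrefix values from a VNet export and it becomes a pre-flight test rather than something you discover after the gateway is built.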

To summarize, AAD DS enables organizations to quickly deploy domain-joined virtual machines into Azure without having to deploy additional domain controllers in the cloud.   Currently AAD DS is in preview and does not have an SLA.   When architecting your solutions there may be situations where having full domain controllers in Azure will make more sense than using AAD DS.   Always ensure you are using an architecture that fits the solution instead of trying to fit a solution into a specific architecture.

StorSimple Virtual Array Failover Demo

In a previous post I  showed how you could create a Virtual StorSimple Array in Microsoft Azure Commercial which allows you to get started with hybrid storage.  Recently the Virtual StorSimple Array was made available in the Microsoft Azure US Government regions.   I thought that a great way to help people utilize StorSimple would be to show how simple it is to use the Virtual Array in a disaster recovery scenario.   In the video below I demonstrate how to prepare a secondary StorSimple Virtual Array and then perform a failover from the primary device to the backup device.

Azure Simple File Share

In my role at Microsoft I am working with State and Local Government customers.  My job is to help them understand and better utilize Microsoft Azure cloud services.  Recently I have had several conversations with my customers regarding a need to easily share files with the public.  These files might be government datasets, crime statistics, or results of FOIA requests.  No matter what the content, the customers are concerned about the impact hosting such a solution internally would have on their infrastructure.  Sometimes these files are seldom downloaded, but other times a news story or other interest might cause massive downloads from locations all over the globe.

Sure there are lots of file sharing solutions out there.  OneDrive, Box, DropBox, just to name a few.   The problem with these solutions is that you have limited control over how the files are presented to the user and limited access to reporting.  Several of my customers have asked how Azure might help them with providing files at a large scale, enabling them to generate logging details, and to reduce risks of large download spikes.

Thinking over the requirements, I came up with several possible solutions.   The simplest involved setting up one or more virtual machines in Azure that would run IIS with directory browsing enabled.   This would work, but there is no branding options and the customer still has to manage and patch the virtual machines.

Another option  which is similar to the previous one is to utilize an Azure Web App with directory browsing enabled.  This would be just like the prior option with VMs  but the customer wouldn’t have to manage or patch the underlying system.  Unfortunately even with the largest Azure Web App size we are limited to 500GB of storage and the lack of branding is still an issue.

After looking at several other options I decided to create a quick simple .NET application that would utilize an Azure Web App along with an Azure Storage Account for public file sharing.   This would enable me to brand the site, store up to 500TB of data, and generate any necessary logging needed.   I call this demonstration solution Azure Simple File Share.

I have tested the application by loading just over 10,000 files into an Azure Storage account and I have been very impressed so far at the speed of rendering the file and folder structures.

If you would like to see the application in action, jump on over to: http://asfs.azurewebsites.net/

If you would like to learn more about how the application works or to grab a copy of the source code, head over to GitHub: https://github.com/mphacker/AzureSFS

If you build a production solution off of this, let me know!  I would love to see this in action in the real world.  If you make updates and would like to contribute code back, contact me using the comments section below.

Important note:  This application is not endorsed or supported by Microsoft.  No official support is provided by me or anyone else.  The application has not been code reviewed for security and/or nasty bugs.  If you choose to utilize this demonstration application or any of its source code, you are on your own.
