Disaster Recovery – Do you really need one?

Last week, Microsoft announced the preview of Capacity Reservation for VMs. You can reserve VM capacity in your DR region to ensure that you have VM resources available to create or turn on your protected VMs using ASR. ASR itself does not guarantee that your VMs can be turned on in your DR region in the event of a disaster, so capacity reservation is a welcome and much-needed feature. However, it increases the cost of your solution yet again.

  • Cost factors
    • VM cost
    • ASR protected VM cost
    • Capacity Reservation cost (the same as your actual VM cost)
    • Other costs

Note: DR is not just the VMs; it includes other components as well. I have not listed those above because they apply to both options.

Hmm... can we plan DR cost-effectively in Azure? Let’s take a look:

Continue reading “Disaster Recovery – Do you really need one?”

Tips for passing Azure Security Engineer Certification (AZ-500)

It had been almost 2 years of a break from MS certifications before I tried AZ-500 early this week, and it was an interesting one. It was the first MS certification I have ever taken with a hands-on lab, though it was a bit of a surprise. I thought of sharing my experience of the exam, which might be helpful if you are trying to get this certification.

The exam is 3 and a half hours in total, with 3 hours of exam time. I suggest you go through the exam skills outline before you start preparing. I started with the course on Linux Academy. I found it especially good for Azure Active Directory, as it covers all the features of AAD that are part of P2. The course covers almost all the subjects required for the exam and is a good place to start preparing. However, don’t stop there… you need to deep dive into each subject with the MS documentation. Importantly, you need to do a lot of hands-on work for each topic described in the exam skills outline.

Continue reading “Tips for passing Azure Security Engineer Certification (AZ-500)”

Mapping of Security Services of Cloud Service Providers

The below is a nice illustration of the mapping of security services from different Cloud Service Providers. I see Azure is clearly winning, as you hardly see any third-party solution mapped in their security product list. It does not tell you which service serves better for the various customer use cases. It is interesting to see Alibaba catching up with its list of products.

Credit: https://www.managedsentinel.com/2019/05/28/on-prem-vs-cloud/ . The original figure and an online version are available there.

IDS/IPS – Azure Firewall is not a solution for this today; we need to go with NVAs.

All about Application Security Group

What are Application Security Groups?

ASGs enable you to define fine-grained network security policies based on workloads, centralized on applications, instead of explicit IP addresses. Implementing granular security traffic controls improves isolation of workloads and protects them individually. If a breach occurs, this technique limits the potential impact of lateral exploration of your networks from hackers.

You can find more details on the MS site, which I do not want to copy and paste here. Let’s talk about the use case and how we can make better use of it.

Deny all communication and open only the specific communication you need using ASGs. Yes, you can create a Deny All rule with a low priority (so it is evaluated last) within your vNET. Then you create rules that open the specific ports, but with an ASG selected as source and destination. This opens communication only between the servers that have those ASGs configured. Look at the pictures below (figures 1 & 2) to understand this better.

There is no option to add a server to an ASG from the ASG itself; instead, you select the required ASG on the vNIC of the VM. You can include this in your ARM templates so it is configured when the VM is created. This reduces the number of NSG changes you need to make every time you add a server: you just select the required ASG when you create the VM.

You need to remember a few things about ASGs:

  • You cannot configure any settings on an ASG; you can only add tags.
  • You can select only one ASG as the source or destination in each NSG rule.
  • You can select multiple ASGs for a single VM.
  • Limitations
    • 3000 per subscription
    • 20 per vNIC
    • 4000 IP configurations per ASG
  • You can only assign ASGs from the same subscription.
  • You cannot have VMs from different vNETs in one ASG.
  • Both source and destination ASGs in your NSG rules should be in the same vNET.
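The deny-all-plus-ASG pattern from the two paragraphs above, written as an added Bicep example (not the post's own template; Bicep compiles to the ARM template the post mentions). The resource names, the port 8443 and the subnetId parameter are assumptions, and the NSG is assumed to be associated with the subnet the VMs share:

```bicep
// Added example, not the post's code; names, port and subnetId are assumptions. Membership is set per NIC, not on the ASG.
param location string = resourceGroup().location
param subnetId string
resource asg 'Microsoft.Network/applicationSecurityGroups@2020-11-01' = [for tier in ['web', 'app']: {
  name: '${tier}-asg'
  location: location
}]
resource nsg 'Microsoft.Network/networkSecurityGroups@2020-11-01' = {
  name: 'app-nsg'
  location: location
  properties: {
    securityRules: [
      {
        // Only members of web-asg may reach members of app-asg, and only on TCP 8443.
        name: 'allow-web-to-app-8443'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '8443'
          sourceApplicationSecurityGroups: [ { id: asg[0].id } ]
          destinationApplicationSecurityGroups: [ { id: asg[1].id } ]
        }
      }
      {
        // Lowest-priority custom rule (4096): drops everything else, overriding the default AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) rules, so add an AzureLoadBalancer allow if a load balancer fronts this tier.
        name: 'deny-all-inbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourcePortRange: '*'
          destinationPortRange: '*'
          sourceAddressPrefix: '*'
          destinationAddressPrefix: '*'
        }
      }
    ]
  }
}
// Selecting app-asg on the NIC is what puts the VM in the group; adding a server needs no NSG change.
resource nic 'Microsoft.Network/networkInterfaces@2020-11-01' = {
  name: 'app01-nic'
  location: location
  properties: { ipConfigurations: [ { name: 'ipconfig1', properties: { subnet: { id: subnetId }, applicationSecurityGroups: [ { id: asg[1].id } ] } } ] }
}
```

A second app-tier VM needs only the same applicationSecurityGroups entry on its NIC; the NSG rules stay untouched, which is the operational saving the post describes.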

Continue reading “All about Application Security Group”