Tag Archives: azure

Talk: Are all these #Azure security features for me?

On Tuesday, July 30, 2019 I had the opportunity to speak at North Boston Azure. The talk was part of a series on Running Azure Securely and was called Are all these Azure security features for me? It was not really a “talk” in that it was highly interactive. For those who attended, you will recall we filled in some slides collaboratively. Thus, they may not appear so polished for those of you who did not join live. Either way, please find the slides (“collaborative” and all) below.


This was an experimental approach for me and the feedback from the audience tells me it worked pretty well. The group at North Boston Azure was already knowledgeable and engaged, so hopefully it made for an interesting experience for all involved (it was certainly fun for me).

Azure-DefenseInDepth-BillWilder-2019-July-30

You can follow me on Twitter (@codingoutloud).

You can also follow Boston Azure on Twitter (@bostonazure).


Who logged into my #Azure SQL Database?

Ever try to figure out how to track who logged into your Azure SQL database? You checked all the usual ways you might handle that with a SQL Server database, but one-by-one find out they just don’t work. Here’s one way to do it.

To track who is logging into your Azure SQL database, enable auditing (here’s how to do that) with audit entries directed to an Azure storage blob. There are two ways to do this: at the database server level and at the individual database level. Either is fine, but for the example that follows, auditing is assumed to be at the db server level. The example query can be adjusted to work with auditing at the database level, but one of the two auditing options is definitely required to be on!

Run this query to find out all the principals (users) who have logged in so far today into your Azure SQL database.
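As an added example (my own T-SQL, not the author's query, which is not reproduced on this page), the following reads the server-level audit files straight from blob storage and counts today's successful logins per principal. It assumes the default sqldbauditlogs container, with <storageaccount> and <servername> as placeholders, that audit event_time values are UTC, and that the two event names it filters on match what sys.dm_audit_actions reports on your server.

```sql
-- Added example, not the original post's query.
-- Placeholders: <storageaccount> and <servername> must be replaced with your own values.
-- Assumption: the event names below exist in sys.dm_audit_actions on your server
-- (check with: SELECT action_id, name FROM sys.dm_audit_actions WHERE name LIKE '%SUCCEEDED%').
SELECT
    FORMAT(MIN(f.event_time), 'dd-MMM-yyyy (dddd)') AS login_day,      -- e.g. 09-Nov-2019 (Saturday)
    f.server_principal_name                          AS principal,      -- AAD user or SQL login
    COUNT(*)                                         AS logins_today
FROM sys.fn_get_audit_file(
        'https://<storageaccount>.blob.core.windows.net/sqldbauditlogs/<servername>/',
        DEFAULT, DEFAULT) AS f
JOIN sys.dm_audit_actions AS a
    ON a.action_id = f.action_id
WHERE f.succeeded = 1                                 -- drop this line to see failed attempts as well
  AND a.name IN ('LOGIN SUCCEEDED', 'DATABASE AUTHENTICATION SUCCEEDED')
  AND CAST(f.event_time AS date) = CAST(SYSUTCDATETIME() AS date)   -- audit timestamps are UTC
GROUP BY f.server_principal_name
ORDER BY logins_today DESC;
```

Narrowing the URL to a single database or day subfolder beneath <servername> reduces how much data fn_get_audit_file has to scan, which matters given the run times mentioned below.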

The output is something like the following, assuming I’ve logged in 12 times so far today with my AAD account (bill@example.com) and 1 time with a database-specific credential (myadmin):

09-Nov-2019 (Saturday) codingoutloud@example.com 12

09-Nov-2019 (Saturday) myadmin 1

The query might take a while to run, depending on how much data you are traversing. In one of my test environments, it takes nearly 20 minutes. I am sure it is sensitive to the amount of data you are logging, database activity, and maybe settings on your blob (not sure if premium storage is supported, but I’m not using it and didn’t test with it).

Note: There are other ways to accomplish this, but every way I know of requires use of Azure SQL auditing. In this post we pushed them to blobs, but other destinations are available. For example, you could send to Event Hubs for a more on-the-fly tracker.

Talk: Running Azure Securely — PART I — Boston Azure 18-Oct-2018

At the most recent Boston Azure meeting I gave (what turns out to be…) the first part of a multi-part talk on Running Azure Securely. Even though I did not cover all this content, I’ve attached the whole PowerPoint deck below.

BostonAzure-RunningAzureSecurely-BillWilder-2018-Oct-18

Please watch for a Part II to be scheduled.

Talk: Cloud Architecture Anti-Patterns – O’Reilly Software Architecture Conference

I was pleased to speak at the O’Reilly Software Architecture Conference (#oreillysacon) in Boston today. My talk was Cloud Architecture Anti-Patterns: A concise overview of some bad ideas, delivered to an engaged, inquisitive audience.

Here is the deck:

Any feedback is welcome. Feel free to leave a comment or follow me on Twitter: @codingoutloud.

Talk: Failing in the Cloud – A How To Guide – Boston Code Camp 22

Earlier today I had the privilege of speaking at the 22nd Boston Code Camp. My talk was Failing in the Cloud: A How To Guide. Thanks to those who attended (and persevered through the A/V system from hell!).

I’m on Twitter at @codingoutloud. My book is at http://bit.ly/billbook.

The slide deck is here:

Add-AzureAccount – The Data is Invalid

I am a heavy user of PowerShell and recently I ran across an annoying problem that I didn’t find mentioned anywhere in the google. I was running the Add-AzureAccount cmdlet from the Azure PowerShell module. (Want it too? Start here. Or simply install it from the mighty Web Platform Installer.)

The Add-AzureAccount command usually pops up a login dialog so I can authenticate against my Azure account. But the behavior I was seeing never made it to that pop-up dialog – rather it quickly dumped out the following error at the command line:

Add-AzureAccount : The data is invalid.
At line:1 char:1
+ Add-AzureAccount
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureAccount], AadAuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Profile.AddAzureAccount

As mentioned above, I could not find useful references to Add-AzureAccount “data is invalid” via search engine, so I tried a few things. I first updated to the latest module. That didn’t help me – but you can check which version you have installed as follows:

PS> (Get-Module Azure).Version

Major  Minor  Build  Revision
-----  -----  -----  --------
0      8      11     -1

Then I tried both the -Debug and -Verbose command line options, which are often useful. But they made no difference to the output, so this was failing pretty early!

Since this might be related to some cached credentials, I tried deleting TokenCache.dat in case there was something funky there. Nope. Here is the command to view – and then delete – TokenCache.dat:

gci "$env:APPDATA\Windows Azure Powershell\TokenCache.dat"
ri "$env:APPDATA\Windows Azure Powershell\TokenCache.dat"

Finally, a kind soul suggested I simply try hosing out cookies from IE. That worked! Since I was in a PowerShell kind of mood, here’s how I emptied the cookie jar:

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

(I learned of this technique on many web sites by searching for ‘clear IE browser cache command line’.)

My problem was solved, and I am back to productively using Add-AzureAccount.

Hope this helps someone!

Where’s Azure? Mapping Windows Azure 4 years after full General Availability.

On October 27, 2008, Windows Azure was unveiled publicly by Microsoft Chief Architect Ray Ozzie at Microsoft’s Professional Developer’s Conference.

Less than a year later, on November 17, 2009, Windows Azure was unleashed on the world – anyone could go create an account.


Only a couple of months later, on January 1, 2010, Windows Azure turned on its Service Level Agreement (SLA) – you could now get production support.

And finally, on Feb 1, 2010, Windows Azure became self-aware – billing was turned on, completing the last step in them being fully open as a business.

That was 4 years ago today. Happy Anniversary Azure! I am not calling this a “birthday” since it isn’t – it was born years earlier as the Red Dog project – but this is the fourth anniversary of it being a fully-operational, pay-as-you-go, public cloud platform.

At the time, there were 6 Windows Azure data centers available – 2 each in Asia, Europe, and North America: East Asia, SE Asia, North Europe, West Europe, North Central US, South Central US. (Ignoring the Content Delivery Network (CDN) nodes which I plan to cover another time.)

What about today? With the addition in 2012 of the East US and West US data centers, there are now 8 production data centers in total, with more on the way.

Here’s a map of the Windows Azure data center landscape. (Source data is in a JSON file in GitHub; pull requests with additions/corrections welcome. CDN data is TBD.)

The lines between data center regions represent failover relationships drawn from published geo-replication sites for Windows Azure Storage. Mostly they are bi-directional, except for Brazil which is one-directional; the metadata on each pushpin specifies its failover region explicitly.

NOTE: this is a work-in-progress that will be updated as “official” names are published for geos and regions.

Also, be sure to click on the map pushpins to see which data center regions are in production and which are coming attractions. Not all of these pushpins represent data centers you can access right now.

There are three insets in order – first a GeoJSON rendering, second a TopoJSON rendering (which should look identical to the GeoJSON one, but included for demonstration purposes, as it is lighter weight), and the third is the raw JSON data from which I am generating the GeoJSON and TopoJSON files. [All the code is here: https://github.com/codingoutloud/azuremap. I plan to blog in the future on how it works.]
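As an added example (my own code, not anything from the azuremap repository), this takes a small region list carrying the per-pushpin failover metadata described above and emits GeoJSON: one Point per region and one LineString per failover pair, flagging whether the pair is bi-directional or, as with Brazil, one-directional. The region names are the post's; the cities, statuses and coordinates are constructed approximations, and the input shape is an assumption rather than the repository's JSON format.

```javascript
// Added example: regions -> GeoJSON pushpins plus failover lines.
// Constructed sample data; coordinates are rough approximations, not authoritative.
const regions = [
  { name: "North Europe",     city: "Dublin",      lat: 53.3,  lon: -6.3,  status: "production", failover: "West Europe" },
  { name: "West Europe",      city: "Amsterdam",   lat: 52.4,  lon: 4.9,   status: "production", failover: "North Europe" },
  { name: "South Central US", city: "San Antonio", lat: 29.4,  lon: -98.5, status: "production", failover: "North Central US" },
  { name: "North Central US", city: "Chicago",     lat: 41.9,  lon: -87.6, status: "production", failover: "South Central US" },
  { name: "Brazil South",     city: "Sao Paulo",   lat: -23.5, lon: -46.6, status: "coming",     failover: "South Central US" },
];

function buildGeoJson(list) {
  const byName = new Map(list.map(r => [r.name, r]));

  // One pushpin per region; GeoJSON coordinates are [longitude, latitude].
  const features = list.map(r => ({
    type: "Feature",
    geometry: { type: "Point", coordinates: [r.lon, r.lat] },
    properties: { name: r.name, city: r.city, status: r.status, failover: r.failover },
  }));

  // One line per failover pair. A pair is bi-directional when each region names the other.
  const seen = new Set();
  for (const r of list) {
    const target = byName.get(r.failover);
    if (!target) continue;                               // failover region not in the list
    const key = [r.name, target.name].sort().join("|");  // order-independent pair id
    if (seen.has(key)) continue;                         // already drawn from the other side
    seen.add(key);
    features.push({
      type: "Feature",
      geometry: { type: "LineString", coordinates: [[r.lon, r.lat], [target.lon, target.lat]] },
      properties: { from: r.name, to: target.name, bidirectional: target.failover === r.name },
    });
  }
  return { type: "FeatureCollection", features };
}
```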

The map data is derived from public sources (news releases and blog posts for coming data centers, and Windows Azure documentation for existing production regions).

The city information for data centers is not always published, so what I’m using is a mix of data directly published and information derived from published data. For example, it is well known there is a data center in Dublin, Ireland, but which city should I use for the US West region that’s in California? For the latter, I used IP address geocoding of the published data center IP address ranges. This is absolutely not definitive, but just makes for a slightly nicer map. It was from this data that I made assumptions around the Tokyo and Osaka locations in Japan and San Francisco in California for US West.

Finally, this map is at the region level which equates roughly to a city (see the project readme for terminology I am using). A region is not necessarily a single location, since there may well be multiple data centers per region and though they will be “near” each other, this is not necessarily in the same city – they could be 1 kilometer apart with a city border between them.