Azure Archives

Access to Blob storage using Managed Identity in Logic…

23/01/202023/01/2020
by nadeemahamed

I am delighted to share the first guest post on my blog.
Nadeem Ahamed Riswanbasha is a cloud enthusiast and community contributor working for Serverless360 in India.

Please check out his Twitter and LinkedIn profile.

Access to Blob storage using Managed Identity in Logic Apps

By default, when we create a new blob storage container the level of public access will be set to “Private (no anonymous access)”. This is because to extend the security level of the blob container. Nevertheless, if the user wishes to set the level of public access to “container (anonymous read access to the container)” which allows accessing the file by anyone, then it can be modified at the time of creation.

Assume, the business use case needs a high level of security and wants to keep the container/blob more secure. In this case, there are a lot of ways to access the secured blob/container through proper authentication. One way of achieving authentication is through Managed Identity.

What is Managed Identity?

Managed Identity allows you to authenticate to Azure AD and access Azure resources. At the backend, the identity (credentials) will be managed and secured for you. The user doesn’t necessarily need to provide or rotate the secrets.

There are two types of Managed Identity

System-assigned

The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it’s enabled on (Logic app here). So, if this Logic App is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

User-assigned

User-assigned managed identity is created as a standalone Azure resource i.e. Not tied to any service. So, it is the same as explicitly creating the AD app and can be shared by any number of services. Currently, Logic Apps only supports the system-assigned identity. Now, let us explore how to authenticate access to Azure Blob storage using Managed Identity in Logic Apps.

Enable managed identity in Logic Apps

First off, we need to enable the system-assigned identity in the logic app that you wish to access the blob storage through.
To do this, follow the steps below;

Go to the logic app menu and select the identity option under settings
A new window will be prompted under which switch the status option to ON and click Save.

enable system assigned identity in Logic App

Give managed identity access to Blob storage through RBAC

Switch to the Azure Blob Storage container menu
In the left pane, click on the Access control (IAM)
Go to the Role Assignments option and click Add
Now, a new blade will be opened on the right side of the window
Fill in the details as follows;
Role – Storage Blob Data Contributor
Assign access to – Logic App
Select – <your logic app>

You can now see that the Logic App has been assigned as a Storage Account Contributor in the role assignment section.

Design the Logic App to access the Blob

Now, let us jump in and design the logic app to access the blob storage container or files into it. But remember, not all the trigger and actions of the logic app supports managed identity feature. Here is the list of triggers and actions that supports it.

Now, let us head back to the logic app (here LinkedInTest) designer page
Add a Recurrence trigger for the logic app with a defined interval of time
Subsequently, add a new HTTP (it supports managed identity) action to the logic app
In the HTTP action, fill the following fields as follow;
- Method – Get
- URI – <the URI of the blob>
- Headers –
- x-ms-blob-type: BlockBlob
- x-ms-version: 2019-02-02
- Authentication – Managed Identity
- Audience – https://storage.azure.com (this sets the scope to all of your storage accounts)

Test your Managed Identity enabled Logic App

Save the logic app and run it. You can now see in the run history of the logic app that blob content has been successfully accessed through managed identity authentication.

Wrap-up

In this blog, we have seen how to access blob using a system-assigned managed identity in the Logic Apps.

On enabling the logic apps managed identity, an AD app gets created with the same name as that of the azure service (here LinkedInTest, logic app) in Active directory, you can check it in Enterprise Application.

Hope you enjoyed reading this article. Happy Learning!

Community

Speaking at NIC 2020 vision

17/01/202017/01/2020
by Martin Ehrnst

Nordic Infrastructure Conference, or NIC for short. It is a leading technology conference in the Nordics

If you have been to NIC previously, you already know that the conference is packed with great speakers from the entire industry. It doesn’t matter if you work with Microsoft Azure or AWS. Technology is the focus of NIC Conf.

Whether you are an IT pro, looking to step up your automation game. or just interested in new technology, I encourage you to attend my session about Azure serverless.

The two-day conference is held on February 6 and 7, Oslo Norway. Are you coming?

DevOps

Moving to Azure and team requirements

08/12/201908/12/2019
by Martin Ehrnst

Around ten years ago, traditional IT-professionals started to talk about losing their jobs due to the public cloud.
It’s no secret that people actually have lost their job in the last years. But I’m pretty confident those who managed to make some changes kept their job or got a better position in another company.

The specialists

In my job, working for a service provider, I have seen the change from many angles. Ten years ago, we helped companies with traditional IT infrastructure. Smaller companies running physical servers On-Premises, or larger companies with an ESX stack in their office. They were all managed by our specialists. Specialists on network devices knew everything about the hardware, and how to place them in the racks.
The server team was Windows Server specialists, but also knew ‘everything’ about storage. Disks, SAN, etc.

Cultural changes

Many companies hire new people to handle the infrastructure on Azure or other public and private clouds. But I think that is a bad idea. Investment in making cultural changes should be the main priority. Moving to Azure introduces a new platform and products to your ecosystem, but the knowledge from traditional infrastructure is still very valid. Subnetting and firewalls still exist, as do operating system patches and failed backups. Your existing team already knows your infrastructure, making them the best fit to manage it on Azure as well.

Moving to Azure or any other cloud will require a code-first approach to manage and deploy the infrastructure. Git, Pipelines and pull requests is now as normal as calculating subnets.

Team requirements

The team required to move your infrastructure, and successfully manage it should be familiar with the DevOps methodology, and how to define the infrastructure in code.

Another thing to keep in mind is that platform knowledge is very important for everyone managing the workloads running in Azure and other cloud platforms.
Let’s take a look at monitoring. In order to have a good monitoring platform, you require a few basics like alerting. Alerting is built into every monitoring platform out there, and is the foundation of monitoring. But alerts need to be handled. Hopefully, you have killed email alerts already, and you have other routines in place, like an ITSM platform or maybe your alert remediation is a PowerShell script.
To have an alert automatically remediated in Azure Monitor, you will need to learn a new product like Azure Functions to run your PowerShell script.

PS: Microsoft replaced SCOM for Azure monitor, driven by cultural changes and DevOps

Modern IT-Pro’s

At its core, IT hasn’t changed that much. It is still zero’s and one’s. The cultural changes and the desire to learn new technology and work methodology is, in my opinion, the biggest challenge.
The amount of pressure to adopt a new way of work and to learn new technology is not a joke.
If you can call your self a modern IT pro, you deserve many high fives, and you can be very proud of what you have achieved.

Azure

Azure Lighthouse why is it so important

15/08/201920/12/2019
by Martin Ehrnst

Working for a Managed Service Provider (MSP) I have many times faced the challenges of managing multiple separate customers from one single pane. Whether it is a multi-tenant active directory, single AD or a vanilla Azure tenant. An MSP is only good when they can build tools to manage all customers in a streamlined fashion.

In the Microsoft sphere, partners and large enterprises have faced many of the same challenges. If you are a large enterprise, you might be eligible for an Enterprise Agreement.
As a partner, you can apply to become a (tier 1) Cloud Solution Provider (CSP). The tools provided are are far from good enough. The challenge is that you are still bound to tenant isolation. If you wanted to have a view of all alerts in Azure Monitor for all your customers. You need to create a tool that authenticates against each individual tenant and retrieves this information. Similar to what I did with SCOM.

Project Towboat

Last year I attended a side meeting for MSPs at Ignite. We discussed at scale management in the Azure Portal. We were promised that something called Project Towboat was planned. Since then it have been dead silent.
Out of the blue, Microsoft announced Azure Lighthouse. Promising simplified cross tenant resource management. So what makes this so great?

Delegated resource access

Azure Lighthouse uses delegated resource access. In essence, the customer establishes a trust with your (management/master) tenant. This allows for the users in the management directory (tenant) to manage resources on behalf of their customers. Many use Azure AD B2b to manage resources across multiple tenants. With Azure Lighthouse, you can do that without changing the context of the user.

In my opinion. Here are some of the features that make Azure Lighthouse so important to MSPs, and others managing multiple tenants.

Cross tenant monitoring in Azure

Azure Monitor is now multi-tenant. As long as the resource group or subscription is available for the person using Azure Monitor. Application and infrastructure monitoring is available from a single pane of glass.

Multi-tenant Log Analytics queries

Log Analytics is a part of Azure Monitor and is called Azure Monitor Logs, the engine behind is Log Analytics.
Log Analytics is already capable of searching within multiple workspaces. Since Azure Lighthouse will surface your customer’s workspaces, you can run cross tenant queries, how cool is that?

Azure security center for all customers

The beauty with delegated resource management just continues. Another great thing for your security team apart from Log Analytics is Azure Security Center is available in Azure Lighthouse. This means that the team (or that one person) can look at one single dashboard, or write the integration against one tenant.

Summary

With Azure Lighthouse greatly simplifies at scale and cross tenant management. Being tightly integrated with Azure Resource Manager for deployment, as well as Azure Monitor and Security Center for monitoring infrastructure and security.

I am really looking forward to creating solutions and working more with Azure Lighthouse. It is a long-awaited product, and with this launch, Microsoft is way ahead of its competitors.
Expect more dedicated posts on how to manage and automate using lighthouse in the future.

You can read more and find examples on the official Azure Lighthouse documentation and Azure Lighthouse github examples

Azure Monitor

Metric alerts for Azure monitor logs

12/06/201912/06/2019
by Martin Ehrnst

A common thing for traditional companies is to have one team responsible for monitoring. A few years ago, this team where close friends with the team provisioning infrastructure. Now, more and more companies are shifting to the “DevOps” world. Even Microsoft have killed SCOM and are only using Azure Monitor. Meaning that the one deployed the code (and the infrastructure) should be responsible for monitoring. In essence, this is great. But this transition takes time, and one should not underestimate the knowledge of the team who have been responsible for monitoring your entire infrastructure for decades.

If you are familiar with SCOM, you know that rules and monitors is targeted against a class of objects. IE, Windows 2016 operating system. When we move our workloads to Azure, we want to use Azure Monitor to monitor our workloads and VMs.

Enter Log alerts

Log Alerts has been around for quite some time and is commonly used to alert on actual log data. IE custom application logs, Windows event log and so on. But Log alerts has a “hidden” feature, especially for your monitoring teams, not wanting to manage hundreds of duplicate rules.

By using Log alerts with metric measurements you can almost replicate the what discoveries in SCOM does- find resources of a specific type, and attach some kind of monitoring to them. For example, you can create a search query for all your IaaS VMs and alert on their CPU counter.

This will let your monitoring team recreate all their logic, and have control over the entire infrastructure, almost as they had on-permises. At the same time you can leverage more DevOps practices and at the end have every team responsible for their own work.

Kusto examlpe

Below is a simple example that will list all VMs and their processor time. You can create an alert straight from Azure Monitor logs (former Log Analytics) or start from a new alert.

 Perf | where ObjectName == "Processor" and CounterName == "% Processor Time" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 5m), Computer

Summary

You have the option to monitor multiple VMs using one Alert Rule in Azure Monitor already. But one limitation is that this solution will not add new VMs to the alert rule. And for the time being, it only supports virtual machines
Log alerts are dependent on your query. So as long as your data is available, you can alert on it. Whether it is a web app, a SQL server or a custom log.

With Log Alerts, the transition to a public cloud-based infrastructure might be easier. Your operations teams can use their knowledge and re-create their on-premises monitoring logic as searches.
Application alerts could still be handled by the developers, and you can provision those using ARM templates or similar.

PS: I was going to write a longer post on how to manage and programmatically create log alerts, but with these great examples in Microsoft docs, there’s no need to re-invent the wheel.

Access to Blob storage using Managed Identity in Logic…

Access to Blob storage using Managed Identity in Logic Apps

What is Managed Identity?

System-assigned

User-assigned

Enable managed identity in Logic Apps

Give managed identity access to Blob storage through RBAC

Design the Logic App to access the Blob

Test your Managed Identity enabled Logic App

Wrap-up

Share this:

Speaking at NIC 2020 vision

Share this:

Moving to Azure and team requirements

The specialists

Cultural changes

Team requirements

Modern IT-Pro’s

Share this:

Azure Lighthouse why is it so important

Project Towboat

Delegated resource access

Cross tenant monitoring in Azure

Multi-tenant Log Analytics queries

Azure security center for all customers

Summary

Share this:

Metric alerts for Azure monitor logs

Enter Log alerts

Kusto examlpe

Summary

Share this: