Christoph Vollmann

Azure, Office 365 and SharePoint from a consultant perspective

Month: February 2020

Export your Azure inventory as CSV files

You can always use the Azure portal to export all your resources to one CSV file (Use the “All resources” blade and then click “Export to CSV”).

Script for exporting your inventory

Or you can use this script to export your Azure inventory. It creates a separate CSV file for every subscription that contains resources.

After downloading, open your favorite PowerShell and type

.\Get-AzureInventory.ps1

Marketplace resources vs. CSP contracts

It also creates a CSV file that contains only your marketplace items. This is most useful if you change your Azure contract model.

For example, if you switch from an EA/SCE or Pay-As-You-Go contract to a CSP contract, some of the marketplace resources aren’t available yet in CSP.

So you can send your CSP provider these files to give them an overview of your Azure environment and then discuss with them whether all your resources will be available.
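The following is an added example of what such an export looks like with the Az module; it is not the AzureInventory script from the repository linked below. It walks every subscription the signed-in account can read, writes one CSV per subscription, and collects the marketplace items (resources that carry a Plan with a publisher) into one extra file. The output folder and file naming are assumptions; it expects Az.Accounts and Az.Resources to be installed and Connect-AzAccount to have been run.

```powershell
# Added example, not the AzureInventory script: one CSV per subscription plus
# one CSV with marketplace items only. Folder name is a constructed assumption.
#Requires -Modules Az.Accounts, Az.Resources

param(
    [string]$OutputFolder = ".\inventory"
)

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
$timestamp   = Get-Date -Format "yyyyMMdd-HHmm"
$marketplace = New-Object System.Collections.Generic.List[object]

foreach ($sub in Get-AzSubscription) {
    # Get-AzResource always works in the scope of the current subscription
    Set-AzContext -Subscription $sub.Id | Out-Null
    $resources = @(Get-AzResource)

    if ($resources.Count -eq 0) {
        Write-Host "Skipping $($sub.Name): no resources"
        continue
    }

    $rows = @(foreach ($r in $resources) {
        # Tags may be absent; flatten them to key=value pairs for the CSV
        $tagText = ''
        if ($r.Tags) {
            $tagText = ($r.Tags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
        }
        [pscustomobject]@{
            Subscription   = $sub.Name
            SubscriptionId = $sub.Id
            ResourceGroup  = $r.ResourceGroupName
            Name           = $r.Name
            Type           = $r.ResourceType
            Location       = $r.Location
            # Marketplace resources carry a Plan (publisher/product/name); first-party ones do not
            PlanPublisher  = $r.Plan.Publisher
            PlanProduct    = $r.Plan.Product
            PlanName       = $r.Plan.Name
            Tags           = $tagText
        }
    })

    # Subscription names may contain characters that are not allowed in file names
    $safeName = $sub.Name -replace '[\\/:*?"<>|]', '_'
    $file = Join-Path $OutputFolder "$timestamp-$safeName.csv"
    $rows | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    Write-Host "Wrote $($rows.Count) resources to $file"

    $marketplace.AddRange(@($rows | Where-Object { $_.PlanPublisher }))
}

# One file across all subscriptions: the list to hand to a CSP partner before a contract change
$mpFile = Join-Path $OutputFolder "$timestamp-marketplace.csv"
if ($marketplace.Count -gt 0) {
    $marketplace | Export-Csv -Path $mpFile -NoTypeInformation -Encoding UTF8
}
Write-Host "Wrote $($marketplace.Count) marketplace resources to $mpFile"
```

The marketplace filter relies on the Plan property that Get-AzResource returns for third-party images and offers; first-party Azure resources have no Plan, so they never appear in the second file.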

Download

Download ZIP file

or view the repository on GitHub:
https://github.com/cloudchristoph/AzureInventory

I’ve tested this with:

  • PowerShell 5.1
  • PowerShell 6.0 Core
  • Azure Az Module Version 3.3.0

Don’t hesitate to contact me if you have questions or ideas for this script.

What are the default security settings for an Azure VNet?

My client has asked me in our workshop:

What are the default security settings for an Azure VNet?

On an Azure VNet you cannot initially apply things like a Network Security Group, only things like allowed services (via Service endpoints or Private endpoints). So there are no default security settings except those that Microsoft itself always applies (e.g. DDoS Protection).

However, each VNet consists of at least one subnet. Network Security Groups (NSGs) can (and should) then be applied at the subnet level.

What’s a Network Security Group?

An NSG contains security rules in the form of a 5-tuple ACL.
So you define source IP (or IP range), destination IP (or IP range), source port, destination port and protocol (TCP or UDP). Furthermore you define the action – Allow or Deny.

The order of evaluation is determined by priority. A rule with a higher priority (lower number) beats a rule with a lower priority (higher number); the first matching rule wins.

What are the default rules?

Default Network Security Group rules

For outgoing connections you’ll find these rules:

  • Allow any outgoing connections to other resources in the same VNet
  • Allow any outgoing connections to the Internet
  • Everything else outgoing? Deny

For incoming connections you’ll find these rules:

  • Allow any incoming connections from other resources in the same VNet
  • Allow any connections from Azure Load Balancer probes
  • Everything else incoming? Deny

“Unwritten rule” – Port 25

Port 25 (used for sending emails over SMTP) is blocked by default if you’re not on an EA contract or your agreement was made after November 2017. If you want to send mail from your VMs over port 25, you’ll have to open a support case at Microsoft.
Why does this rule exist? I think that Microsoft wants to prevent spambots from running in Azure on a large scale and messing up the entire IP address space.

Should I adjust these default rules?

It depends (of course). For example, if you don’t want your resources in this VNet to communicate directly with the Internet, you have to adapt this rule.
Very often a rule is also set up that opens the RDP port for Windows or the SSH port for Linux. Instead, you should use modern methods such as Azure Bastion or Just-in-time VM access.
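To make the 5-tuple, the priority ordering and the “adapt the default Internet rule” advice concrete, here is an added PowerShell example using the Az.Network module; it is not code from the post. It creates an NSG with two custom outbound rules (allow HTTPS to the Internet at priority 100, deny everything else to the Internet at priority 4000), lists them next to the platform default rules, and attaches the NSG at subnet level. No inbound RDP/SSH rule is added, so the default DenyAllInBound keeps management ports closed. The resource group, VNet, subnet name and address prefix are constructed placeholders and must already exist; Connect-AzAccount must have been run.

```powershell
# Added example, not from the post: tighten outbound Internet access with an NSG
# and attach it to a subnet. All names and prefixes below are constructed.
#Requires -Modules Az.Network

$rgName     = "rg-workshop"
$location   = "westeurope"
$vnetName   = "vnet-workshop"
$subnetName = "snet-app"
$subnetCidr = "10.10.1.0/24"

# Each custom rule is the 5-tuple (source, destination, ports, protocol) plus an action.
# Priority 100: allow HTTPS to the Internet (updates, Azure APIs) ...
$allowHttpsOut = New-AzNetworkSecurityRuleConfig -Name "AllowHttpsOutbound" `
    -Description "HTTPS only to the Internet" -Access Allow -Protocol Tcp `
    -Direction Outbound -Priority 100 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange 443

# ... priority 4000: deny everything else to the Internet. 4000 is a lower number than
# the default AllowInternetOutBound rule (65001), so this rule wins and the subnet can
# no longer talk to the Internet directly, which is the adjustment described above.
$denyInternetOut = New-AzNetworkSecurityRuleConfig -Name "DenyInternetOutbound" `
    -Description "Block all other Internet egress" -Access Deny -Protocol * `
    -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange *

# Deliberately no inbound RDP/SSH rule: use Azure Bastion or Just-in-time access
# instead, so the default DenyAllInBound (65500) keeps management ports closed.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name "nsg-$subnetName" -SecurityRules $allowHttpsOut, $denyInternetOut

# Show the custom rules next to the platform defaults (65000 and above), ordered
# the way the platform evaluates them: per direction, lowest number first
@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, Protocol, SourceAddressPrefix, DestinationAddressPrefix, DestinationPortRange -AutoSize

# NSGs attach to subnets (or NICs), never to the VNet itself
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnetCidr -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The table output makes the ordering visible: within the Outbound direction the two custom rules (100 and 4000) appear before AllowVnetOutBound (65000), AllowInternetOutBound (65001) and DenyAllOutBound (65500), so VNet-internal traffic is still allowed by the default rule while non-HTTPS Internet traffic is denied before the default allow is ever reached.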

Learn more

Microsoft Docs about Network Security Groups

4 useful sites for your next Azure Workshop

Besides the Azure Portal of course, there are some useful and nicely done websites that I use during my workshops. Maybe they are also helpful for your next meeting.

Azure Charts

This site from Alexey Polkovnikov gives you a great overview of all Azure services and their latest updates. At the moment the region comparison tool is very useful to me. I use it, for example, to show my customers which services are still missing in the new Germany datacenters compared to West Europe.

Azure Speed

If my customers ask me about the “best” Azure region for their workloads from their location, I’ll open up Azure Speed and then discuss it with them.

azureprice.net

When talking about different prices for the same service in each region, I open azureprice.net/region and show them the difference in VM pricing.

AAD Application Proxy Port Check

“Are we ready for AAD App Proxy?” – Start with checking the connections from your designated server. It’s a nice starting point. 

If you have more useful sites, let me know!

© 2020 Christoph Vollmann
