We had a request to create a script which will take care of deleting a Virtual Machine from an Azure subscription and perform the clean-up of all the associated objects, as deleting the virtual machine from the Azure portal will remove the VM object alone and does not delete… Continue Reading Script to Delete Azure ARM Virtual Machine

Migrating a SQL Server database to Azure SQL PaaS Microsoft SQL Server and Azure SQL PaaS service are compatible with each other, meaning that a database can be moved from a SQL server running on a physical or virtual machine to Azure SQL service and vice versa. Prerequisites and… Continue Reading Migrating a SQL Server database to Azure SQL PaaS

We had to create this guide after multiple efforts to get a simple iLB (Internal Load Balancer) in Azure ARM for setting up the ADFS (Active Directory Federation Services) servers to connect and work via a load-balanced IP in Azure ARM. The tricky part was to get this… Continue Reading Azure Internal Load Balancer Implementation Guide

Overview The following guide assumes that the user has basic knowledge of using Windows. Although some familiarity with PowerShell scripting and the Azure Portal would be beneficial, it is absolutely not necessary, as the scripts are being provided in their entirety and screenshots are shown as of where and how… Continue Reading EXPRESSROUTE PROVISIONING GUIDE

Pre-requisites The following prerequisites must be met, before performing the Core capacity check steps. Internet connection Valid Azure Subscription The person who will perform the below steps must have one of the following roles in the Azure subscription Owner Contributor Some familiarity with the Azure Portal would be beneficial, although… Continue Reading Create Windows Server 2003 Custom VHD for Azure VM Creation

The following guide assumes that the user has basic knowledge of using Windows. Although some familiarity with PowerShell scripting and the Azure Portal would be beneficial, it is absolutely not necessary, as the scripts are being provided in their entirety and screenshots are shown as of where and how to… Continue Reading Check Core Capacity for an Azure Subscription

Since Azure introduced their new Azure Resource Manager (ARM) deployment model, I have seen their Network Security Group (NSG) feature evolve to be very good and similar to the web GUI page of a normal firewall device used to configure the rules.

While working on an IT transformation project for a client in the UK, where we are migrating their IaaS (Infrastructure as a Service) hosting from an on-premises DC to Azure, we hit upon a simple question which is generally asked by most Network support teams.

Can you please configure Azure NSG to allow ICMP traffic into the subnet?

We searched the Microsoft Azure documentation (official and unofficial) and asked the Microsoft Support Engineers, but did not get a valid response from them. We decided to search the World Wide Web (www) for a possible answer and hit upon this blog post by Thomas, which was hidden from normal search results (Thanks a lot Thomas, you saved us…)

Azure Quick Tip: Block or Allow ICMP using Network Security Groups

We are set to test this over this weekend.  I am posting the most relevant content (the code taken as-is without any damage to IP and copyrights)


Now how can we block all traffic but allow ICMP? Simple, by explicitly denying UDP and TCP but allowing *. In this example I included the allow rule, but it should be covered by the default rules anyhow.

#allow ping, block UDP/TCP

 Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockTCP -Type Inbound -Priority 40000 -Action Deny -SourceAddressPrefix "*"  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "TCP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockUDP -Type Inbound -Priority 40001 -Action Deny -SourceAddressPrefix "*"  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "UDP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-Azure

If we want to work the other way round: allow UDP/TCP but block ICMP we can turn the logic around:

 

The source/destination information is pretty open as I use * for those, but that’s just an example here. It’s up to you to decide for which ranges to apply this. And you might probably open up some additional ports for actual traffic to be allowed.

The current NSG rules only allow for protocols ‘TCP’ or ‘UDP’. There is not a specific tag for ‘ICMP’. However, ICMP traffic is allowed within a Virtual Network by default through the Inbound VNet rules that allow traffic from/to any port and protocol ‘*’ within the VNet.

#block ping, allow UDP/TCP

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowTCP -Type Inbound -Priority 40000 -Action Allow -SourceAddressPrefix "*"  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "TCP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowUDP -Type Inbound -Priority 40001 -Action Allow -SourceAddressPrefix "*"  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "UDP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockPing -Type Inbound -Priority 40002 -Action Deny -SourceAddressPrefix "*"  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "*"
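Both rule sets above depend on NSG rules being evaluated in ascending priority order with the first match deciding, so the `*` rule only ever sees what the TCP and UDP rules did not match. The following offline model of that evaluation is an added example, not code from the quoted blog post or from Azure. `Get-NsgVerdict` and `New-Rule` are hypothetical helpers, `AllowRest` is an assumed name for the allow rule whose command is cut off above, and the third rule set is constructed to show what happens when the catch-all gets the lowest number.

```powershell
# Added illustration: offline model of NSG first-match evaluation; no Azure cmdlets are called.
# Only the protocol is matched, because every rule on this page uses '*' for addresses and ports.
function Get-NsgVerdict {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [Parameter(Mandatory)] [string]   $Protocol   # protocol of the inbound packet
    )
    # Lowest priority number is evaluated first; the first matching rule decides.
    foreach ($rule in ($Rules | Sort-Object -Property Priority)) {
        if ($rule.Protocol -eq '*' -or $rule.Protocol -eq $Protocol) {
            return [pscustomobject]@{ Protocol = $Protocol; Action = $rule.Action; Rule = $rule.Name }
        }
    }
    # No custom rule matched. Of the platform defaults, only the final DenyAllInBound is modeled.
    [pscustomobject]@{ Protocol = $Protocol; Action = 'Deny'; Rule = 'DenyAllInBound' }
}

function New-Rule ($Name, $Priority, $Action, $Protocol) {
    [pscustomobject]@{ Name = $Name; Priority = $Priority; Action = $Action; Protocol = $Protocol }
}

$ruleSets = [ordered]@{
    'allow ping, block UDP/TCP' = @(
        New-Rule BlockTCP  40000 Deny  TCP
        New-Rule BlockUDP  40001 Deny  UDP
        New-Rule AllowRest 40002 Allow '*'   # assumed name; the page's third command is truncated
    )
    'block ping, allow UDP/TCP' = @(
        New-Rule AllowTCP  40000 Allow TCP
        New-Rule AllowUDP  40001 Allow UDP
        New-Rule BlockPing 40002 Deny  '*'
    )
    'catch-all evaluated first (constructed)' = @(
        New-Rule BlockPing 39999 Deny  '*'   # lowest number, so it shadows both allow rules
        New-Rule AllowTCP  40000 Allow TCP
        New-Rule AllowUDP  40001 Allow UDP
    )
}

# Print the verdict for each protocol under each rule set.
foreach ($name in $ruleSets.Keys) {
    foreach ($proto in 'TCP', 'UDP', 'ICMP') {
        $v = Get-NsgVerdict -Rules $ruleSets[$name] -Protocol $proto
        '{0,-40} {1,-5} {2,-6} {3}' -f $name, $v.Protocol, $v.Action, $v.Rule
    }
}
```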

Again, we are really thankful for this post, which has documented this, and to a colleague of Thomas who has verified the same, allowing us to implement and confirm it. We are waiting for approval from the Change Management team to implement it and provide a response.

 

 

 

I happen to browse the website of Bezerra de Menezes Spiritist Society UK and found this wonderful blog post. Lord, thank you so much! For the air that you give to us to breath, For the bread that feed us, For the clothes that we wear, For the joy that we possess,… Continue Reading Gratitude Poem by Amelia Rodrigues
