Mark's IT Blog

ITOps Random

OpenVPN – Docker Quick Start

Post author By mark
Post date June 26, 2024
No Comments on OpenVPN – Docker Quick Start

Quick and easy VPN setup using OpenVPN Docker image, on Amazon Linux 2023.

References

Installation steps

Install docker on amazon linux 2023

dnf update -y dnf install docker -y systemctl enable docker systemctl start docker

OpenVPN Access Server Docker Image

# see: https://openvpn.net/as-docs/docker.html#run-the-docker-container docker pull openvpn/openvpn-as docker run -d \ –name=openvpn-as –cap-add=NET_ADMIN \ -p 943:943 -p 4443:4443 -p 1194:1194/udp \ -v /root/openvpn-server:/openvpn \ openvpn/openvpn-as # Modify ports and hostname as appropriate
cd /root/openvpn-server/etc vim ./config-local.json
docker restart openvpn/openvpn-as # Get Temp password docker logs openvpn-as | grep -i “Auto-generated pass” # Scroll to find the line, Auto-generated pass = “[password]”. Setting in db..

Configure your OpenVPN services

# Use the generated password sign in to the Admin Web UI. # username: openvpn https://[my_hostname_or_pubip].com:943/admin/ # Check the hostname setting.. put in yourhostname… https://[my_hostname_or_pubip]:943/admin/network_settings # Stop the VPN services and start to ensure changes loaded and persistent: https://[my_hostname_or_pubip]:943/admin/status_overview # Create a user and a new Token Url for the user to import the profile

Windows Client set up

# Install with winget: winget install -e –id OpenVPNTechnologies.OpenVPNConnect # Once installed, get the token which will be something like: openvpn://https://[my_hostname_or_pubip]:043/ConnectClient/[token].ovpn # Put in browser and should open up the OpenVPN client and import the profile, and connect

Checkout your traffic routing

Random

Writing ‘modern’ PowerShell Modules [2024]

Post author By mark
Post date May 8, 2024
No Comments on Writing ‘modern’ PowerShell Modules [2024]

Context

PowerShell was… initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on August 18, 2016, with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET (previously .NET Core). PowerShell – Wikipedia

Differences between Windows PowerShell 5.1 and PowerShell 7.x – PowerShell | Microsoft Learn
- What is PowerShell? – PowerShell | Microsoft Learn
  - PowerShell Support Lifecycle – PowerShell | Microsoft Learn
- What is Windows PowerShell? – PowerShell | Microsoft Learn
  - The latest version is Windows PowerShell 5.1. Microsoft is no longer updating Windows PowerShell with new features. Support for Windows PowerShell is tied to the version of Windows you are using.

As Microsoft is no longer updating Windows PowerShell with new features it makes sense to use the procedure for ‘Developing modern modules‘ which are (hopefully) portable to any OS running PowerShell.

If creating a new module, the recommendation is to use the .NET CLI.

Create module from ‘Standard Template’

# Install .NET SDK > winget install Microsoft.DotNet.SDK.8 Found Microsoft .NET SDK 8.0 [Microsoft.DotNet.SDK.8] Version 8.0.204 … Successfully installed # Install a ‘template library to generate a simple PowerShell module’ > # Install .NET SDK > winget install Microsoft.DotNet.SDK.8 Found Microsoft .NET SDK 8.0 [Microsoft.DotNet.SDK.8] Version 8.0.204 … Successfully installed # Install a ‘template library to generate a simple PowerShell module’ ## Requires NuGet source enabled > dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org > dotnet new install Microsoft.PowerShell.Standard.Module.Template # Create a new module project > mkdir myPSModule; cd .\myPSModule > dotnet new ps5module

Random

Azure Virtual Secure Administration Workstation – Part 4 – Configuring Entra SSO

Post author By mark
Post date November 18, 2023
2 Comments on Azure Virtual Secure Administration Workstation – Part 4 – Configuring Entra SSO

Azure Secure Admin Workstation posts:

Part 1 – VDI Environment
- Resource Group, Host pool, Workspace, Application Group, created an Entra Group with the ‘Desktop Virtualization User’ role and tie them all together.
Part 2 – Firewalls and VNets
- Vnets, Subnets, IPs AzureFirewalls, Routes, FW rules etc.
Part 3 – Session hosts and access
- Adding our SAW VM to the HostPool, connecting and authenticating
Part 4 – Configuring Entra SSO
- Solving authentication and session establishment issues
- Getting Entra SSO working!
Public GitHub project:
- zoak-solutions/AzureVirtualSAW (github.com)

Context and References

After deploying a session host, was able to connect with the local administrator created with the VM, but not the Entra users in the group created.
Got things working after reading these docs and applying the following:
- Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access – Azure | Microsoft Learn
- Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication – Azure | Microsoft Learn

Troubleshooting and Errors

After not being able to sign in with an Entra user, took a look at:

Error: Unable to connect right now

Likely related to the AVD VM’s ability to talk to required Entra endpoints
- An easy way to validate this is to add a temporary allow all outbound TLS

Tags AzureVirtualSAW

ITOps Random

Mounting CloudShell Persistence Storage locally

Post author By mark
Post date November 9, 2023
No Comments on Mounting CloudShell Persistence Storage locally

Context

CloudShell is very handy for working with Azure and M365, it removes the issues of PowerShell versioning/modules/authentication and is hosted within you Azure infrastructure boundary, providing some mitigation to privileged access and administrator device risks.
When implementing an Azure Virtual Secure Administration Workstation solution I ended up wasting a bunch of time editing files via the Azure CloudShell instead of locally, this resulted in silly typos (due to lack of syntax highlights, error correction and all the other goodness of an IDE like Visual Studio Code.
To solve this issue I want to mount my CloudShell persistent storage locally, enabling me to edit files locally and immediately test in CloudShell, without pushing/pulling and inevitable conflicts between local and remote.
Turns out that this is much easier than expected using
- VSCode Extension: Azure Account – Visual Studio Marketplace

References

Procedure

Install the Azure Account and Azure Storage extensions for VSCode:
- Azure Account – Visual Studio Marketplace
- Azure Storage – Visual Studio Marketplace
Sign in with the extension in VScode:
- CTRL+SHIFT+P > Azure: Sign in
  - Opens browser AuthFlow
Open Azure Cloud Shell (PowerShell) in VSCode Terminal:
- CTRL+SHIFT+P > Terminal: Create New Terminal (With Profile)
  - If you don’t have NodeJS installed the extension will ask you to install (providing button to click..) the link the extension provided was to an older version of NodeJS and not latest… suggest just using: Node.js (nodejs.org)

Mount your CloudDrive share locally

I had some issues doing this with VScode following: How to Use Cloud Shell in Visual Studio Code
Instead I am just using the Azure Extensions Resource Explorer (SHIFT+ALT+A), navigating to the fileshare and selecting files (which opens them in VScode local window)
NOTE: The CloudDrive is not your enitire CloudShell homedir, its ~/clouddrive

Tags azure

ITOps

Azure Virtual Secure Administration Workstation – Part 3 – Session hosts and access

Post author By mark
Post date November 4, 2023
2 Comments on Azure Virtual Secure Administration Workstation – Part 3 – Session hosts and access

Azure Secure Admin Workstation posts:

Part 1 – VDI Environment
- Resource Group, Host pool, Workspace, Application Group, created an Entra Group with the ‘Desktop Virtualization User’ role and tie them all together.
Part 2 – Firewalls and VNets
- Vnets, Subnets, IPs AzureFirewalls, Routes, FW rules etc.
Part 3 – Session hosts and access
- Adding our SAW VM to the HostPool, connecting and authenticating
Part 4 – Configuring Entra SSO
- Getting Entra SSO working!
Public GitHub project:
- zoak-solutions/AzureVirtualSAW (github.com)

Context

In the interest of enabling source control and potentially automation, the deployment is conducted using PowerShell commands. In this example I am using Azure CloudShell, for manual and exploratory activities it is handy as it is secure, includes all required modules, removes any authentication faff.

If you want to create Microsoft Entra joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. (Add session hosts to a host pool | Microsoft Learn)
You can create session hosts and register them to a host pool in a single end-to-end process with the Azure Virtual Desktop service using the Azure portal or an ARM template. You can find some example ARM templates in our GitHub repo

Reference Materials

Key Terms

Session Host: An Azure VM to the Application Group that we created in Part 1, this is what authorised users connect to.
Registration Key: When you add session hosts to a host pool, first you’ll need to generate a registration key. A registration key needs to be generated per host pool and it authorizes session hosts to join that host pool. It’s only valid for the duration you specify. (maximum of 30 days validity), see: Add session hosts to a host pool – Azure Virtual Desktop | Microsoft Learn

Deployment Procedure

When using Azure CLI or Azure PowerShell you’ll need to create the virtual machines outside of Azure Virtual Desktop, then add them as session hosts to a host pool separately.

Add members to the saw_user_group
- NOTE: handled in zoak-solutions/AzureVirtualSAW (github.com)
Generate a registration key
- When you add session hosts to a host pool, first you’ll need to generate a registration key. A registration key needs to be generated per host pool and it authorizes session hosts to join that host pool. It’s only valid for the duration you specify. If an existing registration key has expired, you can also use these steps to generate a new key.
Create and register session hosts with the Azure Virtual Desktop service
- Can only be conducted via the Azure portal
- Add session hosts to a host pool – Azure Virtual Desktop | Microsoft Learn

Add Entra joined Session Host

Following is direct from Add session hosts to a host pool – Azure Virtual Desktop | Microsoft Learn:

Sign in to the Azure portal.
In the search bar, enter Azure Virtual Desktop and select the matching service entry.
Select Host pools, then select the name of the host pool you want to add session hosts to.
On the host pool overview, select Session hosts, then select + Add.
The Basics tab will be greyed out because you’re using the existing host pool. Select Next: Virtual Machines.
On the Virtual machines tab, complete the following information:

(this is for our use case and assumes you followed Part 1, of course customise this as appropriate)
- Name prefix: SAW
- Availability options: No infrastructure redundancy required
- Security Type: Trusted launch virtual machines
- Enable secure boot: True
- Enable vTPM: True
- Integrity monitoring: True
- Image: Latest Windows 11 Enterprise multi-session
  - If we select Personal instead of Pooled in Part 1, we would have non-Enterprise options here…
- Virtual machine size, Number of VMs, OS disk type
  - Use case dependent with no impact on procedure/security
- Boot diagnostics: Enabled with managed storage account
- Network and security
  - Virtual Network: SAWVnet
  - Subnet: SAWSubNet
  - Network security group type: Basic
  - Public inbound ports: No
- Domain to join
  - Select which directory you would like to join: Microsoft Entra ID
  - Enroll VM with Intune: Yes
- Virtual machine administrator account
  - Required for Azure to provision the VM, once it joins Entra and Intune your Configuration Profile should remove the local administrator
- Custom configuration
  - Custom configuration script url: None for now…
Tags?
- Suggest adding ‘ResougeTag:AzureSAW’ for now… tags can be handy
Download a template for automation, suggest doing this as a default behaviour
Create!

Post Host Deployment

After launching your first Session Host, Azure will take several (20?!) mins to deploy the session host and add it to the Host Pool. You can verify this was successful via Host pools – Microsoft Azure:

Enable Entra ID SSO

Whilst this should be included in the scripts (at some point)… ensure the host pool -> RDP Properties (Noting: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication – Azure | Microsoft Learn)
Didn’t work out of the box for me so made Part 4 – Configuring Entra SSO to track what needed to be done.

Troubleshooting

Azure Virtual Desktop unable to access required network endpoints for provisioning
- Fix in test case: Ensure Azure Firewall Policy has all required endpoints allowed
  - Use Azure Firewall to protect Azure Virtual Desktop | Microsoft Learn
    - RDS-Templates/AzureFirewallPolicyForAVD at master · Azure/RDS-Templates · GitHub
If you are able to connnect to the SAW, but unable to authenticate, check

Disk Encryption???

Does enrollement in Entra and Intune enable Intune managed Bitlocker? (removing need for Azure managed Bitlocker?)
Enable Azure Disk Encryption for Windows VMs – Azure Virtual Machines | Microsoft Learn
Server-side encryption of Azure managed disks – Azure Virtual Machines | Microsoft Learn

PowerShell

Assumes using an appropriately authenticated user with sufficient privileges
zoak-solutions/AzureVirtualSAW (github.com)
- Source file below: AzureVirtualSAW/scripts/CreateRegKey.ps1 · GitHub
NOTE: This is just for generating a Registration key, as we want Microsoft Entra joined session hosts, we can only create them via the Azure Portal as per: Add session hosts to a host pool | Microsoft Learn

RAW_https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/CreateRegKey.ps1

After creating the Registration Key we can completed the Session Host deployment as per Add Entra joined Session Host
zoak-solutions/AzureVirtualSAW (github.com)
- Source file below: AzureVirtualSAW/scripts/AddMembersToGroup.ps1 · GitHub

RAW_https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/AddMembersToGroup.ps1

Connect to my Azure Virtual SAW!

Assuming your session host deployed successfully and your user has been added the $SAWUserGroup you can now access the SAW. As we are using the Azure Virtual Desktop Service:
- Microsoft manages the infrastructure and brokering components, enterprise customers manage their own desktop host virtual machines (VMs), data, and clients.
  - See: Azure Virtual Desktop for the enterprise – Azure Architecture Center | Microsoft Learn
So.. to connect we can use any/all of:

Extras

Set up Azure Virtual Desktop Client

Download and install the Client App (or deploy to users via Add Microsoft Store apps to Microsoft Intune | Microsoft Learn)
- MS Store link: Azure Virtual Desktop Preview – Microsoft Apps
Run it, on first run, assuming you installed unconfigured from the MS store you will be asked to subscribe (do this with your SAW access user)
- …. Thats it… you will see Session Host to connected to if all worked!
Noting that Entra SSO was not working for me so… Part 4 – Configuring Entra SSO

Validate Session Host can talk to required Azure endpoints

You can validate that your session host VMs can connect to these URLs by following the steps to run the Required UR L Check tool.

Tags AzureVirtualSAW

ITOps

Azure Virtual Secure Administration Workstation – Part 2 – Firewalls and VNets

Post author By mark
Post date November 4, 2023
2 Comments on Azure Virtual Secure Administration Workstation – Part 2 – Firewalls and VNets

Azure Secure Admin Workstation posts:

Part 1 – VDI Environment
- Resource Group, Host pool, Workspace, Application Group, created an Entra Group with the ‘Desktop Virtualization User’ role and tie them all together.
Part 2 – Firewalls and VNets
- Vnets, Subnets, IPs AzureFirewalls, Routes, FW rules etc.
Part 3 – Session hosts and access
- Adding our SAW VM to the HostPool, connecting and authenticating
Public GitHub project:
- zoak-solutions/AzureVirtualSAW (github.com)

Context and References

Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic.
- Azure Firewall rule processing logic | Microsoft Learn
Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can’t be used for other purposes. For more information, see Infrastructure FQDNs.
- Deploy and configure Azure Firewall using Azure PowerShell | Microsoft Learn
Your session hosts and users need to be able to connect to the Azure Virtual Desktop service. These connections also use TCP on port 443 to a specific list of URLs. For more information, see Required URL list. You must make sure these URLs aren’t blocked by network filtering or a firewall in order for your deployment to work properly and be supported. If your users need to access Microsoft 365, make sure your session hosts can connect to Microsoft 365 endpoints.
- Prerequisites for Azure Virtual Desktop | Microsoft Learn

Deployment procedure

Stage 2 – Create Azure Network Components

This section provides context for the PowerShell commands are below… strongly suggest reviewing description of steps first.

Procedure

Primary source for this bit: Deploy and configure Azure Firewall using Azure PowerShell | Microsoft Learn

Noting Azure states that for ‘production’ deployments, a hub and spoke model is recommended, where the firewall is in its own VNet.
- For our use case, I don’t believe the hub and spoke model will provide any benefit regarding security or otherwise.

Create a Vnet and add FWsubnet + SAWsubnet
- NOTE: The AzureFWSubnet must be a /26
Create a Public IP Address for the Azure FW and deploy the firewall
Create a route table and associate routes to SAW subnet ensuring SAW traffic is routed via the Azure Firewall
Create rules for outbound internet connectivity, some MS doc still has commands for deploying Application and Network firewall rules directly on the Azure Firewall despite the Azure Well-Architected Framework review – Azure Firewall | Microsoft Learn stating that Azure Firewall Manager and Policies should be used
- … so the PowerShell script below has been updated to create an Azure Firewall Policy instead of assigning rules directly to the firewall

PowerShell

Assumes using an appropriately authenticated user with sufficient privileges
Working with prep for automation:
- zoak-solutions/AzureVirtualSAW (github.com)
  - Source file below: AzureVirtualSAW/scripts/CreateSAWNets.ps1 · GitHub

RAW_https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/CreateSAWNets.ps1

Tags AzureVirtualSAW

ITOps

Azure Virtual Secure Administration Workstation – Part 1 – VDI Environment

Post author By mark
Post date November 3, 2023
3 Comments on Azure Virtual Secure Administration Workstation – Part 1 – VDI Environment

Azure Secure Admin Workstation posts:

Part 1 – VDI Environment
- Resource Group, Host pool, Workspace, Application Group, created an Entra Group with the ‘Desktop Virtualization User’ role and tie them all together.
Part 2 – Firewalls and VNets
- Vnets, Subnets, IPs AzureFirewalls, Routes, FW rules etc.
Part 3 – Session hosts and access
- Adding our SAW VM to the HostPool, connecting and authenticating
Part 4 – Configuring Entra SSO
- Solving authentication and session establishment issues
- Getting Entra SSO working!
Public GitHub project:
- zoak-solutions/AzureVirtualSAW (github.com)

Context

We have numerous clients and our own systems that require:

Access only from appropriately hardened and monitored hosts
Inbound and outbound network security including the ability to ‘AllowList’ and ‘BlockList’ based on IPs/URLs/Hostnames/other ‘NGFW‘ methods… although this can be achieved with host-based only controls… does not seems like a very layered defence.
Idempotent deployment solution (deployment code can be run regularly and if no changes to code, no changes to deployment)
- PowerShell is not ideal for doing idempotency proper… but it can, will see how I go for time.

At this stage I am not sure how much additional protection / value adding Azure Firewall to the environment will add… will add it for now and find out! Microsoft’s doc doesn’t make the benefits very clear for me:

A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. These virtual machines run in your virtual network and are subject to the virtual network security controls. They need outbound Internet access to the Azure Virtual Desktop service to operate properly and might also need outbound Internet access for end users. Azure Firewall can help you lock down your environment and filter outbound traffic. (Use Azure Firewall to protect Azure Virtual Desktop | Microsoft Learn)
The diagram below shows a suggested architecture, going to try avoid getting stuck without a required component later and stay somewhat close to this. Though it should be noted that a potentially valid architecture is just a SAWVnet as inbound connectivity is managed by Azure (via the AVD Instructure: Users connecting to Azure Virtual Desktop securely establish a reverse connection to the service, which means you don’t need to open any inbound ports. (Azure Virtual Desktop | Microsoft Learn)

Reference Material

Key Terms

Resource groups: Logical containers that you use to group related resources in a subscription. Each resource can exist in only one resource group. Resource groups allow for more granular grouping within a subscription. They’re commonly used to represent a collection of assets that are required to support a workload, application, or specific function within a subscription.
Host pools: A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts when you run the Azure Virtual Desktop agent. All session host virtual machines in a host pool should be sourced from the same image for a consistent user experience. You control the resources published to users through application groups. A host pool can be one of two types:
- Personal, where each session host is assigned to an individual user. Personal host pools provide dedicated desktops to end-users that optimize environments for performance and data separation.
- Pooled, where user sessions can be load balanced to any session host in the host pool. There can be multiple different users on a single session host at the same time. Pooled host pools provide a shared remote experience to end-users, which ensures lower costs and greater efficiency.
Application groups: An application group is a logical grouping of applications installed on session hosts in the host pool. An application group can be one of two types:
- RemoteApp, where users access the applications you individually select and publish to the application group. Available with pooled host pools only.
- Desktop, where users access the full desktop. Available with pooled or personal host pools.
- NOTE: We don’t support assigning both the RemoteApp and desktop application groups in a single host pool to the same user.
Workspaces: logical grouping of application groups in Azure Virtual Desktop. Each Azure Virtual Desktop application group must be associated with a workspace for users to see the desktops and applications published to them.
Desktop Virtualization User: Built-in Azure RBAC roles Azure Virtual Desktop | Microsoft Learn

Out of scope

Planned but not in this post
- VMTemplate with pre-applied hardening controls
  - Deploying a privileged access solution | Microsoft Learn
  - GitHub – Azure/securedworkstation: Intune managed Secured workstation
Monitoring and Logging

Deployment procedure

Stage 1 – Create Azure Virtual Desktop Environment

This section provides context for the PowerShell commands are below… strongly suggest reviewing description of steps first.

Azure Virtual Desktop Environment

Prerequisites for Azure Virtual Desktop | Microsoft Learn
- NOTE: Azure Virtual Desktop is available only in some specific Regions/Locations
Launch the Azure Cloud Shell in the Azure portal with the PowerShell terminal type
- Ensure your Azure context is set to the subscription you want to use
Create a Resource Group
- Parameters:
  - Name, Location
Create a Host Pool
- Use the New-AzWvdHostPool cmdlet with the following examples to create a host pool. More parameters are available; for more information, see the New-AzWvdHostPool PowerShell reference.
- Parameters:
  - Location: must be one of LocationN ames Class (Microsoft.Azure.Documents) and match your Resource Group
  - HostPoolType: can be one of two types:
    - Personal, where each session host is assigned to an individual user. Personal host pools provide dedicated desktops to end-users that optimize environments for performance and data separation.
    - Pooled, where user sessions can be load balanced to any session host in the host pool. There can be multiple different users on a single session host at the same time. Pooled host pools provide a shared remote experience to end-users, which ensures lower costs and greater efficiency.
    - See also: Azure Virtual Desktop terminology – Azure | Microsoft Learn
Create a workspace
- Parameters:
  - Name, Location, ResourceGroupName
Create an Application Group
- Name, ResourceGroupName, Location
- HostPoolArmPath: Azure Resource Manager Path
- ApplicationGroupType: As above, RemoteApp / Desktop
Add Application Group to Workspace
Create Entra User Group if it doesn’t exist
Assign Entra Group to an Application Group

Next Steps:

PowerShell Script

Assumes using an appropriately authenticated user with sufficient privileges
Working with prep for automation:
- zoak-solutions/AzureVirtualSAW (github.com)
  - Source file below: AzureVirtualSAW/scripts/CreateAzureVDIEnv.ps1 (github.com)

RAW_https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/CreateAzureVDIEnv.ps1

Sundry

Upload and Run PowerShell script in CloudShell

Configure CloudShell
Open CloudShell – https://portal.azure.com/#cloudshell
Upload your script using the upload button
- File is now persistent in your CloudShell home dir

Rules for Azure FW protecting Azure Virtual Desktop

Some of these could be stricter
See exact requirements:
- Required URLs for Azure Virtual Desktop | Microsoft Learn
- RDS-Templates/AzureFirewallPolicyForAVD at master · Azure/RDS-Templates (github.com)
Below is config file which the script above references
- For rules see: $SAWFWAppRules, $SAWFWNetRules

RAW_https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/config/EXAMPLE_SAWDeployerConfigItems.ps1

Tags AzureVirtualSAW

Random

Excel report with all ECR vulnerabilities

Post author By mark
Post date October 8, 2023
No Comments on Excel report with all ECR vulnerabilities

Testing and gaining familiarity with PowerShell!

ITOps Random

Unable to delete Azure Firewall?

Post author By mark
Post date June 29, 2023
No Comments on Unable to delete Azure Firewall?

TLDR: Fix it

If you have removed/deleted a Firewall policy or attachment to the Azure Firewall – re-attach it, or create the policy/attachment with the same name (you will see the name in the CLI output as detailed below).
Once you have re-attached, re-created (just empty policy with same name) you can then delete the Firewall (recommended using Azure Cloud PowerShell) with command:
- Obviously updating -Name and -ResourceGroup parameters.

Remove-AzFirewall -Name "ZOAK-SecureGateway-Firewall" -ResourceGroupName "ZOAK-SecureAccessGateway-ResourceGroup" -Force

Remove-AzFirewall: Long running operation failed with status ‘Failed’

The Azure UI does not give must detail regarding error messaged

$ Remove-AzFirewall -Name "ZOAK-SecureGateway-Firewall" -ResourceGroupName "ZOAK-SecureAccessGateway-ResourceGroup"

...
Remove-AzFirewall: Long running operation failed with status 'Failed'. Additional Info:'The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix'
StatusCode: 200
ReasonPhrase: OK
Status: Failed
ErrorCode: ResourceNotFound
ErrorMessage: The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix

Was creating a test environment implementing Use Azure Firewall to protect Azure Virtual Desktop | Microsoft Learn.
Went to apply RDS-Templates/AzureFirewallPolicyForAVD at master · Azure/RDS-Templates · GitHub to enable the Virtual Desktop hosts to talk to MS endpoints… which failed because the Azure firewall SKU I chose when initiatlly deploying was of type: ‘basic’
I tried changing the SKU but didn’t read: Azure Firewall easy upgrade/downgrade | Microsoft Learn…. which states:
- This new upgrade/downgrade capability doesn’t currently support the Azure Firewall Basic SKU (why have the ‘Change SKU’ button then??)
So… when to delete the firewall… which seemed to hang (was only looking via the UI).
- Went to use CLI from my workstation… and ran into SSL error when trying to authenticate with MFA (which I couldn’t work around quickly….) so used the Azure Cloud PowerShell which I would recommend for anyone getting frustrated (or blocked by workstation restrictions) with local PowerShell – you can upload scripts and inputs simply and there are no issue with auth, modules, versions, dependencies, etc.

Once attempting to delete via CLI I actually got a meaningful error message:

Additional Info:'The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found.

That resource had already been deleted… so, re-recreate (just and empty policy) with same name… attached it, then I could delete.

Tags Azure Firewall unable to delete

ITOps

Output/Export query to file with Oracle on RDS

Post author By mark
Post date May 17, 2022
No Comments on Output/Export query to file with Oracle on RDS

There are several different ways to do this, I find the easiest is to create a view then use SQL Developer’s Database Export wizard.

Requirements:

SQL Developer

Step 1: Create a view

https://docs.oracle.com/en/database/oracle/oracle-database/19/sqlrf/CREATE-VIEW.html

Step 2: Use SQL Developer’s Database Export wizard to export the view to your desired file format

In SQLDeveloper, Tools → Database Export

Select the correct DB connection
Uncheck ‘Export DDL’
Under ‘Export Data’ change Format to CSV or XLSX (or whatever file type is desired)
1. Adjust file names and output dir as desired, click Next
Uncheck all except ‘Views’, Next
Ensure that you select the correct schema selected, if the schema is not the default schema for your user, click ‘more’ – select the correct schema and change type from ‘All Objects’ to ‘View’
Click ‘Lookup’ and you will see the view you created in Step 1
Select the View and hit the blue arrow to move the view into the lower box, then click next, review and Finish.. your export will now run with a status box for the task.