Thursday, April 21, 2016

Azure Marketplace and BizSpark

If you are a startup you should be enjoying the BizSpark program from Microsoft! For BizSpark members Microsoft includes five MSDN Subscriptions with free Azure resources that can be used for development, test and production (that last part is exclusive for BizSpark members).

One feature of Azure that might not be known to many is the Azure Marketplace, and this should be particularly interesting if you are a startup!

In Azure Marketplace you can find Virtual Machine solutions that are ready to deploy to your own Azure Subscription. You can either use free services, trials, bring your own license or pay as you go.

In a previous blog post I have written a detailed step-by-step guide on how to deploy a Barracuda Web Application Firewall through Azure Marketplace.

Here are some other solutions that fit a startup perfectly. Just click on the link and you will be taken directly to the right place in Azure Marketplace:
https://portal.azure.com/#create/CanonicalandMSOpenTech.DockerOnUbuntuServer1404LTS

https://portal.azure.com/#create/Canonical.UbuntuServer1510

https://portal.azure.com/#create/bitnami.wordpress4-2

https://portal.azure.com/#create/bitnami.magento2-0

https://portal.azure.com/#create/bitnami.tom-cat7-0
 
https://portal.azure.com/#create/bitnami.squash20151209

Deploying Barracuda Web Application Firewall from Azure Marketplace

The Microsoft Azure Marketplace has been around for quite some time now and has a large selection of third-party solutions. If you think of your Azure environment as a smartphone, Azure Marketplace is the app store. And what do you do on your phone when you need an app for a specific purpose? Do you write it yourself? No, you go into the app store and download the app. The exact same thing can be done with Azure Marketplace, but in this case it's not an app; it can be anything from a firewall to protect your web application to big data analytics solutions.


In the Azure Marketplace there are seven different categories of applications or services: Virtual Machines, Developer Services, API Apps, Azure Active Directory applications, Web Applications, Data Services and Microsoft Dynamics Solutions.

In this blog post I will focus on Virtual Machines.

To list all of the available Virtual Machines you can go here. You can filter on operating system (Linux and Windows), you can filter on the source of the Virtual Machine (Community, Partner and Microsoft) and you can filter on the ones that you can use for free if you have MSDN.

Let's go through an example with some easy steps to deploy a Virtual Machine to your Azure Subscription.

Barracuda Web Application Firewall

The Barracuda Web Application Firewall blocks application layer DDoS and other attack vectors, directed at online applications hosted in Microsoft Azure. Simultaneously, it provides superior protection against data loss. It also has strong authentication and access control capabilities for restricting access to sensitive applications and data.


The Barracuda Web Application Firewall sits between your application tier and the built-in load balancer in Azure.

Step by step deployment

  1. Sign in to your Azure Account http://portal.azure.com
  2. Click on the plus sign in the upper left corner to create a new resource, type Barracuda Web Application Firewall and hit Enter. You will now be presented with two options: one called Barracuda Web Application Firewall (Hourly) and one called Barracuda Web Application Firewall (BYOL). The Hourly version will charge you for the Barracuda license in the same way that Azure charges you for the Virtual Machine. That is, if the machine is running you are paying for it, and when you stop it, the charges stop. The BYOL version means that you use your own existing license. BYOL stands for Bring Your Own License.
  3. Choose the license that fits your need and move forward to create the Virtual Machine.
  4. Go through the Basics, Size and Settings dialogs and ensure that the validation passes on the Summary page. Now you are all set for the final Buy step.
  5. When you click on Buy you will be presented with a summary of what you will be charged. Here you should note that the total price consists of two different parts: one for the third-party solution that you have chosen and one for the actual Virtual Machine that the solution will run on. If you are using an account with monetary commitment or free resources like MSDN, you will not be able to charge the cost of the third-party solution to it and will need to have some other form of payment method registered on your account.

In about five minutes you will now have your Barracuda Web Application Firewall ready for use in your own Azure Subscription!

To access your Barracuda Web Application Firewall you can choose one of these options:
  1. When you created your Virtual Machine, a resource called Public IP Address was also created. You can find this resource in the resource group for your Virtual Machine. Use this IP address to access the administration page of the Web Application Firewall. The administration page uses port 8000 by default.
  2. In the settings page for the Public IP Address you can add a DNS name label. This can be found under Configuration. You will still need to add port 8000 when accessing the administration page.

Tuesday, April 19, 2016

Certify your solution for Azure SQL Database

In March 2016 Microsoft released the possibility to certify solutions based on Azure SQL Database. This is a great opportunity for an ISV to show that its database is built according to high security standards and built for premium workloads.

To certify your database you start by downloading a tool called Certification Test Tool for Azure SQL Database.

Connect to your database

The first step is to connect to your database by entering the connection details for your database in Microsoft Azure. Note that you need to specify the server name with protocol and port and that the User ID is in the format user@servername.
 
 
To be able to connect to your SQL Database in Azure you will also need to add your client IP address to the firewall for the server in Azure. In this example I have added the range from 1.1.1.1 to 255.255.255.255. This is NOT a recommended solution for a production database since it exposes your database to very broad access from outside of Azure. If you don't want to open a port in the firewall you can run the test from a VM inside of Azure instead.
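The following T-SQL is an added example, not part of the original post or the certification tool: it audits the server-level firewall rules for ranges as broad as the one above and swaps the wide rule for a single client address. The rule names, the 256-address review threshold and the address 203.0.113.10 (a documentation range) are assumptions for illustration.

```sql
-- Run in the master database of the Azure SQL logical server.

-- 1) List every server-level rule with the number of addresses it admits.
WITH rules AS (
    SELECT
        name,
        start_ip_address,
        end_ip_address,
        -- PARSENAME splits the dotted quad; part 4 is the leftmost octet.
        CAST(PARSENAME(start_ip_address, 4) AS bigint) * 16777216
      + CAST(PARSENAME(start_ip_address, 3) AS bigint) * 65536
      + CAST(PARSENAME(start_ip_address, 2) AS bigint) * 256
      + CAST(PARSENAME(start_ip_address, 1) AS bigint) AS start_num,
        CAST(PARSENAME(end_ip_address, 4) AS bigint) * 16777216
      + CAST(PARSENAME(end_ip_address, 3) AS bigint) * 65536
      + CAST(PARSENAME(end_ip_address, 2) AS bigint) * 256
      + CAST(PARSENAME(end_ip_address, 1) AS bigint) AS end_num
    FROM sys.firewall_rules
)
SELECT
    name,
    start_ip_address,
    end_ip_address,
    end_num - start_num + 1 AS address_count,
    CASE
        -- 0.0.0.0 to 0.0.0.0 is the special "allow Azure services" rule.
        WHEN start_num = 0 AND end_num = 0 THEN 'Allows all Azure services'
        -- Threshold of 256 addresses is an assumption; tune to your policy.
        WHEN end_num - start_num + 1 > 256 THEN 'REVIEW: broad range'
        ELSE 'ok'
    END AS verdict
FROM rules
ORDER BY address_count DESC;

-- 2) Remove the wide-open rule (hypothetical name) once testing is done ...
EXECUTE sp_delete_firewall_rule @name = N'CertToolWideOpen';

-- 3) ... and allow only the workstation that runs the test tool.
EXECUTE sp_set_firewall_rule
    @name             = N'CertToolClient',   -- hypothetical rule name
    @start_ip_address = '203.0.113.10',      -- placeholder client address
    @end_ip_address   = '203.0.113.10';
```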


After connecting, it's time to do the actual testing. The test consists of two parts: a static analysis and a self-assessment. I will not give any advice on which features to activate or what the implications of this will be, but rather point to documentation on how to activate them and what these features mean.

Static Tests

The static tests are executed against your actual database. This means that if you change something and execute the tests again you will get a different result.

Use Premium / Pools
SQL DB should either have at least 1 Premium database OR use Elastic Pool.

Azure SQL Database Service Tiers
https://azure.microsoft.com/en-us/documentation/articles/sql-database-service-tiers/

Azure Elastic Database Pools
https://azure.microsoft.com/en-us/documentation/articles/sql-database-elastic-pool/

Security
SQL DB should have at least 1 of the following enabled: TDE, DDM, RLS:

Transparent Data Encryption (TDE)
https://msdn.microsoft.com/library/dn948096.aspx

Dynamic Data Masking (DDM)
https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking-get-started/

Row Level Security (RLS)
https://azure.microsoft.com/en-us/documentation/articles/sql-database-elastic-tools-multi-tenant-row-level-security/

Assessment

Security: Is auditing enabled in your database?
https://azure.microsoft.com/en-us/documentation/articles/sql-database-auditing-get-started/

DR Drill: Is your SQL DB using Geo-replication OR have done 1 or more Geo-restores?
https://azure.microsoft.com/en-us/documentation/articles/sql-database-disaster-recovery/

If you start with a database running on an S-tier and with no security features activated, the easiest way to get past the certification is to scale to a P-level, add Dynamic Data Masking, enable auditing and go through the process of doing a geo-restore.
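To see where a database stands on the static tests before running the tool, the catalog views can be queried directly. This is an added example, not the Certification Test Tool's own logic, and the table `dbo.Customer` with its `Email` column is hypothetical.

```sql
-- Run in the user database that will be certified.

-- 1) Tier / pool and the three security features named by the static tests.
SELECT
    DB_NAME()              AS database_name,
    so.edition,            -- 'Premium' satisfies the Premium requirement
    so.service_objective,  -- e.g. S1, P1, or ElasticPool
    so.elastic_pool_name,  -- non-NULL when the database is in a pool
    (SELECT d.is_encrypted
       FROM sys.databases AS d
      WHERE d.name = DB_NAME())            AS tde_enabled,
    (SELECT COUNT(*)
       FROM sys.masked_columns
      WHERE is_masked = 1)                 AS ddm_masked_columns,
    (SELECT COUNT(*)
       FROM sys.security_policies
      WHERE is_enabled = 1)                AS rls_enabled_policies
FROM sys.database_service_objectives AS so
WHERE so.database_id = DB_ID();

-- 2) Which columns are masked, and with which masking function.
SELECT
    OBJECT_SCHEMA_NAME(mc.object_id) AS schema_name,
    OBJECT_NAME(mc.object_id)        AS table_name,
    mc.name                          AS column_name,
    mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- 3) Adding Dynamic Data Masking to one column (hypothetical table/column).
--    Users without the UNMASK permission then see a masked e-mail value;
--    the stored data itself is unchanged.
ALTER TABLE dbo.Customer
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
```

The first query only reports on the database it is run in, while the Premium / Pools test as described above is satisfied by any one qualifying database.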

Other requirements

As for all application certifications with Microsoft, the company owning the product needs to be a member of Microsoft Partner Network and the application that is to be certified needs to be listed in Pinpoint.