azure

az cli

docs

useful cmds

  • show list of resource groups az group list --output table
  • list resources in a resource group az resource list -g <group_name> --output table

create debian machine with no public ip and in prebuilt subnet, with tags 

az vm create -g my-resource-group -n my-debian-vm --vnet-name my-vnet --nsg "" --image Debian --ssh-key-value .ssh/id_rsa.pub --admin-username pyratebeard --tags created-by=pyratebeard --public-ip-address "" --subnet my-subnet

install the azure cli command az by running the following 

curl -L https://aka.ms/InstallAzureCLI | bash

once installed login in to your account with 

az login

to switch to a different account run 

az logout

then run the login command again.

all the following steps can be run from the portal cli as well as your local machine once you have installed az.

changing subscriptions

check your subscriptions 

az account list --output table

show which subscription you're currently using 

az account show

then to change subscriptions run 

az account set --subscription "My Other Subscription"

show vm images

az image list

getting started

here is a quick run through of spinning up a centos virtual machine

  • create resource group az group create --name D-TST-RGRP --location northeurope
  • create Network Security Group az network nsg create --resource-group D-TST-RGRP --name D-TST-LAPP01
  • create a network rule in an existing security group az network nsg rule create --resource-group D-TST-RGRP --nsg-name D-TST-NSGP --name allow-access --description "Allow all traffic from my public range" --access Allow --protocol Tcp --direction Inbound --priority 102 --source-address-prefix "97.108.19.240/28" --source-port-range "*" --destination-address-prefix "*" --destination-port-range "*"
  • create a virtual machine az vm create -g D-TST-RGRP -n D-TST-LAPP01 --image CentOS --generate-ssh-keys

once the VM is successfully created it will output some json. make note of the "publicIpAddress" value, and use this to ssh to the server.

advanced tools

the following are a collection of tools which have been played around with. some of these tools may require escalated privileges which your account may not have. if you are unable to action anything and really desperately need to then speak to one of the azure admins.

you can check your current role with the cli. first you need to make a note of the username for the subscription you're using 

az account show
{
  "environmentName": "AzureCloud",
  "id": "",
  "isDefault": true,
  "name": "My Subscription",
  "state": "Enabled",
  "tenantId": "",
  "user": {
    "name": "dudley@onmicrosoft.com",
    "type": "user"
  }
}
copy the value from "user": "name":, then run the following replacing <value> with the username (usually an email address) 
az role assignment list --assignee <value>
[
  {
    "id": "/subscriptions/providers/Microsoft.Authorization/roleAssignments/",
    "name": "",
    "properties": {
      "principalId": "",
      "principalName": "dudley@onmicrosoft.com",
      "roleDefinitionId": "/subscriptions/providers/Microsoft.Authorization/roleDefinitions/",
      "roleDefinitionName": "Contributor",
      "scope": "/subscriptions/"
    },
    "type": "Microsoft.Authorization/roleAssignments"
  }
]
your current role is under "properties": "roleDefinitionName":

show all resources in your subscription

az group list --output table

deploy a kubernetes cluster

we add the aks option to manage azure kubernetes services. Currently aks is only available in west europe 

az group create --name D-K8S-RGRP --location westeurope
az aks create --name D-K8S-KCLU --resource-group D-K8S-RGRP --generate-ssh-keys
az aks get-credentials --name D-K8S-KCLU --resource-group D-K8S-RGRP
az aks browse --name D-K8S-KCLU --resource-group D-K8S-RGRP
az aks show --resource-group pyratebeard-container-demo-rg --name pyratebeard-container-demo-clu --query "servicePrincipalProfile.clientId" --output tsv

deploy webapp and enable for webhooks

az group create --name webapp-rg -l northeurope
az appservice plan create -g webapp-rg -n webapp-srvplan --is-linux
az webapp create -g webapp-rg -p webapp-srvplan -n webapp -i pyratebeard/container-webhook-demo
az webapp deployment container config -n webapp -g webapp-rg --enable-cd true
az webapp deployment container show-cd-url -n D-TST-APP-SRV -g D-TST-APP-RG

run script tool on VMs (under 'Operation')

create vpn - fortinet_cookbook

  • virtual network
  • virtual network gateway
  • local network gateway
  • public ip
  • connection (under virtual network gateway)
  • vpn not coming up in fortigate
    • running network watcher troubleshooting
    • need to add address space to connection
  • connect through gateway to website (using peering?)

auto_tagging