azure

aries

ward accounts (keepass)

personal accounts

az cli

docs

useful cmds

  • show list of resource groups
    az group list --output table
  • list resources in a resource group
    az resource list -g <group_name> --output table

create an Ubuntu vm called PP-WRD-TEST01 in the group P-WRD-RGRP on the PP-WRD-VNET vnet with no additional network security group, using the username dburrows and a public key for ssh

az vm create -g P-WRD-RGRP -n PP-WRD-TEST01 \
--vnet-name PP-WRD-VNET \
--nsg "" \
--image UbuntuLTS \
--ssh-key-value .ssh/dburrows.pub \
--admin-username dburrows

create a debian machine with no public ip, placed in an existing subnet

az vm create -g P-WRD-WIKI-RGRP -n P-WRD-WIKI-VM01 \
--vnet-name P-WRD-WIKI-VNET \
--subnet P-WRD-WIKI-SUBN \
--nsg "" \
--public-ip-address "" \
--image Debian \
--ssh-key-value .ssh/dburrows.pub \
--admin-username dburrows \
--tags created-by=dburrows

install the azure cli command {{az}} by running the following

curl -L https://aka.ms/InstallAzureCLI | bash

once installed, log in to your account with

az login

to switch to a different account run

az logout

then run the login command again.

all the following steps can be run from the portal cli as well as your local machine once you have installed {{az}}.

changing subscriptions

check your subscriptions

az account list --output table

show which subscription you're currently using

az account show

then to change subscriptions run

az account set --subscription "Ward MS Partner Account"

show vm images

az image list

getting started

here is a quick run through of spinning up a centos virtual machine

  • create resource group
    az group create --name D-TST-RGRP --location northeurope
  • create Network Security Group
    az network nsg create --resource-group D-TST-RGRP --name D-TST-LAPP01
  • create a network rule in an existing security group
    az network nsg rule create --resource-group D-TST-RGRP --nsg-name D-TST-NSGP --name allow-ward --description "Allow all traffic from Ward public range" --access Allow --protocol Tcp --direction Inbound --priority 102 --source-address-prefix "93.94.119.240/28" --source-port-range "*" --destination-address-prefix "*" --destination-port-range "*"
  • create a virtual machine
    az vm create -g D-TST-RGRP -n D-TST-LAPP01 --image CentOS --generate-ssh-keys

once the VM is successfully created it will output some json. make note of the "publicIpAddress" value, and use this to {{ssh}} to the server.
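
the allow-ward rule in the steps above opens every TCP port to the source range. the script below is an added example, not part of the original notes: it reads rule JSON in the shape printed by {{az network nsg rule list}} and reports inbound Allow rules that are open to any source or to all destination ports. the sample data and the allow-ward-ssh rule are constructed for illustration.

```python
import ipaddress
import json

ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}

# Constructed sample shaped like `az network nsg rule list` JSON output: the
# allow-ward rule from the steps above and a hypothetical SSH-only variant.
SAMPLE = """
[
  {"name": "allow-ward", "access": "Allow", "direction": "Inbound",
   "protocol": "Tcp", "priority": 102,
   "sourceAddressPrefix": "93.94.119.240/28", "destinationPortRange": "*"},
  {"name": "allow-ward-ssh", "access": "Allow", "direction": "Inbound",
   "protocol": "Tcp", "priority": 110,
   "sourceAddressPrefix": "93.94.119.240/28", "destinationPortRange": "22"}
]
"""

def source_size(prefix):
    """Addresses covered by a CIDR source; None for '*' or a service tag."""
    try:
        return ipaddress.ip_network(prefix, strict=False).num_addresses
    except ValueError:
        return None

def wide_rules(raw_json):
    """Return inbound Allow rules open to any source or to every port."""
    found = []
    for rule in json.loads(raw_json):
        if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
            continue
        # Rules may use the singular field or the plural list form.
        sources = [rule.get("sourceAddressPrefix")] + (rule.get("sourceAddressPrefixes") or [])
        ports = [rule.get("destinationPortRange")] + (rule.get("destinationPortRanges") or [])
        notes = []
        if ANY_SOURCE & {s for s in sources if s}:
            notes.append("any source")
        if "*" in ports:
            notes.append("all destination ports")
        if notes:
            sizes = [source_size(s) for s in sources if s]
            found.append((rule["name"], rule["priority"], sizes, notes))
    return sorted(found, key=lambda f: f[1])

if __name__ == "__main__":
    for name, priority, sizes, notes in wide_rules(SAMPLE):
        print(f"{priority:5} {name:15} source sizes={sizes} {', '.join(notes)}")
```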

advanced tools

the following is a collection of tools which have been played around with. some of these tools may require elevated privileges which your account may not have. if you are unable to action something and really need to, speak to one of the azure admins.

you can check your current role with the cli. first you need to make a note of the username for the subscription you're using

az account show
{
  "environmentName": "AzureCloud",
  "id": "b1447c5c-db40-4a01-9fc3-d56a740047b5",
  "isDefault": true,
  "name": "Ward MS Partner Account",
  "state": "Enabled",
  "tenantId": "89252e5d-2862-422f-8279-7d0a49e32e6a",
  "user": {
    "name": "dudley@wardazureward.onmicrosoft.com",
    "type": "user"
  }
}

copy the value from {{"user": "name":}}, then run the following, replacing {{<value>}} with the username (usually an email address)

az role assignment list --assignee <value>
[
  {
    "id": "/subscriptions/b1447c5c-db40-4a01-9fc3-d56a740047b5/providers/Microsoft.Authorization/roleAssignments/85f38488-d3f3-423b-afb7-77d8cadddd32",
    "name": "85f38488-d3f3-423b-afb7-77d8cadddd32",
    "properties": {
      "principalId": "5ad99088-9605-4a83-843c-71bc51bf53f6",
      "principalName": "dudley@wardazureward.onmicrosoft.com",
      "roleDefinitionId": "/subscriptions/b1447c5c-db40-4a01-9fc3-d56a740047b5/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "roleDefinitionName": "Contributor",
      "scope": "/subscriptions/b1447c5c-db40-4a01-9fc3-d56a740047b5"
    },
    "type": "Microsoft.Authorization/roleAssignments"
  }
]

your current role is under {{"properties": "roleDefinitionName":}}
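
to read the role and scope out of that output without scanning the JSON by eye, here is an added example (not part of the original notes). it accepts the nested {{"properties"}} shape shown above and, as an assumption about newer cli versions, a flat shape with the same field names at the top level. the sample uses placeholder ids, and the list of roles to flag is a reviewer's choice.

```python
import json

# Roles that can change resources or access; shortlist chosen for this example.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample: one entry in the nested shape shown above and one in the
# flat shape (assumed for newer az versions). IDs are placeholders.
SAMPLE = """
[
  {"properties": {"principalName": "user@example.onmicrosoft.com",
                  "roleDefinitionName": "Contributor",
                  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}},
  {"principalName": "user@example.onmicrosoft.com",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/D-TST-RGRP"}
]
"""

def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lowered = [p.lower() for p in parts]
    if lowered[:1] != ["subscriptions"]:
        return "other"            # root or management-group scope
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and lowered[2] == "resourcegroups":
        return "resource-group"
    return "resource"

def summarize(raw_json):
    """Return (principal, role, scope level, flagged) for each assignment."""
    rows = []
    for item in json.loads(raw_json):
        props = item.get("properties", item)   # nested or flat shape
        role = props.get("roleDefinitionName", "")
        level = scope_level(props.get("scope", ""))
        # A broad role at subscription scope or wider deserves a second look.
        flagged = role in BROAD_ROLES and level in ("subscription", "other")
        rows.append((props.get("principalName", ""), role, level, flagged))
    return rows

if __name__ == "__main__":
    for principal, role, level, flagged in summarize(SAMPLE):
        print(f"{principal:32} {role:12} {level:15} {'REVIEW' if flagged else ''}")
```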

show all resources in your subscription

az resource list --output table

deploy a kubernetes cluster

we use the {{aks}} subcommand of {{az}} to manage azure kubernetes services. currently aks is only available in west europe

az group create --name D-K8S-RGRP --location westeurope
az aks create --name D-K8S-KCLU --resource-group D-K8S-RGRP --generate-ssh-keys
az aks get-credentials --name D-K8S-KCLU --resource-group D-K8S-RGRP
az aks browse --name D-K8S-KCLU --resource-group D-K8S-RGRP
az aks show --resource-group dudley-container-demo-rg --name dudley-container-demo-clu --query "servicePrincipalProfile.clientId" --output tsv

deploy webapp and enable for webhooks

az group create --name webapp-rg -l northeurope
az appservice plan create -g webapp-rg -n webapp-srvplan --is-linux
az webapp create -g webapp-rg -p webapp-srvplan -n webapp -i pyratebeard/container-webhook-demo
az webapp deployment container config -n webapp -g webapp-rg --enable-cd true
az webapp deployment container show-cd-url -n D-TST-APP-SRV -g D-TST-APP-RG

run script tool on VMs (under 'Operation')

create vpn - ref1

  • virtual network
  • virtual network gateway
  • local network gateway
  • public ip
  • connection (under virtual network gateway)
  • vpn not coming up in fortigate
    • running network watcher troubleshooting
    • need to add address space to connection
  • connect through gateway to website (using peering?)

auto tagging

ref