adaptive.run TECH BLOG

Cloud can be tricky sometimes. Find out what scenarios we've run into that are worth being mentioned and explained.

How can you perform VM operations in Azure without relying on RDP?

Level: 300
Publishing date: 10-Jan-2023
Author: Catalin Popa

In the past, the conventional way to manage servers was to RDP or SSH into them and make whatever changes were needed. That was considered reasonably safe as long as you were already inside the office or data center network. It is a different matter when the servers sit in another data center or on the other side of the globe: the only way to reach them over RDP is to expose the service to the internet. You can restrict access to your own IP address or range, but even an allow-listed RDP endpoint is discouraged, because RDP is one of the most attacked services on the internet and a source-IP filter does not protect against stolen credentials or a compromised client machine.

According to the 2020 Unit 42 Incident Response and Data Breach Report by Palo Alto Networks, RDP was the initial access vector in 50% of the incidents covered. Azure offers several ways to make RDP itself safer, such as Azure Bastion or just-in-time (JIT) VM access. This article series, however, looks at the Azure services that let you manage VMs without opening RDP at all, and this introductory post is the starting point for that discussion.

The Azure portal exposes several services that let you carry out common operations on your VMs without an interactive session. Here are some of them:

Execute scripts on VMs with Run Command
For instance, if you want to modify a registry key or reset a setting, you can use Run Command to do it. Microsoft provides a collection of pre-configured scripts, but you can also run custom ones. Run Command supports both Windows and Linux VMs, although more premade scripts are available for Windows. Keep in mind that the scripts run as SYSTEM on Windows and as root on Linux, so the Microsoft.Compute/virtualMachines/runCommand/action permission (included in the Virtual Machine Contributor role) is effectively administrative access to the guest OS and should be granted as narrowly as you would grant RDP.

However, there are a few limitations to custom scripts executed via Run Command. For example:

• The output is limited to the last 4,096 bytes;
• Users cannot terminate a running script;
• Only one script can run at a time, and the maximum runtime for a script is 90 minutes;
• Run Command does not support scripts that require user input.

To access Run Command, navigate to your VM in the portal, and scroll down the left-hand menu until you see the Run Command blade.
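As an added example that is not part of the original post, the following Az PowerShell snippet runs a custom registry-change script through Run Command and works around the limits listed above: the script writes a full transcript to a file on the VM because only the last 4,096 bytes come back, and the caller inspects the separate stdout and stderr channels instead of trusting a non-empty result. The resource names, registry path and value are placeholders.

```powershell
# Added example (not from the original post): run a custom script on a Windows VM
# with Run Command and handle its output limits. Requires the Az.Compute module and
# the Microsoft.Compute/virtualMachines/runCommand/action permission on the VM.
$rg     = 'rg-demo'    # assumption: resource group name
$vmName = 'vm-app01'   # assumption: Windows VM name

# Script executed on the VM as SYSTEM. It is parameterised so it can be reused, and
# it keeps a transcript on disk because Run Command returns only the last 4,096 bytes.
$script = @'
param([string]$KeyPath, [string]$ValueName, [string]$ValueData)
$log = "C:\Windows\Temp\runcmd-$(Get-Date -Format yyyyMMddHHmmss).log"
Start-Transcript -Path $log | Out-Null
try {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData -Type String
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    "$ValueName changed from [$before] to [$after]; full log at $log"
} finally {
    Stop-Transcript | Out-Null
}
'@
$scriptPath = Join-Path $env:TEMP 'set-regkey.ps1'
Set-Content -Path $scriptPath -Value $script -Encoding UTF8

# Invoke-AzVMRunCommand blocks until the script ends (90-minute cap) and the run
# cannot be cancelled, so keep scripts short and idempotent.
$result = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
    -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath `
    -Parameter @{ KeyPath = 'HKLM:\SOFTWARE\Contoso\App'; ValueName = 'LogLevel'; ValueData = 'Verbose' }

# Value[0] carries stdout and Value[1] stderr, each truncated to the last 4,096 bytes.
$stdout = $result.Value[0].Message
$stderr = $result.Value[1].Message
if ($result.Status -ne 'Succeeded' -or -not [string]::IsNullOrWhiteSpace($stderr)) {
    Write-Warning "Run Command on $vmName finished with status '$($result.Status)': $stderr"
} else {
    Write-Output $stdout
}
```

Because the command is a control-plane call, it is recorded in the subscription's activity log with the caller's identity, which gives you an audit trail that an RDP session would not.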

Troubleshoot network connections with the help of Network watcher
With Azure's software-defined networking, troubleshooting a connection is not as simple as physically checking a cable. Fortunately, Azure provides Network Watcher, a set of network diagnostic tools, and one of them, "Connection troubleshoot", is surfaced directly on the VM blade to help diagnose connectivity issues.

With Network Watcher, you can specify the direction of your desired network connection test (inbound or outbound) and select the source or destination. This can be your current IP address, a specific IP address, or an Azure service tag. Then, you can choose the port you want to test from a list of commonly used services and ports that are already configured. If you can't find the service or port you need, you can specify a custom port and its corresponding protocol.

When you initiate the connection test by clicking on "check connection", Network Watcher will verify whether the port and protocol specified are permitted for inbound or outbound traffic to the virtual machine (VM).

However, it's worth noting that the Connection Troubleshoot check on the VM blade only evaluates whether the traffic is allowed or blocked by the Network Security Groups attached to the VM's network interface and subnet. Even if it reports that the traffic is allowed, the connection may still fail: the guest OS firewall, a user-defined route, a network virtual appliance in the path, or simply nothing listening on the remote port are all outside its scope. For a more detailed diagnosis, the full Network Watcher connection troubleshoot, which sends probes from the VM itself and reports each hop, is linked from the same page.
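The same two checks can be scripted. The snippet below, an added example that is not part of the original post, first uses Network Watcher's IP flow verify (the NSG-only evaluation described above) to confirm that RDP and SSH from an internet address are denied while outbound HTTPS is allowed, then runs the full connection check, which needs the Network Watcher agent extension on the source VM. Resource names, addresses and the destination host are placeholders.

```powershell
# Added example (not from the original post): verify NSG decisions for a VM with
# IP flow verify, then probe the real path with the connectivity check.
$rg = 'rg-demo'; $vmName = 'vm-app01'          # assumption: placeholder names
$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nw  = Get-AzNetworkWatcher -Location $vm.Location   # Network Watcher is per region
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress

# Flows to verify. 203.0.113.10 is a documentation address standing in for "the internet";
# the first two flows are expected to be denied, the third to be allowed.
$checks = @(
    @{ Direction = 'Inbound';  LocalPort = 3389;  RemoteIPAddress = '203.0.113.10'; RemotePort = 51000; Expect = 'Deny'  }
    @{ Direction = 'Inbound';  LocalPort = 22;    RemoteIPAddress = '203.0.113.10'; RemotePort = 51001; Expect = 'Deny'  }
    @{ Direction = 'Outbound'; LocalPort = 51002; RemoteIPAddress = '203.0.113.20'; RemotePort = 443;   Expect = 'Allow' }
)
foreach ($c in $checks) {
    # IP flow verify answers only "which NSG rule matches and what does it say".
    $r = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
        -Direction $c.Direction -Protocol TCP -LocalIPAddress $privateIp -LocalPort $c.LocalPort `
        -RemoteIPAddress $c.RemoteIPAddress -RemotePort $c.RemotePort
    $verdict = if ($r.Access -eq $c.Expect) { 'OK' } else { 'UNEXPECTED' }
    '{0,-8} local:{1} remote:{2}:{3} -> {4} (rule {5}) {6}' -f $c.Direction, $c.LocalPort,
        $c.RemoteIPAddress, $c.RemotePort, $r.Access, $r.RuleName, $verdict
}

# The connectivity check sends probes from inside the VM, so it also catches the
# guest firewall, routing problems and a closed port on the destination.
$conn = Test-AzNetworkWatcherConnectivity -NetworkWatcher $nw -SourceId $vm.Id `
    -DestinationAddress 'sql.internal.contoso.com' -DestinationPort 1433   # assumption: destination
'{0}: {1} hop(s), {2} of {3} probes failed, avg latency {4} ms' -f $conn.ConnectionStatus,
    $conn.Hops.Count, $conn.ProbesFailed, $conn.ProbesSent, $conn.AvgLatencyInMs
```

Running the IP flow checks on a schedule is a cheap way to catch an NSG change that accidentally re-exposes a management port.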

Update Management with Azure Automation
In addition to managing regular updates, you may also be concerned about security patches for your virtual machines (VMs) and want to have greater control over their installation. Fortunately, there is an easier way to accomplish this than by setting up a System Center Configuration Manager (SCCM) server and configuring Windows Server Update Services (WSUS) on all your servers.

Azure Automation offers a solution called Update Management, which lets you patch both Windows and Linux servers. The feature itself is free, but it requires a linked Log Analytics workspace, and the data it sends there is billed at normal ingestion rates. With Update Management, you get a centralized page where you can enable the feature on selected VMs, check their compliance status, define a deployment schedule, and monitor deployment status. Note that Microsoft has since retired Automation Update Management (31 August 2024) in favor of Azure Update Manager; the workflow described here, scoping machines, choosing update classifications and scheduling a maintenance window, carries over to the newer service.
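As an added example that is not part of the original post, this Az.Automation snippet creates the kind of deployment the page describes: a weekly Sunday window that installs only Critical and Security updates on two Windows VMs and reboots them only if a patch requires it. It assumes an automation account that already has Update Management enabled with its Log Analytics workspace; the subscription ID, resource names and time zone are placeholders.

```powershell
# Added example (not from the original post): schedule a weekly security-patch
# deployment with Azure Automation Update Management. Requires the Az.Automation module.
$rg  = 'rg-demo'       # assumption: resource group of the automation account
$aa  = 'aa-patching'   # assumption: automation account with Update Management enabled
$sub = '00000000-0000-0000-0000-000000000000'   # assumption: placeholder subscription ID
$vmIds = @(
    "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/vm-app01",
    "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/vm-app02"
)

# Next Sunday at 02:00 local time; a schedule must start at least a few minutes ahead.
$start = (Get-Date).Date.AddDays((7 - [int](Get-Date).DayOfWeek) % 7).AddHours(2)
if ($start -le (Get-Date).AddMinutes(10)) { $start = $start.AddDays(7) }

$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa `
    -Name 'sunday-security-patching' -StartTime $start -WeekInterval 1 -DaysOfWeek Sunday `
    -TimeZone 'Europe/Bucharest' -ForUpdateConfiguration

# Two-hour maintenance window; the last 20 minutes of it are reserved for reboots.
# Only Critical and Security classifications are installed, so feature packs and
# tools updates cannot slip in with the security baseline.
$deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg `
    -AutomationAccountName $aa -Schedule $schedule -Windows -AzureVMResourceId $vmIds `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired

# Later, check how a run went (status per machine is in Get-AzAutomationSoftwareUpdateMachineRun).
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $aa `
    -SoftwareUpdateConfigurationName $deployment.Name |
    Select-Object Name, Status, ComputerCount, FailedCount, StartTime, EndTime
```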

Azure compute galleries for deploying application to VMs
When setting up a new virtual machine (VM), you may need to install an application to make it fully functional. With the recent changes made by Microsoft, the Shared Image Gallery is now known as Azure compute gallery. This updated service not only stores and shares images, but also allows you to do the same for application packages.

Using Azure compute gallery, you can take advantage of the following benefits:

• Grouping and versioning of application packages
• Controlling access through Azure Role-Based Access Control (RBAC)
• Installing packages from storage accounts without requiring a direct internet connection
• Automating deployment with a DeployIfNotExists policy

For instance, if you need to update the antivirus software on all your servers, you can create an application package in Azure Compute Gallery and use an Azure Policy to automatically deploy the software to the servers. This eliminates the need to RDP into each server and manually install or update the software.
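The following Az.Compute snippet is an added example, not code from the original post: it publishes an MSI installer as a versioned VM application in a compute gallery and attaches it to one VM. The gallery, storage account, package URL, installer switches and the MSI product code used for removal are all placeholders; the package URL is assumed to be a blob with a short-lived read-only SAS, which is how the platform fetches the file.

```powershell
# Added example (not from the original post): publish an application package in an
# Azure compute gallery and install it on a VM without logging in to the VM.
$rg = 'rg-demo'; $loc = 'westeurope'; $gallery = 'gal_contoso'   # assumption: placeholders
$appName = 'contoso-av-agent'; $version = '1.4.2'

# The package must be readable by the Azure platform; a blob with a read-only SAS
# that expires shortly after publishing is the usual choice (placeholder URL).
$packageSas = 'https://stcontosoapps.blob.core.windows.net/packages/av-agent-1.4.2.msi?sv=...&sig=...'

$app = New-AzGalleryApplication -ResourceGroupName $rg -GalleryName $gallery -Name $appName `
    -Location $loc -SupportedOSType Windows -Description 'Contoso endpoint agent'

# The install/remove commands run on the VM as SYSTEM, in the directory where the
# package was downloaded under the gallery application's name (no extension), so
# the install command renames it before handing it to msiexec. Removal uses the
# product code, which survives after the package file is gone (placeholder GUID).
$appVersion = New-AzGalleryApplicationVersion -ResourceGroupName $rg -GalleryName $gallery `
    -GalleryApplicationName $appName -Name $version -Location $loc -PackageFileLink $packageSas `
    -Install "move .\$appName .\av-agent.msi & msiexec.exe /i av-agent.msi /qn /norestart /l*v C:\Windows\Temp\av-agent-install.log" `
    -Remove  'msiexec.exe /x "{00000000-0000-0000-0000-000000000000}" /qn /norestart'

# Attach the version to one VM. A DeployIfNotExists policy targeting $appVersion.Id
# does the same for every VM in scope.
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-app01'
$vm = Add-AzVmGalleryApplication -VM $vm -Id $appVersion.Id
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

# Confirm from the instance view; gallery applications report through the VMAppExtension.
(Get-AzVM -ResourceGroupName $rg -Name 'vm-app01' -Status).Extensions |
    Where-Object Name -like 'VMApp*' | Select-Object -ExpandProperty Statuses
```

Because the gallery is versioned, rolling back is a matter of attaching the previous version, and RBAC on the gallery controls who can publish a package that will later run as SYSTEM on every targeted server.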

Collect logs with Azure VM Inspector

When troubleshooting an application or service, the first step is often to examine the logs on the server. In Azure, you can use the VM Inspector feature to collect event logs, configurations, settings, and registry keys from your VMs and view the resulting report directly in the portal. However, as of January 2022, VM Inspector is still in preview, so you'll need to enable the feature for your subscription.

Please note that Microsoft recommends against using preview features in production, and that the price of a service may change when it becomes generally available.
There are several prerequisites for using VM Inspector. For example, your VM must use managed disks, and those disks cannot be encrypted. Additionally, since the feature is still in preview, it may not be available in all regions.

Once you have enabled VM Inspector on your subscription and connected it to a storage account (either an existing one or a new one), you can create your first report. The resulting report will be stored as a zip file in the connected storage account.
When combined with the Run Command feature, VM Inspector allows you to troubleshoot and fix most configuration and other simple errors remotely, without having to log in to each server individually.

Manage sensitive data with Azure Key Vault

Azure Key Vault provides a solution for managing certificates and secrets, which can often be a difficult and thankless task. This can involve waking up early on a Sunday morning to update a certificate and facing the consequences on Monday when an undocumented application using that certificate becomes partially unavailable to users. However, by leveraging the capabilities of Azure Key Vault, much of this headache can be avoided.

Using Azure Key Vault, you can generate, import, or purchase (through an integrated CA) a managed certificate and configure it for automatic renewal. The Key Vault VM extension installed on the VMs then polls the vault and places each new version of the certificate in the local certificate store, so renewals reach the servers without anyone logging in. The VM needs a managed identity with permission to read the certificate's secret (on an RBAC-enabled vault, the Key Vault Secrets User role), and that is the permission to audit: whoever holds it can read the private key.
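As an added example that is not part of the original post, the Az PowerShell snippet below creates a certificate with an auto-renewal policy, grants the VM's system-assigned managed identity read access to its secret, and configures the Key Vault VM extension to keep the certificate installed and re-bound on a Windows VM. The vault, VM and subject name are placeholders, and the certificate is self-signed only so the example works without a CA; with an integrated issuer the same policy renews automatically too.

```powershell
# Added example (not from the original post): auto-renewing certificate in Key Vault,
# delivered to a Windows VM by the Key Vault VM extension. Requires Az.KeyVault,
# Az.Compute and Az.Resources, and a VM with a system-assigned managed identity.
$rg = 'rg-demo'; $vault = 'kv-contoso-prod'; $vmName = 'vm-app01'; $certName = 'app-tls'  # placeholders

# Renew 30 days before the 12-month validity ends. IssuerName Self is for the demo;
# use the integrated CA's issuer name in production.
$policy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' `
    -SubjectName 'CN=app.contoso.com' -DnsName 'app.contoso.com' -IssuerName Self `
    -KeyType RSA -KeySize 2048 -ValidityInMonths 12 -RenewAtNumberOfDaysBeforeExpiry 30
Add-AzKeyVaultCertificate -VaultName $vault -Name $certName -CertificatePolicy $policy | Out-Null

# The extension fetches the certificate through the secrets endpoint, so the VM's
# identity needs Key Vault Secrets User (RBAC vault) or get/list secret permissions.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope (Get-AzKeyVault -VaultName $vault).ResourceId | Out-Null

# Observe the version-less secret URL so every renewal is picked up on the next poll.
$settings = @{
    secretsManagementSettings = @{
        pollingIntervalInS       = '3600'
        linkOnRenewal            = $true      # re-bind IIS/SChannel consumers to the new version
        requireInitialSync       = $true      # fail the extension if the first download fails
        certificateStoreLocation = 'LocalMachine'
        certificateStoreName     = 'MY'
        observedCertificates     = @("https://$vault.vault.azure.net/secrets/$certName")
    }
    authenticationSettings = @{
        msiEndpoint = 'http://169.254.169.254/metadata/identity'   # add msiClientId for a user-assigned identity
    }
}
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name 'KeyVaultForWindows' -Publisher 'Microsoft.Azure.KeyVault' `
    -ExtensionType 'KeyVaultForWindows' -TypeHandlerVersion '3.0' -Settings $settings
```

Enable diagnostic logging on the vault as well: every secret read by the VM's identity shows up there, which is how you find the undocumented application still using a certificate before the next renewal breaks it.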

Conclusion

In this blog post we want to emphasize how Azure offers a variety of powerful tools and features that can greatly simplify the management and maintenance of virtual machines in the cloud. These tools can save time and effort for IT professionals and developers. By taking advantage of these features, users can ensure the security, performance, and reliability of their Azure VMs, and focus on more important aspects of their business.

adaptive.run

Transform your business.
Run adaptive.

Contact

Phone: +40 73 523 0005
Email: hello@adaptive.run

© Copyright 2019-2024 adaptive.run - All Rights Reserved