Blog

Documentar con EPAC

Voy al grano: EPAC tiene una opción muy útil llamada "Document All Assignments" que genera Markdown y CSV con todas las asignaciones de policy. Pero hay dos detalles importantes que conviene saber:

1) Antes no se podían excluir tipos enteros de scope (por ejemplo: todas las subscriptions o resourceGroups) desde la configuración.

2) He subido una PR para solucionarlo: https://github.com/Azure/enterprise-azure-policy-as-code/pull/1056

Aquí lo que cambia, rápido y claro.

Problema

Si usas documentAllAssignments y quieres evitar documentar todo lo que hay a nivel de suscripción o de resource groups, la versión anterior obligaba a listar cada id con skipPolicyAssignments o a procesar el CSV resultante. En entornos grandes eso resulta muy tedioso y genera mucho ruido en los informes.

Qué hace la PR #1056

• Añade excludeScopeTypes en la configuración de documentAllAssignments. Con esto se puede indicar que no se documenten assignments que estén en subscriptions o en resourceGroups.
• Añade StrictMode (switch) en los scripts. Por defecto está activado. Si lo desactivas (-StrictMode:$false) el script no aborta cuando falta alguna definición; registra avisos y continúa. Útil en pipelines de prueba.
• Mejora el parsing y el manejo de skipPolicyAssignments/skipPolicyDefinitions (funcionan mejor con arrays u objetos) y corrige bugs menores (p. ej. convertir markdownMaxParameterLength a entero).

PR: https://github.com/Azure/enterprise-azure-policy-as-code/pull/1056

Antes / Después (ejemplo práctico)

Antes tenías que usar algo así:

{
  "documentAssignments": {
    "documentAllAssignments": [
      {
        "pacEnvironment": "EPAC-Prod",
        "skipPolicyAssignments": [],
        "skipPolicyDefinitions": ["/providers/.../policySetDefinitions/..."]
      }
    ]
  }
}

Después basta con añadir excludeScopeTypes:

{
  "documentAssignments": {
    "documentAllAssignments": [
      {
        "pacEnvironment": "EPAC-Prod",
        "excludeScopeTypes": ["subscriptions", "resourceGroups"],
        "skipPolicyAssignments": [],
        "skipPolicyDefinitions": ["/providers/.../policySetDefinitions/..."]
      }
    ]
  }
}

Y si quieres pruebas rápidas sin que el pipeline falle por referencias rotas:

./Build-PolicyDocumentation.ps1 -StrictMode:$false

Recomendaciones prácticas

• Usa excludeScopeTypes para reducir ruido cuando necesites una vista global.
• No confundas excludeScopeTypes con exemptions: esto solo evita que se documente; no evita que la policy se aplique. Para eso usa exemptions.
• Mantén StrictMode activado en producción (ayuda a detectar referencias rotas).
• Usa skipPolicyAssignments para exclusiones puntuales que conozcas por id.

Cierre

La mejora es pequeña pero práctica: menos limpieza manual, informes más útiles. Si quieres puedo:

• Añadir un ejemplo real con IDs/outputs.
• Hacer build local del sitio y comprobar cómo queda el Markdown final.

PR de referencia: https://github.com/Azure/enterprise-azure-policy-as-code/pull/1056

Analizando VNet Flow Logs en Azure

En este post explico qué son los VNet flow logs (logs de flujo de red de Azure), cómo habilitarlos y cómo analizarlos con un pequeño script PowerShell que desarrollé para facilitar la detección de anomalías y la generación de reportes.

Documentación oficial (Microsoft):

https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview

Resumen rápido

• Los VNet flow logs capturan información sobre el tráfico IP que atraviesa subredes y recursos dentro de una Virtual Network. Almacenan datos similares a los NSG flow logs pero a nivel de VNet.
• Se pueden enviar a una cuenta de almacenamiento, a Log Analytics o a Event Hub. El formato JSON resultante contiene un array records con campos que describen cada flujo y sus métricas (bytes, paquetes, acción, puertos, etc.).

Por qué analizarlos

• Identificar hosts con alto volumen de tráfico.
• Detectar intentos de escaneo de puertos o reintentos persistentes.
• Encontrar conexiones denegadas o patrones sospechosos.

Herramienta: script PowerShell

He incluido un script llamado Analyze-VNETFlowLogs.ps1 que procesa archivos JSON con VNet flow logs y genera un análisis en consola. Además puede exportar dos ficheros CSV con el detalle y el resumen del análisis.

(Opcional) Descarga de Flow Logs previa

Si tus logs están aún en la cuenta de almacenamiento, puedes usar el script de apoyo Download-FlowLogs.ps1 para:

• Descargar todos los blobs del contenedor (por defecto insights-logs-flowlogflowevent).
• Manejar rutas largas en Windows (hash si usas -AutoShorten).
• Reorganizar los archivos en una jerarquía YYYY-MM-DD/HH/FlowLog_<timestamp>_*.json.
• Facilitar un patrón único de entrada para el analizador.

Parámetros clave: - -StorageAccount (obligatorio): Nombre de la storage account. - -ContainerName: Contenedor (default: insights-logs-flowlogflowevent). - -DownloadPath: Carpeta destino local (default: ./FlowLogs). - -AutoShorten: Acorta automáticamente rutas demasiado largas mediante hashing. - -Force: Omite confirmaciones interactivas.

Variables de entorno soportadas: - AZ_STORAGE_KEY: Si está definida se usa esa clave directamente. - AZ_RESOURCE_GROUP: Permite intentar descubrir la key si no se pasó manualmente.

Si no hay clave disponible o el intento de descubrimiento falla, se intentará usar automáticamente --auth-mode login para la autenticación.

Ejemplo de uso completo (descarga + análisis):

# 1. Descargar y organizar
pwsh -File ./Download-FlowLogs.ps1 -StorageAccount mystorageacct -DownloadPath ./FlowLogs -AutoShorten -Force

# 2. Analizar todos los logs resultantes
pwsh -File ./Analyze-VNETFlowLogs.ps1 -LogFiles "./FlowLogs/**/*.json" -ExportCSV -OutputPath ./reports -ShowGraphs

Si ya tienes los JSON en local (por AzCopy u otro método), puedes saltarte el paso 1.

Dónde está el script y ejemplos

• Script: Analyze-VNETFlowLogs.ps1
• README con instrucciones: README.md
• Ejemplo de flow log (reducido) para pruebas: sample-flowlog.json
• Ejecuciones de ejemplo (reports) generadas: reports/

Cómo usar el script

1. Preparar archivos JSON descargados desde la cuenta de almacenamiento o exportados desde Log Analytics.
2. Abrir PowerShell (Windows) o pwsh (Linux/macOS) y ejecutar (ejemplo):

pwsh -File "./Analyze-VNETFlowLogs.ps1" -LogFiles "./samples/*.json" -ExportCSV -OutputPath "./reports" -ShowGraphs

Explicación rápida de parámetros

• -LogFiles: rutas a los JSON (acepta wildcards).
• -ExportCSV: exporta VNetFlowAnalysis_Details_<timestamp>.csv y VNetFlowAnalysis_Summary_<timestamp>.csv.
• -OutputPath: directorio para los CSV.
• -SpecificIPs: array de IPs para análisis centrado en hosts concretos.
• -ShowGraphs: muestra gráficas de barras simples en la consola.

Ejemplo práctico (archivo de ejemplo incluido)

• He añadido samples/sample-flowlog.json con varios flujos que cubren casos típicos (permitidos, denegados, varios BEGIN para simular reintentos/posible escaneo).
• Ejecutando el comando anterior sobre ese ejemplo se generan dos CSV de salida en reports/ y se muestra un resumen en consola.

Notas y recomendaciones

• El script agrupa los flows en memoria para facilitar el análisis; para datasets muy grandes conviene procesar por lotes o filtrar por rango de tiempo antes de ejecutar.
• Revisa la documentación oficial (enlace arriba) si tu flujo JSON tiene un formato distinto o campos adicionales; la función Parse-FlowTuple del script espera un orden concreto de campos, que puedes adaptar si es necesario.

Contribuciones y siguientes pasos

• Si quieres, puedo añadir un conjunto de tests que ejecuten el script sobre el ejemplo y verifiquen los CSV generados automáticamente.
• También puedo crear un pequeño tutorial paso a paso para habilitar VNet flow logs en Azure y obtener los JSON desde una cuenta de almacenamiento.

Archivos incluidos

• Analyze-VNETFlowLogs.ps1 — script principal.
• Download-FlowLogs.ps1 — utilidad para descargar y normalizar logs desde la cuenta de almacenamiento.
• README.md — instrucciones y referencia a la doc oficial.
• samples/sample-flowlog.json — ejemplo para pruebas.

Espero que esto te ayude a analizar flujos en tus VNets.

Scripts de Reporte para Credenciales Federadas de Azure: Visibilidad Total de tus Identidades Administradas

¡Hola a todos! En el mundo de la seguridad en la nube, mantener un control exhaustivo sobre las credenciales federadas es fundamental para una gestión de identidades robusta. Hoy quiero compartir con vosotros una solución que he desarrollado para resolver uno de los retos más comunes: generar reportes completos de las credenciales federadas de identidades administradas en Azure.

Si habéis trabajado con GitHub Actions, Azure DevOps, o cualquier sistema CI/CD que se integre con Azure usando identidades administradas, sabréis lo importante que es tener visibilidad sobre qué credenciales están configuradas, dónde y cómo.

El Problema: Falta de Visibilidad

Cuando gestionáis múltiples suscripciones de Azure con decenas o cientos de identidades administradas, es muy difícil responder a preguntas básicas como:

• ¿Qué credenciales federadas tengo configuradas en todas mis suscripciones?
• ¿Qué repositorios de GitHub tienen acceso a mis recursos de Azure?
• ¿Hay credenciales obsoletas que debería eliminar?
• ¿Cómo puedo auditar todas mis configuraciones de identidad federada?

El portal de Azure nos permite ver esto recurso por recurso, pero no hay una vista consolidada que nos permita tener el "big picture" de toda nuestra configuración de seguridad.

La Solución: Scripts de Reporte Automatizados

He desarrollado una solución completa que incluye scripts tanto en Python como en PowerShell para generar reportes detallados de todas las credenciales federadas de identidades administradas en vuestro entorno Azure.

Características Principales

✅ Soporte Multi-Suscripción: Procesa todas las suscripciones disponibles o las que especifiquéis
✅ Filtrado por Tenant: Permite filtrar suscripciones por tenant específico
✅ Múltiples Formatos: Exporta a JSON, CSV y Excel
✅ Logging Robusto: Logs detallados separados de los datos de salida
✅ Validación de Datos: Evita procesar identidades con datos inválidos
✅ Autenticación Flexible: Soporta Managed Identity, Azure CLI, MFA, etc.
✅ Archivo de Tuplas: Genera un archivo adicional con solo las tuplas de credenciales

¿Qué Información Captura?

Los scripts capturan información completa tanto de las identidades administradas como de sus credenciales federadas:

Información de la Identidad: - Nombre y ID de la identidad - Grupo de recursos y ubicación - Principal ID y Client ID - Tenant ID

Información de las Credenciales Federadas: - Nombre e ID de la credencial - Issuer (emisor) - Subject (sujeto) - Audiences (audiencias) - Descripción y tipo

Metadatos del Reporte: - ID y nombre de la suscripción - Tenant ID - Timestamp del reporte

¿Cómo Empezar?

Requisitos Previos

Para Python:

pip install azure-identity azure-mgmt-msi azure-mgmt-resource pandas openpyxl

Para PowerShell:

Install-Module -Name Az.Accounts, Az.ManagedServiceIdentity, Az.Resources, ImportExcel

Ejemplos de Uso

Script de Python:

# Reporte de todas las suscripciones
python federated-identity-credentials-report.py --all-subscriptions --format excel

# Reporte filtrado por tenant
python federated-identity-credentials-report.py --tenant-id "your-tenant-id" --all-subscriptions --format json

# Reporte de una suscripción específica
python federated-identity-credentials-report.py --subscription-id "12345678-1234-1234-1234-123456789012" --format csv

Script de PowerShell:

# Reporte de todas las suscripciones
.\federated-identity-credentials-report.ps1 -AllSubscriptions -Format Excel

# Reporte filtrado por tenant
.\federated-identity-credentials-report.ps1 -TenantId "your-tenant-id" -AllSubscriptions -Format JSON

# Reporte de un grupo de recursos específico
.\federated-identity-credentials-report.ps1 -SubscriptionId "12345678-1234-1234-1234-123456789012" -ResourceGroupName "my-rg" -Format CSV

Características Avanzadas

Archivo de Tuplas de Credenciales

Además del reporte principal, los scripts generan automáticamente un archivo adicional con solo las tuplas de credenciales (credential_issuer, credential_subject, credential_audiences, credential_type). Esto es especialmente útil para:

• Análisis de patrones de configuración
• Auditorías de seguridad
• Integración con otras herramientas de análisis

Logging Separado

Una característica importante es que los logs nunca se mezclan con los datos de salida. Los logs van a stderr y a un archivo de log separado, mientras que los datos puros van a stdout o al archivo especificado. Esto es crucial para la automatización y integración con pipelines de CI/CD.

Validación de Datos

Los scripts incluyen validación robusta para evitar procesar identidades con nombres vacíos o nulos, lo que puede ocurrir en ciertos escenarios de configuración incompleta.

Casos de Uso Reales

1. Auditoría de Seguridad

# Generar reporte completo en Excel para auditoría
python federated-identity-credentials-report.py --all-subscriptions --format excel --output security-audit-$(date +%Y%m%d).xlsx

2. Cleanup de Credenciales Obsoletas

# Exportar a CSV para análisis con herramientas de datos
python federated-identity-credentials-report.py --all-subscriptions --format csv | grep "old-repo-name"

3. Monitoreo Continuo

# Integrar en pipeline de CI/CD para monitoreo continuo
python federated-identity-credentials-report.py --tenant-id "$TENANT_ID" --all-subscriptions --format json > daily-report.json

Estructura de Archivos Generados

Archivo Principal (federated_identity_credentials_report_YYYYMMDD_HHMMSS.json/csv/xlsx):

[
  {
    "identity_name": "github-actions-identity",
    "identity_id": "/subscriptions/.../userAssignedIdentities/github-actions-identity",
    "identity_resource_group": "security-rg",
    "identity_location": "eastus",
    "credential_name": "GitHub-Main-Branch",
    "credential_issuer": "https://token.actions.githubusercontent.com",
    "credential_subject": "repo:myorg/myrepo:ref:refs/heads/main",
    "credential_audiences": "api://AzureADTokenExchange",
    "subscription_name": "Production",
    "tenant_id": "12345678-1234-1234-1234-123456789012",
    "report_timestamp": "2025-07-01T10:30:00"
  }
]

Archivo de Tuplas (credential_tuples_YYYYMMDD_HHMMSS.json/csv/xlsx):

[
  {
    "credential_issuer": "https://token.actions.githubusercontent.com",
    "credential_subject": "repo:myorg/myrepo:ref:refs/heads/main",
    "credential_audiences": "api://AzureADTokenExchange",
    "credential_type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
  }
]

Mejores Prácticas de Uso

1. Automatización

Integrad estos scripts en vuestros pipelines de CI/CD para generar reportes automáticos:

# GitHub Actions ejemplo
- name: Generate Federated Credentials Report
  run: |
    python federated-identity-credentials-report.py --all-subscriptions --format json --output report-${{ github.run_number }}.json

- name: Upload Report as Artifact
  uses: actions/upload-artifact@v3
  with:
    name: federated-credentials-report
    path: report-*.json

2. Monitoreo Regular

Ejecutad los scripts de forma regular (diaria o semanal) para detectar cambios no autorizados:

# Cron job ejemplo
0 6 * * 1 /usr/bin/python3 /path/to/federated-identity-credentials-report.py --all-subscriptions --format excel --output /reports/weekly-$(date +\%Y\%m\%d).xlsx

3. Análisis de Drift

Comparad reportes de diferentes fechas para detectar cambios de configuración:

# Comparar reportes para detectar cambios
diff <(jq -S . report-20250701.json) <(jq -S . report-20250708.json)

Consideraciones de Seguridad

⚠️ Permisos Mínimos: Los scripts requieren permisos de lectura sobre las identidades administradas y sus credenciales federadas
⚠️ Datos Sensibles: Los reportes contienen información de configuración sensible - almacenadlos de forma segura
⚠️ Logs: Revisad los logs regularmente para detectar errores de autenticación o acceso

Conclusión

Tener visibilidad completa sobre las credenciales federadas de vuestras identidades administradas es fundamental para mantener una postura de seguridad sólida en Azure. Estos scripts os permitirán:

• Reducir el riesgo de seguridad mediante auditorías regulares
• Cumplir con requisitos de compliance generando reportes detallados
• Optimizar la gestión identificando credenciales obsoletas o mal configuradas
• Automatizar el monitoreo integrando los scripts en vuestros procesos existentes

Los scripts están disponibles en mi repositorio y son completamente gratuitos y de código abierto. Si os resultan útiles, no dudéis en contribuir con mejoras o reportar issues.

¡Espero que esta herramienta os ayude a mantener vuestros entornos Azure más seguros y mejor documentados!

Enlaces útiles: - 📖 Documentación completa y scripts

Os presento inventariographdrawio: De vuestro Azure a un Diagrama, Automáticamente

¡Hola a todos! Como muchos profesionales que trabajáis día a día con la nube, seguro que os habéis enfrentado al mismo reto que yo una y otra vez: mantener una documentación visual de la infraestructura que sea fiel a la realidad. Dibujar diagramas a mano es tedioso y, peor aún, quedan obsoletos casi al instante.

Cansado de esta tarea manual y de la eterna duda de si un diagrama reflejaba o no el estado real de los recursos, decidí que tenía que haber una forma mejor de hacerlo.

Por eso, hoy quiero presentaros con mucha ilusión un proyecto personal en el que he estado trabajando: inventariographdrawio.

¿Qué es inventariographdrawio?

Es una herramienta de línea de comandos que he creado para solucionar este problema de raíz. Se conecta a una suscripción de Microsoft Azure, analiza los recursos que tienes desplegados y genera automáticamente un diagrama limpio y organizado en formato Draw.io (diagrams.net).

En pocas palabras, es mi solución para pasar de la infraestructura real en Azure a un diagrama editable, sin esfuerzo y en segundos.

¿Por qué lo creé? (Mis Objetivos Principales)

Cuando empecé a desarrollar esta herramienta, tenía varios objetivos en mente:

1. Ahorrar tiempo: Mi primer objetivo era eliminar las horas que todos perdemos en tareas de documentación repetitivas. Quería que el análisis y el dibujo lo hiciera una máquina, para poder dedicar mi tiempo a lo que de verdad importa: diseñar y mejorar la arquitectura.
2. Tener una fuente de la verdad: Necesitaba un diagrama en el que pudiera confiar. Con inventariographdrawio, el resultado es un reflejo exacto de lo que hay desplegado, perfecto para auditorías, revisiones o para explicarle la arquitectura a un nuevo compañero.
3. Mejorar la visibilidad: A veces, en el portal de Azure es difícil ver el "big picture". Representar los recursos de forma gráfica me ayuda a entender las dependencias y la estructura general de un solo vistazo.
4. Enfocarme en Azure: Decidí centrarme exclusivamente en Azure para poder ofrecer un buen nivel de detalle y precisión en los recursos y servicios específicos de la plataforma, que es donde trabajo principalmente.

¿Cómo podéis empezar a usarlo?

He intentado que sea lo más sencillo posible. Solo tenéis que seguir estos pasos:

1. Clonar el repositorio:

   git clone https://github.com/rfernandezdo/inventariographdrawio.git
   cd inventariographdrawio
   

2. Instalar las dependencias: La herramienta tiene unas pocas dependencias que podéis instalar fácilmente (revisad el fichero README.md para las instrucciones exactas).

3. Configurar el acceso a Azure: Aseguraos de tener vuestra sesión de Azure activa (por ejemplo, con az login desde Azure CLI) para que la herramienta pueda autenticarse y leer los recursos.

4. Ejecutar y ¡listo! Lanzad el script y veréis cómo aparece un nuevo fichero .drawio en la carpeta del proyecto, listo para abrir y editar.

Aquí un ejemplo navegable de un diagrama de Azure con iconos, creado con draw.io y exportado como un enlace para visualizarlo directamente en el navegador, es navegable:

Microsoft Entra Domain Services con Replica Set en una vpn Vnet2Vnet

El futuro

Este es solo el comienzo del proyecto. Mi idea es seguir ampliándolo para que sea compatible con más servicios de Azure y añadir nuevas funcionalidades que lo hagan aún más útil.

Al ser un proyecto de código abierto, cualquier ayuda es bienvenida. Si os animáis, podéis abrir issues con sugerencias o incluso enviar vuestros propios pull requests.

Espero de corazón que esta herramienta os resulte útil y os ahorre tanto tiempo como a mí.

¡Gracias por leer!

Streamline Your Workflow: Activate All Your PIM Roles with a Single Script Using the JAz.PIM Module

For professionals working with Azure, Privileged Identity Management (PIM) is a cornerstone of robust security hygiene. PIM enables just-in-time access to privileged roles, but manually activating multiple roles each morning can quickly become a repetitive and time-consuming task.

Fortunately, the PowerShell community provides powerful tools to automate such processes. This article introduces a script leveraging the JAz.PIM module, an excellent solution developed by Justin Grote, to simplify and accelerate role activation.

While the script is straightforward, its effectiveness is remarkable.

# Check if the JAz.PIM module is installed; if not, install it
if (-not (Get-module -ListAvailable -Name JAz.PIM)) {
    Install-Module -Name JAz.PIM -Force -Scope CurrentUser
}

# Import the JAz.PIM module if it is not already loaded in the session
if (-not (Get-module -Name JAz.PIM)) {
    Import-module JAz.PIM
}

# Verify Azure login status; if not logged in, initiate login
if (-not (Get-AzContext)) {
    Connect-AzAccount
}

# Set the default activation duration for roles to 8 hours
$PSDefaultParameterValues['Enable-JAz*Role:Hours'] = 8

# Retrieve and activate all eligible roles (Azure Resource and/or Azure AD roles)
Get-JAzRole | Enable-JAzRole -Justification "Administrative task"

This script ensures the JAz.PIM module is installed, connects to Azure if necessary, and activates all your eligible roles in a single command.

Key components: * Get-JAzRole: This cmdlet from the JAz.PIM module retrieves all roles for which you are eligible. * Enable-JAzRole: This command processes each role in the list, submitting an activation request with the specified justification.

Notably, JAz.PIM can manage both Azure Resource roles (Owner, Contributor, etc.) and Azure AD roles (Global Administrator, etc.).

Conclusion

Automation is essential for optimizing daily administrative tasks. This script, powered by the community-driven JAz.PIM module, exemplifies how a manual, repetitive process can be transformed into a quick and efficient command. Adopting such tools not only saves time but also helps maintain PIM security best practices with minimal friction.

If you found this article helpful, consider sharing it with your colleagues and continue exploring the capabilities of PowerShell and Azure. Your time is valuable—make every second count.

For more information about the JAz.PIM module, visit its GitHub repository.

How to set consistent naming in cloud with Azure Naming Tool and Terraform

Consistent naming across cloud resources is crucial for maintainability, clarity, and compliance. The Azure Naming Tool is a powerful tool that helps you define and enforce naming conventions for Azure resources. In this post, we will explore how to use the Azure Naming Tool in conjunction with Terraform to ensure consistent naming across your cloud infrastructure.

What is the Azure Naming Tool?

The Azure Naming Tool is an open-source project that provides a framework for defining and enforcing naming conventions for Azure resources. It allows you to create a set of rules that can be applied to various resource types, ensuring that all resources follow a consistent naming pattern. This is particularly useful in large organizations where multiple teams may be creating resources independently.

Really, the Azure Naming Tool is not only for Azure, it can be used for any cloud provider, as it is a generic tool that can be adapted to different environments if you define the rules correctly. You have the option Resource Type Editing documentation that allows you to define the rules for each resource type or create your own custom resource types, for AWS, GCP, or any other cloud provider.

Why Use Consistent Naming?

Consistent naming is essential for several reasons:

• Clarity: Clear and consistent names make it easier to understand the purpose of each resource.
• Maintainability: When resources are named consistently, it simplifies management and reduces the risk of errors.
• Compliance: Many organizations have compliance requirements that mandate specific naming conventions for resources.
• Automation: Consistent naming allows for easier automation and scripting, as you can predict resource names based on their types and roles.

What is the problem?

The problem with naming is the interfaces that we use to create resources, Azure Naming Tool portal is a great tool to define the rules, but it is not integrated with Terraform, so we need another way to apply the rules defined in the Azure Naming Tool to our Terraform code.

Solution

To solve the problem of integrating the Azure Naming Tool with Terraform, I created a Terraform module that allows you to use the naming rules defined in the Azure Naming Tool directly in your Terraform code. This module post a request to the Azure Naming Tool API to get the name of the resource based on the rules defined in the Azure Naming Tool.

This example shows how to use the module to create a resource group with a name generated by the Azure Naming Tool based on the rules defined in the Azure Naming Tool portal. The module uses the data.external and data.http resources to call the Azure Naming Tool API and get the name of the resource.

terraform apply -auto-approve
module.azurenamingtool.data.external.aad_token: Reading...
module.azurenamingtool.data.external.aad_token: Read complete after 0s [id=-]
module.azurenamingtool.data.http.name_generation_post: Reading...
module.azurenamingtool.data.http.name_generation_post: Read complete after 1s [id=https://azurenamingtool.azurewebsites.net/api/ResourceNamingRequests/RequestName]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "westeurope"
      + name     = "rg-spa-dev-auc-025"
      + tags     = {
          + "environment" = "example"
          + "project"     = "azurenamingtool"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + generated_name = "rg-spa-dev-auc-025"
azurerm_resource_group.example: Creating...
azurerm_resource_group.example: Still creating... [00m10s elapsed]
azurerm_resource_group.example: Creation complete after 16s [id=/subscriptions/000000-0000-0000-0000-000000000000/resourceGroups/rg-spa-dev-auc-025]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

generated_name = "rg-spa-dev-auc-025"

You can check the module in the Terraform Registry.

Conclusion

Using the Azure Naming Tool in conjunction with Terraform allows you to enforce consistent naming conventions across your cloud resources. By integrating the Azure Naming Tool API into your Terraform workflows, you can automate the naming process and ensure that all resources follow the defined rules. This not only improves clarity and maintainability but also helps meet compliance requirements.

Enjoy the benefits of consistent naming in your cloud infrastructure with the Azure Naming Tool and Terraform!

Azure Virtual Network Manager: Illustrative relationship between components

graph TD
    subgraph "Azure Scope"
        MG["Management Group / Subscription"]
    end
    subgraph "Azure Virtual Network Manager (AVNM)"
        AVNM_Instance["AVNM Instance"] -- Manages --> MG
        AVNM_Instance -- Contains --> NG1["Network Group A (e.g., Production)"]
        AVNM_Instance -- Contains --> NG2["Network Group B (e.g., Test)"]
    end
    subgraph "Virtual Networks (VNets)"
        VNet1["VNet 1"]
        VNet2["VNet 2"]
        VNet3["VNet 3"]
        VNet4["VNet 4"]
    end
    subgraph "Membership"
        Static["Static Membership"] -- Manually Adds --> NG1
        Static -- Manually Adds --> NG2
        VNet1 -- Member Of --> Static
        VNet4 -- Member Of --> Static
        Dynamic["Dynamic Membership (Azure Policy)"] -- Automatically Adds --> NG1
        Dynamic -- Automatically Adds --> NG2
        Policy["Azure Policy Definition (e.g., 'tag=prod')"] -- Defines --> Dynamic
        VNet2 -- Meets Policy --> Dynamic
        VNet3 -- Meets Policy --> Dynamic
    end
    subgraph "Configurations"
        ConnConfig["Connectivity Config (Mesh / Hub-Spoke)"] -- Targets --> NG1
        SecConfig["Security Admin Config (Rules)"] -- Targets --> NG1
        SecConfig2["Security Admin Config (Rules)"] -- Targets --> NG2
    end
    subgraph "Deployment & Enforcement"
        Deploy["Deployment"] -- Applies --> ConnConfig
        Deploy -- Applies --> SecConfig
        Deploy -- Applies --> SecConfig2
        NG1 -- Receives --> ConnConfig
        NG1 -- Receives --> SecConfig
        NG2 -- Receives --> SecConfig2
        VNet1 -- Enforced --> NG1
        VNet2 -- Enforced --> NG1
        VNet3 -- Enforced --> NG1
        VNet4 -- Enforced --> NG2
    end
    %% Removed 'fill' for better dark mode compatibility, kept colored strokes
    classDef avnm stroke:#f9f,stroke-width:2px;
    classDef ng stroke:#ccf,stroke-width:1px;
    classDef vnet stroke:#cfc,stroke-width:1px;
    classDef config stroke:#ffc,stroke-width:1px;
    classDef policy stroke:#fcc,stroke-width:1px;
    class AVNM_Instance avnm;
    class NG1,NG2 ng;
    class VNet1,VNet2,VNet3,VNet4 vnet;
    class ConnConfig,SecConfig,SecConfig2 config;
    class Policy,Dynamic,Static policy;

Diagram Explanation

1. Azure Scope: Azure Virtual Network Manager (AVNM) operates within a defined scope, which can be a Management Group or a Subscription. This determines which VNets AVNM can "see" and manage.
2. AVNM Instance: This is the main Azure Virtual Network Manager resource. Network groups and configurations are created and managed from here.
3. Network Groups:
   • These are logical containers for your Virtual Networks (VNets).
   • They allow you to group VNets with common characteristics (environment, region, etc.).
   • A VNet can belong to multiple network groups.
4. Membership: How VNets are added to Network Groups:
   • Static Membership: You add VNets manually, selecting them one by one.
   • Dynamic Membership: Uses Azure Policy to automatically add VNets that meet certain criteria (like tags, names, locations). VNets matching the policy are dynamically added (and removed) from the group.
5. Virtual Networks (VNets): These are the Azure virtual networks that are being managed.
6. Configurations: AVNM allows you to apply two main types of configurations to Network Groups:
   • Connectivity Config: Defines how VNets connect within a group (or between groups). You can create topologies like Mesh (all connected to each other) or Hub-and-Spoke (a central VNet connected to several "spoke" VNets).
   • Security Admin Config: Allows you to define high-level security rules that apply to the VNets in a group. These rules can override Network Security Group (NSG) rules, enabling centralized and mandatory security policies.

7. Deployment & Enforcement:

   • The created configurations (connectivity and security) must be Deployed.
   • During deployment, AVNM translates these configurations and applies them to the VNets that are members of the target network groups in the selected regions.
   • Once deployed, the VNets within the groups receive and apply (Enforced) these configurations, establishing the defined connections and security rules.

   And maybe this post will be published in the official documentation of Azure Virtual Network Manager, who knows? 😉

Test the proxy configuration in an AKS cluster

Variables

export RESOURCE_GROUP=<your-resource-group>
export AKS_CLUSTER_NAME=<your-aks-cluster-name>
export MC_RESOURCE_GROUP_NAME=<your-mc-resource-group-name>
export VMSS_NAME=<your-vmss-name>
export HTTP_PROXYCONFIGURED="http://<your-http-proxy>:8080/"
export HTTPS_PROXYCONFIGURED="https://<your-https-proxy>:8080/"

Get the VMSS instance IDs

# To get the instance IDs of all the instances in the VMSS, use the following command:
az vmss list-instances --resource-group $MC_RESOURCE_GROUP_NAME --name $VMSS_NAME --output table --query "[].instanceId"

# For one instance, you can use the following command to get the instance ID:
VMSS_INSTANCE_IDS=$(az vmss list-instances --resource-group $MC_RESOURCE_GROUP_NAME --name $VMSS_NAME --output table --query "[].instanceId" | tail -1)

Use an instance ID to test connectivity from the HTTP proxy server to HTTPS

az vmss run-command invoke --resource-group $MC_RESOURCE_GROUP_NAME \
    --name $VMSS_NAME \
    --command-id RunShellScript \
    --instance-id $VMSS_INSTANCE_IDS \
    --output json \
    --scripts "curl --proxy $HTTP_PROXYCONFIGURED --head https://mcr.microsoft.com"

Use an instance ID to test connectivity from the HTTPS proxy server to HTTPS

az vmss run-command invoke --resource-group $MC_RESOURCE_GROUP_NAME \
    --name $VMSS_NAME \
    --command-id RunShellScript \
    --instance-id $VMSS_INSTANCE_IDS \
    --output json \
    --scripts "curl --proxy $HTTPS_PROXYCONFIGURED --head https://mcr.microsoft.com"

Use an instance ID to test DNS functionality

az vmss run-command invoke --resource-group $MC_RESOURCE_GROUP_NAME \
    --name $VMSS_NAME \
    --command-id RunShellScript \
    --instance-id $VMSS_INSTANCE_IDS \
    --output json \
    --scripts "dig mcr.microsoft.com 443"

Test wagent logs

az vmss run-command invoke --resource-group $MC_RESOURCE_GROUP_NAME \
    --name $VMSS_NAME \
    --command-id RunShellScript \
    --instance-id $VMSS_INSTANCE_IDS \
    --output json \
    --scripts "cat /var/log/waagent.log"

Test wagent status

az vmss run-command invoke --resource-group $MC_RESOURCE_GROUP_NAME \
    --name $VMSS_NAME \
    --command-id RunShellScript \
    --instance-id $VMSS_INSTANCE_IDS \
    --output json \
    --scripts "systemctl status waagent"

Update the proxy configuration

az aks update -n $AKS_CLUSTER_NAME -g $RESOURCE_GROUP --http-proxy-config aks-proxy-config.json
az aks update --resource-group $RESOURCE_GROUP --name $AKS_CLUSTER_NAME --http-proxy-config aks-proxy-config.json

Azure Virtual Network Manager: A Comprehensive Guide

Azure Virtual Network Manager is a powerful management service that allows you to group, configure, deploy, and manage virtual networks across subscriptions on a global scale. It provides the ability to define network groups for logical segmentation of your virtual networks. You can then establish connectivity and security configurations and apply them across all selected virtual networks in network groups simultaneously.

How Does Azure Virtual Network Manager Work?

The functionality of Azure Virtual Network Manager revolves around a well-defined process:

1. Scope Definition: During the creation process, you determine the scope of what your Azure Virtual Network Manager will manage. The Network Manager only has delegated access to apply configurations within this defined scope boundary. Although you can directly define a scope on a list of subscriptions, it's recommended to use management groups for scope definition as they provide hierarchical organization to your subscriptions.

2. Deployment of Configuration Types: After defining the scope, you deploy configuration types including Connectivity and SecurityAdmin rules for your Virtual Network Manager.

3. Creation of Network Group: Post-deployment, you create a network group which acts as a logical container of networking resources for applying configurations at scale. You can manually select individual virtual networks to be added to your network group (static membership) or use Azure Policy to define conditions for dynamic group membership.

4. Connectivity and Security Configurations: Next, you create connectivity and/or security configurations to be applied to those network groups based on your topology and security requirements. A connectivity configuration enables you to create a mesh or a hub-and-spoke network topology, while a security configuration lets you define a collection of rules that can be applied globally to one or more network groups.

5. Deployment of Configurations: Once you've created your desired network groups and configurations, you can deploy the configurations to any region of your choosing.

Azure Virtual Network Manager can be deployed and managed through various platforms such as the Azure portal, Azure CLI, Azure PowerShell, or Terraform.

Key Benefits of Azure Virtual Network Manager

• Centralized management of connectivity and security policies globally across regions and subscriptions.
• Direct connectivity between spokes in a hub-and-spoke configuration without the complexity of managing a mesh network.
• Highly scalable and highly available service with redundancy and replication across the globe.
• Ability to create network security rules that override network security group rules.
• Low latency and high bandwidth between resources in different virtual networks using virtual network peering.
• Roll out network changes through a specific region sequence and frequency of your choosing.

Use Cases for Azure Virtual Network Manager

Azure Virtual Network Manager is a versatile tool that can be used in a variety of scenarios:

1. Hub-and-Spoke Network Topology: Azure Virtual Network Manager is ideal for managing hub-and-spoke network topologies where you have a central hub virtual network that connects to multiple spoke virtual networks. You can easily create and manage these configurations at scale using Azure Virtual Network Manager.

2. Global Connectivity and Security Policies: If you have a global presence with virtual networks deployed across multiple regions, Azure Virtual Network Manager allows you to define and apply connectivity and security policies globally, ensuring consistent network configurations across all regions.

3. Network Segmentation and Isolation: Azure Virtual Network Manager enables you to segment and isolate your virtual networks based on your organizational requirements. You can create network groups and apply security configurations to enforce network isolation and access control.

4. Centralized Network Management: For organizations with multiple subscriptions and virtual networks, Azure Virtual Network Manager provides a centralized management solution to manage network configurations, connectivity, and security policies across all subscriptions.

5. Automated Network Configuration Deployment: By leveraging Azure Policy and Azure Virtual Network Manager, you can automate the deployment of network configurations based on predefined conditions, ensuring consistent network configurations and compliance across your Azure environment.

Example connectivity and security configurations forcing a Network Security Rule

In Azure Virtual Network Manager:

In Azure Virtual Network:

Example Connectivity Configuration forcing a Hub-and-Spoke Network Topology

In Azure Virtual Network Manager:

In Azure Virtual Network:

Preview Features

At the time of writing, Azure Virtual Network Manager has some features in preview and may not be available in all regions. Some of the preview features include:

• IP address management: allows you to manage IP addresses by creating and assigning IP address pools to your virtual networks.

• Virtual Network verifier: Enables you to check if your network policies allow or disallow traffic between your Azure network resources.

• Configurations, creation of a routing is in preview, very interesting to manage the traffic between the different networks.

Conclusion

Azure Virtual Network Manager is a powerful service that simplifies the management of virtual networks in Azure. By providing a centralized platform to define and apply connectivity and security configurations at scale, Azure Virtual Network Manager streamlines network management tasks and ensures consistent network configurations across your Azure environment.

For up-to-date information on the regions where Azure Virtual Network Manager is available, refer to Products available by region.

GTD in Outlook with Microsoft To Do

In this post, we will see how to use GTD in Outlook.

Firs of all, let's define what GTD is. GTD stands for Getting Things Done, a productivity method created by David Allen. The GTD method is based on the idea that you should get things out of your head and into a trusted system, so you can focus on what you need to do.

The GTD workflow

The GTD workflow consists of five steps:

1. Capture: Collect everything that has your attention.
2. Clarify: Process what you've captured.
3. Organize: Put everything in its place.
4. Reflect: Review your system regularly.
5. Engage: Choose what to do and do it.

The detailed flowchart of the GTD method is shown below:

graph TD;
    subgraph Capture    
    subgraph for_each_item_not_in_Inbox
    AA[Collect everything that has your attention in the Inbox];
    end    
    A[Inbox]
    AA-->A
    end
    subgraph Clarify        
    subgraph for_each_item_in_Inbox
    BB[  What is this?
            What should I do?
            Is this really worth doing?
            How does it fit in with all the other things I have to do?
            Is there any action that needs to be done about it or because of it?]
    end
    end
    A --> BB
    subgraph Organize
    BB --> B{Is it actionable?}
    B -- no --> C{Is it reference material?}
    C -- yes --> D[Archive]
    C -- no --> E{Is it trash?}
    E -- yes --> FF[Trash it]
    E -- no --> GG[Incubate it]
    GG --> HH[Review it weekly]
    B -- yes --> F{Can it be done in one step?}
    F -- no --> G[Project]
    G --> HHH[Define a next action at least]
    HHH --> H[Project Actions]    
    end
    subgraph Engage
    H --> I
    F -- yes --> I{Does it take more than 2 minutes?}
    I -- no --> J[DO IT]
    I -- yes --> K{Is it my responsibility?}
    K -- no --> L[Delegate]
    L --> M[Waiting For]    
    K -- yes --> N{Does it have a specific date?}
    N -- yes --> O[Add to Calendar]
    N -- no --> P[Next Actions]
    O --> Q[Schedule. Do it at a specific time]
    P --> R[Do it as soon as possible]
    end

graph TD;
subgraph Reflect
    S[**Daily Review**
            - Review your tasks daily
            - Calendar
            - Next  actions
            - Urgent tasks]
    T[**Weekly Review**
            - Review your projects weekly, make sure you're making progress
            - Next actions
            - Waiting for
            - Someday/Maybe
            - Calendar]
    U[**Monthly Review**
            - Focus on your goals
            - Reference archive
            - Someday/Maybe
            - Completed projects]
    V[**Review your purpose annually**
            - Goals and purposes
            - Big projects
            - Historical archive]
    end

It's important to note that the GTD method is not a one-size-fits-all solution. You can adapt it to your needs and preferences. The key is to find a system that works for you and stick to it.

And now, let's see how to use GTD in Outlook and Microsoft To Do.

How to use GTD in Outlook with Microsoft To Do

When it comes to implementing the GTD method in Outlook, the key is to use the right tools and techniques. Microsoft To Do is a great tool for managing your tasks and projects, and it integrates seamlessly with Outlook.

You can use Outlook to implement the GTD method by following these steps:

1. Capture:
   • emails: Use the Inbox to collect everything that has your attention.
   • Other Things: Use Microsoft To Do Taks default list to capture tasks and projects.
2. Clarify: Process what you've captured by asking yourself the following questions:
   • What is this?
   • What should I do?
   • Is this really worth doing?
   • How does it fit in with all the other things I have to do?
   • Is there any action that needs to be done about it or because of it?
3. Organize: Put everything in its place by following these steps:
   • Inbox:
     • Move emails to the appropriate folder or delete them.
     • Categories: Use categories to organize your emails by context and folder to organize your emails by project or client.
     • Use search folders to find emails quickly by category or categories, you can clear categories after processing.
     • Flags emails to add to To Do.
     • Create rules to automate repetitive tasks when clarifying one type of email has allways the same action.
   • Tasks: Organize your tasks and projects in Microsoft To Do.
     • Lists: Create lists for different types of tasks, one by context or use #tags for that in one lists. For example:
       • In the case of lists: Agendas, Anywhere, Calls, Computed, Errands, Home, Office, Waiting For, Someday/Maybe.
       • In the case of tags, one list with: #Agendas, #Anywhere, #Calls, #Computed, #Errands, #Home, #Office, #WaitingFor, #SomedayMaybe.
     • Use tag #nextaction to identify the next task to do.
     • Use tag #urgent to identify urgent tasks.
   • Projects
     • Group Lists: Group lists by category of projects or client.
     • One list per project: Create a list for each project and add tasks to it.
     • Use #nextaction tag to identify the next task in each project.
   • Reference Material:
     • Store reference material in folders, better in OneDrive or SharePoint.
     • Use a folder structure to organize your reference material
     • Use search folders to find it quickly.
     • Use tags to identify the context of the reference material. You can use FileMeta to add tags to files in Windows for non-taggeable files.
4. Reflect: Review your system regularly to make sure it's up to date.
   • Daily Review
   • Weekly Review
   • Monthly Review
   • Annual Review
5. Engage: Choose what to do and do it.
   • Use the My Day Bar to see your tasks and events at a glance or in search bar type #nextaction to see all your next actions.

These are just some ideas to get you started. You can adapt the GTD method to your needs and preferences. The key is to find a system that works for you and stick to it.

My example of GTD in Outlook with Microsoft To Do:

Outlook:

To Do:

I'm using a mix of lists and tags with the same name to organize my tasks and projects. I have lists for different types of tasks, such as Agendas, Anywhere, Calls, Computed, Errands, Home, Office, Waiting For, and Someday/Maybe. I also use tags to identify the next action, urgent tasks and context of the task in projects.

In the case of emails, I use categories to organize them by context and folders to organize them by project or client. I also use search folders to find emails quickly by category or categories and filter by unreads. The reason for this is that I can clear categories after processing and in the mayorie of cases, I only need a quick review of the emails without the need to convert them into tasks.

By following these steps, you can implement the GTD method in Outlook and Microsoft To Do and improve your productivity and focus.

Good luck! 🍀

References

• How to use Microsoft To Do for Getting Things Done (GTD)
• Getting Things Done: The Art of Stress-Free Productivity
• Manage email messages by using rules in Outlook
• FileMeta