Azure Private Endpoints, DNS Private Resolver, and Conditional Forwarders: Private Access End-to-End

Diagram of Azure DNS with Private Resolver, Private DNS Zone, and Conditional Forwarder

By default, most Azure services — storage accounts, key vaults, SQL databases, you name it — are reachable over the public internet. That’s fine for a quick lab, but not great when you want your on-premises workloads to talk to Azure resources without any of that traffic ever leaving your private network.

Prerequisite: This walkthrough assumes you already have a VPN tunnel between your on-premises network and your Azure VNet. If you haven’t set that up yet, check out my guide on Deploying an Azure Virtual Network Gateway first.

That’s where Private Endpoints come in. A Private Endpoint drops a Network Interface Card (NIC) directly inside your Virtual Network, giving your Azure resource a private IP address that’s only reachable from within your network. No public internet required.

The catch? DNS. Your on-premises DNS servers still resolve that storage account’s hostname to its old public IP. We need to teach them to ask Azure’s private DNS instead. To bridge that gap we’ll use Azure’s DNS Private Resolver — a fully managed, serverless DNS forwarder that lives inside your VNet — and then configure a Conditional Forwarder on your Windows DNS server to point traffic for Azure domains at it.

Here’s what we’re building end-to-end:

  1. Create a Private Endpoint for an Azure Storage Account (file share).
  2. Create a DNS Private Resolver with an inbound endpoint so on-prem DNS can reach it.
  3. Configure a Conditional …

Read more…

Deploying Azure Virtual Network Gateway Basic: A How-To Guide

If you’ve got an Azure subscription through Visual Studio Enterprise, you’ve basically been handed the perfect playground for testing and learning in the cloud. But once you start building resources inside a private Azure network, you quickly hit the next challenge: how do you securely connect it back to your home lab without exposing everything to the internet? In this post, I’m going to go through the process of how I deployed a Basic Azure Virtual Network Gateway and connected it to my Ubiquiti Dream Machine, creating a secure site-to-site VPN tunnel between my Azure VNet and my home network. I wanted to document what that process looked like for me and share it in case it helps someone else doing the same thing.

Read more…

How to Take Over an Unmanaged Directory in Azure

When trying to create an Azure subscription I received the following error:

This tenant is viral. If you are an IT admin, you can take over the directory.

After some reading, I learned that a "viral tenant" is just another name for an unmanaged directory. An unmanaged directory is a directory that was automatically created when a user with an @virtuallyboring.com address created an Azure account. It’s a directory that has no global administrator. Microsoft created an Azure Active Directory (AAD) tenant in the background, and it sits there unmanaged. This is so users can create an account and use resources without the domain not yet being claimed in AAD becoming a blocker.

There are two ways to take over an unmanaged directory:

  • Internal admin takeover:
    • Your account gets elevated to global administrator
    • No users, domains, or service plans are migrated
  • External admin takeover:
    • Add the unmanaged domain name to a tenant where you are a Global Administrator
    • A mapping of users to resources is created in your managed Azure Active Directory
      • Users can continue to access services without interruption

Source: Admin takeover of an unmanaged directory – Azure AD | Microsoft Docs

For my example I will be using an internal admin takeover.

Read more…