Thursday, 31 August 2017

How to : Azure Backup.

If you’re running Azure Virtual Machines in production, you’ll probably want to protect them with Azure Backup. The good news is Azure provides a simple way to protect an entire virtual machine, so you can easily restore it if things go wrong.
Protecting Virtual Machine instances differs from the typical Azure Backup client that is usually installed on client PCs and On-premises servers.
Here’s how to set Azure Backup for an Azure Virtual Machine:
  1. Log into https://manage.windowsazure.com
  2. Open Recovery Services.
  3. Click New.
  4. Choose Backup Vault, then Quick Create; give it a name and place it in the same region as the virtual machine you’ll be protecting.
  5. The backup vault will appear in Recovery Services.
  6. Click on the vault and scroll down to Protect Azure Virtual Machines.
  7. Click Discover Virtual Machines. It will take a few minutes. Once discovery completes, you’ll be notified that virtual machines were found in the same region.
  8. Click Register and choose the Virtual Machine that you want to protect.
  9. Wait for the Virtual Machine status to change to Registered.
  10. Click Protect.
  11. Choose the virtual machine you just registered.
  12. Choose the Default Policy Settings or configure your own, and click Finish.

How to Deploy Neo4j on Microsoft Azure, a Step-by-Step Guide

Learn more about deploying Neo4j on Microsoft Azure in this guide for graph databases in the cloud

In the first post of this series covering Neo4j on Microsoft Azure, we announced the availability of Neo4j in the Azure Marketplace. Today, we’ll go into more detail on how to deploy Neo4j in your Azure environment.

Step 1: Sign-Up for an Azure Account


To deploy Neo4j in the Azure Marketplace, you need to have an Azure account. At the time of this writing, Azure is running a $200 promotion to sign-up for a free account.

The Azure Marketplace account sign-up page

Step 2: Launch the Neo4j Enterprise Edition Template


Once you are logged in to your Microsoft Azure account, you can search for the Neo4j Enterprise Edition template by Neo Technology, Inc. Clicking on “Continue” will take you to your Azure portal.

Neo4j Enterprise Edition in the Microsoft Azure Marketplace


The first page you will see explains the licensing model (paid subscription) and provides useful links to training videos, the Neo4j website and the topology. Here we use a model called: Bring Your Own License (BYOL), which means you need to contact Neo Technology and purchase a license to use Neo4j.

If you do not have an existing agreement with Neo4j, a 30-day trial period will commence. You will need to remove and/or decommission your Neo4j instances after the 30-day period, or you will need to contact us to purchase a Neo4j license or extend your trial period.

As discussed in my earlier blog, the currently offered template will provision a High Availability (HA) cluster with at minimum three Azure virtual machines (VMs).

Later this year, we will introduce support for Causal Clustering, which adds options for ultra-large clusters and a wider range of cluster topologies.

The Neo4j High Availability (HA) template in the Azure Marketplace

Step 3: Configure Basic Settings


On the first page of the template, you create an account for accessing the provisioned compute instances (the VMs that will be running Neo4j) and choose the region where you want the cloud resources deployed.

Microsoft Azure basic settings configuration

Step 4: Configure Neo4j Settings


On the second page, you get an opportunity to customize your Neo4j deployment. Here you can choose which version of Neo4j to deploy.

You need to provide an initial password for the DBMS admin user called neo4j. Additionally, you can upload an SSL certificate to ensure all data in transit (if accessing via the Bolt protocol remotely) is encrypted with your certificates; otherwise a self-generated certificate will be used.

The template allows you to choose the size of the cluster (number of instances) with a three-VM-cluster minimum. However, for scaling reads or higher availability, you can elect to run larger clusters.

Next, you need to select the Azure VM size within which to run Neo4j. If you are new to Azure, note that you may get an error notifying you that you have exceeded the maximum number of cores allowed to be provisioned (for me it was 10). I typically choose a DS2 v2 machine since it has 7GB of RAM, which usually is enough for the datasets I work with. Contact Azure support if you need this limitation removed.

When considering production use, evaluate the size of your dataset and provision a machine that has at least 30% more RAM to ensure all data will be loaded/cached in memory. A VM with 8-16 GBs of RAM can handle graphs with hundreds of millions of primitives, and a VM with 16-64 GBs can handle billions of primitives. We recommend VMs with SSDs for better performance with much larger graphs on less RAM.

Neo4j settings for Microsoft Azure


Finally, you need to define a virtual network. Default is 10.0.0.0/24. You have flexibility in specifying the subnet for clustered VMs (the default uses the entire virtual network range). Here you can also define a public IP endpoint. If you choose “None,” then the Neo4j cluster will be deployed without a load balancer.

After clicking “OK,” the Azure Marketplace will run an automatic validation of all your inputs, and if everything is acceptable, you will have the option to download and save this configuration for future use.

Neo4j automatic validation on Microsoft Azure

Step 5: Agree to the License Agreement and Deploy Neo4j


The last page will review the licensing agreement and requires a valid Neo4j license to continue. Please note that you will need to remove and/or decommission your Neo4j instances after 30 days or contact us to purchase a Neo4j license or to extend your trial period.

Clicking on “Purchase” will start the deployment and provisioning process.

License agreement for Neo4j Enterprise Edition on the Microsoft Azure Marketplace


That’s it! Now Azure will provision all required resources defined in the template: VMs, private and public IP addresses, load balancers, etc.

The Microsoft Azure deployment dashboard


Once the template has been successfully deployed, you can find the public IP address by clicking on the “Public IP” resource. This is the address where you can connect to Neo4j.

Finding a public IP address for Neo4j on Microsoft Azure


To access the Neo4j Browser, navigate to http://{configured public ip address}:7474/. For the Bolt URI use: bolt://{configured public ip address}:7687.

And lastly, SSH is available on port 22000 + instance_id. For a three-instance cluster, the open SSH ports would be 22000, 22001 and 22002.


Want to take your Neo4j skills up a notch? Take our advanced online training class, Neo4j in Production, and learn how to scale the world’s leading graph database to unprecedented levels.

Tip: How to Transfer Files to Azure VMs

After you’ve created some VMs in Azure, the next thing you’ll need to do is put your applications and data on those VMs. However, unless you’ve set up a site-to-site VPN to Azure, your Azure VMs won’t be accessible from your local network. If you’re just getting started with Azure, it’s unlikely that you have a working site-to-site VPN. So how can you transfer files to Azure VMs? One easy way is to use Azure’s Remote Desktop Connections feature to share your local drives with your new Azure VMs.
First, use your browser to connect to the Azure management portal at http://portal.azure.com/. Then display your Azure VMs and select the VM that you want to have access to your local drives. Use the Connect to VM option that you can see in Figure 1.

Figure 1 - Connect to Azure VM

This will prompt you to Open or Save an RDP file that will allow a remote connection to Azure. Save the RDP file to your local system then right-click on it and select the option to Edit the RDP file’s settings. Select the Local Resources tab and then click the More button that you can see in Figure 2.

Figure 2 - Edit the RDP Local Resources

This will display the Local devices and resource dialog that you can see in Figure 3.

Figure 3 - Select the local drives to access in the Azure VM

Expanding the Drives node in the navigation tree will display the local drives that can be made available to the Azure VM. Check the drives you want the Azure VM to access, then click OK and Connect to launch your Azure RDP session. Once the Azure RDP connection has opened, you can use File Explorer to open the local drive and freely drag and drop files between the local drive and the drives configured in the Azure VM.

Deep Dive Into Microsoft Cloud (Azure) Security

Today, we will discuss Microsoft Cloud Security from the perspective of a curious customer’s questions, before moving on to a detailed technical understanding.
  1. Could we consider Cloud a Secure Platform? 
    I really don’t have any idea, and neither could I promise that, but what I understood from my learning is that the ‘Cloud Environment’ has better security as compared to the ‘On Premises Data Center’. Some of the reasons for the security of the ‘Microsoft Data Centers’ are: 

    1. Controlled access/ Reachability to the Azure Data Centers. So far, no Azure Security breach has been reported.
    2. Technology perspective (Adhere to the Azure Security Development Lifecycle (SDL)).
    3. Authentication is managed by Multi-factor authentication (MFA).

      For more details, read on below.
  2. Is Owning Cloud Services Cheap (Save Money)?
    I would say ‘Yes’, because Microsoft provides the best infra and as an individual customer, probably it would not be possible to invest the ‘huge amount’ for Infrastructure Services.
  3. What are the major reasons which trigger you to choose Microsoft Cloud Security?
    I would say ‘Agility’ or ‘BUSINESS VALUE’. Please consider the real time issue of the ‘System Performance’ or ‘Application Performance’ of your ‘Production Server’.

    If you have an ‘On Premises Customer’, you may look over System Hardware, Server Configuration, Network Speed etc. Then, you would zero in on what exact changes the system needs, and then plan for the changes. It may take at least a couple of weeks to months, as per Business Need.

    However, it would take only a couple of hours with the Cloud to ‘Scale Up’ your Servers. It’s a good gain from an organizational perspective. Indeed, it saves a couple of weeks/months and hence we have saved MONEY. Furthermore, it adds value to the business, which is ‘Super Important’. 

    So now, let’s look at how ‘Cloud Security’ works.
As businesses need to be built as securely as we can make them, clients may have some concerns over Data security, specifically Bank / Financial Clients. They may think twice about whether ‘CREDIT CARD’ or commercial data is safe in the Cloud. I feel we, as Consultants, should have this knowledge before making any suggestions or commitments. 

So, as a customer, you could toss different questions.
  • Is our data in the cloud as secure as on premises data/ more or less secure?
  • How easily could someone hack the cloud data?
  • How much percentage of Data would be vulnerable on the Cloud?
  • For hackers, I think cloud could be a ‘Golden Opportunity’ for data theft?
What do you think: does Microsoft really not know about the RISK, or did they plan for this ‘At All’? 
Certainly, one thing I could say is that the capability, resources, and Infrastructure of any Cloud Provider are much higher than those of an ‘On Premise Data warehouse’. And security has been ensured by many statistical analysis tools as well as basic analysis tools. 

Security is ensured by various other means. For example, Cloud Active Directory (AD) keeps a check on login locations. If a customer logs in from North America in the morning, say at 10 AM, he/she could not then log in from Africa at 10:15 AM (for example); access would be restricted until further authentication.
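The location check described above is an "impossible travel" detection: two sign-ins by the same user whose distance and time gap imply a speed no traveller could reach. The following is an added example of that logic, not code from the article or from Azure AD; the sign-in records, coordinates and the 1000 km/h threshold are constructed for illustration.

```python
import math
from datetime import datetime

# Constructed sample sign-in records (not real log data): user, UTC time and the
# geolocation of the source IP. Alice reproduces the article's scenario (North
# America at 10:00, Africa at 10:15); Bob's two sign-ins are plausible travel.
SIGNINS = [
    {"user": "alice", "time": "2017-08-31T10:00:00", "lat": 40.71, "lon": -74.01},  # New York
    {"user": "alice", "time": "2017-08-31T10:15:00", "lat": -26.20, "lon": 28.05},  # Johannesburg
    {"user": "bob",   "time": "2017-08-31T09:00:00", "lat": 51.51, "lon": -0.13},   # London
    {"user": "bob",   "time": "2017-08-31T11:30:00", "lat": 48.86, "lon": 2.35},    # Paris
]

MAX_PLAUSIBLE_KMH = 1000.0  # roughly the speed of a commercial airliner (assumption)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, implied_kmh) for every consecutive pair of sign-ins by the same
    user whose implied travel speed exceeds max_kmh. Such a pair is the signal on
    which access would be held back pending further authentication."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            t0 = datetime.fromisoformat(prev["time"])
            t1 = datetime.fromisoformat(cur["time"])
            hours = (t1 - t0).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0:
                # Simultaneous sign-ins from two different places are also impossible.
                if dist > 0:
                    alerts.append((user, float("inf")))
                continue
            speed = dist / hours
            if speed > max_kmh:
                alerts.append((user, round(speed)))
    return alerts


if __name__ == "__main__":
    for user, kmh in impossible_travel(SIGNINS):
        print("impossible travel for %s: implied speed %.0f km/h" % (user, kmh))
```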
So far, I have shared my way of thinking or my knowledge. Let's see what security mechanism Microsoft Cloud follows.
  • Microsoft Azure is the cloud platform with many integrated tools, templates, and  services. 
  • Azure lets us leverage our existing learning/expertise in databases, data warehouses, storage, web applications, networking, and computing services to build and manage applications aligned with the cloud. 
  • Azure Security Development Lifecycle (SDL) ensures that everything from the initial phase to launch/deployment phase is secured. 
  • Operational Security Assurance (OSA) provides us a platform to ensure secure operations throughout the lifecycle of the cloud based platform.
  • Azure Security Center (for more details refer to Microsoft Azure website) offers continuous monitoring by

    1. Secure Identity
    2. Secure Infrastructure
    3. Secure Applications and Data
Secure Identity 
Azure Active Directory (AAD) ensures access is granted only to ‘Authorized Users’. So, Azure enables us to manage user credentials to protect information. Furthermore, AAD provides authentication, authorization, access control, etc.

Secure Infrastructure 
Precisely, this is the biggest part of Microsoft Cloud Security, and many actors play vital roles in achieving Infrastructure Security. Chief among them are Azure Virtual Networks, which provide a safe way to extend an on-premises network to the cloud via VPN or WAN (Azure ExpressRoute). 

Unauthorized and unintentional exchange of information between deployments in a multi-tenant architecture is prevented by the following measures:
  • Using Virtual local area network (VLAN) isolation.
  • Access control lists (ACLs), Load balancers.
  • Network address translation (NAT) separates internal network traffic from external traffic.
  • Regulated Traffic Flow procedures.
Microsoft Antimalware for Azure protects Azure Cloud Services and Virtual Machines, through web application firewalls, network firewalls, antimalware, intrusion detection and prevention systems (IDS/IPS), and many more. 

Secure apps and data
Azure adheres to industry-best protocols for encrypting data in transit, whether data travels between devices and Microsoft datacenters or within datacenters, as well as when the data is at rest in Azure Storage. Security is ensured by encryption for data, files, applications, services, communications, and drives. 

Other data security features in Azure
We can also encrypt our data before pushing it into Azure and, in addition, manage key security from on-premises data centers.

Conclusion
Hopefully, you have understood the basics of Microsoft Cloud (Azure) Security. This is only the basics; you can get extensive knowledge by reading the Microsoft Azure website (https://azure.microsoft.com/) and get the latest information about Azure/Cloud Security. I would love to keep on sharing the Microsoft Technology stuff with you. Next time, I will discuss ‘Advanced Security with Microsoft Azure’. 

Until next time, Happy Coding and Keep Improving!!

Security Best Practices for Azure App Service Web Apps, Part 1


Microsoft’s Azure App Service is a fully managed Platform as a Service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. In spite of its ease of use, developers still need to keep security in mind because Azure will not take care of every aspect of security. This post is the first in a short series of articles from Intel Security’s Foundstone Professional Services that offers advice for securing Azure App Service Web app development.
Developers can create four application types using the Azure App Service:
Azure App Service Web Apps take care of the infrastructure and its security. The developer needs to focus only on the application code. Azure App Service is different from typical cloud scenarios in which developers set up their own servers in the cloud, install their own web applications, and take full responsibility for performance and security. With Azure App Service Web Apps, Microsoft owns and manages the infrastructure. The developers need only ensure the security of their application code. Both approaches have their merits.
In this post we will focus on various security guidelines for web apps built using the Azure App Service, which supports major languages such as ASP.NET, PHP, Node.js, Java, and Python.

Get a custom domain name with HTTPS
When a web application is created using Azure App Service, it is assigned to a subdomain of azurewebsites.net. For example, if the app name is Demo, the URL is demo.azurewebsites.net. By default, Azure enables HTTPS with a wildcard certificate assigned to the *.azurewebsites.net domain. This creates multiple security issues:
  • A phishing attack can be easily carried out by creating a similar-looking web application and domain name; for example, an attacker could create the malicious web app demo1.azurewebsites.net, which is similar to the legitimate name demo.azurewebsites.net. Because the web application is assigned to a subdomain of azurewebsites.net, the name of the malicious application looks very convincing and is hard to differentiate from the original name unless one looks very closely.
  • If the DNS record for *.azurewebsites.net is entered by mistake or through DNS cache poisoning, then the application will be adversely affected.
  • The wildcard certificate creates more headaches for the developer because they need to ensure the path and domain of cookies are properly constrained.
  • The certificate is controlled by Microsoft. Thus for any certificate-related errors—such as expiration, strong or weak signing algorithms, trusted or untrusted certificate signing authorities, or self-signed certificates—the developer will be dependent on Microsoft. Because the certificate is a wildcard, extended validation of the certificate can’t be enforced, which is preferred for financial applications.
Apart from security issues, most organizations want their customers to see a custom domain name instead of a subdomain of azurewebsites.net. Thus it is necessary to create a custom domain name and get a certificate for that domain. Do not use self-signed certificates; rather, buy one from a trusted certificate authority. Consider the following when buying a certificate for a web app:
  • The name of the certificate should match the domain name. The certificate can be a single-domain or multidomain certificate but not a wildcard certificate.
  • The certificate should be signed using a strong signing algorithm such as SHA-256.
  • The certificate should be valid and not expired.
  • For financial and other sensitive applications, it is best to have an extended validation for the certificate.
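The naming and validity requirements above can be checked before a certificate is bound to the web app. The following is an added example, not code from the article or from Azure, that applies those checks to certificate details in the shape returned by Python's ssl.SSLSocket.getpeercert(); the two certificate dictionaries are constructed, and the signing algorithm and extended-validation status are not exposed in that shape, so they are not checked here.

```python
import ssl
import time

# Constructed certificate descriptions in the shape returned by
# ssl.SSLSocket.getpeercert() (made-up values, not real certificates).
DEFAULT_WILDCARD_CERT = {
    "subject": ((("commonName", "*.azurewebsites.net"),),),
    "subjectAltName": (("DNS", "*.azurewebsites.net"),),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Dec 31 23:59:59 2018 GMT",
}
CUSTOM_DOMAIN_CERT = {
    "subject": ((("commonName", "demo.example.com"),),),
    "subjectAltName": (("DNS", "demo.example.com"), ("DNS", "www.demo.example.com")),
    "notBefore": "Aug  1 00:00:00 2017 GMT",
    "notAfter": "Aug  1 23:59:59 2018 GMT",
}


def cert_names(cert):
    """DNS names the certificate covers: the SAN entries, falling back to the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_certificate(cert, hostname, now_ts=None):
    """Return a list of findings for binding `cert` to `hostname`; an empty list means
    the certificate names the custom domain exactly, is not a wildcard, is not the
    shared azurewebsites.net certificate, and is inside its validity window.
    `now_ts` is POSIX seconds and defaults to the current time."""
    if now_ts is None:
        now_ts = time.time()
    findings = []
    names = cert_names(cert)
    wildcards = [n for n in names if n.startswith("*.")]
    if wildcards:
        findings.append("wildcard certificate (%s) is not allowed" % ", ".join(wildcards))
    if hostname.lower() not in [n.lower() for n in names]:
        findings.append("certificate does not name %s" % hostname)
    if any(n.lower().endswith("azurewebsites.net") for n in names):
        findings.append("certificate is for the shared azurewebsites.net domain")
    # getpeercert() gives validity dates as strings like 'Aug  1 23:59:59 2018 GMT'.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts < not_before:
        findings.append("certificate is not yet valid (notBefore %s)" % cert["notBefore"])
    if now_ts > not_after:
        findings.append("certificate expired on %s" % cert["notAfter"])
    return findings


if __name__ == "__main__":
    for cert, host in ((DEFAULT_WILDCARD_CERT, "demo.azurewebsites.net"),
                       (CUSTOM_DOMAIN_CERT, "demo.example.com")):
        print(host, "->", check_certificate(cert, host) or "OK")
```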
A custom domain name is not available with Microsoft’s free pricing plan, one of five plans. It is available with the other four. A custom domain name with HTTPS is available with the standard and premium pricing plans. To ensure the use of HTTPS, we recommend choosing either the standard or premium pricing plan when creating a web application with Azure App Service. (Microsoft has a tie-in with GoDaddy to offer a custom domain name and a certificate from the Azure portal. Or you can buy a custom domain name and certificate from another domain registrar and use it with an Azure web app.)
For custom domain names purchased outside of Microsoft, follow these steps to configure it in the Azure portal:
  • Log in to the Azure portal.
  • Navigate to “App Services” in left navigation pane.
  • Select your web application.
  • Click on “Settings” and select “Custom domains and SSL.”
  • A new frame will open on the right side. Click on “Bring external domains.”
  • Note the IP address located at the bottom. Go to your domain registrar website and create DNS entries using this IP address. It can take some time for the changes to propagate, depending on your DNS provider.
  • In the “Domain Names” text box, enter the custom domain name you bought from the domain registrar.
  • Save the changes.
  • Click on “Upload certificate.”
  • Locate and upload your .pfx certificate file.
  • Under “SSL bindings,” select the domain name to secure with SSL, and the certificate to use.
  • Save the changes.
  • You should be able to access the web app using your custom domain name over HTTPS.
For more details on how to set up a custom domain name and its certificate, follow these links from Microsoft:
This blog post was written by Piyush Mittal.