Looking to establish a presence in Azure?

Direct connection to Azure through Microsoft ExpressRoute.

Written by Aram Sadeghi.

One of the key items in the shopping basket of businesses considering the move to the cloud, or expanding their existing tenancy, is the connecting link between their infrastructure and the cloud.

In today’s topic, I am going to briefly cover a dedicated circuit, used to connect Azure customers to the Microsoft cloud.

One of the most commonly used and easiest ways to connect is using a VPN.

We all know VPN and the numerous advantages it has brought to the IT world by making end-to-end communication safer and cheaper to run.

Can we therefore conclude VPN connection to Azure is the right solution for business?

In my view, it certainly can and does provide some great benefits; however, as with anything in life, it does come with some disadvantages.

Whilst some might argue that internet is reliable, hence VPN can be seen as a reliable connection, in my view this is not the case. As a home user or a typical user browsing the internet you may not notice issues that commonly happen, which can be a nightmare for an organisation running business processes.

An example of this would be streaming a video: with most streaming platforms the video is progressively downloaded in advance, so if there is a hiccup, it might not be noticed by the end user.

Compare this with a business that is running hundreds of SQL queries or other tasks that are latency sensitive, what happens when there is a hiccup?

Well, loss of revenue, damage to reputation and the list goes on.

One of the key benefits for most organisations is the predictability of the circuit.

You can expect a stable and reliable latency in addition to throughput using ExpressRoute, also known as ER.

This becomes even more important when businesses have a hybrid model where part of the infrastructure in the cloud needs to communicate with an on-premises, latency-sensitive application.

This is in comparison with the traditional model of connecting to Azure using VPN, where there is no guarantee on the reliability of the circuit as it is crossing the public network.

Another key item on the list is the support. As an enterprise, you will need to ensure that you can escalate any issues you have between two end points and any underlying infrastructure is supported by a business Service Level Agreement.

Often if you have any problems with VPN, it is quite difficult to troubleshoot it due to no visibility or in fact supportability of the underlying infrastructure.

One can still troubleshoot and debug any issues to the egress point of their infrastructure which is fine, however how about hops between egress and Microsoft?

This can quite easily be a blocker for most businesses, as it is not possible to make the move towards cloud without having proper support on the transit link, which underlines the criticality of implementing an ER circuit.

There are also other advantages to deploying ER:

  • Dynamic bandwidth scaling
  • Robust failover options
  • Dynamic routing

I am going to cover other aspects of ER in future posts, so watch this space.

If you are interested to know more or have any arising questions, drop us a message on the contact us section of the website and we will come back to you as soon as we can. Alternatively, drop Aram an e-mail direct at aram.sadeghi@coreazure.com.

Aram Sadeghi, Network Practice Lead, CoreAzure.


Speed Matters Workshop: Quickly Migrate to Azure

Secure your place at our workshop here.

Moving to the Cloud can often be a complex and time-consuming process. That’s why CoreAzure have partnered with Velostrata to make the transition to Cloud as simple and as quick as possible. Unlike replication-based approaches, Velostrata has an agentless platform that moves applications to the Cloud in just a matter of minutes.

Our solution enables accelerated Cloud migration and workload mobility with speed, scale, simplicity, and perhaps most importantly, safety. The software is easy to deploy and manage, and can significantly reduce the risks associated with migration.        

Are you interested in finding out more about how you can migrate workloads to Azure in minutes not days? Join CoreAzure, with guest speakers from CoreAzure and Velostrata on the 1st August for an afternoon workshop and discover how we can simplify and accelerate the process of migrating to Azure. The session will also feature a live demo on how to use our solution to migrate workloads to Azure in just a matter of minutes.

This is your opportunity to share and discuss, with the Cloud specialists, the pros and cons, and any concerns that you may have about migrating to Azure. The objective is to leave you with an understanding of how you can use Azure Virtual Machines for a wide range of computing solutions and realise the benefits of Cloud computing.


    • 12:30-1:30pm – Welcome & Lunch
    • 1:30-2:00pm – Introduction to CoreAzure & Velostrata
    • 2:00-2:45pm – Challenges in migrating to the Cloud
    • 2:45-3:00pm – Break
    • 3:00-4:00pm – Live Demonstrations
    • 4:00-4:30pm – Q&A with CoreAzure & Velostrata
    • 4:30-5:00pm – Wrap-up & Close
    • 5:00pm-onwards – Drinks

 Key Information:

  • Date: Tuesday 1st August 2017
  • Location: London
  • Time: 1:30pm-5pm. Drinks and networking session from 5pm onwards. Lunch on arrival and refreshments throughout the session.             

Interested in attending? Register here today!

If you have any questions before the workshop, please get in touch via the details below:

Charlie La Foret | Pre-Sales Consultant



One-click disaster recovery of applications using Azure Site Recovery

Disaster recovery is not only about replicating your virtual machines but also about the end to end application recovery that is tested multiple times, error free, and stress free when disaster strikes.

Automate most recovery tasks to reduce RTO

Recovering large applications can be a complex task. It can be difficult to remember the exact customisation steps post failover. Sometimes, it is not you, but someone else who is unaware of the application intricacies, who needs to trigger the failover. Remembering too many manual steps in a disaster recovery scenario is difficult and error prone.

A recovery plan gives you a way to automate the required actions you need to take at every step, by using Microsoft Azure Automation runbooks. With runbooks, you can automate common recovery tasks like the examples given below. For those tasks that cannot be automated, recovery plans also provide you the ability to insert manual actions.

  • Tasks on the Azure virtual machine post failover – these are required typically so that you can connect to the virtual machine, for example:
    • Create a public IP on the virtual machine post failover
    • Assign an NSG to the failed over virtual machine’s NIC
    • Add a load balancer to an availability set
  • Tasks inside the virtual machine post failover – these reconfigure the application so that it continues to work correctly in the new environment, for example:
    • Modify the database connection string inside the virtual machine
    • Change web server configuration/rules

For many common tasks, you can use a single runbook and pass parameters to it for each recovery plan so that one runbook can serve all your applications.
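The "assign an NSG to the failed-over virtual machine's NIC" task above, written as one runbook that serves every recovery plan. This is an added example, not CoreAzure's or Microsoft's published runbook; it assumes an Automation Run As connection named AzureRunAsConnection and two Automation variables per plan, named "<plan name>-NSG" and "<plan name>-NSGRG", which are naming conventions chosen here for illustration.

```powershell
# Added example: Azure Automation PowerShell runbook invoked by a Site Recovery
# recovery plan as a post-failover action. Site Recovery passes the plan details
# in the $RecoveryPlanContext parameter.
param (
    [Parameter(Mandatory = $true)]
    [Object]$RecoveryPlanContext
)

$ErrorActionPreference = 'Stop'

# Sign in as the Automation account's service principal (certificate based),
# so no user credentials are stored in the runbook.
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
Select-AzureRmSubscription -SubscriptionId $conn.SubscriptionId | Out-Null

# Per-plan parameters: the same runbook serves every application because the
# NSG to apply is looked up by recovery plan name (assumed variable names).
$planName = $RecoveryPlanContext.RecoveryPlanName
$nsgName  = Get-AutomationVariable -Name "$planName-NSG"
$nsgRg    = Get-AutomationVariable -Name "$planName-NSGRG"
$nsg      = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $nsgRg

# VmMap carries one note property per failed-over VM, keyed by an ID.
$vmMap = $RecoveryPlanContext.VmMap
$vmIds = $vmMap | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name

foreach ($id in $vmIds) {
    $entry = $vmMap.$id
    if (-not $entry -or -not $entry.ResourceGroupName -or -not $entry.RoleName) {
        continue    # entry without an Azure VM behind it; nothing to protect
    }

    $vm = Get-AzureRmVM -ResourceGroupName $entry.ResourceGroupName -Name $entry.RoleName

    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        # NIC resource ID layout:
        # /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Network/networkInterfaces/<name>
        $parts = $nicRef.Id.Split('/')
        $nic   = Get-AzureRmNetworkInterface -ResourceGroupName $parts[4] -Name $parts[-1]

        # Attach the NSG so the recovered VM is filtered from the moment it is reachable.
        $nic.NetworkSecurityGroup = $nsg
        $nic | Set-AzureRmNetworkInterface | Out-Null

        Write-Output "Applied NSG '$nsgName' to NIC '$($nic.Name)' of VM '$($entry.RoleName)'"
    }
}
```

Running this before any runbook that adds a public IP keeps the failed-over machine from being exposed without filtering during the recovery window.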

Real-world example – WordPress disaster recovery solution

Watch a quick video of a two-tier WordPress application failover to Microsoft Azure and see the recovery plan with automation scripts, and its test failover in action using Azure Site Recovery.

  • The WordPress deployment consists of one MySQL virtual machine and one frontend virtual machine with Apache web server, listening on port 80.
  • WordPress deployed on the Apache web server is configured to communicate with MySQL via the IP address
  • Upon test failover, the WordPress configuration needs to be changed to communicate with MySQL on the failover IP address To ensure that MySQL acquires the same IP address every time on failover, we will configure the virtual machine properties to have a preferred IP address set to

The following video has been created by Microsoft – Channel 9.

When disaster recovery needs to be invoked, you need to ensure that you are able to successfully recover those applications in a timely manner. Azure Site Recovery provides a platform to enable not just the tier-1 applications to have a business continuity plan, but offers a compelling solution that empowers an organisation to set up a working end-to-end disaster recovery plan for 100% of your organisation’s IT applications.

You can use the powerful replication capabilities of Azure Site Recovery for 31 days at no charge for every new physical server or virtual machine that you replicate, whether it is running on VMware or Hyper-V. For more information, please review the additional product information, and if you would like to learn more about Azure Site Recovery and how it can help your business, please contact us using the form below.



How to address the 14 UK Cloud Security Principles – Using Microsoft Azure

The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security.

In its publication “Implementing the Cloud Security Principles,” it lays out the 14 security principles that organisations should use when evaluating cloud services, and which cloud service providers should consider when offering those services to government customers (referred to as “consumers” in the principles).

The 14 principles are aligned with ISO 27001, an auditable, international, information security management standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 formally defines requirements for a complete ISMS to help protect and secure an organisation’s data.

The principles defined by NCSC are:

  1. Data in transit protection. Consumer data transiting networks should be adequately protected
    against tampering and eavesdropping via a combination of network protection and encryption.
  2. Asset protection and resilience. Consumer data, and the assets that store or process it, should be
    protected against physical tampering, loss, damage, and seizure.
  3. Separation between consumers. Separation should exist between different consumers of the
    service to prevent one malicious or compromised consumer from affecting the service or data of
  4. Governance framework. The service provider should have a security governance framework that
    coordinates and directs their overall approach to the management of the service and information
    within it.
  5. Operational security. The service provider should have processes and procedures in place to
    ensure the operational security of the service.
  6. Personnel security. Service provider staff should be subject to personnel security screening and
    security education appropriate for their role.
  7. Secure development. Services should be designed and developed to identify and mitigate threats
    to their security.
  8. Supply chain security. The service provider should ensure that its supply chain satisfactorily
    supports all of the security principles that the service claims to implement.
  9. Secure consumer management. Consumers should be provided with the tools required to help
    them securely manage their service.
  10. Identity and authentication. Access to all service interfaces (for consumers and providers) should
    be limited to authenticated and authorised individuals.
  11. External interface protection. All external or less trusted interfaces of the service should be
    identified and have appropriate protections to defend against attacks through them.
  12. Secure service administration. The methods used by the service provider’s administrators to
    manage the operational service should be designed to mitigate any risk of exploitation that could
    undermine the security of the service.
  13. Audit information provision to consumers. Consumers should be provided with the audit records
    they need to monitor access to their service and the data held within it.
  14. Secure use of the service by the consumer. Consumers have certain responsibilities when using a
    cloud service in order for this use to remain secure, and for their data to be adequately protected.

To help find a way through the principles, Microsoft have released a number of Azure Blueprints, enabling the UK public sector to review and understand how solutions built on Azure can implement the 14 individual Cloud Security Principles supporting workloads with information designated as UK OFFICIAL level. The Azure Blueprint outlines how Azure implements security controls designed to satisfy each security principle and assists customers in understanding how they may implement safeguards within their Azure solution to fulfil the requirements of each principle where they hold a responsibility.

As an example, an Azure Virtual Network (VNet) allows full control of security policies and routing within virtual network architectures through deployment and configuration of subnets, network security groups, and user defined routes. Network security groups can be applied to subnets or individual machines, logically separating resources by workload, based on a multi-tier architecture, or for any other purpose.

In the reference architecture below, resources are grouped in separate subnets for the web, business, and data tiers, and subnets for Active Directory resources and management. Network security groups are applied to each subnet to restrict network traffic within the virtual network.

Network security groups can be applied to outgoing communications from subnets and virtual machines. This allows full control over communication between information system components in Azure and external information systems.  Network security group rule processing is implemented as a deny-all, permit-by-exception function. Further, user defined routes can be configured to route both incoming and outgoing communications from specific subnets and virtual machines through a virtual appliance such as a firewall or IDS/IPS, further managing system communications.

The reference architecture above demonstrates how Azure resources can be logically grouped into separate subnets with network security group rulesets applied to ensure that security functions and non-security functions are isolated. In this case, the three web-application tiers are isolated from the Active Directory subnet as well as the management subnet, which may host information system and security management tools and resources.

The reference architecture also implements managed access control points for remote access to the information system.  An Internet-facing load balancer is deployed to distribute incoming Internet traffic to the web application, and the management subnet includes a jumpbox, or bastion host, through which all management-related remote access to the system is controlled. Network security groups restrict traffic within the virtual network ensuring external traffic is only routed to designated public-facing resources.

Network security groups allow full control of communications between Azure resources and external hosts and systems, as well as between internal subnets and hosts, separating information system components that are designated publicly accessible and those that are not. In addition to the solutions in the reference architecture above, Azure enables deployment of virtual appliances, such as firewall and IDS/IPS solutions which, when used in conjunction with user defined routes, further secure and manage connections between Azure resources and external networks and information systems.

Rulesets for network security groups enable restrictions on specific network ports and protocols, which is a key component of ensuring that information systems are implemented in a manner that provides only essential capabilities.
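A permit-by-exception ruleset for the data tier of the reference architecture, as an added example (not taken from the Azure Blueprint or from CoreAzure). The resource names and address prefixes are constructed for illustration. The explicit deny rule matters because the default rules Azure adds to every network security group include AllowVnetInBound at priority 65000, so tiers in the same virtual network can reach each other until a lower-numbered rule says otherwise.

```powershell
# Added example. All names and prefixes below are constructed assumptions.
$resourceGroupName = 'refarch-rg'
$location          = 'UK South'
$vnetName          = 'refarch-vnet'
$dataSubnetName    = 'data'
$businessPrefix    = '10.0.2.0/24'     # business tier subnet
$dataPrefix        = '10.0.3.0/24'     # data tier subnet
$managementPrefix  = '10.0.0.128/25'   # management subnet hosting the jumpbox

# Settings shared by every inbound rule on the data tier.
$common = @{
    Direction                = 'Inbound'
    SourcePortRange          = '*'
    DestinationAddressPrefix = $dataPrefix
}

# Exception 1: only the business tier may reach SQL Server.
$allowSql = New-AzureRmNetworkSecurityRuleConfig @common -Name 'Allow-SQL-From-Business' `
    -Description 'Business tier to SQL Server' -Priority 100 -Access Allow `
    -Protocol Tcp -SourceAddressPrefix $businessPrefix -DestinationPortRange 1433

# Exception 2: administration only through the jumpbox in the management subnet.
$allowRdp = New-AzureRmNetworkSecurityRuleConfig @common -Name 'Allow-RDP-From-Management' `
    -Description 'Jumpbox to data tier' -Priority 110 -Access Allow `
    -Protocol Tcp -SourceAddressPrefix $managementPrefix -DestinationPortRange 3389

# Everything else from inside the virtual network is denied. Without this rule
# the default AllowVnetInBound (priority 65000) would let the web tier, or any
# other subnet, talk to the data tier directly. Note that it also blocks
# VM-to-VM traffic inside the data subnet; add a further Allow rule above it
# if the database servers need to talk to each other.
$denyVnet = New-AzureRmNetworkSecurityRuleConfig @common -Name 'Deny-Other-VNet-Inbound' `
    -Description 'Override default AllowVnetInBound' -Priority 4000 -Access Deny `
    -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'

$nsg = New-AzureRmNetworkSecurityGroup -Name 'data-tier-nsg' `
    -ResourceGroupName $resourceGroupName -Location $location `
    -SecurityRules $allowSql, $allowRdp, $denyVnet

# Apply the group to the whole subnet rather than to individual NICs.
$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $dataSubnetName `
    -AddressPrefix $dataPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzureRmVirtualNetwork | Out-Null

# Review custom and default rules together in evaluation order (lowest priority
# number first) to confirm nothing broader sits above the deny rule.
@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, SourceAddressPrefix, DestinationPortRange
```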

Whilst this is just one example, there are lots of built-in features that can help organisations meet their security control compliance requirements to take full advantage of the security features offered by Azure. The 14 Cloud Security Controls for the UK cloud whitepaper provides insight into how Azure services align with the fourteen cloud security principles set forth in the NCSC publication Implementing the Cloud Security Principles.

If you would like to discuss how CoreAzure can help you take full advantage of the security features offered by Azure, then please get in touch with us using the form below.




Snapshot VMs in Azure Resource Manager

One of our most-popular blog posts (drawing almost a quarter of all visitors to our site) has been Mark Briggs’ excellent Snapshot VMs in Azure guide from August 2014. Although much of the content of this article is still relevant for virtual machines created using the classic Azure portal, there have been a number of major changes to the Microsoft Azure platform in the interim, including the introduction of the Azure Resource Manager (ARM) deployment model, along with significant changes to the Azure PowerShell modules which may result in unexpected behaviour and warnings about deprecated features.

I thought it would be useful to provide an updated guide for creating snapshots from virtual machines which have been created in the new Azure portal (https://portal.azure.com) using the Azure Resource Manager deployment model.


The following guide has been provided purely for informational purposes and should be thoroughly tested on non-critical systems. CoreAzure cannot be held responsible for any consequences arising from the use of this information.

Step 1: Install Azure PowerShell

If you haven’t already installed the latest Azure modules for PowerShell, you can do so using the following steps:

  1. Open an administrative Command Prompt. The easiest way is to right-click on the Start button and select Command Prompt (Admin).
  2. Enter the command powershell and press Return to start a Windows PowerShell session.
  3. Enter the command Install-Module AzureRM and press Return.
  4. If you are prompted to install the NuGet provider, type and press Return to confirm.
  5. If you receive a warning about an untrusted repository, type and press Return to add PSGallery to the list of trusted repositories.

Step 2: Validate current VM configuration

We now need to take a look at the configuration of the virtual machine we wish to snapshot as the script we will be using to perform the operation needs to know details such as the resource group which contains the VM, its network configuration, storage account and disk configuration as well as the Azure region which hosts the VM.

The easiest way to do this is to login to the new Azure portal (https://portal.azure.com) and open the resource group containing the VM you wish to snapshot. This will provide a list of all resources associated with the virtual machine.

For this demonstration, I have created a test resource group named snapshotrg in the UK South region containing the resources shown in the screenshot below:

Resource Group Properties


As you can see, the resource group contains a virtual machine named snapshotvm connected to a virtual network called snapshotvn via a network interface named snapshotvm156. This network interface has a public IP address assigned named snapshotpip, along with a Network Security Group called snapshotnsg which contains a single rule to allow incoming RDP connections.

The virtual machine is connected to a storage account named snapshotsa which contains a single container named vhds. Inside this container is the virtual machine’s OS disk named snapshotvm20170221112834.vhd.

We can ignore the other storage account (snapshotrgdiag735) listed in the resource group as this has been automatically generated by Azure for boot logging purposes and does not need to be included in any snapshot operations.

Virtual Machine Properties


If we look at the properties of the virtual machine itself, we can see that it is a Windows server with a VM size of Standard F1s. The public IP address it has been assigned is which has been given a DNS name of snapshotvm.uksouth.cloudapp.azure.com. We can also make a note of the Subscription Name.

The final piece of information we need to gather is the storage account key used to communicate with the storage account (as our script will be creating snapshots in the same container as the original OS disk). To do this, simply open the properties of the storage account (in my case, snapshotsa) and select the Access keys option. You should now be presented with two access keys, either of which can be copied into our script in Step 3.

Step 3: Populate local variables

We can now use the information gathered in Step 2 to start creating our snapshot script. Launch Windows PowerShell ISE and enter the following into the script pane (replacing the text in angled brackets with the details relevant to your environment):

$resourceGroupName = "<Insert Resource Group Name Here>"
$location = "<Insert Azure Region Here>"
$vmName = "<Insert VM Name Here>"
$vmSize = "<Insert VM Size Here>"
$vnetName = "<Insert vNet Name Here>"
$nicName = "<Insert NIC Name Here>"
$dnsName = "<Insert DNS Name Here>"
$diskName = "<Insert Disk Name Here (omitting the .vhd extension)>"
$storageAccount = "<Insert Storage Account Name Here>"
$storageAccountKey = "<Insert Storage Account Key Here>"
$subscriptionName = "<Insert Subscription Name Here>"
$publicIpName = "<Insert Public IP Address Name Here>"

For reference, this is the code I used for the snapshotvm virtual machine:

$resourceGroupName = "snapshotrg"
$location = "UK South"
$vmName = "snapshotvm"
$vmSize = "Standard_F1s"
$vnetName = "snapshotvn"
$nicName = "snapshotvm156"
$dnsName = "snapshotvm"
$diskName = "snapshotvm20170221112834"
$storageAccount = "snapshotsa"
$storageAccountKey = "<OBFUSCATED>"
$subscriptionName = "Pay-As-You-Go"
$publicIpName = "snapshotpip"

We can concatenate some of the information provided above to give us the full name of the disk blob, target backup disk blob and full path to the VHD which will be stored in the following variables:

$diskBlob = "$diskName.vhd"
$backupDiskBlob = "$diskName-backup.vhd"
$vhdUri = "https://$storageAccount.blob.core.windows.net/vhds/$diskBlob"
$subnetIndex = 0

Step 4: Login to your Azure subscription

We now need to configure our script to login to Microsoft Azure and connect to the right subscription. For maximum security, Microsoft recommend using a service principal and certificate to login to Azure. This is especially true when you have created batch scripts or apps which need to run without prompting for additional credentials (and which you wouldn’t necessarily want to run under your own credentials). However, configuring this method of authentication falls outside the scope of this tutorial, so we will be using Azure AD credentials for simplicity.

To log in to Azure and connect to the required subscription, we can use the Login-AzureRmAccount and Set-AzureRMContext commands in conjunction with the $subscriptionName variable we defined earlier:

Login-AzureRmAccount
Set-AzureRMContext -SubscriptionName $subscriptionName

When these commands are run, a window should automatically appear prompting you to login to Azure. Assuming the correct credentials are provided, the window will disappear and take you back to the active PowerShell session.

Step 5: Create backup disk

To create a snapshot of the disk, we first need to power off the virtual machine using the following command:

Stop-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName -Force -Verbose

We can then check to see if a backup has already been created using the following commands:

$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageAccountKey
$blobCount = Get-AzureStorageBlob -Container vhds -Context $ctx | where { $_.Name -eq $backupDiskBlob } | Measure | % { $_.Count }

If no backup disk is currently found in the container, we can proceed with creating a copy. Although the copy operation should be relatively quick (as the target file is located in the same storage container), I’ve included a while loop to report the copy status every 10 seconds. This might prove useful if you want the snapshot to be copied to a different region or to a local file server:

# Only start a copy if no backup blob exists yet
if ($blobCount -eq 0)
{
  $copy = Start-AzureStorageBlobCopy -SrcBlob $diskBlob -SrcContainer "vhds" -DestBlob $backupDiskBlob -DestContainer "vhds" -Context $ctx -Verbose
  $status = $copy | Get-AzureStorageBlobCopyState
  # Re-check the copy status every 10 seconds while it is still pending
  While($status.Status -eq "Pending"){
    $status = $copy | Get-AzureStorageBlobCopyState
    Start-Sleep 10
  }
}

We can now check the vhds storage container in the portal to confirm that the copy has been created:

Original VHD and Backup
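A scripted version of that check, as an added example that is not part of the original script. The loop in Step 5 ends on any status other than Pending (including a failed copy), and an existing backup blob causes the copy to be skipped altogether, so this verifies the backup before Step 6 deletes the original disk; it also reads the storage account key at run time instead of pasting it into the script. Test-BackupBlob is a hypothetical helper name, and the variables from Step 3 and the login from Step 4 are assumed.

```powershell
# Added example: assumes $resourceGroupName, $storageAccount, $diskBlob and
# $backupDiskBlob are set as in Step 3 and the session is logged in (Step 4).

# Read the key from Azure at run time so it never has to be saved in the
# script file (the account running the script needs rights to list keys).
$storageAccountKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccount)[0].Value
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageAccountKey

function Test-BackupBlob {
    # Returns $true only if the backup blob is a complete, current copy of the source.
    param (
        [Parameter(Mandatory = $true)] $Context,
        [Parameter(Mandatory = $true)] [string] $Container,
        [Parameter(Mandatory = $true)] [string] $SourceBlob,
        [Parameter(Mandatory = $true)] [string] $BackupBlob
    )

    $src = Get-AzureStorageBlob -Container $Container -Blob $SourceBlob -Context $Context -ErrorAction Stop
    $bak = Get-AzureStorageBlob -Container $Container -Blob $BackupBlob -Context $Context -ErrorAction SilentlyContinue
    if (-not $bak) {
        Write-Warning "Backup blob '$BackupBlob' does not exist."
        return $false
    }

    # The copy must have finished successfully, not merely stopped being Pending.
    $state = Get-AzureStorageBlobCopyState -Blob $BackupBlob -Container $Container -Context $Context
    if ($state.Status -ne 'Success') {
        Write-Warning "Copy status is '$($state.Status)': $($state.StatusDescription)"
        return $false
    }
    if ($state.BytesCopied -ne $state.TotalBytes -or $bak.Length -ne $src.Length) {
        Write-Warning "Backup is incomplete ($($state.BytesCopied) of $($state.TotalBytes) bytes copied)."
        return $false
    }

    # A backup left over from an earlier run is older than the last write to the
    # source disk; Step 5 would have skipped the copy and kept the stale file.
    if ($state.CompletionTime -lt $src.LastModified) {
        Write-Warning "Backup completed $($state.CompletionTime), before the source was last modified $($src.LastModified)."
        return $false
    }

    return $true
}

if (-not (Test-BackupBlob -Context $ctx -Container 'vhds' -SourceBlob $diskBlob -BackupBlob $backupDiskBlob)) {
    throw "Backup of '$diskBlob' could not be verified. Do not delete the original resources."
}
Write-Output "Backup '$backupDiskBlob' verified."
```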


Step 6: Delete original resources

With our snapshot created, we can test the restore process by deleting some of the original resources. The following script should delete the original virtual machine, along with its disk, network interface and public IP address:

Remove-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName -Force -Verbose
Remove-AzureStorageBlob -Blob $diskBlob -Container "vhds" -Context $ctx -Verbose
Remove-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $resourceGroupName -Force -Verbose
Remove-AzureRmPublicIpAddress -Name $publicIpName -ResourceGroupName $resourceGroupName -Force -Verbose

To validate that the resources have been deleted, log back into the Azure portal and open the properties of your resource group. The only resources remaining should be the Network Security Group, Virtual Network and storage accounts:

Resource Group After Deletion


Step 7: Recreate original disk

We still have the name of the original disk recorded in our $diskBlob variable, so we can easily recreate this disk by creating a copy of our backup disk using this name. Again, I’ve included a 10-second status check loop in case the copy operation takes longer than expected:

# Copy the backup blob back to the original disk name
$copy = Start-AzureStorageBlobCopy -SrcBlob $backupDiskBlob -SrcContainer "vhds" -DestBlob $diskBlob -DestContainer "vhds" -Context $ctx -Verbose
$status = $copy | Get-AzureStorageBlobCopyState
# Re-check the copy status every 10 seconds while it is still pending
While($status.Status -eq "Pending"){
  $status = $copy | Get-AzureStorageBlobCopyState
  Start-Sleep 10
}

Step 8: Recreate resources

With the original disk now back in place, we can proceed with recreating the virtual machine and its associated network resources:

# Recreate the public IP address and network interface on the existing virtual network
$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName
$pip = New-AzureRmPublicIpAddress -Name $publicIpName -ResourceGroupName $resourceGroupName -DomainNameLabel $dnsName -Location $location -AllocationMethod Dynamic -Verbose
$nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $resourceGroupName -Location $location -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $pip.Id -Verbose
# Build the VM configuration, attaching the restored OS disk
$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
$vm = Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri $vhdUri -CreateOption attach -Windows
# Create the virtual machine from the configuration
New-AzureRmVM -ResourceGroupName $resourceGroupName -Location $location -VM $vm -Verbose

Step 9: Examine the result

We can now repeat the checks we carried out in Step 2 to see how our environment has changed. If we open the properties of the snapshotrg resource group, we can see that the snapshotvm machine and the public IP address are now present and correct. However, it now has a new network interface named snapshotvm156:

Resource Group After Restore


If we look at the properties of the public IP address snapshotpip, we can see that a new public IP address of has been assigned. However, it has retained the correct DNS name (so anything which communicates with the server by DNS will still operate correctly). If we didn’t want the public IP address of the server to change, we could have left the old public IP address undeleted (and reassigned it after the new machine was created):

Public IP Address After Restore


If we look at the properties of the virtual machine itself, we can see that the new virtual machine has been created with the correct VM size, location and subscription name:

Virtual Machine Properties After Restore


Finally, looking at the disk configuration of the new virtual machine confirms that it is using the original disk name (although the backup file is still available in the vhds container should you need to restore the snapshot again in future):

Disk Configuration After Restore


I hope this guide proved useful.

Please do not hesitate to contact me using the form below if you have any queries.


Preview the new enhancements to Azure Security Centre

The unprecedented scale and sophistication of modern cyber threats, combined with the rapidly disappearing IT perimeter, means that while preventing an attack from becoming a breach is ideal, it is no longer realistic. 

While the cloud may have initially raised some security concerns among enterprises, Microsoft is changing those dynamics. By applying prescriptive analytics to application and network data, learning the behaviour of a machine or a group of machines, and combining these insights with broad cloud reputation, Azure Security Centre empowers customers to realise the benefits of these controls without introducing any management overhead.

With this collective power of millions of cloud customers, Microsoft can help each customer more effectively defend against the increasing volume and sophistication of attacks. Azure Security Centre has released a number of new capabilities that leverage this collective intelligence to not only detect threats, but also do a better job of preventing them.

Microsoft security research and data science teams are constantly monitoring the threat landscape and adding new or enhancing current detection algorithms. Azure Security Centre customers benefit from these innovations as algorithms are continuously released, validated, and tuned without the need to worry about keeping signatures up to date.

Here are some of the most recent updates:    

  • Harnessing the Power of Machine Learning – Azure Security Center has access to a vast amount of data about cloud network activity, which can be used to detect threats targeting your Azure deployments. For example:
  • Brute Force Detections – Machine learning is used to create a historical pattern of remote access attempts, which allows it to detect brute force attacks against SSH, RDP, and SQL ports. In the coming weeks, these capabilities will be expanded to also monitor for network brute force attempts targeting many applications and protocols, such as FTP, Telnet, SMTP, POP3, SQUID Proxy, MongoDB, Elastic Search, and VNC.
  • Outbound DDoS and Botnet Detection – A common objective of attacks targeting cloud resources is to use the compute power of these resources to execute other attacks. New detection algorithms are generally available in Azure Security Center, which clusters virtual machines together according to network traffic patterns and uses supervised classification techniques to determine if they are taking part in a DDoS attack. Also, in private preview are new analytics that detect if a virtual machine is part of a botnet. It works by joining network data (IPFIX) with passive DNS information to obtain a list of domains accessed by the VM and using them to detect malicious access patterns.
  • New Behavioural Analytics for Servers and VMs – Once a server or virtual machine is compromised, attackers employ a wide variety of techniques to execute malicious code on that system while avoiding detection, ensuring persistence, and obviating security controls. Additional behavioural analytics are now generally available in Azure Security Center to help identify suspicious activity, such as process persistency in the registry, processes masquerading as system processes, and attempts to evade application whitelisting. In addition, new analytics have been released to public preview that are designed specifically for Windows Server 2016, for example activity related to SAM and admin account enumeration. Over the next few weeks, many of the behavioural analytics available for Windows VMs will be available for Linux VMs as well. Operations Management Suite Security users will also benefit from these new detections for non-Azure servers and VMs.
  • Azure SQL Database Threat Detection – Threat Detection for Azure SQL Database, which identifies anomalous database activities indicating unusual and potentially harmful attempts to access or exploit databases, announced upcoming general availability in April 2017. You can view alerts from SQL Database Threat Detection in Azure Security Center, along with additional details and actions for investigating and preventing similar threats in the future.
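
The IPFIX and passive DNS join described in the botnet detection item above, shown as an added example that is not Microsoft's or CoreAzure's code. The flow and DNS records are constructed, and the "newly observed domain" rule in `flag_vms` is an assumed stand-in heuristic, since the page does not say how the access patterns are scored.

```python
from collections import defaultdict

# Constructed IPFIX-style flow records: (flow_time, vm_ip, dst_ip, dst_port)
FLOWS = [
    (1000, "10.0.0.4", "192.0.2.10", 443),
    (1010, "10.0.0.4", "192.0.2.11", 443),
    (1020, "10.0.0.5", "198.51.100.7", 8080),
    (1030, "10.0.0.5", "198.51.100.8", 8080),
    (1040, "10.0.0.5", "198.51.100.9", 8080),
    (1050, "10.0.0.5", "192.0.2.10", 443),
    (2000, "10.0.0.4", "198.51.100.7", 443),  # outside the pDNS validity window
]

# Constructed passive DNS records: (domain, resolved_ip, first_seen, last_seen)
PDNS = [
    ("portal.example.com", "192.0.2.10", 0, 5000),
    ("cdn.example.com", "192.0.2.11", 0, 5000),
    ("qx7a1.example.net", "198.51.100.7", 990, 1100),
    ("qx7a2.example.net", "198.51.100.8", 995, 1100),
    ("qx7a3.example.net", "198.51.100.9", 998, 1100),
]

def domains_per_vm(flows, pdns):
    """Join flows to passive DNS on destination IP. A resolution counts only
    if the flow time falls inside its observed validity window."""
    by_ip = defaultdict(list)
    for domain, ip, first_seen, last_seen in pdns:
        by_ip[ip].append((domain, first_seen, last_seen))
    seen = defaultdict(dict)  # vm_ip -> {domain: youngest domain age at contact}
    for ts, vm, dst, _port in flows:
        for domain, first_seen, last_seen in by_ip.get(dst, []):
            if first_seen <= ts <= last_seen:
                age = ts - first_seen
                seen[vm][domain] = min(age, seen[vm].get(domain, age))
    return seen

def flag_vms(flows, pdns, new_window=60, min_new=3):
    """Assumed heuristic: flag a VM that contacted at least min_new domains
    that were first observed no more than new_window seconds earlier."""
    flagged = []
    for vm, domains in sorted(domains_per_vm(flows, pdns).items()):
        young = [d for d, age in domains.items() if age <= new_window]
        if len(young) >= min_new:
            flagged.append(vm)
    return flagged

if __name__ == "__main__":
    for vm, domains in sorted(domains_per_vm(FLOWS, PDNS).items()):
        print(vm, sorted(domains))
    print("flagged:", flag_vms(FLOWS, PDNS))
```

The time-window check matters because IP addresses are reused: the last flow to 198.51.100.7 is not attributed to the short-lived domain that pointed there earlier.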

To find out more and take advantage of these and other advanced detection capabilities, or if you would like to discuss your IT Security/Cybersecurity requirements with one of CoreAzure's National Cyber Security Centre (NCSC) Certified Professionals, please contact us.

The NCSC Certified Professional provides an independent assessment and verification process, based on the government’s approved standard of competence for cyber security professionals.



Safeguarding your cloud with Azure security services

While cloud security continues to be a top concern for many companies, Microsoft recently published insights from a survey that show overall concern has dropped significantly since 2015, reports Julia White, Corporate Vice President, Microsoft.

It is now at a stage where half of organisations contend the cloud is more secure than their on-premises infrastructure.

Maintaining a strong security posture for your cloud-based innovation is a shared responsibility between you and your cloud provider. With Microsoft Azure, securing cloud resources is a partnership between Microsoft and the customers, so it’s essential that the customer understands the comprehensive set of security controls and capabilities available on Azure.

Microsoft Azure is built on a foundation of trust and security. With significant investments in security, compliance, privacy, and transparency, Azure provides a secure foundation to host your infrastructure, applications, and data in the cloud. Microsoft also provides built-in security controls and capabilities to further help you protect your data and applications on Azure.

These can be classified broadly into four categories:

Manage and control user identity and access: Comprehensive identity management is the linchpin of any secure system. You must ensure that only authorized users can access your environments, data, and applications. Azure Active Directory serves as a central system for managing access across all your cloud services, including Azure, Office 365, and hundreds of popular SaaS and PaaS cloud services. Its federation capability means that you can use your on-premises identities and credentials to access those services, and Azure Multi-Factor Authentication provides for the most secure sign-on experience.

Increase network and infrastructure security: Azure provides you the security-hardened infrastructure to interconnect Azure VMs as well as make connections to on-premises datacentres. Additionally, you can extend your on-premises network to the cloud using secure site-to-site VPN or a dedicated Azure ExpressRoute connection. You can strengthen network security by configuring Network Security Groups, user-defined routing, IP forwarding, forced tunneling, endpoint ACLs, and Web Application Firewall as appropriate.

Encrypt communications and operation processes: Azure uses industry-standard protocols to encrypt data in transit as it travels between devices and Microsoft datacentres, and when it is stored in Azure Storage. You can also encrypt your virtual machine disks using Azure Disk Encryption. Azure Key Vault enables you to safeguard and control cryptographic keys and other secrets used by cloud apps and services. Azure Information Protection will help you classify, label, and protect your sensitive data.

Defend against threats: Microsoft enables actionable intelligence against increasingly sophisticated attacks using its network of global threat monitoring and insights. This threat intelligence is developed by analysing a wide variety of signal sources and a massive scale of signals. (For example, customers authenticate with Microsoft services over 450 billion times every month, and Microsoft scans 200 billion emails for malware and phishing each month.) Microsoft's approach to protecting the Azure platform includes intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioural analytics, anomaly detection, and machine learning. You can leverage additional services to develop a strong threat prevention, detection, and mitigation strategy.

Azure Active Directory Identity Protection helps you protect and mitigate against the risks from compromised identities. It offers a cloud-powered, adaptive, machine-learning-based identity protection system that can detect cyber-attacks, mitigate them in real time, and automatically suggest updates to your Azure AD configuration and conditional access policies. Services like Antimalware for Azure and Azure Security Center use advanced analytics not only to help detect threats but also to prevent them. Azure Security Center helps you get a central view of the security state of all your Azure resources in real time, including recommendations for improving your security posture. You can use Operations Management Suite to extend threat prevention, detection and quick response across Azure and other environments. The Log Analytics service will give you real-time insights to readily analyse millions of records across all of your workloads regardless of their physical location.

These are just a few examples of the broad set of security controls and services available to you with Azure.

If you would like to discuss how Microsoft resources can help safeguard your cloud with Azure security services, please contact us.




XenApp, XenDesktop and XenMobile are now tightly integrated with Microsoft Azure

Citrix and Microsoft have further strengthened their partnership this week by making it easier for customers to use Citrix’s application and desktop virtualization products in the Microsoft Azure cloud.

Citrix has kicked off its annual partner Summit in Anaheim this week with news of new products available in Azure.

- XenApp Essentials: This new version of Citrix’s core application virtualization product lets customers host applications in Microsoft Azure’s IaaS public cloud and manage them with existing XenApp tools.

- XenDesktop Essentials: The same idea as XenApp Essentials, but for full virtual desktops. It’s targeted specifically at running and managing Windows 10 remote desktops from Azure.

- XenMobile Essentials: This product integrates Citrix’s mobile management software with Microsoft’s Intune mobile management platform.

If you would like some more information or help in looking at the opportunities available, please get in touch.


Protection and recovery of Citrix XenDesktop and XenApp using Azure Site Recovery

Citrix XenDesktop is an industry leading desktop virtualisation solution that delivers desktops and applications as an on-demand service to any user, anywhere. With FlexCast delivery technology, XenDesktop can quickly and securely deliver applications and desktops to users.
But up until this week, Citrix XenApp did not provide any out-of-the-box disaster recovery capability. Regardless of the type and scale of a disaster, recovery involves the use of a standby data center that you can recover the farm to. Standby data centers are required for scenarios where local redundant systems and backups cannot recover from the outage at the primary data center.

Azure Site Recovery (ASR) is Microsoft’s Disaster Recovery as a Service (DRaaS) solution and provides disaster recovery capabilities by orchestrating replication, failover and recovery of virtual machines. Azure Site Recovery supports a number of replication technologies to consistently replicate, protect, and seamlessly fail over virtual machines to a secondary site or to Azure.
With ASR, you can protect and recover the essential components of your on-premises XenDesktop and XenApp environment including:

• Citrix Delivery Controller
• StoreFront Server
• XenApp Master Virtual Delivery Agent (VDA)
• XenApp License Server
• AD DNS Server
• SQL Database Server

Additionally, ASR provides you the ability to:
• Recover to an application-consistent point in time, which is useful for recovering your multi-tiered Citrix VDI environment to an application-consistent state.
• Use flexible recovery plans to customize the order of recovery by grouping together machines that need to fail over together and adding automation scripts and manual actions to be executed on a failover.
• Perform non-disruptive recovery testing, which lets you test the failover of your Citrix VDI farm to Azure without impacting ongoing replication or the performance of your production environment.

Detailed step-by-step guidance for building a disaster recovery solution using ASR has been worked out in close collaboration with Citrix. The whitepaper from Citrix detailing the process is available at https://aka.ms/citrix-xenapp-xendesktop-with-asr

Azure Site Recovery, as part of Microsoft Operations Management Suite, enables you to gain control and manage your workloads no matter where they run (Azure, AWS, Windows Server, Linux, VMware or OpenStack) with a cost-effective, all-in-one cloud IT management solution.

If you would like some more information or help in looking at the opportunities available, please get in touch.


Microsoft’s customers are now able to use private internet connections with the company’s UK data centers.

The Azure ExpressRoute combined with PSN/N3 Connectivity is just one of the new services Microsoft has unveiled since the company launched its Azure and Office 365 cloud offering in this country three months ago.

Since then, thousands of customers – including the Ministry of Defence, the Met Police and parts of the NHS – have signed up to take advantage of the sites, which offer UK data residency, security and reliability.

Microsoft has also announced the availability of a second ExpressRoute location in the UK – in Newport, Wales. This second location allows Azure customers to benefit from path diversity for High Availability and Disaster Recovery in their country.
Azure ExpressRoute lets you create private connections between Azure datacenters and infrastructure on your premises or in a colocation environment. ExpressRoute connections don’t go over the public Internet. They offer more reliability, faster speeds, lower latencies, and higher security than typical Internet connections. In some cases, using ExpressRoute connections to transfer data between on-premises systems and Azure can yield significant cost benefits.

With ExpressRoute, you can establish connections to Azure at an ExpressRoute location, such as an Exchange provider facility, or connect directly to Azure from your existing WAN network, such as a multi-protocol label switching (MPLS) VPN provided by a network service provider.

If you would like more information on ExpressRoute and how we have configured it for our customers, please get in contact with us.