DEV Community: John Friesen

2 Local machines 1 Dev VM

John Friesen — Sat, 16 Jan 2021 19:53:36 +0000

I recently wanted to connect a new laptop to one of the Azure virtual machines that I use for remote development. I realized this isn't something easy to do within the azure portal and I have limited knowledge in Linux (ubuntu) and SSL. So after I accomplished this I decided to share what I learned.

This blog post isn't just to learn how to connect a local machine to a VM. It will also give you a basic understanding of how to set up an SSH connection

Content:

What i am using
1. Create new VM (Optional)
2. Create new ssh keys on new local machine
- NOTE: SSH understanding
3. Add your public key to your Azure VM
- Integrity check!
4. Get ready for SSH connection
5. Actually do the SSH connection

What I am using

Azure VM (Ubuntu Release 18.XX / bionic)
Azure cli
VS code Remote Development extention pack
Windows 10 local machine

1. Create a new VM (Optional)

If you already have a VM you wish to do this on then you can skip this step.
Create a Linux VM in azure. Choose whichever size you need and in this article, I used Ubuntu Release 18.

// TODO az create VM code with ssh keys. what user does it create?
set a user varable to make it easier later $user = "%myuser%"
// TODO remember the user you created for this VM

2. Create new ssh keys on the new local machine

On windows I used this command ssh-keygen -t rsa
I add the path where to store the keys. i used C:\Users\UserName\.ssh\my-vs-code-vm
I then add in my passphrase (this is optional but adds security. If you choose to use it REMEMBER THE PASSPHRASE)

Great now we have our keys.

NOTE: SSH understanding

my-vs-code-vm

Your new private key
This stays on your machine and you need to keep it safe

my-vs-code-vm.pub

Your new public key
This is going onto your VM so your private key has something to unlock... like the ssh connection we want to establish

3. Add your public key to your Azure VM

Here we will be using the azure cli to add our new public key remotely execute commands remotely on our virtual machine.

Specifically, we will be using the az vm run-command.

Make sure you logged in az login.
Make sure you have the right Subscription active. az account show change with az account set -s //*correct subscription guid*//
Get our public key and put it into a variable

$publickey = cat ~/.ssh/my-vs-code-vm.pub

Integrity check!

make sure your $publickey value looks like this:

now that we have our public key ready let's send it off to our VM. We need to store our public key in the authorized_keys file for the user we will connect to.

az vm run-command invoke --name my-vs-code-vm --resource-group my-dev-vm-rg --command-id RunShellScript --scripts "echo '$publickey' >> /home/$user/.ssh/authorized_keys"

4. Get ready for SSH connection

We will need the ssh command to make the connection to the VM. The easiest way I generate it is from the Azure portal. all you need to do is add you Private Key Path in the Azure UI:

Copy the command from 4. Run the example command below to connect to your VM.
- NOTE: you have what you need to just ssh with your local terminal right now but let's keep going.
Now in VS Code open the Command Palette (Ctrl+Shift+P).
Select Remote-SSH: Add New SSH Host... and paste the ssh command we got from azure (if you don't see it you need to make sure you have the extension installed/enabled) // TODO make sure the remote extension is linked
Next you will be prompted to `Select SSH configuration file to update'. I use the first option that will store it under my local user

You will see this pop-up. Select Open Config and change the Host from the ip address to a friendly name like my-vs-code-vm. I highly recommend doing this!

Config file before:

Config file after:

5. Actually do the SSH connection

Open the VS Code Command Palette again (Ctrl+Shift+P).
Select Remote-SSH: Connect to Host... this time and select our config my-vs-code-vm and the rest should be straight forward.

Azure Alerts -> Secure Webhook -> Azure Functions with Authentication

John Friesen — Sat, 14 Nov 2020 19:26:21 +0000

Azure Alerts -> Secure Webhook -> Az Functions with Auth

I have been trying to implement Security in Azure Functions a lot recently and in the past but unfortunately, I can never accomplish it based on Microsoft documentation alone.

So, I am creating this article to help anyone trying to do the same with a nice rundown of how to set up a secure webhook between Azure Monitoring Alerts and an Azure Function HTTP endpoint.

1. Create an Azure function in your Subscription. I am calling my functions Alert-Action-Function. Any plan should work to accomplish this as we will only be creating 1 HTTP trigger function and enabling Authentication/Authorization

Run time .NET Core 3.1
Consumptions plan
Windows OS

2. Enable function Authentication/Authorization

Open your function resource and go to the section Settings and open Authentication/Authorization. Than turn App Service Authentication to On
Set Action to take when the request is not authenticated to Log in with Azure Active Directory
Under Authentication Providers click the Azure Active Directory Not Configured
Under Management Mode select Express. Notice the Create App field, this will provide you with an auto-generated App Registry name (I will be adding “AD-App” on the end to make it more clear).
Now click ok and save. Now we have enabled the Authentication part of our function

3. Add a HTTP Trigger function

... to do tests on your setup. I like to write to blob storage so I can view the request body if needed, also b/c you can use this to see if the request is finished in real-time.

Why I do this: Azure Monitoring with Application Insights and diagnostic settings setup properly will take around 5 mins to let you see logs and around 2 mins for metrics... and that is on a good day for Azure.

GitHub repo page for this code here

    using System;
    using System.IO;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Azure.WebJobs.Extensions.Storage;
    using Microsoft.AspNetCore.Http;
    using Microsoft.Extensions.Logging;
    using Microsoft.Azure.Storage.Blob;
    /*
    ************************************************
    NOTE:
        make sure you have your AzureWebJobsStorage Environmental Variable is set when trying to run
        AND
        make sure you add this package

        dotnet add package Microsoft.Azure.WebJobs.Extensions.Storage

    ************************************************
    */

    namespace Company.Function
    {
        public static class HttpTrigger_test_blob_store
        {
            [FunctionName("HttpTrigger_test_blob_store")]
            public static async Task<IActionResult> Run(
                [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
                [Blob("blobverifycontainer")] CloudBlobContainer outputContainer,
                ILogger log)
            {
                log.LogInformation("C# HTTP trigger function processed a request.");

                string requestBody = await new StreamReader(req.Body).ReadToEndAsync();

                /// write to the blob storage
                await outputContainer.CreateIfNotExistsAsync();
                var blobName = Guid.NewGuid().ToString();
                var cloudBlockBlob = outputContainer.GetBlockBlobReference(blobName);
                await cloudBlockBlob.UploadTextAsync(requestBody);

                // return blob name for easy lookup
                return new OkObjectResult(blobName);
            }
        }
    }

4. Configure your AD App registration.

In Azure Active Directory -> App registrations find and open the name from step 2.4 (the express auto-generated name if you didn’t change it)
Maker sure to add yourself as the Owner
Now go to Manifest and you will be adding to the App Roles array in the JSON editor

Replace with provided JSON.

"appRoles": [
    {
        "allowedMemberTypes": [
            "Application"
        ],
        "description": "This is a role for Action Groups to join",
        "displayName": "ActionGroupsSecureWebhook",
        "id": "e14442ab-8bd5-47be-90af-695c413d9761 REPLACE WITH NEW GUID",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "ServiceClient"
    }
],

BUT make sure to replace the id with a new GUID. If you don’t you will get this error!

Things to Note!!!

don’t worry about the tab formatting, after save and you come back it will be done for you. Just make sure your JSON is valid)
IMPORTANT: if you mess up the **appRoles and try to edit it later you may need to first set IsEnabled to “false”, save and then make your changes. This is something I found out the hard way.**

5. ALSO, ensure this (Integrity Check)

Make sure that the Application ID URL has been assigned to the base URL of your Azure Function.

If it has not this will an error when linking this AD App Registration to the Secure Webhook (you will get an azure notification that doesn’t give you a useful message and just says “undefined” error. (I was only able to see the real error was when I when into chrome devtools to investigate the corresponding Network call.)

6. Create Azure Function to Alert on

I created a little NoiseMaker project to be an easy way to test Azure Monitor Alerts in general.
Link this to Application Insights. I named mine NoiseMaker as well.
If nothing is passed to the query string it will return a 418 (“I’m a teapot”. Look it up, it’s real)
Github code is here

using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

namespace Company.Function
{
    public static class HTTP_Noise_Maker
    {
        [FunctionName("HTTP_Noise_Maker")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
        {
            log.LogInformation("C# HTTP trigger function *NoiseMaker* processed a request.");

            string pass = req.Query["pass"];
            string notfound = req.Query["notfound"];

            if (pass == "true")
            {
                var result = new ObjectResult("I'M OK 😁");
                result.StatusCode = StatusCodes.Status200OK;
                return result;
            }
            else if (notfound == "true")
            {
                var result = new ObjectResult("I'M NOT FOUND 😲");
                result.StatusCode = StatusCodes.Status404NotFound;
                return result;
            }
            else
            {
                var result = new ObjectResult("I'M A TEA POT 🍵");
                result.StatusCode = StatusCodes.Status418ImATeapot;
                return result;
            }
        }
    }
}

7. Create your alert

Go to Azure Monitor

Select Resource. I am using the NoiseMaker

Select the Condition. Server Requests are what we want to catch when a 418 happens. (You can do the same for other HTTP response codes as well)

Then...

Now Create the Action Group

Give it a name and add the Secure Webhook Action and Create

Now just finish the Alert Creation form with a Name, Description, Severity and make sure Enabled is checked. Should look like this.

8. Finally, test it

Trigger the NoiseMaker API endpoint a couple of times (either with a browser or Postman), wait a couple of minutes for the alert to show up on the Monitoring Alert page. Then go to the Storage Account linked to your “Alert-Action-Function” you created before and you should see a new blob in “blobverifycontainer” Container.

Let me know this tutorial worked out for you in the comments below. This is my first Dev.to article and I hope it helps but If improvements need to be made (or I just used too many pictures haha) let me know.

Happy Monitoring