Month: July 2020

Azure Default Service Principals vs Customer Created

· Leave a comment ·

The other day, a customer asked me to provide the number of Service Principals (SP) in their Azure tenant. Well, that is pretty easy right? Head over to the Azure AD service within the Azure Portal and browse the App registrations (Service Principals) here… But wait, I now want to extract the list of SPs to a file. Great, I can use the following CLI or PowerShell query “az ad sp list” or “Get-AzADServicePrincipal” to retrieve that information. Wait a second… now why do I see nearly 700 SPs in PowerShell, yet when I take a look at the Portal, I can see there are maybe 100 Service Principals at best. This cannot be right! Why is PowerShell/CLI generating a list of nearly 700 Service Principals, whereas the portal only shows me ~100 SPs? Something is up… Let’s take a deeper dive here.

Well, after some research, I ran into the following blog post from fellow Microsoft MVP, Rick Van Rousselt you can find that post HERE. Learning Microsoft creates a handful, ~600 Service Principals that are needed for various Azure services, ie. Azure AD, Office 365, Azure Policy, etc. This ia default behaviour for any Azure tenant, and is common for any tenant.

After you execute the following query (“az ad sp list” or “Get-AzADServicePrincipal“) you can see that for some of these ~600 SPs the Tenant ID does not match my customers… The appOwnerTenantId belongs to a Microsoft/Azure tenant. Interesting….

So how do you figure out which Service Principals are customer created/owned, and how do we differentiate between the customer and Microsoft?

Below is what I did, and this should help you identify which Service Principals belong to you (as the customer) and which belong to Microsoft/Azure.

  $result = az ad sp list --query "[].{ServicePrincipalName:appDisplayName,AppID:appId,TenantID:appOwnerTenantId}" --output table --all -o json | ConvertFrom-Json 
  $result | export-csv -Path "C:\temp\ServicePrincipals.csv"  -NoTypeInformation

Now I can filter the Service Principals based on the appOwnerTenantId to differentiate between customer created versus Microsoft/Azure created.

I hope this helped, and now you know Microsoft/Azure creates hundreds of Service Principals in every Azure tenant that are needed for various services, and roles.

Azure Virtual WAN – Now supports 3rd Party Network Virtual Appliances (NVA)

· Leave a comment ·

Following up on a previous post for Azure Virtual WAN, one of the key items I brought up was that lack of integration for 3rd Party Network Virtual Appliances (NVA) and how you are encouraged to use Azure’s Firewall service. Well, as of today, July 21, 2020, you can now deploy NVA’s within the vWAN. This is great news, as many customers prefer 3rd party firewalls, ie. Palo Alto, CheckPoint, etc.

Looking forward to testing this out.

For more information, read up on the following post HERE.

 

Azure Virtual WAN (Hub-Spoke v2.0)

· 3 Comments ·

Over the past few years I have been promoting customers to adopt the Microsoft/Azure’s Hub-Spoke (Hub and Spoke) network topology and its architecture. Not too long ago (Ignite 2019), Azure has made some significant improvements with their architecture and best practices by introducing “Virtual WAN“. I like to call this new service and evaluation as the new Hub-Spoke architecture version 2.0.

What is Azure Virtual WAN?

Azure Virtual WAN, or vWAN is a networking solution/service that allows you to integrate key functionalities such as networking, routing and security within a single pane. Azure vWAN is really a software-defined (SD) solution of WAN based technologies, and similar to service endpoints, and private links, Azure vWAN leverages the Microsoft network backbone to build a highly-available and high-speed global transit network. These functionalities include branch connectivity such as Site to Site VPNs, Point to Site VPN, ExpressRoute and intra-cloud/transitive networks, Azure Firewall and encrypted private connectivity.

Azure vWAN SKU Type

Microsoft has made it simple with the options you get with Azure vWAN, either basic or standard. Once you deploy Azure vWAN, you can get started with one of the use cases (as mentioned above) and add functionalities as your network evolves.

With Basic, you can only leverage vWAN for a Site to Site VPN connection. However once you go to the Standard SKU, you can now leverage all of the functionalities mentioned above, ie. Site to Site, Point to Site, ExpressRoute and Inter-Hub and VNet to VNet transiting via the vHUB.

Architecture (simplified) Overview

The image below depicts a high level but comprehensive with its capabilities on how Azure Virtual WAN can be integrated for various scenarios. With the “Any to Any” connectivity model, the Global transit network enables to connect your branch offices, remote users, datacenters, Azure VNets to one another. The image and model below, a spoke can be your Azure VNet, or a branch office, or a remote user, or perhaps the Internet. This architecture enables logical one-hop transit connectivity between the networking endpoints.

Source: https://docs.microsoft.com/en-us/azure/virtual-wan/media/virtual-wan-global-transit-network-architecture/figure1.png

Conclusion

The Azure vWAN architecture is a hub and spoke architecture that incorporates scalability, resilience and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2), ExpressRoute circuits, and Azure virtual networks (VNets). There are some excellent benefits of using Azure Virtual WAN within your architecture as it simplifies the overall network topology and provides a handful of opportunities to integrate your on-premises datacenters, branch offices, remote users into a global transit network architecture. There are some limitations I can already see today, and that being not being able to leverage 3rd party network virtual appliances (NVA) such as Palo Alto, Checkpoint, etc., however I am sure that is already within the roadmap.

(more…)