Cisco call-home CA Certificate expired on Cisco ASA

In the time I’ve been operating Cisco ASA platforms, I’ve never needed to take advantage of the Cisco call-home feature, either through contractual commitment or through any support calls that I’ve placed with partners.

You can imagine how pleasing it is then to have your ASA alert you weekly in the run up to an expiry and daily on the expiration of a call-home certificate. It’s a vital device in your infrastructure and numbing your responses to its messages is an undesirable outcome.

The message manifests in your inbox with the following text:

<161>Feb 20 2020 07:48:28 UKHQFW01: %ASA-1-717055: The <CA> certificate in the trustpoint <_SmartCallHome_ServerCA> has expired. Expiration <23:59:59 GMT/BST Feb 7 2020> Subject Name <cn=VeriSign Class 3 Secure Server CA - G3,ou=Terms of use at (c)10,ou=VeriSign Trust Network,o=VeriSign\, Inc.,c=US> Issuer Name <cn=VeriSign Class 3 Public Primary Certification Authority - G5,ou=(c) 2006 VeriSign\, Inc. - For authorized use only,ou=VeriSign Trust Network,o=VeriSign\, Inc.,c=US> Serial Number <6ECC7AA5A7032009B8CEBCF4E952D491>

Simply, I’ve no interest in maintaining this construct and feature.
To remove the certificate, use the serial number that matches yours at the end of the above message to complete the below commands – for me “6ecc7aa5a7032009b8cebcf4e952d491” is the correct choice.

crypto ca certificate chain _SmartCallHome_ServerCA
no certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
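To avoid copying the serial number by hand from each alert, here is an added example (not from the original post) that parses the %ASA-1-717055 message quoted above and derives the two removal commands. The sample line is constructed from the message above; the function names and the de-duplication helper are my own.

```python
import re

# Constructed sample line, taken from the %ASA-1-717055 message quoted above
# (escaped commas inside the distinguished names appear as "\," in the syslog text).
SAMPLE_717055 = (
    "<161>Feb 20 2020 07:48:28 UKHQFW01: %ASA-1-717055: The <CA> certificate in the "
    "trustpoint <_SmartCallHome_ServerCA> has expired. Expiration <23:59:59 GMT/BST Feb 7 2020> "
    "Subject Name <cn=VeriSign Class 3 Secure Server CA - G3,ou=Terms of use at (c)10,"
    "ou=VeriSign Trust Network,o=VeriSign\\, Inc.,c=US> Issuer Name <cn=VeriSign Class 3 "
    "Public Primary Certification Authority - G5,ou=(c) 2006 VeriSign\\, Inc. - For authorized "
    "use only,ou=VeriSign Trust Network,o=VeriSign\\, Inc.,c=US> "
    "Serial Number <6ECC7AA5A7032009B8CEBCF4E952D491>"
)

# Syslog header as the ASA emits it: <PRI>Mon DD YYYY HH:MM:SS HOSTNAME: %ASA-SEV-ID: text
HEADER_RE = re.compile(
    r"^<\d+>(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+): %ASA-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Body of message 717055. The DN fields never contain '>', so non-greedy capture is safe.
BODY_717055_RE = re.compile(
    r"The <(?P<kind>[^>]+)> certificate in the trustpoint <(?P<trustpoint>[^>]+)> has expired\. "
    r"Expiration <(?P<expiry>[^>]+)> Subject Name <(?P<subject>.*?)> "
    r"Issuer Name <(?P<issuer>.*?)> Serial Number <(?P<serial>[0-9A-Fa-f]+)>$"
)


def parse_717055(line):
    """Return the fields of a %ASA-1-717055 certificate-expiry message, or None
    for any other line (other message IDs, non-ASA syslog, malformed text)."""
    head = HEADER_RE.match(line.strip())
    if not head or head.group("msgid") != "717055":
        return None
    body = BODY_717055_RE.match(head.group("text"))
    if not body:
        return None
    info = head.groupdict()
    info.update(body.groupdict())
    return info


def removal_commands(info):
    """Build the ASA configuration lines that remove the expired CA certificate.
    The alert prints the serial in upper case; the post uses it in lower case
    in 'no certificate ca', so it is lowered here."""
    return [
        f"crypto ca certificate chain {info['trustpoint']}",
        f"no certificate ca {info['serial'].lower()}",
    ]


def expired_certs(lines):
    """Scan a syslog feed and return one record per expired certificate,
    de-duplicated because the ASA repeats the same alert daily."""
    seen = {}
    for line in lines:
        info = parse_717055(line)
        if info:
            key = (info["host"], info["trustpoint"], info["serial"].lower())
            seen[key] = info
    return list(seen.values())


if __name__ == "__main__":
    # Two identical lines stand in for two days of the daily alert.
    for cert in expired_certs([SAMPLE_717055, SAMPLE_717055]):
        print(f"{cert['host']}: {cert['kind']} cert in {cert['trustpoint']} expired {cert['expiry']}")
        print("\n".join(removal_commands(cert)))
```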

Once you’ve removed that, then you can disable call-home and reporting and finally do a clear configure on call-home.

no call-home
no call-home reporting anonymous
clear configure call-home

This should leave you with an ASA with the call-home feature disabled and no alerts generated by the device.
I hope this helps.

Cisco CCNP Route 300-101 exam preparation


Now, spending time with VIRL, VIRL is not able to do Frame Relay interfaces which is miserable in itself as who uses Frame Relay anyways.
So, to facilitate using Frame Relay, I’ve had to back out to GNS3.
THEN – I find that Hyper-V (enabled for Docker Desktop) and VMware Workstation for running the GNS3 VM are mutually exclusive.
So, it seems the GNS3 VM running on the same host – at distance – as the host that I’ve got for VIRL seems like the right ticket. I’ll update here as I play it out.
It seems a chap has found his own way of running Docker without requiring Hyper-V, but using VMware Workstation.


I’ve chosen to re-certify my Cisco Professional level certifications to maintain an employment advantage.

Out of all the 300-xxx exams, I’ve chosen the Route 300-101 exam because:

  1. I deal with Layer 3 the least on a day to day basis
  2. IPv6 re-education and/or update

Given I currently work least with routing protocols, the Route 300-101 feels like a really good choice for me and I’m really looking forward to the challenge rather than working with relatively familiar Layer 2 technologies. I’m also conscious it’s 2019 and the Route 300-101 has been around for quite some time. With that in mind, I’m not going to commit to booking the exam until July 2019, and whatever is the current version of the CCNP Layer 3 exam then, I’ll commit to taking it in September 2019.

The lab for the Route exam will be everything. There are a few choices to be made in 2019 for working with your lab:

  1. GNS3
  2. EVE-NG
  3. VIRL
  4. Physical Lab

Physical Lab

I’ve owned a physical lab in the past for my original CCNA and CCNP exams. It’s costly – even when buying second hand, requires its own troubleshooting, power and space. That being said, once it was setup, the INE CCIE workbooks made it great to operate. In an age where a great deal of our world is virtualised, I’ve little appetite for going through months of eBay purchases of routers, switches and ancillary devices again. Physical is definitely the least good option here.

Cisco VIRL

I tried out Cisco VIRL a few years back and I wasn’t bought into it.
It had a bad reputation and still carries that with it. Since then, the VIRL team have ironed out some big criticisms. The installation process is now trivial. There’s no need to use VM Maestro any more. As well as the long-standing API, HTML and CLI operations are now possible. VIRL does have a learning curve which is slightly higher than GNS3 and also has a pay-for annual license. Hold on though. Cisco VIRL is available for free on Cisco DevNet. All you need to do is register with Cisco DevNet. If you’ve already got a Cisco CCO account you’re already able to access DevNet with that.
The software available to simulate on DevNet is:

  • IOSxrv 9000 (6.5.1)
  • NX-OSv 9k (9.2.2)
  • CSR1000v (16.9.1)
  • IOSv (15.7.3)

These software images can be deployed with the following topologies, pre-configured in the sandbox:

  • 8 nodes datacenter
  • 2 ios router
  • 9 router mesh
  • extranet

Free and legal is a really low barrier to entry. And if you get your head round it, the annual Personal Edition license becomes less onerous, running it on your own tin or on Packet.

If you’d like some topologies, there are some pre-baked ones available to get you going.
With OpenStack being the orchestrator running on top of Ubuntu, you can run any appliance or VM you desire as long as they are imported as KVM images. Aren’t happy with the appliances in VIRL? Import one.
If you’re familiar with Vagrant, VIRL has a devops style CLI available called virlutils built in Python to help code the entire build up configure, verify and teardown process of your environments.


EVE-NG

EVE-NG is the least familiar to me but has gained interest and support in the networking community. It’s free – assuming you can work in the grey area similar to GNS3 of using proper IOS images to inject into the platform. After spinning it up briefly, I felt the learning curve was a bit much considering I’d already invested time into VIRL and with my conclusion to follow, you’ll see why I chose to leave EVE-NG behind.


GNS3

Finally GNS3, which is well used and known by many engineers but has the grey area around legitimate use of images on the software. My experience with GNS3 this time round is that it’s come on leaps and bounds and should be seriously considered if you’re running your simulations on your laptop or desktop computer.


So, my preference, in order, for learning in 2019 goes:

  • Cisco VIRL – both the Personal Edition (paid, 20 node version) and the Cisco DevNet free version.
  • GNS3 – If I were learning on one device and not in different locations with different devices, I would have chosen GNS3, but this time round it’s my second choice.
  • EVE-NG – Unfamiliarity, learning curve and grey legal use of the image files were the basis for third place in this table.
  • Physical Lab – In 2019, there’s really no need for the physical lab and it shouldn’t be considered. There’s a fringe case to have a single switch kicking around for some PoE operations, but that’s about it.

Automated backups of a standalone Cisco ASA

In 2019, I’m still staggered that an archive feature available in Cisco IOS isn’t available in Cisco ASA code.

That being said, it’s possible to craft some code to take the edge off Cisco ASA devices which may not normally receive frequent administrative attention.

Embedded Event Manager is your friend in this case. A generic use case for EEM can be found here.

In this case though, I want a backup that’s written to an SFTP server infrequently. I would prefer a weekly backup, but in the case of the EEM absolute timer parameters, the only choice is the hh:mm:ss format, so daily it is.

PBUKFW01(config)# event manager applet daily-backup-sftp01
PBUKFW01(config-applet)# event timer absolute time 23:50:00
PBUKFW01(config-applet)# action 0 cli command "copy /noconfirm running-config scp://username:password@;int=inside"
PBUKFW01(config-applet)# output none

Without manually connecting first as a one-off, you’ll find this process fails because the ASA won’t accept the host key fingerprint presented by the server on first connect. To solve that quickly, run the CLI command manually and accept the RSA key if it’s correct.

PBUKFW01#copy running-config scp://infrastructure_sftp:weePAPAgrlrappaz@;int=inside

Source filename [running-config]?

Address or name of remote host []?

Destination username [infrastructure_sftp]?

Destination filename [PBUKFW01/PBUKFW01_Daily.cfg;int=inside]?
Cryptochecksum: fc9c7769 b4617799 58f55347 864f22e9
The authenticity of host ' (' can't be established.
RSA key fingerprint is (SHA256).
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (SHA256) to the list of known hosts.
23777 bytes copied in 4.540 secs (5944 bytes/sec)

The file on the remote server will be overwritten each time by the process, but you’ll have a config file with the most recent running configuration off the ASA in case that ASA goes bad.
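Because the nightly copy overwrites one file, only the latest running-config survives on the server. As an added example (not from the post), here is a small Python rotation routine for the SCP host that keeps dated copies only when the content has actually changed and prunes the oldest; the filename follows the post’s PBUKFW01_Daily.cfg, while the function names and the four constructed config snapshots in the demo are my own.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime


def _sha256(path):
    """Content hash used to decide whether the ASA config really changed."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def archive_if_changed(src, archive_dir, keep=30, stamp=None):
    """Copy src into archive_dir as '<name>.<stamp>' if its content differs from the
    newest archived copy, then prune so that at most `keep` copies remain.
    Returns the new archive path, or None when the config was unchanged.
    `stamp` defaults to the current time; it is a parameter so runs are testable."""
    os.makedirs(archive_dir, exist_ok=True)
    base = os.path.basename(src)
    # Fixed-width timestamps sort lexicographically, newest last.
    archived = sorted(p for p in os.listdir(archive_dir) if p.startswith(base + "."))
    if archived and _sha256(os.path.join(archive_dir, archived[-1])) == _sha256(src):
        return None
    stamp = stamp or datetime.now().strftime("%Y%m%dT%H%M%S")
    dest = os.path.join(archive_dir, f"{base}.{stamp}")
    shutil.copy2(src, dest)
    archived.append(os.path.basename(dest))
    if keep > 0:
        for old in archived[:-keep]:
            os.remove(os.path.join(archive_dir, old))
    return dest


def demo_rotation():
    """Simulate four nightly runs with constructed configs in a temp directory:
    night 2 is identical to night 1 (skipped), nights 3 and 4 change, keep=2.
    Returns (copies written, sorted names left in the archive)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "PBUKFW01_Daily.cfg")
    arch = os.path.join(work, "archive")
    nights = [
        ("20200218T235000", "hostname PBUKFW01\n"),
        ("20200219T235000", "hostname PBUKFW01\n"),
        ("20200220T235000", "hostname PBUKFW01\nno call-home\n"),
        ("20200221T235000", "hostname PBUKFW01\nno call-home\nlogging enable\n"),
    ]
    written = 0
    for stamp, content in nights:
        with open(src, "w") as f:
            f.write(content)  # stands in for the ASA's nightly scp overwrite
        if archive_if_changed(src, arch, keep=2, stamp=stamp) is not None:
            written += 1
    remaining = sorted(os.listdir(arch))
    shutil.rmtree(work)
    return written, remaining


if __name__ == "__main__":
    print(demo_rotation())
```

On a real host, call archive_if_changed on the path the ASA writes to, from cron shortly after the 23:50 EEM timer fires.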

Hope this helps.
Take care.

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 4 – Secure Identities

Secure identities (25-30%)

AZ-100, AZ-101 and AZ-102 are all ceasing in favour of the AZ-103 single exam. See the link to the new exam syllabus – here

On 21st December 2018, MS published a minor change to the AZ-101 exam which removed “Enable MFA for an Azure Tenant” and replaced it with “Enable MFA by using bulk update”.

Implement Multi-Factor Authentication (MFA)

May include but not limited to:
Configure user accounts for MFA;

Enable MFA by using bulk update

Using the MFA portal for your tenant, choose the “Update in bulk” dialogue on the main screen. The portal then requests you upload a CSV file with the following format:


Or you could iterate through a list of users using PowerShell (the MSOnline module, after Connect-MsolService):

# Replace the empty strings with the user principal names to enable
$users = "","",""
foreach ($user in $users) {
    # Build a StrongAuthenticationRequirement that applies to all relying parties
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    # Set-MsolUser expects an array of requirements
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

Configure fraud alerts;

MS Docs state that Fraud Alerts are only specific to the on-premises MFA Server at the time of writing. I’m not 100% clear on this though, so treat with caution.

Configure bypass options;

One-time-bypass is specific to the on-premises MFA server at the time of writing.

Configure trusted IPs;

The feature is available with the full version of Azure Multi-Factor Authentication (Azure AD P1/P2 SKUs), and not the free version for Global Administrators. This feature only works with IPv4 addressing as of January 2019.

Configure verification methods;

Nothing to do with Microsoft and their MFA service specifically, but relevant to all services. Do consider that the tech community at large no longer considers text messaging an acceptable verification method. The ability to compromise service providers’ SS7 signalling is widely known. Hardware tokens or smartphone apps like the Microsoft, Google, LastPass or Duo authenticators are the most appropriate choices.

Manage role-based access control (RBAC);

Duplication! See below.

Implement RBAC policies;

Duplication! See below.

Assign RBAC Roles;

Duplication! See below.

Create a custom role;

Duplication! See below.

Configure access to Azure resources by assigning roles;

Duplication! See below.

Configure management access to Azure;

Duplication! See below.

Manage role-based access control (RBAC)

Owner is a powerful role in Azure RBAC. The key thing is that Owners can also grant further access to a resource they are Owners of. This probably isn’t great for you as the person administering the Azure tenant.
As a Global Administrator, I would suggest it’s much more likely that you’ll be choosing the Contributor role for granting access to resources. It lets you manage everything except access to the resource.

May include but not limited to:
Create a custom role;

When you create a custom role, it appears in the Azure portal with an orange resource icon.

Configure access to Azure resources by assigning roles;

Configure management access to Azure;

It’s difficult to see a great deal of value in this objective. I think it’s still here because the policy forcing all Azure Administrators through MFA is not yet default and until that time it’s useful to know how to configure management access to Azure.

Something that’s not part of the exam objective, but is pertinent, is the “break glass” accounts you should have setup for your Azure tenant.

Troubleshoot RBAC;

Implement RBAC policies;

I can’t find anything about RBAC policies, but Azure Policy does supplement RBAC, so I can only assume this is the intention of the objective.

Here’s the 2018 Ignite session BRK3085 – Deep dive into Implementing governance at scale through Azure Policy

Assign RBAC roles

Implement Azure Active Directory (AD) Privileged Identity Management (PIM)

Ammar Hasayen has a course on Pluralsight all about PIM

May include but not limited to:
Enable PIM;

PIM requires you to purchase Azure AD P2 or EMS E5 (which is a bundle which includes AAD P2) licenses for all the users which need to use PIM.
When enabling PIM, the Global Administrator that enabled PIM is the only user in the tenant who has PIM configuration access. It’s therefore critical that immediately after enabling PIM you at least make all other Global Administrators eligible to be PIM administrators or assign them the role permanently. Again, though not an exam objective, consider your two “break glass” accounts to ensure you don’t lock yourself out of your tenant.

Activate a PIM role;

Configure just-in-time access, permanent access, PIM management access, and time-bound access;

Create a Delegated Approver account;

Process pending approval requests;

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 3 – Implement Advanced Virtual Networking

Implement Advanced Virtual Networking 30-35%

John Savill has a fantastic course on designing an Azure Networking Strategy here. I hold John in high regard and would recommend any of his courses.

Before approaching the following two load balancing objectives, I recommend giving this a read.

Implement application load balancing

Regarding the Application Load Balancer and Load Balancer, I find it useful to draw parallels between these features and the HAProxy project.

HAProxy can get involved in TCP and HTTP flows. The HTTP mode draws parallels to the Azure Application Gateway, the TCP mode to the Azure Load Balancer. There isn’t feature parity, but for the sake of discussion, these are my analogies from HAProxy to Azure services.

May include but not limited to:
Configure Application Gateway and load balancing rules;

The application gateway pricing can be found here. It has a per-hour charge depending on the type (size), nominal data processing and outbound data charges.

The application gateway relies on being deployed in a subnet in a VNet. The VNet doesn’t have to be one of your existing VNets. You can craft a unique VNet for the sole purpose of hosting the Application Gateway. But, if you intend serving data from Virtual Machines or Scale Sets in an existing VNet, the Application Gateway must be in the same VNet as those resources. Using either a new VNet or existing, the subnet used for the Application Gateway should be an empty subnet or a subnet with no other resource types besides Application Gateways.
Each V1 Application Gateway (V2s scale slightly higher but are in preview in Jan 2019), standard or WAF (Web Application Firewall), can be between one and seventy-five VMs (instances). Your subnet should be big enough to cope with each Application Gateway or Gateways and any private frontend IP addresses you might choose to deploy.

Implement front end IP configurations;

Manage application load balancing;

Implement Azure load balancer

May include but not limited to:
Configure internal load balancer, load balancing rules, and public load balancer;

The Azure Load Balancer pricing only applies to the standard SKU; the basic SKU is free. But the features on basic are a little disappointing.

Internal Load Balancer;

To make use of the Internal Load Balancer, you first need to talk about the back-end constructs it can send traffic to. The basic SKU can only back onto Availability Sets, VM Scale Sets and a single VM. The standard SKU does things more as you’d expect.

Public Load Balancer;

For me, a key thing to mention is that you must allow the traffic in any NSGs associated with VNet subnets and/or IaaS VM network interfaces which are in the path of the flow from the Load Balancer (which they see as the Internet) to the IaaS VMs, on the port the Load Balancer is sending traffic to.

Manage Azure load balancing;

Monitor and manage networking

Azure Network Watcher pricing is dependent on your log volumes.

Tim Warner’s course on Pluralsight helps plenty with this subject

May include but not limited to:
Monitor on-premises connectivity;

Network Watcher only really works if you’re using the native Azure VPN Gateway. Any Network Virtual Appliances (NVAs) won’t be diagnosed by the VPN Troubleshoot tool within Network Watcher.

You’ll need a storage account and container to drop the logs for the VPN Troubleshoot tool to start monitoring the connection of the gateway.

You could also stand up a connection monitor from an IaaS VM to an on-premises VM endpoint. This is dependent on the Azure Network Watcher Extension being installed and available on the source IaaS VM.

Use network resource monitoring and Network Watcher;

Network resources? I guess this could count as using a connection monitor instance to monitor to/from a couple IaaS VMs Network Interfaces? Strictly speaking an Azure Network Interface is a resource, and subsequently a network resource. Sorry I can’t bring more clarity on this one.

IP Flow verify can give you a bottom-up view on whether NSGs are getting in the way of a flow you’re troubleshooting.

Effective Security Rules gives you a top-down view on what rules are in effect on any given IaaS VMs Network Interfaces.

Manage external networking and virtual network connectivity;

Integrate on premises network with Azure virtual network

May include but not limited to:
Create and configure Azure VPN Gateway;

From a real world perspective, I’ve operated an Azure Virtual Network Gateway on the “VpnGw1” SKU to an on-premises Cisco ASA running the latest ASA code. My experience wasn’t that pleasant in that we lost VPN connectivity a few times and that forced my hand into considering a Network Virtual Appliance (NVA). We now run a Cisco ASAv10 in Azure with a better track record. The VPN on the Azure side has remained stable with our on-premises ASAs causing us more trouble than the ASAv in Azure, now.

Create and configure site to site VPN;

The exam requires you to understand Azure’s own Virtual Network Gateway (VNG) offering. This exam doesn’t cover any of the Network Virtual Appliances (NVAs) that are in the Virtual Machine marketplace and can be used instead of the VNG, such as Cisco ASAv/CSRv (BYOL) and PaloAlto VM-Series Next Generation Firewall (BYOL).
The Azure VNG is a pair of VMs for high availability that are spun up and invisible to you in the portal, abstracted away into the VNG resource. Whilst it’s possible to use a /29 “GatewaySubnet”, you should choose a /28 or /27 to support the possibility you may choose Azure ExpressRoute at a later date.
Do not apply any Network Security Groups to the “GatewaySubnet” resource.

Configure Express Route;

ExpressRoute exists because, in comparison to Site-to-Site VPNs, it offers:

  • Consistent latency
  • Predictable performance
  • An SLA
  • Redundancy
  • Higher throughput options (9 Gbps maximum)

It doesn’t use the Public Internet to pass your internal traffic to the Azure Virtual Networks, so there’s no IPSec involved in the flow.

Whilst I understand that there are organisations that might choose ExpressRoute because of scale (attaching ExpressRoute to your existing MPLS cloud has benefits) or some other largesse, my steer, if you need access to Azure Virtual Networks, would be to use Site-to-Site VPN constructs using either the Azure VPN Gateway or Network Virtual Appliances (NVAs) wherever possible.

Verify on premises connectivity;

My belief is that both these exam objectives assume you’re using Azure Virtual Network Gateway or Express Route to connect your on-premises network to Azure.

If you are to use Network Performance Monitor for your ExpressRoute circuits, a prerequisite is to have Azure Log Analytics extensions installed at both the on-premises site and the Azure tenant in which the ExpressRoute circuit terminates, to generate data for OMS to report on.

Manage on-premises connectivity with Azure

This could mean either the Azure VPN Gateway or ExpressRoute. ExpressRoute is basically impossible to replicate in your own Azure tenant unless you have your organisation running ExpressRoute into your Managed WAN or on-premises environment.

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 2 – Implement and manage application services

Implement and manage application services (20-25%)

AZ-100, AZ-101 and AZ-102 are all ceasing in favour of the AZ-103 single exam. See the link to the new exam syllabus – here

My background as an IT professional is infrastructure. With that in mind, the intention in this post is to help others with a similar background evolve their understanding of the PaaS or Serverless computing services in Azure.

I’ll start with a comparison of Azure Functions and Logic Apps from

“A popular comparison states that Azure Functions is code being triggered by an event, whereas Logic Apps is a workflow triggered by an event. This is reflected in the developer experience. Azure Functions are completely written in code, which currently supports JavaScript, C#, F#, Node.js, Python, PHP, batch, bash and PowerShell. In Logic Apps, workflows are created with an easy-to-use visual designer, combined with a simple workflow definition language in the code view. Each developer has of course his/her personal preference. Logic Apps is much simpler to use, but this can sometimes cause limitations in complex scenarios. Azure Functions gives a lot more flexibility and responsibility to the developer.”

Azure Logic Apps took its inspiration from the on-premises tool “BizTalk Server”. Up until this point of my career, I’ve never known what BizTalk Server was intended for. Logic Apps operates in a similar iPaaS (Integration Platform as a Service) market space as Dell Boomi and Mulesoft. How well the Microsoft serverless applications perform compared to others, I can’t judge. All said, Logic Apps is Microsoft’s offering in the iPaaS market. If you listen to Steef-Jan Wiggers, he reckons it’s doing alright.

If Logic Apps, as described above, abstract the code away from Function Apps by using a visual designer, Microsoft Flow takes that one step further and provides Software as a Service on top of Logic Apps. Flow operates in a similar product space to IFTTT, but with the ability to leverage Microsoft’s On-Premises Data Gateway.

Bringing it back to the exam subject matter, to allow your Azure serverless applications to communicate with each other and pass data around, you can make use of the Azure messaging services: Azure Event Grid, Service Bus and Event Hubs.

Another comprehensive article about when to use Azure Functions or Logic Apps is available on DZone.

Here’s Sahil Malik’s Pluralsight course on Serverless Computing in Azure;

Before we dive into the exam objectives, I’ve switched round the order that I approach them because it made more sense. Creating Azure Functions before the App Service Plan doesn’t feel like the right way round.
In the exam the learning matter is listed:

  • Configure serverless computing
  • Manage App Service Plan
  • Manage App Services.

To facilitate a more natural progression, I’ve listed the objectives:

  • Manage App Service Plan
  • Configure serverless computing
  • Manage App services

Manage App Service Plan

Here’s Neil Morrisey’s great course on Managing Azure App Service plans;

Azure Functions run inside/on top of App Service Plans (as do many other App Services).
App Service Plans are collections of Virtual Machines which are abstracted away from you creating a Platform as a Service (PaaS).
The plan tier determines the resources available and billing constructs associated with those resources, so you can get on and drop your app or code into Azure.
Azure Logic Apps do not run in App Service Plans and are billed on a consumption model which is based on connectors and integration accounts.

A guiding factor in these App Service Plans is the ACU or Azure Compute Units. You should choose the right plan for you with sufficient compute units and features to achieve your outcome. For exam objectives the S1 tier is the cheapest tier because of the later feature requirements covered in “Manage App Services”.

May include but not limited to:

Configure application for scaling;

Scaling up (larger VM) versus scaling out (more of the same VMs) is the choice you need to make for scaling, for your scenario.

Enable monitoring and diagnostics;

Configure App Service plans;

Configure serverless computing

May include but not limited to:

Manage a Logic App resource;

Stephen Thomas’ courses on Logic Apps could be really helpful

Logic Apps are defined in JSON using the Workflow definition language.

Maybe use this Logic App as a demo to get you warmed up on what the hell a Logic App is!

Then you have both a VS Code and Visual Studio guide for managing the Logic App. This seems like a poor choice to me as Logic Apps lends itself less towards the “developer experience” and more towards a graphical workflow.

Manage Azure Function App settings;

There’s only one mention of Function Apps in these objectives, but do not underestimate the requirement for understanding them. Here’s an old but great use case of Function Apps by Troy Hunt.

Function Apps are created from the Azure Portal, by choosing either “Create a Resource” or “App Services” and choosing “Serverless Function App”. Strangely, you can’t visit the Function App blade and add a Function App from there.

To move data in and out of your Function App using FTP or FTPS, from the Function App blade, navigate through:

Platform Features | Deployment Center | FTP | Dashboard

You are then presented with your FTPS endpoint, app credentials and user credentials for moving content to/from the Function App using FTPS with a client like WinSCP.

Manage Event Grid;

An overview of Azure messaging services; Event Grid, Service Bus and Event Hub here;

Event Grid pricing, like Logic App pricing, is based on a consumption model.
For Event Grid, the first 100,000 operations per month are free.

There are five concepts in Event Grid that get you going, with the bold items being the Event Grid services you configure in Azure.

Events – What happened.
Event sources – Where the event took place.
Event Topics – The endpoint where publishers send events.
Event subscriptions – The endpoint or built-in mechanism to route events, sometimes to more than one handler. Subscriptions are also used by handlers to intelligently filter incoming events.
Event handlers – The app or service reacting to the event.

Manage Service Bus;

Azure Service Bus is another consumption based pricing model. There are certain volumes of use which are included in the base price, and then tiers of charges thereafter.

Manage App services

Again, Neil Morrisey has a great course, this time on Managing App Services

May include but not limited to:

Assign SSL certificates;

SSL Certs are charged per year, per domain. For four times the cost, you can choose a wildcard certificate.

For me, assigning an SSL cert makes the most sense if you’ve configured a custom domain. Please Microsoft, can you develop your services to take advantage of Let’s Encrypt? It feels like rent extraction of a captive audience that certificates cost money in the Azure portal. Delivering HTTPS everywhere is a solved problem. Please?!

Configure application settings;

There’s absolutely no guidance about which settings are pertinent to the exam, but knowing things like Java being mutually exclusive to the other frameworks, 64-bit only being available in the paid tiers, and how to configure the default document settings, seems important.

Configure deployment slots;

Deployment slots are about to change (January 2019) but for now, continue to use whatever is not preview for the context of the exam.

Configure Azure content delivery network (CDN) integration;

Azure CDN is a consumption or usage pricing model.

Azure CDN feels not entirely dissimilar operationally to how DNS works with its TTL, caching and clearing of cache/purging.

A CDN profile is a collection of endpoints within the same pricing tier.
An endpoint is a name within <endpointname> that caches your resources.

Manage App Service protection;

Benjamin Culbertson’s course on protecting your Azure App service here;

You can protect access to your Web Apps very easily by choosing Azure Active Directory as your identity source. Google, FB etc, don’t look tough either as they are all choices in the turnkey Authentication/Authorisation service blade.

Backing up your app requires you to choose where and when. The where is which storage account to backup to and the when is either manually at your leisure or via a schedule.

Manage roles for an App service;

Create and manage App Service Environment

It’s weird this objective comes under “Manage App Services”. I can’t think why it isn’t under the first subject in this post “Manage App Service Plan”.
Anyway. App Service Environments (ASEs) are for when things get serious. You could be subject to governance that determines that you must run your workload in an isolated environment with worker VMs that are in no way shared with other Azure customers. ASEs can have Virtual IPs that are Internal or External. The language is that “Isolated” App Service Plans and ASEs are the same thing. Currently if I choose an App Service Plan and select Isolated as the pricing tier, I’m told that’s not supported. I’ve tried multiple regions and OSs but can’t select Isolated.
My take is that you get the outcome intended for the Isolated App Service Plan tier from going through the ASE blade and choosing the External Virtual IP.

ASEs, like VPN Gateways and Application Gateways require their own subnet. Having spent the time authoring these AZ-10x posts, it now seems critical that one understands upfront that there’s quite a few scenarios where single use subnets are required for Azure services. Don’t make your Azure VNet a /24 address space!

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 1 – Evaluate and perform server migration to Azure

AZ-100, AZ-101 and AZ-102 are all ceasing in favour of the AZ-103 single exam. See the link to the new exam syllabus – here

After a friend on Reddit posted the recent Ignite video for the AZ-100 exam, I went looking for the AZ-101. As before, it would be a good idea to start here and hear from the horse’s mouth before starting on your journey.

Also, please consider this guide from Skylines Academy for your PowerShell skills to bolster your competency on Azure and for the AZ-10x exams.

Evaluate and perform server migration to Azure (15-20%)

From an Azure service perspective, this module is three services:
Evaluate = Azure Migrate
Perform = Azure Site Recovery into an Azure Recovery Services Vault

Azure Migrate does the cost and technical analysis about how much your invoice for the workload will be once it’s in Azure and whether the chosen workloads are compatible with Azure.
Azure Site Recovery (at the source) is used to protect the workload and to carry out the migration itself, which is a failover operation executed from the Recovery Services Vault (destination) blade and never fails back to the source site.

Evaluate migration scenarios by using Azure Migrate

Azure Migrate is focused on analyzing workloads for migration into Azure and is currently constrained to VMware vSphere analysis. Azure Site Recovery Deployment Planner is used for other workloads.

As I write this, I cannot see any PowerShell that drives Azure Migrate using the AzureRM module. The new Az module may include commands, but for the exam in the early part of 2019 I don’t believe the Az command set will be in scope, yet. See the AzureRM to Az announcement here.

May include but not limited to:

Discover and assess environment;

Azure Migrate projects are now available in Europe and Asia, rather than just the US. The Azure Migrate project isn’t “where your VMs go”, it’s just where the analysis of your assessment is done.

Identify workloads that can and cannot be deployed;

Recent changes to Azure Site Recovery allow Windows 2012R2 and later VMs that are using a UEFI boot type to be converted to BIOS as part of the migration. Sadly though, everything else is still unsupported if the VM boot type is UEFI, for now.

Identify ports to open;

This is very simple in that TCP/443 is your friend, unless you’ve configured custom ports on your on-premises vSphere vCenter server.

Identify changes to network;

This is tough to interpret, and the only reading that works for me is the work you might do in the migration stage around changes to the VMs’ network interfaces or Windows Firewall. Can you imagine doing all the work and then finding the Windows Firewall is blocking RDP requests from the Internet on the “Public” profile? It’ll all be there; it’s just that some local config is rejecting your connection attempts. In addition, the previous link about opening ports should suffice.

Identify if target environment is supported;

This is really difficult to interpret, but my assumption is that this page best fits.

Setup domain accounts and credentials;

Migrate servers to Azure

Recovery Services Vaults provide data services for protection and recovery. Azure Site Recovery, which gets deployed in the environment where the workload resides, includes technology that was part of an acquisition by Microsoft in 2014.

May include but not limited to:

Migrate by using Azure Site Recovery (ASR);

There are many PowerShell commands for the Azure Site Recovery service. The current module for AzureRM seems to be AzureRM.SiteRecovery.

Migrate using P2V;

Configure storage;

Create a backup vault;

Prepare source and target environments;

Backup and restore data;

Deploy Azure Site Recovery (ASR) agent;

Prepare virtual network;

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 5 – Manage Identities

AZ-100, AZ-101 and AZ-102 are all ceasing in favour of the AZ-103 single exam. See the link to the new exam syllabus – here

Part 5 of 5, linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam, with content that matches the objectives.

Manage identities (15-20%)

Manage Azure Active Directory (AD)

May include but not limited to:
Add custom domains;

configure Azure AD Identity Protection, Azure AD Join, and Enterprise State Roaming;

configure self-service password reset;

implement conditional access policies;

manage multiple directories;

perform an access review

Manage Azure AD objects (users, groups, and devices)

May include but not limited to:
Create users and groups;

manage user and group properties;

# Dump the user object, including any directory extension attributes, as JSON
(Get-AzureADUser -ObjectId $UserId).ToJson()
# Set a directory extension attribute; the GUID in the name is the application ID (hyphens removed) of the app that registered the extension
Set-AzureADUserExtension -ObjectId $UserId -ExtensionName "extension_0380f0f700c040b5aa577c9268940b53_MyNewProperty" -ExtensionValue "MyNewValue"

manage device settings;

perform bulk user updates

Implement and manage hybrid identities

May include but not limited to:
Install and configure Azure AD Connect;

configure federation and single sign-on;

Single Sign On

manage Azure AD Connect;

manage password sync and writeback

Password Sync

Password Writeback

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 4 – Configure and Manage Virtual Networks

AZ-100, AZ-101 and AZ-102 are all ceasing in favour of the AZ-103 single exam. See the link to the new exam syllabus – here

Part 4 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

There’s an addition I’d like to make for this objective, and that is service endpoints.

It seems important to grasp this concept if your posture is one of using Azure services without exposing them to the Public Internet.

The new Azure Firewall, which deserves a post in its own right, is also in preview as of August 2018.

As does Azure Virtual WAN (or SD-WAN to everyone else in the world).

Configure and manage virtual networks (20-25%)

Below is content which matches the objectives for virtual networks.

Create connectivity between virtual networks

May include but not limited to:
Create and configure VNET peering;

create and configure VNET to VNET;

verify virtual network connectivity;

create virtual network gateway

Implement and manage virtual networking

May include but not limited to:
Configure private and public IP addresses, network routes, network interface, subnets, and virtual network

Configure name resolution

May include but not limited to:
Configure Azure DNS;

configure custom DNS settings;

configure DNS zones

Create and configure a Network Security Group (NSG)

May include but not limited to:
Create security rules;

associate NSG to a subnet or network interface;

identify required ports;

evaluate effective security rules