Azure Insights: Bastion; Active Directory Authentication Library; Terraform variables; Single-node AKS clusters

June 14 2022

Microsoft Azure pros discuss deploying Azure Bastion to a Virtual WAN Spoke, spotting Azure AD-integrated services relying on ADAL, setting up Terraform variables based on DevOps Pipeline variables, and creating single-node AKS clusters on Windows Server.

Deploying Azure Bastion to a Virtual WAN Spoke

Aidan Finn explained how to deploy Azure Bastion in a hub and spoke architecture with a virtual WAN hub, using Bastion to log into VMs in other spokes with RDP or SSH. Even organizations that aim for a PaaS-only Azure deployment end up running VMs: after network security, the usual reasons are DevOps build agents, GitHub runners, or migrated legacy workloads. Customers may also want to “air gap” PCs from servers with tools like Guacamole and RD Gateway. He wrote:

And along came Azure Bastion. At first reading, it seemed ideal. And then we started to discover warts. Many of those warts were cleaned up. Bastion got support for a desktop client through a CLI login. A hub deployment was possible – if you use a VNet-based hub – but it gave Bastion users (including external support staff) a map of your entire Azure network because they had read access to the hub VNet – and all its peering connections. For many of us, that left us with deploying Bastion in every subnet – both costly and a waste of IP space.

Microsoft launched a new Standard tier feature for Bastion called IP-Based Connection that allows users to log into VMs in the same subnet or VNet, on-premises computers, or VMs in other Azure networks. Finn detailed his scenario and the deployment process for both a VNet-based hub and a VWAN-based hub.

Spotting Azure AD-integrated services relying on ADAL

Microsoft MVP Sander Berkouwer, writing on The Things That Are Better Left Unspoken, explained that the deprecation of Azure Active Directory Authentication Library (ADAL), originally slated for June 30, has been extended to December 2022. Microsoft recently released a workbook that lists the versions of the soon-to-be-deprecated library in use.

According to Berkouwer, users should check which apps are integrated with and reliant on ADAL. Users need an Azure subscription in addition to the Azure AD tenant, plus the Global administrator role, and then export Azure AD sign-in logs to a Log Analytics workspace. He advised opening Workbooks in the Azure AD navigation menu and checking the “Apps using ADAL” view.
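As an added example (not from Berkouwer's post or Microsoft's workbook), the following KQL query against the SigninLogs table in the Log Analytics workspace surfaces the same information the workbook shows: it expands the AuthenticationProcessingDetails array, keeps the “Azure AD App Authentication Library” entry the workbook reads, and lists the applications whose sign-ins report an ADAL-family library. The 30-day lookback and the “Family: ADAL …” value format are assumptions about your data; adjust them for your tenant.

```kusto
// Added example: list applications whose sign-ins report an ADAL-family library.
// Assumes Azure AD sign-in logs are already exported to this workspace (SigninLogs table).
SigninLogs
| where TimeGenerated > ago(30d)                       // lookback window: assumption, widen to cover monthly jobs
| where AuthenticationProcessingDetails has "Azure AD App Authentication Library"
| mv-expand Detail = parse_json(AuthenticationProcessingDetails)
| where tostring(Detail.key) == "Azure AD App Authentication Library"
| extend AuthLibrary = tostring(Detail.value)          // e.g. "Family: ADAL Library: ADAL.NET 3.x ..." (format assumed)
| where AuthLibrary has "ADAL"
| summarize SignIns = count(),
            LastSeen = max(TimeGenerated),
            Libraries = make_set(AuthLibrary)
    by AppDisplayName, AppId
| order by SignIns desc
```

An empty result over a window long enough to cover infrequent batch sign-ins is the state you want before the December 2022 deadline; every AppId that does appear is a migration item for MSAL, and the Libraries column tells you which ADAL build each one is pinned to.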

Setting up Terraform variables based on DevOps Pipeline variables

Thomas Thornton explored how to use pipeline variables as part of Terraform variables when deploying a DevOps pipeline.

About MSCN Reporter