I am attempting to automate the creation of a database server and database using an Azure powershell runbook.
I have managed to create the server ok, but when I then try to connect to it to create the database and user, I hit firewall issues.
I cannot find a way to get the IP address of the runbook so I can add a firewall exclusion.
Any help appreciated!
After you create the server add the firewall rule that allows Azure services access to it.
New-AzureSqlDatabaseServerFirewallRule -ServerName [your_server_name] -AllowAllAzureServices
Related
I am trying to wrap up my mind around this process.
I have a SQL Server in azure. This server has a Azure Active Directory Admin enable using an azure group to authenticate using MFA.
Further more, in the same blade, I have enabled the Support only Azure Active Directory Authentication for this server.
Everything works just fine, and I am able to connect to my server by using MFA as I am part of the Active directory.
Now, I am a disaster and most of the time I forget to update my database schema, and when I deploy some tests, everything explodes.
I have been looking around for an automation process to authenticate with azure DevOps and run a sql script every time my release pipeline is triggered.
I came across this documentation
https://learn.microsoft.com/en-us/powershell/module/sqlserver/invoke-sqlcmd?view=sqlserver-ps
Which seems to be just what a need as it has the --InputFile.
but I am having some problems to understand how I can authenticate my release pipeline and perform those changes using an AAD to access the DB without having to expose username and password.
If anyone can help me to understand what its the best approach here iw ill be grateful.
And please if my question is not 100% clear, just let me know and I will explain better
An alternative would be to write a script which will do all the sql queries instead of doing it in pipeline. This way we can using azure ad to authenticate.
Register the sql service to the azure ad then we can get tokens to authenticate the sql queries.
finally run the script in pipeline using command line task
Reference:
how to run script
authenticate using azure ad
I am creating Yaml Pipeline to deploy AAS.
Now I want to know how to add database credentials for AAS while deploying. the Source is Azure sql db and it doesn't have username/pw. It is configured using AAD.
I would like to know various options of configuring this as source for AAS in Powershell script. I would like to avoid using username and p/w if possible.
Currently, AAD credentials are not supported in AAS. You have to connect using a username and password.
I am using VSTS (Visual Studio Team Services, formerly known as Visual Studio Onine) for continuous deployment to an Azure VM using an Azure File Copy task in my build definition.
The problem I am having is that I have an ACL setup on the Azure VM that is only allowing connections from my office for Remote Powershell.
With the ACL in place, the Azure File Copy task fails with an error like "WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that the firewall exception for the WinRM service is enabled and allows access from this computer." With the ACL removed, everything works.
To be clear, this is not a problem with WinRM configuration or firewalls or anything like that. It is specifically the ACL on the VM that is blocking the activity.
So the question is, how can I get this to work without completely removing the ACL from my VM? I don't want to open up the VM Powershell endpoint to the world, but I need to be able to have the Azure File Copy task of my build succeed.
You can have an on-premises build agent that lives within your office's network and configure things so that the build only uses that agent.
https://msdn.microsoft.com/library/vs/alm/release/getting-started/configure-agents#installing
Azure File Copy Task need to use WinRM Https Protocol, so when you enable the ACL, the Hosted Build Agent won't be able access to the WinRM on Azure VM and that will cause Azure File Copy Task fail.
When copying the files from the blob container to the Azure VMs,
Windows Remote Management (WinRM) HTTPS protocol is used. This
requires that the WinRM HTTPS service is properly setup on the VMs and
a certificate is also installed on the VMs.
There isn't any easy workaround for this as I know. I would recommend you to setup your own build agent in your network that can access to Azure VM WinRM.
In the new Azure portal you have the option to use Role Based Access (RBAC). I want to give a user rights to startup and shutdown a virtual machine in Azure. I also don't want that is it possible for this user to create new VM's in Azure so I don't want to make this user Administrator. I gave the user the required rights in the new Azure portal (owner for: the VM, Cloud Service and storage).
When I open PowerShell with the user that has rights on Azure. I first execute the command Add-AzureAccount. After this I execute the following command: Start-AzureVM -ServiceName "MyVM" -Name "MyVM". Then I receive the following error: ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
When I perform this scenario for a Subscription Administrator everything works fine.
Is the described scenario supported by the Azure PowerShell cmdlets? What are possible alternatives?
Thanks in advance
Unfortunately, RBAC through Powershell is currently only available for ARM-resources, i.e. non-"classic" resources in the preview portal, and users needs to have accounts in the Azure AD tenant associated with the subscription. Federated Microsoft accounts will won't work.
I'm trying to deploy services to Azure with a powershell script. They will need access to an SQL database also created programmatically.
For external requests, you can specify firewall rules using:
New-AzureSqlDatabaseServerFirewallRule -ServerName $serverName -StartIpAddress $startIP -EndIpAddress $endIP -RuleName $ruleName
In the portal, you can specify access from inside the network using
"Allowed Services: WINDOWS AZURE SERVICES" [Yes/No] (defaults to No)
How to set the last to "Yes" from powershell?
If you use this command, it accomplishes the same mission. I would recommend using this just in case Azure changes the ip range that references Azure traffic.
New-AzureSqlDatabaseServerFirewallRule -ServerName $AzureSqlServer.ServerName.ToString() -AllowAllAzureServices
If you use the New-AzureSqlDatabaseServerFirewallRule command with the StartIpAddress and EndIpAddress set to 0.0.0.0, the portal will interpret this as "allow windows azure services to access this SQL database."