Tech Blog

Virtualization - Cloud

Page 3 of 8

WVD Common Implementation issues

Below are the common WVD build issues which I encountered during implementations

Issue 1 -Unable to create any Host Pool

Error

{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”Conflict”,”message”:”{\r\n \”status\”: \”Failed\”,\r\n \”error\”: {\r\n \”code\”: \”ResourceDeploymentFailure\”,\r\n \”message\”: \”The resource operation completed with terminal provisioning state ‘Failed’.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”DeploymentFailed\”,\r\n \”message\”: \”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningError\\”,\r\n \\”message\\”: \\”VM has reported a failure when processing extension ‘dscextension’. Error message: \\\\”The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_9-11-2020.zip after 29 attempts: Unable to connect to the remote server.\\r\\nMore information about the failure can be found in the logs located under ‘C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.80.1.0’ on the VM.\\\\”\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \\”\r\n }\r\n ]\r\n }\r\n}\”\r\n },\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningError\\”,\r\n \\”message\\”: \\”VM has reported a failure when processing extension ‘dscextension’. Error message: \\\\”The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_9-11-2020.zip after 29 attempts: Unable to connect to the remote server.\\r\\nMore information about the failure can be found in the logs located under ‘C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.80.1.0’ on the VM.\\\\”\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \\”\r\n }\r\n ]\r\n }\r\n}\”\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}”}]}

Root Cause:

There was no internet access for the subnet used for host pool creation

Resolution:

Internet connectivity required for WVD VNET as DSC extension need to download from Azure Websites. The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure and the location of the configuration package (.zip file) if it is stored in a location outside of Azure.

Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

Issue 2: Unable to create Host pool from Custom Image

Error

{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”Conflict”,”message”:”{\r\n \”status\”: \”Failed\”,\r\n \”error\”: {\r\n \”code\”: \”ResourceDeploymentFailure\”,\r\n \”message\”: \”The resource operation completed with terminal provisioning state ‘Failed’.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”DeploymentFailed\”,\r\n \”message\”: \”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningTimeout\\”,\r\n \\”message\\”: \\”Provisioning of VM extension dscextension has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot\\”\r\n }\r\n ]\r\n }\r\n}\”\r\n },\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningTimeout\\”,\r\n \\”message\\”: \\”Provisioning of VM extension dscextension has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot\\”\r\n }\r\n ]\r\n }\r\n}\”\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}”}]

Root Cause

Issue with Image which is captured from existing Host Pool

Resolution

Do not capture image from Hostpool Sessions as this breaks sometimes , always
Take new image from Market Place ->convert to Image ->Create Host pools -> For Host update , again use previous captured image

Issue 3: Host pools are able to create with fresh images but not  with applications installed on Image (custom)

Error

{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”VMExtensionProvisioningTimeout”,”message”:”Provisioning of VM extension joindomain has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot”}]}

Root Cause

Visual studio 2015 & 2017 , customer 3rd part application are blocking to create Host pool – Issue experienced with 2 customers

Resolution

Able to create Hostpools after uninstallation of Visual studio

Windows Virtual Desktop Environment structure

Windows Virtual Desktop is a service that gives users easy and secure access to their virtualized desktops and RemoteApps. This topic will tell you a bit more about the general structure of the Windows Virtual Desktop environment.

Host pools

A host pool is a collection of Azure virtual machines that register to Windows Virtual Desktop as session hosts when you run the Windows Virtual Desktop agent. All session host virtual machines in a host pool should be sourced from the same image for a consistent user experience.

A host pool can be one of two types:

  • Personal, where each session host is assigned to individual users.
  • Pooled, where session hosts can accept connections from any user authorized to an app group within the host pool.

You can set additional properties on the host pool to change its load-balancing behavior, how many sessions each session host can take, and what the user can do to session hosts in the host pool while signed in to their Windows Virtual Desktop sessions. You control the resources published to users through app groups.

App groups

An app group is a logical grouping of applications installed on session hosts in the host pool. An app group can be one of two types:

  • RemoteApp, where users access the RemoteApps you individually select and publish to the app group
  • Desktop, where users access the full desktop

By default, a desktop app group (named “Desktop Application Group”) is automatically created whenever you create a host pool. You can remove this app group at any time. However, you can’t create another desktop app group in the host pool while a desktop app group exists. To publish RemoteApps, you must create a RemoteApp app group. You can create multiple RemoteApp app groups to accommodate different worker scenarios. Different RemoteApp app groups can also contain overlapping RemoteApps.

To publish resources to users, you must assign them to app groups. When assigning users to app groups, consider the following things:

  • A user can be assigned to both a desktop app group and a RemoteApp app group in the same host pool. However, users can only launch one type of app group per session. Users can’t launch both types of app groups at the same time in a single session.
  • A user can be assigned to multiple app groups within the same host pool, and their feed will be an accumulation of both app groups.

Workspaces

A workspace is a logical grouping of application groups in Windows Virtual Desktop. Each Windows Virtual Desktop application group must be associated with a workspace for users to see the remote apps and desktops published to them.

End users

After you’ve assigned users to their app groups, they can connect to a Windows Virtual Desktop deployment with any of the Windows Virtual Desktop clients.

WVD Control Plane and User Connection Flow

Microsoft manages the following Windows Virtual Desktop services as part of Azure:


Web Access

The Web Access service within Window Virtual Desktop lets user’s access virtual desktops and remote apps through an HTML5-compatible web browser as they would with a local PC, from anywhere on any device. Web Access is secured for Diageo users using OKTA multifactor authentication.

Gateway

The Remote Connection Gateway service connects remote users to Windows Virtual Desktop apps and desktops from any internet-connected device that can run a Windows Virtual Desktop client. The client connects to a gateway, which then orchestrates a connection from a VM back to the same gateway.

Connection Broker

The Connection Broker service manages WVD user connections to virtual desktops and remote apps. The Connection Broker provides load balancing and reconnection to existing sessions.

Diagnostics

Remote Desktop Diagnostics is an event-based aggregator that marks each user and administrator action on the Windows Virtual Desktop deployment as a success or failure. WVD Administrators can query the event aggregation to identify failing components as per requirements.

Extensibility components

Windows Virtual Desktop includes several extensibility components. Windows Virtual Desktop can be managed using Windows PowerShell or with the provided REST APIs, which also enable support from third-party tools. WVD team is using Azure ARM/GUI for WVD management for this deployment.

WVD User Connection Traffic flow

WVD uses Reverse Connect, which means that no inbound ports need to be opened on the VM to setup the RDP connection. Once the connection flow proceeds, bidirectional communication between session hosts/host pools will go over port https (443).


Windows Virtual Desktop is a global load balanced service via Azure front-door. This means that the traffic flow always goes via the nearest management control-plane/service location.

User Connection Flow

  1. User launches RD client which connects to Azure AD, Azure MFA, user signs in, and Azure AD returns token
  2. RD client presents token to Web Access, Broker queries DB to determine resources authorized for user
  3. User selects resource, RD client connects to Gateway
  4. Broker orchestrates connection from host agent to Gateway
    RDP traffic now flows between RD client and session host VM over connections 3 and 4

Architecture of Azure Private DNS and name lookup in Azure

Guest Post – Thanks to Marius Sandbu for great information

Azure provides internal name resolution for VMs and role instances (including app services) for all services that reside within a virtual network. When setting up a virtual network it will by default use the internal Azure DNS service.

When you setup a virtual machine within this VNET it will automatically get assigned IP by a DHCP service and DNS lookup services by an internal IP address 168.63.129.16. This IP address is an internal VIP address by Microsoft (Which is only available internally from within Azure) https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16 (Traffic should not be blocked to this IP address, this address is static and will not change)

You can also change the DNS Server scope on a virtual network, but this will not affect other virtual networks that are peered or otherwise connected to the virtual network using VPN or ExpressRoute.

When it comes to providing DNS Servces in Azure, there are a couple of options.

  • Azure built-in DNS (Does not provide any ability to change or update record)
  • DNS Server running IaaS (Provides full flexibility, but requires that you have virtual machines that running to deliver DNS services)
  • DNS Proxy (Having a virtual machine or service which can provide DNS services for services in Azure but authoritative DNS servers are outside of Azure)
  • Azure DNS Private Zones (An internal DNS Service in Azure which can provide DNS lookup within a virtual network, allows you to manage records in Azure)

For more architecture ,download below guide

Difference between NTLM, Kerberos & LDAP authentication

NTLM: Authentication is the well-known and loved challenge-response authentication mechanism, using NTLM means that you really have no special configuration issues. As Microsoft likes to say, “It just works.”


Older than Kerberos, and is for authentication as well. Can still be used as a backup to Kerberos authentication being down.

Kerberos: It’s complex ticket-based authentication mechanism that authenticates the client to the server and authenticates the server to the client. While Kerberos is more secure, it can be a bit challenging to set up properly. Win 2003 with the latest SP can be configured to use either NTLM or Kerberos. Well, besides being more secure, Kerberos has two key advantages that make it worth consideration.


Authentication for ticket based domain authentication i.e. logging into the domain. Replaced NTLM.

Kerberos is the authentication protocol that is used in Windows 2000 and above where as NTLM was used in Windows Server NT 4 ad below. As for LDAP, it is the protocol that is used with Active Directory, Novell Directory Service, and newer Unix systems.. If you have older workstations you may still need to use NTLM, but if you only have Windows Me clients or below you can disable it using Group Policy. Windows 2000 professional and above used Kerberos

LDAP: It is primarily a directory access protocol. They do different things. LDAP has a primitive authentication mechanism called “simple bind” that applications can use to verify credentials if they can’t handle other authentication protocols. It gets tricky because LDAP also includes an extensible authentication framework called SASL that allows alternate authentication protocols to be added.
Protocol to allow other programs to access the Active Directory Framework, used in VBScript extensively. Think of it as a “hole to allow you to peek inside your Active Directory Domain”.

Advantages of Kerberos: Better Security, Faster authentication, Mutual authentication, Kerberos is an open standard, Support for authentication delegation, Support for the smart card logon feature.

  1. Performance – Kerberos caches information about the client after authentication. This means that it can perform better than NTLM particularly in large farm environments.
  2. Delegation – Kerberos can delegate the client credentials from the front-end web server to other back-end servers like SQL Server.
    Work Flows

In Active Directory (AD), two authentication protocols can be used:


NT LAN Manager (NTLM): This is a challenge-response authentication protocol that was used before Kerberos became available. However, an organization may still have computers that use NTLM, so it’s still supported in Windows Server.
Kerberos: This protocol works on the basis of tickets, and requires the presence of a trusted third party.

The basics of how NTLM works

Here’s a step-by-step description of how NTLM authentication works:


• The user provides their username, password, and domain name at the interactive logon screen of a client.
• The client develops a hash of the user’s password and discards the actual password.
• The client sends the username in plain text to the server it wants to access.
• The server sends a challenge to the client. This challenge is a 16-byte random number.
• The client then sends a response to the server. This response is the challenge encrypted by the hash of the user’s password.
• The server sends the challenge, response, and username to the domain controller (DC).
• The DC retrieves the hash of the user’s password from its database, and then encrypts the challenge using it.
• The DC compares the encrypted challenge it has computed (in the above step) to the response of the client. If these two match, the user is authenticated.

NTLMv2 – A big improvement over NTLMv1

NTLMv2 is a more secure version of NTLM (discussed above). It differs from its predecessor in the following ways:


• It provides a variable length challenge instead of the 16-byte random number challenge used by NTLMv1.
• In NTLMv2, the client adds additional parameters to the server’s challenge such as the client nonce, server nonce, timestamp and username. It then encrypts this with the hash of the user’s password with the HMAC-MD5 algorithm. In contrast, in NTLMv1, the client only adds the client nonce and the server nonce to the server’s challenge. It then encrypts this with the hash of the user’s password with the relatively weak DES algorithm.

NTLMv2 gives a better defense against replay attacks and brute-force attacks. However, Kerberos is an even more secure authentication protocol because of its use of encrypted tickets.

How Kerberos works

NTLMv2 – A big improvement over NTLMv1 NTLMv2 is a more secure version of NTLM (discussed above). It differs from its predecessor in the following ways:

Here is the step-by-step process of how Kerberos works:

The user attempts to join the network through the client’s interactive logon screen.
• The client constructs a package called an authenticator which has information about the client (username, date, and time). Except for the username, all the other information contained in the authenticator is encrypted with the user’s password.
• The client then sends the encrypted authenticator to the KDC.
• The KDC immediately knows the identity of the client that has sent the authenticator by looking at the username. The KDC will then look into its AD database for the user’s password, which is a shared secret. It then decrypts the authenticator with the password. If the KDC is able to decrypt the authenticator, it means that the identity of the client is verified.
• Once the identity of the client is verified, the KDC creates a ticket granting ticket (TGT), which is encrypted by a key that only the KDC knows.
• The KDC sends the TGT to the client. The client stores the TGT in its Kerberos tray. It can use this ticket whenever it needs to access a resource on a server on the network (within a typical time limit of eight hours).
• When the client needs to access another server, it sends the TGT to the KDC along with a request to access the resource.
• The KDC decrypts the TGT with its key. This step verifies that the client has previously authenticated itself to the KDC.
• The KDC generates a ticket for the client to access the shared resource. This ticket is encrypted by the server’s key. The KDC then sends this ticket to the client.
• The client saves this ticket in its Kerberos tray, and sends a copy of it to the server.
• The server uses its own password to decrypt the ticket
.

If the server successfully decrypts the ticket, it knows that the ticket is legitimate. The server will then open the ticket and decide whether the client has the necessary permission to access the resource by looking through the access control list (ACL).

Azure AD Connect setup

Guest Post -Thanks to cloudsapient blog

Azure AD Connect Authentication (sign-in) Options:
Below are the four different authentication (sign-in) mechanisms provided by Azure AD when you are using Azure AD Connect, based on your feasibility from security and compliance perspective you can choose the one appropriate. During Azure AD Connect installation wizard you will have the ability to choose one of the authentication mechanism.

1. Password Hash Synchronization (PHS):
–When we install Azure AD Connect with “Express Settings” then Password Harsh Synchronization (PHS) authentication mechanism is the default configuration.
–AAD Connect synchronizes a hash, of the hash, of an AD user’s password from an on-premises AD to Azure AD.
–To synchronize user’s password, Azure AD Connect sync extracts user’s password hash from the on-premises Active Directory. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory.
–PHS process runs every 2 minutes and we cannot modify the frequency of this process.

2.Pass-through Authentication (PTA):
–Users credentials are validated by on-premises Active Directory Domain Controller via AAD Connect Authentication Agent, On-premises AD user’s passwords are not stored in Azure AD in any form.
–For Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect. Pass-through Authentication does not apply to cloud-only users.
–Communication between Authentication Agent and Azure AD is uses certificate-based authentication. These certificates are automatically renewed every few months by Azure AD.
–Microsoft recommends to have more than one AAD Connect Authentication Agent to provide high availability of authentication requests.
–PTA can also be used in conjunction with PHS for high availability scenarios, As per Microsoft “Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You’ll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you’ll require help from Microsoft Support to turn off Pass-through Authentication.”

3. Federation with ADFS:
–In ADFS federation scenario, Azure AD will be redirecting authentication request to ADFS.

4. Federation with PingFederate:
–If you are already using PingFederate in your environment then you may choose this method for authentication. AAD Connect natively supports PingFederate, please refer below official document from PingFederate regarding implementation of this.
https://support.pingidentity.com/s/article/PingFederate-Microsoft-Azure-End-to-End-Integration

Azure Windows VirtualDesktop (WVD) – Step by Step Implementation Guides

WVD Implementation step by step guides in Non ARM(WVD 1.0) and ARM Model (WVD 2.0)

Ref:https://www.christiaanbrinkhoff.com/2020/05/01/windows-virtual-desktop-technical-2020-spring-update-arm-based-model-deployment-walkthrough/#Createahostpool

Quick differences between Azure NetApp Files and Azure Files

Azure NetApp filesAzure Files/ Premium Files
Fully managed, Highly performing enterprise class File Storage Service and easy to integrate with Modern applications like analytics,HPC,AI/ML, VDI  and mission critical application workloadsFully managed File shares Only
Provides both NFS and SMB . NFS versions supportedNFs3,NFSv4, NFSv4.1. SMB versions supported v2.1, v3.0 and v3.1.1.Primarily SMB, supports SMB 3.0 and above. Supports 2.1 but with lot of restrictions in terms of mounting and encryption of data.
Can be natively mounted to Linux machinesLinux distributions need to have SMB kernel client
SLA based tiering in terms of performance – Tiers are Standard, Premium and extremeTiering is storage media based with tier of Premium and standard.
Movement across ANF tiers can be done using Cloudsync. On the fly data in place tier changing in the RoadmapChanging of tiers requires data to be migrated to the new tier using Data migration tools
Minimum deployment is 4TB and max is 100TB max ANF capacity is limited by Storage Account limitation of 500TB.Minimum deployment min 100GB and maximum 100TB. For Standard files max is 5TB only
Max file size is 16TBMax File Size is 1TB only
Performance depends on the selected SLA tier.Max iops per share is 100K only.
Sub-quotas can be set.No quota management, basically works and provisioned capacity level
Snapshots are highly space efficient , included in the price of ANF. Upto 256 snapshots per volume(Snap.0 to snap.255)Snapshots are charged separately and are not space efficient. Snapshot charges $0.22 and $.0075 per used GB/month for Premium and Standard respectively
Data can be replicated using cross region replication ( azure marketing name for Snapmirror replication)No Data replication options
CloudSync can be used in case of NAS or File server as the Source. Very fast and very cost effective and schedule based or one time run options available. CloudSync is free of Cost with ANFData Migration to Azure premium Files/files require a combination of  Migration tools Filesync+AzureDatabox+Robocopy for Windows file server source and Robocopy only for NAS source. Robocopy inherently slow and manual monitoring is required.
Consistent sub milli sec latencyNo latency consistency
Restoration can be easily done through snapshots. NetApp is a pioneer with snapshot technology and proven industry acceptance for more than 25 years.No protection against accidental deletion ( Soft delete is in Preview as we speak and is not a mature technology in Azure)
Instant R/w Cloning with zero space occupancy until a unique write is made. Extremely useful in a devops and test dev environments.No Cloning Capability.Snapshots are the only option available, however they are read only
Compliance and reporting included with ANF. Automated data privacy controls for GDPR, CCPA and many more. Free for ANFVery good compliance template available. However reporting is not robust.

Mapping of Security Controls across Major Cloud Providers Services

ON-PREMISESAWSAZUREGOOGLEORACLEIBMALIBABA
Firewall & ACLsSecurity Groups

AWS Network ACLs
Network Security Groups

Azure Firewall
Cloud Armor

VPC Firewall
VCN Security ListsCloud Security GroupsNAT Gateway
IPS/IDS3rd Party OnlyAzure Firewall3rd Party Only3rd Party Only3rd Party OnlyAnti-Bot Service

Website Threat Inspector
Web Application Firewall
(WAF)
AWS WAF

AWS Firewall Manager
Application GatewayCloud ArmorOracle Dyn WAFCloud Internet ServicesWeb Application Firewall
SIEM &
Log Analytics
AWS Security Hub

Amazon GuardDuty
Azure Sentinel

Azure Monitor
Chronicle Backstory

Event Threat Detection
Oracle Security Monitoring and AnalyticsIBM Log Analysis

Cloud Activity Tracker
ActionTrail
Antimalware3rd Party OnlyMicrosoft Antimalware

Azure Security Center
3rd Party Only3rd Party Only3rd Party OnlyServer Guard
Data Loss Prevention
(DLP)
Amazon MacieInformation Protection
(AIP)
Cloud Data Loss Prevention API3rd Party Only3rd Party OnlyWeb Application Firewall
File Integrity Monitoring
(FIM)
3rd Party OnlyAzure Security Center3rd Party Only3rd Party Only3rd Party Only3rd Party Only
Key ManagementKey Management Service KMS)Key VaultCloud Key Management ServiceCloud Infrastructure Key ManagementKey Protect

Cloud Security
Key Management Service
Encryption At RestEBS/EFS Volume Encryption

S3 SSE
Storage Encryption for Data at RestPart of Google Cloud PlatformCloud Infrastructure Block VolumeHyper Protect Crypto ServicesObject Storage Service
DDoS ProtectionAWS ShieldBuilt-in DDoS defenseCloud ArmorBuilt-in DDoS defenseCloud Internet ServicesAnti-DDoS
Email Protection3rd Party OnlyOffice Advanced Threat ProtectionVarious controls embeded in G-Suite3rd Party Only3rd Party Only3rd Party Only
SSL Decryption
Reverse Proxy
Application Load BalancerApplication GatewayHTTPS Load Balancing3rd Party OnlyCloud Load BalancerServer Load Balancer (SLB)
Endpoint Protection3rd Party OnlyMicrosoft Defender ATP3rd Party Only3rd Party Only3rd Party OnlyServer Guard
Certificate ManagementAWS Certificate ManagerKey Vault3rd Party Only3rd Party OnlyCertificate ManagerCloud SSL Certificates Service
Container SecurityAmazon EC2 Container Service (ECS)Azure Container Service (ACS)Kubernetes EngineOracle Container ServicesContainers – Trusted ComputeContainer Registry
Identity and Access ManagementIdentity and Access Management (IAM)Azure Active DirectoryCloud Identity

Cloud IAM
Oracle Cloud Infrastructure IAMCloud IAM

App ID
Resource Access Management
Privileged Access Management (PAM)3rd Party OnlyAzure AD Privileged Identity Management3rd Party Only3rd Party Only3rd Party Only3rd Party Only
Multi-Factor AuthenticationAWS MFA (part of AWS IAM)Azure Active DirectorySecurity Key EnforcementOracle Cloud Infrastructure IAMApp IDResource Access Management
Centralized Logging

Auditing
CloudWatch

S3 Bucket Logging
Azure Audit LogsStackdriver Logging

Access Transparency
Oracle Cloud Infrastructure AuditLog Analysis with LogDNALog Service
Load BalancerApplication Load Balancer

Classic Load Balancer
Azure Load BalancerCloud Load Balancing

HTTPS Load Balancing
Cloud Infrastructure Load BalancingCloud Load BalancerServer Load Balancer
LANVirtual Private Cloud (VPC)Virtual NetworkVirtual Private Cloud NetworkVirtual Cloud Network (VCN)VLANsVirtual Private Cloud (VPC)
WANDirect ConnectExpressRouteDedicated InterconnectFastConnectDirect LinkVPN Gateway

Express Connect
VPNVPC Customer Gateway

AWS Transit Gateway
Virtual Network

SSTP
Google VPNDynamic Routing

Gateway (DRG)
IPSec VPN

Secure Gateway
VPN Gateway
Governance Risk and Compliance MonitoringAWS Security Hub

AWS Compliance Center
Azure Security Center

Azure Policy
Cloud Security Command Center3rd Party Only3rd Party OnlyActionTrail
Backup and RecoveryAWS Backup

Amazon S3 Glacier
Azure Backup

Azure Site Recovery
Object Versioning

Cloud Storage Nearline
Archive StorageIBM Cloud BackupHybrid Backup Recovery
Vulnerability AssessmentAmazon Inspector

AWS Trusted Advisor
Azure Security CenterCloud Security ScannerSecurity Vulnerability Assessment ServiceCloud Security Advisor

Vulnerability Advisor
Server Guard

Website Threat Inspector
Patch ManagementAWS Systems ManagerAzure Security Center

Update Management
3rd Party OnlyIBM Cloud Orchestrator3rd Party Only3rd Party Only
Change ManagementAWS ConfigAzure Automation (Change Tracking)3rd Party Only3rd Party Only3rd Party OnlyApplication Configuration Management (ACM)
« Older posts Newer posts »

© 2024 Tech Blog

Theme by Anders NorenUp ↑