Recent Discussions
Understanding Cloud Cost Fluctuations with Power BI
Staying on top of your cloud costs requires regular reviews. There are many ways to slice and dice your cloud costs; one approach I find helpful is comparing daily and monthly cost deltas. Below is a visual from my Power BI report showing how my previous month’s costs compare to the month prior. The visual is filtered to only show delta increases/decreases over $1K. I can quickly see we spent $5K more on Azure SQL Database in the selected month compared to the previous month. I call this my 'large cost swings' graph. I understand that everything is not linear, nor do things translate nicely from one day or month to the next. However, the data has a story to tell. What I ask my team to focus on is the story the data is telling. In this case, we made some modifications to ADF and SQL, leading to a $4K net reduction in costs. Some stories explain the outcome of one or more actions. Then there are those stories which can help shape your future consumption and spending.
Modify the dropdown content in "Link type" for Work Items.
I open a Work Item, try to add a link of another Work Item to it. When we click on Add link, and then select Existing item, in the pop-up we see a drop-down called Link type. In the drop-down, there is a section called Remote Work. Is it possible to edit the dropdown contents? Can I remove the whole Remote Work section and the options under it? Or is it AzDO default and cannot be modified? If it is possible, what special role do I need in AzDO to do this?
Need assistance on KQL query for pulling AKS Pod logs
I am trying to pull historical pod logs using below kql query. Looks like joining the tables; containerlog and KubePodInventory didn't go well as i see lot of duplicates in the output. ContainerLog //| project TimeGenerated, ContainerID, LogEntry | join kind= inner ( KubePodInventory | where ServiceName == "<<servicename>>" ) on ContainerID | project TimeGenerated, Namespace, ContainerID, ServiceName, LogEntrySource, LogEntry, Name1 | sort by TimeGenerated asc Can someone suggest a better query?
an error occurred while accessing this resource
When trying to connect to a remote desktop connection in the Remote Desktop client app i get "an error occurred while accessing this resource." trying from browser (https://client.wvd.microsoft.com/arm/webclient/index.html) is less helpful: I have full owner RBAC on azure as well as the Desktop Virtualization User role i can login to the servers No specific ad join configuration: worth noting, if were to just use RDP to remote onto the server and not use AVD, i have to connect using an azure VPN and login with on-prem AD credentials. When i sign into the AVD platform i am using my entraID credentials.Windows App bug report and feature request
In Windows App for macOS, when the session disconnects due to unexpected condition, such as changing the network, the application often gets stuck and becomes unresponsive, it's like the dialog that's supposed to notify you to close it is hidden in some way, and the only way to continue is to force close Windows App. Also, it would be nice to have some way to send key combinations to remote session that are otherwise bound to a macOS keyboard shortcut, such as Cmd-Space -> WinKey+Space that is often used to switch languages, which is by default bound to Spotlight on mac, so some alternative keybinding for it or some other way to send it to the remote session is needed.Teams in AVD Best Practice?
Hello all, We currently have teams issues related to Teams Updates. I was wondering if there is a best-practice for teams deployment on AVD Multi Session Hosts with FS-Logix (without administative rights for users). Is the New Teams for VDI persistent per-machine installation the right one? How does the upgrade process look like (requires admin rights, complete uninstall/reinstall every 3 month)? Please let me know your best practice.How to update to DesktopVirtualization API v. 2024-04-08-preview or API v. 2024-04-03?
Hello everyone, The information from my side is also not clear. I understand that if ARM templates, Terraform, Bicep, or something similar are not used, it is not necessary, and Microsoft performs that operation transparently. The message is universal, meaning that all customers who have deployed AVD receive it, but they do not know who uses and specifies the API version. For example, when creating an AVD through the Azure portal, you do not specify the API version at any time. If we go to the Resource Provider and look for Microsoft.DesktopVirtualization, we see that the default API cannot be changed and is in version "2privatepreview." Interestingly and crazily enough, even with this default API, if you deploy an AVD, the system chooses an older version. So, if anyone has a clear response from Microsoft or has resolved this, it would be great if they could share it. Regards. At least until Microsoft indicates otherwise, I have conducted several tests in different environments and the result is the same and as follows: I deploy the Hostpool and here we see the Json file of the hostpool, as you can see the API version is 2019-12-10-preview. Now I am going to look inside the parameters used in the deployment and WOW, there we can see that the API used to deploy AVD is the latest one, 24-04-08-preview, which is the one Microsoft indicates to use. The 2019-04-01 is the schema version (another different one). To finish confirming this, we go to Resource Provider and as we see, if we go inside the resource type and select hostpool, we see that the default version that CANNOT be changed is 2022-01-12-preview. But among the eligible versions is the one that has been used for our hostpool deployment, that is, 2024-04-08-preview.How to Monitor New Management Group Creation and Deletion.
I am writing this post to monitor new Management group creation and Deletion using Azure Activity Logs and Trigger Incident in Microsoft Sentinel. You can also use it to Monitor the Subscription Creation as well using this Step. By default, the Dianostic settings for at the management group level is not enabled. It cannot be enabled using Azure Policy or from the Portal interface. Use the below article to enable the "Management Group Diagnostic Settings" Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Learn Below is the screenshot of message body if you like to forward the logs only to the Log analytic workspace where sentinel is enabled. Also make sure you enable the Diagnostic settings at the tenant management group level to track all changes in your tenant. { "properties": { "workspaceId": "<< replace with workspace resource ID>>", "logs": [ { "category": "Administrative", "enabled": true }, { "category": "Policy", "enabled": true } ] } } Once you have enabled the Diagnostic settings, you can use the below KQL query to monitor the New Management group creation and Deletion using Azure Activity Logs. //KQL Query to Identify if Management group is deleted AzureActivity | where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE" | where ActivityStatusValue == "Success" | extend mg = split(tostring(Properties_d.entity),"/") | project TimeGenerated, activityStatusValue_ = tostring(Properties_d.activityStatusValue), Managementgroup = mg[4], message_ = tostring(parse_json(Properties).message), caller_ = tostring(Properties_d.caller) //KQL Query to Identify if Management group is Created AzureActivity | where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE" | where ActivityStatusValue == "Success" | extend mg = split(tostring(Properties_d.entity),"/") | project TimeGenerated, activityStatusValue_ = tostring(Properties_d.activityStatusValue), Managementgroup = mg[4], message_ = tostring(parse_json(Properties).message), caller_ = tostring(Properties_d.caller) This log can also be used to monitor the new subscription creation as well, using the below query AzureActivity | where OperationNameValue == "Microsoft.Management" and ActivityStatusValue == "Succeeded" and isnotempty(SubscriptionId) If you need to trigger incident on sentinel, use the above query in your custom scheduled analytical rule and create alert. Note: Enabling this API on the Mangement group diagnostic logs will also be inherited by the subscriptions downstream on the specific category.Best Practices for Designing a Hub-and-Spoke Architecture in Azure
A Hub-and-Spoke architecture is a widely used networking topology in Azure that helps organizations centralize network management, enhance security, and optimize connectivity. However, designing an efficient Hub-and-Spoke model requires careful planning regarding network security, scalability, and cost optimization. What are the core components of a Hub-and-Spoke architecture in Azure? What factors should be considered when designing the hub (e.g., Virtual Network Gateway, Firewall, Security controls)? What are the key challenges you've encountered while implementing a Hub-and-Spoke architecture in Azure, and how have you addressed them?how to integrate on-prem ADFS with Microsoft Entra App proxy for SSO? please anyone suggest.
i am trying to configure Microsoft Entra App proxy with on-prem ADFS. currently we are using on-prem application site with on-prem ADFS. now i want to publish site via Microsoft Entra App proxy with On-prem ADFS. please anyone suggest.
Azure update Manager - Schedule problem
Hi All I have two Maintenance schedules setup in Azure update manager for patching servers, one runs on the 4th Tuesday of the month and the 2nd runs 4th Thursday of the month. Both contain different servers. The problem I have, the Thursday schedule didn't run last night and I cant work out why. My Tuesday schedule ran fine. Here is my schedule maintenance window settings I have the following updates included. Can anyone help, I just can't work out why its didn't run last night.
LAB: Azure Arc with Private Endpoint
What is Azure Arc? Azure Arc is a set of technologies that extends Azure management and enables Azure services to run across on-premises, multi-cloud, and edge environments. It allows you to manage resources such as servers, Kubernetes clusters, databases, and applications running outside Azure using familiar Azure tools and services like Azure Policy, Azure Monitor, and Defender for cloud. With Azure Arc, you can bring these resources into Azure's control plane, standardize operations, and apply consistent security and governance across your entire IT landscape. This simplifies hybrid and multi-cloud management while leveraging Azure's features, making it easier to innovate and maintain control over your infrastructure. What is Azure Private Endpoint? Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. By using a private IP address from your virtual network, the private endpoint brings the service into your virtual network, ensuring that traffic between your virtual network and the service remains private. This setup eliminates exposure from the public internet, enhancing security. Private endpoints can be used with various Azure services, such as Azure Storage, Azure SQL Database, and Azure Cosmos DB. They provide secure connectivity between clients on your virtual network and the service, using the same connection strings and authorization mechanisms as public endpoint. What are the benefits of configuring private link for your arc machines? Enabling Azure Arc for your machines involves several network and system requirements. Organizations are sometimes concerned about allowing certain public endpoints through their firewall and proxy. In this context, Private Endpoints can be used to ensure that some connections to Azure remain within the Microsoft backbone network. While this service does not eliminate the need for internet connectivity entirely, you will still need to allow public access for Microsoft Entra ID and Azure Resource Manager servers. However, this method significantly reduces the challenge of IP/FQDN whitelisting for internet access. When you create private endpoints in a virtual network for Azure Arc, it will create a resource with Azure Hybrid Compute as the target. Additionally, it will create several private DNS zones and assign them to the private endpoint. The private endpoint will have IPs assigned from the specified virtual network address range. See the screenshot below. These IPs are now directly linked to Azure Arc services, enabling private connectivity through Azure LAB Architectural Diagram LAB Pre-requisites An On-premises machine. (Internet traffic can be directed firewall or proxy for security) On-premises DNS An Azure Subscription VPN/Express-route Connection between On-premises and Azure Infrastructure Understand the Limitations and features The components that will be created as part of LAB A private endpoint which has Hybrid compute as source point Private DNS zones for Azure Arc services A private DNS resolver in Azure. Azure DNS doesnt accesspt dns queries coming from non-azure sources. Hence you need to configure azure private dns zone . You will get a private IP while creating inbound enpoint for resolver. DNS Forwarder need to be created in on-premise DNS to private IP of Azure private DNS resolver's inbound IP Powershell script to onboard machine Azure arc machine : Will be created once on premise machine gets connected to azure arc. Traffic flow There are three kind of traffic flow is involved here. DNS flow: To resolve the domain names of private endpoints Private endpoint flow: Actual traffic to Azure arc services Internet flow: Traffic to Microsoft Entra ID and Azure Resource manager control plane Private endpoint and private DNS Flow Let's suppose the Azure Arc agent initiates traffic to one of the Azure Arc services FQDNs, such as gbl.his.arc.azure.com. On-premises machines need to resolve the FQDN to an IP address, so they send a DNS request to the on-premises DNS server. The DNS forwarder is configured to send *.gbl.his.arc.azure.com DNS queries to the Private DNS resolver configured in Azure. The Private DNS resolver receives the DNS query and resolves it, as these domains are already linked to the virtual network where the resolver resides. Once the on-premises DNS server receives the IP resolution from the Azure DNS resolver, it sends it back to the on-premises machine. Now that the on-premises machine has the IP (private IP), it sends the actual traffic to the IP of the private endpoint. The private endpoint receives the traffic, and since this interface is directly linked to the Azure Arc services (the intended destination), the connectivity is successfully established. Steps: Generate Onboarding script. Private endpoint can be created while generating the script itself. Go to Azure Arc-->Machines-->Create You can select option which best suited for you. I am selecting Add multiple servers. Provide Resource Group,Region,OS details. Create Private endpoint using option provided Provide Virtual Network and subnet for private endpoint Provide or create new service principal. Note secret of service principal Goto Download and run script session. You can copy script and run it directly or you can download script and run it. Please do not forget to update service principal secret in script. You can verify the resources created as part of Private endpoint created There will be three private DNS zones created A private endpoint resource will be created with hybrid compute as target resource Create a private DNS resolver and inbound endpoint in it. Provide necessary details. Add inbound endpoint and click create Note the private IP of inbound endpoint, which is needed to specify DNS forwarder in on-premise Configure DNS forwarder in On-premise DNS Add all three private DNS zone domains Bypass private DNS zone domains (This step is required if you have internet proxy in your infrastructure. Now you are all set to deploy script generated in for onboarding Now you can see the onboarded machine in azure arc portalAzure Course Blueprints
Please refer to the updated document now in Azure Architecture Blog https://aka.ms/courseblueprint Overview The Course Blueprint is a comprehensive visual guide to the Azure ecosystem, integrating all the resources, tools, structures, and connections covered in the course into one inclusive diagram. It enables students to map out and understand the elements they've studied, providing a clear picture of their place within the larger Azure ecosystem. It serves as a 1:1 representation of all the topics officially covered in the instructor-led training. Links: Each icon in the blueprint has a hyperlink to the pertinent document in the learning path on Learn. Layers: You have the capability to filter layers to concentrate on segments of the course by modules. I.E.: Just day 1 of AZ-104, using filters in Visio and selecting modules 1-3 Enhanced Integration: The Visio Template+ for expert courses such as SC-100 and AZ-305 now features an additional layer that allows you to compare SC-100, AZ-500, and SC-300 within the same diagram. Similarly, you can compare any combination of AZ-305, AZ-204, AZ-700, and AZ-104 to identify differences and study gaps. Since SC-300 and AZ-500 are potential prerequisites for SC-100, and AZ-204 or AZ-104 for AZ-305, this comparison is particularly useful for understanding the extra knowledge or skills required to advance to the next level. Advantages for Students Defined Goals: The blueprint presents learners with a clear vision of what they are expected to master and achieve by the course’s end. Focused Learning: By spotlighting the course content and learning targets, it steers learners’ efforts towards essential areas, leading to more productive learning. Progress Tracking: The blueprint allows learners to track their advancement and assess their command of the course material. New Feature: A comprehensive list of topics for each slide deck is now available in a downloadable .xlsx file. Each entry includes a link to Learn and its dependencies. Download links Associate Level PDF Visio Released Updated Contents! AZ-104 Azure Administrator Associate Blueprint [PDF] Template 12/14/2023 10/28/2024 Contents AZ-204 Azure Developer Associate Blueprint [PDF] Template 11/05/2024 11/11/2024 Contents AZ-500 Azure Security Engineer Associate Blueprint [PDF] Template+ 01/09/2024 10/10/2024 Contents AZ-700 Azure Network Engineer Associate Blueprint [PDF] Template 01/25/2024 11/04/2024 Contents SC-300 Identity and Access Administrator Associate Blueprint [PDF] Template 10/10/2024 Contents Specialty PDF Visio Released Updated AZ-140 Azure Virtual Desktop Specialty Blueprint [PDF] Template 01/03/2024 02/05/2024 Expert level PDF Visio Released Updated AZ-305 Designing Microsoft Azure Infrastructure Solutions Blueprint [PDF] Template+ AZ-104 AZ-204 AZ-700 05/07/2024 12/09/2024 Contents SC-100 Microsoft Cybersecurity Architect Blueprint [PDF] Template+ AZ-500 SC-300 10/10/2024 Contents Skill based Credentialing PDF Visio Released Updated AZ-1002 Configure secure access to your workloads using Azure virtual networking Blueprint [PDF] Template 05/27/2024 Contents AZ-1003 Secure storage for Azure Files and Azure Blob Storage Blueprint [PDF] Template 02/07/2024 02/05/2024 Contents Benefits for Trainers: Trainers can follow this plan to design a tailored diagram for their course, filled with notes. They can construct this comprehensive diagram during class on a whiteboard and continuously add to it in each session. This evolving visual aid can be shared with students to enhance their grasp of the subject matter. Introduction to Course Blueprint for Trainers [10 minutes + comments] Real life demo AZ-104 Advanced Networking section [3 minutes] Visio stencils Azure icons - Azure Architecture Center | Microsoft Learn Subscribe if you want to get notified of any update like new releases or updates. My email ilan.nyska@microsoft.com LinkedIn https://www.linkedin.com/in/ilan-nyska/ Celebrating 30,000 Downloads! Please consider sharing your anonymous feedback <-- [~ 40 seconds to complete]
VMs not being added to host pool or AD
I've been provisioning session host monthly for the last year or so, but this month it started to fail. If I use the portal to add session host to a host pool, the VMs get created but most do not get added to the host pool and/or AD. From what I can tell the RDagent and RDagent bootloader are not being installed. If I manually install the two, it gets added to the host pool and I can manually add them to AD. If I create 40 new hosts, about 5 get added to the host pool without joining AD. The remaining 35 don't get the RD agents installed at all. This is new to me, so I'm struggling with how to troubleshoot. I don't know what changed from last month to this month. I've tried using the older golden image and I get the same result, so it doesn't appear to be anything that was installed recently (which would've been Windows patches). I've tried in three different regions; West Europe, Southeast Asia, US East. The inconsistency with the issue is throwing me off. Anyone have any ideas or suggestions on where to look?How to fix error in AVD with VMs not being added to host pool or AD
Problem Several users have commented and posted on different networks about the error that appears when adding virtual machines to their host pool, the error is when the VMs want to join to the AD. The first thing we need to know is that if we add or create a new hostpool (as in my case), the deployment will tell us Azure that everything is correct, that is, as if the machines have joined the AD. Here I show the deployment with everything correct. Now if we check the status of our hostpool machines, we will see that it tells us the total number of VMs and the option of which one we can connect to and which one we cannot. In my case we see that we can supposedly connect to one and not to the other. When testing the connection, it fails on both machines. This is normal since if we check the health status of both we see the following. Basically it tells us that there is a problem joining the domain with the VM. Solution Below I show the solution that has worked for me, from different tenants, different subscriptions that had the same problem. We are going to go to our subscription and in it, in the setting section, we are going to click on Resource provider as shown in the following image. Next we look for the provider "Microsoft.DesktopVirtualization" We select it and then click on "unregister" Now what we are going to do is re-register, that is, we click on "register" Confirm that register is correct again. Now we deploy AVD again and add the VMs we need to our Hostpool, and in this case I have chosen Enter ID to do the Join *you can select your preferens) Validate de new deployment As we see here, the deployment has also indicated that it was correct, so we are going to confirm it. Here we can see that we already have the machines ready for the session. I hope this helps you solve the problems you are having with VMs and hostpools.Best Practices for Designing a Hub-and-Spoke Architecture in Azure
The Hub-and-Spoke architecture is a common networking model in Microsoft Azure, designed to improve security, manageability, and scalability for enterprises and cloud workloads. By centralizing network resources in a hub and connecting multiple spoke virtual networks (VNets), organizations can enforce governance while enabling controlled communication across workloads. However, designing an optimal Hub-and-Spoke architecture requires careful planning to ensure security, performance, and cost efficiency. This post will explore the best practices to help you build a robust and scalable architecture in Azure. 1. Understanding the Hub-and-Spoke Model In this architecture: The Hub serves as the central point for connectivity, hosting shared services like firewalls, VPN/ExpressRoute gateways, and identity services. The Spokes are individual VNets that connect to the hub, typically representing isolated workloads, applications, or business units. Peering is used to establish communication between the hub and spokes, with the option to enable or restrict direct spoke-to-spoke communication. Key Benefit: Centralized management of network traffic, security, and hybrid connectivity. 2. Designing an Effective Hub The hub is the backbone of your architecture, so it must be designed with scalability and security in mind: ✅ Use Azure Virtual WAN if you need a global-scale Hub-and-Spoke deployment with automated routing and traffic management. ✅ Leverage Azure Firewall for centralized security and to enforce traffic control between spokes. ✅ Implement Network Security Groups (NSGs) to restrict inbound/outbound traffic and define granular security policies. ✅ Optimize traffic flow with Route Tables (UDRs) to avoid asymmetric routing and performance bottlenecks. ✅ Ensure high availability by deploying redundant VPN or ExpressRoute gateways in active-active mode. Tip: Avoid placing unnecessary workloads in the hub to prevent performance degradation. 3. Managing Spoke Communication and Isolation Each spoke VNet should be logically and securely isolated while allowing required communication paths. ✅ Limit direct spoke-to-spoke communication by routing traffic through the hub unless specific business requirements demand otherwise. ✅ Use Private Endpoints to securely access PaaS services without exposing them to the public internet. ✅ Enforce Zero Trust principles by using Azure Private Link and restricting access to critical workloads. Tip: Avoid transitive peering unless absolutely necessary; use the hub to manage inter-spoke traffic. 4. Performance and Cost Optimization An efficient Hub-and-Spoke design ensures minimal latency and optimized costs. ✅ Use Accelerated Networking on VMs to enhance throughput and reduce network latency. ✅ Implement Azure Route Server to dynamically manage routes between the hub and spokes. ✅ Monitor network traffic with Azure Monitor and Traffic Analytics to detect bottlenecks and optimize network flow. ✅ Optimize ExpressRoute or VPN usage by choosing the right SKU based on bandwidth and redundancy needs. Tip: Reduce unnecessary traffic through NSG rules and route tables to avoid extra processing costs. 5. Governance and Automation To maintain consistency and reduce human errors, use automation and governance best practices: ✅ Deploy infrastructure as code (IaC) using ARM templates, Bicep, or Terraform for reproducible deployments. ✅ Enforce security policies with Azure Policy to ensure compliance with networking standards. ✅ Use Role-Based Access Control (RBAC) to define strict access levels for managing network resources. ✅ Monitor and log network activity using Azure Sentinel and Azure Monitor to detect anomalies. Tip: Automate network provisioning using Azure DevOps or GitHub Actions for efficiency and consistency. Final Thoughts A well-designed Hub-and-Spoke architecture in Azure provides centralized security, simplified management, and scalable connectivity. However, to maximize its benefits, it's essential to carefully plan network security, routing, and cost optimization while leveraging Azure’s built-in automation and monitoring tools. 🔹 What challenges have you faced when implementing a Hub-and-Spoke model in Azure? 🔹 What best practices have worked well for your organization? Let’s discuss in the comments! 🚀
Recent Blogs
- Azure File Sync enables seamless tiering of data from on-premises Windows Servers to Azure Files for hybrid use cases and simplified migration. It also enables you to leverage the performance, flexib...Feb 21, 2025
- This blog was written in conjunction with Leo Furlong, Lead Solutions Architect at Databricks. Enhancing Security and Connectivity: Azure Databricks SQL, Unity Catalog, and Power BI Integration T...Feb 21, 2025
