Azure Arc with Defender for cloud

Deploying external server to Defender for Cloud

Deploying those servers can be done with the following methods:

• Using Azure Arc-enabled servers (recommended)
• From Defender for Cloud's pages in the Azure portal

And this is the reason we are talking about Arc as an onboarding tools.

See more here

Connect your non-Azure machines to Microsoft Defender for Cloud

Learn how to connect your non-Azure machines to Microsoft Defender for Cloud

But as many use Azure for your VMs and once you do, you will have some troubles on connecting to some services that are supposed to be used for outside Azure servers, one of them being Azure Arc.

The error?

Add your server to Azure Arc, define RSGs, operating system version and connection type

And generate the script based on these parameters

When you onboard your resource to Arc and download the script, you will get this warning statement, what a huge bummer.

Why this happens?

For a couple of reason and one of them being

VM extensions

Extensions are compact programs that offer automation and post-deployment setup for Azure virtual machines. (VMs). Numerous extensions for VM configuration, monitoring, security, and utility apps are available on the Azure platform. The installation process is made simpler by publishers who take a program and wrap it in an extension.

The agent for Azure Arc-enabled servers cannot handle VM extensions that have already been deployed to the VM, despite the fact that they support many of the same extensions as Azure VMs. So, you have to remove them.

169.254.169.254 or IMDS IP

This IP is commonly used with all Cloud providers and in Azure it will give the VM the following Metadata information: the SKU, storage, network configurations, and upcoming maintenance events and more

So it it will check your Azure VM licensing and activation, this is the reason the blocking is meant for Evaluation purposes only. The following is one thing, you will surely see when you boot the VM for the first time.

See more from Learn

Azure Instance Metadata Service for virtual machines - Azure Virtual Machines

Learn about the Azure Instance Metadata Service and how it provides information about currently running virtual machine instances in Linux.

For AWS https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

For Google https://cloud.google.com/compute/docs/metadata/querying-metadata

How to "fix" it?

Open you VM in Azure portal and choose Extensions from the left-hand pane. If the VM has any installed extensions, choose each one separately, then choose Uninstall.

Then run the following commands inside the VM.

# Set Azure guest agent to disable state Set-Service WindowsAzureGuestAgent -StartupType Disabled -Verbose # Stop the service Stop-Service WindowsAzureGuestAgent -Force -Verbose # Create a Windows Firewall rule to block access New-NetFirewallRule -Name BlockAzureIMDS -DisplayName "Block access to Azure IMDS" -Enabled True -Profile Any -Direction Outbound -Action Block -RemoteAddress 169.254.169.254 

Stopping the service

And the firewall block

And happy times!

And the server will magically appear in the portal

Defender for Cloud view

It takes some time for the server to be seen inside Defender for Cloud inventory.

If you open the server, you will those recommendations (Azure policies) that you should be compliant with based on the resource type

Testing it out

Because it is not a virus and contains no pieces of viral code, it is safe to spread.
It is also brief and easy to construct using a standard text editor because it is solely made up of readable ASCII characters.

As long as the file begins with the first 68 of the following characters and is precisely 68 bytes long, any antivirus program that supports the EICAR test file should be able to identify it in any file:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Read more from Eicar here,

You can down an test malware file here https://secure.eicar.org/eicar.com.txt

Or with this

# Define output file and path $path = "c:\folder\eicar.txt" # Define URI for the source $uri = "https://secure.eicar.org/eicar.com.txt" # Get the file to the path Invoke-WebRequest -Uri $uri -OutFile $path

Once you download (just download, don't have to run anything) the file and disable Defender for Endpoint and Antivirus or exclude the location that the file will be downloaded to, you will see this inside Defender for Cloud

Under alerts under the server, you can see the different alerts

And the details for the alerts and event Threat Information for Eicar

And it will be clearly saying that it's not a real threat https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Virus:DOS/EICAR_Test_File which is kind of funny.

Closure

How cool is that, testing things out in the comfort of your own Azure tenant. Don't have to go far from home to achieve this.

There is also other good news for the masses, masses meaning many SQL in this sentence. You can also onboard all your SQL-servers at scale with Azure Policy

Using Azure Policy to onboard multiple SQL Servers at scale to Azure Arc-enabled SQL Server - Part 1

The demand for deploying agents in bulk on on-premise SQL servers is increasing, and manual deployment of the agent in bulk is a highly time-consuming task. Azure Arc-enabled SQL Server extends Azure services to SQL Server instances hosted outside of Azure: in your data center, in edge site locati…

Happy times and happy Easter to all!

Share this: