- Solution Overview
- Configuration and setup for solution
- The Payment Processing Solution (PCI)
- Customer Samples, and monitoring
- Frequently Asked Questions
You are required to create an AAD admin as described in the document. This is necessary because a subscription admin does not automatically receive DS or AAD credentials; this is a security feature that enables RBAC and role separation in Azure.
Role-based access control requires that an administrator grant themselves administrative rights in AAD. Refer to this blog for a detailed explanation: Delegating Admin Rights in Microsoft Azure PowerShell - Connecting to Azure Active Directory using Microsoft Account
Consider reviewing the following articles and blogs: How to install an SSL certificate on Azure Web Sites; Configuring SSL certificate
Many of the features used in the solution are not available in an Azure trial account. You will also need access to manage the subscription in the Subscription Admins role and as a co-administrator of the subscription.
The installation requires a custom domain and SSL certificate to meet PCI DSS requirements and protect client-side traffic from snooping. Microsoft recommends that a custom domain be purchased together with an SSL package. Microsoft offers the ability to create a domain and request an SSL certificate from a Microsoft partner.
This deployment assumes that the VIP address [ASE ILB >> Properties >> Virtual IP Address] assigned to the ASE ILB is 10.0.3.8 (observed behaviour). However, it might change to 10.0.3.9. If the application gateway backend health is listed as unhealthy, verify that the ASE ILB VIP address and the application gateway backend pool targets are the same, and update the application gateway backend pool targets with the ASE ILB VIP (https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway-portal#add-servers-to-backend-pools).
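The following script is an added example, not part of the solution's own scripts: it reports the application gateway's backend health, compares the backend pool targets with the ASE ILB VIP, and rewrites the pool if they differ. It assumes the AzureRM module and an active Login-AzureRmAccount session; the resource group, gateway and pool names are placeholders, and the VIP is the value read from the ASE ILB properties blade as described above.

```powershell
# Added example (not from the original solution): reconcile the Application Gateway
# backend pool with the ASE ILB VIP. Names in brackets are placeholders.
param(
    [string]$ResourceGroupName = "[RESOURCE GROUP NAME]",
    [string]$GatewayName       = "[APPLICATION GATEWAY NAME]",
    [string]$BackendPoolName   = "[BACKEND POOL NAME]",
    # Read from ASE ILB >> Properties >> Virtual IP Address. 10.0.3.8 is the value
    # the document expects, but it may come up as 10.0.3.9 on a given deployment.
    [string]$AseIlbVip         = "10.0.3.8"
)

$gw = Get-AzureRmApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName

# Show the probe result per backend server; "Unhealthy" on the wrong address is the
# symptom described in the FAQ.
$health = Get-AzureRmApplicationGatewayBackendHealth -Name $GatewayName -ResourceGroupName $ResourceGroupName
foreach ($poolHealth in $health.BackendAddressPools) {
    foreach ($settings in $poolHealth.BackendHttpSettingsCollection) {
        foreach ($server in $settings.Servers) {
            "{0}: {1}" -f $server.Address, $server.Health
        }
    }
}

# Compare the configured targets with the VIP and fix the pool if they differ.
$pool    = Get-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name $BackendPoolName
$current = @($pool.BackendAddresses | ForEach-Object { $_.IpAddress })

if (($current.Count -eq 1) -and ($current -contains $AseIlbVip)) {
    "Backend pool '$BackendPoolName' already targets $AseIlbVip; nothing to do."
} else {
    "Backend pool targets ($($current -join ', ')) differ from ASE ILB VIP $AseIlbVip; updating."
    $gw = Set-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name $BackendPoolName -BackendIPAddresses $AseIlbVip
    Set-AzureRmApplicationGateway -ApplicationGateway $gw | Out-Null
    "Updated. Re-run Get-AzureRmApplicationGatewayBackendHealth once the gateway finishes updating."
}
```

Run it after the ARM deployment completes; Set-AzureRmApplicationGateway takes several minutes to apply, so the health check only reflects the new target on the next run.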
Review the 'Configure your global admin for the solution' section of the installation guide
Review 'LOGGING INTO POWERSHELL WITH CORRECT CREDENTIALS' section of the installation guide
NOTE: Strong passwords (Minimum 15 characters, with Upper and Lower case letters, at least 1 number and 1 special character) are recommended throughout the solution.
Currently this solution requires that you deploy in East US. Limited service availability in other regions may prevent the solution from deploying storage accounts or the ASE. This solution was tested with the following resource group:

```powershell
New-AzureRmResourceGroup -Name [RESOURCE GROUP NAME] -Location "East US"
```
The total deployment of the services is estimated to take approximately 1.5 hours from when you select Purchase on the ARM template. The ASE takes 2 hours to provision. How to deploy ASE
This solution, including the scripts, template, and documentation, is designed to help you build a pilot or demo site. Using this solution does not give you a customer-ready, production solution; it only illustrates the components required to build a secure and compliant end-to-end solution. For instance, custom host names, SSL certificates, virtual network address spacing, NSG routing, existing storage and databases, existing enterprise-wide OMS workspaces and solutions, Key Vault rotation policies, use of existing AD admins and RBAC roles, and use of existing AD applications and service principals will all require customization to meet your production-ready solution.
#### The scripts fail to run, I get a permission error XXXX, what do I do next?

The following log-ons should be tested whenever you restart your PowerShell IDE session. This may not be required every time, but it is strongly recommended to ensure the correct credentials are cached in your new session. For this demo, always log in as the admin user in our example.

Logging in to PowerShell as the administrator:

- Connect to your Azure AD service by running the following command, with your admin user such as admin@pcidemo.onmicrosoft.com

```powershell
Connect-AzureAD
```

- Connect to your Azure Active Directory by running the following command, with your admin user such as admin@pcidemo.onmicrosoft.com

```powershell
Connect-MsolService
```

- Connect to your Azure Resource Manager by running the following command, with your admin user such as admin@pcidemo.onmicrosoft.com

```powershell
Login-AzureRmAccount
```

- Retrieve your subscription information by running the following command

```powershell
Get-AzureRmSubscription
```
Once the script has completed you should consider resetting your administrative passwords, including your ADsqladmin and Admin users. The following command can be used to quickly reset passwords in PowerShell:

```powershell
Set-MsolUserPassword -UserPrincipalName [sqladmin@yourdomain] -NewPassword [NEWPASSWORD] -ForceChangePassword $false
```

#### When I run the scripts, I receive the following error: "New-Alias : The alias is not allowed, because an alias with the name 'Login-AzureRmAccount' already exists."

This error is caused by conflicting PowerShell modules. To fix it, uninstall all Azure PowerShell MSI packages and modules, then reinstall a single current version.
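The script below is an added example, not part of the solution's own scripts: it combines the strong-password guidance from the note above (minimum 15 characters, upper and lower case, at least one number and one special character) with the post-deployment reset, generating each new value from the OS cryptographic RNG, applying it with Set-MsolUserPassword, and optionally writing it to Key Vault rather than echoing it to the console. It assumes an active Connect-MsolService session (and a Login-AzureRmAccount session if a vault name is supplied); the user principal names and vault name are placeholders.

```powershell
# Added example (not from the original solution): rotate solution admin passwords
# with CSPRNG-generated values that satisfy the FAQ's password guidance.

$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Index in [0, $Max) from 4 CSPRNG bytes; modulo bias is negligible for the small
    # alphabets used here.
    param([int]$Max)
    $bytes = New-Object byte[] 4
    $script:Rng.GetBytes($bytes)
    return [int]([BitConverter]::ToUInt32($bytes, 0) % [uint32]$Max)
}

function New-StrongPassword {
    param([int]$Length = 20)
    if ($Length -lt 15) { throw "Length must be at least 15 to meet the password guidance." }
    # Ambiguous glyphs (0/O, 1/l/I) are omitted so an operator can read the value back.
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%^&*-_=+?'
    )
    $all = @()
    foreach ($set in $classes) { $all += $set }

    # One character from each class guarantees every required class is present...
    $chars = @(foreach ($set in $classes) { $set[(Get-RandomIndex $set.Length)] })
    # ...then the remainder is drawn from the full alphabet.
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    # Fisher-Yates shuffle so the mandatory characters do not always sit at the front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Reset-SolutionAdminPassword {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [string]$VaultName   # optional: Key Vault in which to record each new secret
    )
    foreach ($upn in $UserPrincipalName) {
        $newPassword = New-StrongPassword
        # Same call the FAQ shows, with a generated value instead of a hand-typed one.
        Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $newPassword -ForceChangePassword $false | Out-Null
        if ($VaultName) {
            # Key Vault secret names allow only alphanumerics and dashes.
            $secretName = $upn -replace '[^0-9a-zA-Z-]', '-'
            Set-AzureRmKeyVaultSecret -VaultName $VaultName -Name $secretName `
                -SecretValue (ConvertTo-SecureString $newPassword -AsPlainText -Force) | Out-Null
            [pscustomobject]@{ User = $upn; StoredIn = "$VaultName/$secretName" }
        } else {
            # No vault given: hand the value to the operator once; do not write it to a log.
            [pscustomobject]@{ User = $upn; NewPassword = $newPassword }
        }
    }
}

# Usage with the placeholder accounts from the FAQ:
# Reset-SolutionAdminPassword -UserPrincipalName 'sqladmin@[yourdomain]', 'admin@[yourdomain]' -VaultName '[KEY VAULT NAME]'
```

Supplying a vault name keeps the plaintext out of the PowerShell transcript and gives the SQL and application configuration a single place to read the rotated value from; without it the script returns the password once and nowhere else.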
The following Azure Marketplace partners offer solutions that can help with continuous compliance efforts.

Security Layer | Azure Marketplace Product(s)
---|---
Continuous Compliance Monitoring | Cloudneeti - Continuous Governance of Azure Assets
Network Security and Management | Azure Marketplace: Network Security
Extending Identity Security | Azure Marketplace: Security + Identity
Extending Monitoring and Diagnostics | Azure Marketplace: Monitoring + Diagnostics
This solution is maintained in three repositories, one private and two public. Currently the Avyan Consulting team provides the development branch of this solution; for any questions or concerns contact azurecompliance@avyanconsulting.com
The current version of the solution is available in preview; no stable build has been committed. Please check back frequently for updates on the official release of this solution. The next pre-release version, fixes, and updates are located at the Avyan Consulting Git Repo