Tuesday, 12 September 2023

Get SSL Certificate Expiry Notification on Mail.

There are multiple ways to get SSL certificate expiry details or alerts. We all know how critical the situation becomes when an SSL certificate expires, so it is always best to know before a certificate expires, so that we can take the necessary action and replace it with a new one. This solution concentrates on your SSL certificates and notifies you 30 days before they expire. Make sure you have an active Azure subscription with at least Contributor rights.

Mainly we will be using 3 components from Azure to implement this solution.


1. Create Log analytics service:  

Log in to the Azure portal (Link). From the home page, click Create a resource in the top-left corner, search for Log Analytics Workspace, and click on it.




Click the Create button.
 















Name the resource group and the Log Analytics workspace, and select your region. Click Review + Create.

    1.1. Configure Log analytics.

Once the Log Analytics workspace is created, go to the resource and click the Agents tab.

On the right-hand side, expand the Log Analytics agent instructions; you will get the Workspace ID and Primary Key. Copy them; we will use them in the Automation variables.


Go to IAM and add a role assignment giving the logic app (Managed Identity) the “Log Analytics Reader” role.


2. Create Automation Account:

From the home page, click Create a resource in the top-left corner, search for Automation Account, and click on it.

Select Automation Account and click Create.












Fill the basic details as mentioned below.











Leave the other tabs at their defaults. Hit Review + Create.


2.1. Automation account Configuration:

Once the Automation account is created, go to it and click the Variables tab.







Create variables named WorkspaceID and WorkspacePrimaryKey, with the values copied in step 1, respectively.

Now go to Runbooks --> create a new runbook, fill in the details as mentioned below, then hit Create.










Then copy the PowerShell script from Link and paste it here. Update the URLs array on the very first line with the URLs where you have SSL certificates. Save and publish it.

Now click on Link to schedule.







Then Click on Schedule --> Add a schedule.

Name the Schedule “Every15days”














Select the time zone and recurrence type, then click Create. Your schedule is now created, so every 2 weeks on Monday the script will run and push data into Log Analytics.

Note: Run the runbook manually once or twice and check that it does not give any errors. A successful run also creates data in Log Analytics for our test.
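
For reference, an added example (not the script linked above) of a runbook doing what this step describes: it reads each URL's certificate, computes the days left, and posts the records to the workspace. It assumes the HTTP Data Collector API, which is what the Workspace ID and Primary Key variables are used with; the URLs, the `SSLCertExpiry` log name and the record field names are placeholders chosen here, and `Get-AutomationVariable` exists only inside Azure Automation.

```powershell
# Added example for an Azure Automation PowerShell runbook; not the script linked in the post.
$Urls    = @('https://example.com', 'https://example.org')  # placeholders: your HTTPS endpoints
$LogType = 'SSLCertExpiry'   # assumed custom log name; shows up in the workspace as SSLCertExpiry_CL

# Variables created in step 2.1 (encrypted Automation variables are returned decrypted)
$WorkspaceId = Get-AutomationVariable -Name 'WorkspaceID'
$SharedKey   = Get-AutomationVariable -Name 'WorkspacePrimaryKey'

function Get-CertExpiry([string]$Url) {
    $uri = [Uri]$Url
    $tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
    try {
        # Accept any certificate so expired or untrusted ones are still reported;
        # only the TLS handshake happens here, no data is sent over the connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Url      = $Url
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter.ToUniversalTime().ToString('o')
            DaysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            Error    = $null
        }
    } finally { $tcp.Close() }
}

function Send-LogAnalytics([string]$Json) {
    $body   = [Text.Encoding]::UTF8.GetBytes($Json)
    $date   = [DateTime]::UtcNow.ToString('r')
    # Data Collector API signature: HMAC-SHA256 over this string, keyed with the decoded primary key
    $toSign = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac   = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $sig    = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    $headers = @{ Authorization = "SharedKey ${WorkspaceId}:$sig"; 'Log-Type' = $LogType; 'x-ms-date' = $date }
    $uri = "https://${WorkspaceId}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $body
}

# One record per URL; a failed connection is logged as a record instead of stopping the run
$records = foreach ($u in $Urls) {
    try { Get-CertExpiry $u }
    catch { [pscustomobject]@{ Url = $u; Subject = $null; NotAfter = $null; DaysLeft = $null; Error = "$_" } }
}
Send-LogAnalytics (ConvertTo-Json @($records))
```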

3. Create Logic App (Consumption):

From the home page, click Create a resource in the top-left corner, search for Logic App, and click on it.

Select Logic App and click Create.
















Click the Create button.



















Select the plan type as Consumption and click Review + Create.


3.1. Configure Logic App:


Go to Logic app and enable the System Managed Identity.












Go to your logic app and click Logic App Designer.

Add a Recurrence trigger as mentioned below. Run it every 2 weeks on Tuesday, because the data arrives in Log Analytics on Monday and the logic app fetches it from Log Analytics on Tuesday.










Next, add Run query and visualize results from Azure Monitor Logs.





























Define all the details as mentioned above. You can find the query at the link.

The connection should use Managed Identity.











As the next action, add Send an email from Office365.

Authenticate with your O365 mail ID and password; this creates a connection.

Click on Body; on the right-hand side, under Dynamic content, you will find Attachment Content and Attachment Name. Add them to the body. Replace Email@domain.com with the email ID of the person you want to send this alert to.

Hit Save and run it.





Monday, 1 July 2019

Azure Bastion


Microsoft introduced Azure Bastion on 17th June 2019 as a PaaS service in preview. Azure Bastion (preview) is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure portal. Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your Virtual Network (VNet) using SSL without any exposure through public IP addresses.

Your virtual machines no longer need a public IP to be accessed over the internet, whether by RDP or SSH. Azure Bastion takes care of all of it and is the single point of contact for accessing your VMs over the internet. Making the Bastion host the primary publicly exposed access point helps lock down public Internet exposure and limits threats such as port scanning and other types of malware targeting your VMs.




Important
This public preview is provided without a service level agreement and should not be used for production workloads. Certain features may not be supported, may have constrained capabilities, or may not be available in all Azure locations. See the Supplemental Terms of Use for Microsoft Azure Previews for details.







Architecture












Create Azure Bastion Host


Step 1: Create Azure Bastion resource

Now go to this URL http://aka.ms/BastionHost which will redirect you to the Azure portal with preview features enabled. It looks something like the below picture.





















Now search for Bastion and click on it, as shown below.
 
















Click on Add.




Fill out the information according to your need.




Note: Whether you are creating a new VNet or using an existing one, create one extra subnet for Bastion named “AzureBastionSubnet”. All VMs on that VNet can then be connected to remotely using Azure Bastion, without a public IP.


Once your Azure Bastion is created, you can go to the VM and click Connect; you will get an Azure Bastion option to connect with.













Once you have provided the user name and password of the VM, you can log in to your VM in a new browser tab. Make sure you allow pop-ups for this site.






                                                                                                     

