How do I know when my VM is ready to connectWhen you automatically provision VM instances, you might need to know when the initialization has completed so that you can connect to the VM or initiate the next deployment steps. There are a few ways to determine when a VM is ready, so let us explore what these are. Continue »
Creating a CI/CD pipeline with Azure Pipelines and Cloud RunAzure DevOps has come a long way since its humble beginnings as Visual Studio Team System. Especially its CI/CD component, Azure Pipelines, has made some major leaps over the past years and is now actually quite nice to use. Continue »
Goodbye RDCMan, hello IAP DesktopMicrosoft’s Remote Desktop Connection Manager (RDCMan) is gone, it and took the Google Cloud IAP for Remote Desktop plugin with it. But now there is IAP Desktop to supersede both of them. Continue »
Automatically joining a VM to Active Directory on Google CloudCloud computing is all about being able to dynamically scale, provision, and decommission resources or entire environments on demand. But the idea that infrastructure is dynamic clashes with some assumptions Active Directory is built around, and creates a challenge if you run Windows workloads in the cloud. Continue »
Understanding Windows VM initialization on Google CloudOn Google Cloud, a Linux instance boots in about 30 seconds while a Windows instance takes a full 2 minutes to turn up – why is Windows so much slower? Continue »
22 best practices for running Active Directory on Google CloudTwenty years have passed since Microsoft released Windows 2000 and introduced Active Directory to the market. The excitement about Active Directory has certainly ebbed since then – but at the same time, it is difficult to overstate the impact that Active Directory has had on the IT market. Continue »
Creating an image from an ISO fileIf you have been an MSDN, TechNet, or Action Pack subscriber in the past, you probably remember the binders full of discs that Microsoft used to ship. Continue »
Certificate enrollment: Creating a certificate signing request by using CertEnrollHaving covered the basics of certificate enrollment and relevant Windows APIs in previous posts, this post will look at how you can programmatically create a certificate signing requests by using the Certificate Enrollment API (CertEnroll). Continue »
Certificate enrollment: Crypto API, CNG, and other Windows APIsOne thing certreq and the Certificate Manager MMC snap-in have in common is that they rely heavily on Windows’ built-in APIs for managing certificates, encryption, and keys. This post takes a deeper look at which APIs Windows provides for cryptography, key management, certificate management, and certificate enrollment. Continue »
Certificate enrollment: Manually creating a certificate signing requestIn the last post, we looked at how certificates, private keys, and certificate signing requests relate to another. In this post, we’ll look at three common ways to create a certificate signing request (CSR) which can then be submitted to a certificate authority (CA) for signing. Continue »
Certificate enrollment: ConceptsMany of the protocols we use every day rely on certificates. The process to request and obtain a new certificate from a CA is called certificate enrollment. This post explains the basic concepts behind certificate enrollment. Continue »
Authenticating users in tools or desktop appsIf your plan is to develop a tool or desktop app instead of a server-side application, the benefits of application default credentials are less obvious and reusing the user’s personal gcloud credentials instead might seem attractive. But there are some pitfalls. Continue »
Application default credentials vs your personal gcloud credentialsgcloud manages two sets of credentials, your personal credentials and application default credentials. Having two separate credentials might seem redundant and can cause surprises the first time you use one of the Google Cloud client libraries. But the two credentials serve different purposes. Continue »
Installing Remote Desktop Connection Manager as limited userInstalling the Remote Desktop Connection Manager requires administrator privileges. That can be a problem in a corporate environment where you might not have local administrator rights. Fortunately, there is an easy way to overcome this limitation by performing an administrative installation. Continue »
Dealing with credentials when using the Google Cloud client libraries (.NET edition)Google APIs use OAuth 2.0 for authentication and authorization. To call an API, you first have to obtain an access token for the right scope and then pass it to the respective API by using the Authorization HTTP header.
But the trouble with access tokens is that they are short-lived, and you somehow have to deal with expiring tokens…
Continue »
Impact of GCP session length on OAuth clientsOnce you’ve signed in on google.com, the Cloud Console, or any other Google site, your browser session remains valid for multiple days. Not being prompted to sign in over and over again is convenient and at least in typical consumer scenarios, the risk that comes along with keeping the session is limited.
Things can look different in a corporate scenario where users might have access to sensitive data. Keeping sessions alive for 14 days (which is the default) might seem a little risky and might not be in line with an enterprise’s idea of security. G Suite Business and Cloud Identity Premium therefore allow you to change the default session length to a different period such as 8 hours. This setting applies to all Google services, not only GCP.
Recently, Google introduced another way to control session lifetime by allowing you to control the session length for Cloud Console and gcloud sessions.
Continue »
New version of the Cloud IAP plugin for Remote Desktop releasedA few days ago, I released version 1.1.22 of the Cloud IAP plugin for Remote Desktop on Github.
The three main new features in this release are:
Integrating with Cloud IAPIn the last post, we discussed that each request that Cloud IAP passes to a backend appliation contains a X-Goog-Iap-Jwt-Assertion header. This header contains an IAP JWT assertion that looks a bit like an IdToken, but is not an IdToken.
Continue »
Cloud IAP architectureConceptually, you can think of Cloud IAP as a reverse proxy that is deployed in front of your corporate application that intercepts all requests to perform authentication and authorization. Continue »
Cloud IAP and its role in zero-trustAt Google Cloud, we run a series of Cloud Summits each year. A Cloud Summit is essentially a mini-version of Cloud NEXT – it lasts one day, features multiple tracks of technical sessions, and is usually held in a location where there is plenty of space for booths where customers can ask questions.
One question that we frequently get at the Ask an Architect or Ask the Expert booth is about Cloud Identity-Aware Proxy - what is it for, how does it work, and how to use it?
In this series of blog posts, I am going to address these questions, one at a time: