TL;DR: You can flip an existing ExpressRoute circuit from Standard (or Premium) to Local in minutes, but you’ll need to hop out of the Azure portal and run a couple of Az PowerShell commands. Here’s how we did it. Why bother with the Local SKU? If that sounds like your use-case, read on. The official word Microsoft’s docs spell it out: you can’t make this change in the portal. Use PowerShell or the Azure CLI instead. Microsoft Learn Before you start Run this first to check the current SKU: The output would look something like this: To change the SKU –…
Category: Azure
Leveraging Azure VM System-Assigned Managed Identity to Map Azure Files Without Entra Domain Services
In many organisations, there is a need to map Azure Files shares to Windows virtual machines without deploying a traditional file server or a fully-fledged Entra Domain Services (Azure AD Domain Services) environment. One efficient and secure method is to use the system-assigned managed identity on your Azure VM. This approach eliminates the need to store credentials on the VM and ensures that access to your storage account is governed through Azure RBAC roles rather than static credentials. This guide will walk you through: This solution is especially useful for scenarios like FSLogix profile containers utilising Cloud Cache. By setting…
Assign Microsoft Graph permissions to Azure Managed Identity
I have a user-assigned managed identity in Azure called ‘TestMI’. I want to give this managed identity permissions to run Microsoft Graph PowerShell cmdlets. As a managed identity in Azure, this appears under enterprise applications in Entra. Normally with the old service principals, as these appeared under app registrations, you’d simply go into the Azure portal and navigate to API permissions, where you can assign the necessary Microsoft Graph permissions. But managed identities in Azure are slightly different and fall under enterprise applications. As such, we don’t have the option in the Azure portal to assign API permissions…
Navigating Azure Savings Plans and Reserved Instances – Cost Optimisation
The Azure billing landscape is a labyrinthine one, with its share of twists, turns, and, occasionally, dead ends. For the uninitiated, the path through this maze is fraught with confusion, especially when it comes to optimising costs with Azure Savings Plans and Reserved Instances (RIs). This post aims to clear the fog and elucidate the sequence and strategy for applying these cost-saving mechanisms. Understanding the Lay of the Land At the heart of the matter is understanding how Azure Savings Plans and RIs reduce costs. Azure Savings Plans offer a reduced rate in exchange for committing to a consistent usage…
Microsoft Partner Guide
I get asked this all the time, how do I become a successful partner in the eyes of Microsoft…? You can either have a look here https://learn.microsoft.com/en-us/partner-center/ or below for a summary. Solutions Partner designations The Microsoft Cloud Partner Program offers Solutions Partner designations, which are aimed at demonstrating an organisation’s broad technical capabilities and experience in high-demand Microsoft Cloud solution areas. These designations reflect your ability to deliver successful customer outcomes and are measured by: There are six Solutions Partner designations available, each aligning with a specific Microsoft solution area: To attain a Solutions Partner designation, your organisation must…
Microsoft EA & MCA difference
Difference between Microsoft Enterprise Agreement (EA) and Microsoft Customer Agreement (MCA) Microsoft Enterprise Agreement (EA) The Microsoft Enterprise Agreement (EA) is a three-year commitment-based volume licensing agreement for commercial organizations signing a new enrollment with 500 or more users/devices and government organizations with 250 or more users/devices. EAs offer a number of benefits, including: Microsoft Customer Agreement (MCA) The Microsoft Customer Agreement (MCA) is a transactional volume licensing agreement for organizations with one or more users/devices that want to license Microsoft cloud services and/or on-premises software as needed—with no organization-wide commitment under a single, non-expiring agreement. The MCA offers a…
Azure Network Default Routes
Default routes in Azure can be anything like forced tunneling and advertising 0.0.0.0/0 from on-prem, BGP-based NVAs inside of Azure vWAN hubs, or a FW in the vWAN hub. Here’s how it compares across both Azure vWAN and the traditional Azure vNets. Azure vWAN uses the concept of connections, which connect vNets to vWAN hubs and are where you configure the routes, whereas traditional vNets make use of Route Tables where you configure the routes. While these settings are more or less the same, the slight difference is that with vWAN Propagate Default Route, this allows the default…
Azure Cost Optimization
Ways that you can save money on Azure. Reservations You can scope a reservation to a subscription or resource groups. Setting the scope for a reservation selects where the reservation savings apply. When you scope the reservation to a resource group, reservation discounts apply only to the resource group—not the entire subscription. Single resource group scope — Applies the reservation discount to the matching resources in the selected resource group only. Single subscription scope — Applies the reservation discount to the matching resources in the selected subscription. Shared scope — Applies the reservation discount to matching resources in eligible subscriptions that are in…
Terraform-Azure-Virtual-WAN-no-Azure-Firewall
The Repo This blog focuses on this repo: https://github.com/marckean/Terraform-Azure-Virtual-WAN-no-Azure-Firewall Overview Multi-environment (Prod / Non-Prod / Shared Services) using Azure Virtual WAN, with 3 vWAN hubs in the same region to provide total isolation of the network. This focuses on the Azure side of things, as a second step to this, you would connect to this from on-prem using either ExpressRoute or VPN. Pretty much the requirement here is that Prod can talk to Shared Services, Non-Prod can talk to Shared Services, but Prod & Non-Prod can’t talk to each other. There is total isolation between Prod & Non-Prod. Deployment Instructions [!NOTE] In the real world for large enterprise companies, you would most likely…
Azure Shared Services | Multi environments
I had an enterprise customer that needed to set up a multi-environment (prod/non-prod) Azure network that also comprised a separate Shared Services. The customer needed complete isolation between the Azure prod/non-prod vNets. The Azure Shared Services vNet had to be accessed as a direct connection from the Azure prod/non-prod vNets, but also could be accessed from on-prem directly if needed. Their requirements: Single region end-to-end redundancy This example uses Australia East (Sydney) On-prem datacenter redundancy, multiple ExpressRoute circuits terminating in different ExpressRoute peering locations. Azure vNets to be consolidated within each environment (Prod/Non-prod) using appropriate option (Hub vNet / Azure…

