Tag: Azure

  • My Essential IT Troubleshooting Guide

    Simple Explanations for Real World Problems

    One of my favorite seasons of my life. Serving the city, keeping critical systems alive, and learning the foundations that shaped who I am as an engineer today. Every console screen taught me something new and every problem strengthened my desire to help others through technology.

    My Essential IT Troubleshooting Guide

    In every company I have worked for, the tools that saved the day were not fancy dashboards but simple commands and fundamentals I could trust.
This is my personal troubleshooting arsenal, written so even a non-technical reader can follow the logic behind what I do.

    Each section answers three things
    • What it is
    • Why it matters
    • How I use it in real life


    Name Resolution Basics

    A record

    What
• An A record is a phone book entry that says “this name belongs to this IP address.”

    Why
    • Users remember names better than numbers. If the A record is wrong or missing, they land in the wrong place or nowhere.

    How I use it
    • When a site is not loading, I ping the name and check if the IP address matches what we expect.
    • If it does not, I fix the A record in DNS and wait for it to replicate.


    CNAME

    What
    • A CNAME is a nickname that points one name to another name.

    Why
    • It lets you move services without breaking users. The public name stays the same while the target changes behind the scenes.

    How I use it
    • For services like autodiscover or app portals, I often see CNAMEs that point to Microsoft or another provider.
    • When something breaks after a cutover, CNAMEs are one of the first things I verify.


    DNS

    What
    • DNS is the global phone book that turns names into IP addresses.

    Why
    • If DNS fails, everything feels broken. Browsers, Outlook, file shares, all of them depend on DNS.

    How I use it
    • I run nslookup name.company.com to see which DNS server is answering and what IP it returns.
    • If users in one site can reach something and other users cannot, I compare DNS answers between locations.


    Hosts file

    What
    • The hosts file is a tiny local phone book on the computer.

    Why
    • It overrides DNS for that machine. One bad line can send traffic to the wrong place.

    How I use it
    • Location on Windows

    C:\Windows\System32\drivers\etc\hosts

    • I open it with Notepad as administrator.
    • If someone hard coded a testing IP and forgot about it, I comment it out or remove it, then flush DNS.

    Flush cache

    ipconfig /flushdns
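Added example (not from the original post): a PowerShell check that lists every active hosts-file entry on the machine and compares it with the real DNS answer, so a forgotten test override or a hijacked entry stands out before you edit anything. It assumes Windows PowerShell 5.1 or later with the built-in DnsClient module (Resolve-DnsName).

```powershell
# Audit the local hosts file against DNS. Read-only: nothing is modified.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Parse active (non-comment) lines into Name/HostsIP pairs; one line may list several names
$entries = Get-Content -Path $hostsPath | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()        # drop trailing comments and whitespace
    if (-not $line) { return }               # blank or comment-only line
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { return }       # an IP with no name is not a usable entry
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        [pscustomobject]@{ Name = $name; HostsIP = $parts[0] }
    }
}

$report = foreach ($e in $entries) {
    # Skip the loopback names Windows ships with by default
    if ($e.Name -in @('localhost', 'broadcasthost')) { continue }

    # -DnsOnly -NoHostsFile asks the DNS server directly instead of the local hosts file,
    # so we see what the rest of the network resolves the name to
    $dnsIPs = @()
    try {
        $dnsIPs = @(Resolve-DnsName -Name $e.Name -Type A -DnsOnly -NoHostsFile -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' } |
                    ForEach-Object { $_.IPAddress })
    } catch { }   # NXDOMAIN or no DNS server: treat as "no answer"

    $status = if ($dnsIPs -contains $e.HostsIP) { 'matches DNS' }
              elseif ($dnsIPs.Count -eq 0)     { 'no DNS answer; hosts file is the only source' }
              else                             { "OVERRIDE: DNS returns $($dnsIPs -join ', ')" }

    [pscustomobject]@{ Name = $e.Name; HostsIP = $e.HostsIP; Status = $status }
}

$report | Format-Table -AutoSize
```

Rows marked OVERRIDE are the ones to review with whoever owns the machine; after you comment an entry out, run ipconfig /flushdns so the resolver cache stops serving the old answer.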


    Nbtstat and TCP IP

    What
    • Nbtstat is an older tool for NetBIOS name resolution.
    • Hard coded TCP IP means a manual IP instead of DHCP.

    Why
    • Nbtstat helps when legacy name lookups act strange.
    • Hard coded IPs can cause conflicts or make VLAN changes painful.

    How I use it
    nbtstat -n to see local NetBIOS names.
    nbtstat -c to see the name cache.
    • When I find static IPs on client machines, I document them and move them to DHCP reservations so the network is easier to manage.


    Network control panel shortcut

    I still use this every week

    From Run

ncpa.cpl

    It opens the Network Connections window so I can quickly check adapters, enable or disable, or look at IPv4 settings.


    DHCP Essentials

    What
    • DHCP hands out IP addresses, gateways and DNS to clients.

    Why
    • If DHCP fails, users cannot get on the network or suddenly have duplicate addresses.

    Best practices
    • Use at least two DHCP servers where possible.
    • Define scopes with correct gateway and DNS.
    • Use reservations for printers and key servers.

    Commands I use on clients

    ipconfig /release
    ipconfig /renew

    If a user can reach the internet but not internal resources, I check that DNS from DHCP is internal and not a public resolver.


    MX, Autodiscover and Mail Flow

    MX record

    What
    • MX tells the world which server receives mail for your domain.

    Why
    • If MX points to the wrong place or has a low priority backup you forgot, email can vanish or queue.

    How I use it
    • I use MXToolbox to check MX records and verify that they point to Exchange Online or the correct email gateway.

    Autodiscover

    What
    • Autodiscover tells Outlook where to find the mailbox and settings.

    Why
    • A broken autodiscover record means constant password prompts or profile creation failures.

    How I use it
    • I verify the Autodiscover CNAME or SRV record.
    • I test with Outlook connectivity tools or Test-OutlookConnectivity when available.

    Hunting spam engines and bad SMTP

    Where malware hides
    • In browser extensions
    • In Outlook add-ins
    • In unknown services or scheduled tasks that send mail through SMTP

    How I clean it without reimaging
    • Check Outlook add-ins and disable anything suspicious.
    • Run msconfig and Task Manager to review startup items and tasks.
    • Review SMTP logs on the server to see which host is sending unexpected traffic.


    Certificates and SSL in Hybrid Environments

    Internal web apps depend on trusted certificates so browsers know the site is safe. When an SSL certificate expires, internal apps stop working and Chrome or Edge show warnings.

    Why we create new SSLs
    • Internal web apps must be trusted.
    • Intranet portals and legacy apps often stop working when an internal CA certificate expires.
    • Externally issued certs from DigiCert or GoDaddy are already trusted by browsers.

    PowerShell to generate a CSR example

    $csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.contoso.com" `
    -DomainName "mail.contoso.com","autodiscover.contoso.com"
    Set-Content -Path "C:\Certs\mail_csr.req" -Value $csr
    

    After the CA signs it, import

    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content "C:\Certs\mail_cer.cer" -Encoding byte -ReadCount 0)) -PrivateKeyExportable $true
    

    Enable for necessary services

    Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS,POP,IMAP
    

    Where I keep it
    • C:\Certs or another controlled folder
    • Never leave certificates scattered in Downloads

    Core servers
    • I open Task Manager with Ctrl Shift Esc
    • File, Run new task, then mmc
    • Add the Certificates snap-in and import there
    Or I import directly with PowerShell.
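Added example (not from the original post): a PowerShell report of every certificate in the server's Local Machine personal store that is already expired or expires within a chosen number of days, so an internal CA or public certificate is renewed before intranet portals and Exchange services go dark. Run it elevated on the server; the $DaysAhead parameter is my own name for the lookahead window.

```powershell
# List certificates in Cert:\LocalMachine\My that expire within $DaysAhead days (or already have).
param([int]$DaysAhead = 30)

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -le $cutoff } |
    Sort-Object NotAfter |
    ForEach-Object {
        # Subject Alternative Names live in the extension with OID 2.5.29.17;
        # that is where mail.contoso.com and autodiscover.contoso.com actually appear
        $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

        [pscustomobject]@{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Thumbprint    = $_.Thumbprint      # what Enable-ExchangeCertificate wants
            NotAfter      = $_.NotAfter
            DaysLeft      = [math]::Floor(($_.NotAfter - $now).TotalDays)  # negative = expired
            HasPrivateKey = $_.HasPrivateKey   # a cert without its key cannot serve TLS
            SANs          = $san
        }
    } | Format-Table -AutoSize
```

On an Exchange server, Get-ExchangeCertificate in the Exchange Management Shell adds the Services column so you can see which of IIS, SMTP, POP and IMAP are bound to the expiring thumbprint.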


    Machine Trust Relationship Problems

    When Windows says “the trust relationship between this workstation and the primary domain failed,” the computer account and the domain no longer agree.

    On a traditional domain
    • Disable LAN and WiFi
    • Log in using cached credentials
    • Reset the local admin password if needed
    • Disjoin from the domain and put it in a workgroup
    • Reboot
    • Join it back to the domain

    For Azure AD joined devices

    Check status

    dsregcmd /status

    If broken

    dsregcmd /leave

    Then rejoin from Settings under Access work or school.


    RDP Session Cleanup

    Sometimes users cannot remote into their office desktop because a stale session is still connected.

    I run from my admin machine

    query session /server:192.168.10.25
    logoff <SessionID> /server:192.168.10.25
    

    After that, they can reconnect without rebooting the server.


    Active Directory Tools

    ADSIEdit

    What
    • A low level editor for Active Directory objects.

    Why
    • Last resort for fixing broken attributes or lingering records when normal tools cannot reach them.

    How I use it
    • Only with full backups and a clear change plan.
    • I use it to clean up orphaned objects or legacy settings left behind.

    Event Viewer

    What
    • The black box recorder of Windows.

    Why
    • Every blue screen, login failure, replication problem and service crash leaves a trace here.

    How I use it
    eventvwr.msc
    • I focus on System and Directory Service logs on domain controllers, and Application logs on servers hosting apps.


    FSMO Roles

    What
    • Flexible Single Master Operations are special AD roles for schema, naming, PDC, RID and infrastructure.

    Why
    • These make sure there is one source of truth for sensitive changes.

    Best practice
    • Know exactly which DC holds each role.
    • Protect those DCs like crown jewels.

    If an FSMO owner is gone forever
    • You can seize the role to a healthy DC using ntdsutil.
    • After seizing, never bring the old DC back online.

    This is rare but every senior engineer should know the process in theory.


    AD and Entra ID Health

    On-premises AD health

    dcdiag
    repadmin /replsummary
    repadmin /showrepl

    I always confirm
    • DNS is correct
    • SYSVOL is in sync
    • Time is correct and within a few minutes across all DCs
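Added example (not from the original post): the replication and time checks above as one PowerShell script. It turns repadmin /showrepl into objects and flags any link with failures, then compares every DC's clock (in UTC) against the machine you run it from. It assumes the RSAT ActiveDirectory module, repadmin on the path, and rights to run Invoke-Command against each DC; $maxSkewMinutes is my own threshold name.

```powershell
# Read-only AD health sweep: replication failures and clock skew across all DCs.
Import-Module ActiveDirectory

# repadmin can emit CSV (first column "showrepl_COLUMNS"), which is far easier to filter
# than its default text layout
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv

$failed = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    Write-Warning "Replication links with failures:"
    $failed |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    Write-Host "All replication links report zero failures."
}

# Kerberos tolerates 5 minutes of skew by default; flag anything approaching that.
# Compare in UTC so DCs in different time zones do not show false skew.
$maxSkewMinutes = 2
$timeReport = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $remoteUtc = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
                         -ScriptBlock { (Get-Date).ToUniversalTime() }
        $skew = [math]::Abs(((Get-Date).ToUniversalTime() - $remoteUtc).TotalMinutes)
        [pscustomobject]@{
            DC          = $dc.HostName
            SkewMinutes = [math]::Round($skew, 2)
            Status      = if ($skew -gt $maxSkewMinutes) { 'CHECK TIME' } else { 'ok' }
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; SkewMinutes = $null; Status = "unreachable: $($_.Exception.Message)" }
    }
}
$timeReport | Format-Table -AutoSize
```

The skew figure includes the remoting round trip, so treat it as a minute-scale indicator; w32tm /monitor gives the precise offset once a DC is flagged.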

    Entra ID health

    Connect-MgGraph
    Get-MgUser
    Get-MgDirectoryAudit

    I check
    • Sign in logs for failures
    • Conditional Access for blocked locations
    • Device compliance for machines that suddenly appear non-compliant

    AD controls computers and users on site.
    Entra controls cloud identity and device trust.
    In a hybrid world, both must be healthy.


    Azure and Terraform

    Azure CLI read only commands

    az login
    az account show
    az group list
    az vm list
    az storage account list

    These tell me what exists without changing anything.

    Terraform for infrastructure as code
    • Initialize the directory
    terraform init
    • Format
    terraform fmt
    • Validate
    terraform validate
    • Plan
    terraform plan

    Nothing changes until terraform apply is run.
    For interviews, being comfortable with init, plan and validate already shows good understanding.


    Microsoft 365 Services

    Group Policy

    Purpose
    • Central control of security and settings for on-premises domain-joined machines.

    How I create it
    gpmc.msc
    • New GPO
    • Edit with the settings I want
    • Link to the correct OU


    Universal Print

    What
    • Cloud based printing that removes the need for classic print servers.

    Why
    • Easier management for hybrid and remote users.

    I register printers in Universal Print and assign permissions based on groups, so users can get printers automatically.


    SharePoint Online

    Steps I follow
    • Go to Microsoft 365 admin center
    • Open SharePoint admin
    • Create a new site
    • Assign owners and members
    • Set sharing and retention policies

    This becomes the central place for team documents and intranet content.


    OneDrive and Data Migration

    OneDrive
    • Sync client installed on machines
    • Known Folder Move for Desktop, Documents and Pictures
    • Version history to protect from mistakes and ransomware

    Migrating data
    • I prefer SharePoint Migration Tool or Mover.
    • I clean old data first so I do not carry garbage into the cloud.
    • I communicate to users what will move and what will not.


    Why This Arsenal Matters

    These are the tools I have relied on in city government, banks, energy drinks, and manufacturing.
    They are not fancy, but they work.

    Every time I help a user reconnect, restore a service, or clean up a broken configuration, I am really doing three things

    • Protecting the company and its data
    • Supporting my teammates so they are not alone in the fire
    • Honoring the gift God gave me to understand and fix complex systems

    This arsenal is how I serve.
    Whether I am helping a small office or a multi site enterprise, the pattern is the same ask good questions, run the right checks, fix the root cause, and leave clear notes so the next engineer can see the path.


    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Terraform Made Simple, your first working configuration from install to Azure access

    Introduction
    Infrastructure as Code is not optional anymore. Terraform gives you a declarative way to build, modify, and destroy cloud resources cleanly. This tutorial shows exactly how to install Terraform, create your first configuration, and connect it to Azure without affecting your company’s production environment. I used these steps to rebuild my own skills after leaving California and stepping into Utah’s quiet season of learning.


    Step 1
    Install Terraform using Winget

    1. Open PowerShell as admin
    2. Run the installer
      winget install HashiCorp.Terraform --source winget
    3. Restart your PowerShell window
    4. Verify the installation
      terraform -version

    You should see something like
    Terraform v1.14.0


    Step 2
    Create your Terraform workspace

    1. Create a folder
      mkdir C:\terraform\test1
    2. Go inside the folder
      cd C:\terraform\test1
    3. Create a new file
      New-Item main.tf -ItemType File

    Leave the file empty for now. Terraform just needs to see that a configuration file exists.


    Step 3
    Write your first Terraform configuration

    Open main.tf and paste this:

    provider "azurerm" {
      features {}
    }


    Nothing created yet. This is read only.

    The goal is to connect Terraform to Azure safely.

    Save the file.


    Step 4
    Initialize Terraform

    Run
    terraform init

    This downloads the AzureRM provider and sets up your working directory.

    You should see
    Terraform has been successfully initialized


    Step 5
    Install the Azure CLI

    Terraform connects to Azure using your Azure CLI login. Install it with:

    winget install Microsoft.AzureCLI

    Verify it
    az --version


    Step 6
    Log into Azure

    Run
    az login

    A browser opens. Select your Azure account.

    Important note
    If you see Martin’s Azure subscription, stop here and do not run terraform apply.
    Terraform plan is safe because it does not make changes.


    Step 7
    Check your Azure subscription

    az account show

    This confirms who you are logged in as and which subscription Terraform will use.


    Step 8
    Run your first Terraform plan

    terraform plan

    This reads your main.tf and checks for any required changes.
    Since your config is empty, the output will say:
    No changes. Infrastructure is up to date.


    Step 9
    Useful Azure CLI commands for Cloud Engineers

    Check all resource groups
    az group list -o table

    Check all VMs
    az vm list -o table

    Check storage accounts
    az storage account list -o table

    Check virtual networks
    az network vnet list -o table

    Check VM status
    az vm get-instance-view --name VMNAME --resource-group RGNAME --query "instanceView.statuses[1].displayStatus"

    Check Azure AD users
    az ad user list --filter "accountEnabled eq true" -o table

    Check your role assignments
    az role assignment list --assignee <your UPN> -o table

    These commands show LC that you are comfortable with both Terraform and Azure CLI.


    Step 10
    Can Terraform check Defender?

    Terraform itself does not “check” Defender, but you can manage Defender settings as resources.

    For example:

    azurerm_security_center_contact
    azurerm_security_center_subscription_pricing
    azurerm_security_center_assessment
    azurerm_defender_server

    Meaning
    Terraform is for configuration
    Azure CLI is for inspection
    Graph / PowerShell is for deep security reporting

    If LC wants real Defender reporting, we use:

    Connect-MgGraph
    Get-MgSecurityAlert
    Get-MgSecuritySecureScore

    You already know these.
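Added example (not from the original post): the Graph PowerShell reporting described above, worked into a small read-only script that counts open high-severity Defender alerts from the last seven days and prints the latest Secure Score as a percentage. It assumes the Microsoft.Graph.Security module is installed and the signed-in account can consent to the SecurityEvents.Read.All read scope; nothing in the tenant is changed.

```powershell
# Read-only Defender summary via the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All' -NoWelcome

# Server-side filter on severity and age; status is filtered client-side below.
# (Get-MgSecurityAlertV2 reads the newer alerts_v2 endpoint with the same idea.)
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$alerts = Get-MgSecurityAlert -All -Filter "severity eq 'high' and createdDateTime ge $since" |
          Where-Object { $_.Status -ne 'resolved' }

"High-severity open alerts (last 7 days): $(@($alerts).Count)"
$alerts |
    Sort-Object CreatedDateTime -Descending |
    Select-Object CreatedDateTime, Title, Category, Status,
                  @{ n = 'Provider'; e = { $_.VendorInformation.Provider } } |
    Format-Table -AutoSize

# Secure Score entries come back newest first; one record is enough for the headline number
$score = Get-MgSecuritySecureScore -Top 1
if ($score) {
    $pct = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
    "Secure Score on $($score.CreatedDateTime.ToShortDateString()): $($score.CurrentScore) / $($score.MaxScore) ($pct%)"
}
```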


    Step 11
    Cleaning up safely

    Since we did not deploy anything, no cleanup is required.

    If you later create real resources, destroy them with
    terraform destroy


    Final thoughts
    Terraform is one of the most powerful tools in cloud engineering. Once you know how to initialize it, authenticate with Azure, and run plans, you are already ahead of many engineers who feel overwhelmed by IaC. LC will immediately see that you are not just an Exchange guy or a VMware guy. You are becoming a modern DevOps cloud engineer who can manage infrastructure in code.



  • Terraform for M365 & Azure (With Real Examples)

    Title:

    Terraform for M365 and Azure — Infrastructure-as-Code Made Simple

    Introduction

    Terraform is one of the most powerful tools for managing cloud environments because it lets you declare what you want and Azure builds it. No guessing. No clicking. No forgetting what you changed.

    Even if M365 doesn’t support Terraform natively for all workloads, you can still automate Azure AD, Conditional Access, Groups, SPNs, Networking, Key Vault, and App Registrations through the Microsoft Graph provider.

    I used IaC principles while supporting Church systems — Terraform makes environments repeatable, auditable, and consistent.


    1. Installing Terraform

    choco install terraform
    

    2. Azure Login Block

    provider "azurerm" {
      features {}
    }
    
    provider "azuread" {
    }
    

    3. Creating an Azure Resource Group

    resource "azurerm_resource_group" "rg1" {
      name     = "M365AutomationRG"
      location = "WestUS2"
    }
    

    4. Creating an Azure AD Group

    resource "azuread_group" "security_group" {
      display_name     = "M365-Automation-Admins"
      security_enabled = true
    }
    

    5. Creating an App Registration + Secret

    resource "azuread_application" "app" {
      display_name = "Terraform-Automation-App"
    }
    
    # azuread provider 2.x attribute names; in provider 3.x the service principal takes
    # client_id = azuread_application.app.client_id and the password takes
    # application_id = azuread_application.app.id
    resource "azuread_service_principal" "sp" {
      application_id = azuread_application.app.application_id
    }
    
    resource "azuread_application_password" "sp_secret" {
      application_object_id = azuread_application.app.id
      display_name          = "secret1"
      # The generated secret value is written to Terraform state, so protect the state
      # backend and expose it only through an output marked sensitive = true
    }
    

    6. Conditional Access via Terraform (Yes, possible!)

    Uses the azuread Terraform provider, which writes the policy through the Microsoft Graph API.

    # Conditional Access excludes locations by ID, so the US must exist as a named location first
    resource "azuread_named_location" "us" {
      display_name = "United States"
      country {
        countries_and_regions = ["US"]
      }
    }
    
    resource "azuread_conditional_access_policy" "block_non_us" {
      display_name = "Block Non-US IP"
      # "enabledForReportingButNotEnforced" (report-only) is the safe first rollout
      state        = "enabled"
    
      conditions {
        client_app_types = ["all"]
    
        applications {
          included_applications = ["All"]
        }
    
        users {
          included_users = ["All"]
          # Exclude a break-glass account here so the policy cannot lock every admin out
        }
    
        locations {
          included_locations = ["All"]
          excluded_locations = [azuread_named_location.us.id]
        }
      }
    
      grant_controls {
        operator          = "OR"
        built_in_controls = ["block"]
      }
    }
    

    7. Create an M365 Group (Unified Group)

    # types = ["Unified"] with mail_enabled = true makes this a Microsoft 365 group
    # (mailbox, SharePoint site and Teams-ready) rather than a plain security group
    resource "azuread_group" "m365_group" {
      display_name     = "Engineering Team"
      mail_nickname    = "engineering"
      security_enabled = false
      mail_enabled     = true
      types            = ["Unified"]
    }
    

    8. Create Azure Key Vault

    # The vault needs the tenant of the identity running Terraform; this data source supplies it
    data "azuread_client_config" "current" {}
    
    resource "azurerm_key_vault" "kv" {
      name                = "m365-keyvault-prod"
      location            = azurerm_resource_group.rg1.location
      resource_group_name = azurerm_resource_group.rg1.name
      tenant_id           = data.azuread_client_config.current.tenant_id
      sku_name            = "standard"
      # For production, also set purge_protection_enabled = true so a deleted vault or key
      # cannot be permanently erased during the soft-delete retention window
    }
    

    Conclusion

    Terraform is the “blueprint” of modern cloud administration.
    Clicking creates inconsistencies — IaC creates reliable, repeatable deployments.



  • 💻 Path to Become a Developer (Ivy Falls)

    From coding late nights to building real solutions — proof that persistence pays off.
    #DeveloperJourney #IvyFalls #NoBandAidFix

    Introduction: The Path Is the Practice

    My journey to development and infrastructure followed the same rhythm — discipline by day, learning by night.
    While working full-time at All Electronics Corporation in Van Nuys (1990–1995), I woke at 4 A.M. to catch two LA Metro buses from Western and 3rd Street to my 6:30 A.M. shift, then sometimes worked evenings at the Taco Bell drive-thru in Glendale.

    I wasn’t chasing titles; I was chasing understanding. At All Electronics, I became obsessed with the Integrated Circuit (IC) — the heartbeat of every computer. There was no Internet back then — only library books and endless curiosity. I crashed my own PCs, rebuilt them, and soon began fixing computers for free for anyone who needed help.

    Back then, I used to dream of a day when I wouldn’t have to wait for the bus in the rain just to get home. Years later, those same dreams became reality — not through luck, but through faith, discipline, and persistence. The rides changed — from buses to a BMW, an Audi, and now a Tesla — but what never changed was the purpose: to keep moving forward.

    Those early mornings and late nights opened the door to my first IT role at USC as a PC Specialist, then to GTE (now Verizon), Aerospace, and eventually to my own IT consulting business serving clients large and small across California and beyond.


    Season of Refinement

    While working full-time at USC, I entered what I call my season of refinement.
    By day I supported campus systems and users; by night I was a full-time student at Los Angeles City College (LACC) and a weekend warrior at DeVry University, studying Management in Telecommunications.

    It was during this time that Microsoft introduced the MCSE (Microsoft Certified Systems Engineer) program.
    One of my LACC professors encouraged me to earn it, saying, “Once you have that license, companies will chase you.”
    He was right — that MCSE became my ticket to GTE, my first step into enterprise-scale IT.

    My tenure at GTE was brief because Aerospace came calling with a six-figure offer just before Y2K — an opportunity too great to refuse.
    After Aerospace, I founded my own consulting firm — Ahead InfoTech (AIT) — and entered what I now call my twelve years of plenty.

    One of my earliest clients, USC Perinatal Group, asked me to design and implement a secure LAN/WAN connecting satellite offices across major hospitals including California Hospital Medical Center, Saint Joseph of Burbank and Mission Hills, and Hollywood Presbyterian Hospital.
    We used T1 lines with CSU/DSU units and Fortinet firewalls; I supplied every workstation and server under my own AIT brand.

    Through that success I was referred to additional projects for Tarzana and San Gabriel Perinatal Groups, linked by dedicated frame-relay circuits — early-era networking at its finest.
    Momentum carried me to new partnerships with The Claremont Colleges and the City of West Covina, where I served as Senior Consultant handling forensic and SMTP (email) engineering.

    Word spread further. An attorney client introduced me to an opportunity in American Samoa to help design and build a regional ISP, and later to a contract with Sanyo Philippines.
    During this period Fortinet was still new, and I became one of its early resellers. I preferred building AIT servers and workstations from the ground up rather than reselling mass-produced systems.
    DSL was just emerging, yet most clients relied on dedicated T1 lines — real hands-on networking that demanded patience and precision.

    Those were the twelve years of plenty — projects stretching from Los Angeles hospitals to overseas data links.
    By the time AWS launched in 2006 and Azure in 2010, I was already managing distributed networks and data replication.

    When I returned to Corporate America, my first full-time role was at Payforward, where I led the On-Prem to AWS migration, building multi-region environments across US-East (1a and 1b) and US-West, complete with VPCs, subnets, IAM policies, and full cloud security.
    That’s when I earned my AWS certifications, completing a journey that had begun with cables and consoles and matured in the cloud.

    Education, experience, and certification merged into one lesson:
    Discipline comes first. Validation follows.
    Degrees and credentials were never my starting line — they became the icing on the cake of years of practice, service, and faith.


    My Philosophy: Code Like a Craftsman

    Photography taught me patience. Martial Arts taught me form. IT taught me precision.
    All three share one secret: the art lies in repetition with awareness.

    As Ansel Adams said:

    “When words become unclear, I shall focus with photographs. When images become inadequate, I shall be content with silence.”

    Coding feels the same. When logic becomes unclear, I focus. When code seems inadequate, I find peace in understanding.


    The Developer Path

    1️⃣ Core Web Skills

    HTML | CSS | JavaScript (ES6+) | Git | GitHub
    Learn Free: freeCodeCamp | Traversy Media

    2️⃣ Frontend Framework

    Master React or Next.js.
    Courses: Max Schwarzmüller Udemy | Colt Steele Bootcamp | Jonas Schmedtmann JS Course

    3️⃣ Backend & APIs

    Choose Node.js or Python (Flask / FastAPI).
    Watch: Corey Schafer | Course: Angela Yu 100 Days of Code

    4️⃣ DevOps for Developers

    Learn Docker, GitHub Actions, and Cloud Deployments.
    Watch: TechWorld with Nana

    5️⃣ Labs & Simulators

    No hardware? Use Whizlabs Labs | Replit | Microsoft Sandboxes

    6️⃣ Portfolio

    Build three apps (CRUD, API, SPA) + README + screenshots + a short blog for each.


    Final Reflection

    From library nights in Koreatown to pushing code in the cloud, this path proves that curiosity and consistency still change lives.
    Keep learning, keep building, and remember — every keystroke is one more kick toward mastery.
    This blog will continue to grow as technology changes — come back often and build along with me.


    🪶 Closing Note

    I share this story not to boast but to inspire those still discovering their own path in technology.
    Everything here is told from personal experience and memory; if a date or detail differs from official records, it’s unintentional.
    I’m grateful for mentors like my LACC professor, who once told me to look up a name not yet famous — Bill Gates — and earn my MCSE + I.
    He was right: that single decision opened countless doors.

    I don’t claim to know everything; I simply kept learning, serving, and sharing.
    My living witnesses are my son, my younger brother, and friends who once worked with me and now thrive in IT.
    After all these years, I’m still standing — doing what I love most: helping people through Information Technology.


    ⚖️ Legal Disclaimer

    All events and company names mentioned are described from personal recollection for educational and inspirational purposes only. Any factual inaccuracies are unintentional. Opinions expressed are my own and do not represent any past or current employer.


  • 🖥️ Path to Become an Infrastructure Engineer (Ivy Falls)

    From Customer Service Rep to PC Specialist, Network Engineer, System Administrator, DevSecOps, and now Infrastructure Engineer — a journey built on faith, discipline, dedication, and gratitude.

    Introduction: The Path Is the Practice

    My story didn’t begin with servers or certifications.
    It began at All Electronics Corporation in Van Nuys, California, where I worked full-time from 6:30 A.M. to 3:00 P.M., taking two Metro buses and walking a block from the station — rain or shine — from December 1990 to late 1995.

    I woke as early as 4 A.M. to catch the first bus at Western and 3rd Street in Los Angeles, sometimes heading straight to my evening shift at the Taco Bell drive-thru in Glendale.
    Those were humble, exhausting days that taught me discipline and grit — lessons that would shape every part of my career.

    At All Electronics, I became fascinated by the IC — Integrated Circuit, the heart of every desktop computer. I wanted to understand it, not just sell it.

    Back in my Koreatown apartment, I turned curiosity into calling.
    No Google. No YouTube. No AI.
    Just library books and endless nights of self-study. I intentionally crashed my computers and rebuilt them until every fix became muscle memory.

    Once confident, I started offering free repairs and computer lessons to friends, relatives, and senior citizens — setting up printers, fixing networks, and teaching email basics. Those acts of service opened the door to my first full-time IT job at the University of Southern California (USC) as a PC Specialist.

    I still remember waiting at the bus stop in the dark, dreaming of the day I wouldn’t have to ride in the rain. Years later, those same dreams became reality — not through luck, but through faith, discipline, dedication, and gratitude.
    The rides changed — from buses to a BMW, an Audi, and now a Tesla — but what never changed was the purpose: to keep moving forward while staying grounded in gratitude.


    Season of Refinement

    While working full-time at USC, I entered what I call my season of refinement.
    By day I supported campus systems and users; by night I was a full-time student at Los Angeles City College (LACC) and a weekend warrior at DeVry University, studying Management in Telecommunications.

    It was during this time that Microsoft introduced the MCSE (Microsoft Certified Systems Engineer) program.
    One of my professors at LACC encouraged me to earn it, saying, “Once you have that license, companies will chase you.”
    He was right — that MCSE became my ticket to GTE (now Verizon), my first step into enterprise-scale IT.

    My tenure at GTE was brief because Aerospace came calling with a six-figure offer just before Y2K — an opportunity too good to refuse.
    After Aerospace, I founded my own consulting firm — Ahead InfoTech (AIT) — and entered what I now call my twelve years of plenty.

    One of my earliest major clients, USC Perinatal Group, asked me to design and implement a secure LAN/WAN connecting satellite offices across major hospitals including California Hospital Medical Center, Saint Joseph of Burbank and Mission Hills, and Hollywood Presbyterian Hospital.
    We used T1 lines with CSU/DSU units and Fortinet firewalls; I supplied every workstation and server under my own AIT brand.

    Through that success I was referred to additional projects for Tarzana and San Gabriel Perinatal Groups, linked by dedicated frame-relay circuits — early-era networking at its finest.
    Momentum led to new partnerships with The Claremont Colleges and the City of West Covina, where I served as Senior Consultant handling forensic analysis and SMTP/email engineering.

    Word spread. One attorney client introduced me to an opportunity in American Samoa to help design and build a regional ISP, and later to a contract with Sanyo Philippines.
    During this period Fortinet was still new, and I became one of its early resellers.
    Refusing to rely on mass-produced systems, I built AIT servers and workstations from the ground up for every environment.
    DSL was just emerging, yet most clients still relied on dedicated T1s — real hands-on networking that demanded precision and patience.

    Those were the twelve years of plenty — projects that stretched from local hospitals to overseas data links, from LAN cables to international circuits.
    By the time AWS arrived in 2006 and Azure followed in 2010, I had already been building and managing distributed networks for years.

    When I returned to Corporate America, my first full-time role was at Payforward, where I led the On-Prem to AWS migration, designing multi-region environments across US-East (1a and 1b) and US-West, complete with VPCs, subnets, IAM policies, and full cloud security.
    That’s when I earned my AWS certifications, completing a journey that had begun with physical servers and matured in the cloud.

    Education, experience, and certification merged into one lesson:
    Discipline comes first. Validation follows.
    Degrees and credentials were never my starting line — they were the icing on the cake of years of practice, service, and faith.


    My Philosophy: One Discipline, Many Forms

    Whether in Martial Arts, IT, or Photography, mastery comes from repetition, humility, and curiosity.
    As Ansel Adams wrote:

    “When words become unclear, I shall focus with photographs. When images become inadequate, I shall be content with silence.”

    Everyone can take a photo; not everyone captures a masterpiece.
    Everyone can study tech; not everyone understands its rhythm.
    Excellence lives in awareness — the moment when curiosity meets purpose.


    The Infrastructure Engineer Path

    1️⃣ Foundations

    Learn the essentials: Windows Server, Active Directory, DNS/DHCP, GPOs, Networking (VLANs, VPNs), Linux basics, and PowerShell.
    Free Resources:

    2️⃣ Cloud Platforms

    Start with AZ-104 Azure Administrator.
    Use free tiers to lab: Azure | AWS | GCP.
    Courses:

    3️⃣ Automation & DevOps

    Learn IaC (Terraform/Bicep), Docker, Kubernetes, and CI/CD.
    Watch TechWorld with Nana.

    4️⃣ Labs & Simulators

    No hardware? Try:

    5️⃣ Portfolio

    Document every lab, build diagrams, post scripts on GitHub, and write short lessons learned.


    Final Reflection

    From bus stops to boardrooms, from fixing desktops to deploying clouds — the principles never changed: serve first, learn always, and build things that last.
    This blog will continue to evolve as technology changes — come back often and grow with it.


    🪶 Closing Note

    I share this story not to boast, but to inspire those still discovering their own path in technology.
    Everything here is told from personal experience and memory; if a date or detail differs from official records, it’s unintentional.
    I’m grateful for mentors like my LACC professor, who once told me to look up a name not yet famous — Bill Gates — and earn my MCSE + I.
    He was right: that single decision opened countless doors.

    I don’t claim to know everything; I simply kept learning, serving, and sharing.
    My living witnesses are my son, my younger brother, and friends who once worked with me and now thrive in IT.
    After all these years, I’m still standing — doing what I love most: helping people through Information Technology.


    ⚖️ Legal Disclaimer

    All events and company names mentioned are described from personal recollection for educational and inspirational purposes only. Any factual inaccuracies are unintentional. Opinions expressed are my own and do not represent any past or current employer.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Secure Azure setup with Entra ID, Bastion, and private VM


    Scope

    Stand up a fresh Azure landing zone with a minimal but secure baseline: Entra ID (Azure AD) hardening, management structure, logging, networking, a Windows/Linux VM without public exposure, and safe access (Bastion + Entra sign-in).

    Placeholders to replace:
    TENANT_NAME · MG_ROOT · SUB_NAME · RG_CORE · RG_NET · RG_VM · LOCATION · VNET_NAME · SUBNET_APP · BASTION_SUBNET · VM_NAME · VM_SIZE · ADMIN_GROUP_OBJECTID


    0) Prereqs

    • Azure tenant & subscription created (via portal/Commerce).
    • Azure CLI logged in:
      az login
      az account set --subscription "SUB_NAME"
    • Optional SKUs: Entra ID P1/P2 for Conditional Access, PIM, Identity Protection.

    1) Entra ID (Tenant) Baseline

    • Create two break-glass cloud-only Global Admin accounts; long passwords; exclude from CA; store offline.
    • Turn on Security Defaults or implement baseline Conditional Access:
      • Require MFA for admins.
      • Disable legacy/basic auth.
      • Require MFA for all users or at least privileged roles.
    • Enable SSPR, passwordless Authenticator (and FIDO2 keys if available).
    • Use PIM for role activation (P2).
    • Create AAD groups for RBAC (e.g., Azure-VM-Admins).

    (Portal-driven; no commands included to keep this redacted.)


    2) Management Structure & Tags

    • Create management group root and place the subscription under it.
    • Standardize tags (Owner, CostCenter, Env, DataClass).
    az account management-group create -n MG_ROOT
    az account management-group subscription add --name MG_ROOT --subscription "SUB_NAME"
    

    3) Core Resource Groups & Logging

    az group create -n RG_CORE -l LOCATION
    az group create -n RG_NET  -l LOCATION
    az group create -n RG_VM   -l LOCATION
    
    # Log Analytics workspace
    az monitor log-analytics workspace create -g RG_CORE -n LAW-CORE -l LOCATION
    LAW_ID=$(az monitor log-analytics workspace show -g RG_CORE -n LAW-CORE --query id -o tsv)
    
    # Send Activity Logs to LAW
    az monitor diagnostic-settings create \
      --name "activity-to-law" \
      --resource "/subscriptions/$(az account show --query id -o tsv)" \
      --workspace $LAW_ID \
      --logs '[{"categoryGroup":"allLogs","enabled":true}]'
    

    4) Guardrails with Azure Policy (minimal starter)

    # Require tags (--policy takes the definition name/ID, not its display name,
    # so look the built-in definition up by display name first)
    REQ_TAG_DEF=$(az policy definition list \
      --query "[?displayName=='Require a tag and its value on resources'].name" -o tsv)
    az policy assignment create -g RG_CORE -n require-tags \
      --policy "$REQ_TAG_DEF" \
      --params '{"tagName":{"value":"Owner"},"tagValue":{"value":"REDACTED"}}'
    
    # Allowed locations
    LOC_DEF=$(az policy definition list \
      --query "[?displayName=='Allowed locations'].name" -o tsv)
    az policy assignment create -g RG_CORE -n allowed-locations \
      --policy "$LOC_DEF" \
      --params '{"listOfAllowedLocations":{"value":["LOCATION"]}}'
    

    Enable Microsoft Defender for Cloud and auto-provision agents (portal) to get JIT VM access recommendations and secure score.


    5) Networking (no public RDP/SSH)

    # VNet + subnets
    az network vnet create -g RG_NET -n VNET_NAME -l LOCATION \
      --address-prefixes 10.10.0.0/16 \
      --subnet-name SUBNET_APP --subnet-prefix 10.10.10.0/24
    
    # Dedicated Bastion subnet (must be named exactly AzureBastionSubnet and be /26 or larger)
    az network vnet subnet create -g RG_NET --vnet-name VNET_NAME \
      -n AzureBastionSubnet --address-prefixes 10.10.254.0/26
    
    # NSG and rules (the default rules already deny Internet inbound and allow VNet traffic;
    # the explicit VNet rule keeps Bastion-to-VM RDP/SSH working if tighter deny rules are added later)
    az network nsg create -g RG_NET -n NSG-APP
    az network nsg rule create -g RG_NET --nsg-name NSG-APP -n Allow-VNet \
      --priority 100 --access Allow --direction Inbound --protocol '*' \
      --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
      --destination-address-prefixes VirtualNetwork --destination-port-ranges '*'
    
    # Associate NSG to the app subnet
    az network vnet subnet update -g RG_NET --vnet-name VNET_NAME -n SUBNET_APP \
      --network-security-group NSG-APP
    

    6) Bastion (safe console access)

    # Public IP for Bastion
    az network public-ip create -g RG_NET -n pip-bastion -l LOCATION --sku Standard --zone 1 2 3
    
    # Bastion host
    az network bastion create -g RG_NET -n bas-VNET_NAME -l LOCATION \
      --public-ip-address pip-bastion --vnet-name VNET_NAME
    

    7) VM (managed identity, no public IP, Entra login)

    Windows example:

    # NIC (no public IP)
    az network nic create -g RG_VM -n nic-VM_NAME \
      --vnet-name VNET_NAME --subnet SUBNET_APP
    
    # VM
    az vm create -g RG_VM -n VM_NAME \
      --image Win2022Datacenter --size VM_SIZE \
      --nics nic-VM_NAME --assign-identity \
      --admin-username "localadmin" --admin-password "GENERATE-STRONG-PASSWORD" \
      --enable-agent true --os-disk-size-gb 128
    
    # Enable AAD login extension (Windows)
    az vm extension set -g RG_VM -n AADLoginForWindows --publisher Microsoft.Azure.ActiveDirectory \
      --vm-name VM_NAME
    
    # Grant Entra groups the VM login roles
    VM_ID=$(az vm show -g RG_VM -n VM_NAME --query id -o tsv)
    az role assignment create --assignee-object-id ADMIN_GROUP_OBJECTID \
      --role "Virtual Machine Administrator Login" --scope $VM_ID
    

    Linux example (SSH keys + AAD login):

    az vm create -g RG_VM -n VM_NAME \
      --image Ubuntu2204 --size VM_SIZE \
      --nics nic-VM_NAME --assign-identity \
      --authentication-type ssh --ssh-key-values ~/.ssh/id_rsa.pub
    
    # Enable AAD SSH login (Linux)
    az vm extension set -g RG_VM -n AADSSHLoginForLinux --publisher Microsoft.Azure.ActiveDirectory \
      --vm-name VM_NAME
    
    # RBAC for login (VM_ID captured the same way as in the Windows example)
    VM_ID=$(az vm show -g RG_VM -n VM_NAME --query id -o tsv)
    az role assignment create --assignee-object-id ADMIN_GROUP_OBJECTID \
      --role "Virtual Machine Administrator Login" --scope $VM_ID
    

    Accessing the VM (no public IP):

    • Portal → Resource → Connect → Bastion → Open session (RDP for Windows, SSH for Linux).
    • Optionally enable Just-In-Time in Defender for Cloud; keep NSG closed otherwise.
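    Sections 5 and 7 rest on three facts that are easy to drift away from later: no NSG rule opens RDP/SSH to the Internet, no VM carries a public IP, and the AzureBastionSubnet is large enough for Bastion. The script below is an added example (not part of this post's commands) that audits the JSON you get from az network nsg rule list -o json, az vm list-ip-addresses -o json and az network vnet subnet list -o json. The sample records embedded in it are constructed to mirror that output; the rule Allow-RDP-Internet, the VM vm-legacy and the address 203.0.113.10 are made up for the demonstration.

```python
import ipaddress
import json

# Ports this design never exposes to the Internet (RDP/SSH reach the VM only through Bastion)
MGMT_PORTS = {22, 3389}
# Source prefixes that mean "anyone on the Internet" in an NSG rule (service tag or wildcard)
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}


def _rule_ports(rule):
    """Expand a rule's destination port fields; None means every port ('*')."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for item in ranges:
        if item == "*":
            return None
        low, _, high = item.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def _rule_sources(rule):
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return {s.lower() for s in sources}


def exposed_mgmt_rules(rules):
    """Names of inbound Allow rules that open RDP/SSH to Internet sources."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not (_rule_sources(rule) & INTERNET_SOURCES):
            continue
        ports = _rule_ports(rule)
        if ports is None or ports & MGMT_PORTS:
            findings.append(rule["name"])
    return findings


def vms_with_public_ip(ip_entries):
    """Names of VMs with at least one public IP (shape of az vm list-ip-addresses)."""
    return [e["virtualMachine"]["name"] for e in ip_entries
            if e["virtualMachine"]["network"].get("publicIpAddresses")]


def bastion_subnet_ok(subnets):
    """True when AzureBastionSubnet exists and is /26 or larger, as Bastion requires."""
    for subnet in subnets:
        if subnet.get("name") != "AzureBastionSubnet":
            continue
        prefix = subnet.get("addressPrefix") or (subnet.get("addressPrefixes") or [None])[0]
        return prefix is not None and ipaddress.ip_network(prefix).prefixlen <= 26
    return False


def audit(rules, ip_entries, subnets):
    return {
        "exposed_mgmt_rules": exposed_mgmt_rules(rules),
        "vms_with_public_ip": vms_with_public_ip(ip_entries),
        "bastion_subnet_ok": bastion_subnet_ok(subnets),
    }


# Constructed sample data mirroring the az CLI JSON output (not captured from a real tenant)
SAMPLE_RULES = json.loads("""[
 {"name": "Allow-VNet", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "*",
  "sourceAddressPrefix": "VirtualNetwork", "sourceAddressPrefixes": [],
  "destinationPortRange": "*", "destinationPortRanges": []},
 {"name": "Allow-RDP-Internet", "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
  "destinationPortRange": "3389", "destinationPortRanges": []},
 {"name": "Allow-HTTPS", "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "443", "destinationPortRanges": []}
]""")
SAMPLE_VM_IPS = json.loads("""[
 {"virtualMachine": {"name": "VM_NAME", "resourceGroup": "RG_VM",
  "network": {"privateIpAddresses": ["10.10.10.4"], "publicIpAddresses": []}}},
 {"virtualMachine": {"name": "vm-legacy", "resourceGroup": "RG_VM",
  "network": {"privateIpAddresses": ["10.10.10.5"], "publicIpAddresses": ["203.0.113.10"]}}}
]""")
SAMPLE_SUBNETS = json.loads("""[
 {"name": "SUBNET_APP", "addressPrefix": "10.10.10.0/24"},
 {"name": "AzureBastionSubnet", "addressPrefix": "10.10.254.0/26"}
]""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RULES, SAMPLE_VM_IPS, SAMPLE_SUBNETS), indent=2))
```

    Run against live output by piping the three az commands into files and loading them with json.load in place of the samples; a non-empty exposed_mgmt_rules or vms_with_public_ip list is the condition to fix before calling the landing zone done.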

    8) Backup, Patching, and Keys

    # Recovery Services vault + VM backup (vault is in RG_CORE, VM in RG_VM, so pass the VM's resource ID)
    az backup vault create -g RG_CORE -n rsv-core -l LOCATION
    az backup protection enable-for-vm -g RG_CORE -v rsv-core --vm $VM_ID --policy-name "DefaultPolicy"
    
    # VM guest patching (Update Manager) – enable in portal for the RG/VM
    
    • Store secrets/keys in Azure Key Vault; use managed identity from the VM to fetch secrets.
    • Use Server-side encryption (SSE) with platform-managed keys (default) or customer-managed keys (CMK) via Key Vault if required.
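    What "use managed identity from the VM to fetch secrets" looks like on the wire, as an added example that is not part of this post: the VM asks the Instance Metadata Service (IMDS) for a token for the Key Vault resource, then calls the vault's secrets endpoint with that token. No credential is ever stored on the VM. The code uses only the standard library so the shape of both exchanges is visible; the vault name kv-core and secret name db-password are placeholders, and the flow assumes the VM's system-assigned identity has been granted the Key Vault Secrets User role on the vault (RBAC permission model).

```python
import json
import time
import urllib.parse
import urllib.request

# Azure Instance Metadata Service token endpoint, reachable only from inside the VM
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.4"


def imds_token_request(resource=KEY_VAULT_RESOURCE):
    """Build the IMDS request for a managed-identity token; the VM's identity is implicit."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    # The Metadata header is mandatory; it stops SSRF-style requests that cannot set headers
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def parse_token(body, now=None):
    """Validate an IMDS token response and return (access_token, expires_on)."""
    data = json.loads(body)
    now = time.time() if now is None else now
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    expires_on = int(data["expires_on"])  # IMDS returns the epoch seconds as a string
    if expires_on <= now:
        raise ValueError("token already expired")
    return data["access_token"], expires_on


def secret_url(vault_name, secret_name):
    """Key Vault data-plane URL for the latest version of a secret."""
    return (f"https://{vault_name}.vault.azure.net/secrets/"
            f"{urllib.parse.quote(secret_name, safe='')}?api-version={KEY_VAULT_API_VERSION}")


def parse_secret(body):
    """Return the secret value, refusing secrets that are disabled in Key Vault."""
    data = json.loads(body)
    if not data.get("attributes", {}).get("enabled", False):
        raise ValueError("secret is disabled")
    return data["value"]


def fetch_secret(vault_name, secret_name):
    """End-to-end flow on the VM: IMDS token first, then the vault call carrying that token."""
    with urllib.request.urlopen(imds_token_request(), timeout=5) as resp:
        token, _ = parse_token(resp.read().decode())
    req = urllib.request.Request(secret_url(vault_name, secret_name),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_secret(resp.read().decode())


if __name__ == "__main__":
    # Only meaningful when run on the VM itself (placeholder vault and secret names)
    print(fetch_secret("kv-core", "db-password"))
```

    Keep the token in memory only and request a fresh one when expires_on is near; the IMDS endpoint is also why outbound access to 169.254.169.254 should stay reserved for processes that genuinely need it.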

    9) Monitoring (Guest + Platform)

    # Platform metrics to LAW (a VM resource exposes no resource-log categories, so no --logs here;
    # guest OS logs and VM Insights come from the Azure Monitor Agent, enabled in the portal)
    az monitor diagnostic-settings create \
      --name "vm-to-law" \
      --resource $VM_ID --workspace $LAW_ID \
      --metrics '[{"category":"AllMetrics","enabled":true}]'
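    Sections 3 and 9 get the logs into the workspace; the next question is what to look for in them. The following is an added example (not from this post) that runs a small watchlist over Activity Log events in the JSON shape returned by az monitor activity-log list -o json: successful NSG rule writes, public IP writes, role assignment writes and VM extension removals, all of which undo part of this baseline, plus any successful operation by a break-glass account, which by design should never be used day to day. The four events embedded below are constructed; SUB_ID, the caller names and the timestamps are placeholders.

```python
import json

# Successful operations that should be rare in a locked-down landing zone (constructed watchlist)
WATCHED_OPERATIONS = {
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule created or changed",
    "microsoft.network/publicipaddresses/write": "public IP created or changed",
    "microsoft.authorization/roleassignments/write": "role assignment written",
    "microsoft.compute/virtualmachines/extensions/delete": "VM extension removed",
}
# Break-glass accounts live offline and are never used day to day, so any activity is a finding
# (placeholder UPNs; replace TENANT_NAME as elsewhere in this post)
BREAK_GLASS_CALLERS = {
    "breakglass1@TENANT_NAME.onmicrosoft.com",
    "breakglass2@TENANT_NAME.onmicrosoft.com",
}


def suspicious_events(events):
    """Return (eventTimestamp, caller, reason, resourceId) for each event worth an alert."""
    break_glass = {c.lower() for c in BREAK_GLASS_CALLERS}
    findings = []
    for ev in events:
        if ev.get("status", {}).get("value") != "Succeeded":
            continue  # Started/Failed entries either duplicate a Succeeded one or never took effect
        caller = (ev.get("caller") or "").lower()
        operation = (ev.get("operationName", {}).get("value") or "").lower()
        reasons = []
        if operation in WATCHED_OPERATIONS:
            reasons.append(WATCHED_OPERATIONS[operation])
        if caller in break_glass:
            reasons.append("break-glass account used")
        for reason in reasons:
            findings.append((ev.get("eventTimestamp"), caller, reason, ev.get("resourceId")))
    return findings


# Constructed sample events in the shape of az monitor activity-log list -o json
SAMPLE_EVENTS = json.loads("""[
 {"caller": "admin@TENANT_NAME.onmicrosoft.com", "eventTimestamp": "2025-01-05T10:15:00Z",
  "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
  "status": {"value": "Succeeded"}, "resourceGroupName": "RG_NET",
  "resourceId": "/subscriptions/SUB_ID/resourceGroups/RG_NET/providers/Microsoft.Network/networkSecurityGroups/NSG-APP/securityRules/Allow-VNet"},
 {"caller": "admin@TENANT_NAME.onmicrosoft.com", "eventTimestamp": "2025-01-05T10:20:00Z",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Succeeded"}, "resourceGroupName": "RG_VM",
  "resourceId": "/subscriptions/SUB_ID/resourceGroups/RG_VM/providers/Microsoft.Compute/virtualMachines/VM_NAME"},
 {"caller": "admin@TENANT_NAME.onmicrosoft.com", "eventTimestamp": "2025-01-05T10:25:00Z",
  "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "status": {"value": "Failed"}, "resourceGroupName": "RG_VM",
  "resourceId": "/subscriptions/SUB_ID/resourceGroups/RG_VM/providers/Microsoft.Compute/virtualMachines/VM_NAME"},
 {"caller": "breakglass1@TENANT_NAME.onmicrosoft.com", "eventTimestamp": "2025-01-06T02:05:00Z",
  "operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/write"},
  "status": {"value": "Succeeded"}, "resourceGroupName": "RG-UNKNOWN",
  "resourceId": "/subscriptions/SUB_ID/resourceGroups/RG-UNKNOWN"}
]""")

if __name__ == "__main__":
    for timestamp, caller, reason, resource_id in suspicious_events(SAMPLE_EVENTS):
        print(f"{timestamp} {caller}: {reason} on {resource_id}")
```

    The same watchlist translates directly into a scheduled alert on the AzureActivity table once the activity log lands in LAW; running it over the CLI output first is a cheap way to confirm the events actually arrive with the operation names you expect.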
    

    10) Cost Guardrails

    • Create a Budget in Cost Management with email alerts at 50/80/100%.
    • Consider Reservations and Auto-shutdown on dev/test VMs.

    11) Access Patterns to Prefer

    • Bastion or Private endpoints; avoid public RDP/SSH.
    • Entra sign-in to VMs with RBAC (Virtual Machine User/Administrator Login).
    • PIM + MFA for privileged roles.
    • JIT for any temporary inbound need.

    Minimal Tear-down (lab)

    # Danger: deletes resources
    az group delete -n RG_VM  -y
    az group delete -n RG_NET -y
    az group delete -n RG_CORE -y
    

    Notes & Deviations

    • For domain-join scenarios, use Entra ID DS (managed domain) or a full AD DS in Azure; keep DCs on a separate subnet with restricted NSG.
    • For Intune/MDM of servers, consider Azure Arc + Defender for Endpoint.
    • Replace all placeholders and remove screenshots/IDs before publishing externally.

    For more info:
    • Microsoft Entra ID overview/service description (Microsoft Learn).
    • Connect to a VM using Azure Bastion (private IP) (Microsoft Learn).
    • Private Endpoint / Private Link overview & quickstart (Microsoft Learn).



  • 🌥️ The Cloud Above Us

    PIMCO (Newport Beach HQ, CA) 🌍 — Global financial services supporting regions in NA, EMEA, APAC.
    Church (Riverton Office Building, UT) ⛪ — Worldwide infrastructure with 200k employees and over 80k missionaries.
    Monster Energy (Corona HQ, CA) ⚡ — Global enterprise IT operations across NA, EMEA, APAC.
    City National Bank (Downtown LA, CA) 🏙️ — U.S. banking systems at scale.

    A journey across scales: national (CNB), global (PIMCO & Monster Energy), and worldwide (The Church).


    Every IT career tells a story, and mine has moved through three different scales of impact:

    Company-Level Foundations → At PayForward, I migrated an entire OnPrem environment into AWS. That meant setting up VPCs, building HA Exchange clusters with load balancers, and proving the power of cloud for a fast-moving startup.

    Regional / Global Scale → At Monster Energy and PIMCO, the work stretched across North America, EMEA, and APAC. The systems never slept. VMware clusters and M365 tenants had to function as one, even though users were scattered across time zones and continents.

    Worldwide Reach → At the Church, the scale expanded beyond regions. Over 200,000 employees and over 80,000 missionaries, connected by systems that had to reach every corner of the globe, demanded both technical precision and spiritual responsibility.

    This journey shows that the “cloud above us” isn’t just AWS, Azure, or GCP — it’s the ability to design, secure, and sustain systems at every possible scale.

    A colleague once told me: “Automate, or eliminate.” In IT, that isn’t just a clever saying — it’s survival. At the scale of hundreds or even thousands of VMs, EC2 instances, or mailboxes, doing things manually is not just unrealistic — it’s risky. What automation can finish in under 10 minutes might take days or weeks by hand, and even then would be prone to errors.

    That’s why Python, PowerShell, Bash, and automation frameworks became part of my daily toolkit. Not to flaunt, but because without automation, no single engineer could handle the demands of environments as large as PIMCO, Monster Energy, or the Church.


    Snippet 1: AWS (My PayForward Days)

    import boto3
    
    # Connect to AWS S3
    s3 = boto3.client('s3')
    
    # List buckets
    buckets = s3.list_buckets()
    print("Your AWS buckets:")
    for bucket in buckets['Buckets']:
        print(f"  {bucket['Name']}")
    

    From racks of servers to a few lines of Python—that’s the power of AWS.

    Snippet 2: PowerShell + Azure (My Church Years, CNB)

    Connect-AzAccount
    Get-AzResourceGroup | Select ResourceGroupName, Location
    

    One line, and you can see every Azure resource group spread across the world. A task that once required data center visits and clipboards is now just a command away.

    Snippet 3: PHP + GCP (Expanding Horizons)

    // Composer autoloader for the google/cloud-storage package
    require __DIR__ . '/vendor/autoload.php';
    
    use Google\Cloud\Storage\StorageClient;
    
    $storage = new StorageClient([
        'keyFilePath' => 'my-service-account.json'
    ]);
    
    $buckets = $storage->buckets();
    
    foreach ($buckets as $bucket) {
        echo $bucket->name() . PHP_EOL;
    }
    

    Snippet 4: VMware + M365 (Monster Energy, PIMCO, and Beyond)

    # Connect to vCenter and list VMs across data centers
    # (prompt for credentials instead of embedding a password in the script)
    Connect-VIServer -Server vcenter.global.company.com -Credential (Get-Credential)
    Get-VM | Select Name, PowerState, VMHost, Folder
    
    # Quick check of licensed users in M365 (global tenants)
    Connect-MgGraph -Scopes "User.Read.All"
    Get-MgUser -All -Property DisplayName, UserPrincipalName, UsageLocation |
        Group-Object UsageLocation |
        Select Name, Count
    

    One script, and suddenly you’re seeing footprints of users spread across the globe — NA, EMEA, APAC, or even worldwide. That’s the reality of modern IT infrastructure.


    The “cloud above us” is both a literal technology — AWS, Azure, and GCP that I’ve worked across — and a metaphor. It represents resilience, scalability, and unseen support. Just as automation carries workloads we could never handle by hand, life has storms we cannot carry alone.

    From startups making their first move to the cloud, to global financial institutions, to worldwide organizations with hundreds of thousands of users, the lesson is the same: we are not meant to fight every battle manually.

    We are given tools, teammates, and even unseen strength from above to keep moving forward. The same way a script can manage thousands of servers or accounts without error, trust and preparation help us navigate the storms of life with less fear.

    ☁️ Above every storm, there’s always a cloud carrying potential. And above that cloud, always light waiting to break through.

    Before my cloud journey, I also spent nine years in forensic IT supporting law enforcement — a grounding reminder that technology isn’t only about systems and scale, but about accountability and truth.

