Windows Admin Center in the Azure portal - 11 Automating deployment
@20aman Mar 08, 2022This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.
In this post, we will look at how to automate the deployment and how to extend that to perform deployment on multiple VMs at once. You can automated via different ways including ARM templates and PowerShell.
Automating with ARM Template
When using ARM Templates, all you need to do is to deploy a resource of type "Microsoft.Compute/virtualMachines/extensions". The extension name that you are deploying is "AdminCenter" and the publisher for the extension is "Microsoft.AdminCenter". Extension type is also "AdminCenter".
The latest template can be found here: Automate Windows Admin Center deployment using an ARM template
Automating with PowerShell
With PowerShell you are performing the below 3 operations to install the extension:
- Getting the Network Security Group and adding the outbound rule to allow HTTPS traffic on port 443 to the WindowsAdminCenter Service Tag
- Getting the Network Security Group and adding the inbound rule to allow traffic on the Windows Admin Center management port for allowed (or all) IP addresses. You should either not have this rule in case of connectivity on a private IP address. Or lock it down to specific IPs in case of connectivity via Public IP addresses.
- Installing the "AdminCenter" extension using the "Set-AzVMExtension" PowerShell cmdlet.
Use the below PowerShell script from official Microsoft documentation:
$resourceGroupName = <get VM's resource group name>
$vmLocation = <get VM location>
$vmName = <get VM name>
$vmNsg = <get VM's primary nsg>
$salt = <unique string used for hashing>
$wacPort = "6516"
$Settings = @{"port" = $wacPort; "salt" = $salt}
# Open outbound port rule for WAC service
Get-AzNetworkSecurityGroup -Name $vmNsg -ResourceGroupName $resourceGroupName | Add-AzNetworkSecurityRuleConfig -Name "PortForWACService" -Access "Allow" -Direction "Outbound" -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "WindowsAdminCenter" -DestinationPortRange "443" -Priority 100 -Protocol Tcp | Set-AzNetworkSecurityGroup
# Open inbound port rule on VM to be able to connect to WAC
Get-AzNetworkSecurityGroup -Name $vmNsg -ResourceGroupName $resourceGroupName | Add-AzNetworkSecurityRuleConfig -Name "PortForWAC" -Access "Allow" -Direction "Inbound" -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange $wacPort -Priority 100 -Protocol Tcp | Set-AzNetworkSecurityGroup
# Install VM extension
Set-AzVMExtension -ResourceGroupName $resourceGroupName -Location $vmLocation -VMName $vmName -Name "AdminCenter" -Publisher "Microsoft.AdminCenter" -Type "AdminCenter" -TypeHandlerVersion "0.0" -settings $Settings
Extending PowerShell to deploy on multiple VMs
You can extend the PowerShell or the ARM Template to deploy the Windows Admin Center to multiple VMs. You can even leverage Azure DevOps pipelines to deploy these across different environments. I provide the below sample to deploy via PowerShell on multiple VMs in Resource Groups that are identified via a wildcard search. You can modify this script as per your requirements.
You can find the complete up to date script at GitHub here: https://raw.githubusercontent.com/HarvestingClouds/PowerShellSamples/master/Scripts/Enable-WindowsAdminCenter/Enable-WindowsAdminCenter.ps1
#Author: Aman Sharma @ http://HarvestingClouds.com
#Variables
$subscriptionName = "Your Subscription Name"
$salt = "<unique string used for hashing>"
$wacPort = "6516"
$Settings = @{"port" = $wacPort; "salt" = $salt}
try
{
#Setting the Azure context
$env = Get-AzEnvironment -Name "AzureCloud"
Connect-AzAccount -Environment $env
Set-AzContext -SubscriptionName $subscriptionName
#Selecting all RGs that begins with the text. Notice the wildcard in the name
#Update this as per your requirements
$allRequiredRGs = Get-AzResourceGroup -Name "RG-*"
#Iterating on the Resource Groups
foreach($currentRG in $allRequiredRGs)
{
#Fetch all VMs in the current Resource Group
$currentRGName = $currentRG.ResourceGroupName
$VMs = Get-AzVM -ResourceGroupName $currentRGName
#Iterating on all the VMs
foreach ($vm in $VMs)
{
$vmLocation = $vm.Location
$vmName = $vm.Name
#Finding VM's NSG dynamically
$vmNsgId = (Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces.Id).NetworkSecurityGroup.Id
$vmNsg = Get-AzResource -ResourceId $vmNsgId
$vmNsgName = $vmNsg.Name
# Open outbound port rule for WAC service
$vmNsg | Add-AzNetworkSecurityRuleConfig -Name "PortForWACService" -Access "Allow" -Direction "Outbound" -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "WindowsAdminCenter" -DestinationPortRange "443" -Priority 100 -Protocol Tcp | Set-AzNetworkSecurityGroup
# Install VM extension
Set-AzVMExtension -ResourceGroupName $currentRGName -Location $vmLocation -VMName $vmName -Name "AdminCenter" -Publisher "Microsoft.AdminCenter" -Type "AdminCenter" -TypeHandlerVersion "0.0" -settings $Settings
# Open inbound port rule on VM to be able to connect to WAC
$vmNsg | Add-AzNetworkSecurityRuleConfig -Name "PortForWAC" -Access "Allow" -Direction "Inbound" -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange $wacPort -Priority 100 -Protocol Tcp | Set-AzNetworkSecurityGroup
}
}
}
catch
{
Write-Host -ForegroundColor Red "Error while installing extension."
$Error[0]
Write-Host -ForegroundColor Red "Error occured at:"
$Error[0].InvocationInfo.PositionMessage
}