Harvesting Clouds

Windows Admin Center in the Azure portal - Index

Mon, 28 Mar 2022 00:00:00 +0500

This is the Index for the series of blog posts regarding the Windows Admin Center in the Azure portal .

Note that this Index is updated regularly as more posts are added around this topic.

An Easter Egg or hidden feature within the Azure Portal - Simplified View of all resources

Sun, 27 Mar 2022 00:00:00 +0500

My friend Eric Bogenschuetz first showed me about this hidden feature within the Azure portal. This is a borderline easter egg of some sort. Let's look at what it is and how to find it.

The hidden feature

The latest view to view all resources within a Resource Group or all resources for the whole environment within the Azure portal is very advanced with lots of async queries running behind the scene and a lot of features/filtering capabilities etc. Sometimes this view can take time to reflect the changes if there are lots of changes happening at the same time. You are required to refresh the whole page sometimes to circumvent this issue if after multiple refreshes the view still doesn't refresh for you. Luckily there is a "Simplified View" within the Azure portal that can tone down the optimizations and provide you with a very simplified view of all your resources.

How to access it

To access this hidden feature, simply click on the "Refresh" button 5 times within the Resource Group or All Resources in general. You will have to wait between each refresh to let it finish refreshing the view. When you will click the 5th time, instead of refreshing the page, the portal prompts you to switch to a simplified view, as shown below.

If you click on the blue button for "Switch to simplified view" you are shown the simplified view as shown below.

Give it a try yourself. Let me know if you find this interesting.

How to create and use the Storage Event Trigger in Azure Data Factory

Wed, 23 Mar 2022 00:00:00 +0500

In the Azure Data factory, you can create different types of triggers. Those are:

Schedule,
Tumbling window,
Storage events,
Custom events.

In this post, we will be talking about the Storage events type trigger.

Make sure the subscription is registered with the Event Grid resource provider, otherwise you will get an error while publishing the changes. How to register the event grid resource provider go to the link: Register Azure resource Providers.

How to create a trigger from the portal

Go to the author tab of the Azure Data Factory which is #1 in the screenshot and then select your main pipeline.

Step 1

Click on the ‘Add trigger’ then click on ‘New/edit’ to create the new trigger. From the Type dropdown, select the ‘Storage events’.

The next step is to select the subscription, storage account, and the container name within that storage account.

The next input parameters are “Blob path begins with” and “Blob path ends with properties” that allow you to specify the filters for the blob paths for which the events will trigger. One of the below properties needs to be defined for the storage event trigger to work.

Next, select the event on which you want to create the storage events trigger. You can select both or at least one type of event should be selected. If there are any blobs with 0 bytes then "Ignore empty blobs" will ignore those blobs to have a selection on them.

Click Continue to create the preview of the changes on the trigger. If there would be any blobs in the mentioned container that matches the conditions provided while configuring the trigger then it will show all the blobs that satisfied those conditions. Click continue to finish the preview.

If your pipeline has parameters, you can specify them on the "Trigger runs parameter" blade next. The storage event trigger captures the folder path and file name of the blob into the properties @triggerBody().folderPath and @triggerBody().fileName. To use the values of these properties in a pipeline, you must map the properties to pipeline parameters. After mapping the properties to parameters, you can access the values captured by the trigger through the @pipeline().parameters.parameterName expression throughout the pipeline.

To test the trigger, go to the container for which you have defined the trigger and upload any blob which matches with your ‘Blob path ends with’ filter. Once the upload is done, go to the monitor section of the Azure data factory and you will be able to see the trigger and pipeline run logs under the Trigger runs and Pipeline runs.

Below you can view the Trigger runs section:

Below you can view the Pipeline runs section:

As you can see the storage events trigger is very easy to set up in Azure Data Factory and provide a very powerful tool in your arsenal to automate various complex scenarios.

Azure Script Samples - Series Index

Sat, 19 Mar 2022 00:00:00 +0500

This blog is an Index of various blogs and related script samples in the series "Azure Script Samples":

Capacity Reservations experience now available within Azure Site Recovery (ASR)

Mon, 14 Mar 2022 00:00:00 +0500

Capacity Reservations ensure that you get the capacity (in terms of CPU and memory) to start your VMs when you need those. This is a most common requirement when you are performing a failover in a disaster scenario. At that time, chances are that everyone else will also try to perform a failover and there can be a capacity crunch. This often results in "Capacity Allocation" errors and your VMs will not come up. The solution is to either select an alternate SKU (if that is available) or reserve the capacity beforehand.

Now, this experience is inbuilt into Azure Site Recovery (ASR). You have two places where you can set this up.

During Enabling Replication

When you are enabling the replication, you can select the Capacity Reservation Settings. You will be reserving the capacity for the target region where you will failover during a Disaster Recovery scenario.

All you need to do is to select the Capacity Reservation Group. Click on the link above for the "View or Edit Capacity Reservation group assignment". This will open up a window as shown below. Select the group and you are done.

For Already Replicated VMs

For the VMs that are already being replicated, you also have the option to update the Capacity Reservation settings. To this navigate to your Recovery Services Vault. Then navigate to the "Replicated items" under "Protected items" -> then select the VM for which you want to update the settings. Then navigate to the Compute settings under General. This is where you will see the "Capacity Reservation Settings".

Similar to what you did during enabling the replication, you can select a Capacity Reservation Group here.

References:

Understanding Capacity Reservations in Azure

Sat, 12 Mar 2022 00:00:00 +0500

Capacity Reservations ensure that you get the capacity (in terms of CPU and memory) to start your VMs when you need those. This is a most common requirement when you are performing a failover in a disaster scenario. At that time, chances are that everyone else will also try to perform a failover and there can be a capacity crunch. This often results in "Capacity Allocation" errors and your VMs will not come up. The solution is to either select an alternate SKU (if that is available) or reserve capacity beforehand.

Differences

Capacity Reservation is different from Reserved Instances. Here are the key differences:

Time considerations (Term) - Reserved Instance is a commitment to use a resource for a period of time. You get a discount for this commitment. E.g. 1-year or 3-year commitment on a VM. Capacity Reservation doesn't have a time/term commitment. It can be for any duration of time. The capacity is reserved and available immediately until the reservation is deleted.
Linking - Reserved Instance is linked only to the VM size. The Capacity Reservation is defined with the combination of VM size, location, and quantity of instances to be reserved.
Capacity Guarantee (SLA) - Reserver Instances don't guarantee the capacity. If the VM SKU is out of capacity you will get a Capacity Allocation error. Capacity Reservation guarantees capacity availability.
Region vs Availability Zones - Capacity Reservations can be done for a region or an Availability Zone. Reserver Instances are available at the region level e.g. East US or Central US etc.
Billing - Reserved Instances provide you a discount by committing to a term. Capacity Reservations cost you with pay-as-you-go rates for the underlying VM. More on this in the next section.

Pricing

Capacity Reservations are priced at the same rate as the underlying VM size (with pay-as-you-go rates). E.g. You have 4 D4s_v3 VMs for which you reserve the capacity. Then you will be charged for 8 VMs. 4 running VMs (as per their usage) and 4 capacity reservations (regardless of whether you use these or not).

But if you have the Reserved Instances, then Reserved Capacity is provided free of cost.

Also, when you are using the capacity that you reserved via Capacity Reservations then there is no additional charge for the reservation (other than the VM cost for the up and running VM).

Caveats

While creating the Capacity Reservation, the capacity should be available in the target region or Availability Zone, otherwise, the reservation will fail (just like VM creation).
Spot VMs and Azure Dedicated Host Nodes are not supported
Availability Sets are not supported
Deployment constraints like Proximity Placement Group, Update domains, and UltraSSD storage are also not supported
Only Av2, B, D, E, & F VM series are supported right now. The SKUs will expand in near future.
Only the subscription that created the reservation can use it.
Reservations are only available to paid Azure customers

References:

Windows Admin Center in the Azure portal - 11 Automating deployment

Tue, 08 Mar 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In this post, we will look at how to automate the deployment and how to extend that to perform deployment on multiple VMs at once. You can automated via different ways including ARM templates and PowerShell.

Automating with ARM Template

When using ARM Templates, all you need to do is to deploy a resource of type "Microsoft.Compute/virtualMachines/extensions". The extension name that you are deploying is "AdminCenter" and the publisher for the extension is "Microsoft.AdminCenter". Extension type is also "AdminCenter".

The latest template can be found here: Automate Windows Admin Center deployment using an ARM template

Automating with PowerShell

With PowerShell you are performing the below 3 operations to install the extension:

Getting the Network Security Group and adding the outbound rule to allow HTTPS traffic on port 443 to the WindowsAdminCenter Service Tag
Getting the Network Security Group and adding the inbound rule to allow traffic on the Windows Admin Center management port for allowed (or all) IP addresses. You should either not have this rule in case of connectivity on a private IP address. Or lock it down to specific IPs in case of connectivity via Public IP addresses.
Installing the "AdminCenter" extension using the "Set-AzVMExtension" PowerShell cmdlet.

Use the below PowerShell script from official Microsoft documentation:

$resourceGroupName = 
$vmLocation = 
$vmName = 
$vmNsg = 
$salt = 

$wacPort = "6516"
$Settings = @{"port" = $wacPort; "salt" = $salt}

# Open outbound port rule for WAC service
Get-AzNetworkSecurityGroup -Name $vmNsg -ResourceGroupName $resourceGroupName | Add-AzNetworkSecurityRuleConfig -Name "PortForWACService" -Access "Allow" -Direction "Outbound" -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "WindowsAdminCenter" -DestinationPortRange "443" -Priority 100 -Protocol Tcp | Set-AzNetworkSecurityGroup

# Open inbound port rule on VM to be able to connect to WAC
Get-AzNetworkSecurityGroup -Name $vmNsg -ResourceGroupName $resourceGroupName | Add-AzNetworkSecurityRuleConfig -Name "PortForWAC" -Access "Allow" -Direction "Inbound" -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange $wacPort -Priority 100 -Protocol Tcp | Set-AzNetworkSecurityGroup

# Install VM extension
Set-AzVMExtension -ResourceGroupName $resourceGroupName -Location $vmLocation -VMName $vmName -Name "AdminCenter" -Publisher "Microsoft.AdminCenter" -Type "AdminCenter" -TypeHandlerVersion "0.0" -settings $Settings

Extending PowerShell to deploy on multiple VMs

You can extend the PowerShell or the ARM Template to deploy the Windows Admin Center to multiple VMs. You can even leverage Azure DevOps pipelines to deploy these across different environments. I provide the below sample to deploy via PowerShell on multiple VMs in Resource Groups that are identified via a wildcard search. You can modify this script as per your requirements.

You can find the complete up to date script at GitHub here: https://raw.githubusercontent.com/HarvestingClouds/PowerShellSamples/master/Scripts/Enable-WindowsAdminCenter/Enable-WindowsAdminCenter.ps1

#Author: Aman Sharma @ http://HarvestingClouds.com

#Variables
$subscriptionName = "Your Subscription Name"
$salt = ""
$wacPort = "6516"
$Settings = @{"port" = $wacPort; "salt" = $salt}

try
{
    #Setting the Azure context
    $env = Get-AzEnvironment -Name "AzureCloud"
    Connect-AzAccount -Environment $env
    Set-AzContext -SubscriptionName $subscriptionName

    #Selecting all RGs that begins with the text. Notice the wildcard in the name
    #Update this as per your requirements
    $allRequiredRGs = Get-AzResourceGroup -Name "RG-*"

    #Iterating on the Resource Groups
    foreach($currentRG in $allRequiredRGs)
    {
        #Fetch all VMs in the current Resource Group
        $currentRGName = $currentRG.ResourceGroupName
        $VMs = Get-AzVM -ResourceGroupName $currentRGName

        #Iterating on all the VMs
        foreach ($vm in $VMs) 
        {
            $vmLocation = $vm.Location
            $vmName = $vm.Name

            #Finding VM's NSG dynamically
            $vmNsgId = (Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces.Id).NetworkSecurityGroup.Id
            $vmNsg = Get-AzResource -ResourceId $vmNsgId
            $vmNsgName = $vmNsg.Name

            # Open outbound port rule for WAC service
            $vmNsg | Add-AzNetworkSecurityRuleConfig -Name "PortForWACService" -Access "Allow" -Direction "Outbound" -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "WindowsAdminCenter" -DestinationPortRange "443" -Priority 100 -Protocol Tcp | Set-AzNetworkSecurityGroup

            # Install VM extension
            Set-AzVMExtension -ResourceGroupName $currentRGName -Location $vmLocation -VMName $vmName -Name "AdminCenter" -Publisher "Microsoft.AdminCenter" -Type "AdminCenter" -TypeHandlerVersion "0.0" -settings $Settings

            # Open inbound port rule on VM to be able to connect to WAC
            $vmNsg | Add-AzNetworkSecurityRuleConfig -Name "PortForWAC" -Access "Allow" -Direction "Inbound" -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange $wacPort -Priority 100 -Protocol Tcp | Set-AzNetworkSecurityGroup

        }

    }
}
catch 
{
    Write-Host -ForegroundColor Red "Error while installing extension."
    $Error[0]
    Write-Host -ForegroundColor Red "Error occured at:"
    $Error[0].InvocationInfo.PositionMessage
}

Windows Admin Center in the Azure portal - 10 Troubleshooting common issues

Mon, 07 Mar 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In this post, we will look at troubleshooting common issues with the Windows Admin Center.

1. Dealing with the Security prompt while connecting to the Windows Admin Center

If you get a security prompt while connecting to the Windows Admin Center, then click on the "Advanced" button and then click on the link as shown below to continue.

PRO TIP: If you are not able to see the link or the complete text after clicking on the "Advanced" button, press F11 to enter the full-screen mode. This should make the entire text and the link visible. Another way is to set the zoom level to a low number to ensure the whole text is visible.

2. Tools Not loading or Not able to connect

If when trying to access the tools you keep getting the below spinning circle.

And then it keeps turning into "couldn't load" errors.

Solution

Navigate to other tools and then back to the required tool to check if the issue is not limited to the required tool or is across the board for all other tools. If this issue is prevalent with all the tools then try the following steps.

Step #1 - Try refreshing the browser and connecting again to the Windows Admin Center. I know it sounds basic but this saves you from unnecessary troubleshooting.
Step #2 - Make sure that the VM is in the up and running state. We have seen this issue multiple times in our environment.
Step #3 - Make sure that the NSG rules have not been altered and that the network connectivity is still there. If you are connecting from a different location than before, make sure that the inbound connectivity is allowed from your new location to the VM. Network connectivity is another big reason for connectivity failures.
Step #4 - Make sure that the Windows Admin Center service is running on your VM. RDP to the VM and check if ServerManagementGateway / Windows Admin Center service is in the Running state or not.
Step #5 - Make sure you are connecting from Microsoft Edge or Chrome and that you are not using incognito mode.

In most cases, step #2 or #3 will help you resolve the connectivity issues.

3. Windows Admin Center extension not installing

The most usual reason for this error is that your VM doesn't meet the requirements for the Windows Admin Center. Make sure that you are running the Windows Server 2016, 2019 or 2022 as the operating system on the VM and that you have a minimum of 3 GiB memory.

Review all the requirements here: Windows Admin Center requirements

The networking restrictions in your environment are another main cause of causing installation issues. If there are User Defined Routes (via Route Tables) and an Azure Firewall or any Network Virtual Appliance that may cause unsupported configuration.

Windows Admin Center in the Azure portal - 9 Securing inbound connectivity

Sun, 06 Mar 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

The security concern

As we saw in one of the previous posts, when setting up Windows Admin Center it opens the inbound connectivity on the port specified for "Any" Source. This is shown in the Inbound security rules of the Network Security Group (NSG) for the VM.

This is a potential security risk as it leaves the system vulnerable and the port open for access for all attackers on the public internet.

The Solution #1

The solution is very simple. The solution is to lock it down to only a specific IP address or a range of IP addresses. This limits which IP addresses can access Windows Admin Center on the VM.

To be able to do this, you will need to update the Inbound rule on the Network Security Group as shown above and then update the "Source" for the rule. Instead of "Any" change that to the public IP address of the VM from where you are connecting to the Windows Admin Center (within Azure portal). If you know a range of IPs that you will be using then you can specify the range instead.

How to find your current Public IP address

Your ISP will provide you with a dynamic public IP address (unless you purchased a static public IP). To be able to find your public IP address just search for "what is my IP address" and you will find many third-party websites that will show you your current public IP address and possible geographic location. One such website is provided below, just as a reference:

https://www.whatismyip.com/

The Solution #2

The second solution is to simply remove the inbound NSG rule and allow access only on the private IP address. This would mean that you would need to have connectivity to the VM's virtual network from where you are trying to access the Windows Admin Center on the VM (via Azure portal).

This is a much more secure solution and ensures that there is no connectivity allowed from the public IP to the VM.

Windows Admin Center in the Azure portal - 8 Caveats

Sat, 05 Mar 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In the previous posts, we looked at different aspects of the Windows Admin Center from setting it up, to configuring it, and using various tools in it. In this post, we will look at various caveats and know limitations of this product.

1. Usage with Virtual Appliances

Inbound connectivity being redirected by another service (i.e. Network Virtual Appliances, Azure Firewall, etc.) is not supported. You must have inbound connectivity from the Azure portal to one of the direct IP addresses of your VM on the port Windows Admin Center is installed.

Network Virtual Appliance could be a third-party firewall like Palo Alto, Check Point, etc. Azure Firewall, a cloud-native network security service, is another solution that can exist between the communication. If via User Defined Routes (within Route Tables) or any other way the communication is not direct then the Windows Admin Center will not work. Hopefully, this restriction will be removed in near future.

2. Extending Windows Admin Center to Other VMs

Microsoft doesn't support extensions to Windows Admin Center in the Azure portal at the time of writing this post. If you manually installed Windows Admin Center in the VM to manage multiple systems, installing this VM extension reduces the functionality to managing just the VM in which the extension is installed. You will need to uninstall the extension to get back the functionality of managing multiple VMs at once.

3. Usage with Non-public cloud

Windows Admin Center is currently supported only on the Azure public cloud. It is not supported in Azure China, Azure Government, or other non-public clouds.

4. Supported Browsers/Apps

Windows Admin Center is currently supported only on the Microsoft Edge or Chrome browsers. Chrome Incognito mode isn't supported for now. Also, the Azure portal desktop app is not supported.

Reference: Use Windows Admin Center in the Azure portal to manage a Windows Server VM

Windows Admin Center in the Azure portal - 7 Various Tools - Part 2

Fri, 04 Mar 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In the previous post, we looked at the first 9 tools in the Windows Admin Center. In this post, we will explore more tools present in it. These tools are what provide server management functionality.

10. Processes

With Processes, you can view all the processes on the VM. You can also start a new process or end an existing one.

11. Registry

In the Registry tool, you can view the existing registries. You can also export or create a new registry.

12. Remote Desktop

From the remote desktop, you can connect to the VM and perform VM operations (that you can't from the Windows admin center. First, you provide the credentials and connect to the VM.

Then, once you are connected you can perform operations on the VM, or disconnect. You also have the option to send the Ctrl+Alt+Del keyboard combination to the VM.

13. Roles & features

From roles and features, you can view current roles and features and also add/install new ones.

14. Scheduled tasks

With scheduled tasks, you can view the "Task Scheduler Library". Here you can view all the existing tasks or you can create new tasks. You can also enable and disable existing tasks.

15. Security

Security is where you can access the Virus and threat protection. You can create or schedule a new scan and view the protection history. You can schedule daily or weekly scans here.

16. Services

The Services tool is similar to the "services.msc" management tool on the VM. It lets you manage all the services. You can Start and Stop any service. You can also change different settings for a service like a startup mode, log-on account, recovery options, etc.

17. Storage

Storage tool is similar to disk management. You can view all the disks and volumes in the VM here. You can also create a new volume or initialize a disk here. Imagine you added or upgraded a disk in the Azure portal. You can then visit this tool and initialize that new disk and create a volume from the same.

18. Updates

Updates tool lets you manage the updates on the VM. You can view available updates and also trigger the installation of the same. You can also view the Update history.

These are all the tools that are available in the Windows Admin Center today. The best way to learn about each is to play around and experiment with these tools on a demo VM.

In the next post, we will look at some caveats with the Windows Admin Center.

Windows Admin Center in the Azure portal - 6 Various Tools - Part 1

Thu, 03 Mar 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In the previous post, we looked at various sections of the Windows Admin Center. In this post, we will explore the different tools present in it. These tools are what provide server management functionality. Without waiting let's jump right into it.

1. Certificates

The certificates section allows you to review and manage the certificates on the VM. It shows you how many have expired and how many are healthy. It also allows you to view various certificates and to import certificates into a particular store. You can also view certificate-related events.

2. Devices

The devices tool is basically your "Device Manager". It lets you view and enable or disable devices. It also lets you update the driver for the selected device. You can view details regarding each device and it's driver e.g. driver date and version, etc.

3. Events

The events tool is essentially your "event viewer". It lets you view the following types of events:

Administrative logs
Windows logs
Applications and services logs

You can also export or clear the logs from here as well.

4. Files & file sharing

In the Files and file sharing you can manage the files on the VM. With Files, you can browse to the files, rename these, create new folders, delete files, move these, upload files, etc. With file shares, you can view different file shares, create new shares, edit the settings of the shares, grant permissions, enable SMB encryption, etc.

5. Firewall

The firewall tool lets you manage the firewall on the VM. It lets you view the firewall status for the Domain, Private and Public areas. It also lets you view the inbound and outbound rules. You can also create new rules for the incoming and outgoing traffic here.

6. Installed apps

In the installed apps, you can view all the installed apps. You can also remove any app directly from here as well.

7. Local users & groups

The tool for local users and groups you can manage all users and groups. For users, you can view current users, manage their memberships and create new local users. Under groups, you can view groups, add users to the existing groups, create new groups, delete existing groups, etc.

8. Performance Monitor

In performance monitor, you need to create a workspace to view the performance counters.

You can view all the counters that you can locally on the laptop. You can save the settings once you have set these up for easy viewing next time.

9. PowerShell

The PowerShell tool lets you connect to a PowerShell session as if you are logged into the VM. You can run all the PowerShell commands as if you are inside the VM.

In the next post, we will continue looking at more tools within Windows Admin Center.

Windows Admin Center in the Azure portal - 5 Working with it

Wed, 02 Mar 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In the last post, we saw how to connect to the Windows Admin Center. In this post, we will explore it in detail. It helps you to manage the Windows Server directly from the Azure portal similar to the on-premises version of the Windows Admin Center.

Getting Familiar with the UI

Let's start by getting familiar with the User Interface (UI) of the Windows Admin Center.

As you see above, the various parts of the Windows Admin Center are as below. Note that the line item corresponds to the number in the above screenshot.

At the top you select the connection type. You have Server Manager selected. Other choices include Computer Management and Cluster Management. These choices are not relevant right now but will be helpful in the near future to manage the Computers and Clusters.
The main page can be accessed from the Overview screen. This is the default screen that is presented when you open Windows Admin Center. We will discuss more on this in points #5 and #6 below.
There are various tools in this section. Use the vertical scroll bar to view all of these tools.
You can view different Settings on the VM from here.
You can use the Connect option in the Overview page to either do Remote Desktop or open a PowerShell session to the computer.
The main page for the Overview provides lots of detail for the VM including internal computer name, domain, operating system, version, memory, disk space, processor, uptime, etc. This also provides the graph for CPU, memory, and network usage.
This option shows you various PowerShell script samples for the tool that you have selected from the #3 section above. E.g. for the Installed apps section, it shows you commonly used scripts like enabling and disabling features, removing apps, etc.
This is the notification section for the whole Windows Admin Center
This is the Settings section for the whole Windows Admin Center which includes accounts management (with which you connected to it), language/region selection, personalization (selection of light or dark modes), and various other settings.

Using Azure services in Windows Admin Center

To be able to use Azure services in the Windows Admin Center you need to register the gateway with Azure. You can do so by navigating to the settings and then going to Account i.e. the first setting. Then click on the link for "Register with Azure".

VM Settings

Navigate to the VM settings by clicking on the Settings under the tools section (on the left bottom corner). Here you can manage the below settings:

File Shares (SMB Server) settings
Environment Variables - both user and system variables
Power Configurations

You can not only view the settings but also add/update the settings. E.g. you can create a new environment variable for the user or system. Or you can update the power configuration to a balanced, high-performance, or power saver.

Windows Admin Center Settings

The Windows Admin Center Settings can be accessed by clicking on the gear icon on the top right section. These settings are clubbed into 3 categories which include:

User settings
Development settings
Gateway settings

User settings deal with the account, language, region, personalization-related settings. This is where you select if you want the default light mode or the dark mode.

The development settings section is where you can enable the toolset to build extensions for the Windows Admin Center itself. It allows you to collect performance data as well.

The gateway section allows you to control the gateway settings i.e. how you connect to the Windows Admin Center.

In the next post, we will look at various tools present in the Windows Admin Center.

Windows Admin Center in the Azure portal - 4 Connecting to it

Tue, 01 Mar 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In the previous blogs, we saw how to set up the Windows Admin Center and looked at what happens under the hood in setting it up. Now let's look at how to connect to it.

Connecting

To connect to the Windows Admin Center:

Navigate to the VM, then under the Settings click on the "Windows Admin Center".
In the middle of the blade, select the public or private IP address of the VM to connect to.
And then click on the "Connect" button.

Next, it will ask you to log in to Windows Admin Center using your machine's admin credentials. Note these are the local machine admin credentials (and not the Azure portal user credentials).

If you get a security prompt, then click on "Advanced" and then click on the link as shown below to continue.

Finally, click on the gateway to connect.

You are now finally connected with the Windows Admin Center. Explore the different options available to you here to manage your server.

We will explore these options in detail in the upcoming posts.

Windows Admin Center in the Azure portal - 3 Under the hood

Mon, 28 Feb 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In the previous post, we looked at how to set up the Windows Admin Center. In this post, we will take a look at what the setup performed under the hood.

There are various actions that are performed when installing the Windows Admin Center in the Azure portal. The primary actions are:

Updating the NSG (Network Security Group) for the VM to open inbound and outbound traffic
Installation of the relevant extension

Let's look at these in detail.

Extension Added

The setup installs the extension for the Admin Center as shown below. The name of the extension is "AdminCenter and the type of the extension is "Microsoft.AdminCenter.AdminCenter". Make sure that the status is set to "Provisioning succeeded". If not, then you won't be able to connect to the Windows Admin Center.

Outbound rule added in the NSG

Next, navigate to the NSG of the VM and look at the outbound rules. You will find that the setup added an outbound rule allowing the TCP traffic on port 443 i.e. HTTPS to the Service Tag for Windows Admin Center. The priority is set to the smallest i.e. 100 so that this rule will be evaluated first.

Inbound rule added in the NSG

Next, navigate to the NSG of the VM and look at the inbound rules. If you selected, the setup opened the management port e.g. 6516 for Windows Admin Center connectivity to the VM for any protocol, any source, and any destination. The priority is set to the smallest i.e. 100 so that this rule will be evaluated first.

NOTE: This is only good for testing. In a production scenario, you should either restrict this rule to a particular IP address or make sure you have connectivity to the virtual network where the VM is deployed.

Communication details

Traffic from the Azure portal to Windows Admin Center running on your VM uses HTTPS. Therefore all traffic is encrypted. Your Azure VM is managed using PowerShell and WMI over WinRM.

Implementation details

As we saw Windows Admin Center is installed via an extension on the VM. From official documentation this is how the extension provides the functionality: This extension connects to an external service that manages certificates and DNS records so that you can easily connect to your VM. Each Azure VM that uses the Windows Admin Center extension gets a public DNS record that Microsoft maintains in Azure DNS. We hash the record name with a salt to anonymize the VM's IP address when saving it in DNS - the IP addresses aren't saved in plain text in DNS. This DNS record is used to issue a certificate for Windows Admin Center on the VM, enabling encrypted communication with the VM.

Reference: Use Windows Admin Center in the Azure portal to manage a Windows Server VM

Now that we know how it works, in the next post, we will start working with the Windows Admin Center to manage our servers.

Windows Admin Center in the Azure portal - 2 Setting it up

Sat, 26 Feb 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

In the previous blog, we talked about what is Windows Admin Center. In this blog, we will look at setting it up in the Azure portal.

Setup

The setup for Windows Admin Center is very easy and most of the stuff is automated for you. Just navigate to the VM after ensuring that it meets the pre-requisites (as detailed in the previous blog). It can only be from one of these OS: Windows Server 2016, Windows Server 2019 or Windows Server 2022 and needs to have at least 3 GiB of memory. Right now it is available only in the Azure public cloud.

Follow these steps to set it up:

Under settings, navigate to the option for "Windows Admin Center" as shown below.
Select the Inbound port for connectivity to the Windows Admin Center. Also, select the first check box for opening inbound connectivity to this port. NOTE: This is only required if you don't have connectivity to the virtual network of the VM. Select the second check box to open the outbound connectivity for Windows Admin Center to install.
Once selections are made, click on the Install button.

That's all there is to the setup. Next, we will see what it does under the hood and how to connect to and work with the Windows Admin Center.

Windows Admin Center in the Azure portal - 1 Intro to the Easiest Server Management

Fri, 25 Feb 2022 00:00:00 +0500

This blog is a part of the Windows Admin Center in the Azure portal series. You can find the Index of this series here: Windows Admin Center in the Azure portal.

Performing administrative tasks on Windows servers is one of the main activities in the day-to-day life of a system admin. If you are managing Azure infrastructure and also performing server management then you need to go to the Azure portal daily and also need to log into the VMs from time to time. What if you can perform both activities from just one area without the need to log into the VM. This is where the Windows Admin Center comes into the picture.

Windows Admin Center is now available directly in the Azure portal for Windows server VMs. It helps you manage various aspects of the server without requiring you to log into the VM itself via RDP (remote desktop) or remote into it via PowerShell.

Cost

There is no cost to using the Windows Admin Center in the Azure portal.

Functionality support

At the time of writing of this post, the below functionality is supported:

Certificates
Devices
Events
Files and file sharing
Firewall
Installed apps
Local users and groups
Performance Monitor
PowerShell
Processes
Registry
Remote Desktop
Roles and features
Scheduled tasks
Services
Storage
Updates

Pre-requisities

To be able to install the Windows Admin Center in Azure, you need to ensure the following:

The OS of the VM should be Windows Server 2016, Windows Server 2019, or Windows Server 2022
At least 3 GiB of memory
Be in any region of an Azure public cloud (it's not supported in Azure China, Azure Government, or other non-public clouds)

There are also networking requirements to allow the traffic:

Outbound internet access or an outbound port rule allowing HTTPS traffic to the Windows Admin Center service tag
An inbound port rule if using a public IP address to connect to the VM (not recommended)

Note that the inbound rule is only required when using the Public IP address. If you are connected to the virtual network and have connectivity to the VM then the inbound rule is not required. These rules are auto-created when enabling the Windows Admin Center.

Requirements for connecting VM

The VM or laptop you will use to connect to the Windows Admin Center (via Azure portal), also has a couple of requirements:

You should be using a modern browser. Officially supported browsers are Edge and Chrome.
Either connectivity via the Public IP or access to the virtual network that's connected to the VM. The latter is the recommended and more secure approach.

In the next post, we will set it up and will also take a look under the hood.

Protecting Recovery Services Vaults with Resource Guard and Multi-user authorizations

Fri, 18 Feb 2022 00:00:00 +0500

You want to control access to Recovery Services Vault and what kind of operations are allowed on the same, you can now do so using the Resource Guard. It is another resource in Azure that you can

Scenario and Permissions

Let's assume that there are two people at your organization. One who is responsible for the security and another who is responsible for performing backup-related operations. The security wants to limit the backup administrator's operations. Let's classify these people into two roles:

Backup Admin - He is the owner of the Recovery Services Vault and needs to perform various operations.
Security Admin - He is the gatekeeper of the critical operations that occur on the vault and controls permissions that the Backup admin needs to perform his job.

Permissions on the Resource Guard - The Security admin needs to be the owner of the Resource Guard. The Backup admin must not have any permission to the Resource Guard.

Caveats

Below are some of the caveats that you should be aware of:

The Backup admin must not have Contributor permissions to the Resource Guard in any scenario. The Resource Guard must be owned by a different user than the backup admin.
You can place Resource Guard in a subscription or tenant different from the one containing the Recovery Services vault to provide better protection.
This feature is currently supported for Recovery Services vaults only and not available for Backup vaults.
Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use Microsoft.RecoveryServices provider.

Resource Guard Creation

Just search for "Resource Guard" in the search box on the Azure portal and navigate to the section. Click on the "+ Create" button to create a new Resource Guard. Fill in the name and other defaults and hit Create. That's it.

Navigate to the resource guard resource once ready.

Enabling and Disabling Operations in Resource Guard

Follow the below steps to enable/disable the protected operations. The numbers correspond to the numbers in the screenshot.

Navigate to your Resource Guard resource. Then navigate to the properties section.
Provide a description. This would appear in the vaults that are protected using this Resource Guard.
Enable and Disable the protected operations next as shown below.

Adding Backup admin as Reader on the Resource Guard

To enable MUA on a vault, the backup admin of the vault must have a Reader role on the Resource Guard or subscription containing the Resource Guard. Grant the Reader role to the backup admin user from the "Role assignments" under the "Access control (IAM)" for the Resource Guard resource.

Enabling Multi-User Authorization on the Recovery Services Vault

To set up the Multi-User Authorization on the Recovery Services Vault, navigate to the vault and link it to the Resource Guard resource. To do this navigate to the properties of the vault and select the "Update" link under the Multi-User Authorization setting.

Next, select the check box for the "Protect with Resource Guard" and select the radio button for the "Select Resource Guard". To select the actual resource for the Resource Guard, click on the "Select Resource Guard" link.

In the next blade, select your directory and then the resource guard resource under that from the list. Hit select and then Save in the previous blade.

This should set it up for you. Now the operations you disabled can't be performed on the recovery services vault by the backup admin.

Authorize critical (protected) operations

If for any reason you want to allow the critical i.e. protected operations then the recommended approach is to leverage Privileged Identity Management (PIM) and have the backup admin elevate their access from Reader to a Contributor on the Resource Guard resource. An alternative is to manually update these role assignments on the Resource Guard resource. PIM is the recommended approach as it time bounds the authorization providing just-in-time (JIT) access that is auto-revoked after allowed time.

Official documentation link: Multi-user authorization using Resource Guard

Mount point changes and Non-standard SWAP disk creation on Linux VMs in Azure

Sat, 05 Feb 2022 00:00:00 +0500

When you try to modify the SWAP disk or work with the temporary disk and want to change the mount point and related configurations. For example, you may want to change the default mount point of "/mnt" to "/mnt/resources". The issue we have seen is that the changes work but only till you restart. Once you restart the VM then the configurations are reverted and the issue still persists. You always want to restart the VM to verify that the configurations stay as per your requirements after the reboot.

When searching online the official documentation takes you here: Swap file is not re-created after a Linux VM restarts. Make sure you have reviewed that and have tried the steps in that link.

General Relevant Linux Commands

Below commands are very helpful when troubleshooting this type of issues to check various configurations:

df -Th - This allows you to check the drives i.e. mapped formatted and partitioned drives. This command displays information about total space and available space on a file system formatted in a table.
free -h - This command allows you to check the memory and swap space. It shows you total, used, shared, cache, and available memory.
swapon -s - This command is used to check the swap status.
cat /etc/fstab - This shows you the content of the fstab in the "/etc" directory. This is the Linux system's filesystem table. This is a configuration table designed to ease the burden of mounting and unmounting file systems to a machine.
fdisk -l - This is for format disk. It is a dialog-driven command in Linux used for creating and manipulating disk partition table. "-l" option is used to list all disk partitions.
lsblk - This command lists information about all available or the specified block devices.

Use these commands to view the current state of your VM disks and to validate the settings.

The working fix

If your issue still persists then try the steps below.

Step 1 - Create the directory where you want to mount the temp (or ephemeral) disk

mkdir /mnt/resource

Step 2 - Create the configuration file for custom ephemeral disk mount in the cloud configuration daemon folder.

touch /etc/cloud/cloud.cfg.d/00-custom-ephemeral-mount.cfg

Step 3 - Update the contents of the file by using the below command.

echo "mounts:
- ["ephemeral0", "/mnt/resource"]" >> /etc/cloud/cloud.cfg.d/00-custom-ephemeral-mount.cfg

Step 4 - Edit the /etc/waagent.conf file and change the mount point over there using "string editing" tool command. Waagent is the Azure Agent configuration file.

sed -i 's/ResourceDisk.Format=n/ResourceDisk.Format=y/g' /etc/waagent.conf

Step 5 - Per the application/database requirements allocate the swap size in /etc/waagent.conf file. Search and update the below line as per your requirements

ResourceDisk.SwapSizeMB=x
#Replace x with your required Swap size in MBs e.g. ResourceDisk.SwapSizeMB= 2048MB

Step 6 - Reboot the server and validate the settings.

This should fix your settings. Let us know if it did or not. Share other tips that helped in your scenario in the comments below.

Finding certified VM SKUs in Microsoft Azure for SAP deployments

Tue, 25 Jan 2022 00:00:00 +0500

When dealing with the SAP deployments on Azure infrastructure you want to ensure that you select the VM SKUs that are certified by SAP. This ensures that your deployment is supported by SAP when you need it.

The Certified and Supported SAP HANA® Hardware are documented here: https://www.sap.com/dmc/exp/2014-09-02-hana-hardware/enEN/#/solutions?filters=v:deCertified;ve:24;range%23c:memorySize%23v:184cd506-70e0-43a7-b75b-67803ce28b06%23v:ms10

Note that the filters in the above link are set to memory size between 2800 GiB-4 TiB and the vendor is set to Microsoft Azure. You can alter the filters as per your requirements.

Microsoft has also documented SAP certifications and configurations running on Microsoft Azure here: https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/sap/sap-certifications

To look for the availability by the region of the SKUs for HANA Large Instances you can find those here: https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/sap/hana-available-skus

And finally, the SAP Note for the certified general VM SKUs can be found in note number 1928533 - SAP Applications on Azure: Supported Products and Azure VM types - SAP ONE Support Launchpad. The direct link to this SAP note can be found here: https://launchpad.support.sap.com/#/notes/1928533. Note that you will need an SAP ID to be able to view the SAP Note.

Hopefully, this information help you with the planning of the infrastructure in Azure for SAP deployments.

Enhanced Monitoring Agent for SAP workloads in Azure - Fix for a common issue

Thu, 20 Jan 2022 00:00:00 +0500

If you have followed our previous blog to validate and troubleshoot the SAP enhanced monitoring extension in Azure and are facing an issue where the extension gets installed and shows as provisioning succeeded but still doesn't integrate with the SAP system. When you run dump ccm for the SAP OS Collector you get the status as "False" for the "Enhanced Monitoring Access".

If you want to review the previous troubleshooting and validation blog you can visit the same here: Troubleshooting & Validating - Enhanced Monitoring Agent for SAP workloads in Azure

Easy fix

The easy fix for this is to restart the SAP Host Agent. Just run the below commands (as a user with root authorization) to restart the saphostexec process:

./saphostexec -restart

Now validate the integration status again by running the below commands:

cd /usr/sap/hostctrl/exe
./saposcol -d
dump ccm

The status should now be set to True for the "Enhanced Monitoring Access".

Problem with the Easy Fix

The problem that you may encounter is that when you reboot the VM, there are chances that the status can again switch back to False. The potential reason for this is that the SAP OS Collector becomes ready first before the Azure Enhanced Monitoring agent becomes ready. This causes the issue as the SAP OS Collector reports that the extension is not available even though it is installed. This is why restarting the host agent fixes the issue temporarily.

Permanent Resolution

The recommendation is to increase the Azure Extension wait time to 6 minutes. To set the wait time to 6 minutes, the below environment is needed to be set.

SAPOSCOL_AZURE_EXTENSION_WAITTIME=360

Run the below command to set the environment variable:

echo "export SAPOSCOL_AZURE_EXTENSION_WAITTIME=360" >> /etc/profile

This would update the system-wide profile.

Let us know if this fixed your issue. If you found alternate fixes, please post those in the comments below.

Troubleshooting & Validating - Enhanced Monitoring Agent for SAP workloads in Azure

Sun, 16 Jan 2022 00:00:00 +0500

In the previous blog post, we saw how to install the enhanced monitoring extension for SAP workloads in Azure. We looked at various caveats linked to the installation and pre-requisites etc. You can view that post here: Installing Enhanced Monitoring Agent for SAP workloads in Azure. In this post, we are going to troubleshoot the extension-related common issues for SAP workloads in Azure.

1. Checking the pre-requisites

As discussed in the previous post, ensure that the below pre-requisites are in place before you start:

This extension needs internet access to the URL "management.azure.com". If this is not set up or you have locked the access, please ensure that you open this access in your environment.
If you have already had an older version of the extension already installed, make sure to uninstall the older VM extension before switching between the standard and the new version of the Azure Extension for SAP.
Make sure you are using SAP Host Agent 7.21 PL 47 or higher.
You have SUSE SLES 15 or higher. Or you have Red Hat Enterprise Linux 8.1 or higher.
You are using Azure Ultra Disk or Standard Managed Disks for your SAP workloads

2. Validating the extension is installed successfully or not

Run the below command to search for the enhanced monitoring extension-related files.

ls -al /var/lib/waagent/ | grep AzureCAT

There should be 3 processing that should be installed:

Microsoft.AzureCAT.AzureEnahncedMonitoring.MonitorX64Linux_xxxxxx.zip
Microsoft.AzureCAT.AzureEnahncedMonitoring.MonitorX64Linux.xx.manifest.xml
Microsoft.AzureCAT.AzureEnahncedMonitoring.MonitorX64Linux-version

The output should look something like the below:

3. Validating the extension process is up and running or not

Command (requires sudo):

ps -ax | grep AzureCAT

The output should have an entry for the relevant process running as shown below:

4. Check Enhanced Monitoring status in SAP OS Collector

Run the below commands (may required sudo access):

cd /usr/sap/hostctrl/exe
./saposcol -d
dump ccm

Scroll down and check the output: Required result: The Enhanced Monitoring Access should have TRUE in front of it and the output will contain various metrics. If not then keep following the post for troubleshooting tips.

5. Validating the Extension is sending metrics

Validate the extension by running the below command from inside the SAP VM:

curl http://127.0.0.1:11812/azure4sap/metrics

This should output various metrics. If it doesn't then the extension is not working and you need to troubleshoot further.

6. Validating and Fixing the Extension

This step resolves most of the issues. Test the extension by just running the below cmdlet.

Test-AzVMAEMExtension -ResourceGroupName "Your-Resource-Group-Name" -VMName "Your-VM-Name"

The PowerShell cmdlet will deploy/redeploy the extension and fix any configuration issues. You might have to wait up to one hour until all counters start showing up.

Reboot the VM once and validate the extension again using the previous steps.

7. Still Having issues

If you are still having issues, then try this subsequent blog for a fix for a common issue: Enhanced Monitoring Agent for SAP workloads in Azure - Fix for a common issue

References

Troubleshooting SAP note: 2191498 - SAP on Linux with Azure: Enhanced Monitoring - SAP ONE Support Launchpad.

Link: https://launchpad.support.sap.com/#/notes/2191498

Installing Enhanced Monitoring Agent for Multiple SAP workloads in Azure - Code Sample

Fri, 14 Jan 2022 00:00:00 +0500

In the previous blog post, we saw how to install the enhanced monitoring extension for SAP workloads in Azure. We looked at various caveats linked to the installation and pre-requisites etc. You can view that post here: Installing Enhanced Monitoring Agent for SAP workloads in Azure. In this post, I want to share the script sample for installing the extension for multiple VMs in a single go.

Latest Sample Location on GitHub

You can find the latest script sample in my GitHub repository here: https://github.com/HarvestingClouds/PowerShellSamples/tree/master/Scripts/Install-SAPMonitoringExtensionInLoop

The raw version can be found directly here: https://raw.githubusercontent.com/HarvestingClouds/PowerShellSamples/master/Scripts/Install-SAPMonitoringExtensionInLoop/Install-SAPMonitoringExtensionInLoop.ps1

The script sample and details

Just like for a single VM, the script uses the "Set-AzVMAEMExtension" cmdlet to install the extension with the "InstallNewExtension" switch. In this scenario, we pull all VMs from a single or multiple resource groups. The resource group is selected either based on the wildcard match or you can specify a particular resource group name as well. Each VM is then checked if this is Linux or Windows. Make sure that all the VMs have SAP workloads before proceeding with the installation. You can also uninstall the extension if it is not aplicable on any of the VM later.

The script sample is also provided below for your easy reference.

<#  
 .NOTES
    ==============================================================================================
    File:       Install-MonitoringExtensionInLoop.ps1

    Purpose:    To Install Monitoring Extension In Loop

    Version:    1.0.0.0 

    Author:     Aman Sharma
    ==============================================================================================
 .SYNOPSIS
    Installs monitoring extension in loop on Linux VMs

 .DESCRIPTION
    This script is used to Installs monitoring extension in loop on Linux VMs

 .EXAMPLE
    C:\PS>  .\Install-MonitoringExtensionInLoop.ps1

    Description
    -----------
    This command executes the script with default parameters.

 .INPUTS
    None.

 .OUTPUTS
    None.

 .LINK
    https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/sap/deployment-guide#2ad55a0d-9937-4943-9dd2-69bc2b5d3de0
#>

#Inputs
$subscriptionName = "you-subscription-name"

#Adding Azure Account and Subscription
$env = Get-AzEnvironment -Name "AzureCloud"
Connect-AzAccount -Environment $env
Set-AzContext -SubscriptionName $subscriptionName

#Selecting all RGs that begins with the text. Notice the wildcard in the name
#TODO: Update this to a specific resource group or a similar query with wildcards
$allSapRGs = Get-AzResourceGroup -Name "RG-IT-*"

foreach($currentRG in $allSapRGs)
{
    #Fetch all resources in the RG
    $currentRGName = $currentRG.ResourceGroupName
    $VMs = Get-AzVM -ResourceGroupName $currentRGName

    #Iterating on the VMs
    foreach ($vm in $VMs) 
    {
        $VMName = $vm.name
        $osType = $vm.StorageProfile.OsDisk.OsType
        Write-Host "Working on VM: $VMName"

        if ($osType -eq "Linux") {
            Write-Host "VM $VMName is a Linux VM. Proceeding with the installation."
            try {
                Set-AzVMAEMExtension -ResourceGroupName $currentRGName -VMName $VMName -InstallNewExtension

                Write-Host -ForegroundColor Green "Installed the extension on the VM $VMName"
            }
            catch {
                Write-Host -ForegroundColor Red "Error while installing extension."
                $Error[0]
                Write-Host -ForegroundColor Red "Error occured at:"
                $Error[0].InvocationInfo.PositionMessage
            }
        }
        else {
            Write-Host "VM $VMName is not a Linux VM"
        }

    }
}

Enhanced Monitoring Agent for SAP workloads in Azure - Details and Installation

Wed, 12 Jan 2022 00:00:00 +0500

For any SAP deployment in the Microsoft Azure, you want to deploy the enhanced Azure Extension for SAP, which is available in the Azure Extension Repository in the global Azure datacenters. The new extension was built to be able to monitor all Azure resources of a virtual machine. It supports additional storage options, for example, Standard Disks and operating systems.

Pre-requisites

The pre-requisites are as follows:

This extension needs internet access to the URL "management.azure.com". If this is not set up or you have locked the access, please ensure that you open this access in your environment.
If you have already had an older version of the extension already installed, make sure to uninstall the older VM extension before switching between the standard and the new version of the Azure Extension for SAP.
Make sure you are using SAP Host Agent 7.21 PL 47 or higher.
You have SUSE SLES 15 or higher. Or you have Red Hat Enterprise Linux 8.1 or higher.
You are using Azure Ultra Disk or Standard Managed Disks for your SAP workloads

Installing on a single VM

Before proceeding, you want to ensure that you have the Azure PowerShell module installed. You can do so by simply running the below cmdlet. You can learn more here: Install the Azure Az PowerShell module.

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Installing on a single VM is as easy as running the "Set-AzVMAEMExtension" PowerShell cmdlet with the "InstallNewExtension" switch. Run the below script to install it on a specific VM.

#Set the Azure context
$env = Get-AzEnvironment -Name 
Connect-AzAccount -Environment $env
Set-AzContext -SubscriptionName 

#Install the Azure Enhanced Monitoring Extension
Set-AzVMAEMExtension -ResourceGroupName  -VMName  -InstallNewExtension

Installing on multiple VMs

You can loop on the above script and can install the Monitoring extension on multiple VMs. I will also provide a code sample to do this easily and will post a blog about the same. You can view that post and the sample code here: Installing Enhanced Monitoring Agent for Multiple SAP workloads in Azure - Code Sample.

Testing the extension

You can test the extension by running the below PowerShell cmdlet.

Test-AzVMAEMExtension -ResourceGroupName "Your-Resource-Group-Name" -VMName "Your-VM-Name"

Validating and Troubleshooting the extension

You can validate the extension and troubleshoot it in this subsequent blog in detail: Troubleshooting & Validating - Enhanced Monitoring Agent for SAP workloads in Azure.

Supportability for this Extension

Support for the Azure Extension for SAP is provided through SAP support channels. If you need assistance with the Azure VM extension for SAP solutions, please open a support case with SAP Support. Microsoft support cases are generally closed for this reason. We also look at troubleshooting this extension in an upcoming blog.

Details on the Metrics provided

The detail of the metrics provided is documented in the SAP Note 2178632. You can find this note located here: 2178632 - Key Monitoring Metrics for SAP on Microsoft Azure - SAP ONE Support Launchpad.

Other References:

Grant access to Azure Storage Accounts for Azure resource instances

Wed, 05 Jan 2022 00:00:00 +0500

You can now grant access to resource instances to Azure Storage Accounts. This further secures and restricts storage account access only to your application's Azure resources.

Resource instances must be from the same tenant as your storage account, but they can belong to any subscription in the tenant. Internally it uses system-assigned managed identity for the selected Azure resources.

Granting access

Follow the below steps to set up access to Resource Instances:

Step 1 - You can start by navigating to your Storage Account and then navigating to the Networking under "Security + networking"
Step 2 - Scroll down to the section named "Resource instances"
Step 3 - Select the Resource Type as per your requirements
Step 4 - Select the instance name.

You have various options for the instance name selection:

You can select an individual instance name.
You can also select "All in current tenant" to select all resources of that type in the current tenant's all subscriptions.
You can also select "All in current subscription" to select all resources of that type in the current subscription.
You can also select "All in current resource group" to select all resources of that type in the current resource group.

Controlling allowed operations

The types of operations that a resource instance can perform on storage account data are determined by the Azure role assignments of the resource instance. You can assign these using the system-assigned managed identity of the resource on the Storage Account's RBAC settings.

Reference: You can read more on the official documentation here: Grant access from Azure resource instances

Enabling Storage Account access to virtual networks in other regions

Mon, 03 Jan 2022 00:00:00 +0500

Within Azure Storage Accounts, the Service endpoints work with the virtual networks in the same region or the paired regions. You can extend this functionality to virtual networks in other regions by enabling the AllowGlobalTagsForStorage feature for your subscription.

Enabling the feature

You can enable the feature by running the below script. This essentially uses the "Register-AzProviderFeature" cmdlet to register the feature named "AllowGlobalTagsForStorage".

$subscriptionName = "Your-Subscription-Name"

#Adding Azure Account and Subscription
$env = Get-AzEnvironment -Name "AzureCloud"
Connect-AzAccount -Environment $env
Set-AzContext -SubscriptionName $subscriptionName

#Registering or Enabling the feature
Register-AzProviderFeature -ProviderNamespace Microsoft.Network -FeatureName AllowGlobalTagsForStorage

Caveats

If you registered the AllowGlobalTagsForStorage feature, and you want to enable access to your storage account from a virtual network/subnet in another Azure AD tenant, or in a region other than the region of the storage account or its paired region, then you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Azure AD tenants or in regions other than the region of the storage account or its paired region, and hence cannot be used to configure access rules for virtual networks in other regions.

Reference: Configure Azure Storage firewalls and virtual networks

Quick Tip - Finding SLA of any Azure service

Wed, 29 Dec 2021 00:00:00 +0500

If you are architecting a solution around Azure services, you will need to find the Service-level agreements (SLA) for the related Azure services. This is important to be factored into your solution designs as it will impact the availability and uptime of the service in your solution.

Finding the SLA of Azure Services

To find the Service-level agreements (SLAs) for any Azure service navigate to this link: Service-level agreements for Azure services.

Here you can search for any Azure service and find the SLA for the same. E.g. to find the SLA for Azure Site Recovery (ASR) navigate to the Management category and then click on the "Azure Site Recovery" option.

This will take you to the SLA details link for the ASR.

Providing an internal SLA for the services

Note that in addition to Microsoft's SLA your internal department may need to follow some processes related to the services that will reduce the SLA further. Ensure that you factor these external factors into your solution and its related SLAs. E.g. for Azure Site Recovery (ASR) the SLA from Microsoft is very less, but your internal department may need to take additional steps post and pre-failover via ASR. You will need to factor these into your internal department's SLA for the service.

A general rule of thumb is to simulate failure and check how much time it takes for your solution or services to recover from the failure. Add some reasonable (and proportional) buffer to the observed times to formulate the internal SLAs. Ensure that any external factors, human errors, or one-time issues are not affecting these numbers during such exercises.

Hopefully, this helps you in better designing solutions in the cloud. Let us know your tips related to SLAs in the comments below.

Quick Tip - Understanding uptime and downtime linked to any Cloud SLA numbers

Tue, 28 Dec 2021 00:00:00 +0500

When you are in any conversation related to the Cloud SLAs you will hear numbers like the SLA is 99.9% or 99.99% or more. What are those numbers and how they translate into uptime and downtime in a year? Let's take a closer look to understand these details.

99.9% uptime SLA

Let's start with 99.9% SLA i.e. three nines. SLA level of 99.9% uptime/availability means that you can have up to the following periods of allowed downtime or unavailability.

Daily: 1m 26s
Weekly: 10m 4s
Monthly: 43m 49s
Quarterly: 2h 11m 29s
Yearly: 8h 45m 56s

99.99% uptime SLA

SLA level of 99.99% i.e. four nines uptime/availability means that you can have up to the following periods of allowed downtime or unavailability.

Daily: 8s
Weekly: 1m 0s
Monthly: 4m 22s
Quarterly: 13m 8s
Yearly: 52m 35s

Find uptime and downtime for any SLA

Use various online SLA calculators to determine the numbers easily for yourself. One such calculator is provided below (just as a reference): https://uptime.is/

This is very simple tip, but helps you in any cloud related SLA conversation to have better understanding of the related numbers.

Upgrade to Azure Storage account with Data Lake Gen2 easily with new feature

Tue, 21 Dec 2021 00:00:00 +0500

Now there is in-built capability in the Azure Storage Accounts to upgrade to the Data Lake Gen2. You no longer need to copy over the data. Note that this option is available only for the "StorageV2 (general purpose v2)" storage account types. It is not available for the v1 storage accounts.

Upgrade Experience

To find the upgrade option, simply navigate to your storage account and then navigate to the Settings section. You will see an option to perform the "Data Lake Gen2 upgrade". It gives you a step-by-step experience with this upgrade process.

More Details

The three steps for performing the upgrade are as below.

Step 1: Review account changes before upgrading - here you review and agree to the changes being performed as part of the upgrade.
Step 2: Validate account before upgrading - checking for any unsupported features and providing a report.
Step 3: Upgrade account - performing the actual upgrade.

During step 3, you are presented with all the unsupported configurations. These features are also checked during step 2 i.e. the validation step and a report is provided before the upgrade is performed. E.g. If you have versioning enabled then that will be found in the Validation step. You will have to navigate to the Data Protection and disable the same. After disabling you will be able to run through the wizard again.

If there are still errors, then an "error.json" file is created with blob-level error details. This is created in a container named "hnsonerror". E.g. If a Blob has auto-snapshot, or if it has an active lease, then these will be tracked in this error.json file. Rectify these errors at the blob level and then retry the experience.

Reference: Upgrade Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities

Finding the optimal Availability Zone for your Microsoft Azure subscription

Sun, 12 Dec 2021 00:00:00 +0500

When you start designing your solutions in Microsoft Azure for high availability, you think of Availability Zones. Within a region, these are physically separate locations that are tolerant to local failures. For your business-critical workloads, availability zones help you achieve resiliency and reliability.

Need for identifying the right numbers

The biggest caveat with Availability Zones is that they don't correspond to a specific location within a region. These are enumerated when you create a subscription and are different for each subscription (even within the same tenant). Even within a subscription, these are different for each region.

Let's look at an example. Let's assume you have two subscriptions within the "East US" location. One for Dev and another for Prod. Generally, you will see three availability zones, numbered 1, 2, and 3. The location that is referred to as number 1, may or may not be the same location that is referred to as number 1 in the Prod subscription.

Therefore it is important that for every subscription and for every region you find the optimal zones.

How to define optimal Availability Zones

The most optimal Availability Zone is the one that is the best in the below 2 factors:

Latency - It should have the lowest latency
Bandwidth - It should have the highest latency

Not that these are important when deploying the solution in highly available designs. Another concept related to HA design is identifying the primary and the secondary zones.

Selecting primary Availability Zone - Not that the one with the lowest latency and highest bandwidth should become your primary Availability Zone.
Selection secondary Availability Zone - The next best availability zone becomes the secondary zone.

Determining the Optimal Availability Zones

To determine the Optimal Availability Zones, you want to deploy 3 VMs in your subscription. Each VM should be deployed in a different Availability Zone. Then run the Latency and Bandwidth tests between each pair of VMs. Also, ensure to run the tests in both directions. E.g. from VM1 to VM2 and then from VM2 to VM1.

Automated Script

The whole process for finding the optimal availability zones has been automated. This is now as easy as running the script from the below source:

Availability Zone Latency Test Script

The script should be run from a VM within the Virtual Network of the subscription (for which you are trying to identify the optimal zones). This script automatically creates 3 VMs in 3 different availability zones and then runs the latency and bandwidth tests. In the end, it deletes the VMs and also provides you with a detailed report.

The report looks something like this:

The top table shows you latency in micro seconds. Lower the number the better it is. As you can see zone 3 to zone 1 is the lowest latency of 56.1 micro seconds. Bandwith is shown in the bottom table and is measured in MBs transferred per second. Higher the number, the better it is. As you can see, zone 1 to zone 3, zone 3 to zone 2, show the highest number of 478 MB/sec. If you take both latency and bandwidth into consideration then zone 1 and zone 3 are the best combinations for this subscription.

Also, this test should be run at least 3 times and at different times of the day to get more in-depth and accurate results.

Changing an availability zone later is a tedious task. Hopefully, this post helps you determine the right availability zones from the start and lay a good foundation for your environment.

Automate locking of all resources of a particular type - Code Sample

Sun, 05 Dec 2021 00:00:00 +0500

Locking is a concept that is available on all Azure resources. Locks are a very important but very less known feature in Azure. This prevents unintended operation on a particular resource.

NOTE: We visited this concept in the past. Here we want to re-iterate this for our readers as I have observed many issues at various customers that could have been prevented if they were leveraging locks for all their critical resources.

You have two types of locks in Azure:

ReadOnly - You won't' be able to alter any configuration of the resource
DoNotDelete - You will be able to add configurations but will not be able to remove configurations or even delete the resource

Do Not Delete is the lock, that as a best practice, you should apply on all critical resources in the environment. Once this lock is there on the resources, even the global administrator will not be able to delete the resources. The only way to delete the resources will be to delete the lock first and then delete the resources.

The Script Sample Details

This script sample leverages this concept of locks and uses the below cmdlet to apply the locks on various critical resources in the environment.

New-AzureRmResourceLock -LockLevel CanNotDelete -LockName DoNotDelete -ResourceName $vNet.Name -ResourceType $vNet.Type -ResourceGroupName $vNet.ResourceGroupName -LockNotes "Do Not Delete Lock" -Confirm -Force

The above command uses New-AzureRmResourceLock cmdlet to create the Do Not Delete lock on a Virtual Network.

This script iterates through all subscriptions that your account has access to and then applies the lock to all resources of type:

Virtual Network
Route Tables
Express Routes
Virtual Network Gateways
Virtual Network Gateway Connections
Recovery Services Vaults (i.e. ASR Vaults)

You can add more resource types that you deem as critical in your environment.

Location of the Script

You can find this script in GitHub at this location: Apply-LocksOnVariousAzureResources.ps1

Automating the enabling of BYOS licensing for all SUSE VMs in Azure - Code Sample

Fri, 03 Dec 2021 00:00:00 +0500

In the previous post we looked at the difference between two deployment models to choose from when deploying SUSE Linux Enterprise VMs (SLES):

PAYG - Pay as you go
BYOS - Bring your own subscription

We also looked at the advantages of the BYOS over the PAYG model. You can review the previous post here: Switching SUSE VMs from PAYG to BYOS model.

In this post, we look at automating the process via a complete code sample.

Script Location

The complete script can be found on the GitHub here: Enable-SUSEBYOSLicense

Script Workings

The script works by setting the license type property of the VM to "SLES_BYOS".

$vm.LicenseType = "SLES_BYOS"

The script then leverages the "Update-AzVM" cmdlet to update the VM with the license property.

Update-AzVM -VM $vm -ResourceGroupName $currentRGName

Make sure you update the input subscription name and also the Resource Group name. In the script, it uses Wildcard to find all resource groups that start with the string mentioned before "*". You can use a similar wildcard match for the string or you can provide a specific Resource Group name.

Let me know if this helped you in any way in the comments below or at GitHub.

Switching SUSE VMs from PAYG to BYOS model

Thu, 02 Dec 2021 00:00:00 +0500

In Azure, you have two deployment models to choose from when deploying SUSE Linux Enterprise VMs (SLES):

PAYG - Pay as you go
BYOS - Bring your own subscription

If you selected Pay as you go in the beginning and want to switch to bring your own subscription (i.e. BYOS) model and do not want to do this per VM manually, then you can leverage the code sample from this post to automate the process easily.

Cost difference: We did the math and found that BYOS works out to be cheaper especially if you also are going to deploy SUSE Manager to manage your VMs in the environment. Let us know if you are interested and I can share the calculations.

Advantages with BYOS: Other than the cost difference there are two main advantages that you get with BYOS:

You get direct support from the SUSE support team. With the Pay-as-you-go model, you need to open a ticket with Microsoft, and then when Microsoft support deems that the issue pertains to SUSE OS, then SUSE subject matter expert is involved to help you.
You get extended support for the OS versions that are out of general support.

The second advantage itself is huge that even if you need to pay extra you would want that in your enterprise environments.

Switching to BYOS from the Portal

You can switch a VM from PAYG to BYOS directly from the Azure portal. To do this navigate to the VM within the Azure portal and navigate to the Configurations section as shown below. Then in the drop down select the option for "SUSE Enterprise Linux". Review and select "Yes" radio button to use an existing SUSE subscription. Select the checkbox to confirm that you have an eligible SUSE subscription that you can attach to this VM.

Automating the Process

In the next post, we will look at the code sample for automating the process of upgrading the licensing from PAYG to BYOS. You can check this out here: Automating the enabling of BYOS licensing for all SUSE VMs in Azure - Code Sample

Official Reference: How Azure Hybrid Benefit for PAYG Marketplace VMs applies for Linux virtual machines

Easily and automatically generate architecture diagrams in Azure with the Resource Visualizer

Mon, 29 Nov 2021 00:00:00 +0500

Imagine you are in a rush and you need to create a diagram of your environment urgently. You wish there was a way to just select the resources and generate the diagram, that not only shows all the resources in the environment but also shows you the relation between different resources. And now there is such a way in Azure.

Resource Visualizer is a new feature that is now integrated into the Azure portal. Access from any Resource Group's setting and quickly generate a diagram for all the resources in the resource group.

One of the neat features is that you can click on the "Choose resources" button at the top to select the resources you need in the visualizer (and exclude others). You can also zoom in and out by using the zoom controls at the bottom right corner. If you are not able to adjust and need to reset, you can click on the "Zoom to fit" button at the top.

I am sure this feature will become a go-to for quickly generating diagrams with dependencies for providing walk-throughs and creating architectural diagrams in Microsoft Azure.

Automating the enabling of BYOS licensing for all Red Hat Enterprise Linux (RHEL) VMs in Azure - Code Sample

Sat, 27 Nov 2021 00:00:00 +0500

In the previous post we looked at the difference between two deployment models to choose from when deploying Red Hat Enterprise Linux VMs (RHEL):

PAYG - Pay as you go
BYOS - Bring your own subscription

We also looked at the advantages of BYOS over the PAYG model. You can review the previous post here: Switching RHEL VMs from PAYG to BYOS model.

In this post, we look at automating the process via a complete code sample.

Script Location

The complete script can be found on the GitHub here: Enable-RHELBYOSLicense

Script Workings

The script works by setting the license type property of the VM to "RHEL_BYOS".

$vm.LicenseType = "RHEL_BYOS"

The script then leverages the "Update-AzVM" cmdlet to update the VM with the license property.

Update-AzVM -VM $vm -ResourceGroupName $currentRGName

Let me know if this helped you in any way in the comments below or at GitHub.

Switching Red Hat Enterprise Linux (RHEL) VMs from PAYG to BYOS model

Thu, 25 Nov 2021 00:00:00 +0500

In Azure, you have two deployment models to choose from when deploying Red Hat Enterprise Linux VMs (RHEL):

PAYG - Pay as you go
BYOS - Bring your own subscription

Cost difference: We did the math and found that BYOS works out to be cheaper. Although, the difference is not huge.

Advantages with BYOS: Other than the cost difference there are two main advantages that you get with BYOS:

You get direct support from the Red Hat support team. With the Pay-as-you-go model, you need to open a ticket with Microsoft, and then when Microsoft support deems that the issue pertains to RHEL OS, then RHEL subject matter expert is involved to help you.
You get extended support for the OS versions that are out of general support.

The second advantage itself is huge that even if you need to pay extra you would want that in your enterprise environments.

Switching to BYOS from the Portal

You can switch a VM from PAYG to BYOS directly from the Azure portal. To do this navigate to the VM within the Azure portal and navigate to the Configurations section. Then in the drop-down select the option for "Red Hat Enterprise Linux". Review and select the "Yes" radio button to use an existing RHEL subscription. Select the checkbox to confirm that you have an eligible RHEL subscription that you can attach to this VM.

Automating the Process

Official Reference: How Azure Hybrid Benefit for PAYG Marketplace VMs applies for Linux virtual machines

Azure policies now let you customize non-compliance messages

Sun, 21 Nov 2021 00:00:00 +0500

Azure policies now let you customize non-compliance messages. This looks like a small feature but helps a lot whenever a resource is not allowed by the policy. Instead of searching for why the policy denied the operation you can look at the non-compliance message and get a more in-depth idea.

That also means that the message should be descriptive enough in the first place. You should strategize and ensure that every policy assignment has a non-compliance message and that these messages are descriptive enough.

Where to provide the non-compliance message

You provide the non-compliance message when creating or editing the policy assignments. There is now a specific tab for the "Non-compliance messages" where you can provide a single text message. This message will give end-users an idea as to why the operation was denied for them.

Where do you see these in action

When your operation is denied by a policy e.g. creation of a resource group, then you can click on the "View error details ->" link at the top and then go to view the error details in the "Raw Error" tab. Here you will see a message property in the JSON that will have your descriptive non-compliance message.

I hope you will be able to proatively leverage this feature and enrich the end-user experience.

Find all preview features that you can try now in Azure easily

Mon, 15 Nov 2021 00:00:00 +0500

You can easily find all the preview features in Azure. You can also find detailed information about each of these features directly within the Azure portal. If you like a feature you can then try it out as well. Let's see where and how to do this.

Finding all the preview features

You can find all the preview features by navigating to the Azure subscription. Once within the subscription, you can scroll down in the settings and search for "Preview features". This is the less known area that shows you all the latest pre-release features that are available for you to try out.

Every feature has below details:

For every preview feature there is a column for State. This shows if you are already registered or not registered for this feature.
Next it shows the provider that features pertains to.
It also shows the release date of the feature.
Finally, there is a link to the documentation to this feature for more details.

You also have the option to filter the available features by text (at the top).

Review this section periodically to check the latest features that are available for you to try. I hope you find this tip useful.

Export all custom Azure Policies - Code Sample

Thu, 11 Nov 2021 00:00:00 +0500

Azure Policies are a key component in any Azure governance strategy. These help you allow or deny particular operations in your environment. These can also help you audit your environment for compliance with your standards (both out of the box and custom). There are two types of Azure policies:

Built-In - also called out of the box, that are provided by Microsoft
Custom - that you build for your environment as per your policies and standards.

It is a best practice to store all the custom policies in a version control system e.g. Azure DevOps repositories. If the policies were built directly within the Azure Policies definitions, then you would want to export all of the policies. Exporting one policy at a time can be time-consuming and also prone to end-user errors. You can leverage the script sample from this blog post to automate exporting all the custom policies in your environment (for all subscriptions).

Script location in GitHub

The complete script to export all the custom Azure policies across various subscriptions, can be found here:

Export-AllAzureCustomPolicies

Script working

The script works by iterating over various subscriptions and then fetching the Azure policies in that subscription. It filters on the "PolicyType" property to filter out only the policies that are Custom.

$policies = Get-AzPolicyDefinition | where {$_.Properties.PolicyType -eq 'Custom'}

Once all the custom policies have been fetched, the script then iterates through all policies using a "foreach" loop. For each policy, it sets the policy name to the subscription name then an underscore, and then the policy name. The file type is set to ".json".

$fileName = $currentSubscription.Name + "_" + $policyName + ".json"

The script then exports the policy to a JSON file using the ConvertTo-Json cmdlet.

$policy | ConvertTo-Json -Depth 10 | Out-File ".\Export-AzurePolicies\Output\$fileName"

Give it a try in your environment. Once you have exported JSON files for all the custom policies, make sure to move this into a version control system like Azure DevOps repositories.

Designing Tagging Strategy for Microsoft Azure - Index

Wed, 27 Oct 2021 00:00:00 +0500

This is the Index for the series of blog posts regarding Designing Tagging Strategy for Microsoft Azure.

Note that this Index is updated regularly as more posts are added around this topic.

Additinal Links:

Designing Tagging Strategy for Microsoft Azure - Part 7 - Enforcing tagging standards with Azure Policies

Wed, 20 Oct 2021 00:00:00 +0500

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

Enforce the tagging standards

As discussed in the previous blogs, if you have any standards you want to enforce for the tagging you can do that directly within the Azure policy as well. E.g. for the ApplicationOwner Tag i.e. the owner of the application related to the resource deployed should be an email id. You can enforce this easily via an Azure policy.

You can also have naming conventions that you can enforce. Or you can have a set of values that you can have the tag value adhere to.

Sample 1 - Set of Allowed Values

You can specify allowed values for a tag. If the value provided is not from the list of values then the resource creation can be denied through the Azure policy. E.g. the below policy sample enforces the tag Environment's value to be only from the below list of allowed values. Note that the policy does not enforces the tag itself. It enforces that if the tag is specified then the allowed values can only be one of the below:

dev
test
prod

Policy sample:

{
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "not": {
            "field": "tags['Environment']",
          "in": [
            "dev",
            "test",
            "prod"
          ]
        }
      },
      "then": {
        "effect": "deny"
      }
    },
    "parameters": {}
  }

Sample 2 - Allowing only an Email Id

You can also use wildcards and patterns within the Azure policy to enforce the naming standards etc. within the tags. E.g. if you want the tag for ApplicationOwner to be only an email id then you can easily do that by using "like" comparison to a text like "b>*@domain.com"

The below sample not only enforces the ApplicationOwner tag, but enforces it to have "xxxx@harvestingcloud.com" format, where xxxx could be anything as denoted by the "*" wildcard character in the policy below.

Policy sample:

{ "mode": "Indexed", "policyRule": { "if": { "not": { "allOf": [ { "field": "tags['ApplicationOwner']", "exists": "true" }, { "field": "tags['ApplicationOwner']", "like": "*@harvestingclouds.com" } ] } }, "then": { "effect": "deny" } }, "parameters": {} }

Complete Policy Samples on GitHub
You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Tagging.

Moving an Azure Virtual Machine (VM) to an Availability Zone the automated way - with complete Code Sample

Sat, 16 Oct 2021 00:00:00 +0500

Availability Zones is the new concept to increase the availability of an Azure Virtual Machine (VM). It provides different datacenter with independent cooling, power, and network within one Azure Region. If you have an application deployed redundantly across more than one VM, then you definitely want to leverage Availability Zones to increase the availability and SLA of the workload.

Unfortunately, you can't move an Azure VM from a non-availability zone deployment to an availability zone. You also can't switch the zone after deploying the VM into one zone. The script sample in this post, help you address both of these scenarios in an automated manner.

Word of Caution

The script works by deleting the VM and then recreating it within an availability zone. If the script errors out in the middle, then you will end up with no VM. The script exports the VM configurations into a JSON file for this situation as a fallback option. But you need to know how to use that to recreate your VM. You should do below two things to ensure you don't run into issues:

Try the script first for non-production and non-critical VMs. I recommend creating a dummy/temporary VM and then trying the script.

Ensure that there is a backup for any production/critical VMs before moving these into Availability Zones to ensure you have something to fail back to.

Script location in GitHub

You can view and download the latest version of the script, directly from GitHub here: Move-AzVMToAvailabilityZone.ps1

Script Working

The script has a custom function called Export-VMConfig. It uses this function to export the VM configurations into a JSON file. This file serves as a backup (only for the configurations) in case anything goes wrong during the script execution. You can use this to recreate the VM.

The script then stops the VM using the Stop-AzVM command. It then creates a snapshot of the OS disk and then, creates an Azure Disk with Zone information from that snapshot. Then the script performs the same thing for all of the data disks. Then it deletes the Azure VM using the Remove-AzVM cmdlet. Then it starts building the configurations for the new VM using the New-AzVMConfig cmdlet.

The script reapplies the tags and diagnostic profile information. Then it sets the OS disk as per the OS of the original VM. Then it adds the data disks. Then it adds NIC(s) and keeps the same NIC as primary. If there is a Public IP from the Basic SKU then the script removes it because it doesn't support zones.

Finally, the script recreates the VM using the New-AzVM cmdlet.

Manual action after the script execution

After the new VM has been validated, I recommend waiting anywhere from 24hrs to a week before cleaning up the residual non-availability zone resources. Once you are ready, delete the older OS and data disks and related snapshots. These should be not attached to any VMs.

I hope that the script helps you in moving your existing infrastructure to avail the redundancy options provided by the Availability Zones in Azure.

Designing Tagging Strategy for Microsoft Azure - Part 6 - Auto Calculate and Apply Tags

Fri, 15 Oct 2021 00:00:00 +0500

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

Auto Calculate and Apply tags

As we discussed in the last post, whenever you can you should try to auto calculate and apply the tags in an automated fashion. Some examples include:

This could be based on the name of the resource group if you have a naming convention defined for a resource group (by using substring on the resource group name).

Another use case could be calculating date time. You can leverage utcNow() and substring() functions to find date time as per your formatting standards.

Let's look at the second use case as that is more generic and applicable to all scenarios. You can use this to apply the below tags:

BuildDate - date stamp when the resource is first deployed. Right now Azure does not store this metadata and without this tag, it is hard to find this down the line. So it is a good practice to tag each resource at the creation time.

UpdateDate - date and time stamp whenever the resource is updated.

Policy sample

Let's look at the BuildDate tag and how to apply this automatically for each and every resource.

Note:

The policy applies the tag in the MM/DD/YYYY format. This ensures that the BuildDate tag everywhere adheres to a standard.

The policy applies only when the tag does not exist on the resource. Once the tag is there, the policy will not apply to those resources (based on the if conditions specified below within the policy)

Let's jump into the policy sample now. A complete sample can be found at my GitHub repository (link provided at the bottom of this post).

"mode": "All", "policyRule": { "if": { "anyOf": [ { "field": "tags['BuildDate']", "exists": "false" }, { "field": "tags['BuildDate']", "notMatch": "##/##/####" } ] }, "then": { "effect": "modify", "details": { "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "operations": [ { "operation": "addOrReplace", "field": "tags['BuildDate']", "value": "[concat(substring(utcNow(),5,2),'/', substring(utcNow(),8,2),'/',substring(utcNow(),0,4))]" } ] } } }

You can also find the policy for the UpdateDate tag in GitHub with a timestamp along with the date stamp.

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Tagging.

Designing Tagging Strategy for Microsoft Azure - Part 5 - Combining strategies

Thu, 14 Oct 2021 00:00:00 +0500

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

Combining strategies

In the previous few posts, we looked at individual tagging strategies. In this post, we will combine those strategies to build a custom tagging strategy for your environment. The combination looks at defining the tags at a higher level and then inheriting these tags at the resources under that level. This means that this combination tagging strategy will employ the following:

Applying highest level tags at the Subscription level and then inheriting those at the lower levels

Applying the group level tags at the Resource Group level and then inherit those at the individual resources

Applying specific tags at the individual resource level

Enforcing other tagging related standards

Auto calculate and apply tags (as many as you can)

Let's look at these in detail.

1. Planning tags at the subcription level

You want to apply the tags at the subscription level that are generic to the whole subscription. One example could be a tag for the Environment i.e. Dev, Test, Prod, etc. If you deploy different subscriptions for different environments then it is an easy one that you can apply in your environment.

2. Planning tags at the resource group level

Generally, you will want to group your resources by the department and a specific application within that department. Whatever is your grouping choice based on, you can have those tags planned for the resource group level and then inherit these automatically at the resource level. E.g. DepartmentName, ApplicationName, ApplicationOwner, etc. can be applied at the resource group level and then inherited below.

3. Planning tags at the resources level

There will be some information that needs to be tagged at the individual resource level. A couple of examples of this are:

BusinessCriticality - criticality of the resource based on the business requirements

UpdateDate - Timestamp when a resource is updated

4. Enforce the tagging standards

If you have any standards you want to enforce for the tagging you can do that directly within the Azure policy as well. E.g. for the ApplicationOwner Tag i.e. the owner of the application related to the resource deployed should be an email id. You can enforce this easily via an Azure policy.

You can also have naming conventions that you can enforce. Or you can have a set of values that you can have the tag value adhere to.

We will look at these in upcoming blogs.

5. Auto calculate and apply tags

Whenever you can you should try to auto calculate and apply the tags in an automated fashion. Some examples include:

This could be based on the name of the resource group if you have a naming convention defined for a resource group (by using substring on the resource group name).

Another use case could be calculating date time. You can leverage utcNow() and substring() functions to find date time as per your formatting standards.

We will look at these in detail in upcoming posts.

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Tagging.

Designing Tagging Strategy for Microsoft Azure - Part 4 - Enforcing Tags at the Resource Group level and Inheriting on underlying resources

Sun, 10 Oct 2021 00:00:00 +0500

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

In the last post, we looked at enforcing the tags at the subscription level and inheriting those at the resource level. In this post, we are looking at policies and various nuances in implementing the third strategy i.e. enforcing tags at the Resource Group level and inheriting at each resource.

Require Tags on a Resource Group

You can require tags on a Resource Group by using the below Azure policy. This is an extension of the in-built policies. This extends the policy to leverage multiple tags in a single policy.

The below policy is enforcing the ApplicationOwner and DepartmentName tags on the Resource Groups. It denies the creation of Resource Groups if any one of the tag is not present.

Note: You can parameterize the tag name and its value as well very easily. You can check in-built policies for reference. Or let me know if this is something you want to see and I can create a parameterized sample.

"policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" }, { "anyOf": [ { "field": "tags['ApplicationOwner']", "exists": "false" }, { "field": "tags['DepartmentName']", "exists": "false" } ] } ] }, "then": { "effect": "deny" } }

You will get an error similar to below when trying to create a resource group after you have defined and assigned this policy in your subscription.

When you get the above error after trying to create the Resource Group without tags (if you have the policy assigned already to enforce tags on RGs), then click on line #1 in the screenshot. In the pop-up blade that opens up, click on "Raw Error" as shown above as #2. Then scroll down to see the details of the policy that stopped the resource group creation.

Inheriting Tags from Resource Groups

You can easily inherit the tags from a Resource Group down to its underlying resources by using an Azure policy specifically for this purpose. You have three approaches for inheriting the tags from the resource group level:

Inherit the tags and their value only if this tag is missing from the resource

Inherit and replace the tag if it doesn't match the value of the same tag at the resource group level

Inheriting the tags regardless of what is specified at the resource level

Which approach works for you depends on your requirements. The first two approaches are identical to what we discussed in the last post for the subscription level. You can view those at this link and just replace subscription with resource group level functions: Enforcing Tags at the Subscription level and Inheriting on underlying resources.

We have seen approach 3 being the most common and we will discuss that next.

Inheriting the tags regardless of what is specified at the resource level

In the below policy, you check that all of the below conditions should be met before the action can be taken:

The ApplicationOwner and DepartmentName tags exist at the resource group level

Both of these tags does not have an empty value at the resource group level

If both of these conditions are true then the "modify" effect is applied. Within this effect, the tags from the resource group level are applied at the resource level.

Note: You can parameterize any values within this sample policy. Also, you can extend this policy to multiple tags (without creating additional policies).

"policyRule": { "if": { "allOf": [ { "value": "[resourceGroup().tags['ApplicationOwner']]", "exists": "true" }, { "value": "[resourceGroup().tags['ApplicationOwner']]", "notEquals": "" }, { "value": "[resourceGroup().tags['DepartmentName']]", "exists": "true" }, { "value": "[resourceGroup().tags['DepartmentName']]", "notEquals": "" } ] }, "then": { "effect": "modify", "details": { "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "operations": [ { "operation": "addOrReplace", "field": "tags['ApplicationOwner']", "value": "[resourceGroup().tags['ApplicationOwner']]" }, { "operation": "addOrReplace", "field": "tags['DepartmentName']", "value": "[resourceGroup().tags['DepartmentName']]" } ] } } }

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Tagging.

Designing Tagging Strategy for Microsoft Azure - Part 3 - Enforcing Tags at the Subscription level and Inheriting on underlying resources

Thu, 07 Oct 2021 00:00:00 +0500

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

In the last post, we looked at enforcing the tags at the resource level. In this post, we are looking at policies and various nuances in implementing the second strategy i.e. enforcing tags at the Subscription level and inheriting at each resource.

Add or Replace Tags on a Subscription

As the subscription will already exist, it doesn't make sense to "require tags" on the subscription. Instead, you will "add or replace a tag" on the subscription level.

You can add or replace a tag on a subscription by using the below Azure policy. This is an extension of the in-built policies. This combines multiple policies into a single one to simplify the management of policies.

The below policy is enforcing the Environment tag on the Subscription. It adds the tag if it is not present. If it is present and the value is not "Dev" then it updates the the tag's value to Dev.

Note: You can parameterize the tag name and its value as well very easily. You can check in-built policies for reference. Or let me know if this is something you want to see and I can create a parameterized sample.

"policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions" }, { "anyOf": [ { "field": "tags['Environment']", "exists": "false" }, { "field": "tags['Environment']", "notEquals": "Dev" } ] } ] }, "then": { "effect": "modify", "details": { "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f" ], "operations": [ { "operation": "addOrReplace", "field": "tags['Environment']", "value": "Dev" } ] } } }

Inheriting Tags from Subscription

You can easily inherit the tags from a subscription down to its underlying resources by using an Azure policy specifically for this purpose. You have two approaches for inheriting the tags from the subscription level:

Inherit the tags and their value only if this tag is missing from the resource

Inherit and replace the tag if it doesn't match the value of the same tag at the subscription level

Which approach works for you depends on your requirements. For both these scenarios, there are in-built Azure policies provided by Microsoft. Let's look at both of these.

1. Inheriting the tag - only if it is missing

In the below policy, you check that all of the below conditions should be met before the action can be taken:

The Environment tag does not exist on the resource

The Environment tag at the subscription level is not equal to an empty value

If both of these conditions are true i.e. the Environment tag is missing and has a valid value at the subscription level, then the "modify" effect is applied. Within this effect, the tag from the subscription level is applied at the resource level.

Note: You can parameterize any values within this sample policy. Also, you can extend this policy to multiple tags (without creating additional policies).

"policyRule": { "if": { "allOf": [ { "field": "tags['Environment']]", "exists": "false" }, { "value": "[subscription().tags['Environment']]", "notEquals": "" } ] }, "then": { "effect": "modify", "details": { "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "operations": [ { "operation": "addOrReplace", "field": "tags['Environment']", "value": "[subscription().tags['Environment']]" } ] } } }

2. Inherit and replace the tag if it doesn't match the value of the same tag at the subscription level

In the below policy, you check that all of the below conditions should be met before the action can be taken:

The Environment tag at the resource level doesn't have the same value as the one at the subscription level

The Environment tag at the subscription level is not equal to an empty value

If both of these conditions are true i.e. the Environment tag doesn't have the same value as the one at the subscription level and it has a valid value at the subscription level, then the "modify" effect is applied. Within this effect, the tag from the subscription level is applied at the resource level.

Note: You can parameterize any values within this sample policy. Also, you can extend this policy to multiple tags (without creating additional policies).

"policyRule": { "if": { "allOf": [ { "field": "tags['Environment']]", "notEquals": "[subscription().tags['Environment']]" }, { "value": "[subscription().tags['Environment']]", "notEquals": "" } ] }, "then": { "effect": "modify", "details": { "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "operations": [ { "operation": "addOrReplace", "field": "tags['Environment']", "value": "[subscription().tags['Environment']]" } ] } } }

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Tagging/.

Designing Tagging Strategy for Microsoft Azure - Part 2 - Enforcing Tags at the Resource level

Mon, 04 Oct 2021 00:00:00 +0500

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

In the last post, we looked at the importance of tagging in Azure and various tagging strategies. You can view that post here: Designing Tagging Strategy for Microsoft Azure - Part 1 - Basics. In this post, we are looking at policies and various nuances in implementing the first strategy i.e. enforcing tags at the resource level.

Requiring Tags on a resource

You can require a tag on a resource by using the below Azure policy. This is an extension of the in-built policy that requires one tag. This extends it to two tags and shows you how you can add even more tags using just one policy.

"policyRule": { "if": { "anyOf": [ { "field": "tags['ApplicationOwner']", "exists": "false" }, { "field": "tags['DepartmentName']", "exists": "false" } ] }, "then": { "effect": "deny" } }

The above policy requires two tags:

ApplicationOwner - Person responsible for the resource

DepartmentName - Name of the department to which the resource belongs

Requiring a Tag and also enforcing a format

Let's assume that you require the ApplicationOwner tag. But you also want to ensure that the user trying to deploy it are using an email id. E.g. if the domain is HarvestingClouds.com then the email id will look something like xxxx@harvestingclouds.com, where "xxxx" could be anything. In policy you will match this by using the "" wildcard character. The match should be then with "@harvestingclouds.com". The policy will look something like below:

"policyRule": { "if": { "not": { "allOf": [ { "field": "tags['ApplicationOwner']", "exists": "true" }, { "field": "tags['ApplicationOwner']", "like": "*@harvestingclouds.com" } ] } }, "then": { "effect": "deny" } }

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Tagging/.

Designing Tagging Strategy for Microsoft Azure - Part 1 - Basics

Sat, 02 Oct 2021 00:00:00 +0500

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

One of the most useful yet most ignored features within Microsoft Azure is Tagging. Tags provide a way to add additional data to your resources. Having a strong tagging strategy from the beginning can provide more insights into your environment. They are especially helpful in understanding how the cost is distributed in your environment. In this post, we are going to look at a few strategies to implement tagging in your environment.

Where and What Tags to consider

Think of Tags as additional metadata that is added to the resources within Azure. Everything is a resource and therefore can have tags. At a bare minimum, any resource that generates billing should have a tag applied.

The first thing you need to define when it comes to tagging is what tags you should consider enforcing/applying in your environment. Here are some that I recommend:

ApplicationOwner - Owner of the application to which the resource belongs.

ContactDL - Distribution List (DL) that can be contacted by the cloud operations team in case there is any action that needs to be taken related to the resource.

DepartmentName - Department to which the resource belongs.

ApplicationName - Application name for which the resource has been deployed

CostCenter - Cost center that should be billed (within the organization).

ResourceBuildDate - Date when the resource was first deployed

ResourceUpdateDate - Date when the resource was updated in any way.

BusinessCriticality - Business criticality of the application. The highest criticality applications should be deployed in a redundant fashion.

Managing shared resources - There will be many resources (e.g. virtual networks) that will be used by various departments. These should be tied to the cloud operations team. The expense for these resources should either be shared equally by each department or a weighted distribution based on the overall cloud resources consumption.

How to enforce Tags

Once you have defined the tagging strategy, you will need to ensure that the tags are applied for each and every resource that should have tags on them. The easiest way to enforce this is by using Azure Policy. We will be looking at this in the next blog.

Strategy 1 - Applying Tags for each resource

The easiest and most basic strategy is to apply the tags for each and every resource. You simply define Azure policies to enforce the tagging for all resources. Also, you define the policy for each and every tag you want to enforce.

The downside to this policy are:

Some resources don't have the ability to apply tags when creating these from the Azure portal. So you will need to apply these resources programmatically via ARM Templates, Bicep configurations, Azure CLI, PowerShell, etc.

You will need to manage the tags at the resource level. Even if the basic tags like BusinessCriticality etc. are not specified, the resource creation will fail.

To enhance this strategy you can try to calculate some tags and auto-apply those when each resource is created or updated. E.g. Build Date can be auto-calculated, validated and applied to each resource during its creation time.

Strategy 2 - Applying Tags at the Subscription and inheriting at each resource

The next strategy is to specify the key tags at the subscription level and then apply these automatically at the lower levels. You can use Azure policies to auto-apply this. The biggest advantage of this strategy is that you don't need to apply these tags for each and every resource. You just apply the tags at the subscription level and then auto-apply these to each resource within the subscription when those resources are deployed. An example would be a tag for the environment. If you have a subscription for each environment (i.e. one for dev, another for test/QA, and another one for staging and a separate one for production), then you can have an environment tag defined at the subscription level and auto-applied to each resource deployed within that subscription.

The downside to this strategy is that you can use this only for the most generic resources. E.g. within your subscription, you will have different resource groups for different departments, so you can't have the tag for DepartmentName applied at the subscription level (unless you have a subscription corresponding to one department only).

Strategy 3 - Applying Tags at the Resource Groups and inheriting at each resource

Similar to the above strategy, in this third strategy, you enforce the tags at the resource group level and then automatically apply these to each resource that is deployed within the resource group.

Similar to the above strategy you get the advantage of auto applying tags and not think about those when planning to deploy individual resources. As a best practice, you should still plan for the tags for each resource, but these will be auto inherited if you miss any. E.g. If you are creating a Resource Group for a specific department and a specific application within that department then you can easily define the DepartmentName and ApplicationName at the Resource Group level and then auto inherits those for each resource that is deployed within that resource group.

The only disadvantage is that any resource-specific tags still need to be applied at the resource level. E.g. Business Criticality may vary for each resource even within a resource group.

Strategy 4 - A mix of the above strategies

The best strategy is a mix of all the above strategies as below:

The most generic tags should only be deployed at the subscription level and then auto inherited for all resources under that subscription

The Resource Group should enforce tags that are specific to that group and then auto inherit for all resources under that resource group

The resource-specific tags should be either auto-calculated and applied or enforced for each resource. You should also auto-calculate, validate, and auto-apply as many resources as you can.

E.g. you can have an environment tag at the subscription level, a department and application tag at the resource group level, a build data and update date at the resource level auto calculated and applied, and other tags enforced at the resource level.

In the next posts, we will look at ways to apply these strategies with policy samples.

Azure Backup Series - Index

Thu, 30 Sep 2021 00:00:00 +0500

This is the Index for the series of blog posts regarding the Azure Backup service.

Note that this Index is updated regularly as more posts are added around this topic.

Set Storage Redundancy for Recovery Services Vault

Cross Region Restore (CRR) for Azure Virtual Machines using Azure Backup

Soft Delete for Recovery Services Vault

Bring your own keys (BYOK) for recovery services vaults - 1 Overview

Bring your own keys (BYOK) for recovery services vaults - 2 Enable managed identity for your Recovery Services vault

Bring your own keys (BYOK) for recovery services vaults - 3 Assign permissions to the vault to access the encryption key in the Azure Key Vault

Bring your own keys (BYOK) for recovery services vaults - 4 Enable Soft Delete and purge protection on the Azure Key Vault

Bring your own keys (BYOK) for recovery services vaults - 5 Assign the encryption key to the Recovery Services vault

Backup Center in Microsoft Azure

Understanding the backup policy for SQL Server in Azure VM

Understanding the backup policy for SAP HANA in Azure VM (Database)

Troubleshooting the backup issues for SQL Server on Azure VM or SAP HANA on Azure VM (Database)

Configuring Azure Backup for Azure File Shares

Cross Region Restore (CRR) for Azure Virtual Machines is now generally available

Managing the backup-related alerts via the Azure Monitor

Simplifying the Azure Backup Center - Part 1

Simplifying the Azure Backup Center - Part 2

Azure Recovery Services Vaults vs Backup Vaults

Azure Recovery Services Vaults vs Backup Vaults

Tue, 28 Sep 2021 00:00:00 +0500

Azure Recovery Services Vaults has been the place where you configured all backups. Azure Backup Vaults is the new area where you configure any new backup features. Let's look at the difference between the two experiences when dealing with the backup of key resources and data.

The resources they protect

The key difference between the two vault types is the type of datasource that can be protected by that vault. Let's take a look at each vault's supported datasource types.

Azure Recovery Services vaults can protect the following types of datasources:

Azure Virtual machines

SQL in Azure VM

Azure Files (Azure Storage)

SAP HANA in Azure VM

Azure Backup Server

Azure Backup Agent

DPM

Azure Backup vaults can protect the following types of datasources:

Azure Database for PostgreSQL servers

Azure Blobs (Azure Storage)

Azure Disks

Kubernetes Service

AVS Virtual machines

Backup Center - a single pane of glass to backup management

Azure Backup Center is the place that unifies the management of the backup of all the datasources across different vaults. We explored this in detail in the below two blog posts. Check these out to learn more about the backup center:

Simplifying the Azure Backup Center - Part 1

Simplifying the Azure Backup Center - Part 2

New Feature Alert - Zone redundant storage (ZRS) for Azure Disk Storage and Azure Storage Accounts

Mon, 20 Sep 2021 00:00:00 +0500

With Availability Zones there is a new way for the data to be made redundant as well in a zone-aware deployment. This is known as "Zone Redundant Storage" or ZRS. This option replicates the data across different availability zones and therefore protects you against the datacenter level failures. It is highly recommended for the architecture involving highly available (HA) design/solution.

ZRS for Managed Disks

ZRS as an option for the managed disk is the new feature that has just been introduced.

Note that this option is available for:

Azure Premium SSDs

Standard SSDs

At the time of writing of this post, this option is only available for the below regions:

West Europe

North Europe

West US 2

France Central

When you will try to create a new managed disk, while selecting the disk size, you can modify its redundancy option. If you are using one of the region mentioned above, you will view "Zone-redundant storage" as the option for the disk SKU. You will have the option to select either premium SSD or Standard SSD only.

ZRS and GZRS options for Storage Accounts

For the Storage Accounts, this feature is more widely available across various regions. This feature has been available for some time now for the storage accounts.

When creating new storage accounts, you can select ZRS and GZRS for the storage account data redundancy. These stand for:

ZRS - Zone-redundant storage - data is replicated across different zones.

GZRS - Geo-zone-redundant storage - this is a mix of GRS and ZRS. In addition to data being replicated across zones, it is also replicated across different geo regions.

Biggest Advantages

There are lots of advantages to leveraging ZRS storage redundancy in your solutions. The big ones include:

If a virtual machine becomes unavailable in an affected zone, you can continue to work with the disk by mounting it to a virtual machine in a different zone.

You can also use the ZRS option with shared disks to provide improved availability for clustered or distributed applications E.g. SQL FCI, SAP ASCS/SCS, or GFS2.

References:

Zone redundant storage (ZRS) for Azure Disk Storage

Azure Storage redundancy in the primary region

Simplifying the Azure Backup Center - Part 2

Fri, 17 Sep 2021 00:00:00 +0500

In the previous post, we looked at the overview of the Backup Center. You can read the first part here: Simplifying the Azure Backup Center - Part 1

In this post, we will look closely at various sections and actions within it. When you launch Backup Center, as we saw in the previous post, you are presented with the Overview screen. This screen is powerful in itself in presenting you with a unified view of backup of various datasource types across your environment. Other parts of the Backup Center are clubbed into the following three main categories:

Management

Monitoring & Reporting

Policy and Compliance

Let's look at these three areas in detail.

1. Management

The management section lets you manage various aspects of your backup. The first aspect is the backup instances. Here you can view and manage various backup instances filtered by your datasource type. The key thing to note is that the view and various columns that are shown automatically update based on the datasource type selected. You can also set up new backup and /or trigger restore from the existing backup by using the buttons at the top of the page.

Next section "Backup Policies" let's you view and manage backup policies across your environment. You can make updates as required. You can also create new backup policies as well.

The third and the last section in this category is the ability to view Vaults (both backup and recovery services vaults) across your environment. You can navigate to those vaults by clicking on the corresponding row. You can also create a new vault from here.

2. Monitoring and Reporting

The monitoring and reporting section helps you with supporting your backup infrastructure. It has the following three sections:

Backup jobs - shows you all the backup-related jobs, across your environment.

Alerts - shows you all alerts related to your backup data across different vaults.

Metrics - provide monitoring of various metrics on the backup data. The main two metrics available are "Backup health events" and "Restore health events".

Backup reports - detailed reporting into the backup data linked to log analytics.

3. Policy and Compliance

The policy and compliance section is all about the governance of the backup data. The main sub-sections in this section are:

Backup compliance - it shows you the compliance of various resources related to backup based on the policies and initiatives applied in your environment. It looks for the backup category for the policies and initiatives.

Azure policies for backup - All the Azure policies, filtered by the "backup" category. You can also view the initiatives here by updating the drop down based filters.

Protectable datasources - These are all the resources that can be protected.

Protectable datasources is very important section as it helps you easily find all the resources for which you haven't configured the protection. Filter by datasource type to view the resources that can be protected for that type. E.g. in the image below it shows you all the VMs that can be protected via the backup services.

That is all there is to it. Explore all these sections one by one and play around with different options available in each. Backup Center is very powerful in unifying the backup experience and providing a single pane of glass to monitor and manage your backups.

References:

Overview of Backup center

Support matrix for Backup center

Simplifying the Azure Backup Center - Part 1

Tue, 14 Sep 2021 00:00:00 +0500

Azure Backup Center is the new one-stop-shop for all your backup management related tasks within Microsoft Azure. It unifies the backup data from various vaults across different subscriptions within your tenant.

Navigating to the Backup Center

To navigate to the Backup Center, just go to all Services and just search for it. Or better approach is to find it by searching for it at the top search bar. Once launched you get the view shown in the below image. Note at the middle top section that you can filter the data being shown by following categories:

Subscription (across your tenant that you have access to)

Resource Group

Location

Type (type of the backup data)

Vault (where it is being protected)

The Datasource types that you can manage directly from the Backup Center include:

Azure Virtual machines

SQL in Azure VM

Azure Files (Azure Storage)

SAP HANA in Azure VM

Azure Disks

Azure Blobs (Azure Storage)

Azure Datacenter for PostgreSQL servers

Allowed Actions

Let's check out what all you can do with the Backup Center.

Category Actions

Monitoring

View all Jobs

View all backup instances

View all backup policies

View all vaults

View Azure Monitor alerts at scale

View Azure Backup metrics and write metric alert rules

Actions

Configure backup

Restore Backup Instance

Create vault

Create backup policy

Execute on-demand backup for a backup instance

Stop backup for a backup instance

Execute cross-region restore job from Backup center

Insights

View Backup Reports

Governance

View and assign built-in and custom Azure Policies under category Backup

View datasources not configured for backup

Unsupported Scenario

Currently, the only unsupported scenario is updating the vault settings at scale. You have to navigate to each individual vault to update its settings.

In the next post, we will look more closely at various sections and actions within the Backup Center. You can read the second part here: Simplifying the Azure Backup Center - Part 2

References:

Overview of Backup center

Support matrix for Backup center

Automatically trigger on-demand SAP HANA on Azure VM Backup for multiple Databases - Code Sample

Tue, 24 Aug 2021 00:00:00 +0500

Let's assume you have various SAP HANA databases on Azure VMs that are being backed up in Azure Recovery Services Vault using the Backup services i.e. the daily backup. Before performing any major activity in your environment, you will want to take an on-demand backup. This helps you to have a fallback option if anything goes wrong during the activity. To extend the expiry date you may want to update the policy temporarily as the on-demand backup for SAP HANA on Azure VMs, doesn't allow the feature to specify the expiry date.

The script I present in this post automates the triggering of this on-demand backup for multiple SAP HANA databases. The script takes the name of VMs and related SAP HANA database information in a csv file as input.

NOTE: As the feature to trigger the SAP HANA database is available only with the CLI cmdlet, we are using the CLI command. Please ensure that you have AZ CLI also installed in your environment by following the instructions here: How to install the Azure CLI.

Script location

The latest version of the script can be found in GitHub here: Trigger-AzSAPHANAOnDemandBackup

The input CSV file sample is also located at the same location. Use this file to provide the VM names and related SAP HANA database information as an input to the script. Update the path to this file in the script input variables. Update this file as per your environment.

Script Working

The script starts by checking if the input config file (with VM names) exists or not. If not, then the script prints the message to check the path and exit. It then imports the CSV file. Then it sets the context to the right recovery services vault and starts iterating through the VMs. Then it sets the item and container variables as below.

$itemName = "SAPHanaDatabase;$instanceName;$databaseName" $containerName = "VMAppContainer;Compute;$VMResourceGroup;$vmName"

Finally, it triggers the on-demand backup using the below az cli command.

az backup protection backup-now --resource-group $rgOfVault --item-name $itemName --vault-name $vaultName --container-name $containerName --backup-type Full --output table

I hope this script helps you save lots of time during on-demand backup creation. If you have any improvements you would like to see in the script feel free to provide that as a comment here or a pull request on GitHub.

Automatically trigger on-demand Azure VM Backup for multiple VMs - Code Sample

Mon, 23 Aug 2021 00:00:00 +0500

Over the period of time, you will have multiple VMs being protected in Azure Recovery Services Vault using the Backup services i.e. the daily Azure VM Backup. Before performing any major activity in your environment, you will want to take an on-demand backup with an extended expiry date. This helps you to have a fallback option if anything goes wrong during the activity.

The script I present in this post automates the triggering of this on-demand backup for multiple VMs and also lets you specify a date for the expiry of this backup. The script takes the name of VMs in a csv file as input.

Script location

The latest version of the script can be found in GitHub here: Trigger-AzVMOnDemandBackup

The input CSV file is also located at the same location. Use this file to provide the VM names as an input to the script. Update the path to this file in the script input variables.

Script Working

The script starts by checking if the input config file (with VM names) exists or not. If not, then the script prints the message to check the path and exit. It then imports the CSV file. Then it sets the context to the right recovery services vault and starts iterating through the VMs. Then it fetches the backup container for the current VM using the below command.

$backupcontainer = Get-AzRecoveryServicesBackupContainer ` -ContainerType "AzureVM" ` -FriendlyName $vmName

It uses the container to fetch the backup item corresponding to the current VM.

$item = Get-AzRecoveryServicesBackupItem ` -Container $backupcontainer ` -WorkloadType "AzureVM"

Finally, it triggers the on-demand backup using the Backup-AzRecoveryServicesBackupItem cmdlet.

Backup-AzRecoveryServicesBackupItem -Item $item -ExpiryDateTimeUTC $dateTillExpiry

I hope this script helps you save lots of time during on-demand backup creation. If you have any improvements you would like to see in the script feel free to provide that as a comment here or a pull request on GitHub.

Automate Azure Route Table testing using Network Watcher and PowerShell scripting - Code Sample

Wed, 21 Jul 2021 00:00:00 +0500

In any enterprise environment, you will have lots of customer User Defined Routes or UDRs written within Azure Route Tables. You will want to test all of these route tables and check if the "Next Hop" is as per the route tables set by you or not. This could prove to be a tedious task if done manually. I have automated this task using PowerShell scripting. I am sharing the sample in this post.

NOTE: You should enable Network Watcher in your environment for this script sample to work. Also, note that you need to enable the Network watcher only in the region where your resources exist.

Script location

The latest version of the script can be found in GitHub here: Test-NetworkWatcherRouteNextHop.

A sample input CSV file is also located at the same location.

Script Working

For the script to work, make sure that you have filled the input CSV file as per your environment. In every test, there will be a source and a destination for the communication pair. The script primary looks for the below information from the csv file:

SourceSubscription - The subscription for the source.

SourceRG - The resource group of the source VM

SourceVMName - Name of the source VM

Source IP - Indicative - Actual IP address of the source VM. Please ignore the "indicative" text

DestinationIP-Actual - Actual IP address of the destination VM

SourceLocation - Azure region location of the source VM

NOTE: Within the script update the Network Watcher names as per your primary and secondary regions in Azure where "Get-AzNetworkWatcher" cmdlet is used. E.g. to fetch the Network Watcher in the East US 2 region the command used is as below.

$nw = Get-AzNetworkWatcher -Name NetworkWatcher_eastus2 -ResourceGroupName NetworkWatcherRG

The script then fetches the VM using the Get-AzVM cmdlet.

$vm = Get-AzVM -Name $SourceVMName -ResourceGroupName $SourceVMResourceGroupName

Finally, it executes the test by using the Get-AzNetworkWatcherNextHop command.

$nextHop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id -SourceIPAddress $SourceVMIPAddress -DestinationIPAddress $DestinationIPAddress

To get the results it uses the output of the above command.

$eachVM.NextHopType = $nextHop.NextHopType $eachVM.IPAddressResult = $nextHop.NextHopIpAddress $eachVM.RouteTableID = $nextHop.RouteTableId

You can then compare the output with the expected output to check if the test case passed or failed.

If you have any improvements you would like to see in the script feel free to provide that as a comment here or a pull request on GitHub.

Block all public access to Azure Storage Accounts - via Azure policy - with complete sample

Sat, 17 Jul 2021 00:00:00 +0500

In the last post, we looked at how to block all public access to Azure Storage Accounts via manual configurations on the Storage Account. You can view that post here: Block all public access to Azure Storage Accounts - via manual setting. In this post, we are looking at how to automatically enforce this in your environment not just for existing storage accounts but also for any new storage accounts that will be created in the future. As the title suggests, we are going to use Azure policy to achieve this.

You have two key options when it comes to any Azure policy. You can either use it only to audit which resources are not compliant. Or you can enforce the required settings. We ideally want the latter effect, so that if someone changes the settings the settings are auto-corrected.

Finding the required resources within the policy

You first need to find the relevant resources. The two conditions you need to apply within the policy are:

You need to filter for all Storage Account resources

Then you need to filter for Storage Accounts for which "allowBlobPublicAccess" is not equal to "false" i.e. for which the allow blob public access is enabled.

For the first condition i.e. to filter by Storage account resource you use the below condition within the policy:

{ "field": "type", "equals": "Microsoft.Storage/storageAccounts" }

For the second condition, i.e. to filter for Storage Accounts for which "allowBlobPublicAccess" is not equal to "false" you can use the below condition:

{ "not": { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": "false" } }

Option 1 - Auditing for compliance

If you want to only Audit these storage accounts for which the allow blob public access is enabled, for the effect you can specify to only "audit" as shown below:

"then": { "effect": "audit" }

This will only show the non-compliant storage accounts under the compliance report.

Option 2 - Enforcing the setting (Recommended)

To go one step further you want to enforce the setting. You have two ways to do this:

Deny the operation

Reapply the settings.

To deny the operation simply specify the effect as "deny" as shown below:

"then": { "effect": "deny" }

To reapply the settings automatically you can use the below "modify" effect in the policy. You need to specify the guid for the role with which the effect will be applied. And then you specify the "addOrReplace" operation to update the setting as shown below:

"then": { "effect": "modify", "details": { "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "operations": [ { "operation": "addOrReplace", "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "value": false } ] } }

NOTE: You can create Exemptions in the policy if you have a genuine case where the access needs to be opened. E.g. a public static website hosted on the Storage Account.

Complete Policy Sample GitHub Location

To find the complete policy sample can be found in the GitHub at this location: DisableBlobPublicAccess.json

Reference: Prevent anonymous public read access to containers and blobs

Block all public access to Azure Storage Accounts - via manual setting

Thu, 15 Jul 2021 00:00:00 +0500

In the recent past, there have been so many instances where critical data was unintentionally exposed because public access was enabled on the Azure Storage Accounts. Outside people were able to access the blobs and containers publically. Now there is a way to block all public access with just a click of a button.

Finding the setting - Allow blob public access

To find this setting, navigate to the storage account for which you want to enable this setting. Then navigate to Configuration under Settings. Find the configuration for "Allow Blob public access" and set it to "Disabled" to disable any public blob access.

More ways to secure the storage account

There are various ways to further lockdown and secure your storage account. Let's look at a few of these.

Locking the Networking to only selected networks

One of the most important settings is to update the Storage Account's networking settings to not allow access from "All Networks". You should lock it down to specific networks only or to specified Public IP addresses only.

Other security related settings

Another security-related configuration is to require secure transfer. This means that when the data travels to and from the storage account HTTPS should be used instead of HTTP. In the case of file shares, the encrypted connection should be used as well.

Next Steps

In the next post, we will look at automatically enforcing blocking of the public access to storage accounts across your subscription with Azure policies. We will have this policy apply for any existing and new Storage Accounts. You can view that post here: Block all public access to Azure Storage Accounts - via Azure policy - with complete sample.

Reference: Prevent anonymous public read access to containers and blobs

Getting a report for all VMs and it's related OS and Data Disks - Code Sample

Thu, 15 Jul 2021 00:00:00 +0500

In the past, I wrote a script sample to output all VMs related reports. Now, this report is easily available in the Azure portal when you are viewing the VMs. You can even apply any filters and add/remove any columns for more data. Then you can download the csv for the data you see.

One thing that is not available is a report of VMs and their related OS and Data disks. You may need this sometime as per your requirements. In this post, I am sharing one such script that pulls a report around all VMs and their all related disks.

Script location

The latest version of the script can be found in GitHub here: Get-AzResourceInfo-VMsAndAllRelatedDisks

A sample output CSV file and a sample excel report (based on the output csv) are also located at the same location.

Script Working

The script selects all subscriptions and iterates over those. Then within each subscription, it fetches all Resource Groups and iterates over those. The script also indicates a way for filtering over Resource Groups (while fetching these) by using wildcards.

For each Resource Group, it fetches all resources and iterates over these. Then it filters out the resources of type virtual machines. Specifically, it uses the filter to match the type to "Microsoft.Compute/virtualMachines".

$resource.Type -eq "Microsoft.Compute/virtualMachines"

Then for every VM, it fetches three different types of information and adds each as a separate row to the output CSV:

The VM itself

OS disk details

Data disk details - one-row entry for each data disk

The script uses a value/column for "attachedToVM" for all types of rows to indicate which VM the entry belongs to. The script also outputs "ResourceType" column that you can further use to filter data.

Now that you have the data, you can create custom reports as per your requirements. One such report is provided in the same location for your easy reference.

If you have any improvements you would like to see in the script feel free to provide that as a comment here or a pull request on GitHub.

Restricting resource types from creation in Azure via Azure Policy

Wed, 23 Jun 2021 00:00:00 +0500

As a best practice, you should restrict the type of resources that can be created in your environment. Even if these are required these should be created by creating an exemption in the policy temporarily. What this does is, it restricts end-users from accidentally creating those resources and disrupting your environment.

Resource Types to restrict

One such example is Route Tables. If someone in your organization with contributor rights creates a Route Table that is applied on a critical subnet then that user can divert all traffic from that subnet.

Public IP Addresses are another big one that you want to restrict. Any public IP in your environment needs to have a valid business justification. These are the connection to the outside world and therefore you need to ensure that if one exists in your environment then that has proper safeguards (like Firewall) etc. in place.

Classic resources should also be limited. You want to conform to the latest standards (ARM-based) and stay away from classic compute and storage resources within Azure.

We recommend the below resource types to consider restricting in your environment as a starting place. You can then extend these and add/remove any types as per your requirements:

Route Tables

Public IP addresses

DNS Zones

Network Watchers

Search Services

Bastion Hosts

Elastic Pools

Classic Compute

Classic Storage

Policy Sample

The below policy sample implements the restrictions and limits the resource types (that we discussed above) from being created at all. If any of the mentioned resource type is created then the policy denies that resource creation operation.

{ "mode": "All", "policyRule": { "if": { "anyOf": [ { "field": "type", "like": "Microsoft.Network/dnszones*" }, { "field": "type", "like": "Microsoft.Network/networkWatchers*" }, { "field": "type", "like": "Microsoft.Search/searchServices*" }, { "field": "type", "like": "Microsoft.Network/publicIPAddresses*" }, { "field": "type", "like": "Microsoft.Network/bastionHosts*" }, { "field": "type", "like": "Microsoft.Sql/servers/elasticpools*" }, { "field": "type", "like": "Microsoft.Network/routeTables*" }, { "field": "type", "like": "Microsoft.ClassicCompute/*" }, { "field": "type", "like": "Microsoft.ClassicStorage/*" } ] }, "then": { "effect": "deny" } }, "parameters": {} }

Additional Considerations - restricting VM SKUs

In addition to restricting the resource types, you should also restrict VM SKUs. A SKU from the high performance computing series like HBv3-series can eat up your budget very fast. So as a good practice you should be restricting the SKUs to only the ones that you allow. You will need to maintain the list and update it as different projects require additional SKUs or want to upgrade to the latest series. But that is easily done and hardly takes any time. The benefits far outweigh this one small downside.

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Enforcing Standards.

Enforcing Naming Convention for Resource Group via Azure Policy

Fri, 18 Jun 2021 00:00:00 +0500

Having the right naming convention is very important for your environment. If you already have a naming convention defined then you should try to enforce it in your environment. One such way to do this is via Azure policy. In this post, we will look at how we can do this with a policy sample.

Sample naming convention

Let's assume that the naming convention for the Resource Groups has the below features/restrictions:

The name should start with "RG-"

The name should end with the environment i.e. dev, test, or prod

The name should also end with the location i.e. US East, US West, etc.

E.g. the name should be something like RG-AccoutingRecordsApp-Dev-USE to denote that the resource group is for the accounting department for some "records app". This resource group is in a dev environment and within the US East location.

Enforcing the naming convention

To enforce the naming convention we will have negative conditions so that later we can apply the deny operation to stop the resource group from even creating. Also note that all of the conditions should be met. If any of the conditions is not met then the resource group creation will fail.

Policy sample:

{ "mode": "All", "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" }, { "anyOf": [ { "field": "name", "notLike": "RG-*" }, { "allOf": [ { "field": "name", "notLike": "*-DEV-USE" }, { "field": "name", "notLike": "*-DEV-USW" }, { "field": "name", "notLike": "*-TEST-USE" }, { "field": "name", "notLike": "*-TEST-USW" }, { "field": "name", "notLike": "*-PROD-USE" }, { "field": "name", "notLike": "*-PROD-USW" } ] } ] } ] }, "then": { "effect": "deny" } }, "parameters": {} }

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Enforcing Standards.

Enforcing resources to have the same location as the containing resource group via Azure Policy

Sat, 12 Jun 2021 00:00:00 +0500

In the previous post, we saw how to restrict the locations of resources and resource groups. You can view that post here: Enforcing location restrictions in your environment via Azure Policy . In this post, we will look at how to enforce the resources to adhere to the location of the containing resource groups. If a resource group is in the US East location then all the resources within that resource group can be enforced to be in the same location i.e. US East.

Implementing restrictions via Azure Policy

While trying to implement this restriction we need to consider the fact that the resource groups can only be in a geographical location while the resources have a special location called "global". So the restrictions will have:

The location field should be equal to the resource group's location. You can compare by using the function: resourceGroup().location

The location field can be equal to "global"

Policy sample:

{ "mode": "Indexed", "policyRule": { "if": { "allOf": [ { "field": "location", "notEquals": "[resourceGroup().location]" }, { "field": "location", "notEquals": "global" } ] }, "then": { "effect": "deny" } }, "parameters": {} }

Note that the policy has negative conditions as the effect is denying the resource creation/update operation.

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Location Restrictions.

Enforcing location restrictions in your environment via Azure Policy

Fri, 04 Jun 2021 00:00:00 +0500

You want to always deploy resources in a limited set of locations within Microsoft Azure that makes sense to your business. Usually, this decision is based on the following criteria:

The primary location within Azure that is closest to you

Optional - The location that provides the best cost for the Express Route, closest to you and based on your preferred provider

The secondary location that is usually a paired region for the primary location

Additional locations based on your extended offices or different geographical branches

Once you have defined the regions where your resources will be deployed, you want to lock this down via Azure policies so that even by accident, no one deploys resources to any other region. This helps with governance and supportability in the longer run. Let's look at how to apply this next. For this post, let's assume that the locations selected are East US and West US i.e. the resources can only be deployed within these two regions.

Location restrictions at the Resource Group level

For the resource group level you want to have the following conditions and then deny the operations if true:

The type of the resource is the Resource Group

The field for "location" is not in the allowed list of locations.

The "allOf" operator before all these conditions ensure that all the conditions should be met at the same time.

Policy sample:

{ "mode": "All", "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" }, { "field": "location", "notIn": [ "eastus", "westus" ] } ] }, "then": { "effect": "deny" } }, "parameters": {} }

Location restrictions at the Resource level

The one main caveat with some resources is that they are not deployed in a specific geographic region. They have a special region named "global" where such resources are deployed. We will factor this into the list of allowed locations when defining the policy.

Also we don't need to specify the type, which ensures that this policy is applied to all resource types.

Policy sample:

{ "mode": "Indexed", "policyRule": { "if": { "not": { "field": "location", "in": [ "eastus", "westus", "global" ] } }, "then": { "effect": "deny" } }, "parameters": {} }

Additional considerations

You also want to sometimes restrict the resources to the location of the resource group where they are deployed. We will be looking at this in our next blog post.

Complete Policy Samples on GitHub

You can find the complete policy samples on the GitHub in my policy samples repository here: AzurePolicySamples - Location Restrictions.

Azure Key Vault service SLA raised to 99.99% from 99.9%

Sat, 22 May 2021 00:00:00 +0500

Azure Key Vault service is now even more resilient. The SLA for this service has been raised to 99.99%. Earlier this SLA was only 99.9%.

With this update, Azure Key Vault guarantees that valid Key Vault requests will have availability 99.99% of the time.

Let's understand what that change translates to. The permissible downtime or unavailability time has been reduced as follows.

Daily: From 1m 26s to 8s

Weekly: From 10m 4s to 1m

Monthly: From 43m 49s to 4m 22s

Quarterly: From 2h 11m 29s to 13m 8s

Yearly: From 8h 45m 56s to 52m 35s

As you can see from the above numbers, even if the SLA doesn't look much bigger change, it actually is a very big difference in the allowed downtime.

Reference: Azure Key Vault SLA raised to 99.99%

Azure Site Recovery now supports cross-continental disaster recovery - although only for 3 region pairs

Tue, 11 May 2021 00:00:00 +0500

If you even had to create a strategy for your organization around Business Continuity/Disaster Recovery in Azure for Virtual Machines, the key product/offering you leverage is Azure Site Recovery or ASR. It actively replicates the data across different region and provides ability to failover in case of a disaster.

Azure Site Recovery now supports cross-continental disaster recovery giving a new meaning to failover. This feature is available for 3 region pairs. These pairs are:

Southeast Asia and Australia East

Southeast Asia and Australia Southeast

West Europe and South Central US

This means that a workload running in Southeast Asia can be replicated to Australia East and failed over across continents in case of a disaster.

Official announcement link: Azure Site Recovery now supports cross-continental disaster recovery for 3 region pairs.

Log analytics workspace name uniqueness is now per resource group

Wed, 05 May 2021 00:00:00 +0500

Azure monitor log analytics workspace name needed to be unique globally so far (similar to storage account names). Microsoft has implemented changes on the backend around how the names are handled in the background. The main change that is an outcome of this is that the log analytics workspace name no longer needs to be globally unique. Instead, it needs to be unique only within a resource group level.

This provides a lot more flexibility in providing whatever names you want to assign to the log analytics workspace and following your naming standards without worrying that someone else across the globe could be using the same name.

Workspace uniqueness updates

Workspace uniqueness is maintained as follow:

Workspace ID – global uniqueness remained unchanged.

Workspace resource ID – also needs to be globally unique.

Workspace name – needs to be unique per resource group.

Cross workspace queries

Cross workspace queries should now reference workspaces by either:

Qualified name, or

Workspace ID, or

Azure Resource ID

Cross workspace queries referenced by resource name (i.e. the workspace name) will fail due to ambiguous names when you have multiple workspaces with that name.

Official update link: Log analytics workspace name uniqueness is now per resource group.

Azure Bastion Series - Index

Sun, 25 Apr 2021 00:00:00 +0500

This is the Index for the series of blog posts regarding the Azure Bastion service.

Note that this Index is updated regularly as more posts are added around this topic.

What is Azure Bastion

Creating an Azure Bastion Host

Connecting to Windows VMs using Azure Bastion

Connecting to Linux VMs using Azure Bastion

Connecting to VM Scale Sets (VMSS) using Azure Bastion

Clipboard access and going full screen

NSG and Firewall configurations

Managing Azure Bastion - Session Management, Monitoring and Alerting

Simplifying Azure Bastion - 8 Managing Azure Bastion - Session Management, Monitoring and Alerting

Sat, 24 Apr 2021 00:00:00 +0500

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

In the previous few posts, we looked at various aspects of the Azure Bastion service. In this post, we will look at various monitoring and alerting capabilities related to Azure Bastion.

Monitoring remote sessions

You can monitor all the remote sessions being facilitated by Azure Bastion. To do this navigate to the Azure Bastion host. Click on the "Sessions" under settings. On the right side, you will be able to view all the active sessions. Click on the Refresh button to update the list with any added or removed session.

Note that in the list you will see many pieces of valuable information. Few important ones are:

Target Host Name - Hostname of the VM that has an active session.

UserName - User name that was used to connect to the VM.

Protocol - RDP or SSH protocol, that is used to connect to the target VMs (by the Bastion host). It is ssh for Linux and RDP for Windows VMs.

Managing remote sessions - Deleting the sessions

If required, you can delete any session from the list of active sessions. To do this simply right-click on the session name in the list and click on the Delete in the pop-up menu.

The person connected to the VM via Azure Bastion will see a prompt similar to the below. Even after a reconnection attempt from this prompt the connection won't be successful. If the end-user wants to connect again then they will have to initiate the connection again from the Azure portal.

Monitoring Azure Bastion

The monitoring capabilities are integrated with Azure Monitor. Navigate to the Monitor service in the Azure portal and then click on the "Metrics" option in the left settings pane. On the right side, set the Scope to the Azure Bastion host, that you want to monitor. Next, select one of the available metrics from the list of Metric dropdown.

The options available for Metric are:

Availability - Bastion communication status

Saturation - Total memory

Saturation - Used CPU

Saturation - Used memory

Traffic - Session count

The one shown in the screenshot below is for "Traffic - Session count".

Creating Alerts on Azure Bastions

From the Monitor, you can also create Alerts related to Azure Bastion. This experience is also similar to creating an alert for any other service in Azure. To create a new alert, click on the "+ New alert rule" button under the Alert section.

In the "Create alert rule", select the scope and set it to the Azure Bastion service. Then click on the "Add condition" button. This will bring a pop-up blade to "Configure signal logic". This is the condition on which the alert will be triggered. Check all the signals available here.

Additionally, you can select or create an Action Group to send notifications and take actions whenever an alert is triggered.

Simplifying Azure Bastion - 7 NSG and Firewall configurations

Tue, 20 Apr 2021 00:00:00 +0500

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

In the earlier posts, we saw how to set up the Azure Bastion service and how to connect to VMs using this service. In this post, we will see what ports are involved and on which side to allow this communication. That is which ports are involved in the outbound communication between the target VMs and Bastion host and which ports are involved in the inbound communication. You will need this information when dealing with any NSGs or Firewalls.

Key Points

Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you with secure RDP/SSH connectivity. You don't need to apply any NSGs on the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.

Note: UDR is not supported on an Azure Bastion subnet. You don’t need to force traffic from an Azure Bastion subnet to Azure Firewall because the communication between Azure Bastion and your VMs is private. Therefore unless you have a complex deployment you will need to define the rules only at the NSG levels.

Inbound rules for the Azure Bastion Subnet

Note: These are the rules for the Inbound or Ingress communication for the Azure Bastion host. These are applied to the NSG for the Bastion subnet.

Navigate to the "Inbound security rules" in the NSG and click on the "+ Add" button to add individual rules. As a best practice, leave a range of 10 or higher when providing priority to the rules. Ensure that the order is correct and in the required sequence.

Add the rules for the following:

Inbound on 443 from the Internet - Allow HTTPS inbound on port 443 for TCP protocol. Use the service tag of "Internet" for the Source and "Any" for the destination. This rule is required for you to be able to make HTTPS connections to the Azure Bastion host from the Azure portal.

Azure Bastion control plane - Allow 443 for TCP protocol. Use the service tag of "GatewayManager" for the Source and "Any" for the destination. This rule is required for the Azure Bastion control plane, i.e. Gateway Manager to be able to talk to Azure Bastion

Azure Bastion data plane communication - Allow 443 for TCP protocol. Use the service tag of "AzureLoadBalancer" for the Source and "Any" for the destination. This rule allows communication between the underlying components of Azure Bastion.

Azure Load Balancer Health probes - Allow 5701 and 8080 for "Any" protocol. Use the service tag of "VirtualNetwork" for the Source and also "VirtualNetwork" for the destination. This rule enables Azure Load Balancer to detect connectivity.

Outbound rules for the Azure Bastion Subnet

Note: These are the rules for the Outbound or Egress communication for the Azure Bastion host. These are applied to the NSG for the Bastion subnet.

Navigate to the "Outbound security rules" in the NSG and click on the "+ Add" button to add individual rules. As a best practice, leave a range of 10 or higher when providing priority to the rules. Ensure that the order is correct and in the required sequence.

Add the rules for the following:

Traffic to target VMs - Allow SSH and RDP outbound on ports 22 and 3389 for Any protocol. Use the "Any" for the Source and the service tag of "VirtualNetwork" for the destination. This rule allows Bastion to be able to connect to target VMs for SSH and RDP connectivity.

Azure Bastion data plane communication - Allow outbound on ports 443 for TCP protocol. Use the "Any" for the Source and the service tag of "AzureCloud" for the destination. This rule allows outbound communication for the components of Azure Bastion to talk to each other.

Azure Cloud communication - Allow outbound on ports 5701 and 8080 for Any protocol. Use the "VirtualNetwork" for the Source and also the service tag of "VirtualNetwork" for the destination. This rules is required for Azure Bastion to send diagnostics logs, metering logs, and other information to various public endpoints within Azure cloud.

Internet communication - Allow outbound on port 80 for Any protocol. Use the "Any" for the Source and the service tag of "Internet" for the destination. This rule is required for session and certificate validation.

Inbound rules for the Target VM's NSG

Note: These are the rules for the Inbound or Ingress communication for the Target VM that you will RDP to via the Bastion host. These are applied to the NSG for the subnet of the Target VM or directly to the network interface card of the VM.

You will need to allow ports 3389 (RDP) and 22 (SSH) inbound on the target VM. This needs to be allowed for the Bastion host to be able to make the RDP and SSH connections respectively to the target VM.

Note

You don't need both ports i.e. 3389 (RDP) and 22 (SSH). You should limit it to either one based on the operating system within the VM. For Windows VMs you will select the 3389 port and for the Linux VMs, you will select port number 22. This is shown as number 4 in the below screenshot.

You should update the Source IP address range to the address range of the Bastion subnet i.e. "AzureBastionSubnet" subnet only. This is shown as number 5 in the below screenshot.

You can read more about these in the official documentation here: Working with NSG access and Azure Bastion

Simplifying Azure Bastion - 6 Clipboard access and going Full screen

Sun, 18 Apr 2021 00:00:00 +0500

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

When working with Azure Bastion you connect to various VMs via the Bastion host. For Windows VMs, you connect via RDP and for Linux VMs you connect via SSH. In both scenarios, you will need to copy and paste the text from the local machine to the remote VM. In Bastion this is managed via the Clipboard manager on the Bastion host.

Before you start make sure that you know how to connect to the VMs and various caveats linked to that as we discussed in the earlier posts.

Clipboard Access

When trying to connect for the first time or trying to connect on a new browser, the Bastion service will request you to allow the Text and Image related clipboard access. I highly recommend allowing this. If you opt to not allow this access then later, you won't be able to share any clipboard with the session.

Note: Only text copy/paste is supported.

When you are in the remote session, launch the Bastion clipboard access tool palette by selecting the two arrows on the left-center of the session.

In the pop-out window, any text you have copied on the local machine will automatically appear in the text box in this window. You can review or modify the text in this window and the clipboard in the remote VM will be updated automatically.

Full Screen

Another very useful option that is available in the pop-out option is to go full screen. Just click on the button as indicated below to enter the full-screen mode. This is recommended when you have to work on the remote VM for a long period of time.

Press the Escape button to exit the Full Screen.

Simplifying Azure Bastion - 5 Connecting to VM Scale Sets (VMSS) using Azure Bastion

Sat, 17 Apr 2021 00:00:00 +0500

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

In the previous two posts, we saw how to RDP to a Windows VM and how to SSH to a Linux VM. In this post, we will see how to connect to the instances of a Virtual Machine Scale Set (VMSS). Note that in the case of VMSS, Bastion will automatically decide whether to use RDP or SSH based on the operating system of the instance.

To start, navigate to your Virtual Machine Scale Set (VMSS) and click on the Instances. Select the instance to which you want to connect.

To connect to the VM via Bastion, first, navigate to the Linux VM in Azure. Click on the Connect button. In the pop-out menu, click on the Bastion option.

Next, click on the Use Bastion button on the next screen.

In the "Connect using Bastion" screen, note the Bastion host being used to connect. This is only for information. You may need this information to troubleshoot if you run into any issues.

Next, I recommend leaving the check box for "Open in new window" checked. This ensures that the connection opens in a new tab or window and uses the maximum area. If you uncheck this then the connection will open in a new blade to the right and the view will be limited.

Provide the credentials of the instance that you are trying to connect.

Hit the Connect button to connect to the instance.

A new window/tab will open in the browser with the VM connected.

Simplifying Azure Bastion - 4 Connecting to Linux VMs using Azure Bastion over SSH

Sat, 10 Apr 2021 00:00:00 +0500

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

In the previous blog, we saw how to RDP to a Windows VM using Bastion. In this post, we will look at how to SSH to a Linux VM using the Bastion service.

To connect to the VM via Bastion, first, navigate to the Linux VM in Azure. Click on the Connect button. In the pop-out menu, click on the Bastion option.

Next, click on the Use Bastion button on the next screen.

In the next screen to "Connect using Azure Bastion" make note of the following:

At the top you will see the Bastion host being used for the connection. This is for your information only. You do not need to take any action here. You may need this if you run into any issues and have to troubleshoot.

I recommend leaving the check box for "Open in new window" checked. This ensures that the connection opens in a new tab or window and uses the maximum area. If you uncheck this then the connection will open in a new blade to the right and the view will be limited.

Next provide the Username that will be used to connect via SSH to the Linux VM

Authentication type is important. Select the one that you want to leverage. The next entry will update as per the selection here.

Provide the additional information for the selection you made in the previous point.

The advanced settings are optional and can be skipped. This does not relate to all authentication types.

Finally click on the Connect button to connect to the VM

The options for authentication types are as follows:

Password - This is to use the normal username and password-based authentication

SSH Private Key - This option is used when you want to provide the key phrase manually

SSH Private Key from Local File - This is to upload the private key file from the local computer. You can optionally provide a passphrase for this.

SSH Private Key from Azure Key Vault - This is to use a private key file that you have previously uploaded to the Azure Key Vault.

Once you click on the Connect button, the SSH session to the VM opens up in a new tab.

Note: Almost all the Caveats from the previous blog for RDP to Windows VM also apply to the SSH to Linux VMs.

Simplifying Azure Bastion - 3 Connecting to Windows VMs using Azure Bastion

Thu, 08 Apr 2021 00:00:00 +0500

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

In the last post, we deployed the Azure Bastion service. In this post, we will look at how to connect to a Windows VM via RDP using the Bastion service.

Connecting to the Windows VM via RDP

To start an RDP connection to a Windows host, navigate to the virtual machine that you want to connect to. Click on the Connect button. In the pop-out option, select the Bastion option. Click on the "Use Bastion" button on the next screen.

In the next screen to "Connect using Azure Bastion", enter the credentials for the VM to which you are trying to connect. Keep the check box for "Open in new window" checked. If you don't select this checkbox then the RDP session will open in another blade to the right. I prefer to open the RDP session in a new window for maximum screen space.

Your VM will open in a new tab. You will be able to perform many actions that you can do via direct RDP (with exception of a few).

Caveats during the connectivity

There are some caveats when connecting via the Bastion service. Here are a few that I have encountered or was able to generate.

The first one is the pop-up blocked alert. When you are trying to connect using the option to open in the new window, then if you have a pop-up blocker enabled and the Azure portal is not whitelisted then you will see the below alert in the portal when trying to connect. The connection will not succeed.

Solution: click on the small icon for blocked pop-up in the address bar of the browser, as shown below, and select to Allow the pop-ups from the Azure portal.

When trying to connect for the first time or trying to connect on a new browser, the Bastion service will request you to allow the Text and Image related clipboard access. I highly recommend allowing this. If you opt to not allow this access then later, you won't be able to share any clipboard with the session.

If for any reason the connection is interrupted then you will see a dialog saying "Disconnected". You will have the option to Reconnect or exit by clicking on the Close button.

Connection Error may come e.g. when restarting the VM. It will automatically attempt to reconnect in few seconds. You can also force reconnect by clicking on the "Reconnect" button.

As you can see that using the Bastion service to connect to the Windows VMs is a very easy and straightforward process. In the next post, we will look at how to connect to a Linux VM via SSH using the Bastion service.

Simplifying Azure Bastion - 2 Create an Azure Bastion Host

Wed, 07 Apr 2021 00:00:00 +0500

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

In the previous post, we looked at what the Azure Bastion service is. We discuss its architecture, how it works, key benefits, pricing, etc. In this post, we will look at how to create the Azure Bastion service in the Azure portal.

As we noted in the previous post, the Azure Bastion host is linked to a particular virtual network. In this post, when we will perform the deployment, you will notice that the deployment will be done related to a particular virtual network that we will need to select. This should be the virtual network into which your virtual machines are also deployed which you want to RDP or SSH into via the Azure Bastion service.

Pre-requisites

Before you start setting up the Azure Bastion host, you need to have a subnet in your Virtual network where you are deploying it.

The subnet must be named AzureBastionSubnet.

The subnet must be at least /26 or larger.

In order to make a connection, the following roles are required:

Reader role on the virtual machine

Reader role on the NIC with private IP of the virtual machine

Reader role on the Azure Bastion resource

Creating the Azure Bastion host

To create a Bastion host, you can navigate to the Bastions section in the Azure portal. Click on the "+ Add" button to add a new Bastion host.

A new blade for "Create a Bastion" will open up. In this new blade, provide the details for:

Subscription and the Resource Group where you want to deploy the Bastion service.

Provide a name for the Bastion host and the region where it should be deployed. Note that the region should be the same as where the Virtual Network and the VMs are located.

Next, select the target Virtual network. It will automatically select the subnet with the name as AzureBastionSubnet. Note that this subnet should have the size as /27 or larger. If there is no such subnet then you will get an error.

Next, either create a new public IP address or use an existing public IP for the Bastion host.

In the next screen provide the Tags. Review all the settings and then create the Bastion host.

That's all there is to it. Once the deployment is complete we will be ready to leverage this to connect to the other VMs in the virtual network.

Note that we will not be able to connect to the Bastion host itself. It is a fully managed service and is used under the hood to connect to the VMs via RDP or SSH internally. We will be able to connect to other VMs in the network, over port 443 directly from the Azure portal, directly in the browser.

In the next post, we will look at how to connect to VMs using the Azure Bastion host.

Simplifying Azure Bastion - 1 What is Azure Bastion

Sat, 03 Apr 2021 00:00:00 +0500

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

1. Details about Azure Bastion

Azure Bastion is a fully platform-managed PaaS service that provides RDP/SSH over TLS i.e. port 443 to all the VMs in the network. Think of this as a managed Jump Box or Jump Server service provided by Microsoft. The service is deployed via a managed host into your virtual network. This host is like a fully managed Jump box and is kept up to date by Microsoft.

Note that you will need to deploy one host for each of your virtual networks. Using one host, you will be able to connect to all the VMs in the same virtual network. The Bastion host needs a Public IP address. All the rest of the VMs don't need any public IP address.

Here are key points about Azure Bastion:

Azure Bastion provides an integrated platform alternative to manually deploying and managing jump servers or Jump boxes to shield your virtual machines.

It is a fully platform-managed PaaS service

Bastion host is provisioned inside your virtual network

Secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS

Virtual machines do not need a public IP address, agent, or special client software

One Bastion host is needed per virtual network

The public IP of the Bastion resource on which RDP/SSH will be accessed (over port 443)

You don't need an RDP or SSH client. Use the Azure portal to let you get RDP/SSH access to your virtual machine directly in the browser.

Azure Bastion doesn't move or store customer data out of the region it is deployed in.

2. Shortcomings or Areas of Improvement

The below features are currently either not available or are not supported:

IPv6 is not supported. Azure Bastion supports IPv4 only.

Only text copy/paste is supported. Features, such as file copy, are not supported yet.

It doesn't work with AADJ VM extension-joined machines using Azure AD users.

Azure Bastion currently supports only en-us-qwerty keyboard layout inside the VM.

3. Architecture - How Azure Bastion works

Bastion Hosts are Jump servers that are deployed with a public IP address. These reside at the perimeter of your network. All the other VMs do not need any public IP address. You will be able to connect to the VMs via this Bastion host. The VMs can be deployed in one or many different subnets in the same virtual network.

You need to have a dedicated subnet with the name as AzureBastionSubnet. This subnet must be at least /27 or larger. This subnet should be deployed before creating the Bastion host.

You connect to the Bastion server directly from within the browser on port 443. The Bastion host in turn connects to the VM at port 3389 for RDP and 22 for SSH.

The subnet for the Azure Bastion host needs to have connectivity to the rest of the subnets. This is available by default. If you have NSGs then Bastion-related communication should be allowed. We will look at these rules in detail in a later post.

Note that UDR is not supported on an Azure Bastion subnet. You don’t need to force traffic from an Azure Bastion subnet to Azure Firewall because the communication between Azure Bastion and your VMs is private.

Microsoft keeps Azure Bastion hardened and always up to date for you to ensure that it can withstand attacks from outside.

4. Benefits of using Azure Bastion

There are various benefits of using Azure Bastion. The main one being able to RDP/SSH to your VMs without exposing them via any public IP address. Below is the list of various benefits of having Azure Bastion in your virtual networks:

Secure and seamless RDP and SSH access to your virtual machines

No Public IP exposure on the VM

Help limit threats such as port scanning and other types of malware targeting your VMs

Fully managed, autoscaling, and hardened PaaS service

Uses a modern HTML5-based web client and standard SSL ports. This makes Firewall and other security rules very easy to manage.

Existing authentication works i.e. Existing credentials and SSH keys will still be used for connecting to the VMs

Same single pane of glass experience to connect to all the VMs

Bastion host servers are designed and configured to withstand attacks. The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.

5. Concurrency Considerations

Both RDP and SSH are a usage-based protocol. High usage of sessions will cause the bastion host to support a lower total number of sessions. The numbers below assume normal day-to-day workflows.

Workload Type* Limit**

Light 100

Medium 50

Heavy 5

These workload types are defined here: Remote Desktop workloads

6. Pricing

There are two components of the pricing related to Azure Bastion:

Fixed charge for the service. This is the charge billed hourly for deploying the service. E.g. in an East US location, this charge is around $0.19 per hour.

Outbound data transfer charges. This is the charge based on the total outbound data transfer. This is further tiered into various categories based on the total consumption.

The pricing details can be found here: Azure Bastion pricing

You can read more information about Azure Bastion in the official documentation here: Azure Bastion Overview.

Service Tags are now supported for Defining Routes in Route Tables

Sat, 27 Mar 2021 00:00:00 +0500

Let us assume that you have to define routing for a particular Azure service e.g. Azure Storage. Any communication to the Azure storage service should happen via your defined route e.g. a virtual appliance. To be able to define this route table you will need to define many routes for all the IP addresses corresponding to the Azure Storage service. Microsoft publishes all these IP addresses in a JSON format that you can leverage. This JSON file is available here: Azure IP Ranges and Service Tags – Public Cloud

This current process will involve around 504 routes corresponding to each IP address space published by Microsoft for Azure Storage service alone. To make matters even more complex, you have a limit on the total number of routes allowed in a subscription. You can have a max of 200 Route Tables and only 400 routes allowed per Route Tables. You can check all the service limits here: Azure subscription and service limits, quotas, and constraints

Solution

Microsoft has published the solution for this problem. You can now leverage the Service Tags when defining User Defined Routes (or UDRs) in a Route Table. I believe this addresses a long-requested feature and makes the task to route any Microsoft service-related communication easy.

This service is currently in Public Preview (at the time of writing this blog post). Also, this service is only available via APIs i.e. via REST, PowerShell, CLI, and can also be used in ARM templates. This feature is not currently available through the Azure Portal.

You can now specify a Service Tag for the address prefix parameter in a user-defined route for your route table. You can choose from tags representing over 60 Microsoft and Azure services to simplify route creation and maintenance.

You no longer need to manually update routes when services change or add to their list of endpoints. Routes with Service Tags will update automatically to include new changes.

This also eliminates the need for regularly updating routes based on the IP data in the weekly JSON file downloads that Microsoft provides.

This also helps reduce the likelihood of running into the routes per route table limit (400) which is common when configuring routing for multiple Microsoft and Azure services. By using Service Tags, you can avoid this, since the tag condenses all ranges for that service into one group.

For example, Microsoft lists more than 4,500 prefixes that collectively represent the Azure address space. You can now use one route with the AzureCloud Service Tag which will include all of these.

Learn more about this capability here: Public preview: Service Tags for User Defined Routing

Finding IP address ranges for SUSE Linux Enterprise images to work in Microsoft Azure behind Firewall or NSGs

Fri, 26 Mar 2021 00:00:00 +0500

For the SUSE Linux Enterprise Server (SLES) images to work in the Microsoft Azure environment, it needs to communicate with the SUSE servers. Specifically, it needs to communicate with the SUSE registration servers and the repository servers. If the VM deployed from SUSE images, is deployed behind a Firewall or NSG then this communication will be blocked by default and will need to be opened up.

So where will we get the IP addresses or URLs for the SUSE server?

Solution

The SUSE team publishes the required IP addresses in the below 2 XML files. These are dynamic links that the SUSE team keeps updating and should be referred if any communication is broken.

The URLs for the IP addresses are:

https://susepubliccloudinfo.suse.com/v1/microsoft/servers/smt.xml

https://susepubliccloudinfo.suse.com/v1/microsoft/servers/regionserver.xml

It is recommended to open the IP addresses for the regions where our VMs are deployed. The required communication occurs on Port 443 i.e. HTTPS.

Long term solution

Long term solution is to deploy a SUSE RMT (or Repository Mirroring Tool) server in the environment. For older versions of SLES, you may require SMT instead. It is highly recommended to upgrade and use RMT instead.

"RMT server establishes a proxy system for SUSE Customer Center with repositories and registration targets. This helps you to centrally manage software updates within a firewall on a per-system basis while maintaining your corporate security policies and regulatory compliance."

Here is a guide for configuring the RMT: Repository Mirroring Tool Guide.

How to Copy data from Google Cloud Platform (GCP) Storage to Microsoft Azure Storage Block Blob

Thu, 25 Mar 2021 00:00:00 +0500

Copying from Google Cloud to Microsoft Azure has been a challenge that Microsoft has addressed in the latest release of AzCopy. Via the latest release i.e. v10.9.0, Microsoft has brought the capabilities importing from Google Cloud Platform (GCP) Storage to Microsoft Azure Storage Block Blob. Additionally, this latest release will also have support for scanning logs that can have low or high output based on the requirements. Tags will be preserved when copying the blobs and the list command will include "Last Modified Time" related information.

General syntax to copy is as shown below:

azcopy copy 'https://storage.cloud.google.com//' 'https://.blob.core.windows.net//'

An example is as below:

azcopy copy 'https://storage.cloud.google.com/mybucket/myobject' 'https://mystorageaccount.blob.core.windows.net/mycontainer/myblob'

This feature is currently in preview at the time of writing of this blog. You can read more about how to practically use AzCopy to copy form the GCP Storage to Microsoft Azure Storage block blob here: Copy data from Google Cloud Storage to Azure Storage by using AzCopy.

Simplified process for publishing VM Images to Azure Marketplace

Tue, 23 Mar 2021 00:00:00 +0500

Microsoft has announced a new capability now to publish the VM Images to Marketplace. You can now publish a VM Image in Shared Image Gallery (SIG) to Azure Marketplace. This capability simplifies your image preparation, testing, and submission process as you no longer have to extract VHDs, upload them, and generate SAS URIs. With this capability, you can now manage the full image lifecycle within Azure. You can simply create your image from the VM or a VHD into Shared Image Gallery, then select the SIG Image to publish it in Partner Center.

Step by step process

Here is how the step by step process looks like:

Select an approved base image. This is the Windows or Linux Operating System image that Microsoft has approved to be leveraged as a base for the OS image.

Create a VM from the approved base image.

Configure the VM. In this step, you install the binaries and perform configurations as per your requirements. You also install all the required updates and patches on the VM and ensure that the VM meets the security standards.

Generalize the VM and Capture the image for the VM.

Publish the VM from the Shared Image Gallery (SIG) to the Marketplace

The option to Capture the image is from the VM blade click on the Capture button at the top.

During the Capture process ensure to use the option to "Share image to Shared image gallery"

To check the detailed walkthrough check this official documentation: How to create a virtual machine using an approved base

Dynamic data masking granular permissions for Azure SQL and Azure Synapse Analytics

Thu, 18 Mar 2021 00:00:00 +0500

Dynamic Data Masking now supports granular permissions. This support is now available for:

Azure SQL Database,

Azure Synapse Analytics, and

Azure SQL Managed Instance

This feature allows you to grant and deny UNMASK permission at the schema-level, the table-level, and the column-level. This enhancement provides a more granular way to control and limit unauthorized access to SQL assets on Azure and improve data security management.

You can read more about this feature towards the end of the doucmentation here: Dynamic data masking - Permissions section

SQL insights in Azure Monitor

Thu, 18 Mar 2021 00:00:00 +0500

Microsoft Azure Monitor now has SQL monitoring capabilities. This feature is provided out of the box now.

Using this you can monitor:

Azure SQL Databases

Azure SQL Managed Instance

SQL Server on Azure VM

Now you can monitor things like:

CPU Utilization percentage

Memory Utilization percentage

Data IO percentage

Number of User Connections

Active Temp Tables

Memory Grants Pending

Processes blocked

Deadlocks/sec

Total data file size

Total log file size

Total log file used size

Free space in tempdb

Memory broker clerk size, etc.

Where are the SQL Insights

You can access the SQL insights by navigating to the Monitor in the Azure portal. And then in the Insights section, you can navigate to the "SQL (preview)" option.

Pricing

There is no separate pricing for the SQL Insights. All costs are incurred by the virtual machines that gather the data, the Log Analytics workspaces that store the data, and any alert rules configured on the data.

You can learn more about the SQL insights from the official documentation here: Monitor your SQL deployments with SQL insights

Creating alerts based on Azure Forecasts for spending

Tue, 16 Mar 2021 00:00:00 +0500

You can now create alerts based on the Azure Forecasts. This can help adjust your spending before you hit the budget target. Think about it, if you are going to hit the budget on the 25th day of the month instead of the last day you would want to know about it as early as possible. The earlier you know, the better you can get to manage the spending.

You can customize notifications and also take action if the alert is triggered by leveraging the Action Groups in Azure. You can check how to create Action Groups in this post: Creating the Action Groups for alerts in Microsoft Azure.

How to configure Alerts based on Forecasts

Navigate to "Cost Management + Billing" and select the "Cost Management" option.

In the Cost Management blade, select the option for "Budgets" and then click on "+ Add".

In the next screen under "Create a budget" select the appropriate values for the following:

Budget scope

Budget name

Reset period - under most circumstances this should be Billing month

Creation date

Expiration date

Provide an amount for the Budget

In the next screen for "Set alerts", under the Alert conditions, select the type as "Forecasted". Provide the percentage of budget. E.g. if you provided the budget as $150 and selected the percentage of budget as 80% then the alert would be triggered at $120.

Provide the Action Group to alert via SMS or emails. You can alert via email by providing individual email ids or distribution list's id for "Alert recipients (email)" entry.

You can read more about this feature at the official blog here: Prevent exceeding Azure budget with forecasted cost alerts

Configuring the Azure Route Server

Mon, 15 Mar 2021 00:00:00 +0500

In the last 2 posts, we looked at what Azure Route Server is and how to configure it. You can view those posts here:

Understanding the Azure Route Server

Creating the Azure Route Server

In this post, we will look at configuring the Azure Route Server. The below steps are involved in configuring the Route Server:

Set up the peering by adding a Peer. This could be a Network Virtual Appliance or NVA.

Establish BGP session from the NVA

Optionally you can configure route exchange if you are trying to connect to ExpressRoute gateway or a VPN gateway.

Let's look at these steps in detail.

Set up the peering

Navigate to the Route server by click on this link: Azure Route Server.

Click on the "Peers" and then on the right side click on the "+ Add" button to add the peering. A pop-up window will open on the side to "Add Peer". In here enter the values for the NVA. Specifically, enter a name you want to give to this peering. And enter the ASN or Autonomous Systems Number for your NVA. Also, enter the IP address of the NVA the Route Server will communicate with to establish BGP.

Note: The virtual network where you deployed the Route Server should have connectivity to the IPv4 IP address of the NVA.

Establish BGP session from the NVA

The connection with the NVA will not be established until you finish the configurations on the NVA. These configurations will vary depending on the type of NVA (e.g. Check Point, Palo Alto, to name a few). To complete the connection you will need to provide the NVA team with 2 pieces of information regarding the Route Server. These are:

Peer IPs for the Route Server

ASN number of the Route Server

You can get this information from the Overview page of the Route Server as shown below.

Configure route exchange - for ExpressRoute gateway or a VPN gateway

If you have an ExpressRoute gateway or VPN gateway or both and you want them to exchange routes with the Route Server, you can enable route exchange. It is simply a toggle setting in the Route server. You can access this from the Configurations section under the settings. Select "Enabled" for the "Branch-to-branch" setting and click on the Save button to save the settings.

You can find all the Route Server related official documentation here: Azure Route Server documentation

Creating the Azure Route Server

Mon, 15 Mar 2021 00:00:00 +0500

In the previous blog post we looked at what an Azure Route Server is and what are its benefits. You can view the previous post here: Understanding the Azure Route Server

In this blog post, we will be setting up an Azure Route Server via the Azure Portal.

Pre-requisite

If you are setting up Azure Route Server for your Network Virtual Appliance or NVA, the two key pre-requisites are:

For you to be able to set up an Azure Route Server, you need to have an empty subnet in your virtual network with the name "RouteServerSubnet". This subnet should have an address space with a prefix of at least "/27" or higher.

The NVA should allow the BGP protocol to leverage the benefits of having the Azure Route Server.

Finding the Route Server section

To find the section for Route Server navigate to this direct link: Azure Route Server

To create a new Route Server, simply click on the "+ Create new route server" button.

Configurations

In the Basics section, provide the values for Subscription, Resource Group, Instance name of the route server, and Region for the deployment. Next you will need to select the Virtual network in the same region where you want to deploy the route server. The wizard will automatically select the subnet with the name "RouteServerSubnet". As noted earlier, this subnet should have at least a "/27" prefix for the address space.

Next, provide any Tags, and then click on "Review + create" and finally click on the "Create" button to create the route server.

Behind the scene it creates two resources of following types:

Microsoft.Network/virtualHubs

Microsoft.Network/virtualHubs/ipConfigurations

If you check the Resource Group that you used for deployment, it will look empty. But when you click on the check box for "Show hidden types" you will be able to view the Virtual Hub that was deployed for the Route Server.

In the next post, we will look at configuring the Route Server. You can view the post here: Configuring the Azure Route Server

Understanding the Azure Route Server

Thu, 11 Mar 2021 00:00:00 +0500

Azure Route Server is a new offering from Microsoft that simplifies the routing in your infrastructure, especially if you have a Network Virtual Appliance or NVA. It eliminates the need to manually configure or maintain route tables. It is a fully managed service and is configured with high availability.

This service works with:

Network Virtual Appliance or NVA

ExpressRoute

Azure VPN Gateway

You can enable or disable the route exchange on the Azure Route Server with a simple command. Also, you don't need to manually configure or maintain route tables.

With NVAs, it allows you to exchange routing information directly through Border Gateway Protocol (BGP) routing protocol between any NVA that supports the BGP routing protocol and the Azure Virtual Network.

Pre-requisite

For you to be able to set up an Azure Route Server, you need to have an empty subnet in your virtual network with the name "RouteServerSubnet". This subnet should have an address space with a prefix of at least "/27" or higher.

The NVA should allow the BGP protocol to leverage the benefits of having the Azure Route Server.

Benefits

Azure Route Server simplifies the configuration, management, and deployment of your NVA in your virtual network.

You no longer need to manually update the routing table on your NVA whenever your virtual network addresses are updated.

You no longer need to update User-Defined Routes manually whenever your NVA announces new routes or withdraw old ones.

You can peer multiple instances of your NVA with Azure Route Server.

The interface between NVA and Azure Route Server is based on a common standard protocol i.e. BGP.

You can deploy Azure Route Server in any of your new or existing virtual networks.

In the next blog post, we will create an Azure Route Server in the Azure portal. You can view that post here: Creating the Azure Route Server

Azure Backup - Managing the backup-related alerts via the Azure Monitor

Fri, 05 Mar 2021 00:00:00 +0500

You can now manage backup-related alerts via the standard Azure Monitor experience for alert management. This integration ensures that you can leverage the alert management experience within the "Azure Monitor" as a single pane of glass for managing all alerts in your environment.

This also means that you can leverage Action Groups to send notifications to email, SMS, Azure app push notifications, and voice calls. You can also leverage Action Groups to take actions when an alert is triggered.

All you need to do is navigate to the Alerts section in the Monitor and you will be able to monitor and manage the alerts directly from this pane.

Currently, this feature is supported for the following workloads: Azure Databases for PostgreSQL server, Azure Blobs, and Azure Managed Disks. Support for other workloads will be added in the near future. Alerts are currently generated for security-related scenarios and job failure scenarios, with more enhancements planned in the short term.

You can read more about this feature here: Azure Monitor alerts for Azure Backup

Auditing of Microsoft operations in an Azure SQL Database

Thu, 04 Mar 2021 00:00:00 +0500

Microsoft has added the capability to audit the actions of Microsoft support engineers when helping you to troubleshoot issues related to your Azure SQL Databases. This option is easy to configure and is available with the auditing capabilities of the Azure SQL Database from the Server level auditing.

To configure this, navigate to the Azure SQL Database and click on the "Auditing" option under the security settings. In the right pane, select the "View server settings".

In the server level auditing settings, toggle the setting for "Enable Auditing of Microsoft support operations" to audit all the activities done by the Microsoft support. You can select the target of the audit logs as either one or many selections from the below:

Storage

Log Analytics

Event Hub

This strengthens the security posture even further for your SQL Databases.

Microsoft retiring many older services by 29 February 2024

Thu, 25 Feb 2021 00:00:00 +0500

Microsoft has recently announced that they are retiring a lot of older services. They have provided a generous deadline of "29th February, 2024" for many services to move to the newer version of these services. On that day the older services will be deleted by Microsoft.

I have created a list of the prominent ones that Microsoft has announced will retire on 29th Feb, 2024 are:

Update your scripts to use Az PowerShell modules

Switch to Azure Data Lake Storage Gen2

Classic Application Insights

AKS legacy Azure AD integration

Jenkins plug-ins for Azure

Network Performance Monitor

Azure Network Watcher Connection Monitor (classic)

Azure Batch ‘CloudServiceConfiguration’ pools

Azure Application Gateway analytics

Switch Azure Media Services REST API and SDKs to v3

Classic Azure Migrate

Update the Azure Cosmos DB Java SDK

Azure Stack Edge Pro FPGA

Azure Batch rendering VM images & licensing

The standard version of Custom Voice

Azure Cognitive Services Text Analytics v2.x

Upgrade your Azure AD Connect sync to a newer version

Azure Batch Transcription and Customization Rest API v2

There are few other services that Microsoft has announced will retire a bit earlier.

At least the first one in the above list can be easily taken care of. You can automatically migrate your scripts at least to the newer Az PowerShell modules by leveraging the migration tool and steps from here: Automatically migrate PowerShell scripts from AzureRM to the Az PowerShell module.

Azure Backup - Cross Region Restore (CRR) for Azure Virtual Machines is now generally available

Sat, 20 Feb 2021 00:00:00 +0500

We discussed the Cross Region Restore (CRR) for Azure Virtual Machines in Azure Backup in an earlier post. You can view that post here: Cross Region Restore (CRR) for Azure Virtual Machines using Azure Backup

Now, this feature for Virtual Machines is generally available.

Note that:

Azure zonal pinned VMs that are backed up with RS vault enabled with this feature will now be provided with options to restore in any zone of customer choice.

Azure Backup supports all managed and unmanaged VMs for Cross Region Restore. Classic VMs remains to be unsupported.

Microsoft is starting with the replication RPO of up to 12 hours in the secondary region even though the storage SLA of geo-replication is 15 mins.

The pricing is unchanged and stays the same. This is really good of Microsoft to not increase the pricing of the feature.

While Microsoft has moved the preview of CRR for Azure VMs to GA, CRR for SQL/SAP HANA databases running in Azure VMs will continue to be in preview.

Enabling soft delete for blobs in an Azure Storage Account

Mon, 15 Feb 2021 00:00:00 +0500

Data protection is a key feature that should always factor into the security posture of your organization. Imagine if someone gets access to your Storage Account and deletes the contents of a Storage Account. Or if an employee accidentally deletes the contents of a container inside the Storage account.

Microsoft has added the support for soft delete. You can enable this while creating the storage account under the "Data protection". You have 4 key options that you can enable. These options are:

Turn on point-in-time restore for container

Turn on soft delete for blobs

Turn on soft delete for containers

Turn on soft delete for file shares

These options are shown below.

Accessing the Soft Delete capabilities for a blob

If you have enabled the soft delete for blobs, then you will view a toggle to "Show deleted blobs". Any deleted blobs which was deleted within the configured number of days during the creation of the storage account will show up with the status as "Deleted".

You can then either right-click or click on the three dots at the end of the line for the blob with Status as "Deleted". You will see the option for "View previous versions". Click on this option to see any deleted versions of this blob.

From the deleted versions of the blob, you can select any of the version and then you can either download that blob (by clicking on the Download version button) or restore it (by clicking on the Make current version button).

Alternatively, you can click on the deleted blob's name and a pane will open up. In this pane, you can click on the "Undelete" button. If you have multiple versions then to undelete you will have to select the version first.

After restoring the blob, it will show up with the status as Active.

Note:

The soft delete feature retains the data for only a fixed number of days. You define this number based on your recovery strategy during the creation of the storage account.

If you delete the Storage Account then you can't restore the blobs.

You can read more about this feature in the official documentation here: Soft delete for blobs

Setting up the Routing Preferences in Azure

Wed, 10 Feb 2021 00:00:00 +0500

Routing preferences determine how your traffic routes between Azure and the Internet. There are two options to select when it comes to routing:

Microsoft Network

Internet

Selecting Microsoft global network delivers traffic via Microsoft global network closest to the user. Internet route option uses transit ISP network. Egress data transfer price varies based on the routing selection. The Microsoft global network has lower latency and is very fast. It is also very secure and is the default choice. You should select this option for any enterprise customers. Internet option on the other hand provides a cost-optimized alternative.

How to set Routing Preferences for a VM

You can set the Route Preferences for a VM via its public IP address. The public IP address can be associated with resources such as virtual machines, virtual machine scale sets, internet-facing load balancers, etc.

While creating the public IP address, you can provide the preference as shown below.

How to set Routing Preferences for a Storage Account

You can also set the routing preference for Azure storage resources such as blobs, files, web, and Azure DataLake. This is done when creating the Azure Storage Account. The setting is under the Networking part of the creation wizard as shown below.

Note:

The routing preference option of a Public IP can’t be changed once created.

By default, traffic is routed via the Microsoft global network for all Azure services.

You can read more about Routing preferences here: Routing Preference - Microsoft documentation

Azure Backup - Configuring Azure Backup for Azure File Shares

Tue, 02 Feb 2021 00:00:00 +0500

Azure Recovery Services Vaults can backup File shares within the Azure Storage Accounts. This provides an additional layer of security from any accidental deletion of the File share contents or any corruption of the data on the files in the file share.

Note: This blog post assumes that you already have a recovery service vault. If you don't you can create one easily by navigating to the Recovery service vault section in the Azure portal.

Step by step backup configurations

To backup the file share, navigate to the backup vault and go to the "Protected items" and click on the "Backup items". On the right-hand side, click on the "Azure Storage (Azure Files)".

From the Backup items pane, you can select the "+ Add" button to add new backup items to the vault.

In the Backup Goal, select the "Azure File Share" for the question "What do you want to backup?". Click on the Backup button to start the configurations.

The next step is to select the Storage Account on which the File share exists. Once the storage account is selected, you can select the File share by clicking on the "Add" button, selecting the file share, and then clicking Ok in the popup.

The next step is to configure the backup policy. By default, a policy is created for you. It is highly recommended to customize this policy as per your business requirements. At a bare minimum, you should provide a unique and descriptive name for this policy. Remember that this policy can be reused multiple times for other File share backups as well.

Also, provide a backup schedule and the retention of daily backup points. Optionally, you can configure weekly, monthly, and yearly backup retention values.

Once the backup policy is created, click on the "Enable backup" button to submit the deployment to configure the backup.

Note that when you configure the backup it creates a lock on the Storage Account. You should not delete this lock otherwise the backup will not work as desired.

Connectivity Requirements for RDP Licensing Server Connectivity and Firewall Rules

Thu, 28 Jan 2021 00:00:00 +0500

If you deploy an RDP License on a VM in Azure, then that VM needs to be able to talk to the RDP Licensing Server. The RDP License allows multiple users to log into the VM at the same time. By default, only 2 users can log into the VM concurrently. RDP License lets you increase that number based on the license. This is a typical use case for a Jump box VM deployment in Microsoft Azure.

For the RDP license to work, it needs to validate with the RDP Licensing Server. For this, the Firewall needs to allow communication. To be able to allow this communication, you need to know the following:

The IP address of the VM where the RDP license is configured

The IP address of the RDP Licensing Server

The port numbers and the protocol on which to allow the communication

The port numbers on which the communication occurs are as below:

TCP on port number 135. This is the main port where communication occurs.

TCP on 49152–65535 i.e. RPC dynamic address range. A dynamic port is assigned from this range for validation-related communication.

Using this information ensure that the Firewall in your environment is configured appropriately to allow communication.

Azure Backup - Troubleshooting the backup issues for SQL Server on Azure VM or SAP HANA on Azure VM (Database).

Wed, 20 Jan 2021 00:00:00 +0500

When you have SQL databases on Azure VMs that are syncing with Azure Backup, you may run into various issues. These could be due to configurations or missing dependencies. In this blog post, we will take a look at a few of the common issues that I had faced and possible solutions to these issues.

1. First thing you should do for SAP HANA on Azure VM (Database).

Before you go down the path of troubleshooting, make sure that you have re-run the pre-registration script. You will either resolve the issues or will get more understanding of why the issues are coming. You can download the script form this link: Pre-registration Script

Note that you may need to re-discover the databases after running the script again. If you look in the official troubleshooting guide you will notice that most of the issues are resolved by this one thing i.e. re-running the pre-registration script.

2. Unhealthy status

Possible cause # 1:

The unhealthy status could simply mean that you have just configured the backup on a database and there is no backup for the database present in the Azure recovery services vault. In this scenario, you can either wait for the backup schedule to trigger and take the initial backup. Or you can trigger a manual backup.

Possible cause # 2:

Another reason could be that the Backup service is not able to take the backups of the SQL databases on the Azure VM. You should navigate to the Monitoring section in the recovery services vault and click on the Backup jobs. Filter the jobs by the name of the database or the Azure VM name. Look for any failed jobs and check the error details. These failed jobs will also contain the details about the reason why the job failed.

In one instance, my jobs were failing because the disk drive for Log was completely full. The resolution was to shut down the VM, expand the disk space via the Azure portal and then start the VM. Then expand the disk from the disk manager from within the VM. We manually triggered the full backup and it was successful. This in turn changed the status from Unhealthy to Healthy.

3. Unreachable or Not reachable status

The most common cause for this issue is that the Azure Backup service is not able to reach the VM. Chances are that the backup-related communication is being blocked somewhere in the network. The backup agent indicates to the VM that it should send the backup to Azure. The communication happens mostly Outbound from the VM to the below services in Azure:

Azure Backup

Azure Storage

Azure Active Directory

If any of the services is not allowed then the status changes to Unreachable.

You may have two or both scenarios in your environment:

Your VM has an NSG linked to the VM's network interface card or an NSG linked to the subnet in which the VM exists.

Your VM is in an environment where all communication is gated via a Network Virtual Appliance (NVA) or Firewall.

If you have NSGs then skip to the last section to see how to configure the NSGs for the backup service to work. If you have Firewall then continue here on how to troubleshoot.

You should look for outbound communication from the VM to these services in the Firewall if you have any. You will need to validate against the public IP addresses for these public services. But how will you find the IP addresses for these. We will look at that next.

4. How to find the IP addresses for Azure services

Microsoft publishes the public IP addresses for all of its services in a JSON file. This is categorized by Service tags. These service tags correspond to each of the Azure services.

You can download this JSON file by navigating to this link: Azure IP Ranges and Service Tags – Public Cloud

After downloading this JSON, search for "Storage", "Active Directory" and "Backup" services to find the section which defines a list of public IP addresses for that service. Note that there will be multiple IP address ranges for each service. Look for the region-specific ranges where you have deployed the VM and the backup vault.

If you find an IP address from the list being blocked for any of the 3 services mentioned above, then you should follow the next section and work with your Firewall team to open these required rules.

5. Configuration of the Firewall to allow Azure backup

Note this only applies to the backup of SQL Server on Azure VM or SAP HANA on Azure VM (Database). Allow access to the following services in the Firewall for the network infrastructure where the Azure VM exists.

Allow access to service FQDNs

Service Domain names to be accessed

Azure Backup *.backup.windowsazure.com

Azure Storage *.blob.core.windows.net

*.queue.core.windows.net

Azure AD Allow access to FQDNs under sections 56 and 59 according to this article

6. NSG configurations to allow Azure backup

Note this only applies to the backup of SQL Server on Azure VM or SAP HANA on Azure VM (Database).

Go to the NSG i.e. Network Security Group of the Azure VM which is either linked via subnet or via the network interface of the VM. Navigate to the Outbound rules and add three rules to allow communication to the below destination Service Tags on all ports:

Storage

Azure Backup

Azure Active Directory

The rules will look like below:

7. Permissions issue or UserErrorSQLNoSysadminMembership

If you are getting the error for "UserErrorSQLNoSysadminMembership" then that means the permissions for SQL Server on Azure VM have not been set appropriately. This usually happens if you built the SQL server on the Azure VM yourself. That is you didn't use any marketplace image for SQL on Azure VM.

You need to set the permissions as defined here: Set VM permissions.

More Information

If you are still facing issues, do refer the below links for official documentation:

Back up SAP HANA databases in an Azure VM

Back up a SQL Server database in an Azure VM

Troubleshoot SQL Server database backup by using Azure Backup

Troubleshoot backup of SAP HANA databases on Azure

Azure Backup - Understanding the backup policy for SAP HANA in Azure VM (Database)

Mon, 14 Dec 2020 00:00:00 +0500

Azure Backup can be leveraged to discover and backup the SAP HANA database deployed in the Azure VMs. The backup behavior is governed by the "Backup Policies". There are different policies specific to different kinds of workloads. In this post, we are looking at the backup policy for the backup of the SAP HANA in Azure VM (Database).

Policy Creation

Navigate to the recovery services key vault and then under the Manage, click on the Backup Policies. To create a new policy click on the "+ Add" button.

For the policy type, select "SAP HANA in Azure VM (Database)". This will open the blade to Create the policy for SAP HANA databases which are deployed in the Azure VMs.

In the blade to create the policy, you need to provide the below information:

Policy name - provide a descriptive name

Full Backup - this is the schedule and retention of the full backup of the databases

Differential Backup - this controls the differential backup of the databases

Incremental Backup - this controls the incremental backup of the databases

Log Backup - this defines the log backup for the databases

For the full backup in the policy, if you enable it then at minimum you need to define:

Frequency - daily or weekly

Time and Time zone - when the backup will occur

Retention for the daily backup. It can be a minimum of 7 days and up to a maximum of 9999 days.

Optionally you can also configure the monthly, weekly, and yearly backup retention policies.

The log backup policy determines the behavior of the log backups. At minimum you need to define:

The frequency of the log backups - it can range from a minimum of 15 minutes to a maximum of once every 24 hours

Retention of the log backups - it can range from a minimum of 7 days to a maximum of 14 days

Practical Backup Considerations

Below are some general backup considerations based on my experience in different projects. These are only generic considerations and should be evaluated against your organization's compliance standards and specific requirements.

The time for backup should be when the systems are not being used by any of the teams. If you work in global teams i.e. working around the clock, then ensure the timing when the system is under the least load.

Use smaller retention windows in the non-production environments than the production environments

If the data is not critical then usually Full backup is taken Daily and retained for around 14 days in non-prod environments. Weekly, Monthly, and Yearly retention periods are not required.

In the prod environment, the Full backup is still taken Daily but the retention period is increased to more than 30 days. Max you can select is 9999 days. Also, based on your SLAs and compliance standards you should enable the weekly, monthly, and yearly backup retention periods as well.

Differential backup can be skipped in the non-production environments based on the criticality of the data in the lower environments

Log backup can be reduced to once every 2 or 4 hours with a retention period of around 7 days in the non-prod environments.

In the prod environments the Log backup can be set to 1 hour or less. The retention should be around 14 days based on the SLAs. Note that 14 days is the max you can go.

Azure Backup - Understanding the backup policy for SQL Server in Azure VM

Fri, 11 Dec 2020 00:00:00 +0500

Azure Backup can be leveraged to discover and backup the SQL Server deployed in the Azure VMs. The backup behavior is governed by the "Backup Policies". There are different policies specific to different kinds of workloads. In this post, we are looking at the backup policy for the backup of the SQL Server in Azure VM.

Policy Creation

Navigate to the recovery services key vault and then under the Manage, click on the Backup Policies. To create a new policy click on the "+ Add" button.

For the policy type, select "SQL Server in Azure VM". This will open the blade to Create the policy for "SQL Server in Azure VM".

In the blade to create the policy, you need to provide the below information:

Policy name - provide a descriptive name

Full Backup - this is the schedule and retention of the full backup of the databases on the SQL Server in Azure VM.

Differential Backup - this controls the differential backup of the databases on the SQL Server in Azure VM

Log Backup - this defines the log backup for the databases

SQL Backup Compression - you can enable or disable the backup compression. The default value is disabled.

For the full backup in the policy, if you enable it then at minimum you need to define:

Frequency - daily or weekly

Time and Time zone - when the backup will occur

Retention for the daily backup

Optionally you can also configure the monthly, weekly, and yearly backup retention policies.

The log backup policy determines the behavior of the log backups. At minimum you need to define:

The frequency of the log backups - it can range from a minimum of 15 minutes to a maximum of once every 24 hours

Retention of the log backups - it can range from minimum of 7 days to a maximum of 35 days

Practical Backup Considerations

Below are some general backup considerations based on my experience in different projects. These are only generic considerations and should be evaluated against your organization's compliance standards and specific requirements.

The time for backup should be when the systems are not being used by any of the teams. If you work in global teams i.e. working around the clock, then ensure the timing when the system is under the least load.

Use smaller retention windows in the non-production environments than the production environments

If the data is not critical then usually Full backup is taken Daily and retained for around 14 days in non-prod environments. Weekly, Monthly, and Yearly retention periods are not required.

In the prod environment, the Full backup is still taken Daily but the retention period is increased to more than 30 days. Max you can select is 9999 days. Also, based on your SLAs and compliance standards you should enable the weekly, monthly, and yearly backup retention periods as well.

Differential backup can be skipped in the non-production environments based on the criticality of the data in the lower environments

Log backup can be reduced to once every 2 or 4 hours with a retention period of 7-14 days in the non-prod environments.

In the prod environments the Log backup can be set to 1 hour or less. The retention should be 14-35 days based on the SLAs. Note that 35 is the max you can go.

Azure SQL - Sync to other databases - 4 - Configure sync group

Thu, 03 Dec 2020 00:00:00 +0500

In our last post, we discussed how to add sync members. After the new sync group members are created and deployed, Configure sync group is highlighted in the New sync group page.

To begin navigate to the Azure SQL database and click on the "Sync to other databases" section. Click on the Tables section as highlighted below.

Click on the ellipse in the tables section. It will open up the blade and select the database to which we want to sync and refresh the schema.

As shown below, select the database and select the tables to sync along with columns selection, and click save.

To trigger the sync process navigate to the Database sync group page and click on sync as shown below. This will ensure that the databases are synced as per the direction you have specified.

To stop the syncing process, click on the Stop button as shown below.

After a successful syncing, you will be able to see the synced tables and related schema in the db_test01 database from the db_test02 database.

To read more about the sync groups, check the official documentation here: Set up SQL Data Sync between databases in Azure SQL Database and SQL Server

Azure SQL - Sync to other databases - 3 - Add sync members

Wed, 25 Nov 2020 00:00:00 +0500

In the previous post, we saw how to create the sync group for the Azure SQL Database. If you haven’t gone through the post on how to create a sync group then please check that post first. In this post, we will learn how to add the sync members for the already created sync group.

To begin, navigate to the existing sync group and click on it to open the new blade as shown below.

Click on the Databases section to add the databases as members of the sync group.

Next, click on “Add an Azure Database”. Provide the following details about the target database to add it as a member for syncing.

Once you click Ok, you will see the databases added under the "Member Database" section as shown below.

You can add more azure SQL databases by clicking on the “Add an Azure Database”. If you want to add the on-premises SQL database into the member database then go with the “Add an On-Premises Database” option.

Azure SQL - Sync to other databases - 2 - Create sync group

Tue, 17 Nov 2020 00:00:00 +0500

In the previous blog, you read about what is Sync to other databases features of the Azure SQL databases. In this blog, we will learn how to create the sync group.

To start navigate to the Azure SQL database on which you want to create the sync group. In this click on the "Sync to other databases" option. Click on the “New Sync Group” as shown below. It will open the “Create Data Sync Group” blade.

This will open the new blade for "Create Data Sync Group".

Following are the details you need to provide while creating the sync group:-

Provide the meaningful name to the sync group name.

Sync Metadata Database – Microsoft recommends creating a New database for this property. But for the sake of the demo, I am using the existing database.

Automatic Sync – If you select On, then enter a number and select Seconds, Minutes, Hours, or Days in the Sync Frequency section. The first sync begins after the selected interval period elapses from the time the configuration is saved.

Conflict Resolution – It has two options: Hub win and Member win. Hub win means when conflicts occur, data in the hub database overwrite conflicting data in the member database. Member win means when conflicts occur, data in the member database overwrite conflicting data in the hub database.

Private Link – This option is in preview mode as of now and will be managed by Microsoft. Once you click on Ok, It will create the Sync group as shown below.

You can add more azure SQL databases by clicking on the “Add an Azure Database”. If you want to add the on-premises SQL database into the member database then go with the “Add an On-Premises Database” option.

That's all there is to it. In the next posts, we will delve deeper into sync group and related options.

Azure SQL - Sync to other databases - 1 - Overview

Thu, 12 Nov 2020 00:00:00 +0500

“Sync to other databases” is a feature of the Azure SQL Databases. Azure SQL Data Sync is a service that is used to replicate the tables in the Azure SQL database to another Azure SQL database or on-premises databases. Data can be replicated one way or bidirectional. The important note is that Azure Managed Instance doesn’t support the Sync Data feature as of now.

The concept is around Hub and members databases. All the databases in the member group can sync up with the Hub. The member databases can be on-premises databases or on cloud databases.

Where to access this feature

Navigate to the SQL databases and click on the “Sync to other databases” in the settings as shown below.

In the upcoming posts, we will look into this feature in detail.

Azure Backup - Backup Center in Microsoft Azure

Sat, 10 Oct 2020 00:00:00 +0500

The Backup Center provides a single pane of glass into the whole backup posture of the Azure environment. It provides a single unified management experience in Azure for enterprises to govern, monitor, operate, and analyze backups at scale.

With the Backup Center you can manage:

Backup instances - all instances across different vaults

Backup policies - all policies across different vaults

Vaults - all Recovery Services Vaults

You can also monitor:

All backup jobs and filter for Failed jobs

Fetch backup reports

You can also control the policy compliance for Backup directly from the backup center.

The backup center is currently supported for Azure VM backup, SQL in Azure VM backup, SAP HANA in Azure VM backup, Azure Files backup, Azure Blobs backup, Azure Managed Disks backup, and Azure Database for PostgreSQL Server backup.

You can learn more about the Backup Center here: Overview of Backup center

Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 5 Assign the encryption key to the Recovery Services vault

Sun, 05 Jul 2020 00:00:00 +0500

In this post, we will assign the key from a Key Vault to a Recovery Services vault. This is to use the custom key with the key vault.

First, make sure that you have a key in the key vault. Also, the key should be at least RSA 2048. The key should be in the Enabled state in the key vault. If you don't have one then you can generate one using the key vault. In a practical scenario, you should use your own custom keys.

You can generate a custom key in the Key Vault by navigating to the "Keys" under settings. Next, click on the "+ Generate/Import" button. In the next blade to "Create a key" you can provide the values similar to below to generate a key. Click Create button to create a key.

Now that you have a key in the Key vault, we can use this to encrypt the backup vault (i.e. the recovery services vault). Navigate to the recovery services vault and click on Properties. Here, click on the "Update" link under the Encryption Settings.

To use your own key, select the check box for "Use your own key". You can then either provide a URI for the key or select a key from a key vault. In this post, we will select the second option. Next, click on the "Select key from Key Vault" link to open a new blade.

In the new blade for "Select key from Azure Key Vault", select the subscription, Key vault, and the Key that you want to use to encrypt. Click on the Select button and then the Save button to save the settings.

When you click Save the setting is not final. It submits a job that you can monitor in the Backup Jobs section under Monitoring in the recovery services vault. Once this job completes successfully, as shown below, only then the configurations are complete.

Note that once you have enabled this setting you can't revert back to using the platform managed keys. The check box for "Use your own key" in the Encryption settings becomes disabled. You can however update the custom key being used to encrypt everything.

Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 4 Enable Soft Delete and purge protection on the Azure Key Vault

Wed, 01 Jul 2020 00:00:00 +0500

Soft delete and purge protection provide key vault recovery features. These two features work together and differ only slightly.

Soft Delete - This is to prevent any accidental deletion of the key vault and its related objects like Keys, Secrets, and Certificates, etc. You can recover any deleted items up to a period that you define as a retention period (in a number of days). You can still purge the deleted resources and therefore permanently delete the resources.

Purge Protection - If you have purge protection, then the soft-deleted items can not be purged till a particular time (specified by the retention period for the Soft Delete). This along with the Soft delete setting ensures that the key vault-related resources that are deleted can not be purged before the time period is expired.

Note that both Soft Delete and Purge protection settings are required to use the key vault with the recovery services vault to provide your custom key for encryption.

These settings are in the Properties section of the Key Vault. When you enable the Soft delete option, you also provide the retention period in days for the deleted vaults.

You can set up the Soft delete and purge protection during the creation of the key vault as well.

When the key vault is deleted, which has the soft delete enabled, then:

You can not create any other vault with the same name as the deleted vault

You may list all of the key vaults and key vault objects in the soft-deleted state for your subscription as well as access deletion and recovery information about them. Users should be granted appropriate permissions to be able to list the keys of the deleted vaults.

Only a specifically privileged user may restore a key vault or key vault object by issuing a recover command on the corresponding proxy resource.

Only a specifically privileged user may forcibly delete a key vault or key vault object by issuing a delete command on the corresponding proxy resource.

Note:

Unless a key vault or key vault object is recovered, at the end of the retention interval the service performs a purge of the soft-deleted key vault or key vault object and its content. Resource deletion may not be rescheduled.

Once soft delete has been enabled, it cannot be disabled.

Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 3 Assign permissions to the vault to access the encryption key in the Azure Key Vault

Mon, 29 Jun 2020 00:00:00 +0500

In the previous blog, we created a managed identity. Now that identity needs to have permissions to the Key Vault. This will be used by the Azure Backup service to access the keys in the target Key Vault.

Navigate to your Azure Key Vault that you want to use with the Backup vault. Click on the Access policies under Settings. Click on the "+ Add Access Policy" link.

In the new blade to "Add access policy" select the "Key permissions" by clicking on the drop down and selecting the below permissions:

Get and List under the Key Management Operations

Under the Cryptographic Operations select Unwrap Key and Wrap Key

Next, under the Select principal, click on the "None selected" link to bring up the blade to "Select a principal". Here provide the Object ID of the managed identity of the recovery services vault. This was created in the previous step. Once you enter the Id, the name of the Vault along with the id will appear. Click on the name and it will be added to the "Selected items". Click on the Select button at the bottom of the blade. Then click on the Add button to add the access policy.

Note that the policy has not been added yet. To finally add the policy ensure to click on the Save button as shown below. This is a common mistake that I have seen people making and I am guilty of this myself as well. If you navigate away from this screen the policy will not be saved.

Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 2 Enable managed identity for your Recovery Services vault

Thu, 25 Jun 2020 00:00:00 +0500

Azure Backup uses system assigned managed identity to authenticate the Recovery Services vault to access encryption keys stored in the Azure Key Vault. We will be using this identity later to provide permissions inside the Key Vault.

To enable the managed identity for the Recovery Services vault, navigate to the vault and select "Identity" under Settings. Toggle the Status to On. Click the save button to save the settings.

You will get a warning explaining that you are setting up the managed identity for the vault and that the vault will be accessible via Active Directory managed identity. Hit Ok to proceed. Once the settings are saved, you will see an Object Id. Take a note of this Id. You will also see a button for "Azure role assignments" where you can manage the permissions for this managed identity.

Note:

A system assigned managed identity is restricted to one per resource.

It is tied to the lifecycle of this resource. This means that when the resource is deleted its managed identity will also be deleted.

You can assign permissions to this identity in RBAC similar to how you assign permissions to individual users

The managed identity is authenticated with Azure AD, so you don’t have to store any credentials in code.

Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 1 Overview

Sun, 21 Jun 2020 00:00:00 +0500

You can bring your own keys (BYOK) to encrypt the data in the Azure Recovery Services vaults. These keys will be used to encrypt all the data stored for backup for all items. By default, the system uses "platform-managed keys". The custom keys that you provide are referred to as "customer-managed keys".

This provides you with more granular control over the encryption process. This also ensures that only you as a customer control the data encryption and decryption. It is highly recommended for any sensitive data that you are protecting in the cloud.

Please note that:

You should configure the keys before protecting any items in the vault

Once you have configured the keys these can not be changed afterward.

The Recovery Services vault can be encrypted only with keys stored in an Azure Key Vault, located in the same region.

Also, keys must be RSA 2048 keys only and should be in the enabled state.

To configure your vault to encrypt with customer-managed keys, the below steps must be followed. These steps should be followed in this order only:

Enable managed identity for your Recovery Services vault

Assign permissions to the vault to access the encryption key in the Azure Key Vault

Enable soft-delete and purge protection on the Azure Key Vault

Assign the encryption key to the Recovery Services vault

We will look at these steps in detail in the following posts.

Azure Backup - Soft Delete for Recovery Services Vault

Sun, 14 Jun 2020 00:00:00 +0500

Soft Delete provides an additional layer of security for the data in the recovery services vault. This is like a recycle bin for the data in the vault. It prevents any accidental deletions of the protected items. If this option is enabled then when you delete any protected item, the data for that is retained for 14 days.

Configurations

To configure Soft Delete for a recovery services vault, navigate to its Properties. In here, click on the "Update" link under the Security Settings. This will open a pop-up blade where you can enable or disable the soft delete option.

Note:

This option is enabled by default for new Recovery Services vaults. This section gives you the option to disable the setting if you require it.

The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you.

Soft delete protection is available for these services:

Soft delete for Azure virtual machines

Soft delete for SQL Database in Azure VM

Soft delete for SAP HANA in Azure VM workloads

Soft Delete Behavior

Once you have the soft delete enabled, go ahead and delete a VM from the Backup items under the protected items (non-critical and demo only). After you have deleted the VM, you will see that it is marked as Deleted, as shown below. The VM will continue to appear in the protected items list for the next 14 days. Click on the VM item for more options.

In the next blade, you can see that there is an option for "Undelete" to recover the data for the VM's backups. There is also a message that says that when the protected item was deleted and for how long can you recover the data. After this period the data will be permanently deleted.

You can learn more in the official documentation here: Soft delete for Azure Backup

Azure Backup - Cross Region Restore (CRR) for Azure Virtual Machines using Azure Backup

Thu, 04 Jun 2020 00:00:00 +0500

In the last post, we looked at the redundancy options for a Recovery Services Vault. You can view that post here: Set Storage Redundancy for Recovery Services Vault

In this post, we will look at how to take control of the replicated data.

By default, the data that is replicated to the secondary region is available to restore in the secondary region only if Azure declares a disaster in the primary region. But now you can also control the cross-region restore (CRR) yourself. You can trigger a cross-region restore regardless of whether the primary region is available or not. Azure Backup now supports restoring Azure Virtual Machines as well as disks from a secondary region.

Behind the scene, Azure Backup leverages storage accounts’ read-access geo-redundant storage (RA-GRS) capability to support restores from a secondary region. If you enable cross-region-restore, Microsoft upgrades your backup storage from GRS to read-access geo-redundant storage (RA-GRS). Charges for storage are separate from the cost of Azure Backup.

Note that due to delays in storage replication from primary to secondary, there will be latency in the backed-up data being available for a restore in the secondary region.

Cross-Region Restore (CRR) supports the following data sources:

Azure VMs

SQL databases on Azure VMs

SAP HANA databases on Azure VMs

Configurations

To update the Cross-Region Restore (CRR) settings:

Navigate to the recovery services vault and click on the Properties under Settings

Then click on the "Update" link under the Backup Configuration

In the Backup Configurations blade, make sure that the setting for redundancy is set to "Geo-Redundant". Then select "Enable" for the "Cross Region Restore" setting.

Finally, click on the Save button to save the settings.

Note: Cross Region Restore is currently non-reversible storage property. This means that you won't be able to disable the property after enabling it.

Once you have the option enabled, when you will navigate to the Protected Items -> Backup Items -> Azure Virtual Machine -> select a VM that is protected and has a valid backup. You will view a new option to "Restore to Secondary Region".

To be able to use this option, you don't just need there to be a valid backup but also need that backup to be replicated to the secondary region. If your primary region is "East US" then you need to have at least one copy in the "West US" region. Also, note that you will only be able to restore to a secondary region that is a paired region of the region where you have deployed the resources.

You can find which is the secondary paired region based on the region where you have deployed the resources by referring the table in this link: Business continuity and disaster recovery (BCDR): Azure Paired Regions

Azure Backup - Set Storage Redundancy for Recovery Services Vault

Tue, 02 Jun 2020 00:00:00 +0500

When you create a Recovery Services Vault in Azure, the default for the Storage Redundancy now is "Geo-redundant". Earlier this was not a customizable setting and was default to Locally-redundant. As a Business Continuity and Disaster Recovery (BCDR) strategy it makes sense to have Backup as Geo-redundant. This will ensure that the backup will be replicated to a secondary paired region. In the event of disaster level event if the primary region goes down then you will have access to the data in the secondary region.

You can find which is the secondary paired region based on the region where you have deployed the resources by referring the table in this link: Business continuity and disaster recovery (BCDR): Azure Paired Regions

Where to update configurations

To update the redundancy settings:

Navigate to the recovery services vault and click on the Properties under Settings

Then click on the "Update" link under the Backup Configuration

In the Backup Configurations blade, the setting for redundancy is the first one and is available under the "Storage replication type"

Note: This setting can not be changed if you have any item being protected in the vault. You will only be able to modify if you don't have anything protected.

By default, the data that is replicated to the secondary region is available to restore in the secondary region only if Azure declares a disaster in the primary region. But now you can also control the cross-region restore (CRR) yourself. We will look at that feature in the next blog post that you can access here: Cross Region Restore (CRR) for Azure Virtual Machines using Azure Backup

How to get alerts based on your spending in Azure

Sat, 30 May 2020 00:00:00 +0500

Azure has very advanced Cost Management capabilities. One of these capabilities is to create alerts based on your spending. You can define budgets and if you are close to spending more than a percentage of that budget then you can get alerted via email, SMS, App push notification, or even a voice call. You can even take actions if the budget exceeds a certain percentage.

You take action if the alert is triggered by leveraging the Action Groups in Azure. You can check how to create Action Groups in this post: Creating the Action Groups for alerts in Microsoft Azure.

How to configure the Alerts

Navigate to "Cost Management + Billing" and select the "Cost Management" option.

In the Cost Management blade, select the option for "Budgets" and then click on "+ Add".

In the next screen under "Create a budget" select the appropriate values for the following:

Budget scope

Budget name

Reset period - under most circumstances this should be Billing month

Creation date

Expiration date

Provide an amount for the Budget

In the next screen for "Set alerts", under the Alert conditions, provide the percentage of the budget. E.g. if you provided the budget as $150 and selected the percentage of budget as 80% then the alert would be triggered at $120.

Provide the Action Group to alert via SMS or emails. You can alert via email by providing individual email ids or distribution list's id for "Alert recipients (email)" entry.

That's it! Now the alert is up and running. If you want to test the alert then update the budget and the alert percentage to close the spending and the alert should be triggered in short while.

This is a very helpful feature that lets you take the control of your spending and stay on top of the overall usage.

Creating the Action Groups for alerts in Microsoft Azure

Tue, 26 May 2020 00:00:00 +0500

In the previous post, we discussed what the Action Groups are and what they are used for. You can read the previous blog at this link: Understanding the Action Groups for alerts in Microsoft Azure. In this post, we are taking a look in the Azure portal to understand how to create the Action Groups.

Action Groups Location

The action groups are located under the Azure Monitor, in the Alerts section. Here, click on the "Manage actions" button to modify and create action groups.

Creating Action Groups

In the Manage actions blade, click on the "+ Add action group" button.

Enter the basics information in the first blade to Create an action group.

In the notifications tab, select the type of notifications. Also add additional information for Email, SMS, Azure app Push Notifications, and Voice, etc.

Under the Actions tab, select if you want to perform any action. The possible values for action are:

Automation Runbook

Azure Function

ITSM

Logic App

Secure Webhook

Webhook

Next, add the Tags and review the final information. Click on the Create button once done.

Now that the Action Group is ready, you can use this in any alerts that you will create. The notifications and actions inside the Action Group will be triggered whenever the alert is triggered.

For further details, you can refer the official documentation here: Create and manage action groups in the Azure portal

Understanding the Action Groups for alerts in Microsoft Azure

Mon, 25 May 2020 00:00:00 +0500

Action Groups is a very useful concept in Microsoft Azure. It is used to define two things when an alert is triggered. The first is to define how to send notifications and to whom when an action group is triggered via an alert. Secondly, it defines if any action should be taken when an alert is fired.

Using the Action Groups you can send notifications via the following methods when an action group triggers:

Group emails,

SMS,

Azure app notifications, and

Voice calls.

You can also send emails to an Azure Resource Manager role using Action Groups.

Optionally, you can also take actions using the following features of Azure, when an action group is triggered:

Automation Runbook

Azure Function

ITSM

Logic App

Secure Webhook

Webhook

Action Groups are located in the Azure Monitor under the "Alerts" section. Navigate to "Manage actions" to create or modify action groups.

In the next blog post, we will look at how to create Action Groups in the Azure Portal. You can check the next blog here: Creating the Action Groups for alerts in Microsoft Azure

Azure for AWS professionals - Index

Thu, 14 May 2020 00:00:00 +0500

This is the Index for the series regarding Microsoft Azure and Amazon's AWS services comparisons. This series takes a very practical and hands-on approach (rather than just focusing on the theory). You don't need to follow all the blog posts. You can only check the ones where you want to draw the comparison or check how to work with specific services.

If you are well versed with one platform this series is to cross-train you on the competitor platform. The intention is to know the pros and cons of each platform and begin with the basic services. You need to know the competition well before you can advocate any platform.

Disclaimer: I am a Microsoft Azure MVP and a bit biased towards Azure. I make every attempt to view both platforms impartially and list pros and cons as they are without any personal opinions.

Note that this Index is updated regularly as more posts are added around this topic.

Virtual Machines vs EC2 instances

a. Combined

Finding Resources

Differences in IOPS

b. Azure

Creating Azure Virtual Machines

Monitoring of Azure VMs

Boot Diagnostics of Azure VMs

Azure VM Insights

Backing up Azure VMs

Protecting Azure VMs

c. AWS

Creating EC2 Instances

Monitoring of EC2 instances

Backing up EC2 instances Part 1

Backing up EC2 instances Part 2

Backing up EC2 instances Part 3

Batch Services

a. Combined

Batch Services Comparision

b. Azure

Creating Batch account

Creating Batch Pool in an Account

Creating Job in the Batch Pool

Creating Tasks in a Batch Job

c. AWS

Working with AWS Batch Service

Auto Scaling

a. Combined

Azure VMSS vs AWS Auto Scaling

b. Azure

Creating Virtual Machine Scale Sets (VMSS) - Part 1

Creating Virtual Machine Scale Sets (VMSS) - Part 2

View Running Instances in VMSS

Updating the Scaling policies of VMSS

Viewing the Run History of VMSS

c. AWS

All Related Resources for Auto Scaling

Creating Launch Configurations

Creating Launch Templates

Creating Auto Scaling Groups - Part 1

Creating Auto Scaling Groups - Part 2

AWS Auto Scaling service

Disks

a. Combined

Azure Managed Disks vs AWS Elastic Block Store (EBS)

Storage

a. Combined

Microsoft Azure Storage Accounts vs AWS Simple Storage Service (S3)

b. Azure

Creating Azure Storage Account

Data Transfer Options

Event driven automation of Azure Storage accounts

Securely Accessing Storage Accounts

Configuring Firewall and vNet access on Storage accounts

Geo Replication on Storage accounts

c. AWS

Creating Simple Storage Service or S3 buckets

Working with S3 bucket and uploading files

Configuring S3 Bucket Properties

Setting Permissions on S3 Bucket

Adding Lifecycle Rules for S3 buckets

Configuring replication on S3 buckets

Setting up Access Points on S3 bucket

Networking

a. Combined

Azure Virtual Networks vs AWS Virtual Private Cloud (VPC)

b. Azure

Creating Virtual Network

Working with Virtual Networks (vNets) and Subnets

Service Endpoints

Creating Network Security Groups (NSGs)

Creating rules in NSGs and assigning NSGs

Using Service Tags to define rules in NSGs

c. AWS

Creating Virtual Private Cloud (VPC)

Working with VPCs and Subnets

Route Tables

Network ACLs

Security Groups

Network ACLs vs Security Groups

Azure for AWS professionals - Networking - Azure - 06 Using Service Tags to define rules in NSGs

Tue, 12 May 2020 00:00:00 +0500

In the Network Security Groups (or NSGs), if you want to define rules related to Azure Services e.g. allowing communication on a particular port to Azure Storage account. Then you can do so for each and every IP address published by Microsoft for Azure Storage service. This is a very cumbersome method and is not practical. Also, there is a limit to the number of rules you can write and the number of NSGs you can have in a subscription. You can have up to 1000 rules per NSG. Also, you can have only a maximum of 200 NSGs in a subscription. You can find these limits here: Azure subscription and service limits, quotas, and constraints.

Solution

Microsoft provides the capability to write NSG rules using Service Tag as a destination. When you leverage a Service tag the system ensures that it accounts for all the IP addresses for that service. Not only that, if any IP address changes or a new IP address is added then the Service Tag will account for that automatically. You can target whole services across different regions or services in a particular region. E.g. You can select Storage as a service or select "Storage.EastUS" to target the Storage service but only in the East US region.

Where is the Option

In the Inbound security rules, this option is available for the Source. In the Outbound security rules, this option is available for the Destination. Once you select the service tag as the option, then you are presented with a drop-down for the Service Tag selection. Internet is the default option for the Service Tag. You can type and search for the particular service tag e.g. Azure Storage, Azure Backup, etc.

You can read more about Service Tags here: Virtual network service tags.

eBook - 6 Step Migration Strategy – Systematic Approach to Migrating your Workloads to Microsoft Azure

Fri, 27 Mar 2020 00:00:00 +0500

I have authored this eBook titled "6 Step Migration Strategy – Systematic Approach to Migrating your Workloads to Microsoft Azure" which I am making available to everyone for free. It is a quick and short read that is meant to help set up the migration process for your department. Use this eBook as a blueprint to kickstart your migration to the cloud.

You can download the eBook by clicking on this link: 6 Step Migration Strategy – Systematic Approach to Migrating your Workloads to Microsoft Azure

Data Factory Basics and Azure SQL Basics Series - Index

Sat, 22 Feb 2020 00:00:00 +0500

This is the index for the Azure Data Factory and Azure SQL Basics. I received various requests to write posts around these Azure resources. This series is the practical and hands-on look at various features from creating the service to working with it in detail.

Below is the index for this series which is updated periodically.

Azure Data Factory related posts

Creating a Data Factory

Exploring the Azure Data Factory layout

Creation of Azure SSIS Integration Runtime (IR) into Azure Data Factory

Azure SQL related posts

Finding Azure SQL Databases in the Azure Portal

Creating Azure SQL Databases

Connecting to Azure SQL DB using SSMS

Enabling Geo-Replication for Disaster Recovery

Data Masking of sensitive information

Exploring the new Query Editor in the Azure Portal

Advanced Data Security

Query Performance Insights

Automatic Tuning and Performance recommendation

Creating Elastic Pool in Azure SQL Server

Azure Active Directory Admin - Manage Azure SQL via AD Users

Managing Backups for Azure SQL Database

Restoring Azure SQL Database from the backup

Setting up Private Endpoints on an Azure SQL Server

Azure SQL Basics - Setting up Private Endpoints on an Azure SQL Server

Thu, 20 Feb 2020 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

A Private Endpoint is a fundamental block for a private link in Azure. It enables Azure resources, like Virtual Machines (VMs), to communicate privately with linked resources. Under the hood, it creates a network interface card (NIC) on the Azure SQL Server and attaches that to your Virtual network. That way you get a private IP address assigned to your Azure SQL Server. Now from any other resource on this network, you can securely access the Azure SQL Server without the communication leaving the network at all.

Microsoft also goes one step further by creating a Private DNS integration. It leverages a private DNS zone to provide a DNS name for your Azure SQL Database Server which is mapped to the Private IP address (instead of the usual Public).

In this post, you will be setting up the private endpoints to the SQL server through Azure Portal. Then, you can securely access the Azure SQL Database Server from the VM.

Create a private endpoint

In this section, you will create a private endpoint to it.

On the upper-left side of the screen in the Azure portal, select Create a resource > Private Link Center (Preview).

In Private Link Center - Overview, on the option select Private Endpoints and click Add.

Enter or select this information:

Subscription - Select your subscription.

Resource group - Select myResourceGroup. You created this in the previous section.

Under instance details provide:

Name - Enter myPrivateEndpoint. If this name is taken, create a unique name.

Region - Select the geo region where you want to deploy the underlying resources

In the next screen for "Create a private endpoint - Resource", enter or select this information:

Connection method - Select the radio button for "Connect to an Azure resource in my directory"

Subscription - Select your subscription.

Resource type - Select Microsoft.Sql/servers.

Resource - Select your server

Target sub-resource - Select sqlServer

Click next once done.

In Create a private endpoint (Preview) - Configuration, enter or select this information:

Under the networking section, provide:

Virtual network - Select MyVirtualNetwork.

Subnet - Select mySubnet.

Under the Private DNS integration, provide:

Integrate with private DNS zone - Select Yes.

Private DNS Zone - Select (New)privatelink.database.windows.net

Select Review + create. You're taken to the Review + create page where Azure validates your configuration. When you see the "Validation passed" message, select Create.

Once the private endpoint is created your Azure SQL Server is ready to be connected via it's new Private IP address. This address will be in the Virtual network you connected it to. There will also be a network interface card (NIC) resource that actually links the Azure SQL Server to the Virtual Network.

Troubleshooting Azure Networking - Using Network Watcher

Tue, 11 Feb 2020 00:00:00 +0500

Network Watcher is like a swiss knife for various things related to networking. This is a one-stop-shop for monitoring and troubleshooting your networks and related components. In this post, we will be focusing on the troubleshooting related aspects of Network Watcher.

Enabling Network Watcher

First of all, you need to enable network watcher. You should do so for every region where you have a virtual network deployed or will deploy in the near future. To do so simply navigate to the Network Watcher service (by searching for it). In the Overview screen, expand the regions area as shown below. Right-click on the region for which you want to enable this service and select "Enable network watcher".

The first time you do this, it will create a new resource group called "NetworkWatcherRG". If you check this resource group after enabling network watcher for any region, it will look empty, but it actually contains hidden resources of type "microsoft.network/networkwatchers".

Once the network watcher is enabled, you are ready for consuming various mini tools (or different sections) that give you troubleshooting features.

IP Flow Verify

This is to check the IP Flow. If you want to check if the traffic is able to flow or is being blocked then this is the section you want to check. Select the VM and its network interface for which you want to check the IP Flow. The Local IP address will be auto-populated. Fill in the details for the Remote IP address and Remote port and click on the Check button. It will simulate the traffic and will let you know the results.

Next Hop

If you have various Route tables and you want to verify that the traffic follows a particular route or not then "Next Hop" is the section you want to check. You can check if traffic from a source to destination will go via network virtual appliance or not based on a route defined in a route table or not.

Simply select the source and destination. The Source IP address will populate based on the network interface selected. And the destination IP address will be input by you. Click on the "Next hop" button once you are ready. The output will show you what the next hop will be and the route along with the route table that is directing that traffic to that next hop.

Effective Security Rules

You may have various Network Security Groups (NSGs) applied to a VM i.e. one NSG applied directly on its network interface and another one applied at the subnet level. If you want to check what is the result set of these NSGs and which NSGs are effectively applied on your VM, then this is the section that you can use. Simply select your Virtual Machine (VM) and the effective security rules will be displayed in the bottom section.

For more information please check this link: Azure Network Watcher

Troubleshooting Azure Networking - Checking Allowed and Denied Traffic in Network Security Groups (NSGs) via Log Analytics Queries

Tue, 04 Feb 2020 00:00:00 +0500

In the last post, we set up the NSG Flow Logs to be sent to the Log Analytics workspace. In this post, we will run Log queries on this workspace to check the traffic data. We can easily see allowed vs denied traffic on the NSGs leveraging these queries.

To start first navigate to the Log Analytics workspaces. Click on the workspace which is the target for NSG Flow Logs in your Network Security Groups (NSGs). Within this workspace, click on the Logs section. If you are opening this for the first time, you will see a "Getting Started" button. Click on that and go through the tutorial if you want.

Once the Logs section is opened up (as shown below), you can type the queries we will discuss next in the main area (marked number 3 below). The results will appear in the bottom section. You can use the time filters (also shown below as number 2) to filter the data to a specific date and time range.

All the logs from NSG Flow Logs are sent to the "AzureNetworkAnalytics_CL" table in the Log Analytics. You can start querying this table for the data. Below are various queries that have helped me a lot in troubleshooting NSGs.

NOTE: In the below examples, "10.20." uniquely identify my virtual network. You will need to tweak this value as per the IP address space of your virtual network. You can even specify multiple address spaces for both sources and destinations.

Checking all Denied Traffic

AzureNetworkAnalytics_CL| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])| where NSGRuleAction == "D" | summarize count() by VM_s,VMIP_s,SrcIP_s,DestIP_s,DestPort_d

To extend the above query, we can also check the denied Traffic with Time Generated, NSG Name and Rule Name, Subnet Names and more info:

AzureNetworkAnalytics_CL| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])| extend NSGName=tostring(split(NSGList_s,'/',2)[0])| where NSGRuleAction == "D" | summarize count() by SourceIP=SrcIP_s, DestinationIP=DestIP_s, DestinationPort=DestPort_d, TimeGenerated, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s

Intra vNet allowed traffic for a specific rule

AzureNetworkAnalytics_CL| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0]) | extend NSGName=tostring(split(NSGList_s,'/',2)[0]) | where NSGRuleAction == "A" | where NSGRuleName == "privateipinbound-allow" | where SrcIP_s contains "10.20." | where DestIP_s contains "10.24." | summarize count() by SourceIP=SrcIP_s, DestinationIP=DestIP_s, DestinationPort=DestPort_d, TimeGenerated, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s, L4Protocol_s

Query to review specific rule for specific IP and only Allowed traffic

AzureNetworkAnalytics_CL| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])| where NSGRuleAction == "A" | where NSGRuleName == "temp-allowall-inbound" | where SrcIP_s contains "10.20."

Intra vNet allowed traffic for a specific rule

AzureNetworkAnalytics_CL| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0]) | extend NSGName=tostring(split(NSGList_s,'/',2)[0]) | where NSGRuleAction == "A" | where NSGRuleName == "privateipinbound-allow" | where SrcIP_s contains "10.20." | where DestIP_s contains "10.20." | summarize count() by SourceIP=SrcIP_s, DestinationIP=DestIP_s, DestinationPort=DestPort_d, TimeGenerated, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s, L4Protocol_s

Intra vNet allowed traffic for a specific NSG

AzureNetworkAnalytics_CL| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0]) | extend NSGName=tostring(split(NSGList_s,'/',2)[0]) | where NSGRuleAction == "A" | where NSGName contains "systemcenter" | where SrcIP_s contains "10.20." | where DestIP_s contains "10.20." | summarize count() by DestinationPort=DestPort_d, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s, L4Protocol_s, TimeGenerated

Intra vNet allowed traffic for a specific NSG for Inbound Traffic Only

AzureNetworkAnalytics_CL| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0]) | extend NSGName=tostring(split(NSGList_s,'/',2)[0]) | where NSGRuleAction == "A" | where NSGName contains "systemcenter" | where SrcIP_s contains "10.20." | where DestIP_s contains "10.20." | where FlowDirection_s == "I" | summarize count() by DestinationPort=DestPort_d, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s, L4Protocol_s, TimeGenerated

Please note that the above queries are only to help you kick start the troubleshooting. These should be used as a reference. Note how the properties are expanded and details extracted (using split and extend functions). If you want me to explain any of these queries in detail, please mention so in the comments below and I can provide details.

Troubleshooting Azure Networking - Setting up Flow Logs Monitoring on Network Security Groups (NSGs)

Mon, 03 Feb 2020 00:00:00 +0500

To be able to troubleshoot traffic being allowed or blocked on the Network Security Group (NSGs), Flow Logs should be enabled and should be sent to a Storage Account and Log Analytics, etc. Setting this up is very easy. This needs to be set up on each of the NSG in your environment.

Note that the Network Watcher is a pre-requisite for this. It will be auto-enabled for the region of the NSG when the Flow Logs is set up.

To start, navigate to the Network Security Groups in the Azure Portal. Select the NSG for which you want to enable the Flow Logs. Scroll all the way down in the settings and select the "NSG Flow Logs" setting. Click on the Flow Logs in the middle area to open up the settings for it.

Flow logs status should be turned On to be able to log all the flow logs. Version 2 has more information for throughput etc. Click on the Storage option to configure the storage account to be used to export the flow logs.

Scroll down further to check the Log Analytics workspace settings. Turn on the traffic analysis status. For better and detailed logging set the "Traffic Analysis processing interval" to "Every 10 mins" instead of every 1 hour. Finally, select the Log Analytics workspace where you want the logs to be sent. Try to be uniform and select the same workspace for all NSG flow logs.

Now the flow logs will automatically capture and you are ready to start troubleshooting the traffic. We will check how to do this and common queries that you can reuse in the next few blog posts.

Azure for AWS professionals - Storage - Azure - 06 Geo Replication on Storage accounts

Tue, 21 Jan 2020 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Based on the replication strategy selected on your storage accounts, you can leverage the geo-replication option to restore your storage accounts to a secondary location. Azure Storage replication copies your data so that it is protected from transient hardware failures, network or power outages, and natural disasters. If an outage renders the primary endpoint unavailable, then you can initiate a failover to the secondary endpoint to rapidly restore write access to your data.

You can access this option by navigating to your storage account and clicking on the "Geo-replication" option.

This option shows you the replication you selected for your storage account while creating it. By clicking on the Storage endpoints option, you can see what the endpoints will look like if you failover to the secondary region. You copy and can keep these handy to update your application using these endpoints.

Scroll down to view the primary and secondary regions and the button to prepare for the failover.

When you click on this button, a new popup will open and will give you the option to failover. The secondary region will become primary when you do.

This option is very useful to perform any disaster recovery if there are any issues in your primary region.

For more information click here: Disaster recovery and account failover

Leveraging Service Tags to define better rules in Network Security Groups

Sun, 12 Jan 2020 00:00:00 +0500

Service Tags comes in very handy when you want to specify Sources for Inbound rules and Destination for Outbound rules. It makes your life a lot easier to define a complete service without specifying each and every IP address in that service.

E.g. you can specify a complete Virtual Network or Microsoft Azure Backup as a source for Inbound rules very easily by simply leveraging Service tags. Even if the address space of that virtual network changes in the future, you will not need to alter its related Network Security Group (NSG) rules.

Simply navigate to any NSG and then go to Inbound rules (or Outbound rules). Edit one of the existing rules or create a new one. For Souce in case of inbound rules (and destination in case of outbound rules), select "Service Tag" from the drop-down. From the drop-down for the "Source service tag" select the service tag for the service, for which you need the rule.

Note from the arrow in the above screenshot that the vertical scrollbar is huge. Since this feature was launched, so many services have been configured as Service Tags and have made administrators' life easier in terms of configurations required.

For more information please check this link: Virtual network service tags

Azure Data Factory Basics - Creation of Azure SSIS Integration Runtime (IR) into Azure Data Factory

Fri, 10 Jan 2020 00:00:00 +0500

To run/migrate the SSIS packages to Azure Data factory, we need the Azure SSIS IR (Integration Runtime) in the Azure Data Factory. Azure-SSIS IR is the runtime environment that runs SSIS packages on Azure.

An Azure-SSIS IR provisions:

Running packages deployed into the SSIS catalog (SSISDB) hosted by an Azure SQL Database server or a managed instance (Project Deployment Model).

Running packages deployed into file systems, file shares, or Azure Files (Package Deployment Model).

You can create the self-hosted Azure-SSIS IR with your desired configuration or you can use the run time integration used by the Azure.

Let’s create the Azure-SSIS IR as per below steps:

1.) Go to data factory created in Azure Portal and Select the Author & Monitor tile to open its Let's get started a page on a separate tab. There, you can continue to create your Azure-SSIS IR.

2.) After clicking on Configure SSIS Integration, it will open the integration runtime setup window. It requires as following parameters:

Name – Provide the appropriate Name to your integration runtime

Description – it’s not a mandatory parameter to provide

Type is the default setting. You can’t change this one.

Set the location

Node size – Select the node size for your integration runtime cluster. Choose the higher number if you want to run packages that require more memory/computing power.

Node Number – Choose the number from the list. Higher number if you want to run the many packages in parallel.

Edition/license – Select the SQL server edition of your integration runtime. Select the enterprise if you want to choose the advanced features of integration runtime.

Save money - select the Azure Hybrid Benefit option for your integration runtime: Yes or No. Select Yes if you want to bring your SQL Server license with Software Assurance to benefit from cost savings with hybrid use.

Next is the Integration runtime setup general settings.

Next up we have the Integration runtime setup SQL settings.

Next up we have the Integration runtime setup Advanced settings.

Finally, we have a summary for the IR setup.

As you can see below in the screenshot, the self-hosted Azure-SSIS IR has been created.

Alternatively, to create the Azure-SSIS IR on Azure Data Factory UI portal go to Edit tab -> Connections -> Integration runtimes and click New.

In the Integration Runtime Setup panel, select the Lift-and-shift existing SSIS packages to execute in Azure tile, and then select Next and proceed to create IR setup from here, similar to what we did earlier.

Now once we have the Integration Runtime we can start importing and running SSIS packages.

Azure Data Factory Basics - Exploring the Azure Data Factory layout

Wed, 08 Jan 2020 00:00:00 +0500

In this post, we will be looking at the Data factories section in Azure in detail.

To manage the data factory pipelines, go to All resources -> Data factories. You will see all the data factories have been added or created. Select the data factory you want to manage.

Once you select the data factory, it will open the new window (known as a blade in Azure) where you can manage your Data Factory.

Let’s discuss a few sections of the Data Factory page.

Section 1: General properties

Overview: The first page when you land on this window is the overview page.

Activity log: Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained.

Access Control (IAM): Review the level of access a user, group, service principal, or managed identity has to this resource.

Tags: This is used to provide some keywords to your resource.

Diagnostic and solve problems: This provides you the list of troubleshooting links for the known issues a user can come across.

Section 2 Getting Started

Quick Start: This provide the basic tutorial/videos link on how to work with the Data factory. They have been provided by Microsoft and you can see the documentation about the subject. It is really helpful as it gives a quick understanding of the topic.

Section 3 Monitoring

Alerts: Configure alert rules and attend to fired alerts to efficiently monitor your Azure resources.

Metrics: Configure alert rules and attend to fired alerts to efficiently monitor yourAzure resources. For more details, please refer to the Microsoft official documentation for Metrics at https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-getting-started

Diagnostic settings: They are used to collect platform logs and metrics in Azure. To get more information on how to create the diagnostic settings using Azure Portal/CLI/Powershell, please refer to the official Microsoft documentation at https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings

Section 4 Author & Monitor

Author and Monitor link is the most important link which takes you to the authoring console. This console opens up the new window. This is where you can create Azure-SSIS IR, pipelines, linked services, data sets, and data flow, etc. I will be explaining this more in the upcoming posts.

Section 5 Monitoring

This section is the summarization of the activities happening in the Azure Data Factory. Pipelines status whether it was successful or failed. TriggerRun information that when the pipelines ran. You can also check the CPU and Memory utilization of the IR. You can view or set up all these monitoring status on the Metrics mentioned in section 3.

Expose an Azure Function App via API Management

Tue, 07 Jan 2020 00:00:00 +0500

You can expose an Azure Function App via API Management directly from within an Azure Function app. This functionality is provided out of the box and all you need to do is, configure the link between an Azure Function App and an existing (or new) API Management App.

To start, navigate to your Azure Function and click on the "Platform Features" tab. Here you will see the option for "API Management" as shown below.

Once you click on API Management, it takes you to a new blade. Here you can simply link your Function app to an existing API Management or even create a new one and then link the app.

Now that the app is linked, you can now manage API operations, apply policies, edit and download OpenAPI specification files, or navigate to API Management instance for a full-featured experience.

For more information please check this link: Create an OpenAPI definition for a serverless API using Azure API Management

Azure Data Factory Basics - Creating a Data Factory

Sat, 04 Jan 2020 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

Azure Data Factory is a cloud-based ETL service to run the SSIS packages. You can lift and shift the existing SSIS packages in Azure and run them fully in ADF. It is code-free UI to run, monitor and manage the packages.

Using the Azure Data Factory, you can create and schedule data-driven workflows (called pipelines) that can ingest data from disparate data stores.

To start, navigate to All services - > Analytics -> Data Factories.

Click Add or Create Data Factory as highlighted below.

Provide the following details in the below screen:

Appropriate name to your data factory

Select the v2 version. This is the latest version which includes the latest features of Azure data factory

The next one is to select the subscription and resource group. Here you can create a new resource group in case you don’t want to use the existing resource group.

Select the Location

Enable GIT: If you have checked this option, you will need to provide the additional details about the GIT URL, repo URL, Branch Name and Root URL.

Click Create. The deployment will be done in a couple of mins or so to get this done.

You can see we have created the Data Factory. Now you are ready to create the workflow pipelines for this Azure data factory.

I will be explaining about its monitoring section and how to create pipelines in my next blogs. So keep tuning in!

Managing cost for both Microsoft Azure and AWS from within Azure

Wed, 18 Dec 2019 00:00:00 +0500

If you are leveraging both Microsoft Azure and Amazon's AWS for the cloud, you now have AWS Cloud connector to view your AWS billing data, directly from within the Microsoft Azure portal. Let's check out how to set this up.

Start by navigating to the "Cost Management + Billing" section. Click on the "Cost Management" management option. In the new blade, click on the "Connectors for AWS (Preview)" option under the settings menu. You will see the option to configure the sync from AWS to Azure here by clicking on the "Add connector" button.

Under basic settings, just provide a display name, management group and a subscription for the connector.

In the "AWS properties" section provide the value for:

Role ARN

External ID

Report Name

You need to take some steps in AWS to get these values. These steps are described in detail here: Create a role and policy in AWS for Billing Connector in Azure

Finally, review all the settings and create the connector. Now you can view all the cost and billing data for both Microsoft Azure and Amazon's AWS in one place.

For more information please check this link: For more information please check this link:

Azure SQL Basics - Restoring Azure SQL Database from the backup

Mon, 02 Dec 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

From time to time, you will need to restore your database from an earlier backup. In this post, we will be discussing the restoring the Azure SQL database from the backup file.

To restore the database, go to the Azure SQL database you want to restore. Once you select the SQL database, you can click on Restore as marked in the screenshot.

It will open the options to select the backfile for restore as shown below.

The first dropdown is to select the type of backup. You can either select Point-in-time or the LTR (Long Term backup retention) to select the file. When you select the Point-in-time, it shows the earliest date when the restore is taken. It is the first time the Azure has taken the back up of your SQL database. Database Name would be the name by which the database will be restored at the server. You can change the name as per your requirement.

The next one is the Restore point selection, it will show the dates highlighted for which backup is available.

Then it will ask on which server you want to restore the backup. Once selected, then you can set up the tiered pricing for the restored SQL database.

That's it! You are all set now. Hit that button and restore your database.

Azure SQL Basics - Managing Backups for Azure SQL Database

Fri, 29 Nov 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

In this post, we will discuss managing the backup for the Azure SQL database. Azure takes the back up at the most convenient time when the database is not much in use. We can’t control at what time the back up took but we can set up the days/week/years for how long we want to keep the backup files.

To manage the backup setting, go to the Azure SQL Server under which our Azure SQL Database has been created. Navigate to the "Manage Backups" option under the Settings. Select the Azure SQL database from the list. Once you select the Database, it will enable the "Configure retention" button.

The configurations have mainly four types of retentions configurations settings.

PITR – Point in time restore configuration – This allows you to set the number of days you want to keep the backup. All Azure SQL databases (single, pooled, and managed instance databases) have a default backup retention period of seven days. You can change it to 14/21/28/35 days.

Long-Term Retention Configurations

Weekly LTR backups – You can specify the number between 1 and 520. This is for how many weeks you want to retains the backup.

Monthly LTR backups – You must specify the number between 1 and 120 month(s) and select the Months from the dropdown.

Azure SQL Basics - Azure Active Directory Admin - manage Azure SQL via AD Users

Wed, 27 Nov 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

Azure active directory admin allows managing the other active directory user to manage the Azure SQL database. SSMS provides an option to connect with the server using the "Azure active directory authentication". To leverage this functionality, the Azure active directory admin has to provide access to the user.

In this post, we are looking at this option and checking the way to add the Azure Active directory admin through Azure Portal.

Go to All resources-> SQL server -> Settings-> Active Directory Admin-> Set Admin

Add the user from the select dropdown. Once selected, you will be able to see the added user on the home page of active directory admin.

Now you are ready to have this AD user manage the database. Now this user can add other AD users to the database (instead of simple SQL users)

To get more details about this, please refer to the Microsoft official link Use Azure Active Directory Authentication for authentication with SQL

Azure SQL Basics - Creating Elastic Pool in Azure SQL Server

Sat, 23 Nov 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

Azure SQL Database Elastic Pools are a simple, cost-effective solution for managing and scaling multiple databases that have varying and unpredictable usage demands. The databases in an elastic pool are on a single Azure SQL Database server and share a set number of resources at a set price.

Elastic Pools exist only at the SQL Server level in Azure. These help to pool resources when you are building multiple databases on the same server. In this post, we will be checking how to create the elastic pool in the Azure SQL Server.

To Navigate to the creation of an elastic pool, go to the server under which you want to create the elastic pool.

To create the elastic pool, mention the valid name in the Elastic pool name section. To select the compute and storage, click on the configure elastic pool and it will show below the blade.

Here you assign the total number of DTU’s and max database size of all the databases in the elastic pool.

In the Databases section, you can add the databases which you want to add into this elastic pool that we are creating.

In the ‘Per database settings’ section, you can provide the min and max DTU assigned to each database added in the elastic pool.

You can also apply Tags during the creation (which is highly recommended). Finally, you review and create the resources. The deployment will be submitted and the pool created for you.

Azure SQL Basics - Automatic Tuning and Performance recommendation

Thu, 21 Nov 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

In this post, we will be discussing the performance recommendation and automatic tuning provided by Azure. To make your SQL database perform better we need some insights to get better recommendations and it is provided by default by Azure.

Performance Recommendations

Performance overview provides a summary of your database performance and helps you with performance tuning and troubleshooting.

(Per Microsoft documentation) the performance recommendation options available for single and pooled databases in Azure SQL Database are:

Create index recommendations - Recommends the creation of indexes that may improve the performance of your workload.

Drop index recommendations - Recommends removal of redundant and duplicate indexes daily, except for unique indexes, and indexes that were not used for a long time (>90 days). Please note that this option is not compatible with applications using partition switching and index hints. Dropping unused indexes is not supported for Premium and Business Critical service tiers.

Parameterize queries recommendations (preview) - Recommends forced parameterization in cases when you have one or more queries that are constantly being recompiled but end up with the same query execution plan.

Fix schema issues recommendations (preview) - Recommendations for schema correction appear when the SQL Database service notices an anomaly in the number of scheme-related SQL errors that are happening on your SQL database. Microsoft is currently deprecating the "Fix schema issue" recommendations.

Automatic Tuning

Azure SQL Database automatic tuning provides peak performance and stable workloads through continuous performance tuning based on AI and machine learning. Automatic tuning is a fully managed intelligent performance service that uses built-in intelligence to continuously monitor queries executed on a database, and it automatically improves their performance. This is achieved by dynamically adapting the database to the changing workloads and applying tuning recommendations. Automatic tuning learns horizontally from all databases on Azure through AI and it dynamically improves its tuning actions. The longer a database runs with automatic tuning on, the better it performs. Azure SQL Database automatic tuning might be one of the most important features that you can enable to provide stable and peak performing database workloads.

What can automatic tuning do for you:

Automated performance tuning of Azure SQL databases

Automated verification of performance gains

Automated rollback and self-correction

Tuning history

Tuning action T-SQL scripts for manual deployments

Proactive workload performance monitoring

Scale-out capability on hundreds of thousands of databases

The positive impact to DevOps resources and the total cost of ownership

Azure SQL Basics - Query Performance Insights

Sun, 17 Nov 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

In this post, we will be discussing the Azure SQL Database query performance insights which provide intelligent query analysis for single and pooled databases. It helps identify the top resource consuming and long-running queries in your workload. This helps you find the queries to optimize to improve overall workload performance and efficiently use the resource that you are paying for.

To Navigate to the Query Performance Insight, navigate to All resources-> SQL Databases-> Select the database. Under the menu on the left hand side go to the Intelligent Performance category -> select Query Performance Insights

The panel describes the Deeper insight into your databases resource (DTU) consumption

Details on top database queries by CPU, duration, and execution count

The ability to drill down into details of a query, to view the query text and history of resource utilization

Annotations that show performance recommendations from database advisors

Optionally, you can select the Custom tab to customize the view for:

Metric (CPU, duration, execution count).

Time interval (last 24 hours, past week, or past month).

The number of queries.

Aggregation function.

Azure SQL Basics - Advanced Data Security

Fri, 15 Nov 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

In this post, we will be discussing the Advanced Data Security feature on the Azure SQL Servers. It is enabled at the server level and will be automatically enabled at the database level. It is a charged service. Once you enabled it, you will be charged per month for this service. To access the advanced data security, go to all resources and select the server for which you want to enable the ADS to feature and go to the Security section, and click on advanced data security.

Below are the settings for ADS:

Select the ‘On’ to enable the ADS.

Select the subscription from the subscripton dropdown. You need to have the storage account for this. If you don’t have a storage account previously created, it will ask you to create the new one.

Provide the appropriate email address to get any activity notification.

You can select the type of protection from the list as highlighted in the screenshot.

Different types of Advanced Thread Protection types include:

SQL Injection – to protect you from such attacks

SQL injection vulnerability – to check if there is any such vulnerabilities in the database

Data exfiltration

Unsafe action

Brute Force

Anomalous client logins

You can also view and update the Advanced Data Security settings from the Azure SQL Database as shown below.

Although, as the settings are applied and billed at the server level, you get more control to view the settings from the server. The graphs and analytics of data security are shown at the Database level.

Azure SQL Basics - Exploring the new Query Editor in the Azure Portal

Thu, 07 Nov 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

In this post, we will see how to use a query editor in the Azure portal. Query Editor helps us to query the tables, view and stored procedure on the selected SQL databases.

To navigate to the Query editor, go to the All Resources-> SQL database -> select the database.

On the left-hand side, you can select the "query editor(preview)" menu option. It will give you the option for providing the login credentials to connect to the Database within your SQL Server.

Once you log in, you can view all the tables, views and stored procedure resides in the selected SQL database. In the query panel, you can write down the query and see the results immediately at the bottom of the screen.

Azure SQL Basics - Data Masking of sensitive information

Sun, 03 Nov 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

In this post, we will be managing the security of data within Azure SQL Databases by implementing the data masking on data. Via this option, you can mask the sensitive information from your database like credit card details, email addresses, etc.

Select the Azure SQL Database on which you want to implement the data masking. As shown below, it is under the security section. Once you click on it, it will open the blade on which you can set up the mask for different schema under your database.

SQL Users excluded from masking (administrators are always excluded): This option means the data will be visible without any masking to the admin users. You can add other users to whom you want to make all the data visible.

Click ‘Add Mask’, Select the schema, table, and column on which you want to do masking.

We have different Masking field formats. These include, but not limited to Email addresses, Credit card information, etc.

Azure SQL Basics - Enabling Geo-Replication for Disaster Recovery

Tue, 29 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

In this post, we will be checking how to enable Geo-replication for the Azure SQL database. Through this feature, you set up active replication to a different Geo location. This enables you to recover your database in case there is a disaster level event in your primary region.

To begin, select the Azure SQL database for which you want to enable the geo-replication as shown below.

Once you click on the Azure SQL database, it will open up the properties of that SQL database. Click on the geo-replication as highlighted in the screenshot and it will open up the geo-replication window. #1 shows you the primary region we selected while creating the SQL database. #2 will provide the list of regions you can select for the replication. Once you select the region, the new blade will open to set up the secondary region for the SQL database.

Create the Target server and select the pricing tier for the new region.

It will take some time to set up the resources, but once it's done, you can switch between the primary and the secondary region in case of failover.

Azure SQL Basics - Connecting to Azure SQL DB using SSMS

Fri, 25 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

Connecting Azure SQL DB using SSMS

In this post, we will be showing how to connect SSMS (SQL Server Management Studio) to Azure SQL databases. Launch SSMS and the "Connect to Server" popup should open up automatically. Azure doesn’t support Windows Authentication. So you will need to log in using SQL server authentication with the username and password created in the Azure portal for the server or via AAD options.

Before login, you will need the connectivity details and to get that follow the below steps.

Get the server details to which you will connect. Make sure you get the server name instead of the database name. Sometimes people get confused. The server will have the naming convention as servername.Database.windows.net

Set up the server firewall in the Azure portal. Otherwise, you will not be able to connect with the server. It will throw an error.

To set up the Server Firewall: Go to all resources and select SQL Databases, it will show up all the databases you have created in your subscription.

Select the database to which you want the connectivity. Let’s take an example of the selected database below. Once you click on your database (test01 in the example below), it will open up the blade for that specific database. Go to the "Set server Firewall" option as selected.

Here you can add the IP ranges and/or specific IP addresses from where you want the access allowed to this Database. In the below example, we are adding the Client IP (i.e. the IP address of the client from where you are accessing the Azure portal.

By default, there will be no IP added under the Client IP address section. Once you click on step 1, then it will populate the IP address of your machine. In the large organization, you can set up the start and end IP.

Note that there is a radio button to allow Azure services and resources to access this server, this will ensure the azure services can monitor your database performance to do analytics for the diagnostic operations. Once you click Save, you should be able to connect the Azure SQL databases using SSMS.

Azure SQL Basics - Creating Azure SQL Databases

Mon, 21 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

In my previous blog, I showed you how to search for Azure SQL databases. In this post we will see how to create the databases. To create the Azure SQL database, you need to know the subscription under you want to create the Azure SQL database.

Below is the first screen to start with the creation of the SQL database. Here you do the following:

Select the Subscription under which you want to create the SQL database.

You can select the Resource group from the dropdown of already created resource groups or you can create a new one as highlighted below. The next section defines the properties of the new SQL database.

Give the appropriate name of the SQL database

Select the already existing server under which you want to create the SQL database or you can create the new server.

Select ‘No’ under the SQL Elastic pool option. Select ‘Yes’ if you want your resources to be shared between multiple databases.

The next one is compute and storage, Azure automatically selected the basic one for me. In case you want more powerful resources, you can change this configuration by clicking on the Configure database link.

The next screen is for Networking. Leave be the default setting as shown in the below screenshot.

Next Screen is Additional settings. This screen is used to set the Collation of the SQL database, data source, and advanced data security. Data source by default is None. If you want to import the backup file of some existing database then select the Backup. If you select the ‘Sample’ option then AdventureWorksLT will be created as the sample database.

Database Collation keeps the default one until unless you have another collation to select based upon different regions.

Advanced Data Security: Azure charges extra if you select this option. For the time being, I am selecting as ‘Not now’. We will revisit this setting in detail in a later blog post.

The next screen is about Tags. Tags are used to categorize your resources. These can later be used in billing and automation etc.

The final screen is ‘Review + Create’. You can review all the options selected in previous screens and it will provide you the estimated cost per month based upon your selection. If you are ok with it then click on the Create button at the bottom of the screen.

You can see the progress at the top right-hand side.

Once the deployment is done, You can see the newly created databases under All services -> SQL databases.

Azure SQL Basics - Finding Azure SQL Databases in the Azure Portal

Sun, 20 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure SQL and Data Factory Basics - Index

Azure SQL Database is Microsoft's Platform as a Service (PaaS) offering for the Microsoft SQL Server Database. In the next few weeks, we will be going back to the basics and delving into this service from basic to intermediate. We will visit all it's nitty gritty's and understanding in detail what this service has to offer.

Let's start with where to find Azure SQL Databases with the Azure Portal.

Start by going to http://portal.azure.com and clicking on the “All services” as shown below.

It will open up the featured services on the screen as shown below. You can select the SQL Databases from the featured services and if it's not there then you can search in the search box as highlighted in the image.

The next screen will give the option to create SQL databases and you can see previously created SQL databases in the current subscription or selected subscription.

That's all there is to it.

Azure for AWS professionals - Networking - Azure - 05 Creating rules in NSGs and assigning NSGs

Thu, 17 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

In the last post, we created a new Network Security Group or NSG. Now in this post, we will work with these NSGs and create some rules. We will also check how to assign these to a subnet (or network interface) in Azure.

There are two types of rules that you define in an NSG:

Inbound Rules - these rules dictate what incoming traffic will be allowed.

Outbound Rules - these rules determine what outgoing traffic will be allowed.

You define the source and destination for each rule along with the protocol and port information. For inbound traffic, the destination will be the associated subnet or network interface. Similarly, for the outbound traffic, the source will be the associate subnet or network interface.

The rules in an NSG has a priority number. Smaller the priority, the higher in the order it is and it will be executed first. When inbound or outbound traffic hits the NSG then the rules are evaluated in the order based on their priority. If a matching rule is found, then the subsequent rules are NOT evaluated. The traffic is either allowed or denied, as per what is defined in the matching rule.

Navigate to your Network Security Groups (NSGs) and check the overview screen. You will notice that there are default rules for both Inbound and Outbound rules. These allow connectivity between subnets within the same virtual network. You can update these as well, but the best practice is to overwrite these by writing another rule with higher priority. Note that a lower number means a higher priority.

Adding Inbound and Outbound Rules

You can add/update the Inbound and Outbound Rules from the settings. Since these two are very similar, we will only be looking at the Inbound security rules. These are more important as these dictate who can talk to the VM from the outside world( i.e. out of your virtual network).

Click on the "Inbound security rules" option under the Settings menu. Check all the default rules. To create a new rule, click on the "+Add" button.

One Inbound rule consists of:

Source (IP address in CIDR format) and it's port ranges

Destination (IP address in CIDR format) and it's port ranges

Protocol for the communication

Action - this is either allow or deny and based upon this select the traffic will be either allowed or dropped

Priority - a number depicting the priority of a rule in NSG. Lower this number, higher the priority of a rule

Provide a name and description for the rule as well.

For defining Source or Destination you have various template options that you can choose from. These include:

Any

IP Addresses

Virtual Network

Application security group

That's it! Hit create and the NSG rule is ready.

Assigning the NSGs

These NSGs can be assigned at two levels:

Subnet level - At this level, all the inbound and outbound rules in the NSG are applied to all the Network Interfaces (i.e. VMs) inside the subnet.

Network Interface level - At this level, the rules only apply to that particular network interface and other interfaces are not affected.

Simply navigate to either one of those as per your requirements. In the below screenshot, we are at the subnet level. Click on the "+Associate" button. In the popup select the virtual network and the subnet in it, with which you want to link this NSG. Hit Save to save these configurations.

That's it! You are all set. Now you can control the traffic via NSGs and allow only the traffic that adheres to the standard at your organizations with utmost importance to security aspects.

Azure for AWS professionals - Networking - Azure - 04 Creating Network Security Groups

Mon, 14 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Network Security Groups or NSGs are kind of a firewall, where you define what traffic will be allowed and what traffic will be blocked.

Note that whereas AWS has Network ACLs at the subnet level and Security Groups at the EC2 instance level, Microsoft Azure only has NSGs. These can be applied both at the subnet level as well as at the network interface level (i.e. VM level). The way these are designed, they resemble Network ACLs a lot.

You start by navigating to all services -> Networking category -> Network security groups.

All your existing NSGs are listed here. To create a new one click on the "+Add" button.

Provide the subscription and resource group for the NSG. Also, provide a name and the region where the NSG will be deployed.

Provide the tagging information to better categorize the resources.

Review all the settings and hit create.

Now that the NSG is created for us we will see how we can define rules in this and assign it to subnets or network interfaces, in the next post.

Azure for AWS professionals - Networking - Azure - 03 Service Endpoints

Sun, 13 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Service Endpoints in Azure Virtual Networks provide the ability to connect to various Microsoft public services (like Azure SQL and Azure storage) securely. From official documentation: "The endpoints also extend the identity of your VNet to the Azure services over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.".

When you enable Service Endpoints, the IP address for a Microsoft service, switches from a public IP address to a private IP address. If you have any firewall rules in place then those will need to be updated. E.g. a VM connecting to a Microsoft Azure SQL database.

Note that a service endpoint is always enabled on a Subnet level.

To begin, navigate to the Virtual Networks and select the virtual network you require. Under settings menu, click on the "Service endpoints". To create a new service endpoint click on the "+Add" button.

You are prompted to enter a service. You can pick from one of the service available. Microsoft.Storage and Microsoft.Sql are the most common use cases from the list. Microsoft keeps updating this list over a period of time.

Once the service is selected, next select the subnet for which you want to enable the service endpoint. Hit Ok and you are done. It will take some time for the configurations to finish at the backend, but now you will have connectivity from your network to the service leveraging private IP addresses internally (instead of public IP addresses).

For more information check this link: Virtual Network service endpoints

Azure for AWS professionals - Networking - Azure - 02 Working with Virtual Networks (vNets) and Subnets

Sat, 12 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

In this post, we will start working with the Virtual Networks (or vNets) and Subnets. To start, navigate to all services and then go to the Networking category. Find the option for Virtual network (the very first option) and click on this. All your vNets will be listed here. Find the one on which you want to work and click on the same.

Under the Settings category, you will find the option for "Address space". This is where you can view the complete address space for your virtual network. Also, this is where you can expand your virtual network by adding more address spaces.

Next up, you have:

Connected Devices - These are all the network interfaces (i.e. NIC cards on the virtual machines or VMs) that are connected to this virtual network. You can also filter through the data by name or even IP address.

Subnets - All the subnets on the virtual network are listed here.

Adding Subnets - You can add more subnets to the vNet by clicking on the "+ Subnet" button. E.g. you can have a subnet hosting an internet-facing application. And then you can have another subnet, hosting a database, that will only be accessible from the application.

IPv4 available addresses - These are the number of IP addresses available in a subnet. This gives you an indicator of how many devices can connect to a subnet and when your subnet is about to fill up.

There is much more that can be done on a virtual network and we will keep on exploring the key areas that will be most useful to you.

Azure for AWS professionals - Networking - Azure - 01 Creating Virtual Network

Thu, 10 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Microsoft Azure's virtual network capabilities as part of the Infrastructure as a Service (IaaS) offering is called Virtual Network or unofficially known as vNet. It provides connectivity between various virtual machines (or VMs) in that network. It can also extend the connectivity to other networks. You can also extend the virtual networks to your on-premises networks.

In this post, we will be creating a new Virtual Network. To start creating the virtual networks, click on the 3 lines on the top left and then click on the "+New" button. Here click on the Virtual Network option under the Networking category.

Alternatively, you can navigate to all services and then go to the Networking category. Find the option for Virtual network (the very first option) and click on this. All your vNets will be listed here (as shown below). You can click on the "+Add" button to create a new virtual network.

To start with, provide the subscription and the Resource Group details. Provide a name for the virtual network and also the region where you want this to be deployed.

The second screen is the most important in the wizard. This is where you define the address spaces for your vNet in CIDR notation. You also define your subnets here. Every virtual network should have at least one subnet.

In the next screen for security, you can enable the DDoS protection (i.e. protection from the DDoS attacks on your network) and Firewall (i.e. Azure Firewall).

Next, provide the tags to categorize your network resource.

Finally, review all the settings and create the virtual network.

Now that the virtual network is created for us, in the next few posts, we will start working with this and perform more tweaks and configurations.

Azure for AWS professionals - Networking - AWS - 06 Network ACLs vs Security Groups

Mon, 07 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Network ACLs (or Access Control Lists) and Security Groups are very similar in their functionality. Both are acting as a firewall and restricting the traffic. There are few key differences between the two that we need to understand so that we can create and apply this appropriately to any situation at hand.

Scope

Network ACLs are applied at the Subnet level. These restrict the traffic, coming in or out of the subnet. ACLs are therefore automatically applied to all resources (e.g. EC2 instances) in the subnet.

Whereas the Security Groups are applied at the EC2 instances level.

Network ACLs act as a secondary layer of defense. Also, if anyone forgets to apply Security Groups at the EC2 instances then Network ACLs assist in setting up standards in terms of allowed and blocked traffic in your environment.

(Image source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html)

Rule Types

In a Security Group, all the traffic is automatically denied. You can only define "Allow" rules. And the traffic is allowed as per these rules.

Whereas in Network ACLs you decide and configure for each rule if the traffic is Allowed or Denied

Rules Evaluation

In a Security Group, all rules are evaluated, regardless of their order, to determine what traffic is allowed. As all traffic is denied by default and you can only specify allow rules (with no priority or rule number), all the rules need to be evaluated to determine if the traffic is allowed or not.

In contrast, in Network ACLs, the rules are evaluated in order. If a matching rule is found for the traffic, then subsequent rules are NOT evaluated and the traffic is either Allowed or Denied as mentioned in the first matching rule.

Statefulness

A Security Group is Stateful. Return traffic is automatically allowed, regardless of any rules. In contrast, the Network ACLs are Stateless. Return traffic must be explicitly allowed by the rules.

For more information please check the official information here: Internetwork Traffic Privacy in Amazon VPC

Azure for AWS professionals - Networking - AWS - 05 Security Groups

Sun, 06 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Security Groups are another security feature in AWS Virtual Private Clouds (VPCs). It is like a firewall that restricts the traffic at the EC2 instance level. These are applied to the EC2 instances. Once the traffic is filtered by the Network ACLs at the subnet level, it is then filtered further by the security group.

NOTE: All the traffic is automatically denied in a Security Group. Only the traffic defined in a security group is allowed to EC2 instances.

To access the security groups, navigate to the VPC section in AWS and then click on the "Security Groups" option in the Security menu on the left. You can view all your security groups here. Select one and view its properties in the bottom panel. These properties include Description, Inbound rules, Outbound rules, and Tags. You can either right-click on the security group or click on the Actions button to view the action that you can take on this security group. The key actions we are interested in includes:

Edit Inbound rules

Edit Outbound rules

"Edit Inbound rules" option is to edit the inbound rules. These govern what traffic will be allowed coming into the EC2 instances. Each rule contains:

Type - this determines the protocol or type of traffic. You have loads of pre-defined types, or you can add a custom option from the list

Protocol - this is determined by the type

Port Range - this is also dependent on the type selected. For pre-defined types, this is auto-populated. For custom type, you can define a custom port range.

Source - this is the place from where the communication will originate (that is coming into the associated subnet). You can have source as Anywhere or can define a custom IP address range via a CIDR

Description - description of the rule.

"Edit Outbound rules" option is to edit the outbound rules. These govern what traffic will be allowed coming out of the EC2 instance. These rules are very similar to the inbound rules. The only difference is that now the traffic is originating from the EC2 instance and is going outbound. Hence we need to specify a Destination (instead of a Source) while defining the outbound rules.

Please Note that just like for Network ACLs, in a Security Group the address "0.0.0.0/0" means all IP addresses. This can be used for Source in inbound rules or Destination for outbound rules if the exact IP address or IP address range is unknown. Although this should be used with caution. As a best practice, this should be avoided at all costs and should be replaced with as small IP address ranges as possible.

Azure for AWS professionals - Networking - AWS - 04 Network ACLs

Fri, 04 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Network ACLs or Access Control Lists is like a firewall for your subnets. There are inbound and outbound rules defined in these ACLs that determine what traffic is allowed in a subnet and what traffic will be blocked. These are great for the security of your network.

To access the Network ACLs, navigate to the VPC section in AWS and then click on the "Network ACLs" option in the Security menu on the left.

You can view all your ACLs here. Select one and view its properties in the bottom panel. These properties include Details, Inbound rules, Outbound rules, Subnet associations and Tags. You can either right-click on the ACL or click on the Actions button to view the action that you can take on this ACL. The key actions we are interested in includes:

Edit Subnet associations

Edit Inbound rules

Edit Outbound rules

"Edit Subnet associations" option is to edit the linking of ACL to a subnet. You can associate an ACL to one or multiple subnets.

"Edit Inbound rules" option is to edit the inbound rules. These govern what traffic will be allowed coming into the subnet. Each rule contains:

Rule number or Rule # - this is the order in which the rules are executed.

Type - this determines the protocol or type of traffic. You have loads of pre-defined types, or you can add a custom option from the list

Protocol - this is determined by the type

Port Range - this is also dependent on the type selected. For pre-defined types, this is auto-populated. For custom type, you can define a custom port range.

Source - this is the place from where the communication will originate (that is coming into the associated subnet)

Allow/Deny - this determines if the inbound communication defined by your rule will be allowed or denied.

"Edit Outbound rules" option is to edit the outbound rules. These govern what traffic will be allowed coming out of the subnet. These rules are very similar to the inbound rules. The only difference is that now the traffic is originating from within this subnet and is going outbound. Hence we need to specify a Destination (instead of a Source) while defining the outbound rules.

Please Note that the address "0.0.0.0/0" means all IP addresses. This can be used for Source in inbound rules or Destination for outbound rules, if the exact IP address or IP address range is unknown. Although this should be used with caution. As a best practice, this should be avoided at all costs and should be replaced with as small IP address ranges as possible.

Introducing Azure VMware Solutions

Wed, 02 Oct 2019 00:00:00 +0500

Microsoft and VMWare have been competitors in the private cloud space. But in the public cloud space, this is no less than revolutionary to see VMWare VMs being supported on the Microsoft Azure platform. These solutions help customers to extend (and maybe move) their on-premises VMWare environments to Azure.

When you go to create a new resource, search for VMWare and you will see the following 3 solutions:

VMware Solution by CloudSimple - Service - enables you to consume dedicated VMware Cloud environments on Azure.

VMware Solution by CloudSimple - Node - dedicated, isolated Azure bare metal infrastructure to create native VMware Cloud environments on Azure.

VMware Solution by CloudSimple - Virtual Machine - unified, consistent management of Virtual Machines deployed on your VMware Cloud.

For more information please check this link: Azure VMware Solutions

Azure for AWS professionals - Networking - AWS - 03 Route Tables

Wed, 02 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

A Route Table is just as the name suggests, it is a table consisting of the routes. This determines how the traffic is routed between the subnets and even out of the virtual network. Each entry in this table is called a "route". When you create a VPC, one main route table is automatically created for your VPC and is associated with the subnet of the VPC. You can create custom route tables. E.g. you may want to send all traffic to a network virtual appliance i.e. a firewall. You may have Palo Alto or CheckPoint or any other firewall in your environment and you want the traffic to route via that firewall. You can achieve this via route tables.

To start, navigate to your VPC section in AWS. Then from the left menu, click on the "Route Tables" option. You can create a new table here as well by clicking on the "Create route table" button. For now, we will work with an existing route table on our VPC. Select the route table that you want to view the details or edit.

At the bottom panel, you will be able to view the following settings for the selected route table:

Summary

Routes

Subnet Associations

Edge Associations

Route Propagation

Tags

You can also either right-click on your route table or click on the Actions button to view the options related to this route table. Two options that we are interested in are:

Edit subnet associations

Edit routes

Under the "Edit subnet associations" section, you can view the currently associated subnets. You can also link other subnets to the selected route table.

Under the Edit routes option, you can edit the current routes and can also add new routes to the route table. A single route simply defines a Destination, Target, Status and Propagated. The destination is where the traffic (that originated in your subnet) is headed. A destination of "0.0.0.0/0" means all traffic. Note that all zeros i.e. all traffic-related route should be the last one. These routes are evaluated in order.

If the traffic is destined for an IP address that is defined by 1st rule, then it will be sent to the device defined by the Target value of the route. The value "local" for the Target means to allow the traffic and keep it local, instead of sending anywhere else. You can also send the traffic to virtual appliances and gateways here.

Routes tables are very powerful in determining how the traffic will flow in your environment and should be designed appropriately and tested thoroughly.

Azure for AWS professionals - Networking - AWS - 02 Working with VPCs and Subnets

Tue, 01 Oct 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Once we have a Virtual Private Cloud or VPC in AWS, we can now start getting familiar with the AWS console options and how to work with VPC and the subnets in it.

We will first need to navigate to VPC from All services and then the "Network & Content Delivery" category.

From the Dashboard, you can navigate to the "Your VPCs" option. Next, you select your VPC from the list of all VPCs. As a best practice, you should provide names for all the VPCs. As you can see from the screenshot below, the first VPC has a name but the second one does not. To provide a name you can simply hover over that VPC in the name column and it will give you an option to edit and provide a new name.

Once you have selected your VPC, you can view it's Description, CIDR blocks, Flow logs and Tags related details at the bottom part of the screen.

Next, you have your VPC selected, either right click on your VPC or click on the Actions menu at the top to view list of actions that you can perform on your VPC. One of this action is very useful. This is to "Edit CIDRs".

While editing CIDRs, you can add a new CIDR by clicking on the "Add IPv4 CIDR" button. You will do this (for example) if the number of available IP addresses are enough and for increasing demand, you need to expand your VPC.

For every VPC you have multiple Subnets under that VPC. You can view these under the Subnets menu from the left. As a best practice, here too you should have a name for each of the subnets. As you can see from the below screenshot, only one subnet has a name. When you select a subnet you can view it's details in the bottom part of the screen. These details include:

Description

Flow Logs

Route Table

Network ACL

Tags

Sharing

You can also right-click on the selected subnet or click on the Actions button at the top to view the list of actions that you can perform on this subnet. Most important ones are for:

Edit network ACL association

Edit route table association

We will look at other services related to VPCs and Subnets in the next few posts.

Azure for AWS professionals - Networking - AWS - 01 Creating Virtual Private Cloud (VPC)

Mon, 30 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Virtual Private Cloud or VPC is Amazon's virtual network capabilities as part of the Infrastructure as a Service (IaaS) offerings. It provides connectivity between various EC2 instances in that network. It can also extend the connectivity to other networks or even on-premises.

Accessing VPCs and Launching Create Wizard

Let's start by creating one in AWS. We will first need to navigate to VPC from All services and then the "Network & Content Delivery" category.

Here in the Dashboard (or even the VPC tab), click on the "Launch VPC Wizard" button to launch the wizard to create a new VPC.

Different Pre-packaged Networking Scenarios

When the wizard launches to create a VPC, there are 4 pre-packaged scenarios to choose from. Note that these scenarios can be built by performing the settings manually and building VPCs separately. These are just like the starter packs (or pre-baked templates) to get you started.

The first one is to build a VPC with a Single Public Subnet. Here is the official description: "Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet. Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to your instances."

When you select this option it creates: A /16 network with a /24 subnet. Public subnet instances use Elastic IPs or Public IPs to access the Internet.

The next one is to build a VPC with Public and Private subnets. Here is the official description: "In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet. Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT)."

When you select this option it creates: A /16 network with two /24 subnets. Public subnet instances use Elastic IPs to access the Internet. Private subnet instances access the Internet via Network Address Translation (NAT). (Hourly charges for NAT devices apply.)

The 3rd one is to build a VPC with Public and Private subnets and Hardware VPN access. Here is the official description: "This configuration adds an IPsec Virtual Private Network (VPN) connection between your Amazon VPC and your data center - effectively extending your data center to the cloud while also providing direct access to the Internet for public subnet instances in your Amazon VPC."

When you select this option it creates: A /16 network with two /24 subnets. One subnet is directly connected to the Internet while the other subnet is connected to your corporate network via IPsec VPN tunnel. (VPN charges apply.)

The last one is to build a VPC with a Private subnet only and Hardware VPN access. Here is the official description: "Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet. You can connect this private subnet to your corporate data center via an IPsec Virtual Private Network (VPN) tunnel."

When you select this option it creates: A /16 network with a /24 subnet and provisions an IPsec VPN tunnel between your Amazon VPC and your corporate network. (VPN charges apply.)

For this post, I have selected the first scenario and clicked Next.

Providing Key Details for VPC

In the next screen, you provide all the essential details to create your VPC along with the dependent resources like it's subnets etc. These settings are as follows (numbering follows the numbers in the screenshot below):

IPv4 address space for the whole VPC. This is provided in the CIDR notation.

Once you enter the IP address space for the VPC, this area shows you the number of available IP addresses. These are the maximum number of network interfaces that can join this virtual network (or EC2 instances that have these network interfaces). Note that this number is a little less than total number of IP addresses in the CIDR notation. This is because some IP addresses are reserved by AWS for it's own functionality.

A name for the VPC to identify it

Subnet's IPv4 CIDR address space. This should be contained inside the CIDR for the VPC and should be smaller than that. A subnet is a sub-part of the VPC and therefore will have lesser number of IP addresses than the complete VPC.

A name for the subnet

Service Endpoint, that allows your VPC to connect to a service like S3. You can set this up at a later point if you need.

Enable DNS hostnames to allow DNS hostnames for the instances that can be connected using these hostnames instead of just IP addresses.

Once you are done configuring, hit create to create the VPC. Now that we have a VPC we will start working with it next.

Azure for AWS professionals - Networking - Azure Virtual Networks vs AWS Virtual Private Cloud (VPC)

Sun, 29 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Microsoft Azure and Amazon's AWS cloud platforms provide networking as part of the Infrastructure as a Service (IaaS). Both provide similar services with some differences in the implementation of these services. Microsoft has named it's service as "Virtual Networks", whereas Amazon calls its service as "Virtual Private Cloud" or most commonly called as "VPC".

Both Microsoft Azure Virtual Networks and AWS VPC have "Subnets" inside a network. The VMs in Azure or EC2 instances in AWS has network interfaces that connects to the subnets within the Virtual Networks (or VPCs) and receive an IP address from that subnet. The traffic route inside these networks is governed by "Route Tables".

Traffic restrictions are implemented slightly differently in the two platforms. Microsoft Azure has "Network Security Groups". These can be applied at either Subnet or Virtual Machine level. Whereas AWS has Network Access Control Lists or ACLs that are applied at the subnet level. Also, AWS has Security Groups that are applied to the EC2 instances.

Accessing Microsoft Azure Virtual Networks

To view Virtual Networks in Azure, navigate to All services and then "Virtual Networks" under the Networking category.

Accessing AWS Virtual Private Clouds or VPCs

To view the VPCs, navigate to All Services and then click on VPC under the Networking category.

We will be looking at how to work with these services in detail in the next few posts.

For more information, click on the below official links: Azure Virtual Network Amazon Virtual Private Cloud

Azure for AWS professionals - Storage - AWS - 07 Setting up Access Points on S3 bucket

Sat, 28 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Access points can be used to provide access to your bucket securely from a network (VPC) or from the internet. To access bucket resources from a VPC access point, you’ll need to use the AWS CLI, AWS SDK, or Amazon S3 REST API.

To create a new access point, navigate to your S3 bucket and navigate to the "Access points" tab. Click on the "+Create access point" button.

Provide a name for the access point. Select if you want to create this access point for a virtual network (VPC) or the internet. If you select the former then provide an ID for the VPC.

That's all there is to it. Now you are ready to access your S3 bucket securely from a VPC.

For more information click here: Creating Access Points Restricted to a Virtual Private Cloud

Azure for AWS professionals - Storage - AWS - 06 Configuring replication on S3 buckets

Wed, 25 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

For any S3 bucket with critical objects, you should always set up the data to replicate to a different bucket in a different region. You can do both cross-region replication or same-region replication using the replication rules.

To begin, navigate to your S3 bucket and click on the "Management" tab. Then click on the "Replication" settings. Click on the "+ Add rule" to create a new rule.

Pre-requisite: Versioning is a pre-requisite on the S3 bucket for you to be able to set up replication. If you haven't done so the wizard will give you an option to enable this setting here.

Next, while setting sources, you can either set to replicate all the objects in the bucket or filter objects to be replicated based on the prefix or tags that they have.

Next, you have to select a destination bucket. This can be in the same region or a different region. This can even reside in a different account altogether.

If you don't have any bucket in the destination then you can create one right here while setting the destination.

While creating a new destination bucket, you can set its options like Storage class, object ownership, replication time control, etc.

Next up we have IAM role using which the data will be replicated. This should have appropriate access in both source and destination.

Finally, you review and create the replication rule.

Once the rule is set up the data will start getting copied over and protected.

Azure for AWS professionals - Storage - AWS - 05 Adding Lifecycle Rules for S3 buckets

Sat, 21 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

When you have object i.e. files in your S3 bucket, you are essentially paying for the space that these objects take up. After a certain period of time, you will either no longer need these objects or you may want to archive these. If we keep them lying and take actions manually then there are chances that we forget about these and end up paying for the extra space. Lifecycle within S3 buckets is a way to set an expiration date to the files and take automated actions at the expiration.

To start you navigate to your S3 bucket and go to the Management tab. Click on the Lifecycle here. To create a new lifecycle rule click on the "+Add lifecycle rule" button. A new popup launches to set up a new rule. You can have as many rules as you want.

To set up a lifecycle rule, set up a name for this rule. Also, set up a scope for this rule. You can either apply this rule to all objects in the S3 bucket or reduce the scope by using prefixes for the names or leveraging tags.

Transitions is the setting for moving the storage objects from one storage class to another. In the example below, the transition is set from Standard storage to Standard-IA after 90 days. You can set more transitions here. E.g. you can move the data to Glacier storage after 180 days.

Under Expiration settings, you can set the objects to delete after a certain period of time.

Finally, review the settings and create the lifecycle rules.

Setting up lifecycle rules is a great way to optimize costs in the longer run. It is a best practice to set up a policy at your organization and adhere to that for every bucket. It may seem like an extra but can help save costs big time.

Azure for AWS professionals - Storage - AWS - 04 Setting Permissions on S3 Bucket

Thu, 19 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

You can manage the access to the S3 bucket at a much granular level through its permission settings. You can access its settings by navigating to the S3 bucket and clicking on the "Permissions" tab.

Here you have the option to modify:

"Block public access" related policies

Access Control Lists - modifying and creating them

Bucket policies

CORS configurations - i.e. Cross-Origin Resource Sharing for HTTP access

The "Block public access" policies are those that you set up while creating the S3 bucket. You can modify these settings here by clicking on the Edit button and can set this up at a granular level.

You can set up much more granular access for the below using Access Control Lists:

Bucket Owner

Public access

S3 log delivery group

You can set up or revoke the access for below operations:

List objects

Write objects

Read bucket permissions

Write bucket permissions

Azure for AWS professionals - Storage - AWS - 03 Configuring S3 Bucket Properties

Wed, 18 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

There are various settings on the S3 bucket that you can either toggle or configure. These properties can make your S3 bucket more secure or optimize performance or can help you to manage it better.

To access these properties, simply navigate to your S3 bucket and click on the Properties tab.

When you click on anyone, it expands to show the details. Many of the properties are simply toggle switches. Others require a bit more configuration.

Below you can view the settings for;

Versioning - allows you to keep a history of the changes. This is required as a pre-requisite for some features (that we will discuss in upcoming posts)

Server access logging - to log all events at the Server level

Static website hosting - This is one of the most useful feature of S3 buckets that is not available in Microsoft Azure. If you have a static website, i.e. simple HTML pages with no database etc. you can provide this as a website by simply copying all your files to a bucket and enabling this option. It provides you with a public URL that you can use to browse your website, starting with a startup page.

Object-level logging - to log all events at the object level i.e. at the level of each file. It uses CloudTrail service which should be deployed in the same geo region as the bucket.

Below is the setting for:

Default encryption - You can select to encrypt your objects i.e. all files in the bucket using either AES-256 or AWS-KMS.

You can scroll further down to access more advanced settings like:

Object lock - prevents objects from accidental deletion

Tags - to organize resources and get better-categorized cost reporting

Transfer acceleration - enables optimizations to transfer data at fast speeds

Events - to set up notifications for specific events on the bucket

Requester pays - using this option, the requester pays for the data access instead of the owner of the data

Properties tab allows you loads of customizations on your S3 bucket in terms of how your data is stored and how it is accessed.

Azure for AWS professionals - Storage - AWS - 02 Working with S3 bucket and uploading files

Tue, 17 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Once you have an S3 bucket in AWS, you can start uploading files to it and working with it. In this post, we will start working with the S3 bucket we created in an earlier post and will start uploading files to it.

To start, simply navigate to the S3 service and click on your bucket. It will take you to the Overview screen.

The first thing you should do is to create a folder. As a best practice, try to organize your files systematically as much possible. While creating the folder, you can set it's encryption settings.

Once inside the folder (or even from the root level), you can create more folders or directly upload files by clicking on the Upload button. This launches the upload files wizard. Simply drag and drop your files and folders here to start the upload.

You not only just upload files but set some properties to it that we will visit next.

Next, you set the permissions for the uploaded files. This defines who gets access to the files.

You can set the storage class for the files uploaded. Standard is the default option. There are various other options that you can choose from based on your performance and cost requirements. Glacier storage tier is for the archival data, that is not available immediately but you can keep it archived for a long period of time. Note that you are billed based on your selection here so make sure that you select the appropriate Storage class.

Scroll down to view more properties for Encryption, Metadata, and Tagging.

Finally, review all the settings and hit the Upload button to upload the files.

Once the files are uploaded, you can select on each of these files and access a lot of actions from the "Actions" menu. These include downloading the files, changing it's storage class, adding tags, deleting it, etc.

Now that we have started consuming the S3 bucket and it has some files in it, in the next few posts, we will delve a little deeper into the settings of an S3 bucket and it's functionality.

Azure for AWS professionals - Storage - AWS - 01 Creating Simple Storage Service or S3 buckets

Sun, 15 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

AWS Simple Storage Service or S3 is the managed service provided by the AWS environment for storing your blobs like your photos, videos, and any other files. In this service, you create S3 buckets as resources. These are very similar to Microsoft Azure storage accounts.

To start, navigate to S3 service from All services.

Here you will see the option to create a new bucket. Click on the button to get started.

Provide a name and region for the bucket. Note that the name can only contain small letters and numbers and has to be unique within AWS space. The region should be closer to where you or your customer is located.

When you scroll down you have settings to control the access to the S3 bucket. Default is to "Block all public access". You can tweak the settings and select more granular access by unchecking the main checkbox and then selecting the ones that applies to your situation.

Also, to help prevent accidental deletion of your data you can enable the object locks on the S3 bucket.

Once you hit the create button, the bucket is created for you. Next, we will start working with this S3 bucket.

Azure for AWS professionals - Storage - Azure - 05 Configuring Firewall and vNet access on Storage accounts

Tue, 10 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

To secure access to your Microsoft Azure Storage accounts, you can configure a firewall on these. You can allow only particular IP addresses or an address range (specified in CIDR format). Also, instead of specifying IP addresses you can configure access to only specific virtual networks (vNets) in your environment and therefore restrict access to other vNets.

To access these settings, navigate to your storage account and under the settings, click on the "Firewall and virtual networks" option.

Here you have multiple options and ways to configure the firewall. Let's look at these in a systematic way:

First, you can either leave the access open to all networks or limit it to a specific virtual network. If you select the latter option, you should also select your virtual network for which you want to provide access. You do so by clicking on the "+Add existing virtual network" option. It will open up a new blade and here you can find your existing vNet and add the same.

Next, you configure the Firewall and add IP addresses or a range of IP addresses (in CIDR format) for which the access needs to be opened up

Finally, you have the exceptions. Unless the data is very critical and confidential, I recommend that you should always allow access to the Microsoft services by selecting the first checkbox. It should be automatically checked by default. You can also allow access to storage account logging and metrics from any network here.

Firewall and vNet access is generally overlooked option. But you should always configure this in your environment to secure access to your storage accounts.

Azure for AWS professionals - Storage - Azure - 04 Securely Accessing Storage Accounts

Sat, 07 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

When working with Microsoft Azure Storage accounts, you will need to access these accounts either from a program or programmatically from a script or code. There are two primary ways to securely access your storage accounts. In this post, we will review these and find out how to access their settings from the portal.

Access Keys

The first is to use the Access keys. Linked to every storage account, there are two access keys. These are referred to as primary and secondary keys or simply key1 and key2. To access these keys, navigate to your storage account and then click on the "Access keys" under settings. Note that you only need one key (anyone) to be able to connect to the storage account. Now when you are using a tool like Storage Explorer or PowerShell scripts to connect to your storage account, you can use this key along with the name of the storage account to connect and perform operations.

Note that these keys are like keys to the kingdom for your storage accounts. You can't tweak the control and restrict it in any way. These keys are meant only for the administrators and should not be used by anyone else. You also can't set any kind of expiry on these keys. So once somebody has these keys they can keep on using these to access the storage accounts. The only way to change is to access the keys and click on the refresh arrow symbol next to the key1 or key2 text to regenerate these keys. As a best practice, you should always use SAS tokens i.e. Shared Access Signature keys to perform any operations.

Shared Access Signature (SAS tokens)

SAS tokens are the way you should be accessing the storage accounts, programmatically or otherwise. These are what you should be using (with an expiry date) to give temporary access to anybody in your organization or even outside if there is any sensitive data on your storage accounts.

From official page: "A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you grant them access to a resource for a specified period of time. An account-level SAS can delegate access to multiple storage services (i.e. blob, file, queue, table). Note that stored access policies are currently not supported for an account-level SAS."

Once you tweak all the settings for what kind of access you want to provide, then click on "Generate SAS and connection string" it will generate a Shared Access Signature (SAS token), and a connection string and various URIs using that SAS token. These URIs for storage account's blob, file share, tables and queue services.

Now you know the best way to connect to your storage accounts securely. Depending upon your situation ensure to use the correct approach. If in confusion, always go with Shared Access Signatures.

Azure for AWS professionals - Storage - Azure - 03 Event driven automation of Azure Storage accounts

Tue, 03 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Microsoft Azure Storage accounts generate various events. You can automate these events and can take action when these events occur.

Build reactive, event-driven apps with a fully managed event routing service that is built into Azure. Event Grid helps you build automation into your cloud infrastructure, create serverless apps, and integrate across services and clouds.

Few examples could be:

When a user uploads a large video file, a time-to-live value is assigned to that file and that file can either be archived or deleted after that time.

If some image is uploaded then immediately you can run Optical Character Recognition (OCR) on the image and can capture the data into a database.

If someone uploads a document file then automatically that is processed and the details captured can be input into a database if the document adheres to a certain format

Generating transcripts for video uploads etc.

Note that this feature is available out of the box in V2 storage accounts. To access, simply navigate to your storage account resource and click on the Events option.

The solution actually leverages other Azure resources to provide this automation. Some of these include:

Azure Event Grid - it has built-in support for events coming from Azure Storage blobs

Azure Logic Apps (serverless workflow and integration)

Azure Functions (serverless code)

You create a subscription to Event Grid. It receives the event notification and passes the information to the handlers to take some actions. Logic Apps and Azure Functions are two such handlers where you can write the automation. We will delve deeper with an example in a future post.

Azure for AWS professionals - Storage - Azure - 02 Data Transfer Options

Sun, 01 Sep 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

When you have a Storage account in Microsoft Azure, you want to transfer data to the blob storage to consume the storage. The initial data transfer can be huge and you want to optimize this data transfer.

Navigate to your Storage account and click on "Data transfer" setting to view all the options that you have. Use this section to define your estimated data size for transfer, approximate estimated network bandwidth and transfer frequency. Based on your selection this wizard will show you relevant options that will best suit you to transfer your data.

Let look at these options closely. The options you have are discussed below.

1. AzCopy

This is a command-line utility that allows the scripted or programmatic transfer.

A command-line data transfer utility

Copy data to and from Azure blobs, files, tables

Best use: Resilient bulk data transfer at high throughput

You can learn more about this service here: AzCopy

2. Azure PowerShell or Azure CLI

These are actually two different options for scripted or programmatic transfer.

A command-line interface to manage Azure Resources

Best use: Build scripts to manage Azure resources and small data sets

Azure PowerShell installs on Windows or use in browser with Azure Cloud Shell

Azure CLI installs on macOS, Linux, Windows or use in browser with Azure Cloud Shell

You can learn more about Azure PowerShell here: Azure PowerShell You can learn more about Azure CLI here: Azure CLI

3. Directly from the Azure Portal

This is the easiest option from all the options as using this you are directly uploading the data from the Azure portal.

A web-based interface

Explore files and upload new files one at a time

Best use: If you don’t want to install tools or issue commands

You can learn more about this service here: Data transfer for small datasets with low to moderate network bandwidth

4. Azure Data Factory

Here you are using managed data pipelines and have the most control over your data coming into the Azure storage account.

A hybrid data integration service with enterprise-grade security

Create, schedule, manage data integration at scale

Best use: Build recurring data movement pipelines

You can learn more about this service here: Azure Data Factory

5. Azure Storage Explorer

Another Graphical interface (GUI) option provided through a standalone software utility that you can install on your laptop or desktop.

A GUI-based cross-platform client

Upload or download from Azure blobs, files, tables, queues, and Azure Cosmos DB entities

Best use: Easy file management

You can learn more about this service here: Azure Storage Explorer

6. Azure Storage REST API/SDK

This option is directly leveraging the underlying APIs/SDK to transfer the data. This is a highly customizable option. You can even build your own utilities using this option. This option also allows for scripted or programmatic transfer by writing your own custom code to transfer the data.

Programmatic access to Blob, Queue, Table, and File services in Azure

Best use: Build your custom applications

You can learn more about this service here: Azure Storage REST API Reference

7. Azure File Sync

This is the continuous sync and site-local caching option.

Move files from a server to a cloud-native Azure file share with zero downtime

Up to 100 TiB capacity per Azure file share

Multi-site sync to multiple servers

You can learn more about this service here: Planning for an Azure File Sync deployment

8. Azure Data Box Edge and Data Box Gateway

Azure Data Box Edge is an on-premises device.

On-premises Microsoft physical network device. It supports SMB/NFS

Edge compute processes data in local cache before fast, low bandwidth usage transfer to Azure

Best use: Preprocess data, inference Azure ML, continuous ingestion, incremental transfer

Whereas, Azure Data Box Gateway is a virtual device, also sitting on-premises.

On-premises virtual network device in your hypervisor

Local cache-based fast, low bandwidth usage transfer to Azure over SMB/NFS

Best use: Continuous ingestion, cloud archival, incremental transfer

You can learn more about this service here: Azure Stack Edge

9. Azure Data Box and Data Box Disk

Azure Data Box is the offline transfer via a device.

Time to transfer: Typically 80 TB/order in 10-20 days

A 100 TB (80 TB usable) rugged, encrypted device shipped by Microsoft

Offline transfer to Azure Files, blobs, managed disks, over SMB/NFS/REST

Best use: Initial/recurring bulk data transfer for medium to large data sets

Azure Data Box Disk is very similar to Data Box. it is also offline transfer via a device (in this case a disk).

Time to transfer: Typically 35 TB/order in 5-10 days

A 40 TB (35 TB usable) set of up to five, encrypted, 8 TB SSDs shipped by Microsoft

Mount USB 3.0/SATA disks as drives for transfer to Azure Files, blobs, managed disks

Best use: Initial/recurring bulk transfer for small to medium data sets

You can learn more about Azure Data box service here: Azure Data Box

10. Azure Import/Export

This is another offline transfer device option. Key features are:

Ship up to 10 of your own disks to transfer data to and from Azure

Mount disks as drives for offline transfer to Azure Files, Blobs

Best use: Initial bulk transfer for small to medium data sets

You can learn more about this service here: Azure Import/Export

Azure for AWS professionals - Storage - Azure - 01 Creating Azure Storage Account

Wed, 28 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Note: This blog has been updated with Private endpoints feature and latest screenshots.

As we saw earlier, Microsoft Azure's Storage account is a managed service for storing your blobs like your photos, videos, and any other files. Microsoft has bundled below services within Storage Accounts:

Blob storage - to securely store your blobs like photos, videos, and other files, etc.

File shares - SMB file shares

Table storage - Tabular storage to store non-relational data

Queue storage - to scale apps

These are very similar to the AWS S3 buckets.

To access Microsoft Azure Storage Accounts, navigate to All services -> Storage category -> Storage accounts.

Here you can view all your existing storage accounts (if you have any). Click on the "+Add" button to create a new Storage account.

For the basic settings, start with selecting the right subscription and creating or using an existing Resource Group.

Provide a name for the storage account. The name can only contain small letters and have to be unique in Microsoft DNS space. Select the geo location for the deployment. Next, you have the performance setting between standard and premium.

You also select between the two account kinds. There is version 1 and version 2. For all new storage accounts select Version 2.

You decide the replication strategy and select the type of storage account based on the replication. You have options like Zone redundant storage (ZRS), Locally redundant storage (LRS), Globally redundant storage (GRS) and Read Accessible - Globally redundant storage (RA-GRS). For maximum replication, select RA-GRS.

Next, decide if you want Hot or Cool access tier. The default is Hot. Cool is for archival storage.

Under networking you have 3 options for connectivity:

Public endpoint (all networks)

Public endpoint (selected networks)

Private endpoint

The private endpoint is the latest option that assigns a network interface (and therefore a private IP address) to your storage account. With this you can access your storage account leveraging the nic card, securely from your virtual network, as if it was just another resource on that network.

Under advanced settings, you select the security, large file shares, data protection, data lake storage etc.

You can apply tags next to categorize the resource. It is optional but is highly recommended as a best practice.

Finally, review and create the storage account.

Azure for AWS professionals - Storage - Microsoft Azure Storage Accounts vs AWS Simple Storage Service (S3)

Sat, 24 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

For storing your blobs like your photos, videos, and any other files, both the cloud platform have great services to offer. AWS calls its service as Simple Storage Service or more popularly known as S3. Microsoft Azure calls its service as Storage Accounts. Microsoft has bundled below services within Storage Accounts:

Blob storage - to securely store your blobs like photos, videos, and other files, etc.

File shares - SMB file shares

Table storage - Tabular storage to store non-relational data

Queue storage - to scale apps

From all these services, Azure blob storage within Storage accounts is the key comparable service to S3.

To access AWS S3, you can do so by navigating to all Services and navigating to S3 under the Storage category as shown below.

To access Microsoft Azure Storage Accounts, navigate to All services -> Storage category -> Storage accounts.

We will review how to get started with each of these services in the next couple of blogs.

Azure for AWS professionals - Azure Managed Disks vs AWS Elastic Block Store (EBS)

Wed, 21 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Both Microsoft Azure and AWS provides a managed service for managing the disks of your virtual machine (or EC2 instance). It is the storage optimized for I/O intensive read/write operations. For use as high-performance Azure virtual machine storage. Microsoft Azure offering is called "Managed disk" whereas AWS calls it "Elastic Block Store (EBS) Volume".

AWS - Elastic Block Store (EBS) Volume

Let's look at AWS's offering first. When you create EC2 instances, you automatically get at least one volume (i.e. disk) for the OS disk. You can additionally add multiple volumes for the data disk. You can view all this data by navigating to EC2 and then under the settings go to the "Elastic Block Store" category. You will find your Volumes listed here.

There is also an option to view the Snapshots which shows you any snapshots taken on the volume, taken manually or from AWS Backup service.

Microsoft Azure Managed disks

Within Microsoft Azure, the disks of Virtual Machines or VMs used to be VHD files sitting on a Storage account (similar to S3 bucket). Microsoft upgraded its offering to Managed Disks with loads of granular controls and optimizations. These disks can be switched from standard HDD to premium SDD by just switching a value from a dropdown. You can also control role-based access control of individual disks (a feature that was not available before in Microsoft Azure).

You can find the managed disks under All services -> Compute category. Click on Disks to view all the disks in your environment.

If you want to view a specific disk on your VM then you can also navigate to your virtual machine and then find the Disks setting. The OS and any data disks will also be listed there.

When you click on any one of the managed disk, it takes you to the overview page and you can see various details about the disk including the "Owner VM" to which this disk is connected. You can directly take a snapshot of the disk from here.

Under settings of the disk, one notable setting is the Configuration of the disk. You can quickly select the Storage type and Size of the disk.

For more information, please use these links:

Azure managed disks

Elastic Block Store (EBS)

Azure for AWS professionals - Auto Scaling - AWS - 05 AWS Auto Scaling service

Mon, 19 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

AWS Auto Scaling is the latest offering from AWS that enables you to quickly discover all scalable resources in your environment and then set up application scaling for you. You can either choose one of the AWS recommended settings to optimize performance or cost or both. Or you can also define your own custom scaling conditions.

You start by navigating to the AWS Auto Scaling by going to All Services and then navigating to the Management and Governance section.

You can create multiple scaling plans here. Start creating your scaling plan by clicking on the "Get started" button.

Next, you find the scalable resources in the AWS environment. You can do so in various ways. You can search for resources on the AWS CloudFormation stack. Or you can search by Tags applied to the resources. Or you can directly select EC2 Auto Scaling groups.

As shown below, we have selected our auto scaling group, that we created in one of the previous blog posts.

In the next step, you have the option to specify the scaling strategy. You start by providing a name and then scroll down for more details.

You can either select one of the predefined auto scaling strategies optimized for availability or cost or both. You can even define your own Custom strategy and have more granular control over these settings.

Expand the Configuration details to view the applied settings.

Next up you have various advanced settings like dynamic scaling and predictive scaling. To configure, first, select your auto scaling group and then expand the category you want to tweak.

Finally, you review all the settings and create your scaling plan.

Once the scaling plan is ready, it will do most of the heavy lifting for you by automating the scaling in and scaling out of the instances based on the scaling strategies defined in your plan.

Azure for AWS professionals - Auto Scaling - AWS - 04 Creating Auto Scaling Groups - Part 2

Thu, 15 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

This is part 2 of the blog where we are creating the Auto Scaling Group in AWS. Let's dive right in, where we left off in the last blog.

Now we are at Step 3, here we define the optional Load balancing details and Health checks. Later is something you should always have configured as a best practice.

In Step 4 we will configure the group size and scaling policies. You provide a minimum and maximum no. of instances along with a desired capacity which becomes the default no. of instances.

Scrolling down you have the scaling policies. I recommend having a "Target tracking scaling policy". There are different criteria that you can configure. In the screenshot below, you have the policy based on the average CPU utilization.

You can configure various notifications on your auto scaling group next.

Finally, you have the option to configure tags on the auto scaling group.

Review all the settings and create the auto scaling group. That's all there is to it. Simulate some load on your application and monitor how the instances scale out and in compliance with your scaling policies.

Azure for AWS professionals - Auto Scaling - AWS - 04 Creating Auto Scaling Groups - Part 1

Wed, 14 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Auto Scale Groups is how you can have multiple instances hosting the same application running at the same time in AWS. This is what provides you with high availability for your applications deployed on EC2 instances in AWS. These scale in and out based on your scaling conditions. You can create auto scale groups in AWS using any one of the Launch Template or Launch configurations. Templates are the recommended way to go.

You start by navigating to the EC2 in AWS.

Scroll all the way down and navigate to Auto Scaling Groups. Click on the "Create Auto Scaling group" to start the creation wizard.

Right on the first screen, you provide a name for the Auto Scaling group. You also select if you want to use Launch Template or Launch Configurations. Whichever you decide you select the appropriate value from the drop-down.

Once you select the template it shows you detailed settings that are configured inside the template.

Under Step2, you configure the purchase options and instance types. You have the option of adhering to the template configurations as shown below.

Or you have the option of combining purchase options and instance types along with the settings from the template. You can provide cost optimization and instance type details here.

We are only halfway here. We will continue creating the Auto Scaling Group in part 2 of this blog.

Azure for AWS professionals - Auto Scaling - AWS - 03 Creating Launch Templates

Sat, 10 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Launch Templates is the information about how to create an EC2 instance. It has all the relevant information to launch a new EC2 instance. It contains other instance-level settings, such as the Amazon Machine Image (AMI), instance type, key pair, and security groups, etc. This helps you to provide a predictable and repeatable way of deploying multiple EC2 instances in your environment.

Please note that these provide similar functionality as Launch Configurations (which we will saw in the previous blog). Launch Templates is a new way of doing things. You can have multiple versions of a launch template but not for a launch configuration. Any new features are being added to the Launch Templates and that is what AWS recommends to use.

Launch Template (or Launch Configuration) is also required for creating Auto Scaling Groups in AWS.

Start by navigating to EC2 in AWS.

Navigate to the "Launch Templates" under the Instances category. If you will not have any templates here then you will be presented with the general information. Click on the "Create launch template" to start creating a new template.

You start by providing basic information like template name, version description,etc. Note that the version is one of the features that sets a launch template apart from a launch configuration in AWS. The later can not have any version.

If you want to use this template with the Auto Scaling then make sure to check the box to provide guidance as shown below.

Next provide the AWS Machine Image, Instance type details and Key pair information for login.

Next, you provide the networking details under Virtual Private Cloud to define the connectivity along with a security group. You also provide the Storage information.

Finally, you can add tags to your launch template. You also should configure at least one network interface for your EC2 instances. Click on "Create launch template" to create the launch template with all the selected settings.

Now that we have the Launch Template, we are ready to use it to create Auto Scaling Groups. We will check this in the upcoming blog.

Azure for AWS professionals - Auto Scaling - AWS - 02 Creating Launch Configurations

Mon, 05 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Launch Configuration is the configuration information about how to create an EC2 instance. It has all the relevant information to launch a new EC2 instance. It also contains other instance-level settings, such as the Amazon Machine Image (AMI), instance type, key pair, and security groups, etc. This helps you to provide a predictable and repeatable way of deploying multiple EC2 instances in your environment.

Please note that these provide similar functionality as Launch Templates (which we will check in the next blog). This is the older way of doing things. You can have multiple versions of a launch template but not for a launch configuration. Any new features are being added to the Launch Templates and that is what AWS recommends to use.

This (or Launch Template) is also required for creating Auto Scaling Groups in AWS.

You start by navigating to EC2 in AWS and then clicking on Launch Configurations under "Auto Scaling" category as shown below. Click on "Create launch configuration" to launch the wizard.

The first thing you do, similar to creating a new EC2 instance, is to select an AWS Machine Image or AMI.

Next, you select the Instance type. This defines your vCPUs and Memory for the underlying EC2 instance (that will be built using these configurations).

Next, you provide a name for your launch configurations. You can also configure to use Spot instances here to save on cost (for any non-critical workloads). You can also configure CloudWatch detailed monitoring.

Next up are the Storage settings. You update the settings for the OS disk and add more volumes if you need.

Next, you provide the security group configurations. You can create a new one or reuse one of the existing ones.

Finally, you review the settings and create your launch configurations.

Before the launch configurations can be completed, you are also prompted to provide a key pair to be used to authenticate.

That's it! Now you have a reusable configuration that you can use to build multiple EC2 instances in a predictable fashion.

Azure for AWS professionals - Auto Scaling - AWS - 01 All Related Resources for Auto Scaling

Sat, 03 Aug 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

AWS has various features that provide autoscaling features. Each resource type has it's unique functionality and these resources can work with each other.

These services are:

Launch Templates - the latest addition - this is a template for the EC2 instances. It has all the relevant information to launch a new EC2 instance. You can configure the compute, storage, networking, etc. inside your launch template. It also contains other instance-level settings, such as the Amazon Machine Image (AMI), instance type, key pair, and security groups, etc. This helps you to provide a predictable and repeatable way of deploying multiple EC2 instances in your environment.

Launch Configurations - this is very similar to launch templates. This is the older way of doing things. You can have multiple versions of a launch template but not for a launch configuration.

Auto Scale Groups - This is how you can have multiple instances hosting the same application running at the same time in AWS. This is what provides you with high availability. These scale in and out based on your scaling conditions. You can create auto scale groups in AWS using any one of the Launch Template or Launch configurations. Templates are the recommended way to go.

AWS Auto Scaling - This is the latest offering from AWS that enables you to quickly discover all scalable resources in your environment and then set up application scaling for you. You can either choose one of the AWS recommended settings to optimize performance or cost or both. Or you can also define your own custom scaling conditions.

In the next few blog posts, we will take a practical look at these resources and how to work with each of these.

Azure AD activity logs now integrated with Log Analytics in Azure Monitor

Thu, 25 Jul 2019 00:00:00 +0500

I believe that there should be a single pane of glass approach to monitoring in Microsoft Azure where you can monitor different aspects of Azure in one place. Microsoft's latest logs integration is a step forward towards this vision. Now Azure AD activity logs are integrated with the Diagnostics Logs for Azure Monitor and Log Analytics in Azure Monitor. These Azure AD logs can now be retained for long term as well, leveraging Azure Storage accounts.

One side benefit is that these logs can now be sent to any 3rd party SIEM tools as well.

To get started with this service, simply navigate to your Azure Active Directory and then scroll all the way down to Diagnostic settings. Click on "+Add Diagnostic Setting" to get started.

Select the log type for "Audit logs" and for destination select "Send to Log Analytics" and configure your workspace. Save your settings.

Now the Azure AD logs will start appearing in the Log Analytics workspace. You can query this data and can analyze the data in various ways as well.

For more information check this official blog on this functionality in detail:

Azure Active Directory Activity logs in Azure Log Analytics

How to set up the integration

Azure SQL Database now has a Serverless Compute Tier

Wed, 24 Jul 2019 00:00:00 +0500

Azure SQL Database now has a Serverless Compute Tier. Note that this option is only available with the newer vCore based pricing. This provides you with loads of advantages as this optimizes the pricing and enables all the goodness of the Serverless architecture for your SQL Databases.

The key points are:

The underlying compute resources (i.e. CPU and memory) are auto-scaled based on the demand

The billing is done on a per-second basis based on the usage of vCores

When you go to Configure pricing on your database (either during the creation or afterward from the settings), under the vCore based pricing model you now select the Serverless option.

For more information please check this link: Azure SQL Database serverless

Azure for AWS professionals - Auto Scaling - Azure - 04 Viewing the Run History of VMSS

Sat, 20 Jul 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

When you have an active Microsoft Azure Virtual Machine Scale Set or VMSS it is imperative that you monitor how your VMSS has been running over the period of time. This helps you tweak the autoscaling settings of your VMSS. You should monitor this continuously for any critical applications in your environment. Ideally, to begin with, this should be done in a test or QA environment with a simulated load on your application running for a long period of time. And then you should keep doing this in upper environments as a best practice.

To access this setting, navigate to your VM scale set and navigate to the "Scaling" option under the Settings menu. Here click on the "Run history" tab. All the history for how the instances were scaled up and down will be visible here. You can filter the data based on time to reduce the window. At the bottom you also have Operations list view what operations occurred on the VMSS and at what times.

This option should be used in conjunction with the performance data for the app or workloads running on your VMSS for a complete picture. If you view any performance drops, you should tweak the settings to scale out earlier than what it is configured. E.g. If the scale out operation is configured if the Average CPU percentage goes above 75% and you still see performance hits, then you should tweak that setting from 75% to a lower value like 65%.

There may also be some times during the day or week when there will be more load on your application. To ease this, you can add a schedule for scaling based on time. Note that there is no single best combination. The best settings for you depends upon your application.

Azure for AWS professionals - Auto Scaling - Azure - 03 Updating the Scaling policies of VMSS

Thu, 18 Jul 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

In Microsoft Azure Virtual Machine Scale Sets or VMSS, understanding and setting up appropriate scaling settings is paramount. You have the option to either set the scaling settings manually or set them to auto-scale based on different criteria.

To access these settings, navigate to your VMSS and go to the Scaling option under Settings. Ensure that "Custom autoscale" is selected. Then click on the "Configure" button from the top.

In the next screen, you can "scale based on a metric" to scale based on different metrics on the VM. Examples of such metrics include CPU percentage, Memory consumption, etc. Here you define:

Scale out - This is the setting for how the instance count should increase. E.g. if the Average CPU percentage increases beyond 75% then increase the count by 1.

Scale in - This is the setting for how the instance count should decrease. E.g. if the Average CPU percentage decreases below 25% then decrease the count by 1.

You also have the option to scale to a specific instance count based on a time schedule.

Another setting you have control over here is to set the Instance Limits. You define a minimum and a maximum number of instances with what the default or an initial number of instances is going to be. Note that the default value can only be between a minimum and a maximum number of instances.

Another key point to note is that you can add multiple scaling conditions to ensure autoscaling occurs as you require. Now that you have the autoscaling set up, next you should simulate load on your application running on VMSS and validate that you are not facing any performance issues. If you do then you should tweak the autoscaling numbers.

Azure for AWS professionals - Auto Scaling - Azure - 02 View Running Instances in VMSS

Mon, 15 Jul 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

When you have a Microsoft Azure Virtual Machine Scale Set or VMSS you want to view how many and what instances are running in your VMSS. You can do so very easily by navigating to your VMSS.

From All Service -> go to Virtual machine scale sets. Click on your VMSS to open up in it's own blade. Then from the left hand menu, navigate to the Settings category and click on Instances. This will show you all the instances in your VMSS along with their status.

E.g. in the screen below, you can view 3 instances, 1 of which is in Running state and 2 are in Creating state.

Azure for AWS professionals - Auto Scaling - Azure - 01 Creating VMSS - Part 2

Fri, 12 Jul 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

This is part 2 of the post for creating Microsoft Azure Virtual Machine Scale Sets or VMSS. Let's dive right in.

In continuation of the creation of VMSS wizard, next up you have the Scaling options. You provide the initial instance count. If you want to set up autoscaling, I recommend you to set up Custom policy rather than manual. You can automate based on various conditions like CPU exceeding certain thresholds etc. You can also tweak these settings once the VMSS has been set up and can add multiple criteria.

Next, you have Management settings. Here you can provide Upgrade policies, set up monitoring for diagnostics, Identity, Automatic OS upgrades, Instance termination notifications etc.

To monitor health, you can set up rules here. E.g. Let's say you have a web app running on the VMs in VMSS. You can set to monitor health by monitoring port HTTP 80 at a particular path of the app running on your workloads.

Various advanced settings can be set up on the next screen. If you are running Linux VMs in your VMSS then you can leverage "Cloud init" to automate the configurations on the start-up of every new instance in VMSS. Proximity placement groups ensure that the different instances in your VMSS are deployed closer to each other physically in a datacenter.

You can also decide between the VM generation etc.

You can provide Tags next to better categorize the resources.

Finally, you review all the settings and hit Create to create the VMSS.

Azure for AWS professionals - Auto Scaling - Azure - 01 Creating VMSS - Part 1

Thu, 11 Jul 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Microsoft Azure Virtual Machine Scale Sets or VMSS lets you deploy your workload into identical Virtual machines. These VMs are load-balanced internally and the load is also managed automatically for you. You can define various autoscaling schedules to scale your resources up and down based on the demand. E.g. if Average CPU percentage increases beyond a number then you can automate to increase the number of running instances i.e. scale up. Similarly, you can configure to reduce the instances i.e. scale down if the average CPU percentage goes down a certain number. This auto-scaling is provided out of the box with VMSS.

Let's start working with VMSS by creating one.

You will find VMSS under the Compute category.

When in the blade for VMSS, click on the "+Add" button

Provide the subscription and Resource Group just like for any other resource creation in Azure. Provide a name for the VMSS, a region where it will be deployed and Availability set if you want any.

Next, you provide the Instance details. This is very important. This is the underlying Image and it's compute size. This is the consumption that you will be having in your VMSS based on the number of instances running.

You also provide authentication information for connectivity.

Next, we need to provide the disk details (just like for a single VM). Here you can decide the type of disk to use for OS disk. You can also create and attach data disks here.

Next up we have networking details. You provide information regarding which virtual network the underlying VMs will be connected to in this VMSS. You also provide the Network Interface that VMSS will be using for connectivity.

In part 2 we will continue with the wizard and setting up of VMSS.

Azure for AWS professionals - Auto Scaling - Azure VMSS vs AWS Auto Scaling

Wed, 10 Jul 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Autoscaling is a key aspect of Infrastructure as a Service (IaaS) in the cloud. The demand for the service and therefore the load on your applications will vary based on various factors. It will vary as per:

The time of the day

The day of the month

Any holidays

Any special events etc.

Your application needs to scale out or scale in based on the dynamic demands. You can NOT find a perfect mix and pre-determine the exact number of instances (of Virtual machines or EC2) that you need to run. If you will define the lower number then the performance will suffer. On the other hand, if you overestimate then you will be looking at costly bills. You always want to optimize between Cost and Performance.

This is where Autoscaling comes into the picture. With this, you can have rules in place that will automatically scale out or scale in your number of instances running the application.

As a pre-requisite, you need to have the application which can be deployed on multiple instances behind a load-balancer.

Both Azure and AWS provide out of the box services for this functionality. In both platforms, you can define rules as to how the scaling should occur in an automated fashion. E.g. you can have the number of instances increase by 1 if the average CPU percentage usage increases more than 75%. And also another rule for decreasing the number of instances by 1 if the average CPU percentage usage reduces below 25%.

Microsoft Azure has package everything into one service called Virtual Machine Scale Set or more popularly known as VMSS. Even the automation for autoscaling is also built directly into this service and is as easy as setting up a few configurations.

Amazon's AWS also has this capability, although this is scattered over different services. These include:

Launch Configurations - a pre-packaged set of configurations that define how to set up new EC2 instances

Launch Templates - newer way to do the same thing as Launch Configurations. These have more features like versioning, etc.

Auto Scaling Groups - a load-balanced group of EC2 instances

AWS Auto Scaling - a newer service providing the automation for scaling out and scaling in of EC2 instances

We will be working on these services in the next few posts and taking a closer look at each of these.

Azure for AWS professionals - Batch Services - AWS - Working with AWS Batch Service

Mon, 08 Jul 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

AWS Batch Service

AWS Batch Service has below main concepts:

Job - This is what is sent for execution to the Job Queue. This is the main work that you are trying to accomplish e.g. processing an image.

Job Queue - When you submit a job, it is sent to a job queue. This has linked compute resources. AWS Batch Scheduler places the job on a compute resource within a compute resource environment

Compute Environment - This is the logical grouping of compute resources i.e. EC2 instances that can receive jobs from a job queue

AWS Batch automatically scales out your compute resources when there are jobs to work upon. It later scales it back when the job queue is empty.

Working with the Service

AWS Batch service can be found under all Services and then navigating to the Compute category. Click on Batch to launch the AWS Batch service.

Here you are presented with the default "Getting Started" screen. It gives you an overview of how the service works.

Clicking on the Getting Started button takes you to the wizard to set up the service.

First, you define the Job and its details. You start with where you want to run your job and defining a run time for the job.

Next, you provide the container properties for the job. The command you define is what is executed when this job is run. This is where you define what compute power will be required to run the job. E.g. 2 vCPUs and 2000 MiB of Memory. You also define the number of attempts to be made to run the job successfully. Job Execution timeout is another thing you define here in the number of seconds. If the job does not finish up in this time then it is stopped and moved to the Failed queue.

You can optionally define parameters and environment variables as well.

Under Step 2, you define the compute environment and set up the Job queue. Compute environment is where the job is run. You define its behavior in this section. You can choose between:

On-Demand - for any critical and business impacting jobs. This is most predictable

Spot - very cost-effective option. The cost savings are up to 90% of the On-demand option. It uses the EC2 Spot instances to do so.

You can also define a minimum, desired and a maximum number of vCPUs here.

You set up your networking next. Also, this is where you define the Job Queue and link it to the Compute environment.

Hit Create and you should be all set. AWS creates the underlying resources and shows you the status.

Viewing the Resources and Logs

You can now navigate to the Dashboard and view the newly created resources.

You can navigate to the Jobs section and find your job that was executed. It will look like a guid. Click on this job. In the popup, click on "View logs". This will take you to the CloudWatch window and will show you the logs.

That's all there is to it. You can define simple jobs like execute some applications to very complex jobs like image and video processing.

For more information check these link:

AWS Batch service

Azure for AWS professionals - Batch Services - Azure - 4 Creating Tasks in a Batch Job

Fri, 05 Jul 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

So far we have seen that to consume Azure Batch service we need a Batch account. Within this Batch account, we create a Pool. Next, we create a Job that runs on this Pool. Finally, every Job has multiple Tasks that are actually executed within the Job (and on the Pool)

In this post, we will create on such Task in a Job.

To create a Task, you begin by navigating to your Batch account (if not there already). Next click on the Jobs option under the Features category. Find your job and click on the same.

Within the job, find the Tasks menu and click on that. You will see "+Add" option here to add a new Task.

Next, a wizard will open up to add a new Task. Here primarily you provide a task Id, display name and Command line. Note, that this command line is where you specify what to run.

A simple command line may look like below. This displays the Batch environment variable and then waits for 180 seconds. This is used in the screenshots and later output.

cmd /c "set AZ_BATCH & timeout /t 180 > NUL"

A more complex command line, to execute an app package may look like:

cmd /c %AZ_BATCH_APP_PACKAGE_app01#1.0%\\myapp.exe

You can configure more settings like environment settings, task dependencies, and Application packages etc. Hit Submit when ready to create the Task.

To check the output of the task execution we will check the output stream. Navigate to your task. And then under the "Task Files" section click on the "Files on node" option. Here you will find the "stdout.txt" file. Click on this file to view the output.

The output stream (for the simple command line from above) will look like below. You can download this for offline usage if you require it.

This concludes a brief overview of how to consume Azure Batch service.

For more information check this link: Azure Batch service

Azure App Service now has a free Linux tier and supports Python and Java

Sun, 30 Jun 2019 00:00:00 +0500

Azure App Service has expanded its capabilities to include Linux as it's hosting Operating System. With the goodness of Linux also comes the support for Python and Java natively.

Now when you will create a new App Service in Microsoft Azure, you can view different Python versions that are currently supported.

You can also view various supported Java versions.

Under the Operating System settings you can see the Linux as an option. Note that based on the Runtime stack selected, this option maybe pre-selected for you and you won't be able to change this setting. If you will select a Runtime Stack that is supported on both OS then you will have the option to switch between the two platforms. E.g. for .Net core you can select any one of the two platforms.

For more information please check this link:

Azure for AWS professionals - Batch Services - Azure - 3 Creating Job in the Batch Pool

Mon, 24 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Once you have a Batch account set up with a Pool (of compute nodes) running, you will need a job running in this pool to consume all that computing power.

To create a Job in the Batch Pool, you first navigate to your Batch account (if not there already). Then scroll down and select Jobs. Click on "+Add" to add new jobs.

In the blade to Add Job, provide a unique Job Id. Add this job to the appropriate pool by clicking on the "Select a pool to run the job on". This will bring up another blade where all your pools will be listed. Selected the one you want and hit Select button.

Now that the job is also ready, you can start adding Tasks to this job. You can add multiple tasks to one job. We will check that next.

Azure for AWS professionals - Batch Services - Azure - 2 Creating Batch Pool in an Account

Fri, 21 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Once we have a Batch account, we will need a pool of compute nodes. You can do that by creating a Pool in the Batch account.

First, we will need to navigate to the Batch account. To do this first go to All Services in the Azure portal menu.

Next, find Batch accounts under the Compute category.

Under Batch accounts, all your accounts will be listed. Click on the account in which you want to create the pool. Under the account settings, scroll down to the Features category and click on Pools. You will not have any pools. Click on "+Add" to create a new one.

"Add Pool" blade will open up. Provide a pool ID and an optional display name. Provide the Operating system details that you want to target. You can use custom images or one of the marketplace image. E.g. in the screenshot below, the marketplace image for windows server 2016 Datacenter with small disk is selected.

You can provide the node size for each compute node in the pool. You will be charged based on the no. of nodes and the size of each node. You can provide Scale settings. It can be pre-configured as shown below or can be set to auto-scale.

You can next configure a task to start on setting up the pool. You also have various other settings to customize the pool setup.

If you scroll down further, you will see the options to configure virtual network connectivity to the pool. E.g. if you want to run an app that has some network dependency, that you can also run that by configuring your pool to connect to your virtual network.

If you already own Windows Server licenses then you can configure Hybrid Use Benefit or HUB licensing. Note that this option will only show up for Windows server related compute nodes.

Click Ok to create the pool.

In the next post, we will create a Job in this pool.

For more information check this link: Azure Batch service

Azure for AWS professionals - Batch Services - Azure - 1 Creating Batch account

Thu, 20 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

To consume the Azure Batch service, you need a Batch account.

To create a Batch account navigate to Create a new service (from the 3 lines on the top left corner), then in the menu under the Compute category, find the "Batch Services" option.

Just like any other resource, you provide a Subscription and a Resource Group. You also provide a name for the account. This name should only contain lowercase letters and should be unique in Azure's DNS space. This is used to uniquely identify your Batch account. You also select the location for your Batch service account.

Next, you have advanced settings. Here you select the Pool allocation mode. You have a Batch Service or User subscription as two options. This setting specifies whether to provision compute node pools in a subscription managed by the Batch service, or in the subscription in which you are creating the new Batch account. In most cases, this should be set to default i.e. managed by Batch service.

Next, you can apply tags to categorize the resource and get better control over automation, reporting, and billing, etc.

Finally, you review the setting and create the Batch account. Note that you have the option to download the template here so that you can automate the deployment next time you need to deploy this or deploy it uniformly across different environments.

Azure immediately shows you the status of your deployment. This screen refreshes automatically and will update to show when the deployment is complete.

In the next post, we will look at creating a Pool within the Batch account.

For more information check this link: Azure Batch service

Azure for AWS professionals - Batch Services - Azure vs AWS

Wed, 19 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Both Microsoft Azure and Amazon Web Services provide Batch service. These services are very similar in nature as they are trying to solve the same issue. Both are trying to run large-scale parallel and high-performance computing applications efficiently in the cloud.

Both the services leverage underlying computing infrastructure to execute the Jobs. Both have different mechanisms to save you cost. Where Microsoft leverages Hybrid Use Benefit (or HUB) licensing to reduce the cost of having Windows Server, AWS has integrated the usage of Spot instances directly to the AWS Batch service to reduce the cost of the underlying compute.

We will explore each platform's service in detail in the upcoming posts.

For more information check these link:

Azure Batch service

AWS Batch service

Azure for AWS professionals - Virtual Machines vs EC2 instances - 11 - Protecting Azure VMs

Sun, 16 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

For your mission-critical workloads, you can configure active replication of the VM to secondary geolocation. You can do so right from the settings of the VM. Under the hood it uses Azure Site Recovery to set up this disaster recovery.

Navigate to your VM and under the Operations category, click on the "Disaster recovery". Here you can select the Target region for the replication. This region becomes your secondary location and should be factored in your Disaster Recovery strategy. E.g. There should be appropriate infrastructure in place to allow for connectivity to this secondary location.

Next, you have Advanced Settings for the Disaster Recovery. You can select the settings for the Target, i.e. what the Resource Group, Virtual Network etc. is going to be in the target region, if we failover the VM to that region. You also have Storage settings, where you define the cache storage account (used to replicate the managed disks) and the source to target managed disk mappings.

Replication and Extension settings can also be updated here if you require. I recommend that under Replication settings you ensure that the vault selected is appropriate one if you have more than one vaults in your environment.

Finally, review all the settings and start the replication by click on the button as shown below. It triggers an initial replication.

You always have an active copy of the VM in the secondary location (delay of up to 15 mins, depending on your replication policy). You can trigger Failover if anything goes wrong in the primary region. Once the DR even is over, you can also Failback to the original location.

For more information check this link: Set up disaster recovery to a secondary Azure region for an Azure VM

Azure for AWS professionals - Virtual Machines vs EC2 instances - 10 - Backing up Azure VMs

Wed, 12 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Backing up a VM is the best practice from an operations perspective. The VM should be backed up on periodic intervals and these backups should be retained for some time as well.

You can backup a VM, right from its settings. After you navigate to Azure Virtual Machines, click on the VM for which you want to configure backup. Then under the Operations category, click on the Backup option. Here to configure the backup, you select the Backup vault, Resource Group and the backup policy.

You can also create a new backup policy on the fly. To do so, you need to click on the "Create (or edit) a new policy" link.

Under the create or edit Backup policy, you can configure how often and when the backup should be taken. You also configure for how long the backup should be retained.

For more information check this link: Back up an Azure VM from the VM settings

Azure for AWS professionals - Virtual Machines vs EC2 instances - 09 - Backing up EC2 instances Part 3

Sun, 09 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

In this post, we will see how to create an on-demand backup. This type of backup is typically needed when you want to perform a critical operation and this can impact the functionality of the instance. Therefore, prior to performing such an operation, you want to ensure that you have the latest backup of the instance.

You access the option to create the on-demand backup by navigating to the AWS Backup service and then selecting the "Protected resources". You will see the button for creating the on-demand backup here.

In the wizard to create the on-demand backup, you provide the resource for which you want to create the on-demand backup. You can trigger the backup rightaway or delay the start by specifying a backup window. You can also set the expiration of the backup under Lifecycle. You can select an existing vault or create a new one.

Finally, you select the IAM role that backup service will use to impersonate while creating the recovery point. Optionally you can also create and apply Tags.

For more information please check this link: AWS Backup

Azure for AWS professionals - Virtual Machines vs EC2 instances - 09 - Backing up EC2 instances Part 2

Wed, 05 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

In the previous post, we configured the backup plans in AWS Backup. Now we will use those backup plans and assign some resources to that plan. Specifically, we will assign the EC2 instance to configure the backup for that instance

Assigning Resources

Once the Backup Plan has been created or there is one already in the system, then when you navigate to AWS Backup service, your view will be similar to below. From the left menu, click on Backup Plans (if not already selected). Click on "Assign Resources" button.

In the Assign Resources wizard, provide a name to the resource assignment. Also, provide an IAM role that the backup service will use to create the recovery points. Next, you select the resources you want to assign. Below is the combination of selections to select the EC2 instance.

You have two options for assigning resources. The first is to assign multiple resources by Tags. Second is to provide a Resource Id (which is unique for every resource).

You have different types of resources that you can backup using AWS Backup service. These include:

EC2 instances

Elastic Block Store or EBS

Relational Database Service or RDS

Elastic File System or EFS

Storage Gateway

Dynamo DB

Once you click on Assign resources, the ec2 instance will be assigned to the backup plan. It will not show up under the protected resources until the next schedule of the backup plan creates a recovery point for the resource.

For more information please check this link: AWS Backup

Azure for AWS professionals - Virtual Machines vs EC2 instances - 09 - Backing up EC2 instances Part 1

Tue, 04 Jun 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

To backup EC2 instances, you use the AWS Backup service. This is a fully managed, centralized backup service simplifying the management of your backups for your Amazon Elastic Block Store (EBS) volumes, your databases (Amazon Relational Database Service (RDS) or Amazon DynamoDB), AWS Storage Gateway and your Amazon Elastic File System (EFS) filesystems.

Configuring Backup Plans

To be able to use AWS Backup you need Backup Plans configured and created.

Let's first navigate to the service by going to Services and then "AWS Backup" service under the Storage category.

When you launch this service for the very first time, you are provided with loads of information regarding the service. The first thing that you need to do is to create a Backup Plan. Click on the button to "Create Backup plan".

You can either start from an existing plan (to copy all it's settings) or build a new plan. If you don't have anything configured then you will have to select the option to Build a new plan. Provide a name for the plan and scroll down.

Next, provide the Backup rule configurations. With every backup plan, you can have multiple backup rules. Basically, these define when a backup is taken, how often it is taken, when does this backup expires and so on. You start by specifying a name for the rule. Then you specify a Schedule for the backup. The options include Daily, Weekly, Monthly etc. You can also customize the backup window, i.e. at what hour of the day the backup is taken.

Under Lifecycle, you define when the backup should transition to Cold storage and when it should expire. You also select a Vault for the backup. This is the vault resource where the recovery points created by the Backup service are organized.

Next, you can copy the backup to multiple regions. In this way you get redundancy. If the backup primary region goes down, you can use the copy from a different region to restore.

Here you also specify the Tags to add to a backup plan to organize and categorize this in a better way.

Click on the "Create plan" button once done. As you can see from the two notes above, once the plan is created, you can assign resources to this backup plan. We want to add our EC2 instance to this plan. We will do this in the next blog post.

For more information please check this link: AWS Backup

Azure for AWS professionals - Virtual Machines vs EC2 instances - 08 - Azure VM Insights

Fri, 31 May 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Azure Monitor for VMs or Insights is the enhanced version of the analytics on the VM. It includes the performance and dependencies related data for the virtual machines.

This is very similar to "Enable Detailed Monitoring" using CloudWatch in AWS.

Setting Up

To set this up navigate to your virtual machine and then click on the Insights section under the Monitoring category. Click on the Enable button to start. Note that the VM should be in the running state for you to be able to enable this setting.

If you get any error while clicking on the Enable button, ensure that the VM is running. If it is already running then wait and retry after few minutes. Sometimes the VM bootup takes time to finish (depending on the Compute capacity of the VM).

For the VM Insights to work, it needs to connect to a "Log Analytics Workspace". When you will click Enable button, it will ask to connect to a workspace. When you click Enable, a Microsoft Monitoring Agent (MMA) extension is installed on the VM and is connected to the workspace selected.

Analytics Data

Once successfully enabled and the extension deployed, the Insights data will update to show actual data from the VM. If you don't see it or can't refresh the view, then navigate to any other section and come back to this section to force the refresh.

The first tab is for the Performance data. This shows you interactive and filterable data. Some of the data includes Logical Disk Performance, CPU Utilization, Available Memory, Logical Disk analytics, Network data etc.

Next tab is for Map or Service Map. This shows you the dependencies data. This shows you a graphical and interactive view of how the VM interacts with other VMs and outside the network, what ports it is communicating on, etc.

For more information check this link:

Azure Monitor for VMs

Azure App Configuration Service

Thu, 30 May 2019 00:00:00 +0500

Azure App Configuration Service is a new service that let's application developers save their application related configurations separately in this service. These configurations are saved securely in this service. This service also allows for your application to scale without any dependency on the configuration data.

As the configurations are stored separately from the application code, the developers and designers now have the flexibility to modify the app behavior without them requiring to alter the code multiple time and performing multiple deployments of the application.

When you navigate to the new service creation wizard in Microsoft Azure, search for App Configurations. This should bring up this new service as shown below.

For more information please check this link: Azure App Configuration

Azure for AWS professionals - Virtual Machines vs EC2 instances - 07 - Boot Diagnostics of Azure VMs

Wed, 29 May 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Azure VM Boot diagnostics lets you diagnose what is happening under the hood during the boot-up. If you face any issues with the boot-up of the VM then this is where you will go to find the diagnostics data.

Where is this setting

You can find this setting when you navigate to the Azure Virtual Machines section and click on your VM. Under the settings menu, scroll all the way down to the "Support + troubleshooting" category. You will find the Boot diagnostics option here.

Setting up Boot Diagnostics

If this is not set up for your VM then you can do so easily. All you need is a storage account. You can also change this anytime. Click on the settings button at the top. Click On and select the storage account. You can also create a new one if you require it.

Checking the Boot Diagnostics data

You can view the screenshot to check where the VM is at with the boot-up process under the hood. If you are not able to log into the VM then this is the main area you want to check to see if the VM is ready (or if there are any updates being applied to the VM).

You can download the Serial logs data for the VM as well if you need to do advanced troubleshooting. This is especially helpful in case of the Linux VMs.

For more information click here: How to use boot diagnostics to troubleshoot virtual machines in Azure

Azure for AWS professionals - Virtual Machines vs EC2 instances - 06 - Monitoring of Azure VMs

Sat, 25 May 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Within Azure, when you click on the Virtual Machine, you have a lot of control of various aspects of the VM right from one screen. When you navigate to the Azure Virtual Machines section, you are presented with all the virtual machines in your environment. Here when you click on any one VM, a new screen pops up. Microsoft calls this as new Blade. In this blade, the Overview section is the first one and is selected by default. It shows you lots of information for the VM like it's a subscription, resource group, public and private IP address, a button to connect to the VM, etc.

When you scroll a little bit down you get the out of the box metrics for the VM. These metrics include CPU data, Network data, Disk IOPS, etc. You also have time filter at the top.

From the left-hand side menu of the selected Virtual Machine, scroll down to the Monitoring section. This has loads of information and options. The key option you want to explore is the "Metrics" option. Here you can build custom graphs to monitor different metrics by adding each one. Click on Add Metrics and select the same from the drop-down list. The graph will update to show all the selected matrices.

We will explore more options in the subsequent posts as well.

For more information, refer to the below links: Microsoft Azure Virtual Machines

New Tiers in Azure Application Gateway - Standard v2 and WAF v2 SKUs

Fri, 17 May 2019 00:00:00 +0500

New tiers have been made generally available since last week for Application Gateway. These tiers are:

Standard v2

WAF v2

These tiers are backed by Microsoft's SLA of 99.95% availability. These tiers have various optimizations in terms of Autoscaling, Zone redundancy, faster provisioning, improved performance, etc.

You can see these new tiers when creating a new Application Gateway. For the Tier settings, in the drop-down, now you will see these two new SKUs also listed and available as well.

For more information please check this link: Application Gateway

Azure for AWS professionals - Virtual Machines vs EC2 instances - 05 - Monitoring of EC2 instances

Wed, 15 May 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Monitoring is centralized in AWS via Cloud Watch. Few out of the box metrics are integrated into the EC2 instances screen. Various in-depth and detailed metrics are available in the Cloud Watch product.

To view the monitoring data, navigate to the EC2 section and then go to the Instances section. Click on the EC2 instance for which you want to view the metrics. Then in the below section, you are showed the data for the instance. Here select the Monitoring tab. You have different settings here that can help you with monitoring your EC2 instance. The key settings include:

CloudWatch alarms - this is a way to set up the alarms or alerts

Enable Detailed Monitoring - this is to enable advanced diagnostics data capturing on the instance. With this, you get detailed monitoring of various metrics that you can also control

View all CloudWatch metrics - when you click on this option, it will take you to CloudWatch resource. There you can pick and choose various metrics for your EC2 instance and visualize the same.

The bottom pane is where by default the key metrics for the instance are displayed. These metrics include CPU Utilization, Disk Read and Writes, Network analytics etc.

For more information, refer to the below links: Microsoft Azure Virtual Machines

Amazon Elastic Compute Cloud (EC2)

Azure now supports GitHub identity single sign-on

Tue, 14 May 2019 00:00:00 +0500

Azure now supports GitHub identity single sign-on. Now when you will try to log into the Azure portal you can use GitHub as an identity provider. If you already have a GitHub account then you don't need to create a new account. You can use the same account to log into the Azure portal (provided someone has given you access on some subscription).

When you click on this link, it takes you to the GitHub website to authenticate you and then bring you back to the Azure portal once authenticated.

For more information please check this link: Azure now supports GitHub identity single sign-on

Azure for AWS professionals - Virtual Machines vs EC2 instances - 04 - Differences in IOPS

Thu, 09 May 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Deciding the IOPS (Input/Output Operations Per Second, pronounced i-ops) is one of the most critical decisions when building your virtual machines. But this is also one of the most ignored aspects of the deployment. This performance measurement of your OS and Data Disks can alter your experience significantly. Let's see how it differs in the two platforms.

In AWS

For Provisioned IOPS (SSD) volumes, you can provision up to 50 IOPS per GiB. Provisioned IOPs (SSD) volumes can deliver up to 64000 IOPS and are best for EBS-optimized instances.

For General Purpose (SSD) volumes, baseline performance is 3 IOPS per GiB, with a minimum of 100 IOPS and a maximum of 16000 IOPS. General Purpose (SSD) volumes under 1000 GiB can burst up to 3000 IOPS.

Magnetic volumes, previously called standard volumes, deliver 100 IOPS on average and can burst into hundreds of IOPS.

If you remember when we were building the EC2 instances, you have the option to add/tweak the storage in Step 4. Here you can see that you can select between the different type of Storage disks that we discussed above.

When you select the "Provisioned IOPS SSD (io1)" option, the column for IOPS turns into a text box and you can tweak the IOPS to your hearts' content. Please note that you can not go beyond 50 IOPS per GiB. E.g. If the disk you selected is 8 GiB in Size then you can't go beyond a maximum of 400 IOPS (i.e. 8x50).

In Azure

Premium SSD disks offer high-performance, low-latency disk support for I/O-intensive applications and production workloads.

Standard SSD Disks is a cost-effective storage option optimized for workloads that need consistent performance at lower IOPS levels.

Use Standard HDD disks for Dev/Test scenarios and less critical workloads at the lowest cost.

You can directly update the type of disk for OS under the second screen of the Virtual Machine creation wizard i.e. under the Disks category. You can select between the three types. The OS Disk size is determined by the VM Size selected. This can be increased later. You can click on "Create and attach a new disk" link and add a Data Disk to the VM.

In the "Create a new disk" wizard, you can change the size of the disk. Now here you are shown based on the size, how much IOPS you will get. Microsoft defines different tiers and provides IOPS based on the tier selected i.e. based on the disk size selected.

Below you see the IOPS for Premium SSD tiers.

Below you see the IOPS for Standard SSD tiers.

Below you see the IOPS for Standard HDD tiers.

For more information, refer to the below links: Microsoft Azure managed disks

Amazon EBS Volume Types

PowerShell support in Azure Functions

Mon, 06 May 2019 00:00:00 +0500

PowerShell support is now available in Azure Functions. This is the feature that I have been waiting for and many others have as well. If you have any reusable functions in your PowerShell scripts, now you can run those in the Serverless way via Azure Functions. Microsoft announced that this includes native support for PowerShell Core 6 as well as the Azure Az modules.

To get started, create a new Function App in Azure. While you are creating a new one, now for the "Runtime stack" you can select "PowerShell Core" as the option.

For more information please check this link: Serverless automation using PowerShell preview in Azure Functions

Azure for AWS professionals - Virtual Machines vs EC2 instances - 03 - Creating Azure VMs

Thu, 02 May 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

In the previous post, we covered how to create EC2 instances in AWS. You can revisit that post here: Creating EC2 Instances in AWS

In this post, we will check how to create a Virtual Machine in Azure. If you know one, it is very easy to translate the information to another platform. The essential part is to look out for the quirks of each platform and note how these differ from each other. Let's dive in.

You can create the VM resource in one of the two ways. Either by navigating to "Create a resource" and then finding the VM you want to build.

Or you can navigate to the VMs section and then click on the Add button to build the VM.

You are presented with the "Create a virtual machine" wizard. Here you ensure that the subscription and the resource group is correct. Subscription is how to buy and use Azure. You have different plans like "Pay as you go" when subscribing to Azure. Resource Groups are nothing but a logical grouping of resources in Azure.

You also provide the Instance details like the name of the VM, the region where the VM will be deployed, any redundancy options etc.

You select the VM image that you want to build e.g. Windows Server 2016 Datacenter. This is similar to selecting the AMI or Amazon machine image in AWS. The Size decides how many vCPUs and Memory in GiB is allocated to the VM. This is also how you will be billed per month for the VM. Note that you only pay when the VM is running. If the VM is in Stopped and Deallocated state then you are not charged for the Compute consumption of the VM. Then you are only charged for the storage component of the VM.

When you scroll down, this is also where you provide the credentials to be used with the VM. You also configure allowed ports for the VM. E.g. RDP is opened here. You can tweak this further in the Networking section ahead.

The biggest difference here is that, if you own a Windows license on-premises then you can leverage that to save up to 49% in Azure via Azure Hybrid Benefit.

Next, you select the VM disks. Here based on your selection you get faster and slower IOPS. You can also add new or existing disks as data disks.

In the networking section, you can select an existing Virtual network or create a new one. You can select subnets within that network or create a new one as well. Same goes for the Public IP. This is also where you can tweak the network security group.

Under the management section, you can configure Monitoring options. You can also configure Auto-shutdown configurations on the VM as well.

Under Advanced settings, you can install Microsoft or Third party extensions like Chef, Puppet etc. You can also automate one time installations in your linux VMs via Cloud init.

Next, you can assign Tags to categorize the resources. These come in very handy when creating billing reports. Note that not just the VM but underlying resources like OS and Data disks, network interface cards, etc. will also be tagged.

Finally, you can review the settings. Azure also gives you the option to "Download a template for automation". This is your ARM Template including the JSON file, that you can leverage to automate or replicate the deployment of the instance multiple times across different environments.

Then you are prompted with a screen where you can check the deployment status. Once succeeded you are provided with a link to directly navigate to the virtual machine resource.

You can now view the provisioned VM under the Virtual Machines section.

For more information, refer to the below links: Microsoft Azure Virtual Machines

Azure for AWS professionals - Virtual Machines vs EC2 instances - 02 - Creating EC2 Instances

Mon, 29 Apr 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

In this post, we will look at how to create EC2 instances in Amazon Web Service (AWS).

You start by selecting the option to create or launch the instances.

In the Instance creation wizard, the breadcrumb at the top show you where in the wizard you are currently at. The first screen is to choose an image for the VM or EC2 instance. The image is called an Amazon machine image or AMI. You can also search for an AMI. Under the image name, you can view the details of the image. Make sure you select the right image. Click on the Select button once decided.

Next, select the instance type. Here you are selecting the actual compute details i.e. the number of vCPUs and the Memory in GiB. You are billed as per the instance type you select.

Next, you select various Instance details. This screen is very vast and makes your deployment very configurable. In this post we will not go into each of these settings. Here you can decide to create an Auto Scaling Group, request spot instances, add placement group, select domain join directory, decide shutdown behavior etc. One key setting that you select here is the Networking details. You select your VPC (Virtual Private Cloud) network and the subnet for the instance.

Next, you configure the Storage details. You can tweak the default storage assigned and can also add more storage. Based on the IOPS requirements you select the Volume type. You can encrypt the storage as well.

Next, you add tags to your instance and underlying volumes. Tags are a great way to categorize resources. Below is just an example of a couple of tags assigned to the instance and underlying volumes.

Now you configure the firewall on the Instance via Security Groups. You can create a new one or select an existing one. This is where you decide what can connect to your instance and what can not. In the screenshot below the RDP connectivity on port 3389 is open. Please note that the Source of "0.0.0.0/0" means that it is open for all internet. It is highly recommended that you change this setting to only your IP addresses from where you will connect.

Finally, you review the details. If you need to view the details in detail just expand that category. Click the Edit buttons on the right to edit that setting. Hit Launch to trigger the instance provisioning.

Before the instance can be provisioned, you are prompted with a popup to select a key pair or create a new one. This is a Private and Public key pair that is used to authenticate. You download and keep the Private key. Note that you can only download the Private key at the time of creation. You will not be able to access it later.

You can check the launch status on the next screen.

Finally, you can view and check your instance. It will be listed in the list under the Instances section under EC2 service.

For more information, refer to the below links: Amazon Elastic Compute Cloud (EC2)

Azure Updates: Azure Front Door Service

Sun, 28 Apr 2019 00:00:00 +0500

Azure Front Door is one of the latest services announced by Microsoft. This is a game-changer as it can do lot of heavy lifting for your applications. If your application is deployed in multiple regions then Front Door service is a no-brainer for your organization.

It works at the application layer, i.e. layer 7. It monitors the global routing and automatically routes to the best available host to optimize the performance. The routing is based on the URL paths. It also provides instant failover at the global level. It uses smart health probes to check if your application is available or not. It can also perform SSL offloading to encrypt all the traffic.

To configure a Front Door, you define:

Frontend host

Backend pools

Routing rules

For more information check this official links:

Azure Front Door

Front Door Overview

Azure Updates: ExpressRoute Direct and Global Reach

Sat, 27 Apr 2019 00:00:00 +0500

ExpressRoute Direct and ExpressRoute Global Reach are available to be used now. These services extend the capabilities of ExpressRoute.

ExpressRoute Direct gives you the ability to connect directly into Microsoft’s global network at peering locations strategically distributed across the world. This is different from simple ExpressRoute connectivity in the way that now you are not just connecting to one region but getting access to the complete Microsoft global network. It helps you with massive data ingestion to storage, physical isolation, dedicated capacity, and burst capacity to use Microsoft’s global backbone to access Azure regions at tremendous scale.

ExpressRoute Global Reach is the service where if you have two datacenters, which are located at different geo-locations and both are connected to Microsoft Azure via Express Route then these two datacenters can also connect to each other securely via Microsoft's backbone.

As shown in the below example, the two locations i.e. San Francisco and London are connected to Azure via ExpressRoute. Due to the Global Reach feature, now the traffic between these two datacenters can also traverse on the Microsoft backbone securely (as shown in the green color).

(Image source: Microsoft)

For more information check here:

ExpressRoute Direct

ExpressRoute Global Reach

Azure for AWS professionals - Virtual Machines vs EC2 instances - 01 - Finding resources

Wed, 24 Apr 2019 00:00:00 +0500

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Virtual Machines is one of the key services for Infrastructure as a Service or IaaS. It is the virtualization of the OS and allows you to run your workloads in the cloud. Microsoft and Amazon have different branding and implementation of these services. Where Microsoft calls this as Azure Virtual Machines, Amazon refers to a similar offering as Elastic Compute Cloud or EC2.

Let's look at where you find the EC2 services. You navigate to the All Services section in AWS and then under the Compute category, you find the EC2 option.

EC2 category has loads of information and your virtual machines or Instances are not shown right away. You have to click on Instances under Instances category as shown below. Then you will be able to view all your existing instances. Here you will also have the option to create a new Instance by click on "Launch Instance".

Similarly, in Azure, you navigate to the 3 lines on the top left. Then you can either click on "All Services" (4th option) or you will see "Virtual machines" as an option directly. You can also drag and reorder these options as per your preference.

In the next screen, you can directly access all your Virtual machines or VMs. You can click on your VM or create a new one right from here. You just need to click on the Add button as shown below.

Next, we will dig deeper and view how the creation of these resources differ.

For more information, refer to the below links: Microsoft Azure Virtual Machines

Amazon Elastic Compute Cloud (EC2)

General Availability Alert - Azure AD Password Protection is now GA

Wed, 03 Apr 2019 00:00:00 +0500

Azure Active Directory (AD) Password Protection feature is now generally available.

In nutshell, this feature provides you with the ability to enforce or audit users who set passwords to common and weak passwords. When set in enforce mode this feature stops them from being able to set a weak or common password. E.g. you could stop the end users from using a password like "test123" or "password1" etc. You can add as many general passwords to ban. As a good practice, you should add your organization's name or any common internal password to this list with any variants you believe end users may use. The end goal is to try and make the password as much difficult and secure as possible.

This feature also allows you to specify the thresholds to lock a user in case of failed sign-in attempts. It allows you to set the time for which the user will be locked out before they can try signing in again.

This feature can be accessed by navigating to the Azure Active Directory and then selecting "Authentication methods" under the Security section. You will see the "Password Protection" option opened up in its own blade.

Note: Preview customers MUST update the agents to the latest version (1.2.116.0 or higher) immediately. The current agents will stop working after July 1, 2019.

For more information and the announcement blog from Microsoft, read here: Azure AD Password Protection is now generally available!

Azure Awareness Month - Webinar #5 Video - How to Use Azure Site Recovery for Backup, Migration, and Disaster Recovery

Sat, 30 Mar 2019 00:00:00 +0500

This last session in the Azure Awareness month covered Azure Site Recovery services which include Azure Backup and Azure Recovery Services. The session discussed how to provide Backup and Disaster Recovery. It also provided a brief strategy overview for Migration. As usual this is demo heavy session.

You can check the video here:

Windows Virtual Desktop in Azure - Public Preview Alert

Mon, 25 Mar 2019 00:00:00 +0500

Windows Virtual Desktop is a new service that is available as a Public Preview at the time of writing of this blog. This is a desktop and app virtualization service that runs on the cloud.

Pre-requisites

You need the following to be able to use this service:

Azure AD (Active Directory) - If you have an Azure subscription, then you already have this.

Windows Server Active Directory in sync with Azure Active Directory

Azure subscription, containing a virtual network that either contains or is connected to the Windows Server Active Directory - this is where the virtualization will be created and configured

Additionally, the Azure VM you create for Windows Virtual Desktop must be:

Standard domain-joined or Hybrid AD-joined. Virtual machines can't be Azure AD-joined.

Running one of the following supported OS images: Windows 10 Enterprise multi-session or Windows Server 2016

Working with the Service

At a very high level the steps involve the following:

Grant Azure Active Directory permissions to the Windows Virtual Desktop Preview service

Assign the TenantCreator application role to a user in your Azure Active Directory tenant

Create a Windows Virtual Desktop Preview tenant

Create a Windows Virtual Desktop Host Pool - available as an offering from the Azure Marketplace right now

You can learn more about this preview and detailed step by step getting started guide here: Windows Virtual Desktop Preview

Azure Awareness Month - Webinar #4 Video - Security in Azure - How to Make Your Environment More Secure

Sat, 23 Mar 2019 00:00:00 +0500

The fourth session in the Azure Awareness month was all about security in Azure. We discussed different options around security features available in Azure. The focus of this session was to make your environment more secure.

You can check the video recording here:

Differences between Azure Functions and Azure Logic Apps

Tue, 19 Mar 2019 00:00:00 +0500

Azure Functions and Azure Logic Apps are key offerings from Microsoft Azure that provide you Serverless Computing. They both can help run business logic for your applications and can also automate a lot of tasks in Azure. Azure Functions which can execute code in almost any modern language. Whereas Azure Logic Apps which are designed in a web-based designer and can execute logic triggered by Azure services without writing any code.

The major difference between the two is that Azure Functions provide you with lot more control over the code that gets executed but you have to author and manage that code. Whereas with Azure Logic Apps you are working only in a designer and configuring the activities. You get less control but at the same time, you do not have to manage the underlying code as well. You only need to manage the properties of your activities (or logic blocks) in your workflow.

Additionally, here are more differences between these two services:

Functions Logic Apps

State Normally stateless, but Durable Functions provide state Stateful

Development Code-first (imperative) Designer-first (declarative)

Connectivity About a dozen built-in binding types, write code for custom bindings Large collection of connectors, Enterprise Integration Pack for B2B scenarios, build custom connectors

Actions Each activity is an Azure function; write code for activity functions Large collection of ready-made actions

Monitoring Azure Application Insights, Log Analytics via Application Insights connector Azure portal, Log Analytics

Management REST API, Visual Studio Azure portal, REST API, PowerShell, Visual Studio

Execution context Can run locally or in the cloud Runs only in the cloud.

Azure Awareness Month - Webinar #3 Video - ARM Template Basics: Automated & Repeatable Deployments in Microsoft Azure

Sun, 17 Mar 2019 00:00:00 +0500

This third webinar in the Azure Awareness month series was around ARM Template Basics. In this session, I talked about how to perform automated & repeatable deployments in Microsoft Azure leveraging ARM Templates. We discussed how to author ARM Templates as well as how to kick start the development.

You can check the video recording here:

Azure Awareness Month - Webinar #2 Video - Automate Your Azure Environment with Azure Automation and Azure Functions

Sat, 09 Mar 2019 00:00:00 +0500

In this session around automating your environment, we looked at how to work with Azure Automation and Azure Functions. The session included demos to get you started in these technologies. You can check the video below.

Azure Awareness Month - Webinar #1 Video - Getting Started with Azure – Basics, Tips, and Tricks

Sun, 03 Mar 2019 00:00:00 +0500

We started the Azure Awareness month with the first webinar in the series last Friday. This session was about "Getting Started with Azure – Basics, Tips, and Tricks". If you missed this session then you can watch this recorded webinar below on YouTube.

In this session we talked about:

Cloud Computing and Azure - to understand the place of Microsoft Azure in the Cloud Computing world and how we fit in

Basic Concepts in Azure - to lay the right foundation on which all concepts will be built

General Services in Azure - to provide you with the most essential services in Microsoft Azure

Tips & Tricks - to give you that edge and make you more efficient in usage of Microsoft Azure

Azure Tips & Tricks - Series Index

Mon, 25 Feb 2019 00:00:00 +0500

Microsoft Azure has lots of services to offer. Sometimes you can feel overwhelmed and lost. These tips and tricks will be your guiding star to make your tasks a bit easier. These will increase your efficiency. Even if you save a few seconds on the task at hand it can accumulate to huge time savings over a larger period of time.

This blog is an Index of various blogs in the series "Azure Tips & Tricks":

Quickly run commands or script on an Azure Virtual Machine (VM) without logging into the VM

Bootstrap Automation for New resources for repeated deployments in multiple environments

Bootstrap Automation for Existing resources for repeated deployments in multiple environments

Find solutions to most common problems for any resource

Quickly navigate Azure Portal and search documentation with ease

Quickly assign and check the Azure Policy and Initiative Compliance status of your resources with new Azure feature

Azure Tips & Tricks - Quickly assign and check the Azure Policy and Initiative Compliance status of your resources with new Azure feature

Thu, 21 Feb 2019 00:00:00 +0500

Now you can assign policies, initiatives directly from the resource blade. You can also check the compliance status of the policies and take corrective actions on them. You can now access this feature, not just from the Subscriptions blade but also from the Resource Group and individual resources blade.

To access this information from the Resource Group level, just navigate to your resource group and search for "Policies" option under Settings of the blade.

To access this from a resource e.g. a Virtual Machine, navigate to the VM and search for "Policies" setting. This is under "Operations" section of the VM.

In the above example, the policy to apply tag is not compliant. You can click on individual policy names and investigate further.

As soon as I apply the tags and the policies compliance is checked next time, it will change the status to Compliant (as shown below). As a best practice, you should be reviewing the compliance status of your environment at periodic intervals.

Azure Updates - New VM-series for Confidential Computing

Mon, 04 Feb 2019 00:00:00 +0500

A new VM-series backed by specialized hardware, which will include the latest generation of Intel SGX.

Based on Trusted Execution Environments: Intel SGX, Virtualization Based Security (VBS)

Comm application patterns: Protect data confidentiality, integrity, and sensitive IP

Protect data and code in use: Isolated portion of processor and memory, code and data cannot be viewed/modified

Cloud offering: TEE-enabled compute platform, cloud attestation, first-party‒enabled services

Centrally combine data sources, Communicate with secure endpoints, licensing and DRM

At the time of writing of this blog, this feature is limited preview access under NDA (announced via blog) of a specialized Virtual Machine Series (DC-series) that will become part of the Azure Compute portfolio and the first installment of the broader Azure Confidential Computing (ACC) initiative. Put simply, confidential computing offers protection that to date has been missing from public clouds: encryption of data while in use.

You can read more about this here: Azure confidential computing

Azure Tips & Tricks - Quickly navigate Azure Portal and search documentation with ease

Fri, 01 Feb 2019 00:00:00 +0500

Navigating Azure Portal can become challenging. You want to navigate to different Azure Resources or Resource Groups or want to check a particular Service in Azure. Instead of going to "All Services" and searching for your resource, if you can save a little time by searching more efficiently, it can add up over time and make you more efficient as well. So here are few tips on how you can navigate with ease in Azure.

1. Pin/Favorite most common Services and re-ordering them

For a recent project, I was working with Azure Route Table a lot. I was navigating to these multiple times and making a lot of changes. Instead of going to "All Services" and searching for Route Table service every time, you search for it only once and Star it to mark it as Favorite. It will start showing up in the Services list to the left under Favorites.

Next, you want to re-order the Services under Favorites, so you don't have to scroll to navigate to most common services. You can do so by hovering the cursor on the service name under Favorites, and then click and drag on the ellipse (i.e. 3 dots to the right of the service name) as shown below.

Now you will have the most commonly visited service at the tip of your hands.

2. Pin most common Resources to your dashboard

Another scenario I faced in one of the projects was that every time I logged in, I had to make some changes to a VM and connect to the same using it's dynamically assigned Public IP. That meant navigating to this VM, every day and starting the VM and connecting to it. I had to start the VM as auto-shutdown was configured on the VM to save cost. Instead of navigating to the Virtual Machines and then searching for the VM and then navigating to it, you can simply Pin the VM to your dashboard. Next time you open the portal, the VM will be right there on the Dashboard.

You can similarly Pin other resources like SQL Databases, etc.

3. Searching for Resources, Resource Groups, Services and Documentation using the new Search bar

One of the cool features I stumbled upon is the new search bar in the Azure portal. It had made navigating Azure portal so much easier. You just start searching for the resource or Resource Group or Service name in the text box at the top of the portal. You don't even have to type the whole thing. Just start typing and the results will start popping up. Look for different sections in the suggestions box the pops up under the text box. Click on your desired resource or Resource Group or Service.

One advantage of this search box is that you can not just search for resources or resource groups or services, you can also search for Marketplace solutions and Documentation. I have leveraged this feature to search for documentation a lot. You can't remember everything and you have to reference documentation every now and then. Instead of googling the documentation, you can quickly search for it, without leaving the Azure portal and access it. You don't have to worry about navigating away from the Azure portal. The documentation will open up in a separate tab automatically.

I hope that these tips will help you increase your efficiency. Let us know which tip helped you and which you already knew about, in the comments below.

Azure Tips & Tricks - Find solutions to most common problems for any resource

Fri, 25 Jan 2019 00:00:00 +0500

When working with Azure resources, you will be faced with the challenge of diagnosing, troubleshooting and solving issues related to your resources. Opening a Microsoft Support case should be the last resort.

This tip is generic in nature that shows you where to look for various solutions to the most common problems related to a resource. You can find this option under any resource as "Diagnose and solve problems"

Troubleshooting Workflow

Using this a common troubleshooting workflow will look like this:

Click on the "Diagnose and solve problems" option under your resource's blade.

Look for Resource Health. I have had a scenario where after a lot of troubleshooting around Azure Automation, we came to know that the service was experiencing issues in our intended region (US South Central). A quick check from this will rule out the obvious.

Next, you want to check the "Activity logs". You can check those right from this screen. You can find if anybody changed the configurations which might have resulted in errors you are observing.

Next section shows you some of the most common issues and how to resolve these. Scroll through these. Sometimes these include step by step guides to help you. Follow these and ensure you did not miss a step.

If nothing works, you can finally open a Microsoft Support request right from this screen. Note: If you can't find your issue under common problems, I highly recommend that you search for it in forums like StackOverflow etc. before you open the Microsoft Support request. If it is a business critical issue, then I would recommend that you open the support ticket first and then search for the issue in the interest of time.

Azure Tips & Tricks - Bootstrap Automation for Existing resources for repeated deployments in multiple environments

Thu, 24 Jan 2019 00:00:00 +0500

When you want to automate resource deployment you will either create the automation templates for an existing set of resources or you will create templates for resources that have not been created yet. For former situation, e.g. you have performed a Proof of Concept and now you want to automate the deployment of these set of resources.

You want to automate this because you want to deploy these resources multiple times at different times. You want to deploy these in a predictive fashion without any errors due to manual mistakes creeping in. The number of resources can be fairly large and you will actually end up saving time on the creation of these automation templates instead of manually creating everything.

Generating Automation for an existing set of resources

To generate automation for an existing set of resources, either go to the resource group or to any of the resource. Under Settings look for the option for "Automation script". Depending upon number of resources and type of resources, it may take some time to generate the template.

Note: Even though the option says "Automation script" it still generates an ARM Template for the automation.

Once the template is ready you can do the following:

You can inspect the template right there on the screen.

You can download the template or directly add it to your library. Once in the library, you can modify it and share it with your team. Or you can directly Deploy it by clicking on the deploy button.

Look out for the errors regarding the resources that can't be exported. E.g. Key vault policies can't be exported by this wizard.

Next, the Template and Parameters are shown. You can also view, Azure CLI, PowerShell, .Net or Ruby code samples to deploy the template.

Make sure that you inspect the template thoroughly. Remove the resources that you don't need.

Also, there will be a lot of hard-coded values in this auto-generated template. It will still be better than starting everything from scratch and doing everything manually.

Azure Tips & Tricks - Bootstrap Automation for New resources for repeated deployments in multiple environments

Tue, 15 Jan 2019 00:00:00 +0500

When you want to automate resource deployment you will either create the automation templates for an existing set of resources or you will create templates for resources that have not been created yet. For the latter situation, e.g. automating the deployment of a new set of resources, you will have to start the automation from scratch. Instead of starting from scratch, you can bootstrap your automation via ARM Templates.

Reuse Existing

You can first search for your resources or scenarios in the Microsoft Quick Start templates. Note that these are sample templates from Microsoft and community members. These templates can be found here: Azure Quickstart Templates.

When you click on a template name you will see multiple files as shown below. Actual template file will always be named as "azuredeploy.json". The related parameters file will be named as "azuredeploy.parameters.json". All other files are optional and are the supporting files for the template.

You can download these files and edit them. You can fork them directly in GitHub and start editing in a source control environment, but your changes will be public (unless you change your repository to Private). If you do not want to make changes and want to directly deploy one of the template, simply click on the "Deploy to Azure" button. This will open Azure portal and you will need to sign into your subscription. Then the template deployment blade will open with the template information already populated. You will just need to select right Subscription, Resource Group and provide various parameters.

It is really simple and saves you lot of time instead of authoring the template from scratch. Why re-invent the wheel. Reuse instead!

Generating template for new resource creation in Azure

If you are creating new resource from the Azure portal and you have to perform this same action multiple times, you should consider using an ARM Template. If you want to create an ARM Template for a resource for which you can't find a template, even then you can use Azure portal to bootstrap the template creation, rather than starting from scratch.

Simple go ahead and start creating your resource from Azure portal. At the last screen, instead of actually creating the resource, look for a link with the name as "Download a template for automation". This will open another blade which will show you the template. You can download the template from here. It will also include the related parameters file and a script to perform the deployment of your template. The below screenshot shows you the option for Storage Account creation.

Note: This option will not be available for all resource types. Microsoft is adding this option to more and more resources everyday.

Azure Tips & Tricks - Quickly run commands or script on an Azure Virtual Machine (VM) without logging into the VM

Thu, 10 Jan 2019 00:00:00 +0500

When you are working with Azure Virtual Machines (VM), multiple times you will need to run some command on the VM. For this, you will need to connect to the VM, login and then open the console to run the command and then actually execute it. Instead of going through the trouble of connecting to the VM and logging in during the connection process, you can simple Run the command on the VM directly from the Azure portal.

Note 1: This feature uses the Azure VM Agent on the VM and will not work if the agent is missing.

To leverage this option navigate to your VM in the portal and select the option to "Run Command" under "Operations" section of the VM.

As shown above, you can Run Complete PowerShell script right from this screen. There are various options for common scenarios like checking IP Config which simply executes "ipconfig /all". You can check these common scenarios and the underlying script by clicking on them. If you want to execute then simply click "Run" in the popup blade.

Note 2: You will need to wait for the Output to appear. It takes some time and you just have to be patient. Once you click run, it gets disabled and the operation is running. Once the operation is complete you will see the output in the window. Do not navigate away from this popup blade/window.

Example of Running PowerShell Script

Let us say that you want to install IIS on the VM for quick testing. This can be done easily by running the below PowerShell:

Install-WindowsFeature -name Web-Server -IncludeManagementTools

Click on the "RunPowerShellScript" option. In the popup blade, type the script and hit Run. Wait for the output to appear. Do not navigate away from the window. You can check the status as indicated below.

That's all there is to it. For more information you can check the official documentation that can be found here: Run PowerShell scripts in your Windows VM with Run Command

Script Sample - Disassociate and Associate Subnets to Route Tables

Mon, 07 Jan 2019 00:00:00 +0500

If you need to test connectivity of your environment without the User Defined Routes then the easiest and most non-disruptive way is to simply disassociate the subnets from the Route Tables. Once your testing is complete, then you can simply reassociate the subnets back to the original Route Tables.

Note: Use these scripts with caution as these will affect the networking and communication between resources. Go through the scripts and ensure that you know what the scripts are doing before executing these in your environment. Also, always test these in a dev environment before running in any other environment.

Script samples and how they work

The scripts in this sample are:

Disassociate-SubnetsFromUDRs.ps1 - This script disassociates the subnets from the Route Tables

Associate-SubnetsToUDRs.ps1 - This script reassociates the subnets back to the Route Tables. This uses a CSV file as an input. A sample of the CSV file is also provided along with the script.

The disassociation script fetches the Route Tables and then gets the associated Subnet details from there. It then removes the association by setting the route table property on the subnet to $null as shown below:

Set-AzureRmVirtualNetworkSubnetConfig ` -Name $subnetName ` -VirtualNetwork $virtualNetwork ` -AddressPrefix $subnetAddressPrefix ` -RouteTable $null | Set-AzureRmVirtualNetwork

The association script works in an exactly opposite way. The major difference is that this script fetches the information from a CSV file as provided along with the sample. This can also be autogenerated (prior to disassociation). The script sample for generating this CSV can be found here: Generate Report for Route Tables with associated Subnets and related information

The command for creating the association of Subnet to the Route Table looks like below.

Set-AzureRmVirtualNetworkSubnetConfig ` -Name $subnetName ` -VirtualNetwork $virtualNetwork ` -AddressPrefix $subnetAddressPrefix ` -RouteTable $routeTable | Set-AzureRmVirtualNetwork

Location of the Scripts

You can find this script in GitHub at this location: User Defined Routes (UDRs) or Route Tables Related Scripts

Script Sample - Generate Report for Route Tables with associated Subnets and related information

Sun, 06 Jan 2019 00:00:00 +0500

When you have custom User Defined Routes (UDRs) in your environment on your Route Tables, you will have these Route Tables associated with various Subnets. If you want to report on the association of Route Tables with Subnets and any related information then you can use this sample script.

One use case is to use this script to export the associations so that if any association gets deleted then you can recreate later by reference to this report. Another script sample uses the output of this script to perform the association of the subnets to the Route Tables. That sample can be found here: Disassociate and Associate Subnets to Route Tables

Script Requirements and Workings

The script only requires you to update the path for the output csv report.

The script connects to the Azure and fetches all Route Tables by using the below command.

$routeTables = Get-AzureRmRouteTable

It then finds all the subnet linked on those Route Tables by using the Subnets property on the route table object as shown below.

$routeSubnets = $routeTable.Subnets

The script then iterates over all the subnets one by one. It then finds the related subnet information like Subscription id, the virtual network of the subnet and the Resource Group of the Virtual Network. It saves all this information to an array object named $results.

Finally, the script outputs all the results using the Export-Csv cmdlet:

$results | Export-Csv -Path $PathToOutputCSVReport -NoTypeInformation

Location of the Script

You can find this script in GitHub at this location: Report-UDRsWithSubnetInfo.ps1

Script Sample - Removing Locks from Azure Resources

Sun, 16 Dec 2018 00:00:00 +0500

In one of the earlier posts, we discussed the benefits of using locks and why you should apply these (to avoid accidental deletion) to any critical and important resources in Azure. We also saw a script sample to apply the locks on all key resources in your environment. The same can be reviewed again here: Apply Locks on Various Azure Resources.

Now once you have locks, you won't be able to remove the resources or remove configurations from them. To be able to remove configurations or to remove the resources itself you will need to remove the locks. You can do so in an automated fashion by using this script sample.

Script Requirements and Workings

The script does not have any specific requirements.

The script sample removes lock from all Azure Route Tables, but the same concept can be applied to any type of resource. It first fetches the Route Tables by using the below command:

$routeTables = Get-AzureRmRouteTable

Then it simply removes the lock by using the below command:

Remove-AzureRmResourceLock -LockName DoNotDelete -ResourceGroupName $routeTable.ResourceGroupName -ResourceName $routeTable.Name -ResourceType $routeTable.Type -Force

Location of the Script

You can find this script in GitHub at this location: Remove-Locks.ps1

Script Sample - VM Operations - Working with VM Snapshots and moving the Managed VMs across subscriptions and regions

Fri, 14 Dec 2018 00:00:00 +0500

This script sample is a combination of two scripts. At the time of the writing of this blog, the feature to move managed disks or images built using Managed disk VMs is not available in Azure. A workaround for this is as follows.

The two scripts

The two scripts provided are:

Copy-SnapshotToStorage.ps1 - This copies the Snapshot to a Storage account. This storage account can be in different subscription or even different region. The script uses the "Start-AzureStorageBlobCopy" cmdlet and also shows the progress of the copy operation.

Create-VMFromSnapshot.ps1 - This creates a VM from a Snapshot in a Storage account. It creates a Managed Disks VM leveraging the snapshot.

Scenario 1 - Moving a Managed VM or a Disk across subscriptions or regions

You will need to follow the below steps to move a VM built using Managed disks across subscriptions or regions:

First, create a snapshot on the VM

Then move the snapshot to a Storage account in the target area. Use the first script here.

Then create a VM using the snapshot by leveraging the second script provided in this post.

Scenario 2 - Moving the Image across subscriptions or regions

You will need to follow the below steps to move an Image built using Managed disks across subscriptions or regions:

Create a new VM using the image

Create a snapshot on the VM

Move the snapshot across to a Storage Account in the target area. Use the first script here.

Create a VM using the snapshot in the target area using the second script.

Finally, capture the VM to an image. Delete the image and snapshots from both source and target once image is created in the target area.

Location of the Script

You can find this script in GitHub at this location: Working with Azure VM Snapshots

Script Sample - VM Operations - Export VM Configurations

Tue, 11 Dec 2018 00:00:00 +0500

Exporting a VM configuration is a best practice that you should be doing before altering any configurations on the Virtual Machine. Any action that can corrupt the VM or its configurations should be preceded by exporting of VM's configurations. This allows you to be able to refer back to these configurations and recreate the VM in case of any unexpected scenario.

With the Script sample in this post, you can take the export of multiple VMs by providing the same in a csv configuration file. This file is very simple and the creation of this file itself can also be automated.

The script can also be altered to take an export of all the VMs in the environment.

Script Requirements

The script requires you to populate the configurations CSV file. The sample CSV file is also provided along with the script. This configurations file should have the following columns:

Computer - Name of the VM in Azure

ResourceGroupName - Resource Group of the VM

Script Working

This is a very simple but one of the most reusable script. It simply takes the export in two steps.

First it fetches the VM as shown below:

$currentVm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $virtualMachineName -ErrorAction Stop

Then, it takes the export by using the below command.

$currentVm | ConvertTo-Json -Depth 100 | Out-File -FilePath $fileName

The Trick: The most important thing is the Depth parameter when using ConvertTo-Json cmdlet. If you do not specify this then nested properties may not export properly. Specifying a large enough depth ensures that all nested properties are also exported.

The script encapsulates all this logic into a reusable function. It also provides the best practices template to invoke this function. Note: Check the comments marked with "ToDo" where you should be making the changes.

Location of the Script

You can find this script in GitHub at this location: Export-VMConfig.ps1

Script Sample - VM Operations - Apply HUB Licensing to Existing VMs

Fri, 07 Dec 2018 00:00:00 +0500

If you have older VMs in the environment and you wan to leverage Microsoft's Hybrid Use Benefit i.e. HUB licensing then this script can update multiple VMs in your environment in an automated way for you.

NOTE:

Before you apply the HUB licensing, please make sure whether you are eligible for HUB licensing benefits or not. Refer the official documentation here: Azure Hybrid Benefit

Script Requirements

The script requires you to populate the configurations CSV file. The sample CSV file is also provided along with the script. This configurations file should have the following columns:

Computer - Name of the VM in Azure

OSType - Windows or Linux

ResourceGroupName - Resource Group of the VM

HUBLicensingNeeded - yes or no. The HUB Licensing is set for only the VMs for which this value is set to yes.

Script Working

In its entirety, the HUB licensing is just a switch for "LicenseType" on the VM. For Windows servers, if it's value is set to "Windows_Server" then this means that you own a Windows Server license and are claiming the HUB Licensing benefits on this VM.

The script applied the HUB licensing in 3 steps. First, it fetches the VM.

$currentVm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $virtualMachineName -ErrorAction Stop

Then it applies the HUB licensing as shown below.

$currentVm.LicenseType = "Windows_Server"

Lastly, it updates the VM object.

Update-AzureRmVM -VM $currentVm -ResourceGroupName $ResourceGroupName

Note: As a best practice, the script also checks whether the HUB Licensing is already applied or not. If the HUB licensing is already there on the VM then the Script does applies it again. There may be small downtime when the VM is updating and therefore a short downtime should be planned when doing this operation.

The script encapsulates all this logic into a reusable function. It also provides the best practices template to invoke this function. Note: Check the comments marked with "ToDo" where you should be making the changes.

You can find more related details in official documentation here: Azure Hybrid Benefit for Windows Server

Location of the Script

You can find this script in GitHub at this location: Apply-HubLicensing.ps1

Script Sample - VM Operations - Change Azure VM Size

Mon, 03 Dec 2018 00:00:00 +0500

If you want to change the size of multiple Azure VMs in your environment, then you can leverage this script sample to update the sizes in one go. You will want to change the size of the VMs periodically after thoroughly reviewing the consumption. This can optimize your environment and can save you money in the process as well.

Script Requirements

The script requires you to populate the configurations CSV file. The sample CSV file is also provided along with the script. This configurations file should have the following columns:

Computer - Name of the VM in Azure

OSType - Windows or Linux

ResourceGroupName - Resource Group of the VM

SizeConversionNeeded - yes or no

NewVMComputeSize - new size of the VM. e.g. Standard_DS4_v2. This should conform to the VM size names. For Windows VMs these names can be found by navigating to one of the sizes related link here: Sizes for Windows virtual machines in Azure

Script Working

The script works in 3 simple steps. In the first step the script fetches the Azure VM using Get-AzureRmVM cmdlet and ensures that it exists.

$currentVm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $virtualMachineName -ErrorAction Stop

The second step is to update the size property for the Hardware profile of the vm object.

$currentVm.HardwareProfile.VmSize = $vmSize

Lastly, the script updates the VM using the below command.

Update-AzureRmVM -VM $currentVm -ResourceGroupName $ResourceGroupName

Note that there will be a restart on the VM during the size conversion. Do plan for an outage although very minimal. Do keep some buffer in the outage window to account for any unforeseen issues that may occur during the conversion. I have converted various VMs and have never encountered any issues. Still, when I plan for an outage, as a best practice I do plan for a larger window.

The script encapsulates all this logic into a reusable function. It also provides the best practices template to invoke this function. Note: Check the comments marked with "ToDo" where you should be making the changes.

Location of the Script

You can find this script in GitHub at this location: Change-AzureVMSize.ps1

Script Sample - VM Operations - Convert VM to Managed Disk VM

Sun, 02 Dec 2018 00:00:00 +0500

If you want to convert multiple VMs from older Storage Account disks to Managed Disks you can leverage the automation capabilities provided by Microsoft via PowerShell. This script sample uses these capabilities in a managed and reusable way.

Script Requirements

The script requires you to populate the configurations CSV file. The sample CSV file is also provided along with the script. This configurations file should have the following columns:

Computer - Name of the VM in Azure

OSType - Windows or Linux

ResourceGroupName - Resource Group of the VM

ManagedDiskConversion - yes or no. Set this to yes for the VMs for which you want to perform the conversion from older disk type to Managed Disk VMs

Script Working

The process of Managed Disk conversion is different for a VM with Availability Set and one without it. For this reason the script first checks for the Availability Set of the VM.

$avSet = Get-AzureRmAvailabilitySet -ResourceGroupName $rgName -Name $asName -ErrorAction Stop

It then checks and sets the Managed flag on the Availability Set by using the following command.

Update-AzureRmAvailabilitySet -AvailabilitySet $avSet -Managed -ErrorAction Stop

It then stops the VM, converts it to Managed Disk Vm and then waits for 600 seconds. The conversion is performed by following command.

ConvertTo-AzureRmVMManagedDisk -ResourceGroupName $rgName -VMName $vm.Name

Note: The script does not start the VM to avoid unnecessary costs. E.g. if the VM was stopped to begin with and you didn't want to start it. Unnecessary starting of a VM will incur you charges that you do not want. You can still update the script to start the VMs by simply adding the cmdlet for Start-AzureRmVM if you want.

The script encapsulates all this logic into a reusable function. It also provides the best practices template to invoke this function. Note: Check the comments marked with "ToDo" where you should be making the changes.

Location of the Script

You can find this script in GitHub at this location: Convert-VMToManagedDisk.ps1

Script Sample - VM Operations - Setting up the VM Backup

Fri, 23 Nov 2018 00:00:00 +0500

If you want to set up VM Backup for multiple VMs in your environment you can leverage this script. This script lets you provide a CSV file as an input to the script and configures the Backup on all the VMs as per the configurations.

Script Requirements

The script requires you to populate the configurations CSV file. The sample CSV file is also provided along with the script. This configurations file should have the following columns:

Computer - Name of the VM in Azure

OSType - Windows or Linux

ResourceGroupName - Resource Group of the VM

EnableBackup - yes or no

RecoveryServicesVaultName - Recovery Services Vault Name for the Backup

BackupProtectionPolicy - Backup Protection Policy name inside the Recovery Services Vault. E.g. Daily-30--Weekly-8--Monthly-6

Script Working

The script first fetches the Azure Recovery Services vault using the below command.

$recoveryServicesVault = Get-AzureRmRecoveryServicesVault -Name $RecoveryServicesVaultName

It then uses this information to set the Recovery Services Vault Context as shown below.

$recoveryServicesVault | Set-AzureRmRecoveryServicesVaultContext -ErrorAction Stop

It then fetches the container for the VM Backup using below command. Through this, it checks if the Backup is already configured on the VM or not. If it is already configured then no further action is taken.

$namedContainerCheck = Get-AzureRmRecoveryServicesBackupContainer -ContainerType "AzureVM" -Status "Registered" -FriendlyName $virtualMachineName

The Backup policy is fetched next:

$policy = Get-AzureRmRecoveryServicesBackupProtectionPolicy -WorkloadType "AzureVM" | where {$_.Name -eq $BackupProtectionPolicy}

Finally, the Backup is configured on the VM using the below command.

Enable-AzureRmRecoveryServicesBackupProtection -Policy $policy -Name $virtualMachineName -ResourceGroupName $ResourceGroupName -ErrorAction Stop

Once the Backup is successfully configured, as a best practice, we need to trigger an initial Backup of the VM. The same is performed by the below commands.

Write-Host "Fetching the Recovery Services Backup Container" $namedContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType "AzureVM" -Status "Registered" -FriendlyName $virtualMachineName Write-Host "Fetching the Recovery Services Backup Item" $item = Get-AzureRmRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM" Write-Host "Triggering a Backup on the VM" $job = Backup-AzureRmRecoveryServicesBackupItem -Item $item

The script encapsulates all this logic into a reusable function. It also provides the best practices template to invoke this function. Note: Check the comments marked with "ToDo" where you should be making the changes.

Location of the Script

You can find this script in GitHub at this location: Enable-VMBackup.ps1

Script Sample - Checking if the Prompt for current script is Elevated or not

Mon, 19 Nov 2018 00:00:00 +0500

Multiple times I have run into scenarios where the end users were reporting issues with the script but eventually, it turned out to be an access issue. The script required to be executed from an Elevated console (i.e. Run As Administrator) but the end user was trying to execute it as a normal user. Wouldn't it be nice if the script can check itself if it is being executed from an Elevated prompt or not and would report the same as a requirement.

This script sample can be reused in multiple scenarios and in multiple scripts. It will ensure that the script is executed only via an elevated prompt or else it will throw error with relevant details for the end user to take corrective action.

Script workings

The script first fetches the current Windows security principal by using the below commands:

$WindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent() $WindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($WindowsID)

It then fetches the Administrator Role related details using below commands:

$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

Now that it have both the required information, the script checks if the current Windows Principal is part of the Administrator role or not by using below condition:

if ($WindowsPrincipal.IsInRole($adminRole)) { return $True } else { return $False }

The complete script sample turns this into a reusable logic and provides a template for using this with other code.

Location of the Script

You can find this script in GitHub at this location: Get-IsElevated.ps1

Script Sample - Creating Multiple Resource Groups with RBAC Role Assignment

Thu, 15 Nov 2018 00:00:00 +0500

You can automate the creation of the Resource Groups and also assign RBAC roles to these Resource Groups. This script sample shows you how you can accomplish this. It serves as a starting point for the automation of the resource group creation. You can modify the script as per your requirements.

How the Script works

The script takes the names of the Resource groups to be created as an array. You can modify the script to take this input from a CSV file along with other parameters like the location of the Resource Group and the related role assignments.

The script uses the below command to create a Resource Group.

New-AzureRmResourceGroup -Name $rg -Location eastus

Note that the location is hard-coded in the above command. This can also be parameterized.

It then uses the below command to make the role assignments on this Resource Group.

New-AzureRmRoleAssignment -ObjectId $ADGroup01.Id -RoleDefinitionName "Contributor" -ResourceGroupName $rg

Note that you can use the same command to make the assignments for a group, user or an app registration. You just need to provide the appropriate Id for the ObjectId parameter.

Location of the Script

You can find this script in GitHub at this location: Create-ResourceGroupsWithRBACAssignments.ps1

Script Sample - Set Tags on Azure Resources

Wed, 07 Nov 2018 00:00:00 +0500

Earlier we fetches the Azure resources report with the Tagging related information. You can review that script to fetch the report here: Script Sample - Generate Azure Resources Report by Tags v3.0

The output CSV generate by that script can be updated. It can be corrected for missing tag values or incorrect tag values, etc. The updated csv then can become an Input to the script sample discussed in this blog. This script will read from the updated CSV file and will apply the tags back to the Azure.

Note: This script takes lot of time because the underlying cmdlet takes lot of time to set the tags (i.e. "Set-AzureRmResource" cmdlet). So it is advised that you filter to only the resources for which you want to update the tags.

Script Workings

As mentioned earlier, this script inputs the CSV file generated earlier. The schema for this input file can be checked from the output of Get script from the link mentioned above.

The script then connects to Azure and updates the Tags. If the Tags were not present already then it adds the tagging information. It uses the below command to update the tags.

Set-AzureRmResource -Tag $r.Tags -ResourceId $r.ResourceId -Force

Location of the Script

You can find this script in GitHub at this location: Set-AzureRmTags.ps1

Script Sample - Generate Azure Resources Report by Tags v3.0

Sat, 03 Nov 2018 00:00:00 +0500

This is version 3.0 of an older script which generates the report for Azure resources by Tags. This is one of the most important script that ensures that you are compliant in your environment. You can pull reports on the CSV generated by this script to see which resources are missing tags or which resources do not have the correct tags applied.

What is updated in this version: This version now can parse the Tags. It even factors for the spacing between the tag names. You will need to tweak the script to parse your own tags. Sample is provided in the script. You will need to modify the lines between 87 and 145 in the lined script.

You can still refer the older script here along with the details mentioned in that post: Script Sample - Generate Azure Resources Report by Tags

Location of the Script

You can find this script in GitHub at this location: Get-AzureRmTagsReport - v3.0.ps1

Next Steps - Setting the updated Tags

Now, what do you do witht he output CSV report that you got from running this script. You will update this csv file by making the corrections. If any resources will be missing any tags then you will add the same. After that this CSV file will become an input to another script, which will Set the changes for the Tags back to Azure resources. This script can be found here: Script Sample - Set Tags on Azure Resources.

Script Sample - Getting Azure Resource Reports

Thu, 25 Oct 2018 00:00:00 +0500

This post is for two script samples in one. You can fetch reports on Azure resources with the script sample in this post. The two scripts in this post are:

Get-AzureRmAllResourceReport - which fetches the report for all Azure resources in all subscriptions

Get-AzureRmResourceReportForOneResourceGroup - which fetches the report for Azure resources in a particular Resource Group

Script Inputs

All you need to do is to provide the path for the output csv file. In the second script you also need to provide the name of the Resource Group.

The script will iterate all Azure resources and will provide an output csv file. For Azure VM and SQL the script will also provide additional information.

Location of the Script

You can find this script in GitHub at this location: Scripts to Fetch Azure Resource Reports

Script Sample - Apply RBAC Role to Users on Resources

Mon, 22 Oct 2018 00:00:00 +0500

If you have to assign a role to users onto multiple resources, this script can reduce your workload and can do the heavy lifting for you. Simply provide the inputs and you can provide access to the users at any scope i.e. Subscriptions, Resource Group or individual resource.

Currently, the script factors in Virtual Machines as individual resources, but these can be replaced by any resource type.

Inputs and Script Requirements

The script takes in the following inputs:

csvLocation - this is the CSV containing the name of the resources on which you want to provide the role-based access. An example CSV is also provided with the script. It is simply two column CSV. The first column being the VM Name (or resource name if you want to generalize) and the second column is the Resource Group containing that resource.

role - This is the role that you want to assign. E.g. "Virtual Machine Operator"

Scope - this can be one of the 3 values viz. "VirtualMachine", "Subscription" or "ResourceGroup"

Usernames - this can be an array of the user names who will be assigned the access on the resources

Groupnames - if groups need to be assigned access then they can be mentioned here

RBACOperatorFlag - a boolean value with the default value of true. You set this to false when you are making changes and do not want the script to perform any actions. You do not need to worry about this parameter for most scenarios and can ignore this.

Example Execution

Example execution of the script will look like below.

Apply-RBACRoleToResources -csvLocation "C:\Users\aman\Documents\AzureVM.csv" -role "Virtual Machine Operator" -Scope "VirtualMachine" -UserNames "user1,user2" -GroupNames "abac"

The above command will read the VM names and their related REsource Groups form the AzureVM.csv file. This will assign "Virtual machine operator" role at the Virtual Macine level. This role will be assigned to the user1 and user2 users along with abac Group name.

Location of the Script

You can find this script in GitHub at this location: Apply-RBACRoleToResources.ps1

Script Sample - Check for Pending Reboots on various VMs in your environment

Mon, 15 Oct 2018 00:00:00 +0500

Often times you will need to check if there are any VMs/Servers in your environment which have Pending Reboot on them. You will want to schedule and perform a planned reboot on these VMs after going through proper processes.

The script sample in this post is about checking multiple Vms in your environment and check if there is any Pending Reboot on any of the VMs. The script uses WMI queries to check if there is any pending reboot on the machine.

This script was not authored by me. I received it from one of my colleagues and I couldn't track the original author of this script. Nevertheless, this is a very useful script for system administrators.

Script Usage

The script can be used as shown below:

C:\Users\aman\Downloads> import-module .\Get-PendingReboot.ps1 C:\Users\aman\Downloads> $Servers = Get-Content C:\Users\aman\Downloads\Servers.txt C:\Users\aman\Downloads> Get-PendingReboot -Computer $Servers | Export-Csv C:\Users\aman\Downloads\PendingRebootReport.csv -NoTypeInformation

In the 2nd command above, the Server.txt file should simply have the list of names of the computers in your environment with one computer name per line.

Location of the Script

You can find this script in GitHub at this location: Get-PendingReboot.ps1

Script Sample - Apply Locks on Various Azure Resources

Thu, 11 Oct 2018 00:00:00 +0500

Locks is a very important but very less known feature in Azure. This feature is available for all resources in Azure. This prevents unintended operation on a particular resource.

You have two types of locks in Azure:

ReadOnly - You won't' be able to alter any configuration of the resource

DoNotDelete - You will be able to add configurations but will not be able to remove configurations or even delete the resource

Do Not Delete is the lock, that as a best practice, you should apply on all critical resources in the environment. Once this lock is there on the resources, even the global administrator will not be able to delete the resources. The only way to delete the resources will be to delete the lock first and then delete the resources.

The Script Sample Details

This script sample leverages this concept of locks and uses the below cmdlet to apply the locks on various critical resources in the environment.

New-AzureRmResourceLock -LockLevel CanNotDelete -LockName DoNotDelete -ResourceName $vNet.Name -ResourceType $vNet.Type -ResourceGroupName $vNet.ResourceGroupName -LockNotes "Do Not Delete Lock" -Confirm -Force

The above command uses New-AzureRmResourceLock cmdlet to create the Do Not Delete lock on a Virtual Network.

This script iterates through all subscriptions that your account has access to and then applies the lock to all resources of type:

Virtual Network

Route Tables

Express Routes

Virtual Network Gateways

Virtual Network Gateway Connections

Recovery Services Vaults (i.e. ASR Vaults)

Location of the Script

You can find this script in GitHub at this location: Apply-LocksOnVariousAzureResources.ps1

Script Sample - Azure Automation - Check VM Availability

Fri, 05 Oct 2018 00:00:00 +0500

One of the most common scenarios is to check if a VM is available or not. If you want to connect to a VM and take some actions, it is a best practice to first check if the VM is available and responsive or not. This script sample performs multiple checks. You can tweak these checks to include only the ones that you need.

Also, there are some pieces of information that you can get only from inside the VM. E.g. the domain to which a VM is connected. This scripts ensures that the script is available. If it is available then it can also fetch such pieces of information for you.

What does the Script check

The script makes multiple checks which include:

Ping check using the Test-Connection cmdlet

PS Remoting checking by trying to open a PS Session using New-PSSession cmdlet

The script also tries to connect to the WMI and list various object using Get-Wmiobject cmdlet

Similar to the PS Remoting check it also checks for WS Man by using the Test-WSMan cmdlet

It can then fetch VM related information by either remoting into it or by using WMI. E.g. it can fetch domain of the VM by using below WMI cmdlet.

$Domain = $wmi.GetStringValue($HKLM, $MachineKey, "NV Domain").sValue

Script Inputs and Requirements

The script only takes below two input parameters:

NameOfTheVM

IPOfVM

The script requires a credential object with the name as "AutomationCredentialName". These credential should have login and remoting access into the VM.

Location of the Script

You can find this script in GitHub at this location: Check-VMAvailability.ps1

Script Sample - Azure Automation - Get VM Information from actual Azure Virtual Machine

Mon, 24 Sep 2018 00:00:00 +0500

Many times, when automating your infrastructure, you will need to work with Azure Virtual Machines. Based on just the name of the VM and it's Resource Group, you will need to know about it's Network Interfaces and it's IP address.

This Runbook sample connects to Azure using Service Principal and fetches various VM properties. The Runbook can be tweaked to fetch more or less information as per the requirements.

Script Input and Requirements

The script takes the below inputs:

VM Name - name of the VM

ResourceGroupNameofVM - name fo the Resource Group in which the VM exists

Azure Tenant Id - Id of the Tenant. This is the Azure Active Directory's Id which can be found in Azure AD properties in the portal

Subscription Id - Id of the Subscription in which the VM exists

The VM also requires a credential Object i.e. a Service Pricipal, which will have access to the Virtual machine.

Working of the Script

The script uses the below command to log into the Azure using the Service Principal.

$AzureRMConn = Login-AzureRmAccount -ServicePrincipal -Credential $Cred -TenantId $AzureTenantId -ErrorAction SilentlyContinue -ErrorVariable LoginError

If the connection is successful then the Subscription is selected using below cmdlet.

$ConnSubs = Select-AzureRmSubscription -SubscriptionId $SubscriptionID

Then the actual VM information is fetched using below cmdlet.

$VM = Get-AzureRmVM -ResourceGroupName $VMResourceGroup -Name $VMName

This fetches basic VM information. To fetch detailed information regarding the network interface of the VM, below cmdlets are used.

$nicId = $VM.NetworkProfile.NetworkInterfaces[0].Id $VMNetowrkInterface = Get-AzureRmNetworkInterface -ResourceGroupName $VMResourceGroup -Name $nicId.Split('/')[8] $VMMainIPConfig = $VMNetowrkInterface | Get-AzureRmNetworkInterfaceIpConfig $strVMMainNicName = $VMMainIPConfig.Name $strVMMainNicIPAddress = $VMMainIPConfig.PrivateIpAddress

The first cmdlet above fetches the Id of the first Network Interface on the VM. Then the second cmdlet uses this Id to fetch the actual network interface. The third cmdlet uses Get-AzureRmNetwrokInterfaceIpConfig to fetch the IP configuration on this network interface. Then last two lines use this Ip configuration to fetch the Private IP address on the VM.

Location of the Script

You can find this script in GitHub at this location: Get-VMInfoFromAzure.ps1

Script Sample - Azure Automation - Sending Email Notification

Sat, 22 Sep 2018 00:00:00 +0500

Sending email notifications from Azure Automation is a requirement that you will encounter a lot when working with any automation scenario. You may want to send an email notification on the completion of the job or on the failure of the job.

This script sample helps you bootstrap the Runbook for you.

Script Inputs and Requirements

The script takes the following input parameters:

SMTP Server URL

SMTP Server Port

User Credentials - Boolean value to check if user credentials are required or not

Credential Name - Credential name for the credential asset in your Azure Automation Account

EnableSsl - Boolean value to select if you want to enable SSL or not

Email From - From address for the email

Email To - Receipient of the email

Email Subject - Subject of the email 9 Message Body - This can be html. So you can compose your email to make it look more professional

The script also requires you to have a Credential asset in your Azure Automation Account. It's name is specified in the 4rth parameter above. This credential is used to connect to the SMTP server. In the sample this smtp server is an O365 email account.

Script Working

The script uses a SMTP Client to send the email. This client is created using the below cmdlet.

$SmtpClient = New-Object System.Net.Mail.SmtpClient $SMTPServerUrl, $SMTPServerPort

where $SMTPServerUrl is the URL of the SMTP server and $SMTPServerPort is the port number used by the SMTP server.

Later, this client is used to send the email by using it's send function as below.

$SmtpClient.Send($Message)

Location of the Script

You can find this script in GitHub at this location: Send-EmailNotificationFromAzureAutomationRunbook.ps1

Script Sample - Azure Automation - Get VM Information from ASR Recovery Plan Context

Wed, 12 Sep 2018 00:00:00 +0500

This script sample is to parse the Recovery Plan Context from Azure Site Recovery. When an Azure Automation Runbook is invoked directly from Azure Site Recovery, it passes an object called Recovery Plan Context. This has all the crucial information regarding the failover operation like:

Recovery Plan Name

Failover Type

Failover DIrection

Subscription Name

Resource Group Name

VM Name

Sample Recovery Plan Context

A sample Recovery Plan Context looks like below. Please note that this is formatted appropriately here. In the Runbook it will look flattened i.e. instead of multiple lines, the context will be contiguous and will be presented in a single long line. Its data type is Object when coming from ASR Recovery Plan.

{ "RecoveryPlanName":"RecoveryPlan-Test", "FailoverType":"Test", "FailoverDirection":"PrimaryToSecondary", "GroupId":"Group1", "VmMap":{ "aaaaaa-1111-1111-1111-aaaaaaaaaaa":{ "SubscriptionId":"bbbbbbbb-2222-2222-2222-bbbbbbbbbbb", "ResourceGroupName":"rg-dr-test-asr", "CloudServiceName":null, "RoleName":"VMName-test", "RecoveryPointId":"cccccccccc-3333-3333-3333-cccccccccccc", "RecoveryPointTime":"\/Date(1550773609103)\/" } } }

How does this Script work

The script first uses "ConvertFrom-Json" cmdlet to parses the object to valid PowerShell object. It then uses the VMMap property of the Recovery Plan Context object to get various pieces of the information.

The script also uses a foreach look to factor for multiple Vms in the Recovery Plan. It will output an array of the VMs with the required information, which can then be consumed in your logic to perform actual functions on the VMs. E.g. You can then connect to the VM and install some extensions on it.

How to Invoke This Runbook/Script

This script can be directly invoked from Azure Site Recovery (ASR)'s Recovery Plan or can be invoked from a master Runbook. It is a best practice to invoke this Runbook from a master Runbook. A sample for this Runbook is provided and discussed here: Script Sample - Azure Automation - Runbook for ASR Recovery Plan

Location of the Script

You can find this script in GitHub at this location: ASR-Get-VMSInfoFromASRContext.ps1

Script Sample - Azure Automation - Runbook for ASR Recovery Plan

Wed, 05 Sep 2018 00:00:00 +0500

When you are automating Azure Site Recovery, you will be working with Azure Automation Runbooks. You will invoke these from within the Azure Site Recovery Plan. The input parameter to this Runbook will be a Recovery Plan Context, that will automatically be passed by the ASR Recovery Plan. This Recovery plan context will contain information like:

Recovery Plan Name

Failover Type

Failover DIrection

Subscription Name

Resource Group Name

VM Name

The Azure Automation Runbook should be able to receive this information and parse it.

Best Practice and this Script Sample

As a best practice, you should leverage the main Runbook to perform operational functions. E.g. If the automation that you want to trigger on Failover, requires connection to the company's internal network, then you would want it to run on a Hybrid worker (which will be connected to your internal network). As such, I recommend that the parsing of the recovery plan context should be done in another Runbook, which should be invoked by the main Runbook.

This sample PowerShell Runbook accepts the Recovery Plan context and passes it to the second Runbook. That Runbook may or may not run on a Hybrid worker.

Sample Recovery Plan Context

A sample Recovery Plan Context looks like below. Please note that this is formatted appropriately here. In the Runbook it will look flattened i.e. instead of multiple lines, the context will be contiguous and will be presented in a single long line. Its data type is Object when coming from ASR Recovery Plan.

{ "RecoveryPlanName":"RecoveryPlan-Test", "FailoverType":"Test", "FailoverDirection":"PrimaryToSecondary", "GroupId":"Group1", "VmMap":{ "aaaaaa-1111-1111-1111-aaaaaaaaaaa":{ "SubscriptionId":"bbbbbbbb-2222-2222-2222-bbbbbbbbbbb", "ResourceGroupName":"rg-dr-test-asr", "CloudServiceName":null, "RoleName":"VMName-test", "RecoveryPointId":"cccccccccc-3333-3333-3333-cccccccccccc", "RecoveryPointTime":"\/Date(1550773609103)\/" } } }

Location of the Script

You can find this script in GitHub at this location: ASR-RunbookForRecoveryPlans.ps1

Runbook for Parsing the Recovery Plan Context

The Runbook for parsing the Recovery Plan Context is discussed here: Script Sample - Get VM's Information from ASR Context. The Runbook/script in that link is the one that is being invoked by the Runbook discussed in this blog post.

Updating a Custom RBAC Role in Azure

Wed, 29 Aug 2018 00:00:00 +0500

In one of the earlier blog, we saw how to add a custom role in Azure to manage Role Based Access Control (RBAC) at more granular level. You can review the earlier post here: Demystifying Azure Security - Custom RBAC Roles.

In this post, we will see how to make quick changes to this custom role leveraging Azure PowerShell script.

Making the updates

Just like any other Azure PowerShell script, you will connect to Azure and select the right subscription by using the following cmdlets.

Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionName $SubscriptionName

Then you will fetch the current custom role by using the below cmdlet.

$role = Get-AzureRmRoleDefinition $roleName

Optionally, if you want to inspect the current role, then you can use below cmdlet to generate JSON file for the current custom role.

Get-AzureRMRoleDefinition -Name $roleName | ConvertTo-Json

Then you can make updates to the "$role" object. One such sample could be as outlined below which adds the action to allow stopping of the VMs and then updates the description of the custom role.

$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action") $role.Description = "Can monitor, Start, Stop and restart virtual machines."

Finally, the role is updated back to the Azure portal by using the below cmdlet.

Set-AzureRmRoleDefinition -Role $role

Location of the Complete Script

You can find this script in GitHub at this location: Update-CustomRoleSample.ps1

Script Sample - Set Azure Site Recovery (ASR) Prerequisite Services

Thu, 23 Aug 2018 00:00:00 +0500

When you want to use Azure Site Recovery (ASR) either for Migration or for Disaster Recovery (DR), you will need to enable replication. Under the hood, this involves installation of the Mobility Services agent. This has few pre-requisites for some services to be enabled and set up appropriately.

In the last script sample, we saw how to check remote computers if these services are set correctly or not. That sample can be found here: Script Sample - Check Azure Site Recovery (ASR) Pre-requisites.

In this sample, we will see how to set these services correctly on the remote computers.

How it works

This script will query the remote computers and set the service status for the 3 ASR Required services. These 3 services are:

Volume Shadow Copy(VSS)

COM+ System Application(COMSysApp)

Microsoft Distributed Transaction Coordinator Service (MSDTC)

The script will set the startup type of the services to "automatic" and will then "start" the service. It uses the below cmdlets to perform these actions.

Set-Service -name 'msdtc' -ComputerName $Computer -StartupType Automatic Start-Sleep -s 5 Get-Service -Name 'msdtc' -ComputerName $computer| Start-Service

The cmdlets to configure other two services is similar.

Location of the Script

You can find this script in GitHub at this location: Set-ASRPrerequisiteServivces.ps1 on GitHub

Script Sample - Check Azure Site Recovery (ASR) Prerequisite Services

Mon, 20 Aug 2018 00:00:00 +0500

When you want to use Azure Site Recovery (ASR) either for Migration or for Disaster Recovery (DR), you will need to enable replication. Under the hood, this involves installation of the Mobility Services agent. This has few pre-requisites for some services to be enabled and set up appropriately.

If you have a large environment then you can do this in an automated fashion by leveraging this script sample. You can learn more about these services related requirements by checking the "Checking Services" section in here: Troubleshooting Azure Site Recovery (ASR) - Data Replication Initiation Issues - Part 2

How it works

This script will query the remote computers and check for service status for the 3 ASR Required services, and export to CSV. These 3 services are:

Volume Shadow Copy(VSS)

COM+ System Application(COMSysApp)

Microsoft Distributed Transaction Coordinator Service (MSDTC)

The script uses WMI to fetch the data from the remote computer(s) and checks if these services are in the "running" state and whether or not the startup type is set to "automatic". If both conditions are not met then the state is reported as "Set Incorrectly". If both conditions are met then the result is reported as "Set Correctly"

Location of the Script

You can find this script in GitHub at this location: Check-ASRPrerequisiteServices.ps1 on GitHub

Next Script - Setting these services automatically

Next, we will check the script sample to set these services appropriately. This sample can be found here: Script Sample - Set Azure Site Recovery (ASR) Pre-requisite Services

Script Sample - Format EA Billing Usage Csv for Tags

Wed, 08 Aug 2018 00:00:00 +0500

As a system administrator, you will need to work with Enterprise Agreement (EA) related billing data a lot. As such you will need to pull lots of reports based on this consumption and usage related csv file that you get from the EA portal i.e. at address: https://ea.azure.com. Tagging is one of the important components. But it comes as a composite JSON in one column. You will want to split this into multiple columns, with one column for each tag.

The script sample in this blog performs exactly this parsing for you. You will need to tweak the script to include the tags as per your environment.

Note: The EA portal is only available to the EA customer. If you are not an EA customer, then if you try to login, you will get the following error:Invalid User: The account provided is not a valid user of the Microsoft Azure Enterprise Portal. Please sign in with a valid account. If you believe you have received this message in error, please contact Support.

Sample Input EA Azure Billing CSV

The tags section in the CSV will look similar to below JSON format key-value pairs under the column for "Tags":

{ "ApplicationOwner": "aman@domain.com", "BusinessUnit": "Infrastructure", "ApplicationType": "Test", "Department": "Infrastructure"}

Now as a requirement, you will want to split this to separate columns for the Tags for "Application Owner", "Business Unit", "ApplicationType" and "Department".

How does the script parse this JSON

The script parses the JSON by splitting it into multiple values and then saving the new object as an output CSV. Right now these tag values are hard coded into the script and needs to be tweaked as per your requirements. Look out for the names of the variables and output member names with same name as that of the Tags mentioned above. These are the ones that you will need to alter.

The script also takes into factor if the tag was added incorrectly with space in the name instead of pascal casing (i.e. name with no space between two words and first letter capital for each word).

Location of the Script

The script is located in the GitHub along with samples for Input and Output CSV files at this location: GitHub location for Format Billing CSV Script

Note: An alternative to using the billing related csv file is to leverage PowerBI and build dashboards by consuming the EA related billing APIs which are available out of the box. These are in preview at the time of the writing of this blog. Parsing tags is still an issue with these. We will cover these in one of the future blog post.

Script Sample - Export All OMS Log Analytics Saved Searches

Wed, 25 Jul 2018 00:00:00 +0500

If you work with OMS Log Analytics then you end up working with lots of queries. To manage the most used queries specific to your environment you save these as Saved Searches. These can be reusable in other projects as well. Therefore, you will want to export these saved searches.

How it works

This is the most simple but very useful script sample. It exports by simply using the below cmdlet. You can use the below cmdlet alone as well instead of using the whole script, if you are already logged into Azure and have the right subscription selected.

(Get-AzureRmOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-Json

Note that it uses "ConvertTo-Json" cmdlet to export the Saved Searches to JSON output. You can later reuse this JSON to import these saved searches into a different environment as well.

Location of the Script

You can find this script in GitHub at this location: Export Log Analytics Saved Searches

Script Sample - Export All Azure Automation Account Runbooks and Variables

Mon, 16 Jul 2018 00:00:00 +0500

When you work with Azure Automation, you build lots of Runbooks over time. When the volume grows, you can't just export each and every Runbook one by one. Add to it the fact, if you have multiple Azure Automation accounts. It becomes a nightmare to download all the Runbooks one by one.

There are two ways to export all the Runbooks all at once.

First method - Using Azure Automation PowerShell ISE Add-On

You can install the Azure Automation PowerShell ISE Add-on and connect to your Azure Automation Account. Then you can download all the Runbooks locally and copy the same. This Add-On can be downloaded from GitHub or PowerShell gallery as per the instructions provided here: Azure Automation PowerShell ISE Add-On

Second method - Using this script sample

This script sample requires you to update the input variables for your environment i.e. related to your subscription, Azure Automation account name etc. Then it connects to the Azure using below cmdlet.

Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionName $SubscriptionName

Then it exports the Azure Automation Runbooks using below cmdlets. Here it first fetches all the Runbooks and then uses "Export-AzureRmAutomationRunbook" cmdlet to export these to a local folder.

$AllRunbooks = Get-AzureRmAutomationRunbook -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName $AllRunbooks | Export-AzureRmAutomationRunbook -OutputFolder $OutputFolder

Finally, it exports the variables in the environment by using the below cmdlets. Here it first fetches the variables and then uses "Export-Csv" cmdlet to export the variables to a csv file.

$variables = Get-AzureRmAutomationVariable -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName $variablesFilePath = $OutputFolder + "\variables.csv" $variables | Export-Csv -Path $variablesFilePath -NoTypeInformation

Location of the script

This script is located in the Github here: Export Azure Automation Runbooks and Variables

Book published on Amazon - Quick and Practical Guide to ARM Templates

Tue, 27 Mar 2018 00:00:00 +0500

Quick and Practical Guide to ARM Templates is a very non-conventional book. The objective of the book is to help you "Become Experts in Developing ARM Templates for Microsoft Azure without any prior knowledge". This book is for both a beginner and intermediate users.

Update [03-27-2018]: This book is available for FREE for a limited time only (on 27, 28 and 29th March, 2018 till midnight Pacific Time). Download Now!!!

This is a quick and practical approach to learning ARM Templates for Azure. It covers only the most essential topics that you will need 95% of the time while working with ARM Templates. The goal is to have you working faster and quicker on ARM Templates without compromising any of the best practices.

The book assumes that you do not have prior knowledge of ARM Templates. If you have no development background then this book is for you. It starts by building the fundamentals on which ARM Templates are built. The more practical approach means less theory and more focus on the practical aspects that can help you start working and delivering on ARM Templates.

You can view the book on Amazon.com here: https://www.amazon.com/dp/B07C8LSBSN

You can also search for the book in your local Amazon marketplace.

Getting Started with Virtual Machine Serial Console access

Mon, 26 Mar 2018 00:00:00 +0500

This is the feature we all have been waiting for. This gives power back to administrators in the cloud. Virtual Machine Console Access is now available in Preview in Azure. The console is called Special Administrative Console (SAC). With this you can perform advanced troubleshooting like correcting firewall rules by fixing iptables, recovering filesystems, locking down the network, interacting and modifying the bootloader etc.

Note: Windows images on Azure do not have Special Administrative Console (SAC) enabled by default. SAC is supported on server versions of Windows but is not available on client versions (e.g. Windows 10, Windows 8 or Windows 7).

How to Enable SAC on Windows VM

On a Linux VM, the serial access will be available but for Windows VM you need to perform additional steps in the VM to enable this. The steps to enable are:

Login to your VM via Remote Desktop

From an Administrative command prompt run the following commands

bcdedit /ems {current} on

bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200

Reboot the system for the SAC console to be enabled

How to Access

Currently, this option (in Preview at the time of writing this blog) is available only via the portal. To access the Serial Console go to:

The Virtual Machine (VM) for which you want to access the Serial Console

Ensure that the VM is up and running

Navigate to the "Serial console (Preview)" option under "Support + Troubleshooting" section in VM settings

If the VM is not up and running then you will view the below error.

The serial console connection to the VM encountered an error: 'Bad Request' (400) - The VM is in a stopped deallocated state. Please start the VM and retry the serial console connection.

When the VM is starting you will see the below message, which you are connected to the Serial Console.

Once connected you can run commands like ch -? for information on using channels and simply type ? for general help.

Note: The console automatically will disconnect after a period of inactivity.

The access is being opened to more and more subscriptions and regions. If you don't see the access today, you just need to wait and it should be coming soon.

Demystifying Azure Security - Series Index

Tue, 20 Mar 2018 00:00:00 +0500

Understanding the security is of utmost importance in designing any application architecture. When bringing your applications or infrastructure to Azure or even designing new applications in Azure, you need to be aware of all the ways you can make your application/design more secure by leveraging various features Azure has to offer.

This series talks about various aspects of security as related to different aspects of Azure.

This blog is an Index of various blogs in the series "Demystifying Azure Security":

Understanding RBAC Roles

Custom RBAC Roles

Just In Time VM access

Azure Policies - Basics

Azure Policies - Assigning a Policy

Creating a Custom Policy - Part 1 - Viewing Definition of an existing Policy

Creating a Custom Policy - Part 2 - Understanding the Policy Structure

Creating a Custom Policy - Part 3 - Defining your Custom Policy

Azure Policies - Initiative Definitions

Azure SQL Database - Transparent Data Encryption

Azure SQL Database - Auditing & Threat Detection

Azure SQL Database - Set Server Firewall

Azure SQL Database - Firewall Rule for Virtual Networks

Azure SQL Database and Azure Storage - Service Endpoints on Virtual Network

Azure SQL Database - Dynamic Data Masking

Azure Site Recovery (ASR) - Series Index

Mon, 19 Mar 2018 00:00:00 +0500

Outages can happen anytime. There can be different reasons that you may encounter disruptions in the service. It is always good to be prepared. Azure Site Recovery (ASR) ensure business continuity by providing you with a backup plan in case of an outage or a disaster level event.

This series talks about various aspects of working with Azure Site Recovery or ASR.

This blog is an Index of various blogs in the series:

Troubleshooting Azure Site Recovery (ASR) - Data Replication Not Working

Troubleshooting Azure Site Recovery (ASR) - Data Replication Initiation Issues

Azure Site Recovery (ASR) - New feature added to target Resource Groups

Suspending and Resuming Azure Site Recovery (ASR) Replication on a single or multiple servers

ASR Setup for VMs running in VMWare without VMware level User Access

Getting Started - Azure Site Recovery (ASR) In New Azure Portal

Demystifying Azure Security - Azure SQL Database - Dynamic Data Masking

Sun, 11 Mar 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Dynamic Data Masking is a feature of Azure SQL Databases, that allows you to hide the sensitive data. E.g. your database contains information regarding the Credit Cards of your customers. When exposing the database you want to ensure that the credit cards are not exposed. They should automatically be presented in the format "xxxx-xxxx-xxxx-1234" i.e. only exposing the last 4 digits.

Feature Basics

This feature can be accessed by navigating to your database and then clicking on the "Dynamic Data Masking" option under settings. By default, there are no masks applied. Click on "+ Add mask" to add a new mask.

Note that whatever masks you apply are not applied to the administrators. Additionally, you can provide the SQL users who should be excluded from masking.

Azure SQL Database will also automatically try to recommend the fields that should be masked.

Adding Masking Rules

When adding Masking Rules you provide below information:

Name for the mask is auto-populated (based on your selections)

Schema

Table in that schema

Column in the table, where mask should be applied

Masking Criteria

Note that the Masking criteria vary based on the type of the column. E.g. If a column does not have numerical value then the masking criteria for "Number (random number range)" will show as disabled.

The different masking criteria that you can apply are:

Default value (0, xxxx, 01-01-1900)

Credit Card value (xxxx-xxxx-xxxx-1234)

Email (aXXX@XXXX.com)

Number (random number range)

Custom string (prefix [padding] suffix)

Demystifying Azure Security - Azure SQL Database and Azure Storage - Service Endpoints on Virtual Network

Sat, 10 Mar 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Azure Service Endpoints allow access to SQL or Storage services over the network, without going out of the network.

To configure this feature, you can navigate to your Virtual Network and then under the settings, select the "Service endpoints". Click on "+Add" to add a Service Endpoint.

In the popup, select the provider for which you want to configure the Service Endpoint.

Service Endpoints on the Virtual Networks are available for:

Microsoft.Sql provider

Microsoft.Storage provider

Also, select the subnet on which you want to configure the Service Endpoint and then hit "Add".

It will take some time (approximately 15 minutes) to configure the Service Endpoints at the backend. Once configured, you will see the configured endpoints in the portal as shown below.

Note that even after you configure service endpoint for SQL you will need to allow access at the SQL Server level as well. Service Endpoint ensures that the communication will happen at the network level. The Firewall configuration for the network is needed to allow that communication via Firewall on the SQL Server. This is explained in detail here: Azure SQL Database - Firewall Rule for Virtual Networks

Overall, this is a very powerful feature that is easy to configure and provides you with lots of flexibility.

Demystifying Azure Security - Azure SQL Database - Firewall Rule for Virtual Networks

Sun, 04 Mar 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Before going through this blog, please make sure you have covered these:

Set Server Firewall for Azure SQL Databases

Service Endpoints for Azure SQL on Virtual Network. Note that this is pre-requisite for the firewall rules to be configured on the Virtual Network level.

Setting up the Firewall Rule for Virtual Networks, at the SQL Server level, enables you to allow access to a subnet in a Virtual Network in Azure on all the SQL Databases on the SQL Server. The firewall rules are always set at the server level, hence any rule you put will allow access on all the databases on the SQL Server.

Setting up the Rules is very simple. You navigate to the firewall settings for the SQL Database/SQL Server (as discussed in the previous blog). Then you focus on the lower section on the blade for Virtual Network Firewall rules as shown below.

Note that you can:

Add existing virtual network

Create a new virtual network (and provide access)

As a best practice, you should plan the virtual network and subnets before the configurations on the SQL Server Firewall.

When you click on "Add existing virtual network" you are presented with the below wizard. Here you select:

The name for the rule. This could be any descriptive name for the rule.

The Subscription where the virtual network exists

Virtual network where you want to allow the access

Subnet name within the Virtual network where you want to allow the access

Below, is the screenshot of the rule with values populated. If the Service Endpoint is not enabled for the "Microsoft.Sql" provider then you will view a message for the same and the wizard will attempt to enable the same.

Thats all there is to it. Just hit Ok and then hit Save to apply the rule.

Demystifying Azure Security - Azure SQL Database - Set Server Firewall

Fri, 02 Mar 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Azure SQL Databases have a powerful layer of security at the SQL Server level. This layer is provided by the SQL Server Firewall. Azure provides you granular control to configure this firewall and to manage who gets access to your Azure SQL Database. By default, everything is blocked by the firewall. If you want to get access to Azure SQL Database then you will have to configure the Firewall at the SQL Server level. Only the IP addresses you configure have access to the SQL Databases on the Server.

Another key point to understand is that once you configure a rule then because that rule is applied at the server level, it is applied to all the SQL Databases on that Server. So it is important to ensure that you segregate your databases on different SQL Servers if you don't want to share the access to those databases.

Accessing the Firewall Settings

You can access the firewall settings by navigating to your Azure SQL Database. Then at the top of the blade, you will find the option for "Set server firewall". Click on this button to access the firewall settings.

Another way to access the settings is on Azure SQL Servers. Navigate to the related Azure SQL Server for your database. Under the settings, find the option for "Firewalls and virtual networks". Clicking on this will also take you to the same firewall settings as the settings are set at the server level in both ways.

Firewall Rule Settings

Let us look at the firewall rule settings in more details.

First, you have the option to enable or disable the access to Azure services as the toggle for "Allow access to Azure services". This is set to On by default when creating the Database and SQL server. You can disable it here. This option allows Azure services to provide monitoring data and recommend changes at the database level.

Second, you have the option to configure a Rule. This is where you configure which IP Addresses have access to the SQL Server.

One commonly used Rule is to open the access for Client IP. This is the IP address of the machine from where you are connected to the Azure Portal. This is provided for the common scenario where you want to connect and access the SQL database via SSMS (i.e. SQL Server Management Studio) or by any other way from your development box. There is a button to simply add the rule for allowing Client IP by clicking on "+Add client IP". The client IP is also authomatically displayed under the "Allow access to Azure services" section

Lastly, there is an option to allow access to the SQL databases from a particular Subnet in a Virtual Network in Azure, without having to manually configure their IP addresses. This feature requires Service Endpoints to be configured at the Virtual Network level. We will discuss this feature in a later blog.

A typical Rule contains:

A Rule Name - which could be any descriptive name for the rule. E.g. it could be name of the single VM for which you want to configure the access or it could be name of the network for which you are opening the access

Start IP - Start of the IP address range for which you want to open the access. E.g. if you want to open access for 10.20.1.0/24 then the Start IP will be 10.20.1.0

End IP - End of the IP address range for which you want to open the access. E.g. if you want to open access for 10.20.1.0/24 then the End IP will be 10.20.1.255

Note: If you want to provide access to only one IP address then provide that IP address for both Start and End IP fields.

Note in the image below that:

The client IP rule was added by clicking on the "+Client IP" button. Note that the Start and End IP are same for this rule

Second is a custom rule which allows access to the SQL Server from a specific VM hosting Website (which will need access to the database)

Once you are done configuring, just hit Save to apply the firewall rules.

Next, we will learn about setting up the Firewall Rule for Virtual Networks and also Service Endpoints for Azure SQL on Virtual Network

Resources - New Azure Log Analytics Language Cheat Sheets

Mon, 19 Feb 2018 00:00:00 +0500

Azure Log Analytics (part of the OMS suite) has a very versatile query language. To investigate and report on the data you need to know the query language at least at the basic level. Recently the language had a complete overhaul with new syntax coming in and various new features being incorporated into the new language. This blog post talks about the resources to quickly learn the new syntax. Specifically, if you know the older syntax or you know T-SQL syntax then how to translate that knowledge.

Older to new Query Language syntax

If you have been working with the older Log Analytics query syntax, then you have two options to convert that knowledge to newer query language syntax:

Use the in portal legacy syntax converter and learn as you convert

Use the Microsoft provided Cheat Sheet

When you navigate to OMS log analytics portal and go to the Log search section, there you will see a link above the query text window for "Show legacy language converter". When you click on this link a new text box will appear above the query text box. Type your legacy query and then click on "Convert" button. The query will be converted into the new language syntax. Click Run to execute the query. If there will be any errors in the query you will be notified of the same.

In the above example, "Event" type is being fetched and then only Source, EventLog, EventID properties are selected. In the older format the query syntax used to be:

Type=Event | select Source, EventLog, EventID

In the newer format the same query looks as below:

Event | project Source, EventLog, EventID

Pointers for key query syntax can be found in the complete cheat sheet which can be found here: Legacy to new Azure Log Analytics Query Language cheat sheet

T-SQL to new Query Language syntax

If you are well versed in the T-SQL query syntax and are new to OMS Azure Log Analytics, then you can easily translate that to the Log Analytics query language with the help of the cheat sheet provided by Microsoft for the key syntax.

E.g. if we want to select records for only columns name and resultCode from a table named dependencies then the query syntax in T-SQL will look like:

SELECT name, resultCode FROM dependencies

Syntax for the same query in newer Log Analytics language will look like:

dependencies | project name, resultCode

As you might have guessed already, "project" is a key word in newer language to select specific columns. Selecting a table is as simple as typing the name of the table.

The complete cheat sheet can be found here: SQL to Azure Log Analytics query language cheat sheet

Demystifying Azure Security - Azure SQL Database - Transparent Data Encryption

Sat, 17 Feb 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Transparent Data Encryption (TDE) is the automated encryption of your data at rest. If configured it encrypts your database, backups of the database and transactional log files at rest. Normally this is configured by default to provide you with an additional layer of security. If this is not configured then you will get a recommendation to configure it in the Azure Security Center.

Turing Off Transparent data encryption will result in decryption of the complete database and will leave your data vulnerable. When you turn it back On then the database will be encrypted again. Depending upon the size of your database, it may take some time to turn the TDE on or off due to the underlying encryption/decryption process.

This service does not require any changes at the application level. Behind the scene, transparent data encryption performs real-time I/O encryption and decryption of the data at the page level. Each page is decrypted when it's read into memory and then encrypted before being written to disk.

Note: Even if the database is encrypted with TDE, when you take an export of the database (e.g. creation of BACPAK file) then the backup file is created without encryption. You need to ensure that you safeguard/encrypt the backup files before sharing these on an open network.

Configuring TDE at the Database level

Transparent Data Encryption (TDE) can be enabled or disabled at every individual Database level. The configuration is a very simple toggle between on and off. To configure this, navigate to your Azure SQL Database. In the settings, select "Transparent Data Encryption". The set the value for "Data Encryption" On or Off.

Notice the Encryption status. If you want your data to be encrypted, then the encryption status should say "Encrypted" with a green tick mark.

Configuring to use your own Key with TDE

You can use your own Key for encryption with Transparent Data Encryption. If you do not configure to use your own key, then a service managed certificate is used for encryption and decryption.

To do this you will need to upload your key to an Azure Key Vault or generate a new key within the Key Vault, which is very easy to configure. Once you have a key in an Azure Key Vault, you will be able to use the same with Transparent Data Encryption (TDE).

This setting can't be configured at a Database level. Instead, this has to be configured at the server level. Navigate to the underlying Azure SQL Server (where the SQL Database is hosted). Then follow the below steps:

In the settings, click on the Transparent Data Encryption

Select "Yes" to Use your own key.

Then click on "Select a Key" and then select the key from your Azure Key Vault. Alternatively, you can select to "Enter Key Identifier".

Once the key is configured, select "Save" to save the settings.

This option provides you with all the security at the data level (at rest) while ensuring you have complete control over the process.

Demystifying Azure Security - Azure SQL Database - Auditing & Threat Detection

Sat, 10 Feb 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Auditing & Threat Detection in Azure SQL Database is a very simple to configure yet very powerful security feature. Auditing feature audits all activity on your database to a Storage Account. You can determine the number of days for which you want to retain the data. It helps you remain compliant. In an event of any failure or compliance breach, you can go to the audit logs and can pinpoint the exact cause of the issue if this feature is enabled.

Threat Detection is an advanced feature, where Microsoft runs various algorithms under the hood and determines the pattern and identifies any potential attacks on your data. E.g. SQL Injection or patterns like SQL Injection can be detected when this feature is enabled. Please note that the Threat Detection feature has additional cost linked to it. It costs $15/server/month. It will be free for the first 60 days. Note that you can enable Auditing without enabling Threat Detection. But you can't enable Threat Detection without enabling Auditing on the data first.

SQL Threat Detection integrates alerts with Azure Security Center. If any anomalous activity is detected an alert is raised, you can get notification via email and can also review the same within the portal. You get real-time actionable alerts. Each alert also contains the information regarding how to mitigate the alert.

Configurations

To configure Auditing and Threat Detection at the database level, navigate to the database. Then follow the below steps:

In the database settings, click on "Auditing and Threat Detection"

You can optionally configure the settings at the Server level by click on the link "View server settings"

Next, toggle the "Auditing" setting on or off. Select the storage account and retention in the number of days.

Next, you can configure the "Threat Detection" on or off. If you toggle it on, then you have the option of selecting which type of Threats you want to detect.

You also have the option of configuring Email notifications which work with the Threat Detection.

When configuring Audit Logs Storage, you can select any subscription under the tenant and a storage account in that subscription. You can then select Retention in number of Days. When this number is set to Zero then that means unlimited retention. You can select a maximum of 3285 number of days for this value. You can also select whether to use a Primary or Secondary key while accessing the Storage Account for writing the logs.

Under Threat Detection types, you can select any one or all of the following types:

SQL injection

SQL injection vulnerability

Anomalous client login

Enabling at Database level vs Server level

If Blob Auditing or Threat Detection are enabled on the server, they will always apply to the database, regardless of the database settings.

At the server level, the configuration is almost identical. You need to navigate to the related Azure SQL Server first (instead of the SQL Database). Notice at the top of the below screenshot, it says "SQL server" instead of "SQL database". Then navigate to it's "Auditing and Threat Detection" section and perform the configurations similar to above sections.

Demystifying Azure Security - Custom RBAC Roles

Sun, 04 Feb 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Before going through this blog, please ensure that you have visited the basics of RBAC Roles in general, explained in a primer here: Demystifying Azure Security - RBAC Roles.

This blog explains an easy approach to understand and create your own Custom RBAC Roles in Azure (ARM model). We will inspect an existing simple role and will reverse engineer the way to create Custom RBAC Roles.

Inspecting Existing Role's Definition

Start by inspecting any existing Role's Definition. To do this run the cmdlet Get-AzureRMRoleDefinition and provide the name of any built-in RBAC Role. For this blog, run the below script to inspect the "Reader" and "Virtual Machine Contributor" roles.

Login-AzureRMAccount Get-AzureRMRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File C:\rbacrole-reader.json Get-AzureRMRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-Json | Out-File C:\rbacrole-VMContributor.json

If you open and inspect the "rbacrole-reader.json" file you will see the JSON similar to below:

{ "Name": "Reader", "Id": "aaaa11a1-3333-48ef-bd42-f606fba81ae7", "IsCustom": false, "Description": "Lets you view everything, but not make any changes.", "Actions": [ "*/read" ], "NotActions": [ ], "AssignableScopes": [ "/" ] }

Notice above that there are below sections in the definition:

Name - Name of the role

Id - unique guid for the role

IsCustom - boolean value. "true" for the Custom Roles and "false" for the built-in roles

Description - description of the role

Actions - Allowed list of actions for the Role

NotActions - Not Allowed list of actions for the Role

AssignableScopes - Scope at which this role can be assigned. E.g. all the subscription Ids. It's mandatory that the RBAC role contains the explicit subscription IDs where it is used otherwise you will not be able to use the role.

Understanding Actions and NotActions

As mentioned before, Actions describe the allowed list of action for the Role whereas the NotActions describe the not allowed actions for the Role. You can use wildcard * and special syntax to define the Actions and NotActions, as per the Microsoft documentation here: Create custom roles for Azure Role-Based Access Control:

Operation strings that contain wildcards (*) grant access to all operations that match the operation string. For instance:

*/read grants access to read operations for all resource types of all Azure resource providers.

Microsoft.Compute/* grants access to all operations for all resource types in the Microsoft.Compute resource provider.

Microsoft.Network/*/read grants access to read operations for all resource types in the Microsoft.Network resource provider of Azure.

Microsoft.Compute/virtualMachines/* grants access to all operations of virtual machines and its child resource types.

Microsoft.Web/sites/restart/Action grants access to restart websites.

Use Get-AzureRmProviderOperation (in PowerShell) or azure provider operations show (in Azure CLI) to list operations of Azure resource providers. You may also use these commands to verify that an operation string is valid and to expand wildcard operation strings.

Get-AzureRMProviderOperation Microsoft.Compute/virtualMachines/*/action | FT Operation, OperationName Get-AzureRMProviderOperation Microsoft.Network/*

Defining a Custom role

Let's define a custom role, who can start or restart a VM in Azure but can't open a support ticket.

Save the following code as "yourCustomRole01.json" file on your C drive (or any other location).

{ "Name": "Virtual Machine Start and Restart", "Id": "7ed03a9f-b372-4341-ba8d-38ef8e614038", "IsCustom": true, "Description": "Can restart virtual machines but can't open support tickets.", "Actions": [ "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/restart/action" ], "NotActions": [ "Microsoft.Support/*" ], "AssignableScopes": [ "/subscriptions/aaaaaaaa-1111-1111-1111-111111111111", "/subscriptions/aaaaaaaa-2222-2222-2222-222222222222", "/subscriptions/aaaaaaaa-3333-3333-3333-333333333333/resourceGroups/RG-Prod-USE2" ] }

Notice the Action and NotAction area are set as per the requirements.

Also, note that under Assignable Scope the role is available for assignment to all Resources and Resource Groups in the first two subscriptions but only in Resource Group named "RG-Prod-USE2" for the third subscription in the list.

Creating New Custom role

Once you have the definition ready in a JSON file, you can use the "New-AzureRMRoleDefinition" cmdlet to create the Custom Role Definition, as shown below. Make sure to alter the path to the json file as per your environment.

New-AzureRMRoleDefinition -InputFile "C:\yourCustomRole01.json"

Now you will be able to use this new Custom Role while assigning access to someone. You will be able to tweak the access and provide only the access that you need to your internal and external resources.

Demystifying Azure Security - Azure Policies - Initiative Definitions

Sun, 28 Jan 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Initiative Definitions are a great way to combine and apply multiple policies together. They are a group of policy definitions to achieve a singular goal. These are the Microsoft recommended way to use the Policies.

E.g. You want to combine a set of policy definitions for the compute and related resources. You want to apply following set of policies:

Allowed locations - to restrict locations where resources can be deployed

Allowed SKUs - to restrict SKUs for the VMs e.g. VMs can be created with SKU Standard_DS2_v2 only

Enforce Tags and it's default value - to enforce the usage of Tags on resources

Instead of managing and assigning the policies separately, you can club these policies together in an Initiative Definition and then assign the same.

Defining Initiative Definition

To create a new Initiative Definition you go to your Subscription and then go to the Policies section under Settings. Within Policies go to the Definitions section under Authoring. Here you can click on the "Initiative Definitions" tab to view the existing definitions. Click on the "+Initiative definition" to create a new Initiative Definition.

The new Initiative Definition blade with open up. Here you can create the definition.

The first section, as shown below, is similar to a Policy definition. You will provide the basic information here like Definition location, Name, Description and Category.

On the right side, select the Policies which want to be part of this Initiative Definition in the section "Available Definitions". Select and Add all the policies that you want to group together.

Configure parameters for the selected Policies in the "Policies and Parameters" section. If you selected a wrong policy, you can delete the policy in this section as well.

Initiative Parameters

Continuing with the previous section of the Policy definition, you have lots of options when configuring parameters under the "Policies and Parameters" section. You can either "Set value" right within the Initiative Definition, or you can "Use Initiative Parameter". Set the values within the definition if you don't want to change during the assignment. If you want to set the values dynamically then use the Initiative Parameters.

Initiative Parameters are used to parameterize the Initiative Definition. These can be set from the list of allowed values (a subset of all the values) during the assignment.

When you select to use an Initiative Parameter for any value, then a parameter is automatically created.

You can create your own Initiative parmeters as well. If an Initiative parameter is not being used then you won't be able to save that definition. You will get "Bad Request" while trying to save the definition.

Assigning Initiative Definition

The Initiative assignment is exactly same as the Policy Assignment. All the options are similar as well. You provide value to the parameters within the Initiative Definition for all the policies, during the assignment.

Fixing the error - The subscription is not registered to use provider

Mon, 22 Jan 2018 00:00:00 +0500

This blog shows you simple step to resolve the provider registration error, that you can come across while working programmatically with Azure (in Azure Resource Manager model).

You can come across this error while running a PowerShell cmdlet or anywhere else: The subscription 'xxxxxx-xxxx-xxx-xxxx-xxxxxxxx' is not registered to use providername. E.g. in the below screenshot I got the error The subscription '8c665920-2c37-419f-81fb-99d737cc4697' is not registered to use microsoft.insights.

To resolve this error you will need to navigate to the Azure Portal (i.e. https://portal.azure.com ). Authenticate to the portal with your credentials. Navigate to Subscriptions section. If you don't see this section then click on "All Services" and then search for Subscription. Once in the subscriptions blade, select the subscription for which you have been getting the error. If there was only one subscription then click on that. In the selected subscription's blade follow the below steps:

Click on the Resource Providers

In the list of providers, find the one for which you have been getting error and then click on "Register" link in front of it

The provider will go into "Registering" state

Once completed, the provider will then go into "Registered" state

Now retry the cmdlet or API you were trying before. It will not generate the provider error now.

Demystifying Azure Security - Creating a Custom Policy - Part 3 - Defining your Custom Policy

Sun, 14 Jan 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

As discussed earlier, the policies provide a way to control what is allowed and what is not allowed in your environment. Earlier we looked at how to view the definition of existing policies and discussed the structure of the policies in detail. Now it's time to put the knowledge together and define a policy.

Getting the JSON ready for the Policy Definition

Have the JSON ready for the Policy Definition. If you are going to deploy the policy via Portal then all you need is the Policy Rule portion of the definition. For this post, let's use the sample policy definition for "Only allow a certain VM platform image" located here: https://docs.microsoft.com/en-us/azure/azure-policy/scripts/allow-certain-vm-image

Various other samples are provided by Microsoft at this link: Templates for Azure Policy

This sample policy, enforces the end users to use only a certain version of the Ubuntu only.

The policy definition looks as below:

{ "type": "Microsoft.Authorization/policyDefinitions", "name": "platform-image-policy", "properties": { "displayName": "Only allow a certain VM platform image", "description": "This policy ensures that only UbuntuServer, Canonical is allowed from the image repository", "parameters": {}, "policyRule": { "if": { "allOf": [ { "field": "type", "in": [ "Microsoft.Compute/disks", "Microsoft.Compute/virtualMachines", "Microsoft.Compute/VirtualMachineScaleSets" ] }, { "not": { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "in": [ "Canonical" ] }, { "field": "Microsoft.Compute/imageOffer", "in": [ "UbuntuServer" ] }, { "field": "Microsoft.Compute/imageSku", "in": [ "14.04.2-LTS" ] }, { "field": "Microsoft.Compute/imageVersion", "in": [ "latest" ] } ] } } ] }, "then": { "effect": "deny" } } } }

Look at the policy rule section. Let's look at various sections more closely.

if condition defines the policy condition

allOf ensures that all the conditions must be true

field type is specified as Disks, Virtual Machines and VM scale sets under Microsoft.Compute

Next section defines a nested condition, which evaluates true if actual VM image used is not equal to combination of all of the conditions specified.

then section defines what should happen. In this case it says to deny the operation, i.e. the VM provisioning will fail with validation error for not conforming to the policy.

Note that there are no parameters used in this policy definition.

Defining Policy using Portal

For defining the policies via Azure Portal, navigate to the Policies under settings of your Subscription. Click on the Definitions and then click on "+Policy Definition" at the top.

A new blade will open where you can define the policy. Provide the details as follows:

Provide the policy definition's location. This will be your subscription in which you want the definition to exist.

Provide a Display Name and Description of the policy. Try to be as descriptive as possible

Either create a new Category for the policy or use one of the existing ones

Copy and paste your policy definition. In the portal, only provide the "policyRule" section.

The section for policyRule will look something similar to below.

{ "policyRule": { all content here } }

Hit Save to create the Policy Definition. You can now start assigning this policy in your environment.

Defining Policy using PowerShell

Ensure that you have latest version of Azure PowerShell installed. Then using PowerShell to deploy the policy is as easy as executing below two cmdlets:

New-AzureRmPolicyDefinition - to create the policy definition

New-AzureRMPolicyAssignment - to use the policy and assign the policy at a scope defined

Store the policy in a json file on your computer. Ensure that you only save the "if-then" condition in curly parenthesis. This will be used as an input to the cmdlet. The file should look similar to below:

{ "if": { <>}, "then":{ <>} }

To create the policy definition use a code similar to below. Ensure to update the file name and path as per your environment.

$definition = $definition = New-AzureRmPolicyDefinition -Name "RestrictingUbuntuVMVersion" -DisplayName "Restrict Ubuntu version for VM Deployment" -Description "Detailed Description here" -Policy "C:\temp\CustomPolicyDefinition.json"

To use the policy, do the assignment using a code similar to below:

$assignment = New-AzureRMPolicyAssignment -Name -Scope -PolicyDefinition $definition

That is all there is to defining and using your custom policy.

Demystifying Azure Security - Just In Time VM access

Wed, 10 Jan 2018 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Just in time VM access is a feature under Azure Security Center. In simple terms it allows you to control access to a VM. When you enable JIT, all access is locked down on the VM on all ports. This is done via Network Security Group (NSG) rules. The access is granted only for the duration allowed and also only on the ports requested. And then everything is locked down again at the end of the duration.

The attackers are leveraging various ways to get into your environment. One such way is using Bots to automate and Brute Force method to attempt entering in your environment. If you need to access a VM, in your environment, from Internet without VPN (e.g. to change some files on a Web app VM) then you are potentially opening up 3389 port on the VM and that can become a target for the attackers. Locking down the VM except when you need it and only for the duration of the requirement, reduces these risks significantly.

Pre-requisites

The key pre-requisites to be able to use this feature are:

The Azure Security Center needs to be upgraded to Advanced Security as shown below

The VM on which you want to configure JIT access should have a Network Security Group (NSG) linked to it. If it doesn't have any then you can create one and associate it with the network interface of the VM.

The first pre-requisite requires you to upgrade the Security Center to Advanced Security that comes with Standard Tier. You can upgrade from any of the advanced features. The portal will automatically prompt you to upgrade as shown below:

How to Access and Configure it

To configure this go to Azure Security Center. Within Security Center go to the "Advanced Cloud Defense" category and then click on "Just in time VM access" link as shown below:

Next follow the below steps to enable JIT on a VM:

Ensure that you are in the JIT section of Security Center

Go to the "Recommended" tab. This will show you all the VMs in your environment.

Click on the VM for which you want to enable Just in Time access. You can select multiple VMs here.

Click on the "Enable JIT on x VMs" button

You will be presented with various settings for enabling JIT. These settings can be configured as:

By default, various common ports are configured for JIT access with 3 hours time range. E.g. 3389 for RDP. Click on any of the default ports to tweak the settings.

You can add more ports and protocols by clicking on the "Add" button at the top.

Tweak the settings on the new blade that opens up.

Click on "Save" to save your settings.

That's all there is to it. Once JIT is configured you can view the VM in the "Configured" tab.

Requesting access and activity log in JIT

You can request access and perform various other management operations by following below steps:

Once the JIT is configured, the VM will show up in the "Configured" tab as shown below.

Click on the VM that you want to manage or request access to.

As soon as you click, "Request access" button will start showing. You can click the button and it will ask for the number of hours that you need the access and the corresponding ports on which you need the access. Please note that only ports configured earlier can be granted access.

Click on the ellipse i.e. 3 dots in front of the VM record and you will see various options. Using these options you can view Properties. You can view the Activity log for previous requests and any attempts on attack. You can also Edit or Remove the access.

Adding non-Azure computers

You can add non-Azure computers for an extra fee per Node. Cost is calculated based on 15 USD/Node/Month. Resources that count as a node are VMs and computers. The selected security tier will be applied to current and new resources. For more information, visit Microsoft Security Center's Standard tier for enhanced security information page.

Ensure that you have onboarded the non-Azure computers to a linked Azure Log Analytics workspace. This is required in order to onboard non-Azure computers to Security Center.

Troubleshooting Azure Site Recovery (ASR) - Data Replication Initiation Issues - Part 2

Mon, 08 Jan 2018 00:00:00 +0500

This is the second part of troubleshooting Azure Site Recovery (ASR) Data replication issues. Part 1 is located here: Troubleshooting Azure Site Recovery (ASR) - Data Replication Not Working

Go through the part 1 before this blog as that talks about the location of logs and various preliminary steps. This blog talks about the issue where you are not even able to enable Data Replication for a server.

Preliminary Checks

Perform the following basic checks related to connectivity:

Ensure that the ASR management server has connectivity with Azure.

Ensure connectivity between the management server (process server) and the source machine which you are trying to replicate. Ensure that the source machine is accessible from the process server.

You will also need to enable and allow “File and Printer Sharing” on the source machine in the Windows Firewall.

Ensure that the account that you use for enabling the protection has administrator rights on the source machine. This is needed for installation of the Mobility services agent on the source machine.

Also allow Windows Management Instrumentation (WMI) in the Windows Firewall, if not already.

Disable remote User Account Control (UAC) if you are using local administrator account to install the mobility service.

Checking Services

Also, check whether the following services are running and configured correctly on the source machine:

If Volume Shadow Copy(VSS) service Startup Type is set to Disabled, change it to Automatic.

If COM+ System Application(COMSysApp) service Startup Type is to Disabled, change it to Automatic.

If the Microsoft Distributed Transaction Coordinator Service (MSDTC) Startup Type is set to Disabled, change it to Automatic.

If the service Startup Types were already set to Automatic, check if COM+ enumeration succeeds. a) You check COM+ enumeration by Component Services (comexp.msc) b) Browse to Component Service -> Computers -> My Computer -> COM+ Application. You should be able to expand the System Application node and see the contents under that node. c) Ensure that Volume Shadow Copy Service is listed under Component Service -> Computers -> My Computer -> DCOM config

Alternate Option

If for any reason you can't enable any of the above steps, e.g. if you can't provide admin access to the service account on the source machine or disable remote UAC, then you have an alternative option. You can install the Mobility services agent on the source machine prior to enabling the protection. You will still need the services to be configured appropriately but will not need admin access while enabling the protection. To install the mobility services agent, you have various options:

Install using software deployment tools like System Center Configuration Manager

Install with Azure Automation and Desired State Configuration (Automation DSC)

Install manually from the UI

Install manually from a command prompt

Install using the Site Recovery push installation

All these options are described in details here: Install the Mobility service

Next Steps

Restart the job after ensuring all the pre-requisites as described in previous sections. If you are still facing issues, revisit the Part 1 of the troubleshooting series as mentioned at the beginning of this blog. Let us know in comments below if the issue persists.

Demystifying Azure Security - Creating a Custom Policy - Part 2 - Understanding the Policy Structure

Sat, 30 Dec 2017 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index. Ensure that you have read earlier blogs about the basics of Azure Policies before reading this blog.

Structure of a Policy JSON Definition

Policy definitions are written in JSON. The policy definition contains elements for:

mode

parameters

display name

description

policy rule

logical evaluation

effect

Let's understand these components with the help of an example. Earlier we saw how to find the definition of existing policies. One such policy is: "Allowed locations". This policy restricts the location in Azure where resources can be deployed. The definition for the policy looks like below:

{ "properties": { "mode": "all", "parameters": { "allowedLocations": { "type": "array", "metadata": { "description": "The list of locations that can be specified when deploying resources", "strongType": "location", "displayName": "Allowed locations" } } }, "displayName": "Allowed locations", "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.", "policyRule": { "if": { "not": { "field": "location", "in": "[parameters('allowedLocations')]" } }, "then": { "effect": "deny" } } } }

Mode tells you the type of resources for which the policy will be applied. Allowed values are "All" (where all Resource Groups and Resources are evaluated) and "indexed" (where policy is evaluated only for resources which support tags and location)

Parameters are used for providing inputs to the policy. They can be reused at multiple locations within the policy. You can refer to a parameter as: "[parameters('allowedLocations')]"

Display Name is used to show the policy in the portal or programmatically.

A description is used to provide details for the policy.

Policy Rule is which defines the policies. This is the section where the restrictions are defined in a Poicy Definition. To understand a policy you need to focus most of your efforts on this section. Every Policy rule has two key sections defined under "if-then" blocks.

Logical Evaluation is defined under the "if" block. It defines the condition which is evaluated to determine the policy should be applied or not.

Effect is defined in the "then" block. This defines what will happen if the condition is met.

Policy Rules

Let's look at the policy rules in more details. The general syntax of the "if-then" block is as shown below:

{ "if": { | }, "then": { "effect": "deny | audit | append" } }

Supported logical operators are:

"not": {condition or operator}

"allOf": [{condition or operator},{condition or operator}]

"anyOf": [{condition or operator},{condition or operator}]

Not operator means that the opposit of the condition should be true for the policy to be applied. AllOf requires all the conditions defined to be true at the same time. AnyOf requires any one of the conditions to be true for the policy to be applied.

In the previous example, the policy rule section is as shown below:

"policyRule": { "if": { "not": { "field": "location", "in": "[parameters('allowedLocations')]" } }, "then": { "effect": "deny" } }

In simple terms, the rule above says that if the location is not in the list of allowed locations, defined by the parameter allowedLocations, then the effect will be deny i.e. the resource creation will not be allowed.

You can find the complete list of operators and conditional constructs here: Azure Policy definition structure

Demystifying Azure Security - Creating a Custom Policy - Part 1 - Viewing Definition of an existing Policy

Fri, 29 Dec 2017 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Creating a custom policy to enforce your custom requirements in the Azure environment is very easy. This provides you with granular control over what a policy should perform and what should be allowed and what should be denied.

Policies are writing in JSON format. It is always good to base your custom policy definition on one of the built-in policies if one exists which is closer to what you are trying to do.

Viewing Definition of Existing Policies

You have two options to view the definition of an existing policy.

Using PowerShell

Using Azure Portal

Using PowerShell

Using PowerShell run the below cmdlet to view all the policies in your environment.

Get-AzureRmPolicyDefinition

Then go through the list and find the policy that you want to use. Find the ResourceId of that policy and then run the below cmdlet to fetch the details of that policy.

Get-AzureRmPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"

Using Azure Portal

Using Azure Portal to view the Definition is also very easy. Simply navigate to:

the Subscription section in the Azure Portal

Select your subscription

Click on "Policies" under settings.

Within the Policies blade, click on "Definitions"

Within the Policy Definitions, select the Policy from the list for which you want to view the definition. Click on the 3 dots to the right. From the context menu select "View definition".

This will open up another blade. Click on the "Json" tab at the top and this will show you the rule part of the definition of the policy. the rule is the most important part of the policy. We will look at other components of the policies later as well.

E.g. The JSON for "Allowed storage account SKUs" built-in policy looks as shown below.

{ "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "not": { "field": "Microsoft.Storage/storageAccounts/sku.name", "in": "[parameters('listOfAllowedSKUs')]" } } ] }, "then": { "effect": "Deny" } }

Next, we will dissect and understand the Policy structure in details.

Demystifying Azure Security - Azure Policies - 2 - Assigning a Policy

Wed, 27 Dec 2017 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

In this post, we will view the policies in action. Policy assignment is very easy on the Azure Portal. We will be assigning a built-in policy at a subscription scope.

Accessing the Policies in the Azure portal

Begin by accessing the Policies in the Azure Portal. To do this follow the below steps:

Navigate to Subscriptions (via All Services or the navigation sidebar)

Select the subscription for which you want to view the Policies

Scroll down to the "Settings" category in the menu of the subscription

Click on "Policies" to access the policies in Azure

Assigning the Built-in Policies

To perform the assignment, click on "Assign Policy" from either Compliance or the Assignment tabs.

In the new blade, provide the value for the:

Policy to be applied

Name and Description of the Policy. The name will be the name of the policy selected by default. As a best practice ensure to provide the detailed description.

Assigned by will be your name by default

You can select the pricing tier between Free and Standard. You will get the compliance evaluation of the resources in your environment against the policy with the Standard pricing tier

Scope for the Policy

Exclusions from the Policy

Any additional parameters related to the policy

To select from the policies, click on the blue button with an ellipse (i.e. 3 dots) in front of the Policy box. This will popup another blade for all the Policy definitions.

Scroll through various Built-in policies. Once we define any custom user-defined policies, they will also be displayed here. Select the policy "Allowed locations" from the list of the policies as an example. Click on "Select" once done.

Select the Scope for applying the policy. You can leave the default to the Subscription level. Or you can click on the blue button in front of scope text box and select the Resource Groups under the subscription on which you want to apply the policy.

You can also select the Exclusions if you require. These Resource Group or resources will not be evaluated against the policy.

Lastly, you will have additional parameters for the policy related values. These parameters will vary and will depend on the policy you have selected. E.g. For "Allowed locations" policy, you will see the parameter for allowed locations. Select "East US" and "East US 2" for the locations as an example.

Once you complete the configurations, click on the "Assign" button to apply the policy

Validating the Policy

To validate the policy for "Allowed locations" follow these steps:

Try to deploy a Storage Account or a VM or any other resource in a location that is NOT allowed. E.g. try deploying a storage account in the "West US" location. This should fail with the validation error stating the policy id.

Perform the same deployment but to one of the allowed location. E.g. try deploying a storage account in the "East US" location. This should succeed without any erros.

Demystifying Azure Security - RBAC Roles

Wed, 20 Dec 2017 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Azure RBAC Roles are a great way to securely provide access to users with limited actions in Azure. The focus is to provide only the access necessary so that an account in your organization doesn't have more access than needed. In case the account gets compromised, this will ensure that does not leave your environment too much vulnerable. This means that if you grant an employee access to manage Virtual Machines in your environment, that employee can't alter the virtual networks by mistake or have any access to delete the storage accounts in the environment.

Roles Hierarchy

The RBAC Roles can be assigned at the following three levels in the order of hierarchy:

Subscription

Resource Group

Resource

Any Resource in Azure, must belong to a Resource Group (under the ARM model). And every Resource Group in Azure must belong to a single subscription.

If a person is assigned scope at Subscription level then he/she will get access to all Resource Groups and to all resources within those resource groups. Next, if a person is assigned access at a Resource Group level then they will automatically get access to all the Resources within that Resource Group. Finally, if a person is provided access only to an individual Resource then they will get access only to that Resource.

Built-in Roles

There are various inbuilt roles for this purpose like:

Contributor - create and manage but can't grant access to others

Reader - can only view

Owner - full access

The complete list of Built-in roles can be viewed here: Built-in roles for Azure role-based access control

Viewing and Adding Access

To view or Add access, first decide the scope where you want to provide the access. Select the scope, e.g. a Resource Group on which you want to view existing access and grant the access to someone. Then follow these steps (as per the image below):

Click on "Access Control (IAM)" to access the RBAC access control

View the access in the center area. Scroll down to view all type of roles and Users, Groups or Apps with the access

Click on "+Add" button, as shown below, to add access to a new user, group or application

In the new popup blade, select the Role (e.g. Contributor), Assignment scope and name/email address of the user or app to whom you want to grant the access. You can select multiple users/apps as well.

Within each subscription, you can grant up to 2000 role assignments.

Learn about creating Custom RBAC Roles here: Demystifying Azure Security - Custom RBAC Roles

Demystifying Azure Security - Azure Policies - 1 - Basics

Sun, 10 Dec 2017 00:00:00 +0500

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Azure Policies are a great tool to make access to Azure more secure by prohibiting certain operations and enforcing various rules in your environment. The policies make your environment compliant and ensure that you adhere to the service level agreements and standards set within your organization. If the end user tries to deploy a resource violating the policies then the deployment fails at the validation step ensuring that your environment remains compliant. If you already have resources which are not compliant then you will be able to review those and take necessary actions.

Examples of Azure Policies

Here are a few of most commonly used policies:

Restricting the Allowed locations where a resource can be deployed. You can restrict the allowed locations where resources can be deployed to the ones that are closer to your geographic location. This also ensures that the users within your organization can't deploy resources to noncompliant locations.

Enforcing a Tag and it's Value. E.g. You have a Resource Group for the Finance department. You want to ensure that any resource deployed in that Resource Group should be tagged with a "CostCenter" and a specific value for that cost center. You can enforce this using a Policy.

Not Allowed Resource Types. Using this policy you can prohibit the deployment of certain resource types in your environment.

There are various other built-in Policies. You can also create your own policies which we will discuss in more detail later.

Scope where a Policy is Assigned

A Policy can be assigned at the below levels:

Subscription level - Applied to all Resource Groups and Resources within the subscription

Resource Group level - Applied only to the Resources within the selected Resource Groups

Exclusions: In addition to the assignment scope, you can exclude certain Resource Groups or individual Resources from the Policy assignments. The Policy will be applied to all the Resources in the scope except the ones excluded by defining the Exclusions.

How are Policies different from Role-Based Access Control (RBAC)

Through Role-Based Access Control (RBAC), you focus on the role and scope of access that a user can have in Azure. You provide the access control (IAM) within Azure for Subscription, Resource Group or an individual Resource. You define a role for the user/app/group like Contributor, Reader etc. You can use the built-in roles or can define custom roles.

With Policies, you focus on the properties of the resources with which the user can work at the defined scope. You define what properties are allowed and what is restricted. You can use the built-in policies or can define your own.

E.g. Through RBAC you define that a particular user has Reader role at the subscription and Contributor role at a particular Resource Group. This will mean that the user can view all the resources in the subscription but can only modify or create resources in the Resource Group where he has Contributor access.

Now if you define a policy which restricts the type of resources deployed ( as discussed in the examples above), the user will not be able to deploy the restricted resource types, even though he has contributor access to a Resource Group.

Accessing Policies in the Azure portal

To access the Policies in the Azure portal:

Navigate to Subscriptions (via All Services or the navigation sidebar)

Select the subscription for which you want to view the Policies

Scroll down to the "Settings" category in the menu of the subscription

Click on "Policies" to access the policies in Azure

We will be discussing more about the Azure Policies in later blogs.

Great Way to learn - 2018 Microsoft Azure Community Study Groups

Tue, 05 Dec 2017 00:00:00 +0500

How many times have you started preparation for any Azure certification and have left it midway because of any reason? We all need a little extra nudge. Microsoft Azure Community Study Groups is just the thing you need to create and fulfill your next year resolutions.

Here are the registration links, provided "as is":

Exam

Registration Link

Dates

70-532: Developing Microsoft Azure Solutions

https://aka.ms/532asg

March 23 – May 24, 2018

70-533: Implementing Microsoft Azure Infrastructure Solutions

https://aka.ms/533asg

January 12 – April 13, 2018

70-535: Architecting Microsoft Azure Solutions

https://aka.ms/535asg

January 12 – May 24, 2018

70-483: Programing in C#

https://aka.ms/483asg

January 12 – March 2, 2018

70-486: Developing ASP.NET MVC Web Applications

https://aka.ms/486asg

January 12 – March 23, 2018

70-487: Developing Microsoft Azure and Web Services

https://aka.ms/487asg

March 9 – May 11, 2018

You can access the main blog from here: 2018 Microsoft Azure Community Study Groups

Introducing the Harvesting Clouds YouTube channel

Wed, 29 Nov 2017 00:00:00 +0500

I am happy to introduce the YouTube channel for Harvesting Clouds. The channel can be accessed here: Harvesting Clouds YouTube Channel

Do Subscribe to the channel to get notified of any new content on the channel. Like the content if you learned something new or got new perspective on the things you knew.

Check out the author introduction video below:

The managed and ordered content via playlists can be found here: Playlists - Harvesting Clouds

All videos on the channel can be found here: All Videos - Harvesting Clouds

Video - Azure Automation - Introduction

Wed, 29 Nov 2017 00:00:00 +0500

This is the first video in the series of Azure Automation. This video provides the introduction and talks about the various theoretical concepts about Azure Automation

You can view and subscribe to the YouTube channel here: HarvestingClouds on YouTube

Introducing Azure Reserved VM Instances (RIs)

Sun, 12 Nov 2017 00:00:00 +0500

Azure Reserved VM Instances provides an easy option to save cost for predictive workloads. You commit to either one or three year options and pay the complete cost with discounts upfront.

When should you use this

If you know that your workload will be up and running then Azure Reserved VM instances are for you. The savings can be up to 72% with the use of Reserved VM instances. If your VM is not going to be up and running for most time and you have the option to automate and shut down the Virtual Machine then you don't need Reserved VM Instances.

How does the cost savings look like

The cost savings can be very significant especially when clubbed with Azure Hybrid Use Benefit. The below graphic is based on a Dv2 three-year RI with Azure Hybrid Benefit.

Other aspects

Other aspects of Azure Reserved VM Instances that you need to know are:

You can assign RI benefit at either the enrollment level or at the subscription level

The assignment is as easy as providing the Region, VM Series/size and providing the term. The two terms offered today are 1 year and 3 years

You can exchange to a new instance and location as you need in the future

You also have the option to cancel anytime directly with Microsoft for a pro-rated refund

Reference: Azure Reserved VM Instances

Why you should be using Azure Managed Disks now?

Sun, 05 Nov 2017 00:00:00 +0500

Azure Managed Disks bring lots of advantages and benefits to the table when compared to Azure Storage Account based VM disks. The first thing to note is that these are only related to VM disks and not general blob storage. In this post, lets take a look at what all benefits you get when you create your virtual machine with a managed disk instead of a storage account based disks.

More Controlled Access Management

Let's assume a scenario where all the disks for the virtual machines in your environment belonged to a particular storage account. Let us say that there are VMs belonging to Finance as well as HR departments. Now if you want to give access to a VHD file of a VM belonging to HR department, you will provide the access to the storage account. This was the lowest level where you could provide the access. This inadvertently opened the access to the Finance VM's VHD files as well.

Managed Disks are individual resources in Azure. If a VM has 1 OS disk and 2 data disks, all implemented as a managed disk, then you can even provide the access to one of the data disk and not provide access to any of the other disks.

No Storage account service limits

Earlier with storage accounts there were Service Limits related to IOPS at the storage account level. When the infrastructure grew and there comes a time the number of disks grew to a point that this service limit will be hit and this can affect your architecture. With managed disks, you are no longer limited by the storage account limits.

Ability to take Snapshot

Now with managed disks you have the capability to take snapshots on the fly. You can later restore from these snapshots as required. You can take these snapshots onto a different storage account.

Ability to Capture better images

The images that you capture on the Vms, which are created using managed disks, will not just include the OS disk, but will also include all the data disk.

Ability to convert a Standard disk to Premium disk and vice versa

Earlier if you wanted to convert a standard disk to a premium disk (or vice versa) you needed to create a new storage account and copy over the disk. Now with managed disks, this is as easy as shutting down the virtual machine and just changing a value in a drop down.

Other benefits

Other benefits include:

Better reliability for Availability Sets

Highly durable and available with design for 99.999% availability

Better Azure Backup service support with the ability to create a backup job with time-based backups, easy VM restoration, and backup retention policies

Reference:

Managed Disks product page

Managed Disks overview

Azure Cloud Shell - Embedding Cloud Shell in your Websites

Mon, 16 Oct 2017 00:00:00 +0500

Embedding Azure Cloud Shell in your websites gives your visitors an option to directly interact with Azure, without even leaving your website. Your website may be talking about a code sample that your visitor may want to try in Azure. Instead of opening a new instance of Azure Portal, the visitors can try the command right from your site if you have embedded the cloud shell in your website.

All you need is the embed code and you are all set. Just add this code to your site and then you will be able to launch the cloud shell right from there with just a click of a button.Behind the scene, this is nothing but hyperlinking to the URL: https://shell.azure.com

Embed Code

The embed code is as follows if you are using Markdown

[![Launch Cloud Shell](https://shell.azure.com/images/launchcloudshell.png "Launch Cloud Shell")](https://shell.azure.com)

If you are building a website in HTML then the embed code will look like:

Code in Action

Clicking on below image will open a popup. It will navigate you to the https://shell.azure.com URL within the popup. You can login to Azure and try any commands. I encourage to inspect the link below and compare with the above embed code.

Choosing Shell Type

The above examples will open the most recently used cloud shell. If you want to encourage visitors to experience a specific cloud shell, then update the URL section above embed code. Update as below by adding the last part to the URLs:

Bash Shell - https://shell.azure.com/bash

PowerShell Shell - https://shell.azure.com/powershell

Reference:

Embed Azure Cloud Shell

Azure Cloud Shell - Introduction

Sun, 08 Oct 2017 00:00:00 +0500

Azure Cloud Shell is a very convenient option to run your automation scripts against your subscriptions.

The shell is provided in two flavors:

Bash based shell

PowerShell in Cloud Shell (currently in Preview)

The Cloud Shell is a Browser based experience. What this means is that you do not need to install any dependencies for the Azure commands to run. Also, there is no dependency on your machine's hardware. You can work irrespective of your local machine's configurations.

Support for various tools

Azure Cloud Shell comes preloaded with various tools depending upon the shell type selected. It comes loaded with Linux tools like bash, sh, tmux and dig. The Azure tools which are preloaded are Azure CLI 2.0 and 1.0, AzCopy,etc.Text editors include vim and nano. Git source control tools are also included. Various other Build, Containers, Databases, etc. tools are also included. It also comes with language support for .net version 2.0.0, Java version 1.8, Node.js 6.9.4, PowerShell 6.0(beta) and Python 2.7 and 3.5 etc. Check the References section for the full list and up to date version of Tools and Language support.

Key Concepts

Below are some of the key concepts (in nutshell) about the cloud shell.

You can opt for any one of the two shell options available, as per your preferences. You can choose to have a Bash shell or PowerShell in Cloud shell

You can easily switch between the two shells at any time

If you are logged into Azure portal then you are also automatically authenticated into the Azure Cloud Shell

Other important concepts as per Microsoft documentation are:

Cloud Shell runs on a temporary host provided on a per-session, per-user basis

Cloud Shell times out after 20 minutes without interactive activity

Cloud Shell requires an Azure file share to be mounted

Cloud Shell uses the same Azure file share for both Bash and PowerShell

Cloud Shell is assigned one machine per user account

Bash persists $Home using a 5-GB image held in your file share

Permissions are set as a regular Linux user in Bash

Pricing

Cloud Shell does not have any direct cost linked to it. The charge for Cloud Shell is only for the usage of the underlying Azure Storage. The exact charge depends on the amount you store on that storage and the type of the storage. By default, Locally Redundant Storage is created.

References:

Azure Cloud Shell Overview

Azure Cloud Shell Features and Tools

Features & tools for PowerShell in Azure Cloud Shell

Script Sample - Generate Azure Resources Report by Tags

Thu, 26 Jan 2017 00:00:00 +0500

<<Update: This post and the sample script is now updated to support latest Azure PowerShell cmdlets>>

When managing resources in Azure, Tags are there to help you. They add very valuable metadata to the Azure resources. In nutshell, tags are Key-Value pairs. E.g. "Business Unit = Finance", "Site = Central US" are two such tags.

These tags help you to:

Organize your resources and manage the same

Get insights into Chargeback categorically

Tags go beyond the boundaries of deployments. You can have few resources deployed in one resource group and few other resources into the second resource group. If for these resources in both the resource groups you apply the same tag (i.e. same Key and value combination) then you can view and manage these resources in a single click.

Now once in a while, you want to take a health check of your Azure environment. You want to see what all resources are there and what are the tags applied to these resources. You want to extract this data to a CSV file so that you can apply filters and perform other business intellegence (BI) operations on it. The script below provides exactly that.

The script gives you a CSV output report with:

All the resources in your Azure Subscription

Type of each resource, so that you can filter on various types

Tags for each of the resource in Azure

The Columns in the Output CSV file (generated by the script) are:

Semi-colon separated list of tags

Resource Name

Resource Group Name

Location

Resource Type

Resource Id

Name

Subscription Id

You can find this script on GitHub here: Azure Resources Report by Tags

Direct Link to the Script here. Right click and choose Save As

You are welcome to make changes and submit Pull Requests to this script or even fork and make your modifications.

Azure Application Insights is now generally available

Tue, 29 Nov 2016 00:00:00 +0500

After a long time in Preview, Azure Application Insights is now generally available from Microsoft.

Azure Site Recovery (ASR) - New feature added to target Resource Groups

Thu, 17 Nov 2016 00:00:00 +0500

A new feature is now added to Azure Site Recovery (ASR) which enables you to target the Resource Groups for failover. You can target a separate Resource Group for each Server/VM being protected. Now post failover, this target Resource Group will be used. Earlier, during a failover, a new resource group was created with the same name as the server being failed over.

You can configure this setting in two ways:

When you are Enabling Replication of new servers then at the settings for "Target" you will have two new options.
The first option is "Post-failover resource group" along with a drop down. This is where you select the target Resource Group. You can select one of the existing Resource group here. If you haven't created the one you want to use as a target then please create before enabling replication.

The second new option is to select "Post-failover deployment model" which has only two options. These options are "Classic" and "Resource Manager". The later will be selected by default and should be the one you should be using to leverage all the new features which Azure has to offer.

If you have servers which were protected before this feature was introduced or if you configured wrong Resource Group during enabling of replication and now want to change the Resource Group then you can do so using this alternate way. Go to your ASR Vault and then go to Settings. Then go to the "Replicated Items" and click on the server for which you want to change the resource group. Click on "Compute and Network" in the server properties as shown below. You will see a new option here to select or change the target Resource Group. Click "Save" at the top of the blade after selecting or changing the value.

This new option makes the failover process in Azure Site Recovery (ASR) much more manageable and overall a better experience.

Troubleshooting Azure Site Recovery (ASR) - Data Replication Not Working

Mon, 14 Nov 2016 00:00:00 +0500

If you have the Azure Site Recovery (ASR) setup in your environment and are facing the issue where the data replication is stuck, then follow this blog to troubleshoot. The data replication can be stuck either during the initial replication or during the delta changes. This can occur for various reasons. We will inspect various components involved in ASR. Major of the troubleshooting is done on the Management Server i.e. the on-premise Configuration/Master target server.

1. Check Alerts Details

Go to the Azure Site Recovery Vault and navigate to the settings. Click on the Alerts and Events. Check the alerts for the data replication being blocked etc. Verify that the problem is related to data replication and not something else.

You can also navigate to the "Replicated Items" in the ASR Vault settings. On the blade for replicated items, click on the server for which the data is not being replicated. A new blade will open for this server's properties Then click on the Error Details on the server properties blade's context menu (which you can access by clicking on the top right ellipse i.e. 3 dots).

After verifying the issue, proceed to next sections to troubleshoot.

2. Check Resource Monitor

Check if you see any activity in the Resource Monitor. This is also to validate if the issue is there or not. Sometimes the Low Bandwidth and multiple servers configured against one Management server can cause this issue. Ensure that this is not the scenario in your case.

From the Task manager, go to performance view and check for the bandwidth consumption. Then click on the "Open Resource Monitor" button to launch the Resource Monitor. From the CPU section in the Overview tab, select the below two services:

cxps.exe

cbengine.exe

Then click on the Network tab and see if there is any traffic going out to Azure. If the data transfer is going on without issues then you should be able to view entries against cbengine going out to a URL which will look something like "blob.aaa1aaa1aa.core.windows.net" and entries against the csps service .

3. Check ASR Infrastructure Setup

First of all, check if the ASR infrastructure setup is correct and nothing is wrong there. To view this, navigate to the ASR Vault. Go to the settings and click on the "Site Recovery Infrastructure". In the next blade, click on the kind of infrastructure you have setup. E.g. If you are replicating from VMWare or Physical Machines from on-premise to Azure then click on the "Configuration Servers" under the "For VMWare & Physical Machines" section.

Here check if the Config Server is showing as "Connected". If not then the problem is in the communication between Configuration Server and the Azure. Ensure that you are able to connect to the Azure portal from the config server. Also, ensure that all the public URLs for Azure are accessible. Check this link for exact URLs: Verify URL Access.

Next, click on the configuration server. This will open another blade with details for the configuration server. Expand the section for "Associated Servers" as marked no. 2 in the screenshot below. Check if all the associated servers, i.e. Process Server, vCenter Server and Master Target servers are connected and showing green tick mark.

Next, check the configuration server health as shown at no. 3 below. Check if all the services are running and showing healthy. Ensure that you have sufficient free space on the configuration server to send the replication data. If you see any services not running then go to the next section to check and start the services on the Management Server on-premise.

You can try refreshing the server after making any configuration changes on it, e.g. increasing memory or freeing up disk space. Click on the "Refresh Server" button as shown at no. 4, at the top of the blade for the configuration server.

4. Checking Services on the Management Server

Check if the services on the Management Server are up and running. You need to check for the below services:

InMage PushInstall

InMage Scout Application Service

InMage Scout VX Agent - Sentinel/Outpost

INMAGE-AppScheduler

Microsoft Azure Recovery Services Agent

Microsoft Azure Site Recovery Service

cxprocessserver (This is important service. It is the service for the InMage CX Process Server)

tmansvc (This is the service for the InMage Volsync Thread Manager Service)

Start any service which is not running and check if the problem still exists. 90% of the time the problem is going to be because of something related to these services (e.g. a restart or patch stopped one of these services).

5. Checking Services on the Server being replicated

Check if the services on the Server being replicated are up and running. You need to check for the below services:

Azure Site Recovery VSS Provider

InMage Scout Application Service

InMage Scout VX Agent - Sentinel/Outpost

Start any service which is not running and check if the problem still exists.

6. Verify Service Account credentials are correct and have required access

The replication can stop if the service account is not correct or it doesn't have required access. Check if the service account's password expired or changed.

You can use the Configuration Server config tool to check and update the service accounts. This tool can be accessed from this directory path: "D:\Program Files (x86)\Microsoft Azure Site Recovery\home\svsystems\bin" where D is your install directory for ASR setup. The tool name under this directory is "cspsconfigtool.exe".

7. Check Logs

There are various ASR logs that gets generated in the Management server. Two key logs that you should check are as shown below. This assumes that D is the directory where ASR is installed.

Monitoring Logs - These logs are located at "D:\Program Files (x86)\Microsoft Azure Site Recovery\home\svsystems\var". Name of the file you should check is "monitor_ps".

VM-Specific ASR Logs - These logs are located at "D:\Program Files (x86)\Microsoft Azure Site Recovery\home\svsystems". Then there will be a folder with the name as a GUID for each VM. Navigate to the folder with the Guid and try to find the folder for your VM's GUID. One indication will be the number of disks and the disk sizes. Once you have located the folder for one of the VM having replication problems. Then navigate to internal folders and locate the perf.log file for your VM's disks. Check to see if there are any errors here.

These logs should give you an idea as to what may have been causing the issues.

In Conclusion

After all these steps and any changes you should Refresh the Configuration Server as shown in the point 3 above.

Let me know if this blog helped in your scenario.

General Availability - Azure Active Directory (AD) Domain Services

Thu, 27 Oct 2016 00:00:00 +0500

Azure Active Directory Domain Services are here to revolutionize the way Domain Services are used. They are here to reduce even further the infrastructure management for IT Administrators.

What is this service

Using this service you can now setup domains without having to setup the domain controllers. You can set up your Domain in Azure using Domain Services and then you can have virtual machines joining to that domain. At no point, you need to set up any domain controllers. You can also use Group Policy with this service to securely administer your domain joined infrastructure.

This service benefits all customers. For enterprise customers, they get the familiar enterprise grade service. For medium to small business customers, the service makes even more sense as they get enterprise level service for a smaller price due to small infrastructure and thus a small number of objects in AD.

This service is out of the box a highly available service. It is hosted in globally distributed datacenters.

When is this service available

This service is now Generally Available. The pricing for this service will start from 1st December 2016.

The payment model is Pay-As-You-Go. The usage will be charged per hour. The chargeback will be based on the total number of AD Objects in your AD Tenant. These objects include users, groups, and domain-joined computers. Directory size and hours are calculated and emitted daily. Usage is prorated to the minute.

Currently, there are 3 tiers.

Less than 25,000 directory objects

25,001 to 100,000 directory objects

more than 100,000 directory objects

Is this service available in my region

At the time of writing of this blog post, this service is available in the following regions:

East US

East US 2

Central US

South Central US

West US

Check this link for most updated availability: Azure Products by Region

Also, check the official ADDS page here: Azure Active Directory Domain Services And, check the upto date pricing here: Pricing

Now it is time for you to go and try this new service for yourself and enjoy it's benefits!

Suspending and Resuming Azure Site Recovery (ASR) Replication on a single or multiple servers

Tue, 25 Oct 2016 00:00:00 +0500

Let us assume that you have enabled the Azure Site Recovery (ASR) replication on various servers. These servers can be:

On Premise VMWare VMs

On Premise Physical Servers

Azure ASM (older portal) VMs

The purpose could be anything from setting up Disaster Recovery for your infrastructure or using ASR for Migrating workloads from on-premise to Azure. For any reason, you may need to suspend and resume ASR replication on one or more target servers.

Currently, ASR does not have the feature to allow you to suspend and resume the ASR replication. But you can do this manually as easily.

To Suspend the ASR replication on a particular server, all you need to do is:

Log into the server on which ASR replication is currently going on and you want to suspend the replication.

Open the Services (Run -> services.msc)

Locate the following services and Stop these services.

Azure Site Recovery VSS Provider

InMage Scout Application Service

InMage Scout VX Agent - Sentinel/Outpost

Checkout these servers below:

To Resume the ASR replication, just do the opposite, i.e. Log into the server and Start these services.

Until Azure adds this feature directly in the portal, this easy manual step is the workaround for suspending and resuming the replication on servers.

Step by Step ARM Templates - Creating ASR Template from an existing Azure Infrastructure and Modifying It

Mon, 24 Oct 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

This blog post is for you if:

You want to backup an Infrastructure configuration/setup in Azure and want to redeploy it to another environment then this blog is for you.

You want to create similar infrastructure as one of existing deployments in Azure

You want to modify the configurations of existing Azure IaaS infrastructure and redeploy various elements

This Power Tip is really easy if you know just the option.

If you want to make the template for all the resources in a Resource Group in Azure, then go to the properties of the Resource Group and find the option for "Automation Script".

If you want to get the template only for a particular resource, then navigate to that resource in the Azure Portal and then open it's settings. You will find the same "Automation Script" option.

You can check this option in the below screenshot.

Once you click on the Automation Script option in the settings (of a resource group or a resource) then you will be presented with the complete JSON template along with the JSON outline on the right side (marked 2 above in the image).

You have various options for the actions to take on the template (marked 3 in the image above):

You can download the template

Add to Library to deploy the same resources again and again in your subscription

To directly deploy the resources again with the modifications you make.

Normally, you would download the template to make edits to the same. After downloading, you should start cleaning up the template. There are only 4 major tasks that you need to perform as part of the cleanup:

Remove any hard-coded values for various dependent resources e.g. NIC for a VM, VHD for a VM etc.

Remove any resources and dependent parameters that you don't need.

Create Parameters for the values you want to change for each deployment and want the end user to provide during the deployment.

Create Variables for the values which can have fixed values but are being used at multiple locations in your template.

That's all there is to it. Using this tip you can spearhead your ARM Template developments. You don't need to start from scratch and can base your templates on the existing deployments.

Step by Step Azure Resource Manager (ARM) Templates - Index

Fri, 21 Oct 2016 00:00:00 +0500

Azure Resource Manager (ARM) Template is a JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group. It also defines the dependencies between the deployed resources. The template can be used to deploy the resources consistently and repeatedly.

ARM Templates can be used for the deployment of resources on both Azure and Azure Stack. Using these templates for all deployments provides you with various benefits including:

Declarative Deployment – All you need to do is declare what you need to deploy. You don't need to create any complex rules or write lengthy scripts.

Idempotency – You can deploy the same template over and over again without affecting the current resources.

Predictability - Using Templates you can have accurate predictability when performing large deployments. You reduce any manual errors.

Repitition without Errors - You can deploy the same infrastructure over and over again (e.g. in Dev-test environments and then in production).

This series of posts try to decode and understand the ARM Templates "Step By Step".

This post is an index of all the posts, in sequence, for understanding the Azure Resource Manager (ARM) Templates. This post will be updated regularly as more posts on this topic are added.

Index

JSON 101 for IT Administrators

What is in an ARM Template - Understanding All Components

What is in an ARM Template - Understanding Components 2 - Parameters

What is in an ARM Template - Understanding Components 3 - Variables

What is in an ARM Template - Understanding Components 4 - Resources

What is in an ARM Template - Understanding Components 5 - Outputs

Helper Functions in ARM Templates

Building your first ARM Template

Deploying Template Using Azure Portal

Deploying Template Using Azure PowerShell

Creating Parameters file for an ARM Template

Authoring ARM Templates using Visual Studio

Deploying ARM Templates using Visual Studio

Iterating and creating multiple instances of a resource

Visualizing ARM Templates and Generating Diagrams

Using Key Vault to Securely Provide Information in ARM Templates

Providing PowerShell Scripts to Run after VM deployment via ARM Template

Deploying a Windows VM with OMS integration

Creating ASR Template from an existing Azure Infrastructure and Modifying It

Step by Step ARM Templates - Providing PowerShell Scripts to Run after VM deployment via ARM Template

Wed, 19 Oct 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

By providing PowerShell Scripts to Run after VM deployment via ARM Template, you can accomplish various activities.

You can setup different features and roles on the VM.

You can setup web server.

You can setup SQL Database and configure it.

You can configure custom policies

And so on...

You first need to have PowerShell script files uploaded to a storage account. To do this you add an Extension resource (Microsoft.Compute/virtualMachines/extensions) nested inside a VM. This extension resource should be of type "CustomScriptExtension". You provide the URLs to the PowerShell scripts inside this custom script extension.

Preparation

As part of the preparation process you need to:

Ensure that the PowerShell scripts are uploaded to the Storage Account and that you have the complete URL to the blob.

Or you can upload the scripts to the GitHub and get the Raw file URL

If there are more than one scripts then there should be one master script amongst all ps1 files which will internally invoke other files. This master file will be triggered via the template. Information of all file URLs will also be provided via the Template

Providing and configuring Scripts to Run After VM Deployment

Define the below resource to provide PowerShell scripts to be run after VM deployment:

{ "type": "Microsoft.Compute/virtualMachines/extensions", "name": "MyCustomScriptExtension", "apiVersion": "2015-05-01-preview", "location": "[parameters('location')]", "dependsOn": [ "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'))]" ], "properties": { "publisher": "Microsoft.Compute", "type": "CustomScriptExtension", "typeHandlerVersion": "1.7", "autoUpgradeMinorVersion":true, "settings": { "fileUris": [ "http://Yourstorageaccount.blob.core.windows.net/customscriptfiles/start.ps1", "http://Yourstorageaccount.blob.core.windows.net/customscriptfiles/secondaryScript.ps1", ], "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File start.ps1" } } }

How it works:

Both the files i.e. start.ps1 and secondaryScript.ps1 are picked up from the storage account after VM deployment. Ensure to replace the URLs with your actual storage account blob URLs. You can add more files if needed.

The "start.ps1" is the main powerShell script which should be invoking the secondaryScript.ps1 internally

CommandToExecutre property is used to invoke the start.ps1 powerShell script on the deployed VM

Passing Parameters to the PowerShell Script dynamically

To pass the parameters to the PowerShell script use commandToExecute property.

One such example to pass the parameters is shown below:

"commandToExecute": "[concat('powershell.exe -ExecutionPolicy Unrestricted -File start.ps1', ' -domainName ', parameters('domainNameParameter')]"

Note the use of "concat" helper function to create the value of the "commandToExecute". Also note that there is starting and trailing space in the second argument of the concat i.e. " -domainName ".

The parameter "domainNameParameter" should already be defined in the template in the parameters section. If the value of parameter "domainNameParameter" is "testdomain.com" then the dynamically generated command will become:

powershell.exe -ExecutionPolicy Unrestricted -File start.ps1 -domainName testdomain.com

Securing the Access to the PowerShell Script File in Storage account

Let us assume you want to deploy Windows VM with Protected settings. Then use the below sample to provide the PowerShell files.

{ "publisher": "Microsoft.Compute", "type": "CustomScriptExtension", "typeHandlerVersion": "1.7", "settings": { "fileUris": [ "http: //Yourstorageaccount.blob.core.windows.net/customscriptfiles/start.ps1" ] }, "protectedSettings": { "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -start.ps1", "storageAccountName": "yourStorageAccountName", "storageAccountKey": "yourStorageAccountKey" } }

Note the use of "protectedSettings" above. This time you also specify the Storage Account Name and the Storage Account Key.

You can also refer the official documentation here: Windows VM Custom Script extensions with Azure Resource Manager templates.

Step by Step ARM Templates - Using Key Vault to Securely Provide Information in ARM Templates

Tue, 18 Oct 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

When providing passwords and other secure and confidential information in ARM Templates, you need to ensure that you don't hard code these values anywhere. You don't need to compromise the security of the system while trying to automate deployments. Your end goal is to try to automate as much as possible and reduce manual involvement.

Key Vaults are there to solve this problem without compromising any security. In fact, they make the whole solution more secure with least manual intervention.

Setting up the Key Vault

We first need to setup the Key Vault in Azure to be able to use it via ARM Template parameters.

Create a Key Vault in Azure by going to New -> Security + Identity -> Key Vault. Provide a name, subscription, resource group etc. and provision the Key Vault. Once it is created navigate to it by clicking on "More Services" and searching for Key Vault. Click on the name of the vault you created. E.g. In this example we have named the key vault to "TestKeyVault101".
Note that this feature is in Preview at the time of writing of this blog.

Next, we need to Add a Secret in the key vault. Click on the Secrets and then the + Add button at the top, as shown below:

Next, in the "Create a secret" blade, set the Upload Options to Manual. Provide a name and value to the secret. Value is the password you want to securely save. Ensure that the Enabled is set to Yes. Optionally you can set the activation and expiration dates. In this example, we are setting the Secret Name to "DefaultAdminPasswordSecret".

Next, we will set the Access Policies to provide access to the user under the context of which the template will be deployed. This is the user which will be accessing the Key Vault. Go to Key Vault settings and select Access Policies. Add the new user as shown below:

Next, we will set the Advanced Access Policies to indicate that this key vault can be accessed via ARM Templates. Go to Key Vault settings and select Advanced Access Policies. Ensure that the checkbox for "Enable access to Azure Resource Manager for template deployment" is checked as shown below:

We are now all set with our Key Vault. Next, we will be using the secret we created to set the local Administrator user's password.

Using the Key Vault Secret in ARM Template

Let us assume that you have a JSON ARM Template which deploys a VM. One of the parameters in this template is AdminPassword. You want to use the Key Vault Secret to provide the value for this parameter.

First, ensure that the parameter is declared as securestring as shown below:

"adminPassword": { "type": "securestring", "metadata": { "description": "Password for local admin account." } }

Next, we need to use the parameters file for this template. If you don't have one already create a new one. We can provide the reference to the Key Vault Secret as the value of admin user's password parameter in this file. General Syntax of providing reference is as shown follow:

"adminPassword": { "reference": { "keyVault": { "id": "Key Vault Id Here" }, "secretName": "Name of the secret in Azure Key Vault" } }

Now the ID in the above Syntax can be provided as:

/subscriptions/{guid}/resourceGroups/{group-name}/providers/Microsoft.KeyVault/vaults/{vault-name}.

Note to replace the {guid} with actual GUID for the subscription (without the curly braces), replace {group-name} with the actual name of the resource group and {vault-name} with the actual name of the Key Vault.

You can also find the Resource ID for the Key Vault by navigating to it in the Azure Portal and then checking it's properties as shown below:

The complete parameter file looks like below:

{ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { "OtherParameter": { "value": "otherValue" }, "adminPassword": { "reference": { "keyVault": { "id": "/subscriptions/11111aaa-1a11-1a11-a1aa-1a1111a111a1/resourceGroups/TestRG101/providers/Microsoft.KeyVault/vaults/TestKeyVault101" }, "secretName": "DefaultAdminPasswordSecret" } } } }

Next, deploy the template using PowerShell and pass this parameters file as explained here: Deploying Template Using Azure PowerShell.

Example PowerShell cmdlet to deploy will look like:

New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName TestResourceGroup01 -TemplateFile .\TemplateFile.json -TemplateParameterFile .\ParametersFile.json

Now that you know how to use values from Key Vaults, you can make the automated deployment of resources more secure in your environment.

Step by Step ARM Templates - Visualizing ARM Templates and Generating Diagrams

Mon, 17 Oct 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

When developing ARM Templates, from time to time you will need to:

Visualize your ARM Templates

Generate Diagrams for your ARM Templates

Microsoft has provided an Open Source tool for this named "ARMVIZ" (short for ARM Visualizer). This tool can be accessed by navigating to the below URL:

http://armviz.io/

Navigating ARMVIZ

ARMVIZ is a nice in-browser application to visualize all the components in a template. It also shows the dependencies between various components. Using this web application you can:

Either visualize your own developed template,

Or inspect existing templates on GitHub

Let's take a quick tour of the interface:

I have numbered various elements of the interface in the above diagram. Let's quickly review these elements:

Designer - This is represented by an "eye" icon on the left bar. This should be selected by default. If you are in the editor mode then you can click this and the diagram will be shown in the middle portion of the screen.

Editor - This is represented by "" text for code on the left bar. Clicking on this will take you to the editor portion of the ARMVIZ tool. In this area, you can edit your template while still in the tool. You can add or remove components. You can even edit the components or add dependencies.

Canvas area - This is the main screen (the middle area) where the template is displayed.

File Menu - This is the main and simple menu in the whole web application in the top bar. It has two options:

Open Local Template - You can open an ARM Template JSON from your local computer to visualize using this menu option.

Download Template - You can download the current template by using this menu option.

Quickstart ARM Templates - This is the link to external library of Quickstart ARM Templates on GitHub. These starter templates can help you save a lot of time. Instead of starting from scratch you can use these templates to fasten the ARM Templates Development.

This is how the Editor portion of the tool looks like. Use this area to edit or update your template. Note: If there will be mistakes, such as missing parenthesis in your template, the designer will not show any diagram.

You can zoom into and zoom out of your template diagram by rolling the mouse wheel. You can also drag and reposition various elements. Take a screenshot once you have repositioned the elements as per your requirements and have zoomed into an appropriate level.

Below screenshot is taken from a much more complex template.

In conclusion, ARMVIZ can enable you to easily visualize your ARM Templates. It can empower you to generate diagrams for your documentation and to present to your team.

Step by Step ARM Templates - Deploying a Windows VM with OMS integration

Sun, 16 Oct 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

You can deploy a Windows VM with OMS integration. You can have the OMS extension installed. And then you can onboard the VM to a specified workspace.

Prerequisites

You need already have an OMS workspace setup in your subscription. You need to have the following information about this OMS Workspace:

OMS workspace ID

OMS workspace Key

You may obtain the workspace ID and key by going to the Connected Sources tab in the Settings page in the OMS Portal or to the Direct Agent blade in the Azure portal.

In the Azure Portal go to the Log Analytics -> Click on the OMS Workspace you want to use. Click on the "OMS Portal" to navigate to the OMS Portal.

In the OMS portal, navigate to the Settings.

In Settings, go to the Connected Sources -> Windows Servers. Note the Workspace ID and the Primary Key as shown below:

ARM Template Sections for OMS integration

Within the VM resource, you need to define the OMS extension as shown below:

"resources": [ { "type": "extensions", "name": "Microsoft.EnterpriseCloud.Monitoring", "apiVersion": "[variables('apiVersion')]", "location": "[resourceGroup().location]", "dependsOn": [ "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]" ], "properties": { "publisher": "Microsoft.EnterpriseCloud.Monitoring", "type": "MicrosoftMonitoringAgent", "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": true, "settings": { "workspaceId": "Your Workspace ID Here" }, "protectedSettings": { "workspaceKey": "Your Workspace Key Here" } } } ]

The above configures the OMS on the VM. Note that you need the nested extension resource of type "Microsoft.EnterpriseCloud.Monitoring".

Also, note the Workspace Id and Key in the template section above. Enter the values as per your environment which we found in the Prerequisites section above.

Providing the Workspace ID and Workspace Key Dynamically

You can also provide the Workspace Id and the Workspace Key dynamically by only using the OMS Workspace name. Follow the below sample. Note the use of reference, listKeys, and resourceId helper functions.

"settings": { "workspaceId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-03-20').customerId]" }, "protectedSettings": { "workspaceKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-03-20').primarySharedKey]" }

Reference: You can check the complete quick starter template for OMS integration here: GitHub Sample - Deployment of a Windows VM with OMS Extension

Azure Automation Preview Solution - Start/Stop VMs during off-hours

Tue, 11 Oct 2016 00:00:00 +0500

Starting and Stopping VMs during off-hours can mean lots of cost optimizations for you. We have been implementing this via custom Runbooks and schedules for various customers. Now there is out of the box support for this within Azure. The feature is currently in Preview but you can build on this.

What do I need - Prerequisites

Before beginning check that your region has this feature available. Just like with any other automation solution, you will need to have:

OMS Workspace (or you can create new while adding the solution)

Automation Account (or you can create new)

Azure Run As account (and not the Microsoft Account)

For email support, Office 365 business-class subscription is required

Note: The VMs that you want to manage should be in the same subscription and resource group as where the Automation account resides.

How to Add

To Add the solution, click on "+ New" symbol and search for "Start/Stop VMs during off-hours". You will find the below solution available to be created:

What does it Contain

The solution is a combination of various automation assets:

Runbooks

Variables

Schedules

Credentials

You can change some configurations during and some after the deployment.

Find out more here: Start/Stop VMs during off-hours [Preview]

Azure RemoteApp is going away. New Purchases in portal are now stopped

Mon, 10 Oct 2016 00:00:00 +0500

Today I got an email saying "Action recommended: Deleting unnecessary RemoteApp collections can save you money". This email is also a reminder from Microsoft that the RemoteApp is going away. We need to plan for the migration for the existing RemoteApps to other platforms.

What this means

This means various things to you. Most prominently:

Over the next year, the support for Remote App is going away

You need to plan and migrate the existing RemoteApp application to other platforms

New Purchases in the Azure portal for RemoteApp are no longer available

When is the service coming to Stop

The service will have support through August 31st, 2017. That's when this service will come to a stop. New service purchase was stopped effective October 1st, 2016.

What are my Options

You have various options for migration. The option being recommended by Microsoft is using "Citrix XenApp express". In fact, Microsoft is partnering up with Citrix on this. This service is not yet available and is currently under development. As this will be the native option in Azure this will be your best bet once it is announced. You can learn more about this solution here on Citrix site: Citrix and Microsoft

The second option is to use Remote Desktop Services (RDS) deployed on Azure IaaS. This means to set up the infrastructure yourself and then deploy and host the RDS solution on that infrastructure in Azure. You can know more about the steps here: Host desktops and apps in Remote Desktop Services on Azure

Another option is to use hosted solutions from various 3rd party vendors. You can find such solution from various partners from the Azure marketplace. You can also read and get to know the complete list of these hosting partners here: RDS - Partners for hosting desktops and apps

In conclusion, I will recommend to wait and look out for Citrix XenApp express solution. If you need new remote application solutions then you need to either deploy your own solution or use one of the hosted solutions by 3rd party vendors. You can read more about the official announcement here: Application Remoting and the Cloud

Step by Step ARM Templates - Iterating and creating multiple instances of a resource

Tue, 27 Sep 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

In Azure Resource Manager (ARM) templates, you can define the variable once and then iterate/loop over that definition and create multiple instances of that resource. There are 3 special constructs in ARM templates to help you with this.

These constructs are:

copy - This is a property that is defined within the resource. This is the construct which when defined indicates that this resource needs to be looped over and created multiple times. It also specifies the number of times to iterate via "count" property.

copyIndex() - Used to access the current iteration value. Its value for the first iteration is zero. For the second iteration, its value is 1 and so on... You can pass it an integer (number) as a parameter. Whatever number you pass that will become the value for the first iteration and subsequent iterations. E.g. copyIndex(20) will compute to 20 in the first iteration, 21 in the second iteration and so on.

length - This is the method of arrays. It computes the number of elements in an array. It can be used to set the "count" property of "copy" construct.

Note: Arrays are always zero indexed. What that means is that the first element of the array is indexed at 0, the second element of the array is indexed at 1, and so on...

1. Simple Example

Let us understand these constructs using an example.

"parameters": { "count": { "type": "int", "defaultValue": 3 } }, "resources": [ { "name": "[concat('HarvestingClouds-', copyIndex(100))]", "type": "Microsoft.Web/sites", "location": "Central US", "apiVersion": "2015-08-01", "copy": { "name": "websitescopy", "count": "[parameters('count')]" }, "properties": { "serverFarmId": "hostingPlanName" } } ]

The above example will result in creation of below 3 web apps in Azure:

HarvestingClouds-100

HarvestingClouds-101

HarvestingClouds-102

Note the usage of "copy" property in the above code example:

"copy": { "name": "websitescopy", "count": "[parameters('count')]" }

As you can notice above, the value of this property is another JSON object. This object has further two properties:

First is the name property, which provides the name to the looping construct. This can be any meaningful name.

The second property is the count, which specifies how many times this resource definition should be deployed. Note that the value is set to the parameter named "count". The name of the parameter can be anything but the value of the parameter has to be a number (i.e. an integer).

Next, note how the name of the web application is constructed using the copyIndex() helper function.

"name": "[concat('HarvestingClouds-', copyIndex(100))]"

The above value uses two helper functions. First is the "concat()" which is concatenating (i.e. joining) two values. First value is the prefix string "HarvestingClouds-". Second parameter and the second helper function is copyIndex(100). This specifies the current iteration value, which is offset with 100. So for the first iteration, the value will be 0+100 = 100, for the second iteration the value will be 1+100 = 101 and so on...

2. Example with an Array

Let's assume that you want to deploy multiple web apps for different purposes. You need one web app for Production, one for Staging or testing and one for Development. You want to name the web apps deployed with the purpose concatenated. The below example uses an array to set the values for the web app name:

"parameters": { "purpose": { "type": "array", "defaultValue": [ "Production", "Staging", "Development" ] } }, "resources": [ { "name": "[concat('HarvestingClouds-', parameters('purpose')[copyIndex()])]", "type": "Microsoft.Web/sites", "location": "Central US", "apiVersion": "2015-08-01", "copy": { "name": "websitescopy", "count": "[length(parameters('purpose'))]" }, "properties": { "serverFarmId": "hostingPlanName" } } ]

The output of the above sample will be 3 web apps deployed in Azure with following names:

HarvestingClouds-Production

HarvestingClouds-Staging

HarvestingClouds-Development

Note in the above code sample that the parameter "purpose" is an array with 3 values i.e. Production, Staging, and Development. Then in the "copy" construct the count property is set using the length of this array as shown below. As there are 3 elements in the array, the value of count will be 3 and the resource will be deployed 3 times.

"count": "[length(parameters('purpose'))]"

Next, the name of the web app is set using the copyIndex() and the array itself as shown below:

"name": "[concat('HarvestingClouds-', parameters('purpose')[copyIndex()])]"

As earlier, it uses concat helper function to add two strings. The first string is simple text i.e. "HarvestingClouds-", which becomes the prefix for the web app name. Second is finding out the value of the array based on the current iteration. For the first iteration, copyIndex() will compute to zero, therefore the second parameter becomes parameters('purpose')[0]. This will fetch the 0th element of the array which is Production. Similarly, for the second iteration, copyIndex() will compute to 1, therefore the second parameter becomes parameters('purpose')[1]. This will fetch the second element of the array (or element at index value 1) which is Staging, and so on...

3. Depending upon resources being deployed by the copy Loop

Let's assume you want to deploy a storage account. But you want to deploy it only after all the web apps are deployed by the loop. In this scenario, the dependsOn property of a resource is set to the name of the "copy" property of the resource, rather than the resource itself.

{ "apiVersion": "2015-06-15", "type": "Microsoft.Storage/storageAccounts", "name": "teststorage101", "location": "[resourceGroup().location]", "properties": { "accountType": "Standard_LRS" } "dependsOn": ["websitescopy"] }

Note above that the dependsOn property is set to the name property of the copy in the earlier web app example. This storage account will not be deployed until all 3 web apps are not deployed.

4. Limitations

There are two limitations on the use of the copy to iterate and create multiple resource instances:

Nested Resources - You cannot use a copy loop for a nested resource. If you need to create multiple instances of a resource that you typically define as nested within another resource, you must instead create the resource as a top-level resource and define the relationship with the parent resource through the type and name properties.

Looping Properties of a Resource - You can only use copy on resource types, not on properties within a resource type. E.g. Creating multiple data disks within a VM.

That is all there is to iterate and creating multiple resources from a single definition. When your templates will start becoming complex then these constructs/helper functions will help you a lot. E.g. you may need to deploy multiple load balanced resources, then you can use the concepts defined in this post.

You can also refer the official documentation here: copy, copyIndex, and length

Step by Step ARM Templates - Deploying ARM Templates using Visual Studio

Tue, 20 Sep 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

In the last blog we saw How to use Visual Studio to author ARM templates. In this blog we will see how to use Visual Studio (VS) to deploy the template without leaving VS.

Deploying with Visual Studio is very simple, straightforward and very intuitive. Just follow the below steps.

Either go to the Solution Explorer -> Right Click on the project and select "Deploy -> New Deployment" as shown below:

Or you can go to the menu option Project -> Deploy -> New Deployment as shown below:

Once you click on the "New Deployment", you will be presented with the below Dialog for the deployment.

If you are not logged in then it will ask you to log into your Azure account.

In the Dialog for "Deploy to Resource Group" select the Subscription by clicking on the first drop down.

Next click on the drop down for the Resource Group. You can either select an existing Resource Group or you can click on "" option to create a new resource group for the current deployment.

If you click on "" option to create a new Resource Group then you will be presented with an additional popup.

In this additional popup, type the name for your new resoruce group and the location in Azure where this should be created. Click "Create" once done in the additional popup.

Next, we are going to provide the value for the parameters. Go ahead and click on the "Edit Parameters..." link in the "Deploy to Resource Group" dialog. This will open another popup to provide the parameters.
Button to edit parameters is shown below:

Additional dialog to provide parameters is shown below:

Note the following points in the parameters:

Corresponding to the string parameters, a text box is provided.

For the secure string parameters like password, a secure password text box is provided.

Corresponding to the parameters for which you have defined the "Allowed Values" in your template, a combo box (or drop Down) is provided with the "default Value" selected by default.

Click Ok once done

Next, click on the Deploy button to deploy the template to Azure.

You can check the results in the Outputs window in the Visual Studio. Along with time stamp, it will show you what steps Visual Studio took to perform the deployment. It uses the values of parameters you provided and uses the PowerShell script to deploy the resources. You will notice the PowerShell window opening and prompt for the Admin Password.
Note 1: The PowerShell window may not come above as active window. Just search and click on the window in your Taskbar.
Provide the password and hit Enter as shown below:

Note 2: It may take some time to complete the deployment after that. Wait and do not close the PowerShell window. It should automatically close once done.
Note 3: Once the deployment completes the last line in Output window in Visual Studio will be: "Successfully deployed template..." as shown below:

This is it! Navigate to the Azure portal and validate the deployed resources in your selected resource group.

Step by Step ARM Templates - Authoring ARM Templates using Visual Studio

Sat, 17 Sep 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

Visual Studio is a very powerful tool when it comes to authoring ARM Templates.

Key features which make it a tool of our choice are:

In-house support for ARM Templates

Smart IntelliSense

Pre-populated templates for various Azure resources

JSON Outlining

Easy Deployment options

The screenshots in this blog post are from Visual Studio 2013. You can use other newer versions as well.

Pre-Requisites

You need to have Azure SDK installed to get true power of Visual Studio with Azure integration. If you don't have it already, you can install the same from here: Azure SDK Downloads

Authoring First ARM Template in Visual Studio

Authoring with Visual Studio is very easy.

To get started just launch the Visual Studio from the Start menu.

Next, Create a new Project of type "Azure Resource Group" by navigating to Templates -> Visual C# -> Cloud

Next, you will be presented with a dialog to "Select Azure Template". If you want to author from scratch then choose a Blank Template. Else select one of the starter template. For this blog, we will be using "Windows Virtual Machine" Template.

Project is created with various folders and files. You can explore the project in the solution explorer in Visual Studio.

Let us see what these folders and files are:

Scripts: The single PS1 file is to create a new Resource Group and deploy the ARM Template. It uses "New-AzureRmResourceGroupDeployment" PowerShell cmdlet to deploy the template.

Templates: "WindowsVirtualMachine.json" is the main ARM Template file that we are interested in. Also, "WindowsVirtualMachine.parameters.json" is the parameters file for the ARM template.

Tools: This folder contains the "AzCopy.exe" file to help you copy any artifacts to Azure.

Double click and open the "WindowsVirtualMachine.json" file to open it. You will be presented with a huge JSON file. Collapse the section by clicking the small "-" signs to the left of the file. Also notice the JSON Outline panel to the left. This is your biggest friend in Visual Studio when authoring ARM Templates.

You can immediately notice that key sections both in the template in the middle and in the JSON Oultine panel on the left (in the image above) are:

parameters

variables

resources

You can click on any of the elements in the left JSON Outline panel and the same section will be highlighted in the center, in the JSON template file.

Next, let us look at JSON Outline panel and check how it can provide us more information and help us in authoring templates.

You can see that the panel provides a special icon for each type of the resource. In our current template the various resources listed are:

StorageAccount

PublicIPAddress

VirtualNetwork

NetworkInterface

VirtualMachine

Click on each of the resources and inspect how their JSON structure looks and differs. You will immediately notice that the major difference in each of these resources is in their Type and Properties.
Adding New Resource
Let's assume you want to add a new resource to this template. You have 2 ways to achieve the same:

Method 1 - Create a new resource by modifying and adding the JSON for the new resource in the template.

Method 2 - Let Visual Studio add the resource for you. Right click anywhere in the resources area of the JSON Outline Panel or the small "+" box at the top left of the panel (as shown in the image above) and VS will give you a new popup to add the resource from pre-defined resources as shown below.

Once you click Add the JSON for resource will be added to the template and the corresponding new element will appear in the JSON Outline Panel.

Deleting a Resource

If you need to delete a resource, simply right click on that resource in the JSON outline panel on the left and then select "Delete Resource".

Using Intellisense
The last thing to notice is the use of Intellisense in Visual Studio which helps you as you are editing the templates.

When you type quotes the closing quotes are automatically provided. Also, as you can see in the above image the various valid values, that can come there are also shown along with small tooltip about the data type. If the Intellisense doesn't come up automatically, then press Ctrl + Space to get Intellisense.

In the end, the Visual Studio makes authoring ARM templates much more manageable and easy for you.

In the next blog, we will see how to use Visual Studio to Deploy the templates.

Step by Step ARM Templates - Creating Parameters file for an ARM Template

Wed, 14 Sep 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

You can pass the input values for the Parameters in your ARM template using an additional JSON file. This additional file is what we will be referring to as Parameters File.

The only restriction on a parameters file is that the size of the parameter file cannot be more than 64 KB.

Parameters file follows a similar structure to the ARM Template. They are very simple as compared to the ARM template. In all they have 3 sections as explained below:

$schema - Required Object - Location of the JSON schema file that describes the version of the template language.

contentVersion - Required Object - Version of the template (such as 1.2.0.20). When deploying resources using the template, this value can be used to make sure that the right template is being used.

parameters - Required Object - This is a JSON object which contains various objects as it's members. Each object within the "parameters" object represent a value for a parameter corresponding to your ARM template.

Let's check how the parameters file will look like for the ARM template we have built earlier for deploying Storage Account and a Virtual Network.

{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { "vhdStorageName": { "value": "harvestingstorage101" }, "virtualNetworkName": { "value": "testvNet101" } } }

Note that the only 2 parameter values are provided. These correspond to the parameters in the ARM template.

Note: The parameter names should match to the parameters defined in the ARM template.

Step by Step ARM Templates - Deploying Template Using Azure PowerShell

Sun, 11 Sep 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

In the previous blog you learned How to build your first ARM Template . Now that you have a fully functional ARM template we want to deploy this template to Azure.

There are various options to deploy a template to Azure. We already saw in the last blog How to deploy template using Azure Portal. Now we will look at Azure PowerShell as more programmatic and automated way to deploy the template.

Pre-requisites

Things you should know before deployment

Azure PowerShell - This should be installed on the machine from where the Steps will be followed. If you don't have this then use this link to get it: Get Azure PowerShell

Azure Subscription - where you want to deploy your template

Resource Group - This is the resource group in Azure where you will be deploying your template. You can create a new resource group (for the resources that will be deployed by the template) or use an existing one.

Parameters - Value of the input parameters to the template should be known to you for the deployment. Follow all your naming conventions when defining the parameters for deployments of resources in Azure.

Internet Connectivity - This should be present on the machine from where the Steps will be followed for connectivity to Azure

Steps for Deployment

First, launch a PowerShell window as an Administrator

Then, log into the Azure account.

Run the below cmdlet to log into Azure:

Add-AzureRmAccount

Select appropriate Azure Subscription

You have two choices here. You can either use below cmdlet to use Subscription ID

Set-AzureRmContext -SubscriptionID

Or you can use the Subscription name with the below cmdlet:

Select-AzureRmSubscription -SubscriptionName ""

Next, if you already have a resource group to which you want to deploy the template then skip this step. Else create a new resource group. A resource in Azure ARM architecture can only exist in a resource group.

Use below cmdlet to create a new Resource Group:

New-AzureRmResourceGroup -Name TestResourceGroup01 -Location "Central US"

Before deploying the Resource Template to Azure, you should Test it. This step is optional but highly recommended.

Use the below cmdlet to test and validate your template:

Test-AzureRmResourceGroupDeployment -ResourceGroupName TestResourceGroup01 -TemplateFile

Now comes the last step i.e. to deploy the template. You have two options when deploying the template. You can either deploy a template without any parameters (if none are required) or you need to specify the parameters. Let's check both these options next.

Deploying Template which doesn't need Parameters

You can deploy such template using New-AzureRmResourceGroupDeployment cmdlet. If the template file is on a local directory then use the below cmdlet:

New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName TestResourceGroup01 -TemplateFile

If the template file is uploaded to some hosted location and is accessible via a link, then use the below cmdlet to deploy the template:

New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName TestResourceGroup01 -TemplateUri

Deploying Template with Parameters

Deploying of the template is exactly similar as the previous section. You use the same cmdlet. To specify the parameter, you have 4 options. Use the below cmdlets for the option you want to use.

Option 1 - Using Inline Parameter

New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName TestResourceGroup01 -TemplateFile -myParameterName "parameterValue" -secondParameterName "secondParameterValue"

Option 2 - Using Parameter Object

$parameters = @{""=""} New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName TestResourceGroup01 -TemplateFile -TemplateParameterObject $parameters

Option 3 - Using Parameter file which is in local environment

New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName TestResourceGroup01 -TemplateFile -TemplateParameterFile

Option 4 - Using Parameter file which is located externally and can be referenced via Link

New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName TestResourceGroup01 -TemplateUri -TemplateParameterUri

Key Gotchas

If you provide values for a parameter in both the local parameter file and inline, the inline value takes precedence.

You cannot use inline parameters with an external parameter file. All inline parameters are ignored when you specify "TemplateParameterUri" parameter.

As a best practice, do not store sensitive infomation in the parameters file e.g. Local admin password. Instead either provide these dynamically using inline parameters. Or store them using the Azure Key vault and then reference the key vault in your parameters file.

You can find more details about these cmdlets here: Deploy resources with Resource Manager templates and Azure PowerShell

In the next blog, we will see how to create a Parameters File for providing parameters dynamically to the template.

Step by Step ARM Templates - Deploying Template Using Azure Portal

Thu, 08 Sep 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

In the last blog you learned How to build your first ARM Template . Now that you have a fully functional ARM template we want to deploy this template to Azure.

There are various options to deploy a template to Azure. Using Azure portal is by far the easiest and most intuitive option for the deployment. Follow the steps in this blog to deploy your template to Azure.

Pre-requisites

Things you should know before deployment

Azure Subscription - where you want to deploy your template

Resource Group - This is the resource group in Azure where you will be deploying your template. You can create a new resource group (for the resources that will be deployed by the template) or use an existing one.

Parameters - Value of the input parameters to the template should be known to you for the deployment. Follow all your naming conventions when defining the parameters for deployments of resources in Azure.

Steps for Deployment

First, log into the Azure Portal.

Next, go to "New" and type "Template deployment" in the search box and hit enter.

Next, click on the Template Deployment and then click on "Create"

Now click on the "Template (Edit Template)". It will open a panel to paste your template. Delete whatever is auto populated in the template area. Copy your whole json template and paste it here. Note that the left section in the new panel will update to show you what parameters, variables, and resources you have in the template. Click on "Save" once done.

Next, click on the "Parameters (Edit Parameters)" on the left side. The parameters will be automatically picked from the template. The parameters for which the default value is provided will be automatically populated. Rest you will have to provide the inputs. Click Ok once done.

Next, you have the option to select the Resource Group. You can either create a new resource group (for all the resources that will be deployed via the template) or you can use and existing resource group.

The last option is to click on the "Legal Terms" and read through the terms. If you agree then click on the "Purchase" button.

Finally, click on the Create to submit the deployment.

You can monitor the job performing the deployments and progress of the same. After some time the deployment will finish successfully and you can view the resources in the resource group you selected.

Step by Step ARM Templates - Building your first ARM Template

Sun, 04 Sep 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

In this blog post, we will use the knowledge learned in previous blogs and will build a basic ARM template. If you haven't checked previous blog posts then have a quick read of your preferred topics here: Step by Step Azure Resource Manager (ARM) Templates - Index

To follow this blog, you can use any text editor which can provide JSON syntax highlighting. We will be looking at using Visual Studio to author ARM templates in a future blog post. Visual Studio can provide JSON outlining and is a very powerful tool for authoring ARM templates.

Let us assume that you want to deploy a storage account and build a virtual network in Azure. You want to automate the process and need to repeat the process in various environments. ARM templates fit the bill for the solution of this problem.

In the next few sections, we will build each section of the template and then at the end will check the complete template.

1. Template Header

This section is very basic and contains just the schema and the content version. You can use the content version to manage the development versions of the template as you make changes to your templates in the future.

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0",

2. Parameters

Here we define all the inputs we need from the end users. We provide default values for those parameters for which we know what the most common values will be based on our environment. For the current template we define two parameters:

vhdStorageName - This is the name of the storage account in Azure which will be created by the deployment of this template.

virtualNetworkName - This is the name of the Virtual Network which will be created by the deployment of this template.

As a best practice, provide the metadata, describing what each parameter is for. Also, note that we have used pascal casing to name the parameters with very descriptive names.

"parameters": { "vhdStorageName": { "type": "string", "minLength": 1, "defaultValue": "mystorage101", "metadata": { "description": "Name of the Storage Account." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Name of the virtual network." } } },

3. Variables

Next, we add some variables for the values which will be reused later in the template in the resources section. We create variables for all those reusable values for which we know what their value at deployment will be. We define 4 variables in this template:

addressPrefix - Address prefix for the Virtual Network

subnetName - Subnet name which will be created under the virtual network

subnetPrefix - Subnet prefix for the subnet, which will be created under the virtual network

vhdStorageType - Type of the storage account. Here we used Standard locally redundant storage (LRS)

Variables section look as below:

"variables": { "addressPrefix": "10.0.0.0/16", "subnetName": "Subnet", "subnetPrefix": "10.0.0.0/24", "vhdStorageType": "Standard_LRS" },

4. Resources

Now comes the last and main section i.e. Resources. Here we define both the resources for our template:

Storage Account

Virtual Network

Let us look at each of these resources one by one.

A. Storage Account Resource

This resource has below properties (or key-value pairs):

Type - Type of the resource is set to Microsoft.Storage/storageAccounts. This is what tells the Azure that the current resource is a Storage Account

Name - This defines the name of the storage account to be deployed based on the parameter to the template

API Version - this is the standard version for the REST API in Azure

Location - This is the Azure location. The location is found dynamically based on the location of the resource group to which this template will be deployed.

tags - only one tag is defined for the display name. You should have more tags in case of a production ready template

properties - This is where you tell Azure what kind of storage account you need. Here the account type is set using the value of the variable vhdStorageType.

B. Virtual Network Resource

This resource has below properties (or key-value pairs):

Type - Type of the resource is set to Microsoft.Network/virtualNetworks. This is what tells the Azure that the current resource is a Virtual Network

Name - This defines the name of the virtual network to be deployed based on the parameter to the template

API Version - this is the standard version for the REST API in Azure

Location - This is the Azure location. The location is found dynamically based on the location of the resource group to which this template will be deployed.

tags - only one tag is defined for the display name. You should have more tags in case of a production ready template

properties - This is where you define the address space for the virtual network. You also define the subnet under the virtual network here.

The resources section look like below:

"resources": [ { "type": "Microsoft.Storage/storageAccounts", "name": "[parameters('vhdStorageName')]", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "tags": { "displayName": "StorageAccount" }, "properties": { "accountType": "[variables('vhdStorageType')]" } }, { "apiVersion": "2015-06-15", "type": "Microsoft.Network/virtualNetworks", "name": "[parameters('virtualNetworkName')]", "location": "[resourceGroup().location]", "tags": { "displayName": "VirtualNetwork" }, "properties": { "addressSpace": { "addressPrefixes": [ "[variables('addressPrefix')]" ] }, "subnets": [ { "name": "[variables('subnetName')]", "properties": { "addressPrefix": "[variables('subnetPrefix')]" } } ] } } ]

Complete Template

Here is the complete template build from all the sections discussed above. You can copy and use this template for testing and working along with next deployment posts.

{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "vhdStorageName": { "type": "string", "minLength": 1, "defaultValue": "mystorage101", "metadata": { "description": "Name of the Storage Account." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Name of the virtual network." } } }, "variables": { "addressPrefix": "10.0.0.0/16", "subnetName": "Subnet", "subnetPrefix": "10.0.0.0/24", "vhdStorageType": "Standard_LRS" }, "resources": [ { "type": "Microsoft.Storage/storageAccounts", "name": "[parameters('vhdStorageName')]", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "tags": { "displayName": "StorageAccount" }, "properties": { "accountType": "[variables('vhdStorageType')]" } }, { "apiVersion": "2015-06-15", "type": "Microsoft.Network/virtualNetworks", "name": "[parameters('virtualNetworkName')]", "location": "[resourceGroup().location]", "tags": { "displayName": "VirtualNetwork" }, "properties": { "addressSpace": { "addressPrefixes": [ "[variables('addressPrefix')]" ] }, "subnets": [ { "name": "[variables('subnetName')]", "properties": { "addressPrefix": "[variables('subnetPrefix')]" } } ] } } ] }

In the next blog, we will learn how to deploy this template.

Step by Step ARM Templates - Helper Functions

Wed, 31 Aug 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

ARM Templates has various dynamic constructs called Helper Functions which can make your template more generic. These constructs reduce the hard coded values in your templates. You can use the information from this blog to make your existing templates more dynamic and start writing new templates with a much generic approach.

Let's look at the most important helper functions and their practical usage one by one.

1. Resource Id - Resource Function

You use this function to determine the ID of a resource. This is only used when the resource (whose ID is needed) is not being deployed in the current template and it already exists in Azure.

The generic syntax to use this is:

resourceId ([subscriptionId], [resourceGroupName], resourceType, resourceName1, [resourceName2]...)

Only required parameters of this helper function are resourceType and resourceName1.

These parameters are as follows:

subscription ID - This is only needed if you want to refer a different subscription. Default value is the current subscription

resource Group Name - Name of the resource group where the resource exists. Default is the current resource group, in which you are deploying the template

resource Type - Type of resource including resource provider namespace

resource Name 1 - Name of the resource

resource Name 2 - Next resource name segment if resource is nested. E.g. a VM Extension

Example

"vnetId1": "[resourceId('AE06-Mgmt-RG','Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", "vnetId2": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"

The above example shows two ways of using the resource ID helper function to determine the Id of a virtual network. First one uses the resource group, resource type and resource name. Second example uses only the resource Type and resource name. Second example assumes the resource group to be same as the template being deployed to.

2. Resource Group - Resource Function

This helper function returns an object that represents the current resource group to which the template is being deployed.

The generic syntax to use this is:

resourceGroup()

No parameters are needed in this helper function.

Example

"vhdStorageName": "[concat('vhdstorage', uniqueString(resourceGroup().id))]", "storageAccountResourceGroup": "[resourcegroup().name]", "location": "[resourceGroup().location]"

The above example shows 3 uses of the resource group helper functions. First one uses the ID of the resource group, second uses the name property and third uses the location for the current resource group.

3. Subscription - Resource Function

The generic syntax to use this is:

subscription()

No parameters are needed in this helper function.

Example

"subscriptionId": "[subscription().subscriptionId]"

The above example is straightforward. It fetches the subscription Id of the current subscription.

4. Concat - String Function

This function is used to concatinate (i.e. combine) two or more values.

The generic syntax to use this is:

concat (array1, array2, array3, ...)

At least 1 array is needed for concat to work.

Example

"subnetRef": "[concat(variables('vNetId'), '/subnets/', variables('subnetName'))]"

The above example combines (or concatinates) 3 text values. First value is the value of variable vNetId. Second value is a string "/subnets/". Third value is the value of the variable subnet Name.

These are the most common Helper functions that you will use in 80%-90% of the templates.

To check the complete list of Helper Functions, check this official link: Azure Resource Manager template functions

Step by Step ARM Templates - What is in an ARM Template - Understanding Components 5 - Outputs

Tue, 30 Aug 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

If you haven't checked the previous blog on the overall structure of the ARM template, I suggest you give it a quick read before checking the component described in this post in detail.

Understanding all components

Parameters

Variables

Resources

Outputs - This blog post

Outputs

This section is used to output any values after the deployment of the ARM Template. This can output any Ids or connection strings based on the deployed resources.

This is a single JSON object with various output objects (just like Parameters. The overall JSON structure looks like below:

"outputs": { "output1" : { "type":"string", "value": "value1" }, "output2" : { "type":"string", "value": "value2" }, }

Each output object has 2 properties:

Type - Data type of the output

Value - value of the output

A real life example with look like below:

"outputs": { "adminUsername": { "type": "string", "value": "[parameters('adminUsername')]" } }

The above example will output the administrator Username using the parameter from the template.

That's all there is to Outputs in ARM Templates. If you have any doubts, please comment in the below section. Use the links at the Top to know all about other components in an ARM Template.

Step by Step ARM Templates - What is in an ARM Template - Understanding Components 4 - Resources

Mon, 29 Aug 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

If you haven't checked the previous blog on the overall structure of the ARM template, I suggest you give it a quick read before checking the component described in this post in detail.

Understanding all components

Parameters

Variables

Resources - This blog post

Outputs

Resources

This is the major section of the whole ARM template. This is where you define what resources should be deployed in Azure. You also define dependencies between resources in this section.

The resources section consist of an array of JSON Objects as shown below:

"resources": [ { }, { }, ]

Each object in the array (represented via curly braces) is an Azure resource. You can deploy multiple resources in a single ARM template. E.g. You can deploy a new Storage Account, new Virtual Network and three Virtual Machines in that virtual network within a single template. Within the object, various properties (and nested properties) are used to provide the configurations of each resource.

Elements

Different elements in a single resource object can be one of the following:

apiVersion - Required - Version of the API. e.g. "2015-06-15"

type - Required - Type of the resource. This value is a combination of the namespace of the resource provider and the resource type that the resource provider supports. e.g. Azure Storage Account will have type as "Microsoft.Storage/storageAccounts".

name - Required - Name of the resource. The name must follow URI component restrictions and also the Azure naming restrictions if any. E.g. Storage account name can only be in small letters and has to be unique.

location - Optional - Use supported geo-locations of the provided resource without any spaces. Or use the resource group's location dynamically.

tags - Optional - Tags that are associated with the resource.

dependsOn - Optional - Other resources in the same template, that the current resource being defined depends on. The dependencies between resources are evaluated and resources are deployed in their dependent order. When resources are not dependent on each other, they are attempted to be deployed in parallel. The value can be a comma-separated list of resource names or resource unique identifiers.

properties - Optional - Resource specific configuration settings. E.g. Account type property for a storage account name.

resources - Optional - Child resources that depend on the resource being defined. E.g. Extension resources for a Virtual Machine resource.

Examples

Let's look at two examples. First, we will take a simple resource example to deploy a storage account in Azure:

{ "type": "Microsoft.Storage/storageAccounts", "name": "[variables('vhdStorageName')]", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "tags": { "displayName": "StorageAccount", "department" : "Finance", "application" : "database" }, "properties": { "accountType": "[variables('vhdStorageType')]" } }

Above example will deploy a storage account with the name from "vhdStorageName" variable. It will apply 3 tags to the resource after deployment. It will use the account type (i.e. standard or premium) based on the value of the "vhdStorageType" variable. If you want to deploy 2 or more similar storage accounts, then just copy and paste the json for the resource, separated by comma. It will become another object in the Resources array.

Now let's look at a complex and larger example of deploying a single virtual machine with one extension for Diagnostics.

{ "apiVersion": "2015-06-15", "type": "Microsoft.Compute/virtualMachines", "name": "[variables('vmName')]", "location": "[resourceGroup().location]", "tags": { "displayName": "VirtualMachine" }, "dependsOn": [ "[concat('Microsoft.Storage/storageAccounts/', variables('vhdStorageName'))]", "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]" ], "properties": { "hardwareProfile": { "vmSize": "[variables('vmSize')]" }, "osProfile": { "computerName": "[variables('vmName')]", "adminUsername": "[parameters('adminUsername')]", "adminPassword": "[parameters('adminPassword')]" }, "storageProfile": { "imageReference": { "publisher": "[variables('imagePublisher')]", "offer": "[variables('imageOffer')]", "sku": "[parameters('windowsOSVersion')]", "version": "latest" }, "osDisk": { "name": "osdisk", "vhd": { "uri": "[concat('http://', variables('vhdStorageName'), '.blob.core.windows.net/', variables('vhdStorageContainerName'), '/', variables('OSDiskName'), '.vhd')]" }, "caching": "ReadWrite", "createOption": "FromImage" } }, "networkProfile": { "networkInterfaces": [ { "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" } ] }, "diagnosticsProfile": { "bootDiagnostics": { "enabled": true, "storageUri": "[concat('http://', variables('diagnosticsStorageAccountName'), '.blob.core.windows.net')]" } } }, "resources": [ { "type": "extensions", "name": "Microsoft.Insights.VMDiagnosticsSettings", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "tags": { "displayName": "AzureDiagnostics" }, "dependsOn": [ "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]" ], "properties": { "publisher": "Microsoft.Azure.Diagnostics", "type": "IaaSDiagnostics", "typeHandlerVersion": "1.5", "autoUpgradeMinorVersion": true, "settings": { "xmlCfg": "[base64(concat(variables('wadcfgxstart'), variables('wadmetricsresourceid'), variables('wadcfgxend')))]", "storageAccount": "[variables('diagnosticsStorageAccountName')]" }, "protectedSettings": { "storageAccountName": "[variables('diagnosticsStorageAccountName')]", "storageAccountKey": "[listkeys(variables('accountid'), '2015-06-15').key1]", "storageAccountEndPoint": "https://core.windows.net" } } } ] }

Note that the above code snippet defines a single virtual machine. Let us decode various sections of this complex resource:

It begins with simple properties like apiVersion, type, name, location and tags as discussed in the previous example. These are straightforward and thus values are provided to these attributes.

Next is the dependsOn section. This defines the dependency between resources. In the above example, the virtual machine resource is dependent on the storage account and a network interface, which are also defined in the template. These 2 resources will be created before the virtual machine creation/deployment. If these resources are not created in the template then it will check for the presence of these resources in the current subscription. If they are not present the template will not get deployed and will error out.

Next are various properties to configure the Virtual machine, like hardware profile, os profile, storage profile, os disk, network profile, diagnostics profile etc.

Next, we have additional sub-resources. These are Azure resources which will be created and linked to the current resource. Only one sub-resource is created in the above example which is an extension for VM diagnostics settings.

That's all there is to Resources in ARM Templates. If you have any doubts, please comment in the below section. Use the links at the Top to know all about other components in an ARM Template.

Step by Step ARM Templates - What is in an ARM Template - Understanding Components 3 - Variables

Fri, 26 Aug 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

If you haven't checked the previous blog on the overall structure of the ARM template, I suggest you give it a quick read before checking the component described in this post in detail.

Understanding all components

Parameters

Variables - This blog post

Resources

Outputs

Variables

Variables are values that you either know beforehand or you can construct from the input parameters. These variables can then be reused at multiple locations in the resources section. If you later want to change the value of a variable then it automatically gets updated at all other locations. They can be used to define a resource property.

Defining Variables

Variable is a one huge JSON object. Each property can be one of the simple data type (like integer, bool, string etc.) or can be another complex JSON object. The general structure is as shown below:

"variables": { "variable 1" : "value 1", "variable 2" : "value 2", "variable 3" : 1024, "variable 4" : {} }

Note that in the above example, the first 3 variables are of simple value type. The 4rth variable is however of a complex JSON object type.

Let's now check a real variables section from an actual ARM template:

"variables": { "vmSize": "Standard_A2", "virtualNetworkName": "MyVNETName", "vnetId1": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", "vnetId2": "[resourceId(parameters('vNetRG'),'Microsoft.Network/virtualNetworks',parameters('virtualNetworkName'))]", "subnetRef": "[concat(variables('vnetId'), '/subnets/', variables('subnetName'))]", "vhdStorageName": "[concat('vhdstorage', uniqueString(resourceGroup().id))]", "storageAccountResourceGroup": "[resourcegroup().name]", "location": "[resourceGroup().location]", "subscriptionId": "[subscription().subscriptionId]" }

There are lots of key constructs in the above code snippet. I have tried to capture as many different constructs in this snippets as I could. Let us decode each variable one by one.

vmSize - Simple String

virtualNetworkName - Simple string name

vnetId1 - This uses a special function named "resourceId" to find out the resource ID of the virtual network. This function is invoked by using the syntax "[resourceId(Input)]" . This gets the resource ID of a resource which is defined by the Input to this. Also, note the use of another variable as an input to this.

vnetId2 - This also fetches the resource Id of a virtual network using "resourceId" method. Note the use of the value of a parameter in this to find out Resource Group of the existing Virtual network (parameter "vNetRG").

subnetRef - This variable uses another function "concat" in ARM template i.e. "[concat(input1,input2,...)]". This function can take many inputs and will concatinate (i.e. club together) the value of all the inputs provided. You can use parameters or another variable.

vhdStorageName - This also uses concat function to dynamically generate a storage name. However it uses "resourcegroup" function as "[resourcegroup()]". This function always returns the resource group to which you are deploying the current ARM template. Then the variable uses the id property of the resource group returned.

storageAccountResourceGroup - This uses the "name" property of the current resource group

location - This uses the "location" property of the current resource group.

subscriptionId - This uses the "subscription" function as "[subscription()]" to find out the current subscription to which the current ARM template is being deployed. Then it uses the subscription Id property of the subscription to get the required Id.

Note that these constructs are very powerfull and can be used to dynamically construct your ARM template. These constructs are also known as Helper Functions and are explained in detail here: Step by Step ARM Templates - Helper Functions

Using Variables

Using variables is very easy and is similar to using parameters. In fact, you already saw the usage of variables above, while defining other variables.

You use the square parenthesis to indicate to the ARM engine to evaluate whatever is inside the parenthesis. You use the "variable" keyword and then you pass the name of the variable as input. Check the example below.

"storageAccountName": "[variables('storageAccountName')]"

Best Practices

Best practices are similar to the Parameters.

Provide complete descriptive names, no matter how long.

Use Pascal Casing to name your parameters. i.e. First letter should be a small letter. Then every new word will have the first letter as a capital. No space between words. E.g. storageAccountName

Use the constructs explained in the previous section to dynamically generate variables. This reduces any human errors.

Anything that is used more than once and is not required to be entered by an end user, should be created as a variable. Later on, this helps by minimizing the number of places you need to change the value.

That's all there is to Variables in ARM Templates. If you have any doubts, please comment in the below section. Use the links at the Top to know all about other components in an ARM Template.

Step by Step ARM Templates - What is in an ARM Template - Understanding Components 2 - Parameters

Wed, 24 Aug 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

If you haven't checked the previous blog on the overall structure of the ARM template, I suggest you give it a quick read before checking the component described in this post in detail.

Understanding all components

Parameters - This blog post

Variables

Resources

Outputs

Parameters

As mentioned earlier, parameters are the way to customize the templates, each time you deploy it to create resources in Azure. These parameters are the end-user inputs for various aspects of the template. E.g. If you are deploying an Azure Virtual Machine via an ARM Template then the name of the VM can be an input parameter. Operating System type can be another parameter.

The parameters can be referred and used in other parts of the ARM Template.

1. Defining Parameters

Parameters is a one huge JSON object with multiple JSON properties. Each property is one parameter which is represented as another JSON object. Let us look at its structure at a high level.

"parameters": { "parameter 1" : {}, "parameter 2" : {}, "parameter 3" : {} }

E.g. If you are creating a template to deploy a Windows Virtual Machine then the parameters will look something like below:

"parameters": { "VMName" : {}, "AdminUserName" : {}, "AdminPassword" : {}, "WindowsOSVersion" : {} }

Now let us look at one of the parameters. E.g. The AdminUserName parameter will look like:

"adminUsername": { "type": "string", "minLength": 1, "metadata": { "description": "Username for the Virtual Machine." } }

The parameter object, as shown above, has following parts:

Type - This is the data Type of the parameter.

minLength - This is the minimum length the parameter must have

Metadata - This is just to provide a description as to what the parameter means.

The Data Type allowed for the parameter are:

string or secureString – any valid JSON string

int – any valid JSON integer

bool – any valid JSON boolean

object – any valid JSON object

array – any valid JSON array

A more complex parameter e.g. Windows OS Version, with few more properties, is shown below:

"windowsOSVersion": { "type": "string", "defaultValue": "2012-R2-Datacenter", "allowedValues": [ "2008-R2-SP1", "2012-Datacenter", "2012-R2-Datacenter" ], "metadata": { "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version. Allowed values: 2008-R2-SP1, 2012-Datacenter, 2012-R2-Datacenter." } }

It has additional below properties:

Default Value - This is the default value. End User will be able to change this value when deploying the template. If no value is provided then this value is picked.

Allowed Values - This is an Array of values which are allowed for the parameter. Only value from this set is allowed as an input.

2. Using Parameters

Using parameters is easy. Wherever in your template (in variables or resources section) you want to use the value of a parameter, just use the parameter function as shown below with the name of the parameter as input, enclosed in square brackets.

[parameters('windowsOSVersion')]

If the parameter value is assigned to a property, enclosing it in double quotes, as shown below:

"sku": "[parameters('windowsOSVersion')]"

3. Best Practices

Try to always provide Default Values

Provide metadata so that you can provide insight as to what the parameter is meant for

Provide complete descriptive names, no matter how long.

Use Pascal Casing to name your parameters. i.e. First letter should be a small letter. Then every new word will have the first letter as a capital. No space between words. E.g. windowsOSVersion

Use properties like minLength and Allowed values to impose restrictions. This reduces any human errors.

That's all there is to Parameters in ARM Templates. If you have any doubts, please comment in the below section. Use the links at the Top to know all about other components in an ARM Template.

Step by Step ARM Templates - What is in an ARM Template - Understanding All Components

Mon, 22 Aug 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

As we discussed earlier in the introduction Azure Resource Manager (ARM) Template is a JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group. It also defines the dependencies between the deployed resources.

In this post, we will deconstruct any basic ARM template and will understand it's various components.

Any ARM Template will look like below:

{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "variables": {}, "resources": [ {}, {} ] }

Snapshot of the Template at root level, as generated via Visual Studio:

As you can see the components (or properties) of any ARM template includes:

Schema

Content Version

Parameters

Variables

Resources

Let's look at these in more detail.

Element name Required JSON Type Description

$schema Yes String Value Location of the JSON schema file that describes the version of the template language.

contentVersion Yes String Value Version of the template (such as 1.2.0.20). When deploying resources using the template, this value can be used to make sure that the right template is being used.

parameters No JSON Object Values that are provided by the end user (manually or via a parameters file) when deployment is executed to customize resource deployment.

variables No JSON Object Values that are reused multiple times in the template. You can update these values. They are different from Parameters as their value is known and they are not required as inputs from the end user.

resources Yes Array of Objects Types of services that are deployed or updated in a resource group. Each JSON object in this Array denotes an Azure Resource.

outputs No JSON Object Values that are returned after deployment.

Now that you know what each part is at a high level, in the next posts, we will look at the key 4 components in detail.

Parameters

Variables

Resources

Outputs

Step by Step ARM Templates - JSON 101 for IT Administrators

Wed, 17 Aug 2016 00:00:00 +0500

Index of all blogs in this Step by Step ARM Templates series is located here: Step by Step Azure Resource Manager (ARM) Templates - Index

Azure Resource Manager (ARM) templates are written in JSON or JavaScript Object Notation. To understand ARM templates, you need to understand few quick basics about JSON. These will enable you to lay a great foundation which will enable you to understand ARM templates very easily.

JSON or JavaScript Object Notation (pronounce like "Jay-son") is a text-based data format that's designed to be human-readable, lightweight, and easy to transmit between a server and a web client. Its syntax is derived from JavaScript. Think of this as an even more compact version of XML files.

JSON is a popular notation for transmitting data through RESTful web services. The official internet media type for JSON is application/json, and JSON files typically have a .json extension.

To understand JSON we need to understand 3 main components. These components are like building blocks, using which you can build very complex JSON files.

1. Objects

Objects are the heart of JSON. Object denotes a real life object, e.g. an Employee. Just like a real life object, these have various properties and a value for each of these properties. E.g. An Employee will have Name property with value as John. Further, an employee object can have various another properties like Age, Salary, Department etc. So to denote an object in JSON you:

One object will be represented by curly brackets. It will begin from opening curly bracket i.e. { and will end at closing curly bracket i.e. }

Denote the property and corresponding values as "key" : "value" or "property" : "value" pairs.

You can only use double quotes for Properties as they will always be of type string

You will have double quotes around Values if they are of string type. You will not have any quotes in case of a number or a boolean value.

Each property will be separated from next property by a comma

Note: Each JSON file is also a single JSON object. At root level it starts with an opening curly bracket i.e. { and will end with closing curly bracket i.e. }. There can't be any other objects at the root level. Think of this similar to how in an XML file there can be only one element at the root level.

Example Employee object is shown below:

{ "Name" : "John", "Age" : 34, "Department" : "Finance", "Salary" : "100000", "IsAdmin" : true }

2. Arrays

Simply put, arrays are a collection of items. In JSON the square brackets represents an Array. E.g. An array of 3 employees will look like below:

[ { "Name" : "John", "Age" : 34 }, { "Name" : "Mary", "Age" : 32 }, { "Name" : "Matthew", "Age" : 29 } ]

3. Nesting of Objects

Now things get more interesting with nesting of Objects. What Nesting means is that one object can have it's property as another complex object. Don't worry if that sounds confusing. Let's understand that statement using an example. An Address where a person lives can be represented by an object. This object will look like below:

{ "StreetNumber" : "50", "StreetName" : "Brian Harrison Way", "Unit Number" : 22, "City" : "Toronto", "Country" : "Canada" }

Now an Employee Object will have an Address object as one of it's property (because employee need to live somewhere). This new complex Employee object will look like below, with nested Address object as one of it's property:

{ "Name" : "John", "Age" : 34, "Department" : "Finance", "Salary" : "100000", "IsAdmin" : true, "Address" : { "StreetNumber" : "50", "StreetName" : "Brian Harrison Way", "Unit Number" : 22, "City" : "Toronto", "Country" : "Canada" } }

That's all there is to it. Now you can use these 3 components and build very complex json files/templates. Even the most complex template can be broken into these 3 components.

Below is a complex example with all 3 components.

{ "Department": "Finance", "TotalEmployees": 2, "Employees": [ { "Name": "John", "Age": 34, "Department": "Finance", "Salary": "100000", "IsAdmin": true, "Address": { "StreetNumber": "50", "StreetName": "Brian Harrison Way", "Unit Number": 22, "City": "Toronto", "Country": "Canada" } }, { "Name": "John", "Age": 34, "Department": "Finance", "Salary": "100000", "IsAdmin": true, "Address": { "StreetNumber": "50", "StreetName": "Brian Harrison Way", "Unit Number": 22, "City": "Toronto", "Country": "Canada" } } ] }

The above JSON object denotes one department with name as Finance and total number of employees as 2. Then the "Employees" object is an array of 2 emplyees. Each emplyee object further have a complex property as Address, which is another object.

If you understood each of the 3 components, you should be able to build/understand most complex JSON files with ease.

ASR Setup for VMs running in VMWare without VMware level User Access

Tue, 26 Jul 2016 00:00:00 +0500

Problem Statement

Recently I was setting up Azure Site Recovery (or ASR) in an environment. We had multiple VMs in VMWare environment. The environment was managed by Third Party who did not want to give any service account for VMWare as their environment was shared with different customers. So we had access only to the VMs. Without relevant access, ASR for VMWare was out of the question for us.

Solution

We treated the VMs, in such environment, as physical machines when setting up ASR to replicate these machines to Azure. We used the option of "Not virtualized/other" in the "Prepare Infrastructure" wizard of ASR. We treated the VMs as physical servers and did not face any issues during the migration.

Refer below screenshot for the exact option discussed above.

Later when enabling the Replication for any Server, run the "Enable Replication" wizard by clicking on "+Replicate" on the ASR vault's blade. Then select "Machine Type" as "Physical Machine" and add the Physical Machines by mentioning their IP addresses.

Note: For this approach to work, the Configuration server should be on the same network as the VM being considered as Physical Machine.

We were able to migrate many servers successfully and without any issues using this approach.

Uploading and Downloading files securely from Azure Storage Blob via PowerShell

Wed, 18 May 2016 00:00:00 +0500

Azure blob storage can provide a very highly available way to store your files in the cloud. You can dynamically add or remove the files in an automated fashion. These files can then be used for any number of purposes. E.g. A parameter file for ARM template can be kept in Azure blob storage and then dynamically read while creating resources from an ARM template.

The whole process can be broken down into 3 parts:

Generating the context to the storage container

Uploading the files using the context

Downloading the files using the context

1. Generating the context to the storage container

The context to the storage blob container can be created in one of the 3 ways, based on your security requirements. All methods use the New-AzureStorageContext cmdlet to generate the storage context. The methods differ on how you pass the parameters to this cmdlet.

A. Via fetching the Azure Storage Key

This first method uses the Get-AzureStorageKey to fetch the storage key. This key is then used to generate the context as shown below.

$StorageAccountName = "yourstorageaccount" $StorageAccountKey = Get-AzureStorageKey -StorageAccountName $StorageAccountName $Ctx = New-AzureStorageContext $StorageAccountName -StorageAccountKey $StorageAccountKey.Primary

B. Via fetching the Azure Storage Container SAS Token

This second method uses the New-AzureStorageContainerSASToken to create a new SAS token to securely access the storage container. This token is then used to generate the context as shown below.

$sasToken = New-AzureStorageContainerSASToken -Container abc -Permission rl $Ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName -SasToken $sasToken

C. Via Connectin String

This third method uses a connection string, entered manually, which is then used to generate the context as shown below.

$ConnectionString = "DefaultEndpointsProtocol=http;BlobEndpoint=;QueueEndpoint=;TableEndpoint=;AccountName=;AccountKey=" $Ctx = New-AzureStorageContext -ConnectionString $ConnectionString

2. Uploading the files using the context

Now that you have the context to the storage account you can upload and download files from the storage blob container. Use the below code to upload a file named "Parameters.json", located on the local machine at "C:\Temp" directory.

#Uploading File $BlobName = "Parameters.json" $localFile = "C:\Temp\" + $BlobName $ContainerName = "vhds" #Note the Force switch will overwrite if the file already exists in the Azure container Set-AzureStorageBlobContent -File $localFile -Container $ContainerName -Blob $BlobName -Context $Ctx -Force

3. Downloading the files using the context

Download works in almost identical manner. You use the Get cmdlet instead of Set as shown below to download a file to a local folder, located at "C:\Downloads".

#Download File $BlobName = "Parameters.json" $localTargetDirectory = "C:\Downloads" $ContainerName = "vhds" Get-AzureStorageBlobContent -Blob $BlobName -Container $ContainerName -Destination $localTargetDirectory -Context $ctx

I hope this helps simplify the automated usage of Azure Storage container. Let us know your concerns or questions if any.

You can find the complete sample at the below link on GitHub. Right-click and select Save As to save the file: StorageAccountBlobManagement.ps1

Reference: Using Azure PowerShell with Azure Storage

Azure comes to Canada (along with Office 365)

Mon, 16 May 2016 00:00:00 +0500

Last week marked the general availability of Azure datacenter for Canada locations. Also Office 365 has been released last week. Microsoft has set up 2 new datacenters in Canada.

Where Exactly are these datacenters located

Canada Central - The first datacenter is located in Toronto.

Canada East - The second datacenter is located in Quebec City.

Now when you are creating a new resource (like a Virtual Machine) you will see these two options.

Check out the brief announcement video by Janet Kennedy, President of Microsoft Canada:

Key Resources:

These locations are also listed in the official Microsoft Regions list here: Azure Regions

Various resources and information for cloud in Canada are available here at Cloud Accelerate site for Canada.

You can read about this announcement and upcoming features here: Microsoft Cloud accelerates in Canada and expands to South Korea

NEW Feature - Azure Cool Blob Storage

Mon, 02 May 2016 00:00:00 +0500

Have you heard about the new Azure Cool Blob Storage?

If you haven’t heard about it, this is Microsoft's low-cost storage for Cool object data. “Example use cases for cool storage include backups, media content, scientific data, compliance and archival data. In general, any data which lives for a longer period of time and is accessed less than once a month is a perfect candidate for cool storage.” It is similar to what Glacier storage tier provides in Amazon Web Services.

Pricing: Its cost is as low as $0.01/GB.

Availability: 99% (as compared to 99.9% for Hot Storage). With Read-access geo-redundant storage (or RA-GRS) the SLA is 99.9% (as compared to 99.99% for Hot).

Deciding which AccessTier to use: If the objects in the storage account will be more frequently accessed, then go with Hot Tier. Select the Cold Tier for infrequently accessed data.

Now when you go to New -> "Data + Storage" -> Storage Account, and try to create a Blob Storage account then you can select from one of the options for Access Tier from Cold or Hot tier.

Also, note that at the time of this writing, Blob storage account is only available in these locations: Central US, East US 2, North Central US, North Europe, West Europe, Southeast Asia, Japan East, Japan West, Central India, South India, West India.

Resources to know more:

Official Announcement

Getting started guide

Taking Automatic Remediation Action on Azure VM Alert Generation

Wed, 27 Apr 2016 00:00:00 +0500

Using a new feature in Azure, now you can easily configure to trigger an Azure Automation Runbook when an Alert is triggered on an Azure Virtual Machine to take a remediation action. To leverage this feature all you need to do is link the alert on Azure VM to an already existing Azure Automation Runbook.

Note: This feature is supported only for the V2 Virtual Machines, i.e. the VMs created using ARM portal.

To access this feature open your Virtual Machine. Then go to the Manage alerts section in the Settings:

Then open an existing alert or click on "Add alert" to create a new one. Specify the criteria for the alert. Scroll down to the bottom and you can view the new section to link the alert to an Automation Runbook.

Under the hood

The alert will send data to your Runbook in a special format. Your Runbook should be expecting this. Under the hood this happens via WebHooks. The alert data is passed via a HTTP POST request. The Automation webhook service extracts the alert data from the POST request and passes it to the runbook in a parameter called "WebhookData". The Runbook will look like below:

[OutputType("PSAzureOperationResponse")] param ( [object] $WebhookData ) if ($WebhookData) { # Get the data object from WebhookData $WebhookBody = (ConvertFrom-Json -InputObject $WebhookData.RequestBody) #Rest of the script comes here }

In Nutshell, now you can now trigger Azure Automation Runbooks to take remediation actions on Virtual Machines in case an alert is triggered.

Reference with complete Runbook sample: Azure Automation solution - remediate Azure VM alerts

ROADMAP - Solutions to help with Migration from Azure ASM to ARM portal

Fri, 22 Apr 2016 00:00:00 +0500

In additional to the tool I mentioned yesterday regarding Migrating from Azure ASM to ARM portal there are various solutions in the pipeline. This post looks at the high level Roadmap for the same from Microsoft.

Microsoft has promised that they are committed to make the migration more easier from ASM (older) to ARM (newer) portal. Various solutions are already in the pipeline for this. Below are the details and roadmap for the tentative timelines for these solutions.

Solution

Customer Experience

Expected availability in 2016

Script migration

VM is rebooted as it is recreated in the Resource Manager model. While the Virtual Machines for the environment are recreated, the network is disconnected.

Q1

Virtual Machines, no VNET

As all Virtual Machines deployed in the Resource Manager model must be in a VNet, Virtual Machines will be migrated and placed in a new VNET. This will result in a change in network configuration, requiring a reboot to reconnect.

Q2

Virtual Machines with VNET

Starting in Q2, the platform will offer Virtual Machine migration from ASM to Resource Manager model without disrupting the running Virtual Machine. This will require disconnecting any VNets connected on-premises, whether via ExpressRoute or VPN, before doing the migration.

Q2

Virtual Machines with basic hybrid (one connection)

Starting in Q3, the platform will offer Virtual Machine migration from ASM to Resource Manager model without disrupting the running Virtual Machine and with minimal disruption to a basic hybrid connection, limited to just one connection back on-premises. More complex connections will require disconnecting before doing the migration.

Q3

Reference: Transitioning to the Resource Manager model

Migrating from Azure ASM to ARM portal

Thu, 21 Apr 2016 00:00:00 +0500

With co-existing Azure Service Management or ASM portal (older) and Azure Resource Manager or ARM portal (newer) there has been lots of confusions and problems for IT administrators. The bottom line of all the discussion around the two portals is that ARM is the future and is here to stay. It means that you need to plan and migrate your resources from ASM portal to the ARM portal.

The key resource is your infrastructure which primarily consists of virtual machines. To migrate a single Virtual Machine (VM) from ASM portal to ARM portal you can leverage a set of PowerShell scripts called ASM2ARM. You can download these scripts and check their description on GitHub here on the ASM2ARM page. You can check the detailed instructions there too.

To plan this right now is very important as the transitioning to Azure Resource Manager model is already underway. Any future development and investment seems to be happening only in the newer portal only.

Reference: ASM2ARM scripts on GitHub

PowerShell DSC - Partial Configurations

Wed, 20 Apr 2016 00:00:00 +0500

Partial Configurations is a new feature in PowerShell 5.0 Desired State Configuration or DSC. It allows the configurations to be delivered in parts or fragments. These configurations can come from various sources. The Local Configuration Manager or LCM on the target node puts these partial configurations from different sources together and after that apply the same as a single configuration.

This opens various possibilities for Enterprises to manage their infrastructure and designate the responsibility to various teams for a single node. The team expert in a particular field can focus on that feature without worrying about other features.

You can have partial configurations in following modes:

Push Mode

Pull Mode

Hybrid Mode (i.e. combination of Push and Pull)

Configuration for the PUSH Mode

You need to follow three steps to configure Partial configurations for the PUSH mode:

Configure the LCM, on the target node, to expect partial configurations

Push each partial configuration from different sources using Publish-DSCConfiguration cmdlet. Target node will automatically combine the partial configurations into single configuration.

Apply the configuration by calling the Start-DSCConfigurationcmdlet

Configuration for the PULL Mode

This is bit complex than the Push mode. In nutshell you only need couple of steps:

Configure the LCM, on the target node, to receive partial configurations but from PULL servers

Name and locate the configuration documents properly on the pull servers

To know more about DSC Partial configurations follow the below references:

Detailed Blog by AutomationNext with very valuable insights

Official MSDN Article

Azure Container Service hits General Availability

Tue, 19 Apr 2016 00:00:00 +0500

Azure Container Service has finally hit General Availability today.

If you don't know already, it is the "container hosting solution" which is optimized for Microsoft's Azure cloud. All the tools that you may be familiar with when working with a Container Service should work like Apache Mesos or Docker Swarm. It only uses open source components in the orchestration layers to give you portability of full applications.

You can find the announcement here: GA for Azure Container Service

You can learn more about the Container Service as offered by Azure on the product page here: Azure Container Service

Azure Authentication - Authenticating any Azure API Request in your Application

Fri, 15 Apr 2016 00:00:00 +0500

I have created a code sample to showcase how you can authenticate any request programatically with Azure. This also contains a Reusable Authentication Helper class which you can directly use in your code.

Where is the code

You can find the complete code sample along with the reusable Azure Authentication Helper class library from this GitHub repo: Azure Authentication Sample

What are my authentication Options

You have the following options

Authenticating by Prompting for Credentials from end user. (This needs end user interaction)

Authenticating by Credentials i.e. using a password. (This does not need any end user interaction)

Authenticating by using a Certificate ( This also does not need any end user interaction)

I have provided this functionality in 3 separate methods, in a separate class file along with it's interface. You can follow the instructions in the ReadMe file in the GitHub repo and start using any one of the method.

I hope you find this usefull and this will avoid the trouble of figuring things out, which I have already undergone.

Let me know in the comments below if you have any questions or anything to add to this.

Run Azure Automation Runbooks via PowerShell ISE

Thu, 14 Apr 2016 00:00:00 +0500

Today I came across this blog post from my friend: Azure Automation PowerShell ISE add-on

What I came to know is that now you can Run the Azure Automation Runbooks via PowerShell ISE. This solves a big pain point for all Azure developers. Now you will be able to develop and test your scripts right from the convenience of your laptop's local PowerShell ISE.

What you need to do

All you need to do is install the PowerShell Add-On using the below cmdlet:

Find-Module AzureAutomationAuthoringToolkit | Install-Module -Scope CurrentUser

Then import the module using below cmdlet:

Import-Module AzureAutomationAuthoringToolkit

You can configure the Add-On using a Configuration tab in the add-on and start getting your hands dirty.

Official Information from the Add-On Help

Capabilities

Test runbooks on your local machine and in the Azure Automation service:

Store and edit Automation Assets locally

Use Automation Activities (Get-AutomationVariable, Get-AutomationPSCredential, etc) in local PowerShell scripts

Sync changes back to your Automation Account

Run test jobs in Automation and view results

Notes

Assets

Secret values (passwords, encrypted variables) are not downloaded automatically; they need to be set manually the first time the account is synced

Values that haven't been downloaded will be highlighted

Asset values you enter locally will not get overwritten when you sync from the cloud

Runbooks

Native PowerShell and PowerShell Workflow runbooks are supported

Check the screenshot regarding this information below:

How much time it would take me

In all it would take you under 10 mins to get setup and rolling.

Where is more information on this and screenshots

Go to the official Technet blog by clicking HERE.

Start playing around and let us know your initial impression in the comments below. If you have any doubts and I will be happy to address them.

Various Options Added to Buy Microsoft Azure Active Directory Basic

Wed, 13 Apr 2016 00:00:00 +0500

Today Microsoft announced that they have added various options to buy Microsoft Azure Active Directory (AAD) Basic. You can now buy it through the Direct program as well as through following options:

Microsoft Enterprise Agreement

Open Volume License Program

Microsoft Cloud Solution Provider

To purchase, sign in to the Office 365 Administration Portal

You can also watch the below video for details. Although the video is for AAD Premium, the steps are essentially similar for AAD Basic.

You can also engage a partner to assist you with the purchase and your Azure Active Directory related any requirements. Infront Consulting Group (where I currently work) is one such partner who are highly respected in market and are Microsoft Gold Certified Partner.

Thanks for reading! If you have any questions please ask in the comments below.

Multiple Values In Grid.Mvc Single Column Filter via Checkboxes with Code Sample

Tue, 12 Apr 2016 00:00:00 +0500

I have been struggling to implement multiple filters in a single column in Grid.Mvc tool. I have solved this by altering the code and updating the custom widget. Note: The WithMultipleFilters() option will not help you in this. That option enables multiple filters on different columns. To have multiple filters in the same column you need to update the way filtering works in the tool itself.

I have used a list of checkboxes and any or all of the elements selected in this checkbox list will be used for filtering the column values.

You can find the code in my fork of the official Grid.Mvc repo at below link: Fork of Grid.Mvc repo with Advance Filters

I have also created a pull request for the same so that more people get benefit from this if they refer the master branch of the main repo.

What are the changes I have done?

I have made changes to two files:

DefaultColumnFilter.cs file in "GridMvc" class library project under the Filters folder. I have updated the GetFilterExpression method to create multiple expressions based on the pipeline character in filter values.

gridmvc.customwidgets.js file in "GridMvc.Site" web application project

Both of these paths are shown below: Location of DefaultColumnFilter.cs:

Location of gridmvc.customwidgets.js:

How the end result look like:

You can directly use the code if you want. Just honor the license of the original author.

Let me know in the comments below if you have any doubts and I will be happy to address them.

Getting Started - Azure Site Recovery (ASR) In New Azure Portal

Sat, 09 Apr 2016 00:00:00 +0500

Azure Site Recovery or ASR is now available in the new Azure Resource Manager or ARM portal (codename Ibiza) with modern user interface. It is in preview at this stage. But it is production ready for all the Hyper-V related scenarios. Your older Vaults (created via Classic ASM Azure Portal) will not be available in ASR preview feature.

What are the new features

The new features include:

All the goodness of Azure Resource Manager in ASR

Lean experience for various ASR scenarios

Enhancements to the specific Site Recovery scenarios

Lets take a quick look at some of these.

If you Browse and search for "Recovery" you get Recovery Services Vaults as Preview feature.

Clicking on it will open up the blade for "Recovery Services valuts". Notice that Microsoft has PREVIEW text in this.

Clicking on the Add button brings up the ASR vault creation blade. Notice the locations available for vault creation here.

After you hit create the Vault gets deployed really quickly. I tested for East US location and it was created in under 10 secs. Refresh to view your newly created vault. Click on it to open the NEW ASR Vault features. Notice that the Backup feature is also there in the ASR vault now.

To find the options for replication go to Settings -> Getting Started section -> Site Recovery -> Follow Wizard.

The Scenario Types available are only two. But all the scenarios are covered here:

From my site to Azure

From my site to another site

Based on the scenario you select you are asked for different options. The options for Virtualization/Management Server type for "From my site to Azure" are:

VMM

Stand alone Hyper-V hosts

vCenter

Physical machines (not virtualized)

Backup in ASR vault

Another feature is creation of Backups from the same vault. Click on the + icon for Backup in the Vault main blade and then follow the wizard for the preview feature. Notice in the screenshot above that the backup types available are:

Azure virtual machine backup

File Folder backup

System Center Data Protection Manager

Selecting each option provides you with details for next steps. You can then create a backup policy and configure Items to backup.

Give these features a try and let us know in comments below how you find the new features. Happy Exploring!

Coming Soon - Windows 10 Anniversary Update

Fri, 08 Apr 2016 00:00:00 +0500

Windows 10 Anniversary Update is coming this summary. It will be available for free download for the following devices (which is almost every device):

PCs

Tablets

Phones

Xbox One

Microsoft HoloLens

IoT

What this means to you:

Improved Biometric Security

Microsoft Edge browser

Windows Ink (where just one click of pen will bring up all the gamut available for use with your Pen device)

Universal Windows Platform or UWP apps are coming to XBox through a Unified Windows Store. Also if you own a XBox you will be able to turn it into a dev box and do development with it

Various improvements to Cortana

Check out more details here

Introducing Harvesting Clouds

Fri, 01 Apr 2016 00:00:00 +0500

Harvesting Clouds is a blog about all things Cloud. Be it Private Cloud or Public Cloud, I will try to cover various aspects of both.

Private Cloud

My key areas of interest in Private Cloud include the following:

PowerShell Scripting

Windows Azure Pack or WAP

Service Management Automation or SMA

Azure Stack

System Center Orchestrator

System Center VMM and other products like Service Manager, Ops Mgr, etc.

Public Cloud

In addition to the Private Cloud the areas of interest in Public Cloud are:

Microsoft Azure and Amazon Web Services - both IaaS and PaaS

Azure Automation

Desired State Configurations

Application Insights

Azure Web Apps

Web APIs

Azure Site Recovery and Backup

Migrations from Private to Public Clouds

Common Areas & Best of both worlds

I have also been involved in creating Hybrid clouds leveraging the best of both worlds. I will try to share my knowledge on this with you. The key aspects in this area are:

Building Hybrid Solutions

Developing Web or Desktop Applications targetting either or both the clouds (using MVC, Dot Net)

Using TFS Online, Visual Studio, GitHub to better collaborate and work in an automated fashion

Release Manager to automate your release workflows

Primary Focus

As you must have guessed by now, the primary focus for this blog will be Microsoft Technologies. We will also explore beyond this and will be talking about various emerging open source technologies and the new Better Together world with the amalgamation of various technologies in one solution.

I invite to take this journey with me! Keep learning!

Category	Actions
Monitoring	View all Jobs View all backup instances View all backup policies View all vaults View Azure Monitor alerts at scale View Azure Backup metrics and write metric alert rules
Actions	Configure backup Restore Backup Instance Create vault Create backup policy Execute on-demand backup for a backup instance Stop backup for a backup instance Execute cross-region restore job from Backup center
Insights	View Backup Reports
Governance	View and assign built-in and custom Azure Policies under category Backup View datasources not configured for backup

Service	Domain names to be accessed
Azure Backup	`*.backup.windowsazure.com`
Azure Storage	`.blob.core.windows.net` `.queue.core.windows.net`
Azure AD	Allow access to FQDNs under sections 56 and 59 according to this article

	Functions	Logic Apps
State	Normally stateless, but Durable Functions provide state	Stateful
Development	Code-first (imperative)	Designer-first (declarative)
Connectivity	About a dozen built-in binding types, write code for custom bindings	Large collection of connectors, Enterprise Integration Pack for B2B scenarios, build custom connectors
Actions	Each activity is an Azure function; write code for activity functions	Large collection of ready-made actions
Monitoring	Azure Application Insights, Log Analytics via Application Insights connector	Azure portal, Log Analytics
Management	REST API, Visual Studio	Azure portal, REST API, PowerShell, Visual Studio
Execution context	Can run locally or in the cloud	Runs only in the cloud.

Exam	Registration Link	Dates
70-532: Developing Microsoft Azure Solutions	https://aka.ms/532asg	March 23 – May 24, 2018
70-533: Implementing Microsoft Azure Infrastructure Solutions	https://aka.ms/533asg	January 12 – April 13, 2018
70-535: Architecting Microsoft Azure Solutions	https://aka.ms/535asg	January 12 – May 24, 2018
70-483: Programing in C#	https://aka.ms/483asg	January 12 – March 2, 2018
70-486: Developing ASP.NET MVC Web Applications	https://aka.ms/486asg	January 12 – March 23, 2018
70-487: Developing Microsoft Azure and Web Services	https://aka.ms/487asg	March 9 – May 11, 2018

Element name	Required	JSON Type	Description
$schema	Yes	String Value	Location of the JSON schema file that describes the version of the template language.
contentVersion	Yes	String Value	Version of the template (such as 1.2.0.20). When deploying resources using the template, this value can be used to make sure that the right template is being used.
parameters	No	JSON Object	Values that are provided by the end user (manually or via a parameters file) when deployment is executed to customize resource deployment.
variables	No	JSON Object	Values that are reused multiple times in the template. You can update these values. They are different from Parameters as their value is known and they are not required as inputs from the end user.
resources	Yes	Array of Objects	Types of services that are deployed or updated in a resource group. Each JSON object in this Array denotes an Azure Resource.
outputs	No	JSON Object	Values that are returned after deployment.

Solution	Customer Experience	Expected availability in 2016
Script migration	VM is rebooted as it is recreated in the Resource Manager model. While the Virtual Machines for the environment are recreated, the network is disconnected.	Q1
Virtual Machines, no VNET	As all Virtual Machines deployed in the Resource Manager model must be in a VNet, Virtual Machines will be migrated and placed in a new VNET. This will result in a change in network configuration, requiring a reboot to reconnect.	Q2
Virtual Machines with VNET	Starting in Q2, the platform will offer Virtual Machine migration from ASM to Resource Manager model without disrupting the running Virtual Machine. This will require disconnecting any VNets connected on-premises, whether via ExpressRoute or VPN, before doing the migration.	Q2
Virtual Machines with basic hybrid (one connection)	Starting in Q3, the platform will offer Virtual Machine migration from ASM to Resource Manager model without disrupting the running Virtual Machine and with minimal disruption to a basic hybrid connection, limited to just one connection back on-premises. More complex connections will require disconnecting before doing the migration.	Q3