A complete guide on how to create a pfSense VM on a local Hyper-V server, prepare it for Microsoft Azure, upload the disk to Azure and create a multi-NIC VM.
Download the latest image from https://www.pfsense.org/download/
Open Hyper-V Manager and create a Generation 1 VM. I used 4096 MB of RAM, 2 cores, a VHD disk and an extra NIC (for the second interface), and selected the downloaded ISO. Create a fixed-size VHD, as Azure supports only fixed VHDs for custom VMs.
Start the VM and at the first screen press Enter.
At all screens I accepted the default settings. Finally, at the reboot prompt, remove the installation ISO.
There is no need to set up VLANs; select the second interface for WAN and the first for LAN.
Once pfSense is ready, press 2 and change the LAN (hn0) interface IP to one on your network. Then select option 14 to enable SSH.
Now we can log in with PuTTY, with username admin and password pfsense, and press 8 for shell access.
The first thing is to update the packages by running:
    pkg upgrade
Python
Then install Python, as it is a requirement for the Azure Linux Agent.
Search for Python packages by running:
    pkg search python
Install the latest Python package, setuptools and bash:
    pkg install -y python27-2.7.14
    pkg search setuptools
    pkg install py27-setuptools-36.2.2
    # the agent's installer is invoked as "python"; make that name resolve to the 2.7 interpreter
    ln -s /usr/local/bin/python2.7 /usr/local/bin/python
    pkg install -y bash
Azure Linux Agent
ref: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/classic/freebsd-create-upload-vhd
    pkg install git
    git clone https://github.com/Azure/WALinuxAgent.git
    cd WALinuxAgent
    git tag                              # list the available release tags
    git checkout WALinuxAgent-2.1.1
    git checkout WALinuxAgent-2.0.16     # the checkout that stays in place for the build
    python setup.py install
    ln -sf /usr/local/sbin/waagent /usr/sbin/waagent
Check that the agent is installed by printing its version:
    waagent -version
One final step before uploading the VHD to Azure is to set the LAN interface to DHCP.
This can be done from the web interface: go to https://lanaddress, log in using admin / pfsense, go to Interfaces / LAN and select DHCP as the IPv4 configuration type.
Now shut down pfSense and upload the VHD to Azure Storage.
I use Storage Explorer, https://azure.microsoft.com/en-us/features/storage-explorer/, a free and powerful tool to manage Azure Storage. Log in to your Azure account and press Upload. Select “Page blob” as the blob type.
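The same upload done from PowerShell on the Hyper-V host, with the checks Azure applies to a custom disk (VHD format, fixed type, size a whole number of MiB) run first. This is an added example, not part of the original post; the local path, resource group and storage account are placeholders, while the container and blob name match the VhdUri used in the VM creation script later on.

```powershell
# Added example (not from the original post): checks run on the Hyper-V host
# before the upload, then the upload itself with Add-AzureRmVhd instead of the
# Storage Explorer GUI. Paths and account names are placeholders.
$LocalVhd           = 'D:\Hyper-V\pfsense\pfsense.vhd'     # placeholder
$ResourceGroupName  = '<resource-group>'
$StorageAccountName = '<storage-account>'
$Container          = 'vhds'
$BlobName           = 'pfsensefix.vhd'

$vhd = Get-VHD -Path $LocalVhd
if ($vhd.VhdFormat -ne 'VHD') {
    throw "Azure needs the VHD format; this disk is $($vhd.VhdFormat). Convert it with Convert-VHD first."
}
if ($vhd.VhdType -ne 'Fixed') {
    # A dynamic disk is rejected by Azure; convert to a fixed copy and upload that instead.
    $fixedPath = [IO.Path]::ChangeExtension($LocalVhd, '.fixed.vhd')
    Convert-VHD -Path $LocalVhd -DestinationPath $fixedPath -VHDType Fixed
    $LocalVhd = $fixedPath
    $vhd = Get-VHD -Path $LocalVhd
}
# Azure also rejects a virtual size that is not a whole number of MiB.
if ($vhd.Size % 1MB -ne 0) {
    $aligned = [uint64]([math]::Ceiling($vhd.Size / 1MB) * 1MB)
    Resize-VHD -Path $LocalVhd -SizeBytes $aligned
}

# Upload as a page blob. Add-AzureRmVhd skips the empty blocks, so a fixed
# VHD does not mean the whole file crosses the wire.
$dest = "https://$StorageAccountName.blob.core.windows.net/$Container/$BlobName"
Add-AzureRmVhd -ResourceGroupName $ResourceGroupName -Destination $dest -LocalFilePath $LocalVhd

# Confirm the blob type, which must be PageBlob for a VM disk.
$ctx = (Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context
Get-AzureStorageBlob -Container $Container -Blob $BlobName -Context $ctx | Format-Table Name, BlobType, Length
```

Run it with the pfSense VM shut down; Get-VHD and Resize-VHD refuse a disk that is attached to a running VM.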
After the upload is completed we can create a multiple NIC VM. This cannot be accomplished from GUI. We will create this using PowerShell.
    $ResourceGroupName  = "******"          # resource group of the virtual network
    $pfresourcegroup    = "*******"         # resource group for the pfSense resources
    $StorageAccountName = "******"
    $vnetname           = "*****"
    $NSGname            = "******"
    $location           = "West Europe"
    $vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
    $backendSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name default -VirtualNetwork $vnet
    $vmName = "pfsense"
    $vmSize = "Standard_F1"
    # Public IP for the first NIC
    $pubip = New-AzureRmPublicIpAddress -Name "PFPubIP" -ResourceGroupName $pfresourcegroup -Location $location -AllocationMethod Dynamic
    # Both NICs in the first subnet, as in this test setup
    $nic1 = New-AzureRmNetworkInterface -Name "EXPFN1NIC1" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pubip.Id
    $nic2 = New-AzureRmNetworkInterface -Name "EXPFN1NIC2" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id
    $vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
    # Attach the uploaded VHD as the OS disk (storage account name redacted)
    $vm = Set-AzureRmVMOSDisk -VM $vm -VhdUri "https://********.blob.core.windows.net/vhds/pfsensefix.vhd" -Name "pfsenseos" -CreateOption Attach -Linux -Caching ReadWrite
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id
    $vm.NetworkProfile.NetworkInterfaces.Item(0).Primary = $true
    New-AzureRmVM -ResourceGroupName $pfresourcegroup -Location $location -VM $vm -Verbose
Once the VM is created, go to the VM’s blade and scroll down to “Boot diagnostics”. There you can see a screenshot of the VM’s console.
Then go to the Networking section and SSH to the public IP.
We can also log in to the pfSense web interface.
In my case I added both NICs to the same subnet, but in a production environment add the LAN interface to the backend subnet and the WAN interface to the DMZ (public) subnet.
Of course, more NICs can be added to the VM, one for each subnet in our environment.
Route external traffic through the pfSense
We cannot change the gateway of an Azure VM, but we can use route tables to send the traffic through pfSense.
From the Azure Portal, select New and search for Route table.
We need to configure two things: associate the route table with a subnet, and create a route.
Open the “Route table” and click “Routes”. Press “Add route” and, to route all outbound traffic through pfSense, enter “0.0.0.0” as the address prefix, “Virtual appliance” as the next hop type and the IP address of the pfSense LAN interface as the next hop address.
Then go to “Subnets” and associate the required subnets.
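The route table steps above, done with the same AzureRm cmdlets the VM creation script uses, as an added example that is not part of the original post. It also sets IP forwarding on the pfSense LAN NIC, which the portal steps do not mention but which the Azure fabric requires before it will deliver packets whose destination is not the NIC's own address. The address prefix is written in its CIDR form, 0.0.0.0/0; the resource names, the LAN NIC name and the LAN IP are placeholders.

```powershell
# Added example (not from the original post). Resource names, the pfSense LAN
# NIC name and the LAN IP address below are placeholders.
$ResourceGroupName = '<resource-group>'
$location          = 'West Europe'
$vnetname          = '<vnet-name>'
$backendSubnetName = 'default'
$pfLanNicName      = '<pfsense-lan-nic>'     # the NIC that carries pfSense's LAN interface
$pfLanIp           = '10.0.0.4'              # pfSense LAN interface address (placeholder)

# 1. Without IP forwarding Azure drops packets whose destination is not the NIC's own IP,
#    so a route pointing at the appliance would silently black-hole traffic.
$nic = Get-AzureRmNetworkInterface -Name $pfLanNicName -ResourceGroupName $ResourceGroupName
$nic.EnableIPForwarding = $true
$nic | Set-AzureRmNetworkInterface | Out-Null

# 2. A route table with one default route whose next hop is the appliance.
$route = New-AzureRmRouteConfig -Name 'DefaultViaPfSense' -AddressPrefix '0.0.0.0/0' `
            -NextHopType VirtualAppliance -NextHopIpAddress $pfLanIp
$rt = New-AzureRmRouteTable -Name 'rt-backend' -ResourceGroupName $ResourceGroupName `
            -Location $location -Route $route

# 3. Associate the table with the backend subnet only. Routes apply to every NIC in the
#    subnet, including pfSense's own WAN NIC if it sits there, so the subnet that holds
#    the WAN interface must not get this table or pfSense's egress loops back to itself.
$vnet   = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $backendSubnetName -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -Name $backendSubnetName -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 4. Verify on a backend VM's NIC: the effective default route should now show the appliance.
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName '<backend-vm-nic>' -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress, State
```

Step 3 is the reason the post recommends separate backend and DMZ subnets for production: with both pfSense NICs in one subnet, as in the test setup, there is no subnet you can attach the table to without also catching pfSense's own outbound traffic.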
- Published in Azure, Hyper-V, Microsoft, Virtualization
Microsoft Azure Nested Virtualization | Web Server
In my previous post, Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM, I described how to create a Hyper-V VM inside an Azure VM with the new Dv3 and Ev3 VM sizes. Now we will see how to use a Hyper-V nested VM as a web server that is hidden behind the Azure VM, to secure access to your web application.
To start, we will add the IIS role to the nested VM. Go to Server Manager, add Roles and Features and select the Web Server (IIS) role.
Select the features that your application requires and install.
After that we need to forward the required ports to the nested VM. To accomplish this we will use PowerShell.
In my previous post I created a NAT in order to have network communication between the host and the nested VM. We will use that NAT to forward ports 80 and 443 to the nested VM.
On the host Azure VM open PowerShell and run:
    Get-NetNat
From the results we can see the NAT name.
Now we can create the rules:
    Add-NetNatStaticMapping -NatName "NVMNat" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 192.168.168.10 -InternalPort 80 -ExternalPort 80
    Add-NetNatStaticMapping -NatName "NVMNat" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 192.168.168.10 -InternalPort 443 -ExternalPort 443
A final step is to create a rule in the Azure VM’s NSG to allow ports 80 & 443 and also open the ports in the Windows Firewall on both the host and the nested VM.
Finally we can browse to the public IP of the Azure VM and see the IIS welcome page of the nested VM.
Just add an HTTPS binding to the IIS default website and also browse to the HTTPS page.
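The "final step" (NSG rule plus Windows Firewall rules) in code, with a check of the two NAT mappings, as an added example that is not part of the original post. The NSG rule is scoped to a source range instead of the whole Internet, which is where the value of hiding the web server behind the host VM comes from. The NAT name and nested VM address are the post's; the resource group, NSG name and source range are placeholders.

```powershell
# Added example (not from the original post). Resource group, NSG name and the
# allowed source range are placeholders; NAT name and nested VM IP are the post's.
$ResourceGroupName = '<resource-group>'
$NsgName           = '<nsg-name>'
$AllowedSource     = '203.0.113.0/24'   # placeholder: the clients that need to reach the site

# --- Azure side: one inbound allow rule per port, from the chosen source only ---
$nsg = Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
$priority = 300
foreach ($port in 80, 443) {
    $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "Allow-Web-$port-In" `
        -Description "TCP $port to the nested IIS via the host NAT" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $priority `
        -SourceAddressPrefix $AllowedSource -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $port | Out-Null
    $priority += 10
}
$nsg | Set-AzureRmNetworkSecurityGroup | Out-Null

# --- Windows Firewall: run this on the host Azure VM and again inside the nested VM ---
New-NetFirewallRule -DisplayName 'Web 80/443 In' -Direction Inbound -Protocol TCP `
    -LocalPort 80, 443 -Action Allow -Profile Any | Out-Null

# --- Confirm the static mappings point at the nested VM (host side) ---
Get-NetNatStaticMapping -NatName 'NVMNat' |
    Where-Object { $_.InternalIPAddress -eq '192.168.168.10' } |
    Format-Table Protocol, ExternalIPAddress, ExternalPort, InternalIPAddress, InternalPort, Active
```

If the page still does not load after this, the three layers to check are in the order the packet crosses them: the NSG on the host VM's NIC or subnet, the host firewall, and the nested VM's firewall; the mapping table at the end tells you whether WinNAT is even in play.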
Stay tuned for more usage scenarios for the Microsoft Azure Nested Virtualization!
The post Microsoft Azure Nested Virtualization | Web Server appeared first on Apostolidis IT Corner.
Source: e-apostolidis.gr
Microsoft Azure Nested Virtualization | Hyper-V Replica on Azure
After my Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post on how to create a nested VM inside an Azure VM, I am following up with how to have Hyper-V Replica on Azure.
To accomplish this we will use the Azure VM and the nested VM from the Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post. The first step is to create an identical pair of Azure VM and nested VM to use as the replica server. The only requirement is that the two Azure VMs have network connectivity. As you understand, we can have Hyper-V Replica between two Azure VMs in different Azure regions using a VPN.
Next, on both Azure VMs open port 443 in both the NSG and the Windows Firewall. For more security we can add the public IPs of the VMs as the source.
Since the VMs are not part of a domain we need to use certificate-based authentication for Hyper-V Replica. We will use the New-SelfSignedCertificate command to create the certificates.
The certificate process
First we need to create a root CA certificate, so log in to the first host and run:
    New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=myazurerootca" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "Signature" -KeyUsage "CertSign"
Next, using the thumbprint of the root CA certificate, create two server certificates, one for each Azure VM. To accomplish this run:
    New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=anothertestvm" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:\LocalMachine\My\A7196D9759FC2F7C49D62E08FA7195310DE5EB7" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
    New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=anothertestvm2" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:\LocalMachine\My\A7196D9759FC2F7C49D62E08FA7195310DE5EB7" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
The next step is to open the Certificates MMC (Local Computer); in the Personal container you will find the three certificates created above.
Right-click each certificate and export it, including the private key, to a folder.
Copy the certificates to the second Azure VM and import them. The root CA certificate needs to be imported into Trusted Root Certification Authorities and the other two into Personal (or just use automatic placement).
Finally we need to disable the certificate revocation check for replication on both Azure VMs. To do this run the following command on both:
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
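The certificate process as one script, added here as an example and not part of the original post. It differs from the post's commands in three ways worth having: the root thumbprint is taken from the returned object instead of pasted, each leaf carries its host name as a DNS SAN as well as in the subject, and only the root's public half leaves the first host (the replica partner needs to trust the root, not sign with it). Host names are the post's; the export folder and password are placeholders.

```powershell
# Added example (not from the original post): root CA plus one leaf per host,
# exported so that only the root's public certificate and each host's own PFX
# travel to the partner. Export path is a placeholder.
$RootName  = 'myazurerootca'
$Hosts     = @('anothertestvm', 'anothertestvm2')   # computer names from the post
$ExportDir = 'C:\ReplicaCerts'                      # placeholder
$PfxPwd    = Read-Host -AsSecureString 'PFX export password'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Root CA with a signing-only key, kept in LocalMachine\My so it can sign the leaves.
$root = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable -Subject "CN=$RootName" `
          -CertStoreLocation 'Cert:\LocalMachine\My' -KeySpec Signature -KeyUsage CertSign `
          -NotAfter (Get-Date).AddYears(5)

# 2. One leaf per host: server + client authentication EKUs (2.5.29.37), signed by $root.
#    -Signer takes the certificate object, so no thumbprint is copied by hand.
$leaves = foreach ($h in $Hosts) {
    New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable -Subject "CN=$h" -DnsName $h `
        -CertStoreLocation 'Cert:\LocalMachine\My' -KeySpec KeyExchange `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
        -Signer $root -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
        -NotAfter (Get-Date).AddYears(2)
}

# 3. Export: root as a public-only .cer, each leaf as a password-protected PFX.
Export-Certificate -Cert $root -FilePath "$ExportDir\$RootName.cer" | Out-Null
foreach ($leaf in $leaves) {
    $cn = $leaf.Subject -replace '^CN='
    Export-PfxCertificate -Cert $leaf -FilePath "$ExportDir\$cn.pfx" -Password $PfxPwd | Out-Null
}

# 4. Chain validation on this host also needs the root in Trusted Root, not only in My.
Import-Certificate -FilePath "$ExportDir\$RootName.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# On the second host, after copying $ExportDir over, import the root and that host's PFX only:
#   Import-Certificate    -FilePath "$ExportDir\$RootName.cer"       -CertStoreLocation 'Cert:\LocalMachine\Root'
#   Import-PfxCertificate -FilePath "$ExportDir\anothertestvm2.pfx"  -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPwd

# 5. List what was issued: subject, thumbprint (needed by the Replica settings) and expiry.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -eq "CN=$RootName" } |
    Format-Table Subject, Thumbprint, NotAfter
```

Delete the PFX files from both hosts once they are imported; the exportable private keys in them are the credential that authenticates replication traffic.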
The Hyper-V Replica process
Let's start creating the Hyper-V Replica. Since Hyper-V Replica uses computer names, we need to use the hosts file to bind the public IPs to the computer names. So, on the first Azure VM, open an elevated Notepad, browse to the path “C:\Windows\System32\drivers\etc”, and open the “hosts” file. Enter the public IP of the second Azure VM followed by its computer name. Do the same on the second Azure VM.
After saving the hosts file, go to Hyper-V Settings, go to “Replication Configuration” and check “Enable this computer as a Replica Server”. Then check “Use certificate-based Authentication (HTTPS)” and select the certificate created before. Finally check “Allow replication from any authenticated servers” and press OK. Do this on both Azure VM Hyper-V servers.
Next go to Hyper-V Manager, right-click the nested VM and choose “Enable Replica”. Enter the name of the second Azure VM and select the certificate.
I just used the defaults on all the next screens and finally pressed Finish to enable the replication.
Once replication is enabled you will see the “Replication enabled successfully” message and the status will change to “Sending Initial Replica”.
After a very short period of time the VM will complete the initial sync.
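The hosts entry, the Replica Server settings and the "Enable Replica" wizard done with the Hyper-V PowerShell module, as an added example that is not part of the original post. It runs on the primary host; the partner's public IP and the replica storage path are placeholders, the computer names and the nested VM name are the ones used in these posts.

```powershell
# Added example (not from the original post). Run on the primary Azure VM.
# Partner IP and storage path are placeholders.
$PartnerName = 'anothertestvm2'        # computer name of the second Azure VM
$PartnerIp   = '198.51.100.20'         # its public IP (placeholder)
$VmName      = 'NestedVM01'            # the nested VM created in the earlier post
$MyCertCn    = 'anothertestvm'         # this host's own leaf certificate subject

# 1. hosts entry so the partner's computer name resolves to its public IP
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsPath -Pattern "\s$PartnerName\s*$" -Quiet)) {
    Add-Content -Path $hostsPath -Value "$PartnerIp`t$PartnerName"
}

# 2. This host's certificate, picked by subject from LocalMachine\My
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$MyCertCn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$MyCertCn in LocalMachine\My" }

# 3. Replica Server settings (run on both hosts, each with its own certificate).
#    ReplicationAllowedFromAnyServer mirrors the post's checkbox; listing the partner
#    with New-VMReplicationAuthorizationEntry instead is the tighter option.
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
    -CertificateAuthenticationPort 443 -CertificateThumbprint $cert.Thumbprint `
    -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation 'E:\Hyper-V\Replica'   # placeholder path

# 4. Enable replication of the nested VM towards the partner and start the initial copy.
Enable-VMReplication -VMName $VmName -ReplicaServerName $PartnerName -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint -ReplicationFrequencySec 300
Start-VMInitialReplication -VMName $VmName

# 5. State moves from InitialReplicationInProgress to Replicating once the first copy lands.
Get-VMReplication -VMName $VmName | Format-Table Name, State, Health, ReplicaServer, LastReplicationTime
```

Step 3 has to succeed on the partner before step 4 runs on the primary, because Enable-VMReplication contacts the partner over 443 immediately; a failure there is usually the NSG, the Windows Firewall, or the partner not trusting the root certificate.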
The post Microsoft Azure Nested Virtualization | Hyper-V Replica on Azure appeared first on Apostolidis IT Corner.
Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM
With the new Dv3 and Ev3 VM sizes Microsoft has released nested virtualization, meaning you can simply have a Hyper-V VM inside an Azure VM. In this post I am testing the nested virtualization functionality by creating a Hyper-V VM inside an Azure VM with network and Internet connectivity. Of course, nested virtualization is only supported on Windows Server 2016.
Let's get started. First of all we need a Dv3 or Ev3 VM, and for the best nested virtualization performance use SSD managed disks. I created a D4s_v3 Standard (4 cores, 16 GB RAM, SSD managed disks) and attached a 1023 GB SSD data disk for performance.
Now remote desktop to the VM to add the Hyper-V role. From Server Manager, add Roles and Features and add the Hyper-V role.
Since this is a one-NIC VM, select the NIC to create the virtual switch.
Change the default store location to the SSD data disk, in this case the E: drive.
Finally, wait for the installation to complete and reboot the VM. After the VM reboots, remote desktop in and open Hyper-V Manager. Now we have Hyper-V inside an Azure VM.
Let's create a VM. You can download a trial Windows Server 2016 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016 or use your subscription (MSDN, EA, etc.).
I created a VM called NestedVM01, with 4 GB RAM, using the trial Windows Server 2016 ISO.
After the VM is created, set up Windows Server 2016 with all defaults and log in.
The first thing to notice is that the network interface does not have a valid IP address, since Microsoft Azure will not provide one. For the nested VM to have network connectivity we need to use NAT.
First change the virtual switch to “Internal network”.
In the host’s network interfaces, open the vEthernet NIC and add a static IP, only IP & mask.
Now we need PowerShell, since we cannot configure NAT from the GUI.
Open PowerShell (still on the host Azure VM) and run:
    New-NetNat -Name NVMNat -InternalIPInterfaceAddressPrefix 192.168.168.0/24
The result:
After that we can give the nested VMs IPs from the 192.168.168.0/24 range. So log in to the nested VM and add an IP from the range, with the host’s IP as the default gateway.
For DNS add your AD DNS or a public DNS server, just to have Internet access.
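The host-side switch, address and NAT setup as a re-runnable script, followed by the guest-side addressing, as an added example that is not part of the original post. Unlike the post, which converts the existing switch to internal, this creates a separate internal switch; the switch name, guest adapter name and DNS server are placeholders, while the NAT name and the 192.168.168.0/24 prefix are the post's.

```powershell
# Added example (not from the original post). Switch name, guest adapter name and
# DNS address are placeholders; NAT name and prefix come from the post.
$SwitchName = 'NATSwitch'
$NatName    = 'NVMNat'
$Prefix     = '192.168.168.0/24'
$HostIp     = '192.168.168.1'

# --- On the Azure VM (the Hyper-V host) ---
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# The internal switch shows up on the host as "vEthernet (<switch>)"; give it the gateway IP.
$vEth = Get-NetAdapter -Name "vEthernet ($SwitchName)"
$have = Get-NetIPAddress -InterfaceIndex $vEth.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -eq $HostIp }
if (-not $have) {
    New-NetIPAddress -InterfaceIndex $vEth.ifIndex -IPAddress $HostIp -PrefixLength 24 | Out-Null
}

# WinNAT supports a single NAT network per host, so reuse an existing one with this name.
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Prefix | Out-Null
}
Get-NetNat | Format-Table Name, InternalIPInterfaceAddressPrefix, Active

# --- Inside the nested VM (run there, not on the host) ---
# $nic = Get-NetAdapter -Name 'Ethernet'                          # guest adapter name (placeholder)
# New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress '192.168.168.10' -PrefixLength 24 -DefaultGateway '192.168.168.1'
# Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '<dns-server>'
# Test-NetConnection -ComputerName 192.168.168.1 -InformationLevel Quiet   # $true when the host answers
```

The guest address 192.168.168.10 is the one the later web-server post forwards ports to, so keeping it static here avoids the NAT mappings pointing at a stale lease.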
Now from the Nested VM you can ping the Host:
And also browse the Internet:
Stay tuned; in my next post we will see how to make the nested VM a web server, a hidden web server in a VM inside an Azure VM!
Of course, this feature opens the door to many more things to test, like Hyper-V Replica, containers, etc., which we will see in future posts.
The post Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM appeared first on Apostolidis IT Corner.
Recently I installed a Hyper-V 2012 R2 server (the free version) but my UPS doesn’t support Windows Core. No problem, we have PowerShell! After some searching on various sites, blogs, etc. I ended up creating the following script. It checks the battery status every 3 minutes, using WMI, and when the battery drops below 50% it sends the shutdown signal. As long as you set the VMs to save on shutdown you are OK!
I also added a simple mail notification before the shutdown.
    $batterystatus = (Get-WmiObject -Class CIM_Battery -Namespace "root\CIMV2").EstimatedChargeRemaining
    # Poll every 3 minutes until the remaining charge is 50% or less
    Do {
        Start-Sleep -Seconds 180
        $batterystatus = (Get-WmiObject -Class CIM_Battery -Namespace "root\CIMV2").EstimatedChargeRemaining
        $batterystatus
    } While ($batterystatus -gt 50)
    # Mail notification, then shut down with a 5-minute delay
    $login = "username"
    $password = "password" | ConvertTo-SecureString -AsPlainText -Force
    $credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $login, $password
    Send-MailMessage -Body "UPS Started - Server will shutdown in 5 minutes" -From mail@domain.com -To mymail@domain.com -Subject "Power Loss - UPS Started" -SmtpServer mail.domain.com -Credential $credentials
    shutdown /s /t 300
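A variant of the watcher, added here as an example and not part of the original post, that addresses the three things a reviewer would flag in the script above: it only acts when the battery is actually discharging (a UPS reporting 40% while on mains would otherwise shut the host down), it saves the VMs itself rather than trusting the per-VM shutdown action, and the SMTP password comes from a DPAPI-protected file instead of the script text. Mail settings and the credential path are placeholders; the 50% threshold and 3-minute interval are the post's.

```powershell
# Added example (not from the original post). Mail settings and credential file
# path are placeholders; threshold and poll interval follow the post.
$Threshold   = 50        # percent
$PollSeconds = 180
$CredFile    = 'C:\Scripts\smtp.cred.xml'   # created once, as the service account: Get-Credential | Export-Clixml $CredFile
$Smtp        = @{ SmtpServer = 'mail.domain.com'; From = 'mail@domain.com'; To = 'mymail@domain.com' }

function Get-BatteryState {
    # Win32_Battery.BatteryStatus: 1 = discharging, 2 = on AC. EstimatedChargeRemaining is a percentage.
    $b = Get-CimInstance -ClassName Win32_Battery | Select-Object -First 1
    if (-not $b) { throw 'No battery/UPS visible through WMI' }
    [pscustomobject]@{ Charge = [int]$b.EstimatedChargeRemaining; Discharging = ($b.BatteryStatus -eq 1) }
}

function Test-ShutdownNeeded([int]$Charge, [bool]$Discharging, [int]$Limit = $Threshold) {
    # Only a draining battery at or below the limit triggers the shutdown.
    return ($Discharging -and $Charge -le $Limit)
}

do {
    Start-Sleep -Seconds $PollSeconds
    $s = Get-BatteryState
    Write-Host ('{0:u} charge={1}% discharging={2}' -f (Get-Date), $s.Charge, $s.Discharging)
} until (Test-ShutdownNeeded -Charge $s.Charge -Discharging $s.Discharging)

# Notify. Import-Clixml decrypts the credential only for the user that exported it, on this machine.
$cred = Import-Clixml -Path $CredFile
Send-MailMessage @Smtp -Credential $cred -Subject 'Power Loss - UPS Started' `
    -Body "Battery at $($s.Charge)% and discharging; saving VMs and shutting down in 5 minutes"

# Save running VMs now so their state is on disk before the host goes down,
# then shut down with the same 5-minute grace period the post uses.
Get-VM | Where-Object { $_.State -eq 'Running' } | Save-VM
shutdown /s /t 300
```

Run it as a scheduled task under the account that exported the credential file, since DPAPI ties the file to that account; if the battery never reports BatteryStatus (some USB-attached UPS drivers do not), drop the Discharging check and keep the threshold alone, as the original script does.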
- Published in Hyper-V, Microsoft, Virtualization