Microsoft Azure Nested Virtualization | Web Server

At my previous post, Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM, I described how to create a Hyper-V VM inside an Azure VM with the new Dv3 and Ev3 VM sizes. Now we will see how to use a Hyper-V Nested VM as a Web Server that is hidden behind the Azure VM to secure access to your web application.

Starting we will add the IIS Role at the Nested VM. Go to the Server Manager, add Roles and Features and select the Web Server (IIS) Role.

Select the Features that your application requires and Install.

After that we will need to Forward the required ports to the Nested VMs. To accomplish this we will need to use PowerShell.

At my previews post I created a NAT in order to have network communication between the Host and the Nested VM. We will use that NAT to forward the port 80 and 443 to the Nested VM.

At the Host Azure VM open the PowerShell and rum:

From the results we can see the NAT Name.

Now we can create the Rules:

A final step is to create a rule at the Azure VM’s NSG to allow port 80 & 443 and also open the ports at the Windows Firewall on both the Host and the Nested VMs.

Finally we can browse to the Public IP of the Azure VM and see the IIS Welcome Page of the Nested VM.

Just add an https binding to the IIS default website and also browse at the https page.

Stay tuned for more usage scenarios for the Microsoft Azure Nested Virtualization!

The post Microsoft Azure Nested Virtualization | Web Server appeared first on Apostolidis IT Corner.
Source: e-apostolidis.gr

Microsoft Azure Nested Virtualization | Hyper-V Replica on Azure

After my Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post on how to create a Nested VM inside an Azure VM, I am following with how to have Hyper-V Replica on Azure.

To accomplish this we will use the Azure VM and the Nested VM from the Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM post. The first step is to create an identical pair of Azure VM and Nested VM to use for replica server. The only requirement is that the two Azure VMs must have network connectivity. As you understand we can have Hyper-V Replica between two Azure VMs at different Azure Regions using VPN.

Next, at both Azure VMs open the 443 port at both the NSG and the Windows Firewall. For more security we can add the Public IPs of the VMs as Source.

Since the VMs are not part of a domain we need to use Certificate based authentication for the Hyper-V Replica. We will use the New-SelfSignedCertificate command to create both certificates.

The certificate process

First we need to create a root CA certificate, so login at the first host and run:

Next, using the certificate Thumbprint of the root CA certificate, create two server certificates, one for each Azure VM. To accomplish this run:

The next step is to open the Certificates mmc (Local Computer) and at the Personal container you will find the three certificates created above.

Right click each certificate and Export it, including the Private key, to a folder

Copy the certificates to the second Azure VM and import them. The root CA certificate needs to be imported to he Trust Root Certification Authorities and the other two to the Personal (or just use automatic placement).

Finally we need to disable the Certificate revocation check for Replication on both Azure VMs. To do this run the following command on both Azure VMs:

The Hyper-V Replica process

Lets start creating the Hyper-V Replica. Since Hyper-V Replica uses computer names, we need to use the host file to bind the Public IPs with the computer names. So, at the first Azure VM, open an elevated Notepad, browse to the path “C:WindowsSystem32driversetc”, and open the “hosts” file. Enter the Public IP of the second Azure VM following by the computer name. Do the same at the second Azure VM.

After saving the host file, go to the Hyper-V Settings, go to the “Replication Configuration” and check the “Enable this computer as a Replica Server”. Then check the “Use certificate-based Authentication (HTTPS)” and select the certificate created before. Finally check the “Allow replication from any authenticated servers” and press OK. Do this at both Azure VM Hyper-V Servers.

Next go to the Hyper-V manager, right click the Nested VM and choose “Enable Replica”. Enter the name of the second Azure VM and select the certificate.

I just used the defaults at all the next screens and finally press finish to enable the replication.

Once the replication is enabled you will see the “Replication enabled successfully” message and the Status will change to “Sending Initial Replica”.

After a very short period of time, the VM will complete the initial sync.

The post Microsoft Azure Nested Virtualization | Hyper-V Replica on Azure appeared first on Apostolidis IT Corner.
Source: e-apostolidis.gr

Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM

With the new Dv3 and Ev3 VM sizes Microsoft has released the Nested Virtualization, meaning you can simply have a Hyper-V VM inside an Azure VM. In this post I am testing the Nested Virtualization functionality creating a Hyper-V VM inside an Azure VM and have Network and Internet Connectivity. Of course nested virtualization is only supported in Windows Server 2016.

Lets get started. First of all we will need a Dv3 or Ev3 VM and for best Nested Virtualization performance make use of SSD Managed Disks. I created a D4s_v3 Standard  (4Cores, 16GB Ram, SSD managed disks) and I attached a 1023GB SSD Data Disk for performance.

Now remote desktop to the VM to add the Hyper V Role. From the Server Manager, add Roles and Features and add the Hyper-V role

Since this is an one NIC VM select the NIC to create the Virtual Switch

Change the default Store location to the SSD Data Disk, in this case the E: drive.

Finally wait for the installation to complete and reboot the VM. After the VM reboots, Remote Desktop and open the Hyper-V manager. Now we have Hyper-V inside an Azure VM.

Lets create a VM. You can download a Trial Windows Server 2016 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016 or use your Subscription (MSDN, EA, etc).

I created a VM Called NestedVM01, with 4GB Ram using the Trial Windows Server 2016 ISO

After the VM creation setup the Windows Server 2016 with all defaults and login.

The first thing to notice is that the Network Interface does not have a valid IP address, since Microsoft Azure will not provide one. In order to have the Nested VM to have Network connectivity we need to use NAT.

First change the Virtual Switch to “Internal network”

At the Host’s Network interfaces, open the vEthernet NIC and add a static IP, only IP & Mask

Now we will need PowerShell, since we cannot configure NAT form the GUI.

Open the PowerShell (still at the Host Azure VM) and run

The result:

After that we can provide the Nested VMs with IPs form the 192.168.168.0/24 range. So login to the Nested VM and add an IP fron the Range and for Default Gateway add the Host’s IP.

For DNS add your AD DNS or a Public DNS server just to have internet.

Now from the Nested VM you can ping the Host:

And also browse the Internet:

Stay tuned, on my next post we will see how we can make the Nested VM a Web Server, a hidden Web Server in a VM inside an Azure VM!

Of course this Features opens the door for many more features to test, like Hyper-V Replica, Containers, etc, that we will see in future posts.

The post Microsoft Azure Nested Virtualization | Hyper-V VM inside Azure VM appeared first on Apostolidis IT Corner.
Source: e-apostolidis.gr

Azure VM Image

Following one of my earlier posts, about Azure Managed Disks, lets see how easy it is to create an Azure VM Image from an Azure VM that uses Managed Disks.

The first step it to Sysprep/Generalize the source VM. Otherwise the VM that will be created will not start. Select Generalize and “Shutdown”.

After that wait the VM to shut down and go to the Azure Porta, at the VM’s blade and click “Capture”.

Now, the “Create Image” blade will open. Enter a name, select a Resource Group and choose if the source VM will be deleted or not. Then press create.

As soon as the Image is created you can find it at the “Images” service.

Now lets create a VM from our Image

Click the image name from the Images Blade to open the desired image Blade and just press “Create VM”.

Of course at the image’s blade we can see if the image is Windows or Linux, if it has any Data Disks and the Location.

After clicking the “Create VM” the classic “Create virtual machine” wizard will start, just like any other Virtual Machine creation. You will notice the difference at the final step that shows the name of your image instead of the VM’s OS.

If you want to automate the process of creating an Azure VM from your images you can use Azure Template. You can find a quick start template at Azure’s GitHub repository.

Create a Virtual Machine from a User Image: https://github.com/Azure/azure-quickstart-templates/tree/master/101-vm-from-user-image

The post Azure VM Image appeared first on Apostolidis IT Corner.
Source: e-apostolidis.gr

Azure Log Analytics | CPU Performance Monitor

In this article we will create a CPU Performance monitor View for our servers at the Azure Log Analytics (OMS) Portal.

At the Microsoft Operations Management Suite (OMS) portal press the + button to create a new View

The View Designer workspace will open. Select the “Line chart & callout”

At the Properties blade enter a Name, something like “CPU Performance Monitor”, add the below query and press Apply

Type:Perf CounterName=“% Processor Time” InstanceName=“_Total” | measure avg(CounterValue)by Computer Interval 10Minutes

Pressing Apply you will see at the Preview window the “Name” and the CPU Performance of all the Windows servers that are monitored by OMS agent.

The next step is to press the “+ View” tab and add a “Stack of line charts

The “Stack of line charts” will add three charts per row and we can use it to add our servers. We will create something like that:

So, at the Properties blade add a name and a query for each server needs to be monitored and press Apply. For more than three servers add more “Stack of line charts”.

The query is the below, just change the Computer = “server.domain.local” with your servers.

Type:Perf CounterName=“% Processor Time” InstanceName=“_Total” AND Computer =“server.domain.local” | measure Avg(CounterValue) as ‘CPU_Percentage’ by Computer Interval10Minutes

Finally press “Save” at the View Designer

The result is a CPU Performance monitor for all servers at the OMS Portal.

And when you press it you have the CPU Performance Monitor of all added servers.

Stay tuned for the next part

SOURCE: http://www.e-apostolidis.gr/microsoft/azure/azure-log-analytics-cpu-performance-monitor/

Azure AD | Secure Web Application Publishing

Azure Active Directory Application Proxy is a very easy and secure way for web application publishing using the extremely secure Azure AD authentication mechanism. There are a tone of features, like SSO and 2 Factor Authentication. But lets see the basic here. You have a web application that you are using internal to your network, not even https, or you have developed a web application and you want an easy and safe way to publish it without having to wary about authentication or VPN. Use the Azure AD Application Proxy following the following simple steps.

For this example I have used a Windows Server 2016 with IIS and the SugarCRM application using the IIS Web Platform Installer. The internal link is http://appproxy01/sugarcrm/ that opens the SugarCRM login page.

Lets start

Navigate to Azure Portal and go to Azure Active Directory. Mind that Azure Active Directory Basic or Premium license is required. You can start a trial Azure AD Premium or Enterprise Mobility Suite E3 that includes Azure AD Premium.
Fist of all you need to enable Application proxy. Select Enterprise applications –> Application proxy and click Enable & Download the connector clicking the “Connector” link.

Next, install the connector to the web server or to an other domain member server. It requires Windows Server 2012 R2.

At the installation process it will ask to login with an Azure AD account that has access to publish applications.

Once installed, Run the Connector Troubleshooter to verify that the connector will run properly.

After the successful installation,back to the Azure Portal the server FQDN and the Public IP will appear under the Default Connector.

Now it is time to publish the application. Go to “All applications” –> +ADD –> On-premises application.

Give a name, the internal Url that is used to access the application at your local network and press Add. Note the External URL.

The next step is to assign users. Following the quick steps, press “Assign a user for testing”

an add at least a user and you are ready to test the application.

Now lets test the published application

Open your favorite browser and navigate the the External URL. You will be navigated to the Microsoft online service logon page. Once authenticated with your Azure AD account the SugarCRM login page will be served.

This is the simplest way to publish a web application without having to wary for Authentication and Security.

Of course if the application supports active directory authentication then it is very easy to setup SSO, but we will analyze that at the next post.

Source: http://www.e-apostolidis.gr/microsoft/azure/azure-ad-secure-web-application-publishing/

Azure VM Backup directly from VM’s blade

Azure makes the VMs’ administration simpler every time. Today we will view a very nice new feature, the Backup shortcut at the VM’s blade.

Just click on the VM and select Backup

All you have to configure is the Backup Vault name and the Backup policy at the next easy step and press Enable Backup at the bottom of the “Enable backup” blade and that’s all!!

Now the next time that we will click the Backup shortcut it will show directly the VM’s Backup Settings and run an instant backup. After the first backup we will be able to Restore the VM and also see logging about the backup jobs, like the latest and oldest restore point among others.

Stay tuned for more Azure features

source: http://www.e-apostolidis.gr/microsoft/azure/azure-vm-backup-directly-vms-blade/

Recently i installed a Hyper-V 2012 R2 server (the free version) but my UPS doesn’t support Windows Core. No problem, we have PowerShell!! after some search on various sites – blogs – etc i end up creating the following script. It checks the battery status every 3 minutes, using WMI and when the battery drops below 50% is sends the shutdown signal. As long as you set the VMs to save on shutdown you are OK!

I also added a simple mail notification before the shutdown.

This post is part of a general idea, to create an end-to-end high available application infrastructure solution in Azure using internal load balancer with the new AzureRm commands and Azure PowerShell v.1.0 preview.

We will create a Gateway, request a Public IP and establish a Site to Site VPN. At the time I am writting this post there is no option to create the VPN ising the Portal, the only way is using PowerShell. Also there is no option to download the configuration  for the local firewall/router, like the classic deployment.

The AzureRm commands are installed directly from the PowerShell using the Install-Module AzureRM & Install-AzureRM commands.

So lets start:

Finally, since there is no way to download the configuration script at this time, the sample configurations can be found here: https://github.com/Azure/Azure-vpn-config-samples

After the creation of the VPN, that can be done only using PowerShell, we can use the portal to view the status and the settings

Azure blob storage is billed based to how much data you use. So you can have an 1023 GB disk but if you use only 20 GB you will be billed for 20 GB. But, ???? , if you write more data, lets say 50 GB and then you erase them, the free space will not automatically be released.

sandrinodimattia, https://github.com/sandrinodimattia, released an app that allows to check the actual size of a VHD on Azure. It works on both ASM and ARM.

You can download the executable at: https://github.com/sandrinodimattia/WindowsAzure-VhdSize/releases

The command is:

wazvhdsize.exe “storageaccountname” “storageaccountaccesskey==” containername

Source: https://github.com/sandrinodimattia/WindowsAzure-VhdSize