Azure a custom number of vCPUs use Virtual machines selector #Azure #MVPBuzz #Scale #Compute

Some database workloads like SQL Server require high memory, storage, and I/O bandwidth, but not a high number of cores. Many database workloads are not CPU-intensive. Azure offers pre-defined VM sizes with lower vCPU count which can help to reduce the cost of software licensing, while maintaining the same memory, storage, and I/O bandwidth.

The available vCPU count can be reduced to one half or one quarter of the original VM specification. These new VM sizes have a suffix that specifies the number of available vCPUs to make them easier for you to identify. There are no additional cores available that can be used by the VM.

For example, the Standard_E32s_v5 VM size comes with 32 vCPUs, 256 GiB RAM, 32 disks, and 80,000 IOPS or 2 GB/s of I/O bandwidth. The pre-defined Standard_E32-16s_v5 and Standard_E32-8s_v5 VM sizes come with 16 and 8 active vCPUs respectively, while maintaining the memory, storage, and I/O bandwidth specifications of the Standard_E32s_v5.

The licensing fees charged for SQL Server are based on the available vCPU count. Third-party products should count the available vCPUs, which represent the maximum to be used and licensed. This results in a 50% to 75% increase in the ratio of the VM specs to available (billable) vCPUs. At this time, the VM pricing, which includes OS licensing, remains the same as the original size.


Configure a custom number of vCPUs to reduce the number of vCPUs that are available to the virtual machine. This can help you save on vCPU software-based licensing costs. This may have performance and cost implications.

https://azure.microsoft.com/en-us/pricing/vm-selector/

Try the Virtual machine selector to get the right virtual machine. There are many options for picking the right VM size; in the end the main thing is that your application needs to run optimally, and yes, the finance department wants minimal costs. Finding the sweet spot is not always easy. Do not start with a B type SKU, as these are limited in CPU; a B type is perfect if you already know the workload doesn’t need 90% CPU all the time.

There are many Azure SKU types, all based on ACU. Keep a close look on ACU and cost versus performance; a lower VM cost does not mean lower operational costs. Try to install a large package on a B SKU and on a Standard_E2bds_v5, and size back if you can. Learn more about how Azure compute units (ACU) can help you compare compute performance across Azure SKUs.

See the link below for more about VM sizes

https://learn.microsoft.com/en-us/azure/virtual-machines/sizes/?WT.mc_id=AZ-MVP-4025011

Start with Cloud Adoption Framework enterprise-scale landing zones #CAF #Azure #Cloud #MVPBuzz

The Cloud Adoption Framework for Azure enterprise-scale landing zone architecture varies between customers. So there is no one size fits all, but there is a lot in common that can be reused next time.

Often I hear “Azure Enterprise-scale is not for me, it is enterprise.” Wrong: anyone can use the CAF and Azure Enterprise-scale, as it is modular by design. Even if you have just 1 VM there are still parts that you could use, say the management groups, monitoring, or RBAC.

Source :

The enterprise-scale approach to construct landing zones includes three sets of assets to support cloud teams:

  • Design guidelines: Guide to the critical decisions that drive the design of the Cloud Adoption Framework for Azure enterprise-scale landing zone.
  • Architecture: Conceptual reference architecture that demonstrates design areas and best practices.
  • Implementations: Azure Resource Manager template of the architecture to accelerate adoption.

But how do we start with this, and what do we build? Well, Microsoft made this easy: there is an accelerator that I will explain below.

With this solution accelerator you can set up the foundation in one process.

Often this error shows up even if you are an Azure subscription owner:

You don’t have authorization to perform action ‘Microsoft.Resources/deployments/validate/action’.

This can be fixed by adding the user account to the Owner role at tenant root scope. This can only be done with PowerShell: as a User Access Administrator, assign the Owner role at tenant root scope ("/") to the current user.

New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId "user objectID"

Go to the user and grab the object ID.

Now that everything is ready we can start.

Choose where the instance needs to land and pick the proper region for your Azure resources. If your default is West Europe, then choose West Europe here.

As I did not want to deploy it in a dedicated subscription, I’ll pick my own. The prefix for the management groups is based on the text that is visible later.

The management groups hold the subscriptions, and policies can be placed on the management groups.

Here are the options for Log Analytics and the policies. To keep good governance you need logging and policies; in Microsoft Defender for Cloud you can later see the policies and the secure score.

At this time I don’t want to use the DevOps pipeline, but it is a great add-on and you can start from there with the pipeline deployment.

Now you need to choose the deployment: go for hub and spoke or Azure Virtual WAN, depending on your needs. Personally I’m a big fan of Azure Virtual WAN, so I’ll choose this. Optional resources that can be added:

  • DDoS Protection Standard
  • Azure Private DNS Zones for Azure PaaS services
  • VPN and ExpressRoute Gateways
  • Azure Firewall

With these options you may need to choose the right SKU and a proper subnet and/or zone redundancy.

I choose the Standard SKU; this is without IDS and TLS inspection. The best option is to choose Premium.

Always use an NSG on your network; never, never, never add a VM directly to the web.

In Enterprise-scale it is best practice to use multiple subscriptions; see also the enterprise-scale layout.

Now that the deployment is ready, we can view the Azure Virtual WAN with the firewall.

The deployed resources are easy to find, as the prefix is used on all the resources.

Looking at Log Analytics and the policies: always check this. Maybe you need to adjust the workload and/or add extra settings on the workload to make things compliant.

Overall the template is a great starter, and yes, you need to configure a lot more than just the foundation, but this gives you a good understanding of what is needed and what to connect, and lets you play with the resources.

Go here for the github template of the enterprise scale

Look on my blog for how to configure the VPN and Azure firewall.

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Backup Azure Firewall with virtual wan #Azure #SDWAN #Backup #Runbook

Azure Backup can’t back up the Azure Firewall directly; additional steps need to be done before you can back up the firewall rules. If you create all the rules with PowerShell or an ARM / Bicep template, then it is easy to add all the rules again, but over time rules are often changed or added manually. Therefore a good backup of the rules is needed to make sure the latest setup has been backed up.

Azure Firewall is a managed stateful network security service

Organizations can leverage Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.

Details about the Azure Firewall can be found on the Microsoft Docs site: Azure Firewall documentation | Microsoft Docs

This is a setup in my test lab with some rules. Keep in mind that the current runbook works only if the firewall, policies, and the storage account are in the same resource group. In this blog post I may use different naming across the screenshots; what matters is the method and the things that can go wrong.

Requirements

  • Automation account
  • Storage Account
  • Runbook

Overview of my demo lab empty shell with rules.

When you need to quickly get all the firewall rules and settings, you can export the template in the policy manager, as below for my policies for the Azure Virtual Machines.

Manual is quick and easy. When we want to do this automatically we need an Automation account and a runbook that will create a full backup on a storage account, and the storage account can be backed up with Azure Backup.

First we need to set up an Automation Account.

Now that the Automation Account is created we can configure it to our needs.

Go to the Automation account and in the Settings blade, under Account settings, create a “Run As” account.

Adding the Run As account.

This provides the service principal access that will be used to auto-login into the runbook.

The runbook is a PowerShell module, and we need to confirm that we have access to the network and resources modules. It is important to check that the Az modules are there, else the PowerShell script won’t run. But all you need is already available.

The modules that we need are Az.Accounts, Az.Network, Az.Resources.

As you can see, all the Az modules are there. With the +model option from the menu you can add your own modules that you may need.

When running the PowerShell script it needs a storage location; a storage account will be used as storage. Keep in mind that the storage account name needs to be globally unique. If you already have a storage account for backup or management, then that account can also be used.

Create a blob storage account.

This can be done with PowerShell or manually.

#Set the variables for the firewall backup
$location = "west europe"
$ResourceGroupName = "name"
#Placeholder: the storage account name must be globally unique
$saname = "storageaccountname"

#Create new RG for the firewall backup
New-AzResourceGroup -Name $ResourceGroupName -Location $location

#Create new Storage account for the firewall backup
#(-AccessTier is required when -Kind is BlobStorage)
New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $saname `
  -Location $location -SkuName Standard_LRS `
  -Kind BlobStorage -AccessTier Hot

Now we save the account name and storage key, and we create a blob container.

Press Show keys to make the key visible.

Now that the blob is created we create a folder in the blob; you can also do this in the runbook.

Now that the storage account is created, we go back to the Automation account created earlier and create a runbook. This runbook is used to back up all the firewall rules to the storage account.

Create a runbook.

Just give it a name and choose PowerShell 5.

We are using the runbook that is on the GitHub page.

Select the just created runbook and copy the text from https://raw.githubusercontent.com/Azure/Azure-Network-Security/master/Azure Firewall/Runbook – Back Up Azure Firewall/Runbook.txt into the runbook section of the newly created runbook and click Save.

We need to test the runbook to see if it works.

Here we use the resource group and storage account that we created for this. You can also make this fixed in the runbook, but this is better and also very handy if you want to back up more firewall policies.

In my case I played too much; if the folder already exists you will see an error in the test. Also, I like to show what kind of errors you could get.

Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...
Container 'firewallbackup' already exists
Starting Azure Firewall current configuration export in json...
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup1' blob container space for storage...

CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission         : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess       : Off
LastModified       : 2/8/2022 11:33:12 AM +00:00
ContinuationToken  : 
Context            : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name               : firewallbackup1
Container 'firewallbackup1' created
Starting Azure Firewall current configuration export in json...

A second error that could be there:

Failed
The running command stopped because the preference variable “ErrorActionPreference” or common parameter is set to Stop: The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 – HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

You probably need to change the storage key that is used, or change the access to that storage account.

But when it all runs:

Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...

CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission         : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess       : Off
LastModified       : 2/8/2022 1:05:04 PM +00:00
ContinuationToken  : 
Context            : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name               : firewallbackup
Container 'firewallbackup' created
Starting Azure Firewall current configuration export in json...

Path                                                          
----                                                          
C:\Users\Client\Temp\AzureFirewall_MVPCentral202202081305.json
Submitting request to dump Azure Firewall configuration
Removing backups older than '7' days from blob: 'firewallbackup'
Azure Firewall current configuration back up completed.

Now that the testing is complete and working, we can publish the runbook.

Remember: if you don’t publish the runbook, it won’t work.

As you run the test runbook, it will keep asking whether you would like to save when you want to switch to the schedule blade; just say no to saving. Our final step is to schedule the backup of the firewall.

Create the schedule and the retention time.

We create a new schedule.

Now we need to fill in all the parameters, just as in the test.

ok

if you want to turn this off just click on the line on

Looking into the storage blob we see all the JSON files.

With this JSON file you can redeploy the firewall rules or use it for a new deployment with a different name.

Hope it was helpful; thanks for visiting my blog.


How to use Azure proximity placement groups #Azure #SAP #Latency

When moving to Azure or building new infrastructure workloads, latency is important. Where do I find the numbers, how do I configure it for the best result, what is the difference between Azure Availability groups and Azure Availability Zones, and do I need Azure Site Recovery? Well, as a consultant: IT depends.

Availability Sets

Availability Sets take the virtual machine and configure multiple copies of it. Each copy is isolated within a separate physical server, compute rack, storage units and network switches within a single datacentre within an Azure Region.

When you create your virtual machine you can specify the Availability Set; you can’t change it or move it in or out of an Availability Set after creation. If you wanted to make changes you would need to start again and recreate the virtual machine. Availability Sets only apply to virtual machines; they can’t be used for any other type of resource within Azure. So: local datacenter redundancy.

Availability Zone

The next level of availability for your virtual machines within Azure is Availability Zones. With Availability Zones utilized, your acceptable downtime a month moves to less than 5 minutes, as you’ve got a 99.99% SLA. With Availability Zones you are starting to use zone-aware services. Your workload will be spread out across the different zones that make up an Azure region. An Azure region is made up of multiple datacenters and each zone is made up of one or more datacenters. Each datacenter is equipped with independent power, cooling and networking.

You can imagine that when using this there could be some extra latency between the VMs. It all depends on the zone where you are deploying, but that can be tested.

In many Azure regions, the number of datacenters has grown. Azure datacenter latency can be tested here: https://www.azurespeed.com/Azure/Latency

In the next setup I use Azure VMs, both in West Europe, and we test the latency between VMs in the same region. The tool I use is Latte.

On the sender server we placed the remote receiver IP.

Here on the receiver we use the local VM IP, and after the test the latency is shown. This is a common setup. If we want to improve this, or to make sure that these numbers are not getting worse, we need to change the setup.

516 Latency(usec)

When running SAP, latency is important. Azure has an option called proximity placement groups. An Azure proximity placement group is a logical construct. When a proximity placement group is defined, it’s bound to an Azure region and an Azure resource group.

A single Azure resource group can have multiple proximity placement groups assigned to it. But a proximity placement group can be assigned to only one Azure resource group.

Proximity placement groups offer co-location in the same data center. However, because proximity placement groups represent an additional deployment constraint, allocation failures can occur (for example, you may not be able to place your Azure Virtual Machines in the same proximity placement group.)

When you ask for the first virtual machine in the proximity placement group, the data center is automatically selected. In some cases, a second request for a different virtual machine SKU may fail since it does not exist in the data center already selected. In this case, an OverconstrainedAllocationRequest error will be returned. To troubleshoot, please check to see which virtual machines are available in the chosen region or zone using the Azure portal or APIs. If all of the desired SKUs are available, try changing the order in which you deploy them.

In the case of elastic deployments, which scale out, having a proximity placement group constraint on your deployment may result in a failure to satisfy the request.


If you want to use availability zones together with placement groups, you need to make sure that the VMs in the placement group are also all in the same availability zone.

In this sample we are going to make an Azure proximity placement group and place two VMs in it. As a sample I also use an Azure Virtual Desktop machine.

How to create an Azure proximity placement group: in the Azure portal, type "proxi" and the Azure proximity placement groups are there.

Select Create, add a resource group, and pick a name that fits your naming convention.

Add some tags and that is all, or do this in PowerShell:

$resourceGroup = "rg-proxim-demo-weu-01"
$location = "West Europe"
$ppgName = "ppg-avd-sap-01"
New-AzResourceGroup -Name $resourceGroup -Location $location
$ppg = New-AzProximityPlacementGroup `
   -Location $location `
   -Name $ppgName `
   -ResourceGroupName $resourceGroup `
   -ProximityPlacementGroupType Standard

Adding a VM to the newly created Azure proximity placement group is done by selecting the configuration of the VM and adding the group to the VM. In my case I have an availability set added to my VM, so I must upgrade the entire availability set to add the Azure proximity placement group.

Now that we have added the Azure proximity placement group to the VM, we need to run the same test again.

Both machines are already in the same availability set, which has now been added to the Azure proximity placement group.

Testing from outside the availability set, from a B2 VM to a D2v3 SKU.

Running this on a d4ds_4: as this is in the availability set, I need to choose what is within the limits of this set, so I am bound to the VM SKU.

As you can see, it really depends on the VM SKU type what kind of latency you will get, but basically it is lower when you are using Azure proximity placement groups.

Interesting to see: in the PowerShell commands for Azure proximity placement groups there is also an Ultra type. This is currently in preview but can give you even better results. Keep in mind, though, that you can’t fix latency with just one setting; check your chain and fix that instead of fixing just one link.

-ProximityPlacementGroupType

Specifies the type of the proximity placement group. Possible values are: Standard or Ultra

$resourceGroup = "rg-proxim-demo-weu-02"
$location = "West Europe"
$ppgName = "ppg-avd-sapultra-02"
New-AzResourceGroup -Name $resourceGroup -Location $location
$ppg = New-AzProximityPlacementGroup -Location $location `
   -Name $ppgName -ResourceGroupName $resourceGroup `
   -ProximityPlacementGroupType Ultra

New-AzProximityPlacementGroup: The subscription is not registered for private preview of Ultra Proximity Placement Groups.

I think I need to do some research for this to add my subscription to this preview. Hope it was helpful; thanks for visiting my blog.


Step By Step Troubleshooting Azure Arc-enabled servers with agent connection issues #Windows #WindowsServer #WinServ #Azure #AzureArc #Cloud

Azure Arc-enabled servers enables you to manage your Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group. Now you can benefit from standard Azure constructs, such as Azure Policy and applying tags.

When you have been running Azure Arc for some time and suddenly the response stops, you need to dig a bit deeper into how things work instead of just kicking off an MSI and finding the issue is still not fixed.

This is all a test, so it may look different in your site, just to say so.

Here I have my two servers managed by Arc

As you can see: “Something went wrong while getting your resources. Please try again later.”

Yes, let me get more info about this, as currently I know nothing about the error.

So it is all OK according to the Azure troubleshooter, and still it doesn’t work.

Let me click around and see if there is an error. (I could look at the local event log of the server, but that’s no fun. Who uses this? Post some comments on the blog post.) Event logs are extremely helpful for finding issues or hidden issues. Often people forget to look at this and would see the problem right there. And yes, it needs to be fixed also.

Will that be the issue? Checking: already running the latest version. So what is this error, or did it go wrong when updating the agent? Well, I did skip patching for some time on these servers and upgraded these to Windows Server 2022.

Let me check the agent version. Well, it is the latest version for now.

How is Azure Arc configured anyway? There is no console other than in Azure, and an MSI with an agent.

Let me check the configuration of this and see if I can find something there.

C:\ProgramData\GuestConfig

Perfect, lots of log files and a config. Let me check them all.

time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: FromAssertion(): http call(https://login.windows.net/-d391a79950b1/oauth2/v2.0/token)(POST) error: reply status code was 401:\n{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700027: Client assertion contains an invalid signature. [Reason – The key used is expired., Thumbprint of key used by client: ‘C2FA453DD43C16E584868C1C762DC91EBEC63232’, Found key ‘Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘a16df9d0-f012-45ae-8a92-1d0ad72e045e’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/].\\r\\nTrace ID: 932-2ba8-4098-813e-05a2900\\r\\nCorrelation ID: 66a070fe-6ae4-4a25-ad3f-\\r\\nTimestamp: 2021-09-01 14:32:07Z\",\"error_codes\":[700027],\"timestamp\":\"2021-09-01 14:32:07Z\",\"trace_id\":\"932e7194-2ba8-4098-813e-343df05a2900\",\"correlation_id\":\"-4a25-ad3f-160f98c9fd9e\",\"error_uri\":\"https://login.windows.net/error?code=700027\"}"

Looking at the config, I also see the issue here: "Client assertion contains an invalid signature. [Reason – The key used is expired".

As I did not update the agent, the certificate expired. Makes sense.

But the device already has the new agent. So reconnect? But how?

Looking at the config, I see all the details of how the agent has been registered, the resource group, etc.

C:\ProgramData\AzureConnectedMachineAgent\Config

agentconfig.json

{"subscriptionId":"f34","resourceGroup":"AzureBackupRG_westeurope_1","resourceName":"Hyperv1201","tenantId":"0b1","location":"westus2","vmId":"9659193c-f4d8-4a77-b8f9baad507ce9a9","certificateThumbprint":"c2fa453dd43c16e584868c1c762dc91ebec63232","clientId":"0-f012-45ae-8a92-1045e"}
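The comparison made by eye above (the expired-key error in the agent log against the certificateThumbprint in agentconfig.json) can be scripted. This is an added example, not code from the original post or from Microsoft: the function name Get-ArcExpiredKeyEvent, the sample log lines and the sample config are constructed, and it assumes the key dates in the error are UTC in MM/dd/yyyy format.

```powershell
# Added example (not from the original post). All sample data below is constructed.

# Constructed log lines in the shape of the agent log entry shown in the post.
$sampleLog = @'
time="2021-09-01T16:32:07+02:00" level=debug msg="Awaiting status message from agent"
time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: reply status code was 401: AADSTS700027: Client assertion contains an invalid signature. [Reason - The key used is expired., Thumbprint of key used by client: '0123456789ABCDEF0123456789ABCDEF01234567', Found key 'Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00', ...]"
'@ -split "`r?`n"

# Constructed agentconfig.json content (placeholder names, same thumbprint in lower case).
$sampleConfig = @'
{"resourceGroup":"rg-example","resourceName":"server01","location":"westus2","certificateThumbprint":"0123456789abcdef0123456789abcdef01234567"}
'@

function Get-ArcExpiredKeyEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LogLine,
        [Parameter(Mandatory)][string]$AgentConfigJson
    )

    $config  = $AgentConfigJson | ConvertFrom-Json
    $culture = [cultureinfo]::InvariantCulture
    $format  = 'MM/dd/yyyy HH:mm:ss'   # assumption: US-style dates, UTC

    # Accept straight or typographic single quotes around the quoted values.
    $q = "['\u2018\u2019]"
    $errorPattern = "AADSTS700027.*?Thumbprint of key used by client: ${q}(?<thumb>[0-9A-Fa-f]{40})${q}" +
                    ".*?Start=(?<start>[^,]+), End=(?<end>[\d/: ]+)"

    foreach ($line in $LogLine) {
        if ($line -match $errorPattern) {
            # Copy the captures first; the next -match overwrites $Matches.
            $thumb = $Matches['thumb']
            $start = [datetime]::ParseExact($Matches['start'].Trim(), $format, $culture)
            $end   = [datetime]::ParseExact($Matches['end'].Trim(), $format, $culture)

            $loggedAt = $null
            if ($line -match '^time="(?<ts>[^"]+)"') {
                $loggedAt = [datetimeoffset]::Parse($Matches['ts'], $culture)
            }

            [pscustomobject]@{
                LoggedAt          = $loggedAt
                LogThumbprint     = $thumb
                ConfigThumbprint  = $config.certificateThumbprint
                # -eq on strings is case-insensitive, so upper/lower case hex compares equal.
                SameCertAsConfig  = ($thumb -eq $config.certificateThumbprint)
                KeyValidFrom      = $start
                KeyValidTo        = $end
                ExpiredWhenLogged = ($null -ne $loggedAt -and $loggedAt.UtcDateTime -gt $end)
            }
        }
    }
}

# On a real machine, pass the agent log lines (Get-Content) and the raw
# agentconfig.json text (Get-Content -Raw) instead of the samples.
Get-ArcExpiredKeyEvent -LogLine $sampleLog -AgentConfigJson $sampleConfig | Format-List
```

When SameCertAsConfig and ExpiredWhenLogged are both true, the agent is still presenting the certificate recorded at registration and that certificate has lapsed, which is the situation the reconnect below resolves.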

Let me open PowerShell; maybe I can get more details and reactivate the agent.

With the azcmagent command you can get more details.

Let me get all the logs:

azcmagent logs

Now we have all the logs in a zip file; this could be handy for next time.

I reconfigure the agent with the following command:

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group "AzureBackupRG_westeurope_1" --tenant-id "your tenant id" --location "westus2" --subscription-id "errryh934" --verbose

With the reconnect we need to log in again, and all goes well.

But in the logging there is suddenly another error.

When looking here, I see there is an Azure Policy that demands a tag, and this is currently not available on the resource group. So I can’t onboard my Azure Arc server.

I thought this was about an agent with an expired certificate.

It seems there is an Azure Policy that is blocking, as hyperv1201 has no tags set and mvpdc02 has only a tag set.

After a quick change I reran the command line and it worked perfectly, and the server showed up in the console again.

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group "MVPRSG-Azure-Arc" --tenant-id "3078684f-d143-440a-ae40-d391a79950b1" --location "West US 2" --subscription-id "df1e2f32-7adf-48f6-b969-f02376152934" --verbose


Starting client connection on: \\\\.\\pipe\\himds"
time="2021-09-01T17:12:53+02:00" level=debug msg="Awaiting status message from agent…"
time="2021-09-01T17:12:53+02:00" level=debug msg="Status Message received"

As I have a second machine with the same issue, I removed the machine directly in the Arc portal and reran the registration, as the agent was also already installed. (This would be the quick fix for this.)

Perfect: reconnecting and waiting for the agent.

Now I can look at the Azure Arc Insights again.


Azure Firewall and starting with Azure Firewall Manager step away from Classic #Azure #Firewall #classic #policy #security #AVD

In Azure there are multiple options to add a firewall to your Azure landing zone. The standard Azure Firewall comes with an option for Classic or Firewall Policy, and there is a good chance that you already have an Azure Firewall Classic; in that case you can migrate to a Premium SKU. See the link for the process: https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011

Azure Firewall pricing

https://azure.microsoft.com/en-us/pricing/details/azure-firewall?WT.mc_id=AZ-MVP-4025011

Azure Firewall Standard

  • Stateful firewall as a service
  • Built-in high availability with unrestricted cloud scalability
  • Centralized network and application level connectivity policy
  • Threat intelligence-based filtering
  • Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways

Azure Firewall Premium (Public Preview)

  • Built-in TLS Inspection for customer’s selected encrypted applications
  • Ability to detect and block malicious traffic through advanced IDPS engine
  • Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
  • Web Categories provide enhanced content filtering capabilities
  • IDPS signatures and Web categories are fully managed and constantly updated

Initially I set up an Azure Firewall Premium.

Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.

As you can see, there is an option for Standard or Premium, and to use the Firewall Policy or Classic. In Premium there is no Classic any more; the only option is Firewall Policy.

When choosing Premium, the firewall management option is grayed out.

As I already have some firewall policies, I can attach these to my new firewall right away. This is one of the great options: in Firewall Manager you can create firewall policies without having an Azure Firewall running, so you can already prepare the landing zone with all kinds of rules.

Keep in mind that the firewall must be in the same resource group as your vnet.

Setting up an Azure Firewall with PowerShell is easy, but you need to have the resources already in place.

# Create the firewall
$Azfw = New-AzFirewall `
    -Name $FirewallName `
    -ResourceGroupName $rgNamevnet `
    -Location $Location `
    -VirtualNetworkName $VnetName `
    -PublicIpName $pip01 `
    -SkuTier Premium

Now that the firewall is created, we can see the policies attached in Firewall Manager.

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types:

Secured virtual hub

An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

Hub virtual network

This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.

Azure Firewall Premium Preview in the Azure portal | Microsoft Docs

So now the firewall is in place. We already had a policy attached, but you can change that really quickly.

Go to the Firewall blade; here you can see the policy and change it directly.

Or, if you go to Firewall Manager and select the virtual networks, you can see a good overview of where and what is attached to the vnet.

Remember the firewall needs to be in the same resource group as your network, and there also comes the hard part if you want to switch policies.

Looking at the firewall policies, from here you can add them to a hub or a vnet.

Here you see an overview of the firewall policies.

When associating a policy with a vnet or multiple vnets, we get a good overview of what is available and what is not.

Adding the policy to a network.

The Firewall Manager blade with all the rules and options.

You can add rule collection groups and rule collections. A rule collection group can hold multiple rule collections. I would advise you to build these collections, as it is really handy if you later want to change an item, or want to export a collection and import it into a different collection group.

Also new are the application rules; here you can set web categories that are allowed or denied.

Using the application rules with the internet categories is still in preview, but it is a great addition for Azure Virtual Desktop #AVD.

The web categories are easily selectable as the destination type; then select one or multiple categories.

Remember the naming if you want to find this later in your rules; keep it clean and neat.

Keep in mind that when you select multiple categories, the name field should reflect that as well.
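The rule collection group, rule collections and web-category application rule described above can also be built with Az PowerShell before any firewall exists. This is an added example, not the author's own script; the resource names, address range, FQDN and the 'Gambling' category are assumed sample values.

```powershell
# Added example (not from the original post). Names, ranges and categories are assumptions.
$rg       = 'rg-fw-demo-weu-01'   # hypothetical resource group
$location = 'westeurope'
$avdHosts = '10.10.0.0/24'        # hypothetical AVD session host subnet

# The policy can be created and filled without any Azure Firewall running.
$policy = New-AzFirewallPolicy -Name 'fwpol-avd-weu-01' `
    -ResourceGroupName $rg -Location $location -SkuTier Premium

# Derive the rule name from the selected categories so the rule stays findable later.
$blocked  = @('Gambling')         # sample value; use the category names the portal lists
$denyName = 'deny-web-' + (($blocked | ForEach-Object { $_.ToLower() }) -join '-')

# Application rule that matches on web categories instead of FQDNs.
$denyRule = New-AzFirewallPolicyApplicationRule -Name $denyName `
    -SourceAddress $avdHosts -Protocol 'http:80','https:443' -WebCategory $blocked

# Ordinary FQDN-based application rule for comparison.
$allowRule = New-AzFirewallPolicyApplicationRule -Name 'allow-fqdn-microsoft-docs' `
    -SourceAddress $avdHosts -Protocol 'https:443' -TargetFqdn 'docs.microsoft.com'

# One rule collection per action; the lower priority number is evaluated first.
$denyColl  = New-AzFirewallPolicyFilterRuleCollection -Name 'rc-app-deny-webcategories' `
    -Priority 100 -Rule $denyRule -ActionType Deny
$allowColl = New-AzFirewallPolicyFilterRuleCollection -Name 'rc-app-allow-fqdn' `
    -Priority 200 -Rule $allowRule -ActionType Allow

# The rule collection group holds both collections and belongs to the policy.
New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-avd-sessionhosts' -Priority 300 `
    -RuleCollection $denyColl, $allowColl -FirewallPolicyObject $policy
```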

Removing the firewall does not mean that you will lose the policies, and removing a policy does not mean you lose the firewall, unless…

Keep in mind that when you remove a policy and tick the little checkbox, the firewall will be removed as well. If the policy is attached to multiple vnets, the firewall deletion may fail because there is still a policy attached.

Overall, Firewall Manager is a great step towards modern security management in Azure. There are multiple items that I could wish for in Firewall Manager, like management of all the NSGs (how nice would that be) and traffic logging. One thing is clear: Azure is getting better and better, and it is true that the more options we get, the more complex the things we build. That's fine; it keeps me off the streets and my work never gets boring.

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

 

Step by Step Create a User P2S VPN using Azure Secured Virtual Hub and Azure Active Directory #SDWAN #Azure #Secure

There are multiple ways to set up a VPN and to connect to it. In this blog I use an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.

When connecting to your Virtual Hub over the IKEv2 protocol, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication.

I will use OpenVPN with Azure Active Directory authentication. Remember this is only supported on Windows 10, as you will need the Azure VPN client from the Microsoft Store.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

To give the VPN application the proper permissions, you first need to register the application in your Azure AD.

Below is the default URL that can be used to trigger the registration. Use an account with the proper rights to create an enterprise app in your Azure AD.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Sign in with the proper credentials.

Using the wrong account will end up in:

AADSTS50020: User account  from identity provider ‘live.com’ does not exist in tenant ‘Microsoft’ and cannot access the application ‘4b4′(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Once accepted, you will be redirected to the Azure portal.

In the Azure portal, go to Azure Active Directory, then Enterprise applications | All applications, and search for Azure VPN.

Now that the basics are in place, we can configure our User VPN (point-to-site) profile. The following information is needed.

Go to your Virtual WAN and select the User VPN configuration.

Create User VPN (I noticed while writing this blog post that the screens may differ, as the portal changed its layout.)

  • Configuration name – Enter the name you want to call your User VPN Configuration.
  • Tunnel type – Select OpenVPN.
  • Authentication method – Select Azure Active Directory.
  • Audience – Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
  • Issuer – https://sts.windows.net/tenantID/
  • AAD Tenant – https://login.microsoftonline.com/TenantID

Select OpenVPN.

Go to Azure Active Directory > Properties and grab the Tenant ID.

Set the switch to Yes and new fields will open.

(The number is your tenant ID.)
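The same User VPN configuration can be scripted. This added example (not part of the original post) builds the three Azure AD values in the format listed above from a tenant ID and passes them to New-AzVpnServerConfiguration; the helper function, resource group, configuration name and region are assumptions.

```powershell
# Added example (not from the original post). Resource names and region are assumptions.
function New-AadVpnAuthSettings {
    # Hypothetical helper: returns the Tenant, Issuer and Audience strings for OpenVPN with Azure AD.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        # Application ID of the Azure VPN enterprise application (the client_id in the consent URL above).
        [string]$Audience = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'
    )

    # Reject anything that is not a GUID, for example a tenant domain name pasted by mistake.
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$parsed)) {
        throw "TenantId '$TenantId' is not a GUID. Copy it from Azure Active Directory > Properties."
    }
    $id = $parsed.ToString()

    [pscustomobject]@{
        AadTenant   = "https://login.microsoftonline.com/$id"   # no trailing slash
        AadIssuer   = "https://sts.windows.net/$id/"            # trailing slash is part of the issuer
        AadAudience = $Audience
    }
}

# Use the tenant of the current Az session; replace it if the VPN users live in another tenant.
$tenantId = (Get-AzContext).Tenant.Id
$aad      = New-AadVpnAuthSettings -TenantId $tenantId

# Create the User VPN configuration with OpenVPN and Azure AD authentication.
$vpnConfig = New-AzVpnServerConfiguration `
    -ResourceGroupName 'rg-vwan-demo-weu-01' `
    -Name 'uservpn-aad-weu-01' `
    -Location 'westeurope' `
    -VpnProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenant $aad.AadTenant `
    -AadIssuer $aad.AadIssuer `
    -AadAudience $aad.AadAudience

# Show what was stored so it can be compared with the portal fields.
$aad | Format-List
```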

Now that the user VPN profile is created, we can configure the hub and create the P2S VPN. Select your hub.

Select User VPN (point to site) and select Create.

When creating the VPN gateway, you need to select the user VPN profile you just created.

Select a proper IP subnet and, if needed, a DNS server for the workload in that network.

Updating a hub can take 30 minutes or more.

Download the User VPN profile, as we need this on the Windows 10 client later.

Use the VPN profile to configure your clients.

  1. On the page for your Virtual WAN, click User VPN configurations.
  2. At the top of the page, click Download user VPN config.
  3. Once the file has finished creating, you can click the link to download it.
  4. Use the profile file to configure the VPN clients.

To download the Azure VPN client on your Windows 10 test device, use this link to download the Azure VPN Client.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Open the VPN client; you can add a new VPN or import a connection.

To import the connection, we need the zip file we just downloaded. Extract it; in the AzureVPN folder there is an XML file that holds the VPN configuration.

 

If anything goes wrong with the import, it is 99% your pbk file.

Go to the following folder and delete the files. This will probably also remove your other VPN connections, if you had any.

%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

C:\Users\admin\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState

Now the import has worked and you are ready to connect to the VPN in Azure.

Use your Azure AD credentials or your FIDO2 key.

Now we are fully connected to the Secure Virtual WAN in Azure.

It can take some time to see your connection in the portal.

As shown above, this is all easy to set up, but I already see the question: yes, but I need to do this on 5000 Windows 10 devices.

Microsoft Endpoint Management is your best friend.

Deploy VPN with Microsoft Endpoint Management

We create a Custom template and do not select the VPN option, as that option is not for uploading the XML.

In our custom settings we add the following settings:

  • Name: Enter a name for the configuration.
  • Description: Optional description.
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/demo01_hub-weu/azurevpnconfig.xml (this information can be found in the azurevpnconfig.xml file in the tag Name).
  • Data type: String (XML file).

Now that this is done, we can create some assignments and test this on the pilot group.

As you can see, there are a few steps involved and they are linked together.


Distributed Application Runtime Dapr version 1.0 #Dapr #Azure #Kubernetes #DevOps #Developers #Microservices #AzOps

Dapr is an open source, portable, event-driven runtime that makes it easy for developers to build resilient, microservice stateless and stateful applications that run on the cloud and edge. Dapr embraces the diversity of all programming languages and developer frameworks and simplifies building applications.

https://docs.dapr.io/getting-started/

Dapr building blocks

 

  • Service Invocation – Resilient service-to-service invocation enables method calls, including retries, on remote services wherever they are running in the supported hosting environment.
  • State management – With state management for key/value pairs, long running, highly available, stateful services can be easily written, alongside stateless services in the same application. The state store is pluggable and can include Azure Cosmos or Redis, with others such as AWS DynamoDB on the component roadmap.
  • Publish and subscribe messaging between services – Publishing events and subscribing to topics between services enables event-driven architectures to simplify horizontal scalability and make them resilient to failure.
  • Event driven resource bindings – Resource bindings and triggers build further on event-driven architectures for scale and resiliency by receiving and sending events to and from any external resources such as databases, queues, file systems, blob stores, webhooks, etc. For example, your code can be triggered by a message on an Azure EventHub service and write data to Azure CosmosDB.
  • Virtual actors – A pattern for stateless and stateful objects that make concurrency simple with method and state encapsulation. Dapr provides many capabilities in its virtual actor runtime including concurrency, state, life-cycle management for actor activation/deactivation and timers and reminders to wake up actors.
  • Distributed tracing between services – Easily diagnose and observe inter-service calls in production using the W3C Trace Context standard and push events to tracing and monitoring systems.

 


 

You can read more about Dapr at http://dapr.io, get started with code and samples at https://github.com/dapr/dapr and reach out on gitter.im/Dapr or Twitter @daprdev.

 

Getting started with Dapr is easy; you can start with the few steps described below.

How to get up and running with Dapr in minutes

The steps in this guide are:

  1. Install the Dapr CLI
  2. Initialize Dapr
  3. Use the Dapr API
  4. Configure a component
  5. Explore Dapr quickstarts

 

 

powershell -Command "iwr -useb https://raw.githubusercontent.com/dapr/cli/master/install/install.ps1 | iex"
 
It is important to close the PowerShell window and reopen it, otherwise the module won’t be active.

Open PowerShell and type dapr:


dapr

         __
    ____/ /___ _____  _____
   / __  / __ ‘/ __ \/ ___/
  / /_/ / /_/ / /_/ / /
  \__,_/\__,_/ .___/_/
              /_/

======================================================
A serverless runtime for hyperscale, distributed systems

Usage:
  dapr [command]

Available Commands:
  completion     Generates shell completion scripts
  components     List all Dapr components
  configurations List all Dapr configurations
  dashboard      Start Dapr dashboard
  help           Help about any command
  init           Setup dapr in Kubernetes or Standalone modes
  invoke         Invokes a Dapr app with an optional payload (deprecated, use invokePost)
  invokeGet      Issue HTTP GET to Dapr app
  invokePost     Issue HTTP POST to Dapr app with an optional payload
  list           List all Dapr instances
  logs           Gets Dapr sidecar logs for an app in Kubernetes
  mtls           Check if mTLS is enabled in a Kubernetes cluster
  publish        Publish an event to multiple consumers
  run            Launches Dapr and (optionally) your app side by side
  status         Shows the Dapr system services (control plane) health status.
  stop           Stops multiple running Dapr instances and their associated apps
  uninstall      Removes a Dapr installation

Flags:
  -h, --help      help for dapr
      --version   version for dapr

Use "dapr [command] --help" for more information about a command.
subcommand is required

 
 
dapr init
 

PS C:\Windows\system32> dapr init
Making the jump to hyperspace…
Downloading binaries and setting up components…
Unable to find image 'openzipkin/zipkin:latest' locally
latest: Pulling from openzipkin/zipkin
docker: no matching manifest for windows/amd64 10.0.17763 in the manifest list entries.
See 'docker run --help'.

 
 
 

Quickstarts and Samples

 
You can try out the Dapr quickstarts right here to begin your own personal journey into Microservices on Azure. 
 
 
 


Windows Virtual Desktop metadata now available in West Europe #WVD #Azop #Azure #VDI #CloudComputing #metadata

 

When creating a new Windows Virtual Desktop I noticed that the metadata locations are now also available in Europe.

When creating a new WVD host pool you can select the metadata location. This is a great option, as many customers ask me why this is in a non-Europe location and whether it can be changed.

Well, there are now 2 Europe locations.

Creating a new host pool.

An overview of the host pools, now also with one in Europe.

Metadata will be stored in Azure geography associated with (Europe) West Europe

However, not everything is updated yet.

Source : Azure Products by Region | Microsoft Azure

 

Changing the host pool location with Update-AzWvdHostPool is not possible.

The -Location option is not a valid option.

It is nice to see that the metadata is stored in Europe, and with this Windows Virtual Desktop is getting better and better all the time.


How to change Azure Public IP SKU upgrade Basic to Standard #Azure #IP #SKU #Blog

Azure public IP addresses now support the ability to be upgraded from Basic to Standard SKU.  Additionally, any Basic Public Load Balancer can now be upgraded to a Standard Public Load Balancer, while retaining the same public IP address.  So what could be the reason to change the SKU?

First, the differences and the price of Standard and Basic.

Standard

Standard SKU public IP addresses:

  • Always use static allocation method.
  • Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.
  • Secure by default and closed to inbound traffic. Allow list inbound traffic with a network security group.
  • Assigned to network interfaces, standard public load balancers, or Application Gateways. For more information about Standard load balancer, see Azure Standard Load Balancer.
  • Can be zone-redundant (advertized from all 3 zones) or zonal (can be created zonal and guaranteed in a specific availability zone). To learn more about availability zones, see Availability zones overview and Standard Load Balancer and Availability Zones. Zone redundant IPs can only be created in regions where 3 availability zones are live. IPs created before zones are live will not be zone redundant.
  • Can be used as anycast frontend IPs for cross-region load balancers (preview functionality).

Cost of single IP Sample


Basic

All public IP addresses created before the introduction of SKUs are Basic SKU public IP addresses.

With the introduction of SKUs, specify which SKU you would like the public IP address to be.

Basic SKU addresses:

  • Assigned with the static or dynamic allocation method.
  • Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.
  • Are open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.
  • Assigned to any Azure resource that can be assigned a public IP address, such as:
    • Network interfaces
    • VPN Gateways
    • Application Gateways
    • Public load balancers
  • Don’t support Availability Zone scenarios. Use Standard SKU public IP for Availability Zone scenarios. To learn more about availability zones, see Availability zones overview and Standard Load Balancer and Availability Zones.

Cost of single IP Sample

With this, Standard seems to have more and better options, but it is 1 euro more expensive. So you could think: always use Standard. But a public IP address is assigned to the VPN gateway to enable communication with the remote network, and you can only assign a dynamic Basic public IP address to a VPN gateway.

So it really depends on what you want to use. Suppose you start with Basic and need Standard: you can now change this with PowerShell or the CLI, but not in the GUI.

Limitations

  • In order to upgrade a Basic Public IP, it cannot be associated with any Azure resource. Please review this page for more information on how to disassociate public IPs. Similarly, in order to migrate a Reserved IP, it cannot be associated with any Cloud Service. Please review this page for more information on how to disassociate reserved IPs.
  • Public IPs upgraded from Basic to Standard SKU will continue to have no availability zones and therefore cannot be associated with an Azure resource that is either zone-redundant or zonal. Note this only applies to regions that offer availability zones.
  • You cannot downgrade from Standard to Basic.

My freshly created IP is called demo; we change it to a Standard IP address.

We use the portal to run some PowerShell commands.

## Variables for the command ##
$rg = "rg-demo-weu-01"
$name = "demo"
$newsku = 'Standard'
$pubIP = Get-AzPublicIpAddress -name $name -ResourceGroupName $rg

Basic resource group and IP address name.


## This section is only needed if the Basic IP is not already set to Static ##
$pubIP.PublicIpAllocationMethod = 'Static'
Set-AzPublicIpAddress -PublicIpAddress $pubIP


 

## This section is for conversion to Standard ##
$pubIP.Sku.Name = $newsku
Set-AzPublicIpAddress -PublicIpAddress $pubIP

 


The fixed IP address SKU changed from Basic to Standard.  Remember there is no option to undo this.

Now testing with an IP that is in use and connected to a VM (this VM is currently deallocated), as these changes can only be done offline.

With this, the resource changed from Basic to Standard.

If you try to undo this, you get the following message:

Set-AzPublicIpAddress -PublicIpAddress $pubIP

Set-AzPublicIpAddress: Sku property is set at creation time and cannot be changed from Standard to Basic on resource update for resource

 

Changing the SKU is a nice option, that way you can keep the IP and lift the needed options with zero downtime.

 

 


Step by Step Azure Stack Edge – Azure Data Box Gateway for a Hybrid Cloud #Azure #AzureDataBox #Cloud #Storage #MVPBuzz #WiMVP

Azure Data Box Gateway: what is the difference between Azure File Sync, an Azure file share, or even a StorSimple, and now a Data Box? As you may know, an Azure Data Box is the ultimate device to bring data fast to the Azure cloud.

This blog was long pending, as I did many Azure migrations and new stuff came up every time.  Now that there is an Azure Data Box Gateway that you can run on your favorite hypervisor, Hyper-V, you can create a virtual instance to bring your data to an Azure storage account. Nowadays there is a lot of overlap in products.

  • Azure Files (Sync) syncs your data to an Azure storage account – auto sync.
  • Azure Files uses net use to connect to a storage account – manual copy, writes directly to Azure.
  • StorSimple (old but still seen in the wild)
  • Azure Data Box Gateway

One of the primary advantages of Data Box Gateway is the ability to continuously ingest data into the device to copy to the cloud, regardless of the data size. Keep in mind this is not a file server replacement, but my first impression is that this could replace a StorSimple, although that may not be the goal for it, as you could run a virtual StorSimple.

As the data is written to the gateway device, the device uploads the data to Azure Storage. The device automatically manages storage by removing the files locally while retaining the metadata when it reaches a certain threshold. Keeping a local copy of the metadata enables the gateway device to only upload the changes when the file is updated. Keep in mind the Azure Storage account limits https://docs.microsoft.com/nl-nl/azure/databox-online/data-box-gateway-limits#azure-object-size-limits

There is a thin line between the products, and I must say I was impressed by the speed of the upload: it was fast and I could use the whole bandwidth.

So let us start building.

To create any Azure Stack Edge / Data Box Gateway resource, you should have permissions as a contributor (or higher) scoped at resource group level. You also need to make sure that the DataBoxEdge provider is registered.

In the Azure portal we go to the Data Box Gateway.

Choose Add to create a new box. Below is the Data Box blade, not the Gateway option.

Selecting the Data Box Gateway gives you the option to select the hypervisor; this option is not available in the Data Box.

I used the hypervisor.

Here we pick the Data Box Gateway. The cost is $105 per month, not a big price.

We create a resource group, as for all Azure resources, and pick a location.

Subscription: PAYG-Azure Sponsorship
Resource group: rg-databox-gw-001
Name: mvp-databox-gateway-001
Region: West Europe

With the details above, the setup in Azure is easy.

Now that the Azure Data Box Gateway is bought in the Marketplace, we can set up the device. First we need to download the VHDX file for our VM.

So we download the 5GB image and use this on our Hyper-V server.

On the Download image tile, select the virtual device image corresponding to the operating system on the host server used to provision the VM. The image files are approximately 5.6 GB.

Extract the file and use the VHDX in a Gen 2 VM.

Some basic specs for the VM.

I played with the settings a bit to see if I could lower the VM’s specs. You will see that later in a screenshot.

You may have to wait 10-15 minutes for the device to be ready. A status message is displayed on the console to indicate the progress. After the device is ready, go to Action. Press Ctrl + Alt + Delete to sign in to the virtual device.

The default user is EdgeUser and the default password is Password1.

Use Password1 as the default password.

As you can see, I used 1 CPU and the setup stopped, so I changed it to 8 CPUs and 8 GB memory.

Now that the VM is set up, we can go to the management page that runs on the IP.

 

 

Sign in using the default password Password1.

Change the password to something that you can remember.

There are not many settings that you can change here, such as the time and IP, or stopping or rebooting the device; the configuration is done from the Azure portal.

The one thing that is needed is to activate the VM.

In the portal you can set the name and get the key.

Generate a key, and use the key vault name if you lose the key.

When the device is activated with the key, the device is live!

There are 3 modes for the device; I used the fully connected setting.

There are some diagnostics in the VM, and for now it all looks good.

Our next steps are creating a share and an extra user, and testing some performance.

We add a user that can be used to connect to the share, as it is not AD or AADDS.

Our next step is to create a share.

Make sure the storage account where the files need to land is already created.

In the Azure portal, select your Data Box Gateway resource and then go to Overview. Your device should be online. Select + Add share on the device command bar.


You’re notified that the share creation is in progress. After the share is created with the specified settings, the Shares tile updates to reflect the new share.

Connect to the SMB share

On your Windows Server client connected to your Data Box Gateway, connect to an SMB share by entering the commands:

  1. In a command window, type:

    net use \\<IP address of the device>\<share name> /u:<user name for the share>

    Enter the password for the share when prompted.


net use * \\192.168.1.96\agwfiles001 /u:mvpadmin

Now that the device is up and running, we can push some data to the cloud. The gateway is the man in the middle: the extra drive holds the files, which are then transferred to Azure.

I had no limit set and I was surprised that it could eat the full line. This makes it more fun.

Just a few files to test, but I need more files to test this. And let me set some bandwidth limits.

Setting a limit of 200 Mbps did limit the speed.

I think I need to look and play a bit more, as the 200 Mbps is not really working; it is more that I still have 200 Mbps left over. But there is a schedule, and that is really nice, so these files or backups can be transferred in the night hours at high speed.

Now back to no limit.

Yep, it is working, and I think I need a bigger internet line. Remember this image?

If we had Azure in those days

Deleting the files from the gateway did not remove the files from the storage account, which then serves as a nice archive. If you need to copy a large amount of files, then this is a great solution and cheaper than the big Data Box.

Some extra links to Azure Data migration

Azure Migration Center


 

How to create an Azure Windows Server FCI File Cluster If you don’t want to use Azure Files. #Winserv #Azure #Azurefiles #netapp #oldskool

In the past I wrote a lot of how-to posts about building things on a cluster or troubleshooting them; I can’t think of anything I did not put on a cluster. But with Azure this whole workload became a thing of the past.

It feels a bit as if Windows Server FCI is a legacy feature, but is it? Well, lots of things still use it and not everyone is in the cloud.

But what if you still want to build a cluster in Azure? Yes, SQL AlwaysOn is still a good and valid option. But what about a failover file server, or some other easy workload? Well, in this blog I show you how to build this cluster, and the workload is up to you. For a long time it was not possible to create an FCI in Azure, as there were no shared disks available, and if you wanted to build an FCI you needed some extra software from SIOS.  https://us.sios.com/

In this post I create a two-node failover cluster (FCI) with a file server role.

So what do we need to build a cluster in Azure?

  • Two Windows Server 2019 VMs
  • At least one shared premium disk
  • Azure internal load balancer
  • Some time

Building the 2 VMs and joining them to the domain needs no explanation. If you need help, just post a comment and I will help.

Two Azure VMs; mine are deallocated for now for a reason, as we need to adjust the disk and this can only be done when the VM is deallocated.

This is just a basic VM with one network card, but make sure you choose a SKU that supports Premium SSD! Without that it won’t run, and size does matter.

In my created VM I use a 256 GB disk. I may not need this size, but it is the minimum supported disk for creating a cluster.

Enabling shared disks is only available to a subset of disk types. Currently only ultra disks and premium SSDs can enable shared disks. Each managed disk that has shared disks enabled is subject to the following limitations: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disks-shared?WT.mc_id=AZ-MVP-4025011

As you can see, there is a maxShares list. For each disk, you can define a maxShares value that represents the maximum number of nodes that can simultaneously share the disk. For example, if you plan to set up a 2-node failover cluster, you would set maxShares=2. The maximum value is an upper bound. Nodes can join or leave the cluster (mount or unmount the disk) as long as the number of nodes is lower than the specified maxShares value.

The maxShares value can only be set or edited when the disk is detached from all nodes; that is why my VMs are deallocated for now.

How do you create such a shared disk? There are multiple ways: create the disk in the disk blade or run a PowerShell script; it’s all up to you.

Creating the disk in the portal is quick and easy, but it can also be done with an ARM template, PowerShell or a CLI script. Personally I often use PowerShell instead of ARM.

In the Advanced options you can enable the shared disk setting.

There is no other GUI method that can set this.

If you have already created this disk and added it to a node, you can create another disk on that node. But remember that this does not enable the maxShares option.

A resize does not help you.

There is no option to set this afterwards in the portal, keep that in mind. You can only set it with PowerShell.

Sample idea, in my case:

$vmDisks1 = Get-AzDisk -ResourceGroupName rg-cluster01 -DiskName demo01
# maxShares can only be changed while the disk is detached from every VM
$vmDisks1.MaxShares = 2
$vmDisks1 | Update-AzDisk

As the error shows, the disk needs to be detached from all machines!

OK, now the disk has been changed or recreated and has the setting maxShares=2.

We first go to node001 and add the disk to that node.

Make sure you attach the same disk to both nodes, as this disk was configured as a shared disk.

Keep in mind that creating the disk here does not enable maxShares.

Now on the second node we add the same disk. As it is a shared disk, you can see that one share is now used and one share is open. And remember, the VMs need to be deallocated!

Now that the disk has been added to both nodes, we can start to build our cluster.
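The whole shared-disk procedure above (create or fix maxShares, then attach the same disk to both nodes) as one script. This is an added example, not code from the original post: it reuses the post's names (rg-cluster01, demo01, node001, node002), while the region, the LUN and the helper function Test-DiskDetached are assumptions made for illustration.

```powershell
# Added example. Requires the Az.Compute module and a signed-in session.
$rg       = 'rg-cluster01'
$diskName = 'demo01'
$location = 'westeurope'          # assumption: the region of your cluster VMs
$nodes    = 'node001', 'node002'
$lun      = 0                     # assumption: LUN 0 is free on both VMs

function Test-DiskDetached {
    # Hypothetical helper: a disk is detached when no VM is listed as owner.
    param($Disk)
    return (-not $Disk.ManagedBy) -and (-not $Disk.ManagedByExtended)
}

$disk = Get-AzDisk -ResourceGroupName $rg -DiskName $diskName -ErrorAction SilentlyContinue

if (-not $disk) {
    # New disk: maxShares can be set directly at creation time.
    $cfgParams = @{
        Location       = $location
        DiskSizeGB     = 256
        SkuName        = 'Premium_LRS'
        CreateOption   = 'Empty'
        MaxSharesCount = $nodes.Count
    }
    $cfg  = New-AzDiskConfig @cfgParams
    $disk = New-AzDisk -ResourceGroupName $rg -DiskName $diskName -Disk $cfg
}
elseif ($disk.MaxShares -lt $nodes.Count) {
    # Existing disk: the update is refused while any VM still holds the disk,
    # so check first and stop with a clear message.
    if (-not (Test-DiskDetached $disk)) {
        throw "Disk '$diskName' is still attached. Detach it from all VMs first."
    }
    $disk.MaxShares = $nodes.Count
    $disk = Update-AzDisk -ResourceGroupName $rg -DiskName $diskName -Disk $disk
}

# Attach the same managed disk to every node. Host caching stays off for a shared disk.
foreach ($name in $nodes) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $name
    if ($vm.StorageProfile.DataDisks.Name -contains $diskName) { continue }

    $attachParams = @{
        VM            = $vm
        Name          = $diskName
        CreateOption  = 'Attach'
        ManagedDiskId = $disk.Id
        Lun           = $lun
        Caching       = 'None'
    }
    $vm = Add-AzVMDataDisk @attachParams
    Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
}

# Read the disk back and report how many of the shares are in use.
$disk = Get-AzDisk -ResourceGroupName $rg -DiskName $diskName
'{0}: maxShares={1}, attached to {2} VM(s)' -f `
    $disk.Name, $disk.MaxShares, @($disk.ManagedByExtended).Count
```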

After the VMs are started we install the Failover Clustering and File Server features. See also my other cluster blogs: https://robertsmit.wordpress.com/2018/11/29/step-by-step-windows-server-2019-file-server-clustering-with-powershell-or-gui-cluster-ha-azure-windowsadmincenter-windowsserver2019/

Install-WindowsFeature -Name Failover-Clustering,File-Services -IncludeManagementTools

Or do this in the GUI, or run this from a domain member server, in my case the DC:

$nodes = ("node001","node002")
Invoke-Command $nodes {Install-WindowsFeature Failover-Clustering -IncludeAllSubFeature -IncludeManagementTools}

Building the cluster with the wizard is not the best method, as in this case we want to set some options that differ from the defaults.

The distributed network name (DNN) replaces the virtual network name (VNN) as the connection point when used with an Always On failover cluster instance on SQL Server VMs. This negates the need for an Azure Load Balancer routing traffic to the VNN, simplifying deployment, maintenance, and improving failover.

With an FCI deployment, the VNN still exists, but the client connects to the DNN DNS name instead of the VNN name.

Limitations

  • Currently, a DNN with FCI is supported only for SQL Server 2019 CU2 and later on Windows Server 2016 and later.
  • There might be more considerations when you’re working with other SQL Server features and an FCI with a DNN. For more information, see FCI with DNN interoperability.

https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/failover-cluster-instance-distributed-network-name-dnn-configure

A distributed server name as CNO is perfect for SQL workloads.

The big difference is that now the CNO is not a DNN:

New-Cluster -Name AzCluster001 -Node ("node001","node002") -StaticAddress 10.80.0.100 -NoStorage -ManagementPointNetworkType Singleton | Set-ClusterQuorum -NodeAndFileShareMajority \\RDSDC01\cluster

The static IP address that you assign to the CNO is not for network communication. Its only purpose is to bring the CNO online because of the dependency requirement. Therefore, you cannot ping that IP, cannot resolve the DNS name, and cannot use the CNO for management, since its IP is an unusable IP.

Now that we have created the cluster and set the file share witness, we can make the preparations for the file server.

Adding the disks

Before we move on, we first add an Azure internal load balancer. This is needed for access within the Azure subscription.

To create a load balancer we need the load balancer itself, and we configure the backend pool with a health probe tied to a load-balancing rule.

Creating a new load balancer is a quick process, but make sure you choose an Internal and a Standard one.

Also place this LB on the network where the cluster nodes are.

In the backend pool we add both VMs that are the cluster nodes.

Press Save and the cluster nodes are added to the load balancer.

In the load balancer we need to create a probe that checks the port. As we are using a file server, that is SMB traffic, so we use SMB port 445.

Set the interval to 10 seconds and you can keep the rest default. I changed the threshold to 31.

Last, we make a load balancer rule: give it a name and add the backend pool to it.

The health probe that we just created is also attached.

Keep the floating IP on disabled.

Now that the load balancer is in place we can create the file server role in the cluster. You can do all this in random order, but the PowerShell script at the end of this blog must run after you have configured all of this.

Doing this in the wizard or in PowerShell makes the difference here, as we need the file server based on a DNS record; that's why we made the Azure LB. We do this with PowerShell:

Add-ClusterFileServerRole -Storage "Cluster Disk 1" -Name FS01 -StaticAddress 10.80.0.211

Remember that this IP is the same IP that is used in the Azure load balancer!

But remember, that IP Address is the same unusable IP address as the CNO’s IP. (Cluster IP) You can use it to bring the resource online but that is not a real IP for network communication. If this is a File Server, none of the VMs except the owner node of this VCO can access the File Share.  The way Azure networking works is that it will loop the traffic back to the node it was originated from.  So it works only on the node where the resource is running.

Continuous availability is not supported in Azure.

Our next step is creating the file shares and testing the file server. Using the create file share option in the cluster does not work; create the file share on the node that holds the cluster disk. It may work for you now, but as soon as we have configured the rest it will not work any more!

Testing the file share on node 2, and it worked.

As you can see it works, BUT you can also see that I'm logged in to node 2 and testing from node 2. Moving the role to node 1 breaks the file server.

As Azure can't handle this, we need to implement a little fix in PowerShell.

Keep in mind that pinging the CNO or the VCO will not work, as the cluster needs an IP to start but the IP has no further function.

Get the cluster properties.

So the cluster is running and the file server is running, but you can only connect on the node where the file share is hosted. That is not how it should work.

We need to use the load balancer in Azure so that this IP address is able to communicate with other machines and carry the client-server traffic. This can only be done with PowerShell.

The load balancer is an Azure IP resource that can route network traffic to different Azure VMs. The IP can be a public-facing VIP, or internal only. Each VM needs to have the endpoint(s) so the load balancer knows where the traffic should go. In the endpoint, there are two kinds of ports. The first is a regular port and is used for normal client-server communications.

We used port 445 for SMB file sharing. The other kind of port is a probe port. The default port number for this is 59999. The probe port's job is to find out which is the active node that hosts the VCO (file server) in the cluster. The load balancer sends the probe pings over TCP port 59999 to every node in the cluster, by default every 10 seconds. When you configure a role in a cluster on an Azure VM, you need to find out what port(s) the application uses, because you will need to add the port(s) to the endpoint. Then you add the probe port to the same endpoint. After that, you need to update the parameters of the VCO's IP address to have that probe port. Finally, the load balancer will do the similar port-forward task and route the traffic to the VM that owns the VCO.

Setting this for our file cluster is the complicated part. If you have only one NIC it is easy: the default is Cluster Network 1.

The IP resource name can be found with Get-ClusterResource.

(A different IP, 150, is shown here, as I took the screenshot later and rebuilt this a couple of times for the blog.)

$ClusterNetworkName = "Cluster Network 1"
$IPResourceName = "IP Address 10.80.0.0"

# The IP address used in the load balancer; it should be the same as the one on the file server cluster role.

$ILBIP = "10.80.0.150"
$params = @{"Address"="$ILBIP";
          "ProbePort"="59999";
          "SubnetMask"="255.255.255.255";
          "Network"="$ClusterNetworkName";
          "OverrideAddressMatch"=1;
          "EnableDhcp"=0}
Get-ClusterResource $IPResourceName | Set-ClusterParameter -Multiple $params

Running this should set everything to work.

WARNING: The properties were stored, but not all changes will take effect until IP Address 10.80.0.211 is taken offline and then online again.

So I stopped the cluster and started it again.

A quick test on my domain controller and test server and it all worked.
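The warning only asks for the IP address resource to go offline and online again, so the change can also be applied by cycling just the file server role and then checking that the probe port answers on the owner node only. This is an added example, not code from the original post: the resource name and port are the post's values, and it assumes the Windows Firewall on the nodes allows inbound TCP 59999.

```powershell
# Added example. Run in an elevated session on one of the cluster nodes.
$IPResourceName = 'IP Address 10.80.0.0'   # from the post; list yours with Get-ClusterResource
$ProbePort      = 59999

$ipRes = Get-ClusterResource -Name $IPResourceName
$group = $ipRes.OwnerGroup.Name

# Never cycle the core cluster group: that IP belongs to the CNO, not to the role.
if ($group -eq 'Cluster Group') {
    throw "'$IPResourceName' belongs to the core cluster group, not to the file server role."
}

# 1. Show what Set-ClusterParameter stored.
$wanted = 'Address', 'SubnetMask', 'ProbePort', 'Network', 'OverrideAddressMatch', 'EnableDhcp'
$ipRes | Get-ClusterParameter |
    Where-Object { $_.Name -in $wanted } |
    Format-Table Name, Value -AutoSize

# 2. Apply the change by cycling only the role. Clients lose the share while it is offline.
Stop-ClusterGroup  -Name $group | Out-Null
Start-ClusterGroup -Name $group | Out-Null

# 3. Confirm the stored probe port is the one the load balancer probe should use.
$stored = ($ipRes | Get-ClusterParameter -Name ProbePort).Value
if ([int]$stored -ne $ProbePort) {
    throw "ProbePort is $stored, expected $ProbePort."
}

# 4. The probe listener exists only where the IP resource is online, so exactly one
#    node should answer. Expected: ProbePortOpen is True on the owner node only.
$owner = (Get-ClusterGroup -Name $group).OwnerNode.Name
$result = foreach ($node in (Get-ClusterNode).Name) {
    $test = Test-NetConnection -ComputerName $node -Port $ProbePort -WarningAction SilentlyContinue
    [pscustomobject]@{
        Node          = $node
        IsOwner       = ($node -eq $owner)
        ProbePortOpen = $test.TcpTestSucceeded
    }
}
$result | Format-Table -AutoSize

# 5. Fail loudly when the picture does not match: the load balancer would then
#    send SMB traffic to the wrong node or to no node at all.
$bad = $result | Where-Object { $_.IsOwner -ne $_.ProbePortOpen }
if ($bad) {
    throw "Probe port state does not match role ownership on: $($bad.Node -join ', ')"
}
```

Move the role to the other node with Move-ClusterGroup and run steps 4 and 5 again; the open port should follow the role.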

As you can see, it is rather complicated to run a file cluster in Azure, and the question is why? There are better options for this, such as NetApp Files:

https://robertsmit.wordpress.com/2019/08/01/starting-with-azure-netapp-files-is-it-better-than-storage-spaces-direct-in-azure-azure-netapp-storagespaces-s2d-diskspd-wvd-cloud-mvpbuzz-wimvp/

Or use Azure Files with Azure AD support:

Step By Step Azure Files share SMB with native AD support

https://robertsmit.wordpress.com/2020/05/11/step-by-step-azure-files-share-smb-with-native-ad-support-and-more-microsoft-azurefiles-smb-snapshotmanagement-azure-cloud-mvpbuzz-wimvp/

Sometimes you just need the cloud mindset and to step away from what you have. Life can get easier, with less management.

Thanks for your support, and if you use this let me know why with a quick post in the comments. Thanks!

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

 

PerfInsights self-help diagnostics tool in Azure Troubleshooting and reporting #Reports #Diskspd #performance #problems #Azure #Azurefiles #S2D

DiskSPD is a great tool and gives you a lot of detail on how fast the storage is and how it performs. With PerfInsights you get more info and a nice graphic. You also get some recommendations about the issues on the devices.

PerfInsights

PerfInsights is a self-help diagnostics tool that collects & analyzes the diagnostic data, and provides a report to help troubleshoot Windows virtual machine performance problems in Azure. PerfInsights can be run on virtual machines as a standalone tool, or directly from the portal by installing Azure Performance Diagnostics VM Extension.
If you are experiencing performance problems with virtual machines, before contacting support, run this tool. PerfInsights collects various information about the virtual machine, disks/storage pools configuration and performance logs such as:

  • System event logs
  • Network status for all incoming and outgoing connections
  • Task list for all applications currently running on the system
  • SQL Server database configuration settings and error logs (if the VM is identified as a server that is running SQL Server)
  • Storage reliability counters
  • Important Windows hotfixes
  • Installed filter drivers
  • Firewall Rules

Looking at the options, you can run /? or /List to get more info.

You can get started with the tool here:

  1. Download PerfInsights from https://aka.ms/PerfInsightsDownload
  2. Extract the content to a folder of your choice
  3. Open a CMD/PowerShell instance, browse to the folder where the binaries were extracted to and run: "PerfInsights.exe /r benchmark /AcceptDisclaimerAndShareDiagnostics"

This scenario runs the Diskspd benchmark test (IOPS and MBPS) for all drives that are attached to the VM.

With this you get the basic information and some insights. Playing with the options is the best way to get more insight into the performance.

While running, the tool reports the steps that are being tested.

Now that the tool has run, the output is a zip file with the captured data. This can be extracted, and there is an HTML file that opens the report. The zip files are stored in the root of the PerfInsights folder.

Opening the report brings you a detailed report.

Looking at the disk performance reports.

Showing the IOPS of the disk.

There is great info in the report, and it is often also used by Microsoft product support.

####################

# Not supported options!!

But looking at the tool I was curious about how it creates the DiskSpd reports and what the base values are.

In RuleEngineConfig.json you can find the DiskSpd test, and these were not my common settings: 8 KB block size and a 1 GB file.

This can be changed, but the file will be overwritten when the tool gets updated, as these settings should normally not be changed.

"$type": "Microsoft.Azure.Performance.Diagnostics.Contracts.DiskSpdRunnerConfiguration, Microsoft.Azure.Performance.Diagnostics",
      "Name": "DiskSpdRunner",
      "Enabled": false,
      "DatFilePath": "_diskSpd_test",
      "DatFileName": "testfile.dat",
      "DatFileSize": "1024M",
      "RunDurationSec": 90,
      "WarmupDurationSec": 30,
      "OSDiskRunSession": {
        "Enabled": true,
        "Runs": [
          {
            "Name": "IOPS",
            "Iterations": 3,
            "QueueDepth": 16,
            "WriteRatio": 100,
            "BlockSize": "8k"
          }

 

Besides the fact that this can be changed to get some great reports, some components are also turned off: "Enabled": true or "Enabled": false. Keep in mind that changing the settings also changes the output. The log files can get BIG!

It is a fun tool with some nice options to get a quick overview of the server.

Download PerfInsights from https://aka.ms/PerfInsightsDownload

 


Azure Migration Services – Easy Cloud Migration Services #Azure #Cloud #ASR #Migrate #azops #VMware #Database

This blog post is a bit long, sorry for this; there are tons of screenshots to give you more detail. This is all based on Hyper-V, but the same steps are there for VMware! I could have created two blog posts, one based on the assessment and one on the replication, but now you have all the details together.

Azure Migrate has been there for some time, and this tool makes your life easier when you want to migrate to Azure. It can migrate VMware or Hyper-V to Azure. The process is similar to the Azure Site Recovery process, but that is only for disaster recovery. In the old days it was also used for migration, but Azure Migrate is much more flexible, placing VMs on the existing network or on a different one. New functions are released every month: https://docs.microsoft.com/en-us/azure/migrate/whats-new

For this blog I used a Hyper-V server and some VMs that are migrated to an existing network in Azure. I also used two methods, one with Azure Migrate: Server Assessment and one with Azure Migrate: Server Migration. The big difference is that with Azure Migrate: Server Migration there is just a cutover with no upfront assessment; it creates a replica and places this in Azure.

In most initial migrations customers want lift and shift. This is the method if you want to move quickly to Azure. It is better to do a Server Assessment before the migration, or to rebuild the server on a new OS if needed.

Step 1: in the Azure portal, type Azure Migrate and check Assess and migrate.

I create a new project for this and create a new resource group, and I also choose the geo location.

Based on Hyper-V, we download the exported VM from the Azure portal and import this VM into the Hyper-V server.

Select the right platform. The migration process for VMware is similar to that for Hyper-V once the VM is connected to the portal.

We select the Hyper-V VM. In the preparation we choose to download the 9 GB migration appliance.

When doing this on a migration server directly you get a warning that IE is not supported anymore. I used Edge Chromium instead, as the connections with IE failed, so a better browser is needed. Get Edge: https://www.microsoft.com/en-us/edge?form=MA13DE&OCID=MA13DE

Importing the VM with the Hyper-V wizard is an easy and quick step; use Hyper-V Manager to import the VM.

Then start the VM. The EULA is displayed, and it is also the start of the migration wizard.

Remember to use a different browser than IE. Currently IE is on the migration server. Get Edge: https://www.microsoft.com/en-us/edge?form=MA13DE&OCID=MA13DE

We start the migration configuration wizard. Remember not to use IE.

With the basic configuration steps we start connecting the migration server to the Hyper-V server.

In this connection wizard we select the migration project we just created in the Azure portal (if you have multiple, then select the right one, as this is being connected to this Hyper-V server).

If you have trouble registering the server, check your DNS, user account, browser, and WMI (in a standalone site this could be an issue).

These credentials will connect to my server, not the VMs.

You can use the FQDN or the IP to connect to the Hyper-V server.

I changed the DNS to get some common errors.

Setting the DNS correctly: these are common errors, often seen in standalone configurations.

This can take some time, as mentioned below.

After the registration we can follow the steps in the Azure portal.

We let this run for some time and come back later, and we move on to the database migration.

We do a different step, as the migrate tool is not showing you all the pieces.

Setting up the database migration is in the same steps, but in the Azure Migrate blade some screens are only found in the resource groups.

Set up the database migration project.

In this I choose the Preview option; things may change when it is GA. But let's see how it works.

When this is done, I noticed that the download is not always starting: https://www.microsoft.com/en-us/download/details.aspx?id=53595

When the project is created you can see the database overview, but to see the real config you need to go to the resource group.

The fun part here is that I first created the screenshots and added the text later, but doing this I had a hard time finding the configured items, as not all components are in the migration blade. So back to the resource group; there I find the hints.

The Azure Database Migration Service can be opened from the resource group as shown above.

The Discovery

When the discovery is done, then we can start with the fun part.

Here my 33 VMs are scanned, all without an agent.

Now that the Hyper-V host is completely scanned, we can start with the assessment of the VMs.

First we create some profiles for the region and size that the VMs will get.

This can be changed if needed.

We create some scan profiles and a target location. I used the Dv4 machine types with no temp disks.

These machines are indexed, and now I pick 2 for an assessment and place them into a group.

When this is ready we can see the scan results, estimated price details, and the VM SKU choice.

For the best result you can install an agent to get more in-depth information.

When the machine is not connected to an OMS workspace (Azure Log Analytics), not all the info can be displayed, such as the service dependencies.

Add the VM to a new workspace or to an existing one and configure the right steps. I add a new workspace for the migration, as this data can be removed after the migration, so I don't want it in my current workspace.

Once the agent is reporting to the workspace and you run a new assessment, a service map can be displayed.

There is a nice dashboard on the cost and migration status. After this it is easy to migrate to Azure, or you may need to do some extra work to migrate this server to Azure.

Azure Replication Migration

Looking in the portal, we can also create a different migration: direct replication, the lift-and-shift method. This uses the ASR tooling, but with a difference: here you can choose on what network the VM must land.

Installing the ASR agent on the Hyper-V server.

Don't forget to finalize your registration! This can be done after the agent installation.

Installing the ASR agent.

Now that the agent is installed we need to register it with Azure. Make sure you have downloaded the credential file.

Load the credential file into the agent and finish the installation.

Now we can start the replication of the VMs.

It is important here to finish the registration. I had forgotten this, so the replication did not work.

I choose a demo VM that can be migrated to Azure.

The Migration

Pick Hyper-V or VMware, depending on what you are using.

I pick a VM.

Select the resource group and network where the VM lands. This is great: now you can place the VM directly in the right spot.

My VM name is "windows". Names like this are not allowed in Azure and are protected names, therefore I need to rename the VM.

The replication is started and we do a test migration.

There are no issues, so we start the test migration from the Azure blade.

Now that the failover is successful we do the cutover and run the VM in Azure. This is similar to ASR, but there is no replication back.

In the Azure portal we can see the machine is running. Log in to the machine and check that everything runs smoothly.

The VM is migrated lift and shift and placed on a selected network.

The replication is set to normal.

Now that the VM is migrated and running, we can remove it from the Hyper-V server, as the machine is not deleted on-premises.

Download this e-book to learn about Azure Migrate, Microsoft’s central hub of tools for cloud migration. In this e-book, we’ll cover:

  • What is Azure Migrate
  • How Azure Migrate can help your migration journey
  • Running a datacenter discovery and assessment
  • Migrating your infrastructure, applications, and data
  • Additional learning resources

Download


Free E-Book on Microsoft Azure Migrate, E-Book for your Cloud Migration. #Azure #Migrate #Ebook #Cloud #App #Assure

Migrate to the Cloud with Azure Migrate

Azure Migrate provides a centralized hub to assess and migrate to Azure on-premises servers, infrastructure, applications, and data. It provides the following:

  • Unified migration platform: A single portal to start, run, and track your migration to Azure.
  • Range of tools: A range of tools for assessment and migration. Azure Migrate tools include Server Assessment and Azure Migrate: Server Migration. Azure Migrate also integrates with other Azure services and tools, and with independent software vendor (ISV) offerings.
  • Assessment and migration: In the Azure Migrate hub, you can assess and migrate:
  • Servers: Assess on-premises servers and migrate them to Azure virtual machines or Azure VMware Solution (AVS) (Preview).
  • Databases: Assess on-premises databases and migrate them to Azure SQL Database or to SQL Managed Instance.
  • Web applications: Assess on-premises web applications and migrate them to Azure App Service by using the Azure App Service Migration Assistant.
  • Virtual desktops: Assess your on-premises virtual desktop infrastructure (VDI) and migrate it to Windows Virtual Desktop in Azure.
  • Data: Migrate large amounts of data to Azure quickly and cost-effectively using Azure Data Box products.

 


Great tips and tricks in this ebook.

Migration planning is key: do not start in the wild, and test before you go into production.

Sometimes it is better to rebuild the machine than to lift and shift, and if you can avoid it, don't use any OS other than the latest. And if you really need support, there is some assistance from Microsoft called App Assure. Take a look at this.

When you purchase any of the Windows 10 or Microsoft 365 services (as detailed in Eligible Services and Plans), FastTrack Specialists provide advisory and remediation guidance if you encounter app compatibility issues as you deploy newer Microsoft products as outlined in Supported Microsoft products.

To get help, complete the App Assure service request.

Partners can also get help through the FastTrack site on behalf of a customer. To do so, the partner signs into the site, selects the customer record, clicks Services, and completes the Request for Assistance for App Assure form.

 
