Archive for the ‘Azure’ Category

Extend your File server with Azure File Sync and Migrate with Windows Admin Center #WindowsServer #Azure #AFS #WAC #HybridCloud #FileServer

In a previous blog post, https://robertsmit.wordpress.com/2018/11/29/step-by-step-windows-server-2019-file-server-clustering-with-powershell-or-gui-cluster-ha-azure-windowsadmincenter-windowsserver2019/

I created a file share on a cluster to make the share HA. This is the traditional way to make a share highly available. But what if you have multiple locations and you want to use this share in Azure? The old approach is big internal lines between the datacenters and copying the files to Azure with DFS. Better to use the Azure File Sync option: the files are synced to all the servers and are available in Azure. Better and faster.

#bettertogether  

With Azure File Sync, shares can be replicated on-premises or in Azure and accessed through SMB or NFS shares on Windows Server. Azure File Sync is useful for scenarios in which data needs to be accessed and modified far away from an Azure datacenter, such as in a branch office scenario. Data may be replicated between multiple Windows Server endpoints, such as between multiple branch offices. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.

To get started with Azure File Sync we need a storage account in Azure.

We create a storage account in Azure.

Remember, this works only on Windows Server! System requirements:

  • A server running Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019:

    Version                  Supported SKUs            Supported deployment options
    Windows Server 2019      Datacenter and Standard   Full (server with a UI)
    Windows Server 2016      Datacenter and Standard   Full (server with a UI)
    Windows Server 2012 R2   Datacenter and Standard   Full (server with a UI)

Now that the storage account is created, we start with the Azure File Sync creation in Azure.

Name the Storage Sync Service and create a resource group.

The next step is registering the on-premises server to Azure with the Azure File Sync agent.

Azure File Sync agent download: https://go.microsoft.com/fwlink/?linkid=858257

The installation is in two steps.

  1. Installing the agent
  2. Configuring the Agent

After the download, install the agent on the file server. As I use a cluster, I install the agent on every node of the cluster.

Now that the agent is installed, the second wizard pops up for the configuration and, if needed, an update.

So far so good. As the agent connects to Azure, some additional components are needed.

As this cluster was a fresh installation and I had not used the PowerShell commands for Azure here, I need to install the AzureRM modules (or the Az module).

https://go.microsoft.com/fwlink/?linkid=856959

Installing and updating the modules:

Install-Module -Name AzureRM -AllowClobber

With this command you can see the currently installed AzureRM module version:

Get-Module -Name AzureRM -List | select Name,Version

Now that the PowerShell modules are installed we can refresh the page and the installation continues.

If you are using a CSP subscription in Azure then you need to set this check box and use your tenant ID.

In all other subscriptions keep this default.

Pick the right resource group, the one with the created Storage Sync Service in it, else the field will be empty.

Select a resource group that contains a Storage Sync Service, or use the Azure portal to create one in this resource group.

When this process is done we can configure the rest in the Azure portal.

As you can see the cluster CNO object is named here.

In the pane that opens, enter the following information to create a sync group with a cloud endpoint:

  • Sync group name: The name of the sync group to be created. This name must be unique within the Storage Sync Service, but can be any name that is logical for you.
  • Subscription: The subscription where you deployed the Storage Sync Service.
  • Storage account: If you select Select storage account, another pane appears in which you can select the storage account that has the Azure file share that you want to sync with.
  • Azure file share: The name of the Azure file share with which you want to sync.

Next is creating the sync group.

Pick a name for the sync group and the proper storage account that we created earlier. In this storage account we did not create a file share, which is needed to hold the files, so the Azure file share box is not showing you anything.

Go to the storage account and create a file share.

With this created, the creation of the sync group can be completed.

Next step is creating some endpoints. This means binding the local share to the service and syncing it to the Azure storage account share.

Add the endpoint and pick the registered server and the file share that will be synced.

If you want to enable cloud tiering, fill in the values. In this demo I don't use this.

Note:

Only NTFS volumes are supported. ReFS, FAT, FAT32, and other file systems are not supported.

Failover Clustering

Windows Server Failover Clustering is supported by Azure File Sync for the "File Server for general use" deployment option. Failover Clustering is not supported on "Scale-Out File Server for application data" (SOFS) or on Clustered Shared Volumes (CSVs).

The Azure File Sync agent must be installed on every node in a Failover Cluster for sync to work correctly.

In my demo the share is not listed. I already know why: I used ReFS for the cluster disk.

This can be painful as you need to format that disk and move all the data to a temp location.
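A pre-flight check for exactly the situation above, added here as an example (it is not code from the original post): it verifies on a cluster node that the share volume is NTFS, that the path is not a volume root, and that the agent is present on every node. It assumes the FailoverClusters module is available, that the agent's Windows service is named FileSyncSvc (assumed from the component name FileSyncSvc.exe), and uses a constructed share path.

```powershell
# Added example, not from the original post: pre-flight checks on a cluster node before
# adding the clustered share as an Azure File Sync server endpoint, so the share does not
# silently fail to show up (ReFS volume, volume root, agent missing on a node).
# Assumptions: run on the node that currently owns the cluster disk, with the FailoverClusters
# module present; the agent's service name 'FileSyncSvc' is assumed (from FileSyncSvc.exe);
# the share path is a constructed example.

$SharePath = 'F:\Shares\Data'   # constructed example: the clustered share to sync

function Test-AfsServerEndpointPath {
    param([Parameter(Mandatory)][string]$Path)
    $problems = @()
    $root = [System.IO.Path]::GetPathRoot($Path)          # e.g. 'F:\'
    if ($root -notmatch '^[A-Za-z]:\\') {
        $problems += "Use a local drive path (for example F:\Shares\Data), not '$Path'."
        return $problems
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        $problems += "Path '$Path' does not exist on this node (is the cluster disk online here?)."
    }
    if ($Path.TrimEnd('\') -eq $root.TrimEnd('\')) {
        $problems += "Path is the root of a volume; Azure File Sync needs a subfolder."
    }
    # Only NTFS is supported; ReFS, FAT and FAT32 volumes are never offered as endpoints.
    $drive = $root.Substring(0, 1)
    $vol = Get-Volume -DriveLetter $drive -ErrorAction SilentlyContinue
    if ($null -eq $vol) {
        $problems += "No volume found for drive $drive on this node."
    } elseif ($vol.FileSystem -ne 'NTFS') {
        $problems += "Volume $root is $($vol.FileSystem); reformat as NTFS (move the data to a temp location first)."
    }
    return $problems
}

function Test-AfsAgentOnClusterNodes {
    # The agent has to be installed on every node, or sync breaks after a failover.
    foreach ($node in (Get-ClusterNode | Select-Object -ExpandProperty Name)) {
        $svc = Invoke-Command -ComputerName $node -ScriptBlock {
            Get-Service -Name 'FileSyncSvc' -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Node       = $node
            AgentFound = [bool]$svc
            Status     = if ($svc) { "$($svc.Status)" } else { 'not installed' }
        }
    }
}

$pathIssues = Test-AfsServerEndpointPath -Path $SharePath
$nodes      = Test-AfsAgentOnClusterNodes
$nodes | Format-Table -AutoSize

$missing = $nodes | Where-Object { -not $_.AgentFound } | Select-Object -ExpandProperty Node
if ($pathIssues -or $missing) {
    $pathIssues | ForEach-Object { Write-Warning $_ }
    if ($missing) { Write-Warning "Install the Azure File Sync agent on: $($missing -join ', ')" }
    Write-Warning "Fix the items above before adding '$SharePath' as a server endpoint."
} else {
    "'$SharePath' is on NTFS, is not a volume root, and the agent is present on all nodes."
}
```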

After changing the disk format and a refresh you can see that the deployment is pending and working.

After this you have a full hybrid file share: fully redundant on premises and offloaded to Azure.

As a last step, the best option to get the data into this HA file share is using the Windows Admin Center.

In Windows Admin Center there is a great option: Storage Migration Service.

Open Windows Admin Center and select the source. This will be scanned and when done the files can be migrated (the scanning can take some time).

When the scanning is done the files and shares are listed. More info can be found here: https://youtu.be/WCWxAp27ERk

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted December 4, 2018 by Robert Smit [MVP] in Azure


How to Protect your #Azure resources from Distributed Denial of Service #DDoS attacks #Cloud #SDN #VNET #Security #Alerts #Analytics

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.


What is DDoS Protection? Protecting applications from DDoS attacks has been one of the top security concerns for Azure customers. Azure DDoS protection service is an Azure Networking offering aimed at protecting publicly accessible endpoints from DDoS attacks. The offering gives customers access to the same protection that is used to protect Microsoft’s online assets, such as Xbox Live and Office 365. Azure DDoS protection service provides constant network flow monitoring of the protected endpoints, and when detecting a DDoS attack, automatically applies traffic scrubbing to make sure only legitimate requests are forwarded to the application.

Azure DDoS protection, combined with application design best practices, provides defense against DDoS attacks. Azure DDoS protection provides the following service tiers:

  • Basic: Automatically enabled as part of the Azure platform. Always-on traffic monitoring, and real-time mitigation of common network-level attacks, provide the same defenses utilized by Microsoft’s online services. The entire scale of Azure’s global network can be used to distribute and mitigate attack traffic across regions. Protection is provided for IPv4 and IPv6 Azure public IP addresses.
  • Standard: Provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. DDoS Protection Standard is simple to enable, and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses associated to resources deployed in virtual networks, such as Azure Load Balancer, Azure Application Gateway, and Azure Service Fabric instances, but this protection does not apply to App Service Environments. Real-time telemetry is available through Azure Monitor views during an attack, and for history. Rich attack mitigation analytics are available via diagnostic settings. Application layer protection can be added through the Azure Application Gateway Web Application Firewall or by installing a 3rd party firewall from Azure Marketplace. Protection is provided for IPv4 Azure public IP addresses.

Azure DDoS Protection Basic vs. Standard

So how do you start with DDoS protection in Azure?

First go to Virtual Networks.

Next select the network; in the left pane there is a section DDoS Protection.

Selecting DDoS Protection, there are the Basic and the Standard settings.

Pricing Details

There, Basic is the default and is free.

The Standard tier is a different option and costs you some real money, and these are monthly costs. For a demo I turned it on and forgot to turn it off and spent 10K in 4 months, so keep track of your Azure costs.

The DDoS Protection service will have a fixed monthly charge, as well as a charge for data processed. The fixed monthly charge includes protection for 100 resources. Protection for additional resources will be charged on a monthly per-resource basis.

Monthly price for DDoS Protection (includes protection for 100 resources): €2,483/month

Overage charges (more than 100 resources): €25 per resource per month

 

When enabling DDoS Standard we need to create a DDoS protection plan first; if you already have one you can add its ID.

Check the create DDoS protection plan option.

Now that we created a plan, which is more of a resource placeholder, we can add this plan in the DDoS protection setting of the virtual network.

Now that DDoS protection and the plan are in place we can create an alert rule in case of a DDoS attack.

In Azure Monitor we can create the alert rule and we can see the logging.

To see telemetry for a DDoS attack, log into the Azure Portal and navigate to the “Monitor” blade.

Within the monitor blade, click on “Metrics”, select the appropriate subscription, resource group, resource type of “Public IP” and the Public IP that was the target of the attack. After selecting the resource, a series of Available Metrics will appear on the left side. These metrics are selected and then will be graphed.

The metric names are relatively self-explanatory and the basic construct is that there are tag names on each metric as follows:

  • Dropped tag name (e.g. Inbound Packets Dropped DDoS): The number of packets dropped/scrubbed by the DDoS system
  • Forwarded tag name (e.g. Inbound Packets Forwarded DDoS): The number of packets forwarded by the DDoS system to the destination VIP – traffic that was not filtered
  • No tag name (e.g. Inbound Packets DDoS): The total number of packets that came into the scrubbing system – representing the sum of the packets dropped and forwarded

The traffic shown in the Monitor dashboard.

To create a dashboard there are some options with counters. It all depends on your needs.

Now we create an alert rule.

Email Alerting

To configure an email alert for a metric, click on the “Click to add an alert” text. An email alert can be created on any metric, but the most obvious metric to create an alert on is “Under DDoS attack or not”. This is a boolean value 1 or 0. “1” means you are under attack. “0” means you are not under attack. To be emailed when under attack, set the Metric for “Under DDoS attack or not” and “Condition” to “Greater than” zero (0) over the last 5 minutes. Similar alerts can be set up for other metrics. An example screenshot is provided below.

To define the severity I keep this as it is also used in SCOM.

Azure Monitor Alert Severity Levels

Sev 0 = Critical
Sev 1 = Error
Sev 2 = Warning
Sev 3 = Informational
Sev 4 = Verbose

The last part is selecting the email for this alert.

With this setup you have good protection against DDoS attacks. Below is the workflow of how DDoS protection works.

Diagram of how DDoS Protection Standard works, with "Policy Generation" circled
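The same setup done with the Az PowerShell module, as an added example (not code from the original post): create the protection plan, attach it to the virtual network, and create the "Under DDoS attack or not" alert with the 5 minute window and a severity the SCOM mapping above understands. It assumes Connect-AzAccount has already run; the resource group, network, public IP and mailbox names are constructed placeholders, and the metric name IfUnderDDoSAttack is assumed to be the Azure Monitor name behind the portal label "Under DDoS attack or not".

```powershell
# Added example (not from the original post): enable DDoS Protection Standard on an existing
# virtual network and create the "Under DDoS attack or not" alert with the Az module.
# Assumptions: Connect-AzAccount already done; all resource names below are constructed
# placeholders; 'IfUnderDDoSAttack' is assumed to be the metric behind the portal label.

$rg       = 'rg-ddos-demo'       # constructed
$location = 'westeurope'         # constructed
$vnetName = 'vnet-prod'          # constructed
$pipName  = 'pip-web-frontend'   # constructed
$email    = 'soc@example.com'    # constructed

# 1. The plan is only a placeholder resource; the monthly charge starts once you use it,
#    so delete it again after a demo (see the cost remark above).
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name 'ddos-plan-std' -Location $location

# 2. Attach the plan to the virtual network and switch Standard protection on.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DdosProtectionPlan    = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection  = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Action group that e-mails the on-call mailbox.
$receiver = New-AzActionGroupReceiver -Name 'soc-mail' -EmailReceiver -EmailAddress $email
$ag = Set-AzActionGroup -ResourceGroupName $rg -Name 'ag-ddos' -ShortName 'ddos' -Receiver $receiver

# 4. Alert rule: metric > 0 (1 = under attack) evaluated every minute over the last 5 minutes.
#    Severity 0 = Critical in the Azure Monitor / SCOM mapping used in the post.
$pip  = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
$crit = New-AzMetricAlertRuleV2Criteria -MetricName 'IfUnderDDoSAttack' `
            -MetricNamespace 'Microsoft.Network/publicIPAddresses' `
            -TimeAggregation Maximum -Operator GreaterThan -Threshold 0
Add-AzMetricAlertRuleV2 -Name 'alert-ddos-attack' -ResourceGroupName $rg `
    -WindowSize 00:05:00 -Frequency 00:01:00 `
    -TargetResourceId $pip.Id -Condition $crit -ActionGroupId $ag.Id `
    -Severity 0 -Description "Public IP $pipName is under DDoS mitigation"
```

The dropped/forwarded packet metrics listed above can be added to the same rule as extra criteria, but the boolean metric is the one to page on.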

 


Posted November 27, 2018 by Robert Smit [MVP] in Azure


Azure portal VM creation Changed with a new layout is Awesome #Azure #Cloud #MSTCommunity #MVPBuzz

In the Azure portal there are changes every day; some are big, others are minor.

In this blog I show you the change in the VM creation.

When creating a new VM you can see the change: now there are several tabs, and the best part is you can jump forward without filling in all the fields.

Creating the NSG port rules. Select which virtual machine network ports are accessible from the public internet. You can specify more limited or granular network access on the Networking tab.

Creating the NSG directly.

The identity settings, with auto-shutdown and even selecting the backup.

I think this layout is much better and gives you a better overview of the VM creation with all the options. Hope this will be there for the containers also.


Posted September 17, 2018 by Robert Smit [MVP] in Azure


End of support for #DirSync and #AzureAD Sync: upgrade to #Azure AD Connect before the end of 2017 #Cloud

Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a great time to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync as these tools are now deprecated and are no longer supported as of April 13, 2017.


The two identity synchronization tools that are deprecated were offered for single forest customers (DirSync) and for multi-forest and other advanced customers (Azure AD Sync). These older tools have been replaced with a single solution that is available for all scenarios: Azure AD Connect. It offers new functionality, feature enhancements, and support for new scenarios. To be able to continue to synchronize your on-premises identity data to Azure AD and Office 365, we strongly recommend that you upgrade to Azure AD Connect. Microsoft does not guarantee these older versions to work after December 31, 2017.

If you are on an old version, below is the link to get the latest version.

Microsoft Azure Active Directory Connect

https://www.microsoft.com/en-us/download/details.aspx?id=47594

  • Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:
    • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
    • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
    • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
    • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications.

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

But where do you find the current version of Azure AD Connect? If you go to the management tool you can see this in the GUI.

Go to the folder Microsoft Azure AD Sync.

Now start miisclient.exe and in the About dialog there is your version number.

Detailed Azure AD Connect: Version release history

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-version-history

If you need to upgrade you can do an in-place upgrade (automatic upgrade).

High-level steps for upgrading from DirSync to Azure AD Connect
  1. Welcome to Azure AD Connect
  2. Analysis of current DirSync configuration
  3. Collect Azure AD global admin password
  4. Collect credentials for an enterprise admin account (only used during the installation of Azure AD Connect)
  5. Installation of Azure AD Connect
    • Uninstall DirSync (or temporarily disable it)
    • Install Azure AD Connect
    • Optionally begin synchronization

Remember, Azure AD will stop accepting connections from DirSync and Azure AD Sync after December 31, 2017. Upgrade now to avoid downtime and start 2018 relaxed.
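A scripted version of the version check above, added here as an example (not code from the original post), that also looks for the two deprecated tools on the same server and reports how long is left before the cutoff date. It assumes the Azure AD Connect UI sits in the Microsoft Azure AD Sync folder named above (under Program Files, subfolder UIShell), and the DisplayName patterns for the three products are assumptions you may need to adjust.

```powershell
# Added example (not from the original post): inventory of DirSync / Azure AD Sync /
# Azure AD Connect on this server, plus the version miisclient.exe shows in its About dialog.
# Assumptions: miisclient.exe lives under "$env:ProgramFiles\Microsoft Azure AD Sync\UIShell";
# the DisplayName wildcard patterns below are assumed product names, adjust if yours differ.

$Cutoff = Get-Date '2017-12-31'   # date after which Azure AD stops accepting DirSync/Azure AD Sync

function Get-AadSyncToolInventory {
    # Walk both uninstall hives; each entry carries DisplayName and DisplayVersion.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    # Order matters: the Connect pattern is tested first so its sub-components are not
    # mistaken for the deprecated tools. Patterns are assumptions.
    $known = @(
        @{ Pattern = '*Azure AD Connect*';      Tool = 'Azure AD Connect'; Deprecated = $false },
        @{ Pattern = '*Azure AD Sync*';         Tool = 'Azure AD Sync';    Deprecated = $true  },
        @{ Pattern = '*Active Directory Sync*'; Tool = 'DirSync';          Deprecated = $true  }
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($k in $known) {
                if ($entry.DisplayName -like $k.Pattern) {
                    [pscustomobject]@{
                        Tool        = $k.Tool
                        DisplayName = $entry.DisplayName
                        Version     = $entry.DisplayVersion
                        Deprecated  = $k.Deprecated
                    }
                    break
                }
            }
        }
}

function Get-MiisClientVersion {
    # Same number the About dialog shows, read from the executable's version resource.
    $exe = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\UIShell\miisclient.exe'
    if (Test-Path -LiteralPath $exe) { (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion } else { $null }
}

$inventory = @(Get-AadSyncToolInventory)
$inventory | Format-Table -AutoSize
$ui = Get-MiisClientVersion
if ($ui) { "miisclient.exe reports version $ui" }

$deprecated = $inventory | Where-Object { $_.Deprecated }
if ($deprecated) {
    $days   = [int]($Cutoff - (Get-Date)).TotalDays
    $when   = if ($days -ge 0) { "in $days days" } else { 'already passed' }
    $tools  = ($deprecated.Tool | Sort-Object -Unique) -join ', '
    Write-Warning "Deprecated sync tool(s) found: $tools. Azure AD stops accepting them after $($Cutoff.ToString('yyyy-MM-dd')) ($when); upgrade to Azure AD Connect."
} elseif ($inventory.Count -eq 0) {
    Write-Warning 'No Azure AD sync tool found in the uninstall registry on this server.'
}
```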

 

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

Google Me : https://www.google.nl

Bing Me : http://tinyurl.com/j6ny39w

LMGTFY : http://lmgtfy.com/?q=robert+smit+mvp+blog

Posted December 28, 2017 by Robert Smit [MVP] in Azure


Getting Started with #Azure Data Science Virtual Machine on Windows 2016 #DSVM #winserv #VSTS #DevOps

The Data Science Virtual Machine (DSVM) is a ‘Windows Server 2016 with Containers’ VM & includes popular tools for data exploration, analysis, modeling & development.

Highlights:

  • Microsoft R Server – Dev. Ed. (Scalable R)
  • Anaconda Python
  • SQL Server 2017 Dev. Ed. – With In-Database R and Python analytics
  • Microsoft Office 365 ProPlus BYOL – Shared Computer Activation
  • Julia Pro + Juno Editor
  • Jupyter notebooks
  • Visual Studio Community Ed. + Python, R & node.js tools
  • Power BI Desktop
  • Deep learning tools e.g. Microsoft Cognitive Toolkit (CNTK 2.1), TensorFlow & mxnet
  • ML algorithm libraries e.g. xgboost, Vowpal Wabbit
  • Azure SDKs + libraries for various Azure Cloud offerings. Integration tools are included for: 
    1. Azure Machine Learning
    2. Azure Data Factory
    3. Stream Analytics
    4. SQL Data Warehouse
    5. Hadoop + Apache Spark (HDICluster)
    6. Data Lake
    7. Blob storage
    8. ML & Data Science tutorials as Jupyter notebooks

Tools for ML model operationalization as web services in the cloud, using Azure ML or Microsoft R Server.

Pre-configured and tested with Nvidia drivers, CUDA Toolkit, & NVIDIA cuDNN library for GPU workloads available if using NC class VM SKUs.

Starting in the Azure portal

Go to New or +.

Search for Data Science Virtual Machine (DSVM).

Select the {csp} Data Science Virtual Machine – Windows 2016 option.

Next fill in the username and password and the resource group.

Pick a machine type. When you pick a higher machine type, deploying everything is way faster than just picking a Standard_A1 size.

As you can see there is an orange mark in the text that the cost will be billed separately.

Offer details

Data Science Virtual Machine – Windows 2016

0.0000 EUR/hr

Good to know: there is no cost for the image, it is free. You do need to pay for the Azure VM! In my case an E32s v3.

The highlighted Marketplace purchase(s) are not covered by your Azure credits, and will be billed separately.
You cannot use your Azure monetary commitment funds or subscription credits for these purchases. You will be billed separately for marketplace purchases.

Not bad: a 9 minute install with a long list of tools: Office, Visual Studio, Visual Studio Code, etc.

There is no free license for the Office and Visual Studio products but you can sign in with your credentials.

Thanks to the big compute everything is running awesome.

As you can see all the tools are there; some need configuration, so there are no default things that need to be removed first, just ready to start without the long installation of all the tools.

What was missing on the Data Science Virtual Machine (DSVM), as it is a DevOps VM: I installed the RSAT tools and Project Honolulu single box for Azure management and development.

https://robertsmit.wordpress.com/2017/09/25/projecthonolulu-the-new-future-of-windows-server-gui-management-servermgmt-smt-winserv/

     


Posted October 30, 2017 by Robert Smit [MVP] in Azure

Step by Step Azure File Sync – on-premises file servers to #Azure Files Storage Sync Service #AFS #Cloud #MSIgnite

Finally Azure File Sync is there in public preview. For the last months I had the pleasure to work with the Azure File Sync team, tested the product and thought about some great ideas where Azure File Sync (AFS) could be useful. And I guess you all have ideas where you could use AFS: placing your file server somewhere and getting your files to the cloud. Or use an Azure Data Box (ADB): https://azure.microsoft.com/nl-nl/updates/azure-data-box-preview/

With Azure File Sync (preview), shares can be replicated on-premises or in Azure and accessed through SMB or NFS shares on Windows Server. Azure File Sync is useful for scenarios in which data needs to be accessed and modified far away from an Azure datacenter, such as in a branch office scenario. Data may be replicated between multiple Windows Server endpoints, such as between multiple branch offices.

Azure File Sync is a multi-master sync solution, it makes it easy to solve global access problems introduced by having a single point of access on-premises, or in Azure by replicating data between Azure File shares and servers anywhere in the world. With Azure File Sync, we’ve introduced a very simple concept, the Sync Group, to help you manage the locations that should be kept in sync with each other. Every Sync Group has one cloud endpoint, which represents an Azure File share, and one or more server endpoints, which represents a path on a Windows Server. That’s it! Everything within a Sync Group will be automatically kept in sync!

Azure File Sync enables organizations to:

  • Centralize file services in Azure storage
  • Cache data in multiple locations for fast, local performance
  • Eliminate local backup and DR

The Azure File Sync agent is supported on Windows Server 2016 and Windows Server 2012 R2 and consists of three main components:

  • FileSyncSvc.exe: The background Windows service responsible for monitoring changes on Server Endpoints and initiating sync sessions to Azure.
  • StorageSync.sys: The Azure File Sync file system filter, responsible for tiering cold files to Azure Files (when cloud tiering is enabled).
  • PowerShell management cmdlets: PowerShell cmdlets for interacting with the Microsoft.StorageSync Azure Resource Provider. The cmdlets can be found at the following locations (by default):
    • %ProgramFiles%\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll
    • %ProgramFiles%\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll

The Azure File Sync agent also includes a preview version of the Work Folders server feature which has been updated to support Azure File Sync. This preview version of Work Folders does not have a UI and must be managed via PowerShell: https://docs.microsoft.com/en-us/powershell/module/syncshare/?view=win10-ps

But in the preview I'm a bit confused: what is the name of the product, Azure File Sync or Storage Sync Service? Looking it up in the Azure store and in the quick list the name is not the same.

So when you have created Azure File Sync you need to look under Storage Sync Services.

Now, that said, how to build a replica to Azure and back to my other data center?

So what do we need for this scenario? We need two file servers and a storage account in Azure.

I created a file server mvpafs01 with an extra disk that hosts my on-prem files. On the other server, MVPAFS02, the share is in a different location.

Azure File Sync extends on-premises file servers into Azure, providing cloud benefits while maintaining performance and compatibility.

Azure File Sync provides:

  • Multi-site access – provide write access to the same data across Windows Servers and Azure Files
  • Cloud Tiering – store only recently accessed data on local servers
  • Integrates with Azure backup – no need to back up your data on premises
  • Rapid DR – restore file metadata immediately and recall data as needed

Open your Azure subscription and look in the store for Azure File Sync.

Create the Azure File Sync components

First we make a new storage account; this storage account will hold the on-premises files.

When the storage account is created we create a file share on this storage account.

Currently the share has a maximum of 5 TB!

    Max size of a file share              5 TB
    Max size of a file in a file share    1 TB
    Max number of files in a file share   Only limit is the 5 TB total capacity of the file share
    Max IOPS per share                    1000

In this case a limit of 4 TB is more than enough to hold my files.

Now that the Azure File Sync service is created we can configure Azure File Sync.

First we create a sync group; in this group we can sync the files from one to many.

If you didn't create the storage account and the file share you will need to create these first.

Create a sync group

A Sync Group contains a list of endpoints that define where a set of files sync to. Servers and Azure File Shares can participate in syncing the same set of files when they are listed in the same Sync Group.

At the moment only one Azure File Share can participate in a Sync Group and it must be in the same region as this Storage Sync Service. Below you can create the Sync Group and its first and only Cloud Endpoint in one step. In the future you will be able to add more Cloud Endpoints. You can add Server Endpoints after this step completes.

After creating this Sync Group and its first Cloud Endpoint, the next step is adding one or more Server Endpoints to the Sync Group.

Next step is preparing the on-premises file server: install the agent and add the Azure PowerShell modules.

To register a server:

  • Download the Azure Storage Sync agent and install it on all servers you want to sync.
  • After finishing the agent install, use the server registration utility that opens to register the server to this Storage Sync Service.

When the download of the right files is finished we start the installation of the agent.

  1. Download and run the StorageSyncAgent.msi.
  2. Follow the instructions to complete the installation.
  3. At the conclusion of the Azure File Sync agent installation, the Server Registration UI will auto-start.
  4. Follow the instructions to register the server with your Storage Sync Service.

Before we start the agent we need to disable the enhanced security configuration (for admins only).

The installation of the agent is simple and quick, unless the Azure modules are not on the server.

Now that the agent is installed we can register this server in Azure File Sync (AFS).

I did not have the Azure PowerShell modules on this server, so I need to install the modules first.

https://go.microsoft.com/fwlink/?linkid=856959

You can check the version with the PowerShell cmdlets:

Get-Module PowerShellGet -list | Select-Object Name,Version,Path

# Install the Azure Resource Manager modules from the PowerShell Gallery

Install-Module AzureRM

This can take some time but you don't need a reboot for this.

Just log in to your Azure subscription where the Azure File Sync (AFS) is installed.

Pick the right subscription and resource group with the Storage Sync Service.

The next step after the registration of the server is creating an endpoint. This endpoint links the file share to the sync service.

    image

     

    Creating an Endpoint is the final step but remember as soon as this is in place the Sync services on the on premise server starts the initial sync!

    image

    Creating the Azure File Sync (AFS) Endpoint

    image

    A Server Endpoint integrates a subfolder of a volume from a Registered Server as a location to sync. The following considerations apply:

    • Servers must be registered to the Storage Sync Service that contains this Sync Group before you can add a location on them here.
    • A specific location on the server can only sync with one Sync Group. Syncing the same location, or even a part of it, with a different Sync Group doesn't work.
    • Make sure that the path you specify for this server is correct and not the root of a volume before hitting Create.

    • Cloud Tiering: A switch to enable or disable cloud tiering, which enables infrequently used or accessed files to be tiered to Azure Files.
    • Volume Free Space: the amount of free space to reserve on the volume on which the Server Endpoint resides. For example, if the Volume Free Space is set to 50% on a volume with a single Server Endpoint, roughly half the amount of data will be tiered to Azure Files. Note that regardless of whether cloud tiering is enabled, your Azure File share always has a complete copy of the data in the Sync Group.
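    As an added example (not code from the original post), here is how the server endpoint step above can be scripted with the considerations just listed checked before creation. It assumes the Az.StorageSync module (which supersedes the AzureRM-era cmdlets), that the sync group already has its cloud endpoint, and hypothetical names for the resource group, Storage Sync Service, sync group and share path.

```powershell
# Added example, not code from the original post. Assumes the Az.StorageSync module
# and that the sync group already has its cloud endpoint. All names are hypothetical.
Import-Module Az.StorageSync

$rgName    = "rg-filesync"       # hypothetical resource group
$syncSvc   = "storagesync01"     # hypothetical Storage Sync Service
$syncGroup = "fileshare-sync"    # hypothetical sync group
$localPath = "D:\Shares\Data"    # hypothetical share folder; must not be a volume root

# Consideration: the path must not be the root of a volume.
$root = [System.IO.Path]::GetPathRoot($localPath).TrimEnd('\')
if ($root -eq $localPath.TrimEnd('\')) {
    throw "'$localPath' is the root of a volume; point the endpoint at a subfolder."
}

# Register this server with the Storage Sync Service (run on the server itself,
# once, after the agent has been installed).
$server = Register-AzStorageSyncServer -ResourceGroupName $rgName -StorageSyncServiceName $syncSvc

# Consideration: a location (or a part of it) may only sync with one sync group,
# so refuse a path that overlaps an existing endpoint of this server in any sync group.
$wanted  = $localPath.TrimEnd('\') + '\'
$overlap = Get-AzStorageSyncGroup -ResourceGroupName $rgName -StorageSyncServiceName $syncSvc |
    ForEach-Object {
        Get-AzStorageSyncServerEndpoint -ResourceGroupName $rgName `
            -StorageSyncServiceName $syncSvc -SyncGroupName $_.SyncGroupName
    } |
    Where-Object { $_.ServerResourceId -eq $server.ResourceId } |
    Where-Object {
        $have = $_.ServerLocalPath.TrimEnd('\') + '\'
        $have.StartsWith($wanted, 'OrdinalIgnoreCase') -or $wanted.StartsWith($have, 'OrdinalIgnoreCase')
    }
if ($overlap) {
    throw "'$localPath' overlaps the existing server endpoint at '$($overlap[0].ServerLocalPath)'."
}

# Create the server endpoint with cloud tiering enabled and 50% of the volume kept free,
# the Volume Free Space setting discussed above. This is the point where the initial sync starts.
New-AzStorageSyncServerEndpoint -ResourceGroupName $rgName -StorageSyncServiceName $syncSvc `
    -SyncGroupName $syncGroup -Name "$env:COMPUTERNAME-data" `
    -ServerResourceId $server.ResourceId -ServerLocalPath $localPath `
    -CloudTiering -VolumeFreeSpacePercent 50
```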

    Data traffic on the file server: in this case the server has just one CPU. The upload speed is around 300 Mbps with almost 100% CPU.

    Checking the same upload with 4 cores, the upload rate is more than doubled, so keep this in mind when uploading the files, unless your line is the bottleneck.

    Perfect, the files are synced and ready for cloud usage.

    But I also want these files in my other datacenter. I could just copy those files and in a few days run robocopy with the deltas, but I can also use a second endpoint in Azure File Sync (AFS) and keep all files in sync.

    The first step is the same as for any server to register: install the Azure File Sync (AFS) Agent with the PowerShell modules.

    Connect with the same Azure subscription.

    As you can see the server is online and registered.

    As this server doesn't have a second disk, I place all the files on a different share.

    But after filling in the share name and applying it, the server gets very busy, yet there are no files in the folder.

    Check this: all the files are first cached in the System Volume Information folder under HFS. After the caching it placed all the files in the right folder.

    Just keep in mind that this is the expected process, and your monitoring agents could raise an alarm on this.

    After the initial sync I have two file servers and an Azure Storage account with the same files. I can edit files at any of the 3 points and they still get synced.

    The synced files on the second server; as you can see, the system files are gone and placed in the share.

    Hope this blog gives you a start on using Azure File Sync (AFS). It is very useful, as you can sync files between subscriptions or regions, or just between your data centers.

    Follow Me on Twitter @ClusterMVP

    Follow My blog https://robertsmit.wordpress.com

    Linkedin Profile Http://nl.linkedin.com/in/robertsmit

    Google Me : https://www.google.nl

    Bing Me : http://tinyurl.com/j6ny39w

    LMGTFY : http://lmgtfy.com/?q=robert+smit+mvp+blog

    Posted September 28, 2017 by Robert Smit [MVP] in Azure

    Step by Step Azure network security groups NSG – Security Center #Azure #NSG #Network   3 comments

    Nowadays I see that people do not fully understand the security needs in Azure. There are a lot of options in Azure to improve security.

    A great option is Security Center. This is a great dashboard to get a quick overview of the security status of your subscription.

    The other option is setting up a network security group (NSG).

    A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).

    When an NSG is associated to a subnet, the rules apply to all resources connected to the subnet. Traffic can further be restricted by also associating an NSG to a VM or NIC.

    Associating NSGs

    You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as follows:

    • VM (classic only): Security rules are applied to all traffic to/from the VM.
    • NIC (Resource Manager only): Security rules are applied to all traffic to/from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSG to each NIC individually.
    • Subnet (Resource Manager and classic): Security rules are applied to any traffic to/from any resources connected to the VNet.

    You can associate different NSGs to a VM (or NIC, depending on the deployment model) and the subnet that a NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:

    • Inbound traffic

      1. NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet is dropped.

      2. NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped at the VM\NIC, even if a subnet NSG has a matching rule that allows traffic.

    • Outbound traffic

      1. NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped.

      2. NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are dropped, even if a VM\NIC NSG has a matching rule that allows traffic.

    As with most items in Azure, there are limits to the number of NSGs you can have in a subscription and the number of rules per NSG. To learn more about the limits, read the Azure limits article.

    Creating a network security group (NSG) is easy; you can do this in the portal or with PowerShell.

    As I mentioned above, you can set the network security group (NSG) on a subnet or VM, and you can add multiple rules to a network security group (NSG).

    By default the rule pane is set to Basic: just pick a service and open or close the port.

    But when selecting the Advanced option, the rule pane changes into a rich and flexible option menu.

    Instead of selecting just a service, you can also add an IP range to prevent others from accessing this machine.

    Setting this in the GUI is nice, but when you need to change or add a lot of these you will need PowerShell or ARM templates.

    Below are just some examples of how to use them:

    Login-AzureRmAccount

    # Select a subscription
    $subscriptionId = (Get-AzureRmSubscription | Out-GridView -Title 'Select your Azure Subscription:' -PassThru)
    Select-AzureRmSubscription -SubscriptionId $subscriptionId.Id

    # Select a Resource Group
    $rgName = (Get-AzureRmResourceGroup | Out-GridView -Title 'Select your Azure Resource Group:' -PassThru).ResourceGroupName

    # Set the NSG name and Azure region
    $nsgName = "Trusted-Nsg01"
    $location = "West Europe"
    # Source prefixes: two single hosts (/32) and the wildcard "*" (any source)
    $source1 = "8.8.8.8/32"
    $source2 = "8.8.4.4/32"
    $source3 = "*"
    # Destination ports: RDP, HTTPS and HTTP
    $dest1 = "3389"
    $dest2 = "443"
    $dest3 = "80"
    $tag = "blog"

    # Below are sample rules; a lower priority number is evaluated first
    $rule1 = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix $source1 -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange $dest1

    $rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule2 -Description "Allow Port" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
        -SourceAddressPrefix $source2 -SourcePortRange * -DestinationAddressPrefix * `
        -DestinationPortRange $dest2

    $rule3 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule3 -Description "Allow Port" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 `
        -SourceAddressPrefix $source3 -SourcePortRange * -DestinationAddressPrefix * `
        -DestinationPortRange $dest3

    # "Internet" is a service tag covering all public address space
    $rule4 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule4 -Description "Allow Port" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 104 `
        -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * `
        -DestinationPortRange 88

    Now that the port rules are created, we need to put them in a security group:

    #applying the Rules
    $nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location -Name $nsgName -SecurityRules $rule1,$rule2,$rule3,$rule4

    # Display the custom and the default rules of the NSG
    (Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).SecurityRules | Select-Object * | Out-GridView
    (Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).DefaultSecurityRules | Select-Object * | Out-GridView

    # Remove the NSG again
    Remove-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

    Now that we have created a network security group (NSG), we can add it to a VM. This can also be done with PowerShell, but there is a BUT.

    Let me show you: go to the VM and select the network card.

    The NIC can be named something like nic245768323. I always use named NICs, so that is easy, but if not, the NSG could be applied to another VM and maybe it will fail.

    When selecting this manually you can see the NIC, and if you are sure about the other machines you can do this with PowerShell also.
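    As an added example (not code from the original post), this script associates the NSG created above with a VM's NIC by resolving the NIC from the VM itself, which avoids the auto-named NIC problem, and then lists the effective rules so you can see the subnet and NIC NSGs merged in the evaluation order described earlier. It assumes the AzureRM module, the $rgName and $nsgName variables from the script above, and a hypothetical VM name.

```powershell
# Added example, not code from the original post. Assumes the AzureRM module, a logged-in
# session, and $rgName / $nsgName as set earlier in the post; $vmName is hypothetical.
$vmName = "web01"   # hypothetical VM name

$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# Resolve the NIC(s) from the VM's own network profile instead of guessing an
# auto-generated name such as nic245768323, so the NSG cannot land on another VM.
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    # Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkInterfaces/<name>
    $parts   = $nicRef.Id -split '/'
    $nicRg   = $parts[4]
    $nicName = $parts[-1]

    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $nicRg -Name $nicName
    if ($nic.NetworkSecurityGroup -and $nic.NetworkSecurityGroup.Id -ne $nsg.Id) {
        Write-Warning "$nicName already has NSG $($nic.NetworkSecurityGroup.Id); replacing it with $nsgName"
    }
    $nic.NetworkSecurityGroup = $nsg
    $nic = Set-AzureRmNetworkInterface -NetworkInterface $nic   # commit the association

    # Verify what actually applies: the effective rules merge the subnet NSG and the NIC NSG
    # (the VM must be running for this call to succeed).
    Get-AzureRmEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $nicRg |
        Select-Object -ExpandProperty EffectiveSecurityRules |
        Sort-Object Direction, Priority |
        Format-Table Name, Direction, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
}
```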

    Posted September 11, 2017 by Robert Smit [MVP] in Azure
