Archive for the ‘Azure’ Category

Step By Step Troubleshooting Azure Arc-enabled servers with agent connection issues #Windows #WindowsServer #WinServ #Azure #AzureArc #Cloud   Leave a comment

Azure Arc-enabled servers enables you to manage your Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group. Now you can benefit from standard Azure constructs, such as Azure Policy and applying tags.

When running Azure Arc for some time and suddenly the response stopped you need to dig a bit deeper into the how things are working instead of just kicking off an MSI and the issue is still not fixed.

This is all test So it may look different in your site.just to say so.

Here I have my two servers managed by Arc

Azure Arc-enabled server

As you can see “Something went wrong while getting your resources. Please try again later.”

Azure Arc-enabled server

yes let me get more info about this as currently I know nothing about the error.

image

Azure Arc-enabled server

So It is all OK according to the Azure troubleshooter and still it doesn’t work

Let me click around and see if there is and error ( I could see the local event log of the server but that’s no fun Who uses this ? post some comments in the blog post) Eventlogs are extremely helpful on finding issues or hidden issue’s Often people for get to look at his and see the problem right there. and yes it needs to be fixed also. 

image

Will that be the issue ?  checking already running the latest version, so what is this error or did it go wrong when updating the agent, well I did skip patching for some time on these servers and upgraded these to Windows server 2022

Let me check the agent version,  well the latest version for now..

image

How is this Azure arc be configured anyway, there is no console other than in azure and an MSI with an agent,

let me check the configuration of this and see if I can find something there.

C:\ProgramData\GuestConfig

imageimage

Perfect lots of log files and a config let me check this all

image

time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: FromAssertion(): http call(https://login.windows.net/-d391a79950b1/oauth2/v2.0/token)(POST) error: reply status code was 401:\n{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700027: Client assertion contains an invalid signature. [Reason – The key used is expired., Thumbprint of key used by client: ‘C2FA453DD43C16E584868C1C762DC91EBEC63232’, Found key ‘Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘a16df9d0-f012-45ae-8a92-1d0ad72e045e’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/].\\r\\nTrace ID: 932-2ba8-4098-813e-05a2900\\r\\nCorrelation ID: 66a070fe-6ae4-4a25-ad3f-\\r\\nTimestamp: 2021-09-01 14:32:07Z\",\"error_codes\":[700027],\"timestamp\":\"2021-09-01 14:32:07Z\",\"trace_id\":\"932e7194-2ba8-4098-813e-343df05a2900\",\"correlation_id\":\"-4a25-ad3f-160f98c9fd9e\",\"error_uri\":\"https://login.windows.net/error?code=700027\"}"

Seeing the Config and also see the issue here — Client assertion contains an invalid signature. [Reason – The key used is expired–

As I did not update the agent the certificate got expired make sense.

But the device has already the new agent So reconnect ? but how ?

Looking at the Config I see all the details how the agent is been registered and the resource group etc

C:\ProgramData\AzureConnectedMachineAgent\Config

agentconfig.json

{"subscriptionId":"f34","resourceGroup":"AzureBackupRG_westeurope_1","resourceName":"Hyperv1201","tenantId":"0b1","location":"westus2","vmId":"9659193c-f4d8-4a77-b8f9baad507ce9a9","certificateThumbprint":"c2fa453dd43c16e584868c1c762dc91ebec63232","clientId":"0-f012-45ae-8a92-1045e"}

Let me open powershell and maybe I got more details. and reactivate the Agent

With the azcmagent command you can get more details.

image

let me get all the logs

azcmagent logs

image

now we have all the logs in a zip file this could be handy for a next time.

Azure Arc-enabled server

As I reconfigure the agent with the following command

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect –resource-group "AzureBackupRG_westeurope_1" –tenant-id "your tenant id" –location "westus2" –subscription-id "errryh934" –verbose

With the reconnect we need to log in again and all goes well

imageimage

But in the logging there is suddenly another error

image

When looking here I see there is an Azure Policy that demands a TAG and this is currently not available on the resource group So I Can’t onboard my Azure Arc server.

Thought this was about an Agent that has an expired Certificate.

Azure Arc-enabled server

Seems there is a Azure policy that is blocking as the hyperv1201 has no tags set the mvpdc02 has only a tag set.

image

image

image

After a quick change I rerun the command line and it worked perfectly and it showed up in the console again.

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect –resource-group "MVPRSG-Azure-Arc" –tenant-id "3078684f-d143-440a-ae40-d391a79950b1" –location "West US 2" –subscription-id "df1e2f32-7adf-48f6-b969-f02376152934" –verbose

image

Starting client connection on: \\\\.\\pipe\\himds"
time="2021-09-01T17:12:53+02:00" level=debug msg="Awaiting status message from agent…"
time="2021-09-01T17:12:53+02:00" level=debug msg="Status Message received"

image

As I have a second machine with the same issue I removed the machine directly in the arc portal and rerun the registration as the agent was also already installed. (this would be the quick fix for this)

Azure Arc-enabled server

Perfect reconnecting and waiting for the Agent.

Azure Arc-enabled server

Now I can look at the Azure Arc Insights again.

Flickr Tags: Windows Server 2022,CloudOS

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

 

Posted September 2, 2021 by Robert Smit [MVP] in Azure

Tagged with ,

Azure Firewall and starting with Azure Firewall Manager step away from Classic #Azure #Firewall #classic #policy #security #AVD   Leave a comment

In Azure there are multiple options to add a Firewall to your Azure landing zone. But the standard Azure firewall comes with an option Classic or firewall policy, and there is a good change that you already have an Azure firewall classic then you can migrate to a premium SKU see the link to get the process  https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011

image

Azure Firewall pricing

https://azure.microsoft.com/en-us/pricing/details/azure-firewall?WT.mc_id=AZ-MVP-4025011

Azure Firewall Standard

  • Stateful firewall as a service
  • Built-in high availability with unrestricted cloud scalability
  • Centralized network and application level connectivity policy
  • Threat intelligence-based filtering
  • Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways

Azure Firewall Premium (Public Preview)

  • Built-in TLS Inspection for customer’s selected encrypted applications
  • Ability to detect and block malicious traffic through advanced IDPS engine
  • Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
  • Web Categories provide enhanced content filtering capabilities
  • IDPS signatures and Web categories are fully managed and constantly updated

Initial I setup a Azure Firewall premium

image

Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.

image

As you can see there is an option standard or premium and use the Firewall policy or the Classic.  In premium there is no classic any more the only option is firewall policy.

image

Choosing the Premium and the option firewall management is gray out.

image

As I already have some Firewall policy’s I can already attach these to my new firewall, this is one of the great options, In the firewall manager you can create Firewall policy’s with out having a azure firewall running, you can already prepare the landing zone with all kind of rules .

Keep in mind that the firewall must be in the same resource group as your vnet.

image

image

Setting up a Azure Firewall with PowerShell is easy but you need to have the resources already in place

# Create the firewall
$Azfw = New-AzFirewall `
    -Name $FirewallName `
    -ResourceGroupName $rgNamevnet `
    -Location $Location `
    -VirtualNetworkName $VnetName `
    -PublicIpName $pip01 `
    -SkuTier Premium

Now that The Firewall I created We can see the policy’s attached in the Firewall manager.

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types:

Secured virtual hub

An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

Hub virtual network

This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.

Azure Firewall Premium Preview in the Azure portal | Microsoft Docs

So now that the firewall is in place and we already had an policy attached but you can change that real quick.

Go to the Firewall blade and her you can see the policy and change it directly

image

Or if you go to the firewall manager and select the virtual networks you can see a good overview of where and what is attached to the vnet

image

Remember the firewall need to be in the same resource group as your network, and there come’s also the hard part if you want to switch policy’s

image

Looking at the firewall policys from here you can add them to a hub or a vnet

image 

here you see an overview of the firewall policy’s

image

When associate a policy to a vnet or multiple vnets we got a good overview on what is available and what not.

image

Adding the Policy to a network,

image

The firewall manager blade with all the rules and options

image

You can  add rule collection groups and rule collections, In a rule collection group can hold multiple rule collections, I would advise you to build these collections as it is real handy if you want to change later some item or you want to export a collection and import them in a different collection group

Also new is the application rules here you can set web category’s that are allowed or denied.

image

using the application rules with the internet categories is still in preview but is a great addition for Azure virtual desktop #AVD

image

Setting up the web categories is easy selectable in the destination type. and then select one or multiple.

imageimage

Remember the naming if you want to find this later in your rules, keep it clean and neat

image

Keep in mind that when you are selecting multiple categories the naming field is also corresponding to that 

Removing the Firewall does not mean that you will loose the policy’s  or removing the policy and loose the firewall unless…

image

Keep in mind when you remove a policy and you will set the little checkbox the firewall will be removed. If it is added to multiple vnets you may have a failure on the firewall deletion as there is still a policy attached

Overall the firewall manager is a great step to a modern security management in Azure, there a multiple items that I could wish for in the Firewall manager like management of all the NSG’s who nice would that be and traffic logging etc one thing is clear Azure is getting better and better and true the more options we get the more complex items we are building, and that’s fine keeps me off the streets and my work is never gets boring

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

 

Posted June 28, 2021 by Robert Smit [MVP] in Azure

Tagged with ,

Step by Step Create a User P2S VPN using Azure Secured Virtual Hub and Azure Active Directory #SDWAN #Azure #Secure   Leave a comment

There are multiple ways on how to use a VPN and how to connect and use this. In this blog I use an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.

When connecting to your Virtual Hub over the IKEv2 protocol, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication.

I will use the open VPN with Azure Active Directory authentication. Remember this is only supported on Windows 10 as you will need the Azure VPN client from the microsoft store.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

For giving the vpn application the proper permissions, you need to register the application to your Azure AD first.

below is the default URL that can be used to trigger the registration, use the proper rights to create an enterprise App in you Azure AD

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Sign in with the proper credentials

image

Using the wrong account will end up in

AADSTS50020: User account  from identity provider ‘live.com’ does not exist in tenant ‘Microsoft’ and cannot access the application ‘4b4′(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

When Accepted the you will be redirected to the Azure portal.

image

In the Azure portal you can go to the Azure active directory and

Enterprise applications | All applications  and search for Azure VPN

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Now that the basics are in place, we can configure our Site to Site VPN profile the following information is needed.

Go to your Virtual Wan and select the user VPN configuration

imageimagehttps://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Create User VPN ##### I noticed during the writing of this blog post the screens may differ as the portal changed the layout#######

  • Configuration name – Enter the name you want to call your User VPN Configuration.
  • Tunnel type – Select OpenVPN.
  • Authentication method – Select Azure Active Directory.
  • Audience – Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
  • Issuerhttps://sts.windows.net/tenantID/
  • AAD Tenanthttps://login.microsoftonline.com/TenantID

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select open VPN

go to the Azure Active Directory <> properties and grab the Tenant ID

image

image

Set the switch to yes and new fields will open.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

 

#the number is your tenant ID

image

Now that the VPN user profile is created we can configure the HUB

image

Now that the user vpn profile is created we can create the P2S VPN.  Select your hub

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select the user VPN point to site VPN  select create

image

Creating a VPN gateway you need to select the just created User profile.  

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select a proper IP subnet and if needed a DNS server for the workload into that network

Updating a hub can take 30 minutes or more.

image

Download User VPN profile as we need this on the Windows 10 client later.

Use the VPN profile to configure your clients.

  1. On the page for your Virtual WAN, click User VPN configurations.
  2. At the top of the page, click Download user VPN config.
  3. Once the file has finished creating, you can click the link to download it.
  4. Use the profile file to configure the VPN clients.

imageimage

To download the Azure VPN client on your windows 10 test device.

Use this link to download the Azure VPN Client.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011image

Open the VPN Client you can add a new VPN or import a Connection

image https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

For Importing the Connection we need the just downloaded zip file and extract this in the AzureVPN folder there is a XML that holds the vpn configuration.

image

image https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

 

If any thing goes wron with the import it is 99% your pbk file,

 

image

go to the following folder and delete the files – this will probably also remove your other vpn connections it you had any.

%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

C:\Users\admin\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState

imageimage

Now that the Import worked and you are ready to connect to the VPN in Azure.

image

  Use your Azure AD credentials or your FIDO2 key

imageimage

 

image

  Now we are fully connected to the Secure Virtual WAN in Azure

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

It can take some time to see your connection in the portal

image

Showing the above it all is easy to setup this but I already see the questions yes but I need to do this on 5000 Windows 10 devices.  

Microsoft Endpoint Management is your best friend.

Deploy VPN with Microsoft Endpoint Management 

We create a Custom Template and do not select the VPN option as this is not for uploading the XML

image

image

In our Custom settings we add the Following settings

  • Name: Enter a name for the configuration.
  • Description: Optional description.
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/demo01_hub-weu/azurevpnconfig.xml (this information can be found in the azurevpnconfig.xml file in the tag Name).
  • Data type: String (XML file).

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Now that this is done we can create some assign ments and test this on the pilot group

image

 

As you can see there are a few steps involved and are linked together

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

 

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted May 24, 2021 by Robert Smit [MVP] in Azure

Tagged with ,

Distributed Application Runtime Dapr version 1.0 #Dapr #Azure #Kubernetes #DevOps #Developers #Microservices #AzOps   Leave a comment

Dapr is an open source, portable, event-driven runtime that makes it easy for developers to build resilient, microservice stateless and stateful applications that run on the cloud and edge. Dapr embraces the diversity of all programming languages and developer frameworks and simplifies building applications.

https://docs.dapr.io/getting-started/

Dapr building blocks

 

  • Service Invocation – Resilient service-to-service invocation enables method calls, including retries, on remote services wherever they are running in the supported hosting environment.
  • State management – With state management for key/value pairs, long running, highly available, stateful services can be easily written, alongside stateless services in the same application. The state store is pluggable and can include Azure Cosmos or Redis, with others such as AWS DynamoDB on the component roadmap.
  • Publish and subscribe messaging between services – Publishing events and subscribing to topics between services enables event-driven architectures to simplify horizontal scalability and make them resilient to failure.
  • Event driven resource bindings – Resource bindings and triggers build further on event-driven architectures for scale and resiliency by receiving and sending events to and from any external resources such as databases, queues, file systems, blob stores, webhooks, etc. For example, your code can be triggered by a message on an Azure EventHub service and write data to Azure CosmosDB.
  • Virtual actors – A pattern for stateless and stateful objects that make concurrency simple with method and state encapsulation. Dapr provides many capabilities in its virtual actor runtime including concurrency, state, life-cycle management for actor activation/deactivation and timers and reminders to wake up actors.
  • Distributed tracing between services – Easily diagnose and observe inter-service calls in production using the W3C Trace Context standard and push events to tracing and monitoring systems.

 

image

 

You can read more about Dapr at http://dapr.io, get started with code and samples at https://github.com/dapr/dapr and reach out on gitter.im/Dapr or Twitter @daprdev.

 

Getting started with Dapr is easy and you can start with a few steps described below

How to get up and running with Dapr in minutes

The following steps in this guide are:

  1. Install the Dapr CLI
  2. Initialize Dapr
  3. Use the Dapr API
  4. Configure a component
  5. Explore Dapr quickstarts

 

 

powershell -Command "iwr -useb https://raw.githubusercontent.com/dapr/cli/master/install/install.ps1 | iex"
 
image
 
Important is to close the powershell window and reopen this. Else the module won’t be active
 
 
type dapr
 
 
image
 
Open Powershell 
 
type dapr
 
 

dapr

         __
    ____/ /___ _____  _____
   / __  / __ ‘/ __ \/ ___/
  / /_/ / /_/ / /_/ / /
  \__,_/\__,_/ .___/_/
              /_/

======================================================
A serverless runtime for hyperscale, distributed systems

Usage:
  dapr [command]

Available Commands:
  completion     Generates shell completion scripts
  components     List all Dapr components
  configurations List all Dapr configurations
  dashboard      Start Dapr dashboard
  help           Help about any command
  init           Setup dapr in Kubernetes or Standalone modes
  invoke         Invokes a Dapr app with an optional payload (deprecated, use invokePost)
  invokeGet      Issue HTTP GET to Dapr app
  invokePost     Issue HTTP POST to Dapr app with an optional payload
  list           List all Dapr instances
  logs           Gets Dapr sidecar logs for an app in Kubernetes
  mtls           Check if mTLS is enabled in a Kubernetes cluster
  publish        Publish an event to multiple consumers
  run            Launches Dapr and (optionally) your app side by side
  status         Shows the Dapr system services (control plane) health status.
  stop           Stops multiple running Dapr instances and their associated apps
  uninstall      Removes a Dapr installation

Flags:
  -h, –help      help for dapr
      –version   version for dapr

Use “dapr [command] –help” for more information about a command.
subcommand is required

 
 
dapr init
 

PS C:\Windows\system32> dapr init
Making the jump to hyperspace…
Downloading binaries and setting up components…
Unable to find image ‘openzipkin/zipkin:latest’ locally
latest: Pulling from openzipkin/zipkin
docker: no matching manifest for windows/amd64 10.0.17763 in the manifest list entries.
See ‘docker run –help’.

 
 
 

Quickstarts and Samples

 
You can try out the Dapr quickstarts right here to begin your own personal journey into Microservices on Azure. 
 
 
 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted February 17, 2021 by Robert Smit [MVP] in Azure

Tagged with

Windows Virtual Desktop metadata now available in West Europe #WVD #Azop #Azure #VDI #CloudComputing #metadata   Leave a comment

 

When Creating a new windows virtual desktop I noticed that the meta locations are also available in europe.

When creating a new WVD host pool you can select the Metadata location. this is a great option as many customers ask me why is this in a non europe location, and can this be changed.

Well there are now 2 europe locations

image

Creating a new Host pool

image

 

An overview from the Host pools and now also one in europe

image

Metadata will be stored in Azure geography associated with (Europe) West Europe

How ever not everything is updated yet

image

Source : Azure Products by Region | Microsoft Azure

 

Changing the Host pool location with the Update-azwvdhostpool is not possible

image

 

The –location option is not a valid option.

image

 

It is nice to see the meta data is stored in europe and with this Windows virtual desktop is getting better and better all the time.

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted February 17, 2021 by Robert Smit [MVP] in Azure

Tagged with

  • Twitter

  • RSS Azure and Microsoft Windows Server Blog

  • %d bloggers like this: