Category Archives: Azure

Azure Powershell

Quick Tip: Listing your Shared key in Azure VPN with Multisite configuration

If you have ever configured an Azure VPN, you may have used the trick of downloading the device configuration script from the portal to obtain the shared secret for your VPN device. However, if you have a multi-site configuration, that procedure is not effective, since there is a different secret for each network. In that case, PowerShell to the rescue!

All you need to know is the name of your Azure VPN Gateway, then run the one-liner below. Make sure you are logged on to the Azure account that holds the gateway (Add-AzureAccount) and that you've selected the right subscription (Select-AzureSubscription).

(Get-AzureVNetSite -VNetName "MyVPNGateway").GatewaySites | ForEach-Object { Write-Host "Local Site: $($_.Name) Key: $((Get-AzureVNetGatewayKey -VNetName "MyVPNGateway" -LocalNetworkSiteName $_.Name).Value)" }

You'll then get a list with one entry for each local site.

Easy. Quick. PowerShell.

Hope this helps!

Azure Recovery Services

Removing ASR Protection (V2 in the new Azure Portal)

Once you are done with your ASR pilot, there is a certain order you should follow to properly disconnect your on-premises Hyper-V host.

The first general rule is: do not remove the agent before cleaning things up in the portal, or the cleanup is going to be harder. Start by deleting the configuration in this order.

– Unprotect any VMs you may be protecting:

1. Go to Replicated items in the Azure portal:

image

Click on the machine, then More Commands, then Delete:

image

Select as below:

image

This only disables the protection; if needed, the machine will still be manageable later.

Wait until the protection is disabled:

image

image

Now for the Hyper-V server. Click on Site Recovery server:

image

Then select your Hyper-V server:

image

Click Delete and OK.

image

This will remove the configuration from the local Hyper-V host.

Now you would be ready to reconfigure your host, but I will go all the way and remove the agents from it:

image

image

image

And the second one:

image

And you are in the clear! Hope this helps!

Policies Resource Manager

Azure Resource Manager Policies

In a real-world scenario, policies and restrictions will be something you are going to need on a daily basis. In times of infinite-capacity clouds, it is very important that you can control what and how much can be deployed. In the previous Azure portal, that task was very hard. The addition of RBAC (Role Based Access Control) brought an important capability to the mix. However, that was not enough to give more granular control over what kind of resources could be deployed.

Enter ARM Policies. With Policies you can essentially determine the conventions for specific subscriptions, resource groups or resources, in terms of what is allowed to be done or not.

With Policies you can, for example, determine what types of resources a user (authorized with RBAC) can deploy and to which regions.

Let’s take a look at how it is done. In my example, I will create a resource group, then restrict the types of resources you can deploy in it.

First, creating the RG:

Add-AzureRmAccount
$RG = New-AzureRmResourceGroup -Location "East US" -Name "PolicyRG"

Now, let’s define a policy. Each policy contains basically conditions and effects:

$PolicyDef1 = @"
{
  "if": {
    "not" : {
      "field" : "tags",
      "containsKey" : "costCenter"
    }
  },
  "then" : {
    "effect" : "deny"
  }
}
"@

This particular policy only allows deployment of resources that have a costCenter tag.

The next step is to create the actual policy object:

$policy = New-AzureRmPolicyDefinition -Name tagPolicyDefinition -Description "Policy to allow resource creation only with Tags" -Policy $PolicyDef1

And apply it to a certain scope. In this case, my resource group:

New-AzureRmPolicyAssignment -Name tagPolicyAssignment -PolicyDefinition $policy -Scope $RG.ResourceId

Now if you try to deploy any resource without the specific tag, you will be blocked:

image

If you use PowerShell and create, for example, an external IP with a tag, you will be OK:

$publicIP = New-AzureRmPublicIpAddress -Name $PublicIpName -ResourceGroupName $rgName -Location $locName -AllocationMethod Static -DomainNameLabel $domName -Tag @{Name="costCenter";Value="Sales"}

image

If you want a complete log of what has been denied:

Get-AzureRmLog | where {$_.OperationName -eq "Microsoft.Authorization/policies/deny/action"} 

This is great stuff. The portal doesn't let you pick a tag at creation time, so you may need to leverage PowerShell for that. Another example concerns what kind of resources you want people to deploy. Often enough, groups will only work with infrastructure elements (Compute, Storage, etc.). You don't want them to accidentally spin up a SQL Database or a Logic App. The policy below only allows specific types of resources:

{
  "if" : {
    "not" : {
      "anyOf" : [
        {
          "field" : "type",
          "like" : "Microsoft.Resources/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Compute/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Storage/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Network/*"
        }
      ]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}

Let’s apply this policy (and first remove the previous one) and test creating something fancy in our resource group. First, removing:

Get-AzureRmPolicyAssignment -Name "tagPolicyAssignment" -Scope $RG.ResourceId | Remove-AzureRmPolicyAssignment -Scope $RG.ResourceId

($RG contains my resource group object).

You will get this confirmation dialog:

image

Say yes.

Now let's add another policy (number 3, in this case).

$PolicyDef3 = @"
{
  "if" : {
    "not" : {
      "anyOf" : [
        {
          "field" : "type",
          "like" : "Microsoft.Resources/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Compute/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Storage/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Network/*"
        }
      ]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}
"@
$policy3 = New-AzureRmPolicyDefinition -Name tagPolicyDefinition3 -Description "Policy to allow resource creation only certain objects" -Policy $PolicyDef3
New-AzureRmPolicyAssignment -Name ResourcePolicyAssignment -PolicyDefinition $policy3 -Scope $RG.ResourceId

Let’s try and add a Network security group:

image

All good:

image

Now, let’s try, say, a SQL Database.

image

Details:

image

And bam! Denied!

image

image

In a nutshell, combining RBAC and Azure Resource Manager Policies gives you a lot of control and the ability to create (and enforce) governance over subscriptions, resource groups and resources.
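
To see what a rule will deny before assigning it, the two rules from this post can be evaluated offline against sample requests. This is an added example, not the author's code and not how Azure evaluates policy internally; the function names Test-PolicyCondition and Get-PolicyEffect and the sample resources are made up for illustration, and only the operators used on this page are handled.

```powershell
# Added example. Evaluates the rule JSON from this post against sample
# resources offline; supports only: not, anyOf, field + like / containsKey.
function Test-PolicyCondition {
    param($Condition, [hashtable]$Resource)
    if ($null -ne $Condition.'not') {
        return -not (Test-PolicyCondition -Condition $Condition.'not' -Resource $Resource)
    }
    if ($null -ne $Condition.anyOf) {
        foreach ($c in $Condition.anyOf) {
            if (Test-PolicyCondition -Condition $c -Resource $Resource) { return $true }
        }
        return $false
    }
    $value = $Resource[$Condition.field]            # leaf: field + one operator
    if ($null -ne $Condition.like) { return ($value -like $Condition.like) }
    if ($null -ne $Condition.containsKey) {
        return (($value -is [hashtable]) -and $value.ContainsKey($Condition.containsKey))
    }
    throw "Unsupported condition: $($Condition | ConvertTo-Json -Compress)"
}

function Get-PolicyEffect {
    param([string]$PolicyJson, [hashtable]$Resource)
    $rule = $PolicyJson | ConvertFrom-Json
    if (Test-PolicyCondition -Condition $rule.'if' -Resource $Resource) {
        return $rule.then.effect                    # "deny" for both rules here
    }
    return 'no effect'                              # condition false: request proceeds
}

$tagRule  = '{"if":{"not":{"field":"tags","containsKey":"costCenter"}},"then":{"effect":"deny"}}'
$typeRule = @'
{"if":{"not":{"anyOf":[
  {"field":"type","like":"Microsoft.Resources/*"},
  {"field":"type","like":"Microsoft.Compute/*"},
  {"field":"type","like":"Microsoft.Storage/*"},
  {"field":"type","like":"Microsoft.Network/*"}]}},
 "then":{"effect":"deny"}}
'@

# Constructed sample requests (resource type plus tags)
$samples = @(
    @{ type = 'Microsoft.Network/publicIPAddresses';     tags = @{ costCenter = 'Sales' } },
    @{ type = 'Microsoft.Network/networkSecurityGroups'; tags = @{} },
    @{ type = 'Microsoft.Sql/servers/databases';         tags = @{ costCenter = 'Sales' } }
)
foreach ($r in $samples) {
    [pscustomobject]@{
        Type     = $r.type
        TagRule  = Get-PolicyEffect -PolicyJson $tagRule  -Resource $r
        TypeRule = Get-PolicyEffect -PolicyJson $typeRule -Resource $r
    }
}
```

The script assumes strict mode is off (the PowerShell default), since it relies on missing JSON properties reading as $null.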

Hope this helps!

Azure Recovery Services Resource Manager

Azure Site Recovery–Onboarding in the New Azure portal–PREVIEW

As with many Azure features that come out, you just stumble upon them while casually browsing the (extensive) Azure portal. This was the case with the preview of Azure Site Recovery. Previously, you could see a reference to the ASM version, but it would throw you back (in time) to the old portal.

Now a real interface to configure the service has been made available. Note this is a preview and shouldn't be used in production.

It starts with creating a Vault:

image

(isn’t the little alien guy funny?)

Next you need to pick which scenario you want to use:

image

I’m going with Hyper-V Stand alone, since that’s all I can do at this time.

Next, create a Site:

image

Now you will need to install the bits to your Hyper-V hosts and use the credentials file as suggested:

image

Install the provider:

image

image

Register the Vault:

image

Done:

image

Now, to the portal! And there it is:

image

Add a Replication policy:

image

I’ve noticed the naming is more consistent with the PowerShell commands:

image

Create a Compute configuration. This is new:

image

Done:

image

Now moving to a different blade and option:

image

Enable replication through these steps:

image

Picking my usual suspect: CoreOS

image

Select storage account and OS:

image

And Replication policies:

image

[tense music plays]

image

Job completed:

image

And here is my VM being synchronized:

image

Hope this helps. I will be back with the testing procedures and how to set this up using PowerShell!

Azure PowerBI

Using Power BI to view your Azure Usage

One of the challenges of understanding your Azure usage is to decipher the usage report from the Azure Portal. And I really needed that, since I was getting past my monthly cap consistently. Since I’m not an Enterprise user that can use this FREE amazing tool, I decided to figure out what was going on with my MSDN subscription. My first step was to download the usage report from the Azure account portal:

image

then:

image

Pick Version 2 – Preview.

Once done, the CSV file you download has two parts. The first shows the summary of utilization per Meter type.

image

Actually, it is based on these 3 items:

image

These 3 together are the key to finding the utilization per resource. Column O has the Rate we need in order to find the final cost of a single resource. But why is that necessary? Look at the example below, which comes from the second part of the CSV file:

image

Note that you don’t have a cost per line, only the Consumed quantity. So, how can we know? The answer is in columns D, E and F in the second table, which are exactly the same ones used in the first table:

image

Now, if I could grab the Rate from the first table and assign it to each line on the second one based on these 3 columns, wouldn’t it be great?

Enter a slight Excel tweak and Power BI. The first thing is to extract the first piece of the CSV file and turn it into a separate tab. Let's call it RateTable:

image

Now, the remaining rows need to be alone in another tab. Let’s call it azureusage:

image

Now let’s save the CSV as an Excel file and leave it ready.

If you don’t have Power BI Desktop, go here to get it. Once there, you can just add data to it:

image

Select Excel and point to your file:

image

You should see both tabs:

image

Now click on Edit and PBI will take you to the query editor view. There, we will need to execute a few steps to get the proper information out of our data.

1. The first thing is to remove blank rows from the RateTable query:

image

Also make sure you remove unused rows, like the Daily usage title that comes originally from the initial CSV file.

2. Next, we need to create a custom column on both queries, to create a unique key (just so we can relate both of them). We will start with the query we have opened. Select Meter Name, meter sub-category and meter zone columns, in this order, and select Merge Columns:

image

Give it a name:

image

You should now see a new column there:

image

3. Repeat the process for the azureusage query:

image

4. Now let’s create a relationship between the two queries. Click on Close and Apply to save your changes:

image

Once there, click on the relationship icon: image

Once there, you can try to detect the relationship. Click on Manage Relationship up-top and then Autodetect:

image

Isn't it cool?

You could have added it manually or even just connected the fields between the two tables:

image

6. Great. Back to Edit Queries. In this step we will add the corresponding rate for each usage line, based on the type of meter (and the MeterKey) we have just created. To do that, go as follows:

– Click on Merge Queries up-top while in the azureusage query. This dialog will show:

image

Select as below (MeterKey on both of them):

image

This creates a new column. We don’t need all the tables returned. To select what we need (Rate), click on the arrows icon:

image

And select the Rate only:

image

Rename the column to Rate.

7. Now, all you need is something that calculates the cost for that entry, by multiplying the Rate by the Consumed Quantity. To do that, you click on Add Column:

image

And Add a Custom column:

image

Click Ok. Now set the type of the data in the column:

image

Now close and Apply.

8. Back in the main canvas, select a type of visualization and the Cost and Instance ID on the right side:

image

And there you have it: your cost per individual resource in Azure:

image

It is kind of a long tutorial, but it might be a good way to visualize your detailed cost per instance.

Hope this helps!

Azure Resource Manager

Azure Resource Manager– Posts Reference

Azure Resource Manager

Journey to ARM – Part V – Adding an external IP to an existing VM

Unlike in the classic model, when you create a VM it won't have an external IP you can use to access it (if you created it using the portal, yes, it will do it for you). In my case, I have migrated my VMs from the classic model using the method described in my previous articles, so no external IP for me. However, you may want to temporarily enable access to that VM.

So, without further delay, here’s how you do it.

First, as usual, some variables:

image

Then, create the actual external IP:

image

Next, you need to assign the IP to the NIC:

image

And let us not forget about security. I will create a Network Security Group, create rules to allow RDP and deny everything else from the Internet and assign it to the NIC:

image

Once applied, it should look like this:

image

Yes! It will take a minute, no downtime.

Once you are done, you might want to remove the IP and the Network Security Group.

image

You can find the script here.

Hope this helps!

Azure Resource Manager

Journey to ARM–Part IV – Creating a VM from an existing VHD

In my last blog, I showed you how to copy the storage from your previous Classic storage account to a brand new and shiny one. Now all you supposedly need is to create a new VM using that VHD.

So, a few assumptions before we get down to the nitty-gritty:

– I already have a VNET to connect my VM to;

– You know the name of the VHD the VM is going to use

The script starts by setting some variables:

image

Then I get some VNET and subnet information:

image

Then I create the NIC.

IMPORTANT NOTE! Make sure you don't name your NIC just 'nic' like I did on my first try. You may have multiple NICs inside the same resource group and you won't know which one is which.

image

Then create the VM:

image

Make sure you get rid of the previous one in the classic model.

Find the final script here.

Hope this helps!

Azure Resource Manager

Journey to ARM–Part III – Copying Storage

Previously, in the ASM2ARM saga, I created the VPN gateway I will need to connect my Azure VMs to my on-premises resources. Today I will show you how to move existing VHDs from classic storage to new ARM-based storage blobs. In my case, I have made a few assumptions:

– You have a machine in the classic model, with storage in classic mode.

– The machine is stopped

Here are a few things you will need:

– A new storage account, provisioned in ARM;

– Name and storage keys for the classic and ARM storage accounts;

– Name of the old machine and Cloud Service

The script, which was based on this article here, goes like this:

First things first, some variable definitions:

image

In this example, I’m copying the OS hard disks only. Next I will define my source and destination storage accounts and keys (don’t worry, these are not the real keys):

image

Then the actual copy:

image

This might take a while, depending on where your storage accounts are located. Since we are switching modes (classic to ARM), all your copies will likely take some time. You can use the last part of the script to monitor the progress of the copy:

image

Find the final script here.

In my next bit of ARM awesomeness, I'll show you how to create the new VM with the VHD already stored in an ARM Storage account.

Stay tuned!

Hope this helps!

Azure Resource Manager

Journey to ARM–Part II – Creating the VPN gateway

The starting point for creating a connection between an Azure VNET and your on-premises environment is a VPN gateway. In the classic Azure portal, the experience is relatively easy and well documented on the internet. As you may or may not know, there is no user interface to create the VPN gateway, so you have to use PowerShell to do so. Below you will find a script that will do it for you. Before you jump to it, take some time to understand the steps. For demo purposes, I will detail the creation of the gateway for a test VNET called overcastvnet in a resource group called demorg.

Let’s create the Resource Group and the VNET:

image

If your VNet already exists and you just need the gateway subnet to be added, you can run these lines below:

image

The next step is to create a local network, which basically tells the gateway which networks are on the other side of the connection.

image

After that, we need to create an external IP for the Azure gateway. Once provisioned, this will be the IP you are going to use on the other end (on-premises or another VNET).

image

Next, select which subnet will be used for the gateway and assign the configuration to the gateway:

image

And finally, create the gateway. Make sure you select the right type, being static or dynamic:

image

This should take a while.

The last step is to establish the actual connection:

image

And there you have it!

image

Find the script here.

The next article will discuss copying storage from your legacy storage accounts to the new ARM storage.

Hope it helps!