Category Archives: Resource Manager

Azure Resource Manager Policies

In a real-world scenario, policies and restrictions are something you are going to need on a daily basis. In times of infinite-capacity clouds, it is very important that you can control what, and how much, can be deployed. In the previous Azure portal, that task was very hard. The addition of RBAC (Role Based Access Control) brought an important capability to the mix. However, that was not enough to give more granular control over what kind of resources could be deployed.

Enter ARM Policies. With Policies you can essentially determine the conventions for specific subscriptions, resource groups or resources, in terms of what is and is not allowed to be done.

With Policies you can, for example, determine what types of resources a user (authorized with RBAC) can deploy, and to which regions.

Let’s take a look at how it is done. In my example, I will create a resource group, then restrict the types of resources you can deploy in it.

First, creating the RG:

Add-AzureRmAccount
$RG=New-AzureRmResourceGroup -Location "East US" -Name "PolicyRG"

Now, let's define a policy. Each policy basically contains conditions and effects:

$PolicyDef1=@"
{
  "if": {
    "not" : {
      "field" : "tags",
      "containsKey" : "costCenter"
    }
  },
  "then" : {
    "effect" : "deny"
  }
}
"@

This particular policy only allows deployment of resources that have a costCenter tag.

The next step is to create the actual policy object:

$policy = New-AzureRmPolicyDefinition -Name tagPolicyDefinition -Description "Policy to allow resource creation only with Tags" -Policy $PolicyDef1

And apply it to a certain scope. In this case, my resource group:

New-AzureRmPolicyAssignment -Name tagPolicyAssignment -PolicyDefinition $policy -Scope $RG.ResourceId

Now if you try to deploy any resource without the specific tag, you will be blocked:


If you use PowerShell and create, for example, an external IP with a tag, you will be OK:

$publicIP = New-AzureRmPublicIpAddress -Name $PublicIpName -ResourceGroupName $rgName -Location $locName -AllocationMethod Static -DomainNameLabel $domName -Tag @{Name="costCenter";Value="Sales"}


If you want a complete log of what has been denied:

Get-AzureRmLog | where {$_.OperationName -eq "Microsoft.Authorization/policies/deny/action"} 

This is great stuff. The portal doesn't let you pick a tag at creation time, so you may need to leverage PowerShell for that. Another example regards what kind of resources you want people to deploy. Often enough, groups will only work with infrastructure elements (Compute, Storage, etc.). You don't want them to accidentally spin up a SQL Database or a Logic App. The policy below only allows specific types of resources:

{
  "if" : {
    "not" : {
      "anyOf" : [
        {
          "field" : "type",
          "like" : "Microsoft.Resources/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Compute/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Storage/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Network/*"
        }
      ]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}

Let’s apply this policy (and first remove the previous one) and test creating something fancy in our resource group. First, removing:

Get-AzureRmPolicyAssignment -Name "tagPolicyAssignment" -Scope $RG.ResourceId | Remove-AzureRmPolicyAssignment -Scope $RG.ResourceId

($RG contains my resource group object).

You will get this confirmation dialog:


Say yes.

Now let's add another policy, policy 3 in this case.

$PolicyDef3=@"
{
  "if" : {
    "not" : {
      "anyOf" : [
        {
          "field" : "type",
          "like" : "Microsoft.Resources/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Compute/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Storage/*"
        },
        {
          "field" : "type",
          "like" : "Microsoft.Network/*"
        }
      ]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}
"@
$policy3 = New-AzureRmPolicyDefinition -Name tagPolicyDefinition3 -Description "Policy to allow resource creation only certain objects" -Policy $PolicyDef3
New-AzureRmPolicyAssignment -Name ResourcePolicyAssignment -PolicyDefinition $policy3 -Scope $RG.ResourceId
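Before testing in the portal, it helps to see how the conditions in the two policy definitions (the costCenter tag policy and the resource-type policy) actually combine. The evaluator below is an example I have added here; it is not code from the post and not Azure's own policy engine. It implements only the constructs those two definitions use ("if"/"then", "not", "anyOf", and "field" tests with "containsKey" and "like"), approximates ARM's case-insensitive "like" matching with Python's fnmatch (an assumption), and runs the same three resource shapes the post tries (a tagged public IP, an untagged NSG, a SQL database) against each definition alone and against both assigned to the same scope, where a single deny blocks the request.

```python
"""Toy evaluator for the ARM policy rule language used in this post.

Added example, not part of the original post and not Azure's policy
engine. Only the constructs the two definitions above use are handled.
All resources at the bottom are constructed sample inputs.
"""
import fnmatch
import json

# Policy 1 from the post: deny anything without a costCenter tag.
TAG_POLICY = json.loads("""
{
  "if": { "not": { "field": "tags", "containsKey": "costCenter" } },
  "then": { "effect": "deny" }
}
""")

# Policy 3 from the post: deny everything outside four resource providers.
TYPE_POLICY = json.loads("""
{
  "if": {
    "not": {
      "anyOf": [
        { "field": "type", "like": "Microsoft.Resources/*" },
        { "field": "type", "like": "Microsoft.Compute/*" },
        { "field": "type", "like": "Microsoft.Storage/*" },
        { "field": "type", "like": "Microsoft.Network/*" }
      ]
    }
  },
  "then": { "effect": "deny" }
}
""")


def evaluate_condition(cond, resource):
    """Return True when the condition matches the resource.

    Logical operators nest; a leaf is a "field" test. ARM compares
    strings case-insensitively and "like" uses '*' as its wildcard;
    lower-casing both sides and using fnmatch is a stand-in for that
    (assumption: fnmatch also treats '?' and '[...]' specially).
    """
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "field" in cond:
        value = resource.get(cond["field"])
        if "containsKey" in cond:
            # A resource created with no tags has no "tags" field to inspect,
            # so the test fails and "not" turns that into a deny.
            return isinstance(value, dict) and cond["containsKey"] in value
        if "like" in cond:
            return isinstance(value, str) and fnmatch.fnmatchcase(
                value.lower(), cond["like"].lower())
        if "equals" in cond:
            return isinstance(value, str) and value.lower() == cond["equals"].lower()
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(policy, resource):
    """Effect of one definition on one resource: "deny" or "allow".

    When the "if" block does not match, the definition does not apply,
    which is reported here as "allow".
    """
    if evaluate_condition(policy["if"], resource):
        return policy["then"]["effect"]
    return "allow"


def effect_at_scope(policies, resource):
    """Combine every assignment in scope: one deny is enough to block."""
    if any(effect_for(p, resource) == "deny" for p in policies):
        return "deny"
    return "allow"


# Constructed sample resources mirroring the post's tests.
PUBLIC_IP = {"type": "Microsoft.Network/publicIPAddresses",
             "tags": {"costCenter": "Sales"}}
NSG_NO_TAGS = {"type": "Microsoft.Network/networkSecurityGroups"}
SQL_DB = {"type": "Microsoft.Sql/servers/databases",
          "tags": {"costCenter": "Sales"}}

if __name__ == "__main__":
    for name, res in [("public IP", PUBLIC_IP), ("NSG", NSG_NO_TAGS), ("SQL DB", SQL_DB)]:
        print(f"{name:10} tag policy={effect_for(TAG_POLICY, res):5} "
              f"type policy={effect_for(TYPE_POLICY, res):5} "
              f"both={effect_at_scope([TAG_POLICY, TYPE_POLICY], res)}")
```

Running it shows why the portal-created NSG passes the type policy but would have been blocked while the tag policy was still assigned, and why the SQL database is denied by the type policy even though it carries the tag; the same dry run is a cheap way to check a new definition before you assign it to a scope where it can block real deployments.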

Let’s try and add a Network security group:


All good:


Now, let’s try, say, a SQL Database.


Details:


And bam! Denied!


In a nutshell, combining RBAC and Azure Resource Manager Policies gives you a lot of control and the ability to create (and enforce) governance over subscriptions, resource groups and resources.

Hope this helps!

Azure Site Recovery–Onboarding in the New Azure portal–PREVIEW

As with many Azure features that come out, you just stumble upon them while casually browsing the (extensive) Azure portal. This was the case with the preview of Azure Site Recovery. Previously, you could see a reference to the ASM version, but it would throw you back (in time) to the old portal.

Now a real interface to configure the service has been made available. Note that this is a preview and shouldn't be used in production.

It starts with creating a Vault:


(isn’t the little alien guy funny?)

Next you need to pick which scenario you want to use:


I'm going with Hyper-V stand-alone, since that's all I can do at this time.

Next, create a Site:


Now you will need to install the bits to your Hyper-V hosts and use the credentials file as suggested:


Install the provider:


Register the Vault:


Done:


Now, to the portal! And there it is:


Add a Replication policy:


I’ve noticed the naming is more consistent with the PowerShell commands:


Create a Compute configuration. This is new:


Done:


Now moving to a different blade and option:


Enable replication through these steps:


Picking my usual suspect: CoreOS


Select storage account and OS:


And Replication policies:


[tense music plays]


Job completed:


And here is my VM being synchronized:


Hope this helps. I will be back with the testing procedures and how to set this up using PowerShell!

Azure Resource Manager– Posts Reference

Journey to ARM – Part V – Adding an external IP to an existing VM

Unlike in the classic model, when you create a VM it won't have an external IP for you to access it (if you created it using the portal, yes, it will do that for you). In my case, I have migrated my VMs from the classic model using the method described in my previous articles, so, no external IP for me. However, you may want to temporarily enable access to that VM.

So, without further delay, here’s how you do it.

First, as usual, some variables:


Then, create the actual external IP:


Next, you need to assign the IP to the NIC:


And let us not forget about security. I will create a Network Security Group, create rules to allow RDP and deny everything else from the Internet and assign it to the NIC:


Once applied, it should look like this:


Yes! It will take a minute, no downtime.

Once you are done, you might want to remove the IP and the Network Security Group again.


You can find the script here.

Hope this helps!

Journey to ARM–Part IV – Creating a VM from an existing VHD

In my last post, I showed you how to copy the storage from your previous classic storage account to a brand new and shiny one. Now all you supposedly need is to create a new VM using that VHD.

So, a few assumptions before we get down to the nitty-gritty:

– I already have a VNET to connect my VM to.

– You know the name of the VHD the VM is going to use

The script starts by setting some variables:


Then I get some VNET and subnet information:


Create the NIC.

IMPORTANT NOTE! Make sure you don't name your NIC just 'nic' like I did on my first try. You may have multiple NICs inside the same resource group and you won't know which one is which.


Then create the VM:


Make sure you get rid of the previous one in the classic model.

Find the final script here.

Hope this helps!

Journey to ARM–Part III – Copying Storage

Previously, in the ASM2ARM saga, I created the VPN gateway I will need to connect my Azure VMs to my on-premises resources. Today I will show you how to move existing VHDs from classic storage to new ARM-based storage blobs. In my case, I have made a few assumptions:

– You have a machine in the classic model, with storage in classic mode.

– The machine is stopped

Here’s a few things you will need:

– A new storage account, provisioned in ARM;

– Name and storage keys for the classic and ARM storage accounts;

– Name of the old machine and Cloud Service

The script, which was based on this article here, goes like this:

First things first, some variable definitions:


In this example, I’m copying the OS hard disks only. Next I will define my source and destination storage accounts and keys (don’t worry, these are not the real keys):


Then the actual copy:


This might take a while, depending on where your storage accounts are located, and since we are switching modes (classic to ARM), all your copies will likely take some time. You can use the last part of the script to monitor the progress of the copy:


Find the final script here.

In my next bit of ARM awesomeness, I'll show you how to create the new VM with the VHD already stored in an ARM storage account.

Stay tuned!

Hope this helps!

Journey to ARM–Part II – Creating the VPN gateway

The starting point for creating a connection between an Azure VNET and your on-premises environment is a VPN gateway. In the classic Azure portal, the experience is relatively easy and well documented on the internet. As you may or may not know, there is no user interface to create the VPN gateway, so you have to use PowerShell to do so. Below you will find a script that will do it for you. Before you jump to it, take some time to understand the steps. For demo purposes, I will detail the creation of the gateway for a test VNET called overcastvnet in a resource group called demorg.

Let’s create the Resource Group and the VNET:


If your VNet already exists and you just need the gateway subnet to be added, you can run these lines below:


The next step is to create a local network, which basically tells the gateway which networks are on the other side of the connection.


After that, we need to create an external IP for the Azure gateway. Once provisioned, this will be the IP you are going to use on the other end (on-premises or another VNET).


Next, select which subnet will be used for the gateway and assign the configuration to the gateway:


And finally, create the gateway. Make sure you select the right type, being static or dynamic:


This should take a while.

The last step is to establish the actual connection:


And there you have it!


Find the script here.

The next article will discuss copying storage from your legacy storage accounts to the new ARM storage.

Hope it helps!

Journey to ARM–Design and Migrate

I've recently committed myself to migrating my (now former) Azure classic VM environment to the new Azure Resource Manager model. I then found out that there is no easy or 'no downtime' way to do it. There is some documentation and some interesting projects around to help with that, like the ASM2ARM project. Since I wanted to learn how the sausage is made, I've tried to come up with my own way, better or worse, so I took the Sinatra approach: I did it my way!

What is all that?

If you look at your current environment (and by that I mean in the new portal), everything is in a resource group already. Cloud Services got resource groups of their own, where you can see your old VMs, along with a Cloud Service object:


In the new ARM model, a VM like this would require a few more items, like IPs, NICs, etc. The old model made a few things easier by deploying cloud services kind of automatically, but it wouldn't create clear relationships and dependencies between the objects. Before we dive in deeply, here is how I've planned my environment.

Planning

Yes, Azure is all about flexibility and having things ready to be used. However, you still need to know what you are doing! Surprise! Well, here is how I did it. Since it is all new, I'm probably wrong, but it is all about the learning.

The things I usually keep ready in my Azure lab are:

– A Domain Controller – This DC is part of a domain, split between on-premises and the cloud (connected through a VPN).

– System Center Servers – SCOM, SCSM, SCORCH, VMM.

– Other things – test machines, Linux, website,etc.

So, my first attempt at all this will be having a basic infrastructure resource group, with my Storage Account, my Virtual Network (and VPN connection), as well as the domain controller:


Everything else that I build, unless it requires something special, should point to this infrastructure for Storage and Connectivity.

For the System Center servers, I have created another resource group for all of them. One could argue that having separate ones would make things easier to manage later. It might be true. If the number of components were bigger, I'd probably go for that. In this case, most of the VMs will have only a VM and a NIC resource:


I have added a Network Resource Group to one of the VMs basically to allow external access.

For the remainder, I will probably create separate small Resource groups or maybe a one-fits-all RG called “other”, or “miscellaneous”.

And there you have it: my whole Azure environment is fully designed. Of course this is a very simple environment, but it can get you started in the ARM way of thinking. In my next article, I will start with the basic connection between ARM and on-premises using a VPN gateway. Stay tuned!

Hope this helps!

Using JSON Edit to edit my ARM Templates

I have just seen a tweet about JSONEdit and have decided to give it a try. It can be a bit challenging to edit JSON using Visual Studio. Although you can see the tree, you can't really interact with it, like copying and editing content. My expectation is that I will be able to do that with JSONEdit.

You can download it from here: http://tomeko.net/software/JSONedit/

Installation, well, there was no installation, actually. When I ran it, I’ve got this very screamy page:


I believe I can trust it, so, let’s run it anyways.

And there you have it. Let's try opening some files. I have the files I used for my previous ARM articles. On the first try, I had this error:


And it really seems that there is something funny there:


Even after removing the characters, it won't treat this as a JSON file when asked to reformat the code:

Let’s try editing it with VS and then paste it directly to JSONEdit. Once I did that, I could easily see the tree:


The nice thing about the tree here is that you can edit the content:


You can also order the nodes and even better, copy and paste (as child or sibling):


Once you have it changed, you can paste it back to Visual Studio, for testing and deployment.

In summary, it seems like a nice tool to have if you want to make sure you are replicating whole sections, or want to better visualize some variables and resources. It seems Microsoft stores more data in the JSON files than JSONEdit understands, but it is still good to have around when you are editing ARM templates.

Hope this helps!

Azure Resource Manager–Step 3–The Load Balancer

If you checked my previous articles about the two VMs with external IPs, you may have noticed that both VMs get an external IP and that there is no TCP port restriction to them. That won’t likely be the normal situation. Very commonly, you will want something balancing the load between those two identical machines, as well as some control over the ports that can be accessed. In order to accomplish that, we will first create a SINGLE publicIP and then apply to a load balancer entity.

First things first. The Public IP configuration. What I will do is remove the loop and make it a single public IP. This is what I had:


Now, after changing:


I have also changed the variable names, to represent better what we need to have (names, not prefixes).


Next I will remove the reference from the Nics, since the VMs themselves won’t have public IPs:


However, you will need to add a dependency on the Load Balancer and assigned NAT rules and backend LB pool:


Second, we should add the load balancer itself. It is a tough cookie this one, so let’s take the “Jack the Ripper approach”: Let’s cut it into pieces.

But first, let’s take a look from a high level. Here’s the skeleton of the beast:


Important information:

1. “type”: “Microsoft.Network/loadBalancers”, –> sort of obvious.

2. "dependsOn": [ "[concat('Microsoft.Network/publicIPAddresses/', variables('PublicIPName'))]" ], –> it needs the external IP to work.

3. “frontendIPConfigurations” –> Contains the name of the external LB IP and a reference to the external IP we have created before.


4. "backendAddressPools" –> This configuration will have the name and the backend IP addresses. In this case, the names are sort of hardcoded (allowing only two IPs).


5. “inboundNatRules” –> as the name states, this will create NAT rules to allow certain protocols through the load balancer. This used to be done with a cloud service in the old service model.


Notice that I’m basically mapping Port 50001 and 50002 to 3389 through the same external IP to the respective internal VM IPs.

6.  “loadBalancingRules” –> here’s where you’ll define which ports (services) will be load-balanced:


7. “probes”: And finally, how to detect the availability of the load-balanced services:


I have also added an Availability set, just so I can get guaranteed 99.95% availability:


Its location:


And assigned the VMs:


Once deployed, you’ll hopefully see this:


And this:


Now for some quick testing. Let's deploy IIS to both VMs, change the default website and test the LB. Notice that because I have an LB rule, I can connect to the VM:


Just accept the next question and there you are:


Let’s add IIS to both VMs:

Add-WindowsFeature Web-Server,web-mgmt-console

And add something to identify each one of the VMs:


Now, when opening the page from the outside:


So! That concludes our tutorial! You can find the template here.

I hope this helps!