Setting Azure Point to Site VPN

Posted: October 22, 2017 in Azure

A Point-to-Site (P2S) configuration is a secure connection from an individual client
computer to a virtual network. P2S is a VPN connection over SSTP (Secure Socket Tunneling
Protocol).

In this example I connected my home Windows 10 laptop to the Azure infrastructure via VPN (not via an Azure public IP)

Creating Azure Virtual Network

New-Virtual Network

Creating Azure Virtual Network Gateway

The Virtual Network Gateway handles connections from outside into Azure (it acts as the edge router/firewall of the Azure network)

SKU-Pricing category

Create public IP

And gateway

Click create

While the gateway is being created, create the certificates on the Windows 10 machine

Download the ADK (needed for the makecert.exe tool)

After the ADK is installed, go to the tool’s path

cd 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64'
# Create root certificate
.\makecert.exe -sky exchange -r -n "CN=LabRootCA1" -pe -a sha1 -len 2048 -ss My "LabRootCA"
# Create client certificate
.\makecert.exe -n "CN=VPNtoAzure" -pe -sky exchange -m 96 -ss My -in "LabRootCA1" -is my -a sha1

 

Export root certificate

Right click Root CA-All tasks-Export

Open certificate with notepad

 

Go to Azure gateway-Point-to-site-configuration

 

Specify the address pool, paste the key from Notepad, click Save and download the VPN client
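The same two certificates can be produced without makecert.exe (which Microsoft has deprecated) and with SHA-256 instead of SHA-1. This is an added example, not part of the original post: it uses the built-in New-SelfSignedCertificate cmdlet with the post's subject names, and the 12-month client lifetime and the variable names are assumptions.

```powershell
# Added example, not from the original post.
# Root certificate: self-signed, SHA-256, 2048-bit key, allowed to sign certificates
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=LabRootCA1' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate signed by the root. EKU 1.3.6.1.5.5.7.3.2 = Client Authentication.
# The 12-month lifetime is an assumption; the makecert call in the post used 96 months (-m 96).
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=VPNtoAzure' -DnsName 'VPNtoAzure' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -NotAfter (Get-Date).AddMonths(12) `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Fail early if the pair is not what the gateway will accept
if ($client.Issuer -ne $root.Subject) {
    throw 'Client certificate was not issued by the root certificate'
}
if ($root.SignatureAlgorithm.FriendlyName -notmatch 'sha256') {
    throw "Unexpected signature algorithm: $($root.SignatureAlgorithm.FriendlyName)"
}

# Public part of the root certificate as one Base64 line
# (no BEGIN/END markers, no private key); this is the value pasted into
# the point-to-site configuration of the gateway.
$rootBase64 = [Convert]::ToBase64String($root.RawData)
$rootBase64 | Set-Clipboard
```

Only the root's public data goes to Azure; the root private key stays in the local certificate store and is what lets anyone holding it mint further client certificates for this VPN.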

 

I created an Azure VM

 

From my laptop I used the private IP (10.0.0.4) to connect to the Azure VM

 

Creating and configuring Azure Storage

Posted: October 20, 2017 in Azure

New-Storage-Storage Account

Installing AzCopy

AzCopy is a command-line utility designed for copying data to and from Microsoft Azure Blob, File, and Table storage using simple commands

Download and install tool from here

Creating system variable for AzCopy

In System Properties, on the Advanced tab, click Environment Variables

Under System variable click New

Give the variable a name and a value (with quotes)

"C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy"

Sign out and sign in to apply the changes; to test it, type %azcopy% in cmd

Creating folder in Azure

Add-AzureAccount

# Declare variables for the storage account, the file share and the folder
$storageAccountName = "mystorage102017"
$shareName = "assets"
$folderName = "invoices"

# Get the storage account key and context
$storageAccountKey = (Get-AzureRmStorageAccountKey -Name $storageAccountName -ResourceGroupName myrg1).Value[0]
$ctx = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
# Create a share
$s = New-AzureStorageShare -Name $shareName -Context $ctx
# Create a new folder in the share
New-AzureStorageDirectory -Share $s -Path $folderName

Upload files to Azure

All Resources-Storage Account-Files

Copy files to Azure

The destkey can be found by clicking Access keys in the storage account properties

%AzCopy% /Dest:https://mystorage102017.blob.core.windows.net/asset-images /destkey:yS+7qMMIdhGwGYr+ssLnCCOiRt+oe2Ii/6Cco9ID8msrFna5UI9F73MEX8lAOOzPjcDJYF7EJOevoVTdreWdLg== /Source:"C:\Users\asset-images"

Uploaded files are not visible by default

To enable access we need to create a shared access signature (SAS) by clicking Shared access signature; here we can set the permission level and the SAS expiry date

Click Generate SAS and copy it somewhere

Copy the link of the file we want to give access to

and append the SAS token

https://mystorage102017.file.core.windows.net/assets/Invoice00001.docx?sv=2017-04-17&ss=bfqt&srt=sco&sp=r&se=2017-10-20T07:35:21Z&st=2017-10-18T23:35:21Z&spr=https&sig=Ns3B6Z66AL3iTQMtIQaqT47cW3zNCGsyxTqIJpuF1O8%3D
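What the appended token grants can be read from its query string. The following added example (not from the original post) decodes an account SAS URL and lists everything that is broader than the single file it is attached to; the function name Get-SasReview is hypothetical, and the sample URL is constructed from the post's parameters with the signature replaced by a placeholder.

```powershell
# Added example, not from the original post: review what an account SAS URL grants.
Add-Type -AssemblyName System.Web

function Get-SasReview {   # hypothetical helper name
    param([Parameter(Mandatory)][uri]$Url)

    $q = [System.Web.HttpUtility]::ParseQueryString($Url.Query)
    $serviceNames  = @{ b = 'Blob'; f = 'File'; q = 'Queue'; t = 'Table' }
    $resourceNames = @{ s = 'Service'; c = 'Container'; o = 'Object' }
    $inv = [cultureinfo]::InvariantCulture

    # ss = signed services, srt = signed resource types (one letter each)
    $services  = @("$($q['ss'])".ToCharArray()  | ForEach-Object { $serviceNames["$_"] })
    $resources = @("$($q['srt'])".ToCharArray() | ForEach-Object { $resourceNames["$_"] })
    $expiry = [datetimeoffset]::Parse($q['se'], $inv)
    # st is optional; without it the token is valid from the moment it is issued
    $start  = if ($q['st']) { [datetimeoffset]::Parse($q['st'], $inv) } else { $null }

    $findings = @()
    if (-not $q['ss'])         { $findings += 'No ss field: this is a service SAS, scoped by sr instead' }
    if ($services.Count -gt 1) { $findings += "Valid for $($services.Count) services, not only the one in the URL" }
    if ($resources -contains 'Service' -or $resources -contains 'Container') {
        $findings += 'Service/container-level operations allowed, not just the object'
    }
    if ($q['sp'] -ne 'r')      { $findings += "Permissions '$($q['sp'])' go beyond read" }
    if ($q['spr'] -ne 'https') { $findings += 'Plain HTTP is accepted' }

    [pscustomobject]@{
        Endpoint      = $Url.Host
        Path          = $Url.AbsolutePath
        Services      = $services -join ', '
        ResourceTypes = $resources -join ', '
        Permissions   = $q['sp']
        LifetimeHours = if ($start) { [math]::Round(($expiry - $start).TotalHours, 1) } else { $null }
        Expired       = $expiry -lt [datetimeoffset]::UtcNow
        Findings      = $findings
    }
}

# Constructed sample: the post's SAS parameters, signature replaced by a placeholder
$sample = 'https://mystorage102017.file.core.windows.net/assets/Invoice00001.docx' +
          '?sv=2017-04-17&ss=bfqt&srt=sco&sp=r&se=2017-10-20T07:35:21Z' +
          '&st=2017-10-18T23:35:21Z&spr=https&sig=SIGNATURE_PLACEHOLDER'
Get-SasReview -Url $sample | Format-List
```

An account SAS is signed directly with the storage account key, so the only way to revoke one before its expiry is to regenerate that key.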

Accessing share from Azure VM

net use z: \\storage_account.file.core.windows.net\assets /u:storage_account

 

When prompted, enter the storage key

 

A virtual machine scale set allows us to deploy and manage a set of identical, auto-scaling virtual machines. We can scale the number of VMs in the scale set manually, or define rules to autoscale based on resource usage such as CPU, memory demand, or network traffic.

In the Azure portal click New and type vmss

Set the number of VMs, instance size, public IP name, allocation method and domain name

We can also specify number of placement groups

Next, we need to set the virtual machine scale set name, choose the OS image and specify the resource group

Specify the maximum number of VMs and the scale-out settings (if CPU usage exceeds 75 %, 1 machine will be added; if it falls below 75 %, 1 will be removed)

To RDP to an instance, click on Load balancers-Inbound NAT rules to see the port for the connection; we can use the IP or the DNS name

Let’s say we installed IIS on one instance; how can we access it:

# Get the load balancer
$lb=Get-AzureRmLoadBalancer -Name myscalesetLb -ResourceGroupName myrg1

# Get the frontend IP configuration
$lbfec=Get-AzureRmLoadBalancerFrontendIpConfig -LoadBalancer $lb

# Get the backend IP pool
$bep=Get-AzureRmLoadBalancerBackendAddressPoolConfig -Name bepool -LoadBalancer $lb

# Create a load balancer health probe on port 80
Add-AzureRmLoadBalancerProbeConfig -Name myHealthProbe -LoadBalancer $lb -Protocol tcp -Port 80 -IntervalInSeconds 15 -ProbeCount 2

# Create a load balancer rule to distribute traffic on port 80
Add-AzureRmLoadBalancerRuleConfig -Name myLoadBalancerRule -LoadBalancer $lb -FrontendIpConfiguration $lb.FrontendIpConfigurations[0] -BackendAddressPool $lb.BackendAddressPools[0] -Protocol Tcp -FrontendPort 80 -BackendPort 80

# Update the load balancer configuration
Set-AzureRmLoadBalancer -LoadBalancer $lb

 

Try to access from the outside by IP or DNS name:

 

High Availability in Azure

Posted: October 15, 2017 in Azure

Concepts

  • Load balancer can include one or more frontend IP addresses, otherwise known as virtual IPs (VIPs). These IP addresses serve as ingress for the traffic.
  • Back-end address pool – these are IP addresses associated with the virtual machine Network Interface Card (NIC) to which load is distributed.
  • Load balancing rules – a rule property maps a given frontend IP and port combination to a set of backend IP addresses and port combination. A single load balancer can have multiple load balancing rules. Each rule is a combination of a frontend IP and port and backend IP and port associated with VMs.
  • Probes – probes enable you to keep track of the health of VM instances. If a health probe fails, the VM instance is taken out of rotation automatically.
  • Inbound rules – NAT rules defining the inbound traffic flowing through the frontend IP and distributed to the backend IP.

Creating Availability Set

An availability set is a logical grouping of 2 or more Azure VMs. While placing your virtual machines into an availability set does not protect your application from operating system or application-specific failures, it does limit the impact of potential physical hardware failures, network outages, or power interruptions.

In Azure portal click New-Availability set

Give it name and specify Resource Group

A fault domain defines a set of Hyper-V hosts that could be affected by a physical failure such as a power source or network failure. 2 VMs in the same availability set means Azure will provision them into 2 different racks, so that if, say, the network or the power failed, only one rack would be affected.

An update domain is a set of physical hosts that the Azure fabric can update and reboot at the same time without disrupting the VMs’ availability. Upgrade domains exist so that when Microsoft rolls out a new software feature or bug fix, each upgrade domain is upgraded at a different time. This ensures that if you have at least 2 instances, your service will never go down as the result of an upgrade.

Create 2 VMs and associate them with the availability set

Specify Availability Set

Creating Load Balancer

Click New and type Load balancer

Create New Load Balancer IP

Creating Backend Pool

All resources-Load Balancers-click on Load Balancer

Click on Backend pools-Add

Select the availability set, add a target network IP configuration and add the VMs

Creating Health Probes

These VMs will host a web site, so we need to define criteria for availability

Under Load balancers click on the LB, then in its properties click Health probes-Add

Protocol HTTP-port 80

Set the check interval and the number of checks after which the load balancer will consider a node unhealthy

Creating Load Balancer Rules

Click on Load balancing rules under Load balancing properties

Select the port, backend pool and health probe

Installing IIS on VM’s

We’ll use desired state configuration (DSC)

IISinstall.ps1 will be pushed to both VM’s

Configuration IISInstall
{
    Node localhost
    {
        WindowsFeature IIS
        {
            Name = "Web-Server"
            Ensure = "Present"
        }
    }
}

To apply DSC to Azure Resource manager we’ll use another script:

Login-AzureRmAccount

Get-AzureRmSubscription

$resourceGroupName = (Get-AzureRmResourceGroup).ResourceGroupName
$location =(Get-AzureRmResourceGroup).Location

$storageAccount = (Get-AzureRmStorageAccount | Where-Object {($_.Location -eq $location) -and ($_.ResourceGroupName -eq $resourceGroupName) })[0]
$storageAccountKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccount.StorageAccountName).Value[0]

 

# we are using default container
$containerName = 'windows-powershell-dsc'

$configurationName = 'IISInstall'
# path to the previous script
$configurationPath = "C:\Users\lap-top\Desktop\IISInstall.ps1"
# publish the DSC configuration to the Azure storage account (this generates a zip file
# containing all scripts and uploads it to the storage account)

$moduleURL = Publish-AzureRmVMDscConfiguration -ConfigurationPath $configurationPath -ResourceGroupName $resourceGroupName -StorageAccountName $storageAccount.StorageAccountName -Force

#creating a shared access signature token that will provide access to archive configuration file in Azure storage account

$storageContext = New-AzureStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageAccountKey

#shared access signature is digitally signed string that identifies azure storage object
$sasToken = New-AzureStorageContainerSASToken -Name $containerName -Context $storageContext -Permission r

#creating a variable that contains settings for DSC archive,DSC configuration function and shared access token
$settingsHashTable = @{
"ModulesUrl" = "$moduleURL";
"ConfigurationFunction" = "$configurationName.ps1\$configurationName";
"SasToken" = "$sasToken"
}

$vmName1= 'your machine name'
$vmName2= 'your machine name 2'
$extensionName = 'DSC'
$extensionType = 'DSC'
$publisher = 'Microsoft.Powershell'
$typeHandlerVersion = '2.1'

Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName1 -Location $storageAccount.Location `
-Name $extensionName -Publisher $publisher -ExtensionType $extensionType -TypeHandlerVersion $typeHandlerVersion `
-Settings $settingsHashTable

Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName2 -Location $storageAccount.location `
-Name $extensionName -Publisher $publisher -ExtensionType $extensionType -TypeHandlerVersion $typeHandlerVersion `
-Settings $settingsHashTable

 

Save the script, connect to Azure and run it (for the steps to connect to Azure, see one of the previous posts)

 

Log in to machines and check IIS is installed

Configuration is imported to Azure

 

Configuring inbound rules

Add rules for accessing web site to Azure VM’s

For each VM a network security group is created (NSG; it’s a lightweight version of a firewall)

Click Inbound security rules-Add

 

Do this for every VM

Locate Load balancer’s IP by clicking on it and observe IP address

 

and test it; as long as at least one VM is running, the site will be accessible

Desired State Configuration in Azure VM

Posted: October 11, 2017 in Azure

Desired State Configurations (DSC) are PowerShell scripts that we can use to remotely configure Windows servers; for example, we can deploy server roles to multiple servers without the need to manage them directly.

In this example we’ll deploy IIS to Azure VM using DSC

Deployment script (save it with ps1 extension):

configuration TestConfig
{
    Node WebaServer
    {
        WindowsFeature IIS
        {
            Ensure = 'Present'
            Name = 'Web-Server'
            IncludeAllSubFeature = $true
        }
    }

    Node NotWebServer
    {
        WindowsFeature IIS
        {
            Ensure = 'Absent'
            Name = 'Web-Server'
        }
    }
}

I needed to name the node WebaServer, otherwise it won’t work (in fact we need to add any character between Web and Server; a bug, maybe?)

Creating automation account

We need an account under which DSC will run. In the Azure portal click New and type automation

 

Now click All Resources-Automation Account

DSC configuration-Add Configuration

 

Upload deployment script and click compile (a mof file will be created in Azure automation DSC server)

 

Once job completed click on it

 

To see compilation details

 

Under the automation account properties click DSC node configuration to see the available configurations. In this example we have one which will install IIS and one which will remove it if it’s installed; my VM has no IIS, so I’ll assign the first configuration

 

Click DSC nodes-Add azure VM

 

Click Connect and from the drop-down menu on the right choose the configuration name (I need to install IIS, so I chose WebaServer), then click OK

 

After some minutes configuration should be deployed to Azure VM

 

Check it Out !

 

Log in to Azure VM, check logs

 

It seems IIS was indeed installed 🙂

 

I created B1MS standard (cheapest one 🙂 )

With 126 GB of C partition

$vm=Get-AzureRmVM -ResourceGroupName example -name win2016
#stop VM
Stop-AzureRmVM -Name win2016 -ResourceGroupName example -Force
#extend disk to 2TB
$vm.StorageProfile.OsDisk.DiskSizeGB=2048
Update-AzureRmVM -ResourceGroupName example -vm $vm
#start VM
Start-AzureRmVM -ResourceGroupName example -name win2016

We now need to expand partition

$MaxSize = (Get-PartitionSupportedSize -DriveLetter c).sizeMax
Resize-Partition -DriveLetter c -Size $MaxSize

Monitoring Azure Web Application-Part II

Posted: October 8, 2017 in Azure

On Application properties click Application insights under monitoring-Create new resources

Under All Resources Application insight is created, click on it

Then click Availability

We can create availability test for our application,click Add test

Select test criteria and location which will be tested

After 20 minutes I got the first results

Getting log files

We can download log files locally:

On the local machine open PowerShell as administrator (for details on how to log on to Azure, see this post)

import-module azure,azurerm
add-azureaccount
$sub=(Get-AzureRmSubscription).Name
Select-AzureSubscription -Default -SubscriptionName $sub
save-AzureWebsiteLog -Name 'moja-aplikacija' -Output 'c:\1.zip'

For real-time logging:

Get-AzureWebsiteLog -name 'moja-aplikacija' -tail

Creating Alerts

We can also create alerts for web application, from application properties click Alerts

Select metric

And trigger for alert

For this test I set a really low threshold and after some seconds I got a notification

Diagnostic

We can also see diagnostic and hints for improving web application performance

Under application properties click Diagnose and solve problems
