Posts tagged Windows Azure Pack

Windows Azure Pack Remote Console – Create the RD Gateway Farm with PowerShell

 

The community is all about sharing knowledge and helping each other. One of those super motivated community members is Carsten Rachfal. I finally met him at the MVP summit. Somewhere during that week we had to walk from one building to another. I noticed he was dragging along a mobile office. Carsten explained that it contained his complete datacenter. Or to be more precise, a laptop with some crazy specs that contained the complete Cloud OS. He did a lot of work creating a completely automated installation of all the Cloud OS components with HA, and performed the functional configuration to end up with an environment that was demo or (if it wasn’t for the hardware) even production ready. Not a single click needed after the deployment process. There was one piece missing in his complete puzzle.


He had asked me a couple of times if I had a solution to complete his masterwork. But that is another thing about the community. Time. Somehow you never have enough of it. This week another reminder popped up in a DL and I forced it to the top of my priority list. His question was:

I want to automate the configuration of a highly available RD Gateway for Windows Azure Pack Remote Console. How can I set the RD Gateway server farm members with PowerShell?

Carsten is a smart man. He has been struggling with this issue for a couple of months and it was going to complete his masterwork. He had looked at all the possible angles already.


New blood for Hyper-V.nu

I’m very happy to announce that three very talented young men have agreed to officially start blogging for Hyper-V.nu. This time not as guest bloggers, but as official Hyper-V.nu bloggers.

If you check Hyper-V.nu on a regular basis, you will have noticed that in recent weeks very few blogs have appeared on the site. This is largely due to the enormous success of Windows Azure Pack which is more or less keeping us fully occupied.

Apart from the many CloudOS related projects that Peter Noorderijk, Marc van Eijk and I run on a daily basis, we also maintain the Azure Pack Wiki and some of the Hyper-V hotfix lists, do presentations at IT events, write books, blog for the MS Building Clouds blog, evangelize hybrid cloud with Azure Pack, and as MVPs have very regular meetings with Microsoft product teams. In other words, there are not enough hours in the day to make this all work.

So that’s enough explanation of why we need more bloggers to help fill the pages of Hyper-V.nu. In the previous year, you may have already seen several guest blogs by Darryl van der Peijl, Ben Gelens and Mark Scholman. All three also happen to be colleagues at INOVATIV, but that is not why they joined Hyper-V.nu. It is their real world experience with Azure and Azure Pack technology that makes them special and why we let them join as bloggers.

Let me quickly introduce Darryl, Ben and Mark.

Darryl van der Peijl


Darryl was working for a service provider where I met him during the deployment of what was then called Windows Azure Services for Windows Server. Darryl is a very clever young man and quickly came up to speed with the Microsoft System Center and Cloud offering. He is also very proficient in PowerShell, which is of course must-have knowledge these days. Darryl has been implementing Azure Pack ever since, often sharing scripts he developed, such as the Azure Pack Tool and the Windows Azure Pack Update Script on the TechNet Gallery. After several guest blogs, he just submitted his first blog on Scale-Out File Servers.

Darryl tweets at @DarrylvdPeijl and has his own blog at http://www.darrylvanderpeijl.nl/

Ben Gelens


I met Ben virtually via Twitter and was amazed at the quality of his blogs on VMM, storage and bare metal deployment. I praised his blogs a couple of times and got to know more of what Ben was doing. He also happens to be very versed in PowerShell and PowerShell Workflow, which is, as you might know, the center of focus in Service Management Automation (SMA), which was first exposed via the Windows Azure Pack admin portal. We then talked about several guest blogs about Bare Metal Post-Deployment using SMA and VM Role.

Ben tweets at https://twitter.com/bgelens and blogs at http://mssecbyben.wordpress.com/

Mark Scholman


Mark also quickly made a name for himself while promoting his blogs via Twitter on networking, Azure Pack, NVGRE and Network Virtualization. These are all qualities which are highly desirable if you start implementing Windows Azure Pack in the real world. Mark recently started investigating Azure Pack Websites for one of the projects we are currently engaged in. Learning and writing always ends up in a great blog for Mark, and the Installing and Configuring HA Azure Pack Websites series is just one example.

Mark tweets at https://twitter.com/markscholman and blogs at http://sysctr.nl/

Let me finish by saying that these three guys are worth following and hopefully they’ll share many blogs on Hyper-V.nu.

Hans Vredevoort
@hvredevoort

Windows Azure Pack authentication signing certificate expired

The Cloud OS was implemented in our lab environment directly after the release of the 2012 R2 bits. That was a little over a year ago. The Windows Azure Pack installer creates multiple self-signed certificates that are used for different websites. In a simple Windows Azure Pack express installation you will get fourteen self-signed certificates. Looking at these certificates you will notice two different types. Most certificates are web server certificates assigned to a Windows Azure Pack website in IIS. There are also two signing certificates. The signing certificates are used by the Windows Azure Pack authentication sites.

(Figure: Signing Certificates)

I’d like to point out that one of the post deployment tasks for every environment should be to replace the default self-signed certificates with trusted certificates. This is possible for all default certificates but not for the two signing certificates used for the authentication sites.

All self-signed certificates created by the Windows Azure Pack installer have an expiration date of one year after the deployment. If you are still using self-signed certificates and they have expired after a year, you can just delete the expired certificates from the Personal store of the computer account with a certificates snap-in in an MMC and rerun the Windows Azure Pack configuration wizard after that. My fellow MVP Stanislav Zhelyazkov has already blogged about this previously here.

Unfortunately, the self-signed authentication signing certificate is recreated from the information stored in the Windows Azure Pack database, including the original expiration date. Recreating the authentication signing certificate by deleting it from the Personal store of the computer account and running the Windows Azure Pack configuration wizard again results in the same issue: an expired self-signed authentication signing certificate.

(Figure: Expired signing certificate)

After making some changes in the database I was able to recreate the certificate with a new expiration date. But as you might know, hacking the database is not supported.

Working with some smart folks from the WAP PG, we were able to convert my unsupported database hacking and slashing into a supported procedure by using the following PowerShell script.

Designing VM Roles with SMA in mind

Blog by Ben Gelens who blogs at http://mssecbyben.wordpress.com

SMA Runbooks can be triggered by Windows Azure Pack events like VM Role creation. You can configure this by going to the VM Cloud automation tab and linking a runbook to an Azure Pack known object like “Microsoft VMRole”.

The objects have actionable events like Create, Scale, Repair and Delete. You can link one runbook per actionable event per object.

A runbook is only available to link up with an event if it is configured with the SPF tag.

With this information in mind, you can see that if you are going to build a dependency between actionable events and SMA runbooks you need to develop and commit to some standards. In this blog post I’ll show you some examples of what you could think of while developing your SMA Windows Azure Pack integration strategy for VM Roles.

Background information

In my daily job I see VM Roles being used by enterprise customers as a replacement for SCVMM service templates and VM templates. Although the VM Role is meant to be disposable, scalable, recyclable and easily replaceable, they are actually being used for VMs which will have long life spans and take advantage of some of the VM Role benefits like scaling and resource extension configuration.

Windows Azure Pack Tenant Public API new cmdlets

Two months ago I published a blog on the Windows Azure Pack Tenant Public API. This API allows you to interact with your cloud services using PowerShell over the internet with certificate authentication. The Microsoft Azure PowerShell module provided cmdlets for Windows Azure Pack as well. As you might remember from that blog, VM Role cmdlets were lacking. There was a workaround that worked but was somewhat complex to configure and maintain.

A new version of the Microsoft Azure PowerShell module has been released. This new version also contains various new cmdlets for Windows Azure Pack.

  • New-WAPackCloudService
  • Get-WAPackCloudService
  • Remove-WAPackCloudService
  • New-WAPackVMRole
  • Get-WAPackVMRole
  • Set-WAPackVMRole
  • Remove-WAPackVMRole
  • New-WAPackVNet
  • Remove-WAPackVNet
  • New-WAPackVMSubnet
  • Get-WAPackVMSubnet
  • Remove-WAPackVMSubnet
  • New-WAPackStaticIPAddressPool
  • Get-WAPackStaticIPAddressPool
  • Remove-WAPackStaticIPAddressPool
  • Get-WAPackLogicalNetwork

As you can see it also contains new cmdlets for interacting with cloud services and the VM Role.

You can download Microsoft Azure PowerShell module 0.8.6 through the Web Platform Installer with this link.

The VM Role is a custom configuration that can consist of many required and optional fields. As with the GUI wizard some values must be provided for the PowerShell cmdlet. Creating a new VM Role with the New-WAPackVMRole cmdlet requires some input.


If we take a look at the ResourceDefinition of an existing VM Role there is still some configuration required, but it is a huge improvement compared to the previous procedure.


Windows Azure Pack configuration with a named instance and a non-default SQL port

Installing Windows Azure Pack in a lab environment is relatively easy. You control all the environment variables. Changes to operating systems, required permissions or other settings are within your own hands.

How different this is when you implement Windows Azure Pack in a Service Provider or Enterprise Organization environment. All kinds of security requirements are in place. Each change in the environment is preceded by a request for change procedure. Planning, prerequisites and design documents are essential from the start of the project. If you have not invested in these upfront you will find yourself confronted with a new change each time that, in its turn, results in another RFC with accompanying handling time. Within a couple of days your teeth marks will be visible in the steering wheel of your car.

(Previously) a prerequisite for Windows Azure Pack:

  • Windows Azure Pack requires a SQL server running in mixed authentication mode and the SQL instance must be running on the default SQL port 1433

But the security policy at the Enterprise Organization or Service Provider dictates:

  • The SQL Server must be in Windows Authentication mode only, using a named instance and a non-default SQL port

Most deployments start with an installation in a development environment that reflects the production environment. In the development environment the SQL configuration that is required for Windows Azure Pack is tolerated but flagged. Once we move to production the RFC can possibly block the implementation.

I contacted the folks from the Windows Azure Pack program group a couple of months ago. They provided the means to configure Windows Azure Pack with a named instance and against a non-default SQL port. It was OK to use this configuration for the development environments, but they needed some additional testing to validate that this configuration would not break in hotfix or upgrade scenarios.

Named instance and non-default SQL port

It is now supported to configure Windows Azure Pack with a named instance and a non-default SQL port. Configure the database connection in the configuration wizard with the following format.

<SQL Server>\<Instance>,<Port number>

In this example

SQL01\hypervu,10001

(Figure: Custom SQL port)

SQL Authentication

Windows Azure Pack does still require a SQL Server in mixed authentication mode. During the installation SQL accounts are created that are used in the encrypted part of the web.config file of each Windows Azure Pack website. But if this SQL authentication discussion comes up in a project, consider this:
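Because the named instance, the non-default port and the mixed authentication mode are the three things an RFC can break, it pays to check all three before running the configuration wizard. The following script is an added example and not part of the original post or the Windows Azure Pack product; the function name Test-WapSqlTarget and the data source SQL01\hypervu,10001 are this example's own assumptions.

```powershell
# Added example (not from the original post): pre-flight check for a
# Windows Azure Pack database target in the form <SQL Server>\<Instance>,<Port number>.
# Assumes SQL01\hypervu,10001 from the post; function and parameter names are hypothetical.
function Test-WapSqlTarget {
    param(
        [Parameter(Mandatory)] [string] $DataSource   # e.g. 'SQL01\hypervu,10001'
    )

    # Split 'Server\Instance,Port' into its parts; instance and port are optional.
    if ($DataSource -notmatch '^(?<host>[^\\,]+)(\\(?<inst>[^,]+))?(,(?<port>\d+))?$') {
        throw "Data source '$DataSource' is not in the form <SQL Server>\<Instance>,<Port number>"
    }
    $sqlHost  = $Matches.host
    $instance = if ($Matches.inst) { $Matches.inst } else { 'MSSQLSERVER' }
    $port     = if ($Matches.port) { [int]$Matches.port } else { 1433 }

    # 1. Is the (non-default) TCP port reachable? With an explicit port the client
    #    does not need the SQL Browser service (UDP 1434), which is usually blocked.
    $tcp = Test-NetConnection -ComputerName $sqlHost -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ DataSource = $DataSource; Port = $port; PortOpen = $false; Instance = $instance; MixedMode = $null }
    }

    # 2. Connect as the Windows account running the script and ask SQL Server for its
    #    authentication mode. IsIntegratedSecurityOnly = 1 means Windows Authentication
    #    only, which the Windows Azure Pack configuration wizard cannot work with.
    #    Encrypt=True keeps credentials and query text off the wire; a lab instance
    #    with a self-signed SQL certificate would additionally need TrustServerCertificate=True.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Data Source=$DataSource;Integrated Security=True;Encrypt=True"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int), " +
                           "CAST(SERVERPROPERTY('InstanceName') AS nvarchar(128))"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $integratedOnly   = $reader.GetInt32(0)
        # InstanceName is NULL for the default instance.
        $reportedInstance = if ($reader.IsDBNull(1)) { 'MSSQLSERVER' } else { $reader.GetString(1) }
    }
    finally {
        $conn.Dispose()
    }

    [pscustomobject]@{
        DataSource = $DataSource
        Port       = $port
        PortOpen   = $true
        Instance   = $reportedInstance
        MixedMode  = ($integratedOnly -eq 0)
    }
}

$result = Test-WapSqlTarget -DataSource 'SQL01\hypervu,10001'
if (-not $result.PortOpen) {
    Write-Warning "TCP port $($result.Port) is not reachable; request the firewall rule before the wizard runs."
}
elseif (-not $result.MixedMode) {
    Write-Warning "Instance $($result.Instance) is Windows Authentication only; Windows Azure Pack needs mixed mode."
}
$result
```

Run it under the account that will execute the configuration wizard, so that the Integrated Security connection reflects the permissions that account actually has on the instance.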

A long time ago, Microsoft recommended “When possible, use Windows Authentication” for SQL databases. That recommendation was not based on security issues with SQL authentication. It was a best practice for applications which would work better with pass-through user authentication rather than using a service principal. That statement was interpreted by most organizations as “you should never use SQL authentication”.

Is that statement (still) true or is SQL authentication a secure choice?

The best example of using SQL authentication for databases is Microsoft itself. Microsoft Azure SQL Database (database-as-a-service) supports only SQL Server Authentication. Windows Authentication (integrated security) is not supported.

If Microsoft wasn’t comfortable using SQL authentication, they wouldn’t run a few hundred thousand SQL servers that are on the internet!

Image taken from the new Microsoft Azure Portal that is in preview.

(Figure: Azure SQL)

More Information

Windows Azure Pack, SQL Always On, Listener and Port story

Microsoft SQL Server versions supported in a Windows Azure Pack deployment

Windows Azure Pack – Active Directory Design Choices

Darryl van der Peijl wrote this great guest blog on design considerations for Active Directory in a Windows Azure Pack environment:

In this blog I will discuss different Active Directory designs, focusing on the use of Windows Azure Pack. Since Windows Azure Pack is nothing different from a regular web service, these designs can be used in a very generic way.

When talking Active Directory, we are actually talking security. The design decisions you make can have a huge impact on the vulnerability of your infrastructure.

Windows Azure Pack is offering a number of services that can be accessed from the Internet like the Tenant Portal and Tenant Public API, and don’t forget the “Remote Console” feature which will need a Remote Desktop Gateway server accessible from the Internet as well.

It is recommended to put servers in a DMZ/Perimeter network which can be accessed from the outside. Since they are reachable from the potentially ‘hostile’ external world, these servers can become subject to intrusion or hijacking by attackers. The DMZ/Perimeter network is a containment area so that a breached server does not gain immediate access to your internal infrastructure.

So, let’s get started!

I will discuss the following four different Active Directory designs and sum up the advantages and disadvantages.

  • No Active Directory in DMZ / Perimeter Network
  • Extended Forest
  • Forest with child domains
  • Isolated Forests

The following terms will be used:

  • ADDS: Active Directory Domain Services
  • DMZ / Perimeter Network: the zone for external facing services
  • Local Network: the zone for internal services
  • Local infrastructure: infrastructure (servers) in the Local Network
  • Perimeter infrastructure: infrastructure (servers) in the Perimeter Network

 

No Active Directory in DMZ / Perimeter Network

You can implement Windows Azure Pack without the use of Active Directory, so you don’t have to create a separate domain for WAP in the perimeter. Windows Azure Pack will use the local server’s Security Accounts Manager (SAM) database to authenticate identities and will use SQL authentication for the databases.

The security risk of this design is medium.

Advantages:

  • No ADDS needed (Advantage?)
  • No VMs for ADDS

Disadvantages:

  • Users and servers have to be managed locally on each server
  • You cannot set up Failover Clusters without ADDS (Hyper-V, SQL AlwaysOn, ..)
  • The Kerberos protocol or certificates are not available for local SAM authentication.
  • Centralized updates (WSUS) cannot be implemented
  • No ability to use ADFS

Note:
For Windows Azure Pack built-in functionality like “Console Connect” or “Network Virtualization” you will need to build a Hyper-V cluster.

Windows Azure Pack: Infrastructure as a Service Jump Start

Date: July 16 & 17, 2014
Time: 9am–1pm PDT
Registration page: http://www.microsoftvirtualacademy.com/liveevents/windows-azure-pack-infrastructure-as-a-service-jump-start

Alternative link: http://aka.ms/WAPIaaS

IT Pros, you know that enterprises desire the flexibility and affordability of the cloud, and service providers want the ability to support more enterprise customers. Join us for an exploration of Windows Azure Pack’s (WAP’s) infrastructure services (IaaS), which bring Microsoft Azure technologies to your data center (on your hardware) and build on the power of Windows Server and System Center to deliver an enterprise-class, cost-effective solution for self-service, multitenant cloud infrastructure and application services.


Join Microsoft’s leading experts as they focus on the infrastructure services from WAP, including self-service and automation of virtual machine roles, virtual networking, clouds, plans, and more. See helpful demos, and hear examples that will help speed up your journey to the cloud. Bring your questions for the live Q&A!

Course Outline
Day 1

  • Introduction to the Windows Azure Pack
  • Install and Configure WAP
  • Integrate the Fabric
  • Deliver Self-Service

Day 2

  • Automate Services
  • Extend Services with Third Parties
  • Create Tenant Experiences



Instructors

Andrew Zeller | Microsoft Senior Technical Program Manager

Andrew Zeller is a Technical Program Manager at Microsoft, focusing on service delivery and automation with Windows Server, System Center, and the Windows Azure Pack.

Symon Perriman | Microsoft Senior Technical Evangelist |@SymonPerriman

As Microsoft Senior Technical Evangelist and worldwide technical lead covering virtualization (Hyper-V), infrastructure (Windows Server), management (System Center), and cloud (Microsoft Azure), Symon Perriman is an internationally recognized industry expert, author, keynote presenter, executive briefing specialist, and technology personality. He started in the technology industry in 2002 and has been at Microsoft for seven years, working with multiple teams, including engineering, evangelism, and technical marketing. Symon holds several patents and more than two dozen industry certifications, including Microsoft Certified Trainer (MCT), MCSE Private Cloud, and VMware Certified Professional (VCP). In 2013, he co-authored Introduction to System Center 2012 R2 for IT Professionals (Microsoft Press) and he has contributed to five other technical books. Symon co-hosts the weekly Edge Show for IT Professionals, and his technologies have been featured in PC Magazine, Reuters News, and The Wall Street Journal. He graduated from Duke University with degrees in Computer Science, Economics, and Film & Digital Studies, and he also serves as the technical lead for several startups and entertainment production companies.

Register today!

You can help shape the future of Windows Azure Pack

Windows Azure Pack delivers Microsoft Azure technologies for you to run inside your datacenter. It offers rich, self-service, multi-tenant services and experiences that are consistent with Microsoft’s public cloud offering.

You can help shape the future of Windows Azure Pack. The Windows Azure Pack team has created a user voice site where you can post feature suggestions and vote on the suggestions of others.

You can find the Azure Pack user voice site here http://feedback.azure.com/forums/255259-azure-pack

(Figure: General)

Sign in to track your submitted ideas and comments.

When you would like to submit a new suggestion, type in one or more relevant keywords. This will automatically filter the already submitted items. If somebody else already submitted the same suggestion, it allows you to vote on that suggestion. As a signed-in user you will have a total of 10 votes. With these votes you can submit new suggestions or vote on existing ones.

Vote for existing suggestions

When you vote for existing items, you can choose to give 1, 2, or 3 votes for more weight. You are able to change your assigned votes afterwards. When suggestions are closed, the votes you assigned to that suggestion are available again.

(Figure: Vote for existing idea)

Submit a new suggestion

To submit a new suggestion, provide the title for the suggestion and optionally enter a description and category. Select to attach a file if that helps to explain the suggestion and choose how many votes you would like to put on this suggestion.

(Figure: Post new idea)

Help shape Windows Azure Pack with the user voice site http://feedback.azure.com/forums/255259-azure-pack

Windows Azure Pack Tenant Public API

Microsoft Azure and Windows Azure Pack are like two circles. These circles are moving towards each other and are already overlapping on certain parts. The CloudOS vision is those two circles completely merged into one.

(Figure: Circles)

So, when you work with Windows Azure Pack it is very interesting to keep an eye on Microsoft Azure, the public cloud solution from Microsoft. This gives a good idea of the features that are coming to Windows Azure Pack, but also gives more insight in the features that are already available in Windows Azure Pack today. In this blog we will cover a feature that is not very well known but can be very useful. The Windows Azure Pack Tenant Public API.

Most Windows Azure Pack deployments we see in production are in one way or another related to IaaS. Windows Azure Pack provides a powerful web portal that enables tenants to interact with their IaaS services. They can create, edit and delete Virtual Machines and Virtual Networks with just a few clicks.

The tenant portal experience is awesome, but there are scenarios where other methods are required. Take for example regression testing. A tenant wants to schedule a deployment for a set of virtual machines with applications. When the virtual machines are deployed, an automated procedure runs tests against the applications, which logs the performed steps to a location for evaluation. After the tests are completed the virtual machines are decommissioned again. The regression tests are scheduled by the tenants and they make changes to the tests frequently.

The first thing that comes to mind with this example is a combination of the VM Role and Service Management Automation. The VM Role allows you to deploy a virtual machine with an application. Service Management Automation enables scheduling of PowerShell workflows that can deploy the VM Roles for the tenant and run the regression tests as well.

Unfortunately in this release of Windows Azure Pack you need access to the Windows Azure Pack Admin Site to edit or schedule an SMA runbook. This requires Admin interaction for each change in the runbook or each change in the schedule, which is not an option.

Microsoft Azure provides a powerful scripting environment with Azure PowerShell. It allows tenants to interact with the services in their Microsoft Azure subscription with PowerShell cmdlets. These cmdlets can be run from a remote client. The client authenticates to the services in the subscription by using certificates. As you expect from Microsoft Azure it works after some easy steps to get the certificates configured correctly.

(Figure: WAPack)

If you have a closer look at the cmdlets within the Azure PowerShell module you will notice that there are also cmdlets that contain WAPack in their name. This looks promising.