PacITPros November Meeting Resources

This month at the PacITPros meeting, I covered several of the ways you can create virtual machines in Azure and get started doing Infrastructure as Code. For a quick summary of the various ways to do this, check out this bit of Azure documentation.

If you need to get started with Azure and don’t have a subscription yet, break out your Microsoft Account (aka LiveID, Hotmail account, etc) and pick one of these options:

Since I dove deeper on doing these deployments with ARM templates and JSON, here are some of the resources you might want to revisit (or check out if you missed the meeting).

Here is an example of the PowerShell command for getting an updated list of images for Windows Server or Ubuntu Server in a particular region:

Get-AzureRmVMImageSku -Location "west us" -PublisherName Microsoftwindowsserver -Offer WindowsServer 
Get-AzureRmVMImageSku -Location "West US" -PublisherName Canonical -Offer UbuntuServer

Finally, here is my “cheat sheet” of PowerShell commands to connect to your Azure account and deploy a template.

Login-AzureRmAccount
Get-AzureRmSubscription

$VSSubID = "7ebd5b2e-7d4b-49xe-bab6-4d593ed76x41" # copy the sub-id from the previous command
Set-AzureRmContext -SubscriptionID $VSSubID

# get the "raw" URL from GitHub for the template you want to deploy and break it up as follows:

$assetLocation = "https://raw.githubusercontent.com/techbunny/Templates/master/multiple_nano_server/" 
$templateFileURI  = $assetLocation + "nanoslabdeploy.json"  # deployment template
$parameterFileURI = $assetLocation + "SVCC.parameters.json" # parameters file

$RGName = "PacITPros"  # set your resource group name
New-AzureRmResourceGroup -Name $RGName -Location "West US"  # create your resource group

# deploy the template!
New-AzureRmResourceGroupDeployment -ResourceGroupName $RGName -TemplateParameterUri $parameterFileURI -TemplateUri $templateFileURI -verbose

Deconstructing JSON: Tale of Two VNETs (Linked templates with VNET peering!)

The last month or so has been packed with announcements and training! I’ve been to Ignite in Atlanta, as well as some internal training and some fun community events.  Finally, I’ve had some time to sit down and work on trying out a few things.  If you missed the announcement around Ignite time, Azure VNET Peering is now generally available.   With peering, you can now link virtual networks together without having to set up multiple VNET gateways.

This peering feature can be set up using the Azure Portal, but what fun is that, right?  Let’s do it with some ARM templates instead.  My goal was to create two VNETs with different address spaces (you can’t peer networks with an overlapping address space) then peer them together.  I could do this with one big template, but I wanted to also take some time to try out linking templates together – where one parent template calls others.  I also wanted to take advantage of parameters files to create the different VNETs.

For this example, I ended up with five JSON files:

  • azuredeploy.json – The deployment template for one VNET
  • vnet1.parameters.json – The parameters file for VNET1
  • vnet2.parameters.json – The parameters file for VNET2
  • peeringdeploy.json – Template to peer together the networks once created
  • parentdeploy.json – The template used to manage the complete deployment

Within the parentdeploy.json file we only need to define the schema and resources sections and the only resource I’m calling is the “Microsoft.Resources/deployments” type.  Within that, you’ll need to define a name, mode, template link (located in a repo or blob storage) and an optional parameters link.  For this deployment, I’m calling the deployment resource three times – once for each vnet, plus a final time to peer them. In the snippet below, you can see that I called the azuredeploy.json file and the vnet1.parameters.json file.

 { 
     "apiVersion": "2015-01-01", 
     "type": "Microsoft.Resources/deployments", 
     "name": "linkedTemplateA", 
     "properties": { 
       "mode": "Incremental", 
       "templateLink": {
          "uri":"https://raw.githubusercontent.com/techbunny/Templates/master/two_vnets_same_region/azuredeploy.json",
          "contentVersion":"1.0.0.0"
       }, 
       "parametersLink": { 
          "uri":"https://raw.githubusercontent.com/techbunny/Templates/master/two_vnets_same_region/vnet1.parameters.json",
          "contentVersion":"1.0.0.0"
       } 
     } 
  },

The second resource uses the same template link and uses the vnet2.parameters.json file.  Finally, the last one will only call the peeringdeploy.json template with no parameters file needed. Each deployment resource needs its own unique name, and you can’t directly reference anything that isn’t included in the template itself.   There are also ways to share state between linked templates to be even more “elegant” in your template creation.

Within the peeringdeploy.json template we also only need to define resources which link the newly created VNETs together. In the snippet below, you can see BigNetA (created with vnet1 parameters) being connected to BigNetB (created with vnet2 parameters).

 {
    "apiVersion": "2016-06-01",
    "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
    "name": "BigNetA/LinkToBigNetB",
    "location": "[resourceGroup().location]",
    "properties": {
        "allowVirtualNetworkAccess": true,
        "allowForwardedTraffic": false,
        "allowGatewayTransit": false,
        "useRemoteGateways": false,
        "remoteVirtualNetwork": {
            "id": "[resourceId('Microsoft.Network/virtualNetworks', 'BigNetB')]"
        }
    }
 }

Finally, as with all my previous templates, I can deploy the whole thing with just one line of PowerShell!

New-AzureRmResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri $templateFileURI -verbose
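As an added example (not code from the post or from the techbunny repo), here is how I would validate the parent template before deploying it and then confirm that the peering actually came up on both sides. The parentdeploy.json URL, the resource group name and the reverse peering name BigNetB/LinkToBigNetA are assumptions; a peering only reaches the Connected state once the matching peering exists on the remote VNET.

```powershell
# Added example: validate the parent template, deploy it, then confirm the
# peerings. $RGName and the template URL are assumptions in the spirit of the
# cheat sheet above; parentdeploy.json is assumed to sit beside azuredeploy.json.
$RGName          = "PacITPros"
$templateFileURI = "https://raw.githubusercontent.com/techbunny/Templates/master/two_vnets_same_region/parentdeploy.json"

# 1. Dry run: Resource Manager fetches the linked templates and reports
#    schema or reference errors without creating anything.
$problems = Test-AzureRmResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri $templateFileURI
if ($problems) {
    $problems | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Code, $_.Message) }
    throw "Template validation failed; nothing was deployed."
}

# 2. Real deployment of the parent template and everything it links to.
New-AzureRmResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri $templateFileURI -Verbose

# 3. A peering reports "Initiated" until the matching peering exists on the
#    other VNET and "Connected" once both sides are in place, so check both.
#    The reverse peering name is an assumption about peeringdeploy.json.
$expected = @{ "BigNetA" = "LinkToBigNetB"; "BigNetB" = "LinkToBigNetA" }
foreach ($vnet in $expected.Keys) {
    $p = Get-AzureRmVirtualNetworkPeering -ResourceGroupName $RGName -VirtualNetworkName $vnet -Name $expected[$vnet]
    # Also surface the two settings that widen what the remote VNET can do.
    "{0}/{1}: {2} (forwarded traffic: {3}, gateway transit: {4})" -f $vnet, $p.Name, $p.PeeringState, $p.AllowForwardedTraffic, $p.AllowGatewayTransit
    if ($p.PeeringState -ne "Connected") {
        Write-Warning "Peering on $vnet is not Connected; check that the reverse peering was created."
    }
}
```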

 

Nano Server Management

Where has the time gone? I looked up from my computer and the summer is nearly over! One of the things I’ve been tinkering with as of late with some of my “infrastructure as code” projects is Nano Server. Not only is Nano Server gearing up to be a great Hyper-V host and a cool place to start dabbling in containers, it’s also a great server to use when testing deployment scripts because it’s small and deploys quickly. When all I want to do is spin up and tear down to test my templates, I love being able to use a Windows server with a smaller footprint.

With Nano Server being “headless”, it only supports remote administration, so this has also led me to check out all the newish ways we can manage servers remotely. You’ll need to take a few steps so you can remotely manage a Nano Server deployed in Azure.

  1. Open NSG on Azure for the Nano Server – If you created a VM from the Azure Portal and accepted all the defaults (which include an NSG), that NSG doesn’t open the ports for WinRM by default.  It only opens RDP.  The OS firewall is open to accept WinRM and PowerShell, but the NSG blocks it.  You need to edit the NSG to include TCP ports 5985 (http) and/or 5986 (https) for remote management.
  2. Add Nano External IP Address as a Trusted Host – Since you’ll be connecting to your VM remotely over the public internet, you’ll need to add that IP address to your trusted host list on your workstation. You can do that via PowerShell or via CMD (just pick one).
    1. winrm set winrm/config/client @{ TrustedHosts="13.88.11.166" }
    2. Set-Item WSMan:\localhost\Client\TrustedHosts "13.88.11.166"

At this point you should be able to remotely connect to your Nano Server using PowerShell. On your workstation, run (replacing the IP address and username as appropriate):

$ip = "13.88.11.166"
$user = "$ip\sysadmin"
Enter-PSSession -ComputerName $ip -Credential $user
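Putting steps 1 and 2 and the connection together, as an added example rather than code from the post: the NSG rule is limited to the workstation’s own public address instead of the whole internet, TrustedHosts gets only the VM’s IP, and the session uses a credential object. The resource group, NSG name and workstation address (203.0.113.10) are assumptions; set $useSsl to $true if the VM has a WinRM HTTPS listener.

```powershell
# Added example: scope the WinRM rule to one source address, trust only this VM,
# and open the remote session. Names marked "assumed" are not from the post.
$RGName  = "PacITPros"        # assumed resource group holding the Nano VM
$nsgName = "nano01-nsg"       # assumed NSG name (the portal default is <vmname>-nsg)
$ip      = "13.88.11.166"     # the Nano VM's public IP from the post
$myIp    = "203.0.113.10"     # your workstation's public IP (constructed value)
$useSsl  = $false             # $true if the VM has a WinRM HTTPS listener
$port    = if ($useSsl) { 5986 } else { 5985 }

# 1. Add an inbound NSG rule for WinRM that allows only $myIp, not "any".
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Name $nsgName
if (-not ($nsg.SecurityRules | Where-Object Name -eq "WinRM-from-admin")) {
    $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "WinRM-from-admin" `
        -Description "PowerShell remoting from the admin workstation only" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 1010 `
        -SourceAddressPrefix "$myIp/32" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange $port | Out-Null
    $nsg | Set-AzureRmNetworkSecurityGroup | Out-Null
}

# 2. TrustedHosts is needed because the VM is not domain joined. -Concatenate
#    appends the address instead of overwriting whatever is already trusted.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ip -Concatenate -Force

# 3. Connect with a credential object; the password is prompted, not typed
#    into the script. A quick Invoke-Command proves the session works before
#    dropping into the interactive prompt.
$cred    = Get-Credential -UserName "$ip\sysadmin" -Message "Nano Server admin password"
$session = New-PSSession -ComputerName $ip -Port $port -UseSSL:$useSsl -Credential $cred
Invoke-Command -Session $session -ScriptBlock { Get-Service WinRM | Select-Object Name, Status }
Enter-PSSession -Session $session

# When finished: Remove-PSSession $session; Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
```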

You’ll be prompted for your password and then you’ll be given a remote PowerShell prompt to your Nano VM. But what if you want MORE than just a PowerShell prompt? What if you want access to event logs? Or some basic performance information? Or, dare I say, use “Computer Manager”??

You can use Server Manager tools from your workstation or you can use the Azure Server Management Tools (and Gateway).

While you’re remotely connecting to the server you want to manage, you may need to make a few other small changes, particularly if your servers aren’t domain joined or are on a different subnet than the machine you are connecting from. I recommend checking out this troubleshooting guide – https://blogs.technet.microsoft.com/servermanagement/2016/07/20/troubleshooting-problems-with-server-management-tools/

If you specify in Microsoft Azure the local administrator account to connect to the managed server, you have to configure this registry key on the managed server:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

If you are connecting from a different subnet:
NETSH advfirewall firewall add rule name="WinRM5985" protocol=TCP dir=in localport=5985 action=allow

If you want to use Computer Manager and other common Server Manager tools:
Set-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Enabled True -PassThru |
select DisplayName, Enabled

Happy Remoting!

Deconstructing JSON: Super Secrets

“Psst… Hey buddy, want to keep your plain text password in your source control?”

Hopefully, your answer is “No”, but if you’ve been following along with this JSON/ARM template series of posts, you will have noticed that I’ve defaulted to deployments with straight up, plain text usernames/passwords in my template examples. So before we go any further, let’s secure this up a bit!

Goal: Deploy a Windows Nano VM using an ARM template in GitHub without having to put the Admin username or password anywhere in plain text.

To do this, we’ll need a place to hide the secrets. In this case, we’ll use Azure Key Vault. With Key Vault, you create a resource group and vault (using PowerShell or an ARM template) and then load up some secrets or keys. You can hide basic passwords or load certificates.

I’m going to create my Key Vault using PowerShell. I’m purposely creating my vault in its own Resource Group. You can create the Key Vault in the same Resource Group as the rest of your deployment, but then if you delete the whole group during testing, you’ll have to recreate the vault each time.

  1. Log into Azure
  2. Get your Subscription details, copy the GUID of the subscription you want to use for the key vault into the $VSSubID variable.
  3. Customize the variables for the Resource Group name, Vault name and deployment region.
  4. Once the vault is created, customize the “SuperSecretPassword” and “FancyAdminName” to your liking and add those secrets to the vault.

Login-AzureRmAccount
Get-AzureRmSubscription
$VSSubID = "{subscription_guid}"  # copy the GUID from the previous command
Set-AzureRmContext -SubscriptionID $VSSubID

$RGName = "KeyVaultRG"
$VaultName = "MyVaultName"
$Location = "West US"

New-AzureRmResourceGroup -Name $RGName -Location $Location

New-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName -Location $Location

Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -EnabledForTemplateDeployment -ResourceGroupName $RGName

$secretvalue = ConvertTo-SecureString 'SuperSecretPassword' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name 'ServerAdminPassword' -SecretValue $secretvalue

$secretvalue = ConvertTo-SecureString 'FancyAdminName' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name 'ServerAdminName' -SecretValue $secretvalue

Now that my vault is created, I’ll need to edit my ARM template to grab the secrets from the Key Vault when my VM is deployed. Make the change to your parameters.json file, not your deployment template. This way you can use the same template deployment with different subscriptions and vaults easily. Instead of using the basic string type for your adminUsername and adminPassword, reference the secrets you added to the vault.

"adminUsername": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/{guid}/resourceGroups/KeyVaultRG/providers/Microsoft.KeyVault/vaults/ImperfectKeyVault"
    },
    "secretName": "ServerAdminName"
  }
},
"adminPassword": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/{guid}/resourceGroups/KeyVaultRG/providers/Microsoft.KeyVault/vaults/ImperfectKeyVault"
    },
    "secretName": "ServerAdminPassword"
  }
}
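The script above still has the secret values as literal strings in a file, and the vault id in the parameters file is typed by hand. Here is an added example (not from the post) that prompts for the values instead, checks the -EnabledForTemplateDeployment setting, and writes the keyVault references using the vault’s own ResourceId. The output file name is an assumption, and the file only carries the two admin parameters, so merge it with the rest of your parameters.

```powershell
# Added example: load the secrets without putting them in the script, then
# generate the parameters file from the vault's real resource id.
$VaultName = "MyVaultName"            # same vault as created above
$paramFile = ".\nano.parameters.json" # assumed output file name

# 1. Prompt for the values so they never sit in a script, a history file or a repo.
$adminName = Read-Host -Prompt "Admin user name" -AsSecureString
$adminPass = Read-Host -Prompt "Admin password"  -AsSecureString
Set-AzureKeyVaultSecret -VaultName $VaultName -Name 'ServerAdminName'     -SecretValue $adminName | Out-Null
Set-AzureKeyVaultSecret -VaultName $VaultName -Name 'ServerAdminPassword' -SecretValue $adminPass | Out-Null

# 2. Confirm the vault lets Resource Manager read secrets during deployment
#    (the -EnabledForTemplateDeployment setting from the post) and get its id.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
if (-not $vault.EnabledForTemplateDeployment) {
    throw "Vault $VaultName is not enabled for template deployment."
}

# 3. Emit the parameters file with keyVault references instead of string values.
#    The id comes from the vault object, so no subscription GUID is typed by hand.
function New-KeyVaultParamRef([string]$SecretName) {
    @{ reference = @{ keyVault = @{ id = $vault.ResourceId }; secretName = $SecretName } }
}
$params = [ordered]@{
    '$schema'      = "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#"
    contentVersion = "1.0.0.0"
    parameters     = [ordered]@{
        adminUsername = New-KeyVaultParamRef 'ServerAdminName'
        adminPassword = New-KeyVaultParamRef 'ServerAdminPassword'
    }
}
$params | ConvertTo-Json -Depth 6 | Set-Content -Path $paramFile -Encoding UTF8
Get-Content $paramFile   # review the generated file before committing it
```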

Now, when you run your deployment, the admin username and password will be pulled from the vault and passed to your VM during creation. If you go to log in to that server directly, you’ll need to provide the plain text versions of those secrets just like usual.  It’s worth noting that not just anyone can pull keys out of your vault.  By default only the subscription admin will be able to access the contents of the vault, but you can add additional permissions to a vault to allow for other users and automation tools to access the same secrets.

You can find the example of this template in my GitHub repo.

Learn more about Azure Key Vault at https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/

 

Getting Started with Azure Automation

As a regular user of an MSDN account with Azure credits, I often find myself running out of credit before I expect, and it’s often my own fault. It’s really easy to spin up a server or start experimenting with a service and forget to turn it off or delete it when done. If only a selection of my VMs would turn on during the day and off during the night…. Enter Azure Automation.

I looked at Azure Automation when it first came onto the scene, but admittedly struggled with getting it going. The certificate management related to the credentials was challenging, my PowerShell was less than stellar… and I just got frustrated and moved on to something else.

But after watching my subscription accidentally drain down to nothing 2 weeks before it reset, I had to revisit Azure Automation. The credential management is much easier now and the PowerShell required to start and stop VMs is minimal.

You’ll need two scripts… one to start and one to stop the desired VMs. You set a schedule for each one and sit back and relax. I’ve also been using GitHub a lot for source control and you can tie Azure Automation into that as well.

My scripts list out each VM I want on the nightly shut down schedule, because I didn’t want to have every VM in my subscription shut down automatically, in case I do have a need to keep something running for more than 24 hours. You may want to customize your scripts differently.

To get started, I recommend following the tutorial in the Azure documentation for “My First Runbook”. It walks you through all the steps of getting your automation account going as well as giving some sample scripts.

If you’d like to see the basic scripts I’m using for a few of my VMs, you can find them in my GitHub repo.
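For reference, an added example of what such a runbook can look like (not the scripts from the GitHub repo mentioned above): one runbook takes an Action parameter so the same code serves both the start schedule and the stop schedule, and it only touches the VMs on an explicit list. The VM names, the resource group and the AzureRunAsConnection name are assumptions; the runbook reads the current power state first so a repeated run does nothing.

```powershell
# Added example runbook (not the author's GitHub script): starts or stops an
# explicit list of VMs. Names and the Run As connection are assumptions.
param(
    [Parameter(Mandatory = $true)][ValidateSet("Start", "Stop")]
    [string]$Action
)

# Only VMs on this allow-list are touched; anything else in the subscription is left alone.
$schedule = @(
    @{ ResourceGroupName = "PacITPros"; Name = "nano01" },   # assumed VM names
    @{ ResourceGroupName = "PacITPros"; Name = "nano02" }
)

# Authenticate with the Automation account's Run As (service principal) connection.
$conn = Get-AutomationConnection -Name "AzureRunAsConnection"
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
Set-AzureRmContext -SubscriptionId $conn.SubscriptionId | Out-Null

foreach ($vm in $schedule) {
    # Read the current power state first so repeated runs are harmless.
    $status = (Get-AzureRmVM @vm -Status).Statuses |
        Where-Object Code -like "PowerState/*" | Select-Object -ExpandProperty Code
    switch ($Action) {
        # Stop-AzureRmVM deallocates by default, which is what stops the credit burn.
        "Stop"  { if ($status -ne "PowerState/deallocated") { Stop-AzureRmVM @vm -Force | Out-Null } }
        "Start" { if ($status -ne "PowerState/running")     { Start-AzureRmVM @vm       | Out-Null } }
    }
    "{0}/{1}: was {2}, action {3}" -f $vm.ResourceGroupName, $vm.Name, $status, $Action
}
```

Publish the runbook once and attach two schedules to it, one passing -Action Start in the morning and one passing -Action Stop at night.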

Automate Away!!

Happy Bastille Day!

Bastille Day is the name given in English-speaking countries to the French National Day, which is celebrated on July 14th each year. The French National Day commemorates the beginning of the French Revolution with the storming of the Bastille on July 14, 1789.
Now, 227 years later, Systems Administrators everywhere might remember this day as the day support ended for Windows Server 2003 in 2015.  The successor to Windows 2000 Server, it included features from Windows XP that were well loved by IT Pros and consumers alike, leading to its widespread adoption.
Released on April 24, 2003, Windows Server 2003 was very security minded for the time, reducing the attack surface by limiting the number of features installed by default. It also included several compatibility modes to allow older applications to run with more stability and continued to support Windows NT 4.0 networking. Improvements were also made to ease the transition from the NT 4.0 directory to Active Directory.
Windows Server 2003 was also the first operating system released by Microsoft after the announcement of its Trustworthy Computing initiative, and as a result, contains a number of changes to security defaults and practices. Some of the cutting edge features of the time included Internet Information Services (IIS) v6.0, the “Manage Your Server” administrative tool to help with server configuration and improvements to Active Directory and Group Policy administration.
Here are some other great milestones and inventions that we saw in 2003:
  • iTunes Music Store also opens in April 2003.
  • FluMist by MedImmune released as an alternative to the flu shot.
  • The Intelligent Oven (www.tmio.com) keeps your food refrigerated until the programmed cooking time. Can be remotely controlled via the Internet or by telephone.
  • Because the CD-ROM was the primary storage medium in the early 2000s, the CD-ROM shredder came onto the scene in 2003.
  • Java Logs (http://www.pinemountainbrands.com/products/pine-mountain-java-log-4-hour-firelogs) – for those of you who love the open fire but feel bad about burning wood.
If you are still running Windows Server 2003 in your datacenter (a solid year after support has ended), you might want to check out some current training on Microsoft’s latest server offerings. Enjoy!