• Microsoft Azure
  • Virtual Machine Manager
WAP Register SPF

Windows Azure Pack – Virtual Machine Cloud

One of the big features of Windows Azure Pack right now is the integration of a Infrastructure as a Service offering or in other words Virtual Machine Cloud. VM Cloud allows you to integrate your existing System Center Virtual Machine Manager 2012 R2 and Hyper-V environment over SPF (Service Provider Foundation) API, so you can create a offering similar to the Windows Azure IaaS experience.

I had the chance working on several Windows Azure Pack projects where we have integrated the Virtual Machine Cloud and created offerings for service providers as well as for enterprise companies for internal use. Two parts of I really like about the solution in the integration of Hyper-V Network Virtualization and the integration of VM Roles, which are basically a solution to deploy services instead of just Virtual Machines. Microsoft also finally fixed the issue we had in App Controller and other products to connect to a Virtual Machine via the Hyper-V Console from outside your organization by using a Remote Desktop Gateway.

Architecture

To deploy the VM Cloud or IaaS offering in Windows Azure Pack you need several roles, services and components. If you want to know more about the Windows Azure Pack Architecture, check out the following blog post.

Windows Azure Pack VM Cloud Architecture

Picture Source: TechNet

  • Hyper-V – You need a Hyper-V environment for hosting virtual machines.
  • System Center Virtual Machine Manager – In a VM Cloud environment you need your Hyper-V resources to connect to a Virtual Machine Manager. You can connect multiple Virtual Machine Manager servers so called VMM stamps. If you are using Hyper-V Network Virtualization (NVGRE) make sure you build a highly available VMM Cluster for each stamp.
  • Service Provider Foundation – To bring those VMM stamps inside Windows Azure Pack you need an API solution called Service Provider Foundation. Every VMM stamp has to be registered in Windows Azure Pack trough a Service Provider Foundation Endpoint.
  • Windows Azure Pack Tenant Portal – The Portal for tenants/customers to manage Virtual Machines
  • Windows Azure Pack Admin Portal – The Portal for Administrator to register new VMM stamps and create offerings for customers.
  • Service Management API – You always need this if you deploy Windows Azure Pack.
  • SQL Server – SQL Server for Windows Azure Pack, SPF and Virtual Machine Manager
  • RD Gateway – Remote Desktop Gateway for the Console Connection to the Virtual Machine
  • System Center Operations Manager – If you just want to monitor your VM environment or you want to do chargeback you need Operations Manager and Service Reporting.

How to setup VM Cloud in Windows Azure Pack

After you have setup your environment you have to register your Service Provider Foundation and VMM in Windows Azure Pack. Enter the address of the SPF Endpoint and the address of the VMM Server.

WAP Register SPF

You can than add VMM servers or VMM Stamps to the Windows Azure Pack.

VMMStamp in WAP

You can now select the Cloud you want to use for your offering. If you create a new plan you can select which VMM stamp and cloud should be used for the offering. You can limit resources like Virtual Machine count, CPU cores, RAM, Storage, VM Networks, Templates and more inside plans and add-ons. You can than offer these plans and add-ons to your customers.

WAP VM Cloud Plan

As another part you can extend the solution by adding a SMA Web Service endpoint to the Windows Azure Pack and configure it for the Virtual Machine Clouds. With this solution you can link SMA Runbooks to actions in Windows Azure Pack VM Cloud, SPF and Virtual Machine Manager.

WAP Link SMA Runbook to VMM Action

If you need to enable Console access to the Virtual Machine to the tenant users, you also have to register a Remote Desktop Gateway. This will allow user to access the Virtual Machine without having a IP address set inside the VM.

Tenant VM Console Access WAP

Remember there are much more steps you have to do. For example configuring the fabric in System Center Virtual Machine Manager or configuring the Remote Desktop Gateway to have access to the Hyper-V hosts. And if you are doing NVGRE (Hyper-V Network Virtualization) you may also want to have NVGRE Gateways in place so customers can leave the Virtual Network and connect to the physical network or the internet. So setting this thing up is one part but having it designed and configured the right way is another.



PowerShell NetAdpater Advanced Property

Hyper-V Network Virtualization NVGRE: No connection between VMs on different Hyper-V Hosts

I have worked on some project with Hyper-V Network Virtualization and NVGRE, and today I have seen an issue with Encapsulated Task Offloading on some HP Broadcom Network adapters.

 

Issue

I have Hyper-V Hosts running with 10GbE Broadcom Network Adapters (HP Ethernet 10Gb 2-port 530FLR-SFP+ Adapter) with driver version 7.8.52.0 (released in 2014). I have created a new VM Network based on Hyper-V Network Virtualization using NVGRE. VM1 is running on Host1 and VM2 is running on Host2. You can ping VM2 from VM1 but there is no other connection possible like SMB, RDP, HTTP or DNS. If you are using a NVGRE Gateway you can no even resolve DNS inside those VMs. If VM1 and VM2 are running on the same Hyper-V host everything between those VMs works fine.

Advanced Driver Settings

If you are using Server Core, which you should by the way, you can use the following command to check for those settings:

PowerShell NetAdpater Advanced Property

 

Resolution

The Broadcom Network adapters have a feature called Encapsulated Task Offloading which is enabled by default. If you disable Encapsulated Task Offloading everything works fine. You can disable it by using the following PowerShell cmdlet.

After that connection inside the VMs started to work immediately, no reboot needed.



Windows Azure Pack Architecture

Some days ago I wrote about Windows Azure Pack which basically brings Windows Azure Services to your datacenter on top of Windows Server and System Center. I also showed a little overview how the overall architecture looks like, including the different resource providers such as VM Cloud or SQL Server.

Overall Architecture

Windows Azure Pack Archtiecture Overview

Components

If you a look on the Windows Azure Pack you have 7 different components, which need to be installed.

Service Management APIs

  • Windows Azure Pack Admin API – The Windows Azure Pack Admin API exposes functionality to complete administrative tasks from the management portal for administrators or through the use of Windows PowerShell cmdlets.
  • Windows Azure Pack Tenant API – Windows Azure Pack Tenant API enables users, or tenants, to manage and configure cloud services that are included in the plans that they subscribe to.
  • Windows Azure Pack Tenant Public API – Windows Azure Pack Tenant Public API enables end users to manage and configure cloud services that are included in the plans that they subscribe to. The Tenant Public API is designed to serve all the requirements of end users that subscribe to the various services that a hosting service provider provides.

Authentication sites

  • Admin Authentication Site - This is the authentication site where Administrators authenticate against. By default, Windows Azure Pack uses Windows authentication for the administration portal. You also have the option to use Windows Azure Active Directory Federation Services (AD FS) to authenticate users.
  • Tenant Authentication Site – This is the authentication site where Tenants (Customers) authenticate against. Windows Azure Pack uses an ASP.NET Membership provider to provide authentication for the management portal for tenants.

Service Management portals

  • Management portal for administrators - A portal for administrators to configure and manage resource clouds, user accounts, tenant plans, quotas, and pricing. In this portal, administrators create Web Site clouds, virtual machine private clouds, create plans, and manage user subscriptions.
  • Management portal for tenants - A customizable self-service portal to provision, monitor, and manage services. In this portal, users sign up for services and create services, virtual machines, and databases.

Source: TechNet

In addition to the Windows Azure Pack components you also have the Resource providers such as VM Cloud (IaaS), Websites, SQL and more, which integrate in WAP.

Design

You can install all of the Windows Azure Pack components on different servers and also make them highly available and scalable. First you have to understand that there are multiple types of components, you have the Tenant Portal, Tenant authentication site and the tenant public API which are public and should be accessible for the customers, Tenant API, Admin API, Admin Portal, Admin Authentication site as well as the SQL database behind are so called privileged services which should be protected.

Windows Azure Pack ditributed deployment architecture

 

Microsoft describes several different scenarios which you can mix. The minimal installation shows you two “servers” or tiers, one for the public facing services and one for the privileged services. To make them highly available you would have two servers for each tiers behind a load balancer.

Windows Azure Pack minimal deployment architecture

The make the deployment more scalable you can split up the different components on different tiers.

Windows Azure Pack scaled deployment architecture

Well and Microsoft also offers you an express installation which should only be used for lab or proof of concept installations. This installs all the needed components on to a single server.

Windows Azure Pack Express Deployment

At the end you and the customer have to decide how you deploy your environment based on scale, availability and security. You can get more information about the Windows Azure Pack Architecture on TechNet.



Savision Cloud Advisor VMM Tuning Tips

Cloud Advisor for System Center Virtual Machine Manager

As you may know I do a lot of work around Hyper-V, System Center and Windows Azure Pack. One of the most critical parts of the Microsoft Cloud is System Center Virtual Machine Manager. VMM is the component where mostly everything comes together in some way. From the Fabric resource such as Storage, Compute and Networking up to the Virtual Machines and Services running on top of the Fabric layer. Virtual Machine Manager basically allows you to pool resources and offer them to tenants which can than deploy services and virtual machines to the pools.

This means VMM manages not only your Virtual Machines, Virtual Machine Manager also manages your network environment, your storage and a lot more. So wouldn’t it be great to use the data Virtual Machine Manager collects to review your environment and get some tips you can optimize it? This is exactly what Savision did with their Virtual Machine Manager Add-in called Cloud Advisor which includes tuning and optimization recommendations.

Savision’s Cloud Advisor looks for problems like:

  • “Virtual Machine Appears to be Unused”
  • “Prediction: All Available Memory Will Be Consumed By…”
  • “Virtual Guest Services Are Not Installed”
  • “Starting Memory Is Too High”
  • “Low Disk Space On Cluster Shared Volume”
  • “Dynamic Memory is not enabled”
  • and a lot more…

Most of you will think okay, this sounds great but how much will this thing cost. Well that’s the great part, the Savision Cloud Advisor for System Center Virtual Machine Manager is absolutely free. So there is absolutely no reason why you shouldn’t deploy the Savision Cloud Advisor in your Virtual Machine Manager environment.

Simply go the Savision homepage, download the Cloud Advisor and import it to VMM.

Import Cloud Advisor Addin into VMM

After that you will have to connect to the VMM database and to let the Savision Cloud Advisor his job, showing you tips and recommendations for your environment.

Savision Cloud Advisor VMM Tuning Tips

By the way there are other cool VMM Add-in from Cisco for their UCS Bladecenter and 5Nine for the Virtual Firewall Appliance.



Microsoft Cloud OS

Free Microsoft Cloud OS webinar series in March and April

In March and April I will present together with Microsoft and itnetx in webinars about the Microsoft Cloud OS. The webinars will be free and will cover an overview about the Microsoft Cloud OS. The Microsoft Cloud OS is the story behind the latest releases of Windows Server 2012 R2, Hyper-V System Center, Windows Azure Pack and Windows Azure. The webinar series will be split in three different sessions and will cover how you can plan, build and operate a Microsoft Cloud and how you can bring the Private & Public Cloud together to make use of a Hybrid Cloud model.

Webinar 1 - Microsoft Cloud OS: Overview

10:00
Presenter: Markus Erlacher, Marcel Zehner
ANMELDUNG

Webinar 2 - Microsoft Cloud OS: Planning & Architecture

25.März 2014, 09:00-10:00
Presenter: Thomas Maurer
ANMELDUNG

Webinar 1 - Microsoft Cloud OS: Operation

02.April 2014, 09:00-10:00
Presenter: Thomas Maurer, Philipp Witschi
ANMELDUNG

All three webinars will be free and will held in German.



E2EVC Copenhagen

Speaking at E2EVC 2014 Brussels

 

Some weeks ago my two sessions at the Experts 2 Experts Virtualization Conference (E2EVC) in Brussels this year got approved. After my first E2EVC in Hamburg in 2012 and two other E2E Virtualization Conferences in Copenhagen and Rome last year, I am proud to get another opportunity to present.

E2EVC Virtualization Conference is a non-commercial, virtualization community event. The main goal of the E2EVC is to bring the best virtualization experts together to exchange knowledge and to establish new connections. E2EVC is a weekend crammed with presentations, Master Classes and discussions delivered by both virtualization vendors product teams and independent experts. This is not just a Microsoft only event, this event covers products from all the big vendors in the virtualization area such as Citrix, VMware and Microsoft.

The event will take place from May 30 to June 1, and my session topics are still in development but I am proud to announced that I am presenting again together with Michael Rüefli.



Hyper-V Gernal Access dinied error

Hyper-V over SMB: Set SMB Constrained Delegation via PowerShell

When you are having configured a Hyper-V over SMB configuration, which means the virtual machines are running on Hyper-V host and are stored on a SMB file share, and you try to manage the virtual machine remotely from Hyper-V Manager or Failover Cluster Manager, you will run into access denied errors. The same error can also happen if you try live migrate the virtual machine. This error is caused because you are using the credentials from the machine which Hyper-V or Failover Cluster Manager is running on to access the file share via the Hyper-V host. This “double-hop” scenario is not by default not allowed because of security reasons. You can find more about Kerberos Authentication on TechNet.

To avoid this error you have to configure the SMB Constrained Delegation in Active Directory to allow this scenario for specific “double-hops”. In Windows Server 2012 Microsoft made setting up Kerberos constrained delegation much easier by introducing resource-based Kerberos Constrained Delegation. This it wasn’t that easy to deploy and required some step. In Windows Server 2012 R2 Microsoft introduced new Windows PowerShell cmdlets to configure SMB Constrained Delegation directly from PowerShell. These cmdlets are offered by the Active Directory PowerShell module.

On your management box or where ever you want to configure SMB Constrained Delegation you have to install the Active Directory PowerShell module. (You don’t need the module on the Hyper-V host or SMB file servers)

Now you can use the following cmdlets.

  • Get-SmbDelegation –SmbServer FileServer
  • Enable-SmbDelegation –SmbServer FileServer –SmbClient HyperVHost
  • Disable-SmbDelegation –SmbServer FileServer [–SmbClient HyperVHost] [-Force]

For example if you are running a two node Hyper-V cluster and you use a Scale-Out File Server cluster (SOFS01) as virtual machine storage, the configuration could look like this.

Because these cmdlets only work with the new resource-based delegation, the Active Directory forest must be in “Windows Server 2012” functional level. A functional level of Windows Server 2012 R2 is not required.

And as I mentioned before you can also use System Center Virtual Machine Manager (VMM) to manage your storage, which uses a different approach and does not need the configuration of Kerberos Constrained Delegation.