Tag: Azure IaaS

Azure Bastion Windows VM

Azure Bastion – Private RDP and SSH access to Azure VMs

Azure Bastion is a new service which enables you to have private and fully managed RDP and SSH access to your Azure virtual machines. If you wanted to access your Azure virtual machines using RDP or SSH today, and you were not using a VPN connection, you had to assign a public IP address to the virtual machine. You were able to secure the connection using Azure Just in Time VM access in Azure Security Center. However, this had still some drawbacks. With Azure Bastion you get a private and fully managed service, which you deploy to your Virtual Network, which then allows you to access your VMs directly from the Azure portal using your browser over SSL.

Azure Bastion Architecture

Source: Microsoft Docs

Azure Bastion brings a couple of advantages

  • Removes requirement for a Remote Desktop (RDP) client on your local machine
  • Removes element for a local SSH client
  • No need for local RDP or SSH ports (handy when your company blocks it)
  • Uses secure SSL/TLS encryption
  • No need to assign public IP addresses to your Azure Virtual Machine
  • Works in basically any modern browser on any device (Windows, macOS, Linux, etc.)
  • Better hardening and more straightforward Network Security Group (NSG) management
  • Can remove the need for a Jumpbox

If you want to know more directly here is the link to the Azure Bastion announcement blog and the Microsoft Docs.

Public Preview

Azure Bastion is currently in public preview. The public preview is limited to the following Azure public regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

To participate in this preview, you need to register. Use these steps to register for the preview:

Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
 
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
 
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network

To use the Azure Bastion service, you will also need to use the Azure Portal – Preview.

How to set up an Azure Bastion host for a private RDP and SSH access to Azure VMs

Create Azure Bastion Host

First, you will need to deploy Bastion Host in your virtual network (VNet). The Azure Bastion Host will need at least a /27 subnet.

AzureBastionSubnet

Access Azure virtual machines using Azure Bastion

Azure Bastion integrates natively in the Azure portal. The platform will automatically be detected if Bastion is deployed to the virtual network your virtual machine is in. To connect to a virtual machine, click on the connect button for the virtual machine. Now you can enter your username and password for the virtual machine.

Azure Portal connect to Linux VM SSH

This will now open up a web-based SSL RDP session in the Azure portal to the virtual machine. Again, there is no need to have a public IP address assigned to your virtual machine.

Private access to Azure Linux VM

 

Roadmap – more to come

As Yousef Khalidi (CVP Azure Networking) mentions in his preview announcement blog, the team will add more great capabilities, like Azure Active Directory and MFA support, as well as support for native RDP and SSH clients.

The Azure networking and compute team are doing more great work on creating a great Azure IaaS experience. I hope this gives you an overview of how you can get a private RDP or SSH access to your Azure VM. If you want to know more about the Azure Bastion service, check out the Microsoft Docs for more information. If you have any questions, feel free to leave a comment.



Azure IaaS Webinar

Join me for a Azure IaaS Masterclass Webinar!

This Wednesday, Altaro have invited me to give a webinar on Infrastructure as a Service with Microsoft Azure and you’re invited – it’s free to join!

Implementing Infrastructure as a Service is a great way of streamlining and optimizing your IT environment by utilizing virtualized resources from the cloud to complement your existing on-site infrastructure. It enables a flexible combination of the traditional on-premises data center alongside the benefits of cloud-based subscription services. If you’re not making use of this model, there’s no better opportunity to learn what it can do for you than in this upcoming webinar.

I’ll be joined by me good friend from Altaro, Technical Evangelist and Microsoft MVP Andy Syrewicze. I’ve done a few webinars with Andy over the years and it’s always a fun experience to work with him. We have also received great feedback from attendees saying they learnt a lot and enjoy the format in which we present.

The webinar will be primarily focused on showing how Azure IaaS solves real use cases by going through the scenarios live on air. Three use cases have been outlined already, however, the webinar format encourages those attending to suggest their own use cases when signing up and the two most popular suggestions will be added to the list. To submit your own use case request, simply fill out the suggestion box in the sign up form when you register!

Like all Altaro webinars, this will be presented live twice on the day (Wednesday 13th February). So if you can’t make the earlier session (2pm CET / 8am EST / 5am PST), just sign up for the later one instead (7pm CET / 1pm EST / 10am PST) – or vice versa. Both sessions cover the same content but having two live sessions gives more people the opportunity to ask their questions live on air and get instant feedback from us.

Save your seat for the webinar and learn more about Azure IaaS

Altaro Webinar Azure IaaS VMs



Altaro Webinar Journey to the Clouds

Webinar: Journey to the Clouds – Masterclass on Cloud Migration

Together with Altaro and my MVP colleagues Andy Syrewicze and Didier Van Hoye, I will be part of a free webinar called Journey to the Clouds- Masterclass on Cloud Migration. In this webinar we will dicsuss differnent cloud scenarios.

There are two options available depending on which time zone you are in.

  • Session 1: 2pm CEST – 5am PDT – 8am EDT
  • Session 2: 6pm CEST – 9am PDT – 12pm EDT

Join Webinar Journey to the Clouds

Want to migrate your datacenter into the cloud but unsure how to make the transition successfully? 3 Microsoft MVPs discuss your options in this upcoming panel webinar. Join Andy Syrewicze, Didier Van Hoye, and Thomas Maurer for a crash course on how you can plan your journey effectively and smoothly utilizing the exciting cloud technologies coming out of Microsoft.

Want to migrate your datacenter into the cloud but unsure how to make the transition successfully? 3 Microsoft MVPs discuss your options in this upcoming panel webinar.

Join Andy Syrewicze, Didier Van Hoye, and Thomas Maurer for a crash course on how you can plan your journey effectively and smoothly utilizing the exciting cloud technologies coming out of Microsoft including:

  • Windows Server 2019 and the Software-Defined Datacenter
  • New Management Experiences for Infrastructure with Windows Admin Center
  • Hosting an Enterprise Grade Cloud in your datacenter with Azure Stack
  • Taking your first steps into the public cloud with Azure IaaS

With cloud technologies improving exponentially migrating to a cloud-based model is a dilemma facing most organizations today. Cloud services such as Microsoft Azure, Azure Stack, and the software defined datacenter, offer numerous benefits but moving existing infrastructure into a cloud model is a challenging step.

 

Many IT Pros are justifiably wary of new platforms and cloud services are particularly worrisome involving core infrastructure elements hosted offsite. This is why some of the new technologies coming from Microsoft are so compelling as they are designed to help organizations make that transition slowly and at their own pace. This webinar covers both fully-serviced cloud offerings as well as smaller-scaled solutions that provide more accessible steps to realizing the benefits without fully committing.

 

After watching the experts discuss the details, you’ll see that the cloud doesn’t have to be an all or nothing discussion. The journey from on-prem to the cloud is different for every organization, as is the destination. This webinar will prepare you for your unique journey by revealing the available options and how to make the most out of them.

 

Join us for some insightful discussion, use-case examples, and tips for getting started with these new technologies. Sign up today.

 

We hope to see you there!



WAP Register SPF

Windows Azure Pack – Virtual Machine Cloud

One of the big features of Windows Azure Pack right now is the integration of a Infrastructure as a Service offering or in other words Virtual Machine Cloud. VM Cloud allows you to integrate your existing System Center Virtual Machine Manager 2012 R2 and Hyper-V environment over SPF (Service Provider Foundation) API, so you can create a offering similar to the Windows Azure IaaS experience.

I had the chance working on several Windows Azure Pack projects where we have integrated the Virtual Machine Cloud and created offerings for service providers as well as for enterprise companies for internal use. Two parts of I really like about the solution in the integration of Hyper-V Network Virtualization and the integration of VM Roles, which are basically a solution to deploy services instead of just Virtual Machines. Microsoft also finally fixed the issue we had in App Controller and other products to connect to a Virtual Machine via the Hyper-V Console from outside your organization by using a Remote Desktop Gateway.

Architecture

To deploy the VM Cloud or IaaS offering in Windows Azure Pack you need several roles, services and components. If you want to know more about the Windows Azure Pack Architecture, check out the following blog post.

Windows Azure Pack VM Cloud Architecture

Picture Source: TechNet

  • Hyper-V – You need a Hyper-V environment for hosting virtual machines.
  • System Center Virtual Machine Manager – In a VM Cloud environment you need your Hyper-V resources to connect to a Virtual Machine Manager. You can connect multiple Virtual Machine Manager servers so called VMM stamps. If you are using Hyper-V Network Virtualization (NVGRE) make sure you build a highly available VMM Cluster for each stamp.
  • Service Provider Foundation – To bring those VMM stamps inside Windows Azure Pack you need an API solution called Service Provider Foundation. Every VMM stamp has to be registered in Windows Azure Pack trough a Service Provider Foundation Endpoint.
  • Windows Azure Pack Tenant Portal – The Portal for tenants/customers to manage Virtual Machines
  • Windows Azure Pack Admin Portal – The Portal for Administrator to register new VMM stamps and create offerings for customers.
  • Service Management API – You always need this if you deploy Windows Azure Pack.
  • SQL Server – SQL Server for Windows Azure Pack, SPF and Virtual Machine Manager
  • RD Gateway – Remote Desktop Gateway for the Console Connection to the Virtual Machine
  • System Center Operations Manager – If you just want to monitor your VM environment or you want to do chargeback you need Operations Manager and Service Reporting.

How to setup VM Cloud in Windows Azure Pack

After you have setup your environment you have to register your Service Provider Foundation and VMM in Windows Azure Pack. Enter the address of the SPF Endpoint and the address of the VMM Server.

WAP Register SPF

You can than add VMM servers or VMM Stamps to the Windows Azure Pack.

VMMStamp in WAP

You can now select the Cloud you want to use for your offering. If you create a new plan you can select which VMM stamp and cloud should be used for the offering. You can limit resources like Virtual Machine count, CPU cores, RAM, Storage, VM Networks, Templates and more inside plans and add-ons. You can than offer these plans and add-ons to your customers.

WAP VM Cloud Plan

As another part you can extend the solution by adding a SMA Web Service endpoint to the Windows Azure Pack and configure it for the Virtual Machine Clouds. With this solution you can link SMA Runbooks to actions in Windows Azure Pack VM Cloud, SPF and Virtual Machine Manager.

WAP Link SMA Runbook to VMM Action

If you need to enable Console access to the Virtual Machine to the tenant users, you also have to register a Remote Desktop Gateway. This will allow user to access the Virtual Machine without having a IP address set inside the VM.

Tenant VM Console Access WAP

Remember there are much more steps you have to do. For example configuring the fabric in System Center Virtual Machine Manager or configuring the Remote Desktop Gateway to have access to the Hyper-V hosts. And if you are doing NVGRE (Hyper-V Network Virtualization) you may also want to have NVGRE Gateways in place so customers can leave the Virtual Network and connect to the physical network or the internet. So setting this thing up is one part but having it designed and configured the right way is another.