Tag: Azure VM


Azure Live Migration

Azure uses Live Migration for VMs

If you have worked with Azure in the past, you might be aware that for a long time Azure didn’t have live migration for the VMs it hosts. This had an impact on customers in terms of VM uptime during host maintenance. You basically got emails saying that the host your VMs were running on was going into maintenance during a specific time, and that you might have an outage. Microsoft Hyper-V, which is the hypervisor in Azure, has had Live Migration for a long time. Today, Microsoft revealed that they have been using Live Migration in Azure since early 2018 to move virtual machines in cases of rack maintenance and software and BIOS updates, as well as hardware faults.

But Microsoft didn’t stop there; they made it even better using machine learning. Predictive ML helps Microsoft proactively detect and predict failures. If a hardware failure is predicted, Microsoft can move the virtual machines off that host without downtime, using live migration.

To further push the envelope on live migration, we knew we needed to look at the proactive use of these capabilities, based on good predictive signals. Using our deep fleet telemetry, we enabled machine learning (ML)-based failure predictions and tied them to automatic live migration for several hardware failure cases, including disk failures, IO latency, and CPU frequency anomalies.

 

We partnered with Microsoft Research (MSR) on building our ML models that predict failures with a high degree of accuracy before they occur. As a result, we’re able to live migrate workloads off “at-risk” machines before they ever show any signs of failing. This means VMs running on Azure can be more reliable than the underlying hardware.

In a blog post, Microsoft talks more about Live Migration in Azure and goes into more detail about the challenges and how live migration in Azure works. It is great to see Microsoft improving VM resiliency with features like live migration and machine learning technology.




Azure – Just in Time VM access

If you run virtual machines with a public IP address connected to the internet, attackers immediately try to run attacks against them. Brute force attacks commonly target management ports, like RDP or SSH, to gain access to a VM. If the attacker is successful, he can take control over the VM and access other resources in the environment. To address that issue, it is highly recommended to reduce the number of open ports, especially management ports. However, sometimes you will need to open ports on some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this issue, called Just in time virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

How does Azure Just in Time VM Access work

In the Azure Security Center you can enable just in time VM access. This creates a Network Security Group (NSG) rule to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration, you specify the ports that will be managed by Azure Security Center; Security Center then locks these ports down using NSGs.

Configure Azure just in time VM access


Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states, Configured, Recommended and No recommendation.

  • Configured – VMs that have been configured to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure it, click on Recommended and select the virtual machine for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM Access. Just in time VM access will recommend some default ports like RDP, SSH and PowerShell Remoting. You can also add other ports to the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine

Request Just in time VM access

On the Configured section, you can select the VM you want to request access to and click on Request access. You can now select the ports you want to be open for a specific time and a specific IP address. This will open up the ports and after 2-3 minutes you will be able to access the virtual machine.

To send such a request, the user who requests access to the virtual machine needs to have write access to the virtual machine in Azure Role-Based Access Control (RBAC).
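The same configure-and-request flow can be scripted with the Az.Security PowerShell module. This is an added example, not part of the original post; it assumes an authenticated Az session, and every subscription, resource group, region, VM name and IP address below is a placeholder or constructed value.

```powershell
# Added example: requires the Az.Accounts and Az.Security modules and Connect-AzAccount.
# All values are placeholders (assumptions); replace them with your own.
$SubscriptionId = '<subscription-id>'
$ResourceGroup  = '<resource-group>'
$Location       = '<azure-region>'
$VmName         = '<vm-name>'
$AdminRange     = '203.0.113.0/24'   # constructed example range allowed to request access
$AdminIp        = '203.0.113.10'     # constructed example address of the requesting admin

$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. Policy: the management ports JIT controls, who may request them,
#    and the longest a single request may keep a port open (ISO 8601 duration).
$Policy = @{
    id    = $VmId
    ports = @(
        @{ number = 22;   protocol = '*'; allowedSourceAddressPrefix = @($AdminRange); maxRequestAccessDuration = 'PT3H' },
        @{ number = 3389; protocol = '*'; allowedSourceAddressPrefix = @($AdminRange); maxRequestAccessDuration = 'PT3H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $Location -Name 'default' `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($Policy)

# 2. Request: open only RDP, only from one source IP, for one hour.
$Request = @{
    id    = $VmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
            allowedSourceAddressPrefix = @($AdminIp)
        }
    )
}
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($Request)
```

Restricting `allowedSourceAddressPrefix` in the policy to a known admin range, rather than `*`, means even an approved request cannot open a management port to the whole internet.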

Auditing Azure just in time VM access activity

Of course, all requests are logged and can be reviewed in the Activity Log.

Licensing of Azure just in time VM access

Azure just in time VM access is licensed through Azure Security Center and needs the Standard Tier to be enabled for the specific virtual machine.

I hope this gives you an idea of how you can leverage Just in time VM access in Azure for your workloads.



Azure Nested Virtualization

Hyper-V Container and Nested Virtualization in Microsoft Azure Virtual Machines

Last week Microsoft announced some pretty cool new Azure stuff, like the Azure Cloud Shell, Azure PowerShell 4.0, Azure Cosmos DB and much more. In the session about Azure Compute, Microsoft introduced a bunch of new features, like new VM sizes, new experiences and new integration technology, as well as updates to Azure Service Fabric, Azure Container Service and Azure Functions. One which really got my interest was the announcement of the new Dv3 and Ev3 Virtual Machine sizes, which will enable customers to use virtualization inside their Windows Server Virtual Machines on Azure, enabled by Nested Virtualization from Windows Server 2016 Hyper-V. With that, Dv3 and Ev3 Azure Virtual Machines are Nested Virtualization enabled. This means you can now run Nested Virtualization in Microsoft Azure Virtual Machines.

Update: The new Azure Dv3 and Ev3 VM sizes are now available, and you can now use Nested Virtualization in Azure.

Azure Nested Virtualization and Hyper-V Containers

You can now run Hyper-V in Azure Virtual Machines and, even more important, you can now run Hyper-V Containers inside Azure Virtual Machines. With the announcements for Windows Server 2016 supporting Hyper-V Containers running Linux and Windows Server, this is great news. You will be able to create Container Hosts in Azure running Windows Server and create Windows and Linux Containers on the same Container Host.

Azure VM Sizes

By the way, if you want to run Hyper-V Containers in Azure today, and you don’t want to wait until the Dv3 and Ev3 series are available, you can run them inside Azure Service Fabric. So yes, Microsoft now allows you to run Hyper-V Containers in Azure Service Fabric.

Azure Nested Virtualization Demo

As you could see in the demo, they are offering quite large Virtual Machines with a lot of RAM, running on Intel Xeon E7 CPUs.



Veeam FastSCP for Microsoft Azure

Veeam makes some great products for your virtualization and datacenter environment, such as their Veeam Backup & Replication suite, Veeam Endpoint Backup FREE and Management Packs for System Center Operations Manager. A couple of weeks ago, Veeam released a cool free tool called Veeam FastSCP for Microsoft Azure. With Veeam FastSCP (Secure Copy Protocol) for Microsoft Azure, IT Pros and Azure Developers can simply and reliably copy local files to Azure VMs, and copy files in Azure VMs to on-premises.

Veeam FastSCP for Microsoft Azure Diagram

The utility makes your life way easier when dealing with Virtual Machines running on Microsoft Azure IaaS.

  • Secure file copy with no independent encryption or VPN needed
  • Manual file copy to/from Azure VMs without the need to keep the UI open until the file copy completes
  • Automatic scheduling of file copy jobs for nightly or weekly copies to/from Azure VMs
  • A wizard-driven UI to copy files in just a few clicks – with no scripting needed

If you want to download it, check out the Veeam Website.

To set it up, the tool connects to the PowerShell endpoint for your IaaS VM. Just add the Virtual Machine and you are ready to go! With that you can do some great things, like simply copying a file to an Azure IaaS VM or even doing scheduled backups of files from inside Azure VMs, like Didier Van Hoye did.