Tag: Management

Feb042020February 4, 2020February 5, 20202 Commentsby Thomas Maurer

Prevent Azure Resources from unexpected deletion using Locks

Posted in Cloud, Microsoft, Microsoft Azure, PowerShell

In this blog post, we will have a quick look at the basics of Azure Governance and how you can use Locks in Azure to govern your environment and protect resources from accidental deletion or changes. Cloud Computing is excellent, and you can deploy and delete services in seconds and go full speed. However, with that, there are also many challenges that are coming your way. Think about control over cost, security, or compliance. You don’t want everyone to be able to deploy a large Mv2-series virtual machine to test their application, and you might also not want people deploying services all over the world using one of the 55 Azure regions worldwide. The way to prevent things like this is called technical governance. However, it can be implemented in different ways.

Technical Governance

The traditional approach was that you set a team or a person in front of the cloud, which can be called a cloud custodian or cloud broker team. And this team then decided on which services are going to get deployed and how. Now with that approach, people and processes become the limiting factor if you look at speed and agility.

Traditional approach

To take advantage of speed and agility of the cloud, you want to give developers, operations people, or even teams and divisions in your company, but stay in control of the cloud environment. With Azure, we provide you with exactly these management tools, to make sure that you can keep control, but also keep the speed and agility the cloud promises.

Cloud-Native Governance

Azure Resource Manager offers a couple of different tools for Azure Governance like Management Groups, Azure Policies, Azure Blueprints, Cost Management, and many more. In this quick blog, we will have a look at one of the basics called Azure Locks, which are part of the foundation. If you need to get started with Azure and especially Azure Governance, I created a blog post with some useful links.

Lock resources to prevent unexpected changes and deletion of Azure resources

We all have been there, we wanted to clean up some resources quickly or quickly run a script which changes a couple of settings, and we realized we just made a huge mistake. That is why it is great to have some locks in place to prevent unexpected changes and deletion to happen. With locks in Azure, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

Lock Types

You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only, respectively.

CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

You can find more information about the lock types here.

Permissions to create or delete locks

You will need to have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* to create or delete locks. By default, only the build-in roles Owner and User Access Administrator have these permissions.

Locks apply restrictions across all users and roles and are be applied to different scopes. These scopes are subscription, resource groups, or resources, and all resources within that scope inherit the same lock. If you have multiple locks in place, the most restrictive lock in the inheritance is applied. If you want to know more about permissions to set locks, you can find more information here.

How to lock a resource group

As an example of how locks can work, I wanted to show you how you can lock a resource group. You can create and assign locks using different methods and tools like the Azure Portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, or the REST API.

In the portal open up your resource group, in the settings blade, you click on Locks.

Azure Locks

After that, you can click on Add and configure the lock.

Add a lock to an Azure Resource Group

Now, if someone tries to delete this resource group, he will get the following error.

Azure Resource Group is locked and can’t be deleted

You can also set the lock using PowerShell:

New-AzResourceLock -LockName LockMyVNET -LockLevel CanNotDelete -ResourceGroupName azure-rg

Or the Azure CLI:

az lock create --name LockMyVNET --lock-type CanNotDelete --resource-group azure-rg

If you want to learn more about Azure Governance and especially Azure Locks, check out the following link to Microsoft Docs:

Microsoft Docs Lock resources to prevent unexpected changes
Microsoft Docs Azure governance documentation

I hope this gives you an understanding of locks in Azure if you have any questions, feel free to leave a comment.

Nov192019November 19, 2019November 18, 20190 Commentby Thomas Maurer

Run Azure Cloud Shell in Windows Admin Center

Posted in Azure Stack HCI, Cloud, Hyper-V, Microsoft, Microsoft Azure, Microsoft Azure Stack, PowerShell, Windows, Windows Admin Center, Windows Server, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Terminal

As you know Windows Admin Center enables you to not just manage Windows Server machines with a web-based user interface, but also to easily connect Azure Hybrid services to your on-premises Windows Server environment. Windows Admin Center allows you to connect services like Azure File Sync, Azure Update Management, Azure Backup, Azure Site Recovery and many more to your Windows Server and Azure Stack HCI environment. With the latest release of Windows Admin Center (WAC) which was announced at Microsoft Ignite 2019, we get another hybrid cloud feature. We get a new Azure Cloud Shell extension in Windows Admin Center. Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell. We are able to use Cloud Shell directly from the Azure portal, shell.azure.com, in Visual Studio Code, in the new Windows Terminal or even in the Azure mobile app. Now with the new solution/extension, administrators can also run Cloud Shell directly within WAC.

How to run Azure Cloud Shell in Windows Admin Center

First, you will need to enable and install the new Azure Cloud Shell solution. For that open Windows Admin Center, go to Settings and in the menu click on Extensions.

Extensions

Under available extensions, you will find the new Azure Cloud Shell (Preview) extension. Click on Install, the WAC portal will refresh automatically.

After the page has refreshed, the Cloud Shell option will show up in the top menu.

Start Cloud Shell in Windows Admin Center

If you start Azure Cloud Shell for the first time, you will need to login to Azure.

After that, you can run the PowerShell or Bash experience, depending on what you prefer. You also have access to the clouddrive which comes with Cloud Shell.

Azure Cloud Shell in Windows Admin Center

In that, you can run tools like the Azure CLI, Azure PowerShell and much more. If you want to learn more about Azure Cloud Shell, check out my blog post, Mastering Azure with Cloud Shell. Windows Admin Center is a free download to use with your Windows Servers, you can download Windows Admin Center here. If you want to know more about the Hybrid capabilities, check out my blog post on ITOpsTalk.com.

I hope this gives you an overview of how you can run Azure Cloud Shell in Windows Admin Center. Let me know if you have any questions in the comments.

Nov042019November 4, 2019November 6, 20193 Commentsby Thomas Maurer

Azure Arc – Cloud-native Management for Hybrid Cloud

Posted in Azure Stack HCI, Cloud, Microsoft, Microsoft Azure, Microsoft Azure Stack, Windows, Windows Admin Center, Windows Server

Azure Hybrid is not just Azure Stack, it also includes a couple of other Azure Hybrid services like Azure Update Management, Azure File Sync and many more. Today, Microsoft will extend the hybrid cloud solutions in Azure and announced Azure Arc, which is designed to extend Azure Management to any infrastructure. In the new world where organizations run servers, containers, and applications across multi-cloud environments, on-premises locations, and the edge, managing these hybrid resources becomes challenging. Azure Arc enables cloud-native Azure management across any infrastructure and also allows you to run Azure data services to be deployed anywhere. It includes hybrid server management, Kubernetes and Azure data services.

Azure Arc Overview

As you can see Azure Arc consists of a set of different technologies and components like:

Organize and govern all your servers – Azure Arc extends Azure management to physical and virtual servers anywhere. Govern and manage servers from a single scalable management pane. You can learn more about Azure Arc for servers here.
Manage Kubernetes apps at scale – Deploy and configure Kubernetes applications consistently across all your environments with modern DevOps techniques.
Run data services anywhere – Deploy Azure data services in moments, anywhere you need them. Get simpler compliance, faster response times, and better security for your data. You can learn more here.
Adopt cloud technologies on-premises – Bringing cloud-native management to your hybrid environment.

In this blog post, we will have a closer look at hybrid server management. If you want to know more about Azure Arc, check out the announcement blog post by Jeremy Winter, Director of Program Management, Microsoft Azure.

Cloud-native Azure management for hybrid environments with Azure Arc

By extending Azure Resource Manager to support hybrid cloud environments, Azure Arc to make it easier to implement cloud security across environments with centralized role-based access control, security policies. Azure Management provides you now with a single control plane for Azure native and Azure Arc resources.

Azure Management Overview

Hybrid Server Management

Today Azure Arc allows you to onboard physical and virtual servers in your hybrid environment (on-premises, edge, and multi-cloud). By joining serves to Azure Arc, you get the benefits you are used from native Azure resources, like tags, RBAC, and many more. In the preview, you can now use Azure Management services like Azure Log Analytics and Azure Policy to make sure your servers are compliant across your hybrid environment.

Hybrid Server Management

I had the chance to have a very early chat with Jian Yan from the Azure Management team, a couple of weeks ago, about hybrid server management. Check out the video here:

Join the Preview

Azure Arc for Server is currently in public preview, while you can sign up for the preview to manage Kubernetes and data services. To enable hybrid server management, you must register the required Resource Providers.

Microsoft.HybridCompute
Microsoft.GuestConfiguration

You can register the resource providers with the following Azure PowerShell commands:

Login-AzAccount
Set-AzContext -SubscriptionId [subscription you want to onboard]
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration

or with Azure CLI:

az account set --subscription "{Your Subscription Name}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'

You can also run them from Azure Cloud Shell. If you want to know more, check out the following Microsoft Docs article.

Onboarding Servers to Azure Arc

As mentioned we will have a closer look here at how you can onboard Linux and Windows Server to Azure Arc. To onboard a server which can run Linux or Windows, physical or virtual, and can run on-premises or at another service provider, you open Azure Arc in the Azure Portal. There you can select manage servers.

Azure Arc Portal

Here you will see your existing servers which you have on-boarded.

Azure Arc Server in Portal

You can click on Add, to add another server. You will be able to add a single server or get instructions to onboard servers at scale.

Add server to Azure Arc

Here you can go through a wizard that will help you to generate a script, which you can copy or download to run it on your server. You can select the subscription and resource group, as well as the region where you want to join your server.

You will also be able to configure a proxy server if your server is behind a proxy. Since this will use the Azure Resource Manager, you will also be able to use tags. After you are done with the wizard, you are able to download or copy the command to run that on your server.

Generate Script

After you have run that command on your on-premises server, your server will show up as an Azure resource in a couple of minutes.

Use Windows Admin Center to onboard a server to Azure Arc

Windows Admin Center and Azure Stack HCI

If you are using Windows Admin Center on Windows Server or with Azure Stack HCI, you can also onboard servers directly from there. Go to the settings of the server and click on Azure Arc. Now you can sign in and select the specific subscription and resource group.

If you want to know more about the Azure Hybrid announcements at Microsoft Ignite 2019, check out the blog post of Julia White. If you want to know more about Azure Arc, check out the blog post from Jeremy Winter. If you have any questions about it feel free to leave a comment, or if you are at Microsoft Ignite, feel free to talk to me and the Azure team.

I will also host a Microsoft Ignite Live interview with Jian Yan, which you can watch live in Orlando or online.

Microsoft Ignite Live

Azure is built from the ground up to manage at-scale, cross-geography environments with multiple operational models and DevOps patterns. The vision is to keep Azure at the center of the enterprise as the control plane for governance, management, and modern development and bring the Azure management capabilities and services to any customer environment. In this session, we demo one of the extension services to enable you to bring servers from anywhere to Azure, and use Azure to get a compliance view for all your server assets.

Nov042019November 4, 2019November 4, 20190 Commentby Thomas Maurer

New Performance Monitor for Windows Server

Posted in Cloud, Hyper-V, Microsoft, PowerShell, Windows, Windows 10, Windows Admin Center, Windows Server, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

In this blog post, I am going to show you the new Windows Performance Monitor feature in Windows Admin Center. This feature was announced publicly at Microsoft Ignite 2019. But before we are going to have a look at the new Windows Admin Center Performance Monitor extension, it is time for some history. If you have worked with Windows or Windows Server in the past, you almost certainly have used a tool called perfmon.exe, or Windows Performance Monitor.

You can use Windows Performance Monitor to examine how programs affect your computer’s performance, both in real-time and by collecting log data for later analysis. It uses performance counters, event trace data, and configuration information, which can be combined into Data Collector Sets. Perfmon exists already for a long time. It is super powerful for troubleshooting Windows. However, it is definitely if you look at the classic MMC user-interface and the user-experience in general, probably not your favorite tool to use. That is why we needed something better.

Perfmon.exe

Windows Reliability and Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance in real time, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways.

You can find more about the classic perfmon.exe here.

A couple of weeks ago, I was contacted by Windows Server Program Manager Cosmos Darwin, who works at great features in Windows Server like Storage Spaces Direct. He asked me if I remember my feedback item in user voice, which I created a couple of years ago.

Windows Server Windows Admin Center User Voice Feedback

Back then, I wasn’t working for Microsoft, but I was working in a couple of different projects where we were using Windows Server and needed to build a real-time performance monitoring system. Which allowed us to monitor remote servers and clusters.

And here it is, the shiny new Windows Admin Center Performance Monitor extension. This new UI is integrated into the web-based Windows Admin Center management tool.

Windows Admin Center Performance Monitor

Using the Performance Monitor extension in Windows Admin Center uses the same performance data as perfmon, like performance counters, which means that it will just work with your existing configuration. However, it adds a couple of benefits. No worries, the classic perfmon.exe is still there for you to use it.

Easy Remoting ✔ – You can easily use it on your remote machine. Windows Admin Center uses PowerShell remoting in the background to connect to the remote computer.
Share Workspaces ✔ – You can create workspaces that you can save and use for multiple systems within the same Windows Admin Center instance. But you can also export them and import them on other Windows Admin Center gateway installations.
Upload and Download Workspaces
Search and highlighting ✔ – You can easily search for objects and counters. Performance Monitor also highlights the useful objects for your system. So you don’t have to guess which counter to use.
Performance Monitor Search Counter
Different Graph Types ✔ – You can use different types of graphs, which make it easier to find and compare the right information depending on your scenario.
Min-Max View
Windows Server Performance Monitor Heatmap

I hope this gives you a quick overview of the new Performance Monitor extension in Windows Admin Center. You can get Windows Admin Center from here. If you have any questions, feel free to leave a comment. There is also a short survey, about different tools like perfmon, this will directly influence the work on Windows Admin Center. You can check out the official announcement blog here.

By the way, Windows Admin Center also offers a great set of Azure Hybrid services integration. Check out my blog post and videos about the Azure Hybrid services in Windows Admin Center.

Oct222019October 22, 2019October 22, 20192 Commentsby Thomas Maurer

Connect Azure VMs with Windows Admin Center

How to manage Azure VMs with Windows Admin Center

Posted in Azure Stack HCI, Cloud, Microsoft, Microsoft Azure, Windows, Windows Admin Center, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

Windows Admin Center is a browser-based management tool to manage your servers, clusters, hyper-converged infrastructure, and Windows 10 PCs. You can deploy it anywhere you want. If you run on-prem, you can install it on a Windows Server running in your infrastructure, or you can also install Windows Admin Center on an Azure virtual machine (VM). In this post, we want to address scenarios where you have deployed Windows Admin Center on-premises, and you want to manage some Azure VMs. In this post, I am going to show you how you can manage Azure VMs with Windows Admin Center (WAC).

If you want to know more about Windows Admin Center in general, check out my blog post.

How to manage Azure IaaS VMs with your on-premises Windows Admin Center gateway

As mentioned before, you can also install a Windows Admin Center server running on Azure IaaS virtual machine, but more on that in another post. In this post, I will cover how you can connect to an Azure VM from your on-prem Windows Admin Center (WAC) installation. There are two ways you can connect from WAC to Azure VMs.

The first one would be using the public IP address of a virtual machine running in Azure. This would mean that you need to open the PowerShell remoting port in the network security group (NSG), to be able to connect. I wouldn’t recommend this scenario since this exposes your virtual machines to the public internet. However, if you want to know more about that solution, check out the Microsoft Docs.

What I wound recommend is that you use a VPN connection to connect to your Azure virtual network where your VM is running. However, I know that in a lot of cases, you might not have a Site-2-Site VPN connection to your Azure virtual network. To still be able to connect form Windows Admin Center to an Azure VM, you can use the Azure Network Adapter feature. The Azure Network Adapter will create a Point-2-Site VPN connection from your Windows Server to Azure. And we are going to use this feature on our WAC gateway, so the WAC gateway is able to reach the virtual machine in Azure.

Add Azure Network Adapter

First, you will need to add a new Azure Network Adapter. This can be done in the Network extension in Windows Admin Center. This will open up a wizard that will guide you through the setup and if needed also helps you to register WAC in Microsoft Azure.

Create Azure Network Adapter

The setup can take a while, depending on if you already have a VPN gateway in Azure or not. WAC will create all the necessary resources in Azure, and create the Point-to-Site VPN connection for you. Also, keep in mind that the VPN gateway is an additional resource and will have an additional cost.

Connect to an Azure Virtual network

Now you can add and connect to your virtual machine running in Azure, using the private IP address of the machine.

Connect Azure VMs with Windows Admin Center

You add a server by directly entering the IP address or you can use the Add Azure Virtual Machine wizard, to discover the VM in your Azure subscription.

Add Azure VM in Windows Admin Center

I hope this helps you to connect your Azure virtual machines security without exposing ports to the public internet. If you have a site-to-site VPN connection to your Azure virtual network, you can use this as well without the need of setting up Azure Network Adapter.

If you are interested in other Azure Hybrid services in Windows Admin Center, check out the following blog post including the video series: Configure Azure Hybrid Services in Windows Admin Center

Besides, you can also have a look at my other blog post about how to set up Azure hybrid cloud services.

If you want to download Windows Admin Center, check out the download page. If you have any questions, feel free to leave a comment.

Oct092019October 9, 2019October 9, 20190 Commentby Thomas Maurer

Experts Lounge at VeeamON Virtual 2019 Conference

Posted in Cloud, Events, Microsoft, Microsoft Azure, Speaking, Thomas Maurer, Virtualization, Windows Server, Windows Server 2019, Windows XP

I am happy to announce that I will be part of this year’s VeeamON Virtual Conference for Cloud Data Management. I will be part of the virtual expert’s lounge during the online event. As a Veeam Vanguard, this is a great opportunity and I am already looking forward to being part of this event. VeeamON Virtual will be on November 20, 2019, and you can find more information here.

Jul012018July 1, 2018August 14, 20180 Commentby Thomas Maurer

Microsoft MVP 2018-2019 Cloud and Datacenter Management

Posted in Awards, Certification, Cloud, Hyper-V, Microsoft, Microsoft Azure, Microsoft Azure Stack, Microsoft MVP, Private Cloud, System Center, Virtualization, Windows, Windows Server, Work

I am proud to announce that I was awarded today by Microsoft, with the Microsoft Most Valuable Professional (MVP) Award for 2018-2019 in two major categories Cloud and Datacenter Management and Microsoft Azure. This is my 7th Microsoft MVP award since 2012, and I couldn’t be more excited about this one.

Dear
Thomas Maurer,
We’re once again pleased to present you with the 2018-2019 Microsoft Most Valuable Professional (MVP) award in recognition of your exceptional technical community leadership. We appreciate your outstanding contributions in the following technical communities during the past year:

· Cloud and Datacenter Management

The Microsoft MVP award title is a huge honor and it stand for the contributions I have been doing in the IT community as an Microsoft expert for the past years. The Microsoft MVP award also comes with some benefits, like a NDA and access to the Microsoft Product Groups, as well as the yearly Microsoft MVP Global Summit on the Microsoft Campus in Redmond. But one of the biggest benefit overall is that it gives you the opportunity to speak at different conferences all over the world. This and having the chance to speak with people from all over the world, which share the same passion is priceless.

Who are MVPs?
Microsoft Most Valuable Professionals, or MVPs, are technology experts who passionately share their knowledge with the community. They are always on the “bleeding edge” and have an unstoppable urge to get their hands on new, exciting technologies. They have very deep knowledge of Microsoft products and services, while also being able to bring together diverse platforms, products and solutions, to solve real world problems. MVPs make up a global community of over 4,000 technical experts and community leaders across 90 countries and are driven by their passion, community spirit, and quest for knowledge. Above all and in addition to their amazing technical abilities, MVPs are always willing to help others – that’s what sets them apart.

Source https://mvp.microsoft.com/en-us/Overview

I need to thank many people which are helping me to achieve this and making the most out of it. I would like to thank my employer itnetX which is supporting me in the best possible way all these years, my current and former colleagues from which I can learn a lot, the Microsoft MVP community and of course Microsoft employees in Redmond and all over the world, to work with us and collect feedback. Last but definitely not least, I have to thank my girlfriend, which not only helps me out with many things, but also needs to be patient, with my extra work so many times. She is also one of my biggest and also most critical supporters. She helps me to understand things better, promote my activities better, fixing my blog post ;) and makes all the traveling more joyful.

If you want to know more about the Microsoft MVP Program, check out the Microsoft Most Valuable Professional website.

Follow Me
About
My name is Thomas Maurer. I am a Senior Cloud Advocate at Microsoft. I am part of the Azure engineering team (Cloud + AI) and engage with the community and customers around the world. I am located in Switzerland. I am focusing on Microsoft technologies, especially cloud and datacenter solutions based on Microsoft Azure, Azure Stack and Windows Server. Opinions are my own.
Get Updates
Email address:
Sponsor
Sponsor
Sponsor
Sponsor

Tag: Management

Prevent Azure Resources from unexpected deletion using Locks

Lock resources to prevent unexpected changes and deletion of Azure resources

Lock Types

Permissions to create or delete locks

How to lock a resource group

Run Azure Cloud Shell in Windows Admin Center

How to run Azure Cloud Shell in Windows Admin Center

Azure Arc – Cloud-native Management for Hybrid Cloud

Cloud-native Azure management for hybrid environments with Azure Arc

Hybrid Server Management

Join the Preview

Onboarding Servers to Azure Arc

Use Windows Admin Center to onboard a server to Azure Arc

More

Microsoft Ignite Live

New Performance Monitor for Windows Server

How to manage Azure VMs with Windows Admin Center

How to manage Azure IaaS VMs with your on-premises Windows Admin Center gateway

Experts Lounge at VeeamON Virtual 2019 Conference

Microsoft MVP 2018-2019 Cloud and Datacenter Management

Who are MVPs?

Follow Me

About

Get Updates

Sponsor

Sponsor

Sponsor

Sponsor