Tag: Virtual Machine

Setup VM Protection in Windows Admin Center_LI

Configure Azure Site Recovery from Windows Admin Center

With the Hybrid Cloud effort Microsoft invested heavy to make Windows Server and Hyper-V better connect to Microsoft Azure. One way of doing that is with Windows Admin Center and Azure Site Recovery. The Azure Site Recovery integration in Windows Admin Center, allows you to easily replicate Hyper-V virtual machines to Microsoft Azure. The technology is not new, ASR does exist for a long time and allows you to not only replicate Hyper-V VMs, but also VMware VMs and physical servers. However, with the integration in Windows Admin Center, setting up Azure Site Recovery became super easy.

Set up Azure Site Recovery from Windows Admin Center

Setup VM Protection in Windows Admin Center_LI

In the Virtual Machines extension, you can already see a recommendation to setup ASR: “Help protect your VMs from disasters by using Azure Site Recovery.” Which will guide you through the onboarding steps. If you don’t see that banner, just click on the VM you want to protect and replicate to Azure. Click on More and select “Set up VM Protection“, this will guide you through the same wizard.

If you haven’t connected your Windows Admin Center to Microsoft Azure yet, the wizard will help you to go through and set up this connection.

Setup up Hyper-V ASR Host with Windows Admin Cenetr

After your WAC is connected to Azure, you will now setup Azure Site Recovery for the Hyper-V host in Azure. This can directly be done from Windows Admin Center. For example, this will let you select the Azure Subscription you want ASR to connect to. It will let you create a new Resource Group and Recovery Services Vault or use an existing one. After you have done the configuration part, WAC will create the specific Azure resources and configure the Hyper-V host for Azure Site Recovery. This can take up to 10 minutes depending if you are using existing resources or creating new once.

If you have a look at the Hyper-V Replica settings in Hyper-V Manager, you will see that ASR is completely setup and configured.



Hyper-V VM Configuration Version

Hyper-V VM configuration version supported features

A couple of months ago, I wrote an article about the new Microsoft Hyper-V UEFI in Windows Server 2019 and Windows 10 virtual machines. With that version Microsoft also released a new Hyper-V VM configuration version 9.0. This is not unusual, the Hyper-V teams usually bumps up the version number from release to release, since new Hyper-V features are introduced. In the comments, the question came up, what is new in this version of the Hyper-V VM configuration, Since the version was still a preview release of Windows Server and Windows 10, Microsoft didn’t share the full list of features per configuration version. However, now the documentation is ready and you can find the documentation here.

Supported features

The following table shows the minimum virtual machine configuration version required to use some Hyper-V features.

Windows ServerWindows 10VersionFeature
Windows Server 2016 Technical Preview 3Windows 10 15076.2Hot Add/Remove Memory
Windows Server 2016 Technical Preview 3Windows 10 15076.2Secure Boot for Linux VMs
Windows Server 2016 Technical Preview 3Windows 10 15076.2Production Checkpoints
Windows Server 2016 Technical Preview 3Windows 10 15076.2PowerShell Direct
Windows Server 2016 Technical Preview 3Windows 10 15076.2Virtual Machine Grouping
Windows Server 2016 Technical Preview 4 Windows 10 15117.0Virtual Trusted Platform Module (vTPM)
Windows Server 2016 Technical Preview 57.1Virtual machine multi queues (VMMQ)
Windows Server 2016Windows 10 Anniversary Update8.0XSAVE support
Windows Server 2016Windows 10 Anniversary Update8.0Key storage drive
Windows Server 2016Windows 10 Anniversary Update8.0Guest virtualization-based security support (VBS)
Windows Server 2016Windows 10 Anniversary Update8.0Nested virtualization
Windows Server 2016Windows 10 Anniversary Update8.0Virtual processor count
Windows Server 2016Windows 10 Anniversary Update8.0Large memory VMs
Windows Server 1803Windows 10 April 2018 Update8.3Increase the default maximum number for virtual devices to 64 per device (e.g. networking and assigned devices)
Windows Server 2019/1809Windows 10 October 2018 Update9.0Allow additional processor features for Perfmon
Windows Server 2019/1809Windows 10 October 2018 Update9.0Automatically expose simultaneous multithreading configuration for VMs running on hosts using the Core Scheduler
Windows Server 2019/1809Windows 10 October 2018 Update9.0Hibernation support

Source: Microsoft Docs (Thanks to Rene Moergeli for the link)

How to list the supported VM configuration versions

You can list all supported VM configuration versions on your Hyper-V host using the Get-VMHostSupportedVersion cmdlet.

Get-VM Hyper-V VM Configuration Version

If you want to see the version of a Hyper-V virtual machine, you can use Hyper-V Manager or the following PowerShell command:

Full list of Hyper-V VM versions

Here you have a full list of VM configuration versions of Hyper-V VMs together with the operating system.

Windows ClientWindows ServerVersion
Windows Server 20081.0
Windows Server 2008 SP12.0
Windows Server 2008 R23.0
Windows 8Windows Server 20124.0
Windows 8.1Windows Server 2012 R25.0
Windows 10 1507Windows Server 2016 Technical Preview 36.2
Windows 10 1511Windows Server 2016 Technical Preview 47.0
Windows Server 2016 Technical Preview 57.1
Windows 10 Anniversary UpdateWindows Server 20168.0
Windows 10 Creators Update8.1
Windows 10 Fall Creators UpdateWindows Server 17098.2
Windows 10 April 2018 UpdateWindows Server 18038.3
Windows 10 October 2018 UpdateWindows Server 2019 / 18099.0
Windows 10 April 2019 UpdateWindows Server 19039.1
PrereleasePrerelease254.0
ExperimentalExperimental255.0

How to upgrade Hyper-V VM configuration version

Hyper-V vNext Update VM Configuration Version

Upgrading the Hyper-V VM version is pretty straight forward. If the VM is running on a host supporting a newer version of Hyper-V VMs, you can right click the virtual machine in the Hyper-V Manager and click on upgrade or you can run the Update-VMVersion PowerShell cmdlet.

I hope this blog was help full for understanding Hyper-V VM versions, let me know if you have any questions in the comments!



Windows Sandbox

Windows Sandbox – Isolated Windows Desktop

Today Microsoft announced a new feature called Windows Sandbox. Windows Sandbox is built based on Windows Container technology, which allows you to spin up an isolated, temporary, desktop environment where you can run untrusted software. The software you run and install in the Windows Sandbox does not affect the host. If you shut down the Windows Sandbox all changes and all software you installed in the Sandbox are gone again. This sounds very similar to the technology Windows Defender Application Guard already used to build a sandbox environment for Microsoft Edge.

Windows Sandbox Overview

Windows Sandbox

Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on the Microsoft’s hypervisor to run a separate kernel which isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

Windows Sandbox brings the advantages of Windows Containers and also adds a desktop. If you compare this to a Windows 10 Virtual Machine, the Windows Sandbox will consume much less resources, it starts up match faster and will be much more efficient with hardware resources. You can think of it as a lightweight virtual machine, which can share the same hardware but also the same kernel and memory as the host system (like a container).



Azure Stack VM Update Management

Using Azure Update Management on Azure Stack

At Microsoft Ignite 2018, Microsoft announced the integration of Azure Update and Configuration Management on Azure Stack. This is a perfect example how Azure services from the public cloud can be extended into your datacenter using Azure Stack. Azure Update and Configuration Management brings Azure Update Management, Change Tracking and Inventory to your Azure Stack VMs. In the case of Azure Stack, the backend services and orchestrator like Azure Automation and Log Analytics, will remain to run in Azure, but it lets you connect your VMs running on Azure Stack.

Azure Update and Configuration Managemen Schemat

Today, the Azure Update and Configuration Management extension, gives you the following features:

  • Update Management – With the Update Management solution, you can quickly assess the status of available updates on all agent computers and manage the process of installing required updates for these Windows VMs.
  • Change Tracking – Changes to installed software, Windows services, Windows registry, and files on the monitored servers are sent to the Log Analytics service in the cloud for processing. Logic is applied to the received data and the cloud service records the data. By using the information on the Change Tracking dashboard, you can easily see the changes that were made in your server infrastructure.
  • Inventory – The Inventory tracking for an Azure Stack Windows virtual machine provides a browser-based user interface for setting up and configuring inventory collection.

If you want to use Azure Update Management and more on VMs on-premise (without Azure Stack) or running at another Cloud Provider, you can do this as well. Have a look at Windows Admin Center, which allows you to directly integrate with Azure Update Management. However, there will be a difference in pricing.



Azure Live Migration

Azure uses Live Migration for VMs

If you have worked with Azure in the past, you might have been aware that Azure didn’t have live migration for VMs hosted in Azure for a long time. This had an impact for customers in terms of VM up-time during host maintenance. You basically got emails, that the host your VMs were running is going into maintenance during a specific time, and you will have a possible outage. Microsoft Hyper-V, which is the Hypervisor in Azure, had Live Migration for a long time. Today, Microsoft revealed that they are using Live Migration in Azure since early 2018 to move virtual machines in cases of rack maintenance and software and BIOS updates, as well as hardware faults.

But Microsoft didn’t stop there, they made even better using Machine Learning. Predictive ML helps Microsoft to detect proactively failure and do failure predictions. And in case a hardware failure is predicted, Microsoft can move the virtual machines from that host without downtime, using live migration.

To further push the envelope on live migration, we knew we needed to look at the proactive use of these capabilities, based on good predictive signals. Using our deep fleet telemetry, we enabled machine learning (ML)-based failure predictions and tied them to automatic live migration for several hardware failure cases, including disk failures, IO latency, and CPU frequency anomalies.

 

We partnered with Microsoft Research (MSR) on building our ML models that predict failures with a high degree of accuracy before they occur. As a result, we’re able to live migrate workloads off “at-risk” machines before they ever show any signs of failing. This means VMs running on Azure can be more reliable than the underlying hardware.

Microsoft talks in a blog post more about Live Migration in Azure and goes more in details about the challenges and how live migration in Azure works. It is great to see Microsoft adding features to improve VM resiliency with features like live migration and machine learning technology.



Azure Stack Backup with Azure Backup Server

Protect Azure Stack Tenant Workloads with Azure Backup Server

If you are running Azure Stack in your datacenter, you also want to backup workloads running on Azure Stack. This blog post covers how you can backup Azure Stack tenant workloads with Azure Backup Server. Azure Backup allows you to protect on-premise workloads running on different platforms as well as on Azure Stack and store long-term data in Azure.

Why protecting Azure Stack workloads with Azure Backup Server

Microsoft Azure Backup Server is included as a free download with Azure Backup that enables cloud backups and disk backups for workloads like SQL, SharePoint and Exchange regardless if these workloads are running on Hyper-V, VMware, Physical servers or Azure Stack. It also provides a central console to protect these workloads. If you compare this to the Azure Backup Agent, where you have to configure the agent on every single server. The Azure Backup Server also allows you to not only do file backup, but also backup of applications like SharePoint, SQL Server, Exchange and more. This gives you flexibility and centralized management to back up your infrastructure as a service (IaaS) workloads on Azure Stack.



Inked Azure Security Center Just in time VM access_LI

Azure – Just in Time VM access

If you run virtual machines with public IP address connected to the internet, attackers immediately try to run attacks against it. Brute force attacks commonly target management ports, like RDP or SSH, to gain access to a VM. If the attacker is successful, he can take control over the VM and access other resources in the environment. To address that issue it is highly recommended to reduce the ports open, especially for the management ports. However, sometimes you will need to open to ports for some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this issue, called Azure JIT virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

How does Azure Just in Time VM Access work

In the Azure Security Center you can enable just in time VM access, this will create a Network Security Rule (NSG) to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration, you will be configuring the ports specified, which will be managed by Azure Security Center, these ports will be locked down by the Azure Security Center using an NSGs.

Configure Azure JIT VM access

Inked Configure Just in time VM access_LI

Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states, Configured, Recommended and No recommendation.

  • Configured – VMs that have been configured to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure you click on Recommended and select the Virtual Machine, for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM Access. Just in time VM access will recommend some default ports like RDP, SSH and PowerShell Remoting. You can also add other ports to the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine

Request Just in time VM access

On the Configured section, you can select the VM you want to request access to and click on Request access. You can now select the ports you want to be open for a specific time and a specific IP address. This will open up the ports and after 2-3 minutes you will be able to access the virtual machine.

To send such a request, the user which requests access to the Virtual Machine needs to have write access to the virtual machines in the Azure Role-Based Access Control (RBAC).

Auditing Azure JIT VM access activity

Of course all the request get logged and can be reviewed in the Activity Log.

Licensing

Azure just in time VM access is licensed over Azure Security Center and needs the Standard Tier to be enabled for the specific virtual machine.

I hope this gives you an idea how you can leverage Just in time VM access in Azure for your workloads.