Tag: Virtual Machine

Last updated by at .

Azure Stack VM Update Management

Using Azure Update Management on Azure Stack

At Microsoft Ignite 2018, Microsoft announced the integration of Azure Update and Configuration Management on Azure Stack. This is a perfect example how Azure services from the public cloud can be extended into your datacenter using Azure Stack. Azure Update and Configuration Management brings Azure Update Management, Change Tracking and Inventory to your Azure Stack VMs. In the case of Azure Stack, the backend services and orchestrator like Azure Automation and Log Analytics, will remain to run in Azure, but it lets you connect your VMs running on Azure Stack.

Azure Update and Configuration Managemen Schemat

Today, the Azure Update and Configuration Management extension, gives you the following features:

  • Update Management – With the Update Management solution, you can quickly assess the status of available updates on all agent computers and manage the process of installing required updates for these Windows VMs.
  • Change Tracking – Changes to installed software, Windows services, Windows registry, and files on the monitored servers are sent to the Log Analytics service in the cloud for processing. Logic is applied to the received data and the cloud service records the data. By using the information on the Change Tracking dashboard, you can easily see the changes that were made in your server infrastructure.
  • Inventory – The Inventory tracking for an Azure Stack Windows virtual machine provides a browser-based user interface for setting up and configuring inventory collection.

If you want to use Azure Update Management and more on VMs on-premise (without Azure Stack) or running at another Cloud Provider, you can do this as well. Have a look at Windows Admin Center, which allows you to directly integrate with Azure Update Management. However, there will be a difference in pricing.



Azure Live Migration

Azure uses Live Migration for VMs

If you have worked with Azure in the past, you might have been aware that Azure didn’t have live migration for VMs hosted in Azure for a long time. This had an impact for customers in terms of VM up-time during host maintenance. You basically got emails, that the host your VMs were running is going into maintenance during a specific time, and you will have a possible outage. Microsoft Hyper-V, which is the Hypervisor in Azure, had Live Migration for a long time. Today, Microsoft revealed that they are using Live Migration in Azure since early 2018 to move virtual machines in cases of rack maintenance and software and BIOS updates, as well as hardware faults.

But Microsoft didn’t stop there, they made even better using Machine Learning. Predictive ML helps Microsoft to detect proactively failure and do failure predictions. And in case a hardware failure is predicted, Microsoft can move the virtual machines from that host without downtime, using live migration.

To further push the envelope on live migration, we knew we needed to look at the proactive use of these capabilities, based on good predictive signals. Using our deep fleet telemetry, we enabled machine learning (ML)-based failure predictions and tied them to automatic live migration for several hardware failure cases, including disk failures, IO latency, and CPU frequency anomalies.

 

We partnered with Microsoft Research (MSR) on building our ML models that predict failures with a high degree of accuracy before they occur. As a result, we’re able to live migrate workloads off “at-risk” machines before they ever show any signs of failing. This means VMs running on Azure can be more reliable than the underlying hardware.

Microsoft talks in a blog post more about Live Migration in Azure and goes more in details about the challenges and how live migration in Azure works. It is great to see Microsoft adding features to improve VM resiliency with features like live migration and machine learning technology.



Azure Stack Backup with Azure Backup Server

Protect Azure Stack Tenant Workloads with Azure Backup Server

If you are running Azure Stack in your datacenter, you also want to backup workloads running on Azure Stack. This blog post covers how you can backup Azure Stack tenant workloads with Azure Backup Server. Azure Backup allows you to protect on-premise workloads running on different platforms as well as on Azure Stack and store long-term data in Azure.

Why protecting Azure Stack workloads with Azure Backup Server

Microsoft Azure Backup Server is included as a free download with Azure Backup that enables cloud backups and disk backups for workloads like SQL, SharePoint and Exchange regardless if these workloads are running on Hyper-V, VMware, Physical servers or Azure Stack. It also provides a central console to protect these workloads. If you compare this to the Azure Backup Agent, where you have to configure the agent on every single server. The Azure Backup Server also allows you to not only do file backup, but also backup of applications like SharePoint, SQL Server, Exchange and more. This gives you flexibility and centralized management to back up your infrastructure as a service (IaaS) workloads on Azure Stack.



Inked Azure Security Center Just in time VM access_LI

Azure – Just in Time VM access

If you run virtual machines with public IP address connected to the internet, attackers immediately try to run attacks against it. Brute force attacks commonly target management ports, like RDP or SSH, to gain access to a VM. If the attacker is successful, he can take control over the VM and access other resources in the environment. To address that issue it is highly recommended to reduce the ports open, especially for the management ports. However, sometimes you will need to open to ports for some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this issue, called Just in time virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

How does Azure Just in Time VM Access work

In the Azure Security Center you can enable just in time VM access, this will create a Network Security Rule (NSG) to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration, you will be configuring the ports specified, which will be managed by Azure Security Center, these ports will be locked down by the Azure Security Center using an NSGs.

Configure Azure just in time VM access

Inked Configure Just in time VM access_LI

Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states, Configured, Recommended and No recommendation.

  • Configured – VMs that have been configured to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure you click on Recommended and select the Virtual Machine, for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM Access. Just in time VM access will recommend some default ports like RDP, SSH and PowerShell Remoting. You can also add other ports to the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine

Request Just in time VM access

On the Configured section, you can select the VM you want to request access to and click on Request access. You can now select the ports you want to be open for a specific time and a specific IP address. This will open up the ports and after 2-3 minutes you will be able to access the virtual machine.

To send such a request, the user which requests access to the Virtual Machine needs to have write access to the virtual machines in the Azure Role-Based Access Control (RBAC).

Auditing Azure just in time VM access activity

Of course all the request get logged and can be reviewed in the Activity Log.

Licensing of Azure just in time VM access

Azure just in time VM access is licensed over Azure Security Center and needs the Standard Tier to be enabled for the specific virtual machine.

I hope this gives you an idea how you can leverage Just in time VM access in Azure for your workloads.



Create Ubuntu Hyper-V Generation 2 Virtual Machine

How to Install Ubuntu in a Hyper-V Generation 2 Virtual Machine

If you want to install Ubuntu or any other Linux inside a Hyper-V Generation 2 Virtual Machine you need to do a simple change to the VM so you can install it from ISO.  If you just create a Hyper-V Generation 2 Virtual Machine and try to start the Virtual Machine, the Virtual Machine will not boot from ISO. This is because of the Secure Boot feature which is included in Hyper-V Generation 2 Virtual Machines, and applies to all Linux operating systems running on Hyper-V.

How to Install Linux in a Hyper-V Generation 2 VM

Create a new Virtual Machine in the Hyper-V Manager

Create Ubuntu Hyper-V Generation 2 Virtual Machine

On the Hyper-V Virtual Machine Generation selection screen, choose Generation 2

Create Ubuntu Hyper-V Generation 2 VM

Attach the Ubuntu ISO Image to the virtual machine

Attach Ubuntu ISO to Hyper-V VM

After you have created the Virtual Machine using the wizard, go into the settings of the virtual machine. Switch to the Security section and choose the Microsoft UEFI Certificate Authority Secure Boot Template.

Now the Virtual Machine will boot from the Ubuntu ISO and you can install Ubuntu.



Hyper-V HVC SSH Direct for Linux VMs

HVC – SSH Direct for Linux VMs on Hyper-V

If you are running Hyper-V on Windows 10 or on Windows Server 2016, you probably know about a feature called PowerShell Direct. I also mentioned that PowerShell Direct is one of the 10 hidden features in Hyper-V you should know about. PowerShell Direct lets you remote connect to a Windows Virtual Machine running on a Hyper-V host, without any network connection inside the VM. PowerShell Direct uses the Hyper-V VMBus to connect inside the Virtual Machine. Of course this feature is really handy if you need it for automation and configuration for Virtual Machines. As this is great for Windows virtual machines, it does not work with Virtual Machines running Linux. In the latest Windows 10, Windows Server 1803 (RS4) and Windows Server 2019 (RS5) Insider Preview builds, Microsoft enabled a tool called HVC. HVC is at tool which allows you to do some command line VM management. HVC SSH is basically SSH Direct of Linux VMs.

This allows to connect to a Linux VM using SSH over the Hyper-V VMBus. You are also able to copy file inside a virtual machines using scp.

How to connect to Linux VMs using SSH Direct

HVC SSH on Hyper-V

To connect to Linux VMs using SSH Direct (HVC) simply type hvc.exe into the command line or PowerShell. This will give you all the possible command options. Of course SSH has to big configured inside the Linux virtual machine.

To make this work, the SSH server inside the VM needs to be configured.

Final Thoughts

Pretty cool tool which will be available in the official releases of Windows 10 and Windows Server 1803, released this spring. Later this year this feature will also be included in Windows Server 2019. If you want to try it out today, give the Windows Insider Preview builds a spin.

Thanks to Ben Armstrong for pointing this out 😉



Hyper-V Enhanced Session Mode

10 hidden Hyper-V features you should know about!

Microsoft added some amazing new features and improvements to Hyper-V over the past few years. A lot of them you can use in Windows Server 2016 Hyper-V today, but there are also a lot of features hidden in the user interface and they are also included in Windows 10 Pro or Enterprise. I think this list should you a good idea about some of them.

Nested Virtualization

Hyper-V Nested Virtualization

Hyper-V Nested Virtualization allows you to run Hyper-V in a Hyper-V Virtual Machine. This is great for testing, demo and training scenarios and it work on Windows Server 2016 and Windows 10 Pro and Enterprise. Microsoft Azure will also offer some new Virtual Machine which will offer the Nested Virtualization feature in the Azure public cloud. Nested Virtualization is not just great if you want to run virtual machines inside a virtual machine, it is also great (and I think this will be the largest use case in the future) you can also run Hyper-V Container inside a Hyper-V or Azure Virtual Machine. Hyper-V Containers are a feature will brings the isolation of a Virtual Machine to a fast, light and small footprint container. To enable Nested Virtualization you have the following requirements:

  • At least 4 GB RAM available for the virtualized Hyper-V host.
  • To run at least Windows Server 2016 or Windows 10 build 10565 (and higher) on both the physical Hyper-V host and the virtualized host. Running the same build in both the physical and virtualized environments generally improves performance.
  • A processor with Intel VT-x (nested virtualization is available only for Intel processors at this time).
  • Other Hypervisors will not work

Configure the Virtual Machine for Nested Virtualization follow the following steps:

  • disable Dynamic Memory on Virtual Machine
  • enable Virtualization Extensions on the vCPU
  • enable MAC Address Spoofing
  • set Memory of the Virtual Machine to a minimum of 4GB RAM

To enable the Virtualization Extensions on the vCPU you can run the following PowerShell command

PowerShell Direct

PowerShell Direct Enter-PSSession

Hyper-V PowerShell Direct is also one of the great new features in Windows 10 and Windows Server 2016 Hyper-V. PowerShell Direct allows you to connect to a Virtual Machine using PowerShell without connecting over the network. Instead of the network, PowerShell Direct uses the Hyper-V VMBus to connect from the Hyper-V host to the virtual machine. This is handy if you are doing some automation or you don’t have network access to the virtual machine. In terms of security, you will still need to provide credentials to access the virtual machine.

To use PowerShell Direct you have the following requirements:

  • The virtual machine must be running locally on the Hyper-V host and must be started.
  • You must be logged into the host computer as a Hyper-V administrator.
  • You must supply valid user credentials for the virtual machine.
  • The host operating system must run Windows 10, Windows Server 2016, or a higher version.
  • The virtual machine must run Windows 10, Windows Server 2016, or a higher version.

To use PowerShell Direct just use the Enter-PSSession or Invoke-Command cmdlets with the -VMName, -VMId or VM parameter.

Hyper-V Virtual Switch using NAT

Hyper-V Virtual Switch NAT Configuration

If you are running Hyper-V on your workstation, laptop you know that networking could have been kind of a problem. With the Hyper-V Virtual Switch using NAT, you can now create an internal network for your virtual machines and still allow them to for example have internet access, like you would run your virtual machines behind a router. To use this feature you have the following requirements:

  • Windows 10 and Windows Server 2016 build 14295 or later
  • Enabled Hyper-V role

To enable you can first create an internal switch using PowerShell, the the IP Address on the Virtual NIC on the Management OS and then set the NAT configuration:

To create NAT forwarding rules you can for example use the following command:

Virtual Battery for Virtual Machines

Hyper-V VM battery

With the Windows 10 Insider Build XXXX and later with the release of the Windows 10 Fall Creators Update, Microsoft enabled a Virtual Battery feature for Hyper-V Virtual Machines. This will allow Hyper-V VMs to see the battery status of the host. This is great when you are running Hyper-V on a notebook or if you have a SUV battery on your server

Hyper-V VMConnect – Enhanced Session Mode

Hyper-V Enhanced Session Mode

Interacting with Virtual Machines can be difficult and time consuming using the default VM console, since you can not copy paste or connect devices. VMConnect lets you use a computer’s local resources in a virtual machine, like a removable USB flash drive or a printer and in addition to this, Enhanced session mode also lets you resize the VMConnect window and use copy paste. This makes it almost as if you would use the Remote Desktop Client to connect to the Virtual Machine, without a network connection, instead you will make use of the VMBus.

The Enhanced Session Mode feature was introduced with Windows Server 2012 R2 and Windows 8.1. Enhanced session mode basically provides your Virtual Machine Connection with RDP (Remote Desktop Protocol) capabilities over the Hyper-V VMBus, including the following:

  • Display Configuration
  • Audio redirection
  • Printer redirection
  • Full clipboard support (improved over limited prior-generation clipboard support)
  • Smart Card support
  • USB Device redirection
  • Drive redirection
  • Redirection for supported Plug and Play devices

Requirements for the Enhanced Session Mode are:

  • The Hyper-V host must have Enhanced session mode policy and Enhanced session mode settings turned on
  • The computer on which you use VMConnect must run Windows 10, Windows 8.1, Windows Server 2016, or Windows Server 2012 R2 or higher
  • The virtual machine must have Remote Desktop Services enabled, and run Windows 8.1 (or higher) and Windows Server 2012 R2 (or higher) as the guest operating system.

You can simply use it, by pressing the enhanced session button (if you have all the requirementsOn the Windows 10 Client this is enabled by default on the “host”. On Windows Server you have to enable it first in the Hyper-V Manager under Hyper-V Settings

Hyper-V Manager Zoom Level

Hyper-V VMConnect Zoom Level

In the Windows 10 Creators Update, Microsoft introduced a new feature to the VMConnect Console. This feature allows you to control the zoom level of the Virtual Machine console, this is especially handy if you have a high DPI screen.

Virtual TPM Chip

Hyper-V Virtual TPM

If you are running Windows 10 or Windows Server 2016 or higher you can make use of a feature called Shielded Virtual Machines. This allows you to protect your virtual machines form being accessed from the outside. With this feature Microsoft added different levels of security enhancements. One of them is the possibility to add a Virtual TPM chip to the virtual machine. With that enabled you can use BitLocker or another encryption technology to encrypt your virtual machine disks from inside the VM.

Enable Hyper-V vTPM PowerShell

You can enable the Virtual TPM chip using the Hyper-V Manager or PowerShell. The virtual machine needs to be shut down.

Just to make sure, if you really need full protection, have a look at Shielded Virtual Machines with the Host Guardian Service (HGS).

VM Resource Metering

Hyper-V VM Resource Metering

With Windows Server 2012 Hyper-V Microsoft introduced a new feature in Hyper-V called VM Resource Metering which allows you to measure the usage of a virtual machine. This allows you to track CPU, Memory, Disk and network usage. This is a great feature especially if you need to do charge back or maybe even for trouble shooting.

You can enable VM Resource Metering using PowerShell

To measure the virtual machine, you can used the following command

Export and Share Hyper-V Virtual Machines

Export and Share Hyper-V Virtual Machine

Another feature a lot of people do not know about is that you can export Hyper-V Virtual Machines to copy them to another computer or server. The great thing about this, this can even be done while the virtual machine is running and you can even export the state of the virtual machine with it. You can use the UI to do this, or you just run PowerShell using the Export-VM cmdlet.

In the Windows 10 Fall Creators Update Microsoft also added a button to shared the Virtual Machine. This does not only export the virtual machine but it also create a compressed VM Export File (.vmcz).

Hyper-V Containers

Hyper-V Windows Containers

In Windows 10 and Windows Server 2016 you can run Windows Containers using Docker. While on Windows Server you can choose between running a Windows Container or a Hyper-V Container, you will always run a Hyper-V Container on Windows 10. While Hyper-V Containers and Windows Containers are fully compatible with each other, what means you can start a Windows Container in a Hyper-V Container runtime and the other way around, the Hyper-V Container gives you an extra layer of isolation between your containers and your operating system. This makes running containers not just much more secure but since the Windows 10 Fall Creators Update and Windows Server RS3 (Redstone 3), it will also allow you to run Linux Containers on a Windows Container Host, which will make Windows the best platform to run Windows Containers and Linux Containers side by side.

I hope this short list was helpful and showed you some features you didn’t know were there in Hyper-V. Some of these features are still in preview and are might not available in production versions of Hyper-V. Leave your favorite secret Hyper-V features in the comments!