Tag: Virtual machines

Hyper-V Nested Virtualization

Nested Virtualization in Windows Server 2016 and Windows 10

I already wrote a blog post about Nested Virtualization in Windows 10 some weeks ago. With Technical Preview 4 of Windows Server 2016 Microsoft also introduced Nested Virtualization in Windows Server Hyper-V. Nested Virtualization allows you to run a Hypervisor inside a Virtual Machine that is itself running on a Hypervisor. This is a great fit for demo and lab environments, and also if you want to run virtual Hyper-V servers in Microsoft Azure IaaS Virtual Machines (we will see if Microsoft will support this in Azure in the future).

Requirements

  • At least 4 GB RAM available for the virtualized Hyper-V host.
  • To run at least Windows Server 2016 Technical Preview 4 or Windows 10 build 10565 on both the physical Hyper-V host and the virtualized host. Running the same build in both the physical and virtualized environments generally improves performance.
  • A processor with Intel VT-x (nested virtualization is available only for Intel processors at this time).
  • Other Hypervisors will not work

How to set it up

To enable Nested Virtualization in Hyper-V, Microsoft created a script you can use, which I already documented in my first blog post about Nested Virtualization. But of course you can also do this manually with the following steps:

  • disable Dynamic Memory on Virtual Machine
  • enable Virtualization Extensions on the vCPU
  • enable MAC Address Spoofing
  • set Memory of the Virtual Machine to a minimum of 4GB RAM

To set the Virtualization Extension for the vCPU you can use PowerShell:

Set-VMProcessor -VMName "VMName" -ExposeVirtualizationExtensions $true
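The four manual steps above, carried out in order by one function with the preconditions from the Limitations section checked first. This is an added example, not a script from the original post or from Microsoft; the function name, its parameters and the VM name are this example's own.

```powershell
# Added example: applies the four manual steps (Dynamic Memory off, virtualization
# extensions on, MAC address spoofing on, at least 4 GB RAM) to one VM.
# Run elevated on the physical Hyper-V host. Function/parameter names are hypothetical.
function Enable-NestedVirtualization {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [long]   $MemoryBytes = 4GB,   # minimum from the Requirements list
        [string] $AdapterName          # optional: limit MAC spoofing to one adapter
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Processor and memory settings can only be changed while the VM is off.
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' must be powered off (current state: $($vm.State))."
    }

    # A host with Virtualization Based Security (Device Guard) enabled cannot expose
    # virtualization extensions. Win32_DeviceGuard reports that state; 0 = not enabled.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg -and $dg.VirtualizationBasedSecurityStatus -ne 0) {
        throw "Host has VBS enabled (status $($dg.VirtualizationBasedSecurityStatus)); disable it first."
    }

    # Steps 1 and 4: Dynamic Memory off and a fixed startup memory of at least 4 GB.
    # Dynamic Memory would prevent the nested host from booting.
    if ($MemoryBytes -lt 4GB) { throw 'Nested Hyper-V needs at least 4 GB of RAM.' }
    if ($PSCmdlet.ShouldProcess($VMName, "set static memory of $($MemoryBytes / 1GB) GB")) {
        Set-VM -VMName $VMName -StaticMemory -MemoryStartupBytes $MemoryBytes
    }

    # Step 2: expose VT-x to the guest so it can load its own hypervisor.
    if ($PSCmdlet.ShouldProcess($VMName, 'expose virtualization extensions')) {
        Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
    }

    # Step 3: MAC address spoofing, so frames from the nested VMs (which carry their
    # own MAC addresses) are not dropped by the outer virtual switch. This relaxes
    # port security on the adapter, so scope it to the adapter the nested VMs use.
    $adapters = Get-VMNetworkAdapter -VMName $VMName
    if ($AdapterName) { $adapters = $adapters | Where-Object Name -eq $AdapterName }
    if ($PSCmdlet.ShouldProcess($VMName, 'enable MAC address spoofing')) {
        $adapters | Set-VMNetworkAdapter -MacAddressSpoofing On
    }

    # Return the resulting settings so the caller can verify all four in one view.
    [pscustomobject]@{
        VMName                = $VMName
        DynamicMemoryEnabled  = (Get-VM -Name $VMName).DynamicMemoryEnabled
        MemoryStartupGB       = (Get-VM -Name $VMName).MemoryStartup / 1GB
        VirtualizationExposed = (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
        MacSpoofing           = ($adapters | Get-VMNetworkAdapter).MacAddressSpoofing
    }
}

# Placeholder VM name; -WhatIf lists the changes without applying them.
Enable-NestedVirtualization -VMName 'NestedHost01' -WhatIf
```

Drop `-WhatIf` to apply the changes, then start the VM and install the Hyper-V role inside it.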

Limitations

Nested Virtualization comes with some limitations:

  • Once nested virtualization is enabled in a virtual machine, the following features are no longer compatible with that VM.
    These actions will either fail, or cause the virtual machine not to start if it is hosting other virtual machines:
    • Dynamic memory must be OFF; leaving it enabled will prevent the VM from booting.
    • Runtime memory resize will fail.
    • Applying checkpoints to a running VM will fail.
    • Live migration will fail — in other words, a VM which hosts other VMs cannot be live migrated.
    • Save/restore will fail.
  • Hosts with Device Guard enabled cannot expose virtualization extensions to guests.
  • Hosts with Virtualization Based Security (VBS) enabled cannot expose virtualization extensions to guests. You must first disable VBS in order to try out nested virtualization.

For more information check out the Microsoft page about Hyper-V Nested Virtualization.


Powershell

Move multipe Hyper-V Virtual Machines with Live Storage Migration via Windows PowerShell

Well, I was working on a Private Cloud Deployment where we had some temporary storage for our Hyper-V Virtual Machines, and after we got the right storage ready, which was btw a Windows Server Scale-Out File Server Cluster running with Storage Spaces and DataON JBOD chassis, we had to migrate the storage of all virtual machines running on our Hyper-V hosts. Since Windows Server 2012 offers Live Storage Migration, which allows us to move the Virtual Machine to a different storage location without downtime, we would use that. But if you have to move around 20 virtual machines you think twice about whether you want to do that via the Hyper-V Manager GUI or Windows PowerShell.

Here is a pretty simple PowerShell foreach loop which moves the storage of all virtual machines running on the Hyper-V host.

# New storage location (trailing backslash, so the VM name can be appended directly)
$StoragePath = "\\SMB01\VMs01\"
# VMs which will be migrated; Get-VM without a filter returns every VM on this host
$VMs = Get-VM

Foreach ($VM in $VMs) {
    # Each VM gets its own folder under the new location
    $VMStorage = $StoragePath + $VM.Name
    Write-Host "Moving VM:" $VM.Name "to" $VMStorage
    # Live storage migration: the VM keeps running while its files move
    Move-VMStorage -VMName $VM.Name -DestinationStoragePath $VMStorage
}
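A more careful variant of the same loop, added here as an example (not the script from the original post): it moves only the VMs that still live on the temporary storage, checks that the new share is reachable first, and supports -WhatIf for a dry run. The function name, parameters and paths are constructed placeholders.

```powershell
# Added example: selective live storage migration from an old to a new location.
# Names and paths are hypothetical; adjust them to your environment.
function Move-VMStorageFromOldLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OldPath,   # e.g. 'D:\TempVMs'
        [Parameter(Mandatory)] [string] $NewPath    # e.g. '\\SMB01\VMs01'
    )

    # Fail early if the SMB share is not reachable from this host. For a Scale-Out
    # File Server the host's computer account needs Full Control on share and NTFS.
    if (-not (Test-Path -LiteralPath $NewPath)) {
        throw "Destination '$NewPath' is not reachable from $env:COMPUTERNAME."
    }

    # Select only VMs whose configuration folder is under the old location; VMs that
    # were already moved, or never lived there, are left untouched.
    $oldRoot = $OldPath.TrimEnd('\') + '\'
    $toMove  = Get-VM | Where-Object { $_.Path.StartsWith($oldRoot, 'OrdinalIgnoreCase') }

    foreach ($vm in $toMove) {
        $dest = Join-Path -Path $NewPath -ChildPath $vm.Name
        if ($PSCmdlet.ShouldProcess($vm.Name, "move storage to $dest")) {
            Write-Host "Moving VM: $($vm.Name) to $dest"
            # Moves configuration, VHDs, checkpoints and paging file together while
            # the VM keeps running (live storage migration).
            Move-VMStorage -VMName $vm.Name -DestinationStoragePath $dest
        }
    }

    # Report the resulting locations so the move can be verified against $OldPath.
    $toMove | ForEach-Object { Get-VM -Name $_.Name } | Select-Object Name, State, Path
}

# Dry run first; remove -WhatIf to perform the migration.
Move-VMStorageFromOldLocation -OldPath 'D:\TempVMs' -NewPath '\\SMB01\VMs01' -WhatIf
```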


Microsoft Exam 70-533 Implementing Microsoft Azure Infrastructure Solutions

Passed Microsoft Exam 70-533 Implementing Microsoft Azure Infrastructure Solutions

A couple of weeks ago I passed Microsoft Exam 70-533 Implementing Microsoft Azure Infrastructure Solutions, which is focused on implementing and designing Microsoft Azure Infrastructure solutions such as Azure Websites or Azure Virtual Machines (IaaS). I think taking this exam and preparing for it was a great idea. Even though I have already done a couple of projects on Azure, I still learned a lot during the preparation, and you come across some of the best practices. Since Azure is a huge beast with a rapid deployment of new features, you will definitely find some new stuff you didn't know before during the preparation for the exam. And of course taking new Microsoft Certifications early helps you to stand out in the IT Pro or Developer world. Of course passing exams alone does not make you an expert, but if you have know-how on a topic it's always good to have some kind of paper to prove it.

So what are the skills measured for this exam? The exam 70-533 focuses on 6 topics: Azure Websites, Virtual Machines, Cloud Services, Storage, Azure Active Directory and Virtual Networks. To my surprise I got a really good score on Azure Websites and of course Virtual Machines, since I used to run several of them on Azure. I also found out that Azure Active Directory is one of the parts I have to invest a little more in.

Skills measured

Implement websites (15-20%)

  • Deploy websites
    • Define deployment slots; roll back deployments, configure and deploy packages, deploy web jobs, schedule web jobs
  • Configure websites
    • Configure app settings, connection strings, handlers, and virtual directories; configure certificates, custom domains, and traffic manager; configure SSL bindings and runtime configurations; manage websites by using Windows PowerShell and Xplat-CLI
  • Configure diagnostics, monitoring, and analytics
    • Retrieve diagnostics data; view streaming logs; configure endpoint monitoring, alerts, and diagnostics; monitor website resources
  • Configure scale and resilience
    • Configure auto-scale using built-in and custom schedules; configure by metric; change the size of an instance
  • Manage hosting plans
    • Create hosting plans; migrate websites between hosting plans; create a website within a hosting plan

Implement virtual machines (15-20%)

  • Deploy workloads on Azure virtual machines (VMs)
    • Identify supported Microsoft workloads; deploy and connect to a Linux VM; create VMs
  • Implement images and disks
    • Create specialized and generalized images for Windows and Linux; copy images between storage accounts and subscriptions; upload VHDs
  • Perform configuration management
    • Automate configuration management by using PowerShell Desired State Configuration and custom script extensions; enable puppet and chef extensions
  • Configure VM networking
    • Settings include reserved IP addresses, access control list (ACL), internal name resolution, DNS at the cloud service level, load balancing endpoints, HTTP and TCP health probes, public IPs, firewall rules, direct server return, and Keep Alive
  • Configure VM resiliency
    • Scale up and scale down VM sizes; auto-scale; configure availability sets
  • Design and implement VM storage
    • Configure disk caching; plan storage capacity; configure operating system disk redundancy; configure shared storage using Azure File service; configure geo-replication; encrypt disks
  • Monitor VMs
    • Configure endpoint monitoring, alerts, and diagnostics

Implement cloud services (15-20%)

  • Configure cloud services and roles
    • Configure instance count and size, operating system version and family, upgrade and fault domains, ACLs, reserved IPs, and network access rules; configure local storage; configure dedicated and co-located caching, local and cloud configurations, and local disks; configure multiple websites; configure custom domains
  • Deploy and manage cloud services
    • Upgrade a deployment; VIP swap a deployment; package a deployment; modify configuration files; perform in-place updates; perform runtime configuration changes using the portal; scale a cloud service; create service bus namespaces and choose a tier; apply scalability targets
  • Monitor cloud services
    • Monitor service bus queues, topics, relays, and notification hubs; configure diagnostics

Implement storage (15-20%)

  • Implement blobs and Azure files
    • Read data; change data; set metadata on a container; use encryption (SSL); perform an async blob copy; configure a Content Delivery Network (CDN); implement storage for backup and disaster recovery; configure Azure Backup; define blob hierarchies; configure custom domains; configure the Import and Export Service
  • Manage access
    • Create and manage shared access signatures; use stored access policies; regenerate keys
  • Configure diagnostics, monitoring, and analytics
    • Configure retention policies and logging levels; analyze logs
  • Implement SQL databases
    • Choose the appropriate database tier and performance level; configure point in time recovery and geo-replication; import and export data and schema; design a scaling strategy
  • Implement recovery services
    • Create a backup vault; deploy a backup agent; back up and restore data

Implement an Azure Active Directory (15-20%)

  • Integrate an Azure AD with existing directories
    • Implement DirSync, O365 integration, and single sign-on with on-premises Windows Server 2012 R2; add custom domains; monitor Azure AD
  • Configure the Application Access Panel
    • Configure single sign-on with SaaS applications using federation and password based; add users and groups to applications; revoke access to SaaS applications; configure access; federation with Facebook and Google ID
  • Integrate an app with Azure AD
    • Web apps (WS-federation); desktop apps (OAuth); graph API

Implement virtual networks (15-20%)

  • Configure a virtual network
    • Deploy a VM into a virtual network; deploy a cloud service into a virtual network; configure static IPs; configure internal load balancing; design subnets
  • Modify a network configuration
    • Modify a subnet; import and export a network configuration
  • Design and implement a multi-site or hybrid network
    • Choose the appropriate solution between ExpressRoute, site-to-site, and point-to-site; choose the appropriate gateway; identify supported devices and software VPN solutions; identify networking prerequisites; configure regional virtual networks and multi-site virtual networks

Preparation

To prepare for the exam I used several different resources such as Microsoft Virtual Academy, TechNet, Channel9 and of course Microsoft Azure itself. I also found some great community blogs which have some link summaries:

If you are going to take this exam I wish you good luck.

Update: Microsoft retired some of the Azure exams and replaced them with new ones. One of them is the AZ-100 series, which will give you the Microsoft Certified: Azure Administrator certification and replaces the 70-533.



Azure Preview Virtual Machines

Virtual Machines IaaS now available in the Azure preview portal

Some months ago Microsoft launched a new preview portal for Microsoft Azure, with a cool new design and features. The IaaS or Virtual Machine service was missing from the portal. A week ago Microsoft announced that it would add some enhancements to the preview portal, including Virtual Machines. Today Microsoft rolled out the enhancements to the portal, along with other improvements:

  • IaaS Functionality: Create, deploy, monitor and manage rich virtual machines’ based applications, and manage virtual networks within a fully customizable Portal experience. In addition to creating simple virtual machines, we are adding the ability to automate the deployment of rich multi-machine application templates with a few clicks. With this, deploying a multi-tier, highly-available SharePoint farm from the portal will be a few clicks away!
  • Resource Group enhancements: Manage infrastructure services like virtual machines and virtual networks along with platform services like web sites and databases, all within the same Resource Group, as a single application. This level of flexibility and control is an example of how Azure is leading the way in blurring the lines between infrastructure and platform services, giving customers the choice to pick the best platform for their application needs.
  • Azure Image Gallery Updates: The completely re-imagined Azure Gallery is more powerful with the addition of several new virtual machine images that enable you to provision dev/test servers or production applications in minutes. The new virtual machine images and templates take the guesswork out of building, orchestrating and deploying complex applications, thus letting you focus on creating business value instead of managing the infrastructure.
  • Azure SQL Database: Customers can manage their Azure SQL Databases within the Portal, consistent with other Azure services. This includes provisioning databases across Web and Business (currently in general availability) and Basic, Standard, and Premium (currently in preview).

Check out the blog from the Director, Product Marketing, Microsoft Azure to learn more.

Azure Preview Portal Virtual Machine



Savision Cloud Advisor VMM Tuning Tips

Cloud Advisor for System Center Virtual Machine Manager

As you may know I do a lot of work around Hyper-V, System Center and Windows Azure Pack. One of the most critical parts of the Microsoft Cloud is System Center Virtual Machine Manager. VMM is the component where almost everything comes together in some way, from the Fabric resources such as Storage, Compute and Networking up to the Virtual Machines and Services running on top of the Fabric layer. Virtual Machine Manager basically allows you to pool resources and offer them to tenants, which can then deploy services and virtual machines to the pools.

This means VMM manages not only your Virtual Machines; Virtual Machine Manager also manages your network environment, your storage and a lot more. So wouldn't it be great to use the data Virtual Machine Manager collects to review your environment and get some tips on how you can optimize it? This is exactly what Savision did with their Virtual Machine Manager Add-in called Cloud Advisor, which includes tuning and optimization recommendations.

Savision’s Cloud Advisor looks for problems like:

  • “Virtual Machine Appears to be Unused”
  • “Prediction: All Available Memory Will Be Consumed By…”
  • “Virtual Guest Services Are Not Installed”
  • “Starting Memory Is Too High”
  • “Low Disk Space On Cluster Shared Volume”
  • “Dynamic Memory is not enabled”
  • and a lot more…

Most of you will think: okay, this sounds great, but how much will this thing cost? Well, that's the great part: the Savision Cloud Advisor for System Center Virtual Machine Manager is absolutely free. So there is absolutely no reason why you shouldn't deploy the Savision Cloud Advisor in your Virtual Machine Manager environment.

Simply go to the Savision homepage, download the Cloud Advisor and import it into VMM.

Import Cloud Advisor Addin into VMM

After that you will have to connect to the VMM database and let the Savision Cloud Advisor do its job, showing you tips and recommendations for your environment.

Savision Cloud Advisor VMM Tuning Tips

By the way, there are other cool VMM Add-ins from Cisco for their UCS Bladecenter and from 5Nine for the Virtual Firewall Appliance.



Veeam Webinar

Veeam Hyper-V 2012 R2 Webinar recording available

Yesterday I had the chance to do a webinar on Windows Server 2012 R2 Hyper-V and Veeam Backup & Replication V7 R2 together with Moritz Höfer (System Engineer at Veeam). The webinar is in German and covers some of the new features in Hyper-V 2012 R2 and the Veeam Backup & Replication solution for Hyper-V with slides and live demos. You can watch the webinar for free on the Veeam website.

Veeam Webinar Hyper-V 2012 R2



5Nine Hyper-V Security Console

5nine Cloud Security for Hyper-V 4.0

Security is a critical part of your datacenter, and with a high virtualization rate it gets even more critical and complex to manage. Gartner estimates that in 2014 roughly 75% of all servers will be virtual, with the number continuing to rise year after year. If you are working in a highly virtualized environment you know how difficult it can be to protect your virtual machines and networks. It is even harder if you are a cloud service provider and you want to protect your customers: sometimes you don't even have access into the virtual machines, and you cannot really make sure the customer does everything right.

For some customers I was looking for a solution with centralized management and no impact on the performance of the virtual machines. Through some contacts I had the chance to talk with 5Nine Software, which offers some great solutions for Hyper-V management and Hyper-V security. In December 5Nine Software released its latest beta version of Cloud Security for Microsoft's virtualization solutions, called 5Nine Cloud Security for Hyper-V. The new version includes some new features like real-time active anti-virus protection, VM Security Groups, a new LWF R2 VM Switch extension, role based access and, most importantly, support for NVGRE, in other words Hyper-V Network Virtualization support, which will make especially service providers very happy.

5Nine Hyper-V Security Agentless

Some key details about the 5nine Cloud Security for Hyper-V:

  • Multi-tenant security
  • Agentless, host-based solution for AV scans
  • Supporting Windows Server 2012 R2 Hyper-V
  • Granular control over each virtual machine using Hyper-V Extensible Switch, no agent required
    • Configure the Advanced / Full Kernel mode Virtual Firewall for each VM individually
      • MAC Address filtering
      • ARP Rules
      • SPI (stateful packet inspection)
      • Network traffic anomaly analysis
      • Inbound and outbound per VM bandwidth throttling
      • MAC broadcast filtering
      • All filtering events logging with more data (UM logs only contain blocked events)
    • Configure network filtering rules on a per-VM basis
    • Set inbound/outbound traffic limits and bandwidth utilization by virtual machine
  • Meet the security demands of enterprise, management service providers (MSPs), public sector, and hosting providers who leverage Microsoft’s Hyper-V Server and Cloud Platform
  • Provide the first and only seamless agentless compliance and agentless security solution for the Hyper-V Cloud
  • Deliver multi-layered protection together with integrated, agentless antivirus and intrusion detection capabilities
  • Offer unmatched levels of industry-demanded protection and compliance (including PCI-DSS, HIPAA, and Sarbanes-Oxley)
  • Secure the Cloud environment with anti-virus technology that runs with virtually zero performance impact while simultaneously improving virtual machine density
  • Provide network traffic control between virtual machines
  • Enforce secure multi-tenancy and Virtual Machines Security Groups
  • Provide NVGRE support (Hyper-V Network Virtualization)
  • Detect and block malicious attacks
  • Supports any guest OS supported by Windows Hyper-V including Linux

Architecture

In my lab I had the chance to have a look at the latest beta and wow, I was pretty impressed. Well, the installation and the management are so easy, you don't really need any documentation. That's how a security product should work: it should not make your environment even more complex, it should help you to keep your environment secure without adding extra complexity to it.

Let's first look at the architecture of the environment, which is pretty simple. Basically you have 3 components:

  • The Management Service – This would be your 5Nine management server which needs a SQL database (minimum MS SQL Express) and all Hyper-V Hosts are connected to this management server.
  • The Host Management Service – which is basically the software and agent running on the Hyper-V host itself.
  • The Management Console – The console where you can configure everything. The console is simply connected to the management server.

Some impressions

If we have a look at one of my Hyper-V Hosts after the installation, you can see some new things on the server. Basically 5Nine Cloud Security adds some services to the Hyper-V hosts (not to the virtual machines) for management and malware protection.

5Nine Hyper-V Security Services

And if we have a look at the Hyper-V Virtual Switch, we can see a new extension added to it.

5Nine Hyper-V Virtual Switch Extension


The management console is where the magic happens and where you configure your environment. The console in my opinion is pretty simple, and you can easily find all the options you need.

5Nine Hyper-V Security Console

Besides the Virtual Firewall you can also configure Antivirus Protection, Firewall logging and a lot more.

5Nine Hyper-V Security Antivirus Settings

But wouldn't it be great to just manage this from your favorite datacenter management tool, called System Center Virtual Machine Manager? Well, in version 3 5Nine created a plugin for Virtual Machine Manager which allows you to set all the settings directly from the VMM console.

5Nine Hyper-V Security System Center VMM Plugin

As I already mentioned, I am pretty impressed, and I think this is exactly what a lot of customers and service providers are looking for. It provides a simple, centralized and easy to manage Hyper-V security solution and integrates perfectly into your datacenter.