Tag: VM

Last updated by at .

Azure Stack Backup with Azure Backup Server

Protect Azure Stack Tenant Workloads with Azure Backup Server

If you are running Azure Stack in your datacenter, you also want to backup workloads running on Azure Stack. This blog post covers how you can backup Azure Stack tenant workloads with Azure Backup Server. Azure Backup allows you to protect on-premise workloads running on different platforms as well as on Azure Stack and store long-term data in Azure.

Why protecting Azure Stack workloads with Azure Backup Server

Microsoft Azure Backup Server is included as a free download with Azure Backup that enables cloud backups and disk backups for workloads like SQL, SharePoint and Exchange regardless if these workloads are running on Hyper-V, VMware, Physical servers or Azure Stack. It also provides a central console to protect these workloads. If you compare this to the Azure Backup Agent, where you have to configure the agent on every single server. The Azure Backup Server also allows you to not only do file backup, but also backup of applications like SharePoint, SQL Server, Exchange and more. This gives you flexibility and centralized management to back up your infrastructure as a service (IaaS) workloads on Azure Stack.



Inked Azure Security Center Just in time VM access_LI

Azure – Just in Time VM access

If you run virtual machines with public IP address connected to the internet, attackers immediately try to run attacks against it. Brute force attacks commonly target management ports, like RDP or SSH, to gain access to a VM. If the attacker is successful, he can take control over the VM and access other resources in the environment. To address that issue it is highly recommended to reduce the ports open, especially for the management ports. However, sometimes you will need to open to ports for some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this issue, called Just in time virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

How does Azure Just in Time VM Access work

In the Azure Security Center you can enable just in time VM access, this will create a Network Security Rule (NSG) to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration, you will be configuring the ports specified, which will be managed by Azure Security Center, these ports will be locked down by the Azure Security Center using an NSGs.

Configure Azure just in time VM access

Inked Configure Just in time VM access_LI

Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states, Configured, Recommended and No recommendation.

  • Configured – VMs that have been configured to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure you click on Recommended and select the Virtual Machine, for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM Access. Just in time VM access will recommend some default ports like RDP, SSH and PowerShell Remoting. You can also add other ports to the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine

Request Just in time VM access

On the Configured section, you can select the VM you want to request access to and click on Request access. You can now select the ports you want to be open for a specific time and a specific IP address. This will open up the ports and after 2-3 minutes you will be able to access the virtual machine.

To send such a request, the user which requests access to the Virtual Machine needs to have write access to the virtual machines in the Azure Role-Based Access Control (RBAC).

Auditing Azure just in time VM access activity

Of course all the request get logged and can be reviewed in the Activity Log.

Licensing of Azure just in time VM access

Azure just in time VM access is licensed over Azure Security Center and needs the Standard Tier to be enabled for the specific virtual machine.

I hope this gives you an idea how you can leverage Just in time VM access in Azure for your workloads.



Create Ubuntu Hyper-V Generation 2 Virtual Machine

How to Install Ubuntu in a Hyper-V Generation 2 Virtual Machine

If you want to install Ubuntu or any other Linux inside a Hyper-V Generation 2 Virtual Machine you need to do a simple change to the VM so you can install it from ISO.  If you just create a Hyper-V Generation 2 Virtual Machine and try to start the Virtual Machine, the Virtual Machine will not boot from ISO. This is because of the Secure Boot feature which is included in Hyper-V Generation 2 Virtual Machines, and applies to all Linux operating systems running on Hyper-V.

How to Install Linux in a Hyper-V Generation 2 VM

Create a new Virtual Machine in the Hyper-V Manager

Create Ubuntu Hyper-V Generation 2 Virtual Machine

On the Hyper-V Virtual Machine Generation selection screen, choose Generation 2

Create Ubuntu Hyper-V Generation 2 VM

Attach the Ubuntu ISO Image to the virtual machine

Attach Ubuntu ISO to Hyper-V VM

After you have created the Virtual Machine using the wizard, go into the settings of the virtual machine. Switch to the Security section and choose the Microsoft UEFI Certificate Authority Secure Boot Template.

Now the Virtual Machine will boot from the Ubuntu ISO and you can install Ubuntu.



Hyper-V HVC SSH Direct for Linux VMs

HVC – SSH Direct for Linux VMs on Hyper-V

If you are running Hyper-V on Windows 10 or on Windows Server 2016, you probably know about a feature called PowerShell Direct. I also mentioned that PowerShell Direct is one of the 10 hidden features in Hyper-V you should know about. PowerShell Direct lets you remote connect to a Windows Virtual Machine running on a Hyper-V host, without any network connection inside the VM. PowerShell Direct uses the Hyper-V VMBus to connect inside the Virtual Machine. Of course this feature is really handy if you need it for automation and configuration for Virtual Machines. As this is great for Windows virtual machines, it does not work with Virtual Machines running Linux. In the latest Windows 10, Windows Server 1803 (RS4) and Windows Server 2019 (RS5) Insider Preview builds, Microsoft enabled a tool called HVC. HVC is at tool which allows you to do some command line VM management. HVC SSH is basically SSH Direct of Linux VMs.

This allows to connect to a Linux VM using SSH over the Hyper-V VMBus. You are also able to copy file inside a virtual machines using scp.

How to connect to Linux VMs using SSH Direct

HVC SSH on Hyper-V

To connect to Linux VMs using SSH Direct (HVC) simply type hvc.exe into the command line or PowerShell. This will give you all the possible command options. Of course SSH has to big configured inside the Linux virtual machine.

To make this work, the SSH server inside the VM needs to be configured.

Final Thoughts

Pretty cool tool which will be available in the official releases of Windows 10 and Windows Server 1803, released this spring. Later this year this feature will also be included in Windows Server 2019. If you want to try it out today, give the Windows Insider Preview builds a spin.

Thanks to Ben Armstrong for pointing this out 😉



Azure to Azure Site Recovery

Disaster recovery for Azure IaaS virtual machines using ASR

Microsoft today announced the public preview of disaster recovery for Azure IaaS virtual machines. This is basically Azure Site Recovery (ASR) for the Azure-to-Azure scenario. With that you can replicate Azure virtual machines from one Azure Region to another Azure Region, without deploying any other infrastructure components such as software appliances. Cross-region DR feature is now available in all Azure public regions where ASR is available.

The Azure Documentation describes it the following way:

In addition to the inbuilt Azure infrastructure capabilities and features that contribute to a robust and resilient availability strategy for workloads running on Azure VMs, there are a number of reasons why you need to plan for disaster recovery between Azure regions yourself:

  • Your compliance guidelines for specific apps and workloads require a Business continuity and Disaster Recovery (BCDR) strategy.
  • You want the ability to protect and recover Azure VMs based on your business decisions, and not only based on inbuilt Azure functionality.
  • You need to be able to test failover and recovery in accordance with your business and compliance needs, with no impact on production.
  • You need to be able to failover to the recovery region in the event of a disaster and fail back to the original source region seamlessly.

Azure to Azure VM replication using Site Recovery helps you to do all the above.

Azure to Azure Site Recovery Setup

To set this up you have to create an Azure Recovery Vault. This Recovery vault cannot be in the same region as the source virtual machines, because if the region is down, you will not have access to the vault.

Azure ASR Configuration Settings

Form that you can choose to create a new Replication and select the virtual machines you want to replicate. You can select the virtual machines you want to replicate. At the end you choose the target location and create the needed target resources and start the replication.

This will now allow you to failover you virtual machines to another Azure region.

Azure ASR Failover

Source Microsoft

There are some limitations right now, like no support for managed disks or limited operating system support. Check out the Azure Site Recovery support matrix for replicating from Azure to Azure for more support information.

Azure Site Recovery now allows you to replicate Virtual Machines from:

Azure Site Recovery Overview

  • On-premise Hyper-V Servers
  • On-Premise Hyper-V using System Center Virtual Machine Manager
  • On-Premise Physical Servers
  • Virtual Machines from AWS
  • Virtual Machines from another Azure Region

 



Azure Nano Server PowerShell Package Management

How to deploy Nano Server in Azure

In some other post I have written how you can deploy a Nano Server on premise using PowerShell or the Nano Server Image Builder. In this post I will quickly show you how you can setup a new Nano Server in Microsoft Azure.

To deploy Nano Server in Azure, Microsoft offers you a Nano Server Image in the Marketplace.

Using the Azure Portal to deploy Nano Server on Microsoft Azure

There are also several ways you can deploy Nano Server, for example using the Azure Portal or PowerShell. First this will show you how you can create a Nano Server Virtual Machine using the Azure Portal.

Nano Server on Azure Marketplace

Simply follow the steps to create a new Azure Virtual Machine.

Nano Server on Azure VM Size

The most important part is to configure the Network Security Groups to allow PowerShell Remoting since Nano Server does not support RDP. There are two options to do this, using WinRM over http (5985) or using WinRM using https (5986). To be honest in production you should only use https, but for some demos or if you are configuring Nano Server to be used over a VPN you can also use WinRM over http. I also recommend that you remove the RDP port rule, since this is not really necessary. If the WinRM rule in the network security group is not already there, just create it. For easy setup you can use 5985 if you want to use SSL you will require additional steps.

Nano Server on Azure Network Security Groups NSG

Follow the rest of the wizard to deploy the new Nano Server VM. After the VM is created you will see it in the Azure Portal. You can now use the IP address to connect to the virtual machine using PowerShell remoting. If you don’t have a VPN connection to the Azure VM Network you will need to use the public IP address, if it is connected trough a VPN or from another machine running in the same VM Network, you can use the internal IP address. In my demo case I am using the public IP address to connect to the virtual machine. To make it easier I also created a Public DNS name for this Azure IP address.

Nano Server on Azure Public DNS Name

To connect to your Nano Server you also have to setup PowerShell Remoting on your machine and add the host to your trusted hosts group.

You can now connect to your Nano Server running in Azure.

Nano Server PowerShell Remoting Azure VM

Using the Azure PowerShell module to deploy Nano Server on Microsoft Azure

First you have to install the Azure PowerShell Module and get the NanoServerAzureHelper PowerShell Module (NanoServerAzureHelper_20160927) this will help you with the setup.

Time to fire up PowerShell and login to Azure

First create a new Azure Resource Group and a Key Vault if you don’t have them already available. The key vault will be helping you to use SSL configuration for your PowerShell remoting.

Import the NanoServerAzureHelper PowerShell module which you have downloaded before.

NanoServerAzureHelper PowerShell Module

This will give you some new PowerShell cmdlets to deploy Nano Server quickly on Azure.

The most important for creating new Nano Server VMs in Azure is simply the New-NanoServerAzureVM.

New-NanoServerAzureVM

Create a new Nano Server VM in Azure using the following PowerShell command:

New-NanoServerAzureVM Create Nano Server VM

To connect you can get the public IP address for the system you deployed and connect to it

 

Using PowerShell Package Management to Install Roles and Features on Nano Server

Since in Nano Server does not include any roles per default you can now use PowerShell Package Management to installed Nano Server Packages on your Azure Virtual Machine.

Azure Nano Server PowerShell Package Management

If you want to know more about PowerShell Package Management on Nano Server, check out my blog post. If you want to know more about Nano Server in general check this post here: Nano Server – The future of Windows Server – Just enough OS

 

 

 

 

 

 

 



Hyper-V Nested Virtualization

Hyper-V Nested Virtualization in Windows 10 Build 10565

This week Microsoft released a new Windows 10 Insider Preview build to the Windows Insiders. It brings a couple of new features to the OS, but Ben Armstrong (Hyper-V Program Manager at Microsoft) mentions in a blog post that it also brings a preview of Nested Virtualization to Hyper-V in Windows 10. Nested Virtualization allows you to run Hyper-V inside a VM. This is prefect for Lab and Training scenarios, so you can run multiple Hyper-V server without the need of a lot of physical hardware.

So how can you enable Nested Virtualization in this early preview build? Theo Thompson describes this in a blog post:

Step 1: Create a VM

Step 2: Run the enablement script

Given the configuration requirements (e.g. dynamic memory must be off), we’ve tried to make things easier by providing a PowerShell script.

This script will check your configuration, change anything which is incorrect (with permission), and enable nested virtualization for a VM. Note that the VM must be off.

Step 3: Install Hyper-V in the guest

From here, you can install Hyper-V in the guest VM.

Step 4: Enable networking (optional)

Once nested virtualization is enabled in a VM, MAC spoofing must be enabled for networking to work in its guests. Run the following PowerShell (as administrator) on the host machine:

Step 5: Create nested VMs

This is still a very early preview and this means this feature still has a lot of know issues:

  • Both hypervisors need to be the latest versions of Hyper-V. Other hypervisors will not work. Windows Server 2012R2, or even builds prior to 10565 will not work.
  • Once nested virtualization is enabled in a VM, the following features are no longer compatible with that VM. These actions will either fail, or cause the VM not to start:
    • Dynamic memory must be OFF. This will prevent the VM from booting.
    • Runtime memory resize will fail.
    • Applying checkpoints to a running VM will fail.
    • Live migration will fail.
    • Save/restore will fail.
  • Once nested virtualization is enabled in a VM, MAC spoofing must be enabled for networking to work in its guests.
  • Hosts with Virtualization Based Security (VBS) enabled cannot expose virtualization extensions to guests. You must first disable VBS in order to preview nested virtualization.
  • This feature is currently Intel-only. Intel VT-x is required.
  • Beware: nested virtualization requires a good amount of memory. I managed to run a VM in a VM with 4 GB of host RAM, but things were tight.