There are a few different way to update to vCenter server appliance (VCSA). In this post we will be going through using CLI method to apply vCenter patches. Before updating VCSA make sure you have a current backup and take a snapshot before proceeding in case of any issues.
First we need to connect to the vCenter server. I will be using the inbuilt OpenSSH feature in PowerShell but you can use what ever SSH client you prefer.
Next we need to connect to the vCenter server using ssh.
Next we can run the below command to view the vCenter update history
software-packages list --history
We can use the below command. This will list the current update settings, if the vCenter server has no internet access then you could update the URL to use an internal web site that contains the update files.
We will be using the default URL from the update.get command when running the update
In this post we will be looking at creating a report to show what Azure App registrations have expiring client secret / certificate in the specified amount of days.
There is currently no in built way to report on expiring App registrations in the Azure portal other than checking the app registration, so we will be using Microsoft Graph SDK to automate the reporting.
First to automate the report we need to create an app registration to use for the Microsoft Graph connection. I have gone through this in a previous post.
The specific Microsoft GraphApi application permission required is Application.Read.All, this needs to be added to the App Registration that we use for Microsoft Graph.
Next we need to connect to Microsoft Graph using.
To list the app registration use
Once we have the list of apps we can use PasswordCredentials to view client secret details
and KeyCredentials to view the certificates details
Once we have the required properties, we can create the script to export the app registration details.
There are two parameters Reportonly which returns just the result to PowerShell window and ReportExport which will export the report to the specific folder specified.
In this post we will be going through deploying new SNMP configuration to a list of ESXi hosts using PowerCLI. We can add SNMP using ssh and esxcli commands but this will required SSH to be enabled and connecting to each host.
We can use Set-VMHostSNMP command to set the SNMP configuration by conecting to the host using connect-viserver which uses https to connect and does not required SSH to be enabled.
First we need to connect to the ESXi host
Connect-VIServer -Server esxihost.domain.local
use a local account like root to connect
If you get a certificate error and can’t connect you might need to update the PowerCLI Configuration or install the root cert to trust the self singed cert of the ESXi hosts.
Below is an example of what the csv file should look like if you want to use a different heading the script will need to be updated.
Each of the values will be called as parameter to allow easy re-use below is an example of the SNMP script running against my test hosts.
Using PowerCli can be a quicker way to set and enabled SNMP on a list of hosts rather than having to SSH and use esxcli command. This can also be used to update the existing SNMP configuration to a new traps target.
In this post we will be going through setting up and using storage access policy with Azure storage account. We can create SAS URL but each time we create one there is no way to revoke without rotating the storage keys.
A stored access policy can be used to control shared access signatures (SAS) on the server side. We can use a stored access policy to change the start time, expiry time, or permissions for a SAS URL that is generated from a storage account. We can also revoke access after it has been issued with out having to rotate the storage keys.
Below are the storage resources that support stored access policies:
First we will create a new storage account in Azure.
Logon to Azure and go to storage accounts. Click Create and add in the basic details and I left the rest as default.
Once the storage account is deployed, we will be creating a container in the below example its called files.
Go in to the container and create a policy under Access policy.
Give the policy a name, set the required permission and start / end date. Click ok and then save the policy.
Once the policy is create it will show under access policy.
Now that we have the access policy we will need to create a new SAS. There are two ways to create this.
First we can create it directly from Azure storage under Shared access tokens.
Select the Stored access policy. We can also restrict access down to a specific IP.
Next click on Generate SAS token and URL.
We can also use Azure Storage Explorer to create a new SAS.
Logon with an account that has access to the storage account.
Select the storage account that we want to create the SAS for.
Select the Access policy, this will then grey out all the options as we are now using the access policy for the SAS.
Click create and this will generate the URL with the SAS key and will also reference the access policy
To test access to the blob we can connect using Storage Explorer.
Click on the connect to Azure Storage and select Blob container.
Give the connection a name and add in the SAS URL generated earlier.
The last screen is a summary of details once all are confirmed, click connect.
We have now connected to the Files container we created with the storage policy and SAS.
To test the policy is working we can try delete the a file as I didn’t apply that permission in the policy I get access denied.
Now we can update the policy and add the delete permission. Click save the policy can take 30 seconds to update.
Now when delete the file it completes without issue.
Using a storage policy allow granular access control and also means if we need to change a permission or start / expiry time for an application or user that is using the SAS URL, we no longer have to re-issue each time we can just update the storage policy used for the SAS.
In the previous post we went through the process of deploying an Bicep template using parameter that where called directly from PowerShell.
This is ok when deploying resources that require only a few values to be set, but this can become difficult to manage when there are a lot of parameter like when deploying virtual machines or web apps.
A parameter file for Bicep is a json file that has the specific parameter names and values set.
I used this Microsoft document as a reference to create the parameter file.
Next we will create a template to deploy a virtual machine and it network interface. To create base template in visual studio code type
res-nic to populate the network interface:
Use res-vm-windows to populate the virtual machine.
I will be creating parameters for each part that requires customization and anything that doesn’t I will leave with the hardcode values like. The @descirpiton is a Parameter decorators that allow use to add a description of what the parameter is used for.
I create two variables for the vnetId and subnetref that are used for the network interface
Below is what the updated virtual machine resource template looks like.
Once we have the Bicep template file ready the next step is to configure the parameter file. I copied the default template file code from the above Microsoft document and added in each of the required parameters.
To get the virtual network ID that will be used in the parameters file go to the virtual network and click on properties > Resource ID.
Once we have that we can fill out the reset of the parameter values.
After the template file has been configured, we can test the deployment same way as the storage account and use the whatif to confirm there are no errors.
As I have not set the admin password in the template or parameter file the deployment will prompt for the admin password to be set on the VM.
If the test deployment comes back without any issues we can check the results from the whaif deployment to confirm all the are correct.
Since the template and parameter files have returned no error we are ready to run and deploy the new VM resource.
If we check the resource group the new VM, OSDisk and network interface should be created.
Now that we have all the template and parameter file working we can just create a new parameter file for each VM resource. We can now create fully customized VM’s pretty quickly instead of having to deploy using the Azure market place and manually select the options we want to set.
In a previous post we went through deploying resource using ARM templates. I have been recently working on creating some new templates to be used for additional deployment and decided to use Bicep templates instead as it seem to an easier and more straight forward way of writing template files to deploy resources in Azure.
Bicep uses a simpler syntax than creating templates using JSON, the syntax is declarative and specifies which resources and resource properties you want to deploy.
Below is a comparison of a JSON and Bicep template file to create a storage account.
We can see that the bicep file is an easier format to read and create.
To get started with Bicep we will first be installing the Bicep extension to Visual Studio Code so we can edit and modify Bicep templates.
The extension adds intellisense which makes it easier than looking up the full syntax for each resource.
To create a new template click on new file in VS code and select bicep as the language.
To create a template using intellisense either start typing the res-resource type or the resource type itself.
Click on the resource to pre populate the template.
The values can be hard code in the template file but this would require manual change each time the template is run.
We can add parameters to the template to make it more reusable. There are a few different types of parameters that can be used.
Below is a brief description of each type.
Single line value
Allow multiple values
Required true or false
Allows property types
Microsoft have a more in depth document on the different data types.
Once connected we can use the New-AzResourceGroupDeployment to deploy the template and specify the parameters values. To test the deployment for errors without running an actual deployment we can use the -whatif parameter.
During a recent project I have been deploying new VM to Azure, when trying to configure the Azure VM backup I was getting a failure at taking snapshot.
The error that showed in the reason was UserErrorRequestDisallowedByPolicy.
This was being caused by a policy that one of the Azure Admins had setup to require tags be configure on resource groups. When a initial backup is run it creates a resource group to save the restore point collection to and it is this resource group that is getting blocked by the Azure tag policy.
To view the policy details we can go to Policy > assignments
Click on the policy to view the parameter’s.
There are two option to work around this issue, either changing the policy from a Deny effect to a Modify effect, or create the resource group manually.
I will be creating a manual resource group as I am not that familiar with creating custom policy yet and this was the quicker workaround.
Below is the link to the Microsoft document on creating a manual resource group for restore collection point.
Here are the steps that I did to get around this, by manually creating the resource group that will be used for the backup.
This needs to be RG name with 1 as this starting number in my case I used TheSleepyAdmin_Backup_RG1.
In the backup policy we specify the new resource group. Go to Azure Backup center > Backup policies.
Put in the name of the resource group we create manually without the number. In my case this was TheSleepyAdmin_Backup_RG
Wait for the policy update to complete.
Now try the backup again and it should complete.
If we check the resource group we can see that the restore point collection has been created.
Any addtional backup should now also be successfully, if the resource group becomes full it will try to create a new RG so there maybe a need to create another RG in the future. I will be having a look at creating or updating the tag policy to apply a modify instead of a deny but that will be in a different post as this seems like it would be a better longer term solution.