Configure Azure Site Recovery for VMware

Azure site recovery (ASR) is a DR / Migration tool from Microsoft and can be used to configure DR between data centers or Azure.

In this post we will be going through setting up ASR to replicate a VM from VMware to Azure.

There are some limitations for ASR these are listed the below link

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix

The main limits for VMware are guest disk need to be less than 4TB and vCenter needs to be at least 5.5.

I have a previous post on how to configured a recovery service vault so I wont be going over that again but if you need to configure here is the previous post.

https://thesleepyadmins.com/2018/11/23/azure-vm-backup-using-azure-recovery-service-vault/

Logon to Azure

Go to Recovery Services vaults

ASR1Go to the already configure vault, select Site Recovery and click on prepare infrastructureASR2Once the wizard has started select the require goalsASR3I am not running the planning tools as this is a test but it is recommended to run before starting a deployment to verify the required bandwidth. ASR4Next we will download the OVA appliance that will be imported to VMwareASR5Once the OVA has been downloaded and imported to VMware on boot up the server will require you to read / accept a licence agreement and provide an administrator password.

Give the server a name (this will show up in as the configuration server in Azure after the setup as been completed)ASR6Next step is to sign in to Azure tenant that the server will connect to for replicationASR8Next we will go through the configuration steps first step is to set the interface that will be used to connect to on-prem devices & connection back to Azure there can be two different NIC’s assigned if required. ASR9Next is to configure the Recovery vault that will be used, select the subscription, the recovery vault RG and recovery service vault that has been configured. ASR10Install the MySQL software ASR11Next a validation test will run. (I am getting a warring for memory and CPU as I didn’t have enough memory / CPU and had to edit the VM to run on less resource but it will still complete)ASR12Next is to connect to the vCenter server that is running the VM’s that are to be replicated to Azure. ASR13Last step will configure the configuration server in Azure.ASR15Once this has been completed we can go back to the Azure portal and we should now see the configuration server show under prepare infrastructure setupASR16

Select the subscription and deployment model to be used for failover I am using Resource ManagerASR17Next create a replication policy to apply to the ASR configuration server. ASR18ASR19Once the configuration is done we can now protect and replicate our on-prem VM’s , go back to site recovery and select step 1: Replicate Application ASR20Select source, source location (Configuration server on-prem)Machine type (Physical / virtual), vCenter (If virtual) and the process serverASR21Select the subscription, RG that the VM will replicate too and the deployment modelASR22Next select the server that will be replicated the VM must be powered on and be running VMware tools be available for replication other wise they will be grey-outASR23Select the required disk type, storage account ASR24last step is to assign the policy required (Multiple policy can be created base on the recovery time requirements and retention times)ASR25

Last step is to enabled replication

ASR26

Once enabled check the site recovery jobs to see the progressASR27Once replication has completed we can create a recovery plan, go to recovery Plans (Site Recovery and select Recovery planASR28Give the plan a name, select source, target , deployment type and select the VM’s that will be added to the recovery.ASR29ASR31

Azure Migrate Services Setup

With more companies looking to move workloads from on-prem to cloud providers, it can be difficult to work out the cost for current workloads.

In Azure we can utilize Azure Migrate Services.

At the time of this post VMware is only supported, this will be extended to Hyper-v in future releases. VMware VMs must be managed by vCenter Server version 5.5, 6.0, 6.5 or 6.7.

In this post we will be going through the process off assessing the on-prem VMware environment and view the assessment report.

The environment we will be assessing is VMware vCenter 6.7 and ESXi 6.7 and a VM running Windows Server 2016.

The architecture of the Azure Migrate Service is shown in the following diagram

AZMIG

Below is the process

  • Create a project: In Azure, create an Azure Migrate project
  • Discover the machines: Download collector VM as an OVA and import to vCenter
  • Collect the information: The collector collects VM metadata using VMware PowerCLI cmdlets. Discovery is agentless and doesn’t install anything on VMware hosts or VMs. The collected metadata includes VM information (cores, memory, disks, disk sizes, and network adapters). It also collects performance data for VMs
  • Assess the project: The metadata is pushed to the Azure Migrate project. You can view it in the Azure portal.

Logon to Azure

Go to All services search for migration projectAZMIG_1

Select Create migration project

AZMIG_2

Give the project a Name, subscription, Resource group & Geography

AZMIG_3

Select Discover & Assess AZMIG_4

Select Discover and Assess. then Discover machines AZMIG_5download OVA. The system requirement for the OVA are:

CPU: 8 vCPU’s; Memory: 16GB; HardDrive: 80GBAZMIG_6

Next step is to import the OVA to VMware

Go to vCenter

AZMIG_7

Browse to the OVA file location and selectAZMIG_8Select the Name and location of the OVAAZMIG_9Select the destination cluster AZMIG_10Click NextAZMIG_11Select destination data store and specify either thick or thin provisioned diskAZMIG_12Select the port group tha the VM will useAZMIG_13Review and confirm settingsAZMIG_14

Once the OVA is imported, power on the VM

Read and accept the license terms and give the collector an admin password.

Log into the VM and run the connector utility on the desktop.

AZMIG_15

Got through the prerequisites checksAZMIG_16

Next step is to connect to the vCenter. Put in the vCenter IP or hostname, Username / Password and once connect select the cluster or host that is currently running the VM’s that need to be assessed for migration.

AZMIG_17

Next step is to connect back to Azure using the migration project credentials that were generated when creating the projectAZMIG_19AZMIG_18

Click continue and the last screen will start the discovery this can take a while to complete (60 minutes or so)AZMIG_20

Once the discovery has completed, we then need to Create assessmentAZMIG_21

Create a new group and select the VM that will be assessedAZMIG_22

Once this has completed go to Overview and click on the assessmentAZMIG_23

Once in the assessment you can see the readiness of your VM and the Monthly estimated cost for running the workloads and AZMIG_24

Click on the VM to view specific details and performance statsAZMIG_25

We can now see what the cost will be for migrating workloads to Azure and this can be presented to give a better understanding of the cost savings that can be achieved with cloud migrations.

 

 

 

 

Azure Configure vNet peering

To allow communication between vNet’s in Azure we can set up peering connections. This is useful if there is a need to have different vNet’s for things like web app’s and backend database zones.

To configure peering we will require two different vNets both must be in the same Azure region.

Currently when I try to ping a VM that is running in a different vNet there is no communication.vNet01

Logon to Azure

Go to All services > Virtual networksvNet04

Once in Virtual networks select the network that will be configure for peeringvNet02

Once the network blade is open go to peering > AddvNet03

Enter a Name, select the Subscription that the other vNet is in. Then Select the Virtual Network. Under configuration select Enabled and the last step tick Allow forwarded trafficvNet05

Below are some details on three options:

Allow forwarded traffic: This setting allows the peer’s forwarded traffic (traffic not originating from inside the peer virtual network) into your virtual network.
Allow gateway transit: Allows the peer virtual network to use your virtual network gateway. The peer virtual network cannot already have a gateway configured, and must select ‘use remote gateway’ in its peering settings.
Use remote gateway: You will need to Select this option if you wish to use your peer’s virtual network gateway. The peer virtual network must have a gateway configured, as well as ‘allow gateway transit’ enabled. Only one peering in this virtual network can have this enabled. You cannot use this setting if you already have a gateway configured in your virtual network.

Once all settings are confirmed click ok to create the peeringvNet06vNet07

Two allow communication both ways, there will need to peering setup on the App network aswell.

Once both are enabled we can now see response to ping requestsvNet08

To lock down communication between the networks we can add NSG’s to restricted what inbound and outbound traffic is allowed from the subnet’s.

Configure MFA For Azure Application Proxy

On the last post we setup Azure Application Proxy to allow internal application’s to be made available externally using AAD integration.

To add additional security to the setup we can enable MFA for the group or users that will be allowed access.

To enable MFA we need to create a conditional access policy and enable on the application proxy.

First step Login to Azure

Go to Azure Active Directory (AAD)AZ1

Go to Enterprise applications

AZ3

Select the Application proxy that will require MFA to be enabledMFA6

Once in the Application proxy go to Conditional Access and select New policyMFA1

Give the policy a meaningful name as it will appear in the overall Conditional Access policy’s aswell as on the Application. This will make it easier to manage if there are multiple policy’s.

Then select Users and groups and select the required users or groupMFA2

Next select the cloud apps that will require MFA in this case it is the Exchange ECP application that was configured previouslyMFA3

We will not setup conditions but if this is required it can be set to only allow access from certain devices types, location & sign-in risk level.

Next go to Access controls and then Grant tab. Select Grant access, tick Require multi-factor authentication and Requires one of the selected controls MFA4

Last step is to Enable the policy

MFA7

Click create at the bottom of the policy

The policy should now show and have tick under Enabled MFA5

Now when we try to access the ECP Application proxy URL,

we should be prompted for MFA MFA8

and asked to register and verify a device to be use for MFAMFA9

It is a good idea to enable MFA for application as it gives an additional layer of security.

Configure Azure Application Proxy To Access Internal Application

To access internal applications we can use Azure Application proxy to integrate with Azure AD and allow remote access to internal resources.

To use Azure Application Proxy requires Azure AD basic,  Premium P1 or Premium P2 subscription.

An Account with Global administrator rights

The Azure application proxy connector requires Windows Server 2012 R2 or later

Below are pre-req ports and URL’s

Port number How it’s used
80 Downloading certificate revocation lists (CRLs) while validating the SSL certificate
443 All outbound communication with the Application Proxy service
URL How it’s used
*.msappproxy.net
*.servicebus.windows.net
Communication between the connector and the Application Proxy cloud service
mscrl.microsoft.com:80
crl.microsoft.com:80
ocsp.msocsp.com:80
http://www.microsoft.com:80
Azure uses these URLs to verify certificates
login.windows.net
login.microsoftonline.com
The connector uses these URLs during the registration process.

The following diagram shows how Azure AD and Application Proxy work together to provide single sign-on to on-premises applications.azureappproxxy

To start we need to download and configure the proxy connector

Login to Azure

Go to Azure Active Directory (AAD)AZ1

Once in AAD go to Application proxy

AZ2

Click Download connector serviceAPinstall0

Once downloaded run the MSI on the server that will be used as the application proxy connector (I used a server in a DMZ zone). It will prompt for an Azure account with Global admins rights.

Once configured the server should now show in the application proxy tabAPinstall4

Once connected and active next step is to configure application

Go to AAD and Enterprise applications

AZ3

Once in Enterprise applications click on New application APinstall7

Click on On-premises applicationAPinstall8

Below is a description for each field and option available in the application proxy

Field Description
Name The name of the application that will appear on the access panel and in the Azure portal.
Internal URL The URL for accessing the application from inside your private network. You can provide a specific path on the backend server to publish, while the rest of the server is unpublished. In this way, you can publish different sites on the same server as different apps, and give each one its own name and access rules.

If you publish a path, make sure that it includes all the necessary images, scripts, and style sheets for your application. For example, if your app is at https://yourapp/app and uses images located at https://yourapp/media, then you should publish https://yourapp/ as the path. This internal URL doesn’t have to be the landing page your users see. For more information, see Set a custom home page for published apps.

External URL The address for users to access the app from outside your network. If you don’t want to use the default Application Proxy domain, read about custom domains in Azure AD Application Proxy.
Pre Authentication How Application Proxy verifies users before giving them access to your application.

Azure Active Directory – Application Proxy redirects users to sign in with Azure AD, which authenticates their permissions for the directory and application. We recommend keeping this option as the default, so that you can take advantage of Azure AD security features like conditional access and Multi-Factor Authentication. Azure Active Directory is required for monitoring the application with Microsoft Cloud Application Security.

Passthrough – Users don’t have to authenticate against Azure Active Directory to access the application. You can still set up authentication requirements on the backend.

Connector Group Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose. If you don’t have any connector groups created yet, your app is assigned to Default.

If your application uses WebSockets to connect, all connectors in the group must be version 1.5.612.0 or later.

Fill out the details required. I am using passthrough for pre authentication for the web site but this can be changed to AAD which then requires authentication before the site can be accessed.

(I created a basic IIS page on an internal web server to test with)APinstall9

Next step copy the external URL and try to access the site. There should be no prompt and the site should load

(Yay my lovely test site is available 🙂 )APinstall13

I decided to also allow access to my internal Exchange server and to also test the AAD pre-authentication.

First create a second application proxy and set the Pre Authentication to Azure Active DirectoryAPinstall14

I wanted to use a custom domain name for the second application proxy so I changed the external URL to the custom domain name in Azure.

Once a custom domain is selected we can add a certificate to match the URL.

There will be a warning that a CNAME entry will be required to point from the custom URL to the msappproxy.net addressAPinstall18

(This will require a CNAME record to be created on public DNS server that will map the application proxy to msappproxy.net)CNAME

Once configured we need to add a user or group to allow access.

Go to the application proxy, select the required application proxy and click on Users and groups, Add user and select either the user or group that will be allowed accessAPinstall16APinstall15

Copy the link for the application proxy.

Unless a valid cert was also uploaded you will receive a cert error click continue to site.

It should now prompt for AAD authentication. Use an account that has access right to the proxyAPinstall11

Once logged in the ECP page should now show. APinstall10

 

 

Azure Network Security Groups (NSG) to Restrict Management Access

For security reasons it is good practice to lock down access to Azure resources and not leave management ports open to the internet.

One way to restrict access to remote access protocols like RDS / SSH is to create a Network Security Groups (NSG) and apply this to either virtual machines or virtual network subnets.

To create a NSG

Logon on to the Azure portal: https://portal.azure.com

Once logged on go to All Services > Network security groups

If you have created VM’s or other resources there might already be some pre-existing NSG’s.NSG1

To create a new NSG click on Add

Give the NSG a name, assign subscription, resource group and locationNSG2

Once the deployment has completed, click on the NSG this will bring up the configuration page.

First part is to configure the inbound security rules. NSG4

Go to settings > Inbound security rules

Once in Inbound security rules. To add a rule click add.

I want to restrict access to a specific Public IP for RDP access. Set the source as IP Addresses and add in the IP that will be allowed this can be a full range or a single IP depending on network subnet bit. I am only going to add one address so I used /32 below is an example 10.10.10.92/32.

I left source port ranges and destination as default as I don’t want to restrict these.  Choose the required port in this case its 3389, set protocol to Any if you require both TCP/UDP I only need TCP.  Set action to allow, set priority value and last step is give the port a name / description. NSG5

Below is the updated rule I have marked out my public IPNSG6

The outbound rule is set to allow any/any by default so if there is a requirement to lock down certain ports then create a new rule here to block the required ports.

Last step once all rule have been configured is to apply the NSG against resources. I am going to apply the policy to both my subnet and NIC’s assigned to both my test VM’s.

The policy should only need to be applied to either the subnet or VM’s,  I just want to show how to apply to both. If you apply a rule to both VM and subnet they need to match or any port that is not allowed on both wont be work.

To assign to subnet: go to settings > SubnetsNSG7

Select virtual network and subnet. NSG8NSG9

To apply to each VM Nic: Go to settings > network interfaces

As I already had NSG’s associated from the VM deployments I need to re-associate to the new NSG.

Select the NSG of the VM you want to move and go to network interfacesNSG10NSG11

Chose the required NSG

NSG12

Once applied I can now only access the VM’s from my own network.

 

 

 

 

Azure VM Backup using Azure Recovery Service Vault

In this post I am going to go through setting up a weekly backup for VM’s using Azure Recovery Service Vault.

Recovery Services vaults protect:

  • Azure Resource Manager-deployed VMs
  • Classic VMs
  • Standard storage VMs
  • Premium storage VMs
  • VMs running on Managed Disks
  • VMs encrypted using Azure Disk Encryption
  • Application consistent backup of Windows VMs using VSS and Linux VMs using custom pre-snapshot and post-snapshot scripts

To backup a single VM we can click on the VM and go to backup and configure the Recovery Vault. I want to add all my servers at one time so I will create Recovery Vault first.

Logon on to the Azure portal: https://portal.azure.com

Once logged on go to All Services > Recovery Services vaults

Once in Recovery Services vaults click createRSV1

Give the Recovery Vault a Name, assign a subscription, resource group and location.

RSV2

Once the deployment has finished,  click on the newly create object. RSV3

First thing I am going to set the backup configuration to locally-redundant as this is just for my Lab VM’s and it will save on cost.

Go to Manage > Backup Infrastructure and set to Locally-redundant.RSV4-1

I am going to create a custom policy as I only want to backup my test VM’s once a week. go to Manage > Backup policies and click Add.RSV3-2

Once in the new backup policy configure settings as required. I have set frequency to every sunday at 22:00 and set retention to 4 weeks backups. Click create once all settings are configured. RSV3-1

The policy should now be available to assign to backup jobs. Next step is to setup the backup. Go to Getting started > backup

Select where the work load is running (Azure or on prem), I only want to backup my Azure Lab VM so I selected Azure. Next select backup type

  • VM
  • Azure File Share (in preview at the time of the post)
  • SQL server in Azure VM (in preview at the time of the post)

Select the backup policy, I am using the policy created above. RSV5

Next select the VM’s that will be backed up. RSV6

Click enable backup to finish the config.

I will kick off a manual backup job to get an initial backup.

Click on backup Item > Azure Virtual Machine > Backup nowRSV8RSV9

To view backup jobs go to Monitoring > Backup JobsRSV7

Once the backup is complete, the option to run VM restore or file level recovery becomes available.RSV10

Azure Automation “Run Login-AzureAccount to login”

When I was creating my Azure Automation account and tried to run a runbook that needed to logon to Azure,  to start my VM’s I was getting an error:

Run Login-AzureAccount to login.AZAUError2

After looking on technet there where a few different recommendations but none worked.

In the end I just decided to try update the Azure modules. This fixed the issue.

Below is how to update the modules.

Go to Automation Accounts > select account > Modules

AZAUError1

There will be a prompt to update all Azure modules click yes to continue. AZAUError3

To view the progress click on below. AZAUError4

Click on all logs or output to view what is currently running. AZAUError5

Once completed the below will show. AZAUError6

After this I was successfully able to run my runbooks.

 

Azure Automation PowerShell Runbook

In this post I am going to go through setting up an Azure automation account and creating a runbook to PowerShell.

Azure Automation allows for process automation, configuration management, update management and PowerShell script execution on both Azure / Office 365. I like using Azure Automation as it allows me to save credentials in Azure for running task opposed to having them called in my script which is less secure.

I am going to setup a runbook to power on and off my LAB servers so that they only run during the day.

To start using Azure Automation

Go to All services > Automation Accounts

Once in Automation Accounts we need to create a new account.AZAU2

Give the Automation account a name, assign to a subscription, resource group and location.  Leave create as yes and click crate. 

AZAU3

Once the task has completed there will now be Automation account showing. AZAU10

Next step is to create a runbook to run the PowerShell command. Click on the Automation account and go to process automation and click on runbooks.AZAU4

Once in runbooks there will be some pre-configure runbooks that can be used as references. 

To create a new runbook click Add a runbookAZAU11

Once in the runbook give a name and select the runbook type in this case it will be PowerShell. Then click create. AZAU5

Click on edit to modify the PowerShell script. AZAU6

The connection commands is generic and is copied from AzureAutomationTutorialScript runbook.

$connectionName = “AzureRunAsConnection”
try
{
# Get the connection “AzureRunAsConnection “
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName

 

“Logging in to Azure…”
Add-AzureRmAccount -ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = “Connection $connectionName not found.”
throw$ErrorMessage
} else{
Write-Error -Message $_.Exception
throw$_.Exception
}
}
 

I have added the command I want to run at the bottom. Once finished, the runbook needs to be saved and published. 

AZAU7

To test if the script will work as expected there is a test pane icon 
AZAU12
 
Once in test click start and the script will be executed the output of the command will be returned to the console. 
AZAU13
 
Once the runbook is saved, the start icon will become available so the runbook can be executed. 
AZAU8
 
Last step is to schedule when the runbook will execute, click schedule.
 
Add a name, description, start time/date, time zone and if the task is a once of or a recurring task. 
 
AZAU14
 
Once the schedule has been created it will show under schedules. 
AZAU15
 

Azure VM deployment

In this post I am going to go through setting up an Azure resource group, VNet and deployment of a basic VM. There are many different VM version that can be deployed.

Below is a table with the current VM types, sizes and description:

Type Sizes Description
General purpose B, Dsv3, Dv3,
DSv2, Dv2,
Av2, DC
Balanced CPU-to-memory ratio. Ideal for testing and development,
small to medium databases, and low to medium traffic web servers.
Compute optimized Fsv2, Fs, F High CPU-to-memory ratio.
Good for medium traffic web servers,
network appliances, batch processes, and application servers.
Memory optimized Esv3, Ev3, M,
GS, G, DSv2,
Dv2
High memory-to-CPU ratio.
Great for relational database servers,
medium to large caches, and in-memory analytics.
Storage optimized Ls High disk throughput and IO.
Ideal for Big Data, SQL, and NoSQL databases.
GPU NV, NVv2, NC,
NCv2, NCv3,
ND
Specialized virtual machines targeted for heavy graphic rendering and video editing,
as well as model training and inferencing (ND)
with deep learning. Available with single or multiple GPUs.
High performance
compute
H Our fastest and most powerful CPU virtual machines
with optional high-throughput network interfaces (RDMA).

First step for deploying a VM is to create a resource group, a resource group is basically a container object that will hold Azure objects like VNet’s, VM and any other Azure serivces that will be added to the RG . A RG can be created while deploying a VM but I prefer to create them before hand.

Logon to the Azure portal, once in the Azure portal if the resource groups tab is not showing.

Go to All services > Resource GroupsAZ1

Once on resource groups click on Add

AZ2

Give the resource group a name, select a subscription and set the location.AZ3

The resource group should only take a few seconds to create. Once created you should get an alert.

AZ4

Now that there is a resource group, we can move to the next step which is to create a new VNet. all services > Virtual networksAZ5

Once in Virtual network’s go to create virtual network. Give the Network a name, IP address space /Subnet mask, select subscription, location,  added to a resource group and set the IP range that will be available for use.

AZ6

Once completed the new VNet will show under virtual networks.AZ7

Final step is to start creating VM’s go to all services > Virtual machinesAZ8

Click on create new Virtual machine

Set the subscriptions that will be used, resource group, VM name & image type. We can also do availability options  for high availability and resilience.AZ9

Select VM size, user name and allowed ports.AZ10

Next page allows you to change the disks used for the VM (premiere SSD, standard SSD or standard HHD) if the disk is change this may reset the VM type so I would usually leave this as is, unless there is a specific reason to change.

Next step is to select the VNet / subnet that will be used for the VM.AZ11

There is auto shutdown feature in Azure. I like to use this on my Lab as it saves credit as this is only a lab server, I want the VM to shut down at 12AM. I can start the VM up again when I want to do any further testing.AZ12

I wont add any guest config, tags so the last step is to review and validate the VMAZ13

The VM should now deploy it will take a while to deploy once completed the VM will now show under Virtual Machines.AZ14

If we check the resource group, we can now see all the object contained in the resource group.AZ15