Azure IaaS how to
Herman Keijzer, PTS, hermank@microsoft.com
Management models for IaaS: Classic Model (v1) versus Resource Manager (v2)

Diagram (slide): in the Classic model a Cloud Service contains the VM with its IP address, with the Virtual Network/Subnet and the Storage Account/Disk (blob) attached to the service. In the Resource Manager model a Resource Group contains separately addressable resources: VM, VM NIC, VM IP address, Load Balancer with IP address, Backend Pool (NICs), Network Security Group, VNet/Subnet, Storage Account and Disk (blob), linked by "DependsOn" and "Reference" relationships.

Focus of this presentation: the Resource Manager model.
Azure Templates can:
• Ensure idempotency
• Simplify orchestration
• Simplify roll-back
• Provide cross-resource configuration and update support

Azure Templates are:
• A source file, checked in
• A specification of resources and dependencies (VMs, websites, DBs) and connections (config, LB sets)
• Parameterized input/output
Power of repeatability: instantiation of a repeatable configuration into a resource group.

Diagram (slide): a configuration describing SQL-A, a website and virtual machines (2x), where the website and the VMs depend on SQL and receive the SQL configuration, is deployed repeatedly into a resource group.
Why IaaS under ARM?
• Compete with CloudFormation
• Complex application templates
• Role based access control
• Enterprise grade security
• Tag-based billing
• Superior cost management on the cloud
• Deep integration with Azure services, e.g. websites with virtual machines
• Enhanced portal experiences
• Azure Marketplace solution templates
• Regional architecture: increased subscription scale, increased throttling scale, engineering agility for features/fixes
• Decoupled network model: clean separation of compute and network concepts; the network model resembles traditional physical devices
• Reduced locking semantics: massively parallel deployment of virtual machines
• Enhanced compute capabilities: improved SSH experience, 3 fault domains and 20 update domains
• Unified Azure Stack: one single model to interact with the Microsoft Cloud
Simplified manageability of applications on IaaS
Upgrade:
• complexity made simple
• a master template can be used to roll out upgrades
• imperative APIs and client tools support updating the resources
Manageability, auditing:
• operations can be tracked for up to 90 days (activity log)
• management locks lock down resources against deletion
Wide range of Quickstart Templates: GitHub repo indexed on Azure.com, community and Microsoft contributed.
Integration of IaaS with Azure Services
Getting started with Azure Templates
https://azure.microsoft.com/en-us/documentation/templates/
GitHub: https://github.com/Azure/azure-quickstart-templates
Azure PowerShell install and configure: https://azure.microsoft.com/nl-nl/documentation/articles/powershell-install-configure/
Web Platform Installer: https://www.microsoft.com/web/downloads/platform.aspx
Microsoft Azure Resource Providers
Microsoft.Compute: virtualMachines, extensions, vmSizes, availabilitySets
Microsoft.Storage: storageAccounts
Microsoft.Network: loadBalancers, networkInterfaces, networkSecurityGroups, publicIPAddresses, trafficManagerProfiles, virtualNetworks
Microsoft.Web: geoRegions, hostingEnvironments, publishingUsers, serverfarms, sites
And many more…
Get-AzureRmResourceProvider -ListAvailable
Azure infrastructure services hierarchy: Subscription > Location > Resource group > Storage account > Virtual network > Subnet > Availability set > Load balancer > Network security group > Virtual machine (the diagram shows the hierarchy for two lines of business, LOB1 and LOB2).
38 Azure regions, 2X the number of AWS regions. Regions on the map: Atlanta, Chicago, Dallas, Silicon Valley, Washington DC, New York, US DoD West, US DoD East, Amsterdam, Dublin*, London, Chennai, Hong Kong, Mumbai*, Melbourne*, Osaka, Singapore, Sydney, Tokyo, Korea South, Korea Central (* coming soon).

List locations via PowerShell:
Get-AzureRmLocation | Out-GridView -Title "Azure locations"
Resource groups
Using resource groups
Tagging: name-value pairs assigned to resources or resource groups. Tag by environment (dev/test/prod), role (web/cache/db), department (finance/retail/legal), responsible party (Bob, Ted, Carol, Alice).
RBAC: allows secure access with granular permissions. Assignable to Azure AD subscription users, groups, or service principals. Built-in roles make it easy to get started.
Why use multiple resource groups? To divide administrative management between roles or IT departments.
Resource Tags: name-value pairs assigned to resources or groups; subscription-wide taxonomy; each resource can have up to 15 tags.
Tagging tips:
• Notes: simple note for a VM
• Creator: track the "owner" of a VM
• Department/Cost center: who pays
• Environment: production vs. pre-production vs. test
Tagging & Billing
When you download the usage CSV for services that support tags with billing, the tags will appear in the Tags column.
Resource group lifecycle. Question: should these resources be in the same group or a different one? Hint: do they have a common lifecycle and management? Answer: up to you.
Azure Resource Group Limits
https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/
Create resource group
New-AzureRmResourceGroup -Name Azure101 -Location "West Europe"

Tags: adding a tag to the subscription's tag taxonomy
New-AzureRmTag -Name "Demo" -Value "azureworkshop"
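The tagging tips above only pay off if every resource actually carries the tags. The following is an added example (not from the original deck) that creates a resource group with the recommended tags, copies them onto every resource in the group without dropping tags already present, and then reports resources anywhere in the subscription that are missing a required tag. It assumes a logged-in AzureRm session (Login-AzureRmAccount), AzureRm 2.0 or later (hashtable tag format), and the resource group name "Azure101" from the slide; the tag values are illustrative.

```powershell
# Added example, not from the deck. Assumes Login-AzureRmAccount has been run and
# AzureRm 2.0+ (tags passed as a plain hashtable). Values below are illustrative.

$requiredTags = @{
    Environment = "dev"          # dev / stg / prd
    Department  = "finance"      # who pays
    Creator     = "hermank"      # who owns the VM
}

# Tags on the resource group itself. Resources do NOT inherit them,
# so they are applied per resource below.
$rg = New-AzureRmResourceGroup -Name "Azure101" -Location "West Europe" -Tag $requiredTags -Force

# Apply the required tags to every resource in the group, keeping tags that are
# already there (Set-AzureRmResource replaces the whole tag set, so merge first).
foreach ($res in Find-AzureRmResource -ResourceGroupNameEquals $rg.ResourceGroupName) {
    $tags = @{}
    if ($res.Tags) { foreach ($entry in $res.Tags.GetEnumerator()) { $tags[$entry.Key] = $entry.Value } }
    foreach ($k in $requiredTags.Keys) {
        if (-not $tags.ContainsKey($k)) { $tags[$k] = $requiredTags[$k] }
    }
    Set-AzureRmResource -ResourceId $res.ResourceId -Tag $tags -Force | Out-Null
}

# Audit across the whole subscription: anything that lacks one of the required keys.
function Get-UntaggedResource {
    param([string[]]$RequiredKeys = @("Environment", "Department"))
    Find-AzureRmResource | Where-Object {
        $have = @()
        if ($_.Tags) { $have = @($_.Tags.Keys) }
        @($RequiredKeys | Where-Object { $have -notcontains $_ }).Count -gt 0
    } | Select-Object Name, ResourceType, ResourceGroupName
}

Get-UntaggedResource
```

Run Get-UntaggedResource from a scheduled job and the usage CSV (next slide) stays attributable: a resource without a Department tag shows up in billing with an empty Tags column and nobody to charge.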
Role Based Access Control
Used only for Azure administration:
• Manage resources in Azure, i.e. virtual machines, storage, networks, etc.
• Remember that Azure AD is not an Azure resource (directory roles are managed separately)
Roles are composed of:
• Actions
• NotActions (excluded operations)
• Scopes
Built-in roles

Built-in role | Actions | NotActions
Owner (allow all actions) | * | (none)
Contributor (allow all actions except writing or deleting role assignments) | * | Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete
Reader (allow all read actions) | */Read | (none)

Custom roles can be created using the RBAC command-line tools in Azure PowerShell and the Azure Command-Line Interface.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/
RBAC with PowerShell: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-powershell/
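Owner, Contributor and Reader are coarse; an operations team that only needs to bounce VMs should not get Contributor on the whole subscription. The following is an added example (not from the original deck) of a custom role built from Actions, NotActions and AssignableScopes as described above, assigned to an Azure AD group at resource-group scope, followed by a check of who holds Owner at subscription scope. The subscription id, the resource group "Azure101" and the group name "LOB1-Operators" are assumptions; the session must be logged in with rights to create role definitions and assignments.

```powershell
# Added example, not from the deck. Replace the placeholder subscription id;
# the group "LOB1-Operators" and resource group "Azure101" are assumed to exist.

$subId   = "<subscription id>"
$rgScope = "/subscriptions/$subId/resourceGroups/Azure101"

# Start from a built-in role so the object has the right shape, then strip it down.
$role = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
$role.Id          = $null
$role.Name        = "LOB1 VM Operator"
$role.Description = "Read, start, stop and restart VMs; no disk, network or RBAC changes."
$role.IsCustom    = $true
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rgScope)     # the role cannot be assigned outside this RG
$custom = New-AzureRmRoleDefinition -Role $role

# Assign the role to the group, scoped to the resource group only.
$group = Get-AzureRmADGroup -SearchString "LOB1-Operators" | Select-Object -First 1
New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $custom.Name -Scope $rgScope

# Check: every principal holding Owner directly at subscription scope. Keep this list short;
# anyone on it can also rewrite role assignments (Microsoft.Authorization/*/Write).
function Get-SubscriptionOwner {
    param([Parameter(Mandatory)][string]$SubscriptionId)
    $scope = "/subscriptions/$SubscriptionId"
    Get-AzureRmRoleAssignment -Scope $scope |
        Where-Object { $_.RoleDefinitionName -eq "Owner" -and $_.Scope -eq $scope } |
        Select-Object DisplayName, ObjectType, SignInName
}

Get-SubscriptionOwner -SubscriptionId $subId
```

Assign roles to groups rather than to individual users, and note that the role deliberately omits Microsoft.Compute/virtualMachines/write: an operator who can rewrite the VM definition can also swap its OS disk or extensions, which is effectively code execution on the box.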
Storage accounts

Multiple storage accounts (diagram): OS disks and data disks are placed in separate storage accounts.
Let us recap… Put another way, each VM needs:
• A load balancer to distribute incoming traffic
• An availability set for high availability
• A network security group to protect it
• A VNet and subnet for addressing and connectivity
• A storage account to store its disks
• A resource group for logical grouping (management)
• A location for an Azure datacenter on which to run
• A subscription for billing purposes
The hierarchy for a virtual machine (required versus optional):
• Subscription (required)
• Location (required)
• Resource group (required)
• Storage account (required)
• Availability set (optional)
• Load balanced set (optional)
• Virtual network (required)
• Subnet (required)
• Network security group (optional)
• Virtual machine
Start building
Major design steps:
1. Naming convention
2. Connectivity
3. Storage
4. Virtual machines
5. Identity
6. Security
Example workloads: a web-based LOB application; an intranet SharePoint 2013 farm.
Step 1: Determine your naming convention
All of the Azure infrastructure elements require unique names; the scope of uniqueness varies.
Names in the Azure hierarchy:
• Subscription
• Location (specified by Azure)
• Resource group (unique within the subscription)
• Storage account (globally unique)
• Availability set (unique to parent resource group)
• Load balanced set (unique to parent resource group)
• Virtual network (unique to parent resource group)
• Subnet (unique to parent virtual network)
• Network security group (unique to parent resource group)
• Virtual machine (15 character maximum for Windows VMs)
Examples of naming conventions
Affixes: the beginning of the name (prefix) or the end of the name (suffix).
Constructing names, example: dev-usw-vm-sp04 (15-character maximum)

Name element | Examples
Environment or deployment role | dev, stg, prd
Azure location | usw (West US), use (East US 2)
Azure component, service, or product | rg for resource group, vnet for virtual network, vm for virtual machine
Role | sql, ora, sp, iis
Instance | 01, 02, 03, etc.
Key questions for the naming convention
• Is there an existing naming convention for your networking/machines/infrastructure elements?
• How can this naming convention be extended to include new Azure IaaS elements? Resource groups, availability sets, storage accounts, network security groups, load balancer sets, etc.
Resource: Azure implementation guidelines
Results of Step 1: a set of rules to define the names of resource groups, storage accounts, availability sets, virtual networks, subnets, network security groups, load balancer instances and virtual machines.
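A convention is only useful if the generated names also fit Azure's limits: storage account names cannot carry the hyphens the convention uses and must be 3-24 lowercase alphanumerics, and Windows VM names stop at 15 characters. The following is an added example (not from the original deck) that builds names from the env-location-component-role-instance scheme above and validates them before anything is deployed. The location abbreviation "euw" and the component abbreviations other than rg, vnet and vm are assumptions.

```powershell
# Added example, not from the deck. Abbreviations beyond rg/vnet/vm are assumptions.

function Test-AzName {
    param([Parameter(Mandatory)][string]$Component, [Parameter(Mandatory)][string]$Name)
    switch ($Component) {
        # Windows VM names: 15 characters, letters, digits and hyphens
        "vm" { return ($Name.Length -le 15 -and $Name -match '^[a-z0-9][a-z0-9-]*[a-z0-9]$') }
        # Storage accounts: 3-24 lowercase letters and digits, no separators at all
        "sa" { return ($Name -match '^[a-z0-9]{3,24}$') }
        # Other Resource Manager names used here: letters, digits, periods, hyphens
        default { return ($Name -match '^[a-z0-9][a-z0-9.-]*[a-z0-9]$') }
    }
}

function New-AzName {
    param(
        [Parameter(Mandatory)][ValidateSet("dev", "stg", "prd")][string]$Env,
        [Parameter(Mandatory)][ValidateSet("usw", "use", "euw")][string]$Loc,
        [Parameter(Mandatory)][ValidateSet("rg", "vnet", "vm", "sa", "nsg", "lb", "avs")][string]$Component,
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][int]$Instance
    )
    $inst = "{0:D2}" -f $Instance
    $name = switch ($Component) {
        "sa"    { ($Env + $Loc + "sa" + $Role + $inst).ToLower() }   # no hyphens allowed
        default { "$Env-$Loc-$Component-$Role$inst".ToLower() }
    }
    if (-not (Test-AzName -Component $Component -Name $name)) {
        throw "Name '$name' violates the limits for component '$Component'"
    }
    return $name
}

New-AzName -Env dev -Loc usw -Component vm  -Role sp  -Instance 4   # the slide's dev-usw-vm-sp04
New-AzName -Env prd -Loc euw -Component sa  -Role sql -Instance 1
New-AzName -Env prd -Loc euw -Component nsg -Role web -Instance 1

# Storage account names must also be unused across all of Azure; this needs a logged-in session:
# Get-AzureRmStorageAccountNameAvailability -Name (New-AzName -Env prd -Loc euw -Component sa -Role sql -Instance 1)
```

A role such as "sharepoint" instead of "sp" makes the VM name 23 characters and New-AzName throws before a deployment fails half way through; that is the point of validating on the client.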
Step 2: Design your connectivity
VNet types: cloud-only or cross-premises
VNet connections: site-to-site VPN, ExpressRoute, VNet-to-VNet
Within each VNet: addressing, subnets, DNS
For each VNet: routing to and from the intranet, routing to and from the Internet, user-defined routing
Connection types

Connection type | Customer segment and workloads
Secure site-to-site VPN connectivity | SMB, enterprises; connect to Azure compute
Secure point-to-site connectivity | Developers; POC efforts; small scale deployments; connect from anywhere
ExpressRoute private connectivity | SMB and enterprises; mission critical workloads; backup/DR, media, HPC; connect to all Azure services
Internet connectivity | Consumers; access over public IP; DNS resolution; connect from anywhere
Key questions for connectivity
• Will you need multiple instances of the LOB app in different geographic areas?
• Do you need direct network access to the VMs of the LOB app?
• How will the VMs in the VNet register their names and resolve names? What names do they need to resolve (each other, intranet, Internet)?
• How will packets be routed to and from the intranet, the Internet, or other VNets?
Resource: Microsoft Cloud Networking for Enterprise Architects
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/
VNet
An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. You can also further segment your VNet into subnets and launch Azure IaaS virtual machines (VMs) and/or cloud services (PaaS role instances). Additionally you can connect the virtual network to your on-premises network using one of the connectivity options available in Azure.

Diagram (slide): on-premises network next to an Azure VNet; in Azure, firewalls are substituted by NSGs. NSGs filter on address, port and protocol only; for traffic inspection the deck relies on a network appliance (Step 6).

Virtual network benefits:
• Isolation. VNets are completely isolated from one another. That allows you to create disjoint networks for development, testing, and production that use the same CIDR address blocks.
• Access to the public Internet. All IaaS VMs and PaaS role instances in a VNet can access the public Internet by default. You can control access by using Network Security Groups (NSGs).
• Access to VMs within the VNet. PaaS role instances and IaaS VMs can be launched in the same virtual network and they can connect to each other using private IP addresses even if they are in different subnets, without the need to configure a gateway or use public IP addresses.
• Name resolution. Azure provides internal name resolution for IaaS VMs and PaaS role instances deployed in your VNet. You can also deploy your own DNS servers and configure the VNet to use them.
• Security. Traffic entering and exiting the virtual machines and PaaS role instances in a VNet can be controlled using Network Security Groups.
• Connectivity. VNets can be connected to each other, and even to your on-premises datacenter, by using a site-to-site VPN connection or an ExpressRoute connection.
Results of Step 2
The set of VNets needed to host the LOB app. For each VNet: type; connections (site-to-site VPN, ExpressRoute, VNet-to-VNet); address space; subnets (gateway and VM-hosting) and their address spaces; DNS configuration; gateways; local gateway devices; local network address spaces for routing; user-defined routes.
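The address space, subnet and local-network decisions above interact: a subnet outside the VNet prefix is rejected at deployment time, but a VNet that overlaps the on-premises prefixes routed over the site-to-site connection deploys fine and then produces ambiguous routes. The following is an added example (not from the original deck) that checks a planned address layout offline before any New-AzureRmVirtualNetwork call. It is plain PowerShell with no Azure dependency; the sample plan at the end is constructed for illustration and deliberately contains two mistakes.

```powershell
# Added example, not from the deck. Pure PowerShell; no Azure modules needed.

function ConvertTo-IpRange {
    # Turn "10.1.0.0/16" into a numeric first/last pair (IPv4 only).
    param([Parameter(Mandatory)][string]$Cidr)
    $addr, $bits = $Cidr.Split('/')
    $prefix = [int]$bits
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Cidr" }
    $n = [long]0
    foreach ($b in [System.Net.IPAddress]::Parse($addr).GetAddressBytes()) { $n = ($n -shl 8) -bor [long]$b }
    $size  = [long]1 -shl (32 - $prefix)
    $first = $n - ($n % $size)            # network address of the block
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Test-IpOverlap {
    param($A, $B)
    return ($A.First -le $B.Last) -and ($B.First -le $A.Last)
}

function Test-AddressPlan {
    param(
        [Parameter(Mandatory)][string]$VNetPrefix,
        [Parameter(Mandatory)][hashtable]$Subnets,     # subnet name -> CIDR
        [string[]]$OnPremPrefixes = @()                 # prefixes advertised over S2S/ExpressRoute
    )
    $findings = @()
    $vnet = ConvertTo-IpRange $VNetPrefix
    $ranges = @{}
    foreach ($name in $Subnets.Keys) { $ranges[$name] = ConvertTo-IpRange $Subnets[$name] }

    # 1. every subnet must sit inside the VNet address space
    foreach ($name in $ranges.Keys) {
        $r = $ranges[$name]
        if ($r.First -lt $vnet.First -or $r.Last -gt $vnet.Last) {
            $findings += "Subnet $name ($($r.Cidr)) is outside the VNet space $VNetPrefix"
        }
    }
    # 2. subnets must not overlap each other
    $names = @($ranges.Keys)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            if (Test-IpOverlap $ranges[$names[$i]] $ranges[$names[$j]]) {
                $findings += "Subnets $($names[$i]) and $($names[$j]) overlap"
            }
        }
    }
    # 3. the VNet must not collide with anything reachable over the gateway
    foreach ($p in $OnPremPrefixes) {
        if (Test-IpOverlap $vnet (ConvertTo-IpRange $p)) {
            $findings += "VNet space $VNetPrefix overlaps on-premises prefix $p"
        }
    }
    return $findings
}

# Constructed sample plan: BackEnd was typed with the wrong second octet,
# and the VNet sits inside the corporate 10.0.0.0/8 that the VPN advertises.
$plan = @{
    VNetPrefix     = "10.1.0.0/16"
    Subnets        = @{ GatewaySubnet = "10.1.255.0/27"; FrontEnd = "10.1.1.0/24"; BackEnd = "10.2.2.0/24" }
    OnPremPrefixes = @("10.0.0.0/8")
}
Test-AddressPlan @plan
```

Feed the same hashtable into the VNet creation block in the appendix once Test-AddressPlan returns nothing; the gateway subnet is included in the check because it must come from the VNet space like any other subnet.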
Step 3: Design your storage
Storage types: Standard, Premium
Data replication: local/geo
Disk caching: on by default for OS disks, off by default for data disks
Key questions for storage:
• What level of data replication is required?
• Do any virtual machines need premium storage? If so, they must be created from the DS series.
• Do any of the extra disks for the virtual machines need to have disk caching enabled?
Resource: Azure implementation guidelines
Storage
Blob storage stores file data. A blob can be any type of text or binary data, such as a document, media file, or application installer.
Table storage stores structured datasets. Table storage is a NoSQL key-attribute data store, which allows for rapid development and fast access to large quantities of data.
Queue storage provides reliable messaging for workflow processing and for communication between components of cloud services.
File storage offers shared storage for legacy applications using the standard SMB 2.1 protocol. Azure virtual machines and cloud services can share file data across application components via mounted shares, and on-premises applications can access file data in a share via the File service REST API.
Blob types: page (hard disk images, VMs), block (video, images), append (logging)
Replication: LRS, ZRS, GRS
Access tiers: hot and cool
Performance: standard or premium (premium for VM disks only)
https://docs.microsoft.com/en-us/azure/storage/storage-introduction
Azure Virtual Machine Storage

Standard Storage | Premium Storage
Based on page blobs in Azure Storage | Based on low latency, high performance SSD storage
Up to 500 IOPS per disk | Up to 5,000 IOPS per disk
Up to 1 TB per disk storage capacity | Support for local redundancy only
Support for geo-redundancy | Supports the DS and GS instance sizes
Supports all instance sizes |
Standard Storage capacity planning
IOPS per disk: 300 for Basic tier, 500 for Standard tier (60 MB/s)
IOPS per storage account: 20,000, which supports up to ~40 data disks using the maximum IOPS per disk
Group disks into striped sets for more IOPS, e.g. 4 disks x 500 IOPS = 2,000 IOPS
Azure Premium Storage
Consistent low latency SSD based with predictable IO throughput; suitable for high-performance, IO-intensive database workloads; single digit millisecond latencies; supports up to 1 TB blob/disk size; stripe up to 32 disks for a total of 32 TB and more than 80,000 IOPS; Premium Storage disks work with DS and GS sizes.

Disk type | P10 | P20 | P30
Disk size | 128 GB | 512 GB | 1024 GB
IOPS per disk | 500 | 2300 | 5000
Throughput per disk | 100 MB/sec | 150 MB/sec | 200 MB/sec

Azure Storage capacity planning
Standard Storage: 300 IOPS per disk with Basic tier, 500 IOPS per disk with Standard tier; up to 20,000 IOPS per standard storage account (~40 disks)
Premium Storage: up to 5,000 IOPS per disk (P30); up to 32 disks per premium storage account
Note: on DS and GS instances you can mix standard and premium storage disks
Storage account
# storage account
$stName = "workshopbin123"
$locName = "West Europe"
$rgName = "Azureworkshop"
$storageAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName -Type "Standard_GRS" -Location $locName

Note: storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. Your storage account name must be unique within Azure; the Azure portal will indicate if the storage account name you select is already in use.

Storage account endpoints
Every object that you store in Azure Storage has a unique URL address. The storage account name forms the subdomain of that address. The combination of subdomain and domain name, which is specific to each service, forms an endpoint for your storage account. For example, if your storage account is named mystorageaccount, then the default endpoints for your storage account are:
Blob service: https://mystorageaccount.blob.core.windows.net
Table service: https://mystorageaccount.table.core.windows.net
Queue service: https://mystorageaccount.queue.core.windows.net
File service: https://mystorageaccount.file.core.windows.net
(The endpoints also answer on plain HTTP; use HTTPS so that account keys and SAS tokens are never sent in clear.)
Storage account tooling
Azure Storage Explorer: http://storageexplorer.com/
https://channel9.msdn.com/Blogs/Windows-Azure/Whats-new-on-Microsoft-Azure-Storage-Explorer-v07201603250

Blob access rights
New-AzureStorageContainer -Context $StorageContext -Permission Container -Name media
The -Permission value sets the container's public (anonymous) access level:
• Off restricts access to only the storage account owner (holders of an account key or a SAS).
• Blob provides read access to blob data within a container through anonymous requests, but does not provide access to container data; clients cannot enumerate blobs within the container via anonymous request.
• Container provides full read access to a container and its blobs; clients can enumerate blobs within the container through anonymous request, but cannot enumerate containers within the storage account.
The command above therefore makes every blob in "media" readable and listable by anyone on the Internet; use Off unless the content is meant to be public.
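When a client needs to read from a private container, a shared access signature gives it scoped, expiring access without turning on anonymous access or handing out the account key. The following is an added example (not from the original deck) that creates the container with access Off, issues a one-hour HTTPS-only read SAS for it, and audits the account for containers whose public access level is not Off. It assumes the storage account "workshopbin123" in resource group "Azureworkshop" from the slide above and a logged-in AzureRm session.

```powershell
# Added example, not from the deck. Assumes the account created on the previous slide.

$rgName = "Azureworkshop"
$stName = "workshopbin123"

# .Context carries the key fetched through the management plane,
# so no account key is pasted into the script.
$ctx = (Get-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName).Context

# Private container: only key holders and SAS holders can read it.
New-AzureStorageContainer -Name "media" -Permission Off -Context $ctx | Out-Null

# Read-only SAS for one hour, HTTPS only. StartTime a few minutes in the past
# absorbs clock skew between the client and the storage service.
$sas = New-AzureStorageContainerSASToken -Name "media" -Permission r `
        -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1) `
        -Protocol HttpsOnly -Context $ctx
# The token starts with "?", so it is appended straight onto a blob URL:
$readUrl = "https://$stName.blob.core.windows.net/media/index.html$sas"

# Audit: any container whose public access level is not Off is readable with no credentials.
function Get-PublicContainer {
    param([Parameter(Mandatory)]$Context)
    Get-AzureStorageContainer -Context $Context |
        Where-Object { $_.PublicAccess -ne "Off" } |
        Select-Object Name, PublicAccess, LastModified
}

Get-PublicContainer -Context $ctx

# Remediation for anything the audit finds:
# Set-AzureStorageContainerAcl -Name "<container>" -Permission Off -Context $ctx
```

A SAS is only as good as the key it was signed with: regenerating the account key invalidates every token issued with it, which is also the way to revoke a leaked SAS before it expires.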
Results of Step 3
The set of storage accounts for VMs and their disks: one for each LOB application, plus an additional one for premium storage.
For each storage account: intended use, location, resource group, name, data replication, type (standard or premium).
For each extra disk: host caching setting.
Step 4: Design your VMs
Tiers of your LOB app
Sizes and series: DS series if using premium storage
High availability with multiple VMs at each tier and availability sets
Distribute incoming traffic to multiple VMs with a load balancer: an Azure load balancer instance with inbound NAT rules, or an Azure network appliance
Compute size options (from highest value to largest scale-up)

Series | Description | ACU
Av2 | Dev/test and entry-level workloads; earliest generation, HDD | 100 ACU/core
Dv2 | Good combination of memory and SSD for most common production applications; memory-intensive variants | 210 ACU/core
F | Compute-intensive apps like gaming and analytics; higher CPU to memory ratio | 210 ACU/core
G | Large VMs for large databases requiring fast storage; Intel Haswell processor with 0.5 TB RAM | 180 ACU/core
Also on the slide: A, D, L, S, N, H series; premium storage with more than 80,000 IOPS.
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-sizes/
Key questions for VMs
• What tiers do you need?
• How many VMs per tier for availability and load?
• Do you need to provide load distribution across the tier? DNS round robin, Azure load balancing, network appliance in Azure
• Which VMs need to run 24x7 and which do not?
Resource: Azure implementation guidelines
Azure availability set
Fault domains: groups of resources anticipated to fail together, i.e. same rack, same server; the fabric spreads instances across a minimum of 2 fault domains.
Update domains: groups of resources that will be updated together; host OS updates honour the service update domains; specified in the service definition; default of 5 (up to 20).
Availability sets: VMs in separate fault domains; SLA 99.95%; covers hardware and software; Windows and Linux.
Virtual machine storage architecture
Diagram (slide): the virtual machine sees C:\ (OS disk), E:\, F:\, etc. (data disks) and D:\ (temporary disk, dynamic VHD, local disk cache). OS and data disks are backed by Azure blobs; the temporary disk is on shared local disk, so its performance can be variable and its contents can be lost.

Virtual machine disk layout
• OS disk: persistent, SATA, drive C:
• Temporary storage disk: local (not persistent), SATA, drive D:
• Data disk(s): persistent, SCSI, customer-defined drive letter
Multiple NICs per VM
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-multiple-nics/
https://azure.microsoft.com/en-us/documentation/articles/virtual-network-deploy-multinic-arm-ps/?cdn=disable
The VM size determines the number of NICs that you can create for a VM. Configure only via PowerShell, CLI or template.
Adding disks to a VM
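The availability set, the data disk caching setting and the multi-NIC layout discussed on the last few slides are all decided in the VM configuration object before New-AzureRmVM runs. The following is an added example (not from the original deck) that builds a two-NIC web VM in an availability set, with a ReadOnly-cached data disk and an uncached log disk. It reuses the demo environment from later in this deck (resource group "HKTestRG", storage account "hk193testcsp", VNet "TestNet" with subnet "singleSubnet") and assumes a second subnet "backendSubnet" exists; the VM name, sizes and disk sizes are illustrative.

```powershell
# Added example, not from the deck. Assumes the HKTestRG demo environment plus a
# subnet named "backendSubnet" in TestNet; names and sizes are illustrative.

$rgName  = "HKTestRG"
$locName = "West Europe"
$vmName  = "web01"

$vnet     = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name "TestNet"
$feSubnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "singleSubnet"
$beSubnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "backendSubnet"
$storageAcc = Get-AzureRmStorageAccount -ResourceGroupName $rgName -Name "hk193testcsp"
$blob = $storageAcc.PrimaryEndpoints.Blob.ToString()

# Availability set: the fabric places members in separate fault/update domains.
$avSet = New-AzureRmAvailabilitySet -Name "lob1-web-avs" -ResourceGroupName $rgName -Location $locName

# Two NICs: front-end (gets the default route) and back-end. No public IP on either.
$nic1 = New-AzureRmNetworkInterface -Name "$vmName-nic1" -ResourceGroupName $rgName -Location $locName -SubnetId $feSubnet.Id
$nic2 = New-AzureRmNetworkInterface -Name "$vmName-nic2" -ResourceGroupName $rgName -Location $locName -SubnetId $beSubnet.Id

$cred = Get-Credential -Message "Local administrator account for $vmName"

# Standard_D2_v2 allows more than one NIC; check the size table before choosing smaller sizes.
$vm = New-AzureRmVMConfig -VMName $vmName -VMSize "Standard_D2_v2" -AvailabilitySetId $avSet.Id
$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version latest
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id -Primary
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id

# OS disk keeps the default ReadWrite cache; data disk ReadOnly suits read-heavy content,
# the log disk gets no host cache so writes are not acknowledged before they reach the blob.
$vm = Set-AzureRmVMOSDisk   -VM $vm -Name "$vmName-os"     -VhdUri ($blob + "vhds/$vmName-os.vhd")     -CreateOption FromImage -Caching ReadWrite
$vm = Add-AzureRmVMDataDisk -VM $vm -Name "$vmName-data01" -VhdUri ($blob + "vhds/$vmName-data01.vhd") -CreateOption Empty -DiskSizeInGB 128 -Lun 0 -Caching ReadOnly
$vm = Add-AzureRmVMDataDisk -VM $vm -Name "$vmName-log01"  -VhdUri ($blob + "vhds/$vmName-log01.vhd")  -CreateOption Empty -DiskSizeInGB 64  -Lun 1 -Caching None

New-AzureRmVM -ResourceGroupName $rgName -Location $locName -VM $vm
```

Inside the guest the two empty data disks still have to be initialised and formatted (they appear as raw SCSI disks), and only the primary NIC carries a default gateway, so traffic to the back-end subnet reaches nic2 via the VNet's own routes rather than a second default route.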
Results of Step 4
The set of VMs in their tiers; the set of Azure settings for each tier: resource group, subnet, availability set, load balancer.
The set of Azure settings and elements for each VM:
• Azure environment settings: location, resource group, storage account, VNet, subnet, availability set, load balancer instance
• VM-specific settings: name, image (publisher, offer, SKU), size (VM series), extra disks with host caching setting, static IP addresses
Step 5: Design your identity tier
Authentication provider and methods: Windows Active Directory or other; client authentication; server-to-server authentication
High availability for authentication requests; authentication request traffic distribution: DNS round robin, Azure load balancer, network appliance in Azure
Key questions for your identity tier:
• What is the identity provider?
• How will authentication/authorization request traffic travel to the identity providers?
• How to provide availability and scalability?
Resource: Azure identity management
Results of Step 5: the set of VMs to support identity for the LOB application; the load distribution method; the set of network security groups and settings to allow authentication/authorization request traffic.
Step 6: Design security
• Inbound and outbound traffic flows: stateful, host-based firewalls; network security groups
• Traffic flow inspection: Azure network appliance
• End-to-end encryption: IPsec policies
• Disk encryption
• Anti-malware: agents running on virtual machines
Key questions for security:
• How will you protect the virtual machines from incoming traffic from the Internet?
• How will you protect the traffic traveling between virtual machines (subnet isolation, end-to-end encryption)?
• How will you protect your virtual machines from malware?
Resource: Virtual Machines-Security
NSG, Network Security Group
A network security group (NSG) contains a list of Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a virtual network. NSGs can be associated with either subnets or individual VM instances (their NICs, in the Resource Manager model) within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet. In addition, traffic to an individual VM can be restricted further by associating an NSG directly to that VM. Rules are evaluated in priority order (lowest number first) and the first match wins.
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/
Note: endpoint-based ACLs and network security groups are not supported on the same VM instance (classic model). If you want to use an NSG and have an endpoint ACL already in place, first remove the endpoint ACL. For information about how to do this, see "Managing Access Control Lists (ACLs) for Endpoints by using PowerShell".
NSG default tags: VIRTUAL_NETWORK, AZURE_LOADBALANCER, INTERNET
https://azure.microsoft.com/nl-nl/documentation/articles/virtual-networks-create-nsg-arm-pportal/
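The question "how will you protect the virtual machines from incoming traffic from the Internet?" is mostly answered by what the INTERNET tag is allowed to reach. The following is an added example (not from the original deck) that builds a rule set in which RDP is reachable only from a management prefix while HTTP stays open to the Internet, ends with an explicit deny, and then audits any set of NSG rules for Allow rules that expose management ports (RDP, SSH, WinRM) to the Internet. The management prefix 203.0.113.0/24 (a documentation range), the front-end subnet 10.1.1.0/24 and the rule names are assumptions; the rule objects are built client-side, so the audit runs without a subscription.

```powershell
# Added example, not from the deck. Prefixes and names are assumptions.

$mgmtPrefix = "203.0.113.0/24"    # corporate egress address range (documentation range here)

$rules = @(
    New-AzureRmNetworkSecurityRuleConfig -Name "Allow-RDP-FromMgmt" -Description "RDP only from the management network" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix $mgmtPrefix -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
    New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTP-FromInternet" -Description "Web tier" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
        -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix 10.1.1.0/24 -DestinationPortRange 80
    # Explicit catch-all so a later Allow with a higher priority number cannot reopen the subnet.
    New-AzureRmNetworkSecurityRuleConfig -Name "Deny-All-Inbound" -Description "Last rule" `
        -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
        -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
)
# The rule objects are local until handed to New-AzureRmNetworkSecurityGroup:
# New-AzureRmNetworkSecurityGroup -Name "nsg-frontend" -ResourceGroupName "<rg>" -Location "<location>" -SecurityRules $rules

function Test-PortInRange {
    # Does a DestinationPortRange value ("*", "3389" or "3000-4000") include the port?
    param([Parameter(Mandatory)][string]$Range, [Parameter(Mandatory)][int]$Port)
    if ($Range -eq "*") { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return ([int]$Range -eq $Port)
}

function Get-ExposedManagementRule {
    # Every inbound Allow rule that lets the Internet reach a management port.
    param([Parameter(Mandatory)]$SecurityRules, [int[]]$ManagementPorts = @(22, 3389, 5985, 5986))
    foreach ($rule in $SecurityRules) {
        if ($rule.Direction -ne "Inbound" -or $rule.Access -ne "Allow") { continue }
        # Prefix and port properties are strings in older AzureRm and lists in newer ones; @() handles both.
        $fromInternet = @($rule.SourceAddressPrefix) | Where-Object { $_ -in "Internet", "*", "0.0.0.0/0" }
        if (-not $fromInternet) { continue }
        $hits = foreach ($port in $ManagementPorts) {
            foreach ($range in @($rule.DestinationPortRange)) {
                if (Test-PortInRange -Range $range -Port $port) { $port }
            }
        }
        if ($hits) {
            [pscustomobject]@{
                Rule     = $rule.Name
                Priority = $rule.Priority
                Source   = @($rule.SourceAddressPrefix) -join ","
                Ports    = (@($hits) | Sort-Object -Unique) -join ","
            }
        }
    }
}

# Offline check of the rule set above (returns nothing: RDP is limited to $mgmtPrefix).
Get-ExposedManagementRule -SecurityRules $rules

# Against everything deployed in the current subscription:
# Get-AzureRmNetworkSecurityGroup | ForEach-Object { Get-ExposedManagementRule -SecurityRules $_.SecurityRules }
```

Run against the "RDPTraffic" rule in the appendix of this deck, which allows Internet to port 3389 on every VM in the subnet, the function reports it; the fix is the first rule above, or reaching the VMs over the point-to-site/site-to-site VPN from Step 2 and dropping the RDP rule entirely.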
Public IP ranges of the Microsoft Azure datacenters: https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653
Results of Step 6
• The set of network security groups: VM interface or subnet-based, rules for inbound and outbound addresses and ports
• The use of network appliances: enhanced firewalling, traffic inspection, intrusion detection, etc.
• IPsec policies for end-to-end encryption
• Disk encryption policies
• Anti-malware agents for VMs

Results of the overall LOB application design process for Azure IaaS: the set of Azure elements for the LOB application and their settings: subscription, locations, resource groups, storage accounts, virtual networks, subnets, network security groups, availability sets, load balancers, virtual machines.
Demo (slide): subscription > resource group HKTestRG > storage account hk193testcsp; virtual network TestNet with subnet 10.0.0.0/24 and a public IP (PIP); one Standard A1 VM running Windows Server 2012 R2.
# create the VM
$stName = "hk193testcsp"
$locName = "West Europe"
$rgName = "HKTestRG"
New-AzureRmResourceGroup -Name $rgName -Location $locName
$storageAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName -Type "Standard_GRS" -Location $locName
$singleSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name singleSubnet -AddressPrefix 10.0.0.0/24
$vnet = New-AzureRmVirtualNetwork -Name TestNet -ResourceGroupName $rgName -Location $locName -AddressPrefix 10.0.0.0/16 -Subnet $singleSubnet
$pip = New-AzureRmPublicIpAddress -Name TestPIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
# Note: the NIC gets a public IP and no NSG is attached, so RDP on this VM is reachable from the
# whole Internet as soon as it boots; attach an NSG (Step 6) or omit -PublicIpAddressId.
$nic = New-AzureRmNetworkInterface -Name TestNIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id
$cred = Get-Credential -Message "Type the name and password of the local administrator account."
$vm = New-AzureRmVMConfig -VMName WindowsVM -VMSize "Standard_A1"
$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName MyWindowsVM -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri = $storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/WindowsVMosDisk.vhd"
$vm = Set-AzureRmVMOSDisk -VM $vm -Name "windowsvmosdisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRmVM -ResourceGroupName $rgName -Location $locName -VM $vm
Built the VM using PowerShell (imperative, prescriptive)
Export resource group template
Deployment via ARM (declarative):
New-AzureRmResourceGroupDeployment -Name testDeployment -ResourceGroupName $rgName -TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json -Mode Incremental
Cloud principles
• Freedom of choice
• Marketplaces
• Cloud-inspired infrastructure
• Multi vendor
• Hybrid
• Hyper scale
• Self-service
• Built in and on top of security
• Built-in compliance
• Automation
Continuous change; shared; software defined; scalable; pay per use; built to fail; multi vendor; lock-in reduction; open and closed source; built-in security.

Thank you!
Appendix

Appendix: PowerShell command blocks

Specify the Azure subscription
$subscrName="<subscription name>"
Get-AzureRmSubscription -SubscriptionName $subscrName | Select-AzureRmSubscription
Create a new resource group
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
New-AzureRmResourceGroup -Name $rgName -Location $locName
Create a new storage account
# Create a new standard storage account
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$saName="<storage account name>"
New-AzureRmStorageAccount -Name $saName -ResourceGroupName $rgName -Type Standard_LRS -Location $locName

# Create a new premium storage account
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$saName="<storage account name>"
New-AzureRmStorageAccount -Name $saName -ResourceGroupName $rgName -Type Premium_LRS -Location $locName
Create a new availability set
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$avName="<availability set name>"
New-AzureRmAvailabilitySet -Name $avName -ResourceGroupName $rgName -Location $locName
Create a new cross-premises VNet
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$vnetName="<VNet name>"
$vnetAddrPrefix="<VNet address space>"
$spSubnetName="<subnet name>"
$spSubnetPrefix="<subnet address space>"
$gwSubnetPrefix="<gateway subnet address space>"
$dnsServers=@( "<DNS server IP address>", "<DNS server IP address>" )

# The gateway subnet must be named exactly "GatewaySubnet"
$gwSubnet=New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $gwSubnetPrefix
$spSubnet=New-AzureRmVirtualNetworkSubnetConfig -Name $spSubnetName -AddressPrefix $spSubnetPrefix
New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $locName -AddressPrefix $vnetAddrPrefix -Subnet $gwSubnet,$spSubnet -DNSServer $dnsServers
Create VNet gateways and a connection
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$vnetName="<VNet name>"
$vnet=Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName

# Attach a virtual network gateway to a public IP address and the gateway subnet
$publicGatewayVipName="<name>"
$vnetGatewayIpConfigName="<name>"
New-AzureRmPublicIpAddress -Name $publicGatewayVipName -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$publicGatewayVip=Get-AzureRmPublicIpAddress -Name $publicGatewayVipName -ResourceGroupName $rgName
# Look the gateway subnet up by name rather than assuming it is Subnets[0]
$gwSubnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "GatewaySubnet"
$vnetGatewayIpConfig=New-AzureRmVirtualNetworkGatewayIpConfig -Name $vnetGatewayIpConfigName -PublicIpAddressId $publicGatewayVip.Id -SubnetId $gwSub­net.Id

# Create the Azure gateway (provisioning takes a long time, up to about 45 minutes)
$vnetGatewayName="<name>"
$vnetGateway=New-AzureRmVirtualNetworkGateway -Name $vnetGatewayName -ResourceGroupName $rgName -Location $locName -GatewayType Vpn -VpnType RouteBased -IpConfigurations $vnetGatewayIpConfig

# Create the gateway for the local network
$localGatewayName="<name>"
$localGatewayIP="<public IP address of the on-premises VPN device>"
$localNetworkPrefix=@( <comma-separated, double-quote enclosed list of the local network address prefixes, example: "10.1.0.0/24", "10.2.0.0/24"> )
$localGateway=New-AzureRmLocalNetworkGateway -Name $localGatewayName -ResourceGroupName $rgName -Location $locName -GatewayIpAddress $localGatewayIP -AddressPrefix $localNetworkPrefix

# Create the Azure virtual network VPN connection
$vnetConnectionName="<name>"
# Do not commit a real pre-shared key into a script; prompt for it (Read-Host) or read it from a vault at run time
$vnetConnectionKey="<IPsec preshared key>"
$vnetConnection=New-AzureRmVirtualNetworkGatewayConnection -Name $vnetConnectionName -ResourceGroupName $rgName -Location $locName -ConnectionType IPsec -SharedKey $vnetConnectionKey -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localGateway
Create a new load balancer instance
# This example block assumes HTTP-based traffic to web servers. Modify as needed.
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$privIP="<available IP address on the subnet>"

$vnet=Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
# -VirtualNetwork takes the VNet object returned above, not its name
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$frontendIP=New-AzureRmLoadBalancerFrontendIpConfig -Name WebServers-LBFE -PrivateIpAddress $privIP -Subnet $subnet
$beAddressPool=New-AzureRmLoadBalancerBackendAddressPoolConfig -Name WebServers-LBBE
$healthProbe=New-AzureRmLoadBalancerProbeConfig -Name WebServersProbe -Protocol "TCP" -Port 80 -IntervalInSeconds 15 -ProbeCount 2
$lbrule=New-AzureRmLoadBalancerRuleConfig -Name "WebTraffic" -FrontendIpConfiguration $frontendIP -BackendAddressPool $beAddressPool -Probe $healthProbe -Protocol "TCP" -FrontendPort 80 -BackendPort 80
New-AzureRmLoadBalancer -ResourceGroupName $rgName -Name "WebServersInAzure" -Location $locName -LoadBalancingRule $lbrule -BackendAddressPool $beAddressPool -Probe $healthProbe -FrontendIpConfiguration $frontendIP
Create Network Security Groups
# This example creates two rules and two network security groups for two subnets
# Set up key variables
$rgName="<your resource group name>"
$locName="<the Azure location, such as West US>"
$vnetName="<VNet name>"
$feSubnetName="<name of the front end subnet>"
$feSubnetAddrPref="<address prefix of the front end subnet>"
$beSubnetName="<name of the back end subnet>"
$beSubnetAddrPref="<address prefix of the back end subnet>"
# Rule to allow incoming RDP protocol traffic
$rule1 = New-AzureRMNetworkSecurityRuleConfig -Name "RDPTraffic" -Description "Allow RDP to all VMs on the subnet" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
# Rule to allow incoming HTTP traffic only to the web servers on the front-end subnet
$rule2 = New-AzureRMNetworkSecurityRuleConfig -Name "WebTraffic" -Description "Allow HTTP to the Web servers" -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix $feSubnetAddrPref -DestinationPortRange 80
# Create a new network security group for the front end subnet with the RDP and HTTP rules
New-AzureRMNetworkSecurityGroup -Name "Front End LOB App" -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1,$rule2
# Create a new network security group for the back end subnet with the RDP rule
New-AzureRMNetworkSecurityGroup -Name "Back End LOB App" -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1
$vnet=Get-AzureRMVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
# Apply the new network security group to the front end subnet.
$nsg=Get-AzureRMNetworkSecurityGroup -Name "Front End LOB App" -ResourceGroupName $rgName
Set-AzureRMVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $feSubnetName -AddressPrefix $feSubnetAddrPref -NetworkSecurityGroup $nsg
# Apply the new network security group to the back end subnet.
$nsg=Get-AzureRMNetworkSecurityGroup -Name "Back End LOB App" -ResourceGroupName $rgName
Set-AzureRMVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $beSubnetName -AddressPrefix $beSubnetAddrPref -NetworkSecurityGroup $nsg
# Subnet edits only change the local $vnet object; write the VNet back so the NSGs take effect
Set-AzureRMVirtualNetwork -VirtualNetwork $vnet
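The slide above opens RDP from the whole Internet to every VM on both subnets, which is the easiest setting to get wrong in a line-of-business deployment. The following is an added example (not from the deck, not Microsoft's documentation) that builds the same two NSGs with the weak rule shown for comparison and a tightened rule set in its place, then commits the VNet and lists whatever still allows inbound traffic from the Internet. `$mgmtAddrPref` (the administrative source prefix), the SQL port on the back end and the rule names are assumptions; fill in the angle-bracket placeholders as on the slides.

```powershell
# Added example: tightened NSG rule set for the front-end / back-end layout above.
# Angle-bracket values are placeholders; $mgmtAddrPref and the SQL port are assumptions.
$rgName="<your resource group name>"
$locName="<the Azure location, such as West US>"
$vnetName="<VNet name>"
$feSubnetName="<name of the front end subnet>"
$feSubnetAddrPref="<address prefix of the front end subnet>"
$beSubnetName="<name of the back end subnet>"
$beSubnetAddrPref="<address prefix of the back end subnet>"
$mgmtAddrPref="<public prefix of the admin network, e.g. 203.0.113.0/24>"   # assumed

# Weak form (as on the slide): RDP reachable from any Internet address on every VM.
# $rdpOpen = New-AzureRMNetworkSecurityRuleConfig -Name "RDPTraffic" -Access Allow -Protocol Tcp -Direction Inbound `
#   -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389

# Tightened form: RDP only from the admin prefix, and only into the front-end subnet.
$rdpAdmin = New-AzureRMNetworkSecurityRuleConfig -Name "RDPFromAdmin" `
  -Description "Allow RDP from the admin network only" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix $mgmtAddrPref -SourcePortRange * `
  -DestinationAddressPrefix $feSubnetAddrPref -DestinationPortRange 3389

$web = New-AzureRMNetworkSecurityRuleConfig -Name "WebTraffic" `
  -Description "Allow HTTP to the web servers" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix $feSubnetAddrPref -DestinationPortRange 80

# Back end: only the front-end subnet may reach SQL (port 1433 assumed). The explicit
# Deny documents intent and shows up in rule audits; the built-in DenyAllInbound
# default rule would otherwise be the only thing blocking the rest.
$sqlFromFe = New-AzureRMNetworkSecurityRuleConfig -Name "SqlFromFrontEnd" `
  -Description "Allow SQL only from the front-end subnet" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix $feSubnetAddrPref -SourcePortRange * `
  -DestinationAddressPrefix $beSubnetAddrPref -DestinationPortRange 1433

$denyInternet = New-AzureRMNetworkSecurityRuleConfig -Name "DenyInternetInbound" `
  -Description "Deny all other inbound traffic from the Internet" `
  -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange *

$feNsg = New-AzureRMNetworkSecurityGroup -Name "Front End LOB App" -ResourceGroupName $rgName -Location $locName -SecurityRules $rdpAdmin,$web
$beNsg = New-AzureRMNetworkSecurityGroup -Name "Back End LOB App" -ResourceGroupName $rgName -Location $locName -SecurityRules $sqlFromFe,$denyInternet

# Attach to the subnets and write the VNet back (subnet config edits are local until then)
$vnet = Get-AzureRMVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
Set-AzureRMVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $feSubnetName -AddressPrefix $feSubnetAddrPref -NetworkSecurityGroup $feNsg | Out-Null
Set-AzureRMVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $beSubnetName -AddressPrefix $beSubnetAddrPref -NetworkSecurityGroup $beNsg | Out-Null
Set-AzureRMVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Check: every custom rule in the resource group that still allows inbound traffic from the Internet
foreach ($nsg in Get-AzureRMNetworkSecurityGroup -ResourceGroupName $rgName) {
  $nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.SourceAddressPrefix -eq 'Internet' } |
    ForEach-Object {
      "{0}: rule '{1}' (priority {2}) allows Internet -> {3}:{4}" -f $nsg.Name, $_.Name, $_.Priority, $_.DestinationAddressPrefix, $_.DestinationPortRange
    }
}
```

With these rules the only Internet-facing Allow reported by the check is "WebTraffic" on port 80 towards the front-end prefix; RDP no longer appears because its source is the admin prefix. Rules are evaluated lowest priority number first, so an Allow added later with a number below 4000 would still take precedence over the Deny; the audit loop at the end is what catches that.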
Create a new VM (generic basic)
# Create a new virtual machine (generic, you must specify the publisher, offer, and sku values of the VM image)
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$pubName="<VM image publisher name>"
$offerName="<VM image offer name>"
$skuName="<VM image SKU name>"
# Network: look up the subnet (by VNet object, not name) and create one NIC for the VM
$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize
# OS profile: the administrator credential is prompted for, never written into the script
$cred=Get-Credential -Message "Type the name and password of the administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName $pubName -Offer $offerName -Skus $skuName -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
# Storage: the OS disk VHD lives in the storage account's blob endpoint
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm
Create a new VM (Windows Server basic)
# Create a new Windows Server 2012 R2 Datacenter virtual machine
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize
$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
# Publisher, offer and SKU for Windows Server 2012 R2 Datacenter; "latest" picks the newest image version
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm
Create a new VM in an availability set
# Create a new Windows Server 2012 R2 Datacenter virtual machine
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$avName="<availability set name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet
# The availability set must already exist; its Id is passed into the VM configuration
$avSet=Get-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id
$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm
Create a new VM with a static IP address
# Create a new Windows Server 2012 R2 Datacenter virtual machine with a static IP address
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$avName="<availability set name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$staticIP="<static IP address>"
$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
# The static address is a property of the NIC; it must be an unused address inside the subnet's prefix
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet -PrivateIpAddress $staticIP
$avSet=Get-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id
$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm
Create a new VM with an extra disk
# Create a new Windows Server 2012 R2 Datacenter virtual machine with a single extra disk
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$avName="<availability set name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$diskSize=<size of the extra disk in GB>
$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet
$avSet=Get-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id
# Data disk: an empty VHD of $diskSize GB in the same storage account (here for AD DS data)
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$vhdURI=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-ADDSDisk.vhd"
$vm=Add-AzureRMVMDataDisk -VM $vm -Name "ADDSData" -DiskSizeInGB $diskSize -VhdUri $vhdURI -CreateOption empty
$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm
Create a new VM as an LB set member
# Create a new Windows Server 2012 R2 Datacenter virtual machine with membership in a load balancer set
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$avName="<availability set name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$lbName="<load balancer instance name>"
$bePoolIndex=<index of the backend address pool,starting with 0>
$diskSize=<size of the extra disk in GB>
$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$lb=Get-AzureRMLoadBalancer -ResourceGroupName $rgName -Name $lbName
# LB set membership is a property of the NIC: it joins the chosen backend address pool of the load balancer
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet -LoadBalancerBackendAddressPool $lb.BackendAddressPools[$bePoolIndex]
$avSet=Get-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$vhdURI=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-ADDSDisk.vhd"
$vm=Add-AzureRMVMDataDisk -VM $vm -Name "ADDSData" -DiskSizeInGB $diskSize -VhdUri $vhdURI -CreateOption empty
$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm
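The five VM slides above each end at New-AzureRMVM without showing how to confirm what was built. The following is an added example (not from the deck) that reads back the deployed VMs and reports the things the slides set up: fault and update domain placement from the availability set, the NIC's private IP and allocation method (static versus dynamic), whether a public IP is attached, whether the NIC's subnet carries an NSG, and whether the NIC sits in a load balancer backend pool. It assumes the VMs, NICs and VNet live in the same resource group, as on the slides, and that each VM has one NIC; the VM names are placeholders.

```powershell
# Added example: post-deployment placement and exposure check for the VMs created above.
# Assumes one NIC per VM and that VM, NIC and VNet share the resource group.
$rgName="<resource group name>"
$vmNames=@("<first VM name>","<second VM name>")   # assumed: the VMs created on the slides

function Get-VmPlacementReport {
  param([string]$ResourceGroupName, [string[]]$VmName)
  foreach ($name in $VmName) {
    # -Status populates InstanceView, which carries the fault/update domain
    $vm = Get-AzureRMVM -ResourceGroupName $ResourceGroupName -Name $name -Status
    # NIC name is the last segment of the NIC resource id referenced by the VM
    $nicId = $vm.NetworkProfile.NetworkInterfaces[0].Id
    $nic = Get-AzureRMNetworkInterface -ResourceGroupName $ResourceGroupName -Name (($nicId -split '/')[-1])
    $ipcfg = $nic.IpConfigurations[0]
    # Subnet id: .../virtualNetworks/<vnet>/subnets/<subnet>
    $subnetName = ($ipcfg.Subnet.Id -split '/')[-1]
    $vnetName = ($ipcfg.Subnet.Id -split '/')[-3]
    $vnet = Get-AzureRMVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $vnetName
    $subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
    [pscustomobject]@{
      VM           = $name
      FaultDomain  = $vm.InstanceView.PlatformFaultDomain
      UpdateDomain = $vm.InstanceView.PlatformUpdateDomain
      PrivateIP    = $ipcfg.PrivateIpAddress
      Allocation   = $ipcfg.PrivateIpAllocationMethod
      HasPublicIP  = ($null -ne $ipcfg.PublicIpAddress)
      SubnetNSG    = $(if ($subnet.NetworkSecurityGroup) { ($subnet.NetworkSecurityGroup.Id -split '/')[-1] } else { '(none)' })
      InLBPool     = ($ipcfg.LoadBalancerBackendAddressPools.Count -gt 0)
    }
  }
}

$report = Get-VmPlacementReport -ResourceGroupName $rgName -VmName $vmNames
$report | Format-Table -AutoSize

# Two members that share both fault and update domain gain nothing from the availability set
$report | Group-Object FaultDomain, UpdateDomain | Where-Object Count -gt 1 |
  ForEach-Object { "WARNING: $($_.Group.VM -join ', ') share fault/update domain $($_.Name)" }

# A VM with a public IP and no NSG on its subnet is exposed directly
$report | Where-Object { $_.HasPublicIP -and $_.SubnetNSG -eq '(none)' } |
  ForEach-Object { "WARNING: $($_.VM) has a public IP and no NSG on its subnet" }
```

Run this once the New-AzureRMVM calls have completed; the VMs on the slides attach no public IP, so the second warning fires only if someone added one afterwards, which is exactly the drift the check is for.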
Getting publisher, SKU, offer
https://blogs.msdn.microsoft.com/cloud_solution_architect/2015/05/05/creating-azure-vms-with-arm-powershell-cmdlets/
Get-AzureRmVMImageSku – get the SKUs for a publisher and offer
Get-AzureRmVMImagePublisher – get the available publishers
Get-AzureRmVMImageOffer – get the available offers from a publisher
Get-AzureRmVMImage – get the image for a specific SKU
The following ARM cmdlet gets the details for a specific Windows Server source image:
Get-AzureRmVMImage -Location "westus" `
  -PublisherName "MicrosoftWindowsServer" `
  -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "4.0.20150916"
Deploy ARM template
New-AzureRmResourceGroupDeployment -Name test1 -ResourceGroupName $resourceGroupName -TemplateFile $templateFile -TemplateParameterFile $templateParameterFile -Verbose
Authentication – ssh or password
"parameters": {
  ...
  "authenticationType": {
    "allowedValues": [ "password", "ssh" ],
    "defaultValue": "password",
    "type": "string"
  },
  "adminPassword": {
    "type": "securestring"
  },
  "sshPublicKey": {
    "defaultValue": "",
    "type": "string"
  },
  ...
},
"variables": {
  ...
  "password": {
    "adminPassword": "[parameters('adminPassword')]",
    ...
  },
  "ssh": {
    ...
    "linuxConfiguration": {
      "disablePasswordAuthentication": "true",
      "ssh": {
        "publicKeys": [
          { "keyData": "[parameters('sshPublicKey')]", ... }
        ]
      }
    }
  },
  "osProfileObj": "[variables(parameters('authenticationType'))]",
  ...
}
Example template at https://github.com/Azure/azure-quickstart-templates/blob/master/checkpoint-single-nic/azuredeploy.json#L11
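Putting the deployment slide and the authentication pattern together: the following is an added example (not from the deck and not from the quickstart template) that validates a template using the authenticationType / sshPublicKey / adminPassword parameters before deploying it, passing the parameters as an in-memory object so the password never lands in a parameter file. The template path, the SSH public key location and the choice of `$useSsh` are assumptions; the parameter names match the fragment above.

```powershell
# Added example: validate-then-deploy for a template using the ssh/password pattern above.
# Paths, key location and $useSsh are assumptions.
$rgName="<resource group name>"
$templateFile="<path to azuredeploy.json>"
$deploymentName="test1"
$useSsh=$true   # assumed choice; $false exercises the password branch

if ($useSsh) {
  # Key material is read from the local public key file; the private key never leaves the client
  $params = @{
    authenticationType = "ssh"
    sshPublicKey       = (Get-Content "$env:USERPROFILE\.ssh\id_rsa.pub" -Raw).Trim()
  }
} else {
  # A securestring template parameter accepts the SecureString object directly
  $params = @{
    authenticationType = "password"
    adminPassword      = (Read-Host -AsSecureString -Prompt "Admin password")
  }
}

# Validation surfaces template syntax and parameter errors without creating resources.
# If the template declares adminPassword without a defaultValue, the ssh branch is
# reported here as missing that parameter and needs a placeholder value added.
$errors = Test-AzureRmResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $templateFile -TemplateParameterObject $params
if ($errors) {
  $errors | ForEach-Object { Write-Error ("{0}: {1}" -f $_.Code, $_.Message) }
  return
}

# Incremental mode leaves resources that are in the group but not in the template untouched
$deployment = New-AzureRmResourceGroupDeployment -Name $deploymentName -ResourceGroupName $rgName `
  -TemplateFile $templateFile -TemplateParameterObject $params -Mode Incremental -Verbose
$deployment.ProvisioningState
$deployment.Outputs
```

Because the template's `osProfileObj` variable is selected by `parameters('authenticationType')`, flipping `$useSsh` is the only change needed to switch the deployed VM between key-based and password login.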
VNET – existing or new
{
  "vnetNewOrExisting": {
    "type": "string",
    "defaultValue": "new",
    "allowedValues": [ "new", "existing" ]
  },
  "vnetExistingRGName": {
    "type": "string",
    "defaultValue": ""
  },
  ...
}
Example template at https://github.com/Azure/azure-quickstart-templates/blob/master/mysql-replication/azuredeploy.json#L68
Setup connection gateway
Site2Site
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-site-to-site-resource-manager-portal/
https://blogs.technet.microsoft.com/askpfeplat/2016/01/20/creating-a-site-to-site-vpn-connection-in-arm-through-the-new-azure-portal-2/
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/
Configuring Windows Server 2012 R2 as a VPN device: https://technet.microsoft.com/en-us/library/dn641937(v=ws.11).aspx
Point2site
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-point-to-site-rm-ps/
For ARM this is only possible via PowerShell.
You will need a certificate for the gateway: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-certificates-point-to-site/
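The point-to-site slide says a certificate is needed and that the ARM setup is PowerShell-only, but stops there. The following is an added example (not from the deck) of the certificate side: a self-signed root certificate, a client certificate issued from it, upload of only the root's public data to the gateway, and the revocation hook for a client certificate that should no longer be trusted. The gateway name, resource group and client address pool are assumptions, and New-SelfSignedCertificate with -Signer needs Windows 10 / Windows Server 2016 or later (earlier hosts used makecert, as in the linked article).

```powershell
# Added example: point-to-site root and client certificates, and registration of the
# root with the virtual network gateway. Names and address pool are assumptions.
$rgName="<resource group name>"
$gwName="<virtual network gateway name>"
$clientPool="<client address pool, e.g. 172.16.201.0/24>"

# Root: signing-only key in the current user's store; this is the trust anchor the gateway checks against
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
  -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
  -HashAlgorithm sha256 -KeyLength 2048 `
  -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Client: issued by the root with the client-authentication EKU (1.3.6.1.5.5.7.3.2);
# this is what gets installed (with its private key) on each user's machine
$client = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
  -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
  -HashAlgorithm sha256 -KeyLength 2048 `
  -CertStoreLocation "Cert:\CurrentUser\My" `
  -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Only the root's public part is sent to Azure: base64 of the DER-encoded certificate
$rootPublicData = [Convert]::ToBase64String($root.RawData)

$gw = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName
Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool $clientPool | Out-Null
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "P2SRootCert.cer" `
  -VirtualNetworkGatewayname $gwName -ResourceGroupName $rgName -PublicCertData $rootPublicData | Out-Null

# Revocation: a client certificate that must no longer connect is blocked by thumbprint
# Add-AzureRmVpnClientRevokedCertificate -VpnClientRevokedCertificateName "lost-laptop" `
#   -VirtualNetworkGatewayName $gwName -ResourceGroupName $rgName -Thumbprint $client.Thumbprint

# Check what the gateway now trusts
(Get-AzureRmVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName).VpnClientConfiguration.VpnClientRootCertificates |
  Select-Object Name
```

Keep the root's private key off the gateway and off user machines: the gateway only ever needs `$rootPublicData`, and users only need their own client certificate. Issuing one client certificate per user, rather than sharing one, is what makes the thumbprint revocation step useful.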
Security layers
Visualizing the security layers
Recommended