Create Gen 2 VM though VM Role

Since Update Rollup 6 of Windows Azure Pack, it is possible to deploy Gen2 virtual machines through VM Roles. So in the first place I set my VHDX syspreped from a Gen2 virtual machine. For that I run the below PowerShell script. This script set the Family Name, the tags, the release version, the product key and the Operating System on the VHDX located in the VMM library.

$LibraryServers = "library.home.net"
$VHDName = "Gen2-W2012R2"
$FamilyName = "Windows Server 2012 Datacenter"
$Release = "1.0.0.0"
$Tags = "WindowsServer2012"
$AVMAKey = "Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW"
$MyVHDX = Get-SCVirtualHardDisk | where {$_.Name –eq $VHDName}
$2K12DC = Get-SCOperatingSystem | where { $_.name –eq '64-bit edition of Windows Server 2012 Datacenter'}
Foreach ($Library in $LibraryServers){
    $MyVHDX = Get-SCVirtualHardDisk | where {($_.Name –eq $VHDName) -and ($_.LibraryServer -contains $Library)}
    $oTags = $myVHDX.Tag
    if ( $otags -cnotcontains $Tags ) { $otags += @($Tags) }
    Set-scvirtualharddisk –virtualharddisk $MyVHDX `
                          –OperatingSystem $2K12DC `
                          -FamilyName $FamilyName `
                          -Release $Release `
                          -Tag $oTags `
                          -ProductKey $AVMAKey
}

Then we have to configure a Custom “Cloud” Properties in order to enable the support of Gen2 VM though VM Role. So edit a Cloud from VMM console and select Custom Properties. Then click on Add. On the next window, select Cloud Object Type and click on create. Specify SupportedVMGenerationForVMRole as Name and specify a description. When you have clicked on ok, select your new property and click on Add.

To finish with the Cloud configuration, specify the value 2 on the SupportedVMGenerationForVmRole property.

Next, open the Windows Azure Pack tenant portal, and create a new VM Role. Now you should be able to select your Gen2 VHDX in Operating System Disk menu.

When the VM Role provisioning is finished, you should have a VM in Gen2 J.

The post Deploy Gen2 VM through VM Role in WAP UR6 appeared first on Tech-Coffee.

In the last topic, I have implemented the 5-Nine Cloud Security in a Windows Azure Pack environment. Now I will configure 5-Nine Cloud Security to work with the Windows Azure Pack.

• Part 1: Implement 5-Nine Cloud Security 5.1
• Part 2: Configure 5-Nine Cloud Security for Windows Azure Pack
• Part 3: Protect tenant VMs

Permissions Management

First of all we have to configure the service account with the right permissions. If you don’t configure the service account permissions, the Cloud Security service in the Windows Azure Pack will be Out-Of-Sync. Remember the part 1 of this series. When I have installed the Windows Azure Pack extension, I have used a service account to connect to the Management Service as below. This is this account that I will add to the permissions management.

So open a 5-Nine Cloud Security console and click on Settings and select Permissions Management.

Next click on Add and click on Select. Now select Global Group and Windows User. Then specify the service account (mine is called home\sa-sec-svc01). To finish select the Security Administrator role for this account.

Now in the Permissions Management you should have the service account as below. I have also added my account to manage the solution from the console.

Add Hyper-V hosts to 5-Nine Cloud Security

Now that the service account permissions are set, connect to your administrative portal of the Windows Azure Pack. Open the 5-Nine Cloud Security tab. In the Hosts tab, click on add as below.

Then specify the host name and if needed, the credential to connect to the Host Management Service. Repeat this operation for each Hyper-V host.

Now your Hyper-V hosts should be listed in the Hosts tab.

If you come back to the 5-Nine Cloud Security Console, the Hyper-V hosts should be added as below.

Now you should have all VMs listed in the 5-Nine Cloud Security as below.

And you have the same result in the 5-Nine Cloud Security console J.

Add the Cloud Security Service to a hosting plan

Now we can add the 5-Nine Cloud Security service to a hosting plan. So, navigate to your hosting plan and click on Add Service.

Select the Cloud Security Service and click on validate.

If all is well configured, you should have a new plan service called Cloud Security and Active. If your service is Out-Of-Sync, verify the permissions in 5-Nine Cloud Security console.

Check on the tenant portal

To verify if the tenants can access to the Cloud Security service, I’m connecting to to the tenant portal with Jason Bourne account (fabrikam\jbourne). First be sure that at least one VM is created by the tenant.

Now click on New, select Cloud Security and Add VM.

N.B: I have an issue at this moment. When I click on Add VM, the list of virtual machines is empty. Currently I’m asking to 5-Nine support how to resolve this issue. When I have the solution, I will edit this topic. For this example, I have linked the VM to the tenant from the 5-Nine Cloud Security Console.

Select the VM and validate. Now if you navigate to the 5Nine Cloud Security tab, you should have your VM listed.

If I come back to the admin portal, I have the tenant associated to the Virtual Machine.

And to finish, if I open the 5-Nine Cloud Security Console, I have a Virtual Machine member of the jbourne@fabrikam.com tenant.

Conclusion

In this part we have seen how to manage the 5-Nine Cloud Security from Windows Azure Pack. We have added the Hyper-V hosts from WAP and we have delivered the Cloud Security to our tenants to provide Security as a Service. In the next part, I will protect tenant VMs  with this solution.

The post Configure 5-Nine Cloud Security for Windows Azure Pack appeared first on Tech-Coffee.

In this topic, I will implement the 5-Nine Cloud Security in a Windows Azure Pack environment. This topic is the first of a series.

• Part 1: Implement 5-Nine Cloud Security 5.1
  
• Part 2: Configure 5-Nine Cloud Security for Windows Azure Pack
• Part 3: Protect tenant VMs

5-Nine Cloud Security 5.1 overview

5-Nine Cloud Security is composed of 5 features that have to be deployed on specific servers:

• Management Service: this feature should be deployed on a dedicated VM. This is the management server of the solution;
• Management Console: this feature enables to configure and manage the 5-Nine Cloud Security solution. This feature should be installed on the Management Service server and on console servers;
• Host Management Service: this component should be installed on Hyper-V hosts to have the visibility on Virtual Machines
• SC VMM compliance extension: this component should be installed on Virtual Machine Manager servers. Thanks to this feature, a configuration provider is added to Virtual Machine Manager. This enables to add a Cloud Security Network Service and extensions to logical switch.
• Extension for Windows Azure Pack: This feature should be installed on Windows Azure Pack servers. This enables to add 5-Nine Cloud Security tab on admin and tenant portals to make the configuration.

Below you can find a schema of the deployment that I have made in my lab.

You can download and request a trial license key of 5-Nine Cloud Security 5.1 here. For this topic, I have downloaded the Standalone with Kaspersky Antivirus version.

Management Service and Management Console installation

First, I have deployed a new virtual machine called vmsec01. On this server I have run 5nineCloudSecurityKAV.exe. Next I select Management Service and I have clicked on Install.

Next click on next many times and choose a destination folder.

Specify a domain service account and click on next.

Next specify a database server and credential. I have specified a SQL Server AlwaysOn endpoint based on SQL Server 2012 SP1.

When the installation is finished, you can select the Management Console and click on install.

Next I choose a destination folder and I click on next.

Then specify the management server address. Because I install the management console on the same server where is the management server, I specify localhost. If you install the management console on another server, you have to specify the FQDN of the management server.

When the management console is installed, you can open the console. You should have something like this.

To finish, I recommend you to create a firewall exception based on this program: D:\<InstallPath>\5nine\5nine Cloud Security for Hyper-V Management Service\5nine.VirtualFirewall.ManagementService.exe

Host Management Service installation

Local installation

Connect to a Hyper-V host and run 5nineCloudSecurityKAV.exe. Select Host Management Service and click on Install.

Click on next, choose a destination folder and specify a service account for the Host Management Service.

Then specify the management server FQDN.

Remote installation

You can also install the Host Management Service remotely. For that, run 5nineCloudSecurityKAV.exe, select Host Management Service and click on Remote Install.

Next specify the management server FQDN.

Next add each Hyper-V hosts where you want to install the service and the service account.

Click on next and the installation should be launched on each Hyper-V.

Virtual Machine Manager extension

Install SC VMM Compliance extension

Connect on each Virtual Machine Manager server and run 5nineCloudSecurityKAV.exe. Select SC VMM compliance extension and click on next.

Select a destination folder and click on next.

Once you have finished to install this feature, reboot the Virtual Machine Manager service.

Configure Virtual Machine Manager

Connect to your Virtual Machine Manager and navigate to settings. Click on Configuration Providers and verify that 5-nine Cloud Security Network Management Provider is active.

Next navigate to the fabric and add a network service. Give a name to the network service and click on next.

Select 5nine Software, Inc as Manufacturer and CloudSecurity Manager as Model.

Specify a RunAs account. I have created a RunAs account called CloudSecurity based on management server service account credential.

Then specify the Management Server FQDN and click on next.

Next validate the network service configuration provider by clicking on Test and if the test result is good, click on next.

Select the host groups where the network service will be available.

To finish, edit each logical switch and select 5nine Cloud Security Filter extension.

Now connect to Hyper-V Manager and verify if extensions are in the same order as VMM configuration:

To finish verifying if the related interface are compliances as below:

Windows Azure Pack extension installation

Now connect to your Windows Azure Pack servers and run 5nineCloudSecurityKAV.exe. Select Extension for Azure Pack and click on install.

Select the features to install regarding the Windows Azure Pack server roles.

Next specify the hostname and the credentials to connect to Management Server.

Next specify credentials for communication between the Windows Azure Pack and Cloud Security API web service.

Once you have finished installation of Windows Azure Pack extension, you should have a new tab in the Admin Portal.

In this next part, I will explain you how to configure 5-Nine Cloud Security in Windows Azure Pack.

The post Implement 5-Nine Cloud Security 5.1 in Windows Azure Pack appeared first on Tech-Coffee.

Fabrikam and Contoso forests represent two customers of my Cloud service. When a tenant from Fabrikam want to log on the WAP Tenant portal (www.dmzhome.net), here’s what happens:

1. The user from Fabrikam connects to www.dmzhome.net;
2. He is redirected to sts.dmzhome.net. This AD FS asks where come from the tenant (Microsoft Azure, Fabrikam or Contoso);
3. When the tenant has selected where he come from, he is redirected to the Fabrikam account AD FS (fs01.fabrikam.com);
4. The tenant specifies his credential and fs01.fabrikam.com send claims to sts.dmzhome.net;
5. sts.dmzhome.net verifies the claims and redirect the token to www.dmzhome.net;
6. If the tenant doesn’t exist in the Windows Azure Pack database, an account is created.

In this topic, I will configure each AD FS to authenticate tenants with their own Active Directory credential on Windows Azure Pack tenant portal.

Requirements

To follow this topic, you need:

• Three forests to simulate Fabrikam, Constoso and HomeCloud Active Directory;
• One server that hosts Active Directory Federation Service in each forest (fresh installation);
• A working Windows Azure Pack installation (cf. this topic).

Add a relying party trust to Account AD FS

First we will configure the account AD FS that are in each customer forest (Fabrikam and Contoso). So open the AD FS console and navigate to Relying Party Trusts. Select Add Relying Party Trust…:

Next specify the Federation Metadata address of the resource AD FS. Mine is called sts.dmzhome.net so I specify https://sts.dmzhome.net/federationmetadata/2007-06/federationmetadata.xml:

Next specify a Display Name:

In this topic I don’t configure the Multi-Factor authentication. So I leave the defaut settings and I click on next.

Leave the default setting on the below screen to permit all users to access this relying party.

When you are on Finish screen, tick the edit claims rules checkbox. Click on Add Rule in Issuance Transform Rules tab. Select Send LDAP Attributes as Claims:

Next specify a Claim rule name and select Active Directory as Attribute store. Map User-Principal-Name LDAP attribute to UPN claim type:

Next add again a rule based on Send LDAP Attributes as Claims template. Specify a claim rule name and select Active Directory as Attribute store. Map Token-Groups – Qualified by Domain Name LDAP attribute to Group claim type:

Next add again a rule and select Pass Through or Filter an Incoming Claim template:

Specify a claim rule name and select UPN in Incoming claim type menu:

Then add again a rule and select Pass Through or Filter an Incoming Claim template. Specify a claim rule name and select Group in Incoming claim type menu:

At the end you should have four transform rules as below:

Repeat the same procedure for the others Account AD FS.

Add claims Provider Trusts to Resource AD FS

Now that Account AD FS are set, we have to configure the resource AD FS in our perimeter to add claims provider trusts. In other word, this configuration enables to create federation trust From Resource AD FS to Account AD FS. In the below example, I create a federation trust with Fabrikam. First open the AD FS console and navigate to Claims Provider Trusts. Click on Add Claims Provider Trust…:

Next specify the account AD FS url in Federation metadata address field. In my example I specify https://fs01.fabrikam.com/.

Then specify a display name.

Once the Claims Provider Trust is created, edit the claim rules of this trust. Click on Add rule.

Select Send LDAP Attributes as Claims template.

Next specify a Claim rule name and select Active Directory as Attribute store. Map User-Principal-Name LDAP attribute to UPN claim type:

Next add again a rule based on Send LDAP Attributes as Claims template. Specify a claim rule name and select Active Directory as Attribute store. Map Token-Groups – Qualified by Domain Name LDAP attribute to Group claim type:

Next add again a rule and select Pass Through or Filter an Incoming Claim template:

Specify a claim rule name and select UPN in Incoming claim type menu:

Then add again a rule and select Pass Through or Filter an Incoming Claim template. Specify a claim rule name and select Group in Incoming claim type menu:

At the end you should have four transform rules as below:

Repeat the same procedure to add a Claims Provider Trust to Contoso.

Add a relying party trust to Resource AD FS

Next we have to add a relying party trust to the Windows Azure Pack tenant portal. So open the AD FS console and navigate to Relying Party Trusts. Then click on Add Relying Party Trust…:

Specify the federation metadata address of the Windows Azure Pack tenant portal. In my example I have specified https://www.dmzhome.net/federationmetadata/2007-06/federationmetadata.xml.

Next specify a display name.

Next I leave the default settings because I don’t want to configure the Multi-Factor Authentication.

Then leave the default setting to permit all users to access this relying party.

On the finish screen, tick the checkbox to edit claim rules.

Add issuance transform rules as previous parts. You should have four rules as below.

To finish, run this command on the resource AD FS:

Set-AdfsRelyingPartyTrust -TargetIdentifier 'https://azureservices/TenantSite' -EnableJWT $true

The AD FS configuration is now finished J.

Change WAP Tenant authentication site

Now connect to a Windows Azure Pack server and run the below script. It enables to reconfigure Windows Azure Pack to use the resource AD FS as authentication site instead of the default site.

$fqdn = 'sts.dmzhome.net'
$dbServer = 'SQLAAG02.home.net'
$dbPassword = 'password'
$portalConfigStoreConnectionString = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User ID=sa;Password={1}', $dbServer, $dbPassword)
Set-MgmtSvcRelyingPartySettings -Target Tenant `
                                -MetadataEndpoint https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml `
                                -ConnectionString $portalConfigStoreConnectionString

Authenticate tenants with AD FS

Now we can open a browser and navigate to the tenant portal (https://www.dmzhome.net on my side). On the below screen you can see the authentication portal. The both AD FS appears and the tenants have to select the company (Fabrikam or Contoso).

When the company is selected, the resource AD FS redirects the tenants to the related account AD FS.

Once the tenant has specified his credential, he is redirected to the resource AD FS and then this last redirects the tenant to the WAP tenant portal. If the account doesn’t exist, he is created.

Customize AD FS authentication page

Thanks to AD FS, it is possible to customize the authentication page. You can use below PowerShell commands:

Set-AdfsGlobalWebContent -CompanyName "HomeCloud"
Set-AdfsGlobalWebContent -ErrorPageSupportEmail "Report this error"
Set-AdfsGlobalWebContent -ErrorPageDescriptionText "Access Denied"
Set-AdfsGlobalWebContent -Homelink "//www.tech-coffee.net"
Set-AdfsGlobalWebContent -HomelinkText "Website"
Set-AdfsGlobalWebContent -PrivacyLink "//www.tech-coffee.net"
Set-AdfsGlobalWebContent -PrivacyLinkText "Privacy Statement"
Set-AdfsWebTheme -TargetName default -Logo @{path="C:\Temp\homecloud.png"}
Set-AdfsWebTheme -TargetName default -Illustration @{path="C:\Temp\Cloud-Computing.jpg"}
Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Welcome to HomeCloud service. Enjoy <span style="font-family: Wingdings;">J</span>.</p>"
Set-AdfsGlobalWebContent -ErrorPageDeviceAuthenticationErrorMessage "We were unable to authenticate you. EAre you sure that you have authorization to access the service ?"
Set-AdfsGlobalWebContent -ErrorPageGenericErrorMessage "An unexpected error has occurred, please let the administrators know"

Set-AdfsGlobalWebContent -ErrorPageAuthorizationErrorMessage “Sorry, we were unable to authorize your access, please try again. If this error persists, please contact the administrators.”

And the result J:

So as we have seen on this topic, it is possible to manage which customers access the service thanks to the federation trusts. By removing the federation trust, the customers can no longer access to the Cloud service. Enjoy with yours AD FS J.

The post Windows Azure Pack – Authenticate tenants with AD FS appeared first on Tech-Coffee.

So to check why the service didn’t work I looked into the debug log of MgmtSvc-WebAppGallery. I saw this event:

To be sure that the web service Web App Gallery worked, I opened the database to verify if items was added to Marketplaceitems table.

Moreover, in the MgmtSvc-WebAppGallery debug log, I saw these events:

At this point, I knew that WebAppGallery web service fetched items from Internet to the marketplace database. So it was not a connectivity problem (proxy etc.). To explain you the mistake, I have to describe my Windows Azure Pack installation:

Below my endpoint dns addresses:

So to connect to the WebAppGallery service installed on my privilege servers, the tenant portal uses aapi.home.net:30018 endpoint. I have reconfigured my resource provider with the below script:

Import-Module MgmtSvcAdmin
## Environment settings
# SQL Server AlwaysOn DNS Listener containing the Windows Azure Pack databases
$server="SQLAAG02.home.net"

# Admin Authentication Site
$WinAuthSiteLB = "auth.home.net"
$WinAuthSitePort = "443"
# Admin API
$AdminApiLB ="aapi.home.net"
$AdminApiPort = "443"
$adminApiUri = "https://${AdminApiLB}:$AdminApiPort"
$windowsAuthSite = "https://${WinAuthSiteLB}:$WinAuthSitePort"

# credentials for performing actions
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("home\rserre",$password)
$token = Get-MgmtSvcToken -Type Windows -AuthenticationSite $windowsAuthSite -ClientRealm "https://azureservices/AdminSite" -User $credential -DisableCertificateValidation
# Get a list of resource providers with the current configured endpoint values
$rp = Get-MgmtSvcResourceProvider -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
$rp | Select Name, @{e={$_.AdminEndPoint.ForwardingAddress}}, @{e={$_.TenantEndpoint.ForwardingAddress}}

# new fqdn for resource provider marketplace
$resourceProviderName = "marketplace"
$adminEndpoint = "https://${AdminApiLB}:30018/"
$tenantEndpoint = "https://${AdminApiLB}:30018/"
$usageEndpoint = $null
$healthCheckEndpoint = $null
$notificationEndpoint = $null
$rp = Get-MgmtSvcResourceProvider -Name $resourceProviderName -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
if ($rp.AdminEndpoint -and $adminEndpoint) {
# update endpoint
$rp.AdminEndpoint.ForwardingAddress = New-Object System.Uri($adminEndpoint)
}
if ($rp.TenantEndpoint -and $tenantEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($tenantEndpoint)
}
if ($rp.UsageEndpoint -and $usageEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($usageEndpoint)
}
if ($rp.HealthCheckEndpoint -and $healthCheckEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($healthCheckEndpoint)
}
if ($rp.NotificationEndpoint -and $notificationEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($notificationEndpoint)
}
Set-MgmtSvcResourceProvider -ResourceProvider $rp -AdminUri $adminApiUri -Token $token -DisableCertificateValidation –Force

Below the resource provider endpoints after the reconfiguration run with this script:

And it is ….. wrong. The WAP team configured me that the tenant endpoint forwarding address for the marketplace must be https://<URL>:<PORT>/subscriptions.

So I run again the above script with these settings:

# new fqdn for resource provider marketplace
$resourceProviderName = "marketplace"
$adminEndpoint = "https://${AdminApiLB}:30018/"
$tenantEndpoint = "https://${AdminApiLB}:30018/subscriptions"
$usageEndpoint = $null
$healthCheckEndpoint = $null
$notificationEndpoint = $null

Below the result after that the script was run:

End Taaadaaaa my Website Gallery works:

So don’t forget to add the /subscriptions URI in the tenant endpoint forwarding address when you reconfigure your resource providersJ.

The post Windows Azure Pack – Website gallery issue appeared first on Tech-Coffee.

Verify the Public Tenant API site configuration

To follow this topic, you must have a working Windows Azure Pack installation (cf. this topic). Verify also that your Tenant Public API is well configured. For that connect to servers that host this service en verify the configuration in IIS. Ideally, a certificate signed by a PKI should be assigned to the service and a host name should be provided.

In my example I will use the below aliases:

To finish, make sure that you have run the below script to reconfigure the Tenant Public API endpoint:

Import-Module MgmtSvcAdmin
### VARIABLES
## Environment settings
# SQL Server AlwaysOn DNS Listener containing the Windows Azure Pack databases
$server="SQLAAG02.home.net"

## Define the desired FQDNs and Ports
# Tenant Site
$TenantSiteLB ="www.DMZHome.net"
$TenantSitePort = "443"
# Tenant Auth Site
$TenantAuthSiteLB ="auth.DMZHome.net"
$TenantAuthSitePort = "443"
# Tenant Public API
$TenantPublicApiLB = "api.DMZhome.net"
$TenantPublicApiPort = "443"

### MAIN CODE
# Define the federation endpoints
$TenantMetadataEndpoint="https://${TenantAuthSiteLB}:$AuthSitePort/federationMetaData/2007-06/FederationMetadata.xml"
$TenantSiteMetadataEndpoint="https://${TenantSiteLB}:$TenantSitePort/federationMetaData/2007-06/FederationMetadata.xml"

# Reconfigure Windows Azure Pack components to point to load balancers
Set-MgmtSvcFqdn -Namespace TenantPublicApi -FQDN $TenantPublicApiLB -Port $TenantPublicApiPort -Server $server

Install Microsoft Azure PowerShell module

First, run the Web Plateform Installer on the machine where you want run WAPack PowerShell command and install Microsoft Azure PowerShell.

Configure environment

Open a PowerShell command line in Administrator and run the below command.

Add-WAPackEnvironment -Name "<Give-a-Name>" `
                      -PublishSettingsFileUrl https://<URL-to-Tenant-Portal>/publishsettings `
                      -ServiceEndpoint https://<URL-to-Tenant-Public-API>

Next run the below command with the same name that you have provided in the Add-WAPackEnvironment command. Then download the file publishsettings file.

Get-WAPackPublishSettingsFile -Environment "<Give-a-Name>"

When you have downloaded the file, a certificate is added to management certificates in My Account.

Next go back to the PowerShell command line, and run the below command.

Import-WAPackPublishSettingsFile "<Path-to-the-publishsettings-file>" -Environment "<Give-a-Name>"

 Example 1: Create a Virtual Network

In this example, my tenant can only create virtual network from Hyper-V Network Virtualization. So I have to find the provider logical network to create virtual network. For that I run the below PowerShell command:

Get-WAPackLogicalNetwork

Now that I have the name of the Provider Address network, I can use it to create a Virtual Network with these commands.

$LogicalNetwork = Get-WAPAckLogicalNetwork -Name "Provider Address"
New-WAPackVNet -Description "Virtual Network 1" `
               -Name "vNet01" `
               -LogicalNetwork $LogicalNetwork

With the above commands, I have created a virtual network called vNet01. If I connect to the Windows Azure Pack portal, I can retrieve it:

Now that the virtual network is created, I have to create the subnet:

$vNet = Get-WAPackVNet -Name "vNet01"
New-WAPAckVMSubnet -Name "VMSubnet01" `
                   -Subnet "10.10.0.0/24" `
                   -VNet $vNet

 And if I come back to the Windows Azure Pack portal, I can see that the subnet is created:

To finish, I create a Static IP Address Pool:

$VMSubnet = Get-WAPackVMSubnet -Name "VMSubnet01" -vNet $Vnet
New-WAPackStaticIpAddressPool -IPAddressRangeStart "10.10.0.5" `
                              –IPAddressRangeEnd "10.10.0.250" `
                              -Name "IPP_VMSubnet01" `
                              –VMSubnet $VMSubnet

To finish, I delete the virtual network by running the below command:

$Vnet = Get-WAPackVNet vNet01
Remove-WAPackVNet $vNet

Example 2: Create a Virtual Machine

It is also possible to create virtual machines from PowerShell in Windows Azure Pack. You can create the virtual machines from template (Linux or Windows) or from OSDisk. I have chosen to create the VM from a Windows template:

# Get the VM Template
$StdPerfVMTemplate = Get-WAPackVMTemplate -Name "Standard Performance"
#Get Credential
$cred = Get-Credential
# Create VM
New-WAPackVM -Name "VMWEB01" -Template $StdPerfVMTemplate `
                             -Vnet $vNet `
                             -VMCredential $Cred `
                             -Windows `
                             -ProductKey "Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW"

Once the VM is created, you can retrieve it in the Windows Azure Pack portal.

 You can also run the below command to obtain the state of the Virtual Machine

To start, stop and remove the VM you can run the below PowerShell commands:

$VM = Get-WAPackVM VMWEB01
start-WAPAckVM $VM
stop-WAPAckVM $VM
Remove-WAPackVM $VM

The post Windows Azure Pack – PowerShell tenant API appeared first on Tech-Coffee.

Requirements

Before following this topic, you need below requirements:

• A server with JRE x64 1.7 installed (not 1.8 otherwise the Cloud Cruiser installation will fail)
  • Add environment variable called JAVA_HOME where the value is c:\program files\Java\jre7
• Virtual Machine Manager must be connected to Operations Manager (cf. this topic)
• A working Windows Azure Pack and VM Clouds (cf. this topic)

Verify configuration

First connect to your SPF server and open IIS management console (inetmgr). Navigate to application pools and verify that the identity of Usage is a domain account.

This account must be also in SPF_Usage local group as below:

Configure Windows Azure Pack Usage Service

Cloud Cruiser will connect to Windows Azure Pack Usage Service. with credentials. However The user name and the password are randomly generated while installing Windows Azure Pack. So with the below script, I configure my own credentials to connect to Usage Service. This script should be run on a server that hosts privilege Windows Azure Pack services.

Import-Module MgmtSvcAdmin
Set-MgmtSvcSetting -Namespace UsageService -Name Username -Value 'UsageClient'
Set-MgmtSvcSetting -Namespace UsageService -Name Password -Value 'password' –Encode

Add Operations Manager to Service Provider Foundation

First connect to a SPF server and run the below script to register Operations Manager (OM) Data Warehouse to Service Provider Foundation.

Import-module spfadmin
# Specify the SQL server that hosts OM Data Warehouse
$OMDWSqlServer = "SQLAAG02.home.net"
# Specify a OM Management server
$OMServer      = "VMOMG01.home.net"

$stamp         = Get-SCSPFStamp;
$server        = New-SCSPFServer -Name $OMServer `
                                 -ServerType OMDW `
                                 -Stamps $stamp[0];
$setting       = New-SCSPFSetting -Name $OMDWSqlServer `
                                  –Value "Data Source=$OMDWSqlServer;Initial Catalog=OperationsManagerDW;Integrated Security=True" `
                                  -SettingType DatabaseConnectionString –Server $server

Next run the command Get-SCSPFSetting to verify if the OM Data Warehouse is registered.

Configure Operations Manager Data Warehouse database

Now we have to give permissions on OM Data Warehouse database to the account that run the Usage application pools on SPF Server (mine is called home\sa-spf-svc02). So open management studio and navigate to security login and edit the properties of this account. Navigate to User Mapping and select OperationsManagerDW. Then select OpsMgrReader as database role membership.

Next edit the properties of OperationsManagerDW database. Verify that the account as Execute permission as below.

Register Service provider Usage

Open the administrative management portal of Windows Azure Pack and navigate to VM Clouds. Click on Use an existing VM Clouds endpoint to collect metering data.

Next I specify the service URL, and credentials to connect. I use a local account that is member of all SPF local groups.

Once the connection is successful, the table Records in Microsoft.MgmtSvc.Usage database should be filled as below.

Install Cloud Cruiser

Be sure that you are using a JRE 64bit version 1.7 and not a 1.8. Otherwise the installation will fail!

Download Cloud Cruiser Express here. Next run the installation of Cloud Cruiser. Then specify an install path and a working path.

Next specify a product name, a tomcat port and an E-mail address. The Admin user name and password will be used by Windows Azure pack to connect to Cloud Cruiser endpoint.

Choose a database type. In this case I choose SQL Server.

Next specify SQL Server settings. If you specify an Application User that doesn’t exist, it will be created in security login of the SQL Server instance.

Next enter the Usage Service information. You can specify the admin API URL of Windows Azure Pack. The user and password are those specified in Configure Windows Azure Pack Usage Service part.

To finish run this script to allow inbound connection on port TCP/8080.

New-NetFirewallRule -DisplayName "Tomcat" `
                    -Action Allow `
                    -Direction Inbound `
                    -LocalPort 8080 `
                    -Protocol TCP `
                    -Enabled True

Register Cloud Cruiser REST Endpoint

Connect to the administrative management portal and navigate to user costs. Next click on Register your Cloud Cruiser REST endpoint. Specify the Rest Endpoint as below and the user name and password that you have provided while installing Cloud Cruiser.

Once the Cloud Cruiser is registered in Windows Azure Pack, you should have something as below:

Add Cloud Cruiser to hosting plan

Now we have to add the Cloud Cruiser to a hosting plan. So browse to a hosting plan and click on Add Service.

Select Cloud Cruiser and click on ok.

After sometime, information should appear in User Costs.

Connect to Cloud Cruiser management portal

To configure financial plan, you can connect to cloud cruiser: https://<servername>:8080

The post Windows Azure Pack – Implement billing with Cloud Cruiser appeared first on Tech-Coffee.

Requirements

• A working SQL Server cluster using AlwaysOn (cf. this topic)
• A working Windows Azure Pack installation (cf. this topic)

Run this script on each SQL Server node:

sp_configure 'contained database authentication', 1;
GO
RECONFIGURE;
GO

SQL Server extension installation

On each node that hosts admin Windows Azure Pack services, run the Web Platform Installer. Next select Windows Azure Pack: SQL Server Extension and click on Add.

When the configuration webpage is opened, specify your database server settings.

At the end of installation, you should have something as below :

SQL Server group creation

Open your Administrative Console of Windows Azure Pack and navigate to SQL Servers. Navigate to Groups and click on Create a new SQL Server Group. In group type, select High Availability (Always on enabled). Specify a group name and a share to store database backup.

I have created two groups: one called Bronze and the other called Gold.

Add SQL Servers to Windows Azure Pack

Next we have to associate SQL Servers to the groups that we have previously created. So navigate to SQL Servers and select servers. Click on Add a new SQL Server. Specify the group, the AAG listener name, the credentials and size of hosting server.

Repeat the operation to add others SQL Servers.

So in my example I have two groups and two SQL Servers AAG.

Add the service to a hosting plan

Now we have to add the service to a hosting plan. Select a hosting plan and click on Add Service.

Select the SQL Servers service and click on next.

Then click on SQL Servers service to configure it.

Specify the settings regarding your needs and click on ok.

Now the service status should be Active.

Trying the service

To use the service, connect to the tenant portal and click on SQL Server Databases. Then select Add a new database.

Specify a database name and choose an edition.

Specify database credentials and click on ok.

Once the database is created, you can connect to your SQL Server with the management studio and open the AAG dashboard. As you can see below, the database is automatically added to the AAG.

The post Windows Azure Pack – SQL Server in AlwaysOn as a Service appeared first on Tech-Coffee.

This whitepaper explains how to implement a Private Cloud with Windows Azure Pack in high availability from scratch. So I talk about Scale-Out File Servers, SQL AlwaysOn, Virtual Machine Manager, Service Provider Foundation, NVGRE Gateway, RD Gateway and Windows Azure Pack.

I start this implementation just after to have deployed the Active Directory and a PKI and so almost from scratch. I hope this document will help you to implement your own private cloud.

Merry Christmas everyone

The post Whitepaper: Implement a highly available private cloud to host virtual machines appeared first on Tech-Coffee.

Some of VM Role resources can be downloaded from the Web Platform Installer. But if you need to make your own VM Role, you should use the VM Role Authoring Tool.
This tool provides user interface to create resource definition and extension packages. Before authoring a VM Role, it is important to understand these packages:

• Resource definition package (*.resdefpkg). This is a template that describes information asked to the tenants from the Self-Portal as VM size, VM Name, forest name and so on. These parameters are used by VMM to deploy the VM Role.
• Resource extension package (*.resextpkg). This is a package that can contain two components:
  • The Resource extension file (RESEXT): this is a template that describes how to deploy and configure the resource. Input parameters come from the resource definition.
  • The application payload: contains required resources to deploy the application (IIS, Exchange and so on). The resources can be binaries, scripts etc.

The resource extension package is not mandatory. You can deploy a resource definition package in the Windows Azure Pack and deploy the VM Role without an extension package. However no customization will be applied.

Authoring a VM Role

First of all download VM Role Authoring Tool (VRAT). Below you have a screenshot of the VRAT user interface.

To create a Resource Extension package, click on File and select New Windows Resource Extension Package. I call this package TC-WebServer.

Next I create a Resource Definition package. For that, click on File and select New Resource Definition Package. I call this package TC-WebServer.

Resource Extension package

In Resource Extension, I change the Publisher to Tech-Coffee. You can manage the versioning by modifying the Version field.

In resource requirements, indicate which tags you have to apply on a VHD to be recognized by the VM Role.

In Roles & Features specify which Windows components will be installed after the VM deployment. I select all Web Server features.

In Application Profile you can add a Web Application to be deployed just after VM deployment. You can also add a SQL Profile for SQL Deployment or just a script application.

Resource Definition Package

First I change the Publisher to Tech-Coffee. As the Resource Extension Package, you can manage the versioning by changing the Version Field.

In Extension References, I bind the Resource Definition with the Resource Extension. To make this binding, the name of the resource extension and the resource definition have to be the same.

In parameters, there are settings asked to tenants from the management portal.

In Scale Out, you can define the minimum and the maximum number of instances per VM Role.

On Hardware Profile you can specify the CPU and the memory of the VM. If you leave the default value as below, the tenant will have a scroll menu with several choices (Small, Medium, Large, A7 and so on) to set the VM size from the management portal.

On Storage Profile, you have to specify the VHDX required for the operating system and if needed, optional data disks. If you leave the default setting as below, the tenant will have a scroll menu containing each VHD tagged with the value defined in the resource extension.

In Network profile, you can configure Network Adapter. You can add or remove Network Adapter if you need more than one. You can configure the allocation method (from the IP Pool or DHCP), the state of IPV4/IPV6 and so on.

In Operating System Profile, you can customize the operating system. You can specify the Computer Name Pattern, the time zone and the administrator account credential. Moreover you can join automatically a domain. In the below example, these parameters will be set by the tenant from the Management portal when he will deploy a VM Role.

To finish you can add some custom logo for your VM Role. The settings in View Definition will be shown to the tenants in the VM Role gallery.

Once you have finished, you can save both files and close VM Role Authoring Tool.

Deploy the Extension Package

Copy the resource extension package onto your VMM server and run the below script:

## Specify your library share name
$LibraryShareName = "VMMLibrary$"
## Specify the path to resextpkg file
$resextpkg = "C:\Gallery Resources\TC-WebServer\TC-WebServer.resextpkg"
$Library = Get-SCLibraryShare | Where-Object {$_.Name -eq $LibraryShareName}
Import-CloudResourceExtension -ResourceExtensionPath $resextpkg -SharePath $Library -AllowUnencryptedTransfer
Get-CloudResourceExtension

At this point you have imported the resource extension to your VMM. Now you have to prepare your VHDX (mastered from Gen 1 VM):

## Specify your VHDX file name
$VHDName = "Gen1-W2012R2"
$FamilyName = "Windows Server 2012 DataCenter"
$Release = "1.0.0.0"
$Tags = "WindowsServer2012"
$AVMAKey = "Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW"
$MyVHDX = Get-SCVirtualHardDisk | where {$_.Name –eq $VHDName}
$2K12DC = Get-SCOperatingSystem | where { $_.name –eq '64-bit edition of Windows Server 2012 Datacenter'}
$oTags = $myVHDX.Tag
if ( $otags -cnotcontains $Tags ) { $otags += @($Tags) }
Set-scvirtualharddisk –virtualharddisk $myVHDX `
                      –OperatingSystem $2K12DC `
                      -FamilyName $FamilyName
                      -Release $Release `
                      -Tag $oTags `
                      -ProductKey $AVMAKey

This script adds a family name, a release a tag and the AVMA key in the VHDX.

Deploy the resource definition package

To add the resource definition to Windows Azure Pack, open an administrative management portal and navigate to VM Clouds and Gallery. Click on Import.

Upload the resource definition package.

Once the resource definition package is uploaded, a new row should appear with the name of your resource definition package.

Click on the VM Role and navigate to Plans. Add each hosting plan where you want this VM Role available.

To finish, navigate to dashboard and click on mark public.

Now the tenant can deploy this VM Role J.

Deploy the VM Role

First connect to the tenant management portal. Click on New, Virtual Machine Role and From
Gallery. Select your VM Role.

Specify a name for your VM Role.

Configure each settings. As you can see, these parameters are the same than I have specified in the resource definition.

Oups the WorkGroup label is malformed (VMRoleWorkGroupNameLabel). I will correct that in the resource definition package.

Once you have validated, the VM Role is provisioning.

Once the VM is created, we can see that each selected Windows Server role in resource extension package are installed.

To make an advanced VM Role, external scripts will be required. For example the Domain Controller VM Role available on Web Platform Installer enables to create a new forest but not to add domain controllers to the domain when the instance number is increased. So it is necessary to add a script that verifies if the domain exists and so add the domain controller to this domain.

If I have the time, I will try to create a Domain Controller VM Role to manage thatJ.

The post Windows Azure Pack – Authoring a VM Role appeared first on Tech-Coffee.