Azure Powershell Setup and IaaS Mass Endpoint Creation

This is a two-purpose article, one general and one specific. Generally, we'll configure powershell to manage your Azure subscription, and then specifically how to configure many endpoints at once.  

When I was working on my article Experiment: Application Server on Windows Azure I noted one peculiar issue. Setting up Windows Azure Endpoints is easy to do one at a time, but doing en masse is seemingly complicated. Fortunately, there is a relatively easy workaround using powershell Azure management.

Setup Powershell to Manipulate Azure

 

Download Azure Powershell

 

You can get the Powershell management plugins from this link. The main link uses the Web Platform Installer and several non-critical items are marked as pre-requsites. If you use WPI it will download and install those as well. Note that despite this assertion, the only thing that is really needed for PowerShell is the stuff that is (by default on a 64 bit OS) installed to "C:\Program Files(x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\*.*" after installing using the WPI. For that reason, I actually put this folder in my Skydrive; the whole thing is only 8.55MB, and you can load it directly without "Installing"(see below).

Setup Powershell Management

1. Start Powershell as administrator
2. Ensure you have your execution policy set to RemoteSigned (or unrestricted) with the command "Set-ExecutionPolicy RemoteSigned"
3. Import the module with the command "Import-Module {Path to Install}\Azure.psd1"
4. Get your account settings by typing "Get-AzurePublishSettingsFile". This will open up a web browser and download your settings file. You may need to log-in. Note: Ensure you keep this file in a secure location or dispose of it after import.
5. Import that file by executing "Import-AzurePublishSettingsFile {path to downloaded .publishsettings file}"

You should now be able to manipulate your VMs and other services using powershell. To test this, try something like "Get-AzureVM"

Note: If you have multiple subscriptions in one account you'll need to use the command "Select-AzureSubscription {Subscription Friendly Name}>"

Now you should be good to go. Now let's set up some endpoints!

Mass Endpoint Creation

 

Let's say you want to create TCP port openings from 27000 to 27080 on one or many VMs. (This script will work for both scenarios) Creating them by hand would take quite some time. To accomplish this quickly with powershell, do the following:

If you haven't already, perform steps 1 and 3 above.

Here's the script with line by line discussion below. Note that this could be conflated to fewer lines but I've broken it out to be easier to understand. 

$VMs=Get-AzureVM -ServiceName "VMName"
foreach ($VM in $VMs)
{
    $p=27000
    do
    {
        Get-AzureVM $VM.name|Add-AzureEndpoint -LocalPort $p -PublicPort $p -Name TCP$p -Protocol TCP | Update-AzureVM
        $p+=1
    }
    until ($p -gt 27080)
}

note: PleaseKING below has a great example of how to get this to execute faster by not committing on a per port basis; check it out! 

Discussion:
$VM=Get-AzureVM -ServiceName "VMName" : Get the VM objects. To return all VMs and apply endpoints to all your VMs, just omit the "-ServiceName "VMName" portion.

foreach ($VM in $VMs) : Let's process these ports for each VM. Works with just 1.

$p=27000 : Start port. Change this to the first port you want to forward in.

Get-AzureVM $VM.name|Add-AzureEndpoint -LocalPort $p -PublicPort $p -Name TCP_$p -Protocol TCP | Update-AzureVM : Feed in the VM object | Add endpoint where -localport $p is the port, -Name TCP_$p is the defined port name, feel free to change and -Protocol TCP for TCP. Change to UDP if necessary | Commit changes

$p+=1 : Increment port by 1. Feel free to change the increment if you need to open different port groups

until($p -gt 27080) : The last port in the range to create.

That should do it! Note these will take awhile to setup; the per port provisioning is kinda slow.

Now that you've forwarded the endpoints, you'll need to open the ports on the VM firewall as well. To do this quickly, see Hey Scripting Guy!

Reference time:

• MSDN: Azure Powershell
• MSDN: Get-AzureVM
• MSDN: Add-AzureEndpoint
• Microsoft Social: Azure VM Endpoint Range
• Windows Azure Blog: Automating the Cloud with CLI (Glenn Block)
• MSDN: Getting started with Windows Azure Cmdlets

If you have any questions or comments please let me know!

Do You Need Virtual Machine Manager and VMM 2012 SP1 Installation

Do I need VMM?

 

That's a question I've heard many times and while there is alot of data out there I wanted to make a simple list to help those entertaining the same question. Here is the breakdown of what Microsoft offers with VMM above and beyond standard Hyper-V:

• Centralized management and configuration support for Hyper-V, Xen Server, and VMWare.
• It contains P2V Migration tools not included with standard Hyper-V.
• One console for managing multiple hosts. While using standard Hyper-V you can have multiple hosts in one MMC, but you need to switch between them. 
• Automatic "workload placement" i.e. automatically moving a guest from one host to another based on load. 
• Tools for environment consolidation. (Identify idle guests, etc.)
• Much more from a management perspective including tools facilitating hosting multiple clients. "Tenants". 

If any of these features are appealing to your business you should give VMM a try. Everything you need for a trial is available for free. (Win8 AEK, VMM, SQL Express) For licensing costs, see this blog post by the always sharp Scott Lowe and this FAQ published by Microsoft. Now that we covered that,let's install!

Installing VMM

 

Assumptions

• We're talking 2012 SP1 here, so you'll need Windows Server 2012 
• Internet Access to D/L the Win8 AEK (link below)
• Domain and preferably Enterprise Administrator access (You'll see why) 
• This has a SQL Database; I assume you know where you want to put that. "An intern with Excel" will not suffice.  

Prerequisites

1.  First you'll need to download and install the Windows 8 Assessment and Deployment Kit on the server on which you intend to install 2012. When installing select "Deployment Tools" and "Windows Preinstallation Environment" only. 

2. Service Account: This domain-based service account will need only Administrative access to the target server. Lesser access is not possible per Microsoft. For additional security lock the account down to being able to log onto that server only. While it is possible to run VMM with a non-domain account, I won't cover that because doing so loses functionality. If you haven't done a service account before make sure you create at least one dedicated OU and a good prefix or suffix for the account name. I use a prefix of S_.

3. A container for the Active Directory based crypto keys. By putting these in AD you facilitate moving the server or having a highly available environment. Again, I will not cover the "local" option. There is conflicting information on how to implement this, but through testing I determined that you DO need to pre-create the DKM container. This article is correct on the steps to configure, but here is a short list: 
1. Pick a location in AD for this container. Use ADSIEdit to create the container by navigating to where you would like it and right clicking target OU->New->Object->Container and name it. (I recommend VMMDKM to correspond with MFST doco) 
2. (If you're not an "Enterprise Admin", "Domain" not enough) Right click the new CN, select properties, and switch to the "Security" tab, and add the username of the installer to have full control to "this object and all descendant objects". Click OK. 
3. Make sure you take note of the distinguishedName; this can be copied easily by right clicking->properties->double click distinguishedName->copy to clipboard/paste to notepad or Edlin or vi or Lotus WordPro or WordStar.

 Let's Do This

1. Insert the DVD (image) and start setup.exe. Hit "Install".

2. Check "VMM Management server" and "VMM Console" if desired and hit "Next"
3. Enter your Name, Company, and ProductID. You can do a "evaluation" edition if you don't have a key yet. Hit next, accept the service agreement, and hit next again. 
4. Choose if you want to participate in the CEIP, and hit "Next". 
5. Select your install directory and hit "Next". As a rule of thumb I recommend using a drive other than the system drive for  all apps and logs.
6. Assuming you pass the pre-req check, note any warnings and hit "Next". 
7. Select your SQL server. As noted above your installer account will need to have sufficient permissions to add a database. If you're setting up a lab and don't have a "real" SQL server available, check out SQL Express. Enter the appropriate info and click "Next".

8. Now you'll need to enter the service account that we discussed above. Check the "Store my keys in Active Directory" and copy in the DN from earlier. Hit "Next". If you want to use the non-AD based option you can, but eventually your server will self destruct.

9. On the Port Configuration screen, accept the defaults unless you know you'll conflict with another service on the box and hit "Next".
10. Specify a location for the VMM Library share. Again, I recommend not putting this on the system drive. Don't worry about space at this time, you can always change this after the install. 
11. Hit "Install" on the Installation Summary screen. 
12. Make sure you update the server & VMM from Windows Update and party like it's 1999. 

Now that you've got it installed it's time to see what it can do. I'm not going to tackle that today, but here are a few other resources to get you started:

• Private Cloud Management with VMM Part 1 by Iftekhar Hussain
• Part 2 of the above
• VMM 2012: Virtual Management by Paul Schnackenburg
• Update: Here's the VMM networking poster. Cool stuff!

Have fun & if you have any questions, let me know!

Update 3/31/2013: Troubleshooting

• Host Performance Counters read 0!  I was having an issue where VMM was missing all or some of the performance counters. Fortunately Kristian Nese published a fix that works well here. 

New 2012 Powershell CmdLets: Role Focus on NPS (Radius) Server

This will be one in a series of posts highlighting the new Cmdlets available in Windows server 2012 that didn't previously exist. I'll be breaking them down on a role-by-role (or feature) basis for easier reading. The first we'll be focusing on is the NPS server included with Windows Server, which is often used for RADIUS authentication.

Load the module: (on a 2012 Server\Win8 machine with the NPS server role or management tools loaded)

import-module NPS

Get the commands:

get-command -module NPS

CommandType     Name                                  
-----------     ----                                            
Cmdlet          Export-NpsConfiguration
Cmdlet          Get-NpsRadiusClient
Cmdlet          Get-NpsRemediationServer
Cmdlet          Get-NpsRemediationServerGroup
Cmdlet          Get-NpsSharedSecretTemplate
Cmdlet          Import-NpsConfiguration
Cmdlet          New-NpsRadiusClient
Cmdlet          New-NpsRemediationServer
Cmdlet          New-NpsRemediationServerGroup
Cmdlet          Remove-NpsRadiusClient
Cmdlet          Remove-NpsRemediationServer
Cmdlet          Remove-NpsRemediationServerGroup
Cmdlet          Set-NpsRadiusClient


Let's walk through these:

Export-NpsConfiguration: This is great; exports all configuration of the NPS server EXCEPT templates to an XML file for backup or import to a different server. Anything containing template information will be converted to information specific to that configuration item and exported, i.e. if a client profile uses a template shared secret the shared secret will export successfully but it will be an asset of that client configuration rather than having the config linked to the template. This will remain true even if the target server for importing the profile already has the template elements defined by the same name. Also note that if you have a SQL server configured for auditing that information will not be exported either. Security Warning: All information including shared secrets will be stored in clear text. Command example:

Export-NpsConfiguration c:\temp\NPSConfig.xml

Get-NpsRadiusClient,Get-NpsRemediationServer,Get-NpsRemediationServerGroup,Get-NpsSharedSecretTemplate: Enumerates the Radiusclient, RemediationServer(groups), and shared secret templates on the local server. Only the Get-RemediationServer cmdlet requires an argument. The others will show all items on the server and you can use common parameters to parse. Security warning: Get-NpsSharedSecretTemplate will display shared secrets in clear text.

Import-NpsConfiguration: When supplied with an XML configuration file generated by the Export-NpsConfiguration(above) it will import an NPS server configuration. As noted above you cannot import information regarding templates or SQL auditing, but everything else will come over fine. These two commands could be used in a scheduled task if desired to sync configuration from a "master" NPS server to others within the organization. Command example:

Import-NpsConfiguration c:\temp\NPSConfigFromThatOtherServer.xml

New-NpsRadiusClient, New-NpsRemediationServer, New-NpsRemediationServerGroup, Remove-NpsRadiusClient, Remove-NpsRemediationServer,Remove-NpsRemediationServerGroup: Commands to setup and remove NPS/Radius clients, remediation servers, and remediation server groups. Pretty straightforward; here's a New-NpsRadiusClient example:

New-NpsRadiusClient -Name "NameOfMyClientGroup" -Address "10.1.0.0/16" -AuthAttributeRequired 0 -NapCompatible 0 -SharedSecret "SuperSharedSecretxyz" -VendorName "RADIUS Standard"

Set-NpsRadiusClient: All this does is change a value of an existing client specification. This would be useful for doing batch updates of all client profiles. Take, for example, this command which would disable all client profiles:

foreach ($i in Get-NpsRadiusClient){Set-NpsRadiusClient $i.name -Enabled 0}

So here's a fun idea: Automate config changes all your NPS/Radius servers to have a master/slave relationship using a shared storage space, powershell, and task scheduler. It's as easy as 1, 2, 3! (Sheesh, did I just say that?)

1. Create simple powershell scripts to export the configuration to a shared file space (on "master" NPS server) and import from the shared file space (on "slave" NPS servers)  You may want to version them...
2. Create Scheduled task on the "master" to export however often you like and one scheduled task on each "slave" NPS to import that config. Make sure the import comes after the export
3. Profit!

Quick notes: if doing this be aware that changes will flow automatically so if you ruin your master you'll ruin your slaves too. As noted above I'd recommend versioning the configuration files (use the date) so that you have a history of the changes, just make sure you're fully aware of the fact that the shared secret is in the clear. If you wanted to get really fancy to protect that you could use a common service account and EFS, but that's a little deep for this article. :) 

In the mood for some references? Me too!
Technet NPS Migration Guide
Technet NPS Server Migration (different)
Technet NPS Cmdlets (Note the referenced -full and -examples aren't actually in the files)
Technet: Export NPS Config

Any questions? Let me know. Have fun!