Nullsession.com

Sometimes IT works

TechDays 2015 – Pre-conf and Azure Resource Manager

Just got an email confirming mine and Anders Bengtssons pre-conf for TechDays 2015, the “Azure IAAS Ninja Bootcamp”. We’ll teach you as much as you can consume about Azure IAAS during one day! I also got one session on Azure Resource Manager. ARM is by far the biggest leap in producing clean, nicely installed and repetitive environments in Azure. If you’re missing out on PowerShell and ARM along with DSC my guess is that you’ll be doing something else in the future!

Are you going to TechDays 2015 in Sweden?

Check out my sessions here: http://tdswe.kistamassan.se/Program-2015/Talare/(filter)/J

And don’t forget to register: http://tdswe.kistamassan.se/Anmal-dig

Compare installed vs available Microsoft Azure PowerShell versions

When running Microsoft Azure PowerShell certain cmdlets and functions are only available in the latest version of Azure PowerShell. So how do you know if you have the latest version? Well, this snippet will check your currently installed version and then ask the Web Platform Installer for the available version. It’ll then display the version numbers, letting you know if you’re current or not.

Just paste the entire code snippet into your PowerShell-prompt or embed it and just call the function.

— Begin snippet —

function Get-WindowsAzurePowerShellVersion
{
[CmdletBinding()]
Param ()

## - CHECK INSTALLED VERSION
Write-Host "`r`nInstalled version: " -ForegroundColor 'Yellow';
(Get-Module -name "Azure" | Where-Object{ $_.Name -eq 'Azure' }) `
| Select Version, Name, Author | Format-List;

## - CHECK WEB PI FOR AVAILABLE VERSION
Write-Host "Available version: " -ForegroundColor 'Green';
[reflection.assembly]::LoadWithPartialName("Microsoft.Web.PlatformInstaller") | Out-Null;
$ProductManager = New-Object Microsoft.Web.PlatformInstaller.ProductManager;
$ProductManager.Load(); $ProductManager.Products `
| Where-object{
($_.Title -like "Microsoft Azure Powershell*") `
-and ($_.Author -eq 'Microsoft Corporation')
} `
| Select-Object Version, Title, Published, Author | Format-List;
};
Get-WindowsAzurePowerShellVersion

— End of snippet —

Azure PowerShell

Azure Handbook

Are you or a customer thinking about Microsoft Azure and what it’s all about? Well, now we’ve saved your weekend and you can read the Azure Handbook. It’s not a lot about “how” but more “why” and “what”. Find it over here!

SWE: Missa inte Azure pre-conf på TechDays 2015!

Missade du min och Anders Bengtssons fyradagars Azure-workshop? Nu kan du gå en heldag i samband med TechDays där vi har kokat ner fyra dagar till en heldag fylld med ytterst lite teori och väldigt mycket labbar. Kan du redan allt om Azure finns det fler ämnen att fokusera på, t.ex. EMS, Office365 eller Datacenter.

Läs mer på http://tdswe.kistamassan.se/Program-2015/Pre-Conf

 

SWE: Presentationen från Riverbed Force 2015

På länken nedan hittar du presentationen från min session på Riverbed Force 2015 i Stockholm. Tack för alla intressanta frågor och diskussioner, glöm inte att maila de frågor vi inte hann med!

Länk till OneDrive

Using different pre-shared keys for Azure virtual network tunnels

I get loads of questions on Azure networking, some of them are good and others are just a lack of the will to RTFM. But this one actually had me trying it out cause I wasn’t sure of the possibility.

The question was: Can you have different pre-shared keys on the tunnels in Azure?

Looking around I found lots of examples of multiple tunnels, but all with the same PSK (Pre-Shared Key).

No better way than trying then, is there?

The setup is three different virtual networks:

A-net, B-net and C-net.

01-virtual-networks

There is four different local networks. A local network is a definition of the address range and gateway address that you use to connect a vnet to.

We’ve got:

A-BC-local (connecting A to B with multihop-routing to C)
A-net-local (connecting B to A)
C-AB-local (connecting C to B with multihop-routing to A)
C-net-local (connecting B to C)

So it’s A – B – C if you didn’t figure that out :)
02-local-networks

A connected to A-BC-local.

03-anet

B connected to both A and C.

04-bnet

C connected to B.

05-cnet

When they’re all configured they won’t connect since the newly created gateways have automatically set PSK’s. You’ll need to use PowerShell to set the PSK for each tunnel.

 

Set-Azurevnetgatewaykey -vnet A-net -localnetworksitename A-BC-local -sharedkey 456
Set-AzureVnetGatewayKey -vnet B-net -localnetworksitename A-net-local -sharedkey 456
Set-Azurevnetgatewaykey -vnet B-net -localnetworksitename C-net-local -sharedkey 123
Set-azurenvetgatewaykey -vnet C-net -localnetworksitename C-AB-local -sharedkey 123

This will set the tunnel from a-b to 456 on both a-gw and b-gw. B to C will have 123.

Then connect the networks using

Set-AzureVnetGateway -vnet A-net -localnetworksitename A-BC-local -connect
Set-AzureVnetGateway -vnet C-net -localnetworksitename C-AB-local -connect

Conclusion: You can set your own PSK for each tunnel, no matter if it’s to on-premises or between networks in Azure.

SWE: Presentation från V-Dagen 2015

Här kommer som utlovat presentationen från V-dagen i Malmö. Glöm inte att maila de frågeställningar ni hade men inte ville diskutera offentligt!

Trevlig helg!

Vdagen 2015 – Nässlander

/J

Connecting to your Azure site-to-site VPN over NAT

Creating a site-to-site connection to your Azure virtual network is desired in a lot of scenarios. Think hybrid cloud, new workloads, communicating with internal systems from Azure and so on. And in demo scenarios when you’re out travelling you might need that access too. Well, looking at the list of supported devices (below) we can find Windows RRAS for example.

Supported VPN devices: https://msdn.microsoft.com/en-us/library/azure/jj156075.aspx

And reading the guide (below) we’ll see how it’s actually done.

Configure Site-to-site VPN: https://msdn.microsoft.com/en-us/library/azure/dn133795.aspx

According to the last link you’ll need an external IPv4 that’s not behind NAT: “Obtain an externally facing IPv4 IP for your VPN device. This IP address is required for a site-to-site configuration and is used for your VPN device, which cannot be located behind a NAT.

That last statement has been discussed quite a lot, and when you read the RFC (RFC 3715, http://tools.ietf.org/html/rfc3715)  of course that IPsec connection will work over NAT. It’s just not supported by Microsoft, meaning that we can’t help you configuring your firewall to allow passthrough, hence we want your gateway to be directly connected to the internet.

For IPsec to traverse your NAT you’ll need to forward some ports (often called port forwarding in your router).

IKE – UDP 500
Encapsulating Security Payload (ESP) – IP protocol 50
Authentication Header (AH) – IP protocol 51
IPsec NAT traversal – UDP 4500

My setup consists of a Telia router with an external IP of 78.72.172.xx, my internal ip range is 192.168.1.0/24. This is added as a local network in Azure.

azure_local2

I then create a new virtual network in Azure and create a dynamic gateway. This will be assigned an ip address.

azure_vnet_disconnected

After that I’ve installed a VM on my local network running Windows Server 2012 R2 and configured it with RRAS. If you download the VPN device configuration script from the Azure portal it’ll set everything up for you, including installing the role. I’ve also configured the port forwarding in my router.

portforward

 

As you can see in the screenshot above the rule “IPSEC_500″ forwards all traffic to 192.168.1.150.

Once you have your port forwarding up and running you can have your RRAS server connect.

rras_connected

Give the portal some time (or refresh it) and it’ll show connected too

azure_vnet_connected

I’ve deployed two VM’s in Azure and turned off the firewall to be able to verify connectivity using ping.

 

connected

 

In the screenshot above I’ve verified connectivity to 10.0.0.5 in Azure with ping, and I’ve done a traceroute. The timeout is from the Azure gateway that doesn’t respond to ICMP. Internal address of RRAS server can be seen in the lower window.

Note that this is unsupported by Microsoft – but works according to RFC.

Uploading your RemoteApp image directory from Azure to RemoteApp

If you’ve been working with RemoteApp for a while you’ve most likely gotten tired of downloading and uploading that image by now. Most of us have probably set up a VM in Azure and added a disk to it, just bouncing the VHD off of that one. Saves a lot of time just staying in Azure. But still, downloading it IS time consuming so to get around that I’ve written a script. Before you download it there are some pointers:

There is NO error checking. Meaning you must remember to disable EFS, install all the roles/features and run sysprep manually. If you forget something you’ll notice that when you try to start your image. That’s VERY late in the process.

The script needs you to have the Azure Storage SDK installed. Same here, if the path to the DLL has changed it’ll fail. If my calendar decides to clear out I’ll give it some time and clean it up but for now it’s a quick and dirty fix… Copy below, save as .ps1 and off you go!

# Load Assembly – Without this file, it’ll all fail…
Add-Type -Path “C:Program Files (x86)Microsoft SDKsAzurePowerShellServiceManagementAzureNetworkMicrosoft.WindowsAzure.Storage.dll”

# Source information
# Information from storage account
$sourceStorageAccount = “storageaccountname” # <- Storage account name
$sourceStorageKey     = “yourstoragekey” # <- The key to your storage account
$sourceContainer      = “vhd” # <- Container name
$sourceFilename       = “RemoteAppTemplate.vhd” <- VHD name, can be seen in your container
$sourceContainerUri   = [String]::Format(“https://{0}.blob.core.windows.net/{1}”, $sourceStorageAccount, $sourceContainer)

# Destination information
# Information from RemoteApp upload script commandline
$destStorageAccount = “cdvne195334804rdcm”    # <- Destination name
$destStorageSAS     = “?sv=2012-02-12&sr=b&si=f6939bb2-a99d-43b6-823a-fe8ad44f5c20&sig=6q%2Bk8t7xzzC7DeICrWvb39rh4lUEijg93UFL7631V6s%3D” # <- SAS key
$destContainer      = “goldimages” # <- Container name
$destFilename       = “f6939bb2-a88d-43b6-811a-fe8ad41f5c20.vhd” # <- VHD name, can be seen in the command line from RemoteApp
$destUri            = [String]::Format(“https://{0}.blob.core.windows.net/{1}/{2}”, $destStorageAccount, $destContainer, $destFilename)

# This is where the magic happens

Write-host “Uploading your image…”
$sourceCredentials = New-Object Microsoft.WindowsAzure.Storage.Auth.StorageCredentials($sourceStorageAccount, $sourceStorageKey)
$sourceContainer = New-Object Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer($sourceContainerUri, $sourceCredentials)
$sourceBlob = $sourceContainer.GetBlobReferenceFromServer($sourceFilename)
$sourceStream = $sourceBlob.OpenRead()

$destCredentials = New-Object Microsoft.WindowsAzure.Storage.Auth.StorageCredentials($destStorageSAS)
$destBlob = New-Object Microsoft.WindowsAzure.Storage.Blob.CloudPageBlob($destUri, $destCredentials)
$destBlob.UploadFromStream($sourceStream)

$sourceStream.Close()
$destBlob.Metadata[“Status”] = “UploadComplete”
$destBlob.SetMetadata()

 

A good idea is to run this script from a VM in Azure too. That’ll speed up the process. Azcopy would be able to do the same thing if it supported SAS-usage across subscriptions.

SWE: Presentationer från TechX Azure

Här kommer som utlovat de två ppt-decken från TechX Azure. Den första är från sessionen “Where do you want to go today?” och den andra är från RemoteApp, sessionen där demon självdog samtidigt som min Samsung-platta gav upp. Sorry för det! Det positiva är ju att jag höll mig på scenen den här gången…

TechX – Enterprise Story

TechX -RemoteApp