Category Archives: Microsoft

How to configure multiple virtual network connections in Azure

When using infrastructure as a service in Microsoft Azure you could earlier only have one virtual network, which was like its own little isolated island. A while back Microsoft made it possible to connect multiple virtual networks together: in the same datacenter, in the same region, across regions and across subscriptions. This enables a whole lot of new scenarios, for example building your own global datacenter on top of Azure infrastructure.

So how do you go about doing it? Well, you need to start with planning. I know it’s boring, but if you don’t you could end up having to tear everything down just to rebuild it, and that doesn’t sound like much fun either.

What you need before starting:

  • An IP plan
  • A VPN device with a public IPv4 address (not necessary, but it lets you add a hybrid cloud scenario by connecting your physical network as well)
  • The Azure PowerShell cmdlets installed and configured

My IP plan looks like this:

Local network name   Subnet
HomeNet              10.0.0.0/24
AzureNet-Local       10.0.1.0/24
USNet-Local          10.0.2.0/24
JNNet-Local          10.0.3.0/24

Of the networks above, HomeNet is my physical location. The other three networks exist only in Azure. What you must make sure of when you plan is that no ranges overlap anywhere, whether in Azure or at a physical location: the gateways route between sites purely on these prefixes, so an overlap means traffic for one of the sites can never reach it.
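
As an added example, not code from the original post: a PowerShell check of the plan before anything is created in Azure. It takes the table above (constructed here as a hashtable), rejects any two prefixes that overlap, and also flags a prefix whose address has host bits set, such as the 10.0.1.200/27 subnet in the exported configuration further down (the aligned form of that prefix is 10.0.1.192/27). It needs nothing but PowerShell 3.0 or later and the .NET classes that ship with it.

```powershell
# Added example (not from the original post): validate an IP plan before creating networks in Azure.
# $ipPlan is constructed from the table above; HomeNet is the on-premises site, the other three live in Azure.
$ipPlan = [ordered]@{
    'HomeNet'        = '10.0.0.0/24'
    'AzureNet-Local' = '10.0.1.0/24'
    'USNet-Local'    = '10.0.2.0/24'
    'JNNet-Local'    = '10.0.3.0/24'
}

function Get-PrefixRange {
    # Returns the first and last address of an IPv4 CIDR prefix as 64-bit integers,
    # plus whether the prefix is aligned (no host bits set in the network address).
    param([Parameter(Mandatory)][string]$Cidr)
    $address, $length = $Cidr -split '/', 2
    if (-not $length) { throw "Prefix length missing: $Cidr" }
    $bytes = [System.Net.IPAddress]::Parse($address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Only IPv4 prefixes are supported: $Cidr" }
    [Array]::Reverse($bytes)   # GetAddressBytes is big-endian, BitConverter is little-endian on x86/x64
    $start = [long][BitConverter]::ToUInt32($bytes, 0)
    $size  = [long][math]::Pow(2, 32 - [int]$length)
    [pscustomobject]@{
        Cidr    = $Cidr
        Start   = $start
        End     = $start + $size - 1
        Aligned = (($start % $size) -eq 0)
    }
}

function Test-IpPlan {
    # Warns about every misaligned prefix and every overlapping pair; returns $true only if the plan is clean.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Plan)
    $clean  = $true
    $ranges = @(foreach ($name in $Plan.Keys) {
        $r = Get-PrefixRange -Cidr $Plan[$name]
        [pscustomobject]@{ Name = $name; Cidr = $r.Cidr; Start = $r.Start; End = $r.End; Aligned = $r.Aligned }
    })
    foreach ($r in $ranges) {
        if (-not $r.Aligned) {
            Write-Warning "$($r.Name): $($r.Cidr) has host bits set; use the network address instead"
            $clean = $false
        }
    }
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            # Two ranges overlap unless one of them ends before the other starts
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                Write-Warning "$($a.Name) ($($a.Cidr)) overlaps $($b.Name) ($($b.Cidr))"
                $clean = $false
            }
        }
    }
    return $clean
}

if (-not (Test-IpPlan -Plan $ipPlan)) { throw 'Fix the IP plan before creating any virtual or local networks.' }
'IP plan is clean: no overlaps, all prefixes aligned.'
```

Run it again every time a subnet or site is added; the check is cheap, and the alternative is the tear-down-and-rebuild the post warns about.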

 

Once that’s planned, I keep a separate table for my topology so I know which networks to connect to each other. When starting off you won’t know your gateway IPs yet, so don’t worry about that column; you’ll fill it in later.

Virtual network   Subnet        Gateway            Connects to local network   Subnet
AzureNet          10.0.1.0/24   137.117.227.xxx    HomeNet                     10.0.0.0/24
USNet             10.0.2.0/24   168.61.160.xxx     JNNet                       10.0.3.0/24
JNNet             10.0.3.0/24   23.97.77.xxx       USNet                       10.0.2.0/24

Getting started

Starting off, I already have one network called AzureNet (10.0.1.0/24), which is connected to my physical network HomeNet (10.0.0.0/24). You can follow this guide even if you don’t have that; just repeat the process for each network you need.

vlcsnap-2014-06-13-09h38m57s199

Let’s create a new virtual network first

In the portal, click New -> Network Services -> Virtual Network -> Custom Create

Name your network and select a location. South Central is in Brazil so I’ve named my network BRnet.

 

newnet01

Select (or enter) the IP address and name of the DNS server the network should use for local name resolution.

newnet02

Enter your address space. Make sure it doesn’t overlap any other subnet, in Azure or on-premises. Very important!

newnet03

Repeat this process for all the virtual networks you need.

When all your virtual networks are created it’ll look like this. Note the different locations in my setup, with networks in Japan, the USA and Amsterdam.

vlcsnap-2014-06-13-09h38m43s56

Local networks

When the virtual networks are done we’ll define a local network for each of them. This is because an Azure gateway can only connect a virtual network to something defined as a “local” network (an address space plus the public IP of a VPN device). For one virtual network to reach another, the other one must therefore also be defined as a local network, with its gateway’s public IP as the VPN device.

vlcsnap-2014-06-13-09h40m17s223

Name your network, and specify 1.2.3.4 as the VPN device address for now. This is only a placeholder: the real value is the public IP of the virtual network’s gateway, and that gateway doesn’t exist yet. We’ll come back and replace it once the gateways are created.

vlcsnap-2014-06-13-09h40m28s87

Specify the address space that you planned beforehand: the same range as the virtual network this local network represents.

vlcsnap-2014-06-13-09h40m51s54

Repeat this for each virtual network, re-defining it as a local network.

When you’re done it’ll look like this:

vlcsnap-2014-06-13-09h41m17s60

Switch back to your virtual networks in the portal and go to the Configure tab. Tick the “Connect to the local network” box and select the corresponding local network from your topology table. Click Save at the bottom. Repeat this for each virtual network, connecting it to its designated local network; the remaining connections are added in the XML later on.

vlcsnap-2014-06-13-09h42m01s246

The next step is to create the gateways. In the portal you’ll see the message “The gateway was not created”. At the bottom click “Create gateway” and select “Dynamic routing”. Dynamic routing is required here: a static routing gateway supports only a single site-to-site connection and can’t do VNet-to-VNet. Do this for all your virtual networks. It’ll take 10-25 minutes per gateway. Coffee time!

vlcsnap-2014-06-13-09h42m39s112

When they’re all done, note the gateway IP address of each virtual network in your topology table.

vlcsnap-2014-06-13-09h39m08s45

Edit your local networks and replace the 1.2.3.4 placeholder with the gateway IP address of the virtual network each one represents. Click on the network, click Edit and enter the gateway IP.

vlcsnap-2014-06-13-09h44m40s40

When all virtual networks and their corresponding local networks are created it’s XML time. Get some more coffee!

Click the Export button and save the file.

Open it in Notepad or Notepad++ (if you haven’t tried Notepad++ you really should).

In the XML you’ll find the section <LocalNetworkSites>, which contains all the networks defined as local. Check that every <VPNGatewayAddress> is a real gateway IP and that no 1.2.3.4 placeholder is left behind:

<LocalNetworkSites>
  <LocalNetworkSite name="AzureNet-Local">
    <AddressSpace>
      <AddressPrefix>10.0.1.0/24</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>137.117.227.238</VPNGatewayAddress>
  </LocalNetworkSite>
  <LocalNetworkSite name="HomeNet">
    <AddressSpace>
      <AddressPrefix>10.0.0.0/24</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>178.78.193.167</VPNGatewayAddress>
  </LocalNetworkSite>
  <LocalNetworkSite name="JNNet-Local">
    <AddressSpace>
      <AddressPrefix>10.0.3.0/24</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>23.97.65.15</VPNGatewayAddress>
  </LocalNetworkSite>
  <LocalNetworkSite name="USNet-Local">
    <AddressSpace>
      <AddressPrefix>10.0.2.0/24</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>168.61.160.90</VPNGatewayAddress>
  </LocalNetworkSite>
</LocalNetworkSites>

Further down in the XML you’ll find the section <VirtualNetworkSites>. It contains a <VirtualNetworkSite> subsection for each virtual network, and inside that, under <Gateway>, is where the connections to each local network are defined:

<ConnectionsToLocalNetwork>
  <LocalNetworkSiteRef name="HomeNet">
    <Connection type="IPsec" />
  </LocalNetworkSiteRef>
  <LocalNetworkSiteRef name="JNNet-Local">
    <Connection type="IPsec" />
  </LocalNetworkSiteRef>
  <LocalNetworkSiteRef name="USNet-Local">
    <Connection type="IPsec" />
  </LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>

So for each virtual network you’ll need to add one <LocalNetworkSiteRef> per local network it should connect to, as above. A VNet-to-VNet connection has to be defined at both ends: if AzureNet references JNNet-Local, then JnNet must reference AzureNet-Local, or the tunnel will never come up.

In my complete XML below, those are the <Gateway> sections at the end of each <VirtualNetworkSite>. (CMDemo is a separate, unconnected network and has no <Gateway> section.)

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="cmdc01" IPAddress="192.168.1.4" />
        <DnsServer name="cmdemodc01" IPAddress="192.168.1.10" />
        <DnsServer name="DC01" IPAddress="10.0.0.10" />
        <DnsServer name="DC02" IPAddress="10.0.1.4" />
      </DnsServers>
    </Dns>
    <LocalNetworkSites>
      <LocalNetworkSite name="AzureNet-Local">
        <AddressSpace>
          <AddressPrefix>10.0.1.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>137.117.227.238</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="HomeNet">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>178.78.193.167</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="JNNet-Local">
        <AddressSpace>
          <AddressPrefix>10.0.3.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>23.97.65.15</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="USNet-Local">
        <AddressSpace>
          <AddressPrefix>10.0.2.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>168.61.160.90</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AzureNet" AffinityGroup="AzureNet">
        <AddressSpace>
          <AddressPrefix>10.0.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.1.0/27</AddressPrefix>
          </Subnet>
          <Subnet name="Contoso-Subnet">
            <AddressPrefix>10.0.1.200/27</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.0.1.32/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="DC01" />
          <DnsServerRef name="DC02" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="HomeNet">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="JNNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="USNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="CMDemo" AffinityGroup="CMDemo-AFG">
        <AddressSpace>
          <AddressPrefix>192.168.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Infra">
            <AddressPrefix>192.168.1.0/26</AddressPrefix>
          </Subnet>
          <Subnet name="Mgmt">
            <AddressPrefix>192.168.1.64/26</AddressPrefix>
          </Subnet>
          <Subnet name="Clients">
            <AddressPrefix>192.168.1.128/27</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="cmdc01" />
        </DnsServersRef>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="JnNet" AffinityGroup="JnNet-AFG">
        <AddressSpace>
          <AddressPrefix>10.0.3.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.3.0/28</AddressPrefix>
          </Subnet>
          <Subnet name="Subnet-2">
            <AddressPrefix>10.0.3.24/29</AddressPrefix>
          </Subnet>
          <Subnet name="Subnet-3">
            <AddressPrefix>10.0.3.32/27</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.0.3.16/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="DC01" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="USNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="AzureNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="UsNet" AffinityGroup="CentralUS-AG">
        <AddressSpace>
          <AddressPrefix>10.0.2.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.2.0/28</AddressPrefix>
          </Subnet>
          <Subnet name="Subnet-2">
            <AddressPrefix>10.0.2.24/29</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.0.2.16/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="DC02" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="JNNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="AzureNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>

Note that each connected virtual network has its own <ConnectionsToLocalNetwork> section, and that every VNet-to-VNet link appears twice, once in each of the two virtual networks.
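
The copy-and-paste above is easy to get wrong in one direction, so here is an added example (mine, not the post’s XML or script) that builds the <ConnectionsToLocalNetwork> blocks from a topology table and refuses to continue unless every VNet-to-VNet link is declared at both ends. The input XML is a constructed, trimmed-down export with the post’s network names: subnets and DNS are left out and the VPN gateway addresses are the 1.2.3.4 placeholders, since none of that matters for the gateway sections. The $localSiteOf table, mapping each virtual network to the local network site that represents it, is an assumption, as is the output path at the end.

```powershell
# Added example, not the original post's XML or script: generate the <Gateway> sections from a topology table.
$nsUri = 'http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration'

# Constructed input: a trimmed export with the post's sites and no <Gateway> sections yet.
[xml]$config = @"
<NetworkConfiguration xmlns="$nsUri">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="AzureNet-Local"><AddressSpace><AddressPrefix>10.0.1.0/24</AddressPrefix></AddressSpace><VPNGatewayAddress>1.2.3.4</VPNGatewayAddress></LocalNetworkSite>
      <LocalNetworkSite name="HomeNet"><AddressSpace><AddressPrefix>10.0.0.0/24</AddressPrefix></AddressSpace><VPNGatewayAddress>1.2.3.4</VPNGatewayAddress></LocalNetworkSite>
      <LocalNetworkSite name="JNNet-Local"><AddressSpace><AddressPrefix>10.0.3.0/24</AddressPrefix></AddressSpace><VPNGatewayAddress>1.2.3.4</VPNGatewayAddress></LocalNetworkSite>
      <LocalNetworkSite name="USNet-Local"><AddressSpace><AddressPrefix>10.0.2.0/24</AddressPrefix></AddressSpace><VPNGatewayAddress>1.2.3.4</VPNGatewayAddress></LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AzureNet" AffinityGroup="AzureNet"><AddressSpace><AddressPrefix>10.0.1.0/24</AddressPrefix></AddressSpace></VirtualNetworkSite>
      <VirtualNetworkSite name="JnNet" AffinityGroup="JnNet-AFG"><AddressSpace><AddressPrefix>10.0.3.0/24</AddressPrefix></AddressSpace></VirtualNetworkSite>
      <VirtualNetworkSite name="UsNet" AffinityGroup="CentralUS-AG"><AddressSpace><AddressPrefix>10.0.2.0/24</AddressPrefix></AddressSpace></VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@

# Assumed mapping: which local network site represents each virtual network. HomeNet is physical and has no VNet.
$localSiteOf = @{ 'AzureNet' = 'AzureNet-Local'; 'JnNet' = 'JNNet-Local'; 'UsNet' = 'USNet-Local' }
# Desired topology: full mesh between the three VNets, plus AzureNet to the on-premises site.
$topology = @{
    'AzureNet' = @('HomeNet', 'JNNet-Local', 'USNet-Local')
    'JnNet'    = @('USNet-Local', 'AzureNet-Local')
    'UsNet'    = @('JNNet-Local', 'AzureNet-Local')
}

function Test-VNetTopology {
    # Every VNet-to-VNet link must be declared at both ends or that tunnel never comes up.
    param([hashtable]$Topology, [hashtable]$LocalSiteOf)
    $ok = $true
    foreach ($vnet in $Topology.Keys) {
        foreach ($localSite in $Topology[$vnet]) {
            $peer = $LocalSiteOf.GetEnumerator() | Where-Object { $_.Value -eq $localSite } | Select-Object -First 1
            if (-not $peer) { continue }   # a physical site such as HomeNet has no Azure side to check
            if ($Topology[$peer.Key] -notcontains $LocalSiteOf[$vnet]) {
                Write-Warning "$vnet -> $localSite has no return link: $($peer.Key) must also reference $($LocalSiteOf[$vnet])"
                $ok = $false
            }
        }
    }
    return $ok
}

function Add-VNetConnections {
    # Regenerates the <Gateway><ConnectionsToLocalNetwork> block of each VNet in $Topology from the table.
    param([xml]$Config, [hashtable]$Topology)
    $ns = New-Object System.Xml.XmlNamespaceManager($Config.NameTable)
    $ns.AddNamespace('nc', $nsUri)
    foreach ($vnet in $Topology.Keys) {
        $site = $Config.SelectSingleNode("//nc:VirtualNetworkSite[@name='$vnet']", $ns)
        if (-not $site) { throw "Virtual network '$vnet' is not in the configuration" }
        $old = $site.SelectSingleNode('nc:Gateway', $ns)   # replace, never append a second <Gateway>
        if ($old) { [void]$site.RemoveChild($old) }
        $gateway     = $Config.CreateElement('Gateway', $nsUri)
        $connections = $Config.CreateElement('ConnectionsToLocalNetwork', $nsUri)
        foreach ($localSite in $Topology[$vnet]) {
            if (-not $Config.SelectSingleNode("//nc:LocalNetworkSite[@name='$localSite']", $ns)) {
                throw "Local network '$localSite' referenced by '$vnet' is not defined"
            }
            $ref = $Config.CreateElement('LocalNetworkSiteRef', $nsUri)
            $ref.SetAttribute('name', $localSite)
            $conn = $Config.CreateElement('Connection', $nsUri)
            $conn.SetAttribute('type', 'IPsec')
            [void]$ref.AppendChild($conn)
            [void]$connections.AppendChild($ref)
        }
        [void]$gateway.AppendChild($connections)
        [void]$site.AppendChild($gateway)   # <Gateway> is the last child of a <VirtualNetworkSite>
    }
}

if (-not (Test-VNetTopology -Topology $topology -LocalSiteOf $localSiteOf)) { throw 'Topology is not symmetric; fix the table first.' }
Add-VNetConnections -Config $config -Topology $topology
$config.Save("$PWD\NetworkConfig-connected.xml")   # assumed output path; this is the file to import in the portal
```

To use it on a real export, replace the here-string with `[xml]$config = Get-Content .\NetworkConfig.xml -Raw` and keep the rest; the symmetry check is the part that saves you a gateway that sits at “Connecting” forever.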

When you’re done save the file and then it’s time to import it!

import

Wait for your networks to configure. Then it’s PowerShell time!

Fire up PowerShell with the Azure cmdlets.

Run the cmdlet “Set-AzureVNetGatewayKey -VNetName AzureNet -LocalNetworkSiteName JNNet-Local -SharedKey a1b2c3d4” for each virtual network, setting the key for each local network it connects to. The shared key is the IPsec pre-shared key for that tunnel, so don’t use a1b2c3d4 or anything else short and guessable for real; generate a long random string per link. Each VNet-to-VNet link consists of two connections, one in each direction, and both must get the same key (AzureNet to JNNet-Local and JNNet to AzureNet-Local below). For the HomeNet connection the same key also goes into your on-premises VPN device.

So I’d run:

Set-AzureVNetGatewayKey -VNetName AzureNet -LocalNetworkSiteName JNNet-Local -SharedKey a1b2c3d4
Set-AzureVNetGatewayKey -VNetName AzureNet -LocalNetworkSiteName USNet-Local -SharedKey a1b2c3d4
Set-AzureVNetGatewayKey -VNetName AzureNet -LocalNetworkSiteName HomeNet -SharedKey a1b2c3d4
Set-AzureVNetGatewayKey -VNetName JNNet -LocalNetworkSiteName USNet-Local -SharedKey a1b2c3d4
Set-AzureVNetGatewayKey -VNetName JNNet -LocalNetworkSiteName AzureNet-Local -SharedKey a1b2c3d4

And so on, switching the virtual network and the local network according to your topology.

When you’re done with that it’s time to connect your networks:

Set-AzureVNetGateway -VNetName AzureNet -LocalNetworkSiteName JNNet-Local -Connect

As before, substitute the virtual network and local network names (the local network name is the site as defined in Azure, e.g. JNNet-Local, not the virtual network name), running it once per connection in your topology.
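
Here is an added example (mine, not the post’s commands) that does the key and connect steps for the whole topology in one go: one random pre-shared key per link, applied to both ends of each VNet-to-VNet pair, and a status check at the end instead of hoping. It assumes the same classic Azure PowerShell module the post uses (Set-AzureVNetGatewayKey, Set-AzureVNetGateway and Get-AzureVNetConnection) with a subscription already selected; the $localSiteOf mapping from virtual network to local network site is an assumption, and the names are the post’s.

```powershell
# Added example, not the post's commands: set matching pre-shared keys on both ends of every link, then connect.
# Assumes the classic Azure module is loaded and Select-AzureSubscription has been run.

function New-PreSharedKey {
    # 32 bytes from the OS CSPRNG rendered as 64 hex characters; printable ASCII, which is what the gateway accepts.
    param([int]$Bytes = 32)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buffer)
    $rng.Dispose()
    return (($buffer | ForEach-Object { $_.ToString('x2') }) -join '')
}

# Assumed mapping of each virtual network to the local network site that represents it.
$localSiteOf = @{ 'AzureNet' = 'AzureNet-Local'; 'JNNet' = 'JNNet-Local'; 'USNet' = 'USNet-Local' }
# VNet-to-VNet pairs (each is one tunnel with two ends) and VNet-to-on-premises links.
$vnetPairs = @(
    @('AzureNet', 'JNNet'),
    @('AzureNet', 'USNet'),
    @('JNNet',    'USNet')
)
$onPremLinks = @( @{ VNet = 'AzureNet'; LocalSite = 'HomeNet' } )

$keys = @{}   # kept only so the on-premises key can be handed to whoever configures the VPN device
foreach ($pair in $vnetPairs) {
    $a, $b = $pair
    $key = New-PreSharedKey
    # Same key on both ends: A's connection to B's site and B's connection to A's site.
    Set-AzureVNetGatewayKey -VNetName $a -LocalNetworkSiteName $localSiteOf[$b] -SharedKey $key
    Set-AzureVNetGatewayKey -VNetName $b -LocalNetworkSiteName $localSiteOf[$a] -SharedKey $key
    $keys["$a<->$b"] = $key
}
foreach ($link in $onPremLinks) {
    $key = New-PreSharedKey
    Set-AzureVNetGatewayKey -VNetName $link.VNet -LocalNetworkSiteName $link.LocalSite -SharedKey $key
    $keys["$($link.VNet)->$($link.LocalSite)"] = $key   # configure this same key on the on-premises VPN device
}

# Bring the tunnels up. The local network name is the site as defined in Azure (e.g. JNNet-Local), not the VNet name.
foreach ($pair in $vnetPairs) {
    $a, $b = $pair
    Set-AzureVNetGateway -VNetName $a -LocalNetworkSiteName $localSiteOf[$b] -Connect
    Set-AzureVNetGateway -VNetName $b -LocalNetworkSiteName $localSiteOf[$a] -Connect
}
foreach ($link in $onPremLinks) {
    Set-AzureVNetGateway -VNetName $link.VNet -LocalNetworkSiteName $link.LocalSite -Connect
}

# Verify: every link should report Connected once both ends are up; LastEventMessage explains the ones that are not.
foreach ($vnet in $localSiteOf.Keys) {
    Get-AzureVNetConnection -VNetName $vnet |
        Select-Object @{ n = 'VNet'; e = { $vnet } }, LocalNetworkSiteName, ConnectivityState, LastEventMessage
}
```

The keys never leave the session except through $keys; print the HomeNet entry once for the person configuring the VPN device and then drop the variable rather than saving it in a script.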

Once done it’ll (hopefully) look like this:

vlcsnap-2014-06-13-09h46m22s38

How did you do? Let me know in the comments!

Why Microsoft Azure should be on top of your learning list

Today was the opening keynote of TechEd in Houston. Regardless of what has been said about Houston before, no problems were detected today. Instead Microsoft launched a number of new features in and around Azure.

So what’s been said today? And what does it mean for the IT-pro?

Bigger VMs

A8 and A9: more CPU, more RAM, faster interconnects. This lets companies running HPC or data mining workloads finish faster.

Azure Files

Your own SMB share in Azure. Accessible from multiple Virtual Machines simultaneously.

Microsoft SCEP and Symantec/Trend Micro partnership

Protecting your VMs and cloud services, and not only with our products but with Symantec’s or Trend Micro’s. You can choose.

Network improvements

Internal load balancing: load balancing with private IPs

Multiple site-to-site VPNs, and VNet-to-VNet connectivity.

Reserved IPs and public IPs for VMs

Azure Site Recovery

Replicate your virtual machines to Azure and failover if you need to. A secondary site for EVERYONE…

Azure RemoteApp

Remote applications from Azure to your devices and computers.

And that’s not even the complete list. You can sign up for the preview features here!

So what does this mean for the IT-pro?

The landscape for IT pros is rapidly changing. A few years ago in-house virtualization was the frontline of IT, but those days are quickly vanishing. To stay relevant now and in the future you’ll need knowledge of hybrid cloud, PowerShell and people-centric IT (as it’s called). The business side of many companies is buying cloud services today; it might be Projectplace or Salesforce, but the step to getting their own VM isn’t that big. If IT can’t deliver services as cheaply and rapidly as cloud services can, it’s time to start thinking about how to solve that problem.

If someone had told me 10 years ago, or 20 years ago when I started in this industry that I’d deploy servers on the internet through a web page I would’ve laughed.

Today I can deploy 50 servers in less than 15 minutes with 5 lines of PowerShell.

How are you going to stay ahead of the game?

Azure Automation – Using the assets

After yesterday’s post about getting started I’ve gotten some questions about the assets library. I thought I’d explain how to use some of the assets (or at least how I’ve figured it out; I might be totally off, but at least it works)…

Looking at the assets library, we have a “Connection” object containing our subscription ID. This could be the ID of another subscription, which might be useful for IT to deploy services into a developer’s subscription, for example.

We also have a “Certificate” object, and the corresponding certificate has to be uploaded to the management certificates of the subscription you want to manage. If you’re managing multiple subscriptions, make sure it ends up on the right one. Keep in mind that a management certificate gives full control over that subscription’s resources, so the Certificate asset is as sensitive as an administrator password: store it only in the automation account that needs it.

Automation assets

<#
.DESCRIPTION
    Connects an Azure Automation runbook to a subscription using a Connection asset and a Certificate asset.
.NOTES
    Author: Joachim Nässlander, TSP Datacenter, Microsoft
#>

workflow Start_Azure_Demo_VM
{
    param()

    $MyConnection = "Internal Subscription Connection"   # <-- The name of your Connection object in assets
    $MyCert       = "InternalSubscriptionCertificate"    # <-- The name of your Certificate object in assets (should match the certificate name stored in the Connection)

    # Get the Azure Automation Connection
    $Con = Get-AutomationConnection -Name $MyConnection  # <-- Connect to your subscription
    $SubscriptionID        = $Con.SubscriptionID
    $ManagementCertificate = $Con.AutomationCertificateName
    $Cert = Get-AutomationCertificate -Name $ManagementCertificate  # <-- Get the certificate from assets

    Write-Output "Subscription ID: $SubscriptionID"
    # A property reference inside a string needs $( ); "$Con.AutomationCertificateName" would print the whole
    # connection object followed by the literal text ".AutomationCertificateName"
    Write-Output "Certificate Name: $($Con.AutomationCertificateName)"

    # Register the subscription with the Azure cmdlets and select it, so the Azure cmdlets that follow in this
    # workflow run against it
    Set-AzureSubscription -SubscriptionName $MyConnection -SubscriptionId $SubscriptionID -Certificate $Cert
    Select-AzureSubscription -SubscriptionName $MyConnection
}

And since this is the internet. How are you using Azure Automation and the assets library, feel free to comment!

Have a nice weekend, and don’t miss The Fratellis to keep you company over a beer!

Getting started with Azure Automation

Azure Automation is currently in preview, so you might not see it in your portal if you haven’t enrolled already. You can enroll for Azure Automation at http://azure.microsoft.com/en-us/services/preview/ and also find all other services currently in preview there. It’s a good place to check frequently; fun things emerge here!

So what is Azure Automation? Well, it’s the ability to run PowerShell Workflow scripts (runbooks) from Azure, targeted at your Azure resources.

Once you’re enrolled in the preview program you can create your first automation account. An account can be seen as a container that you fill with runbooks and the assets the runbooks need. An asset can be, for example, a certificate allowing you to connect to your (or another) Azure subscription.

Automation dashboard

The overview of your runbooks looks like this. It shows you the number of runbooks, the number of activities, the number of minutes your scripts have run and a whole lot more.

Now that you’re enrolled you might want to quickly test it out; personally I love getting a feel for things before diving into the documentation. You can find example scripts and a how-to at http://azure.microsoft.com/en-us/documentation/articles/automation-create-runbook-from-samples/. One thing to note when creating your runbook is that the runbook’s name in the portal must match the workflow name. I.e. if your workflow is named “Join-Servers-Domain” your runbook must be named the same.

Automation runbooks overview

Looking more at the portal, if you click “Runbooks” up top you can see your runbooks listed with their latest run time and status. This gives you a quick overview without having to look at each runbook individually.

Detailed view of runbook

Selecting one specific runbook gives you a chart of how it has run over various periods of time. Here you can also drill down into each run and view the script output and any input parameters.

Published runbook

Clicking on “Author” while in the detailed view takes you to the published version of the script. Here you can view your script and start it manually if you want to.

Runbook draft

If you opt for “Draft” instead you’ll be able to edit your script and insert things from your assets library or other runbooks, allowing runbooks to interact with each other. Here you can also test your runbook before publishing it.

Automation assets

The assets library contains the building blocks your scripts need to function properly. It’ll also make it easier for you to develop scripts for multiple subscriptions.

In my example we have:

  • Connection to a subscription
  • A certificate which allows us to connect to this subscription (find a guide for that here)
  • PowerShell credentials so we don’t have to enter username/password each time
  • A module containing PowerShell cmdlets

You can read more about getting started with PowerShell workflows at http://technet.microsoft.com/en-us/library/jj134242.aspx.

Can I restore my Active Directory in Windows Azure?

It seems like I get loads of questions about Windows Azure and the IaaS offering we’re running these days. The latest one is about how to get into DSRM (Directory Services Restore Mode). If you’ve been running AD for a while you remember the old F8 trick during boot, but in Windows Azure there’s only RDP access, so no pressing F8 there… Well, there’s a solution for everything, and our engineers thought of this too, long before Windows Azure.

One big prerequisite for this to work: you must have set your DSRM password to something you remember 😉

Two ways of doing this:

1) Sync with the domain administrator password: http://technet.microsoft.com/en-us/library/jj713556.aspx

2) Set it manually: http://technet.microsoft.com/en-us/library/cc754363.aspx#BKMK_examples

Once that’s done you use bcdedit to make the next boot go into DSRM. Open an elevated CMD and type:

1) bcdedit /set safeboot dsrepair
2) shutdown -r -t 0

Once it has rebooted you can log on to your server as “hostname\administrator” (the local DSRM administrator account, not a domain account) with your DSRM password.

When you’re done restoring your AD you’ll need to make sure it boots back to normal. Open up CMD and type:

bcdedit /deletevalue {current} safeboot

On the next boot it’ll boot into Windows normally and you’re hopefully all back to normal operations!
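
The same round trip in PowerShell, as an added example that is not part of the original post: it verifies that safeboot really changed before each reboot and refuses to reboot otherwise, because a DC left with safeboot set comes up in DSRM on every boot, with Active Directory services stopped. It assumes an elevated PowerShell session over RDP on the domain controller and that the DSRM password has already been set as described above; the Get-SafebootValue helper, which parses bcdedit’s output, is mine.

```powershell
# Added example, not from the original post: enter and leave DSRM with a check before every reboot.
# Run in an elevated PowerShell session on the domain controller.

function Get-SafebootValue {
    # Returns the safeboot setting of the current boot entry ('dsrepair' when armed for DSRM), or $null if unset.
    $lines = @(bcdedit /enum '{current}') -match '^\s*safeboot\s'
    if ($lines.Count -eq 0) { return $null }
    return ($lines[0].Trim() -split '\s+')[-1]
}

function Enter-Dsrm {
    # Arms the next boot for Directory Services Restore Mode, verifies it, then reboots.
    bcdedit /set '{current}' safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; is this session elevated?' }
    if ((Get-SafebootValue) -ne 'dsrepair') { throw 'safeboot is not set to dsrepair; not rebooting' }
    Write-Output "Next boot is DSRM. Log on as $env:COMPUTERNAME\Administrator with the DSRM password."
    shutdown -r -t 0
}

function Exit-Dsrm {
    # Clears safeboot so the DC returns to normal operation, and refuses to reboot while it is still set.
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed to remove safeboot' }
    if (Get-SafebootValue) { throw 'safeboot is still set; not rebooting' }
    Write-Output 'safeboot cleared; next boot is a normal start.'
    shutdown -r -t 0
}

# Usage: Enter-Dsrm before the restore, Exit-Dsrm after it. To see where you stand at any time:
$state = Get-SafebootValue
if ($state) { "This machine will boot into safe mode '$state' on the next start." } else { 'Next boot is normal.' }
```

Running the status check first also tells you whether a colleague has left the DC armed for DSRM from an earlier restore, which is the usual cause of a “domain controller that won’t come back”.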

R2-releases for that rainy summer!

Ah, the joy of new releases! Now we’ve released R2 versions of both Windows Server 2012 and System Center. You can find it all over at TechNet as usual. http://technet.microsoft.com/en-US/evalcenter/dn205295

And hot off the press you’ll find the Windows Azure Pack too, complete with an eval guide to get you all cloudy from the start! http://www.microsoft.com/en-us/download/details.aspx?id=39297#tm

The blue badge!

Haven’t posted for quite a while; I’ve been waiting for everything to settle down and become official. But as of November 1st I’m employed by Microsoft, and as such I’ve got my own blue badge. I’ll be working as a TSP with the System Center suite of software. This moves my focus away from cluster / Hyper-V / Server Core a bit, but knowing myself I probably won’t let that go either.

At the moment I’m in the middle of the onboarding process: getting my machine up to speed, parking permits, phone numbers, access to internal systems and all that. But soon I’ll be at a meeting near you, or at a conference or user group. Have any SC-related questions? Email me at jonas (at) microsoft.com!