mountainss Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management



via @MSAzureCAT Enterprise #Cloud Control Plane Planning #AzureDevOps #Pipelines

End-to-end Pipelines for Automating Microsoft Azure Deployments


Overview:

Imagine a fully automated, end-to-end pipeline for your cloud deployments—one that encompasses and automates everything:

• Source code repos.
• The build and release iterations.
• Agile processes supported by continuous integration and continuous deployment (CI/CD)
• Security and governance.
• Business unit chargebacks.
• Support and maintenance.

Azure services and infrastructure-as-code (IaC) make control plane automation very achievable. Many enterprise IT groups dream of creating or unifying their disparate automation processes and supporting a common, enterprise-wide datacenter control plane in the cloud that is integrated with their existing or new DevOps workflows. Their development environments may use Jenkins, Azure DevOps Services (formerly Visual Studio Team Services), Visual Studio Team Foundation Server (TFS), Atlassian, or other services. The challenge is to automate beyond the CI/CD pipeline to the management and policy layers. From a planning and architecture standpoint, it can seem like an overwhelming program of interdependent systems and processes. This guide outlines a planning process that you can use for automated support of your cloud deployments and DevOps workflows beyond the CI/CD pipeline. The Azure platform provides services you can use, or you can choose to work with third-party or open source options. The process is based on real-world examples that we have deployed with enterprise customers on Azure.

This whitepaper was authored by Tim Ehlen. It was edited by Nanette Ray. It was reviewed by AzureCAT.

Download the Awesome eBook here on the AzureCAT Team Blog

Follow AzureCAT and SQLCAT on Twitter


Using #Azure Pipelines for your Open Source Project #AzureDevOps

Azure Pipelines for your Open Source Projects

Damian speaks to Edward Thomson about how to get started with Azure Pipelines – right from GitHub. The deep integration and GitHub Marketplace app for Azure Pipelines makes it incredibly easy to build your projects no matter what language you’re using. You can even use the builds as part of your PR checks!

https://github.com/marketplace/azure-pipelines

Edward shows us the incredible (free!) offers for open and closed source projects, and walks through creating and running a new Azure Pipelines build from scratch in only a few minutes.

Subscribe to Azure DevOps on YouTube



#Microsoft Azure Policy and BluePrints Overview #Azure #Cloud #Architecture #AzureBlueprints

Microsoft Azure Policy

Why are Azure Policy and Blueprints important?

When you have made your Enterprise Architecture Design, as in my last blog post:

Microsoft Azure Hub-Spoke model by Enterprise Design Part 1 of 4

you want to stay in control of your business policies and keep your Azure Virtual Datacenter consistent with that design.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy does this by evaluating your resources and flagging those that are not compliant with the policies you have created. For example, you can have a policy that allows only certain SKU sizes of virtual machines in your environment. Once this policy is in place, it is evaluated when resources are created or updated, and also over your already existing resources.

Azure Policy offers a number of built-in policies that are available to you by default. For example:

  • Require SQL Server 12.0: This policy definition has conditions/rules to ensure that all SQL servers use version 12.0. Its effect is to deny all servers that do not meet these criteria.
  • Allowed Storage Account SKUs: This policy definition has a set of conditions/rules that determine if a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.
  • Allowed Resource Type: This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of this defined list.
  • Allowed Locations: This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geo-compliance requirements.
  • Allowed Virtual Machine SKUs: This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.
  • Apply tag and its default value: This policy applies a required tag and its default value, if it is not specified by the user.
  • Enforce tag and its value: This policy enforces a required tag and its value to a resource.
  • Not allowed resource types: This policy enables you to specify the resource types that your organization cannot deploy.

Azure Policy Definitions

A resource policy definition, used by Azure Policy, lets you establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources. For example, you can specify that only certain types of virtual machines are allowed, or you can require that all resources have a particular tag. Policies are inherited by all child resources, so if a policy is applied to a resource group, it applies to all the resources in that resource group.

Assign Azure Policy Definition.

Scope the Policy
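As an added example (this is not code from the blog post or from Microsoft's policy samples), here is how a definition like "Allowed Locations" is created, assigned at subscription scope and then checked for compliance with the Az PowerShell module (Az.Resources and Az.PolicyInsights). The policy name, the allowed regions and the subscription id are assumptions; replace them with your own.

```powershell
# Added example, not part of the original post. Requires the Az.Resources and
# Az.PolicyInsights modules and an account with Resource Policy Contributor rights.
$policyName = 'allowed-locations-enterprise-design'                 # assumed name
$scope      = '/subscriptions/<your-subscription-id>'               # placeholder scope

# Policy rule. Azure Policy is "default allow, explicit deny": a resource is only
# refused when the 'if' block matches and the 'then' effect is deny.
# 'global' is excluded because some resources (DNS zones, Traffic Manager) have no region.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Parameter declaration; strongType 'location' gives the portal a region picker.
$parameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed locations",
      "description": "Regions in which resources may be deployed",
      "strongType": "location"
    }
  }
}
'@

# 1. Define the policy (Mode All so it also covers resource groups and non-RP-specific resources).
$definition = New-AzPolicyDefinition -Name $policyName `
    -DisplayName 'Allowed locations (Enterprise Design)' `
    -Policy $rule -Parameter $parameters -Mode All

# 2. Assign it with a concrete parameter value at the chosen scope.
New-AzPolicyAssignment -Name "$policyName-assignment" `
    -PolicyDefinition $definition -Scope $scope `
    -PolicyParameterObject @{ allowedLocations = @('westeurope', 'northeurope') } | Out-Null

# 3. Existing resources are evaluated too: list the ones that violate this definition.
Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and PolicyDefinitionName eq '$policyName'" |
    Select-Object ResourceId, ResourceLocation, ComplianceState
```

Assign at management-group or subscription scope rather than per resource group: the assignment is inherited downwards, so a single assignment at the top keeps every spoke consistent with the design. Compliance results from `Get-AzPolicyState` can lag a little behind a new assignment, because existing resources are scanned on a schedule.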

Managed Identities in Azure Policy

A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren’t checked into source control. Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to authenticate to Key Vault to retrieve them.
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions. There’s no additional cost.

There are two types of managed identities:
A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it’s enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that’s trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it’s assigned.
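The following is an added example (not code from the post) of what the text describes: a VM with a system-assigned managed identity reads a secret from Key Vault without any credential in the script. The resource group, VM, vault and secret names are assumptions; the one-time setup assumes the Az PowerShell module on an admin workstation, while the part that runs inside the VM only needs PowerShell.

```powershell
# Added example, not part of the original post. Names below are assumptions.
$rg = 'rg-spoke1-prod'; $vmName = 'azspk1prdapp01'; $vaultName = 'kv-hub-prod'; $secretName = 'sql-admin-pwd'

# --- One-time setup, run from an admin workstation with the Az module ---
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null  # Azure creates the identity in Azure AD
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName                                  # re-read to obtain the principal id

# Least privilege: this identity may only read secrets, nothing else in the vault.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $vm.Identity.PrincipalId -PermissionsToSecrets get

# --- Inside the VM: no password, no service principal, only the local metadata endpoint ---
# IMDS is link-local (169.254.169.254) and reachable only from the VM itself. The Metadata
# header is mandatory; it also stops the request from being relayed by an ordinary web proxy.
$tokenUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
            '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
$token = Invoke-RestMethod -Uri $tokenUri -Method Get -Headers @{ Metadata = 'true' }

# Present the bearer token to the Key Vault REST API.
$secretUri = "https://$vaultName.vault.azure.net/secrets/$secretName?api-version=7.0"
$secret = Invoke-RestMethod -Uri $secretUri -Method Get `
    -Headers @{ Authorization = "Bearer $($token.access_token)" }

# $secret.value holds the secret: keep it in memory, never write it to disk or logs.
# $token.expires_on (Unix time) tells you when to fetch a fresh token.

# Equivalent when the Az module is installed inside the VM:
#   Connect-AzAccount -Identity
#   $s = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName   # $s.SecretValue is a SecureString
```

Because the identity's lifecycle is tied to the VM, deleting the VM also removes the access-policy subject; there is no orphaned credential left to rotate. If several VMs must share one set of permissions, a user-assigned identity assigned to each of them avoids repeating the access-policy step per machine.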

Read here more about Azure Managed Identities

Here you find Azure Policy Samples:

Microsoft Azure Policy Samples are here

Microsoft Azure Policy Blueprints

Just as a blueprint allows an engineer or an architect to sketch a project’s design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they’re building within organizational compliance with a set of built-in components — such as networking — to speed up development and delivery.

Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

  • Role Assignments
  • Policy Assignments
  • Azure Resource Manager templates
  • Resource Groups

How is it different from Azure Policy?

  • A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance.
  • A policy is a default allow and explicit deny system focused on resource properties during deployment and for already existing resources. It supports cloud governance by validating that resources within a subscription adhere to requirements and standards.

Including a policy in a blueprint enables the creation of the right pattern or design during assignment of the blueprint. The policy inclusion makes sure that only approved or expected changes can be made to the environment, which protects ongoing compliance with the intent of the blueprint.

A policy can be included as one of many artifacts in a blueprints definition. Blueprints also support using parameters with policies and initiatives.

This video by Microsoft Sr. Program Manager Jim Britt walks you through the process of exporting an existing Azure ARM Blueprint from a management group in your environment, and then importing that Blueprint into a new Management Group with a new Blueprint name as the target.

More information on the Script Manage-AzureRMBlueprint can be found here

More information about Microsoft Azure Policy BluePrints can be found here on Docs

Follow @satya_vel


Conclusion

Microsoft Azure Policy and Blueprints help you stay compliant with your Enterprise Architecture Design.



#Microsoft Azure Hub-Spoke model by Enterprise Design 1 of 4 #Azure #Cloud


Azure Hub-Spoke Architecture

Microsoft Azure Hub-Spoke Architecture

This Enterprise reference architecture shows how to implement a hub-spoke topology in Azure. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub, and can be used to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.

We use only the Azure private peering.

For this Hybrid Cloud Strategy we made four Microsoft Azure Subscriptions via the EA Portal:

  1. Azure HUB Subscription for the connectivity via Azure ExpressRoute to On-premises Datacenter.
  2. Azure Spoke 1 for Production workload and Cloud Services
  3. Azure Spoke 2 for Test and Acceptance Cloud Services
  4. Azure Spoke 3 for Future plans

Azure has naming rules and restrictions per resource type, and Microsoft publishes a baseline set of naming-convention recommendations. You can use these recommendations as a starting point for your own conventions specific to your needs.

The choice of a name for any resource in Microsoft Azure is important because:

  • It is difficult to change a name later.
  • Names must meet the requirements of their specific resource type.

Consistent naming conventions make resources easier to locate. They can also indicate the role of a resource in a solution. The key to success with naming conventions is establishing and following them across your applications and organizations.

Azure connectivity and RBAC Identity

This tenant is federated via AD FS and Azure AD Connect with Office 365. Identity management is provisioned via Microsoft Identity Manager 2016 (MIM 2016). With this already in place, we can configure Microsoft Azure RBAC in the subscriptions.

Access management for cloud resources is a critical function for any organization that is using the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure.

Business Development

For Business Development we have a separate Active Directory forest, also federated via AD FS to Microsoft Office 365. For this environment we built one Azure subscription with a temporary Site-to-Site VPN connection to the on-premises datacenter for the "Lift and Shift" migration via Azure Site Recovery (ASR).

S2S VPN IKE v2 tunnel with Cisco and Azure.

Azure Virtual Networks

The next step is to build the connections between the Azure HUB subscription and the Azure Spoke subscription(s). Every Microsoft Azure subscription has its own virtual network (VNet); connecting them is called VNet peering.

Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same virtual network, through private IP addresses only. Azure supports:

  • VNet peering – connecting VNets within the same Azure region
  • Global VNet peering – connecting VNets across Azure regions

Here you see my step-by-step VNET peering creation from HUB to Spoke 1 :

Go to the VNet of the Azure HUB subscription, then to Peerings => Add.

Here you make the connection with Spoke 1 Azure subscription.

The peering from Azure HUB to Spoke 1 is done.

Now we go to the VNET of Azure Subscription Spoke 1 to make the connection.

Go to VNET => Peerings => Click on Add in the Azure Spoke 1 Subscription

Connect here to the Azure HUB

The VNET Peering between Azure HUB subscription and Spoke 1 is Connected.

In the same way you have to make the other VNet peerings from the Azure HUB subscription to the other Spoke subscriptions, so that the network connectivity between the VNets works. This matters because the Azure Internet edge for the other subscriptions sits in the HUB.
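The portal steps above, scripted as an added example (not the blog's own code): the HUB-to-Spoke 1 peering is created from both sides across two subscriptions, with gateway transit on the hub side so the spoke reaches on-premises through the hub's ExpressRoute/VPN gateway, and the peering state is verified afterwards. It assumes the Az PowerShell module; subscription ids, resource group and VNet names are assumptions.

```powershell
# Added example, not part of the original post. Assumes the Az module and an account
# with Network Contributor on both subscriptions. All names/ids below are assumptions.
$hubSub   = '<hub-subscription-id>'      # placeholder
$spokeSub = '<spoke1-subscription-id>'   # placeholder

# Read both VNets (each lives in its own subscription).
Set-AzContext -Subscription $hubSub | Out-Null
$hubVnet = Get-AzVirtualNetwork -ResourceGroupName 'rg-hub-network' -Name 'vnet-hub'

Set-AzContext -Subscription $spokeSub | Out-Null
$spokeVnet = Get-AzVirtualNetwork -ResourceGroupName 'rg-spoke1-network' -Name 'vnet-spoke1'

# Side 1: HUB -> Spoke 1. The hub owns the gateway (the Internet edge / ExpressRoute),
# so it offers gateway transit to the spoke.
Set-AzContext -Subscription $hubSub | Out-Null
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke1' -VirtualNetwork $hubVnet `
    -RemoteVirtualNetworkId $spokeVnet.Id -AllowGatewayTransit -AllowForwardedTraffic | Out-Null

# Side 2: Spoke 1 -> HUB. The spoke uses the hub's gateway to reach on-premises.
# (-UseRemoteGateways requires that the hub VNet already has a gateway deployed.)
Set-AzContext -Subscription $spokeSub | Out-Null
Add-AzVirtualNetworkPeering -Name 'spoke1-to-hub' -VirtualNetwork $spokeVnet `
    -RemoteVirtualNetworkId $hubVnet.Id -UseRemoteGateways -AllowForwardedTraffic | Out-Null

# Verify: traffic only flows when BOTH sides report 'Connected'.
# A peering created from one side only stays in 'Initiated'.
Set-AzContext -Subscription $hubSub | Out-Null
$hubState = (Get-AzVirtualNetworkPeering -ResourceGroupName 'rg-hub-network' `
    -VirtualNetworkName 'vnet-hub' -Name 'hub-to-spoke1').PeeringState
Set-AzContext -Subscription $spokeSub | Out-Null
$spokeState = (Get-AzVirtualNetworkPeering -ResourceGroupName 'rg-spoke1-network' `
    -VirtualNetworkName 'vnet-spoke1' -Name 'spoke1-to-hub').PeeringState

if ($hubState -ne 'Connected' -or $spokeState -ne 'Connected') {
    throw "Peering incomplete: hub=$hubState spoke=$spokeState"
}
```

Note that peering is not transitive: Spoke 1 and Spoke 2 cannot talk to each other through the hub unless you route their traffic via a network virtual appliance or firewall in the hub and allow forwarded traffic, which is also the place to enforce the NSG and firewall rules of the design.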

In the Azure reference architecture we also apply Security by Design in the cloud with a firewall and Azure Network Security Groups (NSGs), and every Azure component gets its own tags for security groups and for billing and usage.

Azure Storage

In every Microsoft Azure subscription (HUB and Spoke) we created a storage account. You can choose between different kinds of storage in Microsoft Azure.

Durable and highly available. Redundancy ensures that your data is safe in the event of transient hardware failures. You can also opt to replicate data across datacenters or geographical regions for additional protection from local catastrophe or natural disaster. Data replicated in this way remains highly available in the event of an unexpected outage.
Secure. All data written to Azure Storage is encrypted by the service. Azure Storage provides you with fine-grained control over who has access to your data.
Scalable. Azure Storage is designed to be massively scalable to meet the data storage and performance needs of today’s applications.
Managed. Microsoft Azure handles maintenance and any critical problems for you.
Accessible. Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS. Microsoft provides SDKs for Azure Storage in a variety of languages — .NET, Java, Node.js, Python, PHP, Ruby, Go, and others — as well as a mature REST API. Azure Storage supports scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions for working with your data.

Azure Storage includes these data services:
Azure Blobs: A massively scalable object store for text and binary data.
Azure Files: Managed file shares for cloud or on-premises deployments.
Azure Queues: A messaging store for reliable messaging between application components.
Azure Tables: A NoSQL store for schemaless storage of structured data.

Creating your Azure Storage accounts by Design.

One of our Security by Design architecture policies is to encrypt all storage in Azure with keys held in Microsoft Azure Key Vault.
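As an added example (not the blog's own code), this is how a storage account is switched from Microsoft-managed keys to a customer-managed key in Key Vault with the Az PowerShell module, including the vault settings that keep the data recoverable. The resource group, storage account, vault and key names are assumptions.

```powershell
# Added example, not part of the original post. Assumes the Az module; names are assumptions.
$rg = 'rg-hub-storage'; $saName = 'sthubprod001'; $kvName = 'kv-hub-prod'; $keyName = 'storage-cmk'

# 1. Give the storage account a managed identity so it can reach the vault without a secret.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AssignIdentity

# 2. A vault holding customer-managed keys needs soft delete and purge protection; without them
#    a deleted key makes every blob encrypted under it unrecoverable. Create the vault like:
#    New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location westeurope -EnableSoftDelete -EnablePurgeProtection
$kv = Get-AzKeyVault -VaultName $kvName

# 3. Least privilege: the storage identity may only wrap/unwrap with keys, nothing more.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys wrapkey, unwrapkey, get

# 4. Create the key and bind the storage account's encryption to it.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -KeyvaultEncryption `
    -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $kv.VaultUri | Out-Null

# 5. Verify: the key source must now be Key Vault instead of Microsoft.Storage.
$keySource = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption.KeySource
if ($keySource -ne 'Microsoft.Keyvault') { throw "Storage account $saName is not using a customer-managed key" }
```

Rotating the key is a matter of creating a new key version and running step 4 again with the new `KeyVersion`; the previous version must stay in the vault until all data has been re-wrapped.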

Deploying Azure IaaS Virtual Machine with ARM Templates

Enterprise organizations with more than ten employees managing IT datacenters work by process and procedure to do the job for the business. When they all use the Azure portal and deploy virtual machines manually, you get a mess and things go wrong. In Microsoft Azure you have Azure Resource Manager for deploying JSON ARM templates. With these Azure Resource Manager templates you can automate your workload deployments in Microsoft Azure. For example: we built a JSON template to deploy a Windows Server in the right Azure subscription, in the right Azure resource group and with the following extensions:

  • Antimalware agent installed
  • Domain joined in the right OU (Active Directory)
  • Azure Log analytics agent installed ( Connected to Azure Monitor and SCOM )
  • Encryption by default.

Combined with our Azure naming conventions and Azure Policy, we always deploy consistently, without mistakes or typos made in the Azure portal. When you write ARM templates for different workloads, you can store them in an Azure DevOps repo (repository), and you can connect your private repo to GitHub.
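The deployment step, as an added example that is not the blog's own template or script: the VM name is checked against a naming convention before anything reaches Azure, the ARM template is validated and deployed with the Az PowerShell module, and afterwards the VM is checked for the four extensions listed above. The template path, its parameter names, the naming pattern and the resource names are all assumptions.

```powershell
# Added example, not part of the original post. Assumes the Az module; the template file,
# its parameters, the naming pattern and all resource names are assumptions.
$rg           = 'rg-spoke1-prod'                # assumed
$templateFile = '.\templates\vm-windows.json'   # assumed path inside the Azure DevOps repo
$vmName       = 'azspk1prdapp01'                # assumed; pattern az<hub|spkN><env><role><nn>

# Enforce the naming convention locally: Windows computer names are limited to 15 chars,
# and a typo here would otherwise live on forever (names are hard to change later).
if ($vmName -notmatch '^az(hub|spk[1-3])(prd|tst|acc)[a-z]{3}\d{2}$') {
    throw "VM name '$vmName' does not follow the naming convention"
}

# Template parameters (assumed names): target OU for the domain join and the Log Analytics workspace.
$params = @{
    vmName      = $vmName
    ouPath      = 'OU=Servers,DC=corp,DC=local'        # assumed
    workspaceId = '<log-analytics-workspace-id>'       # placeholder
}

# Validate first: Test-AzResourceGroupDeployment returns error objects instead of throwing.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $rg `
    -TemplateFile $templateFile -TemplateParameterObject $params
if ($validation) { $validation | Format-List; throw 'Template validation failed' }

New-AzResourceGroupDeployment -Name "vm-$vmName-$(Get-Date -Format yyyyMMddHHmm)" `
    -ResourceGroupName $rg -TemplateFile $templateFile -TemplateParameterObject $params `
    -Mode Incremental | Out-Null

# Post-deployment check for the extensions the template must install:
# antimalware, domain join, Log Analytics (MMA) agent and disk encryption.
$required  = 'IaaSAntimalware', 'JsonADDomainExtension', 'MicrosoftMonitoringAgent', 'AzureDiskEncryption'
$installed = (Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName).ExtensionType
$missing   = $required | Where-Object { $_ -notin $installed }
if ($missing) { throw "VM $vmName is missing extensions: $($missing -join ', ')" }
```

The same checks belong in the release pipeline: run the validation on every pull request against the templates repo, and run the extension check as a gate after deployment so a VM without antimalware or encryption never silently reaches production.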

Making ARM templates works really well with Microsoft Visual Studio Code, which is open source and free of charge. You can add your favorite VS Code extensions to work with, such as the Azure Resource Manager extension.

Our Azure ARM template to deploy virtual machines into the Azure HUB-Spoke model with VS Code

Azure monitoring and Recovery Service Vault

To manage your Azure hybrid cloud environment you have to monitor everything to stay in control of your virtual datacenter. And of course you have to plan your business continuity with Azure Recovery Services (Backup) by design. We created an Azure Recovery Services vault for backups in every Azure subscription, because you don't want backup traffic over your VNet peerings. In the Azure HUB subscription we created a second Azure Site Recovery (ASR) vault for the "Lift & Shift" migration of on-premises virtual machines to the landing zone in Azure HUB.

With Microsoft Azure Monitor we use Log Analytics and Service Map, and with the same OMS agent on the virtual machine we can still use Microsoft System Center Operations Manager (SCOM) connected to that agent 🙂

When you have 45 locations, 45,000 students with BYOD and 10,000 managed workstations, you monitor 24x7 to keep everything running for your business. Monitoring ExpressRoute together with a backup connection is a must for your hybrid virtual datacenter. Here you have more information about monitoring an ExpressRoute circuit:

Monitoring our Express Route

With all of this installed in Microsoft Azure by design, our policy is Security First!

Microsoft Azure Security Center

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. With Security Center, you can apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks.

We are already installing Azure Advanced Threat Protection (Azure ATP) for our on-premises datacenter for security.

Azure Security Center

We still have a lot to configure in Microsoft Azure to get the basic architecture design in place. When that is done, I will write three more blog posts about this datacenter transformation:

  • “Lift and Shift” migration with ASR for Virtual Machines on Hyper-V and VMware.
  • SQL assessment and Data Migration to Azure
  • Optimization of all workloads in Microsoft Azure.

I hope this blog post helps you with your datacenter transition to the Microsoft Azure cloud.



Watch the Live Stream Today of #Microsoft Ignite 2018 in Orlando 24 – 28 September #MSIgnite #Azure #Cloud #DevOps and More


Don’t miss the Live Stream of Microsoft Ignite 2018

Get the latest insights and skills from technology leaders and practitioners shaping the future of cloud, data, business intelligence, teamwork, and productivity. Immerse yourself with the latest tools, tech, and experiences that matter, and hear the latest updates and ideas directly from the experts.

Watch live https://www.microsoft.com/en-us/ignite as Microsoft CEO Satya Nadella lays out his vision for the future of tech, then watch other Microsoft leaders explore the most important tools and technologies coming in the next year. After the keynotes, select Microsoft Ignite sessions will stream live—take a deep dive into the future of your profession.


More than 700 sessions and 100+ expert-led and self-paced workshops


#MSIgnite




Installing #Azure Service Fabric Cluster on Windows Server 2019 Insiders #Containers #Winserv

Microsoft Azure Service Fabric Cluster

Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices and containers. Service Fabric also addresses the significant challenges in developing and managing cloud native applications. Developers and administrators can avoid complex infrastructure problems and focus on implementing mission-critical, demanding workloads that are scalable, reliable, and manageable. Service Fabric represents the next-generation platform for building and managing these enterprise-class, tier-1, cloud-scale applications running in containers.

In the following Step-by-Step Guide I created a Standalone Microsoft Azure Service Fabric Cluster
on Windows Server 2019 Insiders Preview for DevOps testing :

First I downloaded the Contents of Service Fabric Standalone package for Windows Server here

Several sample cluster configuration files are installed with the setup package. ClusterConfig.Unsecure.DevCluster.json is the simplest cluster configuration: an unsecure, three-node cluster running on a single computer. Other config files describe single or multi-machine clusters secured with X.509 certificates or Windows security. You don’t need to modify any of the default config settings for this tutorial, but look through the config file and get familiar with the settings.

I made the Unsecure three-node Cluster running on Windows Server 2019 Insiders Preview in my MVPLAB.


Open PowerShell as Administrator and run the script:

.\CreateServiceFabricCluster.ps1 -ClusterConfigFilePath .\ClusterConfig.Unsecure.DevCluster.json -AcceptEULA

Connect-ServiceFabricCluster


Service Fabric Explorer (SFX) is an open-source tool for inspecting and managing Azure Service Fabric clusters. Service Fabric Explorer is a desktop application for Windows, macOS and Linux.

I Installed Azure Service Fabric Explorer to visualize the Cluster.

Here we have an Azure Service Fabric 3-node cluster running on Windows Server 2019 Insiders.

Azure Service Fabric CLI

The Azure Service Fabric command-line interface (CLI) is a command-line utility for interacting with and managing Service Fabric entities. The Service Fabric CLI can be used with either Windows or Linux clusters. The Service Fabric CLI runs on any platform where Python is supported.

Prior to installation, make sure your environment has both Python and pip installed.
The CLI supports Python versions 2.7, 3.5, 3.6, and 3.7. Python 3.x is the recommended version, since Python 2.7 will reach end of support soon.

You can download the latest Python version here

Check the Python version and the pip version by typing:

python --version
pip --version

The pip version that ships with Python has to be updated with the following command:

python -m pip install --upgrade pip

We now have pip version 18.0 instead of 10.0.1

Install the Service Fabric CLI with the command:

pip install -I sfctl

Done ! Service Fabric CLI is installed on my Windows 10 Surface.

sfctl -h

Now that we have installed the Microsoft Azure Service Fabric cluster on Windows Server 2019 Insiders Preview and the Service Fabric CLI on Windows 10, we can connect to the 3-node cluster via the CLI.
Because we are working from Windows 10 and not on the host itself, we have to select the cluster endpoint first:

sfctl cluster select --endpoint http://192.168.2.15:19080

sfctl cluster health

sfctl node list

Microsoft Visual Studio 2017 Enterprise and Service Fabric SDK

As a Developer or DevOps you like to work from Microsoft Visual Studio to deploy your Apps, Microservices or Containers to the Azure Service Fabric Cluster.

You need to install the Service Fabric SDK in Visual Studio before you can deploy :

Select Service Fabric Application at New Project

Visual Studio 2017 Enterprise : Service Fabric SDK must be installed

Installing Microsoft Azure Service Fabric SDK

Done.

Now you can make your Service Fabric Container.

Happy Developing 😉

More information on Microsoft Azure Service Fabric Cluster :

Service Fabric on GitHub

Add or remove nodes to a standalone Service Fabric cluster running on Windows Server :

Scaling your Azure Service Fabric Cluster

More info :

Microsoft Azure Service Fabric documentation

Microsoft Azure Service Fabric Cluster Learning Path



Connecting Windows Admin Center to #Microsoft Azure Subscription #WAC #Azure

To allow the Windows Admin Center gateway to communicate with Azure to leverage Azure Active Directory authentication for gateway access, or to create Azure resources on your behalf (for example, to protect VMs managed in Windows Admin Center using Azure Site Recovery), you will need to first register your Windows Admin Center gateway with Azure. You only need to do this once for your Windows Admin Center gateway – the setting is preserved when you update your gateway to a newer version.

In the following Step-by-Step Guide you will connect Windows Admin Center to your Microsoft Azure Subscription.

From here you have to copy the device code and open the device login link (https://aka.ms/devicelogin).
This makes the connection between Windows Admin Center and your Azure subscription.

Paste the code here and click Continue.

Sign in to your Azure subscription.

From here you are connected to your Azure Subscription.

Select the right Azure Tenant and Click on Register.

Go to the Azure AD App Registration link.

Click on Settings


Click on Required Permissions and then on Grant permissions

Click on Yes.

Windows Admin Center has now Permission.

Microsoft Windows Admin Center (WAC) Gateway is now registered to your Azure Subscription and you can use Azure AD Multi-Factor Authentication and Azure Site Recovery to protect your Virtual Machines with WAC.

IMPORTANT: Before you can add Microsoft Azure VMs to Windows Admin Center, you have to set the network security rules for the VM in the Azure portal and also open the Windows firewall inside the VM.

Networking Settings of the Azure VM.

Open port 5985 for WAC over HTTP and port 5986 for HTTPS.

To make the opened port more secure, you have these options in the firewall rule.

Now that you have done this for Azure networking in the portal, you have to do the same in the Windows firewall settings inside the virtual machine.

Allow Port 5985 and 5986.
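The two firewall steps above, as an added example that is not the blog's own configuration: an NSG inbound rule in Azure and a matching Windows Firewall rule in the guest, both restricted to the address of the Windows Admin Center gateway. As a hardening choice it opens only the HTTPS/WinRM port 5986 and leaves 5985 (plain HTTP) closed. The gateway address, NSG and resource group names are assumptions; the Azure part assumes the Az PowerShell module.

```powershell
# Added example, not part of the original post. Names and addresses are assumptions.
$rg        = 'rg-hub-mgmt'        # assumed
$nsgName   = 'nsg-mgmt-subnet'    # assumed NSG attached to the VM's subnet or NIC
$gatewayIp = '10.10.0.25'         # assumed: the WAC gateway, reachable over ExpressRoute/VPN

# --- In Azure (run from an admin workstation with the Az module) ---
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Allow WinRM over HTTPS only from the gateway. Management ports should never use
# '*' or 'Internet' as the source; the gateway's address is the only legitimate client.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-WAC-WinRM-HTTPS' `
    -Description 'Windows Admin Center gateway -> VM (WinRM over HTTPS)' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 310 `
    -SourceAddressPrefix $gatewayIp -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 5986 | Out-Null

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify no other rule opens the WinRM ports to everyone.
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
                   $_.SourceAddressPrefix -in @('*', 'Internet') -and
                   ($_.DestinationPortRange -contains '5985' -or $_.DestinationPortRange -contains '5986') } |
    ForEach-Object { Write-Warning "Rule $($_.Name) exposes WinRM to $($_.SourceAddressPrefix)" }

# --- Inside the VM (run as Administrator) ---
# Mirror the rule in Windows Firewall, again scoped to the gateway address.
New-NetFirewallRule -DisplayName 'WAC WinRM HTTPS from gateway' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $gatewayIp -Action Allow -Profile Domain, Private

# WinRM also needs an HTTPS listener bound to a certificate the gateway trusts; list the listeners:
winrm enumerate winrm/config/listener
```

Traffic from the gateway arrives over the private peering, so the VM needs no public IP at all for management; keep it that way and let the NSG rule, not a public address, define who may reach WinRM.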

More information about Azure Integration in Windows Admin Center here


Here you see my Azure VM in Windows Admin Center On-Premises.

Here you see my Azure Data Science VM in the Cloud via Windows Admin Center 😉