Load Balanced and Availability Set with multiple VMs

When it comes to best practices for setting up multiple virtual machines behind a load balancer in an availability set, the information out there is either outdated or hard to find.

What is the scenario? Imagine that you need to set up a few VMs that share their configuration and some files between them. How could you do it?

After a few searches on the web, I came across the IIS and Azure Files blog post. That post is dated October 2015, and as you know, Azure changes at a very fast pace, so my first thought was: is this still applicable? After a few tests in my test environment, I found that it is! Surprisingly! So, if you follow all the steps in that post, you can configure your environment.

In my case, there was a specific requirement for which this approach wasn’t applicable: my workloads required low latency. So I went searching again for how I could achieve this, and then I found the solution on GitHub! Microsoft publishes a template where the only thing you need to do is fill in the blanks. THANK YOU!

This is the template that I’m referring to: 201-vmss-win-iis-app-ssl.

Solution overview and deployed resources

This template creates the following Azure resources:

  1. A VNet with two subnets. The VNet and subnet IP prefixes are defined in the variables section, i.e. appVnetPrefix, appVnetSubnet1Prefix and appVnetSubnet2Prefix respectively. Set these accordingly.
  2. An NSG that allows HTTP, HTTPS and RDP access to the VMSSs. The NSG is assigned to the subnets.
  3. Two NICs, two Public IPs and two VMSSs with Windows Server 2012 R2
    3.1) The first VMSS is used for hosting the website and the second VMSS is used for hosting the services (WebAPI/WCF etc.)
    3.2) The VMSSs are load balanced with Azure load balancers. The load balancers are configured to allow RDP access through port ranges
    3.3) The VMSSs are configured to auto scale based on CPU usage. The scaled-out instances are automatically configured with Windows features, application deployment packages, SSL certificates, the necessary IIS sites and SSL bindings
  4. The first VMSS is deployed with a PFX certificate installed in the specified certificate store. The certificate itself is sourced from an Azure Key Vault.
  5. The DSC script configures various Windows features such as the IIS/Web Server role, the IIS Management Service and tools, .NET Framework 4.5, custom logging, request monitoring, HTTP tracing, Windows authentication, application initialization, etc.
  6. DSC downloads Web Deploy 3.6 and URL Rewrite 2.0 and installs the modules
  7. DSC downloads an application deployment package from an Azure Storage account and installs it in the default website
  8. DSC finds the certificate in the local store and creates a 443 (HTTPS) binding
  9. DSC creates the necessary rules so that any incoming HTTP traffic is automatically redirected to the corresponding HTTPS endpoints

The following resources are deployed as part of the solution:

  • A VNet with two subnets. The VNet and subnet IP prefixes are defined in the variables section, i.e. appVnetPrefix, appVnetSubnet1Prefix and appVnetSubnet2Prefix respectively. Set these accordingly.
  • An NSG to define the security rules. It defines the rules for HTTP, HTTPS and RDP access to the VMSSs. The NSG is assigned to the subnets.
  • Two NICs, two Public IPs and two VMSSs with Windows Server 2012 R2
  • Two Azure load balancers, one for each VMSS
  • Storage accounts for the VMSSs as well as for the artifacts

Prerequisites

  1. You should have a custom domain ready, and point it to the FQDN of the first public IP (the public IP of the web load balancer)
  2. SSL certificate: you should have a valid SSL certificate, either purchased from a CA or self-signed
  3. Create an Azure Key Vault and upload the certificate to it. Currently, Azure Key Vault supports certificates in PFX format. If your certificates are not in PFX format, import them into a Windows certificate store on a local machine and then export them as PFX with the private key and root certificate embedded.


Cheers,

Marcos Nogueira
Azure MVP
azurecentric.com
Twitter: @mdnoga


Azure Updates Series – August 2017

Of all the enhancements and new features that Azure released in the month of August, there were two that will make our lives easier, at least in my opinion/experience/area of work, of course:

  • Public Preview of Azure Event Grid
  • Enhancement of Azure Monitor with new capabilities for diagnostics

Azure Event Grid is an important solution for handling the challenging world of IoT. Most current IoT applications are built around events, and the way you respond to those events and initiate business processes can be really difficult. With the rise of serverless platforms comes the growth of event-based applications, and that is where Azure Event Grid will help you.

In the announcement, Microsoft says that Event Grid has built-in support for events that come from Azure services, like storage blobs and resource groups. Event Grid also has built-in support for custom and third-party events, using custom topics and custom webhooks. You can use filters to route specific events to different endpoints, multicast to multiple endpoints, and make sure your events are reliably delivered.

For more information about Azure Event Grid, see Introducing Azure Event Grid.

Microsoft just added two new capabilities to Azure Monitor: the creation of multiple diagnostic settings per resource (currently in public preview), and the ability to send metrics and logs to a different subscription.

Why are these capabilities important, you may think? The first one, the creation of multiple diagnostic settings per resource, makes it easier to create a template with all the settings that you want to monitor or alert on for a specific resource. For example, if you wanted to monitor the diagnostics of your storage account to see what is going on, you had to enable them several times and could only send those logs and metrics to one storage account.

The second new capability, sending metrics and logs to a different subscription, will make your life easier if you are a managed services provider (for example), because you can centralize all your metrics in that subscription without affecting the other subscriptions.

For more information about the new capabilities, see the announcement Azure Monitor: Enhanced capabilities for routing logs and metrics.



Multiple Azure Subscriptions with one OMS Workspace

This week I was at one of my customers, and one of the topics that came up in the conversation was: how can I connect several Azure subscriptions within the same tenant to OMS?

One of the things that I like about Azure is that you have different ways to achieve the same goal. In this case, I found (once more) that Azure Monitor can really help.

It is a simple process to implement:

  1. Sign in to the Azure Portal
  2. Open Azure Security Center
  3. Click on Subscriptions (Step 1)
  4. Click on the down arrow (Step 2)
  5. Select all the subscriptions that you want to add to OMS (Step 3)
  6. Add the Security and Audit solution to your OMS workspace and point it to Security Center.


Multiple level alerts with ARM Template

If you run into the situation where you want to set multiple activity alerts on a resource that you want to monitor, but when you configure or edit the alert you only see a single alert level (picture below), you would normally create another alert on the same resource.

That is one way to solve the issue, but you can have multiple alert levels in the same alert. Instead, you can create a multi-level alert through a JSON file and then apply the template to the resource you want to monitor.

The Activity Log Alert language is actually pretty powerful if you are willing to get your hands a little dirty and write the “condition” property in JSON yourself. For example, if you create an alert in the portal and then look at the “Create Activity Log Alert” event in your Activity Log, you will see in the properties field the full JSON (unfortunately, delimited and in one field) of the alert that was created, and the “condition” property for an alert looks fairly similar to the JSON for ARM policy. It can contain:

  1. Both allOf (AND) and anyOf (OR)
  2. equals (on a property that has a single value) or containsAny (on a property that is an array)
  3. Either an explicit field name (e.g. "category") or a JSON path with wildcards to any property that matches (e.g. "properties.impactedServices[?(@.ServiceName == 'Virtual Machines')].ImpactedRegions[*].RegionName")

Here’s a complex example of what you could put in the condition in raw JSON that would work correctly:

{
    "location": "global",
    "properties": {
        "scopes": [
            "/subscriptions/<SUBSCRIPTION_ID>"
        ],
        "description": "TEST",
        "condition": {
            "allOf": [
                {
                    "field": "category",
                    "equals": "ServiceHealth"
                },
                {
                    "field": "status",
                    "equals": "Active"
                },
                {
                    "field": "properties.impactedServices[?(@.ServiceName == 'Virtual Machines')].ImpactedRegions[*].RegionName",
                    "containsAny": [
                        "EastUS2",
                        "WestUS2"
                    ]
                }
            ],
            "anyOf": [
                {
                    "field": "level",
                    "equals": "Warning"
                },
                {
                    "field": "level",
                    "equals": "Error"
                }
            ]
        },
        "actions": {
            "actionGroups": [
                {
                    "actionGroupId": "/subscriptions/<SUBSCRIPTION_ID>/resourcegroups/default-activitylogalerts/providers/microsoft.insights/actiongroups/<GROUP_NAME>",
                    "webhookProperties": {}
                }
            ]
        },
        "enabled": true
    }
}

This translates to: “Activate the alert if there is an Active Service Health event on Virtual Machines in either East US 2 or West US 2, but only if the level is either Warning or Error.”
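To see how the allOf/anyOf groups, equals and containsAny operators, and the wildcard JSON path of that condition combine, here is an added Python example (not from the post and not Azure's own code) that evaluates the post's condition object against a constructed Service Health event. Its path resolver supports only the two selector forms used above, [*] and [?(@.Key == 'value')], and compares values exactly; the service's real matching rules are not covered by the post.

```python
import re

# The "condition" object from the post: the allOf (AND) and anyOf (OR) groups must both hold.
CONDITION = {
    "allOf": [
        {"field": "category", "equals": "ServiceHealth"}, {"field": "status", "equals": "Active"},
        {"field": "properties.impactedServices[?(@.ServiceName == 'Virtual Machines')].ImpactedRegions[*].RegionName",
         "containsAny": ["EastUS2", "WestUS2"]},
    ],
    "anyOf": [{"field": "level", "equals": "Warning"}, {"field": "level", "equals": "Error"}],
}

# Constructed sample event shaped like a Service Health activity log record (not real data).
SAMPLE_EVENT = {
    "category": "ServiceHealth", "status": "Active", "level": "Warning",
    "properties": {"impactedServices": [
        {"ServiceName": "Virtual Machines",
         "ImpactedRegions": [{"RegionName": "EastUS2"}, {"RegionName": "NorthEurope"}]},
        {"ServiceName": "Storage", "ImpactedRegions": [{"RegionName": "WestUS2"}]}]},
}

# One path segment: a property name, optionally followed by [*] or by [?(@.Key == 'value')].
SEGMENT = re.compile(r"(\w+)(?:\[(\*|\?\(@\.(\w+) == '([^']*)'\))\])?")

def resolve(obj, path):
    """Return every value the path reaches: [*] fans out over a list, a filter keeps matching items only."""
    current = [obj]
    for name, selector, fkey, fval in SEGMENT.findall(path):
        nxt = []
        for node in current:
            if not isinstance(node, dict) or name not in node:
                continue
            value = node[name]
            if selector == "":
                nxt.append(value)
            elif isinstance(value, list):
                nxt.extend(item for item in value if selector == "*"
                           or (isinstance(item, dict) and item.get(fkey) == fval))
        current = nxt
    return current

def matches(condition, event):
    """Evaluate a condition object against one event; comparisons are exact string matches."""
    if "allOf" in condition or "anyOf" in condition:  # a group: AND over allOf, OR over anyOf
        return all(matches(c, event) for c in condition.get("allOf", [])) and (
            "anyOf" not in condition or any(matches(c, event) for c in condition["anyOf"]))
    values = resolve(event, condition["field"])  # a leaf: one field, one operator
    if "equals" in condition:  # single-valued property
        return values == [condition["equals"]]
    return bool(set(values) & set(condition.get("containsAny", [])))  # array property: any overlap
```

Changing the sample's level to Informational, or its status to Resolved, makes matches() return False, which is exactly the sentence above expressed as a check.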
