Adding an Azure Subscription in VMM

Since VMM 2012 R2 (update rollup 6), you can add Azure subscription to VMM and perform basic actions on Azure IaaS VMs.Both VMM 2012 R2 and VMM 2016 support only classic Azure VMs and you may find that even Management Portal button in the VMM console still points to an old Azure portal (manage.windowsazure.com) which is no longer available.

VMM 2016 doesn’t bring any new changes to this feature and provides the same functionality for Azure VMs management through VMM console. However, VMM 1801 (the latest version available in semi-annual channel)  introduced a support for ARM-based VMs and region specific Azure subscriptions.

So, you can manage both classic VMs and ARM-based VMs using Azure AD Authentication or management certificates in VMM 1801. In this article, we will cover how to manage classic Azure VMs from VMM 2012 R2/2016, and then we briefly discuss new changes in VMM 1801 release.

What do you need?

  •  The console computer where this feature will be installed must have connectivity to the Internet in order to connect to the Azure Subscription
  • An active Azure subscription. For example, I’m using the one which goes with my MSDN subscription. You can also use a free Azure subscription.
  • You must be at least a Service Administrator for the Microsoft Azure Subscription being added. For example, I’m an owner of my subscription and no actions needed.
  • Microsoft Azure Subscription must have a Management Certificate associated with it in order to allow VMM to use the service management API in Microsoft Azure (will complete this later in this post)
  • The certificate needs to be present in the Current User \ Personal store of the computer running the VMM console. (will complete this later in this post)
  • The Management Certificate that is associated with the Azure Subscription must be present in the local certificate store on the computer that the wizard is being run on (will complete this later in this post)

How to do it?

  • On the VMM Server, open PowerShell with administrative privileges, and run the following to request a new self-signed certificate and add it to Personal store :
#This password will be used for PFX file
$pass= ConvertTo-SecureString -String "P@ssw0rd1" -AsPlainText -Force 

#New self-signed certificate
$cert = New-SelfSignedCertificate -FriendlyName rlevchenko.com  -Subject rlevchenko.com -CertStoreLocation "Cert:\CurrentUser\My" -Type Custom -KeyExportPolicy ExportableEncrypted -KeyLength 4096 -KeySpec KeyExchange

#Export PFX (if you plan to connect from another machine, import this PFX to the Personal store on your computer)
Export-PfxCertificate -Cert $cert  -FilePath C:\Cert\AzuretoVMM.pfx -Password $pass

#Export CER file which will be uploaded to Azure
Export-Certificate  -Cert $cert  -Type CERT -FilePath C:\Cert\RLVMM.cer
  • In the Azure Portal, go to Subscriptions –> Management Certificates and select C:\Cert\RLVMM.cer to upload. Once uploaded, copy your subscription ID as shown in the picture:

add azure subscription_1

  • Switch back to the VMM Console, navigate to VMs and Services and right click on Azure Subscriptions and select Add Subscription; type a display name of the subscription, paste Subscription ID and select the certificate that has been already added to the Personal store (VMM console automatically discovers all eligible certificates). If no certificates are shown, check certificates and their thumbprints in the Personal store (certmgr.msc)

add azure subscription_2

Note: Certificates and subscription setting information is stored in the Registry under HKEY_CURRENT_USER and is per login specific. This means that subscriptions that are added are visible on a per-machine, per-login basis.

  • Verify that new subscription has been added. If you have classic VMs running under the subscription, you will see a list of such VMs in the VMM.

As you can see in the following screenshot, actions are limited to Start, Stop, Shut Down, Restart and Connect via RDP

image

Note: Public and Internal IP addresses as well as VM size and other information is shown on the details pane

  • Repeat the same steps to add another subscription if needed.

What’s new in VMM 1801?

Unlike VMM 2012R2/2016, VMM 1801 supports management of Azure subscriptions and ARM-based VMs (which are the default in Azure now) through Azure Active Directory and region-specific Azure subscriptions. (namely Germany, China,  US Government Azure regions). VMM 1801 has also updated Azure Subscription wizard and now you can select between two authentication types: certificate-based or Azure AD-based. If Azure AD is selected, you don’t need to create and upload the certificate to Azure. Otherwise, use the steps above to integrate VMM 1801 with Azure using management certificate authentication.

To enable Azure AD-based authentication, you need to create AD Application using Azure Portal. Use the following step to create the AD Application:

  • Click on Azure Active Directory, go to App Registrations and click on New Application Request, then type an app name (for example, VMM1801) and sign-on URL (I used “fake” – https://rllab.com/vmm1801 and it works. You can change it later)
  • Go back to App Registration, switch to All Apps and copy the Application ID of the app you have just created.
  • In the Application properties, click on Settings, and then Keys; provide key description and duration, and click on Save; copy the key value

add azure subscription_5

  • In the Azure Portal, go to Properties of Azure AD and copy the Directory ID
  • Assign application to Classic Virtual Machine Contributor and Virtual Machine Contributor roles (Subscription – Access Control (IAM) – Add)
  • Open VMM Console and press Add Subscription, paste Subscription ID, Application ID, Directory ID and Key Value to the corresponding fields as shown in the screenshot:

add azure subscription_4

Note: Using Select Azure cloud drop-down list you can choose Azure reqion (Public, China, Germany or Government)

Once subscription is added to VMM, you can manage both classic and ARM based VMs in VMM 1801:

add azure subscription_6

Note: you might have noticed that instead of Shutdown action VMM 1801 offers Stop and Deallocate which is more preferable for Azure VMs. Also, MS fixed Management Portal button and now it’s linked to portal.azure.com 🙂

That’s it. I hope this post will be helpful for someone Улыбка.

How to enable nested virtualization in Azure

We have already mentioned new Azure VM series Dv3 and Ev3 which enable running VMs inside Azure VMs or just nested virtualization. Today we are going to get it configured and to run our first nested VM in Azure.

But before we start, let’s review some Dv3 and Ev3 facts:

  • they introduce Hyper-Threading Technology running on the Intel® Broadwell E5-2673 v4 2.3GHz processor and Intel® Haswell 2.4 GHz E5-2673 v3
  • they made shift from physical core to virtual CPUs (thanks to HT technology) to support larger VM sizes
  • they are the first Azure VMs running on Windows Server 2016 hosts
  • Dv3 VMs are up to 64 vCPUs and 256 GB RAM
  • Ev3 VMs are up to 64 vCPUs and 432 Gb RAM
  • they are currently available only for certain regions (West Europe, US East, US West 2, Asia Pacific Southeast)
  • they already come with ExposeVirtualizationExtensions enabled. we don’t need to enable CPU extensions as we have to do for on-premises WS2016 hosts

To get started with “nesting” you need to create one or more Dv3/Ev3 VMs in Azure within compatible region. For quick demo purposes, I created D2S_V3  VM with Windows Server 2016 DC , standard managed disk with no data disks attached.

TIP: actually you can , for instance, create 2 or more VMs , add data disks and configure storage spaces between them to achieve higher IO performance.

Then you need to install Hyper-V role and restart VM to apply changes

Install-WindowsFeature Hyper-V -IncludeManagementTools -Restart

nested virtualization azure 1

Verify that Hyper-V role is installed and add internal switch. New adapter “vEthernet (switchname)” will be created under network connections list (ncpa.cpl)

Define a new IP address for this adapter (I’m using 192.168.0.0/24 subnet).  This network will be used as a NAT gateway for new VMs in order to allow internet access from nested VMs.

#Check Hyper-V role state
Get-WindowsFeature Hyper-V|ft InstallState, PostConfigurationNeeded

#Add new internal switch
New-VMSwitch -SwitchName "NSW01" -SwitchType Internal

# IP Configuration for vNIC
New-NetIPAddress -InterfaceAlias "vEthernet (NSW01)" -IPAddress 192.168.0.23 -PrefixLength 24

nested virtualization azure 2

Configure NAT rule to provide “access” to our nested VMs

New-NetNat -Name Nat_VM -InternalIPInterfaceAddressPrefix 192.168.0.0/24

image

Now our nested VMs can assign IP addresses from 192.168.0.0/24 subnet  (manual assignment). If you want to have dynamic IP assignment – create add. VM and configure DHCP. Continue reading “How to enable nested virtualization in Azure”