Capture Image - Azure VM

I was doing a project where I had to create clones of VMs that we had migrated from on-prem, and we followed this approach in order to avoid any mishap in future related to SIDs or Active Directory identities.

First, we logged in to the VM and ran Sysprep with the Generalize box checked and OOBE selected in the drop-down. Sysprep removes PC-specific information from a Windows installation, generalizing the installation so it can be installed on different PCs.

Navigate to "C:\windows\system32\sysprep", run sysprep.exe, and shut down the Azure VM.



Sysprep - generalizing the VM -


If you get an error, as I did in one of my tasks and described in an older post, check the log, fix the issue and try again. You will find the log, setupact.log, at the location below:
C:\windows\system32\sysprep\panther\


Once Sysprep is done your VM is stopped and you are ready for Capture, which Azure provides on the overview page of the VM.




Once you hit Capture, a new wizard appears where you need to fill in some basic information like the name of the image, and under the last option type the virtual machine name - you need to type the actual name of the VM that you sysprepped above.

Once you hit Create, you can check your image under Images and create a VM from the same pane; no need to do anything else or go anywhere -





https://pachehra.blogspot.com/2019/07/customized-azure-vm-image-powershell_29.html

https://pachehra.blogspot.com/2019/07/issue-creating-gold-image-on-azure-vm.html



How to connect Azure with AWS - VPN

I performed this task recently and was fortunate that AWS had started supporting IKEv2; prior to this news we could perform the task by spinning up a 2016 server and enabling RDS, but now we can use the cloud itself for this Site-to-Site VPN.

This task is exactly the same as any other Site-to-Site connectivity. Steps involved:

Azure:

  • Create Virtual Network
  • Create Gateway Subnet
  • Create Virtual Network gateway
  • Create Local network gateway
  • Update gateway with pre-shared key
  • Update LNG with IP (from the AWS config file)
  • Create Connection

AWS:

  • Create VPC
  • Create Customer Gateway
  • Create Virtual Private Gateway
  • Create VPN Connection (static)
  • Download configuration file for details
  • Attach Virtual Private Gateway to VPC
  • Update route tables for VPN


Below are the relevant snippets:

This is the VNet created in Azure with different subnet ranges, including the gateway subnet.




This is the Virtual Network gateway we created with static routing and the VpnGw1 SKU -





Now, once we had created the VNet and gateway on Azure, we simultaneously created the VPC, subnets and customer gateway (static) on AWS. If you compare with Azure, the customer gateway is like the Local network gateway: it is where you add the public IP of the Virtual network gateway on Azure -






The next step is creation of the Virtual Private gateway on AWS. It is like the Virtual Network Gateway on Azure, but it will not show you a public IP, and you need to attach it to the VPC manually, unlike Azure.


Now we also create the VPN connection on AWS, where we provide the details of the VNet address spaces and static routing; once it is created you can download the configuration for the LNG on Azure.



Now it's time for Local network gateway creation on Azure, which contains the address space of the AWS VPC and the public IP of the AWS gateway. You can find these details once you download them from the AWS VPN Connection pane: at the top it says Download configuration, and inside that configuration you will find the public IP and pre-shared key for IPsec tunnel #1.





Now create the connection, as all the relevant information is already in place -


In a few minutes it will show Connected, and you will be able to ping the AWS machine if the route tables are updated properly.
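The whole procedure above, both sides, as Terraform. This is an added example written for this page, not the author's configuration: the address ranges, names, SKU, public IP type and the BGP ASN placeholder are assumptions, and the provider blocks and the VPC's own subnets are left out. The tunnel 1 public IP and pre-shared key that the post reads off the downloaded AWS configuration file are taken straight from the aws_vpn_connection attributes, so the key never has to be copied by hand:

```hcl
# Added example for this page (not the author's code). Assumed: Azure VNet 10.1.0.0/16,
# AWS VPC 10.2.0.0/16, VpnGw1 route-based gateway, static routes (no BGP), providers set up.
data "azurerm_resource_group" "rg" {
  name = "rg-s2s-aws"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-azure"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  address_space       = ["10.1.0.0/16"]
}

resource "azurerm_subnet" "gateway" {
  name                 = "GatewaySubnet"   # Azure requires exactly this name
  resource_group_name  = data.azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.1.255.0/27"]
}

resource "azurerm_public_ip" "vng" {
  name                = "pip-vng"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_virtual_network_gateway" "vng" {
  name                = "vng-azure"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  type                = "Vpn"
  vpn_type            = "RouteBased"   # IKEv2 requires a route-based gateway
  sku                 = "VpnGw1"
  ip_configuration {
    name                 = "vng-ipconfig"
    public_ip_address_id = azurerm_public_ip.vng.id
    subnet_id            = azurerm_subnet.gateway.id
  }
}

resource "aws_vpc" "vpc" {
  cidr_block = "10.2.0.0/16"
}

# Counterpart of Azure's Local network gateway: holds the Azure VNG public IP.
resource "aws_customer_gateway" "azure" {
  bgp_asn    = 65000   # mandatory field; unused with static routing
  ip_address = azurerm_public_ip.vng.ip_address
  type       = "ipsec.1"
}

# Counterpart of Azure's VNG, but it must be attached to the VPC explicitly.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.vpc.id
}

resource "aws_vpn_connection" "to_azure" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.azure.id
  type                = "ipsec.1"
  static_routes_only  = true
}

resource "aws_vpn_connection_route" "azure_vnet" {
  destination_cidr_block = azurerm_virtual_network.vnet.address_space[0]
  vpn_connection_id      = aws_vpn_connection.to_azure.id
}

# "Update route tables for VPN": let the VGW propagate routes into the VPC route table.
resource "aws_vpn_gateway_route_propagation" "main" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_vpc.vpc.main_route_table_id
}

# tunnel1_address / tunnel1_preshared_key are what the downloaded AWS configuration file
# lists for IPsec Tunnel #1; reading them from state avoids copying the PSK by hand.
resource "azurerm_local_network_gateway" "aws" {
  name                = "lng-aws"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  gateway_address     = aws_vpn_connection.to_azure.tunnel1_address
  address_space       = [aws_vpc.vpc.cidr_block]
}

resource "azurerm_virtual_network_gateway_connection" "aws" {
  name                       = "cn-azure-to-aws"
  location                   = data.azurerm_resource_group.rg.location
  resource_group_name        = data.azurerm_resource_group.rg.name
  type                       = "IPsec"
  connection_protocol        = "IKEv2"
  virtual_network_gateway_id = azurerm_virtual_network_gateway.vng.id
  local_network_gateway_id   = azurerm_local_network_gateway.aws.id
  shared_key                 = aws_vpn_connection.to_azure.tunnel1_preshared_key
}
```

The pre-shared key ends up in the Terraform state, so that state file needs the same protection as the key itself (encrypted remote backend, restricted access).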





Customized Azure VM Image - Powershell

This is in continuation of the last post on capturing or customizing an image and deploying VMs with the help of those images. Below is the code I used to create a customized image.

First we shut down the VM, then generalized it and finally created the image out of it.



# Assumes the Az PowerShell module is installed and you are logged in (Connect-AzAccount)
$rgName    = "RG"
$vmName    = "Test-VM2"
$location  = "west us"
$imageName = "testimage"

# 1. Deallocate the sysprepped VM
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force

# 2. Mark the VM as generalized (Sysprep must already have run inside the guest)
Set-AzVm -ResourceGroupName $rgName -Name $vmName -Generalized

# 3. Build an image configuration from the VM and create the managed image
$vm    = Get-AzVM -Name $vmName -ResourceGroupName $rgName
$image = New-AzImageConfig -Location $location -SourceVirtualMachineId $vm.Id
New-AzImage -Image $image -ImageName $imageName -ResourceGroupName $rgName

Issue creating Gold Image on Azure VM

I faced this situation recently while doing a migration from on-prem to Azure. The customer confirmed he had static app servers, hence rather than moving all the servers we moved only a few, one for each app; later we would create an image in Azure and deploy as many VMs as required.

To accomplish this task we were using the RM tool, an image-based replication tool. We were able to replicate all the VMs from on-prem to Azure and things were under control.

Now we have the Azure VM running and we need to create the custom image or gold image by -


  • Log in to the VM
  • Run Sysprep (generalize) and shut down
  • Capture the image
  • Create a VM from the captured image

All VMs were good except one, where we got an issue while doing Sysprep. I couldn't capture the image because of this error; it said it was unable to validate the installation and to check the log, and in the log it said pending reboot. Log location:

C:\windows\system32\sysprep\panther\


After checking the log setupact.log we could figure out that the system was pending a reboot due to updates, but the worst part is we had already rebooted the system twice.

So we tried a couple of steps, but no go. Finally, as the machine had last been updated 6 months ago, we ran a system file scan -

SFC /Scannow

The result of the above command gave a clear indication that there was some error the system was trying to fix and it was still pending, so we tried to rebuild, or rather fix the corruption, by -

DISM.exe /Online /Cleanup-image /Restorehealth

It took a while, and after a reboot we ran SFC /Scannow again, which gave the proper result; we could then fix the Sysprep error and create the gold image successfully.


Migration of Static Application servers to Azure

I performed this project recently and it was fun. When I was talking to the customer they explained they had to migrate 165 VMs to Azure, app servers for various applications, and I was like wow, seems like a decent project to work on; during the scoping calls and assessment it became so easy.

Essence of the story: my customer confirmed we only needed to migrate 9 VMs and could make clones later in Azure, as these VMs run static websites and nothing is going to change, so there was no need to migrate all the machines; migrate only the 9 VMs and later clone them to match the count of 165, and he gave me the clone count for each VM. As things changed, so did the approach.


Plan -


  • We replicated all 9 VMs with ASR.
  • AD was already extended, as they were already operating in a hybrid environment.
  • On all 9 VMs we logged in, removed them from the domain and changed the name.
  • Provided details to the customer for UAT

After go-ahead -


  • Sysprep the VMs
  • Capture the image
  • Created the number of VMs required from each image.



It was a successful migration. I only wanted to focus on the steps we took to migrate static websites and how we created cloned VMs from images, and it worked. Sometimes it's just the approach and assessment that makes it very easy.
  

Create Managed Disk from Snapshot - PS

I was doing a migration yesterday from on-prem to Azure with the help of an image replication tool, and everything was going as planned until the replication tool failed midway; when I checked manually, all the disks and VMs had already been created on Azure. I thought, rather than calling for support, why not work with whatever had replicated to Azure; my only problem was that not all the disks were attached as they should be, because, as I mentioned, it failed after running half of the process.

So rather than getting into the details and messing up the situation, let's talk about what we are going to do in this post. As per the situation I needed to create an OS disk from a snapshot so that I could spin up a VM, and here is the PS code that I used for it, which worked like a charm -


$resourceGroupName = "your RG"
$snapshotName      = "Name of snapshot"
$storageType       = "storage type for managed disk"   # e.g. Standard_LRS or Premium_LRS
$location          = "Location"
$diskName          = "your disk name"

# Get the source snapshot
$snapshot = Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName

# Build a managed-disk configuration that copies the snapshot and marks it as a Windows OS disk
$diskConfig = New-AzDiskConfig -AccountType $storageType -Location $location -CreateOption Copy -SourceResourceId $snapshot.Id -OsType Windows

# Create the managed disk
New-AzDisk -Disk $diskConfig -ResourceGroupName $resourceGroupName -DiskName $diskName


The above code worked as expected; I could create the OS disk and then create a VM out of it.

How to preserve Disk Drive letter - Migrate to Azure

This is something always asked about and faced during migration: drive letter D is occupied by the temporary disk inside an Azure VM, hence when we migrate an on-prem VM to Azure the drive letters of additional data disks may change from their previous values.

There is a way by which you can retain the drive letters of attached storage devices when you import or migrate a VM via ASR to Azure.

By default, drive D: is used by the temp disk on the Azure VM; because of this drive assignment, all other attached storage drive assignments are incremented by one letter. E.g. if there is a data drive D: for application installation, this drive would become E: on Azure (incremented by one letter).

The situation discussed above can be controlled by setting the SAN policy to "OnlineAll". Once you change the SAN policy, the setting causes Azure to assign the next free drive letter to its temporary volume.
In this situation, the data drive maintains the drive D designation, and the Azure temporary drive is assigned drive E.


To view the current SAN policy from the guest system there are 2 ways: PS and CMD.


PS: To check the policy and set the policy, below are the PS commands:

# Show the current policy for newly discovered disks
Get-StorageSetting | Select-Object NewDiskPolicy

# Set it to OnlineAll so Azure's temp disk takes the next free letter instead of D:
Set-StorageSetting -NewDiskPolicy OnlineAll



CMD :
  1. On the VM (not on the host server), open an elevated Command Prompt window.
  2. Type diskpart.
  3. Type SAN.

If the drive letter of the guest operating system is not maintained, this command returns either "Offline All" or "Offline Shared." To set it to online, run the command below -

SAN POLICY=onlineAll




Let's check HA, FT & DR


*** High Availability *** Fault Tolerance *** DR ***




HA - Not removing failure, but the ability to recover from it: correcting the fault and getting back to work, or the ability of your system to recover from a fault. It doesn't mean never having any fault, but the ability to recover from it.

e.g. auto-scale: if an instance fails, a new instance is created.


FT - The situation where we cannot repair or recover from a failure but an emergency landing is required.
e.g. LB or caching instances

In FT the system assumes failure and works through failure - multiple things run in parallel on the assumption that something will fail, hence it is more expensive.


DR - The previous situations were about recovering from failure or operating through failure, but DR is about protecting critical system data so that you can use it to create a new working system in case of disaster.



*** RTO & RPO ***

RPO: Recovery Point Objective

The time between when a disaster occurs and when the last recoverable copy of key business data was created.
e.g. if the last backup was done at 11 PM Monday and the disaster occurs at 3 AM Tuesday, then the RPO is 4 hours.

Minimize the length of this time period via regular backups, snapshots and transaction logs to avoid business-disruptive data loss.

Organizations like financial, hospital and eCommerce, where data loss is not acceptable, will have a very low RPO; that can be achieved with regular snapshots or point-in-time backups.


RTO: Recovery Time Objective -
The time between when a disaster occurs and when the system can be restored to an operational state and handed over to the business for testing. Let's extend the above e.g.

e.g. if the last backup was done at 11 PM Monday, the disaster occurs at 3 AM Tuesday and systems came back active and operational at 10 AM Tuesday, then the RTO is 7 hours and the RPO is 4.

RTO depends on several things, not only technical aspects, e.g. locating where the data is, staff available, knowledge available, hardware available and also how quickly the system can be created or spun up, etc.





Terraform - random_id

This is a great resource type which you can utilize for resource names that require a unique name or string, e.g. a storage account or S3 bucket.

Check the code below to see how you can add this resource type to your code and benefit from it.



In the above snippet you can see the random_id resource type defined first and later added to the storage name to generate a unique string as the storage account name.
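One way to write what the snippet showed, as an added example (not the author's code): the random_id resource plus a storage account whose name is built from it. The prefix variable, the resource group name, the keepers map and the S3 bucket are assumptions.

```hcl
# Added example for this page (not the author's snippet). Assumed: an existing
# resource group "rg-demo" and a short lowercase prefix variable.
variable "prefix" {
  type    = string
  default = "demo"
  validation {
    condition     = can(regex("^[a-z0-9]{1,12}$", var.prefix))
    error_message = "prefix must be 1-12 lowercase letters or digits (storage account names are 3-24 lowercase alphanumerics)."
  }
}

data "azurerm_resource_group" "rg" {
  name = "rg-demo"
}

# random_id is generated once and kept in state; it is only regenerated when a
# value in `keepers` changes, so the storage account name stays stable across applies.
resource "random_id" "suffix" {
  byte_length = 4   # 4 bytes -> 8 hex characters
  keepers = {
    resource_group = data.azurerm_resource_group.rg.name
  }
}

# "st" + prefix + 8 hex chars: with a 12-char prefix that is 22 chars, inside the 3-24 limit.
resource "azurerm_storage_account" "sa" {
  name                     = "st${var.prefix}${random_id.suffix.hex}"
  resource_group_name      = data.azurerm_resource_group.rg.name
  location                 = data.azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

# The same id can be reused for an S3 bucket, which has the same global-uniqueness problem.
resource "aws_s3_bucket" "bucket" {
  bucket = "${var.prefix}-${random_id.suffix.hex}"
}

output "storage_account_name" {
  value = azurerm_storage_account.sa.name
}
```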

Why we need an LB for Always On SQL - Azure

This question used to bother me a lot: why do we need a Load Balancer for Always On SQL on Azure VMs, when we can configure it just like an on-premises SQL cluster? My assumption was that Always On is itself load balanced or does the trick internally, and we only need to configure the listener IP on the web app. However, when I first set up Always On on Azure VMs by following the MS docs, I created the ILB with a static IP which is the same as the listener IP of the SQL cluster.

After doing a lot of research I figured it out and would like to share it with all -

"Cloud doesn't allow broadcast for security reasons, doesn't matter Azure, AWS or GCP"

To make it simple, or clearer, check this out -

We have primary and secondary nodes in Always On, and whenever a failover happens there is a broadcast.

The new primary replica must request and configure the availability group listener IP address on its NIC whenever a failover happens.

After the failover, the new primary replica broadcasts a request for the listener IP address, and all devices receiving the request update their ARP tables to map the listener IP to the physical (MAC) address of the new node.

ARP = "Address Resolution Protocol", a request-response protocol used to resolve an IP address to a MAC address.

Essence of the story: there is broadcast activity in a SQL Always On AG that is not allowed in the cloud, hence the ILB - check below for further info.

As discussed above, to work around this behavior we need an ILB, as the subject of this post suggests. An internal LB is associated with a VNet and has a front-end IP address, and this IP address serves as the entry point for application connections.

There is also a back-end pool that associates the VMs with the ILB, allowing traffic to flow from the front-end IP address to these VMs. To determine which machine is the primary replica, the ILB probes each virtual machine on a user-defined port, allowing the ILB to route subsequent connections to the one that responds.

The internal LB that we use must have a static IP which is exactly the same as the listener IP in the SQL AG.
During ILB configuration we select Floating IP, which gives port-reuse flexibility.
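The ILB described above as Terraform, an added example written for this page (not the author's or Microsoft's configuration): the listener IP 10.0.1.50, the subnet and resource group names and the probe port 59999 are assumptions, and the backend pool associations for the replica NICs are omitted.

```hcl
# Added example for this page (not the author's configuration). Assumed: listener
# IP 10.0.1.50 in an existing subnet, SQL on 1433, probe port 59999 (the same port
# the cluster's IP resource must be configured with), and an existing resource group.
data "azurerm_resource_group" "rg" {
  name = "rg-sql"
}

data "azurerm_subnet" "sql" {
  name                 = "snet-sql"
  virtual_network_name = "vnet-sql"
  resource_group_name  = data.azurerm_resource_group.rg.name
}

# Front-end IP must be static and identical to the AG listener IP.
resource "azurerm_lb" "ilb" {
  name                = "ilb-sql-ag"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  sku                 = "Standard"

  frontend_ip_configuration {
    name                          = "fe-listener"
    subnet_id                     = data.azurerm_subnet.sql.id
    private_ip_address_allocation = "Static"
    private_ip_address            = "10.0.1.50"
  }
}

# Back-end pool: every AG replica VM goes in here (NIC associations omitted).
resource "azurerm_lb_backend_address_pool" "ag" {
  loadbalancer_id = azurerm_lb.ilb.id
  name            = "be-ag-replicas"
}

# Probe on a user-defined port: only the node currently holding the listener
# IP answers on it, so the ILB learns which replica is primary.
resource "azurerm_lb_probe" "listener" {
  loadbalancer_id     = azurerm_lb.ilb.id
  name                = "probe-ag-listener"
  protocol            = "Tcp"
  port                = 59999
  interval_in_seconds = 5
  number_of_probes    = 2
}

# Floating IP: packets reach the VM with the listener IP as destination, so SQL
# can listen on the listener address on 1433 and the port can be reused per listener.
resource "azurerm_lb_rule" "sql" {
  loadbalancer_id                = azurerm_lb.ilb.id
  name                           = "rule-sql-1433"
  protocol                       = "Tcp"
  frontend_port                  = 1433
  backend_port                   = 1433
  frontend_ip_configuration_name = "fe-listener"
  backend_address_pool_ids       = [azurerm_lb_backend_address_pool.ag.id]
  probe_id                       = azurerm_lb_probe.listener.id
  enable_floating_ip             = true
}
```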

reference links -

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-ps-alwayson-int-listener

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview

Terraform - Workspaces

In the previous post we discussed maps and lookups, and we used the example of an environment variable (type = map), dev or prod, where the main file gets these values by lookup; we also discussed "tfstate", which has all the information on the current environment and is one of the reasons we should use workspaces.

So what are workspaces? Well, workspaces are nothing but the way Terraform differentiates between the tfstate files for each environment created in the example discussed above.

Let me explain a bit: when we select the dev environment Terraform creates dev, and if we then select prod it overwrites the dev resources with prod. Check the pic below: when we choose prod after creating the dev environment it says "forces new resource".




Hence workspaces, which can be created by a simple command and keep the "tfstate" file for both environments in separate folders. Below are the commands and snippet.

To create a workspace:

terraform workspace new  <name>

To select a workspace:

terraform workspace select <name>




You can see the commands run to create the workspace, and on the left side you can see the terraform.tfstate folder got created, which has 2 separate folders with a tfstate file stored for each environment. This helps because you need not move the "tfstate" file around and keep monitoring it; rather, create a workspace and only take care of which workspace you are running commands from, selecting the correct one.


Terraform: Maps and lookups

Today we will be looking at the lookup and map functionality of Terraform, which gives you the ability to look up a value when there is a map variable in your code (like Key = Value). You can use this functionality as per your needs; in this post we will use it to create prod and dev environments from the same code. Check this out:

Below is the snippet of the variable.tf file, which shows how you define the environment variable as a map.



Below is the snippet of the main.tf file, which shows how we look up the map variable:





Now you see how we define the variable and use the lookup function in main.tf; when we run terraform plan, you can see in the snippet below that it asks for env: and applies the code accordingly.




Below is the YouTube video for variables



So this is how we use Terraform maps and lookups, which is a great way of writing code; however, it's not a great way of keeping it together, because the "tfstate" file tracks what is in our environment, and if any info changes or contradicts it, it creates a problem. Now either you can move this file to a separate place, which would increase the admin work, or we can use "workspaces" in Terraform, which we will see next.
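Serving both this post and the Workspaces post above, an added example (not the author's variable.tf/main.tf): the environment map looked up with lookup(), with the key taken from terraform.workspace so that selecting a workspace both picks the right values and keeps that environment's tfstate separate. The variable names, the VM sizes and the resource group are assumptions; the precondition needs Terraform 1.2 or later.

```hcl
# Added example for this page (not the author's files). Assumed: one map variable
# keyed by environment, and the "default" workspace standing in for dev.

# variable.tf: the environment map (key = value) described in the post
variable "env" {
  description = "Environment key; only consulted when running in the default workspace"
  type        = string
  default     = "dev"
}

variable "vm_size" {
  type = map(string)
  default = {
    dev  = "Standard_B2s"
    prod = "Standard_D4s_v3"
  }
}

# main.tf: take the key from the workspace, so `terraform workspace select prod`
# both picks the prod values and writes prod's state into its own tfstate file,
# instead of "forces new resource" overwriting dev in the shared state.
locals {
  env     = terraform.workspace == "default" ? var.env : terraform.workspace
  vm_size = lookup(var.vm_size, local.env, var.vm_size["dev"])   # fallback keeps plan readable
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-app-${local.env}"
  location = "westus"

  lifecycle {
    # Stop at plan time when the workspace name is not a key of the map,
    # rather than silently deploying the fallback sizing under a typo'd name.
    precondition {
      condition     = contains(keys(var.vm_size), local.env)
      error_message = "Workspace/env '${local.env}' has no entry in var.vm_size."
    }
  }
}

output "selected_env" {
  value = local.env
}

output "selected_vm_size" {
  value = local.vm_size
}
```

Run `terraform workspace new dev`, `terraform workspace new prod`, then `terraform workspace select prod` before planning; each workspace keeps its own state under the workspace directory, so the dev resource group is never replaced by prod's.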





When was the Azure VM created - Find out

It happened to me a couple of times that somebody was making noise about when a VM got created and who created it; I am sure you guys have looked for this information too, or somebody asked you for it. So let's find out how:

Well, Azure provides a wonderful way to figure this out: Activity Logs, where we can find out when a VM got created and who created it. The catch is that this information is available for the last 90 days only. What if we need the info for more than that?

Here is a workaround that can help: figure out the creation date of the disk. It's very simple to do with the help of PowerShell, check it out -


# ManagedBy holds the VM resource ID; segment [8] of it is the VM name
Get-AzDisk -ResourceGroupName "yourRG" -DiskName "yourDiskname" |
    Select-Object Name, TimeCreated, @{ N = "VMname"; E = { ($_.ManagedBy -split "/")[8] } }


Once you run the above command, modified as per your environment, it gives a result like the one below


Name                  TimeCreated            VMname
----                  -----------            ------
osdisk54454321565425  5/10/2019 1:06:23 PM   ACI-VM


The above method only helps if you have managed disks, but what if you also have unmanaged disks?

Well, for unmanaged disks you just need to look at the way the name carries a random number. Yes, when you create a VM with an unmanaged disk you give the name of the storage account, and Azure automatically creates a container named VHD and places the OS disk in it with a name containing random numbers.

These random numbers are actually the timestamp of when the disk was created.


As in the picture above, you see the unmanaged disk name is "fordisk20190711194943.vhd", which is actually 11 July 2019 at 7:49:43 PM.


Now check this PowerShell snippet, which could help you figure this out:


$storAccount = Get-AzStorageAccount -Name "yourstorageaccount" -ResourceGroupName "yourresourcegroup"

$osBlob = Get-AzStorageBlob -Context $storAccount.Context -Container "yourcontainername" -Blob "osdiskname"

# The 14 digits before ".vhd" are yyyyMMddHHmmss, e.g. "fordisk20190711194943.vhd" -> 2019-07-11 19:49:43
$stamp    = $osBlob.Name.Substring($osBlob.Name.Length - 18, 14)
$vmCreate = [datetime]::ParseExact($stamp, 'yyyyMMddHHmmss', $null).ToString()


Now $vmCreate will give you the date and time, and that's how you can figure out the unmanaged disk creation timestamp.

Please leave a comment below if you find something more in this regard ;)

What SQL is good for you - Azure Part 2

In the previous post we discussed all the options that we have on Azure for SQL and the differences between them; in this post we will be discussing what is best as per the requirements of the customer or team:


| SQL Database single databases and elastic pools | SQL Database managed instances | Azure virtual machines with SQL Server |
|---|---|---|
| Built-in high availability, disaster recovery, and upgrade for the database. | Built-in high availability, disaster recovery, and upgrade for the database. | Team needs to build or manage HA, DR, patching and upgrades. |
| Do not want to manage the underlying operating system and configuration settings (PaaS). | Do not want to manage the underlying operating system and configuration settings (PaaS). | If you need a customized environment with full admin rights. |
| Databases of up to 100 TB. | Databases of up to 8 TB. | SQL Server instances with up to 64 TB of storage. The instance can support as many databases as needed. |
| Does not support all on-premises instance-level and database-level capabilities. | Supports almost all on-premises instance-level and database-level capabilities. | Supports all on-premises capabilities. |
| Designing a new app in the cloud and want the latest stable SQL Server features (all new features come to PaaS Azure SQL first). | New applications or existing on-premises applications that want to use the latest stable SQL Server features and that are migrated to the cloud with minimal changes. | Existing applications that require fast migration to the cloud with minimal changes or no changes. |
| In addition to built-in fault tolerance infrastructure capabilities, Azure SQL Database provides features such as automated backups, Point-In-Time Restore, geo-restore, Active geo-replication, and Auto-failover groups to increase business continuity. For more information, see SQL Database business continuity overview. | In addition to built-in fault tolerance infrastructure capabilities, Azure SQL Database provides features such as automated backups, Point-In-Time Restore, geo-restore, Active geo-replication, and Auto-failover groups to increase business continuity. For more information, see SQL Database business continuity overview. | With SQL Server on Azure VMs, you can have applications that run partly in the cloud and partly on-premises. For example, you can extend your on-premises network and Active Directory Domain to the cloud via Azure Virtual Network. For more information on hybrid cloud solutions, see Extending on-premises data solutions to the cloud. |
| Eliminates hardware costs and reduces administrative costs. | Eliminates hardware costs and reduces administrative costs. | Eliminates hardware costs only, as you still need resources for other administrative tasks. |



We have discussed a lot of important points for choosing Azure SQL; for more information you can dig into MS Docs. Below are a few reference links:


https://pachehra.blogspot.com/2019/07/what-sql-is-good-for-you-azure.html
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-paas-vs-sql-server-iaas
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance
https://docs.microsoft.com/en-us/azure/sql-database/replication-to-sql-database

SSMS doesn't work or open

Yes, I know it's not exactly Azure, but you know SQL runs on Azure VMs and one way or another we need SSMS or Management Studio. Having said that, I was testing a SQL migration, and when I installed SSMS version 18.1 I was unable to open it. That's today's issue.

So, essence of the story: unable to open Management Studio version 18.1 even after restarting the system, uninstalling and reinstalling, and trying all the basic troubleshooting. Finally I came across the solution; no, not my solution but one provided by MS, because it's a known issue. "Sad I wasted a couple of hours"


The recommended workaround is to follow the steps below:
1) Close all instances of SSMS
2) Edit ssms.exe.config (location below)
C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE

3) Remove the line that has the following text (should be line 38):
NgenBind_OptimizeNonGac enabled="1"
After that, save the file. I restarted my computer and it worked, but I am still unable to open it from Run; it does open from the Management Studio shortcut on the desktop.

What SQL is good for you - Azure

While designing, or during meetings, this is a very common question that customers ask: what is good for us regarding SQL, as there are multiple options available in Azure for SQL? Well, the answer is obvious: whatever you want the most as per the points below -

- Cost
DBaaS or PaaS is always cheaper than IaaS, as administration of the underlying OS and hardware is not yours. The DB is automatically configured, patched and upgraded by MS, which reduces administrative cost; in addition there is a built-in backup capability.

- Administration
With PaaS SQL you only need to worry about the database, but with IaaS you have full control over the OS and SQL Server instance configuration, and you can decide when to update or upgrade and perform other admin tasks.

- SLA
Both IaaS and PaaS provide high, industry-standard SLAs. The PaaS option guarantees a 99.99% SLA, while IaaS guarantees a 99.95% SLA for the infrastructure, meaning that you need to implement additional mechanisms to ensure availability of your databases.

- Time to move to Azure
Both IaaS and managed instances are very easy to migrate to, just like on-prem from one server to another; managed instance may require small changes. If we are moving to PaaS / elastic pools we need to be sure, because certain features are not supported, e.g. authentication and a few other features.


- Size of DB
Size of the DB also matters, because managed instance doesn't support more than 8 TB and an IaaS VM 64 TB.


Let's discuss all the available options we have on Azure:

1 - Azure PaaS SQL DB (the elastic pool feature is there)
2 - Managed Instance 
3 - SQL on Azure VM

Let's see the main differences between these 3 first, and then we will see what is best for you:


| SQL Server on VM | Managed instance in SQL Database | Single database / elastic pool in SQL Database |
|---|---|---|
| You have full control over the SQL Server engine. | High compatibility with SQL Server on-premises. | The most commonly used SQL Server features are available. |
| Up to 99.95% availability. | 99.99% availability guaranteed. | 99.99% availability guaranteed. |
| Full parity with the matching version of on-premises SQL Server. Fixed, well-known database engine version. | Latest stable Database Engine version. | Latest stable Database Engine version. |
| Easy migration from SQL Server on-premises. | Easy migration from SQL Server. | Migration from SQL Server might be hard. Some SQL Server features are not available. |
| Private IP address within Azure VNet. | Private IP address within Azure VNet. | Private IP address cannot be assigned (you can limit access using firewall rules). |
| You have the ability to deploy applications or services on the host where SQL Server is placed. | Built-in advanced intelligence and security. Online changes of resources (CPU/storage). | Built-in advanced intelligence and security. Online changes of resources (CPU/storage). |
| You need to manage your backups and patches. | No need to manage patches; built-in backup is there. | No need to manage patches; built-in backup is there. |
| You need to implement your own high-availability solution. | Built-in HA that is deeply integrated with the Azure platform. It depends on Service Fabric for failure detection and recovery; in addition, Azure SQL leverages AOAG. | Built-in HA that is deeply integrated with the Azure platform. It depends on Service Fabric for failure detection and recovery; in addition, Azure SQL leverages AOAG. |
| There is downtime while changing resources (CPU/storage). | Online change of resources (CPU/storage). | Online change of resources (CPU/storage). |


The post is getting a little big, hence I will be talking about the best-use scenarios in the next post. After reading it you will have a pretty good idea of who does what, where you can save money, what serves all the features and where you keep administrator tasks, etc. This will help you figure out which SQL service you need to opt for; however, you can easily do the assessment with DMA to be sure your DB is good to migrate to Azure SQL, if that is your choice.

Below are the reference links:

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-paas-vs-sql-server-iaas

https://pachehra.blogspot.com/2019/07/what-sql-is-good-for-you-azure-part-2.html





Migration to Azure Lesson Learnt

This is a situation I faced because of a lack of proactiveness.
I was doing this migration via the RiverMeadow tool from on-prem (VMware) to Azure. Let's not get into why I was using RM and not ASR, that's a totally different discussion; here we will only be talking about the issue I faced and how we fixed it.

So here is the architecture:
- On-prem and Azure connected via Site-2-Site VPN
- On-prem AD extended to Azure VM

Now, RM replicates or does image-based cloning, meaning VMs are replicated to Azure with the same name and already domain-joined; only the outside name and IP change (from the Azure VNet).

So I started my migration after establishing the above-mentioned points, and as soon as a VM replicated to Azure and started running, before I could change the name and remove it from the domain, the source machine got removed from the domain automatically. The worst part is we didn't know until the customer opened a ticket stating that migrating machines were dropping out of the domain.

After digging a little deeper we came to the conclusion that it was happening because it is an image-based migration: when the new VM, with the same name and domain membership, gets a new IP from the Azure VNet, AD registers the new VM and releases the old one.

Resolution:

During image-based migration where AD is extended, we need to make sure we either use an NSG which blocks the traffic from the new VM to AD, or remove the DNS from the VNet and apply it on the NIC only once you have changed the name and re-joined the domain.
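The first resolution, the NSG that keeps the freshly replicated VM away from AD until it has been renamed and re-joined, as Terraform; an added example for this page, not the author's configuration. The NIC name, the resource group and the AD subnet 10.0.0.0/24 are assumptions.

```hcl
# Added example for this page (not the author's configuration). Assumed: the
# replicated VM's NIC "nic-app01" already exists (created by the replication tool),
# and the domain controllers the VNet's DNS points at live in 10.0.0.0/24 on-prem.
data "azurerm_resource_group" "rg" {
  name = "rg-migration"
}

data "azurerm_network_interface" "clone" {
  name                = "nic-app01"
  resource_group_name = data.azurerm_resource_group.rg.name
}

# Quarantine NSG: until the clone is renamed and re-joined it must not reach the
# domain controllers, otherwise it re-registers under the source machine's
# computer account and the source drops out of the domain (the failure in the post).
# Everything else (e.g. RDP from the admin subnet) stays allowed by the default rules.
resource "azurerm_network_security_group" "quarantine" {
  name                = "nsg-quarantine-clone"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name

  security_rule {
    name                       = "deny-outbound-to-ad"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "10.0.0.0/24"
  }
}

# Attach it to the clone's NIC. Remove this association only after the VM has a new
# name and has been re-joined to the domain via the NIC-level DNS setting.
resource "azurerm_network_interface_security_group_association" "clone" {
  network_interface_id      = data.azurerm_network_interface.clone.id
  network_security_group_id = azurerm_network_security_group.quarantine.id
}
```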
