Unmanaged OSDisk with Managed Data disk - AzureVM

Yesterday a customer asked me to attach a managed disk to an Azure VM. I opened the portal, thought it was just another VM, clicked Add disk, and got no option at all to create and attach a managed disk.

When I couldn't do it from the portal I tried PowerShell. I built the cmdlets, ran them, and got the clearest error message I have ever seen on my screen:


  "Managed disk not supported on Unmanaged OS disk & Vice Versa"


So no, this is not possible: a VM is either fully managed or fully unmanaged (blob-based VHDs), and you cannot mix the two. The supported way forward is to convert the VM to managed disks first (ConvertTo-AzVMManagedDisk, which needs the VM deallocated, and an aligned availability set if the VM is in one) and then attach the managed data disk. That would make a very short post, so let's look at a few differences between managed and unmanaged disks.

  Essentially, managed disks are easier to use because they don't require you to create and manage a storage account. That matters because storage accounts have limits, such as maximum IOPS: if you place too many disks in one account you will hit the IOPS ceiling. A standard storage account provides 20,000 IOPS and a standard disk 500 IOPS, so 500 × 40 = 20,000, which means no more than 40 disks per storage account.

 If your VMs are in an availability set, Azure places their managed disks on different storage "stamps" aligned with the fault domains, so a single storage failure is not a single point of failure for the whole set.

At the time of writing, snapshots of managed disks are full snapshots, not incremental, so they add to storage cost. (Incremental snapshots for managed disks were added to the platform later.)

Managed disks only support LRS (at the time of writing), whereas an unmanaged VHD can live in a GRS or RA-GRS storage account.
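The check I wish the portal had done for me, as an added example (not code from the original post): look at the VM's OS disk type first, then attach a data disk of the matching kind, or convert the VM if you really want managed disks. Resource names, sizes and the LUN are placeholders; the script assumes the Az.Compute module and an authenticated session.

```powershell
# Added example: attach a data disk that matches the VM's OS disk type.
# All names below are placeholders; requires Az.Compute and Connect-AzAccount.
$resourceGroup = "myRG"
$vmName        = "myVM"
$dataDiskName  = "myVM-data01"
$sizeGB        = 128
$lun           = 0

$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

if ($vm.StorageProfile.OsDisk.ManagedDisk) {
    # Managed OS disk: create a managed data disk and attach it by resource ID.
    $diskConfig = New-AzDiskConfig -Location $vm.Location -SkuName Standard_LRS `
                    -CreateOption Empty -DiskSizeGB $sizeGB
    $disk = New-AzDisk -ResourceGroupName $resourceGroup -DiskName $dataDiskName -Disk $diskConfig
    $vm = Add-AzVMDataDisk -VM $vm -Name $dataDiskName -CreateOption Attach `
            -ManagedDiskId $disk.Id -Lun $lun
}
else {
    # Unmanaged (blob-based) OS disk: a managed data disk is rejected here
    # ("Managed disk not supported on Unmanaged OS disk"), so either stay unmanaged
    # and create the VHD next to the OS VHD in the same container ...
    $osVhd     = $vm.StorageProfile.OsDisk.Vhd.Uri      # https://<acct>.blob.core.windows.net/vhds/os.vhd
    $container = $osVhd.Substring(0, $osVhd.LastIndexOf('/'))
    $vm = Add-AzVMDataDisk -VM $vm -Name $dataDiskName -VhdUri "$container/$dataDiskName.vhd" `
            -CreateOption Empty -DiskSizeInGB $sizeGB -Lun $lun
    # ... or convert the whole VM to managed disks first (VM must be deallocated):
    #   Stop-AzVM -ResourceGroupName $resourceGroup -Name $vmName -Force
    #   ConvertTo-AzVMManagedDisk -ResourceGroupName $resourceGroup -VMName $vmName
}

# Push the changed VM model back to Azure
Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
```

If the VM sits in an availability set, the set has to be converted to the Aligned SKU before ConvertTo-AzVMManagedDisk will succeed.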

Azure VM image availability via PS

There are situations where we need to check whether a particular image is available in a certain region, whether it is in the Marketplace at all, or dig out the publisher, offer, SKU and version for it.

Below are a few cmdlets that help you find the image, publisher or version you need. An image reference is a four-level hierarchy: publisher > offer > SKU > version, and each cmdlet below walks one level down.



$locName = "West US"
$pubName = "MicrosoftWindowsServer"

# 1. Publishers available in the region
Get-AzVMImagePublisher -Location $locName | Select PublisherName

# 2. Pick an offer from that publisher
$offerName = "WindowsServer"

# 3. SKUs of the offer (here only the *smalldisk variants)
Get-AzVMImageSku -Location $locName -PublisherName $pubName -Offer $offerName | where { $_.Skus -like '*Smalldisk' }

$skuName = "2016-Datacenter-smalldisk"

# 4. Versions of the SKU available in the region
Get-AzVMImage -Location $locName -PublisherName $pubName -Offer $offerName -Skus $skuName | Select Version

# 5. One specific version; this errors if that version is not published in the region
$version = "2016.127.20190603"

Get-AzVMImage -Location $locName -PublisherName $pubName -Offer $offerName -Skus $skuName -Version $version
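Two helpers built on the same cmdlets, as an added example (not from the original post): one resolves the newest version of a SKU with a numeric sort (a plain string sort would put 2016.99.x after 2016.127.x), the other checks that a pinned version exists in every region you deploy to. Get-AzVMImageOffer is the step between publisher and SKU that the listing above skips. Regions and image names are placeholders; the code assumes Az.Compute and an authenticated session.

```powershell
# Added example: resolve the newest image version and check availability per region.
# Requires Az.Compute and Connect-AzAccount; all values are placeholders.

function Get-LatestImageVersion {
    param(
        [Parameter(Mandatory)] [string]$Location,
        [Parameter(Mandatory)] [string]$Publisher,
        [Parameter(Mandatory)] [string]$Offer,
        [Parameter(Mandatory)] [string]$Sku
    )
    # Versions look like 2016.127.20190603: sort as [version], not as strings.
    Get-AzVMImage -Location $Location -PublisherName $Publisher -Offer $Offer -Skus $Sku |
        Sort-Object { [version]$_.Version } -Descending |
        Select-Object -First 1
}

function Test-ImageAvailable {
    param(
        [Parameter(Mandatory)] [string[]]$Locations,
        [Parameter(Mandatory)] [string]$Publisher,
        [Parameter(Mandatory)] [string]$Offer,
        [Parameter(Mandatory)] [string]$Sku,
        [Parameter(Mandatory)] [string]$Version
    )
    foreach ($loc in $Locations) {
        # A missing version raises an error; swallow it and report false instead.
        $img = Get-AzVMImage -Location $loc -PublisherName $Publisher -Offer $Offer `
                 -Skus $Sku -Version $Version -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Location  = $loc
            Version   = $Version
            Available = [bool]$img
        }
    }
}

# Offers sit between publisher and SKU in the hierarchy
Get-AzVMImageOffer -Location "West US" -PublisherName "MicrosoftWindowsServer" | Select Offer

$latest = Get-LatestImageVersion -Location "West US" -Publisher "MicrosoftWindowsServer" `
            -Offer "WindowsServer" -Sku "2016-Datacenter-smalldisk"
"Newest 2016-Datacenter-smalldisk in West US: $($latest.Version)"

Test-ImageAvailable -Locations "West US", "East US", "West Europe" `
    -Publisher "MicrosoftWindowsServer" -Offer "WindowsServer" `
    -Sku "2016-Datacenter-smalldisk" -Version $latest.Version | Format-Table
```

For reproducible builds pin the resolved version in your templates rather than using "latest", which is resolved at deployment time and can change under you between environments.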

How to get the internet working on Azure VMs behind an internal Standard LB

I am pretty sure people have seen this issue; I ran into it when setting up an internal Standard LB for one of my customers and the backend machines lost their internet connectivity.

Before we fix the issue and talk about a few interesting points, let's understand Standard Load Balancer first.

  Azure Load Balancer lets you scale your applications and create high availability for your services. It can be used for inbound as well as outbound scenarios, provides low latency and high throughput, and scales to millions of flows for all TCP and UDP applications.

Standard Load Balancer is the newer Load Balancer SKU for all TCP and UDP applications, with an expanded and more granular feature set than Basic Load Balancer.

While a Basic Load Balancer exists within the scope of an availability set, a Standard Load Balancer is fully integrated with the scope of a virtual network, and all virtual network concepts apply to it.

We will cover the full comparison in the next post; for now, let's fix the issue stated above.

Why it breaks: Standard Load Balancer is secure by default. A VM with no public IP that sits only behind an internal Standard LB has no outbound SNAT path, so it simply cannot reach the internet (with Basic LB or a Basic public IP you got default outbound access for free). To fix it, create a second, public Standard LB, put the same backend VMs in its backend pool, and create an outbound rule so the VMs talk to the internet via the public IP of that LB. An instance-level Standard public IP on each VM would also work, but the outbound rule keeps the VMs unreachable from the internet and gives you explicit control over SNAT port allocation.

When you configure the backend pool, a VM whose NIC has a Basic public IP will not show up for selection.
Backend VMs must either have no public IP or a Standard public IP; Basic and Standard SKUs cannot be mixed.


You can create the outbound rule via Azure CLI (the address pool is the one on the public Standard LB that contains the backend VMs):

# Outbound rule on the public Standard LB: TCP and UDP, 15 minute idle timeout,
# 10000 SNAT ports reserved per backend instance (must be a multiple of 8)
az network lb outbound-rule create \
 --resource-group yourRG \
 --lb-name yourlb \
 --name outboundrule \
 --frontend-ip-configs yourfrontendip \
 --protocol All \
 --idle-timeout 15 \
 --outbound-ports 10000 \
 --address-pool youroutboundpool

For details, see:


https://docs.microsoft.com/en-us/azure/load-balancer/configure-load-balancer-outbound-cli
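Two pre-flight checks I now run before touching a Standard LB backend pool, as an added example (not from the original post or the linked docs): find NICs that carry a Basic-SKU public IP, since those cannot join the pool, and work out how many backend instances an outbound rule can serve. Each frontend public IP supplies 64,000 SNAT ports, so a fixed per-instance allocation caps the pool at floor(64000 × frontend IPs / ports per instance); with the 10000 ports from the CLI example and one frontend IP that is six VMs. Resource group and pool numbers are placeholders; the NIC check assumes Az.Network and an authenticated session, the capacity function runs offline.

```powershell
# Added example: pre-flight checks for a Standard LB backend pool and outbound rule.
# Names are placeholders; Get-BasicPublicIpNics needs Az.Network and Connect-AzAccount.

# 1. NICs in the resource group that carry a Basic-SKU public IP. Such NICs cannot
#    be added to a Standard LB backend pool (SKUs cannot be mixed).
function Get-BasicPublicIpNics {
    param([Parameter(Mandatory)] [string]$ResourceGroup)
    foreach ($nic in Get-AzNetworkInterface -ResourceGroupName $ResourceGroup) {
        foreach ($ipcfg in $nic.IpConfigurations) {
            if (-not $ipcfg.PublicIpAddress) { continue }
            # Resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/.../publicIPAddresses/<name>
            $parts   = $ipcfg.PublicIpAddress.Id -split '/'
            $pip     = Get-AzPublicIpAddress -ResourceGroupName $parts[4] -Name $parts[-1]
            if ($pip.Sku.Name -eq 'Basic') {
                [pscustomobject]@{ Nic = $nic.Name; PublicIp = $pip.Name; Sku = $pip.Sku.Name }
            }
        }
    }
}

# 2. SNAT budget for an outbound rule with a fixed per-instance port allocation.
#    64,000 SNAT ports are available per frontend public IP.
function Get-OutboundRuleCapacity {
    param(
        [Parameter(Mandatory)] [int]$FrontendIpCount,
        [Parameter(Mandatory)] [int]$PortsPerInstance,
        [Parameter(Mandatory)] [int]$BackendInstances
    )
    $warnings = @()
    if ($PortsPerInstance % 8 -ne 0) {
        $warnings += "outbound-ports must be a multiple of 8"
    }
    $total = 64000 * $FrontendIpCount
    $max   = [math]::Floor($total / $PortsPerInstance)
    if ($BackendInstances -gt $max) {
        $warnings += "pool of $BackendInstances exceeds the $max instances this allocation can serve; add frontend IPs or lower outbound-ports"
    }
    [pscustomobject]@{
        TotalSnatPorts   = $total
        PortsPerInstance = $PortsPerInstance
        MaxInstances     = $max
        Fits             = ($BackendInstances -le $max)
        Warnings         = $warnings
    }
}

Get-BasicPublicIpNics -ResourceGroup "yourRG" | Format-Table

# The CLI example above: one frontend IP, 10000 ports each, 8 backend VMs planned
Get-OutboundRuleCapacity -FrontendIpCount 1 -PortsPerInstance 10000 -BackendInstances 8 | Format-List
```

When SNAT ports run out the symptom is intermittent outbound connection failures, not a clean error, so size the allocation from the planned pool size rather than from what happens to work today.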



Azure VM Stuck

This has happened to me a lot of times: as the title says, an Azure VM gets stuck, in Starting, Deallocating or even Running state; it could be any of them.

If the machine is stuck in Starting or Deallocating, giving it a little time sometimes helps, as does stopping or starting it programmatically (PowerShell or Cloud Shell). Sometimes that works, but the reliable tricks are below:

  1. Resize the VM, and prefer a size larger than the current one.
  2. Redeploy the VM from the portal.

In both cases the VM is moved to a different underlying host, which is usually what lets it come up cleanly. Both operations wipe the temporary disk, and a redeploy can change dynamic IP addresses, so plan for that.

There are also situations where the VM shows as running in the portal, PowerShell reports the provisioning state as Succeeded and the power state as running, and yet you cannot ping it or log in, while boot diagnostics shows the login screen. The same two fixes help here.

If everything fails and you need the VM up and running quickly because of business impact, the best option is to delete the VM object only (the disks and NIC stay behind) and recreate the VM from the existing OS disk.



https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/
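The three recovery steps from this post as PowerShell, in escalating order, as an added example (not from the original post or the linked troubleshooting docs). Resource names are placeholders; the code assumes Az.Compute, an authenticated session, and a VM on managed disks for the rebuild step.

```powershell
# Added example: VM recovery steps, escalating from resize to redeploy to rebuild.
# Names are placeholders; requires Az.Compute and Connect-AzAccount.

function Get-VmPowerState {
    param([string]$ResourceGroup, [string]$Name)
    # Statuses holds ProvisioningState/... and PowerState/... codes
    $s = Get-AzVM -ResourceGroupName $ResourceGroup -Name $Name -Status
    ($s.Statuses | Where-Object Code -like 'PowerState/*').Code
}

# Step 1: resize to the next larger size offered for this VM. A resize deallocates
# and reallocates, so the VM lands on a new host; temp disk contents are lost.
function Invoke-VmResizeUp {
    param([string]$ResourceGroup, [string]$Name)
    $vm      = Get-AzVM -ResourceGroupName $ResourceGroup -Name $Name
    $current = Get-AzVMSize -Location $vm.Location | Where-Object Name -eq $vm.HardwareProfile.VmSize
    $larger  = Get-AzVMSize -ResourceGroupName $ResourceGroup -VMName $Name |
                 Where-Object { $_.NumberOfCores -gt $current.NumberOfCores } |
                 Sort-Object NumberOfCores, MemoryInMB | Select-Object -First 1
    if (-not $larger) { throw "no larger size available for $Name on this hardware cluster" }
    $vm.HardwareProfile.VmSize = $larger.Name
    Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm
}

# Step 2: redeploy. Moves the VM to a new host and keeps all disks; the temp disk
# is wiped and dynamic IP addresses may change.
function Invoke-VmRedeploy {
    param([string]$ResourceGroup, [string]$Name)
    Set-AzVM -ResourceGroupName $ResourceGroup -Name $Name -Redeploy
}

# Step 3 (last resort): delete only the VM object and rebuild it from its disks and
# NICs. Extensions and boot-diagnostics settings are not carried over.
function Invoke-VmRecreateFromDisk {
    param([string]$ResourceGroup, [string]$Name)
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $Name
    if (-not $vm.StorageProfile.OsDisk.ManagedDisk) { throw "this path assumes managed disks" }

    Remove-AzVM -ResourceGroupName $ResourceGroup -Name $Name -Force   # disks and NICs are left in place

    $cfg = if ($vm.AvailabilitySetReference) {
        New-AzVMConfig -VMName $Name -VMSize $vm.HardwareProfile.VmSize -AvailabilitySetId $vm.AvailabilitySetReference.Id
    } else {
        New-AzVMConfig -VMName $Name -VMSize $vm.HardwareProfile.VmSize
    }
    foreach ($nic in $vm.NetworkProfile.NetworkInterfaces) {
        $cfg = Add-AzVMNetworkInterface -VM $cfg -Id $nic.Id -Primary:([bool]$nic.Primary)
    }
    $osId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
    $cfg  = if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') {
        Set-AzVMOSDisk -VM $cfg -ManagedDiskId $osId -CreateOption Attach -Windows
    } else {
        Set-AzVMOSDisk -VM $cfg -ManagedDiskId $osId -CreateOption Attach -Linux
    }
    foreach ($d in $vm.StorageProfile.DataDisks) {
        $cfg = Add-AzVMDataDisk -VM $cfg -Name $d.Name -ManagedDiskId $d.ManagedDisk.Id -Lun $d.Lun -CreateOption Attach
    }
    New-AzVM -ResourceGroupName $ResourceGroup -Location $vm.Location -VM $cfg
}

# Usage: check the state, then escalate one step at a time
Get-VmPowerState -ResourceGroup "myRG" -Name "myVM"
Invoke-VmResizeUp -ResourceGroup "myRG" -Name "myVM"
# Invoke-VmRedeploy -ResourceGroup "myRG" -Name "myVM"
# Invoke-VmRecreateFromDisk -ResourceGroup "myRG" -Name "myVM"
```

Take a snapshot of the OS disk before the rebuild step; Remove-AzVM leaves the disks alone, but a typo in the attach step is easier to recover from with a copy in hand.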

Storage Life Cycle Management

Lifecycle management for Azure Blob storage lets you manage blobs according to how the data is actually used: transition data from the Hot tier >> Cool >> Archive and eventually delete it.

Lifecycle management policy:

Transition blobs from hot to cool and from cool to archive to optimize cost and performance.
Delete blobs at the end of their lifecycle.
Define up to 100 rules.
Rules run automatically once a day (so a new policy can take up to 24 hours to take effect).
Apply rules to containers or to specific blob prefixes, up to 10 prefixes per rule.


Lifecycle management policies are available for GPv2 and Blob storage accounts only.
You can upgrade a GPv1 account to GPv2 and then use the policies.

The lifecycle management feature itself is free and available in all regions. You still pay the normal operation charges for the tiering and listing calls it makes, and early-deletion charges apply if a blob leaves the cool tier within 30 days or the archive tier within 180 days.

Below is the code to create a rule and apply it as the account's policy.

# Initialize with your resource group and storage account names
$rgname = "brg"
$accountName = "lifecyclepol"

# Build the action set: base blobs go to cool 1 day after last modification,
# to archive after 2 days, and are deleted after 30 days; snapshots are deleted 3 days after creation
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction Delete -DaysAfterModificationGreaterThan 30
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToArchive -DaysAfterModificationGreaterThan 2
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToCool -DaysAfterModificationGreaterThan 1
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -SnapshotAction Delete -DaysAfterCreationGreaterThan 3

# Filter: blobs whose path (container/prefix) starts with "ab" or "cd"
# PowerShell sets BlobType to "blockBlob" automatically because it is the only option currently
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch ab,cd

# Rule object; PowerShell sets Type to "Lifecycle" automatically because it is the only option currently
$rule1 = New-AzStorageAccountManagementPolicyRule -Name Test -Action $action -Filter $filter

# Apply the policy to the account (this replaces any policy already on the account)
$policy = Set-AzStorageAccountManagementPolicy -ResourceGroupName $rgname -StorageAccountName $accountName -Rule $rule1


Once you run the code above, go to the storage account >> Blob service >> Lifecycle management and you will see your rule. You can also create rules from there. Below are the screenshots:
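A validator for a policy in its JSON form, as an added example (not from the original post): it checks the limits listed above (100 rules, 10 prefixes per rule), that blockBlob is the blob type, that the tiers move in one direction (cool before archive before delete), and flags deletes that land inside the cool (30 day) or archive (180 day) early-deletion windows. The sample policy embedded below is constructed for illustration and mirrors the PowerShell rule above; it runs offline. A policy in this form can be applied with `az storage account management-policy create --policy @policy.json`.

```powershell
# Added example: validate a lifecycle policy (REST/JSON form) before applying it.
# The sample policy at the bottom is constructed for illustration.
function Test-LifecyclePolicy {
    param([Parameter(Mandatory)] [string]$PolicyJson)

    $policy   = $PolicyJson | ConvertFrom-Json
    $problems = @()
    $rules    = @($policy.rules)

    if ($rules.Count -eq 0)   { $problems += "policy has no rules" }
    if ($rules.Count -gt 100) { $problems += "policy has $($rules.Count) rules; the limit is 100" }

    foreach ($r in $rules) {
        $f = $r.definition.filters
        $b = $r.definition.actions.baseBlob

        if (-not $f.blobTypes -or $f.blobTypes -notcontains 'blockBlob') {
            $problems += "rule '$($r.name)': blobTypes must include blockBlob"
        }
        if (@($f.prefixMatch).Count -gt 10) {
            $problems += "rule '$($r.name)': $(@($f.prefixMatch).Count) prefixes; the limit is 10"
        }

        # Tiering must move one direction: cool, then archive, then delete.
        $cool    = $b.tierToCool.daysAfterModificationGreaterThan
        $archive = $b.tierToArchive.daysAfterModificationGreaterThan
        $delete  = $b.delete.daysAfterModificationGreaterThan
        if ($null -ne $cool -and $null -ne $archive -and $cool -ge $archive) {
            $problems += "rule '$($r.name)': tierToCool ($cool) must be earlier than tierToArchive ($archive)"
        }
        if ($null -ne $archive -and $null -ne $delete -and $archive -ge $delete) {
            $problems += "rule '$($r.name)': tierToArchive ($archive) must be earlier than delete ($delete)"
        }
        # Early-deletion windows: 30 days in cool, 180 days in archive.
        if ($null -ne $cool -and $null -ne $archive -and ($archive - $cool) -lt 30) {
            $problems += "rule '$($r.name)': blobs leave cool after $($archive - $cool) days; cool early-deletion charge applies under 30"
        }
        if ($null -ne $archive -and $null -ne $delete -and ($delete - $archive) -lt 180) {
            $problems += "rule '$($r.name)': blobs are deleted $($delete - $archive) days after archiving; archive early-deletion charge applies under 180"
        }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: the same thresholds as the PowerShell rule above
# (cool after 1 day, archive after 2, delete after 30, snapshots deleted after 3).
$sample = @'
{
  "rules": [
    {
      "enabled": true,
      "name": "Test",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "tierToCool":    { "daysAfterModificationGreaterThan": 1 },
            "tierToArchive": { "daysAfterModificationGreaterThan": 2 },
            "delete":        { "daysAfterModificationGreaterThan": 30 }
          },
          "snapshot": { "delete": { "daysAfterCreationGreaterThan": 3 } }
        },
        "filters": { "blobTypes": [ "blockBlob" ], "prefixMatch": [ "ab", "cd" ] }
      }
    }
  ]
}
'@

Test-LifecyclePolicy -PolicyJson $sample | Format-List
```

For the sample, the ordering and limit checks pass but both early-deletion checks fire: one day in cool and 28 days in archive are well inside the 30 and 180 day windows, which is fine for a test account but would cost real money on production data.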









Azure Bastion Host

Azure Bastion is an amazing service which is currently in public preview and will soon reach GA. It takes a lot of the overhead of running a jump server off your plate. You might wonder why, since it is "just a bastion".

For starters, it is a PaaS service, so you don't need to maintain a jump box yourself: no patching, NSG upkeep, public IP management and so on.

It provides secure and seamless RDP/SSH connectivity to your VMs directly from the Azure portal, tunnelled over TLS on port 443.

When you connect via Bastion your VM needs no public IP address, and no additional agent or other software on the VM.

Your VMs' RDP/SSH ports are no longer exposed to the public internet, so they are automatically protected against port scanning and brute-force attempts by malicious users; the only internet-facing endpoint is Bastion's own 443.

Things to keep in mind while creating Azure Bastion:

  • You can create it from the public preview link or by registering the provider feature.
  • You need a subnet named exactly AzureBastionSubnet, /27 or larger (the minimum was /27 during preview; the current requirement is /26).
  • Creation takes a little longer than a VM, maybe because it is in preview.
  • While creating it you select the VNet where you want to place it.
  • Once created, go to the VM you want to connect to, hit Connect, and you get a Bastion option; enter your credentials and the RDP session opens in the browser.
  • On the target VMs' NSGs you only need to allow RDP/SSH inbound from the AzureBastionSubnet address range; the rule that allowed it from the internet can go.

Now let's register the provider feature and create the Bastion:


# Opt in to the preview feature, then re-register the provider so it picks the feature up
Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

Register-AzResourceProvider -ProviderNamespace Microsoft.Network

# Wait until RegistrationState shows Registered before creating the Bastion
Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network



Now go to the Azure portal (preview) and create the Bastion.

You need to fill in the details below:



Once it is created, go to any VM you want to connect to via Bastion; you will see the following options, and your RDP session will open in the browser.
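The NSG side of the last bullet above, as an added example (not from the original post): one NSG for AzureBastionSubnet with the rules the service needed to function at the time (443 in from Internet and GatewayManager, 22/3389 out to the VNet, 443 out to AzureCloud; the current documentation lists a few more for health probes and the data plane, so check it before deploying), and one NSG for the workload subnet that admits RDP/SSH only from the Bastion subnet range. Resource names, region and the address prefixes are placeholders; the script assumes Az.Network and an authenticated session.

```powershell
# Added example: NSG rules for AzureBastionSubnet and for the subnet it connects to.
# Names, location and prefixes are placeholders; requires Az.Network and Connect-AzAccount.
$rg          = "myRG"
$location    = "westus"
$bastionCidr = "10.0.255.0/27"     # AzureBastionSubnet address range
$workloadCidr = "10.0.1.0/24"

# (a) Rules the Bastion subnet needs: portal users and the control plane in on 443,
#     RDP/SSH out to the VNet, Azure management out on 443.
$bastionRules = @(
    New-AzNetworkSecurityRuleConfig -Name AllowHttpsInFromInternet -Direction Inbound -Access Allow `
        -Priority 120 -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name AllowGatewayManagerIn -Direction Inbound -Access Allow `
        -Priority 130 -Protocol Tcp -SourceAddressPrefix GatewayManager -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name AllowSshRdpOutToVnet -Direction Outbound -Access Allow `
        -Priority 100 -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 22,3389
    New-AzNetworkSecurityRuleConfig -Name AllowAzureCloudOut -Direction Outbound -Access Allow `
        -Priority 110 -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix AzureCloud -DestinationPortRange 443
)
$bastionNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
                -Name "nsg-AzureBastionSubnet" -SecurityRules $bastionRules

# (b) Workload subnet: management ports reachable only from the Bastion subnet.
#     The explicit deny is defence in depth on top of the default DenyAllInbound.
$vmRules = @(
    New-AzNetworkSecurityRuleConfig -Name AllowRdpSshFromBastion -Direction Inbound -Access Allow `
        -Priority 100 -Protocol Tcp -SourceAddressPrefix $bastionCidr -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 22,3389
    New-AzNetworkSecurityRuleConfig -Name DenyRdpSshFromInternet -Direction Inbound -Access Deny `
        -Priority 200 -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 22,3389
)
$vmNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
           -Name "nsg-workload" -SecurityRules $vmRules

# Attach both NSGs to their subnets and save the VNet
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "myVnet"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureBastionSubnet" `
    -AddressPrefix $bastionCidr -NetworkSecurityGroup $bastionNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "workload" `
    -AddressPrefix $workloadCidr -NetworkSecurityGroup $vmNsg | Out-Null
$vnet | Set-AzVirtualNetwork
```

Once this is in place, remove any leftover "RDP from Internet" rules on the workload NSG and the VMs' public IPs; Bastion is only a hardening if the old path is actually closed.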









Architect Azure Environment - Efficiency & Operations

This is the last but not the least point to keep in mind while designing any Azure environment. We will go into detail in a later post; for now, let's understand how and why efficiency and operations matter.

Efficiency, as the name suggests, is about using resources efficiently and eliminating waste within your environment.

Cloud is all about paying for what you use, so you can readily find the resources you don't need, or turn capacity down as demand requires; typically waste comes from provisioning more capacity than demand calls for.

A few examples of waste:
  • A virtual machine that is always 90% idle
  • Paying for a license included in a virtual machine when a license is already owned
  • Retaining infrequently accessed data on a storage medium optimized for frequent access
  • Manually repeating the build of a non-production environment

Operationally, it's important to have a robust monitoring strategy. This helps you identify areas of waste, troubleshoot issues, and optimize the performance of your application.


Landing Zone with Multiple Subscriptions Vs Single Subscription

  Landing Zone with Multiple Subscriptions   Pros Clear Separation of Concerns Shared Services, Prod, Non-Prod, Sandbox s...