Wednesday, February 26, 2014

Establish Connection on Private Cloud to Windows Azure Using Point to Site VPN

There are three ways of connecting resources on a private cloud to Windows Azure:

  • Site to Site VPN
  • Point to Site VPN
  • Express Route (new, Feb 2014)

Site-to-site VPN relies on an IPsec VPN appliance deployed at the edge of your network for connectivity. This method allows any computer on your premises to connect to any virtual machine or PaaS instance within the virtual network.

Next is point-to-site VPN. It works like a VPN client: you install a VPN client configuration package that enables your computer to connect to any virtual machine or PaaS instance within the virtual network. Point-to-site connectivity runs over SSTP (Secure Socket Tunneling Protocol) and supports up to 250 VPN clients.

Lastly, Express Route is dedicated, private, high-throughput network connectivity with guaranteed network QoS, giving faster speed, low network latency and complete network isolation. Check out here.

In today's post we talk about point-to-site VPN, so that we can connect the Active Directory on our premises to a virtual machine holding the read-only domain controller role. This gives us a non-writable Active Directory running in Windows Azure that any virtual machine there can use. This is just a scenario we are simulating in our test environment, to let the primary domain controller communicate with the new VM.

As it stands, our scenario is not connected. A new VM has been created for the read-only domain controller, but without a connection to our premises we cannot replicate Active Directory objects. To do so, you need to:

a) Configure Virtual Network

b) Create self-signed root certificate

c) Deploy VPN Client Configuration

Configuration – Configure Virtual Network

Click +New | Network Services | Virtual Network | Custom Create

Enter Virtual Network Details

Make sure to select “Configure a point-to-site VPN”

Configure the address space of your virtual network

Once you have completed the wizard, you need to create a dynamic routing gateway; this takes around 10–20 minutes. Click on the virtual network you created in the previous steps, then click + Create Gateway.

After about 20 minutes, this is how it looks. The system now requires us to proceed to the next step.

Configuration – Create Self-Signed Root Certificate

1. Download and install Visual Studio Express 2013 for Windows Desktop to create the self-signed root certificate. In our example we created a self-signed root certificate and a client certificate.

Create Self-Signed Root Certificate

Create Client Certificate. Generate the client certificate from the root certificate (the copy that contains the private key) and install it on each client computer that you want to connect to the VPN.

Install the self-signed root certificate and the client certificate on your primary domain controller. You can verify this with the Certificates MMC snap-in; both certificates are listed there.

2. Upload the root certificate .cer file (without the private key) to the Management Portal.
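The certificate steps above can also be scripted. The following is an added example (not from the original post) that creates the self-signed root and the client certificate with makecert.exe, verifies both in the Personal store (the same check the post does in the MMC snap-in), and exports the root's public part as a .cer without the private key, which is the file to upload. The certificate names and the output folder are assumptions; it assumes makecert.exe (shipped with Visual Studio / the Windows SDK) is on PATH and runs in an elevated PowerShell on Windows 8.1 / Server 2012 R2 (Export-Certificate and Export-PfxCertificate need PowerShell 4).

```powershell
# Added example (not the original post's code): self-signed root + client
# certificate for point-to-site VPN, then export the root WITHOUT its private key.
$rootName   = "P2SRootCert"     # assumed names; pick your own
$clientName = "P2SClientCert"
$exportDir  = "C:\P2S"          # assumed output folder

New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Self-signed root: exportable private key (-pe), 2048-bit RSA,
#    stored in the current user's Personal store (-ss My).
& makecert.exe -sky exchange -r -n "CN=$rootName" -pe -a sha1 -len 2048 -ss My "$exportDir\$rootName.cer"

# 2. Client certificate issued by that root (-in / -is point at the root
#    in the Personal store), valid for 96 months (-m 96).
& makecert.exe -n "CN=$clientName" -pe -sky exchange -m 96 -ss My -in $rootName -is My -a sha1

# 3. Verify both certificates are present and which ones carry a private key.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -in "CN=$rootName", "CN=$clientName" }
$certs | Format-Table Subject, Issuer, NotAfter, HasPrivateKey -AutoSize

# 4. Export only the root's public certificate (DER .cer). Export-Certificate
#    never writes the private key, which is exactly what the portal upload needs.
$root = $certs | Where-Object { $_.Subject -eq "CN=$rootName" }
Export-Certificate -Cert $root -FilePath "$exportDir\$rootName-upload.cer" -Type CERT | Out-Null

# 5. Export the client certificate WITH its private key as a password-protected
#    PFX, to be installed on each client computer that will connect.
$pfxPassword = Read-Host -AsSecureString "Password for client PFX"
$client = $certs | Where-Object { $_.Subject -eq "CN=$clientName" }
Export-PfxCertificate -Cert $client -FilePath "$exportDir\$clientName.pfx" -Password $pfxPassword | Out-Null
```

Keep the root's private key (and the client PFX) off the machines that do not need them: anyone holding the root private key can mint client certificates that the gateway will trust, so the .cer uploaded to the portal is the public part only.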

We use SSTP (Secure Socket Tunneling Protocol) to tunnel through firewalls; the tunnel appears as an HTTPS connection.

Configuration – VPN Client Configuration

With the certificates uploaded and installed, you can download and install the VPN client package on your primary domain controller.

In your network connections, a new connection has been created. Right-click it and select Connect.

Click Connect to establish the connection.

If successful, the network status shows “Connected”.

To verify, go to a command prompt and type ipconfig /all.

Your domain controller will get a virtual network IP address (10.0.0.2).

Back in the Windows Azure Management Portal, refresh the dashboard. Voila! The connection is “Established”.

With the connection established between our premises and Windows Azure, we can now start building the read-only domain controller VM in Windows Azure.

Please check out our other posts:

Sunday, February 23, 2014

Secure Your Hyper-V Infrastructure By Using 5Nine Cloud Security

In this post we look at a recently launched security product that uses the Hyper-V extensible switch: 5Nine Cloud Security. It provides agentless antivirus, compliance enforcement and traffic control/VM isolation.

5Nine Cloud Security version 4 supports the following operating systems:

  • Windows Server 2012 Hyper-V
  • Windows Server 2012 R2 Hyper-V
  • Windows 8 Professional with the Hyper-V role enabled

For guest VMs: any version.

After installing the 5Nine Cloud Security Host Management Service on the Hyper-V server, you can see a newly added 5Nine vFW extension on your virtual switch.

We tested a few features of 5Nine Cloud Security; here is the outcome:

User Management and Tenants

You can assign Security Administrator or Auditor permissions on VMs and operations through the management console. A user granted Security Administrator has full permission on the Hyper-V cloud.

The Auditor right allows the user to view the antivirus, active protection agent, virtual firewall and IDS logs, but not to apply any changes.

Virtual Firewall

For the virtual firewall, you can define global rules or user-defined groups.

It is recommended to define global rules first, as these are the default rules applied to every VM that is set to use the virtual firewall. In our lab environment we defined rules to allow RDP, ICMP ping, LDAP and DNS traffic to the RED-MAP01 virtual machine and block all other traffic. In our test, we could not access the web page hosted on this VM.

Next are user-defined groups. These rules apply only to the VMs you assign them to. Remember that we want to access the web page inside the RED-MAP01 VM. Previously we created global rules that block all traffic except certain ports. Since we want to allow HTTP so we can view the web page, we create a group, Web, and set it to allow HTTP. From there, you apply that rule to the RED-MAP01 virtual machine.

In the screenshot below, a new user-defined rule has been added to allow inbound traffic to the RED-MAP01 virtual machine. After setting the rule we were able to view the web page.

In the log you can also see that a lot of unwanted traffic has been blocked, which helps keep the VMs protected from those threats.

Antivirus

There are two ways antivirus works in Cloud Security:

a) Agentless

Without installing an agent in each VM, you can secure the VM by creating pre-defined schedules to run anti-malware scans, or by running on-demand anti-malware scans. Version 4 provides a fast incremental scan technology that is claimed to be up to 50x faster than traditional full scans.

In our lab test we tried to prove that it is as fast as claimed. We ran a full scan and found no virus on 15 Feb 2014. Then we placed the “EICAR” test virus in one of the VMs and ran an anti-malware scan on 16 Feb 2014. 5Nine immediately detected the test virus and quarantined it. This showed that it ran an incremental scan rather than a full scan to detect our test virus during the on-demand scan.

b) Agent-based

A new active protection agent is installed to provide real-time virtual machine protection, including file access control. If you have an existing antivirus agent on the virtual machine, we recommend that you do not enable “Active Protection”, to avoid a BSOD or other potential problems.

For both antivirus methods, you can define virus names, folders or paths to block.

5Nine Cloud Security includes several built-in exclusions that are left out of anti-malware protection and allowed on your system. There is also an option to add your own exclusion paths, files and folders.

Intrusion Detection System (IDS)

The next feature available in 5Nine Cloud Security is IDS. It uses the Snort engine to check for packet anomalies that could signify a potential attack on the virtual machine.

Centralized Management (SCVMM Plug-in)

This was not available during our testing. Based on the information we received, the SCVMM plug-in should be ready in March 2014. We will test it and let you know the outcome when it is released to the public.

Closing…

That’s all from our test lab evaluation. Give it a try and see whether it works to protect your virtualization infrastructure.

For more information, please visit the 5Nine website.

Friday, February 21, 2014

Upload a Virtual Machine to Windows Azure

Let's have a look at how to upload an existing virtual machine to Windows Azure. This process comes in handy when you want to migrate an existing virtual disk running on Hyper-V to Windows Azure.

To do so, please read the prerequisites below.

1. Assign a person the Service Administrator or Co-Administrator role in the Windows Azure Portal. Go to Settings | Administrator. The person who is going to upload the VHD must have the Service Administrator or Co-Administrator role.

2. A management certificate is required. The certificate can be self-signed. Upload the certificate at Settings | Management Certificates. Make sure this certificate is installed on the machine you plan to upload the VHD from.

3. Get the storage account URL. You can get it from Storage | Storage Account Name | Containers.

4. Use Windows Azure PowerShell and the Add-AzureVHD command to upload the VHD. Before you upload, take a few seconds to check these requirements for your virtual disk:

  • Must be in VHD format. Use Hyper-V Manager or Convert-VHD to convert VHDX to VHD.
  • Only fixed disks are supported. When uploading, the disk can be a dynamic disk; Windows Azure will convert it to a fixed disk. Do not upload a differencing disk, as it is unsupported.
  • Allow RDP access on your virtual disk so you can remote into the VM once the VHD has been uploaded.
  • Must be in a sysprepped state and run a supported Windows operating system stored in a .vhd file:
    • Windows Server 2008 R2 with SP1 (all editions)
    • Windows Server 2012 (all editions)
  • Configure the default subscription used for uploading the VHD:
Import-AzurePublishSettingsFile "your subscription settings"

  • Configure the default storage account to upload the VHD to. You can get the subscription name with the command Get-AzureSubscription. For the storage account name, refer to step 3.
Set-AzureSubscription -SubscriptionName "Converted Windows Azure MSDN - Visual Studio Premium" -CurrentStorageAccountName "portalvhdscqm83jwmy4nzq"

Lastly, use the Add-AzureVHD command:

$sourcevhd = "C:\AzureWin2012R2Std.vhd"
$destinationvhd = "http://portalvhdscqm83jwmy4nzq.blob.core.windows.net/vhds/AzureWin2012R2Std.vhd"

Add-AzureVHD -LocalFilePath $sourcevhd -Destination $destinationvhd

The output above shows that it uploaded the dynamic disk to Azure Storage and converted it to a fixed disk. You can verify this in the Windows Azure Portal. Our dynamic disk was around 8 GB and was converted to an 80 GB fixed disk.

Last but not least, after uploading your VHD you need to add an image to your list of custom images. In the Management Portal, under All Items, click Virtual Machines | Images | Create. Enter the name and make sure you select “I have run sysprep on the virtual machine associated with this VHD” to acknowledge that you generalized the operating system.
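Steps 4 and the image registration above can be done end to end in one script. This is an added example, not the original post's script: it checks the disk against the requirements listed (VHD format, no differencing disk), loads the subscription, builds the destination URL from the storage account's blob endpoint, uploads with Add-AzureVhd, and then registers the VHD as a custom image with Add-AzureVMImage instead of using the portal. It assumes the Hyper-V PowerShell module (Get-VHD) and the Windows Azure PowerShell module are installed and that the .publishsettings file has already been downloaded; the .publishsettings path and the image name are placeholders, while the subscription and storage account names are the ones used in the post.

```powershell
# Added example (not the original post's script): pre-check, upload and
# register a VHD as a custom image with the Windows Azure PowerShell cmdlets.
$publishSettings  = "C:\Azure\my-subscription.publishsettings"   # placeholder
$subscriptionName = "Converted Windows Azure MSDN - Visual Studio Premium"
$storageAccount   = "portalvhdscqm83jwmy4nzq"
$sourceVhd        = "C:\AzureWin2012R2Std.vhd"
$imageName        = "Win2012R2Std-Custom"                         # placeholder

# 1. Check the disk meets the upload requirements listed in the post.
$vhd = Get-VHD -Path $sourceVhd
if ($vhd.VhdFormat -ne "VHD") {
    throw "Azure needs VHD format, got $($vhd.VhdFormat). Run Convert-VHD first."
}
if ($vhd.VhdType -eq "Differencing") {
    throw "Differencing disks are not supported; merge or convert the disk first."
}
# Dynamic disks are accepted: Add-AzureVhd converts them to fixed while
# uploading, so the blob in storage will be the disk's maximum size.
"{0} disk, {1:N0} GB maximum size" -f $vhd.VhdType, ($vhd.Size / 1GB)

# 2. Load the subscription and point it at the storage account (the post's steps).
Import-AzurePublishSettingsFile $publishSettings
Set-AzureSubscription -SubscriptionName $subscriptionName -CurrentStorageAccountName $storageAccount
Select-AzureSubscription -SubscriptionName $subscriptionName

# 3. Build the destination URL from the account's blob endpoint rather than
#    typing it by hand (endpoint strings end with "/").
$blobEndpoint = (Get-AzureStorageAccount -StorageAccountName $storageAccount).Endpoints |
    Where-Object { $_ -like "*blob*" } | Select-Object -First 1
$destinationVhd = "{0}vhds/{1}" -f $blobEndpoint, (Split-Path $sourceVhd -Leaf)

# 4. Upload; several uploader threads speed up large disks.
Add-AzureVhd -LocalFilePath $sourceVhd -Destination $destinationVhd -NumberOfUploaderThreads 8

# 5. Register the uploaded, sysprepped VHD as a custom image (the portal's
#    Images | Create step). Only do this for a generalized OS disk.
Add-AzureVMImage -ImageName $imageName -MediaLocation $destinationVhd -OS Windows -Label $imageName
Get-AzureVMImage -ImageName $imageName | Format-List ImageName, OS, MediaLink
```

The management certificate from step 2 is what authorizes every call in this script, so treat the .publishsettings file (it embeds that certificate) like a credential and remove it from the upload machine when you are done.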

Now you can select your custom image from the gallery and provision a virtual machine using your own pre-installed operating system.

Wednesday, February 19, 2014

Windows Server 2012 R2 Products and Edition Comparison

Microsoft recently released a PDF document comparing the different Windows Server 2012 R2 products and editions (click the image to view it larger). The chart includes information about locks and limits, which server roles are supported and which features are available.

It comes in handy for anyone who wants a quick glance at which roles and features are available.

As highlighted in green, the Hyper-V role is not available on the following products and editions:

  • Windows Server 2012 R2 Foundation
  • Windows Server 2012 R2 Essentials
  • Windows Storage Server 2012 R2 Workgroup

To download, click here.

Monday, February 17, 2014

Virtual Machine Availability in Windows Azure

Lately I have been configuring virtual machines in Windows Azure for my test lab. While playing around, I wondered what availability options exist to keep applications highly available when Microsoft (the service provider) performs hardware replacement or upgrades, or when network failures occur, etc. Let's read on about how we can achieve availability.

Storage

You can set the redundancy of the storage that holds the virtual disks of your virtual machines. By default, three copies of each virtual hard disk are stored in the data center. When geo-redundancy is enabled, an additional three copies are stored in a different data center.

The Locally Redundant option replicates your data within the same region. For example, in the Southeast Asia region, the storage in the Singapore data center is replicated to the Hong Kong data center.

Meanwhile, Geo-Redundant replicates your data to a secondary storage region to protect against an outage in the primary data center or a data center failure.

You can enable this option when creating the storage account or afterwards.

Virtual machine

Next, let's look at virtual machine availability. To do so:

  • Add VMs to availability set
  • Create availability set
  • Add an existing VM to an availability Set

You manage the availability of an application by creating at least two virtual machines and configuring them to use the same availability set.
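Both the storage redundancy setting and the availability set steps above can be done with the Windows Azure (service management) PowerShell cmdlets. The following is an added example, not from the original post: it creates a storage account and turns on geo-replication, creates two web VMs in an availability set named Web, and adds an existing VM to a Database set. The location, storage account and cloud service names, image family and admin credentials are placeholders; it assumes the subscription has already been loaded with Import-AzurePublishSettingsFile and that the existing database VM lives in the same cloud service.

```powershell
# Added example (not from the original post): storage redundancy plus
# availability sets via the Windows Azure PowerShell cmdlets.
$location    = "Southeast Asia"
$storageName = "ms4ustorage"        # placeholder; must be globally unique, lowercase
$serviceName = "MS4UWebService"     # placeholder cloud service hosting the VMs
$adminUser   = "ms4uadmin"          # placeholder
$adminPass   = Read-Host "Admin password for the new VMs"

# Pick the newest Windows Server 2012 R2 Datacenter gallery image.
$imageName = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -like "Windows Server 2012 R2 Datacenter*" } |
    Sort-Object PublishedDate -Descending | Select-Object -First 1).ImageName

# Storage: geo-redundant keeps three extra copies in the paired region.
New-AzureStorageAccount -StorageAccountName $storageName -Location $location
Set-AzureStorageAccount -StorageAccountName $storageName -GeoReplicationEnabled $true
$subName = (Get-AzureSubscription -Current).SubscriptionName
Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccountName $storageName

# Two web VMs in availability set "Web": Azure places them in different fault
# and update domains, so a rack failure or a host patch takes down at most one.
$vms = foreach ($n in 1, 2) {
    New-AzureVMConfig -Name "MS4UWeb0$n" -InstanceSize Small -ImageName $imageName -AvailabilitySetName "Web" |
        Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPass
}
New-AzureVM -ServiceName $serviceName -Location $location -VMs $vms

# Adding an existing VM (already deployed in the same cloud service) to a set.
Get-AzureVM -ServiceName $serviceName -Name "MS4UDb01" |
    Set-AzureAvailabilitySet -AvailabilitySetName "Database" |
    Update-AzureVM

# Verify the membership.
Get-AzureVM -ServiceName $serviceName | Format-Table Name, AvailabilitySetName, Status -AutoSize
```

A single VM gives no fault or update domain separation; only the set with two or more members gets the placement described in the rest of the post.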

For example, we created two virtual machines for web under Availability Set Web and two virtual machines for database under Availability Set Database.

Here is the end result: Availability Set Web consists of two virtual machines, “MS4UWeb01” and “MS4UWeb02”.

Database end result: Availability Set Database consists of two virtual machines, “MS4UDb01” and “MS4UDb02”.

Availability sets are directly related to fault domains and update domains. A fault domain is equivalent to a rack of physical servers and is defined to avoid a single point of failure such as the rack's power unit, a motherboard failure or a network switch. When multiple virtual machines are put in the same availability set, each virtual machine is allocated to a different fault domain.

The screenshots below show how Azure allocates the web and database VMs to different update and fault domains.

Next, what about update domains? Windows Azure constantly updates the Hyper-V host operating system to fix OS bugs. While the host operating system is being patched, the virtual machine is offline, which causes downtime. This is where update domains come into the picture.

An update domain is used to ensure that not all of the virtual machines are updated at the same time. When assigned to an availability set, virtual machines are assigned to different update domains.

The diagram above depicts how each virtual machine in our example has been assigned to an availability set, fault domain and update domain to ensure virtual machine availability.

Wednesday, February 12, 2014

Unboxing StorSimple

This is a weird post. Most people post about unboxing a new smartphone or tablet, but I’m posting about my experience unboxing a StorSimple box. Anyway, let's start unboxing.

First experience when unboxing and taking out the StorSimple unit:

It’s heavy. The unit itself is 32 kg, so it is recommended that two people handle the box and mount it in the rack.

This is how the StorSimple 2U box looks. The front panel and hard disks are white. You can look closer at the hard disks in the pictures below:

What about the back? The unit comes with two redundant power supplies and two controllers running active/passive, with four Ethernet connections.

Lastly, the accessories:

For first-time configuration, you need to use the serial cable provided. If you are using Windows 8.1, you need to download Tera Term (a terminal emulator) to configure the management IP address. Once you have configured the management IP, you can manage the unit from a web browser with Silverlight support.

Power on

Here you need a travel adapter to convert the power plug (for a different country; not sure which) to a 3-pin socket. Make sure to plug in both power supplies, or else the unit will keep beeping continuously. Trust me, it is a very annoying sound.

Before you proceed further, it is recommended to upgrade the firmware to the latest version. You can get it from the StorSimple site.

Once you have done that, make sure no hardware alert is detected by the system. If there is one, you need to resolve it before you can proceed with the firmware upgrade.

Well, that’s all for now… Let me enjoy playing with the physical box.

Power off

After turning off the power supply, the box still has power for a few minutes. Probably it is a protection mechanism to save the configuration to the controller and avoid data corruption.

Do check out my previous post about StorSimple: