Azure Stack Technology in Depth, Part 3: Azure Stack Operations and Maintenance Tools, Azure Stack Tools Use and Practice

Keywords: network VPN Windows Linux

Azure Stack, which grew out of Azure, is the only hybrid cloud platform consistent with the industry's leading public cloud platform, and it lets enterprise customers deliver Azure cloud services from their own data centers. As the third article of the "Azure Stack Technology in Depth" series, this article explains how to manage and maintain the environment quickly after Azure Stack is deployed, including virtual machine management, remote VPN connection, uploading deployment images, remote monitoring and so on. We will work through using and managing an Azure Stack cluster with Azure Stack Tools, a set of operation and maintenance tools for Azure Stack.

Azure Stack Tools is an Azure Stack toolkit maintained on GitHub: a set of scripts built on Azure Resource Manager that the Microsoft Azure Stack team provides for developers and operators. To give hybrid cloud management a consistent operational model, it follows the design conventions of the Azure Resource Manager cmdlets, so developers and operators can use Azure Stack Tools in the same way as the AzureRM modules. Unlike the portal, Azure Stack Tools can batch related operations and monitor them, saving operators repetitive work.


In this article, we will discuss the following aspects:

  • Preparations: pre-deployment preparation and obtaining Azure Stack Tools

  • Features and examples: the Azure Stack installation helper, remote connection, uploading images, virtual machine deployment, deployment templates

While this article was being written, Azure Stack Development Kit (the name of the Azure Stack PoC after GA) reached GA, and Azure Stack Tools received some updates on July 10, 2017. We will update the relevant technical documents after testing against the updated content.

I. Pre-deployment Preparation

Before deployment, confirm that the physical environment meets the basic deployment requirements; see Chapter 1, "Pre-deployment Preparation", of <Azure-Stack-PoC-Deployment>.

II. Obtaining Azure Stack Tools

First, download Azure Stack Tools from the code repository with git:

git clone https://github.com/Azure/AzureStack-Tools.git --recursive

Opening the AzureStack-Tools folder, we see the Azure Stack Tools sub-modules, which cover deployment, VPN connection, virtual machine management, monitoring and other functions. This article focuses on deployment, connection and virtual machine management.

III. Auxiliary Azure Stack Installation Tool

Azure Stack Tools contains several scripts used in the Azure Stack deployment process. Since the release of Azure Stack Development Kit, a new GUI-based deployment model has simplified deployment; interested readers can still study the scripts in Azure Stack Tools, which help in understanding the Azure Stack infrastructure.

Before using Azure Stack Tools, the PowerShell modules must be installed. The following commands list the AzureRM and AzureStack modules installed locally (Find-Module, by contrast, only searches the PowerShell Gallery and does not tell you what is installed):

# List locally installed modules; Find-Module would query the gallery instead
Get-Module -ListAvailable -Name AzureRM.*
Get-Module -ListAvailable -Name AzureStack.*

If the modules appear in the output, the AzureRM module is already installed.

Otherwise, run the following to install AzureRM and the AzureStack module:

Install-Module -Name 'AzureRm.Bootstrapper' -Scope CurrentUser
Install-AzureRmProfile -profile '2017-03-09-profile' -Force -Scope CurrentUser
Install-Module -Name AzureStack -RequiredVersion 1.2.9 -Scope CurrentUser

Now open PowerShell and start the installation process.

First download the Azure Stack TP3 support files, then change to that directory and run PrepareBootFromVHD.ps1.

# Variables
$Uri = 'https://raw.githubusercontent.com/Azure/AzureStack-Tools/master/Deployment/'
$LocalPath = 'c:\AzureStack_TP3_SupportFiles'

# Create folder
New-Item $LocalPath -Type directory

# Download files
'BootMenuNoKVM.ps1', 'PrepareBootFromVHD.ps1', 'Unattend.xml', 'unattend_NoKVM.xml' | foreach {
    Invoke-WebRequest ($Uri + $_) -OutFile ($LocalPath + '\' + $_)
}

# Change to the support file directory and deploy from VHD
Set-Location $LocalPath
.\PrepareBootFromVHD.ps1 -CloudBuilderDiskPath C:\CloudBuilder.vhdx -ApplyUnattend

After these operations the host must be restarted.

Restart-Computer -Force

IV. Remote Connection

There are two ways to access Azure Stack services. One is to connect to the MAS-CON01 machine on the Azure Stack host through Remote Desktop (RDP). The other is a VPN tunnel, which makes our computer part of the Azure Stack network so that it can reach Azure Stack directly. The advantage of the VPN is that multiple users can use Azure Stack at the same time. This section shows how to connect to Azure Stack over VPN.

Let's walk through the Azure Stack VPN connection process.

The Azure Stack Tools toolkit has several modules; the VPN connection cmdlets live in AzureStack.Connect.psm1 in the Connect folder, so import that module first.

Import-Module .\Connect\AzureStack.Connect.psm1

Using Windows Remote Management (WinRM), add the Azure Stack host and the MAS-CA01 certificate authority to the local computer's trusted hosts. Here $hostIP is the IP address of the host on which the Azure Stack platform is installed.

# Execute in PowerShell
winrm quickconfig
# Add Azure Stack One Node host & CA to the trusted hosts on your client computer
$hostIP = '<Azure Stack host IP address>'
Set-Item wsman:\localhost\Client\TrustedHosts -Value $hostIP -Concatenate
Set-Item wsman:\localhost\Client\TrustedHosts -Value mas-ca01.azurestack.local -Concatenate

Query the BGP-NAT server to get the NAT IP address. $Password is the administrator password of the infrastructure virtual machines, set during Azure Stack deployment.

# $Password holds the infrastructure administrator password as a SecureString
$Password = Read-Host -AsSecureString -Prompt 'Azure Stack administrator password'
# Update Azure Stack host address to be the IP Address of the Azure Stack POC Host
$natIp = Get-AzureStackNatServerAddress -HostComputer $hostIP -Password $Password

With the NAT IP in hand, add the VPN connection and connect:

# Create VPN connection entry for the current user
Add-AzureStackVpnConnection -ServerAddress $natIp -Password $Password
# Connect to the Azure Stack instance. This command can also be used to reconnect
Connect-AzureStackVpn -Password $Password

After completing the above steps, open the network connections view on the Windows computer: it shows that the computer is now connected to the Azure Stack network.

To test the portal connection, open a browser and navigate to the user portal (https://publicportal.local.azurestack.external) or the administrator portal (https://portal.local.azurestack.external), sign in and create resources.

Before closing the VPN connection, we can register two AzureRM environments for Azure Stack. The benefit is that when we use PowerShell for scripted Azure Stack deployment and template building, these two environments let us obtain the tenant ID and develop against Azure Stack with the AzureRM module cmdlets.

# Remove existing environments
Remove-AzureRmEnvironment -Name AzureStack
Remove-AzureRmEnvironment -Name AzureStackAdmin
# Set the AzureStack (tenant) ARM endpoint
Add-AzureStackAzureRmEnvironment -Name "AzureStack" -ArmEndpoint "https://management.local.azurestack.external"
# Set the AzureStackAdmin ARM endpoint
Add-AzureStackAzureRmEnvironment -Name "AzureStackAdmin" -ArmEndpoint "https://adminmanagement.local.azurestack.external"

Starting with TP3, Azure Stack separates the admin and tenant portals and endpoints to meet customers' security requirements. Only administrators performing management operations, such as adding a resource provider or an image, log in to the AzureStackAdmin environment; tenants performing their own operations log in to the tenant environment (AzureStackUser, registered above under the name AzureStack). A tenant account does not have admin privileges and cannot log in to AzureStackAdmin.

# Use one of the two following commands, depending on the identity system of the deployment
# Get the AAD Tenant GUID
$TenantID = Get-DirectoryTenantID -AADTenantName "<mydirectorytenant>.onmicrosoft.com" -EnvironmentName AzureStackAdmin
# Get the ADFS Tenant GUID
$TenantID = Get-DirectoryTenantID -ADFS -EnvironmentName AzureStackAdmin
# Sign in as Admin to the AzureStackAdmin ARM endpoint
# e.g. username: pengtest1@azurestack.local
Login-AzureRmAccount -EnvironmentName "AzureStackAdmin" -TenantId $TenantID
# Sign in to the tenant ARM endpoint
Login-AzureRmAccount -EnvironmentName "AzureStack" -TenantId $TenantID
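The connection steps above change two things on the operator's workstation that are worth checking before any credentials are sent: the WinRM TrustedHosts list (which governs which hosts may receive your credentials over WinRM) and the VPN tunnel. The following helper is an added example written for this article, not code from the AzureStack-Tools repository. It assumes $hostIP is the Azure Stack host address as set above, that the VPN entry is named 'azurestack' (a hypothetical default; pass the name you gave Add-AzureStackVpnConnection), and that the ARM endpoints are the PoC defaults used in this article.

```powershell
# Added example (not from Azure Stack Tools): verify the workstation side of the connection
# procedure before logging in. Assumptions: $hostIP as defined above; VPN entry name 'azurestack'.

function Test-TrustedHostsScope {
    param([Parameter(Mandatory)][string[]]$Expected)
    $current = (Get-Item wsman:\localhost\Client\TrustedHosts).Value
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # A wildcard entry lets any machine receive WinRM credentials from this client; flag it.
    if ($entries -contains '*') {
        Write-Warning "TrustedHosts contains '*'; restrict it to: $($Expected -join ', ')"
        return $false
    }
    $missing = @($Expected | Where-Object { $entries -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "TrustedHosts is missing: $($missing -join ', ')"
        return $false
    }
    # -Concatenate appends on every run, so repeated runs leave duplicates or stale hosts behind
    $extra = @($entries | Where-Object { $Expected -notcontains $_ })
    if ($extra.Count -gt 0) {
        Write-Warning "TrustedHosts has entries not needed for Azure Stack: $($extra -join ', ')"
    }
    return $true
}

function Test-AzureStackVpnReady {
    param(
        [string]$ConnectionName = 'azurestack',   # assumption: name used with Add-AzureStackVpnConnection
        [string[]]$ArmEndpoints = @('management.local.azurestack.external',
                                    'adminmanagement.local.azurestack.external')
    )
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $vpn) {
        Write-Warning "No VPN entry named '$ConnectionName'; run Add-AzureStackVpnConnection first"
        return $false
    }
    if ($vpn.ConnectionStatus -ne 'Connected') {
        Write-Warning "VPN '$ConnectionName' is $($vpn.ConnectionStatus); run Connect-AzureStackVpn first"
        return $false
    }
    # Both ARM endpoints must answer on 443 through the tunnel before Login-AzureRmAccount can work
    $ok = $true
    foreach ($endpoint in $ArmEndpoints) {
        $probe = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
        if (-not $probe.TcpTestSucceeded) {
            Write-Warning "$endpoint does not answer on TCP 443"
            $ok = $false
        }
    }
    return $ok
}

# Usage, with $hostIP set as in the connection steps above:
# Test-TrustedHostsScope -Expected @($hostIP, 'mas-ca01.azurestack.local')
# Test-AzureStackVpnReady
```

Run the two checks in that order: the TrustedHosts check needs no connectivity, and the VPN check tells you whether the tunnel or the endpoint registration is the problem when Login-AzureRmAccount fails.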

V. Uploading Images

When the Azure Stack installation completes, it contains nothing: there is no VHD image in the image library. To add an image to the Marketplace, we can use the ComputeAdmin module of Azure Stack Tools to upload one.

In the figure below, two image resources appear under Virtual Machines: Ubuntu 14.02 and Windows Server 2016. Linux and Windows images are built in different ways; this article focuses on the upload operation. Readers who want to know how to build an image can follow this link.

Before creating the image resource, load the Connect module and the ComputeAdmin module.

Import-Module .\Connect\AzureStack.Connect.psm1
Import-Module .\ComputeAdmin\AzureStack.ComputeAdmin.psm1

In the previous section we opened the VPN tunnel to Azure Stack. We continue in that environment and obtain the tenant ID.

# Get tenant id
$TenantID = Get-DirectoryTenantID -ADFS -EnvironmentName AzureStackAdmin

Then log in to the Azure Stack admin environment through the AzureRM module. Does this look familiar? Yes, it is the most basic script pattern in Azure PowerShell development. To keep Azure and Azure Stack consistent in development and operation, Microsoft has largely followed the Azure Resource Manager conventions; the code we use to create virtual machines in the next chapter also conforms to this convention.

Back to the topic: log in to Azure Stack with the following code:

# Login with the administrator account
Login-AzureRmAccount -EnvironmentName "AzureStackAdmin" -TenantId $TenantID

A dialog box pops up asking for the password of the Azure Stack administrator account:

  • In ADFS mode: images must be uploaded with the azurestackadmin@azurestack.local account; the azurestack\AzureStackAdmin domain account cannot be used.

  • In AAD mode: provide the password of the global Azure account used to install Azure Stack.

For a Windows image, we use the following code:

$ISOPath = "<Path to ISO>"
New-Server2016VMImage -ISOPath $ISOPath -TenantId $TenantID -EnvironmentName "AzureStackAdmin"

For a Linux image, we use this code:

$ISOPath = "<Path to ISO>"
Add-VMImage -publisher "Canonical" -offer "UbuntuServer" -sku "14.04.3-LTS" -version "1.0.1" -osType Linux `
    -osDiskLocalPath $ISOPath -tenantID $TenantID -EnvironmentName "AzureStackAdmin"

Since images are usually large, uploading them over the remote VPN is slow. A handy alternative is to log on to the MAS-CON01 virtual machine through RDP, copy the image there, and run the upload from inside that virtual machine.

When we run the code, PowerShell displays the following output. From an analysis of the Azure Stack components, the upload process can be understood as three steps:

After the image upload completes, gallery items are created automatically so that users can create resources in self-service fashion through the portal. The custom image creation process will be covered in the fourth article of the "Azure Stack Technology in Depth" series. The figure below shows the image upload process; Azure Stack Tools prints a JSON-formatted block containing the basic information of the image upload.

In the screenshot below, the uploaded image is placed in a container in blob storage, in a storage account named addvmimagestorageaccount.

When all of the above completes, StatusCode shows Created, indicating that the image has been uploaded successfully. We can now return to the Azure Stack portal and create virtual machines from the image.
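Whatever reaches addvmimagestorageaccount becomes a gallery item that every tenant can deploy from, so the file handed to Add-VMImage deserves a check and a record before upload. The following is an added example for this article, not part of Azure Stack Tools: it reads the 512-byte VHD footer directly (so it does not need the Hyper-V module), rejects anything that is not a fixed-size, MiB-aligned .vhd, records the SHA256 of the file, and only then calls Add-VMImage with the same Canonical/UbuntuServer values used above. $ImagePath and the defaults for sku and version are assumptions.

```powershell
# Added example (not from the original post or Azure Stack Tools): validate and hash a VHD
# before it becomes a Marketplace image. Assumes the VHD footer layout (cookie "conectix",
# big-endian disk type field at offset 60) and the Canonical/UbuntuServer publisher values above.

function Test-AzureStackVhd {
    param([Parameter(Mandatory)][string]$Path)
    $result = [pscustomobject]@{
        Path = $Path; Valid = $false; DiskType = 'unknown'; SizeBytes = 0; Sha256 = ''; Problems = @()
    }
    if (-not (Test-Path -LiteralPath $Path)) { $result.Problems += 'file not found'; return $result }
    if ([System.IO.Path]::GetExtension($Path) -ne '.vhd') {
        $result.Problems += 'not a .vhd file (VHDX is not accepted for images)'
    }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $result.SizeBytes = $fs.Length
        if ($fs.Length -lt 512) { $result.Problems += 'file too small to contain a VHD footer'; return $result }
        # The VHD footer is the last 512 bytes of the file
        $null = $fs.Seek(-512, [System.IO.SeekOrigin]::End)
        $footer = New-Object byte[] 512
        $null = $fs.Read($footer, 0, 512)
    } finally { $fs.Dispose() }
    if ([System.Text.Encoding]::ASCII.GetString($footer, 0, 8) -ne 'conectix') {
        $result.Problems += 'missing VHD footer cookie'; return $result
    }
    # Disk type at footer offset 60 (big-endian): 2 = fixed, 3 = dynamic, 4 = differencing
    $type = ([long]$footer[60] -shl 24) -bor ([long]$footer[61] -shl 16) -bor ([long]$footer[62] -shl 8) -bor [long]$footer[63]
    $result.DiskType = switch ($type) { 2 { 'fixed' } 3 { 'dynamic' } 4 { 'differencing' } default { "type $type" } }
    if ($type -ne 2) { $result.Problems += "disk type is $($result.DiskType); images must be fixed-size VHDs" }
    # The data area (file minus footer) must be a whole number of MiB
    if ((($result.SizeBytes - 512) % 1MB) -ne 0) { $result.Problems += 'virtual size is not MiB-aligned' }
    # Record the hash so the gallery item can be traced back to a known file
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.Valid = ($result.Problems.Count -eq 0)
    return $result
}

function Publish-ValidatedLinuxImage {
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [Parameter(Mandatory)][string]$TenantId,
        [string]$Sku = '14.04.3-LTS',   # assumed defaults, same values as the upload command above
        [string]$Version = '1.0.1'
    )
    $check = Test-AzureStackVhd -Path $ImagePath
    if (-not $check.Valid) { throw "Refusing to upload $ImagePath : $($check.Problems -join '; ')" }
    Write-Host ("Uploading {0} ({1}, {2:N2} GB, SHA256 {3})" -f $ImagePath, $check.DiskType, ($check.SizeBytes / 1GB), $check.Sha256)
    Add-VMImage -publisher "Canonical" -offer "UbuntuServer" -sku $Sku -version $Version -osType Linux `
        -osDiskLocalPath $ImagePath -tenantID $TenantId -EnvironmentName "AzureStackAdmin"
}

# Usage (path is a placeholder): Publish-ValidatedLinuxImage -ImagePath 'C:\images\ubuntu.vhd' -TenantId $TenantID
```

Keep the printed SHA256 together with the publisher/offer/sku/version in your change record; when a gallery item is later questioned, that line is what lets you match it to the file that was actually uploaded.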

VI. Deployment of virtual machines

Deploying a virtual machine in Azure Stack is the same as deploying one on Azure. We deploy a virtual machine on Azure Stack with the following code.

First, create a resource group.

# Create a resource group
New-AzureRmResourceGroup -Name 'myResourceGroup1' -Location "local"

Note: the -Location parameter must be "local" or the user-defined region name, which differs from the Azure public cloud.

Then create the virtual network and subnet, and allocate a public IP address.

############### Create networking resources ###############
# Create a subnet configuration
$subnetConfig = New-AzureRmVirtualNetworkSubnetConfig -Name 'mySubnet01' `
    -AddressPrefix 10.0.1.0/24
# Create a virtual network
$vnet = New-AzureRmVirtualNetwork -ResourceGroupName 'myResourceGroup1' `
    -Location 'local' -Name myResourceGroup1-vnet `
    -AddressPrefix 10.0.0.0/16 -Subnet $subnetConfig
# Create a static public IP address
$pip = New-AzureRmPublicIpAddress -ResourceGroupName 'myResourceGroup1' `
    -Location 'local' -AllocationMethod Static `
    -IdleTimeoutInMinutes 4 -Name "test1-ip"

After adding the public IP, we add a network security group for the virtual machine, and then the network interface that ties the subnet, public IP and NSG together.

# Create an inbound network security group rule for port 3389
$nsgRuleRDP = New-AzureRmNetworkSecurityRuleConfig `
    -Name myNetworkSecurityGroupRuleRDP -Protocol Tcp `
    -Direction Inbound -Priority 1000 -SourceAddressPrefix * `
    -SourcePortRange * -DestinationAddressPrefix * `
    -DestinationPortRange 3389 -Access Allow
# Create an inbound network security group rule for port 80
$nsgRuleWeb = New-AzureRmNetworkSecurityRuleConfig `
    -Name myNetworkSecurityGroupRuleWWW -Protocol Tcp `
    -Direction Inbound -Priority 1001 -SourceAddressPrefix * `
    -SourcePortRange * -DestinationAddressPrefix * `
    -DestinationPortRange 80 -Access Allow
# Create a network security group
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName myResourceGroup1 `
    -Location local -Name test1-nsg -SecurityRules $nsgRuleRDP,$nsgRuleWeb
# Create a virtual network card and associate it with the public IP address and NSG
$nic = New-AzureRmNetworkInterface -Name myNic `
    -ResourceGroupName myResourceGroup1 -Location local `
    -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id `
    -NetworkSecurityGroupId $nsg.Id

Finally, create the virtual machine in Azure Stack.

################################ Create VM ###############################
# Define a credential object
$cred = Get-Credential
# Create a virtual machine configuration
$vmConfig = New-AzureRmVMConfig -VMName myVM -VMSize Standard_D1 | `
    Set-AzureRmVMOperatingSystem -Windows -ComputerName myVM -Credential $cred | `
    Set-AzureRmVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer `
        -Skus 2016-Datacenter -Version latest | `
    Add-AzureRmVMNetworkInterface -Id $nic.Id

New-AzureRmVM -ResourceGroupName myResourceGroup1 -Location 'local' -VM $vmConfig

We then see the following new resources in the Azure Stack portal, indicating that they have been created successfully.
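One detail of the NSG above is worth a second look: the RDP rule allows TCP 3389 from any source ("*"), which on a VM with a public IP means the management port is reachable from the whole network the public IP lives on. The following is an added example for this article, not code from the original post: it builds the same rule set with the management port limited to an administrative source range and an explicit deny below the allows, plus a check that flags wide-open management ports in any list of rule configs before it is handed to New-AzureRmNetworkSecurityGroup. The rule objects are built client-side, so the check runs without a connection. $AdminPrefix (192.0.2.0/24, a TEST-NET range) and the list of management ports are assumptions.

```powershell
# Added example (not from the original post): hardened NSG rules beside a check for open
# management ports. Assumptions: admin source range 192.0.2.0/24; ports 22/3389/5985/5986 count
# as management ports.

$ManagementPorts = @('22', '3389', '5985', '5986')

function Find-OpenManagementRule {
    # Returns one object per inbound Allow rule that exposes a management port to any source
    param([Parameter(Mandatory)][object[]]$Rules)
    foreach ($rule in $Rules) {
        $sources = @($rule.SourceAddressPrefix)
        $ports = @($rule.DestinationPortRange)
        $anySource = ($sources -contains '*') -or ($sources -contains 'Internet')
        $mgmtPort = @($ports | Where-Object { $_ -eq '*' -or $ManagementPorts -contains $_ }).Count -gt 0
        if ($rule.Direction -eq 'Inbound' -and $rule.Access -eq 'Allow' -and $anySource -and $mgmtPort) {
            [pscustomobject]@{ Rule = $rule.Name; Ports = ($ports -join ','); Source = ($sources -join ',') }
        }
    }
}

function New-HardenedVmNsgRules {
    param(
        [Parameter(Mandatory)][string]$AdminPrefix,   # CIDR the operators connect from
        [switch]$PublishWeb                           # only open port 80 when the VM really serves web traffic
    )
    $rules = @()
    # RDP only from the administrative range, same priority as the original rule
    $rules += New-AzureRmNetworkSecurityRuleConfig -Name 'AllowRdpFromAdmin' -Protocol Tcp `
        -Direction Inbound -Priority 1000 -SourceAddressPrefix $AdminPrefix -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
    if ($PublishWeb) {
        $rules += New-AzureRmNetworkSecurityRuleConfig -Name 'AllowHttp' -Protocol Tcp `
            -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * `
            -DestinationAddressPrefix * -DestinationPortRange 80 -Access Allow
    }
    # An explicit deny below the allows makes the intended exposure visible in the rule list
    $rules += New-AzureRmNetworkSecurityRuleConfig -Name 'DenyAllOtherInbound' -Protocol * `
        -Direction Inbound -Priority 4000 -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange * -Access Deny
    return $rules
}

# Usage: the post's rule set is reported, the hardened one is not.
# Find-OpenManagementRule -Rules @($nsgRuleRDP, $nsgRuleWeb)       # reports myNetworkSecurityGroupRuleRDP
# $hardened = New-HardenedVmNsgRules -AdminPrefix '192.0.2.0/24' -PublishWeb
# Find-OpenManagementRule -Rules $hardened                           # returns nothing
# $nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName myResourceGroup1 -Location local `
#     -Name test1-nsg -SecurityRules $hardened
```

The check works on whatever New-AzureRmNetworkSecurityRuleConfig returned, so it can also be pointed at the SecurityRules property of an existing group fetched with Get-AzureRmNetworkSecurityGroup to review NSGs that tenants have already deployed.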

VII. Deployment Templates

Using the Azure Stack template tool together with the policy tool, we can convert a template obtained from Azure into an Azure Stack template, which helps Azure Stack adoption.

The ARM template parameters for Azure Stack, such as Location and storage endpoints, are given here for the PoC environment (the PoC endpoint defaults to azurestack.external and the Location defaults to local). In a production environment these are defined by the customer, and the location and endpoints of each Azure Stack instance will differ.

Template Validator Tool: Azure and Azure Stack differ in their resources and configurations, so Azure Stack Tools provides a template validator. Its main function is to verify that an ARM template ported from Azure is correct and conforms to the Azure Stack specification. Templates that already conform can be found in the Azure Stack Templates repository.

The Azure Stack specification is as follows:

1. Azure Stack resource location

In an ARM template, the location of an Azure resource is usually taken from the resource group, and the physical location of the resources the template creates is determined by the location property. On Azure there are more than 40 locations, such as "chinaeast", "chinanorth" and "westus". In an Azure Stack environment the default is "local" or the user-defined location, as follows:

{
    "resources": [
        {
            "name": XXXXXXXX,
            "type": XXXXXXXXXXXXXX,
            "apiVersion": XXXXXXXXXXXXXXXX,
            "location": "[resourceGroup().location]",   // Incorrect version: "chinaeast"
            "comments": "This storage account is used to store the VM disks",
            "properties": {
                "accountType": "Standard_LRS"
            }
        }
    ]
}

2. Blob storage endpoint

On Azure, .blob.core.windows.net denotes the blob storage endpoint. On Azure Stack, .blob.local.azurestack.external identifies the storage address, so a template must not hardcode the public suffix and should derive the endpoint from the storage account instead:

"osDisk": {
    "name": "osDisk",
    "vhd": {
        "uri": "[concat('Microsoft.Storage/storageAccounts/',
                 parameters('newStorageAccountName'),   // instead of the hardcoded '.blob.core.windows.net'
                 variables('vmStorageAccountContainerName'), '/',
                 variables('OSDiskName'), '.vhd')]"
    },
    "caching": "ReadWrite",
    "createOption": "FromImage"
}

3. Current API version management

Azure Stack's underlying technology stack tracks Azure and uses recent versions of Azure's APIs. The following table lists the API versions currently in use.

For more recent API version differences, see the official documentation:

4. Supported resource types

Azure Stack also checks the SKUs of resources, images, extensions and so on to confirm that the corresponding feature is available.
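The first two rules above, no hardcoded Azure public location and no hardcoded public blob endpoint, are exactly the kind of thing that is easy to miss by eye in a long template. The following is an added example for this article, a small check written in PowerShell; it is not the Template Validator Tool from Azure Stack Tools. It walks a template parsed with ConvertFrom-Json, reports every string that embeds a public blob suffix, every resource whose location is a literal Azure region, and optionally every apiVersion outside a list you supply. The sample template, the region list and the suffix list are constructed here for illustration.

```powershell
# Added example (not the Azure Stack Template Validator): report the portability problems
# described above in an ARM template. The region and suffix lists are constructed samples.

$PublicLocations = @('chinaeast', 'chinanorth', 'westus', 'eastus', 'westeurope')   # sample list
$PublicBlobSuffixes = @('.blob.core.windows.net', '.blob.core.chinacloudapi.cn')

function Find-TemplatePortabilityIssue {
    param(
        [Parameter(Mandatory)][string]$TemplateJson,
        [string[]]$AllowedApiVersions = @()      # leave empty to skip the apiVersion check
    )
    $template = $TemplateJson | ConvertFrom-Json
    $issues = New-Object System.Collections.Generic.List[object]

    # Visit every value in the document; $path records where a finding was made
    function Walk($node, $path) {
        if ($node -is [string]) {
            foreach ($suffix in $PublicBlobSuffixes) {
                if ($node -like "*$suffix*") {
                    $issues.Add([pscustomobject]@{ Path = $path; Issue = "hardcoded public endpoint '$suffix'; derive the endpoint from the storage account" })
                }
            }
            return
        }
        if ($node -is [System.Collections.IEnumerable]) {
            $i = 0
            foreach ($child in $node) { Walk $child "$path/$i"; $i++ }
            return
        }
        if ($node -is [psobject]) {
            foreach ($prop in $node.PSObject.Properties) { Walk $prop.Value "$path/$($prop.Name)" }
        }
    }
    Walk $template ''

    # Resource-level checks: literal Azure regions and unsupported API versions
    $i = 0
    foreach ($res in @($template.resources)) {
        if ($res.location -and ($PublicLocations -contains $res.location)) {
            $issues.Add([pscustomobject]@{ Path = "/resources/$i/location"; Issue = "hardcoded Azure location '$($res.location)'; use [resourceGroup().location]" })
        }
        if ($AllowedApiVersions.Count -gt 0 -and $res.apiVersion -and ($AllowedApiVersions -notcontains $res.apiVersion)) {
            $issues.Add([pscustomobject]@{ Path = "/resources/$i/apiVersion"; Issue = "apiVersion $($res.apiVersion) is not in the supplied Azure Stack list" })
        }
        $i++
    }
    return $issues
}

# Constructed sample template with one of each problem
$sampleTemplate = @'
{
  "resources": [
    { "name": "storage1", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15",
      "location": "chinaeast", "properties": { "accountType": "Standard_LRS" } },
    { "name": "vm1", "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2016-03-30",
      "location": "[resourceGroup().location]",
      "properties": { "storageProfile": { "osDisk": { "vhd": {
        "uri": "[concat('https://', parameters('storageName'), '.blob.core.windows.net/vhds/os.vhd')]" } } } } }
  ]
}
'@

# Usage:
# Find-TemplatePortabilityIssue -TemplateJson $sampleTemplate -AllowedApiVersions @('2015-06-15')
# reports /resources/1/properties/storageProfile/osDisk/vhd/uri, /resources/0/location and /resources/1/apiVersion
```

Feed it a template with Get-Content -Raw and pass the API version list from the table above; a template that produces no findings is a candidate for the real validator, not a substitute for running it.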

Policy Tool: as Azure Stack develops, more and more of the IaaS and PaaS services provided by Azure will become available on Azure Stack, including Functions, Blockchain and so on. Among Azure Stack's many services, if we want to limit the services and resources a resource group may use, we can import a policy file such as the following, which denies any resource whose location is not in the allowed list:

"policyRule": {
    "if": {
        "not": {
            "field": "location",
            "in": "[parameters('allowedLocations')]"
        }
    },
    "then": {
        "effect": "deny"
    }
}

In Azure Stack Tools, the policy cmdlets are in the AzureStack.Policy.psm1 file in the Policy folder.

Import-Module .\Policy\AzureStack.Policy.psm1

Login-AzureRmAccount
$s = Select-AzureRmSubscription -SubscriptionName "<sub name>"
$subId = $s.Subscription.SubscriptionId
$policy = New-AzureRmPolicyDefinition -Name AzureStack -Policy (Get-AzureStackRmPolicy)

# Assign the policy to the whole subscription
New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subId
# Specify the resource group where you would like to apply the policy
$rgName = 'AzureStack'
New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subId/resourceGroups/$rgName
# Remove the assignments again
Remove-AzureRmPolicyAssignment -Name AzureStack -Scope /subscriptions/$subId/resourceGroups/$rgName
Remove-AzureRmPolicyAssignment -Name AzureStack -Scope /subscriptions/$subId

VIII. Other Tools

Azure Stack Tools also provides administrator tools. As mentioned before, these are the Service Admin, Compute Admin and Infra Admin modules.

  • Service administration module: administrators can create offers, plans and quotas with this tool.

  • Compute module: add and delete virtual machine images.

  • Infrastructure module: provides the monitoring and data interfaces of the Azure Stack infrastructure.

IX. Summary

In this article we have covered the basic functions of Azure Stack Tools. We hope that after reading it, users can upload virtual machine images and create virtual machines with Azure Stack Tools. For Azure Stack administrators, Azure Stack Tools can be used to restrict Azure Stack resources, distribute offers across subscriptions, and monitor the Azure Stack infrastructure. I believe that in using Azure Stack Tools, readers will experience first-hand the consistency between Azure and Azure Stack.


Author: Peng Yicheng


If you are interested in the content of this article, please contact:
Azure Stack Technical Support Team, Yidian (Group) Co., Ltd. (gaoc@rc.inesa.com / niuhx@rc.inesa.com)
When reposting, please credit: reposted from the Azure Stack Notes Blog (http://a-stack.com)



Posted by wheakory on Sun, 06 Jan 2019 21:36:09 -0800