Affordable Azure DR for everyone

Disaster recovery is something we pray we never need, but it is unavoidable in certain situations. Every business organization, regardless of size, needs a disaster recovery plan to protect its key business assets. In this article we'll look into how Azure Disaster Recovery (cloud-based DR) can be used to protect critical business application systems.

With recent updates there are several ways to use Azure Site Recovery (ASR) to protect on-premises systems:

1. On-premises Hyper-V site to Azure protection with Hyper-V replication — Orchestrate replication, failover, and recovery from an on-premises site with one or more Hyper-V servers but without System Center VMM. Virtual machine data is replicated from a source Hyper-V host server to Azure.

2. On-premises VMM site to on-premises VMM site protection with Hyper-V replication — Orchestrate replication, failover, and recovery between on-premises VMM sites. Virtual machine data is replicated from a source Hyper-V host server to a target host server.

3. On-premises VMM site to on-premises VMM site protection with SAN replication — Orchestrates end-to-end replication, failover, and recovery using storage array-based replication between SAN devices that host virtual machine data in source and target on-premises sites.

4. On-premises VMM site to Azure protection — Orchestrate replication, failover, and recovery between an on-premises VMM site and Azure. Replicated virtual machine data is stored in Azure storage.

5. On-premises VMWare site to on-premises VMWare site with InMage — InMage Scout is a recent Microsoft acquisition that provides real-time replication between on-premises VMWare sites. Right now InMage is available as a separate product that’s obtained via a subscription to the Azure Site Recovery service.

Option 1 will be covered in this article. Most SMBs cannot afford SCVMM software but still need a DR solution. Apart from that, we didn't forget our VMware fan base who need an affordable DR solution. With the acquisition of the InMage software company, Microsoft now protects VMware environments as well.

To enable a Hyper-V host to protect VMs in the Azure cloud we need to complete a few steps first. The high-level steps are as follows:

Step 1: Create a vault—Create an Azure Site Recovery vault.

Step 2: Create a Hyper-V site—Create a Hyper-V site as a logical container for all the Hyper-V servers that contain virtual machines you want to protect.

Step 3: Prepare Hyper-V servers—Generate a registration key and download the Provider setup file. You run the file on each Hyper-V server in the site and select the key to register the server in the vault.

Step 4: Prepare resources—Create an Azure storage account to store replicated virtual machines.

Step 5: Create and configure protection groups—Create a protection group and apply protection settings to it. The protection settings will be applied to every virtual machine you add to the group.

Step 6: Enable protection for virtual machines—Enable protection for virtual machines by adding them to a protection group.

Step 7: Test the deployment—Run a test failover for a virtual machine.

Step 1 – Create a vault,
Sign in to the Azure Management Portal –> Expand Data Services, expand Recovery Services, and click Site Recovery Vault –> Click Create New and then click Quick Create –>In Name field enter a friendly name to identify the vault (in my case matrixvault) –>In Region select the geographic region for the vault –> Click Create vault

Step 2: Create a Hyper-V site,
In the Recovery Services page, click the vault to open the Quick Start page–>In the dropdown list, select Between an on-premises Hyper-V site and Azure –> In Create a Hyper-V Site click Create Hyper-V site. Specify a site name and save.

Step 3: Prepare Hyper-V servers,
In Prepare Hyper-V servers, click Download a registration key file –> On the Download Registration Key page, click Download next to the site –> Click Download the Provider to obtain the latest version

In the last picture you can see that two components have been installed. Their functions are as follows:

Azure Site Recovery Provider—Handles communication and orchestration between the Hyper-V server and the Azure Site Recovery portal.
Azure Recovery Services Agent—Handles data transport between virtual machines running on the source Hyper-V server and Azure storage.

On the Vault Settings page, click Browse to select the key file. Specify the Azure Site Recovery subscription, the vault name, and the Hyper-V site to which the Hyper-V server belongs.

Step 4: Prepare resources – You need a storage account in Azure; if you don't have one, go ahead and create one. Make sure the storage account has geo-replication enabled.
I also make sure a dedicated virtual network is created as well.

Step 5: Create and configure protection groups
Protection groups group virtual machines together and apply the same protection settings. You apply protection settings to a protection group, and those settings are applied to all virtual machines that you add to the group.

Step 6: Enable protection for virtual machines

Now it's time to select which VMs you need to protect from your Hyper-V host.

ASR will start checking VM compatibility to be exported to the Azure side.

Now let's jump into the Hyper-V MMC console and check the VM replication status,

Depending on your internet connection speed, VM replication time can vary.

Step 7: Test the deployment
Now it's time to test the VM failover to the Azure side. To do that we need to run a test failover for the protected virtual machine.
Protected Items –> Protection Groups –> protectiongroup_name –> Virtual Machines (select the virtual machine you want to fail over) –> and click Test Failover.

You can put the test VM into a production virtual network in Azure or start the VM without a virtual network. In my case I'll put it into my production virtual network.

Now a series of actions will be carried out in order. Once that has completed, our VM will be active on the Azure side. If you encounter any issues in these tasks you can get a detailed report from the bottom of the Azure portal. This is useful for troubleshooting.

Now VM creation is complete. We have to go and test that the VM is up and running properly. If things are OK, once we confirm, the VM will be removed from ASR since our ASR test was a success.

Now ASR will remove the temporary test VM from the environment,

Some of our VMs can be very large, and replication via the internet is not feasible. In that situation you can courier the data to a Microsoft Azure data center. Microsoft introduced a service called “Microsoft Azure Import/Export service”. You can find more information about that here.

Azure VNet to VNet Connection

Extending your on-prem private cloud to the public cloud is going to be highly anticipated in 2015. During that time I came across a requirement to interconnect the private networks of two Azure subscriptions. I assume by now most of you are aware that by leveraging the Windows Azure platform you can extend your on-prem network to Azure using a Site-to-Site (S2S) VPN. If not, you can get more information about that from here, and if a picture makes it clearer then it is as follows.

Now in my new challenge the customer already has two Azure subscriptions. In one subscription he has database virtual machines and in the other Azure subscription he has application VMs. Now how on earth did he end up in such a scenario, not having all the VMs in the same subscription? Well, that is a long story which will not bring any good to this article.

His requirement is to interconnect the two Azure subscriptions via VPN connectivity. Again the picture story is as follows,

Azure vnet to vnet

A few months back this was not possible, but Microsoft keeps improving its services frequently. One such surprise is allowing Azure VNet to VNet VPN connections.

What can I do with VNet to VNet connectivity?

Cross region geo-redundancy and geo-presence

  • You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.
  • With Azure Load Balancer and Microsoft or third party clustering technology, you can set up highly available workloads with geo-redundancy across multiple Azure regions. One important example is to set up SQL Always On with Availability Groups spread across multiple Azure regions.

Regional multi-tier applications with strong isolation boundary

  • Within the same region, you can set up multi-tier applications with multiple virtual networks connected together with strong isolation and secure inter-tier communication.

Cross subscription, inter-organization communication in Azure

  • If you have multiple Azure subscriptions, you can now connect workloads from different subscriptions together securely between virtual networks.
  • For enterprises or service providers, it is now possible to enable cross organization communication with secure VPN technology within Azure.

So now it's time to get our hands dirty and find out how to test this, right? In my step-by-step guide below I'm demonstrating this using my two Azure subscriptions.

Before that, here are some considerations you need to be aware of,

Requirements and considerations

  • VNet to VNet supports connecting Azure Virtual Networks. It does not support connecting virtual machines or cloud services NOT in a virtual network.
  • VNet to VNet requires Azure VPN gateways with dynamic routing VPNs – Azure static routing VPNs are not supported. Connecting multiple Azure virtual networks together does NOT require any on premises VPN gateways, unless cross premises connectivity is required.
  • Virtual network connectivity can be used simultaneously with multi-site VPNs, with a maximum of 10 VPN tunnels for a virtual network VPN gateway connecting to either other virtual networks or on premises sites.
  • The address spaces of the virtual networks and on premises local network sites MUST NOT overlap. Overlapping address spaces will cause the creation of virtual networks or uploading netcfg configuration files to fail.
  • The virtual networks can be in the same or different subscriptions.
  • The virtual networks can be in the same or different Azure regions (locations).
  • Redundant tunnels between a pair of virtual networks are not supported.
  • A cloud service or a load balancing endpoint CANNOT span across virtual networks even though they are connected together.
  • All VPN tunnels of the virtual network, including P2S VPNs, share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.
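
The no-overlap requirement above can be checked before any network is created. The following is an added example, not part of the original post: the function names are hypothetical, VNET1 and VNET2 use the ranges from the walkthrough below, and the OnPrem range is constructed to show a collision.

```powershell
# Added example: pre-flight overlap check for planned VNet / local network ranges.
function ConvertTo-CidrRange {
    param([Parameter(Mandatory = $true)][string]$Cidr)

    if ($Cidr -notmatch '^(\d{1,3}\.){3}\d{1,3}/(\d{1,2})$') {
        throw "Not an IPv4 CIDR range: '$Cidr'"
    }
    $prefix = [int]$Matches[2]
    if ($prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    $ip = [System.Net.IPAddress]::Parse(($Cidr -split '/')[0])
    # GetAddressBytes() returns the address in network (big-endian) byte order.
    [long]$value = 0
    foreach ($b in $ip.GetAddressBytes()) { $value = ($value * 256) + $b }

    [long]$size  = [math]::Pow(2, 32 - $prefix)   # number of addresses in the block
    [long]$first = $value - ($value % $size)      # network address, even if host bits were set
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Test-CidrOverlap {
    param([string]$A, [string]$B)
    $ra = ConvertTo-CidrRange $A
    $rb = ConvertTo-CidrRange $B
    # Two closed intervals overlap when each one starts before the other ends.
    ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

function Find-AddressPlanConflict {
    param([System.Collections.IDictionary]$Plan)
    $names = @($Plan.Keys)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            $left  = $Plan[$names[$i]]
            $right = $Plan[$names[$j]]
            if (Test-CidrOverlap $left $right) {
                [pscustomobject]@{
                    Left  = "$($names[$i]) $left"
                    Right = "$($names[$j]) $right"
                }
            }
        }
    }
}

# VNET1 and VNET2 are the ranges used in this walkthrough; OnPrem is a
# constructed range that deliberately collides with VNET2.
$plan = [ordered]@{
    VNET1  = '10.1.0.0/16'
    VNET2  = '10.2.0.0/16'
    OnPrem = '10.2.128.0/17'
}
$conflicts = @(Find-AddressPlanConflict $plan)
if ($conflicts.Count -gt 0) {
    $conflicts | Format-Table -AutoSize
    Write-Warning 'Overlapping ranges found; fix the plan before creating networks.'
} else {
    'No overlapping ranges.'
}
```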

Before starting, I'd like to share the high-level steps with you,

  1. Plan your IP address ranges
  2. Create your virtual networks
  3. Add local networks
  4. Create the dynamic routing gateways for each VNet.
  5. Connect the VPN gateways

1. Plan your IP address ranges – Planning is key in this part. If you ever plan to extend this setup to your on-prem private cloud then plan well ahead for your IP address ranges. Don't allow them to be duplicated. The same goes for the Azure subscriptions as well. So in our scenario we'll create two virtual networks across two Azure subscriptions, VNET1 & VNET2.

From the perspective of VNet1, VNet2 is just another VPN connection that’s defined in the Azure platform. And from VNet2, VNet1 is just another VPN connection. They’ll both be identifying each other as a local network site. Keep in mind that you must make sure that none of your VNet ranges or local network ranges overlap in any way.

Below I’ve shown an example of how to define your VNets. Use the ranges below as a guideline only. Write down the ranges that you’ll be using for your virtual networks. You’ll need this information for later steps.

Table 1

2. Create your virtual networks – Following the above table we'll go ahead and create VNET1 = 10.1.0.0/16 with the region set to Southeast Asia,

Log into the Azure Management portal and in the lower left-hand corner of the screen click “New”, click “Network Services” and then “Virtual Network”. Click “Custom Create” to begin the wizard,

You don’t have to select DNS server or do any configuration on this page. But if you’re planning to have name resolution between your virtual networks then you’ll need to configure your own DNS servers.

As pre-planned, I've changed the IP address range to 10.1.0.0/16. Go ahead and complete the wizard. Now carry out the same task on your other subscription. The only changes are that VNET1 will be VNET2 and the IP address range is 10.2.0.0/16.

3. Add local networks – Now go back to VNET1 in the Azure portal. Click “Local Networks”. You'll find that no local network exists. Go ahead and create one with the range 10.2.0.0/16. Carry out the same on the other Azure subscription (VNET2) with the value 10.1.0.0/16.

The VPN device IP address you provide above does not matter right now. Once we obtain the correct VPN IP address we'll enter that.

Note: Keep an eye on the naming convention and the IP address range I provided. Follow the same steps on the other Azure subscription as well. (Values will be different)
Now on the first Azure subscription click VNET1. Click “Configure”. Click “Connect to the local network” under the Site-to-Site connectivity section.

Make sure “Gateway” has been added,

Click “Save” on the bottom of the screen.

4. Create the dynamic routing gateways for each VNet – Now that we have configured the VNets, it's time to configure the VNet gateways,
Go back to the dashboard of VNET1. At the bottom of the screen click “Create Gateway” and select “Dynamic Routing”.
Confirm the action. This will take around 10–15 minutes to complete. Carry out the same action on the other Azure subscription as well.

When the gateway status changes to Connecting, the IP address for each Gateway will be visible in the Dashboard. Write down the IP address that corresponds to each VNet, taking care not to mix them up. These are the IP addresses that will be used when you edit your placeholder IP addresses for the VPN Device in Local Networks.

5. Connect the VPN gateways – When gateway creation has completed we can go ahead and set the IPsec/IKE pre-shared key (the same key) on both sides. This action has to be carried out in PowerShell.
On the VNET1 side type the following PS command,

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet1 -LocalNetworkSiteName VNet2 -SharedKey A1b2C3D4E6

On the VNET2 side type the following PS command,

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName VNet1 -SharedKey A1b2C3D4E6

Now give it a little bit of time and refresh the Azure portal page. You'll find the VPN connection established.

Once that has completed you can create two VMs on each Azure subscription and try pinging each other. If you get a response you'll know the connection has been established.
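
The two commands in step 5 use a short sample key. As an added example (not part of the original post), the script below generates a random alphanumeric pre-shared key and applies the same value to both gateways with the cmdlet shown above. New-VpnSharedKey is a hypothetical helper, the subscription names are placeholders, and the alphanumeric alphabet is an assumption that matches the style of the sample key.

```powershell
# Added example: generate one strong pre-shared key and set it on both gateways.
function New-VpnSharedKey {
    param([ValidateRange(16, 128)][int]$Length = 32)

    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    # 256 is not a multiple of 62, so bytes >= 248 are rejected; otherwise the
    # first 8 symbols would be slightly more likely than the rest (modulo bias).
    $limit  = 256 - (256 % $alphabet.Length)
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 1
    $key    = New-Object System.Text.StringBuilder

    try {
        while ($key.Length -lt $Length) {
            $rng.GetBytes($buffer)
            if ($buffer[0] -lt $limit) {
                [void]$key.Append($alphabet[$buffer[0] % $alphabet.Length])
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    $key.ToString()
}

# The key lives only in a variable, so the literal value never appears in a typed command.
$sharedKey = New-VpnSharedKey -Length 32

# Placeholder subscription names; replace with the names of your two subscriptions.
Select-AzureSubscription -SubscriptionName '<subscription-containing-VNet1>'
Set-AzureVNetGatewayKey -VNetName VNet1 -LocalNetworkSiteName VNet2 -SharedKey $sharedKey

Select-AzureSubscription -SubscriptionName '<subscription-containing-VNet2>'
Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName VNet1 -SharedKey $sharedKey

# Drop the key from the session once both sides are configured.
Remove-Variable sharedKey
```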

Extending on premise Active Directory to Azure

Microsoft Azure is one of the biggest buzzwords in the technical world (at least in my world). Whenever I have a conversation about this with my customers, some of the questions and concerns they have are as follows,

1. Why should I care about another directory service when I already have Active Directory to manage my users and computers?

2. How can I extend my Active Directory?

3. Can I dump my on-prem Active Directory and use 100% Azure active directory?

Most of the time I end up explaining Azure Active Directory using a couple of pictures,

The above picture gives an idea of the similarity between Azure AD and on-prem AD. This is an easy way to give someone an idea of what AD normally does (I'm talking about business owners).

The next picture is about how Azure AD can be used in a hybrid method and open a whole new world of cloud-based apps to an organization.

Now that is all a nice layer of icing before we start the work.

My first attempt is to guide you through how we can set up Azure AD and then integrate that with your local Active Directory.

First you need to have an Azure subscription. If you already have an Azure subscription then log in to the main portal,

On the right hand side scroll down until you find the section called “Active Directory”

You can see a couple of Active Directories created by me on the right hand side. Please note the Default directory is pre-created by Microsoft Azure. You can start using that or create your own Azure directory. To create your own AAD (Azure Active Directory) click New,

Select directory and click “Custom”

Put your own values for this, (Note: make sure the Domain name you provide is a unique one)

Once you complete the wizard you've finished creating your AAD.

In the above picture you’ll spend time creating users and groups for the new AD. For more information about this area please visit here. In the next article we’ll talk about how to integrate Azure AD with on-prem AD.

The Altaro PowerShell Hyper-V Cookbook (Free)

OK, this is probably not the latest news, but Altaro has released a Hyper-V e-book with lots and lots of PowerShell commands. I found it really useful if you're playing around with or managing Hyper-V environments. Kudos to the author, Jeffery Hicks (PowerShell MVP).

You can download the free e-book from here, and don't forget to download the sample PS commands that are freely available along with the e-book. You can get them from here. Also pay a visit to the author's blog and you'll find more of the latest updates and new PS commands.

If you're new to the PowerShell world then you need to step into a few places first to brush up your knowledge. Believe me, PowerShell is most important for your future career, so spend some time on it. You can start from here & here.

System Center 2012 R2 DPM supported in an Azure Virtual Machine

The DPM team recently announced that they're supporting DPM running as a VM in the Azure cloud. This means you can now protect your Azure workloads within Azure by locating the DPM server in the cloud. With this option you're getting a longer retention period as well. This also means whoever has a System Center license can now use that and set up DPM in Azure.

Note from the DPM team released a few weeks back,

“We are pleased to announce that System Center Data Protection Manager (DPM) is now supported to run in Azure as an IaaS virtual machine. This announcement allows customers to deploy DPM for protection of supported workloads running in Azure IaaS virtual machines. Customers with a System Center license can now protect workloads in Azure. Read more about it on the DPM blog.”

One question that remains is the VM sizing for the DPM server in Azure. In my opinion it's better to start with a minimum of 2 vCPUs and 3.5 GB and then keep increasing the size of the VM based on the requirements.

If you have an Azure trial account this is another feature you should go ahead and try. Before starting the setup, spend a little time reading the blog post released by the DPM team and also refer to the FAQ.

Veeam Task Manager for HYPER-V

Veeam is a company famous for its backup and replication software for virtualization platforms. Recently they released a small utility which helps Hyper-V admins understand each VM's resource utilization at a glance from Windows Task Manager itself.

By default the Microsoft Windows Server OS Task Manager will only show you the performance characteristics of the parent OS. To find VM-level performance details (e.g. CPU, memory) we either open the Hyper-V Manager MMC or use VMM. With this nifty utility we can do that from the default Task Manager itself!

What's more interesting is that we can run this utility on a client OS, Windows 7 and onwards, connect to Hyper-V servers and remotely view the resource usage (Tip: make sure TCP port 445 is open for that).

Microsoft Azure Virtual Machines: Built-in Anti-Virus Support

During TechEd 2014 Microsoft announced anti-virus software support for Azure VMs. This service is integrated through the VM agent that comes with all Azure virtual machines. Apart from using Microsoft anti-malware protection, Microsoft has extended its arms to welcome two vendors for this service:

  • Symantec Endpoint Protection
  • TrendMicro’s Deep Security Agent

In my opinion this is a good move by Microsoft. Most customers want third-party applications, and purchasing them and applying them to Azure is not feasible if they're planning to use the virtual machines for a couple of months. Integrating anti-virus solutions into Azure VMs will make customers' lives one step easier :)

I tested this out in my Azure MSDN subscription. During new VM creation,

you get the chance to select which VM agent you want to install plus the anti-virus software,

 

Once you log into the VM you're greeted with a web site stating that a trial version of the anti-virus is set up and will work for XX days until we purchase and maintain it. But if you're a customer who extends your on-prem network to Microsoft Azure then you can use your on-prem AV software in the cloud VMs and manage them centrally via an S2S connection.
