Azure Articles - Altaro DOJO | Hyper-V
https://www.altaro.com/hyper-v
Hyper-V guides, how-tos, tips, and expert advice for system admins and IT professionals. Feed last updated Thu, 15 Sep 2022 12:37:23 +0000.

Gateway Server vs. Windows Admin Center to Admin Azure Stack HCI
https://www.altaro.com/hyper-v/windows-admin-center/
Published Thu, 15 Sep 2022 12:34:06 +0000

The differences and pros and cons between HCI administration methods and how to connect to your Azure Stack HCI nodes.


Windows Admin Center is now available in Azure to manage Azure Stack HCI on-premises.

Register Windows Admin Center with Azure – Azure Stack HCI | Microsoft Docs

With Windows Admin Center on Azure, you gain another option to manage Azure Stack HCI, and you can use the Azure Portal to administer it. But because the Azure Portal's capabilities are limited and not every Azure Stack HCI setting can be configured remotely, Windows Admin Center on Azure is limited too.

In this post, I’m going to explain the differences between the HCI administration methods and how to connect Windows Admin Center on Azure to your Azure Stack HCI nodes.

How to Connect Windows Admin Center to Azure Stack HCI

The installation is rather simple. First, your cluster needs to be connected to Azure and Azure Arc.


For steps to configure Arc, use the following guides.

After you connect Azure Stack HCI to Azure Arc, select the cluster you want to manage and use Windows Admin Center on Azure.

Beneath the settings of that cluster, you will find the Windows Admin Center (Preview) option.


Now you can just click “Set Up” and the configuration will be deployed. There is no VPN or client configuration needed.


Windows Admin Center traffic goes directly over the port you chose in the deployment, encrypted with HTTPS, and the setup also configures Windows Remote Management (WinRM) on the nodes.

The configuration and installation take around 15 to 20 minutes; get a coffee and take a break.

After a successful configuration, you should see the option to connect to Azure Stack HCI using the Azure Portal.


After connecting to the cluster, you see an interface similar to Windows Admin Center installed as a gateway on Windows Server, but as the screenshot shows, there is not one hundred percent feature parity between the two.

Let’s cover a few of the differences today (this is in preview after all).

Differences between Windows Admin Center Gateway and Azure Portal

One of the main differences is deployment. To connect the Windows Admin Center portal on Azure to your Azure Stack HCI cluster, the cluster must already be installed.

The installation requires either PowerShell or Windows Admin Center Gateway.

Deploy the Azure Stack HCI operating system – Azure Stack HCI | Microsoft Docs

The same applies to most of the deployment options: as the screenshot below shows, network deployments as well as service deployments are missing from the Windows Admin Center portal on Azure.

Most of the crucial deployment options are missing, such as GPU and Security extension deployment. From a management point of view, it currently looks more like a portal for viewing status, while the Windows Admin Center gateway remains the main option for administration.

Let us continue and investigate settings.


In settings, the limited administration options are also visible.


The screenshot and side-by-side comparison show crucial options missing. You are still able to configure node and cluster behaviour, migrations, affinity rules and so on, but the options you would need to add the additional Azure Stack HCI features are absent.

The only option for Azure Stack HCI feature configuration left within the Windows Admin Center in the Azure Portal is Monitoring data and the option to Join the preview channel.

As we already saw on the Windows Admin Center gateway main screen, most of the important configurations are only available there. Several that I consider important are not there (yet), for example Activate Windows Server VMs, Azure Benefits, Resource Bridge and Service Health Data.

Conclusion

Windows Admin Center on Azure is a good option for day-to-day administration work, but it is not yet suitable for configuration and deeper administration tasks.

What I really like is the option to use role-based access control to give users general access to Windows Admin Center without setting up Azure sign-in on a Windows Admin Center gateway on Windows Server, which is much more complex than using the Azure Portal.

Register Windows Admin Center with Azure – Azure Stack HCI | Microsoft Docs

How to Enable Azure Benefits for Azure Stack HCI Virtual Machines
https://www.altaro.com/hyper-v/azure-benefits-azure-stack-hci/
Published Fri, 26 Aug 2022 14:48:26 +0000


Azure Benefits is an offer from Microsoft that enables customers to use older operating systems and extend their support free of charge.

You can see the major three benefits listed below.

Workload (versions supported): what it is

  • Windows Server Datacenter: Azure Edition (2022 edition or later): An Azure-only guest operating system that includes all the latest Windows Server innovations and other exclusive features.
  • Extended Security Updates (ESUs) (October 12th, 2021 security updates or later): A program that allows customers to continue to get security updates for End-of-Support SQL Server and Windows Server VMs, now free when running on Azure Stack HCI.
  • Azure Policy guest configuration (Arc agent version 1.13 or later): A feature that can audit or configure OS settings as code, for both host and guest machines.

Personally, I think the Extended Security Update is the most important for customers staying on-premises and who are still required to run older versions of Windows Server and Microsoft SQL.

How to enable Azure Benefits on Azure Stack HCI?

If you wish to use Azure Benefits, you need to connect your cluster to Azure first.


The guides below explain to you how to make the connection.

Manage Azure Stack HCI cluster registration with Azure – Azure Stack HCI | Microsoft Docs

Afterwards, you need to enable them: select Azure Benefits in the Settings menu of your cluster and click Turn on.

You can now decide if every Virtual Machine which is currently deployed in the cluster should be enabled or if you want to do it later.


The activation takes around 10 minutes; afterwards, that screen should change to the following view.

Afterwards, you just select the VMs for which you want to enable Azure Benefits.

There are also other options available to enable Azure Benefits, for example, the use of PowerShell, which is explained here:

Azure Benefits on Azure Stack HCI – Azure Stack HCI | Microsoft Docs

To check the status in Azure, navigate to the Cluster Resource in the Azure Portal and select the Configuration of the Cluster. Here you should find the option “Host Attestation: Enabled” if everything went well.
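The PowerShell route mentioned above, as an added example that is not code from the original post or from Microsoft's documentation. It uses the Az.StackHCI module on a cluster node to confirm the Azure registration, turn on attestation, opt in individual VMs and verify the result from both the host and the guest side. VM names are constructed placeholders, and the guest-side check assumes the on-premises attestation service answers on the same link-local address and API version as the public Azure IMDS attested endpoint.

```powershell
# Added example, not code from the original post or from Microsoft's docs:
# enabling and verifying Azure Benefits with the Az.StackHCI module.
# Run on one cluster node in an elevated PowerShell session. VM names are
# constructed placeholders.

# 1. Azure Benefits requires the cluster to be registered with Azure and
#    connected (Get-AzureStackHCI reports both). The property values compared
#    here are the ones the cmdlet prints; adjust if your module version differs.
$reg = Get-AzureStackHCI
if ($reg.RegistrationStatus -ne 'Registered' -or $reg.ConnectionStatus -ne 'Connected') {
    throw "Cluster not ready: Registration=$($reg.RegistrationStatus), Connection=$($reg.ConnectionStatus). Run Register-AzStackHCI first."
}

# 2. Turn on host attestation for the whole cluster. -AddVM opts in every VM
#    that already exists; leave it out to enable VMs one by one (step 3).
Enable-AzStackHCIAttestation -AddVM

# 3. Opt in further VMs later, e.g. the legacy guests that should receive ESUs.
Add-AzStackHCIVMAttestation -VMName 'sql2012-legacy', 'ws2012r2-app'   # placeholder names

# 4. Verify from the host side: every node and every opted-in VM should show
#    attestation as enabled. A node stuck in a non-enabled state usually means
#    the cluster lost its Azure connection; re-check step 1 before retrying.
Get-AzStackHCIAttestation   | Format-Table -AutoSize
Get-AzStackHCIVMAttestation | Format-Table -AutoSize

# 5. Verify from inside a guest: ask the attestation service for its signed
#    document. Assumption: the on-premises service answers on the same link-local
#    address and API version as the public Azure IMDS attested endpoint.
#    A VM that is not opted in gets an HTTP error here instead of a document.
Invoke-RestMethod -Headers @{ Metadata = 'true' } -Method GET `
    -Uri 'http://169.254.169.254/metadata/attested/document?api-version=2018-10-01'
```

Step 5 is the check worth keeping in a runbook: a guest that has been opted in but still gets an error from the attested endpoint is not going to receive ESUs, and that is usually visible long before an update is missed.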

You can find more information in the FAQ if necessary.

Azure Benefits on Azure Stack HCI – Azure Stack HCI | Microsoft Docs

How does it work?

Now you may ask how this works and why Microsoft can support older operating systems on Azure and Azure Stack but not on Windows Server.

It’s a rather simple answer. Azure and Azure Stack are using the same magic under the hood. The Service is called IMDS Attestation Service. Together with the validated or integrated Hardware beneath both platforms, Microsoft gains a known and controlled ecosystem to support and maintain those older applications and Operating Systems.

Such an environment makes it easier for Software Vendors to invest in extended Support and Updates for their customers.

Let me give you a short overview of the IMDS Attestation Service.

The Azure Stack Attestation service is built the same way as the IMDS Attestation service that runs in public Azure. Microsoft’s intention was to enable some of the same workloads and benefits available in Azure to Azure Stack Customers on-premises. Azure Benefits returns an almost identical payload. The main difference is that it runs on-premises, and therefore guarantees that VMs are running on Azure Stack HCI instead of Azure.

If you want to learn more about the service, please consult the documentation.

Azure Benefits on Azure Stack HCI – Azure Stack HCI | Microsoft Docs

How to enable Windows Server Licensing through Azure Subscription?

Another Azure Stack HCI Benefit which I would like to highlight is the subscription-based licensing model. With Azure Stack HCI, you can choose between a classic key-based licensing like with Windows Server Hyper-V or subscription-based license where you pay a certain amount of money for the license per Month.

As the license is billed by the hour, it might be a good fit when you have highly flexible Windows Server workloads which are not running 24/7. Those workloads could be Azure Virtual Desktop or GPU processing for content creation, for example.

Normally you have lots of those running during working hours, but they are not used during out-of-business hours. So, you can shut them down and save license costs during that time.

To enable a cluster for either subscription-based or key-based licensing, you need to activate it within the cluster settings of that specific Azure Stack HCI cluster.

You should then see the following options to choose from.


Currently, a Windows Server license is about $10 per physical core per month.

Pricing – Azure Stack HCI | Microsoft Azure

Here you can find more about the activation of Windows Server Virtual Machines on Azure Stack HCI in general.

Activate Windows Server VMs using Automatic Virtual Machine Activation – Azure Stack HCI | Microsoft Docs

Are There any Drawbacks?

The idea of making Windows Server the perfect guest and application operating system for hosting all kinds of applications, and Azure Stack HCI the perfect and most performant infrastructure operating system, makes sense if you look at how overloaded the Windows Server kernel already is.

Infrastructure operating systems need to be fast, reliable, and easy to update and manage. That is something Windows Server, with all its options, no longer is.

I also like the fact that you can now rent hardware, or scale it on demand, with licenses from vendors like Dell or HPE, which works great with Azure Stack HCI deployments.

Examples include HPE’s Greenlake or Dell’s AX-Series.

Microsoft Azure Stack (MAS) | Dell Technologies US

HPE GreenLake For Hyperconverged Infrastructure (HCI) | HPE

Even with the downsides and issues you may encounter with Azure Stack HCI, overall it is a great solution and brings Microsoft a step closer to a fully integrated hybrid experience.

How to Create a Support Request for Azure Stack HCI
https://www.altaro.com/hyper-v/support-request-azure-stack-hci/
Published Wed, 06 Jul 2022 21:34:16 +0000

It might sound like a straightforward task, but there are actually a few tricks of the trade you can use to fast-track a support request.


Normally your Azure Stack HCI environment consists of the following components:

  • Azure Stack HCI Server Hardware
  • Azure Stack HCI Network Equipment
  • Azure Stack HCI Operating System
  • Windows Admin Center
  • Azure Stack HCI Cluster
  • Azure Stack HCI Azure Integration
  • Services Running on Azure Stack HCI

Depending on your deployment, the support will be given by these three parties:

  • Microsoft Support
  • Hardware Support of the Server Vendor
  • Hardware Support of the Network Vendor

Support for Network Equipment

The network equipment is normally supported by the network vendor; there is currently no integration with Microsoft Support or the server vendor's support.

Support for the Server Hardware

When it comes to server hardware, the support models can be different as Azure Stack HCI is supported on two different types of Hardware.

  • Validated System: The hardware is validated and supported to run the Azure Stack HCI operating system. The customer must install the operating system themselves, and there is no joint support system between Microsoft and the hardware vendor.
  • Integrated System: The hardware is validated and supported to run the Azure Stack HCI operating system. The operating system comes either installed directly from the factory or is installed by the professional services of the hardware vendor or one of its partners. Microsoft and the hardware vendor operate a joint support system: if manufacturer-independent support is needed, Microsoft and the vendor cooperate and share tickets. You can open a support case with either Microsoft or the hardware vendor.

You can find the list of integrated and validated Systems here.

Azure Stack HCI Solutions | Microsoft

Normally you can buy Integrated Systems from Dell, Lenovo or DataOn. Validated Systems are delivered for example by HPE, Secureguard or SuperMicro plus many other Vendors.

If you want to open a request for a Hardware issue, you can do that via the regular support processes of your Vendor. The screenshot below shows the options with Dell.

Contact Information | Dell US


Example of how you can create a support request online.

How to Create a Support Request Online for Dell EMC | Dell Deutschland

As said, if you have an Integrated System, the support system is shared between Microsoft and the Vendor.

Support for the Azure Stack HCI Operating System (Not Yet Connected to Azure) and Windows Admin Center

The first thing to note here: support for Azure Stack HCI always lies with Microsoft Azure Support, and every case is created via the Azure Portal. Every Azure Stack HCI deployment ends with the connection to Azure and the creation of the Azure Arc resource.

Connect Azure Stack HCI to Azure – Azure Stack HCI | Microsoft Docs

But while deploying Azure Stack HCI, you can still run into issues or bugs with Azure Stack HCI Operating System or Windows Admin Center.

Windows Admin Center Overview | Microsoft Docs

At that point in time, you will not have an Azure Resource to create a support ticket from. You will need to create a generic support ticket. You can do that via the Azure Portal. The screenshot below shows you how.


It works the same for Windows Admin Center in the context of Azure Stack HCI, you just open it via Service Type Azure Stack HCI and detail the Windows Admin Center issue in the support ticket comments.

Azure Stack HCI connected to Azure and other Services deployed on Azure Stack HCI

With Azure Stack HCI connected to Azure, it works like every other Azure service. You navigate to the Azure resource representing the Azure Stack HCI hardware and create a regular support ticket as shown below.

The difference here is that most of the basic information will be automatically filled in.

Cloud Solution Provider Customers

Customers who have an Azure subscription from a Cloud Solution Provider are not within the Microsoft direct support model.

Cloud Solution Provider program overview – Partner Center | Microsoft Docs

They will see the following message when creating a support case.


To create a support request for your Azure Stack HCI, you need to do that with your Cloud Solution Provider. They can then support you directly and solve the issue, or escalate the issue to Microsoft. Either way, that can take longer than being in a Microsoft direct support agreement.

A customer with an Integrated System can bypass the Cloud Solution Provider by creating a support ticket via the Hardware Provider and asking them to escalate the ticket to Microsoft. They will then use the interconnected support system to work on the case.

You can find a list of Microsoft Direct Support offerings here.

Azure Support Options | Microsoft Azure


Here you can find the price comparison for all plans.

Azure Support Plans Comparison | Microsoft Azure

Cloud Solution Provider support offerings differ from one Cloud Solution Provider to another. You should always check your contracts with that specific partner.

The Cloud Solution Provider program also varies by partner level.

Cloud Solution Provider program overview – Partner Center | Microsoft Docs

You can find more information on how Cloud Solution Providers are required to support their customers here.

Providing support to your customers – Partner Center | Microsoft Docs

Conclusion

So, as you can see, the support process is simple and already well tested during the private and public previews. Hopefully, that quick guide helps you choose the right support option if you are in a support situation at any point in the future.

To be honest with this post: especially with new solutions like Azure Stack HCI or complex solutions like Azure Virtual WAN or Azure ExpressRoute, I prefer the Microsoft support model over the Cloud Solution Provider model. Normally, partners and Cloud Solution Providers need some time to ramp up on a new service, and Azure publishes many of them throughout the year. So there is high pressure on those partners, and supporting an Azure service requires more than developing architectures or deploying services. Normally it ends with Microsoft and the Cloud Solution Provider playing “ticket ping-pong” and no one wanting to be accountable.

With direct support, Microsoft is internally and externally accountable for the case, and all cases are reviewed by the responsible product group. So, in the end, it also helps make the product better and reduces the number of issues to be fixed.

Extending AD to Azure with Azure IaaS
https://www.altaro.com/hyper-v/extending-ad-to-azure/
Published Fri, 29 Apr 2022 14:53:46 +0000

Active Directory is a name for several different services. Learn when to use which one and how to combine them together.


In 1999, Microsoft previewed the first version of Active Directory in Windows Server 2000. Later, in April 2003, they improved it in Windows Server 2003. Since then, Active Directory has been a critical part of any size network.

The evolution of Active Directory didn’t stop with the development of cloud services. It became even more critical and agile. If you are running your workloads in the Azure cloud, there are three common ways to use Active Directory. Although all three solutions are based on Active Directory, they are used for different customer demands.

You can choose between Azure Active Directory, Azure Active Directory Domain Services, and Active Directory Domain Services. What the difference is, and when to prefer one over another, is what you will learn in this article.

What is Active Directory? For the folks not familiar with the topic, Active Directory is a directory-based service developed by Microsoft for Windows domain machines. The AD database contains critical information about your environment, users, computers, and who can do what. It offers centralized management of users, computers, and rights. It’s a must-have technology in any size network.

In the traditional way, you install Active Directory Domain Services (AD DS) role on Windows Server, making that server a domain controller (DC). You can learn more about all the different AD DS components in the Microsoft article Active Directory Domain Services Overview.

Azure Active Directory (AAD or Azure AD)

Azure Active Directory (AAD) is a cloud-based identity and access management service that provides your employees with a single sign-on (SSO). It is used to log in to Azure, Office365, Intune, and other third-party directory-aware applications. Azure AD supports multifactor authentication, security reports, audits, alerts, and conditional access policies.

For example, you may not need to deploy a dedicated AD DS for cloud-only users that run cloud services. Instead, you can use Azure AD. If you are running legacy directory-aware applications on-premises, you can migrate them to Azure and integrate them with Azure Active Directory.

Before using it, you need to create an Azure AD tenant. You can deploy it in minutes using the Azure portal. Choose the resource group, tenant type, organization, initial domain name, country, and data center location. If you want to dig deep into details, check the Microsoft article about it.

Azure AD tenant created in minutes


Azure AD doesn’t include all the features of an on-premises AD DS (and vice versa). You will get access to some or all of the features listed in the article.

How much does it cost? Azure AD comes in four plans: Free, Office 365 apps, Premium P1, and Premium P2. The free version is included with a subscription to a commercial online service (Azure, Dynamics 365, Intune, Power Platform). You can compare the different Azure Active Directory (Azure AD) pricing plans.

Sync your on-premises AD DS to Azure AD

Because Microsoft fully manages Azure AD, you can use it as a cloud-only directory service or in combination with your on-premises Active Directory. Azure AD can be synced with an on-premises AD DS using Azure AD Connect to provide single sign-on (SSO) to users who natively work in the cloud.

You need to install Azure AD Connect on an on-premises Active Directory joined server (a member server is preferred, but it can run on a DC). The installation tool guides you in selecting a solution (password hash sync or federation with AD), establishing identity synchronization, and installing the other Microsoft software components required for deployment. You need to specify Azure AD and AD DS credentials.

Azure AD Connect


You can install Azure AD Connect using express or customized settings. If you have a single forest, you use express settings and keep the same password through password hash sync. The customized settings are used when you have multiple forests and need pass-through authentication, AD FS for federation, or a third-party identity provider.

Using Azure AD Connect express settings to sync with an on-premises AD DS


Once you are connected, the wizard will do a few automated tasks, including installing a synchronization engine, configuring the Azure AD connector, enabling password hash synchronization, enabling auto-upgrade, and configuring synchronization services on AD DS.
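Once the wizard has finished, the things worth checking are exactly the ones it configured. The following is an added example, not code from the original post or from Microsoft: it uses the ADSync module that Azure AD Connect installs to confirm the scheduler is enabled and not in staging mode, that password hash synchronization is on for the on-premises connector, and then triggers a delta cycle only when the engine is idle. The connector name is a placeholder; take the real one from Get-ADSyncConnector.

```powershell
# Added example, not from the original post: post-install health checks for an
# Azure AD Connect server. Run in an elevated PowerShell on that server; the
# ADSync module ships with Azure AD Connect. The connector name is a placeholder:
# take the real one from Get-ADSyncConnector.
Import-Module ADSync

$onPremConnector = 'corp.example.test'   # placeholder: name of your AD DS connector

# Scheduler: the cycle must be enabled and the server must not sit in staging
# mode, otherwise changes are imported but never exported to Azure AD.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) { throw 'Sync cycle is disabled; nothing flows to Azure AD.' }
if ($sched.StagingModeEnabled)    { Write-Warning 'Server is in staging mode: no exports to Azure AD.' }
"Next sync: $($sched.NextSyncCycleStartTimeInUTC) UTC, interval $($sched.CurrentlyEffectiveSyncCycleInterval)"

# Password hash sync: the express-settings choice from the post. If it is off,
# synced users exist in Azure AD but cannot sign in with their AD password.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $onPremConnector
if (-not $phs.Enabled) { Write-Warning "Password hash sync is disabled for connector $onPremConnector" }

# Trigger a delta cycle by hand only when no connector run is in progress;
# Get-ADSyncConnectorRunStatus returns nothing while the engine is idle.
if (-not (Get-ADSyncConnectorRunStatus)) {
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    'A sync run is already in progress; try again after it finishes.'
}
```

The staging-mode check matters when you run two Azure AD Connect servers for resilience: exactly one may be active, and a server left in staging mode after a failover test looks healthy while exporting nothing.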

However, Azure AD does not have capabilities like group policies, application containers, or extensible schema, which is sometimes required by some workloads. For that, you need Active Directory Domain Services or Azure Active Directory Domain Services (AADDS): both covered in the next part.

An alternative to AAD Connect is AAD Connect Cloud Sync (yes – someone at Microsoft really has a sense of humour when they try to confuse us with all these names). This is a simpler solution than AAD Connect which is managed from Azure and only requires simple agents installed on-premises. The two can also be used together in a situation where you have a merger, for instance, your main organization is synced using AAD Connect but users and groups in the other forest need to be brought into your Azure AD through AAD Connect Cloud Sync.

Azure Active Directory Domain Services (AADDS)

Azure Active Directory Domain Services (AADDS) provides managed domain services such as domain join, NTLM, Kerberos, LDAP and group policy, and it is fully compatible with Windows Server AD DS. It is a PaaS cloud service available in Azure; you deploy it without deploying domain controllers. AADDS synchronizes with Azure AD, so if you have user accounts that are cloud-only, they’ll appear in your AADDS domain. Alternatively, if you need on-premises AD accounts to appear in your AADDS instance, you synchronize them to Azure AD through Azure AD Connect (described above), and from there they are synchronized into AADDS.

The managed domain is something you create in the Azure portal in a few minutes using Azure AD Domain Services (AADDS). It is associated with your Azure tenant. The wizard asks for the DNS name, subscription, resource group, virtual network, subnet, and forest type. The complete guide on how to do it is covered in this article.

AADDS successfully created in the resource group


Once you deploy it, Microsoft creates two domain controllers for you and patches them accordingly. This deployment is known as a replica set. If you want to dig deep into details, check the Microsoft article about it.

How much does it cost? It is subscription-based. There are no upfront costs and no termination fees. You only pay for what you use. The price depends on the performance plan you choose: Standard, Enterprise, or Premium. You can check all the details here.

The other option is to create a self-managed domain, simply by deploying a dedicated virtual machine in Azure and installing AD DS. That sounds fine, but how can you make the connection between on-premises and the cloud possible? You will need to set up a site-to-site VPN or use ExpressRoute to allow replication between self-managed Active Directory domain controllers.

ExpressRoute provides direct connectivity between on-premises environments and Azure via private tunnels. It happens through a third-party connectivity provider, and it supports bandwidth up to 10 Gbps (or 100 Gbps with ExpressRoute Direct).

Azure VPN Gateway works like a traditional VPN; the connection between on-premises and the cloud happens over the Internet using the IPsec protocol.

Azure VPN Gateway


In the table below, you can see the difference between Azure Active Directory Domain Services (AADDS) and self-managed Active Directory Domain Services (ADDS).

 

Feature: AADDS / AD DS

  • Managed service: yes / no
  • Secure deployments: yes / you secure the deployment
  • DNS server: yes (managed service) / yes
  • Domain or Enterprise administrator privileges: no / yes
  • Domain join: yes / yes
  • Domain authentication using NTLM and Kerberos: yes / yes
  • Kerberos constrained delegation: resource-based / resource-based & account-based
  • Custom OU structure: yes / yes
  • Group Policy: yes / yes
  • Schema extensions: no / yes
  • AD domain/forest trusts: yes / yes
  • Secure LDAP (LDAPS): yes / yes
  • LDAP read: yes / yes
  • LDAP write: yes (within the managed domain) / yes
  • Geo-distributed deployments: yes / yes

Azure AD DS and self-managed AD DS

Run Active Directory within the Azure VM

If you are running an on-premise Active Directory, you are already familiar with this procedure. Running Active Directory within the Azure VM means creating a dedicated Azure VM instance that includes Windows Server 2012 R2/2016/2019/2022 and then installing the Active Directory role on it. Basically, the Active Directory in the cloud runs the same way as it runs in the on-premise machine.

Before installing it, you need to prepare your Azure environment. That includes a resource group in which to install the VM, a virtual network, a subnet, a network security group, and RDP enabled so you can connect to your VM. The components created when creating the Azure VM are shown in the screenshot below.

Azure resource group with all the components created upon creating "dc-on-premise" VM


As in an on-premises environment, to make Active Directory highly available you need to deploy at least two virtual machines (each running Active Directory and DNS). Azure provides high availability for the VM itself, but not for the services you run inside it. So, that part is up to you.

Once you install the Active Directory Domain Services (AD DS) role, you need to set up the forest and configure the domain controllers. You can do it using the Azure portal (GUI) or Azure CLI. The complete Microsoft guide on installing it is available here.
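One way to carry out the steps above with PowerShell, as an added example that is not code from the original post or from Microsoft. It gives the VM's NIC a static private IP (a domain controller must not change address), narrows the RDP rule the post opens so it is not reachable from the whole Internet, installs the AD DS role, creates the forest and verifies the result after the reboot. Resource group, NIC, NSG and rule names, the admin address range and the domain name are constructed placeholders; the rule name 'RDP' is assumed to be the one the portal created.

```powershell
# Added example, not code from the original post: preparing an Azure VM and
# promoting it to the first domain controller of a new forest. All resource,
# rule, address and domain names are constructed placeholders.
# Steps 1-2 run from an admin workstation with the Az module (Az.Network);
# steps 3-5 run inside the VM in an elevated PowerShell session.

$rg = 'rg-ad-lab'   # placeholder resource group from the post's VM deployment

# 1. A domain controller must keep its IP address: switch the NIC from dynamic
#    to static private allocation before promotion.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'dc-on-premise-nic'
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# 2. The RDP rule opened during VM creation (assumed to be named 'RDP') should
#    not stay open to the Internet; restrict its source to your admin range.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'dc-on-premise-nsg'
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'RDP' `
    -Protocol Tcp -Direction Inbound -Access Allow -Priority 300 `
    -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389' | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 3. Inside the VM: install the AD DS role and its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Create the forest. The DSRM password is prompted for, not stored in the
#    script; the VM reboots automatically when promotion finishes.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString
Install-ADDSForest -DomainName 'corp.example.test' -DomainNetbiosName 'CORP' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# 5. After the reboot: confirm the DC is advertised and DNS resolves the
#    locator record. A second VM joins the forest with Install-ADDSDomainController
#    so the directory, not just the VM, is highly available.
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog, OperatingSystem
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.test' -Type SRV
```

Step 1 is the one most often skipped: with a dynamic allocation the VM usually keeps its address, right up until the deallocate/start cycle where it does not, and clients pointed at the old DNS server address stop authenticating.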

Virtual machine backed up from onsite location to Azure cloud


To properly protect your Hyper-V virtual machines, use Altaro VM Backup to securely back up and replicate your virtual machines. We work hard perpetually to give our customers confidence in their Hyper-V backup strategy.

To keep up to date with the latest Hyper-V best practices, become a member of the Hyper-V DOJO now (it’s free).

Want to do more with Azure IaaS?

Whether you’re making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you’re looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (IaaS) will teach you to set up and maintain a high-performing Azure IaaS environment.

Written, and now updated, by Paul Schnackenburg, veteran IT consultant and trainer, grab your free 100+ page guide now!

 

As always, I hope you enjoyed reading the article at hand, as well as learning something from it. Feel free to leave a comment or ask any questions you might have. Also, feel free to connect with me and check out the latest content on my personal blog.

Your Azure Stack HCI Questions Answered
https://www.altaro.com/hyper-v/azure-stack-hci-faq/
Published Tue, 29 Mar 2022 13:58:07 +0000

The 29 most frequently asked questions about Azure Stack HCI, finally answered.


Hybrid cloud is taking the IT world by storm. Major vendors like Microsoft have been making significant strides towards Hybrid cloud technologies over the last several years, and many customers find themselves in the planning phases of implementing this new technology. While many organizations are unable to make the leap to 100% cloud native architecture, it’s clear that many organizations see value in hybrid cloud deployments. In fact, the majority of respondents from our recent hybrid cloud survey stated that they see hybrid deployments as a destination, not a temporary state.

Many IT Pros See Hybrid as a Destination instead of a Temporary State

Revisit the Webinar

In the spirit of this shift in the industry, we hosted a webinar (now available on demand!) focused specifically on Azure Stack HCI, which is Microsoft’s key entry into the hybrid cloud space. In this webinar, Carsten Rachfahl and I (Andy Syrewicze) discussed a number of key points such as:

  • What is Azure Stack HCI?
  • How to Install Azure Stack HCI
  • Storage and Networking Considerations for Azure Stack HCI
  • Licensing Azure Stack HCI
  • And more!

As seems to be the norm with the webinars we run, we didn’t have a chance to get to all the questions that were asked during the session. So with that in mind, we’ve provided a full list of the questions and their associated answers below!

Carsten and I also recorded an extended webinar Q&A for The Sysadmin DOJO Podcast! You can listen or watch for more discussion on the questions.

Finally, if you have any follow-up questions or asked a question during the webinar that you do NOT see below, please use the comments form at the bottom of this post to ask your question, and we’ll be sure to get you an answer!

Enjoy!

The Questions

Q: What backup vendors are supported by Azure Stack HCI?
A: While we can’t speak for other backup vendors, Azure Stack HCI is a fully supported backup source when using Altaro VM Backup!

Q: Our infrastructure is heavily reliant on VMware. What considerations do we need to have in mind on how we go about implementing/adopting Azure Stack HCI in our environment?
A: Best recommendation I can give here is to make sure your team is up to speed on Hyper-V and Storage Spaces Direct. Once you’ve got that knowledge under your belt, the VMware knowledge and virtualization concept info you already know about will “migrate” more easily into an Azure Stack HCI implementation.

Q: How can I go about learning Azure Stack HCI without spending a bunch of money?
A: You can run Azure Stack HCI for free for up to 60 days. Additionally, you can sign up for a free Azure trial subscription if you haven’t done so already. This would help you address some of the monthly cost. Finally, if you join the Azure Stack HCI Preview Channel you can run Azure Stack HCI for free. That said, as that particular version is in “preview”, be sure not to run it in production scenarios.

Q: Can you deploy any Azure solutions into your HCI stack (e.g. Log Analytics), or only VMs and Kubernetes?
A: A lot of container-based Azure services will be available on Azure Stack HCI. At the moment there are Data Services and Cognitive Services, with more to come!

Q: Can I Manage Azure Stack HCI from SCVMM?
A: Yes! See this Microsoft Docs entry for more information!

Q: Is it possible to migrate existing workloads to Azure Stack HCI?
A: Sadly there isn’t a native live migration option for this. Currently, your options are to use the documented Robocopy process that Microsoft has laid out here, or use a third-party tool (such as Altaro VM Backup!)

Q: Can Azure Stack HCI run as a standalone setup instead of having to connect to Azure?
A: The solution needs to be able to connect to Azure at least every 30 days to process billing and licensing, but otherwise can function quite independently.

Q: *I am not sure how to ask this. Since we are an SMB customer, it seems that Azure Stack HCI would be a more cost-effective solution for us vs. using full-blown Azure. Am I understanding this correctly?
A: This really comes down to a costing exercise. You’d need to determine the cost of the services you would need to run in Azure vs. the $10/core/month licensing for your Azure Stack HCI hosts, along with whatever Windows Server guest licensing you would need. If you’re small enough that you can license your guest VMs using Standard edition licensing, the costing could be quite competitive.

Q: Are there additional costs over and above the monthly service fee of $10/core/month?
A: This depends on the services you intend on running. Any of the extra services in Azure would require additional cost. If you intend on running Windows Server VMs on your Azure Stack HCI Cluster then you must also handle the Windows OS Guest licensing.

Q: *Do you have any documentation for Windows 2022 server with the same setup, like stretched cluster and S2D for example?
A: Unfortunately, stretched clustering with S2D is currently not supported in Windows Server 2022 S2D like it is on Azure Stack HCI.

Q: Can Azure Stack do multi-tenant deployments?
A: While the technology to do so is certainly “in the box”, there are licensing restrictions with service provider SPLA licensing that would make this nearly impossible. Our suggestion is to reach out to your Microsoft licensing rep for more information on this scenario.

Q: Can we deploy Azure Stack HCI in a nested environment for a home lab?
A: Yes! This works well!

Q: What is the minimum number of nodes needed to deploy Azure Stack HCI?
A: Two nodes is the minimum.

Q: Do the cluster nodes in Azure Stack HCI have to be the same hardware spec, CPU, HDD, RAM, etc?
A: Best practices would say yes, but I know it doesn’t always work that way in the real world. It should work with different kinds of hardware. That said, if you have very different CPUs you’ll want to pay special attention to the CPU compatibility settings in your VM Settings.

Q: Hi, does Azure Stack HCI have something like full mirroring for the VM layer? Something like full HA where, if one of the nodes fails, the activity of the VMs is not affected? Similar to Fault Tolerance in VMware?
A: Not at this time. Currently, Azure Stack HCI provides HA, in that if a node fails, the other nodes in the cluster will recover and restart the affected VMs.

Q: How do you deploy VMs/workloads to Azure Stack HCI?
A: You can interact with and deploy VMs in the same way you would with Hyper-V. You can use any of the Hyper-V management tools, or you can use Windows Admin Center as well!

Q: Is Hyper-V Replica Supported with Azure Stack HCI?
A: No.

Q: Can I Install Azure Stack HCI on a Single Node?
A: This isn’t currently supported today, but this would certainly be a nice deployment option!

Q: What spec VMs are needed for a nested VM cluster running Azure Stack HCI?
A: I would recommend following the MSLab GitHub project. It has a lot of useful information and scripts for deploying Azure Stack HCI in lab environments and there is some sizing info present there as well!

Q: Are 2-Node Azure Stack HCI Stretch Clusters Supported?
A: Not at this time, no.

Q: With the integration of Azure Stack HCI with Azure, apart from the disconnected scenarios, do we really need Azure Stack Hub?
A: There are really different use-cases between Azure Stack HCI, and Azure Stack Hub. This link has some details concerning the differences between the two.

Q: What does the GPU support look like for Azure Stack HCI?
A: More information on GPU support can be found here.

Q: Can you mix Azure Stack HCI Nodes of Different Versions?
A: While it’s certainly possible, it’s not recommended outside of patching windows. This is primarily due to the fact that Microsoft will not support versions of Azure Stack HCI that are more than 6 months old.

Q: Is it possible to expand a cluster from 2 nodes to 3 nodes automatically without rebuilding the storage volumes? Or do we need to first create a 3 way mirror volume, copy VMs, and then remove the 2 way mirror volume?
A: If you want to switch from 2-way mirror to 3-way mirror you have to create new volumes and move the workload live with storage migration. If you stay at 2-way mirror you don’t have to do anything.

Q: One of the use cases of Azure Stack HCI is VDI, So what is the added value of Azure VDI on Azure Stack HCI?
A: One of the benefits is being able to select your hardware of choice. Additionally, there are some benefits in the realm of licensing when it comes to VDI on Azure Stack HCI. Check with your Microsoft licensing rep for more information on this scenario.

Q: Will Azure Blob Storage be coming to Azure Stack HCI?
A: Currently it is not available, nor have we heard any news that it’s in the pipeline.

Q: What do you recommend for monitoring HCI Stack on-prem servers and for monitoring Hyper-V performance?
A: You can certainly use the usual Windows built-in tools like Perfmon, Task Manager, etc. For larger monitoring scenarios, I’d recommend looking at monitoring using the native Azure integrations.

Q: Does Azure Stack HCI run on uncertified hardware for lab use?
A: Yes it can. Certainly this isn’t preferred for production cases, but should be fine in a lab.

Q: The 60-day trial, is that per Azure tenancy, or is that per installation? I.e., do we need to sign up a lab Azure account to repeat the trial?
A: Microsoft states that you can only register a hardware cluster once. So with that in mind, we can’t say one way or the other, as we haven’t tested this specifically.

Wrap-Up

That wraps up our questions from the webinar. Again, if you asked a question that you don’t see above, or you think of a follow-up question, by all means let us know below! We’ll be sure to get you an answer one way or the other!

As always, thanks for reading!

What’s New in System Center 2022? https://www.altaro.com/hyper-v/system-center-2022/ https://www.altaro.com/hyper-v/system-center-2022/#respond Fri, 11 Mar 2022 11:40:59 +0000 https://www.altaro.com/hyper-v/?p=23946 System Center 2022 brings compatibility with Windows Server 2022, Azure Stack HCI and some polish, but not a lot of innovation.

The post What’s New in System Center 2022? appeared first on Altaro DOJO | Hyper-V.


Launched in “early preview” in November 2021, the next version of System Center is going to be released in the first quarter of 2022.

In this article, we’ll look at what’s new in each of the main components, Virtual Machine Manager, Operations Manager and Data Protection Manager and make some predictions around the finished product.

Virtual Machine Manager 2022

If you have a medium to large deployment of Hyper-V clusters, VMM is a must for management. Somewhat equivalent to vCenter in the VMware world, this is the server product that lets you manage templates for VMs, including templates with multiple VMs (called a service) and other artefacts, as well as automated deployments. VMM also manages your Software Defined Networking (SDN) stack and your backend storage (SANs and S2D). Notably, it also manages VMware virtualization hosts and clusters and can also integrate with Azure for light VM management.

SC Virtual Machine Manager 2022 Installation

There are a few new features in this version but the running theme throughout System Center 2022 (unless there’s a surprise reveal at GA) is that this is mostly about finishing little details and ensuring compatibility with current platforms. VMM 2022 runs on Windows Server 2022 and can manage Windows Server 2022 hosts.

On the networking side, the SDN stack gets support for dual-stack IPv4 and IPv6. You’ll need to be using the SDN v2 stack, but that’s been where any new features have appeared since System Center 2016. In case you’re not familiar: up to System Center 2012R2 / Windows Server 2012R2 Microsoft built their own network virtualization stack and protocol, but in 2016 they offered VXLAN from VMware as an alternative. They also switched to an Azure-inspired architecture where there’s a set of Network Controller VMs running on your cluster, managing all the virtualized networks. There are also Software Load Balancer VMs managing incoming network traffic, plus a Gateway providing connectivity from a virtualized network to the wider world. The dual-stack support covers all of these components, including site-to-site VPN (IPSec, GRE tunnel and L3 tunnels), so if your datacenter is adopting IPv6, VMM is all ready to go. Note that you’ll need to provide both IPv4 and IPv6 address pools when setting this up.

VMM Logical Network with IPv4 and IPv6 subnets

The other big-ticket item is support for Azure Stack HCI (version 20H2 and 21H2) and Windows Server 2022. Note that VMM 2019 Update Release 3 (UR3) does provide support for Azure Stack HCI 20H2. If you missed our Windows Server 2022 webinar and haven’t heard of Azure Stack HCI realize that it’s got very little to do with Azure. This is a special version of Windows Server and Hyper-V that you cluster on top of Storage Spaces Direct (S2D) which you can then manage from Azure. The benefit of Azure Stack HCI is that all the latest features in Windows Server (and Hyper-V) are released for it (unlike “normal” Windows Server) and the downside is that you pay a subscription fee per core, per month, for it.

You can add existing Azure Stack HCI clusters, and you can also create new ones from within VMM. You can manage the entire VM lifecycle, set up VLAN based networks, deploy/manage the SDN controller and manage storage, creation of virtual disks and cluster shared volumes (CSVs) and application of storage QoS. There are new PowerShell cmdlets to handle Azure Stack HCI (Register-SCAzStackHCI).

Note that disaggregated Azure Stack HCI clusters (for Scale Out File Server, SOFS) aren’t supported, nor is Live Migration from an Azure Stack HCI cluster to a Windows Server cluster (although quick migration should work).

I installed the “early preview” on a Windows Server 2022 VM, and it works as advertised, with no visual differences from VMM 2019.

Operations Manager

Apart from VMM, I think SCOM is probably the strongest part of System Center. This venerable product keeps an eye on everything in your virtualized datacenter. Using Dell/HP/Lenovo servers? Just install the free management pack and you’ll get hardware monitoring, down to individual fans in your servers. The same goes for your networking and storage gear. Properly configured, SCOM provides visibility into your entire datacenter stack, from physical hardware to user-facing application code.

There are two new RBAC roles. Read-only Administrator does what it says on the tin, including reporting. The Delegated Administrator profile doesn’t include report viewing, but you can customize exactly what it should be able to do by adding one or more of:

  • Agent management
  • Account management
  • Connector Management
  • Global settings
  • Management pack authoring
  • Notification management
  • Operator permissions
  • Reporting permissions

If you have disabled NTLM in your organization, SCOM 2016/2019 reporting services are impacted; 2022 has a new authentication type (Windows Negotiate) that fixes this issue.

An interesting twist is the ability to choose the alert closure behavior. In 2019 you can’t close an alert while the underlying monitor is unhealthy; now you can choose to close the alert and reset the monitor health, which lets you bulk close alerts. This brings back the behavior from earlier versions of SCOM. Alternatively, you can choose to stay with the 2019 behavior.

There are improvements to the upgrade process: registry key settings and the custom install location of the Monitoring Agent are maintained when going from SCOM 2019 to 2022.

Alerts can now be sent to Teams channels, instead of Skype for Business.

SCOM can also monitor Azure Stack HCI deployments, using a new MP, which is actually a grouping of current Management Packs (BaseOS, Cluster, Hyper-V, SDN and Storage).

There are also some other minor fixes: the SCOM database can run on SQL Always On (no post-configuration changes required), the Linux agent supports SHA256 for certificates, the FQDN source of an alert is now shown when tuning Management Packs, and you can view the alert source for active alerts. Newer Linux distros such as Ubuntu 20, Debian 10 and Oracle Linux 8 are also now supported for monitoring.

The dependency on the LocalSystem account on Management Servers has been removed and just like the other System Center components, SCOM 2022 runs on Windows Server 2022.

Data Protection Manager

Apart from running on Windows Server 2022, there are a few improvements in DPM. The main one (depending on your restore scenarios) is removing the requirement for file catalogue metadata for individual file and folder restores, using an iSCSI-based approach instead, which improves backup and restore times.

If you’re using DPM to protect VMware vCenter you can now restore VMs in parallel; the default is up to 8 VMs simultaneously, but you can raise that limit with a simple registry change. Speaking of vCenter, VMware 7.0, 6.7 and 6.5 are supported, and you can now separate the VDDK logs that relate to VMware operations from the rest of the DPM logs and store them in a user-defined file.

Another “big” improvement is the change of the maximum data storage for a DPM server from 120 TB to 300 TB. As before, it’s recommended to have tiered storage with a small amount of SSD cache and the rest hard-drive-based and use the ReFS file system.

Should you be Excited?

It seems that System Center Orchestrator will come in a 64-bit version, although the bits weren’t part of the Early Preview, nor was System Center Service Manager 2022.

Overall, for me there’s nothing that we’ve covered in this article that’s a “must-have” to entice me to upgrade but if I’m upgrading to Windows Server 2022 anyway, or considering Azure Stack HCI, it’s a natural step.

I often express it like this – System Center is on life support. Microsoft isn’t looking to gain more market share against other datacenter management suites, they’re simply keeping System Center up to date and able to manage the latest OSs so that if you’re already a customer – you have a comfortable upgrade path. All System Center products also incorporate various levels of Azure/Microsoft 365 integration to tick the box of being “hybrid” and helping enterprises in their journey to the cloud.

How to Use Nested VMs in Azure https://www.altaro.com/hyper-v/nested-vms-azure/ https://www.altaro.com/hyper-v/nested-vms-azure/#respond Mon, 07 Mar 2022 08:11:29 +0000 https://www.altaro.com/hyper-v/?p=24100 Ok it's expensive but nested virtualization in Azure does have some really neat use-cases you won't be able to accomplish in another way

The post How to Use Nested VMs in Azure appeared first on Altaro DOJO | Hyper-V.


This article will discuss the most expensive way to host a virtual machine within Microsoft Azure: Nested Virtualization. While I say this with a glint of humor, it is also true: Nested Virtualization is not cheap. Nested virtualization consists of hosting a virtual machine inside another, premium-sized virtual machine. It does enable you to solve some problems you can’t solve otherwise, or may not want to solve otherwise; we will attempt to unpack that within this article.

Nested Virtualization

Nested Virtual Machines are not new. Microsoft announced Nested Virtualization in Azure in July 2017 by introducing Dv3 and Ev3 Virtual Machine sizes. These virtual machines support Intel processors with VT-x and EPT technology and operating system support in Windows Server 2016/2019/2022.

A big caveat to note on Nested Virtualization is that the Nested Virtualization Host is supported; however, the nested virtual machines are not. The Microsoft documentation that introduced this topic carries the following note:

Nested Virtualization Host

Wait, but why?

The “how-to” with technology is often the most accessible explanation. Before we unpack the technicalities and how easy it is to achieve nested virtualization, we want to understand why we may want to do this. The note above mentions, “Labs, testing environments, demo environments, etc., are more of its purpose.”

Familiarity with tools

You like Hyper-V, and you can’t deny…. While this may be true, there are drawbacks to using this approach. Cost becomes an issue, and so does supportability. Unless you have Azure Credit burning a hole in your pocket, this is not the best way to provision virtual machines. Azure supports a vast array of options here, including the Azure Resource Manager Web GUI and several command-line options that include PowerShell, Azure CLI, bash, etc. If Infrastructure as Code is more of your game, consider Terraform, Ansible, or Microsoft’s Bicep to build your virtual machines.

Legacy migrations

The most significant risk to mitigate in a legacy environment old enough to host Server 2003 virtual machines is often the hardware age. Nested virtualization lets us migrate a Windows Server 2008 R2 Hyper-V host containing Windows Server 2003 guests into a nested Windows Server 2016 Hyper-V host. The resulting Hyper-V host may be new on-premises hardware or an Azure Virtual machine of sufficient size.

Microsoft supports the Hyper-V role and Failover Clustering on Windows Server 2008 R2 and later operating system versions in Azure Ev3 and Dv3 series VMs. Microsoft does not support the Azure Virtual Machine Agent on virtual machines running Windows Server 2003, although it does support deploying the operating system itself, which makes managing such an OS tricky.

Windows Server 2012 and Windows Server 2008 both support integration services on Windows Server 2003 guest virtual machines. Server 2003 guest virtual machines may be managed through the host operating system or System Center Virtual Machine Manager, providing clear avenues for support.

A stretched Hyper-V cluster to move an environment into Azure is also possible, considering Hyper-V supports shared-nothing replication and failover. Building such a stretch cluster may allow you to move your legacy Server 2008 R2 hosts onto supported hardware and then move that hardware to Azure, where the Windows Server virtual machine host is still supported.

Disaster Recovery

Disaster Recovery is another reason you may want to use the nested virtual machine scenario. Consider an on-premises virtual environment stretching into Azure using the same kind of stretch cluster logic we mentioned above. But instead of migrating a legacy platform onto Azure, you’re considering using Azure as the disaster recovery failover destination.

After all, it makes sense since Azure gives you great network, storage, etc., options. However, I would like to suggest this option only if Azure Site Recovery’s lack of support for migrating clients containing Hyper-V disqualifies it from providing a DR option that fits. I prefer Azure Site Recovery over nested virtualization as it is vastly cheaper.

Lab training

Azure Lab Services offer the ability to set up training labs and run them in Azure, including support for nested virtualization where required.

Developers, Developers, Developers?

In my opinion, this may be the thinnest reason of them all to deploy nested virtualization. Developers, like infrastructure folks, like to stick with the tools they know. In the cloud, nested virtualization is probably the bluntest tool of them all, considering what we discussed above in the “familiarity with tools” section. Besides the magic of Bicep and Terraform, Azure DevLabs and Dev tier costing mitigate any familiarity Hyper-V may bring.

Size does matter

Since large virtual machines are expensive, we use the Azure Start/Stop VMs during off-hours feature to help with cost containment and switch off nested virtual machine hosts outside of business hours.

Not every virtual machine is capable of nested virtualization. At the time of writing this article, v3 virtual machine families and later are Hyper-threaded and capable of running nested virtualization.

Networking!

A significant restriction or parameter for the practical use case of the nested virtualization scenario is networking. Due to fabric restrictions, External Virtual Switches do not function in the same way as they do on your local LAN. DHCP broadcasts don’t propagate, and manually assigned IP addresses are not honored by Azure Networking. While double NAT workarounds to separate subnets do exist, in my mind, they range into the realm of the impractical.

For this reason, the rest of this article will be written to use Internal Virtual Switches, which are well understood and easy to manage. Remember, though, that internal address spaces need to be defined; for this reason, we include DHCP services with Hyper-V for our install guide.

But what about….?

Outside of the cost argument, there are definite benefits to nested virtualization, which include enabling scenarios that cannot be accommodated otherwise, including the use of nearly unlimited amounts of hardware. Nested virtualization enables otherwise unsupported guest operating systems, like Windows 2000, Server 2003, unsupported Linux builds, etc., or even unsupported scenarios that are impossible to achieve within a native Azure VM, such as custom or experimental drivers.

How to Use Nested VMs in Azure

First, we will build a virtual machine to the specification required to support your use case; consider how much RAM and CPU you may need. In my case, I’m demonstrating the concept and need very light virtual hardware. Windows Server 2019 running on a Standard D2s v3 will do nicely. Depending on your needs, you may need a larger Azure Virtual Machine SKU. As we configure this virtual machine, allow inbound RDP during the setup; we will restrict it immediately afterwards.

Create a resource

create a virtual machine

VM Info

deployment complete

As we mentioned above, ensure that Auto-shutdown settings are configured unless your host is required to run 24×7.

Auto-shutdown settings

Next, navigate to Networking settings, click on the first rule, and change it to reflect your external IP address, restricting RDP access to this Virtual Machine from your network only.

Networking settings

RDP

Navigate to the connect tab, download, and connect using the RDP file option.

connect using the RDP file option

As you connect and authenticate, allow your machine to be discoverable by external networks.

allow your machine to be discoverable by external networks

Using elevated PowerShell for all of our examples, install both DHCP as well as Hyper-V.

Install-WindowsFeature -Name DHCP,Hyper-V -IncludeManagementTools

Next, also enable the Hyper-V feature through DISM.

dism /Online /Enable-Feature /FeatureName:Microsoft-Hyper-V /All

Note that we have installed Hyper-V and DHCP, as demonstrated by the screenshot showing our management tools.

Hyper-V and DHCP

Using Get-NetAdapter in an elevated PowerShell session, we show that the default network interface is enabled. In the screenshot below, you’ll notice that Windows recognizes one interface only. We also show that our host machine can ping Google DNS.

elevated PowerShell

Next, we need a virtual switch for our virtual machines to connect to, and an address range to configure. We create an internal virtual switch called “vSwitchInternal” and set a NAT rule and gateway for the same switch. Execute the following commands in the same PowerShell window to preserve the PowerShell variable values.

# Name of the internal switch; the same variable is reused by every command below
$switchName = "vSwitchInternal"

# Create the internal switch the nested VMs will attach to
New-VMSwitch -Name $switchName -SwitchType Internal

# NAT the 192.168.0.0/24 guest range out through the host's Azure NIC
New-NetNat -Name $switchName -InternalIPInterfaceAddressPrefix "192.168.0.0/24"

# The switch shows up on the host as "vEthernet (vSwitchInternal)"; grab its interface index
$ifIndex = (Get-NetAdapter | ? {$_.Name -like "*($switchName)"}).ifIndex

# Assign the host-side address that the guests will use as their gateway
New-NetIPAddress -IPAddress 192.168.0.1 -InterfaceIndex $ifIndex -PrefixLength 24

PowerShell window

configure DHCP services

Next, in the same PowerShell window, we configure DHCP services using the same switch for a limited range, assign a gateway IP of 192.168.0.1, external DNS IP, and restart the DHCP service.

# Lease range for the guests; the host keeps 192.168.0.1 as the gateway
Add-DhcpServerV4Scope -Name "DHCP-$switchName" -StartRange 192.168.0.50 -EndRange 192.168.0.100 -SubnetMask 255.255.255.0

# Hand guests the host-side switch address as router and Azure's recursive DNS resolver
Set-DhcpServerV4OptionValue -Router 192.168.0.1 -DnsServer 168.63.129.16

Restart-Service dhcpserver

Once the command completes successfully, create a child virtual machine using the configured internal switch. If you need help at this point, consider reading our article on this topic.
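The same host-side configuration as the walkthrough above, written as an added example rather than the article’s own commands: it checks for each object before creating it so the script can be re-run safely, matches the switch’s host adapter by its exact name instead of a wildcard, sets the router and DNS options at scope level, and reports what a guest will actually be handed. It assumes the Hyper-V and DHCP roles are already installed and that the host is not domain-joined (so no DHCP server authorization step is needed); the address values are the ones used in the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): idempotent setup of the internal
# switch, NAT and DHCP scope for nested VMs on an Azure host VM.
# Assumptions (mine, not the article's): Hyper-V and DHCP roles are installed,
# the host is a workgroup machine, and 192.168.0.0/24 is unused on the host.

$ErrorActionPreference = 'Stop'

$switchName = 'vSwitchInternal'
$natPrefix  = '192.168.0.0/24'
$scopeId    = '192.168.0.0'
$gatewayIp  = '192.168.0.1'
$scopeStart = '192.168.0.50'
$scopeEnd   = '192.168.0.100'
$subnetMask = '255.255.255.0'
$dnsServer  = '168.63.129.16'   # Azure-provided recursive DNS, as in the article

# 1. Fail early if the roles the rest of the script depends on are missing.
if (-not (Get-WindowsFeature -Name Hyper-V).Installed) {
    throw 'Hyper-V role is not installed on this host.'
}
if (-not (Get-WindowsFeature -Name DHCP).Installed) {
    throw 'DHCP Server role is not installed on this host.'
}

# 2. Internal switch: create only if it does not already exist.
$vmSwitch = Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue
if (-not $vmSwitch) {
    $vmSwitch = New-VMSwitch -Name $switchName -SwitchType Internal
}

# 3. An internal switch surfaces on the host as "vEthernet (<switch name>)".
#    Match the full name so a similarly named adapter cannot be picked up by mistake.
$adapter = Get-NetAdapter -Name "vEthernet ($switchName)" -ErrorAction SilentlyContinue
if (-not $adapter) {
    throw "Host adapter for switch '$switchName' was not found."
}

# 4. Gateway address on the host side of the switch, added only if absent.
$existingIp = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
    -ErrorAction SilentlyContinue | Where-Object { $_.IPAddress -eq $gatewayIp }
if (-not $existingIp) {
    New-NetIPAddress -IPAddress $gatewayIp -InterfaceIndex $adapter.ifIndex -PrefixLength 24 | Out-Null
}

# 5. NAT for the guest range; reuse the object if it is already there.
$nat = Get-NetNat -Name $switchName -ErrorAction SilentlyContinue
if (-not $nat) {
    New-NetNat -Name $switchName -InternalIPInterfaceAddressPrefix $natPrefix | Out-Null
}

# 6. DHCP scope for the guests. Router and DNS are set on the scope itself
#    (not server-wide), so any other scope on this host is left untouched.
$scope = Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue
if (-not $scope) {
    Add-DhcpServerv4Scope -Name "DHCP-$switchName" -StartRange $scopeStart -EndRange $scopeEnd `
        -SubnetMask $subnetMask -State Active
}
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $gatewayIp -DnsServer $dnsServer
Restart-Service -Name DhcpServer

# 7. Summarize what a guest attached to the switch will receive.
[pscustomobject]@{
    Switch      = $switchName
    HostAdapter = $adapter.Name
    Gateway     = $gatewayIp
    NatPrefix   = (Get-NetNat -Name $switchName).InternalIPInterfaceAddressPrefix
    LeaseRange  = "$scopeStart - $scopeEnd"
    ScopeState  = (Get-DhcpServerv4Scope -ScopeId $scopeId).State
}
```

Run it in an elevated PowerShell session on the Azure host VM; a second run reports the same summary without creating duplicate switch, NAT or scope objects.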

create a child virtual machine

In the following screenshot, we have built a Windows Server 2022 virtual machine, which received a DHCP address in the configured range and can browse the internet successfully.

Windows Server 2022 virtual machine

On legacy Support

I built a Windows Server 2003 virtual machine next to a Server 2022 one on a Server 2019 host virtual machine in Azure to prove the point that it can be done. The virtual machine works, except that the integration services offered by Windows Server 2019 Hyper-V are limited, and it is, of course, completely unsupported.

Windows Server 2003 virtual machine

Windows Server 2019 Hyper-V

Conclusion

This article has shown you how to use nested virtualization in Azure for some very specific use cases; I hope you enjoyed reading it. Feel free to comment or ask any questions that you might have.

3 Microsoft Experts Evaluate Hybrid Cloud Technology Trends https://www.altaro.com/hyper-v/hybrid-cloud-technology-trends/ https://www.altaro.com/hyper-v/hybrid-cloud-technology-trends/#respond Fri, 28 Jan 2022 12:28:18 +0000 https://www.altaro.com/hyper-v/?p=23936 Cloud technologies are leading a revolution in IT - here three Microsoft experts discuss what it all means for the average IT pro

The post 3 Microsoft Experts Evaluate Hybrid Cloud Technology Trends appeared first on Altaro DOJO | Hyper-V.


It’s an interesting time to be an IT professional. The cloud is seeing increasing adoption for a number of reasons. On-prem infrastructure is now being influenced by cloud technologies (not the other way around) and the rate of change is faster than ever! What is an IT pro to do? How does one keep up with the modern IT ecosystem? These are all questions that I (Andy Syrewicze) posed to my good friends and highly intelligent fellow IT pros Didier Van Hoye and Thomas Maurer. But, before we get to that, a little background is needed.

A Look Back

A few years back, we ran a round-table-style webinar featuring the three of us that covered the increasingly cloud-centric IT industry and how IT Pros could adapt and begin to use new technologies in their day-to-day. We talked about several key items in the Microsoft stack including new management tools (like Windows Admin Center), Azure Stack, Azure IaaS, Containerization and more. The webinar was well received and can be watched on-demand. Also related, we have an updated eBook on Azure IaaS as well in case you’d like to dive further into that topic. While the mentioned webinar covers a lot of the theory-work behind the industry’s use of IaaS, the eBook provides all the nitty-gritty details about the technology and its applications.

Windows Server and Azure Stack HCI

That all said, with the release of Windows Server 2022 and Azure Stack HCI, things feel a bit different these days. Unlike previous releases of core Windows technologies, this iteration of the Windows Server stack no longer feels like a simple upgrade. We’re starting to see a VERY real push towards cloud technologies instead of the kindly nudge we’ve seen in previous years. With this push comes concern and angst, and I’ve talked with many a technology professional over the last year that is concerned about where the industry is moving and how to adapt.

All of these conversations caused me to keep thinking back to the webinar Thomas, Didier and I did all those years ago, and I kept asking myself the question…. Did we get it right? Were our predictions on point? It was this thought process that ultimately led me to the idea for the main piece of content I have for you today.

In the video below, the three of us sit down once again and revisit our discussion on cloud technologies 3 and a half years later. Not only do we talk about whether we were right or not, but we also discussed where the industry is going and how today’s technology professionals can keep pace with the crazy state of the industry today. I hope you enjoy this video, and as always, feel free to share your comments and questions in the comments section below and we’ll be sure to respond!

Watch the Video

How to Use Virtual Private Networks (VPNs) on Azure https://www.altaro.com/hyper-v/virtual-private-networks-azure/ https://www.altaro.com/hyper-v/virtual-private-networks-azure/#respond Fri, 14 Jan 2022 11:02:13 +0000 https://www.altaro.com/hyper-v/?p=23741 Everything you need to know about VPNs on Azure - Virtual WAN, Virtual Network Gateway, Network Virtual Appliance, Deployment, config, & more!


In this article, we’re going to look at Virtual Private Networks in Azure and how you can use them. As you may know, a Virtual Private Network or VPN is an encrypted tunnel over the Internet or other shared networks, for example, a telco provider network.

VPNs use different technologies to encrypt the traffic; the most common ones are IPsec and OpenVPN (SSL/TLS).

VPNs can connect branches (“sites”) and/or client devices to a corporate network. Branch and site VPN connections are most commonly called Site-to-Site or S2S VPNs and are generally permanently connected. User and device VPN tunnels are called Point-to-Site or P2S VPNs; they are normally initiated by the user or automatically by an application and are disconnected once they are no longer in use.

In Azure, you can use both types of VPN, but the setup differs depending on the solution you choose.

Let us first explore the VPN Service and Device Options you have in Azure.

VPN Services and Devices

In Azure there are three different options to build VPNs:

    • Using Virtual Network Gateways
    • Using Azure Virtual WAN
    • Using Network Virtual Appliances

All of them are capable of both Point-to-Site and Site-to-Site connections but they have different infrastructures underneath each of them.

Virtual Network Gateway

Virtual Network Gateways are a classic approach that many network architects are familiar with. You deploy one VPN Virtual Network Gateway service within a Virtual Network. That service combines Point-to-Site and Site-to-Site Gateways and can be deployed in different sizes.

Here’s a list of different VPN Gateway SKUs:

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

As you can see, picking the right size depends on several factors, including the expected number of connected users/sites as well as the aggregate bandwidth of your internet connections.

Depending on the SKU, gateways are deployed with different sets of features. Normally Virtual Network Gateways are deployed in a pair, in an active/standby configuration without using Availability Zones in Azure. To use Availability Zones, you need to use a SKU with AZ at the end. If you want to switch from one SKU to another, that will require a 45-minute downtime. A switch from non-Availability Zone to Availability Zone will require a complete redeployment of the Virtual Network Gateway, which can take up to 2 hours.

Azure Virtual Network Gateway supports the following encryption standards for Site-to-Site tunnels.

IPsec/IKE policy for S2S VPN & VNet-to-VNet connections: PowerShell – Azure VPN Gateway | Microsoft Docs
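As an added example (not code from the original post), the following Azure PowerShell snippet creates a Site-to-Site connection on an existing Virtual Network Gateway with a custom IPsec/IKE policy that pins the tunnel to AES-256-GCM and DH/PFS group 24, then reads the policy back to confirm it was applied. Resource group, gateway, site names and addresses are placeholders; the Basic SKU does not support custom IPsec/IKE policies, so the gateway is assumed to be VpnGw1 or higher.

```powershell
# Added example, not from the original post. Requires the Az.Network module and
# an authenticated session (Connect-AzAccount). All names below are placeholders.
$rg       = 'rg-network'          # placeholder resource group
$location = 'westeurope'
$gwName   = 'vpngw-hub'           # existing gateway, VpnGw1 or higher (Basic: no custom policy)

# 1. Describe the on-premises side (the "site") as a Local Network Gateway.
#    Public IP and address prefix are placeholders (TEST-NET-3 / RFC 1918).
$lng = New-AzLocalNetworkGateway -Name 'lng-branch01' -ResourceGroupName $rg `
        -Location $location -GatewayIpAddress '203.0.113.10' `
        -AddressPrefix '10.50.0.0/16'

# 2. Custom IPsec/IKE policy. Azure otherwise negotiates from its default proposal
#    set, which also contains weaker algorithms; pinning the policy ensures both
#    sides agree only on the ciphers you have chosen.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 `
          -DhGroup DHGroup24 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 `
          -PfsGroup PFS24 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 3. Create the connection with the policy attached. The pre-shared key is read
#    from an environment variable so it is never hard-coded in the script.
if (-not $env:VPN_PSK) { throw 'Set VPN_PSK to the pre-shared key agreed with the branch device.' }
$gw   = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$conn = New-AzVirtualNetworkGatewayConnection -Name 'cn-branch01' -ResourceGroupName $rg `
        -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -IpsecPolicies $policy -SharedKey $env:VPN_PSK

# 4. Verify: the stored policy must match what was requested, and ConnectionStatus
#    moves to "Connected" once the branch device negotiates with the same proposal.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-branch01' -ResourceGroupName $rg).IpsecPolicies |
    Format-List
Get-AzVirtualNetworkGatewayConnection -Name 'cn-branch01' -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

The on-premises device must be configured with the identical proposal, otherwise IKE negotiation fails and the connection stays in a NotConnected state, which is the first thing to check in the troubleshooting guides linked later in this article.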

If you want to use Point-to-Site it supports OpenVPN (SSL/TLS-based), Secure Sockets Tunneling Protocol (SSTP) or IKEv2 VPN, more information is available here:

About Azure Point-to-Site VPN connections – Azure VPN Gateway | Microsoft Docs

Azure Virtual Network Gateways are a traditional and proven way to deploy VPN solutions in Azure, but they are not as flexible as other solutions.

Virtual WAN

In comparison to Azure Virtual Network Gateways, Virtual WAN Gateways work differently. The first major difference is that Virtual WAN makes a distinction between Point-to-Site Gateways and Site-to-Site Gateways. While in Azure Virtual Network Gateways both Gateways are one service, in Virtual WAN you have different Gateways for each use case.

Virtual WAN

Another major difference is that Azure Virtual WAN Gateways are deployed in scale units. These units can be scaled up and down on-demand, without any service interruption.

Edit VPN Gateway

Another great feature is that Virtual WAN Network Gateways are always deployed as highly available as possible. These Gateways are deployed in Virtual Machine Scale Sets and are by default placed in Availability Zones if the Azure Region supports them. If an Azure Region does not yet support Availability Zones, the Gateways are deployed in Availability Sets, and as soon as the region supports Availability Zones, the backend is updated automatically.

Azure Virtual WAN Site-to-Site Gateways support the following IPsec encryption standards.

Virtual WAN Site-to-site IPsec policies – Azure Virtual WAN | Microsoft Docs

Virtual WAN Site-to-Site Gateway can scale up to 20 Gbps throughput and 1.25 Gbps encryption capacity per VPN tunnel.

Point-to-Site Virtual WAN Gateways support IPSec and OpenVPN as listed below.

Virtual WAN Point-to-site IPsec policies – Azure Virtual WAN | Microsoft Docs

You can have up to 200 Scale Units supporting 100,000 clients. The payment model for Virtual WAN Point-to-Site clients is by connected user per minute. So it’s completely pay-as-you-go per connected user, plus the number of Gateway Scale Units.

With Virtual WAN, there is another very important point: routing between Site-to-Site VPN, Point-to-Site VPN and ExpressRoute Gateways is enabled by default without any additional effort by the customer. You can get more details via the link below.

Architecture: Global transit network architecture – Azure Virtual WAN | Microsoft Docs

Network Virtual Appliances

Network Virtual Appliances are Virtual Machines running in a classical Virtual Network or Azure Virtual WAN. Those Appliances are third party and are available via the Microsoft Azure Marketplace.

Azure Virtual WAN: About Network Virtual Appliance in the hub | Microsoft Docs

Deploy highly available NVAs – Azure Architecture Center | Microsoft Docs

Those appliances are harder to integrate and make highly available. The configuration is completely the responsibility of the customer, but for certain scenarios, they can offer major benefits for customers. One major selling point is if your organization has already standardized on a particular vendor/appliance, using the same one in Azure will ensure consistency and lower the learning curve for your network engineers.

Those appliances mostly support additional features like Quality of Service, special encryption protocols or VPN client tunnel optimization. For example, Barracuda Networks uses its own VPN tunnel and encryption protocol, TINA, between their appliances and devices.

TINA VPN Tunnels | Barracuda Campus

Then there are appliance partners who offer great VPN clients with additional features like filtering, split tunnelling by service or traffic optimization. Examples are Palo Alto Global Protect or FortiGate FortiClient.

GlobalProtect App for Windows (paloaltonetworks.com)

Product Downloads | Fortinet Product Downloads | Support

Those appliances are much harder to integrate into a classic hub and spoke environment, with Virtual WAN the process of deployment is more automated. If you use those NVAs, you also have additional license costs for the appliances, which must be paid to the OEM.

As already mentioned, feature sets of those Network Virtual Appliances are often much richer than with bare Azure Virtual Network Gateways and Virtual WAN Gateways.

How to Deploy a VPN

Let me guide you on how to deploy a VPN Tunnel with the different service offerings. As the nature of the three solutions is completely different, I will split them up into three separate parts.

Virtual Network Gateway

As there is already a lot of deployment documentation out there, I will not create a new one. Let me just point you to the right resources, so that you can start and deploy according to Microsoft best practices.

Tutorial – Create and manage a VPN gateway: Azure portal – Azure VPN Gateway | Microsoft Docs

Tutorial – Connect on-premises network to virtual network: Azure portal – Azure VPN Gateway | Microsoft Docs

Configure an Always-On VPN user tunnel – Azure VPN Gateway | Microsoft Docs

Configure an Always-On VPN tunnel – Azure VPN Gateway | Microsoft Docs

Additional documentation is available here.

VPN Gateway documentation | Microsoft Docs

Virtual WAN

With Virtual WAN, you also have a bunch of great documentation which goes into more detail. You can find the necessary documentation linked below.

Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs

Tutorial: Use Azure Virtual WAN to create a Point-to-Site connection to Azure | Microsoft Docs

Additional configurations for Point-to-Site in Virtual WAN can be found here.

Configure a P2S User VPN connection using Azure Active Directory authentication – Azure Virtual WAN | Microsoft Docs

Azure AD tenant for User VPN connections: Azure AD authentication – Azure Virtual WAN | Microsoft Docs

Configure an Always-On VPN user tunnel – Azure Virtual WAN | Microsoft Docs

Configure an Always-On VPN tunnel – Azure Virtual WAN | Microsoft Docs

I would also encourage you to take an additional look at the guides already available here on the DOJO.

What is Azure Virtual WAN? (altaro.com)

Azure Virtual WAN vs. Azure Route Server (altaro.com)

Deploy Azure virtual WAN in 2,5 Hours (altaro.com)

How to configure Azure virtual WAN VPN Site-2-Site with unmanaged VPN device (altaro.com)

As an additional option, you can pick a Network Virtual Appliance, if the appliance of your choice is available in Virtual WAN. I would encourage you to make use of the more PaaS-like approach of Azure Virtual WAN.

Azure Virtual WAN: Create a Network Virtual Appliance (NVA) in the hub | Microsoft Docs


Network Virtual Appliance

The deployment of VPN Connections with Network Virtual Appliances is pretty diverse and depends on the vendor itself. Before I can point you to some example documentation, start with the documentation on how to deploy NVAs.

This documentation describes how to deploy an NVA in Azure.

Deploy highly available NVAs – Azure Architecture Center | Microsoft Docs

You should follow that guide to ensure that the NVA is deployed according to supported standards. As there are a lot of partners out there, please contact the vendor of your choice to get additional guidance.

Palo Alto

The first vendor with very good documentation on the deployment is Palo Alto. You can find their guides below.

Site-to-Site VPN – Set Up Site-to-Site VPN (paloaltonetworks.com)

Point-to-Site VPN – GlobalProtect (paloaltonetworks.com)

FortiNet

Another good NVA partner is FortiNet. You can find their docs below.

Site-to-Site VPN – Administration Guide | FortiGate / FortiOS 7.0.1 | Fortinet Documentation Library

Point-to-Site VPN – Administration Guide | FortiGate / FortiOS 7.0.1 | Fortinet Documentation Library

Barracuda Networks

Barracuda is not that common among enterprise customers in Europe but offers a great portfolio of features including their own tunnelling protocol. Please find their docs below.

Site-to-Site VPN – Site-to-Site VPN | Barracuda Campus

Point-to-Site VPN – Client-to-Site VPN | Barracuda Campus

Troubleshooting Azure VPN

Within the Troubleshooting part, I will only concentrate on the troubleshooting guides for Azure Services, as the troubleshooting on NVA is extremely specific to the vendor.

For Azure Virtual Network Gateways, there are two good troubleshooting guides available in Microsoft’s Documentation.

One focuses on connections to Azure Virtual Network Gateways dropping or being unable to connect.

Troubleshoot an Azure site-to-site VPN connection that cannot connect – Azure VPN Gateway | Microsoft Docs

The other guide looks into the stability issues of a VPN tunnel.

Troubleshoot Azure Site-to-Site VPN disconnects intermittently – Azure VPN Gateway | Microsoft Docs

Troubleshooting Azure Virtual WAN is more difficult, as you may not have access to the monitoring and troubleshooting logs. So, if you need deeper troubleshooting, it makes sense to engage with Microsoft Support. In any case, you should have good monitoring in place according to the documentation.

Monitoring Azure Virtual WAN | Microsoft Docs

Monitoring Virtual WAN using Azure Monitor Insights | Microsoft Docs

VPN Compared to other Microsoft Solutions

Sometimes Customers can confuse Azure VPN with other services available. Most commonly customers confuse Virtual Network Peering and Azure ExpressRoute with VPN Solutions.

Virtual Network Peering

Azure Virtual Network Peering is “only” a peering connection via the Microsoft Global Network between two Virtual Networks in Azure. It uses Software Defined Network technologies to connect the two networks and there is no Virtual Gateway necessary to do so. Virtual Network Peering is only used for interconnecting Virtual Networks within Azure and there is no option to use Virtual Network Peering to connect to the world outside of Microsoft Azure.

To learn more about peering, please visit the documentation below.

Azure Virtual Network peering | Microsoft Docs

Azure ExpressRoute

Like a VPN, Microsoft Azure ExpressRoute is a connection to networks outside of the Microsoft Global Network. It’s built to connect customer networks with the Microsoft PaaS network via peering, or with the customer’s private IaaS infrastructure using peering and private gateways.

The difference between Azure ExpressRoute and VPN is that ExpressRoute does not leverage internet connections or shared networks. With ExpressRoute you get a private end-to-end connection from your on-premises location to the Microsoft Global Network.

Those connections are more expensive but can offer more bandwidth or better Service Level Agreements, depending on your location and network service provider. ExpressRoute is not always better than VPN, always check your use case and your needs.

To be honest, Network Providers like to sell ExpressRoute due to better margins than with premium Internet connections. If you are interested in more information about that topic, you can visit some other articles here on the DOJO.

Microsoft Azure Peering Services Explained (altaro.com)

How to Use Azure ExpressRoute Global Reach to Interconnect Datacenters (altaro.com)

How to use Microsoft Global Network with Oracle, Google or AWS (altaro.com)

To learn more about Microsoft Azure ExpressRoute, you should also consult Microsoft Documentation on ExpressRoute.

ExpressRoute documentation | Microsoft Docs

Decision Tree

As is often the case with Microsoft’s service offerings, there are several ways to achieve the same goal. Here’s a flowchart I use when talking to customers about this.

Microsoft customer flowchart

That chart should help, at least for the initial discussion, in understanding which solution is best for your situation.

Conclusion

The “right” solution depends on what you want to achieve with your architecture. Often, it’s a decision driven by costs and features. Please also take complexity and maybe newer security requirements and approaches into account.

For example, if you’re searching for RADIUS integration, and the only solution might be costly, maybe it’s better to reconsider the requirement and check if you can achieve the same security requirements with Azure Active Directory Authentication instead.

Enable MFA for VPN users: Azure AD authentication – Azure VPN Gateway | Microsoft Docs
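As an added example (not code from the original post) of the Azure AD route suggested above, this Azure PowerShell snippet switches the Point-to-Site configuration of an existing Virtual Network Gateway to Azure AD authentication over OpenVPN. Gateway and resource group names, the client address pool and the tenant ID are placeholders; the audience ID is the well-known Azure VPN enterprise application ID. MFA itself is enforced by a Conditional Access policy on that application, not in the gateway settings.

```powershell
# Added example, not from the original post. Requires the Az.Network module and
# an authenticated session. Names and the client pool below are placeholders.
$rg       = 'rg-network'        # placeholder resource group
$gwName   = 'vpngw-hub'         # placeholder; VpnGw1 or higher, OpenVPN-capable
$tenantId = $env:AZ_TENANT_ID   # your Azure AD tenant GUID, supplied via environment
if (-not $tenantId) { throw 'Set AZ_TENANT_ID to your Azure AD tenant ID first.' }

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# Azure AD auth is only offered over OpenVPN. The client address pool (placeholder)
# must not overlap the VNet or any on-premises range reachable through the gateway.
# The audience ID is the Azure VPN enterprise application; it must be consented to
# in the tenant before users can sign in.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool '172.16.201.0/24' `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri "https://login.microsoftonline.com/$tenantId" `
    -AadAudienceId '41b23e61-6c1e-4545-b367-cd054e0ed4b4' `
    -AadIssuerUri "https://sts.windows.net/$tenantId/"

# Verify: the VpnClientConfiguration should now list OpenVPN, the AAD
# authentication type and the tenant/audience/issuer values set above.
(Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg).VpnClientConfiguration |
    Format-List
```

With this in place, a Conditional Access policy scoped to the Azure VPN application is what turns "sign in with Azure AD" into "sign in with MFA", and it applies consistently to every VPN user without a RADIUS server in the path.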

Try to stay open-minded and don’t do things because that’s how it’s been done for years. Always prove requirements against our changing IT world.

Hyper-V and Azure in 2021: Year in Review https://www.altaro.com/hyper-v/hyper-v-azure-in-2021/ https://www.altaro.com/hyper-v/hyper-v-azure-in-2021/#respond Fri, 24 Dec 2021 11:02:01 +0000 https://www.altaro.com/hyper-v/?p=23765 It’s been a big year for Microsoft. Here are the biggest developments of 2021 and what they mean for system admins and IT pros in 2022


It’s been a big year for Microsoft. Major structural decisions have forged a new path forward for Hyper-V and Azure. Let’s look back on the most significant developments of 2021 and what they mean for system administrators and IT professionals for 2022. Let’s get stuck in!

Hyper-V in 2021

Possibly the most significant thing for Hyper-V in 2021 is actually the lack of developments. This speaks volumes to the direction Microsoft want to take with the hypervisor. Contrasting the breathtaking pace of new features in Azure with the glacial changes to Windows Server serves as a good reminder of where Microsoft’s focus is. We got Windows Server 2022 which does bring some strong security features if you run it on new bare metal.

We ran a well-attended webinar that covered all the new features, but the reality is that there really aren’t a lot of them. Microsoft’s focus is on Azure Stack HCI, which builds on Windows Server but adds new features in exchange for a monthly subscription fee based on the number of CPU cores across your clusters.

While there weren’t a whole lot of new features, Hyper-V is still a strong virtualization platform, especially when combined with Storage Spaces Direct across a cluster. Over 1.2 million page views on our Hyper-V section in 2021 show how many IT pros devour our articles on Hyper-V and its related technologies.

Top Articles for Hyper-V Admins in 2021

The Best Virtual Machine for Windows 10

What’s New in Windows Server 2022

PsExec: The SysAdmin’s Swiss Army Knife

Azure in 2021

In contrast to Hyper-V, the pace of new features and services in Azure exploded in 2021 and apparently hasn’t been slowed down by the pandemic; rather the opposite. As businesses accelerate their digital transformation journey to the (hybrid) cloud to manage resiliency in the face of these uncertain times, Azure is growing fast, both in size and capability.

There are now (December 2021) 60 Azure regions worldwide, with announced new ones coming in Belgium and Malaysia. 23 of these regions support Availability Zones which means there are at least three separate datacenters in a single region, each with separate power, network, and cooling supply to provide redundancy should a whole datacenter experience an outage.

Azure Arc

The biggest highlights for me this year have been Azure Arc and Azure Virtual Desktop. Let’s look at Arc first. It’s a truly hybrid approach to cloud management, no matter where the resource is actually located. It started with servers: any VM or physical server, Linux or Windows, in any datacenter or public cloud location, anywhere (on Earth), will appear in an Azure Resource Group in your tenant if it has the Azure Arc agent installed. You can apply Azure Policy to it, control access to it with Azure RBAC, etc. But Microsoft didn’t stop with servers; they’ve expanded Arc to Kubernetes clusters, data services (Azure SQL Managed Instance and PostgreSQL Hyperscale) and SQL Server, and more Arc services are coming. This is a truly different approach: AWS’s and GCP’s approach to hybrid is providing a rack of AWS hardware for your own datacenter (Outpost) or managed Kubernetes environments, but neither is as comprehensive as what Arc offers. This is where Microsoft’s long heritage of being in your datacenter shines; they really understand that hybrid cloud isn’t just a transition phase, it’s the destination for many businesses.

Azure Virtual Desktop

The other standout is Azure Virtual Desktop which is Microsoft’s third crack at “here’s a virtual desktop in the cloud for your end users”. The first one was built in-house but suffered from scalability and manageability issues, the second one relied on Citrix in Azure so wasn’t all Microsoft provided. This third iteration has nailed all the important features and had the timing just right as the pandemic swept the world. Most importantly it’s got the security right (no open RDP ports to the internet, easily add MFA to each login) which opens the possibility of people working from their personal devices, as the data itself never leaves Azure.

Azure Virtual Desktop RDP settings

Azure Security Developments

Another powerful service that we’ll see more of over the coming years is confidential computing; again, Azure is a leader in this space. We’re all familiar with protection for data at rest (BitLocker, encrypted data in a database, etc.) and data in flight (TLS encryption for nearly everything as it traverses the network). Confidential computing adds another dimension by protecting data while it’s being processed, both from administrators (server and SQL DBAs) and from Microsoft’s own engineers. Both AMD and Intel have processors that support this today, with the memory of the individual processes being encrypted. Until recently you had to (re-)write your applications to take advantage of confidential computing; this year Microsoft unveiled full VM encryption, where you can lift and shift workloads from on-premises to the cloud and make them opaque to everyone except your trusted administrators by encrypting the entire VM memory footprint.

Microsoft 365 has had the ability to scan the content of Office files / PDFs and many other document types for sensitive data for quite a few years. You can then build DLP and Information Protection policies around the detection of different types of sensitive data and automatically block sharing or encrypt the document on the fly. Over the last year, Azure has added Purview, which brings the same “scan and find sensitive data” to your data storage. Databases, cloud storage and data lakes, both in Azure, AWS and on-premises can be scanned and actions taken when PII data is found for instance.

I must also mention Azure Sentinel, now Microsoft Sentinel as it’s turning into an amazing SIEM for small and big businesses alike. Since it’s cloud-based, it scales with your log sources and it’s a powerful way of gaining visibility into your digital estate.

Microsoft Sentinel Dashboard

An honourable mention goes to Azure Virtual Network Manager, released in public preview in November 2021, a centralized way of managing connectivity and security rules for large estates in Azure.

Outages

It’s not all roses though, I think it’s fair to call out a couple of high-profile outages in Azure such as the DNS issue on the 1st of April that took out large swathes of Azure and related services due to the DNS infrastructure being overloaded. There was also a large Azure AD outage in March, which (along with others in 2020) has prompted Microsoft to redesign Azure AD into much smaller cells (from 5 to 117) to minimize the blast radius when issues happen to a much smaller subset of customers.

Top Articles for Azure Admins in 2021

Why Azure and not AWS?

Key Takeaways from Microsoft Ignite 2021

What is Azure Virtual WAN?

What to Expect in 2022

Azure is “the world’s computer” according to Microsoft and there sure were MANY new and improved features this year. I think public cloud computing is the only way small, medium and gigantic businesses can transform digitally successfully so if you’re still holding on to your on-premises servers, 2022 is the time to get on the Azure and Microsoft 365 train before it leaves you behind.
