In my previous blog post http://www.rebeladmin.com/2020/01/step-step-guide-setup-azure-load-balancer/, I explained how to setup an Azure load balancer. In that post, I used GUI method to set it up. In this post I am going to show how we can set azure load balancer using Azure PowerShell. 

In this demo, I am going to set up two virtual servers with IIS on it. Then I am going to set up Azure load balancer and load balance the web service access for external connections over TCP port 80. 

To do that I will need to do the following tasks,

1. Setup new resource group

2. Setup two new windows VM

3. Setup IIS with sample web page

4. Create Azure load balancer

5. Create a backend pool

6. Create health probes

7. Create load balancer rule

8. Testing

For the configuration process, I will be using Azure PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Setup new resource group

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location "East US"

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Setup two new windows VM

1. In this demo, I am going to use two back end servers. Before VM setup, let's go ahead and create a new virtual network. 

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

2. Then I need to create a new availability set. To add back end servers to load balancer, those VMs need to be in the same availability set. 

New-AzAvailabilitySet -Location "East US" -Name "REBELAS1" -ResourceGroupName "REBELRG1" -Sku aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 2

In above REBELAS1 is the availability group name. More info about scale sets can found here https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/availability

3. As the next step of the configuration, I am going to create two new virtual machines under REBELRG1 resource group. 

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG1 -Name "REBELTVM01" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -addressprefix 10.0.2.0/24 -PublicIpAddressName "REBELTVM01IP1" -AvailabilitySetName "REBELAS1" -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

New-AzVm -ResourceGroupName REBELRG1 -Name "REBELTVM02" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -addressprefix 10.0.2.0/24 -PublicIpAddressName "REBELTVM02IP1" -AvailabilitySetName "REBELAS1" -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, I am creating two virtual machines called REBELTVM01 & REBELTVM02. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. For networking, It uses REBELVN1 virtual network and subnet 10.0.2.0/24.

The role of a load balancer is to improve the availability of services by distributing the load to a pool of back end servers. When it comes to load balancing, Azure has a few different products to choose from. 

• Azure Application Gateway – If you require a load balancer that can provide features such as SSL offloading, reverse proxy and works in the application layer (layer 7), Azure application gateway is the answer.

• Azure Traffic Manager – If you are looking for DNS level load balancing which can distribute traffic to global endpoints, Azure traffic manager will be the product to look at. 

• Azure Load Balancer – Azure load balancer works in layer 4 (transport layer) and can distribute network traffic to endpoints in the same Azure region. It can use to distribute internet traffic as well as internal traffic. In this post, we are going to look into this service in detail. 

Like many other load balancers, Azure load balancer also has the following components. 

• Frontend/Virtual IP address – This is the load balancer IP address that works as a front door to clients. After clients initiate connections to a frontend IP address, the traffic will be distributed to the back-end servers. 

• Server pool – The back-end application servers will be group together in a pool to serve an incoming request from a load balancer. 

• Rules – The incoming traffic will be distributed to the backend servers according to the rules defined in the load balancer.  

• Probes – If a back-end server is down, load balancer needs to know. Then it can stop distributing traffic to the faulty server. The load balancer uses probs to detect the health of the back-end servers. 

• Inbound NAT rules – Inbound NAT rules define how the traffic is forward from the load balancer to the back-end server. 

In this post, I am going to demonstrate how we can load balance a web application using Azure standard load balancer. This demo includes the following tasks,

1. Setup new resource group

2. Setup two new windows VM

3. Setup IIS with sample web page

4. Create Azure load balancer

5. Create a backend pool

6. Create health probes

7. Create load balancer rule

8. Testing

Setup new resource group

Let's go ahead and start the setup process by creating new Azure resource group. 

For the configuration process, I will be using Azure PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location "East US"

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Setup two new windows VM

1. In this demo, I am going to use two back end servers. Before VM setup, let's go ahead and create a new virtual network. 

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

2. Then I need to create a new availability set. To add back end servers to load balancer, those VMs need to be in the same availability set. 

New-AzAvailabilitySet -Location "EastUS" -Name "REBELAS1" -ResourceGroupName "REBELRG1" -Sku aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 2

In above REBELAS1 is the availability group name. More info about scale sets can found here https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/availability

3. As the next step of the configuration, I am going to create two new virtual machines under REBELRG1 resource group. 

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG1 -Name "REBELTVM01" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -addressprefix 10.0.2.0/24 -PublicIpAddressName "REBELTVM01IP1" -AvailabilitySetName "REBELAS1" -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

New-AzVm -ResourceGroupName REBELRG1 -Name "REBELTVM02" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -addressprefix 10.0.2.0/24 -PublicIpAddressName "REBELTVM02IP1" -AvailabilitySetName "REBELAS1" -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, I am creating two virtual machines called REBELTVM01 & REBELTVM02. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. For networking, It uses REBELVN1 virtual network and subnet 10.0.2.0/24.

In infrastructure, there are many reasons for allowing traffic between virtual networks such as application requirements, backup/DR requirements, replication requirements and so on. If it is internal networks, we can do this using inter-VLAN routing. If it is between networks in different physical locations, we can do it using VPN & Firewalls. 

If it is Azure, how we can allow traffic between two virtual networks? Well, there are two options to choose from.

1. Azure VPN Gateways

2. Azure VNET Peering 

Azure VPN Gateways

If we are connecting virtual networks over the internet, we have to use VPN gateway option. This is the same for connecting Azure networks with on-premises networks. Also, if the encryption is a requirement, we have to use VPN gateways. 

Azure VNET Peering

Azure VNET peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. The traffic will not pass via the public internet. It provides low latency, high bandwidth connectivity between virtual networks. VNET peering can use to connect virtual networks in the same Azure region or different Azure regions. 

In this demo, I am going to demonstrate how to connect two virtual networks using Azure VNET peering. 

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Create two resource groups and new virtual networks

As the first part of the configuration, I am going to create two new resource groups and two virtual networks.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create two new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location "East US"

New-AzResourceGroup -Name REBELRG2 -Location "East US"

In the above, REBELRG1 & REBELRG2 are the resource group names and East US is the resource group location.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

Each organization has different standards when it comes to server/desktop provisioning. These standards change based on the nature of the business, compliances, server/desktop role and so on. By keeping the customized OS image simplifies the provisioning process as well as prevent configuration errors. In the local environment, we can do this simply using WDS, System Centre or other 3rd party solutions. But what if need to do the same in Azure environment ?

In this blog post, I am going to demonstrate how to create a managed image in Azure and how to use it to deploy Azure VM. 

For the configuration process, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Let's go ahead and start the configuration process by creating a new resource group. 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG -Location "East US"

In the above, REBELRG is the resource group name and East US is the resource group location.

3. The next step is to create a new virtual network.

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines. 

There are occasions where we need to move Azure Virtual Machines from one resource group to another. In this post, I am going to demonstrate how we can do that. Before start, there are a few things we should look in to.

• Not every resource can move from one resource group to another. More info about it can find under https://docs.microsoft.com/en-gb/azure/azure-resource-manager/move-support-resources

• If you are looking to move from one region to another, there is a separate process for that. I already wrote an article about it. You can access it using, http://www.rebeladmin.com/2019/11/step-step-guide-move-azure-vm-one-region-another/

• When you move resources, make sure to migrate all dependencies with it. 

• When a virtual machine is moved from one resource group to another, the system creates a new resource ID. If you use this value on scripts or other services, those will need to update after the move. 

• The same method also can use to move resources from one subscription to another. 

In this demo, I am going to create a new VM in one resource group and then move it to another.  

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create two new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location "East US"

New-AzResourceGroup -Name REBELRG2 -Location "East US"

In the above, REBELRG1 & REBELRG2 are the resource group names and East US is the resource group location.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

If we are in an Active Directory environment, we can use windows DNS services to manage DNS records. This allows us to connect to hosts using their FQDN. When a new host added or when host IP address updated, relevant DNS entries are get updated automatically. Also, the same DNS servers can use to create custom DNS records. 

If it is not an Active Directory environment and still wants to use DNS services, we have to use a custom DNS solution. In such a situation most of the time we need to manually add/update DNS records. 

So, what about Azure environment? Does the same apply to it? 

Azure DNS is a managed DNS solution. We can use it for public DNS records as well as for private DNS records. Using Azure private DNS, we can resolve DNS names in a virtual network. 

Azure Private DNS has following benefits, 

• No additional servers – We do not need to maintain additional servers to run DNS solution. It is a fully managed service. 

• Automatic Record Update – Similar to Active Directory DNS, we can configure Azure DNS to register/update/delete hostname records for virtual machines automatically. 

• Support common DNS records types – It supports common DNS records types such A, AAAA, MX, NS, SRV, TXT. 

• DNS resolution between virtual networks – Azure Private DNS zones can be shared between virtual networks.

In this demo, I am going to demonstrate how to create an Azure private DNS zone.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Let's go ahead and start the configuration process by creating a new resource group. 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG -Location "East US"

In the above, REBELRG is the resource group name and East US is the resource group location.

3. The next step is to create a new virtual network.

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

AzCopy is a command-line utility that can use to transfer data in or out from s storage account (blobs or files). This can be used in Windows, Linux or macOS systems. The same utility also can use to migrate data from one storage account to another. 

In this demo, I am going to demonstrate how to use AzCopy to,

• Upload data to the storage account

• Download data from the storage account

• Migrate data from one storage account to another 

Create Storage Account

Before using AzCopy, first, let's go ahead and create a storage account. I am going to use Azure PowerShell for this task. So, please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Create a new resource group using, 

New-AzResourceGroup -Name REBELRG -Location "East US"

3. Then create a new storage account using,

New-AzStorageAccount -ResourceGroupName REBELRG -Name rebelstorageacc1 -Location "East US" -SkuName Standard_LRS -Kind StorageV2

In the above, rebelstorageacc1 is the storage account name. It is using Locally redundant storage (LRS) as the replication option. It is also created as general purpose v2 storage account. 

4. As the next step let's go ahead and create Azure file share.

$storageacc = Get-AzStorageAccount -ResourceGroupName REBELRG -Name rebelstorageacc1

New-AzStorageShare -Context $storageacc.Context -Name rebelshare1

In the above, rebelshare1 is the new file share name and it is created under rebelstorageacc1 storage account. 

OpenVPN is an open-source VPN protocol that is trusted by many cloud service providers to provide site-to-site, point-to-site, and point-to-point connectivity to cloud resources. Now Azure AD authentication also works with OpenVPN protocol. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to configure OpenVPN for Azure point-to-site VPN and then how to integrate Azure AD authentication with it. 

Prerequisites

1. To configure OpenVPN, first, we need to have a working point-to-site setup. The native Azure point-to-site VPN setup uses Azure certificate authentication. I wrote an article about it before and it can be accessed using http://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/

So, before we start, please go ahead and configure the VPN gateway with certificate authentication.  

2. Also, I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Configure OpenVPN for Azure P2S VPN

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)

2. Then I ran Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG to review my VPN gateway configuration. Here REBELVPNRG is the resource group it belongs to. 

3. Then let's go ahead and change the VPN client protocol to OpenVPN using,

$vpngw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -name REBEL-VPN-GW

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpngw -VpnClientProtocol OpenVPN

In the above, REBEL-VPN-GW is the VPN gateway name.

If we need to access an Azure VM using RDP or SSH, most commonly we use public IP method. In this way, the virtual machine will have a public IP address (static or dynamic) assigned to it. Also, RDP or SSH service ports will open to the public via NSG. This is easy but not a very secure method. 

If we have VPN or Express Route connectivity to Azure, we can connect to virtual machines using private IP addresses. It is secure than the public IP address method. However, it required additional configuration in-network level. 

Azure Bastion is a solution that we can use to access Azure VM securely without the use of public IP addresses or VPN connectivity. This is similar to using a jump-server to connect to resources in the remote network but instead of the traditional RDP method, it is using browser-based secure HTTP connectivity. Let's go ahead and explore a bit more about the Azure bastion solution. 

1. This service is now generally available (From 4th of Nov 2019). However, it is still only available for six Azure regions which are Australia East, East US, Japan East, South Central US, West Europe, and West US.

2. Azure bastion service deployment is per virtual network. 

3. Users can connect to Azure bastion service via the Azure portal. It is a browser-based connectivity. From the user end, only TCP port 443 needs to be open. 

4. Machines in the virtual network don't need to have public IP addresses assigned. Bastion service can connect to virtual machines using private IP addresses. 

5. Azure bastion is a fully managed PaaS service. We do not need to worry about the hardening or protection of it. 

In this post, I am going to demonstrate how we can enable Azure bastion service. 

Create Virtual Machines

Before we go into the Azure bastion service setup, I am going to create one windows 2019 virtual machine and one ubuntu Linux virtual machine. These machines will not have any public IP address assign. After that, I will demonstrate how we can access those securely using Azure bastion service. 

To begin,

1. Log in to Azure portal (https://portal.azure.com) as Global Administrator 

2. Go to Virtual Machines | + Add 

3. Create Windows Server 2019 Server with following settings,

Resource Group Name (new) : REBELBASTION

Virtual Machine Name : REBELWIN01

Region : East US

Image : Windows Server 2019 DataCenter

Size : Standard D2s v3

Public inbounds ports: None

Virtual network : REBELBASTION-vnet

Subnet : 10.0.3.0/24

Public IP : None

There are many different reasons to move Azure VMs from one region to another. 

• Operation Requirements – As an example, if organization open a branch in different region and want to move some operations to them, it is best to move infrastructure resource to the same geographical location as it will improve the reliability and availability of the services.

• Compliance requirements – Sometimes rules and regulations force businesses to keep the data/operations in the same country or continent.

• Azure feature requirements – Sometimes new Azure services & features are the first rollout to certain regions. If your current region has such limitations and still wants to use those features/services, you will need to move the resource to a supported region. 

In this post, I am going to demonstrate how to move Azure VM from one region to another using Azure site recovery. 

Prerequisites

Before start lets make sure we have the following in place, 

• Valid Subscription – Subscription should support to create resources in the target region. It also should have enough credit.

• Account Permission – We need to make sure we have enough permissions to create virtual machines, storage accounts, virtual networks in Azure. 

• Network layout – Make sure to check the source network setup including all the components such as NSG, public IP, load balancer. The failover process will create a virtual network automatically to match the source network. But we have to create all other resources manually after the migration.  

• Compatible regions – Make sure the source and target regions are part of compatible list https://docs.microsoft.com/en-gb/azure/site-recovery/azure-to-azure-support-matrix#region-support

In this demo, I am going to create windows server 2019 VM in East US region and then move it West US region using Azure site recovery.

Create Source VM

1. Launch PowerShell console and connect to Azure using Connect-AzAccount 

[su_note]Please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0[/su_note]

2. Create a new resource group using, 

New-AzResourceGroup -Name REBELRG -Location "East US"

In the above, REBELRG is the resource group name and East US is the resource group location.

3. Then create a new VM using,

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG -Name "REBELVM01" -Location "East US" -VirtualNetworkName "REBELVNET1" -SubnetName "REBELVMSubnet1" -PublicIpAddressName "REBELVM01IP1" -OpenPorts 80,3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, REBELVM01 is the VM name. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size.