
Microsoft Azure IaaS Book

Integration, optimization
and automation
Anders Bengtsson
Microsoft Senior PFE

Pete Zerger
Microsoft MVP

John McCabe
Microsoft Senior PFE

Microsoft Azure IaaS Book. Integration, optimization and automation.

Contents
3.1 Basic network components ... 8
3.1.1 IP Addressing ... 9
3.1.2 VNET ... 9
3.1.2.1 VNET Settings ... 11
3.1.3 Network Interface ... 15
3.1.3.1 Network Interface settings ... 15
3.1.4 Connecting to on-premises ... 16
3.1.4.1 Point-to-site VPN ... 16
3.1.4.2 Site-to-Site VPN and ExpressRoute ... 16
3.1.5 Publish a service to the Internet ... 17
3.1.6 Network Security Groups ... 19
3.1.7 Traffic Manager ... 20
3.1.8 Forced Tunneling and User Defined Routes ... 21
3.1.9 User Defined Routes ... 22
3.2 Networking Planning and Deployment ... 23
3.2.1 Network Design Example ... 24
3.2.2 Deploying a VNET (in the Azure Management Portal) ... 26
3.2.3 Deploying a VNET (with Azure PowerShell) ... 29
Step 1: Connect and Authenticate ... 29
Step 2: Create Resource Group ... 30
Step 3: Define Subnets ... 31
Step 4: Deploy VNET ... 31
3.2.4 Deploying a VNET (with JSON template) ... 32
Step 1: Select Template Deployment ... 35
Step 2: Paste JSON template into Edit template window ... 35
Step 3: Create Resource Group ... 36

2015 Veeam Software


Step 4: Fill in Parameters ... 37
Step 5: Accept Terms and Deploy ... 37
3.2.5 Configure Network Security Groups ... 37
TABLE 3.2.1 DEFAULT NSG RULES ... 38
7.1 Azure Resource Manager ... 42
7.1.1 Overview of Azure Resource Manager ... 42
7.1.2 Azure Resource Groups ... 44
7.1.3 Template Deployment ... 46
7.1.4 Tags ... 48
7.1.5 Role Based Access Control ... 49
7.2 Azure Virtual Machine ... 51
7.2.1 VM Architecture ... 51
7.2.1.1 VM Size ... 52
7.2.1.2 Storage ... 53
7.2.1.3 Network connectivity ... 53
7.2.1.4 VM security ... 56
7.2.1.5 Marketplace ... 57
7.3 Deploying and Configuring Virtual Machines ... 58
7.3.1 Deploying Virtual Machines ... 58
7.3.1.1 Deploying a Virtual Machine from the Portal (Windows and Linux) ... 62
1.3.1.2 Deploying a Virtual Machine from PowerShell (Windows and Linux) ... 78
1.3.1.3 Deploying additional disks ... 88
1.3.1.4 Creating a NAT Rule to an existing Virtual Machine ... 93
7.3.2 ARM Deployment Templates ... 95
7.3.2.1 Using Preconfigured Templates ... 101
7.3.2.2 Authoring ARM JSON Templates in Visual Studio ... 103
7.3.2.3 Deploying ARM Template from PowerShell ... 112
7.3.2.4 Configuring Azure VMs ... 113


7.3.2.5 VM Extensions ... 113
7.3.2.6 PowerShell DSC ... 115
7.4 Summary ... 117
10.1 Self-Service Portal Options ... 120
10.1.1 SharePoint ... 120
10.2 App Controller ... 121
10.3 Service Manager Self-Service portal ... 122
10.4 Windows Azure Pack ... 123
10.5 Building Your Own versus Buying Commercial Portals ... 125
10.5.1 Advantages of a Custom Portal ... 125
10.5.2 Disadvantages of a Custom Portal ... 126
10.5.3 Commercial Portals ... 127
10.6 Self-Service Portal Summary ... 129
10.7 Automation ... 130
10.8 Identifying Candidates for Automation (business perspective) ... 130
10.9 Identifying Candidates for Automation (technical perspective) ... 131
10.10 Choosing Your Automation Engine ... 133
10.10.1 System Center Orchestrator ... 134
10.10.2 Service Management Automation ... 139
10.10.3 Azure Automation ... 141
10.11 Real World Examples ... 145
10.11.1 Integration between Orchestrator and SMA ... 145
10.11.2 Monitoring SharePoint and invoking an SMA runbook ... 147
10.11.2.1 Build Azure VM and Invoke Orchestrator Runbook ... 148
10.11.2.2 Updating the SharePoint list item ... 150
10.12 Invoking SMA from Service Manager ... 151
10.12.1 SMA Runbook ... 158


10.13 The Contoso Scenario ... 160
10.13.1 Common Challenges ... 160
10.13.2 Solution Outline ... 160
10.14 Azure Automation Examples ... 162
10.14.1 Restart a service with hybrid worker ... 162
10.14.2 Shut down VMs with graphical authoring mode ... 164
10.15 Chapter Summary ... 170
12.1 Terminology and Concepts ... 172
12.1.1 Backup ... 172
12.1.2 Disaster Recovery ... 172
12.2 Pure Data Protection Manager Options ... 173
12.2.1 Hosting DPM in Azure VMs ... 173
12.2.2 DPM-to-DPM Backup (Cyclic Protection) ... 174
12.2.3 Limitations of DPM with Azure VMs ... 175
12.3 Azure Backup ... 176
12.3.1 Backing Up Azure VMs ... 176
12.3.2 Backing Up On-premises Machines ... 183
12.3.3 DPM to Azure Backup ... 187
12.4 Azure Site Recovery ... 188
12.4.1 Overview ... 188
12.4.2 Hyper-V to Hyper-V ... 189
12.4.3 VMware to Azure ... 190
12.5 Backing Up SQL Workloads to Azure ... 191
12.5.1 SQL Database Backup to Azure Blob Storage ... 191
12.5.2 Step-by-Step: Performing a SQL Database Backup to Azure ... 192
12.5.2.1 Create Azure Storage Account ... 193
12.5.2.2 Create Azure Storage Container ... 194
12.5.2.3 Create Credential ... 195
12.5.2.4 Backup Using the Backup Task in SSMS ... 197
12.5.2.5 Backup Using T-SQL BACKUP DATABASE Command ... 199
12.5.2.6 Restoring from Windows Azure Storage ... 200
12.5.3 Automated SQL Backup in Azure VMs ... 202
12.6 3rd Party Azure-Integrated Backup ... 205
12.6.1.1 Veeam Integration with StorSimple ... 205
12.6.1.2 Veeam Cloud Connect for Service Providers ... 206
12.6.1.3 Veeam Cloud Connect for Enterprise ... 208
12.7 Summary ... 209
13.1 Monitoring ... 211
13.1.1 Monitoring with the Azure Management Portal ... 212
13.1.2 System Center Operations Manager ... 217
Configuring the Azure Management Pack ... 218
Configuring Resource Monitoring ... 221
13.1.3 Azure Operations Management Suite ... 224
13.2 Reporting ... 227
Enabling Chargeback or Showback ... 228
13.3 Summary ... 231
About the Author ... 232
About Veeam Software ... 233


Chapter 3:
Azure Virtual Networking
As cloud consumption grows, more and more of the cloud resources begin to depend on each other.
One of the key ways that Microsoft Azure (Azure) resources are tied together is through the use of
virtual networks (VNET). VNETs provide a mechanism for Azure resources to communicate, not just with
each other, but optionally with your on-premises resources via a site-to-site VPN or ExpressRoute.
Of course, with great capability comes great responsibility. How does one govern and secure outside
access to Azure resources? This chapter details some of the capabilities that will enable you to manage
and maintain your Azure VNETs efficiently and securely. Before going into network design, this chapter
will cover the core concepts of Azure virtual networking in Azure Resource Manager, also called ARM or
Azure v2, as well as common scenarios for networking in Azure.
A couple of important notes before we get started:
• When working with Azure Resource Manager in the Azure Management Portal, you must always use the Azure Preview Portal at https://portal.azure.com. These resources are not visible in the original Azure Management Portal at https://manage.windowsazure.com.
• Connectivity options between corporate networks and Azure, including site-to-site VPN and ExpressRoute, will be covered in depth in Chapter 5 Connecting Azure to Your Data Center. They are mentioned briefly in this chapter in discussions related to hybrid connectivity.


3.1 Basic network components


Services and applications are comprised of many different components, like a storage account or a
network interface. These components reference each other and are presented as a single entity, for
example a virtual machine (VM). But if we take a closer look, the VM is actually a compute component,
a storage account, a network interface and maybe also a public IP address. All these components
are stored in a resource group, a logical container for grouping resources for an application, a project,
environment, etc. For more information about resource groups, see Chapter 2 Azure PowerShell.
Figure 3.1.1 shows a resource group with a VM, including related components; in this example a storage
account and a network interface.

FIGURE 3.1.1 RESOURCE GROUP WITH COMPONENTS

In addition to the components seen in figure 3.1.1, the VM must be connected to a VNET. The VNET can be
created in the same resource group or in another resource group. One of the reasons to create the VNET in
another resource group is role-based security. For example, multiple application servers in different resource
groups may use a particular VNET, but only the network engineers have permissions to reconfigure the VNET.
Before we walk through an example of a VNET, we will discuss IP addressing in Azure networking.


3.1.1 IP Addressing
Azure networking uses a number of different types of IP addresses:
• Internal IP Address (DIP). An internal IP address, or DIP, is an internal IP address assigned to an Azure resource, such as a network interface that is connected to a VM. A network interface has the same function as a physical network card and, in Azure Resource Manager, can be attached to a VM or a load balancer. By default, this IP address is assigned dynamically and if the VM is de-provisioned, it will lose its DIP. It is possible to configure a static DIP. The IP will be static from the standpoint that the VM will always get the same IP address from the Azure fabric. However, it is not supported to configure a static IP address inside the VM in the properties of the network interface. The guest OS should always be configured to receive dynamic IP address assignment via DHCP.
On each subnet, Azure reserves the first three IP addresses for internal use. The first IP address that a VM or other resource can use is .4.
• Instance Level Public IP Address (PIP). A PIP is a public IP address you assign directly to your network interface. You can use the PIP to connect directly to your VM on the Internet.
• Virtual IP address (VIP). A VIP is a public IP address automatically assigned to a network load balancer. This IP address can be used for load balancing or network address translation (NAT) to network interfaces and VMs behind the network load balancer.
• Azure Data center IP Ranges. In some scenarios, you need to know all the public IP addresses that different Azure data centers use. This list is frequently updated and can be downloaded in XML format from the Microsoft Azure website. Search for Microsoft Azure Datacenter IP Ranges, currently at http://www.microsoft.com/en-us/download/details.aspx?id=41653.

3.1.2 VNET
VNETs are used in the same way as physical local area networks in your local data center. VNETs in
Azure provide the following capabilities:
• Isolation. By default all machines within a VNET can communicate with each other. To totally isolate VMs from each other, you can place them on different VNETs. A VNET can span a region (multiple physical data centers) but not multiple regions.
• Access. Access between VMs on a VNET is open, even if the VMs are on different subnets within the VNET.
• Connectivity. VNETs can be connected to each other, as well as to on-premises data centers. Connectivity to an on-premises data center is achieved with either ExpressRoute or VPN. A single VNET can be connected to multiple VNETs and on-premises data centers at the same time.
Previously, when creating a VNET, you were required to specify an affinity group. An affinity group
is a way to group resources together inside the data center to minimize latency. With the improved
performance in Azure data center networks today, affinity groups are no longer required. VNETs are
now associated with regions, each of which includes one or more physical data centers. You can still specify an
affinity group if your application requires it, but it is not otherwise required.


The number of VNETs you need depends on what you are planning to do in Azure. Changing VNET
settings on a resource after deployment can be complicated, so it is a good idea to plan the network
design before deploying any resources. You can redeploy your VMs to change VNET settings, but that
will result in downtime. In the end, it is better to spend time on planning before deploying your systems
or applications to Azure. Figure 3.1.2 shows a sample configuration with three resource groups:
• CONTOSO-HR. This resource group contains two VMs with related network interfaces and a storage account that both servers share.
• CONTOSO-WEB. This resource group contains one VM with a related network interface and storage account.
• CONTOSO-INFRA. This resource group contains the VNET that all VMs are connected to. The example in figure 3.1.2 uses one VNET for all VMs.

FIGURE 3.1.2 VNET SETUP


Figure 3.1.3 shows another example with two VNETs. By default, all VMs within a VNET can communicate.
However, VNETs are totally isolated from each other, which allows administrators to easily create isolated
environments within the Azure subscription, such as in separating testing and production VMs.

FIGURE 3.1.3 MULTIPLE VNETS

3.1.2.1 VNET Settings


When configuring a VNET, you need to specify the following settings. The descriptions of these settings
will provide guidance on what to include when planning VNETs.
3.1.2.1.1 Name
Name of the VNET. The name should describe the purpose or function of the VNET.
3.1.2.1.2 Location
The VNET will be bound to a location (region) hosting an Azure regional data center, for example North
Europe. A VNET in one region can be connected with VNET-to-VNET VPN to a VNET in another region. A
VNET cannot cover multiple regions, but can cover multiple data centers in the same region.


3.1.2.1.3 Address space and subnets


You need to configure which IP addresses to use for your VNET. All IP addresses will be dynamically
assigned to resources by default. It is important to select an address range that does not overlap with
on-premises networks. Optionally, you can configure subnets for your VNET with the following rules in mind:
• All subnet IPs must be within the VNET address space.
• The smallest supported subnet is /29.
• Divide different application tiers, for example backend (data tier), mid-tier (application tier) and frontend (presentation tier), into different subnets. When using different subnets, it is easier to administer security access rules between the subnets.
• It is recommended to separate resources with static IP addresses from resources with dynamic IP addresses. This makes it easier to see which resources have static IP addresses, and it also prevents a new instance from acquiring the static IP address of a resource that is in a stopped (Deallocated) state. This does not happen if you have only VMs in your subnet, but it can affect PaaS instances on the subnet, which use web and worker roles (basically non-persistent VMs).
• The gateway subnet can be either the first address space in your VNET or the last. If you use the first address space as the gateway subnet, you can modify all other subnets in that VNET without affecting the gateway subnet.
• Resources in different subnets within the same VNET can communicate with each other by default. Resources in different VNETs cannot communicate with each other by default. You can enable communication between VNETs by configuring a VNET-to-VNET VPN.
• All RFC 1918 IP ranges can be used for internal addresses:
10.0.0.0-10.255.255.255 (10/8 prefix)
172.16.0.0-172.31.255.255 (172.16/12 prefix)
192.168.0.0-192.168.255.255 (192.168/16 prefix)
Non-RFC 1918 addresses (public IP addresses) can also be used internally on subnets. It is important
to only use addresses that you own, and it is also important to remember that these addresses are
only used internally, not to route Internet traffic.
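The planning rules above are easy to get wrong by hand, so here is an added example (not from the book) that checks a proposed VNET layout with Python's standard ipaddress module: every subnet inside the VNET address space, nothing smaller than /29, no overlap between subnets or with the on-premises ranges you intend to connect, public space only if you own it, and the .4 first-usable rule from the IP addressing section. All CIDR values are constructed for illustration; the reservation of the subnet's last (broadcast) address is standard IPv4 behaviour assumed here, not stated in the text.

```python
import ipaddress

# Reservation model from the text: Azure keeps the first three host addresses of
# every subnet for internal use, so the first address a VM can get is .4. The
# network address and the last (broadcast) address are assumed unusable as well.
RESERVED_HEAD = 4        # network address + 3 Azure-reserved addresses
RESERVED_TAIL = 1        # broadcast address (assumption, standard IPv4)
SMALLEST_PREFIX = 29     # "The smallest supported subnet is /29."

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def first_usable(subnet_cidr: str) -> str:
    """First address the Azure fabric will assign inside this subnet."""
    subnet = ipaddress.ip_network(subnet_cidr)
    return str(subnet.network_address + RESERVED_HEAD)


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for VMs/NICs after the reserved ones."""
    subnet = ipaddress.ip_network(subnet_cidr)
    return max(subnet.num_addresses - RESERVED_HEAD - RESERVED_TAIL, 0)


def gateway_position(vnet_cidr: str, gateway_cidr: str) -> str:
    """'first' or 'last' are the placements the text recommends; 'middle' is not."""
    vnet = ipaddress.ip_network(vnet_cidr)
    gw = ipaddress.ip_network(gateway_cidr)
    if gw.network_address == vnet.network_address:
        return "first"
    if gw.broadcast_address == vnet.broadcast_address:
        return "last"
    return "middle"


def validate_vnet_plan(vnet_cidr, subnets, onprem_cidrs=(), owned_public_cidrs=()):
    """Check a proposed VNET against the planning rules.
    Returns a list of problem strings; an empty list means every check passed."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)

    # Rule: do not overlap the on-premises networks you will connect by VPN/ExpressRoute.
    for cidr in onprem_cidrs:
        onprem = ipaddress.ip_network(cidr)
        if vnet.overlaps(onprem):
            problems.append(f"VNET {vnet} overlaps on-premises range {onprem}")

    # Rule: public (non-RFC 1918) space may be used internally only if you own it.
    if isinstance(vnet, ipaddress.IPv4Network) and not any(vnet.subnet_of(r) for r in RFC1918):
        owned = [ipaddress.ip_network(o) for o in owned_public_cidrs]
        if not any(vnet.subnet_of(o) for o in owned):
            problems.append(f"VNET {vnet} is public address space not listed as owned")

    seen = {}
    for name, cidr in subnets.items():
        try:
            sn = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
        except ValueError as exc:
            problems.append(f"subnet {name}: {exc}")
            continue
        # Rule: all subnet IPs must be within the VNET address space.
        if not sn.subnet_of(vnet):
            problems.append(f"subnet {name} {sn} is outside VNET {vnet}")
        # Rule: the smallest supported subnet is /29.
        if sn.prefixlen > SMALLEST_PREFIX:
            problems.append(f"subnet {name} {sn} is smaller than /{SMALLEST_PREFIX}")
        # Subnets inside one VNET must not overlap each other.
        for other_name, other in seen.items():
            if sn.overlaps(other):
                problems.append(f"subnet {name} {sn} overlaps {other_name} {other}")
        seen[name] = sn
    return problems


if __name__ == "__main__":
    # Constructed sample plan in the spirit of the CONTOSO example above.
    plan = {"frontend": "10.1.1.0/24", "backend": "10.1.2.0/24",
            "GatewaySubnet": "10.1.255.224/27"}
    for p in validate_vnet_plan("10.1.0.0/16", plan, onprem_cidrs=["192.168.0.0/16"]):
        print("PROBLEM:", p)
    print("gateway subnet placement:", gateway_position("10.1.0.0/16", plan["GatewaySubnet"]))
    for name, cidr in plan.items():
        print(f"{name}: first usable {first_usable(cidr)}, {usable_hosts(cidr)} usable hosts")
```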


3.1.2.1.4 DNS Servers


A key capability of Azure VNETs is the ability to define DNS servers for your cloud-hosted VMs and Azure
resources. These DNS servers are defined as name and IP address pairs, separate from the VNETs, but
each DNS server can be bound to multiple VNETs. The capability is very similar to the implementation
of DNS properties on IP Pools in System Center 2012 Virtual Machine Manager (VMM), where VMs
deployed using that particular IP Pool have their DNS server address properties already set. There are
essentially two types of DNS servers that you can add to an Azure VNET:
• Azure DNS. If you do not specify a DNS server, name resolution will be provided by Azure. Azure provides name resolution for VMs within the same virtual network, based on fully qualified domain name (FQDN). If you need name resolution between VNETs, you will need to provide your own DNS server.
DNS is also an Azure service that can host your domains in Azure. You can then manage your DNS domains with the same credentials and support as with other Azure services. Microsoft Azure includes a large global network of DNS servers for high availability and good performance. If you configure DNS as a service, you can also use it as the DNS service for your virtual networks. A benefit of using DNS as a service is the possibility to easily add and modify DNS settings when working with other resources in Azure. For example, when you deploy a new set of VMs, you can also easily configure DNS entries for these VMs.
• Custom DNS. If you configure a list of custom DNS servers, make sure to verify they are working correctly. If the first DNS server on the custom DNS list is able to communicate, the client or server will use that DNS server regardless of whether the DNS server is functioning properly or not. To change the DNS server order for your virtual network, remove the DNS servers from the list and add them back in the correct order. If you change DNS settings, VMs need to restart to pick up the new DNS server settings. Custom DNS servers can be provided in multiple ways:
  Cloud-based DNS. In this scenario, you provision a VM with DNS services in the network, and add a DNS server entry to the VNET, using the internal IP address of that VM. Other Azure VMs will then use this Azure VM (or VMs) to perform name resolution. It is recommended to configure a static IP address for VMs hosting DNS.
  On-premises DNS. In this scenario, you have a VPN configured between the VNET and on-premises, and add a DNS server entry to the VNET using the on-premises internal IP address of the DNS server. The Azure VMs communicate over the VPN or ExpressRoute to the on-premises DNS server to perform their DNS lookups.
  External DNS. In this scenario, you add a DNS server entry to the VNET, using the IP address or addresses of externally hosted DNS services, such as OpenDNS. The Azure VMs will then connect to this external DNS service to perform their lookups.
Of course, you can mix these three types of DNS servers and utilize any combination of them, providing a very
flexible, robust DNS service to your Azure VMs. There is no recommendation to always use one type of DNS or
a specific order of DNS servers in a mix, as the best fit depends on the scenario and the environment.


3.1.2.1.5 Users
With the support for role-based access control (RBAC) on VNETs, you can grant appropriate access to
the VNET to support your administrative model. There are a number of default roles that can be used.
For example, you can give different teams (HR and Web) access to use the VNET, but not modify it.
Administrators of these resource groups will have permissions to connect network interfaces to the
VNET, but not modify the VNET itself.
3.1.2.1.6 Tags
In the Azure Management Portal, you can organize resources in resource groups. You can use role
based security to control access to these resource groups. To organize resources across resource
groups, you can use tags. Tagging resources with names and values to categorize them enables you to
then list and report on resources across resource groups by tag. Figure 3.1.4 shows tags for a VM. Three
tags have been added to the VM in this example: Budget, Function and Team.

FIGURE 3.1.4 TAGS FOR A VIRTUAL MACHINE


3.1.3 Network Interface


Introduced with Azure Resource Manager, the network interface is an independent resource that is
referenced (connected) to other resources, such as a VM or a load balancer. Building network interfaces
as independent resources brings many administrative benefits. For example, you can configure a
network interface with a public IP address and connect it to a VM. You can later move that network
interface, including the public IP, to a network load balancer, retaining all the settings.
3.1.3.1 Network Interface settings
When setting up a network interface you need to specify several settings. The descriptions of these
settings offered here will provide you with a good understanding of what to include when planning
network interfaces.
3.1.3.1.1 Name and VNET
A Name for the network interface is required and ideally should describe the purpose of the network
interface. When creating the new network interface you also select which VNET to connect to.
3.1.3.1.2 Attached to and Load Balancers
You can connect a network interface to a VM or to a load balancer. These settings are used to set the reference
between a network interface and the attached device, which is the device using the network interface.
3.1.3.1.3 IP Addresses
Each network interface can be configured in two different ways from an IP address point of view. It can be
configured to receive either a dynamic or a static IP address from the VNET. If the network interface is configured with a
static IP address, you can configure which static IP address to use. If you configure the network adapter with a
dynamic IP address, the VNET will assign an address to the network adapter at boot.
The network adapter can also be configured with a public IP address. The Public IP address is an
independent resource in Azure, which is referenced to the network adapter. When configuring a
network adapter with a public IP address, you can choose either to get a new public IP address or use a
public IP address that you already have created in your Azure subscription.
3.1.3.1.4 DNS Servers
By default, a network adapter uses the DNS settings specified on the VNET. However, it is also possible
to specify a custom DNS setting per network adapter.
3.1.3.1.5 Users and Tags
Users and tags are used the same way as described earlier in the chapter under VNET settings.


3.1.4 Connecting to on-premises


Connecting VNETs in Azure to on-premises data centers is possible in a couple of different ways. You
can configure a VNET gateway after the VNET is created. The gateway will be used to connect either an
ExpressRoute connection or a VPN connection.
3.1.4.1 Point-to-site VPN
Point-to-site VPNs can be used for remote workers, for example remote field engineers, to securely
connect to Azure networks from their laptops.
For more information, see 5.2 Point-to-Site VPN in Chapter 5: Connecting Azure to Your Data Center.
3.1.4.2 Site-to-Site VPN and ExpressRoute
With a site-to-site VPN, you extend your local data center network to include the networks in Azure.
With a fully routed site-to-site VPN including DNS name resolution, the network in Azure will become
part of your corporate network.
When setting up a site-to-site VPN you can configure a static or dynamic VPN gateway. You should
configure a dynamic VPN gateway if possible, if your on-premises hardware supports this feature. A
dynamic VPN gateway is required for multi-site VPN (connecting multiple on-premises sites to one
VNET), VNET-to-VNET (connecting multiple VNETs), Point-to-Site (connecting from a VPN client to
an Azure VNET) and forced tunneling. For more information on forced tunneling, see 3.1.8 Forced
Tunneling and User Defined Routes later in this chapter.
When planning a site-to-site VPN, evaluate the bandwidth required. The encryption overhead of the
VPN will use around 20% of the bandwidth. For example, if you pay for a 100 Mbit VPN connection, the
maximum usable bandwidth will be around 80 Mbit.
ExpressRoute is another option to connect on-premises networks with networks in Azure. ExpressRoute
connections do not use the public Internet. Instead, connectivity is provided through an ExpressRoute
carrier partner directly from your data center to the Azure data center, either with a private link or an MPLS
network. ExpressRoute connections offer higher security, more reliability, faster speeds and lower
latencies than typical connections over the Internet.
A great benefit of using ExpressRoute instead of a site-to-site VPN is the low latency. With a site-to-site
VPN, even with one of the high performance SKUs, there will still be latency on the connection. An
ExpressRoute connection can also be used to access other Azure services, such as Office 365.
For more information, see 5.3 Site-to-Site VPN and 5.5 ExpressRoute in Chapter 5: Connecting Azure
to Your Data Center in this book.


3.1.5 Publish a service to the Internet


VMs within the same VNET can communicate directly with each other. They can also communicate with the
Internet, but the traffic must be initiated by the VM. A client on the Internet cannot connect to a service on
the VM by default. There are two ways to publish a service to the Internet: either with a public IP address
(PIP) on the network interface related to the VM, or with a load balancer. A load balancer can be
configured with a public IP address and then use NAT and load balancing rules to forward and control
incoming traffic. For example, a load balancer can be used to translate incoming traffic on port 4050 to
port 3389 for remote desktop (RDP) connectivity.
With a public IP address (PIP), traffic goes directly to the VM and is not routed through the Azure Load
Balancer. Traffic to the Internet from a VM with a PIP configured is sent over the PIP instead of a VIP. Therefore,
there is no need to configure a load balancer when using a PIP. When connecting an Azure VM directly to the
Internet, firewall protection is a requirement. When assigning a public IP address to a network interface, you
should review and configure the local firewall settings to protect against external threats.
Figure 3.1.5 shows traffic to and from two VMs. One VM has a network interface configured with a PIP (a public
IP address). The second VM is behind a load balancer, with the public IP address assigned to the network
load balancer. The second VM's network interface is configured as part of the address pool for the load balancer.

FIGURE 3.1.5 TRAFFIC TO VIRTUAL MACHINES (VM)


Figure 3.1.6 illustrates another example, with a load balancer configured to balance incoming traffic on
port 80 to three VMs.

FIGURE 3.1.6 LOAD BALANCING OF INCOMING TRAFFIC

The following parameters need to be configured when creating a load balancer:
Front end IP configuration. The public IP address on the front of the load balancer that accepts incoming traffic.
Backend address pool. The network interfaces which will receive the load balanced traffic.
Load balancing rules. Source and local port configuration for the load balancer.
Probes. Configures the health status probe for VMs.
Inbound NAT rules. Configures port translation between the public IP address and a VM.
When should you create a load balancer instead of static IP?
Publishing a service by using a PIP address is a quick solution. Traffic from Internet then connects
directly to the VM. However, if you need to publish a service from multiple VMs, you need to create a
load balancer in front of them. All the VMs can then share the public IP address. You can also use the
load balancer to configure network address translation (NAT) to forward different ports to different VMs.


3.1.6 Network Security Groups


A Network Security Group (NSG) is an object that can control traffic (i.e. deny or allow) to VM instances
or to a subnet within a VNET. When an NSG is applied to a VM, all traffic that is sent (outbound) and
received (inbound) by the VM instance is controlled by the NSG settings. When an NSG is applied to a
subnet in a VNET, NSG rules are applied to all traffic sent and received by ALL the VMs in that subnet.
A VM or a subnet can be affected by only one NSG, but an NSG can contain 200 rules. A supported
configuration is to associate one NSG on the VM and one NSG on the subnet. The result will be that the
VM gets two layers of protection. The NSG is an additional security layer that, together with a firewall
(such as the Windows Firewall on Windows VMs), Resource Groups, and VNET isolation, ensures you can
build a secure network infrastructure in Azure.
When configuring NSG rules, the following settings need to be specified:
Name. A name that describes the rule.
Type. Specify if the rule is for outbound or inbound network traffic.
Priority. You can specify a priority between 100 and 4096. All rules are applied in order of
priority: a rule with a lower priority number (for example 10) is processed before rules with a higher
priority number (for example 31).
Source IP address. Source IP address range.
Source port range. Specify a port or a range of ports between 0 and 65000.
Destination IP address. Destination IP address range.
Destination port range. Specify a port or a range of ports between 0 and 65000.
Protocol. Specify TCP, UDP or * (all).
Access. Access can be either Allow or Deny.
If you have a VM with multiple network interfaces, an NSG can be configured on each network interface.
How should VMs connected to the Internet be secured?
As with on-premises data centers, multiple layers of security are the best approach. While you can
connect an Azure VM directly to the Internet, you should not do so without configuring NSG, antivirus
and local firewall settings to protect against external threats.
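The evaluation order described above (lowest priority number first, first match wins, subnet NSG and then NIC NSG as two layers) is easy to get wrong when rules are written by hand. The following Python model is an added example and not code from the book or from Azure; it reimplements that evaluation so you can test a rule set offline before applying it. The default rules AllowVnetInBound and DenyAllInBound are modelled after the rules Azure appends to every NSG; the rule sets, the VM address 10.1.4.4 and the use of 10.0.0.0/8 as a stand-in for the VirtualNetwork tag are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for Azure's "VirtualNetwork" tag: the VNET address space used in section 3.2.
VNET_SPACE = "10.0.0.0/8"


@dataclass(frozen=True)
class NsgRule:
    name: str
    direction: str     # "Inbound" or "Outbound"
    priority: int      # lower number is evaluated first
    source: str        # "*", one address, or a CIDR prefix
    source_port: str   # "*", one port, or a range such as "1000-2000"
    destination: str
    dest_port: str
    protocol: str      # "TCP", "UDP" or "*"
    access: str        # "Allow" or "Deny"


# Modelled after the default rules Azure appends to every NSG, above the 100-4096 user range.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", "Inbound", 65000, VNET_SPACE, "*", VNET_SPACE, "*", "*", "Allow"),
    NsgRule("DenyAllInBound", "Inbound", 65500, "*", "*", "*", "*", "*", "Deny"),
]


def validate_user_rules(rules: List[NsgRule]) -> bool:
    """User rules must use a priority between 100 and 4096 (section 3.1.6)."""
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"rule {r.name}: priority {r.priority} is outside 100-4096")
    return True


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def first_match(rules, direction, src, sport, dst, dport, proto) -> Optional[NsgRule]:
    """Walk the rules in priority order; the first rule that matches the flow decides."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if (_addr_match(r.source, src) and _port_match(r.source_port, sport)
                and _addr_match(r.destination, dst) and _port_match(r.dest_port, dport)
                and (r.protocol == "*" or r.protocol.upper() == proto.upper())):
            return r
    return None


def inbound_allowed(subnet_rules, nic_rules, src, sport, dst, dport, proto="TCP") -> Tuple[bool, List[str]]:
    """Inbound traffic must pass the subnet NSG first and then the NIC NSG (two layers)."""
    hits = []
    for layer in (subnet_rules + DEFAULT_INBOUND, nic_rules + DEFAULT_INBOUND):
        hit = first_match(layer, "Inbound", src, sport, dst, dport, proto)
        hits.append(hit.name if hit else None)
        if hit is None or hit.access != "Allow":
            return False, hits
    return True, hits


# Constructed rule sets for the Backend subnet and for the NIC of a VM (10.1.4.4) in that subnet.
BACKEND_SUBNET_NSG = [
    NsgRule("Allow-HTTPS-Internet", "Inbound", 100, "*", "*", "*", "443", "TCP", "Allow"),
    NsgRule("Allow-RDP-FromVnet", "Inbound", 105, VNET_SPACE, "*", "*", "3389", "TCP", "Allow"),
    NsgRule("Deny-RDP-Internet", "Inbound", 110, "*", "*", "*", "3389", "TCP", "Deny"),
]
DB01_NIC_NSG = [
    NsgRule("Allow-HTTPS", "Inbound", 100, "*", "*", "*", "443", "TCP", "Allow"),
    NsgRule("Allow-RDP-Mgmt", "Inbound", 110, "10.1.0.0/16", "*", "*", "3389", "TCP", "Allow"),
    # Needed because AllowVnetInBound would otherwise admit RDP from the rest of the VNET.
    NsgRule("Deny-RDP-Other", "Inbound", 120, "*", "*", "*", "3389", "TCP", "Deny"),
]

if __name__ == "__main__":
    validate_user_rules(BACKEND_SUBNET_NSG + DB01_NIC_NSG)
    for src, dport, proto in [("203.0.113.5", 443, "TCP"), ("203.0.113.5", 3389, "TCP"),
                              ("10.1.2.10", 3389, "TCP"), ("10.2.0.7", 3389, "TCP"),
                              ("203.0.113.5", 53, "UDP")]:
        ok, hits = inbound_allowed(BACKEND_SUBNET_NSG, DB01_NIC_NSG, src, 51000, "10.1.4.4", dport, proto)
        print(f"{src} -> 10.1.4.4:{dport}/{proto}: {'ALLOW' if ok else 'DENY'} via {hits}")
```

The fourth flow is the instructive one: the subnet NSG allows RDP from anywhere inside the VNET, but the NIC NSG only allows it from 10.1.0.0/16, and because the default AllowVnetInBound rule sits at priority 65000 the NIC needs an explicit Deny-RDP-Other rule for that restriction to hold.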


3.1.7 Traffic Manager


Traffic Manager is a network service that you can use to apply an intelligent policy engine to DNS
queries. It may help to think of Traffic Manager as intelligent DNS that facilitates high availability for
your applications across multiple Azure data centers. Traffic Manager simply requires that you have your
application or service deployed in two or more Azure data centers. The process is illustrated in figure
3.1.7 and described in the steps below.
1. A user on the Internet requests a webpage, for example www.contoso.se. The URL is resolved by
a DNS server and points to a Traffic Manager domain name. This is achieved by using a CNAME
resource record that maps the company domain name, in this case www.contoso.se, to the Traffic
Manager domain name, for example contoso.trafficmanager.net.
2. The user on the Internet sends a new DNS query to the Traffic Manager domain name, contoso.trafficmanager.net,
which is received by Traffic Manager. Traffic Manager uses the specified load balancing
profile to determine which Azure endpoint (or other endpoint) should service the request.
3. Traffic Manager sends back the CNAME record for the endpoint to the user. The user's DNS server
resolves the record to its IP address.
4. The user accesses the endpoint directly using its IP address. The user continues to use the endpoint
as the resolved IP address is cached on the client machine. The user will use the same endpoint until
the local DNS cache entry expires.

FIGURE 3.1.7 TRAFFIC MANAGER LOOKUP AND CONNECTION SEQUENCE


It is possible to nest up to 10 levels of Traffic Manager profiles, and each profile can be configured with a
different method. Traffic Manager offers three load balancing methods:
Failover. Use this profile when you have a primary endpoint you want to use for all traffic, but if that
endpoint is not available, fail over to a backup endpoint.
Round Robin. Use this profile if you want to distribute clients over a set of endpoints in the same
data center or in different data centers.
Performance. This profile is recommended when you have endpoints in different geographic
locations and you want the client to use the closest one to minimize latency.
You can learn more about Azure Traffic Manager in Chapter 12 Backup and Disaster Recovery.
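To make the four-step lookup sequence and the three load balancing methods concrete, here is an added Python simulation; it is not code from the book and does not talk to Azure. It follows the CNAME chain from www.contoso.se through a Traffic Manager profile (including one nested profile) down to an A record, skipping unhealthy endpoints and honouring the 10-level nesting limit. The zone records, endpoint names, IP addresses and the latency table used by the Performance method are all constructed for the example.

```python
# Constructed DNS zone data for everything outside Traffic Manager (authoritative answers).
ZONE = {
    "www.contoso.se": ("CNAME", "contoso.trafficmanager.net"),
    "contoso-weu.cloudapp.net": ("A", "203.0.113.10"),
    "contoso-eus1.cloudapp.net": ("A", "198.51.100.20"),
    "contoso-eus2.cloudapp.net": ("A", "198.51.100.21"),
}
# Constructed latency table used by the Performance method: client region -> Azure region -> ms.
LATENCY_MS = {
    "Sweden": {"West Europe": 30, "East US": 110},
    "Virginia": {"West Europe": 95, "East US": 12},
}
MAX_NESTING = 10   # section 3.1.7: up to 10 levels of nested profiles

PROFILES = {}      # Traffic Manager domain name -> Profile


class Endpoint:
    def __init__(self, target, region, healthy=True):
        self.target = target       # a cloudapp name or a nested profile's domain name
        self.region = region
        self.healthy = healthy


class Profile:
    def __init__(self, name, method, endpoints):
        self.domain = f"{name}.trafficmanager.net"
        self.method = method
        self.endpoints = endpoints
        self._turn = 0
        PROFILES[self.domain] = self

    def select(self, client_region):
        """Pick an endpoint with the profile's load balancing method, skipping unhealthy ones."""
        healthy = [e for e in self.endpoints if e.healthy]
        if not healthy:
            return None
        if self.method == "Failover":            # endpoints are listed in priority order
            return healthy[0]
        if self.method == "Round Robin":
            choice = healthy[self._turn % len(healthy)]
            self._turn += 1
            return choice
        if self.method == "Performance":         # closest endpoint by measured latency
            return min(healthy, key=lambda e: LATENCY_MS[client_region][e.region])
        raise ValueError(f"unknown method {self.method}")


def resolve(name, client_region, chain=None, nesting=0):
    """Follow CNAMEs and Traffic Manager profiles until an A record; return (ip, chain)."""
    chain = [] if chain is None else chain
    if name in PROFILES:
        if nesting >= MAX_NESTING:
            raise RuntimeError("nested profile limit exceeded")
        endpoint = PROFILES[name].select(client_region)
        if endpoint is None:
            return None, chain                    # no healthy endpoint in this profile
        chain.append((name, "CNAME", endpoint.target))
        return resolve(endpoint.target, client_region, chain, nesting + 1)
    rtype, value = ZONE[name]
    chain.append((name, rtype, value))
    if rtype == "CNAME":
        return resolve(value, client_region, chain, nesting)
    return value, chain


# Constructed profiles: a Round Robin profile over two East US deployments, nested inside a
# Performance profile that also has a West Europe endpoint.
WEU = Endpoint("contoso-weu.cloudapp.net", "West Europe")
US_POOL = Profile("contoso-us", "Round Robin", [Endpoint("contoso-eus1.cloudapp.net", "East US"),
                                                Endpoint("contoso-eus2.cloudapp.net", "East US")])
GLOBAL = Profile("contoso", "Performance", [WEU, Endpoint(US_POOL.domain, "East US")])

if __name__ == "__main__":
    for region in ("Sweden", "Virginia", "Virginia"):
        ip, chain = resolve("www.contoso.se", region)
        print(region, "->", ip, "via", " -> ".join(f"{n} {t} {v}" for n, t, v in chain))
```

Marking WEU as unhealthy (WEU.healthy = False) and resolving again from Sweden shows the failover behaviour: the Performance profile skips the closest endpoint and the nested Round Robin profile answers instead.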

3.1.8 Forced Tunneling and User Defined Routes


By default, VMs in Azure always have direct Internet access. With forced tunneling, you can configure
VNET subnet(s) to route Internet bound traffic back to your on-premises data center, through a site-to-site
VPN or ExpressRoute connection. This behavior is configured per subnet in a VNET and is a critical
security requirement for many organizations that need to control all traffic bound to the Internet. Forced tunneling
gives IT administrators an option to inspect and audit the Internet bound traffic.
When forced tunneling is used, remember it affects all outbound traffic for a complete subnet. A thought to
bear in mind is that on a subnet that uses forced tunneling, a request from an Internet client to a VM on the
subnet will result in the VM's reply being sent back through the corporate firewall. In this instance, it is better to
publish the VM service through the corporate firewall instead of directly to the VM in Azure.
Forced tunneling requires a Dynamic Routing VPN gateway, which for site-to-site VPNs means you will
need a VPN device that supports dynamic routing. For a list of supported devices and their support
for dynamic routing, see Known Compatible VPN Devices on the Microsoft website at
https://msdn.microsoft.com/en-us/library/azure/jj156075.aspx#bkmk_VPN_Devics.
Note: If forced tunneling is of interest to your organization, you can find step-by-step guidance in Configure
forced tunneling on the Microsoft site at https://azure.microsoft.com/en-us/documentation/articles/vpngateway-about-forced-tunneling/
More information on connecting your corporate networks to Azure is available in Chapter 5:
Connecting Azure to Your Data Center in this book.


3.1.9 User Defined Routes


User defined routes is another powerful feature in Azure Resource Manager. By default, VMs can
communicate according to a number of pre-defined system routes in Azure fabric:
VMs within the same subnet
VMs on different subnets within the same VNET
From VM to the Internet
From a VNET to another VNET through a VPN gateway
From a VNET to local data center through a VPN gateway
For most scenarios these routes work, but there are scenarios where traffic needs to be routed in a
different way. One example of this is when a virtual appliance is in use, which is a VM that runs a preinstalled application used to proxy or inspect network traffic in some way, such as a firewall. For each
virtual appliance, you need to enable IP forwarding for the VM. IP forwarding is enabled in the Azure
Management Portal. You can configure multiple routing tables and a routing table can be used on
multiple subnets, but a subnet can only be associated with one routing table. Subnets rely on default
system routes until a custom routing table is associated to the subnet.
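Both forced tunneling (section 3.1.8) and routing through a virtual appliance (this section) are implemented with a user defined route table associated with a subnet, so one model serves both. The Python below is an added example, not code from the book or from Azure: it builds the pre-defined system routes listed above, applies a route table per subnet, and selects the next hop by longest prefix match, where a user defined route wins over a system route of the same prefix length (this is how Azure breaks that tie). The VNET layout, the on-premises prefix 192.168.0.0/16, the firewall appliance at 10.1.2.4 and the destination addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str                  # VNETLocal, Internet, VirtualNetworkGateway, VirtualAppliance
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance
    source: str = "User"                # "System" for the routes Azure fabric supplies


def system_routes(vnet_prefix, on_prem_prefixes=()):
    """The pre-defined routes from section 3.1.9 for a VNET that has a VPN gateway."""
    routes = [Route(vnet_prefix, "VNETLocal", source="System"),
              Route("0.0.0.0/0", "Internet", source="System")]
    routes += [Route(p, "VirtualNetworkGateway", source="System") for p in on_prem_prefixes]
    return routes


def next_hop(routes, dst):
    """Longest prefix match; on equal length a user defined route beats the system route."""
    addr = ipaddress.ip_address(dst)
    best, best_key = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if addr not in net:
            continue
        key = (net.prefixlen, r.source == "User")
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


class Subnet:
    def __init__(self, name, prefix, vnet_routes):
        self.name, self.prefix = name, prefix
        self.system_routes = list(vnet_routes)
        self.route_table = None

    def associate(self, table):
        """A subnet can only be associated with one routing table."""
        if self.route_table is not None:
            raise ValueError(f"{self.name} already has a route table")
        self.route_table = list(table)

    def hop_for(self, dst):
        r = next_hop(self.system_routes + (self.route_table or []), dst)
        return (r.next_hop_type, r.next_hop_ip) if r else ("None", None)


# Constructed layout after figure 3.2.1: 10/8 VNET, on-premises 192.168/16 reachable over the gateway,
# and a firewall virtual appliance at 10.1.2.4 in the Frontend subnet (IP forwarding enabled on that VM).
SYSTEM = system_routes("10.0.0.0/8", ["192.168.0.0/16"])
FRONTEND = Subnet("Frontend", "10.1.2.0/24", SYSTEM)
MIDTIER = Subnet("Midtier", "10.1.3.0/24", SYSTEM)
BACKEND = Subnet("Backend", "10.1.4.0/24", SYSTEM)

# Forced tunneling: Internet-bound traffic from Midtier goes back on-premises over the VPN gateway.
FORCED_TUNNEL = [Route("0.0.0.0/0", "VirtualNetworkGateway")]
# Virtual appliance: Internet-bound traffic from Backend is inspected by the firewall VM first.
VIA_FIREWALL = [Route("0.0.0.0/0", "VirtualAppliance", "10.1.2.4")]
MIDTIER.associate(FORCED_TUNNEL)
BACKEND.associate(VIA_FIREWALL)

if __name__ == "__main__":
    for subnet in (FRONTEND, MIDTIER, BACKEND):
        for dst in ("10.1.2.10", "192.168.10.5", "203.0.113.5"):
            print(f"{subnet.name:8} -> {dst:13} : {subnet.hop_for(dst)}")
```

Traffic inside the VNET and to the on-premises prefix is unaffected by the 0.0.0.0/0 user route because the system routes for those destinations have longer prefixes; only the default route changes, which is exactly the scope of forced tunneling described above.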


3.2 Networking Planning and Deployment

Planning your networking strategy in Azure is a key task you should complete before you begin to deploy
resources to Azure. Failure to do so will result in much wasted effort and repeated work. You can identify the
optimal network design by answering the following key questions and reviewing the key considerations:
1. Start by reviewing capacity limitations for Azure. These limitations and capacity limits are
frequently updated and it is recommended you review them before each design. More information
is available in Azure Subscription and Service Limits, Quotas and Constraints at
http://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/#networking-limits
2. Review network features in Azure. Microsoft is adding features to Azure with rapid release
cycles. You should take time to review the latest Azure network features before each design.
3. How will you handle billing? If your organization requires an invoice per team or application,
it is easier to use multiple Azure subscriptions, tags or multiple resource groups. Each team or
application will then receive their own invoice.
4. Identify the number of VNETs that will be needed. The main question for VNETs is if you need
to separate resources within a location. By default, resources on a VNET cannot communicate
with resources on another VNET. If there are no requirements for separate resources there is no
requirement for multiple VNETs. VNETs are per location, so if you are planning to use multiple regions
you will also need multiple VNETs. A VNET in one location can be connected to VNETs in other
locations or the same location, with a VNET-to-VNET VPN.
5. Which VNETs will require connection to corporate networks or mobile users? Understanding
which networks will host resources accessed directly by users will help determine routing and
security requirements.
6. How many subnets are needed? Depending on the number of resources you will deploy, you
may need multiple subnets, each with a range of IP addresses. However, there are also other
considerations when designing subnets, such as whether you will use NSGs and forced tunneling.
Both forced tunneling and NSGs are applied per subnet. Therefore you need to think about which server
roles to place together in each subnet. Resources with static IP addresses should be placed on a
separate subnet, as discussed earlier in this chapter.
7. Once regions, VNETs, and subnets are designed, you can think about use cases for load balancing
and/or Traffic Manager.


3.2.1 Network Design Example


A common network design for Azure networking is shown in figure 3.2.1. It is one Azure subscription
that contains multiple resource groups (HR Resource Group and Infrastructure Resource Group). The
Infrastructure resource group stores a VNET with four subnets: three subnets for VMs and one gateway
subnet. Each application or development team has its own resource group where they can create
resources and connect to the central VNET. Each team can log on to the Azure Management Portal
without the risk of affecting another team's resources.
The VNET is connected to an on-premises data center with a VPN or ExpressRoute connection. The
backend subnet is protected by an NSG.

FIGURE 3.2.1 AZURE NETWORK DESIGN

Figure 3.2.2 shows an example of subnet structure. Even if some subnets may not be in use in the
beginning, they are included for future use. The purpose of each subnet in the sample network design
is described here. In some scenarios, the different subnets are named after server roles, for example
database, web and system management. While naming strategies may vary, the key point is the names
should be descriptive of the subnet's intended use.


The Gateway subnet is for VPN connectivity, handled by Azure fabric.
The Frontend, Midtier and Backend subnets are for different components of a service. Separating
these components into different subnets allows use of NSGs to increase security.
The Reserved subnet is for resources with reserved IP addresses.
The Test subnet is for temporary resources that are used during test and development.

FIGURE 3.2.2 SUBNETS PER VNET

IMPORTANT: Even if you created a subnet with 256 available IP addresses, Azure fabric will use first 3 IP addresses for
each subnet. The first IP address you can use is number 4 - for example 10.1.4.4 in the Backend subnet.
There are three ways to build a VNET in ARM: The Azure Management Portal, PowerShell and with an
ARM json template. In the sections that follow, we will deploy the sample 3-subnet VNET described
above using each of these options. You can download the sample code for the PowerShell and json
options at the URLs provided for each example.
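Before building the VNET with any of the three methods, it is worth checking the subnet plan against the address space, because neither the portal nor a template will warn you about a plan that is merely unwise. The Python below is an added example and not code from the book: it validates a plan (every subnet inside the address space, no overlaps, no host bits set, nothing smaller than the /29 Azure requires), computes the usable host range after the addresses Azure fabric reserves (the network address and the first three hosts, so the first usable address is .4 as the note above states, plus the last address of the subnet), and finds the next free block when the plan grows. The Frontend, Midtier and Backend prefixes are those deployed in the following sections; the prefixes for GatewaySubnet, Reserved and Test are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Azure fabric reserves the network address and the first three host addresses of every subnet
# (so the first usable address is .4) and the last (broadcast) address.
RESERVED_AT_START = 4
RESERVED_AT_END = 1
MIN_PREFIXLEN = 29   # Azure does not accept subnets smaller than a /29


def usable_range(prefix: str):
    """Return (first usable, last usable, count) after Azure's reserved addresses are removed."""
    net = ipaddress.ip_network(prefix)
    first = net.network_address + RESERVED_AT_START
    last = net.broadcast_address - RESERVED_AT_END
    return str(first), str(last), net.num_addresses - RESERVED_AT_START - RESERVED_AT_END


def validate_plan(vnet_space: str, subnets: Dict[str, str]) -> List[str]:
    """Check that each subnet is well-formed, inside the address space, large enough and non-overlapping."""
    space = ipaddress.ip_network(vnet_space)
    nets, problems = {}, []
    for name, prefix in subnets.items():
        try:
            nets[name] = ipaddress.ip_network(prefix)       # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside the address space {space}")
        if net.prefixlen > MIN_PREFIXLEN:
            problems.append(f"{name} {net} is smaller than the /{MIN_PREFIXLEN} minimum")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def next_free_subnet(subnets: Dict[str, str], block: str, prefixlen: int = 24) -> Optional[str]:
    """First /prefixlen inside `block` that no planned subnet overlaps (for growing the plan)."""
    taken = [ipaddress.ip_network(p) for p in subnets.values()]
    for candidate in ipaddress.ip_network(block).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


# Constructed plan: the three subnets deployed in sections 3.2.2-3.2.4 plus constructed prefixes
# for the other subnets named in figure 3.2.2.
VNET_SPACE = "10.0.0.0/8"
PLAN = {
    "GatewaySubnet": "10.1.0.0/24",
    "Frontend": "10.1.2.0/24",
    "Midtier": "10.1.3.0/24",
    "Backend": "10.1.4.0/24",
    "Reserved": "10.1.5.0/24",
    "Test": "10.1.6.0/24",
}

if __name__ == "__main__":
    for name, prefix in PLAN.items():
        print(f"{name:14} {prefix:15} usable {usable_range(prefix)}")
    print("problems:", validate_plan(VNET_SPACE, PLAN) or "none")
    print("next free /24 in 10.1.0.0/16:", next_free_subnet(PLAN, "10.1.0.0/16"))
```

For the Backend subnet this reports 10.1.4.4 to 10.1.4.254 (251 addresses), matching the note above, and it reports 10.1.1.0/24 as the first unused /24 in the plan.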


3.2.2 Deploying a VNET (in the Azure Management Portal)

Follow these steps to build one of the VNETs with the subnets shown in figure 3.2.6 in the Azure
Management Portal.
1. Browse to the Azure Management Portal, https://portal.azure.com.
2. In the Azure Management Portal, click NEW, Networking, VNET.
3. In the VNET blade, change to Resource Manager deployment model and then click Create. The
deployment model switch is shown in figure 3.2.3.

FIGURE 3.2.3 DEPLOYMENT OF NEW VNET


4. In the Create VNET blade, input the following settings and click Create.
Name: Contoso-VNET01
Address space: 10.0.0.0/8
Subnet name: Frontend
Subnet address range: 10.1.2.0/24
Subscription: Choose suitable subscription
Resource Group: Create a new resource group, for example CONTOSO-Infrastructure
Location: Choose your closest location or based on design requirements
5. Once the new VNET is completed (shown in figure 3.2.4), browse to the new VNET
in the Azure Management Portal.

FIGURE 3.2.4 NEW VNET BUILT


FIGURE 3.2.5 NEW VNET ON THE NEW VNET BLADE, ALL SETTINGS

6. On the Settings blade, click Subnets.


7. On the Subnets blade, click Add and add the two other subnets shown in figure 3.2.1,
also shown in figure 3.2.6.

FIGURE 3.2.6 SUBNETS IN VNET

The VNET is now configured and subnets are added. The next step is to add
a security group for the backend subnet.


3.2.3 Deploying a VNET (with Azure PowerShell)

Rather than building VNETs in the Azure Management Portal, you can deploy a VNET more quickly and
consistently using Azure PowerShell with Azure Resource Manager. You can download the full script
from the GitHub repository provided in the link at the end of this section.
Step 1: Connect and Authenticate
You will begin by connecting and authenticating to your Azure subscription. This process is explained
in greater detail in Chapter 2: Azure PowerShell, but is also included here to provide a complete
example. This sample will also prompt you for which Azure subscription you wish to you use, easing the
process for users working with multiple subscriptions.
As a reminder, to use ARM with PowerShell, you must authenticate with an organizational account (one
created in the Azure Active Directory associated with your Azure subscription), not a Microsoft (Live) account.
# Authenticate to Azure with Azure AD (organizational) credentials
$cred = Get-Credential
Add-AzureAccount `
    -Credential $cred
# Switch to Azure Resource Manager mode
Switch-AzureMode `
    -Name AzureResourceManager
# Register the latest ARM Providers
Register-AzureProvider `
    -ProviderNamespace Microsoft.Compute `
    -Force
Register-AzureProvider `
    -ProviderNamespace Microsoft.Storage `
    -Force
Register-AzureProvider `
    -ProviderNamespace Microsoft.Network `
    -Force
# Confirm registered ARM Providers
Get-AzureProvider |
    Select-Object `
        -Property ProviderNamespace `
        -ExpandProperty ResourceTypes
# Select an Azure subscription (a grid view lets you pick when you have several)
$subscriptionId =
    (Get-AzureSubscription |
        Out-GridView `
            -Title "Select a Subscription ..." `
            -PassThru).SubscriptionId
Select-AzureSubscription `
    -SubscriptionId $subscriptionId
Step 2: Create Resource Group
If the resource group does not already exist, you will need to create a resource group.
# Create Resource Group
New-AzureResourceGroup `
-Name 'Contoso-Infrastructure' `
-Location "West US"


Step 3: Define Subnets


Next, we will define the subnets that will exist within the VNET.
# Define Subnets
$frontendSubnet = New-AzureVirtualNetworkSubnetConfig `
-Name Frontend -AddressPrefix 10.1.2.0/24
$midtierSubnet = New-AzureVirtualNetworkSubnetConfig `
-Name Midtier -AddressPrefix 10.1.3.0/24
$backendSubnet = New-AzureVirtualNetworkSubnetConfig `
-Name Backend -AddressPrefix 10.1.4.0/24
Step 4: Deploy VNET
In the last step, we will deploy the VNET with the three subnets defined in step 3 to a new resource group.
#Deploy VNET and subnets
$vnet = New-AzurevirtualNetwork `
-Name Contoso-VNET01 `
-ResourceGroupName Contoso-Infrastructure `
-Location "West US" `
-AddressPrefix 10.0.0.0/8 `
-Subnet $frontendSubnet,$midtierSubnet,$backendSubnet
To check the results after running the script, go to the Azure Management Portal
and select Browse All -> Resource groups -> Contoso-Infrastructure.
Download the Code
You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook, in
the \Chapter 3 directory. The file name is Create3SubnetVNET.ps1.


3.2.4 Deploying a VNET (with JSON template)


Instead of building each resource separately in the Azure Management Portal, you can use an Azure Resource
Manager json template. A benefit with Azure Resource Manager templates is that Resource Manager will do
all the heavy lifting. In the JSON based template you define a state, all resources and settings you want to
deploy, including dependencies between resources to control the order in which they are deployed. When
compared to using a PowerShell script for deployment, deploying with Resource Manager is often the better
option, particularly when deploying complex scenarios where order of operations is critical. The benefits of
ARM json deployment templates and the template authoring experience will be covered in greater depth
in other chapters later in this book. However, a sample is provided for you here so you may see firsthand the
power and ease of deployment ARM json templates deliver.
The following example deploys a VNET and three subnets, with the same settings used earlier in the
portal example. For more information about JSON templates please see Chapter 7 - Virtual Machines.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters" : {
    "location": {
      "type": "string",
      "allowedValues": ["East US", "West US", "West Europe", "East Asia", "South East Asia"],
      "metadata" : {
        "Description" : "Deployment location"
      }
    },
    "addressPrefix": {
      "type" : "string",
      "defaultValue" : "10.0.0.0/8",
      "metadata" : {
        "Description" : "Address prefix"
      }
    },
    "FrontendsubnetPrefix" : {
      "type" : "string",
      "defaultValue" : "10.1.2.0/24",
      "metadata" : {
        "Description" : "Frontend Subnet Prefix"
      }
    },
    "MidtiersubnetPrefix" : {
      "type" : "string",
      "defaultValue" : "10.1.3.0/24",
      "metadata" : {
        "Description" : "Midtier Subnet Prefix"
      }
    },
    "BackendsubnetPrefix" : {
      "type" : "string",
      "defaultValue" : "10.1.4.0/24",
      "metadata" : {
        "Description" : "Backend Subnet Prefix"
      }
    }
  },
  "resources": [
    {
      "apiVersion": "2015-05-01-preview",
      "type": "Microsoft.Network/virtualNetworks",
      "name": "Contoso-VNET01",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[parameters('addressPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "Frontend",
            "properties" : {
              "addressPrefix": "[parameters('FrontendsubnetPrefix')]"
            }
          },
          {
            "name": "Midtier",
            "properties": {
              "addressPrefix": "[parameters('MidtiersubnetPrefix')]"
            }
          },
          {
            "name": "Backend",
            "properties" : {
              "addressPrefix": "[parameters('BackendsubnetPrefix')]"
            }
          }
        ]
      }
    }
  ]
}
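A template references its parameters by name in [parameters('...')] expressions, and a mismatch between a parameter's definition and the name used in a resource is only reported when Resource Manager validates the deployment. The Python linter below is an added example, not code from the book or part of the Azure tooling; it parses a template, reports parameters that are referenced but never defined (and vice versa), checks that each resource carries apiVersion, type and name, and, for a virtualNetworks resource, confirms that every subnet prefix with a default value falls inside the address space. The embedded template is a constructed two-subnet cut-down of the one above, and the broken variant is constructed from it by renaming one parameter definition.

```python
import ipaddress
import json
import re
from typing import List, Optional, Set

PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")


def collect_refs(node, found: Optional[Set[str]] = None) -> Set[str]:
    """Walk the parsed template and collect the name in every [parameters('name')] expression."""
    found = set() if found is None else found
    if isinstance(node, dict):
        for value in node.values():
            collect_refs(value, found)
    elif isinstance(node, list):
        for value in node:
            collect_refs(value, found)
    elif isinstance(node, str):
        found.update(PARAM_REF.findall(node))
    return found


def resolve_default(value, params):
    """If value is exactly one parameter reference, return that parameter's defaultValue (or None)."""
    match = PARAM_REF.fullmatch(value) if isinstance(value, str) else None
    if not match:
        return value
    return params.get(match.group(1), {}).get("defaultValue")


def lint_template(text: str) -> List[str]:
    template = json.loads(text)
    params = template.get("parameters", {})
    resources = template.get("resources", [])
    referenced = collect_refs(resources)
    problems = [f"undefined parameter referenced: {n}" for n in sorted(referenced - set(params))]
    problems += [f"parameter defined but never referenced: {n}" for n in sorted(set(params) - referenced)]
    for res in resources:
        problems += [f"resource missing '{k}'" for k in ("apiVersion", "type", "name") if k not in res]
        if res.get("type") != "Microsoft.Network/virtualNetworks":
            continue
        props = res.get("properties", {})
        prefixes = props.get("addressSpace", {}).get("addressPrefixes", [])
        spaces = [ipaddress.ip_network(p) for p in (resolve_default(v, params) for v in prefixes) if p]
        for subnet in props.get("subnets", []):
            prefix = resolve_default(subnet.get("properties", {}).get("addressPrefix"), params)
            if prefix is None:
                continue          # no default value, so the prefix is only known at deployment time
            net = ipaddress.ip_network(prefix)
            if not any(net.subnet_of(space) for space in spaces):
                problems.append(f"subnet {subnet.get('name')} {net} is outside the VNET address space")
    return problems


# Constructed template: a two-subnet cut-down of the VNET template in this section.
GOOD_TEMPLATE = r'''{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {"type": "string", "allowedValues": ["West US", "West Europe"]},
    "addressPrefix": {"type": "string", "defaultValue": "10.0.0.0/8"},
    "FrontendsubnetPrefix": {"type": "string", "defaultValue": "10.1.2.0/24"},
    "BackendsubnetPrefix": {"type": "string", "defaultValue": "10.1.4.0/24"}
  },
  "resources": [{
    "apiVersion": "2015-05-01-preview",
    "type": "Microsoft.Network/virtualNetworks",
    "name": "Contoso-VNET01",
    "location": "[parameters('location')]",
    "properties": {
      "addressSpace": {"addressPrefixes": ["[parameters('addressPrefix')]"]},
      "subnets": [
        {"name": "Frontend", "properties": {"addressPrefix": "[parameters('FrontendsubnetPrefix')]"}},
        {"name": "Backend", "properties": {"addressPrefix": "[parameters('BackendsubnetPrefix')]"}}
      ]
    }
  }]
}'''
# Constructed variant: the definition is renamed but the subnet still references the old name.
BROKEN_TEMPLATE = GOOD_TEMPLATE.replace('"FrontendsubnetPrefix": {', '"DCsubnetPrefix": {')

if __name__ == "__main__":
    print("good  :", lint_template(GOOD_TEMPLATE) or "no problems")
    print("broken:", lint_template(BROKEN_TEMPLATE))
```

Run against a template file instead of the embedded string (lint_template(open(path).read())) before pasting it into the portal's Edit template window; a clean result is cheap and removes one class of failed deployments.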


To deploy the VNET using the provided json template, perform the following steps. You will first need to
download the json template from the GitHub repository described below.
Download the Code
You can download the json template from GitHub at https://github.com/insidemscloud/
AzureIaasBook, in the \Chapter 3 directory. The file name is VNET-3subnets-azuredeploy.json.
Step 1: Select Template Deployment
You will begin by selecting the Template Deployment option, as detailed in the steps below.
1. Browse to the Azure Management Portal, https://portal.azure.com.
2. On the Azure Management Portal homepage, click Marketplace.
3. In the search box provided, type template deployment (without quotes). The search will return the
template deployment option, shown in figure 3.2.7.
4. Select the template deployment and click Create.

FIGURE 3.2.7 TEMPLATE DEPLOYMENT IN AZURE MARKETPLACE

Step 2: Paste json template into Edit template window


Next, you will paste the json template into the space provided.
1. Select Edit Template (shown in figure 3.2.8) and paste the sample json template you downloaded
into the window provided, replacing any sample json that may be present.
2. Click Save to save your changes.

Step 3: Create Resource Group


The resource group is the container for the deployment. Select an existing resource group or create a new one.
1. If you have not already created a resource group, you can click the Or create new link,
shown in figure 3.2.8.
2. For this example, create a resource group named Contoso-Infrastructure.

FIGURE 3.2.8 TRAFFIC MANAGER LOOKUP AND CONNECTION SEQUENCE

Step 4: Fill in Parameters


Since json templates often have parameters, you will need to fill in any required values.
1. Click Edit parameters. In this example, the only value not pre-populated is Location.
2. In the box provided, type West US. Click OK to save changes.
Step 5: Accept Terms and Deploy
Before deploying, you must review and accept the terms of the Azure Marketplace.
1. Click the Legal terms section shown in figure 3.2.8 and review the terms of the template.
2. To accept, click Buy. You are not actually buying anything in this case (VNETs have no cost), but
once you add VMs, you do pay for compute resources by the minute.
3. Click Create to deploy the VNET defined in the sample json template. Deployment will typically
complete within 5 minutes.
4. To check the results after the deployment is reported as complete in the Notifications section, go to the
Azure Management Portal and select Browse All -> Resource groups -> Contoso-Infrastructure.

3.2.5 Configure Network Security Groups


Once the VNET and its subnets are deployed, the next step is to create the appropriate NSGs. Follow
these steps to configure an NSG that only allows traffic on port 1433 from the mid-tier subnet to the
backend (data tier) subnet.
NSGs can be created only with Azure PowerShell and the REST API. Before you set up NSGs with Azure
PowerShell, you need to configure a connection to your Azure subscription. Visit the following
Microsoft web page for more on how to configure Azure PowerShell: http://azure.microsoft.com/en-us/
documentation/articles/powershell-install-configure/
1. Start Azure PowerShell.
2. Switch to the Azure Resource Manager deployment model.
Switch-AzureMode -Name AzureResourceManager
3. Create the new network security group for the backend subnet.
New-AzureNetworkSecurityGroup -Name "Backend" `
-ResourceGroupName "Contoso-Infrastructure" `
-Location "West US"
4. Run the following cmdlet to list all available locations, if needed.
Get-AzureLocation | ft Name
5. The network security group is now created. We can now manage it from the Azure Management Portal.

The network security group contains a number of default rules, shown in table 3.2.1. These rules cannot
be deleted; they can only be superseded. All default rules are created with the lowest priority (highest
number) and can be superseded by rules with higher priority (lower number).
Name                          | Protocol | Source Port | Dest Port | Source Address      | Dest Address | Access | Priority | Direction
AllowVnetInBound              | *        | *           | *         | VNET                | VNET         | Allow  | 65000    | Inbound
AllowAzureLoadBalancerInBound | *        | *           | *         | Azure Load Balancer | *            | Allow  | 65001    | Inbound
DenyAllInBound                | *        | *           | *         | *                   | *            | Deny   | 65500    | Inbound
AllowVnetOutBound             | *        | *           | *         | VNET                | VNET         | Allow  | 65000    | Outbound
AllowInternetOutBound         | *        | *           | *         | *                   | Internet     | Allow  | 65001    | Outbound
DenyAllOutBound               | *        | *           | *         | *                   | *            | Deny   | 65500    | Outbound
(* = any)

TABLE 3.2.1 DEFAULT NSG RULES


To associate the network security group with the backend subnet and create a rule that allows port 1433,
follow these steps:
1. Browse to the new network security group in the Azure Management Portal.
2. Click Settings and then Subnets.
3. On the Subnet associations blade, click Associate, select CONTOSO-VNET01 and the
Backend subnet, and click OK.
4. On the network security group settings blade, click Inbound security rules.
5. On the Inbound security rules blade, click Add.
6. Configure the new network security group rule with the settings displayed in figure 3.2.9 and click OK.

FIGURE 3.2.9 NEW NETWORK SECURITY GROUP

The new VNET is now configured, including subnets and a network security group.
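The rule in figure 3.2.9 and the default rules in table 3.2.1 interact in a way that is easy to miss: the default AllowVnetInBound rule (priority 65000) still admits every other port from every subnet in the VNET, so "only port 1433 from the mid-tier" also needs an explicit deny rule placed between the allow and 65000. The following Python model of NSG rule evaluation is an added example, not code from the book; the rule names, priorities and sample packets are constructed, and the Internet tag is simplified to "any address outside the VNET address space".

```python
import ipaddress
from dataclasses import dataclass

# Contoso-VNET01 address space and the two subnets from the template in section 3.2.4.
VNET = ipaddress.ip_network("10.0.0.0/8")
MIDTIER = "10.1.3.0/24"
BACKEND = "10.1.4.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # lower number = evaluated first
    direction: str        # "Inbound" or "Outbound"
    access: str           # "Allow" or "Deny"
    protocol: str = "*"   # "*", "Tcp" or "Udp"
    src: str = "*"        # CIDR prefix or tag: "*", "VirtualNetwork", "AzureLoadBalancer", "Internet"
    dst: str = "*"
    dst_port: str = "*"   # "*", a single port or a "low-high" range


# The default rules from table 3.2.1; they cannot be deleted, only superseded by lower numbers.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", src="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dst="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]

# The rule from figure 3.2.9: TCP 1433 from the mid-tier subnet into the backend subnet.
ALLOW_SQL = Rule("Allow-Midtier-SQL", 100, "Inbound", "Allow", "Tcp", MIDTIER, BACKEND, "1433")

# What "only port 1433" additionally needs: an explicit deny for everything else arriving from the
# VNET, placed between the allow rule and AllowVnetInBound (65000). Name and priority are constructed.
DENY_VNET_REST = Rule("Deny-VNET-Other", 4000, "Inbound", "Deny", src="VirtualNetwork", dst=BACKEND)


def _addr_match(spec, addr):
    """addr is a packet IP, or the tag "AzureLoadBalancer" for platform health-probe traffic.
    "Internet" is simplified here to "any address outside the VNET address space"."""
    if spec == "*":
        return True
    if spec == "AzureLoadBalancer" or addr == "AzureLoadBalancer":
        return spec == addr
    ip = ipaddress.ip_address(addr)
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":
        return ip not in VNET
    return ip in ipaddress.ip_network(spec)


def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, direction, protocol, src, dst, dst_port):
    """NSG semantics: rules of the matching direction are tried in ascending priority order and the
    first match decides. Returns (access, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if _addr_match(rule.src, src) and _addr_match(rule.dst, dst) and _port_match(rule.dst_port, dst_port):
            return rule.access, rule.name
    return "Deny", "(no matching rule)"   # unreachable while the default rules are present


def backend_nsg(with_explicit_deny):
    """The NSG from section 3.2.5, with or without the extra deny rule."""
    rules = DEFAULT_RULES + [ALLOW_SQL]
    return rules + [DENY_VNET_REST] if with_explicit_deny else rules


if __name__ == "__main__":
    # Constructed packets: SQL and RDP from a mid-tier host, SQL from a front-end host,
    # SQL from the Internet, and a load balancer health probe.
    packets = [("Tcp", "10.1.3.10", "10.1.4.10", 1433), ("Tcp", "10.1.3.10", "10.1.4.10", 3389),
               ("Tcp", "10.1.2.10", "10.1.4.10", 1433), ("Tcp", "203.0.113.5", "10.1.4.10", 1433),
               ("Tcp", "AzureLoadBalancer", "10.1.4.10", 1433)]
    for explicit_deny in (False, True):
        print(f"--- explicit deny rule present: {explicit_deny}")
        for proto, src, dst, port in packets:
            print(src, "->", f"{dst}:{port}", evaluate(backend_nsg(explicit_deny), "Inbound", proto, src, dst, port))
```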

3.3 Summary
Networking in Azure is a key component in every hybrid and public cloud computing infrastructure
scenario. It is important to design and plan the network before starting to deploy resources, and to
maintain strong security when extending the local network to Azure data centers.
In this chapter, we have discussed the components of Azure networking in the context of common
networking scenarios, as well as reviewed best practices and recommendations for design, deployment
and security. We hope you have used the hands-on examples provided in the chapter as practice, as
the knowledge and experience you gain here will be useful in later chapters in this book, as well as in your
career as an Azure administrator.

Chapter 7:
Azure Virtual Machines
Azure Virtual Machines (VM) are the primary touch point many new customers will use from their very
first day working with Microsoft Azure (Azure). In principle, this is where people feel naturally safe, as the
concept of an Azure VM is in many ways like a traditional on-premises VM. However, in Azure there are
further concepts that we need to understand in order to design and build enterprise-grade workloads
in Azure Virtual Machines. Additionally, we need to explore topics that show us how we can use the
power and flexibility of the cloud to ease management of complex environments.
In this chapter, you will learn about Azure VM concepts, as well as basic and advanced deployment
options through hands-on examples, including the Azure Portal, Azure PowerShell and ARM
JSON templates. You will learn how you can create ARM templates in Visual Studio 2013 / 2015, which
offers a bit of GUI authoring help for developers and IT Pros alike.
Once you have deployed VMs and other resources, you will learn how to perform VM configuration
using Azure VM Extensions, as well as PowerShell DSC integrated with Azure.
A couple of important notes:
As in previous chapters, we will focus on Azure Resource Manager (ARM) functionality, or Azure v2.
Before we get started, there are a couple of important points to clarify:
Where you see the tag Classic in the Azure Preview Portal (Azure Portal, ARM Portal, or simply
portal), this refers to the original Azure Portal or Service Management API located
at https://manage.windowsazure.com.
Examine the components for their availability in the new Azure Portal located at https://portal.azure.com.
Everything listed in this chapter is written specifically to leverage the new ARM capabilities and the
Azure Portal at https://portal.azure.com unless specified in the text.

7.1 Azure Resource Manager


In this section, we will discuss ARM, introducing some of the most important topics related to ARM
features and functionality.

7.1.1 Overview of Azure Resource Manager


ARM, which can be accessed at https://portal.azure.com, is a completely new tenant experience,
designed to be flexible and agile in the face of the ever-changing Azure platform and the requirements of
Microsoft's most demanding customers.
In Figure 7.1.1, you will see a screenshot of the Azure Resource Manager Portal.

FIGURE 7.1.1 AZURE RESOURCE MANAGER PORTAL

You might ask what was wrong with the old platform at https://manage.windowsazure.com (also
referred to as the Service Management Portal, or Azure v1). The answer really lies in some key limitations
related to deployment and management. Azure v2 was designed to make deployment not only of VMs,
but also of entire environments (VMs, VNETs and applications) easier, faster and more reliable.
The Azure Portal is a completely new framework and API model. This essentially means that at some
point, you will likely be migrating services from Azure v1 into ARM, allowing you to manage them with
the rich management capabilities of ARM.
The new API and framework allow you to enable many new features within Azure for tenants, including:
Template Deployment
Role Based Access Control
Tagging
Azure Resource Groups
We will discuss all of these components in the coming pages. The key takeaway is that ARM is the next step in
the Microsoft strategy to provide a consistent API and framework that will span public and private cloud.

7.1.2 Azure Resource Groups


In Azure v1, the cloud service was the logical container for management when you deployed a VM into
Azure. The cloud service allowed you to store multiple VMs in the same container for management or
load balancing purposes or a variety of other different reasons we will not delve into here.
However, it was an inflexible model and did not allow association with already constructed
management domains within a customer's environment. For example, many companies today have a
networking team, whose job is to look after the switches, the IP network, routing, firewalls etc. They do
not know about the servers or services except their switch port connections and IP assignments.
If they needed to access Azure to manage the virtual networks and gateways, previously via the
Service Management Portal, we would have to grant them co-administrator privileges for the Azure
subscription. This would of course allow them to see all the resources in Azure, not just the networking
components, limiting our ability to apply the rule of least privilege. This security model opened the
door for accidents in which novice administrators might unintentionally cause problems.
As described in previous chapters, the new boundary for management is the resource group. Azure
resource groups allow you to combine resources together to manage them as you wish. Let us
revisit the previous example, in which you wanted to grant the network team rights to manage only virtual
networking components in Azure. With Azure resource groups, you can create a resource group
which will contain all the networking resources in an Azure subscription. Subsequently, you can
assign permissions to this resource group so that only the network team can perform operations on
this group. In figure 7.1.2, we show you a logical model of two resource groups separating out the
management domains for storage and networking.

FIGURE 7.1.2 AZURE RESOURCE GROUPS FOR STORAGE AND NETWORKING

The choice on how resource groups are constructed and what resources exist is an important part of
the design process. It requires some thought when you are implementing services in Azure because
you need to design your resource group structure based on what types of services your organization
plans to deploy and your need to delegate administration.
IMPORTANT: A resource (a VM, VHD, VNET, etc.) can only be part of one resource group at a time.
In the Azure Portal, by default, there are several default resource groups to help get you started. Figure
7.1.3 shows you the Default-Networking resource group.

FIGURE 7.1.3 DEFAULT-NETWORKING RESOURCE GROUP

In Figure 7.1.4, you can see that the resource group provides not only a boundary for management and
security, but can also provide a boundary for billing data about that service.

FIGURE 7.1.4 RESOURCE GROUP MONITORING AND BILLING

7.1.3 Template Deployment


ARM allows you to construct template-based deployments, which will allow customers to deploy an
application in a consistent state, repeatedly. These templates consist of JSON and expressions that you
can use to construct the values of your deployment. This is essential when you are moving an application
between environments. For example, moving an app from a Development to a Test environment and
finally to a Production environment. Each stage of the move requires pre-requisite software installations
and potentially multiple post-deployment steps. The installation requirements of the pre-requisite
software and the post deployment steps may range from simple to extremely complex.
Why not just do this in PowerShell? Technically, you could, but your deployment would only be as
reliable as your PowerShell authoring skills, error checking and restart routines, etc. More importantly,
you would be missing out on some of the key benefits of ARM. A few of the key features of ARM that
make it the go-to option for complex deployments include:
Declarative. Instead of deploying resources individually, ARM Templates allow you to deploy an
entire environment programmatically to a single Resource Group. You can define dependencies
between resources to ensure various elements of your deployment do not begin too early. For
example, if a VM tried to join an Active Directory domain before the Active Directory domain was
fully deployed, the domain join operation (and all steps after) would fail. The ARM json template
capabilities allow you to describe these dependencies to deliver reliable results every time.

Idempotent. If a json-based deployment in ARM fails, you can restart and it will pick up where it left
off! This is a huge leap over Azure v1.
DISCLAIMER: It is important that we not overstate idempotence here. The fact of the matter is, if your
deployment fails in a custom script stage of your deployment, you will likely have to do some cleanup
before you attempt to restart. At this point, it is likely just as fast to delete the deployment and re-deploy.
Reusable. Once you have created and tested a template, you can share the template and related
resources (PowerShell scripts, DSC modules, etc.) with anyone who can then use the template to
deploy their own environment!
Cleanup. Not only does this allow you to deploy several resources very quickly in Azure, you are
also able to delete all the resources you deployed by simply deleting the Resource Group they were
deployed to. The dependencies you had to worry about when using the Service Management model in
Azure are no longer an issue.
This is not to say deploying with ARM via PowerShell does not have its place. There are many
deployment and configuration operations where this is going to be faster, easier and a better fit than
ARM json templates. In scenarios where you just want to deploy a VM to an existing environment, or
just do some bulk configuration or administration, PowerShell is still a great fit. Simply match the right
methodology to your situation using what we have shared here as guidelines.
In Figure 7.1.5 we show the basic outline of a JSON template; for more information about the schema and
language, please refer to Authoring Azure Resource Manager Templates on the Microsoft website at
https://azure.microsoft.com/en-us/documentation/articles/resource-group-authoring-templates/

FIGURE 7.1.5 JSON TEMPLATE OUTLINE

A simple example of how you can use a template is a 3-tier web application (app). This 3-tier web
app requires a database server, a work tier and a web server. These components require resources, such
as a storage account, virtual networks and public IP addresses. Under the resources section in the ARM
template, you can specify each resource as well as the dependencies of that resource. For example,
a VM will not be deployed without a storage account and a virtual network first being created. ARM
templates can also leverage PowerShell Desired State Configuration (DSC), enabling additional system
configuration and application deployment capabilities.
This allows IT operations and application development teams to update their ARM templates as
their applications evolve. Then, as the application rolls from development to test to production, the
dependencies and order-of-operations are already written into the application deployment, helping to
ensure consistent application deployment during the lifecycle process.
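The dependency ordering described above can be checked before a deployment is ever attempted. The following Python is an added example, not code from the book; it works on a constructed resources list in the shape of a template's resources section, models resource ids as type/name strings, computes the waves ARM could deploy in parallel, and flags a resource that points at another through resourceId() without listing it in dependsOn (resourceId() creates no implicit dependency, unlike reference(), so such a VM can be started before its NIC exists).

```python
import re

# Constructed resources in the shape of an ARM template's "resources" section: a storage
# account, a VNET, one NIC per VM and two VMs. dependsOn uses the short "type/name" form that
# ARM accepts; app01 references its NIC in properties but forgot to list it in dependsOn.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "contosostorage"},
    {"type": "Microsoft.Network/virtualNetworks", "name": "Contoso-VNET01"},
    {"type": "Microsoft.Network/networkInterfaces", "name": "web01-nic",
     "dependsOn": ["Microsoft.Network/virtualNetworks/Contoso-VNET01"]},
    {"type": "Microsoft.Network/networkInterfaces", "name": "app01-nic",
     "dependsOn": ["Microsoft.Network/virtualNetworks/Contoso-VNET01"]},
    {"type": "Microsoft.Compute/virtualMachines", "name": "web01",
     "dependsOn": ["Microsoft.Storage/storageAccounts/contosostorage",
                   "Microsoft.Network/networkInterfaces/web01-nic"],
     "properties": {"networkProfile": {"networkInterfaces": [
         {"id": "[resourceId('Microsoft.Network/networkInterfaces', 'web01-nic')]"}]}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "app01",
     "dependsOn": ["Microsoft.Storage/storageAccounts/contosostorage"],
     "properties": {"networkProfile": {"networkInterfaces": [
         {"id": "[resourceId('Microsoft.Network/networkInterfaces', 'app01-nic')]"}]}}},
]

RESOURCE_ID_REF = re.compile(r"resourceId\('([^']+)'\s*,\s*'([^']+)'\)")


def resource_id(res):
    return f"{res['type']}/{res['name']}"


def referenced_ids(node):
    """Every resourceId('type', 'name') expression found in any string under node, as type/name."""
    found = set()
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found |= referenced_ids(child)
    elif isinstance(node, str):
        found.update(f"{t}/{n}" for t, n in RESOURCE_ID_REF.findall(node))
    return found


def missing_depends_on(resources):
    """Resources whose properties point at another resource that is not in their dependsOn.
    resourceId() creates no implicit dependency (unlike reference()), so ARM may start such a
    resource before the one it points at exists: the premature-start failure the text describes."""
    problems = {}
    for res in resources:
        missing = referenced_ids(res.get("properties", {})) - set(res.get("dependsOn", []))
        if missing:
            problems[resource_id(res)] = sorted(missing)
    return problems


def deployment_order(resources):
    """Group resources into waves: each wave depends only on earlier waves, so ARM could deploy
    a wave's members in parallel. Raises ValueError on an undeclared or cyclic dependency."""
    ids = {resource_id(r) for r in resources}
    remaining = {resource_id(r): set(r.get("dependsOn", [])) for r in resources}
    for rid, deps in remaining.items():
        if deps - ids:
            raise ValueError(f"{rid} depends on undeclared resource(s) {sorted(deps - ids)}")
    waves = []
    while remaining:
        ready = sorted(rid for rid, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        waves.append(ready)
        for rid in ready:
            del remaining[rid]
        for deps in remaining.values():
            deps.difference_update(ready)
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(deployment_order(SAMPLE_RESOURCES), 1):
        print(f"wave {i}: {wave}")
    # app01 lands in the same wave as app01-nic: a race the dependsOn check exposes.
    print("missing dependsOn:", missing_depends_on(SAMPLE_RESOURCES))
```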

7.1.4 Tags
Earlier we described resource groups; with resource groups we can group resources together and
manage them as a single item. However, this might not give us the views we want of our application
estate. For example, you may have a finance department that has multiple applications, as well as a sales
department that also has a number of applications, spread across multiple resource groups.
These applications are very different, and we choose to represent them in multiple resource
groups to suit the application administration and our delegation needs.
In this case, we have good visualization of each application, but no single view of what applications the
finance department or the sales department interact with on a frequent basis. To organize resources
across resource groups, you can use tags. Tags allow us to attach an additional piece of information so
we can achieve this view of our estate. In this example, we can use Dept:Sales to filter the resources
and resource groups that belong to the sales department, as shown in Figure 7.1.6.

FIGURE 7.1.6 TAGS

7.1.5 Role-Based Access Control


One of the most important additions in the ARM Portal is role-based access control (RBAC). Simply put,
this gives companies the ability to delegate administration, assigning appropriate rights for resources
to suit their management model.
In the previous section on Azure resource groups, we described a scenario where a company has a
storage team for managing the storage systems and a networking team for managing all network
elements. Now with RBAC, we can assign the network team the permissions they need to achieve their
administration tasks in Azure without giving them permissions to areas they do not need. In the ARM
Portal, there is a wide range of pre-created roles, as shown in Figure 7.1.7.

FIGURE 7.1.7 PRE-CONFIGURED ROLES

As you can see from Figure 7.1.7, if you click the i icon, you will get a description of what tasks the role
allows a user to perform. You can assign users to multiple roles, as you require.

Another interesting thing in ARM is that you can assign permissions right down to the resource level. As
you will see in Figure 7.1.8, the resource group, as well as the reserved IP resource, have RBAC icons so that
you can assign permissions to them.

FIGURE 7.1.8 RBAC ON RESOURCE GROUPS AND RESOURCES

7.2 Azure Virtual Machine


Azure VMs are conceptually very similar to the traditional VM you might have used on-premises in
Hyper-V. In many cases, you can move a VM to Azure, enabling a company to move an application and
host it on Azure without requiring them to re-develop the system to be cloud aware. Azure currently
supports generation 1 Hyper-V VMs with virtual disks in VHD format. This is important for many
companies, as the investment to make these workloads cloud aware is significant and often the
benefits do not justify the development costs.
In this section, we are going to describe a VM in detail. When you consider moving a workload to a
cloud that you do not control, it pays to do your homework before pushing any buttons. Gaining a
better understanding of the platform in advance will help you avoid potential migration issues and
identify timesaving deployment and management capabilities in the process.
In fact, the last major section of this chapter (7.3 - 7.4) contains information and hands-on examples
that can save your team days (or even weeks) of effort deploying and configuring VMs every year.

7.2.1 VM Architecture
The first area we need to understand is the architecture of the VM. In Figure 7.2.1, we show you the
basic layout of the VM architecture.

FIGURE 7.2.1 VIRTUAL MACHINE BASIC ARCHITECTURE

The VM, much like in Hyper-V, is a configuration container that references the resources it requires in
order to operate. In this section, we will discuss each component in detail.

7.2.1.1 VM Size
Azure VMs have a variety of different choices when it comes to the size of the VM you will select and
deploy. First, you need to choose your tier for the VM; currently (September 2015) there are two choices:
Basic
Standard
You choose a tier based on your needs. Basic tier VMs do not allow high availability and limit the choice
of sizes you can select. A basic tier VM also restricts the number of virtual disks you can attach to the VM
and limits the IOPS of each disk to approximately 300 IOPS per disk.
A standard tier VM will allow high availability and does not restrict the sizes of the VMs you can choose
to deploy. Virtual disk performance is also better, supporting up to 500 IOPS per disk. When choosing a
standard tier VM, you currently (September 2015) have a choice of machines rated by series.
All VMs include a temporary disk (D: by default), designed to be used as a working area to store non-persistent (temporary) data.
Note: When designing services in Azure, it is very important to understand that the limit is considered an "up to"
limit, not a guarantee or SLA.
The VM series available in Azure currently include the following:
A Series: ranges from A0 to A11 with CPU cores that range from 1 to 16. Memory
ranges from 768MB to 112GB. In this series, there are no solid-state drive (SSD) options available.
D Series: ranges from D1 to D14 with CPU cores that range from 1 to 16. Memory ranges
from 3.5GB to 112GB. The temporary disk is based on SSD and ranges from 50GB to 800GB. The D Series
also has a DS range of machines; they have similar ranges as the D Series but allow you to achieve
higher performance and disk IOPS.
G Series: ranges from G1 to G5 with CPU cores that range from 2 to 32. Memory ranges
from 28GB to 448GB. The temporary disk is based on SSD, ranging in size from 384GB to 6144GB. The G
Series also has a GS range of machines; they have similar ranges as the G Series but allow you to
achieve higher performance and disk IOPS.
For a complete list and exact details of all the VM options currently available, refer to Sizes for virtual
machines on the Microsoft website at https://azure.microsoft.com/en-us/documentation/articles/
virtual-machines-size-specs/
Generally speaking, the higher the series of VM you choose, the better performance you will get. For
example, if you need a VM for a CPU intensive workload, like a large SQL Server instance, you may select
a G Series VM. The underlying physical hardware the virtual machine would be deployed on is specially
designed for CPU intensive workloads.

7.2.1.2 Storage
A VM will always have at least 2 disks by default. These are:
Operating System Disk
Temporary Disk
As the name implies, the operating system disk is where the operating system lives; it is the VM boot disk. This
disk has caching turned on by default and you cannot turn it off; the options you have are read-only or read/write.
The temporary disk is simply a scratch disk; this scratch disk comes from the underlying physical host.
The temporary disk should not be used as a persistent data store. The particulars of the temporary disk
are linked to the series of VM you select. The size of the temporary disk varies by VM image size. Larger
images have larger temporary disks.
VMs can also give you the option of high performance storage underpinning the workload. The DS and
GS series of VMs deliver high performance. These VMs will allow up to 50,000 IOPS in the correct
configuration. The temporary disk in this series of VM will also reside on SSD hosted by the underlying
physical hardware to which the VM is deployed.
Finally, all storage that a VM accesses is reached via a network connection (through a RESTful API); this introduces an
imposed limit that needs to be taken into account. It is possible to achieve a throughput of up to around
3Gbps when you select a VM image size that enables remote direct memory access (RDMA).
You can read more about Azure storage, including storage architecture and disk cache options, in
Chapter 2 Microsoft Azure Storage.
7.2.1.3 Network connectivity
In ARM, the network card of the VM is abstracted as a manageable resource. This is very important, as in
ARM you will associate services directly with the network card, as opposed to the VM, as was the case in
the Azure v1 Service Management Portal. An Azure VM can have up to 16 network cards assigned to a
VM. In Figure 7.2.2, you can see network cards listed as individual resources within resource groups.

FIGURE 7.2.2 NETWORK CARDS AZURE RESOURCES

Figure 7.2.3 illustrates some of the network cards in this sample environment, which can be assigned (to
VMs or load balancers). As you can see, we can assign a public IP address directly to the network card of
the VM, as well as a network security group (NSG). For more details on NSGs, refer to Chapter 3 Azure
Virtual Networking.

FIGURE 7.2.3 NETWORK CARDS PROPERTIES

The public IP is represented as an assignable resource within the Azure resource group, as shown in
figure 7.2.4. This allows you to associate a public IP to a resource, as you need it and move it as you
need or as requirements change.

FIGURE 7.2.4 PUBLIC IP RESOURCE

Network cards can be associated with individual NSGs if it becomes a requirement to control the traffic
coming into a VM. This is essential if you have a public IP assigned to the VM.
If you require endpoints opened to a VM without assigning it a public IP directly, then you will need
to configure a network address translation (NAT) rule in an Azure Load Balancer and associate it with a
network card. Endpoints still exist in ARM, but are controlled by the Azure Load Balancer.

7.2.1.4 VM security
Figure 7.2.5 illustrates the various layers of security you can implement to protect your VM.
Administrators can implement multiple layers of NSGs, utilize the Windows firewall (enabled by default
in Azure VMs), as well as install Microsoft Antimalware as part of the VM build process.

FIGURE 7.2.5 DEFENSE IN DEPTH FOR A VIRTUAL MACHINE

This ensures that from the moment you provision the VM into Azure you can enforce protection for
any workload on that system.
NSGs can be used to isolate a VM's traffic from other VMs, the internet or an IP source. NSGs can also
control the traffic flow outbound, if required. This allows you to enforce protection before traffic
leaves or arrives at a VM.

7.2.1.5 Marketplace
The Azure Marketplace is a single repository of prebuilt VMs ready for deployment into Azure. These VMs are
designed to be a click and deploy system for rapid deployment of services. Some of the VMs have software
licenses built into the runtime cost of the VM (such as with SQL Server VMs), while other VMs require you to
purchase a license after deployment. The Azure Marketplace homepage is shown in figure 7.2.6.
In the Azure Marketplace, available VMs are presented by category. A search function is also available,
enabling you to locate the VM you require through text-based search.

FIGURE 7.2.6 MARKETPLACE

Microsoft updates the Azure Marketplace regularly (and the VM images made available through the
Marketplace) with the latest patches and releases available from the vendors.

7.3 Deploying and Configuring Virtual Machines
In the previous two sections, we have described the options available to you for Azure VMs with
ARM. In this section, we will dive deeper and show examples on how to deploy a VM, its associated
components and some of the available deployment options.

7.3.1 Deploying Virtual Machines


All the examples in the following section utilize Azure PowerShell module version 0.9.8, while all Azure
Portal examples leverage the ARM Portal located at https://portal.azure.com. To check your version
of the Azure PowerShell module before proceeding, use the cmdlet Get-Module Azure, as shown in figure 7.3.1.

FIGURE 7.3.1 AZURE POWERSHELL MODULE VERSION

To login to the Azure Portal, complete the following steps:


1. Open a browser and navigate to https://portal.azure.com
2. Enter an email address of an authorized account for the Azure subscription as shown in figure 7.3.2.

FIGURE 7.3.2 LOGGING INTO PORTAL

3. Select the account type as shown in figure 7.3.3

FIGURE 7.3.3 SELECT ACCOUNT TYPE

4. Enter your password and click Sign in

5. This should bring you into the main portal dashboard as shown in figure 7.3.4

FIGURE 7.3.4 MAIN AZURE DASHBOARD

To configure PowerShell for working with ARM, complete the following steps:
1. Open an elevated PowerShell prompt (right-click the prompt and select Run as administrator)
2. Type Add-AzureAccount and press Enter
3. A sign-in prompt will appear, as shown in Fig 7.3.5; enter your email address and click Continue.

FIGURE 7.3.5 SIGN IN PROMPT

IMPORTANT: When working with Azure PowerShell with ARM, a Windows Live Account will not do. You must
log in with an organizational account, that is, an account that exists in the Azure Active Directory associated with
your Azure subscription and that also has privileges in the subscription. Otherwise, authentication to your Azure
subscription will fail.

For testing purposes, granting an account administrator rights in an Azure trial or other non-production
subscription is easy.
4. Select the Account Type as shown in Figure 7.3.6. For Azure PowerShell, you must choose the Work
or school account option and enter an account present in the Azure Active Directory associated
with this subscription.

FIGURE 7.3.6 ACCOUNT TYPE

5. Confirm your password and click Sign in.

FIGURE 7.3.7 SIGN IN PASSWORD


6. Once sign in is complete, the account and the authorized subscriptions that it has access to will be
displayed as shown in figure 7.3.8.

FIGURE 7.3.8 SUCCESSFUL SUBSCRIPTION

7. To load the ARM-aware cmdlets, type Switch-AzureMode -Name AzureResourceManager and press Enter.
Note: In September 2015, Switch-AzureMode was deprecated, and soon ARM cmdlets will have their own
native names. For example, Get-AzureVM in Azure Resource Manager will become Get-AzureRMVM.
7.3.1.1 Deploying a Virtual Machine from the Portal (Windows and Linux)
For your first VM deployment, you will use the Azure Portal. This will help you gain some basic familiarity
with ARM features and the Azure Marketplace.
To create a VM in the Azure Portal, complete the following steps:
1. From the Azure Resource Manager Portal located at https://portal.azure.com, click + NEW as
shown in Figure 7.3.9.

FIGURE 7.3.9 + NEW


2. From the New blade, all the options for deployment are listed. For a VM we need to select
Compute, as shown in figure 7.3.10

FIGURE 7.3.10 SELECT COMPUTE


3. The Compute blade presents the most recently used and most commonly requested images.
Marketplace provides an area where all the images available (Microsoft and 3rd Party published) in Azure
can be selected for Installation. Click Windows Server 2012 R2 Datacenter as shown in Figure 7.3.11.

FIGURE 7.3.11 WINDOWS SERVER 2012 R2 DATACENTER


4. After clicking on the Windows Server 2012 R2 Datacenter image, it will open up a summary blade
describing the image and ask you to confirm which deployment model you wish to use. As a reminder,
Classic is the Azure v1 Service Management Portal and Resource Manager is the ARM (Azure v2)
described in this chapter. Select Resource Manager and click Create, as shown in Figure 7.3.12.

FIGURE 7.3.12 CHOOSING DEPLOYMENT MODEL

5. In the Create Virtual Machine blade, the basics blade will automatically open, as shown in Figure 7.3.13.

FIGURE 7.3.13 BASIC SETTINGS FOR VM


Enter values for the following fields shown in this blade:

Enter Name (the name of the VM).
Enter Username (administrator is not allowed).
Enter Password (complexity rules apply).
For Resource Group, the field is set up by default to create a new resource group; if you enter a new
name there, a new resource group with that name will be created and all the VM components will be
associated with it. Alternatively, you can click Select existing and choose a resource group that has
already been created. For this example, enter VMRG in the Resource Group field.
Select the correct Location for your deployment, in this example North Europe.
6. Click OK. The Choose a Size blade will open, which by default will have recommended options
for the type of image you have chosen. In Figure 7.3.14, you can see we have two recommended
options listed. For this example, select A1 by clicking on A1 Standard and then click Select.

FIGURE 7.3.14 VM SIZE SELECTION

Clicking View All displays all available size options. Within each option, you should also see the
estimated monthly cost of running the VM.


7. Next we will configure VM settings in the Settings blade as shown in figure 7.3.15

FIGURE 7.3.15 VM SETTINGS


In this example, we use the following settings:

Set Disk Type to Standard.
Observe that we are creating a new storage account; this creates a new storage account in the Azure
Resource Manager deployment model.
Observe that we are creating a new virtual network; this creates a new virtual network in the Azure
Resource Manager deployment model.
We accept the default subnet (10.0.0.0/24) that is selected; this comes from the virtual
network that is being created automatically.
For Public IP address, we accept the default and create a new public IP address labeled TestingVM01;
this assigns a public IP address directly to the virtual machine.
Note: For most installations, you will not assign a public IP to a VM. You will assign the IP address to the Azure
Load Balancer and create a NAT rule.
For Network Security Group, we accept the new network security group that will be created.
Note: A network security group is essential when assigning a public IP, as it filters the incoming public traffic
and stops malicious connections. If this were an internal-only deployment, you might choose to turn off the NSG for
the VM and apply it to the subnet on which the VM will be located.
The additional options for Monitoring and Availability will be left at their defaults.
Click OK.


8. In the Summary blade, as shown in Figure 7.3.16, confirm the settings and click OK.

FIGURE 7.3.16 VIRTUAL MACHINE SUMMARY OF DEPLOYMENT


The VM will now deploy. Deployment time varies from 15 minutes to 45 minutes depending on the
workload and deployment options selected. Watch the Notifications area of the Azure Portal for a
message indicating whether your deployment was successful.
To create a Linux VM from the Portal, perform the following steps:
1. From the ARM Portal located at https://portal.azure.com, click + NEW as shown in Figure 7.3.17.

FIGURE 7.3.17 + NEW


2. From the New blade, all the options for deployment are listed. For a VM we need to select Compute,
as shown in Figure 7.3.18.

FIGURE 7.3.18 SELECT COMPUTE


3. In the Compute blade the most recently used/most common images are presented for use.
Marketplace gives an area where all the images available (Microsoft and 3rd Party published) in
Azure can be selected for Installation. Click Ubuntu Server 14.04 LTS as shown in Figure 7.3.19

FIGURE 7.3.19 UBUNTU SERVER 14.04 LTS


4. After clicking on the Ubuntu Server 14.04 LTS image, a summary blade opens describing the
image and asking you to confirm which deployment model you wish to use, Classic being the Service
Management Portal and Resource Manager being the ARM Portal. Select Resource Manager and
click Create, as shown in Figure 7.3.20.

FIGURE 7.3.20 DEPLOYMENT MODEL


5. In the Create Virtual Machine blade the basics blade will automatically open as shown in Figure 7.3.21.

FIGURE 7.3.21 CREATE VM

Enter Name (the name of the VM).
Enter Username (root is not allowed).
Select Authentication Type; by default it is set to Password, which requires the Password field
to be populated. You can instead select SSH Public Key, as shown in Figure 7.3.22, and enter the public key
you will use for authentication.

FIGURE 7.3.22 SSH PUBLIC KEY


For Resource Group, the field is set up by default to create a new resource group; if you enter a new
name there, a new resource group with that name will be created and all the VM components will be
associated with it. Alternatively, you can click Select existing and choose a resource group that has
already been created. For this example, enter VMLINUXRG in the Resource Group field.
Note: if you are following directly on from the Windows example listed in this chapter, you can select the
original VMRG resource group.
Select the correct Location for your deployment, in this example North Europe.
Click OK.
6. The Choose a Size blade will open; by default it will have recommended options for the type of
image you have chosen. In Figure 7.3.23 you can see two listed; for this example
we will select A1. Click A1 Standard and click Select.

FIGURE 7.3.23 VM SIZE SELECTION

Clicking View All displays all available size options. Within each option, you should also see the
estimated monthly cost of running the VM.


7. Next we will configure VM settings in the Settings blade as shown in figure 7.3.24.

FIGURE 7.3.24 VM SETTINGS


In this example, we will use the following settings:

Set Disk Type to Standard.
Observe that we are creating a new storage account; this creates a new storage account in the ARM
deployment model.
Observe that we are creating a new virtual network; this creates a new virtual network in the ARM
deployment model.
We accept the default subnet (10.1.0.0/24) that is selected; this comes from the virtual
network that is being created automatically.
For Public IP address, we accept the default and create a new public IP address labeled
TestLinuxVM01. This assigns a public IP address directly to the VM.
Note: For most installations, you will not assign a public IP to a VM. You will assign the IP address to the Azure
Load Balancer and create a NAT rule.
For Network Security Group, we accept the new network security group that will be created.
Note: A network security group is essential when assigning a public IP, as it filters the incoming public traffic
and stops malicious connections. If this were an internal-only deployment, you might choose to turn off the
network security group for the VM and apply it to the subnet on which the VM will be located.
The additional options for Monitoring and Availability will be left at their default values.
Click OK.
8. In the Summary blade, confirm the settings and click OK.
9. The VM will now deploy. Deployment time varies from 15 minutes to 45 minutes depending on the
workload and deployment options selected. Watch the Notifications area of the Azure Portal for a
message indicating whether your deployment was successful.
CHALLENGE: Check your work by using an SSH client like PuTTY to connect to the Linux VM at its public IP
address. You can download the PuTTY SSH client free at
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.


7.3.1.2 Deploying a Virtual Machine from PowerShell (Windows and Linux)


Now that you have completed a couple of VM deployments in the Azure Portal, you are ready to try your
hand at VM deployment through PowerShell. You will deploy both a Windows VM and a Linux VM.
Note: You can download the sample PowerShell scripts for this section (and the entire chapter) using the link
provided under the Download the Code heading at the end of this section.
Example 1: Create a Windows VM from Azure PowerShell
You will begin by connecting and authenticating to your Azure subscription. This process is explained
in detail in Chapter 2: Azure PowerShell, but is also included here to provide a complete example. This
sample will also prompt you for which Azure subscription you wish to use, easing the process for
users working with multiple subscriptions.
As a reminder, to use ARM with PowerShell, you must authenticate with an organizational account (one
created in the Azure Active Directory associated with your Azure subscription), not a Microsoft (Live) account.
# Authenticate to Azure with Azure AD (organizational account) credentials
$cred = Get-Credential
Add-AzureAccount `
-Credential $cred
# Switch to Azure Resource Manager mode
Switch-AzureMode `
-Name AzureResourceManager
# Register the latest ARM Providers
Register-AzureProvider `
-ProviderNamespace Microsoft.Compute `
-Force
Register-AzureProvider `
-ProviderNamespace Microsoft.Storage `
-Force
Register-AzureProvider `
-ProviderNamespace Microsoft.Network `
-Force
# Confirm registered ARM Providers
Get-AzureProvider |
Select-Object `
-Property ProviderNamespace `
-ExpandProperty ResourceTypes
# Select an Azure subscription (a grid view lists those the account can access)
$subscriptionId = (Get-AzureSubscription |
Out-GridView `
-Title "Select a Subscription ..." `
-PassThru).SubscriptionId
Select-AzureSubscription `
-SubscriptionId $subscriptionId
1. The next step is to gather the details of the VM image we wish to deploy using the Get-AzureVMImage cmdlet. In this example we want to retrieve all Windows Server 2012 R2
Datacenter images.
Get-AzureVMImage -Location "North Europe" `
-PublisherName MicrosoftWindowsServer `
-Offer WindowsServer -Skus 2012-R2-Datacenter


Figure 7.3.25 shows partial output. Locate the latest version and record the number.

FIGURE 7.3.25 ALL WINDOWS 2012 R2 DATACENTER IMAGES

2. Now we select the appropriate image and store it in a variable for later use, as shown here.
$vmimage = Get-AzureVMImage -Location "North Europe" `
-PublisherName MicrosoftWindowsServer `
-Offer WindowsServer -Skus 2012-R2-Datacenter `
-Version 4.0.20150825
3. Next, we create a resource group using the New-AzureResourceGroup cmdlet; an example is as follows:
New-AzureResourceGroup -Name VMResourceGroup `
-Location "North Europe"
Partial output is shown in Figure 7.3.26.

FIGURE 7.3.26 NEW RESOURCE GROUP


4. Next we create a storage account for the VM we want to create using the New-AzureStorageAccount cmdlet, as in the following example:
New-AzureStorageAccount -ResourceGroupName VMResourceGroup `
-Name mystoracct001 `
-Location "North Europe" -Type Standard_LRS
Note: The storage account name has to be lowercase and unique across all of Azure. When repeating this
example, change the name from what you see here to a unique value. For more info on storage accounts, see
Chapter 4 Microsoft Azure Storage.
Partial output is shown in Figure 7.3.27.

FIGURE 7.3.27 NEW STORAGE ACCOUNT

5. Next we create the virtual network where the VM will reside, using the following PowerShell:
$subnet = New-AzureVirtualNetworkSubnetConfig `
-Name production -AddressPrefix 10.0.50.0/24
$vnet = New-AzureVirtualNetwork -Name CloudVNet `
-ResourceGroupName VMResourceGroup -Location "North Europe" `
-AddressPrefix 10.0.0.0/16 -Subnet $subnet
$subnet = Get-AzureVirtualNetworkSubnetConfig `
-Name production -VirtualNetwork $vnet


Figure 7.3.28 shows partial contents of the $vnet variable we created in this example.

FIGURE 7.3.28 NEW AZURE VIRTUAL NETWORK AND SUBNET

6. The next step is to create a public IP address using the following syntax:
$pip = New-AzurePublicIpAddress -ResourceGroupName VMResourceGroup `
-Name WinVMPublicIP `
-Location "North Europe" -AllocationMethod Dynamic
Figure 7.3.29 shows the contents of the $pip variable.

FIGURE 7.3.29 PUBLIC IP ADDRESS


7. Next we need to create a network interface for the VM, to which the public IP address will be bound, using the
following syntax:
$netint = New-AzureNetworkInterface `
-ResourceGroupName VMResourceGroup `
-Name WinVMNic -Subnet $subnet -Location "North Europe" `
-PublicIpAddress $pip -PrivateIpAddress 10.0.50.4
This assigns the static IP 10.0.50.4 in the previously created subnet to this VM and binds the
public IP address we created earlier in the example. Figure 7.3.30 shows the output.

FIGURE 7.3.30 BINDING NETWORK INTERFACE TO PRIVATE AND PUBLIC IP ADDRESS

8. Next, we need to capture credentials for the VM; remember not to use the Administrator username.
Use the following syntax:
$cred = Get-Credential
This will prompt you to enter credentials as shown in Figure 7.3.31.
Enter a username (not administrator) and a complex password.

FIGURE 7.3.31 CAPTURING USERNAME AND PASSWORD


IMPORTANT: Get-Credential is used twice in this script, so you will be prompted twice to enter credentials into
a Windows-style logon prompt. The first time, you should enter the credentials for your Azure subscription
(your organizational account). The second prompt is for the name and password you would like
to specify for the local administrator in the VM you are deploying.
9. Next, we create a virtual machine configuration object, which will then be used to deploy the VM. The
following example outlines the syntax required:
$vmConfig = New-AzureVMConfig -VMName "VM001" -VMSize "Standard_A1" |
Set-AzureVMOperatingSystem -Windows -ComputerName "VM001" `
-Credential $cred -ProvisionVMAgent -EnableAutoUpdate |
Set-AzureVMSourceImage -PublisherName $vmimage.PublisherName `
-Offer $vmimage.Offer -Skus $vmimage.Skus -Version $vmimage.Version |
Set-AzureVMOSDisk -Name "VM001" `
-VhdUri "https://mystoracct001.blob.core.windows.net/vhds/VM001-os.vhd" `
-Caching ReadWrite -CreateOption fromImage |
Add-AzureVMNetworkInterface -Id $netint.Id
To reuse this example, paste it into the PowerShell ISE so that the pipeline continuations line up. To verify
the configuration, the partial output of $vmConfig is displayed in Figure 7.3.32.

FIGURE 7.3.32 SAMPLE OUTPUT OF VMCONFIGURATION VARIABLE


10. Finally, to create the VM we use the following syntax:
New-AzureVM -ResourceGroupName VMResourceGroup `
-Location "North Europe" -VM $vmConfig
11. This will create the Windows VM and VNET with the parameters you specified.
To check the results after running the script, go to the Azure Management Portal and select
Browse All -> Resource groups -> VMResourceGroup.
Download the Code
You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook, in
the \Chapter 7 directory. The file name is DeployWinVM_Ntwk_PubIP.ps1.
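The script above binds a public IP to WinVMNic but, unlike the Portal walkthrough, creates no Network Security Group, so every listening port on VM001 is reachable from the Internet. The following added example (not from the book or its GitHub scripts) creates an NSG that admits only RDP from a management range and binds it either to the NIC or, for internal-only deployments, to the subnet; it assumes the Azure PowerShell 0.9.x ARM-mode cmdlets and parameters shown, and 203.0.113.0/24 is a constructed placeholder for your management network.

```powershell
# Added example (not from the book or its GitHub scripts). Assumes Azure
# PowerShell 0.9.x in AzureResourceManager mode, the resource names from
# Example 1, and that Set-AzureVirtualNetworkSubnetConfig accepts
# -NetworkSecurityGroup. 203.0.113.0/24 is a constructed placeholder for
# the management network; replace it with your own range.

# Rule 1: admit RDP only from the management range.
$rdpRule = New-AzureNetworkSecurityRuleConfig -Name "Allow-RDP-Management" `
    -Description "RDP from the management network only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix "203.0.113.0/24" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389"

# Rule 2: explicitly deny everything else arriving from the Internet tag.
# Lower priority numbers win, so 4000 is evaluated after the custom allow
# rule but before the platform defaults (65000 and up); traffic from the
# virtual network and the load balancer probes is therefore still allowed.
$denyInternet = New-AzureNetworkSecurityRuleConfig -Name "Deny-Internet-In" `
    -Description "Block all other inbound traffic from the Internet" `
    -Access Deny -Protocol "*" -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*"

$nsg = New-AzureNetworkSecurityGroup -ResourceGroupName VMResourceGroup `
    -Name WinVMNsg -Location "North Europe" `
    -SecurityRules $rdpRule, $denyInternet

# Option A: the VM carries a public IP, so bind the NSG to its NIC.
$netint = Get-AzureNetworkInterface -ResourceGroupName VMResourceGroup -Name WinVMNic
$netint.NetworkSecurityGroup = $nsg   # assumed writable, as in later AzureRM releases
$netint | Set-AzureNetworkInterface

# Option B: internal-only deployment; bind the NSG to the subnet instead,
# so every NIC placed in that subnet is covered by the same rules.
$vnet = Get-AzureVirtualNetwork -ResourceGroupName VMResourceGroup -Name CloudVNet
Set-AzureVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name production `
    -AddressPrefix 10.0.50.0/24 -NetworkSecurityGroup $nsg | Set-AzureVirtualNetwork

# Verify: list the rules in evaluation order.
(Get-AzureNetworkSecurityGroup -ResourceGroupName VMResourceGroup -Name WinVMNsg).SecurityRules |
    Sort-Object Priority |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```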
Example 2: Create a Linux VM from Azure PowerShell
In this example, we will reduce the amount of output we show. To verify each step, simply type the
variable name to display its contents. Also refer to the Windows example above for the corresponding outputs.
1. First, you need to authenticate to your Azure subscription using the code provided in the previous example.
2. Next, we need to get all the images related to Ubuntu Server 14.04.2-LTS; for this we use the
following syntax:
Get-AzureVMImage -Location "North Europe" `
-PublisherName Canonical -Offer UbuntuServer `
-Skus 14.04.2-LTS
This lists the images shown in Figure 7.3.33.

FIGURE 7.3.33 UBUNTU IMAGES


3. Now we obtain the latest version and store it in a variable for later use, using the following syntax:
$vmimage = Get-AzureVMImage -Location "North Europe" `
-PublisherName Canonical -Offer UbuntuServer `
-Skus 14.04.2-LTS -Version 14.04.201507060
4. Next we create a resource group using the New-AzureResourceGroup cmdlet; an example is as follows:
New-AzureResourceGroup -Name VMLinuxResourceGroup `
-Location "North Europe"
5. Next we create a storage account for the VM using the New-AzureStorageAccount cmdlet, as in the following example:
New-AzureStorageAccount -ResourceGroupName VMLinuxResourceGroup `
-Name mystoracct002 `
-Location "North Europe" -Type Standard_LRS
6. Next, we create a virtual network to which we will connect the VM, as shown here.
$subnet = New-AzureVirtualNetworkSubnetConfig `
-Name LinuxProd -AddressPrefix 172.0.60.0/24
$vnet = New-AzureVirtualNetwork -Name CloudLinuxVNet `
-ResourceGroupName VMLinuxResourceGroup -Location "North Europe" `
-AddressPrefix 172.0.0.0/16 `
-Subnet $subnet
$subnet = Get-AzureVirtualNetworkSubnetConfig `
-Name LinuxProd -VirtualNetwork $vnet
7. The next step is to create a public IP address using the following syntax:
$pip = New-AzurePublicIpAddress -ResourceGroupName VMLinuxResourceGroup `
-Name LinuxVMPublicIP `
-Location "North Europe" -AllocationMethod Dynamic


8. Next we need to create a network interface for the VM, to which the public IP address will be bound, using
the following syntax:
$netint = New-AzureNetworkInterface -ResourceGroupName VMLinuxResourceGroup `
-Name LinuxVMNic `
-Subnet $subnet -Location "North Europe" `
-PublicIpAddress $pip -PrivateIpAddress 172.0.60.4
This assigns the static IP 172.0.60.4 in the previously created subnet to this VM and binds the
public IP address we created earlier in the example.
9. Using the syntax shown here, we capture credentials for the VM; remember not to use the
root username.
$cred = Get-Credential
This will prompt you to enter credentials as shown in Figure 7.1.46. Enter a username (not root) and a
complex password.
IMPORTANT: As with the Windows VM deployment, Get-Credential is used twice in this script, so you will be
prompted twice to enter credentials into a Windows-style logon prompt. The first time, you should enter the
credentials for your Azure subscription (your organizational account). The second prompt is for
the name and password you would like to specify for the local administrator in the VM you are deploying.
10. Next, we create a VM configuration object which will then be used to deploy the VM. The following
example outlines the syntax required.
$vmConfig = New-AzureVMConfig -VMName "LNX001" -VMSize "Standard_A1" |
Set-AzureVMOperatingSystem -Linux -ComputerName "LNX001" -Credential $cred |
Set-AzureVMSourceImage -PublisherName $vmimage.PublisherName `
-Offer $vmimage.Offer -Skus $vmimage.Skus -Version $vmimage.Version |
Set-AzureVMOSDisk -Name "LNX001" `
-VhdUri "https://mystoracct002.blob.core.windows.net/vhds/LNX001-os.vhd" `
-Caching ReadWrite -CreateOption fromImage |
Add-AzureVMNetworkInterface -Id $netint.Id


11. Finally, to create the VM we use the following syntax:
New-AzureVM -ResourceGroupName VMLinuxResourceGroup `
-Location "North Europe" -VM $vmConfig
12. This will create the VM using the settings specified in the script.
To check the results after running the script, go to the Azure Management Portal and select Browse All
-> Resource groups -> VMLinuxResourceGroup.
Download the Code
You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook, in
the \Chapter 7 directory. The file name is DeployLinuxVM_Ntwk_PubIP.ps1.
7.3.1.3 Deploying additional disks
In this section, you will add an additional disk to both the Windows and Linux VMs you deployed in the
previous section. First, you will add a disk to the Windows VM through the Azure Portal. Then, you will add a
disk to the Linux VM via Azure PowerShell.
To add an additional disk to the Windows VM you deployed in the previous section through the Azure
Portal, perform the following steps:
1. Open a browser and navigate to https://portal.azure.com
2. In the left hand menu, click Browse as shown in Figure 7.3.34.

FIGURE 7.3.34 BROWSING TO ARM VIRTUAL MACHINES


3. In the browse blade, type Virtual and select Virtual Machines as shown in Figure 7.3.35.

FIGURE 7.3.35 SELECT VIRTUAL MACHINES

4. In the Virtual Machines Blade click on VM001 as shown in Figure 7.3.36.

FIGURE 7.3.36 SELECT VM001 VIRTUAL MACHINE

5. This will open the VM001 Virtual Machine Blade, Click All Settings as shown in Figure 7.3.37.

FIGURE 7.3.37 ALL SETTINGS FOR VM001


6. In the Settings blade, click Disks as shown in figure 7.3.38.

FIGURE 7.3.38 SELECT DISKS

7. In the Disks Blade Click Attach New as shown in figure 7.3.39.

FIGURE 7.3.39 ATTACHING NEW DISKS


8. In the Attach new disk blade, the settings listed in Figure 7.3.40 can be configured to
your needs. In this example, accept the defaults by clicking OK.

FIGURE 7.3.40 CONFIGURING NEW DISK


9. After a couple of minutes your new disk will be created and attached as shown in Figure 7.3.41

FIGURE 7.3.41 NEW DISK ATTACHED

To add an additional disk to the Linux VM you deployed in the previous section via Azure
PowerShell, perform the following steps:
1. The first thing to do when adding data disks to a VM is to get the VM we are interested in, using the
following syntax:
$VM = Get-AzureVM -ResourceGroupName "VMLinuxResourceGroup" -Name "LNX001"
2. Next, we need to get the storage account in which the VM's disks are stored. This is contained within
the value stored in the $VM variable, and you can retrieve it using the following syntax:
$storacct = $VM.StorageProfile.OsDisk.VirtualHardDisk.Uri.Split("/")[2]
3. Now we must construct the URI for the new data disk we want to attach to the VM, using the
following syntax:
$datadiskURI = "https://$storacct/vhds/" + $VM.Name + "-data-disk1.vhd"
4. Next we add the disk to the VM configuration using the following syntax (LUN 0 is the first free slot on a freshly deployed VM):
Add-AzureVMDataDisk -VM $VM -Name "Data-Disk1" `
-DiskSizeInGB 100 -VhdUri $datadiskURI `
-CreateOption Empty -Lun 0


5. Finally, we update the VM for the changes to take effect using the following syntax:
Update-AzureVM -VM $VM `
-ResourceGroupName "VMLinuxResourceGroup"
To check the results after running the script, go to the Azure Management Portal and select Browse All
-> Resource groups -> VMLinuxResourceGroup.
Download the Code
You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook, in
the \Chapter 7 directory. The file name is AddVMDisk.ps1.
7.3.1.4 Creating a NAT Rule to an existing Virtual Machine
There are many deployments where you will not assign a public IP to your VM directly. Previously, in the
Service Management Portal, you achieved this using endpoints and cloud services, which effectively created a
NAT rule to allow you to connect to your VM. In ARM, you create all endpoints as part of the Azure load
balancer. We will walk through the steps to create a simple rule for port 80 (HTTP) into a VM.
As with previous examples, a sample script is available for download, as detailed under Download the
Code at the end of this tutorial.
To create an Azure load balancer and a NAT rule and associate them with an existing VM, use the following steps
and PowerShell sample:
1. First we need to create a public IP address using the following syntax:
$vip = New-AzurePublicIpAddress -ResourceGroupName VMResourceGroup `
-Name VMNATPublicIP -Location "North Europe" -AllocationMethod Dynamic
2. Next, we need to create a front-end IP configuration for the load balancer and bind the public IP
address we created to it, using the following syntax:
$feIPConf = New-AzureLoadBalancerFrontendIpConfig -Name ALBFEIP `
-PublicIpAddress $vip
3. Next we can create our inbound NAT rule using the following syntax:
$httpnatrule = New-AzureLoadBalancerInboundNatRuleConfig -Name Http `
-FrontendIpConfiguration $feIPConf -Protocol Tcp -FrontendPort 80 `
-BackendPort 80
4. Next we must give the load balancer the backend address pool in which your VM's network interface will be placed, using the
following syntax:
$lbbepool = New-AzureLoadBalancerBackendAddressPoolConfig -Name BEPool01


5. Next we need to create our load balancer rule using the following syntax:
$lbrule = New-AzureLoadBalancerRuleConfig -Name Http `
-FrontendIpConfiguration $feIPConf -BackendAddressPool $lbbepool `
-Protocol Tcp -FrontendPort 80 -BackendPort 80
6. Next we create the load balancer itself, using the rules and items we configured as its building blocks:
$azurelb = New-AzureLoadBalancer -ResourceGroupName "VMResourceGroup" `
-Name "VM_LB" -Location "North Europe" `
-FrontendIpConfiguration $feIPConf -InboundNatRule $httpnatrule `
-LoadBalancingRule $lbrule -BackendAddressPool $lbbepool
7. Finally, you associate the VM's network interface with the load balancer backend pool using the following syntax:
$vnet = Get-AzureVirtualNetwork -Name CloudVNet -ResourceGroupName VMResourceGroup
$subnet = Get-AzureVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name production
$netint = Get-AzureNetworkInterface -Name WinVMNic -ResourceGroupName VMResourceGroup
$netint.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($azurelb.BackendAddressPools[0])
$netint | Set-AzureNetworkInterface
Download the Code
You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook, in
the \Chapter 7 directory. The file name is AddNATRule2VM.ps1.


7.3.2 ARM Deployment Templates


As mentioned in the first section of this chapter, when you create a template you can define the
resources you require in Azure, the order of installation and even call VM extensions inside the VM for
additional configuration and deployment of an application. Deployment templates are designed for
repeatable, consistent deployment of applications and workloads to Microsoft cloud infrastructures.
It will help your understanding of the sections that follow if we first describe the ARM template schema.
In Figure 7.3.42, you will see the schema of the JSON file required.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "",
"parameters": { },
"variables": { },
"resources": [ ],
"outputs": { }
}
FIGURE 7.3.42 JSON TEMPLATE OUTLINE

To give you a better understanding of the schema, let us describe each section of the JSON file.
$schema: $schema is a required section of the JSON file and it points to the location of the JSON
schema file. This file describes the version of the template language.
contentVersion: contentVersion is a required section of the JSON file. The version number is in
the format X.X.X.X; for example, 1.0.0.0. The version number allows you to ensure that you can
select the right template.
parameters: parameters is not a required section of the JSON file. Parameters are useful
elements as they allow you to customize a template on deployment. For example, if you want to have a
template which deploys a VM, you can request the VM name as a parameter.


The format of the parameters section is as follows:

"parameters": {
"<parameterName>": {
"type": "<type-of-parameter-value>",
"defaultValue": "<optional-default-value-of-parameter>",
"allowedValues": [ "<optional-array-of-allowed-values>" ]
}
}
The parameterName and type are required.
The type can be one of the following:
string or secureString
int
bool
object or secureObject
array
A sample parameters section is as follows:
"parameters": {
"Location": {
"type": "string",
"defaultValue": "North Europe",
"allowedValues": [
"North Europe",
"West Europe",
"North US",
"West US"
]
}
}


variables: variables are not a required section of the JSON file. However, JSON templates can get
quite complex, and variables simplify references within the template. For example, if you repeatedly
reference a virtual network name, defining it as a variable lets you reference it easily throughout
the JSON template.
The variables section is a set of key/value pairs, as shown here:
  "variables": {
    "<key>": "<value>"
  }
The following is a working example:
  "variables": {
    "virtualnetwork": "ProductionVnet01",
    "storageaccount": "productionstorage"
  }
resources: resources are a required section of the JSON file. Resources specify what you want the
template to deploy, for example a VM, a network interface or a storage account.
The format of the resources section is as follows:
  "resources": [
    {
      "apiVersion": "<api-version-of-resource>",
      "type": "<resource-provider-namespace/resource-type-name>",
      "name": "<name-of-the-resource>",
      "location": "<location-of-the-resource>",
      "tags": { <name-value-pairs-for-resource-tagging> },
      "dependsOn": [
        "<array-of-related-resource-names>"
      ],
      "properties": { <settings-for-the-resource> },
      "resources": [
        <array-of-dependent-resources>
      ]
    }
  ]

The apiVersion, type and name are required elements of a resource. The location, tags,
dependsOn, properties and resources elements are optional. The apiVersion values for the available
schemas can be found at https://github.com/Azure/azure-resource-manager-schemas
TIP: The dependsOn element of the JSON template is the key to controlling deployment order. For a good
example of effective use of dependsOn, see the New Active Directory Domain deployment
template at https://github.com/Azure/azure-quickstart-templates.
dependsOn is used in at least 5 places in that azuredeploy.json template, so be sure to search for
dependsOn and review all instances to get a feel for how this option is used.
The type varies depending on the resource you are addressing. The following is a sample of resource
types and how you reference them:
Microsoft.Web/serverfarms
Microsoft.Web/sites
Microsoft.Compute/virtualMachines/extensions
Microsoft.Network/virtualNetworks
Microsoft.Network/networkInterfaces
and so on.
A sample resources section covering a storage account and a virtual network is as follows:
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('newStorageAccountName')]",
      "apiVersion": "2015-05-01-preview",
      "location": "[variables('location')]",
      "tags": {
        "displayName": "StorageAccount"
      },
      "properties": {
        "accountType": "[variables('storageAccountType')]"
      }
    },
    {
      "apiVersion": "2015-05-01-preview",
      "type": "Microsoft.Network/virtualNetworks",
      "name": "[variables('virtualNetworkName')]",
      "location": "[variables('location')]",
      "tags": {
        "displayName": "VirtualNetwork"
      },
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('addressPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "[variables('subnetName')]",
            "properties": {
              "addressPrefix": "[variables('subnetPrefix')]"
            }
          }
        ]
      }
    }
  ]


outputs: outputs are not a required section of the JSON file. If you need the deployment to
return data after it completes, you specify the output in this section. This might be
a simple success / failure value, or something more dynamic, like a value constructed
(concatenated) from several parameters submitted at deployment time. Output values are recorded
with the deployment, so do not output secrets.

The format of the outputs section is as follows:

  "outputs": {
    "<outputName>": {
      "type": "<type-of-output-value>",
      "value": "<output-value-expression>"
    }
  }
outputName, type and value are required. The type accepts the same values as a parameter type.
A sample outputs section is as follows:
  "outputs": {
    "operationResult": {
      "type": "string",
      "value": "[parameters('location')]"
    }
  }
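As an added example that is not from the book, the following Python script applies the structural rules just described (required sections, contentVersion format, parameter types, required resource elements, dependsOn references) together with two checks a security reviewer would want before a template leaves a pull request: credential-looking parameters must be secureString or secureObject, and outputs must not echo them into the deployment history. The sample template, its parameter and resource names, the "looks like a secret" naming hints and the handling of dependsOn expressions are all assumptions made for the example.

```python
"""Static checks for an ARM template (added example, not code from the book)."""
import json
import re

REQUIRED_TOP = ("$schema", "contentVersion", "resources")
REQUIRED_RESOURCE = ("apiVersion", "type", "name")
PARAM_TYPES = {"string", "securestring", "int", "bool", "object", "secureobject", "array"}
SECRET_HINTS = ("password", "secret", "key", "token")  # assumption: naming convention
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

# Constructed sample template; names, region and address prefix are illustrative.
# It deliberately contains three review findings.
SAMPLE_TEMPLATE = '''{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "West Europe",
                  "allowedValues": [ "North Europe", "West Europe" ] },
    "adminPassword": { "type": "string" }
  },
  "variables": { "storageAccountName": "productionstorage" },
  "resources": [
    { "apiVersion": "2015-05-01-preview", "type": "Microsoft.Storage/storageAccounts",
      "name": "[variables('storageAccountName')]", "location": "[parameters('location')]",
      "properties": { "accountType": "Standard_LRS" } },
    { "apiVersion": "2015-05-01-preview", "type": "Microsoft.Network/virtualNetworks",
      "name": "ProductionVnet01", "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
        "Microsoft.Network/networkSecurityGroups/missing-nsg"
      ],
      "properties": { "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] } } }
  ],
  "outputs": { "result": { "type": "string", "value": "[parameters('adminPassword')]" } }
}'''


def looks_secret(name):
    """True if a parameter name suggests it carries a credential."""
    return any(hint in name.lower() for hint in SECRET_HINTS)


def dependency_type(dep):
    """Return the provider/type part of a dependsOn entry.

    Handles the two forms used in this chapter: a literal 'type/name' string and
    a "[concat('type/', ...)]" expression whose first quoted literal is the type.
    """
    match = re.search(r"'([^']+)'", dep) if dep.startswith("[") else None
    literal = match.group(1) if match else dep
    if literal.endswith("/"):
        return literal[:-1]
    return literal if literal.count("/") == 1 else literal.rsplit("/", 1)[0]


def check_template(text):
    """Return a list of findings; an empty list means the template passed."""
    template = json.loads(text)
    findings = []
    for key in REQUIRED_TOP:
        if key not in template:
            findings.append(f"missing required section: {key}")
    if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", str(template.get("contentVersion", ""))):
        findings.append("contentVersion must use the form X.X.X.X")
    for name, spec in template.get("parameters", {}).items():
        ptype = str(spec.get("type", "")).lower()
        if ptype not in PARAM_TYPES:
            findings.append(f"parameter {name}: unknown type {spec.get('type')!r}")
        # a plain-string credential is stored readable in the deployment history
        if looks_secret(name) and not ptype.startswith("secure"):
            findings.append(f"parameter {name}: credential must be secureString or secureObject")
        if ("allowedValues" in spec and "defaultValue" in spec
                and spec["defaultValue"] not in spec["allowedValues"]):
            findings.append(f"parameter {name}: defaultValue is not one of allowedValues")
    resources = template.get("resources", [])
    present_types = {res.get("type") for res in resources}
    for index, res in enumerate(resources):
        for key in REQUIRED_RESOURCE:
            if key not in res:
                findings.append(f"resource {index}: missing required element {key}")
        for dep in res.get("dependsOn", []):
            if dependency_type(dep) not in present_types:
                findings.append(f"resource {index}: dependsOn {dep} refers to a type not in this template")
    for name, spec in template.get("outputs", {}).items():
        for ref in PARAM_REF.findall(str(spec.get("value", ""))):
            if looks_secret(ref):
                findings.append(f"output {name}: echoes parameter {ref} into the deployment history")
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the constructed sample, the script reports three findings: the plain-string adminPassword parameter, the dependsOn entry for a network security group that the template never declares, and the output that would write the password into the deployment record. The dependsOn check only resolves the resource type, not the name, because evaluating template expressions requires the deployment-time parameter values.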


7.3.2.1 Using Preconfigured Templates


To get started quickly with Azure Templates, Microsoft has published QuickStart Templates at
http://azure.microsoft.com/en-us/documentation/templates/
The templates are designed to help you get started quickly.
To deploy a pre-configured template in the Azure Portal using the Deploy to Azure button, complete the
following steps:
1. Open a browser and navigate to http://azure.microsoft.com/en-us/documentation/templates/
2. The Azure QuickStart Template page, shown in Figure 7.3.43, displays some default or popular
templates and also provides a search function to find a template for your needs.

FIGURE 7.3.43 AZURE QUICKSTART


3. In the Search field type SharePoint and click the search glass. This will find 2 templates
as shown in Figure 7.3.44.

FIGURE 7.3.44 SHAREPOINT QUICKSTART TEMPLATES

4. Click Create a new HA SharePoint Farm.

5. Review the template and its parameters as shown in Figure 7.3.45 and finally click
Deploy to Azure.

FIGURE 7.3.45 PARAMETERS AND DEPLOY TO AZURE


6. After you click Deploy to Azure, this will redirect you to the Azure portal and open a Custom
Deployment blade as shown in Figure 7.3.46.

FIGURE 7.3.46 CUSTOM DEPLOYMENT OPTIONS

7. Next, review and populate/select the parameters and click OK.

8. Finally, select an appropriate resource group and click Create, which will deploy the SharePoint Farm.
7.3.2.2 Authoring ARM JSON Templates in Visual Studio
QuickStart templates are a good way to get started and for some people may be all that is required.
However, most organizations will need to create custom templates tailored to their specific
deployment needs.
For this, we need to author a template that covers those needs. There are several authoring options
depending on your needs and experience. Currently you can author in Visual Studio, in the Azure Portal
or in any text editor (such as Notepad or Notepad++).
Deployment in the Azure Portal
In this section, we will quickly demonstrate ARM template deployment capabilities in the Azure Portal
(without the Deploy to Azure button). While it is technically possible to author ARM templates in the
Azure Portal, template authoring is not the portal's strong suit. The following are the steps for
deploying an existing ARM template through the Azure Portal.
1. Open a browser and navigate to https://portal.azure.com.
2. Sign in to Azure with your credentials.
3. Click +NEW from the left hand menu.
4. Click Compute and then click Marketplace.


5. In the Search Compute field type Template and press Enter.


6. Click Template Deployment as shown in Figure 7.3.47.

FIGURE 7.3.47 SELECTING TEMPLATE DEPLOYMENT

7. Click Create as shown in Figure 7.3.48.

FIGURE 7.3.48 TEMPLATE DEPLOYMENT CREATE


8. In the Custom deployment blade, click Template (Edit Template) as show in Figure 7.3.49.

FIGURE 7.3.49 EDIT TEMPLATE


9. This drops you into a template editor, which presents you with the outline of the JSON file schema
and allows you to add your resources, parameters and variables as required. See Figure 7.3.50.

FIGURE 7.3.50 TEMPLATE EDITOR

At this point, you can simply paste in an existing JSON template and deploy via the Azure Portal. This
is great when you want a quick deployment but do not have the one-click Deploy to Azure button
available with templates in the Azure Quickstart Templates repository on GitHub.
10. To test this deployment capability, copy-and-paste a simple ARM template into the template
window, such as the simple Windows VM deployment at https://github.com/Azure/azure-quickstart-templates/blob/master/101-simple-windows-vm-data-disk/azuredeploy.json. Simply click the
Raw button, then copy-and-paste the JSON into the window.
11. Once you are finished, click Save. You can then deploy the template based on your customizations.
Authoring and Deployment in Visual Studio
In this section, we will author a more detailed template deployment of a VM and a virtual network in
Visual Studio 2013 or 2015. Regardless of which of these Visual Studio versions you choose, template
authoring in Visual Studio requires that you install the Azure SDK 2.5 or above. The Web Platform
Installer will allow you to install the latest version of the Azure SDK for the Visual Studio version you
have installed. You can download the Web Platform Installer at the following link: http://www.microsoft.com/web/downloads/platform.aspx.
The following example is based on Visual Studio 2013 Update 4 with Azure SDK 2.7. The authoring
experience in Visual Studio 2015 is virtually identical.
Step 1: Create a New Project
1. Start Visual Studio 2013.
2. Click File, click New and click Project.


3. Expand Templates, Click Cloud, Select Azure Resource Group as shown in Figure 7.3.51

FIGURE 7.3.51 CREATING AZURE RESOURCE GROUP

4. Enter Name and Click OK.


5. In the Select Azure Template window locate Blank Template and click OK as shown in Figure 7.3.52.

FIGURE 7.3.52 SELECT AZURE TEMPLATE


6. The project is broken down as follows: in the left hand pane you have the JSON Outline, in the
center pane you have the JSON file and in the right hand pane you have the Solution Explorer for
the project you are authoring, as shown in Figure 7.3.53.

FIGURE 7.3.53 VISUAL STUDIO PROJECT

Step 2: Add resources to your JSON template


Next, we will use the visual JSON authoring feature in Visual Studio to add resources to an ARM template.
1. In the JSON Outline menu, right click on resources and Click Add Resources
2. In the Add Resource window, select Virtual Network and type a Name and click Add as shown in
Figure 7.3.54. In this example, we gave our VNET name TestVNet.

FIGURE 7.3.54 ADD RESOURCE


3. Review the DeploymentTemplate.json and the JSON Outline as shown in Figure 7.3.55.

FIGURE 7.3.55 JSON TEMPLATE WITH VIRTUAL NETWORK

4. In the JSON Outline pane, right click on resources and click Add Resource.
5. In the Add Resource window, select Storage Account, type a Name and click Add.
6. Review the DeploymentTemplate.json and the JSON Outline for the addition
of the storage account.
7. In the JSON Outline pane, right click on resources and click Add Resource.
8. In the Add Resource window, select Windows Virtual Machine.
a. Type a Name in the space provided.
b. Enter the name for a new Storage Account.
c. Select a Virtual network/subnet and click Add as shown in Figure 7.3.56.

FIGURE 7.3.56 WINDOWS VIRTUAL MACHINE


9. In the DeploymentTemplate.json, in figure 7.3.57, you will see the updated JSON added for the
Windows VM we have just added with the visual authoring aids in Visual Studio.

FIGURE 7.3.57 VIRTUAL MACHINE RESOURCE SECTION

Step 3: Deploy your JSON template from Visual Studio


With authoring complete, you can now test your template directly from Visual Studio.
1. In the Solution Explorer window, under Solution <solutionname>, right click on the name of the
solution, click Deploy and then click New Deployment.
2. In the Deploy to Resource Group window, click Sign In as shown in Figure 7.3.58.

FIGURE 7.3.58 DEPLOY TO RESOURCE GROUP


3. Sign In to Azure and follow the prompts


4. When sign in has completed, in the Deploy to Resource Group window you can select the
Subscription to which you want to deploy and select the Resource Group you want to deploy to,
as shown in Figure 7.3.59, then click Edit Parameters

FIGURE 7.3.59 SUBSCRIPTION AND RESOURCE GROUP SELECTION

5. In the Edit Parameters window, populate the fields and select the appropriate items for the
Storage Account and OS Version as shown in Figure 7.3.60 and Click Save

FIGURE 7.3.60 EDIT PARAMETERS


6. Click Deploy
7. When prompted enter a password for the admin account and click ok
8. Observe the Output Window as shown in Figure 7.3.61 for completion.

FIGURE 7.3.61 OUTPUT WINDOWS

9. Check the Portal for the Resources you are deploying


7.3.2.3 Deploying ARM Template from PowerShell
Once you have created a JSON template file you can save it and use PowerShell to deploy the template
you authored or obtained. When you deploy a JSON template with PowerShell, you will be prompted to supply
values for the parameters defined in the file that have no default value.
The cmdlet New-AzureResourceGroupDeployment is the cmdlet you use to deploy the
template. You can deploy from a PowerShell prompt or the PowerShell ISE.
Syntax and Sample
This working sample will deploy a relatively simple JSON template from the Azure Quickstart Templates
repository on GitHub. This particular template will deploy an Ubuntu Linux VM to a new VNET with a
public IP address.
$URI = 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-simple-linux-vm/azuredeploy.json'
New-AzureResourceGroupDeployment -Name "VMDeployment" `
    -ResourceGroupName "VMResourceGroup" -TemplateUri $URI
To deploy this template using the PowerShell snippet above, first make sure you have
authenticated and connected to your Azure subscription using code from the other samples you have
downloaded from this chapter. Because the template is fetched from the master branch at deployment
time, its content can change between runs; keep a reviewed copy locally, or point at a specific commit,
if you need the deployment to be reproducible.


7.3.2.4 Configuring Azure VMs


In this chapter, we have covered several aspects of deploying Virtual machines into Azure and
configuring various settings in relation to the VM. This is great, but what if we need to install or
configure a component inside the VM itself?
For example, if we want to deploy an application, or reset the local administrator password. In this
section, we will discuss how we can leverage VM Extensions and PowerShell DSC to achieve these
scenarios and many more!
7.3.2.5 VM Extensions
VM Extensions enable further customization of the virtual machine after deployment, for example to run
a custom script or to leverage a 3rd party utility like Chef or Puppet to deploy an application. VM
Extensions can be enabled on a VM via PowerShell or, more often, within an ARM template.
The list of VM Extensions available for Azure is growing all the time and includes extensions such as
BGInfo, Chef client, Puppet agent, as well as Microsoft and 3rd party anti-malware agents. To see the
up-to-date list of available VM Extensions, see Azure VM Extensions and Features on the Microsoft
website at https://msdn.microsoft.com/en-us/library/azure/dn606311.aspx.
In the ARM template, you add a resource that matches the following and calls the appropriate extension.
This sample JSON snippet demonstrates how to configure the Microsoft Antimalware extension.

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(parameters('vmName'),'/', parameters('vmExtensionName'))]",
  "apiVersion": "2015-05-01-preview",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "IaaSAntimalware",
    "typeHandlerVersion": "1.1",
    "settings": {
      "AntimalwareEnabled": "true",
      "Exclusions": {
        "Paths": "C:\\Users",
        "Extensions": ".txt",
        "Processes": "taskmgr.exe"
      },
      "RealtimeProtectionEnabled": "true",
      "ScheduledScanSettings": {
        "isEnabled": "true",
        "scanType": "Quick",
        "day": "7",
        "time": "120"
      }
    },
    "protectedSettings": null
  }
}
TIP: For further samples of Azure VM extensions, check the Azure Quick Start Templates on Github and search
for Extensions. The Azure Quick Start Templates library is available on Github at https://github.com/Azure/
azure-quickstart-templates
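The antimalware snippet above is worth reviewing before you reuse it: excluding C:\Users from scanning leaves the directory where user-launched malware most often lands unprotected, and anything placed in settings rather than protectedSettings is returned in clear text to anyone who can read the VM's extension configuration. As an added example that is not from the book or from Microsoft, the following Python script encodes those review points together with the structural checks (resource type, vmName/extensionName name form, a dependsOn entry for the VM) that apply to every extension resource. The second, Custom Script extension in the sample, its storage URL and SAS token, the list of user-writable paths and the semicolon path separator are all constructed or assumed for the example.

```python
"""Review checks for VM extension resources (added example, not code from the book)."""
import json
import re

EXTENSION_TYPE = "Microsoft.Compute/virtualMachines/extensions"
# Anything that looks like a credential does not belong in public settings.
SECRET_PATTERN = re.compile(r"sig=|password|secret|token", re.IGNORECASE)
# Assumption: exclusion prefixes that ordinary users can write to.
RISKY_EXCLUSIONS = ("c:\\users", "c:\\windows\\temp", "c:\\programdata", "%temp%")

# Constructed sample: the antimalware extension from the text, plus a hypothetical
# Custom Script extension carrying a SAS token in its public settings.
SAMPLE_EXTENSIONS = json.loads(r'''[
  {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "VM001/IaaSAntimalware",
    "apiVersion": "2015-05-01-preview",
    "location": "North Europe",
    "dependsOn": ["[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"],
    "properties": {
      "publisher": "Microsoft.Azure.Security",
      "type": "IaaSAntimalware",
      "typeHandlerVersion": "1.1",
      "settings": {
        "AntimalwareEnabled": "true",
        "Exclusions": { "Paths": "C:\\Users", "Extensions": ".txt", "Processes": "taskmgr.exe" },
        "RealtimeProtectionEnabled": "true",
        "ScheduledScanSettings": { "isEnabled": "true", "scanType": "Quick", "day": "7", "time": "120" }
      },
      "protectedSettings": null
    }
  },
  {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "VM001/CustomScript",
    "apiVersion": "2015-05-01-preview",
    "location": "North Europe",
    "properties": {
      "publisher": "Microsoft.Compute",
      "type": "CustomScriptExtension",
      "typeHandlerVersion": "1.4",
      "settings": {
        "fileUris": ["https://mystoracct001.blob.core.windows.net/scripts/setup.ps1?sv=2015-04-05&sig=abc123"],
        "commandToExecute": "powershell -File setup.ps1"
      }
    }
  }
]''')


def iter_strings(obj):
    """Yield every string value in a nested settings object."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)
    elif isinstance(obj, str):
        yield obj


def check_extension(ext):
    """Return findings for one extension resource (empty list = passed)."""
    findings = []
    name = ext.get("name", "")
    props = ext.get("properties", {})
    if ext.get("type") != EXTENSION_TYPE:
        findings.append(f"{name}: type must be {EXTENSION_TYPE}")
    if "/" not in name:
        findings.append(f"{name}: name must be <vmName>/<extensionName>")
    if not any("Microsoft.Compute/virtualMachines" in dep for dep in ext.get("dependsOn", [])):
        findings.append(f"{name}: add a dependsOn entry for the virtual machine it extends")
    for value in iter_strings(props.get("settings", {})):
        if SECRET_PATTERN.search(value):
            findings.append(f"{name}: credential-like value in settings; move it to protectedSettings")
            break
    if props.get("type") == "IaaSAntimalware":
        settings = props.get("settings", {})
        if str(settings.get("RealtimeProtectionEnabled", "")).lower() != "true":
            findings.append(f"{name}: RealtimeProtectionEnabled is not true")
        # assumption: multiple exclusion paths are separated by semicolons
        for path in str(settings.get("Exclusions", {}).get("Paths", "")).split(";"):
            if path.strip().lower().startswith(RISKY_EXCLUSIONS):
                findings.append(f"{name}: exclusion {path.strip()} covers a user-writable location")
    return findings


def check_extensions(extensions):
    """Flatten findings across all extension resources of a template."""
    return [finding for ext in extensions for finding in check_extension(ext)]


if __name__ == "__main__":
    for finding in check_extensions(SAMPLE_EXTENSIONS):
        print(finding)
```

On the constructed sample the script reports the C:\Users exclusion on the antimalware extension, and on the Custom Script extension both the missing dependsOn entry and the SAS token sitting in public settings. The credential check stops at the first hit per extension, since one finding is enough to block the change.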
To enable an extension from PowerShell instead, use Set-AzureVMExtension. The following sample enables
the PowerShell DSC extension; the SasToken value is left empty here and must be supplied if the blob is
not publicly readable. Only values passed in -ProtectedSettings are encrypted and withheld from the API;
anything passed in -Settings can be read back by anyone with read access to the VM, so check the
extension's documentation for which keys it accepts in protected settings before placing a SAS token in
the public settings.
$settings = @{
    SasToken = ""
    ModulesUrl = "https://mystoracct001.blob.core.windows.net/windows-powershell-dsc/IISInstall.ps1.zip"
    ConfigurationFunction = "IISInstall.ps1\InstallIIS"
}
$protectedSettings = @{ PlaceHolder = "" }
Set-AzureVMExtension -ResourceGroupName "VMResourceGroup" -VMName "VM001" `
    -Publisher "Microsoft.PowerShell" -Name "dscextension" -ExtensionType "DSC" `
    -TypeHandlerVersion "1.9" -Settings $settings -ProtectedSettings $protectedSettings `
    -Location "North Europe"
In the next section, we discuss PowerShell DSC in more detail.
7.3.2.6 PowerShell DSC
PowerShell DSC is a declarative model for deployment and configuration of Windows resources.
PowerShell DSC enables creation of file-based configurations for a wide variety of Windows and
Linux roles, features and applications. For example, if you wanted to install the Windows Active Directory
domain controller role on a VM and promote it to a domain controller in a new or existing domain, you
could do this with PowerShell DSC. PowerShell DSC also allows you to download and install software from a
share or the internet.
The high-level process is as follows:
Download or create a PowerShell DSC configuration file.
PowerShell DSC takes the configuration file and packages it with the associated modules into a ZIP file.
You then upload this package to an artifact store in an Azure storage account.
You can then reference this package in an ARM template for use during a virtual machine deployment, or
associate it with a virtual machine extension to configure the VM as necessary.
IMPORTANT: Installing Prerequisites
The steps in this section assume you have installed the following prerequisites on the computer you
are using to perform these tasks:
The Windows Management Framework (WMF) 5.0 Preview, available at http://www.powershellgallery.com/.
The xWebAdministration PowerShell DSC module. Installation is a single line of PowerShell.
Additional information is available at http://www.powershellgallery.com/packages/xWebAdministration/.
Sample PowerShell DSC Deployment to an Azure VM
In this example, we will configure a sample PowerShell DSC file, deploy it to an Azure storage account
and then associate it to an Azure VM. You can download all the PowerShell components for this
example from the URL under the Download the Code heading at the end of this section.
1. Open PowerShell ISE, click File, then New.
2. Copy the following code into the window:
configuration InstallIIS
{
    Import-DscResource -Module xWebAdministration

    # Install the IIS role
    WindowsFeature IIS
    {
        Ensure = "Present"
        Name = "Web-Server"
    }

    # Install the ASP.NET 4.5 role
    WindowsFeature AspNet45
    {
        Ensure = "Present"
        Name = "Web-Asp-Net45"
    }
}
3. Click File, select Save As and type c:\temp\IISInstall.ps1 for the file name.
4. Open an elevated PowerShell prompt, type Switch-AzureMode AzureResourceManager and
press Enter.
5. Now type the following to publish the PowerShell DSC configuration you just created, and press Enter:
Publish-AzureVMDscConfiguration -ResourceGroupName "VMResourceGroup" `
    -ConfigurationPath "C:\temp\IISInstall.ps1" -StorageAccountName "mystoracct001"
Note: The command above assumes the storage account name provided to the -StorageAccountName
parameter already exists.
6. Next, apply the PowerShell DSC configuration to the target VM, and press Enter:
Set-AzureVMDscExtension -ResourceGroupName "VMResourceGroup" -VMName "VM001" `
    -ArchiveBlobName "IISInstall.ps1.zip" -ArchiveStorageAccountName "mystoracct001" `
    -ConfigurationName "IISInstall" -Version "2.0" -Location "North Europe"


7. To verify the state of the deployment, type the following:

$status = Get-AzureVM -ResourceGroupName "VMResourceGroup" -Name "VM001" -Status -Verbose
$status
8. Observe the output of $status to determine the status of your deployment.
Download the Code
You can download the full PowerShell code for the steps in this section from GitHub at https://github.
com/insidemscloud/AzureIaasBook, in the \Chapter 7 directory. The file name is PowerShell_DSC_
IISConfig.ps1.

7.4 Summary
In this chapter, we discussed Azure Resource Manager (ARM) and the new deployment model for VM and
application deployment. We discussed VM sizing and configuration options of VM images in the Azure
Marketplace. We explored ARM deployment options for Windows and Linux VMs in depth, including via the
Azure Portal, Azure PowerShell and the new ARM json template. With a few deployments completed, we
explored additional configuration capabilities of ARM, including VM Extensions and PowerShell DSC.
In chapter 8, we will explore options for migration from on-premises data centers to Microsoft Azure from
planning to implementation, including tips and tricks to ensure your migration to Azure is a success.


Chapter 10:
Automation
and Self-Service
Explained simply, an IT service is a group of IT systems, people and processes required to deliver
value to a customer. A service provides value to the customer, but a service cannot deliver value to
the customer if it is not available. To make services available more quickly and service delivery more
reliable, you can use automation and self-service. While automation is a key driver to reliable and
scalable execution of repeatable processes, it is only a small component of delivering an IT service.
As an example, building a runbook to reset a user's password can be a great solution, quick and easy
for support engineers to use instead of multiple administration tools. However, what is the real benefit
of automation if the customer still needs to call the service desk, and the support engineer still needs to
fill in the incident, start the runbook manually and deliver the new password to the customer? In
this example, the most time consuming part of the process is the call to the service desk and the
creation of the incident. Resetting the password is a quick job with or without an automated runbook.
If you instead focus on delivering a service to the customer that substantially reduces manual effort,
eliminates human error and reduces phone calls to the service desk, you can provide real business
value. As an example, a solution implementing a self-service portal where your customers can reset
passwords without a phone call to the service desk, with the new password delivered automatically
over a secured channel, provides closed loop automation with measurable cost reduction. A self-service
portal is a good way to provide customers an easy contact channel to the service provider, which in
this example is the internal IT department. A self-service portal can be used to request services, as well
as to update existing work items and configuration items.
Self-service can just as easily backfire if the user experience is not designed for the audience who will use
the solution. Another user in the same company can spend days thinking about whether they should
be running Windows x86 or x64 and whether they should have a 120 GB or a 240 GB hard disk. Perhaps
they do not install Windows often, and perhaps have no clue what a GB is. In this example, self-service can
actually become more expensive for the company, as the end-user may now waste time deciding on an
order instead of simply calling the service desk and saying "I need a standard desktop with MS Office."
Focus must always be on delivering an easy-to-use service to our customer, not just to automate for the
sake of automation. Self-service must be delivered in a way that the customer understands, for example
"Small PC or Large PC", abstracting technical terms they may not understand, like GB and GHz. When
delivering automation and self-service in a good balance, with focus on service delivery, a great value
can be provided to the customer and the business.


This chapter will present several self-service and automation solution options, with examples of how to
utilize these together to deliver value to users and the business.
In this chapter, you will learn about:
Different self-service portals you might use when automating processes in Azure, as well as the pros
and cons of the different solutions in System Center 2012 R2 (System Center).
System Center offers multiple runbook automation engines (three at the time of this writing). This
chapter will talk about the options available from Microsoft and possible use cases for each.
Then, to help you better understand how to use the two together, we will discuss integration
between self-service portals and automation engines.
Finally, we will cover how to address a couple of common scenarios and you will create two Azure
Automation runbooks, including one in the new graphical authoring interface.
As with previous chapters, code samples presented within the chapter will be downloadable from the GitHub
repository associated with this book. Look for the Download the Code sections throughout the chapter.


10.1 Self-Service Portal Options


When planning for self-service, there are a number of different portals to consider. There are multiple
portals available in System Center, as well as a number of portal options from 3rd party vendors that
integrate with System Center. There are also scenarios where companies may choose to build their
own portal from the ground up. Finally, there are native solutions from Microsoft (some of them
available for free) you can utilize to create effective self-service solutions.

10.1.1 SharePoint
SharePoint is a server product from Microsoft that can be used to create web sites, often non-Internet
facing web sites, such as project websites and Intranets. SharePoint can be used to store, sort, share and
give access to information from almost any device. SharePoint includes a free tool named SharePoint
Designer that can be used to design, create and adapt web sites, without any deep development skills.
SharePoint comes in two flavors: a free version, named SharePoint Foundation and a licensed version,
named SharePoint Server. SharePoint Server is built for large enterprises with advanced features,
including business intelligence and advanced search.
Often companies already have one or even multiple SharePoint installations. Customers are used to
using the SharePoint interface and the company may have internal resources to adapt and customize
SharePoint. SharePoint is also a reliable technology that has been on the market for a long time, and
there are a number of add-ons and well-tested solutions for any given scenario. This gives SharePoint an
edge when implementing a self-service portal where none exists. However, a disadvantage of running
SharePoint is that there is no real out-of-box integration or connector to System Center 2012 R2 Service
Manager (Service Manager or SCSM) or the Microsoft automation platforms, which include System Center
Orchestrator (Orchestrator), Service Management Automation (SMA) and Azure Automation. However,
it is possible for IT Pros to develop this integration with System Center. You will learn how to leverage
SharePoint for self-service later in this chapter, with focus on self-service for Azure services.


10.2 App Controller


System Center 2012 R2 App Controller (App Controller) is a self-service portal for managing cloud services
and virtual machines (VMs), running in both private clouds (managed through VMM) or in the public
cloud, specifically Microsoft Azure. Unfortunately, there are two significant challenges with App Controller.
First, App Controller does not offer a way to integrate with IT service management (ITSM) tools like
Service Manager. For example, you cannot access knowledge articles, incidents, change requests or
other work items directly from the App Controller portal.
Figure 10.2.1 shows the Virtual Machines view in App Controller.

FIGURE 10.2.1. APP CONTROLLER - VIRTUAL MACHINES VIEW

Second, App Controller only supports Azure Service Management (Azure v1), so it cannot leverage the
new features of Azure Resource Manager (Azure v2). In fact, App Controller is not listed on the System
Center 2016 roadmap, so it will no longer be an option for managing on-premises resources either.
If your organization is not already using App Controller, the authors recommend against introducing it
into your environment.


10.3 Service Manager


Self-Service portal
Service Manager, the IT service management (ITSM) component of System Center, comes with a self-service portal. The Service Manager self-service portal offers the capabilities to:
Request service from a published service catalog.
Request help and submit an incident.
Work with approval activities, review or decline a request.
Read published knowledge articles.
Review submitted service requests or incidents.
The Service Manager self-service portal is a good choice if the out-of-box functionality meets your
requirements. Extending or modifying the Service Manager self-service portal is far from simple, as
some knowledge of SharePoint is required. Additionally, only small customizations are possible, like
changing the portal color scheme or title. The Service Manager self-service portal runs on SharePoint
2010, which can be a disadvantage in the many organizations that have moved to SharePoint 2013.
In terms of automation, Service Manager offers seamless integration to automation with Orchestrator
and integrates with other System Center and Microsoft technologies.
Figure 10.3.1 shows the default Service Manager Self-service portal interface, with one service offering
named Workstation offerings.

FIGURE 10.3.1. THE SELF-SERVICE PORTAL IN SERVICE MANAGER


The new Service Manager Self-Service Portal


Microsoft is planning to release a new self-service portal for Service Manager in late 2015. The new
portal will target end-users, offering request management and improved search capabilities. The
new portal is HTML5 and does not require Silverlight or SharePoint, making it browser independent
and tablet and mobile device friendly. For an advance look at the new portal, see http://jhnr.ch/2015/08/22/service-manager-lync-up-summary-august-2015-new-portal-sneak-preview/

10.4 Windows Azure Pack


Windows Azure Pack (WAP) is a collection of Microsoft Azure technologies, available at no extra cost
to customers, for use in your on-premises datacenter and private cloud. WAP runs on top of Windows
Server 2012 R2 and Hyper-V, System Center 2012 R2, and SQL Server, enabling organizations to host
Platform as-a-Service (PaaS) and Infrastructure as-a-Service (IaaS) services on-premises. WAP includes
the following capabilities:
Self-service portal: a customizable self-service portal for tenants.
An administration portal to configure and manage resources, for example clouds, user
accounts, offers, pricing and quotas.
A REST API which can be used in a large number of scenarios for custom portal and billing systems.
Web Site Clouds: a service to build high-density web hosting platforms for web applications.
Virtual Machine Clouds: a service to build IaaS for Windows and Linux machines.
Service Bus Clouds: a service to provide messaging services between applications.
Hosted Database: a service to provide hosted Microsoft SQL and MySQL database instances.
Automation: using the Service Management Automation (SMA) component of WAP to build
runbooks to automate and integrate with other data center systems and applications.
WAP provides a fast, web-based interface for PaaS and IaaS services in your on-premises datacenter and
private cloud that provides an experience very much like the original Microsoft Azure portal (v1). One of
the disadvantages of WAP is that the current version does not integrate with Microsoft Azure or any ITSM
tools. If you want to offer your organization or customers the capability to deploy VMs in Microsoft Azure
from WAP, you will need to buy or build an add-on for WAP. Figure 10.4.1 shows the portal included in WAP.


FIGURE 10.4.1. THE WAP PORTAL

TIP: Gridpro, a Microsoft partner, sells a product called Request Management for WAP, which adds
integration between Service Manager and the WAP portal. With the Gridpro add-on, you can publish the
service catalog into the portal and also work with work items, like incidents and service requests, from the
WAP portal. More info can be found on the Gridpro website at www.gridpro.se.


10.5 Building Your Own versus Buying Commercial Portals

Building your own self-service portal can deliver great benefits, but also comes with some disadvantages.
There are also a number of commercial packages that you can buy. When investigating whether to build
your own portal or buy a third-party solution, there are many factors to consider. Though price is often the first
consideration, it should not be the only deciding factor. In some scenarios, you can find a commercial
product that meets 85% of your requirements and, when looking at the other 15%, you may realize that
instead of updating the product, you need to adjust your internal processes and services.
Another important aspect of this choice is the Software as-a-Service (SaaS) and PaaS market. The
number of solutions and services offered as SaaS and PaaS increases every month.
When looking at commercial products, it is a good idea to look at the product roadmap. What will they
release soon? Maybe they can cover 100% of your needs in the next release, which is sooner than you
can build an in-house developed portal.

10.5.1 Advantages of a Custom Portal


In-house developed portal solutions can offer several benefits over commercial solutions, including:
Built-to-fit: The portal can be customized to fit your organization perfectly. This is perhaps the greatest
benefit in developing your own custom portal. Any commercial product is built to fit many organizations.
A custom developed solution gives you full control over portal design, allowing you to cover many needs
without buying commercial add-ons. You can control the interface to fit your end users' needs.
In-house support: Support should be a big win too, but this is not the case in all organizations. Some
in-house solutions are very poorly documented and all knowledge depends on one or a few people.
If these individuals leave the company, no one can maintain the in-house developed solution.
Product lifespan: When developing the portal in-house you eliminate the risk that an external
vendor will stop developing the solution, change the focus of the product or raise the license fee to
a much higher price.
As with all in-house developed solutions, your mileage may vary. The above benefits may not seem like
benefits at all if processes and resources are not in place to properly support an in-house developed
solution. Before you recommend in-house development, consider the points above in the context
of IT Operations as it exists at your organization.


10.5.2 Disadvantages of a Custom Portal


In-house developed solutions often come with their own challenges. Some of the downsides of in-house developed solutions include:
Quality of support: In-house knowledge is needed to support the desired end result. If your in-house
development team does not have the skills to design and build complex functionality to meet
requirements, the solution can lack features, or contain bugs that make it less reliable.
Product roadmap: Upgrade paths and roadmap planning are often missing for in-house portals.
Differences among the various in-house development and product teams can cause issues. For
example, the portal development team may see no use in supporting the latest SQL Server version
or latest Windows Server version. The operating system team may want to, or need to, upgrade
to the latest supported version of SQL Server and Windows, which could cause major functionality
problems in the in-house portal, or break it entirely.
Scalability: In-house developed portals often lack support for scaling and also often lack
sufficient testing. A commercial product is often well tested for all devices and scenarios. Testing
software is a complex process and often requires expensive software.
Total cost of ownership (TCO): Even if the cost looks good at first glance, a complex in-house
solution often becomes much more expensive in the long run due to ongoing support effort.
Commercial solutions are often updated more frequently and the development costs are spread
across multiple customers. It is not unusual for businesses to choose a commercial package after a
number of years of working with in-house developed solutions.
If you need to integrate an in-house developed self-service portal with Orchestrator, SMA or Azure
Automation, you can use web services. Each of the three options includes a web service, which can
be used to start, stop and get the status of runbooks. For more information and examples, visit the MSDN website at
http://msdn.microsoft.com/en-us/library/hh921685.aspx.
To integrate with the SMA web service, see the blog post from the product team on TechNet:
http://blogs.technet.com/b/orchestrator/archive/2013/12/11/service-management-automation-integrating-into-the-odata-web-service.aspx.
To integrate with Azure Automation, see https://msdn.microsoft.com/en-us/library/dn690262.aspx.
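The following PowerShell is an added example, not code from the book, of what an in-house portal's back end does when it drives Orchestrator through the web service described above: it posts a job for a runbook to the OData Jobs collection and then polls the job until it leaves the Pending and Running states. The server name and port (scorch01:81), the runbook GUID and the parameter GUID are placeholders; the real GUIDs come from the runbook's properties in Runbook Designer or from the Runbooks collection of the same web service. Because the request carries the caller's Windows identity, the account your portal runs under (for example its IIS application pool identity) needs Publish permission on exactly the runbooks it is allowed to start, and no broader Orchestrator rights. That is also what lets the portal trigger automation without holding a privileged credential of its own.

```powershell
# Added example (not from the book): start an Orchestrator runbook through the
# OData web service and poll the resulting job until it finishes.
# Assumptions: the web service listens on scorch01:81, the two GUIDs below are
# placeholders, and the Windows account running this code has Publish permission
# on the runbook (granted in Runbook Designer).

$WebServiceUrl = 'http://scorch01:81/Orchestrator2012/Orchestrator.svc'
$RunbookId     = '00000000-0000-0000-0000-000000000001'   # placeholder runbook GUID
$ParameterId   = '00000000-0000-0000-0000-000000000002'   # placeholder input parameter GUID

function Start-OrchestratorRunbook {
    param(
        [Parameter(Mandatory = $true)] [string] $RunbookId,
        [hashtable] $Parameters = @{}    # parameter GUID -> value
    )
    # Runbook inputs travel as an XML fragment inside the Atom entry. Values are
    # escaped so a user-supplied string cannot break out of the <Value> element.
    $paramXml = ($Parameters.GetEnumerator() | ForEach-Object {
        "<Parameter><ID>{$($_.Key)}</ID><Value>$([System.Security.SecurityElement]::Escape([string]$_.Value))</Value></Parameter>"
    }) -join ''

$body = @"
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<entry xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
       xmlns="http://www.w3.org/2005/Atom">
  <content type="application/xml">
    <m:properties>
      <d:RunbookId m:type="Edm.Guid">$RunbookId</d:RunbookId>
      <d:Parameters><![CDATA[<Data>$paramXml</Data>]]></d:Parameters>
    </m:properties>
  </content>
</entry>
"@
    # -UseDefaultCredentials sends the caller's Windows identity; the web service
    # enforces the per-runbook permissions configured for that account.
    $response = Invoke-WebRequest -Uri "$WebServiceUrl/Jobs" -Method Post -Body $body `
        -ContentType 'application/atom+xml' -UseDefaultCredentials -UseBasicParsing
    $xml = [xml] $response.Content
    return $xml.entry.content.properties.Id.'#text'     # GUID of the new job
}

function Get-OrchestratorJobStatus {
    param([Parameter(Mandatory = $true)] [string] $JobId)
    $response = Invoke-WebRequest -Uri "$WebServiceUrl/Jobs(guid'$JobId')" `
        -UseDefaultCredentials -UseBasicParsing
    $xml = [xml] $response.Content
    return $xml.entry.content.properties.Status          # e.g. Pending, Running, Completed, Failed
}

# Usage: start the runbook with one input parameter and wait for it to finish.
$jobId = Start-OrchestratorRunbook -RunbookId $RunbookId -Parameters @{ $ParameterId = 'CONTOSO\jdoe' }
do {
    Start-Sleep -Seconds 5
    $status = Get-OrchestratorJobStatus -JobId $jobId
    Write-Host "Job $jobId is $status"
} while ($status -in 'Pending', 'Running')
```

The same two calls (create a job, read the job entity) are all the portal needs to expose "submit request" and "show request progress"; everything else stays inside the runbook, where it runs under the Runbook Server service account rather than the portal's identity.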


10.5.3 Commercial Portals


Two common solutions for self-service in System Center are Gridpro Request Management for
WAP, shown in Figure 10.5.1, and the Cireson Portal. Earlier in this chapter, we talked about Gridpro
Request Management for WAP.

FIGURE 10.5.1. GRIDPRO REQUEST MANAGEMENT FOR WAP, OFFERING CATALOG

Figure 10.5.2 shows a service request that is in progress. The Gridpro Request Management solution
uses the WAP portal, providing ITSM integration for organizations using WAP. The native Service
Manager portal can still be used side by side with the WAP portal to provide self-service to users outside of IT, who
would not typically use the WAP portal.

FIGURE 10.5.2. SERVICE REQUEST IN GRIDPRO REQUEST MANAGEMENT FOR WAP


Cireson is a Microsoft partner founded in San Diego with services partners around the world. The
Cireson Portal, shown in Figure 10.5.3 and 10.5.4, totally replaces the native self-service portal in
Service Manager. The portal provides features like service catalog, request management, work item
management and knowledge base. The Cireson portal is HTML 5 and does not require WAP, SharePoint
or Silverlight, making it browser independent and mobile device friendly.

FIGURE 10.5.3. CIRESON PORTAL SHOWING DIFFERENT OFFERINGS

Additionally, the Cireson Portal offers functionality enabling service desk analysts and change managers
to perform their job duties entirely in a web browser, dramatically reducing the need for the SCSM
Console. To augment the native reporting feature of Service Manager, the Cireson Portal also includes a
few built-in dashboards.

FIGURE 10.5.4. CIRESON PORTAL SHOWING THE SERVICE DESK DASHBOARD


10.6 Self-Service Portal Summary
The following table shows a summary of the different portal alternatives in System Center 2012 R2 for
enabling self-service. It is important to evaluate each alternative for your specific use cases and the
functionality requirements of each.
Portal: SharePoint
  Advantages: SharePoint provides a great platform. It is a well-known and well-tested product, with a lot of
  knowledge at many companies, partners and in the community. SharePoint can be built into almost any
  web-based portal solution.
  Disadvantages: Even if you can do much of the SharePoint configuration by following wizards, well-written
  blog posts and TechNet articles, it still has to be done. There is no self-service portal of any kind out of the box.

Portal: App Controller
  Advantages: App Controller can be connected to both Virtual Machine Manager and Microsoft Azure.
  Disadvantages: App Controller only supports VMs, not service templates. There is no support for granular
  security roles for Microsoft Azure subscriptions. It has been announced that App Controller will not be
  included in System Center 2016.

Portal: Service Manager Portal
  Advantages: With the self-service portal in Service Manager it is easy to publish a service catalog and
  connect it to automation.
  Disadvantages: Deep customization of the self-service portal in Service Manager requires development
  skills, and even then customization is limited.

Portal: 3rd Party (Commercial) Portal
  Advantages: When buying a commercial product you can quickly fulfill most or all of your requirements.
  Disadvantages: A commercial product often does not include the source code or an easy way to do
  customization. If the product does not fulfill all requirements out of the box, it often requires a great deal
  of development, if it is possible at all.

Portal: In-House Developed
  Advantages: When building the portal solution in-house it can be built to fulfill all requirements and will
  support all your processes.
  Disadvantages: Developing in-house is often a very expensive solution in the long run.

Portal: Windows Azure Pack
  Advantages: WAP supports building both IaaS and PaaS.
  Disadvantages: WAP only supports on-premises clouds, not Microsoft Azure. Customization of the portal
  can require significant development skills.

TABLE 10.6.1 SELF-SERVICE PORTAL OPTIONS FOR HYBRID CLOUD


10.7 Automation
With Orchestrator, Service Management Automation (SMA) and Azure Automation, you can automate
almost any manual process. However, before you try to do that, there are a number of questions that
should be asked and answered to ensure you are focusing on automating the processes that will
provide the most benefit to the organization.
The process of identifying the best candidates for runbook automation requires examining both the
financial benefits (return on investment) to the business and the technical aspects of process
automation. As runbook automation attempts to replace human effort, you will find some processes
much easier to automate than others. By identifying the best candidates from both financial and
technical perspectives, you increase the likelihood of success in automating processes that offer
clear value to the business.

10.8 Identifying Candidates for Automation (business perspective)
Regardless of which automation engine you choose, you should review the following questions to help
identify which processes, if automated, would offer the greatest return on investment.
Which processes are the most time-consuming?
With Orchestrator, it is easy to automate even complex scenarios, integrating with components
throughout the data center and into the cloud. However, as a start, it is generally a much better idea
to look at the processes and tasks that are the most time-consuming today. This kind of information
can often be found in the service desk reporting tool.
Which service levels are suffering the most?
Look into which service level agreements (SLAs) the organization most often breaches, or deliveries
that always seem to push very close to deadlines. Remember, you do not necessarily need to
automate 100% of a multi-step process to realize the benefits of process automation. Can some of
the steps leading to the SLA breach be automated? Can some of the steps in the process be automated
to speed up the delivery?
Which incidents recur most frequently?
Common incidents, for example Windows services that frequently stop unexpectedly, are good
candidates for automation.


Which incidents are most expensive for the company?
When an incident occurs that affects many users, such as a file server cluster going offline, there
is an inherent urgency to resolve the issue. Automating these incident resolutions can have an
exponentially greater payback based on the reduction in work time lost across a large group of users.
Which processes result in significant delays for your customers?
For example, a project manager requests a new project site in SharePoint to kick off a new project. If
that work item sits in a support queue for a couple of days, it potentially delays the work of an entire
project team. In this case, even if it takes an engineer only 5-10 minutes to complete the manual task
of creating the SharePoint site, this may be a good candidate for automation to eliminate the lag time
between request submission and fulfillment.
Identifying the best candidates from a financial perspective is only the first step. You must then identify
feasibility and level of effort from a technical perspective.

10.9 Identifying Candidates for Automation (technical perspective)
There are several questions that should be answered before authoring begins, to identify the technical
feasibility of automating candidate processes. In evaluating the technical aspects of feasibility and
level of effort, you will notice the financial element involved. We are attempting to identify technically
suitable candidates for which the effort involved makes financial sense.
Is this task well suited for automation?
Many tasks can be executed with Microsoft automation engines, but you always need to ask if the task
is well suited for automation. At the end of the day, Orchestrator can install a software package on all of our
Windows client PCs, but this task is most likely better done with Configuration Manager. Try to focus your
use of automation on augmenting the capabilities of your existing tools, not replacing them.
Development cost and effort?
Take an example where you have a task that you perform every quarter, and it takes about an hour
to complete the task manually. You want to build a solution to automate the task, but it would take
around 40 hours to develop and test the solution. Return on the investment of the development
costs would take around 10 years! Automating this process would not be a good investment of your
time. Always estimate development hours and return on investment time before starting. Also,
always plan for unexpected problems and challenges, as these happen in the real world. As a rule,
always add 25% to the development time estimate for unexpected problems.


Ports and permissions required?
Depending on the integration and product, the solution will require access to different ports with
different accounts. Often these accounts require a high level of permissions, such as in scenarios around
provisioning and de-provisioning in VMM, Active Directory and Azure. It is important to address the needs
for both network firewall ports and service account requirements early in your planning process. Where
possible, give each integration its own service account with only the rights that integration needs, so that
a compromised runbook server or a leaked credential does not translate into domain-wide or
subscription-wide access.
Closing the loop with ITSM integration.
At the beginning of this chapter, we discussed how important it is to look at automation from a
service delivery perspective. In an early stage of an automation project, you should plan for integration
with the organization's ITSM tool, such as Service Manager.
Once you have found good automation candidates, you can, as a final filter, look into the number of
exceptions and variances. More exceptions and variances in the process make it more difficult to
automate. For example, maybe you are building automation for new virtual servers
and you use only one version of Windows Server and one version of SQL Server. The number of
combinations would be one. In this case, it is a very easy scenario to automate.
Think about the same scenario, but with three different Windows Server versions and two different
SQL Server versions. That results in six different combinations. This gives you much more to
consider when building the automation around the process.
Automation does not transform a bad process into a good process. Validated, well-documented
processes are key to effective automation.


10.10 Choosing Your Automation Engine
System Center 2012 R2 comes with two automation engines within the same component, Orchestrator.
Near the end of 2009, Microsoft acquired Opalis Software. Opalis had a product named Opalis
Integration Server, a platform for automation of processes within your datacenter. Opalis Integration
Server included integration for many non-Microsoft products like Remedy, VMware and Linux. After
the acquisition by Microsoft, the product was renamed System Center Orchestrator. When System Center
2012 R2 was released, Microsoft released a new automation engine bundled with Orchestrator called
Service Management Automation (SMA). Orchestrator runs a 32-bit engine (developed by Opalis), while
SMA runs a 64-bit engine with runbooks written in Windows PowerShell workflow.
A common decision point is determining when you should use each tool, which is easier if you
understand the capabilities of each. The following table shows a summary of the three platforms.
Feature                                Orchestrator   SMA     Azure Automation
Support for x64 PowerShell             No             Yes     Yes
Check pointing                         No             Yes     Yes
Administration support by PowerShell   No             Yes     Yes
Auditing                               Yes                    Yes
Source Control                         No             No      Yes
Parallel execution                     No             Yes     Yes
Runbook Gallery                        No             No      Yes
Graphical Authoring Mode               Yes            No      Yes
Text based Authoring Mode              No             Yes     Yes
Cloud based                            No             No      Yes
Require local infrastructure           Yes            Yes     No (only a Hybrid worker is required)
Data stored                            Local          Local   In Azure
Note: For Orchestrator, there are many workarounds in the community for all the cons, such as state tracking,
checkpointing and parallel processing. If you choose Orchestrator as your automation solution and would
like more information, see Best Practices for Authoring and Managing Orchestrator at https://channel9.
msdn.com/events/MMS/2013/SD-B317 on the Microsoft Channel 9 website.


When choosing an automation platform for automating in Azure, you should start by investigating whether a
cloud-based tool can be used, as there are often legal requirements or privacy concerns that must
be addressed in the decision process. Azure Automation has many features of the on-premises solutions,
as well as some not available in the on-premises options. It is also the platform on which Microsoft
will focus the most development effort in the future. If Azure Automation is not an option for your
organization, evaluate the PowerShell scripting skills of your team. If you have limited PowerShell skills
and need to get started with automation quickly, the graphical authoring feature of Orchestrator makes
it the better option. If you have PowerShell skills on your IT Operations team, consider SMA, as it is the
most current on-premises automation platform from Microsoft. If you do select Orchestrator, know that
there will come a time when you need to migrate from Orchestrator to SMA or Azure Automation for
continued support from Microsoft.

10.10.1 System Center Orchestrator


When choosing your primary tool, it is important to consider that Microsoft has stated publicly that
going forward, they will not invest great effort in developing Orchestrator. Instead, all new features
will be released to Azure Automation first and then transferred to SMA where appropriate. Azure
Automation is the platform to use if access to the latest features is high on your list of priorities. Let us
focus for a moment on the core features and functionality of Orchestrator.
A runbook contains the instructions for an automated task or process. A runbook in Orchestrator is
represented by a number of icons (called activities) connected with links (called smart links). Activities
are like small tasks, for example querying a database or creating an incident in Service Manager. Out of
the box, Orchestrator includes around 70 generic, product agnostic activities (called standard activities),
such as activities to read a file, stop a service or copy a file. If more activities are needed, you can import
Integration Packs. An Integration Pack includes a number of activities often connected to one product
or technology, such as Service Manager. The Service Manager Integration Pack includes activities like
Create Incident, Get Object and Update Object.


Figure 10.10.1 shows the Orchestrator Runbook Designer. The Runbook Designer is used to author
runbooks in Orchestrator.

FIGURE 10.10.1. ORCHESTRATOR RUNBOOK DESIGNER

Figure 10.10.2 shows the activity pane with all the different activities and product-specific groups of
activities, called integration packs.

FIGURE 10.10.2. ACTIVITIES AND INTEGRATION PACKS IN ORCHESTRATOR RUNBOOK DESIGNER


A great benefit of the Runbook Designer is that no development skills are required to author
integration and automation. The runbook author can drag and drop activities into the workspace and
connect the activities with configurable links (called smart links). The runbook author then opens the
properties of each activity to configure the properties. Figure 10.10.3 shows filter properties of a Get
User activity that lists users from Active Directory.

FIGURE 10.10.3. PROPERTIES OF A GET USER ACTIVITY IN ORCHESTRATOR

All Orchestrator activities publish data output to a shared data area, called the data bus. Activities
executing later within the same runbook can read data from the data bus, and use it as input. In Figure
10.10.3, you can see that the value is contained within curly brackets {}. This means that the activity is
using a dynamic value from the data bus. The data bus is a key component of Orchestrator, used to
build runbooks that respond dynamically based on runtime conditions. For example, if Activity A in
Figure 10.10.4 is a Read File activity, it will publish information like File Path, File Size and Filename to the
data bus. Activity B and Activity C in Figure 10.10.4 can then read this data and use it as input.

FIGURE 10.10.4. ORCHESTRATOR DATA BUS


Figure 10.10.5 shows how you can select published data from earlier activities within the runbook.

FIGURE 10.10.5. SELECT PUBLISHED DATA

Table 10.10.1 shows the key components of an Orchestrator environment, with a brief explanation of
the function of each.
Management Server: The Management Server is a layer between the database and the Runbook Designer. The
Management Server is only needed when authoring new runbooks.

Runbook Server: The Orchestrator Runbook Server is the server that executes the runbook. For example, if you have
built a runbook that integrates with Service Manager, it is the runbook server that connects to
the Service Manager management server. You can install multiple runbook servers to support large
numbers of running runbooks, for fault tolerance, or in scenarios where you need runbook
servers in different network zones or at different customers.

Orchestrator Database: The Orchestrator database is a Microsoft SQL database that contains all settings, runbooks,
logs and the status of runbooks. The database is critical for the environment and can be clustered to support fault
tolerance.

Runbook Designer: Runbook Designer is the console shown earlier in figure 10.10.1 that is used to author runbooks.

Runbook Tester: Runbook Tester is a console that can be used to test runbooks. It is not really testing runbooks, as the
runbook will actually run. However, the Runbook Tester can be used to step through a runbook and verify
each activity in a controlled manner. Two other important things to know about Runbook Tester
are that it runs the runbook on the computer where Runbook Tester is running, not on the
Runbook Server, and that it runs the runbook with the account running Runbook Tester, not the
service account on the Runbook Server. A runbook that passes in Runbook Tester can therefore still fail on
the Runbook Server if the service account lacks a permission the tester's account has (and a highly
privileged tester account can hide a permission problem until deployment), and any changes the
runbook makes to target systems during a test are real.

Orchestration Console: The web-based Orchestration Console can be used to start, stop and check the status of
runbooks. The Orchestration Console supports security roles and can be used to give a group of users the
right to start one or multiple runbooks.

Orchestrator Web Service: The Web Service is a Representational State Transfer (REST)-based (OData) service that lets
applications connect to Orchestrator to start, stop or get information about runbooks. The Orchestration Console
uses the web service to connect to the Orchestrator Database.

Deployment Manager: Deployment Manager is a tool that can be used to deploy new components of Orchestrator, for
example integration packs, runbook servers and Runbook Designer. Often these deployment
operations are blocked by firewall ports; in that case, you can install each component manually instead.
TABLE 10.10.1 ORCHESTRATOR COMPONENTS AND DESCRIPTIONS


The high-level application architecture and component interaction in Orchestrator is illustrated in figure 10.10.6.

FIGURE 10.10.6. INTEGRATION BETWEEN ORCHESTRATOR COMPONENTS

For more information about Orchestrator architecture, see the following article on the Microsoft
TechNet website: http://technet.microsoft.com/en-us/library/hh420377.aspx.


10.10.2 Service Management Automation


Service Management Automation (SMA) is a feature of Orchestrator 2012 R2. SMA is primarily built
for supporting automation needs associated with WAP IaaS and PaaS scenarios. The idea is that
administrators of WAP can run, author and manage runbooks from the WAP portal. SMA is very different
from Orchestrator in that runbooks are 100% PowerShell workflow, and SMA has no visual authoring
experience. Figure 10.10.7 shows the SMA dashboard page inside of the WAP portal.

FIGURE 10.10.7. SMA DASHBOARD IN THE WAP PORTAL

Figure 10.10.8 shows the SMA runbook authoring interface. Because it is not a proper code editor, most
administrators use the PowerShell ISE for authoring SMA runbooks.

FIGURE 10.10.8. SMA AUTHORING INTERFACE


Table 10.10.2 shows all of the components of an SMA environment. All components can be deployed on
a single server or distributed across multiple servers.
As you can see in table 10.10.2, WAP is not a required component for SMA. However, without WAP there
is no graphical interface for SMA. Instead, all authoring, configuration and administration has to be
done through a PowerShell UI (PowerShell prompt, PowerShell ISE, etc.).

Web service: The web service is the primary channel into SMA. WAP uses the web service,
and you can use the web service to communicate with SMA from PowerShell and Orchestrator.

Runbook worker: The Runbook worker role is the same as the Runbook Server in Orchestrator. It is
the role that executes the runbook. You can install multiple Runbook workers to
support large numbers of running runbooks or for fault tolerance.

PowerShell module: The PowerShell module for SMA is an important component, as you can do any
SMA task from PowerShell, for example import and export runbooks.

Database: The SQL database stores all runbooks, settings, activities, runbook jobs and
integration modules.
TABLE 10.10.2 SMA COMPONENTS AND DESCRIPTIONS

The high level application architecture and component communication in SMA is illustrated in figure 10.10.9.

FIGURE 10.10.9. SMA ARCHITECTURE

For more information about Service Management Automation architecture, see http://technet.
microsoft.com/en-us/library/dn469259.aspx on the Microsoft TechNet website


10.10.3 Azure Automation


Azure Automation is a cloud-based automation platform, delivered from Azure with reach into both
your Azure subscription and your corporate data center. The cost is based on the number of minutes
that runbooks are actually running (consuming resources). From an architecture perspective, as an Azure
Automation customer you have nothing to worry about, because Azure Automation is Automation as-a-Service:
Microsoft delivers all scaling and fault tolerance in the background. Figure 10.10.10 shows the
automation account overview, the dashboard, in Azure Automation. The primary tool to work with Azure
Automation is a web browser. It is possible to administer Azure Automation or trigger runbooks with
PowerShell, but it is more common to use Internet Explorer or the web browser of your choice.
Also in Figure 10.10.10, you can see two nodes with names that include DSC. These are Desired State
Configuration nodes, representing support for PowerShell DSC in Azure. With DSC you describe the
desired state of a server, for example that the server should have IIS enabled and a C:\BACKUP folder.
DSC then reads the configuration and configures the server. DSC can also monitor the server, and if
something drifts from the desired state, DSC re-applies the configuration to the server. For example,
if someone deletes C:\BACKUP, DSC recreates the folder. DSC can be installed and used in the local
datacenter, but with the integration in Azure Automation you get a good overview of DSC status, and
your servers simply download their settings from a server in Azure Automation (called a pull server).
Since DSC in Azure Automation is delivered as-a-service, you do not need to set up any infrastructure yourself.
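The desired state described above (IIS enabled, C:\BACKUP present), written out as a DSC configuration. This is an added example and not code from the book. It assumes a Windows Server node with WMF 4 or later and applies the configuration in push mode on the local machine, which shows the mechanism without the Azure Automation pull server. The second configuration is the part that matters for the "someone deletes C:\BACKUP" case: the Local Configuration Manager defaults to ApplyAndMonitor, which only reports drift, and it is ApplyAndAutoCorrect that makes DSC recreate the folder at the next consistency check.

```powershell
# Added example (not from the book): the desired state from the text as a DSC
# configuration, plus an LCM setting that corrects drift instead of only reporting it.
# Assumptions: run in an elevated session on a Windows Server node with WMF 4 or later.

Configuration WebServerBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # "The server should have IIS enabled"
        WindowsFeature IIS {
            Ensure = 'Present'
            Name   = 'Web-Server'
        }

        # "... and have a C:\BACKUP folder"
        File BackupFolder {
            Ensure          = 'Present'
            Type            = 'Directory'
            DestinationPath = 'C:\BACKUP'
        }
    }
}

# LCM meta-configuration. ApplyAndAutoCorrect re-applies the configuration whenever
# the periodic consistency check finds drift; ApplyAndMonitor (the default) would
# only log it. The frequency must be a multiple of the LCM refresh interval (30 minutes).
Configuration LcmAutoCorrect {
    Node 'localhost' {
        LocalConfigurationManager {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RefreshMode                    = 'Push'
        }
    }
}

$OutPath = 'C:\DSC'
WebServerBaseline -OutputPath "$OutPath\Baseline" | Out-Null   # compiles localhost.mof
LcmAutoCorrect    -OutputPath "$OutPath\Lcm"      | Out-Null   # compiles localhost.meta.mof

Set-DscLocalConfigurationManager -Path "$OutPath\Lcm" -Verbose
Start-DscConfiguration -Path "$OutPath\Baseline" -Wait -Verbose

# Drift check: $true when the node matches the configuration, $false otherwise.
Test-DscConfiguration

# Simulate the drift described in the text, then force a consistency check instead of
# waiting up to 30 minutes. Flags=1 asks the LCM to run the consistency check now.
Remove-Item -Path 'C:\BACKUP' -Recurse -Force
Test-DscConfiguration                                     # $false: C:\BACKUP is missing
Invoke-CimMethod -Namespace 'root/Microsoft/Windows/DesiredStateConfiguration' `
    -ClassName 'MSFT_DSCLocalConfigurationManager' `
    -MethodName 'PerformRequiredConfigurationChecks' -Arguments @{ Flags = [uint32] 1 }
Test-DscConfiguration                                     # $true again: the folder was recreated
```

With the Azure Automation pull server the configurations are the same; what changes is that the MOF is compiled in the automation account and the node's LCM is pointed at the pull server, so the drift status shown in the portal comes from exactly these consistency checks.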
The Assets node, shown in Figure 10.10.11, hosts global resources that can be used in multiple
runbooks. Assets include schedules, PowerShell modules, certificates, connections, variables and
credentials. For example, if multiple runbooks need to authenticate to an Azure subscription, the
credentials for access can be stored as a credential asset. The username and password are then securely
stored and can be used in multiple runbooks without appearing in the runbook text.


FIGURE 10.10.10. AZURE AUTOMATION DASHBOARD

Source Control, shown in Figure 10.10.10, is a feature that integrates with GitHub. GitHub is a
collaboration platform for code management, and is commonly used in open source projects. With
the integration to GitHub, you can centrally store all your code (runbooks) and track changes. You can
import and export versions between Azure Automation and GitHub quickly and easily.

FIGURE 10.10.11. TEXT-BASED AUTHORING MODE IN AZURE AUTOMATION

Azure Automation supports three different types of runbooks:

PowerShell: These runbooks are built in the text-based authoring mode. In this case, the author
writes PowerShell code.
PowerShell workflow: These runbooks are built in the text-based authoring mode. In this case, the
code the author supplies must be PowerShell workflow. Figure 10.10.11 shows the text-based
authoring mode.
Graphical: Graphical runbooks are built in the graphical authoring mode, shown in Figure 10.10.12,
and executed as PowerShell workflow. It is not possible to switch between graphical and text-based
authoring.

FIGURE 10.10.12. GRAPHICAL AUTHORING MODE IN AZURE AUTOMATION

By default, runbooks in Azure Automation are executed on runbook worker servers provided by
Microsoft in Azure. These servers cannot access resources inside a VM or your local datacenter unless
you provide access over the Internet (Azure Automation is not Azure Site-to-Site VPN or ExpressRoute
aware). However, in many scenarios you need to execute runbooks on local servers, such as when
creating an account in Active Directory Domain Services on-premises. The hybrid worker, shown
in Figure 10.10.10, is a feature in Azure Automation to execute runbooks on a server in your Azure
subscription or even in your local datacenter. Hybrid workers use the Microsoft Management Agent
(installed with Operations Management Suite) and do not require any open firewall ports from the Internet
to the local network. Instead, all communication is outgoing traffic from the agent to Azure Automation on
port 443. It is possible to target a runbook to a group of hybrid workers, and then any member of the
hybrid worker group will execute the runbook.
Additional Reading: Though we will provide a couple of examples in this chapter, extensive coverage of
Azure Automation is outside the scope of this book. You can read more about Azure Automation and the new
hybrid worker role on the Microsoft website in Azure Automation Hybrid Runbook Workers at
https://azure.microsoft.com/en-us/documentation/articles/automation-hybrid-runbook-worker/.

10.11 Real World Examples


The next part of this chapter will show a couple of examples of how to use Orchestrator,
SMA and Azure Automation.

10.11.1 Integration between Orchestrator and SMA
Sometimes, the best approach is not to use either Orchestrator or SMA alone, but to use the two together,
leveraging each for its strengths. In this example, Orchestrator and SMA are connected through each
other's web service, shown in figure 15. The scenario is described in detail in this section.
9. A new VM is requested on a SharePoint site, shown in Figure 10.11.2.
Note: Notice that when requesting a new VM in this scenario, the expiration date is collected and set as
part of the process. This date is used to manage the lifecycle of VMs. An expiration date can be used to trigger a
reminder e-mail to the VM owner to make sure that all running servers are still needed.
10. Orchestrator monitors the SharePoint site, detects the new request and then invokes
a runbook. Orchestrator includes an integration pack for SharePoint that makes it easy to monitor
a SharePoint list.
11. The Orchestrator runbook invokes an SMA runbook or another Orchestrator runbook based on the
request. The SMA runbook builds the new VM in Microsoft Azure. SMA runs Windows PowerShell
workflows, which include useful cmdlets for integrating with Azure.
Note: There is an integration pack for Microsoft Azure in Orchestrator. However, it does not support Azure v2.
12. Once the new VM has been provisioned, SMA invokes an Orchestrator runbook that updates the
request on the SharePoint site.

FIGURE 10.11.1. SMA AND ORCHESTRATOR CONNECTED THROUGH WEB SERVICES

The process described in these steps minimizes development effort, while at the same time, leveraging
each Microsoft automation engine for tasks to which it is well suited. Updating a SharePoint list is easy
to do with the Orchestrator integration pack for SharePoint as compared with writing an equivalent
runbook in PowerShell workflow for SMA. For automating complex deployments in Azure, the features of
PowerShell workflow leveraged in SMA provide greater control through parallel and serial processing, as
well as the ability to write checkpoints when major steps are completed within the runbook.

FIGURE 10.11.2. REQUESTING A NEW SERVER IN MICROSOFT AZURE

10.11.2 Monitoring SharePoint and invoking an SMA runbook
Once a new list item is created (shown in Figure 10.11.2) on the SharePoint site, the Orchestrator runbook
(shown in Figure 10.11.3) is triggered. The Orchestrator runbook includes the following workflow:
Monitor for new list items: This activity monitors the SharePoint list for new items. When there is
a new list item, it triggers the rest of the runbook.
Ask SP web service: This part of the runbook uses the Invoke Web Service activity and the Query XML
activity (renamed to Get Instance Size from SharePoint and Get Location from SharePoint) to
query the SharePoint web service and parse the output.
Note: When using drop-down menus in SharePoint there is a known issue with the SharePoint integration
pack in Orchestrator. Orchestrator cannot read the value from a drop-down menu, which is why the runbook
instead calls the SharePoint web service to retrieve the value.
Invoke VMM or Invoke SMA: Depending on whether Azure or Private Cloud was chosen when creating
the request in SharePoint, the runbook invokes either SMA or Virtual Machine Manager to deploy
the VM to the proper environment.
Create Alert in SCOM: There are two Create Alert activities from the SCOM IP that generate an
alert in Operations Manager if the previous activity fails.

FIGURE 10.11.3. RUNBOOK THAT MONITORS THE SHAREPOINT LIST

Invoking an SMA runbook is not complicated, as there is a Windows PowerShell module for SMA. Figure
10.11.4 shows the Windows PowerShell code needed to invoke an SMA runbook from Orchestrator. The
script shown performs the following tasks:
1. Creates a remote session to WAP01.
2. Runs the Start-SMARunbook cmdlet. The SMA runbook is named Deploy_New_VM and it has
two parameters, VMName and InstanceSize.
3. Both parameters are picked up from the Orchestrator data bus and forwarded to the SMA runbook.

FIGURE 10.11.4. INVOKE A SERVICE MANAGEMENT AUTOMATION RUNBOOK FROM ORCHESTRATOR

10.11.2.1 Build Azure VM and Invoke Orchestrator Runbook


On the SMA side, the Deploy_New_VM runbook starts and deploys a new VM to Microsoft Azure. The
runbook receives the two parameters, VMName and InstanceSize, from the Orchestrator runbook,
and then starts to communicate with Microsoft Azure using the Microsoft Azure PowerShell module.
At the end of the Deploy_New_VM runbook, it invokes another SMA runbook named Update_
Sharepoint. The code for invoking the Update_Sharepoint runbook is shown in Figure 10.11.5.

FIGURE 10.11.5. INVOKE ONE SMA RUNBOOK FROM ANOTHER

In Figure 10.11.5, you can see that one parameter, VMName, is passed to the Update_Sharepoint
runbook. The PowerShell code for Update_Sharepoint is shown in Figure 10.11.6. The runbook is using
a script, first written by Tiander Turpijn at Microsoft.
TIP: There is a blog post that describes triggering an Orchestrator runbook from an SMA runbook on the
Microsoft TechNet website at https://blogs.technet.com/b/privatecloud/archive/2013/12/11/calling-an-orchestrator-runbook-from-sma-part-2.aspx.
To follow the example, you need the GUID of each of your runbook parameters. To get them you can
run the following SQL query in your Orchestrator database:
SELECT CUSTOM_START_PARAMETERS.UniqueID,
       CUSTOM_START_PARAMETERS.Value AS [Parameter Name],
       OBJECTS.Name AS [Activity Name],
       POLICIES.Name AS [Runbook Name]
FROM CUSTOM_START_PARAMETERS
INNER JOIN OBJECTS ON CUSTOM_START_PARAMETERS.ParentID = OBJECTS.UniqueID
INNER JOIN POLICIES ON OBJECTS.ParentID = POLICIES.UniqueID
In Figure 10.11.6, you can see that the runbook uses a user account named andersbe to invoke a
runbook named Update SharePoint in the \3. Azure\18\ folder. It connects to the Orchestrator server
named SCO01 and passes one parameter named Server.

FIGURE 10.11.6. SMA RUNBOOK TO INVOKE AN ORCHESTRATOR RUNBOOK

Download the Code


You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook,
in the \Chapter 10 directory. The file name is Invoke_ScoRB_fromSMA.ps1.
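The SMA side of this hand-off, as an added example that is not the book's Invoke_ScoRB_fromSMA.ps1: a PowerShell workflow that starts the Update SharePoint runbook on SCO01 through the Orchestrator web service and passes its Server parameter. It assumes the web service's default endpoint on port 81, a credential asset named 'SCO Runbook Invoker', and placeholder GUIDs for the runbook and its parameter (the parameter GUID is what the SQL query above returns).

```powershell
# Added example, not the book's Invoke_ScoRB_fromSMA.ps1. Starts the Orchestrator runbook
# "Update SharePoint" on SCO01 through the Orchestrator web service and passes its Server parameter.
# Assumptions: default web service endpoint http://SCO01:81, an SMA credential asset named
# 'SCO Runbook Invoker', and placeholder GUIDs (<RUNBOOK-GUID>, <PARAMETER-GUID>) that you take
# from your own Orchestrator database, for example with the SQL query above.
workflow Invoke-ScoRunbook
{
    param (
        [Parameter(Mandatory=$true)] [string] $VMName
    )

    # Never hard-code the account in the runbook; pull it from the credential asset.
    $cred = Get-AutomationPSCredential -Name 'SCO Runbook Invoker'

    $jobId = InlineScript {
        $server      = 'SCO01'
        $runbookId   = '<RUNBOOK-GUID>'    # placeholder: GUID of the Update SharePoint runbook
        $paramId     = '<PARAMETER-GUID>'  # placeholder: GUID of its Server parameter
        $serviceRoot = "http://$($server):81/Orchestrator2012/Orchestrator.svc"

        # The Parameters property is an XML fragment that is itself XML-escaped inside the Atom
        # body. Escape the value too, so a VM name containing < or & cannot break the document.
        $value      = [System.Security.SecurityElement]::Escape($Using:VMName)
        $parameters = "<Data><Parameter><ID>{$paramId}</ID><Value>$value</Value></Parameter></Data>"
        $body = @"
<?xml version="1.0" encoding="utf-8"?>
<entry xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
       xmlns="http://www.w3.org/2005/Atom">
  <content type="application/xml">
    <m:properties>
      <d:RunbookId m:type="Edm.Guid">$runbookId</d:RunbookId>
      <d:Parameters>$([System.Security.SecurityElement]::Escape($parameters))</d:Parameters>
    </m:properties>
  </content>
</entry>
"@
        # Posting an entry to the Jobs collection queues the runbook; the reply is the new Job entry.
        $response = Invoke-WebRequest -Uri "$serviceRoot/Jobs" -Method Post -UseBasicParsing `
            -ContentType 'application/atom+xml' -Body $body -Credential $Using:cred
        ([xml]$response.Content).entry.content.properties.Id.'#text'
    }

    Write-Output "Started Orchestrator job $jobId for $VMName"
}
```

The web service uses Windows authentication, so the asset only needs an account that has been granted access to that runbook folder in the Orchestrator Runbook Designer.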
10.11.2.2 Updating the SharePoint list item
The Update SharePoint Orchestrator runbook, shown in Figure 10.11.7, receives the parameter
VMName from the SMA runbook.
1. The Update SharePoint runbook connects to SharePoint and gets the list item for the VM with the
name of the VMName parameter, and then the runbook updates the list item with the new status.
2. The runbook then connects to Microsoft Azure and downloads a remote desktop connection
file for the new VM.
3. The runbook uploads the remote desktop connection file to the SharePoint site and links it
to the VM request.
4. The runbook updates the SharePoint list item as it is completed.

FIGURE 10.11.7. ORCHESTRATOR RUNBOOK THAT UPDATES SHAREPOINT

As you can see in this example, you can use the best of both automation engines that Orchestrator
2012 R2 delivers.
Step-by-Step
You can review the step-by-step process for interacting with the SharePoint web service from Orchestrator in
SharePoint list and choice columns and the SharePoint IP at http://contoso.se/blog/?p=3845.

10.12 Invoking SMA from Service Manager
Service Manager and Orchestrator have very strong integration right out of the box. Service Manager
includes an Orchestrator connector that can be used to import runbooks and later use the runbooks as
activities in any work item template.
Unfortunately, there is no native integration between Service Manager and SMA. From Orchestrator,
you can start a runbook in SMA as described in the previous example. In some scenarios, it might be
easier to invoke the SMA runbook directly from Service Manager. This can be accomplished with a
custom activity in Service Manager. The following example will show how to build an SMA activity in
Service Manager.
Note: While this section describes a functional homegrown solution for Service Manager integration with
SMA, you can also purchase an SMA connector from select System Center ISVs. Both GridPro (http://www.
gridprosoftware.com/) and Cireson (http://www.cireson.com) offer an SMA connector that enables
Service Manager to trigger runbooks in SMA.
The example will trigger an SMA runbook from Service Manager through the SMA web service. SMA
will then execute the runbook and update the Service Manager SMA activity, and mark it as completed.
In this example, you will invoke an SMA runbook that deploys new VMs in Microsoft Azure.
You could deploy new VMs with the Microsoft Azure integration pack in Orchestrator runbook
designer as well. However, as demonstrated in the previous example, it can be handy to use
PowerShell in this scenario. Moreover, if you have the need to deploy multiple VMs at the same
time, SMA can execute the VM deployments in parallel to save some time.
This solution leverages SMLets, a PowerShell module built by the Service Manager community (and
therefore not supported by Microsoft), along with the SMA PowerShell cmdlets.
You can use the two sets of cmdlets together to automate common tasks in Service Manager. You can
download SMLets from CodePlex at http://smlets.codeplex.com/. The SMA PowerShell module can
be found on the Orchestrator 2012 R2 installation media.
The high-level steps to implement this solution are as follows:
1. Install the SMA PowerShell module on the Service Manager management server running workflows.
2. Install SMLets on the Service Manager management server running workflows.
3. Create a custom activity that starts an SMA runbook in a new management pack.
4. Import the management pack containing your custom activity.
5. Use the new activity in a work item (service request).

TIP: You can also trigger an SMA runbook from an Orchestrator runbook through the SMA web service.
Tiander Turpijn, a Microsoft senior Program Manager, has shared an example of this on his blog
at http://blogs.technet.com/b/privatecloud/archive/2013/11/01/calling-an-orchestrator-runbook-from-sma-part-1.aspx.
Next, you will complete the following steps in the Service Manager Authoring Tool to create a custom class.
1. Start the Service Manager Authoring Tool.
2. In the Service Manager Authoring Tool, click File and select New.
3. In the New Management Pack dialog box, input the name for the new management pack, for
example Contoso.SMA. Click Save.
4. In the Management Pack Explorer, right-click Classes and select Create Other Class.
5. In the Base Class dialog box, select Activity and click OK.
6. In the Create Class dialog box, input Contoso.SMA.DeployVM, and click Create.
7. In the class properties list, delete the default property named Property_XX (Property_33 in the
sample environment), shown in Figure 10.12.1.

FIGURE 10.12.1 DEFAULT PROPERTY THAT NEEDS TO BE DELETED IN THIS SCENARIO

You will create two new properties on the new class, one for the VM name (VMName) and one for the VM
size (VMSize). You will configure the VMSize property with data type List. In Service Manager you will
configure a list of values used to select the VM size.
8. Click Create property and input VMName as internal name, click Create.
9. Click Create property and input VMSize as internal name, click Create.
10. In the Details pane for the VMSize property, change Data Type to List.
11. In the Select a list dialog box, click Create List.
12. In the Create List dialog box, input VMSizeList as internal name and VM Size as Display name. Click
Create.
13. In the Select a list dialog box, select the new VM Size list, click Ok. Your two new properties should
now look like Figure 10.12.2

FIGURE 10.12.2 TWO PROPERTIES FOR THE NEW ACTIVITY

14. In the Management Pack Explorer, right-click Workflows and select Create.
15. In the General page of the Create Workflow Wizard, input ContosoSMAInvokeRunbook
as name. Click Next.
16. On the Trigger Condition page, select the Run only when option and click Next.
17. On the Trigger Criteria page, click Browse and select the Contoso.SMA.DeployVM class. Replace
Change event with When an object of the selected class is updated, then click Additional Criteria.
18. In the Pick additional criteria dialog box, click the Changed To tab, and add criteria as shown in
Figure 10.12.3 then click OK.
[Activity] Status equals In Progress

FIGURE 10.12.3. CONFIGURATION OF WORKFLOW CRITERIA

19. On the Trigger Criteria page, click Next.


20. On the Summary page, click Create.
21. On the Completion page, click Close.

22. Once you click Close, the workflow designer will be displayed. Add a Windows PowerShell Script
to the workflow, shown in Figure 10.12.4.

FIGURE 10.12.4. ADD A POWERSHELL ACTIVITY TO THE WORKFLOW

23. You will configure the Windows PowerShell activity to run a PowerShell script that starts the SMA
runbook. Select the Windows PowerShell activity, and in the Details pane click the ellipsis for Script
Body, shown in Figure 10.12.5.

FIGURE 10.12.5. DETAILS FOR THE POWERSHELL ACTIVITY

24. To configure the Script Activity, paste the following script into the Script Body text field.
Import-Module SMLets

# $InstanceSize, $VMName and $ActivityID are supplied by the Script Properties (see step 25)
$size1 = $InstanceSize
$size2 = $size1 -replace '\{', ''    # the list value arrives as a GUID wrapped in braces
$size3 = $size2 -replace '\}', ''
$size4 = Get-SCSMEnumeration -Id $size3
$sizeName = $size4.DisplayName

Start-SMARunbook -WebServiceEndpoint https://wap01 `
    -Name SCSM__Deploy_New_VM `
    -Parameters @{InstanceSize = $sizeName; VMName = $VMName; ActivityID = $ActivityID}
The script first imports the SMLets PowerShell module. The SMLets module is used to convert the GUID for
the list value (enum value) into the DisplayName property value. For example, from Service Manager the
workflow gets the GUID {300dfe04-a0a0-e5fc-8892-963e7146d86c} instead of Medium as the VM Size.
Download the Code
You can download this code snippet from the GitHub repository for this book at https://github.com/
insidemscloud/AzureIaaSBook. This snippet is in the \chapter 10 folder, file name Sec10.12_Step24.ps1.
However, before you can convert the GUID into a display string you must remove { and }, which the
two replace lines do. You then start the runbook and pass on three parameters, VM name, VM Size and
the activity ID. This example script starts an SMA runbook named SCSM__Deploy_New_VM and the
SMA web service has the address of https://wap01.
25. To configure the inputs for the Script Activity, click Script Properties. Create three parameters, as
shown in Figure 10.12.6. Use class properties from the Contoso.SMA.DeployVM class for all three
parameters. Use the ID property from the class for the ActivityID property. Click OK.

FIGURE 10.12.6. PARAMETERS FOR THE SCRIPT ACTIVITY

26. The activity and management pack are now ready to import. Great work! Save the management pack
in the Service Manager Authoring Tool.

27. Copy workflow.Dll and ContosoSMAInvokeRunbook.dll from the management pack folder to the
Service Manager installation folder (C:\Program Files\Microsoft System Center 2012 R2\Service
Manager) and then restart the Microsoft Monitoring Agent on the Service Manager management
server running workflows.
28. You can now open SCSM Console and import the management pack.
29. In the SCSM Console, browse to Library and Lists, open the VM Size list.
30. In the List Properties dialog box, add the following items, which are all Azure VM sizes, and click OK.
ExtraSmall
Small
Medium
Large
ExtraLarge
TIP: For more information about Microsoft Azure VM sizes look at http://www.windowsazure.com/en-us/
pricing/details/virtual-machines/
31. In the SCSM Console, browse to Library and Templates, click Create Template.
32. In the Create Template dialog box, input a name, for example Contoso SMA Deploy Azure VM.
Select Contoso.SMA.DeployVM as the Class and click OK.
33. In the Contoso.SMA.DeployVM Properties dialog box, input Contoso SMA Deploy Azure VM as
Display Name and click OK.

34. You can now use the new activity anywhere you like, for example in a service request template, as
shown in Figure 10.12.7.

FIGURE 10.12.7. CONTOSO SMA ACTIVITY IN A SERVICE REQUEST TEMPLATE

10.12.1 SMA Runbook


The important part of the runbook, which deserves some additional explanation, is the portion near
the end, shown in the excerpt below. This part creates a remote PowerShell session to the Service
Manager server (SM01) and marks the activity as completed. The work item will then move on to the
next activity.
InlineScript {
    # Capture the workflow parameter once: a $Using: reference inside the remote
    # script block below resolves against the InlineScript scope, not the workflow scope.
    $activityId = $Using:ActivityID
    $session = New-PSSession -ComputerName SM01
    Invoke-Command -Session $session -ScriptBlock {
        Import-Module SMLets
        $workItem = Get-SCSMObject -Class (Get-SCSMClass -Name 'Contoso.SMA.DeployVM$') |
            Where-Object { $_.Id -eq $Using:activityId }
        $workItem | Set-SCSMObject -Property Status -Value Completed
    }
    Remove-PSSession $session
}
Download the Code
You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook, in
the \Chapter 10 directory. The file name is SCSM__Deploy_New_VM.ps1.

In the WAP portal, shown in Figure 10.12.8, you can see the SMA runbook start and you can also see the
input parameters coming from Service Manager:

FIGURE 10.12.8. MICROSOFT AZURE PACK PORTAL WITH RUNBOOK RESULT

This example is written in a simplified fashion, with no complicated configuration or requirements. For
example, you might want to add error handling to the script, to handle situations where SMLets
cannot be loaded or Service Manager cannot be contacted. In both of those cases, you would want to
set the activity status to failure in Service Manager. It is also good practice to seal management packs
that include class structure, because a management pack cannot reference a class in an unsealed
management pack: if the class structure is in an unsealed management pack, other management packs
cannot use the classes.
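A version of this completion step with the error handling just suggested, as an added example (not the book's SCSM__Deploy_New_VM.ps1). It assumes the Contoso.SMA.DeployVM class and ActivityID parameter from the walkthrough, SMLets installed on SM01, and a hypothetical $DeploymentSucceeded flag set by the deployment part of the runbook.

```powershell
# Added example, not the book's SCSM__Deploy_New_VM.ps1: the completion step with error handling.
# Assumptions: the Contoso.SMA.DeployVM class and ActivityID parameter from the walkthrough,
# SMLets installed on SM01, and a hypothetical $DeploymentSucceeded flag set by the deployment
# part of the runbook.
workflow Set-ScsmActivityResult
{
    param (
        [Parameter(Mandatory=$true)] [string] $ActivityID,
        [Parameter(Mandatory=$true)] [bool]   $DeploymentSucceeded,
        [string] $ServiceManagerServer = 'SM01'
    )

    $message = InlineScript {
        # Copy workflow values into local variables: $Using: inside the remote script block
        # below resolves against this scope, not the workflow scope.
        $activityId = $Using:ActivityID
        $smServer   = $Using:ServiceManagerServer
        $newStatus  = if ($Using:DeploymentSucceeded) { 'Completed' } else { 'Failed' }
        $session    = $null
        try {
            $session = New-PSSession -ComputerName $smServer -ErrorAction Stop
            Invoke-Command -Session $session -ErrorAction Stop -ArgumentList $activityId, $newStatus -ScriptBlock {
                param ($id, $status)
                Import-Module SMLets -ErrorAction Stop        # fails here, visibly, if SMLets is missing
                $class    = Get-SCSMClass -Name 'Contoso.SMA.DeployVM$'   # -Name is a regular expression
                $workItem = Get-SCSMObject -Class $class | Where-Object { $_.Id -eq $id }
                if (-not $workItem) { throw "Activity $id not found in Service Manager" }
                $workItem | Set-SCSMObject -Property Status -Value $status
                "Activity $id set to $status"
            }
        }
        catch {
            # Left alone, a failure here keeps the work item In Progress indefinitely, so make the
            # runbook job fail visibly rather than swallow the error.
            throw "Could not update activity $activityId on $($smServer): $_"
        }
        finally {
            if ($session) { Remove-PSSession $session }
        }
    }

    Write-Output $message
}
```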

10.13 The Contoso Scenario


A common scenario for many organizations is addressing the challenges around test and development
environments. In this section, we will review some of the challenges faced by IT Operations at
Contoso Toys, a fictional organization used here for purposes of discussion.

10.13.1 Common Challenges


A few of the common challenges discussed in this chapter are present in the Contoso Toys
environment, including:
Agility: Organizations need to deploy test and development environments much faster than they
do today. Developers need access to new VMs to test code and builds on within minutes or
hours rather than waiting days or weeks, as is still the case in some businesses.
Scaling to meet demand: Current IT environments do not support scaling, whether large or small. They need
to support fast scale, both up and down. For example, if extreme compute power is needed one
week each month, organizations don't want to pay for that compute power the rest of the month.
Financial accountability: Another common requirement is the capability to generate reports that show
which team is using what kind of resources in the environment, both for showback and chargeback.
Because of the requirements to get new environments up and running very quickly and to scale in /
out and up / down, Microsoft Azure is the cloud to use. While accommodating these scenarios on-premises
is possible, it requires developing custom automation. This adds complexity and cost to
achieve what is present natively in Microsoft Azure. We can build clouds locally as well, but using
Microsoft Azure would be more cost effective in this scenario.

10.13.2 Solution Outline


To deliver a comprehensive solution with both an intuitive user experience and accountability from
a process perspective, a good approach is to incorporate both a self-service portal and an automation
engine into the solution. For example:
1. The developer browses to the self-service portal and requests one or multiple new servers.
Developers can request an environment, for example a complete SharePoint farm including a test
Active Directory domain.
2. A service request in Service Manager is generated. Service Manager can also handle
approval steps if needed.
3. Service Manager starts a runbook that reads information from the service request and builds the
environment. The runbook can execute any custom configuration and can make sure naming
convention and other policies are fulfilled. If building the new request in Azure, Azure Resource Manager
(ARM) deployment templates can be used to complete the deployment easily and consistently.

4. Once the requested server or servers are deployed, the runbook can update the service request and
attach a remote desktop connection to the ticket or send the connection file to the requester in an
automated e-mail.
There are several advantages to this solution over stand-alone PowerShell scripting. First, developers
can now connect to the new machines in a secure way without having to think about which cloud
the server is running. Additionally, this solution brings control and auditing with the work item in
Service Manager. Finally, it is also possible to generate chargeback and showback reports based on the
information in Service Manager.
No solution is perfect, and this one is no exception. One disadvantage of this solution is that developers
cannot shut down VMs. They can shut down a server within the Windows OS, but when an Azure VM is
shut down in this manner, resources are not returned to the pool and Azure will continue to charge for
the VM until it is shut down outside the OS and the resources are released. Shutting down a VM in the
Azure portal or via PowerShell shuts down the VM and deallocates all resources, including IP address.
The VM is placed into the Shutdown deallocated state.
You could publish a new service in the self-service portal that lists all Microsoft Azure servers that the
portal user owns, and let the user order the shutdown of one of them. Service Manager can then invoke
a runbook that shuts down the server and releases the VM resources. During step 3, you can configure
the runbook to create an object in the Service Manager CMDB that can later be used for chargeback and
showback at the server level if desired.
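An added example (not from the book) of the shutdown runbook described here, written as an Azure Automation PowerShell workflow using the Azure v1 cmdlets: it stops one classic VM and checks that it reached the StoppedDeallocated state, the state in which billing stops. The credential asset name 'AzureSubscriptionOwner' is an assumption.

```powershell
# Added example, not from the book: the shutdown runbook for the self-service "order a shutdown"
# flow, as an Azure Automation PowerShell workflow using the Azure v1 (service management) cmdlets.
# It stops one classic VM and verifies it reached StoppedDeallocated, the state in which compute
# billing stops. The credential asset name 'AzureSubscriptionOwner' is an assumption.
workflow Stop-ClassicVmDeallocated
{
    param (
        [Parameter(Mandatory=$true)] [string] $ServiceName,   # cloud service hosting the VM
        [Parameter(Mandatory=$true)] [string] $VMName
    )

    $cred = Get-AutomationPSCredential -Name 'AzureSubscriptionOwner'
    Add-AzureAccount -Credential $cred | Out-Null
    # If the account has several subscriptions, add Select-AzureSubscription here.

    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if ($vm -eq $null) {
        throw "VM $VMName was not found in cloud service $ServiceName"
    }

    if ($vm.Status -eq 'StoppedDeallocated') {
        Write-Output "$VMName is already deallocated; nothing to do"
    }
    else {
        # -Force suppresses the confirmation shown when stopping the last VM in a cloud service
        # (a runbook cannot answer a prompt). Do not add -StayProvisioned: that leaves the VM in
        # the StoppedVM state, the same state as an in-OS shutdown, which is still billed.
        Stop-AzureVM -ServiceName $ServiceName -Name $VMName -Force | Out-Null

        $after = Get-AzureVM -ServiceName $ServiceName -Name $VMName
        if ($after.Status -ne 'StoppedDeallocated') {
            throw "$VMName is in state $($after.Status); expected StoppedDeallocated"
        }
        Write-Output "$VMName stopped and deallocated"
    }
}
```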

10.14 Azure Automation Examples
As with other Azure features, you will find that Azure Automation receives updates much more frequently
than SMA, its on-premises counterpart. Two great examples of this are the introduction of DSC support
and the hybrid worker, both described earlier in this chapter. With this in mind, it pays for organizations that
want access to the latest management features to leverage Azure Automation in this scenario.
An example of DSC in Azure is available in Chapter 7 Azure Virtual Machines in section 7.3.26
PowerShell DSC. However, an example leveraging the new hybrid worker is shown here. In this section,
we will look at two examples of Azure Automation for your Azure VMs, delivering runbook automation
without any on-premises resources.

10.14.1 Restart a service with hybrid worker


In this example, the Azure Automation hybrid worker will be used to restart a service on a Windows Server
in the local datacenter. Before you can build the runbook to restart the service, you need to deploy a
hybrid worker. The hybrid worker uses the Microsoft Management Agent service, which is deployed
together with Operations Management Suite (OMS). You can sign up and use the free tier of OMS at no
cost at http://microsoft.com/oms.
1. Browse to https://azure.microsoft.com/en-us/documentation/articles/automation-hybrid-runbook-worker/
and follow the steps to deploy a hybrid worker. Once the hybrid worker has
connected to the Azure Automation account, continue to the next step.
2. By default, the hybrid worker executes runbooks with local system permissions. To access
another server from the hybrid worker you need credentials. It is recommended to store these credentials
as an asset in the Azure Automation account. In the Azure portal, navigate to your Azure
Automation account and click Assets and then click Credentials.
3. Click Add a credential and add the new credentials. Do not forget to insert a description.
4. You will now create the runbook that restarts a Windows service on the target machine. In the Azure
Automation account, click Runbooks and then Add a runbook. In the Add Runbook blade, click
Create a new runbook.
5. In the Runbook blade, input the following information and then click Create:
Name: RestartWinService
Runbook type: PowerShell workflow

6. In the text authoring space, paste the following runbook code:

workflow RestartWinService
{
    param (
        [Parameter(Mandatory=$false)]
        [string] $servername,
        [Parameter(Mandatory=$false)]
        [string] $servicename
    )

    $login = Get-AutomationPSCredential -Name 'SKYNET Super User'

    $restart = InlineScript {
        $s = New-PSSession -ComputerName $using:servername -Credential $using:login

        $remoterestart = Invoke-Command -Session $s -ScriptBlock {
            Restart-Service -Name $args[0]
        } -ArgumentList $using:servicename

        Remove-PSSession $s
    }
}

7. Click the Test Pane and test the runbook. In the Test blade, change Run on from Azure to Hybrid
Worker to execute the runbook on the hybrid worker. Once the runbook is tested, click Publish to
publish the runbook.
You have now installed a Hybrid Worker and authored a runbook to restart a Windows service on a
remote physical or virtual machine. Both server and service name are input as parameters to the runbook.
Download the Code
You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook, in
the \Chapter 10 directory. The file name is SvcRestart_HybrdWorker.ps1.

10.14.2 Shut down VMs with graphical authoring mode
At the time of this writing, it is likely that if your organization is running VMs in Azure, you may still be
using Azure v1 for some of your VMs. These appear in the Virtual machines (classic) node of the Azure
preview portal. This example will demonstrate how to manage legacy Azure v1 VMs through Azure
Automation in Azure v2. The runbook will be used to shut down all the Azure v1 VMs in an Azure
subscription. The runbook will be linked to a schedule to shut down all machines every evening at
22:00. You will use the graphical authoring experience in Azure Automation to create this runbook.
Note: At the time of this writing, the Azure v2 cmdlets are not available in Azure Automation by default,
making managing Azure v2 resources more challenging. This is expected to be resolved in the 4th quarter of
2015, at which point you can easily create a runbook very similar to this one to manage your Azure v2 VMs.
To create this runbook, follow the detailed steps shown here.
1. To access the Azure subscription from an Azure Automation runbook you need credentials. It is
recommended to store these credentials as an asset in the Azure Automation account. In the Azure
portal, navigate to your Azure Automation account and click Assets, and then click Credentials.
2. Click Add a credential and add the new credentials in the New Credentials blade. Do not forget
to insert a description to serve as a reminder of what environment (AD domain, local servers) these
credentials belong to.
3. In the Azure Automation account, click Runbooks and then Add a runbook.
4. In the Add Runbook blade, click Create a new runbook.
5. In the Runbook blade, enter ShutdownVMs as the name and select Graphical as the
Runbook type. Click Create.

2015 Veeam Software

164

Microsoft Azure IaaS Book. Integration, optimization and automation.

6. In the graphical authoring space, add CMDLETS and smart links according to Figure 10.14.1.

FIGURE 10.14.1. GRAPHICAL RUNBOOK TO LIST AND STOP AZURE VMS

7. Click on the Add-AzureAccount activity and configure it according to the following settings. When
you click on an activity, a configuration pane appears on the right side.
8. Click Parameters, then under Parameter sets, click, User.
9. In the Activity Parameter Configuration blade, under Parameters, click CREDENTIAL, as shown in
Figure 10.14.2.

FIGURE 10.14.2. PARAMETER CONFIGURATION FOR ADD-AZUREACCOUNT

10. In the Data source dropdown, select Credential asset, as shown in Figure 10.14.3. Then, choose the
credential you created in the previous steps. Click OK, and then OK again to save your selection.

FIGURE 10.14.3. SELECTING THE CREDENTIAL ASSET

11. Next, click on the Get-AzureVM activity and click on Parameters, Parameter sets, and then
ListAllVMs, as shown in figure 10.14.4. Click OK to save your changes.

FIGURE 10.14.4. LISTALLVMS PARAMETER OF GRAPHICAL RUNBOOK

12. Click on the Stop-AzureVM activity, then click Parameters.

13. In the Activity Parameter Configuration blade, click Choose a parameter set, as shown in Figure 10.14.5.

FIGURE 10.14.5. CHOOSE A PARAMETER SET OPTION

14. On the Parameter Set blade, choose ByName. This will cause the NAME and SERVICENAME areas to
display a visual indicator that these parameters are mandatory, as shown in figure 10.14.6.

FIGURE 10.14.6. MANDATORY PARAMETERS, SHUTDOWNVMS RUNBOOK

15. Next, click on NAME. In the Data source dropdown, choose Activity output.
16. From the Activity list, select Get-AzureVM.
17. In the box provided, enter Name, as shown in figure 10.14.7. Click OK to save your changes.

FIGURE 10.14.7. NAME PARAMETER INPUT, SHUTDOWNVMS RUNBOOK

18. Now select SERVICENAME. In the Data source dropdown, choose Activity output.
19. From the Activity list, select Get-AzureVM.
20. In the box provided, enter ServiceName, as shown in figure 10.14.8. Click OK to save your changes.

FIGURE 10.14.8. SERVICENAME PARAMETER INPUT, SHUTDOWNVMS RUNBOOK

21. Once all activities are configured click Save and then Publish.
If you want to test the runbook before publishing it, click Test pane and run it there. Remember that a
test is not a dry run: the runbook executes normally against the subscription.
WARNING: If the runbook is configured to change (add, update, or delete) anything, it will make those
changes during a test run as well.
22. You have now built the runbook. The next step is to schedule the runbook to run every evening at
22:00. On the ShutdownVM runbook blade, shown in Figure 10.14.9, click Schedule.

FIGURE 10.14.9. SCHEDULE OPTION FOR SELECTED RUNBOOK

23. On the Schedule Runbook blade, click Link a schedule to your runbook, click Create a new
Schedule.
24. On the New Schedule blade, input the following settings and click Create.
Name: Every Day 2200
Starts: Enter your desired start date here
Recurrence: Daily
Runs every (number of days): 1
Click Create
25. On the Schedule Runbook blade, verify that the new Schedule is selected, click OK.
You have now authored a runbook in the graphical authoring mode that lists all the Azure v1 VMs in
your Azure subscription and shuts them down. You also configured a schedule to trigger the runbook
every day at 22:00.
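As an added example that is not part of the book or its GitHub repository, here is the same runbook written as a textual PowerShell runbook (runbook type PowerShell rather than Graphical). The credential asset name AzureOrgIdCredential is an assumption; the asset must hold an Azure AD work or school account, because Add-AzureAccount cannot sign in with a Microsoft account without an interactive prompt. The ReportOnly switch is there because, as noted above, the Test pane is not a dry run.

```powershell
<#
  Added example, not from the book: a PowerShell script runbook equivalent to the
  graphical ShutdownVMs runbook. Assumptions: runbook type "PowerShell", a credential
  asset named "AzureOrgIdCredential" holding an Azure AD (work or school) account with
  rights on the subscription. Uses the Azure v1 (service management) cmdlets.
#>
param(
    [string]$CredentialAssetName = "AzureOrgIdCredential",  # name of the credential asset (assumption)
    [string]$SubscriptionName,                              # optional: act on one named subscription only
    [switch]$ReportOnly                                     # list what would be stopped, change nothing
)

$ErrorActionPreference = "Stop"

# Credentials come from the Automation asset store; they never appear in the runbook body.
$cred = Get-AutomationPSCredential -Name $CredentialAssetName
if (-not $cred) {
    throw "Credential asset '$CredentialAssetName' was not found in this Automation account."
}

Add-AzureAccount -Credential $cred | Out-Null
if ($SubscriptionName) { Select-AzureSubscription -SubscriptionName $SubscriptionName }

# Only touch VMs that are actually running. PowerState is "Started" or "Stopped";
# already deallocated VMs would otherwise produce noisy errors every night.
$running = Get-AzureVM | Where-Object { $_.PowerState -eq "Started" }
if (-not $running) {
    Write-Output "No running classic VMs found in the current subscription."
    return
}

foreach ($vm in $running) {
    if ($ReportOnly) {
        Write-Output ("Would stop {0} (cloud service {1})" -f $vm.Name, $vm.ServiceName)
        continue
    }
    # -Force suppresses the confirmation prompt Stop-AzureVM raises when it is about to stop
    # the last running VM in a cloud service; a runbook has no console on which to answer it.
    # Without -StayProvisioned the VM is deallocated (compute billing stops), but the cloud
    # service's public VIP is released once its last VM is deallocated.
    Stop-AzureVM -Name $vm.Name -ServiceName $vm.ServiceName -Force | Out-Null
    Write-Output ("Stopped {0} (cloud service {1})" -f $vm.Name, $vm.ServiceName)
}
```

Run it once from the Test pane with ReportOnly set to see the list of VMs it would touch; only then link the schedule. If your cloud services carry reserved IPs or DNS records pointing at the VIP, keep -StayProvisioned in mind before relying on the deallocate behaviour.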

10.15 Chapter Summary


This chapter started with a discussion of different self-service portals in System Center 2012 R2 and
SharePoint. During the self-service portal discussion, the chapter covered commercial portals, native
Microsoft portals and custom developed solutions using free Microsoft components. You learned
that there are a number of different solutions and each has its own advantages and disadvantages.
Later, the chapter discussed different automation engines within System Center 2012 R2 and Azure,
as well as how they work and how they can integrate with each other. The chapter also talked about
buying automation as a service with Azure Automation. You walked through a couple of examples of
how Orchestrator runbooks and SMA runbooks work together to deliver an integrated solution. Next,
we discussed the Contoso Toys scenario, with a couple of different solutions for meeting Contoso's
challenges. Finally, you created your first two runbooks in Azure Automation, including one in the new
graphical authoring interface available in Azure Automation.
In the next chapter, you will learn about optimizing and managing Microsoft SQL workloads hosted in
Azure VMs.

Chapter 12: Backup and Disaster Recovery
This chapter discusses the backup and recovery options for both your on-premises and Azure-based
workloads that leverage Microsoft Azure. Before we delve into your Azure-integrated backup options,
we will cover some terminology and concepts related to data and application backup and recovery. In
this chapter, you will learn about the various options available, including:
System Center Data Protection Manager (DPM)
Azure Backup
Backing Up Azure VMs
Backing Up On-Prem VMs
Azure Site Recovery
Backing Up SQL Workloads to Azure Blob Storage
Automated SQL Backup in Azure VMs
3rd Party Azure-Integrated Backup
While step-by-step implementation of some of these options is outside the scope of this book, we will
provide links to step-by-step planning resources for each of the options described. A couple of notable
exceptions are backing up Azure VMs and on-premises systems with Azure Backup, as well as SQL
database backup directly to Azure storage, which will be demonstrated in detail in this chapter.

12.1 Terminology and Concepts


When discussing recovery services, it is important to distinguish backup services from disaster
recovery (DR). Each is crucially important to the business, but they differ in goals and approach:
backups are safeguards against data loss; disaster recovery processes are designed to ensure business
continuity.

12.1.1 Backup
Backup processes are designed to serve one purpose: prevent data loss in the event of a catastrophic failure.
In the event of a failure, data can be retrieved and restored to a separate location from the original source.
Two metrics typically govern backup processes: Recovery Point Objective (RPO) and Recovery Time
Objective (RTO). The RPO defines how much data, measured in time, the business can afford to lose,
and therefore how frequently backups must be taken and how long they are kept; the RTO defines how
long a restore to a fully functional state may take. For example, an RPO might require a SQL server to
be backed up once a day (so at most one day of data is lost), with those backups kept for 14 days before
they expire and the space is reclaimed, plus a full backup sent offsite once a month. The RTO might
require that any data from the last 14 days be restorable within 30 minutes to avoid downtime, while
data from two months ago must be restored within 24 hours.

12.1.2 Disaster Recovery


Disaster Recovery is designed to serve a larger goal: ensure the business is able to continue functioning
in the event of a disaster. For this reason, disaster recovery tends to be tightly intertwined with Business
Continuity Planning (BCP), as businesses today are largely unable to function without the technology
systems they have come to rely on in place and functioning.
When it comes to disaster recovery, one metric is critical: the RTO. Since the business needs to
continue functioning, the RTO needs to be as short as possible, so services deemed critical to the
business's success are often architected from the ground up to be highly available (HA). However,
highly available solutions are typically geographically constrained: they are usually built within a
single data center because of latency or throughput requirements. That is less than ideal in a disaster
in which the entire data center is offline (perhaps even including the backup systems!).
Availability is typically expressed in 9s. Three 9s means 99.9% uptime (roughly 8.8 hours of downtime
per year); five 9s means 99.999% uptime (a little over 5 minutes per year). The corollary is that every
additional 9 makes a solution considerably more expensive, so the disaster recovery RTO is always a
trade-off against budget constraints.

12.2 Pure Data Protection Manager Options
With System Center 2012 R2 Data Protection Manager (DPM), you can configure multi-site, hybrid data
protection options leveraging Azure VMs without the aid of any other Azure-based service offerings.
These options are described in this section.
It is important to note that DPM provides application-consistent protection only for Microsoft
workloads that support the Microsoft Volume Shadow Copy Service (VSS). You can back up and recover
Linux VMs with DPM 2012 R2, but only at the VM level: Linux backups are file-system consistent, not
application consistent, because Linux has no VSS equivalent. Organizations with significant investments
in applications running on Linux may need several tools to cover all their backup and recovery needs.

12.2.1 Hosting DPM in Azure VMs


While some Azure IaaS resources by their very nature cannot be backed up with DPM (see section 12.2.3),
as of September 2014 DPM is a supported workload in Azure. This means you can run DPM in Azure and
back up Azure resources locally, instead of running DPM on-premises and backing up Azure resources
over a site-to-site VPN, which gives fewer errors, faster backups and more reliable backup processes for
your Azure-based IaaS resources. There are two ways to get DPM up and running in an Azure VM:
Option 1: Upload a VHD with the DPM installation file to Azure, attach the disk
to an Azure VM and install DPM.
Option 2: Download the DPM trial ISO from the System Center evaluation website into an Azure
VM, install a DPM trial and then run the upgrade wizard to convert DPM into a production instance.
For a list of frequently asked questions and additional resources, see FAQ - Azure IaaS workload protection
using Data Protection Manager on the Microsoft web site at http://blogs.technet.com/b/dpm/
archive/2014/09/12/faq-azure-iaas-workload-protection-using-data-protection-manager.aspx.
Also, see the step-by-step guide: Install DPM as an Azure virtual machine
at https://technet.microsoft.com/en-us/library/jj852163.aspx.

12.2.2 DPM-to-DPM Backup (Cyclic Protection)
DPM has grown more and more capable over the years, and supports a wide variety of backup sources.
These backup sources include everything from file servers and shares, to Active Directory, to Exchange,
to IIS & SQL, to Hyper-V. One of the features of DPM is that it allows replication of one DPM server to
another. This capability allows the DPM server itself to be redundant, so that in the event a DPM backup
server fails, it can be restored from the other, preferably a DPM server in another physical site. It is a
backup for your backup, enabling transport of backups offsite, providing a disaster recovery capability.
With DPM now supported in Azure, you can replicate your on-premises DPM servers to a DPM server
running on an Azure VM in an Azure regional data center, and vice versa. This means that if
you do not have multiple data centers, but do have Azure-based IaaS data center resources, you can
back up your on-premises DPM backups to your Azure DPM server, and back up your Azure DPM to
your on-premises DPM server. This ensures that if either DPM server fails, all your protected sources,
whether on-premises or in Azure, are still protected and recoverable.
For a step-by-step guide, see Back up DPM using a secondary server on the Microsoft web site at
https://technet.microsoft.com/en-us/library/jj244597.aspx.

12.2.3 Limitations of DPM with Azure VMs


While most application-tier workloads are protected the same way whether they run on-premises or in
Azure Infrastructure as a Service (IaaS), some sources that DPM can back up on-premises by their very
nature cannot be backed up from Azure. Azure VMs run on hypervisors, but tenant VMs are abstracted
from the hypervisor and cannot access it. Azure SQL is a distributed, highly available SQL service that is
likewise abstracted so that tenants cannot reach the underlying resources (Azure SQL is a
Platform-as-a-Service (PaaS) offering). This prevents DPM from backing up Azure VMs at the VM level, or
Azure SQL databases. You can, however, back up an Azure VM at the OS level, as well as the applications
hosted in the VM. Table 12.3.1 below outlines the Azure IaaS resources that are and are not supported by
the latest version of DPM.
Workload                                        DPM 2012 R2 Protection and Recovery
Windows Server 2012 R2                          Volumes, Files, Folders
  (Datacenter and Standard)
Windows Server 2012                             Volumes, Files, Folders
  (Datacenter and Standard)
Windows Server 2008 R2 SP1                      Volumes, Files, Folders
  (Standard and Enterprise)
SQL Server 2014, 2012 SP2, 2012,                SQL Server Database
  2008 R2, 2008
SharePoint 2013, 2010                           Farm, Database, Frontend web server content
Exchange (all versions)                         Microsoft announced Azure IaaS support for
                                                Exchange 2013 in May 2015.
Virtual Machine Instance                        n/a
Azure SQL (PaaS)                                Built-in (backup is provided as part of the service)
TABLE 12.3.1 DPM 2012 R2 SUPPORTED FEATURES

In the next section, we will look at the native data protection capabilities of Azure in the Azure Backup feature.

12.3 Azure Backup


Of course, not everyone has DPM in place for backups. Azure Backup is a feature that enables
protection of both Azure IaaS VMs, as well as physical and virtual systems in your corporate data center.
As you will see in a moment, the process for protecting Azure VMs is streamlined versus the steps for
on-premises VMs.
Features and Limitations
Today, there are a few capabilities and limitations in Azure Backup to be aware of:
Supports client operating systems Windows 7 and later.
Supports server operating systems Windows 2008 R2 and later.
Only protects Azure IaaS v1 VMs. This is expected to change in the not-too-distant future.
Supports VM backup with application-level consistency, but only supports VM, file and folder backups.
Supports backup and recovery of Azure IaaS VMs running supported versions of Linux, but only with
file system-level consistency.
Cannot protect removable media, read-only volumes, network shares, BitLocker-protected volumes
and non-NTFS volumes.
Protects volumes up to 1 TB.
IMPORTANT: Technically, you can protect Azure IaaS v2 VMs, but you would protect them in the same
fashion you would configure backup for physical or virtual systems in your corporate data center.

12.3.1 Backing Up Azure VMs


Azure Backup for Azure VMs is a feature that makes protecting your Azure VMs a relatively simple task.
Azure Backup for Azure VMs provides application consistent backups for both Windows and Linux VMs
with no downtime.
High-level Steps
The high-level steps to configure Azure Backup to protect Azure VMs are:
Create an Azure Backup Vault in the same Azure regional data center as the VMs you wish to backup.
Run VM discovery (which identifies unprotected VMs in the same Azure regional data center
as your backup vault)
Register the VMs that will be protected (backed up), including the backup policy
Set the backup and retention policy
Because this all runs as a service, you can perform all the configuration in the Azure Management
Portal; no backup infrastructure is required!

How it works
We should start with a brief description of how the service works under the hood. To back up an Azure VM,
you first need a point-in-time snapshot of the data. The Azure Backup service initiates the backup job at the
scheduled time, and triggers the backup extension to take a snapshot. The backup extension coordinates
with the Microsoft VSS service in the Azure VM to achieve consistency (Windows VMs only). Once
consistency is reached, the backup extension invokes the blob snapshot API of the Azure Storage service to
get a consistent snapshot of the disks of the virtual machine (VM), without having to shut it down.
After the snapshot has been taken, the data is transferred by the Azure Backup service into the backup
vault. The service handles the job of identifying and transferring only the blocks that have changed
from the last backup making the backups storage very efficient. When the data transfer is completed,
the snapshot is removed and a recovery point is created. You can view this recovery point in the Azure
management portal.
Prerequisites
The primary prerequisite to configuring backups is creating a backup vault. The backup vault is a
logical container that stores all the backups and recovery points that have been created over time. The
backup vault also contains the backup policies that will be applied to the VMs being backed up.
You can use the Quick Create option to create an Azure backup vault in only a few clicks, as you no
longer have to create and upload an X.509 v3 certificate. In the Azure Management Portal, click New >
Recovery Services > Backup Vault > Quick Create, as pictured in figure 12.3.1.

FIGURE 12.3.1 AZURE BACKUP VAULT QUICK CREATE OPTION

In case you need it, the step-by-step process for configuring a backup vault in the Azure management
portal is available on the Microsoft website in Azure virtual machine backup - Introduction at
https://azure.microsoft.com/en-us/documentation/articles/backup-azure-backup-create-vault/
Calculating protected instances and cost
Azure VMs that are backed up using Azure Backup will be subject to Azure Backup pricing. The
Protected Instances calculation is based on the actual size of the VM, which is the sum of all the data in
the VM, excluding the resource disk. You are not billed based on the maximum size supported for each
data disk attached to the VM, but on the actual data stored in the data disk. Similarly, charges for the
backup storage are also based on the amount of data stored with Azure Backup, which is the sum of
the actual data in each recovery point.

The billing does not start until the first successful backup is completed. At this point, the billing for both
storage and protected instances will begin.
Next, we will review the steps for configuring backup of Azure VMs using Azure Backup.
Step 1: Discover Azure Virtual Machines
The discovery process queries Azure for the list of VMs in the subscription, along with additional
information like the cloud service name and the region.
To trigger the discovery process, do the following steps:
1. Click on All Items, and then click on your backup vault. Then, click on the Registered Items tab.
2. Choose the type of workload in the dropdown menu as Azure Virtual Machine, and click on the
checkbox to the right to select.

FIGURE 12.3.2 REGISTERED ITEM TYPE DIALOGUE

3. Click on the Discover button at the bottom of the screen.

FIGURE 12.3.3 DISCOVER BUTTON FOR AZURE VM DISCOVERY

4. The discovery process can run for a few minutes while the VMs not already protected by Azure
Backup are being identified. Once the discovery process is complete, a toast notification appears at
the bottom of the portal window.
Step 2: Register Azure virtual machine
Before a VM can be protected, it needs to be registered with the Azure Backup service. The registration
achieves two primary goals:
To have the backup extension connected to the VM agent in the Azure VM.
To associate the VM with the Azure Backup service so backup policies can be applied.
Note: The backup extension is not installed during the registration step. The installation and update of the
backup agent is now part of the scheduled backup job.

Registration is typically a one-time activity. Upgrade and patching of the Azure Backup extension is
handled in the background by Azure without any user intervention or downtime. This relieves your system
administrators of the agent management overhead that is typically associated with backup solutions.
To register virtual machines, complete the following steps:
1. Navigate to the backup vault, which can be found under Recovery Services in the Azure portal,
and click on the Registered Items tab
2. Choose the type of workload in the dropdown menu as Azure Virtual Machine and click on the
checkbox at the lower right of the window to select.
3. Click on the Register button at the bottom of the page.
4. In the Register Items pop-up, choose the VMs that you would like to register.

FIGURE 12.3.4 REGISTRATION OF DISCOVERED VIRTUAL MACHINES

NOTE: If there are two or more VMs with the same name use the cloud service to distinguish between the VMs.
The register operation allows you to select and register multiple VMs at once. This substantially reduces
the one-time effort spent in preparing the VM for backup. For each VM you register, Azure Backup
completes the following tasks:
A job is created for each VM that should be registered. The toast notification shows the status of this
activity. Click on View Job to go to the Jobs page.
The VM also appears in the list of registered items and the status of the registration operation is shown.
Once the operation is completed, the status in the portal will change to reflect the registered state.
NOTE: Only the VMs that are not registered and are in the same region as the backup vault, will show up.

Step 3: Back up Azure virtual machines


This step involves setting up a backup and retention policy for the VM.
To protect a VM, do the following steps:
1. Navigate to the backup vault, which can be found under Recovery Services in the Azure portal,
and click on the Registered Items tab
2. Choose the type of workload in the dropdown menu as Azure Virtual Machine and click on the
checkbox at the right of the window to select. Click on the Protect button at the bottom of the
screen, as shown in figure 12.3.5.

FIGURE 12.3.5 PROTECT BUTTON FOR CONFIGURING AZURE VM PROTECTION

3. This will bring up a Protect Items wizard where the VMs to be protected can be selected. If there
are two or more VMs with the same name, use the cloud service to distinguish between the VMs.

FIGURE 12.3.6 CONFIGURING PROTECTION OF REGISTERED VIRTUAL MACHINES

As with the register operation, the protect operation allows you to select and protect multiple VMs at
once.
NOTE: Only the VMs that have been registered correctly with the Azure Backup service and are in the same
region as the backup vault will show up here.

4. In the second screen of the Protect Items wizard, choose a backup and retention policy
to back up the selected VMs. Pick from an existing set of policies or define a new one (Create new),
as shown in figure 12.3.7.

FIGURE 12.3.7 CONFIGURING BACKUP POLICY FOR PROTECTED VMS

5. Click on the checkbox at the lower right of the window to save your changes.
NOTE: For preview, up to 30 days of retention and a maximum of once-a-day backup is supported.
In each backup vault, you can have multiple backup policies. The policies contain the details about
backup schedule and retention. For example, one backup policy could be for daily backup at 11:00PM,
while another backup policy could be for weekly backup at 2:00AM. While each backup policy can have
multiple VMs that are associated with the policy, a VM can be associated with only one policy at any given
point in time. Retention options include backup retention for daily, weekly, monthly and yearly backups.

6. A job is created for each VM to configure the protection policy and to associate the VM to the policy.
Click on the Jobs tab and choose the Configure Protection option in the Operation dropdown to
view the list of Configure Protection jobs.

FIGURE 12.3.8 VIEWING AZURE BACKUP JOBS

Once completed, the VMs are protected with a policy and must wait until the scheduled backup time
for the initial backup to be completed. The VM will now appear under the Protected Items tab and will
have a Protected Status of Protected (pending initial backup).
NOTE: Starting the initial backup immediately after configuring protection is not available as an option today.
At the scheduled time, the Azure Backup service creates a backup job for each VM that needs to be
backed up. Click on the Jobs tab to view the list of backup jobs. As a part of the backup operation, the
Azure Backup service issues a command to the backup extension in each VM to flush all writes and take
a consistent snapshot.
Once completed, the Protection Status of the VM in the Protected Items tab will show as Protected.
Viewing Backup Status and Details
Once protected, the VM count also increases in the Dashboard page summary. In addition, the
Dashboard page shows the number of jobs from the last 24 hours that were successful, failed, and still
in progress. Clicking on any one category will drill down into that category in the Jobs page.
For guidance on troubleshooting common errors with Azure Backup, see "Troubleshooting errors" of
the "Back up Azure virtual machines" page at https://azure.microsoft.com/en-us/documentation/
articles/backup-azure-vms/#troubleshooting-errors.
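The discover, register and protect steps above, scripted as an added example (not from the book) with the Azure PowerShell 1.0-era AzureRM.Backup cmdlets that manage classic backup vaults. The vault name contoso-backup-vault, the VM web01 in cloud service contoso-web and the policy name are assumptions, and so is the exact cmdlet surface of your installed module: confirm the names with Get-Command -Module AzureRM.Backup before relying on the script, as this module was later superseded by the Recovery Services cmdlets.

```powershell
<#
  Added example, not from the book: register a classic Azure VM with a backup vault, attach a
  daily policy and optionally take the first backup right away, using AzureRM.Backup cmdlets.
  Assumptions: vault, VM, cloud service and policy names below; cmdlet names as in the
  Azure PowerShell 1.0-era AzureRM.Backup module (verify with Get-Command -Module AzureRM.Backup).
#>
param(
    [string]$VaultName     = "contoso-backup-vault",  # assumption
    [string]$VmName        = "web01",                 # assumption
    [string]$ServiceName   = "contoso-web",           # assumption
    [string]$PolicyName    = "Daily-2300-30d",        # assumption
    [int]   $RetentionDays = 30,
    [switch]$BackupNow                                # take an ad hoc backup instead of waiting for 23:00
)
$ErrorActionPreference = "Stop"

Login-AzureRmAccount | Out-Null

$vault = Get-AzureRmBackupVault -Name $VaultName
if (-not $vault) { throw "Backup vault '$VaultName' was not found." }

# Steps 1 and 2: discovery and registration. Only unregistered VMs in the vault's own region are
# offered; a VM in another region simply does not appear, which is the usual reason a VM "is missing".
$unregistered = Get-AzureRmBackupContainer -Vault $vault -Type AzureVM -Status NotRegistered
$candidate = $unregistered | Where-Object { $_.Name -eq $VmName -and $_.ServiceName -eq $ServiceName }
if ($candidate) {
    $job = Register-AzureRmBackupContainer -Vault $vault -Name $VmName -ServiceName $ServiceName
    Wait-AzureRmBackupJob -Job $job
}

# Step 3: one policy per schedule/retention combination. A VM belongs to exactly one policy,
# so reuse an existing policy of that name rather than creating a duplicate.
$policy = Get-AzureRmBackupProtectionPolicy -Vault $vault | Where-Object { $_.Name -eq $PolicyName }
if (-not $policy) {
    $retention = New-AzureRmBackupRetentionPolicyObject -DailyRetention -Retention $RetentionDays
    $policy = New-AzureRmBackupProtectionPolicy -Vault $vault -Name $PolicyName -Type AzureVM `
                  -Daily -BackupTime ([datetime]"11:00 PM") -RetentionPolicy $retention
}

$container = Get-AzureRmBackupContainer -Vault $vault -Type AzureVM -Name $VmName -ServiceName $ServiceName
$item      = Get-AzureRmBackupItem -Container $container
Enable-AzureRmBackupProtection -Item $item -Policy $policy | Out-Null

if ($BackupNow) {
    # The portal of the time could not start the initial backup immediately; the cmdlet can
    # (assumed available in your module version). Wait for it so a failure surfaces here.
    $job = Backup-AzureRmBackupItem -Item $item
    Wait-AzureRmBackupJob -Job $job
    Get-AzureRmBackupJobDetails -Job $job
}

# Recovery points are what you restore from. An empty list means no backup has completed yet,
# which matches the "Protected (pending initial backup)" status in the portal.
Get-AzureRmBackupRecoveryPoint -Item $item
```

Protected-instance billing starts with the first successful backup, so running with BackupNow on a test VM is the quickest way to confirm both the policy and the charges you will see.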

12.3.2 Backing Up On-premises Machines


Azure Backup also enables data protection for on-premises hosts, both physical and virtual. Once you
have configured the backup vault, you install the Microsoft Azure Backup Agent on each machine to protect.
Note: If you have not already created a backup vault, as described in section 12.3.1, go back and complete
this step before proceeding.
Step 1: Download the Vault Credentials and Install Agent
The vault credential file is downloaded through a secure channel from the Azure portal. The Azure
Backup service is unaware of the private key of the certificate and the private key is not persisted in the
portal or the service.
To download the vault credential file to a local machine, use the following steps:
1. Click on Recovery Services in the left navigation pane and select the backup vault you have
created. Click on the cloud icon to get to the Quick Start view of the backup vault.
2. On the Quick Start page, click Download vault credentials. The portal generates the vault credential
file, which is made available for download.

FIGURE 12.3.9 BACKUP VAULT QUICK START PAGE

3. The portal generates a vault credential file named from a combination of the vault name and the
current date. Click Save to download the vault credentials to the local account's Downloads folder, or
select Save As from the Save menu to specify a location for the vault credentials.
4. After creating the Azure Backup vault, install the Microsoft Azure Recovery Services agent on each
of the on-premises servers (Windows Server or Windows client) whose data and applications you want
to back up to Azure.
5. In the Azure Portal, click Recovery Services, then select the backup vault that you want to register
with a server. The Quick Start page for that backup vault appears.
5. I n the Azure Portal, click Recovery Services, then select the backup vault that you want to register
with a server. The Quick Start page for that backup vault appears.
6. On the Quick Start page, click the For Windows Server or System Center Data Protection Manager
or Windows client option under Download Agent, as shown in figure 12.3.9. Click Save to copy it to
the local machine.

FIGURE 12.3.10 DOWNLOAD AGENT OPTIONS FOR THE BACKUP VAULT

7. Once the agent has been downloaded, double-click MARSAgentInstaller.exe to launch the installation
of the Azure Backup agent. Choose the installation folder and the scratch (cache) folder the agent
requires. The cache location must have free space of at least 5% of the data being backed up.
The Azure Backup agent installs .NET Framework 4.5 and Windows PowerShell (if it is not available
already) to complete the installation.

FIGURE 12.3.11 AZURE BACKUP AGENT INSTALLATION SETTINGS

8. If you use a proxy server to connect to the internet, in the Proxy configuration screen, enter the proxy
server details. If you use an authenticated proxy, enter the user name and password details in this screen.

9. On the Installation screen, click Install. Once the agent is installed, click the Proceed to
Registration button to continue with agent registration in Azure.
Step 2: Register the Agent
1. On the Vault Identification screen, browse to and select the vault credentials file you downloaded
previously, as shown in figure 12.3.12.
Note: The vault credentials file is valid only for 48 hours after it is downloaded from the portal.

FIGURE 12.3.12 VAULT IDENTIFICATION SCREEN

2. On the Encryption setting screen, either generate a passphrase or provide your own (minimum of
16 characters), as shown in figure 12.3.13.
Note: Save the passphrase in a secure location that does not depend on this server. Microsoft does not
keep a copy, so without the passphrase the backup data cannot be recovered.

FIGURE 12.3.13 ENCRYPTION SETTING SCREEN

3. Click Finish. When agent registration is complete, click the Close button to launch the Microsoft
Azure Recovery Services Agent.
Step 3: Configure Backup and Retention
1. In the Actions pane, click Schedule Backup, as shown in figure 12.3.14.

FIGURE 12.3.14 SCHEDULE BACKUP ACTION

2. On the Getting started screen, click Next.


3. On the Select Items to Backup screen, click the Add Items button. Select the files and folders you
want to include in the backup job. Once you have made your selections, click OK.
4. If there are files and folders you wish to exclude, click Exclusion Settings. Enter the folders, files and
file types to exclude in the space provided, then click Next.
5. On the Specify Backup Schedule screen, select up to three backup times per day. If you select the
Week radio button, you can select the days of the week you wish to perform backups as well.

FIGURE 12.3.15 SPECIFY BACKUP SCHEDULE SCREEN

6. On the Select Retention Policy screen, set desired daily, weekly, monthly and yearly retention
policies, then click Next.

FIGURE 12.3.16 VIEWING AZURE BACKUP JOBS

7. On the Choose Initial Backup Type screen, select Automatically over the network or Offline
Backup, then click Next.
8. On the Confirmation screen, review your selections and click Finish.
Note: The initial backup will happen at the first scheduled time. If you want to take a backup immediately,
you can click the Back Up Now menu item.

12.3.3 DPM to Azure Backup


While DPM backups from one DPM server to another are useful, there is a third option: DPM integration
with Azure Backup. Not every business is large enough to have multiple data centers to which they can
replicate their backup data through DPM. In some cases, businesses are moving to a cloud-first strategy,
with no on-premises data center to replicate their cloud backups. This poses a disaster recovery
challenge for these customers.
Fortunately, Azure Backup offers a backup target for DPM. By installing a backup agent on the DPM
server, protected sources can be replicated to Azure, ensuring that should the DPM server be lost in a
catastrophic event, the backups are still available.
Backups to Azure are secured through encryption. A management certificate (generated outside of
Azure) is used to encrypt API communications to Azure Backup, and the backup data itself is encrypted
with a passphrase (that is also generated on-premises). This ensures that the communication channel is
always protected, and that the data at rest is always protected, and only accessible by you.
For step-by-step configuration guidance, see "Configure Azure Backup to quickly and easily back up Windows
Server" on the Microsoft web site at https://msdn.microsoft.com/en-us/library/azure/dn337332.aspx.


12.4 Azure Site Recovery


A key piece of any business continuity plan is a solid disaster recovery procedure. Azure provides a
robust disaster recovery engine via Azure Site Recovery, which is capable of orchestrating seamless
failover between your data centers. What's more, Azure Site Recovery also provides easy-to-use tools
for testing your disaster recovery plan, ensuring that in the event of a critical event, your business
continuity plan is already well tested, and your plan executes as expected.

12.4.1 Overview
In Windows Server 2012, Microsoft introduced Hyper-V Replica. This technology is built in to the
Hyper-V hypervisor role, enabling encrypted replication of the VM data and configuration from one
Hyper-V host to another. Replication occurs at intervals of 30 seconds, 5 minutes, or 15 minutes. This
helps to ensure that standby servers are always recent copies of mission critical servers, shortening the
recovery time in the event of a disaster. Replica VMs can be configured to utilize the same IP addresses
as the source, or alternatively, use a different IP address space. Additionally, recovery points can be
created, enabling recovery to an earlier point in the day (up to the last 24 hours). This functionality is all
built-in free of charge in Windows Server 2012 and later.
Of course, in the event of a disaster, someone needs to make the decision to switch over to the replicas
and initiate the process. Often, applications must be failed over in a specific order to account for
dependencies (e.g. SQL services require Active Directory to authenticate service and user accounts),
opening up the possibility of human error in the failover process. In the event of a disaster, the human
factor can become a bottleneck to speedy recovery.
Fortunately, Azure Site Recovery (ASR) drastically simplifies the failover process, enabling administrators
to create groups of VMs that failover together, enabling single-click orchestrated failover in the event of
a data center going offline.
ASR leverages System Center Virtual Machine Manager (VMM), by monitoring the VMM servers, and
replicating configurations, snapshots, and data from one location to the destination. ASR can replicate
the on-premises data center VMs from Hyper-V to Azure IaaS, enabling cost savings by eliminating
the need for a second physical data center. This makes ASR a comprehensive, automated, and highly
capable disaster recovery tool.
ASR has a few unsupported scenarios you should be aware of:
Unified Extensible Firmware Interface (UEFI)/Extensible Firmware Interface (EFI) boot is not supported.
BitLocker encrypted volumes are not supported.
Clustered servers are also not supported.
Volumes larger than 1023 MB cannot be protected.
Step-by-step guidance on configuring ASR, as well as a list of FAQs, is available on the Microsoft site at
http://azure.microsoft.com/blog/2014/08/05/azure-site-recovery-enables-one-click-orchestratedfailover-of-virtual-machines-to-azure/.

12.4.2 Hyper-V to Hyper-V


The simplest, easiest implementation of ASR would be to use Hyper-V Replica. Using the native, out of
box functionality in Windows Server requires the least amount of effort to configure. At a high level, the
configuration process is roughly as follows:
1. Create an Azure Site Recovery Vault. The Site Recovery Vault is essentially a grouping of assets
and logical entities relating to your Site Recovery. It includes things like recovery plans, which define
automated recovery actions, and how/which VMs are failed over when the plan is executed.
2. Install the Azure Site Recovery Provider on your VMM servers. The Site Recovery Provider is essentially
a plugin for VMM, enabling the VMM installations in each data center to plug in to ASR. The provider is used
to synchronize information about the Hyper-V servers, VMM clouds, snapshots, and VMs to Azure.
3. Install the Azure Recovery Services Agent on your Hyper-V hosts. The Recovery Services Agent serves to
replicate data from Hyper-V to Azure. You can specify a proxy connection for the agent to use if you
do not want it to utilize the default internet settings on your Hyper-V host. The agent can be pushed out
through standard methods, such as Group Policy or System Center Configuration Manager (SCCM).
4. Configure protection settings for VMM clouds in the VMM console. You can specify which
VMM clouds you want to show up in Azure Site Recovery Manager, minimizing the amount of visual
noise in the Azure console. You can also define how the initial replications are performed, whether
it be offline or online. Settings, such as the frequency of replication and number of recovery points
in the last 24 hours can also be set, as well as the target cloud in the disaster recovery data center.
Data compression can be turned on in this step as well, enabling smaller amounts of data to be
transferred over the WAN, at the expense of additional CPU utilization on the source host. The
authentication mechanism and port can also be chosen, enabling you to define more granular
throttling policies at the network level. This ensures that WAN bandwidth is not completely
consumed during replications.
5. Configure network and storage mappings. Network mappings allow you to define which VM
Network a VM will be joined to when it fails over to the replica in the DR location, ensuring that it receives
appropriate connectivity during failover. Storage mappings allow you to define storage classification
mappings, ensuring that appropriate disk subsystems are available on the replicated VMs.
6. Enable protection for virtual machines. In the Azure Site Recovery Manager, you turn on protection for
VMs on a VM by VM basis, ensuring that only necessary VMs are replicated from one data center to another.
7. Configure recovery plans. The recovery plan defines how VMs are failed over, which VMs are
failed over, and in which order they failover. Scripts and manual actions can be added to the plan,
enabling automation of failover actions, as well as a pause for necessary manual actions. The manual
actions must be marked as complete before the recovery plan continues with further actions.


12.4.3 VMware to Azure


In 2014, Microsoft acquired a company called InMage Systems. InMage offered a product that would
replicate physical and VMware servers across the WAN between data centers. This acquisition led to
integration and development of InMage functionality into the ASR feature, resulting in an updated ASR
feature with support for disaster recovery of VMware VMs.
Key features of this new offering are:
Heterogeneous workload support for multiple Windows and Linux editions with replication to and
recovery in Azure.
Automated discovery of VMware vCenter Server managed VMs for replication to and recovery in Azure.
Continuous data protection with software-based replication to provide near-zero Recovery Point
Objectives (RPO).
On-the-fly conversion of source VMware Virtual Machine Disk (VMDK) files to bootable target Azure
Virtual Hard Disk (VHD) files, ensuring low Recovery Time Objectives (RTO).
Multi-VM consistency using ASR Protection Groups to ensure that all tiers in an n-tier application
replicate consistently and fail over at the same time.
Failback to VMware infrastructure from Azure when the on-premises data center returns
to service post-disaster.
Active-passive replication that does not require running target Azure VMs at the time of replication, unlike
other competitive disaster recovery products, thereby reducing the Total Cost of Ownership (TCO).
Single-Click Failovers with ASR Recovery Plans to provide end-to-end workload-aware disaster
recovery and orchestration at low Recovery Time Objectives (RTO).
Health monitoring for replication, failover and failback, with events and e-mail notifications.
For step-by-step documentation on configuring VMware protection with ASR, see "Set up protection
between on-premises VMWare VMs or physical servers and Azure" on the Microsoft web site
at https://azure.microsoft.com/en-us/documentation/articles/site-recovery-vmware-to-azure/.


12.5 Backing Up SQL Workloads to Azure

Since SQL Server is one of the most common (and often most critical) workloads hosted in Azure,
coverage of options for protecting SQL Server and database instances in Azure VMs is warranted. Aside
from the Azure Backup service, there are multiple other ways you can leverage Azure as part of your
SQL backup and recovery strategy, including:
SQL Database Backup to Azure Blob Storage
Automated SQL Backup in Azure VMs
Both of these options are described in detail in this section, including a step-by-step tutorial on how
to configure SQL database backups directly to Azure Blob Storage. This is an easy-to-configure and
economical option.

12.5.1 SQL Database Backup to Azure Blob Storage

You can actually perform backups of SQL databases directly to a blob in Azure storage, even without a
service like Azure Backup. This option will work for SQL Server instances running in on-premises VMs, as
well as SQL instances running in Azure VMs.
Benefits
You can back up your databases to Microsoft Azure without having to manage devices and manage
storage capacity on those devices. You can back up the databases to Microsoft Azure based on the
activity of your databases. You can take a SQL log backup only when needed, such as when space used
in database logs is running low. There are several benefits to this approach, including:
Off-site, highly redundant storage to meet compliance regulations and industry standards.
Lower management and operating costs, no hardware management and low cost storage.
More time to focus on other tasks and not spend time managing storage for backups.
Considerations
There are a few things to bear in mind as you prepare to leverage SQL backup to Azure:
A backup file can be a maximum of 1 TB in size.
Backup and restore times will vary based on the bandwidth and latency
of your network connection.


To backup databases from versions of SQL Server older than SQL Server 2012, you must download and
install the "Microsoft SQL Server Backup to Microsoft Windows Azure Tool". This tool enables backup
to Azure from SQL Server 2005, 2008 and 2008 R2 databases with encryption capabilities. You can
download this tool at http://www.microsoft.com/en-us/download/details.aspx?id=40740.

12.5.2 Step-by-Step: Performing a SQL Database Backup to Azure

In order to configure SQL database backups to Azure blobs, there are a few things you will need in
Azure Storage:
Storage Account: The storage account is the starting point for all storage services. To access the
Windows Azure Blob Storage service, first create a Windows Azure storage account. The storage
account name and its access key properties are required to authenticate to the Windows Azure
Blob Storage service and its components.
Container: A container provides a grouping of a set of Blobs, and can store an unlimited number of
Blobs. To write a SQL Server backup to the Windows Azure Blob service, you must have at least the
root container created.
URL: A URL specifies a Uniform Resource Identifier (URI) to a unique backup file. The URL is used to
provide the location and name of the SQL Server backup file. In this implementation, the only valid
URL is one that points to a page Blob in a Windows Azure storage account. The URL must point
to an actual Blob, not just a container. If the Blob does not exist, it is created. If an existing Blob is
specified, backup fails, unless the WITH FORMAT option is specified.
Blob: A file of any type and size. There are two types of blobs that can be stored in the Windows
Azure Blob storage service: block and page blobs. SQL Server backup uses page blobs as the blob
type. Blobs are addressable using the following URL format:
https://<storage account>.blob.core.windows.net/<container>/<blob>.
IMPORTANT: If you choose to copy and upload a backup file to the Windows Azure Blob storage service, use
page blob as your storage option. Restores from Block Blobs are not supported. RESTORE from a block blob
type fails with an error.
Credential: A SQL Server credential is an object that is used to store authentication information
required to connect to a resource outside of SQL Server. SQL Server backup and restore processes
use the credential to authenticate to the Windows Azure Blob storage service. The Credential stores
the name of the storage account and the storage account access key values.
At a high level, the following are the steps for creating SQL workload backups:
Create Azure Storage Account
Create Azure Storage Container


Create Credential
Backup Using the Backup Task (in SSMS)
Backup Using T-SQL BACKUP DATABASE Command
Once you have created a backup, you may be interested in how to recover a database using a backup
hosted in Azure storage. The restore process will be covered in the Restoring Data from an Azure Blob
section later in this chapter.
12.5.2.1 Create Azure Storage Account:
If you are not already logged into the Azure Management Portal, open a supported web browser and
browse to https://manage.windowsazure.com/, then sign in using your Azure account.
1. Click on STORAGE from the blue navigation pane on the left, as shown in figure 12.5.1.

FIGURE 12.5.1. STORAGE NODE IN THE AZURE MANAGEMENT PORTAL

2. At the bottom left of the screen, click + New.


3. Select Data Services, Storage and click Quick Create, as shown in figure 12.5.2.

FIGURE 12.5.2. STORAGE CONTAINER QUICK CREATE


4. In URL, enter a friendly name to provide a unique path, shown in figure 12.5.3.

FIGURE 12.5.3. STORAGE CONTAINER PROPERTIES DIALOGUE

5. In Region, select the geographic region for the storage account.


6. Click Create Storage Account to create the new storage account.
12.5.2.2 Create Azure Storage Container
To create a storage container in Azure, perform the following steps:
1. In the Azure Management Portal, select the storage account you previously created, then select the
Containers tab, as shown in figure 12.5.4.

FIGURE 12.5.4. STORAGE CONTAINERS TAB

2. At the bottom of the screen, click Add to open the New container dialogue.


3. Enter a unique value in the Name field, and set the value of the Access drop down to Private, as shown in
Figure 12.5.5 below. Click the checkmark to create the container.

FIGURE 12.5.5. NEW CONTAINER DIALOGUE

12.5.2.3 Create Credential


To create a credential for accessing and writing backups to blobs in Azure storage, perform the
following steps:
1. Launch SQL Server Management Studio (SSMS).
2. Expand the Security node.
3. Right click the Credentials node and select New Credential from the context menu, as shown in
figure 12.5.6. This opens a New Credential window.

FIGURE 12.5.6. NEW CREDENTIAL MENU IN SSMS


4. In the New Credential window (shown in figure 12.5.7), specify the following values for ease of use:
Credential Name: Use the name of the storage container.
Identity: Use the name of the storage account.
Password: The access key from the storage container. You can find this value by selecting the
storage container in the Azure portal, and at the bottom of the screen, selecting Manage Access
Keys. Copy the primary access key, as shown in figure 12.5.8.

FIGURE 12.5.7. NEW CREDENTIAL DIALOGUE

5. When you have filled in the values above, click OK.

FIGURE 12.5.8. MANAGE ACCESS KEYS DIALOGUE IN THE AZURE PORTAL

You are now ready to perform a SQL backup to Azure storage.
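The same credential can be created from a query window instead of the SSMS dialogue. The following T-SQL is an added example and is not from the book; it follows the naming convention in step 4 above (credential name = container name, identity = storage account name) and reuses the storage account and credential names that appear later in this chapter. The access key value is a placeholder to be replaced with your own primary key.

```sql
-- Added example (not from the book): create the SQL Server credential used for
-- backup to Azure storage with T-SQL rather than the SSMS New Credential dialogue.
-- Assumptions: storage account "insidemscloud" and credential name
-- "insidemscloud-sql" as used elsewhere in this chapter; the SECRET below is a
-- placeholder for the storage account's primary access key.
USE master;
GO

-- Make the script re-runnable: a second CREATE CREDENTIAL with the same name fails.
IF EXISTS (SELECT 1 FROM sys.credentials WHERE name = 'insidemscloud-sql')
    DROP CREDENTIAL [insidemscloud-sql];
GO

CREATE CREDENTIAL [insidemscloud-sql]
    WITH IDENTITY = 'insidemscloud',                          -- storage account name
         SECRET   = '<primary storage account access key>';   -- placeholder, replace
GO

-- Check: the credential is registered. The secret is never exposed through the
-- catalog; only the identity (storage account name) is visible, which is what
-- you want when auditing which external resources an instance can reach.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = 'insidemscloud-sql';
```

The access key grants full control of the storage account, so keep the script itself out of source control or substitute the SECRET value at execution time; rotating the key in the portal (Regenerate under Manage Access Keys) requires an ALTER CREDENTIAL with the new SECRET before the next backup runs.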


12.5.2.4 Backup Using the Backup Task in SSMS


The Backup task in SQL Server Management Studio has been enhanced to include URLs as one of the
destination options, and other supporting objects required to backup to Windows Azure storage, such
as the SQL Credential.
To back up a SQL database to Azure storage, perform the following steps:
1. Start SQL Server Management Studio and connect to the SQL Server instance. Select a database you
want to backup, right click on Tasks, and select Back Up..., as shown in figure 12.5.9. This opens the
Back Up Database dialog box.

FIGURE 12.5.9. SQL BACKUP WIZARD IN SSMS

2. On the general page, select the URL option to create a backup to Azure storage, as shown in figure
12.5.10. When you select this option, you see other options enabled on this page:
a. File Name: Name of the backup file.


b. SQL Credential: You can either specify an existing SQL Server Credential, or create a new one by
clicking on the Create next to the SQL Credential box.

FIGURE 12.5.10. BACK UP DATABASE DIALOGUE

NOTE: The dialog that opens when you click Create requires a management certificate or the publishing
profile for the subscription. SQL Server currently supports publishing profile version 2.0. It is easier to simply
create the credential as documented in the previous step.
c. Azure storage container: The name of the Windows Azure storage container to store the backup files.
d. URL prefix: This is built automatically using the information specified in the fields described
in the previous steps. If you do edit this value manually, make sure it matches with the other
information you provided previously. For example, if you modify the storage URL, make sure the
SQL Credential is set to authenticate to the same storage account.


12.5.2.5 Backup Using T-SQL BACKUP DATABASE Command


To back up a database to Azure storage using a T-SQL query, perform the following steps:
1. In SQL Server Management Studio, right click the database you want to back up and select New Query.
2. Enter the following T-SQL command into the query window, replacing the database name, URL and
Credential with the values from your environment. Specify a file name on the end of the URL, which
will be created at runtime. There are two examples below.
Backup (default compression, which is no compression):
BACKUP DATABASE Master
TO URL = 'https://insidemscloud.blob.core.windows.net/insidemscloudsql/MasterNoCompress.bak'
WITH CREDENTIAL = 'insidemscloud-sql'
,STATS = 1
To turn compression on, simply add the COMPRESSION option, as shown below. The compressed backup
is written to a different blob name, because a backup to an existing blob fails unless WITH FORMAT is
specified (see the URL description in section 12.5.2):
BACKUP DATABASE Master
TO URL = 'https://insidemscloud.blob.core.windows.net/insidemscloudsql/MasterCompress.bak'
WITH CREDENTIAL = 'insidemscloud-sql'
,COMPRESSION
,STATS = 1
When finished, check the target Azure storage container to verify the backup is present. In figure
12.5.11, you will notice that the backup file created with COMPRESSION specified is much smaller than
when compression is not specified.

FIGURE 12.5.11. SQL BACKUP FILES IN AZURE STORAGE

TIP: Backing up with the COMPRESSION option means lower storage usage and thus, lower costs to store
your SQL database in Azure. Notice the size difference with and without compression shown in figure 12.5.11.
Now that you have created a database backup, you can attempt to restore a backup from Azure storage.


12.5.2.6 Restoring from Windows Azure Storage


If you are restoring a database, URL is included as the device to restore from. The following steps
describe the changes in the Restore task to allow restoring from Microsoft Azure storage:
1. Right click on the database you want to restore and select Tasks > Restore > Database,
as shown in figure 12.5.12.

FIGURE 12.5.12. LAUNCHING THE RESTORE DATABASE DIALOGUE

2. When you select Devices in the General page of the Restore task in SQL Server Management Studio, this
takes you to the Select backup devices dialog box, which includes URL as a backup media type.
3. When you select URL and click Add, the Connect to Azure storage dialog opens. Specify the
SQL Credential information to authenticate to Azure storage, as shown in figure 12.5.13.

FIGURE 12.5.13. CONNECT TO WINDOWS AZURE STORAGE DIALOGUE

4. SQL Server then connects to Azure storage using the SQL Credential information you provided and opens
the Locate Backup File in Windows Azure dialog. The backup files residing in the storage are displayed
on this page. Select the file you want to use to restore and click OK.
This takes you back to the Select Backup Devices dialog, and clicking OK on this dialog takes you back to
the main Restore dialog (shown in figure 12.5.14), where you will be able to complete the restore.


FIGURE 12.5.14. BACK UP DATABASE DIALOGUE

5. You can use the Script menu to create a T-SQL restore script and save to file, clipboard or open in
a new query editor window, as shown in figure 12.5.15. You can also select the Agent Job option,
which will bring your selections in the Restore Database wizard into the Schedule Job interface.

FIGURE 12.5.15. BACK UP DATABASE DIALOGUE

As you can see, backing up and recovering SQL databases from backups stored in Azure is a
straightforward process.
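The SSMS restore walk-through above has a T-SQL equivalent, and a scripted version is also where the integrity checks belong that a practitioner runs before trusting a backup held in Azure storage. The following block is an added example, not code from the book; it assumes a hypothetical user database named SalesDb with logical file names SalesDb and SalesDb_log, a target path on the SQL Server, and the storage account, container and credential names used elsewhere in this chapter. It restores to a differently named copy so that the production database is never touched by the recovery test.

```sql
-- Added example (not from the book): backup with checksums, verification of the
-- copy held in Azure storage, and a restore to a new name as a recovery test.
-- Assumptions: database SalesDb (hypothetical), storage account "insidemscloud",
-- container "insidemscloudsql", credential "insidemscloud-sql", and the D:\ paths.
USE master;
GO

-- 1. Back up with CHECKSUM so that corruption of the blob is detectable later;
--    COMPRESSION reduces storage cost, as the TIP in section 12.5.2.5 notes.
BACKUP DATABASE SalesDb
    TO URL = 'https://insidemscloud.blob.core.windows.net/insidemscloudsql/SalesDb.bak'
    WITH CREDENTIAL = 'insidemscloud-sql'
        ,COMPRESSION
        ,CHECKSUM
        ,STATS = 10;
GO

-- 2. Verify the backup without restoring it. RESTORE VERIFYONLY reads the whole
--    file back from Azure and recomputes the checksums; an error here means the
--    copy in storage cannot be relied on for recovery.
RESTORE VERIFYONLY
    FROM URL = 'https://insidemscloud.blob.core.windows.net/insidemscloudsql/SalesDb.bak'
    WITH CREDENTIAL = 'insidemscloud-sql'
        ,CHECKSUM;
GO

-- 3. List the logical file names inside the backup; the MOVE clauses in step 4
--    must use these names.
RESTORE FILELISTONLY
    FROM URL = 'https://insidemscloud.blob.core.windows.net/insidemscloudsql/SalesDb.bak'
    WITH CREDENTIAL = 'insidemscloud-sql';
GO

-- 4. Restore to a differently named database so the test does not overwrite
--    production. Logical names and target paths are assumptions; take them
--    from the output of step 3 in your environment.
RESTORE DATABASE SalesDb_RestoreTest
    FROM URL = 'https://insidemscloud.blob.core.windows.net/insidemscloudsql/SalesDb.bak'
    WITH CREDENTIAL = 'insidemscloud-sql'
        ,MOVE 'SalesDb'     TO 'D:\SQLData\SalesDb_RestoreTest.mdf'
        ,MOVE 'SalesDb_log' TO 'D:\SQLLogs\SalesDb_RestoreTest.ldf'
        ,CHECKSUM
        ,STATS = 10;
GO

-- 5. Confirm the restored copy is consistent before signing off on the test.
DBCC CHECKDB ('SalesDb_RestoreTest') WITH NO_INFOMSGS;
GO
```

Steps 2 and 5 are the ones a backup schedule most often omits: a backup that has never been verified and restored is an untested assumption, and the whole point of keeping the copy in Azure is that it is usable when the on-premises copy is gone.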


12.5.3 Automated SQL Backup in Azure VMs


A key piece of any business continuity plan is a solid disaster recovery procedure. Azure provides
a storage platform that enables organizations to store backups offsite. The following products are
compatible with the SQL Server IaaS Agent features.
Automated Backup:
Windows Server 2012
Windows Server 2012 R2
SQL Server 2014 Standard
SQL Server 2014 Enterprise
Automated Patching:
Windows Server 2012
Windows Server 2012 R2
SQL Server 2012
SQL Server 2014
NOTE: You can automate patching of both SQL 2012 and SQL 2014 VMs, but the automated backup feature
is only available for SQL 2014. You can learn more about the automated SQL patching feature in Chapter 11
SQL Server Deployment and Optimization.
Automated Backup automatically configures Managed Backup to Microsoft Azure for all existing and
new databases on an Azure VM running SQL Server 2014 Standard or Enterprise. This enables you to
configure regular database backups that utilize durable Azure blob storage. The actual configuration
steps vary depending on whether you use the Azure Portal (pictured in figure 12.5.16) or Azure
Windows PowerShell commands.


FIGURE 12.5.16. AUTOMATED SQL BACKUP OPTION IN AZURE PORTAL

To enable this feature on a VM that is already deployed, you will have to use Azure PowerShell to
complete the configuration. A sample script is included below. Be sure to update the values in brackets
<> with values applicable to your environment.
# Storage account that will hold the automated backups
$storageaccount = "<storageaccountname>"
$storageaccountkey = (Get-AzureStorageKey -StorageAccountName $storageaccount).Primary
$storagecontext = New-AzureStorageContext -StorageAccountName $storageaccount `
    -StorageAccountKey $storageaccountkey
# Automated Backup configuration: enabled, with a 10-day retention period
$autobackupconfig = New-AzureVMSqlServerAutoBackupConfig `
    -StorageContext $storagecontext -Enable -RetentionPeriod 10

# Apply the configuration through the SQL Server IaaS Agent extension on the VM
Get-AzureVM -ServiceName "<vmservicename>" -Name "<vmname>" | `
    Set-AzureVMSqlServerExtension -AutoBackupSettings $autobackupconfig | `
    Update-AzureVM


It could take several minutes to install and configure the SQL Server IaaS Agent. View the status of the
VM in the Azure Management Portal. It should indicate that it is installing extensions. The extensions
area should also report that the Microsoft.SqlServer.Management.SqlIaaSAgent is being enabled. In
PowerShell, you can test that the extension has completely installed and configured by using the
following command:
(Get-AzureVM -ServiceName "<vmservicename>" -Name "<vmname>" | `
    Get-AzureVMSqlServerExtension).AutoBackupSettings
To disable automatic backup, run the same script without the -Enable parameter to
New-AzureVMSqlServerAutoBackupConfig. As with installation, it can take several minutes to disable
Automated Backup.
Download the Code
You can download the full script from GitHub at https://github.com/insidemscloud/AzureIaasBook, in
the \Chapter 12 directory. The file name is SQLAutoBackup.ps1.


12.6 3rd Party Azure-Integrated Backup

A popular independent software vendor (ISV) that provides Azure-integrated backup options is Veeam
Software. Their core enterprise backup solution is called Veeam Backup & Replication.
Veeam Backup & Replication is a solution built specifically for virtual environments. It operates at the
virtualization layer and uses an image-based approach for VM backup. To retrieve VM data, no agent
software needs to be installed inside the guest OS. Instead, Veeam Backup & Replication leverages VSS
snapshot capabilities. When a new backup session starts, a VSS snapshot is taken to create a cohesive
point-in-time copy of a VM including its configuration, OS, applications, associated data, system state
and so on. Veeam Backup & Replication uses this point-in-time copy to retrieve VM data. Image-based
backups can be used for different types of recovery, including Instant VM Recovery, full VM recovery, VM
file recovery and file-level recovery.
Veeam Backup and Replication supports the following operating systems, file systems and applications:
vSphere 4.x and 5.x
ESX(i) 4.x and 5.x
All operating systems supported by Hyper-V and VMware
Any application
Any file system
You can protect both VMware and Hyper-V hosts directly. System Center software is optional.
When using Microsoft Azure for offsite backups, there are three implementation options for Veeam
Backup and Replication:
Veeam Integration with StorSimple
Veeam Cloud Connect for Service Providers
Veeam Cloud Connect for Enterprise
Each option is described briefly in the sections that follow.
12.6.1.1 Veeam Integration with StorSimple
The StorSimple hybrid cloud storage solution adds dynamic storage tiering across SSD, SAS and Microsoft
Azure to ensure data growth requirements are always met. StorSimple uses Azure as an extension of its
on-premises storage arrays and automatically tiers data across on-premises storage and cloud storage.


StorSimple makes data protection and archiving to Azure easy and efficient. To Veeam, StorSimple
looks like any other connected, on-premises data repository. However, StorSimple is more than just
storage: it automatically manages the movement of data to and from Azure for efficient availability.
Veeam Backup & Replication provides agentless image-level backup to help meet stringent RPOs and
RTOs while allowing more recovery options than you ever thought possible:
Recovery of a failed VM in as little as two minutes
Near-continuous data protection with built-in replication
Fast, agentless item recovery and e-discovery for Microsoft Exchange, SharePoint and Active
Directory, along with transaction level recovery of SQL databases
Automatic recoverability testing of every backup and every replica, every time
Veeam and StorSimple work in unison to mitigate the cost and management of data growth while
providing secure backup and recovery. Veeam ensures that backups are initially stored on a traditional
primary storage for short-term recovery, and depending on your availability needs, Veeam archives
older versions of backups to StorSimple for long-term compliance. StorSimple will, in turn, ensure that
backups are moved into Azure via cloud snapshot.

FIGURE 12.6.1. VEEAM BACKUP & REPLICATION COUPLED WITH STORSIMPLE

12.6.1.2 Veeam Cloud Connect for Service Providers


Veeam Cloud Connect™ for Service Providers extends the functionality of Veeam Backup &
Replication, enabling service providers to offer customers (tenants) a hosted backup repository in
Microsoft Azure for storage and recovery of backup data. The solution architecture is quite simple,
consisting of the following roles:
Cloud Gateway: The Cloud Gateway is a network service running on a Windows server that
resides on the SP side and acts as a communication point in the cloud. It routes commands and
traffic between the SP, tenants and the cloud repository.


WAN Accelerator (optional): WAN accelerators are optional components in the Veeam Cloud
Connect infrastructure. Tenants may use WAN accelerators for Backup Copy jobs targeted at the cloud
repository. WAN accelerators deployed in the cloud run the same services and perform the same role
as WAN accelerators in an on-premises backup infrastructure. When configuring Veeam Backup Copy
jobs, tenants can choose to exchange data over a direct channel or communicate with the cloud
repository via a pair of WAN accelerators. To pass VM data via WAN accelerators, the service provider
and tenants must each configure a WAN accelerator: the source WAN accelerator is located on the tenant
side (in the tenant data center), and the target WAN accelerator is configured on the SP side.
Tenant Veeam Backup Server: To connect to the cloud and use the cloud repository service
provided by the SP, tenants utilize Veeam backup servers deployed on their side.

FIGURE 12.6.2. VEEAM CLOUD CONNECT POC ARCHITECTURE

Expanding the capacity of the single VM setup is easy to do leveraging the distributed model of Veeam
Backup & Replication, along with the rapid resource provisioning capabilities in Azure. The diagram
below illustrates a distributed model.

FIGURE 12.6.3. VEEAM CLOUD CONNECT PRODUCTION ARCHITECTURE


For systems integrators trying to build a successful business in the Microsoft cloud, Veeam Cloud
Connect is another service that partners can offer to create a recurring revenue stream.
As a Veeam Cloud Connect Service Provider, you deploy from the Azure Marketplace, where you will find
the Veeam Cloud Connect VM offering. If your company is not yet enrolled in the Veeam Cloud Provider
Program, you can click the link provided in the Azure Marketplace offering and receive a 30-day trial.

FIGURE 12.6.4. VEEAM CLOUD CONNECT PRODUCTION ARCHITECTURE

You will find multiple resources on the Veeam website to familiarize you with the solution, including
the following whitepapers, which cover everything from reference architecture to comprehensive
hands-on deployment guidance.
Veeam Backup & Replication v8: Cloud Connect Reference Architecture
http://www.veeam.com/wp-cloud-connect-reference-architecture-veeam-backup-replication-v8.html
Veeam Cloud Connect: Manual configuration guide for Microsoft Azure
http://www.veeam.com/wp-build-services-business-veeam-microsoft-azure.html
Veeam Cloud Connect: Pre-configured VM deployment from the Microsoft Azure Marketplace
http://www.veeam.com/wp-build-services-business-veeam-microsoft-azure-marketplace.html
These resources and a 30-day trial license make getting up to speed a manageable task.
12.6.1.3 Veeam Cloud Connect for Enterprise
Veeam Cloud Connect™ for Enterprise, a new offering from Veeam, is a Cloud Connect option for
customers who would prefer to manage their own hybrid disaster recovery strategy. You will find the
Veeam Cloud for Enterprise offering in the Azure Marketplace as well. The VM is basically the same as
the Service Provider edition. It is the license that enables the Enterprise edition.


12.7 Summary
Microsoft offers a number of workload protection options in Azure, enabling organizations to ensure their
data is protected in the event of a disaster, even if they don't have a second data center. With the Azure Backup
service, Microsoft has enabled a comprehensive, cloud-based offsite backup solution. Azure backup vaults
provide secure, encrypted backup targets for customers of all sizes. Whether an organization has more
complex backup and recovery configurations utilizing Data Protection Manager, or whether they have a
simpler, more basic need for offsite backup, Azure Backup enables offsite backup for everyone.
With Azure Site Recovery, Microsoft has enabled cloud-based disaster recovery orchestration. In what is
perhaps one of the simplest, most easy-to-use implementations of disaster recovery ever, Azure Site Recovery
enables effective disaster recovery for organizations of all sizes. With Azure Site Recovery, disaster recovery
plans can easily be tested, ensuring business continuity in the event of an actual disaster.
With multiple protection options for Microsoft SQL Server, organizations have greater flexibility in
planning and implementing high availability and disaster recovery strategies for one of the most
common (and often, most critical) workloads in a variety of scenarios.
For partners and customers looking to leverage capabilities of Azure as part of a hybrid disaster
recovery strategy for heterogeneous environments, Veeam offers options to suit a variety of needs.
In the next chapter, we will examine monitoring and reporting options for systems and applications
running in Microsoft Azure.


Chapter 13: Monitoring and Reporting
This chapter will focus on two key components of cloud computing: monitoring and reporting. Monitoring
will help us make sure all services are online and have the configuration and compute resources for optimal
performance. In the cloud era with quick scale in and out, monitoring can also deliver information about
capacity versus demand, which we can then use to automatically scale instances in and out to reduce
unnecessary spending on storage and compute resources. Because cost savings is often one of the
compelling benefits that drives cloud adoption, this deserves some attention as well.
Monitoring in this chapter will focus on monitoring of virtual machines (VMs) in Microsoft Azure and
connected storage accounts. In the reporting section of the chapter, we will focus on reporting of usage and
capacity of VMs running in Microsoft Azure. Data from monitoring tools are often the source of reporting
information. Therefore the chapter will begin with monitoring and conclude with reporting.


13.1 Monitoring
Monitoring of VMs running in Microsoft Azure can be accomplished in a couple of different ways.
Which method is best will be determined by your need for breadth and depth of monitoring data, as
well as your budget. Your options include:
Azure Management Portal: The Azure management portal can provide us with light monitoring.
System Center 2012 R2 Operations Manager: Provides deep monitoring inside of the VM.
Microsoft Operations Management Suite: Provides deep configuration monitoring, performance
and event analysis, making sure all settings inside of our VMs are according to best practices.
When discussing monitoring of VMs in Microsoft Azure, it is important to remember that everything
above the hardware layer is still your responsibility. Microsoft Azure is responsible for maintenance of
the fabric (patching Hyper-V hosts, etc.) and running the VM. Everything above the hypervisor (VMs and
applications installed on them) is up to you to manage and monitor.
Another important topic regarding management of VMs in Microsoft Azure is that all outgoing traffic
(data egress) from a Microsoft Azure datacenter is billed (if not connected with ExpressRoute). In some
scenarios, a more practical option is to deploy the monitoring solution, such as System Center 2012 R2
Operations Manager (Operations Manager), in Microsoft Azure and connect to the monitoring solution
with a console, instead of sending all monitoring data to the on-premises data center. This option
nearly eliminates charges related to data egress from your Azure subscription.
Today, Operations Management Suite (OMS) cannot replace Operations Manager regarding real time
monitoring, but it might be a good alternative in the future. At present, OMS enhances the native
capabilities of Operations Manager.
The Microsoft support statement for System Center 2012 R2 is available in Microsoft server software
support for Microsoft Azure VMs at https://support.microsoft.com/en-us/kb/2721672.


13.1.1 Monitoring with the Azure Management Portal
The Azure management portal (https://portal.azure.com) provides three features we can use around
monitoring: dashboarding, Azure Diagnostics, as well as alert rules. Even if these features are light, they
can provide valuable information and in some scenarios fulfill the monitoring requirements.
Note: You can read more about Azure Diagnostics on the Microsoft website in Microsoft Azure Virtual
Machine Monitoring with Azure Diagnostics Extension at
https://azure.microsoft.com/en-us/blog/windows-azure-virtual-machine-monitoring-with-wad-extension/.
The VM dashboard, shown in figure 13.1.1, provides you with a set of performance counters.

FIGURE 13.1.1. VIRTUAL MACHINE DASHBOARD

Figure 13.1.2 shows all performance counters available for a VM by default, as well as the configuration
options of the time range and chart type.


FIGURE 13.1.2 AVAILABLE PERFORMANCE COUNTERS

In the Microsoft Azure management portal, you can configure a rule to send a notification when a
performance counter hits a threshold. Follow these steps to configure a notification rule based on a
performance counter:
1. Open the Microsoft Azure management portal.
2. Click Virtual Machine.
3. Click on one of your VMs.
4. On the virtual machine dashboard, click the ALL SETTINGS link shown in figure 13.1.1.
5. On the Settings blade, click Alert rules.


6. On the Alert rules blade, click Add alert.
7. On the Add an alert rule blade, fill in name, select metrics and configure condition, then click OK.
8. To verify that alert rules are configured, you can navigate to the Settings blade and click Alert rules.
You can also configure the alert rule to send e-mail notification and invoke a webhook. A webhook
can be used to invoke an Azure Automation runbook that executes a number of activities, such as
performing corrective actions inside the VM. When configuring the condition, you have the option
to set the alert evaluation window. This is important to set properly, as you don't want to generate
notifications for brief spikes of CPU performance.
If you want to send an e-mail to a recipient that is not an administrator or co-administrator of the Azure
subscription, you can use the additional administrator email option and uncheck Email service and
co-administrators. This is a good option if you want to notify a server owner.
Figure 13.1.3 shows an alert rule generating alert and e-mail notification when memory percentage is
greater than 80 for more than five minutes.
Note: You can read more about Webhooks in Azure Automation in Azure Automation Webhooks on the
Microsoft website at https://azure.microsoft.com/en-us/documentation/articles/automation-webhooks/.

FIGURE 13.1.3. ALERT RULE SETTINGS


Storage accounts are used by VMs to store virtual hard disks. If there is a performance issue with the
storage account, it may negatively impact VM performance. The storage account monitor dashboard,
shown in figure 13.1.4, provides a set of performance counters related to the storage account. To
monitor VM related performance counters, you only need to enable monitoring of blobs. VMs read and
write to their virtual hard disks by using the GetBlob and PutPage REST API commands. To add alert
rules for these metrics, just as you would with VMs, perform the following steps:
1. Browse to the Microsoft Azure management portal.
2. Find one of your storage accounts.
3. Click All settings
4. On the Settings blade, click Alert rules
5. On the Alert rules blade, click Add alert
6. On the Add an alert rule blade, fill in the name and the condition for the alert rule. Click OK to store the
new alert rule. Webhooks and e-mail notification can be used the same way as when monitoring VMs

FIGURE 13.1.4. MICROSOFT AZURE STORAGE ACCOUNT DASHBOARD


Verbose or Minimal monitoring, which one to use? Before monitoring blob performance, you need
to enable monitoring. Monitoring can be configured on two different levels; minimal/aggregate
and verbose/API metrics. When using minimal, only the aggregated value is available for each
performance counter. This is the recommended setting for daily monitoring.
Verbose monitoring is recommended for troubleshooting and detailed analysis only. The log file is
stored on the storage account in a hidden folder named $logs. You can also use this data to trace
requests, analyze usage trends, and diagnose issues within the storage account. You can use storage
tools such as CloudBerry (http://www.cloudberrylab.com/) or CloudXplorer
(http://clumsyleaf.com/products/cloudxplorer) to access the log files. Figure 13.1.5 shows an example of a storage log file.

FIGURE 13.1.5. STORAGE ACCOUNT LOGFILE

It is possible to create notification rules for storage accounts the same way we did with VMs. An
interesting performance counter to monitor is the E2E Latency counter. E2E Latency is the average
end-to-end latency of successful requests made to the storage account. This value includes the required
processing time within Windows Azure Storage to read the request, send the response, and receive
acknowledgement of the response. To add a rule to monitor E2E latency, follow these steps:
1. Browse to Microsoft Azure management portal.
2. Find the storage account
3. On the storage account, click All settings
4. On the Settings blade, click Alert rules
5. On the Alert Rules blade, click Add Alert
6. On the Add an alert rule blade, fill in the name and select the AverageE2ELatency metric.
7. On the Add an alert rule blade, fill in condition, for example greater than 25 during 15 minutes.
8. Save your changes. The alert rule is now configured and will generate an e-mail if the threshold
configured in the rule is breached.
You can configure webhooks and e-mail notifications in the same manner as with VMs.
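The $logs records and the 25 ms E2E latency threshold from the steps above, worked through in an added Python example that is not from the book: it parses constructed Storage Analytics version 1.0 log lines (the documented 30-field layout), averages end-to-end latency per operation such as GetBlob and PutPage, reports which operations breach the threshold, and lists successful anonymous requests, which should not occur against an account holding VM disks. The helper and field names are this example's own.

```python
"""Parse Azure Storage Analytics ($logs) records and evaluate the E2E latency
threshold from the alert rule in the text (average greater than 25 ms).
Added example, not from the book. The record layout follows the documented
Storage Analytics log format version 1.0 (30 semicolon-separated fields, with
URL, key, ETag and client-request-id double-quoted). All samples are constructed.
"""
from __future__ import annotations
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Field names in the order they appear in a version 1.0 log record.
FIELDS = [
    "version_number", "request_start_time", "operation_type", "request_status",
    "http_status_code", "end_to_end_latency_in_ms", "server_latency_in_ms",
    "authentication_type", "requester_account_name", "owner_account_name",
    "service_type", "request_url", "requested_object_key", "request_id_header",
    "operation_count", "requester_ip_address", "request_version_header",
    "request_header_size", "request_packet_size", "response_header_size",
    "response_packet_size", "request_content_length", "request_md5",
    "server_md5", "etag_identifier", "last_modified_time",
    "conditional_headers", "user_agent_header", "referrer_header",
    "client_request_id",
]

@dataclass
class StorageRequest:
    operation: str       # e.g. GetBlob, PutPage
    status: str          # e.g. Success, AnonymousSuccess, ServerTimeoutError
    e2e_latency_ms: int
    auth_type: str       # authenticated, sas or anonymous
    requester_ip: str
    object_key: str

def parse_log(text: str) -> list[StorageRequest]:
    """Parse $logs text; truncated or unknown-version lines are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) != len(FIELDS) or row[0] != "1.0":
            continue
        rec = dict(zip(FIELDS, row))
        records.append(StorageRequest(
            operation=rec["operation_type"],
            status=rec["request_status"],
            e2e_latency_ms=int(rec["end_to_end_latency_in_ms"]),
            auth_type=rec["authentication_type"],
            requester_ip=rec["requester_ip_address"],
            object_key=rec["requested_object_key"],
        ))
    return records

def average_e2e_latency(records: list[StorageRequest]) -> dict[str, float]:
    """Average end-to-end latency per operation over successful requests only,
    which is how the E2E Latency counter is defined in the text."""
    buckets: dict[str, list[int]] = defaultdict(list)
    for r in records:
        if r.status.endswith("Success"):
            buckets[r.operation].append(r.e2e_latency_ms)
    return {op: mean(values) for op, values in buckets.items()}

def operations_over_threshold(records: list[StorageRequest], threshold_ms: int = 25) -> list[str]:
    """Operation types whose average E2E latency breaches the alert rule threshold."""
    return sorted(op for op, avg in average_e2e_latency(records).items() if avg > threshold_ms)

def anonymous_successes(records: list[StorageRequest]) -> list[StorageRequest]:
    """Successful unauthenticated requests. On an account holding VM disks these
    deserve review: only the platform and authorized tooling should read the VHDs."""
    return [r for r in records if r.auth_type == "anonymous" and r.status.endswith("Success")]

def _sample_record(operation, status, http_status, e2e_ms, server_ms, auth, ip, key):
    """Build one constructed version 1.0 record with all 30 fields."""
    fields = [""] * len(FIELDS)
    fields[0], fields[1] = "1.0", "2015-10-06T08:00:01.0000000Z"
    fields[2:8] = [operation, status, str(http_status), str(e2e_ms), str(server_ms), auth]
    fields[9], fields[10] = "contosovms", "blob"
    fields[11] = f'"https://contosovms.blob.core.windows.net{key}"'
    fields[12] = f'"/contosovms{key}"'
    fields[15] = ip
    return ";".join(fields)

# Constructed $logs content: disk reads/writes, a timeout, an anonymous read, a truncated line.
SAMPLE_LOG = "\n".join([
    _sample_record("GetBlob", "Success", 200, 18, 10, "authenticated", "10.0.0.4", "/vhds/web01.vhd"),
    _sample_record("GetBlob", "Success", 200, 22, 12, "authenticated", "10.0.0.4", "/vhds/web01.vhd"),
    _sample_record("PutPage", "Success", 201, 31, 20, "authenticated", "10.0.0.5", "/vhds/sql01.vhd"),
    _sample_record("PutPage", "Success", 201, 35, 22, "authenticated", "10.0.0.5", "/vhds/sql01.vhd"),
    _sample_record("GetBlob", "ServerTimeoutError", 500, 30000, 30000, "authenticated", "10.0.0.4", "/vhds/web01.vhd"),
    _sample_record("GetBlob", "AnonymousSuccess", 200, 15, 9, "anonymous", "198.51.100.7", "/vhds/web01.vhd"),
    "1.0;truncated record",
])

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for op, avg in sorted(average_e2e_latency(recs).items()):
        print(f"{op:<8} average E2E latency {avg:.1f} ms")
    print("over threshold:", operations_over_threshold(recs))
    print("anonymous reads from:", [r.requester_ip for r in anonymous_successes(recs)])
```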


13.1.2 System Center Operations Manager

Operations Manager is the monitoring component in Microsoft System Center. The current version of
Operations Manager is 2012 R2. Operations Manager is a cross-platform monitoring solution focused
on service monitoring. Cross-platform support means that Operations Manager can monitor Windows
computers, UNIX/Linux computers and network devices. With its service-level monitoring focus, you
can configure Operations Manager to provide a dashboard presenting health status of your service,
including each component of the service, as well as status of the service as a whole. This provides
great value for today's complex applications and services delivered by modern datacenters. Instead of
needing multiple monitoring solutions, Operations Manager gives you one console for all components.
Out of the box, Operations Manager does not monitor anything except itself. You need to import
management packs to extend the default monitoring functionality. Each management pack includes
knowledge and technical information on how to monitor a product or a service, as well as how to resolve
common issues when they arise. For example, the SQL Server management pack includes information
about how to monitor SQL server components and utilization, like threshold for the CPU, but it also includes
reports on SQL health, performance and configuration. The management pack generally also includes
product knowledge describing possible causes and potential resolutions for the issue that raised the alert.
As management packs can be imported through a simple wizard, you can quickly import the management
packs you need to monitor the applications present in your environment. While all Operations Manager
management packs have default settings for monitoring, including monitor thresholds, each management
pack may need tuning to best adjust the thresholds and settings for your environment.
Microsoft has released an Operations Manager management pack for Microsoft Azure (although the
management pack is still named Windows Azure). The scope for this management pack is to monitor
availability and performance of your Microsoft Azure fabric resources. The management pack includes
the following functionality:
Microsoft Azure Cloud services:
  Discover cloud services
  Collect and monitor performance information, Windows events and .NET Framework trace
  messages from each role instance
  Changes to the number of role instances in a cloud service
Microsoft Azure storage:
  Monitor performance, events and .NET Framework trace data
  Monitor availability and size of storage accounts
  If using Microsoft Azure Diagnostics, performance and event information is written to the
  storage accounts and is never deleted automatically. The management pack can be used to delete these files.
Virtual machine:
  Monitor status of role instances of a VM

  Discover and map relationships between Microsoft Azure resources
  Monitor management and cloud certificates
IMPORTANT: At the time of this writing, the Microsoft Azure Management Pack only monitors Azure Service
Management (Azure v1) resources. An updated management pack is expected sometime in the next few months.
The management pack uses various Microsoft Azure APIs (application programming interface) to
remotely discover and monitor resources in Microsoft Azure - for example, VMs. To set up monitoring of
resources in Microsoft Azure you need to perform the following steps:
1. Enable and configure Microsoft Azure diagnostics for all applications that you want to monitor.
2. Upload a certificate to the Microsoft Azure management portal.
3. Import the Microsoft Azure management packs into Operations Manager.
4. Set up a connection in the Operations Manager console to your Microsoft Azure subscription.
5. Set up monitoring with the Microsoft Azure monitoring template in the Operations Manager
console. By default, this management pack does not monitor anything. You will need to configure
which VMs, storage and cloud services you want to monitor.
Once you have completed setup and configuration, you can use different views in the Operations
Manager console to monitor state, health and performance of your Microsoft Azure resources.
For more information about enabling Microsoft Azure Diagnostics, see TechNet
http://go.microsoft.com/fwlink/?LinkId=186765.
To authenticate to Microsoft Azure APIs, Operations Manager uses a certificate. This certificate must be
uploaded to Microsoft Azure before trying to configure the management pack.
More information about how to configure the certificate can be found at MSDN
http://msdn.microsoft.com/en-us/library/azure/gg551722.aspx.
Configuring the Azure Management Pack
After you have configured Azure diagnostics and the management certificate, perform the following
steps to configure the Microsoft Azure management pack.
1. Navigate to http://www.microsoft.com/en-us/download/details.aspx?id=38414 and download the
latest version of the management pack for Microsoft Azure. After you have downloaded the file,
extract it to a temporary folder on your hard disk.
2. In the Operations Manager console, navigate to the Administration workspace and click
Management Packs.
3. In the Tasks pane click Import Management Packs.
4. In the Import Management Packs dialog box, select Add, Add from disk.


5. Select Yes in the Online Catalog Connection dialog box, as we want Operations Manager to
download any required management packs that are missing.
6. In the Select Management Packs to import dialog box, navigate to the temporary folder where you
extracted the management pack files. By default the folder for the extracted management pack
files is C:\Program Files (x86)\System Center Management Packs\System Center Management Pack for
Windows Azure.
7. Select both management pack files, Microsoft.SystemCenter.WindowsAzure.mpb and
Microsoft.SystemCenter.WindowsAzure.SLA.mpb, and click Open.
8. In the Import Management Packs dialog box, click Install. Once both management packs are
imported, click Close.
9. To configure the management pack to work with your subscription, navigate to the Windows Azure
node in the Administration workspace.
node in the Administration workspace.
10. In the Windows Azure Overview view, click Add subscription.
11. In the Add Windows Azure subscription wizard, input your subscription ID. This can be found in the
Microsoft Azure management portal, on the Settings page. Also specify the certificate file (in PFX
format) to use, as well as the password for the certificate file. In the Microsoft Azure management
portal you need to upload the certificate in CER format. Click Next.
12. In the Add Windows Azure subscription wizard, select a resource pool to use for the monitoring of
Azure resources. Click Add Subscription.
Note: Since you are monitoring public cloud resources, the resource pool must have Internet access.


13. In the Add Windows Azure subscription wizard, verify that the subscription has been successfully added
and then click Finish. Figure 13.1.6 shows the wizard with a successfully added Microsoft Azure subscription.

FIGURE 13.1.6. SUCCESSFULLY ADDED MICROSOFT AZURE SUBSCRIPTION IN OPERATIONS MANAGER

Before we configure monitoring, we need to verify that Operations Manager has discovered our
resources in Microsoft Azure. In the Operations Manager console, navigate to the Monitoring
workspace and expand the Windows Azure folder. In the Windows Azure folder, there is a sub-folder
named Azure Resource Inventory. This folder contains a number of views that will list all discovered
resources, such as VMs. These objects will have no health state, as shown in figure 13.1.7, as we are not
monitoring them yet. Note that the discovery can take up to an hour.

FIGURE 13.1.7. DISCOVERED VIRTUAL MACHINES, BUT NOT YET MONITORED


Configuring Resource Monitoring

You have now configured Operations Manager to communicate with your Microsoft Azure
subscription and verified that discovery is working. The next step is to configure what to
monitor. The scope of this chapter is monitoring VMs in Microsoft Azure. Tightly connected with
VMs is storage, so we will configure monitoring for storage and VMs. Follow these steps to configure
monitoring of VMs:
1. In the Operations Manager console, navigate to the Authoring workspace.
2. In the Authoring workspace, click Add Monitoring Wizard.
3. In the Add Monitoring Wizard, monitoring type, select Windows Azure Monitoring and click Next.
4. In the Add Monitoring Wizard, general properties, input a name, for example Contoso IT Azure.
Create a new management pack and store the settings. Click Next.
Best practice is to always create a separate management pack (override management pack)
for saving your customizations (overrides) for each sealed management pack that you import,
rather than saving your overrides to the Default Management Pack.
5. In the Add Monitoring Wizard, subscription page, select the Microsoft Azure subscription, click Next.
6. In the Add Monitoring Wizard, Cloud Services, the scope is to monitor virtual machines. We will not
select any cloud services, click Next.
7. In the Add Monitoring Wizard, Virtual machines, click Add.
8. In the Select Virtual Machines dialog box, search and add all VMs you want to monitor. Click OK.
9. In the Add Monitoring Wizard, Virtual machines, as shown in figure 13.1.8, click Next.

FIGURE 13.1.8. VIRTUAL MACHINES TO MONITOR


10. In the Add Monitoring Wizard, Storage, click Add.
11. In the Select Storage dialog box, search and add all storage items you want to monitor. Click OK.
12. In the Add Monitoring Wizard, Storage, as shown in figure 13.1.9, click Next.

FIGURE 13.1.9. STORAGE ACCOUNTS TO MONITOR

13. In the Add Monitoring Wizard, Summary, verify all settings and click Create.
You have now configured Operations Manager to monitor VMs and storage in Azure. If you navigate to
the Virtual Machine State, under the Windows Azure folder in the Monitoring workspace, you will soon
see a health state on each VM, as shown in figure 13.1.10.

FIGURE 13.1.10. VIRTUAL MACHINES ARE NOW MONITORED BY OPERATIONS MANAGER


The Microsoft Azure management pack contains a large number of views out of the box. These views can be
used when monitoring Microsoft Azure resources. The management pack includes a number of performance
views, one of which is shown in figure 13.1.11, that can be used for both proactive and reactive work.

FIGURE 13.1.11. STORAGE ACCOUNT PERFORMANCE VIEW IN OPERATIONS MANAGER

Operations Manager is now monitoring your VMs and storage from the outside, from the Microsoft
Azure fabric perspective. The current monitoring we have configured for Azure resources is more or less
on the same level as monitoring a VM from Hyper-V host perspective.
To monitor deeper performance of the VM and applications, such as disk monitoring and application
specifics, you need to install an agent on each VM in the same way you install agents to VMs and
physical servers in your datacenter. As an example, for an Azure VM running SQL Server, you will want to
install the Operations Manager agent on the VM, and import the Windows Server management pack
and the SQL Server management pack for monitoring the VM operating system and SQL application.


13.1.3 Azure Operations Management Suite

Operations Management Suite (OMS) is a cloud based system management solution. OMS brings value
in four areas today: automation, backup, log analytics and security. Operations Manager and OMS can
work together, or the OMS agent can be installed without Operations Manager. The agent collects data
from the server and sends it to OMS. If Operations Manager is used to connect managed servers with
OMS, some settings can be controlled from Operations Manager and the agent is shared between OMS
and Operations Manager. OMS then analyzes the data and presents the result in the OMS portal, shown
figure 13.1.12, and sends some of the results back to Operations Manager as alerts, as shown in figure
13.1.13. OMS includes a number of Solutions, formerly known as Intelligence packs or solution packs,
which are used to analyze the data. For example the SQL Assessment intelligence pack will review a
variety of settings and recommended values for SQL servers.
To access all data and information from OMS, you need to log on to the portal, shown in figure 13.1.12. In
the portal you can generate reports, review issues, read knowledge and review collected data.

FIGURE 13.1.12 AZURE OPERATIONAL INSIGHTS MANAGEMENT PORTAL

OMS includes Solutions that can collect and analyze data related to the following:
Active Directory Assessment: Assesses configuration state (based on MS best practices)
and health of Active Directory.
Malware Assessment: Status of antivirus and antimalware. The current version of the solution supports
collecting status from Windows Defender and System Center Endpoint Protection (SCEP) real-time clients.
Backup: View usage in an Azure Backup vault, including total storage usage and number of executed jobs.
Capacity Planning: Capacity planning and visibility into your private cloud. You can use this
solution to test what-if scenarios and identify over- or under-allocated virtual machines. This
solution can also be useful when planning compute and storage for your private cloud.
Note: This solution requires Operations Manager and Virtual Machine Manager in an integrated
configuration to provide the necessary performance data to feed the Capacity Planning solution.


Security and Audit: Explores security related data and helps find security risks. This solution also
collects and analyzes security logs. With this solution you can track activities in, for example,
Active Directory, such as failed logons or users added to groups.
SQL Assessment: Assesses configuration state (based on MS best practices) and health of
SQL Server instances. With this solution you can, for example, see if there is a recommended
reconfiguration on your SQL servers, including knowledge about why this setting is recommended.
Wire Data: This solution collects data about your network, such as networks and subnets. It also
collects network traffic from monitored servers. In the OMS portal you can then analyze the traffic on
your networks, such as the amount of data sent by a server and which protocols the server is using to
communicate. This solution can help you identify servers communicating in unexpected ways.
Alert Management: Presents a summary of Operations Manager alert data and analyzes the Operations
Manager environment. With this solution, you can gain insights into trends in your Operations Manager
environment, such as most common alerts or which management packs generate the most alerts.
Note: This solution requires a connection to an Operations Manager management group to function.
Automation: Review and monitor an Azure Automation account. From the OMS dashboard, you
can see the number of runbook jobs executed.
Change Tracking: The change tracking solution keeps track of changes made by Windows
Installer, such as whether an MSI package has been installed or uninstalled. The solution also keeps track of
changes to Windows Services.
System Update Assessment: Identifies missing updates and servers not recently updated.
Azure Site Recovery: Monitors replication status for Hyper-V and VMware VMs to an Azure Site
Recovery vault. The current versions of the Azure Site Recovery and Azure Backup solutions support
monitoring only one backup vault and one site recovery vault.


Deficiencies and other error conditions identified in OMS can then be fed into Operations Manager,
where alerts are generated, as shown in figure 13.1.13.

FIGURE 13.1.13 ALERT IN OPERATIONS MANAGER GENERATED BY OMS

As you can see, there are many monitoring options for Azure VMs and related infrastructure, which can
be used together to meet a variety of monitoring needs.


13.2 Reporting
This section of the chapter will focus on reports, primarily usage reports. Cost is often a big business
driver for moving to Microsoft Azure, which makes Microsoft Azure billing and usage reports highly
important. When talking about reporting for VMs running in Microsoft Azure, there are two different
native alternatives. Which is best depends on how the organization is using Microsoft Azure. We will
discuss reporting in the Microsoft Azure management portal, as well as reporting with System Center
2012 R2 Service Manager (Service Manager).
Service Manager is the IT Service Management (ITSM) component and self-service user interface
described in Chapter 10 Automation. It also includes a reporting feature that can be
leveraged to provide basic showback reporting for Azure consumption.
Microsoft Azure will generate an invoice with all the compute hours that have been used for the
invoice time frame, such as last month. Figure 13.2.1 shows an invoice overview of all resources used
and the cost. The invoice shown in figure 13.2.1 has a pre-paid amount of dollars to spend each
month. The invoice will also specify storage, network and data operations. For example, read and write
transactions to the storage account. In the Azure management portal you can download usage details
in CSV file format. The format of these files is very raw, as shown in figure 13.2.2, and data often needs
to be manipulated before being published.

FIGURE 13.2.1. SUMMARY OF USED RESOURCES


FIGURE 13.2.2. DETAILED AZURE USAGE REPORT

Enabling Chargeback or Showback

Even with detailed information about usage for each VM and storage account, there is no information
about who owns each VM. In order to facilitate any kind of chargeback or showback reporting, you
will need to store information about VM ownership outside of Microsoft Azure, and correlate that
information with the detailed usage report information downloaded from Microsoft Azure yourself.
The other alternative is to use one Microsoft Azure subscription for each team. Then, each team will get a
bill and usage report directly from Microsoft. The drawback of this solution is that the IT organization has no
centralized control. Each team can access their own Azure subscription and deploy VMs in any way they see
fit, with no compliance or cost requirements or restrictions. The IT organization cannot guarantee that VMs
deployed in the various Azure subscriptions fulfill corporate IT policies - for example, security regulations
regarding antivirus. The challenges for this alternative are as large in their own way as the first alternative,
where we had one Microsoft Azure subscription for multiple teams and cost centers.
A third alternative is to use resource groups and tags within one Azure subscription. Azure resources are
stored in resource groups, and each resource group can contain multiple resources. Resources can then be
grouped by resource group on the invoice. You can also use tags on each resource to group across resource
groups on the invoice. With this alternative, you will get an invoice from Microsoft where all
resources are grouped by resource group, for example one for Test and one for Production resources.
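The first and third alternatives above both come down to the same data manipulation: take the raw usage
details export, attach an owner to every line, and sum cost per owner, per resource group or per tag. The
following script is an added example written for this chapter; it is not code from the book, from Microsoft
or from Veeam. The usage CSV and the ownership table are constructed samples, and the column names
(Usage Date, Resource Name, Resource Group, Tags, Consumed, Unit Price) are assumptions, not the exact
schema of the Azure export, so map them to the real column headers of the file you download. Rows that
have neither an external ownership record nor a cost-center tag are reported separately, because those are
exactly the lines that cannot be charged back.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a detailed usage export. Column names are an assumption,
# not the exact Azure CSV schema; adjust them to match the downloaded file.
USAGE_CSV = """\
Usage Date,Resource Type,Resource Name,Resource Group,Tags,Unit,Consumed,Unit Price
2015-09-01,Virtual Machine,web01,rg-prod,"env=Production;costcenter=Sales",Hours,24,0.09
2015-09-01,Virtual Machine,web02,rg-prod,"env=Production;costcenter=Sales",Hours,24,0.09
2015-09-01,Virtual Machine,test01,rg-test,"env=Test",Hours,8,0.09
2015-09-01,Storage,storacct01,rg-prod,"",Transactions (10K),120,0.004
2015-09-01,Virtual Machine,orphan01,rg-misc,"",Hours,24,0.18
"""

# Ownership information kept outside Azure, e.g. an export from the Service
# Manager CMDB. Constructed sample: resource name -> cost center.
OWNERS = {
    "web01": "Sales",
    "web02": "Sales",
    "test01": "R&D",
    "storacct01": "Sales",
}


def parse_tags(tag_field):
    """Turn 'k1=v1;k2=v2' into a dict; an empty field gives an empty dict."""
    tags = {}
    for item in tag_field.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def load_usage(text):
    """Parse the CSV export and compute the cost of every line item."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Cost"] = round(float(row["Consumed"]) * float(row["Unit Price"]), 4)
        row["TagMap"] = parse_tags(row["Tags"])
        rows.append(row)
    return rows


def showback(rows, owners, group_tag="costcenter"):
    """Cost per cost center. Owner lookup order: the external ownership table,
    then the cost-center tag on the resource, then 'Unassigned'."""
    totals = defaultdict(float)
    for row in rows:
        owner = owners.get(row["Resource Name"]) or row["TagMap"].get(group_tag) or "Unassigned"
        totals[owner] += row["Cost"]
    return {k: round(v, 4) for k, v in totals.items()}


def by_resource_group(rows):
    """Cost per resource group, the grouping Azure itself can show on the invoice."""
    totals = defaultdict(float)
    for row in rows:
        totals[row["Resource Group"]] += row["Cost"]
    return {k: round(v, 4) for k, v in totals.items()}


def unassigned_resources(rows, owners, group_tag="costcenter"):
    """Resources with neither an owner record nor a cost-center tag: these
    rows cannot be charged back and need an owner assigned."""
    return sorted(
        r["Resource Name"] for r in rows
        if r["Resource Name"] not in owners and group_tag not in r["TagMap"]
    )


if __name__ == "__main__":
    usage = load_usage(USAGE_CSV)
    print("Per cost center:   ", showback(usage, OWNERS))
    print("Per resource group:", by_resource_group(usage))
    print("Unassigned:        ", unassigned_resources(usage, OWNERS))
```

In practice the ownership table would be exported from the CMDB on the same schedule as the usage file,
and the unassigned list becomes the work queue for whoever keeps ownership data current.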
A solution to control deployment in an Azure subscription can be to use System Center 2012 R2 Service
Manager together with an automation platform, such as SMA or Azure Automation. Automation
options for Azure are described in greater detail in Chapter 10 Automation. These two components
can provide a self-service portal and automation. Different team members can request new virtual
servers, and depending on the user or cost center, System Center can deploy the machines in different
subscriptions or resource groups. The IT organization can control access and usage of subscriptions and
easily generate billing reports at month-end.
It is important to remember that VMs in Microsoft Azure are just like VMs in your own datacenter.
Microsoft Azure does not manage them for you. You still have to administer everything within and
around the VM. Areas for which you are responsible include, but are not limited to, implementing
security requirements, monitoring, data backup, self-service, and reporting.


With System Center components in place, the flow of a self-service request would be:
1. A request is placed in the System Center Service Manager (Service Manager) self-service portal.
2. In Service Manager, the request generates a service request work item.
3. When the service request is approved, Service Manager invokes the automation platform, for
example Azure Automation.
4. Azure Automation builds the new VM in Microsoft Azure.
5. Azure Automation creates a new configuration item (CI) in the Service Manager CMDB.
6. The work item (the service request) is marked as completed in Service Manager.
The result will be a new VM in Microsoft Azure, added by Azure Automation to meet corporate IT policy
and compliance requirements, and a new CI is created in the CMDB for tracking the new VM. The CI in
the Service Manager CMDB is the key to reporting. With this CI, we can use Service Manager's powerful
reporting mechanism to generate reports. Figure 13.2.3 shows a custom report in Service Manager
that shows all VMs in Microsoft Azure grouped by different Microsoft Azure subscriptions. Figure 13.2.4
shows the same report with detailed information for the Infrastructure subscription. Even if the usage
report and billing information is sent from Microsoft to the different cost centers directly, there is value
for the IT organization in keeping track of VMs running in Microsoft Azure.

FIGURE 13.2.3. SUMMARY REPORT FOR VIRTUAL MACHINES IN MICROSOFT AZURE


FIGURE 13.2.4. DRILL DOWN FOR THE INFRASTRUCTURE SUBSCRIPTION

In the report shown in figures 13.2.3 and 13.2.4, we have an Expire Date column implemented as part
of the automated self-service configuration. This property is used for lifecycle management of the VMs,
as well as to forecast costs. When a tenant requests a VM, they must supply an expiration date. Before
the expiration date, the automation platform can be configured with a runbook to send the requestor/
owner of the VM an e-mail asking if they want to extend the expire date for the VM. If the VM expires,
the automation platform can then be configured to automate the deletion of the VM.
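The Expire Date property drives two things in the passage above: the lifecycle runbook (remind the owner
before expiry, delete after expiry) and the cost forecast. The following script is an added example written
for this chapter, not code from the book or from any runbook shipped by Microsoft; it shows the decision
logic such a runbook would apply to CMDB records. The VM records are constructed, and the field names
(expire_date, daily_cost, subscription) are assumptions about what the automated self-service configuration
stores on the CI. A VM without an expire date is flagged for review rather than silently kept, since it
cannot be lifecycle-managed at all.

```python
from datetime import date

# Constructed CMDB records for Azure VMs, as the automation platform would
# create them at provisioning time. Field names are assumptions.
VM_RECORDS = [
    {"name": "web01", "owner": "alice@example.com", "subscription": "Infrastructure",
     "expire_date": date(2015, 10, 15), "daily_cost": 2.16},
    {"name": "test01", "owner": "bob@example.com", "subscription": "Test",
     "expire_date": date(2015, 9, 10), "daily_cost": 0.72},
    {"name": "lab02", "owner": "bob@example.com", "subscription": "Test",
     "expire_date": date(2015, 8, 20), "daily_cost": 1.00},
    {"name": "legacy01", "owner": "carol@example.com", "subscription": "Infrastructure",
     "expire_date": None, "daily_cost": 4.32},
]


def lifecycle_action(record, today, warn_days=14):
    """Decide what the lifecycle runbook should do for one VM:
    'review'  - no expire date on the CI, cannot be lifecycle-managed
    'delete'  - expire date has passed
    'notify'  - expires within warn_days, e-mail the owner about extending it
    'keep'    - nothing to do yet"""
    expires = record["expire_date"]
    if expires is None:
        return "review"
    if today > expires:
        return "delete"
    if (expires - today).days <= warn_days:
        return "notify"
    return "keep"


def plan(records, today, warn_days=14):
    """Map every VM name to the action the runbook should take today."""
    return {r["name"]: lifecycle_action(r, today, warn_days) for r in records}


def notifications(records, today, warn_days=14):
    """Owner e-mail addresses that should receive an extension reminder today."""
    return sorted({r["owner"] for r in records
                   if lifecycle_action(r, today, warn_days) == "notify"})


def forecast(records, today):
    """Remaining spend per subscription from today until each VM's expire date,
    assuming the VM runs every day at its recorded daily cost. Expired VMs and
    VMs without an expire date contribute nothing, because the forecast cannot
    bound them."""
    totals = {}
    for r in records:
        expires = r["expire_date"]
        if expires is None or expires < today:
            continue
        days = (expires - today).days + 1  # today counts as a billable day
        sub = r["subscription"]
        totals[sub] = round(totals.get(sub, 0.0) + days * r["daily_cost"], 2)
    return totals


if __name__ == "__main__":
    run_date = date(2015, 9, 1)  # constructed run date for the runbook
    print("Actions:      ", plan(VM_RECORDS, run_date))
    print("Notify:       ", notifications(VM_RECORDS, run_date))
    print("Forecast (USD):", forecast(VM_RECORDS, run_date))
```

The warn_days window is the only tunable; a runbook scheduled daily with the default 14-day window sends
the reminder once per day during the final two weeks, so a real implementation would also record on the CI
that the reminder was sent, to avoid repeated e-mails.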
How do we generate a performance report for a server running as a VM in Microsoft Azure? We do that the
same way as in the on-premises datacenter, with Operations Manager and OMS. As discussed earlier, Microsoft
Azure provides a VM, but it is up to you to manage it. If you install the Operations Manager agent on the VM
you can use all the different management packs in Operations Manager to monitor the VM, its applications
and generate reports. If you install the OMS agent on the VM, you can use solutions in OMS to provide light
monitoring of the VM. OMS can collect performance counters and display them in the OMS portal.
Availability reports can also be generated with Operations Manager. You can use VMs in Microsoft
Azure as monitoring gateways to check availability of your services. A benefit of using VMs running
in Microsoft Azure is that you can deploy VMs in different datacenters to run transactional availability
checks of your services from different parts of the world.


13.3 Summary
In this chapter we started by looking into different alternatives for monitoring of VMs running in
Microsoft Azure. We started with light monitoring in the Microsoft Azure management portal. We then
moved on to Operations Manager, which is part of Microsoft System Center and brings a great deal of
functionality for deep service monitoring. We also discussed the Operations Management Suite and
how it enhances native Operations Manager capabilities. Then we discussed reporting options for
Azure and how to generate reports for VMs and usage data. In the end of the chapter we touched on
performance and availability reports.
When working with reporting and monitoring of VMs running in Microsoft Azure, it is important
to remember that Microsoft Azure is responsible only for providing the VMs. We still need to provide system
management in the same manner as we do with VMs running in our on-premises datacenter.


About the Authors

Anders Bengtsson is a Microsoft Senior PFE focused on System Center and
Microsoft Cloud OS. Last year Anders was involved in a number of projects
around building dynamic data centers and automated self-service solutions.
Anders has written a number of System Center training courses and workshops,
including the Service Manager and Operations Manager advanced courses for
Microsoft Learning. Anders was a co-author of both Orchestrator Unleashed
book and the Service Manager Unleashed book. Anders has presented and
worked at numerous Microsoft conferences and events, including Microsoft
TechDays, Microsoft Management Summit and Microsoft TechEd.

John McCabe works for Microsoft as a Senior Premier Field Engineer. In this
role he has worked with the largest customers around the world, supporting
and implementing cutting edge solutions on Microsoft Technologies.
In addition to his role at Microsoft, he is responsible for developing core training
for the Global Business Support Engineering Teams. John has been a
contributing author to several books including Mastering Windows Server
2012 R2 from Sybex. John has spoken at many conferences around Europe
including delivering keynotes. Prior to Microsoft John was an MVP in Unified
Communications with a consulting background of 15 years across many
different technologies including Network, Security and Architecture.

Pete Zerger is a consultant, author, speaker, and 10-time Microsoft MVP,
focusing on hybrid cloud design, management and architecture and data center
automation solutions. Pete has authored many whitepapers and is co-author
of several books, including both the Orchestrator Unleashed and Operations
Manager Unleashed titles from Sams Publishing. Pete has presented and worked
at numerous technical conferences and events around the world, including the
Microsoft Management Summit, Microsoft TechEd and System Center Universe.


About Veeam Software

Veeam recognizes the new challenges companies across the globe face in enabling the Always-On
Business, a business that must operate 24/7/365. To address this, Veeam has pioneered a
new market of Availability for the Always-On Enterprise by helping organizations meet recovery
time and point objectives (RTPO) of less than 15 minutes for all applications and data, through
a fundamentally new kind of solution that delivers high-speed recovery, data loss avoidance,
verified protection, leveraged data and complete visibility. Veeam Availability Suite, which
includes Veeam Backup & Replication, leverages virtualization, storage, and cloud technologies
that enable the modern data center to help organizations save time, mitigate risks, and
dramatically reduce capital and operational costs.
Founded in 2006, Veeam currently has 34,500 ProPartners and more than 168,000 customers
worldwide. Veeam's global headquarters are located in Baar, Switzerland, and the company has
offices throughout the world. To learn more, visit http://www.veeam.com.
