Virtual Machines – Tunecom

How to use SNAT (Source Network Address Translation) for outbound Windows Virtual Desktop connections

admin.yannickd — Thu, 11 Feb 2021 17:31:04 +0000

During the lifecycle of your Windows Virtual Desktop environment, you might encounter the following issues.

The issue

Users not being able to browse certain websites
Random WVD hosts not being able to connect to specific 3rd party hosted web apps

Normal behavior

Since there is no physical network hardware layer you can troubleshoot, one of the rather obvious cases which are often overlooked is SNAT (Source Network Address Translation). In a traditional on-premises environment you would have a reverse proxy or other networking equipment in place that would translate all of your internal workspace IP Addresses to a single public IP address.

Root cause

Windows Virtual Desktop is an Azure Native solution built on IaaS. Virtual Machines running on Azure have direct internet connectivity by using the Azure backplane. Just like Microsoft 365 a wide range of public IP addresses and ports is used to connect to online services.

This wide range of public IP addresses might just be the reason for the previously mentioned issues.

The solution: Configuring SNAT on your Windows Virtual Desktop Host Pool

What is SNAT? The following Microsoft Docs site explains more in detail all of the possible options & configurations for SNAT.
In our use case, we want to use SNAT to masquerade our back-end WVD Host IP Addresses to a single Public IP address.

What is required? We need a Standard Public Azure Loadbalancer configured on top of our WVD hosts and a SNAT rule configured to allow outbound connections.

Deploying the solution

Let’s get started with deploying the new load balancer and assigning the SNAT rules to the WVD hosts.

Powershell Script

You can run the powershell script provided below or review it on my GitHub Repo.

#region clear variables & in memory parameters
$slb = $null
$vm = $null
$NI = $null
$natrules = $null
$NIConfig = $null
$ELBPurpose =  $null
$ELBlocation = $null
$SKU =  $null
#endregion

#region input variables
$ELBPurpose = "enter the purpose of your loadbalancer (ex. wvd)"
$ELBlocation = "enter the location of your loadbalancer (ex. westeurope)"
$SKU = "enter the SKU of your loadbalancer (ex. standard)"
$ELBResourceGroup =  "enter the resource group name of your loadbalancer (ex. prd-network-rg)"
#endregion

#region naming convention
$ELBconvention = "-elb"
$PIPconvention = "-pip"
$FrontEndConvention = "-fep"
$BackEndConvention = "-bep"
$OutboundRuleConvention = "-obr"

$ELBname = $ELBPurpose + $ELBconvention
$ELBpip = $ELBname + $PIPconvention
$ELBFrontEndName = $ELBname + $FrontEndConvention
$ELDBackEndPoolName = $ELBname + $BackEndConvention
$ELBOutboundRulename = $ELBname + $OutboundRuleConvention
#endregion

#region loadbalancer deployment

# Step 1: Create a new static public IP address
$publicip = New-AzPublicIpAddress -ResourceGroupName $ELBResourceGroup -name $ELBpip -Location $ELBlocation -AllocationMethod Static -Sku $SKU

# Step 2: Create a new front end pool configuration and assign the public IP
$frontend = New-AzLoadBalancerFrontendIpConfig -Name $ELBFrontEndName -PublicIpAddress $publicip

# Step 3: Create a new back end pool configuration
$backendAddressPool = New-AzLoadBalancerBackendAddressPoolConfig -Name $ELDBackEndPoolName


# Step 4: Create the actual load balancer
$slb = New-AzLoadBalancer -Name $ELBname -ResourceGroupName $ELBResourceGroup -Location $ELBlocation -FrontendIpConfiguration $frontend -BackendAddressPool $backendAddressPool -Sku $SKU

# Step 5: Assign the back end VMs to the loadbalancer
$VMs = Get-AzVM | Out-GridView -PassThru -Title "Select your WVD hosts"

foreach ($vm in $VMs) {
    $NI = Get-AzNetworkInterface | Where-Object { $_.name -like "*$($VM.name)*" }
    $NI.IpConfigurations[0].Subnet.Id
    $bep = Get-AzLoadBalancerBackendAddressPoolConfig -Name $ELDBackEndPoolName -LoadBalancer $slb
    $NI.IpConfigurations[0].LoadBalancerBackendAddressPools = $bep
    $NI | Set-AzNetworkInterface
}

# Step 6: Assign the outbound SNAT rules
$myelb = Get-AzLoadBalancer -Name $slb.Name
$myelb | Add-AzLoadBalancerOutboundRuleConfig -Name $ELBOutboundRulename -FrontendIpConfiguration $frontend -BackendAddressPool $backendAddressPool -Protocol "All"

# Step 7: Configure the loadbalancer
$myelb | Set-AzLoadBalancer

#endregion

The end result will look similar to below screenshots.

Warning!

The scripts are provided as-is, please be very careful and test run the scripts on a “test” environment or an environment that allows you to perform some quick checks and tests. Adding a standard load balancer with no SNAT rules can cause internet connectivity loss for Windows Virtual Desktop users.

Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in adding SNAT rules to WVD.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

The post How to use SNAT (Source Network Address Translation) for outbound Windows Virtual Desktop connections appeared first on Tunecom.

How to monitor Azure Migrate replication issues

admin.yannickd — Mon, 25 Jan 2021 18:32:53 +0000

When migrating virtual or physical servers to Microsoft Azure with Azure Migrate you would like to monitor replication health.

Azure Migrate does provide a built-in solution for this within the Azure Migrate project(s). You can manually review the status or use PowerShell to retrieve the replication health of your IaaS machines. However, this lacks some kind of notification or alerting mechanism.

If you’re interested in how to automatically get notified when something goes wrong, please continue reading below.

A look under the hood of Azure Migrate

When looking at the bundle of products included in an Azure Migrate project, one key product is Azure Site Recovery (ASR) which is part of Recovery Services Vault.

Azure Site Recovery is used to replicate your origin machines to Azure.
This means that when we encounter any replication issues, we will have to look at our replication product in place.

When browsing the Recovery Services Vault blade, scroll down to the “Monitoring” section and select “Site Recovery Events“

On the “Site Recovery Events” page you will see a very similar page as displayed in the Azure Migrate Events page. Select “E-mail Notifications“

Enable the “E-mail notifications” by selecting On, select “Other administrators” if you want to set up alerts to non-Azure Services admins/co-admins. Enter an e-mail address and select save.

Whenever a new site recovery event or alert is triggered you will receive a mail notification.

Powershell

#Select your Azure Site Recovery Services Vault
$rsv = Get-AzRecoveryServicesVault | Out-GridView -OutputMode Single

#Set the recovery services vault context
Set-AzRecoveryServicesAsrVaultContext -Vault $rsv

#Retrieve current alerting configuration
Get-AzRecoveryServicesAsrAlertSetting

#Set alerts (Remove -EnableEmailSubscriptionOwner if you do now want the default owners to be notified)
$EmailAddressess = "test.test@test.be"
Set-AzRecoveryServicesAsrAlertSetting -CustomEmailAddress $EmailAddressess -EnableEmailSubscriptionOwner

Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in your Azure Migration journey.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

The post How to monitor Azure Migrate replication issues appeared first on Tunecom.

How to fix “The Azure Migrate unified appliance is in a disconnected state, Ensure that the appliance is running and has connectivity before proceeding” issue

admin.yannickd — Mon, 04 Jan 2021 14:05:24 +0000

When re-hosting or migrating traditional IaaS servers located on VMWare you might encounter one of the following issues when trying to setup your replication towards Azure.

The case

You have a single Azure Migrate appliance, which you have used to perform the suitability analysis and you’ve enabled the same appliance in the migration project as well.

Which means that we will be targeting an agentless migration.

The issue

The Azure Migrate Virtual Appliance ‘appliance name’ is in a disconnected state, please verify network connectivity.

The resolution

The following troubleshooting steps should help you resolve this issue.

Step 1: Verify agent health on the appliance

Step 2: Re-run the configuration wizard and verify your settings

Step 3: Re-enter your Azure Credential

Step 4: Restart de replication and gateway services

Run the following commands in an administrative powershell or cmd prompt.

Net Stop asrgwy
Net Start asrgwy
Net Stop dra
Net Start dra

Step 5: Verify service health

Check your connection status in the Appliances blade of the Azure Migrate resource on the Azure Portal.

Ready to migrate

Thank you!

Thank you for reading through this blog post, I hope I have saved you some time on researching the disconnected state issue.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

The post How to fix “The Azure Migrate unified appliance is in a disconnected state, Ensure that the appliance is running and has connectivity before proceeding” issue appeared first on Tunecom.

Virtual Datacenter Concept | Introduction

admin.yannickd — Tue, 31 Dec 2019 09:18:32 +0000

This blogpost is part of a series of Azure Virtual Datacenter Concept blog posts.

The following series of posts is a direct reference to the Virtual Datacenter Concept provided by Microsoft as part of the Cloud Adoption Framework.

My intention is to provide you with a holistic overview, lessons learned and best practices over the last couple of years during the design and implementation phase of the Azure Virtual Datacenter.

What is the Azure Virtual Datacenter Concept (VDC)?

VDC is a series of guidelines that can be interpreted in various ways, the main goal of the VDC is to be able to deploy and manage your Azure resources in a secure and proper fashion.

When looking at AzOps and AzSec we are striving to build an operational and security model that fits the customers needs and wishes, which can still provide the promised scalability, flexibility and cloud optimization benefits. AzOps and AzSec should play a supporting role in the application landscape

Taking into account the perspective of DevOps and DevSecOps the VDC should facilitate the application development team to perform CI/CD in a way that the entire IT infrastructure which is oriented around your Line-of-business applications closes the gap between the operations and deployment lifecycle.

Why should the Virtual Datacenter Concept matter to you?

Planning Cloud Adoption is key, we’ve often seen Cloud environments that have been setup with no clear vision of the future application and IT landscape, which ended up in consuming a lot of credits that could’ve been spent more wisely.

On your road to onboarding IaaS, PaaS and SaaS the Virtual Datacenter Concept is your hitchhikers guide to the galaxy. It’s often seen as a way to easily lift and shift your servers, when looking at the VDC from a broader perspective, it can be a good fit to start transitioning to PaaS and SaaS.

How does this all translate into practice?

Below infographic shows a typical scenario where a DTAP (Development, Test, Acceptance, Production) environment has been setup and during deployment, key components have gone missing.

In order to fix the above situation, we’ve got a couple of options, either deploy additional equipment on Azure or consolidate and optimize to make the best use of all Azure Resources.

Below IaaS overview shows how we can consolidate the central shared services and make use of unique Azure techniques like vnet peering to tie everything together in a secure way.

Extending your services to Azure

In the above example we’ve seen a full blow DTAP environment located on Azure infrastructure. However Cloud Adoption isn’t about moving virtual machines to the Cloud. When moving to the cloud our goal is to provide our end-customers with tools and applications that are always on and can meet the necessary capacity demands.

As a start we would primordially get started with the Virtual Datacenter Basic setup. This allows you to extend your on-premises workloads to Azure with a minimum amount of resources.

The basic setup consists of :

Hybrid cloud identity which can be setup in various ways that suits your business needs.
Virtual Private network connectivity based on Azure Virtual Network gateway
Resource Governance
Backup and business continuity additions

What’s next?

Hope you liked the introduction, and sort of know where we are working towards in this blogpost series.

The following aspects of the virtual datacenter concept will be highlighted in the following upcoming posts:

Virtual Datacenter Concept – 1 of 10- Naming Conventions
Virtual Datacenter Concept – 2 of 10 – Governance
Virtual Datacenter Concept – 3 of 10 – Resource Groups
Virtual Datacenter Concept – 4 of 10 – Virtual Networking
Virtual Datacenter Concept – 5 of 10 – Cloud Storage
Virtual Datacenter Concept – 6 of 10 – Identity Options
Virtual Datacenter Concept – 7 of 10 – Log Analytics
Virtual Datacenter Concept – 8 of 10 – Security
Virtual Datacenter Concept – 9 of 10 – Business Continuity
Virtual Datacenter Concept – 10 of 10 – Automation

The post Virtual Datacenter Concept | Introduction appeared first on Tunecom.