5.2 Compute - Virtual machines (VMs) - Deployment.md

File metadata and controls

134 lines (116 loc) · 5.22 KB

Deployment

  • Deployment tools
    • Azure portal
    • Azure Cloud Shell
    • Azure PowerShell
    • Azure CLI
    • Azure SDKs
    • ARM templates
  • You can create from
    • User images
      • Uses unmanaged disks
    • Marketplace images

Create VM Image

Generalizing VM

  • Should be the first step
  • Generalization resets server-specific data:
    • Computer name
    • Security identifiers (SIDs)
    • Local administrator/root identity
    • Device driver cache
    • Event logs
  • How to generalize
    • On Windows use sysprep, "System Preparation Tool"
    • On Linux run sudo waagent -deprovision+user
    • Take a VM backup first, because generalization is destructive and permanent

Create VM image from Azure VM

  • Managed Disk Concepts
    • Disks
      • No storage account (management) required
      • Pay for pre-allocated storage (P10 = 128 GB SSD VHD)
    • Snapshots
      • Read-only full copy of a managed disk
      • You can create new VMs based on snapshots
    • Images
      • Generalized VM disk images
      • Snapshots can be converted into images
  • Flow
    1. Get an image
      • Get a snapshot image
        1. Go to Disks → Select OS disk → Create snapshot
        2. In snapshot → Click on Export → You will get SAS url → Download VHD
        3. Generalize the image
      • Or capture an image
        • In portal: VM → Overview → Capture
        • ❗ Not generalized
        • It appears in images
    2. Go to Images in portal, select the image, from there click on Deploy and it'll navigate you
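The snapshot-then-generalize-then-capture flow above, as an added Azure PowerShell example (not code from the original notes). It assumes the Az.Compute module is installed, Connect-AzAccount has been run, and that the resource group, VM and image names are placeholders; the snapshot is taken first because generalization is destructive, and the export SAS is revoked as soon as it is no longer needed.

```powershell
# Added example (not from the original notes). Placeholder names; assumes Az.Compute
# and an authenticated session (Connect-AzAccount).
$rg      = "rg-images-demo"
$vmName  = "vm-golden"
$imgName = "img-golden-web-v1"

$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$loc = $vm.Location

# 1. Backup first: snapshot the OS disk, because generalization is destructive and permanent.
$snapCfg = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id `
                                -Location $loc -CreateOption Copy
$snap = New-AzSnapshot -ResourceGroupName $rg -SnapshotName "$vmName-osdisk-pre-generalize" -Snapshot $snapCfg

# Optional export of the snapshot as a VHD: a time-limited, read-only SAS URL.
# Revoke it right after the download so the URL cannot be reused if it leaks.
$sas = Grant-AzSnapshotAccess -ResourceGroupName $rg -SnapshotName $snap.Name -Access Read -DurationInSecond 3600
# Invoke-WebRequest -Uri $sas.AccessSAS -OutFile "$vmName.vhd"
Revoke-AzSnapshotAccess -ResourceGroupName $rg -SnapshotName $snap.Name

# 2. Generalize inside the guest before this point:
#    Windows: sysprep /generalize /oobe /shutdown
#    Linux:   sudo waagent -deprovision+user   (then shut the VM down)
# Then deallocate the VM and mark it generalized on the Azure side.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force
Set-AzVM  -ResourceGroupName $rg -Name $vmName -Generalized

# 3. Capture the generalized VM as a managed image (the portal "Capture" equivalent).
$imgCfg = New-AzImageConfig -Location $loc -SourceVirtualMachineId $vm.Id
$img    = New-AzImage -ResourceGroupName $rg -ImageName $imgName -Image $imgCfg

# 4. Deploy a new VM from the image (the "Deploy" step in the portal).
New-AzVM -ResourceGroupName $rg -Name "vm-from-image-01" -Image $img.Id -Credential (Get-Credential)
```

Note that the source VM is unusable after `Set-AzVM -Generalized`; the snapshot from step 1 is the only way back.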

VM Connection

  • There are different levels of security: network security groups (NSGs), the host firewall, and the option of not assigning a public IP at all

Just-in-time VM Access

  • Provided by Azure Defender (formerly known as Azure Security Center Standard tier)
  • Locks down all administrator ports by default; when an admin requests a session, access is granted only for a limited time and only from the requested IP address range.
  • No need to have management port open all the time
  • 💡 Recommended to enable
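The JIT lifecycle described above (ports locked by default, a time- and IP-bounded request to open one), as an added Azure PowerShell example that is not part of the original notes. It assumes the Az.Security module, an authenticated session, a placeholder subscription id, and constructed source address ranges; the policy restricts who may even request access, and the request itself is limited to one hour from one address.

```powershell
# Added example (not from the original notes). Placeholder ids and constructed addresses.
$subId  = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id
$rg     = "rg-prod"
$loc    = "westeurope"
$vmName = "vm-app-01"
$vmId   = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Enable JIT on the VM: declare which admin ports may be opened, from which source
#    ranges, and for how long at most. Until a request is approved the NSG denies them.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT1H" },
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $loc -Name "default" -ResourceGroupName $rg -VirtualMachine @($jitPolicy)

# 2. Request access: the session is bounded by an end time and a single source address.
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
           allowedSourceAddressPrefix = @("203.0.113.10") }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $loc -Name "default" -VirtualMachine @($request)

# 3. Audit what is currently open: the policy's approved requests, with their expiry times.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $loc -Name "default").Requests
```

The check in step 3 is the one to run periodically: any request whose source prefix is broader than a single address or a small range, or whose end time is far in the future, defeats the point of JIT.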

Deploying Linux Server VM

  • Around 40% of workloads in Azure run on Linux
  • Endorsed in Azure: CentOS, CoreOS, Debian, Oracle Linux, Red Hat Enterprise Linux, SUSE Enterprise Linux, openSUSE, Ubuntu
  • Connection
    • Secure Shell (SSH)
      • A popular client is PuTTY; on Windows 10 you can also install the Windows Subsystem for Linux or the Git tools to get an SSH client.
    • Remote Desktop Protocol (RDP)
      • You can install RDP on Linux.
      • Some avoid a graphical shell on servers:
        • It adds attack surface and possible security vulnerabilities
        • It needlessly consumes CPU
      • The Windows team ported RDP to Linux.
    • Serial Console
      • COM1 serial port connection to VM
      • Low-level access
      • Helpful when e.g. your VM doesn't boot up
  • Authentication
    1. SSH Public Key
      • You keep private key and share public key with Azure.
    2. Password
      • You can reset these after deployment in the portal: VM → Reset password
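Deploying a Linux VM with SSH public-key authentication only (the private key stays on the admin workstation, password login disabled), as an added Azure PowerShell example that is not part of the original notes. It assumes an authenticated session, an already existing network interface named after the VM in the same resource group, a public key file at the shown path, and placeholder names and sizes.

```powershell
# Added example (not from the original notes). Assumes an existing NIC "nic-<vmName>"
# in $rg and a public key at $HOME/.ssh/id_ed25519.pub; names are placeholders.
$rg     = "rg-linux"
$loc    = "westeurope"
$vmName = "vm-ubuntu-01"

# Only the public half is read; the private key never leaves the workstation.
$pubKey = Get-Content -Raw "$HOME/.ssh/id_ed25519.pub"
$nic    = Get-AzNetworkInterface -ResourceGroupName $rg -Name "nic-$vmName"

# The cmdlet requires a credential object, but password login is disabled below,
# so the password entered here is never usable for SSH.
$cred = Get-Credential -UserName "azureuser" -Message "Username only; password auth is disabled"

$vm = New-AzVMConfig -VMName $vmName -VMSize "Standard_B2s"
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName $vmName -Credential $cred -DisablePasswordAuthentication
$vm = Set-AzVMSourceImage -VM $vm -PublisherName "Canonical" -Offer "0001-com-ubuntu-server-jammy" `
                          -Skus "22_04-lts-gen2" -Version "latest"
$vm = Add-AzVMSshPublicKey -VM $vm -KeyData $pubKey -Path "/home/azureuser/.ssh/authorized_keys"
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $loc -VM $vm

# Check: the deployed VM's OS profile must report password authentication disabled (True).
(Get-AzVM -ResourceGroupName $rg -Name $vmName).OSProfile.LinuxConfiguration.DisablePasswordAuthentication
```

Combine this with the JIT policy from the section above so that port 22 is closed except during an approved, time-limited session.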

Deploying Windows Server VM

  • Windows Server 2019, 2016, 2012, 2008, or Windows 10 Pro/Enterprise (e.g. for load testing, client-side testing, a jump box)
  • Connect
    • Remote Desktop Protocol (RDP)
      • Uses TCP 3389
      • You can connect directly from Portal: Overview → Connect
    • WinRM (PowerShell) Remoting
      • TCP 5985, 5986
    • Serial Console
      • Text console into VM
      • Can get to VMs that can't boot

Prepare environment with Azure Policy

  • RBAC vs Azure Policy
    • RBAC
      • Focuses on user actions at different scopes
      • e.g. VM Contributor can manage only VMs
      • Built-in and custom roles
    • Azure Policy
      • Focuses on resource properties, both during deployment and for already existing resources
      • Uses a default-allow, explicit-deny system
    • Difference
      • You cannot create a VM unless RBAC grants you read and write permissions
      • Azure Policy in contrast constrains what that RBAC permission can do when the user attempts to create the VM
  • Some built-in Azure Policy definitions are e.g. allowed locations, allowed VM SKUs, ensure the MMS extension is deployed
  • You can also create your own policies, or initiatives, which are collections of policies.
  • Examples
    • Policy definition e.g. allowed locations
    • Parameters e.g. select which regions are allowed
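A custom "allowed locations" policy definition with a region parameter, assigned at resource-group scope, as an added Azure PowerShell example that is not part of the original notes. It assumes the Az.Resources and Az.PolicyInsights modules, an authenticated session, and placeholder resource group and policy names; the deny effect shows the RBAC/Policy difference from the list above: a user with VM Contributor rights can still not deploy outside the allowed regions.

```powershell
# Added example (not from the original notes). Placeholder names; assumes Az.Resources,
# Az.PolicyInsights and an authenticated session.
$rg = Get-AzResourceGroup -Name "rg-prod"

# Policy rule: deny any resource whose location is not in the parameter list.
$rule = @'
{
  "if": {
    "not": { "field": "location", "in": "[parameters('listOfAllowedLocations')]" }
  },
  "then": { "effect": "deny" }
}
'@

# Parameter definition: the regions are chosen per assignment, not hard-coded in the rule.
$params = @'
{
  "listOfAllowedLocations": {
    "type": "array",
    "metadata": {
      "displayName": "Allowed locations",
      "description": "Regions resources may be deployed to",
      "strongType": "location"
    }
  }
}
'@

$def = New-AzPolicyDefinition -Name "allowed-locations-custom" -DisplayName "Allowed locations (custom)" `
                              -Policy $rule -Parameter $params -Mode Indexed

# Assign at resource-group scope and supply the parameter values.
New-AzPolicyAssignment -Name "allowed-locations-rg-prod" -PolicyDefinition $def -Scope $rg.ResourceId `
                       -PolicyParameterObject @{ listOfAllowedLocations = @("westeurope", "northeurope") }

# Check: list resources already in the group that violate the assignment (existing resources are
# evaluated too, they are just not deleted). New deployments outside the list are denied outright.
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -Filter "PolicyAssignmentName eq 'allowed-locations-rg-prod' and ComplianceState eq 'NonCompliant'"
```

`Mode Indexed` limits evaluation to resource types that support location and tags, which is what a location policy needs; use `All` for policies on resource properties that apply to every type.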

Deploy with ARM templates

  • ARM templates are the infrastructure-as-code foundation of automation and DevOps in Azure
  • 💡 Visual Studio is a good ARM template editor
    • Visual Studio Code can also be used.
  • Different ways to work with templates
    1. You can go to Portal → Templates → Use an existing template or add a new template
    2. In Visual Studio → Cloud → Azure Resource Group → You can select template location (e.g. GitHub) → Select a template
    3. Deploy a VM then in the last step click on "Download template and parameters"
  • You can deploy with PowerShell, Cloud Shell, Azure CLI, or directly from Visual Studio
  • You can automate deployment actions such as VM access
  • Files
    • azuredeploy.json
      • Deployment template.
      • Defines resources and parameters with properties such as allowedValues and defaultValue
      • You can refactor some values into variables and reuse them throughout the file
      • The copy element in the template lets you create e.g. 3 storage accounts in a loop.
    • azuredeploy.parameters.json
      • Deployment parameters (required for deployment) used to deploy azuredeploy.json
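A minimal azuredeploy.json and azuredeploy.parameters.json pair exercising the elements listed above (allowedValues, defaultValue, a variable and a copy loop creating 3 storage accounts), written to disk and deployed from Azure PowerShell, as an added example that is not part of the original notes. It assumes an authenticated session and a placeholder resource group name; the storage account properties force HTTPS, TLS 1.2 and no anonymous blob access so the copy loop produces hardened accounts rather than defaults.

```powershell
# Added example (not from the original notes). Placeholder resource group; assumes Az.Resources
# and an authenticated session. Single-quoted here-strings keep "$schema" literal.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location":     { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "storageSku":   { "type": "string", "defaultValue": "Standard_LRS",
                      "allowedValues": [ "Standard_LRS", "Standard_GRS" ] },
    "storageCount": { "type": "int", "defaultValue": 3, "minValue": 1, "maxValue": 10 }
  },
  "variables": {
    "storagePrefix": "stg"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "[concat(variables('storagePrefix'), copyIndex(), uniqueString(resourceGroup().id))]",
      "location": "[parameters('location')]",
      "sku": { "name": "[parameters('storageSku')]" },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false
      },
      "copy": { "name": "storagecopy", "count": "[parameters('storageCount')]" }
    }
  ]
}
'@

$parameters = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageSku":   { "value": "Standard_GRS" },
    "storageCount": { "value": 3 }
  }
}
'@

Set-Content -Path "azuredeploy.json" -Value $template
Set-Content -Path "azuredeploy.parameters.json" -Value $parameters

$rg = "rg-arm-demo"

# Validate first (a storageSku outside allowedValues fails here, before anything is created),
# then preview the changes, then deploy.
Test-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile "azuredeploy.json" `
                               -TemplateParameterFile "azuredeploy.parameters.json"
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile "azuredeploy.json" `
                              -TemplateParameterFile "azuredeploy.parameters.json" -WhatIf
New-AzResourceGroupDeployment -ResourceGroupName $rg -Name "storage-x3" -TemplateFile "azuredeploy.json" `
                              -TemplateParameterFile "azuredeploy.parameters.json"
```

The generated names are the variable prefix, the loop index and a hash of the resource group id, which keeps them unique and within the 3 to 24 lowercase-alphanumeric limit for storage accounts.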