

Showing posts from September, 2013

Set Network ACLs using Windows Azure Powershell Commands

In the latest update of the Azure PowerShell cmdlets, there is an option to set network ACLs for VM endpoints. Using this option, you can allow or block access to an endpoint based on an IP address range.

A maximum of 50 ACL rules are possible per VM.
Lower numbered rules take precedence over higher numbered rules.
If you create a Permit ACL, all other IP ranges are blocked. Similarly, if you define a Deny rule, all other IPs are permitted.
If no ACLs are defined, it is permit all by default.

Steps for setting a Permit ACL for a particular IP are given below. Before executing them, make sure that you have set the subscriptions correctly as per my previous post.

Create a new ACL object:
    $acl = New-AzureAclConfig

Create the Permit rule and add it to the ACL:
    Set-AzureAclConfig -AddRule -ACL $acl -Order 50 -Action Permit -RemoteSubnet "" -Description "Test-ACL configuration"

Here I am explicitly permitting access from a public IP

Back to basics : Networking - Part 2

IPv6 basics:

IPv4 uses a 32 bit address space whereas IPv6 uses a 128 bit address space.
Represented by eight groups of four hexadecimal digits and uses Classless Interdomain Routing (CIDR).
The first 48 bits of the address are the network prefix, the next 16 bits are the subnet ID and the last 64 bits are the interface identifier.
There are three kinds of IPv6 addresses: Unicast, Multicast and Anycast.
Unicast: Identifies a single interface, equivalent to the IPv4 address of a machine.
Multicast: Identifier for multiple network interfaces. Commonly used for sending signals to a given group of systems or for broadcasting video to multiple computers etc.
Anycast: The packet is delivered to the nearest (in terms of routing) device.
IPv6 does not have broadcast messages.
Unicast and Anycast addresses have the following scopes:
Link-local: Scope is the local link (ie nodes on the same subnet). Prefix for link-local addresses is FE80::/64
Site-local: Scope is the organization, ie private site addressing. Prefix

Managing Windows Azure using Powershell commandlets

In order to start managing your Azure subscriptions using PowerShell cmdlets, first you need to install Windows Azure PowerShell from here. Open the Azure PowerShell window from Start -> All Programs -> Windows Azure -> Windows Azure PowerShell.

In order to manage a subscription, you will have to import the management certificate for it. You can use the below commands for the same:
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $Filepath = "D:\certs\managementcert.pfx"   --> Provide the path to your management cert here
    $password = 'Password'   --> Give your certificate password here
    $cert.Import($Filepath, $password, 'Exportable,PersistKeySet')   --> At this point the variable $cert will have your management certificate loaded

Now you need to import your subscription ID and subscription name. You can get the values from the management portal -> Settings.
    $subscriptionId = '1935b212-1179-4231-

Windows Azure fault domain and upgrade domain

Fault Domain: In simple words, a fault domain can be considered as a single point of failure. For eg:, servers hosted in a rack in a data center can be considered as a fault domain, because a power failure to the rack will bring down all the servers in it. During deployment, the instances in a role are assigned to different fault domains to provide fault tolerance (only when there are multiple fault domains).

Upgrade Domain: This concept is applicable during a deployment upgrade. Each upgrade domain can be considered as a logical unit of deployment. An application upgrade is carried out on a per upgrade domain basis, ie the instances in the first upgrade domain are stopped, upgraded and brought back to service, followed by the second upgrade domain. This ensures that the application is accessible during the upgrade process, though with reduced capacity.

Windows Azure storage concepts

You can create storage accounts in Windows Azure and provide your applications access to the tables, blobs and queues in them. The maximum capacity of a storage account is 200 TB if it was created after June 8th 2012, and 100 TB if created before that.

Geo Redundant Storage (GRS): Replicates the storage to a secondary, geographically separate location. Data is replicated asynchronously to the secondary location in the background. If there is any failure in the primary location, storage will fail over to the secondary location.
Locally Redundant Storage (LRS): For any storage, the data is replicated three times within the same datacentre. All Windows Azure storage is locally redundant.
Affinity group: It is a geographical grouping of cloud deployments and storage accounts. By grouping the services used by your application in an affinity group in a particular geographical location, you can improve your service performance.
Storage account endpoints: Highest namespace for accessi

Windows Azure host and guest OS updates

The Windows Azure host OS is the root partition, which is responsible for creating child partitions to execute Windows Azure services and the guest OS. The host OS is updated at least once a quarter to keep the environment secure. Updating the host OS means that the VMs hosted on it have to be shut down and then restarted. While the upgrade is done, Azure ensures that the VMs in different update domains are not down simultaneously, which would otherwise affect the availability of hosted applications. An optimal order for updating the servers is identified first before proceeding with the upgrade.

The Windows Azure guest OS runs on the VMs that host your applications in Azure. The OS is updated periodically, each time a new update is released. You can choose to get this done automatically or manually upgrade it at a chosen time. Microsoft recommends automatic OS updates, so that known security vulnerabilities are taken care of and your application will run on an up-to-date environment. In order to con

Configuring Diagnostics for Windows Azure cloud service

Steps for configuring Windows Azure diagnostics are as follows:

Import the Diagnostics module in the csdef file:
    <Imports>
      <Import moduleName="Diagnostics" />
    </Imports>
The options for tracing and debugging can be included in the Windows Azure application code.
Custom performance counters can be created for web and worker roles using PowerShell scripts in startup tasks. You can collect data from the existing performance counters as well.
Store diagnostics data in Azure storage, since the collected data is only cached and hence does not persist. The diagnostics storage can be defined in the cscfg file using the following setting:
    <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="DefaultEndpointsProtocol=https;AccountName=storagename;AccountKey=storageaccesskey" />
Replace storagename and storageaccesskey with the name and access key of your diagn

Input and Internal Endpoints in Windows Azure

Azure cloud services have two types of environments: Production and Staging. The production environment will have a permanent DNS name associated with it, and it resolves to a single public Virtual IP. The DNS name of the Staging environment will keep changing, and it also resolves to a public VIP.

Input endpoints are defined for enabling external connections to the public VIP of the cloud service. The HTTP, HTTPS or TCP protocol can be used for the connection. The ports, protocols and certificates to be used for the connection can be defined in the csdef file in the <Endpoints> configuration section. Sample given below:
    <Endpoints>
      <InputEndpoint name="httpsin" protocol="https" port="443" certificate="SSL" />
      <InputEndpoint name="httpin" protocol="http" port="80" />
    </Endpoints>
Each defined endpoint must listen on a unique port.
A hosted service can have up to maxi

Configure RDP for Windows Azure cloud service instance

In order to RDP to a Windows Azure cloud service instance, execute the steps given below:

Generate an encryption certificate and upload it to the respective cloud service. This certificate is used to encrypt the RDP communication.
Encrypt the RDP password using the certificate thumbprint. You can use the csencrypt command line utility available with the Windows Azure SDK to encrypt the password. Ref:
Import the RemoteAccess and RemoteForwarder modules in the csdef file:
    <Imports>
      <Import moduleName="RemoteAccess" />
      <Import moduleName="RemoteForwarder" />
    </Imports>
Update the Remote Desktop connection configuration values in the cscfg file. The settings are:
    <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
    <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUser

Windows Azure cloud services - Roles and config files

A Windows Azure cloud service is, in simple terms, an application designed to be hosted in the cloud, with a configuration file that defines how the service should be run. Two files decide the settings for the cloud service: the service definition file (.csdef) and the service configuration file (.cscfg).

Service definition file: This file defines the settings that will be used for configuring a cloud service. It defines the following settings:
Sites - Definition of websites or applications hosted in IIS7
InputEndPoints - Endpoints used for contacting the cloud service
InternalEndPoints - Endpoints for role instances to talk to each other
Configuration Settings - Settings specific to a role
Certificates - Defines certificates used by a role
Local Resources - Details of local storage; this will be a reserved directory in the file system of the virtual machine in which a role is running
Imports - Defines the modules to be imported for a role. For eg: to enable the RDP connection

Back to basics : Networking - Part 1

Range of different classes of IP addresses, based on the range of the first octet:
Class A: 1-126
Class B: 128-191
Class C: 192-223

Private IP ranges:
Class A: to
Class B: to
Class C: to
APIPA address: to

MAC address: The Media Access Control address is associated with a network adapter, often known as the hardware address.
12 hexadecimal digits, 48 bits in length.
Written in the format MM:MM:MM:SS:SS:SS.
The first half is the address of the manufacturer and the second half is the serial number assigned to the adapter by the manufacturer.
MAC addresses work at layer 2, IP addresses at layer 3.

OSI Model (Open System Interconnection):
Physical: Defines the physical media, ie cables, connectors etc.
Data Link: Defines the data format. Converts raw bits from the physical layer into data frames for delivery to the network layer. Common devices that work at this layer: Switch.
Network layer: Addressing, determining ro

DHCP superscope

A DHCP superscope is, in simple terms, a logical grouping of DHCP scopes. They are used in scenarios where there are multiple subnets created in a particular VLAN. In this case, your VLAN configuration would look like this:
    interface vlan 107
    ip address
    ip address secondary
    ip address secondary
Create scopes for all the above subnets in your DHCP, then create a superscope and add the scopes to it.

The ideal case is to have one subnet per VLAN and to create individual scopes in DHCP for these VLANs. You will have to configure an IP helper address for these VLANs and point them to your DHCP IP address so that the clients in the various subnets get IPs from the DHCP. Your VLAN configuration would look like this (assume that the IP of your DHCP is
    vlan 12
    interface vlan12
    ip address
    vlan 13
    interface vlan13
    ip address
    ip helper-address
    vlan14
    interface vlan14
    ip address 10.120.14.

VMware data recovery troubleshooting

If the VDP backup fails, the following troubleshooting steps can be used.

SSH to the VDP appliance and browse to /usr/local/avamarclient
Search for logs related to the VM:
    grep -r -a "VM_NAME" ./*
If you suspect it is a snapshot related issue:
    grep -r -a " VM_name" ./* | grep "FATAL"
To be more specific and to check messages for a certain date, try searching using the date:
    grep -r -a " VM_name" ./* | grep "2013-08-02"
Sometimes we could get very useful information from the "info" messages as well. In order to narrow down to the same, you can use the command:
    grep -r -a "VM_name" ./var-* | grep "2013-07-03"
The above command will search only through the 'var-proxy' directories. It will display the entire log file. You can less it to view details for a specific date, eg:
    less ./var-proxy-5/VMGROUP1-1378306800496-35fj52c29f48eeejef090b27edaeba3d868719e8-4016-vmimagew.log /2013