Yesterday a post was made on the Azure blog about SQL Server licensing on Azure VMs. From May 26th 2016 it is possible for Enterprise Agreement customers from Microsoft to use their Microsoft SQL Server licenses in Azure on VMs. That way you only pay in Azure for compute power instead of compute power and Microsoft SQL Server licenses.
Today, the first of January 2016, my new business officially starts. For a long time I have been thinking of starting my own business and in the last three months of 2015 I decided to make the big step. The last three months were busy ones, with my daytime job still going while I prepared SQLBrander.com B.V. so I could start on this day. Some work is already planned through people I already knew and I have to do work for Conclusion FIT, my former employer. Thanks to those for helping to start my business!
Of course I will keep blogging and hopefully we meet in person someday. My blog articles will always be in English.
A very good, healthy and successful year to all of you!
Prerequisites to connect an on premise network to Azure:
* A Microsoft Azure account with spending limit or a subscription
* A router that is supported by Microsoft to connect to Azure, in my situation I used the Cisco ASA 5505. A full list can be found here: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/
* A fixed IP address from your internet provider. A dynamic (DHCP) IP address will work, but when you get a new IP address from your provider the connection will be broken and some configuration changes must be made on the Azure side of the network. I will explain later what needs to be changed.
* To make a full Domain Network with on premise (virtual) machines and Azure virtual machines it would be nice to have a Domain Controller on the on premise site.
* Java Runtime 6.39 to configure the Cisco ASA 5505 (if you are a die hard you can use the console but because my Surface Pro 3 and my work laptop do not have a serial port available I went for the dummy easy way with a GUI)
To configure your Cisco ASA device it turned out that you need to have Java Runtime 7.51 installed. Do not use a higher version, because then the ASDM software may not work. This is an old version that has not been supported since the 15th of April 2015. After you have installed Java and the ASDM software you probably need to change the first part of the target in the shortcut to “C:\Program Files\Java\jre6\Bin\javaw.exe”; do not use “C:\Program Files (x86)\Java\jre6\Bin\javaw.exe”, because then you get stuck at “Contacting the device”. But when you use the x64 version of javaw.exe you get the error: “Unable to launch Device Manager from 192.168.1.1”. If you keep using the original first part of the target in the shortcut, “C:\Windows\SysWOW64\javaw.exe”, you also get stuck at “Contacting the device”.
On Premise network: 192.168.1.0/24
On Premise network gateway (Cisco ASA 5505 router): 192.168.1.1
My (old) public IP address from my internet provider: 188.8.131.52
My On Premise network DNS Server name and IP address: HYP01 – 192.168.1.31
First you need to create a Virtual Network in Azure:
Click on +, Network Services, Virtual Network, Custom Create
Image 1: Custom Create Virtual Network
In the Virtual Network Details screen fill in the name for your Virtual Network (any name that describes your virtual network will do) and choose the location for your Virtual Network (West Europe for me because I live in West Europe). You will see the name you entered appear in the Network Preview image. Click on the right-pointing arrow in the lower right corner of the screen.
Image 2: Create Virtual Network (Details)
In the ‘DNS Servers and VPN Connectivity’ screen you need to fill in the name and IP address of your local DNS Server and optionally a second (or third) DNS Server (for example a public DNS Server if you need to get to the Internet from the Virtual Network). Next you need to select ‘Configure a site-to-site VPN’ under ‘Site-to-site Connectivity’. The ‘Network Preview’ should display the network on Azure and On Premise with the DNS Servers. Click on the right-pointing arrow in the lower right corner of the screen.
Image 3: DNS Server and VPN Connectivity
In the ‘Site-to-Site Connectivity’ screen the name for the On Premise network, the public IP address from your internet provider and the address space of your On Premise network must be filled in. Click on the right-pointing arrow in the lower right corner of the screen.
Image 4: Site to Site Connectivity
In the ‘Virtual Network Address Spaces’ screen the information for your virtual Azure network must be specified. In my case I am using a 10.10.0.0/22 address space with three subnets: 10.10.1.0/24, 10.10.2.0/24 and a gateway subnet 10.10.3.0/29. You can use only one subnet for your Virtual Machines, but just to be able to test with different subnets I created two. The third, the gateway subnet, is mandatory to be able to route through the networks to your on premise network. Click on the ‘V’ in the lower right corner of the screen.
Image 5: Virtual Network Address Spaces
In the Azure website under ‘Networks’, and then the Network you just created, you will see an almost finished network. A public gateway is still missing. To create the gateway click on ‘Create Gateway’ at the bottom of the screen and choose ‘Static Routing’. The Cisco ASA series do not support ‘Dynamic Routing’. Click on ‘Yes’ at the question if the gateway should be created for the virtual network. Creating a gateway may take some time. Just sit it out and behold! When you get the message ‘Succesfully created a gateway for virtual network Azure_Network’ you are ready to go.
Image 6: Completed Azure Network overview
The next step is to configure the Cisco ASA 5505. To do so you need to download the VPN Device script from the ‘azure_network’ page. Click on the link ‘Download VPN Device Script’. Because in this situation I am using this type of router, in the screen ‘Download a VPN Device Configuration Script’ I select ‘Cisco Systems, Inc.’ at Vendor, ‘ASA 5500 Series Adaptive Security Appliances’ at Platform and ‘ASA Software 8.3’ at Operating System and click on the ‘V’. Save the script in your downloads location.
Image 7: Download a VPN Device Configuration Script
Next you can configure the ASA with this script so the connection can be established.
Azure Backup is a service from the Azure environment that can be used to back up on premise machines, on premise virtual machines and cloud virtual machines. My first test was whether an IaaS VM from Azure could be backed up by Azure Backup. The Azure Backup service is not advertised to do the last option, but a customer is planning on moving the Hyper-V environment partly to Azure and there also needed to be a backup in place for the environment. Of course you can use Data Protection Manager or other systems, but the drawback is that you need an extra VM for DPM, and it is not really in the spirit of the cloud when there is a service that is able to back up your environment. So I started to test Azure Backup with my home/test environment. There are no extra charges when you have a Visual Studio Ultimate subscription with MSDN. It has a 115 EURO free of charge limit for testing purposes.
Below is the complete process of configuring the Azure Backup solution. For cost reasons I have used a Self-Signed Certificate instead of a certificate that needs to be bought. So if you would like to try this out yourself the only thing you need is an Azure account with some spending room. There are test Azure offers where you are limited in what you can use. If you would like more spending room you can always get your credit card and test some further… It is all up to you.
In short the following steps are taken:
- Create a Self-Signed Certificate
- Create the Backup Vault and upload the certificate to Azure
- Export the certificate from MMC
- Import the certificate on the VM
- Run WBInstaller.exe on the Virtual Machine
- Register Server
- Schedule backup
The following steps need to be done once:
Create a Self-Signed Certificate
Start Visual Studio Command Prompt
%comspec% /k ""C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"" x86_amd64
Use the following statement to create a Self-Signed Certificate
makecert.exe -r -pe -n CN=AzureBackup -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -e 12/12/2040 -len 2048 C:\Temp\AzureBackup.cer
Create the Backup Vault and upload the certificate to Azure
- Create new Backup Vault in Azure by clicking + and choose Data Services, Recovery Services, Backup Vault and Quick Create
- Enter a name for the Backup Vault and choose a region near you (Western Europe in my case) and click on Create Vault
- After the message is displayed that the Vault is created select the Vault
- Click on the Manage Certificate icon in the screen and browse to the CER file you created and click (V)
- After this is completed successfully click on Download Agent (WBInstaller.exe)
Export the certificate from MMC
Start MMC and add Snap-In Security on the machine where the Certificate is created
- Right click on the AzureBackup certificate in Certificates\Personal\Certificates and choose All Tasks and Export
- Click Next in the Welcome to the Certificate Export Wizard screen
- Select Yes, export the private key in the Export Private Key screen (if this screen does not show, delete the AzureBackup certificate and start all over) and click Next
- Select Personal Information Exchange - PKCS #12 (.PFX) and Include all certificates in the certification path if possible in the Export File Format screen and click Next
- Select Password and enter a password twice and click Next
- Browse to the file location where you would like to save the exported file and name the file in the File to Export screen and click Next
- Check the choices in the Completing the Certificate Export Wizard screen and click Finish if all is ok
- On the Certificate Import Wizard message: “The Export was successful” click OK
The following steps need to be done on every Virtual Machine that needs to be backed up by Azure Backup
Import the certificate on the VM
- Copy the PFX certificate file and the WBInstaller.exe to the virtual machine or create a network share accessible from the Virtual Machine where you place the files.
- Import the certificate (AzureBackupExport.PFX) in the Security MMC console on the Virtual Machine that needs to be backed up
- Start MMC and add Snap-In Security on the Virtual Machine
- Right click on Certificates(Local Computer)\Personal and choose All Tasks and Import
- Select Local Machine in the Welcome to the Certificate Import Wizard and click Next
- Browse to the file location where you saved the exported file and select the file type Personal Information Exchange (PFX) in the File to Import screen and click Next
- Enter the Password for the PFX file and select Include all extended properties in the Private key protection screen and click Next
- Select Place all certificates in the following store [Personal] in the Certificate Store screen and click Next
- Check the settings in the Completing the Certificate Import Wizard screen and click Finish
- On the Certificate Import Wizard message: “The Import was successful” click OK
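The create, export and import steps above can also be scripted, with a check that the imported certificate really carries its private key and the Client Authentication EKU. This PowerShell is an added example, not part of the original post; the function names are hypothetical, and it reuses the post's subject name, key length, expiry date and C:\Temp path. It assumes an elevated prompt on Windows 10 / Server 2016 or later, where New-SelfSignedCertificate accepts -Subject and -NotAfter.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumes an elevated prompt on Windows 10 / Server 2016 or later.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication

function New-AzureBackupCert {
    # Run once, on the machine that creates the certificate.
    param([string]$OutDir = 'C:\Temp', [securestring]$PfxPassword)
    $cert = New-SelfSignedCertificate -Subject 'CN=AzureBackup' `
        -CertStoreLocation 'Cert:\LocalMachine\My' -KeyLength 2048 `
        -KeyExportPolicy Exportable -NotAfter ([datetime]'2040-12-12') `
        -TextExtension @("2.5.29.37={text}$ClientAuthOid")
    # Public part: this .cer is what gets uploaded to the Backup Vault.
    Export-Certificate -Cert $cert -FilePath "$OutDir\AzureBackup.cer" | Out-Null
    # Private key: password-protected .pfx that is copied to each VM.
    Export-PfxCertificate -Cert $cert -FilePath "$OutDir\AzureBackupExport.pfx" `
        -Password $PfxPassword -ChainOption BuildChain | Out-Null
    $cert.Thumbprint
}

function Test-AzureBackupCert {
    # Reports the properties the wizard steps are meant to guarantee.
    param([string]$Thumbprint)
    $c = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $eku = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey
        ClientAuthEku = @($eku.EnhancedKeyUsages.Value) -contains $ClientAuthOid
        KeySize       = $rsa.KeySize
        NotAfter      = $c.NotAfter
    }
}

function Import-AzureBackupCert {
    # Run on every VM that will be backed up.
    param([string]$PfxPath, [securestring]$PfxPassword)
    # Without -Exportable the private key is imported as non-exportable on the VM.
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
    Test-AzureBackupCert -Thumbprint $cert.Thumbprint
}

# Usage:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   New-AzureBackupCert -PfxPassword $pw                                             # creating machine
#   Import-AzureBackupCert -PfxPath C:\Temp\AzureBackupExport.pfx -PfxPassword $pw   # each VM
```

If HasPrivateKey or ClientAuthEku comes back False on the VM, the export was done without the private key or from the wrong certificate, which matches the post's advice to delete the certificate and start over.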
Run WBInstaller.exe on the Virtual Machine
- Click I accept the terms of the Supplemental Notice in the Supplemental Notice screen and click OK
- In the screen Prerequisites Check click on Next
- Change the Installation folder and the Cache Location at will or leave it default and click on Next
- Select Use Microsoft Update when I check for updates (recommended) or I do not want to use Microsoft Update and click Install
- Wait until the WBInstaller completes and leave Check for newer updates in the Installation screen and click Finish
- In the Before You Begin screen click Next
- In the screen Upgrade Process click Finish
- Check for Updates and install these
- When finished installing updates start Windows Azure Backup (shortcut on the Desktop)
- Click on Register Server in the top right of the application
- Click on Next in the Proxy Configuration screen
- Click on Browse and select the correct certificate in the Vault Identification screen and click Next
- Select the Backup Vault in the Vault Identification screen and click Next
- Click on Generate Passphrase or create one of your own and enter a location to save the passphrase in the Encryption Setting screen and click Register
- Click Close in the Server Registration screen
- Click on Schedule Backup in the top right of the application
- Click Next in the Getting Started screen
- Click on Add Items and select what you would like to backup in the Select Items to Backup screen
- Click on Exclusion Settings and select what files you do not want to backup
- Click Next in the Select Items to Backup Screen
- Select the days and times the backup needs to run in the Specify Backup Time screen and click on Next
- Select the number of days retention time in the Specify Retention Setting screen and click Next
- On the Confirmation screen click Finish
- Click Close in the Modify Backup Progress screen
- If needed click on Backup Now in the top right corner of the application
- In the Confirmation screen click Back Up
- You may close the Backup progress screen if needed. The backup will continue
Good luck! If you have any questions please let me know! Next blogpost will be on restoring your data.