Azure Traffic Manager: Geography Versus Latency

A recent #AzureTrivia question on Twitter asked how you would configure Azure Traffic Manager to redirect clients to the closest endpoint (a place hosting a web application). That question made me go hmm – how do you define closest?

[screenshot]

Defining Closeness

Do you measure closeness by kilometres as the crow flies or on the road? Or do you measure closeness by how packets travel across the Internet, from the client to the actual Azure data centre? Here’s a story I tell in my Azure training when talking about this topic.

I once worked for a hosting company in Dublin, Ireland. It was the end of a workday in December and we were all excited because it was the night of our Christmas party. We were going to a restaurant in the city and the MD was paying for everything. Fun times! Sales, engineering, support, etc. were on the top floor and we piled down the stairs to the NOC to get the folks who were coming off their shift. A few of us walked into the NOC and the staff were in a bit of a tizzy. A customer, not very far away from us, claimed that we were offline. Earlier that year, we did have a catastrophic outage caused by an electrician’s mistake, so we were a bit touchy about things like this. Straight away, us engineers ran back upstairs and started doing tests. The networking guys quickly verified that we were actually online, but the customer was adamant. The NOC got the customer (in Ireland, remember) to run a tracert. We quickly found that the customer’s ISP connected to the rest of the Internet in Germany, and that there was a router fault in Germany that was nothing to do with us – there was a routing loop and packets were timing out.

[screenshot]

So this customer, only a few kilometres from us, was connected to the rest of the world through Germany. We were geographically close to the customer, but in terms of latency, the customer could have had a “closer” hosting company in Germany. When you use a phrase such as “closest” in networking, that typically means latency, and is nothing to do with an atlas or map book.

Controlling Traffic Manager

Traffic Manager is a DNS-based traffic routing service in Azure for services running across multiple Azure (or non-Azure) locations. It answers the client’s DNS query with the name of the chosen endpoint; it never proxies the traffic itself, so every endpoint must be directly reachable by clients. The routing of each Traffic Manager profile works in one of 4 ways (at the time of writing):

  • Priority: You can think of this as a failover method. Traffic goes to endpoint 1, if that fails it goes to endpoint 2. If endpoint 2 fails, it goes to endpoint 3, and so on.
  • Weighted: This is a weight-based distribution method, i.e. load balancing. You might set one endpoint with a weight of 40 (40% in this case) and two other endpoints each with a weight of 30 (30%).
  • Performance: I’ll use Microsoft’s definition here … when you have endpoints in different geographic locations and you want end users to use the “closest” endpoint in terms of the lowest network latency.
  • Geographic: Using Microsoft’s definition again … users are directed to specific endpoints (Azure, External, or Nested) based on which geographic location their DNS query originates from.

So if you want to configure Traffic Manager to send clients to the closest Azure region, you use the Performance routing method.

In my Europe example above, I might have a web application running in North Europe (Dublin) and West Europe (Netherlands), unified and abstracted at the DNS level by Traffic Manager. If I set Geographic as the routing method, the customer would normally be sent to North Europe. If I set the routing method to Performance, the customer would normally be sent to West Europe because it is closer in terms of latency. One caveat applies to both methods: Traffic Manager never sees the client, only the DNS query from the client’s recursive resolver (or the EDNS Client Subnet prefix that resolver forwards), so a client using a resolver in another country is routed as if it were in that country.
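Here is what that Performance profile looks like when scripted with the Az PowerShell module, together with the two checks I would run before trusting it. This is an added example, not code from the original post; the resource group, DNS prefix, endpoint hostnames and health-check path are placeholders.

```powershell
# Added example: a Traffic Manager profile that routes clients to the lowest-latency endpoint.
# Resource group, DNS prefix, endpoint hostnames and monitor path are placeholders (assumptions).
# Needs the Az.Accounts, Az.TrafficManager and (Windows) DnsClient modules.
Connect-AzAccount | Out-Null

$rg = 'rg-tm-demo'

$profileParams = @{
    Name                 = 'closest-demo'
    ResourceGroupName    = $rg
    TrafficRoutingMethod = 'Performance'   # "closest" = lowest latency; Geographic is map-based
    RelativeDnsName      = 'closest-demo'  # becomes closest-demo.trafficmanager.net
    Ttl                  = 30              # short TTL so a failed endpoint drops out quickly
    MonitorProtocol      = 'HTTPS'         # probe over TLS; the path must return 200 without auth
    MonitorPort          = 443
    MonitorPath          = '/healthz'
}
$tmProfile = New-AzTrafficManagerProfile @profileParams

# One endpoint per region. For external endpoints Performance routing needs the location,
# otherwise Traffic Manager has no latency-table row to match the resolver against.
$endpoints = @(
    @{ Name = 'north-europe'; Target = 'app-ne.example.com'; Location = 'North Europe' },
    @{ Name = 'west-europe';  Target = 'app-we.example.com'; Location = 'West Europe'  }
)
foreach ($e in $endpoints) {
    New-AzTrafficManagerEndpoint -Name $e.Name -ProfileName $tmProfile.Name -ResourceGroupName $rg `
        -Type ExternalEndpoints -Target $e.Target -EndpointLocation $e.Location `
        -EndpointStatus Enabled | Out-Null
}

# Check 1: are both endpoints passing the health probe? A degraded endpoint is never handed out,
# so a broken /healthz silently turns a two-region design into a one-region one.
(Get-AzTrafficManagerProfile -Name $tmProfile.Name -ResourceGroupName $rg).Endpoints |
    Select-Object Name, EndpointLocation, EndpointMonitorStatus

# Check 2: which answer does a resolver get? Ask your own resolver, then a public one (8.8.8.8)
# to see that the answer follows the resolver's location, not the desk you are sitting at.
$fqdn = "$($tmProfile.RelativeDnsName).trafficmanager.net"
Resolve-DnsName $fqdn -Type CNAME                 | Select-Object Name, NameHost
Resolve-DnsName $fqdn -Type CNAME -Server 8.8.8.8 | Select-Object Name, NameHost
```

Run the second check from a machine (or through a resolver) in each region you care about; if the CNAME you get back is not the endpoint you expected, the problem is usually the resolver’s location or a failing health probe, not the routing method.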

Want to Learn More Azure Stuff Like This?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in London on July 5-6, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

How To Remove Orphaned “Synced” Users/Groups From Azure AD

In this post, I will explain how to remove users or groups from Azure AD that were synchronized into Azure AD (your tenant) but are left behind after removing Azure AD Connect – typically this is a lab scenario.

Production Environment

Almost every search result you will find discusses this scenario, where you want to remove users/groups from Azure AD without removing Azure AD Connect. The solution is pretty simple:

  1. Create an OU (or OUs) in on-premises Active Directory, using Active Directory Users & Computers. This OU will be used to store objects that won’t be synchronized to Azure AD.
  2. Modify the sync configuration of Azure AD Connect to sync only required OUs – exempt your new OU(s).
  3. Move the unwanted objects to the new OU(s).
  4. Wait for the next Azure AD Connect sync cycle (every 30 minutes by default), or force it yourself.

The users/groups in the exempted OU(s) will automatically be removed from Azure AD.
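The four steps above, scripted on the Azure AD Connect server. This is an added example and not from the original post; the domain name, the OU name and the object DNs are placeholders, and it assumes the new OU has already been unticked on the Connect wizard’s “Domain and OU filtering” page (that part is a GUI step).

```powershell
# Added example: park objects in an OU that Azure AD Connect does not sync, then force a
# delta sync instead of waiting for the 30-minute scheduler. Run on the Connect server as a
# member of the ADSyncAdmins group. Domain, OU and DNs below are placeholders (assumptions).
Import-Module ActiveDirectory
Import-Module ADSync            # installed with Azure AD Connect

$domainDn   = 'DC=contoso,DC=local'
$excludedOu = "OU=NoSync,$domainDn"

# 1. Create the excluded OU if it is missing (it must also be deselected in the Connect wizard).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'NoSync'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name 'NoSync' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2./3. Move the objects you no longer want in the cloud. Users and groups are handled the same way.
$unwanted = @(
    "CN=Old Project Team,OU=Groups,$domainDn",
    "CN=J. Bloggs,OU=Users,$domainDn"
)
foreach ($dn in $unwanted) {
    Move-ADObject -Identity $dn -TargetPath $excludedOu -Verbose
}

# Guard: Connect refuses an export that would delete more objects than its deletion threshold
# (500 by default). If you are moving a lot of objects, check it before you force the sync.
Get-ADSyncExportDeletionThreshold

# 4. Force a delta sync now and show the scheduler state for the record.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta
```

After the export completes, the moved users land in the Azure AD recycle bin (30 days) and the groups are removed; if the export is blocked by the deletion threshold, raise it deliberately with `Enable-ADSyncExportDeletionThreshold` rather than disabling the check, because the threshold is also what saves you from an accidental mass delete when an OU is mis-filtered.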

But what about orphaned objects when Azure AD Connect has already been uninstalled/disconnected?

Removing Orphaned Synced Users/Groups

You are going to need Azure AD PowerShell to make this work. I tried it with the v1 (MSOnline) cmdlets and it worked; I haven’t tried the v2 (AzureAD) cmdlets, which might also work. Basically, you cannot do this in the Azure Portal, but you can do it using Azure AD PowerShell.

First I signed into Azure AD using a tenant administrator (global admin):

Then I queried my groups:

I removed the unwanted groups one at a time:

I confirmed deletion using PowerShell – note that the Azure Portal will take a few minutes to realise that the groups were removed!

My example is done using groups, but the user version of the cmdlets should work too.
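The steps above as a script, using the same v1 (MSOnline) cmdlets. This is an added example, not the post’s own commands (the screenshots are not reproduced here); the guard that refuses to run while directory sync is still enabled is my own addition, and the user section is commented out so that nothing is deleted without a review first.

```powershell
# Added example: list and remove objects that were synchronised from on-premises AD but are
# now orphaned because Azure AD Connect is gone. Uses the v1 (MSOnline) cmdlets.
Import-Module MSOnline
Connect-MsolService            # sign in as a Global Administrator

# Guard (my assumption, not from the post): if sync is still enabled the objects belong to
# Connect and would simply be re-created on the next cycle, so stop here.
if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    throw 'Directory synchronisation is still enabled; disable it (Set-MsolDirSyncEnabled) first.'
}

# Synced objects carry a LastDirSyncTime; cloud-only objects have none. Review before deleting.
$orphanGroups = Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime } |
    Select-Object DisplayName, ObjectId, GroupType, LastDirSyncTime
$orphanGroups | Format-Table -AutoSize

# Remove one at a time by ObjectId (never by display name, which need not be unique).
foreach ($g in $orphanGroups) {
    Remove-MsolGroup -ObjectId $g.ObjectId -Force
}

# Confirm in PowerShell; the portal takes a few minutes to catch up.
Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime }      # expect an empty result

# Users follow the same pattern. -Synchronized filters to formerly synced accounts.
# Remove-MsolUser soft-deletes into the 30-day recycle bin; add -RemoveFromRecycleBin to purge.
Get-MsolUser -All -Synchronized | Select-Object UserPrincipalName, ObjectId, LastDirSyncTime
# Get-MsolUser -All -Synchronized | ForEach-Object { Remove-MsolUser -ObjectId $_.ObjectId -Force }
```

Keep the output of the review step; it is your record of which identities left the tenant and when, which is exactly the question an auditor or an incident responder will ask later.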

Feedback Required By MS – Storage Replica in WS2019 STANDARD

Microsoft is planning to add Storage Replica into the Standard Edition of Windows Server 2019 (WS2019). In case you weren’t paying attention, Windows Server 2016 (WS2016) only has this feature in the Datacenter edition – a large number of us campaigned to get that changed. I personally wrecked the head of Ned Pyle (@NerdPyle) who, when he isn’t tweeting gifs, is a Principal Program Manager in the Microsoft Windows Server High Availability and Storage group – he’s one of the people responsible for the SR feature and he’s the guy who presents it at conferences such as Ignite.

What is SR? It’s block-level, volume-based replication built into Windows Server; it works server-to-server, cluster-to-cluster, and inside a stretch cluster. The main idea was to enable replication of LUNs for companies that couldn’t afford SAN replication licensing. Some SAN vendors charge a fortune to enable LUN replication for disaster recovery, and SR is a solution for this.

A by-product of SR is a scenario for smaller businesses. With the death of cluster-in-a-box (manufacturers are focused on larger S2D customers), the small/medium business is left looking for a new way to build a Hyper-V cluster. You can do 2-node S2D clusters, but they have single points of failure (4 nodes are required to get over this) and require at least 10 GbE networking. If you use SR, you can create an active/passive 2-node Hyper-V cluster using just the internal RAID storage in your Hyper-V hosts. It’s a simpler solution … but it requires Datacenter Edition today, and in the SME and branch office scenario, Datacenter only makes financial sense when there are 13+ VMs per host.

Ned listened to the feedback. I think he had our backs and understood where we were coming from. So SR has been added to WS2019 Standard in the preview program. Microsoft wants telemetry (people to use it) and feedback – there’s a survey here. SR in Standard will be limited. Today, those limits are:

  • SR replicates a single volume instead of an unlimited number of volumes.
  • Servers can have one partnership instead of an unlimited number of partners.
  • Volume size limited to 2 TB instead of an unlimited size.

Microsoft really wants feedback on those limitations. If you think those limitations are too low, then TALK NOW. Don’t wait for GA when it is too late. Don’t be the idiot at some event who gives out shite when nothing can be done. ACT NOW.

If you cannot get the hint, complete the survey!

Online Windows Server Mini-Conference – June 26th

Microsoft wants to remind you that they have this product called Windows Server, and that it has a Windows Server 2016 release, a cool new administration console, and a future (Windows Server 2019). In order to do that, Microsoft will be hosting an online conference on June 26th with some of the big names behind the creation of Windows Server called the Windows Server Summit.

This event will have a keynote featuring Erin Chapple, Director of Program Management, Cloud + AI (which includes Windows Server). Then the event will break out into a number of tracks with multiple sessions each, covering things like:

  • Hybrid scenarios with Azure
  • Security
  • Hyper-converged infrastructure (Storage Spaces Direct/S2D)
  • Application platform (containers on Windows Server)

The event, on June 26th, starts at 5pm UK/Irish time (12:00 US Eastern) and runs for 4 hours. Don’t worry if this time doesn’t suit; the sessions will be available to stream afterwards. Those who tune in live will also have the opportunity to participate in Q&A.

Disable Already Removed Azure AD Connect

It’s possible that someone removes your Azure AD Connect server(s), and you then want to remove Azure AD Connect synchronisation from Azure AD. However, the Azure Portal does not give you the option to remove synchronisation. To get around this, you can use Azure AD PowerShell. In my example I used the v1 cmdlets, but the v2 cmdlets may well work too.

I logged into Azure AD:

Then I checked the current configuration:

I disabled Azure AD Connect synchronisation:

I then checked my work:

Straight over to the Azure Portal (Azure Active Directory > Azure AD Connect), and I verified that synchronisation was disabled:

[screenshot]
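The same sequence as a script, with the v1 (MSOnline) cmdlets the post used. This is an added example, not the post’s own commands; the seven-day “no recent sync” guard before the disable is my own addition, intended to stop you from switching off sync underneath a Connect server that is merely unknown to you rather than gone.

```powershell
# Added example: turn off directory synchronisation in the tenant after the Azure AD Connect
# server has already been removed. Uses the v1 (MSOnline) cmdlets.
Import-Module MSOnline
Connect-MsolService                    # Global Administrator

# Check the current configuration.
$info = Get-MsolCompanyInformation
$info | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, LastPasswordSyncTime

# Guard (my assumption, not from the post): a sync in the last week means a Connect server is
# still alive somewhere. Find it before you cut it off, or you will create a split brain.
if ($info.LastDirSyncTime -and $info.LastDirSyncTime -gt (Get-Date).AddDays(-7)) {
    throw "Last sync was $($info.LastDirSyncTime); a Connect server still appears to be running."
}

# Disable synchronisation. After this the formerly synced users and groups become cloud-managed
# and editable in the portal; the operation can take up to 72 hours to complete, and you cannot
# re-enable sync until it has finished.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# Check the work.
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled    # expect False
```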

Azure Management Groups

Microsoft has created a new administrative model for organisations that have many Azure subscriptions called Management Groups. With this feature, you can delegate permissions and deploy Azure Policy (governance) to lots of subscriptions at once.

The contents of this post are currently in preview and will definitely change at some point. Think of this post as a means of understanding the concepts rather than being a dummy’s guide to mouse clicking. Also, there are problems with the preview release at the time of writing – please read Microsoft’s original article before trying this out.

Note: Microsoft partners working with lots of customers, each in their own tenant, won’t find this feature useful. But larger organisations with many subscriptions will.

The idea is that you can create a management/policy hierarchy for subscriptions, as shown in this diagram from Microsoft:

[diagram: management group hierarchy]

The hierarchy:

  • Can contain up to 10,000 subscriptions in a single tenant.
  • It can span EA, CSP, MOSP, etc, as long as the subscriptions are attached to a single tenant.
  • There can be up to 6 levels of groups, not including the root (tenant) and the subscription.
  • A management group can have a single parent, but a parent can have many children.

Permissions

The tenant has a default root management group, under which all other management groups will be placed. Tenant = Azure AD, so we see a cross-over from Azure to Azure AD administration here. By default, the Global Administrator needs to elevate themselves to manage the default group. You can do this by opening the Azure Portal, browsing to Azure Active Directory > Properties, and setting Global Admin Can Manage Azure Subscriptions And Management Groups to Yes. Note what this toggle does: it grants your account the User Access Administrator role at the root scope (/), which is every subscription in the tenant. Treat it as a break-glass elevation and switch it off again once the management group work is done.

[screenshot]

Now you have what it takes to configure management groups.

Administration

Allegedly today we can use Azure CLI or PowerShell to create/configure management groups, but I have not been able to from my PC (updated today) or from Azure Cloud Shell. However, the Azure Portal can be used. You’ll find Management Groups under All Services.

Creating a management group is easy; simply click New Management Group and give the new group a unique ID and name.

[screenshot]

Here I have created a pair of management groups underneath the root:

[screenshot]

To create a child management group, open the parent and click New Management Group:

[screenshot]

I can repeat this as required to build up a hierarchy that matches my/your required administration delegation/policy model. How I’ve done it here probably isn’t how you’d do it.

[screenshot]

This is what the contents of the Lab management group look like:

[screenshot]

Delegating Permissions

In the old model, before management groups, permissions to subscriptions were created at the subscription level, leading to lots of repetitive work for large organisations with lots of subscriptions.

With management groups we can do this work once in the management group hierarchy, and then add subscriptions to the correct locations to pick up the delegations.

The “how” of managing the settings, memberships and permissions of a management group is not obvious. The buttons for managing a management group are hidden behind a “Details” link – not a button! See below:

[screenshot]

Once you click Details, the controls for configuring the settings and subscription memberships of a management group are revealed in a new, otherwise hidden, blade:

[screenshot]

Universal permissions should be assigned at the top level management group(s). For example, if I click Access Control (IAM) in the settings of the root management group, I can grant permissions to the root management group and, thanks to inheritance, I have implicitly granted permissions to all Azure subscriptions in my hierarchy. So a central Azure admin team would be granted rights at the default root management group, a division admin might be granted rights on a mid-level management group, and a dev might be given rights at a bottom-level management group.

Once you are in Details (settings) for a management group, click on Access Control (IAM) and you can grant permissions here. The users/groups are pulled from your Azure AD (tenant). As usual, users should be added to groups, and permissions should be assigned to well-named groups – I like the format of <management group name>-<role> for the group names.

[screenshot]

Azure Policy

You can create a new Azure Policy and save it to a management group. Microsoft recommends that custom policy definitions are saved at a level higher than the level at which you intend to assign them. The safe approach might be to save your custom policy definitions and initiative definitions at the root management group, and then assign them wherever they are required. Note that, just like permissions, any assigned initiative (recommended for easier ownership) or policy (not recommended due to ownership scaling issues) will be inherited. So if my organization requires Security Center to be enabled and OMS agents to be deployed for every VM, I can create a single initiative, stored at the root management group, and assign it to the root management group, and every VM in every subscription in the management group hierarchy will pick up this set of policies.

Here’s an example of where you can select a management group, subscription, or resource group as the target of an initiative definition assignment in Azure Policy:

[screenshot]

Adding Subscriptions

Right now, we have a hierarchy but it’s useless because it does not contain any subscriptions. THE SUBSCRIPTIONS MUST COME FROM THE CURRENT TENANT.

Be careful before you do this! The delegated permissions and policies of the hierarchy will be applied to your subscriptions, and this might break existing deployments, administrative models, or governance policies. Be sure to build this stuff up in the management group hierarchy first.

To add a subscription, browse to & open the management group that the subscription will be a part of – a subscription can only be in a single management group, but it will inherit from parent management groups.

Click Add Existing to add a subscription as a member of this management group. This is also how you can convert an existing management group into a child of this management group. A pop-up blade appears. You can select the member object type (subscription or another management group). In this case, I selected a subscription.

[screenshot]

The subscription will be registered in the management group hierarchy.

[screenshot]
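The whole procedure above (hierarchy, delegation, a definition stored at the root and assigned lower down, then a subscription moved in) as one script using the Az.Resources cmdlets. This is an added example rather than anything from the post, which used the portal; the group IDs, the Azure AD group object ID and the subscription ID are placeholders, and it assumes the account has already been elevated at the root as described under Permissions.

```powershell
# Added example: build and populate a management group hierarchy with Az.Resources.
# Group IDs, the AAD group object ID and the subscription ID are placeholders (assumptions).
Connect-AzAccount | Out-Null

# The tenant root management group's name is the tenant ID.
$rootName = (Get-AzContext).Tenant.Id
$rootId   = "/providers/Microsoft.Management/managementGroups/$rootName"

# Two groups under the root, then a child under Production.
New-AzManagementGroup -GroupName 'mg-production' -DisplayName 'Production' -ParentId $rootId | Out-Null
New-AzManagementGroup -GroupName 'mg-lab'        -DisplayName 'Lab'        -ParentId $rootId | Out-Null
$prodId = (Get-AzManagementGroup -GroupName 'mg-production').Id
New-AzManagementGroup -GroupName 'mg-prod-emea' -DisplayName 'Production EMEA' -ParentId $prodId | Out-Null

# Delegate once, at the lowest level that covers the need. A role at the root reaches every
# subscription in the tenant, so the root is for the central team only.
$prodAdmins = '00000000-0000-0000-0000-000000000001'   # object ID of AAD group "mg-production-Contributor"
New-AzRoleAssignment -ObjectId $prodAdmins -RoleDefinitionName 'Contributor' -Scope $prodId | Out-Null

# Check: who holds rights at the root? This list should be very short.
Get-AzRoleAssignment -Scope $rootId | Select-Object DisplayName, RoleDefinitionName, Scope

# Store the definition high (at the root), assign it lower (at Production), as Microsoft recommends.
$rule = @'
{
  "if":   { "field": "tags['owner']", "exists": "false" },
  "then": { "effect": "audit" }
}
'@
$def = New-AzPolicyDefinition -Name 'audit-owner-tag' -DisplayName 'Audit resources with no owner tag' `
    -Policy $rule -Mode Indexed -ManagementGroupName $rootName
New-AzPolicyAssignment -Name 'audit-owner-tag' -Scope $prodId -PolicyDefinition $def | Out-Null

# Only now move a subscription in; it inherits the Contributor grant and the policy from above.
New-AzManagementGroupSubscription -GroupName 'mg-prod-emea' -SubscriptionId '11111111-1111-1111-1111-111111111111'

# Check the result: the subtree with its children and subscriptions.
Get-AzManagementGroup -GroupName 'mg-production' -Expand -Recurse | Select-Object -ExpandProperty Children
```

The order matters for the reason the post gives under Adding Subscriptions: do the role and policy work first, inspect the root assignments, and move subscriptions in last, because the moment a subscription joins the tree every inherited grant and policy applies to it.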

Wrap-Up

And that’s management groups. Don’t waste your time with them if:

  • You’re a Microsoft partner looking for a delegation model with customer’s tenants/subscriptions because it just cannot be done.
  • You have only a single subscription – just do your work at the subscription level unless you want to scale to lots of subscriptions later.

If you have a complex organisation with lots of subscriptions in a single tenant, then management groups will be of huge value for setting up your RBAC model and Azure Policy governance at the organisational and subscription levels.

Azure Template DSC Never Starts

In this post, I’ll explain how I figured out a problem where I couldn’t get the Azure Resource Manager (ARM) JSON template DSC extension to execute. The problem below might explain why your DSC extension never appears to start, assuming that you have uploaded your DSC pack (zip file) to an accessible Internet location, and enter the URL and module names correctly in your template.

In my scenario, I wanted to deploy a domain controller as a VM on a virtual network. Normally, when you do this you would configure the DNS settings of the VNet to point at the desired static IP of the DC. For example, you’d create a NIC for the DC, set that NIC to have a static IP (10.0.0.4 for example), and then edit the DNS settings of the VNet to use the IP address of the DC’s NIC. In an ARM template, the resource dependencies would order that process as below:

[screenshot: FailedDcDscAzureJSON, the original template’s dependency order]

I configured my ARM template as above and everything was deploying … or so it appeared. The DSC extension appeared in the Portal and had a status of Created. However, when I used PowerShell to query things, I found it still had a status of Creating, and when I logged into the DC VM I found that nothing had happened. I don’t know how many hours I spent trying to figure out what I had done wrong. My emphasis on DNS above should give you a clue.

The virtual network had been configured to use the VM as its own DNS server, but the VM was not yet a DNS server because the DSC extension hadn’t added the roles or done the DCPROMO. So when the extension tried to download the DSC pack (zip file) from the Internet, it couldn’t; in fact, the VM couldn’t resolve any DNS names at all. I went looking at some of the sample ARM templates that do a DCPROMO and noticed a trend. They did the following using nested templates:

[screenshot: WorkingDcDscAzureJSON, the nested-template dependency order that works]

What changed? A nested template is used to deploy the virtual network using the default Azure DNS addresses (no configuration required). Now the new DC VM can access Internet resources via DNS names – and the DSC pack can be downloaded from the Internet and applied – adding the roles and executing the DCPROMO to make the machine a domain controller. The final step is to fix up the virtual network – so another nested template is executed to modify the VNet’s DNS settings to use the static IP address of the DC.
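If you would rather diagnose and repair this from the outside than restructure the template, the checks below do it with the Az.Compute and Az.Network cmdlets. This is an added example, not part of the original post; the resource group, VM, VNet and DC address are placeholders, and it assumes the VNet was deployed with Azure-provided DNS (as in the working template) so that the switch to the DC happens only after DSC has finished.

```powershell
# Added example: tell "Created" from "Creating", check what DNS the VNet hands out, and only
# after the DSC run has succeeded point the VNet at the new DC. Names and IP are placeholders.
$rg = 'rg-ad-lab'; $vmName = 'dc01'; $vnetName = 'vnet-lab'; $dcIp = '10.0.0.4'

# The portal blade said "Created"; the extension's own provisioning state tells the truth.
# The extension name is whatever the template called the resource, so list them all.
Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Status |
    Select-Object Name, ProvisioningState, @{ n = 'Status'; e = { $_.Statuses.Message -join '; ' } }

# DSC-specific detail (configuration log) for the stuck case.
Get-AzVMDscExtensionStatus -ResourceGroupName $rg -VMName $vmName | Select-Object Status, StatusMessage

# What resolver does the VNet hand to the VM? An empty list means Azure-provided DNS.
# If this already shows $dcIp while the VM is not yet a DC, that is the chicken-and-egg bug.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DhcpOptions.DnsServers

# Switch the VNet to the DC only once the DSC extension reports success.
$dsc = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName |
    Where-Object { $_.Publisher -eq 'Microsoft.Powershell' -and $_.ExtensionType -eq 'DSC' }
if ($dsc.ProvisioningState -eq 'Succeeded') {
    if (-not $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $vnet.DhcpOptions.DnsServers = @($dcIp)
    $vnet | Set-AzVirtualNetwork | Out-Null
    # NICs pick up new DHCP options on lease renewal; a restart is the reliable way to force it.
    Restart-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null
} else {
    "DSC extension is '$($dsc.ProvisioningState)'; VNet DNS left on the Azure-provided resolver."
}
```

The ordering is the whole point: Azure DNS stays in place until the extension state is Succeeded, which is the same dependency the nested-template approach expresses, just enforced from PowerShell rather than in JSON.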

London July 5-6: My Next Azure VM Training Course

My company, Cloud Mechanix, recently announced our latest dates for my custom-written hands-on training course, Starting Azure Infrastructure. We’ll be coming back to London on July 5-6 in Lancaster Gate – a location with easy public transport access and just a few minutes walk from the express train from Heathrow Airport.

We wrapped up Amsterdam last Friday. It was great fun with an interactive class overlooking the comings and goings at Schiphol Airport. Sadly, the weather was beautiful outside and we were cooped up talking cloud inside. I enjoyed the class and the feedback was awesome – here’s a sample:

Aidan runs a relaxed class that is both accessible and technically uplifting. Even a more experienced person will come away with new knowledge of Azure. The training is so updated that new functions are added daily.

 

Really enjoyed the course over the last couple of days. I would highly recommend Aidan for your Azure Training needs.

The “Starting Azure Infrastructure” Cloud Mechanix class in Amsterdam

Like I said earlier, we’re coming back to London on July 5-6 at the Lancaster Gate Hotel. The venue is not too expensive to stay at (by London prices) and the broadband was good. Two Underground lines pass very nearby, there is a bus stop around the corner, and Paddington Station is a 10-minute walk away. If you want to see some of London then the hop-on/off tours are also around the corner and it’s not that far from the various palaces and Kensington.

As usual with these classes, I update the content and distribute it two weeks ahead of the class – and then hand out further updates when we start if Microsoft adds anything – I added content on two new features that were added the night before we started in Amsterdam so our attendees had the very latest content. What’s the point in teaching something that some editor approved 9 months ago and is already out of date!?!? The content is suitable for anyone working with or planning to work with Azure VMs, IT pros or devs. Yes, newbies with some Windows Server/Linux and very basic networking knowledge will learn lots. But over the years, I’ve found that people who thought they knew Azure well have learned a lot too, particularly around best practices, design, security, and performance.

If you’re interested then please check out the course information.

Q&A Webinar with Ben Armstrong (Microsoft/Hyper-V)

Altaro are hosting an “AMA” webinar where you will get the chance to ask your burning questions to Ben Armstrong (previously known as The Virtual PC Guy), Principal Program Manager at Microsoft, and one of the brains behind Hyper-V … and thus the platform of Azure!

If you’ve ever wondered where some of my uber-detailed posts on odd little Hyper-V details came from … it was from Ben. He’s got tonnes of stories, lots of info, and this shouldn’t be missed if you have the chance to tune in.

AidanFinn.Com Migrated To Azure App Services

I’ve just migrated AidanFinn.com from a Windows Server 2012 R2 Azure virtual machine to an App Service (web app) running on the same App Service Plan as CloudMechanix.com.

[diagram]

This site, AidanFinn.com has been running on an Azure VM for the last few years. That has given me a lot of experience with running a production workload in Azure. Azure worked well. What really irked me was MySQL, running in the VM by the way. MySQL blew up once, and wouldn’t restore, so I had to restore the entire VM. And MySQL continues to be a pain, causing the site to crash, requiring full VM reboots.

I was facing an eventual upgrade of the VM (a migration in Azure) so I made the decision to reduce my maintenance workload. I decided to switch to PaaS, and let Microsoft do the work. I previously blogged how I deployed Cloud Mechanix (my Azure training business) onto an Azure app service plan. I also created a stub WordPress site for AidanFinn.com, running on the same plan. The two WordPress sites run in different app services (application pools) on the same WS2016 machine, managed by Microsoft. I have auto-scaling enabled, so although a single load-balanced VM instance is running today, another can be spun up automatically if the CPU/memory load requires it. Both sites are using Azure Database for MySQL instances, where Microsoft looks after MySQL for me. In other words, the VM, the guest OS, and the database system are managed by Microsoft. I manage the web content. Perfect!

The migration of AidanFinn.com has always been a challenge, from its origins as a “Joe Elway” blog on Live Spaces all the way through to its previous existence as an Azure VM. I remember the bad old days of exporting and editing multiple XML files to get a migration to work once. And this time was no different. The built-in WordPress Import refused to work. I tried another third-party plug-in and that wouldn’t work. Then I tried the All-In-One WP Migration plugin. It took hours to do a 1 GB export of the content and database from the VM. When I tried to do an import, I exceeded the 512 MB free limit, so I had to pay for the professional edition ($69 or so). The import also took ages, but the site was lifted and shifted exactly as it was.

Then it was time to add the custom domain names to the app service in the Azure Portal. A quick query with my DNS registrar (Blacknight) told me how to create the apex (@) records in their control panel, and I was done! I will look at hosting the domain in Azure, like I did with Cloud Mechanix, but all the Office 365 records will take time to create first.

[screenshot]

What about the old machine? DNS changes can take up to 24 hours to be seen everywhere (resolvers keep serving the old record until its TTL expires), so it will remain running until tomorrow afternoon. I have configured Auto Shutdown in the settings of the VM, with a notification to be sent to me by email first.

And that will be that! Both of my websites will be running on Azure App Services.

The App Service size is S1, costing ~€61.57/month. Each database will cost under €30 per month. Some blob storage (€0.02 per GB) is being used to back up the sites – restores have been tested! While the total is well above a $10 web hosting plan, I cannot use such plans, because I was kicked off of that platform when AidanFinn.com generated too much load. So it’s either VM or PaaS, and PaaS suits me more because there is less for me to maintain now that I am there.