Microsoft Azure AZ-800 — Section 10: Manage Windows Server and workloads by using Azure services Part 2

78. Understanding Azure Automation for hybrid workloads

One of the nice features that we get with Azure is Azure Automation. Azure Automation consists of several components and options that allow us to automate certain processes, both in our Azure virtual machine environment and in our on-premise environment.

Now, the first order of business for understanding this is to understand some of these different components. There are various components that take part in Azure Automation workloads. Number one, we have what is known as the Azure Log Analytics workspace. A Log Analytics workspace is basically a repository where log data can be gathered.

So for our cloud environment, as well as our on-premise environment, we can have agents that deliver log data into this Log Analytics workspace. And then, of course, we can generate all sorts of reports and gather information on the various things that are happening. Secondly, we have what’s called an automation hybrid worker solution.

So this is for the use of what’s called the runbook feature. If you look towards the bottom of the slide here, you’ll see it tells you what a runbook is: basically a collection of one or more action steps or, in other words, linked activities that need to be processed.

So whether you need to have some kind of service start or stop, or have a script run, or whatever it may be, this is what a runbook can do.

So, an automation hybrid worker solution: what this is going to allow you to do is create what are called runbook workers that can automate this process utilizing runbooks, and this will work in both the Azure cloud services and on-premise.

OK. The next thing is the automation account. The automation account is a component, a resource that you have to add in Azure, that allows you to support automation.

So right out of the gate, there are two resources you’ve got to have here: a Log Analytics workspace and an automation account. From there, you can create everything else, including a hybrid runbook worker. The hybrid runbook worker is a feature that lets you execute runbooks directly on a local environment as opposed to just a cloud environment. And you’ve also got what’s called a hybrid runbook worker group, which is nothing more than a group of runbook workers.

So, it’s just a way to group your runbook workers together. They’re going to interact with your services and, again, not only am I able to utilize this with my cloud services, I can also use this on-premise. And it works not just with Windows, but with Linux devices as well. Here’s a nice little visual for you. It gives you an idea of the flow of it all: you’ve got on-premise on the left side and Azure on the right side.

So you’ll notice that on-premise I’ve got a local server, and I’ve got some local resources I want to manage. From there, I could have the hybrid runbook worker group, and you’ll see there are two hybrid runbook workers in the picture there. They can be associated with these different services. They’re going to use port 443, which of course is HTTPS, to interact with Azure. And they can activate runbooks based on a sequence that I get to specify. They can also log everything that’s going on into the Log Analytics workspace. All right. Here is a simple look at the typical configuration steps that you would perform.

So you first start out by creating your Log Analytics workspace. You add the automation hybrid worker solution. You create your automation account. You link the automation account with the Log Analytics workspace. You then deploy a Log Analytics agent and connect your Log Analytics workspace.

So that’s how you’re going to connect your Log Analytics agent, for example on your servers, into your Log Analytics workspace. You’ll deploy a hybrid runbook worker group and a runbook worker on your on-premise Windows computers, or not just Windows, but Linux. You’ll then create a runbook in Azure Automation. This is going to be the series of steps you want to perform, and you can create a Run As account for authentication so that when this runbook automation occurs, it actually authenticates with the machines that it’s performing the action steps on. And then finally, you deploy the runbook on a hybrid runbook worker group, which of course is what’s going to activate all of it and get it all moving.

So those are the typical configuration steps. Obviously, some of this could happen in a slightly different order, but I would say that’s the typical way that you would perform this. Ultimately, what we’re gaining here is the ability to automate a series of tasks and action steps in our environment based on certain situations that occur, such as some kind of alert getting generated, some kind of service stopping, or something getting triggered. We’re able to have these runbooks that can kick in and take over. And this is the key point behind why Azure Automation is such a great thing.

79. Create runbooks to automate tasks on target VMs

It’s now time to take a look at how we can create runbooks using Azure Automation.

So, what we’re going to do is learn how to create a runbook, and we’re going to automate a PowerShell script that is going to be able to shut our VMs, our virtual machines, down in a resource group whenever we want.

OK, so here we are on portal.azure.com. And the first thing we need to do is create an automation account.

Now you may have already done this, but I’m just going to create a whole new automation account here.

So, I’m going to click the menu button here and go to resource groups, and I’m just going to go into this resource group here. It really doesn’t matter what resource group, but I’m going to use this one, Azure Adesoji, and then I’m going to click to create a resource, and we’re just going to do a search for the word automation. All right, so it’s going to pop everything up with automation, and this is what we want right here. This is our automation account, so we’re just going to click to create an automation account.

OK, it says give it a name. I’m going to call this runbook demo automation, and that’s going to be the name of it, for East US. All right. From there, I’m just going to click Review and create, then Create, and it doesn’t take very long to create an automation account. But once the automation account is created, we’ll be able to go to the resource and start adding our runbooks.

So here it is. It’s done. And if I want, I can click Go to resource. That’ll take me straight into the automation account.

So here is the automation account right here, and I want to show you a couple of things here. All right. First off, we have the standard stuff. We have the activity log and the access control for permissions on who can control all this, but we can go down here to where it says Inventory. If we click on Inventory, it’s going to show us if we have a Log Analytics workspace associated with it.

So, if we wanted to log everything going on with this automation, we could do that. We could create and associate a Log Analytics workspace. We’ve got change tracking. We’ve got this DSC, desired state configuration; not getting into that just yet. And then we’ve got update management. And then finally, what we care about right now is runbooks.

So, we’re going to go down and click on Runbooks. All right. It comes with a couple of tutorial ones that you can play around with. I’m going to click to create a runbook. All right. And we’re just going to call this Shut down my VM. That’s going to be the name of it. All right, it says runbook type. We’ll do PowerShell, though you have these other options here, especially if you’re going to do this with something like Linux. You can do a hybrid group for this, and you can actually do both. You can do Linux and Windows at the same time. Pretty cool.

So, runtime version: you can choose the version. I’m just going to go with this latest version here, and then give it a description if you want to. And then you click to create. Now, the next thing we need, in order for this runbook to work: it’s got to be able to authenticate. I’m going to create a Run As account that it’s going to be able to authenticate with, instead of hard-coding into this an actual user account that somebody who learned the password could utilize. This way it’s going to use a service principal, basically a service account, to do that.

So, we’ll just go back here. All right. And then from there, we’re going to scroll down, so we’re looking at our runbook, or I’m sorry, our automation account here; this is the runbook demo automation account. And again, if you forget how to get there, all you’ve got to do is go to the resource group where you created it and then find that automation account that you created.

OK, so there it is, right there. That’s how I get in there. And then if I scroll down, what I want to show you is down here: Run As accounts.

So, I need to create a Run As account. To actually create the account, I’m going to click right here where it says Create Azure Run As Account. All right. From there, I’m going to click to create, and it’s going to create me this Azure Run As account. Again, this is going to be the service principal account that it’s going to authenticate with in order to run the command against my virtual machines and all that fun stuff.

So once that’s done, we’ll be able to continue and we’ll be able to look at the credential itself.

Now that the account is created, I’m going to click on it and you can see this information right here tells you all about the display name, the thumbprint, the application ID, all that fun stuff.

Now, some of this stuff is going to be important when we utilize a PowerShell script; for example, the PowerShell script is going to grab this information. Namely, the things that are important are the thumbprint, which of course involves the digital certificate that’s going to be used for authenticating with this account, and then the application ID. And the tenant ID is going to play a role in that as well. But what will happen in PowerShell is you can create a simple little command that tells it just to go grab all of this and store it in memory, so that when the actual runbook runs, it’s able to authenticate no problem and grab all this information.

So you don’t necessarily have to write all this down, and I’ll show you this in a little script we’re going to write.

OK. All right.

So from there, I’m going to go back over here to the runbook demo automation. We’re going to go back up to Runbooks.

OK, the Runbooks blade is there, and there is the runbook that we created, right? And from there, we are ready to start creating the script. Now, one thing I would want to say is if you’re going to test this out, you’re going to need a virtual machine to test this out on. Right? So what I’m going to do before I go any further with this is open up another tab for my virtual machine.

So, I’m going to go right here. I’ve got another tab opening up that’s going to show my virtual machines. And I want to start my VM, so, I have a VM here called Server AIDS demo that I created earlier, and I want to make sure that it’s started. As you can see, the virtual machine is started; if it was not started, then this would not be grayed out and I would be able to start it.

So, it is started right now; it tells you the status is Running.

OK, so now I’m going to jump back over here and we want to make sure we know the name of this virtual machine as well. And we also need to know the resource group that this virtual machine is in.

OK, so those are two things you’re going to need to know. When you write your script, you need to know the name of the VM and you need to know the resource group that the VM is in. Here is the resource group that the VM is in. All right, the virtual machine. All right.

So now that I’ve got that information and I’ve created my Run As account, I’m going to go right here; I’m back over here on the runbook demo automation. I’m on the runbook.

OK. Remember, all you’ve got to do to get here is go to the resource group, find the automation account, runbook demo automation, go to Runbooks, and then find the runbook that you created earlier. Once that displays on the screen, Shut down my VMs, I’m going to go into that runbook and click Edit, and I’m now ready to edit it. Now, I’ve actually got a script that I’m going to paste in, but here’s the thing. You can generally create your own scripts that do whatever activities you want involving PowerShell against your VMs. You just have to learn the PowerShell code for what it is you want, but to use a Run As account, the beginning of your script is most definitely going to at least have this code right here in it.

So let’s look at what this code is doing.

So right here, I’m just declaring a variable. The variable is $connection, and the equals says, well, this is the stuff you want to store in that variable.

So, Get-AutomationConnection -Name AzureRunAsConnection.

Now, that’s the name of your Run As account.

So, if I go back over, I’m just going to right-click right here, open a new tab, and pop back over. Let’s look at our Run As account again. All right, so here we are on our automation account. We’re going to go down to Runbooks. I’m sorry, not Runbooks. We’re going to go down to Run As accounts. Here’s Run As accounts, and we’re going to click on our account and see what our account name is. Our account name is AzureRunAsConnection, so we want to make sure that matches in our little script here, which it does. Then we’re saying Connect-AzAccount.

Now, something else that’s important to understand here is that, just like you normally do on a server with PowerShell, you have to make sure you have what lets you run all of the cmdlets that you want within PowerShell. These are known as modules, right? A module is like a package of commands.

So you need to make sure that these are supported by your runbook. Now, to do that, if we jump back over to our automation account, opening up another tab here and popping back over to our automation account, we can scroll down here, and there is a blade called Modules under Shared Resources, and we can see all of the Azure module commands that are available. And as you can see, Az.Automation is available.

So, I’ve got all of the Az commands available. These Az commands are going to contain what is needed to connect to Azure and all that stuff.

So, we’re good. But if we ever needed to add an additional module, we can say add module and Microsoft gives you access to their gallery and you can see all these different commands that you can import if you needed to.

OK.

So this is definitely something you want to consider, especially if you try to run the command and you get an error that tells you the command is missing.

So, Connect-AzAccount, then -ServicePrincipal. That’s just to indicate that this is going to be a service principal that it’s using, and then -Tenant. And here’s where things are fun, because we don’t have to type all these crazy numbers out or paste them in, because we declared this variable here at the beginning. We can just simply say $connection.TenantID. It’s going to grab the tenant ID, and it’s going to grab the application ID. And if we scroll over: -CertificateThumbprint $connection.CertificateThumbprint grabs all that information, so I don’t have to go and paste all that in. You could paste it all in if you wanted to, going back over to this Run As account and pasting all that stuff in. But being able to use that variable that’s created on line number one here is going to make life easier.

OK, so then we’re declaring another variable called context.

OK. And then this is going to equal Get-AzContext. That’s just the Azure context and subscription ID and all that; in order to get your subscription ID, you have to know what Azure context you’re in. And so then you’ve got $subscription equals $context.Subscription.Name; that’s going to store that into memory.

So all of this is just putting stuff into memory so that it can easily be identified when you’re running these commands.

So then finally, we’re declaring a new variable down here, $azVM, which equals Get-AzVM and then the resource group name.

So there is the resource group name I told you earlier you need, and then you’re piping that to Select Name.

Now what’s interesting about that is it’s going to grab every name of every VM that’s in this resource group.

So what’s cool about this is we’re not just saying, hey, we want to stop one VM. We could have 20 VMs if we wanted inside this resource group, and we could have all of them get stopped at the same time. And so that’s what this is really going to do. This isn’t necessarily just going to stop one VM; it’s going to stop them all.

Now, if you just wanted to stop one VM, obviously you could. You could put a -Name and the name of the VM in there and you would just stop that one VM. This way, it’s going to grab all the names of the VMs, and then we’re going to do this little command here. This is a little bit of programming.

So, if you’re not familiar with programming, you may not be familiar with this command. There’s a command called foreach. A foreach is a loop; it means I want to perform an action against multiple objects. And then this dollar sign is a variable, and it’s basically saying $i in $azVM.Name. That means I want to perform an action against all of the items inside this variable.

OK. And the $i is going to represent each item individually as this command is being run separately, one at a time.

So then we’re saying Stop-AzVM -ResourceGroupName Azure RV, that’s my resource group name, -Name $i -Force, and the -Force makes it go through without stopping for any confirmation messages or anything like that.

OK. And so this is the actual command, of course, that’s going to be run, and it’s going to be run against every one of the objects inside this. The $i is going to represent each object as it’s cycling through individually. At that point, we are officially ready. We can test this out, and I highly recommend that you test it out. Go over here to the test pane, and at that point you can click Start; it takes maybe 30 seconds and then you’ll get a message. All right. I paused the video for a few seconds so this could run through, and it looks like it’s complete. It did go through successfully, even though it says errors in red. This is just to indicate that if there were any errors, it would have displayed those messages right here.
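
The script walked through above, reconstructed as an added example (it is not the instructor's file) with a resource group parameter and per-VM error handling so a failed sign-in or stop is visible in the job status. The ResourceGroupName parameter and the failed list are assumptions; Get-AutomationConnection exists only inside an Azure Automation job.

```powershell
# Added example: runbook that stops every VM in one resource group.
# Note: Microsoft retired Run As accounts on 30 September 2023. On a current
# automation account, sign in with "Connect-AzAccount -Identity" (managed
# identity) and grant that identity a VM-scoped role on this resource group only.
param(
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroupName   # hypothetical parameter, supplied at start/schedule time
)

# Make every failure terminating so the job cannot continue unauthenticated.
$ErrorActionPreference = 'Stop'

# Keep the sign-in inside this job's process only.
Disable-AzContextAutosave -Scope Process | Out-Null

# Line one of the walkthrough: load the Run As connection asset by name.
$connection = Get-AutomationConnection -Name 'AzureRunAsConnection'

# Sign in as the service principal using the values from the connection asset,
# so no tenant ID, application ID or thumbprint is pasted into the script.
$login = @{
    ServicePrincipal      = $true
    Tenant                = $connection.TenantID
    ApplicationId         = $connection.ApplicationID
    CertificateThumbprint = $connection.CertificateThumbprint
}
Connect-AzAccount @login | Out-Null

# Record which subscription the job is acting on.
$context      = Get-AzContext
$subscription = $context.Subscription.Name
Write-Output "Signed in to subscription '$subscription'"

# Every VM name in the resource group, as in the walkthrough.
$azVM = Get-AzVM -ResourceGroupName $ResourceGroupName | Select-Object Name

$failed = @()
foreach ($i in $azVM.Name) {
    try {
        # -Force suppresses the confirmation prompt, which a job cannot answer.
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $i -Force | Out-Null
        Write-Output "Stopped $i"
    }
    catch {
        # Keep going with the remaining VMs, but remember the failure.
        $failed += $i
        Write-Error "Could not stop ${i}: $($_.Exception.Message)" -ErrorAction Continue
    }
}

# Mark the job as failed if any VM could not be stopped.
if ($failed.Count -gt 0) {
    throw "Failed to stop: $($failed -join ', ')"
}
```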

So, it did go through successfully. In fact, if we jump back over to the virtual machine and refresh the screen, I’m going to refresh my browser and see if it’s now stopped. And as you can see, it is now officially stopped.

So, it did go through and successfully stopped the virtual machine; it would have actually stopped all virtual machines that were in that same resource group.

So from there, we go back over here. If we need to edit things any more, we can click Edit. But at that point we can save it, and then we can publish it if we want.

So, we’re ready to publish it and we’re going to go ahead and publish it.

So, it’s now published as an official runbook. And then what we can do is schedule it if we want, so we can go right here to Add schedule and say, add a schedule.

So let’s schedule this. Let’s say, Shut down timer, and we could set the dates we want this to happen, or have it happen as recurring. Maybe we want this to happen on a weekly basis every Friday; maybe we want our VMs to be shut down every Friday. We can set the date that it’s going to start and then have it happen every Friday. We can even set an expiration on that. But you can play around with that any way you want. At that point, you click to create your little schedule, and you’ve now officially created your schedule. All right.

So, very cool stuff there. And don’t forget, if we come back over here to our automation account, we can also do what’s called a hybrid worker group. A hybrid worker group allows us to go in and support Linux. We could add machines, Linux and Windows, and we could have our on-premise machines all tied into this runbook group as well.

So that’s what our hybrid worker group is going to do.

So you could set that up as well, and you could have a schedule for that also. All in all, runbooks are really cool. Of course, they can be complicated depending upon the type of scripting that you want to run. But this is where you’ve got to start understanding PowerShell in and out, so that if you needed to write some advanced scripting, you could. Don’t forget there is tons of this stuff out on the internet, where people have already written a lot of pretty advanced things, pretty advanced processes.

So, if you ran into a situation where there was something fancy that you needed to do for your job, chances are somebody might have already created a script that could do that and you’ve just got to go out there and do a little searching. But I highly recommend runbooks. Runbooks are really cool and can definitely assist you in making your life easier in the automation world.

80. Implement DSC to prevent configuration drift in IaaS machines

Another great feature that we have with the Azure automation account, along with runbooks and update management and all that, is a feature known as DSC. DSC is desired state configuration. It’s been in the Windows Server operating system for quite a while now, and what it essentially allows you to do is prevent something known as configuration drift. Configuration drift is a scenario in which there’s a certain piece of configuration that absolutely needs to be on our servers, and then somebody goes in and changes something by accident: stops or starts something, uninstalls a feature, or installs a feature that shouldn’t be there. DSC allows us to put some rules in place, with the help of a PowerShell script, that will monitor and make sure that certain features are always there, and you can also have certain features removed if they shouldn’t be there, or a certain service that always needs to be started or stopped, or whatever. So desired state configuration is a feature within the automation account that we can deploy that will enforce certain criteria that are absolutely necessary for certain server environments.

OK, so to do this, we’re going to start out on portal.azure.com. We’re going to go to the menu button here and go to resource groups. We’re going to locate the resource group where we have the automation account, and I have an automation account that I’ve created here called runbook demo automation, so I’m going to click on that. And then from there, I’m going to click on State configuration, which is DSC, desired state configuration. All right. I’m then going to click Add, and I’m going to add this virtual machine here. You want to make sure that that virtual machine is started.

So whatever virtual machine you’re going to add, you do need to make sure it’s started.

So Azure DC one is the virtual machine there, and the next thing I’m going to do is click to connect that virtual machine.

So from there, it’s going to use what’s called a registration key to register. It’s got two different keys that it can use, a primary and a secondary. If for some reason there was a problem with your primary key, this is going to help with the authentication process. I don’t have any node configuration names here. The refresh frequency is going to be every 30 minutes, and the configuration mode frequency every 15 minutes.

So, if you look at that, it tells you that the refresh frequency represents the frequency in minutes at which the DSC Local Configuration Manager is going to check with Azure.

OK. And then if you look at the second one, the configuration mode frequency, it tells you the frequency in minutes at which, as a background application, DSC attempts to implement the current configuration and make sure that the target node matches the configuration that we are configuring through DSC. All right. It’s going to do Apply and monitor, which means it’s going to apply it and monitor it. You can also choose Apply only, or Apply and autocorrect.

OK, so if there’s anything that it needs to fix, it can try and fix that. From there, I’m going to go ahead and click OK. And this usually takes about five minutes to process through.

So, we’re just going to go ahead and pause the video while this is connecting, and then I’ll start it back up.

Now, after that completes, it should say status Connected. We can click back on our automation account right here, where it says runbook demo automation. We’re just going to click to refresh. And once we refresh it, you should see that the computer here has been added. All right. And so, we’re good to go on that.

Now we have to consider how we want to implement DSC and what we want to implement with DSC.

Now, in my case, perhaps maybe there is a feature that I want to make sure is always installed on my server.

So, for example, if I pull up that server, this is the server I’m remotely connected into. If I go to Manage, Add Roles and Features, next, next, next: perhaps I want to make sure that the web server is always installed on this machine.

OK, so from there, I got to consider how I’m going to make that happen. All right.

Now, there are various ways that you can create configurations for desired state config. One is I can simply come up here where it says Compose configuration, give the configuration a name, and then use some of the existing ones that are already here. There are some pre-created ones that you can utilize; for example, if I wanted to make sure that PowerShell’s execution policy was set, I could create one called PS execution policy, and then I can click Next. Here’s a template, but what you’d want to do is alter the parameters right here to what you want those parameters to be. And then at that point, you would save and compile it.

Now, another option: if you go back over here, you can actually pull from their gallery.

So Microsoft actually gives us access to the gallery where we can upload to this.

So there’s a series of these that are available. And if you want to pull from their gallery, you can actually do that as well by clicking on the Gallery button. And here’s a list of a bunch of these pre-created state configurations that you can add.

So that’s another nice way: utilize their gallery. They’ve got lots and lots of uploaded options. Another option would be to go out to the internet and do a Google search on something you’re wanting to do, because people have created a lot of desired state configurations that you can use. Actually, the one I’m going to use is right here. I’ve got a very simple one, called configuration IIS. Node: this is the name of the server that I’m going to do this to. And then it’s just going to make sure that IIS is always present.

So, if it’s missing, it’s going to get installed.

So, I’m going to copy this, OK? And from there.

So this is the final thing you can do. If you come back over to Configurations, you can click Add and you can upload a file.

So, I’ve saved this little script to my desktop, and I’m just going to go to it and upload it.

OK, so there’s the file, uploaded now. I’m just going to give it the name. The name needs to be the same as you labeled it right here.

So, if you label this IIS, that’s what the name needs to be.

So, I guess I’m going to click OK, and then this is going to take just a moment. It’ll upload it and eventually it’ll show up right here. And as you can see, there it is right there. I should be able to click on that, and it will show you the status here. There are no compilation jobs found at the moment, so if I refresh my web browser.

Sometimes this does take just a moment. All right. And go back over to Configurations. All right, so we’ve got this ready to go. There are no errors or anything. It’s not giving me any errors.

So now what I’m going to do is go back over to our nodes, Azure DC one; we’re going to click on it and we’re now going to click to assign a node configuration. And there it is. There is the one we just created. We’re going to select that. We’re going to click OK, and it’s officially going to deploy that configuration out and it’s going to recheck it. It’ll try and recheck it every 15 minutes, depending upon what you set your interval to. But ultimately, it’s now going to deploy this down to Azure DC one.

OK, so I just jumped over to my Azure virtual machine here, and I did want to show you that after a few minutes, going back in here in Server Manager, you can see that IIS is showing up. In fact, I can go to Add Roles and Features, and next, next, next, and you can see the web server is there.

OK. Interestingly enough, we could actually remove IIS right now, and within a few minutes it would get added.

So your desired state configuration does work, and we’ve completed it successfully now.
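
A slightly fuller configuration of the kind this lesson describes, as an added example that is not the file uploaded in the video: it keeps IIS installed, keeps its service running, and keeps an unwanted feature removed. The configuration name EnsureWebServer, the node name WebNode and the choice of Telnet-Client are assumptions made for illustration.

```powershell
# Added example of a DSC configuration for Azure Automation State Configuration.
# EnsureWebServer and WebNode are hypothetical names. After compilation the
# node configuration to assign is listed as "EnsureWebServer.WebNode".
Configuration EnsureWebServer
{
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node 'WebNode'
    {
        # A feature that must always be installed (the IIS case from the lesson).
        WindowsFeature IIS
        {
            Ensure = 'Present'
            Name   = 'Web-Server'
        }

        # A service that must always be started. DependsOn makes DSC evaluate
        # it only after the IIS feature above is in place.
        Service W3SVC
        {
            Name        = 'W3SVC'
            State       = 'Running'
            StartupType = 'Automatic'
            DependsOn   = '[WindowsFeature]IIS'
        }

        # A feature that must never be installed (constructed choice).
        WindowsFeature TelnetClient
        {
            Ensure = 'Absent'
            Name   = 'Telnet-Client'
        }
    }
}

# Checks to run on the registered node itself, from an elevated
# Windows PowerShell 5.1 session (not part of the uploaded file):
#
#   Get-DscLocalConfigurationManager |
#       Select-Object ConfigurationMode, ConfigurationModeFrequencyMins, RefreshFrequencyMins
#   Test-DscConfiguration -Detailed
#
# ConfigurationMode decides what happens when drift is found:
#   ApplyOnly           - apply once, no further checks until a new configuration arrives
#   ApplyAndMonitor     - apply, then only report drift
#   ApplyAndAutoCorrect - apply, report drift, and re-apply the configuration
# A removed feature is put back automatically only under ApplyAndAutoCorrect.
```

The upload name must match the name after the Configuration keyword, which is the rule the lesson states when naming the uploaded file.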