Microsoft Azure AZ-801 — Section 19: Troubleshoot Windows Server virtual machines in Azure Part 3

116. Troubleshoot disk encryption issues

Let’s talk now about dealing with disk encryption on a virtual machine. There isn’t really too much to worry about as far as troubleshooting this particular problem; there are only a couple of things that can come up here.

So, if we look at portal.azure.com, we’ll click the menu button here. I’m going to go to Virtual machines, and I’ve got one virtual machine set up here called Windows Server 2. If I click on Disks, you can see the disks associated with this virtual machine. There’s only one. Microsoft automatically encrypts the disk; in fact, you can’t disable encryption for a disk in Azure. Everything gets encrypted.

Now, one thing you should already be aware of is that you can let Microsoft manage the encryption key (a platform-managed key) or you can use what’s called a customer-managed key. One mistake people sometimes make is they come in here and say, okay, I don’t want a platform-managed key, I don’t want Microsoft to manage the key, I want to manage it myself with a customer-managed key. But when you come in here, it’s grayed out. There’s a reason for that, and it tells you right here: changes to encryption settings can only be made when the disk is unattached or the managing virtual machine is deallocated.

So, you can stop the virtual machine, and then you’ll be able to alter this. However, before you can do that, you still have to have an Azure Key Vault.

If you don’t have an Azure Key Vault, then even after you stop the virtual machine there’s not going to be anything for you to select.

So, you’ve got to have an Azure Key Vault, which you should already be familiar with; that’s something that has already been explained. The other thing to consider is this right here, and it’s the second most important thing: if you’re dealing with encryption, you have to have the authority to change any of this. So, you have to check IAM (Access control), that’s identity and access management, and make sure you have the proper role.

In my case, if I go to Role assignments and scroll down to the bottom, you can see that I’m the Owner, so I’ve got all the power I need to do this. But if you go to Add role assignment, you can look at the various roles available to you. For example, the Contributor role grants you full access to manage all resources but does not allow you to assign roles in Azure RBAC. So, you’ll be fine if you’re a Contributor, but you won’t be fine if you only have Reader permissions. That’s something to consider: you have to think about who has access to the disk, not just the virtual machine, but the actual disk itself, which is what we’re looking at here.
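The three prerequisites just described (VM deallocated or disk detached, a Key Vault present, a sufficient role on the disk itself) can be checked from Az PowerShell before touching the encryption blade. This is an added example, not code from the course; the resource group, VM and Key Vault names are assumptions, and the purge-protection and disk-encryption-set requirements are standard Azure behaviour the lecture does not mention.

```powershell
# Added example: prerequisite check before switching a VM's OS disk from a
# platform-managed key to a customer-managed key.
# Assumed names: resource group "rg-demo", VM "WindowsServer2", Key Vault "kv-demo".
$rg = 'rg-demo'; $vmName = 'WindowsServer2'; $kvName = 'kv-demo'

# 1. Power state: the encryption settings stay read-only unless the VM is deallocated.
#    A shutdown from inside the guest is not enough; it must be Stop-AzVM (deallocate).
$state = (Get-AzVM -ResourceGroupName $rg -Name $vmName -Status).Statuses |
    Where-Object Code -like 'PowerState/*' | Select-Object -ExpandProperty Code
$vm   = Get-AzVM -ResourceGroupName $rg -Name $vmName
$disk = Get-AzDisk -ResourceGroupName $rg -DiskName $vm.StorageProfile.OsDisk.Name
"Power state : $state"
"Disk state  : $($disk.DiskState)"           # Attached / Unattached / Reserved
"Encryption  : $($disk.Encryption.Type)"     # EncryptionAtRestWithPlatformKey = Microsoft-managed
if ($state -ne 'PowerState/deallocated' -and $disk.DiskState -ne 'Unattached') {
    Write-Warning 'Deallocate the VM (Stop-AzVM) or detach the disk before changing encryption.'
}

# 2. Key Vault: must exist. A customer-managed key is applied through a disk
#    encryption set, and that set refuses a vault without purge protection.
$kv = Get-AzKeyVault -VaultName $kvName -ErrorAction SilentlyContinue
if (-not $kv) {
    Write-Warning "Key Vault '$kvName' not found: create it before choosing a customer-managed key."
} elseif (-not $kv.EnablePurgeProtection) {
    Write-Warning "Key Vault '$kvName' has no purge protection; a disk encryption set cannot use it."
}

# 3. RBAC on the disk itself (not just the VM): Owner or Contributor can change it, Reader cannot.
#    -ExpandPrincipalGroups also counts roles inherited through group membership.
$me    = (Get-AzContext).Account.Id
$roles = Get-AzRoleAssignment -SignInName $me -Scope $disk.Id -ExpandPrincipalGroups |
    Select-Object -ExpandProperty RoleDefinitionName -Unique
"Roles on disk: $($roles -join ', ')"
if (-not ($roles | Where-Object { $_ -in 'Owner', 'Contributor' })) {
    Write-Warning 'No Owner/Contributor role on this disk; encryption changes will be refused.'
}

# 4. Audit trail: the same data as the portal's Activity log, scoped to this disk.
Get-AzLog -ResourceId $disk.Id -StartTime (Get-Date).AddDays(-7) |
    Select-Object EventTimestamp, Caller, OperationName, Status | Format-Table -AutoSize
```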

Again, there are two major things to think about. Number one, you have to shut the virtual machine down (so it’s deallocated) or detach the disk before you can change this, and you also have to have an Azure Key Vault, which you can always add by going to All services and creating one. Again, you should be familiar with that. Number two is IAM: you’ve got to make sure you’ve got permissions for this. If anybody’s messed with it, you can always go to the Activity log and see what changes somebody has made. Of course, in my case, I haven’t made any changes right now. Another thing to consider is that you can enable BitLocker inside the virtual machine itself.

So, you can have multiple layers of encryption here. If I go into the virtual machine, here’s the virtual machine, and I go to Server Manager, Manage, Add Roles and Features, I can enable the BitLocker capability right there. BitLocker Drive Encryption is already installed, as you can see. And if we go to Control Panel and open BitLocker Drive Encryption, there it is. If I try to turn it on, I get this problem. Why do I have this problem? Because I don’t have a TPM module, which in this case would be a virtual TPM module enabled on the host server.

Now, you can get around that using Group Policy, using gpedit.msc, or a domain GPO if the machine is part of a domain. So, if you absolutely wanted to enable BitLocker on the virtual machine, you can go under Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, then Operating System Drives, and it’s this one: Require additional authentication at startup. You enable that, and it allows BitLocker to work without a TPM. So, you click OK, and at that point you should be able to turn it on.

That’s another troubleshooting technique to think about. If you absolutely had to turn it on and you didn’t have access to a TPM chip in the server, that would be a way to deal with it. Ultimately, there’s not a whole lot to worry about as far as disk encryption goes, but those are the things I would recommend.
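Inside the guest, the same diagnosis (no TPM, is the no-TPM policy in effect, what state is the OS volume in) can be read with built-in cmdlets. This is an added example, not from the course; the registry values are the ones that Group Policy setting writes, the drive letter is an assumption, and note that Gen2 VMs deployed with Trusted Launch do get a virtual TPM, in which case Get-Tpm reports it present.

```powershell
# Added example: why "Turn on BitLocker" fails on an Azure VM, and whether the
# "Require additional authentication at startup" policy has been applied.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"

# Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Operating System Drives >
# "Require additional authentication at startup" writes these two values:
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$noTpmAllowed = ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)
"BitLocker allowed without a compatible TPM: $noTpmAllowed"

if (-not $tpm.TpmPresent -and -not $noTpmAllowed) {
    Write-Warning 'No TPM and the policy is not set: enable it (gpedit.msc or a domain GPO) and run gpupdate /force.'
}

# Current state of the OS volume. Without a TPM the protector will be a
# password or a startup key rather than a TPM protector.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```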

117. Troubleshoot storage

Let’s talk about troubleshooting storage for virtual machines in Azure.

The first thing to be aware of is that we need to know where our disks are and what kind of disks we’ve got, and we need to know how to check the activity log and so on. So, let’s take a look at that.

So, here we are on portal.azure.com. We’ll click the menu button, go to the Virtual machines blade, and I have a virtual machine called Windows Server 2 that I set up previously. I’m going to click on that, and from there I can look at my disks right here.

Now, you might have heard me say this before, but to modify a disk, usually you have to shut the virtual machine down.

So, you’re not going to be able to come in here and make a lot of changes or do a lot of configuration without the virtual machine shut down. Just like with encryption, this is all grayed out, as you can see.

The first step, if you’re dealing with some kind of disk issue, may be to shut the virtual machine down, which I can do very easily: I can come over to my virtual machine and just click Stop, and that will shut it down. But I’m not going to shut it down right now. I’m going to come over to Disks and click on the disk. One thing that’ll help if you’re having issues with the disk is to look at the performance counters we have available. Right now you can pick a time frame and see the disk I/O operations per second and the disk bytes per second. So, if things are going slow, it could be because you’re getting a massive amount of reads and writes on that disk, and that would be something you would definitely want to look into.

Another thing you can do is come over here to Monitoring, which ties into Azure Monitor, and look at various metrics right here.

Let’s take an even deeper look at what the disk is doing right now, for example write bytes per second, so it gives you a bit more information than what we were just looking at. And of course, you can save this chart, and you can create an alert as well if you need to be alerted when the disk reaches a certain level.

Those are the things to consider there. Another troubleshooting technique: if you’re struggling performance-wise, maybe it’s because you’re pushing the disk too hard, or maybe you don’t have enough space. Then you can readjust the size: shut the virtual machine down and change the size, or go to a higher performance tier. Of course, that’s going to cost you some money. As you can see, we’ve got Premium SSD, Standard HDD and Standard SSD. You can price that out, see what it’s going to cost you a month, and bump up the performance level if you need to. And the last thing to consider when troubleshooting a disk is that you can troubleshoot the disk from within the virtual machine itself.

So, here I’m inside the virtual machine that’s being hosted in Azure, and I have the same tools we’ve got on an on-premises server. First, I can go to Task Manager, and under Performance I can see some performance counters. The catch is that it isn’t focused much on disks, but before I blame a problem on the disk, I would always say check the CPU, the memory and so on first, and make sure it’s not something related to those. We’ve also got Resource Monitor; we can open that up, and you’ll see there is a Disk tab in Resource Monitor, so we can still dig a little into the disk and see what’s going on with it inside the virtual machine. And of course, the other thing that’s always available to us is Performance Monitor: we can go to Server Manager, open Performance Monitor and click the little plus sign, and we can add PhysicalDisk, for example, drop that down and add the various counters for PhysicalDisk. I can highlight which counter I’m looking at; there are lots of different counters here. You can also create a Data Collector Set, start it, and then view the report after a minute or so.

So, there’s that. The last thing, of course, is just good old Event Viewer. If the disk is having problems, it will log that into the System log right here. So, anything involving the disk having issues will be logged in Event Viewer, in the System log.

Those are the things you would think about and check. And speaking of checking, don’t forget the check disk command, chkdsk. If there’s some kind of bad sector, you can run chkdsk, which will assist you in locating any bad sectors. That’s not common inside an Azure virtual machine environment, but it’s definitely something you can consider if the machine wasn’t shut down properly. Ultimately, that’s it. Those are the different things you would need to look into as far as troubleshooting disk or storage problems with Azure VMs.
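The in-guest checks just walked through (CPU and memory first, then the PhysicalDisk counters, the System log, and a chkdsk-style scan) can be run from a PowerShell session on the VM instead of clicking through Task Manager, Performance Monitor and Event Viewer. This is an added example, not code from the course; the counter and provider names are the standard English Windows ones (localized systems use different names), and the 24-hour window and drive letter are assumptions.

```powershell
# Added example: in-guest storage triage on a Windows Server VM.
# 1. Counters: rule out CPU and memory, then look at disk IOPS, throughput, latency, queue.
$counters = @(
    '\Processor(_Total)\% Processor Time',          # check CPU before blaming the disk
    '\Memory\Available MBytes',                      # ... and memory
    '\PhysicalDisk(_Total)\Disk Transfers/sec',      # IOPS the guest is pushing
    '\PhysicalDisk(_Total)\Disk Bytes/sec',          # throughput
    '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer',  # latency; sustained > ~0.02 s is slow
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'   # queueing means the disk cap is being hit
)
# Five samples two seconds apart, averaged per counter.
$samples = Get-Counter -Counter $counters -SampleInterval 2 -MaxSamples 5
$samples.CounterSamples |
    Group-Object Path |
    ForEach-Object {
        [pscustomobject]@{
            Counter = ($_.Name -split '\\')[-1]
            Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 3)
        }
    } | Format-Table -AutoSize

# 2. System log: disk, NTFS and volume-manager warnings/errors from the last 24 hours.
#    Get-WinEvent throws when nothing matches, so the error is silenced.
$filter = @{
    LogName      = 'System'
    ProviderName = 'disk', 'Microsoft-Windows-Ntfs', 'Ntfs', 'volmgr'
    Level        = 1, 2, 3                     # Critical, Error, Warning
    StartTime    = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-Table -Wrap

# 3. Bad-sector / metadata check without taking the volume offline:
#    -Scan is the online, read-only part of chkdsk; run Repair-Volume -OfflineScanAndFix
#    (at a maintenance window) only if this reports corruption.
Repair-Volume -DriveLetter C -Scan
Get-Volume -DriveLetter C | Select-Object DriveLetter, HealthStatus, OperationalStatus
```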

118. Troubleshoot VM connection issues

Let’s talk now about troubleshooting connections to and from your virtual machine.

So, this is going to involve an Azure virtual machine trying to connect out to something, or something trying to connect into the Azure virtual machine.

So, we’ll start with something trying to connect out. Probably the most valuable tool for troubleshooting this is going to be Network Watcher. You can go to the menu button, go to All services and search for Network Watcher. In my case, I’ve got it right here, so I’ll just click on it. Then I have Topology, which gives me a visual of how my VNets and everything are set up. I don’t have a very big environment in this case: I’ve got one virtual machine connected to this virtual NIC, which is connected to this subnet, which I can click on and go look at. That subnet is connected to this VNet, and then I’ve got an NSG, a network security group, which is also very important for troubleshooting. And right here is the public address that I’ve got. Network Watcher is automatically enabled: if you have at least one VNet set up, it’ll automatically enable Network Watcher in that region.

Now, these tools right here are the ones that come in handy, like IP flow verify if I wanted to test a connection. Maybe let’s do outbound, and let’s say we wanted our machine to reach, say, Google’s server.

So, here is Google’s IP address. I’m just going to copy that and paste it in, and then the port is going to be 443, and we’ll click Check. It runs a test to tell us if that’s going to work, and as you can see, access is allowed.

Now, if I try this inbound, let’s see what happens. If Google tried to connect into my virtual machine, you’re going to see that it’s not going to allow it. It’s going to deny it, and it’s going to tell me why: because I have a security rule that says deny all inbound, and that’s because of an NSG. An NSG is a network security group, and a network security group is an IP filter list. You can use this for troubleshooting even on your virtual machines, so you can use it to troubleshoot an NSG if you’ve got one in the way.

For example, if I’ve got inbound, with an address like that and, maybe, port 443, I can click Check and it’s going to run an NSG diagnostic against that. It’s going to let me know if I’ve got some kind of NSG that’s not allowing that connection. As you can see, it says it’s denied, and the reason it’s denied is this NSG right here. So, I can click on that network security group and see what’s doing it.

So, Network Watcher is telling me that nothing allowed the traffic; the only rule that matched was this one. I wasn’t using RDP, so it didn’t match the RDP rule; it’s not coming from inside the VNet and it’s not from the internal load balancer, so it gets denied. That is what’s helping me troubleshoot. So that’s the idea: you could try various ports and see what kind of response you get for each one. This is a great solution for trying to figure out if there is some type of connectivity problem in your environment. You’ve got Next hop as well, which will tell you what the next hop is from the VM to a destination.

So, for example, if I was trying to go to Google from my virtual machine, I click Next hop, and it’s probably going to tell me I’m going right out to the Internet. That’s because in my VNets I don’t currently have routing set up with a bunch of VNets connected to each other.

So, as you can see, the next hop is just right out to the Internet. But if you did have a bunch of VNets connected together, then it’s got to route through those different VNets, and it would tell you which VNet it would go through next.

So, it could be that the reason traffic isn’t flowing is because you’ve got, maybe, an NSG attached to a subnet on a VNet that the traffic has to go through, and it’s being blocked. Here’s another thing involving NSGs: you’ve got Effective security rules. This will tell you which NSGs are associated with this virtual machine and which rules are actually in effect.

So, if you had multiple NSGs that your traffic was having to pass through, this would assist you in figuring that out. As you can see, there’s only one NSG that my traffic has to pass through for this virtual machine. This right here is for VPN troubleshooting; if you’ve got a VPN connection, you can use that. And then Packet capture will allow you to capture packets. Keep in mind that you can capture packets all you want, but it’s going to basically download the packet capture, and you can store it in a storage account or download it to a file. I could store it as a .cap file, and from there I could use Wireshark to open it up after it’s done capturing traffic. You can download Wireshark, just do a search for Wireshark, install it on your computer, and then open up that packet capture.

Those are the fundamental things to remember when it comes to troubleshooting your virtual machines. If you’re trying to connect into your virtual machine, let’s go over to Virtual machines real quick, click on our virtual machine and click Connect. If you’re connecting in over 3389 on Windows, you’ve got to make sure your NSG is allowing 3389 on the public address.

So, you’ve got to make sure there isn’t something blocking you. And there it is, there’s my rule right there. If that rule weren’t there, I wouldn’t be able to connect in through RDP, which is how I’m getting into my virtual machine. This is my virtual machine right here, and this is how I’m connected to it, through that 3389 rule. Ultimately, those are the things you want to consider when troubleshooting a connection issue in an Azure virtual machine.
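The same three Network Watcher checks from this section (IP flow verify outbound to 443 and inbound to 443 and 3389, Next hop, and Effective security rules) can be scripted with Az PowerShell, which is handy when you want to re-run them after every NSG change. This is an added example, not code from the course; the resource group and VM names are assumptions, 203.0.113.10 is a documentation-range placeholder for the outside host, and 8.8.8.8 stands in for the Google address copied in the lecture.

```powershell
# Added example: Network Watcher connectivity triage for one VM.
# Network Watcher must be enabled in the VM's region (it is, automatically, once a VNet exists)
# and the VM must be running for IP flow verify and effective-rule queries to work.
$rg = 'rg-demo'; $vmName = 'WindowsServer2'; $outside = '203.0.113.10'

$vm   = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic  = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$vmIp = $nic.IpConfigurations[0].PrivateIpAddress
$nw   = Get-AzNetworkWatcher -Location $vm.Location

# 1. IP flow verify. LocalPort is the VM's port; RemotePort is the other end's.
$flows = @(
    @{ Label = 'VM -> 8.8.8.8:443 (outbound HTTPS)'; Direction = 'Outbound'; Remote = '8.8.8.8'; LocalPort = 50000; RemotePort = 443 },
    @{ Label = "$outside -> VM:443 (inbound HTTPS)";  Direction = 'Inbound';  Remote = $outside;  LocalPort = 443;   RemotePort = 50000 },
    @{ Label = "$outside -> VM:3389 (inbound RDP)";   Direction = 'Inbound';  Remote = $outside;  LocalPort = 3389;  RemotePort = 50000 }
)
foreach ($f in $flows) {
    $r = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
        -Direction $f.Direction -Protocol TCP -LocalIPAddress $vmIp -LocalPort $f.LocalPort `
        -RemoteIPAddress $f.Remote -RemotePort $f.RemotePort
    # Access is Allow/Deny; RuleName names the NSG rule that decided it (e.g. DenyAllInBound).
    '{0,-42} {1,-5} by {2}' -f $f.Label, $r.Access, $r.RuleName
}

# 2. Next hop. With no peered VNets or user-defined routes this reports "Internet",
#    as in the lecture; a VirtualAppliance or VNetPeering hop points at the path to inspect.
$hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -SourceIPAddress $vmIp -DestinationIPAddress '8.8.8.8'
"Next hop to 8.8.8.8: $($hop.NextHopType) $($hop.NextHopIpAddress) (route table: $($hop.RouteTableId))"

# 3. Effective security rules: every NSG the traffic crosses (NIC- and subnet-level),
#    lowest priority number evaluated first, first match wins.
$eff = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rg
foreach ($g in $eff) {
    "NSG: $($g.NetworkSecurityGroup.Id)"
    $g.EffectiveSecurityRules | Where-Object Direction -eq 'Inbound' |
        Sort-Object Priority |
        Select-Object Priority, Name, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
        Format-Table -AutoSize
}
# An inbound 3389 rule with SourceAddressPrefix "*" is what makes the portal's RDP connect work;
# the usual hardening is to narrow that source to the admin network rather than remove the rule.
```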