January 2, 2020

Fixing the SQL / MySQL RP update procedure on Azure Stack Hub 1910

January 2, 2020

Anyone who has been running and operating Azure Stack Hub for a while is hopefully aware that there are a number of activities that need to take place to keep it up to date and supported. The most obvious one is updating the core infrastructure using the integrated update process. It’s made easier in that the main dashboard on the admin portal for your stamp informs you of the update status - if it’s up to date or if there’s an update to apply. When it comes to additional Resource Providers, you have to do the work your self. This post details how to fix the update process for the SQL and MySQL RP’s for systems running version 1910.

I’m making the assumption that you have already deployed the RP’s previously, and have access to the pfx file that contains the sqladapter certificate for your stamp.

Version 1910 of Azure Stack Hub requires version 1.1.47.0 of the SQL & MySQL Resource Providers.

The first thing you will need to do is download the respective RP install binaries:

SQL RP can be found here: https://aka.ms/azurestacksqlrp11470
MySQL RP can be found here: https://aka.ms/azurestackmysqlrp11470

Extract the contents of the downloaded file(s) on a system that has access to the PEP and also has the compatible Azure Stack Hub PowerShell modules installed for Azure Satck Hub 1910: https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-powershell-install?view=azs-1910

Create a directory in the location where you extracted the RP files called cert. You will need to copy the pfx file containing the certificate for the SQL adapter into this directory. This step is the same for both SQL and MySQL.

We need to modify the common.psm1 file in the Prerequisites folder, similar to an earlier blog post on deploying the RP (based on 1.1.33.0)

Taking a look at the file shows us the prerequisites for the function:

It expects the Azure RM module version to be 2.3.0 and that the installation path for the modules to be \SqlMyslPsh.
If following the official instructions for deploying the Azure Stack PowerShell module compatible with 1910, this will never work, so we need to modify the Test-AzureStackPowerShell function.

Change the $AzPshInstallFolder on line 82 from "SqlMySqlPsh" to "WindowsPowerShell\Modules"

Change the $AzureRmVersion on line 84 from "2.3.0" to "5.8.3"

We need some further changes to the function to ensure that the correct path for the module is evaluated:

Locate line 118/119 in the module.

We need to modify the path so it reflects that of the loaded module. Change the "AzureRM" to AzureRM.Profile", as highlighted in the images below.

N.B. - The instructions for the fix are also applicable for new SQL & MySQL Resource Provider deployments, as they use the common.psm1 module too.

Save the file and using the update script example tailored to your environment, the update should now work.

You should see status messages like below:

Overall, it takes approximately 50 minutes to run through the update.

Danny McDermott

December 9, 2019

Azure Stack Hub, Azure Stack

Rotating App Service Certificates on Azure Stack Hub

Danny McDermott

December 9, 2019

Azure Stack Hub, Azure Stack

If anyone has seen my previous post about using Lets Encrypt open source certificates with Azure Stack Hub may remember that those certs have a 90 day lifetime. This means that if you do use them, you’ll need to rotate your certificates on a more regular cadence than the normal 1 year with paid for third party cert authorities. For me, this isn’t a problem as it adds only a small amount of overhead to managing my stamps, assisted by helper scripts to generate the certs and some clear documentation on the process for rotating the core infra SSL Certs (found here).

What isn’t so clear is how to rotate the certs for your App Service PaaS infrastructure. I haven’t found any easily findable (is that a word?) reference to it in the online documentation. Not to worry, it’s actually a fairly simple process and I’ve recorded step-by-step how to perform it.

One thing I’ll point out first - you won’t find any alerts regarding impending App Service certificates expiration like you do with the core infrastructure, so you’ll have to make a note in your calendar for a suitable date to renew your certs, or just periodically check the admin portal.

From the Admin Portal, open up the App Service blade

Open the Secrets blade

From here you can check how many days you have left until your certs expire. As you can see in my case I have 11 days, so time to rotate!

Selecting the Rotate button brings up a new blade. From here you provide the locations of the Default App Service pfx cert, API pfx, FTP (or publishing) pfx and the SSO (or Identity Application) pfx, along with the corresponding passwords for these files.

Once you have entered these details and clicked OK, the Certificate Rotation status window will show you the progress of the task

You can navigate from this screen and do other tasks if you want. You can click on the Status button to check on the progress.

What you should see if the details you entered were validated.

The whole process took between 15-20 minutes. I wasn’t sure as I went and got a coffee!

Just to check that the certificates have actually been updated, I refreshed the Secrets blade and saw that the expiry was now 90 days, per the new Lets Encrypt certs I created.

Hopefully this is of some use to fellow Azure Stack Hub operators who haven’t had to update their App Service Certs yet, and remember, you won’t be alerted if they do expire!

Danny McDermott

December 6, 2019

Azure Stack Hub 1910 new private IP address range requirement

Danny McDermott

December 6, 2019

Anyone who follows Azure Stack Hub may well remember that back in update 1905, there were a couple of new infrastructure roles created (Infrastructure ring and Support Ring), in preparation for running containerized version of the infrastructure roles that run the AzsHub core. Here’s a screen grab of the release note for that release that I provide for convenience as the original article has been archived:

With update 1910, there is a new requirement before deploying the next update that an additional private /20 address is required for the containerized workloads. The release notes for the update gives some good detail on this requirement and why it is needed:

Once the 1910 update has been applied, you will soon see the following alert in the Admin portal:

The instructions link takes you to the release note link I posted above.

So, what do you have to plan for to implement this change? In reality, not much. The only requirements are to use a range in the IANA private IP Address ranges and that what you choose is not already in use within your network.

Private ranges you can use:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

With regards to checking whether the address range is already in use, you’ll have to check with your network team or consult your IPAM system.

With regards to actually adding the addresses, it is very straightforward.

Per the instructions in the release notes, you need to open a PEP session and run a simple PowerShell command.

For my environment, I chose 172.16.0.0/20 as the address range.

$creds = Get-Credential -Message "Enter cloud admin credentials" -UserName "mystamp\cloudadmin"
$pepIP = "mypepip"

$session = New-PSSession -ComputerName $pepIP -ConfigurationName PrivilegedEndpoint -Credential $creds

Invoke-Command -Session $Session -ScriptBlock {
    Set-AzsPrivateNetwork -UserSubnet 172.16.0.0/20

Here’s what you will see if the command has run successfully:

If you are lucky enough to have multiple stamps in your network, you can reuse the same address range for all installations. as it is only used internally by Azure Stack Hub.

Matthew Quickenden

November 6, 2019

Azure Stack, Azure Stack Hub, DevOps

Add a Service Connection to Azure Stack Hub in Azure DevOps

Matthew Quickenden

November 6, 2019

Azure Stack, Azure Stack Hub, DevOps

One of the key aspects of the system formally known as Azure Stack, now to be called Azure Stack Hub (ASH) is, that it is a target for automation. The chances are if you are considering running this at scale and you are deploying content through the portal UI, you’re probably doing it wrong.

ASH makes a great target for among other things a DevOps toolchain. I’m not sure if you have tried connecting from Azure DevOps portal but Azure DevOps has undergone a lot of changes and a lot of the documentation looks different.

I wanted to share the steps to create a ‘Service Connection’ from Azure DevOps. This is assuming you are using an Azure AD connected ASH Installation.

First, you’ll need to create a Service Principal in Azure AD.

The steps are shown here briefly below. Here are some detailed instructions if needed.
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Navigate to your Azure AD and register a new application

Register an application - Microsoft Azure.png

Make sure to copy the Application ID or Client ID, the Directory ID or Tenant ID into some temporarily like notepad

Next click ‘Certificates & Secrets’
Select ‘+ New Client Secret’
Enter a description and key expiry length
Make sure to copy the secret

You need to add this SPN you have just created to your Azure Stack Subscription through the Access Control (IAM). At this stage you might want to capture the Azure Stack Subscription ID and name for later.

2019-11-06 18_48_12-Users - Microsoft Azure Stack.png

Regarding Azure DevOps I am going to assume you already have an organization and project configured.

If you go to the Project Settings page, under the Pipelines section,
then select 'Service Connections’
click ‘New service connection’

Finally we can create the ‘Service Connection’ using ‘Service Principal Authentication’

You need to click the hyperlink ‘Use the full version of the service connection dialog’

Select ‘Azure Stack’ from the drop down list (obviously Azure DevOps hasn’t been told about the name change just yet)Complete the form and select ‘Verify Connection’And you’re done | Good luck on your Pipeline — Select ‘Azure Stack’ from the drop down list (obviously Azure DevOps hasn’t been told about the name change just yet)
Complete the form and select ‘Verify Connection’
And you’re done | Good luck on your Pipeline

Matthew Quickenden

October 30, 2019

Storage

Extending Storage into Azure Stack with iSCSI

Matthew Quickenden

October 30, 2019

Storage

If you understand Azure Stack and its storage you may know, Azure Stack storage is highly redundant. Meaning, if you are using NVMe or other flash style storage you can end up consuming very expensive storage with content that may not need that level of redundancy or quality of speed.

Working with Microsoft we have created a pattern to help explore some options for using the iSCSI protocol to mount iSCSI disks into your Azure Stack environment. A simple start is to set up a server that can present iSCSI targets to your IaaS systems and mount iSCSI disk inside your VMs. This means you can use the storage without dealing with share permissions or complex authentication as the storage is secured by IP and Chap authentication. This allows it to be used inside the Azure Stack environment as you see fit. This does open up options for large storage scenarios where you can serve storage up from your existing infrastructure, perhaps being able to leverage your existing investments with SAN or NAS infrastructure.

Below is a high-level overview of how this is implemented.

You can find more details and deployment scripts to help deploy and integrate into your own deployments and environments. There are of course many ways to serve up iSCSI storage this is meant as a stepping stone for you to explore what solutions are right for you and your business.

https://github.com/Azure-Samples/azure-intelligent-edge-patterns/tree/master/storage-iSCSI

We hope this unlocks some value or creates some scenarios to expand the possibilities Azure Stack can offer.