
Virtual Geek

Tales from the real world of IT system administrators and non-production environments

WINDOWS VCENTER 6.5: VCENTER VPXD AND OTHER SERVICES MISSING OR NOT EXIST IN SERVICES.MSC

May 24, 2017 07:15PM

Recently, while troubleshooting VMware vCenter 6.5 on Microsoft Windows, I found that several essential services were missing from services.msc. Crucial services such as VMware vCenter Server (vpxd), VMware Single Sign-On and others were simply not listed. At first I assumed this was because the server had been upgraded from a previous version, but I saw the same thing on a fresh installation. Anyone who has worked with VMware for a while will find this odd, because services.msc is usually the first stop when vCenter Server is not working. It turns out to be one of the major changes in vCenter 6.5.

[Screenshot 1: services.msc on vCenter 6.5, with the AFD, AMQP, Certificate, Directory, CAF Management, DNS, Lifecycle Manager, vpxd, Single Sign-On and Security Token Service entries absent]

So the question is where those services went. VMware has an official KB article with the answer: How to stop, start, or restart vCenter Server 6.x services (2109881). It states: "Starting with vSphere 6.5, the vCenter Server services are not standalone services under Windows Service Control Manager (SCM). The vCenter Server Appliance services run as child processes of the VMware Service Lifecycle Manager service." In practice this means most components no longer appear in services.msc; they run as child processes of VMware Service Lifecycle Manager (vmware-vmon) and have to be managed with the service-control utility. Below are the service names (as used by service-control) and their display names.

Service name             Display name
vmware-imagebuilder      VMware Image Builder Manager
vmware-cm                VMware Component Manager
vmware-vpxd              VMware vCenter Server
vimPBSM                  VMware vSphere Profile-Driven Storage Service
applmgmt                 VMware Appliance Management Service
vmware-statsmonitor      VMware Appliance Monitoring Service
vmware-rhttpproxy        VMware HTTP Reverse Proxy
vmware-vapi-endpoint     VMware vAPI Endpoint
lwsmd                    Likewise Service Manager
vmafdd                   VMware Authentication Framework
vmware-vsm               VMware vService Manager
vmonapi                  VMware Service Lifecycle Manager API
vmware-perfcharts        VMware Performance Charts
vmware-updatemgr         VMware Update Manager
vmware-vmon              VMware Service Lifecycle Manager
vmware-vsan-health       VMware VSAN Health Service
vsphere-client           VMware vSphere Web Client
vmware-vpostgres         VMware Postgres
vmware-eam               VMware ESX Agent Manager
vmcam                    VMware vSphere Authentication Proxy
vmware-mbcs              VMware Message Bus Configuration Service
vmware-vcha              VMware vCenter High Availability
vsphere-ui               VMware vSphere Client
vmware-content-library   VMware Content Library Service
vmware-sca               VMware Service Control Agent
vmware-netdumper         VMware vSphere ESXi Dump Collector
vmware-vpxd-svcs         VMware vCenter-Services
vmware-rbd-watchdog      VMware vSphere Auto Deploy Waiter

All the required commands are installed under InstallationDrive:\Program Files\VMware\vCenter Server\bin. In my case the installation is on C:, and the following command lists the services that the Service Lifecycle Manager manages:

c:\Program Files\VMware\vCenter Server\bin\service-control --list

[Screenshot 2: service-control --list output from the vCenter Server bin directory]

To check the status of all services, run service-control --status. To view a single service, run service-control --status servicename.

[Screenshot 3: service-control --status output]

To restart a particular service, stop it and then start it again:
service-control --stop servicename
service-control --start servicename

If all services need to be restarted (stop and start), use --all. This takes the whole vCenter down, including the vSphere Web Client, so do it in a maintenance window:
service-control --stop --all
service-control --start --all

[Screenshot 4: service-control --stop and --start with --all]
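Because the stop/start sequence above is something you end up typing repeatedly, here is a small PowerShell wrapper around service-control that restarts one vmon-managed service and then verifies that it actually came back, instead of trusting the exit code. This is an added example, not code from the original post or from VMware. It assumes the default install path below, that service-control on Windows is the service-control.bat in that directory, and that service-control --status prints a "Running:" line and a "Stopped:" line each followed by a whitespace-separated list of service names (the layout seen on 6.5; adjust the parser if yours differs).

```powershell
# Added example (not from the original post): wrapper around service-control.bat on
# Windows vCenter 6.5. Assumptions: default install root, service-control.bat present,
# and --status output in "Running:" / "Stopped:" sections (adjust if your build differs).
$VcBin          = 'C:\Program Files\VMware\vCenter Server\bin'
$ServiceControl = Join-Path $VcBin 'service-control.bat'

function Get-VcServiceState {
    # Returns a hashtable: service name -> 'Running' or 'Stopped', parsed from --status output
    $state   = @{}
    $section = $null
    & $ServiceControl --status 2>&1 | ForEach-Object {
        $line = "$_".Trim()
        if ($line -match '^(Running|Stopped):') { $section = $Matches[1]; return }
        if ($section -and $line) {
            foreach ($name in ($line -split '\s+')) { $state[$name] = $section }
        }
    }
    return $state
}

function Restart-VcService {
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. vmware-vpxd
        [int]$TimeoutSeconds = 300
    )
    $before = Get-VcServiceState
    if (-not $before.ContainsKey($Name)) {
        throw "service-control does not know a service named '$Name'; use --list to see valid names."
    }
    # The KB documents stop followed by start, so do exactly that and check each exit code.
    & $ServiceControl --stop $Name
    if ($LASTEXITCODE -ne 0) { throw "stop of $Name failed with exit code $LASTEXITCODE" }
    & $ServiceControl --start $Name
    if ($LASTEXITCODE -ne 0) { throw "start of $Name failed with exit code $LASTEXITCODE" }

    # Verify the end state: vpxd in particular can take minutes before it is really up.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $now = (Get-VcServiceState)[$Name]
    } until ($now -eq 'Running' -or (Get-Date) -gt $deadline)
    if ($now -ne 'Running') { throw "$Name did not reach Running within $TimeoutSeconds s (last state: $now)" }
    Write-Host "$Name is Running"
}

# Usage, from an elevated PowerShell on the vCenter Server machine:
# Restart-VcService -Name vmware-vpxd
```

Run it from an elevated prompt on the vCenter Server itself; service-control needs local administrator rights. The verification loop matters more than the restart itself: service-control --start returns as soon as vmon has launched the process, so the only reliable signal that vpxd is back is the service turning up under Running in a fresh --status call.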

POWERSHELL INSTALLING AND CONFIGURING MICROSOFT ISCSI TARGET SERVER

May 22, 2017 02:45PM

In my previous blog I configured Microsoft iSCSI Target Server using the GUI; here I do the same task with PowerShell. The first command checks the status of the FS-iSCSITarget-Server role (running Get-WindowsFeature on its own lists all roles and features, which is how to find the exact role name). Run the commands in PowerShell as administrator; I am running them directly on Windows Server 2012 R2.

Get-WindowsFeature -Name FS-iSCSITarget-Server

Next, install the role itself, with all sub-features and the management tools:

Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeAllSubFeature -IncludeManagementTools

[Screenshot 1: Get-WindowsFeature and Install-WindowsFeature output for FS-iSCSITarget-Server, Success with no restart needed]

Next, create the virtual disk ahead of time so it can be mapped to a target later. Make sure you have enough disk space; New-IscsiVirtualDisk creates a dynamically expanding disk by default (add -UseFixed for a fixed-size disk).

New-IscsiVirtualDisk -Path "E:\iSCSIDisks\Esxi001boot.vhdx" -SizeBytes 8GB

[Screenshot 2: New-IscsiVirtualDisk output, dynamically expanding VHDX]

For the next step the initiator IQNs are required. I have already shown how to find the initiator IQN on an ESXi host in my earlier blog. The command below creates the target without any virtual disk attached. Each initiator ID is given as type:value; for IQNs the type prefix is IQN (IPAddress, DNSName and MACAddress are the other types). The two IQNs below are placeholders for your hosts' values.

New-IscsiServerTarget -TargetName "Boot-Esxi001" -InitiatorIds @("IQN:iqn.1998-01.com.vmware:esxi001", "IQN:iqn.1998-01.com.vmware:esxi002")

[Screenshot 3: New-IscsiServerTarget output with initiator IQNs]

The final step maps the iSCSI virtual disk to the target:

Add-IscsiVirtualDiskTargetMapping -TargetName "Boot-Esxi001" -Path "E:\iSCSIDisks\Esxi001boot.vhdx"

[Screenshot 4: Add-IscsiVirtualDiskTargetMapping output]

MICROSOFT WINDOWS 2012 R2 ISCSI TARGET STORAGE SERVER FOR ESXI AND HYPERV

May 22, 2017 08:47AM

Microsoft has shipped an iSCSI Target Server role since Windows Server 2012, so a Windows box can act as an iSCSI target (storage box). I use it instead of OpenFiler, FreeNAS or any other appliance for testing in my lab. I have even seen Dell ship a storage model (the NX3200) built on it, and organizations use it in production to serve data over iSCSI. Microsoft iSCSI Software Target 3.3 already existed as a separate download for the Windows Server 2008 line; from Windows Server 2012 onwards the same thing is built in as a role, so there is nothing to download and install separately. I think it is a good substitute for other small appliances because the role can be installed alongside other roles and features and share the same resources, so there is no extra server to manage.

[Diagram: Windows Server 2012 R2 iSCSI target serving ESXi and Hyper-V initiators, two storage NICs on separate switches, iSCSI on TCP port 3260]

On ordinary Ethernet networks with switches, the iSCSI protocol over TCP/IP is what you use to connect to remote storage (a SAN); other SAN protocols such as Fibre Channel need dedicated devices and hardware. In simple storage terms the iSCSI target is the storage box that presents LUNs (disks), and the iSCSI initiator (a client such as ESXi or Windows) consumes them over the LAN. This is not a file share that is mapped or mounted in the OS: it is block-level storage, which looks like a local disk to the OS and uses SCSI commands for I/O, so it can be formatted with the file system of your choice. That is the main difference between block-level and file-level storage (file-level storage is mapped or mounted, cannot be formatted by the client, and uses protocols such as SMB/CIFS or NFS).

In the diagram above I have two NICs connected to different switches for redundancy, which is the best practice: if either NIC or switch (on the storage side or the ESXi side) goes down, the data stays reachable, and it is all ordinary networking carrying the iSCSI protocol.

Below is the IP addressing scheme on my Windows iSCSI server. The Management adapter is purely for management connectivity (RDP and the like); the other two NICs carry iSCSI traffic only. Keeping storage traffic on its own segments also matters for security, because iSCSI data is not encrypted on the wire.

[Screenshot 1: NIC and IP addressing on the Windows iSCSI server, one management network and two iSCSI networks]

To install the iSCSI server role, open Server Manager and click Add roles and features. I kept all the defaults for Before you Begin, Installation type and Server selection. On Server Roles, tick File Server and iSCSI Target Server under File and Storage Services (File and iSCSI Services), click Next through Features and Confirmation, and finally click Install.

[Screenshot 2: Add Roles and Features wizard, File Server and iSCSI Target Server selected]

Once the role is installed, make sure TCP port 3260 is reachable on the iSCSI IPs above (the role adds Windows Firewall rules for itself; check that a host or edge firewall is not blocking it). Next is configuration: in Server Manager click File and Storage Services in the left pane, choose iSCSI, and click to create an iSCSI virtual disk, which starts the New iSCSI Virtual Disk Wizard (the same option is under Tasks). In the wizard, select the virtual disk location; this can be any drive, I chose C:\iSCSIDisks.

[Screenshot 3: New iSCSI Virtual Disk Wizard, virtual disk location]

Give the iSCSI virtual disk a name; it is a VHDX file. Check the file path.

[Screenshot 4: New iSCSI Virtual Disk Wizard, virtual disk name]

The next window is interesting: it shows the free space on the selected location, and a disk of up to that size can be created. With Fixed size all 8 GB is allocated up front, similar to a VMware lazy-zeroed thick disk (if Clear the virtual disk on allocation is selected, the whole file is filled with zeros first, which takes time and is comparable to an eager-zeroed thick disk). Dynamically expanding allocates space as data is written (like a VMware thin-provisioned disk).

Differencing has its own use case: it is the same idea as a VMware linked-clone disk and saves a lot of disk space and time. Once the base disk is created it is used read-only, and all changes are written to the child disk. If the base disk is gone, so is everything.

I am going with Dynamically expanding: the VHDX grows as data grows and saves some space.

[Screenshot 5: virtual disk size options, Fixed size, Clear the virtual disk on allocation, Dynamically expanding, Differencing]

As this is a new deployment, create a new iSCSI target and assign the disk just created to it. Multiple targets can be created to grant or restrict access to initiators (access is granted to an initiator per iSCSI target, not per virtual disk).

[Screenshot 6: assigning the disk to a new iSCSI target]

Provide target name and description.

[Screenshot 7: target name and description]

For the next step I need the IQN of the client initiator; I take it from the ESXi software iSCSI adapter. It is the iSCSI equivalent of a WWN or MAC address for the adapter. The target uses it to identify the initiator and grant access to the virtual disks (LUNs), and it can simply be copied and pasted.

[Screenshot 8: ESXi software iSCSI adapter (vmhba) showing the initiator IQN]

Once the IQN is copied, add the initiator ID with type IQN. Other types (IP address, DNS name, MAC address) can also be used; for simplicity I am using the IQN.

[Screenshot 9: adding the initiator ID with type IQN]

Communication between the iSCSI target and the initiator can be authenticated with CHAP. This is the only real security option in the wizard: the initiator ID check above only identifies the initiator, it does not authenticate it, because an IQN is not secret and any host that can reach port 3260 can present one. For simplicity I am not enabling CHAP in the lab and clicking Next; outside a lab, enable it (and reverse CHAP, so the initiator also verifies the target) and keep iSCSI on its own network.

[Screenshot 10: Enable CHAP authentication and Enable reverse CHAP options]

On the confirmation page verify the configuration and click create.

[Screenshot 11: confirmation page]

That is the end of a successful configuration of the Windows iSCSI target; the status shows Completed.

[Screenshot 11: results, all steps completed]

This is the last and important setting: go to Servers in the left menu, right-click the storage server, choose iSCSI Target Settings, and select the IP addresses (NIC interfaces) that may serve iSCSI requests. Leaving the management NIC out of this list keeps iSCSI off the management network.

[Screenshot 12: iSCSI Target Settings, network addresses used for iSCSI storage requests]

As you can see, my target and virtual disk are in place, and the VHDX file is small; it will grow as data is written.

[Screenshot 13: configuration completed, iSCSI virtual disks and targets listed]
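The two iSCSI posts above (the PowerShell one and this GUI walk-through) build the same target but skip the hardening steps: CHAP, binding the target to the storage NICs only, and scoping the 3260/TCP firewall rule. The script below is an added example that is not code from either post; it builds the target end to end with those pieces in. Everything in the variables at the top is a placeholder for your lab (disk path, target name, ESXi IQNs, NIC addresses, management IP, initiator subnets, CHAP secret), and the LunMappings property used for the idempotency check is an assumption about the IscsiServerTarget object.

```powershell
# Added example, not part of the original posts. Run in an elevated PowerShell on the
# Windows Server 2012 R2 iSCSI target. All values below are placeholders for your lab.
$DiskPath     = 'E:\iSCSIDisks\Esxi001boot.vhdx'
$TargetName   = 'Boot-Esxi001'
$InitiatorIqn = @('iqn.1998-01.com.vmware:esxi001', 'iqn.1998-01.com.vmware:esxi002')
$IscsiNicIPs  = @('192.168.10.10', '192.168.20.10')      # the two storage-only NICs from the diagram
$MgmtIP       = '10.10.10.10'                            # management NIC, must NOT serve iSCSI
$IscsiSubnets = @('192.168.10.0/24', '192.168.20.0/24')  # where the initiators live

# 1. Role, disk, target and mapping (idempotent: re-running does not create duplicates)
if (-not (Get-WindowsFeature -Name FS-iSCSITarget-Server).Installed) {
    Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools | Out-Null
}
if (-not (Test-Path $DiskPath)) {
    New-IscsiVirtualDisk -Path $DiskPath -SizeBytes 8GB | Out-Null      # dynamically expanding by default
}
if (-not (Get-IscsiServerTarget -TargetName $TargetName -ErrorAction SilentlyContinue)) {
    # Initiator IDs are "type:value". The IQN is an identity claim the client asserts, not a secret.
    $ids = $InitiatorIqn | ForEach-Object { "IQN:$_" }
    New-IscsiServerTarget -TargetName $TargetName -InitiatorIds $ids | Out-Null
}
$target = Get-IscsiServerTarget -TargetName $TargetName
if (@($target.LunMappings.Path) -notcontains $DiskPath) {             # LunMappings: assumed property name
    Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $DiskPath
}

# 2. CHAP is the only authentication the target offers; the IQN list is just scoping.
#    Windows iSCSI Target requires a CHAP secret of 12 to 16 characters.
$chapUser = 'esxi-boot'
$chapPass = ConvertTo-SecureString 'ChangeMe-16chars' -AsPlainText -Force   # placeholder secret
$chap     = New-Object System.Management.Automation.PSCredential($chapUser, $chapPass)
Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $chap

# 3. Serve iSCSI on the storage NICs only; explicitly disable the management address.
foreach ($ip in $IscsiNicIPs) { Set-IscsiTargetServerSetting -IP $ip -Enable $true }
Set-IscsiTargetServerSetting -IP $MgmtIP -Enable $false

# 4. The role installer opens 3260/TCP; narrow the rule's remote scope to the initiator subnets.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq '3260' } |
    Set-NetFirewallRule -RemoteAddress $IscsiSubnets

# 5. Show what was built
Get-IscsiServerTarget -TargetName $TargetName | Format-List TargetName, InitiatorIds, LunMappings
Get-IscsiTargetServerSetting
```

Configure the same CHAP user name and secret on the ESXi software iSCSI adapter before rescanning, otherwise the login will now be rejected. The order of steps 2 and 3 is deliberate: CHAP is applied before the target is exposed on the storage NICs, so there is no window in which the LUN is reachable without authentication.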

AWARDED VMWARE VEXPERT AGAIN FOR 2017

February 9, 2017 08:49AM

I am honored today again to see the announcement that I was awarded the title vExpert for the 4th year in a row.

vExpert is a title that VMware awards to those that have made significant contributions to the VMware community.  The title doesn’t show a particular level of technical expertise; but rather shows that those awarded have a strong desire to share what knowledge they have with others.  Most vExperts either blog, are VMUG leaders, speak at local events, contribute on the VMTN boards, or even speak at large events like VMworld.

[Image: VMware vExpert badge, vcloud-lab.com, Kunal Udapi]

See the entire list here: https://blogs.vmware.com/vmtn/2017/02/vexpert-2017-award-announcement.html

MICROSOFT AZURE POWERSHELL: CLONING (COPYING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL

January 26, 2017 07:14PM

CREATE NEW NSG (NETWORK SECURITY GROUP - VIRTUAL FIREWALL ACL) ON MICROSOFT AZURE
POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)

I had a task to clone or copy an existing NSG with Azure PowerShell. I already have a template Network Security Group with all the rules created in it. Since what I need is the rules, the command below stores them in a PowerShell variable. This does not copy the default security rules; only the manually created rules are stored.

$TemplateNSGRules =  Get-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' | Get-AzureRmNetworkSecurityRuleConfig

[Screenshot: Get-AzureRmNetworkSecurityGroup | Get-AzureRmNetworkSecurityRuleConfig output from the template NSG]

Since I only need the rules, I create a new, empty NSG.

$NSG = New-AzureRmNetworkSecurityGroup -ResourceGroupName 'POC-VPN' -Location 'East US 2' -Name 'Copy-of-Windows-NSG'

Next, a foreach loop copies all the rules from the template NSG into the newly created one. The rules are added to the in-memory $NSG object and committed to Azure once at the end, rather than once per rule.

foreach ($rule in $TemplateNSGRules) {
    # Add-AzureRmNetworkSecurityRuleConfig modifies $NSG in place; Out-Null hides the echoed object
    $NSG | Add-AzureRmNetworkSecurityRuleConfig -Name $rule.Name -Direction $rule.Direction -Priority $rule.Priority -Access $rule.Access -SourceAddressPrefix $rule.SourceAddressPrefix -SourcePortRange $rule.SourcePortRange -DestinationAddressPrefix $rule.DestinationAddressPrefix -DestinationPortRange $rule.DestinationPortRange -Protocol $rule.Protocol | Out-Null # -Description $rule.Description (uncomment if every template rule has a description)
}
$NSG | Set-AzureRmNetworkSecurityGroup   # one commit for all rules

[Screenshot: New-AzureRmNetworkSecurityGroup and Add-AzureRmNetworkSecurityRuleConfig output for the copied rules]

The same approach works for importing an NSG from an Excel/CSV file. Follow this article to create the CSV file: POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL. To import:

$TemplateNSGRules = Import-CSV -Path C:\Temp\TestNSG01.csv 

Create a new empty NSG and run the foreach script block shown above. One caveat: if the CSV was written with Select * and your AzureRM.Network version stores address prefixes and port ranges as lists, those columns contain a .NET type name instead of the values; check the CSV before importing.
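The plain foreach above works for a handful of rules, but it silently trusts its input: a CSV column that holds a type name instead of a prefix, or two rules that land on the same priority, only surfaces as an error from Azure halfway through. The function below is an added example, not the post's own code, that takes rules from either a live NSG or an Import-Csv result, normalises list-valued fields (accepting a List[string], a single string, or an 'a;b;c' string as written by the export example later on this page), refuses priority clashes up front, and commits once. It assumes the AzureRM module is loaded and Login-AzureRmAccount has been run; all names are placeholders.

```powershell
# Added example (not the post's own code). Assumes AzureRM.Network loaded and an Azure login.
function Copy-NsgRule {
    param(
        [Parameter(Mandatory)]$Rules,        # PSSecurityRule objects or Import-Csv rows
        [Parameter(Mandatory)]$TargetNsg,    # object from New-/Get-AzureRmNetworkSecurityGroup
        [switch]$SkipExisting                # leave rules that already exist (same name) untouched
    )
    # Accept a List[string], a single string, or 'a;b;c' and return a clean string[]
    $toList = { param($v) @(("$($v -join ';')" -split ';') | Where-Object { $_ -ne '' }) }

    $existing = @($TargetNsg.SecurityRules | ForEach-Object Name)
    foreach ($r in $Rules) {
        if ($SkipExisting -and $existing -contains $r.Name) { continue }

        # Priorities must be unique per direction; fail loudly rather than let Azure reject the commit later
        $clash = $TargetNsg.SecurityRules | Where-Object {
            $_.Direction -eq $r.Direction -and [int]$_.Priority -eq [int]$r.Priority -and $_.Name -ne $r.Name
        }
        if ($clash) { throw "Priority $($r.Priority) ($($r.Direction)) already used by '$($clash.Name)' in $($TargetNsg.Name)" }

        $splat = @{
            Name                     = $r.Name
            Direction                = $r.Direction
            Priority                 = [int]$r.Priority
            Access                   = $r.Access
            Protocol                 = $r.Protocol
            SourceAddressPrefix      = & $toList $r.SourceAddressPrefix
            SourcePortRange          = & $toList $r.SourcePortRange
            DestinationAddressPrefix = & $toList $r.DestinationAddressPrefix
            DestinationPortRange     = & $toList $r.DestinationPortRange
        }
        if ($r.Description) { $splat.Description = $r.Description }   # skip when empty, as the post found
        $TargetNsg = $TargetNsg | Add-AzureRmNetworkSecurityRuleConfig @splat
    }
    return $TargetNsg | Set-AzureRmNetworkSecurityGroup   # single round trip to Azure
}

# Usage: from a live template NSG ...
$src = Get-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' | Get-AzureRmNetworkSecurityRuleConfig
$dst = New-AzureRmNetworkSecurityGroup -ResourceGroupName 'POC-VPN' -Location 'East US 2' -Name 'Copy-of-Windows-NSG'
Copy-NsgRule -Rules $src -TargetNsg $dst
# ... or from the exported CSV
Copy-NsgRule -Rules (Import-Csv -Path C:\Temp\TestNSG01.csv) -TargetNsg $dst -SkipExisting
```

Multi-value prefixes and port ranges need an AzureRM.Network version whose rule cmdlets accept string arrays; with an older module each field must hold exactly one value, and the normalisation still works because a one-element array binds to a string parameter. Review the rules before copying them into a new environment: a template written for a lab often has '*' sources on management ports that should not travel with it.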

MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)

January 23, 2017 02:18PM

This post is based on the article CREATE NEW NSG (NETWORK SECURITY GROUP - VIRTUAL FIREWALL ACL) ON MICROSOFT AZURE. It covers the same task, but with PowerShell. The command below creates a new NSG with no custom security rules. Three parameters are required, -Name, -ResourceGroupName and -Location, and they are self-explanatory. The new NSG object is stored in the $NSG variable, which I need in order to add inbound and outbound rules.

$NSG = New-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' -Location 'East US 2'

The newly created network security group has no custom rules yet (only the three default security rules in each direction), so I create one with the command below. Note that this rule allows RDP from any source ('*'); outside a lab, restrict -SourceAddressPrefix to the address range your administrators connect from.

$NSG | Add-AzureRmNetworkSecurityRuleConfig -Name 'rule-default-allow-RDP' -Direction Inbound -Priority 100 -Access Allow -SourceAddressPrefix '*'  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389 -Protocol Tcp  -Description 'RDP exception for Windows'

Parameters breakdown
-Name: the name of the rule within the NSG.
-Direction: Inbound or Outbound.
-Priority: rule priority, between 100 and 4096; the lower the number, the higher the precedence.
-Access: Allow or Deny.
-SourceAddressPrefix: an IP address or subnet range; * means any IP. The source is the machine that initiates the connection to the destination.
-SourcePortRange: port range of the source; * means any port.
-DestinationAddressPrefix: an IP address or subnet range; the destination is the Azure VM or service.
-DestinationPortRange: here I am opening only port 3389 on the Azure virtual machine, for RDP.
-Protocol: Tcp, Udp or * (both).
-Description: at the time of writing this field is not shown in the Azure Resource Manager portal and can only be set through PowerShell. It is good practice to document the purpose of the rule here.


The rule is now created, but the change has not been committed to Azure; it exists only in the local PowerShell object.

[Screenshot: Add-AzureRmNetworkSecurityRuleConfig output, rule not yet committed]

To commit the new security rule to the NSG, execute the command below. On success the new rule shows ProvisioningState as Succeeded, which you can compare in the screenshots above and below.

$NSG | Set-AzureRmNetworkSecurityGroup

[Screenshot: Set-AzureRmNetworkSecurityGroup output, ProvisioningState Succeeded]

Use the command below to look at an existing NSG.

Get-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN'

[Screenshot: Get-AzureRmNetworkSecurityGroup output]

Then use this one-liner to check a specific security rule in the NSG.

Get-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' | Get-AzureRmNetworkSecurityRuleConfig -Name 'rule-default-allow-RDP'

[Screenshot: Get-AzureRmNetworkSecurityRuleConfig output for rule-default-allow-RDP]

Associating the NSG with a VM NIC is straightforward:

$VMNetworkInterface = Get-AzureRmNetworkInterface -Name 'NIC_Interface' -ResourceGroupName POC-VPN
$VMNetworkInterface.NetworkSecurityGroup = $NSG
$VMNetworkInterface | Set-AzureRmNetworkInterface

[Screenshot: Get-AzureRmNetworkInterface and Set-AzureRmNetworkInterface output]

Next is associating the network security group with a virtual network subnet. First I need the existing vNet, stored in the $vNet variable.

$vNet = Get-AzureRmVirtualNetwork -ResourceGroupName 'POC-VPN' -Name 'POC-VPN-vNet'

Then update the existing subnet. Make sure you pass the subnet's current address prefix: -AddressPrefix is mandatory here, and a different value would change the subnet itself.

Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vNet -Name 'Default' -NetworkSecurityGroup $NSG -AddressPrefix '10.0.0.0/24'

[Screenshot: Get-AzureRmVirtualNetwork and Set-AzureRmVirtualNetworkSubnetConfig output]

This last command commits the subnet association to Azure.

Set-AzureRmVirtualNetwork -VirtualNetwork $vNet
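The procedure above, repeated as one script but with the rule set a reviewer would actually accept: RDP scoped to an administrator address range instead of '*', priority gaps of 100 so rules can be inserted later, an explicit catch-all deny above the default one, a single commit, and a pre-association check that refuses to attach an NSG exposing management ports to the world. This is an added example, not the post's own code; 'POC-VPN', 'East US 2', 'NIC_Interface' and the admin prefix (a documentation range) are placeholders, and it assumes the AzureRM module and an Azure login.

```powershell
# Added example (not the post's own code). Placeholders: resource group, location, NIC name, admin prefix.
$AdminPrefix = '203.0.113.0/24'   # documentation range standing in for your office or VPN egress
$NSG = New-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' -Location 'East US 2'

$rules = @(
    @{ Name='allow-rdp-from-admins'; Priority=100;  Access='Allow'; Protocol='Tcp'; Source=$AdminPrefix; DestPort='3389'; Description='RDP, admin range only' }
    @{ Name='allow-https-from-any';  Priority=200;  Access='Allow'; Protocol='Tcp'; Source='*';          DestPort='443';  Description='Public HTTPS' }
    @{ Name='deny-all-inbound';      Priority=4000; Access='Deny';  Protocol='*';   Source='*';          DestPort='*';    Description='Explicit catch-all above the 65500 default deny' }
)
foreach ($r in $rules) {
    $NSG = $NSG | Add-AzureRmNetworkSecurityRuleConfig -Name $r.Name -Direction Inbound -Priority $r.Priority `
        -Access $r.Access -Protocol $r.Protocol -SourceAddressPrefix $r.Source -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $r.DestPort -Description $r.Description
}
$NSG = $NSG | Set-AzureRmNetworkSecurityGroup    # single commit

function Find-OpenManagementRule {
    # Returns inbound Allow rules whose source is any/Internet and which cover a management port.
    # Only exact ports and '*' are inspected; a numeric range such as '3000-4000' is not expanded.
    param($Nsg, [string[]]$ManagementPorts = @('3389', '22', '5985', '5986'))
    foreach ($rule in $Nsg.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        $src = @($rule.SourceAddressPrefix)
        if (-not ($src -contains '*' -or $src -contains 'Internet')) { continue }
        $ports = @($rule.DestinationPortRange)
        if ($ports -contains '*' -or ($ManagementPorts | Where-Object { $ports -contains $_ })) { $rule }
    }
}

$open = @(Find-OpenManagementRule -Nsg $NSG)
if ($open.Count -gt 0) {
    throw "Refusing to associate: rule(s) $($open.Name -join ', ') expose management ports to any source"
}

# Only now attach it to the NIC
$nic = Get-AzureRmNetworkInterface -Name 'NIC_Interface' -ResourceGroupName 'POC-VPN'
$nic.NetworkSecurityGroup = $NSG
$nic | Set-AzureRmNetworkInterface
```

The check is cheap and catches the most common NSG mistake on this page, the original rule-default-allow-RDP with a '*' source; run it against an existing NSG fetched with Get-AzureRmNetworkSecurityGroup as well. The explicit deny at 4000 is belt and braces: the 65500 default already denies, but a visible rule in the 100-4096 range makes the intent obvious to whoever edits the NSG next, and anything added below it with a wide source is still blocked unless it is given a lower priority number on purpose.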

[Screenshot: Set-AzureRmVirtualNetwork output]

Useful Links
INSTALLING MICROSOFT AZURE POWERSHELL
PART 9: CREATING AND MANAGING VIRTUAL MACHINE (VM) USING MICROSOFT AZURE RESOURCE MANAGER PORTAL
POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
MICROSOFT AZURE POWERSHELL: CLONING (COPYING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL

CREATE NEW NSG (NETWORK SECURITY GROUP - VIRTUAL FIREWALL ACL) ON MICROSOFT AZURE

January 20, 2017 10:18AM

In my earlier blog POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL I showed how to export NSG (Network Security Group) rules to a CSV (Excel) file with PowerShell, which can later be used to create a new NSG with the same rules, or edited first. An NSG is essentially a virtual firewall containing inbound and outbound rules (ACLs), much like the Windows Firewall rules in Control Panel. A new NSG is created automatically when you create an Azure virtual machine.

Network security groups can be associated with either a VM NIC or a vNet (virtual network) subnet. To demonstrate, in the Visio diagram below I have two Azure virtual machines in the same vNet subnet, both hosting an IIS web server, and one NSG applied to the subnet with an inbound rule allowing only port 80 (HTTP) from outside.

Next blog article: MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)

[Diagram 1: one NSG on the vNet subnet, inbound rule allowing HTTP 80 to two IIS VMs]

In the second scenario the diagram is mostly the same, but instead of attaching an NSG to the virtual network I have created two separate NSGs and attached them to the individual VM NICs, each opening only the ports that VM needs. The two VMs run different OS flavors, so the remote-management ports differ: RDP 3389 on Windows and SSH 22 on Linux. Applying the NSG directly to the VM lets me control firewall ACLs per VM, including which IPs or networks may reach it. The same can be done for outbound rules.

A single NSG (Network Security Group) can be attached to multiple VMs, but each VM NIC or vNet subnet can have only one NSG.

[Diagram 2: two NSGs on individual VM NICs, HTTP 80 plus RDP 3389 on Windows and SSH 22 on Linux]

Whenever a virtual machine is created, an NSG is created automatically and attached to it. Here instead I will create the NSG manually first and associate it with the VM later. Open the resource group and click +Add.

[Screenshot: Add resource in the resource group]

Search for Network security group in the list and select it to create a new one. Many third-party firewall appliances are also available in the list.

[Screenshot: searching for Network security group; third-party firewall appliances are also listed]

Give the network security group a name. Once created, it appears in the resource group after a refresh. The NSG exists but has no rules yet; click it to create rules.

[Screenshot: the new NSG in the resource group after refresh]

There are two kinds of security rules, Inbound and Outbound. In this lab I create only an Inbound (incoming) rule, allowing port 3389 for Windows RDP.

[Screenshot: Add inbound security rule dialog]

Once rules are created and refreshed page, rules will be visible in the list. 

Priority: rules are processed in priority order; the lower the number, the higher the priority. Microsoft recommends leaving gaps (100, 200, 300 and so on) so new rules can be inserted without editing existing ones. The priority must be between 100 and 4096.
Source: the computer from which you connect to the Azure VM. * means any; you can also specify a single IP, an IP range (CIDR) or a default tag. It selects the incoming traffic from a given source range that this rule allows or denies. For management ports such as 3389 or 22, put your admin address range here rather than *.
Destination: the Azure VM. It selects the destination address range that this rule allows or denies.
Service: the destination protocol (TCP, UDP or both) and port range for this rule. You can choose a predefined service such as RDP or SSH, or provide a custom port range.
Action: Allow or Deny.

[Screenshot: inbound security rule, basic and advanced views, with priority, source, destination, service and action]

An outbound NSG rule is created the same way; it allows or denies (blocks) traffic leaving the VM. The screenshot shows that, while creating a new virtual machine, I can attach an existing network security group to it. If the VM has multiple network cards, you can assign one NSG per NIC.

[Screenshot: attaching an existing NSG while creating a virtual machine]

You can also create a VM without an NSG and attach one to its NIC later: in the resource group, select the network interface and attach the NSG under Network security group, as shown.

[Screenshot: associating an NSG with an existing network interface]

Here is another example, associating an NSG with a virtual network (vNet) subnet.

[Screenshot: associating an NSG with a vNet subnet]

The Visio below shows how security rules work. The lower the priority number, the higher the precedence. In inbound security rules the source is the computer initiating the connection and the destination is the remote computer (in most cases the Azure VM). In outbound rules the roles are reversed: the source is the Azure VM that wants to talk to the destination remote computer (which can also be an Azure VM).

[Diagram: inbound and outbound rule evaluation, priority, source and destination, allow and deny]

Finally, for information: every NSG has three default rules in each direction (inbound and outbound). They cannot be modified or deleted. The last one, DenyAllInBound (priority 65500), denies all traffic with the lowest precedence; above it, with higher precedence, are the rules that allow traffic from within the virtual network and from the Azure load balancer. Because your own rules must use priorities 100-4096, any rule you create takes precedence over all three defaults.

[Screenshot: default inbound and outbound security rules, which cannot be modified]
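To make the evaluation order described above concrete, here is an offline simulator of the inbound decision an NSG makes for one packet: sort by priority, lowest number first, stop at the first rule whose protocol, source and destination port match. It is an added example, not from the original post, and needs no Azure connection. The vNet prefix, the three custom rules and the sample packets are constructed; the three default rules with their priorities (65000, 65001, 65500) and the Azure load balancer probe address 168.63.129.16 are the real ones. Service tags other than VirtualNetwork, AzureLoadBalancer and Internet, application security groups and multi-prefix rules are not modelled.

```powershell
# Added example, not from the original post: offline model of NSG inbound rule evaluation.
# Constructed data: vNet prefix, custom rules and sample packets. Default rules are real.
$VNetPrefixes = @('10.0.0.0/16')

function ConvertTo-UInt32IP([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-InPrefix([string]$ip, [string]$prefix) {
    if ($prefix -eq '*') { return $true }
    if ($prefix -notmatch '/') { return (ConvertTo-UInt32IP $ip) -eq (ConvertTo-UInt32IP $prefix) }
    $net, $bits = $prefix -split '/'
    # Netmask with $bits leading ones, computed in 64-bit to avoid overflow at /0
    $mask = [uint32]([uint64]4294967295 - ([uint64][math]::Pow(2, 32 - [int]$bits) - 1))
    return ((ConvertTo-UInt32IP $ip) -band $mask) -eq ((ConvertTo-UInt32IP $net) -band $mask)
}

function Test-SourceMatch([string]$ip, [string]$spec) {
    $inVnet = [bool]($VNetPrefixes | Where-Object { Test-InPrefix $ip $_ })
    switch ($spec) {
        '*'                 { return $true }
        'VirtualNetwork'    { return $inVnet }
        'AzureLoadBalancer' { return $ip -eq '168.63.129.16' }
        'Internet'          { return -not $inVnet }
        default             { return Test-InPrefix $ip $spec }
    }
}

function Test-PortMatch([int]$port, [string]$spec) {
    if ($spec -eq '*') { return $true }
    if ($spec -match '^(\d+)-(\d+)$') { return ($port -ge [int]$Matches[1] -and $port -le [int]$Matches[2]) }
    return $port -eq [int]$spec
}

function Resolve-NsgInbound {
    param([object[]]$Rules, [string]$SourceIp, [int]$DestPort, [string]$Protocol = 'Tcp')
    foreach ($r in ($Rules | Sort-Object Priority)) {          # lowest number first
        if ($r.Protocol -ne '*' -and $r.Protocol -ne $Protocol) { continue }
        if (-not (Test-SourceMatch $SourceIp $r.Source)) { continue }
        if (-not (Test-PortMatch $DestPort $r.DestPort)) { continue }
        # first match wins; nothing after it is consulted
        return [pscustomobject]@{ SourceIp = $SourceIp; DestPort = $DestPort; Decision = $r.Access; Rule = $r.Name; Priority = $r.Priority }
    }
    throw 'no rule matched, which cannot happen while the 65500 default deny is present'
}

$rules = @(
    [pscustomobject]@{ Name = 'allow-rdp-from-admins';         Priority = 100;   Access = 'Allow'; Protocol = 'Tcp'; Source = '203.0.113.0/24';   DestPort = '3389' }
    [pscustomobject]@{ Name = 'deny-rdp-from-anywhere';        Priority = 150;   Access = 'Deny';  Protocol = '*';   Source = '*';                DestPort = '3389' }
    [pscustomobject]@{ Name = 'allow-http';                    Priority = 200;   Access = 'Allow'; Protocol = 'Tcp'; Source = '*';                DestPort = '80' }
    # the three default inbound rules, present in every NSG and not editable
    [pscustomobject]@{ Name = 'AllowVnetInBound';              Priority = 65000; Access = 'Allow'; Protocol = '*';   Source = 'VirtualNetwork';   DestPort = '*' }
    [pscustomobject]@{ Name = 'AllowAzureLoadBalancerInBound'; Priority = 65001; Access = 'Allow'; Protocol = '*';   Source = 'AzureLoadBalancer'; DestPort = '*' }
    [pscustomobject]@{ Name = 'DenyAllInBound';                Priority = 65500; Access = 'Deny';  Protocol = '*';   Source = '*';                DestPort = '*' }
)

# Constructed sample packets
Resolve-NsgInbound $rules '203.0.113.9'  3389   # admin range, RDP
Resolve-NsgInbound $rules '198.51.100.7' 3389   # Internet address, RDP
Resolve-NsgInbound $rules '10.0.4.4'     3389   # vNet peer, RDP
Resolve-NsgInbound $rules '10.0.4.4'     22     # vNet peer, SSH
Resolve-NsgInbound $rules '198.51.100.7' 22     # Internet address, SSH
```

Walking the five packets through: the admin-range RDP packet is allowed by the 100 rule, because 100 is consulted before the deny at 150; the Internet RDP packet hits the 150 deny and never reaches 65500; the vNet peer's RDP packet is also denied by 150, which shows that an explicit deny in the 100-4096 range overrides AllowVnetInBound at 65000; the vNet peer's SSH packet falls through to AllowVnetInBound; and the Internet SSH packet ends at DenyAllInBound. Swap the priorities of the first two rules and the admin RDP packet is denied, which is the whole point of leaving numeric gaps and reviewing priorities rather than rule names.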

Useful Links
INSTALLING MICROSOFT AZURE POWERSHELL
PART 9: CREATING AND MANAGING VIRTUAL MACHINE (VM) USING MICROSOFT AZURE RESOURCE MANAGER PORTAL
POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
MICROSOFT AZURE POWERSHELL: CLONING (COPYING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL

POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL

December 30, 2016 11:31AM

A network security group is a layer of security that acts as a virtual firewall for controlling traffic in and out of virtual machines (via network interfaces) and subnets. It contains a set of security rules that allow or deny inbound and outbound traffic using the following 5-tuple: protocol, source IP address range, source port range, destination IP address range, and destination port range. A network security group can be associated to multiple network interfaces and subnets, but each network interface or subnet can be associated to only one network security group.

POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
CREATE NEW NSG (NETWORK SECURITY GROUP - VIRTUAL FIREWALL ACL) ON MICROSOFT AZURE
MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)
MICROSOFT AZURE POWERSHELL: CLONING (COPYING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL

Security rules are evaluated in priority order, starting with the lowest-numbered rule, to determine whether traffic is allowed in or out of the network interfaces or subnets associated with the network security group. A network security group has separate inbound and outbound rules, and each rule can allow or deny traffic. Each network security group has a set of default security rules, which allow all traffic within a virtual network and outbound traffic to the internet. There is also a rule to allow traffic originating from Azure's load balancer probe. All other traffic is automatically denied. These default rules can be overridden by specifying rules with a lower priority number.

In the Classic deployment model, endpoints - with access control lists (ACLs) - were used to control traffic in and out of virtual machines. In the Resource Manager deployment model, traffic can be controlled by using either network security groups or load balancers with inbound NAT rules. While inbound NAT rules are functionally equivalent to endpoints, Azure recommends using network security groups for new deployments where NAT features (like port translation) are not required.

There are no additional charges for creating network security groups in Microsoft Azure.

[Screenshot: NSG inbound and outbound rules in the Azure portal]

Exporting the NSG rules to Excel is easy with the Azure PowerShell command below. Give the NSG name, its resource group and the Export-Csv path. (Make sure the Microsoft Azure PowerShell module is installed and you are logged in with Login-AzureRmAccount.) The same command exports both inbound and outbound rules; the Direction column tells them apart.

Get-AzureRmNetworkSecurityGroup -Name TestNSG01 -ResourceGroupName POC-VPN | Get-AzureRmNetworkSecurityRuleConfig | Select * | Export-Csv -NoTypeInformation -Path C:\Temp\TestNSG01.csv

[Screenshot: Get-AzureRmNetworkSecurityGroup piped to Get-AzureRmNetworkSecurityRuleConfig and Export-Csv, and the resulting CSV]

I can use this exported CSV data to create another NSG (Network Security Group) with exactly the same rules. Another benefit is that the CSV file can be edited to add or remove firewall rules before it is imported.
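The clone step described above, as an added example script that is not part of the original post: it reads the CSV produced by the Export-Csv command, lists the rules in the order Azure evaluates them, warns about inbound Allow rules that are open to any source on any port, and then recreates the NSG with Azure PowerShell. The new NSG name, location and one-value-per-cell port and address columns are assumptions.

```powershell
# Added example (not from the original post). Assumes the CSV written by the
# Export-Csv one-liner above; names marked placeholder are assumptions.
$CsvPath       = 'C:\Temp\TestNSG01.csv'   # file produced by the export
$NewNsgName    = 'TestNSG01-Clone'         # placeholder
$ResourceGroup = 'POC-VPN'                 # resource group used in the post
$Location      = 'eastus'                  # placeholder, must match the VNet region

# Azure evaluates the lowest priority number first, so review the rules in that order.
$rows = Import-Csv -Path $CsvPath | Sort-Object { [int]$_.Priority }
$rows | Format-Table Priority, Direction, Access, Protocol, SourceAddressPrefix,
                     DestinationPortRange, Name -AutoSize

# Review step: an inbound Allow from '*' or 'Internet' to every port overrides the
# default DenyAllInbound rule for the whole subnet or NIC, so flag it before cloning.
$broad = $rows | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    $_.SourceAddressPrefix -in @('*', 'Internet') -and $_.DestinationPortRange -eq '*'
}
foreach ($r in $broad) {
    Write-Warning ("Rule '{0}' (priority {1}) allows every port from {2}" -f
        $r.Name, $r.Priority, $r.SourceAddressPrefix)
}

# Each CSV column maps onto the matching New-AzureRmNetworkSecurityRuleConfig parameter.
# Cells are assumed to hold one value, or several separated by commas.
$rules = foreach ($r in $rows) {
    $params = @{
        Name                     = $r.Name
        Access                   = $r.Access
        Protocol                 = $r.Protocol
        Direction                = $r.Direction
        Priority                 = [int]$r.Priority
        SourceAddressPrefix      = ($r.SourceAddressPrefix -split ',').Trim()
        SourcePortRange          = ($r.SourcePortRange -split ',').Trim()
        DestinationAddressPrefix = ($r.DestinationAddressPrefix -split ',').Trim()
        DestinationPortRange     = ($r.DestinationPortRange -split ',').Trim()
    }
    if ($r.Description) { $params.Description = $r.Description }
    New-AzureRmNetworkSecurityRuleConfig @params
}

# Create the clone with all rules attached in a single call.
New-AzureRmNetworkSecurityGroup -Name $NewNsgName -ResourceGroupName $ResourceGroup `
    -Location $Location -SecurityRules $rules
```

Edit the CSV before running the script to add or drop rules; the default rules are not in the export, so they are recreated automatically by Azure on the new NSG.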

Useful Links
INSTALLING MICROSOFT AZURE POWERSHELL
PART 9: CREATING AND MANAGING VIRTUAL MACHINE (VM) USING MICROSOFT AZURE RESOURCE MANAGER PORTAL

POWERSHELL FUN SEND KEYS ON THE SCREEN

December 29, 2016 08:34PM

Today I received a weird request from a developer friend. He had written an application, but whenever the screen got locked by the screen saver Group Policy after the designated time, the application stopped working as expected. Until he fixed the bugs in his application he wanted to know whether there was any way to keep the server from locking automatically because of the screen saver policy, and I also did not want to change Group Policy just for this single PC.

Below is a small PowerShell script for this. It sends the NUMLOCK key twice to the screen every 60 seconds, which keeps the screen from locking.

To run this script, copy it into Notepad and save it with a .PS1 extension, putting the file name in double quotes.

[Screenshot: saving the .ps1 file from Notepad with the file name in double quotes]

# Interval between key presses, in seconds
$Seconds = 60

# WScript.Shell exposes SendKeys, which types keystrokes into the active window
$ObjShell = New-Object -ComObject Wscript.Shell
do
{
    # Print one randomly coloured block so the console shows the script is alive
    Write-Host " " -BackgroundColor (Get-Random 'Black', 'DarkBlue','DarkGreen','DarkCyan', 'DarkRed','DarkMagenta','DarkYellow','Gray','DarkGray','Blue','Green','Cyan','Red','Magenta','Yellow','White') -NoNewline
    # NUMLOCK twice leaves the key state unchanged but counts as user activity
    $ObjShell.SendKeys("{NUMLOCK}{NUMLOCK}")
    Start-Sleep -Seconds $Seconds
}
while ($true)   # loop until the window is closed or Ctrl+C is pressed

Once it is saved as a .ps1 file, run it from cmd with the one-liner below.

PowerShell -NoProfile -ExecutionPolicy Unrestricted -File c:\temp\nolock.ps1

[Screenshot: running the script from cmd with powershell -NoProfile -ExecutionPolicy Unrestricted -File nolock.ps1]

I have added one more bit of code for fun: run the line below and it paints random colours on the screen. The same line is used in the script.

1..300 | foreach {Write-Host " " -BackgroundColor (Get-Random 'Black', 'DarkBlue','DarkGreen','DarkCyan', 'DarkRed','DarkMagenta','DarkYellow','Gray','DarkGray','Blue','Green','Cyan','Red','Magenta','Yellow','White') -NoNewline}

# Revised this code after getting help on Facebook: pick a random value from the ConsoleColor enum
1..300 | foreach {Write-Host " " -BackgroundColor ([ConsoleColor].GetEnumValues() | Get-Random) -NoNewline}

[Screenshot: random coloured blocks printed on the console]

CONFIGURING AND MANAGING MICROSOFT WINDOWS NANO SERVER

December 28, 2016 05:27PM

In my previous article I created a Nano Server VHD image and deployed it as a virtual machine on VMware Workstation. This article focuses on configuring the network settings. Currently I have only one network adapter. From the main menu after login, press Enter for Network settings and select the Ethernet card. While configuring it I found it somewhat similar to the ESXi DCUI.

HOW TO INSTALL WINDOWS NANO SERVER ON VMWARE WORKSTATION AND V2V CONVERTER

[Screenshot 1: Nano Server Recovery Console, selecting the network adapter to configure]

Press F11 to set up the IPv4 address settings.

[Screenshot 2: Ethernet adapter settings, F11 for IPv4 settings]

Disable DHCP, provide the IP address details and press Enter to save the configuration.

[Screenshot 3: IPv4 settings with DHCP disabled and a static address entered]

Once everything is successful, you will see Operation succeeded on IP configuration menu.

[Screenshot 4: IP configuration menu showing Operation succeeded]

Next, from the main screen, go to WinRM and configure it. Before proceeding, go through my other article POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS to understand Windows Remote Management (WinRM) and its configuration. This step enables PS remoting and opens the required firewall ports in one shot.

WinRM is the Microsoft implementation of the WS-Management (WS-Man) protocol which provides a secure way to communicate with local and remote computers using web services. If you have lost the ability to remotely manage this server over WinRM this option will allow you to reset the WinRM firewall and service configuration to their default settings and allow connections from ANY subnet.

In next few steps I will test the PowerShell remoting connectivity. 

[Screenshot 5: enabling Windows Remote Management (WinRM) on the Nano server]

As I want to configure a file server and need a ping test, under Inbound Firewall Rules from the main screen I will enable File and Printer Sharing (Echo Request - ICMPv4-In) and press Enter. (Inbound rules cover connections coming into the Nano server, and outbound rules cover connections leaving it.)

[Screenshot 6: Inbound Firewall Rules, File and Printer Sharing (Echo Request - ICMPv4-In)]

A firewall rule can be enabled or disabled with the F4 key; the allow or deny status is shown under Action.

[Screenshot 7: the ICMPv4 inbound rule with Action set to Allow]

First I will verify that the Nano server responds to ping from my desktop. As I can see it is successful, so I can go ahead with further configuration.

[Screenshot 8: successful ping from the desktop to the Nano server]

After opening the required inbound firewall ports and enabling remote management, the Nano server can be configured remotely using Server Manager. On one of my Windows 2012 R2 servers I opened Server Manager, clicked Create a Server Group and, in the wizard, selected DNS.

I will search for the Nano server's IP. As it does not exist in the DNS server, it throws an error while searching for the given IP and shows "No DNS entry found matching your search text"; I will add it anyway.

[Screenshot 9: Server Manager, Create Server Group, DNS search for the Nano server IP]

Give the server group a name (I named it NanoGroup). Once the server is selected from the list, click OK to save it.

[Screenshot 10: server group NanoGroup created in Server Manager]

On the left-hand side of Server Manager, click the NanoGroup menu, choose the Nano server from the list, right-click and select Manage As to provide the username and password. As the server is in a workgroup, the username will be ~\administrator.

[Screenshot 11: Manage As credential prompt after the WinRM default authentication error]

Once the server is connected successfully, right-click the Nano server again and go to Add Roles and Features.

[Screenshot 12: Add Roles and Features from the Nano server context menu]

In the Add Roles and Features Wizard, select the Nano server and press Next.

[Screenshot 13: server selection in the Add Roles and Features Wizard]

Only a few roles are listed here because, while creating the Nano image, I injected just two packages, Storage and Hyper-V, as shown in the earlier blog HOW TO INSTALL WINDOWS NANO SERVER ON VMWARE WORKSTATION AND V2V CONVERTER.

[Screenshot 14: roles available on the Nano server]

POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS

From PowerShell, remote into the Nano server with the command Enter-PSSession -ComputerName 192.168.33.31 -Credential (Get-Credential). It prompts for the username and password; as shown, the username is ~\administrator.

[Screenshot 15: Enter-PSSession to the Nano server as ~\administrator]

If the connection is successful, the PowerShell prompt changes to the Nano server's IP or FQDN. I want to create and share a folder remotely on the Nano server. For this I first change directory with cd \, then create an empty directory Temp on C: with mkdir c:\temp. With the next command I share this folder with the Everyone user for demo purposes.

New-SmbShare -Name 'Temp' -Path 'C:\temp' -FullAccess 'Everyone'
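The same remoting-and-share step, as an added example that is not part of the original post: it trusts only the Nano server's address on the client (instead of a wildcard TrustedHosts entry), checks that the WinRM listener answers, and creates the share with Administrators and Authenticated Users instead of FullAccess for Everyone. The share path and the chosen groups are assumptions.

```powershell
# Added example (not from the original post). The IP is the one used in the post;
# share path and group names are assumptions.
$NanoIP    = '192.168.33.31'
$SharePath = 'C:\temp'
$ShareName = 'Temp'

# Client side: a '*' TrustedHosts entry tells WinRM to send NTLM credentials to any
# host, so add only this address (and only if it is not already present).
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($trusted -split ',') -notcontains $NanoIP) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $NanoIP -Concatenate -Force
}

# Unauthenticated Identify request: proves the WinRM listener and its firewall rule
# are reachable before any credentials are sent.
Test-WSMan -ComputerName $NanoIP -ErrorAction Stop | Out-Null

$cred = Get-Credential -Message "~\administrator credentials for $NanoIP"

# Server side: create the folder and the share in one remote call, then read back
# the share permissions so the result is visible on the client.
Invoke-Command -ComputerName $NanoIP -Credential $cred `
    -ArgumentList $SharePath, $ShareName -ScriptBlock {
    param($Path, $Name)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        # Administrators get full control; other authenticated accounts read only.
        New-SmbShare -Name $Name -Path $Path -FullAccess 'Administrators' `
            -ReadAccess 'Authenticated Users' | Out-Null
    }
    Get-SmbShareAccess -Name $Name | Select-Object AccountName, AccessRight, AccessControlType
}
```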

[Screenshot: the Temp folder created and shared from the remote session with New-SmbShare]

In the screenshot below I am accessing the shared drive and have copied some files.

[Screenshot 17: accessing the share from the desktop and copying files]
