Step-by-Step: Getting Started with NEW Microsoft Azure Automation preview feature

UPDATE: Azure Automation has been updated to support Azure Active Directory authentication to simplify the steps for getting started! As an alternative to the steps below for configuring certificate-based authentication, check out this article by Joe Levy, Program Manager on the Azure Automation team, for getting started with Azure AD with Azure Automation..

Earlier this week, Microsoft Azure Automation was made available on the Microsoft Azure cloud platform as a public preview. This new feature allows you to automate the creation, monitoring, deployment and management of cloud resources in your Microsoft Azure subscription using a highly-available workflow execution engine. Azure Automation provides an orchestration feature set for public cloud resources that is similar to what the Service Management Automation (SMA) engine provides for on-premises private cloud resources via the Windows Azure Pack and System Center 2012 R2 Orchestrator.

Azure Automation is super-cool, because it allows us to perform automated cloud provisioning and management without needing to manually build and manage a separate set of automation servers. And … scalability and high availability of the Azure Automation engine is provided natively via the Microsoft Azure cloud platform without any extra configuration steps, which helps to make sure that your scheduled runbooks will always execute when needed.

Note: this week, we also announced support for Puppet and Chef for automated provisioning and configuration management of Microsoft Azure cloud resources. If you're currently using these tools as part of your DevOps strategy, be sure to look for upcoming articles that focus on these alternatives for cloud automation.

In this article, I’ll step through the process of getting started with Azure Automation. Along the way, we’ll build a runbook and PowerShell workflow for performing basic automation of Microsoft Azure virtual machines.

Activate the Preview Feature for Azure Automation

To leverage Microsoft Azure Automation, you’ll need an active Azure subscription with the Microsoft Azure Automation preview feature activated.

Activate a FREE Microsoft Azure subscription (if you don’t yet have an Azure subscription).
Activate the Azure Automation preview on the Preview Features page.

Click the Try it Now button.

Create an Azure Automation Account

After the Azure Automation preview feature has been activated, sign-in at the Azure Management Portal to manage this feature.

Scroll-down the left blue navigation bar and click Automation.
Click the Create button on the bottom black toolbar to define a new Azure Automation account for managing Runbooks.

After specifying an Account Name and Region, click the button to create the account.

Create and Export a Management Certificate

Azure Automation authenticates to Microsoft Azure subscriptions using certificate-based authentication. You can create and export a new management certificate using the Internet Information Services (IIS) Manager tool from any Windows Server installed with the IIS Web Server role and management tools.

Use the steps below to create and export a new management certificate from a server running Windows Server 2012 or 2012 R2. After creating a new certificate, you will export this certificate as a .CER file for uploading to your Microsoft Azure subscription and also as a .PFX file for uploading to your Azure Automation account.

If not already installed, you can install the IIS Web Server role and related management tools with the Install-WindowsFeature PowerShell cmdlet:

Install-WindowsFeature Web-Server –IncludeManagementTools
From the Server Manager tool, click on the Tools menu in the top-right menu bar and select Internet Information Services (IIS) Manager.
Click on your server name in the connections panel. If prompted to Get started with Microsoft Web Platform, click the No button.
In the center panel of the Internet Information Services (IIS) Manager tool, double-click on Server Certificates.
In the Actions panel located at the right, click Create Self-Signed Certificate. When prompted, enter the following information:

Friendly name for certificate: Azure Automation

Certificate store: Personal

Click the OK button to generate the new self-signed certificate.
On the Server Certificates page, right-click on the Azure Automation certificate and click on View… on the pop-up menu.
On the Certificate dialog box, click the Details tab and then click the Copy to File… button. This will launch the Certificate Export Wizard.
Navigate through the Certificate Export Wizard using the Next button. When prompted, enter the following information:

Export Private Key: No

Export File Format: default (DER encoded binary X.509 .CER)

File name: c:\AzureAutomation.cer

After specifying all of the above information, click the Finish button to complete the export process. Click the OK button twice to dismiss each open dialog box.
On the Server Certificates page, right-click on the Azure Automation certificate and click on Export… on the pop-up menu.
In the Export Certificate dialog box, enter the following information:

Export to: c:\AzureAutomation.pfx

Password: Enter and confirm a password to protect the Private Key exported in this certificate file.

After specifying all of the above information, click the OK button to complete the export process.

Upload the Management Certificate to Microsoft Azure

Now that you have a new management certificate created and exported, you’ll need to upload the exported .CER file to your Microsoft Azure subscription.

Sign in at the Microsoft Azure Management Portal with the logon credentials used when you activated your Microsoft Azure subscription.
Select Settings located on the side navigation panel on the Microsoft Azure Management Portal page. You may need to scroll down the side navigation panel to see this selection.
On the Settings page, click on the Management Certificates tab.
On the Management Certificates page, click on the Upload button located on the bottom black toolbar. When prompted, browse to c:\AzureAutomation.cer and click the button.

After uploading, your new certificate should now appear in the list of management certificates.
For your newly uploaded certificate, record the values listed in the Subscription and Subscription ID columns for later use in this Step-by-Step article.

Create a Management Certificate Asset

For your Azure Automation account to be able to authenticate to your Microsoft Azure subscription, you’ll also need to upload the certificate .PFX file. You’ll upload this certificate as an Asset in your Azure Automation account so that it can be consistently leveraged across multiple runbooks.

On the Automation page in the Azure Management Portal, click on the name on the new Azure Automation account to drill into the account properties.
Click on the Assets tab.
Click the Add Setting button on the bottom black toolbar. When prompted, select Add Credential.
On the Define Credential page, select Certificate in the Credential Type list and enter a name for this new credential.

Click the button to continue.
On the Upload a certificate file page, browse to C:\AzureAutomation.pfx in the File field and enter the Password used to protect the private key when previously exporting this file.

Click the button to upload this certificate to your Azure Automation account.

Create an Azure Connection Asset

You can also define the connection information for your Microsoft Azure subscription as an Asset in your Azure Automation account. Doing so allows you to easily relate your Microsoft Azure subscription name, subscription ID and management certificate together as a centralized definition for use in all of your runbooks.

On the Assets tab for your Azure Automation account, click the Add Setting button on the bottom toolbar. When prompted, click Add Connection.
On the Configure connection page, select Azure as the Connection Type and enter a Name that matches your Microsoft Azure subscription name recorded earlier.

Connection Type: Azure

Name: Enter the name of your Microsoft Azure subscription recorded earlier.

Click the button to continue.
On the Configure connection properties page, enter the name of the management certificate asset that you previously uploaded and enter your Microsoft Azure subscription ID that was recorded earlier.

Automation Certificate Name: Azure Automation

Subscription ID: Enter the subscription ID of your Microsoft Azure subscription recorded earlier.

Click the button to create this connection asset in your Azure Automation account.

Import and Publish a Connect-Azure Runbook

There's a few lines of code that are used to connect a runbook to your Microsoft Azure subscription using the management certificate asset and connection asset that were previously defined. To promote easy maintenance of runbooks, we recommend centralizing this code into one Connect-Azure runbook that other runbooks can reference.

Luckily, the Azure Automation team has made this approach super-easy by providing us with a standard runbook template on the Azure Automation Script Center.

Download the Connect-Azure runbook template from the Azure Automation Script Center.
On the details page of your Azure Automation account, click the Runbooks tab.
On the bottom toolbar, click the Import button. When prompted, browse to the Connect-Azure.ps1 runbook template that you previously downloaded.

Click the button to import this runbook template.
On the Runbooks tab, click on Connect-Azure to drill into the detailed property pages of the imported runbook.
On the Connect-Azure page, click on the Author tab followed by the Draft tab.
Click the Publish button on the bottom toolbar to publish the imported runbook. When prompted, click the Yes button to confirm publishing this runbook.

Create Your Runbook

We’re ready to create a runbook for automating the provisioning and management of cloud resources in your Microsoft Azure subscription. In this article, the runbook we’ll create will be used to automate the safe shutdown of on-demand lab virtual machines at the end of each day. This runbook will stop and deallocate each specified virtual machine so that compute charges for these lab VMs do not continue to accrue when they are not being used.

On the bottom toolbar, click New | App Services | Automation | Runbook | Quick Create to create a new runbook.

Use the following field values when creating this runbook:

Runbook Name: Stop-MyDemo

Note that runbook automation scripts are defined using PowerShell workflows. As such, it is a best practice to name runbooks using a PowerShell verb-noun cmdlet naming convention.

Automation Account: Select your previously created Azure Automation Account.

Click the button to create this new runbook.
On your Azure Automation account page, click on Stop-MyDemo to drill into the detailed property pages for the new runbook.
Click the Author tab, and then click the Draft tab to begin editing the PowerShell code for this new runbook.
Inside the Workflow code block, insert the PowerShell code that leverages the Connect-Azure runbook to connect to your Microsoft Azure subscription. Be sure to replace the values for the $subName variable with the value that you recorded earlier in this article.

workflow Stop-MyDemo
{

    # Specify Azure Subscription Name
    $subName = 'Enter Your Azure Subscription Name'

    # Connect to Azure Subscription
    Connect-Azure `
        -AzureConnectionName $subName

    Select-AzureSubscription `
        -SubscriptionName $subName

}

You’ll use this PowerShell code at the beginning of each Azure Automation runbook that provisions or manages cloud resources in a Microsoft Azure subscription.
Inside the Workflow code block, add the PowerShell code that you will use to automate cloud resources in your Microsoft Azure subscription. In our sample runbook, we’ll insert the code used to stop and deallocate several Microsoft Azure virtual machines.

workflow Stop-MyDemo
{
    # Specify Azure Subscription Name
    $subName = 'Enter Your Azure Subscription Name'

    # Connect to Azure Subscription
    Connect-Azure `
        -AzureConnectionName $subName

    Select-AzureSubscription `
        -SubscriptionName $subName

    # Shutdown Lab VMs
    $vmList = ('labvm01','labvm02','labvm03')
    $svcName = 'labvms'

    For ( $vmCount = 0; $vmCount -lt $vmList.Count; $vmCount++) {

        $vm = Get-AzureVM `
            -ServiceName $svcName `
            -Name $vmList[$vmCount]

        if ( $vm.InstanceStatus -eq 'ReadyRole' ) {

            Stop-AzureVM `
                -ServiceName $vm.ServiceName `
                -Name $vm.Name `
                -Force

        }

    }

}
When finished, click the Save button on the bottom toolbar to save your draft runbook.

Test the Runbook

After saving the draft runbook, you can test the new runbook to confirm that it executes successfully.

Click the Test button on the bottom toolbar.

Caution! When “testing” a runbook, the runbook is actually executed against your Microsoft Azure subscription. Be certain that you really do want to execute this runbook against provisioned cloud resources before clicking the Test button.
As the runbook executes, the Output Pane located at the bottom of the page will be refreshed with execution status and output.

When the runbook has completed, the Status value in the Output Pane will display Completed.

Publish the Runbook

When you’ve tested the runbook and confirmed that it executes successfully, you can publish the new runbook for running on a scheduled basis.

Click the Publish button on the bottom toolbar.
After the new runbook is published, click the Published tab to confirm that it has been published successfully.

Link the Runbook to a Schedule

We want this new runbook to execute at the end of every day, to make sure that our lab VM’s are automatically stopped and deallocated when not being used. To execute a runbook on a scheduled basis, we can link the runbook to a recurring schedule.

Click on the Schedule tab.
Click Link to a New Schedule and enter End-of-Day as the name of the new schedule.

Click the button to continue.
On the Configure Schedule page, define a scheduled Start Time and Recur Every value.

Click the button to add this new schedule and link it to the runbook.

Learn more about Azure Automation!

In this article, we’ve created a simple Azure Automation runbook to stop and deallocate lab VMs on the Microsoft Azure cloud platform. This runbook provides a great starting point, but it’s just one example of the power of this new preview feature. Azure Automation can leverage any of the Microsoft Azure PowerShell cmdlets for automating more sophisticated cloud tasks, and we can also extend Azure Automation by importing additional PowerShell modules.

When you’re ready to learn more about Azure Automation, be sure to check out the additional resources available on our Microsoft Azure documentation portal:

Azure Automation – Tutorials and Guides

What are your cloud scenarios?

Are there particular cloud scenarios in which you have interest? Feel free to leave your comments and feedback below, and we’ll try to write-up as many additional scenarios as possible in the coming weeks.

Learn more about Microsoft Azure ...

Step-by-Step: 20+ Key Cloud Scenarios for IT Pros

See you in the Clouds!

- Keith

KeithMayer.com