Managing Windows Azure with SMA

Managing Windows Azure with SMA

  • Comments 3
  • Likes

Hello readers, Jim Britt and Victor Arzate here. This time we will show you how you can manage Windows Azure services via Service Management Automation (a.k.a. SMA).

Up until now we have shown you many samples on how to leverage SMA for automating processes for on-premises deployments (take a look at the August 2013 was Automation Month at the Building Clouds Blog! blog post for a quick reference). In this blog post we will show you how service administrators can leverage the same investments in SMA, but extended to Windows Azure.

In a nutshell, the steps that need to be done are:

  • Step 1 – Install Windows Azure PowerShell
  • Step 2 – Configure the connection to the Windows Azure subscription
  • Step 2 – Create a connection object in SMA to Windows Azure
  • Step 3 – Create your Runbook

And you need to have the following prerequisites

  • An environment with WAP and SMA already integrated
  • A subscription to Windows Azure. If you don’t have one, please see this link.
  • An Active Directory service account that will be used for connecting to the Windows Azure subscription from your on premise WAP environment.

Okay, let’s get started!


Step 1 – Install Windows Azure PowerShell

Alright, first thing you need to do is to download and install the Windows Azure PowerShell module on a server (this can be your SMA server or another member server). You can obtain it from this link.

It will install and launch the Web Platform Installer and will prompt you to install Windows Azure PowerShell:

WIndows Azure PowerShell

Click on Install and the Web PI will display any dependencies that are needed in your system. Click on I Accept if you accept the terms and the Web PI will start the installation of Windows Azure PowerShell and all required dependencies. Once the process is complete click on Finish. The Web PI should indicate that the Windows Azure PowerShell components are installed:

WIndows Azure PowerShell-2

Click on Exit and restart the server. We have noticed that this is needed so that SMA Runbooks can see that the Windows Azure PowerShell module is installed.


Step 2 – Configure the connection to the Windows Azure subscription

Now we have to set up the connection to the Windows Azure subscription. You’ve different options here such as manually uploading a management certificate to Azure, authenticating using Windows Azure AD or using the certificate method.

The Windows Azure AD method was not an option as in this case the credentials are available to Windows Azure PowerShell for 12 hours. After these 12 hours the credentials expire and you’ll need to log in again.

Manually uploading a management certificate was another option, but in this case we had to obtain a certificate so that we could upload it to Windows Azure, and then we have to manually install it in the SMA server. While this option worked, we wanted to use a more slick option Hot smile

We used the certificate method, because Windows Azure PowerShell includes the cmdlets that help us to download and import the certificate (hence no need for manually getting and importing the certificate)! The cmdlets are:

  • Get-AzurePublishSettingsFile – this cmdlet opens a browser session, signs into your Windows Azure account, and automatically downloads a .publishsettings file that contains information and a certificate for your Windows Azure subscription.
  • Import-AzurePublishSettingsFile – this cmdlet imports a .publishsettings file that has been downloaded using the Get-AzurePublishSettingsFile cmdlet. This file contains settings and an encoded certificate that provides management credentials for the Windows Azure account.
Important: The publishsettings file contains the credentials (unencoded) that are used to administer your Windows Azure subscriptions and services. The security best practice for this file is to store it temporarily outside your source directories (for example in the Libraries\Documents folder), and then delete it after the settings have been imported. A malicious user gaining access to the publishsettings file can edit, create, and delete your Windows Azure services.

Now, you have to consider two important facts:

  • Those cmdlets need to be executed with administrative rights.
  • Those cmdlets need to be executed in the context of the user account that will be used whenever a connection to Windows Azure is needed.

Therefore, log on into the server where you installed Windows Azure PowerShell with the credentials of the service account that will be used when connecting to the Windows Azure Subscription, open a Windows PowerShell session as an administrator and type the following cmdlet:

001
Get-AzurePublishSettingsFile

As described above, this cmdlet will launch a browser session, and after signing in into your Windows Azure subscription, it will ask you to save a .publisingsettings file in your computer:

AzurePublishSettingsFile

Save the file in a secure location. If you go to Windows AzureSettingsManagement Certificates you will notice that there is a new certificate created for your subscription. Take note of the certificate thumbprint. Now return to Windows Azure PowerShell and execute the following cmdlet:

001
Import-AzurePublishSettingsFile -PublishSettingsFile 'C:\Azure\YourFileName.publishsettings'

This cmdlet will import a certificate into the Current UserPersonal Store container called Windows Azure Tools. If you open the certificate you will notice that it has the same certificate thumbprint as the certificate that was created in Windows Azure. Also, this cmdlet will configure common settings for the Windows Azure subscription (including subscription ID, management certificate) in the user account profile. To check these settings, type the following cmdlet in PowerShell:

001
Get-AzureSubscription

You will notice the settings saved for your Windows Azure subscription. Please take note of the SubscriptionName value as we will use it in Step 4 when we create the SMA Runbook (in our case, it is called: Windows Azure MSDN - Visual Studio Ultimate).

Now we need to extract some data from that certificate as we will use it in the next step. Execute the following script using a PowerShell session with administrative rights (replacing the #### string with the certificate thumbprint that you obtained from Windows Azure):

001
002
003
004
005
006
007

new-alias  Out-Clipboard $env:SystemRoot\system32\clip.exe
$Thumbprint = "###########################"
$mycert = Get-Item Cert:\CurrentUser\My\$Thumbprint
$certData = $mycert.GetRawCertData()
$convert = [System.Convert]
$certString = $convert::toBase64String($certData)
$certString | Out-clipboard

This script will get the data from your certificate and will copy it to the clipboard. We will use this data in Step 3. It would be a good idea to save the clipboard data in a notepad so that is not lost. Now delete the –publishsettings file and log into the WAP server (but this time with an account that has administrative rights on WAP/SMA).


Step 3 – Create a connection object in SMA to Windows Azure

Go to the Windows Azure Pack Admin PortalAutomationAssets and click on Add Setting

Add-Setting

In the Select the type of setting you want to add, click on Add Connection

Type of setting

In Connection Type select Azure. In Name type AzureConnection. Click on the arrow to continue the wizard.

Configure Connection

In the Configure connection properties, provide the following information:

  • Password – Provide the password of the AD service account that we used in step 2
  • Username – Provide the username of the AD service account that we used in step 2. The user should be provided as domain\username (for example: contoso\AzureSMASvc)
  • Computername – Provide the name of the server where Windows Azure PowerShell was installed and where the Azure Subscription certificate was imported.
  • CertificateStringBase64 – Here paste the certificate data that we generated in Step 2 of this blog as that should be in the clipboard (or in a notepad session as we suggested).
  • SubscriptionID – Provide your Windows Azure Subscription ID (you can obtain this string from the same screen where you obtained the certificate thumbprint in Windows Azure).

Click on the arrow to complete the Add Connection Wizard.


Step 4 – Create your Runbook

Go to the Windows Azure Pack Admin Portal and click on the + icon to create a new object. Select RunbookQuick Create and call it SMA-Get-AzureVMs and click on the check mark to create the Runbook.

In the Windows Azure Pack Admin Portal, go to AutomationRunbooks and click on the SMA-Get-AzureVMs runbook. Go to the Author tab, click on Draft and paste the following code:

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023

workflow SMA-Get-AzureVMs
{
   
# Get the Azure connection
    $con = Get-AutomationConnection -Name 'AzureConnection'
 
    
   
# Convert the password to a SecureString to be used in a PSCredential object
    $securepassword = ConvertTo-SecureString -AsPlainText -String $con.Password -Force
 

   
# Create a PS Credential Object
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $con.Username, $securepassword
 

   
inlinescript
 
    { 
       
Import-Module "Azure"
 
                
       
# Selects the Azure Subscription in PowerShell
        Select-AzureSubscription -SubscriptionName "Windows Azure MSDN - Visual Studio Ultimate"
 
        
       
# Run Azure commands to get all VMs in the Azure Subscription
        Get-AzureVM
        
        
    } 
-PSComputerName $con.ComputerName -PSCredential $cred 
}

Let us explain the code above Nerd smile

First, we obtain the data from the AzureConnection object we created so that we use the credentials required to execute the inlinescript section under the context of the AD service account that we used to configure the connection to Windows Azure.

001
002
003

$con = Get-AutomationConnection -Name 'AzureConnection'
$securepassword = ConvertTo-SecureString -AsPlainText -String $con.Password -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $con.Username, $securepassword

Then we move to the inlinescript section. Here you can see the following code:

001
002
003
004
005
006
007
008
009
010
011

inlinescript 
{ 
   
Import-Module "Azure"
 
                
   
# Selects the Azure Subscription in PowerShell
    Select-AzureSubscription -SubscriptionName "Windows Azure MSDN - Visual Studio Ultimate"
 
        
   
# Run Azure commands to get all VMs in the Azure Subscription
    Get-AzureVM
        
        
} 
-PSComputerName $con.ComputerName -PSCredential $cred
  • The Import-Module “Azure” statement allows us to use the Windows Azure PowerShell cmdlets.
  • The Select-AzureSubscription PowerShell cmdlet selects the desired Windows Azure subscription as the current subscription (remember that our subscription was created in the user account profile when we ran the Import-AzurePublishSettingsFile cmdlet in step 2?).  In our sample, the subscription name is "Windows Azure MSDN - Visual Studio Ultimate" but you should change this string to reflect your subscription name.
  • Get-AzureVM retrieves the list of Virtual Machines under the subscription specified, but basically, here you can do whatever you want (and are allowed to do) in your Azure Subscription. You can Start/Stop Virtual Machines, Create new ones, and so on. This is up to you Open-mouthed smile
  • The last line of code (-PSComputerName $con.ComputerName -PSCredential $cred) indicates in which computer the script will be executed and with which credentials. These are taken from the AzureConnection object we created before.

And that’s it! If you save & run the Runbook you will see in the output window the list of Virtual Machines running under your subscription!

As a bonus, take this sample Runbook that stops all Virtual Machines running under a specified Azure Subscription. Following the steps described in this section (Step 4) create a new SMA Runbook, name it SMA-Stop-AzureVMs and paste the following code:

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023

workflow SMA-Stop-AzureVMs
{
   
# Get the Azure connection
    $con = Get-AutomationConnection -Name 'AzureConnection'
 
    
   
# Convert the password to a SecureString to be used in a PSCredential object
    $securepassword = ConvertTo-SecureString -AsPlainText -String $con.Password -Force
 

   
# Create a PS Credential Object
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $con.Username, $securepassword
 

   
inlinescript
 
    { 
       
Import-Module "Azure"
 
                    
       
# Selects the Azure Subscription in PowerShell
        Select-AzureSubscription -SubscriptionName "Windows Azure MSDN - Visual Studio Ultimate"
 
        
       
# Run Azure commands to stop all running VMs in the Azure Subscription
        Get-AzureVM | Where-Object {$_.Status -eq "ReadyRole"} | ForEach-Object {Stop-AzureVM -ServiceName $_.ServiceName -Name $_.Name -StayProvisioned
}      
        
    } 
-PSComputerName $con.ComputerName -PSCredential $cred 
}

Save & run the Runbook and it will stop all running VMs in the Azure subscription.

And if you need some ideas on operations that you could perform in Windows Azure with PowerShell, just take a look at this great blog post from Charles Joy: Automation–Automating Hybrid Clouds with Windows Azure and PowerShell (Part 3): Public Cloud Environment Provisioning PowerShell Workflow Examples.

Until next time,

Jim and Victor.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • thank you

  • Don't you require the Azure PowerShell components be installed on the SMA Runbook Workers that are executing the runbooks?

  • Hi Robert, for the scenario we presented in this blog post, as we’re using the Azure Connection Asset in SMA, you’ve to install the Azure PowerShell module in the computer specified in the Azure Connection asset (which could be your SMA Runbook Worker).