Enable IaaS with Windows Azure Pack
Find out how to get VM provisioning working with Windows Azure Pack.
August 1, 2014
Q: What is required to enable virtual machine (VM) provisioning (i.e., IaaS) using Windows Azure Pack?
A: Windows Azure Pack enables the deployment of many types of services, emulating the Microsoft Azure experience. A clean Windows Azure Pack deployment doesn't offer any services but rather provides the foundation to connect to other components to enable other types of services. To enable VM provisioning, you need:
Service Provider Foundation (SPF) deployed. SPF is part of Microsoft System Center Orchestrator 2012 R2.
A System Center Virtual Machine Manager (VMM) 2012 R2 deployment, with clouds, tenants, and template Virtual Hard Disks (VHDs). Optionally, you can define VM templates, which will be exposed through Windows Azure Pack. The exact requirements are defined on TechNet's Requirements for using VM Clouds web page. You need to review these requirements thoroughly, as there are likely changes required for your cloud and template configurations (e.g., no capability profile selected). In addition, clouds that support highly available VMs need a custom property added, as shown in Figure 1.
Figure 1: Adding a Custom Property
Hyper-V hosts. Other hypervisors aren't supported by Windows Azure Pack for VM provisioning.
Most likely, you'll also want Orchestrator's Service Management Automation (SMA) and System Center Operations Manager deployed for the life-cycle management of the VMs. However, SMA and Operations Manager aren't mandatory.
Deploying SPF
The first task is to deploy SPF. To do so, follow these steps:
Create a service account in Active Directory (AD) for SPF, naming it something like SPFService. Configure this account with a non-expiring password and as a local administrator on SPF.
Prepare a new Windows Server 2012 R2 installation (you can use Windows Server 2012) and patch it to the latest version.
Create a new certificate for the SPF installation from an enterprise Certification Authority (CA) or external trusted party because the default self-signed certificate can cause warnings later on. (If you're using SPF in a development environment, you don't need to do this.) When I create this certificate, I like to add alternative names for the spf. on the Subject tab, as shown in Figure 2. That way, I can later use a shorter name by means of a DNS alias.
Figure 2: Adding Alternative Names
Install all the required prerequisites, which include IIS 7.5. You can install IIS 7.5 using the Windows PowerShell command:
Install-WindowsFeature Web-Server, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Basic-Auth, Web-Windows-Auth, Web-Asp-Net45, NET-WCF-HTTP-Activation45, ManagementOdata
Install the VMM Administrator Console from the VMM 2012 R2 media.
Install Windows Communication Foundation (WCF) Data Services 5.0 for OData v3 from the Microsoft Download Center.
Install ASP.NET MVC 4 from Microsoft's ASP.NET website or the standalone installer from the Microsoft Download Center (my preference).
Access the Orchestrator 2012 R2 installation media and double-click SetupOrchestrator.exe to run the System Center 2012 - Orchestrator 2012 R2 Setup Wizard. Before doing so, though, disable Internet Explorer Enhanced Security Configuration (IE ESC) on the Local Server page in Server Manager to avoid any display problems with the wizard.
In the Standalone installations section, select Service Provider Foundation.
Click the Install button.
Check the option to confirm understanding of the license terms and click Next.
Review the results of the prerequisites check. If you don't pass this check, you can read about the prerequisites on the System Requirements for Service Provider Foundation for System Center 2012 SP1 web page. Click Next.
Configure the name of the SQL Server instance to use. The instance must be running SQL Server 2012 or SQL Server 2008 R2. Click Next.
Select the folder and port for the website, select the certificate to use, and click Next.
Specify the users of the Admin web service. I typically specify the Domain Admins group, but if you have a separate SPF admins group, you should specify that group. For the credentials, use the SPF service account created in step 1. Click Next.
Repeat step 15 for the Provider web service, VMM web service, and Usage web service. A good practice to follow for the Provider web service and VMM web service is to create a separate AD group containing those users who are allowed to use the service (e.g., an SPF Provider group and an SPF VMM group). Use the same SPF service account for all three services.
Indicate whether you want to be part of Microsoft's customer experience improvement program and whether you want to use Microsoft Update. Click Next.
Review the summary of your installation selections. If the selections are correct, click Install.
After the installation is complete, click Close.
After SPF is installed, you need to give the SPF service account (in this example, SPFService) the Administrator user role in VMM. To do so, follow these steps:
Launch the VMM management console.
Open the Settings workspace.
Select Security, then User Roles in the navigation pane.
Double-click Administrator in the details pane. Under Members, add the SPF service account, then click OK.
You also need to give the SPF service account the Sysadmin server role on the SQL Server instance housing the SPF database. You can do this in SQL Server Management Studio (SSMS). Open SSMS and navigate to Security, Logins. Select the SPF service account, choose Server Roles, and select the sysadmin check box.
Testing SPF
At this point, you should check that SPF can actually interact with VMM. The easiest way to do this is as follows:
Start PowerShell under the SPF service account. You can either log on using the SPF service account or right-click PowerShell and start it as a different user, entering the SPF service account credentials.)
Run the following commands and ensure you get responses without permission errors:
Import-Module virtualmachinemanagervirtualmachinemanager.psd1Get-VMMServer Get-VM | ft Name, HostName -AutoSize
Registering SPF with Windows Azure Pack
Assuming that SPF is working properly, you need to register SPF with Windows Azure Pack. In preparation, you need to:
Create a local user account on the SPF server (e.g., SPFLocalAdmin) using Computer Manager, then make that user account a member of all four of the SPF_ local groups that were created on the SPF server. This account will be used to connect SPF to Windows Azure Pack. Note that you can create a domain user account, but sometimes SPF and Windows Azure Pack are in different domains. Using a local user account is more resilient. Whatever account you use, it must be added to all four SPF_ local groups on the SPF server.
Add the SPF service account (e.g., SPFService) to all four SPF_ local groups on the SPF server. This helps remove synchronization problems when creating subscriptions.
The next task is to register SPF with Windows Azure Pack, which is documented on the Register the Service Provider Foundation Endpoint for Virtual Machine Clouds web page. Here's a high-level overview of the steps:
Navigate to the Windows Azure Pack administrative site (e.g., https://:30091).
Select VM Clouds.
Click the Register System Center Service Provider Foundation link.
Enter the URL for SPF and the SPF service account, then click the checkmark icon, as shown in Figure 3.
Figure 3: Registering SPF with Windows Azure Pack
If you now select Clouds, you'll get a message stating that no VM cloud providers were found. That's because no connections from SPF to VMM have been added yet. To add a connection, click the Use an existing virtual machine cloud provider to provision virtual machines link. Enter the name of the VMM server (and port if you aren't using the default), as Figure 4 shows. Optionally, you can enter a Remote Desktop Gateway URL, which would allow entry to VMs from outside the environment. Click the checkmark icon.
Figure 4: Entering the Name of the VMM Server
Your VMM server should now be listed under Clouds, along with all the clouds defined in VMM, as shown in Figure 5.
Figure 5: Reviewing the VM Clouds
Importing and Creating Gallery Resources
You now need to create or import Windows Azure Pack Gallery Resources. Here are some great resources discussing how to do that:
Basically, you need to download and install the Gallery Resources on the VMM server (or on another server and then make them available to VMM) using the Web Platform Installer. You can download this installer from the Microsoft Web Platform Installer 5.0 web page. After the Web Platform Installer is installed, click the Options link at the bottom of the screen. In the Custom Feeds area, enter the URL http://www.microsoft.com/web/webpi/partners/servicemodels.xml, click Add feed, then click OK. If you select the Service Models tab and select Gallery Resources, you'll be able to add multiple items, as Figure 6 shows. After you select the items, click Install.
Figure 6: Selecting Gallery Resources from the Service Models Tab
You should read the readme files for all the Gallery Resources you download because some resources require you to add resource extension packages to VMM. The readme file will tell you which resource extension packages are required. The readme file will also tell you the tag names (e.g., WindowsServer2012) that must be added to the VHD, along with other configurations. It's important your .vhd and .vhdx files are tagged and configured per the requirements. Otherwise, the files won't be used by the Gallery Resources during deployment.
As part of the configuration for the items in VMM to be used with a Gallery Resource, there are changes required to the template VHD file. These changes are discussed in-depth in the two resources listed previously. In a nutshell, you need to change the release value to meet the Azure versioning scheme of n.n.n.n, you need to set the OS, and you need to configure a tag. The first two items can be accomplished using the VMM management console (see Figure 7) or PowerShell.
Figure 7: Using the VMM Management Console to Change the Template VHD File
The last item, configuring the tag, can only be accomplished using PowerShell. The tags must be OS specific. The exact values required will be based on the Gallery Resources you use, and the readme file will give you this information. Here's an example of how to change a tag using PowerShell:
$myVHD = Get-SCVirtualHardDisk | where {$_.Name –eq 'win2012R2DatacenterG2.vhdx'} $tags = $myVHD.Tag if ( $tags -cnotcontains "WindowsServer2012" ) { $tags += @("WindowsServer2012") } if ( $tags -cnotcontains "R2" ) { $tags += @("R2") }Set-scvirtualharddisk –virtualharddisk $myVHD –Tag $tags
You can manually create your own Gallery Resources, but this is very hard to do, as they're defined in JavaScript Object Notation (JSON). Fortunately, the VM Role Authoring Tool is available on CodePlex. As Figure 8 shows, this tool has graphical interface, which makes it much easier to not only create but also edit resources.
Figure 8: Using the VM Role Authoring Tool
The VM Role Authoring Tool lets you edit existing Gallery Resources, such as those you might have already downloaded. When you download a Gallery Resource, you're downloading a resource definition package (a .resdefpkg file), which is actually a ZIP file. So, if you want to manually edit the files in a .resdefpkg file, you can rename the file to .zip. You can then extract files from it for editing.
If you want to create your own resource packages, you can add your files to a ZIP file, then rename it to .resdefpkg. The benefit of the resource definition package is you can include all the files needed for a Gallery Resource, which can even include entire setup structures copied from an .iso file. (The blog post "Windows Azure Pack VMRole Gallery Items for Collaboration Workloads" has examples of how to do this.)
The final task is to import the resource definition package into Windows Azure Pack, then publish it:
In the Server Admin Portal, navigate to VM Clouds, Gallery.
Click Import a gallery resource file.
Select the resource file (.resdefpkg) from your VMM server (or a share), click Open, then click the checkmark icon.
Select the New Gallery item and click the Make Public option, which you can see at the bottom of Figure 9.
Figure 9: Publishing the Resource Definition Package
Click Yes when prompted for confirmation.
Figure 10: Going to the Virtual Machine Clouds Page, Where You Can Configure Plan Details
You can now add this Gallery item to a plan in the portal using the Plans workspace. Alternatively, you can create a new plan, which can include both VM Gallery Resources and regular VM Templates from VMM. If you're creating a new plan, you'll need to configure the plan details once the basic plan is created. Go to the Dashboard tab and select Virtual Machine Clouds in the plan services section, as shown in Figure 10.
Figure 11: Configuring the Plan Details
You can now configure the plan details, including the VMM server and cloud, as shown in Figure 11. You can also add networks, VM templates, and any gallery items you want to make available.
After the plan is created, click the Change Access button at the bottom of the screen, then click Public. Note that you need to have subscriptions that allocate plans to groups of users. You now have VMs available to tenants!
It's important to mention that there's a tool—the Gallery Resource Import Tool—that does all the import and configuration steps in Windows Azure Pack and VMM for you, thereby removing a lot of the manual work. This tool is definitely worth using and is detailed in the blog post "Introducing the 'Gallery Resource Import Tool'."
Allocating Plans
You can create user accounts that can access plans through the tenant portal. You can also configure other types of authentication, such as federation with Windows Azure Pack using Active Directory Federation Services (ADFS). Users will then be able to select plans to use, or you can pre-assign plans, which will create subscriptions. Users can then access their subscriptions through the tenant portal. If you add a plan to a user and the plan's status gets stuck in "Active - Out of Sync" status, you likely didn't add the SPF service account to the four local SPF_ groups on the SPF server and didn't give the SPF service account the Sysadmin server role on the SQL Server instance. Fix those configurations, then try the synchronization again. If you still get stuck in the "Active - Out of Sync" status, verify on the SPF server that the SPF application pools in IIS (Admin, Provider, VMM, and Usage) are all configured to use the SPF service account and not the NetworkService account. (I've seen this happen after certain updates.) For more details, check out the Provision Virtual Machine Clouds web page and the blog post "Troubleshooting Windows Azure Pack, SPF & VMM" if you're experiencing problems.
About the Author
You May Also Like