I am trying to setup my first Azure point-to-site VPN. If I'm reading things correctly, the URL I get from this PowerShell code:
$profile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroup -Name $GWName -AuthenticationMethod "EapTls"
$profile.VPNProfileSASUrl
should download an executable called VpnClientSetupAMD64.exe that will be in the WindowsAmd64 folder of the downloaded zip file. That executable should do the setup on the native Win 10 1909 client.
The zip file I get doesn't have any executable in it and doesn't have that directory in it. I only get the XML and OVPN files with the config data for the VPN client.
I also tried using the Download VPN Client selection in the GUI Azure portal on the VnetGW/point-to-site page and I get the identical zip file - still no setup exe.
I looked for a way to either directly download the VpnClientSetupAMD64.exe file or to specify the azurevpnconfig.xml file that I do get as a parameter to setup the VPN client but I see nothing applicable.
I understand that I can manually configure the VPN client using the info I have but that doesn't scale.
Can someone give me any pointers?
I had the same issue trying to setup Azure P2S VPN today, the downloaded VPN client is just a configuration file.
Did a bit research and found the solution: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client
Open Windows store, and install a app "Azure VPN Client". Then you can run Azure VPN Client and import the configuration file.
Be default, the Tunnel type is OpenVPN(SSL) in the Point-to-site configuration UI. Before you generate files using PowerShell, you should select the VpnClientProtocol to SSTP and IKEv2, or one of them because they are used for Windows clients. So you will get the VpnClientSetupAMD64.exe file. You could get more details here.
You also could refer to create a VPN Gateway and add point-to-site configuration using PowerShell.
New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location 'East US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"
# Add the VPN client address pool
$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool
# Create a self-signed root certificate
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
# Export the root certificate to "C:\cert\P2SRootCert.cer"
# Upload the root certificate public key information
$P2SRootCertName = "P2SRootCert.cer"
$filePathForCert = "C:\cert\P2SRootCert.cer"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [system.convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName `
-VirtualNetworkGatewayname "VNet1GW" `
-ResourceGroupName "TestRG1" -PublicCertData $CertBase64
Related
I'm trying to register Windows client machine to a Azure Recovery Services Vault with a powershell script.
I'm having this error:
WARNING: Vault credentials validation failed.
Start-OBRegistration : Vault credentials file provided has expired. We recommend you download a new vault credentials file from the portal and use it within 2 days.
These are my commands:
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname aly20-srv.xxx.onmicrosoft.com -NotAfter (Get-Date).AddHours(8)
$certificate =[System.Convert]::ToBase64String($cert.RawData)
$Vault1 = Get-AzRecoveryServicesVault –Name "rsvault-staging"
$CredsPath = "C:\temp"
$CredsFilename = Get-AzRecoveryServicesVaultSettingsFile -Backup -Vault $Vault1 -Path $CredsPath -Certificate $certificate
Import-Module -Name 'C:\Program Files\Microsoft Azure Recovery Services Agent\bin\Modules\MSOnlineBackup'
Start-OBRegistration -VaultCredentials $CredsFilename.FilePath -Confirm:$false
It seems that the vault credentials file created in "C:\temp" is not valid.
If I try to get it directly from azure portal and run "Start-OBRegistration" command it works.
What's the problem? How can I solve?
Thank you.
It looks like you are using "-NotAfter (Get-Date).AddHours(8)"
This will make your certificate expire after 8 hours, the default is 1 year.
I've got a Windows container that's running in Azure that I'm trying to attach persistent storage to, however, I'm not able to find any documentation on how to do so.
Dockerfile:
FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8-20190910-windowsservercore-ltsc2016
SHELL ["powershell"]
EXPOSE 443
WORKDIR /CompanyAPP
COPY WebPackage.zip .
RUN Expand-Archive WebPackage.zip . ; `
Rename-Item ./CustomerWebConfigurator ./WebConfigurator; `
Rename-Item ./Customer ./WebRoot; `
Rename-Item ./CustomerWebService ./WebService; `
Rename-Item ./CustomerWCFService ./WCFService; `
rm WebPackage.zip
ARG BUILD
RUN Add-WindowsFeature Net-WCF-HTTP-Activation45;`
Install-PackageProvider -Name Nuget -Force;`
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted;`
Install-Module -Name AWSPowerShell;`
New-WebApplication -Site 'Default Web Site' -Name 'App' -PhysicalPath c:\CompanyAPP\WebRoot; `
New-WebApplication -Site 'Default Web Site' -Name 'AppWebService' -PhysicalPath c:\CompanyAPP\WebService; `
New-WebApplication -Site 'Default Web Site' -Name 'AppWCFService' -PhysicalPath c:\CompanyAPP\WCFService; `
New-WebApplication -Site 'Default Web Site' -Name 'AppWebConfigurator' -PhysicalPath c:\CompanyAPP\WebConfigurator; `
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' -Name ServerPriorityTimeLimit -Value 0 -Type DWord;`
$cert = New-SelfSignedCertificate -Subject self; `
New-WebBinding -Protocol https -port 443 -name 'Default Web Site' -SSLFlags 0; `
$binding = Get-WebBinding -protocol https; `
$binding.AddSslCertificate($cert.Thumbprint, 'my');
RUN Set-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site\App' -Filter '/system.web/customErrors' -Value #{mode='Off'};`
write-host 'got here!'
The storage is configured in an Azure Storage account, and using file storage, I'm attaching it in the configuration via path mappings, and am having no luck.
Hoping that someone can point me in a good direction to get this figured out.
I may be quite late to the party, but I stumbled upon this issue only today (mounting Azure File Volumes in a Windows Container still is not supported even a year later), and I found quite an easy workaround. I will share this here, because this question is one of the top results when searching for the error message.
You can mount your Azure File Volume via SMB. All you need is the UNC, a username and a password, which you can get from the properties of your Azure File Volume
So I created a small startup.cmd
#echo off
net use z: %MNTUNC% %MNTPASS% /user:%MNTUSER%
"c:\program files\myapp\myapp.exe"
and defined that startup.cmd as the entrypoint in the dockerfile
....
COPY ["startup.cmd", "c:/startup.cmd"]
ENTRYPOINT ["c:/startup.cmd"]
Pitfall: Be aware, that a drive mapped with net use (or New-PSDrive if you prefer PowerShell) is only visible to the user account under which the command was executed, so be sure to mount the drive with the same user, which is used to execute the service.
You can set the values for the environment variables during deployment like described here:
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-environment-variables
For instance, when using a YAML file for deployment, you can set the environment variables as follows. Using secureValue makes the value of the environment variable accessible only from within the container and the values won't be shown for instance in the properties of the container on the azure portal.
....
containers:
- name: mycontainer
properties:
environmentVariables:
- name: 'MNTUNC'
secureValue: '\\myaccountname.file.core.windows.net\myvolume'
- name: 'MNTPASS'
secureValue: 'mysupersecretpassword'
- name: 'MNTUSER'
secureValue: 'Azure\myaccountname'
If you use the Azure Container Instance to deploy for Windows container, then the Azure File storage does not support the persistent volume., it's currently restricted to Linux containers. You can get more details about the note here:
Mounting an Azure Files share is currently restricted to Linux
containers.
Update:
With the message that the provided in the comment, you use the web app for the container with the Windows image. In this situation, it supports to mount the Azure File Share to the Windows Container. You can follow the steps in Configure Azure Files in a Windows Container on App Service.
To do this with a script that is publicly available this is no Problem using:
$publicSettings = #{
"fileUris" = (,"$uri");
"commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File azure_cse_vm_initial_script.ps1 $argument"
}
Write-Host " ==> Add-AzureRmVmssExtension"
Add-AzureRmVmssExtension -VirtualMachineScaleSet $vmss `
-Name "customScript" `
-Publisher "Microsoft.Compute" `
-Type "CustomScriptExtension" `
-TypeHandlerVersion 1.8 `
-Setting $publicSettings
But how to do in case I use a storage account with a blob container? Can the access key be added to the Settings object? But how? And what to use for the URL.
The script I want to run should not be public accessible because it is the Installation script of my application.
Thanks,
Daniel
I would create a shared access signatur for that script (see Using shared access signatures). Then you can simple add the SAS token to the URI. E. g:
https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt?sv=2015-04-05&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D
You could also use storage account name and storage account key to download the script: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#extension-schema
I've been using the classic Azure Portal for a while now, and I know how to create a VM, customize it, then capture it as an Image and use that image to create more VMs.
Now I'm trying to use the new Azure Portal. I created the VM and customized it, now I want to capture an image so I can make more VMs exactly the same way. The problem is the new web portal doesn't capture option.
As far as I know, you can do it via Powershell:
Login-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "<subscriptionID>"
Stop-AzureRmVM -ResourceGroupName <resourceGroup> -Name <vmName>
Set-AzureRmVm -ResourceGroupName <resourceGroup> -Name <vmName> -Generalized
Save-AzureRmVMImage -ResourceGroupName <resourceGroupName> -Name <vmName> `
-DestinationContainerName <destinationContainerName> -VHDNamePrefix <templateNamePrefix> `
-Path <C:\local\Filepath\Filename.json>
For more details visit: https://learn.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-capture-image
Lightly related to How to add an SSL certificate to an azure website using powershell?
I am trying to add a certificate to an Azure RM website via Powershell.
I don't think there is a direct Azure Powershell command, and it will need to be done via New-AzureRmResource
In the latest release of Azure PowerShell v 1.1.0, there is a number of new commands to handle SSL certificates in Azure Web Apps
You can upload the certificate and bind it to hostname using
New-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -CertificateFilePath PathToPfxFile -CertificatePassword PlainTextPwd -Name www.contoso.com
And then remove the binding but without removing the certificate, the app should be able to use it after you add a app setting referencing that cert (this should be done using the portal - the PowerShell command to do so will come soon - No ETA for now)
Remove-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -Name www.contoso.com -DeleteCertificate $false
Looking through the ARM Template the "Microsoft.Web/certificates" template takes a pfxblob and a password.
It seems the easiest way of obtaining a pfxblob is via New-AzureRmApplicationGatewaySslCertificate (thanks to #vigneshaj for the pointer) reading the source, it seems that this is simply a local conversation cmdlet. So it doesn't matter that it is for an application gateway, all we need is the data it passes back.
$pfx = New-AzureRmApplicationGatewaySslCertificate -Name example `
-CertificateFile E:\PS\example.pfx `
-Password "bananas"
Once we have that data, we can simply plug it into New-AzureRmResource and it will create our certificate on Azure.
The small problem with this, is that if you're a cheapskate (like me) and you've obtained a free cert from that Chinese CA that gives sha256 certs, this process will strip off the certificate that signs pages with sha256, and so it falls back to TLS 1.2, which gives errors (on Chrome at least)
$ResourceLocation = "West Europe"
$ResourceName = "Newcertificate"
$PropertiesObject = #{
pfxBlob = $pfx.Data
password = $pfx.Password
}
New-AzureRmResource -Name $ResourceName -Location $ResourceLocation `
-PropertyObject $PropertiesObject `
-ResourceGroupName examplecomRG `
-ResourceType Microsoft.Web/certificates `
-ApiVersion 2015-08-01 -Force
The next job from there is configuring your Web App to use that cert. Because these properties are child objects of the hostNameSslStates array I created an inner hash table, and then attached that. I'm sure there's a more elegant way, but this worked!
$ResourceName = "ConfuseioWebapp"
$InnerPropertiesObject = #{
name = "www.example.com"
sslState = 1
thumbprint = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
}
$PropertiesObject = #{
"hostNameSslStates" = [Object[]]$InnerPropertiesObject
}
New-AzureRmResource -Name $ResourceName `
-Location $ResourceLocation `
-PropertyObject $PropertiesObject `
-ResourceGroupName examplecomRG `
-ResourceType Microsoft.Web/sites `
-ApiVersion 2015-08-01 -Force
And that is pretty much it.
I came across the below article, which configures SSL through powershell, by creating Azure Application Gateway
https://azure.microsoft.com/en-us/documentation/articles/application-gateway-ssl/