Provisioning state blank when creating Backend Address Pool - azure

I am running the following commands to try and create a new Backend Address Pool in Azure's Application Gateway service.
$NewBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name "MHA-DEVOPS-TEST-2" -BackendFqdns "test.com"
Write-Host "Provisioning state: $($NewBackendPool.ProvisioningState)" -ForegroundColor Magenta
$NewBackendPool
The output I get is as follows:
I receive no error, but the ProvisioningState value is blank and when I try to attach this to my Application Gateway using the Add-AzureRmApplicationGatewayBackendAddressPool, nothing fails but the Backend Address Pool is definitely not created/attached.
Where am I going wrong?


Try the command below, it will work fine.
$AppGw = Get-AzureRmApplicationGateway -Name "<Your ApplicationGateway Name>" -ResourceGroupName "<ResourceGroupName>"
$AppGw = Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name "test11" -BackendFqdns "test11.com"
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw
Result snippet:
Check in the portal:

Related

Reset password on Azure VM scale set while extension exist

I referred to below link and succeeded to reset password on VM scale set with extension created
Reset password of a virtual machine scale set
Now, I want to reset the password again. However, if I perform the same as above, it will give me an error during Update-AzVmss
Update-AzVmss: On resource 'VMSS1', extension name 'VMAccessAgent' cannot be used for more than one extension.
ErrorCode: BadRequest
ErrorMessage: On resource 'VMSS1', extension name 'VMAccessAgent' cannot be used for more than one extension.
ErrorTarget:
StatusCode: 400
ReasonPhrase: Bad Request
OperationID : 53c2fea8-bf5a-47fe-a5e9-8e98eea1bb7b
How should I reset the password again? Does it mean I have to remove the extension and run the Powershell script again?

The error you are referring(On VM Scale Set 'VMSS1', extension name 'VMAccessAgent' cannot be used for more than one extension), I suspect this could be related to this one:"Multiple VMExtensions per handler not supported for OS type '{0}'. VMExtension '{1}' with handler '{2}' already added or specified in input."
Understand common error messages when you manage virtual machines in Azure
If the issue still persist, remove the extension and Process password update through script:
$vmss = ""
$vmssResourceGroup = ""
$publicConfig = #{"UserName" = ""}
$privateConfig = #{"Password" = ""}
$extName = "VMAccessAgent"
$publisher = "Microsoft.Compute"
$vmss = Get-AzVmss -ResourceGroupName $vmssResourceGroup
-VMScaleSetName $vmssName
$vmss = Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name
$extName -Publisher $publisher -Setting $publicConfig
-ProtectedSetting $privateConfig -Type $extName -TypeHandlerVersion "2.0" -AutoUpgradeMinorVersion $true
Update-AzVmss -ResourceGroupName $vmssResourceGroup -Name $vmssName
-VirtualMachineScaleSet $vmss

I was unable to remove the extension using any PowerShell commands. Ultimately I just deleted it in the portal and then was able to set the extension.

Link application insights to Azure web app through powershell

I'm trying to link new application insights to existing Azure web app through Powershell with the below script. I'm able to create a new app insight but unable to link the new app insight to the existing Azure web app.
$appInsights = New-AzResource -ResourceName 'MyWebsite09' -ResourceGroupName 'Test' `
-Tag #{ applicationType = 'web'; applicationName = 'sample1'} `
-ResourceType 'Microsoft.Insights/components' -Location 'North Central US' `
-PropertyObject #{'Application_Type'='web'} -Force
$appSetting = #{'APPINSIGHTS_INSTRUMENTATIONKEY'= $appInsights.Properties.InstrumentationKey}
Set-AzWebApp -Name 'sample1' -ResourceGroupName 'Test' -AppSettings $appSetting

Here is the Powershell commands to link application insights with exisiting azure web app . As your code will not enable the application insights , Follow the below code
$app = Get-AzWebApp -ResourceGroupName "AppMonitoredRG" -Name "AppMonitoredSite" -ErrorAction Stop
$newAppSettings = #{} # case-insensitive hash map
$app.SiteConfig.AppSettings | %{$newAppSettings[$_.Name] = $_.Value} # preserve non Application Insights application settings.
$newAppSettings["APPINSIGHTS_INSTRUMENTATIONKEY"] = "012345678-abcd-ef01-2345-6789abcd"; # set the Application Insights instrumentation key
$newAppSettings["APPLICATIONINSIGHTS_CONNECTION_STRING"] = "InstrumentationKey=012345678-abcd-ef01-2345-6789abcd"; # set the Application Insights connection string
$newAppSettings["ApplicationInsightsAgent_EXTENSION_VERSION"] = "~2"; # enable the ApplicationInsightsAgent
$app = Set-AzWebApp -AppSettings $newAppSettings -ResourceGroupName $app.ResourceGroup -Name $app.Name -ErrorAction Stop
You can Refer to this MS DOC for linking application insights to azure web-app fully.
or, You can even refer the SO thread for more details .

The below commands work for me in Azure portal CloudShell. After implementing the below code we were able to link New Application insight for existing webapp.
Code:
$resourceGroupName = "****"
$resourceName = "***"
$appInsightsInstrumentationKey = "***"
$app = Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $resourceName -ErrorAction Stop
$newAppSettings = #{} # case-insensitive hash map
$app.SiteConfig.AppSettings | %{$newAppSettings[$.Name] = $.Value} # preserve non Application Insights application settings.
$newAppSettings["APPINSIGHTS_INSTRUMENTATIONKEY"] = $appInsightsInstrumentationKey; # set the Application Insights instrumentation key
$newAppSettings["APPLICATIONINSIGHTS_CONNECTION_STRING"] = "InstrumentationKey=$appInsightsInstrumentationKey"; # set the Application Insights connection string
$newAppSettings["ApplicationInsightsAgent_EXTENSION_VERSION"] = "~2"; # enable the ApplicationInsightsAgent
$app = Set-AzWebApp -AppSettings $newAppSettings -ResourceGroupName $app.ResourceGroup -Name $app.Name -ErrorAction Stop
Restart-AzWebApp -ResourceGroupName "*** " -Name "***"
Please update the values and try this code in Azure Portal CloudShell.
Note: The code is not working for me in Windows Powershell ISE application.

Not able to add my client IP in server firewall rule

I have two subscription plans QA-##### and Prod-########. First is used for QA environment and second one is used for the production environment. I am able to connect the Azure database on QA-###### subscription after adding my client IP in the server firewall list.
But I am not able to connect Azure SQL Database on Prod-######## subscription. When I am going to add my client IP in a server firewall rule, It's showing a success message but not listed there.
I also submitted a support ticket on azure help and support section but no response.

Sometimes there are issues with Azure portal that affect a small set of Azure customers. My suggestion is to use PowerShell to add the firewall rule needed while you wait for the issue to be fixed by Azure Support.
# Connect-AzAccount
# The SubscriptionId in which to create these objects
$SubscriptionId = ''
# Set the resource group name and location for your server
$resourceGroupName = "myResourceGroup-$(Get-Random)"
$location = "westus2"
# Set an admin login and password for your server
$adminSqlLogin = "SqlAdmin"
$password = "ChangeYourAdminPassword1"
# Set server name - the logical server name has to be unique in the system
$serverName = "server-$(Get-Random)"
$startIp = "0.0.0.0"
$endIp = "0.0.0.0"
# Set subscription
Set-AzContext -SubscriptionId $subscriptionId
# Create a resource group
$resourceGroup = New-AzResourceGroup -Name $resourceGroupName -Location $location
# Create a server with a system wide unique server name
$server = New-AzSqlServer -ResourceGroupName $resourceGroupName `
-ServerName $serverName `
-Location $location `
-SqlAdministratorCredentials $(New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminSqlLogin, $(ConvertTo-SecureString -String $password -AsPlainText -Force))
# Create a server firewall rule that allows access from the specified IP range
$serverFirewallRule = New-AzSqlServerFirewallRule -ResourceGroupName $resourceGroupName `
-ServerName $serverName `
-FirewallRuleName "AllowedIPs" -StartIpAddress $startIp -EndIpAddress $endIp

AzureRM application gateway backend pools - is there a way to specify an App Service instead of FQDNs/IPs?

I'm trying to create a new Backend Pool in PowerShell.
In Azure's UI, these Backend Pools can refer to an App Service (e.g. a single container).
The PowerShell cmdlet however doesn't appear to support this, as far as I can see:
$AppGw = Get-AzureRmApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$AppGw = Add -AzureApplicationGatewayBackendAddressPool -ApplicationGateway $ AppGw -Name "Pool02" -BackendIPAddresses "10.10.10.10", "10.10.10.11"
$AppGw = Get-AzureRmApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$AppGw = Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name "Pool02" -BackendFqdns "contoso1.com", " contoso1.com"
I was hoping that it would be something along the lines of...
$AppService = Get-AzureRmWebApp -Name 'WebApp01'
$AppGw = Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name 'Pool02' -BackendWebApp $AppService
Does anyone know if there's any way around this?

For PowerShell, it seems there no cmdlet can achieve it that you expected:
Add-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name 'Pool02' -BackendWebApp $AppService
In the Azure portal, it is just convenient for people to find the App Service with the type App Services and get the FQDN. But for PowerShell cmdlet, it is more direct to input the FQDN.
By the way, people usually use an FQDN to access Azure Web Service. You can get more details about Configure App Service Web Apps with Application Gateway here.

Azure Application Gateway 502 error

I being working with the Azure application gateway, and stuck at the following error.
Here, my Network Diagram
Here, the powershell script which I had configure
Poweshell Output
PS C:\Users\shabbir.akolawala> Get-AzureApplicationGateway sbr2appgateway
Name : sbr2appgateway
Description :
VnetName : Group Shabs-AppGateway2 sbag2vnet
Subnets : {sbag2subnet1}
InstanceCount : 2
GatewaySize : Small
State : Running
VirtualIPs : {104.41.159.238} <-- Note IP Here
DnsName : 01b9b0e4-4cd2-4437-b641-0b5dc4e3efe7.cloudapp.net
Here, public IP of the application gateway is 104.41.159.238
Now, if I hit for first time you hit the gateway, you get following output
Note, this website doesn't render correctly, as many request (css/images) fail with 502.
Now, when if I hit this second time, I straightway get the 502 error
But, when hit the cloud service IP, I get my website correctly
I had configure the Azure Gateway with following configuration XML
My Questions are,
1] Does one have an idea how how to access logs which are generated in Application Gateway (In theory, Application gateway runs on IIS 8.5 / ARR)
2] Any obvious error, I made in design or configuration?

It is because of timeout.
1, Probe has by default 30 seconds timeout. if you application needs authentication, you will have to set custom probe.
2, Application Gateway has default 30 seconds timeout as well. if your Application Gateway cannot get response from backend virtual machine. it will return HTTP 502. it can be changed via "RequestTimeout" configuration item.
PowerShell:
set-AzureApplicationGatewayConfig -Name <application gateway name> - Configfile "<path to file>"
Config file:
<BackendHttpSettings>
<Name>setting1</Name>
<Port>80</Port>
<Protocol>Http</Protocol>
<CookieBasedAffinity>Enabled</CookieBasedAffinity>
<RequestTimeout>120</RequestTimeout>
<Probe>Probe01</Probe>
For detail : https://azure.microsoft.com/en-us/documentation/articles/application-gateway-create-probe-classic-ps/

Just extending this #Lang's answer for people using the Resource Manager rather than Classic. The following Powershell script will update set a new requested timeout of 120 seconds for every BackendHttpSetting within the target app gateway.
# Variable setup
$agName = "my gateway name"
$rgName = "my resource group name"
$newRequestTimeout = 120
# Retrieve gateway obj
$appGW = Get-AzureRmApplicationGateway -Name $agName -ResourceGroupName $rgName
$allHttpBackendSettings = Get-AzureRmApplicationGatewayBackendHttpSettings `
-ApplicationGateway $appGW
foreach($s in $allHttpBackendSettings)
{
# Retreive existing probe
$probeName = $s.Probe.Id.Split("/") | Select-Object -Last 1;
$probe = Get-AzureRmApplicationGatewayProbeConfig -ApplicationGateway $appGW `
-Name $probeName
# Update http settings
$appGW = Set-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $appGW `
-Name $s.Name -RequestTimeout $newRequestTimeout -Port $s.Port -Protocol $s.Protocol `
-Probe $probe -CookieBasedAffinity Enabled -PickHostNameFromBackendAddress
}
# Persist changes to the App Gateway
Set-AzureRmApplicationGateway -ApplicationGateway $appGW

I created custom healthchecks, but never seen attempts in websever access-log.
So I just set route on backend to serve any domain including IP address and add htpasswd protection to real domains.
Azure application gateway check http://backend_ip:80/ and became happy gateway :)

Resources