I have about 200+ VMs (Windows & Linux) already deployed in Azure. I want to know if it is possible to use either Powershell or Azure CLI to update the VMs to use KeyVault as a password/key manager.
It is possible. You could use az vm update -n shui -g shuikeyvault --set to configure it. You could check this answer.
In fact, you could create a VM to use Key Vault, then use az vm show to get this parameters and use az vm update --set.
Related
I am trying to configure my app service to use user assigned managed identity to pull image from ACR. I figured how to do it by using az cli tool.
az resource update --ids /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/<app-name>/config/web --set properties.acrUseManagedIdentityCreds=True
az resource update --ids /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/<app-name>/config/web --set properties.AcrUserManagedIdentityID=$clientId
For certain resons I cannot utilize az cli in my release pipelines. My question is if it would be possible to achieve the same by using Az.Websites, looks like Set-AzWebApp doesn't support this option.
As mentioned in the docs, the current version of the Azure PowerShell cmdlets for Azure App Service do not support user-assigned identities.
You could instead try setting those properties with the Set-AzResource cmdlet.
I have hosted a website in azure virtual machine scale set by following the below steps
Create a VM and do the necessary changes/installations in iis.
Create a snapshot of the VM. This ensure that the above instance can be used for future changes.
create a disk from the snapshot.
create a vm from the disk.
RDP to the instance and generalize the instance for deployment (sysprep)
Run %WINDIR%\system32\sysprep\sysprep.exe as admin.
Enter System Out-of-Box Experience (OOBE),
Generalize check box is selected
Shutdown Option = Shutdown
Create Image (capture) from the above instance.
Create VSS from the above image
Suppose their is a change in the web build , Is there a way to update the scale set without following these steps again ?
Azure virtual machine extensions provide capabilities such as post-deployment configuration and management, monitoring, security, and more. Production deployments typically use a combination of multiple extensions configured for the VM instances to achieve desired results.
This is also is a good way to ensure availability of your system. The scale set will apply the update to one VM at a time, leaving the other VMs up and running.
Below example taken from the learn:
Deploy the update by using a custom script extension
In the Azure portal, run the following command to view the current upgrade policy for the scale set:
Azure CLI:
az vmss show \
--name webServerScaleSet \
--resource-group scalesetrg \
--query upgradePolicy.mode
Verify that the upgrade policy is set to Automatic. You specified this policy when you created the scale set in the first lab. If the policy were Manual, you would apply any VM changes by hand. Because the policy is Automatic, you can use the custom script extension and allow the scale set to do the update.
Run the following command to apply the update script:
az vmss extension set \
--publisher Microsoft.Azure.Extensions \
--version 2.0 \
--name CustomScript \
--vmss-name webServerScaleSet \
--resource-group scalesetrg \
--settings "{\"commandToExecute\": \"echo This is the updated app installed on the Virtual Machine Scale Set ! > /var/www/html/index.html\"}"
I'm trying to list virtual machines in azure from inside another virtual machine in azure. I mean, what I want to do is list backend members from the frontent. BUT I don't want to use credentials in my front end and I want to use roles.
For example, in AWS you can assign roles (EC2::DescribeInstance) to instances and use this command:
aws ec2 describe-instances --query 'Reservations[].Instances[].[PrivateIpAddress]' --output text --filters Name=instance-state-name,Values=running Name=tag:myapp-member,Values=myapp-backend
I can run that command without expose my credentials in any place.
If I run something like this on Azure
az vm list
It says I need to login first.
And I can't find how to assign roles to the instance.
Thanks a lot
Cheers
For your purpose, you can use the VM Managed Identity to log in for the Azure CLI, this way will not store any credential in the VM. But first, you need to assign the roles to your VM. And to assign the roles, you can use the Azure CLI command az role assignment create and the steps in Assign a managed identity access to a resource using Azure CLI. Or just in the Azure Portal, you can follow the steps in Assign a managed identity access to a resource by using the Azure portal. The PowerShell command is also available.
When the role is created, you can use the Azure CLI command az login --identity to log in without credential.
Note: You need to install the Azure CLI in the VM first.
I've setup kubernetes in azure using the azure acs and the azure cli.
az account list
az account set --subscription foobar
az group create --name foobar --location westus
az acs create --orchestrator-type=kubernetes --resource-group foobar --master-count 1 --name=foobar --dns-prefix=foobar
I want to be able to setup a site to site vpn, so that kubernetes can reach internal services in my datacenter.
Unfortunatly azure acs sets up kubernetes on a 10.0.0.0 network which overlaps with other resources in azure and my datacenter.
I can't find any way to change which subnet kubernetes runs on in acs. Is there a way to change the prefered network?
There does not appear to be a way to choose network from the acs create command
az acs create --name
--resource-group
[--admin-password]
[--admin-username]
[--agent-count]
[--agent-vm-size]
[--client-secret]
[--dns-prefix]
[--generate-ssh-keys]
[--location]
[--master-count]
[--no-wait]
[--orchestrator-type {Custom, DCOS, Kubernetes, Swarm}]
[--service-principal]
[--ssh-key-value]
[--tags]
[--validate]
[--windows]
No, there's no way of doing that. There might be a way to create a new kubernetes to existing vnet, but I'm not aware of that.
Your another option would be to delete all vm's and recreate them in the new vnet. No guarantee it would work.
With ACS through its CLI you can specify subnet id so the acs is created in a particular VNET. However this is only available in certain regions
I want to deploy a VM in microsoft's azure with a new size.
Usually I use a json template for the vm with size 'Standard_DS3'
Now I would like to have another one with size a3 'A3', but this causes an error
statusMessage:{"error":{"code":"InvalidParameter","target":"vmSize","message":"The value of parameter vmSize is invalid."}}
So I was wondering where can I find valid vm sizes for deployments in a location and the correct name for the deployment with a template file?
One can list all vm-sizes available in specific location(e.g westus) from Azure CLI 2.0 using following command
az vm list-sizes --location "westus"
Since you mentioned json templates in your question then I assume that you are using Azure Resource Manager to provision resources. If that's the case, you can use the following REST API endpoint to list all available virtual machine sizes in a region.
https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Compute/locations/{location}/vmSizes?api-version={api-version}
This information is accessible using Azure CLI, i.e.: az vm list-sizes --location "eastus"
You can also reference Microsoft documentation to see the list of virtual machine sizes. Sounds like you need to use the "Large" size in your template to provision an A3 Standard VM.
This isn´t always true. I´ve got into a situation where this command gives me a VM size that wasn´t truely avalaible for my location. This is a known issue of the Azure CLI.
Here is the statement from Azure support:
Cause: It is known that the command az vm list-sizes can expose sizes that are actually unavailable and we are working on that situation.
Resolution: The best option is to mitigate this is to cross check the information provided by that query with the restrictions that you have in the subscription that can be analyzed by the command az vm list-skus. For your scenario, you can see the SKU restrictions in West Europe by using the following:
az vm list-skus --location WestEurope --output table
You can use Get-AzureRmVMSize commandlet in PowerShell. This doesn't change too often and I have a .NET library which contains a snapshot of those https://github.com/aloneguid/microsoft-azure-strongtyped