Monday, November 29, 2021

Create Azure ExpressRoute Circuit - ARM template

 There are multiple steps and design decisions that go into the deployment of an ExpressRoute. This article will cover (mostly) one of these steps which is the deployment of the ExpressRoute (ER) circuit.

An ExpressRoute circuit is a logical connection between your on-premises datacenters and Azure via a connectivity provider, see diagram below:

If you are designing an ER setup with multiple ER providers for DR, one ER circuit is required for each of these providers.

Once you deploy the ER circuit there will be a monthly running cost (both for metered and unmetered connections). 

To deploy the ER circuit, you can use an ARM template available on Github, see this link (this is one that I've used at a client) or use this version from MS Github. You can also deploy it manually from the portal if needed.

Note that to ensure that you enter the correct parameters in the parameter json, you can go through the steps of creating a new ER circuit via the Azure portal but instead of clicking "Create" on the last tab, click on "Download the template for automation". This will give you the ARM template including the parameters file. From here, you can copy the correct parameter information. Below are shown the main parameter options:

For port type there is a choice between Provider and Direct. Provider is the option described in this article (and which most companies would use) whereas ER Direct circumvents the service provider and connects directly to Microsoft equipment at the local peering edge location, see more here (however, a connectivity provider such as Telia or Interxion will still be used to do the actual work of connecting the physical equipment). With ER Direct you can get speeds up to 100 Gpbs, via a connectivity provider max bandwidth is 10 Gbps.

Peering location is the physical datacenter location of the connectivity provider. This location will typically be as close to the physical location for the client datacenters or main office location. You can see a list of providers and locations here. An example could be a Danish based company using Azure resources in West Europe region. A choice of local peering location could be Copenhagen via the provider Interxion. When traffic reaches Copenhagen on provider managed lines it will continue on the Microsoft backbone to Amsterdam (West Europe).

For the SKU, there is choice between Standard and Premium. You can see the differences here. Likely, Standard SKU will suffice for most clients.

For Billing Model there is a choice between Metered and Unmetered, see prices here. For Metered connection, there is a cost for egress traffic (traffic leaving Azure) but not ingress.

When the connectivity provider has established the last mile and connected the client datacenter to a local peering edge, they will ask for a Service Key to be able to configure the circuit on their side. The Service Key is available from the portal once the ER circuit is provisioned, see screenshot below:

After creating the ER circuit, Private Peering (as opposed to Microsoft peering for Office 365) must be configured. See details here (This step can be set up either by the connectivity provider or or you so ask the provider how they usually do it).

Then verify Private Peering.

After this, create a connection to the ER GW (similar to a VPN gateway but for ExpressRoute) from portal: Circuit -> Connections -> Add. This can also be done via ARM, see this link.

Tuesday, October 5, 2021

Azure Firewall - Forced Tunneling not working for internet bound traffic

 At current client we have a use case that is not widely used. It's built around the Microsoft Enterprise-Scale AdventureWorks Hub/Spoke network infrastructure. The traffic from spokes is filtered via Azure Firewall to a VPN gateway in the Hub and from there to on-premise datacenters. Azure Firewall Forced tunneling is configured so that all traffic to on-prem including internet bound traffic is routed this way and will ultimately exit via an on-premise web proxy. The usual configuration would be to route internet bound traffic directly to the internet from the Azure Firewall (AZ FW).

Since we're currently building the environment we had only tested the connectivity to on-premise local addresses and not internet bound traffic. When testing we could see that traffic from the spokes reached the AZ FW and was correctly allowed by the network rules. But from there it sort of disappeared.

Then we set up a VPN packet capture on two of the VPN gateways (VPN GW), one was a control where traffic was not filtered via the AZ FW. We could see that internet bound traffic never reached the VPN GW and so the problem was introduced before that point either in the FW itself or the UDRs.

Microsoft Support suggested that we remove the UDR/route table associated with the AzureFirewallSubnet (which contains a default route,, to the virtual network gateway) since this should already be pushed from the VPN GWs.

Removing the UDR actually fixed the issue (so that no route tables are associated with the AzureFirewallSubnet). So having a double configuration which in itself is not incorrect results in internet traffic being dropped by the AZ FW.

While testing this we couldn't see the local source IP addresses of the test VMs in the on-prem firewall. Instead we saw an interface/IP address from the AzureFirewallSubnet range (which was not the configured IP of the local AZ FW interface but from same subnet so it belongs to the FW). The reason for this is that SNAT is configured by default for internet bound addresses but not for local addresses. This can be changed under AZ FW Policies and set to 'Never'. With this, the original source IPs are visible in the on-prem FW (they are not SNAT'ed or masked). See the configuration of SNAT in screen shot below.


Friday, October 9, 2020

Join a VM to an active directory domain in Azure with PowerShell

 At current client we have a hybrid setup with an on-prem datacenter and VPN connections to Azure. The on-prem active directory has been extended to Azure with an additional two domain controllers (classic active directory).

We have a generic virtual machine deployment template in PowerShell and want to be able to have VMs automatically join the domain as part of the deployment process.

A first learning is to make sure that the IP addresses of the DC's are specified as custom DNS servers on the VNets where they reside (assuming they also function as DNS servers). Otherwise, the VMs won't be able to resolve the domain (VNet -> DNS servers -> Custom).

Up front we have verified that a VM can be manually joined to the domain from the VM itself.

The PowerShell command for setting the domain is: Set-AzVMADDomainExtension

The MS documentation is not very thoroughly described for this command, unfortunately.

We got pretty far using this guide instead.

When using that example and trying jo join, the PowerShell script kept hanging and timing out. From the VM itself in the event log, it just stated NetJoin action failed. But no helpful error description.

We had to adjust two things to make it work:

1. For the JoinOption parameter, instead of using 0x00000001, we used 0x00000003 (which is similar to setting 0x00000001 and 0x00000002). This specifies joining a domain instead only a workgroup (option 1) and option 2 creates an account on the domain.

2. By using the Invoke-AzVMRunCommand command we set the DNS suffix from inside the VM using PowerShell before running the domain join command.

This works in our setup. The code examples can be seen below (first script calls the second script). It can be added to an existing VM deployment script or be run as a standalone script post VM install.

Join domain

# Update variables
$VMName = "XXVMname"
$ResourceGroupName = "XX-RGname"

# Do not update these variables
$DomainName = "XXdomainname.local"
$ServiceAcct = "XXdomainname\XXserviceaccountname"
$secretnameDomain = "XXnameofsecretinKeyVault"
$JoinOpt = "0x00000003" # specifies the options to join a domain, 0x00000001 + 0x00000002
$OU = "OU=XX,OU=XX,DC=XX,DC=Local" # Update string with corrrect OU path (not a requirement)
$kvname = "XXnameofKeyVault"
$LocationName = "westeurope"
$ScriptPathDNSsuffix = ".\SetDnsSuffixInVM.ps1"

Write-Host "Set DNS suffix in VM. $(Get-Date)"
# Set DNS suffix in VM (for domain join to work)
Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName `
 -VMName $VMName `
 -CommandId 'RunPowerShellScript' `
 -ScriptPath $ScriptPathDNSsuffix

# Get service account password from key vault
$ServiceAcctPassword = (Get-AzKeyVaultSecret -vaultName $kvname -name $secretnameDomain).SecretValueText | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($ServiceAcct, $ServiceAcctPassword);

Write-Host "Joining domain $DomainName. $(Get-Date)"
Set-AzVMADDomainExtension -DomainName $DomainName `
 -VMName $VMName `
 -ResourceGroupName $ResourceGroupName `
 -Location $LocationName `
 -Credential $Credential `
 -OUPath $OU `
 -JoinOption $JoinOpt `
 -Restart `
Write-Host "Script done at $(Get-Date)"

Set DNS Suffix in VM (SetDnsSuffixInVM.ps1)

$DnsSuffix = "XXDomainname.local"

$interfacealias = get-dnsclient | Where-Object {$_.InterfaceAlias -eq "Ethernet"}
set-dnsclient -Interfaceindex $interfacealias.Interfaceindex `
-ConnectionSpecificSuffix $DnsSuffix `
-RegisterThisConnectionsAddress $True

Thursday, October 1, 2020

Azure: Allowing Windows Server to activate via KMS through Azure Firewall

 At current client we have an Azure Firewall installed. And only outbound traffic on ports 80 and 443 is allowed. Today we found that Windows Servers do not activate (we're buying the licenses per Windows Server). 

The reason for this is that the VMs can't reach the KMS server for Azure Global cloud:

Azure Global KMS:  - IP: on port 1688. See here for more info. 

(I found a general activation troubleshooting guide here where they recommend testing with PsPing. I didn't get around to trying that, but it might be useful.)

I tried adding a network rule in the Azure Firewall using the FQDN, That failed.

But adding a rule using the IP address in stead worked fine (and that looks to be 'allowed' as well by MS).

The following rule was added in Azure Firewall via PowerShell:

 # Allow VMs to reach for Windows Server activation
 $NetRule2 = New-AzFirewallNetworkRule -Name "allow-kms" -Protocol TCP,UDP -SourceAddress `
  "", `
  "" `
 -DestinationAddress "" -DestinationPort "1688"

And remember to add the rule variable as well to the New-AzFirewallNetworkRuleCollection cmdlet:

$NetRuleCollection = New-AzFirewallNetworkRuleCollection -Name 'fw-rule-collection' -Priority 200 `
   -Rule $NetRule1,$NetRule2 -ActionType "Allow"

When done, I RDP'ed to a VM and went to activation. It wasn't activated. I clicked on troubleshoot and the VM activated. Likely after a while all VMs will activate automatically.

Azure: Create an availability set with two VMs with PowerShell

If you have two or more virtual machines in Azure running in a pair or a cluster (for example domain controllers), you want to make sure that the proper redundancy is in place.

There are two ways to go about this. One is to place the VMs in different availability zones (different datacenters in the region) and the other is availability sets which separate VMs on different hardware and in different maintenance groups - within the same physical datacenter.

An availability set is the combination of a fault domain (which is separate physical hardware within a given datacenter) and an update domain (specifies logical groups of hardware to avoid downtime during planned or unplanned MS maintenance, se here).

Availability set

The order in which you create the availability set is the following:
  • First you create the availability set
  • Then you create the individual VMs - and the important part is that the availability set has to be specified/set during VM creation using a parameter (AvailabilitySetName). If the VM has already been created without this parameter, then it cannot be added to the availability set later
If you are creating the VMs in PowerShell from scratch an not using the "New-AzVMConfig" cmdlet to specify VM settings in your script, then you can follow this MS guide. However, if you're using "New-AzVMConfig" then it has to be done slightly differently.

Create availability set

# Variables

$ResourceGroupName = "myRG"
$LocationName = "westeurope"
$AvailSetName = "AvailabilitySetAD01"

New-AzAvailabilitySet `
   -Location $LocationName `
   -Name $AvailSetName `
   -ResourceGroupName $ResourceGroupName `
   -Sku aligned `
   -PlatformFaultDomainCount 2 `
   -PlatformUpdateDomainCount 2

This creates the availability set with two fault domains and two update domains. In West Europe you can have up to three fault domains.

To create the VMs, make sure that the following lines are set in the script (copy/paste the snippet to get all the code):

$AvailSetName = "AvailabilitySetAD01"
# Get the availability set for domain controllers
$AvailSet = Get-AzAvailabilitySet -ResourceGroupName $ResourceGroupName -AvailabilitySetName $AvailSetName
# Create new VM config object and add it to the availability set
$VirtualMachine = New-AzVMConfig -VMName $VMName -VMSize $VMSize -AvailabilitySetID $AvailSet.Id

An example of a full VM script including the above three lines can be seen below. If using this in its entirety, make sure that the resource groups, key vault, and storage group are created in advance (or not use the specific parts about key vault and boot diagnostics).

# Update these variables:
# Update to correct RG name
$ResourceGroupName = "ad-RG"
$Vnetrgname = "vnet-RG"
$rgLogmon = "logmon-RG"
$secrgname  = "sec-RG"

$ComputerName = "myServer01" # Change this!
$VMName = "myServer01" # Change this!
$VMSize = "Standard_B2s"
$Vnetname = "MYvnet"
$SubnetName = "MyZone01"
$Disksize = "128"
$OSDiskName = $($VMName) + '-disk01'
$Publisher = "MicrosoftWindowsServer"
$Offer = "WindowsServer"
$Sku = "2019-Datacenter"
$DiskType = "StandardSSD_LRS"
$PrivateIP = "" # Change this!
$stgaccountname = "myStorageAccount"
$kvname = "MyKV"
$secretname = "localadmpwd"
$AvailSetName = "AvailabilitySetAD01"

# Do not update these variables
$VMLocalAdminUser = "localadmin"
# Will prompt for password during deploy
#$VMLocalAdminSecurePassword = ConvertTo-SecureString  -AsPlainText -Force
# Will get password from text file
#$VMLocalAdminSecurePassword = Get-Content ./vmos-sec-key.txt | ConvertTo-SecureString -AsPlainText -Force
# Will retrieve passwd from key vault
$VMLocalAdminSecurePassword = (Get-AzKeyVaultSecret -vaultName $kvname -name $secretname).SecretValueText | ConvertTo-SecureString -AsPlainText -Force
$LocationName = "westeurope"
$NICName = $($VMName) + '-nic01'
$OSDiskName = $($VMName) + '-OsDisk01'

Write-Host "Creating variables at $(Get-Date)"
# Get existing Vnet
$Vnet = Get-AzVirtualNetwork -Name $Vnetname -ResourceGroupName $Vnetrgname
# Get existing subnet
$Subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $Vnet
# Set static private IP address
$IPconfig = New-AzNetworkInterfaceIpConfig -Name "IPConfig1" -PrivateIpAddressVersion IPv4 -PrivateIpAddress $PrivateIP -SubnetId $Subnet.Id
# Create a new NIC for the VM and associate the private IP
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $ResourceGroupName -Location $LocationName -IpConfiguration $IPconfig -Force

# Create credentials object
$Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser$VMLocalAdminSecurePassword);
# Get the availability set for domain controllers
$AvailSet = Get-AzAvailabilitySet -ResourceGroupName $ResourceGroupName -AvailabilitySetName $AvailSetName
# Create new VM config object and add it to the availability set
$VirtualMachine = New-AzVMConfig -VMName $VMName -VMSize $VMSize -AvailabilitySetID $AvailSet.Id
# Set OS type and OS name and add to VM config object
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ComputerName -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate
# Associate the NIC with the VM config object
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id
# Specify OS type for the VM config object
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName $Publisher -Offer $Offer -Skus $Sku -Version latest
# Set disk size in GB
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -DiskSizeInGB $Disksize -Name $OSDiskName -StorageAccountType $DiskType -CreateOption FromImage
# Set storage account for boot diagnostics (udpate line below)
$VirtualMachine = Set-AzVMBootDiagnostic -VM $VirtualMachine -Enable -ResourceGroupName $rgLogmon -StorageAccountName $stgaccountname

Write-Host "Creating new VM...(this can take 10+ minutes). Starting at $(Get-Date)"
# Create the VM using VM config object 
New-AzVM -ResourceGroupName $ResourceGroupName -Location $LocationName -VM $VirtualMachine -Verbose
Write-Host "VM created"
Write-Host "Script done at $(Get-Date)"

When done, it will look like below in the portal:

Availability zones

In regions that support availability zones (e.g. West Europe), there can be up to three logical zones - named 1, 2, and 3 that each represent one physical datacenter (Microsoft states that a zone may be more than one DC but does not promise this, so we assume a zone is one DC).

Zone numbering is only consistent within a subscription, so you cannot rely on e.g. Zone 1 being the same physical location if deploying in different subscriptions.

According to MS documentation, there are two types of availability zones services:

  • Zonal services – where a resource is pinned to a specific zone (for example, virtual machines, managed disks, Standard IP addresses), or
  • Zone-redundant services – when the Azure platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).

So for VMs one can pin or specify a zone for a VM using zonal services. This has to be done during deployment and cannot be change or updated after deploy. If nothing is specified, the Zone value will be empty you will not be in control of or be able to view zone placement.

If deploying with PowerShell, the '-Zone' parameter has to be used with a value of 1, 2, or 3. See example below:

# Create a virtual machine configuration

$vmConfig = New-AzVMConfig -VMName myVM -VMSize Standard_DS1_v2 -Zone 2 | `

    Set-AzVMOperatingSystem -Windows -ComputerName myVM -Credential $cred | `

    Set-AzVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer `

    -Skus 2016-Datacenter -Version latest | Add-AzVMNetworkInterface -Id $nic.Id

To add a managed disk to a specific zone, the same same -Zone parameter should be used, se here.

If deploying via the portal there is a redundancy option where you choose availability zone and zone number, see below:

It should be noted that there is a cost associated with datatransfer in and out of zones. But placing a VM in a zone does not have a cost on its own.

Tuesday, September 29, 2020

Azure: Encrypting VM disks with Powershell using Azure key vault

 Encrypting disks in Azure for virtual machines can be a good idea if you have sensitive data on them. At current client the decision is to encrypt disks for domain controllers but not for general purpose VMs (as it adds a bit of administrative overhead and might impact performance - I don't have specific numbers on this).

If you have a key vault in place with the -EnabledForDiskEncryption parameter set it is relatively easy to configure on the VM. The VM has to be already running so it is a post step after install.

From the VM deploy script you can add the below code snippet to your script:

# Encrypt VM disks (should only be done for AD VMs and VMs with highly sensitive data)
Write-host "Checking if disks are encrypted on VM"

# Get key vault
$KeyVault = Get-AzKeyVault -VaultName $kvname -ResourceGroupName $secrgname

# Check if disk already encrypted, if not then encrypt it
if (Get-AzVmDiskEncryptionStatus -VMName $VMName -ResourceGroupName $ResourceGroupName | Where-Object {$_.OsVolumeEncrypted -eq "Encrypted"}){
    Write-host "Disk already encrypted"
else {
    Write-host "Encrypting disks"
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName `
     -VMName $VMName `
     -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri `
     -DiskEncryptionKeyVaultId $KeyVault.ResourceId `


  • $kvname: Name of the key vault
  • $secrgname: Name of the resource group where key vault resides
  • $VMName: Name of the VM
  • ResourceGroupName: Name of resource group where VM resides
Assuming you have the correct permissions set on the key vault, then the secret will be created automatically in the key vault. During the encrypt process the VM will reboot and it takes about 10 minutes depending on the size of the disks.

Wednesday, September 23, 2020

Azure: Delete tags on resource groups and resources with Powershell

 At current client we've been pushing out standard tags via Azure Policy to both resource groups and resources. One policy adds tags to the resource groups and another poicy inherits the tags from the resource groups to the resources (to only have to update tags in one place).

After some evaluation we found that we'd pushed too many tags and needed to delete some of them from some of the subscriptions.

There is no easy way to do this in bulk from the portal but it can be done with Powershell.

The logical command to use would be Remove-AzTag but apparently that is only for unused tags and so it won't work if you've added values to your tags.

To delete tags with values added to them, you need two different scripts. One for resource groups and one for the resources.

If you have an 'inherit tags' policy enabled that force changes on updates, then make sure to delete first the tags on the resource groups and then on the resources. Otherwise the tags will be re-written to the resources immediately on update.

Both scripts below will traverse all or selected subscriptions and delete tags.


# This script will delete the specified tag including values only on resources groups.

# Update this variable with tag name to be deleted. No tag value required.
$DeleteTag = "ContactEmail"

# Get all subscriptions in tenant
# $subscriptions = Get-AzSubscription
# To get all subscriptions except subscription named: SUBS NAME
# Replace -notlike with -eq to get a specific subscription
$subscriptions = Get-AzSubscription | Where-Object {$_.Name -notlike "SUBS NAME"}

# Traverse through all subscriptions
Foreach ($subscription in $subscriptions ) {

# Select a subscription    
Select-AzSubscription -subscriptionid $subscription

# Get list of resource groups in subscription
$rg = Get-AzResourceGroup
# For each resource group, get the associated tags and put into a variable
Foreach ($i in $rg.ResourceGroupName)
 $Tags = (Get-AzResourceGroup -Name $i).Tags
 # Remove the tag with the Name specified
 # Set the tags on the resource group
 Set-AzResourceGroup -Name $i -Tag $Tags



# This script will delete tags on all resources in all subscriptions, 
# however not on the resource groups, see DeleteTagsOnRGs.ps1 for that.
# Must run as .ps1 script, pasting into Cloud Shell will not work.
# Note, there can be a delay of 20-30 mins from running script until Tags appear 
# as deleted in the Portal
# Before running this script, ensure that tags are deleted at RG level first 
# otherwise they'll be re-added via the Inherit policy (if applied)

# To get all subscriptions
# $subs = Get-AzSubscription
# Get only a specific subscription
# $subs = Get-AzSubscription | Where-Object {$_.Name -eq "SUBS NAME"}
# To get all subscriptions except SUBS NAME
$subs = Get-AzSubscription | Where-Object {$_.Name -notlike "SUBS NAME"}

# Specify tag name
$tagname = "ContactEmail"
# Specify tag value
$tagvalue = ""

# Through all subscriptions, get resources with specified tag and value, 
# remove the tag from the array and update the resource
$subs | ForEach-Object {
    Set-AzContext $_
    $rs = Get-AzResource -TagName $tagname -TagValue $tagvalue
    $rs | ForEach-Object {
        $_ | Set-AzResource -Force

That's it.