There are a few runbooks in the gallery that help schedule the shutdown and reboot of Azure VMs, but they either no longer work or are for Classic Azure. Microsoft has provided an easy way to implement this without having to learn any scripting.
Although Microsoft's documentation explains how to set up Start/Stop VM under an automation account, it is a little vague for me, and I found some admins struggling to follow it. So I thought I would try to make it simple.
The most common scenario is to schedule an Azure VM shutdown and restart during off-business hours or at weekends, so I have implemented that solution through Azure Automation.
To start/stop VMs automatically to save cost, you need
If you don't have them already, you can create them while creating this VM reboot schedule.
Log in to your Azure portal.
Search for Automation account and click ADD.
I have named it Start-StopVM and chosen UK South. Make sure you say 'Yes' to Create Azure Run As Account (this will avoid complications in your reboot process).
Under the automation account, look for
Click on "Learn more about and enable the
Once you choose "Create", you need to fill in the following information. If you don't already have an OMS workspace, you need to create one.
Workspace – TestingShutdownRestartVM
Automation Account – Start-StopVM
Target ResourceGroup Names – *
VM Exclude List – None
Note: The resource group and VM exclude list can be set up here, but since we want to reboot one VM or a group of VMs, leave this as it is.
Schedule – current date/time
Email functionality – 'Yes' if needed, and the email address to receive the alert
Once you do that, you will see a list of runbooks added to the automation account.
This is where we are going to customize the following things:
The list of VMs (or the single VM) that need to be rebooted
The schedule on which the VMs need to be rebooted
Click the SequencedStartStop_Parent runbook -> click Schedule and click 'Add a Schedule'.
Click Schedule – Create a new schedule (I have named them Sequenced-StartVM and Sequenced-StopVM and already used them under the schedule). You can customize the settings later if you want. Choose Recurring if you want the start to happen every week, month, hour or day.
The following is where you define the action and list the VM or VMs:
Action – Start
WhatIf – $true or $false ($true if you are testing)
ContinueOnError – $true
VMList – list the VM or VMs (use a comma to add more than one VM)
Do the same thing again to stop the VM. (I have named them Sequenced-StartVM and Sequenced-StopVM and already used them under the schedule.)
Note: Remember this schedule is for the runbook, not for the Automation account.
After you have finished configuring, it will look like this under Schedule.
Note: The parameters cannot be changed after you schedule them; the schedule itself can be changed. If you would like to remove, add or modify VMs, you need to create a new schedule.
My schedule stops the VM on Friday night at 8:00 PM and starts the VM on Monday morning at 8:00 AM.
If you go to Automation account -> Runbooks -> SequencedStartStop_Parent -> Jobs, you can go into the log to find out what happened during the stop and start process.
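The same two schedules, created from PowerShell rather than the portal, as an added example that is not part of the original post: it links each schedule to the SequencedStartStop_Parent runbook with the four parameters described above. The resource group name and VM names are placeholders, and it assumes Az.Automation is installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original post): weekly stop on Friday 8:00 PM and
# start on Monday 8:00 AM, registered against SequencedStartStop_Parent.
Import-Module Az.Automation

$rg      = 'Start-StopVM-rg'          # placeholder: resource group of the automation account
$account = 'Start-StopVM'             # automation account name used in the post
$runbook = 'SequencedStartStop_Parent'
$vmList  = 'vm-web-01,vm-sql-01'      # placeholder VM names, comma-separated as VMList expects

function New-StartStopSchedule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Start', 'Stop')][string]$Action,
        [Parameter(Mandatory)][DayOfWeek]$Day,
        [Parameter(Mandatory)][int]$Hour,
        [bool]$TestOnly = $false      # becomes the runbook's WhatIf; $true while testing
    )
    # Azure rejects a start time in the past, so use the next occurrence of $Day at $Hour:00
    $now   = Get-Date
    $ahead = (([int]$Day - [int]$now.DayOfWeek) + 7) % 7
    $start = $now.Date.AddDays($ahead).AddHours($Hour)
    if ($start -le $now.AddMinutes(5)) { $start = $start.AddDays(7) }

    New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
        -Name $Name -StartTime $start -DaysOfWeek $Day -WeekInterval 1 `
        -TimeZone 'GMT Standard Time' | Out-Null

    # Runbook parameters are fixed when the schedule is linked (the post's note):
    # to change VMList later you create a new schedule rather than editing this one.
    Register-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $account `
        -RunbookName $runbook -ScheduleName $Name -Parameters @{
            Action          = $Action
            WhatIf          = $TestOnly
            ContinueOnError = $true
            VMList          = $vmList
        } | Out-Null
}

New-StartStopSchedule -Name 'Sequenced-StopVM'  -Action 'Stop'  -Day Friday -Hour 20
New-StartStopSchedule -Name 'Sequenced-StartVM' -Action 'Start' -Day Monday -Hour 8

# Confirm what is now linked to the runbook
Get-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $account `
    -RunbookName $runbook | Select-Object ScheduleName, RunbookName
```

Run it once with -TestOnly $true on both calls first; the job log under Jobs then shows what would have been stopped or started without touching the VMs.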
Sometime early last year, Microsoft announced that global VNet peering is generally available, which opened up a lot of possibilities.
One requirement from my client was to replace their existing VPN with global peering between UK West and UK South, without using a third-party appliance to route the traffic.
The existing network looks like this:
FrontEndNetwork and Lab-Vnet are in UK West; DRNetwork is in UK South. Since they are in different regions, there is a VPN between FrontEndNetwork and DRNetwork.
There are two requirements:
To replace the VPN with global peering
To make sure that Lab-Vnet traffic to DRNetwork is routed through FrontEndNetwork
The network should look like the diagram below.
There are a few things we need in order to achieve this goal:
1. Gateway subnet for FrontEndNetwork – the subnet where all traffic from Lab-Vnet to DRNetwork, and vice versa, should land.
2. Virtual network gateway for FrontEndNetwork – this is the IP address used by Lab-Vnet and DRNetwork.
3. Route tables, one for Lab-Vnet and one for DRNetwork.
Before the implementation, I want to demonstrate that the two VMs on the two different networks cannot communicate with each other. The virtual machines are:
TestBackEnd – 22.214.171.124 from DRNetwork
BackupServer – 10.0.0.4 from Lab-Vnet
Along with the three steps above, I would like to show the peering between each network before we start creating other things:
Lab-Vnet to FrontEndNetwork, from the Lab-Vnet virtual network
DRNetwork to FrontEndNetwork, from the DRNetwork virtual network
FrontEndNetwork to Lab-Vnet, from the FrontEndNetwork virtual network
FrontEndNetwork to DRNetwork, from the FrontEndNetwork virtual network
Creation of the gateway subnet
Navigate to the FrontEndNetwork.
Click Subnets under Settings.
Click "Gateway Subnet" on the right.
Fill in the details as below. The gateway subnet for my lab is 10.1.1.0/24.
Creation of the virtual network gateway for FrontEndNetwork
Create a new virtual network gateway and associate it with FrontEndNetwork.
Creation of the route table
Search for Route Table.
Create a new route table. I have filled in the following information:
Go to the TrafficToDrNetwork route table, click Configuration and fill in the following information:
Assigning the route table to Lab-Vnet and DRNetwork
Navigate to Virtual Network – Lab-Vnet.
Click on the subnet whose traffic you want to route to DRNetwork.
Click on Route table -> choose the route table you created in the steps above. In my case, Lab-Vnet should send 126.96.36.199/24 traffic to 10.1.1.14 (RouteToDR).
Assigning the route table to Lab-Vnet and DRNetwork
Navigate to Virtual Network – DRNetwork.
Click on the subnet whose traffic you want to route to Lab-Vnet.
Click on Route table -> choose the route table you created in the steps above. In my case, Lab-Vnet should send 188.8.131.52/24 traffic to 10.1.1.14 (RouteToProd).
Before you start testing, go back to Lab-Vnet and DRNetwork and make sure that, on the peering with FrontEndNetwork, "Use Remote Gateway" is checked under "Configure remote gateway settings". You don't have to do anything on the FrontEndNetwork peering.
Once you have saved the settings, you should be able to ping. If you run tracert, you can see that the traffic goes through 10.1.1.4.
What happens when your token signing certificate is about to expire, and how you can recover from the situation.
The infrastructure is similar to the following:
Successful authentication flow:
Application authentication page -> redirects to the ADFS sign-in page -> user enters the username and password -> credentials are validated by the ADFS server with the identity provider -> on successful verification, a SAML token is issued back to the user -> user is then redirected back to the application page with a successful sign-in.
The flow works until the SAML token is issued to the web page, but the application fails to validate it with the error message SAML_RESPONSE_INVALID.
Token signing certificate
Some applications may respond with the error SAML_RESPONSE_INVALID; others just ask the user for the credentials again.
At this point we can confirm that the SAML token issued is invalid or wrong.
On the internal ADFS servers you might find two certificates (primary and secondary).
If your ADFS properties (Get-ADFSProperties) show the following:
What happens is this: the token signing certificate is set to auto-enroll exactly 20 days before the existing certificate's expiry date. After the new certificate is generated, it is automatically promoted to primary on the 5th day.
As per the screenshot:
The certificate is set to expire on 10/2/2019. 10/2/2019 minus 20 days is 20/1/2019, as per the AutoCertificateRollover ADFS property. On the 20th the certificate was renewed, as per the CertificateGenerationThreshold property. 20/1/2019 + 5 days, the certificate switch happened, as per CertificatePromotionThreshold.
Set auto-enrollment to false by running the cmdlet: Set-ADFSProperties -AutoCertificateRollover $False
From the ADFS console, choose the old certificate as primary via "Set as primary" (the "Set as Primary" option is disabled until the first step is completed).
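As an added example (not from the original post), the following reads the same three ADFS properties and the token-signing certificates and works out, from the primary certificate's expiry date, when the rollover is expected to generate and promote a new certificate, so the relying parties can be updated before the switch breaks them. It assumes it runs on an ADFS server with the ADFS module available; the thumbprint in the commented recovery line is a placeholder.

```powershell
# Added example (not from the original post): predict the token-signing rollover
# dates from Get-AdfsProperties and Get-AdfsCertificate.
Import-Module ADFS

function Get-TokenSigningRolloverStatus {
    $props   = Get-AdfsProperties
    $signing = Get-AdfsCertificate -CertificateType Token-Signing
    $primary = $signing | Where-Object { $_.IsPrimary }
    $others  = $signing | Where-Object { -not $_.IsPrimary }
    $expiry  = $primary.Certificate.NotAfter

    # Generation happens CertificateGenerationThreshold days before expiry and
    # promotion CertificatePromotionThreshold days after generation, as described above
    $generateOn = $expiry.AddDays(-$props.CertificateGenerationThreshold)
    $promoteOn  = $generateOn.AddDays($props.CertificatePromotionThreshold)

    [pscustomobject]@{
        AutoCertificateRollover = $props.AutoCertificateRollover
        PrimaryThumbprint       = $primary.Thumbprint
        PrimaryExpires          = $expiry
        GenerationExpected      = $generateOn
        PromotionExpected       = $promoteOn
        SecondaryThumbprints    = @($others | ForEach-Object { $_.Thumbprint })
        DaysUntilPromotion      = [int]($promoteOn - (Get-Date)).TotalDays
    }
}

$status = Get-TokenSigningRolloverStatus
$status | Format-List

# A promotion date close by means the relying parties need the new certificate
# (or refreshed federation metadata) before then, or they start rejecting the SAML
# token exactly as described above.
if ($status.AutoCertificateRollover -and $status.DaysUntilPromotion -le 30) {
    Write-Warning "Token-signing promotion expected on $($status.PromotionExpected); update relying parties first."
}

# The post's recovery steps, only if the switch has already broken an application:
#   Set-AdfsProperties -AutoCertificateRollover $false
#   Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint '<old thumbprint>' -IsPrimary
```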
The NPS extension for MFA lets you use Azure MFA for VPN connectivity. Although the documentation from Microsoft is straightforward in explaining how it works and how to configure it, there is not much other information online.
Let's assume that you have a RADIUS server as
I have configured the Cisco ASA to use lab-DCRadius. On the NPS server, I have configured CiscoASA as a RADIUS client for access connections.
Test the VPN using Cisco AnyConnect to LabVPN.Lab.com.
The following diagram illustrates the flow. (The registry keys mentioned above play the role of transferring the secondary authentication to Azure MFA.)
Once you confirm that the VPN is working:
Install the NPS extension from here; there are 2 versions, 184.108.40.206 & 220.127.116.11 (18.104.22.168 is available, but on request to Microsoft).
To make sure Azure MFA accepts requests from the NPS server,
Once you install it, you have to run the script that comes with the NPS extension:
Run Windows PowerShell as an administrator.
cd “C:\Program Files\Microsoft\AzureMfa\Config”
Run the PowerShell script created by the installer.
Sign in to Azure AD as an administrator.
PowerShell prompts for your tenant ID. Use the Directory ID GUID that you copied from the Azure portal in the prerequisites section.
PowerShell shows a success message when the script is finished.
What this does is:
Sets some registry values
Creates a self-signed certificate on your server and uploads the certificate to Azure.
Open MMC -> File -> Add/Remove Snap-in -> Certificates -> Local Computer, click OK.
Navigate to Certificates -> Personal -> Certificates.
You will find a certificate with the tenant ID.
Go to the properties of the certificate; under the Details tab, look for Thumbprint and copy it somewhere.
Now open the Azure module for Windows PowerShell.
Run the command in the screenshot.
Copy the value into Notepad and save it as a .cer file (if you have more than one cert, you might see more values; copy each one into a separate file and save it as .cer).
Now open the saved .cer file.
Under the Details tab, look for the Thumbprint property.
Compare these two thumbprints and make sure they match.
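The same comparison done in PowerShell instead of through the certificate dialogs, as an added example that is not part of the original post: it loads the .cer you saved from the Azure output, finds the certificate named after the tenant ID in the local machine store and reports whether the thumbprints match. The tenant ID and file path are placeholders, and it assumes the .cer contains the base64 value as copied (with or without BEGIN/END CERTIFICATE lines).

```powershell
# Added example (not from the original post): check that the NPS extension
# certificate in the local store is the one registered in Azure AD.
$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Directory ID
$cerPath  = 'C:\temp\npsext-from-azure.cer'           # placeholder: the saved .cer file

function Get-CertificateFromBase64File([string]$Path) {
    # Strip PEM armour and whitespace, then load the DER bytes directly so a bare
    # base64 blob (as copied from the console) loads the same way as a proper PEM file
    $b64 = (Get-Content -Path $Path -Raw) -replace '-----(BEGIN|END) CERTIFICATE-----', ''
    $b64 = $b64 -replace '\s', ''
    $bytes = [Convert]::FromBase64String($b64)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

# The installer's script names the certificate after the tenant ID, so filter on it
$local = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$tenantId*" })
$azure = Get-CertificateFromBase64File -Path $cerPath

if ($local.Count -eq 0) {
    Write-Warning "No certificate for tenant $tenantId in the local machine store; the setup script did not complete."
}

$match = $local | Where-Object { $_.Thumbprint -eq $azure.Thumbprint }
if ($match) {
    "MATCH: $($azure.Thumbprint) is registered in Azure AD and present locally (expires $($match.NotAfter))"
    # The certificate is valid for about two years; warn well before it lapses
    if ($match.NotAfter -lt (Get-Date).AddDays(60)) {
        Write-Warning "Certificate expires within 60 days; re-run AzureMfaNpsExtnConfigSetup.ps1 to renew it."
    }
} else {
    "MISMATCH: Azure AD holds $($azure.Thumbprint); local store holds $($local.Thumbprint -join ', ')"
}
```

If more than one value came back from Azure, save each as its own .cer and run the check per file; a mismatch on every file means the registration has to be redone.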
What if registration fails? This usually happens if your AD account doesn't have access to the local certificate store or to the Azure portal (a Global Administrator is required to upload the cert).
How do I disable MFA on one of the NPS servers to test it?
You can disable MFA on an NPS server. This is essential when troubleshooting, to narrow down which NPS server is having the issue. To disable MFA on an NPS server without de-registering it:
Navigate to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters and empty the following key values:
This will stop NPS from looking for the secondary authentication.
How to renew the certificate when it expires
The certificate usually has 2 years of validity. You can renew it simply by running AzureMfaNpsExtnConfigSetup.ps1 again.
Recently, I have seen that version 22.214.171.124 causes a performance issue. There is a newer version, 126.96.36.199, which fixes the problem.