Chapter 19 Azure Automation

This chapter covers the following topic lessons:

  • Azure Automation
  • Process Automation Working and Architecture
  • Automate configuration management using Desired State Configuration
  • Update Management
  • Inventory Management
  • Change Tracking

This chapter covers the following lab exercises:

  • Create Automation Account
  • Desired State Configuration (DSC) using Azure Automation
  • PowerShell DSC Extension
  • Enabling Update Management and Add Azure VM
  • Scheduling Update Deployment
  • Enabling Inventory Management and Add VM wvmportal
  • Checking Change Tracking for VM wvmportal

Chapter Topology

In this chapter we will add Azure Automation to the Topology.

From Automation Dashboard we will configure Desired State Configuration. From Automation Dashboard we will also enable Update, Inventory and Change Tracking Management for Azure Virtual Machines.

Screenshot_693

Azure Automation

Azure Automation is a managed service that provides process automation, configuration management, update management, inventory management and change tracking. It automates manual processes (Process Automation), enforces configurations on physical and virtual computers (Desired State Configuration), and provides update management, inventory and change tracking for Azure VMs, on-premises VMs and physical servers.

The figure below shows the architecture of Azure Automation. Azure Automation provides its functionality to both Azure and on-premises resources.

Screenshot_694

A Log Analytics workspace is required if you want to use Update Management, Change Tracking and Inventory, or the Hybrid worker solution. It also collects runbook job status and receives configuration information from your Automation account.

Exercise 166: Create Automation Account

  1. In Azure Portal click Create a resource > Management Tools > Automation > Add Automation Account blade opens > Enter a name, select RGCloud in Resource Group and click Create.

    Screenshot_695
  2. Figure below shows Automation Account Dashboard.

    Screenshot_696

    From Automation Dashboard you can configure Desired State Configuration and Process Automation. From Automation Dashboard you can also enable Update, Inventory and Change Tracking Management for Azure Virtual Machines or on-premises servers.

Process Automation Working and Architecture

Azure Process Automation automates manual processes using runbooks that run against Azure resources. Runbooks are containers for custom scripts and workflows. You can invoke and run runbooks on demand, according to a schedule by using Automation Schedule assets, or based on alerts in OMS Log Analytics.

Figure below shows Architecture of Process Automation.

Screenshot_697

Runbooks are created in the Azure Automation account and work against Azure resources such as VMs, Azure SQL, Web Apps etc. to automate manual processes.

Runbooks can also run on-premises: you install one or more Hybrid Runbook Workers in your data center, and they run runbooks against local resources. Each Hybrid Runbook Worker requires Microsoft Management Agent to be installed and an Automation account. The agent must have a connection to an Azure Log Analytics workspace.

Example of Process Automation

You want your Azure VMs to run only during office hours (8 AM - 5 PM). To save money, an administrator shuts down the VMs at 5 PM and restarts them at 8 AM. Using Azure Process Automation you can automate this shutdown and restart activity: you create runbooks (containing PowerShell scripts) that shut down and restart the VMs, and run them against your Azure VMs at the scheduled times daily.

Automate configuration management using Desired State Configuration

Desired State Configuration (DSC) is a configuration management platform in Windows PowerShell that deploys and enforces the configuration on Windows VMs and Physical Servers.

PowerShell DSC configurations are PowerShell scripts that apply desired configurations to Windows VMs and physical servers. You can apply DSC to Azure VMs in the following 2 ways:

  1. Azure Automation DSC Service.
  2. Add DSC Extension on Azure VM.

Azure Automation DSC Service

Azure Automation provides a pull server in the cloud that manages DSC configurations which nodes can access to retrieve required configurations.

Screenshot_698

PowerShell DSC configurations are PowerShell scripts that apply desired configurations to DSC nodes from a DSC pull server in the Azure cloud. If DSC nodes deviate from their desired configuration, you can manually or automatically reapply the desired machine configuration on the DSC nodes.

Azure VMs require the Desired State Configuration agent extension. It is automatically deployed to Azure VMs when you add them as DSC nodes in the Automation Account Dashboard. Non-Azure VMs and servers require PowerShell DSC agents.

DSC Extension on Azure VM

The extension uploads and applies a PowerShell DSC Configuration on an Azure VM.

In this case node (Azure VM) is not centrally managed. DSC extension involves a singular action that occurs during deployment.

The other disadvantage of this approach is that you have to apply DSC Extension to each VM separately.

Important Note: DSC extension differs from Azure Automation DSC Service in a sense that this involves a singular action that occurs during deployment. No ongoing reporting or configuration management is available, other than locally in the VM.

Advantages of Using Desired State Configuration (DSC) with Azure Automation

Advantage 1 of Using DSC with Azure Automation is that you can apply configuration to Multiple nodes simultaneously.

Advantage 2 of Using DSC with Azure Automation is that if nodes drift from their configuration it is reapplied by DSC Pull Server.

Exercise 167: Desired State Configuration using Azure Automation

In this exercise we will enable IIS Web Server role on VM VMAD using Desired State Configuration (DSC). Recall that VM VMAD was created with AD DS role in Chapter 2, Exercise 32.

Step 1: Create a PS script which ensures either the presence or absence of the Web-Server Windows Feature (IIS).

I created the PS script below in Notepad and saved it as TestConfig.ps1 on my desktop.


configuration TestConfig
{
  Node IsWebServer
  {
    WindowsFeature IIS
    {
      Ensure = 'Present'
      Name = 'Web-Server'
      IncludeAllSubFeature = $true
    }
  }

  Node NotWebServer
  {
    WindowsFeature IIS
    {
      Ensure = 'Absent'
      Name = 'Web-Server'
    }
  }
}  

Note: You can download the above script from the following link at Box.com.

https://app.box.com/s/x2vskf3oo9aluiavm6bmqjjrcdvm8m9q

Step 2: Import the Configuration into Azure Automation

  1. In Azure Automation aaportal Dashboard click State Configuration (DSC) in left pane> DSC pane opens.

    Screenshot_699
  2. Click Configuration in right pane>Click + Add>Import Configuration blade opens>Upload TestConfig.ps1 from your desktop. This was created in step 1> Click Ok (Not Shown).

    Screenshot_700
  3. You can now see the Configuration which was imported. If required press Refresh tab.

    Screenshot_701

Step 3: Compile the Configuration

  1. Click the Configuration TestConfig as shown in above screen>TestConfig Pane opens.

    Screenshot_702
  2. Click Compile>Compile DSC Configuration box pops up>Click Yes.

    Screenshot_703
  3. It will take 1-2 minutes to compile the job. You can see compiled configuration. If required press Refresh screen.

    Screenshot_704

Step 4: View the Node Configurations which were compiled

In Azure Automation aaportal Dashboard click State Configuration (DSC) in left pane> DSC pane opens>Click Compiled Configurations in right pane> You can see the 2 configuration options. No node is assigned yet.

Screenshot_705

Step 5: Assign the Node VM VMAD to DSC Pull Configuration Server

  1. In Azure Automation AACloud Dashboard click State Configuration (DSC) in left pane> DSC pane opens>Click Nodes in right pane>Currently no node is assigned.

    Screenshot_706
  2. Click + Add>Select VMAD>Connect pane opens>Click + Connect> Registration pane opens>Select your Configuration from the drop-down box> I selected TestConfig.IsWebServer >Leave the rest at their default values>Click Ok.

    Screenshot_707
  3. It will take 2-5 minutes for the node to get connected.

  4. In Nodes screen you can see 1 Node added and configuration status is showing in progress.

    Screenshot_708
  5. After 3-5 Minutes you can see node is compliant.

    Screenshot_709

Step 6: Check that IIS Role has been installed in VM VMAD

Go to VMAD dashboard and note down the DNS address. DNS address is vmad.westus2.cloudapp.azure.com> Open Browser and enter vmad.westus2.cloudapp.azure.com> Default Website opens.

Screenshot_710
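Steps 2 to 5 of this exercise scripted with the Az.Automation module, so the same onboarding can be repeated and reviewed as code. This is an added example, not part of the original exercise. It assumes a signed-in Az session, that VMAD and the Automation account AACloud are both in RGCloud, and that the VM is in westus2 (taken from its DNS name). It registers the node with `ApplyAndAutocorrect` so that drift is reapplied, whereas the exercise keeps the portal's default values.

```powershell
# Added example. Names come from the chapter; the resource group of VMAD
# and the desktop path of TestConfig.ps1 are assumptions.
$ErrorActionPreference = 'Stop'
$aa = @{ ResourceGroupName = 'RGCloud'; AutomationAccountName = 'AACloud' }

# Step 2: import the configuration script created in Step 1.
Import-AzAutomationDscConfiguration @aa `
    -SourcePath "$HOME\Desktop\TestConfig.ps1" -Published -Force | Out-Null

# Step 3: compile it and wait for the compilation job to reach a final state.
$job = Start-AzAutomationDscCompilationJob @aa -ConfigurationName 'TestConfig'
do {
    Start-Sleep -Seconds 15
    $job = Get-AzAutomationDscCompilationJob @aa -Id $job.Id
} while ($job.Status -notin 'Completed', 'Failed', 'Suspended', 'Stopped')

if ($job.Status -ne 'Completed') {
    throw "Compilation of TestConfig ended with status $($job.Status)"
}

# Step 4: list the compiled node configurations
# (TestConfig.IsWebServer and TestConfig.NotWebServer).
Get-AzAutomationDscNodeConfiguration @aa | Select-Object Name, ConfigurationName

# Step 5: register VMAD against the pull server.
# ApplyAndAutocorrect makes the node reapply the configuration when it drifts.
Register-AzAutomationDscNode @aa `
    -AzureVMName 'VMAD' `
    -AzureVMResourceGroup 'RGCloud' `
    -AzureVMLocation 'westus2' `
    -NodeConfigurationName 'TestConfig.IsWebServer' `
    -ConfigurationMode 'ApplyAndAutocorrect' `
    -RebootNodeIfNeeded $true

# Compliance as reported by the pull server (the "Compliant" status in the Nodes pane).
Get-AzAutomationDscNode @aa -Name 'VMAD' |
    Select-Object Name, NodeConfigurationName, Status, LastSeen
```

On the node itself, `Test-DscConfiguration -Detailed` shows which resources are in or out of the desired state.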

Exercise 168: PowerShell DSC Extension

In this exercise we will just demonstrate how to apply the PowerShell DSC extension to an Azure VM.

  1. Go to VM VMFE1 dashboard>Click Extension in left pane>In Right pane click + Add> Add Extension blade opens>Select PowerShell Desired State Configuration> PowerShell Desired State Configuration blade opens in right pane.

    Screenshot_711
  2. In right pane click create> Install Extension Blade opens>Click folder icon and upload file for executing on VM VMFE1.

    Screenshot_712

The disadvantage of this approach is that you have to apply the PowerShell DSC extension to each Azure VM separately.

Update Management

The Update Management solution in Azure automation allows you to manage operating system security updates for your Windows and Linux computers deployed in Azure, on-premises environments, or other cloud providers.

Update Management Functionality requires Log analytics workspace.

With update management, you will always know the compliance status for Windows and Linux machines and you can create scheduled deployments to orchestrate the installation of updates within a defined maintenance window.

Exercise 169: Enabling Update Management and Add Azure VM

This exercise will enable Update Management and add Azure VM VMFE2 for Assessment. After this is enabled you can see the missing updates. This step will not deploy the updates.

We will create a new Log Analytics workspace for this exercise.

You can enable Update Management through Automation Account Dashboard or through Virtual Machine Dashboard. For this exercise we will use Automation Account Dashboard.

  1. In Azure Automation Account AACloud Dashboard click Update Management in left pane>In right pane under Log Analytics Workspace select Create new workspace>Click enable.

    Screenshot_713
  2. After Deployment is enabled refresh the screen with F5. Make sure Update Management is selected in left pane. Currently there are no machines for assessment.

    Screenshot_714
  3. Click + Add Azure VMs in Right Pane> Enable Update Management pane opens>Select VM VMFE2> Click enable.

    Screenshot_715
  4. Wait 25-30 minutes for the virtual machine to appear on the Update Management pane. Just refresh the screen with F5 continuously with Update Management selected in left pane. It took 35 minutes for the screen below to appear.

    In the figure below you can see that one critical and security update and one other update are missing.

    Screenshot_716

    Click on Missing updates > you can see the updates which are missing.

    Screenshot_717

Exercise 170: Scheduling Update Deployment

  1. In Update Management pane click schedule update deployment>New update Deployment pane opens>Enter a name> click Machine to update>In Right pane select Machines from Type dropdown box>Make sure VM VMFE2 appears under Machines >Click VM VMFE2 and it now also appears under selected items>Click Ok in right pane>In left pane in schedule settings select the start time and Recurrence as Once or Recurring and click ok>Click Create.

    Screenshot_718

    Note: Readers are advised to check the options in the update classification pane. Also scroll down to see all the options.

  2. Click on Deployment Schedules and you can see one deployment Job created in step 1 is scheduled for 5.04 PM.

    Screenshot_719
  3. The figure below shows that 1 update was applied and 1 update failed. I did this step after the scheduled deployment happened.

    Screenshot_720

Inventory Management

Enabling inventory of your VMs in Azure Automation gives you visibility into installed applications as well as other configuration items you wish to track. Rich reporting and search are available to quickly find detailed information and help you understand everything that is configured within the VM.

Change Tracking

Change tracking tracks changes across services, software, registry, daemons, and files to quickly identify what might be causing issues and to enable diagnostics and alerting when unwanted changes occur.

Note: When you enable Inventory for a VM then change tracking is also enabled automatically.

Exercise 171: Enabling Inventory Management and Add VM wvmportal

  1. In Azure Automation Account AACloud Dashboard click Inventory in left pane> In Right pane select Log Analytics workspace created in Exercise 170>Click enable

    Screenshot_721
  2. After Deployment is enabled refresh the screen with F5. Make sure Inventory is selected in left pane.

    Screenshot_722
  3. Click Add Azure VMs in Right pane>Enable Inventory Blade opens>Check the VM VMFE2>Click enable> Close the enable inventory pane

    Screenshot_723
  4. After 30-40 minutes VM VMFE2 appeared in inventory pane. Keep on refreshing Automation Account Dashboard with inventory selected.

    Screenshot_724
  5. Click on the software tab in right pane> You can see software installed in last 24 hours.

    Screenshot_725

Exercise 172: Checking Change Tracking for VM VMFE2

In Azure Automation Account AACloud Dashboard click Change tracking in left pane> In Right pane you can see changes which have occurred in Azure VM VMFE2.

Screenshot_726
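The missing-update assessment from Exercise 169 and the change records from this exercise are stored in the Log Analytics workspace, so they can also be queried outside the portal, for review or alerting. This is an added example, not part of the original chapter. It assumes the Az.OperationalInsights module, a signed-in Az session, a workspace in RGCloud, and a placeholder workspace name, because the chapter does not name the workspace.

```powershell
# Added example. '<workspace-name>' is a placeholder to replace with the
# workspace created when Update Management was enabled.
$ErrorActionPreference = 'Stop'
$workspace = Get-AzOperationalInsightsWorkspace `
    -ResourceGroupName 'RGCloud' -Name '<workspace-name>'

function Invoke-WorkspaceQuery {
    param([string] $Query, [int] $Days = 1)
    # Runs a KQL query against the workspace and returns the result rows.
    $response = Invoke-AzOperationalInsightsQuery `
        -WorkspaceId $workspace.CustomerId `
        -Query $Query `
        -Timespan (New-TimeSpan -Days $Days)
    $response.Results
}

# Latest assessment record per update on VMFE2, keeping only critical and
# security updates that are still needed.
$missingUpdates = @'
Update
| where Computer startswith "VMFE2"
| summarize arg_max(TimeGenerated, *) by Computer, Title
| where UpdateState =~ "Needed"
| where Classification in ("Critical Updates", "Security Updates")
| project Computer, Title, Classification, KBID
'@

# Software, service, registry and file changes recorded by Change Tracking.
$recentChanges = @'
ConfigurationChange
| where Computer startswith "VMFE2"
| where ConfigChangeType in ("Software", "WindowsServices", "Registry", "Files")
| project TimeGenerated, Computer, ConfigChangeType, ChangeCategory, SoftwareName, SvcName
| order by TimeGenerated desc
'@

Invoke-WorkspaceQuery -Query $missingUpdates | Format-Table -AutoSize
Invoke-WorkspaceQuery -Query $recentChanges  | Format-Table -AutoSize
```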