Azure Backup Vault retry failed backup jobs

If you ever need to kick off a re-try of multiple failed backups in Azure Recovery Services (VM Backup Vault), there is currently no way of initiating this through the Azure Portal, apart from via the VM or Recovery Services “blades”. That’s a lot of clicks and room for error if you have a lot of VMs with failed backups.

Fortunately, it is possible to do this operation through Powershell!

Note: This assumes you have the Powershell Azure Resource Manager pre-requisites setup.

The following script will detect failed backups across all vaults in a subscription and prompt before initiating a backup.

ForEach ($vault in $(Get-AzureRmRecoveryServicesVault)) {
    # set vault context
    Get-AzureRmRecoveryServicesVault -Name $vault.Name | Set-AzureRmRecoveryServicesVaultContext
    # step through all jobs found
    ForEach ($job in $(Get-AzureRmRecoveryservicesBackupJob)) {
			if ($job.Status -eq "Failed") {
        write-host " *" $Vault.Name "Backup failed for :" $job.WorkloadName -foregroundcolor "red"
        $confirmation = Read-Host "   -> Re-run backup job y/n "
        if ($confirmation -eq "y") {
          $item = Get-AzureRmRecoveryServicesBackupItem -BackupManagementType AzureVM -Name $job.WorkloadName -WorkloadType AzureVM
          $backup = Backup-AzureRmRecoveryServicesBackupItem -Item $item
          write-host "   -> Backup job re-run for :" $job.WorkloadName -foregroundcolor "green"
        }
      }
    }
}

ForEach ($vault in $(Get-AzureRmRecoveryServicesVault)) {

# set vault context

Get-AzureRmRecoveryServicesVault -Name $vault.Name | Set-AzureRmRecoveryServicesVaultContext

# step through all jobs found

ForEach ($job in $(Get-AzureRmRecoveryservicesBackupJob)) {

if ($job.Status -eq "Failed") {

write-host " *" $Vault.Name "Backup failed for :" $job.WorkloadName -foregroundcolor "red"

$confirmation = Read-Host " -> Re-run backup job y/n "

if ($confirmation -eq "y") {

$item = Get-AzureRmRecoveryServicesBackupItem -BackupManagementType AzureVM -Name $job.WorkloadName -WorkloadType AzureVM

$backup = Backup-AzureRmRecoveryServicesBackupItem -Item $item

write-host " -> Backup job re-run for :" $job.WorkloadName -foregroundcolor "green"

}

If you need to do this without manual confirmation then use this version.

ForEach ($vault in $(Get-AzureRmRecoveryServicesVault)) {
  # set vault context
  Get-AzureRmRecoveryServicesVault -Name $vault.Name | Set-AzureRmRecoveryServicesVaultContext
  # step through all jobs found
  ForEach ($job in $(Get-AzureRmRecoveryservicesBackupJob)) {
    if ($job.Status -eq "Failed") {
      write-host " *" $Vault.Name "Backup failed for :" $job.WorkloadName -foregroundcolor "red"
      $item = Get-AzureRmRecoveryServicesBackupItem -BackupManagementType AzureVM -Name $job.WorkloadName -WorkloadType AzureVM
      $backup = Backup-AzureRmRecoveryServicesBackupItem -Item $item
      write-host "   -> Backup job re-run for :" $job.WorkloadName -foregroundcolor "green"
    }
  }
}

ForEach ($vault in $(Get-AzureRmRecoveryServicesVault)) {

# set vault context

Get-AzureRmRecoveryServicesVault -Name $vault.Name | Set-AzureRmRecoveryServicesVaultContext

# step through all jobs found

ForEach ($job in $(Get-AzureRmRecoveryservicesBackupJob)) {

if ($job.Status -eq "Failed") {

write-host " *" $Vault.Name "Backup failed for :" $job.WorkloadName -foregroundcolor "red"

$item = Get-AzureRmRecoveryServicesBackupItem -BackupManagementType AzureVM -Name $job.WorkloadName -WorkloadType AzureVM

$backup = Backup-AzureRmRecoveryServicesBackupItem -Item $item

write-host " -> Backup job re-run for :" $job.WorkloadName -foregroundcolor "green"

}

September 23, 2016September 26, 2016

EC2 based Software VPN AWS Auto-Scaling Group

In some circumstances there may be a requirement to setup an IPSEC Site-to-Site VPN tunnel into an AWS VPC using something other than the AWS VPN Service. This usually means configuring an EC2 Instance based VPN endpoint and is what AWS refer to as a “Software VPN”.

Unlike the AWS VPN Service (which is managed as a service by AWS) this EC2 Instance is managed by the customer. As these Site-to-Site VPN connections tend to be mission critical it is a good idea to build a setup with some self-healing, monitoring and configuration backups.

This example used EC2 Instances running CentOS 7 with LibreSWAN (an Open Source project based on OpenSWAN). Focus is only on one side of the VPN and it is assumed that the “remote” side is a generic IPSEC capable device (Cisco ASA etc).

This example has the Software VPN running in an EC2 Instance configured in Auto-Scaling Groups, using secured s3 Buckets to hold the configuration files. These buckets will be accessed by the EC2 Instances using IAM roles. The config files in the buckets will be protected using Versioning and Lifecycle Rules.

Create the base AMI Template.

Spin up CentOS 7 EC2 instance from the AWS Marketplace and ssh in.

Remove / disable any firewalls (iptables / firewalld). By default the firewall should be completely open but in the event it isn’t then do the following (REF : https://www.liquidweb.com/kb/how-to-stop-and-disable-firewalld-on-centos-7/)

To disable firewalld, run the following command as root:

# systemctl disable firewalld

1	# systemctl disable firewalld

To stop firewalld, run the following command as root:

# systemctl stop firewalld

1	# systemctl stop firewalld

And finally, to check the status of firewalld, run the following command as root:

# systemctl status firewalld

1	# systemctl status firewalld

Disable SELinux

# vi /etc/selinux/config

1	# vi /etc/selinux/config

Change SELINUX=enforcing to:

SELINUX=disabled

1	SELINUX=disabled

Update the system:

# yum update -y

1	# yum update -y

Shutdown the Instance and create an AMI from it. This AMI will be used as the reference from the Auto-Scaling Group and can also be shared across regions or even different accounts (depending on the use case).

Once the AMI is created, Terminate the EC2 Instance.

Create s3 Bucket(s)

Create the s3 Bucket (or Buckets depending on the use case) to house the config files that the Auto-Scaling Group EC2 Instances will use to configure the VPN. We will create the Bucket and then place a policy on it to lock down access.

Click Create Bucket and give it a name.

To protect against accidental deletes from this Bucket, enable Versioning.

If there are concerns about cost over the long term then enable Lifecycle rules (although for the size of files and frequency of change this is probably not required). Do this by clicking Lifecycle > Add rule.

Further info on s3 Lifecycle rules can be found at http://docs.aws.amazon.com/AmazonS3/latest/UG/lifecycle-configuration-bucket-with-versioning.html.

Configure an access policy for the Bucket(s). Below is an example for access from a single account and access from multiple accounts. Make sure to use the AWS Account number in the appropriate field.

Example for single account access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SingleAccountVPNAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::112233445566:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::dkb-test1-vpn-asg",
        "arn:aws:s3:::dkb-test1-vpn-asg/*"
      ]
    }
  ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "SingleAccountVPNAccess",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::112233445566:root"

"Action": "s3:*",

"Resource": [

"arn:aws:s3:::dkb-test1-vpn-asg",

"arn:aws:s3:::dkb-test1-vpn-asg/*"

]

}

]

}

Example for multiple account access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MultiAccountVPNAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::112233445566:root",
          "arn:aws:iam::223344556677:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::dkb-test1-vpn-asg",
        "arn:aws:s3:::dkb-test1-vpn-asg/*"
      ]
    }
  ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "MultiAccountVPNAccess",

"Effect": "Allow",

"Principal": {

"AWS": [

"arn:aws:iam::112233445566:root",

"arn:aws:iam::223344556677:root"

"Action": "s3:*",

"Resource": [

"arn:aws:s3:::dkb-test1-vpn-asg",

"arn:aws:s3:::dkb-test1-vpn-asg/*"

]

}

]

}

Click Permissions > Add bucket policy.

Copy and paste the appropriate policy into the Bucket Policy Editor and click save.

IAM Role and Policies

Create an IAM role so the Instance in the Auto-Scaling Group can perform some actions automatically without having to store AWS keys on the AMI. The Instance will need to be able to:

Automatically grab an Elastic IP
Disable the source/destination check on the Instance (to allow traffic to traverse across it)
Alter the route table (so Instances inside the VPC know where to route traffic to the other CIDR block).

IAM Policies

In IAM create a new 2 new policies . The first policy will allow changes to routing tables and also allow access to claim Elastic IP Addresses.

Click IAM > Policies > Create Policies

Click Select on Create Your Own Policy

Create the 2 news policies with the details below. Take care to change the s3 Bucket references to the one created in the s3 Bucket step.

Policy Name : alternetworking
Description: Allow access to alter routing table and claim EIPs
Policy Document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1447243435000",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:DescribeRouteTables",
        "ec2:ReplaceRoute",
        "ec2:CreateRoute",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "Stmt1447243435000",

"Effect": "Allow",

"Action": [

"ec2:AssociateAddress",

"ec2:AttachNetworkInterface",

"ec2:DescribeRouteTables",

"ec2:ReplaceRoute",

"ec2:CreateRoute",

"ec2:ModifyInstanceAttribute"

"Resource": [

"*"

]

}

]

}

Policy Name : accesstovpnbucket
Description : Allow read access to s3 Bucket
Policy Document :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
      "s3:GetObject",
      "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::dkb-test1-vpn-asg/*",
        "arn:aws:s3:::dkb-test1-vpn-asg"
      ]
    }
  ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"s3:GetObject",

"s3:ListBucket"

"Resource": [

"arn:aws:s3:::dkb-test1-vpn-asg/*",

"arn:aws:s3:::dkb-test1-vpn-asg"

]

}

]

}

IAM Role

Create an IAM Role and associate the 2 new policies with that role. Click IAM > Role > Create Role. Give the role a name.

Select AWS Service Roles > Amazon EC2.

Attach the 2 policies we created in the previous step.

The final role should look something like this.

Elastic IP assignment

For the VPN to run in the VPC you will need a static IP which means creating an Elastic IP. Click on VPC > Elastic IPs and Allocate New Address. Make a note of the Allocation ID.

LibreSWAN Config files

LibreSWAN requires 2 config files to attempt to create a connection to a VPN peer. These files are the tunnel .conf and .secrets files and reside in the /etc/ipsec.d folder. In this example the tunnel is called AWSVPNTEST1 and next the various config files will be uploaded to the s3 bucket created earlier (this includes a sysctl.conf which is also required for system config changes to enable LibreSwan to run).

Create the .conf file:

conn : The tunnel name (i.e. AWSVPNTEST1)
leftid : This is the local externally visible IP (i.e. the Elastic IP Address)
leftsubnet : Local subnet (i.e. VPC CIDR Block)
right : Remote Peer IP Address
rightsubnet : Remote subnet CIDR Block

Upload the various config files used by cloud init to the s3 Bucket.

NOTE: I have experienced issues with uploading from Windows machine may corrupt your config files and cause LibreSWAN to not start but will not throw any error messages. If you do run into problems then try to edit and upload the config files from a Linux or MAC.

AWSVPNTEST1.conf:

conn AWSVPNTEST1
 type=tunnel
 authby=secret
 left=%defaultroute
 leftid=52.32.85.227
 leftnexthop=%defaultroute
 leftsubnet=172.16.100.0/24
 right=52.43.239.134
 rightsubnet=192.168.0.0/24
 phase2=esp
 phase2alg=aes256-sha2_256;modp1024
 ike=aes256-sha2_256;modp1024
 ikelifetime=3600s
 salifetime=3600s
 pfs=yes
 auto=start
 rekey=yes
 keyingtries=%forever
 dpddelay=10
 dpdtimeout=60
 dpdaction=restart_by_peer

conn AWSVPNTEST1

type=tunnel

authby=secret

left=%defaultroute

leftid=52.32.85.227

leftnexthop=%defaultroute

leftsubnet=172.16.100.0/24

right=52.43.239.134

rightsubnet=192.168.0.0/24

phase2=esp

phase2alg=aes256-sha2_256;modp1024

ike=aes256-sha2_256;modp1024

ikelifetime=3600s

salifetime=3600s

pfs=yes

auto=start

rekey=yes

keyingtries=%forever

dpddelay=10

dpdtimeout=60

dpdaction=restart_by_peer

AWSVPNTEST1.secrets:

52.32.85.227 52.43.239.134 : PSK "mysecretpass"

1	52.32.85.227 52.43.239.134 : PSK "mysecretpass"

sysctl.conf

# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/&lt;name&gt;.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Disable Source verificyation and send redirects to avoid Bogus traffic within OpenSWAN
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.lo.accept_redirects=0

# Enable IP forwarding in order to route traffic through the instances
net.ipv4.ip_forward=1

# System default settings live in /usr/lib/sysctl.d/00-system.conf.

# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file

# For more information, see sysctl.conf(5) and sysctl.d(5).

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

# Disable Source verificyation and send redirects to avoid Bogus traffic within OpenSWAN

net.ipv4.conf.all.rp_filter=0

net.ipv4.conf.default.rp_filter=0

net.ipv4.conf.eth0.rp_filter=0

net.ipv4.conf.lo.rp_filter=0

net.ipv4.conf.all.send_redirects=0

net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.eth0.send_redirects=0

net.ipv4.conf.lo.send_redirects=0

net.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.eth0.accept_redirects=0

net.ipv4.conf.lo.accept_redirects=0

# Enable IP forwarding in order to route traffic through the instances

net.ipv4.ip_forward=1

Security Groups

Create the security groups needed for the EC2 Instances that will be running the VPN.

To allow all IPSEC traffic from the Remote Peer, open the following ports:

CUSTOM UDP RULE : UDP : 500
CUSTOM PROTOCOL : ESP (50) : All

Allow all traffic from VPC. This is to allow traffic from the VPC to hit the VPN Tunnel.

Allow SSH from your IP for admin access.

Auto-Scaling

LaunchConfiguration

Click EC2 > Launch Configurations > Create launch configuration and select the AMI created from My AMIs:

Choose Instance type (this really depends on how much traffic is expected to traverse the tunnel). This example uses t2.micro but Production a larger Instance will be required (i.e. an M4.large). If high traffic is expected then maybe the Network enhanced Instance is more appropriate. More details here:

Give the Launch Configuration a name (use a naming convention that allows for version numbers will help to keep track of which one is the latest).

Select your IAM Role from the drop down.

Input the initial EC2 Instance User data. This is a set of instructions that the Instance runs at boot time and in this example runs all the configuration for the tunnel on the fly from the the s3 hosted config files. More information on AWS User Data.

The bits that need to change for your config will be the hostname, Elastic IP Allocation, the route table id, region, the s3 Buckets and the config file names.

#!/bin/bash -x
sleep 30
hostname DKB-TEST1-VPN
echo 'hostname' &gt;&gt; /etc/hostname
instance_id=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
my_eni_id=$(aws ec2 describe-network-interfaces --region us-west-2 --filters Name=attachment.instance-id,Values=${instance_id} Name=attachment.device-index,Values=0 --output text | grep NETWORKINTERFACES | cut -f5)
yum install unzip libreswan tcpdump -y
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
export AWS_DEFAULT_REGION=us-west-2
/usr/local/bin/aws ec2 associate-address --instance-id $instance_id --allocation-id eipalloc-c5ba63a2 --region us-west-2
aws ec2 replace-route --route-table-id rtb-f9c82d9e --destination-cidr-block 192.168.0.0/24 --network-interface-id ${my_eni_id} --region us-west-2
/usr/local/bin/aws s3 cp s3://dkb-test1-vpn-asg/AWSVPNTEST1.conf /etc/ipsec.d/
/usr/local/bin/aws s3 cp s3://dkb-test1-vpn-asg/AWSVPNTEST1.secrets /etc/ipsec.d/
/usr/local/bin/aws s3 cp s3://dkb-test1-vpn-asg/sysctl.conf /etc/sysctl.conf
sysctl -p
systemctl enable ipsec
systemctl restart ipsec

#!/bin/bash -x

sleep 30

hostname DKB-TEST1-VPN

echo 'hostname' >> /etc/hostname

instance_id=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)

my_eni_id=$(aws ec2 describe-network-interfaces --region us-west-2 --filters Name=attachment.instance-id,Values=${instance_id} Name=attachment.device-index,Values=0 --output text | grep NETWORKINTERFACES | cut -f5)

yum install unzip libreswan tcpdump -y

curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"

unzip awscli-bundle.zip

./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws

export AWS_DEFAULT_REGION=us-west-2

/usr/local/bin/aws ec2 associate-address --instance-id $instance_id --allocation-id eipalloc-c5ba63a2 --region us-west-2

aws ec2 replace-route --route-table-id rtb-f9c82d9e --destination-cidr-block 192.168.0.0/24 --network-interface-id ${my_eni_id} --region us-west-2

/usr/local/bin/aws s3 cp s3://dkb-test1-vpn-asg/AWSVPNTEST1.conf /etc/ipsec.d/

/usr/local/bin/aws s3 cp s3://dkb-test1-vpn-asg/AWSVPNTEST1.secrets /etc/ipsec.d/

/usr/local/bin/aws s3 cp s3://dkb-test1-vpn-asg/sysctl.conf /etc/sysctl.conf

sysctl -p

systemctl enable ipsec

systemctl restart ipsec

Tick Assign a public IP address to every instance (this allows the EC2 Instance to be able to communicate with the outside world prior to grabbing the Elastic IP).

Next on Add Storage tick the Delete on Termination box so when the Instance is shutdown and terminated it doesn’t leave volumes behind on your account (they cost $).

On Configure Security Groups, Select the VPC from the dropdown and assign the Security Groups created earlier. Click through to review and finish the creation of the Launch Configuration. Select the correct ssh keys at the final step.

Autoscaling Group

Click EC2 > Auto Scaling Groups > Create Auto Scaling Group > Create and Auto Scaling group from an existing launch configuration > select the new created configuration.

Give the group a name, choose the VPC and select the public subnets available in the VPC (in this example there are 2 public subnets configured in different Availability Zones for High Availability).

In Configure scaling policies just select Keep this group at its initial size as this will only be using ASG for HA (i.e. only require a single Instance running at any one time).

Skip over Add notifications as this will be covered in the next section about monitoring.

In Configure Tags set the Key Name to be something useful so that all Instances started up have to same tag.

Click Review and then Create Auto Scaling Group. The Instance should now start up. Check the status from Activity History in the ASG.

Once the Instance is booted it should run all the commands in User Data and attempt to establish the connection with the other side (as long as everything on both sides is configured correctly).

Troubleshooting

There are a number of elements that can go wrong with this type of setup so it is important to verify configuration settings.

Firewall / Security Groups

The first thing that is usually checked is a ping across the tunnel from devices / VMs on each subnet. Ensure that on the AWS side the EC2 Instance does have a Security Group that allows traffic inbound from the remote subnet. For example, a very open Security Group may open ALL traffic from 192.168.0.0/24. The same needs to happen on the remote end.

Obviously, in the real world you should lock down traffic to what is required rather than opening everything.

EC2 System Log

A common issue is with the commands running on boot via User Data. Verify Instance startup from the System Log by click EC2 > Running Instances. Right click on the EC2 Instance > Instance Settings > Get System Log:Check to see if any obvious errors occur. In the example below the EIP allocation failed! This was probably caused by a typo or maybe someone deleted the EIP…….

Source / Destination Check

If an EC2 Instance needs to route traffic across itself then it needs to have the Source / Destination Check flag disabled. NOTE: This should be done on the fly at boot by the Instance itself (via the AWS User Data settings).

Click EC2 > Running Instances. Right click on the EC2 Instance > Networking > Change Source/Dest. Check:

Should look like this:

Route Table check

To verify that the new VPN instance has altered the route table correctly click VPC > Route Tables > click the appropriate route table and click the Routes tab. The example below shows the Route Table used by the VPC has a route for 192.168.0.0/24 via the EC2 Instance running LibreSwan. NOTE: This should be done on the fly at boot by the Instance itself (via the AWS User Data settings).

LibreSwan Tunnel Status

To check what the tunnel is doing on the EC2 Instance side ssh in and check the following:

tail /var/log/secure

1	tail /var/log/secure

The main log file by default.

ipsec auto --status

1	ipsec auto --status

Shows the status of the tunnels configured. The above example everything is working.

ipsec look

1	ipsec look

This gives more detail on configured tunnels.

journalctl -xe

1	journalctl -xe

This error often indicates a corrupted config file.

Monitoring

More to come on Monitoring the status of your EC2 Instance and tunnel itself ……..

June 17, 2016September 9, 2016

AWS Simple Email Service (SES) Domain Verification in BIND zone file

Recently I had to verify a domain for use with AWS SES. Creating the initial Domain Verification request is simple in the AWS Console and if your domain is in Route53 then Domain Verification is automatic. However, the domain I needed to verify was running on DNS servers we manage ourselves (I work for a Service Provider) and these run BIND. So here is a quick copy / paste format for the entry in your zone file once you create the Domain Verification.

Create the AWS SES Domain Verification request:-

Grab the TXT verification details:-

Now go to your DNS server, edit the zone file and insert the new record in the following format (note the ” marks around the record):-

_amazonses      IN      TXT     "n5vae4N9fHBcIpdoSwFaxJx85Rmbv9L8unt27xd8pEM="

1	_amazonses IN TXT "n5vae4N9fHBcIpdoSwFaxJx85Rmbv9L8unt27xd8pEM="

To check your domain you can either run nslookup or dig (my personal preference is for dig). I also like to check DNS propagation and so bounce the query off an external DNS server (usually Google public DNS servers).

Dig method:-

dig @8.8.8.8 -t TXT _amazonses.mydomain.com

1	dig @8.8.8.8 -t TXT _amazonses.mydomain.com

NSlookup method

nslookup -type=TXT _amazonses.mydomain.com 8.8.8.8

1	nslookup -type=TXT _amazonses.mydomain.com 8.8.8.8

Google DIG Tool Method (https://toolbox.googleapps.com/apps/dig/):-

https://toolbox.googleapps.com/apps/dig/#TXT/_amazonses.mydomain.com@8.8.8.8

1	https://toolbox.googleapps.com/apps/dig/#TXT/[email protected]

After some time some when DNS has propagated a background AWS automated process will check your domain and then verify. At which point it should look like this:-

aws_ses_bind_4

March 8, 2016June 17, 2016

vSphere 6 Setting up vFlash Read Cache

This example is being performed on a Dell R630 with the Perc RAID controller running ESXi 6. I didn’t do anything special with the Flash disk in the RAID controller, I simply created a RAID 0 volume group with the single drive.

A lot of the inspiration for this fix is from this Yellow Bricks post.

Once the Host has ESXi installed, network configured, booted up, added to vCenter (and all the extra gubbins done), you will first need to mark the disk as a Flash disk …… ESXi won’t pick this up automatically.

Manage > Storage > Storage Devices > Highlight disk and click the F button to mark as Flash.

Now right-click the ESXi host > Storage > Add Virtual Flash Resource Capacity.

At this point I ran into a problem. As far as I can see you should simply be able to add the Flash drive as Virtual Flash Resource Capacity, however, by default it was greyed out and isn’t selectable……

…… and it only becomes selectable if you click the “Enable remote flash selection” tickbox.

When you click OK, vCenter tells you it has completed, however, there are no Flash Datastores available for use and I was getting the following error under the ESXi Host > Monitor > Events:-

Configuration on disk /vmfs/devices/disks/naa.614187704de041001e622fd406f5f19e failed. Reason : A specified parameter was not correct: naa.614187704de041001e622fd406f5f19e

This fix for this is to tag the disk from esxcli, so next SSH into your Host and run

esxcli storage vflash device list

1	esxcli storage vflash device list

You will see that ESXi has detected this disk as a remote SAS SSD.

If you try and add the disk as local (as per the comments in the Yellow Bricks post) you will get the following error:-

esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -d naa.614187704de041001e622fd406f5f19e -o enable_local

1	esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -d naa.614187704de041001e622fd406f5f19e -o enable_local

Error adding SATP user rule: Duplicate user rule found for SATP VMW_SATP_LOCAL matching device naa.614187704de041001e622fd406f5f19e PSP and PSP Options

So to resolve this you will need to remove the rules, readd them correctly, run reclaim and then (back in the Web Client) retag as flash.

esxcli storage nmp satp rule remove -s VMW_SATP_LOCAL -d naa.614187704de041001e622fd406f5f19e
esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -d naa.614187704de041001e622fd406f5f19e -o enable_local
esxcli storage core claiming reclaim -d naa.614187704de041001e622fd406f5f19e

esxcli storage nmp satp rule remove -s VMW_SATP_LOCAL -d naa.614187704de041001e622fd406f5f19e

esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -d naa.614187704de041001e622fd406f5f19e -o enable_local

esxcli storage core claiming reclaim -d naa.614187704de041001e622fd406f5f19e

Once this is done you should be able to add flash correctly.

March 1, 2016

vCenter 6 Appliance (vCSA) ESXi Net Dump Collector configuration

Login to your vCenter as [email protected] (or use an account which has been put into the “Administrators” group from Home > Administration > Single Sign-On > Users and Groups > Groups).

Now go to Home > Administration > Deployment > System Configuration > Services > VMWare vSphere ESXi Dump Collector

Now right click the service and tick Automatic so the services comes up at boot time.

Now right click the service and hit start.

Now to set your hosts to use the Dump Collector on the vCSA its probably easier to do via PowerCLi. The post below has a simple and quick way to do this:-

vSphere Dump / Syslog Collector: PowerCLI Script

So in powershell, you can grab the setting for all hosts in a datacenter like this:-

Foreach ($ESXi_host in (get-vmhost -Location My-DC)) {
 $esxcli = Get-EsxCli -VMHost $ESXi_host
 Write-Host "Getting Net Dump config for $ESXi_host"
 $esxcli.system.coredump.network.get()
}

Foreach ($ESXi_host in (get-vmhost -Location My-DC)) {

$esxcli = Get-EsxCli -VMHost $ESXi_host

Write-Host "Getting Net Dump config for $ESXi_host"

$esxcli.system.coredump.network.get()

}

And to set the Dump Collector, you can do something like this:-

Foreach ($ESXi_host in (get-vmhost -Location My-DC)) {
  $esxcli = Get-EsxCli -VMHost $ESXi_host
  Write-Host "Setting Net Dump config for $ESXi_host"
  $esxcli.system.coredump.network.set($null, “vmk0”, “

Foreach ($ESXi_host in (get-vmhost -Location My-DC)) {

$esxcli = Get-EsxCli -VMHost $ESXi_host

Write-Host "Setting Net Dump config for $ESXi_host"

$esxcli.system.coredump.network.set($null, “vmk0”, “

One thing I did notice was that if you go to to the vCenter > Manage > Settings and click on ESXi Dump Collector I got an “ESXi Dump Collector Service is not running. Enable ESXi Dump Collector and refresh”.

I double checked that the service is running in the GUI and via the appliance shell:-

Even a reboot didn’t fix it!

If / when I find a fix for this I will update this post …..

February 24, 2016February 26, 2016

vRealize Automation Windows Blueprint Administrator password set (via gugent)

Here is a very simple way (i.e. non Orchestrator workflow route) for allowing your users to define their own passwords for a Windows VM when they request it via the catalogue. This method uses the vRA Guest Agent.

An excellent walk through on vCAC 6.2 of how to do this for Linux VMs (and the main inspiration for this post) can be found here:-

http://www.virtualvcp.com/vmware-vrealize-automation-vcac/207-vrealize-automation-6-2-specifying-a-new-root-password-using-custom-properties

A good post on how to prepare your Linux and Windows Templates for the vRA Guest Agent (gugent) operations can be found here:-

vRA7 – Gugent on Linux

vRA7 – Gugent on Windows

So assuming you have all the pre-reqs in place you then need to create a small batch file on your Windows template in say c:\scripts.

My .bat file is:-

c:\scripts\vCACSetAdministratorPassword.bat

1	c:\scripts\vCACSetAdministratorPassword.bat

…. and the contents of the script (where %1 is the argument you pass from the Blueprint Request form):-

echo off
net user administrator %1

1 2	echo off net user administrator %1

You now need to create the Property Group, in vRA 7 this is in Administration > Property Dictionary > Property Groups.

Create a new group with the following script actions:-

[table]
Name,Value,Encrypted,Overridable,Show in Request
VMware.VirtualCenter.OperatingSystem,windows7Server64Guest,No,Yes,No
VirtualMachine.Customize.WaitComplete,true,No,Yes,No
VirtualMachine.Software0.Name,Generate new root password,No,Yes,No
InitialRootPassword,,No,Yes,No
VirtualMachine.Admin.UseGuestAgent,true,No,Yes,No
VirtualMachine.Software0.ScriptPath,c:\scripts\vCACSetAdministratorPassword.bat {InitialRootPassword},No,Yes,No
[/table]

When you’re done it should look like this:-

Now add your new Property Group to the Blueprint:-

Once you have saved the Blueprint, try a deploy and see if it works. If you are having problems then the first place to look is the gugent log files which by default are in:-

C:\VRMGuestAgent\GuestAgent.log

1	C:\VRMGuestAgent\GuestAgent.log

February 19, 2016February 19, 2016

post upgrade vRA 7 orchestrator endpoint won’t connect

I upgraded vCAC 6.2 to vRA 7 the other day. Everything looked good until I tested some blueprints which call custom workflows configured in the embedded Orchestrator.

I had my endpoint configured as per the documentation, listed here:-

http://pubs.vmware.com/vra-70/topic/com.vmware.vrealize.automation.doc/GUID-9E9E2393-A268-432C-B9EA-2CBEFA25361B.html#GUID-9E9E2393-A268-432C-B9EA-2CBEFA25361B

You can test if your Endpoint is working or not by either running a refresh or checking the logs. To force the endpoint to run a data collection login to vCAC as a Infrastructure Admin and go to Infrastructure > Endpoints > Endpoints, then select Data Collection and click Start to force a data collection run.

To check the logs go Infrastructure > Monitoring > Log and filter on Message for “endpoint”:-

As you can see I am getting the following error:-

Endpoint Data Collection failed for endpoint vCO-Embedded [Workflow Instance Id=588727]
Unable to connect to the remote server
Inner Exception: Unable to connect to the remote server

I checked the DEM log on my IaaS server. By default the logs can be found here:-

C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\<DEM Worker>\Logs

And found the following errors:-

Endpoint Data Collection failed for endpoint vCO-Embedded [Workflow Instance Id=588727]
System.Net.WebException: Unable to connect to the remote server —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 172.22.4.61:8281

I tried a telnet from the IaaS machine and there is no connection available on port 8281. So a quick check with the client via:-

https://<vcac app fqdn>/vco/client/client.jnlp

and you are presented with the auto filled java client session, which points at 443 rather than 8281:-

So I edited the Endpoint, removed 8281 and ran the Data Collection again and it now works fine!

Conclusion

At the time of writing it looks like the VMware documentation is out of date but in short remove 8281 from your endpoint for the Embedded vCO and it should work fine.

I’ve left all the working out gumpf in this post on the off chance it helps others…..

February 16, 2016February 26, 2016

vSphere 6 Web Client TIPs and TRICKs

This post is just a collection of various TIPs and tricks to make the VMware vSphere web client more bearable.

To be fair to VMware it sounds like they are working hard to make the web client better and as of 6.0 U1 and 5.5 U3 there are some big improvements. This video from last years VMworld runs through the various changes they have made and are planning (INF5093):-

However, until the HTML5 version comes out this page will be here as a collection of as many tips as possible…….

Adobe Flash bitching about storage?

http://kb.vmware.com/kb/2109770

Want to see all users tasks in the web client (be warned this can have a knock on performance wise on busy setups).

http://kb.vmware.com/kb/2104914

Client integration plugin not working in FF (i.e. can’t upload files etc)

http://kb.vmware.com/kb/2125623

If you have more feel free to comment and I will update this page……

February 16, 2016February 18, 2016

vRA 7 Migration Tool

If you’re about to upgrade (or already have) to vRA 7.x and want to make sure your logins all work post upgrade then you will need to use the Migration Tool to shift your ID stores from the old SSO setup (whether this was a dedicated ID appliance or integrated with vCenter SSO etc) to the new vIDM system. If you don’t migrate the logins then you will have to create the SSO ID Stores manually which also requires creating a local vIDM user in the Tenant(s).

A good explanation of why VMware have moved from SSO to vIDM can be found here:-

vRealize Automation 7 – Part 5, Identity Management

How you perform the migration relies on which SSO method you were using for your 6.x system. For example if you were running of a Windows based 5.5 vCenter SSO service you will need to run the migration tool on the Windows server that is hosting it. Similarly if you were running a dedicated vCAC 6.x ID appliance you will need to run the linux version from the appliance.

In this example we will be running this migration from a dedicated appliance and as always make sure you have backups / snapshots etc before you go any further!!!

First off you will need to obtain the migration tool zip file URL:-

https://vra-app1.domain.local:5480 > vRA Settings > SSO and copy the migration tools URL.

SSH to your old SSO ID appliance (SSH can be enabled from https://<SSO ID Appliance IP>:5480 > Admin), cd /tmp, download and extract the zip:-

ssh root@172.22.4.60
cd /tmp
wget https://vra-app1.domain.local:5480/service/cafe/download/vra-sso-migration.zip --no-check-certificate
unzip vra-sso-migration.zip
unzip vra-sso-migration.zip -d vra-sso-migration

ssh root@172.22.4.60

cd /tmp

wget https://vra-app1.domain.local:5480/service/cafe/download/vra-sso-migration.zip --no-check-certificate

unzip vra-sso-migration.zip

unzip vra-sso-migration.zip -d vra-sso-migration

Now cd to the new dir and set your environment:-

cd vra-sso-migration/bin/
. setenv

1 2	cd vra-sso-migration/bin/ . setenv

Now migrate your ID Stores (you will be prompted at various points for passwords and confirmations):-

./migrate-identity-stores

1	./migrate-identity-stores

The script claimed to add everything but it wasn’t 100% clean. For some reasons it failed to sync my groups and when I got in to take a look it turns out the Group DN was missing. I didn’t look too deep into this as the previous step gave me enough access to start putting my AD logins back in the right place!

March 5, 2015February 16, 2016

vCloud Director Install and Setup – configuring vCD

In the first post vCloud Director Install and Setup – installing vCD, as the name suggests, we configured vCD.

Now I am going to run through the configuration of vCD.

First login to vCD:

Continue reading “vCloud Director Install and Setup – configuring vCD”

ubergeek

Posts

Azure Backup Vault retry failed backup jobs

EC2 based Software VPN AWS Auto-Scaling Group

Create the base AMI Template.

Create s3 Bucket(s)

IAM Role and Policies

IAM Policies

IAM Role

Elastic IP assignment

LibreSWAN Config files

Security Groups

Auto-Scaling

LaunchConfiguration

Autoscaling Group

Troubleshooting

Firewall / Security Groups

EC2 System Log

Source / Destination Check

Route Table check

LibreSwan Tunnel Status

Monitoring

AWS Simple Email Service (SES) Domain Verification in BIND zone file

vSphere 6 Setting up vFlash Read Cache

vCenter 6 Appliance (vCSA) ESXi Net Dump Collector configuration

vRealize Automation Windows Blueprint Administrator password set (via gugent)

post upgrade vRA 7 orchestrator endpoint won’t connect

vSphere 6 Web Client TIPs and TRICKs

vRA 7 Migration Tool

vCloud Director Install and Setup – configuring vCD