6/10/2018 2:34 PM Dive deep into the VM Marketplace in Azure: Single VM images, solution templates, and VM extensions Daniel Sol Program Manager, Azure.

Presentation transcript:

6/10/2018 2:34 PM Dive deep into the VM Marketplace in Azure: Single VM images, solution templates, and VM extensions Daniel Sol Program Manager, Azure Compute Simon Davies Program Manager, Azure Resource Manager © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Objectives
- Illustrate how to and use Azure Virtual Machines, Virtual Machine extensions and ARM templates to provision applications
- Describe common issues that you may encounter and provide approaches to solve these
- Discuss Solution Templates, Managed Applications and Service Catalog

Agenda
- VM Customization with and without Extensions
- Marketplace VMs – key differences from Platform VMs
- Solution Templates and Managed Applications
- Publishing Solution Templates and Managed Applications
- Create UI Definition
- Azure AD Managed Service Identity
- Summary

VM Customizations with Extensions
- What are extensions?
- What are the benefits?
- How do extensions work?
[Diagram labels: numbered steps 1 to 7; CLI/REST, ARM, CRP, Fabric, GSD, VM Agent, Custom Script Extn, Post Extn Provisioning Status, Status Blob; a Windows VM before and after the user action "Add Custom Script Extension (CSE)"]

Extensions Deep Dive
Protected Settings
- SecureStrings in ARM
- CustomScript
Troubleshooting
- Agent
- Extension
Windows
- Agent logs: C:\WindowsAzure\Logs
- Plugin Logs: C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\1.9
- Extension Packages: C:\Packages\Plugins
- Example : Custom Script downloaded file(s): C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.9\Downloads\0
Linux
- Agent logs: /var/log/waagent.log
- Extension Logs: /var/log/azure/Microsoft.OSTCExtensions.CustomScriptForLinux/1.5.2.2/
- Extension Packages: /var/lib/waagent/
- Example : Custom Script download file(s): /var/lib/waagent/Microsoft.OSTCExtensions.CustomScriptForLinux-1.5.2.2/download/0
Proxy Support for Extensions
- Depends
- CSE (curl)
- Windows Proxy
- UDR
Max Extension Execution Time
- Most 20mins
- For all max 90mins, common for malleable extensions
- How you can tell?

Extensions Deep Dive
Connectivity
- Agent connects to 168.63.129.16:32526
- Host Plugin handles agent only traffic, if blocked outside of a guest VM FW. Redirect for traffic to 168.63.129.16 (except extension traffic) via the hosts.
- Linux Agent >= 2.2.7
- WinGA >= 2.7.1198.781
- Testing Preview NSG Storage Tags : Stay Tuned
CSE - But I really don’t want to use Azure Storage!
- FileURIs is optional
- Local file storage
Extension upgrades
- Minor

Extension Sequencing
- Single VMs: ‘Depends on’ in ARM
- VMSS: No sequencing option, but for CSE, you can poll for completion before you start on another resource (Win Only).
- Use a configuration management tool (Azure Automation (DSC)/OMS, DSC, Chef, Puppet, Ansible)
- Containerize app, so VM extension just installs container host, manage app from container orchestrator

Running Multiple Scripts
Options
- Using Custom Script Extension
- Using VM Provisioning Time Script, and optional CustomScript.
Multiple Scripts using Custom Script Extension
- Master & Slave Script model
- Waterfall model
- Create PowerShell Tasks
- Create Cron Jobs
- Alternative, use DSC
Considerations
- Orchestration
- Error handling
- Retry logic
- You get status reporting for free

Demo 0 : MultiScriptCSE

VM Customization on Startup
VM Creation, 2 parts:
- Provisioning Code – Setting up SSH Keys / UN’s, Certs, Disks, Network etc.
- VM Agent Code – CustomData, extension provisioning
Customizing in VM Provisioning Code
- If no external dependencies, it is fast, reliable, and little variance on deployment times.
- Multiple ways to achieve this using different technology
- Differences in behavior, for example impact to provisioning time.
- You need to implement a ‘dial home’ mechanism for script status.
- Troubleshooting difficulty can vary.
- Does not require extensions.

Customization on Startup : Windows
- Injection into Unattend.xml
- AutoLogon
- FirstLogonCommands
Troubleshooting
- Build your own logging
- Use non quiet commands
- Use portal perf graphs
- C:\Windows\Panther\UnattendGC
- C:\Windows\Panther\unattend.xml
Impact to VM provisioning time or status : NONE

Customization on Startup : Windows
Demo Steps:
- Update the OS profile
- Autologon
- Run script on remote share
Why this pattern?
Example : https://github.com/fabferri/azure-repo/tree/master/datasynapse-engines

Demo 1 : Customization on Startup - Windows

Customization on Startup : Linux/CustomData
- Use CustomData parameter to execute a script or cmd.
- Executed by the Linux Agent before extension
- (This does not apply to Ubuntu/CoreOS)
- You need to customize the image
- This also allows you to bake in a script (reduce external dependency)
Troubleshooting
- /var/log/waagent.log
- /var/lib/waagent/CustomData
- /var/lib/cloud/instance/user-data.txt
Script failure does not cause a VM provisioning failure
Impact to VM provisioning time or status : YES – Max 40mins!

Customization on Startup : Linux/CustomData
Steps
1. Create VM - bake in script
2. Modify agent
3. Deprovision VM
4. Create image from VM
5. Create new VM from image
Note : not encrypted
Creating Linux Custom Images : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image

Customization on Startup : Linux/CustomData

CustomData on Windows
- You can pass customData command into ARM template BUT Windows will not execute it!
- Consider: create a custom image with a startup task and script that looks for commands or parameters in %SYSTEMDRIVE%\AzureData\CustomData.bin
- Needs to be Base64 encoded
- Will be decoded automatically
- Only for customized images
Impact to VM provisioning time or status : NONE

Customization on Startup : Linux/Cloud-init
- Cloud-init – open source provisioning project, supported in Azure by Ubuntu / CoreOS
- Configure VM using cloud-config, module support
- RunCmds / Packages / Dial Home
- Use CustomData to pass in Base64 encoded cloud-config
Troubleshooting
- /var/lib/waagent/ovf-env.xml
- /var/log/cloud-init.log
Impact to VM provisioning time or status : NONE

Customization on Startup : Linux/Cloud-init
Demo Steps
- Examine a cloud-config
- Use cloud-config to provision a VM, see different modules
- Examine cloud-config troubleshooting
For more details : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init

Customization on Startup : Linux/Cloud-init

Summary
- Agent and Extension framework
- Extension deep dive: Protected settings, troubleshooting etc.
- Customize VMs without extensions
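
The Protected Settings slide and the "not encrypted" note on CustomData suggest a pre-deployment check on the ARM template itself. The following is an added example, not code from the session or its demos: `audit_template`, `decode_custom_data`, the keyword heuristic in `SECRET_RE` and the sample template are all assumptions made for illustration. It flags secret-looking text in `osProfile.customData`, in an extension's public `settings`, and in password-like parameters that are not typed `securestring`.

```python
import base64
import json
import re

# Heuristic for credential-looking text; the keyword list is an assumption of this example.
SECRET_RE = re.compile(r"(password|passwd|secret|token|accountkey)\s*[=:]\s*\S+", re.I)

def decode_custom_data(value):
    """customData is Base64 text; anything else (e.g. an ARM expression) is returned as is."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return value

def audit_template(template):
    """Return (name, finding) pairs for secrets kept outside securestring/protectedSettings."""
    findings = []
    for pname, param in template.get("parameters", {}).items():
        secure = param.get("type", "").lower() in ("securestring", "secureobject")
        if re.search(r"password|secret|key", pname, re.I) and not secure:
            findings.append((pname, "parameter is not a securestring"))
    for res in template.get("resources", []):
        rtype, props = res.get("type", "").lower(), res.get("properties", {})
        if rtype == "microsoft.compute/virtualmachines":
            data = props.get("osProfile", {}).get("customData", "")
            if SECRET_RE.search(decode_custom_data(data)):
                findings.append((res["name"], "secret-like text in customData"))
        elif rtype == "microsoft.compute/virtualmachines/extensions":
            # Only protectedSettings is encrypted; settings is kept as plain text.
            if SECRET_RE.search(json.dumps(props.get("settings", {}))):
                findings.append((res["name"], "secret-like text in public settings"))
    return findings

# Constructed sample template, not taken from the session demos.
CMD = "[concat('sh install.sh --password=', parameters('dbPassword'))]"
SAMPLE = {
    "parameters": {"adminPassword": {"type": "securestring"}, "dbPassword": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
         "properties": {"osProfile": {"customData": base64.b64encode(
             b"#cloud-config\nruncmd:\n  - setup.sh --password=Passw0rd!\n").decode()}}},
        {"type": "Microsoft.Compute/virtualMachines/extensions", "name": "vm1/cse-bad",
         "properties": {"settings": {"commandToExecute": CMD}}},
        {"type": "Microsoft.Compute/virtualMachines/extensions", "name": "vm1/cse-good",
         "properties": {"settings": {"fileUris": ["https://example.invalid/install.sh"]},
                        "protectedSettings": {"commandToExecute": CMD}}},
    ],
}

if __name__ == "__main__":
    for name, finding in audit_template(SAMPLE):
        print(f"{name}: {finding}")
```

The same command line passes when it sits in `protectedSettings` (`vm1/cse-good`) and is flagged when it sits in `settings` (`vm1/cse-bad`).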

Marketplace VM Images

Marketplace VMs
Differences that may impact deployment
- Plan Information: Creation requires provision of plan information as part of the PUT request to ARM
- Commerce: Marketplace VMs may have commerce constraints e.g. Azure account locations, Subscription Types, Subscription permissions, payment instrument requirements
- Acceptance of Terms: Creation outside of the portal requires acceptance of terms before deployment

Demo: Finding Template Deployment Errors

Plan Information

Status Code: BadRequest
Error Code: ResourcePurchaseValidationFailed
Error Message: Offer with PublisherId: <publisher> and OfferId: <offer> not found. If this offer has been created recently, please allow upto 30 minutes for this offer to be available for Purchase. If error persists, contact support

Status Code: BadRequest
Error Code: ResourcePurchaseValidationFailed
Error Message: Plan with PublisherId: <publisher>, OfferId: <offer> and PlanId: <name> not found. If this plan has been created recently, please allow upto 30 minutes for this plan to be available for Purchase. If error persists, contact support

Status Code: BadRequest
Error Code: ResourcePurchaseValidationFailed
Error Message: The resource operation completed with terminal provisioning state 'Failed'.
Error Details: Code: VMMarketplaceInvalidInput Message: Creating a virtual machine from Marketplace image requires Plan information in the request. OS disk name is <OS_Disk_Name>'.

Issue: Bad or missing Plan information:

Demo: Determining if Plan is needed

Commerce Issues

Status Code: BadRequest
Error Code: ResourcePurchaseValidationFailed
Error Message: AccountRetrievalFailed This Enterprise enrollment is not enabled to purchase from Marketplace. Please contact your Enterprise Administrator to change your enrollment settings

Status Code: BadRequest
Error Code: ResourcePurchaseValidationFailed
Error Message: CustomerDeniedServicePlanAccess The azure subscription Id (<subscription-id>) is not allowed to purchase this offer

Status Code: BadRequest
Error Code: ResourcePurchaseValidationFailed
Error Message: We could not find a credit card on file for your azure subscription. Please make sure a valid credit card is associated to your Azure subscription.

Status Code: BadRequest
Error Code: ResourcePurchaseValidationFailed
Error Message: CustomerDeniedServicePlanAccess The Offer is not sold in the account market (<country code>).

Acceptance of Terms

Status Code: BadRequest
Error Code: ResourcePurchaseValidationFailed
Error Message: User failed validation to purchase resources. Error message: 'Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time’

Issues: Acceptance of terms is enabled in the portal
Challenges:
- Solution templates depending on hidden VM Images
- Customer deploys without using the portal
- Partner solution needs to create instances of the VM

Demo: Acceptance of terms API

Solution Templates and Managed Applications

Azure Marketplace Applications
- Can be solution templates or managed applications (preview)
- Combination of ARM Template(s), other assets (scripts, config etc.) and an Azure Portal User Interface Definition (createUIDefinition.json)
- Managed applications are managed by ISV, Service Provider
[Diagram labels: Storage, Network, VM, UIDef, Application Package (ZIP), Publish, Marketplace]

Azure Service Catalog Applications
- Managed Applications only
- Combination of ARM Template(s), other assets (scripts, config etc.) and an Azure Portal User Interface Definition (createUIDefinition.json)
- Managed by IT or application publisher
[Diagram labels: Storage, Network, VM, UIDef, Application Package (ZIP), Publish, Service Catalog]

Demo: Creating and Publishing a Managed Application

CreateUIDefinition for Managed Applications
- Provides a set of declarative UI elements and functions to collect user input, e.g. TextBox, UserName, Credentials, IP Address, location()
- Inputs are grouped in steps
- Basics step with optional custom step, each step is a blade in the UI.
- Output section defines the names and values of parameters used to deploy a template
- Full details at https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-application-createuidefinition-overview

Demo: Building a UI Definition

Azure AD Managed Service Identity
- Gives an Azure resource an automatically provisioned and managed identity
- Allows the Azure resource to use the identity to access services (e.g. ARM, Key Vault)
- For VMs and VMSS this enables code running in the VM to be able to access and use Azure Resources without having to be given or store secrets

Demo: Managed Service Identity

Summary
- Azure Platform and Marketplace VMs can be customized at deployment time
- Used within ARM Templates and CreateUIDefinition, applications can be created and published for customer consumption
- Demos will be available at https://github.com/simongdavies/ignite2017
