Archives mensuelles : juin 2017

Des certificats gratuits avec Let’s Encrypt dans IIS

Ça fait longtemps que j’avais ce billet dans les cartons, en fait depuis ma série de billets sur Let’s Encrypt avec les WebApp (plus d’un an déjà). Je l’utilise depuis longtemps dans mes machines virtuelles (tant qu’elles sont joignables sur Internet avec un nom public).

Let’s Encrypt, ce n’est pas tout jeune mais c’est toujours pas un citoyen de première classe dans IIS. La solution ne dispose pas d’un client natif, il faut en passer par un client tiers. Personnellement, je suis resté sur le premier que j’ai trouvé à l’époque : LetsEncrypt-Win-Simple, disponible sur Github. Comme MVP, j’ai beau avoir accès à des solutions gratuites comme Digicert mais je suis resté sur Let’s Encrypt, allez savoir, …

Avant de commencer, quelques rappels avec les limitations de Let’s Encrypt disponibles ici. Ceci posé, on va retenir la contrainte suivante :

The main limit is Certificates per Registered Domain (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

Dans le contexte d’Azure, ça prend toute son importance car par défaut, mes machines virtuelles partagent toutes un même domaine DNS public : Azure.com. Si on tente d’utiliser Let’s Encrypt dans ces conditions, on arrive à la situation ci-dessous :

clip_image001

 

Ce point résolu, on sait maintenant il nous faut un nom DNS distinct. J’ai donc créé un enregistrement DNS de type CNAME dans mon domaine DNS public, pointant sur le FQDN public de ma machine virtuelle.

clip_image002

 

Dans ma machine virtuelle, j’ai choisi la simplicité en installant IIS. C’est la méthode la plus simple pour gérer un certificat. Il suffit juste d’ajouter un hostname à un site web existant. Je référence ici l’enregistrement DNS CNAME enregistré dans mon domaine public.

clip_image003

 

Le client Let’s Encrypt utilisé (LetsEncrypt-Win-Simple) détecte automatiquement le FQDN précédemment référencé dans IIS.

clip_image004

 

On notera que le certificat généré est bien exportable. C’est bien pratique.

clip_image005

 

La particularité des certificats délivrés par Let’s Encrypt, c’est leur durée de vie à 90 jours. Pour moi, ce n’est pas une contrainte vue la durée de vie de mes maquettes. Le client LetsEncrypt-Win-Simple propose tout de même de mettre en place une tâche planifiée qui se chargera du renouvellement à votre place, nice to have.

clip_image006

 

Les informations collectées (compte disposant du niveau de privilège administrateur local) sont nécessaires pour mettre en place une tâche planifiée pour gérer le renouvellement automatique de notre certificat tous les trois mois.

clip_image007

 

Dans IIS, on constate bien la présence d’un nouveau binding pour du SSL.

clip_image008

 

Petite subtilité, le certificat n’a pas été placé dans le magasin « LocalMachine\My » mais dans le magasin « LocalMachine\WebHosting ». C’est un peu différent mais c’est très utile quand on a une ferme de serveurs web devant partager le même certificat.

clip_image009

 

Au passage, on remarquera la durée de vie de trois mois. C’est tout pour let’s Encrypt. En même temps, ça respecte ma formule magique : Simple and secure by design but Business compliant.

 

BenoitS – Simple and Secure by design but Business compliant (with disruptive flag enabled)

Azure Site Recovery for Azure Virtual machines (Preview)

I’ve been a big fan of Azure Site Recovery service. The product has evolved a lot since initial release (only capable to orchestrate a failover between two on-premises sites), introducing replication of on-premises workloads to Azure and many more features. Until theses last days, we had to comply with some limitations (Max 64 disks of 1Tb each per protected workload) and a major scenario we could not address. Note that Larger disk sizes just been announced in preview, up to 4Tb per Disk.

Since introduction of ASR replication capabilities (for Hyper-V, VMware or physical), we were not able to protect an Azure Virtual machine with Azure Site Recovery. ASR Team, just announced a preview of Azure Site Recovery for Azure Virtual machines. That was one of the top customer requests about Azure Site Recovery. Introduction of this new Azure Site capability allow to respond to the following scenarios:

  • Can survive to a major Azure Region failure by replicating virtual machines to another region
  • Migrate virtual machines between Azure regions
  • Comply with regulations requesting a Disaster Recovery strategy
  • Ability to clone an application based on Virtual Machines to validate

Feature is now available for public preview. Let’s see how to protect an Azure Virtual machine and develop a Disaster Recovery Plan. Note that even if this preview is available in the Azure portal, it’s still a preview. For example, support for PowerShell and CLI is not yet available.

Prerequisites

  • An instance of the Azure Recovery Site service: We will need to have an instance of the service in the Azure region in which we want to replicate with. This can be strange. If you remember Azure backup limitations, Azure Backup instance service must be in the same region as virtual machines we wish to protect.
  • A resource group in the target Azure region to store
  • A virtual network (and subnet) to connect the future Network interface. It’s not mandatory if you plan to establish RDP between two paired Azure regions (Azure virtual Network span between paired Azure regions).
  • A storage account created in the target Azure region to store virtual machines
  • A storage account created in the source Azure region to cache content to be replicated to the Target storage account
  • An availability set depending of the destination Azure region if protected workloads in the source Azure regions are linked to an existing availability set.

 

Setup

This blog post aim to describe the setup Itself, but also:

  • The Failover of an Azure Virtual machine to the target Azure Region
  • The Rollback of an Azure Virtual machine to its initial Azure region

Enabling and managing this new feature is so simple and very attractive from a financial point of view (no extra-cost for compute), that would be a crime to do not use it.

If you know the Azure Site Recovery portal experience, you should discover Azure as a source of a protected workload. Note that service is now in preview. For this blog post, I will be having a workload to protect located in Central US Azure region. My goal is to use the West Europe Azure region for DRP plan.

clip_image001

Azure Site Recovery service instance cannot be in the same Azure region as workloads to be protected. It’s logic. On this first stage, we only select the source Azure region, the deployment model and the resource group containing the workloads you wish to protect. Azure Site Recovery instance must depend of the same Azure subscription (and of course Azure environment). While writing this blog-post, it was not yet possible to protect workloads from different subscriptions. That’s a scenario that Azure CSP vendors are waiting to offer services. At this stage UX experience does not change so much from protecting other workloads:

clip_image002

That’s here that many UX changes are introduced. For this blog post, I choose to select a target Azure region that is not paired with the source Azure Region. We are not limited to the paired Azure regions. Azure Site Recovery portal make some proposal for some resources:

clip_image003

 

If you click on the « Customize » link in the upper part of the UX, you will be able to change proposal for required resources:

  • A resource Group in the target Azure region
  • A virtual Network in the Target Azure region

 

For each Virtual machine to protect we can customize:

  • The Storage account to be used to store VHD to be used by future replicated virtual machines
  • The Storage account to be used for ASR cache purpose

 

For these two storage Accounts, you don’t need more than a Local Redundant Storage.

clip_image004

 

If your virtual machines to be protected is linked to an Availability set, you will need to select an availability Set in the destination Azure region to offer the same SLA for your virtual machine.

Each Azure Virtual machine to be protected must be associated to a replication Policy.

we can customize the following parameters:

  • Retention policy for the recovery points
  • Frequency for app-consistent snapshot

clip_image005

 

Initial configuration is now over. We can enable replication.

clip_image006

 

Once replication is enabled we can follow the Azure Site Recovery Jobs. Bellow we have all jobs related to the setup of the protection of your Azure virtual machine.

clip_image007

 

If we take a closer look at the jobs related to replication, we will discover that ASR deploy a virtual machine extension in our workload.

clip_image008

 

Watch out, it’s not because initial replication is considered as enabled that its completed. Initial replication will take some times.

clip_image009

 

In my case (standard Windows Virtual machine without any data disks), initial replication took around fifty minutes.

clip_image010

Once initial replication is terminated, we can consider that our workloads is protected.

clip_image011

 

If we take a closer look at virtual machine information page, we discover two type of recovery points:

  • Crash-consistent
  • App-Consistent

 

In DRP situation, we can choose to prefer RTO versus RPO.

clip_image012

If you are familiar with Azure SQL, you should be familiar with that map. Now I have an Azure Virtual machine located in Central US Azure region with a replica in East US Azure region.

clip_image013

 

Now you have a DRP, you can test it. Microsoft recommendation is to perform a test failover from times to times to validate our DRP plan. You can choose to ignore the recommendation is you wish but that’s a good idea to test a DRP.

clip_image014

 

We can select the recovery point using:

  • The latest recovery point (for a lowest RPO)
  • The latest processed (for the best recovery time)
  • The last app-consistent

 

For this test, recommendation is to select a dedicated Virtual Network that is not connected to the source Virtual Network (Virtual Network Gateway or Peering). In the jobs, we can track the progress.

clip_image015

 

At this stage of the test we have two virtual machines running: The original and the test. Because the second one is connected to an isolated network you can check the health of the application and validate the DR plan.

clip_image016

 

Test is now complete we can cleanup used resources.

clip_image017

 

Our workload is now protected. Let’s see how to initiate a « clean failover ».

 

The « Clean Failover »

We will be considering that failover is initiated manually. In fact, using Log Analytics we can:

  • Detect an unhealthy virtual machine and initiate a single failover
  • Detect a major outage in Azure Activity and initiate a complete relocation

 

When initiating the failover process, we need decide if fast service recovery is more important than full service restauration.

clip_image018

 

Because we have both App-Consistent snapshots and Recovery points (up to 24 hours with the default policy), custom recovery point allows us to choose a specific version of my application. That’s great because, nowadays, applications are distributed among many servers. In DR situation, we will need to restore many servers.

clip_image019

 

In Azure Site Recovery Jobs view we can notice that failover was initiated.

clip_image020

 

If we look at the details, we see that the virtual machine located in the source Azure region was shutdown properly and a new virtual machine was provisioned in the target Azure region. In my case, complete failover operation took five minutes and a half (I choose to minimize the Recovery Point objective).

clip_image021

 

Once terminated Job appear as completed in the Azure Site Recovery Jobs view. From a virtual machine point of view we now have two virtual machines but only the one located in the target Azure region is running.

clip_image022

 

Once failover is completed we need to commit the operation. Once commit is performed we select another recovery point.

clip_image023

 

The clean Rollback

Rollback process is named « re-protect ». In fact, it’s the same process but we switched the target and source parameters.

clip_image024

 

By default, ASR will use the same parameters but you can override them if necessary.

clip_image025

 

It’s a little bit longer than on the protection phase, but remain an acceptable

clip_image026

 

Disable replication

That’s the bonus. When failover is committed, you have the choice to disable replication. This option was designed to move a workload from an Azure region to another.

 

Additional readings

To have more information about the feature, I would recommend the following readings :

 

Conclusion

What to say. Even if it’s a preview, it’s almost feature complete (CLI & PowerShell support are missing, just like Managed disks). Once feature will be Generally Available, we will have first-class Disaster Recovery service we cannot not implement.

 

BenoitS – Simple and Secure by design but Business compliant (with disruptive flag enabled)