Saturday, August 2, 2014

Azure Automation - shutdown azure virtual machine – step by step

Why?
Managing Azure resources using Management portal is cumbersome job for infrastructure guys. In one of my customers company (where I am supporting Azure Project as a consultant), the developer used start the Azure VM in the morning and many times they never stopped the azure VM while leaving from office. Ofcourse this used to incur huge cost for them. Therefore IT team guys used to check if their development Azure VM's are running, if yes then they used to shutdown it from azure portal to save on cost of running Azure VM overnight. The number of VM’s to stop was around 30 to 50. They had been performing this manually in combination of powershell script and few operations from management portal. This simple activity had consumed 25% of the IT people bandwidth and it was problem for them. Thanks to Azure Automation!!! IT guys don’t have to shutdown Azure VM anymore manually and they are happy now.
What?
So, Azure automation is the new service in preview. Well, Azure automation is not the only service that can automate the common activities of Azure. Powershell exists since long and in fact powershell is the basis behind Azure Automation service. You can automate the creation, deployment, monitoring, and maintenance of resources in your Microsoft Azure environment using runbooks, which ultimately uses Windows PowerShell workflows.
Ofcourse, Chef and Puppet are also doing the same automation job greatly however, I find them pretty complex. I know most of you may not agree, however, I feel Chef, Puppet is best for Linux, Unix OS based Azure VM. For Windows OS based Azure VM, Azure Automation with Powershell is your key.
In this post, I will be giving step by step approach to shutdown your Azure virtual machine using Powershell and Azure automation.  So let’s start!!
You may not have observed, but I feel the concept of Azure automation is very much similar to what Chef is doing for automation. See below comparison between Chef and Azure Automation –
Chef Jargons – Recipe, cookbook
Azure Automation Jargons – Job, Runbook
Cookbook – Runbook!!! Of course it is just an observation.
Runbook – Runbook is a set of powershell commands that gets executed based on schedule set in Azure automation. So the book has sentences (or commands) that run in Azure Automation service. In azure automation we always execute powershell scripts under runbook.
 
Activate
When I am writing this post, the Azure Automation is in preview mode and hence you need to enable is for your subscription from here - https://account.windowsazure.com/PreviewFeatures
If it becomes generally available then this step will not be required.
Automation Account
Create Automation Account first as shown in below screenshots –
 
 
As a preview feature, these are supported only in US region as of now.
Certificate Management
An Automation Credential is both a username and password that can be used with Windows PowerShell commands or a certificate that is uploaded to the server. We will use certificate based approach. Therefore we need certificate to authenticate azure subscription. Best way is to use self-signed certificate either created from makecert command or created from IIS itself.
Let’s see the way of using IIS. Open run Window and type INETMGR to open IIS window. Select the local machine name and double click on Server Certificates option as shown below –



Click on Create Self signed Certificate and name it as AzureAutomation and store as Personal.


Right click the newly created certificate and click on View as shown below –


Go to Details and Tab and click on Copy to file.


Click on Next-> do not export private key->DER Encoded binary X.509(.CER) file-> name as AzureAutomation and provide path of your choice to save the file as .CER file.
Now we need to export its .pfx file. Therefore right click on certificate name in IIS and select Export option. Provide the appropriate password and path of your choice.
Upload Certificate to Azure
Now we need to upload the .CER file to Azure Management Portal. Go to Settings tab on portal and upload certificate to Management Certificates as shown –
 
 
Record Subscription Id
On the same window, go to subscription tab and copy the subscription id for future use.
Create Automation Credentials Asset
Assets are available to all runbooks. As the name indicates, Assets can be reused over and over. Therefore we will create asset to establish the connection and credentials for authentication with Azure. Once this asset is ready it can be used in any runbook in future.
Now I click on Automation account that I created earlier and select the Assets tab and click on Add Settings as shown –
 

 
 
In above screenshot, the Azure module that comes as installed by default for your azure automation account. It is free and you will not be charged for this default module. However you will be charged for modules that are uploaded by you. Also, I see hardly any use of default Azure module.
On settings window select Add Credentials option as shown –


Now as we are using certificates as an authentication mechanism, select Certificate option in Credential Type dropdown and name the credential as Azure Automation Credentials. Provide description if you wish to otherwise it is optional.

On next page I uploaded the .pfx certificate that I created.

Create Automation Connection Asset
Now we will define connection information as an asset so that it can be used again in future runbooks. Therefore on assets tab itself select Add Settings as above and choose option of Add Connection.

Select Connection type as Azure, Name as “Your Subscription Connection” and optionally you can put description as well.
 

Provide the certificate name we created in above step and subscription id in which your automation account is created and then click to complete the configuration. 
 

 
 
Publish Connect-Azure runbook
Now I have setup credentials and connection. I need a powershell script which will avail the connection and credentials information to execute the azure vm backup powershell script in my subscription. This code to make connection to azure is readily available and can be downloaded from here - http://gallery.technet.microsoft.com/scriptcenter/Connect-to-an-Azure-f27a81bb
So connect-Azure is a powershell script and hence we will need to upload it as runbook. Click on Runbook option and click on Import. Provide the path of connect-azure.ps1 file and import.

 
 
 Select the uploaded Connect-Azure runbook and under Author tab select Draft option and then publish the Connect-Azure runbook.


This published Connect-Azure runbook now can be used in any custom runbook here after to make the connection to azure subscription. I will use it in my Backup Azure Virtual Machine runbook.
Note - Upto this point all above steps are common for authoring any runbook in Azure Automation.
Create Azure Virtual Machine shutdown runbook
Now I have created a powershell script that can shutdown the Azure Virtual Machine after 6PM of local time if at all the VM is running. This Azure VM shutdown powershell script we will upload as a runbook along with common code of Connect-Azure runbook.
To download the Azure VM shutdown automation powershell script code, please go to below link -
http://gallery.technet.microsoft.com/Azure-Automation-shutdown-3ece6e4d
Kindly download the Deallocate-AzureVM Powershell script and follow below steps.

Now we will upload the Deallocate-AzureVM in the same way as Connnect-Azure runbook. So like before, select RUNBOOKS tab and click on Import button at the bottom and select the Azure VM shutdown powershell file.

 
I clicked on Test button which is next to Publish to see if the script is working correct and the output of Test was awesome. As you can see below my VM was stopped and was showing Stopped(Deallocated) state on azure VM portal successfully.
After this, Select Author | Draft | Publish at the bottom to publish the Azure-Deallocate PowerShell run book.

Now we will schedule the published Azure VM shutdown script.  The schedule can be of daily, for the time being I am setting the job daily at 7PM so that when developer leaves the machine and offices by 6PM, VM will go shutdown automatically at 7PM. Click on Schedule tab and provide the values as below -
 

Next I need to start the Runbook Deallocate-AzureVM and provide the parameter which will be VM name to be shutdown and cloud service name. This is nothing but the creating job for runbooks. So on the published tab itself you will find Start button at the bottom, click on it and a pop up window will appear. This is where we need to specify cloud service name and VM name, as follows –


In above pop up provide the value of your VM to be shutdown and cloud service name in which your Azure VM resides. Note that the names are not fully qualified names. Means for example, I am not putting the name as myservice.cloudapp.net.
Now if you click on Jobs tab, you will observe the jobs that have run till date. These jobs will be created by schedule automatically and will check the status of VM and then if found running then the job will shut it down.


This completes the configuration of job for one VM. If you have more than 1 VM then you will need to create those many schedules. Or better way would be to have for-each loop to retrieve all VM's within subscription and shut them down in for loop in one schedule. If you are looking for such a script, then contact me.

That’s it guys. I hope now you understand how Azure Automation simplifies the Azure resource management and present itself as a powerful tool for Azure DevOps.
Hope this helps.
Cheers…
Happy Automating!!!


4 comments:

  1. I'll try to do it, but Test deallocate-azurevm show me error: Exception: Could not retrieve 'System.Collections.Hashtable.AutomationCertificateName' certificate asset. Check that you created this first in the Automation service.
    What's wrong?

    ReplyDelete
  2. Hi Antonio, Thanks for your comment. I guess the issue must be with your certificate. Can you try once more to create new self signed certificate and see if it works. Hope this helps.

    ReplyDelete
  3. Nice walkthrough. Just a note that Microsoft has recently started recommending to use Azure AD accounts rather than certificates for authentication. For those interested in an example that uses this for VM scheduled shutdown/startup, see:

    https://automys.com/library/asset/scheduled-virtual-machine-shutdown-startup-microsoft-azure

    ReplyDelete
  4. To learn how such Azure VM automation can be monitored and systematized, check out two blogs below:
    VMs can be shutdown or scaled down on a schedule.
    Shut-down Azure VMs on a schedule: http://cloudmonix.com/blog/how-to-automate-schedule-shutdowns-of-azure-vms/
    Scale-down Azure VMs on a schedule: http://cloudmonix.com/blog/how-to-automate-scaling-of-azure-vms/

    ReplyDelete