You’re a cloud operator for an Azure Stack Integrated system and for whatever reason you have the task of deploying the App Services Resource provider…
In this blog series, I’m going to take you through the considerations and deployment process of the App Services resource provider on an Azure Stack Integrated System. This should work on an ASDK but you’re probably going to make life tough for your single server instance.
Other posts in this series:
Highly Available App Service 1.4 on Azure Stack – Step 1: Design and planning
Highly Available App Service 1.4 on Azure Stack – Step 2: Deployment (this post)
Highly Available App Service 1.4 on Azure Stack – Step 3: Post-deployment setup (in process)
Highly Available App Service 1.4 on Azure Stack – Step 4: Updating App Service (in process)
Before we get into the nitty-gritty of it all, you should go an validate some marketplace items and if you don’t have them available you should kick off some marketplace downloads now…
- Windows Server 2016 Datacenter Core Image
- SQL Server 2016 SP2 on Windows Server 2016
- Latest SQL IaaS Extension 1.2.x (currently 1.2.30)
- Latest PowerShell Desired State Configuration Extension (currently 2.76.0)
Done? Welcome back 🙂
If you’re the studious type, then you’re probably going to get by with just the Microsoft documentation on this process, as these days it is fantastic and continually getting better. The last thing I want to do is reinvent the wheel and fill the internet up with another duplicated blog, but for those who want the perspective of a Cloud Operator who has deployed and is managing a production Azure Stack Integrated System perspective, then this blog is for you…
Firstly there are some assumptions made prior to embarking on this journey. It is assumed that:
- You know what Azure Stack is…
- You’re the Cloud Operator for an Azure Stack Integrated System
- You have a fundamental understanding of what App Services is
- Appropriate certificates have been sourced
Environment summary:
This blog series is based on an 4-node Azure Stack Integrated System that is Connected to Azure with Azure Active Directory as the Identity provider.
Deployment Steps:
- Setup deployment environment
- Create Azure AD application
- Deploy HA File & SQL environment
- Run the App Service 1.4 installer
Ok, let’s get started 🙂
1. Setup deployment environment
Cloud Operator VM
Prior to doing anything, we need to setup our deployment environment. I recommend this to be your Cloud Operator VM. You have a one of these right: 😉
On my Cloud Operator VMI create a working folder for all resource providers and a subfolder for each RP: i.e. C:\AzureStack-RPs\AppService. I will refer to this as the working folder.
Installer sources
First step is to have a read of this doc. It covers many of the considerations you need to make prior to pressing the deploy button:
App Service: Before you get started
https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-app-service-before-you-get-started
Essentially download (links in the above docs page) to your working folder:
App Service on Azure Stack deployment helper scripts
App Service on Azure Stack installer
Root certificate
Export the Azure Resource Manager root certificate for Azure Stack and save to the working folder.
PaaS certificates
Save your PaaS certificates to the working folder. If you don’t have these yet, stop what you’re doing and go read this blog post. I created a certs folder in the working folder and saved them all there.
2. Create an Azure Active Directory application
Use the script in the App Service helper files
cd C:\AzureStack-RPs\AppService\AppServiceHelperScripts $DirectoryTenantName = 'tenantname.onmicrosoft.com' $AdminArmEndpoint = 'adminmanagement.region.domain.com' $TenantArmEndpoint = 'management.region.domain.com' $CertificateFilePath = "C:\AzureStack-RPs\AppService\certs\sso.appservice.region.domain.com.pfx" $CertificatePassword = '$mascerts123' | ConvertTo-SecureString -AsPlainText -Force .\Create-AADIdentityApp.ps1 ` -DirectoryTenantName $DirectoryTenantName ` -AdminArmEndpoint $AdminArmEndpoint ` -TenantArmEndpoint $TenantArmEndpoint ` -CertificateFilePath $CertificateFilePath ` -CertificatePassword $CertificatePassword
All things being equal you should see something like the below when started
You’ll get prompted to authenticate to the directory tenant. Provide the details of a user with access to create Applications in the directory.
Copy the App ID info down, you’ll need it later
Now we need to grant the application permissions for the App Service application to the accounts in Active Directory.
In the portal, find the newly created application.
I filtered by the App ID.
Click Settings
Select Required permissions and select Azure Stack
Select Grant permissons and Yes
Done 🙂
Great. You’re now ready to move on to the App Services installation process
3. Deploy HA File & SQL environment
The template: https://github.com/Azure/AzureStack-QuickStart-Templates/tree/master/appservice-fileserver-sqlserver-ha
Create a resource > Template deployment
Select > Edit Template
On the github page for the template click the link to azuredeploy.json and view the raw text
Select all > copy
Paste in the template replacing all existing text and click save
Select Edit Parameters and modify to what suits you. Make sure you record down all changes including the passwords!
Create the resources in the default provider subscription and I suggest creating a dedicated resource group
Hit create and go find something else to do for an hour or so.
The template took about 1 hour and 12 minutes to deploy
Check and save your outputs.
First thing to do is create a group policy to disable automatic windows updates (I created a VM in the network that has all the pertinent management features).
If you don’t you’ll likely go to your portal one day in the next week or so and find errors in portal and find the app services components missing
4. Run the App Service 1.4 installer
Install App Services 1.4
Below is an abridged version of the install steps as we’ll skip the steps where we don’t need to make any modification
Next, Accept the Microsoft licence agreement
Next, Accept the 3rd party licence agreement
Enter your ARM endpoint URL. It should auto-populate the Tenant ARM and the Tenant Name
Next, click the Connect button and select the Default Provider Subscription and the Region
Because we deployed the HA template, choose use existing Virtual Network and Subnets and select the corresponding vnets and subnets as shown below
Enter the details provided by the Output from the ARM template deployment… You saved this right??? 😉
You will see the below error as the installer cannot verify access to the share.
Enter the app ID details noted earlier.
Enter the SSO cert details and the path for the ARM root certificate exported in the earlier steps
Same for the Domain, API and Publisher certs.
I suggest copy and paste the password as I have clumsy fingers 🙂 It will error if the PFX password is wrong, but still good practice to use clipboard
Enter the details of the SQL instance recorded earlier
Expect a similar error as the file share due to the installer being unable to validate the SQL details
Based on the your sizing requirements, select the VM sizing that suits your deployment. These can be changed later so if unsure use the values provided below. These are the recommendations provided on the documentation.
I recommend at least a minimum of 2 instances for each role.
Select the Server 2016 image downloaded to the marketplace earlier
Enter in your preferred credentials. Again make sure you’re recording all of this somewhere safe.
Review your deployment configuration and export. Save the JSON file in the working folder.
After reviewing, kick of the deployment.
Open the log file and review
Those that know me will know I like to use cmtrace.exe
Go and do something else. Maybe read about quotas, plans and offers as you’ll need to understand this before your tenants will be able to subscribe
All things being equal you should come back to a successful deployment.
Note: my deployment took longer than expected. Total of about 2 hours.
Refresh the Admin Portal page in your browser
Open App Service blade to confirm it works… Not a doubt in my mind 🙂
Virtual Machines deployed (you won’t see aps-mgmt as I deployed this to do some post deploy config & testing)
Take a look at the Virtual Machine Scale Sets deployed.
Last part of the deployment process requires the Web Worker NSG to be updated to allow the Workers to connect to our file server via SMB
Select Create a resource > Web + Mobile and see your new available app services
Create a web service and once complete, browse to the URL
Congratulations! You’ve successfully installed a HA App Service resource provider on your Azure Stack Integrated System
Next is the post-deployment configuration.
Highly Available App Service 1.4 on Azure Stack – Step 3: Post-deployment setup (in progress)
See you in the next post
Happy stacking!
Dan