In-place upgrade of an Azure virtual machine

Introduction

In the cloud it’s all about economies of scale, automation, and wipe and redeploy. Servers are cattle to be destroyed and rebuilt when needed. And “needed” here is not like in the past: it has become the default way. But not everyone or every workload can achieve that operational level.

There are use cases where I do use in place upgrades for my own infrastructure or for very well known environments where I know the history and health of the services. An example of this is my blog virtual machine. Currently that is running on Azure IAAS, Windows Server 2016, WordPress 4.9.1, MySQL 5.7.20, PHP. It has never been reinstalled.

I have upgraded my WordPress version many times, for both small incremental and major releases. I did the same for the MySQL instance used for my blog. The same goes for PHP etc. The principle here is the same: avoid the risk of tech debt, security risks and major maintenance outages by maintaining a modern platform that is patched and up to date. That’s the basis of a well-running and secure environment.

In-place upgrade of an Azure virtual machine

In this approach the operating system needs to be updated as well, so my blog went from Windows Server 2012 R2 to Windows Server 2016. That was also an in-place upgrade. The normal way of doing in-place upgrades, from inside the virtual machine, is actually not supported by Azure and you can shoot yourself in the foot by doing so.

The reason for this is the risk. You do not have console access to an Azure IAAS virtual machine. This means that when things go wrong you cannot fix it. You will have to resort to restoring a backup or other means of disaster recovery. There is also no quick way of applying a checkpoint to the VM to return to a well-known situation. Even when all goes well you might lose RDP access (I didn’t have it happen yet). But even if all goes well, and that normally is the case, you’ll be stuck at the normal OOBE screen where you need to accept the license terms that you get after an upgrade to Windows Server 2016.


The default upgrade will boot to that screen and you cannot confirm it as you have no console access. If you have boot diagnostics enabled for the VM you can see the screen but you cannot get console access. Bummer. So what can you do?

Supported way of doing an in-place upgrade of an Azure virtual machine

Microsoft gives you two supported options to upgrade an Azure IAAS virtual machine in

An in-place system upgrade is not supported on Windows-based Azure VMs. These approaches mitigate the risk. The first is actually a migration to a new virtual machine. The second one is doing the upgrade locally on the VHD disk you download from Azure and then upload to create a new IAAS virtual machine. All this avoids messing up the original virtual machine and VHD.

Unsupported way of doing an in-place upgrade of an Azure virtual machine

There is one way to do it, but if it goes wrong you’ll have to consider the VM as lost. I have tested this approach in a restored backup of the real virtual machine to confirm it works. But it’s not supported and you assume all risks when you try this.

Mount your Windows Server 2016 ISO in the Windows Server 2012 R2 IAAS virtual machine. Open an administrative command prompt and navigate to the drive letter (mine was E:) of the mounted ISO. From there you launch the upgrade as follows:

E:\setup.exe /auto upgrade /DynamicUpdate enable /pkey CB7KF-BWN84-R7R2Y-793K2-8XDDG /showoobe none

The key is the client KMS key so it can activate, and the /showoobe none parameter is where the “magic” is at. This will let you manually navigate through the wizard and the upgrade process will look very familiar (and manual). But the big thing here is that you told the upgrade not to show the OOBE screen where you accept the license terms and as such you won’t get stuck there. So far I have done this about 5 times and I have never lost RDP access due to the in-place upgrade. So this worked for me. But whatever you do, make sure you have a backup, a way out, ideally multiple ways out!

Note that you can use /Quiet to automate things completely. See Windows Setup Command-Line Options.
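
A pre-flight check to run inside the VM before the setup.exe command above, since RDP is the only way back in once the upgrade starts. This is an added example, not part of the original post; the drive letter, the free-space threshold and the English "Remote Desktop" firewall group name are assumptions.

```powershell
# Added example: pre-flight checks before launching setup.exe from the mounted ISO.
# Assumed values (not from the original post): $IsoDrive, $MinFreeGB.
$IsoDrive  = 'E:'   # drive letter of the mounted Windows Server 2016 ISO
$MinFreeGB = 20     # assumed free-space threshold on the system drive
$problems  = @()

# 1. Record what we are upgrading from.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Current OS: $($os.Caption) ($($os.Version))"

# 2. setup.exe must be reachable on the mounted ISO.
if (-not (Test-Path -Path "$IsoDrive\setup.exe")) {
    $problems += "setup.exe not found on $IsoDrive"
}

# 3. Without console access, Remote Desktop must be enabled...
$ts = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections
if ($ts.fDenyTSConnections -ne 0) { $problems += 'Remote Desktop is disabled' }

# ...and allowed inbound through the Windows firewall (English group name assumed).
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if (-not $rdpRules) { $problems += 'No enabled inbound Remote Desktop firewall rule' }

# 4. Enough free space on the system drive for the upgrade files.
$letter = $env:SystemDrive.TrimEnd(':')
$freeGB = [math]::Round((Get-PSDrive -Name $letter).Free / 1GB, 1)
if ($freeGB -lt $MinFreeGB) {
    $problems += "Only $freeGB GB free on $env:SystemDrive"
}

# Stop here if anything is off; the upgrade itself is started manually afterwards.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight checks failed; not starting the upgrade.'
}
Write-Host 'Checks passed. Confirm a restorable backup exists before launching setup.exe.'
```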

Nested virtualization can give us console access

Since we now have nested virtualization, you have an option to fix a broken in-place upgrade by getting console access to a nested VM using the VHD of the VM whose upgrade failed. See:

Conclusion

If Microsoft would give us virtual machine console access or DRAC or ILO capabilities, that would take care of this issue. Having said all that, I know that in-place upgrades of applications, services or operating systems aren’t the cloud way. I also realize that dogmatic purism doesn’t help in a lot of scenarios, so if I can help people leverage Azure even when they have “pre cloud” needs, I will, as long as it doesn’t expose them to unmanaged risk. So while I don’t recommend this, you can try it if that’s the only option you have available for your situation. Make sure you have a way out.

IAAS has progressed a tremendous amount over the last couple of years. It still has to get on par with capabilities we have not only become accustomed to but learned to appreciate over the years. But it’s moving in the right direction, making it a valid choice for more use cases. As always when doing cloud, don’t do copy paste, but seek the best way to handle your needs.

Using VEEAM FastSCP for Microsoft Azure to help protect my blog

My buddies in IT know about some of my mantras. The fact that I like “* in depth”. Backup in depth for example. Which is just my variant on the 3-2-1 rule in backups. Things go wrong and relying on one way to recover is risky. “One is none, two is one” is just one of the mantras I live by in IT. Or at least try to, I’m not perfect.

So besides backups in Azure I also copy the backup files I make for my blog outside of the VM, out of Azure. That means the BackWPup files and the MySQL dumps I create regularly via a scheduled job.

That copy is not made manually but is automated with VEEAM FastSCP for Microsoft Azure. It’s easy, free and it works. I’ve blogged about it before but that blog might have been lost in the huge onslaught of Microsoft Ignite 2015 announcements.

It’s all quite simple. First of all you need to create a data dump location for the backups we do on our blog server. That’s copied out by but VEEAM FastSCP for Microsoft Azure ensures I have an extra copy of those which doesn’t rely on Azure.


Add your VM in Azure to VEEAM FastSCP for Microsoft Azure


It’s easy, specify the information you can find about your VM on the Azure management portal. Optionally you can skip the SSL requirement and certificate verifications. Do note you need to use the correct PowerShell port (end point) for that particular VM in your Azure subscription.


When successful you can browse the file system of your Azure VM.


Create one or more jobs (depending on what & how you’re organizing your backups)


Give the job a descriptive name


Select what folders on the Azure VM you want to backup by simply browsing to it.


Select the target folder on the system where VEEAM FastSCP for Microsoft Azure is running by, again, simply browsing to it.


Set a schedule according to your needs


If you need to run some PowerShell before or after a download here’s the place to do so.


Click Finish and hit Start Job to kick it off and test it. Here’s the WordPress Blog backup download job running.


By using VEEAM FastSCP for Microsoft Azure you can download folders and files to your system at home or to a virtual machine, whether this is on premises or also in the cloud. Perhaps even in AWS (IAAS) if you’re really paranoid. By doing a simple restore of your blog and changing your DNS entry you can even get it up and running if Azure would ever be the target of a major outage-causing attack. You could even keep blogging about it :-).

So do yourself a favor. Check it out!

Veeam FastSCP for Microsoft Azure IAAS went in to Beta

VEEAM is also keeping us on our toes here at Ignite in Chicago. They just publicly announced the beta of a new free tool that looks extremely handy, VEEAM FastSCP. It’s a tool that enables you to copy files in and out of Azure virtual machines without the need for a VPN. People who have been working with IAAS in Azure for labs or production know that sometimes even tasks that are benign on premises can be a bit convoluted in the cloud without a VPN or ExpressRoute to Azure.


Until today our options without a VPN (to leverage file shares / SMB) are either to use RDP, which gives us 2 options:

  1. Direct copy/paste (limited to 2GB)
  2. Mapped local drives in your VM

or leverage the portability of a VHD.

So why is VEEAM FastSCP a big deal? Well the virtual hard disk method is painstakingly tedious. Putting data into a VHD and moving that around to get data in and out of a virtual machine is a nice workaround but hardly a great solution. It works and can be automated with PowerShell but you only do it because you have no other choice.

The first RDP method (copy/paste) is fast and easy but it lacks ease of automation and it’s a bit silly to launch an RDP session to copy files. It also has a file size limit of 2GB. Anything bigger will just throw you an error.


Another option is to leverage your mapped local disks in the VM but that’s not a great option for automation either.


Sure you could start running FTPS or SFTP servers in all your VMs but that’s borderline silly as well.

VEEAM FastSCP for Microsoft Azure

VEEAM is offering this tool as a quick, secure and easy way to copy files in and out of Azure virtual machines without the need for a VPN or turning your virtual machine into a free target for the bad people in the world. Do note this is not meant for blob storage or anything else but an Azure virtual machine. There are plenty of tools to go around for blob storage already.


The tool connects to the PowerShell endpoint port of your public IP address. No VPN, 3rd party tool or encryption required, it’s all self-contained. Inside the VM it’s based on winrm.


This will not interfere with your normal RDP or PowerShell sessions at all, so no worries there. When using this tool there is also no file size limit to worry about like with copy/paste over RDP.

Via the GUI you connect to the Virtual Machine with your credentials. After that you can browse the file system of that VM and copy data in and out. All of this is secured over SSL.
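
The same kind of connection (WinRM over SSL to the VM's PowerShell endpoint) made with the built-in remoting cmdlets, with the certificate checks left on and a hash comparison after the download. This is an added example, not Veeam's code or part of the original post; the host name, port and folders are hypothetical placeholders, and Copy-Item -FromSession needs Windows PowerShell 5.0 or later on the downloading machine.

```powershell
# Added example. Hypothetical placeholders: $VmHost, $PsPort, $RemoteDir, $LocalDir.
$VmHost    = 'myblogvm.example.net'   # public DNS name of the Azure VM (placeholder)
$PsPort    = 5986                     # use the PowerShell endpoint port of your VM
$RemoteDir = 'C:\BackupDump'          # dump folder inside the VM (placeholder)
$LocalDir  = 'D:\OffCloudBackups'     # existing target folder outside Azure (placeholder)
$cred      = Get-Credential

# Weak setting, equivalent to skipping certificate verification (shown for contrast):
#   $opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
#   New-PSSession ... -UseSSL -SessionOption $opt
# Corrected: default session options validate the certificate chain and host name,
# so the session fails instead of talking to an endpoint it cannot authenticate.
$session = New-PSSession -ComputerName $VmHost -Port $PsPort -UseSSL -Credential $cred

try {
    # Hash the backup files inside the VM before copying them out.
    $remoteFiles = Invoke-Command -Session $session -ArgumentList $RemoteDir -ScriptBlock {
        param($dir)
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                FullName = $_.FullName
                Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

    foreach ($file in $remoteFiles) {
        # Download over the encrypted session, then confirm the local copy matches.
        Copy-Item -FromSession $session -Path $file.FullName -Destination $LocalDir
        $localPath = Join-Path -Path $LocalDir -ChildPath $file.Name
        $localHash = (Get-FileHash -Path $localPath -Algorithm SHA256).Hash
        if ($localHash -ne $file.Hash) {
            Write-Warning "Hash mismatch for $($file.Name); do not rely on this copy."
        }
    }
}
finally {
    Remove-PSSession -Session $session
}
```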


A nice thing is that you don’t need to keep the GUI open after you’ve started the copy; just close it and things will get done. No babysitting required.

It’s all wizard driven so it’s very easy and to top it all off you can schedule jobs making it a perfect little automation tool bypassing the limitations we’re facing right now.


Some use cases

Anyone who has an IAAS lab in Azure will appreciate this tool, I think. It’s quick and easy to get files in and out of your VMs and you can schedule this.

Backups. I create a backup of my WordPress blog and the MySQL database regularly to file. While these are protected in the cloud themselves, I love backup in depth and having an extra option in case plan A fails. Using the built-in scheduler I can now easily download a copy of those files just in case Azure goes south longer than I care to suffer. Having an off-cloud copy is just another option to have when Murphy comes knocking.

This is another valuable tool in my toolkit courtesy of VEEAM and all I can say is: thank you! To get it you can register here and download the Beta bits.