Altaro: First Impressions

In March 2018 Altaro announced v7.6 of their backup product. I thought it was time to give the product a whirl and provide feedback on my first impressions.

Lab

As those who follow my blog know, I switched to Server 2012 R2 running Hyper-V a while ago. In this configuration I have an HPE DL360 G6 with some local SATA storage as the backup target for my Hyper-V virtual machines.

Installation

Altaro make the claim (see here) that you can be up and running, allowing you to back up your first virtual machine within 15 minutes.

Once I had completed the simple registration form to access the Unlimited Plus Edition for 30 Days, it was time to launch the installer.

A straightforward, intuitive installer completes within a couple of minutes, and we are ready to launch the management console.

Configuration

As soon as the management console is loaded, we just need to follow the 3 steps outlined below.

Altaro 01

Connecting to the Hyper-V hosts is a straightforward process, entering the IP address and credentials as you would expect.

Altaro 02

After this I entered the backup location, selected the VM which required backing up and clicked backup.

So far so good: Altaro have validated that backups can be started within 15 minutes of installing the software.

CDP Settings

As we know, not all workloads are equal, and more critical application services require a lower recovery point objective. With Altaro, I can set CDP settings as low as 5 minutes. The part which is quite impressive is that they warn you of the impact on the hypervisor of taking such frequent snapshots.

Altaro 03

Offsite Backup

Another feature I wanted to validate was integration with Azure Storage Backups to undertake an ‘offsite backup copy’.

After entering the Connection String for one of my Azure Storage Accounts, it was simply a case of dragging and dropping the VM I wanted to protect into the ‘Offsite Location’ bucket and finally providing a Master Encryption Key.

I was interested to see the native format of the ‘Offsite Backup’ to see if this could be used to migrate VMs to Azure. Using Microsoft Azure Storage Explorer I browsed to the storage account and viewed the VM location.

The Offsite Backup VM isn’t easily identifiable; I’m assuming the VM name is encrypted by the Master Encryption Key and the backup files are held in Altaro format.

Altaro 06

Essentially this means that if you had a DR event on-premises and you needed to restore backups from Offsite, you would need to install and configure an Altaro Backup server, which isn’t a big deal in itself but adds to the overall time needed to restore business operations.

Schedules

When administering backups, an area on which time and effort is spent is backup scheduling. I was pleased to see that the schedules are different for CDP and regular one-off backups.

In this scenario, I wanted to perform an on-premises backup and then follow this up with an offsite copy. A couple of clicks and this was ready to go!

Altaro 05

A bit of feedback for Altaro is that it would be good to be able to name your backup schedules, as I could see identifying the right schedule becoming cumbersome.

Advanced Settings

The advanced settings enable you to control features such as de-duplication, encryption, excluding ISOs/drives and the use of Change Block Tracking.

Linked back to the Offsite Backups, it would be great if you had the option to back up to Azure as a native VHD (without de-duplication), as you could then spin up your VMs in Azure and use this as a migration tool or for DR scenarios.

Restore

For me, on-premises restores are a given.  I’m more interested in restoring archive data from Azure (using Altaro Retention Policy to control this).

Selecting the Restore Icon, I can select Azure Storage Account, again with a decent prompt which states you will be charged for egress data.

Altaro 07.PNG

It’s a case now of dragging the backup down your internet pipe to be re-hydrated by Altaro VM Backup on your selected Hyper-V Host.

One of the things I would like to see is a File Level Restore from an Azure Storage Account to avoid restoring an entire VM.

Final Thought

It’s clear that Altaro have invested heavily in a slick user experience to provide simplified backup operations with a clear and concise dashboard that is intuitive.

I’m sure that we will see further enhancements especially around the integration with public cloud.

If you’d like to try the software for your Hyper-V and/or VMware environments, you can download Altaro VM Backup to back up unlimited VMs for 30 days, then enjoy forever free backup for 2 VMs. Download Altaro VM Backup for free here.

Azure Announcements August 2018

As you would expect, there have been quite a few changes within the world of Microsoft Azure since my last update in March 2018.

So without further delay, below is my take on the heavy hitters which have been announced.

Azure Database for MySQL and PostgreSQL

General availability was announced in April 2018, which essentially means that customers using either database service are no longer running at risk and are now protected by an SLA of 99.99%.

Read more here.

Integration of Azure Backup into VM Create Experience

OK, this is quite a small thing, but when you have deployed oodles of VMs and you have to make sure you undertake backup configuration separately, it can lead to a bit of frustration.

Quite pleased Microsoft have introduced this as it makes for an overall better VM creation workflow.

Azure Service Health

Put simply, being able to see the effect of any Azure outages on your resources, rather than a generic status update, is a great step forward.

Read more here.

Azure Virtual Machine Serial Console

Wondering why your VM won’t power on, or is hung without knowing the status? Well, we finally have an answer thanks to Serial Console access.

Makes the diagnosis of issues far easier and more transparent. Read more here.

Application Security Groups

This makes managing Network Security Groups at scale far easier. No longer are we reliant on IP addresses; we can group network interfaces into Application Security Groups to govern traffic flow.

Read more here.

Security Centre Overhaul

I have to admit it, Security Centre wasn’t the most pleasant place to be.  Microsoft have taken this on-board and given the UI an overhaul.  Now it’s easier to understand, find and remediate issues within your Azure environment.

Azure Firewall

When I read into Azure Firewall, it wasn’t the big news I was expecting, more so a v0.1 release from Microsoft.

In a nutshell, it monitors interesting outbound traffic.  So a step in the right direction, but more to come soon hopefully.

Read more here.

Azure Management Groups

For those of us that work across customers with multiple subscriptions this makes life so much easier!

Quite a simple thing, but again a great time saver. Read more here.

Encrypted ExpressRoute Microsoft Peering

This was announced under the radar so to speak.  We now have the ability to natively encrypt ExpressRoute Microsoft Peering traffic to access PaaS services within Azure.

So if you are a department with a requirement to use Azure PaaS securely, this will likely be the solution you are looking for.

3 x New Azure Exams with 80% Off

Microsoft have launched three new Azure exams with 80% off, aimed at Azure Administrators, focused on depth rather than breadth.

  • Taking the AZ-100 and AZ-101 will lead to the certification Microsoft Azure Administrator.
  • If you have the 70-533 already, you can take the AZ-102 to achieve the certification Microsoft Azure Administrator.

AZ-100: Microsoft Infrastructure & Deployment

Measures knowledge and experience of:

  • Azure Subscriptions and Resources
  • Implementing and Managing Storage
  • Deploy and Manage Virtual Machines
  • Configure and Manage Virtual Networks
  • Manage Identities

More information can be found here and the 80% discount code is AZ100TRAVELING

AZ-101: Microsoft Azure Integration & Security

Measures knowledge and experience of:

  • Evaluate and Perform Server Migration to Azure
  • Implement and Manage Application Services
  • Implement Advanced Virtual Networking
  • Secure Identities

More information can be found here and the 80% discount code is AZ101HIKING

AZ-102: Microsoft Azure Administrator Certification Transition

Measures knowledge and experience of:

  • Evaluate and Perform Server Migration to Azure
  • Implement and Manage Application Services
  • Implement Advanced Virtual Networking
  • Manage Identities
  • Evaluate and Perform Server Migration to Azure
  • Implement and Manage Application Services
  • Implement Advanced Virtual Networking
  • Secure Identities

More information can be found here and the 80% discount code is AZ102PLANS

App Service Environment or Web App

I have been asked a couple of times when should you consider using an App Service Environment over a standard App Service Web App?

App Service Environment

An App Service Environment (ASE) provides an isolated and dedicated container to run a number of services such as:

  • Web Apps
  • Mobile Apps
  • Functions

An ASE does not replace an App Service Web App; it just provides a secure space for this to run.

At a high level you should consider using an ASE if you meet one of the following conditions:

  • Access to the management plane is only available within your VNET and not from the internet
  • The Web App cannot be internet facing and therefore should be behind a Web Application Firewall
  • Communication from the Web App to PaaS DB Service should be secured within your VNET
  • Communication from the Web App to VM should be secured within your VNET

This can be logically explained in the diagram below.

Azure ASE v0.1

App Service Web App

An App Service Web App is the PaaS service which, without the ASE, is accessible directly from the internet.

The instances you run sit on shared compute, which may or may not be on the same physical server or rack.

At a high level, an App Service Web App can be integrated into other Azure services such as:

Final Thought

The requirements of the application and the business will determine whether your App Service Web App should run on a standard PaaS tier or within an App Service Environment.

It should be noted that even though an App Service Web App running in an App Service Environment is considerably more expensive than a standard App Service Web App, you can run multiple App Services within the App Service Environment.

Azure AD: Transfer Subscriptions or Directory?

With the increased uptake of Azure across both public and private businesses, we are starting to see identity gaps across business divisions creating pockets of isolation.

In the diagram below we have a single Enterprise Enrollment which has two Azure Accounts, one for Online Services and the other for Retail Stores. Underneath these we then have two Azure Subscriptions, one for Development and the other for Production.

Azure Accounts & Subscrptions v0.1.png

You might wonder what the issue is? Well, in this scenario we have a single on-premises corporate directory that services ‘Online Services’ and ‘Retail Stores’.

  • ‘Online Services’ have set up their on-premises corporate directory to integrate with Azure AD, so that their starters and leavers process is controlled using their existing directory service.
  • Whereas ‘Retail Stores’ have no integration to the on-premises corporate directory and are using the default on.microsoft.com accounts.

Both business divisions have rolled out Production & Development services, but we need to close the security gap to ensure that both divisions are using the corporate directory as part of their identity model.

To achieve this we have two choices available to us, Transfer Directory or Subscription.

A subscription can only be associated to a single directory

The next part of this blog post has been written by my colleague Graham Lindsay, Lead Architect and one of our identity experts.

Transfer Directory

This will not change the Account Admin or the billing; it purely modifies which directory the subscription is linked to, and can be completed using portal.azure.com.

Create a guest B2B account in the receiving directory using the email address of the Service Admin of the subscription to be switched. This can be a standard non-admin user.

Transfer 01

From the service admin account accept the B2B invite.

Transfer 02.jpg

Once the service admin account has accepted the B2B invite it will now be able to view the receiving directory within the directory switcher.

Transfer 03.jpg

Staying within the subscription hosting directory (TestCorp), locate the subscription to be transferred and choose change directory.

Transfer 04.jpg

From the drop-down, choose the receiving directory (GrahamLab).

Transfer 05.jpg

Once the change has occurred, the subscription will no longer be accessible in the TestCorp directory.

Transfer 06.jpg

Using the directory switcher specify the receiving directory.

Transfer 07.jpg

Open Subscriptions and you will now see that the subscription has now moved.  You can now rebuild the RBAC on the subscription.

Transfer 08.jpg
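
Changing the directory leaves the subscription without its previous role assignments, which is why the RBAC has to be rebuilt. The following is an added example, not part of the original post: it takes role assignments exported before the change (a constructed sample shaped like `az role assignment list --all` output) and sorts them into grants that can be re-created in the receiving directory and items needing manual work. The sign-in names, object IDs and the `RECEIVING_IDS` lookup are assumptions for illustration.

```python
import json

# Constructed sample shaped like `az role assignment list --all` output,
# exported from the sending directory (TestCorp) BEFORE the change.
EXPORT = json.loads("""[
 {"principalName": "alice@testcorp.example", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "bob@testcorp.example", "principalType": "User",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"},
 {"principalName": "Ops Team", "principalType": "Group",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "carol@testcorp.example", "principalType": "User",
  "roleDefinitionName": "User Access Administrator",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-corp"}
]""")

# Hypothetical lookup: old sign-in name -> object ID in the receiving directory
# (GrahamLab). Object IDs are per-directory, so the old IDs cannot be reused.
RECEIVING_IDS = {
    "alice@testcorp.example": "11111111-1111-1111-1111-111111111111",
    "bob@testcorp.example": "22222222-2222-2222-2222-222222222222",
}
PRIVILEGED = {"Owner", "User Access Administrator"}

def rebuild_plan(export, receiving_ids):
    """Split exported assignments into re-creatable grants and manual follow-ups."""
    grants, manual = [], []
    for a in export:
        name, role, scope = a["principalName"], a["roleDefinitionName"], a["scope"]
        if not scope.lower().startswith("/subscriptions/"):
            manual.append((name, role, "scope outside the subscription"))
        elif a["principalType"] != "User":
            manual.append((name, role, "recreate " + a["principalType"] + " first"))
        elif name not in receiving_ids:
            manual.append((name, role, "no account in receiving directory"))
        else:
            # Flag privileged roles so they are re-granted deliberately, not by rote.
            grants.append({"assignee": receiving_ids[name], "role": role,
                           "scope": scope, "review": role in PRIVILEGED})
    return grants, manual

if __name__ == "__main__":
    grants, manual = rebuild_plan(EXPORT, RECEIVING_IDS)
    for g in grants:
        print("REVIEW" if g["review"] else "grant ", g["role"], g["assignee"], g["scope"])
    for m in manual:
        print("manual", *m)
```

Entries flagged for review are the Owner and User Access Administrator grants, which are worth confirming are still needed before they are re-created.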

Transfer Subscription

First of all it’s worth noting that only the following Subscriptions can be transferred.

  • Enterprise Agreement (EA) MS-AZR-0017P
  • Microsoft Partner Network MS-AZR-0025P
  • MSDN Platforms MS-AZR-0062P
  • Pay-As-You-Go MS-AZR-0003P
  • Pay-As-You-Go Dev/Test MS-AZR-0023P
  • Visual Studio Enterprise MS-AZR-0063P
  • Visual Studio Enterprise: BizSpark MS-AZR-0064P
  • Visual Studio Professional MS-AZR-0059P
  • Visual Studio Test Professional MS-AZR-0060P

Subscriptions can only be transferred to someone in the same country

Transferring the subscription changes the entire subscription, including billing.

  • For Enterprise Agreements this is done in the EA portal
  • For Non-Enterprise Agreements this is done in the billing portal

Within the billing portal locate the subscription to be transferred and choose transfer subscription.

Transfer 09.jpg

From here you can change just the Account Admin, or you can change the Account Admin and where the subscription is linked to. To transfer the whole thing and change the service administrator as well, untick the ‘retain this subscription with my AzureAD’ option.

Transfer 10.jpg

Enter the name of the account that will be taking over the subscription (I chose to switch the AzureAD directory too).

Transfer 11.jpg

The following screen is shown saying that the transfer has started.

Transfer 12.jpg

The receiving party will also receive an email with a link to initiate the transfer. Clicking this link shows the following screens.

Transfer 13.jpg

The subscription is now shown as transferred in the sending portal.

Transfer 14.jpg

The subscription is now showing as active in the receiving portal.

Transfer 16.jpg

As you can see the service admin is updated too.

Transfer 20.png