
Nerdio Fundamentals: Provisioning

May 15, 2019 | Videos

Joseph Landes
In this session, we are going to walk you through how to provision an account using the Nerdio admin portal. This is the first action you will take in terms of onboarding a new customer into Azure. As you will see, this is as easy as one, two, three. Connect to an Azure account, connect to an Office 365 account, click save, and your customer will be provisioned in Azure in two hours or less. We’ll talk specifically in this session about provisioning private networks and network security groups, as well as provisioning the storage environment. Enjoy the session.

Vadim Vladimirskiy
Provisioning is the process of building an initial account. Again, the context here is NFA, so this will be an Azure-based account. This is building up an account that ultimately ends up looking like this. You all have seen this diagram. It consists both of multiple layers as well as multiple components within each of those layers. We’re going to spend some time today looking at what actually happens behind the scenes when a provisioning job is submitted.

Vadim Vladimirskiy
Okay? First thing to look at is what the process of submitting the provisioning job looks like. We call it adding an account. Again, recall an account is a customer. It’s kind of a line listed here in the partners portal. To add an NFA account, you go to add NFA account. You get these three sections. Section number one is connecting to an existing Azure subscription. Remember this could be a subscription that’s really purchased in any way that you want. It could be a direct subscription. It could be a CSP subscription. All we need as a prerequisite is a user account that … If I remember the password here. Hold on one second. All you need is a user account that has owner rights on that subscription and is a global administrator inside of the Azure AD tenant.

Vadim Vladimirskiy
We’re going to look at the process of how this all gets built. The first thing we’ll look at is how the network is created, and then we’ll probably get a chance to also see how the storage environment is built. We’ll bring together some of the concepts we talked about in previous sessions, when we went over the Azure resources on their network. We’re going to look at an actual account that has been provisioned in here. We’re going to see what the subnets and the virtual network look like and what the security permissions are between each one of those. We’ll be looking at that in just a minute.

Vadim Vladimirskiy
All right, so we just connected to the Azure subscription. It is currently validating that those credentials are right. It shows you which tenant we’re connected to. Right? Remember, this is the tenant name. If there are multiple subscriptions in there, you can select which one you want to provision. So if you have an account with multiple customers on that subscription, you can select it here. You then get to select your region. Remember, there are some regions that are grayed out. Those are the ones that the subscription isn’t entitled to. You get to give a name. If you’re provisioning multiple customers into the same subscription, the name of the resource group must be unique. By default, it’s going to be nerdioRG.

Vadim Vladimirskiy
You then get to select what the Azure hybrid usage is. Either a yes or no. If you say yes, it’s going to give you a little warning that you need to take responsibility for licensing. Then, finally, it validates how much core quota is available within your account. It looks at the three most common types of VMs that get deployed. You can see, because this is a CSP subscription, and it’s actually a sponsored subscription, we have a huge amount of cores available. This is very large in order of magnitude, more than a typical subscription would have. Normally, you see 10 to 20 in here. Then, on the bottom here — we’ll get to this section in a minute — it shows you how many cores you actually need.

Vadim Vladimirskiy
Okay. Then, the second step is connecting to an Office 365 account. What we can do is connect it to this. Okay. This is going to do something very similar. It’s going to validate that we are connected. It’s going to see how many licenses of E3 are available inside of the account. It says right there that we found 42 available E3 licenses. That’s how many are … Well, actually 100 are purchased and 42 are available, so, I mean, the balance has been assigned. Step one and step two, pretty easy. Not much else to do here. If somebody doesn’t have an account, we provide them with a link where they can go on and sign up for an E3 trial account with 25 licenses to get started.

Vadim Vladimirskiy
Okay. Section number three. It automatically pre-filled the company name based on which Office account we connected it to, but this could be whatever account we give it. Then, here, you select your plan. For the enterprise plan, remember it’s the full-featured version of the product for larger organizations that want some of those advanced features. It requires seven D-series cores. Right? It will validate that this number is larger than this number, so we’re all good. Or you can select the professional version, and the professional version will have its own requirements. It needs one A-core and six B-cores. Again, we’re good with that. One A-core, 10 B-cores, or one A-core, four B-cores, and eight D-cores. Again, all of those would be able to be provisioned. Then, each one, each little tool tip here shows you what the various configurations are. This is our white label 2.0 functionality. What you can do here is you can specify an alternate name to the Nerdio active directory domain.

Vadim Vladimirskiy
By default, every environment gets provisioned with nerdio.int as the active directory domain. But if somebody wants to override that because they want to completely hide Nerdio from the picture, they can come in here and put a domain name. We recommend, you know, strongly keeping this as nerdio.int. The thing we want to avoid here is people using a public domain. For example, if they’re Acme Corp and they have acmecorp.com, and they list acmecorp.com here, that’s going to mean that they won’t be able to access their website from inside of the environment unless they manually configure DNS. It’s pretty typical with active directory names, where you want to have a unique internal name, so .local, .int, .private, something that makes it a non-routable public domain is recommended.

Vadim Vladimirskiy
That’s number one. The other limitation is … We’re going to talk about hybrid AD, which is the ability to connect an existing active directory deployment into Nerdio and let Nerdio manage that environment. If somebody deploys an environment, a Nerdio account, with the existing domain name as the AD domain, they will never be able to use hybrid AD. They’re going to close that door to be able to use hybrid AD in the future. That’s something we want them to avoid, so there is a little recommendation here. It must not match your existing AD domain name for that reason.

Vadim Vladimirskiy
Okay? By default, our recommendation is to keep it as nerdio.int. Leave this thing collapsed. Then, you hit save, and it goes ahead and submits a provisioning job. Okay. I’m not going to do that. I will show you, you know, what actually happens during the provisioning process. When you provision a new account, it gets recorded under the provisioning task. Again, I’m logged in as an administrator, as a partner administrator, so I can go into provisioning task and I can see what happened. Let’s look at the account that was recently provisioned just a week or two ago, 5048.

Vadim Vladimirskiy
We click on that account and go under logs, provision tasks. We can see the actual steps that this went through to provision it. Step number one was creating the network. This didn’t take very long. You can see from the start of this task to the start of the next one was only a couple of minutes, so this one is not the one that takes a long time. Let’s see what that actually did. Visually, we have a network here, which is a 10.125/16. It encompasses both the LAN and the DMZ. Then, we segment the network into subnets. There is a LAN subnet and a DMZ subnet. The LAN subnet is a 10.125/17. The DMZ is 10.125.254/24. Okay. We basically take a 16-bit subnet mask, take the bulk of it, the /17 of that network, and make that the LAN, so you basically get whatever that number is of devices. You know, 60-some thousand devices that could get IP addresses on that network, so fairly scalable. It can have lots of VMs and servers fit within that range.

Vadim Vladimirskiy
Then, you have a DMZ zone, which is really only a /24, which allows you to have up to 254 unique IP addresses in the DMZ. But typically, that’s more than enough. By default, there are only two devices that get added into the DMZ, that we’ll look at in a few minutes. The reason we chose this particular subnet, you know, this 10.125, is we wanted to pick something that’s unlikely to overlap with any existing network. Right? The reason for that is when you create a site-to-site VPN, between, let’s say, the LAN and some on-premises location, if that network overlaps with our network, then obviously the VPN, which is routable, cannot work. It cannot be created, so we picked something that we felt was obscure enough, that isn’t common. We didn’t go with 10.0, 10.1, or 192.168, or anything common. We went with 10.125.

Vadim Vladimirskiy
Okay. Let’s take a look at what this looks like in Azure. Let’s go under the Azure resource manager here and find our virtual networks. Okay. If we go under virtual networks and we find our specific resource group that we are dealing with, which is this Nerdio university. All right, so there is that NerdioVnet. That’s the name of the virtual network that got created. Within the Vnet, you can go in and see the subnets that exist. There are two subnets, as I showed you. There’s the LAN, which is, as I mentioned, /17, and there is a DMZ, which is a /24. I guess I was wrong about the number of IPs. It’s half that amount, so 32,000 possible addresses and, you know, 254 over here that’s available. Again, still a large enough subnet where I don’t think we’re going to hit that limit on any one customer at any time soon.

Vadim Vladimirskiy
Then, there is this thing. We’re not going to get into it right now, but this is around VPN. When you add a VPN capability into Nerdio, it provisions a VPN gateway. In order to have the gateway, it adds its own subnet. This is another piece of the network that’s carved out for 10 IP addresses there, as well. Okay? You have, again, the Vnet, which is this outer box that contains both. Then, within that Vnet, you have your subnets. These subnets are, you know, contained within the Vnet.

Vadim Vladimirskiy
The other thing to note is DNS configuration. DNS configuration, if you leave it as default, then all of your servers will get DNS settings that are provided by Azure. It’s going to be, you know, some public Azure DNS server that gets handled by Microsoft. However, in our case, we want DNS to be handled by the domain controller. Right? This is the IP address of the domain controller. You can see back on the diagram here. If you look at the domain controller, this is its IP address.

Vadim Vladimirskiy
We want it to be serving as the DNS server for anything that goes into this Vnet, so that’s why we have this set custom. Now, what you could do, you could also specify DNS … I believe you can specify DNS on a per-subnet basis. Also, you can specify DNS on a per-virtual NIC basis, as well. In some cases, we do that. You never specify any IP settings inside of the operating system. So unlike in the traditional environment, you’ll recall you don’t type in the IP address or DNS settings as static parameters on the network card inside the OS. It’s always done on the object inside of Azure.

Vadim Vladimirskiy
Okay. Now, in addition to creating the Vnet and the subnets that are within it, there is also networking … I’m sorry. Network firewall rules are also called network security groups, that control the traffic flow between the outside world into the DMZ, and between the DMZ and the LAN, and then flow of traffic out, from LAN out, and from DMZ out. By default, if you just provision everything without any network security groups, all inbound traffic will be blocked. All outbound traffic will be allowed. That’s obviously not secure. I’m sorry. That’s obviously … That doesn’t allow connectivity in, so it is very secure, just not functional.

Vadim Vladimirskiy
What we do is, as part of the network provisioning process, we create a network security group object. Let me show you what that looks like. We create two network security group objects — one for the DMZ and one for the LAN — and we attach them to each of those subnets. For instance … Again, that’s limited to just the resource group we’re interested in, which was this one. Okay, so you can see we have these two network security group objects. If we look at the one on the LAN … Let’s click on it … each network security group object consists of rules. Think of these as firewall rules.

Vadim Vladimirskiy
There are inbound rules and outbound rules. You can see a list in here of what it actually is. You can see, for example, inbound rules allow traffic for things like ADFS proxy, management traffic that allows the connectivity of the NAP into the environment, et cetera. You can see, you know, DMZ that allows DNS, RD gateway that’s allowed in. But public internet traffic, you can see there isn’t a source that’s public internet that’s allowed to come into the LAN. The LAN is completely isolated from the public internet. Then, on the … These are the default rules that exist. There is a default to deny all, and then there are a few system rules that allow for whatever functionality Azure deems necessary. These are … You know, we shouldn’t be messing with these.

Vadim Vladimirskiy
But at the bottom here is the deny all rule. This is what blocks everything other than what’s listed above. On the outbound side, you see there is a deny all outbound with the exception of allowing internet outbound and allowing Vnet outbound. Then, there’s also some DNS rules here that basically limit people from bypassing the content filter that we have installed through saved DNS. This allows only connectivity to the saved DNS servers and blocks connectivity to any other DNS servers. Without modifying the firewall rules, people can’t bypass the content filter that’s imposed on the environment.

Vadim Vladimirskiy
This is your NSG, network security group, for the LAN. There is also one for DMZ. Again, that consists of rules. You have your incoming rules. Now, you can see these are coming from the internet now, right? Because that’s DMZ. That’s the external part of the network right here. You have HTTP that’s allowed to come in, that goes to the RD gateway on the DMZ. You’ll recall this is the DMZ subnet. There is an https-allow for the proxy. I think this is the proxy … What do you call it? The ADFS proxy. This is the RD gateway. This allows RDP VDP screening traffic. This is the port over which the desktop streams. There is a management rule, and then everything else is blocked. Okay? Blocked. Inbound to the DMZ is completely blocked.

Vadim Vladimirskiy
Then, the outbound side, there are no custom rules. Everything is blocked except for outbound internet traffic and outbound Vnet traffic. Then, if we kind of put it all together, if we go back on the virtual networks, we click on our Vnet and we can see … We looked at subnets. We looked at address space. We can also see from here which security group is attached to each subnet. Any VM that gets created, you specify where it belongs in terms of its network, so it’s actively plugging in the network into the subnet. Then, this subnet, in here, it’s all the security associations from all of the rules inside of the security group.

Vadim Vladimirskiy
Once you configure all this, any VMs that a partner or customer creates inside of the NAP, they just basically have to select, “I want to put it on the LAN,” or, “I want to put it on the DMZ,” and then everything else is sort of automated. They don’t have to think about what traffic to allow, what traffic to deny. There’s a default set of rules that are in place.

Vadim Vladimirskiy
All right. Then, once we are done provisioning the network, which is a pretty quick process, but it’s, you know, hundreds of commands that actually build everything exactly the way it should be, the next step is configuring the storage environment. This is where some of those concepts that we discussed are going to come together around disk and storage. You can see this one took a little longer or a lot longer, because what’s happening from 10:26 to 11:26, for an hour, is that we have … If you look at these VMs, we have a file server. We have a proxy server, RD gateway, active directory server, which is DCO1. We have an RDSHO1 server and we have a golden image and a single desktop that gets provisioned.

Vadim Vladimirskiy
That’s one, two, three, four, five, six, seven VMs that get built. The way that happens is some of these VMs, especially the ones for active directory and RD gateway, are pre-configured to sort of an ideal configuration. They’re fully updated between those patches. They reside in a special template storage environment that we have in Azure in the south-central U.S. zone, which is obviously pretty centrally located, no matter where you’re provisioning it to. Then, during this storage environment setup step, what it’s actually doing is it’s copying those VMs … Or to be precise, the disk that those VMs are composed of … from the template environment into this new environment that’s being provisioned.

Vadim Vladimirskiy
Okay? The way that that looks is when the copy is done, what you see … Once again, select only the resource group that we need. Oops. That’s not the right one. Not the right one, again. This one. All right. What happens is that it copies these disks from the template’s location into the destination location. Now, there are more here than there are from the start, because it’s been customized a little bit. But you get the idea. There is a DCO1 OS disk. There is an FSO1 OS disk and data disk. There is a proxy server disk, RD gateway, WS00, which is the golden image template. All of them get copied. The sizes get inherited from the source disk, but the storage account type is specified when the VMs are copied.

Vadim Vladimirskiy
For instance, you know, we used to provision all VMs as premium SSD, which, for 128GB disk, is about $19 or $20 per month. Then, when standard SSD came out just a couple of months ago, we decided to change the default provisioning to start the VMs as standard SSD as opposed to premium SSD, which is about half the cost from Azure. You can see here when DCO1 was copied, it was copied into a storage type of standard SSD as opposed to premium SSD.

Vadim Vladimirskiy
Okay? That’s what happens primarily during this stage. You know, one other thing that happens during the network setup … Let me just go back for a minute. But in addition to the network environment, we also create IP addresses. Recall public IP addresses are sort of these independent objects that get assigned to individual VMs. Or more specifically, they get assigned to individual network cards associated to individual VMs. So, you can see here there is a public IP address, which is associated to DCO1 NIC. Obviously, that NIC is associated with the DCO1 VM. There is DCO1 public IP tied to a DCO1 network interface card tied to DCO1 VM.

Vadim Vladimirskiy
You can change the public IP without really affecting the other objects. That would kind of work pretty simply. You click on DCO1 public IP. You can see that there is a public IP address. You don’t really get to choose what it is. It just kind of gives it to you. It also gives you a DNS name that’s always going to be pointing at that public IP address. We then create a DNS record in the nerdio.net zone, in our own DNS zone, and point this IP address to DC5048, which is this account ID.nerdio.net. Okay?

Vadim Vladimirskiy
We double-check. If we do ping dc5048.nerdio.net, we should see this same IP address, and we do. That’s what we would expect. Okay, so these objects get created as well. The DNS records get created as well, but they cannot be attached to anything yet, because the VMs don’t yet exist. Right? We haven’t created the VMs. The next step, which is the storage environment setup … Again, we have not created any VMs at this point, either. All we’ve done is we’ve copied the OS disk that those VMs are going to be created based on.

Vadim Vladimirskiy
One other thing that we do during the network … I’m sorry … during the storage environment setup is, even though we use managed disks, which do not live in storage accounts, we also create two storage accounts for some specific use cases. There is one called PRM for premium. There’s a premium storage account. Then, there is a standard storage account. What happens is when you provision the VM, each VM has what they call boot diagnostics, because you cannot have console access into the VM. Right? You can only connect to it at the networking layer once the operating system is running.

Vadim Vladimirskiy
So let’s say your VM is not booting up and you don’t know why. What is it hanging up on? What’s the issue? You don’t know what’s going on. To help you with that, they have something called boot diagnostics. Boot diagnostics gives you a screenshot … I guess, in this case, it doesn’t work. But it gives you a screenshot that shows you what is currently on the screen. Let’s see if another one will work here. Yup. There we go.

Vadim Vladimirskiy
Right. This is basically a screenshot that gets updated every few minutes. There is also a serial log, where you can see this kind of information. But really, this is useful. Like, for instance, if this machine lost its network connectivity, there would be a little networking icon with a yellow exclamation point next to it, in which case you know the problem that it has is that it doesn’t have network connectivity. That happens occasionally during provisioning. We test for that condition. If that happens, we just reset the VM, and then it comes back online.

Vadim Vladimirskiy
But this is, you know, a nice, little, handy thing. The reason I’m showing you this is in order to have a boot diagnostic screenshot, you need to tell it where to place the screenshot. Screenshots always go into storage accounts, because they’re not part of a disk. Right? This is not a disk kind of a thing. This is an independent file, and that file gets stored inside of a storage account. That’s the reason we provision all of these things. Okay?

Vadim Vladimirskiy
Again, I’m obviously giving you a very high level overview of what happens. But you can imagine, you know, every single thing I’ve mentioned, every single object, configuration, everything had to be manually decided on and scripted so that it gets built exactly the same way every time you provision an account. The thing to keep in mind is what would it take for someone to build this thing from scratch by themselves. Right? There are a lot of UI, GUI sorts of ways of doing things.

Vadim Vladimirskiy
But many things are not possible to do through the GUI, so you resort to using PowerShell. Then, you have to run the command. You have to learn what the constructs are and what properties should be selected. Then, you can create certain things, and then said, “Oh, shoot. I forgot to enable diagnostics.” Now, you may have to destroy what you’ve done and recreate it, so there’s a tremendous amount of automation and scripting that goes into just doing these very first two steps of building the network and the storage environment. That’s even before we get into building the servers themselves and the active directory and federation and all of that other stuff.
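As an added illustration that is not part of the session transcript, the address plan and the LAN security-group behaviour described above, modelled in Python: the 10.125/16 VNet with its /17 LAN and /24 DMZ, the overlap check that a site-to-site VPN depends on, and priority-ordered rule evaluation with Azure's default deny-all inbound and allow-internet/allow-VNet outbound rules. The domain controller address, the permitted content-filter DNS resolver addresses and the custom rule priorities are assumptions, not values from the session.

```python
import ipaddress
from dataclasses import dataclass

# Address plan from the session: one VNet, segmented into a LAN and a DMZ.
VNET = ipaddress.ip_network("10.125.0.0/16")
SUBNETS = {
    "LAN": ipaddress.ip_network("10.125.0.0/17"),
    "DMZ": ipaddress.ip_network("10.125.254.0/24"),
}
# Assumed (constructed) addresses: the permitted content-filter DNS resolvers.
FILTER_DNS = ["203.0.113.10/32", "203.0.113.11/32"]


def usable_hosts(net):
    """Classic host count (network and broadcast excluded), which is the
    count quoted in the session. Azure itself reserves a few more per subnet."""
    return net.num_addresses - 2


def layout_is_valid():
    """Every subnet must sit inside the VNet and none may overlap another."""
    nets = list(SUBNETS.values())
    inside = all(n.subnet_of(VNET) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


def vpn_conflict(onprem_cidr):
    """A site-to-site VPN cannot be built if the on-premises range overlaps the VNet."""
    return VNET.overlaps(ipaddress.ip_network(onprem_cidr))


@dataclass
class Rule:
    priority: int   # lower number wins, as in Azure NSGs
    direction: str  # "in" or "out"
    source: str     # CIDR, "Internet", "VirtualNetwork" or "*"
    dest: str
    port: str       # "*" or a destination port number
    access: str     # "Allow" or "Deny"


def _match_addr(spec, addr):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":          # simplification: anything outside the VNet
        return addr not in VNET
    return addr in ipaddress.ip_network(spec)


def evaluate(rules, direction, src, dst, port):
    """Return the access of the first matching rule in priority order; deny if none."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and _match_addr(r.source, src)
                and _match_addr(r.dest, dst) and r.port in ("*", str(port))):
            return r.access
    return "Deny"


# Azure's default NSG rules: VNet-to-VNet allowed, all other inbound denied,
# all outbound to the internet allowed, then deny everything else.
DEFAULTS = [
    Rule(65000, "in", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65500, "in", "*", "*", "*", "Deny"),
    Rule(65000, "out", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "out", "*", "Internet", "*", "Allow"),
    Rule(65500, "out", "*", "*", "*", "Deny"),
]

# Assumed custom LAN rules in the spirit of the session: DMZ may reach DNS and RD
# session ports on the LAN; DNS egress is allowed only to the filter resolvers.
LAN_RULES = DEFAULTS + [
    Rule(100, "in", "10.125.254.0/24", "VirtualNetwork", "53", "Allow"),
    Rule(110, "in", "10.125.254.0/24", "VirtualNetwork", "3389", "Allow"),
    *[Rule(200 + i, "out", "*", dns, "53", "Allow") for i, dns in enumerate(FILTER_DNS)],
    Rule(210, "out", "*", "Internet", "53", "Deny"),   # no bypass of the content filter
]
```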
