A customer recently posed a question, and it was one that coincided with a subject I had been meaning to write about for some time. Can virtual machines (VMs) running applications in Microsoft Azure be monitored with OpsMgr and if so, how does one configure this monitoring? Yes, a VM running in Windows Azure IaaS is essentially a VM running an OS, and as such the VM and any applications that reside on it can be monitored with OpsMgr just like you would monitor any other on-premise VM.
There are, however, two important considerations for the monitoring of the VMs in Azure. Cross-premises connectivity would have to be configured between your corporate network and the Azure network in order for the OpsMgr Management Server to communicate with the OpsMgr agents that will be deployed to the Azure VMs. The appropriate ports must also be opened to facilitate this communication. This connectivity can be established by enabling a Site-to-Site (S2S) or Point-to-Site (P2S) VPN connection between your corpnet and the Azure network. While the Site-to-Site connectivity requires you to have a VPN device, the Point-to-Site connectivity allows you to set up VPN connections between individual computers and a Windows Azure virtual network without the need for a VPN device.
The second consideration is that of mutual authentication between the OpsMgr Management group and the Azure IaaS VMs. If the Azure IaaS VMs are part of a trusted environment, then Kerberos would be used for authentication. If this is not the case, certificates should be used for mutual authentication. The certificates deployed to the Azure IaaS VMs will facilitate mutual authentication between the OpsMgr Management group and the Azure IaaS VMs. If you have more than a handful of VMs to monitor in Azure, then deploy an OpsMgr Gateway Server in the Azure Network and configure certificates on this server for mutual authentication with your on-premise OpsMgr Management group. The OpsMgr Gateway server would then use Kerberos to manage all the downstream IaaS VMs in Azure.
This post is comprised of two parts. In the first part, I’ll briefly talk about the steps for setting up connectivity from the Corpnet to the Azure network, and in the second part, I’ll talk about the necessary OpsMgr configurations. I’ll illustrate what I’ve described above using VMs deployed to my lab.
My lab is comprised of an AD domain, an OpsMgr management group and a Microsoft PKI as depicted below. I’ve also spun up a trial Azure subscription for the purpose of writing this post. Furthermore, I have configured cross-premises connectivity to my Azure virtual network via P2S VPN connections, from my OpsMgr Management Server and a second client, to my Azure Virtual Network which contains my Azure IaaS VMs. I won’t go into details about setting up connectivity to the Azure network because there already exists a great deal of excellent documentation on the subject. You’ll find steps for setting up Point-to-Site (P2S) VPN here, and for Site-to-Site (S2S) VPN here.
Regardless of whether you went the P2S or S2S route, the outcome, for this illustration, is the same: You will now have a connection to your Azure network. Confirm that this connection was successful by viewing the connection status in the dashboard for the Azure Virtual Network. In Azure, select Networks > click on your Virtual Network > click on the Dashboard tab.
Once you have cross-premises connectivity established between your intranet and the Azure network, and assuming that you already have VMs in your virtual network in Azure, you should now be able to ping them from an on-premise server if you set up S2S, or from the client, if you went the P2S route. Note the IP address for the VM resource in my virtual network: 10.0.1.4
As shown below, I’m able to ping the Azure VM from my on-premise server. If you are unable to communicate with your Azure VM(s) at this point, ensure that the VM is part of the correct Azure affinity group or Azure virtual network. This setting is configured during the creation of the Azure VM. Additionally, review the Windows firewall settings on the Azure VM.
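A ping only proves that ICMP echo is allowed, so it can pass while the agent port is still filtered, or fail while the port is open. The following PowerShell function is an added example, not part of the original post: it checks ICMP and a TCP port separately and reports which layer is failing. It assumes TCP 5723 (the default Operations Manager agent-to-management-server port, which the post does not name) and uses a placeholder management server name; run it on the Azure VM or gateway against your management server.

```powershell
# Added example. Assumptions: TCP 5723 is the default OpsMgr agent port;
# 'opsmgr-ms.example.internal' is a placeholder for your management server.
function Test-OpsMgrPath {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Port = 5723,
        [int]$TimeoutMs = 3000
    )
    foreach ($target in $ComputerName) {
        # ICMP: the same check as the ping described in the post.
        $icmp = Test-Connection -ComputerName $target -Count 2 -Quiet

        # TCP: attempt a real connection to the port with a bounded wait.
        $tcp = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($target, $Port, $null, $null)
            if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($pending)   # throws if the connection was refused
                $tcp = $client.Connected
            }
        } catch {
            $tcp = $false
        } finally {
            $client.Close()
        }

        # Combine both results into a hint about where to look next.
        $diagnosis = if ($icmp -and $tcp) {
            'Reachable and port open'
        } elseif ($icmp) {
            'Host up; port closed, filtered, or no listener'
        } elseif ($tcp) {
            'Port open; ICMP echo blocked by a firewall'
        } else {
            'No path: check VPN status, virtual network membership, Windows Firewall'
        }

        [pscustomobject]@{
            Target = $target; Port = $Port; Icmp = $icmp; Tcp = $tcp; Diagnosis = $diagnosis
        }
    }
}

Test-OpsMgrPath -ComputerName 'opsmgr-ms.example.internal' | Format-Table -AutoSize
```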
In the next part of this blog post, we will look into how to configure monitoring for the Azure IaaS VMs using System Center Operations Manager 2012 R2.