Stefan Johner. Working with #Azure. Microsoft MVP. Likes cheese, chocolate and @burgdorferbier. Runs Experts Live Café Switzerland. Feed last updated Sat, 18 Nov 2017 21:34:08 +0000.

Circuits, Peerings, Pricing, Latency… All you need to know about Azure ExpressRoute
Fri, 17 Nov 2017 14:58:26 +0000

Since I have been dealing with Azure ExpressRoute lately, I will try to summarize some important aspects in a blog post and provide a high-level overview of Azure ExpressRoute.

To get started, one should know that there are basically three options to connect on-premises networks to Microsoft Azure:

  1. Internet
  2. Virtual Private Network (VPN)
  3. Azure ExpressRoute

Both internet and VPN connections may be suitable for you. When you are based in countries where good Internet connectivity is available (e.g. Switzerland), a VPN connection may be sufficient for most of the scenarios.

ExpressRoute basically provides a private, dedicated, high-throughput network connection between on-premises and Microsoft Azure. In general, reasons to go with ExpressRoute are the following:

  • Predictable performance
  • Private Layer 2 connection
  • Higher bandwidth (up to 10 Gbps)
  • Connectivity to Azure Public Services (e.g. Websites, Backup, etc.)

You may also get reasonable bandwidth and latency by using a VPN, but nobody will guarantee that this is always the case. One more thing to consider when going for a VPN connection is that bandwidth is limited to what Azure VPN gateways have to offer (1.25 Gbps at the time of writing).

For most companies dealing with network connectivity from on-premises locations to Azure, the easiest and most cost-efficient way is probably to start with VPN connections and move to ExpressRoute as cloud adoption and traffic increase.

If you are still interested in Azure ExpressRoute please continue reading and/or check out this Azure User Group Belgium talk by Kristof Rennen.

What is Azure ExpressRoute?

When talking about ExpressRoute, actually in most cases an ExpressRoute circuit is referenced. An ExpressRoute circuit represents a logical connection between the on-premises infrastructure and Microsoft cloud services through a connectivity provider (e.g. Equinix or interxion). So when thinking about using Azure ExpressRoute it is important to be aware that there is always a connectivity provider involved. You need to consider this when it comes to overall costs of ExpressRoute.

There are many providers offering Azure ExpressRoute connectivity with different characteristics (Cloud Exchange, Point-to-Point, Any-to-Any) and in different locations. Check out ExpressRoute partners and peering locations or ask your local Microsoft representative for more details.

There are many other providers offering ExpressRoute with different pricing options and SLAs. It is also possible to have ExpressRoute with different models (e.g. direct point-to-point connection or Layer 3 connectivity).

It is possible to order multiple ExpressRoute circuits. Each circuit can be in the same or different regions, and can be connected to on premises through different connectivity providers. A circuit has a fixed bandwidth and is mapped to exactly one connectivity provider and one peering location (e.g. West Europe).

Below you will find a big-picture diagram which hopefully gives you a good high-level overview of how ExpressRoute works. I will refer to some of the components outlined in the picture.

Common scenarios

There obviously exist a bunch of reasons to implement ExpressRoute. The following scenarios are probably the most common ones:

  • Storage, backup and recovery
  • BI and big data (working with big amounts of data in the cloud)
  • Hybrid apps (e.g. app in the cloud and database on premise)

Unlike Site2Site VPN which only works for IaaS, Azure ExpressRoute can be used with various other public services (e.g. Websites, IoT, Backup, database services).


A peering is essentially a collection of two BGP sessions between the on premises routers and the Microsoft ExpressRoute routers. If the Cloud Exchange Co-location or Point-to-Point Ethernet Connection connectivity models are used (which is the case for example when using Equinix Cloud Exchange or interxion Cloud Connect), the customer edge router (CE) would establish BGP peering with MSEEs. Provider edge customer facing (PE-CE) and Provider edge Microsoft facing (PE-MSEE) would still exist but be somewhat transparent as Layer 2 devices.

An ExpressRoute circuit can have multiple peerings associated with it:

  • Azure Private Peering for Virtual Networks and Virtual Machines
  • Azure Public Peering for Azure public IPs (Most of Azure services including PowerBI and Dynamics 365 for Finance and Operations)
  • Microsoft Peering for Office 365 and Dynamics 365 (except Dynamics 365 for Finance and Operations which is connected through public peering)

Each of the peerings mapped to a circuit is configured identically on a pair of routers (in active-active or load sharing configuration) for high availability.

The recommended configuration is that private peering is connected directly to the core network, and the public and Microsoft peering links are connected to your DMZ.

Private peering

Azure compute services, namely virtual machines (IaaS) and cloud services (PaaS), that are deployed within a virtual network can be connected through the private peering domain.

The private peering domain is considered to be a trusted extension of your core network into Microsoft Azure.

Bi-directional connectivity between your core network and Azure virtual networks (VNets) is possible. This peering can be used to connect to virtual machines and cloud services directly on their private IP addresses.

Public peering

Services such as Azure Storage, SQL databases, and Websites are offered on public IP addresses. Public peering can be used to privately connect to services hosted on public IP addresses.

The public peering domain can be connected to a DMZ and connect to all Azure services on their public IP addresses from WAN without having to connect through the internet.

Connectivity is always initiated from your WAN to Microsoft Azure services. Microsoft Azure services will not be able to initiate connections into your network through this routing domain.

Microsoft peering

Microsoft peering is used to connect to Microsoft online services (such as Office 365 services). However, Software as a Service offerings like Office 365 and Dynamics 365 were created to be accessed securely and reliably via the Internet, and most of them require an Internet connection no matter whether ExpressRoute is implemented or not. ExpressRoute is only recommended in specific scenarios for these applications (e.g. direct networking for regulatory purposes, or where a network assessment for Skype for Business connectivity requires it).

For Microsoft Peering, the Premium Add-on and authorization from Microsoft are required.

Bandwidth options

ExpressRoute circuits can be provisioned with the following bandwidths (as of November 2017). It is recommended to start with a smaller bandwidth and expand once ExpressRoute is up and running.

  • 50 Mbps
  • 100 Mbps
  • 200 Mbps
  • 500 Mbps
  • 1 Gbps
  • 2 Gbps
  • 5 Gbps
  • 10 Gbps

The bandwidth selected is shared across all the peerings for the circuit and it is only possible to upgrade bandwidth (no downgrade). ExpressRoute circuit bandwidth can be increased without having to tear down the connections.


Round Trip Time (RTT) is of course heavily dependent on the locations and regions which are going to be connected. As a benchmark, RTT is around 14 ms for Zurich to West Europe (Amsterdam) and about 32 ms for Zurich to North Europe (Dublin).

Virtual Network Gateways

A virtual network gateway is used to send network traffic between Azure virtual networks and on-premises locations. When you configure an ExpressRoute connection, you must create and configure a virtual network gateway and a virtual network gateway connection.

Several gateway SKUs exist. The higher the SKU, the more CPUs and network bandwidth are allocated to the gateway. As a result, the gateway can support higher network throughput to the virtual network. The following ExpressRoute gateways are available at the time of writing. All of them can coexist with a VPN gateway.

  • Standard SKU (1000 Mbps)
  • High Performance SKU (2000 Mbps)
  • Ultra Performance SKU (9000 Mbps)

Availability and Failover

For ExpressRoute high availability, Microsoft requires a redundant pair of BGP sessions between MSEEs and PE-MSEEs. A redundant pair of network paths is also encouraged between the customer network and the PE-CEs.

In terms of failover, it is possible to have two different Virtual Network Gateways – one for backup VPN and one for ExpressRoute. ExpressRoute and VPN gateways can coexist in one virtual network. However each virtual network can have only one virtual network gateway per gateway type (e.g. one ExpressRoute and one VPN Gateway).

Site-to-Site VPN failover

It is possible to configure a Site-to-Site VPN connection as a backup for ExpressRoute. However this is only possible for virtual networks linked to the Azure private peering path. There is no VPN failover solution for services accessible through Azure public and Microsoft peerings.

However as outlined here, there are some limitations which need to be considered:

  • Transit routing is not supported. You cannot route (via Azure) between your local network connected via Site-to-Site VPN and your local network connected via ExpressRoute.
  • Basic SKU gateway is not supported. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN gateway.
  • Only route-based VPN gateway is supported. You must use a route-based VPN Gateway.
  • Static route should be configured for your VPN gateway. If your local network is connected to both ExpressRoute and a Site-to-Site VPN, you must have a static route configured in your local network to route the Site-to-Site VPN connection to the public Internet.
  • ExpressRoute gateway must be configured first and linked to a circuit. You must create the ExpressRoute gateway first and link it to a circuit before you add the Site-to-Site VPN gateway.


Of course cost is an important aspect of Azure ExpressRoute. There are various aspects to be aware of when calculating pricing of an Azure Express Route implementation:

  • Express Route circuit
  • Express Route provider
  • Virtual network gateway
  • Land line to entry point / peering location

Pricing example

The following example pricing is based on a real sample and should give you a rough overview of the costs which might occur for an ExpressRoute implementation (as of writing in November 2017). Pricing is based on a sample Azure ExpressRoute implementation in Switzerland; of course prices vary according to the chosen provider, the location of the infrastructure and the Azure region you want to connect to.

In addition to the monthly fees shown below, one-time fees for providing cages in the provider peering location may apply as well. Depending on the chosen provider you may be able to just have one physical connection which can be shared to connect to additional cloud providers like Amazon AWS and Oracle.

You will notice that the cost of the Azure ExpressRoute circuit itself is much lower than the cost charged by the provider.

SKU                                        Base Price      Price/Month     Notes
Express Route 1Gbps                        CHF 393.75      CHF 393.75      West Europe, Metered
Outbound data transfer                     CHF 0.0226/GB   CHF 716.70      1TB/day = 31TB/month
Standard ExpressRoute Gateway              CHF 0.1716/hr   CHF 127.67      744h, bandwidth up to 1Gbps
Two Cabinets at Cloud Exchange Location    CHF 2000/mth    CHF 4000
Two Cloud Exchange Ports                   CHF 185/mth     CHF 370         2 x 10GB
Two Cross Connects to Cloud Exchange       CHF 120/mth     CHF 240
Virtual Circuit to Cloud Service Provider  CHF 185/mth     CHF 370         2 x 1GB
Remote Virtual Circuit                     CHF 600/mth     CHF 1200        2 x 1GB
Total                                                      CHF 7418


Azure ExpressRoute pricing also depends on which zone is going to be connected.

For ExpressRoute, the following sub-regions correspond to Zones 1, 2, 3 and Government, where a sub-region is the lowest level geo-location that you may select to deploy your applications and associated data (e.g. West US, North Europe).

  • Zone 1: West US, East US, North Central US, South Central US, East US 2, Central US, West Europe, North Europe, Canada East, Canada Central
  • Zone 2: East Asia, Southeast Asia, Australia East, Australia Southeast, Japan East, Japan West, Korea Central, Korea South, India South, India West, India Central
  • Zone 3: Brazil South
  • Government Zone: US Gov Iowa, US Gov Virginia

For ExpressRoute deployments in the Europe region (sub-regions North Europe and West Europe), outbound data transfer is therefore charged at Zone 1 pricing (CHF 0.0226 per GB as of November 2017).

Pricing Options

There exist two pricing plans to choose from. Both options include unlimited inbound data transfer.

  • Metered Data (no outbound data transfer included; outbound data transfer is charged at a rate based on the corresponding Zone)
  • Unlimited Data (unlimited outbound data transfer included)

In general the Unlimited Data pricing option would be a better choice if you have high levels of utilization, and the Metered Data pricing option would be preferable for low levels of utilization.

Typically the metered option is cheaper as long as less than 60% of the maximum bandwidth is used per month. Keep in mind that it is not possible to switch back from an unlimited to a metered connection.

Connection to Azure regions

Once connected to an ExpressRoute location, users can connect to other regions in the same geo at no additional cost over existing plan charges. For example, once connected to an ExpressRoute location in Europe (North Europe, West Europe), customers can send or retrieve data to or from any Azure region in Europe without the need to pay an additional fee on top of their existing plan charges.

With the ExpressRoute Premium Add-on, an ExpressRoute circuit created in any region will have access to resources across any other region in the world. For example, a virtual network created in West US can be accessed through an ExpressRoute circuit provisioned in West Europe.


I will not go into details about security since I am in no way an expert in this field. However, there is one thing which is sometimes not thought of in the first place: although ExpressRoute is a private connection, traffic flowing over it is not encrypted. Encryption in transit can of course be achieved by encrypting the traffic flowing over the connection yourself, for example by deploying physical and/or virtual encryption devices on both sides (e.g. Fortinet, F5, Steelhead, etc.).


Fluentd Sessions at Open Source Summit 2017
Sun, 24 Sep 2017 20:14:02 +0000

Probably all of you know that a vital part of the Operations Management Suite Agent for Linux is based on the open source data collector Fluentd. Those of you who are interested in the OMS Agent for Linux should definitely take a look at the following presentations, which were held at Open Source Summit Japan from May 31 to June 2, 2017 in Tokyo.

  • Fluentd v1.0 in a nutshell by Nakagawa Masahiro
  • Fluentd 101 by Satoshi Tagomori
  • Cloud Native Logging by Eduardo Silva
  • Taking Kubernetes to the Next Level with Fluentd and OpenShift by Steven Pousty


Use Azure CLI 2.0 behind corporate proxy server
Sun, 24 Sep 2017 19:22:15 +0000

There exist different options to script, control, modify and automate your Azure environment. The most popular one is probably the Azure PowerShell module. However, there is another good option to consider when managing your Azure environment: Azure CLI.

Azure CLI is open source and built on Python, which offers good cross-platform capabilities. The cool thing about Azure CLI is that you can use it on pretty much all known platforms like macOS, Windows and Linux. This means you do not have to learn another command line tool for each platform. Best of all: you can use it in your browser with Azure Cloud Shell (which is now also possible with PowerShell, as announced at Ignite 2017).

I have been using Azure CLI for a while now, and using it behind corporate proxy servers gets a little clumsy. For some time Azure CLI was not supported behind corporate proxies at all. However, it seems that this was already fixed on 2015.03.04 in version 0.8.16, but this is not reflected on the GitHub project wiki.

Due to the way Azure authentication works, Azure CLI needs to pass an authentication payload through the HTTPS request, which is denied at authentication time by your corporate proxy. When executing az login you will receive a TIMEOUT message; this is expected.

Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='', 
port=443): Max retries exceeded with url: /common/oauth2/devicecode?api-version=1.0 
(Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x04C655D0>: 
Failed to establish a new connection: [WinError 10060]

This can easily be solved by setting the HTTPS_PROXY environment variable. If you don’t know what proxy you are using, check out this superuser answer.


After setting HTTPS_PROXY in your command prompt you should be able to successfully execute az login and connect to your Azure environment.

For a permanent solution just add the above variable to your environment variables.

HTTPS_PROXY environment variable
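As an added example (not code from the original post), the session-level and permanent variants of the HTTPS_PROXY setting in PowerShell, with a reachability check on the proxy itself before az login runs; the proxy address is an assumption.

```powershell
# Added example: configure HTTPS_PROXY for Azure CLI on a Windows box.
# The proxy URL below is an assumed placeholder; replace it with your own.
param(
    [string]$Proxy = 'http://proxy.corp.example:8080'
)

function Test-ProxyReachable {
    param([Parameter(Mandatory)][string]$ProxyUrl)
    # The TIMEOUT / WinError 10060 shown above means the client never reached any
    # host at all, so first confirm the proxy itself answers on its port.
    $uri = [Uri]$ProxyUrl
    if ($uri.Scheme -notin 'http', 'https') {
        throw "HTTPS_PROXY must be an http:// or https:// URL, got '$ProxyUrl'"
    }
    $result = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    return [bool]$result.TcpTestSucceeded
}

# Session-only: every process started from this prompt, including az, inherits it.
$env:HTTPS_PROXY = $Proxy
if (-not (Test-ProxyReachable -ProxyUrl $Proxy)) {
    throw "Proxy $Proxy is not reachable; check the address before retrying az login"
}

# Should now show the device-code prompt instead of timing out.
az login

# Permanent: store the variable in the user's environment so new sessions get it too.
[Environment]::SetEnvironmentVariable('HTTPS_PROXY', $Proxy, 'User')
```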


Issue with renewal of existing Let’s Encrypt certificates
Fri, 01 Sep 2017 21:29:31 +0000

I am a fan of Let’s Encrypt. I think this initiative has vastly improved the Internet experience of everyone and brought big progress in terms of securing the entire web. The graphics below are taken from the Let’s Encrypt stats page.

The process of installing and using Let’s Encrypt on your machines is pretty straightforward and there are plenty of guides out there which explain this in detail for various distributions.

However, if you have been using Let’s Encrypt for some time now, it might happen that after installing the letsencrypt package on your Ubuntu box you are unable to renew certificates. This occurred to me when I changed from certbot to the (apparently older) letsencrypt package in Ubuntu 16.04.

You might get an error similar to this one when trying to renew your existing certificates.

WARNING:letsencrypt.cli:Attempting to renew cert from
/etc/letsencrypt/renewal/ produced an unexpected error: 'server'.

The older Ubuntu package is not forward-compatible with configuration files generated by more recent releases. Fixing this comes down to pretty much three options:

  • Continue using certbot.
  • Start with a new configuration. Clean /etc/letsencrypt and then re-issue all certificates.
  • Try to manually fix the configuration.

To me, the best option seemed to be to start with a new configuration and re-issue all certificates with the default Ubuntu letsencrypt package.

sudo apt-get install letsencrypt

I then successfully created new certificates. However when renewing for the first time, I ran into the following error message. The message is actually pretty clear on how to resolve the issue but I decided to reference it anyway to point out that the apache plugin may need to be installed.

sjohner@donald:~$ sudo letsencrypt renew
Processing /etc/letsencrypt/renewal/
2016-09-29 20:48:48,959:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: The requested apache plugin does not appear to be installed. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)
1 renew failure(s), 0 parse failure(s)

Installing the Apache plugin for Let’s Encrypt, python-letsencrypt-apache, resolves the issue.

$ sudo apt-cache search letsencrypt
letsencrypt - Let's Encrypt main client
python-letsencrypt - Let's Encrypt main library
python-letsencrypt-apache - Apache plugin for Let's Encrypt
python-letsencrypt-apache-doc - Apache Let's Encrypt plugin documentation
python-letsencrypt-doc - Let's Encrypt client documentation
$ sudo apt-get install python-letsencrypt-apache


Service Manager Installation by using a PowerShell Script
Thu, 24 Aug 2017 11:02:59 +0000

This is the fifth part of a blog post series called “Installing Service Manager 2016” and covers how to install a secondary Service Manager 2016 management server and the necessary prerequisites by using a PowerShell script.

When it comes to Service Manager installations, it sometimes feels like one has to solve a big puzzle until finally having a working installation. Besides the installation being somewhat time consuming, there are also multiple prerequisites which have to be installed. Also see my previous post about installing Service Manager 2016 for more information about the necessary prerequisites.

To facilitate this process I created a PowerShell script which automatically downloads and installs all the necessary prerequisites as well as Service Manager itself. The benefit of having an install script is of course that you don’t have to click through all these manual steps with the installer but also that every installation which is performed with this script looks the same. As a nice side-effect, the installation is already documented by the script.

The script is not perfect and it will not do all the work for you. You still have to install SQL Server and create the service user accounts as well as the administrator security group. But since most of the time the database and Active Directory users are provided by a separate team, this should not bother you too much.

Basically the script performs the following steps:

  1. Check if it was executed with administrative privileges
  2. Check if specified service and workflow accounts are available
  3. Check if the specified service account has local admin permissions
  4. Check if the SQL connection is available
  5. Install .Net framework (sxs folder has to be present)
  6. Install prerequisites (download them if not already present)
  7. Install Service Manager 2016 (either as primary or additional management server)
  8. Add DAL registry settings
  9. Restart computer
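As an added example (not the author's Install-SCSM2016.ps1), here is how steps 1 to 4 of the procedure above can be implemented as pre-flight checks in PowerShell; the account names and the SQL Server instance are assumed placeholders.

```powershell
# Added example: prerequisite checks before a Service Manager 2016 setup.
# All default values below are assumptions for illustration.
[CmdletBinding()]
param(
    [string]$ServiceAccount  = 'CONTOSO\svc-scsm',     # assumed service account
    [string]$WorkflowAccount = 'CONTOSO\svc-scsmwf',   # assumed workflow account
    [string]$SqlServer       = 'SQL01\SCSM',           # assumed SQL Server instance
    [string]$Database        = 'master'
)

function Test-IsAdministrator {
    # Step 1: the setup only works from an elevated session.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    # Resolve DOMAIN\user to its SID; returns $null when the account does not exist.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

function Test-DomainAccount {
    param([Parameter(Mandatory)][string]$Account)
    # Step 2: the service and workflow accounts must already exist in Active Directory.
    return $null -ne (Get-AccountSid -Account $Account)
}

function Test-LocalAdminMembership {
    param([Parameter(Mandatory)][string]$Account)
    # Step 3: the service account needs local admin rights on the management server.
    # SIDs are compared instead of names, and only direct members of the group are
    # listed, so membership through a nested group reports $false here.
    $targetSid = Get-AccountSid -Account $Account
    if (-not $targetSid) { return $false }
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    return [bool]($admins | Where-Object { $_.SID.Value -eq $targetSid })
}

function Test-SqlConnection {
    param([Parameter(Mandatory)][string]$Server, [string]$Database = 'master')
    # Step 4: open a trusted connection as the calling user and run a trivial query,
    # so the check proves both network reachability and a working SQL login.
    $connection = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=$Database;Integrated Security=True;Connect Timeout=15")
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        $command.CommandText = 'SELECT @@VERSION'
        return [string]$command.ExecuteScalar()
    } catch {
        Write-Verbose "SQL connection to $Server failed: $($_.Exception.Message)"
        return $null
    } finally {
        $connection.Dispose()
    }
}

$checks = [ordered]@{
    'Running elevated'                  = Test-IsAdministrator
    "Service account $ServiceAccount"   = Test-DomainAccount -Account $ServiceAccount
    "Workflow account $WorkflowAccount" = Test-DomainAccount -Account $WorkflowAccount
    "$ServiceAccount is local admin"    = Test-LocalAdminMembership -Account $ServiceAccount
    "SQL login on $SqlServer"           = [bool](Test-SqlConnection -Server $SqlServer -Database $Database)
}
foreach ($check in $checks.GetEnumerator()) {
    Write-Verbose ('{0,-45} {1}' -f $check.Key, $check.Value)
}
if ($checks.Values -contains $false) {
    throw 'At least one prerequisite check failed; fix it before starting the Service Manager setup.'
}
```

Run it with -Verbose to see each check's result; the throw at the end stops an automated install before the setup executable is launched with a broken prerequisite.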

Make sure the script is started with a user account that has administrative privileges on the Service Manager server as well as appropriate permissions on the SQL database which is used for installation.

The following files have to be present on the machine you want to install Service Manager 2016:

  • Service Manager source files
  • Windows Server 2016 sxs folder for installation of .NET framework 3.5

If you do not have an internet connection on that machine, you can copy the prerequisite executables to the corresponding machine. The script checks whether the prerequisites are already available and will not try to download them in that case.

I recommend using the following directory structure but you are free to pass other values for sxs, source and prerequisites folders.

PS C:\Install> ls

    Directory: C:\Install

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        8/23/2017   2:51 PM                prereq
d-----        8/23/2017   2:17 PM                source
d-----        8/23/2017   2:48 PM                sxs
-a----        8/23/2017   2:29 PM          14295 Install-SCSM2016.ps1

When running the script you can specify if you are installing a primary or additional management server. Furthermore (at least for now) you need to set several variables at the beginning of the script. For example you will need to specify service account usernames and passwords as well as database server and license key. This could be improved by importing the necessary variables from a csv file for example or by passing the appropriate values to corresponding parameters.

I recommend running the script with the -Verbose switch, which gives you some log output about what’s going on in the background. You can also check the Service Manager installation log file, which is located in the temp directory (‘C:\Users\<User>\AppData\Local\Temp’).

The script has been tested with Service Manager 2016 installed on Windows Server 2016 with SQL Server 2016. It is available for download on my Service Manager GitHub repository and Technet Gallery. Please feel free to get it from there and contribute to the project. If you have any suggestions/issues concerning the script, please report them on the corresponding GitHub issue page or even better implement changes by yourself and push back to the repository so that others can benefit from your ideas as well 🙂


Speaking at Experts Live Europe 2017
Wed, 14 Jun 2017 15:47:57 +0000

Only a few weeks are left until the Experts Live Europe conference 2017 kicks off. This year Experts Live is taking place from August 23 – 25 in the Berlin Congress Center in Berlin, Germany. Six tracks and more than 100 sessions are waiting for you! If you want to learn and network about Microsoft cloud, datacenter and workplace solutions, you should definitely book this event!

Experts Live Europe


For all of you who do not know Experts Live Europe, Marcel Zehner wrote a nice blog post on why you definitely should not miss this amazing event if you are interested in any Microsoft cloud related topics. Experts Live Europe will bring together the Microsoft IT Pro Community from all over the world, including a large number of Microsoft MVPs and (former) Microsoft employees.

I will co-host two sessions at this year's event:

  • Azure TestDev Labs – What the heck is it?
    Wednesday, August 23 • 10:45am – 11:45am
    In this session we show you how you can use Azure TestDev Labs to build your own lab and keep control of cost and resources.

  • sudo OMS loves Linux
    Thursday, August 24 • 8:00am – 9:00am
    This session is all about how we can manage Linux workloads in our data centers using Microsoft Operations Management Suite. We will discuss how to automate, monitor, configure and manage Linux operating systems that are running in your hybrid data center using different OMS solutions. Session takeaways: OMS Log Analytics for Linux, integrating Zabbix/Nagios/syslog with OMS, Linux configuration management with OMS, Update Management & Change Tracking, Container Management in OMS.

Hope to see you in Berlin! 🙂

Sunrise Berlin

By Lear 21 (own work) [CC BY-SA 4.0], via Wikimedia Commons

SCSM 2016 UR3 breaks HTML portal Hamburger menu hyperlinks
Fri, 09 Jun 2017 13:24:27 +0000

Update: This has been fixed with Update Rollup 4 for System Center 2016 Service Manager.

This issue was initially discovered by Jure Jeram and all credit for the workaround below goes to him. His findings are also documented in the Service Manager forums. Thanks for sharing your findings!

With update rollup 3 for Service Manager 2016 released by the end of May 2017, a small issue seems to pop up after applying it to the out of the box HTML portal of Service Manager 2016.

The installation of UR3 applies some changes to the files sidenavigator.js and Sidebar.cshtml of the HTML portal. However it seems as if this breaks the hyperlinks in the expanded Hamburger menu on the portal.

Basically several lines in menuActions function in sidenavigator.js are commented out after applying update rollup 3.

Sidenavigator.js after installing UR3

Furthermore, UR3 adds some hyperlink HTML tags to Sidebar.cshtml. It seems that some functionality affecting the Hamburger menu was moved from sidenavigator.js to Sidebar.cshtml with update rollup 3.

Sidebar CSHTML Minimized Menu

But apparently these changes are only added for the minimized version of the Hamburger menu; they are missing for the expanded menu.

Sidebar CSHTML Expanded Menu

As Jure outlines in the Technet forums, as a workaround we can add the missing HTML tags manually in the Sidebar.cshtml file. All we have to do is add the following code to each menu item:

@* Expanded Hamburger menu: each item wraps its icon and label in an <a> so the link works again after UR3 *@
<div class="row side_nav_home">
    <a class="side_nav_bar_icon" href="/home">
        <span class="icon-Dictionary icon-medium icon icon-pos"></span>
        <span class="icon-text icon-text-pos">@Resources.SelfServicePortalResources.ServiceCatalog</span>
    </a>
</div>
<div class="row side_nav_request">
    <a class="side_nav_bar_icon" href="/MyRequests">
        <span class="icon-ContactInfo icon-medium icon icon-pos"></span>
        <span class="icon-text icon-text-pos">@Resources.SelfServicePortalResources.MyRequests</span>
    </a>
</div>
<div class="row side_nav_activities">
    <a class="side_nav_bar_icon" href="/MyActivities">
        <span class="icon-MultiSelectMirrored icon-medium icon icon-pos"></span>
        @if (ViewBag.Notications > 0)
        {
            <div class="notification"><span class="activities_count">@ViewBag.Notications</span></div>
        }
        <span class="icon-text icon-text-pos">@Resources.SelfServicePortalResources.MyActvities</span>
    </a>
</div>
<div class="row side_nav_help">
    <a class="side_nav_bar_icon" href="/KnowledgeBase">
        <span class="icon-WhatsThis icon-medium icon icon-pos"></span>
        <span class="icon-text icon-text-pos">@Resources.SelfServicePortalResources.HelpArticles</span>
    </a>
</div>

Sidebar CSHTML Expanded Menu Added Links

Hope this helps you work around the issue for the time being. I reported this on Microsoft Connect, feel free to vote on it if you are affected.

Microsoft OMS Update Deployment for Linux
Thu, 04 May 2017 16:10:09 +0000

About two weeks ago, Microsoft quietly introduced Update Deployments for Linux in Operations Management Suite. The Update Management solution in OMS allows you to manage updates for your Windows as well as your Linux computers. The status of available updates can be quickly assessed, and you can initiate installation of required updates for your Windows and, since lately, also your Linux servers (supported distributions). The cool thing here: it doesn’t matter where your servers are located. With OMS you can concentrate all your machines in one place, no matter whether they are running in AWS, Azure, Google Cloud Platform, in your own datacenter or wherever. Just install the OMS Agent and you are good to go. For more information about using the OMS Agent for Linux, check out my previous post Working with Operations Management Suite Agent for Linux.


First of all, let’s check what we need to use Update Deployments for our Linux machines. Putting aside the requirements for Windows servers, the Update Management solution supports the following distributions:

  • CentOS 6 (x86/x64), and 7 (x64)
  • Red Hat Enterprise 6 (x86/x64), and 7 (x64)
  • SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64)
  • Ubuntu 12.04 LTS and newer x86/x64

Furthermore the Linux agents must of course be installed on your box and have access to an update repository.

Important point here: all available updates from the given repository are going to be installed. There is no way of selecting which updates should be installed by using OMS. The solution always reports how up-to-date the given computer is based on the source it is configured to synchronize with. This can of course be a local repository or a public repository. If you want more granular control over updates, you need to provide your own repository so that only approved packages are available.

Another note: OMS Agent for Linux configured to report to multiple OMS workspaces is not supported with Update Management solution (yet).

Computers which are configured for Update Management use the following components for performing assessment and update deployments (just install OMS Agent for Linux, it will take care of PowerShell DSC and Hybrid Runbook Worker components):

Now let’s take a look at what happens when using the OMS Update Management solution with your Linux machines. The following schema is taken from the Microsoft documentation and describes the procedure when using the OMS Update Management solution.


  1. The OMS Agent for Linux scans for available updates every 3 hours and reports their status to OMS. Note that it can take anywhere from 30 minutes up to 6 hours for the dashboard to display updated data from managed computers.
  2. OMS users review the update assessment and define a deployment schedule in the OMS portal.
  3. The Hybrid Runbook Worker running on your Linux machine checks for maintenance windows and deployments.
  4. If the machine is affected by an Update Deployment (either as a direct member or as a member of a computer group), it uses the appropriate package manager (Yum, Apt or Zypper) to install the available packages.
  5. The OMS Agent for Linux reports the status of the Update Deployment back to OMS.
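Because step 4 installs everything the repository offers, and the only approval control is the repository itself, a practitioner usually wants to know what a deployment would pull in before the window opens. The following pre-deployment check is an added example, not code from the original post or from Microsoft: it parses the output of apt-get -s upgrade and flags packages whose origin is not the approved internal mirror. The mirror's Origin value (InternalMirror) and the sample apt output are constructed assumptions; yum and zypper would need their own parsers.

```shell
#!/bin/sh
# Added example, not code from the original post. OMS installs every update
# the configured repository offers, so this pre-deployment check parses the
# output of `apt-get -s upgrade` and flags packages that would come from any
# origin other than the approved internal mirror.

# Assumed Origin value set in the internal mirror's Release file.
APPROVED_ORIGIN="${APPROVED_ORIGIN:-InternalMirror}"

# Constructed sample of `apt-get -s upgrade` output (not captured from a real host).
SAMPLE_APT_SIM='Inst libssl1.0.0 [1.0.2g-1ubuntu4.8] (1.0.2g-1ubuntu4.9 InternalMirror:16.04/xenial-security [amd64])
Inst curl [7.47.0-1ubuntu2.2] (7.47.0-1ubuntu2.3 InternalMirror:16.04/xenial-updates [amd64])
Inst htop [2.0.1-1] (2.0.2-1 Ubuntu:16.04/xenial-updates [amd64])
Conf libssl1.0.0 (1.0.2g-1ubuntu4.9 InternalMirror:16.04/xenial-security [amd64])'

# Print one "<package> <new-version> <origin>" line per package apt would
# install. Only "Inst" lines count; "Conf" lines are configuration steps.
pending_updates() {
    printf '%s\n' "$1" | awk '
        $1 == "Inst" {
            # Layout: Inst <pkg> [<old>] (<new> <Origin:Version/Suite> [<arch>])
            # The [<old>] field is absent for new installs, so locate the "(".
            for (i = 3; i <= NF; i++) if (substr($i, 1, 1) == "(") break
            print $2, substr($i, 2), $(i + 1)
        }'
}

# Subset of pending_updates whose Origin is not the approved mirror.
unapproved_updates() {
    pending_updates "$1" | awk -v ok="$APPROVED_ORIGIN" '{
        split($3, o, ":"); if (o[1] != ok) print
    }'
}

# Summarise; returns 1 if anything would be pulled from an unapproved origin,
# which is the case to fix (or to remove from sources) before the window.
report() {
    total=$(pending_updates "$1" | wc -l | tr -d ' ')
    bad=$(unapproved_updates "$1")
    echo "packages the deployment would install: $total"
    if [ -n "$bad" ]; then
        echo "from unapproved origins:"; printf '%s\n' "$bad"; return 1
    fi
    echo "all pending updates come from $APPROVED_ORIGIN"
}

# Demo over the constructed sample; on a managed host use
#   report "$(apt-get -s upgrade 2>/dev/null)"
report "$SAMPLE_APT_SIM" || true
```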

Updates are installed by runbooks in Azure Automation. When enabling this solution, any Windows or Linux computer directly connected to your OMS workspace is automatically configured as a Hybrid Runbook Worker to support the runbooks included in this solution. These runbooks are not visible and they do not require any configuration. When an Update Deployment is created, a schedule is created that starts a master update runbook at the specified time for the computers included in the deployment. This master runbook then starts a child runbook on each agent which performs installation of required updates. For each computer managed by the solution, a new Hybrid Runbook Worker Group will be listed in your OMS-Automation account following the naming convention Hostname FQDN_GUID. You can see the created Hybrid worker groups when looking at your OMS-Automation account in Azure.

Update Management Hybrid Runbook Workers

So once the OMS Agent is installed on your server, it starts reporting update status to OMS and you will see the Update Management dashboard being populated with data.

Update Management Overview

As you can see above, both of my Linux computers are actually missing some optional updates, so let’s create a deployment to install these packages. To do so, scroll to the right in the Update Management solution and select Manage Update Deployments. You will get a screen where you can add a new deployment.

Update Management Add Deployment

The above deployment is configured to deploy updates to my test server. This happens once but you are also able to configure weekly or monthly recurring update deployments.

Important note here: when you include computer groups in your update deployment, group membership is evaluated only once, at the time the schedule is created. Subsequent changes to a group are not reflected. Unfortunately, the only workaround is to delete the scheduled update deployment and recreate it.

Also note that your deployments must have unique names; otherwise you will not be able to create the deployment. This is probably because the master runbooks created in your Automation account are named after the deployment.

Update Management Deployment with same name

At the given time, the scheduled deployment runs and installs all available updates on the machine. When the deployment is completed, you can check details on affected computers and installed updates by drilling into the deployment.

Update Management Successful Deployment

OMS Update Management is a neat solution to keep track of the update status of your Linux (and of course Windows) machines. Functionality at this time is somewhat limited because you still rely on a separate process and/or tool to approve which updates should be installed (like WSUS for Windows or Spacewalk for Linux). But you certainly get a great overview of the patch status in your heterogeneous environment, and you have a single point of entry to manage system updates, no matter whether the systems run Windows or Linux, on premises or in a public cloud.

Speaking at Experts Live Switzerland
Wed, 03 May 2017 20:42:26 +0000

I am happy to be speaking at Experts Live Switzerland 2017, which takes place May 17th in Bern, Switzerland. Experts Live Switzerland 2017 is a community event which focuses on Microsoft Cloud, Datacenter and Workplace Management topics. I will speak about how OMS enables modern IT management, including real-time insights, control & compliance and security in the world of the hybrid cloud.


All sessions except the welcome and closing keynotes are held in German. The event takes place May 17th in Bern, so save the date and hopefully you will join my session. Make sure you check out the Experts Live Switzerland website for registration and Marcel Zehner’s blog post for more information about this event.

Speaking at Global Azure Bootcamp Switzerland 2017
Thu, 20 Apr 2017 13:44:38 +0000

I am happy to speak at this year’s Global Azure Bootcamp event in Zürich, Switzerland! Azure Bootcamp Switzerland takes place on April 22nd at Microsoft Switzerland in Wallisellen. All around the world, user groups and communities will come together once again in the fifth great Global Azure Bootcamp event! Each user group will organize its own one-day deep-dive class on Azure. The result is that thousands of people get to learn about Azure and join together online under the social hashtag #GlobalAzure!


Together with my buddy Stefan Roth I will talk about Microsoft Operations Management Suite (OMS). Come to our session and get an overview of the most important elements and functionality of Microsoft OMS.

If you want to join us, there is still time to sign up for Azure Bootcamp Switzerland: use Eventbrite to register for this free event.
The Bootcamp is organized by the Azure Zurich User Group and the Azure Cloud User Group Switzerland and will take place at Microsoft Switzerland in Wallisellen. Find more details on the Global Azure Bootcamp Switzerland website.
