Azure Stack
Overview
Azure Stack is Microsoft's Azure Cloud for on-premises environments. Azure Stack contains the core Azure services, allowing organizations to take advantage of Azure's offerings with the security, compliance, and financial benefits of hosting it in their own data centers. Morpheus provides the following for Azure Stack:
- Virtual Machine Provisioning
- Backups / Snapshots
- Resource Group Sync & Selection
- Network Sync & Selection
- Security Group Sync & Selection
- Storage Account Sync & Selection
- Marketplace Search and Provisioning
- Remote Console
- Periodic Synchronization
- Lifecycle Management and Resize
- Availability Set Support
- Azure Load Balancers
- Azure Storage
- Docker Host Provisioning & Management
- Service Plan Sync
- Pricing Sync with markup options
- Cost Estimator
Combine these features with public Azure and Morpheus can provide a single pane of glass and self-service portal for managing instances scattered across both Azure offerings.
Requirements
Azure Stack Accessibility
By default, the Azure Stack management URLs are not accessible from an external network. Port mappings and DNS must be configured for communication between the Morpheus Appliance and Azure Stack.
Important
In order to communicate with Azure Stack, Morpheus must be able to reach the internal Azure Stack network. The Azure Stack Portal needs to be exposed to the Morpheus Appliance's network, with corresponding entries added to DNS.
One option to expose the internal Azure Stack network to the Morpheus Appliance's network is to use the Expose-AzureStackPortal.ps1 PowerShell script from https://gallery.technet.microsoft.com/scriptcenter/Expose-the-Azure-Stack-7ef68b19. An Azure Stack Port Mapping Tool is also available.
Below is a sample output from the script for reference:
[Admin Portal] Created port mappings on 10.30.23.120 to 192.168.102.8
[Admin Portal] Ports: 13011 30015 13001 13010 13021 13020 443 13003 12646 12647 12648 12649 12650 12495 13026 12499
[Admin Portal] DNS: 10.30.23.120 - adminportal.local.azurestack.external adminmanagement.local.azurestack.external
[Tenant Portal] Created port mappings on 10.30.23.121 to 192.168.102.10
[Tenant Portal] Ports: 13011 30015 13001 13010 13021 13020 443 13003 12646 12647 12648 12649 12650 12495 13026 12499
[Tenant Portal] DNS: 10.30.23.121 - portal.local.azurestack.external management.local.azurestack.external
[Blob Storage] Created port mappings on 10.30.23.122 to 192.168.102.4
[Blob Storage] Ports: 80 443
[Blob Storage] DNS: 10.30.23.122 *.blob.local.azurestack.external
VERBOSE: DNS delegation/forwarding is optional, change the DNS records on MAS-DC01 manually (dnsmgmt.msc from Host).
[DNS Delegation] Created port mappings on 10.30.23.120 to 192.168.200.224
[DNS Delegation] Ports: 53 (TCP/UDP)
[DNS Delegation] DNS: local.azurestack.external NS 10.30.23.120
[DNS Delegation] Change records on MAS-DC01 manually if you plan to use DNS forwarding.
[DNS Delegation] Change records back to the original internal IPs before running this script again.
VERBOSE: App Service detected and external IPs specified, creating mappings.
[App Service API] Created port mappings on 10.30.23.123 to 192.168.102.17
[App Service API] Ports: 443
[App Service API] DNS: 10.30.23.123 api.appservice.local.azurestack.external
[App Service Apps] Created port mappings on 10.30.23.124 to 192.168.102.15
[App Service Apps] Ports: 80 443 21 990
[App Service Apps] DNS: 10.30.23.124 *.appservice.local.azurestack.external
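Once the port mappings and DNS records are in place, it is worth confirming from the Morpheus side that each exposed name resolves to the mapped external address and that the portal ports answer, because a stale or missing record is the usual reason the cloud credentials later fail to validate. The following PowerShell check is an added example, not part of the Morpheus documentation or of the Expose-AzureStackPortal.ps1 script; it is meant to be run from a Windows host on the Morpheus Appliance's network, and the hostnames and external addresses it uses are taken from the sample output above (replace them with the values printed by your own run; the blob hostname is a constructed name under the wildcard record).

```powershell
# Added example: pre-flight check of the externally exposed Azure Stack endpoints.
# Addresses and names below are from the sample Expose-AzureStackPortal.ps1 output;
# substitute your own. Requires the DnsClient and NetTCPIP modules (Windows 8/2012+).
$endpoints = @(
    @{ Name = 'adminmanagement.local.azurestack.external'; Expect = '10.30.23.120'; Ports = 443 }
    @{ Name = 'adminportal.local.azurestack.external';     Expect = '10.30.23.120'; Ports = 443 }
    @{ Name = 'management.local.azurestack.external';      Expect = '10.30.23.121'; Ports = 443 }
    @{ Name = 'portal.local.azurestack.external';          Expect = '10.30.23.121'; Ports = 443 }
    # Any label under *.blob.local.azurestack.external should hit the blob mapping.
    @{ Name = 'morpheus.blob.local.azurestack.external';   Expect = '10.30.23.122'; Ports = 80, 443 }
)

foreach ($e in $endpoints) {
    # A records only; a CNAME chain is fine as long as it ends at the mapped address.
    $addresses = Resolve-DnsName -Name $e.Name -Type A -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A' |
                 Select-Object -ExpandProperty IPAddress
    if (-not $addresses) {
        Write-Warning "$($e.Name): no A record; add the DNS entry from the script output"
        continue
    }
    if ($addresses -notcontains $e.Expect) {
        Write-Warning "$($e.Name): resolves to $($addresses -join ',') (expected $($e.Expect))"
    }
    foreach ($port in $e.Ports) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
        $open = Test-NetConnection -ComputerName $e.Name -Port $port -WarningAction SilentlyContinue -InformationLevel Quiet
        if ($open) {
            Write-Output "$($e.Name):$port reachable"
        } else {
            Write-Warning "$($e.Name):$port not reachable; check the port mapping on $($e.Expect)"
        }
    }
}
```

Only the names Morpheus actually uses are listed; the App Service and DNS delegation mappings from the script output can be added to `$endpoints` in the same shape if those services are in use.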
Azure Stack Resources
The following resources need to be created and configured inside Azure Stack for successful provisioning:
- Resource Group(s)
- Virtual Network(s)
- Storage Account(s)
- Network Security Group(s)
  - Inbound ports open from the Morpheus Appliance: 22 (SSH), 5985 (WinRM), 3389 (RDP)
  - Outbound ports open to the Morpheus Appliance: 80, 443
Note
Proper Network and Network Security Group configuration is required for Morpheus agent install, communication, and remote console access. Other configurations, such as docker instances, will need the appropriate ports opened as well.
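The inbound ports above are management ports, so the Network Security Group should admit them only from the Morpheus Appliance address rather than from the default "Internet" source. The following is an added example of building such an NSG with the Az PowerShell modules; it is not Morpheus or Microsoft code, it assumes an Azure Stack session already opened with Connect-AzAccount, and the resource group name, region and appliance address are placeholders.

```powershell
# Added example: least-privilege NSG for VMs Morpheus will provision into Azure Stack.
# Assumes Connect-AzAccount has already been run against the Azure Stack ARM endpoint.
$rg         = 'morpheus-rg'      # placeholder: resource group created in Azure Stack
$location   = 'local'            # placeholder: Azure Stack region, typically "local"
$morpheusIp = '10.30.23.50/32'   # placeholder: Morpheus Appliance address as seen from Azure Stack

$rules = @(
    # Inbound from the appliance only: SSH and WinRM for Agent install, RDP for the remote console.
    New-AzNetworkSecurityRuleConfig -Name 'allow-morpheus-ssh'   -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $morpheusIp -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 22
    New-AzNetworkSecurityRuleConfig -Name 'allow-morpheus-winrm' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $morpheusIp -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 5985
    New-AzNetworkSecurityRuleConfig -Name 'allow-morpheus-rdp'   -Priority 120 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $morpheusIp -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389
    # Outbound to the appliance: Agent download (80) and reporting (443).
    New-AzNetworkSecurityRuleConfig -Name 'allow-agent-http-out'  -Priority 100 -Direction Outbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix $morpheusIp -DestinationPortRange 80
    New-AzNetworkSecurityRuleConfig -Name 'allow-agent-https-out' -Priority 110 -Direction Outbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix $morpheusIp -DestinationPortRange 443
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'morpheus-nsg' -SecurityRules $rules

# Sanity check before associating the NSG with a subnet or NIC: warn about any inbound
# Allow rule whose source is wider than the appliance address.
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.SourceAddressPrefix -ne $morpheusIp } |
    ForEach-Object { Write-Warning "Rule $($_.Name) allows inbound from $($_.SourceAddressPrefix -join ',')" }
```

The outbound rules are split per port rather than using a multi-port range so the example does not depend on the Azure Stack version supporting multiple port ranges in one rule. Docker hosts or other workloads that need additional ports get their own rules with the same source restriction.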
Required Credentials & Permissions
Credentials to integrate Morpheus with Azure Stack are located in both the public Azure Portal and the private Azure Stack Portal. The Azure Active Directory Application used must be an owner of the Azure Stack subscription.
- Azure Portal:
  - Azure Active Directory Application Credentials:
    - Directory ID
    - Management URL
    - Identity Resource URL
    - Application ID
    - Key Value
- Azure Stack Portal:
  - Azure Stack Subscription ID
  - Active Directory App from the Azure portal added as owner of the Azure Stack Subscription in Azure Stack.
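Before pasting the credential set into Morpheus, it is useful to prove that the Azure AD application can actually sign in against the Azure Stack management endpoint, can see the Azure Stack subscription, and holds the Owner role the integration requires. The following PowerShell script is an added example, not Morpheus or Microsoft code; it requires the Az modules, and every identifier in it (management URL, directory, application and subscription IDs, environment name) is a placeholder to be replaced with the values gathered above.

```powershell
# Added example: verify the Azure Stack service principal credentials before entering
# them in Morpheus. Requires the Az.Accounts and Az.Resources modules. All IDs are placeholders.
$managementUrl  = 'https://adminmanagement.local.azurestack.external/'   # MANAGEMENT URL
$tenantId       = '00000000-0000-0000-0000-000000000000'                 # Directory ID
$clientId       = '11111111-1111-1111-1111-111111111111'                 # Application ID
$subscriptionId = '22222222-2222-2222-2222-222222222222'                 # Azure Stack Subscription ID

# Prompt for the key value instead of embedding it in the script.
$secret = Read-Host -Prompt 'Application key value' -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential ($clientId, $secret)

# Register the Azure Stack ARM endpoint once; Az discovers the identity endpoints from it.
if (-not (Get-AzEnvironment -Name 'AzureStackAdmin' -ErrorAction SilentlyContinue)) {
    Add-AzEnvironment -Name 'AzureStackAdmin' -ArmEndpoint $managementUrl | Out-Null
}

# Sign in as the application (service principal), not as a user.
Connect-AzAccount -Environment 'AzureStackAdmin' -ServicePrincipal -Credential $cred -Tenant $tenantId | Out-Null

# The Azure Stack subscription must be visible to the app, otherwise Morpheus validation fails.
$sub = Get-AzSubscription -SubscriptionId $subscriptionId -ErrorAction Stop
Set-AzContext -Subscription $sub | Out-Null

# Role check: the app has to be an owner of the Azure Stack subscription.
$owner = Get-AzRoleAssignment -ServicePrincipalName $clientId -Scope "/subscriptions/$subscriptionId" |
         Where-Object RoleDefinitionName -eq 'Owner'
if ($owner) {
    Write-Output "Application $clientId is Owner on subscription $subscriptionId"
} else {
    Write-Warning "Application $clientId is not Owner on subscription $subscriptionId; add it under Access control (IAM) in the Azure Stack portal"
}

# A read call proves the token is accepted by this ARM endpoint; these are the Resource
# Groups Morpheus will offer once the cloud is saved.
Get-AzResourceGroup | Select-Object ResourceGroupName, Location
```

If Connect-AzAccount fails while the reachability check of the management URL succeeds, the problem is on the identity side (wrong Directory ID, expired key value, or the app not yet granted on the Azure Stack subscription) rather than in the port mappings.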
Adding an Azure Stack Cloud
Configure
In the Morpheus UI, navigate to Infrastructure > Clouds and select + CREATE CLOUD. Select AZURE STACK (PRIVATE) from the Clouds list and select NEXT.
In the Configure section, enter:
Cloud Configuration
- NAME
Name of the Cloud in Morpheus
- CODE
Unique code used for api/cli, automation and policies.
- LOCATION
Description field for adding notes on the cloud, such as location.
- VISIBILITY
For setting cloud permissions in a multi-tenant environment. Not applicable in single tenant environments.
- TENANT
If Visibility is set to Private, select the Tenant the Cloud resources will be assigned to.
- ENABLED
When disabled, automatic Cloud sync is paused and the Cloud will not be selectable for provisioning.
- AUTOMATICALLY POWER ON VMS
When enabled, Morpheus will maintain the expected power state of managed VMs. Morpheus will power on any managed VMs in the Cloud that have been shut down for unknown reasons (not powered off by Morpheus) to ensure availability of services.
Note
When “AUTOMATICALLY POWER ON VMS” is enabled, the power state of managed VMs should be maintained in Morpheus. This setting is not applicable to discovered/unmanaged resources.
Details
- IDENTITY URL
- MANAGEMENT URL*
Azure AD Azure Stack Administrator app or Microsoft Azure Stack Administrator app url. Example: https://adminmanagement.local.azurestack.external/
- IDENTITY RESOURCE URL
Azure AD Azure Stack Administrator App ID URI Example: https://adminmanagement.xxxxxxx.onmicrosoft.com/4a80e607-4259-4ac6-83e2-2fabeaf2eh83
- BASE DOMAIN
This should match the base domain in your Management url. Example: local.azurestack.external
- SUBSCRIPTION ID
Subscription ID from the Azure Stack portal (this is different from the Subscription ID in your Azure portal used when configuring Azure Stack).
- TENANT ID
This is the Directory ID from the Azure AD directory
- CLIENT ID
Application ID of Azure AD app with Azure Stack permissions granted, and has been added as an owner of the Azure Stack subscription (in the Azure Stack portal).
- CLIENT SECRET
Key Value of Application ID used above
Note
Once all credentials are entered and validated, the Location and Resource Group fields will populate.
- Location
Select an Azure Stack region for the cloud to scope to. This typically will be “local”.
- Resource Group
Select All or a single Resource Group to scope the cloud to. Selecting a single Resource Group will only sync resources in that Resource Group and disable Resource Group selection during provisioning. All will sync all resources and allow specifying the Resource Group during provisioning.
- Inventory Existing Instances
If enabled, existing Virtual Machines will be inventoried and appear as unmanaged Virtual Machines in Morpheus.
The Azure Stack cloud is ready to be added to a group and saved. Additional configuration options available:
Note
All fields and options can be edited after the Cloud is created.
Advanced Options
- DOMAIN
Specify a default domain for instances provisioned to this Cloud.
- SCALE PRIORITY
Only affects Docker Provisioning. Specifies the priority with which an instance will scale into the cloud. A lower priority number means this cloud integration will take scale precedence over other cloud integrations in the group.
- APPLIANCE URL
Alternate Appliance url for scenarios when the default Appliance URL (configured in admin > settings) is not reachable or resolvable for Instances provisioned in this cloud. The Appliance URL is used for Agent install and reporting.
- TIME ZONE
Configures the time zone on provisioned VMs if necessary.
- DATACENTER ID
Used for differentiating pricing among multiple datacenters. Leave blank unless prices are properly configured.
- NETWORK MODE
Unmanaged, or select a Network Integration (NSX, ACI, etc.).
- LOCAL FIREWALL
On or Off. Enable to manage Host and VM firewall/iptables rules (Linux only).
- SECURITY SERVER
Security Server setting is for Security Service Integrations such as ACI
- TRUST PROVIDER
Select Internal (Morpheus) or an existing Trust Provider Integration
- STORAGE MODE
Single Disk, LVM or Clustered
- BACKUP PROVIDER
Select a backup provider. Depending on the Cloud type and any currently-configured backup plugins you may select Internal Backups (Morpheus) or another configured backup solution
- REPLICATION PROVIDER
Sets the default Replication Provider for the Cloud. Select an existing Replication Provider Integration
- GUIDANCE
Enable Guidance recommendations on cloud resources.
- COSTING
Enable for Morpheus to sync Costing data from the Cloud provider, when available. For on-prem Clouds, enabling costing activates a costing service designed to mirror the live costing experience of public clouds, including invoicing with line items and real-time cost data (Operations > Costing > Invoices). If your organization utilizes reserved instances and you want to pull in related pricing data, some Cloud integrations include the option to select Costing and Reservations. If this is not relevant, select Costing to save money on additional calls to the Cloud provider’s costing API.
- DNS INTEGRATION
Records for instances provisioned in this cloud will be added to selected DNS integration.
- SERVICE REGISTRY
Services for instances provisioned in this cloud will be added to selected Service Registry integration.
- CONFIG MANAGEMENT
Select a Chef, Ansible or Puppet integration to be used with this Cloud.
- CMDB
Select CMDB Integration to automatically update selected CMDB.
- CMDB DISCOVERY
When checked, any automatically discovered (unmanaged) servers onboarded into Morpheus from this Cloud will also have CMDB records created for them.
- CHANGE MANAGEMENT
Select an existing Change Management Integration to set on the Cloud, e.g. Cherwell.
- AGENT INSTALL MODE
SSH / WINRM / Guest Execution: Morpheus will attempt to use SSH, WINRM or Guest Execution for Agent install.
Cloud Init / Unattend (when available): (DEFAULT) Morpheus will utilize Cloud-Init or Cloudbase-Init for agent install when provisioning images with Cloud-Init/Cloudbase-Init installed. Morpheus will fall back on SSH or WinRM if cloud-init is not installed on the provisioned image. Morpheus will also add Agent installation to Windows unattend.xml data when performing Guest Customizations or utilizing sysprepped images.
- VDI GATEWAY
Set a VDI Gateway for outbound communication from the Morpheus Appliance to the VDI endpoints. VDI Gateways can be added in /tools/vdi/gateways.
- CUSTOM LOGOS
When integrating a Cloud, it will appear by default throughout the UI with its standard logo (VMware logo for VMware Clouds, etc.). If desired, you may upload a custom logo that should appear instead. This might be useful for MSPs which might not want to reveal the Cloud type underlying their services. A dark mode version of the logo may also be uploaded if the standard logo doesn't look right against the Morpheus dark mode theme. Checking USE DEFAULT CLOUD LOGOS allows the user to return to the standard logo for the Cloud type without deleting the custom uploaded logo.
- INVENTORY OPTIONS
Inventory options allow you to set a default active or inactive state for certain discovered resources. The list of available resources to configure will vary based on the Cloud type and its supported resources. By default, all possible resources for the Cloud type will be discovered in an active state. Uncheck the box for some or all resources to discover them in an inactive state. The list of potential resources that may appear includes:
  - Service Plans
  - Resource Pools
  - Networks
  - Security Groups
  - Datastores
  - Folders
Provisioning Command
- PROXY
Set a proxy for inbound communication from Instances to the Morpheus Appliance. Proxies can be added in the Infrastructure > Networks > Proxies tab.
- Bypass Proxy for Appliance URL
Enable to bypass proxy settings (if added) for Morpheus Agent communication to the Appliance URL.
- NO PROXY
Include a list of IP addresses or name servers to exclude from proxy traversal
- USER DATA (LINUX)
Add cloud-init user data. Morpheus 4.1.0 and earlier assumes bash syntax. Morpheus 4.1.1 and later supports all User Data formats. Refer to https://cloudinit.readthedocs.io/en/latest/topics/format.html for more information.
Once all options are configured, select NEXT to add the cloud to a Group.
- GROUP
A Group must be specified or created for the new Cloud to be added to. Clouds can be added to additional Groups or removed from Groups after being created.
- USE EXISTING
Add the new Cloud to an existing Group in Morpheus.
- CREATE NEW
Creates a new Group in Morpheus and adds the Cloud to the Group.
Confirm all settings are correct and select COMPLETE. The Azure Stack Cloud will be added, and Morpheus will perform the initial cloud sync of:
- Virtual Machines (if Inventory Existing Instances is enabled)
- Networks
- Virtual Images/Blueprints
- Network Security Groups
- Storage Accounts
- Marketplace Catalog
- Availability Sets
Tip
Synced Networks can be configured or deactivated from the Networks section in this Cloud's detail page, or in the Infrastructure > Networks section.