Azure Sphere – Initial Setup, Configuration and First Impressions

In April this year, Microsoft announced Azure Sphere. This was the same week as I was preparing for a presentation I was giving on Azure IoT at the Sydney location for the Global Azure Bootcamp. When pre-orders became available from Seeed Studio I naturally signed up, as I’ve previously bought many IoT related pieces of hardware from Seeed Studio.

Fast forward to this week and the Azure Sphere MT3620 device shipped. It’s a long weekend here in Sydney, Australia and delivery wasn’t due until after the long weekend, but by some miracle the package was delivered on the Friday by DHL after only leaving China 3-4 days earlier.

What a great opportunity then to un-box it, get it configured and build the sample “Hello World” (Blinky) project.

Getting Started

Following the “Get Started Guide” here I was straight away perplexed as to why Visual Studio was required, when I’ve made the complete transition to Visual Studio Code.

It seems there isn’t support in the IoT Workbench Extension in VS Code for the MT3620 yet.


After patching and updating my now out-of-date Visual Studio installation I was finally able to install the VS Tools for Azure Sphere, which also come with the TAP Driver needed to communicate with the device over the USB port during setup.


With that all done it needs to be connected to Azure Active Directory. For that I created a new user for use with Azure Sphere in my Azure AD Tenant and then proceeded to login to Azure AD with that account.

azsphere login



Once successfully logged in (if you try with a Microsoft Account you’ll get a message indicating Azure AD is required), it prompts you to create an Azure Sphere Tenant.

Create Tenant and Claim the Device

With the Azure Sphere device connected to the Windows 10 computer you are executing the command from, and as this is the first-time setup, an Azure Sphere Tenant needs to be created and the device claimed.

azsphere tenant create --name 
azsphere device claim


Connecting to Wifi

With the Azure Sphere Tenant created and the device claimed, it’s time to connect it to Wifi.

azsphere device wifi show-status
azsphere device wifi add --ssid  --key


Checking the Wifi status again after connecting shows the device’s connection state.

azsphere device wifi show-status


Checking the Azure Sphere OS Version against what is available shows it’s on the latest.

azsphere device show-ota-status


Blink Example Project

With the device now configured it was time to try out the sample project. Again following the instructions, I first enabled debugging.

azsphere device prep-debug


Following the example in the Getting Started Guide I built the Blink Example project and ran it. It all worked as per the instructions. Pressing the A button with debugging enabled allowed the state of the device (button) to be read and output.


Summary

The setup was very quick, completely painless and just worked. So initial impressions are positive. My only gripe is that the Azure IoT Workbench Extension for VS Code doesn’t support the hardware. I’m hoping that comes soon.

Now to build something with it. What to build ……..

 

Remove/Modify Specific AWS Tags from the Environment- PowerShell

Why use TAGs

To help you manage your instances, images, and other Amazon EC2 resources, you can optionally assign your own metadata to each resource in the form of tags. This topic describes tags and shows you how to create them.

(Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html)

Problem :

Sometimes tags are applied in environments before a tagging strategy has been developed. The problem increases exponentially with the size of the environment and the number of users creating resources.

Currently we are looking for a solution to remove specific unwanted tags from EC2 instances or modify the tag values which are incorrect.

For this purpose, the script below was developed to solve the problem for AWS.

Solution :

The script below performs the following tasks:

  • Get the list of all the EC2 instances in the tenant
  • Loop through all the EC2 instances
  • Get values of all the tags in the environment
  • Check each Tag Key and Tag Value.
  • Modify or remove the tag value (based on requirement)

Code:

# Set up the AWS profile once using the Access Key and Secret Key. Run this line
# interactively rather than leaving real keys in the saved script; the script
# then only needs the stored profile name.
Set-AWSCredential -AccessKey AccessKey -SecretKey SecretKey -StoreAs ProfileName

# Getting the list of all the instances in the tenant
$instances = (Get-EC2Instance -ProfileName ProfileName -Region RegionName).Instances

$tagkeytoremove   = 'TAG1'          # Declaring the tag key to remove / modify
$tagvaluetoremove = 'ChangePLease'  # Declaring the tag value to remove / modify
$NewTagValue      = 'NewTagValue'   # Declaring the new tag value

foreach ($instance in $instances) # Looping through all the instances
{
    $OldTagList = $instance.Tags
    foreach ($tag in $OldTagList) # Looping through all the tags
    {
        if ($tag.Key -ceq $tagkeytoremove -and $tag.Value -ceq $tagvaluetoremove) # Comparing the tag key and value (case-sensitive)
        {
            # Use the current $instance, not the whole $instances collection,
            # so only this instance's tag is touched.
            Remove-EC2Tag -Resource $instance.InstanceId -Tag $tag `
                -ProfileName ProfileName -Region RegionName -Force # Removing the old tag key/value pair
            New-EC2Tag -Resource $instance.InstanceId -Tag @{ Key = $tag.Key; Value = $NewTagValue } `
                -ProfileName ProfileName -Region RegionName -Force # Adding the new tag key/value pair
        }
    }
} # Loop ends
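As an added example (not the post’s script), the same task written audit-first: list every tagged resource carrying the unwanted key/value before changing anything, then replace or remove the tag with -WhatIf support. It generalises the post’s loop from EC2 instances to every resource type DescribeTags returns; the profile name, region and tag values are placeholders.

```powershell
# Added example, not the post's script. Assumes the AWS Tools for PowerShell EC2
# module is installed and a stored credential profile exists; profile, region and
# tag values below are placeholders.

function Get-NonCompliantTag {
    # Audit step: return every resource carrying the unwanted key/value pair.
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value,
        [string] $ProfileName = 'ProfileName',
        [string] $Region = 'ap-southeast-2'
    )
    # Server-side DescribeTags filter: only matching tags come back, so there is
    # no need to pull every instance and walk its tag list. This also covers
    # volumes, snapshots, security groups etc., not just instances.
    $filters = @(
        @{ Name = 'key';   Values = $Key },
        @{ Name = 'value'; Values = $Value }
    )
    # Keep the post's exact, case-sensitive match as the final gate.
    Get-EC2Tag -Filter $filters -ProfileName $ProfileName -Region $Region |
        Where-Object { $_.Key -ceq $Key -and $_.Value -ceq $Value } |
        Select-Object ResourceId, ResourceType, Key, Value
}

function Set-ReplacementTag {
    # Remediation step: replace the value (default) or remove the tag (-Remove).
    # SupportsShouldProcess makes -WhatIf / -Confirm work for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $OldValue,
        [string] $NewValue,
        [switch] $Remove,
        [string] $ProfileName = 'ProfileName',
        [string] $Region = 'ap-southeast-2'
    )
    if (-not $Remove -and -not $NewValue) { throw 'Specify -NewValue or -Remove.' }
    $common = @{ ProfileName = $ProfileName; Region = $Region; Force = $true }

    foreach ($hit in Get-NonCompliantTag -Key $Key -Value $OldValue -ProfileName $ProfileName -Region $Region) {
        $action = if ($Remove) { "Remove tag $Key" } else { "Change tag $Key from '$OldValue' to '$NewValue'" }
        if (-not $PSCmdlet.ShouldProcess($hit.ResourceId, $action)) { continue }
        try {
            if ($Remove) {
                # With Value given, DeleteTags only removes the tag if the value still matches.
                Remove-EC2Tag -Resource $hit.ResourceId -Tag @{ Key = $Key; Value = $OldValue } @common
            } else {
                # CreateTags overwrites an existing key in place, so one call
                # replaces the value; no separate Remove-EC2Tag is needed.
                New-EC2Tag -Resource $hit.ResourceId -Tag @{ Key = $Key; Value = $NewValue } @common
            }
        } catch {
            # One resource per call, so a failure here does not abort the rest.
            Write-Warning "Failed on $($hit.ResourceId): $_"
        }
    }
}

# Preview first, then re-run without -WhatIf once the list looks right.
Get-NonCompliantTag -Key 'TAG1' -Value 'ChangePLease' | Format-Table -AutoSize
Set-ReplacementTag -Key 'TAG1' -OldValue 'ChangePLease' -NewValue 'NewTagValue' -WhatIf
```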

 

Use AppKey to change WebApp's default DNS settings since ASE App Services don't inherit vnet's DNS settings

Recently I helped a customer with an App Service implementation. The web app was deployed in an isolated App Service Environment (ASE) and connected to enterprise VNets spanning on-prem servers and Azure subscriptions. When the application tried to connect to the on-prem SQL DBs, it threw an exception: the SQL DB name couldn’t be resolved. I checked the ASE VNet’s DNS settings and they looked fine to me, pointing to the correct internal DNS servers. So what caused the issue?

Firstly, I worked with the app team to test using the DB server IP instead of the DB server name and re-ran the app. It connected successfully and retrieved SQL data, which proves that the issue is related to name resolution (most likely a DNS issue) rather than network access.

Next, I tried to verify the traffic flow. Through the Kudu console I ran “nslookup” in the cmd console and saw the result below: the web app was using the MS DNS server 168.63.129.16 instead of the internal DNS servers. Believe it or not, the web app didn’t inherit the DNS settings from the ASE’s connected VNet, which I’m afraid is the root cause.

nslookup result

After researching on the MSDN blog, I found a way to manually override the MS default DNS settings for the web app: add the app keys “Website_DNS_Server=primary DNS server IP” and “Website_DNS_ALT_Server=secondary DNS server IP” under App Settings. This makes sense, since a web app is a PaaS application and we don’t have control of the underlying infrastructure.

app setting screenshot

After adding the app keys “Website_DNS_Server=primary/secondary server IP” and restarting the web app, the web app started using the correct internal DNS servers to resolve SQL host names. 😊
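To apply the fix above from PowerShell rather than the portal, here is an added example (not from the original post) that sets the two documented app settings, WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER, without wiping the settings the app already has, then restarts it. It assumes the Az.Websites module and an existing Connect-AzAccount session; the resource group, app name and DNS server addresses are placeholders.

```powershell
# Added example, not code from the original post. Requires the Az.Websites module
# and a signed-in Az session. Resource group, app name and DNS addresses below are
# placeholders to replace with your own.
function Set-WebAppDnsServers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $ResourceGroupName,
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [ipaddress] $PrimaryDns,   # [ipaddress] rejects typos early
        [ipaddress] $SecondaryDns
    )

    $app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name

    # Caveat: Set-AzWebApp -AppSettings REPLACES the whole collection. Start from a
    # copy of the current settings so connection strings, keys etc. survive.
    $settings = @{}
    foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }

    $settings['WEBSITE_DNS_SERVER'] = $PrimaryDns.IPAddressToString
    if ($SecondaryDns) {
        $settings['WEBSITE_DNS_ALT_SERVER'] = $SecondaryDns.IPAddressToString
    } else {
        $settings.Remove('WEBSITE_DNS_ALT_SERVER')   # no stale secondary left behind
    }

    $what = 'Set WEBSITE_DNS_SERVER / WEBSITE_DNS_ALT_SERVER and restart'
    if ($PSCmdlet.ShouldProcess("$ResourceGroupName/$Name", $what)) {
        Set-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name -AppSettings $settings | Out-Null
        # DNS settings are read at process start, so the app must restart to pick them up.
        Restart-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name | Out-Null
    }
}

# Dry run first (-WhatIf), then repeat without it. Afterwards, in the Kudu cmd console,
# "nslookup <sql host>" should report one of the internal servers on its "Server:" line.
Set-WebAppDnsServers -ResourceGroupName 'rg-placeholder' -Name 'webapp-placeholder' `
    -PrimaryDns '10.0.0.4' -SecondaryDns '10.0.0.5' -WhatIf
```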
 


Creating custom Deep Learning models with AWS SageMaker


This blog will cover how to use SageMaker, and I’ve included the code from my GitHub, https://github.com/Steve–Hunter/DeepLens-Safety-Helmet.

1 What is AWS SageMaker?

AWS (Amazon Web Services) SageMaker is “a fully managed machine learning service. With Amazon SageMaker, data scientists and developers can quickly and easily build and train machine learning models, and then directly deploy them into a production-ready hosted environment.” (https://docs.aws.amazon.com/sagemaker/latest/dg/whatis.html). In other words, SageMaker gives you a one-stop-shop to get your Deep Learning models going, in a relatively friction-less way.
Amazon have tried hard to deliver a service that appeals to the life-cycle for developing models, which are the results of training. It enables Deep Learning to complete the virtuous circle of:

Data can cover text, numeric, images, video – the idea is that the model gets ‘smarter’ as it learns more of the exceptions and relationships in being given more data.
SageMaker provides Jupyter Notebooks as a way to develop models; if you are unfamiliar, think of Microsoft OneNote with code snippets, you can run (and re-run) a snippet at a time, and intersperse with images, commentary, test runs. The most popular coding language is Python (which is in the name of Jupyter).

2 AI / ML / DL ?

I see the phrases AI (Artificial Intelligence), Machine Learning (ML) and Deep Learning used inter-changeably, this diagram shows the relationship:



(from https://www.geospatialworld.net/blogs/difference-between-ai%EF%BB%BF-machine-learning-and-deep-learning/)

So I see AI encompassing most things not yet possible (e.g. Hollywood ‘killer robots’); Deep Learning has attracted attention, as it permits “software to train itself”; this is contrary to all previous software, which required a programmer to specifically tell the machine what to do. What makes this hard is that it is very difficult to foresee everything that could come up, and almost impossible to code for exceptions from ‘the real world’. An example of this is machine vision, where conventional ‘rule-based’ programming logic can’t be applied, or if you try, only works in very limited circumstances.
This post will cover the data and training of a custom model to identify people wearing safety helmets (like those worn on a construction site), and a future post will show how to load this model into an AWS DeepLens (please see Sam Zakkour’s post on this site). A use case for this would be getting something like a DeepLens to identify workers at a construction site that aren’t wearing helmets.

3 Steps in the project

This model will use a ‘classification’ approach, and only have to decide between people wearing helmets, and those that aren’t.
The project has 4 steps:

  • Get some images of people wearing and not wearing helmets
  • Store images in a format suitable for Deep Learning
  • Fine tune an existing model
  • Test it out!

3.1 Get some images of people wearing and not wearing helmets

The hunger for data to feed Deep Learning models has led to a number of online resources that can supply data. A popular one is Imagenet (http://www.image-net.org/), with over 14 million images in over 21,000 categories. If you search for ‘hard hat’ (a.k.a ‘safety helmet’) in Imagenet:

Your query returns:

The ‘Synset’ is a kind of category in Imagenet, and covers the inevitable synonyms such as ‘hard hat’, ‘tin hat’ and ‘safety hat’.
When you expand this Synset, you get all the images; we need the parameter in the URL that uniquely identifies these images (the ‘WordNet ID’) to download them:

Repeat this for images of ‘people’.
Once you have the ‘WordNet ID’ you can use this to download the images. I’ve put the code from my Jupyter Notebook here if you want to try it yourself https://github.com/Steve–Hunter/DeepLens-Safety-Helmet/blob/master/1.%20Download%20ImageNet%20images%20by%20Wordnet%20ID.ipynb
I added a few extras in my code to:

  1. Count the images and report on them
  2. Continue on a bad image (one poisoned my .rec image file!)
  3. Parameterise the root folder and class for images

This saves the images to the SageMaker server in AWS, where they are picked up by the next stage …

3.2 Store images in a format suitable for Deep Learning

It would be nice if we could just feed in the images as JPEGs, but most image processing frameworks require the images to be pre-processed, mainly for performance reasons (disk IO). AWS uses MXNet a lot, and so that’s the format I used, ‘ImageRecord’ format or recordIO. You can read more about it here https://gluon-cv.mxnet.io/build/examples_datasets/recordio.html, and the Jupyter Notebook is here https://github.com/Steve–Hunter/DeepLens-Safety-Helmet/blob/master/2.%20Store%20images%20into%20binary%20recordIO%20format%20for%20MXNEt.ipynb .
The utility to create the ImageRecord format also splits the images into

  • a set of training and testing images
  • images that show wearing and not wearing helmets (the two categories we are interested in)

It’s best practice to train on one set of images but test on another, in a ratio of around 70:30. This avoids the curse of deep learning, ‘over-fitting’, where the model hasn’t really learned ‘in general’ what people wearing safety helmets look like, only the ones it has seen already. This is the really cool part of deep learning: it really does learn, and can tell from an unseen image if there is a person (or people) wearing a safety helmet!
The two ImageRecord files for training and testing are stored in SageMaker, for the next step …

3.3 Fine tune an existing model

One of my favourite sayings is by Isaac Newton: “If I have seen further it is by standing on the shoulders of Giants.” This applies to Deep Learning; in this case the ‘Giants’ are Google, Microsoft etc., and ‘standing on’ is the open source movement. You could train your model on all 14 million images in Imagenet, taking weeks and an immense amount of compute power (which only Google/Microsoft can afford, but they generously open source the trained models), but a neat trick in deep learning is to take an existing model that has been trained and ‘re-purpose’ it for what you want. There may not be a pre-trained model for the images you want to identify, but you can find something close enough, and train it on just the images you want.
There are so many pre-trained models, the MXNet framework refers to them as a ‘model zoo’, the one I used is called ‘Squeezenet’ – there are competitions to find the model that can perform best, and Squeezenet gives good results, and is small enough to load onto a small device like a DeepLens.
So the trick is to start with something that looks like what we are trying to classify; Squeezenet has two existing categories for helmets, ‘Crash helmet’ and ‘Football helmet’.
When you use the model ‘as is’, it does not perform well and gets things wrong: telling it to look for ‘Crash Helmets’ in these images, it thinks it can ‘see them’. There are two sets of numbers below, each representing the probability of the corresponding image having a helmet in it. Both numbers are percentages; the first is the predicted probability of a helmet, the second of there not being a helmet.

Taking ‘Crash helmet’ as the starting point, I re-trained (also called ‘fine tuning’ or ‘transfer learning’) the last part of the model (the purple block on the far right) to learn what safety helmets look like.

The training took about an hour, on an Amazon ml.t2.medium instance (free tier) and I picked the ‘best’ accuracy, you can see the code and runs here: https://github.com/Steve–Hunter/DeepLens-Safety-Helmet/blob/master/3.%20Fine%20tune%20existing%20model.ipynb

3.4 Test it out!

After training things improve a lot – in the first image below, the model is now 96% certain it can see safety helmets, and in the second 98% certain it is not.
What still ‘blows my mind’ is that there are multiple people in the image – the training set contained individuals, groups, different lighting and helmet colours – imagine trying to ‘code’ for this in a conventional way! But the model has learned the ‘helmet-ness’ of the images!




You can give the model an image it has never seen (e.g. me wearing a red safety helmet, thanks fire warden!):

4 Next

My GitHub goes onto cover how to deploy to a DeepLens (still working on that), and I’ll blog about how that works later, and what it could do if it ‘sees’ someone not wearing a safety helmet.
This example is a simple classifier (‘is’ or ‘is not’ … like the ‘Silicon Valley’ episode of ‘Hotdog not hotdog’), but could cover many different categories, or be trained to recognise people’s faces from a list.
The same method can be applied to numeric data (e.g. find patterns to determine if someone is likely to default on a loan), and with almost limitless cloud-based storage and processing, new applications are emerging.
I feel that the technology is already amazing enough, we can now dream up equally amazing use cases and applications for this fast moving and evolving field of deep learning!

Cloud PABX with On-premises PSTN connectivity

Sometimes my consulting engagements require creative thinking on how we can deliver Skype for Business services based on the customer needs and the timing of suitable products becoming available to the market. In this case my customer wanted Skype for Business Online with Enterprise Voice and Telstra Calling for Office 365. At the time the Telstra PSTN calling plan was not generally available. Business issues and time constraints required the business to implement a new greenfield solution within a week. Normal Telco lead times and gateway acquisitions can take four to six weeks to have SIP infrastructure ready. Gateway acquisitions can be expensive, especially if the gateway becomes redundant when the customer moves to a full cloud solution as soon as Telstra PSTN calling plans for SFB are available.
In this design I implemented a hybrid solution using a new Skype for Business Server deployment and PSTN connectivity through a third-party SIP trunk provider for Skype for Business. Through this provider we could purchase PSTN numbers and connectivity without the need for a hardware gateway appliance. The solution required a hybrid topology. The initial implementation required an on-premise solution with a single Skype for Business front end server and an SFB edge.
The users are initially homed on-premise and PSTN is delivered through 3rd party SIP trunks terminating on the Mediation Server role. The PSTN media is anchored through a registered public IP that the Telco provider allows. On the Skype for Business server the 3rd party SIP hosting service is configured as a standard PSTN gateway.
To take advantage of Microsoft Cloud PABX features we can simply migrate the on-premise user to the cloud. In this topology, users are homed in the cloud on Skype for Business Online instead of on the on-premise deployment.
With this option, your Skype for Business Online users get their Enterprise Voice PSTN connectivity through the on-premises Skype for Business Server deployment.
So how does Cloud PABX know to associate the on-premise PSTN with the user?
Through the Office 365 online PowerShell portal we can look at the user’s online properties. The Get-CsOnlineUser command needs to show on-prem Enterprise Voice enabled, a SIP address and the on-premises Line URI, as in the example below.
Next, in the on-premise SFB Management Shell I run the Get-CsUser command to retrieve the user’s on-premise properties and find the user is assigned the voice routing policy Global-Hybrid. I then run the Get-CsVoiceRoutingPolicy command to check the Global-Hybrid voice routing policy and determine the PSTN usages assigned to the user. The PSTN usage configuration in the on-premise server determines the route used to dial out.
The Cloud PABX user and an on-premise SFB user in this SFB hybrid scenario will both follow the on-premise call routing logic. The PSTN usage configuration in the on-premise server will send the call to the 3rd party SIP trunk provider.
Note: Telstra calling for Office 365 with Skype for Business is now available. This will allow a PSTN calling solution without any on-premises infrastructure.
Keith

Removing blockers for Cloud PABX with On-Premise PSTN for Skype for Business Online.

Overcoming obstacles to migrating to cloud-based enterprise voice solutions is achievable through clever design options. Some enterprise infrastructure managers may feel that their legacy voice environment is restricting the migration of voice services to cloud-based offerings like Skype for Business or Microsoft Teams. However, Microsoft offers a variety of design options for enabling PSTN connectivity for Office 365 accounts or Skype for Business accounts through your on-premise Skype for Business Server deployment. Microsoft Cloud PBX with PSTN access through a hybrid Skype for Business on-premise deployment can provide a strategic migration path.
Your goal may be a full unified communications cloud vision, for example Skype for Business Cloud PABX with Telstra Calling for Office 365 plans, or a hybrid, but your organisation’s migration strategy may be blocked. This can arise for some of the following reasons:

  1. Locked in TELCO contract or Investments in On-Premises PSTN connectivity
  2. Legacy PABX infrastructure capital investment.
  3. Existing On-premise server applications ie: contact centre and call recording Solutions.
  4. Dependency on analogue infrastructure

With a hybrid SFB solution it is possible to realise a staged migration to hosted Cloud PABX services now. Your migration strategy may therefore be to migrate some of the user base now and test cloud-based telephony until the restricting forces are removed.
In this scenario you can move users to Skype for Business Online Cloud PBX with SFB on-premise PSTN connectivity.
Skype for Business Server Hybrid deployment
The diagram shows a hybrid design that consists of a Skype for Business Server on-premise deployment federated with Office 365. Users can be homed on premises or online in cloud. The users will be able to make and receive calls through existing on-premises voice infrastructure. Notice that existing legacy PABX infrastructure is integrated into the solution. Additional third party gateways from Microsoft qualified gateway provider can deliver multiple connectivity options for legacy infrastructure to integrate into a SFB solution.
Overcoming the barriers for migration to Skype for Business:

  1. The business can maintain existing TELCO PSTN contracts. Existing PSTN services can terminate on SFB session border controllers that are controlled through the on-premise server. The business can then simply port the existing number range to new Office 365 Telstra PSTN plans when existing contracts expire.
  2. Integration with legacy PABX solutions can be maintained through SIP or ISDN links between SFB and 3rd party PABX solutions through a session border controller. This can maintain investments in legacy services while also enjoying the benefits of Microsoft Cloud PABX and the digital workspace.
  3. Key users on legacy contact centre and call recording applications can remain on existing platforms. Cloud based contact centre solutions can be evaluated, and migration strategies separating contact centre users from the rest of the business can be created.
  4. Legacy analogue requirements may be maintained through SFB on-premise servers and provision of analogue gateways.

Therefore, if your business objective is progressing to Cloud based enterprise voice infrastructure and committed to Office 365 Cloud PABX as your voice solution then you have migration strategies with a SFB Hybrid design.
Keith Coutlemanis

IaaS Application Migration – Go Live Decision Responsibility Model, High Level Run Sheet and Change Management Life Cycle

Go Live Decision Responsibility Model

A go-live decision model helps to assign accountability to key project stakeholders in order to make decision to proceed with go-live on an agreed date or not. Below is an example responsibility model that will guide to create a required decision responsibility model.

High Level Run Sheet

A run sheet is a list of procedures or events organised in progressive sequence to execute the agreed outcome. The sheet below is an example that can be used as part of an application migration to the cloud.

Change Management Life Cycle

The objective of change management in this context is to ensure that standardised methods and procedures are used for efficient and prompt handling of all changes to control IT infrastructure, in order to minimise the number and impact of any related incidents upon service (ITSM Best Practice).
In this context, below is a simple change management practice model that can be used to control all changes to IT infrastructure in an IaaS application migration.

Summary

I hope you found these examples useful in assisting and completing your application migration.
 

IaaS Application Migration – Governance, Escalation & Warranty Period Model

What is Governance and Escalation Model – IaaS Application Migration Project

A governance model is the mechanism used by project management to translate the elements of the governance framework and policies into practices, procedures, and job responsibilities within the boundary of the project. An escalation plan is a set of procedures put in place to deal with potential problems in a variety of contexts. Example: the project team needs to reach out to a key stakeholder in the program to make a go-live/roll-back decision.

Why Governance and Escalation Model is important

  • To understand clear direction
  • To make key decisions
  • Clear roles and responsibilities
  • Stakeholder visibility and assistance
  • Escalation path is defined to assist
  • Budget tracking
  • To track the delivery of project

IaaS Application Migration Project Governance Model

Below is an example of a governance model.

Application Migration – Escalation Matrix

Below is an example of an escalation matrix, showing the three levels to escalate through when required.

Application Migration – Incident Management Process

Typically, the IaaS project will use the existing incident management process but will provide project support assistance if required to resolve an incident related to new migration or roll-back. These activities occur during post go-live warranty periods or when an application is rolled back but caused an incident.

Application Migration – Telephone Conference Details

It is important to provide telco details to jump on conference calls. These are for technical and non-technical management and resolution activities.

Warranty Period – Definition


  • Provision of IaaS project resources to provide assistance to the BAU teams, in the event that incidents require support and or resolution for an agreed period of time. By definition BAU teams can constitute application teams, vendor A and vendor B infrastructure teams.
  • A warranty entails an obligation to eliminate any defects in the operation of a product directly related to production workloads and as a result of project activity. During the warranty period the project must fix all defects within the agreed time limit, provided that the following conditions are met:
    • evidence of system issue(s) is given;
    • agreement that the issue occurred due to a project activity;
    • no unwarranted interference with the migrated application;
    • application feature is covered in the requirements.

Application Migration – Warranty Support Activities

Typical warranty period activities include:

  • Warranty support from the project will be provided for a minimum of 14 days after the application has been successfully migrated, or for the period agreed by the steering committee / IT owners.
  • Project team will update Service Desk with newly migrated application details prior and post application being migrated.
  • Project team will be available from 8am post migration day, to provide support if required, including to participate in warranty meetings.
  • Project team will assist to resolve migration related incidents during the agreed warranty period.
  • Project incident queue will be created via <TOOL> to direct required project support to incidents. These incidents will be clearly tagged by BAU team to separate from other BAU incidents to assist IT scorecard.
  • TOOL group needs to be monitored after a cutover during warranty period.
  • Existing incident management and major incident management process will be followed, project team will be notified by BAU team to participate if required.
  • A change freeze period is agreed before and after migration with application owners.
  • If significant changes are expected to resolve an incident due to project activity, the effort/Charges will be absorbed by the project team.
  • If required, project team will participate in the Daily Operational Forum.
  • Go/No Go – at the agreed point of no return after a successful cutover and during the warranty period, rollback or fix-forward will be performed if issues are pending. The final decision maker is the sponsor, while the contributors are the Project, Service Delivery Team and IT owners.


Go/No Go – Decision 2 (During Warranty Period) – Criteria for Consideration – Rollback/Fix Forward


Exit Criteria – Warranty Period

Example exit criteria for leaving the warranty period:

  • All critical issues have been resolved.
  • All project related incidents have been updated/resolved.
  • All necessary and required knowledge and documentation have been updated.
  • Evidence of testing details available from testing tool.
  • IT Owners sign-off obtained.
  • BAU acceptance obtained for migrated applications from the organisation’s SDM.

Summary

I hope that above examples are useful to your project to create an effective governance, escalation and warranty period model. Thanks.

Scheduled Runbook Tasks at background to automatically back up VMs with tag@{backup = 'true'}

I always like to create automation tasks to replace tedious manual click jobs. This can be very helpful for customers with large environments. In this blog, I want to share the Azure Runbook which I made to run in the Azure background and automatically back up the VMs with tag @{backup = ‘true’}. This can standardise VM backup with a certain backup policy, automatically audit the environment and make sure the required compute VM resources are backed up.
In order to run the runbook, add below modules into your Azure automation account environment:

  • RecoveryServices Version 4.1.4
  • RecoveryServices.backup Version 4.3.0

Pic1
Below is the Runbook PS script file:
[code language="powershell"]
# Authenticate with the Automation account's Run As connection
# (a certificate-based service principal; no password is stored in the runbook).
function Login() {
    $connectionName = "AzureRunAsConnection"
    try {
        Write-Verbose "Acquiring service principal for connection '$connectionName'" -Verbose
        $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

        Write-Verbose "Logging in to Azure..." -Verbose
        Add-AzureRmAccount `
            -ServicePrincipal `
            -TenantId $servicePrincipalConnection.TenantId `
            -ApplicationId $servicePrincipalConnection.ApplicationId `
            -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null
    }
    catch {
        if (!$servicePrincipalConnection) {
            throw "Connection $connectionName not found."
        }
        else {
            Write-Error -Message $_.Exception
            throw $_.Exception
        }
    }
}

Login

# Global variables: adjust to your environment
$rsVaultName   = "myRsVault"
$rgName        = "edmond-guo-rg"       # resource group of the vault (and key vault)
$location      = "Australia Southeast"
$keyvault      = "edkeyvault1"         # key vault holding keys/secrets of encrypted VMs
$vmrg          = "VMs"                 # resource group containing the VMs to back up
$policyName    = "NewPolicy"
$retentionDays = 365

# Every VM in the VM resource group tagged backup=true
$backupvms = (Get-AzureRmResource -Tag @{ backup = "true" } `
    -ResourceGroupName $vmrg `
    -ResourceType Microsoft.Compute/virtualMachines).Name

if (-not $backupvms) {
    Write-Output "No VMs tagged backup=true found in resource group $vmrg; nothing to do."
    return
}

# Register the Recovery Services provider (idempotent, safe to repeat on every run)
Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.RecoveryServices" | Out-Null

# Create the Recovery Services vault only if it does not exist yet.
# Storage redundancy can only be changed while the vault has no protected items,
# so it is set right after creation and never touched again.
$vault1 = Get-AzureRmRecoveryServicesVault -Name $rsVaultName -ResourceGroupName $rgName -ErrorAction SilentlyContinue
if (-not $vault1) {
    $vault1 = New-AzureRmRecoveryServicesVault -Name $rsVaultName -ResourceGroupName $rgName -Location $location
    Set-AzureRmRecoveryServicesBackupProperties -Vault $vault1 -BackupStorageRedundancy LocallyRedundant
}

# Point all backup cmdlets at this vault
Set-AzureRmRecoveryServicesVaultContext -Vault $vault1

# Create the protection policy once: default daily schedule, retention extended to 365 days.
# The original version fetched "NewPolicy" without ever creating it, which fails on a fresh vault.
$pol = Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name $policyName -ErrorAction SilentlyContinue
if (-not $pol) {
    $schPol = Get-AzureRmRecoveryServicesBackupSchedulePolicyObject -WorkloadType "AzureVM"
    $retPol = Get-AzureRmRecoveryServicesBackupRetentionPolicyObject -WorkloadType "AzureVM"
    $retPol.DailySchedule.DurationCountInDays = $retentionDays
    $pol = New-AzureRmRecoveryServicesBackupProtectionPolicy -Name $policyName `
        -WorkloadType "AzureVM" -RetentionPolicy $retPol -SchedulePolicy $schPol
}

# Allow the Azure Backup service principal to read the keys/secrets of encrypted VMs.
# Only needed when backing up VMs encrypted with Azure Disk Encryption; done once, not per VM.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyvault -ResourceGroupName $rgName `
    -PermissionsToKeys backup,get,list -PermissionsToSecrets backup,get,list `
    -ServicePrincipalName 17078714-cbca-45c7-b486-5d9035fae0b5

foreach ($backupvm in $backupvms) {
    # Enable protection only for VMs not already registered in the vault
    $namedContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType "AzureVM" `
        -Status "Registered" -FriendlyName $backupvm -ResourceGroupName $vmrg
    if (-not $namedContainer) {
        Write-Output "Enabling backup for $backupvm with policy $policyName"
        Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name $backupvm -ResourceGroupName $vmrg | Out-Null
        $namedContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType "AzureVM" `
            -Status "Registered" -FriendlyName $backupvm -ResourceGroupName $vmrg
    }

    # Trigger an on-demand backup and wait for *this* job, not whichever job happens
    # to be first in the InProgress list (which could belong to another VM).
    $item = Get-AzureRmRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM"
    $job  = Backup-AzureRmRecoveryServicesBackupItem -Item $item
    $job  = Wait-AzureRmRecoveryServicesBackupJob -Job $job -Timeout 43200   # up to 12 hours
    Write-Output "$backupvm backup job finished with status: $($job.Status)"
}
[/code]
With an Automation schedule attached, this runbook runs every day at 5 AM, takes a snapshot of each tagged VM and stores the recovery point in the Recovery Services vault defined in the script. Note that the Run As account is created with Contributor rights on the whole subscription by default; if you only need it for this task, scope the service principal's role assignment down to the vault and VM resource groups.
pic2
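The runbook protects whatever is tagged, but it does not tell you what it missed: a VM tagged after the last run, a VM that was protected and later lost its tag, or a protected VM whose last backup failed or is stale. The following coverage report is an added example, not code from the original post. It assumes the same AzureRM modules, an existing login (for example via the runbook's Login function) and the same vault, resource group and tag names as the script above, all of which are placeholders you should replace.

```powershell
# Added example: audit backup coverage for tag-driven VM backup.
# Assumes an existing AzureRM session and the placeholder vault/resource-group/tag names below.
function Get-BackupCoverageReport {
    param(
        [string]$VaultName   = "myRsVault",
        [string]$VaultRgName = "edmond-guo-rg",
        [string]$VmRgName    = "VMs",
        [string]$TagName     = "backup",
        [string]$TagValue    = "true",
        [int]$MaxBackupAgeHours = 30      # one daily schedule plus some slack
    )

    $vault = Get-AzureRmRecoveryServicesVault -Name $VaultName -ResourceGroupName $VaultRgName
    Set-AzureRmRecoveryServicesVaultContext -Vault $vault

    # All VMs in the resource group, tagged or not
    $allVms = Get-AzureRmResource -ResourceGroupName $VmRgName `
        -ResourceType Microsoft.Compute/virtualMachines

    # All VMs the vault currently protects, keyed by VM name
    $protected = @{}
    Get-AzureRmRecoveryServicesBackupContainer -ContainerType AzureVM -Status Registered |
        Where-Object { $_.ResourceGroupName -eq $VmRgName } |
        ForEach-Object {
            $protected[$_.FriendlyName] = Get-AzureRmRecoveryServicesBackupItem -Container $_ -WorkloadType AzureVM
        }

    foreach ($vm in $allVms) {
        $tagged  = ($null -ne $vm.Tags) -and ($vm.Tags[$TagName] -eq $TagValue)
        $item    = $protected[$vm.Name]
        $finding = "OK"

        if ($tagged -and -not $item) {
            $finding = "MISSING: tagged $TagName=$TagValue but not protected"
        }
        elseif (-not $tagged -and $item) {
            $finding = "UNTAGGED: protected but tag missing or different"
        }
        elseif ($item -and -not $item.LastBackupTime) {
            $finding = "PENDING: protected but no backup taken yet"
        }
        elseif ($item -and $item.LastBackupStatus -ne "Completed") {
            $finding = "FAILED: last backup status $($item.LastBackupStatus)"
        }
        elseif ($item -and $item.LastBackupTime -lt (Get-Date).AddHours(-$MaxBackupAgeHours)) {
            $finding = "STALE: last backup at $($item.LastBackupTime)"
        }

        [pscustomobject]@{
            VMName           = $vm.Name
            Tagged           = $tagged
            Protected        = [bool]$item
            LastBackupStatus = $item.LastBackupStatus
            LastBackupTime   = $item.LastBackupTime
            Finding          = $finding
        }
    }
}

# Usage: show only the VMs that need attention
Get-BackupCoverageReport -VaultName "myRsVault" -VaultRgName "edmond-guo-rg" -VmRgName "VMs" |
    Where-Object Finding -ne "OK" |
    Format-Table -AutoSize
```

Run it as a second, read-only runbook (or locally before a change window) and the "MISSING" and "UNTAGGED" rows tell you where the tag and the vault have drifted apart, while "FAILED" and "STALE" catch backups that are configured but not actually producing recovery points.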
Hopefully this runbook script can help you with your day-to-day operations tasks. 😉
