virtual machine | Tom's Notes

Installing the new Veeam Software Appliance v13

By Tomica Kaniski in Other 03/09/2025 0 Comment

It’s finally here – the Veeam Software Appliance, v13!

What is it?

A simple to deploy, hardened Veeam instance, which is not installed on Windows anymore, but comes with it’s own (Rocky) Linux – everything packed in a nice software appliance!

Very nice!

Naturally, should be installed ASAP! 🙂

Installation

So, without actually reading the manual, I went and installed it in my lab (that’s how easy is to start with it!). There will be plenty of time to read the manual once issues start… right?!

Installation has a few steps:

obtain the installation ISO image from here (or from your account page):
- be careful to select Linux appliance, and not the Windows installation ISO

prepare hardware to install it to – for me, it’s a Windows Server 2025 Hyper-V VM (4 vCPU, 18 GB RAM, 2×240 GB HDD, SecureBoot (MS UEFI CA) enabled):
- check the requirements here

once you selected and prepared your hardware, you can start the installation – it looks like this:

in case you didn’t read the hardware requirements, you may face this error (so, go back, re-read the hardware requirements and update your hardware):

and after this question, the (automatic) installation proceeds, with no more inputs required from your side:
- while waiting for it to install, I recommend you take a look at the nice, shiny, new What’s new document!

installation took ~35 minutes on my machine

Initial configuration

After the automatic installation finished, there are a couple of initial settings that have to be taken care of:

accepting the necessary agreements:

assigning a hostname
setting up networking
configuring time source
setting up passwords for the admin accounts (Host Administrator and (optionally) Security Officer):
- really liked the process of setting up the MFA for host administrator here (as SO is optional, MFA for this account will be setup later, inside the web interface)!
- don’t use passwords that are too short… or the same! 😁

summary:

And… that’s it! Veeam is installed and initially configured, and now you can access it via browser:

host management at https://<vsa-ip-address>:10443/

Veeam Backup & Replication web interface https://<vsa-ip-address>/
- (or just use the Windows console for full experience)

What a nice installation experience! Well done, Veeam people! 👏

Of course, next I’ll install my license, add rest of the infrastructure, setup my backup jobs, and connect it to (Veeam One) monitoring.

After all, it’s a “normal” Veeam solution we already know and work with.

Cheers!

Remote Desktop connection to an Entra ID-joined Windows Server with Entra ID credentials… quick and dirty

By Tomica Kaniski in Other 07/08/2024 3 Comments

Connecting via Remote Desktop to an Entra ID-joined Windows machine, by using the Entra ID credentials, should be easy, right? It usually is… if you have covered all the prerequisites.

Multiple such guides are around, but none has listed all the steps needed (or I just haven’t found the right one) – I chose to follow this one, from my MVP colleague Tom Wechsler, available here.

Some points before we start:

I don’t have a P1 or P2 license, so there are no Conditional Access policies (if they were, I would create one skipping the MFA for these connections as per this article)
Security defaults are enabled on my tenant, so all users need to register for MFA in 14 days (which allowed me to skip MFA… for 14 days)
this is not to be used for production, as not all security best practices are being followed(!)

In my case, all the required steps that allowed me to finally access my Entra ID-joined Windows (Server) machine in Azure via (publicly accessible) Remote Desktop (FOR DEMO PURPOSES), are the following:

Create an Entra ID-joined Windows virtual machine in Azure:

first, you will need to select a supported operating system (Windows 10/11, Windows Server Datacenter 2019/2022):
- worked for me with both Windows Server 2019 Datacenter and Windows Server 2022 Datacenter

another thing needed during the creation of the machine itself is to select Login with Microsoft Entra ID under Management settings so that your machine would be automatically joined to the Entra ID and have the extension installed (note that this option automatically creates the system-assigned managed identity as well, and if not selected at the time of creation, it can also be added later, under virtual machine’s Extensions):

Create a user that will connect to the virtual machine:

the easiest thing would be to create a fresh, new Entra ID user, that will be used for connecting to this virtual machine (you can also use an existing user, but make sure it is not using MFA, which will prevent you from connecting) – my user will be called vmuser
try to sign in with this new user into the Azure portal if you need to change its password, or just to skip the MFA setup:

as the machine is Entra ID-joined, under the Access Control (IAM) settings of the virtual machine (in my case, temp-1), assign this user (vmuser) either the Virtual Machine User Login or the Virtual Machine Administrator Login role:

Connect to the virtual machine with a local admin account (created with the machine):

if you run dsregcmd /status command, the following should be configured already:
- AzureAdJoined: YES
- AzureAdPrt: NO
- IsDeviceJoined: YES
next, go to the System Properties – Remote Desktop settings and disable the Network Level Authentication option (enabled by default):

next, open the Local Security Policy console (secpol.msc) and check if the option Security Settings – Local Policies – Security Options – Network security: Allow PKU2U authentication requests to this computer to use online identities. is set to Enabled (if not, enable it – reboot will be required):

On the computer you will be connecting from (not Entra ID-joined):

do the same – open the Local Security Policy console (secpol.msc) and check if the option Security Settings – Local Policies – Security Options – Network security: Allow PKU2U authentication requests to this computer to use online identities. is set to Enabled (if not, enable it – reboot will be required):

next, download the RDP connection file from the portal:

and then edit the downloaded RDP file (with Notepad) – it should look like the below (more on the available options):
- remove the line with the username (as it will be provided on connection)
- add the following two lines:
  - enablecredsspsupport:i:0
  - authentication level:i:2

try connecting to the virtual machine now, by using the edited RDP file, username, and password of your Entra ID account:
- for the username, make sure you are using the AzureAD\upn-or-email-address format (in my case, AzureAD\[email protected])

your connection should be working, and you will have either the user or admin permissions on the system (depending on the assigned Entra ID role):

Hope this helps.

Cheers!

Azure VM with CloudFlare DNS… by Terraform

By Tomica Kaniski in Other 25/08/2020 0 Comment

I like Terraform! 🙂

Had an idea the other day – I wanted to make myself an Ubuntu virtual machine on Microsoft Azure and also create a corresponding DNS record inside my kaniski.eu domain (currently hosted at CloudFlare… like, I guess, half of the Internet). Of course, I can do all that by using both of the portals, but this time I wanted to do it with Terraform, so it can be easily brought up and down, reusable, etc.

For this, you’ll need:

Microsoft Azure subscription
CloudFlare account (with a domain attached to its DNS servers, of course)
Terraform (v0.13)
(optional) Visual Studio Code
(or you can all do it inside Azure Cloud Shell)

To configure Terraform with your Azure subscription, you’ll need:

Azure Subscription ID
Tenant ID
Client ID
Client secret

There’s a nice document about setting it all up – https://docs.microsoft.com/en-us/azure/developer/terraform/overview.

For accessing CloudFlare API via Terraform, you’ll need the following info from your CloudFlare account page:

e-mail address
CloudFlare zone ID
CloudFlare account ID

CloudFlare API key

Be really careful with using your Azure/CloudFlare keys (can’t be stressed enough!)!

Also note that the following code is only one way of doing it, one that suits me for this purpose, not best practice or the prettiest code ever! 🙂

The whole example (main.tf) looks like this (it can/should be improved, but that’s not really the point here and now):

# providers
provider "azurerm" {
  version = "~> 2.24"

  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret

  features {}
}

provider "cloudflare" {
  version = "~> 2.10.0"

  email      = var.cf_email
  api_key    = var.cf_apikey
  account_id = var.cf_accountid
}

# resource group
resource "azurerm_resource_group" "example-rg" {
  name     = "example-rg"
  location = "West Europe"
}

# network
resource "azurerm_virtual_network" "example-net" {
  name                = "example-net"
  location            = azurerm_resource_group.example-rg.location
  resource_group_name = azurerm_resource_group.example-rg.name
  address_space       = ["10.11.0.0/16"]
}

# subnet
resource "azurerm_subnet" "example-sub" {
  name                 = "example-sub"
  resource_group_name  = azurerm_resource_group.example-rg.name
  virtual_network_name = azurerm_virtual_network.example-net.name
  address_prefixes     = ["10.11.12.0/24"]
}

# nics
resource "azurerm_network_interface" "myvm-nic" {
  name                 = "myvm-nic"
  location             = azurerm_resource_group.example-rg.location
  resource_group_name  = azurerm_resource_group.example-rg.name
  enable_ip_forwarding = true

  ip_configuration {
    name                          = "myvm-nic-ip-config"
    subnet_id                     = azurerm_subnet.example-sub.id
    private_ip_address_allocation = "Static"
    private_ip_address            = "10.11.12.4"
    public_ip_address_id          = azurerm_public_ip.myvm-ip.id
  }
}

# public ips
resource "azurerm_public_ip" "myvm-ip" {
  name                = "myvm-ip"
  location            = azurerm_resource_group.example-rg.location
  resource_group_name = azurerm_resource_group.example-rg.name
  allocation_method   = "Static"
}

# network security group
resource "azurerm_network_security_group" "example-nsg" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example-rg.location
  resource_group_name = azurerm_resource_group.example-rg.name

  security_rule {
    name                       = "SSH"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "10.11.12.4"
  }
}

resource "azurerm_subnet_network_security_group_association" "example-sub-nsg-assoc" {
  subnet_id                 = azurerm_subnet.example-sub.id
  network_security_group_id = azurerm_network_security_group.example-nsg.id
}

# vms
resource "azurerm_virtual_machine" "myvm" {
  name                          = "myvm"
  location                      = azurerm_resource_group.example-rg.location
  resource_group_name           = azurerm_resource_group.example-rg.name
  network_interface_ids         = [azurerm_network_interface.myvm-nic.id]
  vm_size                       = "Standard_DS1_v2"
  delete_os_disk_on_termination = true

  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "19_10-daily-gen2"
    version   = "latest"
  }

  storage_os_disk {
    name              = "myvm-osdisk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "myvm"
    admin_username = var.admin_username
  }

  os_profile_linux_config {
    disable_password_authentication = true
    ssh_keys {
      key_data = file("~/.ssh/id_rsa.pub")
      path     = "/home/${var.admin_username}/.ssh/authorized_keys"
    }
  }
}

# cloudflare dns
resource "cloudflare_record" "myvm-dns" {
  zone_id = var.cf_zoneid
  name    = "myvm"
  value   = azurerm_public_ip.myvm-ip.ip_address
  type    = "A"
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

# providers

provider "azurerm" {

version = "~> 2.24"

subscription_id = var.subscription_id

tenant_id = var.tenant_id

client_id = var.client_id

client_secret = var.client_secret

features {}

}

provider "cloudflare" {

version = "~> 2.10.0"

email = var.cf_email

api_key = var.cf_apikey

account_id = var.cf_accountid

}

# resource group

resource "azurerm_resource_group" "example-rg" {

name = "example-rg"

location = "West Europe"

}

# network

resource "azurerm_virtual_network" "example-net" {

name = "example-net"

location = azurerm_resource_group.example-rg.location

resource_group_name = azurerm_resource_group.example-rg.name

address_space = ["10.11.0.0/16"]

}

# subnet

resource "azurerm_subnet" "example-sub" {

name = "example-sub"

resource_group_name = azurerm_resource_group.example-rg.name

virtual_network_name = azurerm_virtual_network.example-net.name

address_prefixes = ["10.11.12.0/24"]

}

# nics

resource "azurerm_network_interface" "myvm-nic" {

name = "myvm-nic"

location = azurerm_resource_group.example-rg.location

resource_group_name = azurerm_resource_group.example-rg.name

enable_ip_forwarding = true

ip_configuration {

name = "myvm-nic-ip-config"

subnet_id = azurerm_subnet.example-sub.id

private_ip_address_allocation = "Static"

private_ip_address = "10.11.12.4"

public_ip_address_id = azurerm_public_ip.myvm-ip.id

}

# public ips

resource "azurerm_public_ip" "myvm-ip" {

name = "myvm-ip"

location = azurerm_resource_group.example-rg.location

resource_group_name = azurerm_resource_group.example-rg.name

allocation_method = "Static"

}

# network security group

resource "azurerm_network_security_group" "example-nsg" {

name = "example-nsg"

location = azurerm_resource_group.example-rg.location

resource_group_name = azurerm_resource_group.example-rg.name

security_rule {

name = "SSH"

priority = 100

direction = "Inbound"

access = "Allow"

protocol = "Tcp"

source_port_range = "*"

destination_port_range = "22"

source_address_prefix = "*"

destination_address_prefix = "10.11.12.4"

}

resource "azurerm_subnet_network_security_group_association" "example-sub-nsg-assoc" {

subnet_id = azurerm_subnet.example-sub.id

network_security_group_id = azurerm_network_security_group.example-nsg.id

}

# vms

resource "azurerm_virtual_machine" "myvm" {

name = "myvm"

location = azurerm_resource_group.example-rg.location

resource_group_name = azurerm_resource_group.example-rg.name

network_interface_ids = [azurerm_network_interface.myvm-nic.id]

vm_size = "Standard_DS1_v2"

delete_os_disk_on_termination = true

storage_image_reference {

publisher = "Canonical"

offer = "UbuntuServer"

sku = "19_10-daily-gen2"

version = "latest"

}

storage_os_disk {

name = "myvm-osdisk"

caching = "ReadWrite"

create_option = "FromImage"

managed_disk_type = "Standard_LRS"

}

os_profile {

computer_name = "myvm"

admin_username = var.admin_username

}

os_profile_linux_config {

disable_password_authentication = true

ssh_keys {

key_data = file("~/.ssh/id_rsa.pub")

path = "/home/${var.admin_username}/.ssh/authorized_keys"

}

# cloudflare dns

resource "cloudflare_record" "myvm-dns" {

zone_id = var.cf_zoneid

name = "myvm"

value = azurerm_public_ip.myvm-ip.ip_address

type = "A"

}

Variables used in this simple example are (terraform.tfvars):

subscription_id = ""
tenant_id       = ""
client_id       = ""
client_secret   = ""
admin_username  = ""
cf_zoneid       = ""
cf_email        = ""
cf_apikey       = ""
cf_accountid    = ""

subscription_id = ""

tenant_id = ""

client_id = ""

client_secret = ""

admin_username = ""

cf_zoneid = ""

cf_email = ""

cf_apikey = ""

cf_accountid = ""

Just note one more thing – I’m using the current version of Terraform (v0.13) and version 2 of the CloudFlare provider (notable changes between the v1 and v2 are listed at https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-2-upgrade).

As always, running terraform init will take care of the missing providers and install them as needed. Also, running terraform plan can give us an estimation of what exactly will be done and terraform fmt will make our code look nice! 🙂

When I run this code (terraform apply), it completes successfully (of course) and provisions 9 items and, more important – gives me info about the DNS name and IP address of the provisioned VM (which I already know, but still):

Next is a series of checks:

DNS record really exists in CloudFlare DNS?

resources are really provisioned in Azure?

SSH into the VM works?

And that’s it – when you’re done, you can use terraform destroy and it’s all gone! 🙂

Cheers!

Creating some virtual machines in Azure with PowerShell

By Tomica Kaniski in Other 15/03/2019 0 Comment

The other day I was creating some Linux virtual machines (I know, I know…) and, with Azure being my preferred hosting platform, I’ve decided to create this machines by using a simple PowerShell script. Not because I’m so good at PowerShell, but because I like it… and sometimes I really don’t like clicking through the wizard to create multiple machines.

I wanted to create multiple machines with ease, each with “static” IP address from the provided subnet, accessible via the Internet (SSH, HTTP) and running the latest Ubuntu Linux, of course.

So, I was browsing through the official documentation (a.k.a. docs.com, more specifically https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-powershell), and I’ve come up with this (my version of the official docs):

# prerequisites
Install-Module -Name Az -AllowClobber -Scope CurrentUser

# connect to Azure
Connect-AzAccount
Select-AzSubscription "<YOUR_SUBSCRIPTION_ID>"

# create VMs
$vmname = "myVM1"
$ip = "10.11.11.11"
$rg = "myResourceGroup"
$loc = "WestEurope"
$vnet = Get-AzVirtualNetwork -Name $rg -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnet.Name -VirtualNetwork $vnet
$pip = New-AzPublicIpAddress -Name "$vmname-pip" -ResourceGroupName $rg -Location $loc -AllocationMethod Dynamic -IdleTimeoutInMinutes 4
$nsg_ssh = New-AzNetworkSecurityRuleConfig -Name "ssh" -Protocol "Tcp" -Direction "Inbound" -Priority 300 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 22 -Access "Allow"
$nsg_web = New-AzNetworkSecurityRuleConfig -Name "web" -Protocol "Tcp" -Direction "Inbound" -Priority 301 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80 -Access "Allow"
$nsg = New-AzNetworkSecurityGroup -Name "$vmname-nsg" -ResourceGroupName $rg -Location $loc -SecurityRules $nsg_ssh,$nsg_web
if(Test-AzPrivateIPAddressAvailability -IPAddress $ip -ResourceGroupName $rg -VirtualNetworkName $vnet.Name){
  $ipconfig = New-AzNetworkInterfaceIpConfig -Name "$vmname-ip" -Subnet $subnet -PrivateIpAddress $ip -PublicIpAddress $pip
  $nic = New-AzNetworkInterface -Name "$vmname-nic" -ResourceGroupName $rg -Location $loc -IpConfiguration $ipconfig -NetworkSecurityGroupId $nsg.Id
}
$securePassword = ConvertTo-SecureString ' ' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("tomica", $securePassword)
$vmConfig = New-AzVMConfig -VMName $vmname -VMSize "Standard_A1_v2" | Set-AzVMOperatingSystem -Linux -ComputerName $vmname -Credential $cred -DisablePasswordAuthentication | Set-AzVMSourceImage -PublisherName "Canonical" -Offer "UbuntuServer" -Skus "18.10" -Version "latest" | Add-AzVMNetworkInterface -Id $nic.Id
$sshPublicKey = cat ~/.ssh/id_rsa.pub
Add-AzVMSshPublicKey -VM $vmconfig -KeyData $sshPublicKey -Path "/home/tomica/.ssh/authorized_keys"
New-AzVM -ResourceGroupName $rg -Location $loc -VM $vmConfig

# prerequisites

Install-Module -Name Az -AllowClobber -Scope CurrentUser

# connect to Azure

Connect-AzAccount

Select-AzSubscription "<YOUR_SUBSCRIPTION_ID>"

# create VMs

$vmname = "myVM1"

$ip = "10.11.11.11"

$rg = "myResourceGroup"

$loc = "WestEurope"

$vnet = Get-AzVirtualNetwork -Name $rg -ResourceGroupName $rg

$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnet.Name -VirtualNetwork $vnet

$pip = New-AzPublicIpAddress -Name "$vmname-pip" -ResourceGroupName $rg -Location $loc -AllocationMethod Dynamic -IdleTimeoutInMinutes 4

$nsg_ssh = New-AzNetworkSecurityRuleConfig -Name "ssh" -Protocol "Tcp" -Direction "Inbound" -Priority 300 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 22 -Access "Allow"

$nsg_web = New-AzNetworkSecurityRuleConfig -Name "web" -Protocol "Tcp" -Direction "Inbound" -Priority 301 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80 -Access "Allow"

$nsg = New-AzNetworkSecurityGroup -Name "$vmname-nsg" -ResourceGroupName $rg -Location $loc -SecurityRules $nsg_ssh,$nsg_web

if(Test-AzPrivateIPAddressAvailability -IPAddress $ip -ResourceGroupName $rg -VirtualNetworkName $vnet.Name){

$ipconfig = New-AzNetworkInterfaceIpConfig -Name "$vmname-ip" -Subnet $subnet -PrivateIpAddress $ip -PublicIpAddress $pip

$nic = New-AzNetworkInterface -Name "$vmname-nic" -ResourceGroupName $rg -Location $loc -IpConfiguration $ipconfig -NetworkSecurityGroupId $nsg.Id

}

$securePassword = ConvertTo-SecureString ' ' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ("tomica", $securePassword)

$vmConfig = New-AzVMConfig -VMName $vmname -VMSize "Standard_A1_v2" | Set-AzVMOperatingSystem -Linux -ComputerName $vmname -Credential $cred -DisablePasswordAuthentication | Set-AzVMSourceImage -PublisherName "Canonical" -Offer "UbuntuServer" -Skus "18.10" -Version "latest" | Add-AzVMNetworkInterface -Id $nic.Id

$sshPublicKey = cat ~/.ssh/id_rsa.pub

Add-AzVMSshPublicKey -VM $vmconfig -KeyData $sshPublicKey -Path "/home/tomica/.ssh/authorized_keys"

New-AzVM -ResourceGroupName $rg -Location $loc -VM $vmConfig

If this helps you with similar task – you’re welcome.

Cheers!