The latest release of the Windows Azure PowerShell cmdlets adds a huge amount of functionality for Windows Azure Virtual Machines and significant improvements to Cloud Services.
Virtual Machine Updates
- Virtual Machine Stop Billing Support
- Endpoint Access Control List Support
- Endpoint Support Improvements
Cloud Service Enhancements
- Dynamically configure RDP per role or per service
- Dynamically configure Diagnostics per role or per service
Virtual Machine Stop Billing
It was announced at TechEd today that, in addition to the huge improvement of per-minute billing, you will not be charged when you stop a Virtual Machine. This functionality is exposed in PowerShell as well, in the Stop-AzureVM cmdlet. One caveat I want to mention: if you stop the last VM in a deployment, you will lose your deployment's virtual IP address. If you want to stop the last VM but keep your IP, a new switch, -StayProvisioned, has been added. Stop-AzureVM will prompt you with a warning if you try to stop the last VM (with -StayProvisioned you will continue to be billed).
Virtual Machine Endpoint Access Control Support
A significant improvement in the security of virtual machines is the ability to lock down an endpoint so that only a specified set of IP addresses can access it.
To specify ACLs during or after deployment from PowerShell, you create a new ACL configuration object using New-AzureAclConfig and then modify it with Set-AzureAclConfig. The resulting ACL object is then passed to the *-AzureEndpoint cmdlet in the -ACL parameter.
Example – Setting an ACL for SSH
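# Create an empty ACL object, then add a permit rule for one remote subnet
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule Permit -RemoteSubnet "22.214.171.124/16" -Order 1 `
    -ACL $acl -Description "Lock down SSH"
# Attach the ACL to the existing ssh endpoint and push the change to the VM
Get-AzureVM -ServiceName mwlinuxsvc1 -Name mwlinux |
    Set-AzureEndpoint -Name ssh -Protocol tcp -PublicPort 22 `
        -LocalPort 22 -ACL $acl |
    Update-AzureVM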
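Before applying a rule like the one above, it helps to see exactly which addresses a -RemoteSubnet value covers. The following is an added example, not code from the original post or from the Azure cmdlets: it runs offline over sample rule objects whose property names (Order, Action, RemoteSubnet) are assumed to mirror the Set-AzureAclConfig parameters, and it flags permit rules wider than an arbitrary /24 threshold as well as subnets written with host bits set.

```powershell
# Added example: how much address space does each endpoint ACL rule expose?
# Property names (Order, Action, RemoteSubnet) are assumptions that mirror the
# Set-AzureAclConfig parameters; the /24 threshold is an arbitrary policy choice.
function Get-SubnetRange {
    param([Parameter(Mandatory = $true)][string]$Cidr)
    $parts = $Cidr -split '/'
    if ($parts.Count -ne 2) { throw "Expected address/prefix, got '$Cidr'" }
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }
    $bytes = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: '$Cidr'" }
    [long]$ip = 0
    foreach ($b in $bytes) { $ip = ($ip * 256) + $b }    # big-endian fold
    [long]$size  = [math]::Pow(2, 32 - $prefix)          # addresses in the block
    [long]$first = $ip - ($ip % $size)                   # clear the host bits
    $toQuad = { param([long]$n) (3..0 | ForEach-Object { ($n -shr (8 * $_)) -band 0xFF }) -join '.' }
    [pscustomobject]@{
        Prefix  = $prefix
        First   = & $toQuad $first
        Last    = & $toQuad ($first + $size - 1)
        Count   = $size
        Aligned = ($ip -eq $first)    # false when the written address has host bits set
    }
}

function Test-EndpointAcl {
    param([object[]]$Rules, [int]$MinPrefix = 24)
    foreach ($rule in ($Rules | Sort-Object Order)) {
        $r = Get-SubnetRange $rule.RemoteSubnet
        $findings = @()
        if ($rule.Action -eq 'Permit' -and $r.Prefix -lt $MinPrefix) {
            $findings += "permit wider than /$MinPrefix ($($r.Count) addresses)"
        }
        if (-not $r.Aligned) { $findings += "host bits set; block starts at $($r.First)" }
        [pscustomobject]@{
            Order = $rule.Order; Action = $rule.Action; RemoteSubnet = $rule.RemoteSubnet
            Range = "$($r.First) - $($r.Last)"; Findings = $findings -join '; '
        }
    }
}

$sampleRules = @(   # first subnet is the one from the example above; the rest are constructed
    [pscustomobject]@{ Order = 1; Action = 'Permit'; RemoteSubnet = '22.214.171.124/16' }
    [pscustomobject]@{ Order = 2; Action = 'Permit'; RemoteSubnet = '203.0.113.10/32' }
    [pscustomobject]@{ Order = 3; Action = 'Permit'; RemoteSubnet = '0.0.0.0/0' }
)
Test-EndpointAcl -Rules $sampleRules | Format-Table -AutoSize
```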
Virtual Machine Other Endpoint Improvements
It is not a well-known fact that, prior to this release, it was not possible to perform an update on a load balanced endpoint set. The underlying API would not actually support it. In this release, a new API was added that allows direct modification of a load balanced endpoint set.
To support this in PowerShell a new cmdlet called Set-AzureLoadBalancedEndpoint was added.
This cmdlet supports modifying a load balanced endpoint for operations such as changing health probe settings or port settings. Best of all, this cmdlet can be called directly against the service and doesn’t require updating each individual endpoint.
Example of enabling an HTTP health probe on an existing load balanced endpoint.
Set-AzureLoadBalancedEndpoint -ServiceName $svc -ProbeProtocolHTTP `
    -LBSetName "lbweb" -ProbePath "/healthcheck" `
    -ProbePort 80
Finally, a flag for enabling DirectServerReturn has been added to the Add/Set Endpoint cmdlets. This flag allows you to enable DirectServerReturn on certain endpoints, which in turn allows the server to respond directly to the client instead of funneling the response back through the load balancer.
Cloud Services – Enabling RDP and Diagnostics on Demand
A new concept called “Cloud Service Extensions” was recently added which allows certain code to be executed after a Cloud Service has been deployed. The only two extensions that have been published to date are RDP and Diagnostics.
The power of the extensions model is that you do not have to repackage your application to enable or disable functionality like RDP and Diagnostics; it can be done after the fact.
The cmdlets for both extensions support a -Role parameter which allows you to selectively enable or disable the extension.
Example of enabling RDP for all roles
# Prompt for the RDP user name and password, then apply them to every role
$cred = Get-Credential
Set-AzureServiceRemoteDesktopExtension -ServiceName $svc -Credential $cred
Example of removing RDP from all roles
Remove-AzureServiceRemoteDesktopExtension -ServiceName $svc
A few things about the Cloud Service Extension architecture. The above example sets a default RDP configuration, so all roles will have the same user name and password. If you then call the cmdlet on an individual role, that role gets its own settings. This is interesting when you remove the role-specific settings, because the default settings will still apply.
The cmdlets are smart enough to warn you of this behavior on use.
The other cmdlet that has been added is Set-AzureServiceDiagnosticsExtension. It works exactly the same way but accepts a wadcfg.xml file that can configure diagnostics logging on the role or roles.
One final caveat – the RDP and Diagnostics extensions are not compatible with the legacy RDP and Diagnostics plugins that ship in the SDK. To take advantage of this dynamic behavior you will first need to remove the legacy plugins from your application and redeploy.
My Last Release 🙁
Sadly, this is the last release that I will have direct involvement in as I accepted a new job outside of Microsoft working with an outstanding Microsoft and Windows Azure Partner – Aditi. However, I will still continue to stay in tune with the Windows Azure PowerShell cmdlets and blog religiously about them (and email bugs and feature requests!).
The WA PowerShell/Runtime team is outstanding and I expect some great things from them going forward from the PowerShell and Service Management API front (hopefully, some powerful new Cloud Service Extensions will make their way out of Redmond as well)!