As you might know, Azure Stack brings Azure services to your datacenter, or to a location closer to you. It is delivered as an integrated system, meaning that it comes predesigned and preinstalled, so customers can go to production faster and focus on what really matters.
However, Azure Stack is not managed by Microsoft. Some third parties offer managed services for Azure Stack, but in general you will be responsible for operating the Azure Stack integrated system.
In this blog post, I will cover the basic toolset of the Azure Stack Operator, and the tools and access points you should be familiar with after Azure Stack is delivered and integrated into the datacenter.
Before we have a closer look at the tooling, let's first see what the Azure Stack Operator's responsibilities are. After you have gone through the different steps of the process, like sizing, planning the integration, installation and final integration, there are some recurring tasks the operator needs to take care of.
- Offers/plans and quotas – To make subscriptions available to the Azure Stack tenants, the operator needs to create offerings, plans and usage quotas to manage the resource consumption on Azure Stack.
- Deploy & manage Azure Services on Azure Stack – If you are not just using the Azure IaaS services on Azure Stack, you might add other resource providers like App Services to your Azure Stack installation. The Azure Stack Operator has the responsibility to manage these additional RPs.
- Marketplace Management – To make marketplace items available to the tenant, the Azure Stack Operator makes the appropriate marketplace items available in the local gallery. This can be done by using Azure Marketplace Syndication, or the operator can create their own customized marketplace items.
- Patch & Update – Azure Stack needs to be updated regularly to keep consistency with the innovation happening in Azure and to make sure the Azure Stack stays secure. Even when the services stay available during an update, the Azure Stack Operator will need to plan the maintenance window, start the update and monitor the update process.
- Maintenance tasks to resolve alerts, participate in server/disk replacement – In Azure, Microsoft takes care of this. On Azure Stack, the operator needs to make sure that issues are resolved and that, for example, disk replacements are done.
- Incident resolution with Microsoft/OEM – In the unlikely event that your Azure Stack runs into a warning or error, the Azure Stack Operator will need to work with Microsoft and/or the OEM to resolve the incident.
- Backup Azure Stack infrastructure – Azure Stack has an integrated infrastructure backup to back up the configuration of the Azure Stack. This is a fully automated process; however, like with all backups, it is good advice to verify them regularly. This only covers the configuration of the Azure Stack and the metadata. The tenant data is the responsibility of the tenant.
- Rotate Secrets (e.g. external certificates) – Depending on your security and compliance requirements, the Azure Stack Operator will need to change and update passwords or certificates from time to time.
Now that we are aware of the responsibilities of an Azure Stack Operator, I want to give you a quick look at the toolset the operator can use to manage the Azure Stack.
Admin Portal and Admin API
Next to the Azure Stack tenant portal, which gives you a consistent experience with the Microsoft Azure portal, Azure Stack also has an administrator portal. The administrator portal is the main place for the Azure Stack operator to go for the day-to-day management tasks.
The Azure Stack administrator portal gives an at-a-glance view of the health of the system and resource consumption. This is also the place where the operator creates offers and plans, manages the marketplace and starts the Azure Stack update process.
A lot of customers already have existing systems for monitoring and similar tasks. Azure Stack doesn't only come with a portal. Behind the portal you also have an API, which allows you, for example, to connect directly from your existing monitoring system to get the Azure Stack health state. These APIs are also used by the SCOM Management Pack for Azure Stack and the Azure Log Analytics (formerly OMS) solution.
To manage Azure Stack in a more automated and scripted way, there is also an Azure Stack PowerShell Module available. The PowerShell module is also used for some advanced configuration tasks, which are not built into the portal UI. Installing that PowerShell module is simple: you can use the Install-Module cmdlet to install the module from the PSGallery.
I also want to mention the Azure Stack Tools. These are extra tools and scripts for Azure Stack integrated systems as well as for the Azure Stack Development Kit. Over the last couple of months, a lot of these tools were moved into the PowerShell module.
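As an added example (not code from the original post), the following sketch installs the module, signs in to the administrator API and lists the active health alerts that a monitoring system would consume. It assumes an Azure AD connected deployment, an interactive sign-in, and that the AzureRM profile required by your Azure Stack build is already installed; the endpoint and tenant names are placeholders.

```powershell
# Added example. Bracketed values are placeholders, not values from the article.
# Assumption: the AzureRM profile matching your Azure Stack build is installed.
Install-Module -Name AzureStack -Scope CurrentUser   # no elevation required

$armEndpoint = 'https://adminmanagement.<region>.<external FQDN>'
$aadTenant   = '<directory tenant name>.onmicrosoft.com'

# Register the administrator Resource Manager endpoint as its own environment,
# separate from the tenant endpoint, so operator sessions are explicit.
Add-AzureRmEnvironment -Name 'AzureStackAdmin' -ArmEndpoint $armEndpoint | Out-Null

# Resolve the tenant ID from the identity provider's OpenID metadata.
$authority = (Get-AzureRmEnvironment -Name 'AzureStackAdmin').ActiveDirectoryAuthority.TrimEnd('/')
$metadata  = Invoke-RestMethod -Uri "$authority/$aadTenant/.well-known/openid-configuration"
$tenantId  = $metadata.issuer.TrimEnd('/').Split('/')[-1]

# Interactive operator sign-in (assumption: Azure AD, not AD FS).
Add-AzureRmAccount -EnvironmentName 'AzureStackAdmin' -TenantId $tenantId | Out-Null

# Pull the same health alerts the administrator portal shows and keep the open ones.
$active = Get-AzsAlert | Where-Object { $_.State -eq 'Active' }

$active |
    Sort-Object Severity, CreatedTimestamp |
    Format-Table Severity, Title, ImpactedResourceDisplayName, CreatedTimestamp -AutoSize

# Summary per severity, in a form a monitoring job can log or forward.
$active | Group-Object Severity | Select-Object Name, Count
```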
Privileged endpoint (PEP)
The Admin Portal, API and the PowerShell module are the tools the Azure Stack Operator should use for the day-to-day management tasks. However, in some advanced scenarios, more access is needed. The privileged endpoint (PEP) provides the Azure Stack operator with a pre-configured remote PowerShell console and uses PowerShell JEA (Just Enough Administration) to expose only a restricted set of cmdlets.
Note that for security reasons, it is required that you connect to the PEP only from a hardened VM running on top of the hardware lifecycle host, or from a dedicated Privileged Access Workstation.
The PEP is also needed if you are working with support and you need to get more advanced access to the system. The support session needs to be unlocked together with Microsoft support using the Get-SupportSessionToken and Unlock-SupportSession cmdlets.
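The following added example (not code from the original post) shows the PEP connection described above: it trusts only the PEP address for WinRM, opens the JEA session, lists the cmdlets the endpoint exposes, and closes the endpoint so the session transcripts are copied to a file share for audit. The PEP address, file share and account names are placeholders.

```powershell
# Added example. Bracketed values are placeholders, not values from the article.
# Run from the hardened VM on the hardware lifecycle host or from a PAW.
$pepAddress      = '<IP address of a PEP (ERCS) VM>'
$transcriptShare = '\\<file server>\<share>'   # must be reachable from the PEP

$cloudAdmin = Get-Credential -Message 'CloudAdmin account (<domain>\CloudAdmin)'
$shareCred  = Get-Credential -Message 'Account with write access to the transcript share'

# On a PAW the PEP address has to be a trusted WinRM host. Trust only this
# address, never '*'. Requires an elevated PowerShell session.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $pepAddress -Concatenate -Force

# The PEP is published as the JEA session configuration "PrivilegedEndpoint".
$pep = New-PSSession -ComputerName $pepAddress `
                     -ConfigurationName PrivilegedEndpoint `
                     -Credential $cloudAdmin

try {
    # List what the JEA endpoint exposes. Anything that is not in this list
    # cannot be run through the PEP.
    $exposed = Invoke-Command -Session $pep -ScriptBlock { Get-Command }
    $exposed | Sort-Object Name | Format-Table Name, CommandType -AutoSize

    # Check that the two support cmdlets named in the text are available.
    $support = 'Get-SupportSessionToken', 'Unlock-SupportSession'
    $missing = $support | Where-Object { $_ -notin $exposed.Name }
    if ($missing) { Write-Warning "Not exposed by this PEP: $($missing -join ', ')" }
}
finally {
    # Closing the endpoint copies the session transcripts to the share,
    # which gives you an audit record of everything run in the session.
    Invoke-Command -Session $pep -ScriptBlock {
        Close-PrivilegedEndpoint -TranscriptsPathDestination $using:transcriptShare `
                                 -Credential $using:shareCred
    }
    Remove-PSSession $pep
}
```

Get-SupportSessionToken and Unlock-SupportSession are run interactively (for example with Enter-PSSession and the same -ConfigurationName) while you are working with Microsoft support, so they are only checked for here, not executed.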
Depending on the OEM you are buying the Azure Stack from, you will have different hardware- and OEM-specific tools available for the hardware lifecycle. These are mostly the hardware tools you might already be familiar with.
Another place you should get familiar with is the Azure portal itself. Azure Stack really is an Azure service. Your Azure Stack is registered to an Azure subscription, which you will use not only to report your consumption, but also to open support requests for Azure Stack.
If you are an Enterprise Agreement customer, you can also view the overall consumption of your resources on Azure Stack in the Cost Management blade. If you are using a CSP subscription, you will see the consumption in the CSP portal.
There is also learning material and a certification exam available for Azure Stack.
Also check out the Microsoft Ignite session The guide to becoming a Microsoft Azure Stack operator – BRK3334 from Prathibha (Theebs) Chintagunta and Vijay Tewari from the Azure Stack team.