
Managing AWS VMs with Automation DSC

Hello, and welcome back to this video on managing AWS VMs with automation DSC. Ironical, right? We’re talking about another cloud platform. But as a promise, early on in the training I said, you need tools today that allow you to do automation, not across on-prem or one cloud provider, but scale across multiple cloud providers. Because in reality, customers have those use cases where they’re using one cloud and the other cloud for resilience. So if one isn’t available, they can fail their load over to the other cloud provider. We’re going to use Azure automation again here. We’re going to use the same basic web server dot developer DSC configuration that we’ve created in the last video. Exactly the same process.
But because the AWS VMs are not discoverable within the Azure portal– at least today they aren’t– we will have to run a couple of PowerShell scripts on the target machines in Amazon, to do the registration from that machine, and make it aware of the Azure automation DSC pull server. So in this video, really, we’re going to look at applying the DSC configurations on AWS VMs by leveraging the Azure automation toolkit. All right, so I will get right into the demo.
So as you can see here, we have the Azure portal. Within that, we have the DSC node, which we kind of set up in the last demo. It’s still compliant. It’s still reading and applying the configuration basic web server dot developer. Now, I’m going to go into the AWS console, and you can get there by typing I’ve already created an account on here, but I don’t have any assets on there at the moment. So if I go in there, I don’t have any running instances. So I’m going to click on Launch Instance. And from the AWS marketplace, I’m going to look for Windows Server 2016. Yeah. OK, well the search– I searched for Windows 2016.
The first result I get back is 2012. But continue scrolling down. And if I scroll down, there I will find, hopefully, there we are. Microsoft Windows Server 2016 base and with containers. It’s eligible for free tiers. So if you just wanted to have a play, you can create a free account as well, like I’ve done here. So I’m going to select this marketplace image for Windows Server 2016. And I’m going to select the T2 micro-instance, and click Review and Launch. So I’m not really configuring the VM a lot, as part of provisioning. I’m just selecting the vanilla option set that’s available. So let’s just select everything as default and click Launch.
And I’ve already created a pair of SSH keys, so I’m just going to use the same SSH to set up the authentication with this VM. So click on Launch Instance. It will take a few minutes for the VM provisioning to complete, so hopefully in the next few minutes it will complete.
As you can see here, the launch status has been updated. And if I scroll down, I have the option to click View Instances. As you can see in the background, the instance is in running board, but it’s still initializing. It takes about four or five minutes to complete. Meanwhile, let’s just give this instance a name, call it IAC-AWS-Windows-16, and call it Dev02.
So if I try and log on to this instance now, it will just tell me that it needs a few more minutes to finish the provisioning process, so we’ll just wait it out.
Looks like the provisioning process has completed. So if I try and connect to this machine now, I can right click, click Connect, and get the password, decrypt the password, download the RDP file, and then try and connect to this instance now. [INAUDIBLE] the password, click OK, brilliant. We’re able to connect now.
All right. So we’re logged in into the AWS instance of Windows 2016. First thing I’m going to do is I’m going to launch PowerShell.
And what I want to show you here is run the command host dot version, and this already has PowerShell 5 installed, which means all the AzureRM modules are pre-existing on the server. So let’s go into Server Manager.
As you can see, Server Manager is here, but it doesn’t have the IIS role, as expected. This is a vanilla Windows 2016 image that wouldn’t have a web server role enabled on it. And so if I just tried to run INET manager from the run prompt, then I wouldn’t expect that to work either. So while this is running in the background, I’m going to come out of the VM and show you the– I’ll show you where you can find the script to register this node with the DSC pull server. So when you come back into the Azure portal, and you click on Add On-prem VM, it takes you into a help article which has a script.
That is called DSCMetaConfig script. So search for DSCMetaConfig, and this will bring you to this magical script, which actually does the heavy lifting of registering the target node with the DSC pull server. Of course, you have to feed some inputs to the script, and at the bottom here you would see the options of where you need to specify these parameters. So what exactly do you need? You need the registration URL. Now, earlier on, when we were creating the Azure account, Azure automation account, I showed you from the Settings blade an option called Keys. And that had the primary key, the secondary key, and the unique URL of this Azure automation account.
With that unique URL is exactly the registration URL that you need to feed in. And to attend, or to authenticate with the automation account, it needs the primary key specified here as well. In addition to that, you need to specify the name of the target host from where the script is being run. So in this case, I’m going to specify the machine name of the Azure VM– of the AWS VM. And apart from that, you don’t really have to change any of the options, apart from the node configuration file. In our case, we’re using the basic web server dot developer, so we’ll key that in here.
And should we want to change the behaviour of reboot, if needed, then we can make these tweaks there. This basically will specify the LCM configuration on the AWS VM. So let’s take this script across to the AWS instance.
Let me just copy it.
Open the AWS instance. Bring up PowerShell ISE, because doing this from the console might be a little bit tricky.
All right? Click on New. Paste it here.
And just substitute the values that need to go in the parameter section.
All right, so let’s get these values out. So let’s go back into the Azure automation account. From this account, I’m going to scroll down to the key section, pick up the URL, go back into the instance of the VM, substitute this value here, pick up the primary key. Now, a question that I get asked a lot is, why is there a primary access key and a secondary access key? The benefit here is if you have two keys, and you need to reset one of the keys, then by handing out both the keys to the user of this automation account means in the code, they can handle authentication with one key or the other.
So if one doesn’t work, they have a fail back to the second. And if you reset one, you still have the opportunity of supplying them an updated key without their automation starting to break, because they’re using the secondary key. So let’s copy the primary access key across, and fill that in here. And check what the name of this AWS VM is. It’s called EC2 something, something. Let’s copy that here. Paste it here. And specify the configuration. It is called basic web server dot developer. And let’s change the reboot if needed from false to true. Let’s change allow module overwrite to true. And let’s leave the rest of the settings as is.
So again, let’s run the command to see what the LCM configuration looks like before we register the node.
It’s set up for push at the minute, as expected. So what I’m going to do is I’m going to run this script now.
And what this does is it generates a MOF file at this following location now. So if we look at the MOF file and open it in possibly Notepad, you can see it’s got a lot of sensitive information in it. It’s got the server URL that you’re connecting with. It’s got the registration key. And it’s only needed one time to establish the connection between this VM with DSC. So my advice would be, once the connection’s established, that you clear this file out and delete it, because it’s got connection details of the Azure automation account in it that you don’t need to leave on the VM.
So coming out from there, in order to execute the MOF file, we need to run the following command.
And what it’s starting to do here is it’s applying the configuration to the LCM. This will take a couple of moments to complete. But once this is complete, and it is now, let’s go back and run the get DSC local configuration management command again. And we can see that the Refresh mode has changed from push to pull, and all the other settings that we’ve specified are now updated here. The last step in the process is to connect to Azure, using AzureRM command. And then just simply link this node to the DSC Server.
What I’m going to do is I’m going to run the following command, which is log in AzureRM.
Seems like I don’t remember the command. So let me just cheat here again. It’s called log in AzureRM account.
Oh, that’s because the AzureRM modules are not installed here, and that’s why this command is failing. So there are two commands that we can use to see what modules are installed and what modules are available. Let’s look at the command Find-Module.
Find-Module gives you a list of all the modules that are available within the PowerShell Gallery that you can effectively install on this target node.
As part of this, it installs the NuGet package manager, which kind of makes getting the PowerShell packages easier.
So as we can see, the full list of all the PowerShell modules that you can install gets printed out here. So I’m just going to break it, and instead run the command Install-Module AzureRM. Now, when I run this command, it’s basically going to use the NuGet repository, connect with the PowerShell Gallery to download the AzureRM module, and install it on this machine. Now, this can take anywhere from 5 to 10 minutes. So as you see, it just asks for my approval. I’m just going to click yes to all.
As you can see, the installation process has kicked off, and it’s got a bunch of modules that it needs to install. As you can see, installing the packages and all its dependencies. Traditionally, you would have had to download these modules, put it in a separate folder location, and then trigger the installation process. But with the embedded package management provided by NuGet, it’s just a couple of commands to do. No more manual intervention required. Again, this will take about 5 to 10 minutes to complete.
All right. So the installation of all the modules has completed. If I was clocking the time, it would be in the range of 5 to 6 minutes. It’s a one-time activity, and it kind of needs to be done. So if I try and run the log in AzureRM account command now– it should hopefully work. And the benefit here is, I don’t really need to key in the command here to say import AzureRM module. Behind the scenes, it does all the heavy lifting of doing that. Let’s just accept the security prompt.
And I’ll key in my credentials, connect to the Azure portal.
There we go. Just authenticating with my Enterprise credentials. All right, so as you can see, I’ve successfully connected using PowerShell to my Azure subscription. What I’m going to do is I’m going to run a command to get AzureRM subscriptions. This will give me a list of all the subscriptions that I have access to within Azure. There is this specific subscription that we’re doing our demo on. I just want to use the same subscription. So I’m going to copy the subscription ID of that specific subscription, and run a command which is set AzureRM context. And then subscription ID is this. I’m connected to the subscription now.
So now that we’re successfully connected, and the MOF file’s been generated, the LCM on this VM in AWS has been configured to what it needs to, I’m going to run the following command to register this node to DSC. So let’s just create a new file here.
The only value that needs changing here, or the couple of values that need changing here, is you need to specify the resource group name where your Azure automation account resides. You need to specify the exact name of the automation account. And then what this hostname is. What the hostname for this machine is. So let’s just run the command hostname. We can see that the hostname is as follows. So let’s copy that across into the script. The resource group name, well, let’s find that out from the Azure portal. Let’s go into the Overview section. And you can see, this is the resource group name. We can simply copy this resource group name, go back into the virtual machine, paste it here.
And all we need is the automation account name, which we can easily get from the property section right down here.
And let’s paste that here. At this point, if I run the command, it’s going to use the existing authentication instance, because I’ve just authenticated with Azure in the context of this ISE script. It’s going to leverage the same connection to register this node. This will take a few minutes. That was pretty quick. It’s managed to do the registration successfully. It’s telling me it’s connected. If I come out of this VM and go to the Azure portal now, go back into the Azure automation account, look at nodes, well, while the count’s gone up from 1 to 2, so there’s something going on in here. We’ve just integrated the AWS VM into the Azure automation.
And if you click on it, and it’s going through the same process as the Windows Azure instance of the machine needed to go through, which was ensure the connectivity, make sure that it takes the DSC configuration down, goes through the process of installing all the features. So if we wait for a couple of minutes, we should hopefully be able to see the compliancy status of this DSC configuration.
Alrighty. So the consistency checks have completed. If I click on the consistency, again, no different than what the behaviour was for Azure VMs. I can see here the Windows feature drilldown of how much time was spent in configuring these roles. And if I go back into the VM, and this time around, if I go back to the Server Manager, I can see the IIS role in there. If I launch a browser and navigate to localhost, IIS loads up. And if I go to INET Manager, then no doubt that shows up here as well. So you’re now at ninja level, right? I mean, not only have you seen how to apply Azure automation to Azure.
But now, in effect, you have seen how to apply Azure automation to other cloud providers as well. An interesting quote that is available on this coffee mug says, designing products for 7.4 billion starts with designing for one. Really, what they’re trying to say, is automating provisioning and environment management for 7.4 billion servers starts by designing for one.
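The registration the video walks through (feed the registration URL and access key from the automation account's Keys blade into an LCM metaconfiguration, apply it, confirm the refresh mode flipped from Push to Pull, and then delete the generated MOF because it carries the key in clear text) can be scripted end to end. The following is an added example, not the course's DSCMetaConfig script; the configuration name, the output path, the prompt for the key and every angle-bracket value are placeholders or assumptions to replace with your own account's values.

```powershell
# Added example (not the course's own script): point a Windows node in AWS at
# an Azure Automation DSC pull server, verify the LCM, then remove the MOF.

[DscLocalConfigurationManager()]
configuration DscMetaConfigs {
    param (
        [Parameter(Mandatory = $true)][string]$RegistrationUrl,   # "URL" on the account's Keys blade
        [Parameter(Mandatory = $true)][string]$RegistrationKey,   # primary or secondary access key
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [string[]]$ConfigurationNames,                            # node configuration to pull
        [bool]$RebootNodeIfNeeded = $true,                        # the video sets both of these to true
        [bool]$AllowModuleOverwrite = $true
    )

    Node $ComputerName {
        Settings {
            RefreshMode                    = 'Pull'               # was 'Push' before registration
            RefreshFrequencyMins           = 30
            ConfigurationMode              = 'ApplyAndMonitor'
            ConfigurationModeFrequencyMins = 15
            RebootNodeIfNeeded             = $RebootNodeIfNeeded
            AllowModuleOverwrite           = $AllowModuleOverwrite
            ActionAfterReboot              = 'ContinueConfiguration'
        }
        ConfigurationRepositoryWeb AzureAutomationStateConfiguration {
            ServerUrl          = $RegistrationUrl
            RegistrationKey    = $RegistrationKey
            ConfigurationNames = $ConfigurationNames
        }
        ResourceRepositoryWeb AzureAutomationStateConfiguration {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }
        ReportServerWeb AzureAutomationStateConfiguration {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

# Assumed output location; the compiled .meta.mof lands here.
$outputPath = Join-Path $env:TEMP 'DscMetaConfigs'

$params = @{
    RegistrationUrl    = '<registration URL from the Keys blade>'              # placeholder
    RegistrationKey    = Read-Host -Prompt 'Automation account access key'    # prompt instead of hard-coding
    ComputerName       = @($env:COMPUTERNAME)                                 # this AWS VM's hostname
    ConfigurationNames = @('<NodeConfigurationName>')                         # placeholder
}

try {
    DscMetaConfigs @params -OutputPath $outputPath | Out-Null
    Set-DscLocalConfigurationManager -Path $outputPath -Verbose

    # Confirm the LCM actually switched to pull mode before trusting the registration.
    $lcm = Get-DscLocalConfigurationManager
    if ($lcm.RefreshMode -ne 'Pull') {
        throw "LCM is still in $($lcm.RefreshMode) mode; the metaconfiguration did not apply."
    }
    Write-Host "$env:COMPUTERNAME is now in $($lcm.RefreshMode) mode against the Azure Automation pull server."
}
finally {
    # The .meta.mof embeds the access key and is needed only once; do not leave it on the VM.
    Remove-Item -Path $outputPath -Recurse -Force -ErrorAction SilentlyContinue
}
```

Prompting for the key keeps it out of the script file and out of the ISE history, and the `finally` block removes the MOF even when `Set-DscLocalConfigurationManager` fails. Because the account exposes two keys, you can register nodes with the secondary key while the primary is rotated, which is the fail-back the video describes.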

Runbooks in Azure Automation might not have access to resources in other clouds or in your on-premises environment because they run on the Azure cloud platform.

The video in this step demonstrates how to implement the Automation DSC platform to platform, and in this instance for AWS VMs. You will learn how to make the AWS VMs discoverable within the Azure Portal by running PowerShell scripts on target machines in Amazon. You will be applying DSC configurations on AWS VMs by leveraging the Azure Automation tool kit.

The information below will help you understand how to manage hybrid environments, where Azure Automation must reach machines outside Azure.

The Hybrid Runbook Worker Feature

The Hybrid Runbook Worker feature of Azure Automation allows you to run runbooks on machines located in your datacentre to manage local resources. The runbooks are stored and managed in Azure Automation and then delivered to one or more on-premises machines:

[Figure: hybrid management infographic]


You can designate one or more computers in your datacentre to act as a Hybrid Runbook Worker and then run runbooks from Azure Automation. Each worker requires the Microsoft management agent with a connection to Microsoft Operations Management Suite and the Azure Automation runbook environment. Operations Management Suite is only used to install and maintain the management agent and to monitor the functionality of the worker. Azure Automation performs the delivery of runbooks and the instruction to run them.


There are no inbound firewall requirements to support Hybrid Runbook Workers. Only TCP 443 is required for outbound internet access. The agent on the local computer initiates all communication with Azure Automation in the cloud. When a runbook is started, Azure Automation creates an instruction that is retrieved by the agent. The agent then pulls down the runbook and any parameters before running it. It will also retrieve any assets that are used by the runbook from Azure Automation.


To manage the configuration of your servers that support the Hybrid Runbook Worker role with Desired State Configuration (DSC), you must add them as DSC nodes.

Hybrid Runbook Worker Groups

Each Hybrid Runbook Worker is a member of a Hybrid Runbook Worker group that you specify when you install the agent. A group can include a single agent but you can install multiple agents in a group for high availability.

When you start a runbook on a Hybrid Runbook Worker, you specify the group that it will run on. The members of the group will determine which worker will service the request. You cannot specify a specific worker.
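Two things from this section are worth checking in practice: that a candidate worker really only needs outbound TCP 443 to the Automation endpoint, and that a runbook started on a group runs on whichever member the group selects. The script below is an added example, not part of the course or the Azure documentation; the resource group, account, group, runbook and endpoint host names are placeholders, and it assumes the AzureRM module and an existing `Login-AzureRmAccount` session.

```powershell
# Added example (not from the course): verify outbound-only connectivity from a
# prospective Hybrid Runbook Worker, then start a runbook on a worker group.

$resourceGroup  = '<ResourceGroupName>'          # placeholder
$automationAcct = '<AutomationAccountName>'      # placeholder
$workerGroup    = '<HybridWorkerGroupName>'      # placeholder
$runbookName    = '<RunbookName>'                # placeholder
# Host part of the automation account's registration URL (Keys blade); placeholder.
$endpointHost   = '<agent-service-host-from-registration-url>'

# 1. The worker initiates every connection, so the only thing to prove is outbound 443.
$probe = Test-NetConnection -ComputerName $endpointHost -Port 443 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Outbound TCP 443 to $endpointHost is blocked; the worker could not poll Azure Automation."
}
Write-Host "Outbound TCP 443 to $endpointHost is open; no inbound rule is required."

# 2. Start the runbook on the group. -RunOn names the group, never an individual worker;
#    the group decides which member services the request.
$job = Start-AzureRmAutomationRunbook -Name $runbookName `
           -ResourceGroupName $resourceGroup -AutomationAccountName $automationAcct `
           -RunOn $workerGroup

# 3. Poll until the job leaves its active states, then pull the streams for review.
do {
    Start-Sleep -Seconds 10
    $job = Get-AzureRmAutomationJob -Id $job.JobId `
               -ResourceGroupName $resourceGroup -AutomationAccountName $automationAcct
} while ($job.Status -in 'New', 'Activating', 'Running')

Write-Host "Job $($job.JobId) finished with status $($job.Status) on group $workerGroup"

Get-AzureRmAutomationJobOutput -Id $job.JobId -Stream Any `
    -ResourceGroupName $resourceGroup -AutomationAccountName $automationAcct |
    Select-Object Time, Type, Summary
```

If the connectivity probe fails, the fix is an outbound allow rule on the worker's network, not an inbound one; opening inbound ports adds exposure the feature does not need.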

For more information on installing and removing Hybrid Runbook Workers and groups, see Installing Hybrid Runbook Worker and Hybrid Management in Azure Automation.

Join the discussion

The last two steps demonstrated how you can manage Azure IaaS and AWS VMs with Automation DSC. Consider the context and automation in your environment. How would you benefit from implementing Automation DSC in your environment? Share your ideas with the group.
This article is from the free online course Microsoft Future Ready: DevOps Development, Implementation and Azure Automation.

Created by
FutureLearn - Learning For Life
