Відео

There's no easy way to do that that I know of. You could possibly get it somewhat done by downloading the vhd file and using it to create a template for a new cloud pc, but even then you would have to sysprep the machine and therefore loose user settings.

@@PetterTech Thanks for your reply.

Glad you liked it!

With the AzAPI v2 you should be able to create the custom image template and all the stuff you need, but probably not start the actual building of the image. I have not tried it myself though

As long as the IP configuration on the network interface is of the dynamic type, it can theoretically change. It's not likely to, but it might. That's why a static config could be preferrable if you need to be sure the ip address never changes

This can relate to private dns zones yes. My general recommendation would be to create a private dns zone for each type of private endpoint you use, for exampel private endpoints for storage accounts, and then link those to both the hub vnet and all vnets where that type is in use.

I used a trusted launch vm so yes, vTPM was enabled. But I did not bother with Bitlocker on this one

If a region does not have support for availability zones your deployments gets placed randomly across the datacenters within that region. Imagine that you deploy 3 virtual machines to a region that has 3 datacenters, if that region supports availability zones you get the option to deploy to specific availability zones. If you then place your 3 virtual machines in 3 separate availability zones you know that at least 2 of them will be available if a datacenter goes down. If that region does not support availability zones you have no idea as to which datacenter your virtual machines will be placed in. So in the event that a data center goes down you will either have all of your virtual machines available, none of them available, 2 available or 1 available. It's all up to chance

​@@PetterTechahh ok many thanks clear now :)

You would write a script to do it and then add that script using the "Add you own script" button. Like I did with installing PowerShell

Yup, that would certainly be a good addition!

Looks like you may have gotten your wish:learn.microsoft.com/en-us/azure/virtual-desktop/session-host-update?WT.mc_id=AZ-MVP-5004795 🥳

My pleasure! Thanks for watching! 👍

I have heard about cases where this is a tough one, though usually this applies to situations where the machines were upgraded from Windows 10 to Windows 11 21H2. Is that the case in your scenario as well?

@@PetterTech no

@@PetterTech I now know it's a bad idea to upgrade an Azure VM from 21H2 to another version. Microsoft hopes that you redeploy with an Azure provided updated image, that was optimize for Azure, office, teams, etc...

Hi there! Fabric is unfortunately not something I have experience in using. On a very general note I would look into authenticating with a service principal. I know there was an announcment of something around service principals and Fabric a few days ago, but I'm not sure if that applies to your scenario

Noted! Thank you for the feedback 👍

Thank you, glad you found it useful 👍 Also, thank you for the feedback, it is duly noted ;)

Glad you liked it!

Indeed it is :)

I haven't tried it with P2S yet no. I'll have to add it to my list of things to try :)

Hi, I couldn't get it to work on my P2S setup even though I had configured everything perfectly. Decided to move on to other parts of the networking, and I finally got it to work after setting up the firewall in the hub VNet. In the firewall config, I enabled dns application on policies and further in, I enabled DNS proxy. I then changed the DNS server address in my VPN XML config file to the private IP address of the firewall. Now it works perfectly the way it should and I can ping to VMs on my spokes using their FQDNs. It looks like the VPN client cannot access the inbound endpoint for some reason, but if you have another azure resource acting as a DNS proxy, it will work. Azure Firewall is very expensive, so it might be cheaper to set up a cheap VM on your hub VNet to act as an intermediary, but I didn't look into it further.

You should be able to see what checks failed. It could be a lot of different things, from the vnet not having internet access, not being able to join ad, image corruption etc. etc.

Sorry to hear that, but thanks for the feedback! I'll keep it in mind going forward 👍

You're welcome!

You can and it's not overkill! At least not in my opinion. When your Linux VMs are Arc-enabled you can install an extension on them via Azure called "Entra ID based SSH login" (or something similar), that will enable the usage of Entra ID based authentication on them. I also don't think that kind of usage should trigger any costs either, so it's a great starting point :)

@@PetterTech Thank you for your reply. Good to know there's probably no costs involved. I'm gonna test it out. Cheers! 👍

Yes, that would be my approach 👍

I haven't really been working on Windows 365 custom images in a while, but from what I can tell not too much have changed. Has the machine you grabbed an image of ever been joined to Active Directory, Entra ID or any form of MDM tool?

@@PetterTech I have tried with Entra joined and with VMs that have never been near Entra. The results are the same.

I doubt anything other than Windows will be supported as long as Dev Box is built upon Windows 365. So if you need Ubuntu or other Linux distros, your only option is what WSL provides

I would say basics of Azure would be a good starting point. So as far as certifications go I would suggest the AZ-104 and then optionally the AZ-140

Much appreciated 👍

Nope. That's kinda how it is with the cloud. Besides, if your internet is down you can't access Windows 365 either 🤷

Glad it was helpful!

Awesome! You planning on deploying it there?

Based on that size and the cost difference I would guess that the difference in price is the Windows license. Could it be true that for the one that costs $550 you have either ticket the hybrid benefit checkbox or selected an operating system other than Windows?

That is correct. Have some form of central storage for user profiles, e.g. Azure Files, and use FSLogix to connect to them. And avoid storing data locally on the session hosts or in user profiles

As of now, I don't think that is possible. But they have started building some more accessibility features so that may change in the future.

All of the things! 🕺😅

The routing preference on the public IP doesn't really matter in this case as that is more related to whether or not traffic should prefer to flow through Microsoft's network or prefer to use public internet as the carrier. While I haven't tested your specific scenario I know that the default behavior for a VM with a public IP assigned to it is to use that as the outgoing IP. But as soon as you have a NAT gateway assigned to the subnet the VM will use that as the outgoing IP, so I would assume it's the same in your scenario.

@@PetterTech Ok. I did this last night. With the route table in play and a VM with a Pub IP, the route table determined what would happen. The VM never showed up online as it’s assigned public IP. It continued to use the defined default routes in the table. In this case a virtual Cisco VMX we have up there or just out through Microsoft’s default Internet next hop. So I made a NAT gateway with my Pub IP, assigned it to the server subnet. Then I made routes in the table with next hop destination “Internet”. That made that traffic go out through the gateway and show up with the gateway’s pub IP as the NAT gateway becomes the “Internet” hop when you make that kind of route. This solved our problem. Which was, when you have static IPs assigned by Cisco to your VMX / SASE service the assigned IPs only work for ports 80 and 443. Any other traffic shows up at the destination as an IP from a random Cisco pool. Confirmed with Cisco’s TAC. We have an application that uses a non-standard port to connect to a vendor. When it arrives at the vendor they want to see it on a defined public IP so they can whitelist it on their side. Doing the gateway allowed me to keep our route table intact but force traffic to this destination out the gateway and its static pub IP. The rest of the traffic continues to go out the VMX etc.

Cool to hear! I guess that kind of challenge isn't a unique one so good to know a way around it 👍

Thanks for the kind words :) I think it’ll do just fine for that, the size of it did actually surprise me a bit as I was expecting it to be smaller.

I believe my thinking was that by linking it to the hub vNet instead of the spoke vNet, any additional spokes created would not need to have a link to them as well. At least as long as they point to the inbound endpoint for DNS. That way the setup scales better since you have less links. Even though that can lead to DNS resolution loops, that should be limited to queries originating from the onprem vNet and it can be avoided by having the DNS server there (10.0.0.5) always use itself as the primary DNS server. That being said, if in doubt you should follow the documentation. That way you will have an easier time if you ever need to create a support ticket for anything in the setup 😉

Thank you 👍

You would do that via script then, like I do with powershell in the video 👍

Thanks for the feedback! Future videos will be in 4K, though upscaled in the beginning

My pleasure!

Thank you! Really glad to hear that ❤️

The consumption billing should follow the projects. So if you place the projects in separate subscriptions you can split the cost in that way

@@PetterTech Subscription could be same as architecture prefers same VNet and different subnets. However, Resource group could help. Thank you for your response.

Using a public ip prefix with the NAT gateway is more for scaling up the number of outbound connections that can exist. The NAT gateway really isn't made for doing one to one NAT stuff, for that you would need a more advanced service like Azure Firewall or a load balancer.

@@PetterTech, thanks.. I used a loadbalancer to fix my case 👍🏻

You are welcome! Hope it helped :)