diff --git a/scenarios/azure-compute-docs/articles/virtual-machines/linux/attach-disk-portal.yml b/scenarios/azure-compute-docs/articles/virtual-machines/linux/attach-disk-portal.yml new file mode 100644 index 000000000..babdb3954 --- /dev/null +++ b/scenarios/azure-compute-docs/articles/virtual-machines/linux/attach-disk-portal.yml 
@@ -0,0 +1,259 @@ +### YamlMime:HowTo + +metadata: + title: Attach a data disk to a Linux VM + description: Use the portal to attach new or existing data disk to a Linux VM. + author: roygara + ms.author: rogarana + ms.date: 03/19/2024 + ms.service: azure-disk-storage + ms.topic: how-to + ms.collection: linux + ms.custom: + - linux-related-content + - ge-structured-content-pilot + +title: | + Use the portal to attach a data disk to a Linux VM +introduction: | + **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets + + This article shows you how to attach both new and existing disks to a Linux virtual machine through the Azure portal. You can also [attach a data disk to a Windows VM in the Azure portal](../windows/attach-managed-disk-portal.yml). + +prerequisites: + summary: | + Before you attach disks to your VM, review these tips: + dependencies: + - The size of the virtual machine controls how many data disks you can attach. For details, see [Sizes for virtual machines](../sizes.md). + +procedureSection: + - title: | + Find the virtual machine + summary: | + Follow these steps: + steps: + - | + Go to the [Azure portal](https://portal.azure.com/) to find the VM. Search for and select **Virtual machines**. + - | + Select the VM you'd like to attach the disk to from the list. + - | + In the **Virtual machines** page, under **Settings**, select **Disks**. + + - title: | + Attach a new disk + summary: | + Follow these steps: + steps: + - | + On the **Disks** pane, under **Data disks**, select **Create and attach a new disk**. + - | + Enter a name for your managed disk. Review the default settings, and update the **Storage type**, **Size (GiB)**, **Encryption** and **Host caching** as necessary. + + :::image type="content" source="./media/attach-disk-portal/create-new-md.png" alt-text="Screenshot of review disk settings." 
lightbox="./media/attach-disk-portal/create-new-md.png"::: + + - | + When you're done, select **Save** at the top of the page to create the managed disk and update the VM configuration. + + - title: | + Attach an existing disk + summary: | + Follow these steps: + steps: + - | + On the **Disks** pane, under **Data disks**, select **Attach existing disks**. + - | + Select the drop-down menu for **Disk name** and select a disk from the list of available managed disks. + - | + Select **Save** to attach the existing managed disk and update the VM configuration: + + - title: | + Connect to the Linux VM to mount the new disk + summary: | + To partition, format, and mount your new disk so your Linux VM can use it, SSH into your VM. For more information, see [How to use SSH with Linux on Azure](mac-create-ssh-keys.md). The following example connects to a VM with the public IP address of *10.123.123.25* with the username *azureuser*: + code: | + ```bash + ssh azureuser@10.123.123.25 + ``` + + - title: | + Find the disk + summary: | + Once connected to your VM, you need to find the disk. In this example, we're using `lsblk` to list the disks. + code: | + ```bash + lsblk -o NAME,HCTL,SIZE,MOUNTPOINT | grep -i "sd" + ``` + + The output is similar to the following example: + + ```output + sda 0:0:0:0 30G + ├─sda1 29.9G / + ├─sda14 4M + └─sda15 106M /boot/efi + sdb 1:0:1:0 14G + └─sdb1 14G /mnt + sdc 3:0:0:0 4G + ``` + + In this example, the disk that was added was `sdc`. It's a LUN 0 and is 4GB. + + For a more complex example, here's what multiple data disks look like in the portal: + + :::image type="content" source="./media/attach-disk-portal/find-disk.png" alt-text="Screenshot of multiple disks shown in the portal."::: + + In the image, you can see that there are 3 data disks: 4 GB on LUN 0, 16GB at LUN 1, and 32G at LUN 2. 
+ + Here's what that might look like using `lsblk`: + + ```output + sda 0:0:0:0 30G + ├─sda1 29.9G / + ├─sda14 4M + └─sda15 106M /boot/efi + sdb 1:0:1:0 14G + └─sdb1 14G /mnt + sdc 3:0:0:0 4G + sdd 3:0:0:1 16G + sde 3:0:0:2 32G + ``` + + From the output of `lsblk` you can see that the 4GB disk at LUN 0 is `sdc`, the 16GB disk at LUN 1 is `sdd`, and the 32G disk at LUN 2 is `sde`. + + ### Prepare a new empty disk + + > [!IMPORTANT] + > If you are using an existing disk that contains data, skip to [mounting the disk](#mount-the-disk). + > The following instructions will delete data on the disk. + + If you're attaching a new disk, you need to partition the disk. + + The `parted` utility can be used to partition and to format a data disk. + - Use the latest version `parted` that is available for your distro. + - If the disk size is 2 tebibytes (TiB) or larger, you must use GPT partitioning. If disk size is under 2 TiB, then you can use either MBR or GPT partitioning. + + + The following example uses `parted` on `/dev/sdc`, which is where the first data disk will typically be on most VMs. Replace `sdc` with the correct option for your disk. We're also formatting it using the [XFS](https://xfs.wiki.kernel.org/) filesystem. + + ```bash + sudo parted /dev/sdc --script mklabel gpt mkpart xfspart xfs 0% 100% + sudo mkfs.xfs /dev/sdc1 + sudo partprobe /dev/sdc1 + ``` + + Use the [`partprobe`](https://linux.die.net/man/8/partprobe) utility to make sure the kernel is aware of the new partition and filesystem. Failure to use `partprobe` can cause the blkid or lslbk commands to not return the UUID for the new filesystem immediately. + + ### Mount the disk + + Create a directory to mount the file system using `mkdir`. The following example creates a directory at `/datadrive`: + + ```bash + sudo mkdir /datadrive + ``` + + Use `mount` to then mount the filesystem. 
The following example mounts the */dev/sdc1* partition to the `/datadrive` mount point: + + ```bash + sudo mount /dev/sdc1 /datadrive + ``` + To ensure that the drive is remounted automatically after a reboot, it must be added to the */etc/fstab* file. It's also highly recommended that the UUID (Universally Unique Identifier) is used in */etc/fstab* to refer to the drive rather than just the device name (such as, */dev/sdc1*). If the OS detects a disk error during boot, using the UUID avoids the incorrect disk being mounted to a given location. Remaining data disks would then be assigned those same device IDs. To find the UUID of the new drive, use the `blkid` utility: + + ```bash + sudo blkid + ``` + + The output looks similar to the following example: + + ```output + /dev/sda1: LABEL="cloudimg-rootfs" UUID="11111111-1b1b-1c1c-1d1d-1e1e1e1e1e1e" TYPE="ext4" PARTUUID="1a1b1c1d-11aa-1234-1a1a1a1a1a1a" + /dev/sda15: LABEL="UEFI" UUID="BCD7-96A6" TYPE="vfat" PARTUUID="1e1g1cg1h-11aa-1234-1u1u1a1a1u1u" + /dev/sdb1: UUID="22222222-2b2b-2c2c-2d2d-2e2e2e2e2e2e" TYPE="ext4" TYPE="ext4" PARTUUID="1a2b3c4d-01" + /dev/sda14: PARTUUID="2e2g2cg2h-11aa-1234-1u1u1a1a1u1u" + /dev/sdc1: UUID="33333333-3b3b-3c3c-3d3d-3e3e3e3e3e3e" TYPE="xfs" PARTLABEL="xfspart" PARTUUID="c1c2c3c4-1234-cdef-asdf3456ghjk" + ``` + + > [!NOTE] + > Improperly editing the **/etc/fstab** file could result in an unbootable system. If unsure, refer to the distribution's documentation for information on how to properly edit this file. You should create a backup of the **/etc/fstab** file is created before editing. + + Next, open the **/etc/fstab** file in a text editor. Add a line to the end of the file, using the UUID value for the `/dev/sdc1` device that was created in the previous steps, and the mountpoint of `/datadrive`. 
Using the example from this article, the new line would look like the following: + + ```config + UUID=33333333-3b3b-3c3c-3d3d-3e3e3e3e3e3e /datadrive xfs defaults,nofail 1 2 + ``` + + When you're done editing the file, save and close the editor. + + > [!NOTE] + > Later removing a data disk without editing fstab could cause the VM to fail to boot. Most distributions provide either the *nofail* and/or *nobootwait* fstab options. These options allow a system to boot even if the disk fails to mount at boot time. Consult your distribution's documentation for more information on these parameters. + > + > The *nofail* option ensures that the VM starts even if the filesystem is corrupt or the disk does not exist at boot time. Without this option, you may encounter behavior as described in [Cannot SSH to Linux VM due to FSTAB errors](/archive/blogs/linuxonazure/cannot-ssh-to-linux-vm-after-adding-data-disk-to-etcfstab-and-rebooting) + + + - title: | + Verify the disk + summary: | + You can now use `lsblk` again to see the disk and the mountpoint. + + ```bash + lsblk -o NAME,HCTL,SIZE,MOUNTPOINT | grep -i "sd" + ``` + + The output will look something like this: + + ```output + sda 0:0:0:0 30G + ├─sda1 29.9G / + ├─sda14 4M + └─sda15 106M /boot/efi + sdb 1:0:1:0 14G + └─sdb1 14G /mnt + sdc 3:0:0:0 4G + └─sdc1 4G /datadrive + ``` + + You can see that `sdc` is now mounted at `/datadrive`. + + ### TRIM/UNMAP support for Linux in Azure + + Some Linux kernels support TRIM/UNMAP operations to discard unused blocks on the disk. This feature is primarily useful to inform Azure that deleted pages are no longer valid and can be discarded. This feature can save money on disks that are billed based on the amount of consumed storage, such as unmanaged standard disks and disk snapshots. + + There are two ways to enable TRIM support in your Linux VM. 
As usual, consult your distribution for the recommended approach: + steps: + - | + Use the `discard` mount option in */etc/fstab*, for example: + + ```config + UUID=33333333-3b3b-3c3c-3d3d-3e3e3e3e3e3e /datadrive xfs defaults,discard 1 2 + ``` + - | + In some cases, the `discard` option may have performance implications. Alternatively, you can run the `fstrim` command manually from the command line, or add it to your crontab to run regularly: + + **Ubuntu** + + ```bash + sudo apt-get install util-linux + sudo fstrim /datadrive + ``` + + **RHEL** + + ```bash + sudo yum install util-linux + sudo fstrim /datadrive + ``` + + **SUSE** + + ```bash + sudo zypper install util-linux + sudo fstrim /datadrive + ``` + +relatedContent: + - text: Troubleshoot Linux VM device name changes + url: /troubleshoot/azure/virtual-machines/troubleshoot-device-names-problems + - text: Attach a data disk using the Azure CLI + url: add-disk.md +#For more information, and to help troubleshoot disk issues, see [Troubleshoot Linux VM device name changes](/troubleshoot/azure/virtual-machines/troubleshoot-device-names-problems). + +#You can also [attach a data disk](add-disk.md) using the Azure CLI. diff --git a/scenarios/azure-compute-docs/articles/virtual-machines/linux/disk-encryption-faq.yml b/scenarios/azure-compute-docs/articles/virtual-machines/linux/disk-encryption-faq.yml new file mode 100644 index 000000000..8912e4362 --- /dev/null +++ b/scenarios/azure-compute-docs/articles/virtual-machines/linux/disk-encryption-faq.yml 
@@ -0,0 +1,200 @@ +### YamlMime:FAQ +metadata: + title: FAQ - Azure Disk Encryption for Linux VMs + description: This article provides answers to frequently asked questions about Microsoft Azure Disk Encryption for Linux IaaS VMs. + author: msmbaldwin + ms.service: azure-virtual-machines + ms.collection: linux + ms.subservice: security + ms.topic: faq + ms.author: mbaldwin + ms.date: 08/06/2024 +title: Azure Disk Encryption for Linux virtual machines FAQ +summary: | + This article provides answers to frequently asked questions (FAQ) about Azure Disk Encryption for Linux virtual machines (VMs). For more information about this service, see [Azure Disk Encryption overview](disk-encryption-overview.md). + + +sections: + - name: Ignored + questions: + - question: | + What is Azure Disk Encryption for Linux virtual machines? + answer: | + Azure Disk Encryption for Linux virtual machines uses the dm-crypt feature of Linux to provide full disk encryption of the OS disk* and data disks. Additionally, it provides encryption of the temporary disk when using the [EncryptFormatAll feature](disk-encryption-linux.md#use-encryptformatall-feature-for-data-disks-on-linux-vms). The content flows encrypted from the VM to the Storage backend with a customer-managed key. + + See [Supported virtual machines and operating systems](disk-encryption-overview.md#supported-vms-and-operating-systems). + + - question: | + Where is Azure Disk Encryption in general availability (GA)? + answer: | + Azure Disk Encryption for Linux virtual machines is in general availability in all Azure public regions. + + - question: | + What user experiences are available with Azure Disk Encryption? + answer: | + Azure Disk Encryption GA supports Azure Resource Manager templates, Azure PowerShell, and Azure CLI. The different user experiences give you flexibility. You have three different options for enabling disk encryption for your virtual machines. 
For more information on the user experience and step-by-step guidance available in Azure Disk Encryption, see [Azure Disk Encryption scenarios for Linux](disk-encryption-linux.md). + + - question: | + How much does Azure Disk Encryption cost? + answer: | + There's no charge for encrypting VM disks with Azure Disk Encryption, but there are charges associated with the use of Azure Key Vault. For more information on Azure Key Vault costs, see the [Key Vault pricing](https://azure.microsoft.com/pricing/details/key-vault/) page. + + - question: | + How can I start using Azure Disk Encryption? + answer: | + To get started, read the [Azure Disk Encryption overview](disk-encryption-overview.md). + + - question: | + What VM sizes and operating systems support Azure Disk Encryption? + answer: | + The [Azure Disk Encryption overview](disk-encryption-overview.md) article lists the [VM sizes](disk-encryption-overview.md#supported-vms) and [VM operating systems](disk-encryption-overview.md#supported-operating-systems) that support Azure Disk Encryption. + + - question: | + Can I encrypt both boot and data volumes with Azure Disk Encryption? + answer: | + Yes, you can encrypt both boot and data volumes, or you can encrypt the data volume without having to encrypt the OS volume first. + + After you've encrypted the OS volume, disabling encryption on the OS volume isn't supported. For Linux virtual machines in a scale set, only the data volume can be encrypted. + + - question: | + Can I encrypt an unmounted volume with Azure Disk Encryption? + answer: | + No, Azure Disk Encryption only encrypts mounted volumes. + + - question: | + What is Storage server-side encryption? + answer: | + Storage server-side encryption encrypts Azure managed disks in Azure Storage. Managed disks are encrypted by default with Server-side encryption with a platform-managed key (as of June 10, 2017). You can manage encryption of managed disks with your own keys by specifying a customer-managed key. 
For more information see: [Server-side encryption of Azure managed disks](../disk-encryption.md). + + - question: | + How is Azure Disk Encryption different from other disk encryption solutions and when should I use each solution? + answer: | + See [Overview of managed disk encryption options](../disk-encryption-overview.md). + + - question: | + How do I rotate secrets or encryption keys? + answer: | + To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption. + + >[!WARNING] + > - If you previously used [Azure Disk Encryption with Microsoft Entra app](disk-encryption-linux-aad.md) by specifying Microsoft Entra credentials to encrypt this VM, you must continue to use this option to encrypt your VM. You can't use Azure Disk Encryption on this encrypted VM as this isn't a supported scenario, meaning switching away from Microsoft Entra application for this encrypted VM isn't supported yet. + + - question: | + How do I add or remove a key encryption key if I didn't originally use one? + answer: | + To add a key encryption key, call the enable command again passing the key encryption key parameter. To remove a key encryption key, call the enable command again without the key encryption key parameter. + + - question: | + Does Azure Disk Encryption allow you to bring your own key (BYOK)? + answer: | + Yes, you can supply your own key encryption keys. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more information on the key encryption keys support scenarios, see [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md). + + - question: | + Can I use an Azure-created key encryption key? 
+ answer: | + Yes, you can use Azure Key Vault to generate a key encryption key for Azure disk encryption use. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more information on the key encryption key, see [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md). + + - question: | + Can I use an on-premises key management service or HSM to safeguard the encryption keys? + answer: | + You can't use the on-premises key management service or HSM to safeguard the encryption keys with Azure Disk Encryption. You can only use the Azure Key Vault service to safeguard the encryption keys. For more information on the key encryption key support scenarios, see [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md). + + - question: | + What are the prerequisites to configure Azure Disk Encryption? + answer: | + There are prerequisites for Azure Disk Encryption. See the [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md) article to create a new key vault, or set up an existing key vault for disk encryption access to enable encryption, and safeguard secrets and keys. For more information on the key encryption key support scenarios, see [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md). + + - question: | + What are the prerequisites to configure Azure Disk Encryption with a Microsoft Entra app (previous release)? + answer: | + There are prerequisites for Azure Disk Encryption. See the [Azure Disk Encryption with Microsoft Entra ID](disk-encryption-linux-aad.md) content to create an Microsoft Entra application, create a new key vault, or set up an existing key vault for disk encryption access to enable encryption, and safeguard secrets and keys. 
For more information on the key encryption key support scenarios, see [Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID](disk-encryption-key-vault-aad.md). + + - question: | + Is Azure Disk Encryption using a Microsoft Entra app (previous release) still supported? + answer: | + Yes. Disk encryption using a Microsoft Entra app is still supported. However, when encrypting new virtual machines it's recommended that you use the new method rather than encrypting with a Microsoft Entra app. + + - question: | + Can I migrate virtual machines that were encrypted with a Microsoft Entra app to encryption without a Microsoft Entra app? + answer: Currently, there isn't a direct migration path for machines that were encrypted with a Microsoft Entra app to encryption without a Microsoft Entra app. Additionally, there isn't a direct path from encryption without a Microsoft Entra app to encryption with an AD app. + + - question: | + What version of Azure PowerShell does Azure Disk Encryption support? + answer: | + Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version of [Azure PowerShell](https://github.com/Azure/azure-powershell/releases). Azure Disk Encryption is *not* supported by Azure SDK version 1.1.0. + + > [!NOTE] + > The Linux Azure disk encryption preview extension "Microsoft.OSTCExtension.AzureDiskEncryptionForLinux" is deprecated. This extension was published for Azure disk encryption preview release. You should not use the preview version of the extension in your testing or production deployment. + + > For deployment scenarios like Azure Resource Manager (ARM), where you have a need to deploy Azure disk encryption extension for Linux VM to enable encryption on your Linux IaaS VM, you must use the Azure disk encryption production supported extension "Microsoft.Azure.Security.AzureDiskEncryptionForLinux". 
+ + - question: | + Can I apply Azure Disk Encryption on my custom Linux image? + answer: | + You can't apply Azure Disk Encryption on your custom Linux image. Only the gallery Linux images for the supported distributions called out previously are supported. Custom Linux images aren't currently supported. + + - question: | + Can I apply updates to a Linux Red Hat VM that uses the yum update? + answer: | + Yes, you can perform a yum update on a Red Hat Linux VM. For more information, see [Azure Disk Encryption on an isolated network](disk-encryption-isolated-network.md). + + - question: | + What is the recommended Azure disk encryption workflow for Linux? + answer: | + The following workflow is recommended to have the best results on Linux: + * Start from the unmodified stock gallery image corresponding to the needed OS distro and version + * Back up any mounted drives you want encrypted. This back up allows for recovery if there's a failure, for example if the VM is rebooted before encryption has completed. + * Encrypt (can take several hours or even days depending on VM characteristics and size of any attached data disks) + * Customize, and add software to the image as needed. + + If this workflow isn't possible, relying on [Storage Service Encryption (SSE)](/azure/storage/common/storage-service-encryption) at the platform storage account layer may be an alternative to full disk encryption using dm-crypt. + + - question: | + What is the disk "Bek Volume" or "/mnt/azure_bek_disk"? + answer: | + The "Bek volume" is a local data volume that securely stores the encryption keys for Encrypted Azure virtual machines. + > [!NOTE] + > Do not delete or edit any contents in this disk. Do not unmount the disk since the encryption key presence is needed for any encryption operations on the IaaS VM. + + + - question: | + What encryption method does Azure Disk Encryption use? 
+ answer: | + Azure Disk Encryption uses the decrypt default of aes-xts-plain64 with a 256-bit volume master key. + + - question: | + If I use EncryptFormatAll and specify all volume types, will it erase the data on the data drives that we already encrypted? + answer: | + No, data won't be erased from data drives that are already encrypted using Azure Disk Encryption. Similar to how EncryptFormatAll didn't re-encrypt the OS drive, it won't re-encrypt the already encrypted data drive. For more information, see the [EncryptFormatAll criteria](disk-encryption-linux.md#use-encryptformatall-feature-for-data-disks-on-linux-vms). + + - question: | + Is XFS filesystem supported? + answer: | + Encryption of XFS OS disks is supported. + + Encryption of XFS data disks is supported only when the EncryptFormatAll parameter is used. This option reformats the volume, erasing any data previously there. For more information, see the [EncryptFormatAll criteria](disk-encryption-linux.md#use-encryptformatall-feature-for-data-disks-on-linux-vms). + + - question: | + Is resizing the OS partition supported? + answer: | + Resize of an Azure Disk Encryption encrypted OS disk isn't supported. + + - question: | + Can I backup and restore an encrypted VM? + answer: | + Azure Backup provides a mechanism to backup and restore encrypted VM's within the same subscription and region. For instructions, please see [Back up and restore encrypted virtual machines with Azure Backup](/azure/backup/backup-azure-vms-encryption). Restoring an encrypted VM to a different region is not currently supported. + + - question: | + Where can I go to ask questions or provide feedback? + answer: | + You can ask questions or provide feedback on the [Microsoft Q&A question page for Azure Disk Encryption](/answers/topics/azure-disk-encryption.html). + +additionalContent: | + + ## Next steps + + In this document, you learned more about the most frequent questions related to Azure Disk Encryption. 
For more information about this service, see the following articles: + + - [Azure Disk Encryption Overview](disk-encryption-overview.md) + - [Apply disk encryption in Azure Security Center](/azure/security-center/asset-inventory) + - [Azure data encryption at rest](/azure/security/fundamentals/encryption-atrest) diff --git a/scenarios/azure-compute-docs/articles/virtual-machines/linux/faq.yml b/scenarios/azure-compute-docs/articles/virtual-machines/linux/faq.yml new file mode 100644 index 000000000..5700bcc9c --- /dev/null +++ b/scenarios/azure-compute-docs/articles/virtual-machines/linux/faq.yml 
@@ -0,0 +1,141 @@ +### YamlMime:FAQ +metadata: + title: Frequently asked questions for Linux VMs in Azure + description: Provides answers to some of the common questions about Linux virtual machines created with the Resource Manager model. + author: ju-shim + ms.service: azure-virtual-machines + ms.collection: linux + ms.topic: faq + ms.date: 03/06/2024 + ms.author: jushiman +title: Frequently asked question about Linux Virtual Machines +summary: | + This article addresses some common questions about Linux virtual machines created in Azure using the Resource Manager deployment model. For the Windows version of this topic, see [Frequently asked question about Windows Virtual Machines](../windows/faq.yml) + + +sections: + - name: Ignored + questions: + - question: | + What can I run on an Azure VM? + answer: | + All subscribers can run server software on an Azure virtual machine. For more information, see [Linux on Azure-Endorsed Distributions](endorsed-distros.md) + + - question: | + How much storage can I use with a virtual machine? + answer: | + Each data disk can be up to 32,767 GiB. The number of data disks you can use depends on the size of the virtual machine. For details, see [Sizes for Virtual Machines](../sizes.md). + + Azure Managed Disks are the recommended disk storage offerings for use with Azure Virtual Machines for persistent storage of data. You can use multiple Managed Disks with each Virtual Machine. Managed Disks offer two types of durable storage options: Premium and Standard Managed Disks. For pricing information, see [Managed Disks Pricing](https://azure.microsoft.com/pricing/details/managed-disks). + + Azure storage accounts can also provide storage for the operating system disk and any data disks. Each disk is a .vhd file stored as a page blob. For pricing details, see [Storage Pricing Details](https://azure.microsoft.com/pricing/details/storage/). + + - question: | + How can I access my virtual machine? 
+ answer: | + Establish a remote connection to sign on to the virtual machine, using Secure Shell (SSH). See the instructions on how to connect [from Windows](ssh-from-windows.md) or + [from Linux and Mac](mac-create-ssh-keys.md). By default, SSH allows a maximum of 10 concurrent connections. You can increase this number by editing the configuration file. + + If you’re having problems, check out [Troubleshoot Secure Shell (SSH) connections](/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json). + + - question: | + Can I use the temporary disk (/dev/sdb1) to store data? + answer: | + Don't use the temporary disk (/dev/sdb1) to store data. It is only there for temporary storage. You risk losing data that can’t be recovered. + + - question: | + Can I copy or clone an existing Azure VM? + answer: | + Yes. For instructions, see [How to create a copy of a Linux virtual machine in the Resource Manager deployment model](/previous-versions/azure/virtual-machines/linux/copy-vm). + + - question: | + Why am I not seeing Canada Central and Canada East regions through Azure Resource Manager? + answer: | + The two new regions of Canada Central and Canada East are not automatically registered for virtual machine creation for existing Azure subscriptions. This registration is done automatically when a virtual machine is deployed through the Azure portal to any other region using Azure Resource Manager. After a virtual machine is deployed to any other Azure region, the new regions should be available for subsequent virtual machines. + + - question: | + Can I add a NIC to my VM after it's created? + answer: | + Yes, this is now possible. The VM first needs to be stopped deallocated. Then you can add or remove a NIC (unless it's the last NIC on the VM). + + - question: | + Are there any computer name requirements? + answer: | + Yes. The computer name can be a maximum of 64 characters in length. 
See [Naming conventions rules and restrictions](/azure/architecture/best-practices/resource-naming) for more information around naming your resources. + + - question: | + Are there any resource group name requirements? + answer: | + Yes. The resource group name can be a maximum of 90 characters in length. See [Naming conventions rules and restrictions](/azure/architecture/best-practices/resource-naming) for more information about resource groups. + + - question: | + What are the username requirements when creating a VM? + answer: | + Usernames should be 1 - 32 characters in length. + + The following usernames are not allowed: + + - `1` + - `123` + - `a` + - `actuser` + - `adm` + - `admin` + - `admin1` + - `admin2` + - `administrator` + - `aspnet` + - `backup` + - `console` + - `david` + - `guest` + - `john` + - `owner` + - `root` + - `server` + - `sql` + - `support_388945a0` + - `support` + - `sys` + - `test` + - `test1` + - `test2` + - `test3` + - `user` + - `user1` + - `user2` + - `user3` + - `user4` + - `user5` + - `video` + + + - question: | + What are the password requirements when creating a VM? + answer: | + There are varying password length requirements, depending on the tool you are using: + - Azure portal - between 12 - 72 characters + - Azure PowerShell - between 8 - 123 characters + - Azure CLI - between 12 - 123 characters + - Azure Resource Manager (ARM) templates - 12 - 72 characters and control characters are not allowed + + + Passwords must also meet 3 out of the following 4 complexity requirements: + + * Have lower characters + * Have upper characters + * Have a digit + * Have a special character (Regex match [\W_]) + + The following passwords are not allowed: + + * abc@123 + * P@$$w0rd + * P@ssw0rd + * P@ssword123 + * Pa$$word + * pass@word1 + * Password! + * Password1 + * Password22 + * iloveyou! 
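Review bot: In faq.yml, the SSH answer `By default, SSH allows a maximum of 10 concurrent connections. You can increase this number by editing the configuration file.` is too vague to act on: it should name the file (`/etc/ssh/sshd_config`) and the directive. The 10 most likely refers to OpenSSH's `MaxStartups` (default `10:30:100`), which caps concurrent unauthenticated connections; `MaxSessions` (default 10) is a different limit, sessions per connection. The answer should say which one it means, that raising `MaxStartups` also widens the window for unauthenticated connection floods, and that sshd must be reloaded for the change to apply. Two smaller fixes in the same hunk: `title: Frequently asked question about Linux Virtual Machines` and the summary's link text `Frequently asked question about Windows Virtual Machines` should say "questions", and the summary sentence ending in that link is missing its final period.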
diff --git a/scenarios/azure-compute-docs/articles/virtual-machines/linux/tutorial-lemp-stack.md b/scenarios/azure-compute-docs/articles/virtual-machines/linux/tutorial-lemp-stack.md new file mode 100644 index 000000000..1fc78144f --- /dev/null +++ b/scenarios/azure-compute-docs/articles/virtual-machines/linux/tutorial-lemp-stack.md 
@@ -0,0 +1,828 @@ +--- +title: Tutorial - Deploy a LEMP stack using WordPress on a VM +description: In this tutorial, you learn how to install the LEMP stack, and WordPress, on a Linux virtual machine in Azure. +author: fossygirl +ms.collection: linux +ms.service: azure-virtual-machines +ms.devlang: azurecli +ms.custom: innovation-engine, linux-related-content, devx-track-azurecli +ms.topic: tutorial +ms.date: 2/29/2024 +ms.author: carols +ms.reviewer: jushim +#Customer intent: As an IT administrator, I want to learn how to install the LEMP stack so that I can quickly prepare a Linux VM to run web applications. +--- + +# Tutorial: Install a LEMP stack on an Azure Linux VM + +**Applies to:** :heavy_check_mark: Linux VMs + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://go.microsoft.com/fwlink/?linkid=2286415) + +This article walks you through how to deploy an NGINX web server, Azure MySQL Flexible Server, and PHP (the LEMP stack) on an Ubuntu Linux VM in Azure. To see the LEMP server in action, you can optionally install and configure a WordPress site. In this tutorial you learn how to: + +> [!div class="checklist"] +> +> * Create an Ubuntu VM +> * Open ports 80 and 443 for web traffic +> * Install and Secure NGINX, Azure Flexible MySQL Server, and PHP +> * Verify installation and configuration +> * Install WordPress +This setup is for quick tests or proof of concept. For more on the LEMP stack, including recommendations for a production environment, see the [Ubuntu documentation](https://help.ubuntu.com/community/ApacheMySQLPHP). + +This tutorial uses the CLI within the [Azure Cloud Shell](/azure/cloud-shell/overview), which is constantly updated to the latest version. To open the Cloud Shell, select **Try it** from the top of any code block. + +If you choose to install and use the CLI locally, this tutorial requires that you're running the Azure CLI version 2.0.30 or later. Find the version by running the `az --version` command. 
If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli). + +## Variable declaration + +First we need to define a few variables that help with the configuration of the LEMP workload. + +```bash +export NETWORK_PREFIX="$(($RANDOM % 254 + 1))" +export RANDOM_ID="$(openssl rand -hex 3)" +export MY_RESOURCE_GROUP_NAME="myLEMPResourceGroup$RANDOM_ID" +export REGION="westeurope" +export MY_VM_NAME="myVM$RANDOM_ID" +export MY_VM_USERNAME="azureadmin" +export MY_VM_SIZE='Standard_DS2_v2' +export MY_VM_IMAGE='Canonical:0001-com-ubuntu-minimal-jammy:minimal-22_04-lts-gen2:latest' +export MY_PUBLIC_IP_NAME="myPublicIP$RANDOM_ID" +export MY_DNS_LABEL="mydnslabel$RANDOM_ID" +export MY_NSG_NAME="myNSG$RANDOM_ID" +export MY_NSG_SSH_RULE="Allow-Access$RANDOM_ID" +export MY_VM_NIC_NAME="myVMNic$RANDOM_ID" +export MY_VNET_NAME="myVNet$RANDOM_ID" +export MY_VNET_PREFIX="10.$NETWORK_PREFIX.0.0/22" +export MY_SN_NAME="mySN$RANDOM_ID" +export MY_SN_PREFIX="10.$NETWORK_PREFIX.0.0/24" +export MY_MYSQL_DB_NAME="mydb$RANDOM_ID" +export MY_MYSQL_ADMIN_USERNAME="dbadmin$RANDOM_ID" +export MY_MYSQL_ADMIN_PW="$(openssl rand -base64 32)" +export MY_MYSQL_SN_NAME="myMySQLSN$RANDOM_ID" +export MY_WP_ADMIN_PW="$(openssl rand -base64 32)" +export MY_WP_ADMIN_USER="wpcliadmin" +export MY_AZURE_USER=$(az account show --query user.name --output tsv) +export FQDN="${MY_DNS_LABEL}.${REGION}.cloudapp.azure.com" +``` + + + +## Create a resource group + +Create a resource group with the [az group create](/cli/azure/group#az-group-create) command. An Azure resource group is a logical container into which Azure resources are deployed and managed. +The following example creates a resource group named `$MY_RESOURCE_GROUP_NAME` in the `eastus` location. 
+ +```bash +az group create \ + --name $MY_RESOURCE_GROUP_NAME \ + --location $REGION -o JSON +``` + +Results: + + +```JSON +{ + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx", + "location": "eastus", + "managedBy": null, + "name": "myLEMPResourceGroupxxxxxx", + "properties": { + "provisioningState": "Succeeded" + }, + "tags": null, + "type": "Microsoft.Resources/resourceGroups" +} +``` + +## Setup LEMP networking + +## Create an Azure Virtual Network + +A virtual network is the fundamental building block for private networks in Azure. Azure Virtual Network enables Azure resources like VMs to securely communicate with each other and the internet. +Use [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create) to create a virtual network named `$MY_VNET_NAME` with a subnet named `$MY_SN_NAME` in the `$MY_RESOURCE_GROUP_NAME` resource group. + +```bash +az network vnet create \ + --name $MY_VNET_NAME \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --location $REGION \ + --address-prefix $MY_VNET_PREFIX \ + --subnet-name $MY_SN_NAME \ + --subnet-prefixes $MY_SN_PREFIX -o JSON +``` + +Results: + + +```JSON +{ + "newVNet": { + "addressSpace": { + "addressPrefixes": [ + "10.19.0.0/22" + ] + }, + "enableDdosProtection": false, + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/virtualNetworks/myVNetxxxxxx", + "location": "eastus", + "name": "myVNetxxxxxx", + "provisioningState": "Succeeded", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "subnets": [ + { + "addressPrefix": "10.19.0.0/24", + "delegations": [], + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/virtualNetworks/myVNetxxxxxx/subnets/mySNxxxxxx", + "name": "mySNxxxxxx", + "privateEndpointNetworkPolicies": "Disabled", + "privateLinkServiceNetworkPolicies": "Enabled", + 
"provisioningState": "Succeeded", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "type": "Microsoft.Network/virtualNetworks/subnets" + } + ], + "type": "Microsoft.Network/virtualNetworks", + "virtualNetworkPeerings": [] + } +} +``` + +## Create an Azure Public IP + +Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create a standard zone-redundant public IPv4 address named `MY_PUBLIC_IP_NAME` in `$MY_RESOURCE_GROUP_NAME`. + +>[!NOTE] +>The below options for zones are only valid selections in regions with [Availability Zones](/azure/reliability/availability-zones-service-support). +```bash +az network public-ip create \ + --name $MY_PUBLIC_IP_NAME \ + --location $REGION \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --dns-name $MY_DNS_LABEL \ + --sku Standard \ + --allocation-method static \ + --version IPv4 \ + --zone 1 2 3 -o JSON +``` + +Results: + + +```JSON +{ + "publicIp": { + "ddosSettings": { + "protectionMode": "VirtualNetworkInherited" + }, + "dnsSettings": { + "domainNameLabel": "mydnslabelxxxxxx", + "fqdn": "mydnslabelxxxxxx.eastus.cloudapp.azure.com" + }, + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/publicIPAddresses/myPublicIPxxxxxx", + "idleTimeoutInMinutes": 4, + "ipTags": [], + "location": "eastus", + "name": "myPublicIPxxxxxx", + "provisioningState": "Succeeded", + "publicIPAddressVersion": "IPv4", + "publicIPAllocationMethod": "Static", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "sku": { + "name": "Standard", + "tier": "Regional" + }, + "type": "Microsoft.Network/publicIPAddresses", + "zones": [ + "1", + "2", + "3" + ] + } +} +``` + +## Create an Azure Network Security Group + +Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. 
To learn more about network security groups, see [Network security group overview](/azure/virtual-network/network-security-groups-overview). + +```bash +az network nsg create \ + --name $MY_NSG_NAME \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --location $REGION -o JSON +``` + +Results: + + +```JSON +{ + "NewNSG": { + "defaultSecurityRules": + { + "access": "Allow", + "description": "Allow inbound traffic from all VMs in VNET", + "destinationAddressPrefix": "VirtualNetwork", + "destinationAddressPrefixes": [], + "destinationPortRange": "*", + "destinationPortRanges": [], + "direction": "Inbound", + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroup104/providers/Microsoft.Network/networkSecurityGroups/protect-vms/defaultSecurityRules/AllowVnetInBound", + "name": "AllowVnetInBound", + "priority": 65000, + "protocol": "*", + "provisioningState": "Succeeded", + "resourceGroup": "myLEMPResourceGroup104", + "sourceAddressPrefix": "VirtualNetwork", + "sourceAddressPrefixes": [], + "sourcePortRange": "*", + "sourcePortRanges": [], + "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules" + }, + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroup104/providers/Microsoft.Network/networkSecurityGroups/protect-vms", + "location": "eastus", + "name": "protect-vms", + "provisioningState": "Succeeded", + "resourceGroup": "myLEMPResourceGroup104", + "securityRules": [], + "type": "Microsoft.Network/networkSecurityGroups" + } +} +``` + +## Create Azure Network Security Group rules + +Create a rule to allow connections to the virtual machine on port 22 for SSH and ports 80, 443 for HTTP and HTTPS. An extra rule is created to allow all ports for outbound connections. Use [az network nsg rule create](/cli/azure/network/nsg/rule#az-network-nsg-rule-create) to create a network security group rule. 
+ +```bash +az network nsg rule create \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --nsg-name $MY_NSG_NAME \ + --name $MY_NSG_SSH_RULE \ + --access Allow \ + --protocol Tcp \ + --direction Inbound \ + --priority 100 \ + --source-address-prefix '*' \ + --source-port-range '*' \ + --destination-address-prefix '*' \ + --destination-port-range 22 80 443 -o JSON +``` + +Results: + + +```JSON +{ + "access": "Allow", + "destinationAddressPrefix": "*", + "destinationAddressPrefixes": [], + "destinationPortRanges": [ + "22", + "80", + "443" + ], + "direction": "Inbound", + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/networkSecurityGroups/myNSGNamexxxxxx/securityRules/Allow-Accessxxxxxx", + "name": "Allow-Accessxxxxxx", + "priority": 100, + "protocol": "Tcp", + "provisioningState": "Succeeded", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "sourceAddressPrefix": "*", + "sourceAddressPrefixes": [], + "sourcePortRange": "*", + "sourcePortRanges": [], + "type": "Microsoft.Network/networkSecurityGroups/securityRules" +} +``` + +## Create an Azure Network Interface + +Use [az network nic create](/cli/azure/network/nic#az-network-nic-create) to create the network interface for the virtual machine. The public IP addresses and the NSG created previously are associated with the NIC. The network interface is attached to the virtual network you created previously. 
+ +```bash +az network nic create \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --name $MY_VM_NIC_NAME \ + --location $REGION \ + --ip-forwarding false \ + --subnet $MY_SN_NAME \ + --vnet-name $MY_VNET_NAME \ + --network-security-group $MY_NSG_NAME \ + --public-ip-address $MY_PUBLIC_IP_NAME -o JSON +``` + +Results: + + +```JSON +{ + "NewNIC": { + "auxiliaryMode": "None", + "auxiliarySku": "None", + "disableTcpStateTracking": false, + "dnsSettings": { + "appliedDnsServers": [], + "dnsServers": [] + }, + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "hostedWorkloads": [], + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/networkInterfaces/myVMNicNamexxxxxx", + "ipConfigurations": [ + { + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/networkInterfaces/myVMNicNamexxxxxx/ipConfigurations/ipconfig1", + "name": "ipconfig1", + "primary": true, + "privateIPAddress": "10.19.0.4", + "privateIPAddressVersion": "IPv4", + "privateIPAllocationMethod": "Dynamic", + "provisioningState": "Succeeded", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "subnet": { + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/virtualNetworks/myVNetxxxxxx/subnets/mySNxxxxxx", + "resourceGroup": "myLEMPResourceGroupxxxxxx" + }, + "type": "Microsoft.Network/networkInterfaces/ipConfigurations" + } + ], + "location": "eastus", + "name": "myVMNicNamexxxxxx", + "networkSecurityGroup": { + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/networkSecurityGroups/myNSGNamexxxxxx", + "resourceGroup": "myLEMPResourceGroupxxxxxx" + }, + "nicType": "Standard", + "provisioningState": "Succeeded", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "tapConfigurations": [], + 
"type": "Microsoft.Network/networkInterfaces", + "vnetEncryptionSupported": false + } +} +``` +## Cloud-init overview + +Cloud-init is a widely used approach to customize a Linux VM as it boots for the first time. You can use cloud-init to install packages and write files, or to configure users and security. As cloud-init runs during the initial boot process, there are no other steps or required agents to apply to your configuration. + +Cloud-init also works across distributions. For example, you don't use apt-get install or yum install to install a package. Instead you can define a list of packages to install. Cloud-init automatically uses the native package management tool for the distro you select. + +We're working with our partners to get cloud-init included and working in the images that they provide to Azure. For detailed information cloud-init support for each distribution, see [Cloud-init support for VMs in Azure](./using-cloud-init.md). + +### Create cloud-init config file + +To see cloud-init in action, create a VM that installs a LEMP stack and runs a simple Wordpress app secured with an SSL certificate. The following cloud-init configuration installs the required packages, creates the Wordpress website, then initialize and starts the website. 
+ +```bash +cat << EOF > cloud-init.txt +#cloud-config +# Install, update, and upgrade packages +package_upgrade: true +package_update: true +package_reboot_if_require: true +# Install packages +packages: + - vim + - certbot + - python3-certbot-nginx + - bash-completion + - nginx + - mysql-client + - php + - php-cli + - php-bcmath + - php-curl + - php-imagick + - php-intl + - php-json + - php-mbstring + - php-mysql + - php-gd + - php-xml + - php-xmlrpc + - php-zip + - php-fpm +write_files: + - owner: www-data:www-data + path: /etc/nginx/sites-available/default.conf + content: | + server { + listen 80 default_server; + listen [::]:80 default_server; + root /var/www/html; + server_name $FQDN; + } +write_files: + - owner: www-data:www-data + path: /etc/nginx/sites-available/$FQDN.conf + content: | + upstream php { + server unix:/run/php/php8.1-fpm.sock; + } + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name $FQDN; + ssl_certificate /etc/letsencrypt/live/$FQDN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$FQDN/privkey.pem; + root /var/www/$FQDN; + index index.php; + location / { + try_files \$uri \$uri/ /index.php?\$args; + } + location ~ \.php$ { + include fastcgi_params; + fastcgi_intercept_errors on; + fastcgi_pass php; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + } + location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { + expires max; + log_not_found off; + } + location = /favicon.ico { + log_not_found off; + access_log off; + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + } + server { + listen 80; + listen [::]:80; + server_name $FQDN; + return 301 https://$FQDN\$request_uri; + } +runcmd: + - sed -i 's/;cgi.fix_pathinfo.*/cgi.fix_pathinfo = 1/' /etc/php/8.1/fpm/php.ini + - sed -i 's/^max_execution_time \= .*/max_execution_time \= 300/g' /etc/php/8.1/fpm/php.ini + - sed -i 's/^upload_max_filesize \= .*/upload_max_filesize \= 64M/g' /etc/php/8.1/fpm/php.ini + - sed 
-i 's/^post_max_size \= .*/post_max_size \= 64M/g' /etc/php/8.1/fpm/php.ini + - systemctl restart php8.1-fpm + - systemctl restart nginx + - certbot --nginx certonly --non-interactive --agree-tos -d $FQDN -m dummy@dummy.com --redirect + - ln -s /etc/nginx/sites-available/$FQDN.conf /etc/nginx/sites-enabled/ + - rm /etc/nginx/sites-enabled/default + - systemctl restart nginx + - curl --url https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar --output /tmp/wp-cli.phar + - mv /tmp/wp-cli.phar /usr/local/bin/wp + - chmod +x /usr/local/bin/wp + - wp cli update + - mkdir -m 0755 -p /var/www/$FQDN + - chown -R azureadmin:www-data /var/www/$FQDN + - sudo -u azureadmin -i -- wp core download --path=/var/www/$FQDN + - sudo -u azureadmin -i -- wp config create --dbhost=$MY_MYSQL_DB_NAME.mysql.database.azure.com --dbname=wp001 --dbuser=$MY_MYSQL_ADMIN_USERNAME --dbpass="$MY_MYSQL_ADMIN_PW" --path=/var/www/$FQDN + - sudo -u azureadmin -i -- wp core install --url=$FQDN --title="Azure hosted blog" --admin_user=$MY_WP_ADMIN_USER --admin_password="$MY_WP_ADMIN_PW" --admin_email=$MY_AZURE_USER --path=/var/www/$FQDN + - sudo -u azureadmin -i -- wp plugin update --all --path=/var/www/$FQDN + - chmod 600 /var/www/$FQDN/wp-config.php + - mkdir -p -m 0775 /var/www/$FQDN/wp-content/uploads + - chgrp www-data /var/www/$FQDN/wp-content/uploads +EOF +``` + +## Create an Azure Private DNS Zone for Azure MySQL Flexible Server + +Azure Private DNS Zone integration allows you to resolve the private DNS within the current VNET or any in-region peered VNET where the private DNS Zone is linked. Use [az network private-dns zone create](/cli/azure/network/private-dns/zone#az-network-private-dns-zone-create) to create the private DNS zone. 
+ +```bash +az network private-dns zone create \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --name $MY_DNS_LABEL.private.mysql.database.azure.com -o JSON +``` + +Results: + + +```JSON +{ + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/privateDnsZones/mydnslabelxxxxxx.private.mysql.database.azure.com", + "location": "global", + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "name": "mydnslabelxxxxxx.private.mysql.database.azure.com", + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 0, + "numberOfVirtualNetworkLinksWithRegistration": 0, + "provisioningState": "Succeeded", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "tags": null, + "type": "Microsoft.Network/privateDnsZones" +} +``` + +## Create an Azure Database for MySQL - Flexible Server + +Azure Database for MySQL - Flexible Server is a managed service that you can use to run, manage, and scale highly available MySQL servers in the cloud. Create a flexible server with the [az mysql flexible-server create](/azure/mysql/flexible-server/quickstart-create-server-cli#create-an-azure-database-for-mysql-flexible-server) command. A server can contain multiple databases. 
The following command creates a server using service defaults and variable values from your Azure CLI's local environment: + +```bash +az mysql flexible-server create \ + --admin-password $MY_MYSQL_ADMIN_PW \ + --admin-user $MY_MYSQL_ADMIN_USERNAME \ + --auto-scale-iops Disabled \ + --high-availability Disabled \ + --iops 500 \ + --location $REGION \ + --name $MY_MYSQL_DB_NAME \ + --database-name wp001 \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --sku-name Standard_B2s \ + --storage-auto-grow Disabled \ + --storage-size 20 \ + --subnet $MY_MYSQL_SN_NAME \ + --private-dns-zone $MY_DNS_LABEL.private.mysql.database.azure.com \ + --tier Burstable \ + --version 8.0.21 \ + --vnet $MY_VNET_NAME \ + --yes -o JSON +``` + +Results: + + +```JSON +{ + "databaseName": "wp001", + "host": "mydbxxxxxx.mysql.database.azure.com", + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.DBforMySQL/flexibleServers/mydbxxxxxx", + "location": "East US", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "skuname": "Standard_B2s", + "subnetId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Network/virtualNetworks/myVNetxxxxxx/subnets/myMySQLSNxxxxxx", + "username": "dbadminxxxxxx", + "version": "8.0.21" +} +``` + +```bash +echo "Your MySQL user $MY_MYSQL_ADMIN_USERNAME password is: $MY_WP_ADMIN_PW" +``` + +The server created has the below attributes: + +* The server name, admin username, admin password, resource group name, location are already specified in local context environment of the cloud shell. They're created in the same location as your resource group and other Azure components. 
+* Service defaults for remaining server configurations: compute tier (Burstable), compute size/SKU (Standard_B2s), backup retention period (7 days), and MySQL version (8.0.21) +* The default connectivity method is Private access (VNet Integration) with a linked virtual network and an auto-generated subnet. + +> [!NOTE] +> The connectivity method cannot be changed after creating the server. For example, if you selected `Private access (VNet Integration)` during create then you cannot change to `Public access (allowed IP addresses)` after create. We highly recommend creating a server with Private access to securely access your server using VNet Integration. Learn more about Private access in the [concepts article](/azure/mysql/flexible-server/concepts-networking-vnet). +If you'd like to change any defaults, refer to the Azure CLI [reference documentation](/azure/mysql/flexible-server/quickstart-create-server-cli) for the complete list of configurable CLI parameters. + +## Check the Azure Database for MySQL - Flexible Server status + +It takes a few minutes to create the Azure Database for MySQL - Flexible Server and supporting resources. + +```bash +runtime="10 minute"; +endtime=$(date -ud "$runtime" +%s); +while [[ $(date -u +%s) -le $endtime ]]; do + STATUS=$(az mysql flexible-server show -g $MY_RESOURCE_GROUP_NAME -n $MY_MYSQL_DB_NAME --query state -o tsv); + echo $STATUS; + if [ "$STATUS" == 'Ready' ]; then + break; + else + sleep 10; + fi; +done +``` + +## Configure server parameters in Azure Database for MySQL - Flexible Server + +You can manage Azure Database for MySQL - Flexible Server configuration using server parameters. The server parameters are configured with the default and recommended value when you create the server. + +Show server parameter details: + +Run the [az mysql flexible-server parameter show](/azure/mysql/flexible-server/how-to-configure-server-parameters-cli) command to show details about any particular parameter for the server. 
+ +## Disable Azure Database for MySQL - Flexible Server SSL connection parameter for Wordpress integration + +Modify a server parameter value: + +You can also modify the value of a certain server parameter, which updates the underlying configuration value for the MySQL server engine. To update the server parameter, use the [az mysql flexible-server parameter set](/azure/mysql/flexible-server/how-to-configure-server-parameters-cli#modify-a-server-parameter-value) command. + +```bash +az mysql flexible-server parameter set \ + -g $MY_RESOURCE_GROUP_NAME \ + -s $MY_MYSQL_DB_NAME \ + -n require_secure_transport -v "OFF" -o JSON +``` + +Results: + + +```JSON +{ + "allowedValues": "ON,OFF", + "currentValue": "OFF", + "dataType": "Enumeration", + "defaultValue": "ON", + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.DBforMySQL/flexibleServers/mydbxxxxxx/configurations/require_secure_transport", + "isConfigPendingRestart": "False", + "isDynamicConfig": "True", + "isReadOnly": "False", + "name": "require_secure_transport", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "source": "user-override", + "systemData": null, + "type": "Microsoft.DBforMySQL/flexibleServers/configurations", + "value": "OFF" +} +``` + +## Create an Azure Linux Virtual Machine + +The following example creates a VM named `$MY_VM_NAME` and creates SSH keys if they don't already exist in a default key location. The command also sets `$MY_VM_USERNAME` as an administrator user name. + +To improve the security of Linux virtual machines in Azure, you can integrate with Microsoft Entra ID authentication. Now you can use Microsoft Entra ID as a core authentication platform. You can also SSH into the Linux VM by using Microsoft Entra ID and OpenSSH certificate-based authentication. This functionality allows organizations to manage access to VMs with Azure role-based access control and Conditional Access policies. 
+ +Create a VM with the [az vm create](/cli/azure/vm#az-vm-create) command. + +```bash +az vm create \ + --name $MY_VM_NAME \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --admin-username $MY_VM_USERNAME \ + --authentication-type ssh \ + --assign-identity \ + --image $MY_VM_IMAGE \ + --location $REGION \ + --nic-delete-option Delete \ + --os-disk-caching ReadOnly \ + --os-disk-delete-option Delete \ + --os-disk-size-gb 30 \ + --size $MY_VM_SIZE \ + --generate-ssh-keys \ + --storage-sku Premium_LRS \ + --nics $MY_VM_NIC_NAME \ + --custom-data cloud-init.txt -o JSON +``` + +Results: + + +```JSON +{ + "fqdns": "mydnslabelxxxxxx.eastus.cloudapp.azure.com", + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Compute/virtualMachines/myVMNamexxxxxx", + "identity": { + "principalId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy", + "tenantId": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz", + "type": "SystemAssigned", + "userAssignedIdentities": null + }, + "location": "eastus", + "macAddress": "60-45-BD-D8-1D-84", + "powerState": "VM running", + "privateIpAddress": "10.19.0.4", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "zones": "" +} +``` + +## Check the Azure Linux Virtual Machine status + +It takes a few minutes to create the VM and supporting resources. The provisioningState value of Succeeded appears when the extension is successfully installed on the VM. The VM must have a running [VM agent](../extensions/agent-linux.md) to install the extension. 
+ +```bash +runtime="5 minute"; +endtime=$(date -ud "$runtime" +%s); +while [[ $(date -u +%s) -le $endtime ]]; do + STATUS=$(ssh -o StrictHostKeyChecking=no $MY_VM_USERNAME@$FQDN "cloud-init status --wait"); + echo $STATUS; + if [[ "$STATUS" == *'status: done'* ]]; then + break; + else + sleep 10; + fi; +done +``` + + +```JSON +{ + "condition": null, + "conditionVersion": null, + "createdBy": null, + "createdOn": "2023-09-04T09:29:16.895907+00:00", + "delegatedManagedIdentityResourceId": null, + "description": null, + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Authorization/roleAssignments/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy", + "name": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy", + "principalId": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz", + "principalType": "User", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "roleDefinitionId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz", + "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx", + "type": "Microsoft.Authorization/roleAssignments", + "updatedBy": "wwwwwwww-wwww-wwww-wwww-wwwwwwwwwwww", + "updatedOn": "2023-09-04T09:29:17.237445+00:00" +} +``` + + + + +## Enable Microsoft Entra ID login for a Linux Virtual Machine in Azure + +The following installs the extension to enable Microsoft Entra ID login for a Linux VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. 
+ +```bash +az vm extension set \ + --publisher Microsoft.Azure.ActiveDirectory \ + --name AADSSHLoginForLinux \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --vm-name $MY_VM_NAME -o JSON +``` + +Results: + + +```JSON +{ + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": null, + "forceUpdateTag": null, + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myLEMPResourceGroupxxxxxx/providers/Microsoft.Compute/virtualMachines/myVMNamexxxxxx/extensions/AADSSHLoginForLinux", + "instanceView": null, + "location": "eastus", + "name": "AADSSHLoginForLinux", + "protectedSettings": null, + "protectedSettingsFromKeyVault": null, + "provisioningState": "Succeeded", + "publisher": "Microsoft.Azure.ActiveDirectory", + "resourceGroup": "myLEMPResourceGroupxxxxxx", + "settings": null, + "suppressFailures": null, + "tags": null, + "type": "Microsoft.Compute/virtualMachines/extensions", + "typeHandlerVersion": "1.0", + "typePropertiesType": "AADSSHLoginForLinux" +} +``` + +## Check and browse your WordPress website + +[WordPress](https://www.wordpress.org) is an open source content management system (CMS) used by over 40% of the web to create websites, blogs, and other applications. WordPress can be run on a few different Azure services: [AKS](/azure/mysql/flexible-server/tutorial-deploy-wordpress-on-aks), Virtual Machines, and App Service. For a full list of WordPress options on Azure, see [WordPress on Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?page=1&search=wordpress). + +This WordPress setup is only for proof of concept. To install the latest WordPress in production with recommended security settings, see the [WordPress documentation](https://codex.wordpress.org/Main_Page). 
+ +Validate that the application is running by curling the application url: + +```bash +runtime="5 minute"; +endtime=$(date -ud "$runtime" +%s); +while [[ $(date -u +%s) -le $endtime ]]; do + if curl -I -s -f $FQDN > /dev/null ; then + curl -L -s -f $FQDN 2> /dev/null | head -n 9 + break + else + sleep 10 + fi; +done +``` + +Results: + + +```HTML + + + + + + +Azure hosted blog + + +``` + +```bash +echo "You can now visit your web server at https://$FQDN" +``` diff --git a/scenarios/metadata.json b/scenarios/metadata.json index 11f21445e..ff14c57f8 100644 --- a/scenarios/metadata.json +++ b/scenarios/metadata.json @@ -53,7 +53,7 @@ } }, { - "status": "inactive", + "status": "active", "key": "azure-docs/articles/mysql/flexible-server/tutorial-deploy-wordpress-on-aks.md", "title": "Tutorial: Deploy WordPress on AKS cluster by using Azure CLI", "description": "Learn how to quickly build and deploy WordPress on AKS with Azure Database for MySQL - Flexible Server.", @@ -465,5 +465,17 @@ "configurations": { "region": "westeurope" } + }, + { + "status": "active", + "key": "azure-compute-docs/articles/virtual-machines/linux/tutorial-lemp-stack.md", + "title": "Tutorial - Deploy a LEMP stack using WordPress on a VM", + "description": "In this tutorial, you learn how to install the LEMP stack, and WordPress, on a Linux virtual machine in Azure.", + "stackDetails": "", + "sourceUrl": "https://raw.githubusercontent.com/MicrosoftDocs/executable-docs/main/scenarios/azure-compute-docs/articles/virtual-machines/linux/tutorial-lemp-stack.md", + "documentationUrl": "", + "configurations": { + "region": "westeurope" + } } ] \ No newline at end of file
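Review bot: In the tutorial-lemp-stack.md hunk, the step headed "Disable Azure Database for MySQL - Flexible Server SSL connection parameter for Wordpress integration" sets `require_secure_transport` to `OFF`, which removes TLS for every client of the server, while the WordPress side (`wp config create --dbhost=$MY_MYSQL_DB_NAME.mysql.database.azure.com --dbname=wp001 --dbuser=$MY_MYSQL_ADMIN_USERNAME ...`) connects with the server administrator account. Suggest leaving `require_secure_transport` at its default `ON` and instead having WordPress negotiate TLS, for example by running `wp config set MYSQL_CLIENT_FLAGS MYSQLI_CLIENT_SSL --raw` right after `wp config create`, and creating a MySQL user scoped to the `wp001` database instead of reusing the admin credentials. Related points in the same hunk: the cloud-init document embeds `$MY_MYSQL_ADMIN_PW` and `$MY_WP_ADMIN_PW` in plaintext and is passed as `--custom-data`, so both secrets persist on the VM in the custom-data/user-data copies that cloud-init and the agent keep on disk, not only in wp-config.php; the single NSG rule allows port 22 together with 80 and 443 from `--source-address-prefix '*'`, so SSH should be its own rule limited to the administrator's CIDR (the AADSSHLoginForLinux extension added later changes authentication, not exposure); runcmd sets `cgi.fix_pathinfo = 1` while the nginx `location ~ \.php$` block has no `try_files $uri =404;` guard and `wp-content/uploads` is made group-writable for www-data, which is the combination the PHP-FPM/nginx hardening guidance warns about, so set it to `0` and add the guard; `echo "Your MySQL user $MY_MYSQL_ADMIN_USERNAME password is: $MY_WP_ADMIN_PW"` prints the WordPress admin password under the MySQL label and should not print either secret to the console; please verify that the php-fpm pool user can still open wp-config.php, since it is created by `sudo -u azureadmin -i -- wp config create` and then given `chmod 600`, which excludes www-data unless the file is also chgrp'd to www-data and set to 640; `ssh -o StrictHostKeyChecking=no` in the status loop should be `-o StrictHostKeyChecking=accept-new`; wp-cli.phar is downloaded with no integrity check although wp-cli publishes a SHA-512 checksum next to the phar; `--assign-identity` enables a system-assigned identity that nothing in the tutorial uses, so drop it or assign the role it needs. Smaller issues: the duplicated `write_files:` key means only the second list is applied, `package_reboot_if_require` should be `package_reboot_if_required`, `--redirect` has no effect with `certbot certonly`, the JSON shown after the cloud-init status loop is a role-assignment object unrelated to that command, and the resource-group prose says `eastus` while `REGION` is `westeurope`.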
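Review bot: The status flip from "inactive" to "active" for azure-docs/articles/mysql/flexible-server/tutorial-deploy-wordpress-on-aks.md in the first metadata.json hunk is unrelated to the LEMP tutorial this PR adds; if re-enabling that scenario is intentional, say so in the PR description or split it into its own change so it can be reviewed and reverted independently.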
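Review bot: The new metadata.json entry in the second hunk leaves "stackDetails" and "documentationUrl" empty, and the "sourceUrl" points at the main branch of executable-docs, so it only resolves once this PR is merged; fill "documentationUrl" with the published location of the tutorial (or note why it is blank), and add the missing trailing newline flagged by "\ No newline at end of file". The "region": "westeurope" value does match the `REGION` variable in the tutorial, which is good.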