Megaphone Commons

{{last_updated_at}} by {{last_updated_by}}

# Microsoft Azure - Setup

## For the Client

Hi there!  If I've directed you to this page, the part that concerns you are the first three sections only.  It's a bit convoluted, so feel free to ask me if you run into trouble! -Jon

[**NOTE**: Most of Microsoft's pages break with an ad blocker enabled.]

### Get a Sponsorship

* [Go to the Nonprofit Microsoft Getting Started page](https://nonprofit.microsoft.com/en-us/getting-started).  Fill out the paperwork to be approved as a 501c3.  Approval can take 1 day or 3-4 weeks - I've seen both multiple times.

* Once approved, go to https://www.microsoft.com/en-us/nonprofits/azure to claim credits (or go directly to [Claiming Your Credits](https://nonprofit.microsoft.com/en-us/offers/azure).

* You'll know you're successful because you'll see a sponsorship listed on the [Sponsorship Page](https://www.microsoftazuresponsorships.com/Balance).

### Create a Subscription

* Check that you have credits in your sponsored account: https://www.microsoftazuresponsorships.com/Balance

* Visit the [Azure Portal](https://portal.azure.com).  

* Click the **Subscriptions** icon.

* Click the **Add** button.

* Add a subscription of type "Microsoft Azure Sponsorship" from the Azure portal. You will likely need to select **Show other subscription types** to see it.

 * **Note**: Even sponsored subscriptions require a credit card, make sure you have one available.

### Grant access to other users

Microsoft is now enforcing two-factor authentication, so you need to create a separate user for me as your web vendor.

[Source](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator) for instructions

* Open the new subscription by clicking on it from the **Subscriptions** page.

* Click **Access Control (IAM)** in the left navigation bar.

* At the top, press **Add » Add role assignment**.

* On the *Role* tab, go to the **Privileged administrator roles** subtab. 

* Click **Owner** and press **Next**.

* On the *Members* tab, set *Assign Access* to **User, group, or service principal**, and click **Select Members**.

* In the *Search by name or email address* box, put the email of the new user and press **Select**.

* Click **Review and Assign**, then click **Review and Assign** again.

At this point, they'll receive an email to either log in with an existing Microsoft account or to create a new one.

### On Renewals

You will need to renew every year.  Instructions for this are incomplete - but you should look up your subscription ID in the Azure portal (will be a long string of numbers and letters), then go to https://www.microsoftazuresponsorships.com/Balance and assign your new credits to the existing subscription.

If you did not do this in time, you should be able to open a support ticket with Microsoft to request a refund.

## Technical Configuration

To set up a free account, you must:

* Get a Sponsorship (see above)

* Create a Subscription linked to the Sponsorship (see above)

* (Strongly recommended) Grant access to the subscription to other users.

* Create a Resource Group linked to the Subscription

* Create a Virtual Machine (and associated resources) linked to the Resource Group

### Create a resource group

* Select "Resource Group" from the main Azure portal.  

* Select **Create** and give it a name.

* Your subscription should be pre-selected since you only have the one.

* Click **Review and Create**, then **Create**.

### Create a virtual machine

* Click on your new resource group in the Azure Portal.

* Click **Create**.

* Click **Create** under **Virtual MAchine**.

* Search for the name of the image you want (e.g. `Debian 11 "Bullseye`).

 * If you picked an image that shows an hourly cost, it's probably the wrong one.

* See the screenshots below for configuration of the "Basics" and "Disk" tabs.  The other tabs I keep with the defaults.  My standard VPS type is now `D2as_v5`.

 * "D2" is general-purpose VM, we always select this.  "a" is AMD-series, "d" is temp disk included (we don't need this), "s" supports premium SSD disks.

* I've attached a downloaded template for this VM, which as of now I haven't used yet, not sure how it works.

![Create a VM - Basics Tab](https://hq.megaphonetech.com/attachments/download/1771/Selection_999(010).png)

![Create a VM - Disks Tab](Selection_1016.png)

### Post-provisioning configuration

#### Get serial console working

Serial console is necessary for single-user mode, and troubleshooting if SSH fails.

* Go to **Boot Diagnostics** in the VM's left nav.

* Click **Settings** at the top.

* Select **Enable with custom storage account**.

* Select **Create New**.

* Come up with a name.  Any name.

* Save with your custom boot selected.

Now Serial Console will work.

#### Partition and format the attached disk

Your VM will have an "OS disk" of 30GB it ships with.  Your attached disk is unformatted.  Partition and format the new disk (via SSH):

* Use `fdisk -l` to determine the attached disk and change the first command below accordingly.

```shell

DISK=/dev/sdb

sudo parted --script -a optimal $DISK mklabel gpt -- mkpart primary ext4 '0%' '100%'

sudo mkfs -t ext4 ${DISK}1

# install lsof and rsync

apt install lsof rsync

```

#### Mount the attached disk

From within *Serial Console*:

```shell

DISK=/dev/sdb

# Go to single-user mode

init 1

# Ensure that no files are open in /var.

# This should come back empty. (Note that recently it hasn't been but seems to work anyway).

lsof | grep /var

# pkill anything that's running, e.g. `pkill hv_kvp_daemon`.  It's OK if `systemd-journal` has files open.

mount ${DISK}1 /mnt

rsync -va /var/* /mnt

mv /var /var.old

umount /mnt

mkdir /var

mount ${DISK}1 /var

# Get the UUID of the drive for fstab

```shell

# Look for the partition you just created

blkid

```

vi /etc/fstab

```

Add the following line to `/etc/fstab`, subbing in *your* UUID:

```

UUID=13523269-c397-46a4-93b5-cb9f108489da       /var     ext4    defaults    0 1

```

You can reboot now to see that everything looks good.  Note that due to a bug in `cloud-init`, there's a 2-minute delay on every reboot in Debian 11 (fixed in Debian 12, will presumably be backported at some point).

#### Modify Firewall Rules

* Click on your new virtual machine in the Azure portal.

* Click **Networking** in the side navigation.

* You should see your firewall settings.  They should look like the screenshot below, except they'll be missing the two items circled.

* Add the "allow_ping" and "Port_5665" rules to the *Inbound Port Rules* as shown in the screenshot.

![Firewall Rules](https://hq.megaphonetech.com/attachments/download/1772/Selection_999(012).png)

#### Add a swapfile

[Complete instructions are here](https://support.microsoft.com/en-us/help/4010058/how-to-add-a-swap-file-in-linux-azure-virtual-machines) but in short, add this to `/etc/waagent.conf` for an 8GB swapfile:

```

    ResourceDisk.Format=y

    ResourceDisk.EnableSwap=y

    ResourceDisk.SwapSizeMB=8192

```

Then run `service walinuxagent restart`.

## Post-deployment management

### Adding a new disk

Add a disk by going to the virtual machine and clicking "Disk", not by "Add Resource".  Then used the `parted` and `mkfs` commands from above.  Don't forget to modify `/etc/fstab`!