Tuesday, April 28, 2020

Run Android emulator and Android Studio on Azure VM using Hyper V

14 min to read.

Abstract

Due to Corona outbreak, times are hard! Please take care everyone! I wish good health for all! Stay safe!

There is another outbreak I am seeing: making development environments available on Azure to enable work from home. In almost every customer call I hear a requirement to set up a development environment on Azure, access it from a home laptop/PC, and continue the business.

In the era of “Mobile first”, almost every big enterprise, every Small and Medium Business (SMB) and every start-up has a mobile development team. They use a variety of tools, and one of the important IDEs for mobile development is “Android Studio”.

Installing and running Android Studio is smooth; however, Android emulator installation fails on an Azure VM. It is not straightforward. In this blog we will see how to enable the Android emulator with Android Studio on an Azure VM.

Let’s go!

Concept - Android Emulator and VM Acceleration

Without a virtualization technology and VM acceleration, the Android emulator must translate the machine code from the VM block by block to conform to the architecture of the host computer. This process can be quite slow.

With a hypervisor, the VM and the architecture of the computer running the emulator match, so the emulator can run code directly on the processor using the hypervisor. This drastically increases both the speed and performance of the Android emulator.

This concept is well suited to physical hardware. For example, on a laptop the Android emulator works like a charm, because the hardware required for VM acceleration is provided by the laptop on which you are running Android Studio, and the hypervisor for the emulator runs on the laptop hardware.

Android Emulator and Intel HAXM

The Android emulator is by default based on the Intel Hardware Accelerated Execution Manager [HAXM]. This is the virtualization technology used behind the scenes by Android Studio to run the Android emulator. HAXM is also installed as part of the Android Studio installation process.

So on the Azure VM where we plan to run the Android emulator, Intel HAXM should be installed and present.
At the same time, Intel HAXM and Hyper V are mutually exclusive. That means if you have Hyper V enabled then HAXM can’t be installed, and vice versa.

Installing HAXM on an Azure VM is not the problem. The VM series is the problem. To install HAXM, Hyper V should be disabled. Most of the VM series today have Hyper V “some way” enabled or not supported.

Remember that an Azure VM is itself a VM, which means it is already based on Hyper V behind the scenes. Now on top of this VM you want to install another hypervisor, either HAXM or Hyper V. The only series that support Hyper V on the Azure VM itself are the hyperthreaded VMs: the Dsv3 and Esv3 series or the Dv3 and Ev3 series.

These Azure VM series support nested virtualization; they support running Hyper V or any other hypervisor on top of them. Therefore installation of HAXM will succeed only on these Azure VMs, and will fail on others.

Now even if we install HAXM successfully on the Azure VM and then install Android Studio with the emulator successfully, the emulator will not work. I have experienced many errors, such as the ones below:

“error while loading state for instance 0x0 of device 'goldfish_pipe'”.

“Unfortunately, the Android emulator can’t support virtual machine acceleration from within a virtual machine.”

Android Emulator and WHPX

Microsoft Visual Studio has an Android Emulator. It uses WHPX technology behind the scenes. However, it works on physical hardware, which means it can run well on your laptop but not on an Azure VM. I could not start the Android Emulator on an Azure VM. When I attach the Visual Studio Android Emulator to Android Studio, it fails with many errors.
So what is the solution?

Solution and Architecture

Well, the solution provided here will not help you run the latest version of the Android emulator. However, you will be able to make an “older version” of the Android emulator work on an Azure VM.

For this we will leverage “VS Emulator for Android”, an earlier version of the Android emulator that Microsoft released prior to the current “hardware acceleration” based Android emulator.

The overall solution looks as follows.



As a part of the solution, make sure you provision a VM from the v3 series. I selected a Ds4v3 VM on the Azure portal and provisioned it. By default, allow internet access to this VM so that we can download the required software. As per the diagram, I have attached a public IP to my VM, so take RDP over the public IP.

After RDP, install the software in the order mentioned below.

Visual Studio Emulator for Android – Life saver!

I selected the below version of Windows 10 for provisioning the VM on Azure. I also selected the Ds4v3 series and Gen1 for provisioning. Go ahead and provision the Azure VM.



Install Hyper V

Log in to your VM and configure Hyper V on top of it. Open the Run window -> type “appwiz.cpl” -> click on “Turn Windows features on or off” -> select all options under the Hyper V option -> select the option “Windows Hypervisor Platform”. After successful installation, restart the VM. Refer to the screenshot below.



Install Java

VS Emulator for Android requires Java, so install it using the link https://www.java.com/download/.
Restart the machine.

Install Visual Studio Emulator for Android

Go to this page - https://visualstudio.microsoft.com/vs/msft-msandroid-emulator/ and install VS Emulator for Android. Remember, we don’t have to install the complete Visual Studio here. The Visual Studio based Android emulator is based on hardware acceleration and it will not work on an Azure VM. At least I could not make it work after a lot of attempts.

The successful installation screen is shown below. It should also appear in the Start menu.

After installation, restart the Azure VM.



Install Android Studio

Install Android Studio from the link https://developer.android.com/studio#downloads. The current version as of today is Android Studio 3.6.3. Install with the default selected options. After successful installation you will see an option “start android studio”. Select this option and click Finish as shown.

This launches Android Studio and starts configuration of the Android emulator. Continue with the standard configuration with default options selected. You will see that the HAXM installation failed. This is expected behavior: as Hyper V is already enabled, HAXM is bound to fail. You will get a screen as follows:



This completes the installation of all required software. Restart the machine.

Integrating Android Studio to use Visual Studio Emulator for Android

The default path of the Android SDK for me is C:\Users\kunal\AppData\Local\Android\Sdk.

We need to set a specific registry key to tell Visual Studio Emulator for Android where the Android SDK is located. To set the needed registry key, run the script below in PowerShell on the Azure VM. If you have installed the SDK on a different path, change the path in the script accordingly.

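# Run from an elevated PowerShell session; writing under HKLM requires administrator rights.
# Resolve the Android SDK folder (default: %LOCALAPPDATA%\Android\Sdk) to a plain string.
$androidSdkPath = (Resolve-Path (Join-Path $env:APPDATA "..\Local\Android\Sdk")).Path

$registryKeyPath = "HKLM:\Software\WOW6432Node\Android Sdk Tools"
# Create the key only if it is missing, so re-running the script does not fail.
if (-not (Test-Path $registryKeyPath)) { New-Item -Path $registryKeyPath }
New-ItemProperty -Path $registryKeyPath -Name Path -PropertyType String -Value $androidSdkPath -Force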


Successful execution of the script will look like the view below.



Running Android Studio with VS Emulator for Android

First open Visual Studio Emulator for Android. On the launch screen you will see all versions available in this emulator. You will see that the last version available here was API 23 Marshmallow. Refer to the screenshot below.

From the above screen I downloaded the red marked device for the emulator. When you click on the green checkmark, the device emulator starts as shown below.



Now open Android Studio. Click on “Start a new Android Project” on the start screen. Then select the project template Basic Activity. Click Next. On the “Configure your project” screen I selected Java as the language and kept the rest of the settings as is. Click Finish. Creating the new project will take a few minutes. The final screen will be visible as shown. As you can see, VS Emulator is also visible in the screenshot below. This means Android Studio has picked up VS Emulator for Android.

Go ahead and click on Run to deploy your test application on this emulator.

After deployment you will see your application running on Visual Studio Emulator for Android as shown below.

Follow general security best practices when you take RDP over the internet to this VM, such as whitelisting incoming IPs in the NSG.

Disclaimer

Visual Studio Emulator for Android is obsolete, and the last version of Android available in it is API 23 – Android 6.0 - Marshmallow. However, Android is currently at API 29 – Android 10.0 - Q.
I know we are not running on the latest version; however, this workaround unblocks us in the current Covid-19 situation.

Also, the top of this page - https://visualstudio.microsoft.com/vs/msft-msandroid-emulator/ - explains that the current version of the Android Emulator uses hardware acceleration. VS Emulator for Android is an older version of it and is not recommended.

However, I chose this solution for my customers for now, as it unblocks the customer immediately with the power of the Azure cloud.

Also, my customer was not able to perform any Android specific development task due to the Corona virus situation. So even with an older version, at least the customer was able to continue the business, and that was more important.

I repeat, the VS emulator used in the above approach is an obsolete, older version. For the best experience you should switch to a hardware based emulator using either HAXM or WHPX. The approach stated above is a workaround for now. Maybe in future Microsoft Azure will release “absolutely non restricted Hyper V” supporting VMs and it may work.

Please note, this recommendation is my personal recommendation and in no way it represents the company I work for.

Bonus Tip

You can very well use this approach with Azure Windows Virtual Desktop [WVD]. On top of it, if you want to test your APK on a device connected over USB, you can enable the local laptop USB while you take RDP to WVD and make it work.

Conclusion

Hope this article helped you get started quickly with Android Studio and the Android emulator on an Azure VM. Let me know your views and thoughts on this approach in the comments section below.
Happy emulating!!

A humble request!

Internet is creating a lot of digital garbage. If you feel this a quality blog and someone will definitely get benefited, don't hesitate to hit share button present below. Your one share will save many precious hours of a developer. Thank you.

Friday, April 17, 2020

Azure Function for generating Azure AD Token using .NET core

10 min to read.


Abstract

Development is a struggle, a continuous struggle. With serverless this struggle is becoming more and more imminent. Developers are still trying to get comfortable with serverless technologies.

Azure Function is one of the key serverless offerings on Azure today. Azure Function is becoming the backbone for many serverless and microservice based applications.

Recently, after I wrote the Azure AD token generator using .NET Core, I immediately got a lot of requests to make this code run in an Azure Function, and here we are!

So in this blog we will create an Azure Function to generate an Azure AD token using .NET Core.

Let’s go!

Architecture

Refer to the diagram below for the overall components used for running this code in Azure Function.

To publish the code of the Azure AD token generator using .NET Core to Azure Function, I plan to use Visual Studio. A publish operation from Visual Studio to Azure Function deploys the code as a .zip file.

When we create an Azure Function, creating an Azure storage account is also an important and mandatory step. When we publish code from Visual Studio, behind the scenes an Azure Files share is created in the associated storage account and the .zip is actually copied to the file share.

This file share is then mapped to the Azure Function compute behind the scenes and used for running the actual application from the Bin folder, as shown above.

Function keys are used to get administrative access to the Function runtime. These keys are stored securely in Blob Storage, which also gets created automatically in the associated storage account.

Making Azure Function async

First create an Azure Function project in Visual Studio as shown below.

If you have seen the GitHub code of the Azure AD token generator using .NET Core, you will observe that the entire code is built using the async mechanism and the token is also received asynchronously. When we create an Azure Function project, the Azure Function startup method is not async by default. So let us make it async as shown below.

Then copy the code from GitHub and remove all Console specific methods. Instead, make all methods log information as shown in the screenshot below.



Publishing from Visual Studio

After completing the code changes, it is time to publish to Azure Function. You can either create a new Azure Function from the Azure portal and specify it during publish, or simply create a new resource group and Function from the Visual Studio publish screen itself. In this tutorial, I am creating a new Azure Function from the Azure portal as shown below.

I have created a TimerTrigger function. Then click on the Publish button of your Azure Function project in Solution Explorer and make sure you select the existing Function to create the publish profile as shown below.

Then continue further to publish to Azure Function.

Benefits of running Azure function from package file

In the above screenshot of creating the profile you might have observed a checkbox: “Run from a package file”.
This is really important. It sets the Azure Function to run from the package file only, which means your Azure Function runs directly from a deployment package file in your Function App. Running the function from a package file:

1. Reduces the risk of file copy locking issues
2. Improves performance of the Function App drastically
3. Reduces code start time
4. Automatically removes unwanted files from the final deployment package.

My current Function app is based on Windows and .NET Core, therefore in the architecture diagram you might have observed the setting below:

WEBSITE_RUN_FROM_PACKAGE = 1

This setting tells the Function app to run from the package file. You can also view this setting in the “Application Settings” tab of the Azure Function as shown below.



Other ways of deployment

I can also write the Azure Function code directly in the Azure portal editor. However, I have seen a lot of issues with adding NuGet package references in Azure Function. Deploying from Visual Studio [for .NET code] or VS Code [all other languages including .NET] makes it easy in all respects, as all dependent assemblies and files get packaged in the .zip.

When you deploy the Azure Function from Visual Studio with .zip package deployment, your Azure Function automatically becomes read only and shows the message below:

Your app is currently in read only mode because you are running from a package file. To make any changes update the content in your zip file and WEBSITE_RUN_FROM_PACKAGE app setting.

Well, this is fine because the deployment is governed by Visual Studio anyway, so we don’t need to make any code changes from the portal. The rest of the platform specific features never become read only. So I definitely recommend deploying the Azure Function using VS, VS Code or DevOps.

Verifying the .zip package and Azure File Share

After deployment, you can verify that the .zip package is actually present in the Azure File Share of the storage account and that it is mapped to the D drive in the Kudu console of the Azure Function. See below.



Running the Azure Function and view the Azure AD Token

Run the Function and you should be able to view the generated Azure AD token as shown below.

I created a TimerTrigger Azure Function to get an Azure AD token at regular intervals. This is because my next blog is about Azure API Management monitoring, which requires Azure AD token generation at regular intervals from a Function. You can also use an HttpTrigger Azure Function to generate the Azure AD token. So stay tuned for the next blog soon!

Conclusion

Hope this article helped you get a serverless Azure Function for generating an Azure AD token using .NET Core. Let me know your views and thoughts on this approach in the comments section below.

Happy token generating!!

Saturday, April 4, 2020

Azure AD Token Generator using .NET Core

10 min to read.

Abstract

Change is inevitable. With .NET Framework becoming legacy and .NET Core stated as the future, many migration projects are getting triggered. For new projects, too, the development choice is .NET Core by default.

Last year, in April 2019, I wrote a blog post on how to create a service principal or app registration in Azure AD.

It is one of my most visited blog posts. The reason is simple: any functionality that needs to invoke the Azure REST API requires Azure AD token generation. This helps in performing management tasks against an Azure environment, and hence it is crucial.

Last year’s blog is based on the .NET Framework.

With .NET Core becoming a more and more obvious choice, I thought it was time for a new blog post and a new code base for a “.NET Core based Azure AD token generator using a service principal”.

Let’s go!


Why do I need to generate the Azure AD token?

This is a common question I get: what are the scenarios where I need to generate an Azure AD token from code and use it? The diagram below lists a few tasks where I will use the Azure AD token generator code.



App registration and assign permissions to Azure AD application

The concepts of the Azure AD service principal and application registration, and the process of creating a service principal, remain the same for .NET Core too.

The only change we will see is in the codebase.

So follow my earlier blog and perform the tasks below:
1. Create an Azure service principal by app registration
2. Record the Tenant ID, Application ID and Secret key
3. Assign the correct permissions to the Azure AD app

If things are still not clear after following the earlier blog, refer to the document “How and Why applications are added to Azure AD”.

.NET Core code base for Azure AD token generation


Let us understand the code base for .NET Core. The code is now fundamentally different from the .NET Framework version. However, the Tenant ID, Application ID and Secret Key of Azure AD are used in the same way as in the .NET Framework code.
Build the confidential client application as below.

This class is present in the NuGet package Microsoft.Identity.Client, and I am using version 4.10.0 for this project.


Azure AD authentication has many applicable flows. The flow we are using in our code is the “Azure AD Client Credentials” flow. For the client credentials flow we have to provide a scope.

A scope is the boundary within which the granted access token is valid. If you request a token for one scope and use it for another, the request will be denied. For example, you provide the scope https://api.loganalytics.io/ [Log Analytics resource scope] while requesting a token from Azure AD.

This means that with the generated token we can perform operations ONLY on Log Analytics. If, after getting the token, you try to access an Azure Storage resource, whose scope is https://storage.azure.com/, it will be denied. So providing the correct scope is crucial.

The format of the scope for “Client Credentials” is always of the shape “resource/.default”, so configure the scope as below. In my example I am using the scope for Azure Log Analytics.



Now for this scope we retrieve the access token as below.

Further, we can use this token with Postman to perform Azure management operations. Alternatively, we can integrate this code into Azure Functions or applications to get a token at runtime without user credentials and perform the required administrative operations against the Azure environment.
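
The client credentials request and the scope boundary described above, as an added PowerShell example (not the code from this post or its GitHub repository). It calls the Azure AD v2.0 token endpoint directly instead of using MSAL, and the environment variable names are assumptions.

```powershell
# Added example, not from the original post or its GitHub repository.
# It calls the Azure AD v2.0 token endpoint directly instead of using MSAL.
# The environment variable names are assumptions; never hard-code the secret.
$tenantId     = $env:AAD_TENANT_ID
$clientId     = $env:AAD_CLIENT_ID
$clientSecret = $env:AAD_CLIENT_SECRET

$resource = 'https://api.loganalytics.io'   # resource named in the post
$scope    = "$resource/.default"            # client credentials scope: resource/.default

$response = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = $scope
    }

# Decode the JWT payload for inspection only (this does not verify the signature).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) {      # restore the padding that base64url strips
        2 { $segment += '==' }
        3 { $segment += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

$claims  = ConvertFrom-JwtPayload -Jwt $response.access_token
$expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime

# The audience (aud) is the boundary the post describes: a token issued for
# Log Analytics is rejected by Azure Storage. Print claims, never the token.
# Some resources report a GUID audience; MatchesTarget is then False.
[pscustomobject]@{
    Audience      = $claims.aud
    MatchesTarget = ($claims.aud.TrimEnd('/') -eq $resource)
    ExpiresUtc    = $expires
}
```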

Download code

The entire code is available for download from GitHub at https://github.com/kunalchandratre1/AzureADTokenGeneratorNETCore

Conclusion

Hope this article helped you get quick code for generating an Azure AD token using .NET Core. Let me know your views and thoughts on this approach in the comments section below.
Happy token generating!!


Monday, March 9, 2020

Bypassing on premises firewall to RDP or SSH into Azure VM

12 min to read.

Abstract

Believe it or not! The on-premises firewall port opening process is proving to be the number one blocker for Azure adoption until a Site to Site VPN or Azure Express Route is set up.

The problem is not with changing the firewall rules to access an Azure VM by RDP or SSH; it is the “process” set up by enterprises to allow outbound traffic from their on premises network to Azure, or to the internet in general.

I am not saying the security teams working on on premises environment security are bad; it is their job to keep things secure, and hence they will always hesitate, seek approval or seek clarifications before opening port 3389 or 22 for outbound traffic from their network.

In this blog post I will illustrate a way by which you can access an Azure VM by RDP or SSH without asking your internal network/security team to open any ports.

Let’s go!

Problem Statement

Refer to the diagram below.



1. As you can see in the diagram above, your laptop is sitting in your organization’s network, which is a controlled environment with firewall and proxy devices.
2. You have an Azure VM with public IP x.x.x.x as shown in the diagram.
3. To RDP/SSH into the Azure VM you need to use the standard ports: 3389 for RDP and 22 for SSH.
4. There is no Site to Site or Express Route connection between your on premises network and the Azure environment.
5. Your organization’s on premises firewall device blocks any outbound internet traffic on port 3389/22.
6. Hence RDP/SSH to the Azure VM from your laptop fails.

So you may say: let me talk to my network/security/firewall team and see if they can open port 3389/22 outbound for my laptop IP.

Well, you can do that, but in my experience it takes weeks to get 3389/22 opened for the internet or even for a particular IP. Organizations also have a set process for opening ports and modifying firewall rules. As security teams and firewall operations always go through stringent audit and compliance processes, it will always be a big battle for you.

If you are a financial organization, then opening up 3389/22 over the internet on premises is never happening!

The most secure solution is to use either Site to Site VPN or Express Route to connect to Azure VMs. However, configuring these also takes time.

So what is the solution to quickly get started with RDP/SSH to an Azure VM without opening on premises firewall rules?

Solution architecture – Have Azure VM behind Azure Load Balancer


Although all on premises firewalls/proxy servers will block ports 3389/22, they will always have port 443 open outbound. For example, if I access https://google.com from my laptop in the above diagram, it is accessed over port 443, as most trusted sites work on https and the default port for https is 443.

So if I take RDP/SSH from my laptop over port 443 instead of port 3389/22, then traffic originating from my laptop should cross the on premises firewall and reach outside.

The question is: how do I allow RDP/SSH over 443? Because the default port of RDP is 3389 and of SSH is 22, and it can’t be changed. This is where I need “Inbound Network Address Translation [Inbound NAT]”.

This means my traffic should reach the Azure VM over 443, but port 443 needs to be translated/changed to 3389 or 22. However, an Azure VM can’t do inbound NAT, and this is where we need Azure Load Balancer.

Azure Load Balancer is an awesome PaaS service. It takes care of inbuilt HA for you. It comes in 2 flavors:
1. Basic - Free
2. Standard – Cost is associated with it.

For our case we can use Standard or Basic. I am a poor guy and always love to avoid unnecessary spend, because I have given the contract for unnecessary spend to my better half. So I will use the Basic layer 4 Azure Load Balancer for this tutorial.

Refer to the diagram below.



1. From the local laptop, use port 443 for SSH or RDP instead of the standard ports.
2. As the traffic to the Azure VM is over 443, it is allowed by the on premises firewall.
3. The request for RDP/SSH lands on the Azure public Load Balancer.
4. The inbound NAT rules are processed and the incoming traffic is translated to port 3389/22, then forwarded to the backend pool, which is the VM we want to access.
5. Similarly, as the session is established from within the on premises firewall, the return traffic flows back seamlessly to our laptop.

This way, even if we don’t open any ports in the on premises firewall, we are able to reach our VM on Azure.

Azure Public Load Balancer configuration

I am assuming your Azure VM has a public IP, so follow the rest of the process.

First we will remove the existing public IP assigned to the VM NIC so that we can use the same public IP for the Azure LB. As we are bringing the Azure VM behind the Azure LB, we don’t need a public IP for the Azure VM.

The screenshot below depicts how you can disable the public IP for the Azure VM NIC.

The IP that we assign to the Azure LB during creation will be configured automatically as the “Frontend IP configuration” within the Azure LB.

Create the LB as shown. Attach the same public IP which we removed from the Azure VM NIC. You can also create a new one to attach to the LB, but it is not required. Let us use the existing public IP.



Configure the existing VM as backend as shown below –



Then click on “Inbound NAT rules -> Add”. Provide the values as shown below –



In the above NAT rule I am setting the custom port to 3389, as I have a Windows VM to which I am doing RDP. If you have a Linux VM, you should set the custom port to 22.

After configuring the NAT rule in the Azure LB, if you look at the VM you will still see the same public IP attached. Even though it shows the public IP attached to the Azure VM, it is actually attached to the Azure Load Balancer. This can be confirmed from the public IP information blade in the Azure portal as shown below:



RDP view

If you now try to RDP using simply the public IP as below, it will not work, because by default the system assumes port number 3389.

Try the same RDP with port 443 and it should be successful as below:



In case this doesn’t work, make sure the NSG attached to the VM is not blocking any traffic from the Azure Load Balancer. A default rule in the NSG allows all traffic from the load balancer to the Azure VM, and its weight is 65001, as shown below:

If you have added any other rule with a lower weight value than 65001, then that rule might be blocking communication from the load balancer to the Azure VM. So kindly check the NSG rules if this doesn’t work.
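
The NSG check above, combined with the source IP allow-listing this page recommends for RDP over the internet, as an added PowerShell example (not from the original post). It assumes the Az PowerShell module, an authenticated session and hypothetical resource names; NSG rules are evaluated after the load balancer's inbound NAT, so they match the backend port (3389 or 22) and the client's original source IP, not port 443.

```powershell
# Added example, not from the original post. Requires the Az PowerShell module
# and an authenticated session (Connect-AzAccount). Names and the IP below are
# hypothetical placeholders.
$resourceGroup = 'rg-example'        # hypothetical resource group
$nsgName       = 'vm-example-nsg'    # hypothetical NSG on the VM NIC or subnet
$allowedSource = '203.0.113.10/32'   # constructed value; use your organization's egress IP
$backendPort   = '3389'              # 3389 for RDP, 22 for SSH (target port of the NAT rule)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName

# Inbound NAT happens on the load balancer before NSG evaluation, so rules are
# matched against the backend port and the client's real source IP.
# Find custom inbound Allow rules that open the backend port to any source.
# (Exact match only: a range such as 3000-4000 is not detected here.)
$anySource = '*', 'Internet', '0.0.0.0/0'
$openRules = @($nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.DestinationPortRange -contains $backendPort -or $_.DestinationPortRange -contains '*') -and
    ($_.SourceAddressPrefix | Where-Object { $_ -in $anySource })
})
$openRules | Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange

# Add a rule scoped to the known source; pick a priority not already in use.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name 'Allow-Remote-Admin-Known-Source' `
    -Description 'RDP/SSH through LB inbound NAT from a known egress IP only' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 300 `
    -SourceAddressPrefix $allowedSource -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $backendPort | Out-Null

# Remove the any-source rules found above, then push the change to Azure.
foreach ($rule in $openRules) {
    Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name | Out-Null
}
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
```

Confirm the egress IP before applying the change, since removing the any-source rule ends access from every other address.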

Benefits of this approach

The biggest benefit of this approach is that you don’t have to inform your security/firewall teams of anything. It works seamlessly. The biggest problem I see with it is the security risk.

Bonus tip

Tip 1 –
Is this correct practice? Well, not really. But if you want to get started immediately while the port opening in your organization is in progress, or while the setup of Site to Site VPN or Express Route is going to take time, then this is a life saver.

Ultimately the aim should be to set up Site to Site VNET or Express Route to access Azure resources from your on premises network.

Tip 2 -
You can leverage an Azure offering called Azure Bastion.

Conclusion

Hope this article helped you get started on Azure VM quickly. Let me know your views and thoughts on this approach in the comments section below.
Happy hacking!!
