AzureVMPublicIPUpgrade.psm1
Function Start-VMPublicIPUpgrade { <# .SYNOPSIS Upgrades all public IP addresses attached to a VM to Standard SKU. .DESCRIPTION This script upgrades the Public IP Addresses attached to VM to Standard SKU. In order to perform the upgrade, the Public IP Address allocation method is set to static before being disassociated from the VM. Once disassociated, the Public IP SKU is upgraded to Standard, then the IP is reassociated with the VM. Because the Public IP allocation is set to 'Static' before detaching from the VM, the IP address will not change during the upgrade process, even in the event of a script failure. Because Standard SKU Public IPs require an associated Network Security Group, the script will prompt to proceed if a VM is processed where both the NIC and subnet do not have an NSG associated with them. If the script is run with the '-ignoreMissingNSG' parameter, the script will not prompt and will continue with the upgrade process; if -skipVMMissingNSG is specified, the script will skip upgrading that VM. Recovering from a failure: The script exports the Public IP address and IP configuration associations to a CSV file before beginning the upgrade process. In the event of a failure during the upgrade, this file can be used to retry the migration and attach public IPs with the appropriate IP configuration. To initate a recovery, follow these steps: 1. Review the log 'PublicIPUpgrade.log' file to determine which VM was in process during the failure 2. Determine if the script failed due to a configuration issue that needs to be addressed before retrying the migration. If so, address the error. 2. Get the name and resource group or full ID of the VM to recover (e.g. '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM') 3. Execute the script with the following syntax: ./Start-VMPublicIPUpgrade.ps1 -RecoverFromFile ./PublicIPUpgrade_Recovery_2020-01-01-00-00.csv -VMResourceId '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM' 4. The script will attempt to re-execute each step the migration. .NOTES PREREQUISITES: - VMs must not be associated with a Load Balancer to use this script. - VM NICs or associated subnets should have an NSG associated with them. If the VM NIC or subnet does not have an NSG associated with it, the script will prompt. .LINK https://github.com/Azure/AzLoadBalancerMigration Please report issues at https://github.com/Azure/AzLoadBalancerMigration/issues .EXAMPLE Start-VMPublicIPUpgrade -VMName 'myVM' -ResourceGroupName 'myRG' # Upgrade a single VM, passing the VM name and resource group name as parameters. .EXAMPLE Start-VMPublicIPUpgrade -VMName 'myVM' -ResourceGroupName 'myRG' -WhatIf # Evaluate upgrading a single VM, without making any changes .EXAMPLE Get-AzVM -ResourceGroupName 'myRG' | Start-VMPublicIPUpgrade -skipVMMissingNSG # Attempt upgrade of every VM the user has access to. VMs without Public IPs, which are already upgraded, or which do not have NSGs will be skipped. .EXAMPLE Start-VMPublicIPUpgrade -RecoverFromFile ./PublicIPUpgrade_Recovery_2020-01-01-00-00.csv -VMName myVM -VMResourceGroup -rg-myrg # Recover from a failed migration, passing the name and resource group of the VM to recover, along with the recovery log file. .EXAMPLE $VMs = Get-AzVM -ResourceGroupName rg-*-prod ForEach ($vm in $VMs) { Start-Job -Name $vm.Name -ScriptBlock { $params = @{ vmName = $args[0].Name resourceGroupName = $args[0].ResourceGroupName logFilePath = '{0}{1}' -f $args[0].Name,'name_PublicIPUpgrade.log' recoveryLogFilePath = '{0}{1}' -f $args[0].Name,'name_PublicIPUpgrade_recovery.csv' } Start-VMPublicIPUpgrade.ps1 @params -WhatIf } -ArgumentList $vm -InitializationScript {Import-Module Az.Accounts, Az.Compute, Az.Network, Az.Resources} } # Upgrade all VMs in Resource Groups with '-prod' in the name, using PowerShell jobs to run the script in parallel. #> param ( # vm name [Parameter(Mandatory = $true, ParameterSetName = 'VMName')] [Parameter(Mandatory = $true, ParameterSetName = 'Recovery-ByName')] [string] $vmName, # vm resource group name [Parameter(Mandatory = $true, ParameterSetName = 'VMName')] [Parameter(Mandatory = $true, ParameterSetName = 'Recovery-ByName')] [string] $resourceGroupName, # vm object [Parameter(Mandatory = $true, ParameterSetName = 'VMObject', ValueFromPipeline = $true)] [Microsoft.Azure.Commands.Compute.Models.PSVirtualMachine] $VM, # vm resource id [Parameter(Mandatory = $true, ParameterSetName = 'VMResourceId')] [Parameter(Mandatory = $true, ParameterSetName = 'Recovery-ById')] [string] $vmResourceId, # vm resource id [Parameter(Mandatory = $true, ParameterSetName = 'Recovery-ById')] [Parameter(Mandatory = $true, ParameterSetName = 'Recovery-ByName')] [string] $recoverFromFile, # recovery log file path - log Public IP address and IP configuration associations for recovery purposes [Parameter(Mandatory = $false)] [string] $recoveryLogFilePath = "PublicIPUpgrade_Recovery_$(Get-Date -Format 'yyyy-MM-dd-HH-mm').csv", # log file path [Parameter(Mandatory = $false)] [string] $logFilePath = "PublicIPUpgrade.log", # skip check for NSG association, migrate anyway - Basic Public IPs allow inbound traffic without an NSG, but Standard Public IPs require an NSG. Migrating without an NSG will break inbound traffic flows! [Parameter(Mandatory = $false)] [switch] $ignoreMissingNSG, # skip VMs missing NSGs - if a VM is missing an NSG, skip migrating it [Parameter(Mandatory = $false)] [switch] $skipVMMissingNSG, # prompt for confirmation to migrate IPs [Parameter(Mandatory = $false)] [boolean] $confirm = $true, # whatif [Parameter(Mandatory = $false)] [switch] $WhatIf ) BEGIN { Function Add-LogEntry { param ( [parameter(Position = 0, Mandatory = $true)]$message, [parameter(Position = 1, Mandatory = $false)][ValidateSet('INFO', 'WARNING', 'ERROR')]$severity = 'INFO' ) # add timestamp to message, output to log and host $timestamp = Get-Date -Format 'yyyy-MM-ddTHH:mm:sszz' switch ($severity) { 'INFO' { "[{0}][{1}] {2}" -f $timestamp, $severity, $message | Tee-Object -FilePath $logFilePath -Append | Write-Host } 'WARNING' { "[{0}][{1}] {2}" -f $timestamp, $severity, $message | Tee-Object -FilePath $logFilePath -Append | Write-Warning } 'ERROR' { "[{0}][{1}] {2}" -f $timestamp, $severity, $message | Tee-Object -FilePath $logFilePath -Append | Write-Error } } } # set error action preference If ($WhatIf) { $ErrorActionPreference = 'Continue' } Else { $ErrorActionPreference = 'Stop' } Add-LogEntry "####### Starting VM Public IP Upgrade process... #######" # prompt to continue if -Confirm is $false or -WhatIf are not specified If (!$WhatIf -and $confirm) { While ($promptResponse -notmatch '[yYnN]') { $promptResponse = Read-Host "This script will upgrade all public IP addresses attached to the specified VM or VMs to Standard SKU. This will cause a brief interruption to network connectivity. Do you want to continue? (y/n)" } If ($promptResponse -match '[nN]') { Add-LogEntry "Exiting script..." -severity WARNING return } Else { Add-LogEntry "Continuing with script..." } } # initalize recovery log file header Add-Content -Path $recoveryLogFilePath -Value 'publicIPAddress,publicIPID,ipConfigId,VMId' -Force Add-LogEntry "Creating recovery log file at '$($recoveryLogFilePath)'" } PROCESS { # get vm object, depending on parameters passed If ($PSCmdlet.ParameterSetName -in 'VMName', 'Recovery-ByName') { Add-LogEntry "Getting VM '$($VMName)' in resource group '$($resourceGroupName)'..." $VM = Get-AzVM -Name $vmName -ResourceGroupName $resourceGroupName } ElseIf ($PSCmdlet.ParameterSetName -in 'VMResourceId', 'Recovery-ById') { Add-LogEntry "Getting VM with resource ID '$($vmResourceId)'..." $VM = Get-AzResource -ResourceId $vmResourceId | Get-AzVM } Add-LogEntry "Processing VM '$($VM.Name)', id: $($VM.Id)..." # validate scenario If ($PSCmdlet.ParameterSetName -notin 'Recovery-ByName', 'Recovery-ById') { # confirm VM has public IPs attached, build dictionary of public IPs and ip configurations Add-LogEntry "Checking that VM '$($VM.Name)' has public IP addresses attached..." ## get NICs with public IPs attached $vmNICs = $VM.NetworkProfile.NetworkInterfaces | Get-AzResource | Get-AzNetworkInterface | Where-Object { $_.IpConfigurations.PublicIPAddress } ## build ipconfig/public IP table $publicIPIDs = @() $publicIPIPConfigAssociations = @() ForEach ($ipConfig in $vmNICs.IpConfigurations) { If ($ipConfig.PublicIPAddress) { $publicIPIDs += $ipConfig.PublicIPAddress.id $publicIPIPConfigAssociations += @{ publicIPId = $ipConfig.PublicIPAddress.id ipConfig = $ipConfig publicIP = '' publicIPAddress = '' } } } If ($publicIPIPConfigAssociations.count -lt 1) { Add-LogEntry "VM '$($VM.Name)' does not have any public IP addresses attached. Skipping upgrade." -severity WARNING return } Else { Add-LogEntry "VM '$($VM.Name)' has $($publicIPIPConfigAssociations.count) public IP addresses attached." } # confirm public IPs are Basic SKU (VM should only have one SKU) Add-LogEntry "Checking that VM '$($VM.Name)' has Basic SKU public IP addresses..." $publicIPs = $publicIPIDs | ForEach-Object { Get-AzResource -ResourceId $_ | Get-AzPublicIpAddress } If (( $publicIPSKUs = $publicIPs.Sku.Name | Get-Unique) -ne @('Basic')) { Add-LogEntry "Public IP address SKUs for VM '$($VM.Name)' are not Basic. SKUs are: '$($publicIPSKUs -join ',')'. Skipping upgrade." WARNING return } Else { Add-LogEntry "Public IP address SKUs for VM '$($VM.Name)' are Basic." } # confirm VM is not associated with a load balancer Add-LogEntry "Checking that VM '$($VM.Name)' is not associated with a load balancer..." If ($VMNICs.IpConfigurations.LoadBalancerBackendAddressPools -or $VMNICs.IpConfigurations.LoadBalancerInboundNatRules) { Add-LogEntry "VM '$($VM.Name)' is associated with a load balancer. The Load Balancer cannot be a different SKU from the VM's Public IP address(s) and must be upgraded simultaneously. See: https://learn.microsoft.com/azure/load-balancer/load-balancer-basic-upgrade-guidance" ERROR return } Else { Add-LogEntry "VM '$($VM.Name)' is not associated with a load balancer." } # confirm VM is not a member of an Availability Set Add-LogEntry "Checking that VM '$($VM.Name)' is not a member of an Availability Set..." If ($VM.AvailabilitySetReference) { Add-LogEntry "VM '$($VM.Name)' is a member of an Availability Set. Availability Sets cannot have VMs with different Public IP address SKUs, requiring all Public IPs to be upgraded at the same time, which this script does not support. Skipping upgrade..." WARNING return } Else { Add-LogEntry "VM '$($VM.Name)' is not a member of an Availability Set." } # confirm that each NIC with a public IP address associated has a Network Security Group Add-LogEntry "Checking that VM '$($VM.Name)' has a Network Security Group associated with each NIC..." ## build hash of subnets associated with VM NICs $VMNICSubnets = @{} ForEach ($nic in $vmNICs) { ForEach ($subnetId in $nic.IpConfigurations.Subnet.id) { $subnet = Get-AzResource -ResourceId $subnetId | Get-AzVirtualNetworkSubnetConfig $VMNICSubnets[$subnet.id] = $subnet } } ## check that each NIC or all subnets have NSGs associated $nicsMissingNSGs = 0 $ipConfigNSGReport = @() ForEach ($vmNIC in $vmNICs) { $ipconfigSubnetsWithoutNSGs = 0 $ipconfigSubnetNSGs = @() ForEach ($ipconfig in $vmNIC.IpConfigurations) { If ($VMNICSubnets[$ipconfig.Subnet.id].NetworkSecurityGroup) { $ipconfigSubnetNSGs += @{ ipConfigId = $ipconfig.id subnetId = $ipconfig.Subnet.Id subnetHasNSG = $true subnetNSGID = $VMNICSubnets[$ipconfig.Subnet.id].NetworkSecurityGroup.id nicHasNSG = $null -ne $vmNIC.NetworkSecurityGroup nicNSGId = $vmNIC.NetworkSecurityGroup.id } } Else { $ipconfigSubnetsWithoutNSGs++ $ipconfigSubnetNSGs += @{ ipConfigId = $ipconfig.id subnetId = $ipconfig.Subnet.Id subnetHasNSG = $false subnetNSGId = '' nicHasNSG = $null -ne $vmNIC.NetworkSecurityGroup nicNSGId = $vmNIC.NetworkSecurityGroup.id } } } If ($ipconfigSubnetsWithoutNSGs -gt 0 -and !$vmNIC.NetworkSecurityGroup) { $ipCOnfigNSGReport += $ipconfigSubnetNSGs $nicsMissingNSGs++ } } If ($nicsMissingNSGs -gt 0) { Add-LogEntry "VM '$($VM.Name)' has associated Public IP Addresses, but IP Configurations where neither the NIC nor Subnet have an associated Network Security Group. Standard SKU Public IPs are secure by default, meaning no inbound traffic is allowed unless an NSG explicitly permits it, whereas a Basic SKU Public IP allows all traffic by default. See: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku." WARNING Add-LogEntry "IP Configs Missing NGSs Report: $($ipConfigNSGReport | ConvertTo-Json -Depth 3)" WARNING While ($promptResponse -notmatch '[yYnN]' -and !$ignoreMissingNSG -and !$skipVMMissingNSG) { $promptResponse = Read-Host "Do you want to proceed with upgrading this VM's Public IP address without an NSG? (y/n)" } If ($promptResponse -match '[nN]' -or $skipVMMissingNSG) { Add-LogEntry "Skipping migrating this VM due to missing NSG..." -severity WARNING return } ElseIf ($ignoreMissingNSG) { Add-LogEntry "Skipping NSG check because -ignoreMissingNSG was specified" WARNING } Else { Add-LogEntry "Continuing with script..." } } Else { Add-LogEntry "VM '$($VM.Name)' has a Network Security Group associated with each NIC or subnet." } } Else { ### Failed Migration Recovery ### # import recovery info Add-LogEntry "Importing recovery file for VM '$($VM.Name)' from file '$($recoverFromFile)'" $recoveryInfo = Import-Csv -path $recoverFromFile | Where-Object { $_.VMId -eq $VM.Id } Add-LogEntry "Building recovery objects for VM '$($VM.Name)' based on recovery file '$($recoverFromFile)'..." # rebuild migration objects from recovery to retry $publicIPIDs = $recoveryInfo.PublicIPID $vmNICs = @() $vmNICsById = @{} $recoveryInfo.ipConfigId | ForEach-Object { ($_ -split '/ipConfigurations/')[0] } | Select-Object -Unique | ForEach-Object { $_ | Get-AzNetworkInterface } | ForEach-Object { $vmNICs += $_ $vmNICsById[$_.id] = $_ } $publicIPIPConfigAssociations = @() ForEach ($recoveryItem in $recoveryInfo) { $ipConfigSplit = $recoveryItem.ipConfigId -split '/ipConfigurations/' $publicIPIDs += $ipConfig.PublicIPAddress.id $publicIPIPConfigAssociations += @{ publicIPId = $recoveryItem.publicIPID ipConfig = Get-AzNetworkInterfaceIpConfig -NetworkInterface $vmNICsById[$ipConfigSplit[0]] -Name $ipConfigSplit[1] publicIP = Get-AzResource -ResourceId $recoveryItem.publicIPID | Get-AzPublicIpAddress publicIPAddress = $recoveryItem.publicIPAddress } } $publicIPs = $publicIPIPConfigAssociations.publicIP } # start upgrade process # export recovery data and add public ip object to assocation object ForEach ($publicIP in $publicIPs) { $publicIPIPConfigAssociations | Where-Object { $_.publicIPId -eq $publicIP.id } | ForEach-Object { $_.publicIPAddress = $publicIP.IpAddress $_.publicIP = $publicIP Add-Content -Path $recoveryLogFilePath -Value ('{0},{1},{2},{3}' -f $_.publicIPAddress, $_.publicIPId, $_.ipConfig.id, $VM.Id) -Force } } try { # set all public IPs to static assignment Add-LogEntry "Setting all public IP addresses to static assignment..." ForEach ($publicIP in $publicIPIPConfigAssociations.publicIP) { Add-LogEntry "Setting public IP address '$($publicIP.Name)' ('$($publicIP.IpAddress)') to static assignment..." $publicIP.PublicIpAllocationMethod = 'Static' If (!$WhatIf) { $publicIP = Set-AzPublicIpAddress -PublicIpAddress $publicIP } Else { Add-LogEntry "WhatIf: Set-AzPublicIpAddress -PublicIpAddress $($publicIP.id)" } } # disassociate all public IPs from the VM Add-LogEntry "Disassociating all public IP addresses from the VM..." Foreach ($nic in $vmNICs) { ForEach ($ipConfig in $nic.IpConfigurations | Where-Object { $_.PublicIPAddress }) { Add-LogEntry "Confirming that Public IP allocation is 'static' before disassociating..." If ((Get-AzResource -ResourceId $ipConfig.PublicIpAddress.Id | Get-AzPublicIpAddress).PublicIpAllocationMethod -ne 'Static') { If (!$WhatIf) { Write-Error "Public IP address '$($ipConfig.PublicIpAddress.Id)' is not set to static allocation! Script will exit to ensure that the VM's public IP addresses are not lost." return } Else { Add-LogEntry "WhatIf: Public IP address '$($ipConfig.PublicIpAddress.Id)' not changed from 'Dynamic' in WhatIf mode." } } If (!$WhatIf) { Add-LogEntry "Disassociating public IP address '$($ipConfig.PublicIpAddress.Id)' from VM '$($VM.Name)', NIC '$($nic.Name)'..." Set-AzNetworkInterfaceIpConfig -NetworkInterface $nic -Name $ipConfig.Name -PublicIpAddress $null | Out-Null } Else { Add-LogEntry "WhatIf: Disassociating public IP address '$($ipConfig.PublicIpAddress.Id)' from VM '$($VM.Name)', NIC '$($nic.Name)'..." } } Add-LogEntry "Applying updates to the NIC '$($nic.Name)'..." If (!$WhatIf) { $nic | Set-AzNetworkInterface | Out-Null } Else { Add-LogEntry "WhatIf: Updating NIC with: `$nic | Set-AzNetworkInterface" } } # upgrade all public IP addresses Add-LogEntry "Upgrading all public IP addresses to Standard SKU..." ForEach ($publicIP in $publicIPIPConfigAssociations.publicIP) { Add-LogEntry "Upgrading public IP address '$($publicIP.Name)' to Standard SKU..." $publicIP.Sku.Name = 'Standard' If (!$WhatIf) { Set-AzPublicIpAddress -PublicIpAddress $publicIP | Out-Null } Else { Add-LogEntry "WhatIf: Set-AzPublicIpAddress -PublicIpAddress $($_.id)" } } } catch { Write-Error "An error occurred during the upgrade process. We will try to reassociate all IPs with the VM: $_" } finally { # always reassociate all public IPs to the VM Add-LogEntry "Reassociating all public IP addresses to the VM..." try { Foreach ($nic in $vmNICs) { ForEach ($assocation in ($publicIPIPConfigAssociations | Where-Object { $_.ipconfig.Id -like "$($nic.Id)/*" })) { Add-LogEntry "Reassociating public IP address '$($assocation.publicIPId)' to VM '$($VM.Name)', NIC '$($nic.Name)'..." Set-AzNetworkInterfaceIpConfig -NetworkInterface $nic -Name $assocation.ipConfig.Name -PublicIpAddress $assocation.publicIP | Out-Null } Add-LogEntry "Applying updates to the NIC '$($nic.Name)'..." If (!$WhatIf) { $nic | Set-AzNetworkInterface | Out-Null } Else { Add-LogEntry "WhatIf: Updating NIC with: `$nic | Set-AzNetworkIntereface" } } } catch { Add-LogEntry "An error occurred while reassociating public IP addresses to the VM: $_" ERROR } } Add-LogEntry "Upgrade of VM '$($VM.Name)' complete.'" } END { Add-LogEntry "####### Upgrade process complete. #######" } } |