Tutorial / Cram Notes
The Emergency VM Access Service (EVA)
The Emergency VM Access Service (EVA) is a critical feature for managing and maintaining virtual machines (VMs) in a Microsoft Azure Stack Hub environment, particularly when standard access methods are unavailable. Azure Stack Hub operators may need to use EVA during situations where VMs become inaccessible due to misconfiguration, network issues, or when operating system (OS) level access is required for troubleshooting.
Understanding Emergency VM Access Service (EVA)
The Emergency VM Access (EVA) feature in Azure Stack Hub enables operators to gain access to the VMs when normal access methods, such as through Remote Desktop Protocol (RDP) or Secure Shell (SSH), are not possible. EVA is a last-resort tool that should be used judiciously because it gives operators the ability to log in to a VM with the highest privileges.
How to Enable EVA
To enable EVA on an Azure Stack Hub VM, operators must use the Privileged End Point (PEP). The PEP is a special VM in the Azure Stack Hub infrastructure that provides elevated permissions to perform certain tasks that can’t be done through the user portal or regular APIs.
Here are the steps to enable EVA for a VM:
- Connect to the Privileged End Point (PEP) session using Just Enough Administration (JEA). This can be done through a remote PowerShell session.
- Once connected, use the New-SEVMAccessToken cmdlet to create an access token. This token provides temporary access to the VM.
- Apply this access token to the target VM using the Set-SEVMAccessToken cmdlet. Specify the VM name and the access token generated in the previous step.
- After setting the token, you can connect to the VM’s special administrative account using the provided credentials.
Important Considerations
When using EVA, you should keep the following in mind:
- Only use EVA as a last resort when other access methods have failed.
- EVA access should be temporary and revoked after the necessary troubleshooting is completed.
- Keep a secure record of the use of EVA, as it involves high-level access to critical infrastructure components.
Disabling EVA
After completing the required troubleshooting and maintenance, it is crucial to disable EVA to ensure the VM is returned to a secure state:
- Connect back to the PEP session.
- Use the Revoke-SEVMAccessToken cmdlet to remove EVA access from the VM.
- Confirm that EVA access has been revoked and that no temporary administrative accounts remain enabled on the VM.
Example Scenario
For instance, if a VM named ‘WebServer01’ becomes unresponsive to RDP connections, an Azure Stack Hub operator would take the following steps to enable EVA:
- Establish a PEP session using:
Enter-PSSession -ComputerName "PEPHostName" -ConfigurationName PrivilegedEndpoint -Credential $cred
- Generate an EVA token using:
$token = New-SEVMAccessToken
- Apply the token to ‘WebServer01’:
Set-SEVMAccessToken -VMName "WebServer01" -AccessToken $token
- With the token, the operator can now access the VM directly and perform necessary troubleshooting.
- Once resolved, disable EVA using:
Revoke-SEVMAccessToken -VMName "WebServer01"
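The scenario above, as an added example that is not part of these notes: a PowerShell script that runs the whole EVA lifecycle for one VM non-interactively over a PEP session, so that the revoke step in "Disabling EVA" cannot be forgotten and each step leaves the record that "Important Considerations" asks for. The cmdlet names and parameters (New-SEVMAccessToken, Set-SEVMAccessToken -VMName -AccessToken, Revoke-SEVMAccessToken -VMName) are taken from the notes and are assumed to behave as described there; New-PSSession and Invoke-Command replace the interactive Enter-PSSession so the calls can be wrapped in try/finally. The parameters $PepHost, $VMName and $Cred, the audit log path and the Write-EvaAudit helper are the example's own placeholders, not anything the notes or Azure Stack Hub define.

```powershell
# Added example (not from the original notes): full EVA lifecycle for one VM
# over a PEP session, with the revoke step guaranteed by a finally block.
# Assumptions: the SEVMAccessToken cmdlets are available inside the PEP session
# and behave as the notes describe; $PepHost and $Cred are placeholders.
param(
    [Parameter(Mandatory)] [string] $PepHost,      # PEP VM name or IP (placeholder)
    [Parameter(Mandatory)] [string] $VMName,       # e.g. "WebServer01"
    [Parameter(Mandatory)] [pscredential] $Cred,   # operator credential for the PEP
    [string] $AuditLog = "$env:USERPROFILE\eva-audit.log"   # keep under restricted ACLs
)

# Append a timestamped record of each step: who, which VM, what happened.
function Write-EvaAudit {
    param([string] $Message)
    $line = "{0:u} {1} vm={2} {3}" -f (Get-Date), $env:USERNAME, $VMName, $Message
    Add-Content -Path $AuditLog -Value $line
}

$session = New-PSSession -ComputerName $PepHost -ConfigurationName PrivilegedEndpoint -Credential $Cred
$tokenApplied = $false
try {
    Write-EvaAudit "EVA requested"

    # Steps 1-2: mint a token and bind it to the target VM inside the PEP session.
    $token = Invoke-Command -Session $session -ScriptBlock { New-SEVMAccessToken }
    Invoke-Command -Session $session -ScriptBlock {
        param($vm, $t)
        Set-SEVMAccessToken -VMName $vm -AccessToken $t
    } -ArgumentList $VMName, $token
    $tokenApplied = $true
    Write-EvaAudit "EVA token applied"

    # Step 3: the operator troubleshoots now; the script waits so the token
    # is revoked as soon as the work is done rather than left in place.
    Read-Host "Press Enter when troubleshooting of $VMName is complete to revoke EVA"
}
finally {
    # Step 4: always revoke, even if the script was interrupted or a step failed.
    if ($tokenApplied) {
        Invoke-Command -Session $session -ScriptBlock {
            param($vm)
            Revoke-SEVMAccessToken -VMName $vm
        } -ArgumentList $VMName
        Write-EvaAudit "EVA token revoked"
    }
    Remove-PSSession $session
}
```

Run it as `.\Enable-EvaWindow.ps1 -PepHost "PEPHostName" -VMName "WebServer01" -Cred (Get-Credential)`. The audit file is the operator's own record; pair it with whatever central logging the environment already forwards PEP activity to, and review the file during the periodic EVA audit the conclusion recommends.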
Conclusion
The EVA service is a powerful tool that can help Azure Stack Hub operators manage and troubleshoot VMs when standard access methods are not viable. While enabling EVA is relatively straightforward, operators must employ strict security practices and protocols to ensure that EVA use does not compromise the integrity and security of the Azure Stack Hub environment. Regularly reviewing and auditing EVA use, along with disabling it after each use, is essential for maintaining a secure hybrid cloud infrastructure.
Practice Test with Explanation
True or False: The Emergency VM Access feature (EVA) can be used to enable local administrator access on a VM in Azure Stack Hub when normal access methods fail.
- True
Explanation: EVA is designed to allow administrative access to a VM in cases where normal access methods, such as RDP or SSH, are no longer functioning.
True or False: Enabling the Emergency VM Access Service on Azure Stack Hub requires an internet connection.
- False
Explanation: EVA can be enabled without an internet connection as it is a mechanism used within the Azure Stack Hub environment and does not depend on external connectivity.
Which Azure Stack Hub role is required to enable the Emergency VM Access Service (EVA)?
- A) Operator
- B) Guest OS Administrator
- C) Azure Stack Hub User
- D) System Administrator
Answer: A) Operator
Explanation: The Operator role has the necessary permissions to enable EVA on Azure Stack Hub.
What PowerShell module is used for accessing the EVA feature on Azure Stack Hub?
- A) AzureRM
- B) Azure
- C) AzureStack
- D) Azs.EmergencyAccess
Answer: C) AzureStack
Explanation: The AzureStack PowerShell module is used to interact with Azure Stack Hub services, including enabling the EVA feature.
True or False: You can use Emergency VM Access Service to reset the built-in local administrator account password.
- True
Explanation: EVA can be used to reset credentials, such as the password of the built-in local administrator account, if necessary.
True or False: Emergency VM Access can be enabled on a per-subscription basis within Azure Stack Hub.
- False
Explanation: EVA is generally enabled at the system level for VMs and is not typically managed on a per-subscription basis.
How can administrators retrieve the credentials configured by the Emergency VM Access Service after it is enabled?
- A) Azure Stack Hub portal
- B) PowerShell output
- C) Email notification
- D) Azure Monitor logs
Answer: B) PowerShell output
Explanation: Once EVA is enabled through PowerShell, the temporary credentials are output directly in the PowerShell session.
True or False: It’s possible to access VMs in disconnected scenarios using the Emergency VM Access Service.
- True
Explanation: EVA can be utilized even in disconnected (offline) scenarios where Azure Stack Hub is not connected to the internet, as long as you have access to the local Azure Stack Hub infrastructure.
Which of the following are reasons to use the Emergency VM Access Service? (Select two)
- A) Regular access methods (SSH/RDP) are not working
- B) Azure Stack Hub portal is down
- C) Need to access VM’s BIOS settings
- D) To perform routine VM maintenance
Answer: A) Regular access methods (SSH/RDP) are not working, B) Azure Stack Hub portal is down
Explanation: EVA is primarily used when regular access methods like SSH or RDP fail, or when Azure Stack Hub portal is inaccessible, not for accessing VM’s BIOS settings or routine maintenance.
True or False: After using the Emergency VM Access to resolve access issues, the service should be disabled and the VM returned to its original state.
- True
Explanation: After rectifying access issues using EVA, it is recommended to disable EVA and revert any changes to ensure the security of the VM.
Which PowerShell cmdlet is used to enable Emergency VM Access on a specific VM in Azure Stack Hub?
- A) Enable-AzsEVA
- B) Set-AzsUserSubscriptionEVA
- C) Grant-AzsVmAccess
- D) Set-AzsVmAccess
Answer: C) Grant-AzsVmAccess
Explanation: The Grant-AzsVmAccess cmdlet is used to grant access to a VM using Emergency VM Access Service in Azure Stack Hub.
True or False: Emergency VM Access can be enabled for VMs running on any type of storage within Azure Stack Hub.
- True
Explanation: EVA can be used regardless of the underlying storage type of the VM within Azure Stack Hub.
Interview Questions
What is the Emergency VM Access (EVA) service in Azure Stack Hub?
The EVA service is a feature of Azure Stack Hub that allows operators to access the VM console of a tenant virtual machine in case of a critical situation, such as a network outage.
How does the EVA service work?
The EVA service uses a designated VM to provide a secure and temporary remote access solution to VM consoles in a tenant subscription. The EVA VM is deployed in the privileged fabric infrastructure and enables operators to securely connect to the VM console of a tenant VM.
What permissions do operators need to enable and use the EVA service?
To enable and use the EVA service, operators must have the Azure Stack Hub Owner or Azure Stack Hub Operator role, as well as the Contributor or Owner role in the tenant subscription.
Can operators access all VM consoles with the EVA service?
No, operators can only access the VM consoles of the virtual machines for which the tenant has enabled EVA access.
How can an operator enable EVA access for a VM?
To enable EVA access for a VM, the tenant can add the operator’s service principal to the VM’s local administrators group, or the tenant can add the operator’s user account to the VM’s Remote Desktop Users group.
How can an operator access the EVA service?
Operators can access the EVA service through the Azure Stack Hub administrator portal or through PowerShell using the Azure Stack Hub PowerShell module.
What security measures are in place to protect the EVA service?
The EVA service is designed with several security measures, including certificate-based authentication, remote desktop gateway, and secure communication protocols.
How long is EVA access granted to an operator?
EVA access is granted for a limited time, and it is configurable by the tenant.
How can an operator revoke EVA access for a VM?
To revoke EVA access for a VM, the tenant can remove the operator’s service principal or user account from the VM’s local administrators group or Remote Desktop Users group.
Can the EVA service be used to perform actions on a tenant’s behalf?
No, the EVA service is only intended for emergency situations and provides read-only access to the VM console. The EVA service cannot be used to perform actions on behalf of a tenant.
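The revocation step in "Disabling EVA" ends with confirming that no temporary administrative accounts remain enabled on the VM, and the interview answer above describes revoking access by removing the operator's principal from the guest's local Administrators or Remote Desktop Users group. As an added example that is not part of these notes, the following script runs inside a Windows guest after normal access has been restored and performs both: it removes the named temporary principal from each privileged local group if it is still present, then lists every enabled local account outside a known baseline so a leftover emergency account cannot go unnoticed. Get-LocalGroupMember, Remove-LocalGroupMember and Get-LocalUser are standard Microsoft.PowerShell.LocalAccounts cmdlets; the principal name "eva-operator" and the baseline list are placeholders to adjust for the image in use.

```powershell
# Added example (not from the original notes): post-revocation check run inside
# the Windows guest to confirm no temporary administrative access remains.
# Assumption: the temporary principal's name is known; "eva-operator" is a placeholder.
param(
    [string]   $TempPrincipal = "eva-operator",     # placeholder for the EVA principal
    [string[]] $Baseline      = @("Administrator")  # accounts expected to exist (assumption)
)

$privilegedGroups = @("Administrators", "Remote Desktop Users")
$findings = @()

foreach ($group in $privilegedGroups) {
    # Remove the temporary principal if it is still a member (safe to re-run).
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $TempPrincipal -or $_.Name -like "*\$TempPrincipal" }
    foreach ($m in $members) {
        Remove-LocalGroupMember -Group $group -Member $m
        $findings += "removed $($m.Name) from $group"
    }
}

# Any enabled local account outside the baseline is reported for review; an
# emergency account that was created rather than merely granted group
# membership would show up here even after the group cleanup above.
$unexpected = Get-LocalUser | Where-Object { $_.Enabled -and ($_.Name -notin $Baseline) }
foreach ($u in $unexpected) {
    $findings += "enabled non-baseline local account: $($u.Name) (last logon: $($u.LastLogon))"
}

if ($findings.Count -eq 0) {
    "OK: no temporary EVA access remains on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "ATTENTION: $_" }
}
```

Run it in an elevated session on the guest once the token has been revoked; capture its output alongside the operator's EVA record so the "returned to a secure state" claim in the notes is backed by evidence rather than assumed.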
Can anyone explain the procedure to enable the Emergency VM Access Service (EVA) in Azure Stack Hub?
How does enabling EVA impact the normal operation of VMs?
Thanks for the detailed post on EVA! It was very helpful.
Is it possible to schedule the EVA activation during maintenance windows?
Awesome post on EVA! Appreciate the insights.
I tried enabling EVA but ran into an access issue. Any thoughts?
Does anyone know if EVA activation logs are stored anywhere?
Can EVA be used for performance troubleshooting?