Tutorial / Cram Notes
The privileged endpoint (PEP) in Microsoft Azure Stack Hub is a pre-configured remote PowerShell interface that offers administrative access to the underlying infrastructure of your Azure Stack Hub environment. Utilizing the privileged endpoint, operators can perform various maintenance tasks, including collecting diagnostic logs, which are crucial when troubleshooting issues or as requested by Microsoft Support for in-depth analysis.
Collecting diagnostic logs through the privileged endpoint is a controlled operation, so that both the access and the operations performed stay secure and limited to authorized personnel. To use the PEP for gathering logs, you must connect to the privileged endpoint from an elevated PowerShell session on a machine that has network connectivity to the Azure Stack Hub.
Collecting Diagnostic Logs through the Privileged Endpoint
- Initiate a Remote PowerShell Session:
Open an elevated PowerShell window and use the following command to initiate a session with the privileged endpoint. Make sure to replace ` `, ` ` and ` ` with your specific Azure Stack Hub’s region, fully qualified domain name, and directory tenant ID.
$cred = Get-Credential
Enter-PSSession -ComputerName. -ConfigurationName PrivilegedEndpoint -Credential $cred -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)
- Collect Diagnostic Logs:
Within the PEP session, you can execute the `Get-AzureStackLog` cmdlet to gather the logs. For example, to collect logs related to the compute resource provider, you can use the following command:
Get-AzureStackLog -OutputPath "\\AzureStack\Shares\DiagnosticShare" -Filter "Compute"
Replace `\\AzureStack\Shares\DiagnosticShare` with your desired output path where the logs will be saved. The `-Filter` parameter allows you to specify which component’s logs to collect, in this case, “Compute” for the compute resource provider logs.
When executing the `Get-AzureStackLog` cmdlet, a background job is created to collect the logs. The task can run for several minutes to a few hours, depending on the amount of data to collect and the overall performance of the system. You can use the `Get-Job` cmdlet to monitor the progress.
After the logs have been collected, they can be found at the specified output path. You should then compress these files and secure them appropriately if they need to be transferred over the internet. Remember that the logs may contain sensitive information, and it’s critical to handle and store them securely.
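A non-interactive version of the procedure above, added here as an example (not code from the original page or from Microsoft): it opens the PEP session, collects Compute logs for a bounded time window, always closes the session, and writes a SHA-256 manifest of the collected files so they can be verified after transfer. Assumptions: the `<privileged-endpoint-address>` placeholder, the manifest location, and the `-OutputSharePath`, `-OutputShareCredential`, `-FilterByRole`, `-FromDate` and `-ToDate` parameter spellings, which differ from the shorter forms shown above and should be checked against the documentation for your Azure Stack Hub version.

```powershell
# Added example. Placeholder and hypothetical values are marked as such.
$PepAddress   = '<privileged-endpoint-address>'          # placeholder, not from the page
$ShareUnc     = '\\AzureStack\Shares\DiagnosticShare'    # output share used in the text
$ManifestPath = Join-Path $PWD 'pep-logs-sha256.csv'     # hypothetical manifest location

# Prompt for secrets instead of embedding them in the script or shell history.
$pepCred   = Get-Credential -Message 'Operator account for the privileged endpoint'
$shareCred = Get-Credential -Message 'Account allowed to write to the output share'

# Bound the collection window so the output holds only what the investigation needs.
$to   = Get-Date
$from = $to.AddHours(-4)

# -ErrorAction Stop: do not continue if the privileged session cannot be opened.
$session = New-PSSession -ComputerName $PepAddress -ConfigurationName PrivilegedEndpoint `
    -Credential $pepCred -ErrorAction Stop `
    -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)
try {
    # Parameter spellings below are assumptions; verify them for your version.
    # The command is kept on one line because the endpoint is a restricted runspace.
    Invoke-Command -Session $session -ScriptBlock {
        Get-AzureStackLog -OutputSharePath $using:ShareUnc -OutputShareCredential $using:shareCred -FilterByRole Compute -FromDate $using:from -ToDate $using:to
    }
}
finally {
    # Always tear the privileged session down, even when collection fails.
    Remove-PSSession -Session $session
}

# Record a SHA-256 manifest so the recipient can verify every file after transfer.
New-PSDrive -Name PepLogs -PSProvider FileSystem -Root $ShareUnc `
    -Credential $shareCred -ErrorAction Stop | Out-Null
try {
    Get-ChildItem -Path 'PepLogs:\' -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path $ManifestPath -NoTypeInformation
}
finally {
    # Drop the mapped drive so the share credential does not linger in the session.
    Remove-PSDrive -Name PepLogs
}
```

Send the manifest to the recipient over a separate channel from the logs, so a file altered in transit does not arrive with a matching hash.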
Table Comparing Endpoint Usage for Log Collection
| Feature | Standard Endpoint | Privileged Endpoint |
|---|---|---|
| Access Level | Limited to user resources | Full access to Azure Stack Hub internals |
| Log Collection Scope | Resource-specific logs, accessible by users | Full system logs, including infrastructure and service fabrics |
| Security | User-level credentials required | Elevated privileges and authorized administrative access required |
| Usage | Routine monitoring and user-level diagnosis | In-depth troubleshooting and official Microsoft support incidents |
It’s important to regularly review the Azure Stack Hub security and audit logs, ensuring that any access and operations via the privileged endpoint are legitimate and authorized. Unauthorized access or misuse of the PEP can lead to potential security risks.
Please remember that access to the privileged endpoint is intended for Azure Stack Hub operators and should be used only when necessary, with caution, and following best practices for security and compliance. It is also subject to change with updates to Azure Stack Hub’s feature set and Microsoft’s guidelines.
For detailed procedures and best practices related to collecting logs and using the privileged endpoint, refer to the official Microsoft documentation for the specific Azure Stack Hub version you are managing.
Practice Test with Explanation
True or False: You can collect diagnostic logs on demand from the privileged endpoint without any elevated permissions.
- (A) True
- (B) False
Answer: B) False
Explanation: Collecting diagnostic logs on demand using the privileged endpoint requires elevated permissions. You need to be granted the necessary rights to access the privileged endpoint.
True or False: Azure Stack Hub’s privileged endpoint is intended for use by cloud operators for troubleshooting and maintenance.
- (A) True
- (B) False
Answer: A) True
Explanation: The privileged endpoint (PEP) is a special instance in Azure Stack Hub that provides cloud operators with secured and restricted access for performing internal system operations.
Which PowerShell cmdlet is used to collect diagnostic logs on demand from Azure Stack Hub’s privileged endpoint?
- (A) Get-AzsReadinessCheckerLog
- (B) Get-AzureStackLog
- (C) Save-AzureRmProfile
- (D) Get-AzureStackDiagnostics
Answer: B) Get-AzureStackLog
Explanation: The Get-AzureStackLog PowerShell cmdlet is used to collect diagnostic logs on Azure Stack Hub.
To use the privileged endpoint to collect logs, which of the following must be true?
- (A) The user must be connected to the internet.
- (B) The user needs to be in the Azure Stack operator role.
- (C) Azure Stack Hub must be in multi-node deployment.
- (D) The user must be connected to the Azure Stack Hub’s internal network.
Answer: B) The user needs to be in the Azure Stack operator role.
Explanation: To use the privileged endpoint, the user must be an Azure Stack Hub operator and have sufficient permissions.
True or False: Logs collected from the privileged endpoint can be stored directly in Azure Blob storage.
- (A) True
- (B) False
Answer: A) True
Explanation: Logs collected from the privileged endpoint can be transferred and stored directly in Azure Blob storage for further analysis or for maintaining backup.
Can the privileged endpoint be used to enable support for collecting syslogs from infrastructure components in Azure Stack Hub?
- (A) Yes
- (B) No
Answer: A) Yes
Explanation: The privileged endpoint can be used to configure Azure Stack Hub to collect syslogs from infrastructure components for diagnostic purposes.
How do you access the privileged endpoint in Azure Stack Hub?
- (A) Through Azure portal
- (B) Using an assigned public IP
- (C) Over a secure remote PowerShell session
- (D) Via direct access from any machine
Answer: C) Over a secure remote PowerShell session
Explanation: Privileged endpoint access is typically done through a secure remote PowerShell session from a machine that has network connectivity to the Azure Stack Hub’s administrative network.
True or False: You can collect diagnostic logs automatically on a predefined schedule using the privileged endpoint.
- (A) True
- (B) False
Answer: B) False
Explanation: The privileged endpoint is used to collect logs on demand and does not have a native feature for scheduling automatic log collection. Automation of tasks such as scheduling would require an external tool or service.
Which Azure Stack role is authorized to request and download diagnostic logs through the privileged endpoint?
- (A) Contributor
- (B) Owner
- (C) Operator
- (D) User
Answer: C) Operator
Explanation: The Azure Stack Hub operator role is authorized to request and download diagnostic logs through the privileged endpoint.
True or False: The privileged endpoint is also used to perform Azure Stack Hub updates.
- (A) True
- (B) False
Answer: A) True
Explanation: The privileged endpoint is not only for collecting diagnostic logs but also for carrying out various maintenance activities including applying updates to the Azure Stack Hub.
Which of the following formats can be used for the logs collected through the privileged endpoint in Azure Stack Hub?
- (A) .zip
- (B) .evtx
- (C) .log
- (D) All of the above
Answer: D) All of the above
Explanation: Logs collected through the privileged endpoint can be in various formats, such as .zip (compressed file), .evtx (Event Viewer logs), or plain .log files.
As an Azure Stack operator, for which of the following reasons would you likely need to collect diagnostic logs on demand?
- (A) Perform regular maintenance
- (B) Triage and troubleshoot issues
- (C) Verify user permissions
- (D) Set up initial deployment
Answer: B) Triage and troubleshoot issues
Explanation: While the privileged endpoint can assist with various tasks, its primary use for on-demand log collection is to triage and troubleshoot issues encountered in Azure Stack Hub.
Great post, really helped me understand how to collect diagnostic logs on demand!
Can someone explain what kind of permissions are needed to use the privileged endpoint?
Thanks for the detailed steps on using the privileged endpoint.
Is it safe to use the privileged endpoint for collecting logs in a production environment?
Appreciate the blog post!
I’ve faced issues while trying to collect logs using the commands provided. Any idea what might be wrong?
This was very helpful. Thank you!
The blog was somewhat useful but I think there should be more examples.