Automating WAP Service Management with Service Management Automation


If you are an admin managing Windows Azure Pack (WAP), you may have wondered how you can trigger additional actions automatically whenever you or a tenant performs an action from within the portal or using the API. Although this functionality is made accessible through the VM Clouds service, it allows you to automate against a wide range of objects and actions that occur within WAP. How can this help you streamline your cloud management? For instance, you might want to allow for self-service VM creation, but at the same time still be able to apply your company’s policy to these created VMs. Or you might want to use create/delete events to keep track of WAP tenants in your CMDB. Or, depending on the plan that the user has signed up for (e.g. Production vs. Test), you may want have that VM follow a specific lifecycle policy.

WAP provides functionality to let you do this – by integrating Service Management Automation (SMA) with VM Clouds and WAP events in general, you can automatically trigger runbooks whenever certain events occur. This functionality is made available through Service Provider Foundation (SPF) which creates internal events that invoke a runbook when a specified action occurs.

In this post, I’ll explain how to get SMA and VM Cloud Automation set up to work together. I will also go through an illustrative “enforce policy” scenario where a monitoring agent is installed on the newly provisioned VM and will discuss the sample runbooks that are triggered to carry out the processes. The runbooks in this series wait for the VM to be provisioned, configure the firewall and then install an OM agent on the VM. Once you have seen how this works, you can then easily extend the samples to implement custom policy of your own.

Getting and Using the Samples

You can download the sample runbooks for this scenario from Script Center. To use these runbooks you must first do the following:

Create SMA assets to use in the runbook:

  • SpfUrl – A variable asset. This is the URL used to connect to SPF. Your URL may look something like: https://SPF_END_POINT:8090/SC2012R2/VMM/Microsoft.Management.Odata.svc
  • SpfCredentials: A credential asset. These are the credentials that you use to connect to SPF.
  • OpsMgrConnection: A connection asset. The connection asset used to connect to Operations Manager.

Publish the runbooks in SMA in the following order:

  1. Configure-Firewall
  2. Install-OMAgent
  3. Apply-VmPolicy

Getting Set up

This post assumes that you are currently using WAP and that you have SMA, SPF, and VMM deployed for use within WAP.

If you have not yet deployed all of these components, the following articles will walk you through the deployments:

For more detail on WAP deployments and getting SPF setup, you can also check out Ander’s Windows Azure Pack Installing & Configuring Series.

There are a few setup tasks that need to be completed before you can begin triggering automation from VM cloud actions. Follow these setup steps to integrate SMA with VM cloud services:

STEP 1: Register SMA & SPF for your VM Clouds:

1. In the WAP admin portal click VM Clouds > QuickStart


2. Under Register System Center Service Provider Foundation add the endpoint which is comprised of the server and the port for SPF. Make sure that you use the complete connection string for the endpoint.

3. You must also enter the admin credentials for the SPF endpoint. In my case, SPF was installed on the same machine as SMA, so the base connection string is the same, while the port differs. image


4. Under Register Service Management Automation for VM Clouds provide the complete URL and the port for the Service Management Automation web service endpoint.




STEP 2: Add your SPF account to the SMA Admin group on the SMA server

On the SMA server, make sure that the SPF Account used with the IIS App Pool is added to the “smaAdminGroup”. You should also make sure that the same user has access to both SMA and SPF application pools within IIS.


STEP 3: Trust the SMA web service certificate on the SPF server

If you have installed SMA with a self-signed certificate, you must establish trust between SMA and SPF with this certificate. To do this, import the SMA web service certificate into the “Trusted Root Certification Authorities” folder in the SPF server. To test that the correct certificate is installed, you should be able to go to https://<SMAServer> from a web browser on the SPF computer and not get prompted with a security warning.

STEP 4: Add “SPF” tag to the runbooks that you want to trigger

1. Navigate to SMA

2. Go to Runbooks

3. Select the runbook that you would like to trigger from VM Clouds. If you would like to follow along using our sample runbooks, download them from Script Center and import them now. Add the SPF tag to the Apply-VMPolicy runbook.

4. Go to the Configure tab


5. Add “SPF” to the tags.

STEP 5: Associate the runbook with a VM Cloud action

You should now be able to see all the runbooks with the SPF tag in VM Clouds and associate them with actions. Follow these steps to associate your runbooks with VM Cloud actions:

1. Navigate to VM Clouds and select the Automation view


2. Click Add and specify:

a. Object – the object that is associated with the runbook. In the case of our runbook, we would like it to start when a new virtual machine has been created, so select VMM Virtual Machine. You can view a full list of the object descriptions on the Using automation with Virtual Machine Clouds TechNet page.

b. Action – the event that must occur in order for the runbook to run. Select Create as the action so that the runbook is triggered when the VM is created.RE

c. Runbook – the runbook to trigger. If you followed along with the steps above, you should see the “Apply-Policy” runbook in the list of runbooks available. Select this runbook.

Applying Policy Example

Now that you are all set up to run, let’s take a look at what the runbook that is triggered by the VM creation event is actually doing. At a high level, the steps the runbook takes are to wait for the VM to be created, turn off the firewall, install the Operations Manager Agent, and finally to turn on the firewall and configure the open ports.

Because I am triggering a runbook when a virtual machine is created, I can pick any of the parameters generated by SPF for a virtual machine and use them as my input parameters. If I preferred to set variables at the beginning of my runbook, I could also have used the $PSPrivateMetaData object instead of parameters.

First, I have specified a few input parameters that contain the data that I need for my runbook:

  • Name – the name of the object specified for triggering the event
  • Operation – the Operation that triggered the event
  • VmmJobId – the id of the VMM job. This will be used as part of the URL to track the virtual machine as it is being created.
  • Params & ResourceObject – all the additional output provided by SPF to the runbook is stored in these parameters. This is used in the runbook to retrieve the StampId and the VmmJobId, it will be used in the URL to find out when the machine has finished creating.


If you run the runbook in publish mode or output the params and resourceObject variables in test mode, you can will see that there is a lot of information you can collect (screenshot is included above), so you can write many different types of runbooks outside of the example provided in this blog post.

Because I am planning to do some installations on the newly created virtual machine, the runbook needs to wait until the virtual machine has completed the provisioning step. The runbook builds a URL for the SPF service in order to check the status of the VM.

    $spfUrl = Get-AutomationVariable -Name "spfUrl"
    $spfCredentials = Get-AutomationPSCredential -Name "spfCredentials"
    $stampId = $params.StampId
    $fullUrl = $spfUrl + "Jobs?`$filter=ID eq guid'" + $vmmJobId + "' and StampId eq guid'" + $stampId + "'"
    Write-Output "SPF URL: $fullUrl"


The runbook then checks for to see if the VM has finished being created and loops until the job has been completed:

do {
Start-Sleep -s 30
$Output = InlineScript {

# Construct response to SPF.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$request = [System.Net.HttpWebRequest]::Create($Using:fullUrl)
$request.Credentials = $Using:spfCredentials
$request.Accept = "application/json"
$request.Headers.Add("Accept-Charset", "UTF-8")
$request.ContentType = "application/json"
$request.Method = "GET"
$response = $request.GetResponse()
$requestStream = $response.GetResponseStream()
$readStream = new-object System.IO.StreamReader $requestStream
            $outputJson = $readStream.ReadToEnd()
            $output = ConvertFrom-Json $outputJson

Write-Output "Current Progress: $($output.value.Progress)"

} while (!$output.value.IsCompleted)

Note if you didn’t have the proper certificates installed on the SMA workers, you could use System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} to avoid any certificate errors.

You could also chose to add in some logic here that would call different runbooks depending on the plan the VM has been created under. If you chose to go that route and have a series of actions that you would like to complete – for example, apply policy to the VM and add billing information – we recommend that you write runbooks that perform individual tasks so that you can reuse them in other solutions.

In this scenario, a child runbook called “Install-OMAgent” installs an OM agent on the host. Before installing the agent, the runbook disables the firewall by calling the “Configure-Firewall” runbook. The Configure-Firewall runbook can either disable a firewall or set rules opening the specified ports for incoming traffic based on the runbook parameters.  First, this runbook is used to disable the firewall.  Once the firewall is disabled, the runbook downloads the Operations Manager module to make sure it is installed on the Ops Manger server, gets the Operations Manager Management group, and installs the agent:

        Import-Module OperationsManager

        # Connect to the Operations Manager Management Group
        New-SCOMManagementGroupConnection -ComputerName $Using:OpsMgrServerConn.ComputerName
        #Install SCOM agent
        Write-Output "Installing Operations Manager agent"
        try {
            Install-SCOMAgent -Name $Using:ComputerName -PrimaryManagementServer (Get-SCOMManagementServer -Name $Using:OpsMgrServerConn.ComputerName)
        } catch {
            "Exception generated: "
    } -PSComputerName $OpsMgrServerConn.ComputerName

Once this has been done, the firewall should be enabled again. If the firewall is enabled, there are a number of ports that must be open in order to provide the OM agent with access to the VM going forward. This TechNet article explains the details of these firewall settings: Script Center.

To manage setting up the firewall configuration, a number of rules for the VM ports to be opened are established:

    $Ports = @{"SCMgmtServiceRule"=@("5723","TCP");

Then “Configure-Firewall” is called again, this time enabling the firewall and opening the necessary ports:

$OpenPortsForOM = $true      
Configure-Firewall -ComputerName $ComputerName -Disable (!$OpenPortsForOM)`
                   -PortRules $Ports -SetPorts $OpenPortsForOM   

Finally, the runbook writes output confirming success and completes.

Wrapping up

Hopefully, you now have a better understanding of the ways in which you can use events in WAP to trigger runbooks that describe your IT processes. If you have been following along, you also should have gotten SMA integrated with SPF in order to automate against a VM Cloud action. The example runbooks provided should give you the tools you need to begin creating your own runbooks to help manage Windows Azure Pack.