"So you want to get to know Azure?..." Deploying an HPC Pack 2016 cluster in Azure
Adam Gordon
An Advanced Security Practitioner, Author, Global Speaker, Educator & Executive with decades of Cybersecurity/Information Assurance/GRC/Information Technology/Regulatory & Cloud experience.
I am writing a new series of articles (1 a week) that will help you to explore the Microsoft Azure platform. The whole series is called "So you want to get to know Azure?...". These articles will cover a wide variety of topics from the most basic to the most advanced aspects of Azure. Feel free to use them to enhance your Azure experience! - Good Luck and may Azure be with you always....
Article #7 week of 3/19/18
======================================================
NOTE: This article assumes that you already have an Azure Subscription that is active and available. If you do not, go here:
https://azure.microsoft.com/en-us/free/
Follow the instructions to create a free account and begin using Azure.
======================================================
HPC Pack is Microsoft's free HPC solution built on Microsoft Azure and Windows Server technologies and supports a wide range of HPC workloads.
Prerequisites:
PFX certificate
A Microsoft HPC Pack 2016 cluster requires a Personal Information Exchange (PFX) certificate to secure the communication between the HPC nodes. The certificate must meet the following requirements:
> It must have a private key capable of key exchange
> Key usage includes Digital Signature and Key Encipherment
> Enhanced key usage includes Client Authentication and Server Authentication
If you do not already have a certificate that meets these requirements, you can request the certificate from a certification authority. Alternatively, use the following commands to generate the self-signed certificate based on the operating system on which you run the command. Then, export the certificate as a password-protected PFX file with private key.
For Windows 10 or Windows Server 2016, run the built-in New-SelfSignedCertificate PowerShell cmdlet as follows:
New-SelfSignedCertificate -Subject "CN=HPC Pack 2016 Communication" -KeySpec KeyExchange -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -CertStoreLocation cert:\CurrentUser\My -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5)
For operating systems earlier than Windows 10 or Windows Server 2016, download the self-signed certificate generator from the Microsoft Script Center. Extract its contents and run the following commands at a PowerShell prompt:
Import-Module -Name c:\ExtractedModule\New-SelfSignedCertificateEx.ps1
New-SelfSignedCertificateEx -Subject "CN=HPC Pack 2016 Communication" -KeySpec Exchange -KeyUsage "DigitalSignature,KeyEncipherment" -EnhancedKeyUsage "Server Authentication","Client Authentication" -StoreLocation CurrentUser -Exportable -NotAfter (Get-Date).AddYears(5)
After the certificate is created in the Current User store, use the Certificates snap-in to export the certificate as a password-protected PFX file with private key. You can also export the certificate using the Export-PfxCertificate PowerShell cmdlet.
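Before uploading the exported PFX, you can confirm that it meets the three requirements listed above. The following is an added example, not part of the original article or of HPC Pack; the function name and result field names are assumptions, and the file path is the one used in the upload script later in this article.

```powershell
# Added example, not from the original article. The function name and the
# result field names are assumptions chosen for illustration.
function Test-HpcPackCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $Path, $Password
    try {
        # Key Usage is OID 2.5.29.15, Enhanced Key Usage is OID 2.5.29.37.
        $ku      = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $flags   = "$ns.X509KeyUsageFlags" -as [type]
        $usage   = if ($ku) { [int]$ku.KeyUsages } else { 0 }
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

        # The key spec is only readable for keys the legacy CSP API can open;
        # anything else is reported as 'unknown' rather than guessed.
        $keySpec = $null
        try { $keySpec = [string]$cert.PrivateKey.CspKeyContainerInfo.KeyNumber } catch { }
        if (-not $keySpec) { $keySpec = 'unknown' }

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            HasPrivateKey    = $cert.HasPrivateKey
            KeySpec          = $keySpec   # requirement: a key capable of key exchange
            DigitalSignature = ($usage -band [int]$flags::DigitalSignature) -ne 0
            KeyEncipherment  = ($usage -band [int]$flags::KeyEncipherment) -ne 0
            ServerAuth       = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
            ClientAuth       = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
        }
    }
    finally { $cert.Dispose() }
}

# Prompt for the password instead of storing it in the script file.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Test-HpcPackCertificate -Path 'c:\itphpc\itprotvhpc.pfx' -Password $pfxPassword | Format-List
```

Any field that comes back False, or a missing private key, means the certificate should be regenerated before you continue.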
Upload certificate to an Azure key vault
Before deploying the HPC cluster, upload the PFX certificate to an Azure key vault as a secret, and record the following information for use during the deployment: Vault name, Vault resource group, Certificate URL, and Certificate thumbprint.
A sample PowerShell script to upload the certificate, create the key vault, and generate the required information follows. For more information about uploading a certificate to an Azure key vault, see Get started with Azure Key Vault.
#Build an HPC
#Give the following values
$VaultName = "itprotvhpcvault"
$SecretName = "itprotvhpc"
$VaultRG = "itprotvhpcdemo"
$location = "westus"
$PfxFile = "c:\itphpc\itprotvhpc.pfx"
$Password = "Dandandan123!" # Sample value: use your own PFX password and keep the real one out of saved script files
#Validate the pfx file
try {
    $pfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxFile, $Password
}
catch [System.Management.Automation.MethodInvocationException]
{
    throw $_.Exception.InnerException
}
$thumbprint = $pfxCert.Thumbprint
$pfxCert.Dispose()
# Create and encode the JSON object
$pfxContentBytes = Get-Content $PfxFile -Encoding Byte
$pfxContentEncoded = [System.Convert]::ToBase64String($pfxContentBytes)
$jsonObject = @"
{
"data": "$pfxContentEncoded",
"dataType": "pfx",
"password": "$Password"
}
"@
$jsonObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
$jsonEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)
#Create an Azure key vault and upload the certificate as a secret
$secret = ConvertTo-SecureString -String $jsonEncoded -AsPlainText -Force
$rg = Get-AzureRmResourceGroup -Name $VaultRG -Location $location -ErrorAction SilentlyContinue
if($null -eq $rg)
{
    $rg = New-AzureRmResourceGroup -Name $VaultRG -Location $location
}
$hpcKeyVault = New-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $VaultRG -Location $location -EnabledForDeployment -EnabledForTemplateDeployment
$hpcSecret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secret
"The following Information will be used in the deployment template"
"Vault Name : $VaultName"
"Vault Resource Group : $VaultRG"
"Certificate URL : $($hpcSecret.Id)"
"Certificate Thumbprint : $thumbprint"
NOTE !! PLEASE READ CAREFULLY...
The picture below is IDENTICAL to the picture above. The red box and the blue arrow are meant to draw your attention to an error in the output of the PowerShell script: the CERTIFICATE URL value string that it produces. The :443 in the string needs to be removed so that the URL matches the input format that the Azure Portal requires when you use this value as part of the template creation. For example, based on the information returned by the script as shown in the picture below, the full CERTIFICATE URL BEFORE YOU REMOVE the highlighted text is:
https://itprotvhpcvault.vault.azure.net:443/secrets/itprotvhpc/3bc7fafe87de4cd083a1cf0b5ca96607
This needs to be corrected to read as follows:
https://itprotvhpcvault.vault.azure.net/secrets/itprotvhpc/3bc7fafe87de4cd083a1cf0b5ca96607
Use the corrected Certificate URL value string WITHOUT the :443 when asked for it as part of the input for the values during the template creation process.
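The correction can also be applied in PowerShell, together with a check that the URL points at the vault and secret you just created. This is an added example, not part of the original script; the function name is an assumption, and $hpcSecret, $VaultName and $SecretName are the variables from the upload script above.

```powershell
# Added example, not from the original article; the function name is an assumption.
function ConvertTo-TemplateCertificateUrl {
    param(
        [Parameter(Mandatory)][string]$SecretId,
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName
    )
    $uri = [System.Uri]$SecretId
    if (-not $uri.IsAbsoluteUri -or $uri.Scheme -ne 'https') {
        throw "Expected an absolute https URL, got '$SecretId'."
    }
    # Only the default HTTPS port is stripped; any other port is treated as an error.
    if ($uri.Port -ne 443) {
        throw "Unexpected port $($uri.Port) in '$SecretId'."
    }
    # The first host label must be the vault name.
    if ($uri.Host.Split('.')[0] -ne $VaultName) {
        throw "Host '$($uri.Host)' does not belong to vault '$VaultName'."
    }
    # The path must start with /secrets/<SecretName>.
    $segments = $uri.AbsolutePath.Trim('/').Split('/')
    if ($segments.Count -lt 2 -or $segments[0] -ne 'secrets' -or $segments[1] -ne $SecretName) {
        throw "Path '$($uri.AbsolutePath)' is not a URL for secret '$SecretName'."
    }
    # Rebuild the URL from host and path only, which leaves out the :443.
    'https://{0}{1}' -f $uri.Host, $uri.AbsolutePath
}

# Print the value to paste into the template's Certificate URL parameter.
"Certificate URL : $(ConvertTo-TemplateCertificateUrl -SecretId $hpcSecret.Id -VaultName $VaultName -SecretName $SecretName)"
```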
Supported topologies
Choose one of the Azure Resource Manager templates to deploy the HPC Pack 2016 cluster. Following are high-level architectures of three example cluster topologies. High-availability topologies include multiple cluster head nodes.
1. High-availability cluster with Active Directory domain
2. High-availability cluster without Active Directory domain
3. Cluster with a single head node
Deploy a cluster
To create the cluster, choose a template and click Deploy to Azure. In the Azure portal, specify parameters for the template as described in the following steps. Each template creates all Azure resources required for the HPC cluster infrastructure. Resources include an Azure virtual network, public IP address, load balancer (only for a high-availability cluster), network interfaces, availability sets, storage accounts, and virtual machines.
Step 1: Select the subscription, location, and resource group
The Subscription and the Location must be the same ones that you specified when you uploaded your PFX certificate (see Prerequisites).
Step 2: Specify the parameter settings
Enter or modify values for the template parameters. Click the icon next to each parameter for help information. Also see the guidance for available VM sizes.
Specify the values you recorded in the Prerequisites for the following parameters: Vault name, Vault resource group, Certificate URL, and Certificate thumbprint.
Step 3. Review terms and create
Review the terms and conditions associated with the template. If you agree, click Purchase to start the deployment.
Depending on the cluster topology, deployment can take 30 minutes or longer to complete.
NOTE: If you have a demo subscription, you will get the following error when the template creation process kicks off:
This error states that you have requested more CPU cores than the maximum allowed value of "10" for a demo subscription. Even though the help URL referenced in the error message indicates that you can request an increase in the allotted maximum cores, this WILL NOT work for a demo subscription (it is only possible to raise the quota on paid subscriptions).
Please see the following for more information and quota maximums:
Azure subscription and service limits, quotas, and constraints
Connect to the cluster
1. After the HPC Pack cluster is deployed, go to the Azure portal. Click Resource groups, and find the resource group in which the cluster was deployed. There you can find the head node virtual machines.
2. Click one head node (in a high-availability cluster, click any of the head nodes). In Overview, you can find the public IP address or full DNS name of the cluster.
3. Click Connect to log on to any of the head nodes using Remote Desktop with your specified administrator user name. If the cluster you deployed is in an Active Directory Domain, the user name is of the form <privateDomainName>\<adminUsername> (for example, itpro.tv\hpcadmin).
Good Luck...
You can follow me on Twitter: @Adam_ITProTV