Upload, create, and populate a managed disk
Create a managed disk to populate with the Access Gateway image.
Download and decompress
- Connect to the new VM using the IP address from the prior task and establish an ssh session.
ssh okta@AA.BB.CC.DD.
- Use wget to download the latest Access Gateway Microsoft Azure fixed disk image.
cd /home/okta wget https://download.oag.okta.com/ga/oag_azure.vhd.gz
- Unpack the fixed disk image to a temporary location on the /datadrive.
sudo mkdir /datadrive/temp sudo cp oag.vhd.gz /datadrive/temp sudo gunzip -v /datadrive/temp/oag_azure.vhd.gz --keep
Depending on the size of the disk and the speed of the VM, it can take 60 to 90 minutes to decompress the disk file.
If you encounter ssh timeout issues, consider running the decompress process in the background using nohup and routing the output to a log file.
nohup sudo nohup gunzip . . . > unzip.log 2>&1 &
Install Microsoft Azure CLI and AZCopy tools
- Change the directory:
cd /datadrive/temp
- Install Microsoft Azure CLI using this command:
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
- Install Azcopy using this command:
sudo wget https://aka.ms/downloadazcopy-v10-linux sudo tar -xvf downloadazcopy-v10-linux
Create and populate a managed disk
- After installing the Microsoft Azure environment, sign in using this command:
az login
- Sign in to az copy.
cd /datadrive/temp/azcopy_linux_amd64_10.3.4 sudo ./azcopy login --tenant-id=<tenant id from output of az login>
- Sign in or return to the Microsoft Azure command line interface:
az login
- Use the az disk create command to create a disk large enough to contain the OVA disk file.
az disk create -n <virtual-disk>\ --resource-group <resource-group> --location <“location”>\ --for-upload --upload-size-bytes <size> --sku standard_lrs
- <virtual-disk> is the name of the virtual disk. It's typically the same as the OVA disk, but without the suffix.
- <resource-group> is the name of the previously created resource group. For example, "AccessGateway".
- <location> is the location of the resource group. For example "eastus".
- <size> is the size of the disk in bytes. For example 236246270464. Note this is the size, in bytes, of the downloaded Access Gateway disk image.
- --sku standard_lrs is a required parameter.
Run this command and replace <resource-group> with AccessGateway, <location> with eastus, and <size> with 236246270464:
az disk create -n Okta-AccessGatewayDisk --resource-group AccessGateway \ --location eastus --for-upload --upload-size-bytes 236246270464 \ --sku standard_lrs
When you run this command, the following results appear:
{ "creationData": { "createOption": "Upload", "imageReference": null, "sourceResourceId": null, "sourceUniqueId": null, "sourceUri": null, "storageAccountId": null, "uploadSizeBytes": 20972032 },. . . "tags": {}, "timeCreated": "2020-04-20T17:51:29.894626+00:00", "type": "Microsoft.Compute/disks", "uniqueId": "d1485574-. . . ", "zones": null }
The file size of the created disk must be an exact match to the file size used when copying up the disk image. Use a command, such as ls -ln, to determine the file size in bytes.
- Use the az disk grant-access command to create a shared access token, which can be used to grant access to the previously created disk.
az disk grant-access -n <virtual-disk> -g <resource-group> --access-level Write \ --duration-in-seconds 86400
Where:
- <virtual-disk> is the name of the virtual disk.
- <resource-group> is the name of the previously created resource group.
- --access-level Write is the required write access level.
- --duration-in-seconds 86400 is the lifetime of the shared access token in seconds.
Run this command and replace <virtual-disk> with Okta-AccessGatewayDisk, and <resource-group> with AccessGateway:
az disk grant-access -n Okta-AccessGatewayDisk --resource-group AccessGateway \ --access-level Write --duration-in-seconds 86400Which produces the following results:
"accessSas": "https://md-. . . VY1SlQ79TOnwoMaVHjaqkmVlU%3D"
- Upload the disk file using the azcopy copy command.
cd /datadrive/temp/azcopy_linux_amd64_10.3.4 sudo ./azcopy copy <path-to-disk> <accessSas> --blob-type PageBlob
- <path-to-disk> is the fully qualified path to the fixed disk previously created.
- <accessSas> is the value from the az disk grant-access command.
Here is an example of the azcopy copy command with the parameters populated with values:
sudo ./azcopy copy /datadrive/temp/oag.vhd "https://md-impexp-t4pdnf22n02h.blob.core.windows.net/p15jhr4gwqhl/abcd?sv=2017-04-17&sr=b&si=b1154122-1458-4f02-a226-1554c66938c0&sig=vGnmhmKMY92r3ecQLlAEXtEHzRCFTsa5rrIxNsQqaZY%3D" -blob-type PageBlob
Azcopy uses the AZCOPY_CONCURRENCY_VALUE environment variable to control the upload process. Setting this variable to AUTO causes Azcopy to attempt to optimize the upload process.
Here is an example of a command using the AZCOPY_CONCURRENCY_VALUE environment variable:
export AZCOPY_CONCURRENCY_VALUE=AUTOsudo nohup sudo ./azcopy copy /datadrive/temp/oag.vhd \ "https://md-. . . VY1SlQ79TOnwoMaVHjaqkmVlU%3D" \ --blob-type PageBlob > /tmp/azcopy.log 2>&1 & - Monitor the copy using a command similar to this one:
tail -f /tmp/azcopy.log
When you run the tail command, the following results appear:
INFO: Scanning... Job 50d659dd-6174-fe4d-78b1-5f97e305fdee has started Log file is located at: ~/.azcopy/50d659dd-6174-fe4d-78b1-5f97e305fdee.log INFO: Trying 4 concurrent connections (initial starting point) INFO: Trying 16 concurrent connections (seeking optimum) . . . INFO: Trying 5 concurrent connections (at optimum) . . . Elapsed Time (Minutes): 78.9381 Total Number Of Transfers: 1 Number of Transfers Completed: 1 . . . Total Bytes Transferred: 236223201792 Final Job Status: Completed
- Once copied, use the az disk revoke-access command to revoke the previously granted access.
az disk revoke-access --name "<virtual-disk>" --resource-group "<resource-group>"
- <virtual-disk> is the name of the disk where access was granted.
- <resource-group> is the resource group that contains the disk.
Here is an example of the az disk revoke-access command with the parameters populated with values:
az disk revoke-access --name "Okta-AccessGateway-2020.5.0" --resource-group "AccessGateway"
Running this command produces the following results:
- Running
Failure to run the az disk revoke-access command results in an error when you attempt to create a VM as the disk will not be available for use.
If you don't run the az disk revoke-access command, the process results in an error when you attempt to create a VM as the disk isn't available for use.