In this post, we will explore the Azure Instance Metadata service and how we can make use of it when deploying our SAP landscape.
What Is the Azure Instance Metadata Service?
The Azure Metadata Service is a locally accessed (on each VM deployed in Azure), REST-enabled, API-versioned HTTP service endpoint that provides a gateway to the Azure “fabric” hosting your VMs.
New features are added through new versions of the API, accessed through the URI and by appending the required version as a querystring parameter.
What Can You Do With the Azure Instance Metadata Service?
A simple example would be to query the service to show the current VM size (Azure VM Size) from within the VM itself, without needing access to the Azure Portal or any Azure authorisation (e.g. Service Principals).
How Can You Query the Azure Instance Metadata Service?
Depending on whether you’re using Linux or Windows as your VM operating system, you can call the REST API for the Azure Instance Metadata Service using something similar to the following in Linux:
curl -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2019-06-01"
or in PowerShell 6.3+ on Windows (includes -NoProxy):
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2019-06-01"
or PowerShell <6.0 compatible (excludes -NoProxy):
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2019-06-01"
This will return a JSON string which, among other things, will contain the current VM size.
You can use the querystring parameter “format=text” to get a raw text response:
169.254.169.254/metadata/instance?api-version=2017-08-01&format=text
For more information on the API options and returned data use the following links for Windows or Linux VMs:
What Is Providing the 169.254.x.x Address?
The Azure Instance Metadata service is provided by the WAAGENT. On Linux this is a daemon service, and on Windows it is a Windows Service, installed during the VM build process when a VM is built using the Azure Resource Manager (not the Classic Azure VM build process).
The agent is a set of Python routines, which are visible on GitHub here: https://github.com/Azure/WALinuxAgent
The agent is not required to be installed inside VMs hosted in Azure, but it is used by a multitude of Azure features.
If you analyse the agent log files (see /var/log/waagent.log in Linux), you will see that the agent is in constant communication with Azure APIs over HTTP (and HTTPS).
Can I Disable the Azure Instance Metadata Service?
Yes, you can disable it (see here: https://github.com/Azure/WALinuxAgent/wiki/VMs-without-WALinuxAgent ), but without the agent running, you will not be able to run the Azure Enhanced Monitoring for Linux (AEM) plugin which is required in a production SAP system, because of the required use of Premium disks (see SAP note 2191498). The Azure Instance Metadata service will auto-start with the VM.
There are noted downsides to having the agent running (documented here: https://raymii.org/s/blog/Linux_on_Microsoft_Azure_Disable_this_built_in_root_access_backdoor.html ) but as mentioned, for SAP support, you need Azure Enhanced Monitoring (for Linux) which is a plugin for this agent.
Is the Azure Instance Metadata Service Used by SAP?
Yes, although indirectly. The SAP Hostagent (7.21) is able to query the metadata service statistics of the guest VM. The statistics are recorded into local file system files by the Azure Enhanced Monitoring for Linux agent plugin (also on GitHub here: https://github.com/Azure/azure-linux-extensions/tree/master/AzureEnhancedMonitor ).
The AEM plugin is a basic set of Python routines for the recording of the Azure disk and CPU statistics into designated flat text files (in Linux see /var/lib/AzureEnhancedMonitor/PerfCounters), and these files are then consumed by the SAP Hostagent.
As you may know, the Hostagent includes the SAPOSCOL (SAP O/S Collector) binary executable, which is the process within the SAP Hostagent delivered binaries that is responsible for digesting the AEM statistics. It makes the statistical information available in a shared memory segment, which can be accessed by an SAP NetWeaver stack (in fact, you can also access it manually by using the SAPOSCOL interactive command line).
In SAP NetWeaver (AS ABAP) you can use transaction ST06 to access this SAPOSCOL information, where you will see a summary page for the O/S details (including the Azure provided details) plus a historical report of statistical data, all obtained from the SAPOSCOL memory segment.
Is the Azure Instance Metadata Service Read-Only?
Yes, all of the data is read-only. However, there is one area that you can influence using an HTTP POST, as outlined in the information provided here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/scheduled-events
As you will see the ScheduledEvents API doesn’t really give you any control of the VM, as it’s more of a notification provider that gives you fair warning and allows you time to perform some provisional processing prior to a scheduled event execution. It’s not used by the SAP Hostagent as far as I can determine.
How Can We Utilise the Azure Instance Metadata Service During SAP Deployment Projects?
During deployments of SAP into Microsoft Azure, I have found it very useful to script access to the Azure Instance Metadata service to form part of a basic configuration check of VMs.
As an example, a Custom Operation can be defined in SAP LaMa (SAP Landscape Manager) which can be executed across all known SAP Hostagents and can return the information back into SAP LaMa as part of a Custom Validation execution (see more about SAP LaMa Custom Validation here: https://blogs.sap.com/2018/05/14/how-to-use-sap-landscape-management-custom-validations ).
This then provides you with an easy SAP level reporting capability to see what size of VMs you’re running in your landscape and the configuration of such items like Azure disk cache settings (an important topic for HANA databases!).
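A minimal version of such a configuration check, as an added example rather than code from the original post: it compares the vmSize and data disk caching values returned by the service against expected values. The sample response, the VM and disk names, and the expected values are constructed for illustration.

```python
import json
import urllib.request

IMDS_URL = "http://169.254.169.254/metadata/instance?api-version=2019-06-01"

def fetch_instance_metadata(timeout=2):
    """Query the service from inside the VM: Metadata header set, proxies bypassed."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    request = urllib.request.Request(IMDS_URL, headers={"Metadata": "true"})
    with opener.open(request, timeout=timeout) as response:
        return json.load(response)

def check_vm(doc, expected_size, expected_caching):
    """Compare one metadata document with the expected VM size and per-LUN disk caching."""
    compute = doc.get("compute", {})
    findings = []
    if compute.get("vmSize") != expected_size:
        findings.append(f"vmSize is {compute.get('vmSize')}, expected {expected_size}")
    # The service returns lun as a string; normalise to int for comparison.
    actual = {int(d["lun"]): d.get("caching")
              for d in compute.get("storageProfile", {}).get("dataDisks", [])}
    for lun, want in sorted(expected_caching.items()):
        if lun not in actual:
            findings.append(f"LUN {lun}: no data disk attached, expected caching {want}")
        elif actual[lun] != want:
            findings.append(f"LUN {lun}: caching is {actual[lun]}, expected {want}")
    return {"vmSize": compute.get("vmSize"), "dataDiskCaching": actual}, findings

# Constructed sample response (trimmed to the fields used), not output from a real VM.
SAMPLE = json.loads("""
{"compute": {"name": "sapvm01", "vmSize": "Standard_E32s_v3",
  "storageProfile": {"dataDisks": [
    {"lun": "0", "name": "sapvm01-data", "caching": "ReadOnly", "diskSizeGB": "512"},
    {"lun": "1", "name": "sapvm01-log", "caching": "ReadWrite", "diskSizeGB": "256"}]}}}
""")

# Hypothetical expectation for this landscape; substitute your own sizing standard.
EXPECTED_SIZE = "Standard_E32s_v3"
EXPECTED_CACHING = {0: "ReadOnly", 1: "None", 2: "None"}

if __name__ == "__main__":
    # On a VM, replace SAMPLE with fetch_instance_metadata().
    summary, findings = check_vm(SAMPLE, EXPECTED_SIZE, EXPECTED_CACHING)
    print(json.dumps(summary))
    for finding in findings:
        print("FINDING:", finding)
    raise SystemExit(1 if findings else 0)
```

The non-zero exit code on any finding lets a wrapper, such as a custom operation run through the Hostagent, treat the VM as failing validation.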
What is /usr/sbin/azuremetadata ?
In distributions of SUSE Linux (including openSUSE), a command-line binary executable exists which calls the Azure Instance Metadata service.
It has a fixed set of command-line options and retrieves a reduced subset of the data that can be queried using “curl” or “wget”.
If you need only the barest, quickest method of calling the Azure Instance Metadata service, then this binary executable will probably suffice.
This executable is also used by other SUSE features, so it is unlikely to be deprecated. However, it may not use the latest version of the API.
What Is the Latest Version of the Azure Instance Metadata Service API?
If you look at the two URLs provided previously for Windows and Linux, you will notice they contain a section called “Versioning” on the pages which details the currently supported versions of the API.
Are There Any Issues With the Azure Instance Metadata Service?
Yes, I’ve seen a couple of issues. The service is relied upon in various areas of SUSE Linux cloud-netconfig to provide the VM with IP address details at boot time. If this integration fails or is slow, your Linux VM may not have all IP addresses after boot (only the primary IP).
Sometimes (quite a lot of times) you will notice timeout errors in the agent log file as it tries to talk to Azure APIs. Apparently this is normal and noted in a few forum posts in places. However, it means that the agent is obviously “stalling” while it experiences this “timeout”. Therefore I would argue that it is not ideal.