This post aims to introduce Microsoft Azure IaaS (Virtual Machines service) to folks who were not involved from the beginning with Azure and who would like to rapidly understand how it works, and if it can convince them start or even think use it. In this post, I will not detail the IaaS features in Microsoft Azure, since we have hundreds of them, and there is books and long articles describing in details the Azure fundamentals.
This post is divided like below:
- Introduction : I will rapidly introduce the Azure Virtual Machines service (IaaS)
- Components : This is the principal part of this post, I will detail the components and bricks of the Azure Virtual Machines services. It will help you understand how the Azure IaaS can be used and what to consider before deciding to go with the Azure Virtual Machines service.
- Networking : I will explain the networking concept in Azure
- Storage : I will explain the storage concept in Azure
- Pricing : I will explain how the Azure pricing works
- Design considerations : I will put some design considerations and must-remember points
- Further Reading : I will post some interesting resources and readings to go deep and dive into Azure.
Azure Virtual Machines is one of the central features of Azure’s IaaS capabilities. Azure Virtual Machines supports the deployment of Windows Server or Linux virtual machines (VMs) in a Microsoft Azure datacenter. You have total control over the configuration of the VM. You are responsible for all server software installation, configuration, and maintenance, as well as operating system patches. All the resources are running within the Microsoft Datacenters, the only link to them will be networking. Think of it like you have your own datacenter in another location or region from you on-premise. You create all your workloads there and you access them remotely. The only difference here is :
– The Datacenter belongs to Microsoft
– All the underlying management, updates, maintenance are Microsoft’s responsibility (Hardware, Networking, Cooling, Power…)
– The physical security are Microsoft responsibility
The result is : Microsoft offers you a feature ( A service) that enables you to create virtual machines and use them freely, just like they were yours, and they are yours.
I would loved to continue introducing the Azure Virtual machines feature, because it’s amazing and very interesting. I will dedicate a full post just for discussing the ‘what and why ‘about Public Cloud Platforms (Iaas Offer) and is it reasonable to go forward toward this new concept.
The compute component is the heart of Azure VM. Compute mean the virtual machine resources : CPU, Memory and Operating System
When you create a virtual machine in Azure, you will choose first the VM configuration : Hardware and Software (Example : I want to deploy a Windows Server 2012 R2 Datacenter VM with 4 GB of RAM and 2 CPU). Look that I’m not mentioning the storage configuration (OS disk size, number and size of data disks). This is intentionally and will be explained further.
Azure does not give you the possibility of freely choosing the hardware configuration. In fact, Azure exposes predefined templates to choose from. These templates are classified into Virtual Machine series and sizes. The complete Virtual Machine sizes list can be found here and it’s regularly updated by Microsoft in case of a change. LINK1 : Azure Virtual Machine Series and Sizes
The Virtual Machines in Azure can be classified by :
The tier is a categorization of the virtual machine type. There are two Tier types in Azure : Basic tier and Standard tier. Basic tier VMs are generally used for test/dev and less important VMs. Basic Tier VMs are spreadly used for production environment. The difference resides in the following things:
– Basic Tier VMs do not support Azure load balancing capabilities (you cannot load balance traffic between two basic VMs using the Azure load balancing feature)
– Basic Tier VMs do not support the Azure ‘Autoscale’ feature. ‘Autoscale’ allows Azure to automatically scale the number of virtual machines to meet resource requirements (CPU usage for example) and then scale down by shutting down VMs when scale conditions are no longer crossed
– Not all the hardware configurations are given with the Azure Basic tier VMs. Advanced hardware configurations (more and faster CPU, more and faster memory, more disks, faster temporary disks, more performance…) are just provided with Standard tier VMs
– Basic VMs data disks IOPS is capped a 300 IOPS per disk, less than the 500 IOPS for the standard tier ( storage will explained in details later in this article)
The series is classification to help the customer rapidly find and choose between tens of virtual machines types. It’s like the classification that we find in car vendors : Mercedes Class A, B, C, E and S or BMW Series 1, 3, 5 and 7 . Till today, there are 4 Azure Virtual Machines Series : The A-Series, D-Series, DS-Series and G-Series:
- A-series: A-Series presents ‘normal’ and ‘classic’ virtual machine class. They are intended to the majority of workloads. Only the A-Series provide the Basic tier classification
- D-Series: D-Series presents enhanced VM’s underlying hardware. VMs are provisioned on top of better physical servers using faster processors, faster disk cache and more storage support. They provide also the capability of using offloading network technologies to communicate over a low latency, high throughput network in Azure. LINK2 : D-Series Virtual Machines Sizes
- DS-series: DS-series is the only Azure VM series that let you benefit form the Azure Premium Storage (Storage in Azure will be discussed later). It mainly intended for workloads that need high performance and low latency storage.
- G-series: This is the last announced Azure Series, it provides powerful VM’s hardware configurations (High specifications). Underlying hardware uses better CPU and memory brands. It is mainly intended for giant workloads (can provide hundreds of GB of RAM). LINK 3 : G-Series Virtual Machines Sizes
The Size of a virtual machine means its hardware configuration. In Azure, the hardware configuration counts 4 elements :
CPU : The virtual processor count
Memory : The amount of RAM allocate do the virtual machine
Temporary or Local storage : The size of a temporary storage allocated to the virtual machine. It’s an attached disk that can be used for storing temporary (volatile) data during the virtual machine running time. The content is lost in any case the virtual machine is stopped (Planned or unplanned)
Number of supported data disks : Each virtual machine size has a maximum data disk count. For example, you can attach a maximum of 4 data disks (Data VHDs) to a Standard A2 VM while you can attach 16 to a A4 VM. This is very important since the maximum size of a data disk is 1 TB (1023 MB), for example you cannot have have a 5 TB volume using an A2 VM (4 disks of 1 TB with stripping will give you a maximum of 4 TB volume)
Microsoft provides a wide range of operating system images. Both Windows and Linux are supported. In addition, pre-configured images can be found like Windows + SQL or Linux + Apache. Images can be found on the Azure VM ‘Library’ or on the VM depot. Moreover, Azure allows you to bring your VMs and run them in Azure. You can upload VHDs to Azure and then use and deploy them (Of course, the VM OS need to be supported by Azure). There is no maintained link that list the supported operating systems in Azure. However, till the writing time of this article, here the actual supported OS :
When you create a virtual machine in Azure, this virtual machine is provisioned as part of a cloud service. Several virtual machines can be part of the same cloud service, this will let you create load balanced services between virtual machines. You will not be able to use Azure ILB (Internal Load Balancing) if your VMs are not within the same cloud service and the same virtual network
Important notice : With the introduction of Azure Resource Manager that goes GA on June 30 (ARM GA Announcement) for a set of Azure features, Cloud Services are no longer needed if you use the ARM stack for your VM deployments.
Azure provides load balancing features for its virtual machines services. You can use the load balancing features to distribute traffic between VMs whether these VMs are internet facing or not. The load balancing features can load balance level 4 traffic and support only tcp and udp traffic. As discussed earlier, the load balancing is only supported on VMs part of the same cloud service. The following link gives a good description of the Azure Load Balancing feature LINK 5 : Azure load balancing
Important notice : With the introduction of Azure Resource Manager that goes GA on June 30 (ARM GA Announcement) for a set of Azure features, Cloud Services are no longer needed if you use the ARM stack for your VM deployments.
Affinity groups are a way to point to a fixed set of physical servers located near each other in the same region. In the past, affinity groups were a requirement for creating virtual networks (VNets). At the time, the network manager service that managed VNets could only work within a set of physical servers or scale unit. Recent architectural improvements have increased the scope of network management to a region. As a result of these architectural improvements, affinity groups are no longer recommended or required for virtual networks. The use of affinity groups for VNets is being replaced by regions. Virtual networks that are associated with regions are called regional VNets. Affinity groups are deprecated, this is why I will not explain their usability.
There are two types of Azure platform events that can affect the availability of the virtual machines: planned maintenance and unplanned maintenance. Planned maintenance does not generally affect the availability of the Azure virtual machines, but my sometimes require you to reboot your VMs. Unplanned maintenance may not be referred to maintenance but to unplanned service disruption caused generally by the underlying hardware failure. To guarantee the Azure SLA (actually 99.95 % service time), it’s highly recommended to always create highly available workloads that can be achieved by redundant services. Clustering, Built-in clustering and Load balancing are sort of high availability paths. However, it’s important to guarantee, that at a given time, a set of highly available VMs (clustered, Load balanced…) are not under the same fault domain (A fault domain is a set of resources that share the same Single-point-of-failure), this is why the Availability Set configuration was provided. Two or more VMs under the same ‘availability set’ will be placed on different fault domains. In case of planned or unplanned maintenance, at least one VM is guaranteed to be kept up and running. VMs must be under the same cloud service to be able to join an availability set configuration. More information can be found here LINK 6 : Azure virtual machines high availability
When you plan to create a virtual machine in Azure, you need to know the target virtual machine specification and then choose between the different Tier/Series/Size. Keep in mind the following points:
- You can at anytime change the virtual machine type. You can scale up or scale down (from a hardware configuration perspective) the configuration at any time. But you need to respect the target VM’s type requirements. For example, you cannot change from a DS-Series to another series if you are using Premium Storage or you cannot pass from an A4 VM with 16 disks to an A3 VM, because A3 supports a maximum of 8 data disks. You can rarely encounter issues with the VM configuration changes, you can refer to this post for more information LINK 5 : Azure VMs sizes considerations
- Only few Azure VMs support more than one network adapter : [ 4 NICs : A4, A7, A9, D4, D13, G4] [2 NICS : A3, A6, A8, D3, D12, G3]
- VM pricing depends on the three classification: Tier, Series and Size. The more the configuration and options are better, the more the VM is expensive (Pricing will be discussed later in this post)
- Notice that the storage usage and network throughput is not part of the VMs classification, and hence on pricing. Storage and network usage are billed separately
- For all your ‘normal’ virtual machines that do not require load balancing and special performance, use the Basic tier VMs : It’s more affordable
Virtual networks (VNets) are used in Azure to provide a layer of security and isolation to your services. VMs and services that are part of the same virtual network can access each other. By default, services outside the virtual network cannot connect to services within the virtual network. You can, however, configure the network to allow access to external services:
- A virtual network is a closed logical network boundary ( It’s like a network in a physical network architecture)
- 2 virtual networks cannot natively communicates even if they are within the same region. A Vnet to Vnet connection must be configured to let they communicate (Using VPN)
- All traffic within the same virtual network is by default permitted. However, Azure provides a security layer that let you configure ACLs between virtual machines or subnets (will be discussed later)
- VLANs are not supported nor understood by virtual networks, in fact Azure virtual networks are layer 3 networks for the tenant perspective.
- Only tcp, udp and icmp protocols are supported within Azure virtual networks
- Virtual networks support cross premises connection : You will be able to connect you on-premises network to an Azure virtual network for example
- Virtual Networks are regional scoped, and hence, your virtual network can span all the datacenters within the same region (In the past, Virtual Network are datacenter scoped, and you can be in the situation when you want to provision a virtual machine on the same region but you can’t connect it to a virtual network, even if it created on the same region)
You can read the TechNet FAQ for more information: LINK 6 : Azure Virtual Networks FAQ
When creating a virtual network the following information should be provided :
– Location [Mandatory] : In which region the virtual network will be created
– DNS Servers [Optional] : Azure will be responsible for assigning the IP addresses for your VMs (Of course it will pick up IP addresses from a pool that you provide). You can hence provide the DNS servers that will be configured for this virtual network and that the VMs within it will use. DNS servers are configured per virtual network.
– Address Space [Mandatory] : Each created virtual network must be configured with at least one virtual network address space. The virtual network address spaces contain the IP addresses fields that this virtual network provides. You cannot assign a virtual machine, an IP address that is not included in the virtual network address spaces ranges (Imagine like you are defining a network on your switch where you assign it a network address)
– Subnet [Mandatory] : The Address Space range cannot be used directly by Azure. At least one subnet must be defined per Address Space. You can choose to divide the address space into several subnets or use a single subnet per address space (a subnet range that will fit the entire virtual space).
NB: Azure Virtual Networks support both Public and Private IP addresses ranges (CIDR notation), this will permit you to bypass the RFC-1918 limitation. However, cross-premises virtual networks (that will be connected to on-premise or to another virtual network using VPN or Express route) must respect the RFC1918 IP ranges. In other words, only the Cloud-Only virtual networks can use non RFC-1918 IP addresses
When creating a virtual machine, you can choose to connect it to a virtual network, and choose which subnet will be used to pick up an IP address from. Azure will configure this IP address for your VM, and it will appear as a static IP address on your guest OS (Not a DHCP_reservation-like). On the same time this IP address is not static, that means it can be cases where the IP address will change. Discussing the cases and how to fix permanently and IP address will be discussed later in the Design considerations
Azure provides different ways for interconnecting the Azure virtual network to the local on-premise network. The following are the actual options provided by Microsoft:
- Site-to-Site VPN : S2S VPNs can be established between an Azure Virtual Network and an On-premise network (called Local Network). The S2S VPN is established between two parties, between an Azure Gateway and on-premise VPN device. Establishing a site to site VPN will allow your on-premise resources to communicate with your Azure resources. Actually, Microsoft provides 3 Azure gateways that offer different features and different prices. On-premises VPN devices should respect the minimum gateway requirements presented here. Microsoft also maintain a lit of known compatible devices
- Point-to-Site VPN : Azure supports establishing VPNs from a client perspective. A Point to Site VPN will allow individual clients to connect from anywhere to the Azure resources. actually, only Windows clients can establish a point to site VPN to Azure
- ExpressRoute: Azure ExpressRoute enables you to create private connections between Azure datacenters and infrastructure that’s on premises. ExpressRoute do not use public internet to transmit data. Unlike VPNs, ExpressRoute uses a private circuit. ExpressRoute offers many benefits specially speed and SLA. For additional information, you can read more here LINK7 : Azure ExpessRoute
Security in Azure Networking
Azure provides different options to secure the inter and intra communication within the Azure virtual networks. However, there are many considerations to better chose which option to use :
- When a virtual machine is created and connected to a virtual network, it is able to communicate with all the virtual machines within the same virtual network.
- When a virtual machine is created and connected to a virtual network, external inbound connections (external to the virtual network) are not allowed except for two services (configured by default) : Remote Desktop Connection and Remote PowerShell. Allowing/Denying inbound traffic is conducted via two options :
- Endpoint : An endpoint is a mapping relation between two ports, a Public port and a Private Port. The Public port is the port on which the virtual machine will listen for traffic from external networks, the Private port is the port on which the service is really listening on the virtual machine. The Public/Private couple is a port redirection rule. Of course Public and Private ports can be the same.
- ACL : When an Endpoint is configured for a virtual machine (Example : Public Port A, Private Port A), an access rule is automatically added to the access rule list for that virtual machine allowing external communication on that Public port. To limit access from different external sources, access rules can be added to limit the inbound connection form defined sources. Access rules can be explicit allow or explicit deny rules (Example : Allow only inbound connections on Public Port A from the external subnet 10.10.10.0/24 and Deny inbound connections on Public Port A from the external subnet 10.10.20.0/24 ).
The following link shows how to set up endpoints for Azure virtual machines LINK8 : Azure VM’s Endpoints. More information about Azure Virtual Machine’s security can also found here
There is another option that was added and that leverage more flexibility that the Endpoints and ACL concepts. In fact, as discussed, Endpoints are only applicable for external inbound traffic. The second feature allow you to create rules within the virtual network. It’s called Network Security Groups (NSG).
NSG is a powerful feature that allows you to :
- Define security rules for a single virtual machine
- Define security rules for a virtual network subnet
To resume, you can create ACLs using a 5 pattern (Source IP, Source port, Destination IP, Destination port, protocol) and apply them to a single virtual machine or to an entire subnet. This is similar to rules that you define for an inter-VLAN communications. This permits the creation of different security zones within the same virtual network (like a DMZ zone). NSG is supported with the local networks (On-Premise networks). The following link describes better the Azure Network Security Groups feature. LINK 9 : Azure Network Security Groups
By default, any virtual machine that is connected to a virtual network can access Internet. If you do not specify DNS server names on your virtual network configuration, default Azure DNS servers will be configured to permit name resolution. If your virtual network uses custom DNS servers, those DNS servers should resolve internet names if internet access is desired. If you want to restrict internet connection on your virtual network, you can use Network Security Groups to set per VM or per subnet denying rules.
Storage is the third key component in the Azure IaaS infrastructure. Storage includes any sort of service where we can store data (Tenant data). There are many storage services in Azure (Look here for the complete documentation) but for an Iaas perspective only one or two services are involved : Blob storage and File storage.
To avoid reinventing the wheel, I picked up the following introduction from this link. Azure Blob storage is a service for storing large amounts of unstructured data, such as text or binary data, that can be accessed from anywhere in the world via HTTP or HTTPS. You can use Blob storage to expose data publicly to the world, or to store application data privately.
Common uses of Blob storage include:
- Serving images or documents directly to a browser
- Storing files for distributed access
- Streaming video and audio
- Performing secure backup and disaster recovery
- Storing data for analysis by an on-premises or Azure-hosted service
There are tow types o Blob storage:
- Block blob storage : For streaming and storing documents, videos, pictures, backups, and other unstructured text or binary data.
- Page blob storage : Optimized for random read and write operations, page blobs are ideal for VHD images. This blob type is used for the virtual machine storage and will be discussed on this section
Page Blob storage is commonly used to store Azure virtual machine files including operating system disks and data disks. There are two types of storage provided for virtual machines today : The Standard Storage and the Premium Storage. The difference between the two types is performance.
- To be able to use the storage, a storage account need to be created. The storage account is just an account that permits you access the Azure storage. Each storage type (Standard or Premium) needs a different storage account. So to be able to use both storage types, two storage accounts should be owned. You can have more than one storage account per subscription and the maximum is 100.
- Like any Azure resource, the storage account is region limited. You can’t provision a VM in a region and its storage resource in another region
- Azure storage offers different redundancy options categorized into 4 variants : LRS, ZRS, GRS and RA-GRS. The following Link provides description for each variant. The minimum redundancy in Azure is LRS which creates 3 copies of the data on the same facility.
- Standard Storage : Storage performance is limited in term of IOPS an throughput. The reference IO UNIT size is 8 KB. The maximum IOPS per disk (VHD) is 300 for a basic tier and 500 for a standard tier, the maximum throughput is 60 MB/s. Of course higher IOPS and throughput can be achieved using disk aggregation (stripping). This link explains more the IOPS and throughput for Azure storage. LINK10 : Azure Storage IOPS and throughput
- Premium Storage : Storage performance is the main key of this storage type that let you achieve 64.000 IOPS an more than 512 MB/s per virtual machine. More detailed information can be found on the following link LINK 11 : Azure Premium Storage overview
- Blob storage can be accessed via the Azure PowerShell or Azure Storage APIs for common management tasks.
File storage is a new Azure storage service (In preview till the writing time of this post). File storage offers shared storage for applications using the standard SMB 2.1 protocol. Microsoft Azure virtual machines and cloud services can share file data across application components via mounted shares, and on-premises applications can access file data in a share via the File storage API. Applications running in Azure virtual machines or cloud services can mount a File storage share to access file data, just as a desktop application would mount a typical SMB share. Any number of Azure virtual machines or roles can mount and access the File storage share simultaneously. Since a File storage share is a standard SMB 2.1 file share, applications running in Azure can access data in the share via file I/O APIs. Developers can therefore leverage their existing code and skills to migrate existing applications. IT Pros can use PowerShell cmdlets to create, mount, and manage File storage shares as part of the administration of Azure applications. This guide will show examples of both.
Common uses of File storage include:
- Migrating on-premises applications that rely on file shares to run on Azure virtual machines or cloud services, without expensive rewrites
- Storing shared application settings, for example in configuration files
- Storing diagnostic data such as logs, metrics, and crash dumps in a shared location
- Storing tools and utilities needed for developing or administering Azure virtual machines or cloud services
More information can be found here LINK 12 : Azure File storage overview
This section describes the pricing basics for the Azure IaaS components. Pricing is a very important when designing the Azure platform, since in the Azure model, the components granularity can let you create different similar designs with different costs. You should be aware of every components that you will include in your design, to perfectly estimate the total platform cost.
- Each virtual machine type has a cost. The cost is for compute resources (Not storage and Network) and depends on the 3-Tuple : (Tier, Series, Size). Check the following link for the most recent Virtual Machine pricing LINK 13 : Azure Virtual Machines price list
- The consumption is calculated in a per-minute usage. So if you use you VM for 1 hour, you will be charged for 60 minutes, if you use it for 30 seconds, you will be charged for 1 minute
- Prices are different from a region to another. In general, the most expensive is in the Australia and Brazil regions
- A virtual machine is always billed unless it’s deleted or Deallocated (stopped and deallocated)
- Storage and network resources are billed separately. The temporary storage shipped with the virtual machine is however free.
- There are taxes applied to the virtual machine usage. These taxes are not included in the Azure virtual machine prices, and are added separately to the bill. I have no idea how these taxes are calculated. I will be glad if someone leave me a comment with this precious, hidden information
- For the Azure virtual machine pricing details, follow this link. LINK 13 : Azure virtual machine pricing
- Virtual machine storage (except the temporary disk) is billed in a per GB/Month basis. For example, if you use 100 GB in the first 15 days, and 0 GB in the second 15 days, you will be billed for the usage of 50 GB per month. Every day, Azure will pick up a value of the consumed storage for that day. By the end of the month, these value will be used to calculate the monthly usage value ( DAY1 + DAY2 + … + DAY30)/30
- Storage cost depends on the location (Region) and the redundancy type. The more the storage is redundant, the more it’s expensive ( LRS > ZRS > GRS < RA-GRS)
- The storage cost decrease with storage consumption. The more you use storage, the cheaper the GB/month pricing unit will be
- Only really consumed storage is billed. For example, if you create a 200 GB vhd, with only 50 GB content, only 50 GB will be billed by the end of the month.
- Storage transactions are billed. Every write/read operation is charged. The actual price is a fixed amount per 100.000 transactions. The question is why ? The answer is : Imagine a person copying 50 GB of data to a location, and leaving it till the end of the month, and another person, copying 50 GB of data to a location, but everyday, it replaces them by 50 GB of new data. At the end of the month, the two persons used 50 GB of data, but it’s clearly that the second one was continuously soliciting the storage subsystem, and hence, amortizing the system. It’s obvious to charge it a way more than the first one.
- Premium storage billing is different from the standard storage billing, you should be aware of the difference :
For the Azure storage pricing details, follow this link. LINK 15 : Azure storage pricing
- Network traffic and data transfer inside the same Azure region is free (Intra-VNET, Inter-VNET in the same region)
- Microsoft will charge outbound data transfers(Egress data), that means that data leaving the Azure datacenters will be charged. Inbound data (Data uploaded to Azure) is free. The first outbound 5 GB of data is free.
- Like the other pricing models, prices decrease with usage increase.
- Prices are different from one zone to another. Prices in Zone1 are lower than Zone 2, which prices are lower than Zone 3. Of course, things can change on the future, and it will change.
- In addition to the data transfer charge, there are charges applied to the IP addresses that may be assigned to virtual machines and related services (Per hour basis)
- PIP : PIP addresses are not free, and are charged per hour basis (however, one PIP costs around 3 Euros per month, per VM)
- VIP : VIP is free. But if you want to have multiple VIP for the same cloud service (up to 5 VIP), you can have them at a nominal charge, at the same cost then PIP.
- Reserved IP: If you want to reserve the VIP address (set it to static), the first 5 will be free and additional reserved VIP will be charged. Even unused reserved IP addresses will be charged too (For example you reserve an IP and you don’t use it for a service)
- Address remap : Address remap is free if you remap up to 100 address per month. If you cross this limit, a fee will be applied per additional remap (remap mean that you assign an IP already assigned to a cloud service to another cloud service)
- When you establish a cross-premise connection using VPN or a Vnet-to-Vnet connection, an Azure gateway is used. There are many Azure gateway types that offer different performances and scalability values and with different costs. The following link shows the Azure gateway types. Pricing can be found in this link
- Express Route : Azure ExpressRoute enables you to create private connections between Azure datacenters and infrastructure that’s on your premises or in a colocation environment. ExpressRoute connections do not go over the public Internet, and offer more reliability, faster speeds, lower latencies and higher security than typical connections over the Internet. Express route has many advantages:
- Detected circuit between Azure and on-premise
- Private circuit that do not go through internet
- SLA (Availability and performances)
- There is a hidden information that is not exposed to Azure users, but will add a little dollars to you bill. It’s the tax cost. In fact, a tax applyes when using Azure (or in genral any service). The tax cost is not included in the features or services pricing and added later to the bill. Unfortunately, Microsoft do not provide information about how much this tax is really is. (Look for this TechNet thread)
Express route pricing can be found here
For the Azure network pricing details (Data transfers), follow this link. LINK 16 : Azure data transfers pricing
For the Azure network pricing details (IP addresses), follow this link. LINK 17 : Azure IP addresses pricing
Design Consideration ad recommendations
This section will describe some design considerations and recommendations when planning to use Azure IaaS and specially Virtual Machines.
- There are 3 virtual machine states: Running, Stopped (Allocated) and Stopped (Unallocated)
- Running: This is when the virtual machine is up and running : All the virtual machine resources are billed —-> Compute, Network and Storage
- Stopped (Allocated) : This is when the virtual machine is stopped using the operating system (The machine is stopped from inside the operating system) —-> All the virtual machine resources are billed : Compute, Network and Storage
- Stopped (Unallocated) : This when the virtual machine is stopped using the Azure portal shutdown button or Azure PowerShell/API —-> Only the storage used by the VM is billed
- Always start with the minimal virtual machine size that fit your needs. You can upgrade the virtual machine configuration, later needed
- High availability (fault domain and upgrade e domain to achieve SLA)
- By default, a dynamic IP address is picked from the virtual network’s IP pool is assigned to any provisioned virtual machine. This IP address is dynamic, that means it ‘may’ change in some conditions (Look HERE). Its’ recommended to set the IP address to static via the following option:
- Set the IP address to static during the virtual machine provisioning : Only with PowerShell on the Azure management portal or via the portal in the Azure Preview portal
- Set the IP address to static after the virtual machine creation : Only with PowerShell on the Azure management portal or via the portal in the Azure Preview portal (You can use the following script to fix an IP address for a single virtual machine or this one for a group of virtual machines)
- If you plan to use cross-premises connection with Azure, the address space and subnets of your virtual network must be within the RC1918 IP addresses ranges
- Network security groups is the best option for creating security zones in your virtual networks. Security groups allow you to create ACL rules inter and intra-subnet. NSG and Endpoints are not supported together, you should use either one or the other.
- You should carefully prepare your virtual network design, in fact, changing the network design of an existing Azure platform is not straight forward and require downtime.
- You cannot change the IP address of a Virtual Machine without downtime (VM reboot)
- You can move a VM within the same virtual network between subnets (Require reboot). But you cannot change the virtual network without rebuilding the virtual machine (You should delete the virtual machine and rebuild it using its VHDs)
- For cross-premises connection using VPN, if you plan (And I think it always will be) to connect more than one site or P2S clients, you must use dynamic routing, that means your on-premise VPN devises must support dynamic routing.
- Azure virtual machines do not support acting as Layer 3 (IP) gateways or routers. You cannot for example use a 2-NIC virtual machine as a software router. Read here more about Multi-NIC Azure VMs
- There are different IP addresses types in Azure, you should be aware of them
- Internal IP address : Also known as DIP, This is the private internal IP address of the virtual machine, this is the local IP address assigned to a virtual machine from the VNet’s address space pool. This IP address cannot be reached from the external network. This IP address is by default dynamic unless you set it to static (See below)
- Internal virtual IP address : Also know as LIB. When we say virtual, we say load balancer. The internal virtual IP address is an IP address assigned by the Azure Internal load balancer to be used by internal services to access load balanced workloads. Look to the Load Balance feature described earlier in this post. Internal virtual IP address is not reachable from external network
- External virtual IP address : Also know as VIP. This is the IP address of load balanced services that can be accessed from the external network, and can only target the same cloud service. This VIP is dynamic but since it’s public, it’s highly recommended to set it to static. Microsoft allows you to reserve up to 5 VIP by subscription, we call them reserved VIP.
- Instance level IP : Also know as PIP. This is a public IP that can be directly be assigned to a virtual machine. This will permit you to directly access a virtual machine from the external network without the need of configuring endpoints. Microsoft allows you to reserve up to 5 PIP by subscription
- To obtain the desired IOPS/Throughput on the data disks, you can use disks stripping. Today, Microsoft recommends using Storage Spaces inside an Azure virtual machine for disk aggregation.
- Using and managing Premium storage is only possible via the Azure preview portal. If you want to deploy DS-Series, you should use the Azure preview portal
- As discussed below (Storage section), to obtain the desired IOPS/Throughput with the Premium storage, you should select the adequate VM_Size/P_Disk couple, otherwise you will not achieve the desired performance. Do not forget that each virtual machine size (DS-Series) has a maximum IOPS/Throughput limit. In addition, each P-disk type has also a maximum IOPS/Throughput
Managing Azure and specially Azure virtual machines is today possible via the Azure management portals:
- Azure Management portal (https://manage.windowsazure.com/) : This is the classic portal, where you can make almost all the management tasks. There are many actions and features that you can’t do/use via this portal. You will have to use the second portal
- Azure portal (https://portal.azure.com/) : This is the new metro-style portal. Even if it’s actually in preview, you can make all the management tasks using it.
–> I personally use and recommend using the new Azure portal since (surprisingly unlike the community), since :
- The classic management portal will be deprecated with time, and one day, you will use it anyway. So it’s a good idea to start and take the habitude and the hand on it.
- It’s more oriented to touch screen, tablets and phones.
- Many features are only possible via this portal : DS-Series virtual machines, resetting VM passwords, RBAC…
- IaaS V2 (ARM objects) can only be shown and used on the new portal
- I personally like colorful portals
Azure service Quota and limits : http://azure.microsoft.com/en-in/documentation/articles/azure-subscription-service-limits/
We live in the internet Era, and thanks to search engines like Bing and Google, nothing cannot be not found. If you want to learn more about Azure, where to go:
- There is two Microsoft free eBooks that you can download right here : http://www.microsoftvirtualacademy.com/ebooks. The first to read is Microsoft Azure Essentials: Fundamentals of Azure. The second is Introducing Windows Azure for IT Professionals. Although the latter dates from October 2013, it contains many useful labs to begin manipulating Azure
- Microsoft Azure blog : For whom who want to be stay always tuned about the last Azure updates and news, this is the official Microsoft Azure blog
- You favorite search engine + the Key word : This is my preferred and most used learning method
The goal of this post is to demystify the Azure virtual machines service and Ito explain the different relayed features and components. The information provided are just a start point, and may become deprecated on few months (some of them of course). Azure is under continuous enhancements and fast features growth. I highly recommend you to always check the Microsoft links for the last updates and news. Do not hesitate at asking your questions via the comments, I will be glad to answer, wherever I have the answer.