Microsoft Azure Virtual Network Services : Reading #4 – Azure DNS

Azure DNS

Azure DNS is a hosting service for DNS domains, providing name resolution using the Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services.

DNS domains in Azure DNS are hosted on Azure’s global network of DNS name servers. Azure uses Anycast networking so that each DNS query is answered by the closest available DNS server. This provides both fast performance and high availability for your domain.

The Azure DNS service is based on Azure Resource Manager (ARM). As such, it benefits from ARM features such as role-based access control, audit logs, and resource locking.

Domains and DNS records can be managed using:
  • Azure portal
  • Azure PowerShell cmdlets
  • Azure CLI
Applications requiring automatic DNS management can integrate with the service via the REST API and SDKs.

Domains purchased from a third-party domain name registrar can be hosted in Azure DNS for the management of DNS records.
Delegation of DNS zones with Azure DNS
Add a custom domain name to Azure Active Directory

Delegating a Domain to Azure DNS
Once you create your DNS zone in Azure DNS, you need to set up NS records in the parent zone to make Azure DNS the authoritative source for name resolution for your zone.

Microsoft Azure Virtual Networks – Reading #3

IP Addresses

You can assign IP addresses to Azure resources to communicate with other Azure resources, your on-premises network, and the Internet. There are two types of IP addresses you can use in Azure:

Private and Public IP Addressing - Classic

Private and Public IP Addressing Azure Resource Management
Public IP addresses: Used for communication with the Internet, including Azure public-facing services, such as Azure Redis Cache, Azure Event Hubs, SQL databases, and Azure storage.

In Azure Resource Manager, a public IP address is a resource that has its own properties. You can associate a public IP address resource with any of the following resources:
Virtual machines (VM)
Internet-facing load balancers
VPN gateways
Application gateways

Public IP Allocation Method
There are two methods in which an IP address is allocated to a public IP resource: dynamic (default) or static.

With dynamic allocation, the public IP address is allocated when you start (or create) the associated resource (such as a VM or load balancer) and released when you stop (or delete) it. The IP address changes when you stop and start the resource.

To ensure the IP address for the associated resource remains the same, you can set the allocation method explicitly to static. In this case, an IP address is assigned immediately. It is released only when you delete the resource or change its allocation method to dynamic. A static public IP is assigned from a pool of available IP addresses in Azure.

Static public IP addresses are commonly used in the following scenarios:
End-users need to update firewall rules to communicate with your Azure resources.
DNS name resolution, where a change in IP address would require updating A records.
Your Azure resources communicate with other apps or services that use an IP address-based security model.
You use SSL certificates linked to an IP address.

Public IP DNS Hostname Resolution
You can specify a DNS domain name label for a public IP resource, which creates a mapping for domainnamelabel.location.cloudapp.azure.com to the public IP address in the Azure-managed DNS servers. Each domain name label created must be unique within its Azure location.

Assigning a Public IP to a VM
You can associate a public IP address with a Windows or Linux VM by assigning it to its network interface. In the case of a multi-network interface VM, you can assign it to the primary network interface only. You can assign either a dynamic or a static public IP address to a VM.

Assigning a Public IP to an Internet-Facing Load Balancer
You can associate a public IP address with an Azure Load Balancer, by assigning it to the load balancer front end configuration. This public IP address serves as a load-balanced virtual IP address (VIP). You can assign either a dynamic or a static public IP address to a load balancer front-end. You can also assign multiple public IP addresses to a load balancer front-end, which enables multi-VIP scenarios like a multi-tenant environment with SSL-based websites.

VPN and Application Gateways
Azure VPN Gateway is used to connect an Azure virtual network (VNet) to other Azure VNets or to an on-premises network. You need to assign a public IP address to its IP configuration to enable it to communicate with the remote network. Currently, you can only assign a dynamic public IP address to a VPN gateway.

You can associate a public IP address with an Azure Application Gateway, by assigning it to the gateway’s frontend configuration. This public IP address serves as a load-balanced VIP. Currently, you can only assign a dynamic public IP address to an application gateway frontend configuration.

Private IP addresses: Used for communication within an Azure virtual network (VNet), and your on-premises network when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure, without using an Internet-reachable IP address.

In the Azure Resource Manager deployment model, a private IP address is associated with the following types of Azure resources:
VMs
Internal load balancers (ILBs)
Application gateways

Private IP Allocation
There are two methods in which a private IP address is allocated: dynamic (default) or static. A dynamic IP address is automatically allocated from the resource’s subnet (using DHCP). This IP address can change when you stop and start the resource.

Static private IP addresses are commonly used for:
VMs that act as domain controllers or DNS servers.
Resources that require firewall rules using IP addresses.
Resources accessed by other apps/resources through an IP address.

Assigning a Private IP to a VM
A private IP address is assigned to the network interface of a Windows or Linux VM. In the case of a multi-network interface VM, each interface gets a private IP address assigned. You can specify the allocation method as either dynamic or static for a network interface.

Internal DNS Hostname Resolution for VMs
All Azure VMs are configured with Azure-managed DNS servers by default unless you explicitly configure custom DNS servers. These DNS servers provide internal name resolution for VMs that reside within the same VNet.

VMs configured with Azure-managed DNS servers will be able to resolve the hostnames of all VMs within their VNet to their private IP addresses.

Internal Load Balancers (ILB) & Application Gateways
You can assign a private IP address to the front end configuration of an Azure Internal Load Balancer (ILB) or an Azure Application Gateway. This private IP address serves as an internal endpoint, accessible only to the resources within its virtual network (VNet) and the remote networks connected to the VNet. You can assign either a dynamic or static private IP address to the front end configuration.

Multiple NICs in Virtual Machines

You can create virtual machines (VMs) in Azure and attach multiple network interfaces (NICs) to each of your VMs.
Multi-NIC is a requirement for many network virtual appliances, such as application delivery and WAN optimisation solutions. Multi-NIC also provides more network traffic management functionality, including isolation of traffic between a front end NIC and back-end NIC(s), or separation of data plane traffic from management plane traffic.

Limitations of Multiple NICs

  • An Internet-facing VIP (classic deployment) is only supported on the default NIC; there is only one VIP, and it maps to the IP of the default NIC.
  • Multi-NIC VMs must be created in Azure virtual networks (VNets). Non-VNet VMs cannot be configured with multiple NICs.
  • All VMs in an availability set need to use either multi-NIC or single NIC. There cannot be a mixture of multi-NIC VMs and single-NIC VMs within an availability set. The same rules apply for VMs in a cloud service.
  • A VM with a single NIC cannot be reconfigured with multiple NICs (and vice versa) once it is deployed, without deleting and re-creating it.
  • Multiple NICs can only be configured using PowerShell, ARM templates or the CLI; the portal does not support them.

Network Security Groups

Network Security Groups provide advanced security protection for the VMs that you create using the Azure classic or Azure Resource Manager deployment model. They control inbound and outbound traffic passing through a Network Interface Card (NIC) (Resource Manager deployment model), a VM (classic deployment), or a subnet (both deployment models).

Network Security Group Rules
NSGs contain rules that specify whether traffic is allowed or denied. Each rule is based on a source IP address, a source port, a destination IP address, and a destination port. Depending on whether the traffic matches this combination, it is either allowed or denied. Rules are created using the portal or PowerShell.

Azure Network Security Groups (NSG) – Best Practices and Lessons Learned.

Custom Network Security Group Rules
There are predefined default rules for inbound and outbound traffic. You cannot delete these rules, but you can override them with custom rules because the default rules have the lowest priority.

Planning Network Security Groups

  • By default, you can create 100 NSGs per region per subscription. You can raise this limit to 400 by contacting Azure support.
  • You can apply only one NSG to a VM, subnet, or NIC.
  • By default, you can have up to 200 rules in a single NSG. You can raise this limit to 500 by contacting Azure support.
  • You can apply an NSG to multiple resources.
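As an added illustration of the rule semantics above (example code, not Azure's implementation), the following Python models first-match evaluation in ascending priority order with the three predefined default inbound rules, and audits a constructed rule set for custom rules that open RDP or SSH to the Internet or exceed the default 200-rule limit. Service-tag matching is simplified: "Internet" is treated as any source outside the VNet.

```python
"""First-match NSG rule evaluation plus a least-privilege audit (added example, not Azure's code)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number = evaluated first; custom rules use 100-4096
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, "*", or a service tag: VirtualNetwork / Internet / AzureLoadBalancer
    dest_port: str   # single port as a string, or "*"

# Azure's predefined default inbound rules: they cannot be deleted, but every custom rule
# overrides them because custom priorities are always lower (evaluated earlier) than 65000.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed sample NSG: two intentional custom rules plus one that is far too broad.
SAMPLE_RULES = DEFAULT_INBOUND + [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("AllowRdpFromOffice", 110, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "3389"),
    Rule("AllowRdpFromAnywhere", 120, "Inbound", "Allow", "Tcp", "*", "3389"),
]

MANAGEMENT_PORTS = {"22": "SSH", "3389": "RDP"}

def _source_matches(rule_source, src, vnet):
    """Service tags simplified: 'Internet' is anything outside the VNet; the load balancer
    tag is Azure's documented health-probe source address 168.63.129.16."""
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return src in vnet
    if rule_source == "Internet":
        return src not in vnet
    if rule_source == "AzureLoadBalancer":
        return src == ipaddress.ip_address("168.63.129.16")
    return src in ipaddress.ip_network(rule_source)

def evaluate(rules, direction, src_ip, protocol, dest_port, vnet):
    """Walk rules in ascending priority; return (access, rule name) of the first match."""
    src, net = ipaddress.ip_address(src_ip), ipaddress.ip_network(vnet)
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if r.dest_port not in ("*", str(dest_port)):
            continue
        if _source_matches(r.source, src, net):
            return r.access, r.name
    return "Deny", "<no matching rule>"  # unreachable while the default rules are present

def audit(rules):
    """Flag custom inbound Allow rules that open management ports (or every port) to the
    Internet, and warn when the default limit of 200 rules per NSG is exceeded."""
    findings = []
    custom = [r for r in rules if r.priority < 65000]
    if len(custom) > 200:
        findings.append(f"{len(custom)} custom rules exceed the default limit of 200")
    for r in custom:
        if r.direction != "Inbound" or r.access != "Allow" or r.source not in ("*", "Internet"):
            continue
        if r.dest_port == "*":
            findings.append(f"{r.name}: allows every port from {r.source}")
        elif r.dest_port in MANAGEMENT_PORTS:
            svc = MANAGEMENT_PORTS[r.dest_port]
            findings.append(f"{r.name}: exposes {svc} (port {r.dest_port}) to {r.source}")
    return findings

if __name__ == "__main__":
    for port in (443, 3389, 22):  # HTTPS, RDP and SSH from an Internet address
        print(port, evaluate(SAMPLE_RULES, "Inbound", "198.51.100.7", "Tcp", port, "10.0.0.0/16"))
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
```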

Microsoft Azure Virtual Networks – Reading #2

Managing Virtual Networks with the Azure Portal

There are several options for managing virtual networks in Azure:
1. Use the resource manager model in the Azure portal.
2. PowerShell script.
3. Use the classic portal.
4. Use a configuration file (service manager model for the classic portal).

Network Configuration Files
A network configuration file is an XML file with a specific schema. The network configuration file can include the following settings:

  • The name and location of the virtual network
  • DNS servers for the virtual network
  • Private IP address spaces for DIPs in the virtual network
  • Subnets within the private address spaces
  • The IP address of the virtual gateway that connects to a VPN

Microsoft Azure Virtual Networks – Reading #1

Azure Networking Components Overview

Azure Networking Components

Key components for Azure Networking:
Azure Virtual Network
IP Addressing in Virtual Networks
Azure Load Balancer
Application gateways
Domain Name System (DNS)
Subnets
Microsoft Azure Traffic Manager
Cross-Premises Network Connectivity: VPN Gateway, ExpressRoute

Azure offers two deployment models (see Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources):
1. Azure Classic Deployment Model
2. Azure Resource Manager Deployment Model
Microsoft is moving towards the Resource Manager deployment model.
Azure Resource Manager contains a network provider that provides advanced control and network management capabilities.
Advantages of using Azure Resource Manager to configure Azure Virtual Networks

  • Faster configuration due to resources being grouped.
  • Easier management.
  • Customization and deployment based on JavaScript Object Notation (JSON) templates.
  • Networking resources such as IP addresses, DNS settings, or NICs are managed independently and can be assigned to VMs, Azure load balancers, or application gateways.

You can create Azure network resources using the Azure portal, the Azure PowerShell module, the Azure command-line interface (Azure CLI), or deployment templates.

Connecting to Virtual Networks
There are several ways to connect to an Azure VNet:
Cloud-Only Virtual Networks
Point-to-Site VPNs
Site-to-Site VPNs
ExpressRoute
VNet-to-VNet

Planning IP Address Space
Always plan to use an address space that is not already in use in your organisation, either on-premises or in other VNets. Even if you plan for a VNet to be cloud-only, you may want to make a VPN connection to it later. If there is any overlap in address spaces at that point, you will have to reconfigure or recreate the VNet.

Subnet Allocation
You must also sub-divide the VMs and cloud services in your VNet by providing one or more subnets.
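An added example (not an Azure tool) of the planning described in the two sections above: it checks a proposed VNet address space against ranges already in use, carves subnets out of it by first fit, and validates a static private IP against its subnet, allowing for the five addresses Azure reserves in every subnet. The address inventory and subnet requests are constructed.

```python
"""VNet address-space planning: overlap check, subnet carving and static private IP validation
(added example, not an Azure tool)."""
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the default gateway,
# two addresses for Azure DNS and the broadcast address (a documented Azure rule).
RESERVED_LEADING, RESERVED_TRAILING = 4, 1


def find_overlaps(candidate, in_use):
    """Return every range already in use (on-premises or in other VNets) that overlaps the
    proposed VNet address space. A non-empty result means: pick another range now, or
    recreate the VNet later when a VPN or VNet-to-VNet connection is needed."""
    cand = ipaddress.ip_network(candidate)
    return [r for r in in_use if cand.overlaps(ipaddress.ip_network(r))]


def carve_subnets(address_space, requests):
    """First-fit allocation of subnets with the requested prefix lengths, in address order.
    requests is a list of (subnet name, prefix length). Raises ValueError when out of space."""
    free = [ipaddress.ip_network(address_space)]
    allocated = {}
    for name, prefixlen in requests:
        idx = next((i for i, b in enumerate(free) if b.prefixlen <= prefixlen), None)
        if idx is None:
            raise ValueError(f"no room for {name} (/{prefixlen}) in {address_space}")
        block = free.pop(idx)
        while block.prefixlen < prefixlen:
            # Split in half, keep the lower half, and return the upper half to the free
            # list at the same index so the free list stays sorted by address.
            block, upper = block.subnets(prefixlen_diff=1)
            free.insert(idx, upper)
        allocated[name] = block
    return allocated


def usable_hosts(subnet):
    """Addresses a VM or ILB front end can actually take after Azure's reservations."""
    net = ipaddress.ip_network(subnet)
    return max(net.num_addresses - RESERVED_LEADING - RESERVED_TRAILING, 0)


def static_ip_is_valid(ip, subnet):
    """A static private IP must lie inside the VM's subnet and avoid the reserved addresses."""
    net, addr = ipaddress.ip_network(subnet), ipaddress.ip_address(ip)
    if addr not in net:
        return False
    reserved = {net.network_address + i for i in range(RESERVED_LEADING)} | {net.broadcast_address}
    return addr not in reserved


if __name__ == "__main__":
    # Constructed inventory: on-premises ranges and an existing hub VNet.
    in_use = ["10.0.0.0/16", "172.16.0.0/12", "192.168.10.0/24"]
    for proposal in ("10.0.128.0/17", "10.1.0.0/16"):
        print(proposal, "overlaps", find_overlaps(proposal, in_use) or "nothing")
    plan = carve_subnets("10.1.0.0/16", [("frontend", 24), ("backend", 24), ("GatewaySubnet", 27)])
    for name, net in plan.items():
        print(f"{name:14} {net}  usable hosts: {usable_hosts(net)}")
    print("10.1.0.1 valid static IP?", static_ip_is_valid("10.1.0.1", plan["frontend"]))
```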

Planning for Name Resolution
Name Resolution Scenarios

  • VMs in the same cloud service. VMs can resolve the names of all other VMs in the same cloud service automatically by using the internal Azure name resolution.
  • VMs in the same VNet. If the VMs are in different cloud services but within a single VNet, those VMs can resolve IP addresses for each other by using the internal Azure name resolution service and their Fully Qualified Domain Names (FQDNs). This is supported only for the first 100 cloud services in the VNet. Alternatively, use your own DNS system to support this scenario.
  • Between VMs in a VNet and on-premises computers. To support this scenario you must use your own DNS system.
  • Between VMs in different VNets. To support this scenario you must use your own DNS system.
  • Between on-premises computers and public endpoints. If you publish an endpoint from a VM in an Azure VNet, the Azure-provided external name resolution service will resolve the public VIP. This also applies for any internet-connected computers that are not on your premises.

Reading #5 – Microsoft Azure Managing Virtual Machines

Managing Virtual Machines

There are various options for managing Azure VMs; some are available for all platforms, and others just for Windows or Linux VMs.

Virtual Machine Agents and Virtual Machine Extensions
VM Agent Extensions are software components that extend the VM functionality and management operations.
The VM Agent is a lightweight process intended to bootstrap these additional extensions.

More:
VM Agent and Extensions – Part 1 and Part 2

Azure Cross-Platform Command-Line Interface
Azure CLI 2.0 provides a set of open source, cross-platform commands for working with Azure.

Azure PowerShell
Azure PowerShell provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources.

Remote Desktop Protocol
Remote Desktop Protocol (RDP) enables Windows administrators to establish a graphical user interface session with an Azure virtual machine.

Secure Shell
When creating a Linux VM, you enable Secure Shell (SSH); you can then connect from a Windows client over the SSH protocol using PuTTY.

Configuration Management Tools

Deploying and maintaining the desired state of your servers and application resources can be tedious and error prone. Azure supports several configuration management systems.

Desired State Configuration (DSC)
With Azure Automation Desired State Configuration (DSC), you can consistently deploy, reliably monitor, and automatically update the desired state of all your IT resources, at scale, from the cloud. DSC is a VM agent extension and works on both Windows and Linux. DSC supports ARM templates, Azure PowerShell, and Azure CLI.

Chef and Puppet
Chef and Puppet are popular Linux configuration management tools that let you automate the entire lifecycle of your Azure infrastructure.

Ansible
Ansible is an open source, agentless automation tool that automates software and OS feature provisioning, configuration management, and application deployment.

Monitoring and Diagnostics

The administrator enables and configures VM diagnostics from the Monitoring area of the new portal VM blade.
An administrator can enable diagnostic logging for:

  • Basic metrics
  • Network and web metrics
  • .NET metrics
  • Windows event system logs
  • Windows event security logs
  • Windows event application logs
  • Diagnostic infrastructure logs

More on Azure Diagnostics.

Alerts

You can receive an alert based on monitoring metrics or events. When the value of an alert rule crosses an assigned threshold, the alert rule becomes active and can send a notification.

Reading #4 – Microsoft Azure Virtual Machine Disk

Virtual Machine Disk Types

All Azure virtual machines have at least two disks – a Windows operating system disk and a temporary disk. Virtual machines also can have one or more data disks. All disks are stored as VHDs and the maximum capacity is 1023 gigabytes (GB).

Overview of Virtual Machine Disks

Operating System Disks
Every virtual machine has one attached operating system disk. It’s registered as a SATA drive and labelled as the C: drive by default.

Temporary Disk
Every virtual machine has a temporary disk that is automatically created for you. On Windows virtual machines, this disk is labelled as the D: drive by default and it is used for storing pagefile.sys. For more information on how Azure uses the temporary disk, see Understanding the temporary drive on Microsoft Azure Virtual Machines.

Data Disks
Every virtual machine can have data disks to store application data, or other data you need to keep. Data disks are registered as SCSI drives and are labelled with a letter that you choose. The size of the virtual machine determines the size of the temporary disk and the maximum number of data disks you can attach. Data disks are stored as blobs in an Azure storage account.

To use Premium storage, you’ll need a DS-series, FS-series, or GS-series virtual machine. You can use disks from both Premium and Standard storage accounts with these virtual machines. Premium storage is only available in certain regions.

Storage spaces can be used to combine multiple disks into a single larger high-performance volume.

Importing and Exporting Disks

If you want to move on-premises data to Azure Storage (or vice versa), there are a variety of ways to do this. One way is the Azure import and export service.

This service is suitable in situations where you want to transfer several TBs of data to or from Azure, but uploading or downloading over the network is not feasible due to limited bandwidth or high network costs.

Scenarios where this would be useful include:

  • Migrating data to the cloud. Move large amounts of data to Azure quickly and cost effectively.
  • Content distribution. Quickly send data to your customer sites.
  • Backup. Take backups of your on-premises data to store in Azure blob storage.
  • Data recovery. Recover large amounts of data stored in blob storage and have it delivered to your on-premises location.

Additional reading
Azure Blob storage

Reading #3 – Microsoft Azure – Configuring Virtual Machines

IP Addressing

Public IP addresses: Used for communication with the Internet, including Azure public-facing services, like SQL Services. You can associate public IP addresses with virtual machines, internet facing load balancers, VPN gateways, and application gateways.

Private IP addresses: Used for communication within an Azure virtual network (VNet), and your on-premises network when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure. You can associate private IP addresses with virtual machines, internal load balancers, and application gateways.

There are two IP allocation methods in Azure:
Dynamic
Default method for both private and public IP
Address is allocated when resource is created
Address is released when resource is stopped
IP address can change if the resource is stopped and started.

Static
IP address does not change
Public IP addresses are not released until the IP address type is changed to Dynamic or the resource is deleted
You cannot determine a public IP address in advance
For a private IP address, you need to specify a valid IP address that is part of the virtual machine’s subnet

Availability Sets

An availability set helps Azure maintain high availability and fault tolerance when deploying and upgrading applications.
Best practices when creating Availability sets

  • For redundancy, configure multiple virtual machines in an Availability Set.
  • Configure each application tier into separate Availability Sets.
  • Combine a Load Balancer with Availability Sets.

Manage the availability of Windows virtual machines in Azure
Manage the availability of Linux virtual machines
SLA for Virtual Machines is in place for availability sets.

Update and Fault Domains
Update Domains and Fault Domains help Azure maintain high availability and fault tolerance when deploying and upgrading applications.
Azure concepts – Update Domain vs Fault Domain in Availability Sets – simply explained

Scale Sets

Virtual machine scale sets are an Azure Compute resource you can use to deploy and manage a set of identical VMs. With all VMs configured the same, VM scale sets are designed to support true auto-scale – no pre-provisioning of VMs is required – and as such makes it easier to build large-scale services targeting big compute, big data, and containerized workloads.

Scale Sets are often integrated with Azure Insight, Load Balancer and NAT rules. Azure Insight is used to measure when to scale up or scale down. The load balancer and NAT rules work together to spread the workload over the available machines as they are added.

General guidance

  • A scale set supports up to 1,000 VMs. See Working with large virtual machine scale sets
  • These scale sets are automatically created with load balancer NAT rules to enable SSH or RDP connections.
  • Consider using Azure Premium Storage instead of Azure Storage for faster, more predictable VM provisioning times and improved I/O performance.
  • You can set the maximum, minimum and default number of VMs, and define triggers – action rules based on resource consumption.
  • When you increase the number of virtual machines in a scale set, VMs are balanced across update and fault domains to ensure maximum availability. Similarly, when you scale in, VMs are removed with maximum availability in mind.

Azure Resource Explorer

Azure Resource Explorer is a great tool to view and modify the resources of the virtual machines in a scale set. The tool is web-based and uses your Azure portal logon credentials. The source for the Resource Explorer tool is available on GitHub.

Additional reading
Azure virtual network
Load Balancers
VPN Gateways
Application gateways
Virtual Machine Scale Sets

Reading #2 – Microsoft Azure Creating Virtual Machines

Creating Virtual Machines

1. Planning Considerations
Storage: How much, where, and in what configuration
Disk: Sizing, persistence and caching.
Compute: Capacity required.
Availability: Uptime requirements, geo-distribution, service level agreements, and accessibility.
Cost: Azure services, such as storage and compute.
Azure pricing; Online Pricing Calculator tool

2. Methods for Creating Virtual Machines
A. Create a Windows virtual machine with the Azure portal
B. Create a Windows virtual machine from an Azure Resource Manager template

C. Create a Windows virtual machine with PowerShell
D. Build, manage, and deploy VMs with the Azure Tools for Visual Studio and the Azure SDK
E. Create a Linux virtual machine with the Azure CLI

3. Whatever the method, these are the basic steps for deploying a virtual machine:
A. Select an image or disk to use for your new virtual machine.
B. Provide required information such as host name, user name, and password for the new virtual machine.
C. Provide optional information like domain membership, virtual networks, storage account, cloud service, and availability set.
D. Provision the machine.

4. Creating Virtual Machines from the Marketplace
Alternatively, you can upload a custom image from an on-premises virtual machine.
Steps to create Virtual Machines (using Custom Images)
On-premises:
1. Prepare the VM. Identify the virtual machine that you would like to use in Azure. Make sure the virtual machine has all the roles and features installed that you need. Run Sysprep to prepare the machine.
2. Prepare the VM VHD. Locate the underlying VHD that the virtual machine is using. In Azure, you can only use generation 1 virtual machines that are in the VHD file format. There are utilities to convert VHDX and VMDK file formats to VHD.
In Azure:
3. Create the storage container. You need a storage account in Azure to store the uploaded VM image. You can either use an existing storage account or create a new one.
4. Upload the VHD. Use the Add-AzureRmVhd cmdlet to upload the image to a container in your storage account.
5. Create a VM using the uploaded VHD.

Additional references
Manage Linux virtual machines from Windows environments using Bash on Windows
Bash on Windows on GitHub

Reading #1 – Microsoft Azure Introduction to Microsoft Azure Virtual Machines

Introduction to Microsoft Azure Virtual Machines

  1. Amazon Web Services in Plain English

  2. AWS to Azure services comparison

  3. What Linux Software is supported on Azure?

  4. What Windows Server Software is Supported?

  5. Azure Virtual Machine Readiness Assessment.

  6. Microsoft Azure Virtual Machine Optimization Assessment tool.

  7. What Virtual Machines Sizes are Available?
    VM Sizes
    Linux Virtual Machine Sizing
    Virtual Machines Pricing.
    Azure Pricing Calculator.

  8. Azure subscription and service limits, quotas, and constraints