Azure RM port forwarding - azure

I am testing azure right now and have some problems.
I am using the new Azure portal (Resource Manager). How do I add a static IP to my network and forward ports to different VMs? Then how do I add a static IP on my "Network Interface"?
I can't assign this interface to a VM, because it says that only a dynamic IP can be assigned, and a static IP can only be assigned to a load balancer. I have created a load balancer, added a static public IP, but then I try to add a Virtual Machine and it asks me to define an availability set. But I do not have an availability set. So I have created an Availability Set, but now I cannot add the virtual machine to the availability set, because the PowerShell cmdlet is only for classic VMs, and there is no cmdlet for Resource Manager VMs.
So I have only two questions:
How can I add a static Public IP in my Azure RM network (so that the IP address never changes) and forward ports to Azure RM VMs in my private network? Because there will be an Exchange server and a web server, and I need to forward basic ports to them.
If the answer to the previous question is "Load balancer", then how can I move Azure RM VMs to an Availability Set? Do I have to recreate the Virtual Machine? What if there is important data?

I have been investigating some aspects of this as I move from Classic VMs (ASM) to ARM.
The documentation isn't clear or very complete, and this being Azure it will probably be different in a month's time. But, today....
A static public IP can only be assigned to a load balancer, not an individual VM. Search for "Reserved IP Address" in the following article where it states "Static Public IPs can only be assigned to a Load balancer right now.":
https://azure.microsoft.com/en-gb/documentation/articles/virtual-machines-azurerm-versus-azuresm/
(EDIT: Noticed that in portal.azure.com there is a switch on each public IP resource to change it from dynamic to static - though I haven't tested this).
Port forwarding definitely requires a load balancer. See the comments at the bottom of this article where I asked this exact question and Microsoft replied confirming this:
https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-arm-powershell/
Basic VMs cannot use a load balancer today:
https://azure.microsoft.com/en-gb/pricing/details/load-balancer/
I also read somewhere (can't find the link now) that under a load balancer, there are some restrictions about which machines can be grouped together (based around sizing). From memory I think A0 to A4 could be grouped for example, then say A5 to A8 could be, but say A0 and A7 couldn't be.
The following page states "Currently with Resource Manager, you can only add a virtual machine to an availability set during its creation.":
https://azure.microsoft.com/en-gb/documentation/articles/virtual-machines-ps-create-preconfigure-windows-resource-manager-vms/
If you need an Availability Set, then you may need to delete and recreate the VM. You should be able to delete the VM but keep the VHDs, then recreate the VM with the existing VHDs so as not to lose data.
As well as the links above, I have also found the following helpful:
http://blogs.msdn.com/b/cloud_solution_architect/archive/2015/05/05/creating-azure-vms-with-arm-powershell-cmdlets.aspx
http://blogs.technet.com/b/parallel_universe_-_ms_tech_blog/archive/2015/11/04/deploy-a-vm-with-azure-powershell-preview-1-0-cmdlets.aspx
Hope that helps.
Chris
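The two procedures in the answer above (a static public IP with port forwarding through an ARM load balancer, and rebuilding a VM into an availability set from its existing disk) as one added example. It is not code from the original post; it uses the current Az PowerShell module rather than the 2015 AzureRM preview cmdlets the answer links to, and the resource group, region, resource names, ports and the use of managed disks are all assumptions. Note that ARM today also allows a static public IP directly on a NIC, but port forwarding to several VMs behind one address still needs the load balancer's inbound NAT rules, which is the route shown.

```powershell
# Added example (not from the original post). Assumes the Az module, an existing
# vnet "vnet-lab" with subnet "default", and NICs "nic-web" and "nic-exchange".
$rg       = "rg-lab"
$location = "westeurope"

# 1. Static public IP: allocated once and kept for the life of the resource.
#    Standard SKU public IPs are always static and are required by a Standard LB.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-frontend" `
    -Location $location -AllocationMethod Static -Sku Standard

# 2. Load balancer with one frontend and one inbound NAT rule per forwarded port.
#    FrontendPort is what the Internet connects to; BackendPort is what the VM listens on.
$frontend = New-AzLoadBalancerFrontendIpConfig -Name "fe-public" -PublicIpAddress $pip
$natWeb   = New-AzLoadBalancerInboundNatRuleConfig -Name "nat-https-web" `
    -FrontendIpConfiguration $frontend -Protocol Tcp -FrontendPort 443 -BackendPort 443
$natSmtp  = New-AzLoadBalancerInboundNatRuleConfig -Name "nat-smtp-exchange" `
    -FrontendIpConfiguration $frontend -Protocol Tcp -FrontendPort 25 -BackendPort 25
$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name "lb-frontend" -Location $location `
    -Sku Standard -FrontendIpConfiguration $frontend -InboundNatRule $natWeb, $natSmtp

# 3. A NAT rule forwards to exactly one NIC IP configuration; bind each rule to its VM.
$webNic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "nic-web"
$webNic.IpConfigurations[0].LoadBalancerInboundNatRules.Add(
    ($lb.InboundNatRules | Where-Object Name -eq "nat-https-web"))
$webNic | Set-AzNetworkInterface | Out-Null

# 4. Availability set membership is fixed at VM creation, so: record the old VM,
#    delete it (Remove-AzVM leaves managed disks and NICs in place), then rebuild
#    it from the same OS disk with -CreateOption Attach. Data on the disk is kept.
$avset = New-AzAvailabilitySet -ResourceGroupName $rg -Name "avset-mail" -Location $location `
    -Sku Aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 5
$old = Get-AzVM -ResourceGroupName $rg -Name "vm-exchange"
Remove-AzVM -ResourceGroupName $rg -Name "vm-exchange" -Force
$osDisk = Get-AzDisk -ResourceGroupName $rg -DiskName $old.StorageProfile.OsDisk.Name
$nic    = Get-AzNetworkInterface -ResourceGroupName $rg -Name "nic-exchange"
$nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add(
    ($lb.InboundNatRules | Where-Object Name -eq "nat-smtp-exchange"))
$nic | Set-AzNetworkInterface | Out-Null

$vm = New-AzVMConfig -VMName "vm-exchange" -VMSize $old.HardwareProfile.VmSize -AvailabilitySetId $avset.Id
$vm = Set-AzVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -CreateOption Attach -Windows
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm

# Checks: allocation method of the frontend address, and which NIC each NAT rule lands on.
(Get-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-frontend").PublicIpAllocationMethod
(Get-AzLoadBalancer -ResourceGroupName $rg -Name "lb-frontend").InboundNatRules |
    Select-Object Name, FrontendPort, BackendPort,
        @{ n = "Nic"; e = { $_.BackendIPConfiguration.Id.Split("/")[8] } }
```

A Standard SKU load balancer is closed by default: traffic arriving through a NAT rule is still dropped unless a network security group on the NIC or subnet explicitly allows the backend port, so add an NSG rule for 443 and 25 from the sources you actually want, not from "Internet" wholesale.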

Related

Creating a lab using Azure Lab Services with no Public IP

I am considering using Azure Lab Services and I'm trying to find a way to create everything in it with no Public IPs, but I can't find a way.
I noticed I can make the VMs from each lab use a private IP using a peered VNet with a selected address space, but when I create a lab it creates the Template VM with a Public IP, so I tried to search for a way to change it, but there were no options for changing it either on the Azure Lab Services site or in the infrastructure. I thought maybe using Azure CLI I could create a Lab using Azure Lab Services with no Public IP, but this is all the CLI PowerShell commands I found.
I'd be really grateful if anyone knows if there's a way to create a Template VM without a Public IP or if there isn't yet I'd like to know it too.
This is by design in Azure Lab Services. Azure Lab Services is a SaaS solution, which means that the resources needed by Lab Services are handled for you. The lab account is hosted in your subscription. The student VMs, along with the resources needed to support the VMs are hosted in a subscription owned by Lab Services. Here is the basic architecture:
Each organization or school will set up their own network in a way that best fits their needs. Because Azure Lab Services runs in the public cloud, some extra configuration may be needed to allow students to access their VM when connecting from the campus network, like setting firewall rules that block RDP or SSH connections to machines outside their own network.
So, each lab uses a single public IP address and multiple ports. All VMs, both the template VM and student VMs, will use this public IP address. The public IP address will not change for the life of the lab. However, each VM will have a different port number. The port numbers range from 49152 to 65535. The combination of public IP address and port number is used to connect instructor and students to the correct VM.
Here are some more FAQs about Azure Lab Services.
Creating a lab that uses a private IP is now possible with the April 2022 Update of Azure Lab Services, with some caveats. An advanced networking feature called vnet-injection allows users to have more control over the network used for the lab.
You can see advanced networking architecture diagram in the using shared server article. (Sorry, I can't post images yet.)
You would need to:
Create a virtual network in your subscription.
Create a subnet that is delegated to Microsoft.LabServices/labplans.
Create a lab plan with advanced networking and connect it to previously created subnet.
Create lab using the previous lab plan.
Update NSG to deny traffic through public ip.
CAVEAT: The 'connect' button on the Azure Lab Services website will no longer work for students. (Known issue on the team's backlog.) You will need to provide a separate .rdp file for students to use. It would contain something like:
full address:s:10.0.0.1:3389
prompt for credentials:i:1
administrative session:i:1
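The five vnet-injection steps listed in the answer above, scripted as an added example with the Az PowerShell module (this is not code from the original answer or from the Lab Services team). The resource group, region, address ranges, the campus source range 203.0.113.0/24 and the private VM address are constructed for the example, and the Az.LabServices cmdlet and its -DefaultNetworkProfileSubnetId parameter are an assumption to be checked against the installed module; the lab itself (step 4) is still created from the plan in the Lab Services portal.

```powershell
# Added example (not from the original answer). Assumes the Az and Az.LabServices modules.
$rg       = "rg-labs"
$location = "westeurope"
$campus   = "203.0.113.0/24"   # constructed: the range students connect from

# Steps 1-2: virtual network with a subnet delegated to Microsoft.LabServices/labplans.
$delegation = New-AzDelegation -Name "labplans" -ServiceName "Microsoft.LabServices/labplans"
$subnet = New-AzVirtualNetworkSubnetConfig -Name "snet-labs" -AddressPrefix "10.0.0.0/24" `
    -Delegation $delegation
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-labs" -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$subnetId = ($vnet.Subnets | Where-Object Name -eq "snet-labs").Id

# Step 3: lab plan with advanced networking pointed at that subnet
# (cmdlet and parameter name assumed from the Az.LabServices module).
$plan = New-AzLabServicesLabPlan -ResourceGroupName $rg -Name "plan-private" -Location $location `
    -DefaultNetworkProfileSubnetId $subnetId

# Step 4: create the lab from "plan-private" in the Lab Services portal.

# Step 5: NSG on the delegated subnet. Lower Priority wins, so the campus allow
# rule is evaluated before the deny from the "Internet" service tag. With
# vnet-injection the platform still NATs its public port range to 3389/22 on the
# VM, which is why the rules match those destination ports.
$allowCampus = New-AzNetworkSecurityRuleConfig -Name "allow-rdp-ssh-campus" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp -SourceAddressPrefix $campus `
    -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange 3389, 22
$denyInternet = New-AzNetworkSecurityRuleConfig -Name "deny-rdp-ssh-internet" -Priority 200 `
    -Direction Inbound -Access Deny -Protocol Tcp -SourceAddressPrefix "Internet" `
    -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange 3389, 22
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-labs" -Location $location `
    -SecurityRules $allowCampus, $denyInternet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-labs" -AddressPrefix "10.0.0.0/24" `
    -Delegation $delegation -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Caveat from the answer: the portal Connect button stops working, so generate the
# .rdp file students use instead, pointing at the VM's private address.
@"
full address:s:10.0.0.1:3389
prompt for credentials:i:1
administrative session:i:1
"@ | Set-Content -Path ".\lab-vm.rdp"

# Check: confirm the delegation and NSG association on the subnet.
Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-labs" |
    Get-AzVirtualNetworkSubnetConfig -Name "snet-labs" |
    Select-Object Name, @{ n = "Delegation"; e = { $_.Delegations.ServiceName } },
        @{ n = "Nsg"; e = { $_.NetworkSecurityGroup.Id.Split("/")[-1] } }
```

Because the students now reach 10.0.0.1 directly, that private address must be routable from the campus (VNet peering, VPN or ExpressRoute); the deny rule only makes sense once that path exists, otherwise nobody can connect at all.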

Adding existing Azure VMs (classic) to a virtual network

On Azure, I have a two-VM set (both classic), whereby my web application resides on one VM, my database on another. Both map to the same DNS and belong to the same Resource Group, but both are acting as standalone cloud services at the moment. Let me explain: currently the web application communicates with the database over the public DNS. However, I need them to be on the same lan, so I can de-risk security and improve latency.
I know for a fact that they're not part of a virtual network because when I try to affix a static private IP to my database VM, I'm shown the following prompt in the portal:
This virtual machine can't be configured with a static private IP
address because it's not deployed in a virtual network.
How should I proceed to fix this misconfiguration and what should my next concrete step be? The website is live, and I don't want to risk service interruption. Ideally, both VMs should be in the same virtual network, and should communicate with each other via a static internal IP. Please forgive my ignorance. Any help would be greatly appreciated.
I guess I'll be the bearer of bad news. You have to delete both VMs while keeping the VHDs in the storage account, then recreate the VMs (reattaching the disks) in the Virtual Network.
Since these are Classic VMs you can use the old Portal when re-creating them. You'll find the VHDs under "My Disks" in the VM creation workflow.
Alternatively, just restrict the inbound access with an ACL on the database Endpoint. Allow the VIP of the first VM and deny everything else. This is good enough for almost any scenario, since if your Web Server gets compromised it's game over. It makes no difference how they exfiltrate stuff off your database (over a VNET or over VIP).
Here's the relevant documentation page for setting up Endpoint ACLs:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-classic-setup-endpoints/
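The endpoint ACL alternative from the answer above, as an added example (not code from the original answer), using the classic (ASM) Azure PowerShell module that those VMs are managed with. Cloud service names, the VM and endpoint names and the region are assumptions. The check a practitioner wants here: the ACL permits the web tier's cloud service VIP, and a classic VIP that is not reserved is released when every VM in that service is deallocated, so the VIP is reserved first or the ACL will one day lock out the web tier.

```powershell
# Added example (not from the original answer). Classic Azure module, assumed names.
$webService = "mywebapp"   # cloud service hosting the web VM
$dbService  = "mydb"       # cloud service hosting the database VM
$dbVm       = "db01"
$dbEndpoint = "SQL"        # existing endpoint exposing 1433 on the database VM
$location   = "West Europe"

# Outbound calls from the web VM leave through its cloud service VIP, so that is the
# source address the database endpoint sees. Pin it before building an ACL on it.
$webVip = (Get-AzureDeployment -ServiceName $webService -Slot Production).VirtualIPs[0].Address
New-AzureReservedIP -ReservedIPName "webapp-vip" -Location $location -ServiceName $webService

# Build the ACL: rules are applied in Order; the explicit deny-all documents intent
# (once any Permit rule exists, unlisted sources are denied anyway).
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule Permit -RemoteSubnet "$webVip/32" -Order 100 -ACL $acl -Description "web tier"
Set-AzureAclConfig -AddRule Deny   -RemoteSubnet "0.0.0.0/0"  -Order 200 -ACL $acl -Description "deny all"

# Apply it to the database endpoint. Update-AzureVM pushes the new role configuration.
Get-AzureVM -ServiceName $dbService -Name $dbVm |
    Set-AzureEndpoint -Name $dbEndpoint -ACL $acl |
    Update-AzureVM

# Check: the ACL now attached to the endpoint, and that the reserved VIP matches it.
Get-AzureVM -ServiceName $dbService -Name $dbVm | Get-AzureAclConfig -EndpointName $dbEndpoint
Get-AzureReservedIP -ReservedIPName "webapp-vip" | Select-Object ReservedIPName, Address, ServiceName
```

Even with the ACL in place the database traffic still traverses the public VIP, so the connection itself should be encrypted (TLS for SQL Server); the ACL limits who can reach the port, not what an on-path observer sees.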

How do I safely access one Azure VM from another within a Cloud Service and Availability Set

I have an Azure Cloud Service, mywebapp.cloudapp.net, that consists of two Azure VMs - mywebappvm1 and mywebappvm2. Both VMs are in the same Availability Set and have the same DNS name.
I also have a Regional Reserved IP address assigned to the Cloud Service so that I can give our clients a guaranteed IP address that our app uses.
Part of the app uses a private background process, currently only running on one of the VMs. I want to be able to make a connection to that process over TCP running on mywebappvm1 from mywebappvm2. I could use the public IP and an endpoint on mywebappvm1 but I don't want the background service to be publicly accessible.
I'm currently using the private IP address, but is that safe? Will the private IP of each VM change if it's rebooted? I can't see an easy way of fixing the private IP of each VM - that seems like something you can do with a VNET but I can't find any information on how to do it with a cloud service and an availability group as well.
Is there perhaps another way to run a web app on multiple load-balanced VMs within an availability set that would make this easier?
What you do is absolutely safe and actually a recommended best practice. You should not go out to public IP address in order to communicate between the Virtual Machines.
It is also a recommended best practice to organize your Virtual Machines into a Virtual Network and subnets.
This excellent blog post describes how you can even use static IP addresses for the VMs, so you are always 100% sure that mywebappvm1 always gets XXX.XXX.XXX.XXX IP Address and your mywebappvm2 always gets YYY.YYY.YYY.YYY IP Address.
Please note that if you do not use Static IP Address assigned to the VM, it is guaranteed that the IP Address of the VM may change.
The IP for a webRole VM instance will not change for the lifetime of the deployment regardless of reboot, update or swapping. The IP will be released only if you delete the deployment, detailed here
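Pinning the private (internal) IP of each classic VM, the static-IP step the answer above points to a blog post for, as an added example that is not code from the original answer. It uses the classic (ASM) module's Set-AzureStaticVNetIP; the cloud service and VNet names and the two addresses are assumptions, and both VMs must already be deployed into the virtual network (a VM in a bare cloud service, as in the question, has to be recreated into a VNet first).

```powershell
# Added example (not from the original answer). Classic Azure module, assumed names.
$service = "mywebapp"
$vnet    = "vnet-prod"
$wanted  = @{ "mywebappvm1" = "10.1.0.10"; "mywebappvm2" = "10.1.0.11" }

foreach ($name in $wanted.Keys) {
    $ip = $wanted[$name]
    # Test-AzureStaticVNetIP reports whether the address is free in the VNet and,
    # if not, lists alternatives in AvailableAddresses.
    $probe = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $ip
    if (-not $probe.IsAvailable) {
        throw "$ip is already taken; free addresses: $($probe.AvailableAddresses -join ', ')"
    }
    # Reserve the DIP for the VM. Update-AzureVM applies the change and can restart the VM.
    Get-AzureVM -ServiceName $service -Name $name |
        Set-AzureStaticVNetIP -IPAddress $ip |
        Update-AzureVM
}

# Check: the DIP each VM currently holds next to the static reservation on it.
Get-AzureVM -ServiceName $service |
    Select-Object Name, IpAddress, @{ n = "StaticIP"; e = { (Get-AzureStaticVNetIP -VM $_).IPAddress } }
```

With the DIPs fixed, mywebappvm2 can point at 10.1.0.10 for the background process and no endpoint for it needs to exist on the public VIP at all.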

Azure Reserved IP Address Inconsistency

I had a need to add additional public IP addresses to an Azure VM and found a working solution here:
Azure VM: More than one Public IP
Essentially this creates a reserved IP in Azure and then adds the reserved IP to a cloud service. Once it's bound to a cloud service it can be mapped to a VM endpoint.
This all works great but there is one bit I don't understand - The IP address of the reserved IP and the resultant VM endpoint don't match. I have to set up DNS to point to the IP address of the endpoint to make this work. Is there something I am not doing right, or is this just the way reserved VMs work?
It looks like this unanswered question is the same issue:
azure reserved IP for VM is different than the given
Thanks!
The "Azure Cloud Service" is a container that provides internet connectivity to "Azure VMs". Thus, you assign the Internet facing Public IP to the Cloud Service. This article is relatively good at explaining the relationship: Azure Cloud Services
From above link:
Here’s a definition of an Azure IaaS cloud service that will make it easy for you to understand what it is in the context of Azure Infrastructure Services:
A cloud service is a network container where you can place virtual machines.
All virtual machines in that container can communicate with each other directly through Azure (and therefore don’t have to go out to the Internet to communicate with each other).
This container is also assigned a DNS name that is reachable from the Internet.
A rudimentary DNS server is created and can provide name resolution for all virtual machines within the same cloud service container (note that name resolution provided by the DNS server is only available to the virtual machines that are located within the cloud service).
One or more Virtual IP Addresses (VIPs) are assigned to the container and these IP addresses can be used to allow inbound connections from the Internet to the virtual machines.
Certain services (like FTP) may require your vm have a public IP: Azure VM Public IP
(IaaS v1) An Azure cloud service comes with a permanent DNS name - something.cloudapp.net - and has a single VIP allocated whenever there are VMs deployed in it OR whenever a reserved IP address is associated with it. Traffic is either load balanced or NATted (port forwarded) to the VM from the Azure Load Balancer sitting on the VIP. You can also associate a public instance-level IP address (PIP) with a VM, which gives it an additional IP address. The VIP always has a DNS name (something.cloudapp.net) while the PIP has one only if you specifically add it, I did a post which goes into these differences.
(IaaS v2) VMs are not deployed into cloud services and only have a public IP address if one is specifically added - either by configuring a PIP on the NIC of the VM (and optionally giving it a cloudapp.azure.com DNS name) or by configuring a load balancer and either load balancing or NATting traffic to it. This load balancer is configured with a public IP address and can optionally have a cloudapp.azure.com DNS name associated with it. (Ignoring internal load balancers in this discussion.)

azure multiple public ip for a vm

I want to have three public ip addresses for my VM in azure. I got one when I created the VM and now I want to assign two reserved ip addresses to my VM. I was able to create the reserved ip address but not sure how to assign them to existing VM or assign multiple to a new VM. Any suggestions on how to do this?
In Azure, a Load Balancer is required in order to direct traffic from multiple VIP addresses to a single (or multiple) VMs.
If, for example, you want a single VM to host multiple websites, all of which need to be accessible externally via port 443, you'd need three VIP addresses assigned to the Load Balancer, with a NAT on at least two of the VIPs, i.e.
Site a: Incoming 443-443 to VM
Site b: Incoming 443-444 to VM
Site c: Incoming 443-445 to VM
All the traffic from the Load Balancer could then be routed to one VM, where you'd direct traffic to the required website based on the incoming port. This MS article explains it really well: https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-multivip/
Reserved IP addresses are a way of ensuring that your VIP is no longer dynamic, which they are by default. The following article explains it well, including how to take an existing Cloud Service's currently-running dynamic VIP and making it static (Reserved): https://azure.microsoft.com/en-gb/documentation/articles/virtual-networks-reserved-public-ip/
An Azure VM can have two public IP addresses - one is the VIP of the cloud service containing the VM (as long as there are endpoints configured for the VM) and the other is the PIP (or public instance IP address) associated with the VM. A reserved IP address is an orthogonal concept to VIPs and PIPs and its use is documented here. I did a post on VIPs, DIPs and PIPs that you may find helpful.
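One added example serving both the reserved-IP thread above (why the endpoint address is the cloud service VIP, and how to make it permanent) and this one (three public addresses on one classic VM, each mapping public 443 to a different local port). It is not code from the original answers; it uses the classic (ASM) module's multi-VIP cmdlets, and the cloud service, VM, VIP names and region are assumptions.

```powershell
# Added example (not from the original answers). Classic Azure module, assumed names.
$service  = "mywebapp"
$vmName   = "web01"
$location = "West Europe"

# The deployment already has its default VIP; add two more to the cloud service.
Add-AzureVirtualIP -VirtualIPName "vip-siteb" -ServiceName $service
Add-AzureVirtualIP -VirtualIPName "vip-sitec" -ServiceName $service

# One endpoint per site: public 443 on a distinct VIP, NATted to its own LocalPort on
# the VM, so the web server binds site A to 443, site B to 444 and site C to 445.
Get-AzureVM -ServiceName $service -Name $vmName |
    Add-AzureEndpoint -Name "siteb-https" -Protocol tcp -PublicPort 443 -LocalPort 444 -VirtualIPName "vip-siteb" |
    Add-AzureEndpoint -Name "sitec-https" -Protocol tcp -PublicPort 443 -LocalPort 445 -VirtualIPName "vip-sitec" |
    Update-AzureVM

# VIPs are dynamic by default and only exist while an endpoint uses them. Reserving
# them in place keeps each address even if the endpoints or VMs are removed.
New-AzureReservedIP -ReservedIPName "rip-sitea" -Location $location -ServiceName $service
New-AzureReservedIP -ReservedIPName "rip-siteb" -Location $location -ServiceName $service -VirtualIPName "vip-siteb"
New-AzureReservedIP -ReservedIPName "rip-sitec" -Location $location -ServiceName $service -VirtualIPName "vip-sitec"

# Check: the addresses DNS must point at are the cloud service VIPs listed here,
# not an instance-level PIP on the VM, which is the mismatch the earlier question saw.
(Get-AzureDeployment -ServiceName $service -Slot Production).VirtualIPs | Select-Object Name, Address
Get-AzureReservedIP | Where-Object ServiceName -eq $service | Select-Object ReservedIPName, Address, ServiceName
```

Each extra VIP is billed as a reserved address once it is reserved, and every endpoint on a VIP is reachable from the whole Internet unless it also carries an endpoint ACL, so add one per endpoint where the site is not meant to be public.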
