Cloud administrators using Microsoft Azure should be familiar with building basic, internal-only VMs. Having to expose a VM to the outside world, however, is a different story.
Azure VMs receive an internal and an external IP address by default. The internal IP address allows all inbound and outbound traffic to use the local network by default. External IPs are assigned an external Dynamic Host Configuration Protocol-allocated IP address. The external Azure VM IP address comes with firewall rules for Remote Desktop Protocol (RDP) or Secure Shell rules that are configured to allow a connection from the outside world for management purposes.
Administrators must expose port 80 (HTTP) to connect a VM to external network traffic.
New administrators commonly let the VM keep its default assigned external IP address when the VM powers on. This is a mistake. When the administrator powers down, reboots or otherwise restarts the VM in question, the machine could lose that external IP address and get assigned a new one. This setup has issues for any sort of robustness. The business's website could disappear on an Azure VM reboot.
The Azure VM IP address can be retained across reboots with a static, reserved IP address. The administrator also can assign this IP address to alternate machines, which provides backup if the machine must be rebuilt. There is a small hourly charge for each reserved Azure VM IP address.
Reserve the Azure VM IP address
To assign an IP address permanently to the Azure subscription, log into the Azure portal (see Figure 1), select the green plus sign for new in the left-hand corner and then click Networking and Public IP address.
Give the IP address a unique name that describes its use (see Figure 2). In this example, the name is TechTargetTestIP. The administrator can then configure the IP address.
IP address assignment is an important selection: The VM needs a static IP address to be persistent.
The Azure DNS label is optional and not used in this example.
The resource group selection is mandatory; a resource group effectively creates a collection of Azure VMs, resources and associated management policies. The administrator can create a new globally unique resource group, as shown in this example. The green check mark seen in the figure confirms this name is unique.
Lastly, select an appropriate location in the availability zone where the VMs for deployment reside. This example uses Azure's East US location for everything.
Assign the Azure VMs to the static IP address
To create Azure VMs with these options, administrators must put the VM in the same region as the reserved static IP address. Also, modify the public IP address section of the VM configuration tab to use the allocated address (see Figure 3).
The resource group selected during VM creation should match the one used in the IP address reservation. Select Use existing, and pick from the drop-down menu.
Before committing the change, select the network security group (NSG) component to reveal network security rules. NSGs are best thought of as firewall rules that can be assigned to Azure VMs, load balancers and networks. A user can assign NSGs to one device or many. To apply one rule to many devices, select the NSG when applying it to other devices.
In this example, we create a new NSG, which is the default selection, rather than join an existing one. The name for a new NSG is the VM's name with -nsg appended (see Figure 4).
The rules are configured on the last pop-out screen. By default, RDP is allowed in from any IP. The outbound rules allow any. To build a web server on the Azure VM with a static IP address, allow port 80 inwards.
It's a fairly trivial task to add port 80 to the allowed rule set. Click Add an inbound rule, and in the additional window that opens, give the rule the name Webserver port 80 (see Figure 5). Set the priority to 100, and select HTTP from the service drop-down list.
To give everyone access, leave the source field set to any. From the Service menu, select HTTP. This will make the rest of the selection for you to allow HTTP inbound traffic. Alternatively, the administrator can customize the setup.
At this point, commit the changes, and build the VM. Log into the VM you've created, and enable the Internet Information Services (IIS) server from the server roles. Then, open a browser, and point it at the external IP address (see Figure 6). From there, an administrator could use that reserved static Azure VM IP address in the appropriate domain name system server, with the appropriate records to have it resolvable globally.
An Azure VM's external IP address is quickly found: Open the VMs blade in the Azure portal, and look at the Public IP address label.
In these steps, we've created a single VM, which is a single point of failure. Now that you can correctly reserve and expose IP addresses to the external world, you can deploy VMs following these best practices. Keep in mind: Azure sets some limitations and quotas for networked VMs.
These same principles apply, for the most part, to load balancing on Azure VMs. The Azure internal load balancer accepts multiple front-end IP addresses, and Microsoft offers Azure VM Scale Sets for stateless workloads with varying demand. Multicloud load balancing requires a different approach.
Dig Deeper on Containers and virtualization
Related Q&A from Stuart Burns
Mistakes happen. Thankfully, in Git, admins have two command options to roll back to a previous commit. Learn more about both here. Continue Reading
Both Ansible and Ansible Tower offer enterprises a wealth of resources for config management, but they aren't equals. Assess their differences in ... Continue Reading
Even though Ansible has its roots in open source software and Linux, is it possible to use the configuration management tool for Windows environments? Continue Reading