Microsoft Azure Virtual Machines and Networking

Azure VMs

VM types and sizes
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes

The only supported virtual hard disk format in Azure is VHD. VHDX is not currently supported.

Note: managed disks are now preferred over the storage accounts used in legacy Classic Azure.

Before migrating VMs to Azure, identify which workloads are supported in a virtual machine. Third-party vendors may only support their software as PaaS rather than IaaS.

VM availability

Two VMs are better than one, i.e. your solution is much better if it is scalable. Try to use VMs in an “availability set”. Servers suitable for availability sets are identical machines file-wise. This gives you high availability in the event of a failure.

Alternatively, if you only want a single virtual machine (for example a domain controller or DNS server), go for solid state (disks with an “s” in the name); Microsoft offer a better SLA for uptime.

Managed Disks or Unmanaged Disks
Managed disks go with the VMs.
Try the Marketplace for machine images.

Scale sets
Scale sets provide VM auto-scaling.

  • Create rules for scaling
  • DSC config
  • Pure compute box with data at the backend
    i.e. stateless workloads
    Suggestion: for stateless servers the backend database won't be SQL; it would be Azure flat-file storage, Azure Cosmos or some read/cache option.

Disk encryption and Azure Key Vault: thoughts
Requirement? Keys are stored in Azure Key Vault (a secure area with no direct access).
But the drives aren't physical, so stealing a physical disk would be very challenging; the disk itself would be hard to locate.

To steal a virtual drive and mount it, would that be an administrator's mistake? A lost or weak admin password?

Networking
Define the DNS server IP.
Define peerings for vNets. This allows routing between vNets.

Public IPs fall into a network security group, which acts as a default firewall. It is purely a basic firewall.

Use the Marketplace to find a third-party firewall to lock down internet-facing servers (fastest option).
Alternatively, route via an on-prem firewall (slowest option) or route via another cloud firewall (second fastest).

Network Security Group
Inbound and outbound security rules

By default, network security groups come with a public IP address and an RDP allow rule.

Network security groups can be assigned to a network card, a subnet or the subnet a load balancer sits within.
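That default RDP allow rule is the one thing worth checking before an NSG sits in front of a public IP. As an added example (not part of the original notes), the script below emulates NSG first-match evaluation over rules in the field shape of `az network nsg rule list -o json` and flags whether TCP/3389 is open to the Internet; the two rule sets at the bottom are constructed, one mirroring the default allow rule and one hardened variant.

```python
"""Audit Azure NSG inbound rules for RDP (TCP/3389) reachable from the Internet.
Rule fields follow the `az network nsg rule list -o json` output (priority, direction,
access, protocol, sourceAddressPrefix/-es, destinationPortRange/-s). Samples are constructed."""

RDP_PORT = 3389
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}  # prefixes covering the whole Internet


def _port_matches(rule, port):
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for rng in ranges:
        if rng == "*":
            return True
        low, _, high = rng.partition("-")          # "3389" or "3000-4000"
        if int(low) <= port <= int(high or low):
            return True
    return False


def _source_covers_internet(rule):
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(p.lower() in INTERNET_SOURCES for p in prefixes)


def effective_rdp_rule(rules):
    """Walk inbound rules by ascending priority number (NSG first match wins) and return
    the first that decides TCP/3389 from an Internet source; None = built-in DenyAllInBound."""
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if rule.get("protocol", "*").lower() not in ("*", "tcp"):
            continue
        if _source_covers_internet(rule) and _port_matches(rule, RDP_PORT):
            return rule
    return None


def rdp_exposed_to_internet(rules):
    rule = effective_rdp_rule(rules)
    return rule is not None and rule.get("access") == "Allow"


# Constructed samples: the portal-style default rule, then a hardened set that denies
# Internet RDP ahead of it and only allows a management range (TEST-NET-3).
DEFAULT_RULES = [
    {"name": "default-allow-rdp", "priority": 1000, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
]
HARDENED_RULES = [
    {"name": "allow-rdp-mgmt", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "deny-rdp-internet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["3389", "22"]},
] + DEFAULT_RULES
```

Feeding it the real CLI output (`json.load` of `az network nsg rule list --include-default -o json`) works unchanged, because only the listed fields are read.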

Cost: networks and network security groups are free.

Create your own route tables. You then have the option to assign routes to a subnet or a virtual machine.

Additionally configure the Windows Firewall settings on a virtual machine.

(My thoughts and opinions are my own. @stephenhackers)