Azure Virtual Machines - building up your Infrastructure in the cloud
Published in Technology

Notes

  • So, someone told us Windows Azure is a great place to start dealing around with Virtual Machines and we created our first Windows/Linux VM. Fantastic, we can RDP/SSH to it and install and configure a web server. But now I open a web browser, type in the name of my VM and it says Connection Timeout! But it works locally! What the heck is wrong?
  • An endpoint defines a public/Internet-facing hole in the (fire)wall which will route specific Internet traffic to your Virtual Machine. An endpoint is defined with a:
    * Protocol, which might be TCP or UDP (web traffic goes over TCP connections)
    * Public port – this is the port number that will be open to the public
    * Private port – this is the port number that Internet traffic will hit your VM at!
    Next is firewall rules. I haven’t checked Oracle Linux images for firewall rules, but other Linux-based images do not have any firewall rules defined at all! On the opposite side are Windows images – every Windows Server installation has a very restrictive default firewall configuration. If you cannot RDP/SSH, do not blame Azure first! Make sure you have defined the proper endpoints required for remote connection! If the endpoints are defined, the chance that there is an issue with the endpoints is extremely low. Something that a lot of people, even experienced ones, often forget is corporate firewalls! Very many corporations block fancy outgoing ports like 1433 (SQL Server!!!), 3389 (RDP), 22 (SSH), 25 (SMTP), 21 (FTP)!!
    Very important! Don’t fool yourself if you cannot PING! The ICMP protocol is blocked at the Windows Azure Load Balancer level! Unless over a VPN, PING to an Azure VM will always time out! This does not mean your server is not reachable or that endpoints are not working.
    Outside-in connectivity check. If you want to test whether an outside-in connection can be established, first make sure you can make outside connections on the desired port to a service you know for sure is running fine! Testing TCP protocols is easy – use the TELNET client (it can be installed on any Windows-based OS from “Add/Remove Windows Features”). Possible hit for IIS – use the cloud service name, not the IP address? Not working with the IP address?
  • OK, you played around with VMs. Created some, tore down some, and now you want to be more sexy by constructing a whole network infrastructure in the cloud. If you are not familiar with Windows Azure, creating a Virtual Network will be the first time you hear about “Affinity Groups”! Do not confuse Affinity Group with Availability Set. And now is a good time to explain the importance of Affinity Groups, what they are and why we care. [Some talk on Affinity Groups, usually on a whiteboard or flip chart] Now that we know more about affinity groups, let’s see what a Windows Azure Virtual Network is.
  • We need a Virtual Network when we need/want:
    * a fixed and/or predictable IP addressing scheme
    * a fixed IP address for our servers
    * to securely and reliably connect more resources, like:
      * connect multiple VM deployments (Cloud Services)
      * connect an Azure VM with an on-premises corporate network
      * connect an Azure VM with your laptop
      * connect an Azure VM with an Azure Platform Services deployment (worker roles / web roles)
  • Notes: The very first question you will have, and the first issue you will meet, is name resolution for Azure VMs.
  • Simple rule of thumb: when your VM is not part of a VNet, Windows Azure provides name resolution for you; when your VM is part of a VNet, you take care of name resolution.
  • Notes: Given that we need to provide name resolution when using a Virtual Network, the next big question is: how to provide a DNS server in IaaS where all IP addresses are DHCP-allocated?
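The outside-in connectivity check described in the endpoint notes above (telnet to a port on a service you know is running, and do not trust PING because ICMP is dropped at the load balancer) can be scripted so the outcome is classified rather than eyeballed. The following is an added example, not code from the presentation or from Microsoft: it performs a single TCP connect and maps the result to the causes the notes list. The two local sockets it spins up are constructed stand-ins for "a service you know for sure is running fine" and for "an endpoint with nothing listening behind it", so the script runs offline; replace the host and port with your cloud service name and public port to use it for real.

```python
import socket

# Interpretation of each outcome, following the speaker notes above
# (endpoints, Windows firewall, corporate firewall, ICMP blocked at the LB).
WHAT_IT_MEANS = {
    "open": "TCP handshake completed: endpoint, host firewall and path are all fine.",
    "timeout": "No answer at all: missing endpoint, a host firewall rule, or a corporate "
               "firewall dropping the outbound port. A failed PING proves nothing here.",
    "refused": "Something answered with RST: the port is reachable but nothing is "
               "listening on the private port behind it.",
    "unresolved": "Name did not resolve: check the cloud service name (foo.cloudapp.net).",
    "error": "Other socket error; inspect the exception before blaming the platform.",
}


def check_tcp(host, port, timeout=3.0):
    """Try one TCP connect and return a key of WHAT_IT_MEANS."""
    try:
        info = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, sockaddr = info[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except socket.timeout:          # no SYN-ACK within the timeout: dropped somewhere
        return "timeout"
    except ConnectionRefusedError:  # RST came back: reachable, nothing listening
        return "refused"
    except OSError:
        return "error"
    finally:
        sock.close()


def _local_listener():
    """Constructed stand-in for 'a service you know for sure is running fine'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(1)                # the kernel completes the handshake for us
    return srv, srv.getsockname()[1]


def _unused_port():
    """Constructed stand-in for an endpoint behind which nothing listens."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                # released again, so nobody listens on it
    return port


def demo():
    """Run both local checks and return {label: outcome}."""
    srv, good_port = _local_listener()
    try:
        results = {
            "known_good": check_tcp("127.0.0.1", good_port),
            "nothing_listening": check_tcp("127.0.0.1", _unused_port()),
        }
    finally:
        srv.close()
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome} -> {WHAT_IT_MEANS[outcome]}")
```

A "timeout" against an Azure VM is the ambiguous case: the notes give three candidate causes (no endpoint, host firewall, corporate firewall), and the same check run from a machine outside the corporate network is what separates the last one from the first two.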

Transcript

  • 1. WINDOWS AZURE IAAS TIPS & TRICKS • Anton Staykov • @astaykov
  • 2. ABOUT ME • Windows Azure MVP (3 times now) • With Azure from the beginning • http://blogs.staykov.net/ • @astaykov
  • 3. AGENDA • Azure IaaS • Outside-In connection issues • Virtual Networks • IP Addresses • AD/DC – Highway to … • Mail Server on Azure
  • 4. A CONTINUOUS OFFERING FROM PRIVATE TO PUBLIC CLOUD
  • 5. WINDOWS AZURE VIRTUAL MACHINES * http://bit.ly/azurevmsupport
  • 6. COMMON ISSUES • VM disappears or was deleted (MSDN / Free Trial) • Blob storage occupied (VHD not deleted) • Temporary Disk (how temporary is it?) • What disk size should I choose?
  • 7. DEMO
  • 8. INTERNET CONNECTIVITY Outside-In
  • 9. NETWORKING PICTURE [diagram labels: INTERNET; Windows Azure Cloud Service (foo.cloudapp.net); LB VIP; Virtual Machine (IaaS) Local IP (DIP)]
  • 10. OUTSIDE-IN CONNECTIVITY • Endpoint Definition • Windows Firewall Rules • Corporate Firewalls • PING times out
  • 11. VIRTUAL NETWORK
  • 12. VNET SCENARIOS • Define IP address space for VMs • IaaS interconnectivity • Site-to-Site • Point-to-Site • IaaS-to-PaaS and vice versa
  • 13. VNET • Address Spaces • 10.0.0.0 • 172.16.0.0 • 192.168.0.0 • Subnets • Gateway Subnet
  • 14. ADDRESS ALLOCATION SECRETS • Always and only by DHCP • The first host gets the 4th IP address, i.e. 192.168.0.4 • Automatic cross-subnet connectivity • Internal IP address reservation!
  • 15. VNET CROSS-PREMISES • Site-to-Site • Point-to-Site • Express Route
  • 16. VNET LIMITATIONS • No cross-data-center connections • No site-to-multiple-sites connections
  • 17. NAME RESOLUTION
  • 18. NAME RESOLUTION SCENARIOS • When not in VNet • PaaS only (Web/Worker Roles) • IaaS only (Virtual Machines) • When in VNet • Cloud only • Cloud + Site-to-Site VPN
  • 19. DNS SERVER ON IAAS
  • 20. DNS SERVER SECRETS • Just for the DNS server machine, set DNS to 127.0.0.1 when deploying! • Place the DNS server on its own subnet • Remember the full format of the FQDN • http://bit.ly/fqdn • Reserve a “Static IP Address” for the VM • http://bit.ly/azurestaticip
  • 21. IP ADDRESS ASSIGNMENT SECRETS • IP address predictability and reservations • Subnet isolation • Address space isolation
  • 22. AD/DC ON IAAS Highway to Clouds
  • 23. AC/DC NETWORK LAYOUT (http://bit.ly/azuread)
    VNet: VNET-WE-IAASTIPS-PROD
    Address Space 192.168.30.0/29 – Sub-ADDC: 192.168.30.0/29 – DNS: 192.168.30.4
    Address Space 172.16.0.0/22 – Sub-Clients: 172.16.0.0/22
  • 24. MAIL SERVER ON IAAS
  • 25. HOSTING OWN MAIL SERVER ISSUES • Public (dynamic) IP address • Reverse DNS records (PTR records) • http://bit.ly/azureptr
  • 26. KEY TAKEAWAYS • Never forget the firewall • Know your IP addresses • Don’t host an email server (yet) • Password expiration
  • 27. Q&A • Anton Staykov • @astaykov • http://blogs.staykov.net/
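Slides 13, 14, 21 and 23 together describe the address-planning rules the talk relies on: address spaces drawn from the 10/8, 172.16/12 and 192.168/16 private ranges, subnets carved out of them, and the platform's DHCP handing the first host the 4th address of its subnet (192.168.0.4 in the slide, 192.168.30.4 for the DNS box in the slide 23 layout). The following is an added example, not code from the presentation: a small plan validator, written with Python's standard `ipaddress` module, that checks a proposed VNet plan against those rules and computes where the first host will land. It assumes, as slide 14 states, that the first three addresses after the network address are reserved by the platform, and additionally treats the subnet's last address as unusable; the `AZURE_RESERVED_LOW` constant and the problem messages are this example's own names, and the slide 23 plan is reproduced as constructed sample input.

```python
import ipaddress

# RFC 1918 ranges; the three address spaces on slide 13 are the first block of each.
PRIVATE_SPACES = [ipaddress.ip_network(s)
                  for s in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Slide 14: "the first host gets the 4th IP address", so network address + 4.
# (Assumed constant name; the slide states the rule, not a name for it.)
AZURE_RESERVED_LOW = 4

# Slide 23 layout, reproduced here as sample input.
SLIDE23_SPACES = ["192.168.30.0/29", "172.16.0.0/22"]
SLIDE23_SUBNETS = {"Sub-ADDC": "192.168.30.0/29", "Sub-Clients": "172.16.0.0/22"}


def first_assignable_host(subnet):
    """Address DHCP will hand to the first VM placed in this subnet."""
    net = ipaddress.ip_network(subnet)
    return net.network_address + AZURE_RESERVED_LOW


def assignable_hosts(subnet):
    """How many VMs fit after the platform's low reservations and the last address."""
    net = ipaddress.ip_network(subnet)
    return max(net.num_addresses - AZURE_RESERVED_LOW - 1, 0)


def validate_plan(address_spaces, subnets):
    """Return a list of human-readable problems; an empty list means the plan is sound."""
    problems = []
    spaces = [ipaddress.ip_network(s) for s in address_spaces]

    # Address spaces must come from the private ranges the slides list.
    for space in spaces:
        if not any(space.subnet_of(p) for p in PRIVATE_SPACES):
            problems.append(f"{space} is not inside an RFC 1918 private range")

    # Every subnet must sit inside one of the address spaces and still have room for a VM.
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"subnet {name} {net} is outside every address space")
        if assignable_hosts(net) < 1:
            problems.append(f"subnet {name} {net} has no assignable addresses "
                            f"after platform reservations")

    # Subnets must not overlap, or DHCP leases become unpredictable.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for name, cidr in SLIDE23_SUBNETS.items():
        print(f"{name}: first host {first_assignable_host(cidr)}, "
              f"{assignable_hosts(cidr)} assignable")
    print("problems:", validate_plan(SLIDE23_SPACES, SLIDE23_SUBNETS) or "none")
```

The /29 used for the domain controller subnet on slide 23 leaves exactly three assignable addresses once the reservations are taken into account, which is why the DNS server is at .4 and why such a subnet should be reserved for the DC role rather than shared with clients.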