AZ-104 Create a Windows Virtual Machine In Azure
Resources used in a Windows VM
A virtual machine that provides CPU and memory resources.
An Azure Storage account to hold the virtual hard disks.
Virtual disks to hold the OS, applications, and data.
A virtual network (VNet) to connect the VM to other Azure services or your own on-premises hardware.
A network interface to communicate with the VNet.
A public IP address so you can access the VM (optional).
Note
An interesting capability is to create a VHD image from a real disk. This allows you to easily migrate existing information from an on-premises computer to the cloud.
Connecting to an Azure VM
As we saw a moment ago, Azure VMs communicate on a virtual network. They can also have an optional public IP address assigned to them. With a public IP, we can communicate with the VM over the Internet. Alternatively, we can set up a virtual private network (VPN) that connects our on-premises network to Azure, letting us securely connect to the VM without exposing a public IP. This approach is covered in another module and is fully documented if you are interested in exploring that option. One thing to be aware of with public IP addresses in Azure is that they're often dynamically allocated. That means the IP address can change over time; for VMs, this happens when the VM is restarted. You can pay more to assign a static address if you want to connect directly to an IP address instead of a name and need to ensure that the IP address won't change.
Note
As you add or change settings in the wizard, Azure validates each value and places a green check mark next to a validated field, or a red error indicator below the field. You can hover over an error indicator to get more information about a validation issue. It's a best practice to use a standard naming convention for resource names so you can easily identify their purpose. Windows VM names are a bit limited: they must be between 1 and 15 characters, cannot contain non-ASCII or special characters, and must be unique in the current resource group.
2. Suppose you have an application running on a Windows virtual machine in Azure. What is the best-practice guidance on where the app should store data files?
Attached data disk
Dedicated data disks are generally considered the best place to store application data files. They can be larger than OS disks, and you can optimize them for the cost and performance characteristics appropriate for your data.
Introduction to Windows virtual machines in Azure
Azure VMs are an on-demand scalable cloud computing resource. They're similar to virtual machines that are hosted in Windows Hyper-V. They include processor, memory, storage, and networking resources. You can start and stop virtual machines at will, just like with Hyper-V, and manage them from the Azure portal or with the Azure CLI. You can also use a Remote Desktop Protocol (RDP) client to connect directly to the Windows desktop user interface (UI) and use the VM as if you were signed in to a local Windows computer.
Increased reliability
Azure ensures that VHDs associated with high-reliability VMs will be placed in different parts of Azure storage to provide similar levels of resilience.
Configure the VM settings
Azure presents a wizard as a series of tabs to walk you through all the configuration details for creating the VM. The first tab is Basics. You can select Next or Previous to move from one tab to another, or you can select any tab in the horizontal menu to move to a customizable configuration section.
Mapping storage to disks
Azure uses virtual hard disks (VHDs) to represent physical disks for the VM. VHDs replicate the logical format and data of a disk drive but are stored as page blobs in an Azure Storage account. You can choose on a per-disk basis what type of storage it should use (SSD or HDD). This allows you to control the performance of each disk, likely based on the I/O you plan to perform on it.
Open ports in Azure VMs
By default, new VMs are locked down. Apps can make outgoing requests, but the only inbound traffic allowed is from the virtual network (for example, other resources on the same local network) and from Azure's Load Balancer (probe checks). When you create a new VM, you have an opportunity to open a few common ports (RDP, HTTP, HTTPS, and SSH). However, if you require other changes to the firewall, you will need to make them yourself. Adjusting the configuration to support FTP involves two steps:
Create a Network Security Group.
Create an inbound rule allowing traffic on ports 20 and 21 for active FTP support.
How do you connect to a VM in Azure using RDP?
Connecting to a VM in Azure using RDP is a simple process. In the Azure portal, you go to the properties of your VM, and at the top, click Connect. This will show you the IP addresses assigned to the VM and give you the option to download a preconfigured .rdp file that Windows then opens in the RDP client. You can choose to connect over the public IP address of the VM in the RDP file. Alternatively, if you're connecting over VPN or ExpressRoute, you can select the internal IP address. You can also select the port number for the connection. If you're using a static public IP address for the VM, you can save the .rdp file to your desktop. If you're using dynamic IP addressing, the .rdp file only remains valid while the VM is running. If you stop and restart the VM, you must download another .rdp file.
3. What is the final rule that is applied in every Network Security Group?
Deny All
This is a safe choice. It will block all traffic that you don't specifically allow.
How Azure uses network rules
For inbound traffic, Azure processes the security group associated to the subnet, then the security group applied to the network interface. Outbound traffic is processed in the opposite order (the network interface first, followed by the subnet).
Download the RDP file
In the Azure portal, ensure the Overview pane for the virtual machine that you created earlier is open. You can also find the VM on the Azure home page, under All Resources, if you need to open it. The Overview pane has a lot of information about the VM.
In the top menu bar, select Connect, and from the dropdown list, select RDP. The Connect pane appears for your virtual machine.
Note the IP address and Port number settings, then select Download RDP File, and save it to your computer.
Before we connect, let's adjust a few settings. On Windows, find the file using Explorer, right-click, and select Edit. On macOS you will need to open the file first with the RDP client and then right-click on the item in the displayed list and select Edit.
You can adjust a variety of settings to control the experience in connecting to the Azure VM. The settings you will want to examine are:
Display: By default, it will be full screen. You can change this to a lower resolution, or use all your monitors if you have more than one.
Local Resources: You can share local drives with the VM, allowing you to copy files from your PC to the VM. Click the More button under Local devices and resources to select what is shared.
Experience: Adjust the visual experience based on your network quality.
Share your Local C: drive so it will be visible to the VM.
Switch back to the General tab, and select Save to save the changes. You can always come back and edit this file later to try other settings.
Sizing your VM
Just as a physical machine has a certain amount of memory and CPU power, so does a virtual machine. Azure offers a range of VMs of differing sizes at different price points. The size that you choose will determine the VM's processing power, memory, and maximum storage capacity.
Better security
Managed disks are truly managed resources in the resource group. This means they can use role-based access control to restrict who can work with the VHD data.
Backup support
Managed disks can be automatically backed up to different regions for disaster recovery with Azure Backup, all without affecting the service of the VM.
Security group rules
NSGs use rules to allow or deny traffic moving through the network. Each rule identifies the source and destination address (or range), protocol, port (or range), direction (inbound or outbound), a numeric priority, and whether to allow or deny the traffic that matches the rule. The following illustration shows NSG rules applied at the subnet and network interface levels.
Use RDP to connect to Windows Azure virtual machines
Now that we have a Windows VM in Azure, the next thing you'll do is put your applications and data on those VMs to process our traffic videos. However, unless you've set up a site-to-site VPN to Azure, your Azure VMs won't be accessible from your local network. If you're just getting started with Azure, it's unlikely that you have a working site-to-site VPN. So how can you transfer files to Azure VMs? One easy way is to use Azure's Remote Desktop Connections feature to share your local drives with your new Azure VMs.
Connect to the Windows VM
On the Remote Desktop Connection dialog box, note the security warning and the remote computer IP address, and then select Connect to start the connection to the VM. In the Windows Security dialog box, enter your username and password that you used in steps 6 and 7. In the second Remote Desktop Connection dialog box, note the certificate errors, and then select Yes.
To connect to an Azure VM with an RDP client, you will need:
Public IP address of the VM (or private IP address if the VM is configured to connect to your network)
Port number
1. When creating a Windows virtual machine in Azure, which port would you open using the INBOUND PORT RULES in order to allow remote-desktop access?
RDP (3389)
The Remote Desktop Protocol (RDP) uses port 3389 by default, so this port is the standard port you would open if you wanted to use an RDP client to administer your Windows virtual machines.
What is the Remote Desktop Protocol?
Remote Desktop (RDP) provides remote connectivity to the UI of Windows-based computers. RDP enables you to sign in to a remote physical or virtual Windows computer and control that computer as if you were seated at the console. An RDP connection enables you to carry out the vast majority of operations that you can do from the console of a physical computer, with the exception of some power and hardware-related functions.
Choose the VM image
Selecting an image is one of the first and most important decisions you'll make when creating a VM. An image is a template that's used to create a VM. These templates include an OS and often other software, such as development tools or web hosting environments. Any application that can be supported by the computer can be included in the VM image. You can create a VM from an image that's pre-configured to exactly match your requirements, such as hosting an ASP.NET Core app.
Snapshot support
Snapshots can be used to create a read-only copy of a VHD. You have to shut down the owning VM, but creating the snapshot only takes a few seconds. Once it's done, you can power on the VM and use the snapshot to create a duplicate VM to troubleshoot a production issue, or roll back the VM to the point in time that the snapshot was taken.
By default, two virtual hard disks (VHDs) will be created for your Windows VM:
The Operating System disk. This is your primary or C: drive and has a maximum capacity of 2048 GB.
A Temporary disk. This provides temporary storage for the OS or any apps. It is configured as the D: drive by default and is sized based on the VM size, making it an ideal location for the Windows paging file.
Unmanaged vs. Managed disks
The final storage choice you'll make is whether to use unmanaged or managed disks. With unmanaged disks, you are responsible for the storage accounts that are used to hold the VHDs that correspond to your VM disks. You pay the storage account rates for the amount of space you use. A single storage account has a fixed rate limit of 20,000 I/O operations/sec. This means that a single storage account is capable of supporting 40 standard virtual hard disks at full throttle. If you need to scale out, then you need more than one storage account, which can get complicated.
Install worker roles
The first time you connect to a Windows server VM, it will launch Server Manager. This allows you to assign a worker role for common web or data tasks. You can also launch the Server Manager through the Start Menu. This is where we would add the Web Server role to the server. This will install IIS and as part of the configuration you would turn off HTTP requests and enable the FTP server. Or, we could ignore IIS, and install a third-party FTP server. We'd then configure the FTP server to allow access to a folder on our big data drive we added to the VM. Because we aren't going to actually configure that here, just close Server Manager.
Choosing storage options
The next set of decisions revolves around storage. First, you can choose the disk technology. Options include a traditional platter-based hard disk drive (HDD) or a more modern solid-state drive (SSD). Just like the hardware you purchase, SSD storage costs more but provides better performance.
Tip
There are two levels of SSD storage available: standard and premium. Choose Standard SSD disks if you have normal workloads but want better performance. Choose Premium SSD disks if you have I/O intensive workloads or mission-critical systems that need to process data very quickly.
Creating an Azure VM
VMs can be defined and deployed on Azure in several ways: the Azure portal, a script (using the Azure CLI or Azure PowerShell), or through an Azure Resource Manager template. In all cases, you will need to supply several pieces of information, which we'll cover shortly. The Azure Marketplace also provides pre-configured images that include both an OS and popular software tools installed for specific scenarios.
Network communication
Virtual machines communicate with external resources using a virtual network (VNet). The VNet represents a private network in a single region that your resources communicate on. A virtual network is just like the networks you manage on-premises. You can divide them up with subnets to isolate resources, connect them to other networks (including your on-premises networks), and apply traffic rules to govern inbound and outbound connections.
What is a Network Security Group?
Virtual networks (VNets) are the foundation of the Azure networking model and provide isolation and protection. Network Security Groups (NSGs) are the main tool you use to enforce and control network traffic rules at the networking level. NSGs are an optional security layer that provides a software firewall by filtering inbound and outbound traffic on the VNet. Security groups can be associated to a network interface (for per-host rules), a subnet in the virtual network (to apply to multiple resources), or both levels.
Install custom software
We have two approaches we can use to install software. First, this VM is connected to the internet. If the software you need has a downloadable installer, you can open a web browser in the RDP session, download the software, and install it. Second, if your software is custom, like our custom service, you can copy it from your local machine over to the VM to install it. Let's look at this latter approach.
Configure Azure virtual machine network settings
We've installed our custom software, set up an FTP server, and configured the VM to receive our video files. However, if we try to connect to our public IP address with FTP, we'll find that it's blocked. Making adjustments to server configuration is commonly performed with equipment in your on-premises environment. In this sense, you can consider Azure VMs to be an extension of that environment. You can make configuration changes, manage networks, open or block traffic, and more through the Azure portal, Azure CLI, or Azure PowerShell tools. You've already seen some of the basic information and management options in the Overview panel for the virtual machine. Let's explore network configuration a bit more.
Planning your network
When you create a new VM, you will have the option of creating a new virtual network or using an existing VNet in your region. Having Azure create the network together with the VM is simple, but it's likely not ideal for most scenarios. It's better to plan your network requirements up front for all the components in your architecture and create the VNet structure you will need separately. Then create the VMs and place them into the already-created VNets. We'll look more at virtual networks a bit later in this module. Let's apply some of this knowledge and create a VM in Azure.
What about data
You can store data on the C: drive along with the OS, but a better approach is to create dedicated data disks. You can create and attach additional disks to the VM. Each data disk can hold up to 32,767 gibibytes (GiB) of data, with the maximum amount of storage determined by the VM size you select.
Create a Windows virtual machine in Azure
Your company has decided to manage the video data from their traffic cameras in Azure using VMs. In order to run the multiple codecs, we first need to create the VMs. We also need to connect and interact with the VMs. In this unit, you will learn how to create a VM using the Azure portal. You will configure the VM for remote access, select a VM image, and choose the proper storage option.