From A to Azure: Article 3 – Virtual Machine Basics

In our first article we created a virtual machine as our first resource. In this article we will dive deeper into Azure Virtual Machines (VM) and how to manage them.

Github links to scripts used in this article

Components that make up a Virtual Machine

The first thing to know about Virtual Machines (VMs) is that you can’t just spin up a VM and call it good: several other resources get created or used to allow a VM to function.

Let’s go over what these resources and their options are:

Virtual Machine

This resource represents the configuration and SKU (size) of the VM

  • Settings
    • Available RAM
    • How many vCPUs
    • Which Managed Disk is being utilized
    • Which Network Interface is being utilized

Network Interface

This resource is the object that actually connects to the virtual network (and, through a public IP, to the internet); the VM itself holds no addresses of its own.

  • DNS Server
    • Inherit from the Virtual Network
    • Custom DNS
      • Primarily used to point a VM at your own Active Directory domain controllers for domain join and name resolution (if not utilizing Azure AD), or at an internal resolver for private name spaces.
  • Network Security Group
    • Choose which Network Security Group (NSG) to associate with this interface
      • A NIC-level NSG is optional; an NSG associated with the subnet still applies to this interface either way, and when both exist inbound traffic must be allowed first by the subnet NSG and then by the NIC NSG (outbound is checked in the reverse order)
      • Can opt out of a NIC-level NSG entirely
  • Private IP addresses
    • Dynamic
      • Released when the VM is stopped (deallocated) and may come back different on the next start; a reboot from inside the OS does not release it
    • Static
      • Will remain the same through deallocation and restarts
  • Public IP addresses
    • Dynamic
      • Released on deallocation and reassigned on start, so the address can change (only offered with the Basic public IP SKU; Standard SKU public IPs are always static)
    • Static
      • Will remain the same through deallocation and restarts

Virtual Network (VNet)

This resource represents the network that your resources will reside in and communicate through.

  • Address Space
    • Allocate the range of IP addresses within the network in CIDR notation
      • IE 192.168.0.0/16 = 192.168.0.0 – 192.168.255.255
      • IE 10.0.1.0/24 = 10.0.1.0 – 10.0.1.255
    • More information on CIDR notation:
  • Subnets
    • Dedicated separated networks within a VNet address space
      • Useful for separating resources for management and security purposes (Network Security Groups and service endpoints are applied per subnet)
      • Set a sub-range of IP addresses in CIDR notation within an existing address space
        • IE 192.168.1.0/24 fits within the address space of 192.168.0.0/16
          • Uses 256 of the available 65,536 addresses; Azure reserves the first four and the last address of every subnet, so 251 are assignable
  • DDoS Protection (Optional)
    • A DDoS protection plan is a paid service that offers enhanced DDoS mitigation capabilities via adaptive tuning, attack notification, and telemetry to protect against the impacts of a DDoS attack for all protected resources within this virtual network. Basic DDoS protection is integrated into the Azure platform by default and at no additional cost.
    • Enable or Disable
      • Monthly price (as of when this article was written) for DDoS Protection (includes protection for 100 resources)
        • $2,944/month
      • Overage charges (more than 100 resources)
        • $29.5 per resource per month
  • Firewall (Optional)
    • Azure Firewall is a managed cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
    • Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.
  • Security (Optional)
    • Security Center continuously monitors the configuration of your virtual networks to identify potential security vulnerabilities and recommends actions to mitigate them.
      • Just In Time access, which reduces your exposure to network attacks by opening management ports in the NSG only for an approved time window
      • Adaptive application controls to block malicious or unsupported applications
      • Threat detection using advanced analytics and global threat intelligence
      • Interactive investigation tools and automated remediation for rapid response
      • And much more
  • DNS Server
    • Default (Azure-provided)
    • Custom DNS
      • Primarily used to point VMs at your own Active Directory domain controllers for domain join and name resolution (if not utilizing Azure AD), or at an internal resolver for private name spaces.
  • Peerings
    • Establishes connectivity and routing between two VNets
    • Peering is not transitive, which is what makes it behave like a hub and spoke network
      • You can peer Network A with B and with C at the same time
      • B and C still cannot reach each other through A; they need their own peering, or a gateway or network virtual appliance in A that they are routed through
  • Service Endpoints (Optional)
    • A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
      • Improved security for Azure service resources
        • Service endpoints provide the ability to secure Azure service resources to your virtual network by extending VNet identity to the service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. Public internet access is only removed once the service's own firewall default action is set to Deny; the VNet rule by itself just adds your subnet as an allowed source.
        • An endpoint is a route to the whole service in that region, not to your resource alone; if you need access scoped to a single resource, use a Private Endpoint instead.
      • Optimal routing for Azure service traffic
        • Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. Keeping traffic on the Azure backbone network allows you to continue auditing and monitoring outbound Internet traffic from your virtual networks, through forced-tunneling, without impacting service traffic.
      • Less management overhead for security
        • You no longer need reserved, public IP addresses in your virtual networks to secure Azure resources through IP firewall. There are no Network Address Translation (NAT) or gateway devices required to set up the service endpoints. You can configure service endpoints through a simple click on a subnet. There’s no additional overhead to maintaining the endpoints.
      • Services supported:
        • Azure Storage (Microsoft.Storage): Generally available in all Azure regions.
        • Azure SQL Database (Microsoft.Sql): Generally available in all Azure regions.
        • Azure Synapse Analytics (Microsoft.Sql): Generally available in all Azure regions for dedicated SQL pools (formerly SQL DW).
        • Azure Database for PostgreSQL server (Microsoft.Sql): Generally available in Azure regions where database service is available.
        • Azure Database for MySQL server (Microsoft.Sql): Generally available in Azure regions where database service is available.
        • Azure Database for MariaDB (Microsoft.Sql): Generally available in Azure regions where database service is available.
        • Azure Cosmos DB (Microsoft.AzureCosmosDB): Generally available in all Azure regions.
        • Azure Key Vault (Microsoft.KeyVault): Generally available in all Azure regions.
        • Azure Service Bus (Microsoft.ServiceBus): Generally available in all Azure regions.
        • Azure Event Hubs (Microsoft.EventHub): Generally available in all Azure regions.
        • Azure Data Lake Store Gen 1 (Microsoft.AzureActiveDirectory): Generally available in all Azure regions where ADLS Gen1 is available.
        • Azure App Service (Microsoft.Web): Generally available in all Azure regions where App service is available.
        • Azure Cognitive Services (Microsoft.CognitiveServices): Generally available in all Azure regions where Cognitive services are available.
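The service endpoint notes above say that the public endpoint is only closed once the service's own firewall defaults to Deny. The following is an added example, not code from the original article, that walks the whole sequence in Az PowerShell for a storage account: enable the Microsoft.Storage endpoint on a subnet, allow that subnet through the account firewall, flip the default action to Deny, and read the rule set back. Resource group, VNet, subnet and storage account names are placeholders.

```powershell
# Added example (not from the original article). All names below are assumptions.
$rgName      = "RG_Name"
$vnetName    = "VNet_Name"
$subnetName  = "Subnet_Name"
$storageName = "storageaccountname"   # globally unique, 3-24 lowercase letters/digits

# 1. Turn on the Microsoft.Storage service endpoint on the subnet.
#    The subnet object returned here is the one held inside $vnet, so it is
#    edited in place (same pattern the article uses for NSG association) and
#    written back with Set-AzVirtualNetwork. This avoids
#    Set-AzVirtualNetworkSubnetConfig, which rewrites the whole subnet config.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
if ($null -eq $subnet.ServiceEndpoints) {
    $subnet.ServiceEndpoints = [System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.PSServiceEndpoint]]::new()
}
if ($subnet.ServiceEndpoints.Service -notcontains "Microsoft.Storage") {
    $subnet.ServiceEndpoints.Add([Microsoft.Azure.Commands.Network.Models.PSServiceEndpoint]@{ Service = "Microsoft.Storage" })
}
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. Add the subnet as an allowed source on the storage account firewall.
#    (The endpoint must already exist on the subnet or the storage RP rejects this.)
Add-AzStorageAccountNetworkRule -ResourceGroupName $rgName -Name $storageName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# 3. This is the step that actually closes the public endpoint. Without
#    DefaultAction Deny the VNet rule is purely additive and the account stays
#    reachable from any internet address. Bypass AzureServices keeps trusted
#    platform services (boot diagnostics, backup, etc.) working.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rgName -Name $storageName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 4. Read the result back: DefaultAction must be Deny and the subnet must be listed.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rgName -Name $storageName
"DefaultAction: $($ruleSet.DefaultAction)"
$ruleSet.VirtualNetworkRules | ForEach-Object {
    "Allowed subnet: $($_.VirtualNetworkResourceId) (state: $($_.State))"
}
```

After step 3 any client outside the allowed subnet (including your own workstation) gets 403 on the storage endpoint, so run the verification from inside the VNet or add your management IP with Add-AzStorageAccountNetworkRule -IPAddressOrRange before locking it down.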

Network Security Group (Optional – Recommended)

This resource represents a grouping of security rules that can be applied to a VNet subnet or to an individual network interface

  • Inbound Security Rules
    • Rules on source, destination, port range and protocol that allow/deny inbound traffic
    • Rules are evaluated in order of priority and processing stops at the first rule that matches
      • Lower number = higher priority; custom rules use 100 to 4096
      • Every NSG also carries default rules at 65000 and above (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) that are evaluated after all of your custom rules
      • Allows you to set a blanket ‘Deny All’ or ‘Allow All’ at the bottom of the list (e.g. priority 4096) and override it for specific ports, IPs, and protocols with lower-numbered rules
  • Outbound Security Rules
    • Rules on source, destination, port range and protocol that allow/deny outbound traffic
    • Rules are evaluated in order of priority and processing stops at the first rule that matches
      • Lower number = higher priority; custom rules use 100 to 4096
      • Default rules at 65000 and above are AllowVnetOutBound, AllowInternetOutBound and DenyAllOutBound, so a VM can reach the internet outbound until you explicitly deny it
      • Allows you to set a blanket ‘Deny All’ or ‘Allow All’ at the bottom of the list and override it for specific ports, IPs, and protocols with lower-numbered rules
  • Network Interfaces
    • Network Interface direct associations
      • Can associate or dissociate
  • Subnets
    • Subnet associations
      • Can associate or dissociate

Managed Disk

This resource represents the logical disk that holds the data for the VM; you can delete the VM and rebuild it, so long as this disk remains.

  • Size + Performance
    • Allows resizing the SKU of the managed disk once it is unattached or the attached VM is deallocated
  • Encryption
    • (Default) Encryption at-rest with a platform (Azure)-managed key
    • Encryption at-rest with a customer-managed key
      • Uses a disk encryption set that must be set up beforehand and points at a key in an Azure Key Vault
    • Double encryption with both platform-managed and customer-managed keys
      • Uses a disk encryption set that must be set up beforehand and points at a key in an Azure Key Vault
  • Networking
    • Controls how the disk's export/import path (the SAS URL) can be reached; it has nothing to do with how the VM reads the disk
    • (Default) Public endpoint (all networks)
    • Private Endpoint (through disk access)
      • A disk access resource lets you attach a private endpoint so that the export/import SAS URL is only reachable over Private Link from your VNet
    • Deny All
      • Export and import of the disk are disabled entirely
  • Disk Export
    • Allows you to generate a time-limited SAS URL to download the disk (VHD) locally
      • Anyone holding the URL can download the disk until it expires or is revoked, so treat it like a credential; the disk must be unattached or its VM deallocated
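As an added example (not from the original article) of the export caveat above, the following Az PowerShell snippet grants a one-hour read SAS on a disk, downloads the VHD, and revokes the SAS in a finally block so the URL does not outlive the job. Resource names are placeholders; azcopy is the realistic download tool for multi-GB disks, Invoke-WebRequest is used here only to keep the example self-contained.

```powershell
# Added example (not from the original article). Names are assumptions.
$rgName   = "RG_Name"
$diskName = "Disk_Name"
$lifetime = 3600   # seconds; keep the SAS only as long as the download needs

$disk = Get-AzDisk -ResourceGroupName $rgName -DiskName $diskName

# Export is refused while the disk is attached to a running VM; a deallocated
# VM leaves the disk in the "Reserved" state, which is fine. "ActiveSAS" means
# someone already exported it: revoke that grant before issuing a new one.
switch ($disk.DiskState) {
    "Attached"  { throw "$diskName is attached to a running VM; deallocate the VM first." }
    "ActiveSAS" { Revoke-AzDiskAccess -ResourceGroupName $rgName -DiskName $diskName | Out-Null }
}

$grant = Grant-AzDiskAccess -ResourceGroupName $rgName -DiskName $diskName `
    -Access Read -DurationInSecond $lifetime
try {
    # $grant.AccessSAS is a bearer URL: no Azure identity is needed to use it,
    # so do not log it and do not paste it into tickets.
    Invoke-WebRequest -Uri $grant.AccessSAS -OutFile "$diskName.vhd"
}
finally {
    # Revoke explicitly instead of waiting for expiry; this also returns the
    # disk from ActiveSAS to its previous state so it can be attached again.
    Revoke-AzDiskAccess -ResourceGroupName $rgName -DiskName $diskName | Out-Null
}
"$diskName exported to $diskName.vhd and SAS revoked"
```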

Create A Virtual Machine

Please refer to “From A to Azure: Article 1 – The Basics” for a walkthrough on creating Virtual Machines.

Adjusting VM Size (Portal)

We will be using the small VM created in Article 1 for this demonstration and scaling it up. Moving to a size that runs on different hardware requires the VM to be stopped (deallocated) first, and it has to be started again afterwards.

  • Navigate to your VM in Azure
  • Select the Stop button
    • Wait until the status shows Stopped (Deallocated)
  • Navigate to the Size blade on the left side menu
  • Select the B4ms (Standard_B4ms) size and select Resize

Adjusting VM Size (PowerShell)

## Set parameters for VM operations
$resourceGroup = "RG-Name"
$vmName = "VM-Name"
$vm = Get-AzVM -ResourceGroupName $resourceGroup -VMName $vmName

## List available sizes for VM (while the VM is allocated only sizes offered on its current hardware cluster are listed)
Get-AzVMSize -ResourceGroupName $resourceGroup -VMName $vmName

## Stop (deallocate) the VM
## Stop-AzVM is the Az-module cmdlet (Stop-AzureRmVM belongs to the retired AzureRM module). Run it
## synchronously, without -AsJob, so the resize below cannot start before deallocation has finished.
$vm | Stop-AzVM -Force

## Resize the VM
$vm.HardwareProfile.VmSize = "Standard_B4ms"
Update-AzVM -VM $vm -ResourceGroupName $resourceGroup

## Github link to adjust VM size script
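An added example (not the article's own script) that wraps the resize above in the checks a practitioner would want: confirm the target size is actually offered to this VM before deallocating it, stop it synchronously only if it is running, apply the new size, and start it again. Names are placeholders.

```powershell
# Added example (not from the original article). Names are assumptions.
$resourceGroup = "RG-Name"
$vmName        = "VM-Name"
$targetSize    = "Standard_B4ms"

# Get-AzVMSize with -VMName returns the sizes this VM can be resized to.
$available = (Get-AzVMSize -ResourceGroupName $resourceGroup -VMName $vmName).Name
if ($targetSize -notin $available) {
    throw "$targetSize is not available for $vmName. Available sizes: $($available -join ', ')"
}

# Read the current power state from the instance view rather than assuming.
$powerState = (Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName -Status).Statuses |
    Where-Object { $_.Code -like "PowerState/*" } |
    Select-Object -ExpandProperty Code

if ($powerState -ne "PowerState/deallocated") {
    # Synchronous on purpose: Update-AzVM fails if the VM is still allocated.
    Stop-AzVM -ResourceGroupName $resourceGroup -Name $vmName -Force | Out-Null
}

# Re-read the model after the stop so the update carries the current ETag/state.
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
$vm.HardwareProfile.VmSize = $targetSize
Update-AzVM -ResourceGroupName $resourceGroup -VM $vm | Out-Null

Start-AzVM -ResourceGroupName $resourceGroup -Name $vmName | Out-Null
$newSize = (Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName).HardwareProfile.VmSize
"$vmName is now running as $newSize"
```

Remember that a deallocate/start cycle releases a dynamic private or public IP, so if anything (a firewall rule, a DNS record) is pinned to the old address, check it after the VM comes back.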

Adjusting Disk Size (Portal)

We will be using the disk of the small VM created in Article 1 for this demonstration and scaling it up. A managed disk can only be grown, never shrunk, and it must be unattached or its VM deallocated before the size can be changed; after the resize the partition inside the guest still has to be extended to use the new space.

  • Select the Disks blade on the left side menu
  • Select the attached disk
    • You may also navigate to the disk directly from the resource group
  • Select the Size + Performance blade on the left side menu
    • Select the 1024 GiB P30 disk
    • Select Resize

Adjusting Disk Size (PowerShell)

## Get Disks
Get-AzDisk

## Disk Parameters
$vmDiskName = "Disk_Name"
$resourceGroup = "RG_Name"
$diskSize = 1024   ## GiB; matches the 1024 GiB P30 tier chosen in the portal steps (a size just over a tier boundary is billed at the next tier)

## Get Disk
$vmDisk = Get-AzDisk -ResourceGroupName $resourceGroup -Name $vmDiskName

## Set new disk size
$vmDisk.DiskSizeGB = $diskSize

## Update Azure with new Disk Size (cannot be scaled downwards, only upwards; the disk must be unattached or its VM deallocated,
## and the partition inside the guest still has to be extended afterwards, e.g. with Resize-Partition on Windows)
Update-AzDisk -ResourceGroupName $resourceGroup `
    -Disk $vmDisk `
    -DiskName $vmDisk.Name

## Github link to adjust VM disk size script

Disabling/Enabling RDP Access to VM via Network Security Group (NSG) (Portal)

By default we have allowed RDP access into our VMs; this was done via the Network Security Group. We will demonstrate removing this rule and then adding it back manually.

Disabling RDP

  • Navigate to the Network Security Group that was created with the VM, within the Azure Resource Group
    • Navigate to the Inbound Security Rules (also seen on the Overview tab)
      • There should be a rule allowing port 3389 through the NSG
      • Click the Delete/Trash icon next to this rule to disallow RDP access
      • Confirm deletion of the rule
    • RDP is now denied to any resources that utilize this NSG: with no matching allow rule, inbound 3389 falls through to the default DenyAllInBound rule

Enabling RDP

  • Navigate to the Network Security Group that was created with the VM, within the Azure Resource Group
    • Navigate to the Inbound Security Rules
      • Select + Add
      • Set Source to IP Addresses and enter the address or CIDR range you will connect from; leaving Source as Any exposes RDP to the whole internet and invites constant password brute-forcing
      • Enter 3389 (RDP Port) into the Destination Port Ranges
      • Select Add
    • RDP is now allowed from that source on any resources utilizing this NSG

Disabling/Enabling RDP Access to VM via Network Security Group (NSG) (PowerShell)

## Connect to Azure
Connect-AzAccount

## List All Network Security Groups
Get-AzNetworkSecurityGroup

## Create Rule
## -SourceAddressPrefix "Internet" recreates the default rule, i.e. RDP open to the world; replace it with your own
## address or CIDR range (for example "203.0.113.0/24") whenever you can
Get-AzNetworkSecurityGroup -Name "NSG_Name" -ResourceGroupName "RG_Name" | Add-AzNetworkSecurityRuleConfig -Name "Allow-RDP" -Description "Allow RDP" -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority 100 -SourceAddressPrefix "Internet" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Set-AzNetworkSecurityGroup

## Remove Rule
Get-AzNetworkSecurityGroup -Name "NSG_Name" -ResourceGroupName "RG_Name" | Remove-AzNetworkSecurityRuleConfig -Name "Allow-RDP" | Set-AzNetworkSecurityGroup

## Github link to enable/disable RDP access via NSG rule
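The NSG section above explains priority ordering, and the commands above re-open RDP with source "Internet". The following is an added example, not the article's own script: it allows RDP only from an admin range, adds an explicit deny-all at priority 4096, and then audits the NSG for any inbound allow rule that exposes 22 or 3389 to Internet/Any (the page's own Allow-RDP rule, if it is still present, will be flagged). The NSG name and the 203.0.113.0/24 range (a TEST-NET-3 documentation prefix) are placeholders.

```powershell
# Added example (not from the original article). Names and ranges are assumptions.
$rgName    = "RG_Name"
$nsgName   = "NSG_Name"
$adminCidr = "203.0.113.0/24"   # placeholder for your office/VPN egress range

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# Lower priority number is evaluated first, so this allow wins over the deny below.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-RDP-Admin" -Description "RDP from admin range only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminCidr -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Out-Null

# Explicit catch-all at the lowest custom priority. It is evaluated before the
# default AllowVnetInBound (65000), so intra-VNet traffic now needs its own
# allow rule too; that is the point, but add those rules before relying on it.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-All-Inbound" -Description "Explicit default deny" `
    -Access Deny -Protocol "*" -Direction Inbound -Priority 4096 `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*" | Out-Null

$nsg = $nsg | Set-AzNetworkSecurityGroup

# Audit: which inbound allow rules expose management ports to the whole internet?
function Find-ExposedManagementPorts {
    param(
        [Parameter(Mandatory)] $NetworkSecurityGroup,
        [int[]] $Ports = @(22, 3389)
    )
    $openSources = @("*", "Internet", "0.0.0.0/0", "Any")
    foreach ($rule in ($NetworkSecurityGroup.SecurityRules | Sort-Object Priority)) {
        if ($rule.Direction -ne "Inbound" -or $rule.Access -ne "Allow") { continue }
        # SourceAddressPrefix and DestinationPortRange are lists on PSSecurityRule.
        $srcOpen = @($rule.SourceAddressPrefix | Where-Object { $_ -in $openSources }).Count -gt 0
        if (-not $srcOpen) { continue }
        foreach ($range in $rule.DestinationPortRange) {
            $hit = $false
            if ($range -eq "*") { $hit = $true }
            elseif ($range -match '^(\d+)-(\d+)$') {
                $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
                $hit = @($Ports | Where-Object { $_ -ge $lo -and $_ -le $hi }).Count -gt 0
            }
            elseif ($range -match '^\d+$') { $hit = [int]$range -in $Ports }
            if ($hit) {
                [pscustomobject]@{
                    Rule     = $rule.Name
                    Priority = $rule.Priority
                    Source   = ($rule.SourceAddressPrefix -join ",")
                    Ports    = $range
                }
                break   # one finding per rule is enough
            }
        }
    }
}

Find-ExposedManagementPorts -NetworkSecurityGroup $nsg | Format-Table -AutoSize
```

The audit only looks at custom rules in this NSG; a subnet-level NSG with its own open rule, or a NIC without any NSG at all, would still leave the port reachable, so run it against every NSG in the resource group (Get-AzNetworkSecurityGroup -ResourceGroupName) rather than just the one created with the VM.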

Associating / Dissociating Network Security Group From VM/Subnet (Portal)

If you create a VM without a network security group, or wish to change NSGs you can follow this process to adjust at the VM level.

Virtual Machine

  • Navigate to the VM
    • Alternatively you can navigate directly to the Network Interface from the Resource Group
  • Select the Networking blade on the left side menu
    • Select the Network Interface listed

  • Navigate to the Network Security Group Blade on the left side menu
    • Change the drop down menu to either None or the name of your NSG
    • Select Save

Virtual Network – Subnet

NSGs can be applied to either an individual network interface or an entire subnet. This is how to adjust the NSG at the subnet level

  • Navigate to the Virtual Network within your Resource Group
    • Select the Subnet blade on the left side menu
      • Select the appropriate Subnet
        • Adjust the Network Security Group drop down menu to either None or the appropriate NSG
        • Select Save

Associating / Dissociating Network Security Group From VM/Subnet (PowerShell)

## NSG Parameters
$NSG = Get-AzNetworkSecurityGroup -Name "NSG_Name" -ResourceGroupName "RG_Name"

## Dissociate NSG from Network Adapter (a subnet-level NSG, if there is one, still applies to this NIC)
$NIC = Get-AzNetworkInterface -Name "NIC_Name" -ResourceGroupName "RG_Name"
$NIC.NetworkSecurityGroup = $null
$NIC | Set-AzNetworkInterface

## Associate NSG to Network Adapter
$NIC = Get-AzNetworkInterface -Name "NIC_Name" -ResourceGroupName "RG_Name"
$NIC.NetworkSecurityGroup = $NSG
$NIC | Set-AzNetworkInterface

## Dissociate NSG from Subnet
## Get-AzVirtualNetworkSubnetConfig returns the subnet object held inside $VNet, so editing it and then
## writing $VNet back with Set-AzVirtualNetwork is what persists the change
$VNet = Get-AzVirtualNetwork -Name "Vnet_Name" -ResourceGroupName "RG_Name"
$Subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name "Subnet_Name"
$Subnet.NetworkSecurityGroup = $null
Set-AzVirtualNetwork -VirtualNetwork $VNet

## Associate NSG to Subnet
$VNet = Get-AzVirtualNetwork -Name "Vnet_Name" -ResourceGroupName "RG_Name"
$Subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name "Subnet_Name"
$Subnet.NetworkSecurityGroup = $NSG
Set-AzVirtualNetwork -VirtualNetwork $VNet

## Github link to associate and dissociate NSG script

Enable Boot Diagnostics (Portal)

Boot Diagnostics is a recommended toggle that lets Azure collect the console screenshot and serial log of your VM in case it has boot issues. Logs can be stored either in a managed (auto-created) storage account or in a storage account you already created. Creating a single storage account to house all of your VM diagnostics is generally recommended to avoid resource sprawl; whichever you use, remember that the screenshots and serial output can show whatever is on the console (hostnames, boot messages, a logged-in desktop), so restrict who can read that account. For simplicity, in this instance, we will use a managed storage account. Boot Diagnostics is required to utilize the Azure Serial Console.

  • Navigate to your Azure VM
    • Navigate to the Boot Diagnostics blade on the left side menu
    • Select the Settings button
    • Select Enable with managed storage account
    • Select Save

  • You are now able to see screenshots of the VM (even while booting) and see serial logs in the Boot Diagnostic blade

Enable Boot Diagnostics (PowerShell)

## Create Storage Account for Diagnostic Logs
## The name must be globally unique and consist of 3-24 lowercase letters and digits
New-AzStorageAccount -ResourceGroupName "RG_Name" `
    -Name "storageaccountname" `
    -Location "EastUS" `
    -SkuName "Standard_LRS"

## SKUs
## Standard_LRS     Locally-redundant storage
## Standard_ZRS     Zone-redundant storage
## Standard_GRS     Geo-redundant storage
## Standard_RAGRS   Read access geo-redundant storage
## Premium_LRS      Premium locally-redundant storage
## Premium_ZRS      Premium zone-redundant storage

## Point the VM at that account (omit -StorageAccountName to use a managed storage account, as in the portal steps)
$VM = Get-AzVM -ResourceGroupName "RG_Name" -Name "VM_Name"
Set-AzVMBootDiagnostic -VM $VM -Enable -ResourceGroupName "RG_Name" -StorageAccountName "storageaccountname"
Update-AzVM -VM $VM -ResourceGroupName "RG_Name"

## Github link to enable VM boot diagnostics

On-Demand Performance Diagnostics (Portal)

You may wish to collect data on the performance of your VM to troubleshoot issues as they come. Azure can handle all of that with a simple option.

  • Navigate to your Azure VM
    • Navigate to the Performance Diagnostics blade on the left side menu
    • Select Install Performance Diagnostics
    • Select the adequate level of logging from the Analysis drop down menu

Enable Ongoing Performance Diagnostics (Portal)

You may wish to continually collect performance diagnostic information in order to establish metrics, alerts, and reports on VM performance.

  • Navigate to your Azure VM
    • Navigate to the Diagnostic Settings
    • Select a pre-existing Storage Account to store the diagnostic logs
    • Select Enable Guest-Level Monitoring
    • Once monitoring is established you may adjust what logs you wish to collect and how frequently they are collected
      • Performance Counters
        • CPU
        • Memory
        • Disk
        • Network
        • .NET
        • SQL
      • Logs
        • Event Logs
        • IIS Logs
        • .Net Application Logs
        • ETW Logs
      • Crash Dumps

Enable Ongoing Performance Diagnostics (PowerShell)

This PowerShell script reads a locally stored XML document that describes which diagnostic data to collect and how. An XML sample is located in our GitHub.

## VM Performance Diagnostics Parameters

$vm_resourcegroup = "Rivia"

$vm_name = "VM-Rivia"

$diagnosticsconfig_path = "C:\Users\Ashley\Documents\Rivia\DiagnosticsPubConfig.xml"

$diagnosticsstorage_name = "rivdiagnosticstorage"




## Enable Performance Diagnostics

Set-AzVMDiagnosticsExtension -ResourceGroupName $vm_resourcegroup -VMName $vm_name -DiagnosticsConfigurationPath $diagnosticsconfig_path -StorageAccountName $diagnosticsstorage_name 

## Github link to enable ongoing VM diagnostics script

## Github link to diagnostics configuration XML file [REQUIRED] (Change the 2 variables within)

Reset Password of VM Administrator Account (Portal)

Sometimes you may find that you forget or lose the password of your Azure VM; no worries, Azure has your back here with a built-in password recovery tool. It works through the VMAccess extension, which runs with full privileges inside the guest, so anyone who can write extensions to the VM (Virtual Machine Contributor and above) can take over its local administrator account without knowing the old password. Treat that RBAC permission as equivalent to local admin on the box. The tool only resets local accounts; domain accounts are unaffected.

  • Navigate to your Azure VM
    • Navigate to the Reset Password blade on the left side menu
    • Enter the Username of the local account to reset and the New Password
    • Select Update

Reset Password of VM Administrator Account (PowerShell)

The following script will prompt a credential window to enter the username and the new password; the VMAccess extension then applies it to that local account inside the guest (creating the account if it does not exist).

$SubName = "Sub_Name"
$RgName = "RG_Name"
$VmName = "VM_Name"
$Location = "eastUS"

Select-AzSubscription -SubscriptionName $SubName
Set-AzVMAccessExtension -ResourceGroupName $RgName -Location $Location -VMName $VmName -Credential (Get-Credential) -TypeHandlerVersion "2.0" -Name VMAccessAgent

## Github link to reset VM account password
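Since the reset runs with full privileges inside the guest, the practical question is who is allowed to trigger it. The following is an added example, not from the original article, that lists every role assignment visible at the VM's scope (inherited ones from the resource group and subscription included) whose role definition grants Microsoft.Compute/virtualMachines/extensions/write. Resource names are placeholders; the wildcard matching mirrors Azure's "*" action semantics with PowerShell's -like, and the check ignores deny assignments and PIM-eligible (not yet activated) roles.

```powershell
# Added example (not from the original article). Names are assumptions.
$rgName         = "RG_Name"
$vmName         = "VM_Name"
$requiredAction = "Microsoft.Compute/virtualMachines/extensions/write"

function Test-ActionAllowed {
    param([string[]] $Actions, [string[]] $NotActions, [string] $Action)
    # Azure role definitions use "*" wildcards (e.g. "Microsoft.Compute/*"), which
    # map directly onto PowerShell's -like operator.
    $granted = @($Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($granted -and -not $denied)
}

function Get-VmPasswordResetters {
    param([string] $ResourceGroupName, [string] $VmName, [string] $Action)
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
    $roleCache = @{}   # role definitions are looked up once per role, not per assignment
    Get-AzRoleAssignment -Scope $vm.Id | ForEach-Object {
        $roleId = $_.RoleDefinitionId
        if (-not $roleCache.ContainsKey($roleId)) {
            $roleCache[$roleId] = Get-AzRoleDefinition -Id $roleId
        }
        $def = $roleCache[$roleId]
        if (Test-ActionAllowed -Actions $def.Actions -NotActions $def.NotActions -Action $Action) {
            [pscustomobject]@{
                Principal = $_.DisplayName
                Type      = $_.ObjectType      # User, Group, ServicePrincipal
                Role      = $_.RoleDefinitionName
                Scope     = $_.Scope           # shows where an inherited grant comes from
            }
        }
    }
}

Get-VmPasswordResetters -ResourceGroupName $rgName -VmName $vmName -Action $requiredAction |
    Sort-Object Scope, Principal | Format-Table -AutoSize
```

Owner and Contributor show up through their "*" action, Virtual Machine Contributor through "Microsoft.Compute/*"; a Reader does not. Group members are not expanded here, so a Group row means everyone in that group.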

Serial Console (Portal)

At times it may be necessary to access the serial console of the VM; Azure makes this simple so long as you have Boot Diagnostics enabled. The console is an out-of-band path into the OS that bypasses the NSG entirely, so it is gated by RBAC (Contributor-level access to the VM and to its boot diagnostics storage account) and you still need OS credentials once connected.

  • Navigate to your Azure VM
    • Navigate to the Serial Console blade on the left side menu

Redeploy + Reapply VM (Portal)

If all other troubleshooting attempts fail, it may be an actual Azure issue, in which case the simplest solution may be to redeploy to a new Azure host, or reapply the VM configuration to the existing Azure host. Redeploy shuts the VM down, moves it and starts it again: anything on the temporary disk is lost and a dynamic public IP will change. Reapply keeps the VM on its host and only re-applies the stored configuration.

  • Navigate to your Azure VM
    • Navigate to the Redeploy + Reapply blade on the left side menu

Redeploy + Reapply VM (PowerShell)

## Redeploy (VM is restarted on a new host; temporary disk contents are lost)
Set-AzVM -Redeploy -ResourceGroupName "RG_Name" -Name "VM_Name"

## Reapply
Set-AzVM -Reapply -ResourceGroupName "RG_Name" -Name "VM_Name"

## Github link to redeploy and reapply VM script

Summary

In this article we looked at basic management of Azure VMs and the resources commonly associated with them. We will touch on more advanced networking, retention, and security in future articles.
