With this series I am slowly working towards the complete configuration of a Virtual WAN (vWAN) architecture, and in this article I am creating and configuring Azure Virtual Machines (VMs) as one piece of that configuration. I will create 3 Azure VMs in the existing Virtual Networks (vNETs) created earlier, spread over two regions, so that later in the series I can show connectivity between VMs in different regions through the Virtual WAN hub.
| Virtual Machine | Location | Virtual Network | Subnet | Private IP Address |
|---|---|---|---|---|
| vm1-vnet1-westus | West US | vnet1-westus | subnet1-vnet1-westus | 10.0.0.4/24 |
| vm1-vnet2-westus | West US | vnet2-westus | subnet1-vnet2-westus | 10.1.0.4/24 |
| vm1-vnet3-westeurope | West Europe | vnet3-westeurope | subnet1-vnet3-westeurope | 10.2.0.4/24 |
To create a new Azure VM, go to the Resource Group and click the + Create button.
Microsoft Azure Virtual WAN Part 1 - Create Virtual Network and subnets
Microsoft Azure Virtual WAN Part 2 - Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create and convert to secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity
You can create a Virtual Machine that runs Linux or Windows: select an image from the Azure Marketplace or use your own customized image. Search for "Virtual Machine" or choose a VM operating system from the list. I am selecting Ubuntu Server here for testing my VM connectivity. Select the subscription that will own the deployed resources and their costs. Use resource groups like folders to organize and manage all your resources. Choose a Virtual Machine name. Virtual machines in Azure have two distinct names: the virtual machine name, used as the Azure resource identifier, and the in-guest host name. When you create a VM in the portal, the same name is used for both. The virtual machine name cannot be changed after the VM is created; the host name can be changed once you log in to the virtual machine.
Choose the Azure region that's right for you and your customers. Not all VM sizes are available in all regions. Azure offers a range of options for managing availability and resiliency for your applications. Architect your solution to use replicated VMs in Availability Zones or Availability Sets to protect your apps and data from datacenter outages and maintenance events.
Security type refers to the different security features available for a virtual machine. Features like Trusted launch (Secure Boot plus a virtual TPM) and Confidential virtual machines improve the security of Azure generation 2 virtual machines. The portal notes that these additional security features have some limitations, listed at the time of writing as not supporting backup, managed disks, and ephemeral OS disks; the supported-features list changes often, so check the current documentation before choosing a type for a production workload. Under Image, choose the base operating system or application for the VM; I am fine with Ubuntu OS for testing.
Azure Spot offers unused Azure capacity at a discounted rate versus pay-as-you-go prices. Workloads should be tolerant to infrastructure loss, as Azure may recall the capacity for pay-as-you-go workloads. Select a VM size to support the workload that you want to run. The size that you choose determines factors such as processing power, memory, and storage capacity. Azure offers a wide variety of sizes to support many types of uses, and charges an hourly price based on the VM's size and operating system.
In the Administrator account section, choose whether the administrator account will use a username/password or SSH keys for authentication. I am selecting Authentication type as Password. If you choose SSH public key instead, Azure can automatically generate an SSH key pair for you and store it for future use; it is a fast, simple, and secure way to connect to your virtual machine. For anything beyond a throwaway lab, prefer SSH keys: a password-only Linux admin account is exactly what brute-force scanners look for, even though with Public IP set to None (see the Networking tab below) this VM is not reachable from the internet at all. Provide the administrator username for the VM; the value must not be empty, must contain only letters, numbers, hyphens, and underscores, may not start with a hyphen or number, and must be between 1 and 64 characters long. Then provide and confirm the administrator password.
In the Disks tab: Azure VMs have one operating system disk and a temporary disk for short-term storage, and you can attach additional data disks. The size of the VM determines the type of storage you can use and the number of data disks allowed. Under Disk options, OS disk type lets you choose between the Azure managed disk types to suit your workload or scenario; I am good with Standard SSD (locally-redundant storage). Encryption type is (Default) Encryption at-rest with a platform-managed key. Enable Ultra Disk compatibility refers to Azure Ultra Disks, which deliver high throughput, high IOPS, and consistently low-latency disk storage for Azure IaaS VMs; they are suited for data-intensive workloads such as SAP HANA, top-tier databases, and transaction-heavy workloads. Turning this capability on results in a reservation charge, which is only imposed if you enable Ultra Disk capability on the VM without attaching an Ultra Disk.
Under Data disks you can add and configure additional data disks for your virtual machine or attach existing disks. The VM also comes with a temporary disk. For best performance, reliability, scalability and access control, Azure Managed Disks are recommended for most virtual machine configurations; use unmanaged disks only if you need to support certain classic scenarios or want to manage disk VHDs in your own storage account. Ephemeral OS disks are created on the local virtual machine (VM) storage and are not persisted to remote Azure Storage; they can be stored on the VM cache or the VM temp/resource disk if sufficient space is available.
Click Next: Networking > button.
In the Networking tab, define network connectivity for your virtual machine by configuring the network interface card (NIC) settings. You can control ports and inbound and outbound connectivity with security group rules, or place the VM behind an existing load balancing solution. Virtual networks are logically isolated from each other in Azure. You can configure their IP address ranges, subnets, route tables, gateways, and security settings, much like a traditional network in your data center. Virtual machines in the same virtual network can reach each other by default. Select the existing Virtual Network for this VM as given in the table above.
Subnet is a range of IP addresses in your virtual network, which can be used to isolate virtual machines from each other or from the Internet. Use a public IP address if you want to communicate with the virtual machine from outside the virtual network.
Public IP is set to None. A NIC network security group (NSG) contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, the virtual machine. To simplify management of security rules, it is recommended that you associate a network security group with individual subnets rather than with individual network interfaces within the subnet whenever possible. Here it is left at the default Basic option.
Public inbound ports: by default, access to the virtual machine is restricted to sources in the same virtual network and to traffic from Azure load balancing solutions. Select None to keep it that way, or choose to allow traffic from the public internet to one of the listed common ports. With no public IP there is nothing for an internet-facing rule to reach, so None is the right choice here. You can also enable Accelerated networking for low latency and high throughput on the network interface.
Under Load balancing you can place this virtual machine in the backend pool of an existing Azure load balancing solution. I am not selecting "Place this virtual machine behind an existing load balancing solution?".
Click Next: Management > button.
Configure monitoring and management options for your VM in the Management tab. Azure Security Center (now Microsoft Defender for Cloud) provides unified security management and advanced threat protection across hybrid cloud workloads; the subscription is protected by the Azure Security Center basic plan.
Under Monitoring, Boot diagnostics lets you troubleshoot boot failures for custom or platform images. Boot diagnostics with a managed storage account significantly improves VM creation time by using pre-provisioned storage accounts managed by Microsoft. Here I am keeping the option disabled for this lab. Enable OS guest diagnostics collects metrics every minute for your virtual machine; you can use them to create alerts and stay informed about your applications.
Identity option System Assigned managed identity enables Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based access control. The lifecycle of this type of managed identity is tied to the lifecycle of this resource. Additionally, each resource (e.g. Virtual Machine) can only have one system assigned managed identity.
Login with Azure AD (Microsoft Entra ID) lets you use your corporate directory credentials to log in to the VM, enforce MFA, and control access via RBAC roles. A role assignment of Virtual Machine Administrator Login or Virtual Machine User Login is required when using Azure AD login. Azure AD login now uses SSH certificate-based authentication, so you will need an SSH client that supports OpenSSH certificates; you can use the Azure CLI or Cloud Shell from the Azure Portal.
Enable Auto-shutdown allows you to configure your virtual machine to shut down automatically every day.
Guest OS updates: the Patch orchestration options control how patches are applied to your virtual machine.
Click Next: Advanced >.
In the Advanced tab you add additional configuration, agents, scripts or applications via virtual machine extensions or cloud-init. Extensions provide post-deployment configuration and automation; use them to add new features, like configuration management or antivirus protection, to your virtual machine. VM applications (preview) contain application files that are securely and reliably downloaded to your VM after deployment, together with an install and an uninstall script, so you can easily add or remove applications on the VM after creation.
Custom data and cloud-init: pass a cloud-init script, configuration file, or other data into the virtual machine while it is being provisioned. The data is saved on the VM in a known location, and on the selected image custom data is processed by cloud-init.
User data: pass a script, configuration file, or other data that will be accessible to your applications throughout the lifetime of the virtual machine. Do not use user data for storing secrets or passwords; it is readable from inside the VM without authentication.
Host: Azure Dedicated Hosts allow you to provision and manage a physical server within Azure data centers that is dedicated to your subscription. A dedicated host gives you the assurance that only VMs from your subscription are on the host, the flexibility to choose which VMs from your subscription are provisioned on the host, and control of platform maintenance at the level of the host. Select a host group, then choose a host from within that group; the host group must be in the same region and availability zone as the VM you are creating.
Proximity placement groups allow you to group Azure resources physically closer together in the same region. A Proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close to each other. Proximity placement groups are useful for workloads where low latency is a requirement.
Click Next: Tags >, define tags, then click Review + Create.
Validation should pass; click the Create button. The deployment starts and shows its progress.
Once the Azure VM is created, check the Resource group to confirm the VM was created successfully.
In the same way I have created another VM in the same region using a different Virtual Network.
This is the third Virtual Machine, created in another region with the Virtual Network selected as per the table. In the next article I will configure Azure Firewall Manager and Policy.
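The portal walkthrough above is hard to repeat exactly three times, so here is the same procedure as an Azure CLI script. This is an added example, not code from the original post. It assumes a resource group named rg-vwan-lab, an admin user azureuser, an existing ed25519 public key, and the Standard_B1s size; none of those appear in the article, and the three vNets and subnets from the table must already exist (Part 1). It mirrors the portal choices: Ubuntu image, Trusted launch, SSH key authentication instead of the password I used above, the static private IP from the table, Public IP None, a subnet-level NSG (as the portal recommends) that admits SSH only from inside the virtual network, a Standard SSD LRS OS disk, and a cloud-init custom-data file that turns off password logins over SSH. DRY_RUN=1 (the default) prints the az commands instead of running them so the plan can be reviewed before anything is deployed.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): Azure CLI equivalent of the portal steps.
# Assumed names (not in the article): rg-vwan-lab, azureuser, ~/.ssh/id_ed25519.pub, Standard_B1s.
set -eu

RG="${RG:-rg-vwan-lab}"
ADMIN_USER="${ADMIN_USER:-azureuser}"
SSH_PUBKEY="${SSH_PUBKEY:-$HOME/.ssh/id_ed25519.pub}"
VM_SIZE="${VM_SIZE:-Standard_B1s}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them

# One row per VM, taken from the table: name|location|vnet|subnet|private IP
VM_TABLE='vm1-vnet1-westus|westus|vnet1-westus|subnet1-vnet1-westus|10.0.0.4
vm1-vnet2-westus|westus|vnet2-westus|subnet1-vnet2-westus|10.1.0.4
vm1-vnet3-westeurope|westeurope|vnet3-westeurope|subnet1-vnet3-westeurope|10.2.0.4'

# Custom data (Advanced tab): processed by cloud-init on Ubuntu. Disables password SSH
# logins so the key-based admin account stays the only way in.
CLOUD_INIT="$(mktemp)"
printf '%s\n' '#cloud-config' 'ssh_pwauth: false' 'package_update: true' > "$CLOUD_INIT"

run() {   # print the command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Subnet-level NSG: SSH allowed only from the VirtualNetwork service tag, nothing from the internet.
nsg_cmds() {   # $1 location  $2 vnet  $3 subnet
  local nsg="nsg-$3"
  printf '%s\n' \
    "az network nsg create -g $RG -n $nsg -l $1" \
    "az network nsg rule create -g $RG --nsg-name $nsg -n allow-ssh-from-vnet --priority 100 --direction Inbound --access Allow --protocol Tcp --source-address-prefixes VirtualNetwork --destination-port-ranges 22" \
    "az network vnet subnet update -g $RG --vnet-name $2 -n $3 --network-security-group $nsg"
}

# az vm create mirroring the portal choices. --public-ip-address "" is Public IP = None,
# --nsg "" skips the NIC-level NSG so only the subnet NSG above applies.
vm_create_cmd() {   # $1 name  $2 location  $3 vnet  $4 subnet  $5 private IP
  printf '%s\n' "az vm create -g $RG -n $1 -l $2 --image Ubuntu2204 --size $VM_SIZE \
--security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true \
--admin-username $ADMIN_USER --authentication-type ssh --ssh-key-values $SSH_PUBKEY \
--vnet-name $3 --subnet $4 --private-ip-address $5 --public-ip-address \"\" --nsg \"\" \
--storage-sku StandardSSD_LRS --custom-data $CLOUD_INIT"
}

# Reachability check for later in the series: ping a peer's private IP from inside a VM
# through run-command, so no public IP or inbound port is ever needed for testing.
ping_check_cmd() {   # $1 source VM  $2 target private IP
  printf '%s\n' "az vm run-command invoke -g $RG -n $1 --command-id RunShellScript --scripts \"ping -c 3 -W 2 $2\""
}

deploy_all() {   # NSG (3 commands) + VM (1 command) for every row of the table
  printf '%s\n' "$VM_TABLE" | while IFS='|' read -r name loc vnet subnet ip; do
    nsg_cmds "$loc" "$vnet" "$subnet" | while IFS= read -r cmd; do run "$cmd"; done
    run "$(vm_create_cmd "$name" "$loc" "$vnet" "$subnet" "$ip")"
  done
}

deploy_all
run "$(ping_check_cmd vm1-vnet1-westus 10.1.0.4)"
run "$(ping_check_cmd vm1-vnet1-westus 10.2.0.4)"
```

Run it once with the default DRY_RUN=1 to read the twelve generated commands, then `DRY_RUN=0 ./create-vms.sh` after `az login`. The ping checks at the end will only succeed once the hub connections and routing from the later parts of the series are in place; until then they are a useful negative test that the vNets are still isolated.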