Tag Archives: Azure Iaas

#Azure : Virtual Machine Configuration

Once you have decided, based on your requirements, to use Azure IaaS virtual machines, the next thing to look at is the configuration. A resource group is required to create any resource in Microsoft Azure. Let's see the configuration of a virtual machine.

Log in to the Microsoft Azure Portal and select “+ Create a resource”. Select Compute and then select the OS that needs to be deployed as part of the VM. In my case, I am deploying “Windows Server 2016 Datacenter”.

In the first step, define the basic settings as required.

Name = Name of the virtual machine; the same name is applied as the host name.

VM disk type = Either HDD or SSD

User name = Default administrator user name

Password = Password for the administrative user

Confirm password = Confirm the password for the administrative user

Subscription = Select the subscription from which the VM cost will be deducted

Resource group = Either “Create new” or “Use existing”

Location = Select the Azure region

Windows license = Select “Yes” if you already have a Windows license, otherwise “No”

Finally, select “OK”.

In the second step, select the VM size based on your requirements. You can sort the VM sizes by disk type, vCPUs and memory.

In the third step, configure the optional features.

High availability = If you are deploying multiple VMs in HA mode, create an “Availability set” and define the fault and update domains as needed.

Storage = If you would like to use disks managed by Microsoft, select “Yes” for the “Use managed disks” option. Otherwise select “No”; if you select “No”, you need to define a storage account.

Network = Select the virtual network for the VM. If you don't have one, a new one is created for you by default, but you can still define your own virtual network and use that instead.

Subnet = Select the subnet; an IP address for the VM is assigned from this subnet.

Public IP address = Use a public IP address if you want to access this VM directly through the internet. Otherwise select “None” here.

Network security group = Use a network security group if you would like to allow or deny network traffic at the VM level.

Extensions = If you need any extensions as part of the VM deployment, add them here, such as PowerShell DSC, Custom Script Extension etc.

Auto-shutdown = Either “On” or “Off”; define the time and time zone based on your needs.

Notification before shutdown = Either “On” or “Off”

Monitoring = Either “Enabled” or “Disabled” for boot and guest OS diagnostics. If you enable diagnostics, you need a storage account for them; you can either create this diagnostics storage account or use an existing one.

Backup = Either “Enabled” or “Disabled”. If you enable the backup option, you need to define a “Recovery Services vault”, a resource group (for the Recovery Services vault) and a backup policy.

Once done, select OK.

In the fourth step, review the whole configuration and select “Create” to start the deployment process.

Wait a couple of minutes and your VM will be available for use. If you would like to reuse the VM configuration as-is, or reuse it with customization, select “Download template and parameters” for future deployments.
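The same deployment can be scripted instead of clicked through. The block below is an added example and is not from the original post; it uses the Az PowerShell module (the post predates it and uses the portal only). The resource group, VNet, NSG and VM names, the address ranges, the management source range and the diagnostics storage account are placeholders chosen for this example. It makes the two choices a security engineer would make at this stage explicit: “Public IP address = None”, and an NSG that admits RDP only from the management range rather than from the whole internet. The last line is the scripted equivalent of “Download template and parameters”.

```powershell
# Added example (not from the original post): the portal walkthrough above, scripted with the Az module.
# All names, address ranges and the diagnostics storage account below are placeholders.
Connect-AzAccount                                  # interactive sign-in
Set-AzContext -SubscriptionId '<subscription-id>'  # subscription the VM cost is billed to

$rgName     = 'rg-demo-vm'
$location   = 'westeurope'
$vmName     = 'demovm01'            # also becomes the Windows host name
$adminRange = '203.0.113.0/24'      # placeholder management range (TEST-NET-3)

New-AzResourceGroup -Name $rgName -Location $location

# Network: subnet, VNet, and an NSG with a single inbound rule (RDP from the management range only).
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-servers' -AddressPrefix '10.10.1.0/24'
$vnet   = New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rgName -Location $location `
            -AddressPrefix '10.10.0.0/16' -Subnet $subnet

$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-mgmt' -Priority 100 `
             -Direction Inbound -Access Allow -Protocol Tcp `
             -SourceAddressPrefix $adminRange -SourcePortRange '*' `
             -DestinationAddressPrefix '*' -DestinationPortRange 3389
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-servers' -ResourceGroupName $rgName `
         -Location $location -SecurityRules $rdpRule

# NIC with the NSG attached and no public IP: the portal's "Public IP address = None".
$nic = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rgName -Location $location `
         -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id

# Local administrator credential: prompt for it rather than embedding the password in the script.
$cred = Get-Credential -Message 'Local administrator for the VM'

# VM definition: size, Windows Server 2016 Datacenter image, managed OS disk, boot diagnostics.
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3' |
  Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate |
  Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2016-Datacenter' -Version 'latest' |
  Set-AzVMOSDisk -Name "$vmName-osdisk" -CreateOption FromImage -StorageAccountType 'Premium_LRS' |
  Add-AzVMNetworkInterface -Id $nic.Id |
  Set-AzVMBootDiagnostic -Enable -ResourceGroupName $rgName -StorageAccountName '<existing-diag-storage-account>'

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Equivalent of "Download template and parameters": export the deployed resources as an ARM template.
Export-AzResourceGroup -ResourceGroupName $rgName -Path (Join-Path $PWD "$rgName-template.json")
```

With no public IP, the VM is reached over the VNet (for example through a VPN, a jump host or a bastion), so the NSG rule only matters for traffic that already arrives inside the network; if you do attach a public IP later, keep the source range restricted.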


#AzureAD : Application Proxy

I believe many of you have heard about reverse proxies multiple times in your IT career. If you have ever published a web application through a reverse proxy, you can easily understand the complexity and pain behind it. To publish a web application, you would have worked with multiple teams to fulfil security, network and DMZ requirements. Azure AD makes it quite simple for us: you just need to enable Application Proxy, download and install the connector, and finally publish your internal web application. To run this application proxy connector, you need a Windows server with either Windows Server 2012 R2 or Windows Server 2016, and you should keep this VM as a standalone machine. So now, let's have a look at how to do it.

Log in to the Azure Portal from the application proxy VM, go to Azure Active Directory and then to Application proxy to download the connector.

A web browser will open; accept the terms and conditions and download the tool.

Once the tool is downloaded, run it, agree to the license terms and conditions and click on Install.

Now the AAD Application Proxy Connector installation will start.

Log in to Azure AD with your AAD admin account to complete the installation.

Now the installation will progress further and finish in a few minutes.

Now, go to the Azure portal and enable Application Proxy.

Once that is done, you will find your application proxy connector in Active status.

Now it is time to publish your internal application. Go to Enterprise applications under Azure AD.

Click on “On-premises application”.

Enter your internal URL and save the settings. Note down the external URL; that is the address used to access this application.

Select “Assign a user for testing”.

Add users, define their roles and click on Assign.

Once you are done, wait for some time. Then access your application from the internet by using the external URL. You can also publish this app through the My Apps portal, the same way we publish enterprise apps from the gallery.

Now you can see that I am able to access my intranet portal. (I am not a developer; however, I tried to modify the default IIS page.)

If you have MFA enabled for your users, you can leverage it as an additional layer of security for your internal web applications as well.
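The publishing steps above can also be done from PowerShell, which is handy when you have more than one application to publish or want the settings in source control. The block below is an added example and is not part of the original post; it uses the AzureAD PowerShell module, and the application name, internal and external URLs and the test user are placeholders. The service names in the first step are the ones the connector package installs. The security-relevant choice is `AadPreAuthentication`: Azure AD authenticates the user, and can enforce MFA or Conditional Access, before any request is forwarded to the connector, which is what makes the MFA remark above work.

```powershell
# Added example (not from the original post): the Application Proxy publishing steps with the AzureAD module.
# Application name, URLs and the test user below are placeholders.

# 1. On the connector VM: confirm the connector and its updater service are running.
Get-Service -Name 'WAPCSvc', 'WAPCUpdaterSvc' | Select-Object Name, Status, StartType

# 2. From an admin workstation: sign in and check that the connector is registered and active.
Connect-AzureAD
Get-AzureADApplicationProxyConnector | Select-Object MachineName, ExternalIp, Status

# 3. Publish the internal site with Azure AD pre-authentication (MFA / Conditional Access apply here).
$app = New-AzureADApplicationProxyApplication `
         -DisplayName 'Intranet Portal' `
         -InternalUrl 'http://intranet.corp.contoso.com/' `
         -ExternalUrl 'https://intranet-contoso.msappproxy.net/' `
         -ExternalAuthenticationType AadPreAuthentication

# 4. Require an assignment to use the app, then assign the test user
#    ([Guid]::Empty selects the default access role).
$appReg = Get-AzureADApplication -ObjectId $app.ObjectId
$sp     = Get-AzureADServicePrincipal -Filter "appId eq '$($appReg.AppId)'"
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

$user = Get-AzureADUser -ObjectId 'testuser@contoso.com'
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
                                 -ResourceId $sp.ObjectId -Id ([Guid]::Empty)

# The external URL to hand to the tester.
$app.ExternalUrl
```

If you ever switch `-ExternalAuthenticationType` to `Passthru`, the pre-authentication step disappears and the internal application is exposed to anonymous requests from the internet, so keep pre-authentication unless the application has its own strong authentication.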

#Azure – Resource groups, Access control (IAM)

Resource groups in Microsoft Azure are logical containers that help customers manage multiple resources in a structured manner. When you deploy multiple resources in a logical container, it is necessary to consider the security measures as well. Resource groups provide an option to manage access through Access control (IAM).

It offers multiple pre-defined RBAC (role-based access control) roles. When you create a new subscription for the first time in Microsoft Azure, Azure by default creates an Azure Active Directory and associates the subscription with it. For example, if I create my subscription with the email address xyz@hotmail.com, then an Azure Active Directory named xyzhotmail is created in the background. Going forward, you can add multiple subscriptions into it.

However, once you are logged in to Microsoft Azure, you can switch between directories if you have multiple. But keep in mind that one subscription belongs to only one directory in Azure, while one directory can be associated with multiple subscriptions.

RBAC roles can be assigned to the users and groups that are part of the associated Azure Active Directory. Groups can be created in Azure Active Directory, while users can either be created in Azure Active Directory or be invited with their public email addresses.

Here is the list of built-in roles and the one-line descriptions provided by Microsoft Azure.

Role name - Description

API Management Service Contributor - Can manage API Management service and the APIs
API Management Service Operator Role - Can manage API Management service, but not the APIs themselves
API Management Service Reader Role - Read-only access to API Management service and APIs
Application Insights Component Contributor - Can manage Application Insights components
Automation Operator - Able to start, stop, suspend, and resume jobs
Backup Contributor - Can manage backup in Recovery Services vault
Backup Operator - Can manage backup except removing backup, in Recovery Services vault
Backup Reader - Can view all backup management services
Billing Reader - Can view all billing information
BizTalk Contributor - Can manage BizTalk services
ClearDB MySQL DB Contributor - Can manage ClearDB MySQL databases
Contributor - Can manage everything except access
Data Factory Contributor - Can create and manage data factories, and child resources within them
DevTest Labs User - Can view everything and connect, start, restart, and shutdown virtual machines
DNS Zone Contributor - Can manage DNS zones and records
Azure Cosmos DB Account Contributor - Can manage Azure Cosmos DB accounts
Intelligent Systems Account Contributor - Can manage Intelligent Systems accounts
Logic App Contributor - Can manage all aspects of a Logic App, but not create a new one
Logic App Operator - Can start and stop workflows defined within a Logic App
Monitoring Reader - Can read all monitoring data
Monitoring Contributor - Can read monitoring data and edit monitoring settings
Network Contributor - Can manage all network resources
New Relic APM Account Contributor - Can manage New Relic Application Performance Management accounts and applications
Owner - Can manage everything, including access
Reader - Can view everything, but can't make changes
Redis Cache Contributor - Can manage Redis caches
Scheduler Job Collections Contributor - Can manage scheduler job collections
Search Service Contributor - Can manage search services
Security Manager - Can manage security components, security policies, and virtual machines
Site Recovery Contributor - Can manage Site Recovery in Recovery Services vault
Site Recovery Operator - Can manage failover and failback operations of Site Recovery in Recovery Services vault
Site Recovery Reader - Can view all Site Recovery management operations
SQL DB Contributor - Can manage SQL databases, but not their security-related policies
SQL Security Manager - Can manage the security-related policies of SQL servers and databases
SQL Server Contributor - Can manage SQL servers and databases, but not their security-related policies
Classic Storage Account Contributor - Can manage classic storage accounts
Storage Account Contributor - Can manage storage accounts
Support Request Contributor - Can create and manage support requests
User Access Administrator - Can manage user access to Azure resources
Classic Virtual Machine Contributor - Can manage classic virtual machines, but not the virtual network or storage account to which they are connected
Virtual Machine Contributor - Can manage virtual machines, but not the virtual network or storage account to which they are connected
Classic Network Contributor - Can manage classic virtual networks and reserved IPs
Web Plan Contributor - Can manage web plans
Website Contributor - Can manage websites, but not the web plans to which they are connected

Source: Microsoft

Now you should know how permissions work here. There are three basic RBAC roles that apply to all resource types.

Owner: As the name suggests, has full access to all resources and the right to delegate access to others.

Contributor: Can read, write/create and manage resources, but can't delegate rights to others.

Reader: Can view existing resources but can't make any changes.

Now, let's look at inheritance. As with other Microsoft technologies, permission inheritance works downwards here.

It means Subscription → Resource groups → Resources.

If the pre-defined RBAC roles do not fulfil your requirements, you can create your own custom roles through Azure PowerShell, Azure CLI or the REST API.
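Here is what that looks like in practice with Azure PowerShell. The block below is an added example and is not from the original post; it uses the Az module, and the custom role name, the Azure AD group and the resource group are placeholders. It first shows why Contributor cannot delegate (its built-in definition lists the `Microsoft.Authorization` write and delete actions under `NotActions`), then defines a narrow custom role, assigns it to a group at resource-group scope, and finally lists the assignments visible at that scope, which also include anything inherited from the subscription.

```powershell
# Added example (not from the original post): custom RBAC role and scoped assignment with the Az module.
# Role name, group name and resource group are placeholders; the subscription id is read from the session.
Connect-AzAccount
$subId  = (Get-AzContext).Subscription.Id
$rgName = 'rg-demo'

# Why Contributor "can't delegate rights to others": the built-in role excludes these actions.
(Get-AzRoleDefinition -Name 'Contributor').NotActions
# Owner carries no such exclusion; User Access Administrator grants only Microsoft.Authorization/*.

# A least-privilege custom role: start, restart and deallocate VMs, read everything else needed, nothing more.
$roleJson = @"
{
  "Name": "VM Operator (custom)",
  "IsCustom": true,
  "Description": "Start, restart and deallocate virtual machines; read-only otherwise.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subId" ]
}
"@
$roleFile = Join-Path $env:TEMP 'vm-operator-role.json'
Set-Content -Path $roleFile -Value $roleJson
New-AzRoleDefinition -InputFile $roleFile

# Assign the role to an Azure AD group (not to individual users) at resource-group scope.
$group = Get-AzADGroup -DisplayName 'VM Operators'
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'VM Operator (custom)' -ResourceGroupName $rgName

# Inheritance check: assignments listed at the resource group include those made at subscription scope.
Get-AzRoleAssignment -ResourceGroupName $rgName |
  Select-Object DisplayName, RoleDefinitionName, Scope
```

Because permissions flow downwards, an Owner or Contributor assignment at the subscription level applies to every resource group and resource underneath it, so the last command is the quickest way to see who effectively has access to a group regardless of where the assignment was made.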

#Azure – Base Operating System

Microsoft Azure supports multiple base operating systems for VMs. There are many other supported scenarios where you get the base OS together with an application from the portal itself, or you can use your own customized image, either for the base OS only or for the base OS with an application. In this blog post, I'll cover the list of base operating systems available for VMs.

List of supported operating systems in Microsoft Azure:

Operating Systems - Provided By

Windows Server 2016 (Datacenter, Datacenter – Server Core, Nano Server, with Containers)
Windows Server 2012 R2 (Datacenter, Essentials)
Windows Server 2012 Datacenter
Windows Server 2008 R2 SP1
Ubuntu Server
Red Hat Enterprise Linux 7 - Red Hat
SUSE Linux Enterprise Server
Debian Linux
Oracle Linux 7
CentOS-based 7.3 - Rogue Wave Software
Container Linux by CoreOS
FreeBSD 10.3
Clear Linux OS - Clear Linux Project
openSUSE Leap 42.2
Windows 7 Enterprise N with SP1 (x64)
Windows 8.1 Enterprise N (x64)

Free*: OS price is included in the VM pricing.

BYOL: Bring your own license.

Paid: Additional OS cost will be added.

Note: The above information is accurate at the time of writing this blog. The list can be modified at any time by Microsoft, so its accuracy is not guaranteed for future use.
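Since the list changes, the reliable way to know what is available today is to ask the marketplace itself. The block below is an added example and is not part of the original post; it uses the Az module, and the publisher IDs are the marketplace identifiers I know for the vendors in the table above (they, too, can change). For each SKU it fetches the latest version and reports whether the image carries a purchase plan, which is the property behind the Free/BYOL/Paid legend: images with a marketplace charge have one, plain OS images do not.

```powershell
# Added example (not from the original post): query the current image catalogue with the Az module.
# Publisher IDs are marketplace identifiers known at the time of writing this example and may change.
$location   = 'westeurope'
$publishers = 'MicrosoftWindowsServer', 'Canonical', 'RedHat', 'SUSE', 'credativ', 'Oracle', 'OpenLogic'

$publishers | ForEach-Object {
  $pub = $_
  Get-AzVMImageOffer -Location $location -PublisherName $pub | ForEach-Object {
    Get-AzVMImageSku -Location $location -PublisherName $pub -Offer $_.Offer
  } | ForEach-Object {
    # Latest version of each SKU; PurchasePlan is populated when the image carries a marketplace charge.
    $latest = Get-AzVMImage -Location $location -PublisherName $pub -Offer $_.Offer -Skus $_.Skus |
                Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    $detail = Get-AzVMImage -Location $location -PublisherName $pub -Offer $_.Offer `
                -Skus $_.Skus -Version $latest.Version
    [pscustomobject]@{
      Publisher       = $pub
      Offer           = $_.Offer
      Sku             = $_.Skus
      LatestVersion   = $latest.Version
      HasPurchasePlan = [bool]$detail.PurchasePlan
    }
  }
} | Format-Table -AutoSize
```

Pinning a deployment to a specific `Version` rather than `latest` is the usual way to keep the OS image reproducible between environments; the `LatestVersion` column tells you what `latest` would resolve to today.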

#Azure – Resource Group

Microsoft Azure is one of the leading cloud platforms and is growing continuously. This post covers the resource group concept, which is an integral part of any resource in Azure IaaS. The Microsoft Azure platform is spread across multiple geographical locations, and once you create any resource in Azure IaaS, it belongs to the particular region that you selected at the time of deployment.

In layman's terms, a resource group is nothing but a logical container that makes your life easier after deploying multiple resources. Let's take the example of a virtual machine. When you create a virtual machine, you can observe that it is a combination of multiple resources such as compute, storage, networking etc. In a traditional datacenter you can touch and feel these items; in the case of a virtual machine you can think of your CPU cores and memory as your compute, virtual hard disks as your storage and virtual networks as your networking components. As you know, each resource in a virtual machine complements the others, and it is advisable to keep all of them in a single pool for better interaction. Once you create these resources, such as a storage account or virtual network, you specify a resource group and a location. If you select an existing resource group, the location is selected by default as per the resource group.

Now, let's discuss the same thing in technical language. A resource group allows you to create and manage multiple resources in a single container so that you can manage them easily by grouping them together. By default, the resources in a resource group belong to the same region where the resource group is located, but you can still change a resource's location if you want. This makes sure that multiple resources are located near each other to provide better performance. With the help of a resource group, you can deploy, update and delete multiple resources within the resource group with a single click or a few clicks. A resource group gives you the ability to secure your resources by configuring user and administrator roles through “Access control (IAM)”. There are many other useful features such as policies, monitoring etc. that you can explore by playing with it.

Now let's see how to create a resource group.

Go to https://portal.azure.com and click on “Resource groups”.

Click on “Add” to create a new resource group.

Fill in the required information: the “Resource group name”, the “Subscription” and the “Resource group location”.

Once the resource group has been created, you can see multiple options such as “Access control”, “Resource costs”, “Policies” etc.

To understand it better, take the example of a cluster/pool. Multiple components such as VMs, storage pools and virtual networks make up a single cluster/pool, and if you need to manage these components it is always better to keep them in a single place, called a resource group, so that you have a single view both from the application point of view (such as a cluster manager) and from the baseline infrastructure point of view (the resource group). Now, you should start playing with it to learn more about each option given under the resource group.
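The portal steps above, scripted with the Az PowerShell module, as an added example that is not part of the original post. The group name, location and tags are placeholders. The second command is the check a practitioner wants after the discussion of regions: it shows where the group's resources actually live, since the group's location is only the default. The last command previews the “delete everything in one go” behaviour without performing it, which is worth knowing before you rely on it.

```powershell
# Added example (not from the original post): resource group creation and two checks with the Az module.
# Group name, location and tags are placeholders.
Connect-AzAccount

# Tags give every resource in the group an owner and environment for cost and access reviews later.
New-AzResourceGroup -Name 'rg-demo' -Location 'westeurope' -Tag @{ owner = 'platform-team'; env = 'demo' }

# Resources default to the group's region but may be placed elsewhere: list the spread by location.
Get-AzResource -ResourceGroupName 'rg-demo' |
  Group-Object Location |
  Select-Object Name, Count

# Deleting the group deletes everything inside it; -WhatIf shows the action without executing it.
Remove-AzResourceGroup -Name 'rg-demo' -WhatIf
```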

#Skype4b: Key planning considerations for SfB on Azure IaaS Part III

Part I and Part II of this blog post series cover the basics of key design considerations, typical server configuration in a traditional datacenter environment, Azure IaaS nomenclature and the mapping of Azure IaaS components to traditional datacenter components. This part covers the limitations of Azure IaaS for Skype for Business Server.

First, let me describe the Skype for Business role-wise limitations.

Skype for Business Server Role - Limitations on Azure IaaS
Front End - Technically feasible
Back End - Supported
Mediation - Technically not feasible
Director - Technically feasible
Persistent Chat - Technically feasible
Video Interop - Technically not feasible
Edge - Technically not feasible

Supported: A server role such as the Back End server is fully supported because it uses SQL Server in the background, and SQL Server is a supported application on Azure IaaS.

Technically feasible: Server roles that can be deployed, but for which no performance study data exists.

Technically not feasible: Server roles whose recommended configuration can't be met on Azure IaaS. However, technically you may still deploy these roles on Azure IaaS VMs.

The “technically not feasible” server roles mentioned above fall short mostly because of network configuration. As everybody knows, Lync/Skype for Business is a network-intensive application, and the network requirements for a Skype for Business deployment are a little complex. The following are the key limitations of a Skype for Business deployment on Azure IaaS:

  • Not all VM types support more than one NIC. If you don't select the right VM size in the beginning, you will have to redeploy the VM to support more than one NIC.
  • Azure IaaS doesn't support multiple VNets for a single VM.
  • Quality of Service can't be configured, as you can't access the network switches deployed in the Azure datacenter.
  • Enterprise Voice can't be configured.
  • Video Interop Server configuration is difficult if you have your Skype for Business infrastructure on Azure IaaS.

Though this functionality may be enabled in future, it is not available as of now. Therefore, Microsoft doesn't recommend or support Lync / Skype for Business deployment on Azure IaaS.
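The first limitation is the one you can check before deploying anything, and the check below is an added example that is not from the original post. It uses the Az module's `Get-AzComputeResourceSku`, which returns each VM size with a list of capabilities; the capability name `MaxNetworkInterfaces` is the one I expect to carry the NIC limit, and the region is a placeholder. Filtering on it gives you the sizes that can take more than one NIC in your region, so the size is right the first time rather than after a redeployment.

```powershell
# Added example (not from the original post): list VM sizes in a region that support more than one NIC.
# Assumes the Az module; 'MaxNetworkInterfaces' is the capability name expected to hold the NIC limit.
$location = 'westeurope'

Get-AzComputeResourceSku -Location $location |
  Where-Object { $_.ResourceType -eq 'virtualMachines' } |
  ForEach-Object {
    $caps = @{}
    foreach ($c in $_.Capabilities) { $caps[$c.Name] = $c.Value }
    [pscustomobject]@{
      Size     = $_.Name
      vCPUs    = [int]$caps['vCPUs']
      MemoryGB = [double]$caps['MemoryGB']
      MaxNics  = [int]$caps['MaxNetworkInterfaces']
    }
  } |
  Where-Object { $_.MaxNics -gt 1 } |
  Sort-Object MaxNics, vCPUs -Descending |
  Format-Table -AutoSize
```

The same list also tells you which sizes are available in the region at all, which matters because a size that exists in one region may be missing from another.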

#Skype4b: Key planning considerations for SfB on Azure IaaS – Part II

Part I of this blog post series covers the basics of key design considerations and typical server configuration in a traditional datacenter environment. Now, let's discuss first things first.

Create a mind map or sketch a rough design diagram of the Skype for Business deployment and collect all the information you need to size the application.

Create a rough Bill of Materials and Bill of Quantities, in your mind or noted down somewhere.

Create a list of things you need to finish the deployment process, such as DNS and certificate requirements.

Look at end-user connectivity as well, because at the end of the day end users have to consume these services.

Now, start mapping the components of your rough design diagram to Azure IaaS components.

Traditional datacenters and Azure IaaS use the same logic but different naming conventions. The table below shows the mapping of traditional datacenter components to Azure IaaS services/components.

Traditional Datacenter → Azure IaaS

Server – Physical / Virtual Machine → Server – Virtual Machine
Storage – External (SAN/NAS) / Internal → Storage – Storage Account and Disks
Network – NIC and LAN → Network – NIC and VNet
Load Balancer → Load Balancer
(not listed) → Network Security Group
Reverse Proxy → Reverse Proxy
Voice Gateway → (not listed)

Based on the table above, it looks simple. But in reality it is not. There are many limitations that you will run into while deploying Lync / Skype for Business on Azure IaaS. For now, you should get familiar with all the terminology. The next part of this blog post will cover the limitations and describe why Microsoft does not recommend Lync / Skype for Business on Azure IaaS.