Ins and Outs: Azure Input Endpoints

Go ahead, say that three times fast! Yes, it’s a tongue twister and when it comes to virtual machines and cloud services, it can be a bit of mind-bender too.  (If you haven’t had a chance to read my previous posts about Cloud Services for IaaS and Virtual Networks and DHCP, you might want to check those out for background.)

In a nutshell, input endpoints are openings in your cloud service firewall.

Because a cloud service has only one external IP address, port forwarding is used to direct various access requirements to the right location.

In this screen shot, you can see that my single cloud service (with a public IP of 137.135.42.10) has four endpoints open, two for the server named “sabina” and two for “franka”.

In this case, the port numbers were randomly assigned and as this is a Windows Server the default ports are for RDP and PowerShell.

By looking at the specific endpoints assigned to “Franka”, we can se that Remote Desktop is using the public port 58155 and PowerShell is using 58392.

Because this Windows Server was spun up using the image from the Azure gallery, I can trust that the Windows Firewall on the OS has the appropriate rules open to allow traffic that is passed through the Azure endpoints to be received by the server.

If I was to add on a different service, like HTTP or FTP, I would need add the endpoint to Azure AND add the appropriate rules to server OS, so it will listen on the proper port. When creating a new endpoint, Azure will suggest the default port numbers, but they can be customized easily.

An important point to remember is that opening the endpoint in Azure won’t guarantee your server will be accessible via that protocol.  You must open the corresponding listener port from within your operating system. This is critical if you are bring your own server image to Azure, as it’s important to make sure that RDP (or your management protocol of choice) is also open on the OS otherwise you will be unable to manage your server once it’s in the cloud.

If you require more fine tuning of your endpoint access with customized ACL lists, that’s not available via the Azure GUI.  However, you can use PowerShell for that level of detail – read more here.

Depending on the work that your servers are doing within your cloud service, you can also configure basic round-robin load balances on those endpoints.  Learn more about that here.

Haven’t tried out Azure yet? Sign up for a free trial today.

New System Center Training on Microsoft Virtual Academy

If you don’t regularly check in with the Microsoft Virtual Academy, you are missing out on a great way to learn at your own pace.  If System Center is something you are getting into, or even if you’ve been using it for years, you might want to look at some of the new recordings available.  Here are a few that are fresh this week!

Infrastructure Provisioning (with Kenon Owens)
http://www.microsoftvirtualacademy.com/training-courses/infrastructure-provisioning-and-management-with-system-center-2012-r2
Many organizations have a very diverse underlying infrastructure. From different pieces of hardware, to different hypervisors. Regardless of this, they need to be able to manage everything in a consistent way. With System Center 2012 R2 Virtual Machine Manager, they are able to have a consistent management experience across these multiple hypervisors. This course will address deployment of compute, storage, and networking resources, and how to construct all of the different resources that we have and construct them together into a private cloud. Finally the course will delve into day-to-day operations to keep the infrastructure up and running, and deploying services to the end users as well as the architecture behind it all.

Infrastructure Monitoring (with Won Huh)
http://www.microsoftvirtualacademy.com/training-courses/infrastructure-monitoring-with-system-center-2012-r2
This course covers new monitoring capabilities and opportunities offered in Systems Center 2012 R2. Moving away from physical boxes being monitored only by individual teams, this course goes over all monitoring opportunities, including Private Cloud Monitoring, Public Cloud Monitoring, Hybrid Cloud Monitoring, OS and Workload Monitoring. Also included in this course is information about proactive monitoring integrated through System Center Advisor, and an overview of the new customized widget dashboard.

The Blog Series: Why Windows Server 2012 R2?

Well, why not?  Join the Microsoft IT Pro Evangelists as they embark on another blog series hosted by Dan Stolts. 

Check out Dan’s official landing page to learn about Active Directory Certificate Services, iSCSI Target Server, Scale-out File Server, Tiered Storage Spaces and more!

The series runs from now until Thanksgiving so check in with Dan often for the newest post.

Meanwhile if you need the bits to Server or Hyper-V Server... get them here:

• Windows Server 2012 R2
• Windows Hyper-V Server 2012 R2

Getting Comfortable with Azure Virtual Networks and DHCP

One of the great features of Azure IaaS is being able to extend your existing internal network to the cloud over a site-to-site VPN. You can bring your own IP addresses, but remember, the devil is always in the details. Or rather, knowledge is power!

Azure IaaS supports the standard private IP network ranges - 10.x, 172.x and 192.x – so you can easily give your Azure network a range that is comparable to the network range you are using in your data center.

However, Azure expects all guests to receive their IP address via DHCP. This took me a bit to grow comfortable with, as I spent years in smaller datacenters were each server was lovingly assigned an IP address that had been selected from a master spreadsheet. (Old school, I know!)  My favorite servers were given “choice” addresses with easy to remember numbers.

But networking is changing and we must change with it, so I’m becoming more comfortable with having less control over the particular address assigned to a given machine. This is key thinking when it comes to network virtualization.  By abstracting away some of the nuts and bolts of the network, the ability to be more flexible is introduced – which is good.  Someone I was talking to at a conference recently compared it to the adoption of IPv6.  IPv6 addresses are so long you would never statically assign them to a machine, that is all automated.

But, can I give my Azure VM a static address? Well, lets just say nothing is stopping you. You can go into your VM IP settings and do whatever you want.  But the risk of introducing a future IP address conflict is high and you will eventually lose the ability to connect to your VM.  Azure expects to get periodic DHCP renewal requests and when those stop the Azure fabric will remove that IP as active and stop forwarding traffic to it. There is no way to connect to the “console” of your Azure VM, so lost remote access to a machine due to an addressing issue will make for a very unhappy day.

Let’s say my internal network for my servers is 192.168.10.x/24.  I have two basic options for my Azure network:

1. Configure 192.168.10.x/24 in Azure, with a subnet for 192.168.10.128/25. I would need to make sure that everything in my physical datacenter was assigned IPs in the beginning half of the range, leaving 192.168.10.128 – 192.168.10.255 under Azure control. Azure also grabs a few other address out of the range for internal use, so I’d likely want to make sure I wasn’t using those in my physical network either. I think this option is messy and prone to errors. Also, I’m sure someone who does networking configuration all day will tell me it makes them cringe for more than one reason.
2. Create an different address range for Azure and make sure my internal switching gear is set up to route to it, like 192.168.20.x/24.  This would allow me to use a numbering scheme that makes sense within my organization, but also makes it easy to quickly identify resources that are internal vs. Azure based.

Keep in mind that any server in Azure will be assigned a persistent private IP address from your range with an infinite lease time, so if you are worried about domain controllers or other servers where the current “best practice” is to have a static assigned address, you can relax.  The only time a machine would loose it’s IP lease is when it’s in the “Stopped – Deallocated” state.

Finally, keeping with my “plan twice, create once” mantra, once your add a machine to an Azure network, you can only make limited changes - like adding new subnets or adjusting subnets that are not yet used.

For more information visit the Windows Azure Virtual Networks Overview.

Get the Bits!

I've got a few easy links for you to visit if you haven't had a chance to check out Windows Server 2012 R2 or Hyper-V 2012 R2.  I've also included a few other links of interest as well!
(Note: As of Oct 18th, these links will take you the non-Preview version.)

• Windows Server 2012 R2
• Windows Hyper-V Server 2012 R2

If you haven't gotten an Azure trial yet, you can find that here - http://aka.ms/NewAzureTrial and for some extra learning, check out the Microsoft Virtual Academy.

Need something else? There is always the TechNet Evaluation Center.  The Windows 8.1 Enterprise Evaluation is available there now.

The Not So Black Box: Azure Cloud Service

You’ve probably been virtualizing things on-premise for a while now and it’s pretty straightforward.  You spin up a VM, connect it to a network much like a physical machine, configure it as you need it and go on your way.  Depending on it’s role you might configure  your perimeter firewall so that it has some ports open on an Internet routable IP address.

And that pretty much sums it up. In Azure, a lot of that is same.  Except for the whole “Cloud Service” thing. A Cloud Service is a key part of the Azure fabric and if you’ve been working with PaaS for a while, it’s likely very familiar.  But if you are coming from the data center, it’s a new idea. Or at least, it was for me.

If you’ve taken one of the free Azure IT Camps or gotten a similar presentation on Azure IaaS you’ve likely seen this graphic:


What this shows is that a cloud service is a container that holds your VM.  This container is the “steward” of several key components that make your server room in the cloud work. A cloud service holds an external IP address and unique DNS name, is tied to a physical location in the Azure global fabric and acts as a firewall boundary.

You can create a cloud service first and add a VM to it, or you can create a VM and a matching cloud service will be made for it.  I prefer making the cloud service first (and I’ll explain why) but first, let’s break those things down:

• Physical Location – When you create a cloud service, it's tied to one of Microsoft’s eight worldwide data centers.  They are grouped in pairs (US – West Coast, US – East Coast, Europe and Asia).  At minimum, you must select the region your cloud service lives in.
• DNS Name – Each cloud service has an external DNS name in the cloudapp.net name space. By default, creating a VM will automatically create a cloud service with a matching external DNS name, if the DNS name is available.  (If not, you’ll be prompted to name it differently.) The DNS name does not have to be the same as the server name.

Up to 50 VMs can live inside a single cloud service, so if you are using a cloud service to host some servers for a website, you might want your external DNS name to be something meaningful for the service those servers provide.


For example, only one cloud service is needed for “mywebsite.cloudapp.net", but inside it contains four servers that are all available to service requests to the same site.

• External IP Address – Once your cloud service is populated with at least one running VM, it will be assigned an external IP address.  This address has a lifetime lease, however I recommend using the DNS name as the best way to reference the service from other systems.
• Firewall Boundary – The cloud service is used as the boundary where all the input endpoints are opened so you can access the VMs within it using the protocols of your choosing.  By default, RDP and Powershell is open for Windows operating systems, but this is all configurable by either using the Azure portal or via Powershell. Depending on what service you’ll be providing, you’ll need to open other ports.

Now, why do I like making an empty cloud service first?

Because it allows me to create the *.cloudapp.net DNS name separate from the machine creation process and think about how I want my VMs and applications to be grouped and accessible BEFORE I get started spinning up machines. Whenever I’m creating a cloud service in conjunction with VM creation, I nearly always end up with a DNS name I don’t like. 

Creating VMs in Azure is an almost trivial task, but the placement of them isn’t, so taking the time to understand cloud services, endpoints and other factors before getting down the business of creating VMs is something I consider a personal best practice. 

Azure doesn’t allow for name and location changes once a cloud service or VM is created, so correcting that requires deleted your work and starting over.  I’m crossing my fingers that some basic edits are built into Azure in the future, but for the moment, I like to “plan twice, create once!”

Pieces of Azure

Once upon a time, a very short time ago, I had a data center of my very own. If you’ve read this blog often enough, you know that before I joined Microsoft I was part of a NetOps team that had it’s own little server room.  We had some applications and servers that were still stand-alone on physical hardware, lots more servers virtualized on VMware.  Cables and VLANs and a phone system… all the usual stuff.

Also once up a time, several years before, Microsoft started talking about Azure.  And I looked at it with curiosity and saw that it was all platform-as-a-service geared toward mostly Developers.
And then my brain tuned out.

Click! Back to the things that mattered to my data center.

And then, not so long ago, Microsoft started talking about IaaS in Azure. It started to seem more relevant to me, so I started to look closer. And now I’m working for Microsoft and I’ve been learning a lot more about Azure IaaS. And I realize that if I was still sitting outside my server room door, Azure would probably be one of the things topping my list of projects.  It’s THAT relevant.

But coming from a “classic” data center mindset, there are bits of Azure that take a moment to get your head around.  A little shift of thinking.  Because there are some things I was really comfortable with in my data center that Azure just doesn’t do the same way.

Check back tomorrow when I touch on Cloud Services, the first thing in my list of high level Azure concepts that I’m learning to love.

VMware or Microsoft?–The Complete Quick List

The VMware or Microsoft blog series has come to an end, for now.  Below is the complete list of posts for your convenience.  You'll find lots of great information and you can never be too informed when making decisions that affect the company and services you support.

1. Series Introduction
2. What is a “Purpose-Built Hypervisor?
3. Simplified Microsoft Hyper-V Server 2012 Host Patching = Greater Security and More Uptime
4. Reducing VMware Storage Costs WITH Windows Server 2012 Storage Spaces
5. Does size really matter?
6. Let’s talk certifications!
7. Virtual Processor Scheduling
8. FREE Zero Downtime Patch Management
9. Agentless Protection
10. Site to Site Disaster Recovery with HRM
11. Destination: VMWorld
12. Get the “Scoop” on Hyper-V during VMworld
13. VMWorld: Key Keynote Notes
14. VMWorld: Did you know that there is no extra charge?
15. VMWorld: A Memo to IT Leadership
16. Moving Live Virtual Machines, Same But Different
17. Not All Memory Management is Equal
18. Can I get an app with that?
19. Deploying Naked Servers
20. Automated Server Workload Balancing
21. Thoughts on VMWorld
22. Shopping for Private Clouds
23. Dynamic Storage Management in Private Clouds
24. Replaceable? or Extensible? What kind of virtual switch do you want?
25. Offloading your Storage
26. VDI: A Look at Supportability and More!
27. Agentless Backup for Virtual Environments
28. How robust is your availability?
29. VM Guest Operating System Support
30. How to license Windows Server VMs
31. Comparing vSphere 5.5 and Windows Server 2012 R2 Hyper-V At-A-Glance
32. Evaluating Hyper-V Network Virtualization as an alternative to VMware NSX
33. Automation is the Key to Happiness
34. Comparing Microsoft’s Public Cloud to VMware’s Public Cloud
35. What does AVAILABILITY mean in YOUR cloud?