10 Steps to get started with Azure for partners. #8

#8 Building and securing Virtual Machines

By Christopher Melendez

Deploy and manage compute resources for Azure administrators

Finally, we’re getting to the business end of the 10 steps to get started with Azure for partners. We touched on Azure Migrate earlier, but that was only for customers looking to migrate existing workloads into the cloud. What about your customers that are looking for a “greenfield” deployment? Where do you go to spin up their virtual infrastructure? Luckily, building virtual machines (VMs) can be quick and painless. There are a few ways to build out your environment. You can use the Azure portal, or if you prefer the command line or need to deploy at scale, you can go with Azure CLI, Azure PowerShell, or Azure Resource Manager (ARM) templates. Any of these options lets you deploy virtual machines from scratch. The Azure Marketplace also provides virtual machine operating system images that can include SQL Servers, web servers, and application servers. Another option is to deploy a virtual machine from an existing VHD image. This can be a virtual machine that was created on-premises in your Hyper-V environment, or one created in Azure to be used as a template for a large-scale deployment.

Linux on Azure

Azure Virtual Machines are used when customers need more control over their workloads. They provide the Infrastructure as a Service model for on-demand, scalable computing resources. This means you will need to maintain the VM yourself by performing management tasks such as configuring, patching, and installing necessary software. Azure VMs can be provisioned with different operating systems, sizes, and features. Linux is supported in Azure, so you can choose from many distributions available on the market, such as SUSE, Red Hat, Ubuntu, Debian, Docker, FreeBSD, and CentOS, to name a few. Unsurprisingly, Microsoft operating systems are also supported. The supported Windows OSs include Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10 Pro, and even Windows 7.

Availability options for Azure Virtual Machines

Now that you have your operating system determined, you can think about scaling and resiliency. Virtual machine scaling is accomplished with Azure virtual machine scale sets. This technology provides the means to create and manage a group of load-balanced virtual machines. The VM instance count can automatically increase or decrease depending on the load, or according to a defined schedule. Scale sets give your applications the option of high availability, and they provide a control plane to centrally manage, configure, and update a large cluster of VMs. Resiliency in Azure is handled by availability sets and availability zones. An availability set is a logical grouping of VMs. You create the availability set when you’re deploying the virtual machine. It’s recommended that you build out two or more VMs within an availability set so that the application is highly available and meets the 99.95% Azure SLA. Availability sets consist of update domains and fault domains. Update domains are groups of virtual machines and the underlying physical hardware that can be rebooted whenever Microsoft needs to patch the infrastructure. Fault domains define a group of VMs that share a common power source and network switch in a rack. Availability sets protect your infrastructure from rack failures, whereas availability zones protect from datacenter failures.

Sizes for virtual machines in Azure

It’s a good idea to plan and gather the information needed to deploy a virtual environment in Azure. These considerations generally present themselves in the portal or in the command line options. For example, how will you organize your environment? Will you organize your resource groups by function, such as a web server resource group and a database resource group, or will you organize them by production and testing environments? Another big decision that needs to be planned out is the virtual network, which we covered in step #7. The most important thing to understand is that you will need a VNet before you can deploy any virtual machines in your Azure environment. The good thing is, creating a virtual network is part of the virtual machine deployment process: you either select an existing virtual network or create one during deployment. Keep in mind, as discussed in our previous step, that virtual machines in different subnets under the same VNet can communicate with each other, provided there are no NSG rules specifically blocking it. Separate VNets, however, cannot communicate with each other by default. Also, you must keep in mind connectivity through the VPN Gateway if you do set up a hybrid IT solution.

Implement virtual machine host security in Azure

Another security consideration that can be difficult to implement later is virtual machine disk encryption. This is a very important feature that often gets overlooked, but it can be a deal breaker for customers with compliance demands that require encrypted data at rest. Using Azure Key Vault as the key management solution for your disk encryption can make the process painless. Other security-related features that could be a huge benefit for your customers are enabling diagnostics logging, implementing an Azure Log Analytics workspace, and integrating it with Azure Security Center, Azure Monitor, and Azure Policy. Adopting these Azure feature sets can give you the visibility and clarity that take your customer’s Azure experience to the next level. Done correctly, implementing these tools can turn your MSP from a reactive shop into a proactive, well-oiled machine.
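The following script, added here as an example and not taken from the original post or from Microsoft's documentation, pulls the pieces of this step together with the Azure CLI: it places two Linux VMs into an availability set on an existing VNet, restricts inbound SSH with an NSG, encrypts the disks with Azure Disk Encryption backed by Key Vault, and turns on boot diagnostics and the Azure Monitor agent feeding a Log Analytics workspace. Every resource name, the region, the VM size and the admin CIDR are assumptions set as overridable defaults; the VNet and subnet are assumed to exist from step #7, and the Key Vault name must be globally unique in your tenant. Setting DRY_RUN=1 prints each az command instead of executing it, which is the mode to use for a review before anything is created.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: deploys two Linux VMs into an
# availability set on an existing VNet, fronts them with a restrictive NSG,
# encrypts their disks with Azure Disk Encryption backed by Key Vault, and turns
# on boot diagnostics plus the Azure Monitor agent. Every name, the region and
# the admin CIDR are assumptions; override them through the environment.
set -eu

RG="${RG:-rg-web-prod}"                       # assumed resource group
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-prod}"                     # assumed: built in step #7
SUBNET="${SUBNET:-snet-web}"
AVSET="${AVSET:-avset-web}"
NSG="${NSG:-nsg-web}"
KV="${KV:-kv-web-prod-001}"                   # Key Vault names are globally unique
LAW="${LAW:-law-prod}"                        # Log Analytics workspace
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"    # assumed admin network (TEST-NET-3)
DRY_RUN="${DRY_RUN:-0}"                       # DRY_RUN=1 prints each az command instead of running it

# run: execute an az command, or print it verbatim when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# NSG: SSH is allowed only from the admin network; everything else inbound
# falls through to the platform's default DenyAllInBound rule.
create_nsg() {
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowSshFromAdmin --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$ADMIN_CIDR" --destination-port-ranges 22
}

# Availability set: 2 fault domains (racks) and 5 update domains, so the two
# VMs below never share a rack or a maintenance reboot window.
create_avset() {
  run az vm availability-set create --resource-group "$RG" --name "$AVSET" \
    --location "$LOCATION" --platform-fault-domain-count 2 --platform-update-domain-count 5
}

# Key Vault that the disk-encryption extension is permitted to store keys in.
create_keyvault() {
  run az keyvault create --resource-group "$RG" --name "$KV" --location "$LOCATION" \
    --enabled-for-disk-encryption true
}

# Log Analytics workspace that Azure Monitor and Security Center read from.
create_workspace() {
  run az monitor log-analytics workspace create --resource-group "$RG" \
    --workspace-name "$LAW" --location "$LOCATION"
}

# One VM: SSH keys only, no public IP, placed in the availability set and behind the NSG.
create_vm() {
  name="$1"
  run az vm create --resource-group "$RG" --name "$name" --location "$LOCATION" \
    --image Ubuntu2204 --size Standard_B2s --availability-set "$AVSET" \
    --vnet-name "$VNET" --subnet "$SUBNET" --nsg "$NSG" --public-ip-address "" \
    --admin-username azureuser --generate-ssh-keys
}

# Encrypt OS and data disks at rest with a key held in the vault created above.
encrypt_vm() {
  name="$1"
  run az vm encryption enable --resource-group "$RG" --name "$name" \
    --disk-encryption-keyvault "$KV" --volume-type ALL
}

# Boot diagnostics (managed storage) and the Azure Monitor agent for log collection.
enable_diagnostics() {
  name="$1"
  run az vm boot-diagnostics enable --resource-group "$RG" --name "$name"
  run az vm extension set --resource-group "$RG" --vm-name "$name" \
    --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --enable-auto-upgrade true
}

# Full deployment in dependency order; the VMs are created after the NSG,
# availability set and vault they reference.
deploy() {
  create_nsg
  create_avset
  create_keyvault
  create_workspace
  for vm in vm-web-01 vm-web-02; do
    create_vm "$vm"
    encrypt_vm "$vm"
    enable_diagnostics "$vm"
  done
}

# Only deploy when explicitly asked, e.g.:  DRY_RUN=1 ./deploy-web-vms.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Two design choices are worth noting. The VMs get no public IP and the NSG admits SSH only from the admin CIDR, so reaching them requires the VPN Gateway or bastion path discussed in step #7 rather than an Internet-exposed port. Encryption is applied immediately after each VM is created, before any data lands on it, which is the point the text makes about disk encryption being hard to retrofit later.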