Azure IaaS Virtual Machine Creation Checklist

Hi, I have put this article together as a reminder of the tasks I perform during and after VM creation in Azure (classic cloud services, affinity groups and endpoints).

Azure Virtual Machine Pre-Creation Checklist

Check list item and comments:

Affinity Group: Does an affinity group exist? If the VM is part of a group or service, use the same affinity group so that all resources stay in the same region.

Storage Account: Does a storage account exist? I prefer not to let Azure create one with a random, meaningless name. Again, group it with other related objects as required.

Virtual Network: Has the virtual network been created? More importantly, is there a subnet for this VM? I generally create one subnet per VM when I want some control over the addresses handed out by Azure DHCP. For example, I create a subnet for each DC so that I know what my DC IP addresses will always be, or at least have some confidence that they won't change.

Availability Set: Does the VM need to be part of an availability set? If so, decide on a name for it. Use an availability set if you need to design for HA.

Cloud Service: Will the VM be part of an existing cloud service or an instance in a new cloud service? Use cloud services to separate application tiers and for load balancing. The name must be unique across the whole of Azure in the cloudapp.net domain. Each cloud service has one external IP address (VIP), and the cloud service name is also the default internet DNS name for the service, e.g. mysharepointCS will create mysharepointcs.cloudapp.net. To customise this, create a DNS CNAME record at your ISP for your own domain and subdomain, such as Intranet.Mycorp.com, and point it at the cloudapp.net name above.

VM Image Type: Will you be using a pre-created sysprepped image or a blank Azure gallery image? Note that SQL images include SQL Server licence costs for the time the VM is running.

OS Type: Which OS do you need? I always choose the latest available unless there is a reason not to, such as a required application not supporting it.

VM Resources: How much RAM and CPU I need determines the size of VM I will create. This depends on the workload and purpose; e.g. a test, demo or training VM does not need to be large. Do you have enough resources in Azure to run this machine? Check the Settings and Usage tab to see the core limits for your subscription.

Computer Name: Choose a name for the computer. Azure will use this name for the cloud service if an existing cloud service is not selected; you can also create a new cloud service for the VM. Use a cloud service to group services into tiers and for load balancing and availability sets. Each of these could be an article in its own right, so I won't go into detail here.

Administrator username and password: What will the local admin account name and password be? Remember that you cannot choose the names Admin or Administrator. The password must be at least 8 characters and must mix upper case, lower case and numeric or special characters.

Endpoints: Create or amend the default RDP and PowerShell endpoints. I normally amend the RDP public port so that I do not get a random port. Choose a port range starting at, for example, 56435, make sure your firewall allows access to it, and use it when creating the VMs. The public port must be unique per cloud service, so if there are two VMs in the cloud service, use e.g. 60000 for the first VM and 60001 for the second, and so on.
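The checklist above as a script, added here as an example and not part of the original post: it runs the pre-creation checks with the classic Azure Service Management PowerShell cmdlets (Get-AzureAffinityGroup, Get-AzureVNetSite, Test-AzureName and friends), validates the admin credential against the rules in the table, and then creates the VM with an explicit RDP public port. All resource names, the VNet range and the "Medium equals two cores" figure are assumptions; the default endpoint name "Remote Desktop" is what Add-AzureProvisioningConfig creates for Windows images.

```powershell
# Added example (not from the original post): pre-creation checks with the classic
# (Service Management) Azure PowerShell module, then VM creation. Names are placeholders.
$affinityGroup   = 'mycorp-ag-west'      # assumed
$storageAccount  = 'mycorpstorage01'     # assumed, created in advance with a meaningful name
$vnetName        = 'mycorp-vnet'         # assumed
$subnetName      = 'Subnet-SP-WEB-01'    # assumed: one subnet per VM for predictable DHCP leases
$cloudService    = 'mysharepointCS'      # must be unique across cloudapp.net
$availabilitySet = 'AS-SharePoint-Web'   # assumed
$vmName          = 'SP-WEB-01'           # assumed
$instanceSize    = 'Medium'
$coresNeeded     = 2                     # assumed: cores consumed by a Medium instance
$rdpPublicPort   = 56435                 # unique per cloud service; add 1 per extra VM
$adminUser       = 'spadmin'
$adminPassword   = Read-Host -Prompt 'Local admin password'   # the cmdlet needs the plain string

function Test-LocalAdminCredential {
    param([string]$UserName, [string]$PlainPassword)
    # Azure rejects the reserved names Admin and Administrator.
    if ($UserName -match '^(admin|administrator)$') { return $false }
    # At least 8 characters with upper, lower, and a digit or special character.
    $hasUpper          = $PlainPassword -cmatch '[A-Z]'
    $hasLower          = $PlainPassword -cmatch '[a-z]'
    $hasDigitOrSpecial = $PlainPassword -match '[\d\W_]'
    return ($PlainPassword.Length -ge 8 -and $hasUpper -and $hasLower -and $hasDigitOrSpecial)
}

# 1. Affinity group, storage account, virtual network and subnet must already exist.
if (-not (Get-AzureAffinityGroup -Name $affinityGroup -ErrorAction SilentlyContinue)) {
    throw "Affinity group '$affinityGroup' does not exist; create it first."
}
if (-not (Get-AzureStorageAccount -StorageAccountName $storageAccount -ErrorAction SilentlyContinue)) {
    throw "Storage account '$storageAccount' does not exist; create it rather than letting Azure pick a name."
}
$vnet = Get-AzureVNetSite -VNetName $vnetName -ErrorAction SilentlyContinue
if (-not $vnet) { throw "Virtual network '$vnetName' not found." }
if (-not ($vnet.Subnets | Where-Object { $_.Name -eq $subnetName })) {
    throw "Subnet '$subnetName' is not defined in '$vnetName'."
}

# 2. Cloud service names are global. Test-AzureName returns $true when the name is already taken.
$serviceExists = Test-AzureName -Service -Name $cloudService

# 3. Core quota (the figures shown under Settings > Usage in the portal).
$sub = Get-AzureSubscription -Current -ExtendedDetails
if (($sub.CurrentCoreCount + $coresNeeded) -gt $sub.MaxCoreCount) {
    throw "Not enough cores left in the subscription ($($sub.CurrentCoreCount) of $($sub.MaxCoreCount) used)."
}

# 4. Credential rules from the checklist.
if (-not (Test-LocalAdminCredential -UserName $adminUser -PlainPassword $adminPassword)) {
    throw 'Admin username or password does not meet the Azure rules.'
}

# 5. Latest gallery image of the chosen OS family.
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq 'Windows Server 2012 R2 Datacenter' } |
    Sort-Object PublishedDate -Descending | Select-Object -First 1

# Put the VHDs in the storage account we chose, not one Azure invents.
Set-AzureSubscription -SubscriptionName $sub.SubscriptionName -CurrentStorageAccountName $storageAccount

$vm = New-AzureVMConfig -Name $vmName -InstanceSize $instanceSize -ImageName $image.ImageName `
                        -AvailabilitySetName $availabilitySet |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPassword |
    Set-AzureSubnet -SubnetNames $subnetName |
    Set-AzureEndpoint -Name 'Remote Desktop' -Protocol tcp -LocalPort 3389 -PublicPort $rdpPublicPort

# The affinity group is only specified when the cloud service is being created.
if ($serviceExists) {
    New-AzureVM -ServiceName $cloudService -VMs $vm -VNetName $vnetName
} else {
    New-AzureVM -ServiceName $cloudService -VMs $vm -VNetName $vnetName -AffinityGroup $affinityGroup
}
```

If $serviceExists is true because someone else owns the cloudapp.net name, New-AzureVM fails at that point rather than after the checks; pick a different name and rerun.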

What can be changed after the VM has been created ?

Note that settings such as affinity group, storage account, OS type and gallery image cannot be changed once the VM is up and running. Some settings, such as the availability set, can be changed while the VM is running; the size of the VM can also be changed, but the VM will restart.

In order to change the virtual network and subnet, the VM has to be deleted. Select "Keep the attached disks" when you do so; you can then create a new VM from the existing VHD files instead of building and configuring a fresh one.


Post VM Creation Essential Checks

Here is a table, followed by some screenshots for reference, of the checks and any additional configuration and installation steps you may choose to do on the virtual machine in Azure.

Action and comment:

Complete the checks shown in the screenshots below using the Dashboard and Configure screens for the VM in the Portal: check the virtual network, availability set, affinity group, DNS, cloud service, VM size, etc.

Join the virtual machine to the domain if required and restart: This also confirms that networking is correct. Use IPCONFIG /ALL from within the VM to verify the network configuration.

Run Windows Update to update the VM image: The images are refreshed by Microsoft with Windows updates about once a month. Have patience here, as it takes a while to progress after clicking "install updates" while the download sits at 0%.

Firewall configuration: By default the firewall is on and fairly restrictive, so you may want to open up ping etc. See the scripts below.

Internet access: Ensure the VM can access the internet. By default all VMs should be able to. If you have configured DNS incorrectly this may not work. Adding your own DNS servers and using them for the VMs' internet access is fine, as the built-in root hints will send DNS queries to the internet. If there are problems, check the forwarders in the DNS console on the DNS servers. If they are not resolvable, add different DNS servers, such as 8.8.8.8.
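The domain, DNS, internet and firewall checks in the table above, plus the Windows Update stall in the Troubleshooting section, collected into one script that runs inside the new VM. This is an added example, not code from the original post; the public host name used for the internet test is an assumption, and the triage order (DNS first, then outbound access, then firewall) follows the table.

```powershell
# Added example (not from the original post). Run inside the VM after the domain
# join and restart to verify the post-creation items in one pass.
function Get-VmPostCreationReport {
    param([string]$InternetHost = 'download.windowsupdate.com')   # assumed test target

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # Only adapters with a default gateway, i.e. the NIC Azure provided.
    $nics = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway }
    $dnsServers = @($nics | ForEach-Object { $_.DNSServer.ServerAddresses }) | Select-Object -Unique

    # Internal DNS: the DC locator SRV record only resolves if the VM uses a DNS
    # server that hosts (or forwards to) the AD zone.
    $domainDnsOk = $null
    if ($cs.PartOfDomain) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" -Type SRV -ErrorAction SilentlyContinue
        $domainDnsOk = [bool]$srv
    }

    # Internet: public name resolution (root hints or forwarders), then TCP 443 out.
    $publicDnsOk = [bool](Resolve-DnsName -Name $InternetHost -ErrorAction SilentlyContinue)
    $tcp443Ok = $false
    if ($publicDnsOk) {
        $tcp443Ok = (Test-NetConnection -ComputerName $InternetHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Firewall: all profiles should still be on and the RDP rule group enabled,
    # otherwise the next rule change can lock you out of the VM.
    $profiles = Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }
    $rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                  Where-Object { $_.Enabled -eq 'True' })

    [pscustomobject]@{
        ComputerName     = $cs.Name
        PartOfDomain     = $cs.PartOfDomain
        Domain           = $cs.Domain
        IPv4Addresses    = @($nics.IPv4Address.IPAddress) -join ', '
        DnsServers       = $dnsServers -join ', '
        DomainDnsOk      = $domainDnsOk
        PublicDnsOk      = $publicDnsOk
        InternetTcp443Ok = $tcp443Ok
        FirewallProfiles = $profiles -join ' '
        RdpRuleEnabled   = ($rdpRules.Count -gt 0)
    }
}

$report = Get-VmPostCreationReport
$report | Format-List

# Triage in the order the table suggests: DNS first, then outbound access, then firewall.
if ($report.PartOfDomain -and -not $report.DomainDnsOk) {
    Write-Warning "Cannot locate a DC for $($report.Domain) via $($report.DnsServers); check the VM's DNS servers."
}
if (-not $report.PublicDnsOk) {
    Write-Warning 'Public names do not resolve; check forwarders on the DNS servers or add a public resolver such as 8.8.8.8.'
} elseif (-not $report.InternetTcp443Ok) {
    Write-Warning 'DNS works but outbound TCP 443 fails; Windows Update will sit at 0% until this is fixed.'
}
if (-not $report.RdpRuleEnabled) {
    Write-Warning 'The Remote Desktop rule group is disabled; re-enable it before you disconnect.'
}
```

The NetTCPIP, DnsClient and NetSecurity cmdlets used here ship with Windows Server 2012 and later, which matches the gallery images the checklist recommends.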

 

Once the VM is up and running, ensure it has been created correctly in the right subnet, availability set, etc. Select Dashboard to view the cloud service, IP addressing and DNS names.

  • From the Portal, click on the virtual machine and select the Configure tab. Here you can see the VM size, network configuration and availability set.

  • RDP to the VM to ensure the correct operating system is installed and that you can see any other VMs on the same network.

Firewall Scripts

  • Run on SQL Servers only, or on servers that have PowerPivot for SharePoint installed.

#Echo SQL Server Ports - Only enable on SQL Servers or SharePoint for PowerPivot.

#Enable SQL Server DB Engine default Port
#(no profile= on this rule, so it applies to all profiles; add profile=domain to match the rules below)
netsh advfirewall firewall add rule name="Open SQL Server Port 1433" dir=in action=allow protocol=TCP localport=1433

#echo Enabling SQL Server Browser Service port 2382
netsh advfirewall firewall add rule name="SQL Browser (TCP 2382)" dir=in action=allow protocol=TCP localport=2382 profile=domain

#echo Enabling port for SQL Server Browser Service's 'Browse' Button
netsh advfirewall firewall add rule name="SQL Browser (UDP 1434)" dir=in action=allow protocol=UDP localport=1434 profile=domain

#echo Enabling SQL Server Analysis Services port 2383
netsh advfirewall firewall add rule name="SQL Server Analysis Services inbound on TCP 2383" dir=in action=allow protocol=TCP localport=2383 profile=domain

#echo Enabling SQL Dedicated Admin Connection Port (default TCP 1434)
#(must be "add rule" with a localport; "set rule" without one is rejected by netsh)
netsh advfirewall firewall add rule name="SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434 profile=domain

#echo Allowing multicast broadcast response on UDP (Browser Service Enumerations OK)
#(legacy "netsh firewall" context, deprecated since Windows Server 2008 R2)
netsh firewall set multicastbroadcastresponse ENABLE

#Echo Enabling SQL static instance Port - static SQL Server port servers only. Example port 49247 used here; change as appropriate.
netsh advfirewall firewall add rule name="Open SQL Server Port 49247" dir=in action=allow protocol=TCP localport=49247 profile=domain


 


  • Run on SharePoint servers

#Echo - SHAREPOINT SERVERS ONLY

#echo Enabling SharePoint web service ports 32843 and 32844 and the search index range
#(SMB ports 445 and 137-139 are covered by the "File and Printer Sharing" group in the scheduled script below)
netsh advfirewall firewall add rule name="SharePoint 32843 inbound on TCP 32843" dir=in action=allow protocol=TCP localport=32843 profile=domain
netsh advfirewall firewall add rule name="SharePoint 32844 inbound on TCP 32844" dir=in action=allow protocol=TCP localport=32844 profile=domain
netsh advfirewall firewall add rule name="SharePoint Search Index inbound on TCP 16500-16519" dir=in action=allow protocol=TCP localport=16500-16519 profile=domain

#Echo SharePoint AppFabric Cache Ports
netsh advfirewall firewall add rule name="SharePoint 22233 inbound on TCP Cache Port 22233" dir=in action=allow protocol=TCP localport=22233 profile=domain
netsh advfirewall firewall add rule name="SharePoint 22234 inbound on TCP Cache cluster 22234" dir=in action=allow protocol=TCP localport=22234 profile=domain
netsh advfirewall firewall add rule name="SharePoint 22235 inbound on TCP Cache arbitration 22235" dir=in action=allow protocol=TCP localport=22235 profile=domain
netsh advfirewall firewall add rule name="SharePoint 22236 inbound on TCP Cache replication 22236" dir=in action=allow protocol=TCP localport=22236 profile=domain
netsh advfirewall firewall add rule name="SharePoint 808 inbound on TCP WCF 808" dir=in action=allow protocol=TCP localport=808 profile=domain

    I use two scripts, one when the VM is created to open up the ports required followed by a second one which is run as a scheduled task at the required frequency.
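An idempotent alternative to the SQL Server and SharePoint netsh scripts above, added here as an example and not part of the original post. netsh "add rule" creates another copy of the rule every time the script runs, so this version checks for the rule by display name first, keeps every rule on the Domain profile only, and lets you restrict the remote address to the VNet. The service names used to detect the server role (MSSQLSERVER, SPTimerV4) and the VNet range are assumptions; the multicast setting uses Set-NetFirewallProfile instead of the deprecated netsh firewall context.

```powershell
# Added example (not from the original post): idempotent, Domain-profile-only
# equivalent of the SQL and SharePoint netsh rules above.
$sqlRules = @(
    @{ Name = 'SQL Server DB Engine (TCP 1433)';            Protocol = 'TCP'; Port = 1433 },
    @{ Name = 'SQL Dedicated Admin Connection (TCP 1434)';  Protocol = 'TCP'; Port = 1434 },
    @{ Name = 'SQL Browser (UDP 1434)';                     Protocol = 'UDP'; Port = 1434 },
    @{ Name = 'SQL Browser (TCP 2382)';                     Protocol = 'TCP'; Port = 2382 },
    @{ Name = 'SQL Server Analysis Services (TCP 2383)';    Protocol = 'TCP'; Port = 2383 },
    @{ Name = 'SQL static instance port (TCP 49247)';       Protocol = 'TCP'; Port = 49247 }   # change per instance
)
$sharePointRules = @(
    @{ Name = 'SharePoint web services (TCP 32843-32844)';   Protocol = 'TCP'; Port = '32843-32844' },
    @{ Name = 'SharePoint search index (TCP 16500-16519)';   Protocol = 'TCP'; Port = '16500-16519' },
    @{ Name = 'SharePoint AppFabric cache (TCP 22233-22236)'; Protocol = 'TCP'; Port = '22233-22236' },
    @{ Name = 'SharePoint WCF (TCP 808)';                    Protocol = 'TCP'; Port = 808 }
)

function Set-InboundRuleSet {
    param(
        [Parameter(Mandatory)][hashtable[]]$Rules,
        [string]$Group = 'Azure VM checklist',   # lets you list or remove the whole set later
        [string]$RemoteAddress = 'Any'           # e.g. '10.0.0.0/16' to limit to the VNet
    )
    foreach ($r in $Rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($r.Name)' already present; leaving it as-is."
            continue
        }
        New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile Domain -RemoteAddress $RemoteAddress | Out-Null
        Write-Output "Created: $($r.Name)"
    }
}

$vnetRange = '10.0.0.0/16'   # assumed address space of the virtual network

# Role detection by service name (assumed: default SQL instance, SharePoint timer service).
if (Get-Service -Name 'MSSQLSERVER' -ErrorAction SilentlyContinue) {
    Set-InboundRuleSet -Rules $sqlRules -RemoteAddress $vnetRange
    # Replaces "netsh firewall set multicastbroadcastresponse ENABLE" for the Domain profile.
    Set-NetFirewallProfile -Profile Domain -AllowUnicastResponseToMulticast True
}
if (Get-Service -Name 'SPTimerV4' -ErrorAction SilentlyContinue) {
    Set-InboundRuleSet -Rules $sharePointRules -RemoteAddress $vnetRange
}

# What this script has opened, for the change record.
Get-NetFirewallRule -Group 'Azure VM checklist' | Select-Object DisplayName, Enabled, Profile
```

Running it a second time creates nothing and prints nothing, which is the behaviour you want from a script that is also run on a schedule.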

Scheduled Script to run at set frequency

Run this script using Task Scheduler. It prevents the firewall from locking you out of the VM if anyone changes the RDP or PowerShell firewall rules by mistake. If the firewall is reset to its defaults, that will also lock you out of the VM, and if that happens you will need to rebuild it.

netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
netsh advfirewall firewall set rule group="Performance Logs and Alerts" new enable=yes
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
netsh advfirewall firewall set rule group="Remote Event Monitor" new enable=yes
netsh advfirewall firewall set rule group="Remote Scheduled Tasks Management" new enable=yes
netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
enable-psremoting -force
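The same rule groups as the scheduled netsh script above, written with the NetSecurity cmdlets and registered as a scheduled task. This is an added example, not the original post's script: the function returns the groups it had to re-enable, so a run that actually changed something leaves an Application event log entry (a silent netsh run gives you no record that someone had disabled RDP). The script path, task name, interval and event source are assumptions.

```powershell
# Added example (not from the original post): keep the management rule groups
# enabled, log when a repair was needed, and register as a scheduled task.
param([switch]$Register)   # run once with -Register (elevated) to create the task

$ManagementGroups = @(
    'Remote Desktop', 'Remote Service Management', 'Remote Administration',
    'File and Printer Sharing', 'Performance Logs and Alerts',
    'Remote Event Log Management', 'Remote Event Monitor',
    'Remote Scheduled Tasks Management', 'Remote Volume Management',
    'Windows Firewall Remote Management'
)

function Repair-ManagementFirewallRules {
    param([string[]]$DisplayGroups)
    $repaired = @()
    foreach ($group in $DisplayGroups) {
        $disabled = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
                    Where-Object { $_.Enabled -ne 'True' }
        if ($disabled) {
            $disabled | Enable-NetFirewallRule
            $repaired += $group
        }
    }
    # Re-assert the WinRM listener and its rules; the firewall profiles themselves stay on.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null
    return $repaired
}

if ($Register) {
    $scriptPath = 'C:\Scripts\Repair-ManagementFirewallRules.ps1'   # assumed location of this file
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration ([TimeSpan]::MaxValue)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AzureVmFirewallGuard' -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
    return
}

$repaired = Repair-ManagementFirewallRules -DisplayGroups $ManagementGroups
if ($repaired.Count -gt 0) {
    $source = 'AzureVmFirewallGuard'   # assumed event source name
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 1001 `
        -Message ('Re-enabled firewall rule groups: ' + ($repaired -join ', '))
}
```

The task runs as SYSTEM with -File, so the machine's execution policy must allow local scripts (RemoteSigned) or the file must be signed; otherwise the task starts and does nothing, which is exactly the failure this script exists to prevent.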

 

Troubleshooting

I get random RDP ports for every VM I create

Azure uses the AUTO port numbering option if you don't specify a port explicitly in the GUI. Change the RDP port during creation, or amend the endpoints once the VM has been provisioned. If creating by script, wait until the VM is provisioned and then script the change to the RDP endpoint.

Here is the Endpoint screen during GUI creation (screenshot omitted).

Here is the Endpoint screen after VM provisioning (screenshot omitted). Select the required endpoint and click Edit.

Enter the details as required.

You are also able to create a load-balanced endpoint here.

I am running Windows Update in an Azure VM and it is stuck on "0 KB total, 0% Complete"

Check that the VM has an internet connection. They all should by default, unless DNS is misconfigured in your environment.

If the VM has internet access, the Windows Update stall above is normal and the downloads will begin in a few minutes, sometimes as long as ten. Go and make some tea or move on to something else and come back to it.


About Mitesh Chauhan
Mitesh Chauhan, Azure Cloud Solutions Architect. This is my blog where I share articles and thoughts on IT Infrastructure and architecture. The topics I am most passionate about are Implementation and architecture of rock solid Cloud Infrastructure based around SQL Server and Windows Server mainly using Microsoft Azure. MCTS - Azure Architecture MCTS - Azure Implementation MCSE Server Infrastructure (Windows Server 2012) , MCITP SQL Server 2008, Togaf Certified, Prince 2 Practitioner.
