Hybrid Network Infrastructure in Microsoft Azure (Part 11)

If you would like to be notified when Deb Shinder releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

If you would like to read the other parts in this article series please go to:

In part 1 of this series, I began the discussion about hybrid network infrastructure with some thoughts regarding what hybrid clouds are about, and then talked about some of the networking functionality that you get when you adopt Azure Infrastructure Services. There was also an introduction to the Datacenter Extension Reference Architecture Diagram that Tom put together with Jim Dial and several other people at Microsoft. In part 2, Tom joined in as co-author and we went over site to site VPNs and point to site VPNs. In part 3 we took a look at the Azure dedicated WAN link service, which goes by the name of ExpressRoute, and also discussed the Azure Virtual Gateway, which is located on the edge of your Azure Virtual Network and enables you to connect your on-premises network to an Azure Virtual Network.

Then in part 4, we spent the bulk of our time discussing what Azure Virtual Networks are and how they compare to the virtual networks we use in traditional on-premises Hyper-V installations. Part 5 went into a little more detail on Azure Virtual Networks and some special considerations you need to take into account. In Part 6, we discussed Azure Virtual Networks and external load balancers. In Part 7, we began our discussion on the subject of internal load balancing and on how to use PowerShell to configure ILB for virtual machines that are contained within an Azure Virtual Network. In Part 8, we moved on to how to configure ILB for Cloud Services by editing the .cscfg file, and then talked about Network Security Groups.

In part 9 we talked about virtual machine ACLs, which you can use to allow selective remote access to virtual machines you place on Azure Virtual Networks. We also talked about some alternatives to using virtual machine ACLs, which in many ways can be more secure than configuring ACLs. In addition, virtual machine ACLs can’t be used on Azure Resource Manager (ARM)-based virtual machines.

We will now continue working our way through our list of network capabilities that are available in Azure at the time this article was written (always keeping in mind that Azure is constantly changing and growing and adding new functionalities). In Part 10, we started talking about two items simultaneously, because they are interrelated: multi-homed NICs and third party firewalls.

Site to site VPNs

√ Point to Site VPNs

√ Dedicated WAN links

√ Virtual network gateways

√ Azure Virtual Networks

Inter-virtual Network connectivity

External load balancers

Internal load balancers

Network Security Groups

Virtual machine ACLs

> Dual-homed

> Third party firewalls

  • Dedicated public IP addresses
  • Static IP addresses on virtual machines
  • Public addresses on virtual machines
  • DNS

Internet facing VIPs are supported only on the VM’s default NIC

Internet-facing Virtual IP addresses (in ASM or “classic” deployments) are only supported on the “default” NIC on the virtual machine. There is only one VIP, and it maps to the IP address of the VM’s default NIC. What this means is that the VIP that accepts the incoming requests from the Internet will only forward to the default NIC of the multi-NIC virtual machine. Make sure you know which NIC is the default so that you aren’t in for any surprises.

VIPs are called “virtual” because they aren’t really linked to the VM instances in the cloud, but to the Azure load balancer. Any of your VM instances within the Azure cloud can be accessed via a single VIP. By default, VIPs are dynamic but it is possible to reserve a public VIP (at extra cost).

No Instance Level Public IPs for you (if you’re using ASM VMs)

Instance level public IP (ILPIP) addresses are public IP addresses that you can assign to a VM or role instance directly instead of being assigned to the cloud service that VM or role instance “lives” in, like the VIP that’s assigned to the cloud service. It’s assigned in addition to, not instead of the VIP. You can use the ILPIP to connect directly to the VM or role instance.

An instance level public IP address is a dedicated IP address assigned to accept incoming connections to a specific virtual machine. This is in contrast to a VIP, which is a single IP address representing multiple external NICs.

Note:
You can connect to the VM/role instance through the cloud service’s VIP and the port number, or directly using the ILPIP address, or using the fully qualified domain name via the DNS A records that are automatically created for each instance when it’s created. Each VM or role instance can have only one ILPIP and each Azure subscription gets 5 ILPIPs.

At this time, ILPIPs (ASM deployments) are not supported for multi-NIC VMs. This could change in the future, as Azure’s capabilities are always changing and being upgraded.

Don’t let NIC ordering changes take you by surprise

NIC ordering is important in Windows because network security appliances use NIC ordering in a number of ways. With multi-NIC VMs, the order of the NICs from inside the VM will be random (we’re used to this with on-premises VMs too). However, the ordering could change across Azure infrastructure updates. That said, the IP addresses, and the MAC addresses will stay the same even if the VMs are moved around or core elements of the Azure virtualization platform change.

Here is an example: Let’s assume our first NIC, which we’ll call NIC-1, has the IP address of 10.1.0.100 and a MAC address of 00-0D-3A-B0-39-0D. It might happen that after an Azure infrastructure update and reboot, you might find that NIC-1 has been changed to NIC-2. This would represent a change in NIC ordering, but the good news is that it shouldn’t really affect anything since the IP address and MAC pairing will remain the same. Also, keep in mind that when you initiate the restart, the NIC order will remain the same. It’s just when Microsoft does an update that this change might occur.
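One way to confirm that only the ordering changed after a platform update is to record each adapter's name, MAC and IPv4 address from inside the guest and compare that with a baseline on the next boot. This is an added example, not code from the article; the baseline path and the Get-NicMap/Compare-NicMap function names are assumptions, and the cmdlets are the standard Windows NetAdapter/NetTCPIP ones.

```powershell
# Added example: detect NIC reordering inside a Windows guest by keying on the MAC address,
# because the article states the IP/MAC pairing survives Azure updates while the order may not.
$BaselinePath = 'C:\ProgramData\nic-baseline.json'   # assumed location for the baseline

function Get-NicMap {
    # One record per adapter: which MAC currently carries which IPv4 address, under which name.
    Get-NetAdapter | ForEach-Object {
        $ip = (Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
               Select-Object -First 1).IPAddress
        [pscustomobject]@{ Name = $_.Name; Mac = $_.MacAddress; IP = $ip }
    }
}

function Compare-NicMap {
    param($Baseline, $Current)
    $base = @{}
    foreach ($n in $Baseline) { $base[$n.Mac] = $n }
    foreach ($n in $Current) {
        if (-not $base.ContainsKey($n.Mac)) { "NEW NIC: $($n.Mac) ($($n.Name), $($n.IP))"; continue }
        $b = $base[$n.Mac]
        if ($b.IP -ne $n.IP) {
            # The pairing is supposed to be stable, so this is the case worth investigating.
            "IP CHANGED on $($n.Mac): $($b.IP) -> $($n.IP) (unexpected)"
        } elseif ($b.Name -ne $n.Name) {
            # Expected after a Microsoft-initiated update: same MAC and IP, different position/name.
            "REORDERED: $($n.Mac) was '$($b.Name)', now '$($n.Name)'; IP $($n.IP) unchanged"
        }
    }
    foreach ($mac in $base.Keys) {
        if (-not ($Current.Mac -contains $mac)) { "MISSING NIC: $mac ($($base[$mac].Name))" }
    }
}

if (-not (Test-Path $BaselinePath)) {
    Get-NicMap | ConvertTo-Json | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
} else {
    $report = Compare-NicMap -Baseline (Get-Content $BaselinePath -Raw | ConvertFrom-Json) -Current (Get-NicMap)
    if ($report) { $report } else { 'NIC names, MACs and IPs all match the baseline' }
}
```

Run it once to write the baseline, then again after each reboot; a REORDERED line is the harmless case the article describes, while IP CHANGED or MISSING lines deserve a closer look at routing and firewall bindings.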

Don’t black hole your NIC with the wrong IP addresses

It should go without saying, but addresses on each of the NICs on a multi-NIC VM must be on a valid subnet on your Azure Virtual Network. It wouldn’t make sense to assign IP addresses that aren’t valid, unless your goal is not to send or receive traffic on that NIC. Also, multiple NICs on a single VM can each be assigned addresses that are in the same subnet. This doesn’t give you any security advantages, but there are scenarios (such as using a separate NIC for backup) where you might want to consider doing this.

Size Matters

VM size determines the number of NICs you can create for a VM. The table below lists the numbers of NICs corresponding to the size of the VMs.

VM Size (Standard SKUs)    NICs (max allowed per VM)
All Basic Sizes            1
A0\extra small             1
A1\small                   1
A2\medium                  1
A3\large                   2
A4\extra large             4
A5                         1
A6                         2
A7                         4
A8                         2
A9                         4
A10                        2
A11                        4
D1                         1
D2                         2
D3                         4
D4                         8
D11                        2
D12                        4
D13                        8
D14                        8
DS1                        1
DS2                        2
DS3                        4
DS4                        8
DS11                       2
DS12                       4
DS13                       8
DS14                       16
D1_v2                      1
D2_v2                      2
D3_v2                      4
D4_v2                      8
D5_v2                      16
D11_v2                     2
D12_v2                     4
D13_v2                     8
D14_v2                     8
G1                         1
G2                         2
G3                         4
G4                         8
G5                         8
All Other Sizes            1

Table 1

Note that there is no additional charge for the multiple NICs feature but there are different limits on the number of NICs that you can assign based on the VM SKUs. Multiple NICs are only supported in Azure IaaS, not PaaS.

How to create a VM with multiple NICs

Now that we know all about multiple NICs, how do you go about creating a VM that takes advantage of this capability? You can use PowerShell cmdlets to get a VM image from the Azure VM image gallery and create an Azure VM configuration and default administrator logon. Then you will need to specify the subnet and IP address of the NIC that will be the default NIC. After that, you just add additional NICs to the VM configuration in much the same way. Note that the interface name needs to be unique for the VM; it doesn’t represent the names of the NICs in the VM.

Here are the applicable PowerShell commands for all of these steps:

# Get the Windows Server image from the gallery
$image = Get-AzureVMImage `
  -ImageName "a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-201410.01-en.us-127GB.vhd"

# Build the VM configuration; ExtraLarge (A4) allows up to four NICs (see Table 1)
$vm = New-AzureVMConfig -Name "MultiNicVM" -InstanceSize "ExtraLarge" `
  -Image $image.ImageName -AvailabilitySetName "MyAVSet"

# Windows provisioning settings and the local administrator account
Add-AzureProvisioningConfig -VM $vm -Windows -AdminUserName "<YourAdminUID>" `
  -Password "<YourAdminPassword>"

# Additional NICs; the names must be unique within the VM configuration and
# are not the adapter names you will see inside the guest
Add-AzureNetworkInterfaceConfig -Name "Ethernet1" `
  -SubnetName "Midtier" -StaticVNetIPAddress "10.1.1.111" -VM $vm
Add-AzureNetworkInterfaceConfig -Name "Ethernet2" `
  -SubnetName "Backend" -StaticVNetIPAddress "10.1.2.222" -VM $vm

# Subnet and static address of the default NIC (the one an Internet-facing VIP forwards to)
Set-AzureSubnet -SubnetNames "Frontend" -VM $vm
Set-AzureStaticVNetIP -IPAddress "10.1.0.100" -VM $vm

# Create the VM in the cloud service and virtual network
New-AzureVM -ServiceName "MultiNIC-CS" -VNetName "MultiNIC-VNet" -VMs $vm

Check out Create a VM with multiple NICs to learn more about how to configure multi-NIC virtual machines.
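Before running New-AzureVM, a pre-flight check catches the two mistakes the earlier sections warn about: more NICs than the instance size allows (Table 1) and a static address outside its subnet, which black-holes that NIC. This is an added example, not code from the article; the address ranges assigned to the article's Frontend, Midtier and Backend subnets and the Test-MultiNicPlan function are assumptions.

```powershell
# Added example: validate a multi-NIC plan offline before creating the VM.
# Assumed address ranges for the subnets named in the article's script.
$Subnets = @{ 'Frontend' = '10.1.0.0/24'; 'Midtier' = '10.1.1.0/24'; 'Backend' = '10.1.2.0/24' }
# NIC limits from Table 1 for a few standard sizes; "ExtraLarge" is the A4 size.
$MaxNics = @{ 'Small' = 1; 'Medium' = 1; 'Large' = 2; 'ExtraLarge' = 4 }

function ConvertTo-UInt32 ([string]$Dotted) {
    $bytes = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    [Array]::Reverse($bytes)               # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPInSubnet ([string]$IPAddress, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (((ConvertTo-UInt32 $IPAddress) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask))
}

function Test-MultiNicPlan {
    param([string]$InstanceSize, [hashtable[]]$Nics)   # each NIC: @{ Name; SubnetName; IPAddress }
    $problems = @()
    if (-not $MaxNics.ContainsKey($InstanceSize)) {
        $problems += "Unknown instance size '$InstanceSize'; check Table 1"
    } elseif ($Nics.Count -gt $MaxNics[$InstanceSize]) {
        $problems += "$InstanceSize allows $($MaxNics[$InstanceSize]) NICs, plan has $($Nics.Count)"
    }
    foreach ($nic in $Nics) {
        if (-not $Subnets.ContainsKey($nic.SubnetName)) {
            $problems += "$($nic.Name): subnet '$($nic.SubnetName)' does not exist in the VNet"; continue
        }
        if (-not (Test-IPInSubnet $nic.IPAddress $Subnets[$nic.SubnetName])) {
            $problems += "$($nic.Name): $($nic.IPAddress) is outside $($nic.SubnetName) ($($Subnets[$nic.SubnetName])); that NIC would black-hole"
        }
    }
    $names = @($Nics | ForEach-Object Name)
    if (@($names | Select-Object -Unique).Count -ne $names.Count) { $problems += 'NIC names must be unique within the VM' }
    return $problems
}

# The article's plan: default NIC on Frontend plus two additional NICs on an ExtraLarge (A4) VM.
$plan = @(
    @{ Name = 'Default';   SubnetName = 'Frontend'; IPAddress = '10.1.0.100' },
    @{ Name = 'Ethernet1'; SubnetName = 'Midtier';  IPAddress = '10.1.1.111' },
    @{ Name = 'Ethernet2'; SubnetName = 'Backend';  IPAddress = '10.1.2.222' }
)
$issues = Test-MultiNicPlan -InstanceSize 'ExtraLarge' -Nics $plan
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Plan is valid; safe to run New-AzureVM' }
```

Changing the size to 'Medium' or moving Ethernet2 to 10.1.3.222 makes the check report the corresponding problem instead of the success line.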

Note:
In case you were wondering whether you can use multiple NICs with non-Windows VMs such as those that run Linux or FreeBSD, the good news is that multiple NICs can be used with VMs running any supported platform in Azure.

Virtual Security Appliances

Multi-NIC machines are critical for setting up network security software on your virtual machines. You can install the operating system yourself and put the network security software on it, or you can make it easier on yourself and use network security appliances that you can get from the Azure Marketplace. If you do a search like this, you’ll find a number of network security appliances you can use on your Azure Virtual Networks. We have noticed that the search function is a little weak, so if there’s a specific appliance you’re interested in, make sure to search for *that* appliance. There’s a good chance it’s there and you just need to look for that specific one.

Not coincidentally, the support for multiple NICs in Azure was announced in conjunction with several partnerships with vendors such as Citrix and Riverbed who were bringing to the market network virtual appliances that required multiple NICs. At the TechEd Europe 2014 conference, Microsoft presented demonstrations of two such appliances: Citrix Netscaler and Riverbed Steelhead. You can also create virtual network appliances that use the Barracuda NG Firewall and Web Application Firewall images. All of these are available in the Azure image gallery in Azure Marketplace.

Summary

In this article we focused on multi-NIC virtual machines. This is a feature you need to have in order to get decent network security for VMs on your Azure Virtual Network, so kudos to Microsoft for adding this support to Azure. There are a number of things you need to be aware of when configuring multi-NIC VMs, and we talked about some of the most important issues. Once you have a good understanding of multi-NIC VMs, you will be ready to set up network security VMs. You can create your own, or use a virtual appliance from the Azure Marketplace.
