How to create a Linux virtual machine in Azure with multiple network interface cards

This article details how to create a VM with multiple NICs with the Azure CLI.

Create supporting resources

Install the latest Azure CLI and log in to an Azure account using az login.

In the following examples, replace example parameter names with your own values. Example parameter names included myResourceGroup, mystorageaccount, and myVM.

First, create a resource group with az group create. The following example creates a resource group named myResourceGroup in the eastus location:

az group create --name myResourceGroup --location eastus

Create the virtual network with az network vnet create. The following example creates a virtual network named myVnet and subnet named mySubnetFrontEnd:

az network vnet create \
    --resource-group myResourceGroup \
    --name myVnet \
    --address-prefix 10.0.0.0/16 \
    --subnet-name mySubnetFrontEnd \
    --subnet-prefix 10.0.1.0/24

Create a subnet for the back-end traffic with az network vnet subnet create. The following example creates a subnet named mySubnetBackEnd:

az network vnet subnet create \
    --resource-group myResourceGroup \
    --vnet-name myVnet \
    --name mySubnetBackEnd \
    --address-prefix 10.0.2.0/24

Create a network security group with az network nsg create. The following example creates a network security group named myNetworkSecurityGroup:

az network nsg create \
    --resource-group myResourceGroup \
    --name myNetworkSecurityGroup

Create and configure multiple NICs

Create two NICs with az network nic create. The following example creates two NICs, named myNic1 and myNic2, connected the network security group, with one NIC connecting to each subnet:

az network nic create \
    --resource-group myResourceGroup \
    --name myNic1 \
    --vnet-name myVnet \
    --subnet mySubnetFrontEnd \
    --network-security-group myNetworkSecurityGroup
az network nic create \
    --resource-group myResourceGroup \
    --name myNic2 \
    --vnet-name myVnet \
    --subnet mySubnetBackEnd \
    --network-security-group myNetworkSecurityGroup

Create a VM and attach the NICs

When you create the VM, specify the NICs you created with --nics. You also need to take care when you select the VM size. There are limits for the total number of NICs that you can add to a VM. Read more about Linux VM sizes.

Create a VM with az vm create. The following example creates a VM named myVM:

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image UbuntuLTS \
    --size Standard_DS3_v2 \
    --admin-username azureuser \
    --generate-ssh-keys \
    --nics myNic1 myNic2

Add routing tables to the guest OS by completing the steps in [Configure the guest OS for multiple NICs](#configure-guest-os-for- multiple-nics).

Add a NIC to a VM

The previous steps created a VM with multiple NICs. You can also add NICs to an existing VM with the Azure CLI. Different VM sizes support a varying number of NICs, so size your VM accordingly. If needed, you can resize a VM.

Create another NIC with az network nic create. The following example creates a NIC named myNic3 connected to the back-end subnet and network security group created in the previous steps:

az network nic create \
    --resource-group myResourceGroup \
    --name myNic3 \
    --vnet-name myVnet \
    --subnet mySubnetBackEnd \
    --network-security-group myNetworkSecurityGroup

To add a NIC to an existing VM, first deallocate the VM with az vm deallocate. The following example deallocates the VM named myVM:

az vm deallocate --resource-group myResourceGroup --name myVM

Add the NIC with az vm nic add. The following example adds myNic3 to myVM:

az vm nic add \
    --resource-group myResourceGroup \
    --vm-name myVM \
    --nics myNic3

Start the VM with az vm start:

az vm start --resource-group myResourceGroup --name myVM

Add routing tables to the guest OS by completing the steps in [Configure the guest OS for multiple NICs](#configure-guest-os-for- multiple-nics).

Remove a NIC from a VM

To remove a NIC from an existing VM, first deallocate the VM with az vm deallocate. The following example deallocates the VM named myVM:

az vm deallocate --resource-group myResourceGroup --name myVM

Remove the NIC with az vm nic remove. The following example removes myNic3 from myVM:

az vm nic remove \
    --resource-group myResourceGroup \
    --vm-name myVM \
    --nics myNic3

Start the VM with az vm start:

az vm start --resource-group myResourceGroup --name myVM

Create multiple NICs using Resource Manager templates

Azure Resource Manager templates use declarative JSON files to define your environment. You can read an overview of Azure Resource Manager. Resource Manager templates provide a way to create multiple instances of a resource during deployment, such as creating multiple NICs. You use copy to specify the number of instances to create:

"copy": {
    "name": "multiplenics"
    "count": "[parameters('count')]"
}

Read more about creating multiple instances using copy.

You can also use a copyIndex() to then append a number to a resource name, which allows you to create myNic1, myNic2, etc. The following shows an example of appending the index value:

"name": "[concat('myNic', copyIndex())]", 

You can read a complete example of creating multiple NICs using Resource Manager templates.

Add routing tables to the guest OS by completing the steps in [Configure the guest OS for multiple NICs](#configure-guest-os-for- multiple-nics).

Configure guest OS for multiple NICs

The previous steps created a virtual network and subnet, attached NICs, then created a VM. A public IP address and network security group rules that allow SSH traffic were not created. To configure the guest OS for multiple NICs, you need to allow remote connections and run commands locally on the VM.

To allow SSH traffic, create a network security group rule with az network nsg rule create as follows:

az network nsg rule create \
    --resource-group myResourceGroup \
    --nsg-name myNetworkSecurityGroup \
    --name allow_ssh \
    --priority 101 \
    --destination-port-ranges 22

Create a public IP address with az network public-ip create and assign it to the first NIC with az network nic ip-config update:

az network public-ip create --resource-group myResourceGroup --name myPublicIP

az network nic ip-config update \
    --resource-group myResourceGroup \
    --nic-name myNic1 \
    --name ipconfig1 \
    --public-ip myPublicIP

To view the public IP address of the VM, use az vm show as follows::

az vm show --resource-group myResourceGroup --name myVM -d --query publicIps -o tsv

Now SSH to the public IP address of your VM. The default username provided in a previous step was azureuser. Provide your own username and public IP address:

ssh azureuser@137.117.58.232

To send to or from a secondary network interface, you have to manually add persistent routes to the operating system for each secondary network interface. In this article, eth1 is the secondary interface. Instructions for adding persistent routes to the operating system vary by distro. See documentation for your distro for instructions.

When adding the route to the operating system, the gateway address is .1 for whichever subnet the network interface is in. For example, if the network interface is assigned the address 10.0.2.4, the gateway you specify for the route is 10.0.2.1. You can define a specific network for the route's destination, or specify a destination of 0.0.0.0, if you want all traffic for the interface to go through the specified gateway. The gateway for each subnet is managed by the virtual network.

Once you've added the route for a secondary interface, verify that the route is in your route table with route -n. The following example output is for the route table that has the two network interfaces added to the VM in this article:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
0.0.0.0         10.0.2.1        0.0.0.0         UG    0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
168.63.129.16   10.0.1.1        255.255.255.255 UGH   0      0        0 eth0
169.254.169.254 10.0.1.1        255.255.255.255 UGH   0      0        0 eth0

Confirm that the route you added persists across reboots by checking your route table again after a reboot. To test connectivity, you can enter the following command, for example, where eth1 is the name of a secondary network interface:

ping bing.com -c 4 -I eth1

Next steps

Review Linux VM sizes when trying to creating a VM with multiple NICs. Pay attention to the maximum number of NICs each VM size supports.

To further secure your VMs, use just in time VM access. This feature opens network security group rules for SSH traffic when needed, and for a defined period of time. For more information, see Manage virtual machine access using just in time.