Best Practices for running a Windows VM on Azure
This article outlines a set of proven practices for running a Windows virtual machine (VM) on Azure, paying attention to scalability, availability, manageability, and security.
Azure has two different deployment models: Azure Resource Manager and classic. This article uses Resource Manager, which Microsoft recommends for new deployments.
We don't recommend using a single VM for mission critical workloads, because it creates a single point of failure. For higher availability, deploy multiple VMs in an availability set. For more information, see Running multiple VMs on Azure.
Provisioning a VM in Azure involves more moving parts than just the VM itself. There are compute, networking, and storage elements.
A Visio document that includes this architecture diagram is available for download from the Microsoft download center. This diagram is on the "Compute - single VM" page.
- Resource group. A resource group is a container that holds related resources. Create a resource group to hold the resources for this VM.
- VM. You can provision a VM from a list of published images or from a virtual hard disk (VHD) file that you upload to Azure Blob storage.
- OS disk. The OS disk is a VHD stored in Azure Storage. That means it persists even if the host machine goes down.
- Temporary disk. The VM is created with a temporary disk (the
D:drive on Windows). This disk is stored on a physical drive on the host machine. It is not saved in Azure Storage, and might be deleted during reboots and other VM lifecycle events. Use this disk only for temporary data, such as page or swap files.
- Data disks. A data disk is a persistent VHD used for application data. Data disks are stored in Azure Storage, like the OS disk.
- Virtual network (VNet) and subnet. Every VM in Azure is deployed into a VNet that is further divided into subnets.
- Public IP address. A public IP address is needed to communicate with the VM—for example over remote desktop (RDP).
- Network interface (NIC). The NIC enables the VM to communicate with the virtual network.
- Network security group (NSG). The NSG is used to allow/deny network traffic to the subnet. You can associate an NSG with an individual NIC or with a subnet. If you associate it with a subnet, the NSG rules apply to all VMs in that subnet.
- Diagnostics. Diagnostic logging is crucial for managing and troubleshooting the VM.
The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.
Azure offers many different virtual machine sizes, but we recommend the DS- and GS-series because these machine sizes support Premium Storage. Select one of these machine sizes unless you have a specialized workload such as high-performance computing. For details, see virtual machine sizes.
If you are moving an existing workload to Azure, start with the VM size that's the closest match to your on-premises servers. Then measure the performance of your actual workload with respect to CPU, memory, and disk input/output operations per second (IOPS), and adjust the size if needed. If you require multiple NICs for your VM, be aware that the maximum number of NICs is a function of the VM size.
When you provision the VM and other resources, you must specify a region. Generally, choose a region closest to your internal users or customers. However, not all VM sizes may be available in all regions. For details, see services by region. To see a list of the VM sizes available in a given region, run the following Azure command-line interface (CLI) command:
azure vm sizes --location <location>
For information about choosing a published VM image, see Navigate and select Windows virtual machine images in Azure with Powershell or CLI.
Disk and storage recommendations
For best disk I/O performance, we recommend Premium Storage, which stores data on solid state drives (SSDs). Cost is based on the size of the provisioned disk. IOPS and throughput also depend on disk size, so when you provision a disk, consider all three factors (capacity, IOPS, and throughput).
Create separate Azure storage accounts for each VM to hold the virtual hard disks (VHDs) in order to avoid hitting the IOPS limits for storage accounts.
Add one or more data disks. When you create a new VHD, it is unformatted. Log into the VM to format the disk. If you have a large number of data disks, be aware of the total I/O limits of the storage account. For more information, see virtual machine disk limits.
When possible, install applications on a data disk, not the OS disk. However, some legacy applications might need to install components on the C: drive. In that case, you can resize the OS disk using PowerShell.
For best performance, create a separate storage account to hold diagnostic logs. A standard locally redundant storage (LRS) account is sufficient for diagnostic logs.
The public IP address can be dynamic or static. The default is dynamic.
- Reserve a static IP address if you need a fixed IP address that won't change — for example, if you need to create an A record in DNS, or need the IP address to be added to a safe list.
- You can also create a fully qualified domain name (FQDN) for the IP address. You can then register a CNAME record in DNS that points to the FQDN. For more information, see create a fully qualified domain name in the Azure portal.
All NSGs contain a set of default rules, including a rule that blocks all inbound Internet traffic. The default rules cannot be deleted, but other rules can override them. To enable Internet traffic, create rules that allow inbound traffic to specific ports — for example, port 80 for HTTP.
To enable RDP, add an NSG rule that allows inbound traffic to TCP port 3389.
You can scale a VM up or down by changing the VM size. To scale out horizontally, put two or more VMs into an availability set behind a load balancer. For details, see Running multiple VMs on Azure for scalability and availability.
For higher availabiility, deploy multiple VMs in an availability set. This also provides a higher service level agreement (SLA).
VHDs are stored in Azure storage, and Azure storage is replicated for durability and availability.
To protect against accidental data loss during normal operations (for example, because of user error), you should also implement point-in-time backups, using blob snapshots or another tool.
Resource groups. Put tightly-coupled resources that share the same life cycle into the same resource group. Resource groups allow you to deploy and monitor resources as a group and roll up billing costs by resource group. You can also delete resources as a set, which is very useful for test deployments. Give resources meaningful names. That makes it easier to locate a specific resource and understand its role. See Recommended Naming Conventions for Azure Resources.
VM diagnostics. Enable monitoring and diagnostics, including basic health metrics, diagnostics infrastructure logs, and boot diagnostics. Boot diagnostics can help you diagnose a boot failure if your VM gets into a nonbootable state. For more information, see Enable monitoring and diagnostics. Use the Azure Log Collection extension to collect Azure platform logs and upload them to Azure storage.
The following CLI command enables diagnostics:
azure vm enable-diag <resource-group> <vm-name>
Stopping a VM. Azure makes a distinction between "stopped" and "deallocated" states. You are charged when the VM status is stopped, but not when the VM is deallocated.
Use the following CLI command to deallocate a VM:
azure vm deallocate <resource-group> <vm-name>
In the Azure portal, the Stop button deallocates the VM. However, if you shut down through the OS while logged in, the VM is stopped but not deallocated, so you will still be charged.
Deleting a VM. If you delete a VM, the VHDs are not deleted. That means you can safely delete the VM without losing data. However, you will still be charged for storage. To delete the VHD, delete the file from Blob storage.
To prevent accidental deletion, use a resource lock to lock the entire resource group or lock individual resources, such as the VM.
Use Azure Security Center to get a central view of the security state of your Azure resources. Security Center monitors potential security issues and provides a comprehensive picture of the security health of your deployment. Security Center is configured per Azure subscription. Enable security data collection as described in Use Security Center. When data collection is enabled, Security Center automatically scans any VMs created under that subscription.
Patch management. If enabled, Security Center checks whether security and critical updates are missing. Use Group Policy settings on the VM to enable automatic system updates.
Antimalware. If enabled, Security Center checks whether antimalware software is installed. You can also use Security Center to install antimalware software from inside the Azure portal.
Operations. Use role-based access control (RBAC) to control access to the Azure resources that you deploy. RBAC lets you assign authorization roles to members of your DevOps team. For example, the Reader role can view Azure resources but not create, manage, or delete them. Some roles are specific to particular Azure resource types. For example, the Virtual Machine Contributor role can restart or deallocate a VM, reset the administrator password, create a new VM, and so forth. Other built-in RBAC roles that might be useful for this reference architecture include DevTest Labs User and Network Contributor. A user can be assigned to multiple roles, and you can create custom roles for even more fine-grained permissions.
RBAC does not limit the actions that a user logged into a VM can perform. Those permissions are determined by the account type on the guest OS.
To reset the local administrator password, run the
vm reset-access Azure CLI command.
azure vm reset-access -u <user> -p <new-password> <resource-group> <vm-name>
Use audit logs to see provisioning actions and other VM events.
Data encryption. Consider Azure Disk Encryption if you need to encrypt the OS and data disks.
A deployment for this reference architecture is available on GitHub. It includes a VNet, NSG, and a single VM. To deploy the architecture, follow these steps:
- Right click the button below and select either "Open link in new tab" or "Open link in new window."
Once the link has opened in the Azure portal, you must enter values for some of the settings:
- The Resource group name is already defined in the parameter file, so select Create New and enter
ra-single-vm-rgin the text box.
- Select the region from the Location drop down box.
- Do not edit the Template Root Uri or the Parameter Root Uri text boxes.
- Select windows in the Os Type drop down box.
- Review the terms and conditions, then click the I agree to the terms and conditions stated above checkbox.
- Click on the Purchase button.
- The Resource group name is already defined in the parameter file, so select Create New and enter
- Wait for the deployment to complete.
- The parameter files include a hard-coded administrator user name and password, and it is strongly recommended that you immediately change both. Click on the VM named
ra-single-vm0in the Azure portal. Then, click on Reset password in the Support + troubleshooting blade. Select Reset password in the Mode dropdown box, then select a new User name and Password. Click the Update button to persist the new user name and password.
For information on additional ways to deploy this reference architecture, see the readme file in the guidance-single-vm] Github folder.
Customize the deployment
If you need to change the deployment to match your needs, follow the instructions in the readme.
For higher availability, deploy two or more VMs behind a load balancer. For more information, see Running multiple VMs on Azure.