Create a Windows virtual machine with Accelerated Networking

Important

Virtual machines must be created with Accelerated Networking enabled. This feature cannot be enabled on existing virtual machines. You can follow the steps below to enable accelerated networking

  1. Delete the virtual machine
  2. Recreate the virtual machine with accelerated networking enabled

In this tutorial, you learn how to create a Windows virtual machine (VM) with Accelerated Networking. Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. This high-performance path bypasses the host from the datapath, reducing latency, jitter, and CPU utilization, for use with the most demanding network workloads on supported VM types. The following picture shows communication between two VMs with and without accelerated networking:

Comparison

Without accelerated networking, all networking traffic in and out of the VM must traverse the host and the virtual switch. The virtual switch provides all policy enforcement, such as network security groups, access control lists, isolation, and other network virtualized services to network traffic. To learn more about virtual switches, read the Hyper-V network virtualization and virtual switch article.

With accelerated networking, network traffic arrives at the VM's network interface (NIC), and is then forwarded to the VM. All network policies that the virtual switch applies are now offloaded and applied in hardware. Applying policy in hardware enables the NIC to forward network traffic directly to the VM, bypassing the host and the virtual switch, while maintaining all the policy it applied in the host.

The benefits of accelerated networking only apply to the VM that it is enabled on. For the best results, it is ideal to enable this feature on at least two VMs connected to the same Azure Virtual Network (VNet). When communicating across VNets or connecting on-premises, this feature has minimal impact to overall latency.

Benefits

  • Lower Latency / Higher packets per second (pps): Removing the virtual switch from the datapath removes the time packets spend in the host for policy processing and increases the number of packets that can be processed inside the VM.
  • Reduced jitter: Virtual switch processing depends on the amount of policy that needs to be applied and the workload of the CPU that is doing the processing. Offloading the policy enforcement to the hardware removes that variability by delivering packets directly to the VM, removing the host to VM communication and all software interrupts and context switches.
  • Decreased CPU utilization: Bypassing the virtual switch in the host leads to less CPU utilization for processing network traffic.

Supported operating systems

Microsoft Windows Server 2012 R2 Datacenter and Windows Server 2016.

Supported VM instances

Accelerated Networking is supported on most general purpose and compute-optimized instance sizes with 4 or more vCPUs. On instances such as D/DSv3 or E/ESv3 that support hyperthreading, Accelerated Networking is supported on VM instances with 8 or more vCPUs. Supported series are: D/DSv2, D/DSv3, E/ESv3, F/Fs/Fsv2, and Ms/Mms.

For more information on VM instances, see Windows VM sizes.

Regions

Available in all public Azure regions and Azure Government Cloud.

Limitations

The following limitations exist when using this capability:

  • Network interface creation: Accelerated networking can only be enabled for a new NIC. It cannot be enabled for an existing NIC.
  • VM creation: A NIC with accelerated networking enabled can only be attached to a VM when the VM is created. The NIC cannot be attached to an existing VM. If adding the VM to an existing availability set, all VMs in the availability set must also have accelerated networking enabled.
  • Deployment through Azure Resource Manager only: Virtual machines (classic) cannot be deployed with Accelerated Networking.

Create a virtual network

Install Azure PowerShell version 5.1.1 or later. To find your currently installed version, run Get-Module -ListAvailable AzureRM. If you need to install or upgrade, install the latest version of the AzureRM module from the PowerShell Gallery. In a PowerShell session, log in to an Azure account using Add-AzureRmAccount.

In the following examples, replace example parameter names with your own values. Example parameter names included myResourceGroup, myNic, and myVM.

Create a resource group with New-AzureRmResourceGroup. The following example creates a resource group named myResourceGroup in the centralus location:

New-AzureRmResourceGroup -Name "myResourceGroup" -Location "centralus"

First, create a subnet configuration with New-AzureRmVirtualNetworkSubnetConfig. The following example creates a subnet named mySubnet:

$subnet = New-AzureRmVirtualNetworkSubnetConfig `
    -Name "mySubnet" `
    -AddressPrefix "192.168.1.0/24"

Create a virtual network with New-AzureRmVirtualNetwork, with the mySubnet subnet.

$vnet = New-AzureRmVirtualNetwork -ResourceGroupName "myResourceGroup" `
    -Location "centralus" `
    -Name "myVnet" `
    -AddressPrefix "192.168.0.0/16" `
    -Subnet $Subnet

Create a network security group

First, create a network security group rule with New-AzureRmNetworkSecurityRuleConfig.

$rdp = New-AzureRmNetworkSecurityRuleConfig `
    -Name 'Allow-RDP-All' `
    -Description 'Allow RDP' `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 100 `
    -SourceAddressPrefix * `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 3389

Create a network security group with New-AzureRmNetworkSecurityGroup and assign the Allow-RDP-All security rule to it. In addition to the Allow-RDP-All rule, the network security group contains several default rules. One default rule disables all inbound access from the Internet, which is why the Allow-RDP-All rule is assigned to the network security group so that you can remotely connect to the virtual machine, once it's created.

$nsg = New-AzureRmNetworkSecurityGroup `
    -ResourceGroupName myResourceGroup `
    -Location centralus `
    -Name "myNsg" `
    -SecurityRules $rdp

Associate the network security group to the mySubnet subnet with Set-AzureRmVirtualNetworkSubnetConfig. The rule in the network security group is effective for all resources deployed in the subnet.

Set-AzureRmVirtualNetworkSubnetConfig `
    -VirtualNetwork $vnet `
    -Name 'mySubnet' `
    -AddressPrefix "192.168.1.0/24" `
    -NetworkSecurityGroup $nsg

Create a network interface with accelerated networking

Create a public IP address with New-AzureRmPublicIpAddress. A public IP address isn't required if you don't plan to access the virtual machine from the Internet, but to complete the steps in this article, it is required.

$publicIp = New-AzureRmPublicIpAddress `
    -ResourceGroupName myResourceGroup `
    -Name 'myPublicIp' `
    -location centralus `
    -AllocationMethod Dynamic

Create a network interface with New-AzureRmNetworkInterface with accelerated networking enabled and assign the public IP address to the network interface. The following example creates a network interface named myNic in the mySubnet subnet of the myVnet virtual network and assigns the myPublicIp public IP address to it:

$nic = New-AzureRmNetworkInterface `
    -ResourceGroupName "myResourceGroup" `
    -Name "myNic" `
    -Location "centralus" `
    -SubnetId $vnet.Subnets[0].Id `
    -PublicIpAddressId $publicIp.Id `
    -EnableAcceleratedNetworking

Create the virtual machine

Set your VM credentials to the $cred variable using Get-Credential:

$cred = Get-Credential

First, define your VM with New-AzureRmVMConfig. The following example defines a VM named myVM with a VM size that supports Accelerated Networking (Standard_DS4_v2):

$vmConfig = New-AzureRmVMConfig -VMName "myVm" -VMSize "Standard_DS4_v2"

For a list of all VM sizes and characteristics, see Windows VM sizes.

Create the rest of your VM configuration with Set-AzureRmVMOperatingSystem and Set-AzureRmVMSourceImage. The following example creates a Windows Server 2016 VM:

$vmConfig = Set-AzureRmVMOperatingSystem -VM $vmConfig `
    -Windows `
    -ComputerName "myVM" `
    -Credential $cred `
    -ProvisionVMAgent `
    -EnableAutoUpdate
$vmConfig = Set-AzureRmVMSourceImage -VM $vmConfig `
    -PublisherName "MicrosoftWindowsServer" `
    -Offer "WindowsServer" `
    -Skus "2016-Datacenter" `
    -Version "latest"

Attach the network interface that you previously created with Add-AzureRmVMNetworkInterface:

$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $nic.Id

Finally, create your VM with New-AzureRmVM:

New-AzureRmVM -VM $vmConfig -ResourceGroupName "myResourceGroup" -Location "centralus"

Confirm the driver is installed in the operating system

Once you create the VM in Azure, connect to the VM and confirm that the driver is installed in Windows.

  1. From an Internet browser, open the Azure portal and sign in with your Azure account.
  2. In the box that contains the text Search resources at the top of the Azure portal, type myVm. When myVm appears in the search results, click it. If Creating is visible under the Connect button, Azure has not yet finished creating the VM. Click Connect in the top left corner of the overview only after you no longer see Creating under the Connect button.
  3. Enter the username and password you entered in Create the virtual machine. If you've never connected to a Windows VM in Azure, see Connect to virtual machine.
  4. Right-click the Windows Start button and click Device Manager. Expand the Network adapters node. Confirm that the Mellanox ConnectX-3 Virtual Function Ethernet Adapter appears, as shown in the following picture:

    Device Manager

Accelerated Networking is now enabled for your VM.