Run a Windows virtual machine on Azure Stack Hub

Provisioning a virtual machine (VM) in Azure Stack Hub requires some additional components besides the VM itself, including networking and storage resources. This article shows best practices for running a Windows VM on Azure.

Windows VM architecture on Azure Stack Hub

Resource group

A resource group is a logical container that holds related Azure Stack Hub resources. In general, group resources based on their lifetime and who will manage them.

Put closely associated resources that share the same lifecycle into the same resource group. Resource groups allow you to deploy and monitor resources as a group and track billing costs by resource group. You can also delete resources as a set, which is useful for test deployments. Assign meaningful resource names to simplify locating a specific resource and understanding its role. For more information, see Recommended Naming Conventions for Azure Resources.

Virtual machine

You can provision a VM from a list of published images, or from a custom managed image or virtual hard disk (VHD) file uploaded to Azure Stack Hub Blob storage.

Azure Stack Hub offers virtual machine sizes that differ from those in Azure. For more information, see Sizes for virtual machines in Azure Stack Hub. If you are moving an existing workload to Azure Stack Hub, start with the VM size that is the closest match to your on-premises servers or Azure VMs. Then measure the performance of your actual workload in terms of CPU, memory, and disk input/output operations per second (IOPS), and adjust the size as needed.

Disks

Cost is based on the capacity of the provisioned disk. IOPS and throughput (that is, data transfer rate) depend on VM size, so when you provision a disk, consider all three factors (capacity, IOPS, and throughput).

Disk IOPS (input/output operations per second) on Azure Stack Hub is a function of the VM size, not of the disk type. This means that for a Standard_Fs series VM, regardless of whether you choose SSD or HDD as the disk type, the IOPS limit for a single additional data disk is 2300 IOPS. The IOPS limit imposed is a cap (the maximum possible) to prevent noisy neighbors; it is not an assurance of the IOPS you will get on a specific VM size.

We also recommend using Managed Disks. Managed disks simplify disk management by handling the storage for you. Managed disks do not require a storage account. You simply specify the size and type of disk and it is deployed as a highly available resource.

The OS disk is a VHD stored in Azure Stack Hub Blob storage, so it persists even when the host machine is down. We also recommend creating one or more data disks, which are persistent VHDs used for application data. When possible, install applications on a data disk, not the OS disk. Some legacy applications might need to install components on the C: drive; in that case, you can resize the OS disk using PowerShell.

The VM is also created with a temporary disk (the D: drive on Windows). This disk is stored on a temporary volume in the Azure Stack Hub storage infrastructure. It may be deleted during reboots and other VM lifecycle events. Use this disk only for temporary data, such as page or swap files.

Network

The networking components include the following resources:

  • Virtual network. Every VM is deployed into a virtual network that can be segmented into multiple subnets.

  • Network interface (NIC). The NIC enables the VM to communicate with the virtual network. If you need multiple NICs for your VM, be aware that a maximum number of NICs is defined for each VM size.

  • Public IP address/VIP. A public IP address is needed to communicate with the VM — for example, via remote desktop (RDP). The public IP address can be dynamic or static. The default is dynamic.

  • Reserve a static IP address if you need a fixed IP address that won't change — for example, if you need to create a DNS 'A' record or add the IP address to a safe list.

  • You can also create a fully qualified domain name (FQDN) for the IP address. You can then register a CNAME record in DNS that points to the FQDN. For more information, see Create a fully qualified domain name in the Azure portal.

  • Network security group (NSG). NSGs are used to allow or deny network traffic to VMs. NSGs can be associated either with subnets or with individual VM instances.

All NSGs contain a set of default rules, including a rule that blocks all inbound Internet traffic. The default rules cannot be deleted, but other rules can override them. To enable Internet traffic, create rules that allow inbound traffic to specific ports — for example, port 80 for HTTP. To enable RDP, add an NSG rule that allows inbound traffic to TCP port 3389.
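As an added example (not code from the original article), the following Az PowerShell block builds the two rules described above and attaches the NSG to a VM's NIC; it goes one step beyond the text by limiting the RDP rule to an administrative source range instead of the whole Internet. It assumes the Az modules are installed and a session is already connected to an Azure Stack Hub user subscription; the resource names, the location "local" and the admin range are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes a connected Az session
# against an Azure Stack Hub user subscription. All names below are constructed.
$rgName    = "rg-winvm-example"
$location  = "local"
$nicName   = "nic-win-app01"
$adminCidr = "203.0.113.0/24"   # constructed: the only range allowed to open RDP

# Rule 1: HTTP on TCP 80 from the Internet. Priority 100 sits well below the
# built-in default rules (65000+), so it overrides the default inbound deny.
$httpRule = New-AzNetworkSecurityRuleConfig -Name "Allow-HTTP-80" `
    -Description "Allow inbound HTTP" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80

# Rule 2: RDP on TCP 3389, but only from the admin range rather than "Internet".
$rdpRule = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-3389-Admin" `
    -Description "Allow RDP from the admin network only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix $adminCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -Name "nsg-win-app01" -ResourceGroupName $rgName `
    -Location $location -SecurityRules $httpRule, $rdpRule

# Associate the NSG with the VM's NIC (it could equally be bound to the subnet).
$nic = Get-AzNetworkInterface -ResourceGroupName $rgName -Name $nicName
$nic.NetworkSecurityGroup = $nsg
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Review the effective rule set: your rules plus the default rules, which
# cannot be deleted but are evaluated after any lower-numbered custom rule.
$nsg.SecurityRules        | Select-Object Name, Priority, Access, DestinationPortRange
$nsg.DefaultSecurityRules | Select-Object Name, Priority, Access, Direction
```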

Operations

Diagnostics. Enable monitoring and diagnostics, including basic health metrics, diagnostics infrastructure logs, and boot diagnostics. Boot diagnostics can help you diagnose boot failure if your VM gets into a non-bootable state. Create an Azure Storage account to store the logs. A standard locally redundant storage (LRS) account is sufficient for diagnostic logs. For more information, see Enable monitoring and diagnostics.

Availability. Your VM may be subject to a reboot due to planned maintenance as scheduled by the Azure Stack Hub operator. For high availability of a multi-VM production system in Azure, VMs are placed in an availability set that spreads them across multiple fault domains and update domains. In the smaller scale of Azure Stack Hub, a fault domain in an availability set is defined as a single node in the scale unit.

While the infrastructure of Azure Stack Hub is already resilient to failures, the underlying technology (failover clustering) still incurs some downtime for VMs on an impacted physical server if there is a hardware failure. Azure Stack Hub supports an availability set with a maximum of three fault domains, to be consistent with Azure.

Fault domains. VMs placed in an availability set will be physically isolated from each other by spreading them as evenly as possible over multiple fault domains (Azure Stack Hub nodes). If there is a hardware failure, VMs from the failed fault domain will be restarted in other fault domains. They will be kept in separate fault domains from the other VMs but in the same availability set if possible. When the hardware comes back online, VMs will be rebalanced to maintain high availability.

Update domains. Update domains are another way that Azure provides high availability in availability sets. An update domain is a logical group of underlying hardware that can undergo maintenance at the same time. VMs located in the same update domain will be restarted together during planned maintenance. As tenants create VMs within an availability set, the Azure platform automatically distributes VMs across these update domains.

In Azure Stack Hub, VMs are live migrated across the other online hosts in the cluster before their underlying host is updated. Since there is no tenant downtime during a host update, the update domain feature on Azure Stack Hub only exists for template compatibility with Azure. VMs in an availability set will show 0 as their update domain number on the portal.
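As an added example (not code from the original article), this Az PowerShell block creates an availability set with the three fault domains described above, shows how a VM configuration joins it, and then reads back each member VM's fault and update domain from the instance view so you can confirm the placement. It assumes a connected Az session against an Azure Stack Hub user subscription; the resource names, the location "local" and the VM size are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes a connected Az session
# against an Azure Stack Hub user subscription. Names below are constructed.
$rgName    = "rg-winvm-example"
$location  = "local"
$avSetName = "avset-web"

# Three fault domains is the Azure Stack Hub maximum; a single update domain
# is enough because host updates use live migration and the portal reports 0.
# -Sku Aligned is required for VMs that use managed disks.
$avSet = New-AzAvailabilitySet -ResourceGroupName $rgName -Name $avSetName `
    -Location $location -Sku Aligned `
    -PlatformFaultDomainCount 3 -PlatformUpdateDomainCount 1

# A VM joins the set at creation time through its configuration object.
# (The remaining VM configuration - image, credentials, NIC - is not shown.)
$vmConfig = New-AzVMConfig -VMName "vm-web01" -VMSize "Standard_F2s" `
    -AvailabilitySetId $avSet.Id

# After the VMs are deployed, list where each member actually landed.
function Get-AvailabilitySetPlacement {
    param([string]$ResourceGroupName, [string]$Name)
    $set = Get-AzAvailabilitySet -ResourceGroupName $ResourceGroupName -Name $Name
    foreach ($ref in $set.VirtualMachinesReferences) {
        $vmName = $ref.Id.Split('/')[-1]
        # The -Status form returns the instance view, which carries the domains.
        $view = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vmName -Status
        [pscustomobject]@{
            VM           = $vmName
            FaultDomain  = $view.PlatformFaultDomain
            UpdateDomain = $view.PlatformUpdateDomain
        }
    }
}

Get-AvailabilitySetPlacement -ResourceGroupName $rgName -Name $avSetName |
    Format-Table -AutoSize
```

Two VMs reporting the same FaultDomain value share a node and will go down together on a hardware failure, which is the condition the availability set is meant to avoid.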

Backups. For recommendations on protecting your Azure Stack Hub IaaS VMs, see Protect VMs deployed on Azure Stack Hub.

Stopping a VM. Azure makes a distinction between "stopped" and "deallocated" states. You are charged when the VM status is stopped, but not when the VM is deallocated. In the Azure Stack Hub portal, the Stop button deallocates the VM. If you shut down through the OS while logged in, the VM is stopped but not deallocated, so you will still be charged.

Deleting a VM. If you delete a VM, the VM disks are not deleted. That means you can safely delete the VM without losing data. However, you will still be charged for storage. To delete the VM disk, delete the managed disk object. To prevent accidental deletion, use a resource lock to lock the entire resource group or lock individual resources, such as a VM.
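As an added example covering the two preceding paragraphs (not code from the original article), this Az PowerShell block shows the difference between a deallocating stop and a stopped-but-still-allocated VM by reading the power state code, and then applies a CanNotDelete lock so the VM and its surviving disks cannot be removed by accident. It assumes a connected Az session against an Azure Stack Hub user subscription and an existing VM; the names are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes a connected Az session
# and an existing VM; the names below are constructed placeholders.
$rgName = "rg-winvm-example"
$vmName = "vm-win-app01"

function Get-VmPowerState {
    param([string]$ResourceGroupName, [string]$Name)
    # The instance view lists status codes such as PowerState/running,
    # PowerState/stopped (compute still allocated and billed) and
    # PowerState/deallocated (not billed for compute).
    $view = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Status
    ($view.Statuses | Where-Object { $_.Code -like 'PowerState/*' }).Code
}

# Stop-AzVM deallocates by default, the same effect as the portal Stop button.
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force | Out-Null
Get-VmPowerState -ResourceGroupName $rgName -Name $vmName

# -StayProvisioned stops the guest but keeps the compute allocated, which is
# the billed state you also get by shutting down from inside the OS.
Start-AzVM -ResourceGroupName $rgName -Name $vmName | Out-Null
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -StayProvisioned -Force | Out-Null
Get-VmPowerState -ResourceGroupName $rgName -Name $vmName

# Deleting the VM would leave its managed disks (and their storage charges)
# behind; a CanNotDelete lock on the group stops a careless delete of either.
New-AzResourceLock -LockName "no-delete-rg" -LockLevel CanNotDelete `
    -ResourceGroupName $rgName -LockNotes "Production VM and data disks" -Force | Out-Null

# Alternatively lock just the VM resource itself.
New-AzResourceLock -LockName "no-delete-vm" -LockLevel CanNotDelete `
    -ResourceGroupName $rgName -ResourceName $vmName `
    -ResourceType "Microsoft.Compute/virtualMachines" -Force | Out-Null

# Review the locks in place; remove one with Remove-AzResourceLock when a
# deliberate deletion is needed.
Get-AzResourceLock -ResourceGroupName $rgName | Select-Object Name, ResourceName, Properties
```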

Security considerations

Onboard your VMs to Azure Security Center to get a central view of the security state of your Azure resources. Security Center monitors potential security issues and provides a comprehensive picture of the security health of your deployment. Security Center is configured per Azure subscription. Enable security data collection as described in Onboard your Azure subscription to Security Center Standard. When data collection is enabled, Security Center automatically scans any VMs created under that subscription.

Patch management. To configure patch management on your VM, refer to this article. If enabled, Security Center checks whether any security and critical updates are missing. Use Group Policy settings on the VM to enable automatic system updates.

Antimalware. If enabled, Security Center checks whether antimalware software is installed. You can also use Security Center to install antimalware software from inside the Azure portal.

Access control. Use role-based access control (RBAC) to control access to Azure resources. RBAC lets you assign authorization roles to members of your DevOps team. For example, the Reader role can view Azure resources but not create, manage, or delete them. Some permissions are specific to an Azure resource type. For example, the Virtual Machine Contributor role can restart or deallocate a VM, reset the administrator password, create a new VM, and so on. Other built-in RBAC roles that may be useful for this architecture include DevTest Labs User and Network Contributor.

Note

RBAC does not limit the actions that a user logged into a VM can perform. Those permissions are determined by the account type on the guest OS.

Audit logs. Use activity logs to see provisioning actions and other VM events.

Data encryption. Azure Stack Hub uses BitLocker 128-bit AES encryption to protect user and infrastructure data at rest in the storage subsystem. For more information, see Data at rest encryption in Azure Stack Hub.

Next steps