1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Create and Manage Virtual Machines for Azure 70-532 Certification

Configure VM Networking


Start course


Course Description

This course will show you how to create and manage virtual machines in the Azure ecosystem. 

Course Objectives

By the end of this course, you'll have gained a firm understanding of the key components that comprise the Azure virtual machine ecosystem. Ideally, you will achieve the following learning objectives:

  • How to create and manage virtual machines in the Azure environment. 
  • How to create and manage VM images, workloads, and more. 
  • How to monitor your Azure virtual machines. 

Intended Audience

This course is intended for individuals who wish to pursue the Azure 70-532 certification.


You should have work experience with Azure and general cloud computing knowledge.

This Course Includes

  • 59 minutes of high-definition video.
  • Expert-led instruction and exploration of important concepts surrounding Azure virtual machines.

What You Will Learn

  • The concepts behind VM workloads.
  • How to create and manage Azure VM images.
  • Azure VM configuration management.
  • Azure VM networking.
  • How to scale Azure virtual machines.
  • How to design and implement Azure VM storage.
  • How to monitor your Azure virtual machines.  


Hello, and welcome back. In this section, we'll learn how to configure the networking stack of a VM.

Let's briefly cover what we'll be going over. Firstly, we'll discuss traffic within the context of virtual machines, IP addresses, DNS, load balances, and health probes. Next, we'll look at the security elements of networking such as the Network Security Groups and firewalls, and then finally we'll look at a couple of the aspects of endpoint configuration, Direct Server Return, and Keep-Alives.

Let's start by discussing public IP addresses for virtual machines. It's important to understand that a virtual machine in an Azure sits behind what is effectively a load balancer, also known as a cloud service in Azure terms. The load balancer, by default, acts as the public facing endpoint to the Internet. It contains a public IP address. Behind this sits the VM, which has private virtual IP addresses, traffic is routed via the load balancer's VM, and specific ports can be opened up on the load balancer and maps to ports on a VM.

We'll now discuss two aspects of IP addresses on virtual machines. Reserved and public IP addresses. By default, the public IP address of a load balancer is not fixed. If the service is shut down, and it starts up again it may be allocated at a different IP address. To prevent this from happening, you can reserve the public IP address for the load balancer so that it remains fixed even when the service is deallocated. You may have need to expose a virtual machine directly out to the Internet, side-stepping the load balancer completely. For example, you may need requests to have a direct IP address for VM for responses. Or need dynamically opened ports for callers to access, such as passive FTP. Therefore you can create an Instance level IP address for the virtual machine and eliminate the load balancer import mapping.

In this demo, we'll illustrate how to create a public Instance IP address for a virtual machine, Before also showing how to reserve an IP address for the load balancer. We'll start in the usual portal, where we already have a virtual machine provisioned over a cloud service front end.

We can now go ahead and create a public IP address for the virtual machine. What you'll need to do is navigate to the cloud service, so if we click on "Cloud Services" here, on the left menu... We can select the cloud service that has our VM contained within it. So we select that... And then on the far panel that's opened up, You can select the VM directly from here. And then navigate to the IP Addresses configuration section underneath the Settings sub-menu here. First thing we'll need to do is switch "ON" our Instance IP address. We now have a public IP address directly to the virtual machine. And we can also remove it, just by clicking "OFF" again.

Now let's look at setting up a reserved IP address. We can see in the IP address pane that the Virtual IP address is Dynamic. We want to set this Restricted. For this, we'll need to go to PowerShell. Here, I've already opened a PowerShell instance and set the Azure subscription as appropriate. We used a new Azure reserved IP command to reserve the IP that we had in our overviews panel. Here's the command in a Notepad file, new Azure reserved IP, with the reserved IP name of MyReservedIP, Location of North Europe, and the Service Name which is the same as the deployment label on the overview panel. If we take all of this and then put it into the PowerShell window, We'll see that it will reserve the IP for us.

You can see that the PowerShell command has been executed successfully. If we now take a look at the IP Address panel on the Azure portal, we'll see that the Virtual IP Address should now show as Reserved. So let's take a look... I'm in the Azure portal, I've got the cloud service for our virtual machine here, and I'm going to click on the virtual machine that's inside that cloud service... And if we select the IP Addresses option, We can now see that the IP Address, the Virtual IP Address, has now been reserved.

When you create a new virtual machine from the Marketplace, it will by default position its virtual machine into a VNet for you. VNets are extremely useful, as they open up possibilities such as a Hybrid on-premise stroke cloud network. As well as the possibility to allow secure network traffic between multiple virtual machines and cloud services in Azure.

Without a virtual network, VM instances moving within the same service can freely communicate with one another but not to other services. Putting multiple services in the same VNet overcomes this restriction. When you create a virtual machine, there are several options you have regarding domain name resolution, or DNS. Use your own DNS service, or use the Azure-provided DNS. As you can see, the former allows more control particularly within Hybrid solutions, but requires provisioning and management of DNS yourself. The latter is provided by Azure when you create a virtual machine and will suffice in many situations.

You can easily load balance traffic on a set of virtual machines in Azure, provided that they sit behind the same load balancer or cloud service. This allows you to scale up instances of a virtual machine and improve performance to consumers of an endpoint such as HTTP traffic. You can then elect to load balance inbound traffic either publicly or privately. The former is known as Azure load balancer, whilst the latter is known as the Azure internal load balancer.

Let's review the three options. Without the load balancer, all traffic for a specific endpoint will root to the same single node. With the external load balancer, traffic will root all nodes in an equal manner. And finally, we can elect to use the internal load balancer, which will only allow private traffic in. The load balancer will also make use of the health probes, health probes are endpoints that exists on every machine in the set that the load balancer can ping on a regular basis. If the health probe repeatedly fails on a particular VM, it will be taken out of the load balancer and traffic redirected to the remaining nodes.

In this demo, we'll see how to create a load balance set. Here I am in the Azure portal, I've selected our Virtual Machine and I want to show you how you can set up some load balanced sets. First of all, we'll go to the option "load balanced sets" here on the left menu. There are no load balanced sets found, so we'll have to join one. So we click the "join"... And then from here, we can choose whether we're gonna join a public or internal load balanced set. We'll click public, and then we'll configure our settings and we'll give it a name, In our case we'll just call it HTTP Traffic... And we'll put it on the TCP protocol, public port will be 80, and we'll set up a health probe on the TCP protocol, And we'll say it's gonna be on port 20,001... And then when we're happy with that we'll click OK, And then it's already set up an endpoint name for us of HTTP Traffic, and a private port of port 80. We'll click OK... And now it's adding the load balanced set, and then including our VM Vnet. And now we can see that we're included within this load balanced set. It has the DNS name, as we can see here, and all of the other settings that we provided are also there, too.

Let's move onto discussing security. There are two elements we'll discuss now, Network Security Groups, or NSGs, and firewalls. NSGs allow you to control traffic in a virtual network for our list of access control rules. Each access control role can operate on virtual machines, role instances, network adapters, or subnets. Each rule can affect traffic based on direction, protocol, end source or destination addresses' end port.

We'll now illustrate how to create a network security group, create a rule on it, and then apply it to the virtual machine. First, let's create a network security group. In order to do so, we'll need to select our resource group, which is "CA group"... Once you're in the CA group, we can then go ahead and click "add" at the top of the page, and it will bring up a pane so that we can search for our network security group. Select the network security group, click on that... And because we have a classic VM, we're gonna select "classic" as the deployment model down at the bottom here. Then we'll click "create"... And we'll give it a name, and we'll just call it 'NSG' to begin with. We use our group here, and we'll click "create"...

Now our network security group has been created, Let's add a rule to that group. So we select the NSG that we've created, we select the inbound security rules... And if we look at the default we'll see that there's a selection of default rules already there now. Let's click "add" and we'll create a new rule to allow HTTP. And then we'll click OK and now that rule has been created, and we'll go back to our resource group... And then we'll go to our VM, and we'll select "network security group" under settings. And we'll click "edit" and then we'll select "NSG" from that group setting. And we'll click "save" and we've now applied our network security group to our VM.

You can also create an NSG via PowerShell. Use the New-AzureNetworkSecurityGroup command to create an empty group. Then you can use the Get-AzureNetworkSecurityGroup command to retrieve an existing group and use the Set-AzureNetworkSecurityRule command to add a new command to the existing group. Firewalls can be configured and installed directly on an operating system as would normally be done. However, in addition you can use the virtual machine's extensions to add a firewall directly onto the machine either during provisioning, or post-provision.

There are a variety of security and firewall extensions that can be added, such as Deep Security Agent. In addition, a number of anti-malware tools such as Microsoft Antimalware can also be applied. There are times when you require the response from a virtual machine to avoid going via the load balancer to the origin client, and instead respond directly to the caller. A common example for this is the use of SQL service always on availability groups feature. Azure supports this via direct server return or DSR. In addition, Azure also supports configuration of keep-alives. This is useful if you wish to keep a connection open to a client endpoint for up to 30 minutes.

Here's a short example of how to create an endpoint via PowerShell. We run three commands piped into one another. The first command, "Get-AzureVM", retrieves the VM that we wish to add the endpoint to. The second, "Add-AzureEndpoint", creates a TCP endpoint named "CAtest" with DSR enabled and an idle time-out of 20 minutes. Finally, we call "Update-AzureVM" to execute the command on Azure. After execution, we can log in to the portal and confirm that the endpoint has been created successfully.

Stay tuned for the next section, where we'll cover how to scale virtual machines.

About the Author

Isaac has been using Microsoft Azure for several years now, working across the various aspects of the service for a variety of customers and systems. He’s a Microsoft MVP and a Microsoft Azure Insider, as well as a proponent of functional programming, in particular F#. As a software developer by trade, he’s a big fan of platform services that allow developers to focus on delivering business value.