When you deploy an Azure Virtual Machine Scale Set through the portal, certain network properties are defaulted, for example, an Azure load balancer with inbound NAT rules. This article describes how to use some of the more advanced networking features that you can configure with scale sets.
You can configure all the features covered in this article by using Azure Resource Manager templates. Azure CLI and PowerShell samples are also included for select features.
Accelerated Networking
Azure Accelerated Networking improves network performance by enabling Single Root I/O Virtualization (SR-IOV) for a virtual machine. For more information about using accelerated networking, see Accelerated Networking for Windows or Linux virtual machines. To use accelerated networking with scale sets, set enableAcceleratedNetworking to true in the networkInterfaceConfigurations settings of your scale set. For example:
"networkProfile": {
  "networkInterfaceConfigurations": [
    {
      "name": "niconfig1",
      "properties": {
        "primary": true,
        "enableAcceleratedNetworking": true,
        "ipConfigurations": [
          ...
        ]
      }
    }
  ]
}
Azure virtual machine scale sets with Azure Load Balancer
See Azure Load Balancer and virtual machine scale sets for more information on how to configure your Standard Load Balancer with virtual machine scale sets based on your scenario.
Create a scale set that references an application gateway
To create a scale set that uses an application gateway, reference the application gateway's backend address pool in the ipConfigurations section of your scale set as in this ARM template configuration:
"ipConfigurations": [
  {
    "name": "{config-name}",
    "properties": {
      "subnet": {
        "id": "{subnet-id}"
      },
      "applicationGatewayBackendAddressPools": [
        {
          "id": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Network/applicationGateways/{gateway-name}/backendAddressPools/{pool-name}"
        }
      ]
    }
  }
]
Note
The application gateway must be in the same virtual network as the scale set, but it must be in a different subnet from the scale set.
Configurable DNS settings
By default, scale sets assume DNS settings specific to the virtual network and subnet in which they are created. However, you can configure the DNS settings for a scale set directly.
Create a scale set with configurable DNS servers
To create a scale set with custom DNS settings using the Azure CLI, add the --dns-servers argument to the vmss create command, followed by the server IP addresses separated by spaces. For example:
--dns-servers 10.0.0.6 10.0.0.5
To configure custom DNS servers in an Azure template, add a dnsSettings property to the networkInterfaceConfigurations section of the scale set. For example:
"dnsSettings": {
  "dnsServers": ["10.0.0.6", "10.0.0.5"]
}
Creating a scale set with configurable virtual machine domain names
To create a scale set with a custom DNS name for virtual machines using the CLI, add the --vm-domain-name argument to the virtual machine scale set create command, followed by a string representing the domain name.
To set the domain name in an Azure template, add a dnsSettings property to the scale set networkInterfaceConfigurations section. For example:
"networkProfile": {
  "networkInterfaceConfigurations": [
    {
      "name": "nic1",
      "properties": {
        "primary": true,
        "ipConfigurations": [
          {
            "name": "ip1",
            "properties": {
              "subnet": {
                "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/', variables('vnetName'), '/subnets/subnet1')]"
              },
              "publicIpAddressConfiguration": {
                "name": "publicip",
                "properties": {
                  "idleTimeoutInMinutes": 10,
                  "dnsSettings": {
                    "domainNameLabel": "[parameters('vmssDnsName')]"
                  }
                }
              }
            }
          }
        ]
      }
    }
  ]
}
The output, for an individual virtual machine DNS name, would have the following format:
<vm><vmindex>.<specified VMSS domain name label>
Public IPv4 per virtual machine
In general, Azure scale set virtual machines do not require their own public IP addresses. For most scenarios, it is cheaper and safer to associate a public IP address with a load balancer or with an individual virtual machine (also known as a jumpbox), which then routes incoming connections to the scale set virtual machines as needed (for example, through inbound NAT rules).
However, some scenarios require that the virtual machines in the scale set have their own public IP addresses. One example is gaming, where a console needs to make a direct connection to a virtual machine in the cloud, which is processing the physics of the game. Another example is where virtual machines need to make external connections to each other across regions in a distributed database.
Create a scale set with public IP per virtual machine
To create a scale set that assigns a public IP address to each virtual machine using the CLI, add the --public-ip-per-vm parameter to the vmss create command.
To create a scale set using an Azure template, ensure that the API version of the Microsoft.Compute/virtualMachineScaleSets resource is at least 2017-03-30 and add a publicIpAddressConfiguration JSON property to the ipConfigurations section of the scale set. For example:
"publicIpAddressConfiguration": {
  "name": "pub1",
  "sku": {
    "name": "Standard"
  },
  "properties": {
    "idleTimeoutInMinutes": 15
  }
}
Note that when creating virtual machine scale sets with public IP addresses per instance with a load balancer in front, the SKU of the instance IP addresses is determined by the load balancer's SKU (i.e. Basic or Standard). If the virtual machine scale set is created without a load balancer, the instance's IP SKU can be configured directly using the SKU section of the template, as shown above.
Example template using a basic load balancer: vmss-public-ip-linux
Alternatively, a Public IP prefix (a contiguous block of Standard SKU public IP addresses) can be used to generate instance-level IP addresses in a virtual machine scale set. The zonal properties of the prefix will be passed to the instance IPs, although they are not displayed in the output.
Example template with a public IP prefix: vmms-with-public-ip-prefix
Query the public IP addresses of virtual machines in a scale set
To list the public IP addresses assigned to virtual machines in the scale set using the CLI, use the az vmss list-instance-public-ips command.
To list public IP addresses of scale sets using PowerShell, use the Get-AzPublicIpAddress command. For example:
Get-AzPublicIpAddress -ResourceGroupName myrg -VirtualMachineScaleSetName myvmss
You can also query public IP addresses by directly referencing the resource ID from the public IP address settings. For example:
Get-AzPublicIpAddress -ResourceGroupName myrg -Name myvmsspip
You can also view the public IP addresses assigned to virtual machines in the scale set by querying the Azure Resource Explorer or the Azure REST API with version 2017-03-30 or higher.
To query the Azure Resource Explorer:
- Open Azure Resource Explorer in a web browser.
- Expand subscriptions on the left side by clicking the + next to it. If you only have one item under subscriptions, it may already be expanded.
- Expand your subscription.
- Expand your resource group.
- Expand providers.
- Expand Microsoft.Compute.
- Expand virtualMachineScaleSets.
- Expand your scale set.
- Click on publicipaddresses.
To query the Azure REST API:
GET https://management.azure.com/subscriptions/{your sub ID}/resourceGroups/{RG name}/providers/Microsoft.Compute/virtualMachineScaleSets/{scale set name}/publicipaddresses?api-version=2017-03-30
Example output from the Azure Resource Explorer and Azure REST API:
{
  "value": [
    {
      "name": "pub1",
      "id": "/subscriptions/your-subscription-id/resourceGroups/your-rg/providers/Microsoft.Compute/virtualMachineScaleSets/pipvmss/virtualMachines/0/networkInterfaces/pipvmssnic/ipConfigurations/yourvmssipconfig/publicIPAddresses/pub1",
      "etag": "W/\"a64060d5-4dea-4379-a11d-b23cd49a3c8d\"",
      "properties": {
        "provisioningState": "Succeeded",
        "resourceGuid": "ee8cb20f-af8e-4cd6-892f-441ae2bf701f",
        "ipAddress": "13.84.190.11",
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Dynamic",
        "idleTimeoutInMinutes": 15,
        "ipConfiguration": {
          "id": "/subscriptions/your-subscription-id/resourceGroups/your-rg/providers/Microsoft.Compute/virtualMachineScaleSets/yourvmss/virtualMachines/0/networkInterfaces/yourvmssnic/ipConfigurations/yourvmssipconfig"
        }
      }
    },
    {
      "name": "pub1",
      "id": "/subscriptions/your-subscription-id/resourceGroups/your-rg/providers/Microsoft.Compute/virtualMachineScaleSets/yourvmss/virtualMachines/3/networkInterfaces/yourvmssnic/ipConfigurations/yourvmssipconfig/publicIPAddresses/pub1",
      "etag": "W/\"5f6ff30c-a24c-4818-883c-61ebd5f9eee8\"",
      "properties": {
        "provisioningState": "Succeeded",
        "resourceGuid": "036ce266-403f-41bd-8578-d446d7397c2f",
        "ipAddress": "13.84.159.176",
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Dynamic",
        "idleTimeoutInMinutes": 15,
        "ipConfiguration": {
          "id": "/subscriptions/your-subscription-id/resourceGroups/your-rg/providers/Microsoft.Compute/virtualMachineScaleSets/yourvmss/virtualMachines/3/networkInterfaces/yourvmssnic/ipConfigurations/yourvmssipconfig"
        }
      }
    }
  ]
}
Multiple IP addresses per NIC
Each NIC connected to a virtual machine in a scale set can have one or more associated IP configurations. Each configuration is assigned a private IP address. Each configuration can also have an associated public IP address resource. To understand how many IP addresses can be assigned to a NIC and how many public IP addresses can be used in an Azure subscription, see Azure limits.
Multiple NICs per virtual machine
You can have up to 8 NICs per virtual machine, depending on the size of the machine. The maximum number of NICs per machine is available in the virtual machine size article. All NICs connected to a VM instance must be connected to the same virtual network. The NICs can connect to different subnets, but all subnets must be part of the same virtual network.
The following example is a scale set network profile that shows multiple NIC entries and multiple public IP addresses per virtual machine:
"networkProfile": {
  "networkInterfaceConfigurations": [
    {
      "name": "nic1",
      "properties": {
        "primary": true,
        "ipConfigurations": [
          {
            "name": "ip1",
            "properties": {
              "subnet": {
                "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/', variables('vnetName'), '/subnets/subnet1')]"
              },
              "publicIpAddressConfiguration": {
                "name": "pub1",
                "properties": {
                  "idleTimeoutInMinutes": 15
                }
              },
              "loadBalancerInboundNatPools": [
                {
                  "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('lbName'), '/inboundNatPools/natPool1')]"
                }
              ],
              "loadBalancerBackendAddressPools": [
                {
                  "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('lbName'), '/backendAddressPools/addressPool1')]"
                }
              ]
            }
          }
        ]
      }
    },
    {
      "name": "nic2",
      "properties": {
        "primary": false,
        "ipConfigurations": [
          {
            "name": "ip1",
            "properties": {
              "subnet": {
                "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/', variables('vnetName'), '/subnets/subnet1')]"
              },
              "publicIpAddressConfiguration": {
                "name": "pub1",
                "properties": {
                  "idleTimeoutInMinutes": 15
                }
              },
              "loadBalancerInboundNatPools": [
                {
                  "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('lbName'), '/inboundNatPools/natPool1')]"
                }
              ],
              "loadBalancerBackendAddressPools": [
                {
                  "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('lbName'), '/backendAddressPools/addressPool1')]"
                }
              ]
            }
          }
        ]
      }
    }
  ]
}
NSG and ASGs per scale set
Network security groups allow you to filter traffic to and from Azure resources in an Azure virtual network using security rules. Application security groups allow you to manage the network security of Azure resources and group them as an extension of your application's structure.
Network security groups can be applied directly to a scale set by adding a reference to the network interface configuration section of the scale set's virtual machine properties.
Application security groups can also be specified directly for a scale set by adding a reference to the network interface IP configuration section of the scale set's virtual machine properties.
For example:
"networkProfile": {
  "networkInterfaceConfigurations": [
    {
      "name": "nic1",
      "properties": {
        "primary": true,
        "ipConfigurations": [
          {
            "name": "ip1",
            "properties": {
              "subnet": {
                "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/', variables('vnetName'), '/subnets/subnet1')]"
              },
              "applicationSecurityGroups": [
                {
                  "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/applicationSecurityGroups/', variables('asgName'))]"
                }
              ],
              "loadBalancerInboundNatPools": [
                {
                  "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('lbName'), '/inboundNatPools/natPool1')]"
                }
              ],
              "loadBalancerBackendAddressPools": [
                {
                  "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('lbName'), '/backendAddressPools/addressPool1')]"
                }
              ]
            }
          }
        ],
        "networkSecurityGroup": {
          "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/networkSecurityGroups/', variables('nsgName'))]"
        }
      }
    }
  ]
}
To verify that your NSG is associated with your scale set, use the az vmss show command. The following example uses --query to filter the results and display only the relevant section of the output.
az vmss show \
    -g myResourceGroup \
    -n myScaleSet \
    --query virtualMachineProfile.networkProfile.networkInterfaceConfigurations[].networkSecurityGroup

[
  {
    "id": "/subscriptions/.../resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/nsgName",
    "resourceGroup": "myResourceGroup"
  }
]
To verify that your application security group is associated with your scale set, use the az vmss show command. The following example uses --query to filter the results and display only the relevant section of the output.
az vmss show \
    -g myResourceGroup \
    -n myScaleSet \
    --query virtualMachineProfile.networkProfile.networkInterfaceConfigurations[].ipConfigurations[].applicationSecurityGroups

[
  [
    {
      "id": "/subscriptions/.../resourceGroups/myResourceGroup/providers/Microsoft.Network/applicationSecurityGroups/asgName",
      "resourceGroup": "myResourceGroup"
    }
  ]
]
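The two checks above can be combined into one pass over the scale set's network profile. The following is an added example, not code from the original article: it walks a networkProfile and reports, per IP configuration, whether a per-instance public IP is configured and whether the NIC carries an NSG reference. The function names and SAMPLE_PROFILE are constructed for illustration; only the NIC-level NSG reference in the model is visible to this check, so an NSG attached to the subnet is not reflected.

```python
# Constructed sample (not from a real deployment): a scale set networkProfile
# in the shape shown in this article. The public IP key is deliberately spelled
# two ways, as it is in the article's own samples.
SAMPLE_PROFILE = {
    "networkInterfaceConfigurations": [
        {
            "name": "nic1",
            "properties": {
                "primary": True,
                "networkSecurityGroup": {"id": "/subscriptions/.../networkSecurityGroups/nsgName"},
                "ipConfigurations": [
                    {"name": "ip1", "properties": {
                        "publicIpAddressConfiguration": {"name": "pub1"},
                        "applicationSecurityGroups": [
                            {"id": "/subscriptions/.../applicationSecurityGroups/asgName"}
                        ],
                    }},
                ],
            },
        },
        {
            "name": "nic2",
            "properties": {
                "primary": False,
                "ipConfigurations": [
                    {"name": "ip1", "properties": {"publicIPAddressConfiguration": {"name": "pub1"}}},
                    {"name": "ip2", "properties": {}},
                ],
            },
        },
    ]
}


def ci_get(obj, key, default=None):
    """Look up a key ignoring case; returns default for missing keys or non-dicts."""
    if not isinstance(obj, dict):
        return default
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return default


def audit_network_profile(profile):
    """Return one finding per IP configuration in the network profile."""
    findings = []
    for nic in ci_get(profile, "networkInterfaceConfigurations", []):
        props = ci_get(nic, "properties", {})
        # NIC-level NSG reference only; a subnet-level NSG is not in this model.
        nsg_id = ci_get(ci_get(props, "networkSecurityGroup"), "id")
        for ip_cfg in ci_get(props, "ipConfigurations", []):
            ip_props = ci_get(ip_cfg, "properties", {})
            has_public_ip = ci_get(ip_props, "publicIpAddressConfiguration") is not None
            asgs = [ci_get(a, "id") for a in ci_get(ip_props, "applicationSecurityGroups", [])]
            findings.append({
                "nic": ci_get(nic, "name"),
                "ip_config": ci_get(ip_cfg, "name"),
                "public_ip": has_public_ip,
                "nsg": nsg_id,
                "asgs": asgs,
                "public_ip_without_nsg": has_public_ip and nsg_id is None,
            })
    return findings


def exposed(findings):
    """IP configurations that have a public IP but no NIC-level NSG reference."""
    return [(f["nic"], f["ip_config"]) for f in findings if f["public_ip_without_nsg"]]


if __name__ == "__main__":
    for finding in audit_network_profile(SAMPLE_PROFILE):
        print(finding)
```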
Perform network updates for specific instances
You can perform network updates on specific instances of the virtual machine scale set.
You can PUT against the instance to update the network configuration. This can be used to do things like add or remove network interface cards (NICs) or remove an instance from a backend pool.
PUT https://management.azure.com/subscriptions/.../resourceGroups/vmssnic/providers/Microsoft.Compute/virtualMachineScaleSets/vmssnic/virtualMachines/1/?api-version=2019-07-01
The following example shows how to add a second IP configuration to your NIC.
GET the details of a specific instance of the virtual machine scale set.
GET https://management.azure.com/subscriptions/.../resourceGroups/vmssnic/providers/Microsoft.Compute/virtualMachineScaleSets/vmssnic/virtualMachines/1/?api-version=2019-07-01
The following has been simplified to show only the network parameters for this example.
{
  ...
  "properties": {
    ...
    "networkProfileConfiguration": {
      "networkInterfaceConfigurations": [
        {
          "name": "vmssnic-vnet-nic01",
          "properties": {
            "primary": true,
            "enableAcceleratedNetworking": false,
            "networkSecurityGroup": {
              "id": "/subscriptions/123a1a12-a123-1ab1-12a1-12a1a1234ab1/resourceGroups/vmssnic/providers/Microsoft.Network/networkSecurityGroups/basicNsgvmssnic-vnet-nic01"
            },
            "dnsSettings": {
              "dnsServers": []
            },
            "enableIPForwarding": false,
            "ipConfigurations": [
              {
                "name": "vmssnic-vnet-nic01-defaultIpConfiguration",
                "properties": {
                  "publicIPAddressConfiguration": {
                    "name": "publicIp-vmssnic-vnet-nic01",
                    "properties": {
                      "idleTimeoutInMinutes": 15,
                      "ipTags": [],
                      "publicIPAddressVersion": "IPv4"
                    }
                  },
                  "primary": true,
                  "subnet": {
                    "id": "/subscriptions/123a1a12-a123-1ab1-12a1-12a1a1234ab1/resourceGroups/vmssnic/providers/Microsoft.Network/virtualNetworks/vmssnic-vnet/subnets/default"
                  },
                  "privateIPAddressVersion": "IPv4"
                }
              }
            ]
          }
        }
      ]
    },
    ...
  }
}
PUT against the instance, updating it to add the additional IP configuration. This is similar to adding an additional networkInterfaceConfiguration.
PUT https://management.azure.com/subscriptions/.../resourceGroups/vmssnic/providers/Microsoft.Compute/virtualMachineScaleSets/vmssnic/virtualMachines/1/?api-version=2019-07-01
The following has been simplified to show only the network parameters for this example.
{
  ...
  "properties": {
    ...
    "networkProfileConfiguration": {
      "networkInterfaceConfigurations": [
        {
          "name": "vmssnic-vnet-nic01",
          "properties": {
            "primary": true,
            "enableAcceleratedNetworking": false,
            "networkSecurityGroup": {
              "id": "/subscriptions/123a1a12-a123-1ab1-12a1-12a1a1234ab1/resourceGroups/vmssnic/providers/Microsoft.Network/networkSecurityGroups/basicNsgvmssnic-vnet-nic01"
            },
            "dnsSettings": {
              "dnsServers": []
            },
            "enableIPForwarding": false,
            "ipConfigurations": [
              {
                "name": "vmssnic-vnet-nic01-defaultIpConfiguration",
                "properties": {
                  "publicIPAddressConfiguration": {
                    "name": "publicIp-vmssnic-vnet-nic01",
                    "properties": {
                      "idleTimeoutInMinutes": 15,
                      "ipTags": [],
                      "publicIPAddressVersion": "IPv4"
                    }
                  },
                  "primary": true,
                  "subnet": {
                    "id": "/subscriptions/123a1a12-a123-1ab1-12a1-12a1a1234ab1/resourceGroups/vmssnic/providers/Microsoft.Network/virtualNetworks/vmssnic-vnet/subnets/default"
                  },
                  "privateIPAddressVersion": "IPv4"
                }
              },
              {
                "name": "mi-segunda-config",
                "properties": {
                  "subnet": {
                    "id": "/subscriptions/123a1a12-a123-1ab1-12a1-12a1a1234ab1/resourceGroups/vmssnic/providers/Microsoft.Network/virtualNetworks/vmssnic-vnet/subnets/default"
                  },
                  "privateIPAddressVersion": "IPv4"
                }
              }
            ]
          }
        }
      ]
    },
    ...
  }
}
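The GET-then-PUT sequence above, as an added example that is not code from the original article: the function builds the PUT body from the instance model returned by GET, appending a second IP configuration on the same subnet while leaving the NSG reference and the existing configuration unchanged. The function name, the configuration name and the trimmed INSTANCE sample are constructed for illustration, and sending the request is left out.

```python
import copy

# Constructed sample: the network part of a GET response for one instance,
# trimmed to the fields this example touches.
INSTANCE = {
    "properties": {
        "networkProfileConfiguration": {
            "networkInterfaceConfigurations": [
                {
                    "name": "vmssnic-vnet-nic01",
                    "properties": {
                        "primary": True,
                        "networkSecurityGroup": {"id": "/subscriptions/.../networkSecurityGroups/basicNsgvmssnic-vnet-nic01"},
                        "ipConfigurations": [
                            {
                                "name": "vmssnic-vnet-nic01-defaultIpConfiguration",
                                "properties": {
                                    "publicIPAddressConfiguration": {"name": "publicIp-vmssnic-vnet-nic01"},
                                    "primary": True,
                                    "subnet": {"id": "/subscriptions/.../virtualNetworks/vmssnic-vnet/subnets/default"},
                                    "privateIPAddressVersion": "IPv4",
                                },
                            }
                        ],
                    },
                }
            ]
        }
    }
}


def add_ip_configuration(instance, nic_name, config_name):
    """Return a new PUT body with one extra private IP configuration on nic_name.

    The input model is not modified. The new configuration reuses the subnet of
    the NIC's primary IP configuration and gets no public IP of its own.
    """
    body = copy.deepcopy(instance)
    nics = body["properties"]["networkProfileConfiguration"]["networkInterfaceConfigurations"]
    nic = next((n for n in nics if n["name"] == nic_name), None)
    if nic is None:
        raise KeyError(f"no NIC configuration named {nic_name!r}")

    ip_configs = nic["properties"]["ipConfigurations"]
    if any(c["name"] == config_name for c in ip_configs):
        raise ValueError(f"IP configuration {config_name!r} already exists")

    # Fall back to the first configuration if none is flagged primary.
    primary = next((c for c in ip_configs if c["properties"].get("primary")), ip_configs[0])
    ip_configs.append({
        "name": config_name,
        "properties": {
            "subnet": copy.deepcopy(primary["properties"]["subnet"]),
            "privateIPAddressVersion": "IPv4",
        },
    })
    return body


if __name__ == "__main__":
    import json
    print(json.dumps(add_ip_configuration(INSTANCE, "vmssnic-vnet-nic01", "my-second-config"), indent=2))
```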
Explicit network egress connectivity for flexible scale sets
To enhance default network security, virtual machine scale sets with flexible orchestration will require that instances created implicitly via the autoscaling profile have outbound connectivity explicitly defined through one of the following methods:
- For most scenarios, we recommend a NAT gateway attached to the subnet.
- For scenarios with high security requirements or when using Azure Firewall or Network Virtual Appliance (NVA), you can specify a user-defined custom route as the next hop through the firewall.
- The instances are in the backend pool of an Azure Load Balancer Standard SKU.
- Attach a public IP address to the instance's network interface.
With single-instance virtual machines and virtual machine scale sets with uniform orchestration, outbound connectivity is provided automatically.
Common scenarios that will require explicit outbound connectivity include:
- Windows VM activation requires that you have defined outbound connectivity from the VM instance to the Windows Activation Key Management Service (KMS). See Troubleshoot Windows virtual machine activation for more information.
- Access to storage accounts or Key Vault. Connectivity to Azure services can also be established using Private Link.
See Standard outbound access in Azure for more details on how to set up secure outbound connections.
Next steps
For more information about Azure virtual networks, see Introduction to Azure virtual networks.
FAQs
Which network is required for the virtual machines in a scale set?
NSG & ASGs per scale set
Network Security Groups can be applied directly to a scale set, by adding a reference to the network interface configuration section of the scale set virtual machine properties.
Azure Virtual Machine Scale Sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide the following key benefits: Easy to create and manage multiple VMs.
How do I connect to Azure virtual machine scale set?
Open the Azure portal. Go to the virtual machine scale set that you want to connect to. Go to the virtual machine scale set instance that you want to connect to. Select Connect at the top of the page, then choose Bastion from the dropdown.
What is the difference between virtual machine scale set and virtual machine?
Virtual machines are automatically distributed within a data center. Virtual machine scale sets can be distributed within a single datacenter or across multiple data centers.
Why use Azure virtual machine scale sets?
Increase application resiliency
Increase application uptime by using availability zones and availability sets to automatically distribute VMs in a scale set within a single datacenter or across multiple datacenters. Scale sets run multiple VM instances of your application.
Two main ways an application can scale include vertical scaling and horizontal scaling. Vertical scaling (scaling up) increases the capacity of a resource, for example, by using a larger virtual machine (VM) size. Horizontal scaling (scaling out) adds new instances of a resource, such as VMs or database replicas.
What is the difference between Azure VM and VM scale set?
An Azure service that is used to provision Windows and Linux virtual machines. "the VM in other fault domain will be up and running." Scale set is an increase resource for your workload on a set of VMS, which provisions more instances according to pre-defined metrics.
What is the difference between Azure VM scale set and availability set?
Availability Set consists of a set of discrete VMs. VM Scale Set consists of a set of identically configured VMs. VM Scale set comprises a set of similarly configured VMs spanned across fault domains (a scale set can be considered as an implicit availability set consisting of 5 fault domains).
What is required for a virtual machine to run?
Virtual Machine Requirements
You generally must have a fast enough processor, enough RAM and a big enough hard drive to install the system and application software you want to run, just as you would if you were installing it directly on your physical machine.
Virtual Networking enables the communication between multiple computers, virtual machines (VMs), virtual servers, or other devices across different office and data center locations.
What resources are required for a virtual machine?
- RAM: 32 GB.
- Disk space: 500 GB.
- CPU cores: 32.
- Processor speed: 2.3 GHz or more. The processor must support Page Address Extension. Comparable to an Intel Xeon 6250 processor, or to an AMD EPYC 7502P processor.