Migrating your applications to Azure using Virtual Machine Scale Sets, Packer and Virtual Machine extensions – Part 2
This is a continuation of the previous post about migrating your not ready cloud application to the Azure cloud. The last post discussed about creating a managed image to be able to be used by a virtual machine scale set for provisioning.
What will we do in this series
I decided to do a series of posts about this topic as it touches a variety of aspects. I will use a concrete example that may or may not have happened to you and I plan to cover
- Building a managed image from an Ubuntu image as base, and setting up a web server to host an application
- Creating a Virtual Machine Scale Set using ARM templates (this post)
- Adding a post provisioning extension that will be fetching files from a blob storage that is required for the application to run once a virtual machine in the set has started
Creating the necessary resources
Creating the Virtual Machine Scale Set requires the following Azure resources:
- Virtual Network (vNet)
- includes a subnet
- Network Security Group (NSG) to able to access the VMs in the Virtual Machine Scalet Set
- Virtual Machine Scalet Set (VMSS)
- includes the HealthExtension to be able to do rolling updates for new images we create
- Load Balancer (LB)
- includes the Public IP address for the LB
We will construct our provisioning using an Azure Resource Manager (ARM) template. We will also populate the parameters and variables section with the necessary information the template needs.
Note that I cannot cover all bases when it comes to options and scenarios. You will need to adapt this to your environment.
Also note that this is for educational purposes. In a production environment, you will need to restrict and tweak some or all resources.
Tip: if you want to use comments in your arm templates, rename your file(s) to the jsonc extension.
Virtual Network
The first resource we need is a vnet. To create a vnet and the associated subnet we need to add the following to the ARM template resources array:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
{ "apiVersion": "2019-09-01", "type": "Microsoft.Network/virtualNetworks", "name": "[variables('vnetName')]", "location": "[resourceGroup().location]", "properties": { "addressSpace": { "addressPrefixes": [ "[variables('vnetAddressPrefix')]" ] } } }, { "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2019-09-01", "location": "[resourceGroup().location]", "name": "[concat(variables('vNetName'),'/',variables('subnetName'))]", "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks',variables('vNetName'))]" ], "properties": { "addressPrefix": "[variables('subnetPrefix')]" } } |
Network Security Group
Next is a Network Security Group. A NSG is necessary to allow traffic when you use a public load balancer. If you don’t add a NSG to your subnet, no traffic will be able to flow through.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
{ "type": "Microsoft.Network/networkSecurityGroups", "name": "[variables('nsgName')]", "location": "[resourceGroup().location]", "apiVersion": "2019-04-01", "properties": { "securityRules": [ { "name": "SSH", "properties": { "description": "Allows SSH traffic", "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "22", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound" } }, { "name": "HTTP", "properties": { "description": "Allows HTTP traffic", "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "80", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Allow", "priority": 110, "direction": "Inbound" } } ] } } |
Here, I am allowing HTTP traffic along with SSH traffic. Since we’re load balanced, we need to be able to access the underlying VMs machine. Our load balancer will have NAT rules to transfer traffic to the underlying VMs SSH port (22), and each VM will be associated a port from the content of the variable nsgSSHNATPortRange. This port range has to closely be related to the maximum number of VMs our scale set can handle (capacity).
Virtual Machine Scale Set
The following ARM definition defines the scale set.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
{ "type": "Microsoft.Compute/virtualMachineScaleSets", "name": "[variables('vmssName')]", "location": "[variables('location')]", "apiVersion": "2019-07-01", "dependsOn": [ "[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]", "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vNetName'), variables('subnetName'))]" ], "sku": { "name": "[variables('vmSku')]", // the max capacity should be 20 here as this is closely related to our NAT rules "capacity": 2 }, "properties": { "overprovision": true, "upgradePolicy": { "mode": "Rolling", "automaticOSUpgradePolicy": { "enableAutomaticOSUpgrade": false } }, "virtualMachineProfile": { "storageProfile": { "osDisk": { "createOption": "FromImage", "caching": "ReadWrite" }, "imageReference": { "id": "[parameters('customImageId')]" } }, "osProfile": { "computerNamePrefix": "[variables('vmssName')]", "adminUsername": "[parameters('administratorLogin')]", "adminPassword": "[parameters('administratorSSHKey')]", "linuxConfiguration": { "disablePasswordAuthentication": true, "ssh": { "publicKeys": [ { "path": "[concat('/home/', parameters('administratorLogin'), '/.ssh/authorized_keys')]", "keyData": "[parameters('administratorSSHKey')]" } ] } } }, "networkProfile": { "networkInterfaceConfigurations": [ { "name": "[variables('nicName')]", "properties": { "primary": true, "ipConfigurations": [ { "name": "ipconfig", "properties": { "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vNetName'), variables('subnetName'))]" }, "loadBalancerBackendAddressPools": [ { "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('loadBalancerName'), '/backendAddressPools/', variables('loadBalancerBackEndName'))]" } ], "loadBalancerInboundNatPools": [ { "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('loadBalancerName'), '/inboundNatPools/', variables('loadBalancerNatPoolName'))]" } ] } } ] } } ] }, "extensionProfile": { "extensions": [ { "type": "extensions", "name": "HealthExtension", "properties": { "publisher": "Microsoft.ManagedServices", "type": "ApplicationHealthLinux", "autoUpgradeMinorVersion": true, "typeHandlerVersion": "1.0", "settings": { "protocol": "tcp", "port": 22 } } } ] } } }, "identity": { "type": "SystemAssigned" } } |
We assigned a Managed Identity of type system, using the identity property to this VMSS. In the next post, we will grant this identity access to a storage account where we will be able to fetch files in our extensions.
Load Balancer
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 |
{ "type": "Microsoft.Network/loadBalancers", "name": "[variables('loadBalancerName')]", "location": "[variables('location')]", "apiVersion": "2019-09-01", "dependsOn": [ "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]" ], "sku": { "name": "Standard" }, "properties": { "frontendIPConfigurations": [ { "name": "[variables('loadBalancerFrontEndName')]", "properties": { "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]" } } } ], "backendAddressPools": [ { "name": "[variables('loadBalancerBackEndName')]" } ], "loadBalancingRules": [ { "name": "roundRobinLBRule", "properties": { "frontendIPConfiguration": { "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName')), '/frontendIPConfigurations/', variables('loadBalancerFrontEndName'))]" }, "backendAddressPool": { "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName')), '/backendAddressPools/', variables('loadBalancerBackEndName'))]" }, "protocol": "Tcp", "frontendPort": 80, "backendPort": 80, "enableFloatingIP": false, "idleTimeoutInMinutes": 5, "probe": { "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName')), '/probes/', variables('loadBalancerProbeName'))]" } } } ], "probes": [ { "name": "[variables('loadBalancerProbeName')]", "properties": { "protocol": "Tcp", "port": 80, "intervalInSeconds": 5, "numberOfProbes": 2 } } ], "inboundNatPools": [ { "name": "[variables('loadBalancerNatPoolName')]", "properties": { "frontendIPConfiguration": { "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName')), '/frontendIPConfigurations/', variables('loadBalancerFrontEndName'))]" }, "protocol": "tcp", "frontendPortRangeStart": 50000, "frontendPortRangeEnd": 50019, "backendPort": 22 } } ] } } |
It’s important to note in the inboundNatPools (only) object, the properties frontendRangeStart and frontendRangeEnd. The rangeStart and rangeEnd have to match the number of instances that the VMSS can have. In this case, 0-19 (inclusives) means that we will be able to communicate with at most 20 VMs in our Scale Set. One port will be assigned to one VM in the set. As stated above, the capacity property of the VMSS cannot exceed 20 in this case.
Public IP
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
{ "type": "Microsoft.Network/publicIPAddresses", "name": "[variables('publicIPAddressName')]", "location": "[variables('location')]", "apiVersion": "2018-08-01", "sku": { "name": "Standard" }, "properties": { "publicIPAllocationMethod": "Static", "dnsSettings": { "domainNameLabel": "[variables('dnsName')]" } } } |
Parameters, variables and output variables
We are outputting the vmssName as we will need it to provision the extension as it will be described the next post in this series.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
"parameters": { "customImageId": { "type": "string", "metadata": { "description": "The full resourceId of the managed image" } }, "administratorLogin": { "type": "string", "metadata": { "description": "The administrator username" } }, "administratorSSHKey": { "type": "securestring", "metadata": { "description": "The SSH public key of the administrator" } }, "artifactsStorageName": { "type": "string", "metadata": { "description:": "The storage account name where the artifacts that the VMSS needs to access are stored in" } } }, "variables": { "location": "[resourceGroup().location]", "vNetName": "vNet-vmssdemo-blog", "vnetAddressPrefix": "10.0.0.0/16", "subnetName": "VmssSubnet", "subnetPrefix": "10.0.0.0/27", "nsgSSHNATPortRange": "50000-50019", "vmssName": "vmss-demo-blog", "loadBalancerName": "lb-vmssdemo-blog", // Size of VMs in the VM Scale Set. "vmSku": "Standard_D1_v2", "nicName": "nic-vmssdemo-blog", "dnsName": "vmss-demo-blog", "loadBalancerFrontEndName": "loadBalancerFrontend", "loadBalancerBackEndName": "loadBalancerBackend", "loadBalancerNatPoolName": "loadBalancerNatPool", "loadBalancerProbeName": "loadBalancerProbe001", "publicIPAddressName": "pip-vmssdemo-blog" }, "outputs": { "vmssName": { "type": "string", "value": "[variables('vmssName')]" } } |
Final words
Adding all of those into a json/jsonc file and you will have the necessary ARM template to deploy the VMSS and its necessary components.
You can find the full template in my GitHub repository.
