Begin Azure IaaS – Prepare your Environment

1 – Introduction

This article presents how to prepare an environment in Azure IaaS (Resource Group, Cloud Service, VMNET, VM …) from the beginning and explain Azure basic concept:

  • creation of all required resources (Resource Group, Storage account, Cloud Services).
  • configuration of a Virtual Network (VNET) with multiple subnet.
  • configuration of VPN Gateway (Point-to-site VPN) for client connection and certificate configuration.
  • use of Azure PowerShell.
  • VM creation with multiple vNIC and VHDX.
  • deploy a simple AD Forest.





For the demonstration I will used the architecture that I prepare to test the StarWind Virtual SAN product.

For more information see my other article:
SQL AlwaysOn FCI (Failover Cluster Instance) in IaaS Azure Cloud with StarWind Virtual SAN Solution

Overview of Architecture:

Schema - Azure - SQL AlwaysOn FCI & Virtual SAN - OverviewThe environment will be composed:

  • 1x Azure subscription (for reminder you can create a trial account with 150€ available for 30 days).
  • 1x Azure Resource Group:
    Note: A RG is a logical container used to regroup Azure resources associated to an application. It provides the centralized management and monitoring of these resources (lifecycle, cost calculation, provisioning, access control …)




RG-TCLAB1 Resource Group West Europe
  • 1x Azure Storage Account (required to host VM VHDX):



resource group

account type

tclab1storage Storage Account RG-TCLAB1 Standard-LRS (Locally Redundant)
  • 1x Virtual Network (VNET) with three subnets:



resource group

address space



tc-lab1-lan Virtual Network RG-TCLAB1 Prod PROD Subnet
Gateway (Azure) Used for VPN (P2S or S2S)
Heartbeat Cluster /Virtual SAN Heartbeat
  • 2x Cloud Service. Just for reminder all VM in a Cloud Service must have the same number of NIC. So with two CS, I don’t need to create the AD DC VM with the Heartbeat VLAN. In addition CS allow scalability option.



resource group


tc-lab1-cs Cloud Service RG-TCLAB1 Used for basic servers (AD DC …)
tc-lab1-cs-sqlsrv Cloud Service RG-TCLAB1 Used for SQL Servers
  • 3x Virtual Machine



resource group

dns name




l1-dc-1 Virtual Machine RG-TCLAB1 Basic A0 (0.25 Core, 0.75 GB) AD DC / DNS Server
l1-sqlfci-1 Virtual Machine RG-TCLAB1 Standard A3 (4 Cores, 7 GB) SQL AlwaysOn FCI Node 1
l1-sqlfci-2 Virtual Machine RG-TCLAB1 Standard A3 (4 Cores, 7 GB) SQL AlwaysOn FCI Node 2
  • The two SQL nodes will be created with two vNIC and two VHDX.

2 – Create a Azure Resource Group

Note about Azure portal: For the moment the migration of Azure portal is in progress. I will use the new portal (in Preview) to do all configuration.


New Portal:

Click on “Brows ALL” and select “Resource groups”. Click “Add”:

Enter a Name and select a location (note that the location is important for Azure resources, you have to create resources in the same location). Click “Create” (Pin is to Startboard, a Resource Group is useful to manage your environment):

3 – Create a Azure Virtual Network (VNET)

Click “New”, Select “Networking” and click “Virtual Network”:

Enter a name, select an Address space (you can keep the default, I change it just for the demonstration).

Enter your first network subnet ( and change the default name. Change the location and click “Create”:

Wait for the creation and select your new VNET:

3.1 Configure an Azure VPN Point-to-site

Note: You can configure a “Site-to-site” VPN (use to connect your On-premise infrastructure) or a “Point-to-site” (use for client connection).

You can connect to your VM through RDP without VPN (P2S), but configured a VPN permits to secure your communication between yours computers and your Azure environment (VNET).

Click on the “VPN connections” tab, select “Point-to-site”, select a subnet ( is the subnet for VPN Clients), check “Create gateway immediately” and click “OK”:

Wait for your Gateway creation (this part can take 10/15 minutes):

Note that a new subnet was automatically create for the Gateway mask /29)

Gateway created:

Configure Certificate authentication

Certificates are used to authenticate VPN clients for point-to-site VPNs.

I will use the traditional “makecert” tool to create Root Certificate. This tools is available in the Windows SDK or in MS Visual Studio (Express or full).

Note that at this time, only self-signed root certificates are supported in Azure

Install Windows SDK for Windows 8.1:


Generate a self-signed root certificate


Star a CMD and run (change the CN and the output path):

makecert -sky exchange -r -n "CN=RootTechCoffee101" -pe -a sha1 -len 2048 -ss My "D:\CERT\RootTechCoffee101.cer"

The certificate is created in my personal folder:

Retrieve it:

Go to your VNET and click on Point-to-site. Click on “Manage Certificate”:

Click “Upload” and select your Root certificate created previously:

Check the certificate status:

Download your VPN Client:

Generate a Client Certificate

Start CMD and Run (Change CN and your Root Certificate name):

makecert.exe -n “CN=ClientTechCoffee101” -pe -sky exchange -m 96 -ss My -in “RootTechCoffee101” -is my -a sha1

Check if certificate if OK:

Configure your VPN client

Now we just have to install the VPN client on our workstation, launch the exe (VPN Client) previously downloaded:

The package configure the VPN connection, click on “Networks” and connect to the new VPN:

Check “Do not show …” and click “Continue”:

We are now connected, we can connect to VM with RDP directly with private IP Address.

Note that route are added:

You can check all connected client, from you VNET click on Point-to-site clients:

3.2 Configure additional Subnet

Now we can create additional subnets (here only one: Heartbeat).



resource group

address space



tc-lab1-lan Virtual Network RG-TCLAB1 Prod PROD Subnet
Gateway (Azure) Used for VPN (P2S or S2S)
Heartbeat Cluster /Virtual SAN Heartbeat

Go to VNET (tc-lab1-lan) settings.

Note – Overview of Address Space:

Select “Subnets” and click “Add”:

Enter name and subnet for the new subnet (here: Heartbeat):

Click “Save”:

4 – Create a Cloud Service

I will create two CS:



resource group


tc-lab1-cs Cloud Service RG-TCLAB1 Used for basic servers (AD DC …)
tc-lab1-cs-sqlsrv Cloud Service RG-TCLAB1 Used for SQL Servers

Go to Cloud Services and click “Add”:

Enter a name, select your Resource Group and make sure you put the Cloud Service in the same Region as your Virtual Network.

Create a new Cloud Service for SQL Servers:

CS created:

5 – Create a Storage Account

Before you begin provisioning VMs you must create a Storage Account.

Select “NEW\Data + Storage\Storage”:

Enter a name and select your storage model:

Note: Azure Storage pricing –

Configure your resource Group and make sure you create the Storage Account in the same Location as your Virtual Network

So now everything is ok and we are ready for VM deployment!

Be careful with your resources location:

6 – Install Azure PowerShell

Azure PowerShell module allow to manage all your Azure environment.

You have to install it because at this time it is the only way to deploy Virtual Machine with multiple NIC/Subnets.

The Azure PowerShell module require Microsoft .NET Framework 4.5.

Download Web installer (recommended):

Or Direct Download Link:

Click Install:

You can also install also the Azure CLI (Command line) Tools:

Link to Azure Script Center:

6.1 Connect to Azure PowerShell

Start Azure PowerShell:

Enter “Add-AzureAccount” and enter your login information:

Note: Get Azure Cmdlet (get-help Azure)

7 – Create Azure VM DC/DNS

Now we are ready to create VMs. I will create the first VM (AD DC) through GUI and SQL VM through PowerShell (mandatory)

Note: Currently there is a bug with the new Portal, it’s impossible to select the Cloud Service and the VNET during the first VM Creation. Once the first VM is created, you can create all other VM through the new portal.

Issue overview:

During the creation of the first VM , when you select your Cloud Service:

VNET is not configured and locked:

Go to Azure Portal:

Click “New\Compute\Virtual Machine\From Gallery”:

Select the WS2012R2 Datacenter Image (STANDARD is not available, Windows Server licenses are included):

Enter a name and select the size (this is a DC in a lab so: BASIC A0). Enter a local administrator name and password and click “Next”:

Select the cloud Service and the VNET (with prod subnet => “default”):

Click “Create”:

Just for the issue on the new portal, now if I try to create a new VM from the portal the VNET is correctly configured when I select my cloud Service:

8 – Create Azure VM with multiple NIC (SQL Node)

As I said previously, for the moment the only way to create a VM with multiple networks is through PowerShell.

The way to create an Azure VM though PS is to create a VM Configuration “New-AzureVMConfig” and then create the VM “New-AzureVM).

So, first select a VM image from Azure VM image gallery. Note that images change frequently (new updates included …). The first command bellow automatically selects the last published Image of WS2012R2 DTC:

# Retrieve VM Image (last version)
$image = (Get-AzureVMImage -Verbose:$false | Where-Object {$_.label -like “Windows Server 2012 R2 Datacenter*”}| Sort-Object –Descending PublishedDate)[0]
$image | ft Label,PublishedDate
## Other Options ##

#List available images
Get-AzureVMImage -Verbose:$false | where-object { $_.Label -like "Windows Server 2012 R2 Datacenter*"} | fl Label,ImageName,PublishedDate
$image = Get-AzureVMImage -Verbose:$false | where-object { $_.Label -like "Windows Server 2012 R2 Datacenter, June 2015"} | fl Label,ImageName

#Use the StarWind VirtualSan Image (require a "Pay-as-you-go" subscription"
$image = Get-AzureVMImage -Verbose:$false | where-object { $_.Label -like "starwindperhour" }  # or "starwindbyol

Note: I use the WS2012R2 image, but the StarWind Virtual SAN VM is available in the Azure Marketplace ( The access (through PowerShell) to this image require a “Pay-as-you-go” or an “MSDN” subscription.

Marketplace VM overview:

Next, specify the VM name, the size and configure the default administrator account:

Note: To retrieve InstanceSize value go to:

Note: Multiple NIC is not supported on all VM sizes. You cannot use “Basic” VM size and for “Standard” the minimum is AXX. For more information go to:

For SQL VM, I will use the A3 Standard size.

# Configure VM
#  * Note: To retieve VM Size values go to:

$vm = New-AzureVMConfig -Name "l1-sqlfci-1" -InstanceSize "Large" -Image $image.ImageName -AvailabilitySetName "AVS-SQLSrv"

# Create the default administrator login.
Add-AzureProvisioningConfig –VM $vm -Windows -AdminUserName "tcadmin" -Password "xxxxx" 

Now we can configure VM NICs. First we set the first NIC on the default subnet with a static IP and then we add a new NIC connected to the Heartbeat subnet:

Note about StaticIP:

In Azure, a Static IP is not like a DHCP reservation. This mean that set a static IP in a VNET will ensures the VM will attempt to be assigned the correct IP address at provisioning time but it is no guarantee.

# Configure the default NIC
Set-AzureSubnet -SubnetNames "default" -VM $vm
Set-AzureStaticVNetIP -IPAddress "" -VM $vm

# Add additional NICs to the VM configuration.
Add-AzureNetworkInterfaceConfig -Name "Ethernet1" -SubnetName "Heartbeat" -StaticVNetIPAddress "" -VM $vm

Create the VM:

# Create the VM
New-AzureVM -ServiceName "tc-lab1-cs-sqlsrv" -Location "West Europe" –VNetName "tc-lab1-lan" –VMs $vm 

Note about Warning “The specified DNS name is already taken” from O’Reilly book:

Repeat the operation to create the second SQL Server:

8.1 – Resources Overview in Azure

If you go to your Cloud Services, you can have a view of VM Status:

Or through PowerShell, you can use:

# Get VM Status
get-azurevm | ft ServiceName,Name,Status,IpAddress,PowerState,InstanceSize,AvailabilitySetName -AutoSize

You can also manage all your resources from your Resource Group:

8.2 – Attach Disk to VM

Now I will create one new VHDX for each SQL Server.

Select the first SQL server and open Settings. Select “Disk” and click “Attach New

Repeat the same operation for the second SQL Server

Prepare Disk:

Note: Each of the arrays which will be used by StarWind Virtual SAN to store virtual disk images has to meet the following requirements:

  • Initialized as GPT
  • Have a single NTFS-formatted partition
  • Have a drive letter assigned

So on each SQL Server, initialize new disk:

And create a new Volume:

9 – Create Active Directory FOREST

Connect to the AD DC/DNS Server and add roles (AD DS & DNS Server):

Promote DC and create forest:

Add-WindowsFeature -Name "AD-Domain-Services,DNS,GPMC" -IncludeManagementTools

# AD DS Deployment
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012R2" `
-DomainName "tclab1.corp" `
-DomainNetbiosName "TCLAB1" `
-ForestMode "Win2012R2" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-safemodeadministratorpassword (convertto-securestring "Password1" -asplaintext -force)

9.1 – Create a new GPO

Basically, I configure at minimal three settings on all servers:

Windows Firewall (Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\)


  • Windows Firewall: Allow Inbound File and printer sharing exception
  • Windows Firewall: Allow Inbound Remote Administration exception

DNS Suffix

Go to “Computer Configuration | Policies | Administrative Templates | Network | DNS Client” and set the Primary DNS Suffix value:

10 – Finalyze SQL Server basic configuration

10.1 – Join Computer to Domain

Rename NIC:

Note that if you Stop VM through the Azure Portal (Status: Stopped (Deallocated), NICs will be reinitialized. This will not occurs if you just stop VM through OS.

Configure DNS IP:

And add computer to domain:

10.2 – Install Windows Features

Install .NET 3.5 Framework (required for SQL 2012/2014) and WSFC cluster features:

# For remote install add: -ComputerName <Hostname>

Install-WindowsFeature Net-Framework-Core,Failover-Clustering -IncludeManagementTools
Install-WindowsFeature Multipath-IO

OK, now the environment is ready. In the next step I will configure the Virtual SAN product to create clustered disk and install a SQL Cluster (AlwaysOn FCI)

Next Steps: SQL AlwaysOn FCI (Failover Cluster Instance) in IaaS Azure Cloud with StarWind Virtual SAN Solution

11 – LINK

Configure a Point-to-Site VPN connection to an Azure Virtual Network

How to Create and Deploy a Cloud Service

How to install and configure Azure PowerShell

Downloads – Get the SDKs and command-line tools you need

Azure Script Center

Install and Configure the Azure CLI

Install the Azure CLI

Using the Azure CLI for Mac, Linux, and Windows with Azure Service Management

About Gilles Monville

Gilles Monville is a passionate of IT for many years; he works for over 10 years on Microsoft and VMware environments. In addition to Virtualization and Cloud computing, he loves automation (Orchestrator, PowerShell, Cloud deployment …)

Leave a Reply


Check Also

RDS 2016 farm: RDS Final configuration

This article is the final topic about how to deploy a Remote Desktop Service in ...

RDS 2016 Farm: Deploy the Microsoft Azure VM

This topic is part of a series about how to deploy a Windows Server 2016 ...

RDS 2016 Farm: Create Microsoft Azure networks, storage and Windows image

This topic is part of a series about how to deploy a Windows Server 2016 ...