I have been involved in a number of ADFS deployments in Azure over the past few months and one thing that has had to be taken into consideration was the fact that by default Azure creates a cloud service with a dynamic public VIP.
This is especially an issue when creating the web application proxy cloud service. If for some reason the cloud service were to stop (e.g. funds run out) and its resources were deallocated, the public VIP associated with the external HTTPS load balancer would be lost. When the cloud service was restarted it would be allocated a different public VIP, so the external DNS records for the ADFS service would be wrong. Depending on the TTL of the DNS record, any updates could take some time to filter through, leaving the service unavailable in the meantime.
To prevent this happening Microsoft have made it possible to request Reserved IP addresses, although a few things should be kept in mind:
- Reserved IPs can only be used for VMs and Cloud Services.
- You can use PowerShell or the Azure Management REST API to request a reserved IP from a particular region. The Azure Portal does not currently allow you to do this.
- Up to 20 Reserved IP addresses can be requested per subscription, however only the first 5 are free after which they are charged. http://azure.microsoft.com/en-us/pricing/details/ip-addresses/
Create and assign a Reserved VIP to the Subscription
New-AzureReservedIP -ReservedIPName MyReservedPublicIP -Location "North Europe"
List the Reserved VIP assigned to the Subscription
Once an IP is reserved, it remains associated to your subscription until you delete it. To delete the reserved IP shown above, run the following PowerShell command:
Remove-AzureReservedIP -ReservedIPName "MyReservedPublicIP"
Historically it has been essential to request a reserved IP before creating a cloud service or VM to which it will ultimately be assigned during their creation. If this had not been thought of at the point of the initial deployment, this could result in the need to tear down the environment and redeploy.
Thankfully this has now changed and it's possible to convert a dynamically assigned VIP to a reserved public VIP. In this example I have created a cloud service called "techkbtest"; the screenshot below shows the dashboard of the cloud service and the Public (VIP) address of 220.127.116.11 currently dynamically assigned to it.
The snippet below shows the reserved VIP currently assigned to the subscription. Obviously the list is empty because at this point the public VIP assigned to the cloud service above is still dynamic.
Using the command below, a request can not only be made for a reserved IP but also that the dynamic VIP currently assigned to the cloud service "techkbtest" is used and converted.
New-AzureReservedIP -ReservedIPName "WasDynamicNowReservedIP" -Location "North Europe" -ServiceName "techkbtest"
Now when viewing any reserved VIP associated with the subscription, the newly created reservation is listed with the original Public VIP which has been associated with the cloud service all along.
For clarification, looking back to the dashboard of the cloud service shows that the Public (VIP) has definitely not changed.
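The conversion described above, with the check a practitioner would want: record the VIP while it is still dynamic, reserve it in place, then confirm that both the reservation and the cloud service still show the original address. This is an added example, not code from the original post; it assumes the classic (Azure Service Management) PowerShell module is loaded with a subscription selected, and `$ServiceName`, `$ReservedName` and `$Location` are placeholders taken from the post's own values.

```powershell
# Added example: convert a cloud service's dynamic VIP into a reserved IP and
# verify that the public address did not change in the process.
# Assumes the classic (ASM) Azure PowerShell module and a selected subscription.
$ServiceName  = "techkbtest"                 # placeholder cloud service name
$ReservedName = "WasDynamicNowReservedIP"    # placeholder reservation name
$Location     = "North Europe"

function Get-CloudServiceVip {
    param([string]$Name)
    # The production deployment carries the public VIP(s) of the cloud service.
    $deployment = Get-AzureDeployment -ServiceName $Name -Slot Production
    return ($deployment.VirtualIPs | Select-Object -First 1).Address
}

# 1. Record the VIP while it is still dynamic so it can be compared afterwards.
$before = Get-CloudServiceVip -Name $ServiceName
Write-Host "Current (dynamic) VIP of ${ServiceName}: $before"

# 2. Reserve in place only if this service does not already own a reservation.
$existing = Get-AzureReservedIP | Where-Object { $_.ServiceName -eq $ServiceName }
if ($existing) {
    Write-Host "Service already holds reserved IP '$($existing.ReservedIPName)'; nothing to reserve."
    $ReservedName = $existing.ReservedIPName
} else {
    # -ServiceName tells Azure to reserve the address the service is already using
    # rather than allocating a fresh one.
    New-AzureReservedIP -ReservedIPName $ReservedName -Location $Location -ServiceName $ServiceName | Out-Null
}

# 3. Verify: the reservation's address and the service's VIP must both equal the original.
$reservation = Get-AzureReservedIP -ReservedIPName $ReservedName
$after = Get-CloudServiceVip -Name $ServiceName
if ($reservation.Address -ne $before -or $after -ne $before) {
    throw "VIP mismatch: before=$before reserved=$($reservation.Address) after=$after. Check the external DNS records for the ADFS service."
}
Write-Host "Reserved IP '$ReservedName' now holds $after; external DNS for the ADFS service remains valid."
```

Running the script twice is safe: the second run finds the existing reservation and only performs the verification step.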
It is now a lot easier to retrospectively change between dynamic and reserved VIP; however, it's still good practice to establish during the design phase whether this is required and to configure it from the beginning.
The following PowerShell creates a cloud service, requests a reserved IP, deploys a VM into the cloud service and finally binds the reserved IP to the cloud service.
$CSName = "Cloud-Service-Name"
New-AzureService -ServiceName $CSName -Location "North Europe"
# Reserve the public IP before the first VM is deployed so it can be bound at creation time.
New-AzureReservedIP -ReservedIPName WAPReservedIP -Location "North Europe"
$image = "a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-201505.01-en.us-127GB.vhd"
$VMName = "Virtual-Machine-Name"
$AVSet = "Availability-Set"
$VNetwork = "Virtual-Network"
$Subnet = "Subnet-Name"   # placeholder: the subnet within $VNetwork that the VM joins
$IP = "10.0.1.38"
$dns1 = New-AzureDns -Name 'Google1' -IPAddress '18.104.22.168'
$dns2 = New-AzureDns -Name 'Google2' -IPAddress '22.214.171.124'
$vm1 = New-AzureVMConfig -Name $VMName -InstanceSize "Small" -AvailabilitySetName $AVSet -Image $image | Set-AzureSubnet -SubnetNames $Subnet | Set-AzureStaticVNetIP -IPAddress $IP
# Placeholder credentials; replace before use. $AdminPassword is used rather than $pwd,
# which PowerShell reserves as the automatic variable for the current directory.
$AdminPassword = "Pass1234"
$AdminUser = "MyAdmin"
$vm1 | Add-AzureProvisioningConfig -Windows -AdminUserName $AdminUser -Password $AdminPassword
# -ReservedIPName binds the reservation to the cloud service as the first VM is created.
$vm1 | New-AzureVM -ServiceName $CSName -VNetName $VNetwork -DnsSettings $dns1,$dns2 -ReservedIPName WAPReservedIP