Azure: Difference between revisions

Microsoft's cloud platform, similar to Amazon's AWS or Google's GCP.

To get KeyVault stuff working with Debian's 2.18.0, I had to run: pip3 install azure-keyvault==1.1.0

CLI

• Multiplatform CLI available from https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
• On Debian-derived systems, install azure-cli
  • az account list -- list subscription groups

Networking

Azure hosts use ConnectX devices from Mellanox (now NVIDIA). ConnectX-4 needs the mlx5_core driver, while ConnectX-3 needs mlx4_en. It is not possible as of February 2023 to force allocation of one or the other for a given VM, and the NIC type can change if the VM is moved. Azure documentation typically refers to both classes as "SmartNICs".

The fundamental network object of Azure is the VNet. Hosts connected to the same VNet can communicate with one another without intermediary gateways. VNets ought use RFC1918 or RFC6598 addresses, and best practices include using distinct sections of these address spaces in your distinct VNets (since VNets can be peered with one another). Broadcast and multicast are not supported with an VNet. ARP requests are answered by the (virtual) gateway (actually SDN), not broadcast to the various machines of the VNet. You will not typically see incoming ARP requests (though you will see your own requests, and any replies you receive). ARP replies will generally contain the bogus hardware address 12:34:56:78:9a:bc, and this will typically be the only MAC address in your neighbor tables. You do see a "real" MAC locally when examining your interfaces. Your private IP addresses will be acquired using DHCP.

You'll see traffic with the IP 168.63.129.16; it is used by numerous internal Microsoft services, including DHCP. No host can transmit with this address.

VMs can be assigned public IPs, but they will not be visible on the VM proper, and should not be added using ip-address. The incoming traffic will be directed to your VM by the SDN, and DNATted such that you see your internal IP as the destination address.

Accelerated Networking

"Accelerated Networking" (AN) is available on most VM classes, and provides the VM with an SR-IOV Virtual Function; this will show up as a distinct interface within the VM. It can be selected at VM creation time, or whenever the VM is deallocated (stopped). Some VM classes *require* AN. The mapping of VF devices to synthetic devices is undefined, and ought be managed with systemd-networkd or udev rules in the presence of multiple virtual interfaces. The synthetic interface and its associated VF interface will have the same MAC address. From the perspective of other network entities, these are a single interface. They can be distinguished by checking ethtool for the driver (the synthetic interface is "hv_netsvc") or checking ip-link output for the slave designator (the VF is the slave). From the Azure docs:

Applications should interact only with the synthetic interface...Outgoing network packets are passed from the netvsc driver to the VF driver and then transmitted through the VF interface. Incoming packets are received and processed on the VF interface before being passed to the synthetic interface. Exceptions are incoming TCP SYN packets and broadcast/multicast packets that are processed by the synthetic interface only.

VMs

• Fsv2: 8370C (Ice Lake), 8272CL (Cascade Lake), 8168 (Skylake), 3.4--3.7
• FX: 8246R (Cascade Lake), 4.0
• Dv2: 8370C (Ice Lake), 8272CL (Cascade Lake), 8171M (Skylake), 2673v3 (Haswell), 2673v4 (Broadwell)
• DSv2: 8370C (Ice Lake), 8272CL (Cascade Lake), 8171M (Skylake), 2673v3 (Haswell), 2673v4 (Broadwell)
• Eav4, Easv4: EPYC 7452
• H: 2667v3 without hyperthreading or SR-IOV but w/ MPI

NUMA (multipackage) machines are only available from the HB class.

External Links

• Accelerated Networking on HB, HC, HBv2, HBv3, and NDv2 (mostly about InfiniBand)
• Performance Impact of Enabling Accelerated Networking on HBv3, HBv2, and HC VMs
• Accelerated Networking: How it Works