Azure IaaS Operations Guidance


This is a collection of Azure Infrastructure installation and operational guidance resources I provide to my customers.  By keeping these links up to date with each engagement, all of my customers may benefit.  Hopefully you can too!  The latest Azure updates will always be at Azure service updates.  Make it part of your operational procedure to review that monthly, if not weekly!  In 2015, there were over 500 updates. Wow!

The goal of this guide is to highlight core installation and operational procedures for an Azure IaaS deployment, which will predominantly consist of Compute, Network and Storage resources.  This article, Azure Infrastructure Services Implementation Guidelines, gives a pretty good rundown of what needs to be created and in what order. The resources I will keep updated below pretty much follow most of those resources in the last link. But for now, there is a very important piece of that puzzle missing.  For the newer Azure Resource Manager (ARM) model of deployment, we need to plan, design and create Azure Resource Groups. Once we have Resource Groups, we can delegate administration with Role Based Access Control (RBAC).

Besides all this, if you just need to ramp up and learn more on Azure, go to the Azure Learning Paths page.  Check it out and learn something new! I also have my Azure Certification resources (Slides and Videos) from MS Ignite, to get you certified and ready to go!

Azure Active Directory


AzureAD a leader in the 2016 Gartner IDaaS MQ!

Cloud Architecture

There is quite a bit of guidance out there to help architect your cloud identity strategy.  Azure Active Directory provides the core Identity Management as a Service platform for all of the possible hybrid and cloud scenarios. Here are some great resources to read up on.

Authentication & Authorization

Azure AD Operational Guidance

Azure AD Tenant

In the original Azure Portal, the primary control of overall administration was at the subscription level. Now, in the new Azure Resource Manager (ARM) model, there are fewer justifications for multiple subscriptions than there were before in the Azure Service Management (ASM) model, e.g. administration only at the top level.  Now in ARM, you can control administration at the subscription level, at Resource Groups, and at the Azure Resources contained within. For more on those differences, see Understanding Resource Manager deployment and classic deployment. You can only create Azure Resources to leverage ARM deployments and RBAC by using  So stop using that old portal; unless you just have to.  For more on that, read Azure portal availability chart.


Before you can do anything, you not only need an Azure subscription, but you also need to know how many, if more than one, and what the limits are. Simpler is always the best. In the ARM deployment model now, things like separation of billing and delegation of administration no longer require separate subscriptions.  Billing can be even more with tagging and RBAC gives even more flexibility to control administration across your portal.

Azure Resource Manager (ARM) and Role Based Access Control (RBAC)

This content can now be found at


Creating your virtual networks and subnets is very high on the priority list of things to do after the subscription and resource groups are created. One quick tip to note is that in traditional network addressing, we take away 2 addresses (n-2), the all 1's and all 0's addresses, when calculating hosts from networks.  Azure gets a little hungry and uses 3 additional addresses.  So remember this safety tip: figure (n-5) when you do your host calculations.  For example, if you needed 30 hosts on-premises, you would figure a /27 network would work, right? Don't believe me, just ask Cisco :) But in Azure, you would fall short, as a /27 network would actually result in only 27 hosts per network. So I warned you! Also, if you make your VNet networks too small, it will haunt you, as it currently is not so easy to remove the VMs and recreate VNets, so plan them very, very carefully.  Been there, done that.  You don't want to go there.
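
The n-5 rule applied to a whole VNet plan, as an added example that is not part of the original article: it sizes each subnet for the hosts it must hold and carves the subnets out of one address space, failing early if the VNet is too small. The function names, the 10.0.0.0/24 sample and the /29 minimum subnet size are assumptions made for this illustration.

```python
import ipaddress

ONPREM_RESERVED = 2    # network + broadcast (the classic n-2)
AZURE_RESERVED = 5     # the n-5 rule from the text above
AZURE_MAX_PREFIX = 29  # assumption: /29 is the smallest subnet Azure accepts

def usable_hosts(prefix, reserved):
    """Assignable IPv4 addresses in a /prefix after removing reserved ones."""
    return max(2 ** (32 - prefix) - reserved, 0)

def smallest_prefix(hosts, reserved, max_prefix=30):
    """Longest prefix (smallest subnet) that still fits `hosts` machines."""
    for prefix in range(max_prefix, -1, -1):
        if usable_hosts(prefix, reserved) >= hosts:
            return prefix
    raise ValueError("host count does not fit in IPv4")

def plan_vnet(vnet_cidr, requirements):
    """Carve Azure-sized subnets out of a VNet, largest requirement first.

    requirements maps subnet name -> hosts needed. Returns
    name -> (subnet CIDR, usable hosts) or raises if the VNet is too small.
    """
    free = [ipaddress.ip_network(vnet_cidr)]
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = smallest_prefix(hosts, AZURE_RESERVED, AZURE_MAX_PREFIX)
        fits = [b for b in free if b.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"{vnet_cidr} has no room for {name} (/{prefix})")
        block = max(fits, key=lambda b: b.prefixlen)  # tightest free block
        free.remove(block)
        subnet = next(block.subnets(new_prefix=prefix))
        free.extend(block.address_exclude(subnet))    # keep the leftovers
        plan[name] = (str(subnet), usable_hosts(prefix, AZURE_RESERVED))
    return plan

if __name__ == "__main__":
    print("30 hosts on-premises: /%d" % smallest_prefix(30, ONPREM_RESERVED))
    print("30 hosts in Azure:    /%d" % smallest_prefix(30, AZURE_RESERVED, AZURE_MAX_PREFIX))
    # Constructed sample VNet and subnet requirements
    for name, (cidr, hosts) in plan_vnet("10.0.0.0/24", {"web": 30, "db": 10, "mgmt": 3}).items():
        print(f"{name:5} {cidr:15} {hosts} usable")
```

Running the plan before any VMs exist shows which subnets land one prefix size larger than their on-premises equivalent and whether the VNet address space still has room.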


  1. Azure Networking Series - a collection of topics
  2. Azure Network Security - nice list of all the Azure resources for Networking
  3. Azure Reference Architectures - Networking DMZ
  4. Microsoft Cloud Networking for Enterprise Architects - This is a great soup to nuts overview!
  5. Microsoft Cloud Services and Network Security - Read these top two docs, and you will see all the components to consider
  6. Microsoft Azure Network Security Whitepaper version 3 is now available - This explains what Microsoft does to protect Azure
  7. Virtual Network Overview
  8. Network Resource Provider
  9. IP Addresses in Azure Virtual Network
  10. About secure cross-premises connectivity for virtual networks
  11. User Defined Routes and IP Forwarding
  12. What is Azure load balancer?
  13. What is a Network Security Group (NSG)?
    1. See more Details on Network Security in the Networking section of

Operational Guidance


Find ALL Storage Documentation e.g. Get Started, Designing, etc..

Managing Storage

Operational Guidance



Operational Guidance


Below are some additional topics related to various deployments.  These also provide other examples of deploying things like Windows Server Active Directory and SQL Always on clusters in an Azure Subscription.  What will you put in your subscription?

Windows Active Directory Servers in IaaS

Many organizations now are moving their Domain Controllers into Azure as VMs in IaaS.  Here are some links to help out!

If you want to have replica Domain Controllers in the cloud for on-premises domain controllers...