Configuration and management issues for Azure Cloud Services (classic): Frequently asked questions (FAQs)


Cloud Services (classic) is now deprecated for new customers and will be retired on August 31st, 2024 for all customers. New deployments should use the new Azure Resource Manager based deployment model Azure Cloud Services (extended support).

This article includes frequently asked questions about configuration and management issues for Microsoft Azure Cloud Services. You can also consult the Cloud Services VM Size page for size information.

If your Azure issue is not addressed in this article, visit the Azure forums on Microsoft Q & A and Stack Overflow. You can post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support request. To submit a support request, on the Azure support page, select Get support.


Monitoring and logging

Network configuration





Why is the certificate chain of my Cloud Service TLS/SSL certificate incomplete?

We recommend that customers install the full certificate chain (leaf cert, intermediate certs, and root cert) instead of just the leaf certificate. When you install just the leaf certificate, you rely on Windows to build the certificate chain by walking the CTL. If intermittent network or DNS issues occur in Azure or Windows Update when Windows is trying to validate the certificate, the certificate may be considered invalid. By installing the full certificate chain, this problem can be avoided. The blog at How to install a chained SSL certificate shows how to do this.

What is the purpose of the "Windows Azure Tools Encryption Certificate for Extensions"?

These certificates are automatically created whenever an extension is added to the Cloud Service. Most commonly, this is the WAD extension or the RDP extension, but it could be others, such as the Antimalware or Log Collector extension. These certificates are only used for encrypting and decrypting the private configuration for the extension. The expiration date is never checked, so it doesn’t matter if the certificate is expired. 

You can ignore these certificates. If you want to clean up the certificates, you can try deleting them all. Azure will throw an error if you try to delete a certificate that is in use.

How can I generate a Certificate Signing Request (CSR) without "RDP-ing" in to the instance?

See the following guidance document:

Obtaining a certificate for use with Windows Azure Web Sites (WAWS)

The CSR is just a text file. It doesn't have to be created from the machine where the certificate will ultimately be used. Although this document is written for an App Service, the CSR creation is generic and applies also for Cloud Services.

My Cloud Service Management Certificate is expiring. How to renew it?

You can use following PowerShell commands to renew your Management Certificates:

Select-AzureSubscription -Current -SubscriptionName <your subscription name>

The Get-AzurePublishSettingsFile will create a new management certificate in Subscription > Management Certificates in the Azure portal. The name of the new certificate looks like "YourSubscriptionNam]-[CurrentDate]-credentials".

How to automate the installation of main TLS/SSL certificate(.pfx) and intermediate certificate(.p7b)?

You can automate this task by using a startup script (batch/cmd/PowerShell) and register that startup script in the service definition file. Add both the startup script and certificate(.p7b file) in the project folder of the same directory of the startup script.

What is the purpose of the "Microsoft Azure Service Management for MachineKey" certificate?

This certificate is used to encrypt machine keys on Azure Web Roles. To learn more, check out this advisory.

For more information, see the following articles:

Monitoring and logging

What are the upcoming Cloud Service capabilities in the Azure portal which can help manage and monitor applications?

Ability to generate a new certificate for Remote Desktop Protocol (RDP) is coming soon. Alternatively, you can run this script:

$cert = New-SelfSignedCertificate -DnsName -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 20 48 -KeySpec "KeyExchange"
$password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password

Ability to choose blob or local for your csdef and cscfg upload location is coming soon. Using New-AzureDeployment, you can set each location value.

Ability to monitor metrics at the instance level. More monitoring capabilities are available in How to Monitor Cloud Services.

Why does IIS stop writing to the log directory?

You've exhausted the local storage quota for writing to the log directory. To correct this, you can do one of three things:

  • Enable diagnostics for IIS and have the diagnostics periodically moved to blob storage.
  • Manually remove log files from the logging directory.
  • Increase quota limit for local resources.

For more information, see the following documents:

How do I enable WAD logging for Cloud Services?

You can enable Windows Azure Diagnostics (WAD) logging through following options:

  1. Enable from Visual Studio
  2. Enable through .NET code
  3. Enable through PowerShell

In order to get the current WAD settings of your Cloud Service, you can use Get-AzureServiceDiagnosticsExtensions PowerShell cmd or you can view it through portal from “Cloud Services --> Extensions” blade.

Network configuration

How do I set the idle timeout for Azure load balancer?

You can specify the timeout in your service definition (csdef) file like this:

<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="mgVS2015Worker" xmlns="" schemaVersion="2015-04.2.6">
  <WorkerRole name="WorkerRole1" vmsize="Small">
      <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" />
      <Import moduleName="RemoteAccess" />
      <Import moduleName="RemoteForwarder" />
      <InputEndpoint name="Endpoint1" protocol="tcp" port="10100"   idleTimeoutInMinutes="30" />

See New: Configurable Idle Timeout for Azure Load Balancer for more information.

How do I associate a static IP address to my Cloud Service?

To set up a static IP address, you need to create a reserved IP. This reserved IP can be associated to a new Cloud Service or to an existing deployment. See the following documents for details:

What are the features and capabilities that Azure basic IPS/IDS and DDOS provides?

Azure has IPS/IDS in datacenter physical servers to defend against threats. In addition, customers can deploy third-party security solutions, such as web application firewalls, network firewalls, antimalware, intrusion detection, prevention systems (IDS/IPS), and more. For more information, see Protect your data and assets and comply with global security standards.

Microsoft continuously monitors servers, networks, and applications to detect threats. Azure's multipronged threat-management approach uses intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, and machine learning to constantly strengthen its defense and reduce risks. Microsoft Antimalware for Azure protects Azure Cloud Services and virtual machines. You have the option to deploy third-party security solutions in addition, such as web application fire walls, network firewalls, antimalware, intrusion detection and prevention systems (IDS/IPS), and more.

How to enable HTTP/2 on Cloud Services VM?

Windows 10 and Windows Server 2016 come with support for HTTP/2 on both client and server side. If your client (browser) is connecting to the IIS server over TLS that negotiates HTTP/2 via TLS extensions, then you don't need to make any change on the server-side. This is because, over TLS, the h2-14 header specifying use of HTTP/2 is sent by default. If on the other hand your client is sending an Upgrade header to upgrade to HTTP/2, then you need to make the change below on the server side to ensure that the Upgrade works and you end up with an HTTP/2 connection.

  1. Run regedit.exe.
  2. Browse to registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
  3. Create a new DWORD value named DuoEnabled.
  4. Set its value to 1.
  5. Restart your server.
  6. Go to your Default Web Site and under Bindings, create a new TLS binding with the self-signed certificate just created.

For more information, see:

  • HTTP/2 on IIS
  • Video: HTTP/2 in Windows 10: Browser, Apps and Web Server

These steps could be automated via a startup task, so that whenever a new PaaS instance gets created, it can do the changes above in the system registry. For more information, see How to configure and run startup tasks for a Cloud Service.

Once this has been done, you can verify whether the HTTP/2 has been enabled or not by using one of the following methods:

  • Enable Protocol version in IIS logs and look into the IIS logs. It will show HTTP/2 in the logs.
  • Enable F12 Developer Tool in Internet Explorer or Microsoft Edge and switch to the Network tab to verify the protocol.

For more information, see HTTP/2 on IIS.


How can I implement role-based access for Cloud Services?

Cloud Services doesn't support the Azure role-based access control (Azure RBAC) model, as it's not an Azure Resource Manager based service.

See Understand the different roles in Azure.

Remote desktop

Can Microsoft internal engineers remote desktop to Cloud Service instances without permission?

Microsoft follows a strict process that will not allow internal engineers to remote desktop into your Cloud Service without written permission (email or other written communication) from the owner or their designee.

I cannot remote desktop to Cloud Service VM by using the RDP file. I get following error: An authentication error has occurred (Code: 0x80004005)

This error may occur if you use the RDP file from a machine that is joined to Azure Active Directory. To resolve this issue, follow these steps:

  1. Right-click the RDP file you downloaded and then select Edit.
  2. Add "\" as prefix before the username. For example, use .\username instead of username.


I cannot scale beyond X instances

Your Azure Subscription has a limit on the number of cores you can use. Scaling won't work if you have used all the cores available. For example, if you have a limit of 100 cores, this means you could have 100 A1 sized virtual machine instances for your Cloud Service, or 50 A2 sized virtual machine instances.

How can I configure Auto-Scale based on Memory metrics?

Auto-scale based on Memory metrics for a Cloud Services is not currently supported.

To work around this problem, you can use Application Insights. Auto-Scale supports Application Insights as a Metrics Source and can scale the role instance count based on guest metric like "Memory". You have to configure Application Insights in your Cloud Service project package file (*.cspkg) and enable Azure Diagnostics extension on the service to implement this feat.

For more details on how to utilize a custom metric via Application Insights to configure Auto-Scale on Cloud Services, see Get started with auto scale by custom metric in Azure

For more information on how to integrate Azure Diagnostics with Application Insights for Cloud Services, see Send Cloud Service, Virtual Machine, or Service Fabric diagnostic data to Application Insights

For more information about to enable Application Insights for Cloud Services, see Application Insights for Azure Cloud Services

For more information about how to enable Azure Diagnostics Logging for Cloud Services, see Set up diagnostics for Azure Cloud Services and virtual machines


How do I add `nosniff` to my website?

To prevent clients from sniffing the MIME types, add a setting in your web.config file.

            <add name="X-Content-Type-Options" value="nosniff" />

You can also add this as a setting in IIS. Use the following command with the common startup tasks article.

%windir%\system32\inetsrv\appcmd set config /section:httpProtocol /+customHeaders.[name='X-Content-Type-Options',value='nosniff']

How do I customize IIS for a web role?

Use the IIS startup script from the common startup tasks article.

What is the quota limit for my Cloud Service?

Why does the drive on my Cloud Service VM show very little free disk space?

This is expected behavior, and it shouldn't cause any issue to your application. Journaling is turned on for the %approot% drive in Azure PaaS VMs, which essentially consumes double the amount of space that files normally take up. However there are several things to be aware of that essentially turn this into a non-issue.

The %approot% drive size is calculated as <size of .cspkg + max journal size + a margin of free space>, or 1.5 GB, whichever is larger. The size of your VM has no bearing on this calculation. (The VM size only affects the size of the temporary C: drive.) 

It's unsupported to write to the %approot% drive. If you're writing to the Azure VM, you must do so in a temporary LocalStorage resource (or other option, such as Blob storage, Azure Files, etc.). So the amount of free space on the %approot% folder is not meaningful. If you aren't sure if your application is writing to the %approot% drive, you can always let your service run for a few days and then compare the "before" and "after" sizes. 

Azure will not write anything to the %approot% drive. Once the VHD is created from your .cspkg and mounted into the Azure VM, the only thing that might write to this drive is your application. 

The journal settings are non-configurable, so you can't turn it off.

How can I add an Antimalware extension for my Cloud Services in an automated way?

You can enable Antimalware extension using PowerShell script in the Startup Task. Follow the steps in these articles to implement it:

For more information about Antimalware deployment scenarios and how to enable it from the portal, see Antimalware Deployment Scenarios.

How to enable Server Name Indication (SNI) for Cloud Services?

You can enable SNI in Cloud Services by using one of the following methods:

Method 1: Use PowerShell

The SNI binding can be configured using the PowerShell cmdlet New-WebBinding in a startup task for a Cloud Service role instance as below:

New-WebBinding -Name $WebsiteName -Protocol "https" -Port 443 -IPAddress $IPAddress -HostHeader $HostHeader -SslFlags $sslFlags

As described here, the $sslFlags could be one of the values as the following:

Value Meaning
0 No SNI
1 SNI Enabled
2 Non SNI binding which uses Central Certificate Store
3 SNI binding which uses Central Certificate store

Method 2: Use code

The SNI binding could also be configured via code in the role startup as described on this blog post:

//<code snip> 
                var serverManager = new ServerManager(); 
                var site = serverManager.Sites[0]; 
                var binding = site.Bindings.Add("", newCert.GetCertHash(), "My"); 
                binding.SetAttributeValue("sslFlags", 1); //enables the SNI 
    //</code snip>

Using any of the approaches above, the respective certificates (*.pfx) for the specific hostnames have to be first installed on the role instances using a startup task or via code in order for the SNI binding to be effective.

How can I add tags to my Azure Cloud Service?

Cloud Service is a Classic resource. Only resources created through Azure Resource Manager support tags. You can't apply tags to Classic resources such as Cloud Service.

The Azure portal doesn't display the SDK version of my Cloud Service. How can I get that?

We're working on bringing this feature on the Azure portal. Meanwhile, you can use following PowerShell commands to get the SDK version:

Get-AzureService -ServiceName "<Cloud Service name>" | Get-AzureDeployment | Where-Object -Property SdkVersion -NE -Value "" | select ServiceName,SdkVersion,OSVersion,Slot

I want to shut down the Cloud Service for several months. How to reduce the billing cost of Cloud Service without losing the IP address?

An already deployed Cloud Service gets billed for the Compute and Storage it uses. So even if you shut down the Azure VM, you'll still get billed for the Storage.

Here's what you can do to reduce your billing without losing the IP address for your service:

  1. Reserve the IP address before you delete the deployments. You will only be billed for this IP address. For more information about IP address billing, see IP addresses pricing.
  2. Delete the deployments. Don’t delete the, so that you can use it for future.
  3. If you want to redeploy the Cloud Service by using the same reserve IP that you reserved in your subscription, see Reserved IP addresses for Cloud Services and Virtual Machines.