Understanding Azure Virtual Network for Azure Node Deployments with Microsoft HPC Pack
To connect your on-premises cluster network and the Azure nodes that are deployed through the node template, the cluster administrator can set up the deployment to use an Azure virtual network. For example, you might do this if you are running an application on the Azure nodes that must communicate with an on-premises license server. An Azure virtual network can also help with small data transfers between an on-premises file server and the Azure nodes, connect the Azure nodes with an on-premises Active Directory domain controller, and help non-administrator cluster users connect remotely to the Azure role instances.
To set up the deployment to use an Azure virtual network, specify the name of an existing Azure virtual network that is configured in the Azure subscription and, optionally, the names of one or more subnets in the virtual network.
Configure an Azure virtual network for site-to-site connectivity
Typically, a network administrator will configure an Azure virtual network. The following are high-level tasks to configure an Azure virtual network for HPC Pack to support secure site-to-site connections between the local (on-premises) network and Azure, using a supported VPN gateway device.
Configure an Azure virtual network in an Azure subscription by using the Azure management tools. To create a virtual network in Azure for the first time, we recommend using the Custom Create wizard in the Management Portal. This wizard creates a network configuration file (.netcfg) for your virtual network. After creation of the first virtual network via the Management Portal, the .netcfg file can be exported and used as a template to create additional virtual networks, if needed.
To enable site-to-site connectivity, specify the site-to-site connectivity option, specify the name of a local network, and configure a gateway subnet. This information will also be used to configure the on-premises VPN device.
Starting with HPC Pack 2012 with SP1, instead of configuring a VPN device, a software VPN gateway can be configured in the on-premises network by using the Routing and Remote Access service in Windows Server 2012. See Additional considerations.
For planning considerations and links to procedures to configure an Azure virtual network, see Configure a Site-to-Site VPN in the Management Portal.
Example: Connect to an on-premises license server
Certain HPC applications require software licenses, and before a job can run on Azure nodes, it might need to connect to an on-premises license server running software such as the FLEXlm license manager. To enable this, an Azure virtual network can be configured to provide connectivity between the license server and the Azure nodes that are running a licensed application.
The following table lists the general steps to enable connectivity to an on-premises license server, and indicates the organizational roles that might be involved to complete these steps.
|Role|Steps|
|---|---|
|Enterprise network administrator|- Defines Azure virtual networks<br>- Defines IP subnets within virtual networks, including a gateway subnet<br>- Configures an industry-standard VPN gateway device to accept connections from Azure through the gateway subnet. For sample VPN gateway configuration scripts, see About VPN Devices for Virtual Network.<br>- Configures DNS server<br>- Configures routes as necessary to the virtual network.|
|HPC cluster administrator|- Deploys on-premises license server in a local subnet that is accessible to the HPC cluster head node or nodes<br>- Configures an Azure node template for a deployment to use the Azure virtual network that connects to the on-premises license server<br>- Configures an activation filter that checks for license availability in a job|
|HPC cluster user|- Submits a job for the licensed application to the HPC cluster|
For background information on configuring an activation job filter to connect to a license server, see:
The Azure cloud service, storage account, and virtual network used for the Azure node deployment should be assigned to the same Azure affinity group. This ensures that your Azure services will be located in the same data center. You can create an affinity group either before you create an Azure virtual network or at the time that you create it. For more information, see Create an Affinity Group Using the Management Portal.
Run the Azure Virtual Network Test to validate the Azure virtual networks that are configured in the Azure node templates. For more information, see Understanding Diagnostic Tests.
When you specify a virtual network in an Azure node template, you can optionally select one or more subnets to specify the IP address range of the Azure nodes. If you do not select a subnet, then the Azure nodes automatically receive IP addresses selected from outside the ranges allocated to the existing subnets.
If the address space of the virtual network is completely partitioned into subnets, ensure that you specify a subnet in the node template. If you do not do this, your Azure node deployment will fail because no IP addresses are available for the nodes.
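A check for the failure case described above, as an added example that is not part of the original topic or of HPC Pack: it reads an exported .netcfg file and reports, for each virtual network, which address blocks remain outside the defined subnets and whether a gateway subnet is present. The element names follow the classic network configuration layout and the gateway subnet name `GatewaySubnet` is an assumption; the sample file, its names and its ranges are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the classic .netcfg layout; all names and ranges are made up.
SAMPLE_NETCFG = """<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
 <VirtualNetworkConfiguration><VirtualNetworkSites>
  <VirtualNetworkSite name="hpc-vnet-full" AffinityGroup="hpc-ag">
   <AddressSpace><AddressPrefix>10.1.0.0/23</AddressPrefix></AddressSpace>
   <Subnets>
    <Subnet name="Nodes"><AddressPrefix>10.1.0.0/24</AddressPrefix></Subnet>
    <Subnet name="GatewaySubnet"><AddressPrefix>10.1.1.0/24</AddressPrefix></Subnet>
   </Subnets></VirtualNetworkSite>
  <VirtualNetworkSite name="hpc-vnet-open" AffinityGroup="hpc-ag">
   <AddressSpace><AddressPrefix>10.2.0.0/16</AddressPrefix></AddressSpace>
   <Subnets>
    <Subnet name="Nodes"><AddressPrefix>10.2.0.0/24</AddressPrefix></Subnet>
   </Subnets></VirtualNetworkSite>
 </VirtualNetworkSites></VirtualNetworkConfiguration>
</NetworkConfiguration>"""

def _kids(elem, name):
    """Direct children with the given local tag name, ignoring the XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit_netcfg(xml_text):
    """Per virtual network: blocks left outside every subnet, and gateway subnet presence."""
    report = {}
    sites = [e for e in ET.fromstring(xml_text).iter()
             if e.tag.rsplit("}", 1)[-1] == "VirtualNetworkSite"]
    for site in sites:
        free = [ipaddress.ip_network(p.text.strip())
                for a in _kids(site, "AddressSpace") for p in _kids(a, "AddressPrefix")]
        subnets = {s.get("name"): ipaddress.ip_network(_kids(s, "AddressPrefix")[0].text.strip())
                   for ss in _kids(site, "Subnets") for s in _kids(ss, "Subnet")}
        for sn in subnets.values():
            remaining = []
            for block in free:
                if sn.subnet_of(block):          # subnet is carved out of this block
                    remaining.extend(block.address_exclude(sn))
                elif not block.subnet_of(sn):    # block is untouched by this subnet
                    remaining.append(block)
            free = remaining
        report[site.get("name")] = {
            "free_blocks": [str(b) for b in sorted(free)],
            "free_addresses": sum(b.num_addresses for b in free),
            "fully_partitioned": not free,       # node template must then name a subnet
            "has_gateway_subnet": "GatewaySubnet" in subnets,
        }
    return report
```

A network reported as `fully_partitioned` is one where the node template has to select a subnet; a network without a gateway subnet cannot carry the site-to-site connection described earlier.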
Starting with HPC Pack 2012 with SP1, HPC Pack supports connectivity between Azure and an on-premises network without requiring a VPN hardware device. You can use the Routing and Remote Access service (RRAS) configured in an on-premises server running Windows Server 2012 to connect to an Azure virtual network. To use this, you must create a dynamic-routing Virtual Network Gateway.
Starting with HPC Pack 2012 with SP1, it is not necessary to configure a VPN connection to an on-premises network to use an Azure virtual network. For example, if you deploy an HPC Pack head node on an Azure virtual machine, you can use an Azure virtual network to provide connectivity between the head node and Azure worker nodes that are added as compute resources.
HPC Pack does not currently support configuration of a point-to-site VPN or a regional virtual network.