Azure Virtual Machines: IaaS Compute With Fine-Grained Control and Global Reach

Infrastructure-as-a-Service (IaaS) gives teams ownership of the operating system, runtime, and software stack without buying or racking physical hardware. Azure Virtual Machines is Microsoft’s IaaS compute offering. You pick a machine type, an OS image, a region, and a disk configuration, and within minutes you have a running server that behaves exactly like an on-premises box — except Microsoft owns and maintains the physical host.

This model matters when you need control that Platform-as-a-Service (PaaS) services do not offer: custom kernel modules, specific OS versions, third-party agents, or licensing arrangements tied to a particular OS.

Real-World Scenario

A manufacturing company runs an ERP system from an ISV that requires Windows Server 2019, a specific version of .NET Framework, and a custom ODBC driver. The ISV’s support contract prohibits running on a managed PaaS service. The team provisions a D-series VM in Azure, installs the ERP stack exactly as specified, and maps the shared storage to Azure Files via SMB — replicating the on-premises setup with no ISV support risk.

VM Series and When to Use Each

Azure groups VM sizes into series optimized for different workload profiles:

VM Series Decision Tree
-----------------------
Is the workload CPU-bound (batch, encoding)?
  Yes -> F-series (Compute Optimized)
Is it memory-heavy (in-memory DB, SAP HANA)?
  Yes -> M-series or E-series (Memory Optimized)
Does it need local NVMe for temp scratch space?
  Yes -> L-series (Storage Optimized)
Is it GPU-dependent (ML training, rendering)?
  Yes -> NC / ND / NV series (GPU)
Is it a general web/app server or dev box?
  Yes -> D-series or B-series (General Purpose)
Is it HPC with RDMA / InfiniBand?
  Yes -> H-series (HPC)

The B-series is worth special mention for dev/test: it uses CPU credits, so a burstable B2s is cheap during idle hours but can absorb short CPU spikes for CI jobs or batch scripts.

Availability: Sets vs. Zones vs. Scale Sets

Failure Domain Comparison
--------------------------
Availability Set
  VM-1 ── Fault Domain 0 ── Rack A
  VM-2 ── Fault Domain 1 ── Rack B
  VM-3 ── Fault Domain 2 ── Rack C
  (protects against single-rack failures within one data centre)

Availability Zone
  VM-1 ── Zone 1 ── Data Centre A
  VM-2 ── Zone 2 ── Data Centre B
  VM-3 ── Zone 3 ── Data Centre C
  (protects against data-centre-level outages; 99.99% SLA)

Virtual Machine Scale Set (VMSS)
  Auto-scales instances across zones
  Integrates with Load Balancer for traffic distribution

For production workloads, Availability Zones provide the strongest uptime guarantee. Sets are useful in regions that do not yet support Zones, or for lift-and-shift where changing architecture is impractical.

Managed Disks

Azure managed disks abstract the underlying storage account. You choose a tier (Standard HDD, Standard SSD, Premium SSD v2, or Ultra Disk) and Azure handles placement, replication, and IOPS guarantees.

Key points:

• Premium SSD v2 decouples capacity, IOPS, and throughput — you pay only for what you configure, which is more economical than the original Premium SSD for databases with uneven I/O patterns.
• Ultra Disk targets sub-millisecond latency for SAP, Oracle, or SQL Server workloads at hundreds of thousands of IOPS.
• Snapshots are incremental after the first full copy — a 1 TB disk with 10 GB of changes produces a 10 GB snapshot billing event.
• Zone-redundant storage (ZRS) for managed disks copies data synchronously across three zones without requiring you to manage replication manually.

VM Extensions

Extensions are small agents or scripts that run inside the VM after provisioning. Common uses:

Extension Examples
------------------
CustomScriptExtension    -- Run a PowerShell or bash script on first boot
MicrosoftMonitoringAgent -- Connect VM to Azure Monitor / Log Analytics
AADSSHLoginForLinux      -- Allow Azure AD users to SSH without local accounts
DependencyAgentLinux     -- Collect service-map data for VM Insights
AzureDiskEncryption      -- Enable BitLocker / dm-crypt with Key Vault keys

Extensions are idempotent and re-run on reboot if set to autoUpgradeMinorVersion: true. Use them to avoid baking agent installations into every custom image.

Cost Optimisation: Reserved Instances and Spot VMs

Azure VMs have three pricing modes:

1. Pay-as-you-go (PAYG) — billed per second, no commitment. Highest unit price.
2. Reserved Instances (RI) — 1-year or 3-year commitment for a specific VM family and region. Saves up to 72% over PAYG.
3. Spot VMs — use spare Azure capacity at up to 90% discount. Microsoft can evict with 30 seconds notice. Suitable for stateless batch jobs, rendering, or Kubernetes worker nodes that support graceful drain.

A common pattern is to baseline capacity with RIs for predictable workloads and add Spot VMs in scale sets for burst capacity.

Deploying a VM via Azure CLI

az group create --name prod-rg --location eastus2

az vm create \
  --resource-group prod-rg \
  --name app-vm-01 \
  --image Win2022AzureEdition \
  --size Standard_D4s_v5 \
  --admin-username azadmin \
  --generate-ssh-keys \
  --zone 1 \
  --os-disk-sku Premium_LRS \
  --nsg-rule RDP

Attaching a data disk after creation:

az vm disk attach \
  --resource-group prod-rg \
  --vm-name app-vm-01 \
  --name data-disk-01 \
  --size-gb 512 \
  --sku Premium_LRS \
  --new

Architecture: Multi-Tier Web Application

Internet
   |
[Public Load Balancer] (Standard SKU, Zone-redundant)
   |           |
[Web VM 1]  [Web VM 2]      <- Availability Zone 1 and 2
   |           |
[Internal Load Balancer]
   |           |
[App VM 1]  [App VM 2]      <- Availability Zone 1 and 2
   |           |
[Azure SQL Database]        <- Zone-redundant managed service
   |
[Azure Blob Storage]        <- Shared static assets

Each tier sits in its own subnet with a Network Security Group (NSG) that only allows traffic from the tier above it on the specific port required.

Key Interview Points

• Availability Set vs. Zone: Sets guard against rack failure within a single data centre; Zones guard against entire data-centre failure. SLA is 99.95% for Sets and 99.99% for cross-zone deployments.
• Managed vs. unmanaged disks: Always use managed disks in new deployments. Unmanaged disks require you to manage storage account IOPS limits manually.
• Why B-series for dev: CPU credit model prevents over-spending on compute for workloads that idle most of the day.
• Extension vs. custom image: Extensions are better for agent installation because they separate concerns; custom images are better when the install process is slow and must run on every new instance.
• Reserved Instance flexibility: You can exchange or return RIs (with restrictions). Instance size flexibility within a series lets the RI apply to a larger VM that consumes more normalisation units.

Best Practices

• Place VMs in Availability Zones for new production deployments; use placement policies to spread across fault domains.
• Enable Azure Disk Encryption with customer-managed keys for regulated workloads.
• Use Auto-shutdown schedules on dev/test VMs to avoid weekend billing waste.
• Tag VMs with environment, owner, and cost-centre for chargeback reporting.
• Enable Azure Update Manager to schedule OS patching in maintenance windows.
• Use Azure Bastion instead of public RDP/SSH to remove attack surface from the internet.