在 Azure Stack Hub 上运行 Windows 虚拟机Run a Windows virtual machine on Azure Stack Hub

除 VM 本身以外,在 Azure Stack Hub 中预配虚拟机 (VM) 还需要其他一些组件,包括网络和存储资源。Provisioning a virtual machine (VM) in Azure Stack Hub requires some additional components besides the VM itself, including networking and storage resources. 本文介绍在 Azure 上运行 Windows VM 的最佳做法。This article shows best practices for running a Windows VM on Azure.

Azure Stack Hub 上的 Windows VM 体系结构

资源组Resource group

资源组是保存相关 Azure Stack Hub 资源的逻辑容器。A resource group is a logical container that holds related Azure Stack Hub resources. 一般情况下,可根据资源的生存期及其管理者将资源分组。In general, group resources based on their lifetime and who will manage them.

将共享相同生命周期、密切相关的资源放入同一资源组Put closely associated resources that share the same lifecycle into the same resource group. 资源组可让你以组的形式部署和监视资源,并按资源组跟踪计费成本。Resource groups allow you to deploy and monitor resources as a group and track billing costs by resource group. 还可以删除作为集的资源,这适用于测试部署。You can also delete resources as a set, which is useful for test deployments. 指定有意义的资源名称,以便简化特定资源的查找并了解其角色。Assign meaningful resource names to simplify locating a specific resource and understanding its role. 有关详细信息,请参阅 Azure 资源的建议命名约定For more information, see Recommended Naming Conventions for Azure Resources.

虚拟机Virtual machine

可以通过发布的映像列表或上传到 Azure Stack Hub Blob 存储的自定义托管映像或虚拟硬盘 (VHD) 文件来预配 VM。You can provision a VM from a list of published images, or from a custom-managed image or virtual hard disk (VHD) file uploaded to Azure Stack Hub Blob storage.

Azure Stack Hub 提供了与 Azure 不同的虚拟机大小。Azure Stack Hub offers different virtual machine sizes from Azure. 有关详细信息,请参阅 Azure Stack Hub 中的虚拟机大小For more information, see Sizes for virtual machines in Azure Stack Hub. 若要将现有工作负荷转移到 Azure Stack Hub,一开始请先使用与本地服务器/Azure 最匹配的 VM 大小。If you are moving an existing workload to Azure Stack Hub, start with the VM size that's the closest match to your on-premises servers/Azure. 然后从 CPU、内存和每秒磁盘输入/输出操作次数 (IOPS) 等方面测量实际工作负荷的性能,并根据需要调整大小。Then measure the performance of your actual workload in terms of CPU, memory, and disk input/output operations per second (IOPS), and adjust the size as needed.

磁盘Disks

成本取决于预配磁盘的容量。Cost is based on the capacity of the provisioned disk. IOPS 和吞吐量(即数据传输速率)取决于 VM 大小,因此在预配磁盘时,请全面考虑三个因素(容量、IOPS 和吞吐量)。IOPS and throughput (that is, data transfer rate) depend on VM size, so when you provision a disk, consider all three factors (capacity, IOPS, and throughput).

Azure Stack Hub 上的磁盘 IOPS(每秒输入/输出操作次数)是 VM 大小(而不是磁盘类型)的函数。Disk IOPS (Input/Output Operations Per Second) on Azure Stack Hub is a function of VM size instead of the disk type. 这意味着,对于 Standard_Fs 系列 VM,不管你选择 SSD 还是 HDD 作为磁盘类型,单个额外的数据磁盘的 IOPS 限制都是 2300。This means that for a Standard_Fs series VM, regardless of whether you choose SSD or HDD for the disk type, the IOPS limit for a single additional data disk is 2300 IOPS. 施加的 IOPS 限制是一种上限(最大可能值),目的是防止邻域干扰。The IOPS limit imposed is a cap (maximum possible) to prevent noisy neighbors. 它不是你会在特定 VM 大小上获得的 IOPS 的保证。It isn't an assurance of IOPS that you'll get on a specific VM size.

我们还建议使用托管磁盘We also recommend using Managed Disks. 托管磁盘可代你处理存储,简化磁盘管理。Managed disks simplify disk management by handling the storage for you. 托管磁盘不需要存储帐户。Managed disks do not require a storage account. 只需指定磁盘的大小和类型,就可以将它部署为高度可用的资源。You simply specify the size and type of disk and it is deployed as a highly available resource.

OS 磁盘是存储在 Azure Stack Hub blob 存储中的 VHD,因此即使主机关闭,OS 磁盘也仍然存在。The OS disk is a VHD stored in Azure Stack Hub blob storage, so it persists even when the host machine is down. 我们还建议创建一个或多个数据磁盘(用于保存应用程序数据的持久性 VHD)。We also recommend creating one or more data disks, which are persistent VHDs used for application data. 如果可能,请将应用程序安装在数据磁盘上,而不是 OS 磁盘上。When possible, install applications on a data disk, not the OS disk. 某些旧版应用程序可能需要将组件安装在 C: 驱动器上;在这种情况下,可使用 PowerShell 重设 OS 磁盘的大小Some legacy applications might need to install components on the C: drive; in that case, you can resize the OS disk using PowerShell.

还使用临时磁盘(Windows 上的 D: 驱动器)创建 VM。The VM is also created with a temporary disk (the D: drive on Windows). 此磁盘存储在 Azure Stack Hub 存储基础结构中的临时卷上。This disk is stored on a temporary volume in the Azure Stack Hub storage infrastructure. 它在重新启动期间以及发生其他 VM 生命周期事件期间可能会被删除。It may be deleted during reboots and other VM lifecycle events. 只使用此磁盘存储临时数据,如页面文件或交换文件。Use this disk only for temporary data, such as page or swap files.

网络Network

网络组件包括以下资源:The networking components include the following resources:

  • 虚拟网络 。Virtual network. 每个 VM 都会部署到可细分为多个子网的虚拟网络中。Every VM is deployed into a virtual network that can be segmented into multiple subnets.

  • 网络接口 (NIC)Network interface (NIC). NIC 使 VM 能够与虚拟网络进行通信。The NIC enables the VM to communicate with the virtual network. 如果 VM 需要多个 NIC,请注意每种 VM 大小都定义了最大 NIC 数量。If you need multiple NICs for your VM, be aware that a maximum number of NICs is defined for each VM size.

  • 公共 IP 地址/VIPPublic IP address/ VIP. 需要使用公共 IP 地址才能与 VM 通信 - 例如,通过远程桌面 (RDP)。A public IP address is needed to communicate with the VM — for example, via remote desktop (RDP). 公共 IP 地址可以是动态的或静态的。The public IP address can be dynamic or static. 默认是动态的。The default is dynamic.

  • 如果需要不会更改的固定 IP 地址 — 例如,如果需要创建 DNS 'A' 记录或将 IP 地址添加到安全列表,请保留静态 IP 地址Reserve a static IP address if you need a fixed IP address that won't change — for example, if you need to create a DNS 'A' record or add the IP address to a safe list.

  • 还可以为 IP 地址创建完全限定域名 (FQDN)。You can also create a fully qualified domain name (FQDN) for the IP address. 然后,可以在 DNS 中注册指向 FQDN 的 CNAME 记录You can then register a CNAME record in DNS that points to the FQDN. 有关详细信息,请参阅在 Azure 门户中创建完全限定的域名For more information, see Create a fully qualified domain name in the Azure portal.

  • 网络安全组 (NSG)Network security group (NSG). NSG 用于允许或拒绝流向 VM 的网络流量。NSGs are used to allow or deny network traffic to VMs. NSG 可与子网或单个 VM 实例相关联。NSGs can be associated either with subnets or with individual VM instances.

所有 NSG 都包含一组默认规则,其中包括阻止所有入站 Internet 流量的规则。All NSGs contain a set of default rules, including a rule that blocks all inbound Internet traffic. 无法删除默认规则,但其他规则可以覆盖它们。The default rules cannot be deleted, but other rules can override them. 若要启用 Internet 流量,请创建允许特定端口的入站流量的规则 — 例如,将端口 80 用于 HTTP。To enable Internet traffic, create rules that allow inbound traffic to specific ports — for example, port 80 for HTTP. 若要启用 RDP,请添加允许 TCP 端口 3389 的入站流量的 NSG 规则。To enable RDP, add an NSG rule that allows inbound traffic to TCP port 3389.

操作Operations

诊断Diagnostics. 启用监视和诊断,包括基本运行状况指标、诊断基础结构日志和启动诊断Enable monitoring and diagnostics, including basic health metrics, diagnostics infrastructure logs, and boot diagnostics. 如果 VM 陷入不可启动状态,启动诊断有助于诊断启动故障。Boot diagnostics can help you diagnose boot failure if your VM gets into a non-bootable state. 创建用于存储日志的 Azure 存储帐户。Create an Azure Storage account to store the logs. 标准的本地冗余存储 (LRS) 帐户足以存储诊断日志。A standard locally redundant storage (LRS) account is sufficient for diagnostic logs. 有关详细信息,请参阅启用监视和诊断For more information, see Enable monitoring and diagnostics.

可用性Availability. 由于 Azure Stack Hub 操作员计划的计划内维护,你的VM 可能需要重新启动。Your VM may be subject to a reboot due to planned maintenance as scheduled by the Azure Stack Hub operator. 为了在 Azure 中实现多 VM 生产系统的高可用性,可以将 VM 置于横跨多个容错域和更新域的可用性集中。For high availability of a multi-VM production system in Azure, VMs are placed in an availability set that spreads them across multiple fault domains and update domains. 在较小规模的 Azure Stack Hub 中,可用性集中的容错域定义为缩放单元中的单个节点。In the smaller scale of Azure Stack Hub, a fault domain in an availability set is defined as a single node in the scale unit.

在发生硬件故障时,虽然 Azure Stack Hub 的基础结构已具备故障还原能力,但基础技术(故障转移群集功能)的局限仍会导致受影响物理服务器上的 VM 出现停机。While the infrastructure of Azure Stack Hub is already resilient to failures, the underlying technology (failover clustering) still incurs some downtime for VMs on an impacted physical server if there's a hardware failure. 为了与 Azure 保持一致,Azure Stack Hub 支持的可用性集最多有三个容错域。Azure Stack Hub supports having an availability set with a maximum of three fault domains to be consistent with Azure.

容错域Fault domains 置于可用性集中的 VM 在物理上是彼此隔离的,换句话说,会尽可能均衡地让其分散到多个容错域(Azure Stack Hub 节点)中。VMs placed in an availability set will be physically isolated from each other by spreading them as evenly as possible over multiple fault domains (Azure Stack Hub nodes). 如果发生硬件故障,出现故障的容错域中的 VM 将在其他容错域中重启。If there's a hardware failure, VMs from the failed fault domain will be restarted in other fault domains. 它们保留在与其他 VM 不同的容错域中,但如果可能,则保留在相同的可用性集中。They'll be kept in separate fault domains from the other VMs but in the same availability set if possible. 当硬件重新联机时,会对 VM 重新进行均衡操作,以维持高可用性。When the hardware comes back online, VMs will be rebalanced to maintain high availability.
更新域Update domains 更新域是 Azure 在可用性集中提供高可用性的另一种方法。Update domains are another way that Azure provides high availability in availability sets. 更新域是可以同时维护的基础硬件逻辑组。An update domain is a logical group of underlying hardware that can undergo maintenance at the same time. 同一个更新域中的 VM 会在计划内维护期间一起重启。VMs located in the same update domain will be restarted together during planned maintenance. 当租户在可用性集内创建 VM 时,Azure 平台会自动将 VM 分布到这些更新域。As tenants create VMs within an availability set, the Azure platform automatically distributes VMs across these update domains.
在 Azure Stack Hub 中,VM 会先跨群集中的其他联机主机进行实时迁移,然后其基础主机才会进行更新。In Azure Stack Hub, VMs are live migrated across the other online hosts in the cluster before their underlying host is updated. 由于在主机更新期间不会造成租户停机,因此 Azure Stack Hub 上存在更新域功能只是为了确保与 Azure 实现模板兼容。Since there's no tenant downtime during a host update, the update domain feature on Azure Stack Hub only exists for template compatibility with Azure. 可用性集中的 VM 将显示 0 作为其在门户上的更新域编号。VMs in an availability set will show 0 as their update domain number on the portal.

备份 有关保护 Azure Stack Hub IaaS VM 的建议,请参阅保护在 Azure Stack Hub 上部署的 VMBackups For recommendations on protecting your Azure Stack Hub IaaS VMs, reference Protect VMs deployed on Azure Stack Hub.

停止 VMStopping a VM. Azure 对“已停止”和“已解除分配”状态做了区分。Azure makes a distinction between "stopped" and "deallocated" states. 当 VM 状态为已停止时(而不是当 VM 已解除分配时)将向你收费。You are charged when the VM status is stopped, but not when the VM is deallocated. 在 Azure Stack Hub 门户中,“停止” 按钮可解除分配 VM。In the Azure Stack Hub portal, the Stop button deallocates the VM. 如果在已登录时通过 OS 关闭,VM 会停止,但 不会解除分配,因此仍会产生费用。If you shut down through the OS while logged in, the VM is stopped but not deallocated, so you will still be charged.

删除 VMDeleting a VM. 如果删除 VM,不会删除 VM 磁盘。If you delete a VM, the VM disks are not deleted. 这意味着可以安全地删除 VM,而不会丢失数据。That means you can safely delete the VM without losing data. 但是,仍将向你收取存储费用。However, you will still be charged for storage. 若要删除 VM 磁盘,请删除托管磁盘对象。To delete the VM disk, delete the managed disk object. 若要防止意外删除,请使用资源锁锁定整个资源组或锁定单个资源(如 VM)。To prevent accidental deletion, use a resource lock to lock the entire resource group or lock individual resources, such as a VM.

安全注意事项Security considerations

将 VM 载入到 Azure 安全中心以获取 Azure 资源的安全状态的中心视图。Onboard your VMs to Azure Security Center to get a central view of the security state of your Azure resources. 安全中心监视潜在的安全问题,并全面描述了部署的安全运行状况。Security Center monitors potential security issues and provides a comprehensive picture of the security health of your deployment. 安全中心针对每个 Azure 订阅进行配置。Security Center is configured per Azure subscription. 根据将 Azure 订阅载入安全中心标准版中所述启用安全数据收集。Enable security data collection as described in Onboard your Azure subscription to Security Center Standard. 启用数据收集后,安全中心会自动扫描该订阅下创建的所有 VM。When data collection is enabled, Security Center automatically scans any VMs created under that subscription.

修补程序管理Patch management. 若要在 VM 上配置修补程序管理,请参阅此文To configure Patch management on your VM, refer to this article. 如果启用,安全中心会检查是否缺少任何安全更新和关键更新。If enabled, Security Center checks whether any security and critical updates are missing. 使用 VM 上的组策略设置可启用自动系统更新。Use Group Policy settings on the VM to enable automatic system updates.

反恶意软件Antimalware. 如果启用,安全中心会检查是否已安装反恶意软件。If enabled, Security Center checks whether antimalware software is installed. 还可以使用安全中心从 Azure 门户中安装反恶意软件。You can also use Security Center to install antimalware software from inside the Azure portal.

访问控制Access control. 使用基于角色的访问控制 (RBAC) 来控制对 Azure 资源的访问。Use role-based access control (RBAC) to control access to Azure resources. RBAC 允许将授权角色分配给开发运营团队的成员。RBAC lets you assign authorization roles to members of your DevOps team. 例如,“读者”角色可以查看 Azure 资源,但不能创建、管理或删除这些资源。For example, the Reader role can view Azure resources but not create, manage, or delete them. 某些权限特定于 Azure 资源类型。Some permissions are specific to an Azure resource type. 例如,“虚拟机参与者”角色可以执行重启或解除分配 VM、重置管理员密码、创建新的 VM 等操作。For example, the Virtual Machine Contributor role can restart or deallocate a VM, reset the administrator password, create a new VM, and so on. 可能对此体系结构有用的其他内置 RBAC 角色包括开发测试实验室用户网络参与者Other built-in RBAC roles that may be useful for this architecture include DevTest Labs User and Network Contributor.

备注

RBAC 不限制已登录到 VM 的用户可以执行的操作。RBAC does not limit the actions that a user logged into a VM can perform. 这些权限由来宾 OS 上的帐户类型决定。Those permissions are determined by the account type on the guest OS.

审核日志Audit logs. 使用活动日志可查看预配操作和其他 VM 事件。Use activity logs to see provisioning actions and other VM events.

数据加密Data encryption. Azure Stack Hub 使用 BitLocker 128 位 AES 加密在存储子系统中保护用户和基础结构静态数据。Azure Stack Hub uses BitLocker 128-bit AES encryption to protect user and infrastructure data at rest in the storage subsystem. 有关详细信息,请参阅 Azure Stack Hub 中的静态数据加密For more information, see Data at rest encryption in Azure Stack Hub.

后续步骤Next steps