VM Best Practices and Cost Optimisation

Running Azure Virtual Machines effectively requires a combination of architectural best practices, operational discipline, and cost awareness. This lesson brings together the concepts from previous lessons into actionable guidance for production VM deployments.

---

Architecture Best Practices

Use Availability Zones for Production

Always deploy production VMs across Availability Zones when available. This provides the highest SLA (99.99%) and protects against data centre-level failures.

Production Architecture
──────────────────────
Zone 1: VM1, VM4
Zone 2: VM2, VM5
Zone 3: VM3, VM6
         ↕
   Standard Load Balancer (zone-redundant)
         ↕
      Internet

Use Managed Disks

Always use Managed Disks rather than unmanaged disks. They are automatically aligned with fault domains in Availability Sets and support snapshots, RBAC, and encryption out of the box.

Choose the Right Disk Type

Workload	Recommended Disk
Production databases	Premium SSD or Ultra Disk
General production workloads	Premium SSD
Dev/test environments	Standard SSD
Backups and archival	Standard HDD

Separate OS and Data Disks

Keep the operating system on the OS disk and application data on separate data disks. This allows you to:

• Resize data disks independently
• Snapshot data without snapshotting the OS
• Replace the OS disk without losing application data
• Choose different performance tiers for each disk

---

Security Best Practices

Remove Public IPs

Avoid assigning public IP addresses directly to VMs. Instead:

Alternative	Use Case
Azure Bastion	Secure SSH/RDP management access
Azure Load Balancer	Distribute inbound traffic across VMs
Application Gateway	Layer 7 load balancing with WAF
NAT Gateway	Outbound internet access without per-VM public IPs
VPN/ExpressRoute	Access from on-premises networks

Use Network Security Groups

Apply NSGs at the subnet level for broad rules and at the NIC level only for VM-specific exceptions:

# Allow HTTPS on port 443 only
az network nsg rule create \
  --resource-group rg-prod \
  --nsg-name production-nsg \
  --name AllowHTTPS \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 443 \
  --source-address-prefixes Internet

Enable Encryption

• Azure Disk Encryption — encrypt OS and data disks with BitLocker (Windows) or dm-crypt (Linux)
• Customer-managed keys — use Azure Key Vault for key management
• Encryption at host — encrypt the temporary disk and disk caches

Use Managed Identities

Use managed identities instead of storing credentials in VM configuration:

# Assign a system-assigned managed identity
az vm identity assign \
  --resource-group rg-prod \
  --name myVM

The VM can then authenticate to Azure services (Key Vault, Storage, SQL) without passwords or API keys.

---

Operational Best Practices

Automate Patching

Use Azure Update Manager (formerly Update Management) to schedule and track OS patching across your VMs:

• Define maintenance windows
• Approve patches automatically or manually
• Track compliance across all VMs from a single dashboard
• Support for both Windows and Linux

Use Azure Backup

Protect VMs with Azure Backup:

# Enable backup for a VM
az backup protection enable-for-vm \
  --resource-group rg-prod \
  --vault-name myRecoveryVault \
  --vm myVM \
  --policy-name DefaultPolicy

Azure Backup provides:

• Application-consistent snapshots
• Configurable retention policies
• Cross-region restore capability
• File-level recovery without restoring the entire VM

Monitor VM Health

Configure Azure Monitor to collect metrics and logs:

What to Monitor	Metric
CPU utilisation	Percentage CPU
Memory pressure	Available memory (requires agent)
Disk performance	IOPS, throughput, queue depth
Network	Bytes in/out, packet drops
OS-level logs	Syslog (Linux), Event logs (Windows)

Set up alerts for critical conditions: