Q: If I place VMs in different cloud services in Azure, can they still talk to each other?
A: This can be a fairly confusing topic. First, consider a single cloud service. Each VM has an internal dynamic IP address (DIP), which is assigned by the Azure fabric. All VMs within the cloud service can communicate with each other via the DIP. The cloud service also has a virtual IP address (VIP), which is Internet-addressable; in addition, endpoints can be created so that certain ports on the VIP point to specific ports for specific VMs within the cloud service. This enables communication to VMs in the cloud service via the Internet, as the following figure shows (if you enable these endpoints).
Now consider using two different cloud services with VMs in each cloud service. The VMs within each cloud service can communicate, but the only way VMs in different cloud services can communicate is via endpoints defined on the cloud service VIP. Although this is fine for limited communications, it isn't efficient. As the following figure shows, the VM with DIP2 talks to the VM with DIP3 in another cloud service via the cloud service VIP. Remember that this requires an endpoint defined on the target cloud service for the communication, which is effectively open to the Internet.
The solution is to place the cloud services in a virtual network, which then allows all the VMs in cloud services on the same virtual network to communicate directly using the internal (DIP) addresses, as the following figure shows. With a virtual network, you can define the IP address range to use (from the non-Internet-routable RFC 1597).
- Always create a virtual network, first using an IP address scheme that doesn't overlap with your on-premises.
- Create a cloud service and VMs and attach the VMs to a virtual subnet in the virtual network during creation. This will bind the cloud service to the virtual network, and all subsequently created VMs in the cloud service will have to attach to a virtual subnet in the virtual network.
All your VMs will now be able to communicate with each other using the internal IP addresses even though they're in different cloud services.