I’m confused between Azure Cloud Services and Azure VMs – what the ****?

I’ve finally caved in after a webinar yesterday in which this question came up for what seems like the 100th time. So I thought I’d blog it and send people here for the full explanation in the future.

Back in the good old bad old days when Microsoft Azure was first released there were hardly any services. Compute, which in those days was known as “Azure Hosted Services”. There was a SQL database service and some add-on bits of infrastructure to make it easy to build apps – a Security Token Service called the Access Control Service and an app messaging service called “Service Bus”. These bits were packaged up in to something called “Windows Azure App Fabric”. That name was eventually dropped when people got confused between “App Fabric” and the “Fabric” that runs and orchestrates operations inside the Azure data centres.

“Azure Hosted Services” were what you used when you wanted some computers to do some computing for you. There were 2 types of compute roles. Web Roles and Worker Roles. You might typically build a cloud app with say a web front end (for which you’d very likely use Web Roles) and say a middle tier (for which you’d very likely use Worker Roles) and a database back end for which you’d use the SQL DB service I mentioned earlier.

The computers (Windows Servers) that lived in these Roles were known as “instances”. You could have say a Web Role with multiple instances and you could dynamically add and remove instances as the app was running. You could do this with Worker Role instances too.

So you had the instances (servers) inside the roles and the roles lived inside another container called a Hosted Service. All the bits of compute inside a Hosted Service could talk to each other over a common network infrastructure. You could specify which ports were open to each computer (they were all closed by default) and you could connect ports up to a load balancer which was in turn connected to the Internet. So a Hosted Service was like a container for the compute parts of your app. One important thing it was granted, so you could talk to the compute within it, was an IP address that was connected to the Internet (via the aforementioned load balancer).

So here was the idea. As a dev, you’d write some code that would run on your Web Role and some other code that would run on your Worker Role. You’d package that in to a special file called a “Cloud Service Package” (.cspkg). You’d then describe the boxology of your app in couple of XML files in which you’d define the roles you had, how many instances of each role and how powerful each instance was. For example you might have a medium (2 cores, 3.5GB RAM) instance for the Worker Role and a Large instance (4 cores, 7GB RAM) for the Web Role. One file (.csdef) had things like ports and instance sizes, the other (.cscfg) had things like how many instances were in each role.

All you had to do was create these 2 files (you could use Visual Studio) and send them to Microsoft. Then somewhere between 8 and 15 minutes later your app would be live and running on the Internet. Fantastic. No management of infrastructure. Azure would do all the service management, patching, security fixes, failure-management etc for you.

Eventually, this way of doing things - “Hosted Services” - got renamed to “Cloud Services”.

OK, so then customers started saying “…well, I’d love to use Azure but I’d just like to start with an architectural model that’s more like what I have in my own data centre today. I can see how cloud services are great if I write apps to fit exactly in to the cloud services architecture but most of my apps are a few years old and they aren’t written that way – how can you help?”.

So on the 22nd June 2012, Microsoft announced Azure Virtual Machines. Dead easy to create a VM – click New, VM, then select a machine from a gallery. Answer a few questions like what you’d like the machine name to be what you’d like the password to be and so on and a few minutes later you’re running a server.

Virtual Machines were designed to fit in to the existing Cloud Services infrastructure and this is where the majority of the confusion comes from. Because when you look in the portal – it definitely looks like Cloud Services and Virtual Machines are 2 separate things: they are, but they are related:


So, if you go in to Cloud Services and click “New” – you’ll be able to create a Cloud Service as I’ve described it in the opening part of this blog-post with Web Roles and Worker Roles and integrated service management, fault management, automatic patching, SPs, security fixes and all that goodness. You’ll get to a question that asks you to supply a .cspkg and a .cscfg. SO at this point it wouldn’t appear to have anything to do with Azure Virtual Machines.

But when you get to page 3 of the New VM Wizard, it asks you to either create a new cloud service, or to put the VM in to an existing cloud service:


As I said earlier, VMs leverage the existing Cloud Services architecture. So when you create a VM, it will end up living inside a Role which will live inside a Cloud Service.

You normally don’t see the Role and you’re not all that interested in it anyway. By default, the Role will have the same name as the machine-name. But you have to either put your VM in to an existing Cloud Service or create a new one. This will give any VMs you put in to the same cloud service network access to each other. They will all be deployed on to a common network that is isolated from all the other VMs in Azure. Just like the Cloud Services I described in the opening part of this post. You also get access to a load balancer and you get an IP address that is connected to the Internet.

By default, if you create a new Cloud Service, the wizard will give it the same name as the server. Resist the temptation to accept the default at this point. In the pic above – you can see it wants to create a Cloud Service called plankysrv1.cloudapp.net. Now let’s imagine some time later, you add a new machine called plankysrv2 to this cloud service. It’s going to be confusing referring to plankysrv2 using the DNS name plankysrv1.cloudapp,net. So a much better strategy would be to name the Cloud Service something neutral – say, in this case “plankysrv.cloudapp.net”.

The thing about a Cloud Service, currently, is that whether it’s a “pure” Cloud Service or one that wraps around some Azure Virtual Machines, is that you get a single IP address connected to the Internet. Which means you get a single DNS name too. So you can see a name that doesn’t reference a specific server makes sense.

This is all fine if you don’t connect any of your Azure Virtual Machines up to the outside world. Most of the servers in your private datacentre are not connected directly to the Internet. But what if you create a web-front end across say 3 IIS web servers? Well, that’s where the load balancer comes in. Each Cloud Service has a load balancer connected to the Internet. If you connect your 3 web servers’ HTTP ports up to the load balancer then HTTP requests from the Internet will be load-balanced across all 3 servers.

But what if you want to do some configuration to a specific server and you want to RDP in to it? In that case, the load balancer can map different ports for you. So an example might be that to access different servers you use their port number in the RDP client.

plankysrv1 plankysrv.cloudapp.net:50267
plankysrv2 plankysrv.cloudapp.net:50268
plankysrv3 plankysrv.cloudapp.net:50269

When the load balancer sees an RDP request coming in on port 50268, it knows to send the data to plankysrv2 on the default RDP port (3389). So you don’t need to make any port modifications to the server at all. The Azure load balancer takes care of it for you. When you set up RDP access to your Azure Virtual Machines, you can either set up the port mapping explicitly yourself (like I’ve done in the table above). Or you can just let Azure find a spare high-numbered port for you. This is called “Automatic” and it looks like this when you go through the wizard:


OK – so here is what I see in the Cloud Services node, BEFORE I create a new Azure Virtual Machine:


If I now create a new VM called plankysrv1 and put it in to a Cloud Service called plankysrv.cloudapp.net – this is what I’ll see in the Cloud Services Node:


So that sort of proves that Azure Virtual Machines always end up in Cloud Services. You have no choice. But how can I tell which VMs are in that service? If I drill in to the service and select the Instances tab – it shows me:


I’m now going to add plankysrv2 in to the plankysrv.cloudapp.net Cloud Service – a la:


In the Cloud Services node, it won’t make any difference, but if I drill in to the Instances tab within the plankysrv.cloudapp,net service, then I’ll see 2 servers now:


You might also notice, in the New VM wizard, when you pick a specific Cloud Service, you can’t change the Region once you’ve made the choice. And that’s because a Cloud Service lives in one and only one Region. So whatever region the cloud service is in, that’s where your Azure Virtual Machine will be created. You aren’t offered a choice to change it.

OK, so I’ve now got 2 new Azure Virtual Machines (plankysrv1 and plankysrv2). I’m going to delete both of them. Here is the Virtual Machines node before I delete them:


…and here it is afterwards:


…so with all the Azure Virtual Machines gone – you’d think the Cloud Service would also disappear wouldn’t you? It forced you to create a Cloud Service with your first Azure Virtual Machine so it should therefore logically undo it when you delete the last Azure Virtual Machine? But that’s not what happens. Because it’s impossible to have an Azure Virtual Machine without an associated Cloud Service. But you can have an empty Cloud Service. It just sits there a bit like an empty shopping bag waiting for you to one day put something back in to it. So if you want to get rid of it – you have to explicitly delete it from within the Cloud Services node. Here is a screenshot of the Cloud Service empty but still in existence:


…however, if we take a look on the Instances tab – it’s empty:


I hope that’s given you a little bit of an understanding of the relationship between Cloud Services and Virtual Machines. If you always remember an Azure Virtual Machine cannot exist without a Cloud Service, but a Cloud Service can exist without an Azure Virtual Machine – it can be empty. That basic idea will see you through.

Planky == @plankytronixx

Comments (35)

  1. Blue Clouds says:

    So the empty shopping bag does not be paid I guess

  2. ...Planky says:

    Correct. If there's no VM in the cloud service then there's nothing to pay for. In fact, if you look at my 4th screen shot – you can see machines that are stopped. Well they must live in a cloud service because you can't have an orphaned VM. But you don't pay for them either.

  3. ...Planky says:

    …just a further point on payment. You don't pay for the compute hours (well minutes actually), but you still have to pay for the storage. So if your VM's disk is 30GB, you will pay the monthly charge for that. And that's because the storage IS being used… If you delete the disk, then you stop paying for the space it was taking.

  4. Uncle_Romania says:

    So if I have a VM do I pay for the cloud service as well as the VM? Or does a VM associated cloud service come free when you pay for the VM?

  5. ...Planky says:

    Hi Uncle R,

    You only pay for VMs. The Cloud Service which houses the VM is free. There's a slightly different rate for "Azure VMs" compared to the VMs (instances) in an "Azure Cloud Service". This reflects the extra automation that is done with updates, patches, SPs, recycling and fault management in pure Cloud Services.

    Here are some example prices (in British pennies per hour).

    Cloud Service Instances:

    a1 – 6p

    a2 – 11p

    a3 – 21p

    a4 – 41p

    Azure Virtual Machines

    a1 – 5.8p

    a2 – 11.5

    a3 – 23p

    a4 – 45.9p

    If you want to know more detail, here is VM pricing: azure.microsoft.com/…/virtual-machines or here is Cloud Services pricing: azure.microsoft.com/…/cloud-services

  6. Diane says:

    Sweet Jesus, thank you so much for deobfuscating this for us. The cloud service/vm/instance/dns name/host name/VIP IP snarl was killing me.

  7. Mike Courtney says:

    I do like your Azure sessions Mr P! I even travel across the country to get to them!

    Could you demystify something for me please:

    VM's in a cloud service can talk to each other without endpoints

    VM's in the same VNet can talk to each other without endpoints

    What happens if a cloud service contains 2 or more Vnets with machines in both – can they communicate openly because they are in the same cloud service or does the fact they are in different VNets overide it.

    The same can be asked about VNets that cross cloud services that – so if I have VM1 in VNet1 in cloudservice1  and I have VM2 in VNet1 in cloudservice2 – can they talk openly to each other or does the cross cloud service prevent this.

    Flow chart would be awesome!

    As an extension to this what about VPNs – if I connect a Vnet to my local network using a single cloud service are endpoints necessary for communication across the VPN!



  8. Mike Courtney says:

    OK what I have so far discovered is the Virtual network rules and even splitting a virtual network between 2 cloud services allows full communication between the VMs

    Subnets of a virtual network also work in an open way (even over cloud services)

    Now onto different virtual networks

  9. Lakshmi Shankar says:

    Any response to Mike's questions?

    Also, how does it matter if I had 5 VMs as a part of a cloud service or as a part of VNET? What is the difference between cloud service and VNET?

  10. Lakshmi Shankar says:

    Is there any use for an empty Cloud Service [with no VM in it]?

  11. Scott S says:

    If I have a VM that I do want connect at all to the outside, Can I delete the cloud service for it?

  12. ...Planky says:

    Hi Scott – no. A VM always lives inside a cloud service. If you don't want the VM to be connected to the outside world, just don't connect any endpoints to it. THe only way the cloud service's load balancer will route traffic to the VM is if it has endpoints connected. That's a task you have to explicitly do for each VM. So if you want it entirely self-contained and unable to communicate with the outside world – just don't connect any endpoints.

    Hope that helps.

  13. Vess says:

    Awesome article, thanks!

    There is really a big confusion about these terms

  14. VMs and Cloud Services - naming says:

    Let me say that I've been doing IT infrastructure for a couple decades so this should not be new to me.

    I decided to take Azure for a test drive.

    Created an Ubuntu  VM and gave it a DNS name. Let's call it "foo".

    Tried to add ssh certs in authorized_keys using all the correct standard tools and that never worked. Apparently a bunch of Microsoft nonsense that is only solvable through Powershell APIs that amount to the fact that only a bunch of Microsoft "fingerprinting" stuff that happens during VM creation can take a supplied cert and update the authorized_keys flle which on every other system is a simple file append.

    OK, fine. Have it your way, Microsoft.  So I deleted the VM "foo" intending to re-create it, supplying the keys at VM creation time.

    Now when I try to re-create the VM "foo" I get an error that "foo" already exists as a "Cloud Service" and cannot be created.  Darn if there is not now a  "Cloud Service" that I can find no way to delete.

    To hell with this idiocy, I'm going to find another provider that just works like every other Linux host on planet Earth and is not rife with a bunch of nonsense that is only doable through "the magic Console".

    Thanks Microsoft. After 3 decades you guys still don't know how how to run a computer.

  15. Step back - it makes okay sense says:

    Relax.  Think of the service as the firewall.  You open ports to your VM's, and add Load balanced sets, etc.

  16. boredom says:

    You didn't bother reading the article.  Deleting a VM does not delete the cloud service.  You can delete the service, although you probably didn't read that article either, or you can just put your new VM into an existing cloud service.

  17. PageNotFound says:

    Thanks you for writing this post. As an infra guy, coming from Virtual Server….  I never really got the whole "why does a VM have a cloud" service and why do I need one. Thanks for taking the time to write this up. Totally helped me.

  18. ...Planky says:

    I said I'd provide a video to answer the person who has named themselves "VMs and Cloud Services – naming". So hopefully you're re-visiting sometime and will see this is really very simple to do. You just have to know what to do. You don't have to use powershell. You can use the standard tools. Also I describe and show the difference between cloud services and VMs and also the *relationship" between them. Hope it helps. Go to this link: http://youtu.be/qyB0HY5g0nI

  19. Walter Michel says:

    Great article.  Really clarified relationship between cloud service and VM's.  This is especially useful for those of us with little or no experience with Azure PaaS.

  20. Ashish says:

    Great article !!!

    Just had a query, how can I create a VM in a cloud-service with a Web or Worker role using Azure portal ?

  21. Tony says:

    Hey, can a VM be in two cloud services?  Like port 80 for one and 21 for another?  I don't think so (did not see that as an option) – but just want to confirm?

  22. ...Planky says:

    Hi Ashish – you can't create web and worker roles in the portal directly. You need to create the code that will run on them and also create a "service model" (it's all done in Visual Studio with the Azure SDK). Then you can either deploy that directly to Azure from VS, or you can use VS to give you a package (a .cspkg file with your code in it) and a configuration file (.cscfg file) and use the portal to upload it and create a live-running cloud service for you. If you just go to the portal (the old portal – Cloud Services haven't appeared in the preview portal – yet!) and click New|Compute|Cloud Service, you'll just have an empty service sat there doing nothing. You need the package and the config. I'd recommend you have a quick watch of a demo I do of it in video at http://aka.ms/12to16maydemos.

  23. ...Planky says:

    Hi TOny – no you can't do that. A VM (whether it's a raw "Azure VM" or a Web/Worker Role VM) always lives inside exactly one cloud service. If you think about it – the cloud service gives all the VMs within it a common IP address on the public Internet and a DNS name. So imagine you had a VM in a cloud service foo.cloudapp.net… You'd go to foo.cloudapp.net:80 for the website and foo.cloudapp.net:21 for FTP.

    I'd recommend reading this post blogs.msdn.com/…/setting-up-a-passive-ftp-server-in-windows-azure-vm.aspx if you intend to run an ftp server in Azure…

  24. Atef says:

    all these stories behind what was a cloud service before and "HOW IT WORKS" now is of little use.

    I say it so that you and other people in Microsoft understand the very simple things that likes of Amazon get it right from the first shot.

    As a enterprise user who is testing migration from On-Prem and Amazon AWS to Azure, I need to know the following:

    Why, when and How should I be using cloud services from an architectural point of view. I have read million posts and watched gazillion videos and I can create cloud services with my eyes closed! but how do they fit in the bigger picture of infrastructure architecture and how do they tie in with Virtual networks (again from architectural point of view) to provide SECURITY and flexibility.

    I wish you people go to Amazon's documentation and see the ease with which customers can get information.

    We can only wish ……………

  25. Preeti says:

    Will loadbalancer be automatically created for every cloud service that is created as part of VM creation or we have configure loadbalancer explicitly?

  26. ...Planky says:

    Hi Preeti,

    Every Cloud Service, no matter what type, always has a load-balancer included. With the type of Cloud Service that includes Azure VMs, you have to explicity go in and connect the VMs to the load balancer. You do this my managing endpoints. So you might connect port 80 of a VM to the load balancer and expose it to the outside world on port 80.

    So you don't really configure the load balancer, you just configure the connections between your VM and the load balancer….

  27. Jeffrey S. Patton says:

    Can you have one VM in multiple cloud services? Or better, what if I have a pool of 8 vm's they all respond to port 80, but 4 will also respond to 443. Is the only way to do this by separating into different cloud services? Which goes back to the first question, if the only way to do this is separate cloud services, then I could have a port 80 cloud service and a port 443 cloud service, with the 4 port 443 servers also living in the port 80 cloud service.

    It came up in a discussion with a friend of mine, and I wasn't sure it was possible, and it may not be, or it's entirely possible that I just really don't know how to make the LB do what I want it to.

  28. Robert Castles says:

    This is an excellent article.  I appreciate the historical view as well as how MS was able to leverage that for evolving needs.  This article cleared up the majority of my confusion.  

  29. Toby says:

    Hi Planky!

    Great post. I think I've got my hands around Cloud Services versus VMs, but there's a whole new swath of confusion introduced in the Preview Portal now with Resource Groups and App Services. From what you've described my guess is that App Services are a new flavor of Cloud Service and from what I read online it seems RGs are the new hotness in terms of management, but unfortunately the support for them is not exactly uniform just yet so probably not worth using in a prod environment (note the Switch-AzureMode PS debacle going on here->github.com/…/Deprecation-of-Switch-AzureMode-in-Azure-PowerShell).

    What I'm not clear on, still, is how I can add my existing VMs to a Cloud Service. I know you say they "always have to be deployed" in a cloud service but in the preview portal I wasn't given that choice. I tried creating an empty cloud service but it just creates a Web Worker-type service with Production/Staging slots and no way to add anything to it except to upload packages.

    Anything you can clarify would be great! Thanks.

  30. Sergej Popov says:

    Hi Planky, thanks for the great post.

    Question on Web/Worker Role pricing: You have mentioned when you have VMs in Cloud Service you pay for each machine and Cloud Service itself is free. But what happens in case of Web/Worker roles? Do I pay per instance of my Web/Worker role same price as per VM? I cannot find pricing calculator for Web/Worker roles.


  31. DJ says:

    we can use single cloud service for multiple VMs. what is the best practice?. creating single cloud service for all VMs or having new cloud service for each VM?

  32. ...Planky says:

    Hi Sergei.

    Pricing for role instances of Web/Worker roles is ever so slightly more expensive than naked VMs. FOr example an A4 web/worker role machine is £0.391/hr. It if was a naked VM, it'd be £0.3666/hr. Almost two and a half pence cheaper per hour. You can look up prices for Web/Worker roles on th epricing page. You need to look under "Cloud Services". azure.microsoft.com/…/cloud-services

    Hi DJ,

    If you want to be able to scale your app out and have multiple machines connected to the same load balancer – you need all the VMs in the same cloud service. If not – then you can put each machine in a separate cloud service.

    But you might want to also find out about something in preview – the Resource Manager model. Which now allows you to connect multiple machines to the same load balancer as long as they are all on the same virtual network. Too big a topic to handle in this reply, but if you look up here (azure.microsoft.com/…/virtual-machines) there are a few videos near the top which explain the concept, which was not released when I wrote this blog post…

  33. LenV says:

    Thank you Planky for straightening this matter out! Any chance you could create another youtube demo in regards of "Mike Courtney 20 Nov 2014 2:25 AM" post/question. And maybe include his other comments from "Mike Courtney 20 Nov 2014 3:51 AM" .  Thank you again!!!

  34. www.f-s.us says:

    Cloud Services are PaaS and VMs are IaaS – simply put.

  35. Soulmat says:

    Hi, will i pay the same thing if i create one Cloud Services by VM or less Cloud Services for same number of VM ?

    Just for know if i can isolate the VM in a dedicated Cloud Services without pay more. Thank you !

Skip to main content