Resilience Architecture in Azure

Hi folks,

a view days ago, I‘ve posted my first AWS resilience architecture.

I’ve used the following Azure services:

AWS EFS Azure Storage Account (File)
AWS EC2 and Auto scaling Azure VMSS
AWS Loadbalancer Azure LoadBalancer
AWS ElasticIPAzure Public IP
AWS Route TablesAzure PSE
AWS Internet Gateway
AWS NAT Gateway

Now it’s time to implement the same architecture in Azure and show the difference between those Cloud providers. First of all, I’ll implement the solution with (nearly) the same components like AWS and one step ahead I will show the best way at Azure.

The main idea, is to build a resilience WordPress architecture, using Azure VMSS instances and a managed database at the backend.

Here is the architecture design of my solution:

Okay let’s start with the first service. To store the WordPress files into a shared volume I use an Azure File Storage (at the moment).

To get a resilience architecture, I use the following settings:

  • Zone-redundant storage (ZRS)
  • Access Tier Hot
  • Performance Standard

My next step, I create an Azure File share named “wordpress”

Now I create an Azure MySQL Server. I’ve used the following configuration details:

Please use min. the “General Purpose” MySQL Database, because the “Basic Purpose” MySQL Database doesn’t support PSE!

Now I create the Network part. I’ll create an Azure VNet with the following settings:

  • IP Space:
  • Subnet Name: backend
  • Subnet address range:
  • Service endpoints: Microsoft.SQL, Microsoft.Storage

It‘s important to bind the storage and the MySQL server to the VNet with PSE, because the connection to that services are only permitted from the “backend” subnet. First of all, I open the Azure Storage Account and select the “Firewalls and virtual networks” settings at the left hand side:

In the next section, I’ll select the option “Selected networks” and add my existing “backend” subnet. Click on “Add existing virtual network”. Important remove all check boxes from the “Exceptions” section! The input looks like the following:

Click “Save”. Now it’s not possible to open the Azure File Share over the Azure Portal, you get the following error message:

Great, the next step, is to bind the Azure MySQL Server to the network. Open the Azure MySQL Server object and select “Connection security”:

Add the existing subnet to the MySQL Server. Please click “Add existing virtual network” and add the required values. The input looks like the following:

Important, please check that the option “Allow access to Azure services” is set to “No”.

Now it’s time to create an Azure Virtual Machine Scale set. For my resilience Architecture, I use the following settings:

It’s important to add a “cloud init” script, because we need the Apache, PHP, mysql client and also the share Azure storage account after the installation. To archive that, please add the following script to the “Cloud init” section:

apt-get update
apt-get install -y apache2 apache2-utils 
apt-get install -y mysql-client
apt-get install -y php libapache2-mod-php php-mysql
systemctl enable apache2
systemctl start apache2
echo "// /var/www/html cifs vers=3.0,username=%STORAGENAME%,password=%STORAGEKEY%,dir_mode=0777,file_mode=0777" >>/etc/fstab
mount -a

IMPORTANT, change the following sections based on your configuration:


Click “Create” to finish the VMSS configuration.

Now the basic environment is in place, we have to enable the HTTP access to the “environment”. To archive that, we have to create an Azure network security group with the following inbound rule:

Great, now it’s possible to connect to the webserver, but I want to install the WordPress content. To archive that, temporary I have to enable the “ssh” access to one of my VMSS instances. Per default, the VMSS setup created a NAT rule for each instance. You can find that NAT rules when you open the Loadbalancer and select the section “Inbound NAT rules”

I use the Loadbalancer DNS name and also the required port for my VM connection. Per default the connection is denied, I have created a “temp” Azure network security rule to enable that feature. For security reasons, I only allow my source public IP adress. The rule looks like the following:

Please add your public IP to the “Source IP address/CIDR reanges” field. Now it’s possible to connect to the VMs using the NAT port.

Now you have to download and extract the WordPress content to the Azure file storage.

cd /tmp
wget -c
tar -xzvf latest.tar.gz
sudo mv wordpress/* /var/www/html

It’s time to create a MySQL database:

sudo mysql -h %HOSTURL% -u $USERNAME%@%HOSTNAME% -p

Replace the variables with your configuration:


Now open your browser and enter the Azure Loadbalancer dns name to configure WordPress. My configuration looks like the following:

IMPORTANT, for a successfully connection you have to change the ” Enforce SSL connection” at the MySQL Server from “Enabled” to “Disabled”:

Another important part, change the Azure Loadbalancer “Session persistence” settings. You can find that option at

And click “Save”. The last point is to change the Website URL at the WordPress configuration:

The solution is okay, but there is too much of IaaS implemented. Another point, when I‘ll design an application architecture in Azure, I‘ll try to focus on PaaS services, if it’s possible. In Azure there are many options available and I‘ll show you another one in PaaS. I‘m sure there are another options available, but for me this is one of the easiest and cheapest one.

Fazit: it‘s possible to implement the same solution in Azure, but for my point of view not the best way. Another point, in Azure it’s sometimes easier to implement a complex networking architecture, because Microsoft implements a lot automatically at the background. There are some features only in preview available but those works really good!

Here is the Azure native way