ARM

Azure Resource Manager and Multiple NAT Rules

Back in the days of cloud services, every VM created got a set of default endpoints that let in traffic for RDP and Remoting on a random port, and if you wanted ingress on other ports you just created more endpoints. In the V2 world cloud services don’t exist, and endpoints are now primarily configured as inbound NAT rules on a load balancer, with the default being no NAT rules. This is ultimately a much better and more secure way of doing it; however, it did make it a pain when you needed to add one or more NAT rules for each VM in your deployment, especially when you had lots of VMs.
Azure DSC Extension 2.9.1 Released

Anyone using the Azure DSC Extension for ARM deployments with the “AutoUpgradeMinorVersion” property set to true will notice that the extension version has gone up to 2.9.1. There is no official announcement as yet on what is in it, but testing has shown that at a minimum this includes a fix for an issue with Server 2016 TP4 operating systems where DSC deployments would fail with the error: ConvertTo-MOFInstance : System.ArgumentException error processing property 'Password' OF TYPE 'MSFT_Credential': Certificate 'AAAAAAAAAAAAAAAAAAA' cannot be used for encryption.
Outbound IP and Azure Resource Manager

It’s often necessary to configure Azure virtual machines to use a consistent outbound IP address, to connect to another resource with an IP-based whitelist. In a classic cloud service based deployment this was easy: all of the VMs in the cloud service used the cloud service’s IP for outbound traffic and all was well. In an Azure Resource Manager (ARM) deployment things are different. There’s no concept of cloud services, and public IPs are assigned to VMs or load balancers.