Azure Insights: VM performance; Bicep; SNAT port exhaustion

April 18 2021

Microsoft Azure pros discuss VM performance, Bicep deployments with GitHub Actions, and SNAT port exhaustion.

Boosting the performance of Azure VMs

Microsoft senior cloud advocate Thomas Maurer shared ways to improve performance and reliability for Azure VMs with Azure Advisor. Users need to check on VMs periodically as the cloud environment changes, and Advisor provides a "personalized cloud consultant" for that purpose. The service analyzes resource configurations and telemetry.

Users can access Advisor through the Azure portal, or directly with Azure VM navigation. Users can also have Advisor recommendations forwarded to an inbox. Maurer recommends users explore Advisor capabilities in Microsoft documents.

Deploying Bicep with GitHub Actions

Thomas Thornton looked into how to deploy Azure Bicep with GitHub Actions. Bicep is a next-gen domain-specific language for ARM templates. The offering permits creation of workflows with a GitHub repo, much like Azure DevOps pipelines.

Thornton shared a sample configuration, recommending Bicep for use with VSCode. He wrote:

Within the GitHub repository to where you are going to be running the Bicep configuration, select settings -> secrets. Add 2 secrets: AZURE_SUBSCRIPTION_ID – Subscription ID of the Azure Subscription [and] AZURE_CREDENTIALS – in json format as below, this is the Service Principal that will be used for az login and to deploy your Bicep configuration.

Spotting SNAT port exhaustion in Azure Kubernetes Service

Daniel Neumann, writing on Daniel's Tech Blog, discussed running Azure Kubernetes Service clusters with numerous outbound ports. This can result in SNAT port exhaustion. SNAT, short for Source Network Address Translation, is used for outbound calls to external addresses. SNAT ports are allocated for outbound connections to the same destination IP and port. Default configurations offer 64,000 ports with 30-minute idle timeout settings. New outbound connections stop working when SNAT ports are exhausted. He wrote:

When running into a SNAT port exhaustion new outbound connections fail. So, it is important to detect a SNAT port exhaustion as early as possible. In the end you check the metrics of your load balancer of the AKS cluster. The metric SNAT Connection Count shows you when a SNAT port exhaustion happened. Important step here is to add the filter for the connection state and set it to failed.

Values higher than zero indicate SNAT port exhaustion. AKS offers two mitigation options. Users can adjust the pre-allocation of the number of ports per node to stop automatic allocation, or assign a dedicated public IP to each node in the cluster.
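
The check described above can be automated once the load balancer metric has been exported. The following is an added example, not code from Neumann's post: it reports the time windows in which the failed connection count is above zero. The response layout, the metric name SnatConnectionCount and the dimension name ConnectionState are assumptions modelled on an Azure Monitor metrics response, and all sample values are constructed.

```python
def _series(state, totals):
    """Build one constructed series, one sample per minute from 10:00."""
    data = []
    for i, total in enumerate(totals):
        point = {"timeStamp": f"2021-04-18T10:{i:02d}:00Z"}
        if total is not None:  # None models a bucket that carries no value
            point["total"] = total
        data.append(point)
    dims = [{"name": {"value": "ConnectionState"}, "value": state}]
    return {"metadatavalues": dims, "data": data}

# Constructed sample; the layout is assumed to follow an Azure Monitor metrics
# response, and the state name "Successful" is a placeholder.
SAMPLE = {"value": [{
    "name": {"value": "SnatConnectionCount"},
    "timeseries": [_series("Successful", [900, 950, 400, 300, 800]),
                   _series("Failed", [0, 12, 40, None, 5])],
}]}

def failed_snat_windows(response, metric="SnatConnectionCount"):
    """Return (first, last, failed_total) per run of samples with failures."""
    windows = []
    for item in response.get("value", []):
        if item.get("name", {}).get("value") != metric:
            continue
        for series in item.get("timeseries", []):
            dims = {d["name"]["value"].lower(): str(d["value"]).lower()
                    for d in series.get("metadatavalues", [])}
            if dims.get("connectionstate") != "failed":
                continue  # only the failed state signals exhaustion
            run = None
            for point in series.get("data", []):
                count = point.get("total") or 0  # empty bucket counts as zero
                if count > 0:
                    if run is None:
                        run = [point["timeStamp"], point["timeStamp"], 0]
                    run[1] = point["timeStamp"]
                    run[2] += count
                elif run is not None:
                    windows.append(tuple(run))
                    run = None
            if run is not None:
                windows.append(tuple(run))
    return windows

if __name__ == "__main__":
    for first, last, total in failed_snat_windows(SAMPLE):
        print(f"SNAT exhaustion {first} to {last}: {total} failed connections")
```

An empty result means no failed SNAT connections were recorded in the sampled period; any returned window is a candidate for alerting.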

About MSCN Reporter
