Provision an Azure 2016 Webserver (Single Tier)

7 min readMar 31, 2022

‘Single Tier webserver’ is a VM with both IIS and SQL Server on the same machine, which is adequate for a development environment.

Azure provides Windows images with the latest updated versions of SQL Server or SQL Express and SQL Server Maintenance Studio already installed. These pre-installations are a great time saver, to not have to download the SQL Server software and then go through the extensive installation and update process. The VM will also have an additional attached data drive installed with folders linked for SQL user databases. All that is required is to enable the sys admin (sa) account (optional).

Build Azure VM
Setup SSMS
Install IIS and Firewall Rule for HTTP, HTTPS
Import and install SSL certificate

1. Build VM in Azure Portal:

Marketplace > type in SQL Server Express to find the image options available and select the one with SQL Server SP1 and WS2016

Follow through with the VM setup

Because when the VM is stopped and restarted, it is possible that Azure will assign a different public IP address, it is advisable to select a Static IP, the Portal default is a Dynamic IP.

Endpoints need to be setup for the Azure VM to be able to receive HTTP and HTTPS since this will be a webserver. This can be added later in the Network Security Group for the VM, but it is just as easy to add it in the initial provisioning of the new machine. All Azure machines have the RDP/port 3389 allowed — the HTTP and HTTPS endpoints must also be added. Note that within the deployed Azure VM, Windows Firewall will also need to be opened to allow HTTP and HTTPS.

The final blade opening is for the SQL Server settings to be applied during the machine deployment. Port 1433 is being opened during deployment, within the server which saves configuration within the server. We like to enable the SQL Authentication, so the option to use Windows or SQL Authentication is available for various connections that might be required to the databases being used in the webserver.

Once the new Azure VM is showing as created, i.e. its blades are now visible in the Azure Portal — check to see that the deployment also created an attached disk for SQL Server data to be sent to:

To be able to access the new VM, download the RDP file for the new machine:

Once connected via RDP to the new server, notice the data drive that Azure provided for the SQL Data and Logs.

2. Check SQL Server using SQL Server Management Studio (SSMS):

Temporarily allow IE access so that any SQL Server or other Windows updates can be downloaded and installed on the server.

Install any SQL Updates that need to be applied:

Open SQL Server Management Studio (SSMS) with the Windows Authentication to the connection account established in the Portal setup.

To enable the Sys Admin account within SQL Server:

Setup sa account password > General > add in password and confirm > OK

Restart SQL Server for changes to sa account to take place.

To test that the sa account has been activated, Connect using SQL Authentication to SQL Server:

Verify the Data and Log location of user database files from within SSMS:

Server > Server Properties > Database Settings > Database default locations:

Create a Test Database to verify operation of SQL Server:

Databases > Create new Database:

3. Add the Webserver Role and Role Services to the server:

Server Manager > Manage > Add Roles and Features > Next

Select Web Server (IIS) and accept Add Features > Next

Once installation complete, open IIS and test that the Default Web Site resolves to the generic front page.

While IIS is installing, go to Windows Firewall > Advanced Settings > Inbound Rules > New Rule and setup a new inbound rule for HTTP (port 80) and HTTPS (port443).

4. Import and Install SSL Certificate

We have a wildcard SSL certificate stored in an Azure File Storage container that can be accessed & saved from this VM via a mapped network drive (see Creating a Mapped Drive to Azure File Storage for how this is done.) This SSL certifcate was first exported from another webserver.