Azure Cloud Services Extended Support: Fix Deployment & Config Errors
Why This Is Happening
If you've just tried to deploy an Azure Cloud Services extended support workload and hit a wall , whether that's a cryptic ARM template validation failure, a virtual network reference error in your .cscfg file, or a certificate provisioning issue that makes zero sense on the surface , I want you to know you're not alone. I've seen this exact class of errors trip up senior Azure architects who've been running Cloud Services (classic) for years.
Here's the core issue: Azure Cloud Services extended support isn't just a rebrand. It's a fundamentally different deployment model built on Azure Resource Manager (ARM), and the mental model you built around the old Service Manager-based platform doesn't map cleanly onto it. Microsoft didn't do a great job making that obvious in the error messages. When your deployment fails with something like InvalidTemplateDeployment or NetworkConfigurationMissing, the portal error is often vague enough that you'd need to already know what you're looking for to fix it.
The transition from Cloud Services (classic), the old Azure Service Manager-based model, to Cloud Services extended support brings real benefits. You get regional resiliency, role-based access control (RBAC), support for Azure Policy, resource tagging, and ARM deployment templates. These are things enterprises have needed for years. But getting there requires touching your .csdef and .cscfg files, wiring in a virtual network, setting up Azure Key Vault for certificate management, and updating every deployment script that previously called the old Service Manager APIs.
Who runs into these errors? Mostly teams migrating existing Cloud Services (classic) workloads, either doing a fresh redeploy directly into ARM, or using the in-place migration path. Also new teams trying to stand up a net-new Cloud Services extended support deployment without realizing that several things that were optional in classic are now mandatory: a virtual network being the biggest one.
There's also a critical timeline you need to be aware of. Cloud Services extended support was deprecated as of March 31, 2025, with full retirement scheduled for March 31, 2027. So if you're still building on this platform today, you either have an existing workload to maintain or you're evaluating whether to migrate here or to something else entirely, like Azure Kubernetes Service, Virtual Machine Scale Sets, or Azure App Service. That context matters for every decision in this guide.
The good news: the fixes are well-defined once you know what to look for. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go deep into ARM templates and Key Vault configuration, check the three most common deployment blockers first. In my experience, about 60% of Azure Cloud Services extended support deployment failures come down to one of these.
1. Your .cscfg file is missing the NetworkConfiguration block. Every Cloud Services extended support deployment must be inside a virtual network, this is non-negotiable, unlike classic. If your configuration file doesn't reference a VNet and subnet in the NetworkConfiguration section, the deployment fails immediately. Open your .cscfg and look for this block:
<NetworkConfiguration>
<VirtualNetworkSite name="your-vnet-name" />
<AddressAssignments>
<InstanceAddress roleName="YourWebRole">
<Subnets>
<Subnet name="your-subnet-name" />
</Subnets>
</InstanceAddress>
</AddressAssignments>
</NetworkConfiguration>If that block is absent or has wrong names, that's your problem right there. The VNet and subnet must already exist in Azure Resource Manager, you can't reference a classic VNet here.
2. Your ARM template and service definition file are out of sync. The .csdef and .cscfg files must be consistent with the ARM template you're deploying. Role names, instance counts, VM sizes, if any of those don't match between your ARM template and your config files, you'll get a validation error before Azure even starts provisioning resources.
3. Certificates are still being referenced by thumbprint in the old way. Cloud Services extended support requires certificates to be managed through Azure Key Vault. If you're still using the classic approach of uploading certs directly to the cloud service, that won't work here. You need to store the certificate in Key Vault and reference the Key Vault URL in your ARM template's osProfile section.
Fix whichever of those three applies to your situation, re-run the deployment, and there's a solid chance you're unblocked. If you're still hitting errors after those checks, read on, the step-by-step section below covers each fix in detail.
az deployment group validate, not just az deployment group create. The validate command catches schema mismatches and missing references without actually deploying anything, saving you the wait time on a failed provisioning cycle. This one habit alone has saved me hours on complex Cloud Services extended support migrations.
The ARM template is the backbone of every Azure Cloud Services extended support deployment. Think of it as the new deployment manifest that replaces what the old Service Manager API used to handle implicitly. The template defines infrastructure and configuration using JSON declarative syntax, you specify what you want, and ARM figures out how to build it.
Start by making sure your template includes the correct resource type. For Cloud Services extended support, it's Microsoft.Compute/cloudServices. Here's the minimal structure you need:
{
"type": "Microsoft.Compute/cloudServices",
"apiVersion": "2022-04-04",
"name": "[parameters('cloudServiceName')]",
"location": "[parameters('location')]",
"properties": {
"packageUrl": "[parameters('packageSasUri')]",
"configurationUrl": "[parameters('configurationSasUri')]",
"upgradeMode": "Auto",
"roleProfile": {
"roles": [
{
"name": "WebRole1",
"sku": {
"name": "Standard_D2_v3",
"capacity": 2
}
}
]
}
}
}The role name WebRole1 here must match exactly what you have defined in your .csdef file. Casing matters. A mismatch causes validation error RoleProfileRoleNameNotFound. Also verify that the VM size you specify in the ARM template sku.name field matches what's in your .csdef under WorkerRole or WebRole, Azure validates these against each other during deployment preflight.
Once your template is written, run the validation:
az deployment group validate \
--resource-group myResourceGroup \
--template-file cloudservice.json \
--parameters @cloudservice.parameters.jsonA successful validation returns a JSON object with "provisioningState": "Succeeded" in the properties. If it fails, the error message in the CLI output is far more descriptive than what you see in the portal, always check the CLI output for the actual error detail.
I can't stress this enough: every Cloud Services extended support deployment needs a virtual network. This trips people up constantly because it was optional in Cloud Services (classic). Now it's a hard requirement, no VNet, no deployment, full stop.
If you don't already have a VNet and subnet in the correct resource group and region, create them first. You can do this via Azure CLI:
az network vnet create \
--name myCloudServiceVNet \
--resource-group myResourceGroup \
--location eastus \
--address-prefix 10.0.0.0/16
az network vnet subnet create \
--name myCloudServiceSubnet \
--resource-group myResourceGroup \
--vnet-name myCloudServiceVNet \
--address-prefix 10.0.0.0/24Once your VNet and subnet exist, you need to reference them in two places. First, in the NetworkConfiguration section of your .cscfg file (as shown in the Quick Fix section above). Second, in your ARM template's networkProfile:
"networkProfile": {
"loadBalancerConfigurations": [
{
"name": "myLoadBalancer",
"properties": {
"frontendIpConfigurations": [
{
"name": "myFrontend",
"properties": {
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'myPublicIP')]"
}
}
}
]
}
}
]
}The Virtual Network and subnet must be ARM-based resources, classic VNets are not compatible. If you're migrating from classic and your old VNet was a classic resource, you'll need to create a new ARM VNet. There's no automatic conversion. After referencing the VNet correctly in both files, redeploy. If the VNet reference error disappears and you see the deployment move past the validation phase, you're on the right track.
Certificates in Cloud Services extended support don't work the way they did in classic. You can't upload them directly to the cloud service anymore. Instead, every certificate must live in Azure Key Vault, and you reference the Key Vault during deployment. This is genuinely better, Key Vault gives you centralized credential management, audit logs, and rotation support, but the setup has a few sharp edges.
First, create a Key Vault if you don't have one:
az keyvault create \
--name myCloudServiceKV \
--resource-group myResourceGroup \
--location eastus \
--sku standardImport your certificate (assuming you have a PFX file):
az keyvault certificate import \
--vault-name myCloudServiceKV \
--name mySSLCert \
--file ./mycert.pfx \
--password "YourCertPassword"Now, in your ARM template, add the certificate reference inside the osProfile block. You need the full Key Vault secret URL, which you can get with:
az keyvault certificate show \
--vault-name myCloudServiceKV \
--name mySSLCert \
--query "sid" -o tsvThen reference it in the template:
"osProfile": {
"secrets": [
{
"sourceVault": {
"id": "/subscriptions/{subId}/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myCloudServiceKV"
},
"vaultCertificates": [
{
"certificateUrl": "https://myCloudServiceKV.vault.azure.net/secrets/mySSLCert/abc123..."
}
]
}
]
}One thing that bites people: the Key Vault must have soft delete enabled and the managed identity of the deployment must have at least Get and List permissions on secrets. If the Key Vault access policy is missing, you'll see error code KeyVaultAccessForbidden during provisioning.
You have four official deployment paths for Cloud Services extended support: the Azure portal, PowerShell, ARM templates directly, and Visual Studio. Each has trade-offs depending on your team's workflow.
Via Azure Portal: Go to portal.azure.com, search for "Cloud Services (extended support)", and click Create. Walk through the wizard, you'll upload your .cspkg and .cscfg files, select your VNet, and optionally link your Key Vault. The portal is fine for one-off deployments and quick testing, but it's not scriptable.
Via PowerShell: This is the most common path for teams with existing automation. Make sure you have the Az module installed and you're using the ARM-based cmdlets, not the old AzureRM or Azure Service Manager cmdlets:
Import-Module Az
# Connect to your subscription
Connect-AzAccount
Set-AzContext -SubscriptionId "your-subscription-id"
# Deploy
New-AzCloudService `
-Name "myCloudService" `
-ResourceGroupName "myResourceGroup" `
-Location "East US" `
-PackageUrl "https://mystorageaccount.blob.core.windows.net/package/myservice.cspkg?sv=..." `
-ConfigurationUrl "https://mystorageaccount.blob.core.windows.net/config/ServiceConfiguration.Cloud.cscfg?sv=..." `
-UpgradeMode "Auto"Via ARM template (CLI):
az deployment group create \
--resource-group myResourceGroup \
--template-file cloudservice.json \
--parameters @cloudservice.parameters.jsonAfter the deployment kicks off, monitor it in the portal under your resource group's Deployments blade. A successful deploy shows all resources with Succeeded status. If anything fails, click the failed operation to see the detailed error, this sub-operation error is usually much more specific than the top-level message.
One thing that changed significantly from classic is how staging and production slot swaps work. Cloud Services extended support does not support multiple deployment slots within a single cloud service. Each cloud service is a single, independent deployment. I know, this feels like a step backward at first. But Microsoft built an equivalent mechanism: VIP Swap.
With VIP Swap, you deploy two separate cloud services (extended support), one for your current production workload and one for your staged release. You tag them as VIP swappable with each other, and then trigger the swap. This effectively rotates the public IP addresses between the two services, redirecting traffic to your newly staged release with minimal downtime.
Here's how to configure it. First, both cloud services need to be deployed in the same resource group and region. Then, in each service's ARM template, add the networkProfile.swappableCloudService property pointing to the other service:
"networkProfile": {
"swappableCloudService": {
"id": "/subscriptions/{subId}/resourceGroups/myRG/providers/Microsoft.Compute/cloudServices/myProductionCloudService"
}
}Both services must reference each other. Once that's in place, trigger the swap with PowerShell:
Switch-AzCloudService `
-ResourceGroupName "myResourceGroup" `
-CloudServiceName "myStagingCloudService"Or via CLI:
az cloud-service update \
--resource-group myResourceGroup \
--name myStagingCloudService \
--vip-swapAfter the swap completes, typically under two minutes, your staging service becomes production and vice versa. Check the public IP associated with your production service in the portal to confirm traffic is routing correctly. The DNS label, if you configured one, follows the Public IP resource, not the cloud service itself, so your domain should update automatically after the swap.
Advanced Troubleshooting
If you've worked through the five steps above and things still aren't right, here's where to dig deeper.
Event Viewer and Azure Diagnostics: For issues that happen post-deployment, roles that keep recycling, instances stuck in Stopped (Deallocated) state, or startup tasks failing silently, the first place to look is the Azure Diagnostics extension. If you haven't enabled it, add it to your ARM template:
{
"type": "Microsoft.Compute/cloudServices/extensions",
"name": "[concat(parameters('cloudServiceName'), '/Microsoft.Insights.VMDiagnosticsSettings')]",
"properties": {
"publisher": "Microsoft.Azure.Diagnostics",
"type": "PaaSDiagnostics",
"typeHandlerVersion": "1.5",
"settings": {
"StorageAccount": "[parameters('diagnosticsStorageAccount')]"
}
}
}Once enabled, diagnostic logs flow to your storage account where you can query them. For Windows role instances, you can also RDP in (if remote desktop is configured in your .csdef) and check Windows Event Viewer, specifically the Application and System logs, for startup errors. Event ID 7024 (service failed to start) and 1000 (application crash) are the ones I check first.
Role instance states: Cloud Services extended support exposes two power state concepts, provisioning state and instance state. If you see instances stuck in Provisioning for more than 15 minutes, that usually signals a startup task failure or a misconfigured .csdef startup command. Check your startup task exit codes, Azure expects exit code 0 for success. If your startup task exits with anything else, the role instance won't transition to Ready.
RBAC and ARM deployment failures: One of the real advantages of the extended support model is RBAC support. But this also means your deployment service principal needs the right permissions. The deploying identity needs at minimum Contributor on the resource group. For Key Vault access specifically, the service principal needs a Key Vault access policy granting Get on secrets and certificates. Check this with:
az keyvault show \
--name myCloudServiceKV \
--query "properties.accessPolicies" -o tableDNS label configuration: In extended support, the DNS label is a property of the Public IP resource, not the cloud service itself. This surprises people who configured DNS labels through the old cloud service interface. If your public-facing DNS isn't resolving after deployment, check the Public IP resource associated with your load balancer frontend:
az network public-ip show \
--resource-group myResourceGroup \
--name myPublicIP \
--query "dnsSettings" -o jsonMigration-specific issues: If you're using the in-place migration path from classic to extended support, the migration tool validates your existing classic cloud service before starting. Common blockers include: reserved IP addresses that aren't in the right format, certificates stored in the cloud service rather than Key Vault, and role configurations that reference VM sizes no longer available in your region. Run the migration preflight check first and fix each flagged item before attempting the actual migration.
If you're seeing consistent provisioning failures that don't correlate to any configuration issue, roles failing to start on multiple clean deployments, ARM API returning 500-level errors, or your subscription quota showing available capacity but deployments still failing, it's time to open a support ticket. These symptoms often indicate a platform-level issue in your region. Go to Microsoft Support, select Azure, and choose "Cloud Services (extended support)" as the service. Include the deployment correlation ID from the Azure portal Deployments blade, it's the single most useful piece of information for Microsoft support engineers to quickly trace what happened.
Prevention & Best Practices
Getting a deployment working once is one thing. Keeping it stable and avoiding the same headaches on every subsequent deploy is another. Here's what I've seen work reliably for teams running Azure Cloud Services extended support in production.
Always version your ARM templates in source control. The declarative ARM template approach is a gift, treat it that way. Keep your templates in Git alongside your application code. Tag template versions that map to known-good production deployments. If a new deployment goes wrong, you have a reliable rollback path via VIP Swap to the last known-good service, and you can diff the templates to find the culprit change.
Validate before you deploy, every time. Make az deployment group validate a mandatory step in your CI/CD pipeline before any actual deployment runs. A failed validation in CI is a two-minute feedback loop. A failed deployment in production is a 20-minute incident. The cost difference is significant.
Keep your Guest OS family pinned and monitored. Azure Guest OS releases for Cloud Services extended support follow the same schedule as Cloud Services (classic), Microsoft publishes release notes for each Guest OS update. Subscribe to the Azure updates RSS feed or set up an Azure Monitor alert on Guest OS changes. An unexpected Guest OS update has caused application compatibility issues for teams that weren't watching.
Plan your migration away from extended support now. I'll be direct: Cloud Services extended support is deprecated and retires March 31, 2027. That's not a distant deadline. Start evaluating your migration path to a modern Azure service, Virtual Machine Scale Sets, Azure Kubernetes Service, Azure App Service, or Azure Service Fabric, based on your application's architecture and how actively it's evolving. Microsoft's own guidance is clear: if your application isn't changing much, extended support gives you a manageable bridge to ARM. If it's actively developed, move to a modern platform now rather than later.
- Run
az deployment group validatein every CI/CD pipeline before deployment, catch errors before they hit production - Store all certificates in Azure Key Vault and rotate them on a schedule, never let a certificate expiry take down your service
- Tag both your production and staging cloud services as VIP-swappable from day one, you'll want zero-downtime deployments before you think you need them
- Set up Azure Monitor alerts on role instance health and provisioning state, know about stuck instances before your users do
Frequently Asked Questions
What exactly is Azure Cloud Services extended support and how is it different from Cloud Services classic?
Azure Cloud Services extended support is the Azure Resource Manager-based version of the original Azure Cloud Services (classic) platform, which ran on the older Azure Service Manager. The extended support model gives you the same core capability, hosting web and worker roles in Azure's managed compute environment, but adds ARM features like RBAC, Azure Policy support, resource tagging, and ARM template deployments. The application code itself doesn't change; what changes is the deployment infrastructure around it. Key new requirements include a mandatory virtual network, Azure Key Vault for certificate management, and ARM-compatible deployment scripts.
Is Azure Cloud Services extended support being shut down? Should I still build on it?
Yes, Microsoft deprecated Cloud Services extended support on March 31, 2025, and the platform will be fully retired on March 31, 2027. You should not build new workloads on it today. If you have existing workloads running on Cloud Services (classic) that need to stay on a Cloud Services-style architecture with minimal code changes, extended support is a reasonable migration bridge until 2027. But for any actively developed application, Microsoft recommends exploring Azure Kubernetes Service, Virtual Machine Scale Sets, Azure App Service, or Azure Service Fabric instead. The right choice depends on how much your application is evolving and what modern features you need.
How do I migrate from Cloud Services classic to Cloud Services extended support?
There are two migration paths. The first is a clean redeployment: you deploy your cloud service fresh in Azure Resource Manager using an ARM template, then delete the old Cloud Services (classic) deployment. This gives you a clean slate but requires more upfront work to build the ARM template and wire in the VNet and Key Vault dependencies. The second path is in-place migration, which Microsoft provides tooling for, it migrates your existing classic deployment to extended support with minimal to no downtime. Run the migration validation step first to catch blockers like classic VNets, directly-stored certificates, or unsupported VM sizes before you start the actual migration.
Do I really need a virtual network for Cloud Services extended support? My classic deployment didn't use one.
Yes, a virtual network is mandatory, there's no way around it. Every Cloud Services extended support deployment must reference a VNet and subnet in the NetworkConfiguration section of the .cscfg file. The VNet must be an ARM-based resource, not a classic VNet. This is one of the most common blockers for teams migrating from classic, where the VNet was optional. Create an ARM VNet in the same resource group and region as your cloud service, then reference it by name in your config file before deploying.
Can I still use staging and production deployment slots the way I did in Cloud Services classic?
Not in the same way, no. Cloud Services extended support doesn't support multiple slots within a single cloud service, each service is a single independent deployment. The equivalent capability is VIP Swap: you deploy two separate cloud services, tag them as VIP swappable with each other, and swap their public IP addresses to redirect traffic. It achieves the same result as a classic staging-to-production slot swap, but the setup is more explicit, both services need to reference each other in their ARM templates' networkProfile.swappableCloudService property before the swap can be triggered.
My role instances keep getting stuck in "Provisioning" state, what should I check?
A role instance stuck in Provisioning for more than 15 minutes almost always points to a startup task failure. Check that all startup tasks defined in your .csdef file exit with code 0, Azure treats any non-zero exit code as a failure and won't transition the instance to Ready. Also verify that any software your startup task tries to install or configure is accessible from within the VNet (firewall rules, NSG rules). Enable the Azure Diagnostics extension if you haven't already, then check the diagnostic logs in your storage account or RDP into the instance and inspect Windows Event Viewer's Application and System logs for error events around the time the instance started provisioning.