Multi-Tier Azure Infrastructure Build
You will build a complete multi-tier Azure environment with segmented networking, hardened VMs, and monitoring, all from the CLI. By the end you will have a secured, observable cloud network deployed reproducibly.
Learning Objectives
- Deploy a VNet with web, app, and data subnets.
- Place hardened VMs and scope traffic with NSGs.
- Wire telemetry into Azure Monitor with alerts.
- Time: ~12 hours · Difficulty: Advanced · Prereqs: the Azure CLI configured.
Architecture Overview
graph TD
Net((Internet)) -->|443| Web[Web subnet + NSG]
Web -->|8080| App[App subnet + NSG]
App -->|5432| Data[Data subnet + NSG]
All[All tiers] -->|telemetry| Mon[Azure Monitor]
Environment Setup
- Azure CLI authenticated with a default resource group.
- An SSH keypair for VM access.
- A Log Analytics workspace for monitoring.
Step-by-Step Execution
01
Deploy the segmented network
az network vnet create -n vnet --address-prefixes 10.0.0.0/16 --subnet-name web --subnet-prefixes 10.0.1.0/2402
Place a hardened VM and scope its NSG
az vm create -n web01 --image Ubuntu2204 --vnet-name vnet --subnet web --ssh-key-values ~/.ssh/id_ed25519.pub03
Connect monitoring and alerts
$ az monitor metrics alert create -n cpu --scopes $VMID --condition "avg Percentage CPU > 80"
"enabled": true
Progress So Far
graph LR
A[01 Network] -->|done| B[02 VMs + NSG]
B -->|done| C[03 Monitoring]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
az network nsg list -o table && az vm list -d -o tableYou should see each tier's NSG and running VMs. Confirm the web tier is reachable on 443 while the data tier rejects internet traffic.
Troubleshooting
- Tier reachable from internet: tighten the NSG; only web should expose 443.
- No metrics: enable diagnostics/agent so data reaches the workspace.
- Quota errors: choose a smaller VM SKU or another region.
Extension Ideas
- Codify it all with Infrastructure as Code.
- Audit posture with CSPM.
- Extend to the Cloud Capstone.
Key Results
- Deployed a 3-tier segmented Azure network.
- Restricted internet exposure to the web tier only.
- Enabled monitoring with a CPU alert.
- Built the environment reproducibly from the CLI.