You will build a complete multi-tier Azure environment with segmented networking, hardened VMs, and monitoring, all from the CLI. By the end you will have a secured, observable cloud network deployed reproducibly.

Learning Objectives

  • Deploy a VNet with web, app, and data subnets.
  • Place hardened VMs and scope traffic with NSGs.
  • Wire telemetry into Azure Monitor with alerts.
  • Time: ~12 hours · Difficulty: Advanced · Prereqs: the Azure CLI configured.

Architecture Overview

Environment Setup

  • Azure CLI authenticated with a default resource group.
  • An SSH keypair for VM access.
  • A Log Analytics workspace for monitoring.

Step-by-Step Execution

01
Deploy the segmented network
az network vnet create -n vnet --address-prefixes 10.0.0.0/16 --subnet-name web --subnet-prefixes 10.0.1.0/24
02
Place a hardened VM and scope its NSG
az vm create -n web01 --image Ubuntu2204 --vnet-name vnet --subnet web --ssh-key-values ~/.ssh/id_ed25519.pub
03
Connect monitoring and alerts
$ az monitor metrics alert create -n cpu --scopes $VMID --condition "avg Percentage CPU > 80"
"enabled": true

Progress So Far

Testing & Validation

az network nsg list -o table && az vm list -d -o table

You should see each tier's NSG and running VMs. Confirm the web tier is reachable on 443 while the data tier rejects internet traffic.

Troubleshooting
  • Tier reachable from internet: tighten the NSG; only web should expose 443.
  • No metrics: enable diagnostics/agent so data reaches the workspace.
  • Quota errors: choose a smaller VM SKU or another region.

Extension Ideas

Key Results

  • Deployed a 3-tier segmented Azure network.
  • Restricted internet exposure to the web tier only.
  • Enabled monitoring with a CPU alert.
  • Built the environment reproducibly from the CLI.