Azure Milestone 1: VNet and Secured VM
You will complete the first milestone of an Azure build: a VNet, a subnet, and a secured VM reachable only from your IP. By the end you will have the network and compute foundation the next milestone extends.
Learning Objectives
- Deploy a VNet and subnet.
- Launch a key-authenticated VM.
- Scope inbound access to your IP only.
- Time: ~5 hours · Difficulty: Intermediate · Prereqs: the Azure CLI configured.
Architecture Overview
graph LR
You[You] -->|SSH from your IP| VM[VM in subnet]
VNet[VNet 10.0.0.0/16] --> Sub[subnet 10.0.1.0/24]
Sub --> VM
NSG[NSG] --> VM
Environment Setup
- Azure CLI authenticated with a default resource group.
- An SSH keypair and your current public IP.
Step-by-Step Execution
01
Create the VNet and subnet
az network vnet create -n vnet --address-prefixes 10.0.0.0/16 --subnet-name app --subnet-prefixes 10.0.1.0/2402
Deploy the VM with key auth
az vm create -n vm01 --image Ubuntu2204 --vnet-name vnet --subnet app --ssh-key-values ~/.ssh/id_ed25519.pub03
Restrict SSH to your IP
$ az vm open-port -n vm01 --port 22 && az network nsg rule update --nsg-name vm01NSG -n open-port-22 --source-address-prefixes 203.0.113.10/32
"sourceAddressPrefix": "203.0.113.10/32"
Progress So Far
graph LR
A[01 VNet] -->|done| B[02 VM]
B -->|done| C[03 Scope SSH]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
ssh azureuser@$(az vm show -d -n vm01 --query publicIps -o tsv) 'hostname'You should connect by key and see the hostname. Confirm SSH from any other IP is blocked. Milestone 1 is complete.
Troubleshooting
- SSH blocked from your IP: your public IP changed; update the NSG source prefix.
- VM has no public IP: add one or use a bastion/jump host.
- Password prompt: deploy with the SSH key, not a password.
Extension Ideas
- Continue to Milestone 2: Full Environment.
- Bootstrap with cloud-init (see Azure VM Configuration).
- Codify with IaC.
Key Results
- Deployed a VNet, subnet, and a working VM.
- Enforced key-only SSH access.
- Restricted inbound SSH to a single IP.
- Established the foundation for milestone 2.