You will complete the first milestone of an Azure build: a VNet, a subnet, and a secured VM reachable only from your IP. By the end you will have the network and compute foundation the next milestone extends.

Learning Objectives

  • Deploy a VNet and subnet.
  • Launch a key-authenticated VM.
  • Scope inbound access to your IP only.
  • Time: ~5 hours · Difficulty: Intermediate · Prereqs: the Azure CLI configured.

Architecture Overview

Environment Setup

  • Azure CLI authenticated with a default resource group.
  • An SSH keypair and your current public IP.

Step-by-Step Execution

01
Create the VNet and subnet
az network vnet create -n vnet --address-prefixes 10.0.0.0/16 --subnet-name app --subnet-prefixes 10.0.1.0/24
02
Deploy the VM with key auth
az vm create -n vm01 --image Ubuntu2204 --vnet-name vnet --subnet app --ssh-key-values ~/.ssh/id_ed25519.pub
03
Restrict SSH to your IP
$ az vm open-port -n vm01 --port 22 && az network nsg rule update --nsg-name vm01NSG -n open-port-22 --source-address-prefixes 203.0.113.10/32
"sourceAddressPrefix": "203.0.113.10/32"

Progress So Far

Testing & Validation

ssh azureuser@$(az vm show -d -n vm01 --query publicIps -o tsv) 'hostname'

You should connect by key and see the hostname. Confirm SSH from any other IP is blocked. Milestone 1 is complete.

Troubleshooting
  • SSH blocked from your IP: your public IP changed; update the NSG source prefix.
  • VM has no public IP: add one or use a bastion/jump host.
  • Password prompt: deploy with the SSH key, not a password.

Extension Ideas

Key Results

  • Deployed a VNet, subnet, and a working VM.
  • Enforced key-only SSH access.
  • Restricted inbound SSH to a single IP.
  • Established the foundation for milestone 2.