Deploying and Configuring an Ubuntu VM with NGINX in Azure

In this guide, we’ll walk through creating and configuring an Ubuntu virtual machine (VM) in Azure, deploying an NGINX web server, and managing its network security rules using the Azure CLI.

This tutorial uses placeholders like [resource group name] so you can substitute your specific resource group details.

Step 1: Create a Resource Group

The first step is to create a resource group, which acts as a logical container for your Azure resources.

Bash
az group create --name [resource group name] --location eastus

Replace [resource group name] with your chosen name.

Resource groups help organize resources like VMs, storage accounts, and networks.

Step 2: Create an Ubuntu Virtual Machine

Create a virtual machine (VM) with an Ubuntu 22.04 image.

Bash
az vm create --resource-group [resource group name] \
    --name my-vm \
    --public-ip-sku Standard \
    --image Ubuntu2204 \
    --admin-username azureuser \
    --generate-ssh-keys
  • --public-ip-sku Standard: Assigns a public IP with better reliability.
  • --image Ubuntu2204: Specifies the Ubuntu 22.04 image.
  • --generate-ssh-keys: Automatically generates SSH keys for secure login.

Step 3: Why Can’t We Access the VM Yet?

By default, Azure restricts network traffic to newly created VMs for security purposes.

The Network Security Group (NSG) associated with the VM blocks inbound HTTP traffic (port 80) unless explicitly allowed.

Therefore, we must configure the NSG to allow HTTP traffic.

Step 4: Install NGINX Using a Custom Script

Deploy NGINX to the VM using the Custom Script extension, which downloads a configuration script and runs it on the VM.

bash
az vm extension set --resource-group [resource group name] \
    --vm-name my-vm \
    --name customScript \
    --publisher Microsoft.Azure.Extensions \
    --version 2.1 \
    --settings '{"fileUris":["https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"]}' \
    --protected-settings '{"commandToExecute": "./configure-nginx.sh"}'
  • configure-nginx.sh: Installs and configures NGINX on the VM.
  • customScript: Enables custom scripts during deployment.

Step 5: Retrieve the Public IP Address

Retrieve the public IP address of the VM to test connectivity.

bash
IPADDRESS="$(az vm list-ip-addresses --resource-group [resource group name] \
    --name my-vm \
    --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
    --output tsv)"

Print the value to confirm that an address was returned:

bash
echo "$IPADDRESS"

You can test the NGINX server using curl:

bash
curl --connect-timeout 5 "http://$IPADDRESS"

At this point, you’ll likely receive a timeout or connection error because HTTP traffic is still blocked by the NSG.

Step 6: Manage Network Security Group (NSG) Rules

Azure creates a default NSG for the VM. To allow HTTP traffic, you must configure it.

List NSGs in the Resource Group

bash
az network nsg list --resource-group [resource group name] --query '[].name' --output tsv

View Existing Rules

Check the rules in the NSG:

bash
az network nsg rule list --resource-group [resource group name] --nsg-name my-vmNSG \
    --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
    --output table

Add a Rule to Allow HTTP Traffic

Create a rule to permit inbound traffic on port 80:

bash
az network nsg rule create --resource-group [resource group name] \
    --nsg-name my-vmNSG \
    --name allow-http \
    --protocol tcp \
    --priority 100 \
    --destination-port-range 80 \
    --access Allow

Re-check the rules to confirm the new one:

bash
az network nsg rule list --resource-group [resource group name] --nsg-name my-vmNSG \
    --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
    --output table
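
The allow-http rule above sets no source restriction, so it is worth checking which inbound rules are reachable from anywhere. The following is an added example, not part of the original guide: a filter over the TSV output of the same az network nsg rule list command. The function names, the column order in the query and the sample rows are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag NSG rules that allow inbound traffic from any source.
#
# Intended input: tab-separated rows from (column order is this example's choice):
#   az network nsg rule list --resource-group [resource group name] --nsg-name my-vmNSG \
#     --query '[].[name, priority, direction, access, sourceAddressPrefix, destinationPortRange]' \
#     --output tsv
# Limitation: rules that use the plural sourceAddressPrefixes list are not covered.

# flag_open_inbound: reads TSV on stdin and prints "name<TAB>port<TAB>priority"
# for every Inbound/Allow rule whose source is unrestricted, lowest priority
# number (evaluated first) at the top.
flag_open_inbound() {
    awk -F'\t' '
        {
            direction = tolower($3); access = tolower($4); source = tolower($5)
            if (direction != "inbound" || access != "allow") next
            # "*", the Internet service tag and 0.0.0.0/0 all mean "any source".
            if (source == "*" || source == "internet" || source == "0.0.0.0/0")
                printf "%s\t%s\t%s\n", $1, $6, $2
        }
    ' | sort -t "$(printf '\t')" -k3,3n
}

# Constructed sample rows (not real output from any subscription).
sample_rules() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        default-allow-ssh 1000 Inbound Allow '*' 22 \
        allow-http 100 Inbound Allow '*' 80 \
        allow-https-office 110 Inbound Allow 203.0.113.0/24 443 \
        deny-telnet 200 Inbound Deny '*' 23 \
        allow-dns-out 300 Outbound Allow '*' 53
}

sample_rules | flag_open_inbound
```

For a public web server an open port 80 is expected; any other rule the filter prints, such as a management port, is a candidate for a narrower source range.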

Step 7: Verify the NGINX Installation

With the HTTP traffic rule in place, test the NGINX server again:

bash
curl --connect-timeout 5 "http://$IPADDRESS"

If everything is configured correctly, you’ll see the default NGINX welcome page.

Summary

By following this guide, you have:

  • Created a resource group and deployed a virtual machine.
  • Installed and configured NGINX using a custom script.
  • Configured the Network Security Group to allow HTTP traffic.
  • Verified the web server’s accessibility.

Next Steps

Enhance Security:

  • Restrict access to specific IP ranges using NSG rules.
  • Configure HTTPS with an SSL certificate for secure communication.

Automate Deployments:

  • Use Azure Bicep or Terraform to automate VM creation and configuration.

Monitor Resources:

  • Enable Azure Monitor to track resource utilization and application performance.
