In this guide, we’ll walk through creating and configuring an Ubuntu virtual machine (VM) in Azure, deploying an NGINX web server, and managing its network security rules using the Azure CLI.
This tutorial uses placeholders like [resource group name] so you can substitute your specific resource group details.
Step 1: Create a Resource Group
The first step is to create a resource group, which acts as a logical container for your Azure resources.
Bash
az group create --name [resource group name] --location eastus
Replace [resource group name] with your chosen name.
Resource groups help organize resources like VMs, storage accounts, and networks.
Step 2: Create an Ubuntu Virtual Machine
Create a virtual machine (VM) with an Ubuntu 22.04 image.
Bash
az vm create --resource-group [resource group name] \
--name my-vm \
--public-ip-sku Standard \
--image Ubuntu2204 \
--admin-username azureuser \
--generate-ssh-keys
- --public-ip-sku Standard: Assigns a public IP with better reliability.
- --image Ubuntu2204: Specifies the Ubuntu 22.04 image.
- --generate-ssh-keys: Automatically generates SSH keys for secure login.
Step 3: Why Can’t We Access the VM Yet?
By default, Azure restricts network traffic to newly created VMs for security purposes.
The Network Security Group (NSG) associated with the VM blocks inbound HTTP traffic (port 80) unless explicitly allowed.
Therefore, we must configure the NSG to allow HTTP traffic.
Step 4: Install NGINX Using a Custom Script
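Deploy NGINX to the VM using the Custom Script Extension, which downloads a configuration script and runs it on the VM. The script below is fetched from the master branch of a GitHub repository rather than from a fixed commit, so its content can change between runs; read it before you execute it.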
bash
az vm extension set --resource-group [resource group name] \
--vm-name my-vm \
--name customScript \
--publisher Microsoft.Azure.Extensions \
--version 2.1 \
--settings '{"fileUris":["https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"]}' \
--protected-settings '{"commandToExecute": "./configure-nginx.sh"}'
- configure-nginx.sh: Installs and configures NGINX on the VM.
- customScript: Enables custom scripts during deployment.
Step 5: Retrieve the Public IP Address
Retrieve the public IP address of the VM to test connectivity.
bash
IPADDRESS="$(az vm list-ip-addresses --resource-group [resource group name] \
--name my-vm \
--query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
--output tsv)"
Print the value to confirm that an address was captured:
bash
echo "$IPADDRESS"
You can test the NGINX server using curl:
bash
curl --connect-timeout 5 http://$IPADDRESS
At this point, you’ll likely receive a timeout or connection error because HTTP traffic is still blocked by the NSG.
Step 6: Manage Network Security Group (NSG) Rules
Azure creates a default NSG for the VM. To allow HTTP traffic, you must configure it.
List NSGs in the Resource Group
bash
az network nsg list --resource-group [resource group name] --query '[].name' --output tsv
View Existing Rules
Check the rules in the NSG:
bash
az network nsg rule list --resource-group [resource group name] --nsg-name my-vmNSG \
--query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
--output table
Add a Rule to Allow HTTP Traffic
Create a rule to permit inbound traffic on port 80:
bash
az network nsg rule create --resource-group [resource group name] \
--nsg-name my-vmNSG \
--name allow-http \
--protocol tcp \
--priority 100 \
--destination-port-range 80 \
--access Allow
Re-check the rules to confirm the new one:
bash
az network nsg rule list --resource-group [resource group name] --nsg-name my-vmNSG \
--query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
--output table
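The allow-http rule above sets no source restriction, so it accepts traffic from any address. The following is an added example, not part of the original guide: a small audit that reads NSG rules as tab-separated rows and flags inbound Allow rules open to any source, ranking SSH/RDP exposure highest. The function names, the severity labels, the query field order and the sample rows are assumptions made for this example, and it expects each rule to use the single sourceAddressPrefix field.

```shell
#!/bin/sh
# Added example: flag NSG rules that allow inbound traffic from any source.
# Reads TSV rows: name, priority, direction, access, source prefix, port range.
# Live input (same NSG as above; the query field order is this example's choice):
#   az network nsg rule list --resource-group [resource group name] \
#     --nsg-name my-vmNSG --output tsv \
#     --query '[].[name,priority,direction,access,sourceAddressPrefix,destinationPortRange]' \
#     | audit_nsg_rules

audit_nsg_rules() {
  awk -F'\t' '
    # True when a port spec ("*", "80", or "20-25") includes the given port.
    function covers(range, port,   p) {
      if (range == "*") return 1
      if (split(range, p, "-") == 2) return (port >= p[1] + 0 && port <= p[2] + 0)
      return (range + 0 == port)
    }
    # Inbound Allow rules whose source is unrestricted.
    $3 == "Inbound" && $4 == "Allow" &&
    ($5 == "*" || $5 == "Internet" || $5 == "0.0.0.0/0") {
      # Management ports (SSH 22, RDP 3389) open to any source rank highest.
      sev = (covers($6, 22) || covers($6, 3389)) ? "HIGH" : "REVIEW"
      printf "%s\t%s\tpriority=%s\tport=%s\n", sev, $1, $2, $6
    }'
}

# Constructed sample rows (not real az output).
sample_rules() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    default-allow-ssh 1000 Inbound Allow '*' 22 \
    allow-http 100 Inbound Allow '*' 80 \
    allow-http-office 110 Inbound Allow 203.0.113.0/24 80 \
    deny-telnet 200 Inbound Deny '*' 23 \
    allow-range 300 Inbound Allow Internet 20-25
}

# Demo run on the constructed rows.
sample_rules | audit_nsg_rules
```

A flagged rule such as allow-http can be narrowed with az network nsg rule update and its --source-address-prefixes option, which is the first item under Next Steps.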
Step 7: Verify the NGINX Installation
With the HTTP traffic rule in place, test the NGINX server again:
bash
curl --connect-timeout 5 http://$IPADDRESS
If everything is configured correctly, you’ll see the default NGINX welcome page.
Summary
By following this guide, you have:
- Created a resource group and deployed a virtual machine.
- Installed and configured NGINX using a custom script.
- Configured the Network Security Group to allow HTTP traffic.
- Verified the web server’s accessibility.
Next Steps
Enhance Security:
- Restrict access to specific IP ranges using NSG rules.
- Configure HTTPS with an SSL certificate for secure communication.
Automate Deployments:
- Use Azure Bicep or Terraform to automate VM creation and configuration.
Monitor Resources:
- Enable Azure Monitor to track resource utilization and application performance.