Azure Microsoft Cloud Enterprise Account: Use Bicep / Terraform to deploy a standard network environment on Azure in 10 minutes
In modern cloud operations there is a classic, well-worn failure scenario:
The company's architects carefully design a network segmentation plan that meets the security specification and hand it to the operations team to implement. Operations logs into the Azure portal and clicks through a wall of dense forms, checking every field by eye. Half an hour in, the main address space meant to be a /16 is accidentally entered as a /24, or the inbound rules of the network security group (NSG) end up in the wrong order. The result: the virtual machines deployed afterwards either lose all connectivity, or the core database is exposed directly to the public internet, and it takes more than half a day to track down the cause.
This style of operations, which relies entirely on a person pointing and clicking on a web page, is what the industry derides as "manual-shift" ops. It is not just slow; its fatal flaw is that it cannot be reproduced. If you need to clone the same environment into test, staging and production, there is no way to guarantee that hundreds of mouse clicks all land without a single mistake.
To put an end to this inefficient, high-risk, workshop-style way of working, Infrastructure as Code (IaC) was born. In the Microsoft Azure ecosystem there are two dominant IaC tools: Microsoft's own Bicep (a modern declarative DSL) and the industry's long-standing standard, Terraform.
Their underlying logic is refreshingly direct: write code that "draws" your network topology.
You write one small text file that defines what you need, push it to the cloud with a single command, and Azure's orchestration engine builds it exactly as specified within about a minute, giving you a baseline network environment that meets large-enterprise standards.
Today we skip the conceptual padding and go straight into hands-on work. Using both Bicep and Terraform, we will walk through one standard set of code for each and, in 10 minutes, build an enterprise-grade foundation network in the cloud consisting of "1 VNet (virtual network), 2 independent subnets and 1 locked-down network security group".
Stage 1: Breaking down the standard network "three-dimensional model"
Before writing any code, you must understand the topology of the network we are about to deploy. A qualified enterprise-level Azure network foundation is never just a VNet; it must at least satisfy the following isolation architecture:
Virtual network chassis (Virtual Network, VNet): your own isolated address space on Azure, separated from the public internet. We give it a standard enterprise intranet range: 10.0.0.0/16.
Independent front-end and back-end subnets (Subnets): the VNet is divided into two subnets, each with its own role and isolated from the other:
Web front-end subnet (Subnet-Frontend): 10.0.1.0/24, reserved for public-facing web applications or load balancers.
DB back-end subnet (Subnet-Backend): 10.0.2.0/24, reserved for core databases and sensitive back-end services, with no direct inbound access from the internet.
Gatekeeper: Network Security Group (Network Security Group, NSG): a distributed firewall attached at the subnet boundary. Our rule set is strict: only 443 (HTTPS) and 80 (HTTP) traffic from the public internet is allowed into the front-end subnet; everything else is dropped. Azure's built-in default rules already deny inbound internet traffic that no explicit rule allows, so the templates below only need to spell out the Allow rules.
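The address plan itself can be checked by code before either template touches Azure. The following Terraform snippet is an added example and is not part of the article's templates: it derives both /24 subnet prefixes from the VNet prefix with cidrsubnet() and rejects a VNet prefix that is too small, so the opening story's /16-typed-as-/24 mistake fails at plan time instead of after deployment. The variable, local and output names are my own choices. No provider block or Azure login is needed, so `terraform init && terraform plan` runs entirely offline.

```hcl
# Added example (not from the original article): validate the address plan
# in code before touching Azure. No provider block is needed; this runs
# with a plain `terraform plan` and no cloud credentials.

variable "vnet_cidr" {
  description = "Address space of the VNet chassis; the two /24 subnets are derived from it."
  type        = string
  default     = "10.0.0.0/16"

  validation {
    # Must be a valid IPv4 CIDR. cidrnetmask() only accepts IPv4, so a bad
    # value (or an IPv6 prefix) makes can() return false.
    condition     = can(cidrnetmask(var.vnet_cidr))
    error_message = "vnet_cidr must be a valid IPv4 CIDR such as 10.0.0.0/16."
  }

  validation {
    # Subnet index 2 (Subnet-Backend) needs room for at least four /24s,
    # so the VNet must be /22 or larger. 10.0.0.0/24 (the typo from the
    # opening story) is rejected here, before anything is created.
    condition     = try(tonumber(split("/", var.vnet_cidr)[1]), 33) <= 22
    error_message = "vnet_cidr is too small: a /22 or larger is required to hold the /24 subnets."
  }
}

locals {
  vnet_prefix_len = tonumber(split("/", var.vnet_cidr)[1])
  # Extra bits needed to turn the VNet prefix into /24 subnets
  subnet_newbits = 24 - local.vnet_prefix_len

  # Subnet index 1 and 2 inside the VNet: for 10.0.0.0/16 this yields
  # 10.0.1.0/24 and 10.0.2.0/24, exactly the plan in the section above.
  subnet_prefixes = {
    "Subnet-Frontend" = cidrsubnet(var.vnet_cidr, local.subnet_newbits, 1)
    "Subnet-Backend"  = cidrsubnet(var.vnet_cidr, local.subnet_newbits, 2)
  }
}

output "subnet_prefixes" {
  description = "Derived subnet prefixes; feed these into address_prefixes (Terraform) or addressPrefix (Bicep)."
  value       = local.subnet_prefixes
}
```

With the default, `terraform plan` prints the two prefixes from the plan above; `terraform plan -var 'vnet_cidr=10.0.0.0/24'` stops with the "too small" error before any resource is planned. Bicep has an equivalent cidrSubnet() function, so the same derivation can be written in the Bicep template instead of typing the subnet prefixes by hand.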
Stage 2: School one, Microsoft's own Bicep, deployed at speed
If your team is a pure Microsoft shop, there is no third-party tooling to install: the Azure command-line tool (Azure CLI) understands Bicep natively. There is no state file (State File) to maintain, and the syntax is about as clean as it gets.
On your local machine, create a file named main.bicep and paste in the following production-ready template:
```bicep
// 1. Global parameters, so everything can be renamed in one place later
param location string = resourceGroup().location
param vnetName string = 'vnet-core-prod'
param nsgName string = 'nsg-web-firewall'

// 2. The gatekeeper: network security group
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-HTTPS-Inbound'
        properties: {
          priority: 100 // lowest number = evaluated first
          protocol: 'Tcp'
          access: 'Allow'
          direction: 'Inbound'
          sourceAddressPrefix: '*' // from anywhere
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443' // allow exactly port 443; the port-80 rule from the plan would be a second entry with its own priority
        }
      }
    ]
  }
}

// 3. The chassis: create the VNet, carve out two subnets, and attach the NSG to the front-end subnet in the same step
resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16' // core address space
      ]
    }
    subnets: [
      {
        name: 'Subnet-Frontend'
        properties: {
          addressPrefix: '10.0.1.0/24' // front-end tier
          networkSecurityGroup: {
            id: nsg.id // attach the NSG firewall to this subnet
          }
        }
      }
      {
        name: 'Subnet-Backend'
        properties: {
          addressPrefix: '10.0.2.0/24' // back-end database tier, intranet only
        }
      }
    ]
  }
}
```
One-button launch command (Bicep), 30 seconds
Open your terminal, log in to your Azure account (az login), and point at a resource group you have already created (for example rg-infra-prod). Then run this one short command:
```bash
az deployment group create --resource-group rg-infra-prod --template-file main.bicep
```
After you hit Enter, take your hands off the keyboard. You will see progress in the terminal, and after about 20 seconds the CLI returns a dense JSON success report.
If you refresh the Azure portal now, the VNet is sitting there, the two subnets and the NSG are bound to each other, and everything matches the plan in the code exactly.
Stage 3: School two, the industry veteran Terraform, an industrial-grade closed loop
If your company runs a multi-cloud architecture and, besides Azure, also has to look after AWS or Alibaba Cloud, then the industry-recognised platinum standard is still HashiCorp's Terraform.
On your local machine, create a new empty directory and, inside it, a file named main.tf.
Terraform uses the classic HCL syntax. It is a little more verbose, but its strong state-locking mechanism makes it rock-solid for large-team collaboration:
```hcl
# 1. Declare the provider: we use Microsoft Azure's official provider (azurerm)
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {} # must be declared explicitly, even if empty
}

# 2. Anchor: look up the existing resource group the network will live in
data "azurerm_resource_group" "core_rg" {
  name = "rg-infra-prod"
}

# 3. Cast the shield: create the locked-down network security group (NSG)
resource "azurerm_network_security_group" "web_nsg" {
  name                = "nsg-web-firewall"
  location            = data.azurerm_resource_group.core_rg.location
  resource_group_name = data.azurerm_resource_group.core_rg.name

  security_rule {
    name                       = "Allow-HTTPS-Inbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# 4. Open up the chassis: create the virtual network (VNet)
resource "azurerm_virtual_network" "core_vnet" {
  name                = "vnet-core-prod"
  location            = data.azurerm_resource_group.core_rg.location
  resource_group_name = data.azurerm_resource_group.core_rg.name
  address_space       = ["10.0.0.0/16"]
}

# 5. Precise segmentation: carve out the front-end subnet and bind the NSG to it
resource "azurerm_subnet" "sub_frontend" {
  name                 = "Subnet-Frontend"
  resource_group_name  = data.azurerm_resource_group.core_rg.name
  virtual_network_name = azurerm_virtual_network.core_vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_subnet_network_security_group_association" "bind_nsg" {
  subnet_id                 = azurerm_subnet.sub_frontend.id
  network_security_group_id = azurerm_network_security_group.web_nsg.id
}

# 6. Precise segmentation: carve out the intranet-only back-end subnet
resource "azurerm_subnet" "sub_backend" {
  name                 = "Subnet-Backend"
  resource_group_name  = data.azurerm_resource_group.core_rg.name
  virtual_network_name = azurerm_virtual_network.core_vnet.name
  address_prefixes     = ["10.0.2.0/24"]
}
```
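The web_nsg resource above opens only port 443, while the plan in stage 1 also allows port 80 and drops everything else. The following is an added example, not part of the article's main.tf: a hardened replacement for web_nsg that generates one Allow rule per permitted port from a map with a dynamic block, limits the source to the Internet service tag, keeps Azure Load Balancer health probes working, and ends with an explicit deny-all so that Azure's built-in AllowVnetInBound default no longer applies to this subnet. It reuses the article's data.azurerm_resource_group.core_rg; the local name web_ingress, the resource label and the NSG name are my own.

```hcl
# Added example (not from the original article): a hardened replacement for
# the "web_nsg" resource. To use it, point "bind_nsg" at
# azurerm_network_security_group.web_nsg_hardened.id and drop "web_nsg".

locals {
  # Ports the front-end subnet may receive from the public internet.
  # Azure evaluates rules from the lowest priority number upward and stops
  # at the first match, so each Allow gets its own slot below the Deny.
  web_ingress = {
    "Allow-HTTPS-Inbound" = { port = "443", priority = 100 }
    "Allow-HTTP-Inbound"  = { port = "80", priority = 110 }
  }
}

resource "azurerm_network_security_group" "web_nsg_hardened" {
  name                = "nsg-web-firewall-hardened"
  location            = data.azurerm_resource_group.core_rg.location
  resource_group_name = data.azurerm_resource_group.core_rg.name

  # One Allow rule per entry in local.web_ingress
  dynamic "security_rule" {
    for_each = local.web_ingress
    content {
      name                       = security_rule.key
      priority                   = security_rule.value.priority
      direction                  = "Inbound"
      access                     = "Allow"
      protocol                   = "Tcp"
      source_port_range          = "*"
      destination_port_range     = security_rule.value.port
      source_address_prefix      = "Internet" # service tag: public internet only
      destination_address_prefix = "*"
    }
  }

  # Keep Azure Load Balancer health probes working; the explicit deny below
  # would otherwise drop them too (the built-in AllowAzureLoadBalancerInBound
  # rule sits at 65001, after our deny).
  security_rule {
    name                       = "Allow-AzureLB-Probes"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "AzureLoadBalancer"
    destination_address_prefix = "*"
  }

  # Explicit catch-all deny at 4096, the lowest user priority. Azure's
  # built-in DenyAllInBound (65500) already blocks unmatched internet
  # traffic, but AllowVnetInBound (65000) would still admit anything from
  # inside the VNet; this rule closes that path as well.
  security_rule {
    name                       = "Deny-All-Inbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}
```

With this rule set, nothing that is not listed in web_ingress reaches the front-end subnet, from the internet or from inside the VNet. If a management subnet or the back-end tier legitimately needs to reach the front end, add an Allow rule with source_address_prefix set to that subnet's prefix at a priority below 4096; adding a port is a one-line change to the map rather than a new hand-written rule.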
One-key landing command (Terraform), the "three axes"
Open a terminal, change into the directory containing main.tf, and run the classic Terraform trio in order:
```bash
# First axe: initialise the working directory and download the latest official Azure provider
terraform init
# Second axe: dry run; Terraform lists what it will build, without spending anything
terraform plan
# Third axe: launch; build the real infrastructure in the cloud (-auto-approve skips the manual "yes" confirmation)
terraform apply -auto-approve
```
In less than 30 seconds the terminal lights up green with Apply complete! Resources: 4 added. The entire enterprise-grade isolated network environment now exists in Azure.
Stage 4: Hard-won lessons from industrial-grade infrastructure as code
With these two sets of code you are already ahead of every traditional network admin still clicking through the portal. But to survive in a real high-throughput DevOps pipeline, as chief architect you must immediately enforce two non-negotiable rules on the team:
1. The deadly "Terraform state file lost" tragedy (State Lock)
If you use Terraform, after terraform apply finishes, a file named terraform.tfstate quietly appears in the local directory.
Disaster risk: this file is Terraform's only memory of what the cloud network currently looks like. If another developer runs the same code on their own machine without your tfstate file, Terraform is blind: it assumes nothing exists in the cloud yet, and at the moment of apply it can overwrite or destroy the production network and virtual machines you already built.
Enterprise standard, the get-out-of-jail-free configuration: never keep tfstate on a local machine. Configure a backend "azurerm" block inside terraform { ... }, which stores the state file in an encrypted Azure Storage Account (blob) and enables state locking (State Locking). Then everyone running the code, anywhere in the world, reads and writes the same central state, and the "accidental overwrite and delete" tragedy is gone for good.
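The backend block the text calls for, as an added example rather than part of the article's main.tf. It replaces the plain terraform { ... } block at the top of that file; the resource group, storage account, container and key names are placeholders that must be created in advance.

```hcl
# Added example (not from the original article): remote state for the
# main.tf above. This block replaces the `terraform { ... }` block at the
# top of that file. All names are placeholders; the storage account and
# container must already exist before `terraform init` is run.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }

  backend "azurerm" {
    resource_group_name  = "rg-tfstate"           # placeholder: a separate RG just for state
    storage_account_name = "sttfstateplaceholder" # placeholder: must be globally unique
    container_name       = "tfstate"
    key                  = "network/prod.tfstate" # one key per environment (prod, staging, ...)
    use_azuread_auth     = true                   # authenticate with Entra ID RBAC, not the account key
  }
}
```

State locking needs no extra setting with this backend: Terraform takes a lease on the state blob for the duration of every plan and apply, so a second concurrent run fails fast instead of overwriting. Grant the deploying identity the Storage Blob Data Contributor role on the container, enable blob versioning or soft delete so a bad apply can be rolled back to a previous state, and, to move an existing local terraform.tfstate into the blob, run terraform init -migrate-state once and then delete the local copy.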
2. Beware of cross-region failures caused by hard-coding (Hardcode) in Bicep
When writing Bicep, many beginners save effort by writing location: 'eastasia' (Hong Kong) directly into the code.
Why it breaks: if one day the business suddenly expands to the United States and you need to clone the identical isolated network into eastus (US East), this line makes the deployment fail, because the resource group was clearly created in the United States while the code forces Microsoft to build the network in Hong Kong.
Avoidance guide: always capture the region dynamically through a parameter, exactly as the Bicep template above does: param location string = resourceGroup().location. The code asks which resource group it is being deployed into and inherits that group's region, so one template can be cloned anywhere in the world without changes.
Summary
The core of modern infrastructure-as-code (IaC) deployment with Bicep / Terraform boils down to four principles (sixteen characters in the original):
Topology in code, version control, central state storage, dynamic region.
You can leave behind the old operations routine of double-checking parameters every day, fearing a mistyped network segment, and clicking through the console hundreds of times late at night. The foundation of all your core digital assets is solidified into text that can be committed to GitHub. Sit at your computer, change one number, hit Enter, and leave the heavy lifting of hardening and scaling to the cloud-native era.

