Microsoft Cloud Server (VPS)Azure VM provisioning and network setup tutorial

As a novice who has just transferred from a major domestic factory (Aliyun, Tengxun Cloud) or a traditional physical computer room to Microsoft Azure, the first place that is most easily educated is Azure's

Network Architecture

.

Many people click the mouse to turn on the virtual machine (VM) according to their previous habits, only to find that either the public network cannot be connected anyway, or the intranet cannot be connected to each other. This is because Azure's design philosophy is "security off by default", and its network logic (VNet, NSG) is more rigorous and concrete than other cloud vendors.

Today, I will not move the official set of machines on Gao Dashang to turn over the documents. Let's use vernacular and pure practical logic to take you to open an Azure VM and get the network through completely.

Core Concept: Three Essential Pieces for Pit Avoidance

Before you do it, you have to build a picture in your mind. In Azure, a virtual machine does not exist in isolation, it must be wrapped in the following three network tiers:

VNet (virtual network/Virtual Network): The equivalent of an entire building you rent in the cloud.

Subnet: Different floors in the building (e. g. Finance, R & D). The VM must live on a specific floor.

NSG (Network Security Group/Network Security Group): equivalent to the security at the entrance of the floor. It is up to him to decide which IP can enter and which ports are open.

Having understood this, we will start the practical operation directly.

Phase 1: Create a virtual machine (VM)

Log in to the Azure Portal (console), and in the search bar, enter

Virtual machines

, click

Create -> Azure virtual machine

.

1. Basic configuration (Basics)

Project details (Project Details): Select your subscription (Subscription) and resource group (Resource group). The resource group is like a folder. Put all the things in this test together for one-click deletion.

Instance details (instance details):Virtual machine name: Any name, such as my-web-vm. Region (region): the nearest place for foreign trade or cross-border customers (such as East US), and East Asia (Hong Kong, China) for domestic tests. Image: Choose a system you are familiar with, such as Ubuntu Server 22.04 LTS or Windows Server 2022. Size (size): B1s or B2s (save money) is selected for personal test, and D series (standard balance type) is recommended for production environment.

2. Credentials and ports (easy to step on pits)

A

uthentication type: It is strongly recommended to select SSH public key (security). If it is Windows, select Password.

Public inbound ports:>⚠Avoid pit warning: here the system will ask you if you want to check "allow SSH (22)" or "RDP (3389)". Novices can check it first for the convenience of testing. But if it is a production environment, don't open it here, otherwise hackers all over the world will start sweeping your port in 1 second.

Phase 2: Core Network Setup (Networking)

Click at the bottom of the page

Next: Disks

, click again

Next: Networking

. Here is the highlight of the day.

[Internet (Your IP)]

│

(22/80 ports allowed)

----------------------------------------------------------------------------------

│ NSG (Network Security Group/Security) │

So----------------------------------------

│

▼

----------------------------------------------------------------------------------

│ VNet (virtual network) ─ ─ Subnet (subnet) │

│-► [Your Virtual Machine VM (my-web-vm) ] │

So----------------------------------------

1. Virtual networks and subnets

Virtual network: If you are using it for the first time, Azure will help you create a new one (such as my-web-vm-vnet) by default. It will automatically divide a large network segment similar to 10.0.0.0/16.

Subnet: A 10.0.0.0/24 subnet is cut by default. Just use the default directly.

Public IP(Public IP)

Public IP: Azure will help you create one by default. Please note that Azure's public IP is Static (static) by default, which means that if you shut down and start up, the IP will not change, which is more kind than other cloud vendors.

3. Configure the network security group (NSG)

In

NIC network security group

option, select

Basic

.

If you are in the first step (Basic

Ports 22 or 3389 are allowed in s), and Azure will automatically generate an inbound rule for you here.

After the configuration is completed, click directly

Review create

, wait 2-3 minutes, your virtual machine is born.

The third stage: get through the network! How to safely release traffic?

The machine is on and the public network IP is available. Suppose we installed an Nginx website in it, the default port is

Eighty

. Now you enter the public network IP in the browser, it is absolutely impossible to open. Because the "security guard" (NSG) stopped port 80.

We're going to modify the NSG rules.

Actual Operation Release Port 80 (Website Service):

In the left menu bar of the VM, find Settings -> Networking (or Network settings).

You should see a form that looks like a firewall, click Add on the right side to inbound port rule.

Fill in the following parameters: Source: Any (allow anyone access). Source port ranges: *. Destination (target): Any. Service: You can directly select HTTP in the drop-down menu, and it will automatically help you change the port to 80. Action: Allow. Priority (priority): Enter a number, such as 300 (the smaller the number, the higher the priority). Name: A name, such as Allow-HTTP-80.

Click Add. Wait 10 seconds for the rule to take effect. At this time, you can refresh your browser and the website will open in seconds!

Advanced Advanced: What would a real old bird do?

If you are ready to officially deploy your business on Azure, there are two things I suggest you get into the habit now:

1. Restrict the source IP of the management port

Never open ports 22(Linux) or 3389(Windows) to any.

Old Bird's Practice: In NSG rules, change the Source of SSH rules from Any to IP Addresses.

Then fill in the current public network static IP of your home or company in the Source IP addresses. In this way, except for you, no one in the world even has the chance to try to explode your password.

2. Intranet interoperability does not require a detour to the public network

If you have two VMs (such as a Web and a database) under the same VNet (virtual network).

The NSG of the database does not need to open a public network port.

When the Web server connects to the database, it directly connects to the intranet IP (

Like 10.0.0.X). Azure's VNet is all-in by default, and the traffic goes through Microsoft's backbone intranet, which is not only free, but also extremely fast and very safe.

Summary

The key to Azure networking is

Think of NSG as your bodyguard

. After the VM is turned on, don't be in a hurry to suspect that the system is broken. 99% of the reasons are that NSG is short of a released Rule.

Take this logic and try building your first Azure VM!