Step 1 - Logging In
Run this command to log in to the Azure account (the lab supplies the credentials in the $username and $password variables; note that the -u/-p form only works for accounts without MFA):
az login -u $username -p $password
After you log in, you should get a block of JSON describing the subscription and tenant you signed in to.
You can view the Azure account username with this command:
echo $username
You can view the Azure account password with this command:
echo $password
Step 2 - Getting Set Up
While we could build our own firewall on a custom virtual machine, it is usually a better bet to use the managed Azure Firewall service Microsoft provides. As a platform-as-a-service (PaaS) offering it is highly available and scales with traffic, and there is no VM for us to patch. It comes in Standard and Premium tiers; Premium adds capabilities such as TLS inspection, IDPS, URL filtering and web categories, so more categories of threats can be caught. In this lab we will use the Standard tier, which filters traffic at layers 3 through 7 with network rules and application rules, and you can read more about the Standard and Premium tiers here.
In this lab, we will deploy a firewall and configure it so that the workload VM can reach github.com outbound while everything else is denied. Note this lab assumes you have some comfort with creating virtual networks and user-defined routes.
The steps will entail:
Creating a virtual network and subnets
Creating a jump VM and a workload VM, each in its own subnet
Declaring and configuring a firewall
Routing the workload subnet's outbound traffic through the firewall with a user-defined route
Adding firewall rules that allow the workload to reach github.com
First we need a resource group. O'Reilly provides one with a name saved to the variable $resource, which was created with this command:
az group create --name $resource --location eastus
Let's also install the Azure Firewall extension for the Azure CLI, which provides the az network firewall commands we will use later:
az extension add --name azure-firewall
Next let's create a virtual network with the az network vnet create command. This will also create the firewall's subnet. The name AzureFirewallSubnet is mandatory, and Azure requires that subnet to be at least a /26; here we give the VNet a 10.0.0.0/16 address space and carve the firewall subnet out of it:
az network vnet create \
--name lesson28VN \
--subnet-name AzureFirewallSubnet \
--address-prefix 10.0.0.0/16 \
--subnet-prefix 10.0.1.0/26 \
--location eastus \
--resource-group $resource
And then let's create the subnets for the workload and jump virtual machines, giving us a total of three subnets (including the AzureFirewallSubnet created with the virtual network):
az network vnet subnet create \
--name workloadSubnet \
--vnet-name lesson28VN \
--address-prefix 10.0.2.0/24 \
--resource-group $resource
az network vnet subnet create \
--name jumpSubnet \
--vnet-name lesson28VN \
--address-prefix 10.0.3.0/24 \
--resource-group $resource
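Address-plan mistakes (a firewall subnet smaller than /26, a subnet outside the VNet range, or two subnets that overlap) are only reported by Azure after the create call fails. The following script is an added example, not part of the O'Reilly lab, that checks those three conditions offline in plain POSIX sh before any az command is run. The VNet and subnet prefixes in the usage line are the ones from this lab; the function names and the stricter-than-Azure assumption that every subnet must sit inside the VNet you pass in are ours.

```shell
#!/bin/sh
# Added example (not from the lab): validate an Azure VNet address plan
# before running az network vnet/subnet create. No az CLI required.

# Convert a dotted IPv4 address to a 32-bit integer.
ip_to_int() {
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "<network-as-int> <prefix-length>" for a CIDR such as 10.0.1.0/26.
cidr_parse() {
    _ip=${1%/*}; _len=${1#*/}
    _n=$(ip_to_int "$_ip")
    _mask=$(( (1 << 32) - (1 << (32 - _len)) ))
    echo "$(( _n & _mask )) $_len"
}

# cidr_contains OUTER INNER: succeeds if INNER lies entirely inside OUTER.
cidr_contains() {
    set -- $(cidr_parse "$1") $(cidr_parse "$2")
    # $1 outer net, $2 outer len, $3 inner net, $4 inner len
    [ "$4" -ge "$2" ] || return 1
    _outer_mask=$(( (1 << 32) - (1 << (32 - $2)) ))
    [ $(( $3 & _outer_mask )) -eq "$1" ]
}

# cidr_overlap A B: succeeds if the two ranges share at least one address.
cidr_overlap() {
    cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}

# Azure requires AzureFirewallSubnet to be a /26 or larger (smaller prefix length).
firewall_subnet_ok() {
    [ "${1#*/}" -le 26 ]
}

# validate_plan VNET FIREWALL_SUBNET OTHER_SUBNET...: returns 0 if the plan is
# consistent, otherwise prints each problem and returns 1. Assumption of this
# example: every subnet must fall inside the single VNet range given.
validate_plan() {
    _vnet=$1; shift
    _rc=0
    firewall_subnet_ok "$1" || { echo "AzureFirewallSubnet $1 is smaller than /26"; _rc=1; }
    for _s in "$@"; do
        cidr_contains "$_vnet" "$_s" || { echo "subnet $_s is outside VNet $_vnet"; _rc=1; }
    done
    # Pairwise overlap check over every subnet.
    _i=1
    for _a in "$@"; do
        _j=1
        for _b in "$@"; do
            if [ "$_j" -gt "$_i" ] && cidr_overlap "$_a" "$_b"; then
                echo "subnets $_a and $_b overlap"; _rc=1
            fi
            _j=$((_j + 1))
        done
        _i=$((_i + 1))
    done
    return $_rc
}

# Usage with this lab's plan: VNet 10.0.0.0/16, firewall /26, workload and jump /24s.
validate_plan 10.0.0.0/16 10.0.1.0/26 10.0.2.0/24 10.0.3.0/24 && echo "address plan OK"
```

Run it with sh before the az network commands; a non-zero exit means the plan needs fixing. Because validate_plan checks the firewall subnet's prefix length rather than the subnet name, remember that the name itself must still be exactly AzureFirewallSubnet for Azure to accept it.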
Step 3 - Configuring the VMs
Let's create the two virtual machines, one for the jump host and the other for the workload, and put them in the subnets we just created. We are going to make their admin username azureuser. If your version of the Azure CLI no longer accepts the UbuntuLTS image alias, substitute a current alias such as Ubuntu2204. First let's create the jump VM:
az vm create \
--name jumpVM \
--image UbuntuLTS \
--location eastus \
--resource-group $resource \
--vnet-name lesson28VN \
--subnet jumpSubnet \
--admin-username azureuser \
--generate-ssh-keys
Let's also open port 22 so we can SSH into the jump VM. Note that az vm open-port adds a network security group rule that allows port 22 from any source address; outside a lab you would restrict the rule to your own address with az network nsg rule create --source-address-prefixes:
az vm open-port \
--name jumpVM \
--port 22 \
--resource-group $resource
Let's then create a static public IP and a network interface (NIC) for the workload VM we are about to create. A Standard SKU public IP denies all inbound traffic until a network security group explicitly allows it, which is what we want for this VM.
az network public-ip create \
--name workPublicIp \
--allocation-method Static \
--resource-group $resource \
--sku Standard
az network nic create \
--name workNIC \
--vnet-name lesson28VN \
--subnet workloadSubnet \
--public-ip-address workPublicIp \
--resource-group $resource
Next, create the workload VM, attaching the NIC we just created (--generate-ssh-keys reuses the key pair in ~/.ssh if one already exists, otherwise it creates one):
az vm create \
--name workVM \
--image UbuntuLTS \
--location eastus \
--nics workNIC \
--resource-group $resource \
--admin-username azureuser \
--generate-ssh-keys