go/azure-trainers
# Interactive login. The token cache this creates (under ~/.azure by default)
# is what every later `az` command on this page authenticates with.
az login
In Azure, every object you create is called a "resource". A "resource group" is a logical, operational container of resources. It has no technical impact on the resources themselves, but it allows common role-based access control and cost attribution. An entire resource group can also be deleted at once.
# Resource group that scopes RBAC and cost for everything created below.
az group create --name myResourceGroup --location eastus
# Persist the group as the CLI default so later commands can omit --resource-group.
# NOTE: this is written to the CLI's config file and applies to every later
# `az` invocation for this user, not just this session — the default is
# switched again to myResourceGroup2 further down, so commands that still
# target myResourceGroup after that point must pass -g explicitly.
az configure --defaults group=myResourceGroup
Create your first virtual network. You can designate any address space you wish.
# First VNet: address space 10.0.0.0/16 with one subnet, subnet1 (the subnet
# prefix is left to the CLI default). Uses the default resource group set above.
az network vnet create --name virtualNetwork1 --address-prefixes 10.0.0.0/16 --subnet-name subnet1
# Append a second address space to the VNet, then read the list back.
az network vnet update -n virtualNetwork1 \
  --add addressSpace.addressPrefixes 10.1.0.0/16
az network vnet show -n virtualNetwork1 \
  --query 'addressSpace.addressPrefixes'
[
"10.0.0.0/16",
"10.1.0.0/16"
]
# Remove the address space at index 1 (the second entry, 10.1.0.0/16 as added
# above) and confirm only the original prefix remains.
az network vnet update -n virtualNetwork1 \
  --remove addressSpace.addressPrefixes 1
az network vnet show -n virtualNetwork1 \
  --query 'addressSpace.addressPrefixes'
[
"10.0.0.0/16",
]
Show existing subnets:
# Print the address prefix of every subnet in the VNet.
az network vnet subnet list --vnet-name virtualNetwork1 --query '[].addressPrefix'
Add a subnet:
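# Carve a /24 out of the first address space for the VMs.
az network vnet subnet create \
  --vnet-name virtualNetwork1 \
  -n subnet2 \
  --address-prefixes 10.0.1.0/24
# Resolve the subnet's resource id once for the `az vm create` calls below.
# Assign and export separately so a failed lookup is not masked by `export`
# succeeding (SC2155); the value must then be quoted wherever it is expanded.
SUBNET_ID=$(az network vnet subnet show --vnet-name virtualNetwork1 -n subnet2 --query id --output tsv)
export SUBNET_ID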
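# Two VMs in subnet2. With no --nsg / --public-ip-address arguments, `az vm
# create` allocates a public IP and a NIC-level NSG whose default rule admits
# SSH (22) from any source — which is what the ssh steps below rely on. For
# anything beyond a lab, prefer `--nsg-rule NONE` and/or `--public-ip-address ""`
# and reach the VM through a bastion or a peered network instead.
# --generate-ssh-keys reuses an existing ~/.ssh key pair when one is present.
# --no-wait returns before provisioning finishes; the ssh step assumes it has.
# NOTE: the UbuntuLTS image alias may be rejected by newer CLI releases —
# substitute a current Ubuntu image URN if so.
az vm create \
  --name myVm1 \
  --image UbuntuLTS \
  --generate-ssh-keys \
  --no-wait \
  --subnet "$SUBNET_ID"
az vm create \
  --name myVm2 \
  --image UbuntuLTS \
  --generate-ssh-keys \
  --no-wait \
  --subnet "$SUBNET_ID"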
A VM is given a public IP when it is created. By default that public IP is exposed to the internet for SSH. SSH keys are auto-generated and added to ~/.ssh on whatever client you are using to create the VM.
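# SSH to VM2 via its public IP. The JMESPath query is quoted because an
# unquoted `[0]` is a shell bracket glob, and the substitution is quoted to
# avoid word-splitting. This relies on the generated key in ~/.ssh and on the
# default NSG rule that allows port 22 from any source.
ssh "$(az vm list-ip-addresses --name myVm2 --query '[0].virtualMachine.network.publicIpAddresses[0].ipAddress' --output tsv)"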
Azure will automatically resolve the VM's name to its private IP address (within the same virtual network).
# Run on myVm2: the name myVm1 resolves to VM1's private IP inside the VNet.
ping myVm1 -c 4
# Second group in another region, with a 172.16.0.0/12 VNet and an explicit
# /16 subnet. The CLI default group is switched here, so later commands that
# target myResourceGroup must pass -g explicitly.
az group create -n myResourceGroup2 -l westus
az configure --defaults group=myResourceGroup2
az network vnet create -n myVirtualNetwork2 \
  --address-prefixes 172.16.0.0/12 \
  --subnet-name subnet1 --subnet-prefixes 172.16.0.0/16
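# Third VM, in the second VNet. As above, the defaults give it a public IP and
# an NSG that allows SSH from any source; `--nsg-rule NONE` /
# `--public-ip-address ""` would avoid that outside a lab. Both command
# substitutions are quoted (unquoted `[0]` is a shell glob).
az vm create \
  --name myVm3 \
  --image UbuntuLTS \
  --generate-ssh-keys \
  --no-wait \
  --subnet "$(az network vnet subnet show --vnet-name myVirtualNetwork2 -n subnet1 --query id --output tsv)"
ssh "$(az vm list-ip-addresses --name myVm3 --query '[0].virtualMachine.network.publicIpAddresses[0].ipAddress' --output tsv)"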
# Run on myVm3 (-w 1 = give up after one second). Expected to fail: myVm1 is
# in a different, not yet peered, VNet.
ping myVm1 -w 1
This will fail: the two virtual networks are not yet peered.
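# Peer the two VNets. Peering must be created from both sides; each side is
# configured with -g explicitly because the CLI default group is now
# myResourceGroup2. --allow-vnet-access only permits VM-to-VM traffic
# between the two address spaces (no forwarded traffic, no gateway transit),
# and peering is not transitive. Substitutions are quoted against
# word-splitting. Note that the reachability test later uses VM1's private
# IP rather than its name.
az network vnet peering create \
  --name VnetPeering \
  --resource-group myResourceGroup \
  --remote-vnet "$(az network vnet show --name myVirtualNetwork2 -g myResourceGroup2 --query id --output tsv)" \
  --vnet-name virtualNetwork1 \
  --allow-vnet-access \
  --verbose
az network vnet peering create \
  --name VnetPeering \
  --resource-group myResourceGroup2 \
  --vnet-name myVirtualNetwork2 \
  --remote-vnet "$(az network vnet show --name virtualNetwork1 -g myResourceGroup --query id --output tsv)" \
  --allow-vnet-access \
  --verbose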
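# Capture the four addresses used by the reachability tests. Assign and export
# separately so a failed `az` call is not masked (SC2155); the JMESPath
# queries are quoted because unquoted `[0]` is a shell glob. VM1 lives in
# myResourceGroup, which is no longer the CLI default, hence the explicit -g.
vm3PublicIp=$(az vm list-ip-addresses --name myVm3 --query '[0].virtualMachine.network.publicIpAddresses[0].ipAddress' --output tsv)
vm3PrivateIp=$(az vm list-ip-addresses --name myVm3 --query '[0].virtualMachine.network.privateIpAddresses[0]' --output tsv)
vm1PublicIp=$(az vm list-ip-addresses --name myVm1 -g myResourceGroup --query '[0].virtualMachine.network.publicIpAddresses[0].ipAddress' --output tsv)
vm1PrivateIp=$(az vm list-ip-addresses --name myVm1 -g myResourceGroup --query '[0].virtualMachine.network.privateIpAddresses[0]' --output tsv)
export vm3PublicIp vm3PrivateIp vm1PublicIp vm1PrivateIp
# Ping VM1 across the peering from VM3. $vm1PrivateIp is expanded locally
# into the remote command line, so only a value obtained from `az` (as here)
# should ever be substituted into it.
ssh "$vm3PublicIp" "ping -c 4 $vm1PrivateIp"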
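# Create the NSG. A new NSG carries only the built-in default rules, which
# allow VNet-to-VNet traffic (including peered VNets via the VirtualNetwork
# tag) and deny everything else inbound.
az network nsg create --name vnet1subnet2nsg -g myResourceGroup -l eastus
# Attach the NSG to subnet2 of VNet1. A subnet-level NSG applies to every NIC
# in the subnet, i.e. to both myVm1 and myVm2.
az network vnet subnet update -g myResourceGroup -n subnet2 --vnet-name virtualNetwork1 \
  --network-security-group vnet1subnet2nsg
# Test your connection — still expected to succeed, since only default rules exist.
ssh "$vm3PublicIp" "ping -c 4 $vm1PrivateIp"
# Deny inbound ICMP from VM3's private IP to VM1's private IP. Direction
# defaults to Inbound; priority 1000 is evaluated before the default allow
# rules (priority 65000 and up). The rule is keyed to specific addresses, so
# it silently stops matching if either VM is re-created with a new private IP.
az network nsg rule create -g myResourceGroup --nsg-name vnet1subnet2nsg \
  --source-address-prefixes "$vm3PrivateIp" --source-port-ranges '*' \
  --destination-address-prefixes "$vm1PrivateIp" --destination-port-ranges '*' \
  --access Deny \
  --protocol ICMP \
  --priority 1000 \
  --name "block-icmp-vm3-to-vm1" \
  --description "Block ICMP Ping from VM3 to VM1"
# Test your connection — now expected to time out (-W 1 = one-second reply wait).
ssh "$vm3PublicIp" "ping -W 1 -c 4 $vm1PrivateIp"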
By default your VM has unrestricted outbound access to the internet. You may not want this, but it's great for webscraping!
# Baseline outbound fetch, run from VM3 (-S prints the response headers to
# stderr, merged into stdout by 2>&1). NOTE: this "before" sample is taken
# from VM3, while the outbound deny rule below is applied to VM1 and the
# "after" test is run from VM1 — the before/after comparison is not against
# the same VM.
ssh $vm3PublicIp "wget -q -S -O - 2>&1 http://www.google.com"
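# Deny outbound TCP from VM1 to the `Internet` service tag. Priority 1010 is
# evaluated before the default AllowInternetOutBound rule. Scope caveat: this
# is TCP only, so UDP (e.g. DNS on 53) and ICMP egress are still permitted;
# use `--protocol '*'` to block all of them. Variables are quoted.
az network nsg rule create -g myResourceGroup --nsg-name vnet1subnet2nsg \
  --source-address-prefixes "$vm1PrivateIp" --source-port-ranges '*' \
  --destination-address-prefixes 'Internet' --destination-port-ranges '*' \
  --access Deny \
  --direction Outbound \
  --protocol TCP \
  --priority 1010 \
  --name "block-internet-from-vm1" \
  --description "Block Internet from VM1"
# Now run your web scraper again, from VM1 this time — expected to time out.
ssh "$vm1PublicIp" "wget --timeout=5 http://www.google.com"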
To test the load balancer, we will deploy two virtual machines (VMs) running Ubuntu server and load balance a web app between the two VMs
# Load balancer: a public frontend IP, a backend pool, a tcp/80 health probe
# and a rule mapping frontend port 80 to backend port 80.
az network public-ip create -g myResourceGroup -n myPublicIP
az network lb create -g myResourceGroup -n myLoadBalancer \
  --frontend-ip-name myFrontEndPool --backend-pool-name myBackEndPool \
  --public-ip-address myPublicIP
az network lb probe create -g myResourceGroup --lb-name myLoadBalancer \
  -n myHealthProbe --protocol tcp --port 80
az network lb rule create -g myResourceGroup --lb-name myLoadBalancer \
  -n myLoadBalancerRule --protocol tcp --frontend-port 80 --backend-port 80 \
  --frontend-ip-name myFrontEndPool --backend-pool-name myBackEndPool \
  --probe-name myHealthProbe
# Admit port 80 through the subnet NSG. No source, direction or access is
# given, so this is an Inbound Allow from any source ('*'); priority 100 puts
# it ahead of the two Deny rules created earlier. When the service is not
# meant to be public, narrow --source-address-prefixes to the intended client
# ranges (plus the AzureLoadBalancer tag for the probe).
az network nsg rule create -g myResourceGroup --nsg-name vnet1subnet2nsg \
  -n myNetworkSecurityGroupLBRule --priority 100 --protocol tcp \
  --destination-port-range 80
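# One NIC per backend VM, placed in subnet2 with the subnet NSG and added to
# the LB backend pool. A literal list replaces the backtick `seq` substitution
# and the expansion is quoted.
for i in 1 2; do
  az network nic create \
    --resource-group myResourceGroup \
    --name "myNic$i" \
    --vnet-name virtualNetwork1 \
    --subnet subnet2 \
    --network-security-group vnet1subnet2nsg \
    --lb-name myLoadBalancer \
    --lb-address-pools myBackEndPool
done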
# Create cloud-init.txt in the current directory with the contents that follow;
# `az vm create --custom-data cloud-init.txt` below reads it from there.
vi cloud-init.txt
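#cloud-config
# Installs nginx as a reverse proxy (port 80) in front of a Node/Express app
# listening on port 3000, and writes both the nginx site and the app source.
package_upgrade: true
packages:
  - nginx
  - nodejs
  - npm
write_files:
  # Each write_files item needs its own `path`. The original listing had
  # `owner` and `path` as separate list items, so the `owner` entries were
  # items without a path and the ownership was not applied to the files.
  - owner: www-data:www-data
    path: /etc/nginx/sites-available/default
    content: |
      server {
        listen 80;
        location / {
          proxy_pass http://localhost:3000;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection keep-alive;
          proxy_set_header Host $host;
          proxy_cache_bypass $http_upgrade;
        }
      }
  - owner: azureuser:azureuser
    path: /home/azureuser/myapp/index.js
    content: |
      var express = require('express')
      var app = express()
      var os = require('os');
      app.get('/', function (req, res) {
        res.send('Hello World from host ' + os.hostname() + '!')
      })
      app.listen(3000, function () {
        console.log('Hello world app listening on port 3000!')
      })
runcmd:
  - service nginx restart
  - cd "/home/azureuser/myapp"
  - npm init
  - npm install express -y
  # NOTE(review): runs the app in the foreground as root under runcmd; it
  # presumably keeps the runcmd stage open for as long as it serves — confirm.
  # A systemd unit running as azureuser would be the durable choice.
  - nodejs index.js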
# Availability set so the two backend VMs are spread across fault/update domains.
az vm availability-set create -g myResourceGroup -n myAvailabilitySet
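# Two backend VMs, each bound to its pre-created NIC and configured by
# cloud-init.txt from the current directory. Because --nics is given, the CLI
# does not allocate a public IP for these VMs; they are reached only through
# the load balancer frontend. Literal list instead of backtick `seq`; expansions
# quoted.
for i in 1 2; do
  az vm create \
    --resource-group myResourceGroup \
    --name "myLBVM$i" \
    --availability-set myAvailabilitySet \
    --nics "myNic$i" \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys \
    --custom-data cloud-init.txt
done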
Enter the public IP address (shown by the command below) into a web browser and refresh to see the load being balanced between the 2 VMs.
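# Frontend address of the load balancer. The query is quoted because an
# unquoted `[ipAddress]` is a shell bracket glob.
az network public-ip show \
  --resource-group myResourceGroup \
  --name myPublicIP \
  --query '[ipAddress]' \
  --output tsv
# Stop one backend; the tcp/80 health probe should take it out of rotation so
# every refresh lands on the other VM. Then bring it back.
az vm stop --resource-group myResourceGroup --name myLBVM1
az vm start --resource-group myResourceGroup --name myLBVM1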
See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for service tags, which can be used to allow/deny traffic from the Internet.
# Companion script (not on this page): service-endpoint walkthrough for a MySQL DB.
./azure-service-endpoint-mysqldb.sh
Create a storage account; create a private IP address; configure the storage account resource firewall.
# Companion script (not on this page): private-endpoint walkthrough for a MySQL DB.
./azure-private-endpoint-mysqldb.sh
NOTE: a service endpoint remains a publicly routable IP, while a private endpoint is a private IP in the address space of the VNet.
# Companion script (not on this page): route table (UDR) walkthrough.
./azure-route-table-cli.sh
# Tear down both groups. -y skips the confirmation prompt; this deletes every
# resource in each group (VMs, NICs, NSGs, peerings, LB, public IPs) at once.
az group delete -n myResourceGroup -y
az group delete -n myResourceGroup2 -y
Other stuff: