Setting Up a Secure Azure Network with Bastion Host and Virtual Machines Using Azure CLI
Introduction
In this tutorial, you'll learn how to create a secure Azure network environment using Azure CLI commands. This setup includes creating a virtual network with subnets, deploying an Azure Bastion host for secure access, and configuring virtual machines within the network. Bastion lets you connect to your virtual machines from the Azure portal over TLS without assigning them a public IP, which reduces the exposure of your resources.
Prerequisites
Azure CLI installed on your system
An active Azure subscription
Basic knowledge of networking concepts
Steps to Set Up Your Azure Network Environment
Step 1: Create an Azure Resource Group
Begin by creating a resource group, which serves as a container for managing your resources in Azure.
az group create --name siddhant-rg --location westus
Step 2: Create a Virtual Network and Subnet
Now, create a virtual network named siddhant-vnet-1 with a designated address range. This network will contain two subnets: one for the virtual machines (created here as siddhant-subnet-1) and one for the Bastion host (added in Step 3).
az network vnet create --name siddhant-vnet-1 --resource-group siddhant-rg --address-prefix 172.168.0.0/16 --subnet-name siddhant-subnet-1 --subnet-prefixes 172.168.0.0/24
Step 3: Deploy Azure Bastion
3.1: Create a Subnet for Azure Bastion
Azure Bastion requires a dedicated subnet named AzureBastionSubnet. Create this subnet with the specified address range.
az network vnet subnet create --name AzureBastionSubnet --resource-group siddhant-rg --vnet-name siddhant-vnet-1 --address-prefix 172.168.1.0/26
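The address plan from Step 2 and Step 3.1 is the part of this setup that az will accept silently even when it is wrong, so the following pre-flight check is worth running before any resources exist. It is an added example for this tutorial, not the tutorial's own code: a plain shell script with no az calls, using only POSIX arithmetic, that confirms each subnet lies inside the VNet, that the two subnets do not overlap, that AzureBastionSubnet is at least the /26 Azure Bastion requires, and that the VNet range is RFC 1918 private space. Run against the tutorial's own values it reports that 172.168.0.0/16 is not private address space (172.16.0.0/12 is), which is worth knowing before you build on it.

```bash
#!/usr/bin/env bash
# Pre-flight check for the address plan in Step 2 and Step 3.1.
# Added example for this tutorial, not Azure CLI code: it runs offline and
# makes no az calls; it only does the arithmetic Azure does not do for you.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  set -- $(IFS=.; echo $1)
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First address of a CIDR block, as an integer.
cidr_first() {
  prefix_len=${1#*/}
  mask=$(( (4294967295 << (32 - prefix_len)) & 4294967295 ))
  echo $(( $(ip_to_int "${1%/*}") & mask ))
}

# Last address of a CIDR block, as an integer.
cidr_last() {
  prefix_len=${1#*/}
  echo $(( $(cidr_first "$1") + (1 << (32 - prefix_len)) - 1 ))
}

# True when block $1 lies entirely inside block $2.
cidr_within() {
  [ "$(cidr_first "$1")" -ge "$(cidr_first "$2")" ] &&
  [ "$(cidr_last "$1")" -le "$(cidr_last "$2")" ]
}

# True when blocks $1 and $2 share at least one address.
cidr_overlap() {
  [ "$(cidr_first "$1")" -le "$(cidr_last "$2")" ] &&
  [ "$(cidr_first "$2")" -le "$(cidr_last "$1")" ]
}

# True when the block is RFC 1918 private address space.
is_rfc1918() {
  cidr_within "$1" 10.0.0.0/8 || cidr_within "$1" 172.16.0.0/12 || cidr_within "$1" 192.168.0.0/16
}

# check_plan VNET WORKLOAD_SUBNET BASTION_SUBNET
# Prints one line per finding; returns 0 only when the plan is clean.
check_plan() {
  vnet=$1; workload=$2; bastion=$3; rc=0
  if ! is_rfc1918 "$vnet"; then
    echo "FINDING: VNet $vnet is outside RFC 1918; those addresses belong to the public internet and become unreachable from inside the VNet"
    rc=1
  fi
  for s in "$workload" "$bastion"; do
    if ! cidr_within "$s" "$vnet"; then
      echo "FINDING: subnet $s is not inside VNet $vnet"; rc=1
    fi
  done
  if cidr_overlap "$workload" "$bastion"; then
    echo "FINDING: $workload and $bastion overlap"; rc=1
  fi
  if [ "${bastion#*/}" -gt 26 ]; then
    echo "FINDING: AzureBastionSubnet $bastion is smaller than the /26 Azure Bastion requires"; rc=1
  fi
  return $rc
}

# Run against the tutorial's own values from Step 2 and Step 3.1.
check_plan 172.168.0.0/16 172.168.0.0/24 172.168.1.0/26 || echo "Fix the plan before running az network vnet create."
```

The check deliberately treats a non-private VNet range as a finding rather than a warning: Azure will happily allocate it, but any host inside the VNet then loses the ability to reach the real owners of those addresses, and the overlap only surfaces later as an unexplained connectivity failure.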
3.2: Create a Public IP Address for Bastion
The Bastion host needs a public IP address so that the portal can reach it from the internet; Bastion requires the Standard SKU. The command below creates the IP without a --zone setting, so if you want redundancy across three availability zones, add --zone 1 2 3 in a region that supports availability zones.
az network public-ip create --resource-group siddhant-rg --name public-ip --sku Standard --location westus
3.3: Create the Bastion Host
Now, deploy the Bastion host to the dedicated subnet using the public IP created in the previous step.
az network bastion create --name bastion --public-ip-address public-ip --resource-group siddhant-rg --vnet-name siddhant-vnet-1 --location westus
Step 4: Create Virtual Machines in the Network
Create two virtual machines (siddhant-vm-1 and siddhant-vm-2) in siddhant-subnet-1 of siddhant-vnet-1. They get no public IP address (--public-ip-address ""), since they will be reached only through the Bastion host, and --nsg-rule NONE stops az vm create from adding its default rule that allows SSH from any source; the network security group's default rules still allow traffic from the Bastion subnet inside the virtual network. You will be prompted for the admin password.
az vm create --resource-group siddhant-rg --admin-username siddhant --authentication-type password --name siddhant-vm-1 --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts:latest --vnet-name siddhant-vnet-1 --subnet siddhant-subnet-1 --public-ip-address "" --nsg-rule NONE
az vm create --resource-group siddhant-rg --admin-username siddhant --authentication-type password --name siddhant-vm-2 --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts:latest --vnet-name siddhant-vnet-1 --subnet siddhant-subnet-1 --public-ip-address "" --nsg-rule NONE
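The point of Step 4 is that Bastion becomes the only way in, and that is worth verifying rather than assuming once the VMs exist. The script below is an added example for this tutorial, not part of it: two shell functions that audit the tab-separated (-o tsv) output of an az query for VM public IPs and of an az query for inbound NSG allow rules, flagging any VM that has a public IP and any allow rule whose source is the whole internet. The two az queries in the comments are my assumption about the command shapes to feed it; the script itself runs offline on constructed sample lines so it can be tried without a subscription.

```bash
#!/usr/bin/env bash
# Post-deployment exposure audit for Step 4. Added example for this tutorial,
# not part of it. The functions parse -o tsv output on stdin and run here on
# constructed sample lines so the script works offline.

# Lines for audit_public_ips come from (assumed query; run it against the
# resource group yourself):
#   az vm list-ip-addresses -g siddhant-rg \
#     --query "[].[virtualMachine.name, virtualMachine.network.publicIpAddresses[0].ipAddress]" -o tsv
# Each line is: <vm name> TAB <public ip, empty when none>.
# Returns 0 when no VM has a public IP, 1 otherwise, one line per finding.
audit_public_ips() {
  findings=0
  while IFS="$(printf '\t')" read -r name pip; do
    [ -z "$name" ] && continue
    if [ -n "$pip" ]; then
      echo "FINDING: $name has public IP $pip; it is reachable without going through Bastion"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Lines for audit_inbound_rules come from (assumed query):
#   az network nsg rule list -g siddhant-rg --nsg-name <nsg name> \
#     --query "[?direction=='Inbound' && access=='Allow'].[name, sourceAddressPrefix, destinationPortRange]" -o tsv
# Each line is: <rule name> TAB <source prefix> TAB <destination port range>.
# Flags any allow rule whose source is the whole internet.
audit_inbound_rules() {
  findings=0
  while IFS="$(printf '\t')" read -r rule src ports; do
    [ -z "$rule" ] && continue
    case "$src" in
      '*'|Internet|0.0.0.0/0)
        echo "FINDING: rule $rule allows inbound from $src to port(s) $ports; restrict it to the Bastion subnet or remove it"
        findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample (not real az output): siddhant-vm-2 was given a public IP by mistake.
printf 'siddhant-vm-1\t\nsiddhant-vm-2\t203.0.113.7\n' | audit_public_ips || echo "Public IP audit failed."
# Constructed sample: the rule az vm create adds for a Linux VM when --nsg-rule is left at its default.
printf 'default-allow-ssh\t*\t22\n' | audit_inbound_rules || echo "NSG audit failed."
```

Both functions return non-zero on any finding, so they can gate a deployment script with `|| exit 1`. The NSG audit only looks at the rules you created; the default AllowVnetInBound rule that Bastion relies on is not returned by that query and is not flagged.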
Step 5: Connect to a Virtual Machine
In the Azure portal, search for and select Virtual machines.
On the Virtual machines page, select siddhant-vm-1.
In the Overview information for siddhant-vm-1, select Connect.
On the Connect to virtual machine page, select the Bastion tab.
Select Use Bastion.
Enter the username and password created for the VM, then select Connect.
Step 6: Start Communication Between VMs
At the Bash prompt for siddhant-vm-1, enter: ping -c 4 siddhant-vm-2
You should see four echo replies from siddhant-vm-2, confirming that the two VMs can reach each other over the private network.
Close the Bastion connection to siddhant-vm-1 and repeat the connection steps for siddhant-vm-2.
At the Bash prompt for siddhant-vm-2, enter: ping -c 4 siddhant-vm-1
You should see a similar reply.
Step 7: Clean Up Resources
Once testing is complete, delete the resource group to avoid incurring costs:
az group delete --name siddhant-rg --yes --no-wait
Conclusion
By following this guide, you've set up a secure network environment in Azure with a Bastion host for managing virtual machines over TLS. Because the VMs have no public IP addresses, this approach minimizes their exposure to the public internet and improves the security of your cloud infrastructure.