Darkenstein.R

Configuring Azure VM’s security groups to allow web-access via your web browser.

In this guide, we will configure an Nginx Web-Server Virtual Machine to be accessible from the web.

A web server is a resource that stores and delivers component files (including HTML documents, images, and JavaScript files) for a website over HTTP.

To create a web server, you need to create a Linux VM and then install web server software on it. Here we’ll be using Nginx. Nginx offers a suite of products spanning Load Balancing, API Management, Security, and Monitoring to help you create reliable applications that can scale. Other web servers include Apache Tomcat, Node.js, and Lighttpd.

--
Configure VM and Nginx. (Default access enabled via Port 22)
To configure a Linux VM via Azure Cloud Shell, begin by running the following command;

az vm create \
--resource-group [resource group name] \
--name my-vm \
--image UbuntuLTS \
--admin-username azureuser \
--generate-ssh-keys

After a few moments, the VM will initialize.

--
Then install Nginx on the VM, by running the following command;

az vm extension set \
--resource-group [resource group name] \
--vm-name my-vm \
--name customScript \
--publisher Microsoft.Azure.Extensions \
--version 2.1 \
--settings '{"fileUris":["https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"]}' \
--protected-settings '{"commandToExecute": "./configure-nginx.sh"}'

In summary, this command uses the Custom Script extension to run a Bash script hosted on GitHub. This script does the following:
a. Downloads the latest package information.
b. Installs Nginx.
c. Initializes the home page to print a welcome message in your browser.

--
Access your Nginx server via Cloud shell and web-browser.
-Via CloudShell
In Azure Cloud Shell, run the following command. It assumes the IPADDRESS variable already holds the VM's public IP address.

echo $IPADDRESS

Paste and load the IP address in your browser.

//Error!


To find out the reason for the error, view the existing network security groups (NSGs) associated with the VM by running the following command:

az network nsg list \
--resource-group [resource group name] \
--query '[].name' \
--output tsv

Then, run the following command that lists the rules associated with the security group listed above.

az network nsg rule list \
--resource-group [resource group name] \
--nsg-name my-vmNSG \
--query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
--output table

//The output shows that only port 22 (SSH) allows inbound connections.


Create new network security rules that allow access through port 80 (HTTP)
//Here’s why there is an error. By default, when you create the VM for your Nginx web server, the server is only accessible via port 22 (SSH), which is meant for server administrators. To access the server from the web, you need to allow inbound traffic on port 80.

To do this, a new rule must be created.
To create a new rule, run the following command;

az network nsg rule create \
--resource-group [resource group name] \
--nsg-name my-vmNSG \
--name allow-http \
--protocol tcp \
--priority 100 \
--destination-port-range 80 \
--access Allow

//New rule created!

To verify this, run the command that lists the security group rules again:

az network nsg rule list \
--resource-group [resource group name] \
--nsg-name my-vmNSG \
--query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
--output table


Access your Nginx server via your web browser again.
To do this, go to your browser and enter your IP-Address as earlier.


In Discussion

After an Azure VM is created, you need to explicitly allow inbound access via port 80 (HTTP) so that the server can be accessed from the web. If this is not done, the server will only be accessible via SSH on port 22. The reason for these default settings is to prevent DDoS (Distributed Denial of Service) attacks on the web resource.
The security groups can also be modified using the Azure portal, Azure PowerShell, or through an Azure Resource Manager (ARM) template.
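
The rule listings in this guide show which ports are open but not who can reach them. The following is an added example (not part of the original post) that parses the JSON form of the same listing and reports inbound Allow rules that leave SSH or RDP reachable from any source. The sample rules, the function names and the management-port set are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `az network nsg rule list --output json`
# (illustrative values, not captured output; real output carries more fields).
SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "priority": 1000, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "*", "sourceAddressPrefixes": [], "destinationPortRange": "22"},
 {"name": "allow-http", "priority": 100, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "*", "sourceAddressPrefixes": [], "destinationPortRange": "80"},
 {"name": "admin-from-office", "priority": 200, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRanges": ["22", "3389"]},
 {"name": "lab-wide-open", "priority": 300, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefixes": ["Internet"], "destinationPortRange": "1024-4000"}
]""")

ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # sources that admit the whole public internet
MGMT_PORTS = {22, 3389}                      # SSH and RDP (assumed set for this example)

def _values(rule, single, plural):
    """Merge the singular and plural forms of a rule field into one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers(spec, port):
    """True if a port spec ("80", "8000-8100" or "*") includes the port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def exposed_management_rules(rules, ports=MGMT_PORTS):
    """Inbound Allow rules open to any source; ignores shadowing by Deny rules."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"].lower(), rule["access"].lower()) != ("inbound", "allow"):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s.lower() in ANY_SOURCE for s in sources):
            continue
        specs = _values(rule, "destinationPortRange", "destinationPortRanges")
        hit = sorted(p for p in ports if any(_covers(s, p) for s in specs))
        if hit:
            findings.append((rule["name"], hit))
    return findings

if __name__ == "__main__":
    for name, hit in exposed_management_rules(SAMPLE_RULES):
        print(f"{name}: ports {hit} reachable from any source")
```

To check a real NSG, save the output of the rule list command with `--output json` (and without `--query`) to a file and pass the parsed list to `exposed_management_rules`.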
