DEV Community: okunola babatunde

Arm Your Workstation: The Holy Trinity of DevOps Tools

okunola babatunde — Mon, 08 Jun 2026 11:47:57 +0000

Introduction:
When you’re setting up your development environment, it can feel a little like gearing up for battle. Every superhero has their gadget belt, and as developers, ours comes in the form of tools that make us faster, stronger, and more resilient. Three of the most essential gadgets you’ll want to strap on are Git, Curl, and Docker. Together, they give you control over your code history, the ability to talk to any server or API, and the power to run applications in neat, portable containers. Think of them as your starter pack for tackling real‑world DevOps challenges.

Implementation Guide

Upgrade Local Arsenal

Instruction Summary
Refreshes your computer's package list and upgrades installed software to their latest, shiniest versions.

Why It's Needed
A fully patched system keeps the gremlins away and prevents annoying errors when installing new tools.

Pillar Connection
Operational Excellence — Keeping your digital house clean and ready for action.

2. Install Git, Curl, and Docker
Instruction Summary
Installs Git (your code time-machine), Curl (for downloading stuff), and Docker (for running apps in isolated boxes).

Why It's Needed:
These three tools are the absolute foundation of modern tech. You'll use them every single day!
Pillar Connection:
Operational Excellence — Equipping yourself with industry-standard tools.

To install Git, run this Command "winget install -e --id Git.Git"

To install Docker, use this command "winget install -e --id Docker.Dockerdesktop"

To install curl, apply this command "winget install - e --id CURL.CURL"

To verify the installation of Git, run this command "git --version"

To verify the installation of docker, run this command "docker --version"
To verify the version of Curl *installed, run this command *"curl --version"

3. Introduce Yourself to Git
Instruction Summary:
Tells Git who you are so it can snap your name on every awesome piece of code you write.
Why It's Needed:
Since we just installed Git, it needs to know who's driving! Without this, you can't save (commit) your work.
Pillar Connection:
Security & Auditing — Knowing exactly who made what change. Your identity is needed to show and recognized by git, for the proper snapping of the code you are working it through any text editor. Do follow the underlisted procedure to walk you through;
a. Sets Git configuration (user name,)

To configure your username, run this command "git config --global user.name 'Okunola Babatunde'"
Sets Git configuration (email). To configure user email address, run this command "git config --global user.email 'your e-mail address'"
To verify the existence of user name and user email address have been created, run this command "git config --list"

4. Create a GitHub Repository
Instruction Summary: Creates a remote home for your code on GitHub — think of it as your project's cloud backup and portfolio piece.
Why It's Needed: In real DevOps, code lives in a remote repository so the whole team can collaborate, CI/CD pipelines can trigger, and nothing is lost if your laptop catches fire!

Pillar Connection: Collaboration & Sharing — Every professional project needs a central remote repository.

1. Go to https://github.com and sign in (or create an account if you don't have one). I have already created an account.

2. Click the '+' icon in the top-right corner → 'New repository'

3. Name it: devops-lab

4. Leave it PUBLIC, do NOT add a README (we'll push our own code)

5. Click 'Create repository'

6. Copy the HTTPS URL — it will look like: https://github.com/BAOKONCEPTS/devops-lab.git

Summarily, setting up a development environment is more than just installing software — it’s about equipping yourself with the right tools to thrive. Git, Curl, and Docker act like a developer’s starter kit, each serving a distinct but complementary role. Git keeps track of your code’s history and evolution, Curl lets you communicate directly with servers and APIs, and Docker provides a portable way to run applications consistently across environments. Together, they form the backbone of modern DevOps practices, giving developers confidence and agility in tackling real-world challenges.

In conclusion, think of Git, Curl, and Docker not just as technical utilities, but as companions on your coding journey. They empower you to collaborate without fear of losing progress, to experiment with APIs like a curious explorer, and to deploy applications with the ease of carrying them in your pocket. In a world where development can feel overwhelming, these tools remind us that resilience comes from preparation. Mastering them isn’t just about writing better code — it’s about becoming a developer who can adapt, communicate, and build with confidence.

Create DNS zones and configure DNS settings

okunola babatunde — Thu, 28 May 2026 20:28:23 +0000

Introduction:
Managing communication between workloads becomes much easier when services can connect using domain names instead of complex IP addresses. In this scenario, the organization wants to simplify internal name resolution within its Azure environment without deploying and maintaining a custom DNS infrastructure.

To achieve this, a private DNS zone for contoso.com is created and linked to the application virtual network (app-vnet). This allows resources within the virtual network to automatically resolve internal domain names securely and efficiently. DNS records are also configured for the backend subnet to support seamless communication between workloads and services.

This setup demonstrates how Azure Private DNS can provide a simple, scalable, and cloud-native solution for internal name resolution across Azure virtual networks.

Scenario
Your organization requires workloads to use domain names instead of IP addresses for internal communications. The organization doesn’t want to add a custom DNS solution. You identify these requirements.

A private DNS zone is required for contoso.com.
The DNS will use a virtual network link to app-vnet.
A new DNS record is required for the backend subnet.

Skilling tasks

Create and configure a private DNS zone.
Create and configure DNS records.
Configure DNS settings on a virtual network.

In this lab, I’ve shared a practical and easy-to-follow walkthrough for creating and configuring Azure Private DNS resources. The guide is structured to simplify the deployment process while helping you better understand how private DNS zones, virtual network links, and DNS records work together to support secure and reliable internal communication within Azure environments.

Exercise instructions
Note: This exercise requires the Lab 01 virtual networks and subnets to be installed. A template is provided if you need to deploy those resources.

Create a private DNS zone
Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. By using private DNS zones, you can use your own custom domain names rather than the Azure-provided names.

On the Azure portal, search for and select Private dns zones.
Select + Create and configure the DNS zone.

Property Value
Subscription Select your subscription
Resource group RG1
Name private.contoso.com
Region East US

Select Review + create and then select Create.
Wait for the DNS zone to deploy, and then select Go to resource.

Create a virtual network link to your private DNS zone
To resolve DNS records in a private DNS zone, resources must be linked to the private zone. A virtual network link associates the virtual network to the private zone.

In the portal, continue working on the private.contoso.com DNS zone.
In the DNS Management blade, select + Virtual network links.
Select + Add” and configure the virtual network link.

Property Value
Link name app-vnet-link
Virtual network app-vnet
Enable auto registration Enabled

Select Create and wait for the deployment to finish. If necessary, Refresh the page.

Create a DNS record set
DNS records provide information about the DNS zone.

In the portal, continue working on the private.contoso.com DNS zone.
In the DNS Management blade, select + Recordsets.
Notice that two A records have automatically been created for each of the virtual machines.
Select + Add and configure a record set. When finished select Add.

Property Value
Name backend
Type A
TTL 1
IP address 10.1.1.5

Note: This record set implies there is a virtual machine in app-vnet with a private IP address of 10.1.1.5.

Summary:
This exercise focuses on configuring Azure Private DNS to enable internal domain name resolution within an Azure virtual network environment. A private DNS zone is created for contoso.com and linked to app-vnet using a virtual network link, allowing resources in the network to communicate using domain names instead of IP addresses.

Additional DNS records are configured for the backend subnet to support workload connectivity and service discovery. By using Azure’s built-in DNS capabilities, the organization avoids the complexity of deploying and managing custom DNS servers while maintaining reliable and secure internal communication.

Conclusion:
Implementing Azure Private DNS offers a simple and effective way to manage internal name resolution for cloud-based workloads. By linking the private DNS zone to the virtual network and configuring DNS records for backend resources, services can communicate more seamlessly using easy-to-remember domain names instead of complex IP addresses.

This approach not only simplifies network management but also improves scalability and reduces the operational effort required to maintain custom DNS solutions. Overall, Azure Private DNS helps create a more organized, reliable, and user-friendly cloud environment for both administrators and applications.

Key takeaways:

Azure Private DNS allows workloads within a virtual network to communicate using domain names instead of IP addresses.
Private DNS zones simplify internal name resolution without requiring custom DNS servers.
Virtual network links enable DNS zones to be securely associated with Azure virtual networks.
DNS records help map domain names to backend resources for easier workload communication and service discovery.
Using Azure-native DNS services improves scalability, simplifies administration, and supports secure internal networking.

Configure network routing

okunola babatunde — Thu, 28 May 2026 19:21:33 +0000

Introduction:
In a secure cloud environment, controlling how traffic flows between resources is just as important as protecting the resources themselves. To ensure Azure Firewall policies are consistently enforced, outbound traffic from application subnets must be routed through the firewall before reaching external destinations.

In this scenario, a route table is created and associated with both the frontend and backend subnets to centralize traffic management. A custom route is then configured to direct all outbound internet traffic to the Azure Firewall using its private IP address. This approach ensures that all traffic is inspected, filtered, and monitored based on the organization’s security policies before leaving the virtual network.

Scenario
To ensure the firewall policies are enforced, outbound application traffic must be routed through the firewall. You identify these requirements.

A route table is required. This route table will be associated with the frontend and backend subnets.
A route is required to filter all outbound IP traffic from the subnets to the firewall. The firewall’s private IP address will be used.

Skilling tasks

Create and configure a route table.
Link a route table to a subnet.

In this guide, I’ve provided a detailed step-by-step walkthrough that covers the complete process of configuring network routing in Azure from start to finish. The template is designed to simplify the deployment process and help you understand how traffic can be securely routed through Azure Firewall using route tables and custom routes.

Exercise instructions
Create a route table
Azure automatically creates a route table for each subnet within an Azure virtual network. The route table includes the default system routes. You can create route tables and routes to override Azure’s default system routes.

Record the private IP address of app-vnet-firewall

In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.
Select app-vnet-firewall.
Select Overview and record the Private IP address.

Add the route table

In the search box, enter Route tables. When Route table appears in the search results, select it.
In the Route table page, select + Create and create the route table.

Property Value
Subscription Select your subscription
Resource group RG1
Region East US
Name app-vnet-firewall-rt

Select Review + create and then select Create.
Wait for the route table to deploy, then select Go to resource.

Associate the route table to the subnets

In the portal, continue working with the route table, select app-vnet-firewall-rt.
In the Settings blade, select Subnets and then + Associate.
Configure an association to the frontend subnet, then select OK. Property Value Virtual network app-vnet (RG1) Subnet frontend
Configure an association to the backend subnet, then select OK. Property Value Virtual network app-vnet (RG1) Subnet backend

Create a route in the route table

In the portal, continue working with the route table, select app-vnet-firewall-rt.
In the Settings blade, select Routes and then + Add.
Configure the route, then select Add.

Property Value
Route name outbound-firewall
Destination type IP addresses
Destination IP addresses/CIDR range 0.0.0.0/0
Next hop type Virtual appliance
Next hop address private IP address of the firewall

Summary:
This configuration focuses on implementing secure network routing within an Azure virtual network environment. By creating and associating a route table with the frontend and backend subnets, outbound traffic can be centrally controlled and redirected through Azure Firewall.

The custom route uses the firewall’s private IP address as the next hop, ensuring all outbound traffic is inspected against configured firewall policies. This setup improves visibility, strengthens security enforcement, and helps maintain consistent traffic filtering across the environment.

Conclusion
Configuring network routing through Azure Firewall provides a reliable way to enforce centralized security policies across application workloads. By directing outbound traffic through the firewall, organizations gain greater control over network communication while reducing the risk of unauthorized or unmonitored traffic leaving the environment.

This approach not only enhances security and traffic visibility but also creates a scalable foundation for managing and protecting cloud-based applications as infrastructure requirements continue to grow.

Key Takeaways

Route tables help control how traffic flows within an Azure virtual network.
Associating route tables with subnets ensures routing policies are consistently applied to resources within those subnets.
Custom routes can redirect outbound traffic through Azure Firewall for centralized inspection and filtering.
Using the firewall’s private IP address as the next hop ensures traffic passes through security controls before accessing external networks.
Centralized routing improves security visibility, policy enforcement, and overall network management within Azure environments.

Create and configure Azure Firewall

okunola babatunde — Thu, 28 May 2026 17:59:53 +0000

Introduction:
As organizations continue to move applications to the cloud, securing network traffic becomes more important than ever. In this scenario, the organization needs a centralized security solution for its application virtual network to better control and monitor traffic between resources and external services. To achieve this, Azure Firewall is deployed within the app-vnet to provide enterprise-grade network protection and traffic filtering.

As application usage grows, the organization also requires more granular control over outbound access and stronger protection against potential threats. By implementing Azure Firewall policies, administrators can centrally manage and enforce security rules across the environment. Specific application and network rules are configured to allow secure access to Azure DevOps for application updates and DNS services for name resolution, while still maintaining strict traffic control.

This setup demonstrates how Azure Firewall can help secure both north-south and east-west traffic, providing a scalable and manageable security architecture for modern cloud workloads.

Skilling Tasks

Create an Azure Firewall.
Create and configure a firewall policy.
Create an application rule collection.
Create a network rule collection. This guide provides a step-by-step approach to creating and configuring Azure Firewall within an Azure virtual network environment. It covers the deployment of Azure Firewall, the creation of firewall policies, and the configuration of both application and network rules to secure traffic flow across the environment. The guide also demonstrates how to manage outbound access, enable DNS resolution, and control application connectivity using centralized security policies. By following these steps, you can implement a scalable and secure network architecture that helps protect Azure workloads from unauthorized access and potential threats.

Exercise instructions
Create Azure Firewall subnet in our existing virtual network

In the search box at the top of the portal, enter Virtual networks. Select Virtual networks in the search results.
Select app-vnet.
Select Subnets.
Select + Subnet.
Enter the following information and select Save. Property Value Name AzureFirewallSubnet Address range 10.1.63.0/26 Note: Leave all other settings as default. Note: Leave all other settings as default. Create an Azure Firewall
In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.
Select + Create.
Create a firewall by using the values in the following table. For any property that is not specified, use the default value. Note: Azure Firewall can take a few minutes to deploy.

Property Value
Resource group RG1
Name app-vnet-firewall
Firewall SKU Standard
Firewall management Use a Firewall Policy to manage this firewall
Firewall policy select Add new
Policy name fw-policy
Region East US
Policy Tier Standard
Choose a virtual network Use existing
Virtual network app-vnet (RG1)
Public IP address Add new: fwpip
Enable Firewall Management NIC uncheck the box

Select Review + create and then select Create. Update the Firewall Policy
In the portal, search for and select Firewall Policies.
Select fw-policy. Add an application rule
In the Settings blade, select Application rules and then Add a rule collection.
Configure the application rule collection and then select Add. Property Value Name app-vnet-fw-rule-collection Rule collection type Application Priority 200 Rule collection action Allow Rule collection group DefaultApplicationRuleCollectionGroup Name AllowAzurePipelines Source type IP address Source 10.1.0.0/23 Protocol https Destination type FQDN Destination dev.azure.com, azure.microsoft.com Note: The AllowAzurePipelines rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website. Add a network rule
In the Settings blade, select Network rules and then Add a network collection.
Configure the network rule and then select Add. Property Value Name app-vnet-fw-nrc-dns Rule collection type Network Priority 200 Rule collection action Allow Rule collection group DefaultNetworkRuleCollectionGroup Rule AllowDns Source 10.1.0.0/23 Protocol UDP Destination ports 53 Destination addresses 1.1.1.1, 1.0.0.1 Verify the firewall and firewall policy status
In the portal search for and select Firewall.
View the app-vnet-firewall and ensure the Provisioning state is Succeeded. This may take a few minutes.
In the portal serach for and select Firewall policies.
View the fw-policy and ensure the Provisioning state is Succeeded. This may take a few minutes.

Summary:
In this scenario, Azure Firewall is used to provide centralized network security for the application virtual network. Firewall policies are implemented to simplify rule management and improve control over network traffic. Application rules allow secure communication with Azure DevOps for application updates, while network rules enable DNS resolution required for connectivity and resource access.
However, using the Standard SKU provides support for both application and network rule collections, making it suitable for enterprise environments that require flexible traffic filtering and monitoring. The configuration also helps secure both external and internal traffic flows, improving the organizations overall security posture while maintaining application functionality.

Conclusion:
Implementing Azure Firewall within the application virtual network provides a strong foundation for centralized cloud security. By combining firewall policies with application and network rules, the organization can effectively manage traffic, protect workloads, and maintain secure access to essential services such as Azure DevOps and DNS.
This approach not only improves visibility and control over network communications but also supports future scalability as the application environment grows. Overall, Azure Firewall offers a reliable and flexible solution for protecting modern Azure workloads against evolving security challenges.

*Key Takeaways
Completing this exercise provided practical experience in deploying and managing Azure Firewall to secure resources within an Azure virtual network. Throughout the configuration process, several important concepts became clear:

Azure Firewall serves as a centralized, cloud-native security solution that helps monitor and control both inbound and outbound network traffic across Azure environments.
Firewall policies simplify security management by allowing administrators to organize and manage NAT, network, and application rules from a single location.
Network rules provide granular traffic control by filtering connections based on IP addresses, ports, and protocols, helping secure communication between resources.
Application rules offer more advanced filtering by allowing or blocking traffic using fully qualified domain names (FQDNs), URLs, and web protocols such as HTTP and HTTPS.
Implementing Azure Firewall improves visibility, strengthens network security, and provides a scalable foundation for protecting modern cloud workloads.

Create and configure network security groups

okunola babatunde — Thu, 28 May 2026 14:17:06 +0000

Introduction:
Creating and configuring secure virtual networks in Azure is more than just connecting resources — it’s about building an environment where applications can communicate safely, efficiently, and without unnecessary exposure to the internet.

Recently, I worked on a scenario focused on implementing Network Security Groups (NSGs) and Application Security Groups (ASGs) within an Azure virtual network architecture. The goal was simple: strengthen traffic control between frontend and backend systems while maintaining secure access for users and applications.

The environment was designed around two critical subnets inside an Azure Virtual Network (VNet):

Frontend Subnet
This subnet hosted web servers that needed to be accessible from the internet. To simplify management and improve security, an Application Security Group (ASG) was created and linked to the virtual machine interfaces belonging to the frontend servers.

To allow secure user access, an inbound NSG rule was configured to permit HTTPS traffic using:

Protocol: TCP
Port: 443

This setup ensures encrypted communication between users and the web application while reducing unnecessary exposure.

Backend Subnet
The backend subnet contained database servers responsible for handling application data. Since database servers should never be directly exposed publicly, tighter controls were implemented using a dedicated Network Security Group (NSG).

An inbound security rule was then created to allow traffic only from the frontend ASG to the backend servers using:

Service: MS SQL
Port: 1433

This approach follows the principle of least privilege by ensuring only approved frontend resources can communicate with the database layer.

To complete the deployment, two Ubuntu virtual machines were provisioned using an Azure Resource Manager (ARM) template:

VM1 deployed in the frontend subnet
VM2 deployed in the backend subnet

One thing I appreciated during this project was how Azure networking services make it possible to create layered security models that are both scalable and easy to manage. Instead of assigning rules individually to every VM, ASGs and NSGs help centralize traffic policies and simplify administration as environments grow.

This scenario reinforced the importance of:

Segmented network architecture
Controlled inbound and outbound traffic
Secure communication between application layers
Infrastructure automation using ARM templates
Cloud security best practices in Microsoft Azure

Cloud networking is not just about connectivity anymore — security and intelligent traffic management are now at the center of modern infrastructure design.

Skilling Tasks

Create an NSG.
Create NSG rules.
Associate an NSG to a subnet.
Create and use Application Security Groups in NSG rules.

In this guide, I’ll walk you through a simple step-by-step process for creating and configuring Network Security Groups (NSGs) in Azure. I will also cover how to create NSGs, set up security rules, associate NSGs with subnets, and use Application Security Groups (ASGs) to better control and secure network traffic between your resources. By the end of this walkthrough, you’ll have a clearer understanding of how Azure network security works in real-world environments.

Create the network infrastructure for the exercise
Note: This exercise requires the Lab 01 virtual networks and subnets to be installed. A template is provided if you need to deploy those resources.

Use the icon (top right) to launch a Cloud Shell session. Alternately, navigate directly to https://shell.azure.com.
If prompted to select either Bash or PowerShell, select PowerShell.
Storage is not required for this task Select your subscription. Apply your changes.
Use these commands to deploy the virtual machines required for this exercise. This command was used to deploy the two virtual machines used for this project. New-AzResourceGroupDeployment -ResourceGroupName RG1 -TemplateFile ./create-vnets-vms-template.json
In the portal search for and select virtual machines. Verify both vm1 and vm2 are Running. Create Application Security Group Application security groups (ASGs) let you group together servers with similar functions. For example, all the web servers hosting your application.
In the portal, search for and select Application security groups.
Select + Create and configure the application security group.

Property Value
Subscription Select your subscription
Resource group RG1
Name app-frontend-asg
Region East US

Select Review + create and then select Create. Note: You are creating the application security group in the same region as the existing virtual network.

Associate the application security group to the network interface of the VM

In the Azure portal, search for and select VM1.
In the Networking blade, select Application security groups and then select Add application security groups.
Select the app-frontend-asg and then select Add. Create and Associate the Network Security Group Network security groups (NSGs) secure network traffic in a virtual network.
In the portal search for and select Network security group.
Select + Create and configure the network security group. Property Value Subscription Select your subscription Resource group RG1 Name app-vnet-nsg Region westus2
Select Review + create and then select Create. Associate the NSG with the app-vnet backend subnet. NSGs can be associated with subnets and/or individual network interfaces attached to Azure virtual machines.
Select Go to resource or navigate to the app-vnet-nsg resource.
In the Settings blade select Subnets.
Select + Associate
Select app-vnet (RG1) and then the Backend subnet. Select OK.

Create Network Security Group rules
An NSG use security rules to filter inbound and outbound network traffic.

In the search box at the top of the portal, enter Network security groups. Select Network security groups in the search results.
Select app-vnet-nsg from the list of network security groups.
In the Settings blade, select Inbound security rules.
Select + Add and configure an inbound security rule. Property Value Source: Any Source port ranges: * Destination: Application Security group Destination application security group: app-frontend-asg Service: SSH Action: Allow Priority: 100 Name: AllowSSH

*Key Takeaways *

Application security groups help you group virtual machines by the apps they run, so you can easily set security rules for those apps.
Network security groups act like filters, controlling which traffic can move in and out of your Azure resources.
You can attach one security group (or none) to each subnet or virtual machine’s network card.
Inside a network security group are rules that decide whether traffic is allowed or blocked.
To make things easier, you connect virtual machines to an application security group, then use that group as the source or destination in your network rules.

Summary
In this scenario, the organization wants to strengthen security and better control the flow of network traffic within the app-vnet environment. The setup includes a frontend subnet that hosts web servers accessible from the internet and a backend subnet that contains database servers used by the frontend applications.

To improve security management, an Application Security Group (ASG) is used for the frontend web servers, making it easier to organize and manage virtual machines that belong to the same application layer. A Network Security Group (NSG) is also implemented to control and filter traffic between the frontend and backend resources, ensuring that only approved communication is allowed between the web servers and the database servers.

For testing and deployment purposes, two Ubuntu virtual machines are created: VM1 in the frontend subnet and VM2 in the backend subnet. These virtual machines are deployed using an Azure Resource Manager (ARM) template provided by the IT team, helping automate and standardize the deployment process.

In conclusion, using NSGs and ASGs in Azure helps create a more secure and well-organized network environment. By controlling how traffic flows between the frontend and backend resources, the organization can better protect its applications while still allowing the right communication between services. This setup also highlights how ARM templates make deployments faster, more consistent, and easier to manage in real-world cloud environments.

Designing Secure Azure Networking for a Web Application Migration: A Practical Hub-and-Spoke Approach

okunola babatunde — Mon, 25 May 2026 22:26:09 +0000

Introduction:

One of the biggest mistakes organizations make during cloud migration is focusing only on moving applications while neglecting the network architecture that supports them.

In reality, networking is the backbone of every secure and scalable cloud environment.

As part of my Azure cloud engineering journey, I’m currently working on a small but practical project focused on designing and implementing a secure Azure networking environment for a web-based application migration.

The goal is not just to deploy resources, but to understand how enterprise-grade Azure networking is designed in real-world environments.

And it all starts with Virtual Networks, Subnets, and Secure VNet Peering.

Let’s break it down in a practical and simplified way.

The Scenario: You're the Cloud Architect
Imagine this: Your company is finally moving its web application to Azure. And guess who gets the first task? You.

You need to build the virtual networks (VNets) and subnets from scratch. Oh, and they must talk to each other securely. No pressure, right?

Here’s the game plan:

Two VNets → app-vnet (for the app) + hub-vnet (for shared services)

Two subnets in app-vnet → frontend (web servers) + backend (database servers)

One subnet in hub-vnet → for a firewall (named AzureFirewallSubnet)

Private, secure connection between VNets → via VNet peering

Same Azure region → lower latency, no extra costs

This is called a hub and spoke network architecture.
hub-vnet = the center (firewall, monitoring)
app-vnet = the spoke (your application)

By the end of this tutorial, you'll have a production-ready network foundation in less than 10 minutes.

What I’m About to Build
1. Creating the Application Virtual Network (app-vnet)

This virtual network will host the application infrastructure.

Inside this VNet, I’ll create two separate subnets:

Frontend Subnet

This subnet will host the web servers responsible for handling user requests and application traffic.

Backend Subnet

This subnet will host the database servers and internal application services.

Separating frontend and backend resources into different subnets improves:

Security
Traffic control
Workload isolation
Easier policy enforcement

This is one of the most important principles in cloud networking — segmentation.

2. Creating the Hub Virtual Network (hub-vnet)

The second virtual network will act as the centralized hub.

Inside the hub-vnet, I’ll create a dedicated subnet for the firewall.

This firewall layer will help simulate how organizations centralize:

Security policies
Traffic inspection
Routing management
Controlled communication between environments

This architecture becomes extremely useful as environments grow larger and more complex.

3. Configuring Secure Virtual Network Peering

Once both VNets are created, the next step is to establish Virtual Network Peering between them.

This allows:

Secure private communication
Low-latency connectivity
Seamless resource access between VNets

One of the most interesting parts of Azure VNet Peering is that traffic remains on Microsoft’s private backbone network and never traverses the public internet.

That means better:

Security
Performance
Reliability

Here, is the technical details and guides to provision Hub-and-Spoke Approach.

Exercise instructions

Note: To complete this lab you will need an Azure subscription with Contributor RBAC role assigned. In this lab, when you are asked to create a resource, for any properties that are not specified, use the default value.

Create hub and spoke virtual networks and subnets

An Azure virtual network enables many types of Azure resources to securely communicate with each other, the internet, and on-premises networks. All Azure resources in a virtual network are deployed into subnets within the virtual network.

Search for and select Virtual Networks.
Select + Create and complete the configuration of the app-vnet. This virtual network requires two subnets, frontend and backend.

Property Value
Resource group RG1
Virtual network name app-vnet
Region East US
IPv4 address space 10.1.0.0/16
Subnet name frontend
Subnet address range 10.1.0.0/24
Subnet name backend
Subnet address range 10.1.1.0/24
Note:Leave all other settings as their defaults

When finished select “Review + create and then Create.

Create the Hub-vnet virtual network configuration. This virtual network has the firewall subnet.

Property Value
Resource group RG1
Name hub-vnet
Region East US
IPv4 address space 10.0.0.0/16
Subnet name AzureFirewallSubnet
Subnet address range 10.0.0.0/26

Once the deployments are complete, search for and select your ‘virtual networks`.
Verify your virtual networks and subnets were deployed.

Configure a peer relationship between the virtual networks
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure.

Search for and select the app-vnet virtual network.
In the Settings blade, select Peerings.
+ Add a peering between the two virtual networks.

Property Value
Remote peering link name app-vnet-to-hub
Virtual network hub-vnet
Local virtual network peering link name hub-to-app-vnet

Note: Leave all other settings as their defaults. Select “Add” to create the virtual network peering.

Once the deployment completes, verify the Peering status is Connected.

Key takeaways

Networking first – No app is secure or scalable without a solid network foundation.
Hub-spoke pattern – Centralize shared services (hub-vnet), isolate workloads (spoke-vnets).
VNet peering – Private, fast, free (same region), and requires bidirectional setup.
Subnets = security boundaries – Separate frontend (web) and backend (database) tiers.
Plan IPs carefully – Overlapping address spaces break peering.
Hands-on > theory – Building it yourself bridges the knowing-doing gap.
Patterns over clicks – Understanding why matters more than knowing how.

In conclusion, Cloud engineering is so much more than just deploying virtual machines. Don't get me wrong—spinning up a VM is satisfying. But the real value? That comes when you start thinking bigger. When you stop asking "How do I make this work?" and start asking "How do I make this secure, scalable, and resilient enough to grow with the business?" That shift in thinking changes everything.

This project gave me a chance to step into that mindset. I didn't just click buttons in the Azure portal. I dug into networking fundamentals—VNets, subnets, peering—and started to see how these pieces fit together in real enterprise environments. Not textbook diagrams. Not simplified labs. The kind of patterns you'd actually find in production.

And here's what stood out to me the most:

Every great cloud deployment—whether it's a small startup or a global enterprise—starts with a solid network foundation. You can have the most brilliant application code in the world, but if your network is messy or insecure, nothing else really matters.

This hands-on learning reminded me why I got into cloud engineering in the first place. It's not about memorising services or chasing certifications. It's about bridging that gap between knowing the theory and actually building something real.

And honestly? That's the kind of learning that sticks with you.

Manage tags and locks

okunola babatunde — Fri, 13 Mar 2026 19:28:04 +0000

Cloud environments can scale rapidly, making proper organization and protection essential. After completing tasks such as creating a subnet, updating a virtual machine, and working with an Azure storage account, the next step was to improve governance by implementing tags and resource locks.

Tags allow administrators to attach key-value metadata to resources, making it easier to categorize, track, and manage them across the environment. Resource locks, on the other hand, help prevent accidental deletion or modification of critical resources, adding an extra layer of protection.

During this exercise, I revisited the previously created resources and applied appropriate tags, locks, or both to strengthen management and oversight.
A simple guide to implement, how locks and tags are set, is stated bellow.

Add tags to a virtual machine

You’ll start by adding a pair of tags to the virtual machine. One tag will be to identify the purpose of the virtual machine and the other will be to indicate the department the machine supports.

Login to Microsoft Azure at https://portal.azure.com
From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
From the menu pane, select Tags.
On one line for Name enter Department and for Value enter Customer Service
On the next line, for Name enter Purpose and for Value enter FTP Server.
Select Apply. While you’re working on the virtual machine, it’s a great time to add a resource lock. ## Add a resource lock to a VM
If necessary, expand the Settings submenu.
Select Locks.
Select + Add.
For the name, enter VM-delete-lock.
For the Lock type, select Delete. You may enter a note to help remind you why you created the lock.
Select OK. That’s it. Now the VM is protected from deletion and has tags assigned to help track use. Time to move onto the network. Select Home to return to the Azure portal home page. ## Add tags to network resources
From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select the guided-project-vnet network.
From the menu pane, select Tags. ## Note: Notice that now you can select an existing tag to apply or add a new tag. You can also select just the name or value and apply create something new in the other field.
For the Name select Department.
For the Value enter IT.
Select Apply. Now both the VNet and VM have are organised.

Conclusion

Using tags and resource locks is a simple but powerful way to maintain organization, visibility, and security in Azure environments as they continue to grow.

Control storage access

okunola babatunde — Fri, 13 Mar 2026 19:04:51 +0000

The effective storage management is key to a secure and efficient cloud environment. Recently, I worked hands-on with Azure storage accounts, creating a storage container and a file share, and uploading files to both. Containers provide scalable, structured object storage, while file shares allow SMB/NFS-style access for team collaboration.

This exercise helped me practice setting permissions, managing access keys, and ensuring data is organized and secure—skills essential for modern cloud operations.
Here, in this practical guide, I have shared with you how storage container and fileshare have been created, and how restriction is set on the container's content.

Create a storage container

Login to Microsoft Azure at (Azure Portal)[https://portal.azure.com] From the Azure portal home page, in the search box, enter storage accounts.
Select storage accounts under services.
Select the storage account you created in the Prepare exercise
The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.) 5. On the storage account blade, under the Data storage submenu, select Containers.
Select + Add container.
In the Name field, enter storage-container.
Select Create.

Upload a file to the storage container

Select the storage container you just created.
Select Upload and upload the file you prepared.
Once the file is ready for upload, select Upload. With the file uploaded, notice that the Access tier is displayed. For something we uploaded just for testing, it doesn’t need to be assigned to the Hot access tier. In the next few steps, you’ll change the access tier for the file. ## Change the access tier
Select the file you just uploaded (the file name is a hyperlink).
Select Change tier.
Select Cold.
Select Save. ## Note: You just changed the access tier for an individual blob or file. To change the default access tier for all blobs within the storage account, you could change it at the storage account level.
Select Home to return to the Azure portal home page.
From the Azure portal home page, in the search box, enter storage accounts.
Select storage accounts under services.
Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)
On the storage account blade, under the Data storage submenu, select File shares.
Select + File share.
On the Basics tab, in the name field enter file-share.
On the Backup tab, uncheck Enable backup
Select Review + create.
Select Create.
Once the file share is created, select Upload.
Upload the same file you uploaded to the blob storage or a different file, it’s up to you.
Select Home to return to the Azure portal home page. The next piece of the puzzle is figuring one way to control access to the files that have been uploaded. Azure has many ways to control files, including things like role-based access control. In this scenario, the Azure admin wants you to use shared access tokens or keys. ## Create a shared access signature token
From the Azure portal home page, in the search box, enter storage accounts.
Select storage accounts under services.
Select the storage account you created in the Prepare exercise.
On the storage account blade, select Storage browser. Expand Blob containers
Expand Blob containers ## Note: Blob container is another name for the storage containers. Items uploaded to a storage container are called blobs.
Select the storage container you created earlier, storage-container. 7. Select the ellipses (three dots) on the end of the line for the image you uploaded.
Select Generate SAS ## Note: When you generate a shared access signature, you set the duration. Once the duration is over, the link stops working. The **Start automatically populates with the current date and time.Set 9. Signing method to Account key.
Set Signing key to Key 1 ## Tip: There are two signing keys available. You can choose either one, or create SAS tokens with different durations.
Set Stored access policy to None.
Set Permissions to Read.
Enter a custom start and expiry time or leave the defaults. 14. Set Allowed protocols to HTTPS only.
Select Generate SAS token and URI.
Copy the Blob SAS URL and paste it in another window or tab of your browser. It should display the image you uploaded. Keep this tab or window open.
Select Home to return to the Azure portal home page. With the SAS token created, anyone with that link can access the file for the duration that was set when you created the SAS token. However, controlling access to a resource or file is about more than just granting access. It’s also about being able to revoke access. To revoke access with a SAS token, you need to invalidate the token. You invalidate the token by rotating the key that was used. ## Rotate access keys
From the Azure portal home page, in the search box, enter storage accounts.
Select storage accounts under services.
Select the storage account you created in the Prepare exercise.
Expand the Security + networking submenu.
Select Access keys. 6. For Key 1, select Rotate key.
Read and then acknowledge the warning about regenerating the access key by selecting Yes. 8. Once you see the success message for rotating the access key, go back to the window or tab you used to check the SAS token and refresh the page. You should receive an authentication failed error.

Conclusion:

Mastering Azure storage accounts, containers, and file shares enables admins to control access, simplify file sharing, and maintain scalable, secure cloud environments.

Manage virtual machines

okunola babatunde — Fri, 13 Mar 2026 18:30:32 +0000

Managing virtual machines in Azure isn’t just about creating them—it’s about placing them strategically within the network for efficiency and visibility. After updating network settings to support subnet segmentation, I moved an existing Linux VM to a newly created subnet. This ensures better traffic isolation, simplifies monitoring, and lays the groundwork for scalable deployments.

Migrating the VM to its dedicated subnet preserved the integrity of the existing network while enhancing visibility into its resource utilisation and network flow. Proactive network management like this, keeps the cloud environment organised, secure, and easier to maintain.Here, these procedures guide you on how to do it yourself in a less stressful way.

Move the virtual machine network to the new subnet

Login to Microsoft Azure at (Azure Portal)[https://portal.azure.com]
From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
If the virtual machine is running, select Stop. ## Note: In order to make some configuration changes, such as changing the subnet, the VM will need to be restarted. You can request the change without stopping the VM, but Azure will force a restart before completing the change.
Wait for the Status field to update and show Stopped (deallocated).
Within the Networking subsection of the menu, select Network settings.
Select the Network interface / IP configuration hyperlink for the VM.
On the IP Configurations page, update the Subnet to ftpSubnet.
Select Apply. 11. Select Home to return to the Azure portal home page.

Vertically scale the virtual machine

From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
Locate the Availability + scale submenu and select Size. 5. Select a new VM size D2s_v5 for example. (Note: If you don’t see the same size as shown in this exercise, select something similar.)
Select Resize.
Select Home to return to the Azure portal home page.

Attach data disks to a virtual machine

From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
Locate the settings submenu and select Disks. 5. Select Create and attach a new disk.
Leave LUN as default.
Enter ftp-data-disk for the Disk name.
Leave the Storage type as default.
Enter 20 for the Size.
Select Apply to create the new storage disk and attach the disk to the machine. 11. Select Home to return to the Azure portal home page.

Configure automatic shutdown on a virtual machine

From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
Under the Operations submenu, select Auto-shutdown. 5. In order to let late uploads finish, set the Scheduled shutdown to 7:15:00 PM.
Select Save.
Select Home to return to the Azure portal home page.

Conclusion:

Using dedicated subnets for VMs is a straightforward, yet impactful practice in Azure. It enables workload isolation, better performance monitoring, and future-proofing of the infrastructure—keeping operations smooth and manageable.

Update the virtual network

okunola babatunde — Fri, 13 Mar 2026 18:05:49 +0000

As part of supporting an Azure Admin in managing cloud resources, I assist with specific tasks rather than maintaining the entire infrastructure. Currently, one Linux virtual machine (VM) is under-utilised, and there’s a requirement to deploy a new Linux VM to act as an FTP server. To ensure effective monitoring of network traffic and resource utilization for the FTP server, the Azure Admin has requested the creation of a dedicated subnet. The existing subnet will remain unchanged to accommodate future VM deployments. Here is a simple guide to provisioning a subnet for a Linux FTP Server. To achieve this goal, you need to follow a step-by-step guide as stated bellow

Create a new subnet on an existing virtual network (vNet)

Login to Microsoft Azure at (Azure Portal)[https://portal.azure.com]
From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select the guided-project-vnet virtual network.
From the guided-project-vnet blade, under settings, select Subnets.
To add a subnet, select + Subnet.
For Subnet purpose leave it as Default.
For Name enter: ftpSubnet.
Leave the rest of the settings alone and select Add.
Select Home to return to the Azure portal home page.

Create a network security group

From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select Network security groups.
Select + Create.
Verify the subscription is correct.
Select the guided-project-rg resource group.
Enter ftpNSG for the network security group name.
Select Review + create.
Once the validation is complete, select Create.
Wait for the screen to refresh and display Your deployment is complete.
Select Go to resource.

Create an inbound security rule

Under settings, select Inbound security rules.
Select + Add.
Change the Destination port ranges from 8080 to 22.
Select TCP for the protocol.
Set the name to ftpInbound.
Select Add.
Select Home to return to the Azure portal home page.

Associate a network security group to a subnet

From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select the guided-project-vnet virtual network.
Under settings, select Subnets.
Select the ftpSubnet you created.
On the Edit subnet page, under the Security section heading, update the Network security group field to ftpNSG.
Select Save.

Conclusion
In Azure, planning network segmentation and resource allocation is essential for performance, monitoring, and security. By provisioning a new subnet for an FTP server, the infrastructure becomes more organised, maintainable, and transparent for administrators tracking usage metrics. This approach exemplifies proactive cloud governance and prepares the environment for future scaling needs.

Hands-On Azure Infrastructure Setup: My Learning Journey

okunola babatunde — Fri, 13 Mar 2026 17:39:29 +0000

I recently completed a hands-on exercise in Azure to set up the foundation of a cloud environment—and it was a game-changer for understanding real-world cloud infrastructure.

Here’s what I did:

Logged into Microsoft Azure – The portal is your central hub for managing and monitoring cloud resources.
Created a Resource Group – Grouping resources together makes management, access control, and lifecycle policies much easier. I named mine guided-project-rg
Set up a Virtual Network & Subnet – Networking is the backbone of cloud infrastructure. With guided-project-vnet. I defined IP ranges and prepared the network for secure communication.
Provisioned a Virtual Machine – I created guided-project-vm running Ubuntu Server 24.04 LTS - x64 Gen2 .VMs provide scalable compute and are the building blocks for cloud applications.
Created a Storage Account – Storage is essential for persisting data. I set up privateokunola2strg with standard performance and hot access tier, perfect for development and testing workloads.

Key Takeaways:

Planning your resources upfront saves headaches later.

VNets, subnets, and resource groups aren’t just concepts—they’re practical tools for building scalable, secure environments.

Hands-on practice bridges the gap between theory and real-world application.

Cloud infrastructure isn’t just about creating resources—it’s about understanding how they connect and scale. Exercises like this are a great way to build confidence and technical skills in Azure.

From the Azure portal home page, in the search box, enter resource groups.
Select Resource groups under services.
Select Create

Note:

Your subscription should already be selected. If you have multiple Azure subscriptions associated with this login, select the one you’d like to use for the guided project.
Enter "guided-project-rg" in the Resource group name field.
The Region field will automatically populate. Leave your region set on Korea central
Select Review + create.
Select Create.
Return to the home page of the Azure portal by selecting Home.

Create a virtual network with one subnet
From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select Create.
Scroll down to the Instance details section and enter guided-project-vnet for the Virtual network name.
Select Review + create.
Select Create.
Wait for the screen to refresh and show Your deployment is complete.
Select Home to return to the Azure portal home page.

Create a virtual machine

From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select Create and then select Virtual machine
Select guided-project-rg for the Resource group.
Enter guided-project-vm for the Virtual machine name.
For the Image, select one of the Ubuntu Server options. (For example, Ubuntu Server 24.04 LTS - x64 Gen2)
Continue further on the Basics page to the Administrator account section.
Select Password for authentication type.
Enter guided-project-admin for the admin Username.
Enter a password for the admin account.
Confirm the password for the admin account.
Leave the rest of the settings as default settings. You can uploads.s3.amazonaws.com/uploads/articles/4y09h45cv9svvlrw5scz.png)
Select Review + create
Select Create to confirm the resource cost and create the virtual machine.
Select Home to return to the Azure portal home page. Note: Once validation has passed, you’ll receive a cost estimate of how much it will cost per hour to run the VM.

Create a Storage account

From the Azure portal home page, in the search box, enter storage accounts.
Select Storage accounts under services.
Select Create.
Scroll down to the Instance details section and enter a name for the storage account. Storage accounts must be globally unique, so you may have to try a few different times to get a storage account name.
Select Review + create.
Select Create.
Wait for the screen to refresh and show Your deployment is complete.
Select Home to return to the Azure portal home page.

Hands-On Azure Cloud Engineering: Managing Networks, Virtual Machines, Storage Blobs, and Resource Governance

okunola babatunde — Fri, 13 Mar 2026 16:13:43 +0000

Cloud infrastructure is not just about launching servers in the cloud. It’s about designing systems that are organized, secure, scalable, and easy to manage over time. Recently, I worked on a hands-on Azure guided project where I practiced managing key parts of a cloud environment. The experience simulated assisting an Azure administrator with maintaining and improving an existing infrastructure. The project covered several important areas of cloud engineering, including:

Network configuration
Virtual machine management
Cloud storage services
Resource governance and protection

Although the work involved technical tools, the main idea behind it was simple: build systems that are easy to understand, monitor, and protect from mistakes.

Preparing the Azure Environment

The project required an active Azure subscription, since all tasks involved creating and managing real cloud resources. One of the first best practices emphasised was using clear naming conventions when creating resources. In simple terms, this means naming resources in a way that clearly describes their purpose. When teams follow structured naming patterns, it becomes much easier to:

Quickly identify resources
Keep infrastructure organized
Clean up environments after projects
Maintain consistency across teams

Another important lesson was cost awareness. Because cloud services charge based on usage, engineers must always create and manage resources responsibly.

Supporting an Azure Administrator

In this scenario, I was supporting an Azure administrator who manages an existing cloud environment. The infrastructure already contained a Linux Virtual Machine (VM), but it wasn’t being fully utilised. At the same time, there was a need for another Linux system that could function as an FTP server to allow files to be transferred between systems.
Before setting this up, the administrator wanted better visibility into network traffic and system usage.
To make this possible, the first step was to create a new subnet within the existing virtual network.
Creating a New Subnet for Better Network Organization
Rather than modifying the current network segment, the administrator requested the creation of a separate subnet dedicated to the FTP server.
The original subnet was left untouched because it may be used for future virtual machines.

Creating a new subnet offers several advantages:

It separates workloads into different network segments
It improves monitoring of network activity
It keeps infrastructure organised
It allows the environment to scale in the future This approach is known as network segmentation, and it helps improve both security and visibility in cloud environments.

Managing the Virtual Machine

Once the network structure was prepared, the next task was to update the virtual machine configuration.
The existing Linux VM was moved to the newly created subnet, ensuring it would operate within the correct network environment for the FTP service.
In real-world cloud environments, tasks like this are common. Infrastructure engineers often need to adjust existing systems while ensuring services continue to run smoothly.

Working with Azure Storage Services

Another key part of the project involved learning how to manage cloud storage services.
Organizations often need reliable ways to store and share files across systems, and Azure provides several services designed for this purpose.
During the exercise, I worked with:

AzureStorage Accounts
Blob Storage Containers
Azure File Shares

The tasks included:

Creating a storage container
Creating a file share
Uploading files to both storage locations

Blob Storage is typically used for storing large amounts of data such as application files, backups, logs, and media.
Azure File Shares, on the other hand, work more like a shared network folder, allowing multiple systems to access the same files.
These services are essential when organizations need secure and scalable file storage in the cloud.

Protecting and Organising Resources with Tags and Locks

As cloud environments grow, managing resources becomes more complex. Azure provides governance tools to help teams keep everything organised and protected.

Two important tools used in this project were resource tags and resource locks.

Resource Tags
Tags are simple labels attached to resources.
For example, a tag can show:
• Which department owns the resource
• The purpose of the resource
• The environment (development, testing, or production)
This makes it easier to track usage, manage costs, and quickly understand what each resource is used for.
Resource Locks
Resource locks help prevent accidental deletion or modification of important systems.
Because the Linux VM was going to operate as an FTP server, a lock was applied to ensure that no one could mistakenly delete it.
This adds an extra layer of operational protection and stability.

Final Outcome
By completing the project, the environment now includes:

A new subnet for better network organization
A Linux virtual machine positioned correctly within the network
Azure storage services configured for file sharing and storage
Resource tags applied for better organization Resource locks implemented to protect critical infrastructure from being accidentally deleted. Together, these improvements help ensure the cloud environment is structured, secure, and easier to manage.

Key Takeaways

This experience reinforced several important cloud engineering principles:

Designing well-structured network architectures
Managing and updating virtual machine configurations
Using cloud storage solutions effectively
Organising infrastructure with resource tagging
Protecting critical resources using locks These are foundational skills for anyone working with modern cloud platforms like Microsoft Azure. Cloud engineering is not only about deploying resources — it's about building environments that are reliable, organised, and sustainable.

However, to make this learning easier for others, I also created a step-by-step guide with screenshots, so anyone interested in Azure infrastructure can follow along and practice these tasks independently.

Need an Azure account?
If you already have a Microsoft Azure account to use for this lab, skip to Login to Microsoft Azure. If you need to create an Azure account, complete the following steps.

Go to the Azure free account page.
Select Try Azure for free
Complete the sign-up process for an Azure account.
Login to Microsoft Azure
Login to Microsoft Azure at Azure Portal

Create a resource group

In order to make clean-up easy at the end, start with creating a new resource group to hold the resources for this guided project. Using resource groups to organize things is a quick way to ensure you can manage resources when a project is over.

From the Azure portal home page, in the search box, enter resource groups.
Select Resource groups under services.
Select Create

Note:

Your subscription should already be selected. If you have multiple Azure subscriptions associated with this login, select the one you’d like to use for the guided project.
Enter "guided-project-rg" in the Resource group name field.
The Region field will automatically populate. Leave your region set on Korea central
Select Review + create.
Select Create.
Return to the home page of the Azure portal by selecting Home.

Create a virtual network with one subnet
From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select Create.
Scroll down to the Instance details section and enter guided-project-vnet for the Virtual network name.
Select Review + create.
Select Create.
Wait for the screen to refresh and show Your deployment is complete.
Select Home to return to the Azure portal home page.

Create a virtual machine

From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select Create and then select Virtual machine
Select guided-project-rg for the Resource group.
Enter guided-project-vm for the Virtual machine name.
For the Image, select one of the Ubuntu Server options. (For example, Ubuntu Server 24.04 LTS - x64 Gen2)
Continue further on the Basics page to the Administrator account section.
Select Password for authentication type.
Enter guided-project-admin for the admin Username.
Enter a password for the admin account.
Confirm the password for the admin account.
Leave the rest of the settings as default settings. You can uploads.s3.amazonaws.com/uploads/articles/4y09h45cv9svvlrw5scz.png)
Select Review + create
Select Create to confirm the resource cost and create the virtual machine.
Select Home to return to the Azure portal home page. Note: Once validation has passed, you’ll receive a cost estimate of how much it will cost per hour to run the VM.

Create a Storage account

From the Azure portal home page, in the search box, enter storage accounts.
Select Storage accounts under services.
Select Create.
Scroll down to the Instance details section and enter a name for the storage account. Storage accounts must be globally unique, so you may have to try a few different times to get a storage account name.
Select Review + create.
Select Create.
Wait for the screen to refresh and show Your deployment is complete.
Select Home to return to the Azure portal home page.

Create a new subnet on an existing virtual network (vNet)

Login to Microsoft Azure at (Azure Portal)[https://portal.azure.com]
From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select the guided-project-vnet virtual network.
From the guided-project-vnet blade, under settings, select Subnets.
To add a subnet, select + Subnet.
For Subnet purpose leave it as Default.
For Name enter: ftpSubnet.
Leave the rest of the settings alone and select Add.
Select Home to return to the Azure portal home page.

Create a network security group

From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select Network security groups.
Select + Create.
Verify the subscription is correct.
Select the guided-project-rg resource group.
Enter ftpNSG for the network security group name.
Select Review + create.
Once the validation is complete, select Create.
Wait for the screen to refresh and display Your deployment is complete.
Select Go to resource.

Create an inbound security rule

Under settings, select Inbound security rules.
Select + Add.
Change the Destination port ranges from 8080 to 22.
Select TCP for the protocol.
Set the name to ftpInbound.
Select Add.
Select Home to return to the Azure portal home page.

Associate a network security group to a subnet

From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select the guided-project-vnet virtual network.
Under settings, select Subnets.
Select the ftpSubnet you created.
On the Edit subnet page, under the Security section heading, update the Network security group field to ftpNSG.
Select Save. *Move the virtual machine network to the new subnet *
Login to Microsoft Azure at (Azure Portal)[https://portal.azure.com]
From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
If the virtual machine is running, select Stop. ## Note: In order to make some configuration changes, such as changing the subnet, the VM will need to be restarted. You can request the change without stopping the VM, but Azure will force a restart before completing the change.
Wait for the Status field to update and show Stopped (deallocated).
Within the Networking subsection of the menu, select Network settings.
Select the Network interface / IP configuration hyperlink for the VM.
On the IP Configurations page, update the Subnet to ftpSubnet.
Select Apply. 11. Select Home to return to the Azure portal home page.

Vertically scale the virtual machine

From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
Locate the Availability + scale submenu and select Size. 5. Select a new VM size D2s_v5 for example. (Note: If you don’t see the same size as shown in this exercise, select something similar.)
Select Resize.
Select Home to return to the Azure portal home page.

Attach data disks to a virtual machine

From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
Locate the settings submenu and select Disks. 5. Select Create and attach a new disk.
Leave LUN as default.
Enter ftp-data-disk for the Disk name.
Leave the Storage type as default.
Enter 20 for the Size.
Select Apply to create the new storage disk and attach the disk to the machine. 11. Select Home to return to the Azure portal home page.

Configure automatic shutdown on a virtual machine

From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
Under the Operations submenu, select Auto-shutdown. 5. In order to let late uploads finish, set the Scheduled shutdown to 7:15:00 PM.
Select Save.
Select Home to return to the Azure portal home page.

Create a storage container

Login to Microsoft Azure at (Azure Portal)[https://portal.azure.com] From the Azure portal home page, in the search box, enter storage accounts.
Select storage accounts under services.
Select the storage account you created in the Prepare exercise
The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.) 5. On the storage account blade, under the Data storage submenu, select Containers.
Select + Add container.
In the Name field, enter storage-container.
Select Create.

Upload a file to the storage container

Select the storage container you just created.
Select Upload and upload the file you prepared.
Once the file is ready for upload, select Upload. With the file uploaded, notice that the Access tier is displayed. For something we uploaded just for testing, it doesn’t need to be assigned to the Hot access tier. In the next few steps, you’ll change the access tier for the file. ## Change the access tier
Select the file you just uploaded (the file name is a hyperlink).
Select Change tier.
Select Cold.
Select Save. ## Note: You just changed the access tier for an individual blob or file. To change the default access tier for all blobs within the storage account, you could change it at the storage account level.
Select Home to return to the Azure portal home page.
From the Azure portal home page, in the search box, enter storage accounts.
Select storage accounts under services.
Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)
On the storage account blade, under the Data storage submenu, select File shares.
Select + File share.
On the Basics tab, in the name field enter file-share.
On the Backup tab, uncheck Enable backup
Select Review + create.
Select Create.
Once the file share is created, select Upload.
Upload the same file you uploaded to the blob storage or a different file, it’s up to you.
Select Home to return to the Azure portal home page. The next piece of the puzzle is figuring one way to control access to the files that have been uploaded. Azure has many ways to control files, including things like role-based access control. In this scenario, the Azure admin wants you to use shared access tokens or keys. ## Create a shared access signature token
From the Azure portal home page, in the search box, enter storage accounts.
Select storage accounts under services.
Select the storage account you created in the Prepare exercise.
On the storage account blade, select Storage browser. Expand Blob containers
Expand Blob containers ## Note: Blob container is another name for the storage containers. Items uploaded to a storage container are called blobs.
Select the storage container you created earlier, storage-container. 7. Select the ellipses (three dots) on the end of the line for the image you uploaded.
Select Generate SAS ## Note: When you generate a shared access signature, you set the duration. Once the duration is over, the link stops working. The **Start automatically populates with the current date and time.Set 9. Signing method to Account key.
Set Signing key to Key 1 ## Tip: There are two signing keys available. You can choose either one, or create SAS tokens with different durations.
Set Stored access policy to None.
Set Permissions to Read.
Enter a custom start and expiry time or leave the defaults. 14. Set Allowed protocols to HTTPS only.
Select Generate SAS token and URI.
Copy the Blob SAS URL and paste it in another window or tab of your browser. It should display the image you uploaded. Keep this tab or window open.
Select Home to return to the Azure portal home page. With the SAS token created, anyone with that link can access the file for the duration that was set when you created the SAS token. However, controlling access to a resource or file is about more than just granting access. It’s also about being able to revoke access. To revoke access with a SAS token, you need to invalidate the token. You invalidate the token by rotating the key that was used. ## Rotate access keys
From the Azure portal home page, in the search box, enter storage accounts.
Select storage accounts under services.
Select the storage account you created in the Prepare exercise.
Expand the Security + networking submenu.
Select Access keys. 6. For Key 1, select Rotate key.
Read and then acknowledge the warning about regenerating the access key by selecting Yes. 8. Once you see the success message for rotating the access key, go back to the window or tab you used to check the SAS token and refresh the page. You should receive an authentication failed error. ## Add tags to a virtual machine You’ll start by adding a pair of tags to the virtual machine. One tag will be to identify the purpose of the virtual machine and the other will be to indicate the department the machine supports.
Login to Microsoft Azure at https://portal.azure.com
From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
From the menu pane, select Tags.
On one line for Name enter Department and for Value enter Customer Service
On the next line, for Name enter Purpose and for Value enter FTP Server.
Select Apply. While you’re working on the virtual machine, it’s a great time to add a resource lock. ## Add a resource lock to a VM
If necessary, expand the Settings submenu.
Select Locks.
Select + Add.
For the name, enter VM-delete-lock.
For the Lock type, select Delete. You may enter a note to help remind you why you created the lock.
Select OK. That’s it. Now the VM is protected from deletion and has tags assigned to help track use. Time to move onto the network. Select Home to return to the Azure portal home page. ## Add tags to network resources
From the Azure portal home page, in the search box, enter virtual networks.
Select virtual networks under services.
Select the guided-project-vnet network.
From the menu pane, select Tags. ## Note: Notice that now you can select an existing tag to apply or add a new tag. You can also select just the name or value and apply create something new in the other field.
For the Name select Department.
For the Value enter IT.
Select Apply. Now both the VNet and VM have are organized. ## Exercise – Clean up ## Warning: Failure to complete this Clean up task could result in unexpected Azure costs. This task will remove resources created during this guided project. ## Remove delete locks If you attempt to delete a resource with a delete lock, you’ll receive a warning that the operation failed due to a delete lock being in place. To avoid that, it’s important to clear delete locks from resources you intend to delete before issuing the delete command.
Login to Microsoft Azure at (Azure Portal)[https://portal.azure.com]
From the Azure portal home page, in the search box, enter virtual machines.
Select virtual machines under services.
Select the guided-project-vm virtual machine.
If necessary, expand the Settings submenu.
Select Locks.
Select Delete on the line for the VM-delete-lock.
On the pop-up window, select Delete to confirm deletion of the lock. Once the delete lock is removed, you’ll be able to delete the VM. While this was the only delete lock required by the exercise, if you applied other delete locks during the exercise, remove them now. When you’re done, select Home to return to the Azure portal home page. ## Delete the project resource group A key benefit of using resource groups is the ability to rapidly delete all of the resources assigned to a resource group at once.
From the Azure portal home page, in the search box, enter Resource groups.
Select resource groups under services.
Select the guided-project-rg resource group.
Select Delete resource group.
Select Apply force delete…
Enter guided-project-rg in the confirmation box.
Select Delete It will approximately 5 minutes before the resource group is fully deleted. You’ll need to refresh the resource group page every few minutes until the guided-project-rg is gone to confirm complete deletion. ## Important: Recall at the beginning of the Guided Project you checked for a NetworkWatcherRG resource group. If there WAS a NetworkWatcherRG when you started, then you’re finished. However, if the NetworkWatcherRG was created for the guided project, you’ll need to delete the NetworkWatcherRG as well following a nearly identical process. ## Delete the NetworkWatcherRG ## Important: If the NetworkWatcherRG existed prior to starting the guided project, do not delete it as part of the guided project clean up.
From the Azure portal home page, in the search box, enter Resource groups.
Select resource groups under services.
Select the NetworkWatcherRG resource group.
Select Delete resource group.
Enter NetworkWatcherRG in the confirmation box.
Select Delete.
On the Delete confirmation pop-up, select Delete.

DEV Community: okunola babatunde

Arm Your Workstation: The Holy Trinity of DevOps Tools

1. Go to https://github.com and sign in (or create an account if you don't have one). I have already created an account.

2. Click the '+' icon in the top-right corner → 'New repository'

3. Name it: devops-lab

4. Leave it PUBLIC, do NOT add a README (we'll push our own code)

5. Click 'Create repository'

6. Copy the HTTPS URL — it will look like: https://github.com/BAOKONCEPTS/devops-lab.git

Create DNS zones and configure DNS settings

Configure network routing

Create and configure Azure Firewall

Create and configure network security groups

Designing Secure Azure Networking for a Web Application Migration: A Practical Hub-and-Spoke Approach

Manage tags and locks

Add tags to a virtual machine

Conclusion

Control storage access

Create a storage container

Upload a file to the storage container

Conclusion:

Manage virtual machines

Move the virtual machine network to the new subnet

Vertically scale the virtual machine

Attach data disks to a virtual machine

Configure automatic shutdown on a virtual machine

Conclusion:

Update the virtual network

Create a new subnet on an existing virtual network (vNet)

Create a network security group

Create an inbound security rule

Associate a network security group to a subnet

Hands-On Azure Infrastructure Setup: My Learning Journey

Note:

Create a virtual network with one subnet

Create a virtual machine

Create a Storage account

Hands-On Azure Cloud Engineering: Managing Networks, Virtual Machines, Storage Blobs, and Resource Governance

Preparing the Azure Environment

Supporting an Azure Administrator

Managing the Virtual Machine

Working with Azure Storage Services

Protecting and Organising Resources with Tags and Locks

Create a resource group

Note:

Create a virtual network with one subnet

Create a virtual machine

Create a Storage account

Create a new subnet on an existing virtual network (vNet)

Create a network security group

Create an inbound security rule

Associate a network security group to a subnet

Vertically scale the virtual machine

Attach data disks to a virtual machine

Configure automatic shutdown on a virtual machine

Create a storage container

Upload a file to the storage container