Nwafor Somadina Emeka

Azure CLI Resources Deployment Architecture 1

This guide provides a comprehensive walkthrough for deploying cloud infrastructure using the Azure Command-Line Interface within a Linux environment. It outlines the initial steps of installing the toolkit and authenticating an account before moving into the creation of resource groups and virtual networks. The text details how to configure security rules and firewalls to manage traffic, ensuring that specific ports are open for remote access and web services.

Furthermore, it explains the process of provisioning a Linux virtual machine, assigning public IP addresses, and installing Nginx to host a functional web page. By following these structured phases, users can successfully transition from basic setup to a live cloud server deployment.

Phase 1: Environment Setup and Authentication

Before creating resources, you must install the Azure CLI and authenticate your session.

  • Installation: In a Linux environment, Azure CLI can be installed via the command brew install azure-cli
  • Login: Use the command az login to authenticate with your Azure account
  • Account Configuration: You can verify your active account with az account show and set a specific subscription using az account set --subscription "Your Subscription Name"

Action plan:

Install Azure CLI & Login

  • Open Visual Studio Code, go to File and click Open Folder in the dropdown. Click New Folder to create a folder, rename it "Linux server", select it and save. Everything we handle for Linux will be saved in this folder.

  • We will be using the terminal most of the time. To get to the terminal, click View and then click Terminal in the dropdown.

  • We are going to install the Azure CLI in our terminal window. Use brew install azure-cli

  • Agree to the installation terms.

  • To check the version, run az --version

  • Once the confirmation report is retrieved, proceed to log in. Type az login and press Enter, then select the account you want to log in with. Type az account show to show the active account, and az account set --subscription "Your Subscription Name" to select the subscription to use.


Phase 2: Logical Organization (Resource Groups)

Resources in Azure are organized into Resource Groups (RG), which serve as logical containers.

  • Variable Usage: It is recommended to set shell variables for frequently used values like the resource group name (RG=azurecli-lab-rg) and location (LOCATION="eastus") to simplify later commands.
  • Creation: The command az group create --name $RG --location $LOCATION establishes the group where all subsequent resources will reside.

Action plan:

Set a variable for the resource group

RG="azurecli-lab-rg"
LOCATION="koreacentral"


Phase 3: Networking and Security Configuration

A secure network environment must be established before deploying virtual machines:

  • Virtual Network (VNet) and Subnet: These provide the private network for resources to communicate. They are created using az network vnet create, specifying address prefixes for the VNet and a dedicated subnet (e.g., "FrontEnd").
  • Network Security Group (NSG): Acting as a virtual firewall, an NSG is created with az network nsg create.
  • Firewall Rules: By default, Azure blocks inbound traffic. You must explicitly "poke holes" in the firewall by creating rules with az network nsg rule create to allow specific traffic, such as SSH (Port 22) for administration and HTTP (Port 80) for web access.
  • Association: The NSG must be attached to the subnet to ensure any VM created within it inherits these security rules.

Action plan:

Create the Virtual Network and Subnet

  • The virtual network is the private network your Azure resources communicate on, while the Subnet allows you to apply different routing and firewall rules to different types of resources. We will proceed to run this command in the terminal:

az network vnet create --resource-group $RG --name "MyVnet" --location $LOCATION --address-prefix 10.0.0.0/16 --subnet-name "FrontEnd" --subnet-prefix 10.0.1.0/24

Create a Network Security Group (NSG)

This acts as a virtual firewall. Without an NSG attached, Microsoft allows no inbound traffic but allows all outbound traffic. We need an NSG to poke specific holes in the firewall. We will proceed to run this command in the terminal:

az network nsg create --resource-group $RG --location $LOCATION --name "lab-nsg"

Open port 22 (SSH) & 80 (HTTP)

Add inbound rules prioritizing SSH (port 22) and HTTP (port 80) access from the internet. We will need SSH to log in and configure the server, and HTTP so users can view the web page. Let us proceed to run this command in the terminal:

az network nsg rule create \
  --resource-group $RG \
  --nsg-name "lab-nsg" \
  --name "AllowSSH" \
  --priority 1000 \
  --destination-port-ranges 22 \
  --access Allow \
  --protocol Tcp \
  --direction Inbound

  • Allow HTTP (Port 80). Let us proceed to run this command in the terminal:

az network nsg rule create --resource-group $RG --nsg-name "lab-nsg" --name "AllowHTTP" --priority 1010 --destination-port-ranges 80 --access Allow --protocol Tcp --direction Inbound

Attach NSG to Subnet.

This enforces the firewall rules (NSG) at the subnet boundary. Applying the NSG to the subnet ensures that any VM created in that subnet automatically inherits those exact firewall rules, protecting the entire subnet. Let us proceed to run this command in the terminal:

az network vnet subnet update \
  --resource-group $RG \
  --vnet-name "MyVnet" \
  --name "FrontEnd" \
  --network-security-group "lab-nsg"

  • Verification: Once you've run these, you can verify they were created successfully with this command:

az network nsg rule list --resource-group $RG --nsg-name "lab-nsg" --output table


Phase 4: Provision a Linux Virtual Machine

The final stage involves creating the actual compute resource and ensuring it is accessible:

  • Public IP Allocation: To access a VM from the internet, you must allocate a public IP. Microsoft is phasing out "Basic" SKUs, so a "Standard" SKU with a Static allocation method should be used: az network public-ip create --sku Standard --allocation-method Static
  • VM Creation: The az vm create command pulls all previous components together. It specifies the image (e.g., Ubuntu2204), size, administrative username, and connects the VM to the previously created VNet, subnet, and NSG. Using the --generate-ssh-keys flag automatically handles the authentication keys.

Action plan:

Allocate a Public IP

Without a public IP, the VM can only be accessed internally through the VNet or a VPN. You need this to reach your web server from your browser.

From the error above, essentially, Azure is telling us that for our specific subscription and region, the limit for Basic SKU Public IPs is currently set to zero. Additionally, Microsoft is phasing out the Basic SKU in favor of the Standard SKU for better security and performance.

The Fix
To bypass this error, we will need to change the --sku to Standard. In Azure, a Standard SKU Public IP must also use the Static allocation method (it does not support Dynamic).

Run this command instead:

az network public-ip create --resource-group $RG --name lab-public-ip --allocation-method Static --sku Standard

or

az network public-ip create \
  --resource-group $RG \
  --name lab-public-ip \
  --allocation-method Static \
  --sku Standard

Create the VM

This creates a B1s Ubuntu VM with auto-generated SSH keys and connects it to the existing subnet and firewall.

  • Create the VM (this will generate SSH keys in ~/.ssh if not present):

az vm create \
  --resource-group $RG \
  --name lab1-vm \
  --image Ubuntu2204 \
  --size Standard_B2s_v2 \
  --location koreacentral \
  --admin-username azureuser \
  --generate-ssh-keys \
  --vnet-name lab1-vnet \
  --subnet lab1-subnet \
  --public-ip-address lab1-public-ip \
  --nsg lab1-nsg

Retrieve the public IP. Filters the Azure API response to return just the IP address string.

We will need this IP to SSH into the machine and to test the web application. Run this command in the terminal:

az network public-ip show --resource-group $RG --name lab1-public-ip --query ipAddress --output tsv

Verify the VM is running.

This queries the VM status and displays it in a clean table format. Always verify provisioning success before attempting connections. Run this command in the terminal:

az vm show --resource-group $RG --name lab1-vm --show-details --query '{Name:name, State:powerState, IP:publicIps}' --output table

SSH into your VM & install Nginx.

This step logs into the VM over the internet via SSH, installs the Nginx package using APT, and starts the service. A fresh VM is blank. Nginx serves as the web server to test our HTTP port 80 firewall rule. Run this command in the terminal to look up the address to connect to:

az network public-ip show \
  --resource-group $RG \
  --name "lab1-public-ip" \
  --query "ipAddress" \
  --output tsv

The Connection timed out error in our latest screenshot indicates that while our VM is running, our terminal cannot reach it over port 22. This is almost certainly because the Network Security Group (NSG) for our new lab1 infrastructure does not yet have a rule allowing SSH traffic.
Think of the NSG as a locked door; even if the server is "home," you can't get in unless you specifically authorize the port.

The Fix: To Open Port 22
Run this command to tell Azure to allow SSH connections into our lab1-nsg:

az network nsg rule create \
  --resource-group $RG \
  --nsg-name "lab1-nsg" \
  --name "ManualAllowSSH" \
  --priority 100 \
  --destination-port-ranges 22 \
  --access Allow \
  --protocol Tcp \
  --direction Inbound

Run
ssh -i ~/.ssh/id_rsa azureuser@20.41.100.132 "sudo apt update && sudo apt install nginx -y && sudo systemctl start nginx"
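
Both the Phase 3 rule setup and the timeout diagnosis above come down to which NSG rule decides a given port. The following added example (not part of the original post) evaluates a rule list the way the NSG does for TCP traffic arriving from the internet, and reports whether the deciding rule accepts any source address. The tab-separated field order, the sample rules and the 203.0.113.10/32 address are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Input: one rule per line, tab-separated:
#   priority  name  direction  access  protocol  source  destPort
# Assumed way to produce it for single-port rules like the ones in this guide:
#   az network nsg rule list --resource-group "$RG" --nsg-name lab1-nsg --output tsv \
#     --query "[].[priority,name,direction,access,protocol,sourceAddressPrefix,destinationPortRange]"

# nsg_inbound_verdict PORT < rules
# Prints "<access> <rule> <source>" for the inbound TCP rule with the lowest
# priority number that covers PORT. With no match the built-in DenyAllInBound
# rule decides, and the client sees a connection timeout.
nsg_inbound_verdict() {
  sort -n | awk -F'\t' -v port="$1" '
    function covers(range, p,   b) {
      if (range == "*") return 1
      if (split(range, b, "-") == 2) return (p + 0 >= b[1] + 0 && p + 0 <= b[2] + 0)
      return (range + 0 == p + 0)
    }
    $3 == "Inbound" && ($5 == "Tcp" || $5 == "*") && covers($7, port) {
      print $4, $2, $6; found = 1; exit
    }
    END { if (!found) print "Deny DenyAllInBound *" }'
}

# nsg_world_open PORT < rules
# Exit status 0 when the deciding rule allows PORT from any source address.
nsg_world_open() {
  case "$(nsg_inbound_verdict "$1")" in
    "Allow "*" *" | "Allow "*" Internet" | "Allow "*" 0.0.0.0/0") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: lab1-nsg once both rules from this guide exist.
rules_guide() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    1010 AllowHTTP Inbound Allow Tcp '*' 80 \
    100 ManualAllowSSH Inbound Allow Tcp '*' 22
}
# Hypothetical variant: the SSH rule created with
#   --source-address-prefixes 203.0.113.10/32   (documentation address)
rules_restricted() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    100 ManualAllowSSH Inbound Allow Tcp 203.0.113.10/32 22
}

rules_guide | nsg_inbound_verdict 22       # Allow ManualAllowSSH *
rules_restricted | nsg_inbound_verdict 22  # Allow ManualAllowSSH 203.0.113.10/32
printf '' | nsg_inbound_verdict 22         # Deny DenyAllInBound *
```

The rules in this guide are created without a source prefix, so they match any source address; `nsg_world_open 22` makes that visible for the SSH rule.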


Conclusion: Since our terminal shows the installation is done, let's head over to Chrome to do a final verification. First we have to allow access by running this final command in the terminal:
az network nsg rule create --resource-group $RG --nsg-name lab1-nsg --name AllowHTTP --priority 1010 --destination-port-ranges 80 --access Allow --protocol Tcp --direction Inbound

  • Proceed to open Edge and paste the IP address: http://20.41.100.132. The result: you should see a white page with bold text saying "Welcome to nginx!".
