This project gives us the chance to practice managing Azure resources, including networks, virtual machines, and storage blobs. We will also have the chance to work with tags and resource locks. In this article we will learn how to update a virtual network and subnet, manage virtual machines, control storage access, and manage resource tags and locks.
Note : This guided project requires us to provide an Azure subscription. Leaving resources provisioned and running after completion of the exercise may result in unexpected costs. It is important to keep track of resources you create to ensure you remove them during the clean-up task. Where possible, follow recommended naming conventions to make it easier to clean up the resource for this project at the end. Creating and using Azure resources for this project may increase your Azure costs.
Let's get to it!
Phase 1: The first phase is to prepare our environment.
Action plan:
Step 1: From the Azure portal home page, in the search box, enter resource groups. Select Resource groups under services.
Important: Take note of other resource groups that are already created. During clean up, you want to avoid deleting resource groups that were already here. Pay special attention for a resource group called NetworkWatcherRG. If it doesn’t already exist, the NetworkWatcherRG will be created during this guided project and should be deleted at the end. However, if the NetworkWatcherRG already exists prior to starting this project, you should NOT delete it at the end. It may be helpful to take a screenshot of resource groups that exist before you create the group for the guided project.
Step 2: Select Create.
Note: Your subscription should already be selected. If you have multiple Azure subscriptions associated with this login, select the one you’d like to use for the guided project.
Step 3: Enter guided-project-rg in the Resource group name field. The Region field will automatically populate. Leave the default value. Select Review + create.
Step 4: Select Create.
Step 5: Return to the home page of the Azure portal by selecting Home. If Home is not visible, select Microsoft Azure.
Step 6: Create a virtual network with one subnet
From the Azure portal home page, in the search box, enter virtual networks. Select virtual networks under services.
Step 7:Select Create.
Step 8: Click Resource group drop-down menu and select the Resource group we created earlier, guided-project-rg Scroll down to the Instance details section and enter guided-project-vnet for the Virtual network name. Select Review + create.
Step 9: Select Create. Wait for the screen to refresh and show Your deployment is complete.
Step 10: Select Home to return to the Azure portal home page.
Step 11: Create a virtual machine. From the Azure portal home page, in the search box, enter virtual machines. Select virtual machines under services.
Step 12: Select Create and then select Virtual machine.
Step 13: Select guided-project-rg for the Resource group.
Enter guided-project-vm for the Virtual machine name.
Important : Notice the error when you scroll down. This size is currently unavailable in East USfor the current subscription: NotAvailableForSubscription.
Troubleshooting Azure: Regional Quota & Resource Constraints
When deploying a Virtual Machine (VM) in Azure, you might hit a Subscription Quota or SKU Availability error. This usually means your chosen VM size isn't available in your current region (e.g., US East).
The quick fix? Deploy the VM to a region like Korea Central where the size is supported. But what happens to your existing infrastructure? Here is the breakdown:
1. The Resource Group (RG)
You do not need to delete your Resource Group in US East.
- The Logic: An RG is a logical container used for management and metadata.
- The Benefit: While the RG itself is located in US East to store its metadata, the actual resources inside it (VMs, Networks, Storage) can be located in any region supported by your subscription.
2. The Virtual Network (VNet) Dependency.
Unlike the Resource Group, a Virtual Machine must reside in the same region as its Virtual Network. Because we are moving the VM to Korea Central, the initial VNet in US East becomes incompatible.
- The Fix: We must deploy a new Virtual Network in Korea Central to support the new VM.
3. The Implementation Strategy
If the project requires a specific, unique naming convention for the VNet:
- Delete the initial Virtual Network in US East (to free up the name).
- Deploy the new Virtual Machine to Korea Central.
- Create the new Virtual Network in Korea Central during the deployment process, using the required name.
Key Takeaway
Resource Groups are globally flexible logical containers, but Networking and Compute resources are "region-locked" to each other. Always ensure your VNet and VM share the same regional home!
Step 14 : Now lets get back to creating our VM. Due to the Size constraint we will change the region to Korea Central. Once you notice the error is gone, proceed to the next step. For the Image, select one of the Ubuntu Server options. (For example, Ubuntu Server 24.04 LTS - x64 Gen2). Select an available size for your VM in your selected region. Continue further on the Basics page to the Administrator account section. Select Password for authentication type. Enter guided-project-admin for the admin Username. Enter a password for the admin account. Confirm the password for the admin account. Leave the rest of the settings as default settings. You can review the settings if you like, but shouldn’t change any. Select Review + create. Select create. Go to Home page after deployment confirmation.
.
Step 15: We will proceed create a Storage account. From the Azure portal home page, in the search box, enter storage accounts. Select Storage accounts under services. Select create.
Scroll down to the Instance details section and enter a name for the storage account. Storage accounts must be globally unique, so you may have to try a few different times to get a storage account name.
Select Review + create. Select Create. Wait for the screen to refresh and show Your deployment is complete. Select Home to return to the Azure portal home page. We have completed the Prepare exercise. Return to Microsoft Learn to continue to Phase 2.
Phase 2: Update the virtual network. We are helping an Azure Admin maintain resources. While we won’t be responsible for maintaining the entire infrastructure, the Admin will ask us to help out by completing certain tasks.
Currently, there’s a Linux virtual machine (VM) that’s underutilized, and a need for a new Linux machine to serve as an FTP server. However, the Azure admin wants to be able to track network flow and resource utilization for the needed FTP server, so has asked us to start out by provisioning a new subnet. The current subnet should be left alone, as there are future plans for using it for additional VMs.
Action plan:
Step 1: Create a new subnet on an existing virtual network (vNet).
From the Azure portal home page, in the search box, enter virtual networks. Select virtual networks under services. Select the guided-project-vnet virtual network. From the guided-project-vnet blade, under settings, select Subnets. To add a subnet, select + Subnet. For Subnet purpose leave it as Default. For Name* enter: ftpSubnet. Leave the rest of the settings alone and select Add. To increase security, you need to configure a Network security group to restrict which ports are allowed on the subnet.
Step 2 : Create a network security group . From the Azure portal home page, in the search box, enter virtual networks. Select virtual networks under services. Select Network security groups. Select + Create. Verify the subscription is correct*. Select the **guided-project-rg resource group. Enter ftpNSG for the network security group name. Select Review + create. Once the validation is complete, select Create. Wait for the screen to refresh and display Your deployment is complete. Select Go to resource.
Step 3 : Create an inbound security rule. Under settings, select Inbound security rules. Select + Add. Change the Destination port ranges from 8080 to 22. Select TCP for the protocol. Set the name to ftpInbound. Select Add.
Select Home to return to the Azure portal home page. We created a new Network security group and configured rules to allow inbound FTP traffic. Now, we will need to associate the new network security group with the ftpSubnet.
Step 4 : Associate a network security group to a subnet.
From the Azure portal home page, in the search box, enter virtual networks. Select virtual networks under services. Select the guided-project-vnet virtual network. Under settings, select Subnets. Select the ftpSubnet we created. On the Edit subnet page, under the Security section heading, update the Network security group field to ftpNSG. Select Save. We have completed the work needed to prepare the network for shifting the current Linux VM to a new subnet that’s designed to handle incoming FTP traffic. We will move to Phase 3.
Phase 3:Manage virtual machines. With the network settings updated to support segmenting the Linux virtual machine, you are ready to manage the virtual machine itself. The first thing the Azure admin asks us to complete is moving the virtual machine to the new subnet you created in the previous exercise.
Action plan:
Step 1: Move the virtual machine network to the new subnet
From the Azure portal home page, in the search box, enter virtual machines. Select virtual machines under services. Select the guided-project-vm virtual machine. If the virtual machine is running, select Stop. Wait for the Status field to update and show Stopped (deallocated). Within the Networking subsection of the menu, select Network settings. Select the Network interface / IP configuration hyperlink for the VM. On the IP Configurations page, update the Subnet to ftpSubnet. Select Apply. Good job! we have migrated the VM from one subnet to another. Remember, the new subnet had specific network security rules applied to help it function as an FTP server.
Step 2:The next task from the Azure admin relates to the computing power of the VM. The admin would like us to vertically scale the machine to increase the computing power . From the Azure portal home page, in the search box, enter virtual machines . Select virtual machines under services. Select the guided-project-vm virtual machine . Locate the Availability + scale submenu and select Size . Select a new VM size D2s_v5 for example . (Note: If you don’t see the same size as shown in this exercise, select something similar.) Select Resize . Note: The VM size may not update in the Azure UI until the VM is restarted. Select Home to return to the Azure portal home page.
With the VM scaled up to a more robust processor, it can handle the new role it’s being assigned. However, now the Azure admin realizes that if the VM is going to server as an FTP server, it needs more storage. The Azure admin asked us to attach a new data disk to the VM.
Step 3: Attach data disks to a virtual machine. From the Azure portal home page, in the search box, enter virtual machines. Select virtual machines under services. Select the **guided-project-vm virtual machine. Locate the settings submenu and select Disks. Select Create and attach a new disk.Leave LUN as default.Enter ftp-data-disk for the Disk name.Leave the Storage type as default.Enter 20 for the Size.Select Apply to create the new storage disk and attach the disk to the machine. Select Home to return to the Azure portal home page.
Awesome! Now the VM has enough storage to handle some uploads. The final thing the Azure admin is concerned about is the cost of running the computer 24 hours a day. The first thing they will do every morning is start up the FTP server. However, they’d like you to configure it to automatically shutdown every day at 7 PM Coordinated Universal Time (UTC).
Step 4 : Configure automatic shutdown on the virtual machine.
From the Azure portal home page, in the search box, enter virtual machines. Select virtual machines under services. Select the guided-project-vm virtual machine. Under the Operations submenu, select Auto-shutdown. In order to let late uploads finish, set the Scheduled shutdown to 7:15:00 PM. Select Save. Select Home to return to the Azure portal home page. Congratulations! We have successfully completed all of the management tasks the Azure admin needed a hand with for the virtual machine.
Phase 4: Control storage access. The Azure admin wants us to get more familiar with storage accounts, containers, and file shares. They anticipate needing to share an increasing number of files and need someone who is skilled using these services. They have given us a task of creating a storage container and a file share and uploading files to both locations.
Action plan:
Step 1: Create a storage container . From the Azure portal home page, in the search box, enter storage accounts. Select storage accounts under services. Select the storage account you created in the Prepare environmental variables. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.). On the storage account blade, under the Data storage submenu, select Containers. Select + Add container. In the Name field, enter storage-container.Select Create.
Step 2 : Upload a file to the storage container. With a storage container created, we can now upload a blob to the container. Now, Locate a picture that you can upload, either on your computer or from the internet, and save it locally to make uploading easier. Select the storage container you just created. Select Upload and upload the file you prepared. Once the file is ready for upload, select Upload.
With the file uploaded, notice that the Access tier is displayed. For something we uploaded just for testing, it doesn’t need to be assigned to the Hot access tier. In the next few steps, we will change the access tier for the file.
Step 3 : Change the access tier. Select the file you just uploaded (the file name is a hyperlink). Select Change tier. Select Cold. Select Save. Select Home to return to the Azure portal home page. Good job! We have successfully uploaded a storage blob and changed the access tier from Hot to Cold. Next, we work with file shares.
Step 4 : Create a file share . From the Azure portal home page, in the search box, enter storage accounts . Select storage accounts under services. Select the storage account. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.). On the storage account blade , under the Data storage submenu, select File shares . Select + File share . On the Basics tab , in the name field enter ** file-share** . On the Backup tab, uncheck Enable backup . Select Review + create . Select ** Create** . Once the file share is created , select Upload . Upload ** the same file you uploaded to the blob storage or a different file, it’s up to you.Select Home to return to the Azure portal home page.
The next piece of the puzzle is figuring one way to control access to the files that have been uploaded. Azure has many ways to control files, including things like role-based access control. In this scenario, the Azure admin wants us to use shared access tokens or keys.
Step 5 : Create a shared access signature token. From the Azure portal home page, in the search box, enter storage accounts. Select storage accounts under services. Select the storage account we created in the Prepare exercise. On the storage account blade, select Storage browser. Expand Blob containers. Note: Blob container is another name for the storage containers. Items uploaded to a storage container are called blobs. Select the storage container we created earlier, storage-container. Select the ellipses (three dots) on the end of the line for the image you uploaded. Select Generate SAS. Note: When you generate a shared access signature, you set the duration. Once the duration is over, the link stops working. The Start automatically populates with the current date and time. Set the signing method to Account key. Set Signing key to Key 1. Set Stored access policy to None. Set Permissions to Read. Enter a custom start and expiry time or leave the defaults. Set Allowed protocols to HTTPS only. Select Generate SAS token and URI. Copy the Blob SAS URL and paste it in another window or tab of your browser. It should display the image you uploaded. Keep this tab or window open. Select Home to return to the Azure portal home page. With the SAS token created, anyone with that link can access the file for the duration that was set when you created the SAS token. However, controlling access to a resource or file is about more than just granting access. It’s also about being able to revoke access. To revoke access with a SAS token, you need to invalidate the token. You invalidate the token by rotating the key that was used.
Step 6 : Expand the Security + networking submenu. Select Access keys. For Key 1, select Rotate key. Read and then acknowledge the warning about regenerating the access key by selecting Yes. Once you see the success message for rotating the access key, go back to the window or tab you used to check the SAS token and refresh the page. You should receive an authentication failed error.
Phase 5: Pleased with our progress so far, the Azure admin hopes that we can wrap a few things up to help with monitoring and protecting resources. They want to know that someone can’t accidentally get rid of the virtual machine that’s running as an FTP server, and they want a quick way to see what department is using resources and the resource’s purpose.
Action plan:
Step 1: Adding tags to resources is a quick way to be able to group and organize resources. Tags can be added at different levels, giving us the ability to organize and group resources at a level that makes sense. Add tags to a virtual machine . We will start by adding a pair of tags to the virtual machine. One tag will be to identify the purpose of the virtual machine and the other will be to indicate the department the machine supports. From the Azure portal home page, in the search box, enter virtual machines. Select virtual machines under services. Select the guided-project-vm virtual machine. From the menu pane, select Tags. On one line for Name enter Department and for Value enter Customer Service. On the next line, for Name enter Purpose and for Value enter FTP Server. Select Apply.
Step 2: Add a resource lock to a VM. If necessary, expand the Settings submenu. Select Locks. Select + Add. For the name, enter VM-delete-lock. For the Lock type, select Delete.You may enter a note to help remind you why you created the lock. Select OK. That’s it. Now the VM is protected from deletion and has tags assigned to help track use. Time to move onto the network. Select Home to return to the Azure portal home page.
Step 3 : Add tags to network resources. From the Azure portal home page, in the search box, enter virtual networks. Select virtual networks under services. Select the guided-project-vnet network. From the menu pane, select Tags. For the Name select Department. For the Value enter IT. Select Apply. Now both the VNet and VM have are organized.
Phase 6: Remove delete locks. If you attempt to delete a resource with a delete lock, you’ll receive a warning that the operation failed due to a delete lock being in place. To avoid that, it’s important to clear delete locks from resources you intend to delete before issuing the delete command.
Action plan:
Step 1 : From the Azure portal home page, in the search box, enter
virtual machines . Select virtual machines under services. Select the guided-project-vm virtual machine . If necessary, expand the Settings submenu . Select Locks . Select Delete on the line for the VM-delete-lock . On the pop-up window , select Delete to confirm deletion of the lock. Once the delete lock is removed, we will be able to delete the VM . While this is the only delete lock required by the exercise, if you applied other delete locks during the exercise, remove them now. When you’re done, select Home to return to the Azure portal home page.
Step 2 : Delete the project resource group . A key benefit of using resource groups is the ability to rapidly delete all of the resources assigned to a resource group at once. From the Azure portal home page, in the search box, enter Resource groups . Select resource groups under services. Select the guided-project-rg resource group . Select Delete resource group. Select Apply ** force delete** . Enter ** guided-project-rg** in the confirmation box . Select Delete . On the Delete confirmation pop-up , select Delete. It will approximately 5 minutes before the resource group is fully deleted . We will need to refresh the resource group page every few minutes until the guided-project-rg is gone to confirm complete deletion. Important: Recall at the beginning of the Project we checked for a NetworkWatcherRG resource group. If there WAS a NetworkWatcherRG when you started , then you’re finished . However, if the NetworkWatcherRG was created for the guided project, we will need to delete the NetworkWatcherRG as well following a nearly identical process.
Congratulations – We have finished the Project and the clean up task is completed
Mission Accomplished !
Top comments (1)
Hi
Nice to meet you
Thank for your working.
How are you doing?
I am a senior full stack ai and mobile app developer with over 10 years of experience.
Can we discuss about your project together?