20 ‐ Scenario 1 ‐ Single VNet with internet connectivity - SanjeevOCI/Study GitHub Wiki
Scenario: You have only one Azure Virtual Network (VNet) that is connected to the internet. The service should be reachable from the internet. The setup must be done using only infrastructure services—no PaaS should be used. The goal is to deploy plain compute and demonstrate understanding of networking, compute, and storage in Azure.
1. Create a Resource Group
First, create a Resource Group if one doesn't already exist. This will contain all related resources in one logical group.
2. Create a Virtual Network (VNet)
Create a new VNet with a non-overlapping address space (e.g., 10.0.0.0/16). This will be your main network to host the compute resources.
3. Create a Public Subnet
Within the VNet, create a subnet (e.g., 10.0.1.0/24). Azure does not assign a public IP to resources by default, and the subnet itself is not inherently public or private: whether a resource is reachable from the internet depends on whether it has a public IP attached and on routing.
4. Create a Network Security Group (NSG)
By default, when you create a VM, Azure creates a Network Security Group with basic rules:
- Ingress: Allows port 3389 (RDP) or port 22 (SSH), based on the selected OS.
- Egress: Allows all outbound traffic.
You can customize this NSG or create your own and associate it with the subnet or with individual NICs.
5. Create a Public IP Address
Azure does not assign a public IP by default. While creating the VM, you need to explicitly choose to create a Public IP Address and associate it with the NIC. This is what makes the instance reachable from the internet.
6. Create a Virtual Machine (Compute)
Launch a VM from the Azure Marketplace (Linux/Windows). During creation:
- Select the VNet and subnet created earlier
- Assign the public IP address
- Attach the NSG (default or custom)
- Choose authentication method (password or SSH key)
7. Routing (Internet Connectivity)
Azure provides a system route table by default. Unlike some other clouds, you do not need to create an internet gateway or manually add a route to it: Azure automatically routes traffic from subnets with public IPs to the internet.
- Route to internet: 0.0.0.0/0 → Internet (default system route)
8. Configure Inbound and Outbound Rules in the NSG
- Ingress rule: Allow TCP port 22 for Linux or 3389 for Windows
  - Source: you can restrict it to your own public IP for security
- Additional ingress rules: Allow port 80 or 443 if you're running a web server
- Egress rule: the default allows all outbound traffic (can be restricted if needed)
9. Optional: Install a Basic Firewall or Defender
Since the instance is internet-facing, you can install a basic OS-level firewall (like ufw on Linux). Azure Firewall is another option, but it is a PaaS service, so it falls outside an infrastructure-only setup. For infrastructure-only setups, tighten both the host-level firewall and the NSG rules.
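Steps 1 to 8 above as a single Azure CLI script, added here as an example and not taken from the wiki. The resource names, region and the admin source CIDR (203.0.113.10/32) are constructed placeholders; the script uses a custom NSG bound to the subnet, restricts SSH to that admin address, opens 443 for the service, and suppresses the second NIC-level NSG that `az vm create` would otherwise add.

```bash
#!/usr/bin/env sh
# Added example (not from the wiki): the single-VNet scenario via Azure CLI.
# Names, region and the admin source CIDR below are constructed placeholders.
set -eu
RG=rg-scenario1             # resource group (step 1)
LOC=eastus
VNET=vnet-scenario1         # VNet 10.0.0.0/16 (step 2)
SUBNET=snet-public          # subnet 10.0.1.0/24 (step 3)
NSG=nsg-public              # custom NSG bound to the subnet (steps 4 and 8)
PIP=pip-vm1                 # explicitly created public IP (step 5)
VM=vm1                      # the VM (step 6)
ADMIN_CIDR=203.0.113.10/32  # placeholder: your own public IP, for the SSH rule
# DRY_RUN=1 (default) prints each command so the plan can be reviewed offline;
# DRY_RUN=0 runs the real CLI (requires "az login").
run_az() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'az'
    for a in "$@"; do
      case "$a" in ''|*' '*) printf " '%s'" "$a" ;; *) printf ' %s' "$a" ;; esac
    done
    printf '\n'
  else
    az "$@"
  fi
}
deploy_scenario1() {
  run_az group create --name "$RG" --location "$LOC"
  run_az network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefixes 10.0.0.0/16 --subnet-name "$SUBNET" --subnet-prefixes 10.0.1.0/24
  run_az network nsg create --resource-group "$RG" --name "$NSG"
  # Ingress: SSH only from the admin address instead of from any source
  run_az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name AllowSSHFromAdmin \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ADMIN_CIDR" --destination-port-ranges 22
  # Ingress: HTTPS from the internet for the service itself
  run_az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name AllowHTTPS \
    --priority 110 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes Internet --destination-port-ranges 443
  # Egress stays on the default allow-all rule; step 7 needs no custom route
  run_az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --network-security-group "$NSG"
  # Standard SKU public IPs deny inbound traffic until an NSG rule allows it
  run_az network public-ip create --resource-group "$RG" --name "$PIP" --sku Standard --allocation-method Static
  # --nsg "" stops az vm create from adding a second NIC-level NSG with its own open SSH rule
  run_az vm create --resource-group "$RG" --name "$VM" --image Ubuntu2204 --size Standard_B1s \
    --admin-username azureuser --generate-ssh-keys --vnet-name "$VNET" --subnet "$SUBNET" \
    --public-ip-address "$PIP" --nsg ""
}
deploy_scenario1
```

Run it as-is to print the eight commands for review, then `DRY_RUN=0 ./scenario1.sh` to deploy.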
Conclusion: In Azure, with one VNet and a public subnet, you can deploy a VM with a public IP, configure the NSG for inbound access, and rely on Azure’s default system routes to provide internet connectivity. Being aware that Azure automatically handles internet routing and does not assign public IPs or NSGs unless explicitly chosen is important to demonstrate your understanding of Azure infrastructure-level networking.