20_1 ‐ Scenario 1 ‐ Single VNet with internet connectivity - SanjeevOCI/Study GitHub Wiki
1. Create a Resource Group
Start by creating a Resource Group, if one doesn’t already exist. This helps logically organize and isolate resources.
2. Create a New Virtual Network (VNet)
Create a new Virtual Network with a non-overlapping address space (e.g., 10.0.0.0/16). This ensures there’s no IP conflict with other networks.
3. Create a Public Subnet
Create a subnet with a smaller CIDR range, sized to the network and the number of services I need to configure in it.
In Azure, subnets are not inherently public or private — public access depends on whether the NIC of the VM has a Public IP assigned.
Since I need my compute instance to be reachable from the internet, I will assign a Public IP when creating the VM.
4. Public IP Configuration
In Azure, there is no separate Internet Gateway like in OCI — internet routing is handled by default.
To make the VM reachable from the internet, I will create and associate a Public IP Address resource with the NIC of the VM during creation.
5. Create a Virtual Machine (Instance)
In the public subnet, I will create a Virtual Machine and assign the Public IP.
While creating the VM, I will select:
- The Resource Group and VNet created earlier
- The Public Subnet
- Public IP assignment
- Network Security Group configuration
- OS image and authentication method (SSH key for Linux or password for Windows)
6. Routing to the Internet
Azure automatically creates system routes for internet-bound traffic when a Public IP is assigned.
You don’t need to manually create an internet route like in OCI.
The default route for internet traffic is:
- Destination CIDR Block: 0.0.0.0/0
- Next Hop: Internet
7. Configure Network Security Group (NSG) Rules
By default, an NSG is created during VM creation (if you choose that option).
I will configure two rules – one for egress and one for ingress.
⚠ Important – NSG Priority Concept:
Azure NSG rules have priorities ranging from 100 to 4096 (lower number = higher priority).
The default inbound NSG rule is Deny All Inbound at a low priority (high number).
To allow inbound SSH (port 22) or RDP (port 3389) traffic, I must create a rule with higher priority (lower number) than the default deny rule so that my allow rule is evaluated first.
Egress --> By default, Azure allows all outbound traffic. I can keep this as-is unless there’s a security need to restrict it.
- Egress Rule:
  - Destination: 0.0.0.0/0
  - Protocol: All (or TCP for specific services)
  - Allow all outbound traffic since it poses low risk
Ingress --> I will create an inbound rule to allow management access and optionally application traffic.
- Ingress Rule:
  - If accessing the instance via SSH (Linux), allow TCP port 22
  - If accessing via RDP (Windows), allow TCP port 3389
  - Priority: set to a low value (e.g., 100) so it is evaluated before the default deny rule
  - Restrict the source to your specific laptop/desktop's public IP for security
  - If the application needs to be accessible over the internet (web traffic), allow port 80 (HTTP) and/or 443 (HTTPS)
  - Source CIDR for public web access: 0.0.0.0/0
Default NSG Rules in Azure:
- Default Inbound:
  - Deny all inbound by default (this rule has a high priority number, so it is overridden by any custom allow rule with a lower number)
- Default Outbound:
  - Allow all outbound by default
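To make the priority concept concrete, the following is an added example (not part of the original wiki page) that models how Azure evaluates inbound NSG rules against the scenario's own rules: SSH restricted to the admin's public IP, web ports open to all, and the fixed default rules underneath. The admin address, rule names and tested flows are constructed samples, and the VirtualNetwork and AzureLoadBalancer service tags are approximated by the page's 10.0.0.0/16 range and the load balancer probe address.

```python
"""Added example (not from the SanjeevOCI/Study wiki): a minimal model of Azure
NSG inbound rule evaluation, showing why a custom allow rule needs a lower
priority number than the default DenyAllInBound rule (65500).
Rule names, the admin address and the tested flows are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int             # custom rules: 100-4096; lower number wins
    access: str               # "Allow" or "Deny"
    source: str               # source CIDR, or "*" for any address
    dest_port: Optional[int]  # None = any destination port

    def matches(self, src_ip: str, port: int) -> bool:
        src_ok = self.source == "*" or ip_address(src_ip) in ip_network(self.source)
        return src_ok and (self.dest_port is None or self.dest_port == port)

# Azure's fixed default inbound rules. The VirtualNetwork and AzureLoadBalancer
# service tags are approximated here by the page's VNet CIDR and the LB probe IP.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "10.0.0.0/16", None),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "168.63.129.16/32", None),
    Rule("DenyAllInBound", 65500, "Deny", "*", None),
]

def evaluate(custom: List[Rule], src_ip: str, port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first match in ascending priority order."""
    for r in custom:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: custom rule priority must be 100-4096")
    for rule in sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.matches(src_ip, port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

# Scenario rules: SSH only from the admin workstation, web ports open to all.
ADMIN_IP = "203.0.113.10"  # constructed sample address (TEST-NET-3)
SCENARIO_RULES = [
    Rule("AllowSSHFromAdmin", 100, "Allow", f"{ADMIN_IP}/32", 22),
    Rule("AllowHTTP", 110, "Allow", "*", 80),
    Rule("AllowHTTPS", 120, "Allow", "*", 443),
]

if __name__ == "__main__":
    for src, port in [(ADMIN_IP, 22), ("198.51.100.7", 22), ("198.51.100.7", 443)]:
        print(f"{src}:{port} -> {evaluate(SCENARIO_RULES, src, port)}")
```

Running it shows SSH from the admin address hitting the priority-100 allow rule, SSH from any other internet address falling through to DenyAllInBound, and HTTPS from anywhere being allowed.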
8. Harden with a Firewall
As the instance is connected to the internet, I will also make sure that firewall protection is in place at every layer of the deployment.
For example, I would recommend that the client deploy a Palo Alto firewall or a similar Network Virtual Appliance (NVA) in the VNet.
A Palo Alto firewall provides Layer 7 (application-level) protection, detects threats, and helps prevent attacks. Because the service is publicly accessible, the exposure to external threats is higher, so firewall protection is essential to secure the infrastructure.
9. Storage Configuration
- OS Disk (automatically created with VM)
- Attach additional Data Disks if needed
- Optionally configure Azure Disk Backup for volume backup policy
10. Verify Access
- SSH into the Linux VM or RDP into the Windows VM using its public IP.
- Host a simple app or web server and test from the internet.