22 ‐ Single Private VNet with no internet, having all other services connected like blob storage - SanjeevOCI/Study GitHub Wiki

1. Create a Resource Group
Start by creating a Resource Group, if one doesn’t already exist. This helps logically organize and isolate resources.


2. Create a New Virtual Network (VNet)
Create a new Virtual Network with a non-overlapping address space (e.g., 10.0.0.0/16).
This ensures there’s no IP conflict with other networks.


3. Create a Private Subnet
Create a private subnet within the VNet with a smaller CIDR range based on your requirements.
Since this network will have no internet connectivity, you will:

  • Not assign a Public IP to the VM
  • Not associate the subnet with any NAT Gateway or Public Load Balancer

4. No Internet Gateway / Public Routing
Azure does not have a separate Internet Gateway resource. Internet access is provided through system routes when a public IP is present.
In this case:

  • Do not create a Public IP
  • Do not associate a NAT Gateway
  • Use only internal routing

5. Create a Virtual Machine (Instance)
In the private subnet, create a Virtual Machine without a Public IP.
This ensures the VM is not reachable directly from the internet.
The VM can still connect to:

  • Managed Disks (Azure equivalent of block volumes)
  • Azure Blob Storage (object storage equivalent) through private connectivity

6. Configure Access to Azure Services Privately (Optional)
If the VM needs to connect to Azure services like Blob Storage:

  • Use Private Endpoints to connect to the storage account privately over Azure backbone
  • Alternatively, use Service Endpoints on the subnet for restricted access

7. Configure Network Security Group (NSG) Rules

Update the NSG attached to the subnet or NIC:

  • Egress Rule:
    • Destination: Internal VNet CIDR or service-specific endpoint IPs
    • Protocol: All (or TCP for specific ports needed)
  • Ingress Rule:
    • Allow inbound traffic from trusted subnets or on-premises via VPN/ExpressRoute only
    • For management access, connect through Azure Bastion or an on-prem jump server

Default NSG Rules in Azure:

  • Default Inbound: Deny all inbound by default
  • Default Outbound: Allow all outbound by default (still subject to routing restrictions)

8. Harden with a Firewall
Even without internet access, traffic inside the VNet and from on-premises still needs to be controlled.
Options include:

  • Azure Firewall (in private mode without public IP)
  • Third-party firewall appliances in the VNet
  • Strict NSG rules for segmentation, on their own or alongside a firewall

9. Storage Configuration

  • OS Disk (automatically created when VM is created)
  • Attach additional Data Disks (block storage equivalent) if needed
  • Use Blob Storage via Private Endpoints for backups and data storage
  • Optionally enable Azure Backup for VM disks

10. Verify Access

  • Connect to the private VM using Azure Bastion or VPN from on-premises
  • Test access to Managed Disks and Blob Storage via private connectivity
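An added verification script for steps 4, 7 and 10 (example code, not from the wiki page), meant to be run on the private VM: it checks that the storage account's blob FQDN resolves to a private endpoint address inside the VNet CIDR, and that outbound internet is blocked. The VNet CIDR 10.0.0.0/16, the placeholder account name and the `--run` flag are assumptions; the internet check matters because a VM with no public IP can still reach out through Azure's default outbound access unless an NSG rule or route table blocks it.

```bash
#!/bin/sh
# Added example (not from the wiki page). Run on the private VM with:
#   VNET_CIDR=10.0.0.0/16 STORAGE_ACCOUNT=<account> sh verify_private_vnet.sh --run
# The CIDR, account name and flag are placeholders/assumptions, not page values.
VNET_CIDR="${VNET_CIDR:-10.0.0.0/16}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-examplestorageacct}"   # placeholder name

# Dotted-quad IPv4 -> 32-bit integer, using only POSIX shell arithmetic.
ip_to_int() {
  _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when IPv4 $1 lies inside CIDR $2 (e.g. 10.0.1.5 in 10.0.0.0/16).
ip_in_cidr() {
  _net=${2%/*}; _bits=${2#*/}
  if [ "$_bits" -eq 0 ]; then _mask=0
  else _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF )); fi
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Check 1: the blob FQDN must resolve to the private endpoint NIC in the VNet.
# A public address here means the privatelink DNS zone is not linked to this
# VNet, so the VM would try to reach storage over the internet path instead.
check_private_dns() {
  _ip=$(getent ahostsv4 "$1.blob.core.windows.net" | awk 'NR==1 {print $1}')
  [ -n "$_ip" ] && ip_in_cidr "$_ip" "$VNET_CIDR"
}

# Check 2: a direct connection to a public host must fail. Without a public IP
# Azure's default outbound access still provides an implicit egress path, so
# this confirms the NSG deny rule or route table actually blocks it.
check_no_internet() {
  ! curl -s --connect-timeout 5 -o /dev/null https://www.microsoft.com/
}

run_checks() {
  if check_private_dns "$STORAGE_ACCOUNT"; then echo "OK: blob endpoint resolves inside $VNET_CIDR"
  else echo "FAIL: blob FQDN does not resolve to a private endpoint"; fi
  if check_no_internet; then echo "OK: no internet egress"
  else echo "FAIL: internet is reachable from the private subnet"; fi
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A FAIL on the first check usually means the private DNS zone (privatelink.blob.core.windows.net) is not linked to the VNet; a FAIL on the second means the subnet still has a default outbound path that steps 4 and 7 were meant to close.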