Azure CLI
- Azure CLI commands follow a uniform structure, which makes them easy to compose on the command line:
az <service> [<subservice>] <action> --param1 <value1> .... --paramn <value-n>
az group create --name test --location centralus
az network vnet list
# In the examples above, `create` and `list` are the actions (`test` is the value passed to `--name`).
- Now let's write the commands to create a vnet with four subnets.
# Create the resource group, then the primary n-tier vnet (10.10.0.0/16).
# The vnet is created without --location, so it inherits the group's region (eastus).
az group create --location 'eastus' --name 'fromcliagain'
az network vnet create --name 'ntier' --resource-group 'fromcliagain' \
  --address-prefixes 10.10.0.0/16
# One /24 per tier, carved sequentially out of the vnet range:
# web=10.10.0.0/24, business=10.10.1.0/24, db=10.10.2.0/24, management=10.10.3.0/24.
tier_index=0
for tier in web business db management; do
  az network vnet subnet create --name "$tier" \
    --address-prefixes "10.10.${tier_index}.0/24" \
    --resource-group 'fromcliagain' --vnet-name 'ntier'
  tier_index=$((tier_index + 1))
done
- Let's create one more vnet, in the range 10.11.0.0/16, in the Central US region with 4 subnets.
# Secondary n-tier vnet (10.11.0.0/16) in centralus, in the same resource group.
# Here --location is given explicitly because the group itself lives in eastus.
az network vnet create --name 'ntiersecondary' --resource-group 'fromcliagain' \
  --address-prefixes 10.11.0.0/16 --location 'centralus'
# Same four tiers as the primary vnet, one /24 each:
# web=10.11.0.0/24, business=10.11.1.0/24, db=10.11.2.0/24, management=10.11.3.0/24.
tier_index=0
for tier in web business db management; do
  az network vnet subnet create --name "$tier" \
    --address-prefixes "10.11.${tier_index}.0/24" \
    --resource-group 'fromcliagain' --vnet-name 'ntiersecondary'
  tier_index=$((tier_index + 1))
done
- Now let's create an NSG for the web subnet machines that allows traffic from anywhere on ports 80 and 22 but denies everything else from the Internet. All communication within the vnet should remain possible.
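# Web-tier NSG for the primary vnet (eastus). Rules with a lower priority number
# are evaluated first, so the allows at 300-320 take precedence over the deny at 400.
# Fix: the original passed --resource-group 'fromcliagain', (trailing comma) on the
# http/ssh/deny rules; the shell hands that to the CLI as the value "fromcliagain,",
# which names a group that does not exist, so those three rules were never created.
# NOTE(review): creating the NSG does not attach it to anything. The 'web' subnet
# still needs `az network vnet subnet update ... --network-security-group webvmnsg`
# (not shown on this page) before these rules apply to its VMs.
az network nsg create --name webvmnsg --location 'eastus' --resource-group 'fromcliagain'
# Anything sourced from inside the vnet (VirtualNetwork service tag) is allowed.
az network nsg rule create --name 'allowvnet' --nsg-name 'webvmnsg' \
  --priority 300 --resource-group 'fromcliagain' --access 'allow' \
  --source-address-prefixes 'VirtualNetwork' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '*' \
  --direction 'Inbound' --protocol '*'
# HTTP (TCP/80) from the Internet service tag.
az network nsg rule create --name 'allowhttp' --nsg-name 'webvmnsg' \
  --priority 310 --resource-group 'fromcliagain' --access 'allow' \
  --source-address-prefixes 'Internet' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '80' \
  --direction 'Inbound' --protocol 'Tcp'
# SSH (TCP/22) from the Internet, as the exercise asks. Outside a lab, narrow
# --source-address-prefixes to the admin CIDR(s) that actually need shell access
# rather than the whole 'Internet' tag.
az network nsg rule create --name 'allowssh' --nsg-name 'webvmnsg' \
  --priority 320 --resource-group 'fromcliagain' --access 'allow' \
  --source-address-prefixes 'Internet' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '22' \
  --direction 'Inbound' --protocol 'Tcp'
# Explicit catch-all deny for Internet-sourced inbound traffic. Azure's built-in
# DenyAllInbound rule (priority 65500) would block it anyway; this rule makes the
# intent visible and keeps Internet traffic blocked even if a broad allow is later
# added with a priority number between 400 and 65500.
az network nsg rule create --name 'denyinternet' --nsg-name 'webvmnsg' \
  --priority 400 --resource-group 'fromcliagain' --access 'deny' \
  --source-address-prefixes 'Internet' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '*' \
  --direction 'Inbound' --protocol '*'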
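# Web-tier NSG for the secondary vnet (centralus); same rule set as the primary one.
# Fix: the original passed --resource-group 'fromcliagain', (trailing comma) on the
# http/ssh/deny rules; the shell hands that to the CLI as the value "fromcliagain,",
# which names a group that does not exist, so those three rules were never created.
# NOTE(review): as with the primary NSG, this only creates the NSG; the secondary
# 'web' subnet still needs `az network vnet subnet update ... --network-security-group
# webvmnsgsecondary` (not shown on this page) for the rules to take effect.
az network nsg create --name webvmnsgsecondary --location 'centralus' --resource-group 'fromcliagain'
# Anything sourced from inside the vnet (VirtualNetwork service tag) is allowed.
az network nsg rule create --name 'allowvnet' --nsg-name 'webvmnsgsecondary' \
  --priority 300 --resource-group 'fromcliagain' --access 'allow' \
  --source-address-prefixes 'VirtualNetwork' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '*' \
  --direction 'Inbound' --protocol '*'
# HTTP (TCP/80) from the Internet service tag.
az network nsg rule create --name 'allowhttp' --nsg-name 'webvmnsgsecondary' \
  --priority 310 --resource-group 'fromcliagain' --access 'allow' \
  --source-address-prefixes 'Internet' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '80' \
  --direction 'Inbound' --protocol 'Tcp'
# SSH (TCP/22) from the Internet, as the exercise asks. Outside a lab, narrow
# --source-address-prefixes to the admin CIDR(s) that actually need shell access.
az network nsg rule create --name 'allowssh' --nsg-name 'webvmnsgsecondary' \
  --priority 320 --resource-group 'fromcliagain' --access 'allow' \
  --source-address-prefixes 'Internet' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '22' \
  --direction 'Inbound' --protocol 'Tcp'
# Explicit catch-all deny for Internet-sourced inbound traffic; evaluated after the
# allows above because its priority number (400) is higher.
az network nsg rule create --name 'denyinternet' --nsg-name 'webvmnsgsecondary' \
  --priority 400 --resource-group 'fromcliagain' --access 'deny' \
  --source-address-prefixes 'Internet' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '*' \
  --direction 'Inbound' --protocol '*'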
- Exercise-1: Create an NSG for the app VM and db subnets that allows all inbound traffic from the virtual network but nothing from the Internet.
- Exercise-2: Create two network interfaces, one in the web subnet and the other in the db subnet, each with private and public IP addresses.