Forem: Francis Adeboye

Automating Hub & Spoke Secure Azure Networks with Terraform (IaC) & Azure Firewalls

Francis Adeboye — Fri, 12 Sep 2025 20:37:33 +0000

Introduction

Imagine your business’s digital assets—all your customer data, company secrets, and applications—are stored inside a high-value property. Without security guards or locks on the doors, this property is an open invitation for burglars (Vulnerabilities). In the same way, an insecure cloud network is a prime target for cyber threats.

Cloud network security provides those essential guards and locks (Virtual Network, Security Groups, Firewalls & Encryption), protecting your most valuable digital assets from a growing number of attackers.

However, managing security in a vast and constantly changing cloud environment is nearly impossible to do manually. This is where automation becomes your most critical tool. By integrating smart, automated systems, you can ensure every door is locked and every alarm is active, making your digital property secure and resilient in real time.

Architecture Overview

Hub-Spoke Network Concept

Your network uses a Hub-Spoke model, which is a highly effective way to manage a cloud network. The Hub is your central security and connectivity point, where an Azure Firewall inspects all traffic. The Spokes are isolated networks that host your applications. This design provides centralized security, simplifies routing, and makes your network easy to scale.

Network Components

Hub VNet: This is where the Azure Firewall is deployed. It's the central checkpoint for all traffic.
App (Spoke) VNet: This is where your applications are deployed. The frontend is secured using an Application Security Group (ASG), while the backend uses a Network Security Group (NSG) for granular control.
DNS: A Private DNS Zone is used to resolve internal names, ensuring your applications can communicate with each other securely using private records.
Route Tables: These are configured with User-Defined Routes (UDRs) to force all traffic from the spokes to pass through the hub's firewall.

Traffic Flow

Inbound Traffic: Traffic from the internet goes directly to the Hub Firewall, which then forwards it to the correct application in the spoke VNet. The ASG on the frontend ensures only allowed traffic reaches the web servers.
Outbound Traffic: Traffic from an application in the spoke VNet is sent to the Hub Firewall for inspection before it can reach the internet.
DNS Flow: DNS queries are handled internally via the Private DNS Zone, with the hub firewall forwarding the requests.

Deploying Infrastructure as Code (IaC) with Terraform

Terraform is an essential tool for implementing this architecture because it allows an organization to define its entire infrastructure as code (IaC). This approach offers several key benefits: it ensures repeatable, immutable & consistent deployments, makes infrastructure version-controlled (just like application code) to track changes, and enables fully automated deployments.

Prerequisites

Azure Account & Azure Subscription
Azure CLI
App Role that allows Terraform Deployment
Terraform Installed
Azure Terraform Visual Studio code extension
Remote Backend (Hashicorp Cloud with CLI workflow or Azure Storage Account): For this lab, I'll be using a HashiCorp Terraform Cloud account. This approach provides a managed, secure, and collaborative environment for storing the Terraform state file, which is often easier to set up and manage than a self-hosted Azure Storage Account for state management.

To make the code flexible, it is best to use variables for key settings like IP ranges, location, and resource group names. This makes it easy to deploy the same architecture in different environments (e.g., development, staging, production) with a single command.

A crucial best practice is to use remote state management. By storing the Terraform state file in a remote backend (like HashiCorp Terraform Cloud or an Azure Storage Account), it prevents state conflicts, enables collaboration among team members, and ensures the state is backed up and secure.

Terraform File Structure

Terraform project directory for this architecture would be organized & created as follows:

main.tf: This core file would declare the azurerm provider and the Terraform remote backend configuration for state management. This ensures state is stored securely and enables team collaboration.

#############################################
# Provider & HCP Remote Backend Configuration
#############################################

terraform {
  cloud {
    organization = "your-organization-name"
    workspaces {
      name = "secure-network-workload"
    }
  }
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>4.0"
    }

    random = {
      source  = "hashicorp/random"
      version = "~>3.0"
    }
  }
}

provider "azurerm" {
  features {
  }
}

deployments.tf: This is the primary file that holds all resources blocks for the deployment. This is where resource group, virtual networks, subnets, firewalls, security groups, virtual machines and other network components would be declared.

###################################
# Azure Resources for Deployment
###################################

resource "azurerm_resource_group" "resource_group" {
  name     = "${var.project_name}-${var.prefix}-RG"
  location = var.location
  tags     = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

variables.tf: This file contains all the input variables for the configuration. This allows for easy customization without changing the main code.

#####################################
# Variables for Deployment
#####################################
variable "prefix" {
  type    = string
}

variable "project_name" {
  type = string
}

variable "owner_name" {
  type = string

}

variable "managed_by" {
  type = string

}

variable "environment" {
  type = string
}

variable "location" {
  type = string
}
variable "tags" {
  type    = map(string)
  default = {}
}

outputs.tf: This file specifies the values that will be outputted after a successful deployment, such as the public/private IPs of the firewall or the IDs of the created subnets.

#####################################
# Deployment Outputs
#####################################
output "resource_group_name" {
  description = "Resource Group Name"
  value       = azurerm_resource_group.resource_group.name
}

terraform.tfvars: This file holds the actual values for the variables declared in variables.tf.

####################################################################
# Terraform variables for Network Secure Workload Project Deployment
####################################################################

location     = "UK South"
project_name = "Hub-Spoke-Network"
environment  = "Development"
owner_name   = "Francis Adeboye"
managed_by   = "Terraform"
prefix      = "nsw-dev"

tags = {
  Owner       = "Francis Adeboye"
  Project     = "Hub-Spoke-Network"
  Contact     = "your-email-address"
  Environment = "Development"
  ManagedBy   = "Terraform"
}

Deployment Flow (Hands-on Lab)

Initializing Terraform - Before deploying any infrastructure, the first step is to initialize the Terraform project. This is done with the terraform init command. Other commands will be used subsequently during this hands-on where applicable.

terraform init: This command initializes the working directory, downloads the necessary provider plugins, and sets up the remote backend for state management.

terraform fmt: This command formats the configuration files to ensure consistent style and readability.

terraform validate: This command validates the syntax of the configuration, checking for errors before deployment.

terraform plan: This command creates an execution plan, showing what resources will be created, modified, or destroyed, and is a crucial step for reviewing changes before deployment.

terraform apply: This command applies the changes defined in the plan to the cloud provider, creating the infrastructure.

terraform destroy: This command destroys all the resources managed by the configuration, used for cleaning up the environment.

Create and configure virtual networks

Create a Resource Group

###################################
# Azure Resource Group
###################################

resource "azurerm_resource_group" "resource_group" {
  name     = "${var.project_name}-${var.prefix}-RG"
  location = var.location
  tags     = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

Create Spoke (App) virtual network with Subnets (Front & Back End)

###################################
# Resource Group Data Source
###################################

data "azurerm_resource_group" "resource_group" {
  name     = "${var.project_name}-${var.prefix}-RG"
}


###################################
# Spoke App Virtual Network
###################################
resource "azurerm_virtual_network" "spoke_app_vnet" {
  name                = var.spoke_app_vnet_name
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  address_space       = var.spoke_app_address_space

  tags = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

# Subnets for Spoke App VNet
resource "azurerm_subnet" "front_end_app_subnet" {
  name                 = "front-end-app-subnet"
  resource_group_name  = data.azurerm_resource_group.resource_group.name
  virtual_network_name = azurerm_virtual_network.spoke_app_vnet.name
  address_prefixes     = [var.front-end-app]
}

resource "azurerm_subnet" "back_end_app_subnet" {
  name                 = "back-end-app-subnet"
  resource_group_name  = data.azurerm_resource_group.resource_group.name
  virtual_network_name = azurerm_virtual_network.spoke_app_vnet.name
  address_prefixes     = [var.back-end-app]
}

Create Hub Virtual network with Subnet (Azure Firewall)

###################################
# Hub Vnet for Azure Firewall
###################################
resource "azurerm_virtual_network" "hub_vnet" {
  name                = var.hub_vnet_name
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  address_space       = var.hub_address_space

  tags = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

# Subnet for Azure Firewall

resource "azurerm_subnet" "firewall_subnet" {
  name                 = "AzureFirewallSubnet"
  resource_group_name = data.azurerm_resource_group.resource_group.name
  virtual_network_name = azurerm_virtual_network.hub_vnet.name
  address_prefixes     = [var.firewall-subnet]
}

Configure Vnet peering between Hub & Spoke Virtual Network

####################################
# Vnet Peering between Hub and Spoke
####################################

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "spoke-to-hub-vnet"
  resource_group_name       = data.azurerm_resource_group.resource_group.name
  virtual_network_name      = azurerm_virtual_network.spoke_app_vnet.name
  remote_virtual_network_id = azurerm_virtual_network.hub_vnet.id
  allow_virtual_network_access = "true"
}

resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "hub-to-spoke-vnet"
  resource_group_name       = data.azurerm_resource_group.resource_group.name
  virtual_network_name      = azurerm_virtual_network.hub_vnet.name
  remote_virtual_network_id = azurerm_virtual_network.spoke_app_vnet.id
  allow_virtual_network_access = "true"
}

Create and configure Virtual Machines & network security groups (ASG & NSG)

Create 2 Virtual Machines (Linux Ubuntu Server)


#################################################################################
# Virtual Machine Deployment
#################################################################################
# Public IP Addresses
resource "azurerm_public_ip" "vm1_public_ip" {
  name                = "VM1-ip"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  allocation_method   = "Static"
  sku                = "Standard"
}

resource "azurerm_public_ip" "vm2_public_ip" {
  name                = "VM2-ip" 
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  allocation_method   = "Static"
  sku                = "Standard"
}

# Network Interfaces
resource "azurerm_network_interface" "vm1_nic" {
  name                = "VM1-nic"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name

  ip_configuration {
    name                          = "ipconfig1"
    subnet_id                     = azurerm_subnet.front_end_app_subnet.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id         = azurerm_public_ip.vm1_public_ip.id
  }
}

resource "azurerm_network_interface" "vm2_nic" {
  name                = "VM2-nic"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name

  ip_configuration {
    name                          = "ipconfig2"
    subnet_id                     = azurerm_subnet.back_end_app_subnet.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id         = azurerm_public_ip.vm2_public_ip.id
  }
}

# Virtual Machines
resource "azurerm_linux_virtual_machine" "vm1" {
  name                = "VM1"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  size                = "Standard_B1s"
  admin_username      = var.admin_username
  admin_password      = var.admin_password
  network_interface_ids = [
    azurerm_network_interface.vm1_nic.id
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
    disk_size_gb        = 30
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  disable_password_authentication = false
}

resource "azurerm_linux_virtual_machine" "vm2" {
  name                = "VM2"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  size                = "Standard_B1s"
  admin_username      = var.admin_username
  admin_password      = var.admin_password
  network_interface_ids = [
    azurerm_network_interface.vm2_nic.id
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
    disk_size_gb        = 30
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  disable_password_authentication = false
}

Create Application Security Group (ASG) & Attach to VM-1 (NIC)

###########################################################
# Application Security Group (front-end) attached to VM1 NIC
###########################################################
resource "azurerm_application_security_group" "app_front_end_asg" {
  name                = "app-front-end-asg"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name

  tags = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

# Attach ASG to VM1 NIC

resource "azurerm_network_interface_application_security_group_association" "vm1_nic_asg_assoc" {
  network_interface_id          = azurerm_network_interface.vm1_nic.id
  application_security_group_id = azurerm_application_security_group.app_front_end_asg.id
}

Create Network Security Group (NSG) & Associate with Backend Subnet

###########################################################
# Network Security Group (back-end) attached to back-end subnet
###########################################################
resource "azurerm_network_security_group" "back_end_nsg" {
  name                = "app-back-end-nsg"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name

  tags = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}
# Attach NSG to back-end subnet
resource "azurerm_subnet_network_security_group_association" "back_end_subnet_nsg_assoc" {
  subnet_id                 = azurerm_subnet.back_end_app_subnet.id
  network_security_group_id = azurerm_network_security_group.back_end_nsg.id
}

Create Network Security Group inbound rules filter traffic to ASG on Port 22 (ASG)

#####################################################################################################################
# NSG Rule to filter inbound/outbound traffic from anywhere on port 22 (SSH) to Application Security Group (front-end)
#####################################################################################################################
resource "azurerm_network_security_rule" "allow_ssh_inbound" {
  name                                       = "Allow-ssh-Inbound"
  priority                                   = 100
  direction                                  = "Inbound"
  access                                     = "Allow"
  protocol                                   = "Tcp"
  source_port_range                          = "*"
  source_address_prefix                      = "*"
  destination_port_range                     = "22"
  destination_application_security_group_ids = [azurerm_application_security_group.app_front_end_asg.id]
  resource_group_name                        = azurerm_resource_group.resource_group.name
  network_security_group_name                = azurerm_network_security_group.back_end_nsg.name
}

Create and configure Azure Firewall

Create Azure Firewall Subnet in Spoke (App) Vnet

###########################################################
# Azure Firewall Subnet (Spoke Vnet)
###########################################################
resource "azurerm_subnet" "spoke_firewall_subnet" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.resource_group.name
  virtual_network_name = azurerm_virtual_network.spoke_app_vnet.name
  address_prefixes     = [var.spoke-firewall-subnet]
}

Configure Azure Firewall & firewall policy

######################################################################
# Standard Firewall (Spoke App Vnet), with Firewall Policy & Public IP
######################################################################
resource "azurerm_public_ip" "firewall_public_ip" {
  name                = "firewall-public-ip"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  allocation_method   = "Static"
  sku                 = "Standard"

  tags = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

resource "azurerm_firewall_policy" "firewall_policy" {
  name                = "firewall-policy"
  resource_group_name = azurerm_resource_group.resource_group.name
  location            = var.location
  sku                 = "Standard"

  tags = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

resource "azurerm_firewall" "app_firewall" {
  name                = "firewall"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  sku_tier            = "Standard"
  sku_name            = "AZFW_VNet"
  firewall_policy_id  = azurerm_firewall_policy.firewall_policy.id

  ip_configuration {
    name                 = "firewall-ip-config"
    subnet_id            = azurerm_subnet.spoke_firewall_subnet.id
    public_ip_address_id = azurerm_public_ip.firewall_public_ip.id
  }

  tags = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

Update firewall policy Collection group with application & network rule collection

###########################################################
# Update Firewall Policy with Collection Group (App & Network Rules)
###########################################################

resource "azurerm_firewall_policy_rule_collection_group" "firewall_policy_rule_collection_group" {
  name               = "fw-policy-rule-collection-group"
  firewall_policy_id = azurerm_firewall_policy.firewall_policy.id
  priority           = 200

  application_rule_collection {
    name     = "app-vnet-fw-rule-collection"
    priority = 200
    action   = "Allow"
    rule {
      name              = "AllowAzurePipelines"
      source_addresses  = ["10.20.0.0/23"]
      destination_fqdns = ["dev.azure.com", "azure.microsoft.com"]

      protocols {
        type = "Https"
        port = 443
      }
    }
  }

  network_rule_collection {
    name     = "app-vnet-fw-nrc-dns"
    priority = 300
    action   = "Allow"
    rule {
      name                  = "AllowDns"
      protocols             = ["UDP"]
      source_addresses      = ["10.20.0.0/23"]
      destination_ports     = ["53"]
      destination_addresses = ["1.1.1.1", "1.0.0.1"]
    }
  }
}

Configure network routing to Spoke (App) Vnet Firewall

Create and configure a route table.

#####################################
# Spoke Vnet Firewall Route Table
#####################################
resource "azurerm_route_table" "spoke_firewall_route_table" {
  name                = "spoke-vnet-firewall-rt"
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  tags                = coalesce(var.tags, { Project = var.project_name, Environment = var.environment, Owner = var.owner_name, ManagedBy = var.managed_by })
}

Associate Route Table to Front End & Back End Subnet

##################################################################
# Associate Route Table to Spoke App Subnets (front-end & back-end)
##################################################################
resource "azurerm_subnet_route_table_association" "front_end_app_subnet" {
  subnet_id      = azurerm_subnet.front_end_app_subnet.id
  route_table_id = azurerm_route_table.spoke_firewall_route_table.id
}

resource "azurerm_subnet_route_table_association" "back_end_app_subnet" {
  subnet_id      = azurerm_subnet.back_end_app_subnet.id
  route_table_id = azurerm_route_table.spoke_firewall_route_table.id
}

Create Route to Route Outbound traffic via Network Virtual Appliance (NVA) Firewall private IP address

##################################################################
# Routes Outgoing Traffic via NVA Firewall using Firewall Private IP
##################################################################
resource "azurerm_route" "outbound_firewall_route" {
  name                   = "outbound-firewall-route"
  route_table_name       = azurerm_route_table.spoke_firewall_route_table.name
  resource_group_name    = azurerm_resource_group.resource_group.name
  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = azurerm_firewall.app_firewall.ip_configuration[0].private_ip_address
}

Create DNS zones and configure DNS settings

Create and configure a private DNS zone.

###################################################
# Private DNS Zone private.contoso.com
###################################################
resource "azurerm_private_dns_zone" "private_dns_zone" {
  name                = "private.contoso.com"
  resource_group_name = azurerm_resource_group.resource_group.name
}

Configure Virtual Network Link for Private DNS zone

##############################################
# Private DNS Zone Vnet Link to Spoke App Vnet
###############################################
resource "azurerm_private_dns_zone_virtual_network_link" "dns_zone_vnet_link" {
  name                  = "dns-zone-vnet-link"
  resource_group_name   = azurerm_resource_group.resource_group.name
  private_dns_zone_name = azurerm_private_dns_zone.private_dns_zone.name
  virtual_network_id    = azurerm_virtual_network.spoke_app_vnet.id
  registration_enabled  = true
}

Create and configure DNS (A)records mapping backend (VM2)

##########################################################
# Private DNS A Record for Backend VM in Private DNS Zone
##########################################################
resource "azurerm_private_dns_a_record" "backend_vm_dns_record" {
  name                = "backend-vm"
  zone_name           = azurerm_private_dns_zone.private_dns_zone.name
  resource_group_name = azurerm_resource_group.resource_group.name
  ttl                 = 1
  records             = [azurerm_network_interface.vm2_nic.private_ip_address]
}

Cleaning up resources

When you’re done testing and validating the deployment, it’s a good practice to tear down all the infrastructure you created. This avoids unnecessary costs and keeps your Azure subscription tidy.

With Terraform, cleanup is simple. Just run:

terraform destroy --auto-approve

This command:

Destroys all resources defined in your Terraform state.
Uses --auto-approve to skip the interactive confirmation step.
Ensures your Azure subscription is returned to a clean state.

Here’s an example of Terraform tearing down the resources in my remote backend workspace:

Resources

Terraform AzureRM Provider Documentation

Terraform Deployment Files

Conclusion

Using Terraform and Infrastructure as Code, we've built a secure hub-and-spoke network in Azure that’s automated, consistent, and easy to scale. This setup helps reduce manual errors and makes it simple to manage environments.

One key lesson: it’s important to carefully choose where firewalls sit — whether centralized or in each spoke — and to set up DNS correctly to avoid routing issues. With smart design choices, you can create cloud networks that are both secure and flexible, ready to grow with your needs.

🌍 The Dark Side of Connectivity in a Digital Age

Francis Adeboye — Sun, 31 Aug 2025 13:31:31 +0000

The world is evolving at an unprecedented pace, driven by large-scale digital innovation. Our daily lives have become deeply digitalized—from sending emails to friends and family across the globe, to engaging in social interactions, making seamless financial transactions via mobile devices, shopping online, and even dating through digital platforms. All of these activities rely on the internet and human participation.

While the internet offers a vast stage for connection and convenience, it also presents significant risks. You cannot control what others do online, but you can take proactive steps to protect yourself from malicious actors. These threats include identity theft, malware, financial crimes, blackmail, and child exploitation. Importantly, some of these acts are not just criminal—they may also stem from compulsive or addictive behaviours, such as internet addiction, pornography dependency, or obsessive hacking.

Understanding this behavioural dimension is key to prevention and rehabilitation. Security matters across every industry—from banking and healthcare to digital platforms—because it protects what we value most: our assets, our privacy, and our trust.

⚠️ Common Digital Threats

Stolen Identity: Personal data can be hijacked and misused.
Malware Attacks: Harmful software can compromise your devices and privacy.
Financial Crimes: Online scams, phishing, and fraud are increasingly sophisticated.
Blackmail & Exploitation: Sensitive information can be weaponized.
Child Pornography: A deeply disturbing crime that requires global vigilance and zero tolerance.
Behavioural Addictions: Some malicious acts may be driven by compulsive online behaviours, such as:
- Pornography addiction
- Cyberstalking or voyeurism
- Obsessive hacking or digital gambling

💥 Consequences of Digital Vulnerability

Financial Losses: From drained bank accounts to stolen assets.
Damaged Reputation: Leaked data or false information can tarnish your public image.
Emotional Distress: Anxiety, fear, and shame can take a heavy toll.
Mental Health Crisis: In extreme cases, emotional trauma may lead to breakdowns or suicidal thoughts.
Erosion of Trust: When digital systems fail, public confidence in institutions and platforms suffers.

🛡️ Navigating the Digital World Safely

You can’t control what others do online—but you can protect yourself.

Use strong, unique passwords and enable two-factor authentication
Keep your software and devices updated
Be cautious with unknown links, downloads, and contacts
Use reputable antivirus and privacy tools
Stay informed about digital safety and emerging threats
Recognize signs of compulsive digital behaviour—in yourself and others—and seek support when needed

🔁Trust Builds Organizations - Zero Trust Builds Digital Security

In today’s digital landscape, trust is earned through security. But true security demands a Zero Trust mindset—one that assumes no user, device, or system is inherently safe. This approach helps organizations and individuals stay vigilant, verify everything, and minimize risk.

Security isn’t just a technical requirement—it’s a social contract. It protects our identities, our relationships, and our mental well-being in a world that’s always online.

🚧Where Traffic Management Meets Scalability: Designing a Secure Azure Web App Architecture with VMSS and Load Balancer

Francis Adeboye — Fri, 22 Aug 2025 19:32:27 +0000

Why Scalability and Traffic Management Matter for Modern Web Apps ?

Scaling web applications in the cloud doesn’t have to be complicated — but it becomes essential the moment your app starts gaining traction. Imagine launching a small MVP gaming app just for fun. You expect a few hundred players, so you host it on a single virtual machine — simple and cheap. But overnight, the game goes viral, and suddenly thousands of players are trying to connect at once. The single Virtual machine hosting the app crashes under the load, and you’re faced with the challenge every developer fears: scaling fast, without downtime.

This is exactly the kind of problem that cloud platforms like Azure , AWS & and other CSPs are designed to solve. In this demo lab, I’ll walk you through how to set up a scalable, secure, and monitored web infrastructure using:

Virtual Machine Scale Sets (VMSS) for automatic scaling
Public Load Balancer to distribute incoming traffic
NAT Gateway for secure outbound connectivity for patches and updates of Virtual Machines
Azure Bastion to lock down admin access to VM securely
Network Security Groups to control inbound traffic
Machine Image for consistent VM provisioning and fast deployment
Azure Monitor to track performance and health

Together, these services handle surging traffic by distributing requests across multiple NGINX web servers, scaling resources based on demand, and maintaining security and observability throughout.

By the end of this demo, you’ll see how even a small MVP can be ready for going viral — without breaking under pressure.

🔑 Prerequisites

Before starting, make sure you have:

An active Azure subscription
A valid SSH key pair
Basic knowledge of Azure VNets, NSGs, and VMs

Architecture Overview

Before we dive into the portal, let’s map out what the solution looks like. Our goal is to keep the viral game running smoothly by spreading player traffic across multiple servers, while still keeping admin access secure and updates flowing. Here’s the big picture of how Azure Bastion, NAT Gateway, NSGs, VM Scale Sets, and the Load Balancer all connect seamlessly.

Step 1: 🌐Networking Environment Setup

Every scalable system begins with a solid foundation. Think of this as laying the groundwork for a new city. Before any buildings can go up, you need to map out the neighbourhoods (virtual networks), assign street addresses (IP address space), divide those streets into smaller blocks (subnets), and establish the rules for who can enter and exit each building (security groups). This structured approach provides the essential backbone where all your servers and services will reside, ensuring a secure and scalable environment.

Create a Resource Group

Name: DigitalLab-RG (or reuse existing).

Virtual Network, Subnets, NSGs, NAT Gateway for Inbound Traffic, Public Load Balancer & Bastion Host for Secure Access to Custom VM

Create Virtual Network

Name: vnet-webservers
Address space: 10.50.0.0/16

Add Subnets (Private & Bastion)

snet-custommvms-private: 10.50.10.0/24
snet-vmss-private: 10.50.11.0/24
AzureBastionSubnet: 10.50.9.192/26

Create Network Security Groups (NSG)

nsg-customvm: Allow Port 22 from Bastion subnet
nsg-vmss: Allow Port 80 from Internet, Port 22 from your IP
linuxworkers-nsg: Allow Port 80 from Internet, Port 22 from your IP ( VMSS NIC)

Associate NSGs to Subnets (Custom VM & VMSS)

snet-custommvms-private → nsg-customvm
snet-vmss-private → nsg-vmss
AzureBastionSubnet → No NSG (Not need, Handled by Azure)

Create Network Address Translation Gateway (NAT GW) for Outbound Traffic & Associate NAT to Private Subnet.

Our servers need a way to stay updated without exposing themselves to the internet. That’s where the NAT Gateway comes in — letting the VMs download patches and packages securely, without opening any direct inbound ports.

Create NAT GW (Outbound Traffic)
Attach to snet-vmss-private and snet-custommvms-private

Deploy Bastion Host to AzureBastionSubnet

Name: Jumpbox
Tier: Standard
Subnet: AzureBastionSubnet
Public IP: vnet-webservers-ip

Step 2:🚧 Traffic Management (Load Balancer)

Of course, players won’t connect to servers directly. Instead, all traffic flows through a Public Load Balancer, which evenly distributes requests across our VMSS instances. If one VM fails or scales out, the load balancer keeps traffic flowing seamlessly.

Create Public Load Balancer

Name: FrontEndLB
Region: UK South
SKU: Standard
Type: Public

Frontend IP Configuration

Name: FrontEndIP
Public IP: Create new → LoadBalancerIP

Backend Pool

Name: LinuxWorkerNode
Attach to vnet-webservers

Inbound Rules

Load balancing rule: HTTP (Port 80) → Backend pool
NAT rule: Map SSH access (Port 221–320) to backend VMs

Step 3: 🖥 Compute Setup

Instead of manually configuring every server, we’ll start by preparing a single NGINX VM. Once it’s patched and ready, we’ll capture it as a reusable image in the Azure Compute Gallery. Think of this as our source of truth for every future web server for faster deployment.

Create Azure Compute Gallery

Create Virtual Machine (Linux)
Add Data Disk
Place Custom VM in the Private Subnet for the Network configuration
Disable Boot Diagnostic
Post Configuration user data script to Mount Data Disk, Install Azure Monitor Agent on VM and Install NGINX

#!/bin/bash

# Variables
DISK="/dev/sdb"  # Adjust if needed
PARTITION="${DISK}1"
MOUNT_POINT="/mnt/data"
HTML_FILE="/var/www/html/index.nginx-debian.html"

# Create a new partition
echo -e "n\np\n1\n\n\nw" | sudo fdisk $DISK

# Refresh partition table
sudo partprobe $DISK

# Format the partition with EXT4
sudo mkfs.ext4 $PARTITION

# Create mount point and mount the partition
sudo mkdir -p $MOUNT_POINT
sudo mount $PARTITION $MOUNT_POINT

# Make the mount persistent
echo "$PARTITION $MOUNT_POINT ext4 defaults,nofail 0 2" | sudo tee -a /etc/fstab

# Install Nginx
sudo apt update
sudo apt install -y nginx

# Replace default Nginx welcome page
sudo bash -c "cat > $HTML_FILE <<EOF
<html>
<head><title>Welcome</title></head>
<body><h1>Welcome to my Ubuntu 22.04 VM</h1></body>
</html>
EOF"

#  Install Azure Monitor Agent with auto-upgrade enabled
echo "Installing Azure Monitor Agent with auto-upgrade..."
if ! command -v curl &> /dev/null; then
    echo "Installing curl..."
    sudo apt install -y curl
fi
curl -s https://aka.ms/InstallAzureMonitorLinuxAgent | bash -s -- --enable-auto-upgrade

Check Azure Monitor Agent Installation for Telemetry
Connect to Custom VM via Bastion to check Post Configuration script Installed NGINX

Stop the Virtual Machine, Capture the Image of the Custom VM , Publish the Image to Azure Compute Gallery

Now that NGINX is up and running smoothly on the Custom VM, let’s play it safe and delete the Bastion host, Bastion Public IP and Custom VM to avoid any extra costs before moving on to the next step

Step 4: 📈 Deploying the VM Scale Set (VMSS)

Now comes the fun part: scaling out. Using our template image, we’ll spin up a VM Scale Set (VMSS) so Azure can automatically add or remove servers depending on traffic. This ensures the game won’t lag or crash, even if thousands of new players join.

Create a Virtual Machine Scale Set (VMSS) using the Linux NGINX template image

Select the image created by selecting see all images to select shared image

Configure the Network interface of the VMSS by placing it in the private subnet snet-vmss-private, attach the NIC NSG created earlier linuxworkers-nsg and disable public IP address.

Attach VMSS to Load Balancer by selecting load balancer and the backendpool created earlier

Disable Boot Diagnostic

Enable & Configure Application Health monitoring for Health Probes

Step 5: 🧪 Testing the Setup

Time to put it to the test. We’ll hit the Public Load Balancer’s IP in a browser, then simulate heavy load by stressing one of the VMs gather performance logs metrics gathered by the azure monitoring agents.

Get Load Balancer IP

Open in browser → Confirm NGINX landing page.

Go to Inbound NAT rule in Load Balancer section to see what port each VM running is mapped to for SSH access from Local source IP.

Remote into both VM with using public load balancer public ip private key

ssh -i "your-key.pem" username@loadbalancerip -p <port>

Test Communication between both VMs
Check if NGINX webserver is running , Test Webserver & Azure Monitor Agents on both VMs
Make some changes to the content of the html file by navigating to /var/www/html/index.nginx-debian.html directory for each server to test how traffic is being distributed by the load balancer

Refresh the Load Balancer IP on the browser, you might need to refresh a couple of times to see the changes and traffic distributed on both servers

Now that the VMs are running smoothly, Lets try to overload one of the VMs CPU usage by installing stress

Step 6 📊 Monitoring and Insights

Scaling isn’t just about adding servers — it’s about visibility. With Azure Monitor, Log Analytics, and VM Insights, we’ll track performance, scaling events, and system health in real time. This way, we can catch issues before players do.

Create a Log Analytics Workspace: central repository where the logs will be stored and analyzed

Next Navigate to Monitor to create Data Collection Endpoint (DCE): This endpoint is a resource that defines a unique URL where monitoring agents send their collected data

Create a Data Collection Rule (DCR): This rule specifies what data to collect and where to send it.

Enabling VM Insights on the nodes allows the Azure Monitor Agents to execute the rules defined in the Data Collection Rule (DCR). The agents then collect data from the virtual machines and send it to the designated Data Collection Endpoint (DCE). This process links the monitored virtual machines to the Log Analytics Workspace, where the collected data is stored and can be analyzed.

Query logs in the Log Analytics workspace

Monitor Performance in the VM Insight Pane of Azure Monitor

Step 7: Cleanup (Export Before Deleting)

Before deleting resources, export your deployment template so you can reuse it later.

Export Deployment Template

Go to your Resource Group in the Azure Portal
Select Automation → Export Template
Download the template as JSON or ARM/Bicep
Save it to your repo or PC for future redeployments

This template captures your networking, VMSS, load balancer, and monitoring setup so you can redeploy quickly.

Delete Unused Resources (to avoid charges)

Resource Group (if you don’t need the environment anymore)
Public IP addresses
Disks & Snapshots
NAT Gateway

🎯 Key Takeaways

VMSS + Load Balancer = scalability and resilience
Virtual Network + NAT + Bastion + NSGs = secure connectivity
Compute Gallery + Template Image = fast, consistent deployments
Azure Monitor = visibility into performance & scaling events

🛡️ Managing Azure Storage Accounts: Secure, Scalable, and Resilient Data Solutions with Blob Storage & Azure Files

Francis Adeboye — Mon, 11 Aug 2025 18:20:59 +0000

In today’s cloud-first world, businesses need storage solutions that are not just scalable—but secure, highly available, and resilient to failure. Azure Storage Accounts offer exactly that: a unified platform for storing diverse data types—blobs (Binary Large Object), files, queues, tables, and disks—accessible globally over HTTP/HTTPS with a unique namespace.

Whether you're backing up a public website, managing internal documents, or enabling shared access across departments, Azure’s storage services provide the flexibility and control needed to meet enterprise demands. With built-in redundancy options like LRS, ZRS, GRS, RA-GRS and GZRS, your data is protected against local failures and regional outages. And with encryption at rest, network isolation, and identity-based access, security is baked into every layer.

This hands-on guide walks through five real-world scenarios, each mapped to a specific Azure storage configuration:

🧪 Provisioning Storage for IT Team Training & Development

This solution requires a low-cost, flexible storage solution for large files like software test builds and training videos. Using Azure Blob Storage with Locally Redundant Storage (LRS) fits the bill perfectly. This setup is ideal because it's a cost-effective option that's designed for data that doesn't need a backup. Plus, all data transfers are kept secure using TLS 1.2 encryption

Create a Resource Group Container for this project: StorageAccountLab-RG

I'll be using my existing Resource Group for the Demonstration

Deploy a Storage Account to support testing and training for the IT Team.

Use the search Bar: Storage Accounts -> Create

Select Subscription -> Resource Group -> Storage Account Name ( Globally Unique) -> Standard -> Locally Redundant Storage ( LRS ) -> Review+Create -> Go to Resources

Configure simple settings for Data Redundancy , Secure Transfer , Transport Layer Security (TLS) v1.2 , Shared Keys & Public Access.

🌐 Public Web Storage for Product Delivery to Global Customers

This task sets up Azure Blob Storage to host a public company website container with the intent to deliver product images and content to global users. We’ll create a highly available storage account with RA-GRS redundancy, configure anonymous access for fast public delivery, and enable features like soft delete and versioning to protect and manage content. The goal is to ensure quick load times, easy access, and resilience—without requiring users to log in.

Create a Storage account to support public website using default settings

Configure High Availability that allows Read access in a Secondary Region if there is Regional Failure

Navigate to the Data Management section -> Select Redundancy -> Select Read-access Geo Redundant storage -> Review the Primary & Secondary Location

Enable Accessibility to public website without customer login requirement

Settings -> Configuration -> Enable Allow Blob anonymous access -> Save

Create Blob Container where images & product catalogues will be uploaded

Data Storage section -> Select Container -> Name publicwebsite -> Create

Configure anonymous read access for the public container blobs that allows global customers to view contents without authentication.

Select the Public website container -> Change access level -> Select Anonymous read access for blobs only -> OK

Upload files to the public website container to test access

Configure Soft Delete feature to protect website contents from accidental deletion

Navigate to Data Management -> Enable Soft Delete for blobs -> Set retention period for 21 days -> Save

Delete Uploaded files -> Select show active and deleted blobs to display files that has been deleted from the container -> select Undelete to restore file -> Select Only show active blob once file has been undeleted/restored

Enable versioning to keep track of changes in product documents

Data Management -> Data Protection -> Select Enable versioning for blobs -> Keep all version -> Save

To understand version control, upload a new version of a file with a small change. This will create a new version of the document, allowing you to easily revert to the original if needed

When you attempt to upload the same file after small changes has been made, You will notice the file already exist, select overwrite if file exists

View versions -> Show deleted version

🔐 Private Internal Storage for Corporate Documents - Secure, Redundant, Cost Effective & Controlled Access

In this task, we’re provisioning a secure Azure Blob Storage solution for internal corporate documents, designed to meet enterprise-grade requirements for availability, privacy, and operational efficiency. The storage account is configured with Geo-Redundant Storage (GRS) to ensure high availability in the event of regional outages. Sensitive files are housed in a private container with no anonymous access, maintaining strict internal confidentiality. We’ll handle secure file uploads and generate SAS tokens to enable scoped, time-bound access for external partners. To optimize costs, lifecycle management will automatically transition blobs to the cool tier after 30 days. Finally, we’ll replicate objects from a public container into this private one, ensuring internal backup continuity and data resilience.

Create a storage account for internal private corporate documents with High Availability (GRS)

Ensure to check Data Management section that Redundancy is set to GRS as Read access is not required in the Secondary Region, Apologies for the error :)

Create private storage container to store corporate document
Upload a file to the private container and test its not publicly accessible.

Generate a Shared Access Signature (SAS) Token/URL that with will be used by Third Party partners for Read/Write permissions

Select uploaded file -> click on the 3 dots -> Select Generate SAS
Set permission to Read -> Set Start and Expiry to 24hrs -> Https -> Generate Token and URL -> Copy URL to browser to view file

Configure a Lifecycle rule in Data Management section that move blobs from Hot to Cool Tier

Data Management -> Lifecycle management -> Add rule

Set up Backup container in the private storage account for object replication from the public website to the private back up container.

Data Storage -> Add Container -> enter parameters for backup and default setting -> Create

Navigate back to the public website storage account to set up replication rule
Add Replication rule with Destination Storage Account(Private) Source container (public) to Destination container (private)
Review replication rule
Upload a file into the public container
Check the private container to check object was replicated, This can take up to 2-5mins, so you might need to refresh a couple of times.

🗂️ Secure Shared File Storage for Finance Department Using Azure Files

We’ll configure Azure Files to support shared file storage for the company’s finance department. The solution uses a Premium-tier storage account with ZRS redundancy to ensure performance and availability across zones. We’ll create a dedicated file share and directory for corporate use, enable snapshot protection to guard against accidental deletions, and test restore functionality. To secure access, we’ll restrict connectivity to a specific virtual network using service endpoints, and switch the storage account from public to selected network access only, ensuring that file access is tightly controlled and compliant with internal policies.

Create a Zone Redundant storage account for the finance department's shared files in the Resource Group **StorageAccountLab-RG".

Storage accounts -> + Create -> Resource group -> Create new -> [enter name] -> OK -> Storage account name -> [enter name] -> Performance -> Premium -> Premium account type -> File shares -> Redundancy -> Zone-redundant storage -> Review -> Create -> Go to resource

Create file share for the corporate office

File shares -> + File share -> Name -> [enter a name] -> Go to back up tab to disable backup -> Create

Configure a directory for the finance department

Select your file share -> + Add directory -> Name -> finance -> Browse -> [select finance directory] -> Upload -> [select a file]

Create Snapshot of the file share to protect against accidental deletion

Select your file share -> Operations -> Snapshots -> + Add snapshot -> OK -> Select your snapshot -> [verify file directory]

Restore a File from a Snapshot

Return to file share -> Browse -> [locate and select file] -> Properties -> Delete -> Yes -> Snapshots -> [select snapshot] -> [navigate to file] -> Restore -> [enter new file name] -> Verify

Configure storage access restriction to selected Virtual Network & Subnet

Virtual networks -> Create -> [select resource group] -> [name virtual network] -> Review + create -> Create -> Go to resource -> Settings -> Subnets -> default -> Service endpoints -> Services -> Microsoft.Storage -> Save

Restrict storage account to only access from selected Virtual Network

Return to files storage account -> Security + networking -> Networking -> Public network access -> Enabled from selected virtual networks and IP addresses -> Virtual networks -> Add existing virtual network -> [select virtual network and subnet] -> Add -> Save

Verify Access Restriction

Storage browser -> [navigate to file share] -> Verify message ("not authorized to perform this operation")

🔐 Securing Azure Blob Storage for App Development Using Key Vault, Encryption, Managed Identities & Immutable Protection

In this task, we’re configuring a Secure Azure Blob Storage solution to support the development of a new internal application. The focus is on enforcing strict access controls using managed identities and access keys, while applying role-based access control (RBAC) to streamline permissions across development and testing environments. To safeguard critical test data, we’ll enable immutable blob protection, ensuring that once written, data cannot be altered or deleted during retention. This setup supports secure automation, identity-driven access, and robust data integrity—ideal for modern app development workflows that demand both agility and compliance.

Create Storage Account with Infrastructure Encryption Enabled

Storage accounts -> + Create -> Resource group -> Create new -> [name your resource group] -> OK -> Storage account name -> [enter a name] -> Encryption Tab -> Enable infrastructure encryption -> Review + Create -> Create

Create User-Assigned Managed Identity

Managed identities -> Create -> [select your resource group] -> Name -> [give it a name] -> Review and create -> Create

Add Role Assignment to Managed Identity

Storage account -> Access Control (IAM) -> Add role assignment -> Storage Blob Data Reader -> Members -> Managed identity -> Select members -> [select your managed identity] -> Select -> Review + assign -> Review + assign

Assign Key Vault Administrator Role to User

Resource groups -> [select your resource group] -> Access Control (IAM) -> Add role assignment -> Key Vault Administrator -> Members -> User, group, or service principal -> Select members -> [select your user account] -> Select -> Review + assign -> Review + assign (Activate Role)

Create Key Vault to Store Access Keys

Key vaults -> Create -> [select your resource group] -> Name -> [provide a name] -> Access configuration -> Azure role-based access control (recommended) -> Review + create -> Create -> Go to resource -> Overview -> [verify soft-delete and purge protection are enabled]

Create a Customer Managed Key (CMK)

Key vault -> Objects -> Keys -> Generate/Import -> Name -> [name the key] -> Create

Assign Key Vault Crypto Service Encryption User Role to Managed Identity

Resource groups -> [select your resource group] -> Access Control (IAM) -> Add role assignment -> Key Vault Crypto Service Encryption User -> Members -> Managed identity -> Select members -> [select your managed identity] -> Select -> Review + assign -> Review + assign

Configure Encryption for Storage Account to use Customer-Managed Keys (CMK) in the Key Vault

Return to storage account -> Security + networking -> Encryption -> Customer-managed keys -> Select a key vault and key -> [select your key vault and key] -> Identity type -> User-assigned -> Select an identity -> [select your managed identity] -> Add -> Save

Configure an Immutable Policy (Time-based Retention) and Encryption Scope

Storage account -> Data storage -> Containers -> Create container -> hold -> Create -> [upload a file] -> Settings -> Access policy -> + Add policy -> Policy type -> time-based retention -> Retention period -> 5 days -> Save -> [try to delete file] -> [verify "failed to delete blobs" message]

Create and Apply Encryption Scope that enables infrastructure encryption to storage account

Storage account -> Security + networking -> Encryption -> Encryption scopes -> Add -> Name -> [enter a name] -> Encryption type -> Microsoft-managed key -> Infrastructure encryption -> Enable -> Create -> [return to storage account] -> Create a new container -> Advanced -> Encryption scope -> [select your new scope]

Clean up resources

Resource groups -> [select your resource group] -> Delete resource group -> [type the resource group name] -> Delete

Conclusion

Across these five tasks, we’ve explored how Azure Storage can be tailored to meet a wide range of enterprise needs—from public content delivery and internal document protection to secure app development and departmental file sharing. Each scenario demonstrates how thoughtful configuration—whether through redundancy models like RA-GRS and ZRS, access control via RBAC and managed identities, or data protection features like snapshots, versioning, and immutability—can transform storage from a passive resource into a strategic asset.

By aligning storage architecture with business goals, security standards, and operational workflows, we not only meet technical requirements—we build solutions that scale, adapt, and protect. Whether you're designing for global reach or internal governance, Azure provides the flexibility and control to do it right.

🖥️⚙️ Azure VM Provisioning & Web Server Setup: Linux Nginx and Windows IIS Deployment

Francis Adeboye — Sun, 03 Aug 2025 16:38:54 +0000

This guide outlines a practical, hands-on task involving the provisioning and configuration of Azure Virtual Machines to host two of the most popular web servers in use today. This is a foundational skill for anyone looking to work with cloud infrastructure.

What We'll Be Doing

We'll be setting up two distinct environments to get a feel for managing different server types in the cloud:

Linux VM with Nginx: We'll provision a Linux-based virtual machine and configure it to run Nginx. Nginx is a lightweight, high-performance web server that is widely used for static sites, reverse proxies, and scalable microservices. You'll learn how to set up and manage a Linux server from scratch.
Windows VM with IIS: We'll provision a Windows-based virtual machine and configure it to run IIS (Internet Information Services). As Microsoft's integrated web server, IIS is the go-to choice for hosting .NET applications, enterprise-level solutions, and internal portals. This will give you experience with the Windows Server ecosystem.

Why This Matters for Your Career

Engaging in this task provides a wealth of benefits that directly translate to your career and skill set:

Hands-on Mastery: You'll gain practical experience with VM provisioning, a core skill for any cloud professional. We'll walk through the process using both the Azure Portal (for a visual approach) and the Azure CLI (for automation and scripting practice).
Cross-Platform Expertise: Get comfortable working with both Linux and Windows server environments. In today's diverse tech landscape, being proficient in both is a huge advantage, making you a more versatile and valuable asset to any team.
Understanding Cloud Concepts: You'll solidify your understanding of fundamental cloud concepts like networking, security groups, public IPs, and remote access—all in a real-world context.

🚀 Ready to dive in? Let's get started!

🧱 Task 1: Installing IIS on an Azure Windows VM

First, log on to the Azure Portal.

Before we create our VM, we'll start by creating a dedicated Resource Group. This is a logical container that holds related resources for an Azure solution. Using a Resource Group helps with organization, cost management, and lifecycle management of your services.

Create a Resource Group

In the Azure Portal search bar, type Resource Group and select it from the results.

Click + Create to get started.

Subscription: Select your Azure subscription.
Resource group name: Enter a descriptive name like WebServer-RG.
Region: Choose a region where you want your resources to be deployed. For this demonstration, we'll use UK South
Click Review + Create, then Create. Your new resource group will be ready in a few moments.

Create the Windows Virtual Machine

Now that our resource group is ready, let's create the Windows VM within it.

Select Create within the WebServer-RG , then type Virtual Machine and select + Create > Azure Virtual Machine.
Fill out the required parameters:
Resource group: Select the WebServer-RG we just created.
Virtual machine name: Name your VM, for example, WindowsVM.
Region: This should be the same as your resource group's region (UK South).
Image: Choose a suitable Windows Server image.
Size: Select a VM size.
Administrator account: Create a username and password for your VM.
** Set Inbound Traffic to None, as We will configure Network Security Group NSG separately.

💰 Cost-Saving Tip: For this demonstration, you can select the Azure Spot Discount option to get a lower rate. Keep in mind that Spot VMs can be evicted if Azure needs the capacity, so they are not recommended for production workloads.

Configure Disks, Management & Tags

Disks: For this guide, we'll use the default OS disk. We'll add a separate data disk later for best practice.
Management: Disable Boot diagnostics under the Monitoring tab for more control and privacy over your data.
Tags: Use tags for better resource management. Tags are key-value pairs that help with cost management and categorization. For example: - Key: Department - Value: IT - Key: Project - Value: WebServerDemo

Finalize and Create the VM

After reviewing all the settings, click Review + create. Once the validation passes, click Create. The deployment will take a few minutes.

Attach and Initialize a Data Disk

Although the OS disk is ready, it's a best practice to keep your web content on a separate Data disk. This makes it easier to manage backups and resize storage independently.

Navigate to your new VM's resource page.
Under Settings, go to Disks.
Click + Create and attach a new disk.
Choose a size and type for your new disk, then click OK.

Create Network Security Group NSG to allow Inbound Traffic

Networking: We will configure inbound ports to allow RDP (port 3389) for remote access and HTTP (port 80) for web traffic.

Connect to the VM and Prepare the Disk

Now it's time to connect to the VM using RDP to finalize the setup.

On the VM's overview page, click Connect > RDP.
Search for Remote Desktop on Local Machine and connect to WindowsVM using the administrator credentials you created earlier.
Inside the VM, search for Disk Management in the Start menu.
You'll see the new disk you just attached. It will be marked as "Not Initialized."
Right-click the disk and select Initialize Disk.
Right-click on the unallocated space and select New Simple Volume. Follow the wizard to format the disk and assign it a drive letter.

Install and Verify IIS

With the VM ready, let's install IIS. The easiest way is with PowerShell.

Launch PowerShell as an Administrator.
Run the following command to install the web server role and its management tools:

Install-WindowsFeature Web-Server -IncludeManagementTools

Verify Webserver is running via Power Shell

Invoke-WebRequest http://vm-public-ip-address

Once the installation is complete, you can verify it's running from your browser.

Find the VM's public IP address in the Azure Portal.
Open a new browser tab and navigate to http://<your-vm-public-ip-address>.

You should see the default IIS welcome page! This confirms your web server is up and running.

🪟 Task 2: Deploying a Web Server (NGINX) on Azure Linux VM via CLI

In this section, we’ll provision an Ubuntu Linux VM using Azure CLI and configure it as a web server by installing Nginx.

Purpose:
To demonstrate automated resource provisioning using Azure CLI and highlight its contrast with GUI-based deployment via the portal. This method offers transparency, repeatability, and control—skills essential for FinOps, DevOps, and security workflows.

While this guide uses Azure CLI, alternative Infrastructure as Code (IaC) approaches like PowerShell, ARM templates, Bicep, and Terraform can be used based on team preferences, project scale, and governance requirements.

Prerequisites:

Azure CLI installed on your local machine: You can follow the official Azure CLI installation guide to get it installed.

Log on to Azure portal via CLI

Launch Terminal or VSCode run az login to connect Azure Portal
Select the Subscription number to be used for the deployment
This will prompt microsoft authentication in the browser
Fill in your azure portal credentials to complete log in process

Create or Use Existing Resource Group

In the previous task, We created a Resource Group named WebServer-RG which I will be using for the rest of this demonstration.

List out existing Resource Group in Azure Account az group list --output table

Deploy Azure Linux Virtual Machine (Ubuntu)

✅ Tip: --nsg-rule NONE avoids exposing inbound ports.

# Create azure vm
az vm create \
  --name LinuxVM \
  --resource-group WebServer-RG \
  --image Ubuntu2204 \
  --size Standard_D2s_v3 \
  --admin-username azureuser \
  --generate-ssh-keys \
  --priority Spot \
  --eviction-policy Deallocate \
  --nsg-rule NONE \
  --tags environment="Development Lab" os="Linux" department="IT Operations" role="Cloud Administrator"

# Disable Boot Diagnostics
az vm update --name LinuxVM --resource-group WebServer-RG --set diagnosticsProfile.bootDiagnosticsEnabled=false

Create NSG to allow Inbound Traffic on Port 22(SSH) & Port 80(HTTP)

# Create NSG rule for SSH and HTTP access
az network nsg rule create --resource-group WebServer-RG --nsg-name LinuxVMNSG --name AllowSSH --protocol Tcp --priority 1000 --destination-port-range 22 --access Allow
az network nsg rule create --resource-group WebServer-RG --nsg-name LinuxVMNSG --name AllowHTTP --protocol Tcp --priority 1001 --destination-port-range 80 --access Allow

Create Data Disk & Associate New Disk to VM

# Create Data Disk and attach it to the VM
az disk create --resource-group WebServer-RG --name DataDisk1 --size-gb 8 --sku Standard_LRS
az vm disk attach --resource-group WebServer-RG --vm-name LinuxVM --name DataDisk1

Connect to VM via Secure Shell (SSH)

Navigate to the Path where the ssh key is kept, typically would be in /.ssh

# Connect to the VM using SSH
ssh -i "file-path-to-ssh-key" azureuser@<vm-public-ip-address>

Mount Newly Created Data Disk on VM

# Switch to root user
sudo su

# Mount Disk
<< EOF
sudo fdisk /dev/sdc << EOL
n
p
1
w
EOL
sudo mkfs.ext4 /dev/sdc1
sudo mkdir /mnt/data
sudo mount /dev/sdc1 /mnt/data
echo '/dev/sdc1 /mnt/data ext4 defaults 0 0' | sudo tee -a /etc/fstab
EOF

# List the disk in Linux VM with df command
df -h

# Show mounted disks
lsblk

Install NGINX on Ubuntu Virtual Machine

# Install NGINX on the VM
apt update
apt install -y nginx
systemctl start nginx
systemctl enable nginx

# Check NGINX status
systemctl status nginx

Clean Up Resources

# Stop the virtual machine
az vm stop --name LinuxVM --resource-group WebServer-RG

# Delete the virtual machine
az vm delete --name LinuxVM --resource-group WebServer-RG --yes --no-wait   

# Clean up the resource group
az group delete --name WebServer-RG --yes --no-wait

🧠 Final Thoughts

Provisioning web servers across different platforms in Azure isn’t just a technical exercise—it’s a blueprint for cloud fluency. By deploying IIS via the portal and NGINX via CLI, you’ve shown how flexible Azure can be for hybrid workflows, real-world scenarios, and secure architecture.

🌐 Cloud Computing Basics: 7 Key Concepts You Should Know

Francis Adeboye — Sat, 02 Aug 2025 07:31:53 +0000

Cloud computing has revolutionized how we deploy, manage, and scale services. Whether you're in IT support, aiming for a career in cloud security, or just curious about the landscape—grasping these foundational concepts can sharpen your edge. Let's break them down.

1. Virtualization

Virtualization is the process of creating a virtual version of something, like a server, storage device, or network. It's the technology that allows multiple virtual machines (VMs) to run on a single physical server, which dramatically optimizes resource usage and provides isolation. Think of it as a single computer being able to run several other computers inside of it, each with its own operating system and applications.

2. Scalability

Scalability refers to a system's ability to handle an increased workload by adding more resources. In cloud environments, this typically means you can increase your compute power, storage, or other services to meet growing demand without compromising performance. A good example is a website that can handle a few hundred visitors a day but can also scale up to handle thousands during a flash sale.

3. Agility

Agility is the ability to rapidly respond to change. This could mean releasing new features, patching vulnerabilities, or quickly adjusting your infrastructure. The cloud gives teams the flexibility to experiment and innovate at a much faster pace than traditional on-premises setups. With a few clicks, you can deploy a new environment to test an idea and tear it down just as easily.

4. High Availability (HA)

High Availability ensures that systems remain operational with minimal downtime, even when individual components fail. This is achieved through a combination of redundancy, load balancing, and failover mechanisms. If one server goes down, another is ready to take over instantly, ensuring a seamless experience for users.

5. Fault Tolerance

Fault tolerance is the ability of a system to continue functioning even when parts of it completely fail. While high availability focuses on recovering quickly, fault-tolerant systems are designed to avoid downtime altogether by duplicating every component. Imagine two identical systems running in parallel—if one fails, the other doesn't skip a beat. This is often more costly but crucial for mission-critical applications where even a moment of downtime is unacceptable.

6. Global Reach

Global reach means you can deploy applications and services across multiple geographical regions and data centers around the world. This helps improve latency and user experience by placing your services physically closer to your end-users. It also increases availability by distributing your application across different locations, making it more resilient to regional outages.

7. Elasticity vs. Scalability

These two terms are often used interchangeably, but there's a key difference:

Concept	Definition
Scalability	The ability of a system to grow over time in response to increased demand. It's a planned, strategic action.
Elasticity	The ability to automatically adjust resources—scaling up or scaling down—based on fluctuating demand. It's dynamic and reactive.

Think of scalability as a planned increase in your resources to meet anticipated growth, while elasticity is the system's ability to handle unexpected spikes in traffic and then shrink back down to save costs.

Final Thoughts

These core principles are the building blocks for understanding cloud architecture and will prove invaluable as you dive deeper into areas like FinOps (cloud financial management) and security. Grasping these concepts will help you make smarter design decisions, optimize costs, and build more resilient applications.