Getting Started with Azure CLI: Build a 3-Tier Network

Azure CLI is a tool designed to help you quickly and efficiently manage Azure services.

I’ve spent some time playing with Azure CLI to understand if it’s comparable to AWS CLI.

Azure Client Configuration

This article assumes that the azure-cli package has already been installed on the system.

Configure the client:

$ az configure

Login into Azure:

$ az login

You have logged in. Now let us find all the subscriptions to which you have access...
[
  {
    "cloudName": "AzureCloud",
    "id": "abcdefgh-1234-5678",
    "isDefault": true,
    "name": "example Azure EMEA POS PAYG",
    "state": "Enabled",
    "tenantId": "1234567-1234-5678",
    "user": {
      "name": "[email protected]",
      "type": "user"
    }
  }
]

Provision Azure Resources via CLI

We are going to create a 3-Tier network: DMZ, application and database.

Resource Group

First of all, create a resource group called ux_group. UX stands for User Experience.

$ az group create --name ux_group --location uksouth

If you want to delete a resource group, do the following. Be aware that this removes every resource inside the group (VMs, disks, NICs, public IPs, the VNet) and asks for confirmation unless you pass --yes:

$ az group delete --name ux_group

Virtual Network and Subnets

Create a virtual network and a DMZ subnet. The VNet address space 10.1.0.0/22 spans 10.1.0.0 to 10.1.3.255, so the three /24 subnets used here (10.1.1.0, 10.1.2.0 and 10.1.3.0) all fit inside it:

$ az network vnet create \
  --name ux_vnet \
  --resource-group ux_group \
  --subnet-name ux_vlan_dmz \
  --address-prefixes 10.1.0.0/22 \
  --subnet-prefixes 10.1.1.0/24

Create a new subnet for the application layer:

$ az network vnet subnet create \
  --vnet-name ux_vnet \
  --resource-group ux_group \
  --name ux_vlan_app \
  --address-prefixes 10.1.2.0/24

Create a new subnet for the database layer:

$ az network vnet subnet create \
  --vnet-name ux_vnet \
  --resource-group ux_group \
  --name ux_vlan_secure \
  --address-prefixes 10.1.3.0/24

Security Groups

Create three network security groups (NSGs), one per tier. An NSG is a stateful packet filter that can be attached to a subnet or to a NIC; in this article each one is attached to the NIC of the server placed in that tier:

$ az network nsg create \
  --resource-group ux_group \
  --name ux_nsg_dmz
$ az network nsg create \
  --resource-group ux_group \
  --name ux_nsg_app
$ az network nsg create \
  --resource-group ux_group \
  --name ux_nsg_secure

If you need to delete a security group, do the following:

$ az network nsg delete \
  --resource-group ux_group \
  --name ux_nsg_dmz

Firewall Rules

NSG rules are evaluated in priority order (the lowest number wins), and your rules sit in front of three built-in defaults: AllowVnetInBound (65000) permits all traffic between subnets of the same VNet, AllowAzureLoadBalancerInBound (65001) permits load balancer probes, and DenyAllInBound (65500) drops everything else. Create a rule for the DMZ subnet that allows SSH only from two administrative addresses:

$ az network nsg rule create \
  --name Allow_custom_SSH \
  --nsg-name ux_nsg_dmz \
  --priority 100 \
  --resource-group ux_group \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --destination-port-ranges 22 \
  --source-address-prefixes 1.2.3.4/32 5.6.7.8/32

Create a rule for the DMZ subnet to allow HTTP/S access. No --source-address-prefixes is given, so the source defaults to any address (*), which is what a public-facing web tier needs:

$ az network nsg rule create \
  --name Allow_HTTP_HTTPS \
  --nsg-name ux_nsg_dmz \
  --priority 101 \
  --resource-group ux_group \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --destination-port-ranges 80 443

Create a firewall rule for the application subnet to allow custom SSH access:

$ az network nsg rule create \
  --name Allow_custom_SSH \
  --nsg-name ux_nsg_app \
  --priority 100 \
  --resource-group ux_group \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --destination-port-ranges 22 \
  --source-address-prefixes 1.2.3.4/32 5.6.7.8/32

Create a firewall rule for the database subnet to allow custom SSH access:

$ az network nsg rule create \
  --name Allow_custom_SSH \
  --nsg-name ux_nsg_secure \
  --priority 100 \
  --resource-group ux_group \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --destination-port-ranges 22 \
  --source-address-prefixes 1.2.3.4/32 5.6.7.8/32

Storage

Create a storage account. The name must be globally unique across Azure and consist of 3 to 24 lowercase letters and digits, so uxstorageaccount will need changing if it is already taken. The managed disks created below do not depend on this account:

$ az storage account create \
  --sku Premium_LRS \
  --kind StorageV2 \
  --resource-group ux_group \
  --name uxstorageaccount

Create a standalone managed disk for the DMZ server. This step is optional: az vm create builds the OS disk itself from the image, and its --os-disk-name option names that new disk, so an empty disk created here cannot serve as the OS disk and should not be given the same name. A disk created this way is attached as a data disk with --attach-data-disks:

$ az disk create \
  --name mydmzserver1_disk1 \
  --resource-group ux_group \
  --size-gb 30 \
  --sku Standard_LRS

Create a DMZ VM

Create a public IP that will be used by the DMZ server:

$ az network public-ip create \
  --name ux_ip1 \
  --resource-group ux_group \
  --allocation-method Static

Create a NIC for the DMZ server and attach the public IP:

$ az network nic create \
  --name mydmzserver1_nic1 \
  --resource-group ux_group \
  --vnet-name ux_vnet \
  --subnet ux_vlan_dmz \
  --network-security-group ux_nsg_dmz \
  --public-ip-address ux_ip1 \
  --private-ip-address 10.1.1.5

Create a new virtual machine in the DMZ subnet. The centos image alias resolves to an OpenLogic CentOS image; check the alias table printed by az vm image list before relying on it, since the list of aliases changes between CLI versions.

When specifying an existing NIC, do not specify NSG, public IP, ASGs, VNet or subnet.

$ az vm create \
  --name mydmzserver1 \
  --resource-group ux_group \
  --nics mydmzserver1_nic1 \
  --image centos \
  --size Standard_B2ms \
  --authentication-type ssh \
  --ssh-key-value ~/.ssh/id_rsa.pub \
  --os-disk-name mydmzserver1_disk1 \
  --os-disk-size-gb 30 \
  --os-disk-caching ReadWrite \
  --storage-sku Standard_LRS

Create an Application VM

Create a public IP for the application server. In a tiered design neither the application nor the database server needs one, since only the DMZ host should be reachable from the Internet; the article assigns them anyway, so the NSG rules above are the only thing limiting inbound access to those servers:

$ az network public-ip create \
  --name ux_ip2 \
  --resource-group ux_group \
  --allocation-method Static

Create a NIC for the application server:

$ az network nic create \
  --name myappserver1_nic1 \
  --resource-group ux_group \
  --vnet-name ux_vnet \
  --subnet ux_vlan_app \
  --network-security-group ux_nsg_app \
  --public-ip-address ux_ip2 \
  --private-ip-address 10.1.2.5

Create the application VM. When specifying an existing NIC, do not specify NSG, public IP, ASGs, VNet or subnet.

$ az vm create \
  --name myappserver1 \
  --resource-group ux_group \
  --nics myappserver1_nic1 \
  --image centos \
  --size Standard_D2s_v3 \
  --authentication-type ssh \
  --ssh-key-value ~/.ssh/id_rsa.pub \
  --os-disk-name myappserver1_disk1 \
  --os-disk-size-gb 64 \
  --os-disk-caching ReadWrite \
  --storage-sku Premium_LRS

Create a Database VM

Create a public IP for the database server:

$ az network public-ip create \
  --name ux_ip3 \
  --resource-group ux_group \
  --allocation-method Static

Create a NIC for the database server:

$ az network nic create \
  --name mydbserver1_nic1 \
  --resource-group ux_group \
  --vnet-name ux_vnet \
  --subnet ux_vlan_secure \
  --network-security-group ux_nsg_secure \
  --public-ip-address ux_ip3 \
  --private-ip-address 10.1.3.5

Create the database VM. When specifying an existing NIC, do not specify NSG, public IP, ASGs, VNet or subnet.

$ az vm create \
  --name mydbserver1 \
  --resource-group ux_group \
  --nics mydbserver1_nic1 \
  --image centos \
  --size Standard_D2s_v3 \
  --authentication-type ssh \
  --ssh-key-value ~/.ssh/id_rsa.pub \
  --os-disk-name mydbserver1_disk1 \
  --os-disk-size-gb 64 \
  --os-disk-caching ReadWrite \
  --storage-sku Premium_LRS

At this stage we should have three servers running in Azure, each with a public IP and an SSH rule limited to the two administrative addresses. Two things are worth noting before calling this a 3-tier network: the built-in AllowVnetInBound rule lets the DMZ, application and database subnets talk to each other on every port, and the application and database servers are Internet-facing even though nothing in their tier needs to be.
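Putting the whole procedure together, the following script is an added example (mine, not the article's) that builds the same resource group, VNet, subnets and NSGs with the article's names, prefixes and admin addresses, but tightens what the commands above leave open: NSGs are attached to the subnets rather than to individual NICs, the application and database NICs get no public IP, each tier accepts traffic only from the tier in front of it (SSH to the inner tiers goes through the DMZ host), a Deny rule at priority 4000 overrides the built-in AllowVnetInBound rule, and the rule helper refuses to create an SSH allow rule that is open to the whole Internet. The application port 8080 and the database port 5432 are assumptions, since the article names neither. The VMs are then created with the az vm create commands above, one per NIC.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): build the same three-tier
# network, but with each tier reachable only from the tier in front of it.
# DRY_RUN=1 prints the az commands instead of running them.
set -euf   # -f keeps '*' literal when it is passed as a port or address list

RG=ux_group
LOC=uksouth
VNET=ux_vnet
VNET_PREFIX=10.1.0.0/22
DMZ_PREFIX=10.1.1.0/24
APP_PREFIX=10.1.2.0/24
DB_PREFIX=10.1.3.0/24
ADMIN_SRC="1.2.3.4/32 5.6.7.8/32"   # the article's SSH source addresses
APP_PORT=8080   # assumption: the article does not say what the app tier serves
DB_PORT=5432    # assumption: PostgreSQL; the article does not name the database

az_run() {   # every az call goes through here so the whole build can be dry-run
  if [ "${DRY_RUN:-0}" = 1 ]; then printf 'az %s\n' "$*"; else az "$@" --output none; fi
}

ip2int() {   # dotted quad -> integer, for the prefix check below
  local a=${1%%.*} r=${1#*.}
  local b=${r%%.*}; r=${r#*.}
  local c=${r%%.*} d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_within CHILD PARENT: succeeds when every address of CHILD lies inside PARENT.
cidr_within() {
  local c_ip=${1%/*} c_len=${1#*/} p_ip=${2%/*} p_len=${2#*/} mask
  [ "$c_len" -ge "$p_len" ] || return 1
  mask=$(( (0xFFFFFFFF << (32 - p_len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$c_ip") & mask )) -eq $(( $(ip2int "$p_ip") & mask )) ]
}

# nsg_rule NSG NAME PRIORITY ACCESS PORTS SOURCES [PROTOCOL]
# Refuses to create an SSH allow rule whose source is the whole Internet.
nsg_rule() {
  local nsg=$1 name=$2 prio=$3 access=$4 ports=$5 sources=$6 proto=${7:-Tcp} p s
  if [ "$access" = Allow ]; then
    for p in $ports; do
      [ "$p" = 22 ] || continue
      for s in $sources; do
        case $s in '*'|Internet|0.0.0.0/0)
          echo "refusing $nsg/$name: SSH open to $s" >&2; return 1;;
        esac
      done
    done
  fi
  az_run network nsg rule create --resource-group "$RG" --nsg-name "$nsg" \
    --name "$name" --priority "$prio" --access "$access" --protocol "$proto" \
    --direction Inbound --destination-port-ranges $ports --source-address-prefixes $sources
}

tier_rules() {
  # DMZ: exactly the article's rules (admin SSH, public HTTP/S)
  nsg_rule ux_nsg_dmz Allow_custom_SSH 100 Allow 22 "$ADMIN_SRC"
  nsg_rule ux_nsg_dmz Allow_HTTP_HTTPS 101 Allow "80 443" '*'
  # App tier: only the DMZ subnet may reach it (SSH via the DMZ host, plus the app port)
  nsg_rule ux_nsg_app Allow_SSH_from_DMZ 100 Allow 22 "$DMZ_PREFIX"
  nsg_rule ux_nsg_app Allow_App_from_DMZ 110 Allow "$APP_PORT" "$DMZ_PREFIX"
  # Database tier: SSH via the DMZ host, the database port only from the app subnet
  nsg_rule ux_nsg_secure Allow_SSH_from_DMZ 100 Allow 22 "$DMZ_PREFIX"
  nsg_rule ux_nsg_secure Allow_DB_from_App 110 Allow "$DB_PORT" "$APP_PREFIX"
  # The built-in AllowVnetInBound rule (priority 65000) lets every subnet reach every
  # other on all ports; a Deny at 4000 overrides it once the allows above have matched.
  for n in ux_nsg_app ux_nsg_secure; do
    nsg_rule "$n" Deny_VNet_Inbound 4000 Deny '*' VirtualNetwork '*'
  done
}

build_network() {
  for s in "$DMZ_PREFIX" "$APP_PREFIX" "$DB_PREFIX"; do
    cidr_within "$s" "$VNET_PREFIX" || { echo "$s is outside $VNET_PREFIX" >&2; return 1; }
  done
  az_run group create --name "$RG" --location "$LOC"
  az_run network vnet create --resource-group "$RG" --name "$VNET" --address-prefixes "$VNET_PREFIX" \
    --subnet-name ux_vlan_dmz --subnet-prefixes "$DMZ_PREFIX"
  az_run network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" --name ux_vlan_app --address-prefixes "$APP_PREFIX"
  az_run network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" --name ux_vlan_secure --address-prefixes "$DB_PREFIX"
  for n in dmz app secure; do az_run network nsg create --resource-group "$RG" --name "ux_nsg_$n"; done
  tier_rules
  # Attach each NSG to its subnet so every NIC placed there inherits it
  # (the article attaches NSGs per NIC, which must be remembered for every new VM).
  az_run network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name ux_vlan_dmz --network-security-group ux_nsg_dmz
  az_run network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name ux_vlan_app --network-security-group ux_nsg_app
  az_run network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name ux_vlan_secure --network-security-group ux_nsg_secure
  # Only the DMZ NIC gets a public IP; the app and database NICs stay private.
  az_run network public-ip create --resource-group "$RG" --name ux_ip1 --allocation-method Static
  az_run network nic create --resource-group "$RG" --name mydmzserver1_nic1 --vnet-name "$VNET" --subnet ux_vlan_dmz --public-ip-address ux_ip1 --private-ip-address 10.1.1.5
  az_run network nic create --resource-group "$RG" --name myappserver1_nic1 --vnet-name "$VNET" --subnet ux_vlan_app --private-ip-address 10.1.2.5
  az_run network nic create --resource-group "$RG" --name mydbserver1_nic1 --vnet-name "$VNET" --subnet ux_vlan_secure --private-ip-address 10.1.3.5
}

verify() {   # list each tier's rules with the built-in defaults, to confirm the ordering
  for n in dmz app secure; do
    az network nsg rule list --resource-group "$RG" --nsg-name "ux_nsg_$n" --include-default --output table
  done
}

# Nothing runs unless asked: "tiers.sh apply" builds, "tiers.sh verify" lists the rules.
case "${1:-}" in apply) build_network ;; verify) verify ;; esac
```

Run it first as DRY_RUN=1 ./tiers.sh apply to review the generated commands, then without DRY_RUN to execute them, and finish with ./tiers.sh verify to check that Deny_VNet_Inbound sits above AllowVnetInBound in each inner tier. Because the admin addresses can no longer reach the application and database servers directly, SSH to them is a hop through mydmzserver1 (for example with ssh -J), which is the intended path in a DMZ design.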
