Iliou - TP2
Prepare cloud shell for later use
Log in to the Azure portal (https://portal.azure.com) using the credentials below:
Username [email protected]
Password Ag0He7$!Dk
In the toolbar at the top of the Azure portal, select the Cloud Shell icon.
In the Welcome to Azure Cloud Shell dialog, select BASH.
On the "You have no storage mounted" screen, select Show advanced settings.
In the advanced settings screen, fill in the following fields, then click Create Storage:
After the cloud shell initializes and puts you at a text prompt, exit the shell.
In this exercise, you'll configure the access to the virtual machine (VM) you created earlier in
this module. The Microsoft Learn sandbox should still be running. If the sandbox timed out,
you'll need to redo the previous exercise (Exercise - Create an Azure virtual machine).
Right now, the VM you created and installed Nginx on isn't accessible from the internet.
You'll create a network security group that changes that by allowing inbound HTTP access on
port 80.
Run the following az vm list-ip-addresses command to get your VM's IP address and store the
result as a Bash variable:
azurecli
IPADDRESS="$(az vm list-ip-addresses \
--resource-group myRGKV-lod41289313 \
--name my-VM \
--query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
--output tsv)"
Run the following curl command to download the home page:
bash
curl --connect-timeout 5 http://$IPADDRESS
The --connect-timeout argument specifies to allow up to five seconds for the connection to
occur. After five seconds, you see an error message that states that the connection timed out:
output
curl: (28) Connection timed out after 5001 milliseconds
This message means that the VM was not accessible within the timeout period.
As an optional step, try to access the web server from a browser:
bash
echo $IPADDRESS
You see an IP address, for example, 23.102.42.235.
Open a new browser tab and go to your web server. After a few moments, you see that the
connection isn't happening.
If you wait for the browser to time out, you'll see something like this:
Screenshot of a web browser showing an error message that says the connection timed out.
Keep this browser tab open for later.
Run the following az network nsg list command to list the network security groups that are
associated with your VM:
azurecli
az network nsg list \
--resource-group myRGKV-lod41289313 \
--query '[].name' \
--output tsv
You see this:
output
my-VM-NSG
Every VM on Azure is associated with at least one network security group. In this case, Azure
created an NSG for you called my-VM-nsg.
Run the following az network nsg rule list command to list the rules associated with the NSG
named my-VM-nsg:
azurecli
az network nsg rule list \
--resource-group myRGKV-lod41289313 \
--nsg-name my-VM-nsg
You see a large block of text in JSON format in the output. In the next step, you'll run a
similar command that makes this output easier to read.
Run the az network nsg rule list command a second time. This time, use the --query argument
to retrieve only the name, priority, affected ports, and access (Allow or Deny) for each rule.
The --output argument formats the output as a table so that it's easy to read.
azurecli
az network nsg rule list \
--resource-group myRGKV-lod41289313 \
--nsg-name my-VM-nsg \
--query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
--output table
You see this:
output
Name Priority Port Access
----------------- ---------- ------ --------
default-allow-ssh 1000 22 Allow
You see the default rule, default-allow-ssh. This rule allows inbound connections over port 22
(SSH). SSH (Secure Shell) is a protocol that's used on Linux to allow administrators to access
the system remotely. The priority of this rule is 1000. Rules are processed in priority order,
with lower numbers processed before higher numbers.
By default, a Linux VM's NSG allows network access only on port 22. This enables
administrators to access the system. You need to also allow inbound connections on port 80,
which allows access over HTTP.
Run the following az network nsg rule create command to create a rule called allow-http that
allows inbound access on port 80:
azurecli
az network nsg rule create \
--resource-group myRGKV-lod41289313 \
--nsg-name my-VM-nsg \
--name allow-http \
--protocol tcp \
--priority 100 \
--destination-port-range 80 \
--access Allow
For learning purposes, here you set the priority to 100. In this case, the priority doesn't matter.
You would need to consider the priority if you had overlapping port ranges.
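To make the priority point concrete, here is an added example (not part of the original lab): a first-match evaluator over rule rows in the Name/Priority/Port/Access shape used on this page. The deny-web-range rule and the second rule set are hypothetical, constructed to create an overlap on port 80; source, protocol and direction are not modelled.

```shell
#!/bin/sh
# Added example, not from the original lab. Rows are constructed samples in the
# shape: name<TAB>priority<TAB>destinationPortRange<TAB>access.
# deny-web-range is a hypothetical rule that overlaps allow-http on port 80.
TAB="$(printf '\t')"
RULES_LAB="$(printf '%s\t%s\t%s\t%s\n' \
  default-allow-ssh 1000 22    Allow \
  deny-web-range    200  80-90 Deny \
  allow-http        100  80    Allow)"
# Same rules, but allow-http is given a higher number than the overlapping deny.
RULES_SWAPPED="$(printf '%s\t%s\t%s\t%s\n' \
  default-allow-ssh 1000 22    Allow \
  deny-web-range    200  80-90 Deny \
  allow-http        300  80    Allow)"

# nsg_decide RULES PORT -> prints "<Access> <rule name>" for the first match.
# Rules are sorted by ascending priority and evaluation stops at the first rule
# whose port range covers PORT. If nothing matches, internet-sourced inbound
# traffic falls through to Azure's default DenyAllInBound rule.
# Simplification: source, protocol and direction are ignored.
nsg_decide() {
  printf '%s\n' "$1" | sort -t "$TAB" -k2,2n | awk -F '\t' -v port="$2" '
    {
      lo = $3; hi = $3
      if ($3 == "*") { lo = 0; hi = 65535 }
      else if (split($3, r, "-") == 2) { lo = r[1]; hi = r[2] }
      if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
        print $4, $1; found = 1; exit
      }
    }
    END { if (!found) print "Deny DenyAllInBound" }'
}

nsg_decide "$RULES_LAB" 80      # allow-http (100) is evaluated before the deny
nsg_decide "$RULES_LAB" 85      # only the deny range covers 85
nsg_decide "$RULES_SWAPPED" 80  # the deny (200) now wins over allow-http (300)
nsg_decide "$RULES_LAB" 443     # no custom rule matches
```

With the lab's own two rules there is no overlap, which is why the choice of 100 has no effect there.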
To verify the configuration, run az network nsg rule list to see the updated list of rules:
azurecli
az network nsg rule list \
--resource-group myRGKV-lod41289313 \
--nsg-name my-VM-nsg \
--query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
--output table
You see both the default-allow-ssh rule and your new rule, allow-http:
output
Name Priority Port Access
----------------- ---------- ------ --------
default-allow-ssh 1000 22 Allow
allow-http 100 80 Allow
After you update the NSG, it may take a few moments before the updated rules propagate.
Retry the next step, with pauses between attempts, until you get the desired results.
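Run the same curl command that you ran earlier. Once the rule is in effect, it returns the home page:
html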
<html><body><h2>Welcome to Azure! My name is my-VM.</h2></body></html>
As an optional step, refresh your browser tab that points to your web server.
A screenshot of a web browser showing the home page from the web server. The home page
displays a welcome message.