create a virtual network
search for virtual network in the marketplace > create
set name, region and so on
next (IP addresses) > set the address space > add subnet
create
make a virtual machine reachable from the public internet through ssh
create a public ip for vm1
search for public ip > create
set name, version, ...
set routing preference to Microsoft network
create
enter the public ip address > associate (top panel)
set network interfaces to vm1's network interface
enter vm1 > networking (left panel) > network settings > add network security
group
create port rule > inbound port rule
set service to ssh
NB: now you can enter vm1 via ssh; type hostname -I to get its private ip, and
connect to vm2 by adding 1 to that private ip address -> vm1 acts as a jump
host
routing traffic into a vnet
search for route table > create
set region, name and resource group
set "propagate gateway routes" to "no": this prevents propagation of on-premises
routes to the network interfaces in the associated subnets
create
enter the resource > settings > routes (left panel) > add
set destination type to IP addresses and destination to 0.0.0.0/0 (meaning it
captures all traffic)
set next hop type to virtual appliance (refers to a specialized virtual
machine or service that performs network-related tasks, such as a firewall) and
its ip
click on subnets (left panel) > associate
choose the virtual network and the subnet
enter your virtual machine in the subnet > networking > network settings >
network interfaces > help (left panel) > effective routes
you can check that the system default route that connects the vm to the
internet is invalid, meaning that it is overridden by our rule
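The vnet and the forced-tunnelling route table of the two sections above as a Bicep template; this is an added example, not part of the notes, and the names, prefixes and the appliance address 10.0.2.4 are assumptions.

```bicep
param location string = resourceGroup().location
param nvaPrivateIp string = '10.0.2.4' // assumed private IP of the firewall appliance (in its own subnet)

resource rt 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-subnet1'
  location: location
  properties: {
    disableBgpRoutePropagation: true // portal: "propagate gateway routes" = No
    routes: [
      {
        name: 'default-via-nva'
        properties: {
          addressPrefix: '0.0.0.0/0' // a user route with this prefix wins over the system "Internet" route
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaPrivateIp
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet1'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'subnet1' // the VM subnet: gets the route table (portal: subnets > associate)
        properties: {
          addressPrefix: '10.0.1.0/24'
          routeTable: { id: rt.id }
        }
      }
      {
        name: 'subnet-nva' // the appliance subnet: deliberately without the route table,
        properties: {      // otherwise the NVA's own egress would be sent back to itself
          addressPrefix: '10.0.2.0/24'
        }
      }
    ]
  }
}
```

The NVA's NIC must additionally have IP forwarding enabled or it drops the redirected packets. The effective-routes check from the notes can be repeated from a shell with `az network nic show-effective-route-table`, where the system 0.0.0.0/0 route shows as Invalid.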
configure vnet peering (remember it is not transitive)
enter vnet1 > settings > peering > add
set the peering name for both sides
select vnet2 as virtual network
set the options you need for both sides
securing vnets with Network Security Groups (NSGs) for nginx
search for network security group on the marketplace
set name and region
create
enter the network security group > settings (left panel) > network interfaces
open a cloud shell > ssh [username]@[NIC public IP]
sudo apt update && sudo apt install nginx -y
go back to the NSG > settings (left panel) > inbound security rules > add
set source and destination to Any
set service to http
add
check from browser: the nginx page should be reachable
extending NSGs with Application Security Groups (ASGs)
search for application security group in the marketplace > create
choose resource group, set name and region
create
enter one by one the vms you want to associate to the security group >
networking (left panel) > application security group > add application security
group
select the ASG
add
make sure that the vms are not individually associated to some NSG; if they
are, delete this association
enter the security group > settings (left panel) > subnets > associate
choose the virtual network your vms are in and the subnet
now you can create / update rules in the NSG setting an ASG as destination
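The NSG and ASG sections above as a Bicep template (an added example, not the notes' own content; the ssh rule of the jump-host section has the same shape with port 22). Resource names and the subnet id parameter are assumptions; the NSG is then associated with the subnet as in the notes.

```bicep
param location string = resourceGroup().location
param subnetId string // id of the existing subnet the VMs live in (assumption)

resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {
  name: 'asg-web'
  location: location
}

// ASG membership is a NIC property: this is the per-VM "application security group > add" step
resource vm1Nic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: 'vm1-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          privateIPAllocationMethod: 'Dynamic'
          applicationSecurityGroups: [ { id: webAsg.id } ]
        }
      }
    ]
  }
}

// A rule that targets an ASG must not also set destinationAddressPrefix
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-subnet1'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-http-to-web-asg' // portal: service = HTTP, destination = the ASG
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*' // the notes use Any; narrow this where only known clients need nginx
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: webAsg.id } ]
          destinationPortRange: '80'
        }
      }
    ]
  }
}
```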
implement azure load balancer
search for load balancer in the marketplace > create
set name
set region to the same as the vnet you are working in
set SKU according to your scenario
set Type to public
set tier (regional if all your vms are in the same region, global otherwise)
next (Frontend IP config) > add a frontend IP config
name the ip config, set version and type
add a public ip address
name it
save
save
next (backend pools) > add backend pool
name it
set the virtual network you are working in
add your resources through IP address or NIC
next (inbound rules)
add a load balancing rule
name it
set IP version
set your previously created ip config as frontend ip adress
set your previously created backend pool
choose the protocol, the frontend (public) and backend (private)
port
health probe: create new
name it
set it coherently with what the pool instances are expected to do
save
save
add an inbound nat rule (to forward ssh connections)
name it
set type to backend pool
set the backend pool to the previously created one
set the frontend ip address through the previously created ip config
choose a non-conflicting port as frontend port range start (e.g.
1000)
set the backend port to the one you will use for ssh in your
backend
save
next (outbound rules)
set it if you plan to reach an external server from your vms
create
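The load balancer procedure above as a Bicep template: an added example, not from the notes, assuming an existing Standard public IP passed by id and nginx on port 80 in the pool (so the probe and the rule both use port 80; the NAT rule maps frontend ports from 1000 to ssh as in the notes).

```bicep
param location string = resourceGroup().location
param lbPublicIpId string // id of an existing Standard, static public IP (assumption)
var lbName = 'lb-web'
var feId = resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'fe-public')
var poolId = resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'pool-web')
var probeId = resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'probe-http')

resource lb 'Microsoft.Network/loadBalancers@2023-09-01' = {
  name: lbName
  location: location
  sku: { name: 'Standard', tier: 'Regional' } // regional: all VMs in one region
  properties: {
    frontendIPConfigurations: [
      { name: 'fe-public', properties: { publicIPAddress: { id: lbPublicIpId } } }
    ]
    backendAddressPools: [ { name: 'pool-web' } ] // NICs join it from their ipconfig
    probes: [
      { name: 'probe-http', properties: { protocol: 'Http', port: 80, requestPath: '/', intervalInSeconds: 15, numberOfProbes: 2 } }
    ]
    loadBalancingRules: [
      {
        name: 'rule-http'
        properties: {
          frontendIPConfiguration: { id: feId }
          backendAddressPool: { id: poolId }
          probe: { id: probeId } // unhealthy members stop receiving traffic
          protocol: 'Tcp'
          frontendPort: 80
          backendPort: 80
        }
      }
    ]
    inboundNatRules: [
      {
        name: 'nat-ssh' // one frontend port per pool member: 1000 -> member 1, 1001 -> member 2, ...
        properties: {
          frontendIPConfiguration: { id: feId }
          backendAddressPool: { id: poolId }
          protocol: 'Tcp'
          frontendPortRangeStart: 1000
          frontendPortRangeEnd: 1010 // range must be at least as large as the pool
          backendPort: 22
        }
      }
    ]
  }
}
```

With a Standard load balancer the pool VMs have no outbound internet access unless an outbound rule (the last step of the notes) or a NAT gateway is configured.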
implement private DNS
search for private DNS zone in the marketplace > create
set the name you want as high-level domain (e.g. contoso.com; then you will be
able to set up vm1.contoso.com, vm2.contoso.com and so on)
create
enter the private DNS zone > settings (left panel) > virtual network links >
add
set the name and the virtual network you want to connect to
tick enable auto-registration to register each resource inside the vnet in
the DNS zone
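The private DNS zone and its auto-registration link as a Bicep template (added example, not part of the notes; the vnet name is an assumption, the domain is the one the notes use).

```bicep
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: 'vnet1' // assumed name of the vnet the VMs live in
}

resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'contoso.com'
  location: 'global' // private DNS zones are not regional resources
}

// registrationEnabled = the "enable auto-registration" tick box:
// every VM NIC in vnet1 gets an A record such as vm1.contoso.com
resource link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-vnet1'
  location: 'global'
  properties: {
    registrationEnabled: true
    virtualNetwork: { id: vnet.id }
  }
}
```

A vnet can have auto-registration enabled towards only one private zone; links to further zones must have registrationEnabled set to false.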
connect using azure bastion
enter the vnet where the subnet you want to jump into through azure bastion is >
add a subnet
choose azure bastion as subnet purpose
assign a /26 or larger address space
save
go back to the resource group > create > search for azure bastion > create > set
up manually (or deploy using the default config if it matches your needs)
name it
set the same region as the vnet you want to access
set the vnet and the bastion subnet you have previously created
set up the bastion public ip
optionally set up advanced options
create
test: enter a vm in a subnet inside the bastion vnet > connect (top panel) >
connect with bastion > enter your credentials/key for the vm
privately integrating public services (service endpoints)
create a storage account as example
enter the vnet where the vm that needs to connect to a service is
select the subnet > edit > tick Microsoft.Storage in the Service menu under
Service endpoints > save
enter the storage account > security + networking (left panel) > networking >
private endpoint connections (top panel) > add private endpoint
set name, ...
next (resource) > choose the target subservice
next (virtual network) > set vnet and subnet and choose ip config (if you
will use DNS, dynamic is ok)
next (DNS zone) > setup
create
restrict public access to a storage account
enter the storage account you want to secure > security + networking (left panel) >
networking > firewalls and virtual networks (top panel) > select enabled from
selected virtual networks and ip addresses
set up
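The service-endpoint and storage-firewall steps of the last two sections as one Bicep template (an added example, not from the notes; the vnet, subnet and storage account names are assumptions). The private-endpoint variant from the notes is not shown here.

```bicep
param location string = resourceGroup().location
param storageAccountName string = 'stcontosodemo001' // assumed; must be globally unique

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: 'vnet1' // assumed vnet of the VM that needs the storage account
}

// portal: subnet > edit > Service endpoints > Microsoft.Storage
// (a subnet PUT replaces its properties: keep any NSG / route table association here too)
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'subnet1'
  properties: {
    addressPrefix: '10.0.1.0/24'
    serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
  }
}

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    allowBlobPublicAccess: false // no anonymous container access on top of the network rules
    networkAcls: {
      // portal: "enabled from selected virtual networks and ip addresses"
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: subnet.id, action: 'Allow' } ] // only traffic from subnet1
      ipRules: [] // add admin IPs here only if the account must be reachable from outside the vnet
    }
  }
}
```

With defaultAction set to Deny, a request from anywhere but subnet1 (including the portal's own data plane from your workstation) is rejected with HTTP 403, which is the check to run after deploying.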