Azure - High level Network Design for Static Web Page

Below are the step by step process to create a complete network infrastructure for deploying static web application

1. Resource group

   1. This help us create all the resources in singe group that helps to track and manage the resource easily

2. VNet Configuration

   1. Enter the Name, Subscription, Resource group and also the region

   2. In Security tab can select the bastion host which helps in accessing the application deployed in instance(does not have public IP) in private subnet - paid service and also create public IP address with it helps in accessing bastion host

   3. Enable the Azure Firewall

      1. can select any tire

      2. policy - means how should the firewall behave - can create new

   4. IP Address Section

      1. Need to define the CIDR address

      2. Azure gives a clear interface which says what are all IP’s are available and what are all IP allocated to which resources.

3. Create VM

   1. There are different subnets are created but we are creating the VM in default subnet

   2. And we are using ssh key for authentication

   3. Leave default disk configuration

   4. In Network configuration select your VPC and select default subnet

   5. For public IP select none because we are going to access this VM from bastion host

4. SSH Into VM Using Bastion

   1. In the list of VM select the VM you created and click on connect

   2. In connect you can see a option called bastion click on that

   3. this will ask for the authentication (for this we can select ssh from local file)

   4. then connect , this will connect to the VM through the bastion host that created with VNet

   5. In that you can update and install the nginx using apt-get or apt

   6. then go the /var/www/html/ and create simple index.html

   7. then restart the nginx using systemctl

   8. So to accessing that html file we need to change the fire wall rules

5. Updating firewall for accessing index.html file

   1. Search for the firewall and go the firewall that created during VNet creation

   2. in that go to firewall policy

   3. In that firewall policy we need to create a DNAT(Destination Network Address Translation) rule so click that

   4. then, first add a rule collection in that there is field called priority, which means if firewall have multiple rules the rule with least priority will be applied (least is 100 to 65536)

   5. after creating rule collection, need to create a rule for that collection

      1. select the rule collection that just created and give the name for the rule and select source type as IP address

      2. Source IP → it is the IP who need to access(only my device or everybody, or for specific IP these can be given by comma separated)

      3. Destination IP → IP address of the firewall that is associated with the VM

      4. Destination port → for with port of firewall has to open for web

      5. Translated Type is ip address this is where the application deployed resource we specify

      6. Translation address is the private ip of the index.html is deployed using nginx

      7. Translation port → port that application is running

   6. So after updating rules you can access the nginx server using firewall ip with port number(http://firewall-ip:port)