Azure Fundamentals (AZ-900)

Last Updated: 12/22/2022

Configure network access

First Step

Create an Azure virtual machine

Access your web server

  • Run the following az vm list-ip-addresses command to get your VM's IP address and store the result as a Bash variable:
IPADDRESS="$(az vm list-ip-addresses \
  --resource-group learn-962115de-4207-48f0-aa40-385939ba2b6b \
  --name my-vm \
  --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
  --output tsv)"
  • Run the following curl command to download the home page:
curl --connect-timeout 5 http://$IPADDRESS

The --connect-timeout argument allows up to five seconds for the connection to occur. After five seconds, you see an error message that states that the connection timed out.

  • Run the following to print your VM's IP address to the console:
echo $IPADDRESS

You see an IP address, for example, 23.102.42.235. Copy the IP address that you see to the clipboard. Open a new browser tab and go to your web server. After a few moments, you see that the connection fails.

List the current network security group rules

  • Run the following az network nsg list command to list the network security groups that are associated with your VM:
az network nsg list \
  --resource-group learn-962115de-4207-48f0-aa40-385939ba2b6b \
  --query '[].name' \
  --output tsv

Every VM on Azure is associated with at least one network security group. In this case, Azure created an NSG for you called my-vmNSG.

  • Run the following az network nsg rule list command to list the rules associated with the NSG named my-vmNSG:
az network nsg rule list \
  --resource-group learn-962115de-4207-48f0-aa40-385939ba2b6b \
  --nsg-name my-vmNSG
  • Run the az network nsg rule list command a second time. This time, use the --query argument to retrieve only the name, priority, affected ports, and access (Allow or Deny) for each rule. The --output argument formats the output as a table so that it's easy to read.
az network nsg rule list \
  --resource-group learn-962115de-4207-48f0-aa40-385939ba2b6b \
  --nsg-name my-vmNSG \
  --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
  --output table

You see the default rule, default-allow-ssh. This rule allows inbound connections over port 22 (SSH). SSH (Secure Shell) is a protocol that's used on Linux to allow administrators to access the system remotely. The priority of this rule is 1000. Rules are processed in priority order, with lower numbers processed before higher numbers. You also need to allow inbound connections on port 80, which allows access over HTTP.

Create the network security rule

  • Run the following az network nsg rule create command to create a rule called allow-http that allows inbound access on port 80:
az network nsg rule create \
  --resource-group learn-962115de-4207-48f0-aa40-385939ba2b6b \
  --nsg-name my-vmNSG \
  --name allow-http \
  --protocol tcp \
  --priority 100 \
  --destination-port-range 80 \
  --access Allow
  • To verify the configuration, run az network nsg rule list to see the updated list of rules:
az network nsg rule list \
  --resource-group learn-962115de-4207-48f0-aa40-385939ba2b6b \
  --nsg-name my-vmNSG \
  --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
  --output table

You see both the default-allow-ssh rule and your new rule, allow-http.

Access your web server again

  • Run the same curl command that you ran earlier:
curl --connect-timeout 5 http://$IPADDRESS

You see this: <html><body><h2>Welcome to Azure! My name is my-vm.</h2></body></html>

  • As an optional step, refresh your browser tab that points to your web server.

In practice, you can create a standalone network security group that includes the inbound and outbound network access rules you need. If you have multiple VMs that serve the same purpose, you can assign that NSG to each VM at the time you create it. This technique enables you to control network access to multiple VMs under a single, central set of rules.
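
How priority order decides which rule governs a port, as an added example that is not part of the original page: the function below reads rows in the Name, Priority, Port, Access shape of the --query projection used above (with --output tsv) and reports the winning rule. The sample rows are constructed, the deny-web-range rule is hypothetical, and the check is simplified to destination port only.

```shell
#!/bin/sh
# Added example: simplified NSG evaluation on destination port only.
# Real NSGs also match direction, protocol and source; those are ignored here.

# Constructed sample rows (Name, Priority, Port, Access), tab-separated, in the
# shape of the page's --query projection with --output tsv.
# deny-web-range is hypothetical, added to show a priority conflict.
sample_rules() {
  printf '%s\t%s\t%s\t%s\n' \
    default-allow-ssh 1000 22 Allow \
    deny-web-range 200 80-443 Deny \
    allow-http 100 80 Allow
}

# nsg_decide PORT: read rule rows on stdin, print "<Access> <RuleName>" for the
# matching rule with the lowest priority number (processed first, so it wins).
nsg_decide() {
  awk -F '\t' -v port="$1" '
    function matches(spec, p,    r) {
      if (spec == "*") return 1                       # any port
      if (split(spec, r, "-") == 2)                   # range such as 80-443
        return (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0)
      return (spec + 0 == p + 0)                      # single port
    }
    matches($3, port) && (best == "" || $2 + 0 < prio) {
      best = $4 " " $1; prio = $2 + 0
    }
    END {
      # No custom rule matched: Internet traffic falls through to the
      # built-in DenyAllInBound default rule (priority 65500).
      print (best == "" ? "Deny DenyAllInBound" : best)
    }'
}

for port in 22 80 443 3389; do
  printf 'port %s -> %s\n' "$port" "$(sample_rules | nsg_decide "$port")"
done
```

Port 80 is allowed because allow-http (priority 100) is processed before the overlapping deny at 200, while port 443 matches only the deny rule.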