Secure Azure Deploy


I was able to get the az cli script that Mr Allen put together here working except for the curl command at the end to change the default password.

Rather than run a command after the fact and have an unsecured instance facing the internet (for even a few seconds), I want to inject the new password as part of the build.

Is this possible?


It's possible. In the step of the script that creates the network access rules and does this:

az network nsg rule create

You just need to add a flag --source-address-prefixes. Use that to specify the network range of where you're coming from, and then instead of the security groups being open to the internet, they can be open to the IP range you specify, or no IPs at all. You can always adjust the definition of the network security rules after the VM has finished starting up.

Here's the reference on how that command works

This is very good information, thank you. I will try this out now.

Thank you!

For others that stumble here, the following worked to allow only a single IP address to access the VM:

  • Before deploying: curl to get current IP address
  • Add the following flag to your deployment script under az network nsg rule create
--source-address-prefixes \
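One way to script the approach from the replies above, so the rule is created already restricted to the deployer's address and is never open to the internet. This is an added example, not code from the thread or from the original deployment script. The resource group, NSG and rule names, the port and the IP lookup URL are assumed placeholders.

```shell
#!/bin/sh
# Added example. RG, NSG, PORT, the rule name and IP_ECHO_URL are assumed
# placeholders, not values from the thread or the original script.
RG="${RG:-example-rg}"
NSG="${NSG:-example-nsg}"
PORT="${PORT:-443}"
IP_ECHO_URL="${IP_ECHO_URL:-https://api.ipify.org}"

# True only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots; input holds only digits and dots here
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Fail closed: a lookup that returned an error page or nothing must stop the
# deployment instead of producing a rule with a bad or empty source.
source_prefix() {
  if ! valid_ipv4 "$1"; then
    echo "refusing to deploy: lookup did not return an IPv4 address" >&2
    return 1
  fi
  printf '%s/32\n' "$1"
}

# Create the inbound rule already restricted to one host.
# Set AZ=echo to print the command instead of running it.
create_rule() {
  prefix=$(source_prefix "$1") || return 1
  ${AZ:-az} network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" --name allow-deployer-only \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --destination-port-ranges "$PORT" \
    --source-address-prefixes "$prefix"
}

# Only touch the network when explicitly asked to.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  my_ip=$(curl -fsS --max-time 10 "$IP_ECHO_URL") || exit 1
  create_rule "$my_ip" || exit 1
fi
```

Run it with `RUN_DEPLOY=1` at the point where the deployment script would otherwise create the rule; with `AZ=echo` it prints the `az` command it would run.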