Merge pull request #284269 from asudbring/sfi-us295036

ttorble · web-flow · commit 02d89d9cd482 · 2024-08-12T08:14:29.000+01:00
SFI-ROPC Remove ROPC from filter traffic CLI tutorial
diff --git a/articles/virtual-network/tutorial-filter-network-traffic-cli.md b/articles/virtual-network/tutorial-filter-network-traffic-cli.md
@@ -1,14 +1,10 @@
 ---
 title: Filter network traffic - Azure CLI
 description: In this article, you learn how to filter network traffic to a subnet, with a network security group, using the Azure CLI.
-services: virtual-network
 author: asudbring
-
 ms.service: azure-virtual-network
-ms.devlang: azurecli
 ms.topic: how-to
-ms.tgt_pltfrm: virtual-network
-ms.date: 03/30/2018
+ms.date: 08/09/2024
 ms.author: allensu
 ms.custom: devx-track-azurecli
 # Customer intent: I want to filter network traffic to virtual machines that perform similar functions, such as web servers.
@@ -35,175 +31,201 @@ A network security group contains security rules. Security rules specify a sourc
 
 ### Create application security groups
 
-First create a resource group for all the resources created in this article with [az group create](/cli/azure/group). The following example creates a resource group in the *eastus* location: 
+First create a resource group for all the resources created in this article with [az group create](/cli/azure/group). The following example creates a resource group in the *westus2* location: 
 
 ```azurecli-interactive
 az group create \
-  --name myResourceGroup \
-  --location eastus
+  --name test-rg \
+  --location westus2
 ```
 
 Create an application security group with [az network asg create](/cli/azure/network/asg). An application security group enables you to group servers with similar port filtering requirements. The following example creates two application security groups.
 
 ```azurecli-interactive
 az network asg create \
-  --resource-group myResourceGroup \
-  --name myAsgWebServers \
-  --location eastus
+  --resource-group test-rg \
+  --name asg-web-servers \
+  --location westus2
 
 az network asg create \
-  --resource-group myResourceGroup \
-  --name myAsgMgmtServers \
-  --location eastus
+  --resource-group test-rg \
+  --name asg-mgmt-servers \
+  --location westus2
 ```
 
 ### Create a network security group
 
-Create a network security group with [az network nsg create](/cli/azure/network/nsg). The following example creates a network security group named *myNsg*: 
+Create a network security group with [az network nsg create](/cli/azure/network/nsg). The following example creates a network security group named *nsg-1*: 
 
 ```azurecli-interactive 
 # Create a network security group
 az network nsg create \
-  --resource-group myResourceGroup \
-  --name myNsg
+  --resource-group test-rg \
+  --name nsg-1
 ```
 
 ### Create security rules
 
-Create a security rule with [az network nsg rule create](/cli/azure/network/nsg/rule). The following example creates a rule that allows traffic inbound from the internet to the *myWebServers* application security group over ports 80 and 443:
+Create a security rule with [az network nsg rule create](/cli/azure/network/nsg/rule). The following example creates a rule that allows traffic inbound from the internet to the *asg-web-servers* application security group over ports 80 and 443:
 
 ```azurecli-interactive
 az network nsg rule create \
-  --resource-group myResourceGroup \
-  --nsg-name myNsg \
+  --resource-group test-rg \
+  --nsg-name nsg-1 \
   --name Allow-Web-All \
   --access Allow \
   --protocol Tcp \
   --direction Inbound \
   --priority 100 \
   --source-address-prefix Internet \
   --source-port-range "*" \
-  --destination-asgs "myAsgWebServers" \
+  --destination-asgs "asg-web-servers" \
   --destination-port-range 80 443
 ```
 
-The following example creates a rule that allows traffic inbound from the Internet to the *myMgmtServers* application security group over port 22:
+The following example creates a rule that allows traffic inbound from the Internet to the *asg-mgmt-servers* application security group over port 22:
 
 ```azurecli-interactive
 az network nsg rule create \
-  --resource-group myResourceGroup \
-  --nsg-name myNsg \
+  --resource-group test-rg \
+  --nsg-name nsg-1 \
   --name Allow-SSH-All \
   --access Allow \
   --protocol Tcp \
   --direction Inbound \
   --priority 110 \
   --source-address-prefix Internet \
   --source-port-range "*" \
-  --destination-asgs "myAsgMgmtServers" \
+  --destination-asgs "asg-mgmt-servers" \
   --destination-port-range 22
 ```
 
-In this article, SSH (port 22) is exposed to the internet for the *myAsgMgmtServers* VM. For production environments, instead of exposing port 22 to the internet, it's recommended that you connect to Azure resources that you want to manage using a [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [private](../expressroute/expressroute-introduction.md?toc=%2fazure%2fvirtual-network%2ftoc.json) network connection.
+In this article, the *asg-mgmt-servers* asg exposes SSH (port 22) to the internet. For production environments, use a [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [private](../expressroute/expressroute-introduction.md?toc=%2fazure%2fvirtual-network%2ftoc.json) network connection to manage Azure resources instead of exposing port 22 to the internet.
 
 ## Create a virtual network
 
-Create a virtual network with [az network vnet create](/cli/azure/network/vnet). The following example creates a virtual named *myVirtualNetwork*:
+Create a virtual network with [az network vnet create](/cli/azure/network/vnet). The following example creates a virtual named *vnet-1*:
 
 ```azurecli-interactive 
 az network vnet create \
-  --name myVirtualNetwork \
-  --resource-group myResourceGroup \
+  --name vnet-1 \
+  --resource-group test-rg \
   --address-prefixes 10.0.0.0/16
 ```
 
-Add a subnet to a virtual network with [az network vnet subnet create](/cli/azure/network/vnet/subnet). The following example adds a subnet named *mySubnet* to the virtual network and associates the *myNsg* network security group to it:
+Add a subnet to a virtual network with [az network vnet subnet create](/cli/azure/network/vnet/subnet). The following example adds a subnet named *subnet-1* to the virtual network and associates the *nsg-1* network security group to it:
 
 ```azurecli-interactive
 az network vnet subnet create \
-  --vnet-name myVirtualNetwork \
-  --resource-group myResourceGroup \
-  --name mySubnet \
+  --vnet-name vnet-1 \
+  --resource-group test-rg \
+  --name subnet-1 \
   --address-prefix 10.0.0.0/24 \
-  --network-security-group myNsg
+  --network-security-group nsg-1
 ```
 
 ## Create virtual machines
 
 Create two VMs in the virtual network so you can validate traffic filtering in a later step. 
 
-Create a VM with [az vm create](/cli/azure/vm). The following example creates a VM that will serve as a web server. The `--asgs myAsgWebServers` option causes Azure to make the network interface it creates for the VM a member of the *myAsgWebServers* application security group.
-
-The `--nsg ""` option is specified to prevent Azure from creating a default network security group for the network interface Azure creates when it creates the VM. To streamline this article, a password is used. Keys are typically used in production deployments. If you use keys, you must also configure SSH agent forwarding for the remaining steps. For more information, see the documentation for your SSH client. Replace `<replace-with-your-password>` in the following command with a password of your choosing.
+Create a VM with [az vm create](/cli/azure/vm). The following example creates a VM that serves as a web server. The `--asgs asg-web-servers` option causes Azure to make the network interface it creates for the VM a member of the *asg-web-servers* application security group. The `--nsg ""` option is specified to prevent Azure from creating a default network security group for the network interface Azure creates when it creates the VM. The command prompts you to create a password for the VM. SSH keys aren't used in this example to facilitate the later steps in this article. In a production environment, use SSH keys for security.
 
 ```azurecli-interactive
-adminPassword="<replace-with-your-password>"
-
 az vm create \
-  --resource-group myResourceGroup \
-  --name myVmWeb \
+  --resource-group test-rg \
+  --name vm-web \
   --image Ubuntu2204 \
-  --vnet-name myVirtualNetwork \
-  --subnet mySubnet \
+  --vnet-name vnet-1 \
+  --subnet subnet-1 \
   --nsg "" \
-  --asgs myAsgWebServers \
+  --asgs asg-web-servers \
   --admin-username azureuser \
-  --admin-password $adminPassword
+  --authentication-type password \
+  --assign-identity
 ```
 
 The VM takes a few minutes to create. After the VM is created, output similar to the following example is returned: 
 
 ```output
 {
   "fqdns": "",
-  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVmWeb",
-  "location": "eastus",
+  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Compute/virtualMachines/vm-web",
+  "location": "westus2",
   "macAddress": "00-0D-3A-23-9A-49",
   "powerState": "VM running",
   "privateIpAddress": "10.0.0.4",
-  "publicIpAddress": "13.90.242.231",
-  "resourceGroup": "myResourceGroup"
+  "publicIpAddress": "203.0.113.24",
+  "resourceGroup": "test-rg"
 }
 ```
 
-Take note of the **publicIpAddress**. This address is used to access the VM from the internet in a later step.  Create a VM to serve as a management server:
+Create a VM with [az vm create](/cli/azure/vm). The following example creates a VM that serves as a management server. The `--asgs asg-mgmt-servers` option causes Azure to make the network interface it creates for the VM a member of the *asg-mgmt-servers* application security group.
+
+The following example creates a VM and adds a user account. The `--generate-ssh-keys` parameter causes the CLI to look for an available ssh key in `~/.ssh`. If one is found, that key is used. If not, one is generated and stored in `~/.ssh`. Finally, we deploy the latest `Ubuntu 22.04` image.
 
 ```azurecli-interactive
 az vm create \
-  --resource-group myResourceGroup \
-  --name myVmMgmt \
+  --resource-group test-rg \
+  --name vm-mgmt \
   --image Ubuntu2204 \
-  --vnet-name myVirtualNetwork \
-  --subnet mySubnet \
+  --vnet-name vnet-1 \
+  --subnet subnet-1 \
   --nsg "" \
-  --asgs myAsgMgmtServers \
+  --asgs asg-mgmt-servers \
   --admin-username azureuser \
-  --admin-password $adminPassword
+  --generate-ssh-keys \
+  --assign-identity
 ```
 
-The VM takes a few minutes to create. After the VM is created, note the **publicIpAddress** in the returned output. This address is used to access the VM in the next step. Don't continue with the next step until Azure finishes creating the VM.
+The VM takes a few minutes to create. Don't continue with the next step until Azure finishes creating the VM.
+
+## Enable Microsoft Entra ID sign in for the virtual machines
+
+The following code example the extension to enable a Microsoft Entra ID sign-in for a Linux VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines.
+
+```bash
+az vm extension set \
+    --publisher Microsoft.Azure.ActiveDirectory \
+    --name AADSSHLoginForLinux \
+    --resource-group test-rg \
+    --vm-name vm-web
+
+az vm extension set \
+    --publisher Microsoft.Azure.ActiveDirectory \
+    --name AADSSHLoginForLinux \
+    --resource-group test-rg \
+    --vm-name vm-mgmt
+```
 
 ## Test traffic filters
 
-Use the command that follows to create an SSH session with the *myVmMgmt* VM. Replace *\<publicIpAddress>* with the public IP address of your VM. In the example above, the IP address is *13.90.242.231*.
+Using an SSH client of your choice, connect to the VMs created previously. For example, the following command can be used from a command line interface such as [Windows Subsystem for Linux](/windows/wsl/install) to create an SSH session with the *vm-mgmt* VM. In the previous steps, we enabled Microsoft Entra ID sign-in for the VMs. You can sign-in to the virtual machines using your Microsoft Entra ID credentials or you can use the SSH key that you used to create the VMs. In the following example, we use the SSH key to sign in to management VM and then sign in to the web VM from the management VM with a password.
 
-```bash 
-ssh azureuser@<publicIpAddress>
+For more information about how to SSH to a Linux VM and sign in with Microsoft Entra ID, see [Sign in to a Linux virtual machine in Azure by using Microsoft Entra ID and OpenSSH](/entra/identity/devices/howto-vm-sign-in-azure-ad-linux).
+
+### Store IP address of VM in order to SSH
+
+Run the following command to store the IP address of the VM as an environment variable:
+
+```bash
+export IP_ADDRESS=$(az vm show --show-details --resource-group test-rg --name vm-mgmt --query publicIps --output tsv)
 ```
 
-When prompted for a password, enter the password you entered in [Create VMs](#create-virtual-machines).
+```bash
+ssh -o StrictHostKeyChecking=no azureuser@$IP_ADDRESS
+```
 
-The connection succeeds, because port 22 is allowed inbound from the Internet to the *myAsgMgmtServers* application security group that the network interface attached to the *myVmMgmt* VM is in.
+The connection succeeds because the network interface attached to the *vm-mgmt* VM is in the *asg-mgmt-servers* application security group, which allows port 22 inbound from the Internet.
 
-Use the following command to SSH to the *myVmWeb* VM from the *myVmMgmt* VM:
+Use the following command to SSH to the *vm-web* VM from the *vm-mgmt* VM:
 
 ```bash 
-ssh azureuser@myVmWeb
+ssh -o StrictHostKeyChecking=no azureuser@vm-web
 ```
 
-The connection succeeds because a default security rule within each network security group allows traffic over all ports between all IP addresses within a virtual network. You can't SSH to the *myVmWeb* VM from the Internet because the security rule for the *myAsgWebServers* doesn't allow port 22 inbound from the Internet.
+The connection succeeds because a default security rule within each network security group allows traffic over all ports between all IP addresses within a virtual network. You can't SSH to the *vm-web* VM from the Internet because the security rule for the *asg-web-servers* doesn't allow port 22 inbound from the Internet.
 
-Use the following commands to install the nginx web server on the *myVmWeb* VM:
+Use the following commands to install the nginx web server on the *vm-web* VM:
 
 ```bash 
 # Update package source
@@ -213,24 +235,27 @@ sudo apt-get -y update
 sudo apt-get -y install nginx
 ```
 
-The *myVmWeb* VM is allowed outbound to the Internet to retrieve nginx because a default security rule allows all outbound traffic to the Internet. Exit the *myVmWeb* SSH session, which leaves you at the `username@myVmMgmt:~$` prompt of the *myVmMgmt* VM. To retrieve the nginx welcome screen from the *myVmWeb* VM, enter the following command:
+The *vm-web* VM is allowed outbound to the Internet to retrieve nginx because a default security rule allows all outbound traffic to the Internet. Exit the *vm-web* SSH session, which leaves you at the `username@vm-mgmt:~$` prompt of the *vm-mgmt* VM. To retrieve the nginx welcome screen from the *vm-web* VM, enter the following command:
 
 ```bash
-curl myVmWeb
+curl vm-web
 ```
 
-Logout of the *myVmMgmt* VM. To confirm that you can access the *myVmWeb* web server from outside of Azure, enter `curl <publicIpAddress>` from your own computer. The connection succeeds, because port 80 is allowed inbound from the Internet to the *myAsgWebServers* application security group that the network interface attached to the *myVmWeb* VM is in.
+Sign out of the *vm-mgmt* VM. To confirm that you can access the *vm-web* web server from outside of Azure, enter `curl <publicIpAddress>` from your own computer. The connection succeeds because the *asg-web-servers* application security group, which the network interface attached to the *vm-web* VM is in, allows port 80 inbound from the Internet.
 
 ## Clean up resources
 
 When no longer needed, use [az group delete](/cli/azure/group) to remove the resource group and all of the resources it contains.
 
 ```azurecli-interactive
-az group delete --name myResourceGroup --yes
+az group delete \
+    --name test-rg \
+    --yes \
+    --no-wait
 ```
 
 ## Next steps
 
 In this article, you created a network security group and associated it to a virtual network subnet. To learn more about network security groups, see [Network security group overview](./network-security-groups-overview.md) and [Manage a network security group](manage-network-security-group.md).
 
-Azure routes traffic between subnets by default. You may instead, choose to route traffic between subnets through a VM, serving as a firewall, for example. To learn how, see [Create a route table](tutorial-create-route-table-cli.md).
+Azure routes traffic between subnets by default. You can instead, choose to route traffic between subnets through a VM, serving as a firewall, for example. To learn how, see [Create a route table](tutorial-create-route-table-cli.md).
