Merge pull request #229612 from v-thepet/vnet1

Freshness: Create virtual network quickstarts

Author: v-dirichards

articles/virtual-network/media/quick-create-bicep/connect-to-virtual-machine.png

@@ -1,168 +1,211 @@
 ---
-title: 'Quickstart: Create a virtual network - Azure CLI'
+title: 'Quickstart: Use Azure CLI to create a virtual network'
 titleSuffix: Azure Virtual Network
-description: In this quickstart, learn to create a virtual network using the Azure CLI. A virtual network lets Azure resources communicate with each other and with the internet.
+description: Learn how to use Azure CLI to create and connect through an Azure virtual network and virtual machines.
 author: asudbring
 ms.service: virtual-network
 ms.topic: quickstart
-ms.date: 04/13/2022
+ms.date: 03/15/2023
 ms.author: allensu
 ms.custom: devx-track-azurecli, mode-api
-#Customer intent: I want to create a virtual network so that virtual machines can communicate privately with each other and with the internet.
+#Customer intent:  I want to use Azure CLI to create a virtual network so that virtual machines can communicate privately with each other and with the internet.
 ---
 
-# Quickstart: Create a virtual network using the Azure CLI
+# Quickstart: Use Azure CLI to create a virtual network
 
-A virtual network enables Azure resources, like virtual machines (VMs), to communicate privately with each other, and with the internet. 
+This quickstart shows you how to create a virtual network by using Azure CLI, the Azure command-line interface. You then create two virtual machines (VMs) in the network, securely connect to the VMs from the internet, and communicate privately between the VMs.
 
-In this quickstart, you learn how to create a virtual network. After creating a virtual network, you deploy two VMs into the virtual network. You then connect to the VMs from the internet, and communicate privately over the new virtual network.
+A virtual network is the fundamental building block for private networks in Azure. Azure Virtual Network enables Azure resources like VMs to securely communicate with each other and the internet.
 
-[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
+## Prerequisites
 
-[!INCLUDE [azure-cli-prepare-your-environment.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment.md)]
+- An Azure account with an active subscription. You can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 
-- This quickstart requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
+- Azure Cloud Shell or Azure CLI.
 
-## Create a resource group
+  The steps in this quickstart run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloudshell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.
 
-Before you can create a virtual network, you have to create a resource group to host the virtual network. Create a resource group with [az group create](/cli/azure/group#az-group-create). This example creates a resource group named **CreateVNetQS-rg** in the **Eastus** location:
+  You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. The steps in this article require Azure CLI version 2.0.28 or later. Run [az version](/cli/azure/reference-index?#az-version) to find your installed version and dependent libraries, and run [az upgrade](/cli/azure/reference-index?#az-upgrade) to upgrade.
 
-```azurecli-interactive
-az group create \
-    --name CreateVNetQS-rg \
-    --location eastus
-```
+  If you use a local installation, sign in to Azure by using the [az login](/cli/azure/reference-index#az-login) command.
 
-## Create a virtual network
+## Create a virtual network and subnet
 
-Create a virtual network with [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create). This example creates a default virtual network named **myVNet** with one subnet named **default** .
+1. First, use [az group create](/cli/azure/group#az-group-create) to create a resource group to host the virtual network. Run the following code to create a resource group named `TestRG` in the `eastus` Azure region.
 
-```azurecli-interactive
-az network vnet create \
-  --name myVNet \
-  --resource-group CreateVNetQS-rg \
-  --subnet-name default
-```
+   ```azurecli-interactive
+   az group create \
+     --name TestRG \
+     --location eastus
+   ```
 
-## Create virtual machines
+1. Use [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create) to create a virtual network named `VNet` with a subnet named `default` in the `TestRG` resource group.
 
-Create two VMs in the virtual network.
+   ```azurecli-interactive
+   az network vnet create \
+     --name VNet \
+     --resource-group TestRG \
+     --address-prefix 10.0.0.0/16 \
+     --subnet-name default \
+     --subnet-prefixes 10.0.0.0/24
+   ```
 
-### Create the first VM
+## Deploy Azure Bastion
 
-Create a VM with [az vm create](/cli/azure/vm#az-vm-create). 
+Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see [Azure Bastion](~/articles/bastion/bastion-overview.md).
 
-If SSH keys don't already exist in a default key location, the command creates them. To use a specific set of keys, use the `--ssh-key-value` option. 
+1. Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) to create an Azure Bastion subnet for your virtual network. This subnet is reserved exclusively for Azure Bastion resources and must be named `AzureBastionSubnet`.
 
-The `--no-wait` option creates the VM in the background. You can continue to the next step. 
+   ```azurecli-interactive
+   az network vnet subnet create \
+     --name AzureBastionSubnet \
+     --resource-group TestRG \
+     --vnet-name VNet \
+     --address-prefix 10.0.1.0/26 \
+     --location eastus
+   ```
 
-This example creates a VM named **myVM1**:
+1. Create a public IP address for Azure Bastion. The bastion host uses the public IP to access secure shell (SSH) and remote desktop protocol (RDP) over port 443.
 
-```azurecli-interactive
-az vm create \
-  --resource-group CreateVNetQS-rg \
-  --name myVM1 \
-  --image UbuntuLTS \
-  --generate-ssh-keys \
-  --public-ip-address myPublicIP-myVM1 \
-  --no-wait
-```
+   ```azurecli-interactive
+   az network public-ip create --resource-group TestRG --name VNet-ip --sku Standard --location eastus
+   ```
 
-### Create the second VM
+1. Use [az network bastion create](/cli/azure/network/bastion#az-network-bastion-create) to create an Azure Bastion host in the AzureBastionSubnet of your virtual network.
 
-You used the `--no-wait` option in the previous step. You can go ahead and create the second VM named **myVM2**.
+   ```azurecli-interactive
+   az network bastion create \
+     --name VNet-bastion \
+     --public-ip-address VNet-ip \
+     --resource-group TestRG \
+     --vnet-name VNet --location eastus
+   ```
 
-```azurecli-interactive
-az vm create \
-  --resource-group CreateVNetQS-rg \
-  --name myVM2 \
-  --image UbuntuLTS \
-  --public-ip-address myPublicIP-myVM2 \
-  --generate-ssh-keys
-```
+It takes about 10 minutes for the Bastion resources to deploy. You can create VMs in the next section while Bastion deploys to your virtual network.
+
+## Create virtual machines
+
+Use [az vm create](/cli/azure/vm#az-vm-create) to create two VMs named `VM1` and `VM2` in the `default` subnet of the virtual network. When you're prompted for credentials, enter user names and passwords for the VMs.
+
+1. To create the first VM, run the following command:
+
+   ```azurecli-interactive
+   az vm create \
+     --resource-group TestRG \
+     --name VM1 \
+     --image Win2019Datacenter
+   ```
 
-[!INCLUDE [ephemeral-ip-note.md](../../includes/ephemeral-ip-note.md)]
+1. To create the second VM, run the following command:
 
-### Azure CLI output message
+   ```azurecli-interactive
+   az vm create \
+     --resource-group TestRG \
+     --name VM2 \
+     --image Win2019Datacenter
+   ```
 
-The VMs take a few minutes to create. After Azure creates the VMs, the Azure CLI returns output like this:
+>[!TIP]
+>You can also use the `--no-wait` option to create a VM in the background while you continue with other tasks.
+
+The VMs take a few minutes to create. After Azure creates each VM, Azure CLI returns output similar to the following message:
 
 ```output
 {
   "fqdns": "",
-  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/CreateVNetQS-rg/providers/Microsoft.Compute/virtualMachines/myVM2",
+  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/CreateVNetQS-rg/providers/Microsoft.Compute/virtualMachines/VM2",
   "location": "eastus",
   "macAddress": "00-0D-3A-23-9A-49",
   "powerState": "VM running",
   "privateIpAddress": "10.0.0.5",
   "publicIpAddress": "40.68.254.142",
-  "resourceGroup": "CreateVNetQS-rg"
+  "resourceGroup": "TestRG"
   "zones": ""
 }
 ```
 
-## VM public IP
+>[!NOTE]
+>VMs in a virtual network with a Bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in Bastion-hosted virtual networks. For more information, see [Dissociate a public IP address from an Azure VM](ip-services/remove-public-ip-address-vm.md).
 
-To get the public IP address **myVM2**, use [az network public-ip show](/cli/azure/network/public-ip#az-network-public-ip-show):
+## Connect to a VM
 
-```azurecli-interactive
-az network public-ip show \
-  --resource-group CreateVNetQS-rg  \
-  --name myPublicIP-myVM2 \
-  --query ipAddress \
-  --output tsv
-```
+1. In the [Azure portal](https://portal.azure.com), search for and select **Virtual machines**.
 
-## Connect to a VM from the internet
+1. On the **Virtual machines** page, select **VM1**.
 
-In this command, replace `<publicIpAddress>` with the public IP address of your **myVM2** VM:
+1. At the top of the **VM1** page, select **Connect**.
 
-```bash
-ssh <publicIpAddress>
-```
+1. On the **Connect** page, select **More ways to connect**, and then select **Go to Bastion**.
+
+   :::image type="content" source="./media/quick-create-portal/connect-to-virtual-machine.png" alt-text="Screenshot of connecting to VM1 with Azure Bastion." border="true":::
+
+1. On the **Bastion** page, enter the username and password you created for the VM, and then select **Connect**.
 
 ## Communicate between VMs
 
-To confirm private communication between the **myVM2** and **myVM1** VMs, enter `ping myVM1 -c 4`.
+1. From the desktop of VM1, open a command prompt and enter `ping myVM2`. You get a reply similar to the following message:
 
-You'll receive a reply message like this:
+   ```cmd
+   C:\windows\system32>ping VM2
+   
+   Pinging VM2.ovvzzdcazhbu5iczfvonhg2zrb.bx.internal.cloudapp.net with 32 bytes of data:
+   Request timed out.
+   Request timed out.
+   Request timed out.
+   Request timed out.
+   
+   Ping statistics for 10.0.0.5:
+       Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
+   ```
 
-```bash
+   The ping fails because it uses the Internet Control Message Protocol (ICMP). By default, ICMP isn't allowed through Windows firewall.
 
-azureuser@myVM2:~$ ping myVM1 -c 4
-PING myVM1.h0o2foz2r0tefncddcnfqm2lid.bx.internal.cloudapp.net (10.0.0.4) 56(84) bytes of data.
-64 bytes from myvm1.internal.cloudapp.net (10.0.0.4): icmp_seq=1 ttl=64 time=2.77 ms
-64 bytes from myvm1.internal.cloudapp.net (10.0.0.4): icmp_seq=2 ttl=64 time=1.95 ms
-64 bytes from myvm1.internal.cloudapp.net (10.0.0.4): icmp_seq=3 ttl=64 time=2.19 ms
-64 bytes from myvm1.internal.cloudapp.net (10.0.0.4): icmp_seq=4 ttl=64 time=1.85 ms
+1. To allow ICMP to inbound through Windows firewall on this VM, enter the following command:
 
---- myVM1.h0o2foz2r0tefncddcnfqm2lid.bx.internal.cloudapp.net ping statistics ---
-4 packets transmitted, 4 received, 0% packet loss, time 3003ms
-rtt min/avg/max/mdev = 1.859/2.195/2.770/0.357 ms
+   ```cmd
+   netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
+   ```
 
-```
+1. Close the remote desktop connection to VM1.
 
-Exit the SSH session with the **myVM2** VM.
+1. Repeat the steps in [Connect to a VM](#connect-to-a-vm) to connect to VM2.
+
+1. On VM2, from a command prompt, enter `ping VM1`.
+
+   This time you get a success reply similar to the following message, because you allowed ICMP through the firewall on VM1.
+
+   ```cmd
+   C:\windows\system32>ping VM1
+   
+   Pinging VM1.e5p2dibbrqtejhq04lqrusvd4g.bx.internal.cloudapp.net [10.0.0.4] with 32 bytes of data:
+   Reply from 10.0.0.4: bytes=32 time=2ms TTL=128
+   Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
+   Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
+   Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
+   
+   Ping statistics for 10.0.0.4:
+       Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
+   Approximate round trip times in milli-seconds:
+       Minimum = 0ms, Maximum = 2ms, Average = 0ms
+   ```
+
+1. Close the remote desktop connection to VM2.
 
 ## Clean up resources
 
-When no longer needed, you can use [az group delete](/cli/azure/group#az-group-delete) to remove the resource group and all the resources it has:
+When you're done with the virtual network and the VMs, use [az group delete](/cli/azure/group#az-group-delete) to remove the resource group and all its resources.
 
 ```azurecli-interactive
 az group delete \
-    --name CreateVNetQS-rg \
+    --name TestRG \
     --yes
 ```
 
 ## Next steps
 
-In this quickstart: 
+In this quickstart, you created a virtual network with a default subnet that contains two VMs. You deployed Azure Bastion and used it to connect to the VMs, and securely communicated between the VMs. To learn more about virtual network settings, see [Create, change, or delete a virtual network](manage-virtual-network.md).
 
-* You created a default virtual network and two VMs. 
-* You connected to one VM from the internet and communicated privately between the two VMs.
-
-Private communication between VMs is unrestricted in a virtual network. 
-
-Advance to the next article to learn more about configuring different types of VM network communications:
+Private communication between VMs in a virtual network is unrestricted by default. Continue to the next article to learn more about configuring different types of VM network communications.
 > [!div class="nextstepaction"]
 > [Filter network traffic](tutorial-filter-network-traffic.md)
+