This project outlines the design, deployment, and management of a secure, two-tier personal cloud environment using Microsoft Azure Infrastructure as a Service (IaaS). The goal was to gain practical, hands-on experience across Azure's core pillars: Compute, Networking, Storage, Security, Configuration Management, and Automation.
The final architecture features a protected backend server (VM-DB) that is reachable only through a hardened Jumpbox (VM-Lab). The solution includes configuration of Windows Server roles (IIS, DHCP, DNS), PowerShell automation, layered access control for storage (IAM, SAS, Access Keys), and full implementation of Azure Backup and Monitoring.
- Deployed and secured a two-tier segmented network (Frontend/Backend).
- Configured a secure Jumpbox model using NSGs to protect backend resources.
- Implemented storage expansion and snapshots for reliability.
- Configured essential Windows Server roles (IIS, DHCP, and DNS) for administrative services.
- Utilized PowerShell for VM lifecycle management and disk provisioning automation.
- Secured Storage Account access using IAM (RBAC), SAS, and Access Keys.
- Established robust BCDR and Governance through Azure Backup, Monitoring, and Resource Tags.
The environment utilizes a classic tiered design to separate administrative access from sensitive data resources, enhancing security and manageability.
| Category | Component Name(s) | Purpose & Key Detail |
|---|---|---|
| Resource Group | myVm_group | Logical container for unified lifecycle management in France Central. |
| Networking | VNet-Lab (10.0.0.0/16) | Isolated private network with segmented address space. |
| Subnets | Frontend (10.0.1.0/24) | For public-facing/jumpbox VMs (VM-Lab). |
| Subnets | Backend (10.0.2.0/24) | For protected, private resources (VM-DB). No Public IP. |
| Compute (VMs) | VM-Lab (Jumpbox/Admin) | Standard B1ms Windows Server 2025. Administrative gateway. |
| Compute (VMs) | VM-DB (Database) | Protected server. Access restricted to the Jumpbox. |
| Security | NSG-Frontend | Controls RDP access (TCP/3389) and enforces the jumpbox access model. |
| Storage | Standard SSD (LRS) | Managed disk type for all volumes. |
| Backup | RSV-Lab | Recovery Services Vault storing protected backups for VM-DB. |
| Governance | Tags | Applied for cost tracking (Project, Environment, Owner). |
Goal: Establish the network structure and deploy Virtual Machines.
- Resource Group Creation: Created `myVm_group` in France Central to contain all resources.
- Virtual Network (VNet): Deployed `VNet-Lab` with the address space 10.0.0.0/16.
- Subnet Segmentation: Added the `Frontend` (10.0.1.0/24) and `Backend` (10.0.2.0/24) subnets for tier separation.
- VM Deployment:
  - `VM-Lab` (Jumpbox): Deployed a Standard B1ms Windows Server 2025 VM into the `Frontend` subnet. Public IP enabled for initial RDP access.
  - `VM-DB` (Database Server): Deployed into the `Backend` subnet with no Public IP, so it is isolated from direct internet access.
Goal: Enforce least-privilege network access to secure the back-end VM.
- NSG Configuration: Created a Network Security Group (NSG) and associated it with the relevant NICs/Subnets. For Rule 2 and the deny-all rule below to be evaluated on traffic reaching `VM-DB`, the NSG must be associated with the Backend subnet (or VM-DB's NIC), not only with the Frontend side.
- RDP Access Control: Configured two specific inbound rules:
  - Rule 1 (Internet to Jumpbox): Allowed RDP (TCP/3389) only to `VM-Lab`'s Public IP. The source of this rule is the whole Internet, so the jumpbox is exposed to RDP brute-force attempts; pinning the source to a known administrator IP range (or fronting RDP with Azure Bastion) is the stronger form of the same rule.
  - Rule 2 (Jumpbox to DB): Created an internal rule allowing RDP traffic from the Frontend subnet (Source: 10.0.1.0/24) to the Backend subnet (Destination: 10.0.2.0/24).
- Security Posture: Applied a low-priority (high-numbered) custom Deny-All-Inbound rule so that only the explicit Allow rules admit traffic. This is not redundant with the built-in DenyAllInBound rule (priority 65500): the built-in AllowVnetInBound rule (65000) sits ahead of it and would otherwise permit any intra-VNet traffic, so a custom deny numbered below 65000 is what actually closes the backend to everything except Rule 2.
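The following script is an added example, not the project's own deployment script, showing Steps 1 and 2 together with the Az PowerShell modules (Az.Resources, Az.Network, Az.Compute): resource group, VNet and subnets, the NSG with the two Allow rules and the custom Deny-All, one NIC per VM (only the jumpbox gets a public IP), and both VMs. It assumes `Connect-AzAccount` has already been run. The admin source range, the public IP and NIC names, and the Windows Server 2025 image SKU are assumptions; everything else follows the write-up.

```powershell
# Added example: Steps 1 and 2 as one Az PowerShell script. Not the project's original code.
$rg  = 'myVm_group'
$loc = 'francecentral'
$adminSource = '203.0.113.10/32'   # ASSUMPTION (TEST-NET-3 placeholder): replace with your admin IP/range

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# --- Step 2: NSG rules. Lower priority number wins. ---
$rules = @(
    # Rule 1: Internet -> Jumpbox. Source pinned to the admin IP rather than '*' (see caveat above).
    (New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Admin-To-Jumpbox' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $adminSource -SourcePortRange * `
        -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange 3389),
    # Rule 2: Frontend subnet -> Backend subnet over RDP.
    (New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Frontend-To-Backend' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * `
        -DestinationAddressPrefix '10.0.2.0/24' -DestinationPortRange 3389),
    # Custom deny-all at 4096: evaluated before the built-in AllowVnetInBound (65000),
    # so intra-VNet traffic not matched by the two allows above is dropped.
    (New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4096 `
        -Direction Inbound -Access Deny -Protocol * `
        -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *)
)
$nsg = New-AzNetworkSecurityGroup -Name 'NSG-Frontend' -ResourceGroupName $rg -Location $loc `
    -SecurityRules $rules -Force

# --- Step 1: VNet with both subnets. The NSG is attached to BOTH subnets so that Rule 2 and
# the deny-all are enforced on traffic arriving at the backend, not just at the jumpbox.
$frontend = New-AzVirtualNetworkSubnetConfig -Name 'Frontend' -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg
$backend  = New-AzVirtualNetworkSubnetConfig -Name 'Backend'  -AddressPrefix '10.0.2.0/24' -NetworkSecurityGroup $nsg
$vnet = New-AzVirtualNetwork -Name 'VNet-Lab' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.0.0.0/16' -Subnet @($frontend, $backend) -Force

# NICs: the jumpbox NIC carries a public IP; VM-DB's NIC deliberately has no -PublicIpAddressId.
$pip = New-AzPublicIpAddress -Name 'VM-Lab-pip' -ResourceGroupName $rg -Location $loc `
    -Sku Standard -AllocationMethod Static
$nicLab = New-AzNetworkInterface -Name 'VM-Lab-nic' -ResourceGroupName $rg -Location $loc `
    -SubnetId ($vnet.Subnets | Where-Object Name -eq 'Frontend').Id -PublicIpAddressId $pip.Id
$nicDb  = New-AzNetworkInterface -Name 'VM-DB-nic'  -ResourceGroupName $rg -Location $loc `
    -SubnetId ($vnet.Subnets | Where-Object Name -eq 'Backend').Id

# Both VMs share one image and size; the local admin credential is prompted for once.
$cred = Get-Credential -Message 'Local administrator account for both VMs'
function New-LabVm([string]$Name, [string]$NicId) {
    # ASSUMPTION: SKU name for Windows Server 2025; confirm with Get-AzVMImageSku before running.
    $cfg = New-AzVMConfig -VMName $Name -VMSize 'Standard_B1ms' |
        Set-AzVMOperatingSystem -Windows -ComputerName $Name -Credential $cred -ProvisionVMAgent -EnableAutoUpdate |
        Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
            -Skus '2025-datacenter-azure-edition' -Version 'latest' |
        Set-AzVMOSDisk -CreateOption FromImage -StorageAccountType 'StandardSSD_LRS' |
        Add-AzVMNetworkInterface -Id $NicId |
        Set-AzVMBootDiagnostic -Disable
    New-AzVM -ResourceGroupName $rg -Location $loc -VM $cfg
}
New-LabVm -Name 'VM-Lab' -NicId $nicLab.Id
New-LabVm -Name 'VM-DB'  -NicId $nicDb.Id

# Check: the effective inbound rules on VM-DB's NIC should list the two allows, then the custom
# deny at 4096, before any of the built-in 65000+ rules. Requires VM-DB to be running.
(Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'VM-DB-nic' -ResourceGroupName $rg).EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

The closing `Get-AzEffectiveNetworkSecurityGroup` call is the check worth keeping: it shows the rule set the platform actually applies to the NIC, including the built-in rules, so a deny-all that was accidentally numbered above 65000 (and therefore never reached) shows up immediately.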
Goal: Configure essential server roles and automate routine disk provisioning tasks.
- Server Role Installation: Connected to `VM-Lab` and used Server Manager to install and configure:
  - Internet Information Services (IIS): Used for testing web connectivity and future application hosting.
  - DHCP and DNS: Configured these roles to simulate a realistic domain administrative environment.
- PowerShell Automation: Created scripts for two critical automation tasks:
  - VM Lifecycle: Used `Start-AzVM` and `Stop-AzVM` for efficient resource management.
  - Disk Provisioning: Scripted the process for the new data disk: `Initialize-Disk -PartitionStyle GPT`, `New-Partition`, and `Format-Volume -FileSystem NTFS -DriveLetter D`.
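Added example, not the project's own scripts: Step 3 as one script run from the admin workstation, which also covers the data-disk attachment that Step 4 reuses. The Az side (Az.Compute) starts or stops a VM and attaches a 10 GB Standard SSD data disk; the in-guest part (role installation, then `Initialize-Disk` / `New-Partition` / `Format-Volume`) is pushed into the VM through Azure Run Command so the whole thing is one script. Which VM receives the disk, the disk name, and the `Data` volume label are assumptions; the page does not name them.

```powershell
# Added example: Step 3 automation (lifecycle, roles, disk provisioning). Not the project's original code.
$rg = 'myVm_group'

# --- VM lifecycle. Stop-AzVM deallocates by default, which is what stops compute billing;
# -StayProvisioned would keep the host allocated (and billed). -Force skips the confirmation prompt.
function Start-LabVm([string]$Name) { Start-AzVM -ResourceGroupName $rg -Name $Name | Out-Null }
function Stop-LabVm ([string]$Name) { Stop-AzVM  -ResourceGroupName $rg -Name $Name -Force | Out-Null }

# --- Attach an empty 10 GB Standard SSD data disk (this is the disk Step 4 initialises).
# Refuses to proceed if the LUN is already occupied, so re-running cannot silently add a second disk.
function Add-LabDataDisk([string]$VmName, [string]$DiskName, [int]$SizeGb = 10, [int]$Lun = 0) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $VmName
    if ($vm.StorageProfile.DataDisks | Where-Object Lun -eq $Lun) { throw "LUN $Lun is already in use on $VmName" }
    $cfg  = New-AzDiskConfig -Location $vm.Location -SkuName 'StandardSSD_LRS' -DiskSizeGB $SizeGb -CreateOption Empty
    $disk = New-AzDisk -ResourceGroupName $rg -DiskName $DiskName -Disk $cfg
    $vm   = Add-AzVMDataDisk -VM $vm -Name $DiskName -CreateOption Attach -ManagedDiskId $disk.Id -Lun $Lun
    Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
}

# --- In-guest script (runs INSIDE the VM as SYSTEM via Run Command): install the roles, then bring
# the new disk online as D:. Guards: never format if D: exists, and only act on exactly one RAW disk.
$guestScript = @'
Install-WindowsFeature -Name Web-Server, DHCP, DNS -IncludeManagementTools | Out-Null

if (Get-Volume -DriveLetter D -ErrorAction SilentlyContinue) { throw 'D: is already assigned; refusing to format.' }
$raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
if ($raw.Count -eq 0) { throw 'No uninitialised disk found. Was the data disk attached?' }
if ($raw.Count -gt 1) { throw 'More than one RAW disk present; initialise by disk number instead.' }
$raw[0] | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter D |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false | Out-Null
Get-Volume -DriveLetter D | Select-Object DriveLetter, FileSystemLabel, @{n='SizeGB'; e={[math]::Round($_.Size / 1GB, 1)}}
'@

function Invoke-LabGuestSetup([string]$VmName) {
    $path = Join-Path ([IO.Path]::GetTempPath()) 'lab-guest-setup.ps1'
    Set-Content -Path $path -Value $guestScript -Encoding UTF8
    $result = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $VmName `
        -CommandId 'RunPowerShellScript' -ScriptPath $path
    $result.Value | ForEach-Object { $_.Message }   # stdout and stderr from inside the guest
}

# Usage (ASSUMPTION: the disk goes on VM-Lab; the page only says "a VM").
Start-LabVm -Name 'VM-Lab'
Add-LabDataDisk -VmName 'VM-Lab' -DiskName 'VM-Lab-data0'
Invoke-LabGuestSetup -VmName 'VM-Lab'
```

Running the guest half through Run Command keeps RDP out of the provisioning path entirely, and the two guards in the guest script are the part worth copying: `Format-Volume` on the wrong disk is not recoverable, so the script selects the single RAW disk rather than a hard-coded disk number.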
Goal: Expand VM storage, implement quick restore options, and configure robust storage access control.
- Data Disk Setup: Attached a 10 GB Standard SSD data disk to a VM and utilized the PowerShell script (from Step 3) to initialize and mount it as the D: volume.
- Snapshot: Created an Incremental Snapshot of the data disk via the Azure Portal for reliable point-in-time recovery.
- Storage Account Access Control: Secured access to the storage account (`storagelab<initials>`) using a layered security model:
  - IAM (RBAC): Assigned specific Azure roles (e.g., Storage Blob Data Reader) to identity accounts.
  - Shared Access Signature (SAS): Generated restricted tokens to grant temporary, granular access to specific storage resources (e.g., a single container).
  - Access Keys: Used only for administrative, legacy access and documented as high-privilege. An account key grants full data-plane access to the entire account, bypasses RBAC and never expires on its own, so it should be rotated after use and, once nothing depends on it, shared-key access disabled on the account.
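Added example, not the project's own script, showing the three layers from this step with Az.Resources and Az.Storage, from most to least preferred: a container-scoped RBAC assignment, a short-lived read-only SAS signed with the caller's Entra ID identity (user delegation SAS, so no account key is involved) with a probe that proves the token cannot write, and finally key rotation plus disabling shared-key access. The storage account name (the page writes `storagelab<initials>`), the container name and the reader's sign-in name are assumptions.

```powershell
# Added example: layered storage-account access control. Not the project's original code.
$rg        = 'myVm_group'
$sa        = 'storagelabxx'   # ASSUMPTION: stands in for storagelab<initials>
$container = 'backups'        # ASSUMPTION
$reader    = 'reader@example.com'   # ASSUMPTION: the identity that gets read-only access

$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa

# Layer 1: RBAC, scoped to ONE container rather than the whole account.
$scope = "$($acct.Id)/blobServices/default/containers/$container"
New-AzRoleAssignment -SignInName $reader -RoleDefinitionName 'Storage Blob Data Reader' -Scope $scope | Out-Null

# Layer 2: SAS. -UseConnectedAccount makes this a user delegation SAS (signed by Entra ID, not by an
# account key; the caller needs Storage Blob Delegator on the account). Read+list only, one hour, HTTPS only.
$ctx = New-AzStorageContext -StorageAccountName $sa -UseConnectedAccount
$sas = New-AzStorageContainerSASToken -Name $container -Permission rl -Protocol HttpsOnly `
    -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1) -Context $ctx

# Check the token does what the label says: listing works, writing is refused with 403.
function Test-ReadOnlySas([string]$Token) {
    $sasCtx = New-AzStorageContext -StorageAccountName $sa -SasToken $Token
    Get-AzStorageBlob -Container $container -Context $sasCtx | Select-Object Name, Length | Out-Host
    $probe = New-TemporaryFile
    $wrote = $false
    try {
        Set-AzStorageBlobContent -File $probe.FullName -Container $container -Blob 'probe.txt' `
            -Context $sasCtx -Force -ErrorAction Stop | Out-Null
        $wrote = $true
    } catch {
        "Write refused as expected: $($_.Exception.Message)"
    } finally {
        Remove-Item $probe.FullName -ErrorAction SilentlyContinue
    }
    if ($wrote) { throw 'SAS permitted a write: the token is broader than intended' }
}
Test-ReadOnlySas -Token $sas

# Layer 3: account keys. Each key is full data-plane access to the whole account with no RBAC and
# no expiry, so treat them as break-glass: list them only by name, rotate after use.
Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa | Select-Object KeyName, Permissions | Out-Host
New-AzStorageAccountKey -ResourceGroupName $rg -Name $sa -KeyName key2 | Out-Null   # rotate the key just used

# Once nothing depends on keys, turn shared-key auth off. NOTE: this also invalidates account SAS and
# service SAS tokens (they are signed with the key); user delegation SAS like the one above keeps working.
function Disable-LabSharedKeyAccess {
    Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -AllowSharedKeyAccess $false | Out-Null
}
```

The write probe is the useful habit here: a SAS is a bearer token, and the only cheap way to know that `-Permission rl` really is read-only is to try the operation it should refuse before the token is handed to anyone.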
Goal: Implement full backup coverage, proactive monitoring, and organizational governance.
- Backup Implementation: Created a Recovery Services Vault (`RSV-Lab`) and enabled Azure Backup for the critical `VM-DB` using a daily policy.
- Proactive Monitoring: Configured Azure Monitor on `VM-DB`:
  - Metric: CPU Percentage.
  - Alert Rule: Triggered an email notification if CPU usage exceeded 80% for 5 minutes.
- Governance: Applied mandatory Resource Tags across all resources in `myVm_group` for cost allocation and organization: `Project: PersonalCloudLab`, `Environment: Lab`, `Owner: Louange`.
| Category | Core Skills Demonstrated | Technologies Used |
|---|---|---|
| Cloud Fundamentals | Resource Lifecycle Management, IaaS Deployment, Multi-VM Orchestration | Azure Resource Manager (ARM), Azure Portal |
| Networking & Security | Virtual Networking (VNet/Subnets), Network Segmentation, Secure Jumpbox Model | Network Security Groups (NSGs) |
| Configuration | Windows Server Role Installation (IIS, DHCP, DNS), Server Manager, Disk Management | IIS, DHCP, DNS, Server Manager |
| Automation | VM Management Scripting, Disk Provisioning Automation | PowerShell |
| Access Control | Role-Based Access Control (RBAC), Shared Access Policies | Azure IAM, Shared Access Signature (SAS), Access Keys |
| Data & Storage | Managed Disks, Volume Initialization, Snapshots, Object Storage | Standard SSD, Azure Blob Storage |
| BCDR & Ops | Backup Policy Configuration, Metric-Based Alerting, Resource Tagging | Azure Backup, Azure Monitor, Azure Alerts |
To view images of the components, click the corresponding link in the table.
| Component | Description | Screenshot (Conceptual Link) |
|---|---|---|
| Resource Group | Consolidated view of all resources in myVm_group. | Resource Group Screenshots |
| Virtual Network | VNet-Lab structure showing the secure Frontend and Backend subnets. | VNet-Lab with Subnets |
| Disk Management | The new data disk initialized and mounted as the D: volume. | Disk Management Console |
| Azure Backup | VM-DB protected by the Recovery Services Vault. | Azure Backup Status |
| Monitoring Alert | CPU Alert Rule configured for performance management. | Monitoring/Alerts Configuration |
- Project 2 (PaaS Focus): Deploy a scalable web application using Azure App Service and connect it to a managed database (Azure SQL).
- Advanced IaC: Translate this entire detailed deployment into repeatable Infrastructure-as-Code (IaC) templates using Bicep or Terraform.
- Project 3: Create a Static Web Portfolio using Azure Storage + CDN.