okunola babatunde

Hands-On Azure Cloud Engineering: Managing Networks, Virtual Machines, Storage Blobs, and Resource Governance

Cloud infrastructure is not just about launching servers in the cloud. It’s about designing systems that are organized, secure, scalable, and easy to manage over time. Recently, I worked on a hands-on Azure guided project where I practiced managing key parts of a cloud environment. The experience simulated assisting an Azure administrator with maintaining and improving an existing infrastructure. The project covered several important areas of cloud engineering, including:

  • Network configuration
  • Virtual machine management
  • Cloud storage services
  • Resource governance and protection

Although the work involved technical tools, the main idea behind it was simple: build systems that are easy to understand, monitor, and protect from mistakes.

Preparing the Azure Environment

The project required an active Azure subscription, since all tasks involved creating and managing real cloud resources. One of the first best practices emphasised was using clear naming conventions when creating resources. In simple terms, this means naming resources in a way that clearly describes their purpose. When teams follow structured naming patterns, it becomes much easier to:

  • Quickly identify resources
  • Keep infrastructure organized
  • Clean up environments after projects
  • Maintain consistency across teams

Another important lesson was cost awareness. Because cloud services charge based on usage, engineers must always create and manage resources responsibly.

Supporting an Azure Administrator

In this scenario, I was supporting an Azure administrator who manages an existing cloud environment. The infrastructure already contained a Linux Virtual Machine (VM), but it wasn’t being fully utilised. At the same time, there was a need for another Linux system that could function as an FTP server to allow files to be transferred between systems.
Before setting this up, the administrator wanted better visibility into network traffic and system usage.
To make this possible, the first step was to create a new subnet within the existing virtual network.

Creating a New Subnet for Better Network Organization

Rather than modifying the current network segment, the administrator requested the creation of a separate subnet dedicated to the FTP server.
The original subnet was left untouched because it may be used for future virtual machines.

Creating a new subnet offers several advantages:

  • It separates workloads into different network segments
  • It improves monitoring of network activity
  • It keeps infrastructure organised
  • It allows the environment to scale in the future

This approach is known as network segmentation, and it helps improve both security and visibility in cloud environments.

Managing the Virtual Machine

Once the network structure was prepared, the next task was to update the virtual machine configuration.
The existing Linux VM was moved to the newly created subnet, ensuring it would operate within the correct network environment for the FTP service.
In real-world cloud environments, tasks like this are common. Infrastructure engineers often need to adjust existing systems while ensuring services continue to run smoothly.

Working with Azure Storage Services

Another key part of the project involved learning how to manage cloud storage services.
Organizations often need reliable ways to store and share files across systems, and Azure provides several services designed for this purpose.
During the exercise, I worked with:

  • Azure Storage Accounts
  • Blob Storage Containers
  • Azure File Shares

The tasks included:

  • Creating a storage container
  • Creating a file share
  • Uploading files to both storage locations

Blob Storage is typically used for storing large amounts of data such as application files, backups, logs, and media.
Azure File Shares, on the other hand, work more like a shared network folder, allowing multiple systems to access the same files.
These services are essential when organizations need secure and scalable file storage in the cloud.

Protecting and Organising Resources with Tags and Locks

As cloud environments grow, managing resources becomes more complex. Azure provides governance tools to help teams keep everything organised and protected.

Two important tools used in this project were resource tags and resource locks.

Resource Tags

Tags are simple labels attached to resources.
For example, a tag can show:

  • Which department owns the resource
  • The purpose of the resource
  • The environment (development, testing, or production)

This makes it easier to track usage, manage costs, and quickly understand what each resource is used for.

Resource Locks

Resource locks help prevent accidental deletion or modification of important systems.
Because the Linux VM was going to operate as an FTP server, a lock was applied to ensure that no one could mistakenly delete it.
This adds an extra layer of operational protection and stability.

Final Outcome

By completing the project, the environment now includes:

  • A new subnet for better network organization
  • A Linux virtual machine positioned correctly within the network
  • Azure storage services configured for file sharing and storage
  • Resource tags applied for better organization
  • Resource locks implemented to protect critical infrastructure from being accidentally deleted

Together, these improvements help ensure the cloud environment is structured, secure, and easier to manage.

Key Takeaways

This experience reinforced several important cloud engineering principles:

  • Designing well-structured network architectures
  • Managing and updating virtual machine configurations
  • Using cloud storage solutions effectively
  • Organising infrastructure with resource tagging
  • Protecting critical resources using locks

These are foundational skills for anyone working with modern cloud platforms like Microsoft Azure. Cloud engineering is not only about deploying resources; it's about building environments that are reliable, organised, and sustainable.

To make this learning easier for others, I also created a step-by-step guide with screenshots, so anyone interested in Azure infrastructure can follow along and practice these tasks independently.

Need an Azure account?

If you already have a Microsoft Azure account to use for this lab, skip to Login to Microsoft Azure. If you need to create an Azure account, complete the following steps.

  1. Go to the Azure free account page.
  2. Select Try Azure for free.
  3. Complete the sign-up process for an Azure account.

Login to Microsoft Azure

Login to Microsoft Azure at the Azure Portal (https://portal.azure.com).

Create a resource group

In order to make clean-up easy at the end, start with creating a new resource group to hold the resources for this guided project. Using resource groups to organize things is a quick way to ensure you can manage resources when a project is over.

  1. From the Azure portal home page, in the search box, enter resource groups.
  2. Select Resource groups under services.
  3. Select Create.

    Note: Your subscription should already be selected. If you have multiple Azure subscriptions associated with this login, select the one you’d like to use for the guided project.

  4. Enter "guided-project-rg" in the Resource group name field.
  5. The Region field will automatically populate. Leave your region set to Korea Central.
  6. Select Review + create.
  7. Select Create.
  8. Return to the home page of the Azure portal by selecting Home.

Create a virtual network with one subnet

  1. From the Azure portal home page, in the search box, enter virtual networks.
  2. Select virtual networks under services.
  3. Select Create.
  4. Scroll down to the Instance details section and enter guided-project-vnet for the Virtual network name.
  5. Select Review + create.
  6. Select Create.
  7. Wait for the screen to refresh and show Your deployment is complete.
  8. Select Home to return to the Azure portal home page.

Create a virtual machine

  1. From the Azure portal home page, in the search box, enter virtual machines.
  2. Select virtual machines under services.
  3. Select Create and then select Virtual machine
  4. Select guided-project-rg for the Resource group.
  5. Enter guided-project-vm for the Virtual machine name.
  6. For the Image, select one of the Ubuntu Server options. (For example, Ubuntu Server 24.04 LTS - x64 Gen2)
  7. Continue further on the Basics page to the Administrator account section.
  8. Select Password for authentication type.
  9. Enter guided-project-admin for the admin Username.
  10. Enter a password for the admin account.
  11. Confirm the password for the admin account.
  12. Leave the rest of the settings as default settings. You can
  13. Select Review + create.
  14. Select Create to confirm the resource cost and create the virtual machine.
  15. Select Home to return to the Azure portal home page.

    Note: Once validation has passed, you’ll receive a cost estimate of how much it will cost per hour to run the VM.

Create a Storage account

  1. From the Azure portal home page, in the search box, enter storage accounts.
  2. Select Storage accounts under services.
  3. Select Create.
  4. Scroll down to the Instance details section and enter a name for the storage account. Storage account names must be globally unique, so you may have to try a few times to find one that is available.
  5. Select Review + create.
  6. Select Create.
  7. Wait for the screen to refresh and show Your deployment is complete.
  8. Select Home to return to the Azure portal home page.

Create a new subnet on an existing virtual network (vNet)

  1. Login to Microsoft Azure at the Azure Portal (https://portal.azure.com).
  2. From the Azure portal home page, in the search box, enter virtual networks.
  3. Select virtual networks under services.
  4. Select the guided-project-vnet virtual network.
  5. From the guided-project-vnet blade, under settings, select Subnets.
  6. To add a subnet, select + Subnet.
  7. For Subnet purpose leave it as Default.
  8. For Name enter: ftpSubnet.
  9. Leave the rest of the settings alone and select Add.
  10. Select Home to return to the Azure portal home page.

Create a network security group

  1. From the Azure portal home page, in the search box, enter virtual networks.
  2. Select virtual networks under services.
  3. Select Network security groups.
  4. Select + Create.
  5. Verify the subscription is correct.
  6. Select the guided-project-rg resource group.
  7. Enter ftpNSG for the network security group name.
  8. Select Review + create.
  9. Once the validation is complete, select Create.
  10. Wait for the screen to refresh and display Your deployment is complete.
  11. Select Go to resource.

Create an inbound security rule

  1. Under settings, select Inbound security rules.
  2. Select + Add.
  3. Change the Destination port ranges from 8080 to 22.
  4. Select TCP for the protocol.
  5. Set the name to ftpInbound.
  6. Select Add.
  7. Select Home to return to the Azure portal home page.
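
The rule created above sets only the port, protocol and name. Assuming every other field keeps the portal default (Source: Any), TCP 22 becomes reachable from any address once ftpNSG is attached to ftpSubnet. The following is an added example, not part of the original guide: it audits rules in the JSON shape of `az network nsg rule list` for that condition, and all sample rules other than ftpInbound are constructed.

```python
import json

# Constructed sample shaped like `az network nsg rule list --output json`.
# "ftpInbound" mirrors the steps above with Source left at the default (Any).
SAMPLE_RULES = json.loads("""
[
  {"name": "ftpInbound", "priority": 100, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
   "destinationPortRange": "22"},
  {"name": "adminRange", "priority": 110, "direction": "Inbound",
   "access": "Allow", "protocol": "*", "sourceAddressPrefix": "203.0.113.0/24",
   "destinationPortRanges": ["20-25", "8080"]},
  {"name": "legacyMgmt", "priority": 200, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
   "destinationPortRanges": ["20-25", "3389"]},
  {"name": "sshOut", "priority": 100, "direction": "Outbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
   "destinationPortRange": "22"}
]
""")

OPEN_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}


def values(rule, single, plural):
    """Azure stores one value in the singular field or several in the plural one."""
    found = list(rule.get(plural) or [])
    if rule.get(single):
        found.append(rule[single])
    return found


def port_matches(port, spec):
    """True if `port` falls inside an NSG port spec: '*', '22' or '20-25'."""
    spec = spec.strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def covers(rule, port):
    """Inbound TCP rule with an unrestricted source whose ports include `port`."""
    sources = values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    ports = values(rule, "destinationPortRange", "destinationPortRanges")
    return (
        rule["direction"].lower() == "inbound"
        and rule["protocol"].lower() in ("tcp", "*")
        and any(s.lower() in OPEN_SOURCES for s in sources)
        and any(port_matches(port, p) for p in ports)
    )


def exposed_rules(rules, port=22):
    """Names of Allow rules that expose `port` to any source, in priority order.

    NSG rules are evaluated lowest priority number first, so a broad Deny that
    matches earlier shadows every later Allow and the scan stops there.
    Denies scoped to specific sources are ignored (conservative).
    """
    hits = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not covers(rule, port):
            continue
        if rule["access"].lower() == "deny":
            break
        hits.append(rule["name"])
    return hits


if __name__ == "__main__":
    print(exposed_rules(SAMPLE_RULES))
```

Setting Source to the address range that actually needs to reach the FTP server removes the rule from this report.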

Associate a network security group to a subnet

  1. From the Azure portal home page, in the search box, enter virtual networks.
  2. Select virtual networks under services.
  3. Select the guided-project-vnet virtual network.
  4. Under settings, select Subnets.
  5. Select the ftpSubnet you created.
  6. On the Edit subnet page, under the Security section heading, update the Network security group field to ftpNSG.
  7. Select Save.

Move the virtual machine network to the new subnet

  1. Login to Microsoft Azure at the Azure Portal (https://portal.azure.com).
  2. From the Azure portal home page, in the search box, enter virtual machines.
  3. Select virtual machines under services.
  4. Select the guided-project-vm virtual machine.
  5. If the virtual machine is running, select Stop.

    Note: In order to make some configuration changes, such as changing the subnet, the VM will need to be restarted. You can request the change without stopping the VM, but Azure will force a restart before completing the change.

  6. Wait for the Status field to update and show Stopped (deallocated).
  7. Within the Networking subsection of the menu, select Network settings.
  8. Select the Network interface / IP configuration hyperlink for the VM.
  9. On the IP Configurations page, update the Subnet to ftpSubnet.
  10. Select Apply.
  11. Select Home to return to the Azure portal home page.

Vertically scale the virtual machine

  1. From the Azure portal home page, in the search box, enter virtual machines.
  2. Select virtual machines under services.
  3. Select the guided-project-vm virtual machine.
  4. Locate the Availability + scale submenu and select Size.
  5. Select a new VM size, D2s_v5 for example. (Note: If you don’t see the same size as shown in this exercise, select something similar.)
  6. Select Resize.
  7. Select Home to return to the Azure portal home page.

Attach data disks to a virtual machine

  1. From the Azure portal home page, in the search box, enter virtual machines.
  2. Select virtual machines under services.
  3. Select the guided-project-vm virtual machine.
  4. Locate the settings submenu and select Disks.
  5. Select Create and attach a new disk.
  6. Leave LUN as default.
  7. Enter ftp-data-disk for the Disk name.
  8. Leave the Storage type as default.
  9. Enter 20 for the Size.
  10. Select Apply to create the new storage disk and attach the disk to the machine.
  11. Select Home to return to the Azure portal home page.

Configure automatic shutdown on a virtual machine

  1. From the Azure portal home page, in the search box, enter virtual machines.
  2. Select virtual machines under services.
  3. Select the guided-project-vm virtual machine.
  4. Under the Operations submenu, select Auto-shutdown.
  5. In order to let late uploads finish, set the Scheduled shutdown to 7:15:00 PM.
  6. Select Save.
  7. Select Home to return to the Azure portal home page.

Create a storage container

  1. Login to Microsoft Azure at the Azure Portal (https://portal.azure.com).
  2. From the Azure portal home page, in the search box, enter storage accounts.
  3. Select storage accounts under services.
  4. Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)
  5. On the storage account blade, under the Data storage submenu, select Containers.
  6. Select + Add container.
  7. In the Name field, enter storage-container.
  8. Select Create.

Upload a file to the storage container

  1. Select the storage container you just created.
  2. Select Upload and upload the file you prepared.
  3. Once the file is ready for upload, select Upload.

With the file uploaded, notice that the Access tier is displayed. For something we uploaded just for testing, it doesn’t need to be assigned to the Hot access tier. In the next few steps, you’ll change the access tier for the file.

Change the access tier

  1. Select the file you just uploaded (the file name is a hyperlink).
  2. Select Change tier.
  3. Select Cold.
  4. Select Save.

    Note: You just changed the access tier for an individual blob or file. To change the default access tier for all blobs within the storage account, you could change it at the storage account level.

  5. Select Home to return to the Azure portal home page.

Create a file share

  1. From the Azure portal home page, in the search box, enter storage accounts.
  2. Select storage accounts under services.
  3. Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)
  4. On the storage account blade, under the Data storage submenu, select File shares.
  5. Select + File share.
  6. On the Basics tab, in the name field enter file-share.
  7. On the Backup tab, uncheck Enable backup.
  8. Select Review + create.
  9. Select Create.
  10. Once the file share is created, select Upload.
  11. Upload the same file you uploaded to the blob storage or a different file; it’s up to you.
  12. Select Home to return to the Azure portal home page.

The next piece of the puzzle is figuring out one way to control access to the files that have been uploaded. Azure has many ways to control access to files, including things like role-based access control. In this scenario, the Azure admin wants you to use shared access tokens or keys.

Create a shared access signature token

  1. From the Azure portal home page, in the search box, enter storage accounts.
  2. Select storage accounts under services.
  3. Select the storage account you created in the Prepare exercise.
  4. On the storage account blade, select Storage browser.
  5. Expand Blob containers.

    Note: Blob container is another name for the storage containers. Items uploaded to a storage container are called blobs.

  6. Select the storage container you created earlier, storage-container.
  7. Select the ellipses (three dots) on the end of the line for the image you uploaded.
  8. Select Generate SAS.

    Note: When you generate a shared access signature, you set the duration. Once the duration is over, the link stops working. The Start automatically populates with the current date and time.

  9. Set Signing method to Account key.
  10. Set Signing key to Key 1.

    Tip: There are two signing keys available. You can choose either one, or create SAS tokens with different durations.

  11. Set Stored access policy to None.
  12. Set Permissions to Read.
  13. Enter a custom start and expiry time or leave the defaults.
  14. Set Allowed protocols to HTTPS only.
  15. Select Generate SAS token and URI.
  16. Copy the Blob SAS URL and paste it in another window or tab of your browser. It should display the image you uploaded. Keep this tab or window open.
  17. Select Home to return to the Azure portal home page.

With the SAS token created, anyone with that link can access the file for the duration that was set when you created the SAS token. However, controlling access to a resource or file is about more than just granting access. It’s also about being able to revoke access. To revoke access with a SAS token, you need to invalidate the token. You invalidate the token by rotating the key that was used.

Rotate access keys

  1. From the Azure portal home page, in the search box, enter storage accounts.
  2. Select storage accounts under services.
  3. Select the storage account you created in the Prepare exercise.
  4. Expand the Security + networking submenu.
  5. Select Access keys.
  6. For Key 1, select Rotate key.
  7. Read and then acknowledge the warning about regenerating the access key by selecting Yes.
  8. Once you see the success message for rotating the access key, go back to the window or tab you used to check the SAS token and refresh the page. You should receive an authentication failed error.

Add tags to a virtual machine

You’ll start by adding a pair of tags to the virtual machine. One tag will be to identify the purpose of the virtual machine and the other will be to indicate the department the machine supports.

  1. Login to Microsoft Azure at https://portal.azure.com
  2. From the Azure portal home page, in the search box, enter virtual machines.
  3. Select virtual machines under services.
  4. Select the guided-project-vm virtual machine.
  5. From the menu pane, select Tags.
  6. On one line, for Name enter Department and for Value enter Customer Service.
  7. On the next line, for Name enter Purpose and for Value enter FTP Server.
  8. Select Apply.

While you’re working on the virtual machine, it’s a great time to add a resource lock.

Add a resource lock to a VM

  1. If necessary, expand the Settings submenu.
  2. Select Locks.
  3. Select + Add.
  4. For the name, enter VM-delete-lock.
  5. For the Lock type, select Delete. You may enter a note to help remind you why you created the lock.
  6. Select OK.

That’s it. Now the VM is protected from deletion and has tags assigned to help track use. Time to move onto the network. Select Home to return to the Azure portal home page.

Add tags to network resources

  1. From the Azure portal home page, in the search box, enter virtual networks.
  2. Select virtual networks under services.
  3. Select the guided-project-vnet network.
  4. From the menu pane, select Tags.

    Note: Notice that now you can select an existing tag to apply or add a new tag. You can also select just the name or value and create something new in the other field.

  5. For the Name select Department.
  6. For the Value enter IT.
  7. Select Apply.

Now both the VNet and VM are organized.

Exercise – Clean up

    Warning: Failure to complete this Clean up task could result in unexpected Azure costs. This task will remove resources created during this guided project.

Remove delete locks

If you attempt to delete a resource with a delete lock, you’ll receive a warning that the operation failed due to a delete lock being in place. To avoid that, it’s important to clear delete locks from resources you intend to delete before issuing the delete command.

  1. Login to Microsoft Azure at the Azure Portal (https://portal.azure.com).
  2. From the Azure portal home page, in the search box, enter virtual machines.
  3. Select virtual machines under services.
  4. Select the guided-project-vm virtual machine.
  5. If necessary, expand the Settings submenu.
  6. Select Locks.
  7. Select Delete on the line for the VM-delete-lock.
  8. On the pop-up window, select Delete to confirm deletion of the lock.

Once the delete lock is removed, you’ll be able to delete the VM. While this was the only delete lock required by the exercise, if you applied other delete locks during the exercise, remove them now. When you’re done, select Home to return to the Azure portal home page.

Delete the project resource group

A key benefit of using resource groups is the ability to rapidly delete all of the resources assigned to a resource group at once.

  1. From the Azure portal home page, in the search box, enter Resource groups.
  2. Select resource groups under services.
  3. Select the guided-project-rg resource group.
  4. Select Delete resource group.
  5. Select Apply force delete…
  6. Enter guided-project-rg in the confirmation box.
  7. Select Delete.

It will take approximately 5 minutes before the resource group is fully deleted. You’ll need to refresh the resource group page every few minutes until the guided-project-rg is gone to confirm complete deletion.

    Important: Recall at the beginning of the Guided Project you checked for a NetworkWatcherRG resource group. If there WAS a NetworkWatcherRG when you started, then you’re finished. However, if the NetworkWatcherRG was created for the guided project, you’ll need to delete the NetworkWatcherRG as well following a nearly identical process.

Delete the NetworkWatcherRG

    Important: If the NetworkWatcherRG existed prior to starting the guided project, do not delete it as part of the guided project clean up.

  1. From the Azure portal home page, in the search box, enter Resource groups.
  2. Select resource groups under services.
  3. Select the NetworkWatcherRG resource group.
  4. Select Delete resource group.
  5. Enter NetworkWatcherRG in the confirmation box.
  6. Select Delete.
  7. On the Delete confirmation pop-up, select Delete.
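
For the "Create a shared access signature token" and "Rotate access keys" steps earlier in this guide, the following added example (not part of the original guide and not Azure's own code) models why rotating Key 1 invalidates the link, and checks a SAS URL against the Read and HTTPS-only settings chosen in the portal. The string-to-sign is a simplified assumption, and the account name, blob name, keys and timestamps are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed values: not real account keys; "exampleaccount" is a placeholder.
KEY1_OLD = base64.b64encode(b"constructed key 1 before rotation").decode()
KEY1_NEW = base64.b64encode(b"constructed key 1 after rotation").decode()
KEY2 = base64.b64encode(b"constructed key 2").decode()
BLOB_URL = "https://exampleaccount.blob.core.windows.net/storage-container/test.png"
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def ts(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)


def fields(url):
    """Split a SAS URL into the blob path and its query parameters."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def signature(key_b64, path, q):
    # Simplified string-to-sign (assumption): the real service signs more fields
    # in a version-specific order, also with HMAC-SHA256 under the account key.
    to_sign = "\n".join([q["sp"], q["st"], q["se"], path, q["spr"], q["sv"]])
    mac = hmac.new(base64.b64decode(key_b64), to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_sas_url(key_b64, start, expiry, perms="r", protocols="https"):
    q = {"sv": "2022-11-02", "sr": "b", "sp": perms, "spr": protocols,
         "st": start.strftime(FMT), "se": expiry.strftime(FMT)}
    q["sig"] = signature(key_b64, urlsplit(BLOB_URL).path, q)
    return BLOB_URL + "?" + urlencode(q)


def review_sas(url, max_lifetime=timedelta(hours=24)):
    """Compare a SAS URL with the portal choices: Read, HTTPS only, short-lived."""
    _, q = fields(url)
    findings = []
    if q.get("spr") != "https":
        findings.append("plain HTTP allowed")
    if set(q.get("sp", "")) - {"r"}:
        findings.append("grants more than Read")
    if ts(q["se"]) - ts(q["st"]) > max_lifetime:
        findings.append("lifetime exceeds limit")
    return findings


def service_accepts(url, current_keys, now):
    """Server-side model: inside the time window, and the signature must be
    reproducible with one of the account's current keys."""
    path, q = fields(url)
    if not ts(q["st"]) <= now < ts(q["se"]):
        return False
    return any(hmac.compare_digest(q["sig"], signature(k, path, q))
               for k in current_keys)


if __name__ == "__main__":
    sas = make_sas_url(KEY1_OLD, T0, T0 + timedelta(hours=1))
    during = T0 + timedelta(minutes=10)
    print("before rotation:", service_accepts(sas, [KEY1_OLD, KEY2], during))
    print("after rotating Key 1:", service_accepts(sas, [KEY1_NEW, KEY2], during))
```

Rotating Key 1 rejects every SAS signed with Key 1, while a SAS signed with Key 2 keeps working until it expires or Key 2 is rotated as well.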
