A virtual machine is the basic compute service provided by any cloud service provider. It falls under Infrastructure as a service, where you create a Windows or Linux Machine and manage it.
Sample AZ CLI command
az vm create \
--resource-group resource-group-for-testing \
--location westus \
--name SampleVM \
--image UbuntuLTS \
--admin-username azureuser \
Unmanaged vs. Managed disks
The final storage choice you’ll make is whether to use unmanaged or managed disks.
With unmanaged disks, you are responsible for the storage accounts that are used to hold the VHDs corresponding to your VM disks. You pay the storage account rates for the amount of space you use.
Managed disks are the newer (and recommended) disk-storage model. They elegantly solve the complexity of unmanaged disks by putting the burden of managing the storage accounts onto Azure.
Increased reliability: Azure ensures that VHDs associated with high-reliability VMs will be placed in different parts of Azure storage to provide similar levels of resilience.
Better security: This means they can use role-based access control to restrict who can work with the VHD data.
Snapshot support: You can use snapshots to create a read-only copy of a VHD.
Backup support: You can automatically back up managed disks to different regions for disaster recovery with Azure Backup, all without affecting the service of the VM.
What is a Network Security Group?
Virtual networks (VNets) are the foundation of the Azure networking model and provide isolation and protection. Network Security Groups (NSGs) are the main tool you use to enforce and control network traffic rules at the networking level.
Security group rules
NSGs use rules to allow or deny traffic moving through the network. Each rule identifies the source and destination address (or range), protocol, port (or range), direction (inbound or outbound), a numeric priority, and whether to allow or deny the traffic that matches the rule. The following illustration shows NSG rules applied at the subnet and network-interface levels.
Keep in mind that security groups are optional at both levels. If no security group is applied, then all traffic is allowed by Azure. If the VM has a public IP, this could be a serious risk, particularly if the OS doesn’t provide some sort of firewall.
The Azure Bastion service is a new fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address.