Microsoft Azure Homelab VM (Virtual Machine) Setup

What is a homelab? Why Azure?

A homelab is a educational & hobby learning environment for all software & hardware. It can be set up with no budget or a very large budget. This can be configured using virtualization (like Virtualbox) or a hardware-centric setup.

Azure has a $200 credit free trial available for new users of cloud services. This is ideal for the homelab because it is a risk free learning environment that reduces the burden of using bare-metal hardware.

Register an Azure Account

You are going to want to set up a free trial for Microsoft Azure ($200 credit/month). You can use a throwaway Protonmail email for this, feel free to use all of your normal information when setting this up. Typically you will need to access the account using 2FA. You will login in order to view your dashboard.

Azure Storage Account

1. Search for "Storage Account" → Click + Create → Azure storage account

2. Basics tab configuration:

   • Performance: Standard (cost-effective)
   • Redundancy: LRS (Locally Redundant Storage) for learning
   • Enable secure transfer required ☑
   • Enable blob public access: DISABLED (like making S3 private)
   • Enable infrastructure encryption Yes
   • Minimum TLS version: 1.2
   • Storage Account Name homelab1
   • Region East US
   • Subscription Azure Subscription 1
   • Resource Group ResourceGroup1

Virtual Network (VNet)

1. Basics tab configuration:

   • Virtual Network Name homelabnet1
   • Address space 10.0.0.0/16
   • Subnet 10.0.1.0/24

Create Log Analytics workspace

1. Basics tab configuration:

   • Name homelablogs1
   • Region East US

Configure Blob Service Logging

1. Diagnostic Setting configuration:

   • Diagnostic Setting Name blob-storage-logs
   • ☑ StorageRead - tracks all read operations
   • ☑ StorageWrite - tracks all write/upload operations
   • ☑ StorageDelete - tracks all delete operations
   • ☑ Transaction - performance metrics (optional but recommended)
   • ☑ Send to Log Analytics workspace
   • Select your workspace from the dropdown (the one you just created)

Log Query (KQL Mode)

StorageBlobLogs
| where TimeGenerated > ago(1h)
| project TimeGenerated, OperationName, StatusCode, Uri, CallerIpAddress
| order by TimeGenerated desc

Test Container Setup

1. Add New Container

   • Name homelab-container

Virtual Machine Setup

1. Basics tab configuration:

   • Virtual Machine Name homelab-vm
   • Region: Same as your storage account (e.g., East US)
   • Availability options: No infrastructure redundancy required
   • Security type: Standard
   • Image: Ubuntu Server 24.04 LTS - x64 Gen2 (free tier eligible)
   • Size: Click "See all sizes"
   • Search for DC4ds_v3 (4 vCPU, 32 GB RAM)
   • Click Select

2. Administrator Account configuration:

   • Authentication type: SSH public key (more secure than password)
   • Username: azureuser
   • SSH public key source: Generate new key pair
   • SSH Key Type Ed25519 SSH Format
   • Key pair name: homelab-vm_key

3. Inbound Port rules:

   • Public inbound ports: Allow selected ports
   • Select inbound ports: SSH (22)

4. Disk configuration:

   • OS disk type: Standard SSD (cheapest, sufficient for testing)
   • Leave everything else as default

5. Networking configuration:

   • Virtual network: Select your existing VNet (e.g., homelabnet1)
   • Subnet: Select your existing subnet (e.g., snet-eastus-1)
   • Public IP: homelab-vm-ip
   • NIC network security group: Basic
   • Public inbound ports: Allow selected ports
   • Select inbound ports: SSH (22)
   • Delete: YES, delete public IP when VM is deleted. This is because the public IP address is separate from the VM.

6. Management (optional cost savings):

   • Enable auto-shutdown: YES, Check this (to avoid charges if you forget)
     • Set time: 7:00 PM (or whatever works for you)
     • Time zone: EST UTC-05:00
     • Notification: Optional
   • Click Review + Create. Review operating costs.
   • Click Create
   • A popup will appear asking you to download the private key
   • Click Download private key and create resource
   • Save the .pem file somewhere safe (e.g., Downloads folder)
   • You'll need this to SSH into the VM
   • Wait 2-3 minutes for the VM to deploy

Connect to Your VM via SSH

Using Azure Cloud Shell

1. Go to your VM in the portal: Virtual machines → vm-storage-test
2. Click Connect at the top
3. Select Connect → SSH tab

4. You'll see instructions, but follow the below steps

Upload your private key to Cloud Shell:

1. Click the Cloud Shell icon (>_) in the top menu bar

2. Click the Upload/Download files icon (looks like a document with an arrow)
3. Click Upload
4. Select the .pem file you downloaded
5. It uploads to your Cloud Shell home directory

Set proper permissions and connect:

# Set correct permissions on the key
chmod 400 homelab-vm_key.pem
# Get your VM's public IP (or copy it from the portal)
VM_IP="xx.xxx.xx.xx"
# SSH into the VM
ssh -i homelab-vm_key.pem azureuser@$VM_IP
# Confirm adding SSH key
yes
# Test the VM
whoami

Install Azure CLI on the VM

Once you're connected to the VM:

# Update package list
sudo apt-get update
# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Verify installation and exit:

az --version
exit

Authenticate to Azure from the VM

Using Managed Identity

Back in the Azure Portal:

1. Go to your VM: Virtual machines → homelab-vm
2. Left menu → Security → Identity
3. Under System assigned tab:
   • Toggle Status to On
   • Click Save
   • Click Yes to confirm
4. Wait 30 seconds for it to enable
5. Click Azure role assignments
6. Click + Add role assignment
   • Scope: Storage
   • Subscription: Azure Subscription 1
   • Resource: homelab1
   • Role: Storage Blob Data Contributor
   • Click Save

Back in your SSH session on the VM

# Login using managed identity
az login --identity

Test Access to Blob Storage

Now let's verify the VM can access your blob storage through the VNet:

# Set variables (replace with your actual values)
STORAGE_ACCOUNT="homelab1"
CONTAINER="homelab-container"
# List blobs in your container
az storage blob list \
    --account-name $STORAGE_ACCOUNT \
    --container-name $CONTAINER \
    --auth-mode login \
    --output table

Expected output:

You should see your test file listed! Something like:

Name      Blob Type    Length    Content Type
--------  -----------  --------  --------------
test.txt  BlockBlob    42        text/plain

Troubleshooting

Exit from ssh in the azure-cli and use the command:

az storage account show \
    --name homelab1 \
    --resource-group ResourceGroup1 \
    --query networkRuleSet \
    --output json

Azure VM Setup

1.1 Create the Virtual Machine

1. Search for "Virtual machines" → Click + Create → Azure virtual machine

2. Basics tab configuration:

   • Subscription: [Your Azure subscription]
   • Resource group: Click "Create new" → Name: rg-security-stack
   • Virtual machine name: vm-security-stack
   • Region: East US (or closest to you)
   • Availability options: No infrastructure redundancy required
   • Security type: Standard
   • Image: Ubuntu Server 24.04 LTS - x64 Gen2
   • Size: Click "See all sizes"
     • Search for: DC4ds_v3 (4 vCPU, 32 GB RAM)
     • Select this size (good balance of cost/performance)
   • Administrator account:
     • Authentication type: SSH public key
     • Username: azureuser
     • SSH public key source: Generate new key pair
     • Key pair name: vm-security-stack_key
   • Inbound port rules:
     • Public inbound ports: Allow selected ports
     • Select inbound ports: SSH (22)

   • Disks tab:

     • OS disk type: Standard SSD (LRS)
       • Delete with VM: ☑
       • Data disks: None (keep default)

     • Networking tab:

       Virtual network: Click "Create new"

       Name: vnet-security-stack
       Address space: 10.0.0.0/16
       

       Subnet: Click "Manage subnet configuration"

       Name: subnet-apps
       Address range: 10.0.1.0/24
       

       Public IP: (new) vm-security-stack-ip NIC network security group: Basic Public inbound ports: Allow selected ports Select inbound ports: SSH (22) Delete NIC when VM is deleted: ☑

       • Management tab:

         Enable auto-shutdown: ☑ Shutdown time: 7:00 PM (or your preference) Time zone: [Your timezone] Notification before shutdown: Optional Boot diagnostics: Enable with managed storage account

       • Review + create:

         • Review the estimated cost (should be ~$30-60/month or $1-2/day, this is doable with a free trial)
         • Click Create
         • IMPORTANT: Download the private key (.pem file) when prompted
         • Save it securely (e.g., ~/Downloads/vm-security-stack_key.pem)
       • Wait 3-5 minutes for deployment to complete

         Connect to Your VM

Get your VM's public IP:

1. Azure Portal → Virtual machines → vm-security-stack → Overview
2. Copy the Public IP address

Set proper permissions on SSH key (if using Linux/Mac):

chmod 400 ~/Downloads/vm-security-stack_key.pem

Connect via SSH:

# Replace <PUBLIC_IP> with your actual IP
ssh -i ~/Downloads/vm-security-stack_key.pem azureuser@<PUBLIC_IP>

On Windows (PowerShell):

ssh -i C:\Users\YourName\Downloads\vm-security-stack_key.pem azureuser@<PUBLIC_IP>

First time connecting:

1. You'll see: "The authenticity of host... can't be established"
2. Type yes and press Enter

You should see:

Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.2.0-1018-azure x86_64)
...
azureuser@vm-security-stack:~$

Initial System Setup

Update the system:

sudo apt update && sudo apt upgrade -y

Install essential tools:

sudo apt install -y \
  curl \
  wget \
  git \
  htop \
  net-tools \
  ufw \
  fail2ban \
  unattended-upgrades

Set timezone (optional):

# List available timezones
timedatectl list-timezones | grep America

# Set your timezone (example: Eastern Time)
sudo timedatectl set-timezone America/New_York

# Verify
timedatectl

Enable automatic security updates:

sudo dpkg-reconfigure -plow unattended-upgrades
# Select "Yes" when prompted

Azure + Tailscale

In the next writeup, I will explain how to configure Tailscale VPN for secure tunneling into your Azure VM.