Northpoint Entity VM Creation Baseline
VM Baseline
Set on June 30th, 2022
VM Initial Parameters
Subscription
Subscription must match the entity:
- Azure Subscription 1 (Ending in 6a2f) is NPD
- NorthPoint Logistics is NPL
- WareHouse Quote is WHQ
Resource Group
- Name the resource group after what the VM will be used for
- E.g. the resource group for the VMs that host the UI Path application is called UI Path
VM Name
Name the VM based on the naming convention below
- For NPD: NPD-AppNameVM
- For NPL: NPL-AppNameVM
- For WHQ: whq-appname01 (number in sequential order if multiple)
Region and Availability Zone
Region - Central US unless otherwise stated
Availability Zone - Zone 1
Security Type
Always use Trusted Launch virtual machines
- This enables vTPM and a few other features for generation 2 (and newer) VMs
Administrator Account
This will follow the default TechPoint account that is in LastPass
Inbound Port Rules
Only allow RDP - the port number will be changed later (see Secondary Configuration), but it needs to be enabled so you can access the VM initially
Disks
For the most part this will stay standard unless you have to make changes because an application requires it. Don't change anything unless you have to.
- Please just make sure that “Delete with VM” box is checked
Networking
Let Azure create the initial networking info and leave it as default:
If this VM is being added to an existing resource group, make sure everything below lines up with the existing infrastructure
- Virtual Network
- Subnet
- Public IP
Under NIC network security group:
- Click Advanced and create a new NSG
Do not check the box that deletes the public IP and NIC when the VM is deleted
Monitoring
Azure AD
Check the “Login with Azure AD” box
- This will also automatically check the "System assigned managed identity"
Auto-Shutdown
Check the "Enable Auto-Shutdown" box if needed - most production machines won't need this, as we'll set up an automation account to auto-shutdown and auto-start them.
It may still be requested on some machines, the NPL-PowerBI machines for example.
SKIP THE ADVANCED TAB
Tags
Always use these tags as a minimum:
- Billing - Entity abbreviation
- Application - Full application name
Secondary Configuration
Network Security Group
Go to the Network Security Group > Inbound rules and set up the RDP rules as follows.
Create Allow Rule
- Click Add
- Source - IP Address
- Add NPD global external IP - 138.199.99.26
- Leave destination as “Any”
- Leave service as “Custom”
- Set port to 3389 (will change later)
- Set protocol to TCP
- Set priority to 1000
- Name as “Default-RDP-Access”
Create Deny Rule
- Click Add
- Source - Service Tag
- Change to “Internet”
- Leave destination as “Any”
- Leave service as “Custom”
- Set port to 3389 (will change later)
- Set protocol to TCP
- Set Action to "Deny"
- Set priority to 1010
- Name as “Deny-RDP”
Change RDP Listening Port
- Go to the VM
- Under operations > select run command
- Select “SetRDPPort” command
- Run command
- Set port to: 51500
- Once the command has been run successfully go back to the NSG
- Click into both Default-RDP-Access and Deny-RDP and change the port number
- from 3389 to 51500
- Save and test the RDP connection on the new port
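As an added example (not part of the original baseline), the check below audits a VM against the rules on this page once the secondary configuration is done: subscription-to-entity mapping, the VM naming convention, the two mandatory tags, and the RDP allow/deny pair on the NSG. It assumes the VM and rule records use the field names found in the JSON that `az vm show` and `az network nsg rule list` emit (adjust the keys if your export differs); the regexes are one reading of the naming convention, and all sample data is constructed.

```python
# Baseline compliance check for a Northpoint VM. Added example, not the
# baseline's own tooling. Field names follow `az vm show` / `az network nsg
# rule list` JSON output (assumption); all sample data below is constructed.
import re

# Subscription -> entity, from the Subscription section
SUBSCRIPTIONS = {"Azure Subscription 1": "NPD", "NorthPoint Logistics": "NPL",
                 "WareHouse Quote": "WHQ"}

# VM naming convention per entity (NPD-AppNameVM, NPL-AppNameVM, whq-appname01)
NAME_PATTERNS = {
    "NPD": re.compile(r"^NPD-[A-Za-z0-9]+VM$"),
    "NPL": re.compile(r"^NPL-[A-Za-z0-9]+VM$"),
    "WHQ": re.compile(r"^whq-[a-z][a-z0-9]*[0-9]{2}$"),
}
REQUIRED_TAGS = ("Billing", "Application")
NPD_GLOBAL_IP = "138.199.99.26"
ALLOW_RULE, DENY_RULE = "Default-RDP-Access", "Deny-RDP"
AZURE_DEFAULT_RULE_PRIORITY = 65000  # Azure's built-in NSG rules sit at 65000 and above


def check_name(name, entity):
    """Findings for a VM name that breaks the entity's convention."""
    if NAME_PATTERNS[entity].match(name):
        return []
    return [f"VM name {name!r} does not follow the {entity} convention"]


def check_tags(tags, entity):
    """Both baseline tags must exist and Billing must hold the entity abbreviation."""
    findings = [f"missing required tag {t!r}" for t in REQUIRED_TAGS if t not in tags]
    if "Billing" in tags and tags["Billing"] != entity:
        findings.append(f"Billing tag {tags['Billing']!r} does not match entity {entity}")
    return findings


def _expect(rule, expected):
    # List every field of `rule` that differs from the baseline value
    return [f"{rule['name']}: {k} is {rule.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if rule.get(k) != v]


def check_rdp_rules(rules, port):
    """Verify the allow/deny pair for the RDP port and flag any other exposure of it."""
    inbound = [r for r in rules if r.get("direction") == "Inbound"]
    by_name = {r["name"]: r for r in inbound}
    findings = []
    allow, deny = by_name.get(ALLOW_RULE), by_name.get(DENY_RULE)
    if allow is None:
        findings.append(f"allow rule {ALLOW_RULE!r} is missing")
    else:
        findings += _expect(allow, {"access": "Allow", "protocol": "Tcp", "priority": 1000,
                                    "sourceAddressPrefix": NPD_GLOBAL_IP,
                                    "destinationPortRange": port})
    if deny is None:
        findings.append(f"deny rule {DENY_RULE!r} is missing")
    else:
        findings += _expect(deny, {"access": "Deny", "protocol": "Tcp", "priority": 1010,
                                   "sourceAddressPrefix": "Internet",
                                   "destinationPortRange": port})
    # NSG rules are evaluated lowest priority number first: the allow must
    # sort before the deny or the global IP is locked out as well.
    if allow and deny and allow.get("priority", 0) >= deny.get("priority", 0):
        findings.append("allow rule must have a lower priority number than the deny rule")
    # Any other allow that lets a source besides the global IP reach the RDP
    # port (e.g. the portal wizard's wide-open "RDP" rule) must be cleaned up.
    for rule in inbound:
        if rule is allow or rule.get("access") != "Allow":
            continue
        if rule.get("priority", 0) >= AZURE_DEFAULT_RULE_PRIORITY:
            continue
        if (rule.get("destinationPortRange") in (port, "*")
                and rule.get("sourceAddressPrefix") != NPD_GLOBAL_IP):
            findings.append(f"rule {rule['name']!r} allows {rule.get('sourceAddressPrefix')!r} "
                            f"to port {rule.get('destinationPortRange')}")
    return findings


def audit(vm, rules, port="51500"):
    """All baseline findings for a VM; an empty list means compliant."""
    entity = SUBSCRIPTIONS.get(vm.get("subscription"))
    if entity is None:
        return [f"subscription {vm.get('subscription')!r} is not an entity subscription"]
    return (check_name(vm["name"], entity) + check_tags(vm.get("tags", {}), entity)
            + check_rdp_rules(rules, port))


# Constructed sample data (not exported from real infrastructure)
COMPLIANT_VM = {"name": "NPD-UiPathVM", "subscription": "Azure Subscription 1",
                "tags": {"Billing": "NPD", "Application": "UI Path"}}
BASELINE_RULES = [
    {"name": ALLOW_RULE, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": NPD_GLOBAL_IP, "destinationPortRange": "51500", "priority": 1000},
    {"name": DENY_RULE, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "51500", "priority": 1010},
]
# A VM straight out of the portal wizard, before the secondary configuration
FRESH_VM = {"name": "npd-uipath", "subscription": "Azure Subscription 1",
            "tags": {"Application": "UI Path"}}
FRESH_RULES = [{"name": "RDP", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                "sourceAddressPrefix": "*", "destinationPortRange": "3389", "priority": 300}]

if __name__ == "__main__":
    print("fresh:", audit(FRESH_VM, FRESH_RULES, "3389"))
    print("baseline:", audit(COMPLIANT_VM, BASELINE_RULES) or ["compliant"])
```

Run it with `port="3389"` right after the NSG rules are created and with the default `51500` after the SetRDPPort step; the fresh-VM sample reports the bad name, the missing Billing tag, both missing baseline rules, and the wizard's wide-open RDP rule, while the baseline sample reports nothing.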