Backend Virtual Machines
During this step of the tutorial we are going to:
- Create the virtual network that will accommodate the pool of our proxy servers.
- Create a network security group and configure firewall rules allowing incoming RDP connections to manage these virtual machines.
- Create three virtual machines as members of this virtual network.
- Finally, install Web Filtering Proxy on each virtual machine and set up automatic configuration sync.
Create the virtual network
Select your resource group, click add and search for Virtual Network in the search box as shown on the following screenshot.

Specify backend-vnet as the name of the virtual network and click Next.

Ensure the IP address page looks like the following and click Next again.

Leave everything else as is and click Review and Create. Review your settings, then click Create.

The virtual network for our pool of proxy servers is now created. It should be visible in the resource group listing.

Create network security group
Firewall rules for incoming connections are configured using a network security group. This network security group will need to allow two types of connections.
- RDP connections to any virtual machine from our on-premises location for management.
- Connections to proxy port 3128 from any location for the purpose of browsing through the proxy pool.
Select your resource group, click add and search for Network Security Group in the search box.

Specify backend-nsg as the name of the network security group and click Next. Ensure the region is set correctly.

After the security group is created, add the following rules to it.
| Priority | Name | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|---|
| 100 | Proxy_3128 | 3128 | TCP | any | any | allow |
Note
TODO: how should RDP connections be allowed? Does each machine need a public IP address, or should we deploy Bastion or some RDP gateway?
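As an added example (not part of the original tutorial or of the product's tooling), this Python check compares the rules of backend-nsg against the two requirements listed above: 3128/TCP allowed inbound, and RDP (port 3389) reachable only from the on-premises range. It assumes rules shaped like the JSON printed by `az network nsg rule list`; the RDP rule names and the 203.0.113.0/24 on-premises range are constructed placeholders.

```python
import ipaddress

def _listed(rule, single, plural):
    """Merge Azure's singular and plural fields into one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def covers_port(rule, port):
    """True if any destination port range of the rule includes `port`."""
    for r in _listed(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def from_onprem(prefix, onprem):
    """True only for a CIDR inside the on-premises range; '*', 'Internet' and
    other service tags are not CIDRs and count as outside."""
    try:
        return ipaddress.ip_network(prefix, strict=False).subnet_of(onprem)
    except (ValueError, TypeError):
        return False

def audit(rules, onprem_cidr):
    """Return findings. Priority/deny shadowing is ignored, so every inbound
    allow rule is judged on its own (conservative)."""
    onprem = ipaddress.ip_network(onprem_cidr)
    allow = [r for r in rules if r["direction"] == "Inbound" and r["access"] == "Allow"]
    findings = []
    if not any(covers_port(r, 3128) and r["protocol"].lower() in ("tcp", "*") for r in allow):
        findings.append("proxy port 3128/TCP is not allowed inbound")
    for r in allow:
        if covers_port(r, 3389):
            bad = [s for s in _listed(r, "sourceAddressPrefix", "sourceAddressPrefixes")
                   if not from_onprem(s, onprem)]
            if bad:
                findings.append(f"{r['name']}: RDP reachable from {', '.join(bad)}")
    return findings

def _rule(name, priority, source, ports):
    # Helper for the constructed sample below (inbound TCP allow rule).
    return {"name": name, "priority": priority, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": source, "destinationPortRange": ports}

# Constructed sample; 203.0.113.0/24 is a placeholder for the on-premises range.
SAMPLE = [
    _rule("Proxy_3128", 100, "*", "3128"),
    _rule("RDP_OnPrem", 110, "203.0.113.0/24", "3389"),
    _rule("RDP_Any", 120, "*", "3380-3400"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "203.0.113.0/24"):
        print(finding)
```

An empty result means both requirements hold; the third sample rule shows that a port range spanning 3389 is caught even though the rule never names the port.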
Create virtual machines
Now we are going to create three virtual machines (vm-proxy1, vm-proxy2 and vm-proxy3) each living in a different zone. A zone is just a physically separate location within one Azure region (think of it as a separate physical hardware server for each zone with separate cooling, electricity, etc).
Select your resource group, click add and search for Windows Server in the search box.

On the first page of the deployment wizard, fill in the virtual machine settings as described in the following table.
| Setting Name | Value |
|---|---|
| Virtual Machine Name | vm-proxy1, vm-proxy2 or vm-proxy3 respectively |
| Region | Select your region (West Europe in our case) |
| Availability Options | Zone 1, Zone 2, etc. |
| Image | Select Windows Server 2019 Datacenter |
| Azure Spot instance | Select No |
| Size | Select desired VM size (see note below) |
| Public inbound ports | Select None |
Note
We recommend at least 8 GB of RAM and 4 CPUs on each web filtering virtual machine, because HTTPS decryption and content inspection of all HTML pages is quite CPU- and RAM-intensive.

On the Networking tab, configure the following settings.
| Setting Name | Value |
|---|---|
| Virtual network | Select backend-vnet |
| Subnet | Select default |
| Public IP | Select None |
| NIC network security group | Select Advanced and choose backend-nsg |
| Accelerated networking | Select Off |
| Load balancing | Select No |
Please note that we will put our virtual machines behind the load balancer in the next step.

Now continue to the next step to create the load balancer for our clustered proxy.