My Notes
Passionate Developer, Enterprise Hybrid Engineer
Azure Cloud Deployment Self Managed Step by Step
Summary Checklist
- VNet & Subnets created.
- Domain Controller VM deployed and promoted.
- VNet DNS pointed to the DC's private IP.
- Users/Groups created in Active Directory.
- File Share (VM or Azure Files) configured.
- Client VMs joined to the domain.
High-Level Architecture
1. Networking Foundation (The "Building")
- Create a Virtual Network (VNet): In the Azure Portal, create a VNet (e.g., Lab-VNet) with an address space like 10.0.0.0/16
- Create Subnets:
  - Identity-Subnet (e.g., 172.0.1.0/24): For your Domain Controllers.
  - Workload-Subnet (e.g., 172.0.2.0/24): For your file servers and client VMs.
- Static Private IPs: Ensure your Domain Controller VM will have a static private IP address (configured in the Azure NIC settings, not just inside Windows).
- Network Security Groups (NSG): Azure's default NSG rules deny inbound traffic from the Internet while allowing traffic inside the VNet. Ensure your NSG allows RDP (3389) for management and the internal ports AD needs (DNS, Kerberos, SMB).
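The networking foundation above can be built with Az PowerShell instead of the Portal. The block below is an added example, not code from the original notes. Resource group, location, NIC name and the `203.0.113.10/32` admin address are placeholders; because a subnet must lie inside its VNet's address space, the example uses `10.0.1.0/24` and `10.0.2.0/24` under the `10.0.0.0/16` VNet rather than the `172.0.x.0/24` ranges quoted above. The RDP rule is scoped to a single management address rather than the whole Internet.

```powershell
# Added example (not from the original notes): Az PowerShell equivalent of Step 1.
# Assumptions: resource group, location, names, the 10.0.x.0/24 subnet ranges and
# $adminPublicIp are placeholders chosen here. Requires the Az module and Connect-AzAccount.
$rg            = 'Lab-RG'
$location      = 'eastus'
$adminPublicIp = '203.0.113.10/32'   # placeholder (TEST-NET-3): your admin workstation's public IP
$dcStaticIp    = '10.0.1.10'         # static private IP the Domain Controller will keep

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# VNet with the two subnets from Step 1.
$identitySubnet = New-AzVirtualNetworkSubnetConfig -Name 'Identity-Subnet' -AddressPrefix '10.0.1.0/24'
$workloadSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Workload-Subnet' -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -Name 'Lab-VNet' -ResourceGroupName $rg -Location $location `
          -AddressPrefix '10.0.0.0/16' -Subnet $identitySubnet, $workloadSubnet

# NSG for the identity subnet. Default rules already allow VNet-internal traffic and deny
# Internet inbound; these explicit rules document the intent and keep RDP limited to one
# management address instead of exposing 3389 to the Internet.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $adminPublicIp -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 3389

# AD DS ports used by domain members: DNS, Kerberos, RPC endpoint mapper, LDAP(S), SMB,
# Kerberos password change, Global Catalog, and the RPC dynamic range.
$adRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-ADDS-From-VNet' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol '*' `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.0.1.0/24' `
    -DestinationPortRange 53, 88, 135, 389, 445, 464, 636, 3268, 3269, '49152-65535'

# Explicit deny for RDP from the Internet, evaluated after the allow above.
$denyRdpInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-From-Internet' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -Name 'Identity-NSG' -ResourceGroupName $rg -Location $location `
          -SecurityRules $rdpRule, $adRule, $denyRdpInternet

# Attach the NSG to the identity subnet and persist the VNet change.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Identity-Subnet' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# NIC for the DC with a static private IP set at the Azure NIC level, as Step 1 requires.
# Supplying -PrivateIpAddress makes the allocation method Static.
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'Identity-Subnet' -VirtualNetwork $vnet
$dcNic = New-AzNetworkInterface -Name 'DC01-nic' -ResourceGroupName $rg -Location $location `
           -SubnetId $subnet.Id -PrivateIpAddress $dcStaticIp
$dcNic.IpConfigurations[0].PrivateIpAllocationMethod   # expected: Static
```

Pass `$dcNic.Id` to `Add-AzVMNetworkInterface` when building the Domain Controller VM in Step 2 so the VM inherits the static address.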
2. The Domain Controller (The "Brain")
- Deploy a VM: Create a Windows Server VM (e.g., Windows Server 2022) in the Identity-Subnet.
- Install Roles: Log in via RDP and use Server Manager to add the Active Directory Domain Services (AD DS) and DNS Server roles.
- Promote to DC: Click the flag icon in Server Manager and select "Promote this server to a domain controller."
  - Select "Add a new forest."
  - Enter your Root Domain Name (e.g., corp.local or internal.yourdomain.com).
- Crucial Step - VNet DNS: Once the DC is up, go back to the Azure Portal > VNet > DNS Servers and change it from "Default" to "Custom." Enter the Private IP of your new Domain Controller. This allows other VMs to "see" the domain.
Critical Considerations for Domain Controllers
Because this subnet is for identity services, keep these three rules in mind:
- Static IP Addresses: Once you deploy your Domain Controller VMs, go to the Network Interface settings for each VM and change the private IP assignment from Dynamic to Static.
- DNS Redirection: After your Domain Controllers are promoted, you must go to your Virtual Network > DNS Servers settings and change them from "Azure-provided" to "Custom," entering the private IPs of your new DCs.
- Subnet Sizing: A /24 range (256 IPs) is excellent for identity because it allows for multiple DCs, file servers, or certificate services while leaving room for Azure's 5 reserved IP addresses.
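Step 2 and the three considerations above can be scripted end to end. The block below is an added example, not code from the original notes: Part A runs inside the new server VM over RDP, Part B runs from the admin workstation with the Az module signed in. The domain `corp.local` comes from the notes; the `CORP` NetBIOS name, resource group `Lab-RG`, VNet `Lab-VNet`, NIC `DC01-nic` and DC address `10.0.1.10` are placeholders chosen here.

```powershell
# Added example (not from the original notes). Assumptions: domain corp.local / NetBIOS CORP,
# resource group 'Lab-RG', VNet 'Lab-VNet', NIC 'DC01-nic' and DC IP 10.0.1.10 are placeholders.

# ---- Part A: on the Domain Controller VM (elevated Windows PowerShell) ----
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Promote to the first DC of a new forest. The DSRM password is read interactively so it
# never lands in shell history or a script repository.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
Install-ADDSForest -DomainName 'corp.local' -DomainNetbiosName 'CORP' `
    -InstallDns:$true -SafeModeAdministratorPassword $dsrmPassword `
    -NoRebootOnCompletion:$false -Force:$true
# The server reboots. After it returns, confirm health before continuing:
#   Get-ADDomainController -Discover
#   dcdiag /test:dns

# ---- Part B: from the admin workstation (Az PowerShell) ----
$rg         = 'Lab-RG'
$dcStaticIp = '10.0.1.10'

# Consideration 1: the DC NIC must be Static at the Azure level, not only inside Windows.
$nic = Get-AzNetworkInterface -Name 'DC01-nic' -ResourceGroupName $rg
if ($nic.IpConfigurations[0].PrivateIpAllocationMethod -ne 'Static') {
    $nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
    $nic.IpConfigurations[0].PrivateIpAddress = $dcStaticIp
    $nic | Set-AzNetworkInterface | Out-Null
}

# Consideration 2 / the "Crucial Step": switch VNet DNS from Azure-provided to Custom,
# pointing at the DC, so other VMs can resolve the domain.
$vnet = Get-AzVirtualNetwork -Name 'Lab-VNet' -ResourceGroupName $rg
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = @($dcStaticIp)
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify: should list exactly the DC address.
(Get-AzVirtualNetwork -Name 'Lab-VNet' -ResourceGroupName $rg).DhcpOptions.DnsServers
# VMs already running pick up the new DNS server only after a DHCP renew or a reboot.
```

If a second DC is added later for redundancy (the /24 leaves room for it), append its static IP to the `DnsServers` array rather than replacing the first.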
3. Identity Management (Users & Groups)
- Tools: Open Active Directory Users and Computers (ADUC) on your DC.
- Structure: Create Organizational Units (OUs) for Users, Computers, and Groups.
- GPO: Open Group Policy Management to set rules (like mapping drives automatically or enforcing wallpaper).
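The same OU, group, user and GPO work can be done from PowerShell on the DC with the ActiveDirectory and GroupPolicy modules that `-IncludeManagementTools` installs. This is an added example, not code from the original notes; the OU names, group names, sample users and GPO name are placeholders chosen here, and `corp.local` is the domain used in the notes.

```powershell
# Added example (not from the original notes): Step 3 in PowerShell on the Domain Controller.
# Assumptions: domain corp.local; OU, group, user and GPO names are placeholders chosen here.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=local

# OU structure: a parent for the lab with children for Users, Computers and Groups.
New-ADOrganizationalUnit -Name 'Lab' -Path $domainDn -ProtectedFromAccidentalDeletion $true
foreach ($ou in 'Users', 'Computers', 'Groups') {
    New-ADOrganizationalUnit -Name $ou -Path "OU=Lab,$domainDn" -ProtectedFromAccidentalDeletion $true
}

# Groups: access is granted to groups, never to individual users (least privilege, auditable).
New-ADGroup -Name 'FileShare-Users'  -GroupScope Global -GroupCategory Security -Path "OU=Groups,OU=Lab,$domainDn"
New-ADGroup -Name 'FileShare-Admins' -GroupScope Global -GroupCategory Security -Path "OU=Groups,OU=Lab,$domainDn"

# Users: the initial password is prompted, and each user must change it at first logon.
$initialPassword = Read-Host -Prompt 'Initial password for lab users' -AsSecureString
$users = @(
    @{ Sam = 'jdoe';   Given = 'Jane'; Surname = 'Doe';   Groups = @('FileShare-Users') }
    @{ Sam = 'asmith'; Given = 'Alex'; Surname = 'Smith'; Groups = @('FileShare-Users', 'FileShare-Admins') }
)
foreach ($u in $users) {
    New-ADUser -SamAccountName $u.Sam -Name "$($u.Given) $($u.Surname)" `
        -GivenName $u.Given -Surname $u.Surname `
        -UserPrincipalName "$($u.Sam)@corp.local" `
        -Path "OU=Users,OU=Lab,$domainDn" `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
    foreach ($g in $u.Groups) { Add-ADGroupMember -Identity $g -Members $u.Sam }
}

# GPO: create the policy and link it to the Users OU. Drive-map preferences are edited in the
# GPMC editor; this creates and links the GPO those settings live in.
$gpo = New-GPO -Name 'Lab-User-Settings' -Comment 'Drive mappings and desktop settings for lab users'
New-GPLink -Name $gpo.DisplayName -Target "OU=Users,OU=Lab,$domainDn" -LinkEnabled Yes | Out-Null

# Verify group membership and the GPO link.
Get-ADGroupMember -Identity 'FileShare-Admins' | Select-Object SamAccountName
Get-GPInheritance -Target "OU=Users,OU=Lab,$domainDn" | Select-Object -ExpandProperty GpoLinks
```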
4. File Storage (The "Cabinet")
You have two main options for cloud-based file shares in a traditional domain:
| Option | Best For | Setup |
|---|---|---|
| Windows File Server VM | Full feature parity with on-prem (NTFS, Quotas). | Deploy a Windows VM, join it to the domain, and share folders. |
| Azure Files (SMB) | Lower cost, no VM to manage. | Create an Azure Storage Account, join it to your AD domain, and use AD identities to set permissions. |
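For the first row of the table (a domain-joined Windows File Server VM), the block below shows the share setup with share permissions, NTFS permissions and SMB encryption configured together. It is an added example, not code from the original notes; it assumes the `CORP\FileShare-Users` and `CORP\FileShare-Admins` groups exist, and the path and share name are placeholders chosen here.

```powershell
# Added example (not from the original notes): the "Windows File Server VM" option, run on a
# domain-joined Windows Server VM in the Workload-Subnet.
# Assumptions: groups CORP\FileShare-Users and CORP\FileShare-Admins exist; path and share
# name are placeholders chosen here.
$sharePath = 'D:\Shares\Team'
$shareName = 'Team'

New-Item -Path $sharePath -ItemType Directory -Force | Out-Null

# NTFS: stop inheriting from the volume root (which grants BUILTIN\Users read/execute),
# clear the existing entries, then grant by group only.
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, 'None', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('CORP\FileShare-Admins',  'FullControl', $inherit, 'None', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('CORP\FileShare-Users',   'Modify',      $inherit, 'None', 'Allow')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $sharePath -AclObject $acl

# SMB share: share permissions mirror the groups (no Everyone), SMB3 encryption is required
# so Workload-Subnet traffic is not readable on the wire, and access-based enumeration hides
# folders a user cannot open.
New-SmbShare -Name $shareName -Path $sharePath `
    -FullAccess 'CORP\FileShare-Admins' -ChangeAccess 'CORP\FileShare-Users' `
    -EncryptData $true -FolderEnumerationMode AccessBased | Out-Null

# SMB1 has no place in a modern domain; turn it off on the server side.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verify the effective share and NTFS permissions.
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $sharePath).Access | Select-Object IdentityReference, FileSystemRights
```

Effective access is the more restrictive of the share permission and the NTFS permission, which is why both are granted to the same groups here. For the Azure Files row, the AD DS join is done with the `AzFilesHybrid` module's `Join-AzStorageAccountForAuth` rather than the cmdlets above.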
5. Joining Workstations
- Deploy Workload VMs: Create Windows 10/11 or Server VMs in the Workload-Subnet.
- Join Domain: Go to System Settings > About > Rename this PC (advanced) and join the domain using the FQDN (e.g., corp.local).
- Login: Restart and log in with a user account you created in Step 3.
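Joining a workstation can be scripted from an elevated Windows PowerShell 5.1 prompt on the workload VM, with two pre-flight checks that catch the most common failures (VNet DNS still Azure-provided, or the NSG blocking LDAP). This is an added example, not code from the original notes; `corp.local` is from the notes, while the DC address `10.0.1.10`, the OU path and the delegated join account `CORP\joinacct` are placeholders chosen here.

```powershell
# Added example (not from the original notes): Step 5 from an elevated Windows PowerShell 5.1
# prompt on a Workload-Subnet VM. Assumptions: domain corp.local; DC at 10.0.1.10; the OU path
# and CORP\joinacct (a delegated join account, not a Domain Admin) are placeholders.
$domain = 'corp.local'
$dcIp   = '10.0.1.10'
$ouPath = 'OU=Computers,OU=Lab,DC=corp,DC=local'

# Pre-flight 1: the VM must find DC SRV records through the DC's DNS (VNet DNS set to Custom).
# A failure here means Step 2's "Crucial Step" was skipped or the VM has not renewed its lease.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
if (-not ($srv | Where-Object Type -eq 'SRV')) {
    throw "No DC SRV records for $domain; check the VNet DNS Servers setting"
}

# Pre-flight 2: LDAP to the DC must be reachable through the Identity-Subnet NSG.
if (-not (Test-NetConnection -ComputerName $dcIp -Port 389 -InformationLevel Quiet)) {
    throw "LDAP 389 to $dcIp is blocked; check the Identity-Subnet NSG rules"
}

# Join into the Computers OU with the delegated account, then reboot so the Step 5 login
# with a Step 3 user account works.
$joinCred = Get-Credential -UserName 'CORP\joinacct' -Message 'Account delegated to join computers'
Add-Computer -DomainName $domain -OUPath $ouPath -Credential $joinCred -Restart -Force

# After the reboot, from the DC or any member with RSAT:
#   Get-ADComputer -Identity '<vm-name>' | Select-Object DNSHostName, DistinguishedName
```

Using a delegated join account that only has "Create Computer objects" on the target OU keeps Domain Admin credentials off workstation VMs, where they would otherwise be exposed to anyone with local administrator rights.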
Kubernetes Infrastructure on Ubuntu 24.04.3 LTS
Technology Stack
Kubernetes (K8s), Oracle Cloud Infrastructure Free Tier, Fortinet Security, Docker, Ubuntu Linux
Infrastructure Specifications
Hardware & OS
- Master Node: Local environment running Ubuntu 24.04.3 LTS.
- Worker Node: OCI Compute Instance (VM.Standard.E4.Flex) running Ubuntu 24.04.3 LTS.
Security Gateway
FortiWifi 60E Firewall.
Hybrid Networking
- VPN Tunnel: Established a Site-to-Site VPN tunnel via the FortiWifi 60E to bridge the internal local network with the OCI Virtual Cloud Network (VCN).
- Cloud Routing: Configured OCI Security Lists and Route Tables to allow private communication between nodes while exposing the application via a Public IP.
Kubernetes Setup
Implementation Phases
Cluster Initialization
- Deployed kubeadm, kubelet, and kubectl on all nodes.
- Initialized the Master Node and established the Control Plane.
- Joined the OCI Worker Node to the local Master via the secure VPN link.
- Deployed Calico CNI to manage the overlay network across the hybrid environment.
Further Details
Architected and deployed a high-availability productivity suite (Nextcloud & OnlyOffice) on a hybrid Kubernetes cluster spanning on-premises and Oracle Cloud Infrastructure (OCI).
Engineered cross-provider networking by configuring OCI Security Lists, VCN routing, and Linux iptables to facilitate seamless communication between master and worker nodes across different subnets.
Networking: BGP Peering (Port 179) via Calico.
Application: Nextcloud + MariaDB.
Fixed DNS and Network issues across the hybrid bridge.
Hybrid Cloud Connectivity, Network Security, and Kubernetes Infrastructure - Complex Matter
Persistent Node Connectivity: Eliminated kubectl exec and log-streaming timeouts by implementing Static IP Reservations within the SSL-VPN tunnel, ensuring consistent communication between the master node and remote Kubelets.
Network Optimization: Configured custom SSL-VPN portals and authentication rules to prioritize high-availability traffic for specific cloud worker nodes, maintaining a 100% stable INTERNAL-IP mapping across reboots. Deployed a granular SSL-VPN configuration to reserve an IP for the OCI Ubuntu node that hosts all the pods.
Static IP Mapping: Engineered a dedicated IP address pool and host-object reservation system (10.212.134.x) to enforce IP-based security policies for cross-cloud Kubernetes traffic.
Engineered Network Persistence: Solved critical cluster stability issues by implementing Static IP Reservations within the VPN framework. Configured custom SSL-VPN Portals and Address Objects to ensure remote nodes maintained a constant INTERNAL-IP, eliminating communication timeouts for kubectl exec and log-streaming.
Detailed Technical Proficiency
- Networking: FortiOS Administration, SD-WAN, SSL-VPN Tunneling, Static Routing, IP Reservation, NAT/No-NAT Policies & Monitoring.
- Cloud: Oracle Cloud Infrastructure (OCI), Virtual Cloud Networks (VCN).
- Kubernetes: Multi-Node Cluster Management, Kubelet Configuration, Hybrid-Cloud Control Planes, CSR (Certificate Signing Request) Management.
Core Professional Competencies
- "I know Firewalls": You understand Fortinet, which is one of the top 3 firewall brands in the world.
- "I understand the 'Underlay'": You know that Kubernetes relies on a stable network layer, and you know how to fix it when it breaks.
- "I am Resourceful": You successfully connected two completely different environments (Home/Office to OCI) which requires high-level troubleshooting skills.