Note: This article was adapted from content originally written on October 19th, 2017, titled “Setting up a Private CI/CD Solution in Azure.” It has been simplified and split into four parts for easier reading.
Part 2: Azure Infrastructure and Networking Setup
Key Takeaways
- This article discusses setting up Azure infrastructure for a private CI/CD solution, including resource groups and networking.
- It details creating resource groups like Spacely-Engineering-Network and configuring a virtual network with specific settings.
- The guide includes steps for configuring subnets, network security groups, and setting up a VPN gateway.
- Additionally, it covers the creation of Docker Swarm manager and worker VMs for hosting CI/CD services.
- The next part focuses on configuring core services for the CI/CD pipeline.
In this part, we’ll walk through the detailed steps of setting up the Azure infrastructure that forms the foundation of our private CI/CD solution. This includes creating resource groups, configuring virtual networks, setting up network security groups, and establishing VPN connectivity.
Azure Setup
Step 1: Create Resource Groups
Resource groups in Azure provide a logical container for managing related resources. We’ll create multiple resource groups to organize our infrastructure effectively.
- Navigate to Resource Groups in the Azure portal and click Add.
- Create the following resource groups:
| Resource Group Name | Purpose | Region |
|---|---|---|
| Spacely-Engineering-Network | Network infrastructure resources | East US 2 |
| Spacely-Engineering-VPN | VPN gateway and related resources | East US 2 |
| Spacely-Engineering-VM | Virtual machines and compute resources | East US 2 |
| Spacely-Engineering-Load-Balancers | Load balancing infrastructure | East US 2 |
Step 2: Create the Virtual Network
- Navigate to Virtual Networks and click Add.
- Configure the virtual network with these settings:
- Name: Spacely-Engineering-Virtual-Network
- Address Space: 10.0.0.0/16 (the address space has to contain every subnet you define in Step 3; GatewaySubnet at 10.0.255.224/27 and DMZ at 10.0.250.0/24 do not fit inside anything smaller than a /16)
- Resource Group: Spacely-Engineering-Network
- Location: East US 2
- Click Create to provision the virtual network.
Step 3: Configure Subnets
After creating the virtual network, we need to configure multiple subnets for different purposes:
- Open your virtual network and navigate to Subnets.
- Create the following subnets:
| Subnet Name | Address Range | Purpose |
|---|---|---|
| GatewaySubnet | 10.0.255.224/27 | VPN Gateway (required name) |
| DMZ | 10.0.250.0/24 | Load balancers and exposed services |
| Private-Network-1 | 10.0.0.0/24 | Docker Swarm managers |
| Private-Network-2 | 10.0.1.0/24 | Docker Swarm workers |
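Before clicking through the portal it is worth checking that the address plan above is internally consistent: Azure rejects a subnet that falls outside the VNet address space, and the /27 at 10.0.255.224 only fits inside a block at least as large as 10.0.0.0/16. The following Python is an added example, not code from the original article. It encodes the tables above, reports any subnet outside the VNet space, overlapping subnets, a missing or undersized GatewaySubnet, or a point-to-site client pool that collides with the VNet, and suggests the smallest block that holds every subnet. Only the standard library is used.

```python
"""Check the Spacely address plan before creating anything in the portal.

Added example, not from the original article. It encodes the values from the
tables above and checks what Azure enforces at creation time: each subnet must
lie inside the VNet address space, subnets must not overlap, the gateway subnet
must carry the exact name GatewaySubnet (Azure recommends /27 or larger), and
the point-to-site client pool must not overlap the VNet.
"""
import ipaddress
from typing import Dict, List

# Values from the article's tables (VNet space is the /16 that holds all subnets).
VNET_SPACE = "10.0.0.0/16"
SUBNETS = {
    "GatewaySubnet": "10.0.255.224/27",
    "DMZ": "10.0.250.0/24",
    "Private-Network-1": "10.0.0.0/24",
    "Private-Network-2": "10.0.1.0/24",
}
P2S_POOL = "172.16.0.0/24"


def validate_plan(vnet_space: str, subnets: Dict[str, str], p2s_pool: str) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    vnet = ipaddress.ip_network(vnet_space)   # strict by default: rejects 10.0.0.1/16
    pool = ipaddress.ip_network(p2s_pool)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    # Every subnet must be carved out of the VNet address space.
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            findings.append(f"{name} {net} is outside the VNet space {vnet}")

    # Subnets inside one VNet may not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # The VPN gateway only deploys into a subnet literally named GatewaySubnet.
    gw = nets.get("GatewaySubnet")
    if gw is None:
        findings.append("no subnet named GatewaySubnet; the VPN gateway requires that exact name")
    elif gw.prefixlen > 27:
        findings.append(f"GatewaySubnet {gw} is smaller than the recommended /27")

    # Client addresses are routed into the VNet, so the pool must be distinct from it.
    if pool.overlaps(vnet):
        findings.append(f"P2S client pool {pool} overlaps the VNet {vnet}")
    return findings


def smallest_vnet_space(subnets: Dict[str, str]) -> str:
    """Smallest single CIDR block that contains every subnet, as a fix suggestion."""
    nets = [ipaddress.ip_network(cidr) for cidr in subnets.values()]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()   # widen by one bit until everything fits
    return str(block)


if __name__ == "__main__":
    for space in (VNET_SPACE, "10.0.0.0/20"):
        problems = validate_plan(space, SUBNETS, P2S_POOL)
        print(f"{space}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
    print("smallest space holding all subnets:", smallest_vnet_space(SUBNETS))
```

Run it with a deliberately small space such as 10.0.0.0/20 and it reports GatewaySubnet and DMZ as outside the space and names 10.0.0.0/16 as the smallest block that would hold them.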
Step 4: Configure Network Security Groups
Network Security Groups (NSGs) act as virtual firewalls, controlling inbound and outbound traffic to resources in your virtual network.
Create the Main NSG:
- Navigate to Network Security Groups and click Add.
- Configure with:
- Name: Spacely-Engineering-NSG
- Resource Group: Spacely-Engineering-Network
- Location: East US 2
- After creation, configure the following inbound security rules:
| Priority | Name | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|---|
| 100 | Allow-VPN-Clients | Any | Any | 172.16.0.0/24 | VirtualNetwork | Allow |
| 110 | Allow-Internal-Communication | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
| 120 | Allow-Azure-LoadBalancer | Any | Any | AzureLoadBalancer | Any | Allow |
| 4096 | Deny-All-Inbound | Any | Any | Any | Any | Deny |
Rules are evaluated from the lowest priority number upward and the first match wins. Custom rules must use priorities 100 through 4096; Azure rejects anything higher, and its own default inbound rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) already sit behind yours. The explicit deny at 4096 therefore adds no new behaviour, but it documents the intent. Note that this set allows every port between hosts inside the network; once the Swarm and service ports are settled, narrow the Allow rules to those ports.
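To see how Azure applies this table, the following Python model (an added example, not code from the original article) replays the evaluation order offline: custom rules sorted by priority, Azure's default rules behind them, first match wins, and a pre-flight check that rejects priorities outside 100 to 4096. The service-tag expansion is a simplification and an assumption of this example: VirtualNetwork is taken as the VNet space plus the point-to-site pool, AzureLoadBalancer as Azure's documented probe address 168.63.129.16, and Internet as everything else. The deny rule is placed at 4096; feeding the check a copy at 65000 shows why that value cannot be used for a custom rule.

```python
"""Replay Azure NSG inbound evaluation for the Spacely rule set.

Added example, not code from the original article. Azure evaluates NSG rules
from the lowest priority number upward and stops at the first match; custom
rules must use priorities 100-4096; Azure's own default rules (65000, 65001,
65500) are always present behind them. Service-tag expansion is simplified
for this toy (an assumption): VirtualNetwork = VNet space plus the P2S pool,
AzureLoadBalancer = 168.63.129.16, Internet = everything else.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

VNET = ipaddress.ip_network("10.0.0.0/16")           # smallest space holding the Step 3 subnets
P2S_POOL = ipaddress.ip_network("172.16.0.0/24")     # point-to-site client pool
AZURE_LB = ipaddress.ip_network("168.63.129.16/32")  # Azure's health-probe source address


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    port: str         # "Any", "22" or "8000-8100"
    protocol: str     # "Any", "TCP" or "UDP"
    source: str       # CIDR or service tag
    destination: str  # CIDR or service tag
    action: str       # "Allow" or "Deny"


# The article's custom rules, with the explicit deny at 4096 (the highest custom priority).
CUSTOM_RULES = [
    Rule(100, "Allow-VPN-Clients", "Any", "Any", "172.16.0.0/24", "VirtualNetwork", "Allow"),
    Rule(110, "Allow-Internal-Communication", "Any", "Any", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(120, "Allow-Azure-LoadBalancer", "Any", "Any", "AzureLoadBalancer", "Any", "Allow"),
    Rule(4096, "Deny-All-Inbound", "Any", "Any", "Any", "Any", "Deny"),
]
# Azure's built-in inbound rules; they cannot be removed and sit behind every custom rule.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Any", "Any", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Any", "Any", "AzureLoadBalancer", "Any", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "Any", "Any", "Any", "Deny"),
]


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against a CIDR or one of the simplified service tags."""
    ip = ipaddress.ip_address(addr)
    in_vnet = ip in VNET or ip in P2S_POOL
    if spec == "Any":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB
    if spec == "Internet":
        return not in_vnet
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def check_priorities(rules: List[Rule]) -> List[str]:
    """Findings for priorities Azure would reject: outside 100-4096 or duplicated."""
    findings, seen = [], set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            findings.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            findings.append(f"{r.name}: duplicate priority {r.priority}")
        seen.add(r.priority)
    return findings


def evaluate(rules: List[Rule], src: str, dst: str, port: int, proto: str = "TCP") -> Rule:
    """Return the first matching rule, custom and default rules ordered by priority."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.protocol in ("Any", proto) and _port_matches(r.port, port)
                and _addr_matches(r.source, src) and _addr_matches(r.destination, dst)):
            return r
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    print("priority problems:", check_priorities(CUSTOM_RULES) or "none")
    print("65000 as a custom priority:", check_priorities(
        [Rule(65000, "Deny-All-Inbound", "Any", "Any", "Any", "Any", "Deny")]))
    for src, dst, port in [("172.16.0.5", "10.0.0.4", 22),        # VPN client -> manager SSH
                           ("168.63.129.16", "10.0.0.4", 10080),  # LB probe -> GitLab
                           ("203.0.113.9", "10.0.250.10", 80),    # Internet -> GitLab LB frontend
                           ("10.0.1.4", "10.0.0.4", 2377)]:       # worker -> manager Swarm port
        r = evaluate(CUSTOM_RULES, src, dst, port)
        print(f"{src} -> {dst}:{port}  {r.action} by {r.name} ({r.priority})")
```

The four sample flows in the main block show the practical effect of the table: VPN clients and the load balancer's probe get in, anything from outside the network is denied before it reaches Azure's defaults, and traffic between the two private subnets is allowed on every port, which is the rule worth tightening later.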
VPN Gateway Configuration
The VPN gateway enables secure connection to your private network from external locations.
Step 1: Create Public IP Address
- Navigate to Public IP addresses and click Add.
- Configure with:
- Name: Spacely-Engineering-VPN-Public-IP
- SKU: Basic (this is what the 2017 original used; newer gateway deployments require a Standard SKU public IP and Basic public IPs are scheduled for retirement, so select Standard if the portal offers it)
- Assignment: Dynamic (Standard SKU public IPs are always Static)
- Resource Group: Spacely-Engineering-VPN
Step 2: Create the VPN Gateway
- Navigate to Virtual Network Gateways and click Add.
- Configure the gateway:
- Name: Spacely-Engineering-Private-Gateway
- Gateway Type: VPN
- VPN Type: Route-based
- SKU: VpnGw1
- Virtual Network: Spacely-Engineering-Virtual-Network
- Public IP Address: Spacely-Engineering-VPN-Public-IP
- Resource Group: Spacely-Engineering-VPN
- Click Create (this can take 30-45 minutes to provision).
Step 3: Configure Point-to-Site Connection
After the gateway is created, configure point-to-site connectivity:
- Open your VPN gateway and navigate to Point-to-site configuration.
- Configure the following:
- Address Pool: 172.16.0.0/24 (for VPN clients)
- Tunnel Type: SSTP & IKEv2
- Authentication Type: Azure certificate
- Generate and configure certificates for authentication (refer to Azure documentation for detailed certificate steps). Only the root certificate's public data (Base64-encoded DER) is uploaded to Azure; the root private key signs every client certificate and therefore grants network access to whoever holds it, so keep it offline. Revoke a lost client certificate by adding its thumbprint to the gateway's revocation list rather than rotating the root.
- Download the VPN client configuration package for distribution to users.
Virtual Machine Configuration
Now let’s create the virtual machines that will host our CI/CD services.
Creating Docker Swarm Manager VMs
For each Docker Swarm manager (create 3: Swarm's Raft consensus needs a majority of managers, so three tolerate the loss of one):
- Navigate to Virtual Machines and click Add.
- Configure the basic settings:
- Name: Spacely-Engineering-VM-00X (where X is 1, 2, or 3)
- VM Disk Type: SSD
- Username: spacely-eng-admin
- Authentication: SSH public key (leave password authentication disabled; the VMs have no public IP and are reached only over the VPN)
- Resource Group: Spacely-Engineering-VM
- Select VM size:
- Size: Standard DS2 v2 (2 vCPUs, 7 GB RAM)
- Configure settings:
- Storage: Use managed disks
- Virtual Network: Spacely-Engineering-Virtual-Network
- Subnet: Private-Network-1
- Public IP: None
- Network Security Group: Spacely-Engineering-NSG
- Enable boot diagnostics for troubleshooting.
- Review and create the VM.
Creating Docker Swarm Worker VMs
For the Docker Swarm workers (create 2 for build capacity):
- Follow the same process as managers with these differences:
- Name: Spacely-Engineering-VM-00X (where X is 4 or 5)
- Size: Standard DS3 v2 (4 vCPUs, 14 GB RAM) — workers need more resources for builds
- Subnet: Private-Network-2 for VM-005 (VM-004 inherits the manager settings above and stays in Private-Network-1; both subnets are covered by the same NSG, so the split organises addresses rather than enforcing a boundary)
Load Balancer Configuration
We’ll create internal load balancers for our services to ensure high availability.
GitLab Load Balancer
- Navigate to Load Balancers and click Add.
- Configure:
- Name: Spacely-Engineering-GitLab-LB
- Type: Internal
- SKU: Standard
- Virtual Network: Spacely-Engineering-Virtual-Network
- Subnet: DMZ
- IP Address Assignment: Static (10.0.250.10)
- Resource Group: Spacely-Engineering-Load-Balancers
- Configure backend pool:
- Add all three Docker Swarm manager VMs
- Configure health probe:
- Protocol: HTTP
- Port: 10080
- Path: /
- Configure load balancing rule:
- Frontend Port: 80
- Backend Port: 10080
- Protocol: TCP
Repeat this process for:
- Jenkins Load Balancer: IP 10.0.250.11, ports 80→18080
- Docker Registry Load Balancer: IP 10.0.250.12, ports 443→5000
Two probe caveats. Azure HTTP probes treat only an HTTP 200 as healthy: GitLab answers / with a redirect to its sign-in page and Jenkins answers 403 to anonymous requests once security is enabled, so probe a path that returns 200 (GitLab's /-/health, Jenkins' /login) or switch to a TCP probe. The registry rule is plain TCP passthrough, so the registry container itself must terminate TLS on 5000; an HTTP probe against a TLS port fails, so use a TCP probe there.
VM Initial Configuration
Once your VMs are running, perform initial configuration on each. The VMs have no public IP, and placing them in the backend pool of a Standard SKU internal load balancer removes Azure's default outbound access, so give the Private-Network subnets an egress path first (an Azure NAT gateway is the simplest); without it the package updates and the Docker download below cannot reach the internet.
```bash
# Connect to the VM over the VPN; X is the host part of the VM's private IP
ssh spacely-eng-admin@10.0.0.X

# Update system packages
sudo apt-get update && sudo apt-get upgrade -y

# Install Docker with the official convenience script (saved to disk first so it can be read before it runs)
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

# Add user to docker group. Membership is equivalent to root on the host, so limit it to the admin account
sudo usermod -aG docker spacely-eng-admin

# Install Docker Compose (1.29.2 is the last v1 release; Compose v2 ships as the docker-compose-plugin package)
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

# Configure Docker daemon for production: overlay2 storage and bounded json-file logs
sudo tee /etc/docker/daemon.json >/dev/null <<'EOF'
{
  "storage-driver": "overlay2",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}
EOF

# Restart Docker to apply the daemon settings
sudo systemctl restart docker
```
Next Steps
With the Azure infrastructure and networking foundation in place, we’re ready to move on to configuring the core services that will power our CI/CD pipeline.
Continue to Part 3: Docker Swarm and Core Services Configuration, where we’ll set up Docker Swarm, configure GitLab, and establish our private Docker Registry.
This is Part 2 of a 4-part series on setting up a private CI/CD solution in Azure.
