@mshardey
Last active September 26, 2024 17:46
Secure Nextcloud Deployment on Azure Cloud: A Step-by-Step Guide. Learn how to deploy Nextcloud securely on Azure, leveraging Azure's built-in security features and best practices.

Overview

In this guided project, you will deploy a secure Nextcloud instance on Azure Cloud, leveraging Azure's fundamental architecture and topology. You will learn how to:

  1. Create a resource group
  2. Set up a virtual network (VNet) and subnet
  3. Protect the subnet with a network security group (NSG)
  4. Deploy Bastion for secure Virtual Machine (VM) connections
  5. Create an Ubuntu Server virtual machine (VM)
  6. Install Nextcloud via SSH using Bastion
  7. Publish an IP address
  8. Create a DNS label

Prerequisites

  • Azure subscription (sign up for a free trial at https://azure.com/free)
  • Basic understanding of networking concepts (IP addresses, virtual networks, subnets)

Step 1: Create a Resource Group

  1. Log in to Azure Portal.
  2. Click "Create a resource" under "Azure services."
  3. Search for "Resource group" and click "Create."
  4. Name your resource group (e.g., RG-USE-Nextcloud).
  5. Choose the East US region.
  6. Click "Review + create" and then "Create."

[Image: Creating an Azure Resource Group]

Step 2: Create a Virtual Network and Subnet

  1. Go to your resource group (RG-USE-Nextcloud).
  2. Click "Create" and search for "Virtual Network."
  3. Click "Create" and name your virtual network (e.g., VNET-USE-Nextcloud).
  4. Choose the East US region.
  5. Click "IP Addresses" at the top bar or click "Next" -> "Next" to get to the "IP Addresses" section.
  6. Leave the default address space (10.0.0.0/16).
  7. Edit the default subnet:
    • Change the name from "default" to "SNET-USE-Nextcloud."
    • Keep the address range (10.0.0.0/24).
    • Click "Save."
  8. Click "Review + create" and then "Create."

[Image: Configuring Virtual Network and Subnet]

Step 3: Protect the Subnet with a Network Security Group

  1. Go to your resource group (RG-USE-Nextcloud).
  2. Click "Create" and search for "Network security group."
  3. Click "Create" and name your Network Security Group (e.g., NSG-USE-Nextcloud).
  4. Click "Review + create," then "Create."
  5. Associate the NSG with your subnet:
    • Go back to the resource group and click on your virtual network (VNET-USE-Nextcloud).
    • From the left pane, expand "Settings" and click "Subnets."
    • Click on the subnet name (SNET-USE-Nextcloud).
    • Scroll down to "Security" and select the Network security group (NSG-USE-Nextcloud).
    • Click "Save."

Note: To view your virtual network architecture, open the virtual network, expand "Monitoring" and click "Diagram" from the left pane.

[Image: Associating NSG with Subnet]

Step 4: Deploy Bastion

  1. Go to the resource group (RG-USE-Nextcloud).
  2. Click on the virtual network (VNET-USE-Nextcloud), expand "Settings" and click "Subnets."
  3. Click the "Subnet" button and select "Azure Bastion" as the subnet purpose.
  4. Accept the name "AzureBastionSubnet," which is filled in automatically (Bastion requires exactly this subnet name).
  5. Click "Add."
  6. Create the Bastion resource:
    • Go back to the resource group.
    • Click "Create" and search for "Bastion."
    • Click "Create" and name your Bastion (e.g., BASTION-USE-Nextcloud).
    • Associate Bastion with your virtual network.
    • Rename the "Public IP address name" to "BASTIONIP-USE-Nextcloud."
    • Click "Review + create," then "Create."

Note: After checking your architecture, you will see that the Azure Bastion subnet has been added to your virtual network.

[Image: Bastion Host Deployment Configuration]

[Image: Creating and Configuring Bastion Subnet]

Step 5: Create an Ubuntu Server Virtual Machine

  1. Go to your resource group (RG-USE-Nextcloud).
  2. Click "Create" and search for "Ubuntu Server 20.04 LTS."
  3. Click "Create" and name your VM (e.g., VM-USE-Nextcloud).
  4. Choose a basic size (Standard_B1s).
  5. Select "SSH public key" for authentication and enter a username.
  6. Rename the "Key pair name" to "VM-USE-Nextcloud_SSHkey."
  7. Select "None" for public inbound ports.
  8. Click "Networking" and select "None" for the public IP option.
  9. Click "Review + create" and then "Create."

Important Note: When you click "Create," Azure will prompt you to generate a new key pair. Download it for later use.

[Image: Ubuntu Server VM Deployment Configuration]

Step 6: Install Nextcloud via SSH using Bastion

  1. Go to your resource group (RG-USE-Nextcloud).
  2. Click the virtual machine (VM-USE-Nextcloud).
  3. From the top menu, click "Connect," then choose "Connect via Bastion."
  4. For the "Authentication Type," choose "SSH Private Key from Local File."
  5. Enter the "Username" created earlier, then browse to select the SSH key downloaded previously.
  6. Click "Connect."
  7. Install Nextcloud with sudo snap install nextcloud.
  8. Create an admin account with sudo nextcloud.manual-install admin '1P@ss$0k' (keep the single quotes: unquoted, the shell expands the "$0" inside the password before the command sees it, so the account would be created with a different password than the one you typed).
  9. Enable HTTPS with sudo nextcloud.enable-https self-signed.

Note: For enabling HTTPS, we used a self-signed certificate for simplicity. Type exit and press Enter to disconnect from the virtual machine.

[Image: Connecting to VM via Bastion Host]

[Image: Installing and Configuring Nextcloud on VM]

Step 7: Publish an IP Address

Associate a Public IP Address

  1. Go to your resource group (RG-USE-Nextcloud).
  2. Click the virtual machine (VM-USE-Nextcloud).
  3. Expand "Networking" and click "Network settings."
  4. Click the "Network interface / IP configuration" (e.g., vm-use-nextcloud202_z1 / ipconfig1).
  5. Ensure "IP configurations" is selected; then click "ipconfig1."
  6. Under "Public IP address settings," select "Associate public IP address" and click "Create a public IP address."
  7. Name the public IP address "VMIP-USE-Nextcloud" and click "OK."
  8. Click "Save."

Verify Public IP Address

  1. Go back to the virtual machine (VM-USE-Nextcloud) and click "Overview."
  2. Verify your assigned public IP address.

Configure Inbound Rule for HTTPS

  1. Open your virtual machine (VM-USE-Nextcloud), then click "Networking" and "Network settings."
  2. Scroll up to the "Network security group" section and click "Create port rule" then "Inbound port rule."
  3. Select "IP addresses" as the "Source."
  4. For "Source IP addresses/CIDR ranges," paste your laptop/desktop's public IP address (obtained from https://whatsmyip.com).
  5. Select "IP addresses" for "Destination" and enter your virtual machine's private IP address (e.g., 10.0.0.4).
  6. Select "HTTPS" as the "Service."
  7. Leave "Action" as "Allow" and name the rule "AllowNextcloudHTTPSInbound."
  8. Click "Add."

Tips and Variations:

  • Ensure your laptop/desktop's public IP address is static or update the rule accordingly.
  • Consider restricting access to specific IP addresses or CIDR ranges.
  • Review Azure's security best practices for network security groups.
  • Important: Prior to this step, accessing the public IP address in a browser would not work due to the lack of an inbound HTTPS rule in the network security group.
  • After adding the rule, accessing the public IP address (e.g., https://52.168.107.188) will display a "Your connection is not secure" warning due to the self-signed certificate. Clicking "Advanced" and "Proceed" may still result in Nextcloud blocking access ("Access through untrusted domain").
  • To resolve this, create a DNS entry for your public IP address and configure Nextcloud accordingly (covered in the next step).

[Image: Assigning Public IP Address]

[Image: Configuring Inbound Security Rule]

Step 8: Create a DNS Label

  1. Go to your resource group (RG-USE-Nextcloud).
  2. Click on the public IP address resource created in Step 7 (VMIP-USE-Nextcloud).
  3. From the left pane, expand "Settings" and click "Configuration."
  4. Set a DNS name label (e.g., tetteisnextcloud) in the "DNS name label (optional)" box.
  5. Click "Save."
  6. Go back to the resource group and click on the virtual machine.
  7. From the left pane with "Overview" selected, view both the public IP and DNS name.
  8. Connect to the virtual machine following Step 6.
  9. Update Nextcloud's trusted domains with sudo nextcloud.occ config:system:set trusted_domains 1 --value=tetteisnextcloud.eastus.cloudapp.azure.com.
  10. Exit the SSH connection by typing "exit."
  11. Enter your DNS name in the browser (e.g., https://tetteisnextcloud.eastus.cloudapp.azure.com).

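The same topology as the portal click-through in Steps 1-5, 7 and 8, written as an Azure CLI script. This is an added example and is not part of the gist. It assumes the `az` CLI is installed and logged in (`az login`) with the bastion extension available; the Bastion subnet prefix (10.0.1.0/26), the Ubuntu 20.04 image URN, and `--generate-ssh-keys` standing in for the key pair the portal downloads in Step 5 are my assumptions, and `to_host_cidr` and `nextcloud_fqdn` are helper names I made up. The operator's public IPv4 address is passed as the first argument and is validated before it lands in the HTTPS rule, so the rule can only ever admit a single /32.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: the guide's topology built with the Azure CLI.
# Assumptions: `az` installed and logged in; bastion extension available; Bastion subnet
# prefix 10.0.1.0/26; Ubuntu 20.04 image URN; ~/.ssh key generated by --generate-ssh-keys.
set -euf

RG="RG-USE-Nextcloud";       LOC="eastus"
VNET="VNET-USE-Nextcloud";   SNET="SNET-USE-Nextcloud"
NSG="NSG-USE-Nextcloud";     BASTION="BASTION-USE-Nextcloud"
BASTION_IP="BASTIONIP-USE-Nextcloud"
VM="VM-USE-Nextcloud";       VM_IP="VMIP-USE-Nextcloud"
DNS_LABEL="${DNS_LABEL:-tetteisnextcloud}"   # must be unique within the region
ADMIN_USER="${ADMIN_USER:-azureuser}"
IMAGE="Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest"

# Validate a dotted-quad IPv4 address and print it as a /32 so the HTTPS rule admits
# exactly one address (the operator's). Prints nothing and returns 1 on malformed input.
to_host_cidr() {
  ip=$1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs      # set -f above keeps globbing off
  [ $# -eq 4 ] && [ "$1.$2.$3.$4" = "$ip" ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# Public DNS name Azure derives from the label (Step 8).
nextcloud_fqdn() { printf '%s.%s.cloudapp.azure.com\n' "$DNS_LABEL" "$LOC"; }

# Steps 1-3: resource group, VNet/subnet, and an NSG attached to the subnet.
create_network() {
  az group create --name "$RG" --location "$LOC" --output none
  az network vnet create --resource-group "$RG" --name "$VNET" --location "$LOC" \
    --address-prefixes 10.0.0.0/16 --subnet-name "$SNET" --subnet-prefixes 10.0.0.0/24 --output none
  az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOC" --output none
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SNET" \
    --network-security-group "$NSG" --output none
}

# Step 4: Bastion needs a subnet named AzureBastionSubnet (at least /26) and a Standard public IP.
create_bastion() {
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --address-prefixes 10.0.1.0/26 --output none
  az network public-ip create --resource-group "$RG" --name "$BASTION_IP" --location "$LOC" \
    --sku Standard --allocation-method Static --output none
  az network bastion create --resource-group "$RG" --name "$BASTION" --location "$LOC" \
    --vnet-name "$VNET" --public-ip-address "$BASTION_IP" --output none
}

# Step 5: Ubuntu VM with SSH-key auth, no public IP and no NIC-level NSG (the subnet NSG applies).
create_vm() {
  az vm create --resource-group "$RG" --name "$VM" --location "$LOC" \
    --image "$IMAGE" --size Standard_B1s --admin-username "$ADMIN_USER" --generate-ssh-keys \
    --vnet-name "$VNET" --subnet "$SNET" --public-ip-address "" --nsg "" --output none
}

# Steps 7 and 8: attach a public IP that carries the DNS label, then allow HTTPS only from
# the operator's own /32 to the VM's private address.
publish_https() {
  my_cidr=$(to_host_cidr "$1")                        # set -e aborts on a malformed address
  az network public-ip create --resource-group "$RG" --name "$VM_IP" --location "$LOC" \
    --sku Standard --allocation-method Static --dns-name "$DNS_LABEL" --output none
  nic_id=$(az vm show --resource-group "$RG" --name "$VM" \
    --query 'networkProfile.networkInterfaces[0].id' --output tsv)
  nic_name=${nic_id##*/}
  ipconfig=$(az network nic ip-config list --resource-group "$RG" --nic-name "$nic_name" \
    --query '[0].name' --output tsv)
  az network nic ip-config update --resource-group "$RG" --nic-name "$nic_name" \
    --name "$ipconfig" --public-ip-address "$VM_IP" --output none
  vm_private_ip=$(az vm list-ip-addresses --resource-group "$RG" --name "$VM" \
    --query '[0].virtualMachine.network.privateIpAddresses[0]' --output tsv)
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowNextcloudHTTPSInbound --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$my_cidr" --source-port-ranges '*' \
    --destination-address-prefixes "$vm_private_ip" --destination-port-ranges 443 --output none
  echo "After Step 6 and the trusted_domains update, browse to https://$(nextcloud_fqdn)"
}

# Usage: ./deploy.sh <your-public-ipv4>   (Step 6, the Nextcloud install, is still done over Bastion)
if [ "${1:-}" != "" ]; then
  create_network; create_bastion; create_vm; publish_https "$1"
fi
```

Re-running `publish_https` with a new address is how you keep the rule in step with a changing home IP (the first tip under Step 7): `az network nsg rule create` on an existing rule name fails, so swap it for `az network nsg rule update --source-address-prefixes "$(to_host_cidr NEW_IP)"` in that case. The VM's NIC gets no NSG of its own on purpose; the subnet NSG from Step 3 is the single place where inbound policy lives, which keeps the rule set easy to audit.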
[Image: Verifying IP and DNS Configuration]

[Image: Accessing Nextcloud Login Page]

Conclusion

Congratulations! You've successfully deployed a secure Nextcloud instance on Azure Cloud. Remember to stop and delete your resources when not in use to avoid incurring costs.

Additional Tips

  • Use Azure's built-in security features to protect your resources.
  • Regularly update and patch your Nextcloud installation.
  • Monitor your resources' performance and adjust as needed.

[Image: Empty Resource Group (Pre-Deployment)]

[Image: Resource Group with Deployed Resources]

[Image: Final Virtual Network Architecture]

[Image: Successful Nextcloud Login]
