Custom Windows Server Image On Azure

This document provides a step-by-step guide for building a custom Windows Server image with IIS and Chrome on Azure. It covers creating a resource group, virtual network, network security groups, deploying Azure Bastion, creating a builder VM, configuring it, capturing the VM as a managed image, and creating a shared image gallery. The guide also includes validation steps and best practices for security.

Uploaded by jaya krishna

Azure Portal guide to build a custom Windows Server image (IIS + Chrome)

1) Create the Resource Group

1. Portal → Resource groups → + Create.
2. Subscription → Name: Viceroy-RG → Region (pick the same region for the VNet and the VMs) → Create.

2) Create Virtual Network + Subnets

1. Portal → Virtual networks → + Create.
2. Basics: Subscription, Resource group viceroy-RG.
3. Address space: 10.101.0.0/16.
4. Subnets: add three subnets:
   ○ AzureBastionSubnet: /26 (required for Bastion).
   ○ ViceroyVNet: 10.10.1.0/24 (builder VM here).
   ○ Vicesubnet: 10.10.2.0/24 (test/production VMs).
5. Review + Create.
3) Create Network Security Groups (NSGs) and associate them

Create separate NSGs for the management and app subnets to control traffic.

NSG: nsg-management

● Portal → Network security groups → + Create → Name nsg-management.
● Inbound rules (examples):
   ○ Azure Bastion: no extra inbound rule is needed if you connect through Bastion and no NSG is blocking its outbound traffic. If you place an NSG on AzureBastionSubnet, be cautious; it is best to leave AzureBastionSubnet without an NSG or to follow the Microsoft docs for the rules Bastion requires.
   ○ Allow RDP only from management IP ranges (if you temporarily need remote RDP); the recommendation is to never open 3389 to the Internet.
● Associate nsg-management with snet-management.

NSG: nsg-app

● Create nsg-app.
● Inbound rule: Allow HTTP (TCP 80) from Internet (or better: from the Load Balancer only). Priority e.g. 100, allow TCP 80.
● Deny all other inbound by default.
● Associate nsg-app with snet-app.

NOTE: If using Bastion, your VMs do not require a public IP. Keep them private.
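
As an added example (not part of this guide), here is the network from sections 1 to 3 built with the Az PowerShell module instead of the portal. It assumes Az.Resources and Az.Network are installed and Connect-AzAccount has been run; the region, the management source range 203.0.113.0/24 and the VNet name vnet-imgbuild-001 (the name section 6 uses) are assumptions, and the subnet names follow section 3 (snet-management, snet-app). Note that the subnet prefixes listed in section 2 (10.10.1.0/24 and 10.10.2.0/24) do not fall inside the 10.101.0.0/16 address space, so the script uses 10.101.1.0/24 and 10.101.2.0/24 as placeholder prefixes that do; adjust them to your real plan.

```powershell
# Added example, not from the guide: sections 1-3 (resource group, VNet, subnets, NSGs) via Az PowerShell.
# Assumes Az.Resources / Az.Network are installed and Connect-AzAccount has already been run.
$ErrorActionPreference = 'Stop'

$rg          = 'Viceroy-RG'
$location    = 'uksouth'             # assumption: region inferred from the guide's "Vnet-UKsouth"
$vnetName    = 'vnet-imgbuild-001'   # name used in section 6 of the guide
$vnetCidr    = '10.101.0.0/16'
$bastionCidr = '10.101.0.0/26'       # AzureBastionSubnet must be /26 or larger; placeholder prefix
$mgmtCidr    = '10.101.1.0/24'       # placeholder: the guide's 10.10.1.0/24 lies outside 10.101.0.0/16
$appCidr     = '10.101.2.0/24'       # placeholder, see above
$mgmtSource  = '203.0.113.0/24'      # assumption: your management IP range (TEST-NET-3 placeholder)

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# nsg-management: Bastion reaches the VM over the VNet, so nothing is opened from the Internet.
# The only explicit inbound allow is RDP from the management range; Azure's default
# DenyAllInBound rule (priority 65500) drops everything else.
$rdpFromMgmt = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Mgmt' `
    -Description 'RDP only from the management range, never from Internet' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $mgmtSource -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$nsgMgmt = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-management' -SecurityRules $rdpFromMgmt

# nsg-app: HTTP only. Source 'Internet' matches the guide's first option; tighten it to the
# load balancer front end once the LB exists.
$httpIn = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP' `
    -Description 'HTTP to the IIS test page' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80
$nsgApp = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-app' -SecurityRules $httpIn

# Subnets. AzureBastionSubnet keeps that exact name and gets no NSG here (section 3 of the guide);
# the other two are associated with their NSGs at subnet level, so the VM NICs need none.
$subnets = @(
    (New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionCidr),
    (New-AzVirtualNetworkSubnetConfig -Name 'snet-management' -AddressPrefix $mgmtCidr -NetworkSecurityGroup $nsgMgmt),
    (New-AzVirtualNetworkSubnetConfig -Name 'snet-app' -AddressPrefix $appCidr -NetworkSecurityGroup $nsgApp)
)
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name $vnetName `
    -AddressPrefix $vnetCidr -Subnet $subnets

# Quick review: list each subnet with its attached NSG so a missing association is obvious
$vnet.Subnets | ForEach-Object {
    $nsgLabel = if ($_.NetworkSecurityGroup) { ($_.NetworkSecurityGroup.Id -split '/')[-1] } else { '(none)' }
    '{0,-20} {1,-16} NSG: {2}' -f $_.Name, ($_.AddressPrefix -join ','), $nsgLabel
}
```

The review loop at the end is the check worth keeping: the guide associates NSGs at subnet level and sets the NIC NSG to "none" in section 6, so a subnet that prints "(none)" here (other than AzureBastionSubnet) is a VM with no filtering at all.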
4) Deploy Azure Bastion (recommended)

1. Portal → search Bastion → + Create.
2. Select Subscription / Resource group viceroy-RG... / Name viceroybastion01.
3. Virtual network → Vnet-UKsouth → Subnet: it requires AzureBastionSubnet.
4. Public IP: Create new (a public IP is needed for Bastion itself). Size and SKU: default.
5. Create.

Use Bastion to RDP into the builder/test VMs securely (no public IP on the VMs).
5) Create Storage Account for diagnostics & optional image storage

1. Portal → Storage accounts → + Create.
2. Name viceroystor, Replication: Standard LRS (ok for diagnostics), Performance: Standard.
3. Networking: allowing public access initially is the simplest for testing, but best practice is to disable public access and use a Private Endpoint if needed.
4. Create.

(You will use managed images / Shared Image Gallery; the storage account is useful for boot diagnostics and backups.)

6) Create the Builder VM (configure for image creation)

1. Portal → Virtual machines → + Create → Azure virtual machine.
2. Basics:
   ○ Resource group: Viceroy-RG...
   ○ Name: viceroyVM
   ○ Region: same as RG/VNet
   ○ Image: Windows Server 2022 Datacenter (or 2019)
   ○ Size: Standard_D2s_v3 or similar (2 vCPU, 8 GB). Adjust as needed.
   ○ Authentication: username/password.
   ○ Public inbound ports: None (recommended).
3. Disks: OS disk type: Premium SSD (P10) recommended.
4. Networking:
   ○ Virtual network: vnet-imgbuild-001
   ○ Subnet: snet-management
   ○ Public IP: None (use Bastion).
   ○ NIC network security group: None (we already associated the NSG at subnet level).
5. Management: enable Boot diagnostics and choose the stimgxxx storage account.
6. Advanced / Extensions: none needed now.
7. Review + Create.
7) Connect to the Builder VM and configure (IIS + Chrome + test page)

1. Portal → Virtual Machines → viceroyVM → Connect → Bastion → Connect.
2. Inside Windows, from an elevated PowerShell (Run as Administrator):

   # Install IIS together with the management tools
   Install-WindowsFeature -Name Web-Server -IncludeManagementTools

   # Create the test page
   Set-Content -Path "C:\inetpub\wwwroot\index.html" -Value "<html><body><h1>Custom Image Test - IIS OK</h1></body></html>"

   # Install Chrome (machine-level installer): download to C:\Temp and run it silently
   New-Item -Path C:\Temp -ItemType Directory -Force
   $tmp = "C:\Temp\chrome_installer.exe"
   Invoke-WebRequest -Uri "https://dl.google.com/chrome/install/latest/chrome_installer.exe" -OutFile $tmp
   Start-Process -FilePath $tmp -ArgumentList "/silent /install" -Wait

   ○ (If the direct download is blocked, upload the installer via RDP file transfer, or place it in the storage account and download it from there.)
   ○ Validate that http://localhost shows the page and that Chrome opens.
8) Prepare the VM for capture (sysprep & cleanup)

Before Sysprep

● Remove any sensitive/local user data.
● Ensure Windows Update is in a good state (optional).
● Ensure the VM is NOT domain joined.
● Make sure the installed apps are suitable for sysprep (some third-party apps can break sysprep).

Run Sysprep

1. On the VM: open C:\Windows\System32\Sysprep\sysprep.exe.
2. Options:
   ○ System Cleanup Action: Enter System Out-of-Box Experience (OOBE)
   ○ Check Generalize
   ○ Shutdown Options: Shutdown
3. Click OK. Wait until the VM shuts down and is deallocated.

Important: Sysprep generalizes the machine; you typically run it only once per image.
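
As an added example (not part of this guide), the "Before Sysprep" checks, the cleanup and the sysprep run itself as one script for an elevated PowerShell session on the builder VM. The three sysprep switches are the same choices the guide makes in the dialog: /oobe is "Enter System Out-of-Box Experience", /generalize is the Generalize checkbox and /shutdown is the shutdown option. The installer path C:\Temp\chrome_installer.exe comes from section 7; the IIS log path and the Chrome install locations are assumptions about a default install.

```powershell
# Added example, not from the guide: pre-capture checks, cleanup and sysprep on the builder VM.
# Run from an elevated PowerShell session; the VM powers off when generalization completes.
$ErrorActionPreference = 'Stop'

# Guard 1: sysprep must not run on a domain-joined machine (guide, "Before Sysprep")
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'Builder VM is domain joined; remove it from the domain before running sysprep.'
}

# Guard 2: what the image is supposed to carry must actually be there before we generalize
if (-not (Get-WindowsFeature -Name Web-Server).Installed) { throw 'IIS (Web-Server) is not installed.' }
$chromeExe = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",         # assumed default paths
               "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe") | Where-Object { Test-Path $_ }
if (-not $chromeExe) { throw 'Chrome is not installed.' }

# Cleanup: the installer downloaded in section 7, scratch files, the IIS logs written while
# testing the page, and the shell history (it holds everything typed in this session), so that
# none of it ships inside the image.
Remove-Item -Path 'C:\Temp\chrome_installer.exe' -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path 'C:\inetpub\logs\LogFiles\*' -Recurse -Force -ErrorAction SilentlyContinue
Clear-History
if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
    Remove-Item -Path (Get-PSReadLineOption).HistorySavePath -Force -ErrorAction SilentlyContinue
}

# Generalize and shut down. Same options as the sysprep dialog in the guide; only run once per image.
Start-Process -FilePath "$env:WINDIR\System32\Sysprep\sysprep.exe" `
    -ArgumentList '/generalize', '/oobe', '/shutdown' -Wait
```

One caveat for step 3 of "Run Sysprep": a shutdown issued from inside the guest leaves the Azure VM in the Stopped state, which is still allocated and still billed. Click Stop on the VM in the portal (or run Stop-AzVM) so that it shows Stopped (deallocated) before you go to Capture in section 9.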

9) Capture the VM as a Managed Image

1. Portal → Virtual Machines → select viceroyVM (it must be Stopped (deallocated)).
2. At the top, click Capture.
3. Fill in:
   ○ Image name: img-win-iis-chrome-v1
   ○ Resource group for the image (same or new)
   ○ Check The virtual machine has been generalized (checkbox)
   ○ Optionally check Automatically delete this virtual machine after creating the image if you don't need the builder VM anymore.
4. Click Create. This creates an Azure Managed Image resource.
10) (Recommended) Create a Shared Image Gallery & publish a version

Shared Image Gallery gives versioning and regional replication.

1. Portal → Shared image gallery → + Create.
   ○ Name: viceroyLabImage.
   ○ Resource group: viceroy-RG
2. After create → open the gallery → + Add → Image definition:
   ○ Name: win-iis-chrome
   ○ OS type: Windows
   ○ SKU: v1
3. Under the image definition → + Create version → Source: select the Managed Image img-win-iis-chrome-v1.
   ○ Version: 1.0.0
   ○ Target regions: choose the current region (and others if you want replication)
   ○ Replicas: set the count
4. Create version. Wait for replication to finish.
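
As an added example (not part of this guide), sections 9 and 10 done with the Az PowerShell module: deallocate and mark the sysprepped builder VM as generalized, capture it to the managed image, then create the gallery, the image definition and version 1.0.0. It assumes Az.Compute is installed, Connect-AzAccount has been run and section 8 has completed on viceroyVM. The region is an assumption, and so are the Publisher and Offer values, which the cmdlet requires but the guide does not specify (it only gives the SKU v1).

```powershell
# Added example, not from the guide: sections 9 and 10 (managed image, gallery, definition, version)
# via Az PowerShell. Assumes Az.Compute is installed, Connect-AzAccount has been run, and the
# builder VM has already been sysprepped and shut down (section 8).
$ErrorActionPreference = 'Stop'

$rg        = 'Viceroy-RG'
$location  = 'uksouth'                 # assumption
$vmName    = 'viceroyVM'
$imageName = 'img-win-iis-chrome-v1'
$gallery   = 'viceroyLabImage'
$imageDef  = 'win-iis-chrome'
$version   = '1.0.0'

# Deallocate (sysprep's shutdown leaves the VM Stopped but still allocated) and mark it generalized,
# which is what the "The virtual machine has been generalized" checkbox does in the portal.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
Set-AzVM -ResourceGroupName $rg -Name $vmName -Generalized | Out-Null

# Capture to a managed image
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$imageConfig = New-AzImageConfig -Location $location -SourceVirtualMachineId $vm.Id
$image = New-AzImage -ResourceGroupName $rg -ImageName $imageName -Image $imageConfig

# Gallery + definition. OsState Generalized must match the sysprepped source; a specialized
# definition would refuse this image.
New-AzGallery -ResourceGroupName $rg -Name $gallery -Location $location | Out-Null
New-AzGalleryImageDefinition -ResourceGroupName $rg -GalleryName $gallery -Name $imageDef `
    -Location $location -OsType Windows -OsState Generalized `
    -Publisher 'Viceroy' -Offer 'WindowsServer-IIS-Chrome' -Sku 'v1' | Out-Null   # Publisher/Offer assumed

# Version 1.0.0 replicated to the current region only; add more hashtables to replicate elsewhere
$targets = @(@{ Name = $location; ReplicaCount = 1 })
New-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery `
    -GalleryImageDefinitionName $imageDef -Name $version -Location $location `
    -SourceImageId $image.Id -TargetRegion $targets | Out-Null

# "Wait for replication to finish": poll the per-region status before creating VMs from the version
do {
    Start-Sleep -Seconds 30
    $ver = Get-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery `
        -GalleryImageDefinitionName $imageDef -Name $version -ReplicationStatus
    $summary = $ver.ReplicationStatus.Summary | ForEach-Object { '{0}: {1}' -f $_.Region, $_.State }
    Write-Host ($summary -join '; ')
} while ($ver.ReplicationStatus.Summary.State -contains 'Replicating')
```

The generalized/specialized distinction is the thing to get right here: the image definition's OsState is fixed at creation, and every version published under it must have been prepared the same way, so a definition created as Generalized can only ever hold sysprepped images such as this one.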
11) Create Test VM from the Image (validate)

Option A: From Managed Image

1. Portal → Managed Images → select img-win-iis-chrome-v1 → Create VM.

Option B: From Shared Image Gallery

1. Portal → Shared Image Gallery → Image Definition → Image Version → Create VM.

When creating the test VM:

● Place it in snet-app.
● If you want to test via a public browser quickly, temporarily enable a Public IP on the test VM and allow inbound port 80 in the NSG (or instead add a temporary LB rule). For a secure workflow, avoid the public IP and test via Bastion by browsing http://localhost inside the VM.
● Create the VM.

Validation

● Connect via Bastion → open a browser to http://localhost and confirm the IIS test page.
● Check that Chrome is present and launches.

BOOM!!
13) Validation checklist

● Builder VM deployed in snet-management (no public IP), accessible via Bastion.
● IIS + Chrome installed and validated on the builder.
● Sysprep completed and VM stopped (deallocated).
● Managed Image created successfully.
● Shared Image Gallery version created (optional).
● Test VM created from the image; IIS page and Chrome present.
● (If required) Production VMs deployed from the image and behind a Load Balancer with the health probe green.
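
As an added example (not part of this guide), the in-guest checks from section 7, the Validation part of section 11 and the checklist above as one script to run through Bastion on the builder or on a test VM: it confirms IIS is serving the test page, that Chrome is present, and, via the Azure Instance Metadata Service, that the VM's NIC has no public IP. The marker text "IIS OK" is the guide's own index.html; the Chrome install paths are assumed defaults, and the IMDS endpoint and API version are the documented ones.

```powershell
# Added example, not from the guide: validate an image build from inside the VM (builder or test VM).
function Test-CustomImage {
    $results = [ordered]@{}

    # IIS: the World Wide Web Publishing Service must be running
    $w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $results['IIS service running'] = ($null -ne $w3svc -and $w3svc.Status -eq 'Running')

    # Test page: a local request must return 200 with the marker text from the guide's index.html
    try {
        $resp = Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing -TimeoutSec 10
        $results['IIS test page served'] = ($resp.StatusCode -eq 200 -and $resp.Content -match 'IIS OK')
    } catch {
        $results['IIS test page served'] = $false
    }

    # Chrome: the machine-level installer lands under Program Files (assumed default paths)
    $chromePaths = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                     "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe")
    $results['Chrome installed'] = [bool]($chromePaths | Where-Object { Test-Path $_ } | Select-Object -First 1)

    # Public exposure: the guide wants no public IP on the VMs. IMDS reports the NIC configuration
    # as Azure sees it, which catches a public IP added "temporarily" and never removed.
    try {
        $net = Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } -TimeoutSec 5 `
            -Uri 'http://169.254.169.254/metadata/instance/network?api-version=2021-02-01'
        $publicIps = @($net.interface | ForEach-Object { $_.ipv4.ipAddress.publicIpAddress } | Where-Object { $_ })
        $results['No public IP on NIC'] = ($publicIps.Count -eq 0)
    } catch {
        $results['No public IP on NIC'] = $null   # IMDS unreachable: cannot tell
    }

    return $results
}

# Print a PASS/FAIL/UNKNOWN line per check and exit non-zero if anything failed
$report = Test-CustomImage
foreach ($entry in $report.GetEnumerator()) {
    $state = if ($null -eq $entry.Value) { 'UNKNOWN' } elseif ($entry.Value) { 'PASS' } else { 'FAIL' }
    '{0,-24} {1}' -f $entry.Key, $state
}
if ($report.Values -contains $false) { exit 1 }
```

Run it on the builder before sysprep and again on the test VM created from the image; the second run is the one that proves the capture worked, because it exercises what the image actually carries rather than what was installed on the builder.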

14) Security & best practices (brief)

● Do not keep the builder VM with admin accounts or public IPs long-term; delete it or secure it after capture.
● Use Azure Bastion or VPN; avoid opening RDP to the internet.
● Keep the VM Agent installed.
● Use Shared Image Gallery for versioning and automated image distribution.
● Use Managed Identities for automation tasks that need access to storage or Key Vault.
● If storing images in a storage account, disable public access and use a Private Endpoint if needed.
