How to Deploy Azure Resources Using Azure Bicep
In this article, I show you how to deploy Azure resources using Azure Bicep. It is a domain-specific language (DSL) for declaratively deploying Azure resources. It aims to simplify creating and managing your Azure infrastructure by offering several advantages over the traditional method using Azure Resource Manager (ARM) templates. Azure Bicep is used to deploy resources such as virtual machines, storage accounts, and networks using Bicep syntax.
See also how to Automate Infrastructure Deployments in the Cloud with Ansible and Azure Pipelines. While Azure Bicep is a modern tool for deploying Azure resources, you can also deploy a Linux virtual machine (VM) on Azure using the Azure CLI.
Learn how to create and attach an extra Disk to Azure Virtual Machine using the Azure Portal. PowerShell is also an available automation tool for provisioning Azure Resources using Azure Az PowerShell Cmdlet from Cloud Shell.
Creating Resources Using Azure Bicep
To implement Azure Bicep, we would carry out the following steps:
Step 1: Install the Bicep Visual Studio Extension
Launch the VSCode app on your machine and click the extensions icon. Search for Bicep, and then click on Install.
Step 2: Install the Bicep CLI
The prerequisite for installing the Bicep CLI is to have Azure CLI version 2.20.0 or later installed to be able to install the Bicep CLI. If you have met the above condition, proceed to install or upgrade the Bicep CLI by running any of the below commands:
$az bicep install --- # Install Bicep CLI
$az bicep upgrade --- # Upgrade Bicep CLI
You can also install the Azure Bicep manually using Chocolatey or the Winget command-line tool by running the below commands:
$choco install bicep
$winget install -e --id Microsoft.Bicep
$bicep --helpFor Linux users, run the following commands to set up Bicep on your machine:
$curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
$chmod +x ./bicep
$sudo mv ./bicep /usr/local/bin/bicep
$bicep --help
For macOS users, run the below commands:
$brew tap azure/bicep
$brew install bicep
$bicep --versionStep 3: Write your Bicep code
Having set up the Azure Bicep on our machines, let’s proceed to define our infrastructure. Here, we deploy an Azure Virtual Machine (VM) within a newly created Virtual Network (VNet).
To do so, make a directory on your desktop, navigate into it, and then open the file with VSCode.
$ cd desktop
$ mkdir azbicep-deploy && cd azbicep-deployment
$ code .
Add the below code to the main.bicep file and save it for deployment in the next step.
@description('Username for the Virtual Machine.')
param techadmin string
@description('Password for the Virtual Machine.')
@minLength(14)
@secure()
param adminPassword string
@description('Unique DNS Name for the Public IP used to access the Virtual Machine.')
param dnsLabelPrefix string = toLower('${mydemovmnet}-${uniqueString(resourceGroup().id, mydemovmnet)}')
@description('Name for the Public IP used to access the Virtual Machine.')
param publicIpName string = 'myPublicIP'
@description('Allocation method for the Public IP used to access the Virtual Machine.')
@allowed([
'Dynamic'
'Static'
])
param publicIPAllocationMethod string = 'Dynamic'
@description('SKU for the Public IP used to access the Virtual Machine.')
@allowed([
'Basic'
'Standard'
])
param publicIpSku string = 'Basic'
@description('The Windows version for the VM. This will pick a fully patched image of this given Windows version.')
@allowed([
'2016-datacenter-gensecond'
'2016-datacenter-server-core-g2'
'2016-datacenter-server-core-smalldisk-g2'
'2016-datacenter-smalldisk-g2'
'2016-datacenter-with-containers-g2'
'2016-datacenter-zhcn-g2'
'2019-datacenter-core-g2'
'2019-datacenter-core-smalldisk-g2'
'2019-datacenter-core-with-containers-g2'
'2019-datacenter-core-with-containers-smalldisk-g2'
'2019-datacenter-gensecond'
'2019-datacenter-smalldisk-g2'
'2019-datacenter-with-containers-g2'
'2019-datacenter-with-containers-smalldisk-g2'
'2019-datacenter-zhcn-g2'
'2022-datacenter-azure-edition'
'2022-datacenter-azure-edition-core'
'2022-datacenter-azure-edition-core-smalldisk'
'2022-datacenter-azure-edition-smalldisk'
'2022-datacenter-core-g2'
'2022-datacenter-core-smalldisk-g2'
'2022-datacenter-g2'
'2022-datacenter-smalldisk-g2'
])
param OSVersion string = '2022-datacenter-azure-edition'
@description('Size of the virtual machine.'
param vmSize string = 'Standard_D2s_v5'
@description('Location for all resources.')
param location string = resourceGroup().location
@description('Name of the virtual machine.')
param mydemovmnet string = 'simple-vm'
@description('Security Type of the Virtual Machine.')
@allowed([
'Standard'
'TrustedLaunch'
])
param securityType string = 'TrustedLaunch'
var storageAccountName = 'bootdiags${uniqueString(resourceGroup().id)}'
var nicName = 'mydemovmnic'
var addressPrefix = '10.0.0.0/16'
var subnetName = 'Subnet'
var subnetPrefix = '10.0.0.0/24'
var virtualNetworkName = 'mydemovmnet'
var networkSecurityGroupName = 'default-NSG'
var securityProfileJson = {
uefiSettings: {
secureBootEnabled: true
vTpmEnabled: true
}
securityType: securityType
}
var extensionName = 'GuestAttestation'
var extensionPublisher = 'Microsoft.Azure.Security.WindowsAttestation'
var extensionVersion = '1.0'
var maaTenantName = 'GuestAttestation'
var maaEndpoint = substring('emptyString', 0, 0)
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
name: storageAccountName
location: location
sku: {
name: 'Standard_LRS'
}
kind: 'Storage'
}
resource publicIp 'Microsoft.Network/publicIPAddresses@2022-05-01' = {
name: publicIpName
location: location
sku: {
name: publicIpSku
}
properties: {
publicIPAllocationMethod: publicIPAllocationMethod
dnsSettings: {
domainNameLabel: dnsLabelPrefix
}
}
}
resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2022-05-01' = {
name: networkSecurityGroupName
location: location
properties: {
securityRules: [
{
name: 'default-allow-3389'
properties: {
priority: 1000
access: 'Allow'
direction: 'Inbound'
destinationPortRange: '3389'
protocol: 'Tcp'
sourcePortRange: '*'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
}
}
]
}
}
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-05-01' = {
name: virtualNetworkName
location: location
properties: {
addressSpace: {
addressPrefixes: [
addressPrefix
]
}
subnets: [
{
name: subnetName
properties: {
addressPrefix: subnetPrefix
networkSecurityGroup: {
id: networkSecurityGroup.id
}
}
}
]
}
}
resource nic 'Microsoft.Network/networkInterfaces@2022-05-01' = {
name: nicName
location: location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
publicIPAddress: {
id: publicIp.id
}
subnet: {
id: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, subnetName)
}
}
}
]
}
dependsOn: [
virtualNetwork
]
}
resource vm 'Microsoft.Compute/virtualMachines@2022-03-01' = {
name: mydemovmnet
location: location
properties: {
hardwareProfile: {
vmSize: vmSize
}
osProfile: {
computerName: mydemovmnet
adminUsername: techadmin
adminPassword: adminPassword
}
storageProfile: {
imageReference: {
publisher: 'MicrosoftWindowsServer'
offer: 'WindowsServer'
sku: OSVersion
version: 'latest'
}
osDisk: {
createOption: 'FromImage'
managedDisk: {
storageAccountType: 'StandardSSD_LRS'
}
}
dataDisks: [
{
diskSizeGB: 1023
lun: 0
createOption: 'Empty'
}
]
}
networkProfile: {
networkInterfaces: [
{
id: nic.id
}
]
}
diagnosticsProfile: {
bootDiagnostics: {
enabled: true
storageUri: storageAccount.properties.primaryEndpoints.blob
}
}
securityProfile: ((securityType == 'TrustedLaunch') ? securityProfileJson : null)
}
}
resource vmExtension 'Microsoft.Compute/virtualMachines/extensions@2022-03-01' = if ((securityType == 'TrustedLaunch') && ((securityProfileJson.uefiSettings.secureBootEnabled == true) && (securityProfileJson.uefiSettings.vTpmEnabled == true)))
parent: vm
name: extensionName
location: location
properties: {
publisher: extensionPublisher
type: extensionName
typeHandlerVersion: extensionVersion
autoUpgradeMinorVersion: true
enableAutomaticUpgrade: true
settings: {
AttestationConfig: {
MaaSettings: {
maaEndpoint: maaEndpoint
maaTenantName: maaTenantName
}
}
}
}
}
output hostname string = publicIp.properties.dnsSettings.fqdnStep 4: Authenticate your Azure Account
To run the code to deploy an Azure virtual machine, run the az login command to log into your Azure subscription and set your subscription if you have more than one subscription in your tenant.
$az login
$ az account set --subscription "subscriptionID"
See how to use the Azure Cloud Shell or Azure CLI and Azure PowerShell, and how to “Remove Azure VM: How to delete a Virtual Machine via the Azure Portal“.
Step 5: Deploy your Bicep file using Azure CLI
All the resources deployed to Azure are usually stored in a resource group. Run the below command to create a resource group:
az group create --name myVMGroup --location eastus 
The next step is to deploy the Bicep file by running the below command:
az deployment group create --resource-group myVMGroup --template-file main.bicep --parameters techadmin=<admin-username>
With the Bicep file above, we deployed an Azure Storage account, a Network Security Group (NSG), a virtual network, a network interface, a public IP address, a virtual machine, and two managed VM disks in the myVMGroup resource group.
Please see How to use a dedicated MsSQL Db for Pleasant Password, how to set the PowerShell Execution Policy via Windows Registry, and how to Change the default Save and Download Location in Windows.
Step 6: Clean up Azure Resources
After demonstrating how to deploy resources using Bicep, it’s best practice to clean up those resources to avoid incurring cloud costs.
To do this, simply delete the resource group that holds all the resources by running the below command:
az group delete --name <ResourceGroup> --no-waitWhen prompted, if you’re sure you want to perform this operation, reply with Y and press the Enter key to proceed.
I hope you found this article useful on how to deploy Azure resources using Azure Bicep. Please feel free to leave a comment below.
