▶ Professional Portfolio Project · 2026

Cloud Security Infrastructure

// Microsoft Azure · OpenVPN · Pi-Hole · InsightVM · Grafana · Prometheus

925 Mbps Throughput
79K+ Domains Blocked
5 Security Layers
1 Public Port
Azure VM · Ubuntu 24.04 · OpenVPN · Pi-Hole v6 · InsightVM · Grafana · Prometheus · iptables · NSG

// 01 — Architecture

System Design

azure-security-lab — network topology
[Network topology diagram: Cloud Security Infrastructure — Azure Home Lab (OpenVPN · Pi-Hole · InsightVM · Grafana · Prometheus)]

Internet / client devices: iPhone 10.10.0.6 · Android 10.10.0.10 · Ubuntu 10.10.0.14 · AES-256-GCM with certificate auth (PKI)
Azure Network Security Group (NSG): 1194/UDP (VPN) allowed · 22/TCP allowed from admin IP only · all other inbound denied by default
Azure VM: Ubuntu 24.04 LTS · private 10.1.0.4 · public 20.193.136.209 · 4 vCPU · 15.6 GB RAM · 925 Mbps SR-IOV accelerated networking
iptables host firewall: ACCEPT tun0 (VPN clients) · DROP eth0:53,80,443,3780 · MASQUERADE NAT · FORWARD tun0↔eth0
OpenVPN: 1194/UDP · AES-256-GCM · tun0 10.10.0.0/24 · redirect-gateway def1 · MASQUERADE NAT
Pi-Hole v6: 53/DNS · FTL engine · 79,487+ blocklist entries · listeningMode = ALL · upstream Google + Cloudflare · DNSSEC enabled
InsightVM: 3780/TCP · local scan engine · scans 10.10.0.0/24 · CVE detection · risk scoring
Grafana + Prometheus: 3000/TCP · 9090/TCP · Pi-Hole exporter :9617 · Node exporter :9100 · scrape every 15s · real-time dashboards
Internet egress via NAT masquerade · VPN-only access to the Pi-Hole UI, InsightVM and Grafana
Security layers: 1 Azure NSG · 2 iptables · 3 OpenVPN PKI · 4 Pi-Hole DNS · 5 InsightVM

// 02 — Technology Stack

What's Running

🔒
OpenVPN
PORT 1194/UDP · AES-256-GCM
Full-tunnel VPN gateway. All device traffic routed through Azure VM. Certificate-based PKI authentication. SR-IOV accelerated networking delivering 925 Mbps.
🛡️
Pi-Hole v6
PORT 53/DNS · FTL ENGINE
DNS-level ad and malware blocking with 79,487+ entries. DNSSEC enabled. Upstream: Google (ECS) + Cloudflare. Configured to accept all VPN subnet queries.
🔍
InsightVM
PORT 3780/TCP · ENTERPRISE
Vulnerability scanning across VPN subnet 10.10.0.0/24. CVE detection, risk scoring, and remediation guidance. SSH credential-based deep scanning for Linux hosts.
📊
Grafana
PORT 3000/TCP · LIVE DASHBOARDS
Real-time visualization of Pi-Hole metrics, system performance, and VPN traffic. Powered by Prometheus data with 15-second scrape intervals.
📈
Prometheus
PORT 9090/TCP · METRICS
Metrics collection from Node Exporter (system), Pi-Hole Exporter (DNS stats), and self-monitoring. Time-series database for Grafana.
🔥
iptables + NSG
DUAL-LAYER FIREWALL
Azure NSG restricts all inbound except 1194/UDP. Host iptables blocks ports 53, 80, 443, 3780 from eth0. Only VPN clients (tun0) get full service access.
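The Prometheus side of the stack above is only described in prose. The following added example (not the lab's own configuration) writes a prometheus.yml with the page's 15-second scrape interval and the three scrape targets it names (Prometheus self-monitoring on 9090, Node Exporter on 9100, Pi-Hole Exporter on 9617), then checks the result with promtool when it is installed and with a structural grep otherwise. That all exporters run on the VM itself and are scraped over loopback is an assumption.

```shell
#!/bin/sh
# Added example, not the lab's own file: generate and sanity-check the
# Prometheus scrape configuration described on the page.
# Assumption: every exporter runs on the Azure VM, so targets are 127.0.0.1.

write_prom_config() {  # $1 = output path
  cat > "$1" <<'EOF'
global:
  scrape_interval: 15s        # page: "15-second scrape intervals"
  evaluation_interval: 15s

scrape_configs:
  - job_name: prometheus      # self-monitoring
    static_configs:
      - targets: ['127.0.0.1:9090']
  - job_name: node            # Node Exporter: CPU, memory, network
    static_configs:
      - targets: ['127.0.0.1:9100']
  - job_name: pihole          # Pi-Hole Exporter: DNS query and block stats
    static_configs:
      - targets: ['127.0.0.1:9617']
EOF
}

# Number of scrape jobs in the file (the page describes three)
count_jobs() { grep -c 'job_name:' "$1"; }

# Validate with promtool if available; otherwise check the essentials by hand
check_prom_config() {  # $1 = path; exit status 0 when the config is acceptable
  if command -v promtool >/dev/null 2>&1; then
    promtool check config "$1"
  else
    [ "$(count_jobs "$1")" -eq 3 ] && grep -q 'scrape_interval: 15s' "$1"
  fi
}
```

Because the exporters listen on ports that the page's iptables DROP list does not cover, scraping over loopback keeps them from being reachable on eth0 even if the NSG were misconfigured.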

// 03 — Security Hardening

Defence in Depth

01
Azure Network Security Group
Cloud-level firewall · Priority 110: 1194/UDP open · Priority 100: SSH admin IP only · Default deny all inbound
✓ ACTIVE
02
iptables Host Firewall
13 rules · DROP eth0:53,80,443,3780,13456,43321,40815 · ACCEPT tun0 VPN clients · Persisted via netfilter-persistent
✓ ACTIVE
03
OpenVPN Encryption + PKI
AES-256-GCM · Certificate-based auth · Custom CA · No username/password auth · Impossible to connect without valid .ovpn + cert
✓ ACTIVE
04
Pi-Hole DNS Filtering
79,487+ blocked domains · All device DNS routed through Pi-Hole · Blocks ads, trackers, malware domains at DNS level
✓ ACTIVE
05
InsightVM Vulnerability Scanning
Continuous scanning · CVE identification · Risk scoring · Remediation guidance · SSH deep scanning on Linux clients
✓ ACTIVE
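The iptables layer is described in the stack section and in layer 02 above, but the rules themselves are not listed. The following added example (not the lab's own 13-rule script) expresses the behaviour the page describes as iptables commands: accept everything from VPN clients on tun0, accept only 1194/UDP on eth0, drop the listed service ports on eth0, forward tun0↔eth0 and masquerade VPN traffic out of eth0. Interface names, the VPN subnet and the port list come from the page; the conntrack rules, the use of multiport, and leaving 22/TCP to the NSG's admin-IP restriction are assumptions, so the rule count differs from the page's 13.

```shell
#!/bin/sh
# Added example (not the lab's own script): the host firewall ruleset described
# on this page as iptables commands. gen_rules only prints; apply_rules must be
# run as root on the VM.

WAN_IF=eth0            # public interface, sits behind the Azure NSG
VPN_IF=tun0            # OpenVPN clients, 10.10.0.0/24
VPN_NET=10.10.0.0/24
VPN_PORT=1194
# Ports the page drops on eth0. The monitoring ports (3000, 9090, 9100, 9617)
# are not in the page's list, so on eth0 they rely on the NSG alone; appending
# them here stops the host layer from depending on the cloud layer.
DROP_PORTS="53 80 443 3780 13456 43321 40815"

gen_rules() {
  ports=$(echo "$DROP_PORTS" | tr ' ' ',')
  # Replies to the VM's own outbound traffic and loopback are always allowed
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # VPN clients get full service access (Pi-Hole, InsightVM, Grafana)
  echo "iptables -A INPUT -i $VPN_IF -j ACCEPT"
  # The single public port: OpenVPN itself
  echo "iptables -A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT"
  # Service ports are dropped (not rejected) on the public interface
  echo "iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports $ports -j DROP"
  echo "iptables -A INPUT -i $WAN_IF -p udp -m multiport --dports $ports -j DROP"
  # Full-tunnel routing: VPN clients out through eth0, replies back in
  echo "iptables -A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT"
  echo "iptables -A FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # NAT so client traffic leaves with the VM's address (the page's MASQUERADE rule)
  echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# How many rules gen_rules produces
count_rules() { gen_rules | wc -l | tr -d ' '; }

# Apply the rules, enable forwarding and persist them (page: netfilter-persistent)
apply_rules() {
  gen_rules | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done || return 1
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  netfilter-persistent save
}
```

The DROP rules only matter for ports that are otherwise bound on eth0; a service bound to 127.0.0.1 or to the tun0 address needs no host rule at all, which is the simpler fix wherever a daemon supports a bind address.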

// 04 — Live Dashboards

Real-Time Monitoring

vpn-access-required.sh
# Dashboards are protected — accessible via VPN only
$ echo "Connect to VPN: 20.193.136.209:1194"
Connect to VPN: 20.193.136.209:1194
$ ping -c 1 10.1.0.4
PING 10.1.0.4 — 1 packet transmitted, 1 received — time 8ms
$ curl http://10.1.0.4/admin # Pi-Hole dashboard
HTTP/1.1 200 OK — Pi-Hole FTL v6.5 — Active ✓
$ curl http://10.1.0.4:3000 # Grafana dashboard
HTTP/1.1 200 OK — Grafana v11 — Active ✓
[Embedded Grafana dashboard: Pi-Hole Metrics at 10.1.0.4:3000 · VPN required to view · VPN: 20.193.136.209:1194]
[Embedded Pi-Hole DNS dashboard at 10.1.0.4/admin · VPN required to view · VPN: 20.193.136.209:1194]

// 05 — Problem Solving

Challenges Solved

troubleshooting-log.md — 7 issues resolved
| Problem | Root Cause | Fix Applied |
| --- | --- | --- |
| Phone internet not working | redirect-gateway commented out | Uncommented in server.conf |
| No internet after VPN enabled | Missing NAT MASQUERADE rules | Added iptables POSTROUTING rules |
| DNS not resolving on VPN | Pi-Hole listeningMode=LOCAL | Changed to listeningMode=ALL |
| Slow VPN speeds | AES-256-CBC cipher mismatch | Upgraded to AES-256-GCM + data-ciphers |
| Ubuntu VPN not connecting | Cipher negotiation failure (CBC vs GCM) | Added data-ciphers line to .ovpn file |
| IP subnet conflict | Pi-Hole DHCP using 10.10.0.x range | Disabled Pi-Hole DHCP server |
| Grafana showing no data | Dashboard hostname variable wrong | Fixed node variable to 10.1.0.4 |
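Most rows in the troubleshooting log are configuration directives that were missing, commented out, or mismatched between server and client. The following added example (not the lab's own tooling) is a small lint that checks for exactly those conditions before a client connects: redirect-gateway pushed and uncommented, data-ciphers naming AES-256-GCM on both sides, a DNS push so queries reach Pi-Hole, an inline certificate in the .ovpn, and listeningMode set to ALL in Pi-Hole v6's pihole.toml. The DNS push address 10.10.0.1 (the tun0 gateway), the `bypass-dhcp` flag and the pihole.toml location are assumptions; the page does not state them.

```shell
#!/bin/sh
# Added example, not the lab's own script: lint OpenVPN and Pi-Hole config
# files for the mistakes listed in the troubleshooting table.
# Assumptions: clients are pushed 10.10.0.1 as DNS; Pi-Hole v6 stores
# listeningMode in /etc/pihole/pihole.toml (pass the path as an argument).

# True when the directive starts an uncommented line (';' and '#' lines are skipped)
has_directive() {  # $1 = file, $2 = extended regex
  grep -Eq "^[[:space:]]*$2" "$1"
}

# Each checker prints one line per problem; its exit status is the problem count
check_server_conf() {  # $1 = path to server.conf
  problems=0
  has_directive "$1" 'push "redirect-gateway def1' ||
    { echo "server: redirect-gateway not pushed (clients keep their local default route)"; problems=$((problems + 1)); }
  has_directive "$1" 'data-ciphers .*AES-256-GCM' ||
    { echo "server: data-ciphers lacks AES-256-GCM (CBC fallback: slow or failed negotiation)"; problems=$((problems + 1)); }
  has_directive "$1" 'push "dhcp-option DNS ' ||
    { echo "server: no DNS pushed, client queries bypass Pi-Hole"; problems=$((problems + 1)); }
  return $problems
}

check_client_conf() {  # $1 = path to the client .ovpn
  problems=0
  has_directive "$1" 'data-ciphers .*AES-256-GCM' ||
    { echo "client: add 'data-ciphers AES-256-GCM' to match the server"; problems=$((problems + 1)); }
  has_directive "$1" '<cert>' ||
    { echo "client: no inline <cert> block, certificate auth will fail"; problems=$((problems + 1)); }
  return $problems
}

check_pihole_toml() {  # $1 = path to pihole.toml
  problems=0
  has_directive "$1" 'listeningMode = "ALL"' ||
    { echo "pihole: listeningMode is not ALL, queries from the VPN subnet are refused"; problems=$((problems + 1)); }
  return $problems
}
```

Run the three checkers from a deploy step or a cron job and treat any non-zero status as a failed deployment; the messages map one-to-one onto the rows of the table, so a fix is immediate.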

// 06 — Outcomes

Results

925
Mbps Throughput
79K+
Domains Blocked
3
Devices Protected
1
Public Port Open
5
Security Layers
13
iptables Rules
100%
Traffic Encrypted
0%
Idle CPU Load

// 07 — Enterprise Application

How This Scales to Enterprise

This home lab mirrors real enterprise security architecture patterns. Every component maps directly to tools and practices used in Fortune 500 security teams — just at smaller scale. Here's how each piece translates to an enterprise environment.

🏢
Remote Access

Corporate VPN Gateway

OpenVPN at this scale demonstrates understanding of full-tunnel routing, PKI certificate management, and NAT — the same concepts used in Cisco AnyConnect, Palo Alto GlobalProtect, and Zscaler deployments.

  • Certificate-based auth → replace with Active Directory / LDAP
  • Single VM → scale to HA cluster with load balancer
  • 10.10.0.0/24 → enterprise subnets per department
  • Manual config → automate with Ansible / Terraform
  • Applicable to: Zero Trust Network Access (ZTNA)
🛡️
DNS Security

Enterprise DNS Filtering

Pi-Hole demonstrates DNS-layer threat intelligence — the same principle behind Cisco Umbrella, Palo Alto DNS Security, and Cloudflare Gateway used to block malware C2, phishing, and data exfiltration.

  • 79K+ blocklists → enterprise threat intel feeds
  • Single node → replicated DNS cluster (anycast)
  • Manual blocklists → integrate with MISP / threat feeds
  • HTTP admin → HTTPS + SSO + RBAC
  • Applicable to: SOC DNS monitoring & response
🔍
Vulnerability Mgmt

Enterprise Vulnerability Program

InsightVM is an enterprise-grade tool used by thousands of organisations. This lab demonstrates scanner deployment, scan policy configuration, credential management, and asset discovery — core vulnerability management skills.

  • VPN subnet scan → enterprise asset inventory
  • Local engine → distributed scan engine fleet
  • SSH creds → CyberArk / HashiCorp Vault integration
  • Manual scans → scheduled + authenticated scan policies
  • Applicable to: ISO 27001, NIST, PCI-DSS compliance
📊
Observability

Security Monitoring & SIEM

Grafana + Prometheus demonstrates metrics-based observability — a foundation for security dashboards. This architecture maps directly to Splunk, Elastic SIEM, Microsoft Sentinel, and Datadog Security.

  • Pi-Hole exporter → security event data sources
  • Prometheus → log aggregation (Elastic / Splunk)
  • Grafana dashboards → SOC analyst workbench
  • Manual alerts → SOAR automated response playbooks
  • Applicable to: SOC Tier 1 monitoring & triage
🔥
Network Security

Perimeter & Host Firewalling

The dual-layer NSG + iptables approach mirrors enterprise defence-in-depth: cloud security groups (AWS SGs, Azure NSG) combined with host-based firewalls — exactly as required by CIS benchmarks.

  • Azure NSG → AWS Security Groups / GCP Firewall Rules
  • iptables → enterprise EDR host firewall policies
  • Manual rules → firewall-as-code (Terraform)
  • Single VM → enterprise micro-segmentation
  • Applicable to: CIS Benchmark L1/L2 hardening
☁️
Cloud Security

Cloud Infrastructure Security

Deploying, hardening, and operating services on Azure demonstrates practical cloud security skills — IAM, network controls, identity, and monitoring — all mapped to real-world cloud security frameworks.

  • Single VM → multi-region HA architecture
  • Manual deployment → ARM / Bicep / Terraform IaC
  • Basic NSG → Azure Defender for Cloud integration
  • Local monitoring → Azure Monitor + Log Analytics
  • Applicable to: CSPM, cloud security posture mgmt

// Home Lab → Enterprise Mapping

enterprise-mapping.md — tool equivalence matrix
| Capability | This Lab (Home) | Enterprise Equivalent |
| --- | --- | --- |
| Remote Access VPN | OpenVPN + PKI | Cisco AnyConnect · Palo Alto GlobalProtect · Zscaler |
| DNS Threat Filtering | Pi-Hole v6 FTL | Cisco Umbrella · Cloudflare Gateway · Infoblox |
| Vulnerability Management | InsightVM (Enterprise) | Tenable.io · Qualys VMDR · Rapid7 InsightVM (same) |
| Metrics & Dashboards | Prometheus + Grafana | Splunk · Datadog · Microsoft Sentinel · Elastic SIEM |
| Cloud Firewall | Azure NSG | AWS Security Groups · GCP Firewall · Azure Firewall Premium |
| Host Firewall | iptables (13 rules) | CrowdStrike Falcon · SentinelOne · Windows Defender Firewall |
| Network Encryption | AES-256-GCM end-to-end | IPSec · MACsec · TLS 1.3 everywhere |
| Certificate Auth | Custom PKI / easy-rsa | Active Directory CS · HashiCorp Vault PKI · AWS ACM |
| Identity & Access | ~ IP-based VPN auth | Azure AD / Entra ID · Okta · PingIdentity · MFA |
| Automated Response | Manual remediation | Splunk SOAR · Palo Alto XSOAR · Microsoft Sentinel playbooks |
| Log Management | ~ journalctl + openvpn.log | Elastic Stack · Splunk · Azure Monitor Log Analytics |
| Infrastructure as Code | Manual deployment | Terraform · Ansible · ARM Templates · Pulumi |

// Scaling Path

STAGE 01
Home Lab
1 VM · 3 devices · Manual config · Azure free tier
Current
STAGE 02
Small Business
2–3 VMs · 50 users · Ansible automation · AD integration
+AD +IaC
STAGE 03
Mid-Market
HA cluster · 500 users · SIEM integration · SOC dashboards
+HA +SIEM
STAGE 04
Enterprise
Multi-region · 10K+ users · Zero Trust · SOAR playbooks
+ZT +SOAR
STAGE 05
Global
Anycast DNS · CDN edge · Full CSPM · Red/Blue team ops
+CSPM

// Enterprise Value Metrics

~$0
Cost vs $50K+
enterprise DNS tools
100%
Traffic encrypted
zero cleartext
<1ms
DNS filtering
latency overhead
9.38%
Ads/trackers
blocked by default
1
Public port
minimal attack surface
15s
Metric scrape
interval · real-time

Ready to Bring This to Your Organisation

This lab demonstrates hands-on proficiency with the same tools, concepts, and architecture patterns used in enterprise security teams. Every component was deployed, broken, debugged, and hardened — not just read about.