
Virtual Machines

Virtual machines (VMs) remain one of the most common building blocks in infrastructure automation. Even in cloud‑native environments, VMs are used for legacy workloads, custom runtimes, controlled security boundaries, and lift‑and‑shift migrations. As an expert‑level PowerShell practitioner, you must understand not only how to create VMs, but how to automate their lifecycle, enforce configuration standards, integrate them with identity and networking, and ensure deployments are idempotent and repeatable.

This section teaches you how to automate VM provisioning and management across Azure and AWS using PowerShell, with a focus on real‑world enterprise patterns.


1. Automating Azure virtual machines

Azure exposes VM automation through the Az.Compute module. VM creation in Azure follows a predictable structure:

Resource group → Network → Storage → VM configuration → Deployment

PowerShell orchestrates these components in a controlled, repeatable way.


1.1 Creating a resource group

Every Azure VM must live inside a resource group:

New-AzResourceGroup -Name "ProdRG" -Location "JapanEast"

1.2 Creating networking components

A VM requires a virtual network, subnet, and network interface.

$vnet = New-AzVirtualNetwork `
    -Name "ProdVNet" `
    -ResourceGroupName "ProdRG" `
    -Location "JapanEast" `
    -AddressPrefix "10.10.0.0/16"

Add-AzVirtualNetworkSubnetConfig `
    -Name "ProdSubnet" `
    -VirtualNetwork $vnet `
    -AddressPrefix "10.10.1.0/24"

# Capture the object Set-AzVirtualNetwork returns: only that copy carries the
# subnet resource IDs assigned by Azure, which the NIC below needs.
$vnet = $vnet | Set-AzVirtualNetwork

$nic = New-AzNetworkInterface `
    -Name "ProdNIC01" `
    -ResourceGroupName "ProdRG" `
    -Location "JapanEast" `
    -SubnetId $vnet.Subnets[0].Id

Networking is always created before the VM because the VM depends on it.


1.3 Creating the VM configuration

Azure VMs are defined through a configuration object:

$vmConfig = New-AzVMConfig -VMName "Web01" -VMSize "Standard_B2s" |
    Set-AzVMOperatingSystem -Windows -ComputerName "Web01" -Credential (Get-Credential) |
    Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2022-datacenter" -Version "latest" |
    Add-AzVMNetworkInterface -Id $nic.Id

This object describes:

  • OS type
  • VM size
  • Image
  • Credentials
  • NICs
  • Disks

The VM is not created until you submit the configuration.


1.4 Deploying the VM

New-AzVM -ResourceGroupName "ProdRG" -Location "JapanEast" -VM $vmConfig

Azure handles the provisioning, OS deployment, and initial boot.


1.5 Post‑deployment automation

Once the VM exists, PowerShell can:

  • Install software via Custom Script Extension
  • Join the VM to Active Directory
  • Apply DSC (Desired State Configuration)
  • Configure monitoring and logging
  • Attach additional disks
  • Modify network rules

Example: running a script on the VM via extension:

# -Name labels the extension resource on the VM and -Location is the VM's region;
# the cmdlet requires both.
Set-AzVMCustomScriptExtension `
    -ResourceGroupName "ProdRG" `
    -VMName "Web01" `
    -Location "JapanEast" `
    -Name "SetupScript" `
    -FileUri "https://storage.blob.core.windows.net/scripts/setup.ps1" `
    -Run "setup.ps1"

This is how enterprises enforce consistent configuration across fleets of VMs. Because the extension downloads and runs the script with SYSTEM privileges, the URI should point at storage you control and the script should pass the same review as any other code that ships to production.


2. Automating AWS EC2 instances

AWS exposes VM automation through the AWS.Tools.EC2 module. EC2 automation is more imperative than Azure: you call API operations directly.


2.1 Launching an EC2 instance

$reservation = New-EC2Instance `
    -ImageId "ami-0abcdef1234567890" `
    -InstanceType "t3.micro" `
    -MinCount 1 -MaxCount 1

# New-EC2Instance returns a Reservation; keep the instance ID for the lifecycle steps below.
$instanceId = $reservation.Instances[0].InstanceId

AWS returns the Reservation object (instance ID and metadata) immediately; the instance itself continues provisioning and booting asynchronously.


2.2 Attaching security groups and IAM roles

Security groups define network access:

$sg = New-EC2SecurityGroup -GroupName "ProdSG" -Description "Prod access"

# Grant-EC2SecurityGroupIngress takes IpPermission objects (a hashtable binds to one).
# This rule exposes TCP/80 to the internet, which is appropriate only for the public web tier.
$httpRule = @{ IpProtocol = "tcp"; FromPort = 80; ToPort = 80; IpRanges = "0.0.0.0/0" }
Grant-EC2SecurityGroupIngress -GroupId $sg -IpPermission @($httpRule)

IAM roles provide identity without storing credentials:

# An instance profile is the container that carries a role onto an instance. Create it,
# then add the role (created separately with New-IAMRole; the role name here is assumed).
New-IAMInstanceProfile -InstanceProfileName "ProdProfile"
Add-IAMRoleToInstanceProfile -InstanceProfileName "ProdProfile" -RoleName "ProdEC2Role"

2.3 Managing EC2 lifecycle

PowerShell can manage the full lifecycle:

  • Start/stop instances
  • Resize instances
  • Attach EBS volumes
  • Create AMIs
  • Tag resources for governance

Example: stopping a VM safely:

Stop-EC2Instance -InstanceId $instanceId

Example: tagging for cost management:

New-EC2Tag -Resource $instanceId -Tag @{ Key="Environment"; Value="Production" }

Tags are essential for automation, cost allocation, and compliance.
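The pieces of section 2 pulled together, as an added example that is not part of the original page: a role that only the EC2 service can assume, an instance that receives it through an instance profile at launch (so no access keys ever land on disk), tags applied at creation rather than afterwards, and a stop routine that checks state before acting. Assumptions: AWS.Tools.EC2 and AWS.Tools.IdentityManagement are installed with a default region and credential profile configured; the AMI ID is the page's placeholder, "ProdProfile" comes from the page, and the role name, tag keys and function names are mine.

```powershell
#Requires -Modules AWS.Tools.EC2, AWS.Tools.IdentityManagement
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Initialize-Ec2InstanceRole {
    param([string]$RoleName = 'ProdEC2Role', [string]$ProfileName = 'ProdProfile')   # role name assumed

    # Trust policy: only the EC2 service may assume this role. The only permission attached is the
    # SSM agent policy, so the instance can be managed without SSH and without long-lived keys.
    $trust = @'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" }
  ]
}
'@
    try { $null = Get-IAMRole -RoleName $RoleName }
    catch {
        $null = New-IAMRole -RoleName $RoleName -AssumeRolePolicyDocument $trust
        Register-IAMRolePolicy -RoleName $RoleName -PolicyArn 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
    }
    try { $null = Get-IAMInstanceProfile -InstanceProfileName $ProfileName }
    catch {
        $null = New-IAMInstanceProfile -InstanceProfileName $ProfileName
        Add-IAMRoleToInstanceProfile -InstanceProfileName $ProfileName -RoleName $RoleName
        Start-Sleep -Seconds 10   # IAM is eventually consistent; a brand-new profile may not be usable at launch yet
    }
    return $ProfileName
}

function New-ProdInstance {
    param(
        [string]$ImageId      = 'ami-0abcdef1234567890',   # placeholder AMI from the page
        [string]$InstanceType = 't3.micro',
        [string]$SecurityGroupId,
        [hashtable]$Tags = @{ Environment = 'Production'; Owner = 'web-team'; Name = 'Web01' }   # assumed standard
    )
    $profileName = Initialize-Ec2InstanceRole

    # Tags go in the launch request (TagSpecification) so no instance ever exists untagged,
    # which is what makes tag-based cost allocation and compliance checks trustworthy.
    $tagSpec = New-Object Amazon.EC2.Model.TagSpecification
    $tagSpec.ResourceType = 'instance'
    $tagSpec.Tags = [System.Collections.Generic.List[Amazon.EC2.Model.Tag]]::new()
    foreach ($k in $Tags.Keys) {
        $tagSpec.Tags.Add((New-Object Amazon.EC2.Model.Tag -ArgumentList $k, $Tags[$k]))
    }

    $params = @{
        ImageId                    = $ImageId
        InstanceType               = $InstanceType
        MinCount                   = 1
        MaxCount                   = 1
        InstanceProfile_Name       = $profileName
        TagSpecification           = $tagSpec
        MetadataOptions_HttpTokens = 'required'   # IMDSv2 only: session-token requirement blocks credential theft through SSRF
    }
    if ($SecurityGroupId) { $params.SecurityGroupId = $SecurityGroupId }

    $reservation = New-EC2Instance @params
    return $reservation.Instances[0].InstanceId
}

function Stop-ProdInstance {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$InstanceId)
    # Check state first: stopping an instance that is already stopped or terminated is an API error.
    $state = (Get-EC2Instance -InstanceId $InstanceId).Instances[0].State.Name.Value
    if ($state -ne 'running') { Write-Verbose "$InstanceId is $state; nothing to stop"; return $state }
    $null = Stop-EC2Instance -InstanceId $InstanceId
    # Stop-EC2Instance returns as soon as the request is accepted; poll until the instance is really stopped.
    do {
        Start-Sleep -Seconds 5
        $state = (Get-EC2Instance -InstanceId $InstanceId).Instances[0].State.Name.Value
    } while ($state -ne 'stopped')
    return $state
}

# Usage:
# $id = New-ProdInstance -SecurityGroupId $sg
# Stop-ProdInstance -InstanceId $id -Verbose
```

Two design points: the role is created with the narrowest trust policy the workload needs and gains permissions only through attached policies, so widening access later is a visible, reviewable change; and `Stop-ProdInstance` polls for the final state because the stop call itself only queues the state change, which matters when a later step (snapshotting, resizing) requires the instance to actually be stopped.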


3. Designing VM automation workflows

Expert‑level VM automation is not about creating a single VM—it is about designing a repeatable, governed, and auditable process.

A mature workflow includes:

3.1 Declarative infrastructure

  • Azure: Bicep/ARM
  • AWS: CloudFormation

PowerShell orchestrates deployments but does not replace declarative templates.

3.2 Configuration management

  • PowerShell DSC
  • Azure VM Extensions
  • AWS SSM (Systems Manager)
  • Custom bootstrap scripts

This ensures every VM is configured identically.

3.3 Identity and access

  • Azure managed identities
  • AWS IAM roles
  • No embedded credentials
  • Vault‑based secret retrieval

3.4 Governance and compliance

  • Tagging standards
  • Resource locks
  • Policy enforcement (Azure Policy, AWS SCPs)
  • Logging and monitoring
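A governance check of the kind this section describes, as an added example that is not part of the original page: it scans Azure VMs for the tags a tagging standard requires and reports the gaps, which is the detective complement to the preventive controls Azure Policy provides. Assumptions: Az.Compute and Az.Resources are installed, Connect-AzAccount has run, and the required tag names are an assumed standard.

```powershell
function Get-UntaggedAzVm {
    param(
        [string[]]$RequiredTags = @('Environment', 'Owner', 'CostCenter'),   # assumed tagging standard
        [string]$ResourceGroupName                                           # optional: limit the scan to one RG
    )
    $vms = if ($ResourceGroupName) { Get-AzVM -ResourceGroupName $ResourceGroupName } else { Get-AzVM }
    foreach ($vm in $vms) {
        # Azure tag names are case-insensitive, so compare them in lower case to avoid false findings.
        $present = @{}
        if ($vm.Tags) { foreach ($k in $vm.Tags.Keys) { $present[$k.ToLowerInvariant()] = $true } }
        $missing = $RequiredTags | Where-Object { -not $present.ContainsKey($_.ToLowerInvariant()) }
        if ($missing) {
            [pscustomobject]@{
                ResourceGroup = $vm.ResourceGroupName
                Name          = $vm.Name
                Id            = $vm.Id
                MissingTags   = ($missing -join ',')
            }
        }
    }
}

# Report the findings, then remediate with a merge so existing tags are never overwritten:
# Get-UntaggedAzVm | Format-Table
# Get-UntaggedAzVm | ForEach-Object {
#     Update-AzTag -ResourceId $_.Id -Tag @{ Owner = 'unassigned' } -Operation Merge
# }
```

Run on a schedule and written to a log or ticket queue, the report gives the audit trail the section asks for; pairing it with an Azure Policy "deny" or "modify" effect on the same tags stops new untagged VMs from appearing in the first place.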

3.5 Idempotency

Running the automation twice must not:

  • Create duplicate VMs
  • Break networking
  • Overwrite configuration unexpectedly

Idempotency is achieved through:

  • Template‑based deployments
  • State validation
  • Conditional logic in scripts
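The Azure steps of section 1 rebuilt as one idempotent function, as an added example that is not part of the original page: every resource is read before it is created (state validation), and the VM check turns a second run into a no-op instead of a duplicate or a failure (conditional logic). Assumptions: Az.Resources, Az.Network and Az.Compute are installed, Connect-AzAccount has run against the intended subscription, and the caller supplies the administrator credential (from Key Vault or a prompt) so no password lives in the script; the resource names are the page's, the tag keys, NIC name and function name are mine.

```powershell
#Requires -Modules Az.Resources, Az.Network, Az.Compute
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Initialize-ProdVm {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ResourceGroupName = 'ProdRG',
        [string]$Location          = 'JapanEast',
        [string]$VmName            = 'Web01',
        [string]$VmSize            = 'Standard_B2s',
        [Parameter(Mandatory)][pscredential]$AdminCred,
        [hashtable]$Tags = @{ Environment = 'Production'; Owner = 'web-team' }   # assumed tagging standard
    )

    # 1. Resource group: read first, create only when absent.
    if (-not (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
        $null = New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Tag $Tags
    }

    # 2. Virtual network and subnet, created in one call so the returned object already carries the subnet ID.
    $vnet = Get-AzVirtualNetwork -Name 'ProdVNet' -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
    if (-not $vnet) {
        $subnet = New-AzVirtualNetworkSubnetConfig -Name 'ProdSubnet' -AddressPrefix '10.10.1.0/24'
        $vnet = New-AzVirtualNetwork -Name 'ProdVNet' -ResourceGroupName $ResourceGroupName `
                    -Location $Location -AddressPrefix '10.10.0.0/16' -Subnet $subnet -Tag $Tags
    }
    $subnetId = ($vnet.Subnets | Where-Object Name -eq 'ProdSubnet').Id

    # 3. NIC, same pattern; deriving the NIC name from the VM name keeps reruns deterministic.
    $nicName = "$VmName-nic01"
    $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
    if (-not $nic) {
        $nic = New-AzNetworkInterface -Name $nicName -ResourceGroupName $ResourceGroupName `
                    -Location $Location -SubnetId $subnetId -Tag $Tags
    }

    # 4. VM: the existence check is what makes the automation safe to run twice.
    $existing = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "$VmName already exists in $ResourceGroupName; nothing to do"
        return $existing
    }

    $vmConfig = New-AzVMConfig -VMName $VmName -VMSize $VmSize -Tags $Tags |
        Set-AzVMOperatingSystem -Windows -ComputerName $VmName -Credential $AdminCred -ProvisionVMAgent -EnableAutoUpdate |
        Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2022-datacenter' -Version 'latest' |
        Add-AzVMNetworkInterface -Id $nic.Id

    if ($PSCmdlet.ShouldProcess("$VmName in $ResourceGroupName", 'Create VM')) {
        New-AzVM -ResourceGroupName $ResourceGroupName -Location $Location -VM $vmConfig
    }
}

# Usage: the same call twice creates everything once, then returns the existing VM.
# $cred = Get-Credential -Message 'Local administrator for Web01'
# Initialize-ProdVm -AdminCred $cred -Verbose
# Initialize-ProdVm -AdminCred $cred -Verbose
```

The function reads each resource by its deterministic name rather than trusting any local state file, so it stays correct even if someone created or deleted part of the stack by hand between runs; that is the same property a Bicep or CloudFormation deployment gives you, which is why the section recommends templates for anything larger than a handful of resources.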

4. Summary

Automating virtual machines with PowerShell requires a deep understanding of how cloud providers structure their compute resources and how to orchestrate them in a secure, repeatable, and compliant way. Key principles include:

  • Using Az.Compute for Azure and AWS.Tools.EC2 for AWS
  • Authenticating with managed identities or IAM roles
  • Building VMs through structured configuration objects
  • Applying post‑deployment configuration through extensions or SSM
  • Designing workflows that are idempotent, auditable, and aligned with enterprise governance

With these skills, you can automate VM provisioning and lifecycle management at scale across any cloud environment.