Pi-Hole: Hosting in Azure
From a desk ornament to a powerful cloud service: This post tracks my journey moving my beloved Pi-hole DNS sinkhole from a local Raspberry Pi and into my personal Azure tenant. It’s a great example of how a small problem can lead to massive real-world cloud learning.
Pi-hole is a homelab staple, but when my ISP router died and I replaced it with an aftermarket one, my little Pi-hole on Wi-Fi threw a fit. I was faced with a tedious reinstallation—a chore I was happy to skip by saying, "Let's deploy it on Azure instead!" This was my chance to treat a production-like service (my network's DNS) as a full Infrastructure as a Service (IaaS) project.
The Migration Playbook: IaaS, CLI, and Hardening
My entire process focused on getting the VM right and then locking it down, mirroring the discipline I use at work, but with my own wallet on the line.
- The Trigger and the Pivot: The initial step was forced upon me. The new aftermarket router meant my Raspberry Pi lost its connection, and fixing the Wi-Fi was more effort than it was worth. The only logical solution was to move the service to a reliable Azure VM to deepen my IaaS skills.
- Choosing the Right Footwear (VM Sizing): Knowing Pi-hole is minimal, I settled on the Standard B1s (Ubuntu 22.04)—Azure's burstable hero. I configured the VM entirely using the Azure CLI, which was fantastic practice for scripting infrastructure.
- Discovery #1: The Cost Shock of the Default Disk: In my CLI excitement, I missed a crucial flag: I didn't explicitly define the disk SKU. Because the B1s size supports premium storage, Azure defaulted the OS disk to Premium SSD LRS. When I looked at the projected monthly bill, the disk alone was eating up the savings from the tiny B1s VM!
The Fix: I immediately migrated the disk to Standard HDD LRS (the SKU change has to be done with the VM deallocated). Since the B1s VM has such low IOPS limits anyway, the Premium SSD was pure waste. Lesson Learned: Always override Azure defaults and match the disk to the VM's true capabilities for cost optimization.
- Core Installation: With the VM provisioned and sized correctly, the actual Pi-hole install was straightforward, following their official docs. The service was now humming in the cloud.
- Defense in Depth (Linux Firewall): Security is paramount. I configured the local Linux firewall (`ufw`) to accept only DNS (port 53, UDP and TCP) and SSH (port 22) from my static WAN IP, with everything else inbound dropped. No one else needs to talk to this box, and a resolver left open on a public IP is quickly found and abused as a DNS amplification reflector, so the source restriction is the whole point, not a nicety.
- Defense in Depth (Azure NSG): This is where Azure shines. I created Network Security Group (NSG) rules that mirror the Linux firewall: the same two ports, the same single source IP. This is the cloud edge defense. Traffic is filtered in the Azure fabric before it even reaches the VM's operating system, so a mistake in `ufw` is not fatal on its own. Only traffic originating from my home IP makes it through the door.
- Proactive Intrusion Prevention (Fail2Ban): For extra credit, I installed and configured Fail2Ban on the VM. Even though SSH is restricted by the NSG, Fail2Ban provides an additional safety layer, banning repeated failed login attempts from any source that might slip through or be tried internally. Because the NSG means the only SSH source this box should ever see is my own IP, the ban thresholds need to be generous enough that a fat-fingered passphrase doesn't lock me out of my own server; its real value is as a backstop if that NSG rule is ever loosened.
- Admin Access Hardening: I disabled password authentication in sshd so the VM accepts public-key logins only, and I connect from PowerShell using Windows' built-in OpenSSH client and the private key (.pem) generated at deployment. This is best practice: keys, not passwords! The check that matters when making this change: keep the existing session open, validate the sshd configuration, reload, and confirm a second key-based login works before closing the first.
- The Cost/Security Trade-off (S2S VPN): I briefly considered a Site-to-Site VPN to truly integrate my home network with the Azure VNet. It would also have kept my DNS queries, which currently cross the internet in plaintext on port 53, off the public internet. While highly educational, the Azure VPN Gateway cost was simply too high for this project's budget. It was a good exercise in realizing when a feature is overkill.
- The Most Important Step: Budget Discipline: Having learned my lesson with the SSD, I immediately set up Cost Management notifications and a dedicated project budget. This is the difference between a successful homelab and an unexpected bill.
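To make the playbook above concrete, here is an added example script (mine, not the post's own code) that runs the same Azure CLI steps the post describes: it sets the disk SKU explicitly so the Premium SSD surprise cannot recur, creates the VM with no catch-all inbound rule, adds NSG rules scoped to one home IP, includes the offline SKU change for a disk already created as Premium, and prints the hardening script (ufw, key-only sshd, Fail2Ban) to run on the VM. The resource group, region, VM and NSG names, admin username, the TEST-NET-3 placeholder HOME_IP and the disk name are assumptions; the Fail2Ban thresholds are my choices, not the post's. It is written for bash (Azure Cloud Shell or WSL; the az commands are identical when typed into PowerShell) and runs in dry-run mode, printing the commands instead of executing them, unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script. Provisions the Pi-hole VM the way the
# post describes (Standard_B1s, Ubuntu 22.04, disk SKU set explicitly, NSG rules
# scoped to one home IP) and prints the on-VM hardening (ufw, sshd, Fail2Ban).
# Resource names, region, admin user and HOME_IP are assumptions. Dry run by
# default: az commands are printed, not executed. Set DRY_RUN=0 to run them.
set -eu

RG="${RG:-pihole-rg}"
LOCATION="${LOCATION:-westeurope}"
VM="${VM:-pihole-vm}"
NSG="${NSG:-${VM}-nsg}"
ADMIN="${ADMIN:-piadmin}"
HOME_IP="${HOME_IP:-203.0.113.10/32}"   # assumed placeholder (TEST-NET-3)
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Guard: refuse any source prefix that would expose SSH or the resolver to the
# whole internet. Only a single IPv4 host (optionally written as /32) passes.
check_source_prefix() {
  case "$1" in
    ''|'*'|Internet|0.0.0.0/0|::/0) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/32)?$'
}

# --storage-sku overrides the Premium_LRS default a premium-capable size gets.
# --nsg-rule NONE: no catch-all SSH rule; the scoped rules below replace it.
vm_create_cmd() {
  printf '%s' "az vm create -g $RG -n $VM -l $LOCATION --image Ubuntu2204" \
    " --size Standard_B1s --storage-sku Standard_LRS --os-disk-size-gb 30" \
    " --admin-username $ADMIN --authentication-type ssh --generate-ssh-keys" \
    " --public-ip-sku Standard --nsg $NSG --nsg-rule NONE"
}

# One inbound NSG rule: <name> <priority> <protocol> <port>, source = HOME_IP.
nsg_rule_cmd() {
  check_source_prefix "$HOME_IP" || { echo "refusing open source prefix '$HOME_IP'" >&2; return 1; }
  printf '%s' "az network nsg rule create -g $RG --nsg-name $NSG -n $1" \
    " --priority $2 --direction Inbound --access Allow --protocol $3" \
    " --source-address-prefixes $HOME_IP --destination-port-ranges $4"
}

# The post's fix for a disk already created as Premium SSD: change the SKU
# with the VM deallocated. $1 is the OS disk name (assumed; see az vm show).
disk_migrate_cmds() {
  printf '%s\n' "az vm deallocate -g $RG -n $VM" \
    "az disk update -g $RG -n $1 --sku Standard_LRS" \
    "az vm start -g $RG -n $VM"
}

provision() {
  run az group create -n "$RG" -l "$LOCATION"
  cmd=$(vm_create_cmd);                                run $cmd  # split on purpose
  cmd=$(nsg_rule_cmd AllowSshFromHome 100 Tcp 22);     run $cmd
  cmd=$(nsg_rule_cmd AllowDnsUdpFromHome 110 Udp 53);  run $cmd  # DNS is UDP...
  cmd=$(nsg_rule_cmd AllowDnsTcpFromHome 120 Tcp 53);  run $cmd  # ...and TCP
}

# Hardening to run on the VM as root over the key-based SSH session.
harden_script() {
  cat <<HARDEN
set -eu
# Host firewall mirrors the NSG; everything else inbound is dropped.
ufw default deny incoming
ufw default allow outgoing
ufw allow from $HOME_IP to any port 22 proto tcp
ufw allow from $HOME_IP to any port 53 proto tcp
ufw allow from $HOME_IP to any port 53 proto udp
ufw --force enable
# Keys only. Validate before reloading so a typo cannot lock you out.
cat > /etc/ssh/sshd_config.d/99-hardening.conf <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
sshd -t && systemctl reload ssh
# Fail2Ban on sshd: 5 failures within 10 minutes earns a 1 hour ban.
apt-get install -y fail2ban
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
[sshd]
enabled = true
EOF
systemctl enable --now fail2ban
HARDEN
}

provision
echo "# ---- run on the VM as root: ----"
harden_script
```

The `check_source_prefix` guard is the part worth keeping: it refuses `*`, `Internet` or `0.0.0.0/0` as a source, which is exactly the mistake that turns a cloud Pi-hole into an open resolver. Run the hardening from an SSH session you keep open and close it only after a second key-based login succeeds. The Pi-hole install itself is left to the official installer, as in the post.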
Final Thoughts: Cloud Commitment
This project has been invaluable. It’s easy to spin up a VM, but correctly sizing the disk, establishing layered security (Linux firewall + Azure NSG), and actively monitoring the cost is what separates a beginner from a confident cloud engineer. My commitment to the Azure platform has never been stronger, and the Pi-hole is now a rock-solid, cost-optimized DNS service that I know intimately.