dmauser / opnazure

This template allows you to deploy an OPNsense Firewall Azure VM using the opnsense-bootstrap installation method

Make the public IP optional?

wrobelda opened this issue · comments

Thank you very much for this contribution, this makes it much easier for me to migrate my appliances from pfSense.

However, exposing the VM over the Internet during deployment, accessible with default credentials, even if for a short while, seems like security through obscurity.

May I suggest that you add an option/configuration that does not create a Public IP?

I'd imagine most users know how to access the WAN interface via the Azure private IP, either from another VM, Azure Bastion, or over VPN. A Public IP seems rather unnecessary.

Thanks for the feedback.
I fully agree with you. The main reason I have to use a Public IP is because the deployment is done via the Bootstrap option, which requires Internet access in order to reach the OPNsense image repository. I am planning to create an option for a fully private deployment (remove public access right after bootstrap), but I am not fully dedicated to this project. Therefore there is no ETA, but I am open to collaboration, or you can fork this project and make your own changes.

My initial intention for this project was to quickly spin up some labs using an open-source Network Virtual Appliance (NVA), and OPNsense was the only one that offers a bootstrap option. I will add that to the roadmap list and hopefully can complete that soon.

The main reason I have to use a Public IP is because the deployment is done via Bootstrap option which requires Internet in order to reach OPNSense image repository

I may be missing something, but from my experience Azure VMs have Internet access by default even without a Public IP assigned to any interface?

Although I can appreciate its usefulness in order to SSH during the deployment to debug or tcping for monitoring the progress.

It does for single VM deployment but not for VMs behind an internal load balancer Standard SKU, another Active/Active HA scenario that I am working on similar to what I added here: https://github.com/dmauser/Lab/tree/master/RS-AA-OPNsense-ForceTunnel-ER
I will add soon an option to make public IP optional (it is not a big effort). I will update here when it is done.
For monitoring, you can also watch the deployment status via portal/CLI. We can come up with other ideas to have better monitoring. :-)
Thanks for the feedback.

Wow, that's quite amazing. I worked around in the interim by forking and adjusting the templates, but really, this is some great work!

I am closing this thread because we cannot commit time to this request during existing deployment.
Workarounds:

  1. Remove public IP after deployment (you can also add a deployment script to do that).
  2. Fork and make your own modifications (feel free to send a push request. We love collaboration).
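The option requested in this thread (a deployment that never creates a Public IP) can be expressed as a conditional resource in the template. The fragment below is an added example, not the opnazure project's own template: it assumes a Bicep (ARM) template and uses hypothetical names for the parameters (`deployPublicIp`, `vmName`, `wanSubnetId`) and resources (`pip`, `wanNic`). It shows only the public IP and the WAN NIC; the VM, NSG and bootstrap extension of the real template are left out.

```bicep
// Added example (not the opnazure project's template): make the WAN public IP optional.
// All parameter and resource names here are hypothetical.
@description('Create a public IP for the WAN NIC. Set to false for a private-only deployment.')
param deployPublicIp bool = true

param location string = resourceGroup().location
param vmName string = 'opnsense-vm'      // hypothetical
param wanSubnetId string                  // hypothetical: resource ID of the untrusted (WAN) subnet

// The public IP resource is only deployed when the option is enabled.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = if (deployPublicIp) {
  name: '${vmName}-wan-pip'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// The WAN NIC always exists; it is associated with the public IP only when one was created.
resource wanNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: '${vmName}-wan-nic'
  location: location
  properties: {
    enableIPForwarding: true   // required for a firewall/NVA that routes traffic
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: wanSubnetId
          }
          privateIPAllocationMethod: 'Dynamic'
          // null leaves the NIC with a private IP only
          publicIPAddress: deployPublicIp ? { id: pip.id } : null
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create -g <rg> -f main.bicep -p deployPublicIp=false wanSubnetId=<id>` for the private variant. Two caveats follow from the thread itself: a single VM without a public IP still gets Azure's default outbound access, so the bootstrap can reach the OPNsense repository, but a VM behind a Standard SKU internal load balancer does not, and needs a NAT Gateway or an outbound rule before bootstrap will succeed. If you instead take workaround 1 and remove the public IP after a deployment that created one, dissociate it from the NIC first (`az network nic ip-config update -g <rg> --nic-name <nic> -n ipconfig1 --remove publicIpAddress`) and then delete the public IP resource; until that is done the WAN interface is reachable from the Internet with the credentials the bootstrap set.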