Azure allows Virtual Machine extension objects to be attached to provisioned virtual machines.  As they are objects, they may be declared directly with Resource Manager templates.

Using Azure's Point-to-site vpn avoids having to expose ssh or winrm ports to the internet to get onto the systems.

Before a Point-to-site VPN can be established, a Virtual Network Gateway must be created.  This will be associated with the Virtual Network that will be accessible.

Access to the network will be controlled by certificates.

This PowerShell code snippet creates an Azure AD application registration with an associated SPN and self-signed certificate for Azure authentication.

I've used this for generating certificates that Virtual Machines can use for authenticating to Azure as an alternative to Managed Identities.

Architectural Overview

All virtual machine disks are accessible by WebAPI off their underlying Storage volume (either through Storage Account Access or through Snapshot usage with Managed Disks).  In the case of Storage Accounts, a single factor of access exists for retrieval of disk Images from the internet (knowledge of URI and Storage Account key).  Different controls may be implemented to reduce the threat of data loss.  Core to these controls is the requirement for all data to be encrypted at REST. 

Chocolatey is a variation of NuGet server that is freely available in different forms.  NuGet is targeted as a class or library distribution system that allows developers to search for (and install) modules into developed projects.  The variation of Chocolatey allows packages to also run install and uninstall scripts – which transforms the NuGet framework into a fully-fledged package management system. 

Windows Management Framework 5.1 incorporates Chocolatey providers that allow packages to be installed to a Windows system with single-line PowerShell commands.