Azure BCDR- Challenges Guide

In this hands-on lab, you will implement three different environments and use Azure BCDR technologies to achieve three distinct objectives for each environment. These objectives include a migration to Azure, Azure region-to-region failover, and a PaaS implementation using BCDR technologies to ensure high availability of an application.

At the end of this hands-on lab, you will be able to design and build complex and robust IaaS BCDR solutions.

 

Exercise 1: Configure BCDR services

Duration: 15 minutes

Synopsis: In this exercise, attendees will secure a Privileged Access Workstation (PAW) workstation using the Azure Security Center Just-in-Time Access feature.

 

Task 1: Create Azure recovery services vault

  1. Using LABVM, connect to the Azure portal using your web browser at https://portal.azure.com.

  2. Select +Create a resource, then enter Backup and Site Recovery, and select Create.

    Screenshot of the Backup and Site Recovery Screen with the Create button selected.

  3. Complete the Recovery Services Vault blade using the following inputs, then select Review + create and finally Create:

    • Resource Group: BCDRAzureSiteRecovery

    • Vault nameBCDRRSV

    • Location: Central US (your secondary region)

  4. Once the BCDRRSV Recovery Service Vault has been created, open it in the Azure portal. Select the “Site Recovery” tab.

    Screenshot of the Backup / Site Recovery tabs with Site Recovery tab selected.

  5. This is your dashboard for Azure Site Recovery (ASR), for the HOL.

    The Azure Site Recovery dashboard displays.

Task 2: Deploy Azure automation

  1. Open the Azure portal at: https://portal.azure.com.

  2. Select +Create a resource and then enter Automation in the search box.

  3. Select Automation and then Create.

    Image of Create button.

  4. Complete the Add Automation Account blade using the following inputs and then select Create:

    • Name: Enter a Globally unique name starting with BCDR.

    • Resource group: Use existing BCDRAzureAutomation

    • Location: Select a site in your area (but NOT your Primary site).

    • Create Azure Run As account: Yes

      Fields in the Add Automation Account blade are set to the previously defined values.

    Note: Azure Automation accounts are only allowed to be created in certain Azure regions, but they can act on any region in Azure (except Government, China or Germany). It is not a requirement to have your Azure Automation account in the same region as the BCDRAzureAutomation resource group but CANNOT be in your primary site.

  5. Once the Azure automation account has been created, open the account and select Modules gallery under Shared Resources.

    Under Shared Resources, Modules gallery is selected.

  6. When the Modules load, scroll down and locate and select AzureRM.profile.

    The AzureRM.Profile link is selected.

  7. Select Import.

    Import is selected in the AzureRM.profile blade.

  8. On the Import blade, select the OK button.

    In the Import blade, an OK button is displayed along with a message that Importing a module may take several minutes.

  9. It will take a few minutes to update the modules. Select Modules under Shared Resources, and you can wait until the import has completed.

    In the Automation Account blade, under Shared Resources, Modules is selected. A message is displayed that Azure modules are being updated is highlighted.

    A success message is displayed indicating the Azure modules have been updated.

  10. Next, you'll need to install AzureRM.Network version 5.4.2 from PowerShell Gallery (The lab requires a specific version). Open your browser and navigate to the following URL: https://www.powershellgallery.com/packages/AzureRM.Network/5.4.2.

  11. After the PowerShell gallery page loads, select Azure Automation under Installation Options.

    On the AzureRM.Network 5.4.2 page at PowershellGallery.com, the Azure Automation tab is selected in the Installation Options section.

  12. Select the Deploy to Azure Automation button.

    Deploy to Azure Automation is highlighted in the AzureRM.Network page.

  13. Enter your Azure credentials when prompted. Back in the Azure Portal Azure Automation blade, select the BCDR automation account created previously and select OK.

    Screenshot of the Import blade with the Azure Automation account highlighted.

  14. The portal will begin the import process and should only take about a minute.

    A dialog is displayed indicating a deployment is in progress.

  15. Next, navigate back to the Azure Automation Account blade and select Runbooks.

    In the Automation Account blade, under Process Automation, Runbooks is selected.

  16. Select Import a runbook.

    The Import a runbook menu item.

  17. Select the Folder icon on the Import blade and select the file ASRRunbookSQL.ps1 from the C:\HOL\Deployments directory on the LABVM. The Runbook type should default to PowerShell Workflow. Notice that the Name can't be changed. This is the name of the Workflow inside of the Runbook script. Select Create.

    Fields in the Import blade are set to the previously defined values. A call out points to the Name field that is not editable.

  18. Once the Runbook is imported, the PowerShell runbook will load. If you wish, you can review the comments to better understand the runbook. Once completed select Publish to make the code available for use in the portal.

    On the top menu of the Edit PowerShell Workflow Runbook blade, Publish is selected.

    Note: You might notice the Test Pane link. This script can't be tested from here as there are more configurations required, and it relies of being called by Azure Site Recovery to feed its variables.

  19. Select Yes, to configure that this Runbook will be published.

    In the Publish Runbook section, a message asks if you want to proceed with the Yes button selected.

    A success message is displayed indicating the publishing of the runbook was successful.

  20. Navigate back to the Azure Automation account.

    Screenshot of the Azure Automation account ASRSQLFailoverAG runbook heading.

  21. Select +Import a runbook.

    Screenshot of the Import a runbook menu item.

  22. Select the Folder icon on the Import blade and select the file ASRRunbookWEB.ps1 from the C:\HOL\Deployments directory on the LABVM. The Runbook type should default to PowerShell Workflow. Notice that the Name can't be changed. This is the name of the Workflow inside of the Runbook script. Select Create.

    Fields in the Import blade are set to the previously defined settings. A call out points to the read-only Name field.

  23. Once the Runbook is imported, the PowerShell runbook will load. If you wish, you can review the comments to better understand the runbook. Once completed, select Publish to make the code available for use in the portal.

    On the top menu of the Edit PowerShell Workflow Runbook blade, Publish is selected.

  24. Select Yes to configure that this Runbook will be published.

    In the Publish Runbook section, a message asks if you want to proceed, and the Yes button is selected.

    Screenshot of the successful Published runbook message.

  25. Navigate back to Runbooks, and make sure that both Runbooks show as Published.

    Two runbooks have authoring status as published: ASRSQLFailover, and ASRWEBFailover.

  26. From LABVM, select Start and select PowerShell ISE (make sure to right-click and Run as Administrator).

    Screenshot of the Windows PowerShell ISE icon.

  27. Open the file C:\HOL\Deployments\ASRRunBookVariable.ps1. Review the script and enter the automation account name you created earlier. Then select the green play button to execute the script. You will need to authenticate to Azure.

    In the Windows PowerShell ISE window, the green play button is selected, and a call out points to the $AutomationAccountName variable definition in the script window.

    Note: If you are using an account that has multiple subscriptions you may need to change the subscription associated with your current Azure session. You can comment out the Connect-AzAccount command in the script and complete the login and the use the Connect-AzAccount and Set-AzContext cmdlets to create the proper context for this HOL. For help, you can review this article: https://docs.microsoft.com/en-us/powershell/azure/manage-subscriptions-azureps?view=azps-2.7.0#change-the-active-subscription.

  28. Once the script has run, you will see the following output from PowerShell ISE. This script created a variable that will be used with the PowerShell Runbook in Azure Automation to help with the Failover and Failback of the Azure IaaS environment.

    Screenshot of PowerShell ISE output.

  29. Move back to the Azure portal and locate the Azure Automation account. Select the Variables link in the Shared Resources section.

    In the Automation Account blade, Variables is selected from the menu.

  30. Notice that the variable BCDRIaaSPlan has been created. This variable will be used along with ASR to orchestrate part of the failover.

    In the Automation Account blade, under Name, a call out highlights the BCDRIaaSPlan variable.

    Note: When you configure the ASR Recovery Plan for the IaaS deployment you will use the SQL Runbook as a Pre-Failover Action and the Web Runbook as a Post-Failover action. They will run both ways and have been written to take the “Direction”, of the failover into account when running.

 

 

 

Exercise 2 – Configure environment for failover

Duration: 90 minutes

In this exercise, you will configure the three environments to use BCDR technologies found in Azure. Each environment has unique configurations that must be completed to ensure their availability in the event of a disaster.

Note: Make sure prior to starting each task that the deployment that you started in Exercise 1 has completed for each as you come to that task. This can be determined by reviewing the deployments for each Resource group in the Azure portal. If it says Succeeded, then you can begin the task.


 

Task 1: Configure on-premises to Azure IaaS failover

In this task, the OnPremVM will be configured to replicate to Azure and be ready to failover to the BCDRIaaSSecondarySite. This will consist of configuring your Hyper-V host with the ASR provider and then enabling replication of the VM to the Recovery Service Vault.

  1. From the Azure portal, open the BCDRRSV Recovery Services Vault located in the BCDRAzureSiteRecovery resource group.

  2. Select Site Recovery in the Getting Started area of BCDRRSV blade.

    In the Recovery Services vault blade, under Getting Started, Site Recovery is selected.

  3. Next, select Prepare Infrastructure in the For On-Premises Machines section. This will start you down a path of various steps to configure your VM that is running on Hyper-V on-premises to be replicated to Azure.

    In the For On-Premises Machines section, Prepare Infrastructure is selected.

  4. On Step 1 Protection Goal select the following inputs and then select OK:

    • Where are your machines located?: On-premises

    • Where do you want to replicate your machines to?: To Azure

    • Are you performing a migration?: No

      Note: You may see a checkbox that says, I understand, but I would like to continue with Azure Site Recovery checked.

    • Are your machines virtualized?: Yes, with Hyper-V (Your VM is running as a nested VM in Azure).

    • Are you using System Center VMM to manage your Hyper-V hosts?: No

    Fields in the Protection goal blade are set to the previously defined values.

  5. On Step 2 Deployment planning, confirm you have completed deployment planning by selecting Yes, I have done it then select OK.

    Note: You can read more about planning an ASR to deployment here: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-hyper-v-deployment-planner.

    In the Deployment planning blade, Yes, I have done it is selected from a dropdown list.

  6. On Step 3 Prepare source select +Hyper-V Site.

    In the top menu of the Prepare source blade, +Hyper-V Site is selected.

  7. On the Create Hyper-V site blade, enter the name: OnPremHyperVSite. Select OK.

    OnPremHyperVSite is in the Name field on the Create Hyper-V site blade.

  8. The portal will deploy the site providing you notifications. Wait for the creation process to complete, and the ASR portal will update once this is done. Your new site is now shown under Step 1: Select Hyper-V site.

    The Successfully completed creating Hyper-V site message displays.

    Under Step 1: Select Hyper-V site, OnPremHyperVSite is selected in the dropdown list.

  9. Next select +Hyper-V Server.

    In the top menu of the Prepare source blade, Hyper-V Server is selected.

  10. A new blade will appear. You will need to download the vault registration key to register the host in the Hyper-V site of ASR. Select the Download button which will save the file to your Downloads folder on the LABVM.

    In the Add Server blade, the Download button is selected.

  11. Open a NEW tab in your web browser and connect again to the Azure Portal at https://portal.azure.com.

  12. Select Resource groups, then on the next blade select BCDROnPremPrimarySite.

    In the Resource groups blade, under Name, BCDROnPremPrimarySite is selected.

  13. Locate and select the HYPERVHOST VM object.

    The HyperVHost resource is displayed and selected..

  14. Select Connect and open the RDP file that is downloaded.

    In the HyperVHost blade, the Connect button is selected.

  15. Enter the credentials for the VM:

    • Usernamemcwadmin
    • Passworddemo@pass123
  16. You will be prompted with a warning about a certificate. Select Yes to connection (you can always select yes to these prompts during this HOL).

    In the Remote Desktop Connection dialog box, the Yes button is selected.

  17. Select Yes on the Networks prompt.

    Screenshot of the Networks prompt with the Yes button selected.

  18. On the HYPERVHOST select Configure this local server in the Server Manager Dashboard.

    In Server Manager, the link to Configure this local server is selected.

  19. On the right side of the pane, select On by IE Enhanced Security Configuration.

    IE Enhanced Security Configuration is set to On.

  20. Change to Off for Administrators and select OK.

  21. Open Internet Explorer on HYPERVHOST and browse to the following URL. This will download the Azure Site Recovery Provider for Hyper-V.

    http://aka.ms/downloaddra_cus
    
  22. Select Run.

    When asked if you want to run or save the file, the Run button is selected.

  23. Select On and then Next.

    In the Microsoft Update screen, under Microsoft Update, On (recommended) is selected.

  24. Select Install on the Provider Installation screen.

    On the Provider Installation screen, Install is selected.

  25. Once the Provider has been installed you will come to a screen that will request for you Register or Finish. Select Register.

    On the Provider Installation screen, the Register button is selected.

  26. Minimize your Remote Desktop window and locate the vault registration key which is in the Downloads directory of LABVM. Right-click the file and copy it. Move back to HYPERVHOST and paste the file to the desktop.

    In the file manager context menu, Paste is selected.

    The file that was pasted is displayed.

  27. On the Vault Setting screen select Browse.

    In the Vault Settings Screen, the Browse button is selected.

  28. Locate the Vault file on the desktop and select Open.

    In File Explorer, the vault file is selected.

  29. The Vault Settings will now be populated. Select Next.

    Fields in the Vault Settings screen are populated.

  30. On the Proxy settings screen retain the settings Connect directly to Azure Site Recovery without a proxy server and select Next.

    On the Proxy Settings screen, the radio button is selected for Connect directly to Azure Site Recovery without a proxy server.

  31. The provider will then connect and configure the Azure Site Recovery registration for the Hyper-V Server.

    On the Registration screen, a message indicates that azure site recovery is being configured for registration.

  32. After a few minutes, the wizard will be complete with the message The Server was registered in the Azure Site Recovery vault. Select Finish to close the Provider installation.

    The message on the Registration screen now says the server was registered in the Azure Site Recovery vault.

  33. Select StartWindows Administrative Tools.

    Screenshot of the Windows Administrative Tools icon.

  34. Locate then double-click the Hyper-V Manager.

    Screenshot of the Hyper-V Manager icon.

  35. When the Hyper-V Manager opens, select the Server name in the left pane and then you will see that the OnPremVM virtual machine is running on your HYPERVHOST. This is an Ubuntu 16.04.3 LTS server running Apache, PHP and MySQL. Double-click on the VM to open.

    In Hyper-V Manager, HyperVHOST is selected, and the OnPremVM virtual machine data displays.

  36. The console for the OnPremVM will load. Press Enter to get a login prompt.

    The OnPremVM virtual machine console displays.

  37. Login to the VM using the following credentials:

    • Usernamemcwadmin
    • Passworddemo@pass123
  38. Once logged in enter a few commands and notice that you can get to the internet and that the local IP address of the VM is currently 192.168.0.10.

    ping 8.8.8.8 -c 4
    
    ifconfig
    

    In the OnPremVM virtual machine console, the local IP address is highlighted.

  39. Open Internet Explorer on HYPERVHOST and browse to the following URL of the OnPremVM. This is very simple PHP application running on the OnPremVM connected to the MySQL Server that is running locally on the VM. This is to simulate an application is that running on one VM in the on-premises data center.

    http://192.168.0.10/bcdr.php
    

    Internet Explorer is shown with the address bar highlighted containing the above URL.

  40. From the command prompt of the OnPremVM, update the OS with the latest patches by using the following command. You will need to enter the password again.

    sudo apt-get update -y

    In the OnPremVM virtual machine console, the previous command is highlighted.

  41. After the updates complete, install the Azure Guest Agent for Linux on the VM using the following commands:

    sudo apt-get install walinuxagent -y

    In the OnPremVM virtual machine console, the previous command displays.

    Note: You may see some errors and warnings including some related to “cloud-init” and new updates being available. This is normal behavior since this VM thinks it should be in Azure. This may take 5-10 minutes.

  42. Once you're returned to the command prompt, type exit into the terminal and hit Enter to log out of OnPremVM.

  43. Sign out of HYPERVHOST and return to the Azure portal running on your LABVM.

  44. You will need to return to the Prepare Source screen and select +Hyper-V Server. Notice the warning that it could take up to 30 mins for this server to appear, but in practice you should cancel out of this window by selecting Step 2 and then answer yes again with I have done it to the question of Deployment planning.

    +Hyper-V Server is selected in the Prepare source blade.

  45. Once the Server appears, select OK.

    In the Prepare source blade, a call out points to HYPERVHOST under Step 2.

  46. On Step 4 Target Prepare review the screen to better understand the various steps. Select +Storage account to add a storage account that will be used for the OnPremVM when it is failed over to Azure.

    +Storage account is selected from the top menu in the Target blade.

  47. Select Create New and provide a unique name for your storage account containing the name of the VM OnPremVM with added characters to make it unique. Also, select the Premium tier for the storage account and select OK.

    In the Choose storage account blade, Create new is selected. In the Create storage account blade, fields are set to the previously defined settings.

    Note: Be sure to select Premium Performance or you may run into issues later in the lab.

  48. Select +Storage account again and create a second storage account using the Standard performance tier, then select OK.

  49. The portal will submit a deployment, and you must wait until this completes. It will be created in the BCDRAzureSiteRecovery resource group.

    Screenshot of the Deployment succeeded message.

  50. You will be failing the OnPremVM into the Secondary site that was deployed with your IaaS installation, so you already have a Virtual Network created. Select OK on the Target blade to continue.

    The Target blade is shown indicating three steps that need to be completed. Step 1: Select Azure subscription, Step 2: Ensure at least one compatible storage account exists, and Step 3: Ensure that at least one compatible Azure virtual network exists.

  51. On the Replication Policy screen, select the +Create and Associate item.

    Create and Associate is selected in the Replication Policy blade.

  52. Enter the name: OnPremVM-POL. Review the settings that you can configure and then select OK.

    In the Create and Associate blade, the Name field is set to OnPremVM-POL.

  53. Azure will run a deployment and start the process of creating and then associating the Hyper-V Site with the replication policy.

    In Step 1 of the replication policy, the Replication policy field is empty.

    In Step 1 of the replication policy, the Replication policy field is displays OnPremVM-POL.

    Note: This will take a couple of minutes to complete. Please wait until this completes prior to moving on.

    Once complete, select OK.

    The OK button is selected in the Replication policy blade following messages indicating the replication policy has been successfully created and associated with OnPremHyperVSite.

  54. Select OK again, and the process for adding the Hyper-V Server to the Recovery Services Vault will be complete.

    The OK button is selected in the Prepare infrastructure blade that indicates all five tasks have been completed.

  55. Next, select Step 1: Replicate Application.

    In the Recovery Services vault blade, Step 1: Replicate Application is selected.

  56. On the Source blade select: SourceOn-premisesAre you performing a migrationNo, and Source locationOnPremHyperVSite and select OK.

    Fields in the Source blade are set to the previously defined values.

  57. Complete the Target blade, select the following values and select OK:

    • Post-failover resource group: BCDRIaaSSecondarySite
    • Storage Account: Select the account you just created (onpremvm8675309).
    • Storage Account for replication logs: Create a new one using the prefix bcdrasrrepllogs.
    • Azure network: Configure now for selected machines.
    • Post-failover Azure network: BCDRFOVNET
    • Subnet: WEB (172.16.1.0/24)

    Fields in the Target blade are set to the previously defined settings.

  58. Next on the Select virtual machines select OnPremVM and then select OK.

    In the Select virtual machines blade, OnPremVM is selected.

  59. Complete the OnPremVM selections of the Configure properties blade using these inputs and then select OK:

    • OS Type: Linux
    • OS Disk: OnPremLinuxVM
    • Disks to Replicate: OnPremLinuxVM [127.00GB]

    Fields in the Configure properties blade are set to the previously defined settings.

  60. On the Configure replication settings blade review the selections and notice that the OnPremVM-POL that you created has been selected. Select OK.

    The Configure replication settings blade displays.

  61. On the final screen, select Enable replication.

    Enable replication is selected on the Enable replication blade.

  62. The deployment will be submitted. You can select Site Recovery Jobs to review the process.

    In the Recovery Services vault blade, Jobs and Site Recovery Jobs are selected. The Site Recovery jobs blade displays process status.

  63. After a few minutes, the Enable replication will move to Successful. Select Overview and Site Recovery on the BCDRRSV blade. You should now see that there is one (1) Healthy Replicated Item.

    In the Recovery Services vault blade, a call out points to the healthy replicated item.

  64. Select Healthy 1 and you will see the replicated items list. Notice it shows that the VM is healthy, but the replication has just started, so it shows 0% synchronized. It will take a few minutes for the VM to replicate.

    In the Replicated items blade, a call out points to the status of 0 percent synchronized.

    Note: If the OnPremVM does not immediately go to a healthy replication state, or ever gets in an unhealthy state, you may need to “Disable Replication” and recreate it using the steps above.

  65. Select OnPremVM. Review the Replication details for OnPremVM. Once the VM has replicated, the selections across the top menu bar of the dashboard will allow you to work with this VM.

    In the Replicated items blade, a call out points to the status of Protected.

    Note: It will take about 15 minutes for the VM to replicate, so you can move on and come back to review the environment later.

  66. Scroll down and review the Infrastructure view of the BCDR environment you have created for OnPremVM. You can select Hyper-V Virtual Machine to review what is protected.

    In the Infrastructure view, Hyper-V Virtual machine and Log storage accounts are in On-premises, and connect to Azure Site Recovery and Storage accounts in Azure.

    In the Hyper-V sites blade, OnPremHyperVSite has one Hyper-V host, and one protected VM.

  67. Next, select Compute and Network.

    In the Replicated items blade, Compute and Network menu item is selected beneath the GENERAL section.

  68. Details of the VM will be shown, and you can make configuration changes. Change the Size of the VM to DS2_v2, and then select Save.

    The Compute properties dialog box displays with size set to the previously mentioned value.

    Note: It could take a few minutes for these screens to populate, so be patient. You can come back to this step later to adjust the size if you wish.

Task 2: Configure IaaS SQL Always On availability groups for region to region failover

In this task, you will build a Windows Failover Cluster and configure SQL Always On Availability Groups. This will be in place to ensure that if there is an issue in the Primary site in Azure you can failover to the Secondary site and have access to the data for the application. You will also configure Front Door to ensure that the Web Application will always answer to the same DNS name even when it is failed over to the Secondary site.

  1. From the LABVM navigate to the Azure Portal, and navigate to Resource Groups and then BCDRAzureSiteRecovery.

    In the Resource groups blade, under Name, BCDRAzureSiteRecovery is selected.

  2. Select +Add.

    In the Resource Group blade, the +Add button is selected.

  3. In the Search box, enter Storage Account, and then select Storage account — blob, file, table, queue.

    In the search box Storage Account is entered, from the search results, Storage account - blob, file, table, queue is selected.

  4. Select Create.

    Screenshot of the Create button.

  5. Complete the Create storage account form using the following details, then select Review + create:

    • Resource group: Use existing BCDRAzureSiteRecovery.
    • Storage account name: Unique name starting with bcdrcloudwitness
    • Location: Any location in your area that is NOT your Primary or Secondary site.
    • Performance: Standard
    • Account kind: Storage (general purpose v2)
    • Replication: Locally-redundant storage (LRS)

    Fields in the Create storage account blade are set to the previously defined settings.

  6. Once the storage account is created, locate and select Access keys under Settings.

    Under Settings, Access keys is selected.

  7. Copy the name of the account and the first access key to notepad and save the file as C:\HOL\Deployments\CloudWitness.txt on your LABVM.

    In the Storage account Access keys section, the Storage account name copy button is selected, and under key1, the copy button for key1 is called out.

    Notepad displays with the copied Storage account name and key1 information.

  8. From the LABVM, connect to the Azure portal and locate the BCDRIaaSPrimarySite Resource group.

    In the Resource groups blade, under Name, the BCDRIaaSPrimarySite resource group is selected.

  9. Select BCDRDC1 and then select Connect.

    In the top menu of the Virtual Machine blade, Connect is selected.

  10. Once in the RDP session to BCDRDC1, select Start and then Remote Desktop. You will need to connect to SQLVM1 for the next steps.

    Screenshot of the Remote Desktop icon.

  11. Connect to SQLVM1 using the following credentials:

    • UsernameCONTOSO\mcwadmin
    • Passworddemo@pass123

    In the Remote Desktop Connection window, fields are set to the previously defined settings.

  12. Minimize your Remote Desktop window and locate three files: ClusterCreateSQLVM1.ps1ClusterUpdateSQLVM1.ps1 and CloudWitness.txt in the C:\HOL\Deployments directory of your LABVM. Right-click the files and copy them, then move back to your SQLVM1 and paste the files to the desktop.

    Screenshot of the three file icons pasted to the desktop of the VM.

  13. On SQLVM1, select Start and then select PowerShell ISE (make sure to right-click and Run as Administrator).

    Screenshot of the Windows PowerShell ISE icon.

  14. Open the ClusterCreateSQLVM1.ps1 in the PowerShell ISE window. Then select the green play button. This script will create the Windows Failover Cluster and add all the SQL VMs as nodes in the cluster. It will also assign a static IP address of 10.0.2.99 to the new Cluster named AOGCLUSTER.

    On the Windows PowerShell ISE top menu, the green play button is selected.

    In the PowerShell ISE window, a call out points to AOGCLUSTER.

    Note: If you get a The term 'New-Cluster' is not recognized error, then run the following command to install the Failover Clusters feature and try again:

    Add-WindowsFeature RSAT-Clustering-PowerShell

    Note: It is possible to use a wizard for this task, but the resulting cluster will require additional configuration to set the static IP address in Azure.

  15. After the cluster has been created, select Start and then Windows Administrative Tools. Locate and open the Failover Cluster Manager.

    Screenshot of the Failover Cluster Manager shortcut icon.

  16. When the cluster opens, select Nodes and the SQL Server VMs will show as nodes of the cluster and show their status as Up.

    In Failover Cluster Manager, Nodes is selected in the tree view, and three nodes display in the details pane.

  17. If you select Roles, you will notice that currently, there aren't any roles assigned to the cluster.

    In Failover Cluster Manager, Roles is selected in the tree view, and zero roles display in the details pane.

  18. Select Networks, and you will see two networks: Cluster Network 1 and Cluster Network 2. Both should show the status of Up. If you navigate through to the networks, you will see their IP address spaces, and on the lower tab you can select Network Connections and review the nodes.

    In Failover Cluster Manager, Networks is selected in the tree view, and two networks display in the details pane.

    Details of Cluster Network 1 display the owner node, status, and name details.

  19. Right-click AOGCLUSTER, then select More ActionsConfigure Cluster Quorum Settings.

    In Failover Cluster Manager, a call out says to right-click the cluster name in the tree view, then click More Actions, and then click Configure Cluster Quorum Settings.

  20. On the Configure Cluster Quorum Wizard select Next, then choose Select the quorum witness. Then, select Next again.

    On the Select Quorum Configuration Option screen of the Configure Cluster Quorum Wizard, the radio button for Select the quorum witness is selected.

  21. Select Configure a cloud witness and Next.

    On the Select Quorum Witness screen, the radio button for Configure a cloud witness is selected.

  22. Open the CloudWitness.txt file on the desktop of SQLVM1 and copy the Storage account name and KEY1 values and paste them into their respective fields on the form. Leave the Azure Service endpoint as configured. Then, select Next.

    Fields on the Configure cloud witness screen are set to the previously defined settings.

  23. Select Next on the Confirmation screen.

    On the Confirmation screen, the Next button is selected.

  24. Select Finish.

    Finish is selected on the Summary screen.

  25. Select the name of the Cluster again and the Cloud Witness should now appear in the Cluster Resources. It's important to always use a third data center, in your case here a third Azure Region to be your Cloud Witness.

    Under Cluster Core Resources, the Cloud Witness status is Online.

  26. Select Start and Launch SQL Server 2017 Configuration Manager.

    Screenshot of the SQL Server 2017 Configuration Manager option on the Start menu.

  27. Select SQL Server Services, then right-click SQL Server (MSSQLSERVER) and select Properties.

    In SQL Server 2017 Configuration Manager, in the left pane, SQL Server Services is selected. In the right pane, SQL Server (MSSQLSERVER) is selected, and from its right-click menu, Properties is selected.

  28. Select the AlwaysOn High Availability tab and check the box for Enable AlwaysOn Availability Groups. Select Apply and then select OK on the message that notifies you that changes won't take effect until after the server is restarted.

    In the SQL Server Properties dialog box, on the Always On High Availability tab, the Enable AlwaysOn Availability Groups checkbox is checked and the Apply button is selected.

    A pop-up warns that any changes made will not take effect until the service stops and restarts. The OK button is selected.

  29. On the Log On tab, change the service account to contoso\mcwadmin with the password demo@pass123. Select OK to accept the changes, and then select Yes to confirm the restart of the server.

    In the SQL Server Properties dialog box, on the Log On tab, fields are set to the previously defined settings. The OK button is selected.

    A pop-up asks you to confirm that you want to make the changes and restart the service. The Yes button is selected.

  30. Open a new Remote desktop session (this can be done from within SQLVM1), and repeat these steps to Enable SQL Always On. Change the username to contoso\mcwadmin on each of the other nodes SQLVM2, and SQLVM3. Make sure that you have restarted the SQL Service on each node prior to moving to the next node.

    Note: If you get confused what server you are on open a command prompt and simply enter the command hostname.

  31. After you have completed the process on each SQLVM Node, reconnect to SQLVM1 using Remote Desktop.

    Note: Remember that you must use the BCDRDC1 VM as your jumpbox to get into the environment. You can use the Azure portal to connect to BCDRDC1 and then use Remote desktop from there to SQLVM1.

  32. Use the Start menu to launch Microsoft SQL Server Management Studio 17 and connect to the local instance of SQL Server. (Located in the Microsoft SQL Server Tools folder).

    Screenshot of Microsoft SQL Server Management Studio 17 on the Start menu.

  33. Select Connect to sign on to SQLVM1.

    Screenshot of the Connect to Server dialog box.

  34. Right-click Always On High Availability, then select New Availability Group Wizard.

    In Object Explorer, Always On High Availability is selected, and from its right-click menu, New Availability Group Wizard is selected.

  35. Select Next on the Wizard.

    On the New Availability Group Wizard begin page, Next is selected.

  36. Provide the name BCDRAOG for the Availability group name, then select Next.

    The Specify availability group options form displays the previous availability group name.

  37. Select the ContosoInsurance Database, then select Next.

    The ContosoInsurance database is selected from the user databases list.

  38. On the Specify Replicas screen next to SQLVM1, select Automatic Failover.

    On the Replicas tab, for SQLVM1, the checkbox for Automatic Failover (Up to 3) is selected.

  39. Select Add Replica.

    Screenshot of the Add replica button.

  40. On the Connect to Server dialog box enter the Server Name of SQLVM2 and select Connect.

    Screenshot of the Connect to Server dialog box for SQLVM2.

  41. For SQLVM2, select Automatic Failover and Availability Mode of Synchronous commit.

    On the Replicas tab, for SQLVM2, the checkbox for Automatic Failover (Up to 3) is selected, and availability mode is set to synchronous commit.

  42. Select Add Replica.

    Screenshot of the Add replica button.

  43. On the Connect to Server dialog box enter Server Name of SQLVM3 and select Connect.

    Screenshot of the Connect to Server dialog box for SQLVM3.

  44. At this point, the wizard should resemble the following:

    On the Replicas tab, for SQLVM3, the checkbox for Automatic Failover (Up to 3) is cleared, and availability mode is set to Asynchronous commit. SQLVM1 and SQLVM2 have Automatic Failover (Up to 3) checked with Availability mode set to Synchronous commit.

  45. Select Endpoints and review these that the wizard has created.

    On the Endpoints tab, the three servers are listed.

  46. Next, select Listener. Then, select the Create an availability group listener.

    On the Listener tab, the radio button for Create an availability group listener is selected.

  47. Add the following details:

    • Listener DNS Name: BCDRAOG
    • Port: 1433
    • Network Mode: Static IP

    Fields for the Listener details are set to the previously defined settings.

  48. Next, select Add.

    The Add button is selected beneath an empty subnet table.

  49. Select the Subnet of 10.0.2.0/24 and then add IPv4 10.0.2.100 and select OK. This is the IP address of the Internal Load Balancer that is in front of the SQLVM1 and SQLVM2 in the BCDRVNET Data Subnet running in the Primary Site.

    The Add IP Address dialog box fields are set to the previously defined settings.

  50. Select Add.

    The Add button is selected beneath the subnet table.

  51. Select the Subnet of 172.16.2.0/24 and then add IPv4 172.16.2.100 and select OK. This is the IP address of the Internal Load Balancer that is in front of the SQLVM3 in the BCDRFOVNET Data Subnet running in the Secondary Site.

    Fields in the Add IP Address dialog box are set to the previously defined settings.

  52. Select Next.

    On the Listener tab, the Next button is selected.

  53. On the Select Initial Data Synchronization screen, make sure that Automatic seeding is selected and select Next.

    On the Select Initial Data Synchronization screen, the radio button for Automatic seeding is selected. The Next button is selected at the bottom of the form.

  54. On the Validation screen, you should see all green. Select Next.

    The Validation screen displays a list of everything it is checking, and the results for each, which all display success. The Next button is selected.

  55. On the Summary page select Finish.

    On the Summary page, the Finish button is selected.

  56. The wizard will configure the AOG.

    On the New Availability Group Progress page, a progress bar shows the progress for configuring the endpoints.

  57. Once the AOG is built, select Close.

    On the New Availability Group Results page, a message says the wizard has completed successfully, and results for all steps is success. The Close button is selected.

  58. Move back to SQL Management Studio on SQLVM1 and expand the Always On High Availability item in the tree view. Under Availability Groups, expand the BCDRAOG (Primary) item.

    In SQL Management Studio, Always On High Availability is expanded in the tree view.

  59. Right-click BCDRAOG (Primary) and then select Show Dashboard. You should see that all the nodes have been added and are now “Green”.

    The right-click menu for BCDRAOG displays, and Show Dashboard is selected.

    Screenshot of the BCDRAOG Dashboard indicating the status of all SQL Server VMs as healthy.

  60. Next, select Connect and then Database Engine in SQL Management Studio.

    Connect / Database Engine is selected in Object Explorer.

  61. Enter BCDRAOG as the Server Name. This will be connected to the listener of the group that you created.

    In the Connect to Server Dialog box, Server name is BCDRAOG, and the connect button is selected.

  62. Once connected to the BCDRAOG, you can select Databases and will be able to see the database there. Notice that you have no knowledge directly of which server this is running on.

    A call out points to ContosoInsurance (Synchronized) in SQL Management Studio.

  63. Move back to PowerShell ISE on SQLVM1 and open the PowerShell script named ClusterUpdateSQLVM1.ps1. Select the Play button. This will update the Failover cluster with the IP Addresses of the Listener that you created for the AOG.

    In the Windows PowerShell ISE window, the play button is selected.

    A PowerShell ISE command window displays the IP addresses for the Listener for AOG.

  64. Move back to SQL Management Studio and select Connect and then Database Engine.

    In Object Explorer, Connect / Database Engine is selected.

  65. This time, put the following into the IP address of the Internal Load balancer of the Primary Site AOG Load Balancer: 10.0.2.100. You again will be able to connect to the server which is up and running as the master.

    Fields in the Connect to Server dialog box are set to the previously defined settings.

  66. Once connected to 10.0.2.100, you can select Databases and will be able to see the database there. Notice that you have no knowledge directly of which server this is running on.

    A call out points to the Databases folder in Object Explorer.

    Note: It could take a minute to connect the first time as this is going through the Azure Internal Load Balancer.

  67. Move back to Failover Cluster Manager on SQLVM1, and you can review the IP Addresses that were added by selecting Roles and BCDRAOG and viewing the Resources. Notice how the 10.0.2.100 is Online since the current primary replica is on the Primary Site.

    In the Failover Cluster Manager tree view, Roles is selected. Under Roles, BCDRAOG is selected, and details of the role display. A call out points to the IP Addresses, one of which is online, and the other is offline.

  68. Now that the AOG is up and running online the Contoso Insurance Web Application should be available. Minimize the RDP window and from the LABVM open the Azure portal and navigate to the resource group BCDRIaaSPrimarySite. Select WWWEXTLB-PIP which is the Public IP address for the external load balancer WWWEXTLB in front of WEBVM1 and WEBVM2 in your Primary region.

    In the Public IP address blade for WWWEXTLB-PIP, a call out points to the DNS name.

  69. Locate the DNS name address and copy it to your clipboard.

    In the Public IP address blade, a call out points to the DNS name address.

  70. Open a new tab in the browser and navigate to the DNS name. The Contoso Insurance PolicyConnect application should load in your browser. Select the Current Policy Offerings button to check for database connectivity.

    The Contoso Insurance PolicyConnect webpage displays, and the Current Policy Offerings button is selected.

  71. If you can see the offerings, then the application is able to access the database. You can also go back to the home page and interact with the application including adding, editing or deleting data.

    The Contoso Insurance Index webpage displays a list of offerings.

    Note: If you see the following screen shot then something is not configured correctly with your environment. The connection string of the application is configured to use the name of bcdraog.contoso.com which is the name for the SQL AOG listener. This configuration is part of the connection string located in the web.config file which is on WEBVM1 and WEBVM2 in the C:\Inetpub\wwwroot directory. If you for some reason you named something incorrectly you can make a change to this file and then iisreset /restart from the command line on the WEBVMs.

    An Error message displays stating that an error occurred while processing your request.

  72. Once you have verified that the application is up and running, you will need to build a Front Door to direct traffic to the edge of your Primary and Secondary Site. Select +Create a resource, then search for and select Front Door within the Azure Portal.

    In the Azure Portal, under Azure Marketplace, search for and select Front Door.

  73. Complete the Basics tab of the Create a Front Door blade using the following inputs, then select Next: Configuration >:

    • Resource group: Use existing BCDRIaasPrimarySite
    • Location: Automatically assigned based on the region of BCDRIaaSPrimarySite.

    Fields in the Create a Front Door blade are set to the previously defined settings.

  74. Select the plus icon on the Frontend hosts box to set the host name of Front Door.

    The Configuration tab is shown with the Add Frontend hosts Plus button highlighted.

  75. In the Add a frontend host pane, enter the following values, then select Add:

    • Host name: Enter a unique name with the prefix of bcdriaas.
    • Session affinity: Disabled

    Fields in the Add a frontend host pane are set to the previously defined settings.

  76. Select the plus button on the Backend pools box to begin adding endpoints to the backend pool.

    The Configuration tab is shown with the Add backend pools plus button highlighted.

  77. On the Add a backend pool pane, enter the following value, then select the Add a backend link.

    • NameBCDRIaaSPrimarySiteLB
    • Health Probes – Protocol: HTTP

    The Add a backend pool pane has the Name set and Add a backend link highlighted.

  78. On the Add a backend pane, enter the following values, then select Add:

    • Backend host type: Custom host
    • Backend host name: Paste in the DNS name for the Public IP Address (named WWWEXTLB-PIP) associated with the Load Balancer for the Web VMs within the BCDRIaaSPrimarySite resource group.

    The Add a backend pane has the previously specified values set.

  79. Select Add a backend again and add another backend host to the pool. Create it similar to before, but with the following settings:

    • Backend host type: Custom host
    • Backend host name: Paste in the DNS name for the Public IP Address (named WWWEXTLB-PIP) associated with the Load Balancer for the Web VMs within the BCDRIaaSSecondarySite resource group.
    • Priority: 2

    The Add a backend pane has the previously specified values set.

  80. Select Add to create the backend pool.

  81. Select the plus button on the Routing rules box.

    The Configuration tab is shown with the Add Routing rules plus button highlighted.

  82. On the Add a rule pane, enter the following values, then select Add.

    • NameBCDRIaaS
    • Accepted protocol: HTTP only
    • Backend pool: BCDRIaaSPrimarySiteLB
    • Forwarding protocol: HTTP Only

    Add a rule pane with the previously specified values entered in the fields.

  83. Select Review + Create.

    Review + create button is highlighted

  84. Once validation has completed, select Create to provision the Front Door service.

  85. Select the Frontend host URL of Azure Front Door, the Policy Connect web application will load. This is connecting to the WWWEXTLB External Load Balancer that is in front of WEBVM1 and WEBVM2 running in the Primary Site in BCDRIaaSPrimarySite resource group and connecting to the SQL Always On Listener at the same location.

    The Frontend host link is selected from the Azure Front Door.

    The Contoso Insurance PolicyConnect webpage displays.

    Note: Be sure to use HTTP to access the Azure Front Door frontend host URL. The lab configurations only supports HTTP for Front Door since WebVM1 and WebVM2 for the BCDRIaaS environment are only setup for HTTP support; not HTTPS (no SSL\TLS).

    Note: If you get a “Our services aren't available right now” error (or a 404 type error) accessing the web application, then continue on with the lab and come back to this later. Sometime this can take a ~10 minutes for the routing rules to publish before it's “live”.

    Error shown displaying Our services aren't available right now

Task 3: Configure IaaS for region to region failover

In this task the WEBVM1 and WEBVM2 will be configured to replicate from the Primary Site to the Secondary site to support an Azure region to region failover. This will consist of configuring the VMs to replicate and integrating with the Azure Automation to failover the SQL Always On group from the Primary Site to the Secondary. Once the failover is complete the website will again answer to the Front Door hostname.

  1. From the Azure portal on LABVM, open the BCDRRSV Recovery Services Vault located in the BCDRAzureSiteRecovery resource group.

  2. Select Site Recovery in the Getting Started area of BCDRRSV blade.

    In the Recovery Services vault blade, under Getting Started, Site Recovery is selected.

  3. Next, select Step 1: Replicate Application in the For On-Premises Machines and Azure VMs section. This will start you down a path of various steps to configure your WEBVMs that are running on Azure at your Primary Site.

    Under For On-Premises Machines and Azure VMs ,Step 1: Replicate Application is selected.

  4. On Step 1 Source select the following inputs and then select OK:

    • Source: Azure
    • Source Location: East US 2 (Your Primary Region)
    • Azure virtual machine deployment model: Resource Manager
    • Source resource group: BCDRIaaSPrimarySite

    In the Source blade, fields are set to the previously defined settings.

  5. On Step 2 Virtual Machines, select WEBVM1 and WEBVM2 and then select OK.

    In the Select virtual machines blade, the check boxes for WebVM1 and WEBVM2 are selected.

  6. On the Configure settings blade, select the Target location as Central US (your Secondary Site Azure Region).

    In the Configure settings blade, the Target location is set to Central US.

  7. Select Customize.

    In the Configure settings blade, the Customize button is selected.

  8. Update the rest of the blade using the following inputs and the select OK:

    • Target resource group: BCDRIaaSSecondarySite
    • Target virtual network: BCDRFOVNET
    • Replica Managed Disk: Accept the new account.
    • Cache Storage: Accept the new account.
    • Target Availability Type:
      • WEBVM1zone 1
      • WEBVM2zone 2

    In the Configure settings blade, under General Settings and VM Settings fields are set to the previously defined settings.

    Note: Double check these selections, they are critical to your on-premise to Azure failover!

    In the Configure settings blade, the following Network, Storage, and Availability sets are called out: Target resource group, Target virtual network, and Target availability zones.

  9. Next, select Create target resources.

    Screenshot of the Create target resources button.

  10. Then select Enable replication.

    Screenshot of the Enable replication button.

  11. The Azure portal will start the deployment. This will take approximately 10 minutes to complete. You will receive a notification once it has deployed.

    A message is displayed indicating Enabling replication for two vm(s) has successfully completed.

  12. Return to the Recovery Services Vault BCDRRSV and you will now see that three (3) items are being replicated.

    The Recovery Services Vault blade displays with information about three successfully replicated items.

    The Infrastructure view (machines replicating to Azure) displays a diagram for Azure virtual machines(s), which includes a Primary Region and a Recovery Region. The primary region has Create storage account(s) (1), and Virtual machines 2, which connect to each other, and to Azure Site Recovery, which connects to Storage Account(s) (1). Azure Site Recovery and Storage Accounts are located in the Recovery Region.

  13. Select the Replicated Items link under Protected Items.

    Under Protected Items, Replicated items is selected.

  14. You should see three items: OnPremVMWEBVM1 and WEBVM2. The OnPremVM will show as protected and the others may still need to synchronize a bit more.

    Under Replicated Items, the status for WEBVM1, WEBVM2 shows 93 percent synchronized, while the status for OnPremVM is Protected.

  15. Once WEBVM1 and WEBVM2 have reached Protected status, you can move on to the next step.

    Under Replicated Items, the status for WEBVM1, WEBVM2 is now Protected.

    Note: It can take up to 30 minutes for this action to complete.

  16. Under the Manage area select Recovery Plans (Site Recovery).

    Under Manage, Recovery Plans (Site Recovery) is selected.

  17. Select +Recovery plan.

    On the Recovery Services vault blade top menu, Add a recovery plan is selected.

  18. On the Create recovery plan blade, provide the Name: BCDRIaaSPlan and Source: select your Primary site.

    Fields in the Create recovery plan blade are set to the previously defined settings.

  19. Complete the rest of the blade using the following inputs and then select OK:

    • Target: Secondary region
    • Allow items with deployment model: Resource Manager
    • Select Items: Select WEBVM1 and WEBVM2

    Fields in the Create recovery plan blade are set to the previously defined settings.

  20. After a moment, the BCDRIaaSPlan Recovery plan will appear, select it to review.

    In the Recovery Services vault blade , BCDRIaaSPlan is selected.

  21. When the BCDRIaaSPlan loads notice that it shows 2 VMs in the Source which is your Primary Site. Then select Customize.

    On the BCDSRV blade top menu, Customize is selected. Under Items in recovery plan, a call out points to Source, which shows two.

  22. Once the BCDRIaaSPlan blade loads, select the ellipse next to All groups failover.

    The All groups failover ellipses is selected in the Recovery plan blade.

  23. Select Add pre-action.

    In the Recovery plan blade, the right-click menu for All groups failover displays and Add pre-action is selected.

  24. On the Insert action blade, select Script and then provide the name: ASRSQLFailover. Ensure that your Azure Automation account is selected and then chose the Runbook name: ASRSQLFailover. Select OK.

    Fields in the Insert action blade are set to the previously defined settings.

  25. Once the BCDRIaaSPlan blade loads, select the ellipse next to Group 1: Start.

    In the Recovery plan blade, the ellipses next to Group 1: Start is called out.

  26. Select Add post action.

    In the Recovery plan blade, the Group 1: Start right-click menu displays, and Add post action is selected.

  27. On the Insert action blade, select Script and then provide the name: ASRWEBFailover. Ensure that your Azure Automation account is selected and then chose the Runbook name: ASRWEBFailover. Select OK.

    In the Insert Action blade, fields are set to the previously defined settings.

  28. Make sure that your Pre-steps are running under All groups failover and the Post-steps are running under the Group1: Start. Select Save.

    In the Recovery plan blade, both instances of Script: ASRFSQLFailover are called out under both All groups failover: Pre-steps, and Group 1: Post-steps.

  29. After a minute, the portal will provide a successful update notification. This means that your machines are fully configured and ready to Failover and Back between the Primary and Secondary regions.

    The Updating recovery plan message shows that the update was successfully completed.

Task 4: Configure PaaS for region to region failover

In this task you will deploy the website to App Services using Visual Studio, migrate a database to Azure SQL Database and configure it for high-availability using an Azure SQL Database Failover Group. The Front Door will be used to direct traffic. If there is a failover of the database it will happen transparently, and the users will never know there was an outage. There is no reconfiguration required for this to function properly.

  1. From the LABVM, open the Azure portal at: https://portal.azure.com.

  2. Navigate to the BCDRPaaSPrimarySite resource group. Select the SQL Server resource.

    In the Resource group blade, under Name, the SQL Server Resource is selected.

  3. This server will host your SQL Database for the Contoso Insurance Web App. Select Properties under the Settings area.

    Under Settings, Properties is selected.

  4. Copy the name of the SQL Server to notepad. Also, notice that the Server Admin Login is the same. Save this file as C:\HOL\Deployments\SQLSERVER.txt.

    In the SQL server blade, the Server Name is called out. Under Server Admin Login, mcadmin is called out as well.

    The FQDN name displays in Notepad.

  5. Use the Start menu in the LabVM to launch Microsoft SQL Server Management Studio 18 and connect to the local instance of SQL Server (Located in the Microsoft SQL Server Tools 18 folder).

    In the Start menu, Microsoft SQL Server Management Studio 18 is selected.

  6. Select Connect to Sign On to the Local SQLEXPRESS on LABVM.

    In the Connect to Server dialog box fields are set to the previously defined settings.

  7. Right-click Databases, then select Restore Database.

    In the Object Explorer tree view, Databases is selected, and in its right-click menu, Restore Database is selected.

  8. Select Device and then the Ellipse.

    Under Source, the Device radio button is selected.

  9. Select Add.

    Under Select backup devices, the Add button is selected.

  10. Navigate the folder menu and locate the C:\HOL\Database folder and then select on ContosoInsurance.bak and then OK.

    In SQL Server, in the tree view, Databases is selected. In the right pane, ContosoInsurance.bak is selected.

  11. Select OK.

    In the Select backup devices dialog box, a call out points to the Backup media location.

  12. Select OK to restore the ContosoInsurance database.

    Screenshot of the Restore Database - ContosoInsurance dialog box.

  13. Select OK at the restored successfully prompt.

    The Microsoft SQL Server Management Studio pop-up shows that the ContosoInsurance database was successfully restored.

  14. Expand Databases and then right-click on the ContosoInsurance database, select Tasks, then Deploy Database to Microsoft Azure SQL Database.

    In the Object Explorer tree view, ContosoInsurance is selected, and in its right-click menu, Deploy Database to Microsoft Azure SQL Database is selected.

  15. Select Next on the Introduction screen.

    Screenshot of the Deploy Database to Microsoft Azure SQL Database introduction.

  16. Select Connect.

    Screenshot of the Specify Target Connection screen.

  17. In the Connect to SQL Server screen, copy the name of your Azure SQL Server from the SQLSERVER.TXT. Change the Authentication to SQL Server Authentication and enter the credentials for the server then select Connect.

    • Loginmcwadmin
    • Passworddemo@pass123

    Fields in the Connect to Server dialog box display with the previously defined settings.

  18. Update the remainder of the Deployment Settings screen using these inputs and then select Next:

    • Edition of Azure SQL database: Standard
    • Maximum database size (GB): 1
    • Service Objective: S1

    Under Specify Target Connection, fields display the previously defined settings.

  19. Select Finish and allow the Database to be migrated to Azure.

    Screenshot of the Verify Specified Settings screen.

    An Importing database progress bar displays with individual steps below showing their progress.

  20. Select Close once the database has been migrated to Azure SQL Database.

    On the Operation Complete screen, under Summary, all steps in the database import process have results of Success. The Close button is selected.

    Note: If you get an error stating something similar to “unresolved reference to the object #aspnet_Permissions” then select Close and retry the database import process again.

  21. Move back to the Azure portal on LABVM. Open the BCDRPaaSPrimarySite resource group and notice that there is a new SQL Database called ContosoInsurance.

    In the Resource group blade, a call out points to the ContosoInsurance SQL database.

  22. Select ContosoInsurance to open the resource.

  23. Under Settings, select Configure.

    Under Settings, the Configure option highlighted.

  24. On the Configure pane, select the Premium pricing tier category, then select Yes for the Would you like to make this database zone redundant? option.

    The Premium pricing tier is highlighted and the option to make this database zone redundant is selected.

    This will configure the Azure SQL Database to span across Availability Zones within the Azure Region it is hosted, and offer higher availability.

  25. Select Apply to save the pricing tier changes.

  26. On the ContosoInsurance database resource, select the Overview pane, then select Show database connection strings.

    Under Connection strings, the link for Show database connection strings is selected.

  27. Select the Copy to clipboard link to capture the connection string and then paste it to your SQLSERVER.TXT file.

    On the ADO.NET tab, the database connection string is selected.

    The Database connection string for the newly migrated ContosoInsurance SQL Database displays in Notepad.

  28. In the Azure portal, move back to the BCDRPaaSPrimarySite resource group and then select the SQL Server resource.

    In the Resource group blade, the SQL Server resource is selected.

  29. Under Settings, select Failover groups.

    In the SQL server blade, under Settings, Failover groups is selected.

  30. Select +Add group.

    In the SQL server blade, Add group is selected.

  31. Complete the Failover group blade using these inputs and then select Create:

    • Failover group name: Enter a lowercase unique name 3-24 characters using the prefix bcdrpassfog.

    • Secondary Server: Select the secondary SQL Server from your BCDRPaaSSecondarySite.

    • Database within the group: ContosoInsurance

    Fields in the Failover group blade display the previously defined settings.

    Options the Databases blade, the checkbox for the SQL Server database to be selected.

  32. The portal will submit a deployment.

    A Deployment in progress message displays.

  33. The portal will update once the Failover group has been deployed. Select the group.

    In the SQL Server blade, the failover group displays.

  34. The Failover group (FOG) portal will appear. Copy the name of the Listener endpoint to your clipboard and then copy this to your SQLSERVER.TXT file.

    On the Configuration details tab, a map of the world is displayed with the primary and secondary sites linked geographically.

    In Notepad, a call out points to the Fog Listener Endpoint.

  35. In the SQLSERVER.TXT file, update the server name in the connection string with the name of the FOG listener endpoint. Also, change the user name and password to the credentials for the SQL Server:

    • Usernamemcwadmin
    • Passworddemo@pass123

    A text file is displayed showing the before and after state of the server part of the connection string.

    A text file is displayed showing the before and after state of the User ID and Password portion of the connection string.

  36. The new connection string will be used for the Web App. This will ensure that when the SQL Database is failed over that the server is always pointing to the Failover group. Open the Web App in the BCDRPaaSPrimarySite resource group.

    The New Connection String for the Web App is called out.

  37. Select the URL. The empty Web App will appear.

    The new URL link is selected.

    On the Microsoft Azure app service tab, a message says that your app service app is up and running.

  38. Under Settings, select Configuration.

    Under Settings, Application settings is selected.

  39. Scroll down to the Connection strings settings and add a new connection string using the following inputs, then select OK to add the connection string.

    • NamePolicyConnect
    • Value: Paste in the updated string you created with the failover group name from the SQLSERVER.TXT file.
    • TypeSQLAzure

    The connection string for PolicyConnect displays.

    Note: You must use the Name PolicyConnect. This is the name that is recognized by the Application in the source code.

  40. Select Save on the Configuration blade.

  41. Repeat the same procedure on the Web App located in the BCDRPaaSSecondarySite resource group using the same connection string:

    The New Connection String for the Web App is called out.

    • NamePolicyConnect
    • Value: Paste in the updated string you created with the failover group name from the SQLSERVER.TXT file.
    • TypeSQLAzure
  42. On the LABVM open Visual Studio. You will be required to login to Visual Studio. If you don't have an account you can create a free account following the prompts.

    Visual Studio 2019 from the start menu displays.

  43. Select Open a project or solution.

    In Visual Studio, Open a project or solution is selected.

  44. Open the Solution located at C:\HOL\WebApp\ContosoInsurance.sln.

    Note: You may see a security warning about opening projects from trustworthy sources. Select OK if prompted.

    In the Open Project window, contosoinsurance.sln is selected.

  45. Locate the ContosoInsurance application in the Solution Explorer on the right-hand area of Visual Studio.

    In Solution Explorer, ContosoInsurance is selected.

    Note: If for some reason the Solution Explorer is not seen you can select View -> Solution Explorer on the Menu bar of Visual Studio.

  46. Right-click the ContosoInsurance Application and select Publish.

    In Solution Explorer, the right-click menu for ContosoInsurance displays, and Publish is selected.

  47. On the Publish screen on the Target step select Azure and then Next.

    On the Publish Target screen on the Target step, Azure is selected.

  48. On the Publish screen on the Specific target step select Azure App Service and then Next.

    On the Publish Specific target screen, Azure App Service is selected.

  49. On the Publish screen on the App Service step select application under BCDRPaaSPrimarySite and finally Finish.

    On the Publish App Service screen, the application under BCDRPaaSPrimarySite is selected.

  50. Select Publish to publish the ContosoInsurance application to Azure. On the Publish tab, the Publish button is highlighted.

  51. Once the publish has succeeded, open the Azure Web App in a browser to see that it's running successfully.

    The Contoso Insurance PolicyConnect webpage displays.

  52. Select the Current Policy Offerings button, and the page should load with data showing. This means that you have successfully implemented the Web App and it has connected to the Failover Group database.

    The Index webpage displays the insurance options.

  53. Execute the same steps for the BCDRPaaSSecondarySite.

  54. Once the publish to the has succeeded, open the Azure Web App in a browser to see that it's running successfully.

    The Contoso Insurance PolicyConnect webpage displays.

  55. Select the Current Policy Offerings button, the page should load showing data (various coverage plans). This means that you have successfully implemented the Web App, and it has connected to the Failover Group database.

    The Index webpage displays the insurance options.

  56. Close Visual Studio and move back to the Azure Portal. The next step will be to deploy a Front Door for this PaaS implementation. Select +Create a resource then search for and select Front Door in the Azure Marketplace and select Create.

    In the Azure Portal, select Create a resource.

    In the Create newblade, select search for Front Door.

    In the Front Door resource blade select Create.

  57. Complete the Basics tab of the Create a Front Door blade using the following inputs, then select Next: Configuration >:

    • Resource group: Use existing BCDRPaasPrimarySite
    • Resource group location: Automatically assigned based on the BCDRPaaSPrimarySite.

    In the Create Front Door blade, fields display the previously defined settings.

  58. Select the plus button on the Frontend hosts box to set the host name of Front Door.

    The configuration tab is shown with the add Frontend hosts plus button highlighted.

  59. In the Add a frontend host pane, enter the following values, then select Add:

    • Host name: Enter a unique name with the prefix of bcdrpaas.
    • Session affinity: Disabled

    The Add a front end host pane is shown with a unique host name filled out and the Session affinity disabled.

  60. Select the plus button on the Backend pools box to begin adding endpoints to the backend pool.

    The Configuration tab is shown with the Add backend pool button plus highlighted.

  61. On the Add a backend pool pane, enter the following values, then select the Add a backend link:

    • NameBCDRPaaS
    • Health Probes – Protocol: HTTP

    The Add a backend pool pane is populated with the specified values.

  62. On the Add a backend pane, enter the following values, then select Add:

    • Backend host type: App service
    • Backend host name: Select the Primary Web App (named like bcdrprimarysiteXXX.azurewebsites.net) that's in the BCDRPaaSPrimarySite resource group.

    The Add a backend pane form is displayed with the previously specified values entered.

  63. Select the Add a backend link again, and add another backend host name with the following values, then select Add:

    • Backend host type: App service
    • Backend host name: Select the Secondary Web App (named like bcdrsecondarysiteXXX.azurewebsites.net) that's in the BCDRPaaSSecondarySite resource group.

    The Add a backend pane displays with the previously specified values entered.

  64. Select Add to create the backend pool.

  65. Select the plus button on the Routing rules box.

    The Configuration tab is shown with the Add routing rules plus button highlighted.

  66. On the Add a rule pane, enter the following values, then select Add:

    • Name: BCDRPaaS
    • Backend pool: BCDRPaaS
    • Forwarding protocol: Match request

    Add a rule pane is displayed with the previously specified fields populated.

  67. Select Review + Create.

    Review + Create button is highlighted.

  68. Once validation has completed, select Create to provision the Front Door service.

  69. Select the DNS name of the Front Door, the Policy Connect web application will load. This is connecting to one of the two Web Apps running in the Primary Site or Secondary Site and talking to the Azure SQL Database Failover Group primary replica using the SQL FOG Listener.

    The Frontend host link is called out.

    The Contoso Insurance PolicyConnect webpage displays with a call out pointing to the URL in the address bar.

    Note: If you get a “Our services aren't available right now” error accessing the web application, then continue on with the lab and come back to this later. Sometime this can take a ~10 minutes for the routing rules to publish before it's “live”

  1.  

 

 

 

Exercise 3: Migrating to Azure Key Vault

Duration: 30 minutes

Synopsis: In this exercise, attendees will learn how to migrate web application to utilize Azure Key Vault rather than storing valuable credentials (such as connection strings) in application configuration files.

Task 1: Create an Azure Key Vault secret

 

  1. Switch to your Azure Portal.

  2. Select Key Vaults, then select your Azure Key Vault.

    Key vaults is highlighted on the left side of the Azure portal, and CloudSecurityVault is highlighted on the right.

  3. Select Secrets, then select +Generate/Import.

    Secrets is highlighted on the left side of the Azure portal, and Generate/Import is highlighted on the right.

  4. For the Upload Options, select Manual.

  5. For the Name, enter InsuranceAPI.

  6. For the Value, copy the connection string information from the InsuranceAPI solution Web.config file in Exercise 2.

  7. Select Create.

  8. Select Secrets.

  9. Select InsuranceAPI.

  10. Select the current version.

    The current version is selected with a status of Enabled under InsuranceAPI Versions.

  11. Copy and record the secret identifier URL for later use:

    The Secret Identifier URL is highlighted under Properties.

 

Task 2: Create an Azure Active Directory application

 

  1. In the Azure Portal, select Azure Active Directory, then select App Registrations.

    Azure Active Directory is highlighted on the left side of the Azure portal, and App registrations is highlighted on the right.

  2. Select +New application registration.

  3. For the user-facing display name, type AzureKeyVaultTest.

  4. For the supported accounts, select Accounts in this organization directory only…

  5. For the Redirect URL, type http://localhost:12345.

    AzureKeyVaultTest is entered in the Name box, and http://localhost:12345 is entered in the Sign-on URL box under Create.

  6. Select Register.

  7. Copy and record the Application ID for later use.

    The Application ID and Object ID are highlighted under Essentials for the AzureKeyVaultTest application, and All settings is selected at the bottom.

  8. In the left menu pane, under the Manage heading, select Certificates and secrets link.

  9. Under Client secrets, select New client secret.

    In the Certificates and secrets window, the New client secret button is selected.

  10. For the description, enter InsuranceAPI.

  11. For the Expires, select In 1 year.

  12. Select Add.

  13. Copy and record the key value for later use.

 

Task 3: Assign Azure Active Directory application permissions

 

  1. Switch back to Azure Portal and select your Azure Key Vault.

  2. Under the Settings heading, select Access Policies.

  3. Select + Add Access Policy.

    In the Access policies screen, the + Add Access Policy button is selected.

  4. Choose Select principal field value. In the right-hand pane, type AzureKeyVaultTest. Select the item.

  5. Choose the Select button at the bottom.

  6. Select the Secret permissions drop-down, check the Get and List permissions.

    In the secret permissions drop down options, the Get and List operations are selected.

    Your selection summary should look like this.

    The AzureKeyVaultTest principal is selected and the secret permissions drop down list states there are two selected values.

  7. Select Add button.

  8. Select Save button at the top.

 

Task 4: Install or verify NuGet Package

 

  1. Close the previous Visual Studio solution, then from the extracted GitHub directory, open the \Hands-on lab\WebApp\InsuranceAPI_KeyVault\InsuranceAPI.sln solution.

    Note: Be sure you re-open the correct solution.

    The screenshot displays the folder structure for both Visual Studio solutions.

  2. Switch to Visual Studio.

  3. In the menu, select View->Other Windows->Package Manager Console.

  4. In the new window that opens, run the following commands:

    Install-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform
    Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202
    Install-Package Microsoft.Azure.KeyVault

    Note: These already exist in the project but are provided as a reference. If you receive a codedom version error when you debug, run this command.

    Update-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform -r
  5. From Solution Explorer, double-click the Web.config file to open it.

    Notice the appSettings section has some token values:

    Some token values are highlighted in the appSettings section of the Web.config file.

  6. Replace the ApplicationId (ClientId) and ClientSecret with the values from Task 2.

    The pane is displaying the Application Registration information. ApplicationId is circled.

  7. Replace the SecretUri with the Azure Key Vault secret key Uri from Task 1.

  8. Save the Web.config file in Visual Studio.

    Note: You can take this lab a step further and publish the Web App to an Azure App Service and enable System-assigned Managed Identities. This will allow you to completely remove any authentication from your configurations and utilize Key Vault references.

 

 

Task 5: Test the solution 

 

  1. Open the Web.config, and comment out or delete the connectionString from the file at line 78.

  2. Open the Global.asax.cs file, and place a break point at line 28.

    Note: This code makes a call to get an accessToken as the application you set up above, then make a call to the Azure Key Vault using that accessToken.

  3. Press F5 to run the solution.

    You should see that you execute a call to Azure Key Vault and get back the secret (which in this case is the connection string to the Azure Database).

    The connection string to the Azure Database is visible through the Visual Studio debugger.

  4. Press F5 to continue the program.

  5. Navigate to http://localhost:portno/api/Users, you should get an error. Because you encrypted the column in the previous exercise, EntityFramework is not able to retrieve the value(s) using default settings. In order to do seamless decryption, you would need to:

    • Run the \Hands-on lab\Database\02_PermissionSetup.sql script if you have not already done so.

    • Add the AzureKeyVaultProvider for Entity Framework reference to the project.

    • Register the provider code in order for .NET to handle the encrypted column.

    • Add an access policy to the Azure Key Vault that gives key permissions (decryptsigngetunwrapkeyverify) to the Azure AD application.

    • Add the Column Encryption Setting=Enabled to the connection string.

    • Detailed steps can be found in this blog post

    • A third solution (\Hands-on lab\WebApp\InsuranceAPI_KeyVault_Encrypted\InsuranceAPI.sln) was added to the GitHub repo that has the necessary references and code added.

      • Simply update the web.config file with your client id and secret after adding the required Key Vault permissions above.

      • Update the Key Vault connection string to have the Column Encryption Setting=Enabled.

      • Review the code added to the global.asax.cs file.

      • Run the project and navigate to the above page.

 

 

Exercise 4: Securing the Network

Duration: 45 minutes

Synopsis: In this exercise, attendees will utilize Network Security Groups to ensure that virtual machines are segregated from other Azure hosted services and then explore the usage of the Network Packet Capture feature of Azure to actively monitor traffic between networks.

Task 1: Test network security group rules #1

 

  1. In the Azure Portal, select Virtual Machines.

  2. Select paw-1, then select Connect.

  3. In the dialog, select Download RDP file Anyway. Open the downloaded RDP file and connect to the Virtual Machine.

    Note: Default username is wsadmin with p@ssword1rocks as password and you may need to request JIT Access if you have taken a break between exercises.

  4. In the PAW-1 virtual machine, open Windows PowerShell ISE as administrator.

    • Select the Windows icon.

    • Right-click Windows PowerShell ISE, choose More, then select Run as Administrator.

  5. Copy and run the following command:

    Set-ExecutionPolicy -ExecutionPolicy Unrestricted

    The PowerShell ISE window displays the execution policy change command.

  6. In the dialog, select Yes.

  7. Select File->Open, browse to the extracted GitHub directory and open the \Hands-on lab\Scripts\PortScanner.ps1.

    Note: You would have downloaded the GitHub repo and extracted this in the setup steps. If you did not perform those steps, perform them now. You can also choose to copy the file from your desktop to the VM.

  8. Review the script. Notice that it does the following:

    • Installs NotePad++

    • Adds hosts entries for DNS

    Note: When using multiple virtual networks, you must setup a DNS server in the Azure tenant.

    • Executes port scans
  9. Press F5 to run the script. You should see the following (the Azure ARM Template created a default rule to block all traffic):

    • Port scan for port 3389 (RDP) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine.

    • The information above for port 3389 (RDP) is visible after running the script and pressing F5.

    The information above for port 3389 (RDP) is visible after running the script and pressing F5.

    • Port scan for port 1433 (SQL) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine. DB-1 is running SQL Server but traffic is blocked at NSG and via the Windows Firewall.

    The information above for port 1433 (SQL) is visible after running the script and pressing F5.

    • Port scan for port 80 (HTTP) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine, if traffic was allowed, it would always fail to DB-1 because it is not running IIS or any other web server.

    The information above for port 80 (HTTP) is visible after running the script and pressing F5.

Note: The ARM template deploys a Deny All rule. If you were to simply create a Network Security Group from the UI, you would not experience this behavior.

Task 2: Configure network secuirty groups

 

  1. Switch to the Azure Portal.

  2. Configure the database server to only allow SQL Connections from the web server:

    • Select Network Security Groups.

    • Select DbTrafficOnly.

    • Select Inbound Security Rules.

    • Select +Add.

    • For the Source, select IP Addresses.

    • For the Source IP address, enter 10.2.0.4.

    • For the Destination, keep Any.

    • For the Destination port range, enter 1433.

    • For the Priority, enter 100.

    • For the Name, enter Port_1433.

    • Select Add.

  3. Configure the web server to allow all HTTP and HTTPS connections:

    • Select Network Security Groups.

    • Select WebTrafficOnly.

    • Select Inbound Security Rules.

    • Select +Add.

    • For the Source, keep Any.

    • For the Destination, keep Any.

    • For the Destination port ranges, enter 80,443.

    • For the Priority, enter 100.

    • Change the Name to Port_80_443.

    • Select Add.

    Note: In some rare cases it may take up to 15 minutes for your Network Security Group to change its status from Updating. You won't be able to add any other rules until it completes.

  4. Configure both the database and web server to only allow RDP connections from the PAW machine:

    • Select Network Security Groups. For both the DbTrafficOnly and WebTrafficOnly, do the following:

      • Select Inbound Security Rules.

      • Select +Add.

      • For the Source, select IP Addresses.

      • For the Source IP address, enter 10.0.0.4.

      • For the Destination port range, enter 3389.

      • For the Priority, enter 101.

      • For the Name, enter Port_3389.

      • Select Add.

  5. Configure all Network Security Groups to have Diagnostic logs enabled.

    • Select Network security groups. For each NSG (DBTrafficOnly and WebTrafficOnly), do the following:

      • In the content menu, select Diagnostic logs, and then select Add diagnostic setting.

      Diagnostics settings is selected under Monitoring on the left side, and Add diagnostics settings is selected on the right.

      • For the name, enter the NSG name and then add Logging to the end.

      • Check the Send to Log Analytics checkbox, in the Log Analytics box, select Configure.

      • Select the azseclog… workspace.

      • Select both LOG checkboxes.

      • Select Save.

      Save is highlighted at the top, and two log items are selected below.

      • Repeat for all remaining Network Security Groups.

Task 3: Test network security group rules #2

 

  1. Switch back to the PAW-1 virtual machine.

  2. Press F5 to run the PortScan script. You should see the following:

    • Port scan for port 3389 (RDP) to DB-1 and WEB-1 is successful from the PAW-1 machine.

    The information above for port 3389 (RDP) is visible after running the script and pressing F5.

    • Port scan for port 1433 (SQL) to DB-1 is successful, and WEB-1 is unsuccessful from the PAW-1 machine.

    Note: You may need to disable the windows firewall on the DB-1 server to achieve this result.

    The information above for port 1433 (SQL) is visible after running the script and pressing F5.

    • If IIS has been setup on WEB-1, the port scan for port 80 (HTTP) to DB-1 is unsuccessful and WEB-1 is successful from the PAW-1 machine

    The information above for port 80 (HTTP) is visible after running the script and pressing F5.

 

Task 4: Install network watcher VM extension

 

  1. Switch to the Azure Portal.

  2. Select Virtual Machines.

  3. Select db-1.

  4. In the blade menu, select Extensions, then select +Add.

    Extensions is selected on the left under Settings, and + Add is highlighted at the top right.

  5. Browse to the Network Watcher Agent for Windows, and select it.

  6. Select Create.

    Network Watcher Agent for Windows is highlighted on the left, and Create is highlighted on the right.

  7. In the next Install extension dialog window (note that it could be blank) select OK. You should see a toast notification about the script extension being installed into the Virtual Machine.

    The toast notification states:

 

Task 5: Setup network packet capture

 

  1. In the main Azure Portal menu, search All services for Network Watcher.

  2. In the context menu, select Network Watcher.

    Network watcher is selected from the filtered list of services.

  3. Expand the subscription regions item you are running your labs in.

  4. For the East US region (or whatever region you deployed your VMs too), select the ellipsis, then select Enable Network Watcher.

    The East US row is highlighted under Region, and Enable network watcher is selected in the submenu.

  5. In the new context menu, select Packet capture.

  6. Select +Add.

    Packet capture is selected and highlighted on the left under Network Diagnostic Tools, and + Add is highlighted at the top right.

  7. Select your subscription.

  8. Select your resource group.

  9. For the target virtual machine, ensure that db-1 is selected.

  10. For the capture name, enter databasetraffic.

  11. Notice the ability to save the capture file to the local machine or an Azure storage account. Ensure that the resource group storage account is selected. If you check your resource group, the storage account is prefixed with “diagstor”.

    In the Add packet capture window, databasetraffic is entered in the Packet capture name box, and the Storage account check box is checked.

  12. For the values, enter the following:

    • Maximum bytes per packet: 0.
    • Maximum bytes per session: 1073741824.
    • Time limit: 600.
  13. Select OK.

 

Task 6: Execute a port scan

 

  1. Switch your Remote Desktop connection to the PAW-1 virtual machine.

  2. Uncomment the last line of the script, and press F5.

    The PowerShell ISE window displays uncommented PowerShell script port scan command.

    Note: You should see the basic ports scanned, and then a port scan from 80 to 443. This will generate many security center logs for the Network Security Group which will be used in the Custom Alert in the next exercise.

 

 

Exercise 5: Azure Sentinel Loggin and Reporting

Duration: 20 minutes

Synopsis: In this exercise, you will setup Azure Sentinel to point to a logging workspace and then create custom alerts that execute Azure Runbooks.

Task 1: Create a dashboard

 

  1. Open the Azure Portal.

  2. Select All services, then type Sentinel, select Azure Sentinel.

    All Services is selected in the left menu, and a search for Sentinel is displayed along with its search results.

  3. In the blade, select +Add, select the Log Analytics resource for your resource group, then choose Add Azure Sentinel.

    The screenshot displays the Azure workspace found in the resource group.

  4. In the blade, under Threat Management, select Workbooks.

  5. In the list of workbooks, select Azure Network Watcher, choose Save.

  6. Select the region and choose OK.

  7. In the list of workbooks, select Azure AD Audit logs, select Save.

  8. Select the region and select OK.

    In the left menu beneath Threat Management the Workbooks item is selected and the Azure AD Audit Logs item is selected beneath the Templates tab on the right.

  9. Select View saved workbook, take a moment to review your new workbook.

    Note: You may not have data in the log analytics workspace. Wait for 10-15 minutes.

 

Task 2: Create an Analytics alert 

 

  1. Navigate back to the Azure Sentinel workspace, in the Configuration blade section, select Analytics then select +Create then Scheduled query rule.

    In the left menu beneath Configuration the Analytics item is selected. To the right, the + Create button is expanded and the Scheduled query rule item is selected.

  2. On the General tab, enter PortScans for the name.

  3. For the description, enter A custom rule to detect port scans, select Next: Set rule logic.

  4. In the Rule query text box, type:

    AzureDiagnostics
    | where ruleName_s == 'UserRule_DenyAll' and Type != 'AzureMetric' and type_s == 'block' and direction_s == 'In' and Resource == 'WEBTRAFFICONLY' and OperationName == 'NetworkSecurityGroupCounters'
    | summarize AggregatedValue = sum(matchedConnections_d) by ruleName_s, primaryIPv4Address_s
    | where AggregatedValue > 0

    In this screenshot, the alert simulation shows data after the query has been entered.

    Note: If you were quick going through the labs, then you may not have log data in the Log Analytics workspace just yet that corresponds to “AzureMetric”. You may need to wait 15-30 minutes before a query will execute.

    Note: Since the introduction of Azure Security Center and Sentinel, the backend logging has changed a few times as well as the way the calculations are done in the rule query (timespan in query vs outside query, etc.). The ultimate goal of this query is to find when a series of failed connection attempts have been made against a network security group and a specific deny rule. If for some reason the UI/backend has been modified since the last published lab, modify the query to accomplish this goal.

  5. Under Map entities, for the IP, select the primaryIPv4Address_s column.

  6. Under Query scheduling, for the Run query every setting, type 5 minutes.

    Note: This is a lab and you want to see the results as quickly as possible. In a production environment, you may want to choose a different time threshold.

  7. For the Lookup data from the last, type 1 hours.

  8. Under Alert threshold, for the Generate alert when number of query results, enter 1.

    Note: We want to hit the threshold quickly for lab purposes. This query and value may not be appropriate for production and is only for learning purposes.

    Review the current data to determine what would trigger the alert. Notice the red threshold line intersects the blue event data line.

    A chart is displayed showing the current log data and the alert threshold. The red and blue line intersect in the chart.

  9. Select Next: Automated response, notice you have no playbooks to select yet.

  10. Select Next: Review.

  11. Select Create.

    Note: It may take a few minutes for the alert to fire. You may need to run the PortScan script a few times from paw-1

    In the Azure Sentinel Analytics screen beneath the Active Rules tab, the PortScans rule is highlighted in the table and its status shows it is Enabled.

 

Task 3: Investigate a custom alert incident

 

  1. In the main menu, select Azure Sentinel.

  2. Select Incidents.

  3. Select the new PortScans incident.

    In the Azure Sentinel Incidents window, the most recent PortScans security alert is selected from the table.

    Note: It may take 15-20 minutes for the alert to fire. You can continue to execute the port scan script to cause log events or you can lower the threshold for the custom alert.

  4. In the dialog, choose Investigate.

    The incident dialog is displayed with the Investigate button selected.

  5. In future versions, you will get to see insights about the alerts and the resources related to what caused it to fire:

    The Azure Security Insights screen is displayed detailing the lifetime of an alert instance.

 

Task 4: Create an run a playbook

 

  1. In the Azure Sentinel blade, select Playbooks.

  2. In the new window, select + Add Playbook.

    The playbooks blade is displayed with the Playbooks item selected in the left hand menu and the + Add Playbook button selected.

  3. The Create logic app blade will display:

    • For the name, enter Email.

    • Select your existing resource group.

    • Toggle the Log Analytics to On and then select your azuresecurity Log Analytics workspace.

    The information above is entered in the Create logic app blade.

  4. Select Create, after a few moments, the Logic Apps Designer will load. If the designer does not load, wait a few minutes and refresh the Playbook list. Select the Email playbook.

    The playbooks list is displayed and the Email playbook is highlighted.

  5. Select the Get a notification email when Security Center detects a threat template.

    The Logic Apps Designer screen is displayed with a list of templates. The Get a notification email when Security Center detects a threat template is selected.

  6. Select Use this template.

    The Use this template button is selected under Send notification email with alert details from Azure Security Center.

  7. For the Office 365 Outlook connection, select the + link, enter your Azure/O365 credentials.

    The Sign in button is highlighted next to Office 365 Outlook under This logic app will connect to.

    Note: This would need to be a valid Office 365 account, if you do not have a valid Office 365 account, then utilize a basic email template for Outlook.com.

  8. For the Security Center Alert connection, select the + link.

  9. Select Continue.

    The Logic app connection blade is displayed. Outlook and Azure Security Center validation are displayed.

  10. For the email address, enter your email.

  11. Select Save. You now have an email alert action based on LogicApps for your custom security alert to use.

    Save is highlighted in Logic Apps Designer, and information about the custom security alert appears below.

  12. Lastly, after you have created the new Playbook, ensure that the status is Enabled. If not, then select Enable in the menu.

 

Task 5: Execute Jupyter Notebooks

 

  1. In the Azure Sentinel blade, select Notebooks.

  2. In the blade top menu navigation, select Clone Notebooks.

  3. If not already logged in, select your Azure credentials, the GitHub repo will start to clone into your workspace.

    Azure Sentinel Notebooks blade shows Clone Notebooks is highlighted.

    You will see the GitHub progress meter.

    The GitHub progress meter is displayed.

  4. Navigate to My Projects and select the Run on Free Compute.

  5. Search for the Get Started.ipynb notebook. You may have to page through the results to find the Get Started.ipynb notebook. Select it. In this example, it was located on the second page.

    The Azure Sentinel Notebooks list is displayed with the Get Started.ipynb item highlighted in the list. Page 2 is also selected.

  6. In the menu, select Kernel->Change kernel, then select Python 3.6.

    The Kernel menu is expanded and the change kernel with Python 3.6 is selected.

  7. Choose the Run button until you execute the entire Notebook, note that some steps will required your input.

    When the cell has an asterisk, it is still processing. Wait for a number to appear.

    The cell is still processing. It has an asterisk showing in the brackets.

    This cell has completed processing. You should see a number.

    This cell has completed processing. A number appears in the brackets.

    Note: You can find the open source GitHub notebooks at https://github.com/Azure/Azure-Sentinel.

    At this point, you may have to enter the code.

    A web browser based dialog is displayed with a field to enter a code. Enter the notebook code into the Azure dialog.

    Your final cell processing should provide an output.

    Your final notebook cell has processed and displays an output.

 

Task 6: Creating Reports with Power BI

 

  1. Navigate back to your Azure Sentinel browser window. Select Logs.

    Note: You may see a Welcome to Log Analytics splash page in the blade. Select Get Started.

    The screenshot displays the Welcome to Log Analytics blade.

  2. In the Schema tab under Active, expand the LogManagement node, notice the various options available.

  3. In the schema window, select AzureDiagnostics, then choose the eye icon.

  4. In the top right, select Export, then select the Export to Power BI (M Query) link.

    The Azure Sentinel Logs screen is displayed. The logs item is selected in the left menu. LogManagement and AzureDiagnostics are selected from the active schema list. The Azure Diagnostics item has an eye icon. A new query tab is shown with the Export item highlighted.

    The Export item is expanded with the Export to PowerBI (M Query) item highlighted.

  5. Select Open, a text document with the Power Query M Language will be displayed.

  6. Follow the instructions in the document to execute the query in Power BI.

    The instructions at the top of the PowerBIQuery.txt file are highlighted.

  7. Close Power BI.

 

 

Exercise 6: Using Compliance Tools (Azure Policy, Secure Score and Compliance Manager)

Duration: 30 minutes

Synopsis: In this exercise, attendees will learn how to migrate web application to utilize Azure Key Vault rather than storing valuable credentials (such as connection strings) in application configuration files.

Task 1: Review a basic Azure Policy

 

  1. Open the Azure Portal. Select All Services, then type Policy. Select Policy in the list of items.

    All services are selected in the left menu. In the search box policy is entered. Policy is selected from the filtered list of services.

  2. In the blade menu, select Compliance, and review your Overall resource compliance percentage.

    The Compliance item is selected from the left menu. The Policy compliance screen is displayed.

  3. For the scope, ensure the proper subscription is selected, then select ASC Default (subscription:.

  4. In the Initiative compliance blade, review your compliance metrics.

  5. Scroll to the results area and select the Non-compliant resources tab.

    The non-compliant resources tab is highlighted.

  6. In the filter search box, type PAW-1 and select it when displayed.

    Note: You may not see resources display right away. If this is the case, then scroll through some other non-compliant resources.

  7. With the Policies tab selected, review the policies that the resource is non-complying against.

    Note: New policies are being created and your number may be different from the image below.

    The Resource compliance blade for PAW-1 is displayed with the non-compliant items highlighted.

  8. Choose one of the policies. Review the Definition JSON of the policy definition, notice how it is based on ARM Template format and is looking for specific properties to be set of the non-compliant resources.

    The policy definition is displayed in JSON format.

    Note: You can use these out of box templates to build your own policies and apply them as blueprints.

 

Task 2: Review and create Azure Blueprints 

 

  1. In the Policy blade, under Authoring, select Definitions. These are a list of all defined policies which can be selected for assignment to your subscription resources.

    A listing of policy definitions on the Policy Blade Definitions screen.

  2. In the Policy blade, under Related Services, select Blueprints.

  3. In the Blueprints blade, select Blueprint definitions.

  4. Select +Create blueprint.

    The Blueprint definitions screen is displayed with the Blueprint definitions item selected from the left menu. The + Create blueprint menu item is selected.

  5. Review some of the sample blueprints, then select Start with blank blueprint.

    The Create blueprint screen is displayed with the Blank blueprint item selected from the list of available samples.

  6. For the name, type gdprblueprint.

  7. For the location, select the ellipses, then select your subscription in the drop down.

  8. Choose Select.

    New blue print dialog with name and location filled in.

  9. Select Next: Artifacts.

  10. Select + Add artifact.

  11. For the Artifact Type, select Policy Assignment, review all the policies available to you (at the time of this writing you would see 37 definitions and 311 policies).

  12. In the search box, type unrestricted, browse for the Audit unrestricted network access to storage accounts.

    On the Create blueprint screen, on the Artifacts tab the + Add artifact link is selected beneath the Subscription. In the Add artifact blade, the artifact type of Policy assignment is selected. In the Search textbox, unrestricted is entered. Beneath the Search textbox, the Policy Definitions tab is selected and the Audit unrestricted network access to storage accounts is selected from the list of search results.

  13. Select Add.

  14. Select Save Draft. It may take a few minutes. The blade will automatically change when the save operation finishes.

  15. For the new blueprint, select the ellipses, then select Publish Blueprint.

    The ellipses menu is expanded for the gdprblueprint blueprint item with the Publish blueprint menu item highlighted.

  16. Select Publish.

  17. For the version type 1.0.0.

  18. For the new blueprint, select the ellipses, then select Assign Blueprint.

    Screen shot showing the Assign blueprint dialog.

  19. Review the page, then choose Assign. This policy will now be audited across all your storage accounts in the specific subscription.

 

Task 3: Secure Score

 

  1. In the Azure Portal, select All Services, then type Security, select Security Center.

  2. In the Security Center blade, under POLICY & COMPLIANCE, select Secure score.

  3. Review your overall secure score values and then notice the category values.

    Screen shot showing Secure score blade and the score and categories highlighted.

  4. On the bottom half of the window, select your subscription, you will be presented with the items that have failed resource validation sorted by the score value that is assigned to that particular recommendation item.

  5. Select the An Azure Active Directory administrator should be provisioned for SQL Servers, on the recommendation blade, you will be presented with information about how to remediate the recommendation to gain the impact value to your score.

    Screen shot with the Provision an Azure AD Administrator for SQL Server highlighted.

 

Task 4: Use Compliance Manager for Azure 

 

Note: You may need to additional permissions to run this portion of the lab. Contact your Global Administrator.

  1. In a browser, go to the Service Trust/Compliance Manager portal (https://servicetrust.microsoft.com).

  2. In the top corner, select Sign in, you will be redirected to the Azure AD login page.

    Sign in is highlighted at the top of the Service Trust/Compliance Manager portal.

  3. If prompted, select or sign in with your Azure AD\Office 365 credentials.

  4. In the menu, select Compliance Manager->Compliance Manager Classic.

    Compliance Manager Classic is highlight in the menu navigation.

  5. Select on the +Add Assessment link.

  6. Select Create a new Group, for the name type AzureSecurity, select Next, set the Would you like to copy the data from an existing group toggle to No, select Next.

  7. For the product dropdown, select Azure.

  8. For the certification dropdown, select GDPR.

    Add a Standard Assessment dialog with Azure and GDPR selected.

  9. Select Add to Dashboard. You will now see a new assessment for Azure and GDPR in progress:

    Azure GDPR assessment status that shows in progress.

  10. Select Azure GDPR.

  11. Review the various controls that you can implement:

    Several categories of controls are listed on the page.

  12. On the top menu, choose Trust Documents, then select Audit Reports.

  13. Notice the various tabs that you can select from, select FedRAMP Reports.

  14. These are all the FedRAMP reports sorted by date that have been performed and publicly posted for Azure customer review. Select the item displayed and briefly review the document.

    The FedRAMP Reports report type is highlighted on the Data Protection Standards and Regulatory Compliance Reports page, and Azure - FedRAMP Moderate System Security Plan v3.02 is highlighted at the bottom.

 

 

 

 

Scroll to top