Synopsis: In this exercise, you learn how to create a virtual network using the Azure portal, deploy virtual machines (VMs), and connect them to the virtual network.
Create a virtual network
Select Create a resource in the upper left-hand corner of the portal.
In the search box, enter Virtual Network. Select Virtual Network in the search results.
In the Virtual Network page, select Create.
In Create virtual network, enter or select this information in the Basics tab:
Project details
  Subscription: Select your subscription.
  Resource group: Select Create new. Enter myResourceGroup. Select OK.
Instance details
  Name: Enter myVNet.
  Region: Select (US) East US.
Select the IP Addresses tab, or select the Next: IP Addresses button at the bottom of the page.
In IPv4 address space, select the existing address space and change it to 10.1.0.0/16.
Select + Add subnet, then enter MySubnet for Subnet name and 10.1.0.0/24 for Subnet address range.
Select Add.
Select the Security tab, or select the Next: Security button at the bottom of the page.
Under BastionHost, select Enable. Enter this information:
Bastion name: Enter myBastionHost.
AzureBastionSubnet address space: Enter 10.1.1.0/24.
Public IP Address: Select Create new. For Name, enter myBastionIP. Select OK.
Select the Review + create tab or select the Review + create button.
Select Create.
Create virtual machines
Create two VMs in the virtual network:
Create the first VM
On the upper-left side of the portal, select Create a resource > Compute > Virtual machine.
In Create a virtual machine, type or select the values in the Basics tab:
Project details
  Subscription: Select your Azure subscription.
  Resource group: Select myResourceGroup.
Instance details
  Virtual machine name: Enter myVM1.
  Region: Select (US) East US.
  Availability options: Select No infrastructure redundancy required.
  Image: Select Windows Server 2019 Datacenter.
  Azure Spot instance: Select No.
  Size: Choose a VM size or take the default setting.
Administrator account
  Username: Enter a username.
  Password: Enter a password.
  Confirm password: Reenter the password.
Inbound port rules
  Public inbound ports: Select None.
Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select or enter:
Network interface
  Virtual network: Select myVNet.
  Subnet: Select MySubnet.
  Public IP: Select None.
  NIC network security group: Select Basic.
  Public inbound ports: Select None.
Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
Review the settings, and then select Create.
Task 3 – Connect to myVM1
Go to the Azure portal to manage your private VM. Search for and select Virtual machines.
Pick the name of your private virtual machine myVM1.
In the VM menu bar, select Connect, then select Bastion.
In the Connect page, select the blue Use Bastion button.
In the Bastion page, enter the username and password you created for the virtual machine previously.
Select Connect.
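The Exercise 1 topology built with Az PowerShell instead of the portal, as an added example rather than the lab's own steps: the VM's NIC gets no public IP, so the only way in is through Bastion. It assumes the Az modules are installed, Connect-AzAccount has run, and a VM size (Standard_B2s) and NIC name (myVM1-nic) that the lab does not specify.

```powershell
# Added example, not the lab's own script: Exercise 1 built with Az PowerShell.
# Assumes Az.Network/Az.Compute are installed, Connect-AzAccount has run, and
# the VM size and NIC name below, which the lab leaves to the reader.
$rg       = 'myResourceGroup'
$location = 'eastus'
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Workload subnet plus AzureBastionSubnet (that subnet name is fixed by the Bastion service)
$workload = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet' -AddressPrefix '10.1.0.0/24'
$bastSub  = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.1.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName $rg -Location $location `
          -AddressPrefix '10.1.0.0/16' -Subnet $workload, $bastSub

# Bastion needs a Standard-SKU static public IP; it is the only public address in this design
$bastionIp = New-AzPublicIpAddress -Name 'myBastionIP' -ResourceGroupName $rg -Location $location `
               -Sku Standard -AllocationMethod Static
New-AzBastion -ResourceGroupName $rg -Name 'myBastionHost' `
  -PublicIpAddress $bastionIp -VirtualNetwork $vnet | Out-Null

# NIC without a public IP: the VM is reachable only through Bastion
$subnetId = ($vnet.Subnets | Where-Object Name -eq 'MySubnet').Id
$nic = New-AzNetworkInterface -Name 'myVM1-nic' -ResourceGroupName $rg -Location $location -SubnetId $subnetId

$cred = Get-Credential -Message 'Local administrator account for myVM1'
$vmConfig = New-AzVMConfig -VMName 'myVM1' -VMSize 'Standard_B2s' |
  Set-AzVMOperatingSystem -Windows -ComputerName 'myVM1' -Credential $cred |
  Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
    -Skus '2019-Datacenter' -Version 'latest' |
  Add-AzVMNetworkInterface -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig | Out-Null

# Check the property that matters: no public IP on the VM's NIC
$ipConfig = (Get-AzNetworkInterface -Name 'myVM1-nic' -ResourceGroupName $rg).IpConfigurations[0]
if ($null -ne $ipConfig.PublicIpAddress) { throw 'myVM1 unexpectedly has a public IP' }
"myVM1 private IP $($ipConfig.PrivateIpAddress); connect through Bastion myBastionHost"
```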
Exercise 2: Restrict network access
Duration: 45 minutes
Synopsis: In this exercise, attendees will learn how to restrict network access to PaaS resources with virtual network service endpoints. The virtual network service endpoints enable you to limit network access to some Azure service resources to a virtual network subnet. You can also remove internet access to the resources. Service endpoints provide a direct connection from your virtual network to supported Azure services, allowing you to use your virtual network’s private address space to access the Azure services. Traffic destined to Azure resources through service endpoints always stays on the Microsoft Azure backbone network.
Select + Create a resource on the upper left corner of the Azure portal. Search for Virtual Network, and then select Create.
On the Basics tab, enter the following information and then select Next: IP Addresses >.
Subscription: Select your subscription.
Resource group: Select Create new and enter myResourceGroup.
Name: Enter myVirtualNetwork.
Region: Select (US) East US.
On the IP Addresses tab, select the following IP address settings and then select Review + create.
IPv4 address space: Leave as default.
Subnet name: Select default and change the subnet name to “Public”.
Subnet address range: Leave as default.
If the validation checks pass, select Create.
Wait for the deployment to finish, then select Go to resource or move on to the next section.
Enable a service endpoint
Service endpoints are enabled per service, per subnet. To create a subnet and enable a service endpoint for the subnet:
If you're not already on the virtual network resource page, you can search for the newly created network in the box at the top of the portal. Enter myVirtualNetwork, and select it from the list.
Select Subnets under Settings, and then select + Subnet.
On the Add subnet page, select or enter the following information, and then select Save:
Name: Private
Subnet address range: Leave as default.
Service endpoints: Select Microsoft.Storage.
Service endpoint policies: Leave default (0 selected).
Caution
Before enabling a service endpoint for an existing subnet that has resources in it, see Change subnet settings.
Restrict network access for a subnet
By default, all virtual machine instances in a subnet can communicate with any resources. You can limit communication to and from all resources in a subnet by creating a network security group, and associating it to the subnet:
In the search box at the top of the Azure portal, search for Network security groups.
On the Network security groups page, select + Create.
Enter or select the following information:
Subscription: Select your subscription.
Resource group: Select myResourceGroup from the list.
Name: Enter myNsgPrivate.
Location: Select East US.
Select Review + create, and when the validation check is passed, select Create.
After the network security group is created, select Go to resource or search for myNsgPrivate at the top of the Azure portal.
Select Outbound security rules under Settings and then select + Add.
Create a rule that allows outbound communication to the Azure Storage service. Enter, or select, the following information, and then select Add:
Source: Select VirtualNetwork.
Source port ranges: *
Destination: Select Service Tag.
Destination service tag: Select Storage.
Service: Leave default as Custom.
Destination port ranges: Change to 445. SMB protocol is used to connect to a file share created in a later step.
Protocol: Any
Action: Allow
Priority: 100
Name: Rename to Allow-Storage-All.
Create another outbound security rule that denies communication to the internet. This rule overrides a default rule in all network security groups that allows outbound internet communication. Repeat the steps above for adding an outbound rule, using the following values, and then select Add:
Source: Select VirtualNetwork.
Source port ranges: *
Destination: Select Service Tag.
Destination service tag: Select Internet.
Service: Leave default as Custom.
Destination port ranges: *
Protocol: Any
Action: Change default to Deny.
Priority: 110
Name: Change to Deny-Internet-All.
Create an inbound security rule that allows Remote Desktop Protocol (RDP) traffic to the subnet from anywhere. The rule overrides a default security rule that denies all inbound traffic from the internet. Remote desktop connections are allowed to the subnet so that connectivity can be tested in a later step. Select Inbound security rules under Settings and then select + Add.
Enter or select the following values and then select Add.
Source: Any
Source port ranges: *
Destination: Select VirtualNetwork.
Destination port ranges: Change to 3389.
Protocol: Any
Action: Allow
Priority: 120
Name: Change to Allow-RDP-All.
Warning
RDP port 3389 is exposed to the Internet. This is only recommended for testing. For Production environments, we recommend using a VPN or private connection.
Select Subnets under Settings and then select + Associate.
Select myVirtualNetwork under Virtual Network and then select Private under Subnets. Select OK to associate the network security group to the selected subnet.
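The subnet, service endpoint and NSG steps above expressed with Az PowerShell, added here as an example and not the lab's own script. It assumes myVirtualNetwork kept the portal's default 10.0.0.0/16 space (so Private is given 10.0.1.0/24) and keeps the lab's Any source for RDP in a variable, $rdpSource, so it is obvious what to narrow outside the lab.

```powershell
# Added example, not the lab's own: subnet + service endpoint + NSG with Az PowerShell.
# Assumes myVirtualNetwork kept the portal default 10.0.0.0/16, so Private gets 10.0.1.0/24.
$rg = 'myResourceGroup'; $location = 'eastus'
$vnet = Get-AzVirtualNetwork -Name 'myVirtualNetwork' -ResourceGroupName $rg

# Outbound: SMB to the Storage service tag is allowed, then all other Internet traffic is denied.
# Lower priority number wins, so 100 is evaluated before 110.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name 'Allow-Storage-All' -Direction Outbound `
  -Access Allow -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
  -DestinationAddressPrefix 'Storage' -DestinationPortRange 445 -Priority 100
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Direction Outbound `
  -Access Deny -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
  -DestinationAddressPrefix 'Internet' -DestinationPortRange '*' -Priority 110

# Inbound RDP: the lab uses Any for its connectivity test (see the warning above);
# outside the lab set $rdpSource to the administrative network's prefix instead.
$rdpSource = '*'
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Direction Inbound `
  -Access Allow -Protocol '*' -SourceAddressPrefix $rdpSource -SourcePortRange '*' `
  -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 3389 -Priority 120

$nsg = New-AzNetworkSecurityGroup -Name 'myNsgPrivate' -ResourceGroupName $rg -Location $location `
  -SecurityRules $allowStorage, $denyInternet, $allowRdp

# Private subnet: Microsoft.Storage endpoint and NSG association in one config, then commit
Add-AzVirtualNetworkSubnetConfig -Name 'Private' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' `
  -ServiceEndpoint 'Microsoft.Storage' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify: endpoint present on the subnet, and the rules in the order the platform evaluates them
$private = Get-AzVirtualNetworkSubnetConfig -Name 'Private' `
  -VirtualNetwork (Get-AzVirtualNetwork -Name 'myVirtualNetwork' -ResourceGroupName $rg)
"Service endpoints on Private: $($private.ServiceEndpoints.Service -join ', ')"
Get-AzNetworkSecurityGroup -Name 'myNsgPrivate' -ResourceGroupName $rg |
  Get-AzNetworkSecurityRuleConfig |
  Sort-Object Direction, Priority |
  Format-Table Name, Direction, Priority, Access, DestinationAddressPrefix, DestinationPortRange
```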
Restrict network access to a resource
The steps required to restrict network access to resources created through Azure services that are enabled for service endpoints vary across services. See the documentation for individual services for specific steps for each service. The rest of this tutorial includes steps to restrict network access for an Azure Storage account, as an example.
Create a storage account
Select + Create a resource in the upper-left corner of the Azure portal.
Enter “Storage account” in the search bar, and select it from the drop-down menu. Then select Create.
Enter the following information:
Subscription: Select your subscription.
Resource group: Select myResourceGroup.
Storage account name: Enter a name that is unique across all Azure locations. The name has to be between 3 and 24 characters in length, using only numbers and lower-case letters.
Region: Select (US) East US.
Performance: Standard
Redundancy: Locally redundant storage (LRS)
Select Review + create, and when validation checks have passed, select Create.
Note
The deployment may take a couple of minutes to complete.
After the storage account is created, select Go to resource.
Create a file share in the storage account
Select File shares under Data storage, and then select + File share.
Enter or set the following values for the file share, and then select Create:
Name: my-file-share
Quota: Select Set to maximum.
Tier: Leave as default, Transaction optimized.
The new file share should appear on the file share page; if it does not, select the Refresh button at the top of the page.
Restrict network access to a subnet
By default, storage accounts accept network connections from clients in any network, including the internet. You can restrict network access from the internet and from all other subnets in all virtual networks, except the Private subnet in the myVirtualNetwork virtual network. To restrict network access to a subnet:
Select Networking under Settings for your (uniquely named) storage account.
Select Allow access from Selected networks and then select + Add existing virtual network.
Under Add networks, select the following values, and then select Add:
Subscription: Select your subscription.
Virtual networks: myVirtualNetwork
Subnets: Private
Select the Save button to save the virtual network configurations.
Select Access keys under Security + networking for the storage account and select Show keys. Note the value for key1 to use in a later step when mapping the file share in a VM.
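An Az PowerShell equivalent of the file share and network-rule steps above, added here and not the lab's own script: it refuses to switch the account to default-deny unless the Private subnet really carries the Microsoft.Storage endpoint (a subnet rule never matches without it), then adds the subnet rule and reads key1 into a variable rather than displaying it. <storage-account-name> is the placeholder the text uses; the 5 TiB quota is assumed to be what "Set to maximum" means for a standard share.

```powershell
# Added example, not the lab's own: storage account network rules with Az PowerShell.
# <storage-account-name> is the placeholder from the text.
$rg = 'myResourceGroup'
$storageName = '<storage-account-name>'

# The share is created before restricting, through the management plane (not affected by the firewall).
# 5120 GiB (5 TiB) is assumed to be the "Set to maximum" quota for a standard share.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $storageName `
  -Name 'my-file-share' -QuotaGiB 5120 | Out-Null

# A subnet rule only matches traffic that arrives via the Microsoft.Storage endpoint,
# so refuse to proceed if the Private subnet does not carry it.
$vnet    = Get-AzVirtualNetwork -Name 'myVirtualNetwork' -ResourceGroupName $rg
$private = Get-AzVirtualNetworkSubnetConfig -Name 'Private' -VirtualNetwork $vnet
if ($private.ServiceEndpoints.Service -notcontains 'Microsoft.Storage') {
    throw 'Private subnet has no Microsoft.Storage service endpoint; enable it first'
}

# Default action Deny closes the internet and every other subnet; then allow only Private
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName `
  -VirtualNetworkResourceId $private.Id | Out-Null

# Verify the effective rule set
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName
"DefaultAction: $($ruleSet.DefaultAction)"
$ruleSet.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, Action, State

# key1 for the later mapping step: keep it in a variable, not on screen or in a clipboard
$key1 = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $storageName)[0].Value
```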
Create virtual machines
To test network access to a storage account, deploy a VM to each subnet.
Create the first virtual machine
On the Azure portal, select + Create a resource.
Select Compute, and then Create under Virtual machine.
On the Basics tab, enter or select the following information:
Subscription: Select your subscription.
Resource group: Select myResourceGroup, which was created earlier.
Virtual machine name: Enter myVmPublic.
Region: (US) East US
Availability options: Availability zone
Availability zone: 1
Image: Select an OS image. For this VM, Windows Server 2019 Datacenter – Gen1 is selected.
Size: Select the VM instance size you want to use.
Username: Enter a user name of your choosing.
Password: Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
Public inbound ports: Allow selected ports
Select inbound ports: Leave default set to RDP (3389).
On the Networking tab, enter or select the following information:
Virtual network: Select myVirtualNetwork.
Subnet: Select Public.
NIC network security group: Select Advanced. The portal automatically creates a network security group for you that allows port 3389. You'll need this port open to connect to the virtual machine in a later step.
Select Review and create, then Create and wait for the deployment to finish.
Select Go to resource, or open the Home > Virtual machines page, and select the VM you just created, myVmPublic, which should be started.
Create the second virtual machine
Repeat steps 1-5 to create a second virtual machine. In step 3, name the virtual machine myVmPrivate and set NIC network security group to None. In step 4, select the Private subnet.
Select Review and create, then Create and wait for the deployment to finish.
Warning
Do not continue to the next step until the deployment is completed.
Select Go to resource, or open the Home > Virtual machines page, and select the VM you just created myVmPrivate, which should be started.
Confirm access to storage account
Once the myVmPrivate VM has been created, go to the overview page of the virtual machine. Connect to the VM by selecting the Connect button and then select RDP from the drop-down.
Select the Download RDP File to download the remote desktop file to your computer.
Open the downloaded rdp file. When prompted, select Connect.
Enter the user name and password you specified when creating the VM. You may need to select More choices, then Use a different account to specify the credentials you entered when you created the VM. For the email field, enter the “Administrator account: username” credentials you specified earlier. Select OK to sign into the VM.
Note
You may receive a certificate warning during the sign-in process. If you receive the warning, select Yes or Continue, to proceed with the connection.
Once signed in, open Windows PowerShell. Using the script below, map the Azure file share to drive Z using PowerShell. Replace <storage-account-key> and both <storage-account-name> placeholders with the values you supplied and noted earlier in the Create a storage account steps.
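An added mapping script (not the lab's own, which this page does not reproduce) that does what the paragraph above describes and separates the two reasons a mapping can fail: it first tests TCP 445, which the subnet NSG controls, and then attempts the SMB mapping, which the storage account's network rules authorize. The two placeholders are the ones the text names; my-file-share is the share created earlier.

```powershell
# Added example, not the lab's own script. Run inside the VM in a Windows PowerShell session.
# Replace the two placeholders; keep the key out of scripts you save or share.
$storageName = '<storage-account-name>'
$storageKey  = '<storage-account-key>'
$shareHost   = "$storageName.file.core.windows.net"
$sharePath   = "\\$shareHost\my-file-share"

# Layer 1: TCP reachability of port 445, which the NSG rule Allow-Storage-All governs
$tcp = Test-NetConnection -ComputerName $shareHost -Port 445
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 445 to $shareHost is blocked: check the subnet NSG outbound rules and the VM firewall"
}

# Layer 2: authorization, which the storage account network rules (service endpoint + subnet) govern
$secureKey  = ConvertTo-SecureString -String $storageKey -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\$storageName", $secureKey
try {
    New-PSDrive -Name Z -PSProvider FileSystem -Root $sharePath -Credential $credential -ErrorAction Stop | Out-Null
    "Mapped Z: to $sharePath (this VM's subnet is allowed by the storage network rules)"
    Get-ChildItem Z:\
}
catch {
    # 'Access is denied' while TCP 445 works means the storage firewall rejected the source subnet:
    # it has no Microsoft.Storage endpoint or is not in the account's allowed subnet list
    "Mapping failed although TCP 445 is reachable: $($_.Exception.Message)"
}
```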
After a short wait, you receive a New-PSDrive : Access is denied error. Access is denied because the myVmPublic VM is deployed in the Public subnet. The Public subnet doesn't have a service endpoint enabled for Azure Storage. The storage account only allows network access from the Private subnet, not the Public subnet.
New-PSDrive : Access is denied
At line:1 char:1
+ New-PSDrive -Name Z -PSProvider FileSystem -Root "\\mystorage007.file ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Z:PSDriveInfo) [New-PSDrive], Win32Exception
    + FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
Close the remote desktop session to the myVmPublic VM.
From a local machine:
In the Azure portal, go to the uniquely named storage account you created earlier. For example, mystorage007.
Select File shares under Data storage, and then select the my-file-share you created earlier.
You should receive the following error message:
Note
Access is denied because your computer is not in the Private subnet of the myVirtualNetwork virtual network.
Exercise 3 – Monitoring communications between Azure resources
Duration: 45 minutes
Synopsis: In this exercise, you will learn how to use Connection Monitor to monitor communication between resources and how to create a monitor by using the Azure portal. Connection Monitor supports hybrid and Azure cloud deployments.
Create a connection monitor
To create a monitor in Connection Monitor by using the Azure portal:
On the Azure portal home page, go to Network Watcher.
In the left pane, in the Monitoring section, select Connection monitor.
You'll see all the connection monitors that were created in Connection Monitor. To see the connection monitors that were created in the classic Connection Monitor, go to the Connection monitor tab.
In the Connection Monitor dashboard, in the upper-left corner, select Create.
On the Basics tab, enter information for your connection monitor:
Connection Monitor Name: Enter a name for your connection monitor. Use the standard naming rules for Azure resources.
Subscription: Select a subscription for your connection monitor.
Region: Select a region for your connection monitor. You can select only the source VMs that are created in this region.
Workspace configuration: Choose a custom workspace or the default workspace. Your workspace holds your monitoring data.
To use the default workspace, select the check box.
To choose a custom workspace, clear the check box. Then select the subscription and region for your custom workspace.
At the bottom of the tab, select Next: Test groups.
Add sources, destinations, and test configurations in your test groups. To learn about setting up your test groups, see Create test groups in Connection Monitor.
At the bottom of the tab, select Next: Review + create.
On the Review + create tab, review the basic information and test groups before you create the connection monitor. If you need to edit the connection monitor, you can do so by going back to the respective tabs.
Note
The Review + create tab shows the cost per month during the Connection Monitor stage. Currently, the Current Cost/Month column shows no charge. When Connection Monitor becomes generally available, this column will show a monthly charge.
Even during the Connection Monitor stage, Log Analytics ingestion charges apply.
When you're ready to create the connection monitor, at the bottom of the Review + create tab, select Create.
Connection Monitor creates the connection monitor resource in the background.
Create test groups in a connection monitor
Each test group in a connection monitor includes sources and destinations that get tested on network parameters. They're tested for the percentage of checks that fail and the RTT over test configurations.
In the Azure portal, to create a test group in a connection monitor, you specify values for the following fields:
Disable test group: You can select this check box to disable monitoring for all sources and destinations that the test group specifies. This selection is cleared by default.
Name: Name your test group.
Sources: You can specify both Azure VMs and on-premises machines as sources if agents are installed on them. To learn about installing an agent for your source, see Install monitoring agents.
To choose Azure agents, select the Azure endpoints tab. Here you see only VMs that are bound to the region that you specified when you created the connection monitor. By default, VMs are grouped into the subscription that they belong to. These groups are collapsed.
You can drill down from the Subscription level to other levels in the hierarchy:
Subscription > Resource group > VNET > Subnet > VMs with agents
You can also change the Group by selector to start the tree from any other level. For example, if you group by virtual network, you see the VMs that have agents in the hierarchy VNET > Subnet > VMs with agents.
When you select a VNET, subnet, or single VM, the corresponding resource ID is set as the endpoint. By default, all VMs in the selected VNET or subnet that have the Azure Network Watcher extension participate in monitoring. To reduce the scope, either select specific subnets or agents or change the value of the scope property.
To choose on-premises agents, select the Non-Azure endpoints tab. By default, agents are grouped into workspaces by region. All these workspaces have Network Performance Monitor configured.
Under Create Connection Monitor, on the Basics tab, the default region is selected. If you change the region, you can choose agents from workspaces in the new region. You can select one or more agents or subnets. In the Subnet view, you can select specific IPs for monitoring. If you add multiple subnets, a custom on-premises network named OnPremises_Network_1 will be created. You can also change the Group by selector to group by agents.
To choose recently used endpoints, you can use the Recent endpoint tab.
When you finish setting up sources, select Done at the bottom of the tab. You can still edit basic properties like the endpoint name by selecting the endpoint in the Create Test Group view.
Destinations: You can monitor connectivity to an Azure VM, an on-premises machine, or any endpoint (a public IP, URL, or FQDN) by specifying it as a destination. In a single test group, you can add Azure VMs, on-premises machines, Office 365 URLs, Dynamics 365 URLs, and custom endpoints.
To choose Azure VMs as destinations, select the Azure endpoints tab. By default, the Azure VMs are grouped into a subscription hierarchy that's in the region that you selected under Create Connection Monitor on the Basics tab. You can change the region and choose Azure VMs from the new region. Then you can drill down from the Subscription level to other levels in the hierarchy, just as you can when you set the source Azure endpoints.
You can select VNETs, subnets, or single VMs, as you can when you set the source Azure endpoints. When you select a VNET, subnet, or single VM, the corresponding resource ID is set as the endpoint. By default, all VMs in the selected VNET or subnet that have the Network Watcher extension participate in monitoring. To reduce the scope, either select specific subnets or agents or change the value of the scope property.
To choose non-Azure agents as destinations, select the Non-Azure endpoints tab. By default, agents are grouped into workspaces by region. All these workspaces have Network Performance Monitor configured.
If you need to add Network Performance Monitor to your workspace, get it from Azure Marketplace. For information about how to add Network Performance Monitor, see Monitoring solutions in Azure Monitor. For information about how to configure agents for on-premises machines, see Agents for on-premises machines.
Under Create Connection Monitor, on the Basics tab, the default region is selected. If you change the region, you can choose agents from workspaces in the new region. You can select one or more agents or subnets. In the Subnet view, you can select specific IPs for monitoring. If you add multiple subnets, a custom on-premises network named OnPremises_Network_1 will be created.
To choose public endpoints as destinations, select the External Addresses tab. The list of endpoints includes Office 365 test URLs and Dynamics 365 test URLs, grouped by name. You also can choose endpoints that were created in other test groups in the same connection monitor.
To add an endpoint, in the upper-right corner, select Add Endpoint. Then provide an endpoint name and URL, IP, or FQDN.
To choose recently used endpoints, go to the Recent endpoint tab.
When you finish choosing destinations, select Done. You can still edit basic properties like the endpoint name by selecting the endpoint in the Create Test Group view.
Test configurations: You can add one or more test configurations to a test group. Create a new test configuration by using the New configuration tab. Or add a test configuration from another test group in the same Connection Monitor from the Choose existing tab.
Test configuration name: Name the test configuration.
Protocol: Select TCP, ICMP, or HTTP. To change HTTP to HTTPS, select HTTP as the protocol and then select 443 as the port.
Create TCP test configuration: This check box appears only if you select HTTP in the Protocol list. Select this check box to create another test configuration that uses the same sources and destinations that you specified elsewhere in your configuration. The new test configuration is named <name of test configuration>_networkTestConfig.
Disable traceroute: This check box applies when the protocol is TCP or ICMP. Select this box to stop sources from discovering topology and hop-by-hop RTT.
Destination port: You can provide a destination port of your choice.
Listen on port: This check box applies when the protocol is TCP. Select this check box to open the chosen TCP port if it's not already open.
Test Frequency: In this list, specify how frequently sources will ping destinations on the protocol and port that you specified. You can choose 30 seconds, 1 minute, 5 minutes, 15 minutes, or 30 minutes. Select custom to enter another frequency that's between 30 seconds and 30 minutes. Sources will test connectivity to destinations based on the value that you choose. For example, if you select 30 seconds, sources will check connectivity to the destination at least once in every 30-second period.
Success Threshold: You can set thresholds on the following network parameters:
Checks failed: Set the percentage of checks that can fail when sources check connectivity to destinations by using the criteria that you specified. For the TCP or ICMP protocol, the percentage of failed checks can be equated to the percentage of packet loss. For HTTP protocol, this value represents the percentage of HTTP requests that received no response.
Round trip time: Set the RTT, in milliseconds, for how long sources can take to connect to the destination over the test configuration.
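The test group, test configuration and thresholds described above created with Az PowerShell rather than the portal, as an added example that is not from the page. It assumes myVmPublic from Exercise 2 carries the Network Watcher extension, that a Network Watcher exists in eastus, and uses the storage account's file endpoint on TCP 445 as the destination; <storage-account-name> is a placeholder.

```powershell
# Added example, not from the page: the test group / test configuration above via Az PowerShell.
# Assumes myVmPublic has the Network Watcher extension, a Network Watcher exists in eastus,
# and <storage-account-name> is the placeholder for the account created in Exercise 2.
$rg = 'myResourceGroup'; $location = 'eastus'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'myVmPublic'

# Source: an Azure VM by resource ID. Destination: an external FQDN, here the file endpoint.
$source = New-AzNetworkWatcherConnectionMonitorEndpointObject -Name 'myVmPublic-src' -ResourceId $vm.Id
$dest   = New-AzNetworkWatcherConnectionMonitorEndpointObject -Name 'storage-files' `
            -Address '<storage-account-name>.file.core.windows.net'

# TCP/445 every 30 s (the minimum frequency); the test fails when more than 20 % of checks
# fail or RTT exceeds 30 ms. Traceroute is disabled, as the "Disable traceroute" box does.
$tcp = New-AzNetworkWatcherConnectionMonitorProtocolConfigurationObject -TcpProtocol -Port 445 -DisableTraceRoute
$testConfig = New-AzNetworkWatcherConnectionMonitorTestConfigurationObject -Name 'smb-445' `
  -TestFrequencySec 30 -ProtocolConfiguration $tcp `
  -SuccessThresholdChecksFailedPercent 20 -SuccessThresholdRoundTripTimeMs 30

# One test group binds sources, destinations and the test configuration together
$testGroup = New-AzNetworkWatcherConnectionMonitorTestGroupObject -Name 'storage-reachability' `
  -TestConfiguration $testConfig -Source $source -Destination $dest

$watcher = Get-AzNetworkWatcher -Location $location
$monitor = New-AzNetworkWatcherConnectionMonitor -NetworkWatcher $watcher -Name 'myConnectionMonitor' `
  -TestGroup $testGroup -Location $location
"Created $($monitor.Name) with $($monitor.TestGroups.Count) test group(s)"
```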
Create alerts in Connection Monitor
You can set up alerts on tests that are failing based on the thresholds set in test configurations.
In the Azure portal, to create alerts for a connection monitor, you specify values for these fields:
Create alert: You can select this check box to create a metric alert in Azure Monitor. When you select this check box, the other fields will be enabled for editing. Additional charges for the alert will be applicable, based on the pricing for alerts.
Scope > Resource > Hierarchy: These values are automatically filled, based on the values specified on the Basics tab.
Condition name: The alert is created on the Test Result (preview) metric. When the result of the connection monitor test is a failing result, the alert rule will fire.
Action group name: You can enter your email directly or you can create alerts via action groups. If you enter your email directly, an action group with the name NPM Email ActionGroup is created. The email ID is added to that action group. If you choose to use action groups, you need to select a previously created action group. To learn how to create an action group, see Create action groups in the Azure portal. After the alert is created, you can manage your alerts.
Alert rule name: The name of the connection monitor.
Enable rule upon creation: Select this check box to enable the alert rule based on the condition. Disable this check box if you want to create the rule without enabling it.
Scale limits
Connection monitors have these scale limits:
Maximum connection monitors per subscription per region: 100
Maximum test groups per connection monitor: 20
Maximum sources and destinations per connection monitor: 100
Maximum test configurations per connection monitor: 2 via the Azure portal
Exercise 4: Azure Storage Explorer
Duration: 30 minutes
Synopsis: Microsoft Azure Storage Explorer is a standalone app that makes it easy to work with Azure Storage data on Windows, macOS, and Linux. In these exercises, you’ll learn several ways of connecting to and managing your Azure storage accounts.
Note: To fully access resources after you sign in, Storage Explorer requires both management (Azure Resource Manager) and data layer permissions. This means that you need Azure Active Directory (Azure AD) permissions to access your storage account, the containers in the account, and the data in the containers.
In Storage Explorer, select View > Account Management or select the Manage Accounts button.
ACCOUNT MANAGEMENT now displays all the Azure accounts you're signed in to. To connect to another account, select Add an account….
The Connect to Azure Storage dialog opens. In the Select Resource panel, select Subscription.
In the Select Azure Environment panel, select an Azure environment to sign in to. You can sign in to global Azure, a national cloud or an Azure Stack instance. Then select Next.
Storage Explorer will open a webpage for you to sign in.
After you successfully sign in with an Azure account, the account and the Azure subscriptions associated with that account appear under ACCOUNT MANAGEMENT. Select the Azure subscriptions that you want to work with, and then select Apply.
EXPLORER displays the storage accounts associated with the selected Azure subscriptions.
Attach to an individual resource
Storage Explorer lets you connect to individual resources, such as an Azure Data Lake Storage Gen2 container, using various authentication methods. Some authentication methods are only supported for certain resource types.
To connect to an individual resource, select the Connect button in the left-hand toolbar. Then follow the instructions for the resource type you want to connect to.
When a connection to a storage account is successfully added, a new tree node will appear under Local & Attached > Storage Accounts.
For other resource types, a new node is added under Local & Attached > Storage Accounts > (Attached Containers). The node will appear under a group node matching its type. For example, a new connection to an Azure Data Lake Storage Gen2 container will appear under Blob Containers.
Exercise 5: Monitoring a Virtual Machine
Duration: 45 minutes
Synopsis: To monitor the health and performance of an Azure virtual machine, you need to install an agent to collect data from its guest operating system. VM insights is a feature of Azure Monitor for monitoring the guest operating system and workloads running on Azure virtual machines. When you enable monitoring for an Azure virtual machine, it installs the necessary agents and starts collecting performance, process, and dependency information from the guest operating system.
In this exercise, you learn how to:
Create a Log Analytics workspace to collect performance and log data from the virtual machine.
Enable VM insights for the virtual machine which installs the required agents and begins data collection.
Inspect graphs analyzing performance data collected from the virtual machine.
Inspect the map showing processes running on the virtual machine and their dependencies on other systems.
Task 1 – Enable Monitoring
Create a Log Analytics workspace
Log data in Azure Monitor is stored in a Log Analytics workspace. If you already created a workspace in your subscription, then you can use that one. You can also choose to use the default workspace that's created in each Azure subscription.
If you want to create a new Log Analytics workspace, use the following procedure. If you're going to use an existing one, move on to the next section.
From All services in the Azure portal, select Log Analytics workspaces.
Click Create to create a new workspace.
On the Basics tab, select a Subscription, Resource group, and Region for the workspace. These do not need to be the same as the resource being monitored. Provide a Name that must be globally unique across all Azure Monitor subscriptions.
Click Review + Create to create the workspace.
Enable monitoring
Select Insights from your virtual machine's menu in the Azure portal. If VM insights hasn't yet been enabled for it, you'll see a screen that lets you enable monitoring. Click Enable.
Note
If you selected the option to Enable detailed monitoring when you created your virtual machine, VM insights may already be enabled. Select your workspace and click Enable again. This is the workspace where data collected by VM insights will be sent.
You'll see a message saying that monitoring is being enabled. It may take several minutes for the agent to be installed and for data collection to begin.
Note
You may receive a message about an upgrade being available for VM insights. If so, select the option to perform the upgrade before proceeding.
View performance
When the deployment is complete, you'll see views in the Performance tab in VM insights with performance data for the machine. This shows you the values of key guest metrics over time.
View processes and dependencies
Select the Maps tab to view processes and dependencies for the virtual machine. The current machine is at the center of the view. View the processes running on it by expanding Processes.
View machine details
The Maps view provides different tabs with information collected about the virtual machine. Click through the tabs to see what's available.
Task 2 – Alert on machine down
Create a heartbeat query
There are multiple ways to create a log query alert rule. For this tutorial, we'll start from the Logs Events tab in the Map view. This gives a summary of the log data that's been collected for the virtual machine.
Click on Heartbeat. This opens Log Analytics, which is the primary tool to analyze log data collected from the virtual machine, with a simple query for heartbeat events. If you click on TimeGenerated to sort by that column, you can see that a heartbeat is created each minute.
For the alert, you want to return only heartbeat records in the last 5 minutes. If no records are returned, then you can assume the virtual machine is down.
Add a line to the query to filter the results to only records created in the last 5 minutes. This uses the ago function that subtracts a particular time span from the current time.
Heartbeat
| where Computer == 'computer-name'
| where TimeGenerated > ago(5m)
Click Run to see the results of this query, which should now include just the heartbeats in the last 5 minutes.
Create alert rule
Now that you have the log query, you can create an alert rule that sends an alert when that query doesn't return any records. If no heartbeat records are returned for the last 5 minutes, then we can assume the machine hasn't been responsive in that time.
Click New alert rule to create a rule from the current query.
The alert rule will already have the Log query filled in. The Measurement is also already correct since we want to count the number of table rows returned from the query. If the number of rows is zero, then we want to create an alert.
Scroll down to Alert logic and change Operator to Equal to and provide a Threshold value of 0. This means that we want to create an alert when no records are returned, or when the record count from the query equals zero.
Configure action group
The Actions page allows you to add one or more action groups to the alert rule. Action groups define a set of actions to take when an alert is fired such as sending an email or an SMS message.
If you already have an action group, click Add action group to add an existing group to the alert rule.
If you don't already have an action group in your subscription to select, then click Create action group to create a new one. Select a Subscription and Resource group for the action group and give it an Action group name that will appear in the portal and a Display name that will appear in email and SMS notifications.
Select Notifications and add one or more methods to notify appropriate people when the alert is fired.
Configure details
The Details page allows you to configure different settings for the alert rule.
Subscription and Resource group where the alert rule will be stored. This doesn't need to be in the same resource group as the resource that you're monitoring.
Severity for the alert. The severity allows you to group alerts with a similar relative importance. A severity of Error is appropriate for an unresponsive virtual machine.
Keep the box checked to Enable alert upon creation.
Keep the box checked to Automatically resolve alerts. This will automatically resolve the alert when the virtual machine comes back online and heartbeat records are seen again.
Click Review + create to create the alert rule.
View the alert
To test the alert rule, stop the virtual machine. If you configured a notification in your action group, then you should receive that notification within a few minutes. You'll also see an alert indicated in the summary shown in the Alerts page for the virtual machine.
Click on the Severity to see the list of those alerts. Click on the alert itself to view its details.
Task 3 – Collect guest logs and metrics
Create data collection rule
Data collection rules in Azure Monitor define data to collect and where it should be sent. When you define the data collection rule using the Azure portal, you specify the virtual machines it should be applied to. The Azure Monitor agent will automatically be installed on any virtual machines that don't already have it.
Note
You must currently install the Azure Monitor agent from Monitor menu in the Azure portal. This functionality is not yet available from the virtual machine's menu.
From the Monitor menu in the Azure portal, select Data Collection Rules and then Create to create a new data collection rule.
On the Basics tab, provide a Rule Name, which is the name of the rule displayed in the Azure portal. Select a Subscription, Resource Group, and Region where the DCR and its associations will be stored. These do not need to be the same as the resources being monitored. The Platform Type defines the options that are available as you define the rest of the DCR. Select Windows or Linux if the rule will be associated only with those resources, or Custom if it will be associated with both types.
Select resources
On the Resources tab, identify one or more virtual machines that the data collection rule will apply to. The Azure Monitor agent will be installed on any that don't already have it. Click Add resources and select either your virtual machines or the resource group or subscription where your virtual machine is located. The data collection rule will apply to all virtual machines in the selected scope.
Select data sources
A single data collection rule can have multiple data sources. For this tutorial, we'll use the same rule to collect both guest metrics and guest logs. We'll send metrics both to Azure Monitor Metrics and to Azure Monitor Logs so that they can be analyzed with both metrics explorer and Log Analytics.
On the Collect and deliver tab, click Add data source. For the Data source type, select Performance counters. Leave the Basic setting and select the counters that you want to collect. Custom allows you to select individual metric values.
Select the Destination tab. Azure Monitor Metrics should already be listed. Click Add destination to add another. Select Azure Monitor Logs for the Destination type. Select your Log Analytics workspace for the Account or namespace. Click Add data source to save the data source.
Click Add data source again to add logs to the data collection rule. For the Data source type, select Windows event logs or Linux syslog. Select the types of log data that you want to collect.
Select the Destination tab. Azure Monitor Logs should already be selected for the Destination type. Select your Log Analytics workspace for the Account or namespace. If you don't already have a workspace, then you can select the default workspace for your subscription, which will automatically be created. Click Add data source to save the data source.
Click Review + create to create the data collection rule and install the Azure Monitor agent on the selected virtual machines.
Viewing logs
Data is retrieved from a Log Analytics workspace using a log query written in Kusto Query Language (KQL). While a set of pre-created queries are available for virtual machines, we'll use a simple query to have a look at the events that we're collecting.
Select Logs from your virtual machine's menu. Log Analytics opens with an empty query window with the scope set to that machine. Any queries will include only records collected from that machine.
Note
The Queries window may open when you open Log Analytics. This includes pre-created queries that you can use. For now, close this window since we're going to manually create a simple query.
In the empty query window, type either Event or Syslog depending on whether your machine is running Windows or Linux and then click Run. The events collected within the Time range are displayed.
Note
If the query doesn't return any data, then you may need to wait a few minutes until events are created on the virtual machine and collected. You may also need to modify the data source in the data collection rule to include additional categories of events.
You can view metrics for your host virtual machine with metrics explorer without a data collection rule just like any other Azure resource. With the data collection rule though, you can use metrics explorer to view guest metrics in addition to host metrics.
Select Metrics from your virtual machine's menu. Metrics explorer opens with the scope set to your virtual machine. Click Metric Namespace, and select Virtual Machine Guest.
Note
If you don't see Virtual Machine Guest, you may just need to wait a few more minutes for the agent to be deployed and data to begin collecting.
The available guest metrics are displayed. Select a Metric to add to the chart.
Exercise 6: Administering users
Duration: 20 minutes
Synopsis: In this exercise, you will set up Azure Sentinel to point to a logging workspace and then create custom alerts that execute Azure Runbooks.
Assign roles
A common way to assign Azure AD roles to a user is on the Assigned roles page for that user. You can also configure a user's eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM). For more information about how to use PIM, see Privileged Identity Management.
Note
If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the Privileged Identity Management experience. This feature is currently limited to assigning only one role at a time. You can't currently select multiple roles and assign them to a user all at once.
Assign a role to a user
Go to the Azure portal and sign in using a Global administrator account for the directory.
Search for and select Azure Active Directory.
Select Users.
Search for and select the user getting the role assignment. For example, Alain Charon.
On the Alain Charon – Profile page, select Assigned roles.
The Alain Charon – Administrative roles page appears.
Select Add assignments, select the role to assign to Alain (for example, Application administrator), and then choose Select.
The Application administrator role is assigned to Alain Charon and it appears on the Alain Charon – Administrative roles page.
Remove a role assignment
If you need to remove the role assignment from a user, you can also do that from the Alain Charon – Administrative roles page.
To remove a role assignment from a user
Select Azure Active Directory, select Users, and then search for and select the user getting the role assignment removed. For example, Alain Charon.
Select Assigned roles, select Application administrator, and then select Remove assignment.
The Application administrator role is removed from Alain Charon and it no longer appears on the Alain Charon – Administrative roles page.
Exercise 7: Using Compliance Tools (Azure Policy, Secure Score and Compliance Manager)
Duration: 30 minutes
Synopsis: In this exercise, attendees will learn how to migrate a web application to utilize Azure Key Vault rather than storing valuable credentials (such as connection strings) in application configuration files.
Task 1: Review a basic Azure Policy
Open the Azure Portal. Select All Services, then type Policy. Select Policy in the list of items.
In the blade menu, select Compliance, and review your Overall resource compliance percentage.
For the scope, ensure the proper subscription is selected, then select ASC Default (subscription:.
In the Initiative compliance blade, review your compliance metrics.
Scroll to the results area and select the Non-compliant resources tab.
In the filter search box, type PAW-1 and select it when displayed.
Note: You may not see resources display right away. If this is the case, then scroll through some other non-compliant resources.
With the Policies tab selected, review the policies that the resource is non-compliant with.
Note: New policies are being created and your number may be different from the image below.
Choose one of the policies. Review the Definition JSON of the policy definition, and notice how it is based on the ARM Template format and looks for specific properties to be set on the resources it evaluates; resources where the condition matches are reported as non-compliant.
Note: You can use these out of box templates to build your own policies and apply them as blueprints.
Task 2: Review and create Azure Blueprints
In the Policy blade, under Authoring, select Definitions. This is a list of all defined policies that can be selected for assignment to your subscription resources.
In the Policy blade, under Related Services, select Blueprints.
In the Blueprints blade, select Blueprint definitions.
Select +Create blueprint.
Review some of the sample blueprints, then select Start with blank blueprint.
For the name, type gdprblueprint.
For the location, select the ellipses, then select your subscription in the drop-down.
Choose Select.
Select Next: Artifacts.
Select + Add artifact.
For the Artifact Type, select Policy Assignment, review all the policies available to you (at the time of this writing you would see 37 definitions and 311 policies).
In the search box, type unrestricted, then browse for and select Audit unrestricted network access to storage accounts.
Select Add.
Select Save Draft. It may take a few minutes. The blade will automatically change when the save operation finishes.
For the new blueprint, select the ellipses, then select Publish Blueprint.
Select Publish.
For the version, type 1.0.0.
For the new blueprint, select the ellipses, then select Assign Blueprint.
Review the page, then choose Assign. This policy will now be audited across all your storage accounts in the specific subscription.
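To make the Definition JSON reviewed in Task 1 concrete, here is a minimal evaluator for a policy definition's if/then structure, run against constructed resources. It is an added example, not lab material and not Azure's own evaluation engine; the definition is constructed and modelled on the storage network access policy assigned in Task 2, and its field alias and the resource properties are assumptions. It also handles the allOf, anyOf and not combinators, which generalizes beyond the single policy in the lab.

```python
"""Added example (not from the lab and not Azure's evaluation engine): a minimal
evaluator for the if/then structure of an Azure Policy definition. The definition,
its field alias and the resources below are constructed for illustration."""
import json

# Constructed definition in the shape of the portal's Definition JSON: a condition
# over resource fields, and the effect applied when the condition matches.
POLICY = json.loads("""
{ "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
    { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
      "notEquals": "Deny" } ] },
  "then": { "effect": "audit" } }
""")

# Constructed resources, flattened so that an alias maps directly to one property.
RESOURCES = [
    {"name": "stopen01", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/networkAcls.defaultAction": "Allow"},
    {"name": "stlocked02", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/networkAcls.defaultAction": "Deny"},
    {"name": "PAW-1", "type": "Microsoft.Compute/virtualMachines"},
]

def _eq(a, b):
    """Azure Policy string comparisons are case-insensitive."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b

def matches(condition, resource):
    """Evaluate one condition: allOf/anyOf/not combinators or a single field test."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resource.get(condition["field"])  # missing property evaluates as None
    if "equals" in condition:
        return _eq(value, condition["equals"])
    if "notEquals" in condition:
        return not _eq(value, condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")

def evaluate(policy, resources):
    """Return the effect and the names of resources whose state matches the 'if'
    block; for audit and deny effects these are the non-compliant resources."""
    flagged = [r["name"] for r in resources if matches(policy["if"], r)]
    return policy["then"]["effect"], flagged

if __name__ == "__main__":
    print(evaluate(POLICY, RESOURCES))  # ('audit', ['stopen01'])
```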
Task 3: Secure Score
In the Azure Portal, select All Services, then type Security and select Security Center.
In the Security Center blade, under POLICY & COMPLIANCE, select Secure score.
Review your overall secure score values and then notice the category values.
On the bottom half of the window, select your subscription. You will be presented with the items that have failed resource validation, sorted by the score value assigned to each recommendation item.
Select An Azure Active Directory administrator should be provisioned for SQL Servers. On the recommendation blade, you will be presented with information about how to remediate the recommendation and gain its impact value for your score.
Task 4: Use Compliance Manager for Azure
Note: You may need additional permissions to run this portion of the lab. Contact your Global Administrator.
In the top corner, select Sign in; you will be redirected to the Azure AD login page.
If prompted, select or sign in with your Azure AD\Office 365 credentials.
In the menu, select Compliance Manager->Compliance Manager Classic.
Select the +Add Assessment link.
Select Create a new Group and, for the name, type AzureSecurity. Select Next, set the Would you like to copy the data from an existing group toggle to No, and select Next.
For the product dropdown, select Azure.
For the certification dropdown, select GDPR.
Select Add to Dashboard. You will now see a new assessment for Azure and GDPR in progress:
Select Azure GDPR.
Review the various controls that you can implement:
On the top menu, choose Trust Documents, then select Audit Reports.
Notice the various tabs that you can select from, then select FedRAMP Reports.
These are all the FedRAMP reports, sorted by date, that have been performed and publicly posted for Azure customer review. Select the item displayed and briefly review the document.