Azure Networking - Challenges Guide

Exercise 1: Create a Virtual Network

Duration: 20 minutes

Synopsis: In this exercise, you learn how to create a virtual network using the Azure portal, deploy a virtual machine (VM) into it, and connect to the VM.

 

Create a virtual network

  1. Select Create a resource in the upper left-hand corner of the portal.

  2. In the search box, enter Virtual Network. Select Virtual Network in the search results.

  3. In the Virtual Network page, select Create.

  4. In Create virtual network, enter or select this information in the Basics tab:

    Setting Value
    Project details  
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter myResourceGroup.
    Select OK.
    Instance details  
    Name Enter myVNet.
    Region Select (US) East US.

    Create virtual network Azure portal

  5. Select the IP Addresses tab, or select the Next: IP Addresses button at the bottom of the page.

  6. In IPv4 address space, select the existing address space and change it to 10.1.0.0/16.

  7. Select + Add subnet, then enter MySubnet for Subnet name and 10.1.0.0/24 for Subnet address range.

  8. Select Add.

  9. Select the Security tab, or select the Next: Security button at the bottom of the page.

  10. Under BastionHost, select Enable. Enter this information:

    Setting Value
    Bastion name Enter myBastionHost
    AzureBastionSubnet address space Enter 10.1.1.0/24
    Public IP Address Select Create new.
    For Name, enter myBastionIP.
    Select OK.
  11. Select the Review + create tab or select the Review + create button.

  12. Select Create.

Create virtual machines

Create two VMs in the virtual network:

Create the first VM

  1. On the upper-left side of the portal, select Create a resource > Compute > Virtual machine.

  2. In Create a virtual machine, type or select the values in the Basics tab:

    Setting Value
    Project Details  
    Subscription Select your Azure subscription
    Resource Group Select myResourceGroup
    Instance details  
    Virtual machine name Enter myVM1
    Region Select (US) East US
    Availability Options Select No infrastructure redundancy required
    Image Select Windows Server 2019 Datacenter
    Azure Spot instance Select No
    Size Choose VM size or take default setting
    Administrator account  
    Username Enter a username
    Password Enter a password
    Confirm password Reenter password
    Inbound port rules  
    Public inbound ports Select None.
       
  3. Select the Networking tab, or select Next: Disks, then Next: Networking.

  4. In the Networking tab, select or enter:

    Setting Value
    Network interface  
    Virtual network Select myVNet.
    Subnet Select MySubnet
    Public IP Select None
    NIC network security group Select Basic
    Public inbound ports Select None.
  5. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  6. Review the settings, and then select Create.
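The same build as an added Az PowerShell script (not part of the original lab): the VNet with MySubnet and AzureBastionSubnet, the Bastion host, and myVM1 with no public IP. It assumes the Az.Resources, Az.Network and Az.Compute modules and a signed-in session; the VM size and the NIC and NSG names are choices made here, not values from the lab.

```powershell
# Added example, not part of the original lab: builds Exercise 1 with Az PowerShell.
# Assumes Az.Resources, Az.Network and Az.Compute and an authenticated session
# (Connect-AzAccount). VM size and the NIC/NSG names are choices made here.
$rg       = "myResourceGroup"
$location = "eastus"

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Workload subnet plus the Bastion subnet. The name AzureBastionSubnet is mandatory
# and the lab's /24 satisfies Bastion's minimum prefix size.
$workloadSubnet = New-AzVirtualNetworkSubnetConfig -Name "MySubnet" -AddressPrefix "10.1.0.0/24"
$bastionSubnet  = New-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "10.1.1.0/24"

$vnet = New-AzVirtualNetwork -Name "myVNet" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.1.0.0/16" -Subnet $workloadSubnet, $bastionSubnet

# Bastion is the only resource in this design that owns a public IP address.
$bastionIp = New-AzPublicIpAddress -Name "myBastionIP" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

New-AzBastion -ResourceGroupName $rg -Name "myBastionHost" `
    -PublicIpAddress $bastionIp -VirtualNetwork $vnet | Out-Null

# NIC-level NSG with no custom rules ("Public inbound ports: None"): only the default
# rules apply, which allow traffic from inside the VNet (where Bastion lives) and deny
# everything else inbound.
$nsg = New-AzNetworkSecurityGroup -Name "myVM1-nsg" -ResourceGroupName $rg -Location $location

# No -PublicIpAddress on the NIC, matching "Public IP: None" in the portal.
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name "MySubnet" -VirtualNetwork $vnet).Id
$nic = New-AzNetworkInterface -Name "myVM1-nic" -ResourceGroupName $rg -Location $location `
    -SubnetId $subnetId -NetworkSecurityGroupId $nsg.Id

$cred = Get-Credential -Message "Administrator account for myVM1"

$vmConfig = New-AzVMConfig -VMName "myVM1" -VMSize "Standard_D2s_v3" |
    Set-AzVMOperatingSystem -Windows -ComputerName "myVM1" -Credential $cred |
    Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" `
        -Skus "2019-Datacenter" -Version "latest" |
    Add-AzVMNetworkInterface -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig | Out-Null

# Check: the VM's NIC must have no public IP, so Bastion is the only way in.
$publicIp = (Get-AzNetworkInterface -Name "myVM1-nic" -ResourceGroupName $rg).IpConfigurations[0].PublicIpAddress
if ($null -eq $publicIp) {
    "myVM1 has no public IP address; connect through myBastionHost."
} else {
    throw "myVM1 unexpectedly has a public IP: $($publicIp.Id)"
}
```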

 

Task 3 – Connect to myVM1

  1. Go to the Azure portal to manage your private VM. Search for and select Virtual machines.

  2. Pick the name of your private virtual machine myVM1.

  3. In the VM menu bar, select Connect, then select Bastion.

    Connect to myVM1 with Azure Bastion

  4. In the Connect page, select the blue Use Bastion button.

  5. In the Bastion page, enter the username and password you created for the virtual machine previously.

  6. Select Connect.


Exercise 2: Restrict network access

Duration: 45 minutes

Synopsis: In this exercise, attendees will learn how to restrict network access to PaaS resources with virtual network service endpoints. The virtual network service endpoints enable you to limit network access to some Azure service resources to a virtual network subnet. You can also remove internet access to the resources. Service endpoints provide a direct connection from your virtual network to supported Azure services, allowing you to use your virtual network’s private address space to access the Azure services. Traffic destined to Azure resources through service endpoints always stays on the Microsoft Azure backbone network. 


Create a virtual network

  1. Sign in to the Azure portal.

  2. Select + Create a resource on the upper left corner of the Azure portal. Search for Virtual Network, and then select Create.

    Screenshot of search for virtual network in create a resource page.

  3. On the Basics tab, enter the following information and then select Next: IP Addresses >.

    Setting Value
    Subscription Select your subscription
    Resource group Select Create new and enter myResourceGroup.
    Name Enter myVirtualNetwork
    Region Select (US) East US

    Screenshot of basics tab for create a virtual network.

  4. On the IP Addresses tab, select the following IP address settings and then select Review + create.

    Setting Value
    IPv4 address space Leave as default.
    Subnet name Select default and change the subnet name to “Public”.
    Subnet Address Range Leave as default.

    Screenshot of IP addresses tab for create a virtual network.

  5. If the validation checks pass, select Create.

  6. Wait for the deployment to finish, then select Go to resource or move on to the next section.

Enable a service endpoint

Service endpoints are enabled per service, per subnet. To create a subnet and enable a service endpoint for the subnet:

  1. If you're not already on the virtual network resource page, you can search for the newly created network in the box at the top of the portal. Enter myVirtualNetwork, and select it from the list.

  2. Select Subnets under Settings, and then select + Subnet, as shown:

    Screenshot of adding subnet to an existing virtual network.

  3. On the Add subnet page, select or enter the following information, and then select Save:

    Setting Value
    Name Private
    Subnet address range Leave as default
    Service endpoints Select Microsoft.Storage
    Service endpoint policies Leave default. 0 selected.

    Screenshot of add a subnet page with service endpoints configured.

 Caution

Before enabling a service endpoint for an existing subnet that has resources in it, see Change subnet settings.

Restrict network access for a subnet

By default, all virtual machine instances in a subnet can communicate with any resources. You can limit communication to and from all resources in a subnet by creating a network security group, and associating it to the subnet:

  1. In the search box at the top of the Azure portal, search for Network security groups.

    Screenshot of searching for network security groups.

  2. On the Network security groups page, select + Create.

    Screenshot of network security groups landing page.

  3. Enter or select the following information:

    Setting Value
    Subscription Select your subscription
    Resource group Select myResourceGroup from the list
    Name Enter myNsgPrivate
    Location Select East US
  4. Select Review + create, and when the validation check is passed, select Create.

    Screenshot of create a network security group page.

  5. After the network security group is created, select Go to resource or search for myNsgPrivate at the top of the Azure portal.

  6. Select Outbound security rules under Settings and then select + Add.

    Screenshot of adding outbound security rule.

  7. Create a rule that allows outbound communication to the Azure Storage service. Enter, or select, the following information, and then select Add:

    Setting Value
    Source Select VirtualNetwork
    Source port ranges *
    Destination Select Service Tag
    Destination service tag Select Storage
    Service Leave default as Custom.
    Destination port ranges Change to 445. SMB protocol is used to connect to a file share created in a later step.
    Protocol Any
    Action Allow
    Priority 100
    Name Rename to Allow-Storage-All

    Screenshot of creating an outbound security to access storage.

  8. Create another outbound security rule that denies communication to the internet. This rule overrides a default rule in all network security groups that allows outbound internet communication. Repeat steps 6-7 above using the following values, and then select Add:

    Setting Value
    Source Select VirtualNetwork
    Source port ranges *
    Destination Select Service Tag
    Destination service tag Select Internet
    Service Leave default as Custom.
    Destination port ranges *
    Protocol Any
    Action Change default to Deny.
    Priority 110
    Name Change to Deny-Internet-All

    Screenshot of creating an outbound security to block internet access.

  9. Create an inbound security rule that allows Remote Desktop Protocol (RDP) traffic to the subnet from anywhere. The rule overrides a default security rule that denies all inbound traffic from the internet. Remote desktop connections are allowed to the subnet so that connectivity can be tested in a later step. Select Inbound security rules under Settings and then select + Add.

    Screenshot of adding inbound security rule.

  10. Enter or select the following values and then select Add.

    Setting Value
    Source Any
    Source port ranges *
    Destination Select VirtualNetwork
    Destination port ranges Change to 3389
    Protocol Any
    Action Allow
    Priority 120
    Name Change to Allow-RDP-All

    Screenshot of creating an allow inbound remote desktop rule.

     Warning

    RDP port 3389 is exposed to the Internet. This is only recommended for testing. For Production environments, we recommend using a VPN or private connection.

  11. Select Subnets under Settings and then select + Associate.

    Screenshot of network security groups subnet association page.

  12. Select myVirtualNetwork under Virtual Network and then select Private under Subnets. Select OK to associate the network security group with the selected subnet.

    Screenshot of associating a network security group to a private subnet.

Restrict network access to a resource

The steps required to restrict network access to resources created through Azure services that support service endpoints vary from service to service. See the documentation for each service for its specific steps. The rest of this tutorial uses an Azure Storage account as the example.

Create a storage account

  1. Select + Create a resource on the upper, left corner of the Azure portal.

  2. Enter “Storage account” in the search bar, and select it from the drop-down menu. Then select Create.

  3. Enter the following information:

    Setting Value
    Subscription Select your subscription
    Resource group Select myResourceGroup
    Storage account name Enter a name that is unique across all Azure locations. The name has to be between 3 and 24 characters long and may contain only numbers and lower-case letters.
    Region Select (US) East US
    Performance Standard
    Redundancy Locally redundant storage (LRS)

    Screenshot of create a new storage account.

  4. Select Review + create, and when validation checks have passed, select Create.

     Note

    The deployment may take a couple of minutes to complete.

  5. After the storage account is created, select Go to resource.

Create a file share in the storage account

  1. Select File shares under Data storage, and then select + File share.

    Screenshot of file share page in a storage account.

  2. Enter or set the following values for the file share, and then select Create:

    Setting Value
    Name my-file-share
    Quota Select Set to maximum.
    Tier Leave as default, Transaction optimized.

    Screenshot of create new file share settings page.

  3. The new file share should appear on the file share page; if not, select the Refresh button at the top of the page.

Restrict network access to a subnet

By default, storage accounts accept network connections from clients in any network, including the internet. You can restrict network access from the internet and from all other subnets in all virtual networks (except the Private subnet in the myVirtualNetwork virtual network). To restrict network access to a subnet:

  1. Select Networking under Settings for your (uniquely named) storage account.

  2. Select Allow access from Selected networks and then select + Add existing virtual network.

    Screenshot of storage account networking settings page.

  3. Under Add networks, select the following values, and then select Add:

    Setting Value
    Subscription Select your subscription
    Virtual networks myVirtualNetwork
    Subnets Private

    Screenshot of add virtual network to storage account page.

  4. Select the Save button to save the virtual network configurations.

  5. Select Access keys under Security + networking for the storage account and select Show keys. Note the value for key1 to use in a later step when mapping the file share in a VM.

    Screenshot of storage account key and connection strings.
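The Exercise 2 controls as one added Az PowerShell script (not the lab's own code): the three NSG rules, the Private subnet with its Microsoft.Storage service endpoint, the storage account and file share, and the storage firewall limited to that subnet. It assumes the Az.Network and Az.Storage modules, a signed-in session, an existing myResourceGroup, the portal's default prefixes (10.0.0.0/16 with Public 10.0.0.0/24 and Private 10.0.1.0/24), and <storage-account-name> as a placeholder.

```powershell
# Added example, not part of the original lab: builds Exercise 2's network and storage
# controls with Az PowerShell. Assumes Az.Network and Az.Storage, an authenticated
# session, an existing myResourceGroup, and the default portal prefixes 10.0.0.0/16,
# 10.0.0.0/24 (Public) and 10.0.1.0/24 (Private). <storage-account-name> is a placeholder.
$rg       = "myResourceGroup"
$location = "eastus"
$storageAccountName = "<storage-account-name>"   # 3-24 lowercase letters/digits, globally unique

# --- NSG: outbound allow SMB to Storage, then deny everything else to the internet ---
# Rules are evaluated in ascending priority order and the first match wins, so the
# narrow Allow (100) must sit before the broad Deny (110). The Allow covers TCP 445
# only: an HTTPS call (443) to the same storage account would still hit the Deny,
# because the Internet service tag includes Azure's own public address ranges.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name "Allow-Storage-All" -Direction Outbound `
    -Access Allow -Protocol "*" -Priority 100 `
    -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
    -DestinationAddressPrefix "Storage" -DestinationPortRange 445

$denyInternet = New-AzNetworkSecurityRuleConfig -Name "Deny-Internet-All" -Direction Outbound `
    -Access Deny -Protocol "*" -Priority 110 `
    -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
    -DestinationAddressPrefix "Internet" -DestinationPortRange "*"

# Inbound RDP exists only so the lab can test from a workstation. The lab's own warning
# applies: outside a lab, replace "*" with your management network's prefix.
$rdpSourcePrefix = "*"
$allowRdp = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-All" -Direction Inbound `
    -Access Allow -Protocol "*" -Priority 120 `
    -SourceAddressPrefix $rdpSourcePrefix -SourcePortRange "*" `
    -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -Name "myNsgPrivate" -ResourceGroupName $rg -Location $location `
    -SecurityRules $allowStorage, $denyInternet, $allowRdp

# --- VNet: Public subnet as-is; Private subnet with the Storage endpoint and the NSG ---
$publicSubnet  = New-AzVirtualNetworkSubnetConfig -Name "Public" -AddressPrefix "10.0.0.0/24"
$privateSubnet = New-AzVirtualNetworkSubnetConfig -Name "Private" -AddressPrefix "10.0.1.0/24" `
    -ServiceEndpoint "Microsoft.Storage" -NetworkSecurityGroup $nsg

$vnet = New-AzVirtualNetwork -Name "myVirtualNetwork" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $publicSubnet, $privateSubnet

# --- Storage account (Standard performance, LRS) and the file share ---
New-AzStorageAccount -ResourceGroupName $rg -Name $storageAccountName -Location $location `
    -SkuName Standard_LRS -Kind StorageV2 | Out-Null
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $storageAccountName `
    -Name "my-file-share" -QuotaGiB 5120 | Out-Null

# --- Storage firewall: allow the Private subnet first, then flip the default to Deny ---
# Adding the rule before changing the default avoids a window with no allowed network.
$privateSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name "Private" -VirtualNetwork $vnet).Id
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageAccountName `
    -VirtualNetworkResourceId $privateSubnetId | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageAccountName `
    -DefaultAction Deny | Out-Null

# Read back the rule set: DefaultAction should be Deny with exactly one VirtualNetworkRule.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageAccountName |
    Select-Object DefaultAction, Bypass,
        @{ n = "AllowedSubnets"; e = { $_.VirtualNetworkRules.VirtualNetworkResourceId } }
```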

Create virtual machines

To test network access to a storage account, deploy a VM to each subnet.

Create the first virtual machine

  1. On the Azure portal, select + Create a resource.

  2. Select Compute, and then Create under Virtual machine.

  3. On the Basics tab, enter or select the following information:

    Setting Value
    Subscription Select your subscription
    Resource group Select myResourceGroup, which was created earlier.
    Virtual machine name Enter myVmPublic
    Region (US) East US
    Availability options Availability zone
    Availability zone 1
    Image Select an OS image. For this VM Windows Server 2019 Datacenter – Gen1 is selected.
    Size Select the VM Instance size you want to use
    Username Enter a user name of your choosing.
    Password Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Public inbound ports Allow selected ports
    Select inbound ports Leave default set to RDP (3389)

    Screenshot of create public virtual machine settings.

  4. On the Networking tab, enter or select the following information:

    Setting Value
    Virtual Network Select myVirtualNetwork.
    Subnet Select Public.
    NIC network security group Select Advanced. The portal automatically creates a network security group for you that allows port 3389. You'll need this port open to connect to the virtual machine in a later step.

    Screenshot of create public virtual machine network settings.

  5. Select Review and create, then Create and wait for the deployment to finish.

  6. Select Go to resource, or open the Home > Virtual machines page, and select the VM you just created, myVmPublic, which should be started.

Create the second virtual machine

  1. Repeat steps 1-5 to create a second virtual machine. In step 3, name the virtual machine myVmPrivate and set NIC network security group to None. In step 4, select the Private subnet.

    Screenshot of create private virtual machine network settings.

  2. Select Review and create, then Create and wait for the deployment to finish.

     Warning

    Do not continue to the next step until the deployment is completed.

  3. Select Go to resource, or open the Home > Virtual machines page, and select the VM you just created, myVmPrivate, which should be started.

Confirm access to storage account

  1. Once the myVmPrivate VM has been created, go to the overview page of the virtual machine. Connect to the VM by selecting the Connect button and then select RDP from the drop-down.

    Screenshot of connect button for private virtual machine.

  2. Select the Download RDP File to download the remote desktop file to your computer.

    Screenshot of download RDP file for private virtual machine.

  3. Open the downloaded rdp file. When prompted, select Connect.

    Screenshot of connection screen for private virtual machine.

  4. Enter the user name and password you specified when creating the VM. You may need to select More choices, then Use a different account to specify the credentials you entered when you created the VM. For the email field, enter the “Administrator account: username” credentials you specified earlier. Select OK to sign into the VM.

    Screenshot of credential screen for private virtual machine.

     Note

    You may receive a certificate warning during the sign-in process. If you receive the warning, select Yes or Continue, to proceed with the connection.

  5. Once signed in, open Windows PowerShell. Using the script below, map the Azure file share to drive Z. Replace <storage-account-key> and both occurrences of <storage-account-name> with the values you supplied and noted earlier when creating the storage account and retrieving its access key.

    PowerShell
    $acctKey = ConvertTo-SecureString -String "<storage-account-key>" -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\<storage-account-name>", $acctKey
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\my-file-share" -Credential $credential
    

    PowerShell returns output similar to the following example output:

    PowerShell
    Name        Used (GB)     Free (GB) Provider      Root
    ----        ---------     --------- --------      ----
    Z                                      FileSystem    \\mystorage007.file.core.windows.net\my-f...
    

    The Azure file share successfully mapped to the Z drive.

  6. Close the remote desktop session to the myVmPrivate VM.

Confirm access is denied to storage account

From myVmPublic:

  1. Enter myVmPublic In the Search resources, services, and docs box at the top of the portal. When myVmPublic appears in the search results, select it.

  2. Repeat steps 1-5 above in Confirm access to storage account for the myVmPublic VM.

    After a short wait, you receive a New-PSDrive : Access is denied error. Access is denied because the myVmPublic VM is deployed in the Public subnet. The Public subnet doesn't have a service endpoint enabled for Azure Storage. The storage account only allows network access from the Private subnet, not the Public subnet.

    PowerShell
    New-PSDrive : Access is denied
    At line:1 char:1
    + New-PSDrive -Name Z -PSProvider FileSystem -Root "\\mystorage007.file ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Z:PSDriveInfo) [New-PSDrive], Win32Exception
        + FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
    
    
  3. Close the remote desktop session to the myVmPublic VM.

From a local machine:

  1. In the Azure portal, go to the uniquely named storage account you created earlier. For example, mystorage007.

  2. Select File shares under Data storage, and then select the my-file-share you created earlier.

  3. You should receive the following error message:

    Screenshot of access denied error message.

 Note

The access is denied because your computer is not in the Private subnet of the myVirtualNetwork virtual network.
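An added audit function (not part of the lab) that reads back the controls this exercise depends on and reports which ones are actually in place, so the denied result above can be explained from configuration rather than only observed. It assumes the Az.Network, Az.Compute and Az.Storage modules, a signed-in session, that myVmPrivate is running, and <storage-account-name> as a placeholder.

```powershell
# Added example, not part of the original lab: checks the Exercise 2 controls from the
# management plane. Assumes Az.Network, Az.Compute, Az.Storage, an authenticated session
# and a running myVmPrivate (effective NSG rules are only available for a running VM).
# <storage-account-name> is a placeholder.
function Test-LabIsolation {
    param(
        [string] $ResourceGroup      = "myResourceGroup",
        [string] $StorageAccountName = "<storage-account-name>",
        [string] $VNetName           = "myVirtualNetwork",
        [string] $VmName             = "myVmPrivate"
    )

    # 1. Storage firewall: default Deny, and the Private subnet is the only allowed network.
    $ruleSet    = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccountName
    $vnet       = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
    $private    = $vnet.Subnets | Where-Object Name -eq "Private"
    $public     = $vnet.Subnets | Where-Object Name -eq "Public"
    $allowedIds = @($ruleSet.VirtualNetworkRules | ForEach-Object VirtualNetworkResourceId)

    # 2. Service endpoints: Private carries Microsoft.Storage, Public does not. Without the
    #    endpoint the subnet's traffic reaches Storage from a public address, which the
    #    storage firewall cannot match to a subnet rule.
    $privateEndpoints = @($private.ServiceEndpoints | ForEach-Object Service)
    $publicEndpoints  = @($public.ServiceEndpoints  | ForEach-Object Service)

    # 3. Effective rules on myVmPrivate's NIC: the Storage allow must outrank the Internet
    #    deny, otherwise the SMB mount fails even though the storage firewall permits it.
    $vm      = Get-AzVM -Name $VmName -ResourceGroupName $ResourceGroup
    $nicName = ($vm.NetworkProfile.NetworkInterfaces[0].Id -split "/")[-1]
    $rules   = (Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName `
                    -ResourceGroupName $ResourceGroup).EffectiveSecurityRules
    $allowStorage = $rules | Where-Object { $_.Name -like "*Allow-Storage-All" }
    $denyInternet = $rules | Where-Object { $_.Name -like "*Deny-Internet-All" }

    [pscustomobject]@{
        StorageDefaultDeny         = ($ruleSet.DefaultAction -eq "Deny")
        OnlyPrivateSubnetAllowed   = ($allowedIds.Count -eq 1 -and $allowedIds[0] -eq $private.Id)
        PrivateHasStorageEndpoint  = ($privateEndpoints -contains "Microsoft.Storage")
        PublicHasNoStorageEndpoint = -not ($publicEndpoints -contains "Microsoft.Storage")
        NsgAllowBeforeDeny         = [bool]($allowStorage -and $denyInternet -and
                                            $allowStorage.Priority -lt $denyInternet.Priority)
    }
}

$result = Test-LabIsolation
$result | Format-List
if ($result.PSObject.Properties.Value -contains $false) {
    Write-Warning "At least one Exercise 2 control is missing; the access test above is not trustworthy."
}
```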


Exercise 3 – Monitoring communications between Azure resources

Duration: 45 minutes

Synopsis: In this exercise, you will learn how to use Connection Monitor to monitor communication between resources and how to create a monitor by using the Azure portal. Connection Monitor supports hybrid and Azure cloud deployments.


Create a connection monitor

To create a monitor in Connection Monitor by using the Azure portal:

  1. On the Azure portal home page, go to Network Watcher.

  2. In the left pane, in the Monitoring section, select Connection monitor.

    You'll see all the connection monitors that were created in Connection Monitor. To see the connection monitors that were created in the classic Connection Monitor, go to the Connection monitor tab.

    Screenshot that shows connection monitors created in Connection Monitor.

  3. In the Connection Monitor dashboard, in the upper-left corner, select Create.

  4. On the Basics tab, enter information for your connection monitor:

    • Connection Monitor Name: Enter a name for your connection monitor. Use the standard naming rules for Azure resources.
    • Subscription: Select a subscription for your connection monitor.
    • Region: Select a region for your connection monitor. You can select only the source VMs that are created in this region.
    • Workspace configuration: Choose a custom workspace or the default workspace. Your workspace holds your monitoring data.
      • To use the default workspace, select the check box.
      • To choose a custom workspace, clear the check box. Then select the subscription and region for your custom workspace.

    Screenshot that shows the Basics tab in Connection Monitor.

  5. At the bottom of the tab, select Next: Test groups.

  6. Add sources, destinations, and test configurations in your test groups. To learn about setting up your test groups, see Create test groups in Connection Monitor.

    Screenshot that shows the Test groups tab in Connection Monitor.

  7. At the bottom of the tab, select Next: Create Alerts. To learn about creating alerts, see Create alerts in Connection Monitor.

    Screenshot that shows the Create alert tab.

  8. At the bottom of the tab, select Next: Review + create.

  9. On the Review + create tab, review the basic information and test groups before you create the connection monitor. If you need to edit the connection monitor, you can do so by going back to the respective tabs.

    Screenshot that shows the Review + create tab in Connection Monitor.

     Note

    The Review + create tab shows the cost per month during the Connection Monitor stage. Currently, the Current Cost/Month column shows no charge. When Connection Monitor becomes generally available, this column will show a monthly charge.

    Even during the Connection Monitor stage, Log Analytics ingestion charges apply.

  10. When you're ready to create the connection monitor, at the bottom of the Review + create tab, select Create.

Connection Monitor creates the connection monitor resource in the background.

Create test groups in a connection monitor

Each test group in a connection monitor includes sources and destinations that get tested on network parameters. They're tested for the percentage of checks that fail and the RTT over test configurations.

In the Azure portal, to create a test group in a connection monitor, you specify values for the following fields:

  • Disable test group: You can select this check box to disable monitoring for all sources and destinations that the test group specifies. This selection is cleared by default.

  • Name: Name your test group.

  • Sources: You can specify both Azure VMs and on-premises machines as sources if agents are installed on them. To learn about installing an agent for your source, see Install monitoring agents.

    • To choose Azure agents, select the Azure endpoints tab. Here you see only VMs that are bound to the region that you specified when you created the connection monitor. By default, VMs are grouped into the subscription that they belong to. These groups are collapsed.

      You can drill down from the Subscription level to other levels in the hierarchy:

      Subscription > Resource group > VNET > Subnet > VMs with agents

      You can also change the Group by selector to start the tree from any other level. For example, if you group by virtual network, you see the VMs that have agents in the hierarchy VNET > Subnet > VMs with agents.

      When you select a VNET, subnet, or single VM, the corresponding resource ID is set as the endpoint. By default, all VMs in the selected VNET or subnet that have the Azure Network Watcher extension participate in monitoring. To reduce the scope, either select specific subnets or agents or change the value of the scope property.

      Screenshot that shows the Add Sources pane and the Azure endpoints tab in Connection Monitor.

    • To choose on-premises agents, select the Non-Azure endpoints tab. By default, agents are grouped into workspaces by region. All these workspaces have the Network Performance Monitor configured.

      If you need to add Network Performance Monitor to your workspace, get it from Azure Marketplace. For information about how to add Network Performance Monitor, see Monitoring solutions in Azure Monitor. For information about how to configure agents for on-premises machines, see Agents for on-premises machines.

      Under Create Connection Monitor, on the Basics tab, the default region is selected. If you change the region, you can choose agents from workspaces in the new region. You can select one or more agents or subnets. In the Subnet view, you can select specific IPs for monitoring. If you add multiple subnets, a custom on-premises network named OnPremises_Network_1 will be created. You can also change the Group by selector to group by agents.

      Screenshot that shows the Add Sources pane and the Non-Azure endpoints tab in Connection Monitor.

    • To choose recently used endpoints, you can use the Recent endpoint tab.

    • When you finish setting up sources, select Done at the bottom of the tab. You can still edit basic properties like the endpoint name by selecting the endpoint in the Create Test Group view.

  • Destinations: You can monitor connectivity to an Azure VM, an on-premises machine, or any endpoint (a public IP, URL, or FQDN) by specifying it as a destination. In a single test group, you can add Azure VMs, on-premises machines, Office 365 URLs, Dynamics 365 URLs, and custom endpoints.

    • To choose Azure VMs as destinations, select the Azure endpoints tab. By default, the Azure VMs are grouped into a subscription hierarchy that's in the region that you selected under Create Connection Monitor on the Basics tab. You can change the region and choose Azure VMs from the new region. Then you can drill down from the Subscription level to other levels in the hierarchy, just as you can when you set the source Azure endpoints.

      You can select VNETs, subnets, or single VMs, as you can when you set the source Azure endpoints. When you select a VNET, subnet, or single VM, the corresponding resource ID is set as the endpoint. By default, all VMs in the selected VNET or subnet that have the Network Watcher extension participate in monitoring. To reduce the scope, either select specific subnets or agents or change the value of the scope property.

      Screenshot that shows the Add Destinations pane and the Azure endpoints tab.

      Screenshot that shows the Add Destinations pane at the Subscription level.

    • To choose non-Azure agents as destinations, select the Non-Azure endpoints tab. By default, agents are grouped into workspaces by region. All these workspaces have Network Performance Monitor configured.

      If you need to add Network Performance Monitor to your workspace, get it from Azure Marketplace. For information about how to add Network Performance Monitor, see Monitoring solutions in Azure Monitor. For information about how to configure agents for on-premises machines, see Agents for on-premises machines.

      Under Create Connection Monitor, on the Basics tab, the default region is selected. If you change the region, you can choose agents from workspaces in the new region. You can select one or more agents or subnets. In the Subnet view, you can select specific IPs for monitoring. If you add multiple subnets, a custom on-premises network named OnPremises_Network_1 will be created.

      Screenshot that shows the Add Destinations pane and the Non-Azure endpoints tab.

    • To choose public endpoints as destinations, select the External Addresses tab. The list of endpoints includes Office 365 test URLs and Dynamics 365 test URLs, grouped by name. You also can choose endpoints that were created in other test groups in the same connection monitor.

      To add an endpoint, in the upper-right corner, select Add Endpoint. Then provide an endpoint name and URL, IP, or FQDN.

      Screenshot that shows where to add public endpoints as destinations in Connection Monitor.

    • To choose recently used endpoints, go to the Recent endpoint tab.

    • When you finish choosing destinations, select Done. You can still edit basic properties like the endpoint name by selecting the endpoint in the Create Test Group view.

  • Test configurations: You can add one or more test configurations to a test group. Create a new test configuration by using the New configuration tab. Or add a test configuration from another test group in the same Connection Monitor from the Choose existing tab.

    • Test configuration name: Name the test configuration.
    • Protocol: Select TCP, ICMP, or HTTP. To change HTTP to HTTPS, select HTTP as the protocol and then select 443 as the port.
      • Create TCP test configuration: This check box appears only if you select HTTP in the Protocol list. Select this check box to create another test configuration that uses the same sources and destinations that you specified elsewhere in your configuration. The new test configuration is named <name of test configuration>_networkTestConfig.
      • Disable traceroute: This check box applies when the protocol is TCP or ICMP. Select this box to stop sources from discovering topology and hop-by-hop RTT.
    • Destination port: You can provide a destination port of your choice.
      • Listen on port: This check box applies when the protocol is TCP. Select this check box to open the chosen TCP port if it's not already open.
    • Test Frequency: In this list, specify how frequently sources will ping destinations on the protocol and port that you specified. You can choose 30 seconds, 1 minute, 5 minutes, 15 minutes, or 30 minutes. Select custom to enter another frequency that's between 30 seconds and 30 minutes. Sources will test connectivity to destinations based on the value that you choose. For example, if you select 30 seconds, sources will check connectivity to the destination at least once in every 30-second period.
    • Success Threshold: You can set thresholds on the following network parameters:
      • Checks failed: Set the percentage of checks that can fail when sources check connectivity to destinations by using the criteria that you specified. For the TCP or ICMP protocol, the percentage of failed checks can be equated to the percentage of packet loss. For HTTP protocol, this value represents the percentage of HTTP requests that received no response.
      • Round trip time: Set the RTT, in milliseconds, for how long sources can take to connect to the destination over the test configuration.

    Screenshot that shows where to set up a test configuration in Connection Monitor.
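The same monitor as an added Az PowerShell script (not part of the lab), using the Exercise 2 VMs as sources and the storage account's SMB endpoint as the destination, so the test group, test configuration and thresholds described above appear as code. It assumes the Az.Network connection monitor cmdlets and Az.Compute, a signed-in session, the Network Watcher extension on both VMs, the auto-created NetworkWatcher_eastus in resource group NetworkWatcherRG, and placeholders in angle brackets; the frequency and threshold values are choices made here.

```powershell
# Added example, not part of the original lab: creates the Exercise 3 connection monitor
# with Az PowerShell. Assumes Az.Network (connection monitor cmdlets) and Az.Compute, an
# authenticated session, the Network Watcher extension on both VMs, and the auto-created
# NetworkWatcher_eastus watcher in NetworkWatcherRG. Angle-bracket values are placeholders.
$rg       = "myResourceGroup"
$location = "eastus"
$storageAccountName = "<storage-account-name>"
$workspaceId = "<log-analytics-workspace-resource-id>"   # custom workspace; omit -Output to use the default

# Sources: the VM in each subnet, referenced by resource ID (the Azure endpoints tab).
$srcPrivate = New-AzNetworkWatcherConnectionMonitorEndpointObject -Name "myVmPrivate" `
    -ResourceId (Get-AzVM -Name "myVmPrivate" -ResourceGroupName $rg).Id
$srcPublic  = New-AzNetworkWatcherConnectionMonitorEndpointObject -Name "myVmPublic" `
    -ResourceId (Get-AzVM -Name "myVmPublic" -ResourceGroupName $rg).Id

# Destination: the storage account's file endpoint as an external FQDN (the External Addresses tab).
$dstStorage = New-AzNetworkWatcherConnectionMonitorEndpointObject -Name "storage-smb" `
    -Address "$storageAccountName.file.core.windows.net"

# Test configuration: TCP 445 every 30 seconds, traceroute disabled, success thresholds of
# at most 5 % failed checks and 100 ms round-trip time (values chosen for this example).
$tcp445  = New-AzNetworkWatcherConnectionMonitorProtocolConfigurationObject -TcpProtocol -Port 445 -DisableTraceRoute
$smbTest = New-AzNetworkWatcherConnectionMonitorTestConfigurationObject -Name "smb-445-30s" `
    -TestFrequencySec 30 -ProtocolConfiguration $tcp445 `
    -SuccessThresholdChecksFailedPercent 5 -SuccessThresholdRoundTripTimeMs 100

# Test group: both sources against the one destination with the one test configuration.
$group = New-AzNetworkWatcherConnectionMonitorTestGroupObject -Name "storage-from-both-subnets" `
    -TestConfiguration $smbTest -Source $srcPrivate, $srcPublic -Destination $dstStorage

$output = New-AzNetworkWatcherConnectionMonitorOutputObject -WorkspaceResourceId $workspaceId

New-AzNetworkWatcherConnectionMonitor -NetworkWatcherName "NetworkWatcher_eastus" `
    -ResourceGroupName "NetworkWatcherRG" -Name "storage-smb-monitor" -Location $location `
    -TestGroup $group -Output $output

# Both sources test the same path on purpose: the Private subnet is the only one the storage
# firewall allows, so the two rows in the monitor give a continuous comparison of the two
# subnets rather than the one-off New-PSDrive check used in Exercise 2.
```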

Create alerts in Connection Monitor

You can set up alerts on tests that are failing based on the thresholds set in test configurations.

In the Azure portal, to create alerts for a connection monitor, you specify values for these fields:

  • Create alert: You can select this check box to create a metric alert in Azure Monitor. When you select this check box, the other fields will be enabled for editing. Additional charges for the alert will be applicable, based on the pricing for alerts.

  • Scope > Resource > Hierarchy: These values are automatically filled, based on the values specified on the Basics tab.

  • Condition name: The alert is created on the Test Result (preview) metric. When the result of the connection monitor test is a failing result, the alert rule will fire.

  • Action group name: You can enter your email directly or you can create alerts via action groups. If you enter your email directly, an action group with the name NPM Email ActionGroup is created. The email ID is added to that action group. If you choose to use action groups, you need to select a previously created action group. To learn how to create an action group, see Create action groups in the Azure portal. After the alert is created, you can manage your alerts.

  • Alert rule name: The name of the connection monitor.

  • Enable rule upon creation: Select this check box to enable the alert rule based on the condition. Disable this check box if you want to create the rule without enabling it.

Screenshot that shows the Create alert tab in Connection Monitor.

Scale limits

Connection monitors have these scale limits:

  • Maximum connection monitors per subscription per region: 100
  • Maximum test groups per connection monitor: 20
  • Maximum sources and destinations per connection monitor: 100
  • Maximum test configurations per connection monitor: 2 via the Azure portal
 

Exercise 4: Azure Storage Explorer

Duration: 30 minutes

Synopsis: Microsoft Azure Storage Explorer is a standalone app that makes it easy to work with Azure Storage data on Windows, macOS, and Linux. In these exercises, you’ll learn several ways of connecting to and managing your Azure storage accounts.

Task 1 – Download and install Storage Explorer

To download and install Storage Explorer, see Azure Storage Explorer.

Connect to a storage account or service

Storage Explorer provides several ways to connect to Azure resources:

Sign in to Azure

 Note: To fully access resources after you sign in, Storage Explorer requires both management (Azure Resource Manager) and data layer permissions. This means that you need Azure Active Directory (Azure AD) permissions to access your storage account, the containers in the account, and the data in the containers. 

  1. In Storage Explorer, select View > Account Management or select the Manage Accounts button.

    Manage Accounts

  2. ACCOUNT MANAGEMENT now displays all the Azure accounts you're signed in to. To connect to another account, select Add an account….

  3. The Connect to Azure Storage dialog opens. In the Select Resource panel, select Subscription.

    Connect dialog

  4. In the Select Azure Environment panel, select an Azure environment to sign in to. You can sign in to global Azure, a national cloud or an Azure Stack instance. Then select Next.

    Option to sign in

     

  5. Storage Explorer will open a webpage for you to sign in.

  6. After you successfully sign in with an Azure account, the account and the Azure subscriptions associated with that account appear under ACCOUNT MANAGEMENT. Select the Azure subscriptions that you want to work with, and then select Apply.

    Select Azure subscriptions

  7. EXPLORER displays the storage accounts associated with the selected Azure subscriptions.

    Selected Azure subscriptions

Attach to an individual resource

Storage Explorer lets you connect to individual resources, such as an Azure Data Lake Storage Gen2 container, using various authentication methods. Some authentication methods are only supported for certain resource types.

To connect to an individual resource, select the Connect button in the left-hand toolbar. Then follow the instructions for the resource type you want to connect to.

Connect to Azure storage option

When a connection to a storage account is successfully added, a new tree node will appear under Local & Attached > Storage Accounts.

For other resource types, a new node is added under Local & Attached > Storage Accounts > (Attached Containers). The node will appear under a group node matching its type. For example, a new connection to an Azure Data Lake Storage Gen2 container will appear under Blob Containers.

 

 

Exercise 5: Monitoring a Virtual Machine

Duration: 45 minutes

Synopsis: To monitor the health and performance of an Azure virtual machine, you need to install an agent to collect data from its guest operating system. VM insights is a feature of Azure Monitor for monitoring the guest operating system and workloads running on Azure virtual machines. When you enable monitoring for an Azure virtual machine, it installs the necessary agents and starts collecting performance, process, and dependency information from the guest operating system.

In this exercise, you learn how to:

  • Create a Log Analytics workspace to collect performance and log data from the virtual machine.
  • Enable VM insights for the virtual machine which installs the required agents and begins data collection.
  • Inspect graphs analyzing performance data collected from the virtual machine.
  • Inspect the map showing processes running on the virtual machine and their dependencies on other systems.

 

Task 1 – Enable Monitoring

Create a Log Analytics workspace

Log data in Azure Monitor is stored in a Log Analytics workspace. If you already created a workspace in your subscription, then you can use that one. You can also choose to use the default workspace that's created in each Azure subscription.

If you want to create a new Log Analytics workspace, use the following procedure. If you're going to use an existing one, move on to the next section.

From All services in the Azure portal, select Log Analytics workspaces.

Select Log Analytics workspaces in Azure portal

Click Create to create a new workspace.

Create workspace button

On the Basics tab, select a Subscription, Resource group, and Region for the workspace. These do not need to be the same as the resource being monitored. Provide a Name for the workspace; the portal rejects a name that is already in use.

Workspace basics

Click Review + Create to create the workspace.

Enable monitoring

Select Insights from your virtual machine's menu in the Azure portal. If VM insights hasn't yet been enabled for it, you should see a screen similar to the following allowing you to enable monitoring. Click Enable.

 Note

If you selected the option to Enable detailed monitoring when you created your virtual machine, VM insights may already be enabled. Select your workspace and click Enable again. This is the workspace where data collected by VM insights will be sent.

Enable VM insights with workspace

You'll see a message saying that monitoring is being enabled. It may take several minutes for the agent to be installed and for data collection to begin.

 Note

You may receive a message about an upgrade being available for VM insights. If so, select the option to perform the upgrade before proceeding.

View performance

When the deployment is complete, you'll see views in the Performance tab in VM insights with performance data for the machine. This shows you the values of key guest metrics over time.

VM insights performance view

View processes and dependencies

Select the Maps tab to view processes and dependencies for the virtual machine. The current machine is at the center of the view. View the processes running on it by expanding Processes.

VM insights map view with processes

View machine details

The Maps view provides different tabs with information collected about the virtual machine. Click through the tabs to see what's available.

VM insights map view with machine details

 

Task 2 – Alert on machine down

Create a heartbeat query

There are multiple ways to create a log query alert rule. For this tutorial, we'll start from the Log Events tab in the Map view. This gives a summary of the log data that's been collected for the virtual machine.

Map view with log events tab

Click on Heartbeat. This opens Log Analytics, which is the primary tool to analyze log data collected from the virtual machine, with a simple query for heartbeat events. If you click on TimeGenerated to sort by that column, you can see that a heartbeat is created each minute.

Log query alert with heartbeat events.

For the alert, you want to return only heartbeat records from the last 5 minutes. If no records are returned, the virtual machine is not reporting: either it is down or the agent on it has stopped sending data. The rule cannot tell these apart, so treat the alert as "not reporting" rather than as proof the VM is off; that also makes it a useful signal for an agent that has been disabled.

Add a line to the query to filter the results to only records created in the last 5 minutes. This uses the ago function that subtracts a particular time span from the current time.

Heartbeat
| where Computer == 'computer-name'
| where TimeGenerated > ago(5m)

Click Run to see the results of this query, which should now include just the heartbeats in the last 5 minutes.

Log query alert with heartbeat events using time filter.

Create alert rule

Now that you have the log query, you can create an alert rule that sends an alert when that query doesn't return any records. If no heartbeat records are returned for the last 5 minutes, we can assume the machine hasn't been responsive in that time.

Click New alert rule to create a rule from the current query.

New alert rule.

The alert rule will already have the Log query filled in. The Measurement is also already correct since we want to count the number of table rows returned from the query. If the number of rows is zero, then we want to create an alert.

Alert rule condition 1.

Scroll down to Alert logic and change Operator to Equal to and provide a Threshold value of 0. This means that we want to create an alert when no records are returned, or when the record count from the query equals zero.

Alert rule condition 2.

Configure action group

The Actions page allows you to add one or more action groups to the alert rule. Action groups define a set of actions to take when an alert is fired such as sending an email or an SMS message.

If you already have an action group, click Add action group to add an existing group to the alert rule.

Alert rule add action group.

If you don't already have an action group in your subscription to select, then click Create action group to create a new one. Select a Subscription and Resource group for the action group and give it an Action group name that will appear in the portal and a Display name that will appear in email and SMS notifications.

Action group basics

Select Notifications and add one or more methods to notify appropriate people when the alert is fired.

Action group notifications

Configure details

The Details page allows you to configure different settings for the alert rule.

  • Subscription and Resource group where the alert rule will be stored. This doesn't need to be in the same resource group as the resource that you're monitoring.
  • Severity for the alert. The severity allows you to group alerts with a similar relative importance. A severity of Error is appropriate for an unresponsive virtual machine.
  • Keep the box checked to Enable alert upon creation.
  • Keep the box checked to Automatically resolve alerts. This will automatically resolve the alert when the virtual machine comes back online and heartbeat records are seen again.

Alert rule details.

Click Review + create to create the alert rule.
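The logic of the rule you just created, as an added example (not part of the lab and not Azure Monitor's code): a Python simulation of the heartbeat query and the alert evaluation schedule, run over constructed Heartbeat rows. The computer names, the 5-minute evaluation interval and the timestamps are assumptions made for the example; Azure Monitor evaluates the real rule on the frequency you chose on the Condition page. The transitions show why Automatically resolve alerts matters: the alert opens at the first evaluation that sees zero rows and closes at the first one that sees heartbeats again.

```python
from datetime import datetime, timedelta, timezone

# Query time base for the constructed data (not real workspace data).
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)

def minute(m):
    """Timestamp m minutes after T0; keeps the sample data and checks readable."""
    return T0 + timedelta(minutes=m)

# Constructed Heartbeat rows (assumed computer names): vm-web-01 reports once a
# minute from 10:00 to 10:04, is silent until 10:16 (stopped, or the agent was
# killed), then reports again. vm-db-01 reports the whole time and must never
# trip the rule.
HEARTBEAT = (
    [{"Computer": "vm-web-01", "TimeGenerated": minute(m)} for m in range(0, 5)]
    + [{"Computer": "vm-web-01", "TimeGenerated": minute(m)} for m in range(16, 20)]
    + [{"Computer": "vm-db-01", "TimeGenerated": minute(m)} for m in range(0, 20)]
)

def heartbeats_last_5m(rows, computer, now):
    """Python equivalent of the lab's query
         Heartbeat | where Computer == '<computer>' | where TimeGenerated > ago(5m)
    evaluated at `now`. ago(5m) is relative to evaluation time, and rows with
    TimeGenerated after `now` do not exist yet, so both bounds are applied."""
    since = now - timedelta(minutes=5)
    return [r for r in rows
            if r["Computer"] == computer and since < r["TimeGenerated"] <= now]

def alert_condition(rows, computer, now):
    """The rule's Alert logic: measure = number of table rows, operator Equal to,
    threshold 0. True means the rule fires for this evaluation."""
    return len(heartbeats_last_5m(rows, computer, now)) == 0

def run_evaluations(rows, computer, start, evaluations, every=timedelta(minutes=5)):
    """Simulate the rule's evaluation schedule and return (time, event) state
    transitions. 'resolved' mirrors the Automatically resolve alerts option:
    the alert closes at the first evaluation that sees heartbeats again."""
    timeline, active = [], False
    for i in range(evaluations):
        now = start + i * every
        down = alert_condition(rows, computer, now)
        if down and not active:
            timeline.append((now, "fired"))
            active = True
        elif active and not down:
            timeline.append((now, "resolved"))
            active = False
    return timeline

if __name__ == "__main__":
    # Evaluations at 10:05, 10:10, 10:15 and 10:20: fired at 10:10, resolved at 10:20.
    for when, event in run_evaluations(HEARTBEAT, "vm-web-01", minute(5), 4):
        print(f"{when:%H:%M} vm-web-01 alert {event}")
```

Note the two-sided time filter in heartbeats_last_5m: the real service only ever sees rows that have already been ingested, so the simulation has to exclude "future" rows explicitly, otherwise the 10:15 evaluation would wrongly count the 10:16 heartbeat and resolve the alert too early.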

View the alert

To test the alert rule, stop the virtual machine. If you configured a notification in your action group, then you should receive that notification within a few minutes. You'll also see an alert indicated in the summary shown in the Alerts page for the virtual machine.

Alerts summary

Click on the Severity to see the list of those alerts. Click on the alert itself to view its details.

Alerts list

 

Task 3 – Collect guest logs and metrics

Create data collection rule

Data collection rules in Azure Monitor define data to collect and where it should be sent. When you define the data collection rule using the Azure portal, you specify the virtual machines it should be applied to. The Azure Monitor agent will automatically be installed on any virtual machines that don't already have it.

 Note

You must currently install the Azure Monitor agent from the Monitor menu in the Azure portal. This functionality is not yet available from the virtual machine's menu.

From the Monitor menu in the Azure portal, select Data Collection Rules and then Create to create a new data collection rule.

Create data collection rule

On the Basics tab, provide a Rule Name, which is the name of the rule displayed in the Azure portal. Select a Subscription, Resource Group, and Region where the DCR and its associations will be stored. These do not need to be the same as the resources being monitored. The Platform Type defines the options that are available as you define the rest of the DCR. Select Windows or Linux if the rule will be associated only with resources of that type, or Custom if it will be associated with both types.

Data collection rule basics

Select resources

On the Resources tab, identify one or more virtual machines that the data collection rule will apply to. The Azure Monitor agent will be installed on any that don't already have it. Click Add resources and select either your virtual machines or the resource group or subscription where your virtual machine is located. The data collection rule will apply to all virtual machines in the selected scope.

Data collection rule resources

Select data sources

A single data collection rule can have multiple data sources. For this tutorial, we'll use the same rule to collect both guest metrics and guest logs. We'll send metrics both to Azure Monitor Metrics and to Azure Monitor Logs so that they can be analyzed with metrics explorer as well as with Log Analytics.

On the Collect and deliver tab, click Add data source. For the Data source type, select Performance counters. Leave the Basic setting and select the counters that you want to collect. Custom allows you to select individual metric values.

Data collection rule metric data source

Select the Destination tab. Azure Monitor Metrics should already be listed. Click Add destination to add another. Select Azure Monitor Logs for the Destination type. Select your Log Analytics workspace for the Account or namespace. Click Add data source to save the data source.

Data collection rule destination

Click Add data source again to add logs to the data collection rule. For the Data source type, select Windows event logs or Linux syslog. Select the types of log data that you want to collect.

Data collection rule Windows log data source

Data collection rule Linux log data source

Select the Destination tab. Azure Monitor Logs should already be selected for the Destination type. Select your Log Analytics workspace for the Account or namespace. If you don't already have a workspace, then you can select the default workspace for your subscription, which will automatically be created. Click Add data source to save the data source.

Data collection rule Logs destination

Click Review + create to create the data collection rule and install the Azure Monitor agent on the selected virtual machines.

Save data collection rule
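What the portal builds from the selections above, as an added example (not from the lab, and not Microsoft's own code): a Python function that assembles the equivalent data collection rule body, plus a static check for the two mistakes that otherwise only surface after deployment. The workspace resource ID, the destination and data source names, the counter list and the event selections are assumptions for the example; the Windows XPath queries pick Security audit successes and failures and System warnings and errors, and the syslog source picks the auth and authpriv facilities, because those are the guest logs that matter for detection and most walkthroughs leave them out. The stream names (Microsoft-Perf, Microsoft-InsightsMetrics, Microsoft-Event, Microsoft-Syslog) are the ones the Azure Monitor agent uses.

```python
import json

def build_dcr(workspace_resource_id, location="eastus"):
    """Return the DCR body equivalent to the Task 3 portal selections: performance
    counters to Azure Monitor Metrics and to the workspace, plus Windows
    Security/System events and Linux auth syslog to the workspace. Platform Type
    Custom: no 'kind' is set, so Windows and Linux machines can share the rule."""
    return {
        "location": location,
        "properties": {
            "dataSources": {
                "performanceCounters": [{
                    "name": "perfCounters",
                    "streams": ["Microsoft-Perf", "Microsoft-InsightsMetrics"],
                    "samplingFrequencyInSeconds": 60,
                    "counterSpecifiers": [
                        "\\Processor(_Total)\\% Processor Time",
                        "\\Memory\\Available Bytes",
                        "\\LogicalDisk(_Total)\\% Free Space",
                    ],
                }],
                "windowsEventLogs": [{
                    "name": "windowsSecurityAndSystem",
                    "streams": ["Microsoft-Event"],
                    "xPathQueries": [
                        # Keywords 0x30000000000000 = Audit Success | Audit Failure
                        "Security!*[System[(band(Keywords,13510798882111488))]]",
                        "System!*[System[(Level=1 or Level=2 or Level=3)]]",
                    ],
                }],
                "syslog": [{
                    "name": "linuxAuth",
                    "streams": ["Microsoft-Syslog"],
                    "facilityNames": ["auth", "authpriv"],
                    "logLevels": ["Info", "Notice", "Warning", "Error",
                                  "Critical", "Alert", "Emergency"],
                }],
            },
            "destinations": {
                # Assumed destination names; the workspace ID is a placeholder.
                "logAnalytics": [{"name": "laWorkspace",
                                  "workspaceResourceId": workspace_resource_id}],
                "azureMonitorMetrics": {"name": "azureMonitorMetrics-default"},
            },
            "dataFlows": [
                {"streams": ["Microsoft-InsightsMetrics"],
                 "destinations": ["azureMonitorMetrics-default"]},
                {"streams": ["Microsoft-Perf", "Microsoft-Event", "Microsoft-Syslog"],
                 "destinations": ["laWorkspace"]},
            ],
        },
    }

def validate_dcr(dcr):
    """Static checks for the rule: every data flow points at a declared destination,
    only Microsoft-InsightsMetrics is routed to Azure Monitor Metrics, the
    workspace destination is a full resource ID, and every stream a data source
    emits has a data flow (a stream without one is collected and then dropped)."""
    props = dcr["properties"]
    problems = []
    la_dests = props["destinations"].get("logAnalytics", [])
    metrics = props["destinations"].get("azureMonitorMetrics")
    declared = {d["name"] for d in la_dests}
    if metrics:
        declared.add(metrics["name"])
    for la in la_dests:
        if not la.get("workspaceResourceId", "").startswith("/subscriptions/"):
            problems.append(f"destination {la['name']}: workspaceResourceId is not a full resource ID")
    routed = set()
    for flow in props["dataFlows"]:
        routed.update(flow["streams"])
        for dest in flow["destinations"]:
            if dest not in declared:
                problems.append(f"data flow references undeclared destination {dest}")
            if metrics and dest == metrics["name"]:
                for stream in flow["streams"]:
                    if stream != "Microsoft-InsightsMetrics":
                        problems.append(f"stream {stream} cannot be sent to Azure Monitor Metrics")
    for group in props["dataSources"].values():
        for source in group:
            for stream in source["streams"]:
                if stream not in routed:
                    problems.append(f"stream {stream} from data source {source['name']} is collected but has no data flow")
    return problems

def to_json(dcr):
    """Serialize the rule as it would be submitted to the Resource Manager API."""
    return json.dumps(dcr, indent=2)

if __name__ == "__main__":
    # Placeholder workspace ID for the example.
    ws = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/law-lab")
    rule = build_dcr(ws)
    print("problems:", validate_dcr(rule) or "none")
    print(to_json(rule))
```

The validator returns an empty list for the rule as built; appending a flow that sends Microsoft-Event to the metrics destination, or deleting the workspace flow so that the event and syslog streams have nowhere to go, each produces a named problem, which is quicker than waiting for the agent to deploy and finding an empty Event table.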

Viewing logs

Data is retrieved from a Log Analytics workspace using a log query written in Kusto Query Language (KQL). While a set of pre-created queries are available for virtual machines, we'll use a simple query to have a look at the events that we're collecting.

Select Logs from your virtual machine's menu. Log Analytics opens with an empty query window with the scope set to that machine. Any queries will include only records collected from that machine.

 Note

The Queries window may open when you open Log Analytics. This includes pre-created queries that you can use. For now, close this window since we're going to manually create a simple query.

Log Analytics

In the empty query window, type either Event or Syslog depending on whether your machine is running Windows or Linux and then click Run. The events collected within the Time range are displayed.

 Note

If the query doesn't return any data, you may need to wait a few minutes until events are created on the virtual machine and collected. You may also need to modify the data source in the data collection rule to include additional categories of events.

Log Analytics with query results

For a tutorial on using Log Analytics to analyze log data, see Log Analytics tutorial. For a tutorial on creating alert rules from log data, see Tutorial: Create a log query alert for an Azure resource.

View guest metrics

You can view metrics for your host virtual machine with metrics explorer without a data collection rule just like any other Azure resource. With the data collection rule though, you can use metrics explorer to view guest metrics in addition to host metrics.

Select Metrics from your virtual machine's menu. Metrics explorer opens with the scope set to your virtual machine. Click Metric Namespace, and select Virtual Machine Guest.

 Note

If you don't see Virtual Machine Guest, you may just need to wait a few more minutes for the agent to be deployed and data to begin collecting.

Metrics explorer

The available guest metrics are displayed. Select a Metric to add to the chart.

Metrics explorer with guest metrics

 

 

 

Exercise 6: Administering users 

Duration: 20 minutes

Synopsis: In this exercise, you will assign an Azure AD administrative role to a user from the user's Assigned roles page and then remove that assignment.

Assign roles

A common way to assign Azure AD roles to a user is on the Assigned roles page for a user. You can also configure the user eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM). For more information about how to use PIM, see Privileged Identity Management.

 Note

If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the Privileged Identity Management experience. This feature is currently limited to assigning only one role at a time. You can't currently select multiple roles and assign them to a user all at once.

Azure AD roles managed in PIM for users who already use PIM and have a Premium P2 license

Assign a role to a user

  1. Go to the Azure portal and sign in with an account that can manage role assignments for the directory: Global administrator, or Privileged role administrator, which is sufficient for this task and the least-privileged choice.

  2. Search for and select Azure Active Directory.

    Azure portal search for Azure Active Directory

  3. Select Users.

  4. Search for and select the user getting the role assignment. For example, Alain Charon.

    All users page - select the user

  5. On the Alain Charon – Profile page, select Assigned roles.

    The Alain Charon – Administrative roles page appears.

  6. Select Add assignments, select the role to assign to Alain (for example, Application administrator), and then choose Select.

    Assigned roles page - showing the selected role

    The Application administrator role is assigned to Alain Charon and it appears on the Alain Charon – Administrative roles page.

Remove a role assignment

If you need to remove the role assignment from a user, you can also do that from the Alain Charon – Administrative roles page.

To remove a role assignment from a user

  1. Select Azure Active Directory, select Users, and then search for and select the user getting the role assignment removed. For example, Alain Charon.

  2. Select Assigned roles, select Application administrator, and then select Remove assignment.

    Assigned roles page, showing the selected role and the remove option

    The Application administrator role is removed from Alain Charon and it no longer appears on the Alain Charon – Administrative roles page.

 

 

Exercise 7: Using Compliance Tools (Azure Policy, Secure Score and Compliance Manager)

Duration: 30 minutes

Synopsis: In this exercise, attendees will review resource compliance with Azure Policy, build and assign an Azure Blueprint that carries a policy assignment, review Secure Score in Security Center, and create a GDPR assessment for Azure in Compliance Manager.

Task 1: Review a basic Azure Policy

 

  1. Open the Azure Portal. Select All Services, then type Policy. Select Policy in the list of items.

    All services are selected in the left menu. In the search box policy is entered. Policy is selected from the filtered list of services.

  2. In the blade menu, select Compliance, and review your Overall resource compliance percentage.

    The Compliance item is selected from the left menu. The Policy compliance screen is displayed.

  3. For the scope, ensure the proper subscription is selected, then select the ASC Default initiative assigned to that subscription.

  4. In the Initiative compliance blade, review your compliance metrics.

  5. Scroll to the results area and select the Non-compliant resources tab.

    The non-compliant resources tab is highlighted.

  6. In the filter search box, type PAW-1 and select it when displayed.

    Note: You may not see resources display right away. If this is the case, then scroll through some other non-compliant resources.

  7. With the Policies tab selected, review the policies that the resource is non-complying against.

    Note: New policies are being created and your number may be different from the image below.

    The Resource compliance blade for PAW-1 is displayed with the non-compliant items highlighted.

  8. Choose one of the policies. Review the Definition JSON of the policy definition. Notice that the rule is an if/then condition: the fields it tests are aliases for the same resource properties you set in an ARM template, and the effect in the then block (audit, deny, and so on) applies to every resource whose properties match the condition.

    The policy definition is displayed in JSON format.

    Note: You can use these built-in definitions as the starting point for your own policy definitions, and include policy assignments in a blueprint so they are applied together with the rest of an environment.
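How the engine turns a definition like the one in step 8 into the non-compliant list, as an added example (not part of the lab and not the Azure Policy engine's code): a small Python evaluator for the if/then rule language, run over constructed resource documents. The rule is written here in the shape of the built-in "Audit unrestricted network access to storage accounts" that Task 2 assigns; the portal's Definition JSON is authoritative, and the resource names, the resource set and the treatment of an absent property are assumptions for the example. The interesting case is the third storage account, which has no networkAcls block at all: the service default for that property is Allow, so the rule must flag it even though the property is missing.

```python
import json

# Policy rule written for this example, modeled on the shape of the built-in
# "Audit unrestricted network access to storage accounts". Compare with the
# Definition JSON in the portal, which is the authoritative version.
POLICY_RULE = json.loads("""
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
        "notEquals": "Deny" }
    ]
  },
  "then": { "effect": "audit" }
}
""")

# Constructed resources in the shape the policy engine evaluates (not exported
# from a real subscription). Names are placeholders.
RESOURCES = [
    {"name": "stopen001", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Allow"}}},
    {"name": "stlocked002", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Deny"}}},
    {"name": "stlegacy003", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},  # no networkAcls at all: the service default is Allow
    {"name": "vnet-lab", "type": "Microsoft.Network/virtualNetworks",
     "properties": {"addressSpace": {"addressPrefixes": ["10.1.0.0/16"]}}},
]

TOP_LEVEL_FIELDS = {"name", "type", "location", "kind"}

def resolve_field(resource, field):
    """Resolve a policy 'field' against a resource. Top-level fields map to the
    resource envelope; an alias such as
    'Microsoft.Storage/storageAccounts/networkAcls.defaultAction' is the resource
    type followed by a dotted path under 'properties' (the same properties an
    ARM template sets). Returns None when the property is absent or the alias
    belongs to a different resource type."""
    if field in TOP_LEVEL_FIELDS:
        return resource.get(field)
    prefix = resource["type"] + "/"
    if not field.startswith(prefix):
        return None
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def evaluate(condition, resource):
    """Evaluate one condition. Supports the subset of the rule language the lab's
    built-ins use: allOf, anyOf, not, and field with equals / notEquals / exists.
    String comparison is case-insensitive, as in Azure Policy. An absent property
    never 'equals' anything and always 'notEquals' (a simplification assumed for
    this example)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return value is not None and str(value).casefold() == condition["equals"].casefold()
    if "notEquals" in condition:
        return value is None or str(value).casefold() != condition["notEquals"].casefold()
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).casefold() == "true")
    raise ValueError(f"unsupported condition: {condition}")

def non_compliant(rule, resources):
    """Names of resources whose 'if' block matches: with an audit or deny effect,
    those are the non-compliant resources the portal lists."""
    return [r["name"] for r in resources if evaluate(rule["if"], r)]

if __name__ == "__main__":
    print("effect:", POLICY_RULE["then"]["effect"])
    print("non-compliant:", non_compliant(POLICY_RULE, RESOURCES))
```

Running it lists stopen001 and stlegacy003; the virtual network is out of scope because the first condition in allOf fails on its type, which is why a definition always anchors on a type check before testing an alias.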

 

Task 2: Review and create Azure Blueprints 

 

  1. In the Policy blade, under Authoring, select Definitions. These are a list of all defined policies which can be selected for assignment to your subscription resources.

    A listing of policy definitions on the Policy Blade Definitions screen.

  2. In the Policy blade, under Related Services, select Blueprints.

  3. In the Blueprints blade, select Blueprint definitions.

  4. Select +Create blueprint.

    The Blueprint definitions screen is displayed with the Blueprint definitions item selected from the left menu. The + Create blueprint menu item is selected.

  5. Review some of the sample blueprints, then select Start with blank blueprint.

    The Create blueprint screen is displayed with the Blank blueprint item selected from the list of available samples.

  6. For the name, type gdprblueprint.

  7. For the location, select the ellipses, then select your subscription in the drop down.

  8. Choose Select.

    New blue print dialog with name and location filled in.

  9. Select Next: Artifacts.

  10. Select + Add artifact.

  11. For the Artifact Type, select Policy Assignment, review all the policies available to you (at the time of this writing you would see 37 definitions and 311 policies).

  12. In the search box, type unrestricted, browse for the Audit unrestricted network access to storage accounts.

    On the Create blueprint screen, on the Artifacts tab the + Add artifact link is selected beneath the Subscription. In the Add artifact blade, the artifact type of Policy assignment is selected. In the Search textbox, unrestricted is entered. Beneath the Search textbox, the Policy Definitions tab is selected and the Audit unrestricted network access to storage accounts is selected from the list of search results.

  13. Select Add.

  14. Select Save Draft. It may take a few minutes. The blade will automatically change when the save operation finishes.

  15. For the new blueprint, select the ellipses, then select Publish Blueprint.

    The ellipses menu is expanded for the gdprblueprint blueprint item with the Publish blueprint menu item highlighted.

  16. Select Publish.

  17. For the version type 1.0.0.

  18. For the new blueprint, select the ellipses, then select Assign Blueprint.

    Screen shot showing the Assign blueprint dialog.

  19. Review the page, then choose Assign. Storage accounts in the assigned subscription will now be audited against this policy, and any with unrestricted network access will show as non-compliant.

 

Task 3: Secure Score

 

  1. In the Azure Portal, select All Services, then type Security, select Security Center.

  2. In the Security Center blade, under POLICY & COMPLIANCE, select Secure score.

  3. Review your overall secure score values and then notice the category values.

    Screen shot showing Secure score blade and the score and categories highlighted.

  4. On the bottom half of the window, select your subscription, you will be presented with the items that have failed resource validation sorted by the score value that is assigned to that particular recommendation item.

  5. Select the An Azure Active Directory administrator should be provisioned for SQL Servers, on the recommendation blade, you will be presented with information about how to remediate the recommendation to gain the impact value to your score.

    Screen shot with the Provision an Azure AD Administrator for SQL Server highlighted.

 

Task 4: Use Compliance Manager for Azure 

 

Note: You may need additional permissions to run this portion of the lab. Contact your Global Administrator.

  1. In a browser, go to the Service Trust/Compliance Manager portal (https://servicetrust.microsoft.com).

  2. In the top corner, select Sign in, you will be redirected to the Azure AD login page.

    Sign in is highlighted at the top of the Service Trust/Compliance Manager portal.

  3. If prompted, select or sign in with your Azure AD\Office 365 credentials.

  4. In the menu, select Compliance Manager->Compliance Manager Classic.

    Compliance Manager Classic is highlight in the menu navigation.

  5. Select the +Add Assessment link.

  6. Select Create a new Group, for the name type AzureSecurity, select Next, set the Would you like to copy the data from an existing group toggle to No, select Next.

  7. For the product dropdown, select Azure.

  8. For the certification dropdown, select GDPR.

    Add a Standard Assessment dialog with Azure and GDPR selected.

  9. Select Add to Dashboard. You will now see a new assessment for Azure and GDPR in progress:

    Azure GDPR assessment status that shows in progress.

  10. Select Azure GDPR.

  11. Review the various controls that you can implement:

    Several categories of controls are listed on the page.

  12. On the top menu, choose Trust Documents, then select Audit Reports.

  13. Notice the various tabs that you can select from, select FedRAMP Reports.

  14. These are all the FedRAMP reports sorted by date that have been performed and publicly posted for Azure customer review. Select the item displayed and briefly review the document.

    The FedRAMP Reports report type is highlighted on the Data Protection Standards and Regulatory Compliance Reports page, and Azure - FedRAMP Moderate System Security Plan v3.02 is highlighted at the bottom.

 

 

 

 
