├── .github
│   ├── CONTRIBUTING.md
│   ├── ISSUE_TEMPLATE.md
│   └── PULL_REQUEST_TEMPLATE.md
├── Allfiles
│   └── Labs
│       └── All-Labs
│           ├── create-vms-template.json
│           ├── create-vnet-peerings-template.json
│           ├── create-vnet-subnets-template.json
│           ├── create-vnets-vms-template.json
│           └── delete.md
├── Instructions
│   ├── Demos
│   │   ├── DEMO_00_Introduction.md
│   │   ├── DEMO_01_virtual_networks.md
│   │   ├── DEMO_02_security_groups.md
│   │   ├── DEMO_03_firewall.md
│   │   ├── DEMO_04_route.md
│   │   └── DEMO_05_domain_name.md
│   ├── Labs
│   │   ├── LAB_01_virtual_networks.md
│   │   ├── LAB_02_security_groups.md
│   │   ├── LAB_03_firewall.md
│   │   ├── LAB_04_route.md
│   │   ├── LAB_05_domain_name.md
│   │   ├── azuredeploy.json
│   │   └── azuredeploy.parameters.json
│   └── Media
│       ├── task-1.png
│       ├── task-2.png
│       ├── task-3.png
│       ├── task-4.png
│       └── task-5.png
├── LICENSE
├── _build.yml
├── _config.yml
├── index.md
└── readme.md

/.github/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing to Microsoft Learning Repositories

MCT contributions are a key part of keeping the lab and demo content current as the Azure platform changes. We want to make it as easy as possible for you to contribute changes to the lab files. Here are a few guidelines to keep in mind as you contribute changes.

## GitHub Use & Purpose

Microsoft Learning is using GitHub to publish the lab steps and lab scripts for courses that cover cloud services like Azure. Using GitHub allows the course’s authors and MCTs to keep the lab content current with Azure platform changes. Using GitHub allows the MCTs to provide feedback and suggestions for lab changes, and then the course authors can update lab steps and scripts quickly and relatively easily.

> When you prepare to teach these courses, you should ensure that you are using the latest lab steps and scripts by downloading the appropriate files from GitHub. GitHub should not be used to discuss technical content in the course, or how to prep. It should only be used to address changes in the labs.

It is strongly recommended that MCTs and Partners access these materials and in turn, provide them separately to students. Pointing students directly to GitHub to access Lab steps as part of an ongoing class will require them to access yet another UI as part of the course, contributing to a confusing experience for the student. An explanation to the student regarding why they are receiving separate Lab instructions can highlight the nature of an always-changing cloud-based interface and platform. Microsoft Learning support for accessing files on GitHub and support for navigation of the GitHub site is limited to MCTs teaching this course only.

> As an alternative to pointing students directly to the GitHub repository, you can point students to the GitHub Pages website to view the lab instructions. The URL for the GitHub Pages website can be found at the top of the repository.

To address general comments about the course and demos, or how to prepare for a course delivery, please use the existing MCT forums.

## Additional Resources

A user guide has been provided for MCTs who are new to GitHub. It provides steps for connecting to GitHub, downloading and printing course materials, updating the scripts that students use in labs, and explaining how you can help ensure that this course’s content remains current.

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
# Module: 00
## Lab/Demo: 00
### Task: 00
#### Step: 00

Description of issue

Repro steps:

1.
1.
1.
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
# Module: 00
## Lab/Demo: 00

Fixes # .

Changes proposed in this pull request:

-
-
-

--------------------------------------------------------------------------------
/Allfiles/Labs/All-Labs/create-vms-template.json:
--------------------------------------------------------------------------------
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualMachines_VM1_name": {
      "defaultValue": "VM1",
      "type": "String"
    },
    "virtualMachines_VM2_name": {
      "defaultValue": "VM2",
      "type": "String"
    },
    "publicIPAddresses_VM1_ip_name": {
      "defaultValue": "VM1-ip",
      "type": "String"
    },
    "publicIPAddresses_VM2_ip_name": {
      "defaultValue": "VM2-ip",
      "type": "String"
    },
    "virtualNetworks_app_vnet_name": {
      "defaultValue": "app-vnet",
      "type": "String"
    },
    "networkInterfaces_VM1_nic_name": {
      "defaultValue": "VM1-nic",
      "type": "String"
    },
    "networkInterfaces_VM2_nic_name": {
      "defaultValue": "VM2-nic",
      "type": "String"
    }
  },
  "functions": [],
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2022-07-01",
      "name": "[parameters('publicIPAddresses_VM1_ip_name')]",
      "location": "eastus",
      "sku": {
        "name": "Basic",
        "tier": "Regional"
      },
      "properties": {
        "ipAddress": "40.87.123.79",
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Dynamic",
        "idleTimeoutInMinutes": 4,
        "ipTags": []
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2022-07-01",
      "name": "[parameters('publicIPAddresses_VM2_ip_name')]",
      "location": "eastus",
      "sku": {
        "name": "Basic",
        "tier": "Regional"
      },
      "properties": {
        "ipAddress": "40.87.123.72",
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Dynamic",
        "idleTimeoutInMinutes": 4,
        "ipTags": []
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-08-01",
      "name": "[parameters('virtualMachines_VM1_name')]",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "Standard_DS1_v2"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "Canonical",
            "offer": "UbuntuServer",
            "sku": "18.04-LTS",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Linux",
            "name": "[concat(parameters('virtualMachines_VM1_name'), '_disk1_6a38f4133b104e6fb10ee60804d2902b')]",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "Standard_LRS"
            },
            "deleteOption": "Detach",
            "diskSizeGB": 30
          },
          "dataDisks": []
        },
        "osProfile": {
          "computerName": "[parameters('virtualMachines_VM1_name')]",
          "adminUsername": "AzureAdmin",
          "adminpassword": "[concat('A1', uniqueString(resourceGroup().id))]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": false,
            "patchSettings": {
              "patchMode": "ImageDefault",
              "assessmentMode": "ImageDefault"
            },
            "enableVMAgentPlatformUpdates": false
          },
          "secrets": []
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name'))]",
              "properties": {
                "primary": true
              }
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-08-01",
      "name": "[parameters('virtualMachines_VM2_name')]",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM2_nic_name'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "Standard_DS1_v2"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "Canonical",
            "offer": "UbuntuServer",
            "sku": "18.04-LTS",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Linux",
            "name": "[concat(parameters('virtualMachines_VM2_name'), '_disk1_a76711e00aa04f15a1a08e59308344ed')]",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "Standard_LRS"
            },
            "deleteOption": "Detach",
            "diskSizeGB": 30
          },
          "dataDisks": []
        },
        "osProfile": {
          "computerName": "[parameters('virtualMachines_VM2_name')]",
          "adminUsername": "AzureAdmin",
          "adminpassword": "[concat('A1', uniqueString(resourceGroup().id))]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": false,
            "patchSettings": {
              "patchMode": "ImageDefault",
              "assessmentMode": "ImageDefault"
            },
            "enableVMAgentPlatformUpdates": false
          },
          "secrets": []
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM2_nic_name'))]",
              "properties": {
                "primary": true
              }
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2022-07-01",
      "name": "[parameters('networkInterfaces_VM1_nic_name')]",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM1_ip_name'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]"
      ],
      "kind": "Regular",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name')), '/ipConfigurations/ipconfig1')]",
            "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
            "properties": {
              "provisioningState": "Succeeded",
              "privateIPAddress": "10.1.0.4",
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM1_ip_name'))]"
              },
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]"
              },
              "primary": true,
              "privateIPAddressVersion": "IPv4"
            }
          }
        ],
        "dnsSettings": {
          "dnsServers": []
        },
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "disableTcpStateTracking": false,
        "nicType": "Standard"
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2022-07-01",
      "name": "[parameters('networkInterfaces_VM2_nic_name')]",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM2_ip_name'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]"
      ],
      "kind": "Regular",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM2_nic_name')), '/ipConfigurations/ipconfig1')]",
            "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
            "properties": {
              "provisioningState": "Succeeded",
              "privateIPAddress": "10.1.1.4",
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM2_ip_name'))]"
              },
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]"
              },
              "primary": true,
              "privateIPAddressVersion": "IPv4"
            }
          }
        ],
        "dnsSettings": {
          "dnsServers": []
        },
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "disableTcpStateTracking": false,
        "nicType": "Standard"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2022-07-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/backend')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "addressPrefix": "10.1.1.0/24",
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2022-07-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/frontend')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "addressPrefix": "10.1.0.0/24",
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2022-07-01",
      "name": "[parameters('virtualNetworks_app_vnet_name')]",
      "location": "eastus",
      "dependsOn": [],
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.1.0.0/16"
          ]
        },
        "dhcpOptions": {
          "dnsServers": [
            "1.1.1.1",
            "1.0.0.1"
          ]
        },
        "subnets": [
          {
            "name": "frontend",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]",
            "properties": {
              "addressPrefix": "10.1.0.0/24",
              "delegations": [],
              "privateEndpointNetworkPolicies": "Disabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "name": "backend",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]",
            "properties": {
              "addressPrefix": "10.1.1.0/24",
              "delegations": [],
              "privateEndpointNetworkPolicies": "Disabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
          }
        ],
        "virtualNetworkPeerings": [],
        "enableDdosProtection": false
      }
    }
  ],
  "outputs": {}
}

--------------------------------------------------------------------------------
/Allfiles/Labs/All-Labs/create-vnet-peerings-template.json:
--------------------------------------------------------------------------------
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetworks_app_vnet_name": {
      "defaultValue": "app-vnet",
      "type": "String"
    },
    "virtualNetworks_hub_vnet_externalid": {
      "defaultValue": "/subscriptions/aa509d92-2cc7-4eb9-9ae9-db02c24e057d/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/hub-vnet",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2024-01-01",
      "name": "[parameters('virtualNetworks_app_vnet_name')]",
      "location": "eastus",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.1.0.0/16"
          ]
        },
        "encryption": {
          "enabled": false,
          "enforcement": "AllowUnencrypted"
        },
        "subnets": [
          {
            "name": "frontend",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]",
            "properties": {
              "addressPrefixes": [
                "10.1.0.0/24"
              ],
              "delegations": [],
              "privateEndpointNetworkPolicies": "Disabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "name": "backend",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]",
            "properties": {
              "addressPrefixes": [
                "10.1.1.0/24"
              ],
              "delegations": [],
              "privateEndpointNetworkPolicies": "Disabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
          }
        ],
        "virtualNetworkPeerings": [
          {
            "name": "[concat('hub-to-', parameters('virtualNetworks_app_vnet_name'))]",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/virtualNetworkPeerings', parameters('virtualNetworks_app_vnet_name'), concat('hub-to-', parameters('virtualNetworks_app_vnet_name')))]",
            "properties": {
              "peeringState": "Connected",
              "peeringSyncLevel": "FullyInSync",
              "remoteVirtualNetwork": {
                "id": "[parameters('virtualNetworks_hub_vnet_externalid')]"
              },
              "allowVirtualNetworkAccess": true,
              "allowForwardedTraffic": false,
              "allowGatewayTransit": false,
              "useRemoteGateways": false,
              "doNotVerifyRemoteGateways": false,
              "peerCompleteVnets": true,
              "remoteAddressSpace": {
                "addressPrefixes": [
                  "10.0.0.0/16"
                ]
              },
              "remoteVirtualNetworkAddressSpace": {
                "addressPrefixes": [
                  "10.0.0.0/16"
                ]
              }
            },
            "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
          }
        ],
        "enableDdosProtection": false
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2024-01-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/backend')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "addressPrefixes": [
          "10.1.1.0/24"
        ],
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2024-01-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/frontend')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "addressPrefixes": [
          "10.1.0.0/24"
        ],
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
      "apiVersion": "2024-01-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/hub-to-', parameters('virtualNetworks_app_vnet_name'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "peeringState": "Connected",
        "peeringSyncLevel": "FullyInSync",
        "remoteVirtualNetwork": {
          "id": "[parameters('virtualNetworks_hub_vnet_externalid')]"
        },
        "allowVirtualNetworkAccess": true,
        "allowForwardedTraffic": false,
        "allowGatewayTransit": false,
        "useRemoteGateways": false,
        "doNotVerifyRemoteGateways": false,
        "peerCompleteVnets": true,
        "remoteAddressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        },
        "remoteVirtualNetworkAddressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        }
      }
    }
  ]
}

--------------------------------------------------------------------------------
/Allfiles/Labs/All-Labs/create-vnet-subnets-template.json:
--------------------------------------------------------------------------------
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetworks_app_vnet_name": {
      "defaultValue": "app-vnet",
      "type": "String"
    },
    "virtualNetworks_hub_vnet_name": {
      "defaultValue": "hub-vnet",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2024-01-01",
      "name": "[parameters('virtualNetworks_app_vnet_name')]",
      "location": "eastus",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.1.0.0/16"
          ]
        },
        "encryption": {
          "enabled": false,
          "enforcement": "AllowUnencrypted"
        },
        "subnets": [
          {
            "name": "frontend",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]",
            "properties": {
              "addressPrefixes": [
                "10.1.0.0/24"
              ],
              "delegations": [],
              "privateEndpointNetworkPolicies": "Disabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "name": "backend",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]",
            "properties": {
              "addressPrefixes": [
                "10.1.1.0/24"
              ],
              "delegations": [],
              "privateEndpointNetworkPolicies": "Disabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
          }
        ],
        "virtualNetworkPeerings": [],
        "enableDdosProtection": false
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2024-01-01",
      "name": "[parameters('virtualNetworks_hub_vnet_name')]",
      "location": "eastus",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        },
        "encryption": {
          "enabled": false,
          "enforcement": "AllowUnencrypted"
        },
        "subnets": [
          {
            "name": "AzureFirewallSubnet",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_hub_vnet_name'), 'AzureFirewallSubnet')]",
            "properties": {
              "addressPrefixes": [
                "10.0.0.0/26"
              ],
              "delegations": [],
              "privateEndpointNetworkPolicies": "Disabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
          }
        ],
        "virtualNetworkPeerings": [],
        "enableDdosProtection": false
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2024-01-01",
      "name": "[concat(parameters('virtualNetworks_hub_vnet_name'), '/AzureFirewallSubnet')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_hub_vnet_name'))]"
      ],
      "properties": {
        "addressPrefixes": [
          "10.0.0.0/26"
        ],
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2024-01-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/backend')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "addressPrefixes": [
          "10.1.1.0/24"
        ],
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2024-01-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/frontend')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "addressPrefixes": [
          "10.1.0.0/24"
        ],
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    }
  ]
}

--------------------------------------------------------------------------------
/Allfiles/Labs/All-Labs/create-vnets-vms-template.json:
--------------------------------------------------------------------------------
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualMachines_VM1_name": {
      "defaultValue": "VM1",
      "type": "String"
    },
    "virtualMachines_VM2_name": {
      "defaultValue": "VM2",
      "type": "String"
    },
    "publicIPAddresses_VM1_ip_name": {
      "defaultValue": "VM1-ip",
      "type": "String"
    },
    "publicIPAddresses_VM2_ip_name": {
      "defaultValue": "VM2-ip",
      "type": "String"
    },
    "virtualNetworks_app_vnet_name": {
      "defaultValue": "app-vnet",
      "type": "String"
    },
    "networkInterfaces_VM1_nic_name": {
      "defaultValue": "VM1-nic",
      "type": "String"
    },
    "networkInterfaces_VM2_nic_name": {
      "defaultValue": "VM2-nic",
      "type": "String"
    }
  },
  "functions": [],
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2022-07-01",
      "name": "[parameters('publicIPAddresses_VM1_ip_name')]",
      "location": "eastus",
      "sku": {
        "name": "Basic",
        "tier": "Regional"
      },
      "properties": {
        "ipAddress": "40.87.123.79",
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Dynamic",
        "idleTimeoutInMinutes": 4,
        "ipTags": []
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2022-07-01",
      "name": "[parameters('publicIPAddresses_VM2_ip_name')]",
      "location": "eastus",
      "sku": {
        "name": "Basic",
        "tier": "Regional"
      },
      "properties": {
        "ipAddress": "40.87.123.72",
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Dynamic",
        "idleTimeoutInMinutes": 4,
        "ipTags": []
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-08-01",
      "name": "[parameters('virtualMachines_VM1_name')]",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "Standard_DS1_v2"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "Canonical",
            "offer": "UbuntuServer",
            "sku": "18.04-LTS",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Linux",
            "name": "[concat(parameters('virtualMachines_VM1_name'), '_disk1_6a38f4133b104e6fb10ee60804d2902b')]",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "Standard_LRS"
            },
            "deleteOption": "Detach",
            "diskSizeGB": 30
          },
          "dataDisks": []
        },
        "osProfile": {
          "computerName": "[parameters('virtualMachines_VM1_name')]",
          "adminUsername": "AzureAdmin",
          "adminpassword": "[concat('A1', uniqueString(resourceGroup().id))]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": false,
            "patchSettings": {
              "patchMode": "ImageDefault",
              "assessmentMode": "ImageDefault"
            },
            "enableVMAgentPlatformUpdates": false
          },
          "secrets": []
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name'))]",
              "properties": {
                "primary": true
              }
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-08-01",
      "name": "[parameters('virtualMachines_VM2_name')]",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM2_nic_name'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "Standard_DS1_v2"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "Canonical",
            "offer": "UbuntuServer",
            "sku": "18.04-LTS",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Linux",
            "name": "[concat(parameters('virtualMachines_VM2_name'), '_disk1_a76711e00aa04f15a1a08e59308344ed')]",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "Standard_LRS"
            },
            "deleteOption": "Detach",
            "diskSizeGB": 30
          },
          "dataDisks": []
        },
        "osProfile": {
          "computerName": "[parameters('virtualMachines_VM2_name')]",
          "adminUsername": "AzureAdmin",
          "adminpassword": "[concat('A1', uniqueString(resourceGroup().id))]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": false,
            "patchSettings": {
              "patchMode": "ImageDefault",
              "assessmentMode": "ImageDefault"
            },
            "enableVMAgentPlatformUpdates": false
          },
          "secrets": []
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM2_nic_name'))]",
              "properties": {
                "primary": true
              }
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2022-07-01",
      "name": "[parameters('networkInterfaces_VM1_nic_name')]",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM1_ip_name'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]"
      ],
      "kind": "Regular",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name')), '/ipConfigurations/ipconfig1')]",
            "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
            "properties": {
              "provisioningState": "Succeeded",
              "privateIPAddress": "10.1.0.4",
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM1_ip_name'))]"
              },
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]"
              },
              "primary": true,
              "privateIPAddressVersion": "IPv4"
            }
          }
        ],
        "dnsSettings": {
          "dnsServers": []
        },
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "disableTcpStateTracking": false,
        "nicType": "Standard"
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2022-07-01",
      "name": "[parameters('networkInterfaces_VM2_nic_name')]",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM2_ip_name'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]"
      ],
      "kind": "Regular",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM2_nic_name')), '/ipConfigurations/ipconfig1')]",
            "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
            "properties": {
              "provisioningState": "Succeeded",
              "privateIPAddress": "10.1.1.4",
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM2_ip_name'))]"
              },
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]"
              },
              "primary": true,
              "privateIPAddressVersion": "IPv4"
            }
          }
        ],
        "dnsSettings": {
          "dnsServers": []
        },
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "disableTcpStateTracking": false,
        "nicType": "Standard"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2022-07-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/backend')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "addressPrefix": "10.1.1.0/24",
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2022-07-01",
      "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/frontend')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]"
      ],
      "properties": {
        "addressPrefix": "10.1.0.0/24",
        "delegations": [],
        "privateEndpointNetworkPolicies": "Disabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2022-07-01",
      "name": "[parameters('virtualNetworks_app_vnet_name')]",
      "location": "eastus",
      "dependsOn": [],
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.1.0.0/16"
          ]
        },
        "dhcpOptions": {
          "dnsServers": [
            "1.1.1.1",
            "1.0.0.1"
          ]
        },
        "subnets": [
          {
            "name": "frontend",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]",
            "properties": {
              "addressPrefix": "10.1.0.0/24",
              "delegations": [],
              "privateEndpointNetworkPolicies": "Disabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "name": "backend",
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]",
            "properties": {
              "addressPrefix": "10.1.1.0/24",
              "delegations": [],
              "privateEndpointNetworkPolicies":
"Disabled", 333 | "privateLinkServiceNetworkPolicies": "Enabled" 334 | }, 335 | "type": "Microsoft.Network/virtualNetworks/subnets" 336 | } 337 | ], 338 | "virtualNetworkPeerings": [], 339 | "enableDdosProtection": false 340 | } 341 | } 342 | ], 343 | "outputs": {} 344 | } 345 | -------------------------------------------------------------------------------- /Allfiles/Labs/All-Labs/delete.md: -------------------------------------------------------------------------------- 1 | delete 2 | -------------------------------------------------------------------------------- /Instructions/Demos/DEMO_00_Introduction.md: -------------------------------------------------------------------------------- 1 | --- 2 | demo: 3 | title: 'Demonstration: Student materials and lab environment (adjust)' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | ## Demonstration - Student materials and lab environment (optional) 7 | 8 | Use this demonstration to show students how to access the lab environment and student materials. You can do this at the beginning of class or before the next demonstration. 9 | 10 | ### Show students the lab environment (adjust for your lab hoster) 11 | 12 | - Discuss how students access the lab environment. 13 | 14 | - Explain how to sign-in to the virtual machine host. 15 | 16 | - Explain how to access the [Azure portal](https://portal.azure.com). It is preferred to open the Azure portal in the lab environment instead of a separate window. Ask for a show of hands on how many students have used the portal. 17 | 18 | - Explain what resources have already been configured for the labs. 19 | 20 | - Review how to use the lab instructions. 21 | 22 | - Add other topics specific to your hoster. 23 | 24 | ### Show students their course materials. 25 | 26 | - Access the [Microsoft Learn page](https://learn.microsoft.com). 
27 | 28 | - Discuss that Microsoft Learn is a great source for all Azure documentation, training, certifications, and assessments. 29 | 30 | - Select **Learning Paths** and then search for the **Configure secure access to your workloads using Azure virtual networking** learning path. 31 | 32 | - Discuss that the content in the learning path is specific to this assessment, but there is much more storage content they can review. 33 | 34 | - Explain the content is reference material and there isn't a 1:1 mapping with the classroom presentations. 35 | 36 | - Discuss that each of these modules may have additional hands-on activities. You will identify these activities as the course progresses. 37 | 38 | - Ask the students to locate and bookmark the learning path. 39 | 40 | -------------------------------------------------------------------------------- /Instructions/Demos/DEMO_01_virtual_networks.md: -------------------------------------------------------------------------------- 1 | --- 2 | demo: 3 | title: 'Demonstration: Create and Configure Virtual Networks and peering' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | ## Demonstration – Create and Configure Virtual Networks and peering 7 | 8 | 9 | In this demonstration, you will create virtual networks. 10 | 11 | **Note:** You can use the suggested values for the settings, or your own custom values if you prefer. 12 | 13 | **Note:** An **[interactive lab simulation for virtual networks](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%204?azure-portal=true)** and **[Virtual network peering](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%209?azure-portal=true)** is available that allows you to click through a similar lab if you are unable to do a live demonstration. 
You may find slight differences between the interactive simulation and the suggested demo, but the core concepts and ideas being demonstrated are the same. 14 | 15 | 16 | [Quickstart: Create a virtual network - Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal) 17 | 18 | ### Create a virtual network in the portal 19 | 20 | 21 | 22 | 1. [Supporting Slide] Before beginning the demonstration, let's review what virtual networks are and key concepts for Azure Virtual Networks. Use this slide to highlight the capabilities of Azure Virtual Networks, as well as Azure Virtual Network concepts and best practices. As you demonstrate creating a virtual network you can explain the basic concepts of address space, subnets, regions, and subscriptions. You could also discuss these slides at the end and get straight into the demonstration. 23 | 24 | 2. Sign in to the Azure portal and search for **Virtual Networks**. 25 | 26 | 3. Create a virtual network, explaining the basic settings as you go. Ensure at least one subnet is created. 27 | 28 | 4. Explain that the Azure portal provides an easy-to-use interface. Items marked with a red asterisk are required. 29 | 30 | 5. [Supporting Slide] Select the Security tab. Use this slide to highlight the security services briefly; these topics will be covered in more detail later in the course. Learn more: Services that can be deployed into a virtual network. 31 | 32 | 6. [Supporting Slide] Select the IP Addresses tab. Use this slide to review: Plan virtual networks and subnets. Add or modify a subnet to demonstrate to students how to configure subnets. 33 | 7. Click Review and ensure there are no validation errors. 34 | 8. Click Create and wait for the virtual network to be deployed. Point out the notification messages. 35 | 9. Show how to go to the resource. 36 | 10. Repeat the process of creating another virtual network so you can demonstrate VNet Peering. 
37 | 38 | ## Configure VNet Peering 39 | 40 | **Note:** For this demonstration you will need two virtual networks. 41 | 42 | [Connect virtual networks with VNet peering - tutorial](https://docs.microsoft.com/azure/virtual-network/tutorial-connect-virtual-networks-portal) 43 | 44 | **Configure VNet peering on the first virtual network** 45 | 46 | 1. In the **Azure portal**, select the first virtual network. Review the value of peering. 47 | 48 | 1. Under **Settings**, select **Peerings** and **+ Add** a new peering. 49 | 50 | 1. Configure the peering to the second virtual network. Use the information icons to review the different settings. 51 | 52 | 1. When the peering is complete, review the **Peering status**. 53 | 54 | **Confirm VNet peering on the second virtual network** 55 | 56 | 1. In the **Azure portal**, select the second virtual network. 57 | 58 | 1. Under **Settings**, select **Peerings**. 59 | 60 | 1. Notice that a peering has automatically been created. Notice that the **Peering Status** is **Connected**. 61 | 62 | 63 | >**Note**: Students should now be able to complete LAB_01 64 | 65 | -------------------------------------------------------------------------------- /Instructions/Demos/DEMO_02_security_groups.md: -------------------------------------------------------------------------------- 1 | --- 2 | demo: 3 | title: 'Demonstration: Create and configure network security groups' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | ## Demonstration – Create and configure network security groups 7 | 8 | 9 | In this demonstration, we will explore security groups. 10 | 11 | **Note:** An **[interactive lab simulation for virtual networks](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%2013?azure-portal=true)** is available that allows you to click through a similar lab if you are unable to do a live demonstration. 
You may find slight differences between the interactive simulation and the suggested demo, but the core concepts and ideas being demonstrated are the same. 12 | 13 | [Restrict access to PaaS resources - tutorial - Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-restrict-network-access-to-resources) 14 | 15 | ### Create a network security group 16 | 17 | 1. Access the Azure Portal. 18 | 19 | 1. Search for and select **Network Security Groups**. 20 | 21 | 1. [Supporting Slide] Create an NSG, explaining the settings as you go. 22 | 23 | 1. Wait for the new NSG to deploy. 24 | 25 | **Explore inbound and outbound rules** 26 | 27 | 1. Select your new NSG. 28 | 29 | 1. [Supporting Slide] Discuss how the NSG can be associated with subnets or network interfaces. 30 | 31 | 1. Discuss the purpose of inbound and outbound rules. 32 | 33 | 1. Review the default inbound and outbound rules. 34 | 35 | 1. Create a new rule, explaining the settings as you go. Specifically discuss the service selection (like HTTPS) and the priority settings. 36 | 37 | 38 | ### Create ASG 39 | 40 | 1. [Supporting Slide] Search for and select **Application Security Groups**. 41 | 42 | 1. Create an ASG, explaining the settings as you go. 43 | 44 | 1. Wait for the new ASG to deploy. 45 | 46 | 1. Discuss how the ASG can be associated with NSG rules. 47 | 48 | 49 | ### Associate the NSGs 50 | 1. Navigate to the NSG you created. 51 | 1. Select Subnets from the Settings section. 52 | 1. In the Subnets page, select + Associate. 53 | 1. Under Associate subnet, select your Virtual network. 
54 | 55 | 56 | >**Note**: Students should now be able to complete LAB_02 57 | 58 | -------------------------------------------------------------------------------- /Instructions/Demos/DEMO_03_firewall.md: -------------------------------------------------------------------------------- 1 | --- 2 | demo: 3 | title: 'Demonstration: Create and configure Azure Firewall' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | ## Demonstration – Create and configure Azure Firewall 7 | 8 | **Note:** Azure Firewall can take a few minutes to deploy. 9 | 10 | In this demonstration, explore Azure Firewall. 11 | Review and create an Azure Firewall and Firewall policy. 12 | 1. [Supporting Slide] Before beginning the demonstration, let's review what Azure Firewall is. 13 | 2. Access the Azure portal. 14 | 3. Create an Azure Firewall. 15 | 4. ⓘ on the Basics tab explain the configuration options available as you fill them out. 16 | 5. Accept the other default values, then select Review + create. 17 | 6. After deployment is completed, go to the firewall resource, and review the overview page. 18 | 19 | 20 | ### Configure an application rule 21 | 22 | 1. [Supporting Slide] Azure Firewall policy rules 23 | 24 | This is the application rule that allows outbound access to www.google.com. 25 | 1. Navigate to the firewall policy you created. 26 | 2. Select Application rules. 27 | 3. Select Add a rule collection. 28 | 4. For Name, enter App-Coll01. 29 | 5. For Priority, enter 200. 30 | 6. For Rule collection action, select Allow. 31 | 7. Under Rules, for Name, enter Allow-Google. 32 | 8. For Source type, select IP address. 33 | 9. For Source, enter 10.0.2.0/24. 34 | 10. For Protocol:port, enter http, https. 35 | 11. For Destination Type, select FQDN. 36 | 12. For Destination, enter www.google.com 37 | 13. Select Add. 
38 | 39 | Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. For more information, see Infrastructure FQDNs. 40 | 41 | ### Configure a network rule 42 | This is the network rule that allows outbound access to two IP addresses at port 53 (DNS). 43 | 1. Select Network rules. 44 | 2. Select Add a rule collection. 45 | 3. For Name, enter Net-Coll01. 46 | 4. For Priority, enter 200. 47 | 5. For Rule collection action, select Allow. 48 | 6. For Rule collection group, select DefaultNetworkRuleCollectionGroup. 49 | 7. Under Rules, for Name, enter Allow-DNS. 50 | 8. For Source type, select IP Address. 51 | 9. For Source, enter 10.0.2.0/24. 52 | 10. For Protocol, select UDP. 53 | 11. For Destination Ports, enter 53. 54 | 12. For Destination type select IP address. 55 | 14. For Destination, enter 209.244.0.3, 209.244.0.4. 56 | These are public DNS servers operated by CenturyLink. 57 | 15. Select Add. 58 | 59 | >**Note**: Students should now be able to complete LAB_04 60 | 61 | -------------------------------------------------------------------------------- /Instructions/Demos/DEMO_04_route.md: -------------------------------------------------------------------------------- 1 | --- 2 | demo: 3 | title: 'Demonstration: Create and configure network routing' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | ## Demonstration – Create and configure network routing 7 | 8 | In this demonstration, we will learn how to create a route table, define 9 | a custom route, and associate the route with a subnet. 10 | 11 | 12 | **Note:** This demonstration requires a virtual network with at least one subnet. 
13 | 14 | [Route network traffic - tutorial - Azure portal](https://learn.microsoft.com/azure/virtual-network/tutorial-create-route-table-portal#create-a-route-table) 15 | 16 | 17 | ### Create a Route table 18 | 19 | 1. As you have time review the tutorial diagram. Explain why you need to create a user-defined route. 20 | 21 | 1. Access the Azure portal. 22 | 23 | 1. Search for and select **Route tables**. Discuss when **propagate gateway routes** should be used. 24 | 25 | 1. Create a routing table, explain any uncommon settings. 26 | 27 | 1. Wait for the new routing table to be deployed. 28 | 29 | **Add a route** 30 | 31 | 1. Select your new routing table, and then select **Routes**. 32 | 33 | 1. Create a new **route**. Discuss the different **hop types** that are available. 34 | 35 | 1. Create the new route and wait for the resource to be deployed. 36 | 37 | ### Associate a Route Table to a subnet 38 | A route table can be associated to zero or more subnets. Route tables aren't associated to virtual networks. You must associate a route table to each subnet you want the route table associated to. 39 | 40 | 41 | 1. Navigate to the subnet you want to associate with the routing table. 42 | 43 | 1. Select **Route table** and choose your new routing table. 44 | 45 | 1. **Save** your changes. 46 | 47 | 48 | >**Note**: You can only associate a route table to subnets in virtual networks that exist in the same Azure location and subscription as the route table. 
49 | 50 | >**Note**: Students should now be able to complete LAB_04 51 | -------------------------------------------------------------------------------- /Instructions/Demos/DEMO_05_domain_name.md: -------------------------------------------------------------------------------- 1 | --- 2 | demo: 3 | title: 'Demonstration: Create and configure Azure DNS' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | ## Demonstration – Create and configure Azure DNS 7 | 8 | In this demonstration, you will explore Azure DNS. 9 | 10 | [Tutorial: Host your domain and subdomain - Azure DNS](https://docs.microsoft.com/azure/dns/dns-delegate-domain-azure-dns) 11 | 12 | 13 | **Create a private DNS zone** 14 | 15 | 1. Access the Azure Portal. 16 | 17 | 1. Search for the **DNS zones** service. 18 | 19 | 1. Create a **DNS zone** and explain the purpose of the zone. For a name you can use contoso.internal.com. 20 | 21 | 1. Wait for the DNS zone to be created. You may need to **Refresh** the page. 22 | 23 | **Add a DNS record set** 24 | 25 | 26 | [Tutorial: Create an alias record to refer to a zone resource record](https://learn.microsoft.com/azure/dns/tutorial-alias-rr) 27 | 28 | 1. Once your zone is created, select **+Record Set**. 29 | 30 | 1. Use the **Type** drop-down to view the different types of records. Review how the different record types are used. Notice how the record information changes as you select different record types. 31 | 32 | 1. Create an **A** record as an example. 33 | 34 | **Link VNet for auto registration** 35 | 36 | 1. Once the DNS Zone is deployed, review the overview page with the students. 37 | 1. Link the private DNS zone to a virtual network by creating a virtual network link. 38 | 1. On the left pane, select Virtual network links. 39 | 1. Select Add. 40 | 1. Type myLink for the Link name. 41 | 1. For Virtual network, select myAzureVNet. 42 | 1. Select the Enable auto registration check box. 
43 | 1. Select OK. 44 | 45 | >**Note**: Students should now be able to complete LAB_05 -------------------------------------------------------------------------------- /Instructions/Labs/LAB_01_virtual_networks.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 01: Create and configure virtual networks' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | 7 | # Exercise 01: Create and configure virtual networks 8 | 9 | ## Scenario 10 | 11 | Your organization is migrating a web-based application to Azure. Your first task is to put in place the virtual networks and subnets. You also need to securely peer the virtual networks. You identify these requirements. 12 | + Two virtual networks are required, **app-vnet** and **hub-vnet**. This simulates a hub and spoke network architecture. 13 | + The app-vnet will host the application. This virtual network requires two subnets. The **frontend subnet** will host the web servers. The **backend subnet** will host the database servers. 14 | + The hub-vnet only requires a subnet for the firewall. 15 | + The two virtual networks must be able to communicate with each other securely and privately through **virtual network peering**. 16 | + Both virtual networks should be in the same region. 17 | 18 | ## Skilling tasks 19 | 20 | + Create a virtual network. 21 | + Create a subnet. 22 | + Configure vnet peering. 23 | 24 | ## Architecture diagram 25 | 26 | ![Diagram that shows two virtual networks that are peered.](../Media/task-1.png) 27 | 28 | ## Exercise instructions 29 | 30 | **Note**: To complete this lab you will need an [Azure subscription](https://azure.microsoft.com/free/) with **Contributor** RBAC role assigned. In this lab, when you are asked to create a resource, for any properties that are not specified, use the default value. 
31 | 32 | ### Create hub and spoke virtual networks and subnets 33 | 34 | An [Azure virtual network](https://learn.microsoft.com/azure/virtual-network/virtual-networks-overview) enables many types of Azure resources to securely communicate with each other, the internet, and on-premises networks. All Azure resources in a virtual network are deployed into [subnets](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal) within the virtual network. 35 | 36 | 1. Sign in to the **Azure portal** - `https://portal.azure.com`. 37 | 38 | 1. Search for and select `Virtual Networks`. 39 | 40 | 1. Select **+ Create** and complete the configuration of the **app-vnet**. This virtual network requires two subnets, **frontend** and **backend**. 41 | 42 | | Property | Value | 43 | | :------------------- | :-------------- | 44 | | Resource group | **RG1** | 45 | | Virtual network name | `app-vnet` | 46 | | Region | **East US** | 47 | | IPv4 address space | **10.1.0.0/16** | 48 | | Subnet name | `frontend` | 49 | | Subnet address range | **10.1.0.0/24** | 50 | | Subnet name | `backend` | 51 | | Subnet address range | **10.1.1.0/24** | 52 | 53 | **Note**: Leave all other settings as their defaults. When finished, select **Review + create** and then **Create**. 54 | 55 | 1. Create the **hub-vnet** virtual network configuration. This virtual network has the firewall subnet. 56 | 57 | | Property | Value | 58 | | :------------------- | :----------------------- | 59 | | Resource group | **RG1** | 60 | | Name | `hub-vnet` | 61 | | Region | **East US** | 62 | | IPv4 address space | **10.0.0.0/16** | 63 | | Subnet name | **AzureFirewallSubnet** | 64 | | Subnet address range | **10.0.0.0/26** | 65 | 66 | 1. Once the deployments are complete, search for and select your `virtual networks`. 67 | 68 | 1. Verify your virtual networks and subnets were deployed. 
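The address plan in the two tables above can be checked for consistency before anything is deployed. The following Python script is an added example, not part of the lab's own files; the names `PLAN`, `parse_cidr` and `validate_plan`, and the optional `reserved` list of ranges already in use elsewhere, are assumptions made for illustration.

```python
from ipaddress import ip_network
from itertools import combinations

# Address plan copied from the app-vnet and hub-vnet tables in this exercise.
PLAN = {
    "app-vnet": {
        "address_space": ["10.1.0.0/16"],
        "subnets": {"frontend": "10.1.0.0/24", "backend": "10.1.1.0/24"},
    },
    "hub-vnet": {
        "address_space": ["10.0.0.0/16"],
        "subnets": {"AzureFirewallSubnet": "10.0.0.0/26"},
    },
}

# Azure Firewall must sit in a subnet with this exact name, sized /26 or larger.
FIREWALL_SUBNET = "AzureFirewallSubnet"
FIREWALL_MAX_PREFIXLEN = 26


def parse_cidr(cidr, label, findings):
    """Parse a CIDR strictly (host bits must be zero); record a finding if malformed."""
    try:
        return ip_network(cidr, strict=True)
    except ValueError as exc:
        findings.append(f"{label}: invalid CIDR {cidr!r} ({exc})")
        return None


def validate_plan(plan, reserved=()):
    """Return a list of findings; an empty list means the plan is consistent.

    `reserved` is an optional list of CIDRs already used elsewhere (for example
    on-premises ranges) that no VNet address space may overlap.
    """
    findings = []
    spaces = {}  # vnet name -> parsed address prefixes

    for vnet, cfg in plan.items():
        parsed = [parse_cidr(c, vnet, findings) for c in cfg["address_space"]]
        spaces[vnet] = [n for n in parsed if n is not None]

        subnets = {}
        for name, cidr in cfg["subnets"].items():
            net = parse_cidr(cidr, f"{vnet}/{name}", findings)
            if net is None:
                continue
            subnets[name] = net
            # Every subnet has to fall inside one of the VNet's own prefixes.
            if not any(net.version == s.version and net.subnet_of(s) for s in spaces[vnet]):
                findings.append(f"{vnet}/{name}: {net} is outside the VNet address space")
            if name == FIREWALL_SUBNET and net.prefixlen > FIREWALL_MAX_PREFIXLEN:
                findings.append(
                    f"{vnet}/{name}: {net} is smaller than /{FIREWALL_MAX_PREFIXLEN}"
                )

        # Subnets inside one VNet need unique, non-overlapping ranges.
        for (a, net_a), (b, net_b) in combinations(subnets.items(), 2):
            if net_a.overlaps(net_b):
                findings.append(f"{vnet}: subnets {a} and {b} overlap")

    # Peered VNets need non-overlapping address spaces.
    for (v1, s1), (v2, s2) in combinations(spaces.items(), 2):
        for a in s1:
            for b in s2:
                if a.overlaps(b):
                    findings.append(f"{v1} {a} overlaps {v2} {b}: cannot be peered")

    # No VNet may reuse a range that is already allocated elsewhere.
    for cidr in reserved:
        other = parse_cidr(cidr, "reserved", findings)
        if other is None:
            continue
        for vnet, nets in spaces.items():
            for n in nets:
                if n.overlaps(other):
                    findings.append(f"{vnet} {n} overlaps reserved range {other}")

    return findings


if __name__ == "__main__":
    # 192.168.0.0/16 is a constructed on-premises range, not a value from the lab.
    problems = validate_plan(PLAN, reserved=["192.168.0.0/16"])
    for p in problems:
        print("FINDING:", p)
    print("plan OK" if not problems else f"{len(problems)} finding(s)")
```
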
69 | 70 | ### Configure a peer relationship between the virtual networks 71 | 72 | [Virtual network peering](https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview) enables you to seamlessly connect two or more Virtual Networks in Azure. 73 | 74 | 1. Search for and select the `app-vnet` virtual network. 75 | 76 | 1. In the **Settings** blade, select **Peerings**. 77 | 78 | 1. **+ Add** a peering between the two virtual networks. 79 | 80 | | Property | Value | 81 | | :--------------------------------------- | :----------------------------- | 82 | | Remote peering link name | `app-vnet-to-hub` | 83 | | Virtual network | `hub-vnet` | 84 | | Local virtual network peering link name | `hub-to-app-vnet` | 85 | 86 | **Note**: Leave all other settings as their defaults. Select **"Add"** to create the virtual network peering. 87 | 88 | 1. Once the deployment completes, verify the **Peering status** is **Connected**. 89 | 90 | ## Learn more with online training 91 | 92 | + [Introduction to Azure Virtual Networks](https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/). In this module, you learn how to design and implement Azure networking services. You learn about virtual networks, public and private IPs, DNS, virtual network peering, routing, and Azure Virtual NAT. 93 | 94 | ## Key takeaways 95 | 96 | Congratulations on completing the exercise. Here are the main takeaways: 97 | 98 | + Azure virtual networks (VNets) provide a secure and isolated network environment for your cloud resources. You can create multiple virtual networks per region per subscription. 99 | + When designing virtual networks make sure the VNet address space (CIDR block) doesn't overlap with your organization's other network ranges. 100 | + A subnet is a range of IP addresses in the VNet. You can segment VNets into different size subnets, creating as many subnets as you require for organization and security within the subscription limit. 
Each subnet must have a unique address range. 101 | + Certain Azure services, such as Azure Firewall, require their own subnet. 102 | + Virtual network peering enables you to seamlessly connect two Azure virtual networks. The virtual networks appear as one for connectivity purposes. 103 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_02_security_groups.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 02: Create and configure network security groups' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | 7 | # Exercise 02: Create and configure network security groups 8 | 9 | ## Scenario 10 | 11 | Your organization requires the network traffic in the app-vnet to be tightly controlled. You identify these requirements. 12 | + The frontend subnet has web servers that can be accessed from the internet. An **application security group** (ASG) is required for those servers. The ASG should be associated with any virtual machine interface that is part of the group. This will allow the web servers to be easily managed. 13 | + The backend subnet has database servers used by the frontend web servers. A **network security group** (NSG) is required to control this traffic. The NSG should be associated with any virtual machine interface that will be accessed by the web servers. 14 | + For testing, a virtual machine should be installed in the frontend subnet (VM1) and the backend subnet (VM2). The IT group has provided an Azure resource manager template to deploy these **Ubuntu servers**. 15 | 16 | ## Skilling tasks 17 | 18 | + Create a network security group. 19 | + Create network security group rules. 20 | + Associate a network security group to a subnet. 21 | + Create and use application security groups in network security group rules. 
22 | 23 | ## Architecture diagram 24 | 25 | ![Diagram that shows one ASG and NSG associated to a virtual network.](../Media/task-2.png) 26 | 27 | 28 | 29 | 30 | ## Exercise instructions 31 | 32 | ### Create the network infrastructure for the exercise 33 | 34 | **Note:** This exercise requires the Lab 01 virtual networks and subnets to be installed. A [template](https://github.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/blob/main/Allfiles/Labs/All-Labs/create-vnet-subnets-template.json) is provided if you need to deploy those resources. 35 | 36 | 1. Use the icon (top right) to launch a **Cloud Shell** session. Alternately, navigate directly to `https://shell.azure.com`. 37 | 38 | 1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**. 39 | 40 | 1. Storage is not required for this task. Select your subscription. **Apply** your changes. 41 | 42 | 1. Use these commands to deploy the virtual machines required for this exercise. 43 | 44 | >**Note**: If the deployment fails for capacity restriction, edit the template and change the "location" value. 45 | 46 | ```powershell 47 | $RGName = "RG1" 48 | 49 | New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/main/Instructions/Labs/azuredeploy.json 50 | ``` 51 | 52 | 1. In the portal, search for and select `virtual machines`. Verify both vm1 and vm2 are **Running**. 53 | 54 | ### Create Application Security Group 55 | 56 | [Application security groups (ASGs)](https://learn.microsoft.com/azure/virtual-network/application-security-groups) let you group together servers with similar functions. For example, all the web servers hosting your application. 57 | 58 | 1. In the portal, search for and select `Application security groups`. 59 | 60 | 1. Select **+ Create** and configure the application security group. 
61 | 62 | | Property | Value | 63 | | :------------- | :--------------------------- | 64 | | Subscription | **Select your subscription** | 65 | | Resource group | **RG1** | 66 | | Name | `app-frontend-asg` | 67 | | Region | **East US** | 68 | 69 | 1. Select **Review + create** and then select **Create**. 70 | 71 | **Note**: You are creating the application security group in the same region as the existing virtual network. 72 | 73 | **Associate the application security group to the network interface of the VM** 74 | 75 | 1. In the Azure portal, search for and select `VM1`. 76 | 77 | 1. In the **Networking** blade, select **Application security groups** and then select **Add application security groups**. 78 | 79 | 1. Select the **app-frontend-asg** and then select **Add**. 80 | 81 | ### Create and Associate the Network Security Group 82 | 83 | [Network security groups (NSGs)](https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview) secure network traffic in a virtual network. 84 | 85 | 1. In the portal search for and select `Network security group`. 86 | 87 | 1. Select **+ Create** and configure the network security group. 88 | 89 | | Property | Value | 90 | | :------------- | :--------------------------- | 91 | | Subscription | **Select your subscription** | 92 | | Resource group | **RG1** | 93 | | Name | `app-vnet-nsg` | 94 | | Region | **East US** | 95 | 96 | 1. Select **Review + create** and then select **Create**. 97 | 98 | **Associate the NSG with the app-vnet backend subnet.** 99 | 100 | NSGs can be associated with subnets and/or individual network interfaces attached to Azure virtual machines. 101 | 102 | 1. Select **Go to resource** or navigate to the **app-vnet-nsg** resource. 103 | 104 | 1. In the **Settings** blade select **Subnets**. 105 | 106 | 1. Select **+ Associate** 107 | 108 | 1. Select **app-vnet (RG1)** and then the **Backend** subnet. Select **OK**. 
109 | 110 | ### Create Network Security Group rules 111 | 112 | An NSG uses [security rules](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) to filter inbound and outbound network traffic. 113 | 114 | 1. In the search box at the top of the portal, enter **Network security groups**. Select Network security groups in the search results. 115 | 116 | 1. Select **app-vnet-nsg** from the list of network security groups. 117 | 118 | 1. In the **Settings** blade, select **Inbound security rules**. 119 | 120 | 1. Select **+ Add** and configure an inbound security rule. 121 | 122 | | Property | Value | 123 | | :------------------------------------- | :----------------------------- | 124 | | Source | **Any** | 125 | | Source port ranges | **\*** | 126 | | Destination | **Application Security group** | 127 | | Destination application security group | **app-frontend-asg** | 128 | | Service | **SSH** | 129 | | Action | **Allow** | 130 | | Priority | **100** | 131 | | Name | **AllowSSH** | 132 | 133 | 134 | ### Learn more with online training 135 | 136 | + [Filter network traffic with a network security group using the Azure portal](https://learn.microsoft.com/training/modules/filter-network-traffic-network-security-group-using-azure-portal/). In this module, you focus on filtering network traffic using Network Security Groups (NSGs) in the Azure portal. Learn how to create, configure, and apply NSGs for improved network security. 137 | + [Secure and isolate access to Azure resources by using network security groups and service endpoints](https://learn.microsoft.com/training/modules/secure-and-isolate-with-nsg-and-service-endpoints/). In this module, you learn about network security groups and how to restrict network connectivity. 138 | 139 | ### Key takeaways 140 | 141 | Congratulations on completing the exercise. 
Here are the main takeaways: 142 | 143 | + Application security groups let you organize virtual machines and define network security policies based on your organization's applications. 144 | + An Azure network security group is used to filter network traffic between Azure resources in an Azure virtual network. 145 | + You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. 146 | + A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, Azure resources. 147 | + You join virtual machines to an application security group. Then you use the application security group as a source or destination in the network security group rules. 148 | 149 | 150 | 151 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_03_firewall.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 03: Create and configure Azure Firewall' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | 7 | # Exercise 03: Create and configure Azure Firewall 8 | 9 | ## Scenario 10 | 11 | Your organization requires centralized network security for the application virtual network. As the application usage increases, more granular application-level filtering and advanced threat protection will be needed. Also, it is expected the application will need continuous updates from Azure DevOps pipelines. You identify these requirements. 12 | + Azure Firewall is required for additional security in the app-vnet. 13 | + A **firewall policy** should be configured to help manage access to the application. 14 | + A firewall policy **application rule** is required. This rule will allow the application access to Azure DevOps so the application code can be updated. 
15 | + A firewall policy **network rule** is required. This rule will allow DNS resolution. 16 | 17 | ### Skilling tasks 18 | 19 | + Create an Azure Firewall. 20 | + Create and configure a firewall policy 21 | + Create an application rule collection. 22 | + Create a network rule collection. 23 | 24 | ## Architecture diagram 25 | 26 | ![Diagram that shows one virtual network with a firewall and route table.](../Media/task-3.png) 27 | 28 | 29 | 30 | ## Exercise instructions 31 | 32 | ### Create Azure Firewall subnet in our existing virtual network 33 | 34 | 1. In the search box at the top of the portal, enter **Virtual networks**. Select **Virtual networks** in the search results. 35 | 36 | 1. Select **app-vnet**. 37 | 38 | 1. Select **Subnets**. 39 | 40 | 1. Select **+ Subnet**. 41 | 42 | 1. Enter the following information and select **Save**. 43 | 44 | | Property | Value | 45 | | :------------ | :---------------------- | 46 | | Name | **AzureFirewallSubnet** | 47 | | Address range | **10.1.63.0/26** | 48 | 49 | **Note**: Leave all other settings as default. 50 | 51 | ### Create an Azure Firewall 52 | 53 | 1. In the search box at the top of the portal, enter **Firewall**. Select **Firewall** in the search results. 54 | 55 | 1. Select **+ Create**. 56 | 57 | 1. Create a firewall by using the values in the following table. For any property that is not specified, use the default value. 58 | >**Note**: Azure Firewall can take a few minutes to deploy. 
59 | 60 | | Property | Value | 61 | | :----------------------- | :------------------------------------------------ | 62 | | Resource group | **RG1** | 63 | | Name | **app-vnet-firewall** | 64 | | Firewall SKU | **Standard** | 65 | | Firewall management | **Use a Firewall Policy to manage this firewall** | 66 | | Firewall policy | select **Add new** | 67 | | Policy name | **fw-policy** | 68 | | Region | **East US** | 69 | | Policy Tier | **Standard** | 70 | | Choose a virtual network | **Use existing** | 71 | | Virtual network | **app-vnet** (RG1) | 72 | | Public IP address | Add new: **fwpip** | 73 | 74 | [Learn more on creating a firewall](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal). 75 | 76 | 1. Select **Review + create** and then select **Create**. 77 | 78 | ### Update the Firewall Policy 79 | 80 | 1. In the portal, search for and select `Firewall Policies`. 81 | 82 | 1. Select **fw-policy**. 83 | 84 | ### Add an application rule 85 | 86 | 1. In the **Settings** blade, select **Application rules** and then **Add a rule collection**. 87 | 88 | 1. Configure the application rule collection and then select **Add**. 89 | 90 | | Property | Value | 91 | | :--------------------- | :---------------------------------------- | 92 | | Name | `app-vnet-fw-rule-collection` | 93 | | Rule collection type | **Application** | 94 | | Priority | `200` | 95 | | Rule collection action | **Allow** | 96 | | Rule collection group | **DefaultApplicationRuleCollectionGroup** | 97 | | Name | `AllowAzurePipelines` | 98 | | Source type | **IP address** | 99 | | Source | `10.1.0.0/23` | 100 | | Protocol | `https` | 101 | | Destination type | **FQDN** | 102 | | Destination | `dev.azure.com, azure.microsoft.com` | 103 | 104 | **Note**: The **AllowAzurePipelines** rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website. 105 | 106 | ### Add a network rule 107 | 108 | 1. 
In the **Settings** blade, select **Network rules** and then **Add a network collection**. 109 | 110 | 1. Configure the network rule and then select **Add**. 111 | 112 | | Property | Value | 113 | | :--------------------- | :------------------------------------ | 114 | | Name | `app-vnet-fw-nrc-dns` | 115 | | Rule collection type | **Network** | 116 | | Priority | `200` | 117 | | Rule collection action | **Allow** | 118 | | Rule collection group | **DefaultNetworkRuleCollectionGroup** | 119 | | Rule | **AllowDns** | 120 | | Source | `10.1.0.0/23` | 121 | | Protocol | **UDP** | 122 | | Destination ports | `53` | 123 | | Destination addresses | **1.1.1.1, 1.0.0.1** | 124 | 125 | ### Verify the firewall and firewall policy status 126 | 127 | 1. In the portal search for and select **Firewall**. 128 | 129 | 1. View the **app-vnet-firewall** and ensure the **Provisioning state** is **Succeeded**. This may take a few minutes. 130 | 131 | 1. In the portal search for and select **Firewall policies**. 132 | 133 | 1. View the **fw-policy** and ensure the **Provisioning state** is **Succeeded**. This may take a few minutes. 134 | 135 | ### Learn more with online training 136 | 137 | + [Introduction to Azure Firewall](https://learn.microsoft.com/training/modules/introduction-azure-firewall/). In this module, you learn about Azure Firewall features, rules, deployment options, and administration. 138 | + [Introduction to Azure Firewall Manager](https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/). In this module, you learn how Azure Firewall Manager provides central security policy and route management for cloud-based security perimeters. 139 | 140 | ### Key takeaways 141 | 142 | Congratulations on completing the exercise. Here are the main takeaways: 143 | 144 | + Azure Firewall is a cloud-based security service that protects your Azure virtual network resources from incoming and outgoing threats.
145 | + An Azure firewall policy is a resource that contains one or more collections of NAT, network, and application rules. 146 | + Network rules allow or deny traffic based on IP addresses, ports, and protocols. 147 | + Application rules allow or deny traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols. 148 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_04_route.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 04: Configure network routing' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | 7 | # Exercise 04: Configure network routing 8 | 9 | ## Scenario 10 | 11 | To ensure the firewall policies are enforced, outbound application traffic must be routed through the firewall. You identify these requirements. 12 | + A route table is required. This route table will be associated with the frontend and backend subnets. 13 | + A route is required to filter all outbound IP traffic from the subnets to the firewall. The firewall’s private IP address will be used. 14 | 15 | ## Skilling tasks 16 | 17 | + Create and configure a route table. 18 | + Link a route table to a subnet. 19 | 20 | ## Architecture diagram 21 | 22 | ![Diagram that shows one virtual network with a firewall and route table.](../Media/task-3.png) 23 | 24 | 25 | ## Exercise instructions 26 | 27 | ### Create a route table 28 | 29 | Azure automatically creates a [route table](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for each subnet within an Azure virtual network. The route table includes the default [system routes](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#system-routes). You can create route tables and routes to override Azure's default system routes. 
30 | 31 | **Record the private IP address of app-vnet-firewall** 32 | 33 | 1. In the search box at the top of the portal, enter **Firewall**. Select **Firewall** in the search results. 34 | 35 | 1. Select **app-vnet-firewall**. 36 | 37 | 1. Select **Overview** and record the **Private IP address**. 38 | 39 | **Add the route table** 40 | 41 | 1. In the search box, enter **Route tables**. When Route table appears in the search results, select it. 42 | 43 | 1. In the Route table page, select **+ Create** and create the route table. 44 | 45 | | Property | Value | 46 | | :------------- | :--------------------------- | 47 | | Subscription | **Select your subscription** | 48 | | Resource group | **RG1** | 49 | | Region | **East US** | 50 | | Name | `app-vnet-firewall-rt` | 51 | 52 | 1. Select **Review + create** and then select **Create**. 53 | 54 | 1. Wait for the route table to deploy, then select **Go to resource**. 55 | 56 | ### Associate the route table to the subnets 57 | 58 | 1. In the portal, continue working with the route table, select **app-vnet-firewall-rt**. 59 | 60 | 1. In the **Settings** blade, select **Subnets** and then **+ Associate**. 61 | 62 | 1. Configure an association to the frontend subnet, then select **OK**. 63 | 64 | | Property | Value | 65 | | :-------------- | :----------------- | 66 | | Virtual network | **app-vnet (RG1)** | 67 | | Subnet | **frontend** | 68 | 69 | 1. Configure an association to the backend subnet, then select **OK**. 70 | 71 | | Property | Value | 72 | | :-------------- | :----------------- | 73 | | Virtual network | **app-vnet (RG1)** | 74 | | Subnet | **backend** | 75 | 76 | ### Create a route in the route table 77 | 78 | 1. In the portal, continue working with the route table, select **app-vnet-firewall-rt**. 79 | 80 | 1. In the **Settings** blade, select **Routes** and then **+ Add**. 81 | 82 | 1. Configure the route, then select **Add**. 
83 | 84 | | Property | Value | 85 | | :---------------------------------- | :------------------------------------------------------ | 86 | | Route name | **outbound-firewall** | 87 | | Destination type | **IP addresses** | 88 | | Destination IP addresses/CIDR range | **0.0.0.0/0** | 89 | | Next hop type | **Virtual appliance** | 90 | | Next hop address | **private IP address of the firewall** | 91 | 92 | 93 | ### Learn more with online training 94 | 95 | + [Manage and control traffic flow in your Azure deployment with routes](https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/). In this module, you learn how to control Azure virtual network traffic by implementing custom routes. This module has two sandboxes. 96 | 97 | ### Key takeaways 98 | 99 | Congratulations on completing the exercise. Here are the main takeaways: 100 | 101 | + Network traffic in Azure is automatically routed across Azure subnets, virtual networks, and on-premises networks. System routes control this routing. 102 | + User-defined routes override the default system routes so traffic can be routed through network virtual appliances (NVAs). 103 | + Network virtual appliances (NVAs) control the flow of network traffic. Examples of NVAs are firewalls, load balancers, and routers. 104 | + Route tables contain routing information and are associated with a subnet.
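Added example (not part of the lab repository): a Python model of how the `outbound-firewall` route from Exercise 04 combines with the `AllowDns` and `AllowAzurePipelines` rules from Exercise 03. It assumes Azure's longest-prefix-match route selection with user-defined routes winning ties, and network rules evaluated before application rules with an implicit deny; `10.1.63.4` and `203.0.113.10` are constructed placeholder addresses and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

VNET_PREFIX = "10.1.0.0/16"                       # app-vnet address space (azuredeploy.json)
RULE_SOURCE = ipaddress.ip_network("10.1.0.0/23")  # Source used by both firewall rules
FIREWALL_IP = "10.1.63.4"  # constructed placeholder: use the private IP recorded in the lab


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    user_defined: bool


# Effective routes for a subnet associated with app-vnet-firewall-rt.
ROUTES = [
    Route(VNET_PREFIX, "VirtualNetwork", False),    # default system route
    Route("0.0.0.0/0", "Internet", False),          # default system route
    Route("0.0.0.0/0", "VirtualAppliance", True),   # outbound-firewall (next hop FIREWALL_IP)
]

# Rules as configured in the lab tables.
NETWORK_RULES = [
    {"name": "AllowDns", "protocol": "UDP", "ports": {53},
     "destinations": {"1.1.1.1", "1.0.0.1"}},
]
APPLICATION_RULES = [
    # Modelling assumption: "https" means TCP port 443 with the FQDN known to the firewall.
    {"name": "AllowAzurePipelines", "port": 443,
     "fqdns": {"dev.azure.com", "azure.microsoft.com"}},
]


def select_route(dest_ip, routes=ROUTES):
    """Longest prefix wins; on equal prefixes a user-defined route beats a system route."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.user_defined))


def firewall_decision(src_ip, protocol, port, dest_ip, fqdn=None):
    """Network rules first, then application rules, then the implicit deny."""
    if ipaddress.ip_address(src_ip) in RULE_SOURCE:
        dest = str(ipaddress.ip_address(dest_ip))
        for rule in NETWORK_RULES:
            if (protocol == rule["protocol"] and port in rule["ports"]
                    and dest in rule["destinations"]):
                return "Allow:" + rule["name"]
        for rule in APPLICATION_RULES:
            if protocol == "TCP" and port == rule["port"] and fqdn in rule["fqdns"]:
                return "Allow:" + rule["name"]
    return "Deny"


def trace(src_ip, dest_ip, protocol, port, fqdn=None):
    """Return (next hop type, verdict) for one outbound flow from a lab subnet."""
    route = select_route(dest_ip)
    if route is None:
        return ("None", "Dropped")
    if route.next_hop != "VirtualAppliance":
        # The firewall is not in the path, so its policy is never consulted.
        return (route.next_hop, "NotInspected")
    return (route.next_hop, firewall_decision(src_ip, protocol, port, dest_ip, fqdn))


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("10.1.0.4", "1.1.1.1", "UDP", 53, None),
        ("10.1.0.4", "8.8.8.8", "UDP", 53, None),
        ("10.1.1.4", "203.0.113.10", "TCP", 443, "dev.azure.com"),
        ("10.1.1.4", "203.0.113.10", "TCP", 443, "example.com"),
        ("10.1.0.4", "10.1.1.4", "TCP", 22, None),
    ]
    for flow in flows:
        print(flow, "->", trace(*flow))
```

The last flow shows the point to check when reviewing the design: the `10.1.0.0/16` system route is more specific than `0.0.0.0/0`, so frontend-to-backend traffic stays inside the virtual network and is filtered only by the NSG, not by the firewall policy.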
105 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_05_domain_name.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 05: Create DNS zones and configure DNS settings' 4 | module: 'Guided Project - Configure secure access to workloads with Azure virtual networking services' 5 | --- 6 | 7 | # Exercise 05: Create DNS zones and configure DNS settings 8 | 9 | ## Scenario 10 | 11 | Your organization requires workloads to use domain names instead of IP addresses for internal communications. The organization doesn’t want to add a custom DNS solution. You identify these requirements. 12 | + A **private DNS zone** is required for contoso.com. 13 | + The DNS will use a **virtual network link** to app-vnet. 14 | + A new **DNS record** is required for the backend subnet. 15 | 16 | ## Skilling tasks 17 | 18 | + Create and configure a private DNS zone. 19 | + Create and configure DNS records. 20 | + Configure DNS settings on a virtual network. 21 | 22 | ## Architecture diagram 23 | 24 | ![Diagram of Azure DNS linked to a virtual network.](../Media/task-5.png) 25 | 26 | 27 | 28 | ## Exercise instructions 29 | 30 | **Note:** This exercise requires the Lab 01 virtual networks and subnets to be installed. A [template](https://github.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/blob/main/Allfiles/Labs/All-Labs/create-vnet-subnets-template.json) is provided if you need to deploy those resources. 31 | 32 | ### Create a private DNS zone 33 | 34 | [Azure Private DNS](https://learn.microsoft.com/azure/dns/private-dns-overview) provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. By using private DNS zones, you can use your own custom domain names rather than the Azure-provided names. 35 | 36 | 1. 
On the Azure portal, search for and select `Private dns zones`. 37 | 38 | 1. Select **+ Create** and configure the DNS zone. 39 | 40 | | Property | Value | 41 | | :------------- | :--------------------------- | 42 | | Subscription | **Select your subscription** | 43 | | Resource group | **RG1** | 44 | | Name | `private.contoso.com` | 45 | | Region | **East US** | 46 | 47 | 1. Select **Review + create** and then select **Create**. 48 | 49 | 1. Wait for the DNS zone to deploy, and then select **Go to resource**. 50 | 51 | ### Create a virtual network link to your private DNS zone 52 | 53 | To resolve DNS records in a private DNS zone, resources must be linked to the private zone. A [virtual network link](https://learn.microsoft.com/azure/dns/private-dns-virtual-network-links) associates the virtual network to the private zone. 54 | 55 | 1. In the portal, continue working on the **private.contoso.com** DNS zone. 56 | 57 | 1. In the **DNS Management** blade, select **+ Virtual network links**. 58 | 59 | 1. Select **+ Add** and configure the virtual network link. 60 | 61 | | Property | Value | 62 | | :----------------------- | :---------------- | 63 | | Link name | `app-vnet-link` | 64 | | Virtual network | **app-vnet** | 65 | | Enable auto registration | **Enabled** | 66 | 67 | 1. Select **Create** and wait for the deployment to finish. If necessary, **Refresh** the page. 68 | 69 | ### Create a DNS record set 70 | 71 | [DNS records](https://learn.microsoft.com/en-us/azure/dns/dns-zones-records#dns-records) provide information about the DNS zone. 72 | 73 | 1. In the portal, continue working on the **private.contoso.com** DNS zone. 74 | 75 | 1. In the **DNS Management** blade, select **+ Recordsets**. 76 | 77 | 1. Notice that two A records have automatically been created for each of the virtual machines. 78 | 79 | 1. Select **+ Add** and configure a record set. When finished select **Add**.
80 | 81 | | Property | Value | 82 | | :--------- | :----------- | 83 | | Name | `backend` | 84 | | Type | **A** | 85 | | TTL | **1** | 86 | | IP address | **10.1.1.5** | 87 | 88 | **Note:** This record set implies there is a virtual machine in app-vnet with a private IP address of 10.1.1.5. 89 | 90 | ### Learn more with online training 91 | 92 | + [Introduction to Azure DNS](https://learn.microsoft.com/training/modules/intro-to-azure-dns/). This module explains what Azure DNS does, how it works, and when you should choose to use Azure DNS as a solution to meet your organization’s needs. 93 | + [Host your domain on Azure DNS](https://learn.microsoft.com/training/modules/host-domain-azure-dns/). In this module, you learn how to create a DNS zone and DNS records. 94 | 95 | ### Key takeaways 96 | 97 | Congratulations on completing the exercise. Here are the main takeaways: 98 | 99 | + Azure DNS is a cloud service that allows you to host and manage domain name system (DNS) domains, also known as DNS zones. 100 | + Azure DNS public zones host domain name zone data for records that you intend to be resolved by any host on the internet. 101 | + Azure Private DNS zones allow you to configure a private DNS zone namespace for private Azure resources. 102 | + A DNS zone is a collection of DNS records. DNS records provide information about the domain. 
103 | -------------------------------------------------------------------------------- /Instructions/Labs/azuredeploy.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "virtualMachines_VM1_name": { 6 | "defaultValue": "VM1", 7 | "type": "String" 8 | }, 9 | "virtualMachines_VM2_name": { 10 | "defaultValue": "VM2", 11 | "type": "String" 12 | }, 13 | "publicIPAddresses_VM1_ip_name": { 14 | "defaultValue": "VM1-ip", 15 | "type": "String" 16 | }, 17 | "publicIPAddresses_VM2_ip_name": { 18 | "defaultValue": "VM2-ip", 19 | "type": "String" 20 | }, 21 | "virtualNetworks_app_vnet_name": { 22 | "defaultValue": "app-vnet", 23 | "type": "String" 24 | }, 25 | "networkInterfaces_VM1_nic_name": { 26 | "defaultValue": "VM1-nic", 27 | "type": "String" 28 | }, 29 | "networkInterfaces_VM2_nic_name": { 30 | "defaultValue": "VM2-nic", 31 | "type": "String" 32 | } 33 | }, 34 | "functions": [], 35 | "variables": {}, 36 | "resources": [ 37 | { 38 | "type": "Microsoft.Network/publicIPAddresses", 39 | "apiVersion": "2022-07-01", 40 | "name": "[parameters('publicIPAddresses_VM1_ip_name')]", 41 | "location": "eastus", 42 | "sku": { 43 | "name": "Basic", 44 | "tier": "Regional" 45 | }, 46 | "properties": { 47 | "ipAddress": "40.87.123.79", 48 | "publicIPAddressVersion": "IPv4", 49 | "publicIPAllocationMethod": "Dynamic", 50 | "idleTimeoutInMinutes": 4, 51 | "ipTags": [] 52 | } 53 | }, 54 | { 55 | "type": "Microsoft.Network/publicIPAddresses", 56 | "apiVersion": "2022-07-01", 57 | "name": "[parameters('publicIPAddresses_VM2_ip_name')]", 58 | "location": "eastus", 59 | "sku": { 60 | "name": "Basic", 61 | "tier": "Regional" 62 | }, 63 | "properties": { 64 | "ipAddress": "40.87.123.72", 65 | "publicIPAddressVersion": "IPv4", 66 | "publicIPAllocationMethod": "Dynamic", 67 | "idleTimeoutInMinutes": 4, 68 
| "ipTags": [] 69 | } 70 | }, 71 | { 72 | "type": "Microsoft.Compute/virtualMachines", 73 | "apiVersion": "2022-08-01", 74 | "name": "[parameters('virtualMachines_VM1_name')]", 75 | "location": "eastus", 76 | "dependsOn": [ 77 | "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name'))]" 78 | ], 79 | "properties": { 80 | "hardwareProfile": { 81 | "vmSize": "Standard_DS1_v2" 82 | }, 83 | "storageProfile": { 84 | "imageReference": { 85 | "publisher": "Canonical", 86 | "offer": "UbuntuServer", 87 | "sku": "18.04-LTS", 88 | "version": "latest" 89 | }, 90 | "osDisk": { 91 | "osType": "Linux", 92 | "name": "[concat(parameters('virtualMachines_VM1_name'), '_disk1_6a38f4133b104e6fb10ee60804d2902b')]", 93 | "createOption": "FromImage", 94 | "caching": "ReadWrite", 95 | "managedDisk": { 96 | "storageAccountType": "Standard_LRS" }, 97 | "deleteOption": "Detach", 98 | "diskSizeGB": 30 99 | }, 100 | "dataDisks": [] 101 | }, 102 | "osProfile": { 103 | "computerName": "[parameters('virtualMachines_VM1_name')]", 104 | "adminUsername": "AzureAdmin", 105 | "adminpassword": "[concat('A1', uniqueString(resourceGroup().id))]", 106 | "linuxConfiguration": { 107 | "disablePasswordAuthentication": false, 108 | "patchSettings": { 109 | "patchMode": "ImageDefault", 110 | "assessmentMode": "ImageDefault" 111 | }, 112 | "enableVMAgentPlatformUpdates": false 113 | }, 114 | "secrets": [] 115 | }, 116 | "networkProfile": { 117 | "networkInterfaces": [ 118 | { 119 | "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name'))]", 120 | "properties": { 121 | "primary": true 122 | } 123 | } 124 | ] 125 | } 126 | } 127 | }, 128 | { 129 | "type": "Microsoft.Compute/virtualMachines", 130 | "apiVersion": "2022-08-01", 131 | "name": "[parameters('virtualMachines_VM2_name')]", 132 | "location": "eastus", 133 | "dependsOn": [ 134 | "[resourceId('Microsoft.Network/networkInterfaces', 
parameters('networkInterfaces_VM2_nic_name'))]" 135 | ], 136 | "properties": { 137 | "hardwareProfile": { 138 | "vmSize": "Standard_DS1_v2" 139 | }, 140 | "storageProfile": { 141 | "imageReference": { 142 | "publisher": "Canonical", 143 | "offer": "UbuntuServer", 144 | "sku": "18.04-LTS", 145 | "version": "latest" 146 | }, 147 | "osDisk": { 148 | "osType": "Linux", 149 | "name": "[concat(parameters('virtualMachines_VM2_name'), '_disk1_a76711e00aa04f15a1a08e59308344ed')]", 150 | "createOption": "FromImage", 151 | "caching": "ReadWrite", 152 | "managedDisk": { 153 | "storageAccountType": "Standard_LRS" 154 | }, 155 | "deleteOption": "Detach", 156 | "diskSizeGB": 30 157 | }, 158 | "dataDisks": [] 159 | }, 160 | "osProfile": { 161 | "computerName": "[parameters('virtualMachines_VM2_name')]", 162 | "adminUsername": "AzureAdmin", 163 | "adminpassword": "[concat('A1', uniqueString(resourceGroup().id))]", 164 | "linuxConfiguration": { 165 | "disablePasswordAuthentication": false, 166 | "patchSettings": { 167 | "patchMode": "ImageDefault", 168 | "assessmentMode": "ImageDefault" 169 | }, 170 | "enableVMAgentPlatformUpdates": false 171 | }, 172 | "secrets": [] 173 | }, 174 | "networkProfile": { 175 | "networkInterfaces": [ 176 | { 177 | "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM2_nic_name'))]", 178 | "properties": { 179 | "primary": true 180 | } 181 | } 182 | ] 183 | } 184 | } 185 | }, 186 | { 187 | "type": "Microsoft.Network/networkInterfaces", 188 | "apiVersion": "2022-07-01", 189 | "name": "[parameters('networkInterfaces_VM1_nic_name')]", 190 | "location": "eastus", 191 | "dependsOn": [ 192 | "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM1_ip_name'))]", 193 | "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]" 194 | ], 195 | "kind": "Regular", 196 | "properties": { 197 | "ipConfigurations": [ 198 | { 199 | "name": 
"ipconfig1", 200 | "id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM1_nic_name')), '/ipConfigurations/ipconfig1')]", 201 | "type": "Microsoft.Network/networkInterfaces/ipConfigurations", 202 | "properties": { 203 | "provisioningState": "Succeeded", 204 | "privateIPAddress": "10.1.0.4", 205 | "privateIPAllocationMethod": "Dynamic", 206 | "publicIPAddress": { 207 | "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM1_ip_name'))]" 208 | }, 209 | "subnet": { 210 | "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]" 211 | }, 212 | "primary": true, 213 | "privateIPAddressVersion": "IPv4" 214 | } 215 | } 216 | ], 217 | "dnsSettings": { 218 | "dnsServers": [] 219 | }, 220 | "enableAcceleratedNetworking": false, 221 | "enableIPForwarding": false, 222 | "disableTcpStateTracking": false, 223 | "nicType": "Standard" 224 | } 225 | }, 226 | { 227 | "type": "Microsoft.Network/networkInterfaces", 228 | "apiVersion": "2022-07-01", 229 | "name": "[parameters('networkInterfaces_VM2_nic_name')]", 230 | "location": "eastus", 231 | "dependsOn": [ 232 | "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM2_ip_name'))]", 233 | "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]" 234 | ], 235 | "kind": "Regular", 236 | "properties": { 237 | "ipConfigurations": [ 238 | { 239 | "name": "ipconfig1", 240 | "id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_VM2_nic_name')), '/ipConfigurations/ipconfig1')]", 241 | "type": "Microsoft.Network/networkInterfaces/ipConfigurations", 242 | "properties": { 243 | "provisioningState": "Succeeded", 244 | "privateIPAddress": "10.1.1.4", 245 | "privateIPAllocationMethod": "Dynamic", 246 | "publicIPAddress": { 247 | "id": 
"[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_VM2_ip_name'))]" 248 | }, 249 | "subnet": { 250 | "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]" 251 | }, 252 | "primary": true, 253 | "privateIPAddressVersion": "IPv4" 254 | } 255 | } 256 | ], 257 | "dnsSettings": { 258 | "dnsServers": [] 259 | }, 260 | "enableAcceleratedNetworking": false, 261 | "enableIPForwarding": false, 262 | "disableTcpStateTracking": false, 263 | "nicType": "Standard" 264 | } 265 | }, 266 | { 267 | "type": "Microsoft.Network/virtualNetworks/subnets", 268 | "apiVersion": "2022-07-01", 269 | "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/backend')]", 270 | "dependsOn": [ 271 | "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]" 272 | ], 273 | "properties": { 274 | "addressPrefix": "10.1.1.0/24", 275 | "delegations": [], 276 | "privateEndpointNetworkPolicies": "Disabled", 277 | "privateLinkServiceNetworkPolicies": "Enabled" 278 | } 279 | }, 280 | { 281 | "type": "Microsoft.Network/virtualNetworks/subnets", 282 | "apiVersion": "2022-07-01", 283 | "name": "[concat(parameters('virtualNetworks_app_vnet_name'), '/frontend')]", 284 | "dependsOn": [ 285 | "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_app_vnet_name'))]" 286 | ], 287 | "properties": { 288 | "addressPrefix": "10.1.0.0/24", 289 | "delegations": [], 290 | "privateEndpointNetworkPolicies": "Disabled", 291 | "privateLinkServiceNetworkPolicies": "Enabled" 292 | } 293 | }, 294 | { 295 | "type": "Microsoft.Network/virtualNetworks", 296 | "apiVersion": "2022-07-01", 297 | "name": "[parameters('virtualNetworks_app_vnet_name')]", 298 | "location": "eastus", 299 | "dependsOn": [ 300 | 301 | ], 302 | "properties": { 303 | "addressSpace": { 304 | "addressPrefixes": [ 305 | "10.1.0.0/16" 306 | ] 307 | }, 308 | "dhcpOptions": { 309 | "dnsServers": [ 310 | 
"1.1.1.1", 311 | "1.0.0.1" 312 | ] 313 | }, 314 | "subnets": [ 315 | { 316 | "name": "frontend", 317 | "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'frontend')]", 318 | "properties": { 319 | "addressPrefix": "10.1.0.0/24", 320 | "delegations": [], 321 | "privateEndpointNetworkPolicies": "Disabled", 322 | "privateLinkServiceNetworkPolicies": "Enabled" 323 | }, 324 | "type": "Microsoft.Network/virtualNetworks/subnets" 325 | }, 326 | { 327 | "name": "backend", 328 | "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_app_vnet_name'), 'backend')]", 329 | "properties": { 330 | "addressPrefix": "10.1.1.0/24", 331 | "delegations": [], 332 | "privateEndpointNetworkPolicies": "Disabled", 333 | "privateLinkServiceNetworkPolicies": "Enabled" 334 | }, 335 | "type": "Microsoft.Network/virtualNetworks/subnets" 336 | } 337 | ], 338 | "virtualNetworkPeerings": [], 339 | "enableDdosProtection": false 340 | } 341 | } 342 | ], 343 | "outputs": {} 344 | } 345 | -------------------------------------------------------------------------------- /Instructions/Labs/azuredeploy.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "virtualMachines_VM1_name": { 6 | "value": "VM1" 7 | }, 8 | "virtualMachines_VM2_name": { 9 | "value": "VM2" 10 | }, 11 | "publicIPAddresses_VM1_ip_name": { 12 | "value": "VM1-ip" 13 | }, 14 | "publicIPAddresses_VM2_ip_name": { 15 | "value": "VM2-ip" 16 | }, 17 | "virtualNetworks_app_vnet_name": { 18 | "value": "app-vnet" 19 | }, 20 | "networkInterfaces_VM1_nic_name": { 21 | "value": "VM1-nic" 22 | }, 23 | "networkInterfaces_VM2_nic_name": { 24 | "value": "VM2-nic" 25 | } 26 | } 27 | } 
-------------------------------------------------------------------------------- /Instructions/Media/task-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/9235e20d6b9a81f0edc9348313365c2196563cdb/Instructions/Media/task-1.png -------------------------------------------------------------------------------- /Instructions/Media/task-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/9235e20d6b9a81f0edc9348313365c2196563cdb/Instructions/Media/task-2.png -------------------------------------------------------------------------------- /Instructions/Media/task-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/9235e20d6b9a81f0edc9348313365c2196563cdb/Instructions/Media/task-3.png -------------------------------------------------------------------------------- /Instructions/Media/task-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/9235e20d6b9a81f0edc9348313365c2196563cdb/Instructions/Media/task-4.png -------------------------------------------------------------------------------- /Instructions/Media/task-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/9235e20d6b9a81f0edc9348313365c2196563cdb/Instructions/Media/task-5.png 
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Sidney Andrews 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /_build.yml: -------------------------------------------------------------------------------- 1 | name: '$(Date:yyyyMMdd)$(Rev:.rr)' 2 | jobs: 3 | - job: build_markdown_content 4 | displayName: 'Build Markdown Content' 5 | workspace: 6 | clean: all 7 | pool: 8 | vmImage: 'Ubuntu 16.04' 9 | container: 10 | image: 'microsoftlearning/markdown-build:latest' 11 | steps: 12 | - task: Bash@3 13 | displayName: 'Build Content' 14 | inputs: 15 | targetType: inline 16 | script: | 17 | cp /{attribution.md,template.docx,package.json,package.js} . 
18 |           npm install
19 |           node package.js --version $(Build.BuildNumber)
20 |     - task: GitHubRelease@0
21 |       displayName: 'Create GitHub Release'
22 |       inputs:
23 |         gitHubConnection: 'github-microsoftlearning-organization'
24 |         repositoryName: '$(Build.Repository.Name)'
25 |         tagSource: manual
26 |         tag: 'v$(Build.BuildNumber)'
27 |         title: 'Version $(Build.BuildNumber)'
28 |         releaseNotesSource: input
29 |         releaseNotes: '# Version $(Build.BuildNumber) Release'
30 |         assets: '$(Build.SourcesDirectory)/out/*.zip'
31 |         assetUploadMode: replace
32 |     - task: PublishBuildArtifacts@1
33 |       displayName: 'Publish Output Files'
34 |       inputs:
35 |         pathtoPublish: '$(Build.SourcesDirectory)/out/'
36 |         artifactName: 'Lab Files'
37 |
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
 1 | remote_theme: MicrosoftLearning/Jekyll-Theme
 2 | exclude:
 3 |   - readme.md
 4 |   - .github/
 5 | header_pages:
 6 |   - index.html
 7 | author: Microsoft Learning
 8 | twitter_username: mslearning
 9 | github_username: MicrosoftLearning
10 | plugins:
11 |   - jekyll-sitemap
12 |   - jekyll-mentions
13 |   - jemoji
14 | markdown: kramdown
15 | kramdown:
16 |   syntax_highlighter_opts:
17 |     disable : true
18 |
--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Online Hosted Instructions
 3 | permalink: index.html
 4 | layout: home
 5 | ---
 6 |
 7 | # Content Directory
 8 |
 9 | Hyperlinks to each of the lab exercises and demos are listed below.
10 |
11 | ## Labs
12 |
13 | {% assign labs = site.pages | where_exp:"page", "page.url contains '/Instructions/Labs'" %}
14 | | Module | Lab |
15 | | --- | --- |
16 | {% for activity in labs %}| {{ activity.lab.module }} | [{{ activity.lab.title }}{% if activity.lab.type %} - {{ activity.lab.type }}{% endif %}]({{ site.github.url }}{{ activity.url }}) |
17 | {% endfor %}
18 |
19 | ## Demos
20 |
21 | {% assign demos = site.pages | where_exp:"page", "page.url contains '/Instructions/Demos'" %}
22 | | Module | Demo |
23 | | --- | --- |
24 | {% for activity in demos %}| {{ activity.demo.module }} | [{{ activity.demo.title }}]({{ site.github.url }}{{ activity.url }}) |
25 | {% endfor %}
26 |
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # Configure secure access to workloads with Azure virtual networking services
 2 |
 3 | Looking for the **[HTML pages](https://microsoftlearning.github.io/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/)**?
 4 |
 5 | **Are you an MCT?** - Have a look at our [GitHub User Guide for MCTs](https://microsoftlearning.github.io/MCT-User-Guide/)
 6 |
 7 | ## What are we doing?
 8 |
 9 | - To support this course, we will need to make frequent updates to the course content to keep it current with the Microsoft services used in the course. We are publishing the lab instructions and lab files on GitHub to allow for open contributions between the course authors and MCTs (Microsoft Certified Trainers) to keep the content current with product changes.
10 |
11 | - We hope this brings a sense of collaboration to the labs like we have never had before - when a Microsoft service such as Azure or Microsoft 365 changes and you find it first during a live delivery, go ahead and make an enhancement right in the lab source. Help your fellow MCTs.
12 |
13 | ## How should I use this repository?
14 |
15 | - The instructor materials are your primary source for teaching the course content.
16 |
17 | - These files on GitHub are designed to be used in the course labs, which use the hosted lab environment.
18 |
19 | - It is recommended that for every delivery, trainers check GitHub for any changes that may have been made to support the latest Microsoft cloud services and get the latest files for their delivery.
20 |
21 | ## How do I contribute?
22 |
23 | - Any MCT (Microsoft Certified Trainer) can submit a pull request to the code or content in the GitHub repo. Microsoft and the course author will then triage and include content and lab code changes as needed.
24 |
25 | - You can submit bugs, changes, improvements, and ideas. Find a new Azure or Microsoft 365 feature before we have? Submit a new demo!
26 |
--------------------------------------------------------------------------------