Scenario
You have been asked to implement your organization’s virtual networking infrastructure and test to ensure it is working correctly. In particular:
– The organization has two groups of servers: Web Servers and Management Servers.
– Each group of servers should be in its own Application Security Group.
– You should be able to RDP into the Management Servers, but not the Web Servers.
– The Web Servers should display the IIS web page when accessed from the internet.
– Network security group rules should be used to control network access.
Exercise 1: Create the virtual networking infrastructure
Task 1: Create a virtual network
1. Sign-in to the Azure portal https://portal.azure.com/.
2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual networks and press the Enter key.
3. On the Virtual networks blade, click + Add.
4. On the Basics tab of the Create virtual network blade, specify the following settings (leave others with their default values) and click Next: IP Addresses:
| Setting | Value |
| Subscription | the name of the Azure subscription you are using in this lab |
| Resource group | click Create new and type the name AZ500LAB07 |
| Name | myVirtualNetwork |
| Region | East US |
5. On the IP addresses tab of the Create virtual network blade, set the IPv4 address space to 10.0.0.0/16, and, if needed, in the Subnet name column, click default, on the Edit subnet blade, specify the following settings and click Save:
| Setting | Value |
| Subnet name | default |
| Subnet address range | 10.0.0.0/24 |
6. Back on the IP addresses tab of the Create virtual network blade, click Review + create.
7. On the Review + create tab of the Create virtual network blade, click Create.
Task 2: Create application security groups
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Application security groups and press the Enter key.
2. On the Application security groups blade, click + Add.
3. On the Basics tab of the Create an application security group blade, specify the following settings:
| Setting | Value |
| Resource group | AZ500LAB07 |
| Name | myAsgWebServers |
| Region | East US |
4. Click Review + create and then click Create.
5. Navigate back to the Application security groups blade and click + Add.
6. On the Basics tab of the Create an application security group blade, specify the following settings:
| Setting | Value |
| Resource group | AZ500LAB07 |
| Name | myAsgMgmtServers |
| Region | East US |
7. Click Review + create and then click Create.
Task 3: Create a network security group and associate the NSG to the subnet
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Network security groups and press the Enter key.
2. On the Network security groups blade, click + Add.
3. On the Basics tab of the Create network security group blade, specify the following settings:
| Setting | Value |
| Subscription | the name of the Azure subscription you are using in this lab |
| Resource group | AZ500LAB07 |
| Name | myNsg |
| Region | East US |
4. Click Review + create and then click Create.
5. In the Azure portal, navigate back to the Network security groups blade and click the myNsg entry.
6. On the myNsg blade, in the Settings section, click Subnets and then click + Associate.
7. On the Associate subnet blade, specify the following settings and click OK:
| Setting | Value |
| Virtual network | myVirtualNetwork |
| Subnet | default |
Task 4: Create inbound NSG security rules to all traffic to web servers and RDP to the management servers.
1. On the myNsg blade, in the Settings section, click Inbound security rules.
2. Review the default inbound security rules and then click + Add.
3. On the Add inbound security rule blade, specify the following settings to allow TCP ports 80 and 443 to the myAsgWebServers application security group (leave all other values with their default values):
| Setting | Value |
| Destination | in the drop-down list, select Application security group and then click myAsgWebServers |
| Destination port ranges | 80,443 |
| Protocol | TCP |
| Priority | 100 |
| Name | Allow-Web-All |
4. On the Add inbound security rule blade, click Add to create the new inbound rule.
5. On the myNsg blade, in the Settings section, click Inbound security rules, and then click + Add.
6. On the Add inbound security rule blade, specify the following settings to allow the RDP port (TCP 3389) to the myAsgMgmtServers application security group (leave all other values with their default values):
| Setting | Value |
| Destination | in the drop-down list, select Application security group and then click myAsgMgmtServers |
| Destination port ranges | 3389 |
| Protocol | TCP |
| Priority | 110 |
| Name | Allow-RDP-All |
7. On the Add inbound security rule blade, click Add to create the new inbound rule.
RESULT: You have deployed a virtual network, network security with inbound security rules, and two application security groups.
Exercise 2: Deploy virtual machines and test network filters
Task 1: Create a virtual machine to use as a web server.
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual machines and press the Enter key.
2. On the Virtual machines blade, click + Add and, in the dropdown list, click + Virtual machine.
3. On the Basics tab of the Create a virtual machine blade, specify the following settings (leave others with their default values):
| Setting | Value |
| Subscription | the name of the Azure subscription you will be using in this lab |
| Resource group | AZ500LAB07 |
| Virtual machine name | myVmWeb |
| Region | (US)East US |
| Image | Windows Server 2019 Datacenter Gen 1 |
| Size | Standard D2s v3 |
| Username | Student |
| Password | Pa55w.rd1234 |
| Public inbound ports | None |
| Already have a Windows Server license | No |
NOTE: For public inbound ports, we will rely on the precreated NSG.
4. Click Next: Disks > and, on the Disks tab of the Create a virtual machine blade, set the OS disk type to Standard HDD and click Next: Networking >.
5. On the Networking tab of the Create a virtual machine blade, select the previously created network myVirtualNetwork.
6. Under NIC network security group select None.
7. Click Next: Management >, on the Management tab of the Create a virtual machine blade, specify the following settings
| Setting | Value |
| Boot diagnostics | Enabled with managed storage account (recommended) |
| Diagnostics storage account | the default value |
8. Click Review + create, on the Review + create blade, ensure that validation was successful and click Create.
Task 2: Create a virtual machine to use as a management server.
1. In the Azure portal, navigate back to the Virtual machines blade, click + Add, and, in the dropdown list, click + Virtual machine.
2. On the Basics tab of the Create a virtual machine blade, specify the following settings (leave others with their default values):
| Setting | Value |
| Subscription | the name of the Azure subscription you will be using in this lab |
| Resource group | AZ500LAB07 |
| Virtual machine name | myVMMgmt |
| Region | (US)East US |
| Image | Windows Server 2019 Datacenter Gen 1 |
| Size | Standard D2s v3 |
| Username | Student |
| Password | Pa55w.rd1234 |
| Public inbound ports | None |
| Already have a Windows Server license | No |
NOTE: For public inbound ports, we will rely on the precreated NSG.
3. Click Next: Disks > and, on the Disks tab of the Create a virtual machine blade, set the OS disk type to Standard HDD and click Next: Networking >.
4. On the Networking tab of the Create a virtual machine blade, select the previously created network myVirtualNetwork.
5. Under NIC network security group select None.
6. Click Next: Management >, on the Management tab of the Create a virtual machine blade, specify the following settings
| Setting | Value |
| Boot diagnostics | Enabled with managed storage account (recommended) |
| Diagnostics storage account | the default value |
7. Click Review + create, on the Review + create blade, ensure that validation was successful and click Create.
NOTE: Wait for both virtual machines to be provisioned before continuing.
Task 3: Associate each virtual machines network interface to its application security group.
1. In the Azure portal, navigate back to the Virtual machines blade and verify that both virtual machines are listed with the Running status.
2. In the list of virtual machines, click the myVMWeb entry.
3. On the myVMWeb blade, in the Settings section, click Networking and then, on the myVMWeb | Networking blade, click the Application security groups tab.
4. Click Configure the application security groups, in the Application security group drop-down list, select myAsgWebServers, and then click Save.
5. Navigate back to the Virtual machines blade and in the list of virtual machines, click the myVMMgmt entry.
7. On the myVMMgmt blade, in the Settings section, click Networking and then, on the myVMMgmt | Networking blade, click the Application security groups tab.
Task 4: Test the network traffic filtering
1. Navigate back to the myVMMgmt virtual machine blade.
2. On the myVMMgmt blade, click Connect and, in the drop down menu, click RDP.
3. Click Download RDP File and use it to connect to the myVMMgmt Azure VM via Remote Desktop. When prompted to authenticate, provide the following credntials:
| Setting | Value |
| User name | Student |
| Password | Pa55w.rd1234 |
NOTE: Verify that the Remote Desktop connection was successful. At this point you have confirmed you can connect via Remote Desktop to myVMMgmt.
4. In the Azure portal, navigate to the myVMWeb virtual machine blade.
5. On the myVMWeb blade, in the Operations section, click Run command and then click RunPowerShellScript.
6. On the Run Command Script pane, run the following to install the Web server role on myVmWeb:
Install-WindowsFeature -name Web-Server -IncludeManagementTools
NOTE: Wait for the installation to complete. This might take a couple of minutes. At that point, you can verify that myVMWeb can be accessed via HTTP/HTTPS.
7. In the Azure portal, navigate back to the myVMWeb blade.
8. On the myVMWeb blade, identify the Public IP address of the myVmWeb Azure VM.
9. Open another browser tab and navigate to IP address you identified in the previous step.
NOTE: The browser page should display the default IIS welcome page because port 80 is allowed inbound from the internet based on the setting of the myAsgWebServers application security group. The network interface of the myVMWeb Azure VM is associated with that application security group.
RESULT: You have validated that the NSG and ASG configuration is working and traffic is being correctly managed.
Clean up resources
1. Open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, select PowerShell and Create storage.
2. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.
3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:
Remove-AzResourceGroup -Name "AZ500LAB07" -Force -AsJob
4. Close the Cloud Shell pane.
I'm Not the PRO 