Category: AZ-700

Microsoft AZ-700: Module 8 Additional Resource

Reading Time: < 1 minute

Notes from MS Learn AZ-700 Module 8: Design and Implement Network Monitoring – Unit 5: Additional Resources

Resources from MS Learn

Network monitoring solutions

Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-module-8-additional-resource/

Microsoft AZ-700: Exercise – Monitor a Load Balancer Resource Using Azure Monitor

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 8: Design and Implement Network Monitoring – Unit 3: Exercise – Monitor a Load Balancer Resource Using Azure Monitor

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create the virtual network.
    • Search and click Virtual networks in portal
    • Select Create
      • Select or Create New under Resource Group (create new in this example)
        • Enter unique name and click OK
      • Enter Unique name in Instance details Name box
      • Choose appropriate Region from dropdown
      • Click Next : IP Addresses >
        • Delete default IPv4 address space
        • Enter new IPv4 address space
        • Click add subnet
          • In right panel enter unique name
          • Enter appropriate Subnet address range
          • Click Add
      • Click Next : Security >
      • Toggle BastionHost to Enable
      • Enter Bastion Name in box
      • Enter AzureBastionSubnet address space in box
      • Select or create new Public IP address (create new in this example)
        • Enter unique name in dialog
        • Click OK
    • Click Review + create
    • Once validation succeeds click Create
  • Task 2: Create the load balancer.
    • Search and choose Load Balancers in portal
    • Click Create
      • Choose Resource Group from dropdown
      • Enter unique name in Instance details name box
      • Click Next : Frontend IP Configuration >
      • Click Add a frontend IP configuratioin
        • In right panel Enter unique name
        • Choose backend subnet from dropdown
        • Click add
    • Click Review + Create
    • Once validated click Create
  • Task 3: Create a backend pool.
    • On Deployment complete page from above click Go to resource
    • In left panel click Backend pools
      • Click Add
        • Enter Unique Name
        • Click Save
  • Task 4: Create a health probe.
    • In left panel choose Health Probes
    • Select Add in menu bar
      • Enter Unique name
      • Change Protocol to HTTP in dropdown
      • Change Interval to 15
      • Click Add
  • Task 5: Create a load balancer rule.
    • In left panel click Load balancing rules
    • Click Add in menu bar
      • Enter unique name
      • Choose Frontend IP Address from dropdown
      • Choose Backend Pool from dropdown
      • Enter Port Number in box
      • Enter backend port number in box
      • Choose created health probe from dropdown
      • Adjust Idle timeout slider to 15 min
      • Click Add
  • Task 6: Create backend servers.
    • Open PowerShell in Azure Portal cloudshell
    • Upload template and parameters files as done in previous exercises
    • Verify account and set subscription and Resource Group variable as done in previous exercises
    • Deploy the 3 VMs using the 3 different parameters files using the same tasks as previous excercises
  • Task 7: Add VMs to the backend pool.
    • Under Load balancers settings in the left pane select Backend Pools
    • Click myBackendPool
    • Click Add under IP configurations
    • Check all three new VMs checkboxes and click add
    • Click Save
  • Task 8: Install IIS on the VMs.
    • Navigate to Virtual Machines in Portal
    • Connect via Bastion to the first VM
    • Open PowerShell in session
      • (Install-WindowsFeature -name Web-Server -IncludeManagementTools)
      • (Remove-Item C:|inetpub\wwwroot\iisstart.htm)
      • Add-Content -Path “C:\inetpub\wwwroot\iisstart.htm” -Value $(“HelloWorld from ” + $env:computername))
      • Repeat for other VMs
  • Task 9: Test the load balancer.
    • Under Virtual Machines Page click Create
    • Choose Azure Virtual Machine
      • Choose appropriate Resource group from dropdown
      • Enter Unique Virtual machine name in box
      • Choose Windows Server 2019 Datacenter – x64 Gen2 from dropdown under image
      • Under size dropdown choose Standard_D2s_v3 – 2 vcpus, 8GiB memory ($137.24/month)
      • Enter creds
      • Click Next : Disks >
      • Click Next : Networking >
        • Under Public IP dropdown select None
        • Toggle NIC network security group to Advanced
          • Under Configure network security group dropdown choose myNSG
    • Click Review + Create
    • Once validated click Create
    • Navigate to Load Balancer (search under portal)
      • Click new LB (myIntLoadBalancer)
      • Click See more
      • Copy private IP
    • Connect to test Virtual Machine via Bastion
      • Open Internet Explorer
      • Browse to LB IP
      • Refresh
        • Should show diff VMs during refreshes
        • Close IE
  • Task 10: Create a Log Analytics Workspace.
    • Search and select log analytics workspaces in portal
    • Click Create
    • Choose appropriate resource group from dropdown
    • Enter Unique Name
    • Choose appropriate region from dropdown
    • Click Review and Create
    • Once validated click Create
  • Task 11: Use Functional Dependency View.
    • In portal navigate to previously create LB
    • Choose Insights in left panel
    • Close metrics pane
    • Click zoom button to zoom in
    • Hovering offers details
    • Click Download Topology
    • Click View Metrics to reopen pane
  • Task 12: View detailed metrics.
    • After closing Metric pane select view detailed metrics
    • Click Frontend & Backend Availability to view response
    • Click Data Throughput
  • Task 13: View resource health.
    • Search and click Monitor in portal
    • Click Service Health in left panel
    • Click Resource Health in left panel
      • In Resource type dropdown choose load balancer
      • Choose new load balancer
  • Task 14: Configure diagnostic settings.
    • Navigate back to new load balancer page
    • Click diagnostic settings in left panel
    • Select Add diagnostic setting
      • Enter unique name
      • Check All Metrics box
      • Click Save
      • Close page
  • Task 15: Clean up resources.
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-monitor-a-load-balancer-resource-using-azure-monitor/

Microsoft AZ-700: Monitor Your Networks Using Azure Network Watcher

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 8: Design and Implement Network Monitoring – Unit 4: Monitor Your Networks Using Azure Network Watcher

Azure Network Watcher is regional service enabling you to monitor/diagnose network conditions. Allows to diagnose problems at end-to-end network level. Network dianostic and visual tools are available with Network Watcher helping understand, diagnose, and gain. Insight to your Azure network. Designed to monitor/repair network health of IaaS including VMs, VNets, App Gateways, and LB

  • Azure Network Watcher scenarios (example)
    • Automate remote network monitor with packet capture
      • Monitor/Diag network issues without logging into VMs
      • Trigger PCAP by setting alerts
      • Gain real-time perf info at packet level
      • Investigate in detail when issue observed
    • Gain insight into network traffic using flow logs
      • Build deep understanding of traffic patterns using NSG flow logs
      • Info helps gather data for compliance,auditing,monitoring of sec profile
    • Diagnose VPN connectivity
      • Provides ability to diagnose most common VPN GW/Connection issues
      • Allows identifying issue using details logs for further investigation
  • Azure Network Watcher Tools
    • Network Topology
      • Generates visual of resources in VNet as well as relationship between resources
    • Verify IP Flow
      • Diagnose connectivity issues from/to INET and from/to On-prem
    • Next Hop
      • Determine if traffic directed as intended
      • Info helps determine routing
      • Next hop could be INET/VirtualAppliance/Virtual Network Gateway/VNet/VNet Peering/None
    • Effective Security Rules
      • NSG are associated at subnet or NIC.
      • Effect rules returns all configured NSGs/rules associated to VM
      • Allows accessing things like open ports
    • VPN Diags
      • Returns info to aid tshoot of Gateways and connections
      • Summary info includes
        • Connection statistics
        • CPU Info
        • Memory Info
        • IKE errors
        • Packet Drops
        • Buffers
        • Events
    • Packet Capture
      • Capture sessions to track traffic to/from VM
      • Aids in diagnosing network anomalies
      • Gather network stats
      • Info on network intrusions
      • Debug client-server comms
    • Connection Troubleshooting
      • More recent addition to Watcher suite
      • Provides net perf data
    • NSG Flow Logs
      • Maps IP traffic through NSGs
        • Network Monitoring
          • Identify unknown or undesired traffic
          • Monitor traffic/bandwidth consumption
          • Filter logs by IP & port to understand app behavior
          • Export Flow Logs to tools for dashboards
        • Usage Monitoring/Optimization
          • Identify top talkers
          • Combine with data to identify cross-region traffic
          • Understand traffic growth for forcasting
          • Use to remove overtly restrictive rules
        • Compliance
          • Use flow data to verify isolation/compliance with enterprise rules
        • Network forensics/security analysis
          • Flows analyzed from compromised IP/NICs
          • Explort logs to SIEM/IDS tools
  • Connection Monitor Overview
    • Provides unified e-to-e monitoring in Network Watcher
    • Connection Monitor supports hybrid and Azure cloud
    • Provides tools to monitor/diagnose/view connectivity related metrics for Azure deployments
    • Benefits of Connection Monitor
      • Unified, Intuitive experience in Azure and Hybrid
      • Cross-region/workspace connectivity monitoring
      • High probing freq and better viz into network perf
      • Faster alerting for hybrid
      • Support connectivity checks based on HTTP/TCP/ICMP
      • Metrics/Log Analytics for both Azure and non-Azure tests
    • Example Use Cases
      • Front end web server VM communicating with DB in multi-tier app
        • Test connectivity between the two VMs
      • VMs in East US ping VMs in Central US
        • Compare cross-region latency
      • Multi on-premises office in diff locations
        • Office connect to MS 365 Url
        • Compare latency between locations
      • Hybrid app required connectivity to Azure storage
        • On-prem site and Azure app connect to same endpoint
        • Compare latency between the two
      • Check connectivity between on-prem and Azure VM’s hosting cloud app
  • Connection Monitor Components
    • Connection Monitor Resource
      • Region specific Azure resource
      • All following entities are properties of this
    • Endpoint
      • SRC/DST participating in connectivity checks
        • VM
        • On-prem agent
        • URL
        • IP’s
    • Test config
      • Protocol-specific config for test
      • Based on chosen protocol
      • Define port/threshold/frequency/etc
    • Test group
      • Group containing SRC/DST endpoints and test configs
      • Connection Minotir can contain multiple test groups
    • Test
      • Combo of SRC/DST endpoint and test config
      • Most granular
      • Includes percentage of checks failed and RTT
  • Traffic Analytics
    • Cloud-based providing visibility into user/app activity in cloud networks
    • Traffic Analytics looks at Network Watcher NSG flow logs to provide insight into traffic flow
    • Abilities
      • Visualize network activity across subscriptions and identify hot spots
      • Identify sec threat to and secure network with info such as
        • Open Ports
        • Apps attempting INET access
        • VMs connecting to rouge nets
      • Determine traffic flow patterns over Azure regions and INET
      • Pinpoint misconfigs leading to failed connections
  • How Traffic Analytics Works
    • Examines raw NSG flow logs
    • Aggregated and then enhanced
    • Enhancements
      • Geography
      • Security
      • Topology Info
    • Info stored in Log Analytics workspace
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-monitor-your-networks-using-azure-network-watcher/

Microsoft AZ-700: Monitor Your Networks Using Azure Monitor

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 8: Design and Implement Network Monitoring – Unit 2: Monitor Your Networks Using Azure Monitor

  • What is Azure Monitor
    • Helps to maximize availability/performance of apps and services
    • Delivers comprehensive solution for collecting/analyzing/acting on telemetry from cloud and on-prem
    • Info helps understand how apps are performing and identify issues affecting them and depended upon resources
    • Sample list of features
      • Use App Insights to detect/diagnose issues across apps
      • Correlate infra issues with VM and Container insights
      • Use log analytics for troubleshooting/diagnostics of monitoring data
      • Support ops at scale with smart alerts/automated actions
      • Create visual dashboards and workbooks in Azure
      • Collect data from monitored resources using. Azure Monitor Metrics
    • Diagram below offers high-level overview of Azure Monitor
    • Two fundamental types of data
      • Metrics
      • Logs
    • Left Panel is monitoring source to populate data stores
    • Right Panel is actions that can be performed on said data
      • Analysis
      • Alerting
      • Stream to ext sources
    • (Image taken from MS Learn)
  • Monitor data types in Azure Monitor
    • Two types of data collected
      • Metrics
        • Azure Monitor Metrics is feature collecting numeric data from monitored resources into time series DB
        • Metrics are numerical and collected at regular intervals
        • Describe aspects of system at a particular time
        • Lightweight/Capable of supporting near real-time – useful for alerting
      • Logs
        • Contain diff kinds of data organized into records with diff properties for each type
        • Telemetry(events and traces) stored as logs in addition for perf data for analysis
  • Azure Monitor metric sources
    • 4 key sources of collected
      • Azure resources
        • Create platform metrics giving visibility into resource health/perf
        • Each resource type creates distinct metrics
        • Platform metrics collected from Azure resource at 1min unless defined differently
      • Applications
        • App insights show metrics for monitored apps to aid in perf issue and trend detection
        • Includes server response time and browser exceptions
      • VM Agents
        • Collected from guest OS
        • Enable guest OS for Windows VM with Windows Diagnostic Extension (WAD)
        • Linux VMs with InfluxData Telegraf Agent
      • Custom
        • Defined metrics in app monitored with App Insights
        • Also custom metrics for Azure service using custom API
  • Azure Monitor Metric tasks
    • Table summarized tasks possible for using metrics
    • (Table below from MS Learn)
  • Metrics Explorer
    • Data collected is shown in the Monitoring tab of a resource Overview Page
    • Example for a VM
      • CPU
      • Network
      • Disk
  • Monitor network resources with Azure Monitor Network Insights
    • Use Insights > Networks section of Azure Monitor for high-level network resource health and metrics
    • Provides access to network monitoring features
      • Connection Monitor
      • Flow Logging for NSG
      • Traffic Analytics
    • Key components
      • Network Health/Metrics
        • Offers simple method of visualizing inventory of net resources along with resource health and alerts
        • Health divided into 4 areas
          • Search & filtering
          • Resource health & metrics
          • Alerts
          • Dependency view
      • Connectivity
        • Providing visualization of Connection Monitor tests
        • Test grouped by SRC/DST
      • Traffic
        • Providing access to NSG flow logs & Traffic analytics for selected subscriptions
        • Grouped by location
        • Searchable by any IP addr in environment
      • Diagnostic Toolkit
        • Providing access to all diag feature available for shoot of network/components
        • Most user Network Watcher
          • Capture packets for anomaly diagnoses
          • Troubleshoot VPN
            • Diagnose Virtual Network Gateway/Connection health
          • Troubleshoot connectivity
            • Check TCP connections
            • Includes FQDN, URI, or IPv4 Addr
          • Identify Next Hops
            • Obtain next hop type/IP of packet from VM and NIC
            • Knowing can help establish traffic direction to expected DST or drops
          • Diagnose traffic filtering issues
            • Verify packet is allowed/denied to/from VM
            • Security group decision and name of rule denying traffic returned
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-monitor-your-networks-using-azure-monitor/

MS AZ-700: Module 7: Design and Implement Private Access to Azure Services – Unit 7: Summary + Additional Resources from MS Learn Course

Reading Time: < 1 minute

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 7: Summary + Additional Resources from MS Learn Course

Additional links from MS Learn Course

Share this article:

Permanent link to this article: https://www.packetpilot.com/ms-az-700-module-6-summary-additional-resources-from-ms-learn-course/

Microsoft AZ-700: Exercise – Create an Azure Private Endpoint Using Azure PowerShell

Reading Time: 2 minutes

Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 6: Exercise – Create an Azure Private Endpoint Using Azure PowerShell

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create a resource group and deploy the prerequisite web app.
    • Open PowerShell in cloudshell under portal: Button next to search bar
    • Upload template and parameter file as done in previous exercises
    • View/verify subscription
      • (az account show –output table)
    • Set subscription
      • (az account set –subscription “Name as noted from output above”
    • Create Resource Group
      • (New-AzResourceGroup -Name ‘NAME-rg’ -Locatiion ‘eastus’)
    • Set Resource Group name variable
      • ($RGName = “CreatePrivateEndpointQS-rg”)
    • Create VMs
      • (New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile templatefile.json -TemplateParameterFile parametersfilename.json)
  • Task 2: Create a virtual network and bastion host.
    • Create backend subnet
      • ($subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24)
    • Create Azure Bastion Subnet
      • ($bastsubnetConfig = NewAzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24)
    • Create Virtual Network
      • ($vnet = New-AzVirtualNetwork @parameters1)
    • Create Public IP for Bastion Host
      • ($parameters2 = @{
        Name = ‘myBastionIP’
        ResourceGroupName = ‘CreatePrivateEndpointQS-rg’
        Location = ‘eastus’
        Sku = ‘Standard
        AllocationMethod = ‘Static’
        }
      • ($publicip = New-AzPublicIpAddress @parameters2)
    • Create Bastion Host
      • ($parameters3 = @{
        ResourceGroupName = ‘CreatePrivateEndpoingQS-rg’
        Name = ‘myBastion’
        PublicIpAddress = $publicip
        VirtualNetwork = $vnete
        })
      • (New-AzBastion @parameters3)
  • Task 3: Create a test virtual machine.
    • Set local admin creds for VM
      • ($cred = Get-Credential)
      • Input Username
      • Input Password
    • Get VNet config
      • ($vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpoingQS-rg)
    • Create VM NIC
      • ($parameters1 = @{
        Name = ‘myNicVM’
        ResourceGroupName = ‘CreatePrivateEndpoingQS-rg’
        Location = ‘eastus’
        Subnet = $vnet.Subnets[0]
        })
      • ($nicVM = New-AzNetworkInterface @parameters1)
    • Create VM Configuration
      • ($parameters2 = @{
        VMName = ‘myVM’
        VMSize = ‘Standard_DS1_v2’
        })
      • ($parameters3 = @{
        ComputerName = ‘myVM’
        Credential = $cred
        })
      • ($parameters4 = @{
        PublisherName = ‘MicrosoftWindowsServer’
        Offer = ‘WindowsServer’
        Skus = ‘2019DataCenter’
        Version = ‘latest’
        })
      • ($vmConfig = New-AzVMConfig @parameters2 | Set-AzVMOperatingSystem -Windows @parameters3 | Set-AzVMSourceImage @parameters4 | Add-AzVMNetworkInterface -Id $nicCM.Id)
      • (New-AzVM -ResourceGroupName ‘CreatePrivateEndpoingQS-rg’ -Location ‘eastus’ -VM $vmConfig)
  • Task 4: Create a private endpoint.
    • Place Webapp into variable
      • ($webapp = Get-AzWebApp -ResourceGroupName CreatePrivateEndpointQS-rg)
    • Create Private Endpoint connection
      • ($parameters1 = @{
        Name = ‘myConnection
        PrivateLinkServiceId = $webapp.ID
        GroupID = ‘sites’
        })
      • $privateEntpointConnection = New-AzPrivateLinkServiceConnection @parameters1)
    • Place VNet into variable
      • ($vnet = Get-AzVirtualNetwork -ResourceGroupName ‘CreatePrivateEndpoingQS-rg’ -Name ‘myVNet’)
    • Disable Private Endpoint Policy
      • ($vnet.Subnets[0].PrivateEndpointNetworkPolicies = “Disabled”
      • ($vnet | Set-AzVirtualNetwork)
    • Create Private Endpoint
      • ($parameters2 = @{
        ResourceGroupName = ‘CreatePrivateEndpoingQS-rg’
        Name = ‘myPrivateEndpoint’
        Location = ‘eastus’
        Subnet = $vnet.Subnets[0]
        PrivateLinkServiceConnection = $privateEndpoingConnection
        })
      • New-AzPrivateEndpoint @parameters2)
  • Task 5: Configure the private DNS zone.
    • Place VNet into variable
      • (vnet = Get-AzVirtualNetwork -ResourceGroupName ‘CreatePrivateEndpointQS-rg’ -Name ‘myVNet’)
    • Create Private DNS Zone
      • ($parameters1 = @{
        ResourceGroupName = ‘CreatePrivateEndpointQS-rg’
        Name = ‘privatelinke.azurewebsites.net’
        })
      • ($zone = New-AzPrivateDnsZone @parameters1)
    • Create DNS Network Link
      • ($parameters2 = @{
        ResourceGroupName = ‘CreatePrivateEndpoingQS-rg’
        ZoneName = ‘privatelink.azurewebistes.net’
        Name = ‘myLink’
        VirtualNetworkId = $vnet.Id
        })
      • ($link = New-AzPrivateDnsVirtualNetworkLink @parameters2)
    • Create DNS Config
      • ($parameters3 = @{
        Name = ‘privatelink.azurewebsites.net’
        PrivateDnsZoneId = $zone.ResourceId
        })
      • ($config = New-AzPrivateDnsZoneConfig @parameters3)
    • Create DNS Zone Group
      • ($parameters4 = @{
        ResourceGroupName = ‘CreatePrivateEndpoingQS-rg’
        PrivateEndpointName = ‘myPrivateEndpoint’
        Name = ‘myZoneGroup’
        PrivateDnsZoneConfig = $config
        })
      • (New-AzPrivateDnsZoneGroup @parameters4)
  • Task 6: Test connectivity across the private endpoint.
    • Navigate to Virtual Machines in portal
    • Open myVM created earlier
    • Click Connect > Bastion
      • Enter credentions and click connect
      • Open PowerShell
        • (Nslookup contoso-webapp-755238.azurewebsites.net)
          • Private IP provided from subnet
        • Browse to URL in Internet Explorer
        • Select OK in dialog
        • Success
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-create-an-azure-private-endpoint-using-azure-powershell/

Microsoft AZ-700: Exercise – Restrict Network Access to PaaS Resources with Virtual Network Service Endpoints Using the Azure Portal

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 5: Exercise – Restrict Network Access to PaaS Resources with Virtual Network Service Endpoints Using the Azure Portal

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create a virtual network.
    • Search and select Virtual Networks in portal
    • Click Create
      • Select or Create New Resource group (create new in this example)
        • Enter unique name in dialog and click OK
      • Enter Instance Name
      • Choose Region from dropdown
      • Click Next : IP Addresses >
      • Click link for default
        • In right panel change name to Public
        • Click Save
      • Click Next : Security >
      • Verify all security settings toggled to Disable
      • Click Review + create
      • Once validated click Create
  • Task 2: Enable a service endpoint.
    • Click Go to resource on deployment complete page from task above
    • Click Subnets in left panel
    • Click Subnet in menu bar to create a new subnet
      • In right panel
        • Enter unique name for subnet
        • Under Service Endpoints choose Microsoft.Storage from services dropdown
        • Click Save
    • Note 2 subnets created: Public and Private
  • Task 3: Restrict network access for a subnet.
    • Search and click Network security groups in portal
    • Click Create in menu bar
      • Choose Resource group from dropdown
      • Enter unique name under Instance details
    • Click Review + create
    • Once validated click Create
    • Once deployment complete choose Go to resource
    • Under Settings choose Outbound security rules
      • Click Add in menu bar
      • In right panel
        • Choose Service Tag in Source dropdown
        • Choose Virtual Network in Source service tag dropdown
        • Choose Service Tag in Destination dropdown
        • Choose Storage in Destination Service Tag dropdown
        • Enter wildcard (*) in Destination port ranges box
        • Enter unique name in Name box
        • Click Add
      • Click Refresh to verify rule created with Priority 100
  • Task 4: Add other outbound rules.
    • Follow MS Learn steps similar to above to Deny Internet All
    • Change Priority to 110
    • Click Add
    • Refresh page to verify rule with priority 110 created
  • Task 5: Allow access for RDP connections.
    • Under settings in left panel click Inbound Security Rules
    • Click Add in menu bar
      • In right panel
        • Select Service Tag in Destination dropdown
        • Select Virtual Network in Destination Service Tag dropdown
        • Change port in Destination port ranges box to 3389
        • Add unique name for rule in Name box
        • Click Add
    • Click Refresh to verify new rule created
    • Click Subnets in left panel
      • Click Associate in menu bar
      • In right panel
        • Select Private subnet from subnet dropdown
        • Click OK
  • Task 6: Restrict network access to a resource.
    • This is really just a task to create the storage account but Task 6: Title is as from MS Learn
    • Search and click Storage Accounts in portal
    • Click Create
      • Choose resource group from dropdown
      • Enter unique storage account name
      • Choose Locally-redundant storage (LRS): from Redundancy dropdown
      • Click Review
      • Click Create
  • Task 7: Create a file share in the storage account.
    • Click Go to resource from deployment completion page from Task 6 steps
    • Choose File Shares under data storage in left panel
    • Click File Share in menu bar
      • In right panel
        • Enter Marketing in Name box
        • Click Create
  • Task 8: Restrict network access to a subnet.
    • In left panel under Security + networking choose Networking
    • Toggle Public Network Access to “Enabled from selected virtual networks and IP addresses
    • Click Add existing virtual network
      • In right panel
        • Select VNet under Virtual networks dropdown
        • Select subnet under Subnets dropdown (Private)
        • Click Add
    • Click Save in menu bar
    • In left panel under Security + Networking choose Access Keys
      • Click Show button for Key under key1
      • Click Copy to clipboard button
  • Task 9: Create virtual machines.
    • Open PowerShell in cloudshell pane (button next to portal search bar)
    • Upload Template and Parameter file as we’ve done in previous exercises
    • Verify Subscription
      • (az account show –output table)
    • Set account
      • (az account set –subscription “Name from output above”)
    • Set resource group name variable

($RGName = “myResourceGroup”)

  • Deploy VM
    • (New-AzResourceGroupDeployment -ResourceGroupeName $RGName -TemplateFile filename.json -TemplateParameterFile filename.parameters.json)
  • Close cloud PowerShell
  • Search Virtual Machines and verify new VMs created
  • Task 10: Confirm access to storage account.
    • Choose Private VM
    • Select Connect > RDP from menu bar
    • Click Download RDP File
    • Click Open file link
    • Click Connect on dialog
    • Enter creds and click OK
    • Search for PowerShell in RDP session
      • ($acctKey = ConvertTo-SecureString -String “previouslycopiedkey” -AsPlainText -Force)
      • (credential = New-Object System.Management.Automation.PSCredential -ArgumentList “Azure\contosostorage755238”, $acctKey)
      • (New-PSDrive -Name Z -PSProvider FileSystem -Root “\\contosostorage755238.file.core.windows.net\marketing” -Credential $credential)
      • Ping bing.com
        • Should fail
      • Close RDP Session and ContosoPrivate VM page in portal
    • Choose ContosoPublic VM
    • Click Connect > RDP from menu bar
    • Click Download RDP File
    • Click Open file link
    • Click Connect on dialog
    • Enter creds and click OK
    • Open PowerShell in RDP session
      • ($acctKey = ConvertTo-SecureString -String “previouslycopiedkey” -AsPlainText -Force)
      • (credential = New-Object System.Management.Automation.PSCredential -ArgumentList “Azure\contosostorage755238”, $acctKey)
      • (New-PSDrive -Name Z -PSProvider FileSystem -Root “\\contosostorage755238.file.core.windows.net\marketing” -Credential $credential)
        • Output should list Access is denied
      • Ping bing.com
        • Should be successful
    • Close RDP session
    • Search Storage accounts in portal
      • Choose the new contosostorage account created earlier
      • Choose File share in left panel under Data Storage
      • Choose marketing
        • Access is denied due to PC not in private subnet
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-restrict-network-access-to-paas-resources-with-virtual-network-service-endpoints-using-the-azure-portal/

Microsoft AZ-700: Integrate Private Endpoint with Domain Name Service

Reading Time: 2 minutes

Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 4: Integrate Private Endpoint with Domain Name Service

Private DNS zones typically hosted in same subscription where hub VNet deployed. Central hosting practice is recommended for cross-premises DNS resolution. Most cases – only networking and identity admins have permissions to manage DNS records

  • Azure Private Endpoint DNS Configuration
    • Below diagram show typical high-level architecture for enterprise env with central DNS.
    • Name resolution for Private Link resources done via Azure Private DNS
    • (Image taken from MS Learn)
    • Highlights of diagram
      • On-prem DNS servers have conditional forwarders configured for each Private Endpoint
      • DNS servers in hub VNet use Azure DNS resolver as forwarder
      • All VNets have DNS forwarders configured as primary/secondary DNS servers
      • DNS records follow lifecycle of Private Endpoint
    • Significance of IP Addr 168.63.129.16
      • VIP (public) that facilitates communication channel to Azure platform resources
        • Enables VM Agent to communicate with Azure platform to signal that it is in a “Ready” state
        • Enables communication with DNS virtual server providing filtered name resolution – Filtering ensures customers can resolve only hostnames to their resources
        • Enables health probes from load balancer to determine health state of VMs
        • Enables VMs to obtain dynamic IP addr from DHCP service in Azure
        • Enables heartbeat messages for PaaS role
    • On-prem workloads using DNS forwarder
      • For on-prem workloads to resolve FQDN of Private Endpoint use DNS forwarder to resolve Azure service public DNS zone
      • A DNS forwarder is VM running on VNet linked to Private DNS Zone
      • Query must be originated from VNet to Azure DNS
      • Proxy options include
        • Windows DNS
        • Linux DNS
        • Azure FW
      • Diagram below illustrates DNS resolution sequence from on-prem
      • Configuration uses DNS forwarder in Azure
      • Resolution made by private DNS zone linked to VNet
      • (Image taken from MS Learn)
      • Configuration needs
        • On-prem network
        • VNet connected to on-prem
        • DNS forwarder in Azure
        • Private DNS zones privatelink.database.windows.net with A record
        • Private Endpoint info (FQDN record name with private IP)
    • Virtual Network and On-prem workloads using Azure DNS Private Resolver
      • When using DNS Private Resolver – you don’t need DNS forwarder VM.
      • Azure DNS is able to resolve on-prem domain names
      • Below diagram uses DNS Private Resolver in hub-spoke topo
      • Best practice: Azure landing zone design pattern recommends using this type of topo
      • Hybrid net connection established using Azure ExpressRoute and FW
      • Provides secure hybrid network
      • DNS Private Resolver is deployed in hub network
      • (Image taken from MS Learn)
    Share this article:

    Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-integrate-private-endpoint-with-domain-name-service/

    Microsoft AZ-700: Define Private Link Service and Private Endpoint

    Reading Time: 2 minutes

    Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 3: Define Private Link Service and Private Endpoint

    • What is Azure Private Link
      • Azure Private Link enables access to Azure PaaS Services and Azure hosted customer-owned/partner services over Private Endpoint in VNet
    • Private Link is designed to remove public part of connection
    • Provides secure access to Azure Services achieved by replacing resource public endpoint with a private NIC
    • Key considerations for this architecture
      • Azure resource becomes part of your VNet
      • Connection to resource uses Microsoft Azure backbone instead of public INET
      • Can configure Azure resource to no longer expose its public IP
    • What is Azure Private Endpoint
      • Key technology behind Private Link
      • NIC that enables a private/secure connection between VNet and Azure service
      • NIC that replaces resources public endpoint
      • Provides secure access to Azure services
      • Replaces resource public endpoint with private NIC
    • How is Azure Private Endpoint different from service endpoint
      • Grants network access to specific resource behind given service providing granular segmentation
      • Traffic can reach service resource from on-prem without using public endpoints
      • Service endpoint remains publicly routable
      • Private endpoint is private IP in address space of VNet where configured
    • What is Azure Private Link Service
      • Gives private access from Azure VNet to PaaS services and MS Partner services in Azure. What is org has its own Azure services. Is it possible to offer those customer a private connection to orgs services
    • Yes with Private Link Service
    • Lets you offer Private Link connections to custom Azure services
    • Consumers of custom service can access them privately without going over INET from their own VNets
    • Private Link service is reference to own service powered by Private Link
    • Service is running behind Azure standard load balancer can be enable for Private Link access
    • Customers can create private endpoint inside their VNet and map to this service
    • Private Link service receives connections from multiple private endpoints.
    • Private endpoint connects to 1 Private Link services
    • Private Endpoint Properties
      • Considerations
        • Unique name with resource group
        • Subnet to deploy/allocate private IP addresses from VNet
        • Private Link resource to connect using resource ID/Alias from list of available types – A unique network identifier is generated for all traffic sent to resource
        • The subresource to connect – each private link resource type has diff options to select based on pref
        • Automatic or manual connection approval method – based on Azure role-based access control (RBAC) Private Endpoint can be approved automatically.
        • For manual method of above, owner of resource approves connections
        • Only Private Endpoints in approved state used to send traffic
      • Additional Considerations
        • Clients initiate net connections. Only established in single direction
        • Private Endpoint has read-only NIC. Interface assigned dynamically from subnet that maps to Private Link resource – remains unchanged for lifecycle of Private Endpoint
        • Must be deployed in same region and subscription of VNet
        • Private Link can be deployed in diff region than VNet of Private Endpoint
        • Multiple Private Endpoints can be created using same Private Link
        • Multiple Private Endpoints can be created on same or diff subnets within same VNet
    Share this article:

    Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-define-private-link-service-and-private-endpoint/

    Microsoft AZ-700: Explain Virtual Network Service Endpoints

    Reading Time: 3 minutes

    Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services: Unit 2: Explain Virtual Network Service Endpoints

    Think your org migrates existing ERP app with DB server to Azure VMs. Now, you consider Azure platform as a service in Azure for cost/admin requirements. Storage services hold large file assets. These engineering diagrams have proprietary info and must remain secure from unauthorized access. Must be only accessible from specific systems

    • What is a virtual network service endpoint
      • VNet service endpoint provides secure and direct connectivity to Azure services. Service endpoints allow you to secure critical Azure service resources to only your VNets. Service Endpoints enables private IP addrs in the VNet to reach the endpoint of an Azure service without needing a public IP
      • By default, Azure services are designed for DIA. All Azure resources have public Ips including PaaS services such as Azure SQL and Storage. Since explosed to INET potential for anyone to access Azure services
      • Service endpoints can connect certain PaaS services directly to private address space in Azure
      • Service endpoints use private space to access PaaS services directly
      • Adding service endpoints doesn’t remove public endpoint but provides a redirect of traffic
    • Preparing to Implement Service Endpoints
      • Two required steps
        • Turn off public access to service
        • Add Service Endpoint to VNet
      • When enabling Service Endpoint traffic flow is restricted and Azure VMs are enabled directly from private addr space
      • Devices cannot access service from public network
      • VM vNIC Service Endpoint becomes Next Hop Type
      • Example route table before enabling Service Endpoint (Table below from MS Learn)
      • Example route table after adding 2 Service Endpoints to VNet (Table below from MS Learn)
      • All traffic for service now routed to VNet Service Endpoint and remains inside Azure
    • Create Service Endpoints
      • Planning to move sensitive diagram into Azure Storage. File must only be accessible from computers inside corp network. You want to create a VNet Service Endpoint for Azure Storage to secure connectivity to storage accounts
      • Steps
        • Enable service endpoint on a subnet
        • Use network rules to restrict access to Azure Storage
        • Create a virtual network service endpoint for Azure Storage
        • Verify access is denied appropriately
    • Configure service tags
      • Service tag represents group of IP prefixes from a given Azure service. MS manages prefixes encompassed by service tag automatically updating addrees minimizing complexity of frequent updates to network security rules
      • You can use service tags to define network access controls on network security groups or FW
      • Use service tags in place of specific IP’s when creating security rules
      • Specifying service tag name (e.g. API Management) in appropriate SRC/DST of rule allows or denies traffic for service
      • As of March 2021 Service Tags can be used in place of IP ranges in user defined routes. Currently in Public Preview
      • Use service tags to achieve network isolation and protect Azure resources from general Internet while accessing Azure services that have public endpoints
      • Create In/Out network security group rules for deny to/from INET and allow to/from AzureCloud or other specific Azure services
    • Available service tags
      • Follow this MS Table for all service tags available for use in NSG rules. Columns define whether tag
        • Is suitable for rules that cover in/outbound traffic
        • Supports regional scope
        • Is usable in FW rules
      • By default, service tags are for entire cloud
      • Some tags also allow more granular control via restricting IP ranges to specific region
      • Service tags of Azure services denote prefixes from specific cloud being used
      • If implementing VNet service endpoint Azure adds route to VNet subnet. Prefixes in route are same as prefixes for corresponding service tag
    Share this article:

    Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-explain-virtual-network-service-endpoints/

    Load more