Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 6: Exercise – Create an Azure Private Endpoint Using Azure PowerShell
Tasks (taken from MS Learn; items without "Task" in front of them are personal additions)
- Task 1: Create a resource group and deploy the prerequisite web app.
- Open PowerShell in Cloud Shell in the portal (button next to the search bar)
- Upload template and parameter file as done in previous exercises
- View/verify subscription
- (az account show --output table)
- Set subscription
- (az account set --subscription "Name as noted from output above")
- Create Resource Group
- (New-AzResourceGroup -Name 'CreatePrivateEndpointQS-rg' -Location 'eastus')
- Set Resource Group name variable
- ($RGName = 'CreatePrivateEndpointQS-rg')
- Create VMs
- (New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile templatefile.json -TemplateParameterFile parametersfilename.json)
- Task 2: Create a virtual network and bastion host.
- Create backend subnet
- ($subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24)
- Create Azure Bastion Subnet
- ($bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24)
- Create Virtual Network
- ($vnet = New-AzVirtualNetwork @parameters1)
- Create Public IP for Bastion Host
- ($parameters2 = @{
      Name = 'myBastionIP'
      ResourceGroupName = 'CreatePrivateEndpointQS-rg'
      Location = 'eastus'
      Sku = 'Standard'
      AllocationMethod = 'Static'
  })
- ($publicip = New-AzPublicIpAddress @parameters2)
- Create Bastion Host
- ($parameters3 = @{
      ResourceGroupName = 'CreatePrivateEndpointQS-rg'
      Name = 'myBastion'
      PublicIpAddress = $publicip
      VirtualNetwork = $vnet
  })
- (New-AzBastion @parameters3)
- Task 3: Create a test virtual machine.
- Set local admin creds for VM
- ($cred = Get-Credential)
- Input Username
- Input Password
- Get VNet config
- ($vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg)
- Create VM NIC
- ($parameters1 = @{
      Name = 'myNicVM'
      ResourceGroupName = 'CreatePrivateEndpointQS-rg'
      Location = 'eastus'
      Subnet = $vnet.Subnets[0]
  })
- ($nicVM = New-AzNetworkInterface @parameters1)
- Create VM Configuration
- ($parameters2 = @{
      VMName = 'myVM'
      VMSize = 'Standard_DS1_v2'
  })
- ($parameters3 = @{
      ComputerName = 'myVM'
      Credential = $cred
  })
- ($parameters4 = @{
      PublisherName = 'MicrosoftWindowsServer'
      Offer = 'WindowsServer'
      Skus = '2019-Datacenter'
      Version = 'latest'
  })
- ($vmConfig = New-AzVMConfig @parameters2 | Set-AzVMOperatingSystem -Windows @parameters3 | Set-AzVMSourceImage @parameters4 | Add-AzVMNetworkInterface -Id $nicVM.Id)
- (New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig)
- Task 4: Create a private endpoint.
- Place Webapp into variable
- ($webapp = Get-AzWebApp -ResourceGroupName CreatePrivateEndpointQS-rg)
- Create Private Endpoint connection
- ($parameters1 = @{
      Name = 'myConnection'
      PrivateLinkServiceId = $webapp.ID
      GroupID = 'sites'
  })
- ($privateEndpointConnection = New-AzPrivateLinkServiceConnection @parameters1)
- Place VNet into variable
- ($vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet')
- Disable Private Endpoint Policy
- ($vnet.Subnets[0].PrivateEndpointNetworkPolicies = 'Disabled')
- ($vnet | Set-AzVirtualNetwork)
- Create Private Endpoint
- ($parameters2 = @{
      ResourceGroupName = 'CreatePrivateEndpointQS-rg'
      Name = 'myPrivateEndpoint'
      Location = 'eastus'
      Subnet = $vnet.Subnets[0]
      PrivateLinkServiceConnection = $privateEndpointConnection
  })
- (New-AzPrivateEndpoint @parameters2)
- Task 5: Configure the private DNS zone.
- Place VNet into variable
- ($vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet')
- Create Private DNS Zone
- ($parameters1 = @{
      ResourceGroupName = 'CreatePrivateEndpointQS-rg'
      Name = 'privatelink.azurewebsites.net'
  })
- ($zone = New-AzPrivateDnsZone @parameters1)
- Create DNS Network Link
- ($parameters2 = @{
      ResourceGroupName = 'CreatePrivateEndpointQS-rg'
      ZoneName = 'privatelink.azurewebsites.net'
      Name = 'myLink'
      VirtualNetworkId = $vnet.Id
  })
- ($link = New-AzPrivateDnsVirtualNetworkLink @parameters2)
- Create DNS Config
- ($parameters3 = @{
      Name = 'privatelink.azurewebsites.net'
      PrivateDnsZoneId = $zone.ResourceId
  })
- ($config = New-AzPrivateDnsZoneConfig @parameters3)
- Create DNS Zone Group
- ($parameters4 = @{
      ResourceGroupName = 'CreatePrivateEndpointQS-rg'
      PrivateEndpointName = 'myPrivateEndpoint'
      Name = 'myZoneGroup'
      PrivateDnsZoneConfig = $config
  })
- (New-AzPrivateDnsZoneGroup @parameters4)
- Task 6: Test connectivity across the private endpoint.
- Navigate to Virtual Machines in portal
- Open myVM created earlier
- Click Connect > Bastion
- Enter credentials and click Connect
- Open PowerShell
- (nslookup contoso-webapp-755238.azurewebsites.net)
- The name resolves to a private IP from the backend subnet (10.0.0.0/24), not a public address
- Browse to the URL in Internet Explorer
- Select OK in the dialog
- Success (the web app page loads)
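A check script added to these notes (not part of the MS Learn exercise) that verifies from Cloud Shell what Task 6 tests from inside the VM: the private endpoint connection is approved, the privatelink zone holds an A record matching the endpoint NIC's private IP, and the zone is linked to myVNet. It assumes the resource names used above; the Az cmdlets are real, the variable names are mine.

```powershell
# Added verification script; assumes the names from the exercise above.
$RGName   = 'CreatePrivateEndpointQS-rg'
$PEName   = 'myPrivateEndpoint'
$ZoneName = 'privatelink.azurewebsites.net'

# 1. The private endpoint connection must be Approved, otherwise the web app
#    does not accept traffic over it.
$pe = Get-AzPrivateEndpoint -ResourceGroupName $RGName -Name $PEName
foreach ($conn in $pe.PrivateLinkServiceConnections) {
    $status = $conn.PrivateLinkServiceConnectionState.Status
    if ($status -ne 'Approved') { Write-Warning "Connection $($conn.Name) is $status" }
    else { Write-Output "Connection $($conn.Name): Approved" }
}

# 2. Private IP assigned to the endpoint's NIC (what nslookup on myVM should return).
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress
Write-Output "Private endpoint IP: $peIp"

# 3. The privatelink zone must hold an A record for that IP; a missing or stale
#    record means clients silently resolve the public hostname instead.
$aRecords = Get-AzPrivateDnsRecordSet -ResourceGroupName $RGName -ZoneName $ZoneName -RecordType A
$match = $aRecords | Where-Object { $_.Records.Ipv4Address -contains $peIp }
if ($match) { Write-Output "A record $($match.Name).$ZoneName -> $peIp" }
else { Write-Warning "No A record in $ZoneName points at $peIp (check the DNS zone group)" }

# 4. The zone must be linked to the VNet the VM lives in, or its resolver never consults it.
$vnet  = Get-AzVirtualNetwork -ResourceGroupName $RGName -Name 'myVNet'
$links = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $RGName -ZoneName $ZoneName
if ($links.VirtualNetworkId -contains $vnet.Id) { Write-Output "Zone linked to $($vnet.Name)" }
else { Write-Warning "Zone $ZoneName is not linked to $($vnet.Name)" }

# 5. Subnet setting the exercise changed: with network policies Disabled, NSG rules
#    on the subnet are not applied to the private endpoint's traffic.
$subnet = $vnet.Subnets[0]
Write-Output "Subnet $($subnet.Name) PrivateEndpointNetworkPolicies = $($subnet.PrivateEndpointNetworkPolicies)"
```

Run it after Task 5 completes; if step 3 or 4 warns, the nslookup in Task 6 returns the public IP rather than the 10.0.0.0/24 address.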