Microsoft AZ-700: Exercise – Create an Azure Private Endpoint Using Azure PowerShell


Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 6: Exercise – Create an Azure Private Endpoint Using Azure PowerShell

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create a resource group and deploy the prerequisite web app.
    • Open PowerShell in cloudshell under portal: Button next to search bar
    • Upload template and parameter file as done in previous exercises
    • View/verify subscription
      • (az account show --output table)
    • Set subscription
      • (az account set --subscription "Name as noted from output above")
    • Create Resource Group
      • (New-AzResourceGroup -Name 'NAME-rg' -Location 'eastus')
    • Set Resource Group name variable
      • ($RGName = "CreatePrivateEndpointQS-rg")
    • Create VMs
      • (New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile templatefile.json -TemplateParameterFile parametersfilename.json)
  • Task 2: Create a virtual network and bastion host.
    • Create backend subnet
      • ($subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24)
    • Create Azure Bastion Subnet
      • ($bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24)
    • Define VNet parameters ($parameters1 splat: Name 'myVNet', ResourceGroupName, Location 'eastus', the VNet AddressPrefix, and Subnet = $subnetConfig, $bastsubnetConfig)
    • Create Virtual Network
      • ($vnet = New-AzVirtualNetwork @parameters1)
    • Create Public IP for Bastion Host
      • ($parameters2 = @{
        Name = 'myBastionIP'
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Location = 'eastus'
        Sku = 'Standard'
        AllocationMethod = 'Static'
        })
      • ($publicip = New-AzPublicIpAddress @parameters2)
    • Create Bastion Host
      • ($parameters3 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Name = 'myBastion'
        PublicIpAddress = $publicip
        VirtualNetwork = $vnet
        })
      • (New-AzBastion @parameters3)
  • Task 3: Create a test virtual machine.
    • Set local admin creds for VM
      • ($cred = Get-Credential)
      • Input Username
      • Input Password
    • Get VNet config
      • ($vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg)
    • Create VM NIC
      • ($parameters1 = @{
        Name = 'myNicVM'
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Location = 'eastus'
        Subnet = $vnet.Subnets[0]
        })
      • ($nicVM = New-AzNetworkInterface @parameters1)
    • Create VM Configuration
      • ($parameters2 = @{
        VMName = 'myVM'
        VMSize = 'Standard_DS1_v2'
        })
      • ($parameters3 = @{
        ComputerName = 'myVM'
        Credential = $cred
        })
      • ($parameters4 = @{
        PublisherName = 'MicrosoftWindowsServer'
        Offer = 'WindowsServer'
        Skus = '2019DataCenter'
        Version = 'latest'
        })
      • ($vmConfig = New-AzVMConfig @parameters2 | Set-AzVMOperatingSystem -Windows @parameters3 | Set-AzVMSourceImage @parameters4 | Add-AzVMNetworkInterface -Id $nicVM.Id)
      • (New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig)
  • Task 4: Create a private endpoint.
    • Place Webapp into variable
      • ($webapp = Get-AzWebApp -ResourceGroupName CreatePrivateEndpointQS-rg)
    • Create Private Endpoint connection
      • ($parameters1 = @{
        Name = 'myConnection'
        PrivateLinkServiceId = $webapp.ID
        GroupID = 'sites'
        })
      • ($privateEndpointConnection = New-AzPrivateLinkServiceConnection @parameters1)
    • Place VNet into variable
      • ($vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet')
    • Disable Private Endpoint network policy on the backend subnet (required before an endpoint can be placed in it)
      • ($vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled")
      • ($vnet | Set-AzVirtualNetwork)
    • Create Private Endpoint
      • ($parameters2 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Name = 'myPrivateEndpoint'
        Location = 'eastus'
        Subnet = $vnet.Subnets[0]
        PrivateLinkServiceConnection = $privateEndpointConnection
        })
      • (New-AzPrivateEndpoint @parameters2)
  • Task 5: Configure the private DNS zone.
    • Place VNet into variable
      • ($vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet')
    • Create Private DNS Zone
      • ($parameters1 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        Name = 'privatelink.azurewebsites.net'
        })
      • ($zone = New-AzPrivateDnsZone @parameters1)
    • Create DNS Network Link
      • ($parameters2 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        ZoneName = 'privatelink.azurewebsites.net'
        Name = 'myLink'
        VirtualNetworkId = $vnet.Id
        })
      • ($link = New-AzPrivateDnsVirtualNetworkLink @parameters2)
    • Create DNS Config
      • ($parameters3 = @{
        Name = 'privatelink.azurewebsites.net'
        PrivateDnsZoneId = $zone.ResourceId
        })
      • ($config = New-AzPrivateDnsZoneConfig @parameters3)
    • Create DNS Zone Group
      • ($parameters4 = @{
        ResourceGroupName = 'CreatePrivateEndpointQS-rg'
        PrivateEndpointName = 'myPrivateEndpoint'
        Name = 'myZoneGroup'
        PrivateDnsZoneConfig = $config
        })
      • (New-AzPrivateDnsZoneGroup @parameters4)
  • Task 6: Test connectivity across the private endpoint.
    • Navigate to Virtual Machines in portal
    • Open myVM created earlier
    • Click Connect > Bastion
      • Enter credentials and click Connect
      • Open PowerShell
        • (nslookup contoso-webapp-755238.azurewebsites.net)
          • Should resolve to a private IP from the backend subnet (10.0.0.0/24), not the public address of the web app
        • Browse to URL in Internet Explorer
        • Select OK in dialog
        • Success
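As an added verification step (not part of the MS Learn exercise or the notes above), this Cloud Shell script checks that the private path really exists before relying on the Task 6 test: the Private Link connection is Approved, the endpoint NIC sits in the backend subnet, and the private zone holds a matching A record. It assumes the resource names used in the tasks and the 10.0.0.0/24 backend prefix; Test-IpInPrefix is a helper written here.

```powershell
# Added verification script, run from Cloud Shell after Task 5. Not part of the MS Learn
# exercise; it reuses the names chosen above and assumes the backend subnet prefix 10.0.0.0/24.
$RGName       = 'CreatePrivateEndpointQS-rg'
$peName       = 'myPrivateEndpoint'
$zoneName     = 'privatelink.azurewebsites.net'
$subnetPrefix = '10.0.0.0/24'   # myBackendSubnet, where the endpoint NIC lives

# Returns $true when an IPv4 address falls inside a CIDR prefix (plain integer arithmetic, no extra module)
function Test-IpInPrefix {
    param([string]$Ip, [string]$Prefix)
    $net, $bits = $Prefix.Split('/')
    $toInt = {
        param($a)
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        [Array]::Reverse($b)                      # network byte order -> little-endian for ToUInt32
        [int64][BitConverter]::ToUInt32($b, 0)
    }
    $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [int64]0xFFFFFFFF
    return ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# 1. The Private Link connection must be Approved; Pending or Rejected means no private path exists yet
$pe    = Get-AzPrivateEndpoint -ResourceGroupName $RGName -Name $peName
$state = $pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status
if ($state -ne 'Approved') { throw "Private endpoint connection state is '$state', expected Approved" }

# 2. The endpoint NIC must hold an address from the backend subnet
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress
if (-not (Test-IpInPrefix -Ip $peIp -Prefix $subnetPrefix)) { throw "Endpoint IP $peIp is outside $subnetPrefix" }

# 3. The private DNS zone must carry an A record for that same IP; without it, clients in the VNet
#    resolve the public address and their traffic never uses the endpoint
$aRecords = Get-AzPrivateDnsRecordSet -ResourceGroupName $RGName -ZoneName $zoneName -RecordType A
$match    = $aRecords | Where-Object { $_.Records.Ipv4Address -contains $peIp }
if (-not $match) { throw "No A record in $zoneName resolves to $peIp; check the DNS zone group from Task 5" }

"OK: $($match.Name).$zoneName -> $peIp (connection $state)"
```

If the script passes but nslookup on myVM still returns a public IP, the VNet link from Task 5 is the usual culprit.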
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-create-an-azure-private-endpoint-using-azure-powershell/