Microsoft AZ-700: Exercise – Restrict Network Access to PaaS Resources with Virtual Network Service Endpoints Using the Azure Portal

Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 5: Exercise – Restrict Network Access to PaaS Resources with Virtual Network Service Endpoints Using the Azure Portal

Tasks (taken from MS Learn; items without “Task” in front of them are personal additions)

  • Task 1: Create a virtual network.
    • Search and select Virtual Networks in portal
    • Click Create
      • Select or Create New Resource group (create new in this example)
        • Enter unique name in dialog and click OK
      • Enter Instance Name
      • Choose Region from dropdown
      • Click Next : IP Addresses >
      • Click link for default
        • In right panel change name to Public
        • Click Save
      • Click Next : Security >
      • Verify all security settings toggled to Disable
      • Click Review + create
      • Once validated click Create
  • Task 2: Enable a service endpoint.
    • Click Go to resource on deployment complete page from task above
    • Click Subnets in left panel
    • Click Subnet in menu bar to create a new subnet
      • In right panel
        • Enter unique name for subnet
        • Under Service Endpoints choose Microsoft.Storage from services dropdown
        • Click Save
    • Note 2 subnets created: Public and Private
  • Task 3: Restrict network access for a subnet.
    • Search and click Network security groups in portal
    • Click Create in menu bar
      • Choose Resource group from dropdown
      • Enter unique name under Instance details
    • Click Review + create
    • Once validated click Create
    • Once deployment complete choose Go to resource
    • Under Settings choose Outbound security rules
      • Click Add in menu bar
      • In right panel
        • Choose Service Tag in Source dropdown
        • Choose Virtual Network in Source service tag dropdown
        • Choose Service Tag in Destination dropdown
        • Choose Storage in Destination Service Tag dropdown
        • Enter wildcard (*) in Destination port ranges box
        • Enter unique name in Name box
        • Click Add
      • Click Refresh to verify rule created with Priority 100
  • Task 4: Add other outbound rules.
    • Follow MS Learn steps similar to above to Deny Internet All
    • Change Priority to 110
    • Click Add
    • Refresh page to verify rule with priority 110 created
  • Task 5: Allow access for RDP connections.
    • Under settings in left panel click Inbound Security Rules
    • Click Add in menu bar
      • In right panel
        • Select Service Tag in Destination dropdown
        • Select Virtual Network in Destination Service Tag dropdown
        • Change port in Destination port ranges box to 3389
        • Add unique name for rule in Name box
        • Click Add
    • Click Refresh to verify new rule created
    • Click Subnets in left panel
      • Click Associate in menu bar
      • In right panel
        • Select Private subnet from subnet dropdown
        • Click OK
  • Task 6: Restrict network access to a resource.
    • This is really just a task to create the storage account, but the Task 6 title is as given in MS Learn
    • Search and click Storage Accounts in portal
    • Click Create
      • Choose resource group from dropdown
      • Enter unique storage account name
      • Choose Locally-redundant storage (LRS) from Redundancy dropdown
      • Click Review
      • Click Create
  • Task 7: Create a file share in the storage account.
    • Click Go to resource from deployment completion page from Task 6 steps
    • Choose File Shares under data storage in left panel
    • Click File Share in menu bar
      • In right panel
        • Enter Marketing in Name box
        • Click Create
  • Task 8: Restrict network access to a subnet.
    • In left panel under Security + networking choose Networking
    • Toggle Public Network Access to “Enabled from selected virtual networks and IP addresses”
    • Click Add existing virtual network
      • In right panel
        • Select VNet under Virtual networks dropdown
        • Select subnet under Subnets dropdown (Private)
        • Click Add
    • Click Save in menu bar
    • In left panel under Security + Networking choose Access Keys
      • Click Show button for Key under key1
      • Click Copy to clipboard button
  • Task 9: Create virtual machines.
    • Open PowerShell in cloudshell pane (button next to portal search bar)
    • Upload Template and Parameter file as we’ve done in previous exercises
    • Verify Subscription
      • (az account show --output table)
    • Set account
      • (az account set --subscription "Name from output above")
    • Set resource group name variable
      • ($RGName = "myResourceGroup")
    • Deploy VMs
      • (New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile filename.json -TemplateParameterFile filename.parameters.json)
    • Close cloud PowerShell
    • Search Virtual Machines and verify new VMs created
  • Task 10: Confirm access to storage account.
    • Choose Private VM
    • Select Connect > RDP from menu bar
    • Click Download RDP File
    • Click Open file link
    • Click Connect on dialog
    • Enter creds and click OK
    • Search for PowerShell in RDP session
      • ($acctKey = ConvertTo-SecureString -String "previouslycopiedkey" -AsPlainText -Force)
      • ($credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\contosostorage755238", $acctKey)
      • (New-PSDrive -Name Z -PSProvider FileSystem -Root "\\contosostorage755238.file.core.windows.net\marketing" -Credential $credential)
      • Ping bing.com
        • Should fail
      • Close RDP Session and ContosoPrivate VM page in portal
    • Choose ContosoPublic VM
    • Click Connect > RDP from menu bar
    • Click Download RDP File
    • Click Open file link
    • Click Connect on dialog
    • Enter creds and click OK
    • Open PowerShell in RDP session
      • ($acctKey = ConvertTo-SecureString -String "previouslycopiedkey" -AsPlainText -Force)
      • ($credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\contosostorage755238", $acctKey)
      • (New-PSDrive -Name Z -PSProvider FileSystem -Root "\\contosostorage755238.file.core.windows.net\marketing" -Credential $credential)
        • Output should list Access is denied
      • Ping bing.com
        • Should be successful
    • Close RDP session
    • Search Storage accounts in portal
      • Choose the new contosostorage account created earlier
      • Choose File share in left panel under Data Storage
      • Choose marketing
        • Access is denied because the PC running the portal browser is not in the Private subnet
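The portal clicks in Tasks 1 through 8 as a single Az PowerShell script, added here as an example and not part of the MS Learn exercise or this post's own steps. Resource names, address prefixes, the region and the priority 120 for the RDP rule are assumptions; the service tags, rule priorities 100 and 110, port 3389 and the default-deny storage firewall follow the exercise.

```powershell
# Added example (not from MS Learn or the post): Tasks 1-8 via Az PowerShell.
# Names, prefixes and region below are assumptions.
$rg       = "myResourceGroup"
$location = "eastus"
$vnetName = "myVirtualNetwork"
$nsgName  = "myNsgPrivate"
$stName   = "contosostorage" + (Get-Random -Maximum 999999)   # constructed unique name

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Tasks 1-2: VNet with a Public subnet and a Private subnet carrying the Microsoft.Storage endpoint
$public  = New-AzVirtualNetworkSubnetConfig -Name Public  -AddressPrefix 10.0.0.0/24
$private = New-AzVirtualNetworkSubnetConfig -Name Private -AddressPrefix 10.0.1.0/24 -ServiceEndpoint Microsoft.Storage
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
          -AddressPrefix 10.0.0.0/16 -Subnet $public, $private

# Tasks 3-5: allow Storage outbound (100), deny all other Internet outbound (110), allow RDP inbound
$allowStorage = New-AzNetworkSecurityRuleConfig -Name Allow-Storage-All -Access Allow -Direction Outbound -Priority 100 `
  -Protocol * -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix Storage -DestinationPortRange *
$denyInternet = New-AzNetworkSecurityRuleConfig -Name Deny-Internet-All -Access Deny -Direction Outbound -Priority 110 `
  -Protocol * -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix Internet -DestinationPortRange *
$allowRdp = New-AzNetworkSecurityRuleConfig -Name Allow-RDP-All -Access Allow -Direction Inbound -Priority 120 `
  -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389
$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg -Location $location `
         -SecurityRules $allowStorage, $denyInternet, $allowRdp

# Associate the NSG with the Private subnet only; the Public subnet keeps unrestricted egress
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name Private -AddressPrefix 10.0.1.0/24 `
  -ServiceEndpoint Microsoft.Storage -NetworkSecurityGroup $nsg | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# Tasks 6-7: LRS storage account and the "marketing" file share
New-AzStorageAccount -ResourceGroupName $rg -Name $stName -Location $location -SkuName Standard_LRS -Kind StorageV2 | Out-Null
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $stName -Name marketing | Out-Null

# Task 8: default-deny on the storage firewall, then allow only the Private subnet through its endpoint
$privateId = ($vnet.Subnets | Where-Object Name -eq Private).Id
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stName -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $stName -VirtualNetworkResourceId $privateId | Out-Null

# Check the result: DefaultAction should be Deny with exactly one VNet rule, the Private subnet
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stName |
  Select-Object DefaultAction, @{n='VNetRules'; e={ $_.VirtualNetworkRules.VirtualNetworkResourceId }}
```

The storage account name must be 3 to 24 lowercase alphanumerics, which the constructed name satisfies; the subnet must already carry the Microsoft.Storage endpoint before Add-AzStorageAccountNetworkRule is called, which is why the endpoint is set in the subnet config first.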
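The Task 10 checks, collected into one script to run in the PowerShell session of each VM and compared against what the exercise expects (Private VM: share maps, Internet blocked; Public VM: share denied, Internet reachable). This is an added example, not part of the MS Learn exercise; the account name is the one from the post, the key is pasted from Task 8, and the Internet check uses a TCP connection to port 443 rather than the exercise's ICMP ping.

```powershell
# Added example (not from MS Learn or the post): Task 10 access checks as one object.
# Run inside the Private VM with -Expect Private and inside the Public VM with -Expect Public.
param(
  [string]$StorageAccount = "contosostorage755238",
  [string]$StorageKey     = "<paste key1 here>",          # key1 copied in Task 8
  [ValidateSet("Private","Public")][string]$Expect = "Private"
)
$acctKey    = ConvertTo-SecureString -String $StorageKey -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\$StorageAccount", $acctKey
$share      = "\\$StorageAccount.file.core.windows.net\marketing"

# SMB to Azure Files is TCP 445; Allow-Storage-All (priority 100) permits it from the Private subnet
$smbReachable = (Test-NetConnection -ComputerName "$StorageAccount.file.core.windows.net" -Port 445 `
                   -WarningAction SilentlyContinue).TcpTestSucceeded

# Mapping the share only succeeds from the subnet listed in the storage firewall ("Access is denied" elsewhere)
try {
    New-PSDrive -Name Z -PSProvider FileSystem -Root $share -Credential $credential -ErrorAction Stop | Out-Null
    $shareMapped = $true
    Remove-PSDrive -Name Z
} catch {
    $shareMapped = $false
}

# Deny-Internet-All (priority 110) blocks this from the Private subnet; the Public subnet has no NSG
$internetOk = (Test-NetConnection -ComputerName bing.com -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

# Expected matrix from the exercise; SmbReachable is reported but not asserted, since the storage
# firewall can accept the TCP handshake and still deny the share
$expected = @{
    Private = @{ ShareMapped = $true;  InternetOk = $false }
    Public  = @{ ShareMapped = $false; InternetOk = $true  }
}[$Expect]

[pscustomobject]@{
    Subnet       = $Expect
    SmbReachable = $smbReachable
    ShareMapped  = $shareMapped
    InternetOk   = $internetOk
    AsExpected   = ($shareMapped -eq $expected.ShareMapped) -and ($internetOk -eq $expected.InternetOk)
}
```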
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-restrict-network-access-to-paas-resources-with-virtual-network-service-endpoints-using-the-azure-portal/
