Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 5: Exercise – Restrict Network Access to PaaS Resources with Virtual Network Service Endpoints Using the Azure Portal
Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)
- Task 1: Create a virtual network.
- Search and select Virtual Networks in portal
- Click Create
- Select or Create New Resource group (create new in this example)
- Enter unique name in dialog and click OK
- Enter Instance Name
- Choose Region from dropdown
- Click Next : IP Addresses >
- Click link for default
- In right panel change name to Public
- Click Save
- Click Next : Security >
- Verify all security settings toggled to Disable
- Click Review + create
- Once validated click Create
- Task 2: Enable a service endpoint.
- Click Go to resource on deployment complete page from task above
- Click Subnets in left panel
- Click Subnet in menu bar to create a new subnet
- In right panel
- Enter unique name for subnet
- Under Service Endpoints choose Microsoft.Storage from services dropdown
- Click Save
- Note 2 subnets created: Public and Private
- Task 3: Restrict network access for a subnet.
- Search and click Network security groups in portal
- Click Create in menu bar
- Choose Resource group from dropdown
- Enter unique name under Instance details
- Click Review + create
- Once validated click Create
- Once deployment complete choose Go to resource
- Under Settings choose Outbound security rules
- Click Add in menu bar
- In right panel
- Choose Service Tag in Source dropdown
- Choose Virtual Network in Source service tag dropdown
- Choose Service Tag in Destination dropdown
- Choose Storage in Destination Service Tag dropdown
- Enter wildcard (*) in Destination port ranges box
- Enter unique name in Name box
- Click Add
- Click Refresh to verify rule created with Priority 100
- Task 4: Add other outbound rules.
- Follow the MS Learn steps, similar to the rule above, to create a Deny Internet All outbound rule
- Change Priority to 110
- Click Add
- Refresh page to verify rule with priority 110 created
- Task 5: Allow access for RDP connections.
- Under settings in left panel click Inbound Security Rules
- Click Add in menu bar
- In right panel
- Select Service Tag in Destination dropdown
- Select Virtual Network in Destination Service Tag dropdown
- Change port in Destination port ranges box to 3389
- Add unique name for rule in Name box
- Click Add
- Click Refresh to verify new rule created
- Click Subnets in left panel
- Click Associate in menu bar
- In right panel
- Select Private subnet from subnet dropdown
- Click OK
- Task 6: Restrict network access to a resource.
- This is really just a task to create the storage account, but the Task 6 title is kept as in MS Learn
- Search and click Storage Accounts in portal
- Click Create
- Choose resource group from dropdown
- Enter unique storage account name
- Choose Locally-redundant storage (LRS) from the Redundancy dropdown
- Click Review
- Click Create
- Task 7: Create a file share in the storage account.
- Click Go to resource from deployment completion page from Task 6 steps
- Choose File Shares under data storage in left panel
- Click File Share in menu bar
- In right panel
- Enter Marketing in Name box
- Click Create
- Task 8: Restrict network access to a subnet.
- In left panel under Security + networking choose Networking
- Toggle Public Network Access to “Enabled from selected virtual networks and IP addresses”
- Click Add existing virtual network
- In right panel
- Select VNet under Virtual networks dropdown
- Select subnet under Subnets dropdown (Private)
- Click Add
- Click Save in menu bar
- In left panel under Security + Networking choose Access Keys
- Click Show button for Key under key1
- Click Copy to clipboard button
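The same configuration as Tasks 2 to 8 written as one Az PowerShell script, an added example that is not part of the MS Learn lab. It assumes the names myResourceGroup, myVirtualNetwork, myNsg, a Private subnet prefix of 10.0.1.0/24 and the storage account name used later in these notes; rule priorities match the portal steps.

```powershell
# Added example, not part of the MS Learn lab: Tasks 2 to 8 as one Az PowerShell script,
# so the service endpoint, NSG rules and storage firewall can be reviewed and re-applied.
# Assumed names: myResourceGroup, myVirtualNetwork, myNsg, subnet prefix 10.0.1.0/24 and
# the storage account name from the notes; priorities match the portal steps.
$RGName   = 'myResourceGroup'
$VNetName = 'myVirtualNetwork'
$StgName  = 'contosostorage755238'

# Tasks 3 and 4: outbound. Allow-Storage (100) is evaluated before Deny-Internet (110),
# so VMs in the subnet reach Azure Storage and nothing else on the Internet.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name 'Allow-Storage-All' -Direction Outbound `
    -Priority 100 -Access Allow -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' `
    -SourcePortRange '*' -DestinationAddressPrefix 'Storage' -DestinationPortRange '*'
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Direction Outbound `
    -Priority 110 -Access Deny -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' `
    -SourcePortRange '*' -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'
# Task 5: inbound RDP to the subnet (priorities are per direction, so 100 is free again).
# The lab leaves Source as Any; narrowing it to an admin IP range is the usual tightening.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Direction Inbound `
    -Priority 100 -Access Allow -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '3389'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $RGName -Name $VNetName
$nsg  = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $vnet.Location `
    -Name 'myNsg' -SecurityRules $allowStorage, $denyInternet, $allowRdp

# Task 2 plus the Task 5 association: Private subnet with a Microsoft.Storage service
# endpoint and the NSG. The endpoint is required before the storage rule below is accepted.
Add-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Private' -AddressPrefix '10.0.1.0/24' `
    -ServiceEndpoint 'Microsoft.Storage' -NetworkSecurityGroup $nsg | Out-Null
$vnet    = $vnet | Set-AzVirtualNetwork
$private = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Private'

# Task 8: storage firewall denies by default and trusts only the Private subnet.
# Public-VM and portal traffic arrive from public IPs, which is why they get "Access is denied".
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $RGName -Name $StgName -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $RGName -Name $StgName `
    -VirtualNetworkResourceId $private.Id | Out-Null

# Verify: DefaultAction Deny and exactly one VNet rule, pointing at the Private subnet.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $RGName -Name $StgName
$ruleSet | Select-Object DefaultAction, @{n='Subnets'; e={ $_.VirtualNetworkRules.VirtualNetworkResourceId }}
```

Run it from the Cloud Shell PowerShell pane after Task 7 has created the storage account and file share.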
- Task 9: Create virtual machines.
- Open PowerShell in cloudshell pane (button next to portal search bar)
- Upload Template and Parameter file as we’ve done in previous exercises
- Verify Subscription
- (az account show --output table)
- Set account
- (az account set --subscription "Name from output above")
- Set resource group name variable
- ($RGName = "myResourceGroup")
- Deploy VM
- (New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile filename.json -TemplateParameterFile filename.parameters.json)
- Close cloud PowerShell
- Search Virtual Machines and verify new VMs created
- Task 10: Confirm access to storage account.
- Choose Private VM
- Select Connect > RDP from menu bar
- Click Download RDP File
- Click Open file link
- Click Connect on dialog
- Enter creds and click OK
- Search for PowerShell in RDP session
- ($acctKey = ConvertTo-SecureString -String "previouslycopiedkey" -AsPlainText -Force)
- ($credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\contosostorage755238", $acctKey)
- (New-PSDrive -Name Z -PSProvider FileSystem -Root "\\contosostorage755238.file.core.windows.net\marketing" -Credential $credential)
- Ping bing.com
- Should fail
- Close RDP Session and ContosoPrivate VM page in portal
- Choose ContosoPublic VM
- Click Connect > RDP from menu bar
- Click Download RDP File
- Click Open file link
- Click Connect on dialog
- Enter creds and click OK
- Open PowerShell in RDP session
- ($acctKey = ConvertTo-SecureString -String "previouslycopiedkey" -AsPlainText -Force)
- ($credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\contosostorage755238", $acctKey)
- (New-PSDrive -Name Z -PSProvider FileSystem -Root "\\contosostorage755238.file.core.windows.net\marketing" -Credential $credential)
- Output should show “Access is denied”
- Ping bing.com
- Should be successful
- Close RDP session
- Search Storage accounts in portal
- Choose the new contosostorage account created earlier
- Choose File share in left panel under Data Storage
- Choose marketing
- Access is denied because the PC you are browsing from is not in the Private subnet
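The Task 10 checks as one script to run in the RDP session on each VM, an added example that is not part of the MS Learn lab. It uses the storage account and share names from these notes and prompts for key1 at run time so the key is never saved in the file; the expected results are noted in the comments.

```powershell
# Added example, not from the MS Learn lab: the Task 10 checks as one script for the RDP session.
# Account and share names are the ones in the notes; key1 (copied in Task 8) is pasted at run time.
function Test-ShareAccess {
    param([string]$Account, [string]$Share, [string]$Key)
    $secure   = ConvertTo-SecureString -String $Key -AsPlainText -Force
    $cred     = New-Object System.Management.Automation.PSCredential ("Azure\$Account", $secure)
    $fileHost = "$Account.file.core.windows.net"
    # SMB needs TCP 445; on the Private VM this path is the Microsoft.Storage service endpoint
    $tcp = Test-NetConnection -ComputerName $fileHost -Port 445 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { return 'Denied: TCP 445 unreachable' }
    try {
        New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fileHost\$Share" `
            -Credential $cred -ErrorAction Stop | Out-Null
        Remove-PSDrive -Name Z
        return 'Allowed: share mounted'
    } catch {
        # the storage firewall rejects callers outside the Private subnet with "Access is denied"
        return "Denied: $($_.Exception.Message)"
    }
}

function Test-InternetAccess {
    # the lab pings bing.com; a TCP 443 probe shows the same Deny-Internet outbound rule effect
    $r = Test-NetConnection -ComputerName 'bing.com' -Port 443 -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { 'Allowed' } else { 'Denied' }
}

$Key = Read-Host -Prompt 'Paste key1 (it is not stored)'
# Expected: Private VM -> Share Allowed, Internet Denied; Public VM -> Share Denied, Internet Allowed
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Share    = Test-ShareAccess -Account 'contosostorage755238' -Share 'marketing' -Key $Key
    Internet = Test-InternetAccess
}
```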