From 0b1722d3ec47100b0f9f5bb33c8cce55ce1f1dd0 Mon Sep 17 00:00:00 2001 From: ITGuyLevi Date: Fri, 6 Oct 2023 04:38:39 -0700 Subject: [PATCH] Upload files to "AZ104/MicrosoftAureAdministrator/Instructions/Labs" --- ...ure_Resources_by_Using_Azure_PowerShell.md | 131 ++++ ...nage_Azure_Resources_by_Using_Azure_CLI.md | 133 ++++ .../LAB_04-Implement_Virtual_Networking.md | 388 +++++++++++ ...LAB_05-Implement_Intersite_Connectivity.md | 276 ++++++++ ...06-Implement_Network_Traffic_Management.md | 612 ++++++++++++++++++ 5 files changed, 1540 insertions(+) create mode 100644 AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_03c-Manage_Azure_Resources_by_Using_Azure_PowerShell.md create mode 100644 AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_03d-Manage_Azure_Resources_by_Using_Azure_CLI.md create mode 100644 AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_04-Implement_Virtual_Networking.md create mode 100644 AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_05-Implement_Intersite_Connectivity.md create mode 100644 AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_06-Implement_Network_Traffic_Management.md diff --git a/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_03c-Manage_Azure_Resources_by_Using_Azure_PowerShell.md b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_03c-Manage_Azure_Resources_by_Using_Azure_PowerShell.md new file mode 100644 index 0000000..70ac4bb --- /dev/null +++ b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_03c-Manage_Azure_Resources_by_Using_Azure_PowerShell.md 
@@ -0,0 +1,131 @@ +--- +lab: + title: '03c - Manage Azure resources by Using Azure PowerShell' + module: 'Module 03 - Azure Administration' +--- + +# Lab 03c - Manage Azure resources by Using Azure PowerShell +# Student lab manual + +## Lab scenario + +Now that you explored the basic Azure administration capabilities associated with provisioning resources and organizing them based on resource groups by using the Azure portal and Azure Resource Manager templates, you need to carry out the equivalent task by using Azure PowerShell. To avoid installing Azure PowerShell modules, you will leverage PowerShell environment available in Azure Cloud Shell. + +## Objectives + +In this lab, you will: + ++ Task 1: Start a PowerShell session in Azure Cloud Shell ++ Task 2: Create a resource group and an Azure managed disk by using Azure PowerShell ++ Task 3: Configure the managed disk by using Azure PowerShell + +## Estimated timing: 20 minutes + +## Architecture diagram + +![image](../media/lab03c.png) + +## Instructions + +### Exercise 1 + +#### Task 1: Start a PowerShell session in Azure Cloud Shell + +In this task, you will open a PowerShell session in Cloud Shell. + +1. In the portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal. + +1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**. + + >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**. + +1. If prompted, click **Create storage**, and wait until the Azure Cloud Shell pane is displayed. + +1. Ensure **PowerShell** appears in the drop-down menu in the upper-left corner of the Cloud Shell pane. 
+ +#### Task 2: Create a resource group and an Azure managed disk by using Azure PowerShell + +In this task, you will create a resource group and an Azure managed disk by using Azure PowerShell session within Cloud Shell + +1. To create a resource group in the same Azure region as the **az104-03b-rg1** resource group you created in the previous lab, from the PowerShell session within Cloud Shell, run the following: + + ```powershell + $location = (Get-AzResourceGroup -Name az104-03b-rg1).Location + + $rgName = 'az104-03c-rg1' + + New-AzResourceGroup -Name $rgName -Location $location + ``` +1. To retrieve properties of the newly created resource group, run the following: + + ```powershell + Get-AzResourceGroup -Name $rgName + ``` +1. To create a new managed disk with the same characteristics as those you created in the previous labs of this module, run the following: + + ```powershell + $diskConfig = New-AzDiskConfig ` + -Location $location ` + -CreateOption Empty ` + -DiskSizeGB 32 ` + -Sku Standard_LRS + + $diskName = 'az104-03c-disk1' + + New-AzDisk ` + -ResourceGroupName $rgName ` + -DiskName $diskName ` + -Disk $diskConfig + ``` + +1. To retrieve properties of the newly created disk, run the following: + + ```powershell + Get-AzDisk -ResourceGroupName $rgName -Name $diskName + ``` + +#### Task 3: Configure the managed disk by using Azure PowerShell + +In this task, you will managing configuration of the Azure managed disk by using Azure PowerShell session within Cloud Shell. + +1. To increase the size of the Azure managed disk to **64 GB**, from the PowerShell session within Cloud Shell, run the following: + + ```powershell + New-AzDiskUpdateConfig -DiskSizeGB 64 | Update-AzDisk -ResourceGroupName $rgName -DiskName $diskName + ``` + +1. To verify that the change took effect, run the following: + + ```powershell + Get-AzDisk -ResourceGroupName $rgName -Name $diskName + ``` + +1. 
To verify the current SKU as **Standard_LRS**, run the following: + + ```powershell + (Get-AzDisk -ResourceGroupName $rgName -Name $diskName).Sku + ``` + +1. To change the disk performance SKU to **Premium_LRS**, from the PowerShell session within Cloud Shell, run the following: + + ```powershell + New-AzDiskUpdateConfig -Sku Premium_LRS | Update-AzDisk -ResourceGroupName $rgName -DiskName $diskName + ``` + +1. To verify that the change took effect, run the following: + + ```powershell + (Get-AzDisk -ResourceGroupName $rgName -Name $diskName).Sku + ``` + +#### Clean up resources + + >**Note**: Do not delete resources you deployed in this lab. You will reference them in the next lab of this module. + +#### Review + +In this lab, you have: + +- Started a PowerShell session in Azure Cloud Shell +- Created a resource group and an Azure managed disk by using Azure PowerShell +- Configured the managed disk by using Azure PowerShell diff --git a/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_03d-Manage_Azure_Resources_by_Using_Azure_CLI.md b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_03d-Manage_Azure_Resources_by_Using_Azure_CLI.md new file mode 100644 index 0000000..80739af --- /dev/null +++ b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_03d-Manage_Azure_Resources_by_Using_Azure_CLI.md 
@@ -0,0 +1,133 @@ +--- +lab: + title: '03d - Manage Azure resources by Using Azure CLI' + module: 'Module 03 - Azure Administration' +--- + +# Lab 03d - Manage Azure resources by Using Azure CLI +# Student lab manual + +## Lab scenario + +Now that you explored the basic Azure administration capabilities associated with provisioning resources and organizing them based on resource groups by using the Azure portal, Azure Resource Manager templates, and Azure PowerShell, you need to carry out the equivalent task by using Azure CLI. To avoid installing Azure CLI, you will leverage Bash environment available in Azure Cloud Shell. + +## Objectives + +In this lab, you will: + ++ Task 1: Start a Bash session in Azure Cloud Shell ++ Task 2: Create a resource group and an Azure managed disk by using Azure CLI ++ Task 3: Configure the managed disk by using Azure CLI + +## Estimated timing: 20 minutes + +## Instructions + +### Exercise 1 + +#### Task 1: Start a Bash session in Azure Cloud Shell + +In this task, you will open a Bash session in Cloud Shell. + +1. From the portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal. + +1. If prompted to select either **Bash** or **PowerShell**, select **Bash**. + + >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**. + +1. If prompted, click **Create storage**, and wait until the Azure Cloud Shell pane is displayed. + +1. Ensure **Bash** appears in the drop-down menu in the upper-left corner of the Cloud Shell pane. + +#### Task 2: Create a resource group and an Azure managed disk by using Azure CLI + +In this task, you will create a resource group and an Azure managed disk by using Azure CLI session within Cloud Shell. + +1. 
To create a resource group in the same Azure region as the **az104-03c-rg1** resource group you created in the previous lab, from the Bash session within Cloud Shell, run the following: + + ```sh + LOCATION=$(az group show --name 'az104-03c-rg1' --query location --out tsv) + + RGNAME='az104-03d-rg1' + + az group create --name $RGNAME --location $LOCATION + ``` +1. To retrieve properties of the newly created resource group, run the following: + + ```sh + az group show --name $RGNAME + ``` +1. To create a new managed disk with the same characteristics as those you created in the previous labs of this module, from the Bash session within Cloud Shell, run the following: + + ```sh + DISKNAME='az104-03d-disk1' + + az disk create \ + --resource-group $RGNAME \ + --name $DISKNAME \ + --sku 'Standard_LRS' \ + --size-gb 32 + ``` + >**Note**: When using multi-line syntax, ensure that each line ends with back-slash (`\`) with no trailing spaces and that there are no leading spaces at the beginning of each line. + +1. To retrieve properties of the newly created disk, run the following: + + ```sh + az disk show --resource-group $RGNAME --name $DISKNAME + ``` + +#### Task 3: Configure the managed disk by using Azure CLI + +In this task, you will managing configuration of the Azure managed disk by using Azure CLI session within Cloud Shell. + +1. To increase the size of the Azure managed disk to **64 GB**, from the Bash session within Cloud Shell, run the following: + + ```sh + az disk update --resource-group $RGNAME --name $DISKNAME --size-gb 64 + ``` + +1. To verify that the change took effect, run the following: + + ```sh + az disk show --resource-group $RGNAME --name $DISKNAME --query diskSizeGb + ``` + +1. To change the disk performance SKU to **Premium_LRS**, from the Bash session within Cloud Shell, run the following: + + ```sh + az disk update --resource-group $RGNAME --name $DISKNAME --sku 'Premium_LRS' + ``` + +1. 
To verify that the change took effect, run the following: + + ```sh + az disk show --resource-group $RGNAME --name $DISKNAME --query sku + ``` + +#### Clean up resources + + >**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges. + +1. In the Azure portal, open the **Bash** shell session within the **Cloud Shell** pane. + +1. List all resource groups created throughout the labs of this module by running the following command: + + ```sh + az group list --query "[?starts_with(name,'az104-03')].name" --output tsv + ``` + +1. Delete all resource groups you created throughout the labs of this module by running the following command: + + ```sh + az group list --query "[?starts_with(name,'az104-03')].[name]" --output tsv | xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes' + ``` + + >**Note**: The command executes asynchronously (as determined by the --nowait parameter), so while you will be able to run another Azure CLI command immediately afterwards within the same Bash session, it will take a few minutes before the resource groups are actually removed. + +#### Review + +In this lab, you have: + +- Started a Bash session in Azure Cloud Shell +- Created a resource group and an Azure managed disk by using Azure CLI +- Configured the managed disk by using Azure CLI diff --git a/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_04-Implement_Virtual_Networking.md b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_04-Implement_Virtual_Networking.md new file mode 100644 index 0000000..f87ae2a --- /dev/null +++ b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_04-Implement_Virtual_Networking.md 
@@ -0,0 +1,388 @@ +--- +lab: + title: '04 - Implement Virtual Networking' + module: 'Module 04 - Virtual Networking' +--- + +# Lab 04 - Implement Virtual Networking + +# Student lab manual + +## Lab scenario + +You need to explore Azure virtual networking capabilities. To start, you plan to create a virtual network in Azure that will host a couple of Azure virtual machines. Since you intend to implement network-based segmentation, you will deploy them into different subnets of the virtual network. You also want to make sure that their private and public IP addresses will not change over time. To comply with Contoso security requirements, you need to protect public endpoints of Azure virtual machines accessible from Internet. Finally, you need to implement DNS name resolution for Azure virtual machines both within the virtual network and from Internet. + +## Objectives + +In this lab, you will: + ++ Task 1: Create and configure a virtual network ++ Task 2: Deploy virtual machines into the virtual network ++ Task 3: Configure private and public IP addresses of Azure VMs ++ Task 4: Configure network security groups ++ Task 5: Configure Azure DNS for internal name resolution ++ Task 6: Configure Azure DNS for external name resolution + +## Estimated timing: 40 minutes + +## Architecture diagram + +![image](../media/lab04.png) + +## Instructions + +### Exercise 1 + +#### Task 1: Create and configure a virtual network + +In this task, you will create a virtual network with multiple subnets by using the Azure portal + +1. Sign in to the [Azure portal](https://portal.azure.com). + +1. In the Azure portal, search for and select **Virtual networks**, and, on the **Virtual networks** blade, click **+ Create**. + +1. 
Create a virtual network with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you will be using in this lab | + | Resource Group | the name of a **new** resource group **az104-04-rg1** | + | Name | **az104-04-vnet1** | + | Region | the name of any Azure region available in the subscription you will use in this lab | + +1. Click **Next : IP Addresses** and enter the following values + + | Setting | Value | + | --- | --- | + | IPv4 address space | **10.40.0.0/20** | + +1. Click **+ Add subnet** enter the following values then click **Add** + + | Setting | Value | + | --- | --- | + | Subnet name | **subnet0** | + | Subnet address range | **10.40.0.0/24** | + +1. Accept the defaults and click **Review and Create**. Let validation occur, and hit **Create** again to submit your deployment. + + >**Note:** Wait for the virtual network to be provisioned. This should take less than a minute. + +1. Click on **Go to resource** + +1. On the **az104-04-vnet1** virtual network blade, click **Subnets** and then click **+ Subnet**. + +1. Create a subnet with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Name | **subnet1** | + | Address range (CIDR block) | **10.40.1.0/24** | + | Network security group | **None** | + | Route table | **None** | + +1. Click **Save** + +#### Task 2: Deploy virtual machines into the virtual network + +In this task, you will deploy Azure virtual machines into different subnets of the virtual network by using an ARM template + +1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal. + +1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**. 
+ + >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**. + +1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the files **\\Allfiles\\Labs\\04\\az104-04-vms-loop-template.json** and **\\Allfiles\\Labs\\04\\az104-04-vms-loop-parameters.json** into the Cloud Shell home directory. + + >**Note**: You might need to upload each file separately. + +1. From the Cloud Shell pane, run the following to deploy two virtual machines by using the template and parameter files you uploaded: + + ```powershell + $rgName = 'az104-04-rg1' + + New-AzResourceGroupDeployment ` + -ResourceGroupName $rgName ` + -TemplateFile $HOME/az104-04-vms-loop-template.json ` + -TemplateParameterFile $HOME/az104-04-vms-loop-parameters.json + ``` + + >**Note**: This method of deploying ARM templates uses Azure PowerShell. You can perform the same task by running the equivalent Azure CLI command **az deployment create** (for more information, refer to [Deploy resources with Resource Manager templates and Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-cli). + + >**Note**: Wait for the deployment to complete before proceeding to the next task. This should take about 2 minutes. + +1. Close the Cloud Shell pane. + +#### Task 3: Configure private and public IP addresses of Azure VMs + +In this task, you will configure static assignment of public and private IP addresses assigned to network interfaces of Azure virtual machines. + + >**Note**: Private and public IP addresses are actually assigned to the network interfaces, which, in turn are attached to Azure virtual machines, however, it is fairly common to refer to IP addresses assigned to Azure VMs instead. + +1. 
In the Azure portal, search for and select **Resource groups**, and, on the **Resource groups** blade, click **az104-04-rg1**. + +1. On the **az104-04-rg1** resource group blade, in the list of its resources, click **az104-04-vnet1**. + +1. On the **az104-04-vnet1** virtual network blade, review the **Connected devices** section and verify that there are two network interfaces **az104-04-nic0** and **az104-04-nic1** attached to the virtual network. + +1. Click **az104-04-nic0** and, on the **az104-04-nic0** blade, click **IP configurations**. + + >**Note**: Verify that **ipconfig1** is currently set up with a dynamic private IP address. + +1. In the list IP configurations, click **ipconfig1**. + +1. On the **ipconfig1** blade, in the **Public IP address settings** section, select **Associate**, click **+ Create new**, specify the following settings, and click **OK**: + + | Setting | Value | + | --- | --- | + | Name | **az104-04-pip0** | + | SKU | **Standard** | + +1. On the **ipconfig1** blade, set **Assignment** to **Static**, leave the default value of **IP address** set to **10.40.0.4**. + +1. Back on the **ipconfig1** blade, save the changes. Make sure to wait for the save operation to complete before you proceed to the next step. + +1. Navigate back to the **az104-04-vnet1** blade + +1. Click **az104-04-nic1** and, on the **az104-04-nic1** blade, click **IP configurations**. + + >**Note**: Verify that **ipconfig1** is currently set up with a dynamic private IP address. + +1. In the list IP configurations, click **ipconfig1**. + +1. On the **ipconfig1** blade, in the **Public IP address settings** section, select **Associate**, click **+ Create new**, specify the following settings, and click **OK**: + + | Setting | Value | + | --- | --- | + | Name | **az104-04-pip1** | + | SKU | **Standard** | + +1. On the **ipconfig1** blade, set **Assignment** to **Static**, leave the default value of **IP address** set to **10.40.1.4**. + +1. 
Back on the **ipconfig1** blade, save the changes. + +1. Navigate back to the **az104-04-rg1** resource group blade, in the list of its resources, click **az104-04-vm0**, and from the **az104-04-vm0** virtual machine blade, note the public IP address entry. + +1. Navigate back to the **az104-04-rg1** resource group blade, in the list of its resources, click **az104-04-vm1**, and from the **az104-04-vm1** virtual machine blade, note the public IP address entry. + + >**Note**: You will need both IP addresses in the last task of this lab. + +#### Task 4: Configure network security groups + +In this task, you will configure network security groups in order to allow for restricted connectivity to Azure virtual machines. + +1. In the Azure portal, navigate back to the **az104-04-rg1** resource group blade, and in the list of its resources, click **az104-04-vm0**. + +1. On the **az104-04-vm0** overview blade, click **Connect**, click **RDP** in the drop-down menu, on the **Connect with RDP** blade, click **Download RDP File** using the Public IP address and follow the prompts to start the Remote Desktop session. + +1. Note that the connection attempt fails. + + >**Note**: This is expected, because public IP addresses of the Standard SKU, by default, require that the network interfaces to which they are assigned are protected by a network security group. In order to allow Remote Desktop connections, you will create a network security group explicitly allowing inbound RDP traffic from Internet and assign it to network interfaces of both virtual machines. + +1. In the Azure portal, search for and select **Network security groups**, and, on the **Network security groups** blade, click **+ Create**. + +1. 
Create a network security group with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource Group | **az104-04-rg1** | + | Name | **az104-04-nsg01** | + | Region | the name of the Azure region where you deployed all other resources in this lab | + +1. Click **Review and Create**. Let validation occur, and hit **Create** to submit your deployment. + + >**Note**: Wait for the deployment to complete. This should take about 2 minutes. + +1. On the deployment blade, click **Go to resource** to open the **az104-04-nsg01** network security group blade. + +1. On the **az104-04-nsg01** network security group blade, in the **Settings** section, click **Inbound security rules**. + +1. Add an inbound rule with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Source | **Any** | + | Source port ranges | * | + | Destination | **Any** | + | Service | **RDP** | + | Action | **Allow** | + | Priority | **300** | + | Name | **AllowRDPInBound** | + +1. On the **az104-04-nsg01** network security group blade, in the **Settings** section, click **Network interfaces** and then click **+ Associate**. + +1. Associate the **az104-04-nsg01** network security group with the **az104-04-nic0** and **az104-04-nic1** network interfaces. + + >**Note**: It may take up to 5 minutes for the rules from the newly created Network Security Group to be applied to the Network Interface Card. + +1. Navigate back to the **az104-04-vm0** virtual machine blade. + + >**Note**: In the subsequent steps, you will verify that you can successfully connect to the target virtual machine and sign in by using the **Student** username and **Pa55w.rd1234** password. + +1. 
On the **az104-04-vm0** blade, click **Connect**, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** using the Public IP address and follow the prompts to start the Remote Desktop session. + + >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software. + + >**Note**: You can ignore any warning prompts when connecting to the target virtual machines. + +1. When prompted, sign in by using the **Student** username and **Pa55w.rd1234** password. + + >**Note**: Leave the Remote Desktop session open. You will need it in the next task. + +#### Task 5: Configure Azure DNS for internal name resolution + +In this task, you will configure DNS name resolution within a virtual network by using Azure private DNS zones. + +1. In the Azure portal, search for and select **Private DNS zones** and, on the **Private DNS zones** blade, click **+ Create**. + +1. Create a private DNS zone with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource Group | **az104-04-rg1** | + | Name | **contoso.org** | + +1. Click Review and Create. Let validation occur, and hit Create again to submit your deployment. + + >**Note**: Wait for the private DNS zone to be created. This should take about 2 minutes. + +1. Click **Go to resource** to open the **contoso.org** DNS private zone blade. + +1. On the **contoso.org** private DNS zone blade, in the **Settings** section, click **Virtual network links** + +1. 
Click **+ Add** to create a virtual network link with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Link name | **az104-04-vnet1-link** | + | Subscription | the name of the Azure subscription you are using in this lab | + | Virtual network | **az104-04-vnet1** | + | Enable auto registration | enabled | + +1. Click **OK**. + + >**Note:** Wait for the virtual network link to be created. This should take less than 1 minute. + +1. On the **contoso.org** private DNS zone blade, in the sidebar, click **Overview** + +1. Verify that the DNS records for **az104-04-vm0** and **az104-04-vm1** appear in the list of record sets as **Auto registered**. + + >**Note:** You might need to wait a few minutes and refresh the page if the record sets are not listed. + +1. Switch to the Remote Desktop session to **az104-04-vm0**, right-click the **Start** button and, in the right-click menu, click **Windows PowerShell (Admin)**. + +1. In the Windows PowerShell console window, run the following to test internal name resolution in the newly created private DNS zone: + + ```powershell + nslookup az104-04-vm0.contoso.org + nslookup az104-04-vm1.contoso.org + ``` + +1. Verify that the output of the command includes the private IP address of **az104-04-vm1** (**10.40.1.4**). + +#### Task 6: Configure Azure DNS for external name resolution + +In this task, you will configure external DNS name resolution by using Azure public DNS zones. + +1. In the web browser on the **SEA-DEV** lab system, open a new tab and navigate to . + +1. Use the domain name search to identify a domain name which is not in use. + +1. In the Azure portal, search for and select **DNS zones** and, on the **DNS zones** blade, click **+ Add**. + +1. 
Create a DNS zone with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource Group | **az104-04-rg1** | + | Name | the DNS domain name you identified earlier in this task | + +1. Click Review and Create. Let validation occur, and hit Create again to submit your deployment. + + >**Note**: Wait for the DNS zone to be created. This should take about 2 minutes. + +1. Click **Go to resource** to open the blade of the newly created DNS zone. + +1. On the DNS zone blade, click **+ Record set**. + +1. Add a record set with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Name | **az104-04-vm0** | + | Type | **A** | + | Alias record set | **No** | + | TTL | **1** | + | TTL unit | **Hours** | + | IP address | the public IP address of **az104-04-vm0** which you identified in the third exercise of this lab | + +1. Click **OK** + +1. On the DNS zone blade, click **+ Record set**. + +1. Add a record set with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Name | **az104-04-vm1** | + | Type | **A** | + | Alias record set | **No** | + | TTL | **1** | + | TTL unit | **Hours** | + | IP address | the public IP address of **az104-04-vm1** which you identified in the third exercise of this lab | + +1. Click **OK** + +1. On the DNS zone blade, note the name of the **Name server 1** entry. + +1. In the Azure portal, open the **PowerShell** session in **Cloud Shell** by clicking on the icon in the top right of the Azure Portal. + +1. 
From the Cloud Shell pane, run the following to test external name resolution of the **az104-04-vm0** DNS record set in the the newly created DNS zone (replace the placeholder `[Name server 1]` with the name of **Name server 1** you noted earlier in this task and the `[domain name]` placeholder with the name of the DNS domain you created earlier in this task): + + ```powershell + nslookup az104-04-vm0.[domain name] [Name server 1] + ``` + +1. Verify that the output of the command includes the public IP address of **az104-04-vm0**. + +1. From the Cloud Shell pane, run the following to test external name resolution of the **az104-04-vm1** DNS record set in the the newly created DNS zone (replace the placeholder `[Name server 1]` with the name of **Name server 1** you noted earlier in this task and the `[domain name]` placeholder with the name of the DNS domain you created earlier in this task): + + ```powershell + nslookup az104-04-vm1.[domain name] [Name server 1] + ``` + +1. Verify that the output of the command includes the public IP address of **az104-04-vm1**. + +#### Clean up resources + + >**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges. + +1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane. + +1. List all resource groups created throughout the labs of this module by running the following command: + + ```powershell + Get-AzResourceGroup -Name 'az104-04*' + ``` + +1. 
Delete all resource groups you created throughout the labs of this module by running the following command: + + ```powershell + Get-AzResourceGroup -Name 'az104-04*' | Remove-AzResourceGroup -Force -AsJob + ``` + + >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed. + +#### Review + +In this lab, you have: + ++ Created and configured a virtual network ++ Deployed virtual machines into the virtual network ++ Configured private and public IP addresses of Azure VMs ++ Configured network security groups ++ Configured Azure DNS for internal name resolution ++ Configured Azure DNS for external name resolution diff --git a/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_05-Implement_Intersite_Connectivity.md b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_05-Implement_Intersite_Connectivity.md new file mode 100644 index 0000000..a686096 --- /dev/null +++ b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_05-Implement_Intersite_Connectivity.md 
@@ -0,0 +1,276 @@ +--- +lab: + title: '05 - Implement Intersite Connectivity' + module: 'Module 05 - Intersite Connectivity' +--- + +# Lab 05 - Implement Intersite Connectivity +# Student lab manual + +## Lab scenario + +Contoso has its datacenters in Boston, New York, and Seattle offices connected via a mesh wide-area network links, with full connectivity between them. You need to implement a lab environment that will reflect the topology of the Contoso's on-premises networks and verify its functionality. + +## Objectives + +In this lab, you will: + ++ Task 1: Provision the lab environment ++ Task 2: Configure local and global virtual network peering ++ Task 3: Test intersite connectivity + +## Estimated timing: 30 minutes + +## Architecture diagram + +![image](../media/lab05.png) + +### Instructions + +#### Task 1: Provision the lab environment + +In this task, you will deploy three virtual machines, each into a separate virtual network, with two of them in the same Azure region and the third one in another Azure region. + +1. Sign in to the [Azure portal](https://portal.azure.com). + +1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal. + +1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**. + + >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**. + +1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the files **\\Allfiles\\Labs\\05\\az104-05-vnetvm-loop-template.json** and **\\Allfiles\\Labs\\05\\az104-05-vnetvm-loop-parameters.json** into the Cloud Shell home directory. + +1. From the Cloud Shell pane, run the following to create the resource group that will be hosting the lab environment. 
The first two virtual networks and a pair of virtual machines will be deployed in `[Azure_region_1]`. The third virtual network and the third virtual machine will be deployed in the same resource group but another `[Azure_region_2]`. (replace the `[Azure_region_1]` and `[Azure_region_2]` placeholder with the names of two different Azure regions where you intend to deploy these Azure virtual machines): + + ```powershell + $location1 = '[Azure_region_1]' + + $location2 = '[Azure_region_2]' + + $rgName = 'az104-05-rg1' + + New-AzResourceGroup -Name $rgName -Location $location1 + ``` + + >**Note**: In order to identify Azure regions, from a PowerShell session in Cloud Shell, run **(Get-AzLocation).Location** + +1. From the Cloud Shell pane, run the following to create the three virtual networks and deploy virtual machines into them by using the template and parameter files you uploaded: + + ```powershell + New-AzResourceGroupDeployment ` + -ResourceGroupName $rgName ` + -TemplateFile $HOME/az104-05-vnetvm-loop-template.json ` + -TemplateParameterFile $HOME/az104-05-vnetvm-loop-parameters.json ` + -location1 $location1 ` + -location2 $location2 + ``` + + >**Note**: Wait for the deployment to complete before proceeding to the next step. This should take about 2 minutes. + +1. Close the Cloud Shell pane. + +#### Task 2: Configure local and global virtual network peering + +In this task, you will configure local and global peering between the virtual networks you deployed in the previous tasks. + +1. In the Azure portal, search for and select **Virtual networks**. + +1. Review the virtual networks you created in the previous task and verify that the first two are located in the same Azure region and the third one in a different Azure region. + + >**Note**: The template you used for deployment of the three virtual networks ensures that the IP address ranges of the three virtual networks do not overlap. + +1. In the list of virtual networks, click **az104-05-vnet0**. + +1. 
On the **az104-05-vnet0** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**. + +1. Add a peering with the following settings (leave others with their default values) and click **Add**: + + | Setting | Value| + | --- | --- | + | This virtual network: Peering link name | **az104-05-vnet0_to_az104-05-vnet1** | + | This virtual network: Traffic to remote virtual network | **Allow (default)** | + | This virtual network: Traffic forwarded from remote virtual network | **Block traffic that originates from outside this virtual network** | + | Virtual network gateway | **None** | + | Remote virtual network: Peering link name | **az104-05-vnet1_to_az104-05-vnet0** | + | Virtual network deployment model | **Resource manager** | + | I know my resource ID | unselected | + | Subscription | the name of the Azure subscription you are using in this lab | + | Virtual network | **az104-05-vnet1** | + | Traffic to remote virtual network | **Allow (default)** | + | Traffic forwarded from remote virtual network | **Block traffic that originates from outside this virtual network** | + | Virtual network gateway | **None** | + + >**Note**: This step establishes two local peerings - one from az104-05-vnet0 to az104-05-vnet1 and the other from az104-05-vnet1 to az104-05-vnet0. 
+ + >**Note**: In case you run into an issue with the Azure portal interface not displaying the virtual networks created in the previous task, you can configure peering by running the following PowerShell commands from Cloud Shell: + + ```powershell + $rgName = 'az104-05-rg1' + + $vnet0 = Get-AzVirtualNetwork -Name 'az104-05-vnet0' -ResourceGroupName $rgname + + $vnet1 = Get-AzVirtualNetwork -Name 'az104-05-vnet1' -ResourceGroupName $rgname + + Add-AzVirtualNetworkPeering -Name 'az104-05-vnet0_to_az104-05-vnet1' -VirtualNetwork $vnet0 -RemoteVirtualNetworkId $vnet1.Id + + Add-AzVirtualNetworkPeering -Name 'az104-05-vnet1_to_az104-05-vnet0' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet0.Id + ``` + +1. On the **az104-05-vnet0** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**. + +1. Add a peering with the following settings (leave others with their default values) and click **Add**: + + | Setting | Value| + | --- | --- | + | This virtual network: Peering link name | **az104-05-vnet0_to_az104-05-vnet2** | + | This virtual network: Traffic to remote virtual network | **Allow (default)** | + | This virtual network: Traffic forwarded from remote virtual network | **Block traffic that originates from outside this virtual network** | + | Virtual network gateway | **None** | + | Remote virtual network: Peering link name | **az104-05-vnet2_to_az104-05-vnet0** | + | Virtual network deployment model | **Resource manager** | + | I know my resource ID | unselected | + | Subscription | the name of the Azure subscription you are using in this lab | + | Virtual network | **az104-05-vnet2** | + | Traffic to remote virtual network | **Allow (default)** | + | Traffic forwarded from remote virtual network | **Block traffic that originates from outside this virtual network** | + | Virtual network gateway | **None** | + + >**Note**: This step establishes two global peerings - one from az104-05-vnet0 to az104-05-vnet2 and the other 
from az104-05-vnet2 to az104-05-vnet0. + + >**Note**: In case you run into an issue with the Azure portal interface not displaying the virtual networks created in the previous task, you can configure peering by running the following PowerShell commands from Cloud Shell: + + ```powershell + $rgName = 'az104-05-rg1' + + $vnet0 = Get-AzVirtualNetwork -Name 'az104-05-vnet0' -ResourceGroupName $rgname + + $vnet2 = Get-AzVirtualNetwork -Name 'az104-05-vnet2' -ResourceGroupName $rgname + + Add-AzVirtualNetworkPeering -Name 'az104-05-vnet0_to_az104-05-vnet2' -VirtualNetwork $vnet0 -RemoteVirtualNetworkId $vnet2.Id + + Add-AzVirtualNetworkPeering -Name 'az104-05-vnet2_to_az104-05-vnet0' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet0.Id + ``` + +1. Navigate back to the **Virtual networks** blade and, in the list of virtual networks, click **az104-05-vnet1**. + +1. On the **az104-05-vnet1** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**. + +1. 
Add a peering with the following settings (leave others with their default values) and click **Add**: + + | Setting | Value| + | --- | --- | + | This virtual network: Peering link name | **az104-05-vnet1_to_az104-05-vnet2** | + | This virtual network: Traffic to remote virtual network | **Allow (default)** | + | This virtual network: Traffic forwarded from remote virtual network | **Block traffic that originates from outside this virtual network** | + | Virtual network gateway | **None** | + | Remote virtual network: Peering link name | **az104-05-vnet2_to_az104-05-vnet1** | + | Virtual network deployment model | **Resource manager** | + | I know my resource ID | unselected | + | Subscription | the name of the Azure subscription you are using in this lab | + | Virtual network | **az104-05-vnet2** | + | Traffic to remote virtual network | **Allow (default)** | + | Traffic forwarded from remote virtual network | **Block traffic that originates from outside this virtual network** | + | Virtual network gateway | **None** | + + >**Note**: This step establishes two global peerings - one from az104-05-vnet1 to az104-05-vnet2 and the other from az104-05-vnet2 to az104-05-vnet1. 
+ + >**Note**: In case you run into an issue with the Azure portal interface not displaying the virtual networks created in the previous task, you can configure peering by running the following PowerShell commands from Cloud Shell: + + ```powershell + $rgName = 'az104-05-rg1' + + $vnet1 = Get-AzVirtualNetwork -Name 'az104-05-vnet1' -ResourceGroupName $rgname + + $vnet2 = Get-AzVirtualNetwork -Name 'az104-05-vnet2' -ResourceGroupName $rgname + + Add-AzVirtualNetworkPeering -Name 'az104-05-vnet1_to_az104-05-vnet2' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id + + Add-AzVirtualNetworkPeering -Name 'az104-05-vnet2_to_az104-05-vnet1' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id + ``` + +#### Task 3: Test intersite connectivity + +In this task, you will test connectivity between virtual machines on the three virtual networks that you connected via local and global peering in the previous task. + +1. In the Azure portal, search for and select **Virtual machines**. + +1. In the list of virtual machines, click **az104-05-vm0**. + +1. On the **az104-05-vm0** blade, click **Connect**, in the drop-down menu, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** and follow the prompts to start the Remote Desktop session. + + >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software. + + >**Note**: You can ignore any warning prompts when connecting to the target virtual machines. + +1. When prompted, sign in by using the **Student** username and **Pa55w.rd1234** password. + +1. Within the Remote Desktop session to **az104-05-vm0**, right-click the **Start** button and, in the right-click menu, click **Windows PowerShell (Admin)**. + +1. 
In the Windows PowerShell console window, run the following to test connectivity to **az104-05-vm1** (which has the private IP address of **10.51.0.4**) over TCP port 3389: + + ```powershell + Test-NetConnection -ComputerName 10.51.0.4 -Port 3389 -InformationLevel 'Detailed' + ``` + + >**Note**: The test uses TCP 3389 since this is this port is allowed by default by operating system firewall. + +1. Examine the output of the command and verify that the connection was successful. + +1. In the Windows PowerShell console window, run the following to test connectivity to **az104-05-vm2** (which has the private IP address of **10.52.0.4**): + + ```powershell + Test-NetConnection -ComputerName 10.52.0.4 -Port 3389 -InformationLevel 'Detailed' + ``` + +1. Switch back to the Azure portal on your lab computer and navigate back to the **Virtual machines** blade. + +1. In the list of virtual machines, click **az104-05-vm1**. + +1. On the **az104-05-vm1** blade, click **Connect**, in the drop-down menu, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** and follow the prompts to start the Remote Desktop session. + + >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software. + + >**Note**: You can ignore any warning prompts when connecting to the target virtual machines. + +1. When prompted, sign in by using the **Student** username and **Pa55w.rd1234** password. + +1. Within the Remote Desktop session to **az104-05-vm1**, right-click the **Start** button and, in the right-click menu, click **Windows PowerShell (Admin)**. + +1. 
In the Windows PowerShell console window, run the following to test connectivity to **az104-05-vm2** (which has the private IP address of **10.52.0.4**) over TCP port 3389: + + ```powershell + Test-NetConnection -ComputerName 10.52.0.4 -Port 3389 -InformationLevel 'Detailed' + ``` + + >**Note**: The test uses TCP 3389 since this is this port is allowed by default by operating system firewall. + +1. Examine the output of the command and verify that the connection was successful. + +#### Clean up resources + + >**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges. + +1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane. + +1. List all resource groups created throughout the labs of this module by running the following command: + + ```powershell + Get-AzResourceGroup -Name 'az104-05*' + ``` + +1. Delete all resource groups you created throughout the labs of this module by running the following command: + + ```powershell + Get-AzResourceGroup -Name 'az104-05*' | Remove-AzResourceGroup -Force -AsJob + ``` + + >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed. + +#### Review + +In this lab, you have: + ++ Provisioned the lab environment ++ Configured local and global virtual network peering ++ Tested intersite connectivity diff --git a/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_06-Implement_Network_Traffic_Management.md b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_06-Implement_Network_Traffic_Management.md new file mode 100644 index 0000000..1936f39 --- /dev/null +++ b/AZ104/MicrosoftAureAdministrator/Instructions/Labs/LAB_06-Implement_Network_Traffic_Management.md 
@@ -0,0 +1,612 @@ +--- +lab: + title: '06 - Implement Traffic Management' + module: 'Module 06 - Network Traffic Management' +--- + +# Lab 06 - Implement Traffic Management +# Student lab manual + +## Lab scenario + +You were tasked with testing managing network traffic targeting Azure virtual machines in the hub and spoke network topology, which Contoso considers implementing in its Azure environment (instead of creating the mesh topology, which you tested in the previous lab). This testing needs to include implementing connectivity between spokes by relying on user defined routes that force traffic to flow via the hub, as well as traffic distribution across virtual machines by using layer 4 and layer 7 load balancers. For this purpose, you intend to use Azure Load Balancer (layer 4) and Azure Application Gateway (layer 7). + +>**Note**: This lab, by default, requires total of 8 vCPUs available in the Standard_Dsv3 series in the region you choose for deployment, since it involves deployment of four Azure VMs of Standard_D2s_v3 SKU. If your students are using trial accounts, with the limit of 4 vCPUs, you can use a VM size that requires only one vCPU (such as Standard_B1s). + +## Objectives + +In this lab, you will: + ++ Task 1: Provision the lab environment ++ Task 2: Configure the hub and spoke network topology ++ Task 3: Test transitivity of virtual network peering ++ Task 4: Configure routing in the hub and spoke topology ++ Task 5: Implement Azure Load Balancer ++ Task 6: Implement Azure Application Gateway + +## Estimated timing: 60 minutes + +## Architecture diagram + +![image](../media/lab06.png) + + +## Instructions + +### Exercise 1 + +#### Task 1: Provision the lab environment + +In this task, you will deploy four virtual machines into the same Azure region. The first two will reside in a hub virtual network, while each of the remaining two will reside in a separate spoke virtual network. + +1. Sign in to the [Azure portal](https://portal.azure.com). 
+ +1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal. + +1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**. + + >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**. + +1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the files **\\Allfiles\\Labs\\06\\az104-06-vms-loop-template.json** and **\\Allfiles\\Labs\\06\\az104-06-vms-loop-parameters.json** into the Cloud Shell home directory. + +1. From the Cloud Shell pane, run the following to create the first resource group that will be hosting the lab environment (replace the `[Azure_region]` placeholder with the name of an Azure region where you intend to deploy Azure virtual machines)(you can use the "(Get-AzLocation).Location" cmdlet to get the region list): + + ```powershell + $location = '[Azure_region]' + + $rgName = 'az104-06-rg1' + + New-AzResourceGroup -Name $rgName -Location $location + ``` + +1. From the Cloud Shell pane, run the following to create the three virtual networks and four Azure VMs into them by using the template and parameter files you uploaded: + + ```powershell + New-AzResourceGroupDeployment ` + -ResourceGroupName $rgName ` + -TemplateFile $HOME/az104-06-vms-loop-template.json ` + -TemplateParameterFile $HOME/az104-06-vms-loop-parameters.json + ``` + + >**Note**: Wait for the deployment to complete before proceeding to the next step. This should take about 5 minutes. + +1. 
From the Cloud Shell pane, run the following to install the Network Watcher extension on the Azure VMs deployed in the previous step: + + ```powershell + $rgName = 'az104-06-rg1' + $location = (Get-AzResourceGroup -ResourceGroupName $rgName).location + $vmNames = (Get-AzVM -ResourceGroupName $rgName).Name + + foreach ($vmName in $vmNames) { + Set-AzVMExtension ` + -ResourceGroupName $rgName ` + -Location $location ` + -VMName $vmName ` + -Name 'networkWatcherAgent' ` + -Publisher 'Microsoft.Azure.NetworkWatcher' ` + -Type 'NetworkWatcherAgentWindows' ` + -TypeHandlerVersion '1.4' + } + ``` + + >**Note**: Wait for the deployment to complete before proceeding to the next step. This should take about 5 minutes. + +1. Close the Cloud Shell pane. + +#### Task 2: Configure the hub and spoke network topology + +In this task, you will configure local peering between the virtual networks you deployed in the previous tasks in order to create a hub and spoke network topology. + +1. In the Azure portal, search for and select **Virtual networks**. + +1. Review the virtual networks you created in the previous task. + + >**Note**: The template you used for deployment of the three virtual networks ensures that the IP address ranges of the three virtual networks do not overlap. + +1. In the list of virtual networks, select **az104-06-vnet2**. + +1. On the **az104-06-vnet2** blade, select **Properties**. + +1. On the **az104-06-vnet2 \| Properties** blade, record the value of the **Resource ID** property. + +1. Navigate back to the list of virtual networks and select **az104-06-vnet3**. + +1. On the **az104-06-vnet3** blade, select **Properties**. + +1. On the **az104-06-vnet3 \| Properties** blade, record the value of the **Resource ID** property. + + >**Note**: You will need the values of the ResourceID property for both virtual networks later in this task. 
+ + >**Note**: This is a workaround that addresses the issue with the Azure portal occasionally not displaying the newly provisioned virtual network when creating virtual network peerings. + +1. In the list of virtual networks, click **az104-06-vnet01**. + +1. On the **az104-06-vnet01** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**. + +1. Add a peering with the following settings (leave others with their default values) and click Add: + + | Setting | Value | + | --- | --- | + | This virtual network: Peering link name | **az104-06-vnet01_to_az104-06-vnet2** | + | Traffic to remote virtual network | **Allow (default)** | + | Traffic forwarded from remote virtual network | **Block traffic that originates from outside this virtual network** | + | Virtual network gateway | **None (default)** | + | Remote virtual network: Peering link name | **az104-06-vnet2_to_az104-06-vnet01** | + | Virtual network deployment model | **Resource manager** | + | I know my resource ID | enabled | + | Resource ID | the value of resourceID parameter of **az104-06-vnet2** you recorded earlier in this task | + | Traffic to remote virtual network | **Allow (default)** | + | Traffic forwarded from remote virtual network | **Allow (default)** | + | Virtual network gateway | **None (default)** | + + >**Note**: Wait for the operation to complete. + + >**Note**: This step establishes two local peerings - one from az104-06-vnet01 to az104-06-vnet2 and the other from az104-06-vnet2 to az104-06-vnet01. + + >**Note**: **Allow forwarded traffic** needs to be enabled in order to facilitate routing between spoke virtual networks, which you will implement later in this lab. + +1. On the **az104-06-vnet01** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**. + +1. 
Add a peering with the following settings (leave others with their default values) and click Add: + + | Setting | Value | + | --- | --- | + | This virtual network: Peering link name | **az104-06-vnet01_to_az104-06-vnet3** | + | Traffic to remote virtual network | **Allow (default)** | + | Traffic forwarded from remote virtual network | **Block traffic that originates from outside this virtual network** | + | Virtual network gateway | **None (default)** | + | Remote virtual network: Peering link name | **az104-06-vnet3_to_az104-06-vnet01** | + | Virtual network deployment model | **Resource manager** | + | I know my resource ID | enabled | + | Resource ID | the value of resourceID parameter of **az104-06-vnet3** you recorded earlier in this task | + | Traffic to remote virtual network | **Allow (default)** | + | Traffic forwarded from remote virtual network | **Allow (default)** | + | Virtual network gateway | **None (default)** | + + >**Note**: This step establishes two local peerings - one from az104-06-vnet01 to az104-06-vnet3 and the other from az104-06-vnet3 to az104-06-vnet01. This completes setting up the hub and spoke topology (with two spoke virtual networks). + + >**Note**: **Allow forwarded traffic** needs to be enabled in order to facilitate routing between spoke virtual networks, which you will implement later in this lab. + +#### Task 3: Test transitivity of virtual network peering + +In this task, you will test transitivity of virtual network peering by using Network Watcher. + +1. In the Azure portal, search for and select **Network Watcher**. + +1. On the **Network Watcher** blade, expand the listing of Azure regions and verify that the service is enabled in the Azure into which you deployed resources in the first task of this lab. + +1. On the **Network Watcher** blade, navigate to the **Connection troubleshoot**. + +1. 
On the **Network Watcher - Connection troubleshoot** blade, initiate a check with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource group | **az104-06-rg1** | + | Source type | **Virtual machine** | + | Virtual machine | **az104-06-vm0** | + | Destination | **Specify manually** | + | URI, FQDN or IPv4 | **10.62.0.4** | + | Protocol | **TCP** | + | Destination Port | **3389** | + + > **Note**: **10.62.0.4** represents the private IP address of **az104-06-vm2** + +1. Click **Check** and wait until results of the connectivity check are returned. Verify that the status is **Reachable**. Review the network path and note that the connection was direct, with no intermediate hops in between the VMs. + + > **Note**: This is expected, since the hub virtual network is peered directly with the first spoke virtual network. + +1. On the **Network Watcher - Connection troubleshoot** blade, initiate a check with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource group | **az104-06-rg1** | + | Source type | **Virtual machine** | + | Virtual machine | **az104-06-vm0** | + | Destination | **Specify manually** | + | URI, FQDN or IPv4 | **10.63.0.4** | + | Protocol | **TCP** | + | Destination Port | **3389** | + + > **Note**: **10.63.0.4** represents the private IP address of **az104-06-vm3** + +1. Click **Check** and wait until results of the connectivity check are returned. Verify that the status is **Reachable**. Review the network path and note that the connection was direct, with no intermediate hops in between the VMs. + + > **Note**: This is expected, since the hub virtual network is peered directly with the second spoke virtual network. + +1. 
On the **Network Watcher - Connection troubleshoot** blade, initiate a check with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource group | **az104-06-rg1** | + | Source type | **Virtual machine** | + | Virtual machine | **az104-06-vm2** | + | Destination | **Specify manually** | + | URI, FQDN or IPv4 | **10.63.0.4** | + | Protocol | **TCP** | + | Destination Port | **3389** | + +1. Click **Check** and wait until results of the connectivity check are returned. Note that the status is **Unreachable**. + + > **Note**: This is expected, since the two spoke virtual networks are not peered with each other (virtual network peering is not transitive). + +#### Task 4: Configure routing in the hub and spoke topology + +In this task, you will configure and test routing between the two spoke virtual networks by enabling IP forwarding on the network interface of the **az104-06-vm0** virtual machine, enabling routing within its operating system, and configuring user-defined routes on the spoke virtual network. + +1. In the Azure portal, search and select **Virtual machines**. + +1. On the **Virtual machines** blade, in the list of virtual machines, click **az104-06-vm0**. + +1. On the **az104-06-vm0** virtual machine blade, in the **Settings** section, click **Networking**. + +1. Click the **az104-06-nic0** link next to the **Network interface** label, and then, on the **az104-06-nic0** network interface blade, in the **Settings** section, click **IP configurations**. + +1. Set **IP forwarding** to **Enabled** and save the change. + + > **Note**: This setting is required in order for **az104-06-vm0** to function as a router, which will route traffic between two spoke virtual networks. + + > **Note**: Now you need to configure operating system of the **az104-06-vm0** virtual machine to support routing. + +1. 
In the Azure portal, navigate back to the **az104-06-vm0** Azure virtual machine blade and click **Overview**. + +1. On the **az104-06-vm0** blade, in the **Operations** section, click **Run command**, and, in the list of commands, click **RunPowerShellScript**. + +1. On the **Run Command Script** blade, type the following and click **Run** to install the Remote Access Windows Server role. + + ```powershell + Install-WindowsFeature RemoteAccess -IncludeManagementTools + ``` + + > **Note**: Wait for the confirmation that the command completed successfully. + +1. On the **Run Command Script** blade, type the following and click **Run** to install the Routing role service. + + ```powershell + Install-WindowsFeature -Name Routing -IncludeManagementTools -IncludeAllSubFeature + + Install-WindowsFeature -Name "RSAT-RemoteAccess-Powershell" + + Install-RemoteAccess -VpnType RoutingOnly + + Get-NetAdapter | Set-NetIPInterface -Forwarding Enabled + ``` + + > **Note**: Wait for the confirmation that the command completed successfully. + + > **Note**: Now you need to create and configure user defined routes on the spoke virtual networks. + +1. In the Azure portal, search and select **Route tables** and, on the **Route tables** blade, click **+ Create**. + +1. Create a route table with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource group | **az104-06-rg1** | + | Location | the name of the Azure region in which you created the virtual networks | + | Name | **az104-06-rt23** | + | Propagate gateway routes | **No** | + +1. Click **Review and Create**. Let validation occur, and click **Create** to submit your deployment. + + > **Note**: Wait for the route table to be created. This should take about 3 minutes. + +1. Back on the **Route tables** blade, click **Refresh** and then click **az104-06-rt23**. + +1. 
On the **az104-06-rt23** route table blade, in the **Settings** section, click **Routes**, and then click **+ Add**. + +1. Add a new route with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Route name | **az104-06-route-vnet2-to-vnet3** | + | Address prefix | **10.63.0.0/20** | + | Next hop type | **Virtual appliance** | + | Next hop address | **10.60.0.4** | + +1. Click **OK** + +1. Back on the **az104-06-rt23** route table blade, in the **Settings** section, click **Subnets**, and then click **+ Associate**. + +1. Associate the route table **az104-06-rt23** with the following subnet: + + | Setting | Value | + | --- | --- | + | Virtual network | **az104-06-vnet2** | + | Subnet | **subnet0** | + +1. Click **OK** + +1. Navigate back to **Route tables** blade and click **+ Create**. + +1. Create a route table with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource group | **az104-06-rg1** | + | Region | the name of the Azure region in which you created the virtual networks | + | Name | **az104-06-rt32** | + | Propagate gateway routes | **No** | + +1. Click Review and Create. Let validation occur, and hit Create to submit your deployment. + + > **Note**: Wait for the route table to be created. This should take about 3 minutes. + +1. Back on the **Route tables** blade, click **Refresh** and then click **az104-06-rt32**. + +1. On the **az104-06-rt32** route table blade, in the **Settings** section, click **Routes**, and then click **+ Add**. + +1. Add a new route with the following settings: + + | Setting | Value | + | --- | --- | + | Route name | **az104-06-route-vnet3-to-vnet2** | + | Address prefix | **10.62.0.0/20** | + | Next hop type | **Virtual appliance** | + | Next hop address | **10.60.0.4** | + +1. Click **OK** + +1. 
Back on the **az104-06-rt32** route table blade, in the **Settings** section, click **Subnets**, and then click **+ Associate**. + +1. Associate the route table **az104-06-rt32** with the following subnet: + + | Setting | Value | + | --- | --- | + | Virtual network | **az104-06-vnet3** | + | Subnet | **subnet0** | + +1. Click **OK** + +1. In the Azure portal, navigate back to the **Network Watcher - Connection troubleshoot** blade. + +1. On the **Network Watcher - Connection troubleshoot** blade, initiate a check with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource group | **az104-06-rg1** | + | Source type | **Virtual machine** | + | Virtual machine | **az104-06-vm2** | + | Destination | **Specify manually** | + | URI, FQDN or IPv4 | **10.63.0.4** | + | Protocol | **TCP** | + | Destination Port | **3389** | + +1. Click **Check** and wait until results of the connectivity check are returned. Verify that the status is **Reachable**. Review the network path and note that the traffic was routed via **10.60.0.4**, assigned to the **az104-06-nic0** network adapter. If status is **Unreachable**, you should restart az104-06-vm0. + + > **Note**: This is expected, since the traffic between spoke virtual networks is now routed via the virtual machine located in the hub virtual network, which functions as a router. + + > **Note**: You can use **Network Watcher** to view topology of the network. + +#### Task 5: Implement Azure Load Balancer + +In this task, you will implement an Azure Load Balancer in front of the two Azure virtual machines in the hub virtual network + +1. In the Azure portal, search and select **Load balancers** and, on the **Load balancers** blade, click **+ Create**. + +1. 
Create a load balancer with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource group | the name of a new resource group **az104-06-rg4** | + | Name | **az104-06-lb4** | + | Region| name of the Azure region into which you deployed all other resources in this lab | + | Type | **Public** | + | SKU | **Standard** | + | Public IP address | **Create new** | + | Public IP address name | **az104-06-pip4** | + | Availability zone | **No Zone** | + | Add a public IPv6 address | **No** | + +1. Click Review and Create. Let validation occur, and hit Create to submit your deployment. + + > **Note**: Wait for the Azure load balancer to be provisioned. This should take about 2 minutes. + +1. On the deployment blade, click **Go to resource**. + +1. On the **az104-06-lb4** load balancer blade, in the **Settings** section, click **Backend pools**, and click **+ Add**. + +1. Add a backend pool with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Name | **az104-06-lb4-be1** | + | Virtual network | **az104-06-vnet01** | + | IP version | **IPv4** | + | Virtual machine | **az104-06-vm0** | + | Virtual machine IP address | **ipconfig1 (10.60.0.4)** | + | Virtual machine | **az104-06-vm1** | + | Virtual machine IP address | **ipconfig1 (10.60.1.4)** | + +1. Click **Add** + +1. Wait for the backend pool to be created, in the **Settings** section, click **Health probes**, and then click **+ Add**. + +1. Add a health probe with the following settings: + + | Setting | Value | + | --- | --- | + | Name | **az104-06-lb4-hp1** | + | Protocol | **TCP** | + | Port | **80** | + | Interval | **5** | + | Unhealthy threshold | **2** | + +1. Click **Add** + +1. Wait for the health probe to be created, in the **Settings** section, click **Load balancing rules**, and then click **+ Add**. + +1. 
Add a load balancing rule with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Name | **az104-06-lb4-lbrule1** | + | IP Version | **IPv4** | + | Frontend IP Address | **select the LoadBalancerFrontEnd from the drop down** + | Protocol | **TCP** | + | Port | **80** | + | Backend port | **80** | + | Backend pool | **az104-06-lb4-be1** | + | Health probe | **az104-06-lb4-hp1** | + | Session persistence | **None** | + | Idle timeout (minutes) | **4** | + | TCP reset | **Disabled** | + | Floating IP (direct server return) | **Disabled** | + +1. Click **Add** + +1. Wait for the load balancing rule to be created, click **Overview**, and note the value of the **Public IP address**. + +1. Start another browser window and navigate to the IP address you identified in the previous step. + +1. Verify that the browser window displays the message **Hello World from az104-06-vm0** or **Hello World from az104-06-vm1**. + +1. Open another browser window but this time by using InPrivate mode and verify whether the target vm changes (as indicated by the message). + + > **Note**: You might need to refresh the browser window or open it again by using InPrivate mode. + +#### Task 6: Implement Azure Application Gateway + +In this task, you will implement an Azure Application Gateway in front of the two Azure virtual machines in the spoke virtual networks. + +1. In the Azure portal, search and select **Virtual networks**. + +1. On the **Virtual networks** blade, in the list of virtual networks, click **az104-06-vnet01**. + +1. On the **az104-06-vnet01** virtual network blade, in the **Settings** section, click **Subnets**, and then click **+ Subnet**. + +1. Add a subnet with the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Name | **subnet-appgw** | + | Subnet address range | **10.60.3.224/27** | + +1. 
Click **Save** + + > **Note**: This subnet will be used by the Azure Application Gateway instances, which you will deploy later in this task. The Application Gateway requires a dedicated subnet of /27 or larger size. + +1. In the Azure portal, search and select **Application Gateways** and, on the **Application Gateways** blade, click **+ Create**. + +1. On the **Basics** tab of the **Create an application gateway** blade, specify the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Subscription | the name of the Azure subscription you are using in this lab | + | Resource group | the name of a new resource group **az104-06-rg5** | + | Application gateway name | **az104-06-appgw5** | + | Region | name of the Azure region into which you deployed all other resources in this lab | + | Tier | **Standard V2** | + | Enable autoscaling | **No** | + | HTTP2 | **Disabled** | + | Virtual network | **az104-06-vnet01** | + | Subnet | **subnet-appgw** | + +1. Click **Next: Frontends >** and, on the **Frontends** tab of the **Create an application gateway** blade, click **Add new**, and specify the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Frontend IP address type | **Public** | + | Public IP address| the name of a new public ip address **az104-06-pip5** | + +1. 
Click **Next: Backends >**, on the **Backends** tab of the **Create an application gateway** blade, click **Add a backend pool**, and, on the **Add a backend pool** blade, specify the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Name | **az104-06-appgw5-be1** | + | Add backend pool without targets | **No** | + | Target type | **IP address or FQDN** | + | Target | **10.62.0.4** | + | Target type | **IP address or FQDN** | + | Target | **10.63.0.4** | + + > **Note**: The targets represent the private IP addresses of virtual machines in the spoke virtual networks **az104-06-vm2** and **az104-06-vm3**. + +1. Click **Add**, click **Next: Configuration >** and, on the **Configuration** tab of the **Create an application gateway** blade, click **+ Add a routing rule**. + +1. On the **Add a routing rule** blade, on the **Listener** tab, specify the following settings: + + | Setting | Value | + | --- | --- | + | Rule name | **az104-06-appgw5-rl1** | + | Listener name | **az104-06-appgw5-rl1l1** | + | Frontend IP | **Public** | + | Protocol | **HTTP** | + | Port | **80** | + | Listener type | **Basic** | + | Error page url | **No** | + +1. Switch to the **Backend targets** tab of the **Add a routing rule** blade and specify the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | Target type | **Backend pool** | + | Backend target | **az104-06-appgw5-be1** | + +1. Click **Add new** under to the **HTTP settings** text box, and, on the **Add an HTTP setting** blade, specify the following settings (leave others with their default values): + + | Setting | Value | + | --- | --- | + | HTTP settings Name | **az104-06-appgw5-http1** | + | Backend protocol | **HTTP** | + | Backend port | **80** | + | Cookie-based affinity | **Disable** | + | Connection draining | **Disable** | + | Request time-out (seconds) | **20** | + +1. 
Click **Add** on the **Add an HTTP setting** blade, and back on the **Add a routing rule** blade, click **Add**. + +1. Click **Next: Tags >**, followed by **Next: Review + create >** and then click **Create**. + + > **Note**: Wait for the Application Gateway instance to be created. This might take about 8 minutes. + +1. In the Azure portal, search and select **Application Gateways** and, on the **Application Gateways** blade, click **az104-06-appgw5**. + +1. On the **az104-06-appgw5** Application Gateway blade, note the value of the **Frontend public IP address**. + +1. Start another browser window and navigate to the IP address you identified in the previous step. + +1. Verify that the browser window displays the message **Hello World from az104-06-vm2** or **Hello World from az104-06-vm3**. + +1. Open another browser window but this time by using InPrivate mode and verify whether the target vm changes (based on the message displayed on the web page). + + > **Note**: You might need to refresh the browser window or open it again by using InPrivate mode. + + > **Note**: Targeting virtual machines on multiple virtual networks is not a common configuration, but it is meant to illustrate the point that Application Gateway is capable of targeting virtual machines on multiple virtual networks (as well as endpoints in other Azure regions or even outside of Azure), unlike Azure Load Balancer, which load balances across virtual machines in the same virtual network. + +#### Clean up resources + + >**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges. + +1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane. + +1. List all resource groups created throughout the labs of this module by running the following command: + + ```powershell + Get-AzResourceGroup -Name 'az104-06*' + ``` + +1. 
Delete all resource groups you created throughout the labs of this module by running the following command: + + ```powershell + Get-AzResourceGroup -Name 'az104-06*' | Remove-AzResourceGroup -Force -AsJob + ``` + + >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed. + +#### Review + +In this lab, you have: + ++ Provisioned the lab environment ++ Configured the hub and spoke network topology ++ Tested transitivity of virtual network peering ++ Task 4: Configure routing in the hub and spoke topology ++ Task 5: Implement Azure Load Balancer ++ Task 6: Implement Azure Application Gateway
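Review bot: In the "Clean up resources" section, `Get-AzResourceGroup -Name 'az104-06*' | Remove-AzResourceGroup -Force -AsJob` removes every resource group that matches the wildcard, with confirmation suppressed by `-Force` and the work pushed to the background by `-AsJob`. The delete step should tell the student to review the output of the preceding `Get-AzResourceGroup -Name 'az104-06*'` listing and confirm it contains only the groups created in this lab before running it, because any other group in the subscription that shares the `az104-06` prefix would be deleted as well. Three smaller points in the same file: in the Task 5 load balancing rule table the `Frontend IP Address` row has no closing `|`, unlike every other row, so the table may not render correctly; in Task 6, "Click **Add new** under to the **HTTP settings** text box" has a stray "to"; and under "Review" the last three bullets read "Task 4: Configure routing in the hub and spoke topology", "Task 5: ..." and "Task 6: ..." while the first three are past-tense outcomes ("Provisioned the lab environment"), so they look pasted from the objectives list and should be reworded to match (for example "Configured routing in the hub and spoke topology").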