
Lab 04: Implement Virtual Networking


Objective: This lab introduces fundamental Azure virtual networking concepts. You will create virtual networks, subnets, network security groups (NSGs), application security groups (ASGs), and configure DNS zones.

Scenario: Your organization is expanding its Azure infrastructure. You need to create virtual networks that accommodate existing resources and allow for future growth, particularly in the Core Services and Manufacturing divisions.

Key Concepts:

  • Virtual Network (VNet): Your isolated network in Azure.

  • Subnet: A subdivision of a VNet, used for organization and security. Crucially, Azure reserves 5 IP addresses in each subnet:

    • x.x.x.0: Network address.

    • x.x.x.1: Reserved for the default gateway.

    • x.x.x.2: Reserved for Azure's DNS.

    • x.x.x.3: Reserved for future use.

    • x.x.x.255: Broadcast address (for subnets with a /24 prefix).

  • Network Security Group (NSG): A firewall, controlling inbound and outbound traffic with rules.

  • Application Security Group (ASG): Groups VMs with similar security needs (e.g., web servers) to simplify NSG rule management.

  • Azure DNS: A service to host and manage DNS domains (both public and private).

  • Avoid overlapping IP address ranges across your cloud and on-prem to prevent connectivity issues.

  • Templates: The best method to deploy resources consistently and efficiently.
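The reserved-address and overlap rules above are easy to get wrong when an address plan is drawn by hand. The following Python script is an added example, not part of the lab, that checks a plan offline with the standard ipaddress module: it lists the five addresses Azure reserves in a subnet, computes the usable host count, and flags subnets that fall outside their VNet, are smaller than /29, or overlap another subnet, VNet or on-prem range. The VNet and subnet values are the lab's; the on-prem range 192.168.0.0/16 is an assumption added to exercise the check.

```python
import ipaddress

# Constructed address plan mirroring the lab's VNets and subnets. The on-prem
# range is an assumption added to exercise the overlap check; the lab does not
# name one.
VNETS = {
    "CoreServicesVnet": {
        "space": "10.20.0.0/16",
        "subnets": {"SharedServicesSubnet": "10.20.10.0/24",
                    "DatabaseSubnet": "10.20.20.0/24"},
    },
    "ManufacturingVnet": {
        "space": "10.30.0.0/16",
        "subnets": {"SensorSubnet1": "10.30.20.0/24",
                    "SensorSubnet2": "10.30.21.0/24"},
    },
}
ON_PREM = ["192.168.0.0/16"]  # assumed on-premises range, not from the lab

AZURE_RESERVED = 5          # network, gateway, two Azure DNS, broadcast
SMALLEST_AZURE_SUBNET = 29  # /29 is the smallest subnet Azure accepts


def reserved_addresses(cidr):
    """The five addresses Azure reserves in a subnet, keyed by purpose."""
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": net.network_address,
        "gateway": ipaddress.ip_address(base + 1),
        "azure_dns": (ipaddress.ip_address(base + 2),
                      ipaddress.ip_address(base + 3)),
        "broadcast": net.broadcast_address,  # last address; .255 only for a /24
    }


def usable_hosts(cidr):
    """Addresses assignable to NICs: the subnet size minus Azure's five."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AZURE_RESERVED


def check_plan(vnets, on_prem):
    """Return human-readable problems with the plan (empty list if clean):
    subnets outside their VNet, subnets too small for Azure, overlapping
    subnets, and VNet spaces that overlap each other or the on-prem ranges."""
    problems = []
    ranges = [("on-prem", ipaddress.ip_network(c, strict=True)) for c in on_prem]
    for vnet, cfg in vnets.items():
        space = ipaddress.ip_network(cfg["space"], strict=True)
        ranges.append((vnet, space))
        subnets = [(name, ipaddress.ip_network(c, strict=True))
                   for name, c in cfg["subnets"].items()]
        for name, net in subnets:
            if not net.subnet_of(space):
                problems.append(f"{vnet}/{name} {net} is outside {space}")
            if net.prefixlen > SMALLEST_AZURE_SUBNET:
                problems.append(f"{vnet}/{name} {net} is smaller than a /29")
        for i, (n1, s1) in enumerate(subnets):
            for n2, s2 in subnets[i + 1:]:
                if s1.overlaps(s2):
                    problems.append(f"{vnet}: {n1} {s1} overlaps {n2} {s2}")
    # VNet-to-VNet and VNet-to-on-prem overlaps block peering and VPN routing.
    for i, (a, ra) in enumerate(ranges):
        for b, rb in ranges[i + 1:]:
            if ra.overlaps(rb):
                problems.append(f"{a} {ra} overlaps {b} {rb}")
    return problems


if __name__ == "__main__":
    for cidr in ("10.20.10.0/24", "10.30.20.0/24"):
        print(cidr, reserved_addresses(cidr), "usable:", usable_hosts(cidr))
    print("problems:", check_plan(VNETS, ON_PREM) or "none")
```

Run it before Task 1 and again after editing the template in Task 2; a subnet prefix that slipped outside 10.30.0.0/16 is reported here instead of as a failed deployment.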

Interactive lab simulations

Secure network traffic: Create a VM, a VNet and an NSG, and add rules to allow and deny traffic.

Create a simple virtual network: Set up a VNet with two VMs and demonstrate their communication.

Design and implement a virtual network in Azure: Create a resource group and a VNet with subnets.

Implement virtual networking: Configure a VNet, deploy a VM, set up an NSG, and configure Azure DNS.

Lab Scenario

Your organization plans to implement virtual networks with extra capacity for growth.

  • CoreServicesVnet:

    • Largest number of resources

    • Requires a large address space for anticipated growth

  • ManufacturingVnet:

    • Contains systems for manufacturing operations

    • Expects many internal connected devices for data retrieval

Network layout

Job Skills Tasks:

  1. Create a vnet with subnets using the portal.

  2. Create a vnet and subnets using a template.

  3. Create an ASG and an NSG, and write NSG rules that reference the ASG.

  4. Configure public and private Azure DNS zones.

Task 1: Create CoreServicesVnet (Portal)

  1. Sign In: Log into the Azure portal (https://portal.azure.com).

  2. Create VNet: Search for and select "Virtual networks," then click "Create."

    • Basics tab: Resource Group: az104-rg4; Name: CoreServicesVnet

    • IP Addresses tab: IPv4 address space: 10.20.0.0/16

      • Add two subnets (and remove the default one):

        a. Name: SharedServicesSubnet; Starting address: 10.20.10.0/24

        b. Name: DatabaseSubnet; Starting address: 10.20.20.0/24

  3. Go to Resource: Once deployed, click "Go to resource."

  4. Export Template:

    • Go to Automation > Export template, then click Download.

    • Extract the downloaded ZIP file. You will have template.json and parameters.json.

Task 2: Create ManufacturingVnet (Template)

  1. Edit template.json: Use a text editor to do a "Find and Replace all" for each pair below, in the order listed (each old string is distinct, so nothing is replaced twice):

  • Replace ALL: CoreServicesVnet -> ManufacturingVnet

  • Replace ALL: 10.20.0.0 -> 10.30.0.0

  • Replace ALL: SharedServicesSubnet -> SensorSubnet1

  • Replace ALL: 10.20.10.0/24 -> 10.30.20.0/24

  • Replace ALL: DatabaseSubnet -> SensorSubnet2

  • Replace ALL: 10.20.20.0/24 -> 10.30.21.0/24

  2. Edit parameters.json: Replace the one occurrence of CoreServicesVnet with ManufacturingVnet and save the file. The parameter name must match the one in template.json or the deployment will fail validation.

  3. Save: Save the changes to template.json.

  4. Deploy:

    • In the portal, search for "Deploy a custom template."

    • Choose "Build your own template in the editor."

    • Click "Load file," select your modified template.json, and click "Save."

    • Select az104-rg4 as the resource group.

    • Click "Review + create," then "Create."

  5. Verify: After deployment, confirm that ManufacturingVnet exists with address space 10.30.0.0/16 and subnets SensorSubnet1 (10.30.20.0/24) and SensorSubnet2 (10.30.21.0/24). If a subnet still shows a 10.20.x.x prefix, or the deployment reports a conflict with CoreServicesVnet, one of the replacements was missed.
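Editor find-and-replace is fine for a lab, but the same procedure is easy to script and, more usefully, to validate before the template is handed to the portal. The Python below is an added example (not part of the lab or of any exported Azure template) that applies the lab's replacement list in order to a constructed, minimal stand-in for template.json and parameters.json, then checks that the result is still valid JSON, that the renamed parameter agrees across both files, that none of the old strings survived, and that every subnet prefix lies inside the new address space. A real export contains many more properties than the stand-in, and the apiVersion shown is an assumed value.

```python
import ipaddress
import json

# Constructed stand-ins for the exported template.json and parameters.json.
# A real export carries many more properties (resource ids, provisioning
# state, tags); only the fields the lab tells you to change are modelled,
# and the apiVersion is an assumed value.
TEMPLATE_JSON = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "virtualNetworks_CoreServicesVnet_name": {
            "defaultValue": "CoreServicesVnet", "type": "String"}},
    "resources": [{
        "type": "Microsoft.Network/virtualNetworks",
        "apiVersion": "2023-04-01",
        "name": "[parameters('virtualNetworks_CoreServicesVnet_name')]",
        "location": "eastus",
        "properties": {
            "addressSpace": {"addressPrefixes": ["10.20.0.0/16"]},
            "subnets": [
                {"name": "SharedServicesSubnet",
                 "properties": {"addressPrefix": "10.20.10.0/24"}},
                {"name": "DatabaseSubnet",
                 "properties": {"addressPrefix": "10.20.20.0/24"}}]}}],
}, indent=2)
PARAMETERS_JSON = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"virtualNetworks_CoreServicesVnet_name": {"value": "CoreServicesVnet"}},
}, indent=2)

# The lab's "Replace ALL" list, applied in the order given.
TEMPLATE_REPLACEMENTS = [
    ("CoreServicesVnet", "ManufacturingVnet"),
    ("10.20.0.0", "10.30.0.0"),
    ("SharedServicesSubnet", "SensorSubnet1"),
    ("10.20.10.0/24", "10.30.20.0/24"),
    ("DatabaseSubnet", "SensorSubnet2"),
    ("10.20.20.0/24", "10.30.21.0/24"),
]
# parameters.json only needs the VNet name swapped.
PARAMETER_REPLACEMENTS = TEMPLATE_REPLACEMENTS[:1]


def apply_replacements(text, replacements):
    """Plain find-and-replace-all, exactly what the text editor does."""
    for old, new in replacements:
        text = text.replace(old, new)
    return text


def rewrite_template(template_text, parameters_text):
    """Apply the replacements, then check the result before deploying it:
    still valid JSON, parameter names agree across the two files, no old
    strings left behind, and every subnet sits inside the new address space.
    Returns (new_template, new_parameters, address_space, {subnet: prefix})."""
    new_template = apply_replacements(template_text, TEMPLATE_REPLACEMENTS)
    new_params = apply_replacements(parameters_text, PARAMETER_REPLACEMENTS)
    tmpl, params = json.loads(new_template), json.loads(new_params)
    if set(tmpl["parameters"]) != set(params["parameters"]):
        raise ValueError("parameter names differ between template and parameters")
    leftover = [old for old, _ in TEMPLATE_REPLACEMENTS if old in new_template]
    if leftover:
        raise ValueError(f"strings not replaced: {leftover}")
    vnet = next(r for r in tmpl["resources"]
                if r["type"] == "Microsoft.Network/virtualNetworks")
    space = ipaddress.ip_network(vnet["properties"]["addressSpace"]["addressPrefixes"][0])
    subnets = {s["name"]: s["properties"]["addressPrefix"]
               for s in vnet["properties"]["subnets"]}
    for name, prefix in subnets.items():
        if not ipaddress.ip_network(prefix).subnet_of(space):
            raise ValueError(f"{name} {prefix} is outside {space}")
    return new_template, new_params, space, subnets


if __name__ == "__main__":
    new_template, new_params, space, subnets = rewrite_template(TEMPLATE_JSON, PARAMETERS_JSON)
    print("address space:", space, "subnets:", subnets)
    print(new_template)
```

To use it on the real export, read the two downloaded files into template_text and parameters_text instead of the constants; the checks are the same, and the script refuses to emit a template whose subnets would not fit the new VNet.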

Task 3: ASG and NSG Configuration

  1. Create ASG: Search for "Application security groups" and click "Create."

    • Resource Group: az104-rg4

    • Name: asg-web

    • Note: At this point you would add the network interfaces of the virtual machine(s) in SensorSubnet1 to the ASG (membership is configured on each NIC under its Application security groups setting, not on the VM or the subnet). Those NICs become the "source" that the inbound NSG rule you create later in this task refers to; an ASG with no members matches no traffic, so the rule has no effect until VMs are added.

  2. Create NSG: Search for "Network security groups" and Click "Create."

    • Resource Group: az104-rg4

    • Name: myNSGSecure

  3. Associate NSG with Subnet: Go to the myNSGSecure resource.

    • Under "Settings," click "Subnets," then "Associate."

    • Virtual Network: CoreServicesVnet (az104-rg4)

    • Subnet: SharedServicesSubnet Click "OK."

  4. Create Inbound Rule (Allow ASG Traffic):

    • In myNSGSecure, go to "Settings" -> "Inbound security rules" and click "+ Add."

    • Settings:

      • Source: Application security group

      • Source application security groups: asg-web

      • Source port ranges: *

      • Destination: Any

      • Service: Custom

      • Destination port ranges: 80,443

      • Protocol: TCP

      • Action: Allow

      • Priority: 100

      • Name: AllowASG

    • Click "Add."

  5. Create Outbound Rule (Deny Internet):

    • In myNSGSecure, go to "Settings" -> "Outbound security rules."

    • Click "+ Add."

    • Settings:

      • Source: Any

      • Source port ranges: *

      • Destination: Service Tag

      • Destination service tag: Internet

      • Service: Custom

      • Destination port ranges: 8080

      • Protocol: Any

      • Action: Deny

      • Priority: 4096

      • Name: DenyAnyCustom8080Outbound

    • Click "Add."

💡 Inbound rule: Applies to traffic entering SharedServicesSubnet, the subnet the NSG is associated with. It allows TCP traffic from NICs in asg-web to any destination in the subnet on ports 80 (HTTP) and 443 (HTTPS). Other inbound traffic falls through to the default rules: AllowVnetInBound (priority 65000) still admits traffic from the rest of the virtual network, and DenyAllInBound (65500) drops everything else, so this rule only becomes decisive once a Deny rule with a priority between 100 and 65000 is added in front of the defaults.

💡 Outbound rule: Applies to traffic leaving SharedServicesSubnet. It denies traffic of any protocol to destination port 8080 on any address covered by the Internet service tag. Priority 4096 is the lowest priority a custom rule can have, but it still sits above the default AllowInternetOutBound (65001), so port 8080 is blocked while every other outbound Internet port remains open; to close those as well, add a further Deny rule with destination service tag Internet and destination port range *.
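The two tips above only make sense once you see how the custom rules interleave with Azure's default rules. The Python below is an added example, not code from the lab or from Azure, that models NSG evaluation: rules sorted by priority, first match wins, with the lab's two rules and the six non-removable default rules. Service tags are simplified (VirtualNetwork is modelled as the lab's two address spaces, Internet as any public address outside them, AzureLoadBalancer as 168.63.129.16) and the ASG membership, the subnet host 10.20.10.10 and the Internet peer 1.1.1.1 are assumed values. Only the initiating packet is evaluated, because NSGs are stateful and replies to an allowed flow need no rule.

```python
import ipaddress
from dataclasses import dataclass

# VNet address spaces from the lab. The "VirtualNetwork" service tag is modelled
# as exactly these ranges; in Azure it also covers peered VNets and on-prem
# prefixes learned over a gateway. "Internet" is modelled as any public
# address outside them.
VNET_SPACES = [ipaddress.ip_network("10.20.0.0/16"),
               ipaddress.ip_network("10.30.0.0/16")]
# Constructed ASG membership: NIC addresses assumed to be tagged asg-web.
ASG_MEMBERS = {"asg-web": {ipaddress.ip_address("10.20.10.4"),
                           ipaddress.ip_address("10.20.10.5")}}
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")


@dataclass
class Rule:
    name: str
    priority: int       # lower number wins; custom rules use 100-4096
    direction: str      # "Inbound" or "Outbound"
    source: str         # "*", a CIDR, a service tag, or "asg:<name>"
    destination: str
    dst_ports: str      # "*" or comma-separated ports/ranges, e.g. "80,443"
    protocol: str       # "Tcp", "Udp" or "*"
    action: str         # "Allow" or "Deny"


def match_address(spec, ip):
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return ip in ASG_MEMBERS.get(spec[4:], set())
    if spec == "VirtualNetwork":
        return any(ip in net for net in VNET_SPACES)
    if spec == "Internet":
        return not ip.is_private and not any(ip in net for net in VNET_SPACES)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec)


def match_port(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# Azure's built-in default rules, present in every NSG and not removable.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
]
# The two rules Task 3 adds to myNSGSecure.
LAB_RULES = [
    Rule("AllowASG", 100, "Inbound", "asg:asg-web", "*", "80,443", "Tcp", "Allow"),
    Rule("DenyAnyCustom8080Outbound", 4096, "Outbound", "*", "Internet", "8080", "*", "Deny"),
]


def evaluate(rules, direction, src, dst, dst_port, protocol):
    """First-match evaluation in ascending priority, as the NSG does.
    Returns (rule name, action) for the initiating packet of a flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if (match_address(rule.source, src) and match_address(rule.destination, dst)
                and match_port(rule.dst_ports, dst_port)
                and rule.protocol in ("*", protocol)):
            return rule.name, rule.action
    return None, "Deny"  # unreachable while the default rules are present


if __name__ == "__main__":
    rules = LAB_RULES + DEFAULT_RULES
    host = "10.20.10.10"  # assumed VM in SharedServicesSubnet
    flows = [("Inbound", "10.20.10.4", host, 443, "Tcp"),   # asg-web member
             ("Inbound", "1.1.1.1", host, 80, "Tcp"),       # from the internet
             ("Outbound", host, "1.1.1.1", 8080, "Tcp"),    # hits the lab deny
             ("Outbound", host, "1.1.1.1", 443, "Tcp")]     # default allow
    for flow in flows:
        print(flow, "->", evaluate(rules, *flow))
```

Two results are worth noticing. Outbound 443 to the Internet is still allowed by the default AllowInternetOutBound, so the lab's deny closes only port 8080. And a same-VNet host that is not in asg-web still reaches port 80 through AllowVnetInBound; AllowASG only becomes the deciding rule when a Deny such as a DenyVnetInBound at priority 4000 is placed between it and the defaults.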

Network layout

Task 4: DNS Zones

  1. Create Public DNS Zone: Search for "DNS zones" and click "Create."

    • Resource Group: az104-rg4

    • Name: contoso.com (or a unique name if contoso.com is already taken; use whatever name you chose in the nslookup step below)

    • Note: Copy one of the name server addresses from the Overview blade. You won't delegate the domain at your registrar in this lab, but you need that name server address for nslookup.

    • Add a record set:

      • Name: www; Type: A; TTL: 1 Hour; IP Address: 10.1.1.4

      • (This is a placeholder; in a real deployment it would be your web server's public IP.)

  2. Test DNS Resolution: Open a command prompt on your local computer.

    • Run nslookup www.contoso.com <name server address> (replace <name server address> with the name server you copied).

    • The output should show 10.1.1.4. You are querying the zone's authoritative name server directly, so the answer does not depend on delegation at the registrar; a plain nslookup www.contoso.com without the name server argument goes through your local resolver and will not find the record, because the zone is not delegated. If the lookup fails, check that the name in the query matches the zone you actually created.

  3. Create Private DNS Zone: Search for "Private DNS zones" and click "Create."

    • Resource Group: az104-rg4

    • Name: private.contoso.com

  4. Link VNet: In the private DNS zone, go to "Virtual network links" and click "Add."

    • Link name: manufacturing-link

    • Virtual network: ManufacturingVnet

    • Click "Create." Only VMs in a linked VNet that use Azure-provided DNS can resolve names in this zone; a VM in CoreServicesVnet will not, since that VNet is not linked.

  5. Add Record Set: Go back to the DNS Management section and select "+ Recordsets."

    • Name: sensorvm

    • Type: A

    • TTL: 1 Hour

    • IP Address: 10.1.1.4 (This is a placeholder)

Note: In a real-world scenario you would enter the private IP address of a specific manufacturing virtual machine, which would fall inside 10.30.0.0/16.
