Azure Foundation Security Workshop - neilhamshaw/azure-security-workshop GitHub Wiki

Welcome to the Azure Security Workshop.

This series of hands-on labs provides an insight into some of the basic approaches to securing your Microsoft Azure Cloud environment.

The workshop is based on a simplified version of the Microsoft Azure Reference Architecture to deploy an N-Tier application. For the benefit of simplification and cost saving, various resources and tiers have been removed to speed up the process of deployment.

(Figure: Reference Architecture diagram)

As such, when the template is deployed, the following resources will not be included:

  • The Active Directory subnet/VMs
  • VMs in Availability Sets
  • The Load Balancers or Application Gateway (although there is a section on this in the workshop)
  • Multiple servers in each tier. Only one VM per tier is deployed

Before you begin

This workshop gets you hands-on with the Azure platform. To gain the maximum benefit from the labs, you must be able to log in to an Azure Subscription, against which you have the necessary access permissions to create, edit and delete resources.

IMPORTANT: Some of the labs will get you to create Azure resources which are chargeable against the Subscription they are built in. Whilst the costs are relatively low, the charges will persist as the resources remain active, so please take the following into consideration:

  • If you are using a company Subscription, ensure that...
    • You have been given authority to create billable resources
    • You have sufficient access rights to create resources
  • If using an MSDN Subscription, keep a close watch on the costs and how they consume your monthly allowance.
  • We would not recommend using a personal Subscription for these labs. Any costs charged to your personal credit/debit card are at the user's discretion.

Conventions and formatting

When navigating through the workshop, please pay close attention to the following conventions and formatting:

Code examples, or command line output, will appear like this

Where chevrons are used in code examples, such as <resource-group-name>, they denote a placeholder which must be replaced with your own value before the code is executed. Usually it will be the name of a resource or property which has been created by you. For example, an instruction may tell Azure, via a CLI command, to show the properties of an Azure Resource Group. This will appear as follows:

az group show --resource-group <resource-group-name>

If a Resource Group had been created called workshop-resource-group, the actual command which must be entered is this:

az group show --resource-group workshop-resource-group

Longer commands may appear with line breaks in them. This is mainly cosmetic and enables these pages to show a command in its entirety. Consider the following example, which displays information about a virtual network adapter:

az network nic show --resource-group <resource-group-name> --name WebServer-01-NIC --query "ipConfigurations[].privateIpAddress"

A standard GitHub page will display the command above on a single line, with the ability to scroll to the right. However, if the command has a natural break point it may be typed in with details missed. To mitigate this, some commands will appear twice, with the second version including line breaks (a trailing backslash continues the command on the next line). This way the whole command can be viewed more comfortably:

az network nic show \
--resource-group <resource-group-name> \
--name WebServer-01-NIC \
--query "ipConfigurations[].privateIpAddress"

Our one ask of you...

Platform changes

The Azure platform is an ever-evolving entity. Things change, sometimes literally day to day. We take great care to ensure that the screenshots, commands and resources in the workshops are as up to date as possible, but sometimes something different will appear. All we ask is that you bring these changes to our attention; we will work to rectify any issues which may arise and amend the workshop content accordingly.

Clarity, errors and omissions

In a similar manner, should you find any part of the workshop unclear, or think it could be improved, please let us know. It is important to us that the content can be followed as easily as possible.

Getting set up

1. Create a new Microsoft Account

For the purposes of the workshop, it is advisable to create a brand new Microsoft Account which you will use to log in to the Azure Portal. Having a new account ensures a brand new out-of-the-box experience which is dedicated to these labs.

Please follow the instructions on the setup page to create the Microsoft Account.

Please note: If you prefer to use an existing Hotmail, Gmail or other address, this step can be skipped. However you may find that applying the Azure Pass Credits in section 2 below will not work if the account has been used to log in to the Azure Portal on a previous occasion.

2. Redeem your Azure Pass and activate the credit

If you are setting up an Azure Pass or creating a Microsoft Account for the purposes of this lab, please visit the Account Creation page.

3. Log in to the Azure Portal

The Azure Pass setup should take you to the Azure Portal, but if it does not, open a new browser window and navigate to the Azure Portal address, https://portal.azure.com. Log in with your new account credentials.

4. Configure Azure Cloud Shell

The workshop labs use a combination of Azure CLI and PowerShell commands which can be run directly in the Azure Portal using the Azure Cloud Shell. Azure Cloud Shell is an in-browser command line experience which removes the need for any local computer configuration/setup, and connects directly into your Azure environment using the identity you are logged in to the Portal with.

For more information on Azure Cloud Shell, please refer to the Microsoft Azure documentation on the topic here: https://azure.microsoft.com/en-gb/features/cloud-shell/

Initiating the Cloud Shell will create the following resources:

  • A Resource Group containing the resources required to run the Cloud Shell components
  • A Storage Account to maintain state and persist files
  • A file share which can be mounted into the Cloud Shell

Note that the file share persists your Cloud Shell home directory between sessions, including shell history and any files you save there. Treat it like any other storage that may hold credentials: do not keep secrets in it, and do not grant other users access to the Storage Account.

4.1 Configure Cloud Shell:

  • On the Azure Portal, click the Cloud Shell link on the very top bar of the portal screen. The Cloud Shell window will open in the bottom half of the screen.

  • At the Welcome to Azure Cloud Shell screen, click Bash

  • The system will tell you that you have no storage configured. Click the Show advanced settings link.

  • To configure the storage on the Advanced Settings page:

    • The Subscription field should default to your Subscription name. If not, set this to the required Azure Subscription.

    • Set the Cloud Shell region to West Europe

    • Under Resource Group, ensure Create New is selected and enter a name for a new Azure Resource Group, which will be a container for the new Storage Account. This can be anything you choose.

    • Set Storage Account to Create New and enter the name for the Storage Account. Please note that Storage Account names must conform to the following conventions:

      • Must be between 3 and 24 characters long
      • Can contain numbers and lower-case letters only
      • Must be unique across all of Azure, not just your Subscription
    • Create a new File Share, again with the name of your choice. File Shares follow a slightly different naming convention:

      • Must be between 3 and 63 characters long
      • File share names can contain only lowercase letters, numbers, and hyphens
      • Names must begin and end with a letter or a number
      • The name cannot contain two consecutive hyphens
    • Click Create Storage. The system will provision your storage account for the Cloud Shell and attempt to create a new shell session.

When successful, a command prompt will appear within the bottom half of the Azure window:

(Screenshot: /images/homepage/intro CloudShellCreated.png, the Cloud Shell prompt)

4.2 Testing the new shell

The new Cloud Shell can be tested by running the following command, which lists the Azure Subscriptions your account can access (it does not list Resource Groups):

az account list

The output of this command will show details of your Azure account and active Subscription (the entry with "isDefault": true is the one subsequent commands will run against)...

[
  {
    "cloudName": "AzureCloud",
    "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "isDefault": true,
    "name": "Azure Pass - Sponsorship",
    "state": "Enabled",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "user": {
      "cloudShellID": true,
      "name": "[email protected]",
      "type": "user"
    }
  }
]

WORKSHOP TIP: Copy and paste the id property value from the output of your command into a new Notepad / text editor window. This is the Subscription ID for the account you are using, which will be used in some of the commands during the workshop labs.


5. Create a resource group

VERY IMPORTANT: Use the location 'westeurope' to deploy your infrastructure for all labs, and for all CLI commands where the location parameter is specified. This reduces the chance of problems with the Azure Pass credits and with the availability of the resource types the labs use.

Run the following command to create a resource group, providing your own resource group name for the --name parameter. This resource group will be used throughout the workshop and is a container inside which all Azure resources will be created, and against which the ARM Template will be deployed.

When considering a name for the resource group, make it something useful such as workshop-resources, my-resource-group or similar.


Parameters:

  • --location: westeurope
  • --name: your own Resource Group name

Command:

az group create --location <location> --name <resource-group-name>

The output from the command will appear similar to this...

{
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/my-resource-group",
  "location": "westeurope",
  "managedBy": null,
  "name": "my-resource-group",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": null
}
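The setup steps above can be checked before anything is billed. The following pre-flight script is an added example written for this page, not code from the workshop repository: it encodes the Storage Account and File Share naming rules from step 4.1, the Resource Group naming rules Azure applies, and the westeurope requirement from step 5, and only touches the Subscription when the az CLI is present and already logged in (as it is inside Cloud Shell). The sample names wsstorage01, ws-share and workshop-resources are assumptions, and the resource group check is deliberately limited to ASCII characters; the az calls (az group show, az group create, az account show --query id -o tsv) are the standard CLI forms.

```shell
#!/usr/bin/env sh
# Added pre-flight helper for the "Getting set up" steps (not part of the
# workshop repository). The name checks run offline; the az calls at the
# bottom only run when the CLI is installed and logged in.

WORKSHOP_LOCATION="westeurope"   # the workshop pins every deployment to West Europe

# Storage account name: 3 to 24 characters, lowercase letters and digits only.
valid_storage_account_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

# File share name: 3 to 63 characters, lowercase letters, digits and hyphens,
# starting and ending with a letter or digit, with no two consecutive hyphens.
valid_file_share_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$' || return 1
  case "$1" in *--*) return 1 ;; esac
  return 0
}

# Resource group name: 1 to 90 characters from letters, digits, underscore,
# parentheses, hyphen and period, not ending with a period. Azure also accepts
# Unicode letters; this check is limited to ASCII (assumption for the example).
valid_resource_group_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_().-]{1,90}$' || return 1
  case "$1" in *.) return 1 ;; esac
  return 0
}

# Every --location used in the workshop must be the pinned region.
check_location() {
  [ "$1" = "$WORKSHOP_LOCATION" ]
}

# Create the resource group if it is missing, then read location and
# provisioningState back from the service rather than trusting local variables.
ensure_resource_group() {
  rg="$1"
  valid_resource_group_name "$rg" || { echo "rejected resource group name: $rg" >&2; return 1; }
  if ! az group show --resource-group "$rg" >/dev/null 2>&1; then
    az group create --location "$WORKSHOP_LOCATION" --name "$rg" >/dev/null || return 1
  fi
  loc=$(az group show --resource-group "$rg" --query location -o tsv)
  state=$(az group show --resource-group "$rg" --query properties.provisioningState -o tsv)
  check_location "$loc" && [ "$state" = "Succeeded" ]
}

# Constructed sample names (assumptions); override them from the environment.
STORAGE_NAME="${STORAGE_NAME:-wsstorage01}"
SHARE_NAME="${SHARE_NAME:-ws-share}"
RG_NAME="${RG_NAME:-workshop-resources}"

# Reject bad names before any billable resource is requested.
preflight() {
  valid_storage_account_name "$STORAGE_NAME" || { echo "rejected storage account name: $STORAGE_NAME" >&2; return 1; }
  valid_file_share_name "$SHARE_NAME"        || { echo "rejected file share name: $SHARE_NAME" >&2; return 1; }
  valid_resource_group_name "$RG_NAME"       || { echo "rejected resource group name: $RG_NAME" >&2; return 1; }
  check_location "$WORKSHOP_LOCATION"
}

# Only talk to Azure when the CLI is present and a login exists (e.g. Cloud Shell).
if command -v az >/dev/null 2>&1 && az account show >/dev/null 2>&1; then
  preflight || exit 1
  echo "Subscription ID: $(az account show --query id -o tsv)"
  ensure_resource_group "$RG_NAME" && echo "Resource group $RG_NAME ready in $WORKSHOP_LOCATION"
fi
```

Run it as is to validate the names offline, or paste it into Cloud Shell to create the resource group. The location and provisioning state are read back with az group show after creation because a pre-existing group with the same name in another region would otherwise pass silently, and every later lab assumes westeurope.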

Next lab ...

The next lab is [Lab 0 - Deploying the workshop infrastructure](Lab-0.-Deploying the workshop infrastructure).

