# Lab 04 - Implement Virtual Networking
## Lab requirements
This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US** and **West Europe**.
## Estimated time: 40 minutes
## Lab scenario
Your global organization plans to implement virtual networks. These networks are in East US, West Europe, and Southeast Asia. The immediate goal is to accommodate all the existing resources. However, the organization is in a growth phase and wants to ensure there is additional capacity for the growth.
The **CoreServicesVnet** virtual network is deployed in the **East US** region. This virtual network has the largest number of resources. The network has connectivity to on-premises networks through a VPN connection. This network has web services, databases, and other systems that are key to the operations of the business. Shared services, such as domain controllers and DNS, are located here. A large amount of growth is anticipated, so a large address space is necessary for this virtual network.
The **ManufacturingVnet** virtual network is deployed in the **West Europe** region, near the location of your organization's manufacturing facilities. This virtual network contains systems for the operations of the manufacturing facilities. The organization is anticipating a large number of internal connected devices for their systems to retrieve data from, such as temperature, and needs an IP address space that it can expand into.
## Interactive lab simulation
An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-700%20Lab%20Simulation%20-%20Design%20and%20implement%20a%20virtual%20network%20in%20Azure)** is available for this topic. The simulation lets you click through a similar scenario at your own pace. There are differences between the interactive simulation and this hosted lab, but the core concepts and ideas being demonstrated are the same. An Azure subscription is not required.
## Tasks
+ Task 1: Create a resource group.
+ Task 2: Create the CoreServicesVnet virtual network and subnets.
+ Task 3: Create the ManufacturingVnet virtual network and subnets.
+ Task 4: Configure a Network Security Group.
## Architecture diagram
![Network layout](../media/az104-lab04-diagram.png)
| **Virtual Network** | **VNet address and region** | **Subnet** | **Subnet address** |
| ------------------- | ------------ | --------------------------------- | ------------------------- |
| CoreServicesVnet | 10.20.0.0/16 East US | SharedServicesSubnet | 10.20.10.0/24 |
| | | DatabaseSubnet | 10.20.20.0/24 |
| ManufacturingVnet | 10.30.0.0/16 West Europe | SensorSubnet1 | 10.30.20.0/24 |
| | | SensorSubnet2 | 10.30.21.0/24 |
These virtual networks and subnets are structured in a way that accommodates existing resources yet allows for the projected growth. Let's create these virtual networks and subnets to lay the foundation for our networking infrastructure.
>**Did you know?**: It is a good practice to avoid overlapping IP address ranges to reduce issues and simplify troubleshooting. Overlapping is a concern across the entire network, whether in the cloud or on-premises. Many organizations design an enterprise-wide IP addressing scheme to avoid overlapping and plan for future growth.
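
One way to check the address plan in the table above before anything is deployed, as an added Python example that is not part of the original lab. `check_plan` and `usable_addresses` are hypothetical helper names, and `external` is an optional set of ranges already in use elsewhere (for example on-premises).

```python
import ipaddress
from itertools import combinations

# Address plan copied from the lab's table: VNet -> (address space, subnets).
PLAN = {
    "CoreServicesVnet": ("10.20.0.0/16", {
        "SharedServicesSubnet": "10.20.10.0/24",
        "DatabaseSubnet": "10.20.20.0/24"}),
    "ManufacturingVnet": ("10.30.0.0/16", {
        "SensorSubnet1": "10.30.20.0/24",
        "SensorSubnet2": "10.30.21.0/24"}),
}
AZURE_RESERVED = 5  # Azure reserves five addresses in every subnet


def check_plan(plan, external=None):
    """Return a list of problems; an empty list means the plan is consistent.

    `external` maps a label to a CIDR already used outside Azure.
    """
    problems = []
    spaces = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in plan.items()}
    ranges = {**spaces, **{k: ipaddress.ip_network(v) for k, v in (external or {}).items()}}
    # 1. No address space may overlap another VNet or an external range.
    for (a, net_a), (b, net_b) in combinations(ranges.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    for vnet, (_, subnets) in plan.items():
        nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
        # 2. Every subnet must sit inside its VNet's address space.
        for name, net in nets.items():
            if not net.subnet_of(spaces[vnet]):
                problems.append(f"{name} {net} is outside {vnet} {spaces[vnet]}")
        # 3. Subnets of one VNet must not overlap each other.
        for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
            if net_a.overlaps(net_b):
                problems.append(f"{a} {net_a} overlaps {b} {net_b} in {vnet}")
    return problems


def usable_addresses(cidr):
    """Addresses left for resources in a subnet after Azure's reserved ones."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED
```
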
## Task 1: Create a resource group
### Create a resource group for all the resources in this lab.
1. Sign in to the **Azure portal** - `http://portal.azure.com`.
1. Search for and select **Resource groups**, then select **+ Create**.
1. Create the resource group with these settings.
| **Tab** | **Option** | **Value** |
| --------------- | ------------------------------------------ | -------------------- |
| Basics | Resource group | `az104-rg4` |
| | Region | (US) **East US** |
| Tags | No changes required | |
1. When finished, select **Review + create** and then **Create**.
## Task 2: Create the CoreServicesVnet virtual network and subnets
The organization plans a large amount of growth for core services. In this task, you create the virtual network and the associated subnets to accommodate the existing resources and planned growth.
1. Search for and select **Virtual Networks**.
![Azure portal home page Global Search bar results for virtual network.](../media/az104-lab04-vnet-search.png)
1. Select **Create** on the Virtual networks page.
![Create a virtual network wizard.](../media/az104-lab04-createvnet.png)
3. Use the information in the following table to create the CoreServicesVnet virtual network.
| **Tab** | **Option** | **Value** |
| ------------ | ------------------ | -------------------- |
| Basics | Resource Group | **az104-rg4** |
| | Name | `CoreServicesVnet` |
| | Region | (US) **East US** |
| IP Addresses | IPv4 address space | `10.20.0.0/16` (Delete or overwrite the IP address space) |
![IP address configuration for azure virtual network deployment](../media/az104-lab04-address-space.png)
4. Create the CoreServicesVnet subnets. To begin, delete the **default** subnet, then select **+ Add subnet**. To finish creating each subnet, select **Add**.
| **Subnet** | **Option** | **Value** |
| ---------------------- | -------------------- | ---------------------- |
| SharedServicesSubnet | Subnet name | `SharedServicesSubnet` |
| | Starting address | `10.20.10.0` |
| | Size | `/24` |
| DatabaseSubnet | Subnet name | `DatabaseSubnet` |
| | Starting address | `10.20.20.0` |
| | Size | `/24` |
1. To finish creating the CoreServicesVnet and its associated subnets, select **Review + create**.
1. Verify your configuration passed validation, and then select **Create**.
1. Wait for the virtual network to deploy and then select **Go to resource**.
1. In the **Automation** section, select **Export template**, and then wait for the template to be generated.
1. **Download** the template.
1. Navigate on the local machine to the **Downloads** folder and **Extract all** the files in the downloaded zip file.
1. Before proceeding ensure you have two files **template.json** and **parameters.json**. Take a minute to review the files and the information about the CoreServicesVnet. You will use this template to create the ManufacturingVnet in the next task.
## Task 3: Create the ManufacturingVnet virtual network and subnets
In this task, you create the ManufacturingVnet virtual network and associated subnets. The organization anticipates growth for the manufacturing offices so the subnets are sized for the expected growth.
1. Edit the local **template.json** file in the **Downloads** folder. If you are using Visual Studio Code, be sure you are working in a **trusted window** and not in **restricted mode**.
### Make changes for the ManufacturingVnet virtual network
1. Replace all occurrences of **CoreServicesVnet** with `ManufacturingVnet`.
1. Replace all occurrences of **eastus** with `westeurope`.
1. Replace all occurrences of **10.20.0.0/16** with `10.30.0.0/16`.
### Make changes for the ManufacturingVnet subnets
1. Change all occurrences of **SharedServicesSubnet** to `SensorSubnet1`.
1. Change all occurrences of **10.20.10.0/24** to `10.30.20.0/24`.
1. Change all occurrences of **DatabaseSubnet** to `SensorSubnet2`.
1. Change all occurrences of **10.20.20.0/24** to `10.30.21.0/24`.
1. Read back through the file and ensure everything looks correct.
1. Be sure to **Save** your changes.
>**Note:** If this is just getting too difficult, the final completed files are in the Lab 04 Downloads folder.
### Make changes to the parameters.json file
1. Edit the local **parameters.json** file and change **CoreServicesVnet** to `ManufacturingVnet`.
1. Make sure everything looks correct and **Save** your changes.
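
The Task 3 find-and-replace steps for **template.json**, followed by a check of the result, as an added Python example that is not part of the original lab. `SAMPLE_TEMPLATE` is a constructed, simplified stand-in for the exported file, and `rewrite`, `walk` and `audit` are hypothetical helper names.

```python
import ipaddress
import json

# Old value -> new value, exactly as listed in Task 3.
SUBSTITUTIONS = [
    ("CoreServicesVnet", "ManufacturingVnet"), ("eastus", "westeurope"),
    ("10.20.0.0/16", "10.30.0.0/16"),
    ("SharedServicesSubnet", "SensorSubnet1"), ("10.20.10.0/24", "10.30.20.0/24"),
    ("DatabaseSubnet", "SensorSubnet2"), ("10.20.20.0/24", "10.30.21.0/24"),
]
# Constructed, simplified stand-in for the exported template.json.
SAMPLE_TEMPLATE = json.dumps({
    "parameters": {"virtualNetworks_CoreServicesVnet_name": {"defaultValue": "CoreServicesVnet"}},
    "resources": [{
        "type": "Microsoft.Network/virtualNetworks", "location": "eastus",
        "name": "[parameters('virtualNetworks_CoreServicesVnet_name')]",
        "properties": {
            "addressSpace": {"addressPrefixes": ["10.20.0.0/16"]},
            "subnets": [
                {"name": "SharedServicesSubnet", "properties": {"addressPrefix": "10.20.10.0/24"}},
                {"name": "DatabaseSubnet", "properties": {"addressPrefix": "10.20.20.0/24"}}]}}]})

def rewrite(text):
    """Apply every Task 3 substitution to the template text."""
    for old, new in SUBSTITUTIONS:
        text = text.replace(old, new)
    return text

def walk(node, key=""):
    """Yield (key, string) for each string value; dict keys are yielded with key ''."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield "", k
            yield from walk(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v, key)
    elif isinstance(node, str):
        yield key, node

def audit(text, vnet="10.30.0.0/16", region="westeurope"):
    """Return the problems found in an edited template; [] means none were found."""
    problems, space = [], ipaddress.ip_network(vnet)
    for key, value in walk(json.loads(text)):  # json.loads also catches broken syntax
        problems += [f"leftover {old!r} in {value!r}" for old, _ in SUBSTITUTIONS if old in value]
        if key == "location" and value != region:
            problems.append(f"location is {value!r}, expected {region!r}")
        if key.startswith("addressPrefix") and not ipaddress.ip_network(value).subnet_of(space):
            problems.append(f"{value} is outside {vnet}")
    return problems
```

Running `audit` on a hand-edited file before uploading it catches a missed occurrence, such as a subnet prefix still in `10.20.0.0/16`, before the deployment does.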
>**Note:** You can now deploy the template with either Azure PowerShell (option 1) or the Bash shell (option 2). Your choice, but only do one type of deployment.
### Deploy the template with Azure PowerShell (option 1)
1. Open the Cloud Shell, and select **PowerShell**.
1. If necessary, use the **Advanced** settings to create disk storage for the Cloud Shell. Detailed steps are in Lab 03.
1. In the Cloud Shell, use the **Upload** icon to upload the template and parameters files. You will need to upload each separately.
1. Verify your files are available in the Cloud Shell storage.
```powershell
dir
```
1. Deploy the template to the az104-rg4 resource group.
```powershell
New-AzResourceGroupDeployment -ResourceGroupName az104-rg4 -TemplateFile template.json -TemplateParameterFile parameters.json
```
1. Ensure the command completes and the ProvisioningState is **Succeeded**.
>**Note:** If you need to make changes to the files, be sure to **rm** (remove) the old file before uploading the new one.
1. Before continuing, return to the portal and ensure the ManufacturingVnet virtual network and subnets were created. You may need to **Refresh** the virtual networks page.
### Deploy the template with Bash (option 2)
1. Open the Cloud Shell, and select **Bash**.
1. If necessary, use the **Advanced** settings to create disk storage for the Cloud Shell.
1. In the Cloud Shell, use the **Upload** icon to upload the template and parameters files. You will need to upload each separately.
1. Verify your files are available in the Cloud Shell storage.
```sh
ls
```
1. Deploy the template to the az104-rg4 resource group.
```sh
az deployment group create --resource-group az104-rg4 --template-file template.json --parameters parameters.json
```
1. Ensure the command completes and the ProvisioningState is **Succeeded**.
1. Return to the portal, and ensure the **ManufacturingVnet** and associated subnets were created. You may need to **Refresh** the virtual networks page.
## Task 4: Configure a Network Security Group
In this task, we create a network security group, associate it with a subnet, and add inbound and outbound rules.
### Create an application security group
1. In the Azure portal, search for and select **Application security groups**.
1. Click **Create** and provide the basic information.
| Setting | Value |
| -- | -- |
| Subscription | *your subscription* |
| Resource group | **az104-rg4** |
| Name | `asg-web` |
| Region | **(US) East US** |
1. Click **Review + create** and then after the validation click **Create**.
### Create the network security group and associate it with a subnet
1. In the Azure portal, search for and select **Network security groups**.
1. Select **Create** and provide information on the **Basics** tab.
| Setting | Value |
| -- | -- |
| Subscription | *your subscription* |
| Resource group | **az104-rg4** |
| Name | `myNSGSecure` |
| Region | **(US) East US** |
1. Click **Review + create** and then after the validation click **Create**.
1. After the NSG is created, click **Go to resource**.
1. Under **Settings** click **Subnet** and then **Associate**.
| Setting | Value |
| -- | -- |
| Virtual network | **CoreServicesVnet (az104-rg4)** |
| Subnet | **SharedServicesSubnet** |
1. Click **OK** to save the association.
### Configure an inbound security rule
1. In the **Settings** area, select **Inbound security rules**.
1. Review the default inbound rules. Notice that only other virtual networks and load balancers are allowed access.
1. Click **Add inbound port rule**. Click **Add** when you are done.
| Setting | Value |
| -- | -- |
| Source | **Any** |
| Source port ranges | **\*** |
| Destination | **Application security group** |
| Destination application security groups | **asg-web** |
| Service | **Custom** (notice your other choices) |
| Destination port ranges | **80,443** |
| Protocol | **TCP** |
| Action | **Allow** |
| Priority | **100** |
| Name | **AllowInternet** |
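
How the inbound rule set on **myNSGSecure** is evaluated once **AllowInternet** is added, as an added Python example that is not part of the original lab. It is a simplified model, not Azure's implementation: the source is reduced to a service tag, the target NIC is assumed to be in the associated subnet, and `Rule`, `matches` and `evaluate` are hypothetical names.

```python
from collections import namedtuple

# source: "Any" or a service tag; dest: "Any", a service tag, or "asg:<name>";
# ports: empty set means any port; protocol: "TCP", "UDP" or "Any".
Rule = namedtuple("Rule", "name priority source dest ports protocol action")

ANY_PORT = frozenset()
# Default inbound rules that every NSG carries.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", ANY_PORT, "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "Any", ANY_PORT, "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Any", "Any", ANY_PORT, "Any", "Deny"),
]
# The rule added in this task, with the values from the table above.
ALLOW_INTERNET = Rule("AllowInternet", 100, "Any", "asg:asg-web",
                      frozenset({80, 443}), "TCP", "Allow")
MY_NSG_SECURE = DEFAULT_INBOUND + [ALLOW_INTERNET]


def matches(rule, src_tag, nic_asgs, port, protocol):
    """True when a flow to a NIC in the associated subnet matches the rule."""
    if rule.source not in ("Any", src_tag):
        return False
    if rule.dest.startswith("asg:") and rule.dest[4:] not in nic_asgs:
        return False  # an ASG rule only covers NICs that are members of the group
    # Assumption: the target NIC is inside the VNet, so a destination of
    # "Any" or "VirtualNetwork" always matches in this model.
    if rule.ports and port not in rule.ports:
        return False
    return rule.protocol in ("Any", protocol)


def evaluate(rules, src_tag, nic_asgs, port, protocol):
    """Return (action, rule name) for the first match, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src_tag, nic_asgs, port, protocol):
            return rule.action, rule.name
    raise LookupError("no rule matched")  # not reached while DenyAllInBound is present
```

In this model a NIC that is not a member of **asg-web** still has Internet traffic on port 443 denied by **DenyAllInBound**, because the new rule is scoped to the application security group rather than to the whole subnet.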