diff --git a/Instructions/Labs/LAB_01-Manage_Entra_ID_Identities.md b/Instructions/Labs/LAB_01-Manage_Entra_ID_Identities.md
index ac4dfffe..1f81fa7e 100644
--- a/Instructions/Labs/LAB_01-Manage_Entra_ID_Identities.md
+++ b/Instructions/Labs/LAB_01-Manage_Entra_ID_Identities.md
@@ -6,292 +6,156 @@ lab:
# Lab 01 - Manage Microsoft Entra ID Identities
-# Student lab manual
+## Lab introduction
-## Lab scenario
-
-In order to allow Contoso users to authenticate by using Microsoft Entra ID, you have been tasked with provisioning users and group accounts. Membership of the groups should be updated automatically based on the user job titles. You also need to create a test tenant with a test user account and grant that account limited permissions to resources in the Contoso Azure subscription.
-
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%201)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
-
-## Objectives
-
-In this lab, you will:
-
-+ Task 1: Create and configure users
-+ Task 2: Create groups with assigned and dynamic membership
-+ Task 3: Create a tenant (Optional - lab environment issue)
-+ Task 4: Manage guest users (Optional - lab environment issue)
+This is the first in a series of labs for Azure Administrators. In this lab, you learn about users and groups. Users and groups are the basic building blocks for an identity solution.
## Estimated timing: 30 minutes
+## Lab scenario
+
+Your organization is building a new lab environment for pre-production testing of apps and services. A few engineers are being hired to manage the lab environment, including the virtual machines. To allow the engineers to authenticate by using Microsoft Entra ID, you have been tasked with provisioning users and groups. To minimize administrative overhead, membership of the groups should be updated automatically based on job titles.
+
+## Interactive lab simulation
+
+This lab uses an interactive lab simulation. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
+
+>**Note:** This simulation is being updated. Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).
+
++ [Manage Entra ID Identities](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%201). Create and configure users and assign to groups. Create an Azure tenant and manage guest accounts.
+
## Architecture diagram
-
+
-### Instructions
+## Job skills
-## Exercise 1
++ Task 1: Create and configure user accounts.
++ Task 2: Create groups and add members.
-## Task 1: Create and configure users
+## Task 1: Create and configure user accounts
-In this task, you will create and configure users.
+In this task, you will create and configure user accounts. User accounts will store user data such as name, department, location, and contact information.
->**Note**: If you have previously used the Trial license for Microsoft Entra ID on this tenant you will need a new tenant and perform Task 2 after Task 3 in the new tenant.
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. Sign in to the [Azure portal](https://portal.azure.com).
+ >**Note:** The Azure portal is used in all the labs. If you are new to the Azure, search for and select `Quickstart Center`. Take a few minutes to watch the **Getting started in the Azure portal** video. Even if you have used the portal before, you will find a few tips and tricks on navigating and customizing the interface.
+
+1. Search for and select `Microsoft Entra ID`. Microsoft Entra ID is Azure's cloud-based identity and access management solution. Take a few minutes to familiarize yourself with some of the features listed in the left pane.
-1. In the Azure portal, search for and select **Microsoft Entra ID**.
+1. Select the **Overview** blade and then the **Manage tenants** tab.
-1. On the Microsoft Entra ID blade, scroll down to the **Manage** section, click **User settings**, and review available configuration options.
+ >**Did you know?** A tenant is a specific instance of Microsoft Entra ID containing accounts and groups. Depending on your situation, you can create more tenants and **Switch** between them.
-1. On the Microsoft Entra ID blade, in the **Manage** section, click **Users**, and then click your user account to display its **Profile** settings.
+1. Return to the **Entra ID** page and select **Licenses**. From here you can purchase a license, manage the licenses you have, and assign licenses to users and groups. Select **Licensed features** to see what is available.
+
+### Create a new user
-1. Click **Edit properties**, and then in the **Settings** tab, set **Usage location** to **United States** and click **Save** to apply the change.
+1. Select **Users**, then in the **New user** drop-down select **Create new user**.
- >**Note**: This is necessary in order to assign an Microsoft Entra ID P2 license to your user account later in this lab.
-
-1. Navigate back to the **Users - All users** blade, and then click **+ New user**.
-
-1. Create a new user with the following settings (leave others with their defaults):
+1. Create a new user with the following settings (leave others with their defaults). On the **Properties** tab notice all the different types of information that can be included in the user account.
| Setting | Value |
| --- | --- |
- | User principal name | **az104-01a-aaduser1** |
- | Display name | **az104-01a-aaduser1** |
- | Auto-generate password | de-select |
- | Initial password | **Provide a secure password** |
- | Job title (Properties tab) | **Cloud Administrator** |
- | Department (Properties tab) | **IT** |
+ | User principal name | `az104-user1` |
+ | Display name | `az104-user1` |
+ | Auto-generate password | **checked** |
+ | Account enabled | **checked** |
+ | Job title (Properties tab) | `IT Lab Administrator` |
+ | Department (Properties tab) | `IT` |
| Usage location (Properties tab) | **United States** |
- >**Note**: **Copy to clipboard** the full **User Principal Name** (user name plus domain). You will need it later in this task.
+1. Once you have finished reviewing, select **Review + create** and then **Create**.
-1. In the list of users, click the newly created user account to display its blade.
+1. Refresh the page and confirm your new user was created.
-1. Review the options available in the **Manage** section and note that you can identify the roles assigned to the user account as well as the user account's permissions to Azure resources.
+### Invite an external user
-1. In the **Manage** section, click **Assigned roles**, then click **+ Add assignment** button and assign the **User administrator** role to **az104-01a-aaduser1**.
-
- >**Note**: You also have the option of assigning roles when provisioning a new user.
-
-1. Open an **InPrivate** browser window and sign in to the [Azure portal](https://portal.azure.com) using the newly created user account. When prompted to update the password, change the password to a secure password of your choosing.
-
- >**Note**: Rather than typing the user name (including the domain name), you can paste the content of Clipboard.
-
-1. In the **InPrivate** browser window, in the Azure portal, search for and select **Microsoft Entra ID**.
-
- >**Note**: While this user account can access the tenant, it does not have any access to Azure resources. This is expected, since such access would need to be granted explicitly by using Azure Role-Based Access Control.
-
-1. In the **InPrivate** browser window, on the Microsoft Entra ID blade, scroll down to the **Manage** section, click **User settings**, and note that you do not have permissions to modify any configuration options.
-
-1. In the **InPrivate** browser window, on the Microsoft Entra ID blade, in the **Manage** section, click **Users**, and then click **+ New user**.
-
-1. Create a new user with the following settings (leave others with their defaults):
+1. In the **New user** drop-down select **Invite an external user**.
| Setting | Value |
| --- | --- |
- | User principal name | **az104-01a-aaduser2** |
- | Display name | **az104-01a-aaduser2** |
- | Auto-generate password | de-select |
- | Initial password | **Provide a secure password** |
- | Job title | **System Administrator** |
- | Department | **IT** |
- | Usage location | **United States** |
+ | Email | your email address |
+ | Display name | your name |
+ | Send invite message | **check the box** |
+ | Message | `Welcome to Azure and our group project` |
+
+1. Move to the **Properties** tab. Complete the basic information, including these fields.
+
+ | Setting | Value |
+ | --- | --- |
+ | Job title | `IT Lab Administrator` |
+ | Department | `IT` |
+ | Usage location (Properties tab) | **United States** |
+
+1. Select **Review + invite**, and then **Invite**.
+
+1. **Refresh** the page and confirm the invited user was created. You should receive the invitation email shortly.
+
+ >**Note:** It is unlikely you will be creating user accounts individually. Do you know how your organization plans to create and manage user accounts?
-1. Sign out as the az104-01a-aaduser1 user from the Azure portal and close the InPrivate browser window.
+### Task 2: Create groups and add members
-## Task 2: Create groups with assigned and dynamic membership
+In this task, you create a group account. Group accounts can include user accounts or devices. These are two basic ways members are assigned to groups: Statically and Dynamically. Static groups require administrators to add and remove members manually. Dynamic groups update automatically based on the properties of a user account or device. For example, job title.
-In this task, you will create groups with assigned and dynamic membership.
+1. In the Azure portal, search for and select `Groups`.
-1. Back in the Azure portal where you are signed in with your **user account**, navigate back to the **Overview** blade of the tenant and, in the **Manage** section, click **Licenses**.
+1. Take a minute to familiarize yourself with the group settings in the left pane.
- >**Note**: Microsoft Entra ID Premium P1 or P2 licenses are required in order to implement dynamic groups.
+ + **Expiration** lets you configure a group lifetime in days. After that time the group must be renewed by the owner.
+ + **Naming policy** lets you configure blocked words and add a prefix or suffix to group names.
-1. In the **Manage** section, click **All products**.
-
-1. Click **+ Try/Buy** and activate the free trial of Microsoft Entra ID Premium P2.
-
-1. Refresh the browser window to verify that the activation was successful.
-
- >**Note**: It can take up to 10 minutes for the licenses to activate. Continue refreshing the page until it appears. Do not proceed until the licenses have been activated.
-
-1. From the **Licenses - All products** blade, select the **Microsoft Entra ID P2** entry, and assign all license options to your user account and the two newly created user accounts.
-
-1. In the Azure portal, navigate back to the Microsoft Entra ID tenant blade and click **Groups**.
-
-1. Use the **+ New group** button to create a new group with the following settings:
+1. In the **All groups** blade, select **+ New group** and create a new group.
| Setting | Value |
| --- | --- |
| Group type | **Security** |
- | Group name | **IT Cloud Administrators** |
- | Group description | **Contoso IT cloud administrators** |
- | Membership type | **Dynamic User** |
-
- >**Note**: If the **Membership type** drop-down list is grayed out, wait a few minutes and refresh the browser page.
-
-1. Click **Add dynamic query**.
-
-1. On the **Configure Rules** tab of the **Dynamic membership rules** blade, create a new rule with the following settings:
-
- | Setting | Value |
- | --- | --- |
- | Property | **jobTitle** |
- | Operator | **Equals** |
- | Value | **Cloud Administrator** |
-
-1. Save the rule by clicking **+Add expression** and **Save**. Back on the **New Group** blade, click **Create**.
-
-1. Back on the **Groups - All groups** blade of the tenant, click the **+ New group** button and create a new group with the following settings:
-
- | Setting | Value |
- | --- | --- |
- | Group type | **Security** |
- | Group name | **IT System Administrators** |
- | Group description | **Contoso IT system administrators** |
- | Membership type | **Dynamic User** |
-
-1. Click **Add dynamic query**.
-
-1. On the **Configure Rules** tab of the **Dynamic membership rules** blade, create a new rule with the following settings:
-
- | Setting | Value |
- | --- | --- |
- | Property | **jobTitle** |
- | Operator | **Equals** |
- | Value | **System Administrator** |
-
-1. Save the rule by clicking **+Add expression** and **Save**. Back on the **New Group** blade, click **Create**.
-
-1. Back on the **Groups - All groups** blade of the tenant, click the **+ New group** button, and create a new group with the following settings:
-
- | Setting | Value |
- | --- | --- |
- | Group type | **Security** |
- | Group name | **IT Lab Administrators** |
- | Group description | **Contoso IT Lab administrators** |
+ | Group name | `IT Lab Administrators` |
+ | Group description | `Administrators that manage the IT lab` |
| Membership type | **Assigned** |
+
+ >**Note**: An Entra ID Premium P1 or P2 license is required for dynamic membership. If other **Membership types** are available, the options will show up in the drop-down.
-1. Click **No members selected**.
+ 
-1. From the **Add members** blade, search and select the **IT Cloud Administrators** and **IT System Administrators** groups and, back on the **New Group** blade, click **Create**.
+1. Select **No owners selected**.
-1. Back on the **Groups - All groups** blade, click the entry representing the **IT Cloud Administrators** group and, on then display its **Members** blade. Verify that the **az104-01a-aaduser1** appears in the list of group members.
+1. In the **Add owners** page, search for and **select** yourself as the owner. Notice you can have more than one owner.
- >**Note**: You might experience delays with updates of the dynamic membership groups. To expedite the update, navigate to the group blade, display its **Dynamic membership rules** blade, **Edit** the rule listed in the **Rule syntax** textbox by adding a whitespace at the end, and **Save** the change.
+1. Select **No members selected**.
-1. Navigate back to the **Groups - All groups** blade, click the entry representing the **IT System Administrators** group and, on then display its **Members** blade. Verify that the **az104-01a-aaduser2** appears in the list of group members.
+1. In the **Add members** pane, search for and **select** the **az104-user1** and the **guest user** you invited. Add both of the users to the group.
-## Task 3: Create a tenant (Optional - Possible captcha issues, paid subscription required)
+1. Select **Create** to deploy the group.
-In this task, you will create a new tenant.
-
-1. In the Azure portal, search for and select **Microsoft Entra ID**.
+1. **Refresh** the page and ensure your group was created.
- >**Note**: There is a known issue with the Captcha verification in the lab environment. If you receive the error **Creation failed. Too many requests, please try later**, do the following:
- - Try the creation a few times.
- - Check the **Manage tenant** section to ensure the tenant wasn't created in the background.
- - Open a new **InPrivate** window and using the Azure Portal and try to create the tenant from there.
- Raise the problem with the trainer, then use the **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%201)** to view the steps.
- - You can try this task later, but creating a tenant isn't required in other labs.
+1. Select the new group and review the **Members** and **Owners** information.
-1. Click **Manage tenants**, and then on the next screen, click **+ Create**, and specify the following setting:
+>**Note:** You may be managing a large number of groups. Does your organization have a plan for creating groups and adding members?
+
+## Cleanup your resources
- | Setting | Value |
- | --- | --- |
- | Directory type | **Microsoft Entra ID** |
-
-1. Click **Next : Configuration**
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
- | Setting | Value |
- | --- | --- |
- | Organization name | **Contoso Lab** |
- | Initial domain name | any valid DNS name consisting of lower case letters and digits and starting with a letter |
- | Country/Region | **United States** |
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
+
+## Key takeaways
- > **Note**: The **Initial domain name** should not be a legitimate name that potentially matches your organization or another. The green check mark in the **Initial domain name** text box will indicate that the domain name you typed in is valid and unique.
+Congratulations on completing the lab. Here are some main takeways for this lab:
-1. Click **Review + create** and then click **Create**.
-
-1. Display the blade of the newly created tenant by using the **Click here to navigate to your new tenant: Contoso Lab** link or the **Directory + Subscription** button (directly to the right of the Cloud Shell button) in the Azure portal toolbar.
-
-## Task 4: Manage guest users.
-
-In this task, you will create guest users and grant them access to resources in an Azure subscription.
-
-1. In the Azure portal displaying the Contoso Lab tenant, in the **Manage** section, click **Users**, and then click **+ New user**.
-
-1. Create a new user with the following settings (leave others with their defaults):
-
- | Setting | Value |
- | --- | --- |
- | User principal name | **az104-01b-aaduser1** |
- | Display name | **az104-01b-aaduser1** |
- | Auto-generate password | de-select |
- | Initial password | **Provide a secure password** |
- | Job title | **System Administrator** |
- | Department | **IT** |
-
-1. Click on the newly created profile.
-
- >**Note**: **Copy to clipboard** the full **User Principal Name** (user name plus domain). You will need it later in this task.
-
-1. Return to the first tenant that you created earlier.
-2. Select **Overview** in the navigation pane.
-3. Click **Manage tenants**.
-4. Check the box next to the first tenant you created earlier, then select **Switch**.
-
-1. Navigate back to the **Users - All users** blade, and then click **+ Invite external user**.
-
-1. Invite a new guest user with the following settings (leave others with their defaults):
-
- | Setting | Value |
- | --- | --- |
- | Email | the User Principal Name you copied earlier in this task |
- | Display Name (Properties tab) | **az104-01b-aaduser1** |
- | Job title (Properties tab) | **Lab Administrator** |
- | Department (Properties tab) | **IT** |
- | Usage location (Properties tab) | **United States** |
-
-1. Click **Invite**.
-
-1. Back on the **Users - All users** blade, click the entry representing the newly created guest user account.
-
-1. On the **az104-01b-aaduser1 - Profile** blade, click **Groups**.
-
-1. Click **+ Add membership** and add the guest user account to the **IT Lab Administrators** group.
++ A tenant represents your organization and helps you to manage a specific instance of Microsoft cloud services for your internal and external users.
++ Microsoft Entra ID has user and guest accounts. Each account has a level of access specific to the scope of work expected to be done.
++ Groups combine together related users or devices. There are two types of groups including Security and Microsoft 365.
++ Group membership can be statically or dynamically assigned.
-## Task 5: Clean up resources
+## Learn more with self-paced training
-> **Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not incur unexpected costs. While, in this case, there are no additional charges associated with tenants and their objects, you might want to consider removing the user accounts, the group accounts, and the tenant you created in this lab.
++ [Understand Microsoft Entra ID](https://learn.microsoft.com/training/modules/understand-azure-active-directory/). Compare Microsoft Entra ID to Active Directory DS, learn about Microsoft Entra ID P1 and P2, and explore Microsoft Entra Domain Services for managing domain-joined devices and apps in the cloud.
++ [Create Azure users and groups in Microsoft Entra ID](https://learn.microsoft.com//training/modules/create-users-and-groups-in-azure-active-directory/). Create users in Microsoft Entra ID. Understand different types of groups. Create a group and add members. Manage business-to-business guest accounts.
++ [Allow users to reset their password with Microsoft Entra self-service password reset](https://learn.microsoft.com/training/modules/allow-users-reset-their-password/). Evaluate self-service password reset to allow users in your organization to reset their passwords or unlock their accounts. Set up, configure, and test self-service password reset.
- > **Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
-1. In the **Azure Portal** search for **Microsoft Entra ID** in the search bar. Under **Manage** select **Licenses**. Once at **Licenses** under **Manage** select **All Products** and then select **Microsoft Entra ID Premium P2** item in the list. Proceed by then selecting **Licensed Users**. Select the user accounts **az104-01a-aaduser1** and **az104-01a-aaduser2** to which you assigned licenses in this lab, click **Remove license**, and, when prompted to confirm, click **Yes**.
-1. In the Azure portal, navigate to the **Users - All users** blade, click the entry representing the **az104-01b-aaduser1** guest user account, on the **az104-01b-aaduser1 - Profile** blade click **Delete**, and, when prompted to confirm, click **OK**.
-
-1. Repeat the same sequence of steps to delete the remaining user accounts you created in this lab.
-
-1. Navigate to the **Groups - All groups** blade, select the groups you created in this lab, click **Delete**, and, when prompted to confirm, click **OK**.
-
-1. In the Azure portal, display the blade of the Contoso Lab tenant by using the **Directory + Subscription** button (directly to the right of the Cloud Shell button) in the Azure portal toolbar.
-
-1. Navigate to the **Users - All users** blade, click the entry representing the **az104-01b-aaduser1** user account, on the **az104-01b-aaduser1 - Profile** blade click **Delete**, and, when prompted to confirm, click **OK**.
-
-1. Navigate to the **Contoso Lab - Overview** blade of the Contoso Lab tenant, click **Manage tenants** and then on the next screen, select the box next to **Contoso Lab**, click **Delete**, on the **Delete tenant 'Contoso Labs'?** blade, click the **Get permission to delete Azure resources** link, on the **Properties** blade, set **Access management for Azure resources** to **Yes** and click **Save**.
-
-1. Navigate back to the **Delete tenant 'Contoso Lab'** blade and click **Refresh**, click **Delete**.
-
-> **Note**: If a tenant has a trial license, then you would have to wait for the trial license expiration before you could delete the tenant. This would not incur any additional cost.
-
-#### Review
-
-In this lab, you have:
-
-- Created and configured users
-- Created groups with assigned and dynamic membership
-- Created a tenant
-- Managed guest users
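Review bot: The added "Cleanup your resources" section tells the reader to delete the lab resource group, but none of the added steps creates a resource group. What the lab leaves behind is `az104-user1`, the invited external user and the `IT Lab Administrators` group, and the removed Task 5 steps that deleted users and groups have no replacement. Suggest replacing the resource group instructions with steps to delete the user, the guest account and the group, so an enabled account and an unused guest invitation do not linger in the tenant. Second, the new "Lab scenario" says group membership "should be updated automatically based on job titles", yet Task 2 only creates an **Assigned** group and every dynamic rule step is removed; either reword the scenario or keep one dynamic group step behind the P1/P2 note. Smaller points: `### Task 2: Create groups and add members` should be `##` to match `## Task 1`; the "Invite an external user" step goes straight into a settings table without saying to fill it in; typos "lets you to click", "new to the Azure", "These are two basic ways" (There are) and "takeways"; and the second training link has a double slash in `learn.microsoft.com//training/`.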
diff --git a/Instructions/Labs/LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md b/Instructions/Labs/LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md
index 17e71e40..b72ef26f 100644
--- a/Instructions/Labs/LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md
+++ b/Instructions/Labs/LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md
@@ -5,214 +5,175 @@ lab:
---
# Lab 02a - Manage Subscriptions and RBAC
-# Student lab manual
-## Lab requirements
+## Lab introduction
-This lab requires permissions to create users, create custom Azure Role Based Access Control (RBAC) roles, and assign these roles to users. Not all lab hosters may provide this capability. Ask your instructor for the availability of this lab.
+In this lab, you learn about role-based access control. You learn how to use permissions and scopes to control what actions identities can and cannot perform. You also learn how to make subscription management easier using management groups.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated timing: 30 minutes
## Lab scenario
-In order to improve management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
+To simplify management of Azure resources in your organization, you have been tasked with implementing the following functionality:
-- creating a management group that would include all of Contoso's Azure subscriptions
+- Creating a management group that includes all your Azure subscriptions.
-- granting permissions to submit support requests for all subscriptions in the management group to a designated user. That user's permissions should be limited only to:
+- Granting permissions to submit support requests for all subscriptions in the management group. The permissions should be limited only to:
- - creating support request tickets
- - viewing resource groups
-
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%202)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
-
-## Objectives
-
-In this lab, you will:
-
-+ Task 1: Implement Management Groups
-+ Task 2: Create custom RBAC roles
-+ Task 3: Assign RBAC roles
+ - Create and manage virtual machines
+ - Create support request tickets (do not include adding Azure providers)
-## Estimated timing: 60 minutes
+## Interactive lab simulations
+
+There are some interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
+
++ [Manage access with RBAC](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%2014). Assign built-in role to a user and monitor the activity logs.
+
++ [Manage subscriptions and RBAC](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%202). Implement a management group and create and assign a custom RBAC role.
+
++ [Open a support request](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%2022). Review support plan options, then create and monitor a support request, technical or billing.
## Architecture diagram
-
+
+## Job skills
-### Instructions
-
-## Exercise 1
++ Task 1: Implement management groups.
++ Task 2: Review and assign a built-in Azure role.
++ Task 3: Create a custom RBAC role.
++ Task 4: Monitor role assignments with the Activity Log.
## Task 1: Implement Management Groups
-In this task, you will create and configure management groups.
+In this task, you will create and configure management groups. Management groups are used to logically organize subscriptions. Subscriptions should be segmented and allow for RBAC and Azure Policy to be assigned and inherited to other management groups and subscriptions. For example, if your organization has a dedicated support team for Europe, you can organize European subscriptions into a management group to provide the support staff access to those subscriptions (without providing individual access to all subscriptions). In our scenario everyone at the Help Desk will need to create a support request across all subscriptions.
-1. Sign in to the [**Azure portal**](http://portal.azure.com).
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. Search for and select **Management groups** to navigate to the **Management groups** blade.
+1. Search for and select `Microsoft Entra ID`.
-1. Review the messages at the top of the **Management groups** blade. If you are seeing the message stating **You are registered as a directory admin but do not have the necessary permissions to access the root management group**, perform the following sequence of steps:
+1. In the **Manage** blade, select **Properties**.
- 1. In the Azure portal, search for and select **Microsoft Entra ID**.
-
- 1. On the blade displaying properties of your tenant, in the vertical menu on the left side, in the **Manage** section, select **Properties**.
-
- 1. On the **Properties** blade of your tenant, in the **Access management for Azure resources** section, select **Yes** and then select **Save**.
-
- 1. Navigate back to the **Management groups** blade, and select **Refresh**.
+1. Review the **Access management for Azure resources** area. Ensure you can manage access to all Azure subscriptions and management groups in the tenant.
+
+1. Search for and select `Management groups`.
1. On the **Management groups** blade, click **+ Create**.
- >**Note**: If you have not previously created Management Groups, select **Start using management groups**
-
-1. Create a management group with the following settings:
+1. Create a management group with the following settings. Select **Submit** when you are done.
| Setting | Value |
| --- | --- |
- | Management group ID | **az104-02-mg1** |
- | Management group display name | **az104-02-mg1** |
+ | Management group ID | `az104-mg1` (must be unique in the directory) |
+ | Management group display name | `az104-mg1` |
-1. In the list of management groups, click the entry representing the newly created management group.
+1. **Refresh** the management group page to ensure your new management group displays. This may take a minute.
-1. On the **az104-02-mg1** blade, click **Subscriptions**.
+ >**Note:** Did you notice the root management group? The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. After creating a management group, you would add any subscriptions that should be included in the group.
-1. On the **az104-02-mg1 \| Subscriptions** blade, click **+ Add**, on the **Add subscription** blade, in the **Subscription** drop-down list, select the subscription you are using in this lab and click **Save**.
+## Task 2: Review and assign a built-in Azure role
- >**Note**: On the **az104-02-mg1 \| Subscriptions** blade, copy the ID of your Azure subscription into Clipboard. You will need it in the next task.
+In this task, you will review the built-in roles and assign the VM Contributor role to a member of the Help Desk. Azure provides a large number of [built-in roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles).
-## Task 2: Create custom RBAC roles
+1. Select the **az104-mg1** management group.
-In this task, you will create a definition of a custom RBAC role.
+1. Select the **Access control (IAM)** blade, and then the **Roles** tab.
-1. From the lab computer, open the file **\\Allfiles\\Labs\\02\\az104-02a-customRoleDefinition.json** in Notepad and review its content:
+1. Scroll through the built-in role definitions that are available. **View** a role to get detailed information about the **Permissions**, **JSON**, and **Assignments**. You will often use *owner*, *contributor*, and *reader*.
- ```json
- {
- "Name": "Support Request Contributor (Custom)",
- "IsCustom": true,
- "Description": "Allows to create support requests",
- "Actions": [
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
- ],
- "NotActions": [
- ],
- "AssignableScopes": [
- "/providers/Microsoft.Management/managementGroups/az104-02-mg1",
- "/subscriptions/SUBSCRIPTION_ID"
- ]
- }
- ```
- > **Note**: If you are not sure where the files are stored locally in your lab environment, please ask your instructor.
+1. Select **+ Add**, from the drop-down menu, select **Add role assignment**.
-1. Replace the `SUBSCRIPTION_ID` placeholder in the JSON file with the subscription ID you copied into Clipboard and save the change.
+1. On the **Add role assignment** blade, search for and select the **Virtual Machine Contributor**. The Virtual machine contributor role lets you manage virtual machines, but not access their operating system or manage the virtual network and storage account they are connected to. This is a good role for the Help Desk. Select **Next**.
-1. In the Azure portal, open **Cloud Shell** pane by clicking on the toolbar icon directly to the right of the search textbox.
+ >**Did you know?** Azure originally provided only the **Classic** deployment model. This has been replaced by the **Azure Resource Manager** deployment model. As a best practice, do not use classic resources.
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+1. On the **Members** tab, **Select Members**.
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
+ >**Note:** The next step assigns the role to the **helpdesk** group. If you do not have a Help Desk group, take a minute to create it.
-1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu click **Upload**, and upload the file **\\Allfiles\\Labs\\02\\az104-02a-customRoleDefinition.json** into the Cloud Shell home directory.
+1. Search for and select the `helpdesk` group. Click **Select**.
-1. From the Cloud Shell pane, run the following to create the custom role definition:
+1. Click **Review + assign** twice to create the role assignment.
- ```powershell
- New-AzRoleDefinition -InputFile $HOME/az104-02a-customRoleDefinition.json
- ```
+1. Continue on the **Access control (IAM)** blade. On the **Role assignments** tab, confirm the **helpdesk** group has the **Virtual Machine Contributor** role.
-1. Close the Cloud Shell pane.
+ >**Note:** As a best practice always assign roles to groups not individuals.
-## Task 3: Assign RBAC roles
-
-In this task, you will create a user, assign the RBAC role you created in the previous task to that user, and verify that the user can perform the task specified in the RBAC role definition.
-
-1. In the Azure portal, search for and select **Microsoft Entra ID**, click **Users**, and then click **+ New user**.
-
-1. Create a new user with the following settings (leave others with their defaults):
-
- | Setting | Value |
- | --- | --- |
- | User name | **az104-02-aaduser1**|
- | Name | **az104-02-aaduser1**|
- | Let me create the password | enabled |
- | Initial password | **Provide a secure password** |
-
- >**Note**: **Copy to clipboard** the full **User name**. You will need it later in this lab.
-
-1. In the Azure portal, navigate back to the **az104-02-mg1** management group and display its **details**.
-
-1. Click **Access Control (IAM)**, click **+ Add** and then **Add role assignment**. On the **Role** tab, search for **Support Request Contributor (Custom)**.
-
- >**Note**: if your custom role is not visible, it can take up to 10 minutes for the custom role to appear after creation.
-
-1. Select the **Role** and click **Next**. On the **Members** tab, click **+ Select members** and **select** user account az104-***********************.**********.onmicrosoft.com. Click **Next** and then **Review and assign**.
-
-1. Open an **InPrivate** browser window and sign in to the [Azure portal](https://portal.azure.com) using the newly created user account. When prompted to update the password, change the password for the user.
-
- >**Note**: Rather than typing the user name, you can paste the content of Clipboard.
-
-1. In the **InPrivate** browser window, in the Azure portal, search and select **Resource groups** to verify that the az104-02-aaduser1 user can see all resource groups.
-
-1. In the **InPrivate** browser window, in the Azure portal, search and select **All resources** to verify that the az104-02-aaduser1 user cannot see any resources.
-
-1. In the **InPrivate** browser window, in the Azure portal, search and select **Help + support** and then click **+ Create a support request**.
-
-1. In the **InPrivate** browser window, on the **Problem Description/Summary** tab of the **Help + support - New support request** blade, type **Service and subscription limits** in the Summary field and select the **Service and subscription limits (quotas)** issue type. Note that the subscription you are using in this lab is listed in the **Subscription** drop-down list.
-
- >**Note**: The presence of the subscription you are using in this lab in the **Subscription** drop-down list indicates that the account you are using has the permissions required to create the subscription-specific support request.
-
- >**Note**: If you do not see the **Service and subscription limits (quotas)** option, sign out from the Azure portal and sign in back.
-
-1. Do not continue with creating the support request. Instead, sign out as the az104-02-aaduser1 user from the Azure portal and close the InPrivate browser window.
-
-## Task 4: Clean up resources
-
- >**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges, although, resources created in this lab do not incur extra cost.
-
- >**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
-
-1. In the Azure portal, search for and select **Microsoft Entra ID**, click **Users**.
-
-1. On the **Users - All users** blade, click **az104-02-aaduser1**.
-
-1. On the **az104-02-aaduser1 - Profile** blade, copy the value of **Object ID** attribute.
-
-1. In the Azure portal, start a **PowerShell** session within the **Cloud Shell**.
-
-1. From the Cloud Shell pane, run the following to remove the assignment of the custom role definition (replace the `[object_ID]` placeholder with the value of the **object ID** attribute of the **az104-02-aaduser1** user account you copied earlier in this task):
-
- ```powershell
-
- $scope = (Get-AzRoleDefinition -Name 'Support Request Contributor (Custom)').AssignableScopes | Where-Object {$_ -like '*managementgroup*'}
+ >**Did you know?** This assignment might not actually grant you any additional privileges. If you already have the Owner role, that role includes all permissions associated with the VM Contributor role.
- Remove-AzRoleAssignment -ObjectId '[object_ID]' -RoleDefinitionName 'Support Request Contributor (Custom)' -Scope $scope
- ```
+## Task 3: Create a custom RBAC role
-1. From the Cloud Shell pane, run the following to remove the custom role definition:
+In this task, you will create a custom RBAC role. Custom roles are a core part of implementing the principle of least privilege for an environment. Built-in roles might have too many permissions for your scenario. In this task we will create a new role and remove permissions that are not be necessary. Do you have a plan for managing overlapping permissions?
- ```powershell
- Remove-AzRoleDefinition -Name 'Support Request Contributor (Custom)' -Force
- ```
+1. Continue working on your management group. In the **Access control (IAM)** blade, select the **Check access** tab.
-1. In the Azure portal, navigate back to the **Users - All users** blade of the **Microsoft Entra ID**, and delete the **az104-02-aaduser1** user account.
+1. In the **Create a custom role** box, select **Add**.
-1. In the Azure portal, navigate back to the **Management groups** blade.
+1. On the Basics tab complete the configuration.
-1. On the **Management groups** blade, select the **ellipsis** icon next to your subscription under the **az104-02-mg1** management group and select **Move** to move the subscription to the **Tenant Root management group**.
+ | Setting | Value |
+ | --- | --- |
+ | Custom role name | `Custom Support Request` |
+ | Description | ``A custom contributor role for support requests.` |
+
+1. For **Baseline permissions**, select **Clone a role**. In the **Role to clone** drop-down menu, select **Support Request Contributor**.
+
+ 
+
+1. Select **Next** to move to the **Permissions** tab, and then select **+ Exclude permissions**.
+
+1. In the resource provider search field, enter `.Support` and select **Microsoft.Support**.
+
+1. In the list of permissions, place a checkbox next to **Other: Registers Support Resource Provider** and then select **Add**. The role should be updated to include this permission as a *NotAction*.
+
+ >**Note:** An Azure resource provider is a set of REST operations that enable functionality for a specific Azure service. We do not want the Help Desk to be able to have this capability, so it is being removed from the cloned role. You could also selete and add other capabilities to the new role.
+
+1. On the **Assignable scopes** tab, ensure your management group is listed, then click **Next**.
+
+1. Review the JSON for the *Actions*, *NotActions*, and *AssignableScopes* that are customized in the role.
+
+1. Select **Review + Create**, and then select **Create**.
+
+ >**Note:** At this point, you have created a custom role and assigned it to the management group.
+
+## Task 4: Monitor role assignments with the Activity Log
+
+In this task, you view the activity log to determine if anyone has created a new role.
+
+1. In the portal locate the **az104-mg1** resource and select **Activity log**. The activity log provides insight into subscription-level events.
+
+1. Review the activites for role assignments. The activity log can be filtered for specific operations.
+
+ 
+
+## Cleanup your resources
+
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
+
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
+
+## Key takeaways
+
+Congratulations on completing the lab. Here are the main takeaways for this lab.
+
++ Management groups are used to logically organize subscriptions.
++ The built-in root management group includes all the management groups and subscriptions.
++ Azure has many built-in roles. You can assign these roles to control access to resources.
++ You can create new roles or customize existing roles.
++ Roles are defined in a JSON formatted file and include *Actions*, *NotActions*, and *AssignableScopes*.
++ You can use the Activity Log to monitor role assignments.
+
+## Learn more with self-paced training
+
++ [Secure your Azure resources with Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/). Use Azure RBAC to manage access to resources in Azure.
++ [Create custom roles for Azure resources with role-based access control (RBAC)](https://learn.microsoft.com/training/modules/create-custom-azure-roles-with-rbac/). Understand the structure of role definitions for access control. Identify the role properties to use that define your custom role permissions. Create an Azure custom role and assign to a user.
- >**Note**: It is likely that the target management group is the **Tenant Root management group**, unless you created a custom management group hierarchy before running this lab.
-
-1. Select **Refresh** to verify that the subscription has successfully moved to the **Tenant Root management group**.
-1. Navigate back to the **Management groups** blade, click the **ellipsis** icon to the right of the **az104-02-mg1** management group and click **Delete**.
- >**Note**: If you are unable to delete the **Tenant Root management group**, chances are that the **Azure Subscription** is under the management group. You need to move **Azure Subscription** out of the **Tenant Root management group** and then delete the group.
-## Review
-In this lab, you have:
-- Implemented Management Groups
-- Created custom RBAC roles
-- Assigned RBAC roles
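Review bot: The new "Cleanup your resources" section only describes deleting a resource group, but nothing in this lab creates one. What the steps do create is the `az104-mg1` management group, a **Virtual Machine Contributor** assignment for the `helpdesk` group at that scope, and the `Custom Support Request` role. The removed `Remove-AzRoleAssignment`, `Remove-AzRoleDefinition` and "delete the management group" steps have no replacement, so a student on their own subscription is left with a standing role assignment and a custom role definition. Suggest adding cleanup steps for those three objects. In Task 3, the closing note says you "created a custom role and assigned it to the management group", but the steps only list the management group on the **Assignable scopes** tab and make no role assignment; reword to say the role is assignable at that scope. In Task 4, the intro says the goal is to see "if anyone has created a new role" while the heading and step 2 talk about role assignments; pick one. In Task 1, the reworded first step no longer says which setting is expected for **Access management for Azure resources** (the old step selected **Yes**); state it explicitly. Smaller fixes: the Description table cell opens with two backticks and closes with one, which breaks the inline code rendering; "that are not be necessary", "selete" and "activites" are typos.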
diff --git a/Instructions/Labs/LAB_02b-Manage_Governance_via_Azure_Policy.md b/Instructions/Labs/LAB_02b-Manage_Governance_via_Azure_Policy.md
index 757a5289..fea05315 100644
--- a/Instructions/Labs/LAB_02b-Manage_Governance_via_Azure_Policy.md
+++ b/Instructions/Labs/LAB_02b-Manage_Governance_via_Azure_Policy.md
@@ -5,173 +5,174 @@ lab:
---
# Lab 02b - Manage Governance via Azure Policy
-# Student lab manual
+
+## Lab introduction
+
+In this lab, you learn how to implement your organization’s governance plans. You learn how Azure policies can ensure operational decisions are enforced across the organization. You learn how to use resource tagging to improve reporting.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated timing: 30 minutes
## Lab scenario
-In order to improve management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
+Your organization's cloud footprint has grown considerably in the last year. During a recent audit, you discovered a substantial number of resources that do not have a defined owner, project, or cost center. In order to improve management of Azure resources in your organization, you decide to implement the following functionality:
-- tagging resource groups that include only infrastructure resources (such as Cloud Shell storage accounts)
+- apply resource tags to attach important metadata to Azure resources
-- ensuring that only properly tagged infrastructure resources can be added to infrastructure resource groups
+- enforce the use of resource tags for new resources by using Azure policy
-- remediating any non-compliant resources
+- update existing resources with resource tags
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%203)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
+- use resource locks to protect configured resources
-## Objectives
+## Interactive lab simulations
-In this lab, we will:
+There are several interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
-+ Task 1: Create and assign tags via the Azure portal
-+ Task 2: Enforce tagging via an Azure policy
-+ Task 3: Apply tagging via an Azure policy
++ [Manage resource locks](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%2015). Add a resource lock and test to confirm.
+
++ [Create an Azure policy](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%2017). Create an Azure policy that restricts the location resources can be located. Create a new resource and ensure the policy is enforced.
-## Estimated timing: 60 minutes
++ [Manage governance via Azure policy](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%203). Create and assign tags via the Azure portal. Create an Azure policy that requires tagging. Remediate non-compliant resources.
## Architecture diagram
-
+
-### Instructions
+## Job skills
-## Exercise 1
++ Task 1: Create and assign tags via the Azure portal.
++ Task 2: Enforce tagging via an Azure Policy.
++ Task 3: Apply tagging via an Azure Policy.
++ Task 4: Configure and test resource locks.
## Task 1: Assign tags via the Azure portal
-In this task, you will create and assign a tag to an Azure resource group via the Azure portal.
+In this task, you will create and assign a tag to an Azure resource group via the Azure portal. Tags are a critical component of a governance strategy as outlined by the Microsoft Well-Architected Framework and Cloud Adoption Framework. Tags can allow you to quickly identify resource owners, sunset dates, group contacts, and other name/value pairs that your organization deems important. For this task, you assign a tag identifying the resource role ('Infra' for 'Infrastructure').
-1. In the Azure portal, start a **PowerShell** session within the **Cloud Shell**.
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
+
+1. Search for and select `Resource groups`.
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
-
-1. From the Cloud Shell pane, run the following to identify the name of the storage account used by Cloud Shell:
-
- ```powershell
- df
- ```
-
-1. In the output of the command, note the first part of the fully qualified path designating the Cloud Shell home drive mount (marked here as `xxxxxxxxxxxxxx`:
-
- ```
- //xxxxxxxxxxxxxx.file.core.windows.net/cloudshell (..) /usr/csuser/clouddrive
- ```
-
-1. In the Azure portal, search and select **Storage accounts** and, in the list of the storage accounts, click the entry representing the storage account you identified in the previous step.
-
-1. On the storage account blade, click the link representing the name of the resource group containing the storage account.
-
- **Note**: note what resource group the storage account is in, you'll need it later in the lab.
-
-1. On the resource group blade, click **Tags** in the left menu and create a new tag.
-
-1. Create a tag with the following settings and Apply your change:
+1. From the Resource groups, select **+ Create**.
| Setting | Value |
| --- | --- |
- | Name | **Role** |
- | Value | **Infra** |
+ | Subscription name | your subscription |
+ | Resource group name | `az104-rg2` |
+ | Location | **East US** |
-1. Click **Apply** and close the tag edition window to navigate back to the storage account blade. click on the ellipsis on the storage account and select **Edit tags** to note that the new tag was not automatically assigned to the storage account.
+ >**Note:** For each lab in this course you will create a new resource group. This lets you quickly locate and manage your lab resources.
-## Task 2: Enforce tagging via an Azure policy
+1. Select **Next: Tags** and create a new tag.
-In this task, you will assign the built-in *Require a tag and its value on resources* policy to the resource group and evaluate the outcome.
+ | Setting | Value |
+ | --- | --- |
+ | Name | `Cost Center` |
+ | Value | `000` |
-1. In the Azure portal, search for and select **Policy**.
+1. Select **Review + Create**, and then select **Create**.
-1. In the **Authoring** section, click **Definitions**. Take a moment to browse through the list of built-in policy definitions that are available for you to use. List all built-in policies that involve the use of tags by selecting the **Tags** entry (and de-selecting all other entries) in the **Category** drop-down list.
+## Task 2: Enforce tagging via an Azure Policy
-1. Click the entry representing the **Require a tag and its value on resources** built-in policy and review its definition.
+In this task, you will assign the built-in *Require a tag and its value on resources* policy to the resource group and evaluate the outcome. Azure Policy can be used to enforce configuration, and in this case, governance, to your Azure resources.
+
+1. In the Azure portal, search for and select `Policy`.
+
+1. In the **Authoring** blade, select **Definitions**. Take a moment to browse through the list of [built-in policy definitions](https://learn.microsoft.com/azure/governance/policy/samples/built-in-policies) that are available for you to use. Notice you can also search for a definition.
+
+ 
+
+1. Click the entry representing the **Require a tag and its value on resources** built-in policy. Take a minute to review the definition.
1. On the **Require a tag and its value on resources** built-in policy definition blade, click **Assign**.
-1. Specify the **Scope** by clicking the ellipsis button and selecting the following values:
+1. Specify the **Scope** by clicking the ellipsis button and selecting the following values. Click **Select** when you are done.
| Setting | Value |
| --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource Group | the name of the resource group containing the Cloud Shell account you identified in the previous task |
+ | Subscription | *your subscription* |
+ | Resource Group | **az104-rg2** |
- >**Note**: A scope determines the resources or resource groups where the policy assignment takes effect. You could assign policies on the management group, subscription, or resource group level. You also have the option of specifying exclusions, such as individual subscriptions, resource groups, or resources (depending on the assignment scope).
+ >**Note**: You can assign policies on the management group, subscription, or resource group level. You also have the option of specifying exclusions, such as individual subscriptions, resource groups, or resources. In this scenario, we want the tag on all the resources in the resource group.
1. Configure the **Basics** properties of the assignment by specifying the following settings (leave others with their defaults):
| Setting | Value |
| --- | --- |
- | Assignment name | **Require Role tag with Infra value**|
- | Description | **Require Role tag with Infra value for all resources in the Cloud Shell resource group**|
+ | Assignment name | `Require Cost Center tag with Default value`|
+ | Description | `Require Cost Center tag with default value for all resources in the resource group`|
| Policy enforcement | Enabled |
- >**Note**: The **Assignment name** is automatically populated with the policy name you selected, but you can change it. You can also add an optional **Description**. **Assigned by** is automatically populated based on the user name creating the assignment.
+ >**Note**: The **Assignment name** is automatically populated with the policy name you selected, but you can change it. The **Description** is optional. Notice you can disable the policy at any time.
1. Click **Next** twice and set **Parameters** to the following values:
| Setting | Value |
| --- | --- |
- | Tag Name | **Role** |
- | Tag Value | **Infra** |
+ | Tag Name | `Cost Center` |
+ | Tag Value | `000` |
1. Click **Next** and review the **Remediation** tab. Leave the **Create a Managed Identity** checkbox unchecked.
- >**Note**: This setting can be used when the policy or initiative includes the **deployIfNotExists** or **Modify** effect.
-
1. Click **Review + Create** and then click **Create**.
- >**Note**: Now you will verify that the new policy assignment is in effect by attempting to create another Azure Storage account in the resource group without explicitly adding the required tag.
+ >**Note**: Now you will verify that the new policy assignment is in effect by attempting to create an Azure Storage account in the resource group. You will create the storage account without adding the required tag.
- >**Note**: It might take between 5 and 15 minutes for the policy to take effect.
+ >**Note**: It might take between 5 and 10 minutes for the policy to take effect.
-1. Navigate back to the blade of the resource group hosting the storage account used for the Cloud Shell home drive, which you identified in the previous task.
+1. In the portal, search for and select `Storage Account`, and select **+ Create**.
-1. On the resource group blade, click **+ Create** and then search for **Storage Account**, and click **+ Create**.
-
-1. On the **Basics** tab of the **Create storage account** blade, verify that you are using the Resource Group that the Policy was applied to and specify the following settings (leave others with their defaults), click **Review** and then click **Create**:
+1. On the **Basics** tab of the **Create storage account** blade, complete the configuration.
| Setting | Value |
| --- | --- |
- | Storage account name | any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter |
+ | Resource group | **az104-rg2** |
+ | Storage account name | *any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter* |
- >**Note**: You may receive a **Validation failed. Click here for details** error; If so, click the error message to identify the reason for the failure and skip the next step.
+1. Select **Review** and then click **Create**:
1. Once you create the deployment, you should see the **Deployment failed** message in the **Notifications** list of the portal. From the **Notifications** list, navigate to the deployment overview and click the **Deployment failed. Click here for details** message to identify the reason for the failure.
- >**Note**: Verify whether the error message states that the resource deployment was disallowed by the policy.
+ 
- >**Note**: By clicking the **Raw Error** tab, you can find more details about the error, including the name of the role definition **Require Role tag with Infra value**. The deployment failed because the storage account you attempted to create did not have a tag named **Role** with its value set to **Infra**.
+ >**Note**: Verify the error message states that the resource deployment was disallowed by the policy.
+
+ >**Note**: By clicking the **Raw Error** tab, you can find more details about the error, including the name of the role definition **Require Cost Center tag with Default value**. The deployment failed because the storage account you attempted to create did not have a tag named **Cost Center** with its value set to **Default**.
## Task 3: Apply tagging via an Azure policy
-In this task, we will use a different policy definition to remediate any non-compliant resources.
+In this task, we will use the new policy definition to remediate any non-compliant resources. In this scenario, we will make any child resources of a resource group inherit the **Cost Center** tag that was defined on the resource group.
-1. In the Azure portal, search for and select **Policy**.
+1. In the Azure portal, search for and select `Policy`.
1. In the **Authoring** section, click **Assignments**.
-1. In the list of assignments, click the ellipsis icon in the row representing the **Require Role tag with Infra value** policy assignment and use the **Delete assignment** menu item to delete the assignment.
+1. In the list of assignments, click the ellipsis icon in the row representing the **Require Cost Center tag with Default value** policy assignment and use the **Delete assignment** menu item to delete the assignment.
1. Click **Assign policy** and specify the **Scope** by clicking the ellipsis button and selecting the following values:
| Setting | Value |
| --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource Group | the name of the resource group containing the Cloud Shell account you identified in the first task |
+ | Subscription | your Azure subscription |
+ | Resource Group | `az104-rg2` |
-1. To specify the **Policy definition**, click the ellipsis button and then search for and select **Inherit a tag from the resource group if missing**.
+1. To specify the **Policy definition**, click the ellipsis button and then search for and select `Inherit a tag from the resource group if missing`.
-1. Configure the remaining **Basics** properties of the assignment by specifying the following settings (leave others with their defaults):
+1. Select **Add** and then configure the remaining **Basics** properties of the assignment.
| Setting | Value |
| --- | --- |
- | Assignment name | **Inherit the Role tag and its Infra value from the Cloud Shell resource group if missing**|
- | Description | **Inherit the Role tag and its Infra value from the Cloud Shell resource group if missing**|
+ | Assignment name | `Inherit the Cost Center tag and its value 000 from the resource group if missing` |
+ | Description | `Inherit the Cost Center tag and its value 000 from the resource group if missing` |
| Policy enforcement | Enabled |
1. Click **Next** twice and set **Parameters** to the following values:
| Setting | Value |
| --- | --- |
- | Tag Name | **Role** |
+ | Tag Name | `Cost Center` |
1. Click **Next** and, on the **Remediation** tab, configure the following settings (leave others with their defaults):
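Review bot: The Task 2 assignment name and failure explanation refer to a "Default" value, but the **Tag Value** parameter in the same task is `000`. The closing note says the deployment failed because the tag did not have "its value set to **Default**", which contradicts the parameters table and the Task 3 assignment name ("its value 000"). Suggest renaming the assignment to something like `Require Cost Center tag with 000 value` and changing the note to say `000`. That same note calls the assignment a "role definition"; it is a policy assignment. The Task 3 intro says "we will use the new policy definition", yet the steps delete the Task 2 assignment and select a different built-in definition (`Inherit a tag from the resource group if missing`), so "a different policy definition" would be more accurate. Smaller fixes: in Task 1, "From the Resource groups, select **+ Create**." is followed by a settings table with no instruction to fill it in; "lets you to click" should be "lets you click"; "Select **Review** and then click **Create**:" ends in a stray colon; the Task 3 heading uses "Azure policy" where the Job skills list and Task 2 heading use "Azure Policy"; and the Task 1 heading ("Assign tags") does not match its Job skills entry ("Create and assign tags").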
@@ -180,48 +181,77 @@ In this task, we will use a different policy definition to remediate any non-com
| Create a remediation task | enabled |
| Policy to remediate | **Inherit a tag from the resource group if missing** |
- >**Note**: This policy definition includes the **Modify** effect.
+ >**Note**: This policy definition includes the **Modify** effect. So, a managed identity is required.
+
+ 
1. Click **Review + Create** and then click **Create**.
- >**Note**: To verify that the new policy assignment is in effect, you will create another Azure Storage account in the same resource group without explicitly adding the required tag.
+ >**Note**: To verify that the new policy assignment is in effect, you will create another Azure storage account in the same resource group without explicitly adding the required tag.
- >**Note**: It might take between 5 and 15 minutes for the policy to take effect.
+ >**Note**: It might take between 5 and 10 minutes for the policy to take effect.
-1. Navigate back to the blade of the resource group hosting the storage account used for the Cloud Shell home drive, which you identified in the first task.
-
-1. On the resource group blade, click **+ Create** and then search for **Storage Account**, and click **+ Create**.
+1. Search for and select `Storage Account`, and click **+ Create**.
1. On the **Basics** tab of the **Create storage account** blade, verify that you are using the Resource Group that the Policy was applied to and specify the following settings (leave others with their defaults) and click **Review**:
| Setting | Value |
| --- | --- |
- | Storage account name | any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter |
+ | Storage account name | *any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter* |
1. Verify that this time the validation passed and click **Create**.
-1. Once the new storage account is provisioned, click **Go to resource** button and, on the **Overview** blade of the newly created storage account, note that the tag **Role** with the value **Infra** has been automatically assigned to the resource.
+1. Once the new storage account is provisioned, click **Go to resource**.
-## Task 4: Clean up resources
+1. On the **Tags** blade, note that the tag **Cost Center** with the value **000** has been automatically assigned to the resource.
- >**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges, although keep in mind that Azure policies do not incur extra cost.
+ >**Did you know?** If you search for and select **Tags** in the portal, you can view the resources with a specific tag.
+
+## Task 4: Configure and test resource locks
+
+In this task, you configure and test a resource lock. Locks prevent either deletions or modifications of a resource.
+
+1. Search for and select your resource group.
- >**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
+1. In the **Settings** blade, select **Locks**.
-1. In the portal, search for and select **Policy**.
+1. Select **Add** and complete the resource lock information. When finished select **Ok**.
-1. In the **Authoring** section, click **Assignments**, click the ellipsis icon to the right of the assignment you created in the previous task and click **Delete assignment**.
+ | Setting | Value |
+ | --- | --- |
+ | Lock name | `rg-lock` |
+ | Lock type | **delete** (notice the selection for read-only) |
+
+1. Navigate to the resource group **Overview** blade, and select **Delete resource group**.
-1. In the portal, search for and select **Storage accounts**.
+1. In the **Enter resource group name to confirm deletion** textbox provide the resource group name, `az104-rg2`. Notice you can copy and paste the resource group name.
-1. In the list of storage accounts, select the resource group corresponding to the storage account you created in the last task of this lab. Select **Tags** and click **Delete** (Trash can to the right) to the **Role:Infra** tag and press **Apply**.
+1. Notice the warning: Deleting this resource group and its dependent resources is a permanent action and cannot be undone. Select **Delete**.
-1. Click **Overview** and click **Delete** on the top of the storage account blade. When prompted for the confirmation, in the **Delete storage account** blade, type the name of the storage account to confirm and click **Delete**.
+1. You should receive a notification denying the deletion.
-## Review
+ 
-In this lab, you have:
+## Cleanup your resources
+
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
+
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
+
+## Key takeaways
+
+Congratulations on completing the lab. Here are the main takeaways for this lab.
+
++ Azure tags are metadata that consists of a key-value pair. Tags describe a particular resource in your environment. In particular, tagging in Azure enables you to label your resources in a logical manne.
++ Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value. There are many built-in policy definitions and you can customize the policies.
++ The Azure Policy remediation task feature is used to bring resources into compliance based on a definition and assignment. Resources that are non-compliant to a modify or deployIfNotExist definition assignment, can be brought into compliance using a remediation task.
++ You can configure a resource lock on a subscription, resource group, or resource. The lock can protect a resource from accidental user deletions and modifications. The lock overrides any user permissions.
++ Azure Policy is pre-deployment security practice. RBAC and resource locks are post-deployment security practice.
+
+## Learn more with self-paced training
+
++ [Design an enterprise governance strategy](https://learn.microsoft.com/training/modules/enterprise-governance/). Use RBAC and Azure Policy to limit access to your Azure solutions, and determine which method is right for your security goals.
+
-- Created and assigned tags via the Azure portal
-- Enforced tagging via an Azure policy
-- Applied tagging via an Azure policy
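Review bot: The new "Cleanup your resources" section tells the reader to delete the lab resource group, but Task 4 in this same hunk adds the delete lock `rg-lock` and ends with "You should receive a notification denying the deletion", so all three cleanup options (portal, `Remove-AzResourceGroup`, `az group delete`) will be denied as written. Add a first cleanup step that removes `rg-lock` from the resource group's **Locks** blade. The old Task 4 also deleted the policy assignment explicitly; if that assignment can outlive the resource group, keep a step for it. Smaller points in "Key takeaways": "logical manne." should be "logical manner.", "deployIfNotExist" should be "deployIfNotExists" to match the effect name, and "Azure Policy is pre-deployment security practice" needs an article ("a pre-deployment security practice"). Task 4 also hard-codes `az104-rg2` in the confirmation step while its first step only says "your resource group"; name the group in both places or in neither.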
diff --git a/Instructions/Labs/LAB_03b-Manage_Azure_Resources_by_Using_ARM_Templates.md b/Instructions/Labs/LAB_03b-Manage_Azure_Resources_by_Using_ARM_Templates.md
index 14da9a6d..6896b663 100644
--- a/Instructions/Labs/LAB_03b-Manage_Azure_Resources_by_Using_ARM_Templates.md
+++ b/Instructions/Labs/LAB_03b-Manage_Azure_Resources_by_Using_ARM_Templates.md
@@ -1,133 +1,276 @@
---
lab:
- title: 'Lab 03b: Manage Azure resources by Using ARM Templates'
+ title: 'Lab 03: Manage Azure resources by using Azure Resource Manager Templates'
module: 'Administer Azure Resources'
---
-# Lab 03b - Manage Azure resources by Using ARM Templates
-# Student lab manual
+# Lab 03 - Manage Azure resources by using Azure Resource Manager Templates
+## Lab introduction
+
+In this lab, you learn how to automate resource deployments. You learn about Azure Resource Manager templates and Bicep templates. You learn about the different ways of deploying the templates.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated timing: 50 minutes
+
+## Interactive lab simulations
+
+There are interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
+
++ [Manage Azure resources by using Azure Resource Manager templates](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%205). Review, create, and deploy a managed disks with a template.
+
++ [Create a virtual machine with a template](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%209). Deploy a virtual machine with a QuickStart template.
+
## Lab scenario
-Now that you explored the basic Azure administration capabilities associated with provisioning resources and organizing them based on resource groups by using the Azure portal, you need to carry out the equivalent task by using Azure Resource Manager templates.
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%205)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
-
-## Objectives
-
-In this lab, you will:
-
-+ Task 1: Review an ARM template for deployment of an Azure managed disk
-+ Task 2: Create an Azure managed disk by using an ARM template
-+ Task 3: Review the ARM template-based deployment of the managed disk
-
-## Estimated timing: 20 minutes
+Your team wants to look at ways to automate and simplify resource deployments. Your organization is looking for ways to reduce administrative overhead, reduce human error and increase consistency.
## Architecture diagram
-
+
-### Instructions
+## Job skills
-## Exercise 1
++ Task 1: Create an Azure Resource Manager template.
++ Task 2: Edit an Azure Resource Manager template and redeploy the template.
++ Task 3: Configure the Cloud Shell and deploy a template with Azure PowerShell.
++ Task 4: Deploy a template with the CLI.
++ Task 5: Deploy a resource by using Azure Bicep.
-## Task 1: Review an ARM template for deployment of an Azure managed disk
+## Task 1: Create an Azure Resource Manager template
-1. Sign in to the [**Azure portal**](http://portal.azure.com).
+In this task, we will create a managed disk in the Azure portal. Managed disks are storage designed to be used with virtual machines. Once the disk is deployed you will export a template that you can use in other deployments.
-1. In the Azure portal, search for and select **Resource groups**.
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. In the list of resource groups, click **az104-03a-rg1**.
+1. Search for and select `Disks`.
-1. On the **az104-03a-rg1** resource group blade, in the **Settings** section, click **Deployments**.
+1. On the Disks page, select **Create**.
-1. On the **az104-03a-rg1 - Deployments** blade, click the first entry in the list of deployments.
-
-1. On the **Microsoft.ManagedDisk-*XXXXXXXXX* \| Overview** blade, click **Template**.
-
- >**Note**: Review the content of the template and note that you have the option to **Download** it to the local computer, **Add to library**, or **Deploy** it again.
-
-1. Click **Download** and save the compressed file containing the template and parameters files to the **Downloads** folder on your lab computer.
-
-1. On the **Microsoft.ManagedDisk-*XXXXXXXXX* \| Template** blade, click **Inputs**.
-
-1. Note the value of the **location** parameter. You will need it in the next task.
-
-1. Extract the content of the downloaded file into the **Downloads** folder on your lab computer.
-
- >**Note**: These files are also available as **\\Allfiles\\Labs\\03\\az104-03b-md-template.json** and **\\Allfiles\\Labs\\03\\az104-03b-md-parameters.json**
+1. On the **Create a managed disk** page, configure the disk and then select **Ok**.
-1. Close all **File Explorer** windows.
+ | Setting | Value |
+ | --- | --- |
+ | Subscription | *your subscription* |
+ | Resource Group | `az104-rg3` (If necessary, select **Create new**.)
+ | Disk name | `az104-disk1` |
+ | Region | **East US** |
+ | Availability zone | **No infrastructure redundancy required** |
+ | Source type | **None** |
+ | Performance | **Standard HDD** (change size) |
+ | Size | **32 Gib** |
-## Task 2: Create an Azure managed disk by using an ARM template
+ >**Note:** We are creating a simple managed disk so you can practice with templates. Azure managed disks are block-level storage volumes that are managed by Azure.
-1. In the Azure portal, search for and select **Deploy a custom template**.
+1. Click **Review + Create** then select **Create**.
-1. On the **Custom deployment** blade, click **Build your own template in the editor**.
+1. Monitor the notifications (upper right) and after the deployment select **Go to resource**.
-1. On the **Edit template** blade, click **Load file** and upload the **template.json** file you downloaded in the previous task.
+1. In the **Automation** blade, select **Export template**.
-1. Within the editor pane, remove the following lines:
+1. Take a minute to review the **Template** and **Parameters** files.
- ```json
- "sourceResourceId": {
- "type": "String"
- },
- ```
+1. Click **Download** and save the templates to the local drive. This creates a compressed zipped file.
- ```json
- "hyperVGeneration": {
- "defaultValue": "V1",
- "type": "String"
- },
- ```
+1. Use File Explorer to extract the content of the downloaded file into the **Downloads** folder on your computer. Notice there are two JSON files (template and parameters).
- >**Note**: These parameters are removed since they are not applicable to the current deployment. In particular, sourceResourceId, sourceUri, osType, and hyperVGeneration parameters are applicable to creating an Azure disk from an existing VHD file.
+ >**Did you know?** You can export an entire resource group or just specific resources within that resource group.
-1. **Save** the changes.
+## Task 2: Edit an Azure Resource Manager template and then redeploy the template
-1. Back on the **Custom deployment** blade, click **Edit parameters**.
+In this task, you use the downloaded template to deploy a new managed disk. This task outlines how to quicky and easily repeat deployments.
-1. On the **Edit parameters** blade, click **Load file** and upload the **parameters.json** file you downloaded in the previous task, and **Save** the changes.
+1. In the Azure portal, search for and select `Deploy a custom template`.
-1. Back on the **Custom deployment** blade, specify the following settings:
+1. On the **Custom deployment** blade, notice there is the ability to use a **Quickstart template**. There are many built-in templates as shown in the drop-down menu.
+
+1. Instead of using a Quickstart, select **Build your own template in the editor**.
+
+1. On the **Edit template** blade, click **Load file** and upload the **template.json** file you downloaded to the local disk.
+
+1. Within the editor pane, make these changes.
+
+ + Change **disks_az104_disk1_name** to `disk_name` (two places to change)
+ + Change **az104_disk1** to `az102_disk2` (one place to change)
+
+1. Notice this is a **Standard** disk. The location is **eastus**. The disk size is **32GB**.
+
+1. **Save** your changes.
+
+1. Dpn't forget the parameters file. Select **Edit parameters**, click **Load file** and upload the **parameters.json**.
+
+1. Make this change so it matches the template file.
+
+ Change **disks_az104_disk1_name** to **disk_name** (one place to change)
+
+1. **Save** your changes.
+
+1. Complete the custom deployment settings:
| Setting | Value |
| --- |--- |
- | Subscription | *the name of the Azure subscription you are using in this lab* |
- | Resource Group | the name of a **new** resource group **az104-03b-rg1** |
- | Region | the name of any Azure region available in the subscription you are using in this lab |
- | Disk Name | **az104-03b-disk1** |
- | Location | the value of the location parameter you noted in the previous task |
- | Sku | **Standard_LRS** |
- | Disk Size Gb | **32** |
- | Create Option | **empty** |
- | Disk Encryption Set Type | **EncryptionAtRestWithPlatformKey** |
- | Data Access Auth Mode | None |
- | Network Access Policy | **AllowAll** |
- | Public Network Access | Disabled |
+ | Subscription | *your subscription* |
+ | Resource Group | `az104-rg3` |
+ | Region | **(US) East US)** |
+ | Disk_name | `az104-disk2` |
1. Select **Review + Create** and then select **Create**.
-1. Verify that the deployment completed successfully.
+1. Select **Go to resource**. Verify **az104-disk2** was created.
-## Task 3: Review the ARM template-based deployment of the managed disk
+1. On the **Overview** blade, select the resource group, **az104-rg3**. You should now have two disks.
+
+1. In the **Settings** section, click **Deployments**.
-1. In the Azure portal, search for and select **Resource groups**.
+ >**Note:** All deployments details are documented in the resource group. It is a good practice to review the first few template-based deployments to ensure success prior to using the templates for large-scale operations.
-1. In the list of resource groups, click **az104-03b-rg1**.
+1. Select a deployment and review the content of the **Input** and **Template** blades.
-1. On the **az104-03b-rg1** resource group blade, in the **Settings** section, click **Deployments**.
+## Task 3: Configure the Cloud Shell and deploy a template with Azure PowerShell
-1. From the **az104-03b-rg1 - Deployments** blade, click the first entry in the list of deployments and review the content of the **Input** and **Template** blades.
+In this task, you work with the Azure Cloud Shell and Azure PowerShell. Azure Cloud Shell is an interactive, authenticated, browser-accessible terminal for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell. In this task, you use PowerShell to deploy a template.
-## Clean up resources
+1. Select the **Cloud Shell** icon in the top right of the Azure Portal. Alternately, you can navigate directly to `https://shell.azure.com`.
- >**Note**: Do not delete resources you deployed in this lab. You will reference them in the next lab of this module.
+ 
-## Review
+1. When prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+
+ >**Did you know?** If you mostly work with Linux systems, Bash (CLI) feels more familiar. If you mostly work with Windows systems, Azure PowerShell feels more familiar.
+
+1. On the **You have no storage mounted** screen select **Show advanced settings** and provide the required information.
+
+ >**Note:** As you work with the Cloud Shell a storage account and file share is required.
+
+ | Settings | Values |
+ | -- | -- |
+ | Resource Group | **az104-rg3** |
+ | Storage account (Create new) | `sacloudshell` (must be globally unique, between 3 and 24 characters in length and use numbers and lower case letters only) |
+ | File share (Create new) | `fs-cloudshell` |
+
+1. When completed select **Create storage**. You only need to do this the first time you use the Cloud Shell. It will take a couple of minutes to provision the storage.
+
+1. Use the **Upload/Download files** icon to upload the template and parameters file from the downloads directory. You will need to upload each file separately.
+
+1. Verify your files are available in the Cloud Shell storage.
+
+ ```powershell
+ dir
+ ```
+ >**Note**: If you need to, you can use **cls** to clear the command window. You can use the arrow keys to move the command history.
+
+1. Select the **Editor** (curly brackets) icon and navigate to the parameters JSON file.
+
+1. Make a change. For example, change the disk name to **az104-disk3**. Use **Ctrl +S** to save your changes.
+
+ >**Note**: You can target your template deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment, you use different commands.
+
+1. To deploy to a resource group, use **New-AzResourceGroupDeployment**.
+
+ ```powershell
+ New-AzResourceGroupDeployment -ResourceGroupName az104-rg3 -TemplateFile template.json -TemplateParameterFile parameters.json
+ ```
+1. Ensure the command completes and the ProvisioningState is **Succeeded**.
+
+1. Confirm the disk was created.
+
+ ```powershell
+ Get-AzDisk
+ ```
+
+## Task 5: Deploy a template with the CLI
+
+1. Continue in the **Cloud Shell** select **Bash**. **Confirm** your choice.
+
+1. Verify your files are available in the Cloud Shell storage. If you completed the previous task your template files should be available.
+
+ ```sh
+ ls
+ ```
+
+1. Select the **Editor** (curly brackets) icon and navigate to the parameters JSON file.
+
+1. Make a change. For example, change the disk name to **az104-disk4**. Use **Ctrl +S** to save your changes.
+
+ >**Note**: You can target your template deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment, you use different commands.
+
+1. To deploy to a resource group, use **az deployment group create**.
+
+ ```sh
+ az deployment group create --resource-group az104-rg3 --template-file template.json --parameters parameters.json
+ ```
+
+1. Ensure the command completes and the ProvisioningState is **Succeeded**.
+
+1. Confirm the disk was created.
+
+ ```sh
+ az disk list --output table
+ ```
+
+## Task 6: Deploy a resource by using Azure Bicep
+
+In this task, you will use a Bicep file to deploy a managed disk. Bicep is a declarative automation tool that is built on ARM templates.
+
+1. Continue working in the **Cloud Shell** in a **Bash** session.
+
+1. Locate and download the **\Allfiles\Lab03\azuredeploydisk.bicep** file.
+
+1. **Upload** the bicep file to the Cloud Shell.
+
+1. Select the **Editor** (curly brackets) icon and navigate to the file.
+
+1. Take a minute to read through the bicep template file. Notice how the disk resource is defined.
+
+1. Make the following changes:
+
+ + Change the **managedDiskName** value to `Disk4`.
+ + Change the **sku name** value to `StandardSSD_LRS`.
+ + Change the **diskSizeinGiB** value to `32`.
+
+1. Use **Ctrl +S** to save your changes.
+
+1. Now, deploy the template.
+
+ ```
+ az deployment group create --resource-group az104-rg3 --template-file azuredeploydisk.bicep
+ ```
+
+1. Confirm the disk was created.
+
+ ```sh
+ az disk list --output table
+ ```
+
+ >**Note:** You have successfully deployed five managed disks, each in a different way. Nice job!
+
+## Cleanup your resources
+
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
+
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
+
+## Key takeaways
+
+Congratulations on completing the lab. Here are the main takeaways for this lab.
+
++ Azure Resource Manager templates let you deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
++ An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that lets you manage your infrastructure declaratively rather than with scripts.
++ Rather than passing parameters as inline values in your template, you can use a separate JSON file that contains the parameter values.
++ Azure Resource Manager templates can be deployed in a variety of ways including the Azure portal, Azure PowerShell, and CLI.
++ Bicep is an alternative to Azure Resource Manager templates. Bicep uses a declarative syntax to deploy Azure resources.
+
+Bicep provides concise syntax, reliable type safety, and support for code reuse. Bicep offers a first-class authoring experience for your infrastructure-as-code solutions in Azure.
+
+## Learn more with self-paced training
+
++ [Deploy Azure infrastructure by using JSON ARM templates](https://learn.microsoft.com/training/modules/create-azure-resource-manager-template-vs-code/). Write JSON Azure Resource Manager templates (ARM templates) by using Visual Studio Code to deploy your infrastructure to Azure consistently and reliably.
++ [Review the features and tools for Azure Cloud Shell](https://learn.microsoft.com/training/modules/review-features-tools-for-azure-cloud-shell/). Cloud Shell features and tools.
++ [Manage Azure resources with Windows PowerShell](https://learn.microsoft.com/training/modules/manage-azure-resources-windows-powershell/). This module explains how to install the necessary modules for cloud services management and use PowerShell commands to perform simple administrative tasks on cloud resources like Azure virtual machines, Azure subscriptions and Azure storage accounts.
++ [Introduction to Bash](https://learn.microsoft.com/training/modules/bash-introduction/). Use Bash to manage IT infrastructure.
++ [Build your first Bicep template](https://learn.microsoft.com/training/modules/build-first-bicep-template/). Define Azure resources within a Bicep template. Improve the consistency and reliability of your deployments, reduce the manual effort required, and scale your deployments across environments. Your template will be flexible and reusable by using parameters, variables, expressions, and modules.
-In this lab, you have:
-- Reviewed an ARM template for deployment of an Azure managed disk
-- Created an Azure managed disk by using an ARM template
-- Reviewed the ARM template-based deployment of the managed disk
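Review bot: The task headings do not match the "Job skills" list. The list has Tasks 1 to 5, ending with "Task 4: Deploy a template with the CLI" and "Task 5: Deploy a resource by using Azure Bicep", but the headings jump from Task 3 to "## Task 5: Deploy a template with the CLI" and "## Task 6: Deploy a resource by using Azure Bicep"; renumber them to 4 and 5. In Task 2, "Change **az104_disk1** to `az102_disk2`" looks like a typo for `az104_disk2`, since the deployment table and the verification step both use `az104-disk2`. The Bicep task sets **managedDiskName** to `Disk4` right after the CLI task created **az104-disk4**, and the closing note counts five disks, so a distinct name in the same pattern (for example `az104-disk5`) would be clearer. Also: "quicky", "Dpn't" and "lets you to click" are typos; "**(US) East US)**" has an unbalanced parenthesis; the `az104-rg3` row in the Task 1 table is missing its closing `|`; the Bicep deploy command's fence has no `sh` tag, unlike the other CLI blocks; and `sacloudshell` is given as a literal value even though the same cell says the name must be globally unique, so a second student will hit a name collision unless the text asks for a unique suffix.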
diff --git a/Instructions/Labs/LAB_04-Implement_Virtual_Networking.md b/Instructions/Labs/LAB_04-Implement_Virtual_Networking.md
index 983274a2..f5e59eb1 100644
--- a/Instructions/Labs/LAB_04-Implement_Virtual_Networking.md
+++ b/Instructions/Labs/LAB_04-Implement_Virtual_Networking.md
@@ -1,422 +1,365 @@
----
-lab:
- title: 'Lab 04: Implement Virtual Networking'
- module: 'Administer Virtual Networking'
----
-
-# Lab 04 - Implement Virtual Networking
-
-# Student lab manual
-
-## Lab scenario
-
-You need to explore Azure virtual networking capabilities. To start, you plan to create a virtual network in Azure that will host a couple of Azure virtual machines. Since you intend to implement network-based segmentation, you will deploy them into different subnets of the virtual network. You also want to make sure that their private and public IP addresses will not change over time. To comply with Contoso security requirements, you need to protect public endpoints of Azure virtual machines accessible from Internet. Finally, you need to implement DNS name resolution for Azure virtual machines both within the virtual network and from Internet.
-
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%208)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
-
-## Objectives
-
-In this lab, you will:
-
-+ Task 1: Create and configure a virtual network
-+ Task 2: Deploy virtual machines into the virtual network
-+ Task 3: Configure private and public IP addresses of Azure VMs
-+ Task 4: Configure network security groups
-+ Task 5: Configure Azure DNS for internal name resolution
-+ Task 6: Configure Azure DNS for external name resolution
-
-## Estimated timing: 40 minutes
-
-## Architecture diagram
-
-
-
-### Instructions
-
-## Exercise 1
-
-## Task 1: Create and configure a virtual network
-
-In this task, you will create a virtual network with multiple subnets by using the Azure portal
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-
-1. In the Azure portal, search for and select **Virtual networks**, and, on the **Virtual networks** blade, click **+ Create**.
-
-1. Create a virtual network with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you will be using in this lab |
- | Resource Group | the name of a **new** resource group **az104-04-rg1** |
- | Name | **az104-04-vnet1** |
- | Region | the name of any Azure region available in the subscription you will use in this lab |
-
-1. Click **Next : IP Addresses**. The **Starting address** is **10.40.0.0**. The **Address space size** is **/20**.
-
-1. Click **+ Add subnet**. Delete the existing **default** subnet. Enter the following values then click **Add**.
-
- | Setting | Value |
- | --- | --- |
- | Subnet name | **subnet0** |
- | Starting address | **10.40.0.0** |
- | Subnet size | **/24 (256 addresses)** |
-
-1. Accept the defaults and click **Review and Create**. Let validation occur, and hit **Create** again to submit your deployment.
-
- >**Note:** Wait for the virtual network to be provisioned. This should take less than a minute.
-
-1. Click on **Go to resource**
-
-1. On the **az104-04-vnet1** virtual network blade, click **Subnets** and then click **+ Subnet**.
-
-1. Create a subnet with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Name | **subnet1** |
- | Address range (CIDR block) | **10.40.1.0/24** |
- | Network security group | **None** |
- | Route table | **None** |
-
-1. Click **Save**
-
-## Task 2: Deploy virtual machines into the virtual network
-
-In this task, you will deploy Azure virtual machines into different subnets of the virtual network by using an ARM template
-
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
-
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
-
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
-
-1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload**. Upload **\\Allfiles\\Labs\\04\\az104-04-vms-loop-template.json** and **\\Allfiles\\Labs\\04\\az104-04-vms-loop-parameters.json** into the Cloud Shell home directory.
-
- >**Note**: You must upload each file separately. After uploading, use **dir** to ensure both files were successfully uploaded.
-
-1. From the Cloud Shell pane, run the following to deploy two virtual machines by using the template and parameter files:
- >**Note**: You will be prompted to provide an Admin password.
-
- ```powershell
- $rgName = 'az104-04-rg1'
-
- New-AzResourceGroupDeployment `
- -ResourceGroupName $rgName `
- -TemplateFile $HOME/az104-04-vms-loop-template.json `
- -TemplateParameterFile $HOME/az104-04-vms-loop-parameters.json
- ```
-
- >**Note**: This method of deploying ARM templates uses Azure PowerShell. You can perform the same task by running the equivalent Azure CLI command **az deployment create** (for more information, refer to [Deploy resources with Resource Manager templates and Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-cli).
-
- >**Note**: Wait for the deployment to complete before proceeding to the next task. This should take about 2 minutes.
-
- >**Note**: If you got an error stating the VM size is not available please ask your instructor for assistance and try these steps:
- > 1. Click on the `{}` button in your CloudShell, select the **az104-04-vms-loop-parameters.json** from the left hand side bar and take a note of the `vmSize` parameter value.
- > 1. Check the location in which the 'az104-04-rg1' resource group is deployed. You can run `az group show -n az104-04-rg1 --query location` in your CloudShell to get it.
- > 1. Run `az vm list-skus --location -o table --query "[? contains(name,'Standard_D2s')].name"` in your CloudShell. If there are no listed SKUs (i.e. there are no results), then you cannot deploy any D2S virtual machines in that region. You will need to find a region that will allow you to deploy D2S virtual machines. Once you have chosen a suitable location, delete the AZ104-04-rg1 resource group and restart the lab.
- > 1. Replace the value of `vmSize` parameter with one of the values returned by the command you just run.
- > 1. Now redeploy your templates by running the `New-AzResourceGroupDeployment` command again. You can press the up button a few times which would bring the last executed command.
-
-1. Close the Cloud Shell pane.
-
-## Task 3: Configure private and public IP addresses of Azure VMs
-
-In this task, you will configure static assignment of public and private IP addresses assigned to network interfaces of Azure virtual machines.
-
- >**Note**: Private and public IP addresses are actually assigned to the network interfaces, which, in turn are attached to Azure virtual machines, however, it is fairly common to refer to IP addresses assigned to Azure VMs instead.
-
- >**Note**: You will need **two** public IP addresses to complete this lab.
-
-1. In the Azure portal, search for and select **Public IP addresses**, then select **+ Create**.
-
-1. Ensure the **resource group** is **az104-04-rg1**,
-
-1. In the **Configuration Details** ensure the **name** is **az104-04-pip0**.
-
-1. Select **Review and create** and then **Create**.
-
-1. In the Azure portal, search for and select **Public IP addresses**, then select **+ Create**.
-
-1. Ensure the **resource group** is **az104-04-rg1**,
-
-1. In the **Configuration Details** ensure the **name** is **az104-04-pip1**.
-
-1. Select **Review and create** and then **Create**.
-
-1. In the Azure portal, search for and select **Resource groups**, and, on the **Resource groups** blade, click **az104-04-rg1**.
-
-1. On the **az104-04-rg1** resource group blade, in the list of its resources, click **az104-04-vnet1**.
-
-1. On the **az104-04-vnet1** virtual network blade, review the **Connected devices** section and verify that there are two network interfaces **az104-04-nic0** and **az104-04-nic1** attached to the virtual network.
-
-1. Click **az104-04-nic0** and, on the **az104-04-nic0** blade, click **IP configurations**.
-
- >**Note**: Verify that **ipconfig1** is currently set up with a dynamic private IP address.
-
-1. In the list IP configurations, click **ipconfig1**.
-
-1. Ensure the **Allocation** is **Static**.
-
-1. Select **Associate public IP address** and in the **Public IP address** drop-down select **az104-04-pip0**.
-
- >**Note:** If you receive an error, *domain name is already in use*, this is a known issue. You will need to locate the public ip address and associate it to the NIC separately.
- >
- > + Go to **Public IP addresses**
- > + Click **az104-04-pip0**
- > + In the **Overview** pane click **Associate IP**
- > + Set **Resource type** to **Network interface**
- > + Set **Network interface** to **az104-04-nic0**
- > + Repeat for **az104-04-pip1** and **az104-04-nic1**
-
-1. Select **Save**.
-
-1. Navigate back to the **az104-04-vnet1** blade.
-
-1. Click **az104-04-nic1** and, on the **az104-04-nic1** blade, click **IP configurations**.
-
- >**Note**: Verify that **ipconfig1** is currently set up with a dynamic private IP address.
-
-1. In the list IP configurations, click **ipconfig1**.
-
-1. Ensure the **Allocation** is **Static**.
-
-1. Select **Associate public IP address** and in the **Public IP address** drop-down select **az104-04-pip1**.
-
->**Note:** If you receive an error, *domain name is already in use*, this is a known issue. You will need to locate the public ip address and associate it to the NIC separately.
-
-1. Select **Save**.
-
-1. Navigate back to the **az104-04-rg1** resource group blade, in the list of its resources, click **az104-04-vm0**, and from the **az104-04-vm0** virtual machine blade, note the public IP address entry.
-
-1. Navigate back to the **az104-04-rg1** resource group blade, in the list of its resources, click **az104-04-vm1**, and from the **az104-04-vm1** virtual machine blade, note the public IP address entry.
-
- >**Note**: You will need both IP addresses in the last task of this lab.
-
-## Task 4: Configure network security groups
-
-In this task, you will configure network security groups in order to allow for restricted connectivity to Azure virtual machines.
-
-1. In the Azure portal, navigate back to the **az104-04-rg1** resource group blade, and in the list of its resources, click **az104-04-vm0**.
-
-1. On the **az104-04-vm0** overview blade, click **Connect**, click **RDP** in the drop-down menu, on the **Connect with RDP** blade, click **Download RDP File** using the Public IP address and follow the prompts to start the Remote Desktop session.
-
-1. Note that the connection attempt fails.
-
- >**Note**: This is expected, because public IP addresses of the Standard SKU, by default, require that the network interfaces to which they are assigned are protected by a network security group. In order to allow Remote Desktop connections, you will create a network security group explicitly allowing inbound RDP traffic from Internet and assign it to network interfaces of both virtual machines.
-
-1. Stop the **az104-04-vm0** and **az104-04-vm1** virtual machines.
-
- >**Note**: This is done for lab expediency. If the virtual machines are running when a network security group is attached to their network interface, it can can take over 30 minutes for the attachment to take effect. Once the network security group has been created and attached, the virtual machines will be restarted, and the attachment will be in effect immediately.
-
-1. In the Azure portal, search for and select **Network security groups**, and, on the **Network security groups** blade, click **+ Create**.
-
-1. Create a network security group with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource Group | **az104-04-rg1** |
- | Name | **az104-04-nsg01** |
- | Region | the name of the Azure region where you deployed all other resources in this lab |
-
-1. Click **Review and Create**. Let validation occur, and hit **Create** to submit your deployment.
-
- >**Note**: Wait for the deployment to complete. This should take about 2 minutes.
-
-1. On the deployment blade, click **Go to resource** to open the **az104-04-nsg01** network security group blade.
-
-1. On the **az104-04-nsg01** network security group blade, in the **Settings** section, click **Inbound security rules**.
-
-1. Add an inbound rule with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Source | **Any** |
- | Source port ranges | * |
- | Destination | **Any** |
- | Service | **RDP** |
- | Action | **Allow** |
- | Priority | **300** |
- | Name | **AllowRDPInBound** |
-
-1. On the **az104-04-nsg01** network security group blade, in the **Settings** section, click **Network interfaces** and then click **+ Associate**.
-
-1. Associate the **az104-04-nsg01** network security group with the **az104-04-nic0** and **az104-04-nic1** network interfaces.
-
- >**Note**: It may take up to 5 minutes for the rules from the newly created Network Security Group to be applied to the Network Interface Card.
-
-1. Start the **az104-04-vm0** and **az104-04-vm1** virtual machines.
-
-1. Navigate back to the **az104-04-vm0** virtual machine blade.
-
- >**Note**: In the subsequent steps, you will verify that you can successfully connect to the target virtual machine.
-
-1. On the **az104-04-vm0** blade, click **Connect**, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** using the Public IP address and follow the prompts to start the Remote Desktop session.
-
- >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software.
-
- >**Note**: You can ignore any warning prompts when connecting to the target virtual machines.
-
-1. When prompted, sign in with the user and password.
-
- >**Note**: Leave the Remote Desktop session open. You will need it in the next task.
-
-## Task 5: Configure Azure DNS for internal name resolution
-
-In this task, you will configure DNS name resolution within a virtual network by using Azure private DNS zones.
-
-1. In the Azure portal, search for and select **Private DNS zones** and, on the **Private DNS zones** blade, click **+ Create**.
-
-1. Create a private DNS zone with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource Group | **az104-04-rg1** |
- | Name | **contoso.org** |
-
-1. Click **Review and Create**. Let validation occur, and hit **Create** again to submit your deployment.
-
- >**Note**: Wait for the private DNS zone to be created. This should take about 2 minutes.
-
-1. Click **Go to resource** to open the **contoso.org** DNS private zone blade.
-
-1. On the **contoso.org** private DNS zone blade, in the **Settings** section, click **Virtual network links**
-
-1. Click **+ Add** to create a virtual network link with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Link name | **az104-04-vnet1-link** |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Virtual network | **az104-04-vnet1** |
- | Enable auto registration | enabled |
-
-1. Click **OK**.
-
- >**Note:** Wait for the virtual network link to be created. This should take less than 1 minute.
-
-1. On the **contoso.org** private DNS zone blade, in the sidebar, click **Overview**
-
-1. Verify that the DNS records for **az104-04-vm0** and **az104-04-vm1** appear in the list of record sets as **Auto registered**.
-
- >**Note:** You might need to wait a few minutes and refresh the page if the record sets are not listed.
-
-1. Switch to the Remote Desktop session to **az104-04-vm0**, right-click the **Start** button and, in the right-click menu, click **Windows PowerShell (Admin)**.
-
-1. In the Windows PowerShell console window, run the following to test internal name resolution in the newly created private DNS zone:
-
- ```powershell
- nslookup az104-04-vm0.contoso.org
- nslookup az104-04-vm1.contoso.org
- ```
-
-1. Verify that the output of the command includes the private IP address of **az104-04-vm1** (**10.40.1.4**).
-
-## Task 6: Configure Azure DNS for external name resolution
-
-In this task, you will configure external DNS name resolution by using Azure public DNS zones.
-
-1. In a web browser, open a new tab and navigate to .
-
-1. Use the domain name search to identify a domain name which is not in use.
-
-1. In the Azure portal, search for and select **DNS zones** and, on the **DNS zones** blade, click **+ Create**.
-
-1. Create a DNS zone with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource Group | **az104-04-rg1** |
- | Name | the DNS domain name you identified earlier in this task |
-
-1. Click **Review and Create**. Let validation occur, and hit **Create** again to submit your deployment.
-
- >**Note**: Wait for the DNS zone to be created. This should take about 2 minutes.
-
-1. Click **Go to resource** to open the blade of the newly created DNS zone.
-
-1. On the DNS zone blade, click **+ Record set**.
-
-1. Add a record set with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Name | **az104-04-vm0** |
- | Type | **A** |
- | Alias record set | **No** |
- | TTL | **1** |
- | TTL unit | **Hours** |
- | IP address | the public IP address of **az104-04-vm0** which you identified in the third exercise of this lab |
-
-1. Click **OK**
-
-1. On the DNS zone blade, click **+ Record set**.
-
-1. Add a record set with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Name | **az104-04-vm1** |
- | Type | **A** |
- | Alias record set | **No** |
- | TTL | **1** |
- | TTL unit | **Hours** |
- | IP address | the public IP address of **az104-04-vm1** which you identified in the third exercise of this lab |
-
-1. Click **OK**
-
-1. On the DNS zone blade, note the name of the **Name server 1** entry.
-
-1. In the Azure portal, open the **PowerShell** session in **Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
-
-1. From the Cloud Shell pane, run the following to test external name resolution of the **az104-04-vm0** DNS record set in the newly created DNS zone (replace the placeholder `[Name server 1]` with the name of **Name server 1** you noted earlier in this task and the `[domain name]` placeholder with the name of the DNS domain you created earlier in this task):
-
- ```powershell
- nslookup az104-04-vm0.[domain name] [Name server 1]
- ```
-
-1. Verify that the output of the command includes the public IP address of **az104-04-vm0**.
-
-1. From the Cloud Shell pane, run the following to test external name resolution of the **az104-04-vm1** DNS record set in the newly created DNS zone (replace the placeholder `[Name server 1]` with the name of **Name server 1** you noted earlier in this task and the `[domain name]` placeholder with the name of the DNS domain you created earlier in this task):
-
- ```powershell
- nslookup az104-04-vm1.[domain name] [Name server 1]
- ```
-
-1. Verify that the output of the command includes the public IP address of **az104-04-vm1**.
-
-## Clean up resources
-
- > **Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
-
- > **Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
-
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
-
-1. List all resource groups created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-04*'
- ```
-
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-04*' | Remove-AzResourceGroup -Force -AsJob
- ```
-
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
-
-## Review
-
-In this lab, you have:
-
-+ Created and configured a virtual network
-+ Deployed virtual machines into the virtual network
-+ Configured private and public IP addresses of Azure VMs
-+ Configured network security groups
-+ Configured Azure DNS for internal name resolution
-+ Configured Azure DNS for external name resolution
+---
+lab:
+ title: 'Lab 04: Implement Virtual Networking'
+ module: 'Implement Virtual Networking'
+---
+
+# Lab 04 - Implement Virtual Networking
+
+## Lab introduction
+
+This lab is the first of three labs that focuses on virtual networking. In this lab, you learn the basics of virtual networking and subnetting. You learn how to protect your network with network security groups and application security groups. You also learn about DNS zones and records.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated time: 50 minutes
+
+## Lab scenario
+
+Your global organization plans to implement virtual networks. The immediate goal is to accommodate all the existing resources. However, the organization is in a growth phase and wants to ensure there is additional capacity for the growth.
+
+The **CoreServicesVnet** virtual networkhas the largest number of resources. A large amount of growth is anticipated, so a large address space is necessary for this virtual network.
+
+The **ManufacturingVnet** virtual network contains systems for the operations of the manufacturing facilities. The organization is anticipating a large number of internal connected devices for their systems to retrieve data from.
+
+## Interactive lab simulations
+
+There are several interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
+
++ [Secure network traffic](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%2013). Create a virtual machine, a virtual network, and a network security group. Add network security group rules to allow and disallow traffic.
+
++ [Create a simple virtual network](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%204). Create a virtual network with two virtual machines. Demonstrate the virtual machines can communicate.
+
++ [Design and implement a virtual network in Azure](https://mslabs.cloudguides.com/guides/AZ-700%20Lab%20Simulation%20-%20Design%20and%20implement%20a%20virtual%20network%20in%20Azure). Create a resource group and create virtual networks with subnets.
+
++ [Implement virtual networking](https://mslabs.cloudguides.com/en-us/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%208). Create and configure a virtual network, deploy virtual machines, configure network security groups, and configure Azure DNS.
+
+## Architecture diagram
+
+
+
+These virtual networks and subnets are structured in a way that accommodates existing resources yet allows for the projected growth. Let's create these virtual networks and subnets to lay the foundation for our networking infrastructure.
+
+>**Did you know?**: It is a good practice to avoid overlapping IP address ranges to reduce issues and simplify troubleshooting. Overlapping is a concern across the entire network, whether in the cloud or on-premises. Many organizations design an enterprise-wide IP addressing scheme to avoid overlapping and plan for future growth.
+
+## Job skills
+
++ Task 1: Create a virtual network with subnets using the portal.
++ Task 2: Create a virtual network and subnets using a template.
++ Task 3: Create and configure communication between an Application Security Group and a Network Security Group.
++ Task 4: Configure public and private Azure DNS zones.
+
+## Task 1: Create a virtual network with subnets using the portal
+
+The organization plans a large amount of growth for core services. In this task, you create the virtual network and the associated subnets to accommodate the existing resources and planned growth. In this task, you will use the Azure portal.
+
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
+
+1. Search for and select `Virtual Networks`.
+
+1. Select **Create** on the Virtual networks page.
+
+1. Complete the **Basics** tab for the CoreServicesVnet.
+
+ | **Option** | **Value** |
+ | ------------------ | -------------------- |
+ | Resource Group | `az104-rg4` (if necessary, create new) |
+ | Name | `CoreServicesVnet` |
+ | Region | (US) **East US** |
+
+1. Move to the **IP Addresses** tab.
+
+ | **Option** | **Value** |
+ | ------------------ | -------------------- |
+
+ | IPv4 address space | `10.20.0.0/16` (separate the entries) |
+
+1. Select **+ Add a subnet**. Complete the name and address information for each subnet. Be sure to select **Add** for each new subnet.
+
+ | **Subnet** | **Option** | **Value** |
+ | ---------------------- | -------------------- | ---------------------- |
+ | SharedServicesSubnet | Subnet name | `SharedServicesSubnet` |
+ | | Starting address | `10.20.10.0` |
+ | | Size | `/24` |
+ | DatabaseSubnet | Subnet name | `DatabaseSubnet` |
+ | | Starting address | `10.20.20.0` |
+ | | Size | `/24` |
+
+ >**Note:** Every virtual network must have at least one subnet. Reminder that five IP addresses will always be reserved, so consider that in your planning.
+
+1. To finish creating the CoreServicesVnet and its associated subnets, select **Review + create**.
+
+1. Verify your configuration passed validation, and then select **Create**.
+
+1. Wait for the virtual network to deploy and then select **Go to resource**.
+
+1. Take a minute to verify the **Address space** and the **Subnets**. Notice your other choices in the **Settings** blade.
+
+1. In the **Automation** section, select **Export template**, and then wait for the template to be generated.
+
+1. **Download** the template.
+
+1. Navigate on the local machine to the **Downloads** folder and **Extract all** the files in the downloaded zip file.
+
+1. Before proceeding, ensure you have the **template.json** file. You will use this template to create the ManufacturingVnet in the next task.
+
+## Task 2: Create a virtual network and subnets using a template
+
+In this task, you create the ManufacturingVnet virtual network and associated subnets. The organization anticipates growth for the manufacturing offices so the subnets are sized for the expected growth. For this task, you use a template to create the resources.
+
+1. Locate the **template.json** file exported in the previous task. It should be in your **Downloads** folder.
+
+1. Edit the file using the editor of your choice. Many editors have a *change all occurrences* feature. If you are using Visual Studio Code be sure you are working in a **trusted window** and not in the **restricted mode**. Consult the architecture diagram to verify the details.
+
+### Make changes for the ManufacturingVnet virtual network
+
+1. Replace all occurrences of **CoreServicesVnet** with `ManufacturingVnet`.
+
+1. Replace all occurrences of **10.20.0.0/16** with `10.30.0.0/16`.
+
+### Make changes for the ManufacturingVnet subnets
+
+1. Change all occurrences of **SharedServicesSubnet** to `SensorSubnet1`.
+
+1. Change all occurrences of **10.20.10.0/24** to `10.30.20.0/24`.
+
+1. Change all occurrences of **DatabaseSubnet** to `SensorSubnet2`.
+
+1. Change all occurrences of **10.20.20.0/24** to `10.30.21.0/24`.
+
+1. Read back through the file and ensure everything looks correct.
+
+1. Be sure to **Save** your changes.
+
+>**Note:** There is a completed template files in the lab files directory.
+
+### Make changes to the parameters file
+
+1. Locate the **template.json** file exported in the previous task. It should be in your **Downloads** folder.
+
+1. Edit the file using the editor of your choice.
+
+1. Replace the one occurrence of **CoreServicesVnet** with `ManufacturingVnet`.
+
+1. **Save** your changes.
+
+### Deploy the custom template
+
+1. In the portal, search for and select **Deploy a custom template**.
+
+1. Select **Build your own template in the editor** and then **Load file**.
+
+1. Select the **templates.json** file with your Manufacturing changes, then select **Save**.
+
+1. Select **Review + create** and then **Create**.
+
+1. Wait for the template to deploy, then confirm (in the portal) the Manufacturing virtual network and subnets were created.
+
+>**Note:** If you have to deploy more than one time you may find some resources were successfully completed and the deployment is failing. You can manually remove those resources and try again.
+
+## Task 3: Create and configure communication between an Application Security Group and a Network Security Group
+
+In this task, we create an Application Security Group and a Network Security Group. The NSG will have an inbound security rule that allows traffic from the ASG. The NSG will also have an outbound rule that denies access to the internet.
+
+### Create the Application Security Group (ASG)
+
+1. In the Azure portal, search for and select `Application security groups`.
+
+1. Click **Create** and provide the basic information.
+
+ | Setting | Value |
+ | -- | -- |
+ | Subscription | *your subscription* |
+ | Resource group | **az104-rg4** |
+ | Name | `asg-web` |
+ | Region | **East US** |
+
+1. Click **Review + create** and then after the validation click **Create**.
+
+### Create the Network Security Group and associate it with the ASG subnet
+
+1. In the Azure portal, search for and select `Network security groups`.
+
+1. Select **+ Create** and provide information on the **Basics** tab.
+
+ | Setting | Value |
+ | -- | -- |
+ | Subscription | *your subscription* |
+ | Resource group | **az104-rg4** |
+ | Name | `myNSGSecure` |
+ | Region | **East US** |
+
+1. Click **Review + create** and then after the validation click **Create**.
+
+1. After the NSG is deployed, click **Go to resource**.
+
+1. Under **Settings** click **Subnets** and then **Associate**.
+
+ | Setting | Value |
+ | -- | -- |
+ | Virtual network | **CoreServicesVnet (az104-rg4)** |
+ | Subnet | **SharedServicesSubnet** |
+
+1. Click **OK** to save the association.
+
+### Configure an inbound security rule to allow ASG traffic
+
+1. Continue working with your NSG. In the **Settings** area, select **Inbound security rules**.
+
+1. Review the default inbound rules. Notice that only other virtual networks and load balancers are allowed access.
+
+1. Select **+ Add**.
+
+1. On the **Add inbound security rule** blade, use the following information to add an inbound port rule. This rule allows ASG traffic. When you are finished, select **Add**.
+
+ | Setting | Value |
+ | -- | -- |
+ | Source | **Application security group** |
+ | Source application security groups | **asg-web** |
+ | Source port ranges | * |
+ | Destination | **Any** |
+ | Service | **Custom** (notice your other choices) |
+ | Destination port ranges | **80,443** |
+ | Protocol | **TCP** |
+ | Action | **Allow** |
+ | Priority | **100** |
+ | Name | `AllowASG` |
+
+### Configure an outbound NSG rule that denies Internet access
+
+1. After creating your inbound NSG rule, select **Outbound security rules**.
+
+1. Notice the **AllowInternetOutboundRule** rule. Also notice the rule cannot be deleted and the priority is 65001.
+
+1. Select **+ Add** and then configure an outbound rule that denies access to the internet. When you are finished, select **Add**.
+
+ | Setting | Value |
+ | -- | -- |
+ | Source | **Any** |
+ | Source port ranges | * |
+ | Destination | **Service tag** |
+ | Destination service tag | **Internet** |
+ | Service | **Custom** |
+ | Destination port ranges | **8080** |
+ | Protocol | **Any** |
+ | Action | **Deny** |
+ | Priority | **4096** |
+ | Name | **DenyAnyCustom8080Outbound** |
+
+
+## Task 4: Configure public and private Azure DNS zones
+
+In this task, you will create and configure public and private DNS zones.
+
+### Configure a public DNS zone
+
+You can configure Azure DNS to resolve host names in your public domain. For example, if you purchased the contoso.xyz domain name from a domain name registrar, you can configure Azure DNS to host the `contoso.com` domain and resolve www.contoso.xyz to the IP address of your web server or web app.
+
+1. In the portal, search for and select `DNS zones`.
+
+1. Select **+ Create**.
+
+1. Configure the **Basics** tab.
+
+ | Property | Value |
+ |:---------|:---------|
+ | Subscription | **Select your subscription** |
+ | Resource group | **az04-rg4** |
+ | Name | `contoso.com` (if reserved adjust the name) |
+ | Region |**East US** (review the informational icon) |
+
+1. Select **Review create** and then **Create**.
+
+1. Wait for the DNS zone to deploy and then select **Go to resource**.
+
+1. On the **Overview** blade notice the names of the four Azure DNS name servers assigned to the zone. **Copy** one of the name server addresses. You will need it in a future step.
+
+1. Select **+ Record set**. You add a virtual network link record for each virtual network that needs private name-resolution support.
+
+ | Property | Value |
+ |:---------|:---------|
+ | Name | **www** |
+ | Type | **A** |
+ | TTL | **1** |
+ | IP address | **10.1.1.4** |
+
+>**Note:** In a real-world scenario, you'd enter the public IP address of your web server.
+
+1. Select **OK** and verify **contoso.com** has an A record set named **www**.
+
+1. Open a command prompt, and run the following command:
+
+ ```sh
+ nslookup www.contoso.com
+ ```
+1. Verify the host name www.contoso.com resolves to the IP address you provided. This confirms name resolution is working correctly.
+
+### Configure a private DNS zone
+
+A private DNS zone provides name resolution services within virtual networks. A private DNS zone is only accessible from the virtual networks that it is linked to and can't be accessed from the internet.
+
+1. In the portal, search for and select `Private dns zones`.
+
+1. Select **+ Create**.
+
+1. On the **Basics** tab of Create private DNS zone, enter the information as listed in the table below:
+
+ | Property | Value |
+ |:---------|:---------|
+ | Subscription | **Select your subscription** |
+ | Resource group | **az04-rg4** |
+ | Name | `private.contoso.com` (adjust if you had to rename) |
+ | Region |**East US** |
+
+1. Select **Review create** and then **Create**.
+
+1. Wait for the DNS zone to deploy and then select **Go to resource**.
+
+1. Notice on the **Overview** blade there are no name server records.
+
+1. Select **+ Virtual network links** and then select **+ Add**.
+
+ | Property | Value |
+ |:---------|:---------|
+ | Link name | `manufacturing-link` |
+ | Virtual network | `ManufacturingVnet` |
+
+1. Select **OK** and wait for the link to create.
+
+1. From the **Overview** blade select **+ Record set**. You would now add a record for each virtual machine that needs private name-resolution support.
+
+ | Property | Value |
+ |:---------|:---------|
+ | Name | **sensorvm** |
+ | Type | **A** |
+ | TTL | **1** |
+ | IP address | **10.1.1.4** |
+
+ >**Note:** In a real-world scenario, you'd enter the IP address for a specific manufacturing virtual machine.
+
+## Cleanup your resources
+
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
+
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
+
+## Key takeaways
+
+Congratulations on completing the lab. Here are the main takeaways for this lab.
+
++ A virtual network is a representation of your own network in the cloud.
++ When designing virtual networks it is a good practice to avoid overlapping IP address ranges. This will reduce issues and simplify troubleshooting.
++ A subnet is a range of IP addresses in the virtual network. You can divide a virtual network into multiple subnets for organization and security.
++ A network security group contains security rules that allow or deny network traffic. There are default incoming and outgoing rules which you can customize to your needs.
++ Application security groups are used to protect groups of servers with a common function, such as web servers or database servers.
++ Azure DNS is a hosting service for DNS domains that provides name resolution. You can configure Azure DNS to resolve host names in your public domain. You can also use private DNS zones to assign DNS names to virtual machines (VMs) in your Azure virtual networks.
+
+## Learn more with self-paced training
+
++ [Introduction to Azure Virtual Networks](https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/). Design and implement core Azure Networking infrastructure such as virtual networks, public and private IPs, DNS, virtual network peering, routing, and Azure Virtual NAT.
++ [Design an IP addressing scheme](https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/). Identify the private and public IP addressing capabilities of Azure and on-premises virtual networks.
++ [Secure and isolate access to Azure resources by using network security groups and service endpoints](https://learn.microsoft.com/training/modules/secure-and-isolate-with-nsg-and-service-endpoints/). Network security groups and service endpoints help you secure your virtual machines and Azure services from unauthorized network access.
++ [Host your domain on Azure DNS](https://learn.microsoft.com/training/modules/host-domain-azure-dns/). Create a DNS zone for your domain name. Create DNS records to map the domain to an IP address. Test that the domain name resolves to your web server.
+
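Review bot: The record set step at the end of the DNS task gives `TTL | **1**` with no unit and never tells the learner to confirm the record (there is no "select **OK**" or "**Add**" after the table), so the step ends without the record being created. State the TTL unit and add the confirming action. In Key takeaways, "Application security groups are used to protect groups of servers" overstates what an ASG does: it only groups virtual machines so that network security group rules can reference them, and the filtering is still done by the NSG. Suggest rewording that bullet so it does not read as if an ASG enforces anything by itself. Minor: the heading "Cleanup your resources" should use the verb form "Clean up".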
diff --git a/Instructions/Labs/LAB_05-Implement_Intersite_Connectivity.md b/Instructions/Labs/LAB_05-Implement_Intersite_Connectivity.md
index 1ae9ab1c..b337278a 100644
--- a/Instructions/Labs/LAB_05-Implement_Intersite_Connectivity.md
+++ b/Instructions/Labs/LAB_05-Implement_Intersite_Connectivity.md
@@ -5,277 +5,298 @@ lab:
---
# Lab 05 - Implement Intersite Connectivity
-# Student lab manual
-## Lab scenario
+## Lab introduction
-Contoso has its datacenters in Boston, New York, and Seattle offices connected via a mesh wide-area network links, with full connectivity between them. You need to implement a lab environment that will reflect the topology of the Contoso's on-premises networks and verify its functionality.
+In this lab you explore communication between virtual networks. You implement virtual network peering and test connections. You will also create a custom route.
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%209)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
-## Objectives
+## Estimated time: 50 minutes
+
+## Lab scenario
-In this lab, you will:
+Your organization segments core IT apps and services (such as DNS and security services) from other parts of the business, including your manufacturing department. However, in some scenarios, apps and services in the core area need to communicate with apps and services in the manufacturing area. In this lab, you configure connectivity between the segmented areas. This is a common scenario for separating production from development or separating one subsidiary from another.
-+ Task 1: Provision the lab environment
-+ Task 2: Configure local and global virtual network peering
-+ Task 3: Test intersite connectivity
+## Interactive lab simulations
-## Estimated timing: 30 minutes
+There are several interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
+
++ [Connect two Azure virtual networks using global virtual network peering](https://mslabs.cloudguides.com/guides/AZ-700%20Lab%20Simulation%20-%20Connect%20two%20Azure%20virtual%20networks%20using%20global%20virtual%20network%20peering). Test the connection between two virtual machines in different virtual networks. Create a virtual network peering and retest.
+
++ [Configure monitoring for virtual networks](https://learn.microsoft.com/training/modules/configure-monitoring-virtual-networks/). Understand how to use Azure Network Watcher Connection Monitor, flow logs, NSG diagnostics, and packet capture to monitor connectivity across your Azure IaaS network resources.
+
++ [Implement intersite connectivity](https://mslabs.cloudguides.com/en-us/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%209). Run a template to create a virtual network infrastructure with several virtual machines. Configure virtual network peerings and test the connections.
## Architecture diagram
-
+
-### Instructions
+## Job skills
-## Exercise 1
++ Task 1: Create a virtual machine in a virtual network.
++ Task 2: Create a virtual machine in a different virtual network.
++ Task 3: Use Network Watcher to test the connection between virtual machines.
++ Task 4: Configure virtual network peerings between different virtual networks.
++ Task 5: Use Azure PowerShell to test the connection between virtual machines.
++ Task 6: Create a custom route.
-## Task 1: Provision the lab environment
+## Task 1: Create a core services virtual machine and virtual network
-In this task, you will deploy three virtual machines, each into a separate virtual network, with two of them in the same Azure region and the third one in another Azure region.
+In this task, you create a core services virtual network with a virtual machine.
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
+1. Search for and select `Virtual Machines`.
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+1. From the virtual machines page, select **Create** then select **Azure Virtual Machine**.
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
-
-1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the files **\\Allfiles\\Labs\\05\\az104-05-vnetvm-loop-template.json** and **\\Allfiles\\Labs\\05\\az104-05-vnetvm-loop-parameters.json** into the Cloud Shell home directory.
-
-1. From the Cloud Shell pane, run the following to create the resource group that will be hosting the lab environment. The first two virtual networks and a pair of virtual machines will be deployed in [Azure_region_1]. The third virtual network and the third virtual machine will be deployed in the same resource group but another [Azure_region_2]. (replace the [Azure_region_1] and [Azure_region_2] placeholder, including the square brackets, with the names of two different Azure regions where you intend to deploy these Azure virtual machines. An example is $location1 = 'eastus'. You can use Get-AzLocation to list all locations.):
-
- ```powershell
- $location1 = 'eastus'
-
- $location2 = 'westus'
-
- $rgName = 'az104-05-rg1'
-
- New-AzResourceGroup -Name $rgName -Location $location1
- ```
-
- >**Note**: The regions used above were tested and known to work when this lab was last officially reviewed. If you would prefer to use different locations, or they no longer work, you will need to identify two different regions that Standard D2Sv3 virtual machines can be deployed into.
- >
- >In order to identify Azure regions, from a PowerShell session in Cloud Shell, run **(Get-AzLocation).Location**
- >
- >Once you have identified two regions you would like to use, run the command below in the Cloud Shell for each region to confirm that you can deploy Standard D2Sv3 virtual machines
- >
- >```az vm list-skus --location -o table --query "[? contains(name,'Standard_D2s')].name" ```
- >
- >If the command returns no results, then you need to choose another region. Once you have identified two suitable regions, you can adjust the regions in the code block above.
-
-1. From the Cloud Shell pane, run the following to create the three virtual networks and deploy virtual machines into them by using the template and parameter files you uploaded:
-
- >**Note**: You will be prompted to provide an Admin password.
-
- ```powershell
- New-AzResourceGroupDeployment `
- -ResourceGroupName $rgName `
- -TemplateFile $HOME/az104-05-vnetvm-loop-template.json `
- -TemplateParameterFile $HOME/az104-05-vnetvm-loop-parameters.json `
- -location1 $location1 `
- -location2 $location2
- ```
-
- >**Note**: Wait for the deployment to complete before proceeding to the next step. This should take about 2 minutes.
-
-1. Close the Cloud Shell pane.
-
-## Task 2: Configure local and global virtual network peering
-
-In this task, you will configure local and global peering between the virtual networks you deployed in the previous tasks.
-
-1. In the Azure portal, search for and select **Virtual networks**.
-
-1. Review the virtual networks you created in the previous task and verify that the first two are located in the same Azure region and the third one in a different Azure region.
-
- >**Note**: The template you used for deployment of the three virtual networks ensures that the IP address ranges of the three virtual networks do not overlap.
-
-1. In the list of virtual networks, click **az104-05-vnet0**.
-
-1. On the **az104-05-vnet0** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**.
-
-1. Add a peering with the following settings (leave others with their default values) and click **Add**:
-
- | Setting | Value|
+1. On the Basics tab, use the following information to complete the form, and then select **Next: Disks >**. For any setting not specified, leave the default value.
+
+ | Setting | Value |
| --- | --- |
- | This virtual network: Peering link name | **az104-05-vnet0_to_az104-05-vnet1** |
- | Settings to allow access, forwarded traffic, and gateway | **Ensure only the first three boxes are checked** |
- | Remote virtual network: Peering link name | **az104-05-vnet1_to_az104-05-vnet0** |
- | Virtual network deployment model | **Resource manager** |
- | I know my resource ID | unselected |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Virtual network | **az104-05-vnet1** |
- | Allow access to current virtual network | **Ensure the box is checked (default)** |
- | Settings to allow access, forwarded traffic, and gateway | **Ensure only the first three boxes are checked** |
+ | Subscription | *your subscription* |
+ | Resource group | `az104-rg5` (If necessary, **Create new**. )
+ | Virtual machine name | `CoreServicesVM` |
+ | Region | **(US) East US** |
+ | Availability options | No infrastructure redundancy required |
+ | Security type | **Standard** |
+ | Image | **Windows Server 2019 Datacenter: x64 Gen2** (notice your other choices) |
+ | Size | **Standard_DS2_v3** |
+ | Username | `localadmin` |
+ | Password | **Provide a complex password** |
- >**Note**: This step establishes two local peerings - one from az104-05-vnet0 to az104-05-vnet1 and the other from az104-05-vnet1 to az104-05-vnet0.
+ 
+
+1. On the **Disks** tab take the defaults and then select **Next: Networking >**.
- >**Note**: In case you run into an issue with the Azure portal interface not displaying the virtual networks created in the previous task, you can configure peering by running the following PowerShell commands from Cloud Shell:
-
- ```powershell
- $rgName = 'az104-05-rg1'
+1. On the **Networking** tab, for Virtual network, select **Create new**.
- $vnet0 = Get-AzVirtualNetwork -Name 'az104-05-vnet0' -ResourceGroupName $rgname
+1. Use the following information to configure the virtual network, and then select **Ok**. If necessary, remove or replace the existing information.
- $vnet1 = Get-AzVirtualNetwork -Name 'az104-05-vnet1' -ResourceGroupName $rgname
-
- Add-AzVirtualNetworkPeering -Name 'az104-05-vnet0_to_az104-05-vnet1' -VirtualNetwork $vnet0 -RemoteVirtualNetworkId $vnet1.Id
-
- Add-AzVirtualNetworkPeering -Name 'az104-05-vnet1_to_az104-05-vnet0' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet0.Id
- ```
-
-1. On the **az104-05-vnet0** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**.
-
-1. Add a peering with the following settings (leave others with their default values) and click **Add**:
-
- | Setting | Value|
+ | Setting | Value |
| --- | --- |
- | This virtual network: Peering link name | **az104-05-vnet0_to_az104-05-vnet2** |
- | Allow access to remote virtual network |**Ensure the box is checked (default)** |
- | Remote virtual network: Peering link name | **az104-05-vnet2_to_az104-05-vnet0** |
- | Virtual network deployment model | **Resource manager** |
- | I know my resource ID | unselected |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Virtual network | **az104-05-vnet2** |
- | Allow access to current virtual network |**Ensure the box is checked (default)** |
+ | Name | `CoreServicesVNet` (Create new) |
+ | Address range | `10.0.0.0/16` |
+ | Subnet Name | `Core` |
+ | Subnet address range | `10.0.0.0/24` |
- >**Note**: This step establishes two global peerings - one from az104-05-vnet0 to az104-05-vnet2 and the other from az104-05-vnet2 to az104-05-vnet0.
+1. Select the **Monitoring** tab. For Boot Diagnostics, select **Disable**.
- >**Note**: In case you run into an issue with the Azure portal interface not displaying the virtual networks created in the previous task, you can configure peering by running the following PowerShell commands from Cloud Shell:
-
- ```powershell
- $rgName = 'az104-05-rg1'
+1. Select **Review + Create**, and then select **Create**.
- $vnet0 = Get-AzVirtualNetwork -Name 'az104-05-vnet0' -ResourceGroupName $rgname
+1. You do not need to wait for the resources to be created. Continue on to the next task.
- $vnet2 = Get-AzVirtualNetwork -Name 'az104-05-vnet2' -ResourceGroupName $rgname
+ >**Note:** Did you notice in this task you created the virtual network as you created the virtual machine? You could also create the virtual network infrastructure then add the virtual machines.
- Add-AzVirtualNetworkPeering -Name 'az104-05-vnet0_to_az104-05-vnet2' -VirtualNetwork $vnet0 -RemoteVirtualNetworkId $vnet2.Id
+## Task 2: Create a virtual machine in a different virtual network
- Add-AzVirtualNetworkPeering -Name 'az104-05-vnet2_to_az104-05-vnet0' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet0.Id
- ```
+In this task, you create a manufacturing services virtual network with a virtual machine.
-1. Navigate back to the **Virtual networks** blade and, in the list of virtual networks, click **az104-05-vnet1**.
+1. From the Azure portal, search for and navigate to **Virtual Machines**.
-1. On the **az104-05-vnet1** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**.
+1. From the virtual machines page, select **Create** then select **Azure Virtual Machine**.
-1. Add a peering with the following settings (leave others with their default values) and click **Add**:
-
- | Setting | Value|
+1. On the Basics tab, use the following information to complete the form, and then select **Next: Disks >**. For any setting not specified, leave the default value.
+
+ | Setting | Value |
| --- | --- |
- | This virtual network: Peering link name | **az104-05-vnet1_to_az104-05-vnet2** |
- | Allow access to remote virtual network | **Ensure the box is checked (default)** |
- | Remote virtual network: Peering link name | **az104-05-vnet2_to_az104-05-vnet1** |
- | Virtual network deployment model | **Resource manager** |
- | I know my resource ID | unselected |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Virtual network | **az104-05-vnet2** |
- | Allow access to current virtual network | **Ensure the box is checked (default)** |
+ | Subscription | *your subscription* |
+ | Resource group | `az104-rg5` |
+ | Virtual machine name | `ManufacturingVM` |
+ | Region | **(US) East US** |
+ | Security type | **Standard** |
+ | Availability options | No infrastructure redundancy required |
+ | Image | **Windows Server 2019 Datacenter: x64 Gen2** |
+ | Size | **Standard_DS2_v3** |
+ | Username | `localadmin` |
+ | Password | **Provide a complex password** |
- >**Note**: This step establishes two global peerings - one from az104-05-vnet1 to az104-05-vnet2 and the other from az104-05-vnet2 to az104-05-vnet1.
+1. On the **Disks** tab take the defaults and then select **Next: Networking >**.
- >**Note**: In case you run into an issue with the Azure portal interface not displaying the virtual networks created in the previous task, you can configure peering by running the following PowerShell commands from Cloud Shell:
-
- ```powershell
- $rgName = 'az104-05-rg1'
+1. On the Networking tab, for Virtual network, select **Create new**.
- $vnet1 = Get-AzVirtualNetwork -Name 'az104-05-vnet1' -ResourceGroupName $rgname
+1. Use the following information to configure the virtual network, and then select **Ok**. If necessary, remove or replace the existing address range.
- $vnet2 = Get-AzVirtualNetwork -Name 'az104-05-vnet2' -ResourceGroupName $rgname
+ | Setting | Value |
+ | --- | --- |
+ | Name | `ManufacturingVNet` |
+ | Address range | `172.16.0.0/16` |
+ | Subnet Name | `Manufacturing` |
+ | Subnet address range | `172.16.0.0/24` |
- Add-AzVirtualNetworkPeering -Name 'az104-05-vnet1_to_az104-05-vnet2' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id
+1. Select the **Monitoring** tab. For Boot Diagnostics, select **Disable**.
- Add-AzVirtualNetworkPeering -Name 'az104-05-vnet2_to_az104-05-vnet1' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id
- ```
+1. Select **Review + Create**, and then select **Create**.
-## Task 3: Test intersite connectivity
+## Task 3: Use Network Watcher to test the connection between virtual machines
-In this task, you will test connectivity between virtual machines on the three virtual networks that you connected via local and global peering in the previous task.
-1. In the Azure portal, search for and select **Virtual machines**.
+In this task, you verify that resources in peered virtual networks can communicate with each other. Network Watcher will be used to test the connection. Before continuing, ensure both virtual machines have been deployed and are running.
-1. In the list of virtual machines, click **az104-05-vm0**.
+1. From the Azure portal, search for and select `Network Watcher`.
-1. On the **az104-05-vm0** blade, click **Connect**, in the drop-down menu, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** and follow the prompts to start the Remote Desktop session.
+1. From Network Watcher, in the Network diagnostic tools menu, select **Connection troubleshoot**.
- >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software.
+1. Use the following information to complete the fields on the **Connection troubleshoot** page.
- >**Note**: You can ignore any warning prompts when connecting to the target virtual machines.
+ | Field | Value |
+ | --- | --- |
+ | Source type | **Virtual machine** |
+ | Virtual machine | **CoreServicesVM** |
+ | Destination type | **Virtual machine** |
+ | Virtual machine | **ManufacturingVM** |
+ | Preferred IP Version | **Both** |
+ | Protocol | **TCP** |
+ | Destination port | `3389` |
+ | Source port | *Blank* |
+ | Diagnostic tests | *Defaults* |
-1. When prompted, sign in by using the **Student** username and the password you configured when deploying your virtual machines via the CloudShell.
+ 
-1. Within the Remote Desktop session to **az104-05-vm0**, right-click the **Start** button and, in the right-click menu, click **Windows PowerShell (Admin)**.
+1. Select **Run diagnostic tests**.
-1. In the Windows PowerShell console window, run the following to test connectivity to **az104-05-vm1** (which has the private IP address of **10.51.0.4**) over TCP port 3389:
+ >**Note**: It may take a couple of minutes for the results to be returned. The screen selections will be greyed out while the results are being collected. Notice the **Connectivity test** shows **UnReachable**. This makes sense because the virtual machines are in different virtual networks.
- ```powershell
- Test-NetConnection -ComputerName 10.51.0.4 -Port 3389 -InformationLevel 'Detailed'
- ```
+
+## Task 4: Configure virtual network peerings between virtual networks
- >**Note**: The test uses TCP 3389 since this is this port is allowed by default by operating system firewall.
+In this task, you create a virtual network peering to enable communications between resources in the virtual networks.
-1. Examine the output of the command and verify that the connection was successful.
+1. In the Azure portal, select the `CoreServicesVnet` virtual network.
-1. In the Windows PowerShell console window, run the following to test connectivity to **az104-05-vm2** (which has the private IP address of **10.52.0.4**):
+1. In CoreServicesVnet, under **Settings**, select **Peerings**.
- ```powershell
- Test-NetConnection -ComputerName 10.52.0.4 -Port 3389 -InformationLevel 'Detailed'
- ```
+1. On CoreServicesVnet | Peerings, select **+ Add**.
-1. Switch back to the Azure portal on your lab computer and navigate back to the **Virtual machines** blade.
+1. Use the information in the following table to create the peering.
-1. In the list of virtual machines, click **az104-05-vm1**.
+| **Parameter** | **Value** |
+| --------------------------------------------- | ------------------------------------- |
+| **This virtual network** | |
+| Peering link name | `CoreServicesVnet-to-ManufacturingVnet` |
+| Allow CoreServicesVNet to access the peered virtual network | selected (default) |
+| Allow CoreServicesVNet to receive forwarded traffic from the peered virtual network | selected |
+| Allow gateway in CoreServicesVNet to forward traffic to the peered virtual network | Not selected (default) |
+| Enable CoreServicesVNet to use the peered virtual networks' remote gateway | Not selected (default) |
+| **Remote virtual network** | |
+| Peering link name | `ManufacturingVnet-to-CoreServicesVnet` |
+| Virtual network deployment model | **Resource manager** |
+| I know my resource ID | Not selected |
+| Subscription | *your subscription* |
+| Virtual network | **ManufacturingVnet** |
+| Allow ManufacturingVNet to access CoreServicesVNet | selected (default) |
+| Allow ManufacturingVNet to receive forwarded traffic from CoreServicesVNet | selected |
+| Allow gateway in CoreServicesVNet to forward traffic to the peered virtual network | Not selected (default) |
+| Enable ManufacturingVNet to use CoreServicesVNet's remote gateway | Not selected (default) |
-1. On the **az104-05-vm1** blade, click **Connect**, in the drop-down menu, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** and follow the prompts to start the Remote Desktop session.
+1. Review your settings and select **Add**.
- >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software.
+ 
+
+1. In CoreServicesVnet | Peerings, verify that the **CoreServicesVnet-to-ManufacturingVnet** peering is listed. Refresh the page to ensure the **Peering status** is **Connected**.
- >**Note**: You can ignore any warning prompts when connecting to the target virtual machines.
+1. Switch to the **ManufacturingVnet** and verify the **ManufacturingVnet-to-CoreServicesVnet** peering is listed. Ensure the **Peering status** is **Connected**. You may need to **Refresh** the page.
-1. When prompted, sign in by using the **Student** username and the password from your parameters file.
-1. Within the Remote Desktop session to **az104-05-vm1**, right-click the **Start** button and, in the right-click menu, click **Windows PowerShell (Admin)**.
+## Task 5: Use Azure PowerShell to test the connection between virtual machines
-1. In the Windows PowerShell console window, run the following to test connectivity to **az104-05-vm2** (which has the private IP address of **10.52.0.4**) over TCP port 3389:
+In this task, you retest the connection between the virtual machines in different virtual networks.
- ```powershell
- Test-NetConnection -ComputerName 10.52.0.4 -Port 3389 -InformationLevel 'Detailed'
- ```
+### Verify the private IP address of the CoreServicesVM
- >**Note**: The test uses TCP 3389 since this is this port is allowed by default by operating system firewall.
+1. From the Azure portal, search for and select the `CoreServicesVM` virtual machine.
-1. Examine the output of the command and verify that the connection was successful.
+1. On the **Overview** blade, in the **Networking** section, record the **Private IP address** of the machine. You need this information to test the connection.
+
+### Test the connection to the CoreServicesVM from the **ManufacturingVM**.
-## Clean up resources
+>**Did you know?** There are many ways to check connections. In this task, you use **Run command**. You could also continue to use Network Watcher. Or you could use a [Remote Desktop Connection](https://learn.microsoft.com/azure/virtual-machines/windows/connect-rdp#connect-to-the-virtual-machine) to the access the virtual machine. Once connected, use **test-connection**. As you have time, give RDP a try.
->**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
+1. Switch to the `ManufacturingVM` virtual machine.
->**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
+1. In the **Operations** blade, select the **Run command** blade.
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
+1. Select **RunPowerShellScript** and run the **Test-NetConnection** command. Be sure to use the private IP address of the **CoreServicesVM**.
-1. List all resource groups created throughout the labs of this module by running the following command:
+ ```Powershell
+ Test-NetConnection -port 3389
+ ```
+1. It may take a couple of minutes for the script to time out. The top of the page shows an informational message *Script execution in progress.*
- ```powershell
- Get-AzResourceGroup -Name 'az104-05*'
- ```
+
+1. The test connection should succeed because peering has been configured. Your computer name and remote address in this graphic may be different.
+
+ 
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
+## Task 6: Create a custom route
- ```powershell
- Get-AzResourceGroup -Name 'az104-05*' | Remove-AzResourceGroup -Force -AsJob
- ```
+In this task, you want to control network traffic between the perimeter subnet and the internal core services subnet. A virtual network appliance will be installed in the core services subnet and all traffic should be routed there.
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
+1. Search for select the `CoreServicesVnet`.
-## Review
+1. Select **Subnets** and then **+ Create**. Be sure to **Save** your changes.
-In this lab, you have:
+ | Setting | Value |
+ | --- | --- |
+ | Name | `perimeter` |
+ | Subnet address range | `10.0.1.0/24` |
-+ Provisioned the lab environment
-+ Configured local and global virtual network peering
-+ Tested intersite connectivity
+
+1. In the Azure portal, search for and select `Route tables`, and then select **Create**.
+
+ | Setting | Value |
+ | --- | --- |
+ | Subscription | your subscription |
+ | Resource group | `az104-rg5` |
+ | Region | **East US** |
+ | Name | `rt-CoreServices` |
+ | Propagate gateway routes | **No** |
+
+1. After the route table deploys, select **Go to resource**.
+
+1. Select **Routes** and then **+ Add**. Create a route from the future NVA to the CoreServices virtual network.
+
+ | Setting | Value |
+ | --- | --- |
+ | Route name | `PerimetertoCore` |
+ | Destination type | **IP Addresses** |
+ | Destination IP addresses | `10.0.0.0/16` (core services virtual network) |
+ | Next hop type | **Virtual appliance** (notice your other choices) |
+ | Next hop address | `10.0.1.7` (future NVA) |
+
+1. Select **+ Add** when the route is completed. The last thing to do is associate the route with the subnet.
+
+1. Select **Subnets** and then **Associate**. Complete the configuration.
+
+ | Setting | Value |
+ | --- | --- |
+ | Virtual network | **CoreServicesVnet** |
+ | Subnet | **Core** |
+
+>**Note**: You have created a user defined route to direct traffic from the DMZ to the new NVA.
+
+## Cleanup your resources
+
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
+
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
+
+
+## Key takeaways
+
+Congratulations on completing the lab. Here are the main takeaways for this lab.
+
++ By default, resources in different virtual networks cannot communicate.
++ Virtual network peering enables you to seamlessly connect two or more virtual networks in Azure.
++ Peered virtual networks appear as one for connectivity purposes.
++ The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure.
++ System defined routes are automatically created for each subnet in a virtual network. User-defined routes override or add to the default system routes.
++ Azure Network Watcher provides a suite of tools to monitor, diagnose, and view metrics and logs for Azure IaaS resources.
+
+## Learn more with self-paced training
+
++ [Distribute your services across Azure virtual networks and integrate them by using virtual network peering](https://learn.microsoft.com/en-us/training/modules/integrate-vnets-with-vnet-peering/). Use virtual network peering to enable communication across virtual networks in a way that's secure and minimally complex.
++ [Manage and control traffic flow in your Azure deployment with routes](https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/). Learn how to control Azure virtual network traffic by implementing custom routes.
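Review bot: In Task 5 the fenced command `Test-NetConnection -port 3389` has no target, even though the step says to use the private IP address of **CoreServicesVM**; without a `-ComputerName` value the cmdlet is not testing CoreServicesVM, so the result says nothing about the peering. Put a visible placeholder in the command, for example `Test-NetConnection <CoreServicesVM private IP address> -port 3389`, and reconcile the next two steps, which say the script may "time out" and then that the test "should succeed". Task 6 is internally inconsistent: the introduction puts the appliance "in the core services subnet", the next hop `10.0.1.7` lies in the new `perimeter` subnet (`10.0.1.0/24`), the route is named `PerimetertoCore`, the table is associated with the **Core** subnet, and the closing note says it directs traffic "from the DMZ". A route table governs traffic leaving the subnet it is associated with, so state which subnet hosts the NVA and associate the table with the subnet whose outbound traffic should be forced through it. Smaller points: `Standard_DS2_v3` in both VM tables does not match the `Standard_D2s_v3` naming used in the removed note and in Lab 06; the Task 3 introduction says "peered virtual networks" although peering is only created in Task 4 and the expected result is **UnReachable**; in the peering table the third row under **Remote virtual network** repeats "Allow gateway in CoreServicesVNet ..." where ManufacturingVNet is meant; the `Resource group` row in the Task 1 table is missing its closing `|`; and the peering table is not indented under its numbered step, which restarts the list numbering when rendered.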
diff --git a/Instructions/Labs/LAB_06-Implement_Network_Traffic_Management.md b/Instructions/Labs/LAB_06-Implement_Network_Traffic_Management.md
index 31b14fb7..73a008df 100644
--- a/Instructions/Labs/LAB_06-Implement_Network_Traffic_Management.md
+++ b/Instructions/Labs/LAB_06-Implement_Network_Traffic_Management.md
@@ -5,481 +5,161 @@ lab:
---
# Lab 06 - Implement Traffic Management
-# Student lab manual
+
+## Lab introduction
+
+In this lab, you learn how to configure and test a public Load Balancer and an Application Gateway.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated timing: 50 minutes
## Lab scenario
-You were tasked with testing managing network traffic targeting Azure virtual machines in the hub and spoke network topology, which Contoso considers implementing in its Azure environment (instead of creating the mesh topology, which you tested in the previous lab). This testing needs to include implementing connectivity between spokes by relying on user defined routes that force traffic to flow via the hub, as well as traffic distribution across virtual machines by using layer 4 and layer 7 load balancers. For this purpose, you intend to use Azure Load Balancer (layer 4) and Azure Application Gateway (layer 7).
+Your organization has a public website. You need to load balance incoming public requests across different virtual machines. You also need to provide images and videos from different virtual machines. You plan on implementing an Azure Load Balancer and an Azure Application Gateway. All resources are in the same region.
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2010)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
+## Interactive lab simulations
->**Note**: This lab, by default, requires total of 8 vCPUs available in the Standard_Dsv3 series in the region you choose for deployment, since it involves deployment of four Azure VMs of Standard_D2s_v3 SKU. If your students are using trial accounts, with the limit of 4 vCPUs, you can use a VM size that requires only one vCPU (such as Standard_B1s).
+There are interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
-## Objectives
++ [Create and configure and Azure load balancer](https://mslabs.cloudguides.com/guides/AZ-700%20Lab%20Simulation%20-%20Create%20and%20configure%20an%20Azure%20load%20balancer). Create a virtual network, backend servers, load balancer, and then test the load balancer.
++ [Deploy Azure Application Gateway](https://mslabs.cloudguides.com/guides/AZ-700%20Lab%20Simulation%20-%20Deploy%20Azure%20Application%20Gateway). Create an application gateway, create virtual machines, create the backend pool, and test the gateway.
++ [Implement traffic management](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2010). Implement complete hub and spoke network including virtual machines, virtual networks, peering, load balancer, and application gateway.
-In this lab, you will:
+## Job skills
-+ Task 1: Provision the lab environment
-+ Task 2: Configure the hub and spoke network topology
-+ Task 3: Test transitivity of virtual network peering
-+ Task 4: Configure routing in the hub and spoke topology
-+ Task 5: Implement Azure Load Balancer
-+ Task 6: Implement Azure Application Gateway
++ Task 1: Use a template to provision an infrastructure.
++ Task 2: Configure an Azure Load Balancer.
++ Task 3: Configure an Azure Application Gateway.
-## Estimated timing: 60 minutes
+## Task 1: Use a template to provision an infrastructure
-## Architecture diagram
+In this task, you will use a template to deploy one virtual network, one network security group, and two virtual machines.
-
+1. Download the **\\Allfiles\\Lab06** lab files (template and parameters).
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-### Instructions
+1. Search for and select `Deploy a custom template`.
-## Exercise 1
+1. On the custom deployment page, select **Build you own template in the editor**.
-## Task 1: Provision the lab environment
+1. On the edit template page, select **Load file**.
-In this task, you will deploy four virtual machines into the same Azure region. The first two will reside in a hub virtual network, while each of the remaining two will reside in a separate spoke virtual network.
+1. Locate and select the **\\Allfiles\\Lab06\\az104-06-vms-template.json** file and select **Open**.
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select **Save**.
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
+1. Select **Edit parameters** and load the **\\Allfiles\\Lab06\\az104-06-vms-parameters.json** file.
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+1. Select **Save**.
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
+1. Use the following information to complete the fields on the custom deployment page, leaving all other fields with the default value.
-1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the files **\\Allfiles\\Labs\\06\\az104-06-vms-loop-template.json** and **\\Allfiles\\Labs\\06\\az104-06-vms-loop-parameters.json** into the Cloud Shell home directory.
+ | Setting | Value |
+ | --- | --- |
+ | Subscription | your Azure subscription |
+ | Resource group | `az104-rg6` (If necessary, select **Create new**) |
+ | Password | Provide a secure password |
-1. From the Cloud Shell pane, run the following to create the first resource group that will be hosting the lab environment (replace the '[Azure_region]' placeholder with the name of an Azure region where you intend to deploy Azure virtual machines)(you can use the "(Get-AzLocation).Location" cmdlet to get the region list):
+ >**Note**: If you receive an error that the VM size is unavailable, select a SKU that is available in your subscription and has at least 2 cores.
- ```powershell
- $location = '[Azure_region]'
- ```
-
- Now the resource group name:
- ```powershell
- $rgName = 'az104-06-rg1'
- ```
-
- And finally create the resource group in your desired location:
- ```powershell
- New-AzResourceGroup -Name $rgName -Location $location
- ```
+1. Select **Review + Create** and then select **Create**.
+ >**Note**: Wait for the deployment to complete before moving to the next task. The deployment should take approximately 5 minutes.
-1. From the Cloud Shell pane, run the following to create the three virtual networks and four Azure VMs into them by using the template and parameter files you uploaded:
+ >**Note**: Review the resources being deployed. There will be one virtual network with three subnets. Each subnet will have a virtual machine.
- >**Note**: You will be prompted to provide an Admin password.
+## Task 2: Configure an Azure Load Balancer
- ```powershell
- New-AzResourceGroupDeployment `
- -ResourceGroupName $rgName `
- -TemplateFile $HOME/az104-06-vms-loop-template.json `
- -TemplateParameterFile $HOME/az104-06-vms-loop-parameters.json
- ```
+In this task, you implement an Azure Load Balancer in front of the two Azure virtual machines in the virtual network. Load Balancers in Azure provide layer 4 connectivity across resources, such as virtual machines. Load Balancer configuration includes a front-end IP address to accept connections, a backend pool, and rules that define how connections should traverse the load balancer.
- >**Note**: Wait for the deployment to complete before proceeding to the next step. This should take about 5 minutes.
+## Architecture diagram - Load Balancer
- >**Note**: If you got an error stating the VM size is not available please ask your instructor for assistance and try these steps.
- > 1. Click on the `{}` button in your CloudShell, select the **az104-06-vms-loop-parameters.json** from the left hand side bar and take a note of the `vmSize` parameter value.
- > 1. Check the location in which the 'az104-06-rg1' resource group is deployed. You can run `az group show -n az104-06-rg1 --query location` in your CloudShell to get it.
- > 1. Run `az vm list-skus --location -o table --query "[? contains(name,'Standard_D2s')].name"` in your CloudShell.
- > 1. Replace the value of `vmSize` parameter with one of the values returned by the command you just run. If there are no values returned, you may need to choose a different region to deploy into. You may also choose a different family name, like "Standard_B1s".
- > 1. Now redeploy your templates by running the `New-AzResourceGroupDeployment` command again. You can press the up button a few times which would bring the last executed command.
+>**Note**: Notice the Load Balancer is distributing across two virtual machines in the same virtual network.
-1. From the Cloud Shell pane, run the following to install the Network Watcher extension on the Azure VMs deployed in the previous step:
+
- ```powershell
- $rgName = 'az104-06-rg1'
- $location = (Get-AzResourceGroup -ResourceGroupName $rgName).location
- $vmNames = (Get-AzVM -ResourceGroupName $rgName).Name
+1. In the Azure portal, search for and select `Load balancers` and, on the **Load balancers** blade, click **+ Create**.
- foreach ($vmName in $vmNames) {
- Set-AzVMExtension `
- -ResourceGroupName $rgName `
- -Location $location `
- -VMName $vmName `
- -Name 'networkWatcherAgent' `
- -Publisher 'Microsoft.Azure.NetworkWatcher' `
- -Type 'NetworkWatcherAgentWindows' `
- -TypeHandlerVersion '1.4'
- }
- ```
-
- >**Note**: Wait for the deployment to complete before proceeding to the next step. This should take about 5 minutes.
-
-
-
-1. Close the Cloud Shell pane.
-
-## Task 2: Configure the hub and spoke network topology
-
-In this task, you will configure local peering between the virtual networks you deployed in the previous tasks in order to create a hub and spoke network topology.
-
-1. In the Azure portal, search for and select **Virtual networks**.
-
-1. Review the virtual networks you created in the previous task.
-
- >**Note**: The template you used for deployment of the three virtual networks ensures that the IP address ranges of the three virtual networks do not overlap.
-
-1. In the list of virtual networks, select **az104-06-vnet2**.
-
-1. On the **az104-06-vnet2** blade, select **Properties**.
-
-1. On the **az104-06-vnet2 \| Properties** blade, record the value of the **Resource ID** property.
-
-1. Navigate back to the list of virtual networks and select **az104-06-vnet3**.
-
-1. On the **az104-06-vnet3** blade, select **Properties**.
-
-1. On the **az104-06-vnet3 \| Properties** blade, record the value of the **Resource ID** property.
-
- >**Note**: You will need the values of the ResourceID property for both virtual networks later in this task.
-
- >**Note**: This is a workaround that addresses the issue with the Azure portal occasionally not displaying the newly provisioned virtual network when creating virtual network peerings.
-
-1. In the list of virtual networks, click **az104-06-vnet01**.
-
-1. On the **az104-06-vnet01** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**.
-
-1. Add a peering with the following settings (leave others with their default values) and click **Add**:
+1. Create a load balancer with the following settings (leave others with their default values) then click **Next: Frontend IP configuration**:
| Setting | Value |
| --- | --- |
- | This virtual network: Peering link name | **az104-06-vnet01_to_az104-06-vnet2** |
- | Allow 'az104-06-vnet01' to access the peered virtual network | **Ensure the box is checked (default)** |
- | Allow gateway in 'az104-06-vnet01' to forward traffic to the peered virtual network | **Ensure the box is checked** |
- | Remote virtual network: Peering link name | **az104-06-vnet2_to_az104-06-vnet01** |
- | Virtual network deployment model | **Resource manager** |
- | I know my resource ID | enabled |
- | Resource ID | The value of resourceID parameter of **az104-06-vnet2** you recorded earlier in this task. |
- | Allow az104-06-vnet2 to access az104-06-vnet01 | **Ensure the box is checked (default)** |
- | Allow az104-06-vnet2 to receive forwarded traffic from az104-06-vnet01 | **Ensure the box is checked** |
-
- >**Note**: Wait for the operation to complete.
-
- >**Note**: This step establishes two local peerings - one from az104-06-vnet01 to az104-06-vnet2 and the other from az104-06-vnet2 to az104-06-vnet01.
-
-1. On the **az104-06-vnet01** virtual network blade, in the **Settings** section, click **Peerings** and then click **+ Add**.
-
-1. Add a peering with the following settings (leave others with their default values) and click **Add**:
-
- | Setting | Value |
- | --- | --- |
- | This virtual network: Peering link name | **az104-06-vnet01_to_az104-06-vnet3** |
- | Allow 'az104-06-vnet01' to access the peered virtual network | **Ensure the box is checked (default)** |
- | Allow gateway in 'az104-06-vnet01' to forward traffic to the peered virtual network | **Ensure the box is checked** |
- | Remote virtual network: Peering link name | **az104-06-vnet3_to_az104-06-vnet01** |
- | Virtual network deployment model | **Resource manager** |
- | I know my resource ID | enabled |
- | Resource ID | The value of resourceID parameter of **az104-06-vnet3** you recorded earlier in this task. |
- | Allow az104-06-vnet3 to access az104-06-vnet01 | **Ensure the box is checked (default)** |
- | Allow az104-06-vnet3 to receive forwarded traffic from az104-06-vnet01 | **Ensure the box is checked** |
-
-
- >**Note**: Wait for the operation to complete.
-
- >**Note**: This step establishes two local peerings - one from az104-06-vnet01 to az104-06-vnet3 and the other from az104-06-vnet3 to az104-06-vnet01. This completes setting up the hub and spoke topology (with two spoke virtual networks).
-
-## Task 3: Test transitivity of virtual network peering
-
-In this task, you will test transitivity of virtual network peering by using Network Watcher.
-
-1. In the Azure portal, search for and select **Network Watcher**.
-
-1. On the **Network Watcher** blade, expand the listing of Azure regions and verify the service is enabled in region you are using.
-
-1. On the **Network Watcher** blade, navigate to the **Connection troubleshoot**.
-
-1. On the **Network Watcher - Connection troubleshoot** blade, initiate a check with the following settings (leave others with their default values):
-
- > **Note**: It may take a few minutes for the resource group to be listed. If you don't want to wait, try this: delete the Network Watcher, create a new Network Watcher, and then retry Connection Troubleshoot.
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-06-rg1** |
- | Source type | **Virtual machine** |
- | Virtual machine | **az104-06-vm0** |
- | Destination | **Specify manually** |
- | URI, FQDN or IPv4 | **10.62.0.4** |
- | Protocol | **TCP** |
- | Destination Port | **3389** |
-
- > **Note**: **10.62.0.4** represents the private IP address of **az104-06-vm2**
-
-1. Click **Run diagnostic tests** and wait until results of the connectivity check are returned. Verify that the status is **Success**. Review the network path and note that the connection was direct, with no intermediate hops in between the VMs.
-
- > **Note**: This is expected, since the hub virtual network is peered directly with the first spoke virtual network.
-
-1. On the **Network Watcher - Connection troubleshoot** blade, initiate a check with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-06-rg1** |
- | Source type | **Virtual machine** |
- | Virtual machine | **az104-06-vm0** |
- | Destination | **Specify manually** |
- | URI, FQDN or IPv4 | **10.63.0.4** |
- | Protocol | **TCP** |
- | Destination Port | **3389** |
-
- > **Note**: **10.63.0.4** represents the private IP address of **az104-06-vm3**
-
-1. Click **Run diagnostic tests** and wait until results of the connectivity check are returned. Verify that the status is **Success**. Review the network path and note that the connection was direct, with no intermediate hops in between the VMs.
-
- > **Note**: This is expected, since the hub virtual network is peered directly with the second spoke virtual network.
-
-1. On the **Network Watcher - Connection troubleshoot** blade, initiate a check with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-06-rg1** |
- | Source type | **Virtual machine** |
- | Virtual machine | **az104-06-vm2** |
- | Destination | **Specify manually** |
- | URI, FQDN or IPv4 | **10.63.0.4** |
- | Protocol | **TCP** |
- | Destination Port | **3389** |
-
-1. Click **Run diagnostic tests** and wait until results of the connectivity check are returned. Note that the status is **Fail**.
-
- > **Note**: This is expected, since the two spoke virtual networks are not peered with each other (virtual network peering is not transitive).
-
-## Task 4: Configure routing in the hub and spoke topology
-
-In this task, you will configure and test routing between the two spoke virtual networks by enabling IP forwarding on the network interface of the **az104-06-vm0** virtual machine, enabling routing within its operating system, and configuring user-defined routes on the spoke virtual network.
-
-1. In the Azure portal, search and select **Virtual machines**.
-
-1. On the **Virtual machines** blade, in the list of virtual machines, click **az104-06-vm0**.
-
-1. On the **az104-06-vm0** virtual machine blade, in the **Settings** section, click **Networking**.
-
-1. Click the **az104-06-nic0** link next to the **Network interface** label, and then, on the **az104-06-nic0** network interface blade, in the **Settings** section, click **IP configurations**.
-
-1. Set **IP forwarding** to **Enabled** and save the change.
-
- > **Note**: This setting is required in order for **az104-06-vm0** to function as a router, which will route traffic between two spoke virtual networks.
-
- > **Note**: Now you need to configure operating system of the **az104-06-vm0** virtual machine to support routing.
-
-1. In the Azure portal, navigate back to the **az104-06-vm0** Azure virtual machine blade and click **Overview**.
-
-1. On the **az104-06-vm0** blade, in the **Operations** section, click **Run command**, and, in the list of commands, click **RunPowerShellScript**.
-
-1. On the **Run Command Script** blade, type the following and click **Run** to install the Remote Access Windows Server role.
-
- ```powershell
- Install-WindowsFeature RemoteAccess -IncludeManagementTools
- ```
-
- > **Note**: Wait for the confirmation that the command completed successfully.
-
-1. On the **Run Command Script** blade, type the following and click **Run** to install the Routing role service.
-
- ```powershell
- Install-WindowsFeature -Name Routing -IncludeManagementTools -IncludeAllSubFeature
-
- Install-WindowsFeature -Name "RSAT-RemoteAccess-Powershell"
-
- Install-RemoteAccess -VpnType RoutingOnly
-
- Get-NetAdapter | Set-NetIPInterface -Forwarding Enabled
- ```
-
- > **Note**: Wait for the confirmation that the command completed successfully.
-
- > **Note**: Now you need to create and configure user defined routes on the spoke virtual networks.
-
-1. In the Azure portal, search and select **Route tables** and, on the **Route tables** blade, click **+ Create**.
-
-1. Create a route table with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-06-rg1** |
- | Location | the name of the Azure region in which you created the virtual networks |
- | Name | **az104-06-rt23** |
- | Propagate gateway routes | **No** |
-
-1. Click **Review and Create**. Let validation occur, and click **Create** to submit your deployment.
-
- > **Note**: Wait for the route table to be created. This should take about 3 minutes.
-
-1. Click **Go to resource**.
-
-1. On the **az104-06-rt23** route table blade, in the **Settings** section, click **Routes**, and then click **+ Add**.
-
-1. Add a new route with the following settings:
-
- | Setting | Value |
- | --- | --- |
- | Route name | **az104-06-route-vnet2-to-vnet3** |
- | Address prefix destination | **IP Addresses** |
- | Destination IP addresses/CIDR ranges | **10.63.0.0/20** |
- | Next hop type | **Virtual appliance** |
- | Next hop address | **10.60.0.4** |
-
-1. Click **Add**
-
-1. Back on the **az104-06-rt23** route table blade, in the **Settings** section, click **Subnets**, and then click **+ Associate**.
-
-1. Associate the route table **az104-06-rt23** with the following subnet:
-
- | Setting | Value |
- | --- | --- |
- | Virtual network | **az104-06-vnet2** |
- | Subnet | **subnet0** |
-
-1. Click **Add**
-
-1. Navigate back to **Route tables** blade and click **+ Create**.
-
-1. Create a route table with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-06-rg1** |
- | Region | the name of the Azure region in which you created the virtual networks |
- | Name | **az104-06-rt32** |
- | Propagate gateway routes | **No** |
-
-1. Click Review and Create. Let validation occur, and hit Create to submit your deployment.
-
- > **Note**: Wait for the route table to be created. This should take about 3 minutes.
-
-1. Click **Go to resource**.
-
-1. On the **az104-06-rt32** route table blade, in the **Settings** section, click **Routes**, and then click **+ Add**.
-
-1. Add a new route with the following settings:
-
- | Setting | Value |
- | --- | --- |
- | Route name | **az104-06-route-vnet3-to-vnet2** |
- | Address prefix destination | **IP Addresses** |
- | Destination IP addresses/CIDR ranges | **10.62.0.0/20** |
- | Next hop type | **Virtual appliance** |
- | Next hop address | **10.60.0.4** |
-
-1. Click **OK**
-
-1. Back on the **az104-06-rt32** route table blade, in the **Settings** section, click **Subnets**, and then click **+ Associate**.
-
-1. Associate the route table **az104-06-rt32** with the following subnet:
-
- | Setting | Value |
- | --- | --- |
- | Virtual network | **az104-06-vnet3** |
- | Subnet | **subnet0** |
-
-1. Click **OK**
-
-1. In the Azure portal, navigate back to the **Network Watcher - Connection troubleshoot** blade.
-
-1. On the **Network Watcher - Connection troubleshoot** blade, use the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-06-rg1** |
- | Source type | **Virtual machine** |
- | Virtual machine | **az104-06-vm2** |
- | Destination | **Specify manually** |
- | URI, FQDN or IPv4 | **10.63.0.4** |
- | Protocol | **TCP** |
- | Destination Port | **3389** |
-
-1. Click **Run diagnostic tests** and wait until results of the connectivity check are returned. Verify that the status is **Success**. Review the network path and note that the traffic was routed via **10.60.0.4**, assigned to the **az104-06-nic0** network adapter. If status is **Fail**, you should stop and then start az104-06-vm0.
-
- > **Note**: This is expected, since the traffic between spoke virtual networks is now routed via the virtual machine located in the hub virtual network, which functions as a router.
-
- > **Note**: You can use **Network Watcher** to view topology of the network.
-
-## Task 5: Implement Azure Load Balancer
-
-In this task, you will implement an Azure Load Balancer in front of the two Azure virtual machines in the hub virtual network.
-
-1. In the Azure portal, search for and select **Load balancers** and, on the **Load balancers** blade, click **+ Create**.
-
-1. Create a load balancer with the following settings (leave others with their default values) then click **Next : Frontend IP configuration**:
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-06-rg4** (if necessary create) |
- | Name | **az104-06-lb4** |
- | Region | name of the Azure region into which you deployed all other resources in this lab |
+ | Subscription | your Azure subscription |
+ | Resource group | **az104-rg6** |
+ | Name | `az104-lb` |
+ | Region | The **same** region that you deployed the VMs |
| SKU | **Standard** |
| Type | **Public** |
- | Tier | **Regional** |
-
+ | Tier | **Regional** |
+
+ 
+
1. On the **Frontend IP configuration** tab, click **Add a frontend IP configuration** and use the following settings:
-
+
| Setting | Value |
| --- | --- |
- | Name | **az104-06-fe4** |
+ | Name | `az104-fe` |
| IP type | IP address |
- | Public IP address | Select **Create new** |
| Gateway Load Balancer | None |
-
-1. On the **Add a public IP address** popup, use the following settings before clicking **OK** and then **Add**. When completed click **Next: Backend pools**.
-
+ | Public IP address | Select **Create new** (use the instructions in the next step) |
+
+1. On the **Add a public IP address** popup, use the following settings before clicking **OK** and then **Add**. When completed click **Next: Backend pools**.
+
| Setting | Value |
| --- | --- |
- | Name | **az104-06-pip4** |
+ | Name | `az104-lbpip` |
| SKU | Standard |
| Tier | Regional |
| Assignment | Static |
| Routing Preference | **Microsoft network** |
-1. On the **Backend pools** tab, click **Add a backend pool** with the following settings (leave others with their default values). Click **+ Add** (twice) and then click **Next:Inbound rules**.
+ >**Note:** The Standard SKU provides a static IP address. Static IP addresses are assigned with the resource is created and released when the resource is deleted.
+
+1. On the **Backend pools** tab, click **Add a backend pool** with the following settings (leave others with their default values). Click **+ Add** (twice) and then click **Next: Inbound rules**.
| Setting | Value |
| --- | --- |
- | Name | **az104-06-lb4-be1** |
- | Virtual network | **az104-06-vnet01** |
- | Backend Pool Configuration | **NIC** |
- | IP Version | **IPv4** |
- | Click **Add** to add a virtual machine | |
+ | Name | `az104-be` |
+ | Virtual network | **az104-06-vnet1** |
+ | Backend Pool Configuration | **NIC** |
+ | Click **Add** to add a virtual machine | |
| az104-06-vm0 | **check the box** |
| az104-06-vm1 | **check the box** |
+1. As you have time, review the other tabs, then click **Review and create**. Ensure there are no validation errors, then click **Create**.
-1. On the **Inbound rules** tab, click **Add a load balancing rule**. Add a load balancing rule with the following settings (leave others with their default values). When completed click **Add**.
+1. Wait for the load balancer to deploy then click **Go to resource**.
+
+**Add a rule to determine how incoming traffic is distributed**
+
+1. In the **Settings** blade, select **Load balancing rules**.
+
+1. Select **Add a load balancing rule**. Add a load balancing rule with the following settings (leave others with their default values). As you configure the rule use the informational icons to learn about each setting. When finished click **Save**.
| Setting | Value |
| --- | --- |
- | Name | **az104-06-lb4-lbrule1** |
+ | Name | `az104-lbrule` |
| IP Version | **IPv4** |
- | Frontend IP Address | **az104-06-fe4** |
- | Backend pool | **az104-06-lb4-be1** |
- | Protocol | **TCP** |
- | Port | **80** |
- | Backend port | **80** |
- | Health probe | **Create new** |
- | Name | **az104-06-lb4-hp1** |
+ | Frontend IP Address | **az104-fe** |
+ | Backend pool | **az104-be** |
| Protocol | **TCP** |
- | Port | **80** |
- | Interval | **5** |
- | Close the create health probe window | **OK** |
+ | Port | `80` |
+ | Backend port | `80` |
+ | Health probe | **Create new** |
+ | Name | `az104-hp` |
+ | Protocol | **TCP** |
+ | Port | `80` |
+ | Interval | `5` |
+ | Close the create health probe window | **Save** |
| Session persistence | **None** |
- | Idle timeout (minutes) | **4** |
+ | Idle timeout (minutes) | `4` |
| TCP reset | **Disabled** |
| Floating IP | **Disabled** |
- | Outbound source network address translation (SNAT) | **Recommended** |
+ | Outbound source network address translation (SNAT) | **Recommended** |
-1. As you have time, review the other tabs, then click **Review and create**. Ensure there are no validation errors, then click **Create**.
-
-1. Wait for the load balancer to deploy then click **Go to resource**.
-
-1. Select **Frontend IP configuration** from the Load Balancer resource page. Copy the IP address.
+1. Select **Frontend IP configuration** from the Load Balancer page. Copy the public IP address.
1. Open another browser tab and navigate to the IP address. Verify that the browser window displays the message **Hello World from az104-06-vm0** or **Hello World from az104-06-vm1**.
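Review bot: Task 1 contradicts itself on what the template deploys. The intro says "one virtual network, one network security group, and two virtual machines", while the closing note says "one virtual network with three subnets. Each subnet will have a virtual machine", which implies three. State the actual VM count in both places, since Task 2 then asks the student to tick only az104-06-vm0 and az104-06-vm1 in the backend pool. Structure: `## Architecture diagram - Load Balancer` is added at the same heading level as `## Task 2: Configure an Azure Load Balancer`, so the numbered steps now sit under the diagram heading instead of the task; make it a lower-level heading or plain bold text. Wording fixes in the added lines: "Build you own template in the editor" should read "Build your own template in the editor", "Create and configure and Azure load balancer" should read "an Azure load balancer", "lets you to click through" should read "lets you click through", and "assigned with the resource is created" should read "assigned when the resource is created". The resource group is written as `az104-rg6` in code formatting in Task 1 and as bold **az104-rg6** in the load balancer table; pick one convention for values the student types.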
@@ -487,138 +167,174 @@ In this task, you will implement an Azure Load Balancer in front of the two Azur
> **Note**: You may need to refresh more than once or open a new browser window in InPrivate mode.
-## Task 6: Implement Azure Application Gateway
+## Task 3: Configure an Azure Application Gateway
-In this task, you will implement an Azure Application Gateway in front of the two Azure virtual machines in the spoke virtual networks.
+In this task, you implement an Azure Application Gateway in front of two Azure virtual machines. An Application Gateway provides layer 7 load balancing, Web Application Firewall (WAF), SSL termination, and end-to-end encryption to the resources defined in the backend pool. The Application Gateway routes images to one virtual machine and videos to the other virtual machine.
-1. In the Azure portal, search and select **Virtual networks**.
+## Architecture diagram - Application Gateway
-1. On the **Virtual networks** blade, in the list of virtual networks, click **az104-06-vnet01**.
+>**Note**: This Application Gateway is working in the same virtual network as the Load Balancer. This may not be typical in a production environment.
-1. On the **az104-06-vnet01** virtual network blade, in the **Settings** section, click **Subnets**, and then click **+ Subnet**.
+
-1. Add a subnet with the following settings (leave others with their default values):
+1. In the Azure portal, search and select `Virtual networks`.
+
+1. On the **Virtual networks** blade, in the list of virtual networks, click **az104-vnet1**.
+
+1. On the **az104-vnet1** virtual network blade, in the **Settings** section, click **Subnets**, and then click **+ Subnet**.
+
+1. Add a subnet with the following settings (leave others with their default values).
| Setting | Value |
| --- | --- |
- | Name | **subnet-appgw** |
- | Subnet address range | **10.60.3.224/27** |
+ | Name | `subnet-appgw` |
+ | Subnet address range | `10.60.3.224/27` |
1. Click **Save**
- > **Note**: This subnet will be used by the Azure Application Gateway instances, which you will deploy later in this task. The Application Gateway requires a dedicated subnet of /27 or larger size.
+ > **Note**: This subnet will be used by the Azure Application Gateway. The Application Gateway requires a dedicated subnet of /27 or larger size.
-1. In the Azure portal, search and select **Application Gateways** and, on the **Application Gateways** blade, click **+ Create**.
+1. In the Azure portal, search and select `Application Gateways` and, on the **Application Gateways** blade, click **+ Create**.
1. On the **Basics** tab, specify the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-06-rg5** (create new) |
- | Application gateway name | **az104-06-appgw5** |
- | Region | name of the Azure region into which you deployed all other resources in this lab |
+ | Subscription | your Azure subscription |
+ | Resource group | `az104-rg6` |
+ | Application gateway name | `az104-appgw` |
+ | Region | The **same** Azure region that you used in Task 1 |
| Tier | **Standard V2** |
| Enable autoscaling | **No** |
- | Instance count | **2** |
- | Availability zone | **None** |
+ | Minimum instance count | `2` |
+ | Availability zone | **None** |
| HTTP2 | **Disabled** |
- | Virtual network | **az104-06-vnet01** |
+ | Virtual network | **az104-06-vnet1** |
| Subnet | **subnet-appgw (10.60.3.224/27)** |
-1. Click **Next: Frontends >** and specify the following settings (leave others with their default values). When complete, click **OK**.
+ 
+
+1. Click **Next: Frontends >** and specify the following settings (leave others with their default values). When complete, click **OK**.
| Setting | Value |
| --- | --- |
| Frontend IP address type | **Public** |
- | Public IP address| **Add new** |
- | Name | **az104-06-pip5** |
- | Availability zone | **None** |
+ | Public IP address| **Add new** |
+ | Name | `az104-gwpip` |
+ | Availability zone | **None** |
+ >**Note:** The Application Gateway can have both a public and private IP address.
+
1. Click **Next: Backends >** and then **Add a backend pool**. Specify the following settings (leave others with their default values). When completed click **Add**.
| Setting | Value |
| --- | --- |
- | Name | **az104-06-appgw5-be1** |
+ | Name | `az104-appgwbe` |
| Add backend pool without targets | **No** |
- | IP address or FQDN | **10.62.0.4** |
- | IP address or FQDN | **10.63.0.4** |
+ | Virtual machine | **az104-rg6-nic1 (10.60.1.4)** |
+ | Virtual machine | **az104-rg6-nic2 (10.60.2.4)** |
- > **Note**: The targets represent the private IP addresses of virtual machines in the spoke virtual networks **az104-06-vm2** and **az104-06-vm3**.
-
-1. Click **Next: Configuration >** and then **+ Add a routing rule**. Specify the following settings:
+1. Click **Add a backend pool**. This is the backend pool for **images**. Specify the following settings (leave others with their default values). When completed click **Add**.
| Setting | Value |
| --- | --- |
- | Rule name | **az104-06-appgw5-rl1** |
- | Priority | **10** |
- | Listener name | **az104-06-appgw5-rl1l1** |
+ | Name | `az104-imagebe` |
+ | Add backend pool without targets | **No** |
+ | Virtual machine | **az104-rg6-nic1 (10.60.1.4)** |
+
+1. Click **Add a backend pool**. This is the backend pool for **video**. Specify the following settings (leave others with their default values). When completed click **Add**.
+
+ | Setting | Value |
+ | --- | --- |
+ | Name | `az104-videobe` |
+ | Add backend pool without targets | **No** |
+ | Virtual machine | **az104-rg6-nic2 (10.60.2.4)** |
+
+1. Select **Next: Configuration** and then **Add routing rules**. Complete the information.
+
+ | Setting | Value |
+ | --- | --- |
+ | Rule name | `az104-gwrule` |
+ | Priority | `10` |
+ | Listener name | `az104-listener` |
| Frontend IP | **Public** |
| Protocol | **HTTP** |
- | Port | **80** |
+ | Port | `80` |
| Listener type | **Basic** |
- | Error page url | **No** |
-1. Switch to the **Backend targets** tab and specify the following settings (leave others with their default values). When completed click **Add** (twice).
+1. Move to the **Backend targets** tab. Select **Add** after completing the basic information.
+
+ | Setting | Value |
+ | --- | --- |
+ | Backend target | `az104-appgwbe` |
+ | Backend settings | `az104-http` (create new) |
+
+ >**Note:** Take a minute to read the information about **Cookie-based affinity** and **Connection draining**.
+
+1. In the **Path based routing** section, select **Add multiple targets to create a path-based rule**. You will create two rules. Click **Add** after the first rule and then add the second rule.
+
+ **Rule - routing to the images backend**
| Setting | Value |
| --- | --- |
- | Target type | **Backend pool** |
- | Backend target | **az104-06-appgw5-be1** |
- | Backend settings | **Add new** |
- | Backend settings name | **az104-06-appgw5-http1** |
- | Backend protocol | **HTTP** |
- | Backend port | **80** |
- | Additional settings | **take the defaults** |
- | Host name | **take the defaults** |
+ | Path | `/image/*` |
+ | Target name | `images` |
+ | Backend settings | **az104-http** |
+ | Backend target | `az104-imagebe` |
-1. Click **Next: Tags >**, followed by **Next: Review + create >** and then click **Create**.
+ **Rule - routing to the videos backend**
- > **Note**: Wait for the Application Gateway instance to be created. This might take about 8 minutes.
+ | Setting | Value |
+ | --- | --- |
+ | Path | `/video/*` |
+ | Target name | `videos` |
+ | Backend settings | **az104-http** |
+ | Backend target | `az104-videobe` |
-1. In the Azure portal, search and select **Application Gateways** and, on the **Application Gateways** blade, click **az104-06-appgw5**.
+1. Select **Add** twice then select **Next: Tags >**. No changes are needed.
-1. On the **az104-06-appgw5** Application Gateway blade, copy the value of the **Frontend public IP address**.
+1. Select **Next: Review + create >** and then click **Create**.
-1. Start another browser window and navigate to the IP address you identified in the previous step.
+ > **Note**: Wait for the Application Gateway instance to be created. This will take approximately 5-10 minutes. While you wait consider reviewing some of the self-paced training links at the end of this page.
-1. Verify that the browser window displays the message **Hello World from az104-06-vm2** or **Hello World from az104-06-vm3**.
+1. After the application gateway deploys, search for and select **az104-appgw**.
-1. Refresh the window to verify the message changes to the other virtual machine.
+1. In the **Application Gateway** resource, in the **Monitoring** section, select **Backend health**.
- > **Note**: You may need to refresh more than once or open a new browser window in InPrivate mode.
+1. Ensure both servers in the backend pool display **Healthy**.
- > **Note**: Targeting virtual machines on multiple virtual networks is not a common configuration, but it is meant to illustrate the point that Application Gateway is capable of targeting virtual machines on multiple virtual networks (as well as endpoints in other Azure regions or even outside of Azure), unlike Azure Load Balancer, which load balances across virtual machines in the same virtual network.
+1. On the **Overview** blade, copy the value of the **Frontend public IP address**.
-## Clean up resources
+1. Start another browser window and test this URL - `http:///image/`.
->**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
+1. Verify you are directed to the image server (vm1).
->**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
+1. Start another browser window and test this URL - `http:///video/`.
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
+1. Verify you are directed to the video server (vm2).
-1. List all resource groups created throughout the labs of this module by running the following command:
+> **Note**: You may need to refresh more than once or open a new browser window in InPrivate mode.
- ```powershell
- Get-AzResourceGroup -Name 'az104-06*'
- ```
+## Cleanup your resources
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
- ```powershell
- Get-AzResourceGroup -Name 'az104-06*' | Remove-AzResourceGroup -Force -AsJob
- ```
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
+
+## Key takeaways
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
+Congratulations on completing the lab. Here are the main takeaways for this lab.
-## Review
++ Azure Load Balancer is an excellent choice for distributing network traffic across multiple virtual machines at the transport layer (OSI layer 4 - TCP and UDP).
++ Public Load Balancers are used to load balance internet traffic to your VMs. An internal (or private) load balancer is used where private IPs are needed at the frontend only.
++ The Basic load balancer is for small-scale applications that don't need high availability or redundancy. The Standard load balancer is for high performance and ultra-low latency.
++ Azure Application Gateway is a web traffic (OSI layer 7) load balancer that enables you to manage traffic to your web applications.
++ The Application Gateway Standard tier offers all the L7 functionality, including load balancing, The WAF tier adds a firewall to check for malicious traffic.
++ An Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers.
-In this lab, you have:
+## Learn more with self-paced training
-+ Provisioned the lab environment
-+ Configured the hub and spoke network topology
-+ Tested transitivity of virtual network peering
-+ Configuref routing in the hub and spoke topology
-+ Implemented Azure Load Balancer
-+ Implemented Azure Application Gateway
++ [Improve application scalability and resiliency by using Azure Load Balancer](https://learn.microsoft.com/training/modules/improve-app-scalability-resiliency-with-load-balancer/). Discuss the different load balancers in Azure and how to choose the right Azure load balancer solution to meet your requirements.
++ [Load balance your web service traffic with Application Gateway](https://learn.microsoft.com/training/modules/load-balance-web-traffic-with-application-gateway/). Improve application resilience by distributing load across multiple servers and use path-based routing to direct web traffic.
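Review bot: In the Task 3 **Basics** table, the added row `| Virtual network | **az104-06-vnet1** |` names a network that the preceding steps never use. The subnet `subnet-appgw` is created on **az104-vnet1**, so the table value should be `az104-vnet1` to match. Further points in the same hunk:

- The verification steps give the test URLs as `http:///image/` and `http:///video/`, with nothing between the scheme and the path. Each should carry an explicit placeholder for the frontend public IP address copied in the previous step.
- The routing rule adds a listener with Protocol **HTTP** on port `80` on a **Public** frontend, while the task introduction lists SSL termination and end-to-end encryption as Application Gateway features. A short note that the lab uses plain HTTP for simplicity would keep readers from treating the setting as a recommended configuration.
- The `az104-http` (create new) backend settings row no longer states the backend protocol and port that the removed table listed. Say whether the defaults are intended.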
diff --git a/Instructions/Labs/LAB_07-Manage_Azure_Storage.md b/Instructions/Labs/LAB_07-Manage_Azure_Storage.md
index 8fa013c5..7b1c91fa 100644
--- a/Instructions/Labs/LAB_07-Manage_Azure_Storage.md
+++ b/Instructions/Labs/LAB_07-Manage_Azure_Storage.md
@@ -5,334 +5,257 @@ lab:
---
# Lab 07 - Manage Azure Storage
-# Student lab manual
+
+## Lab introduction
+
+In this lab you learn to create storage accounts for Azure blobs and Azure files. You learn to configure and secure blob containers. You also learn to use Storage Browser to configure and secure Azure file shares.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated timing: 50 minutes
## Lab scenario
-You need to evaluate the use of Azure storage for storing files residing currently in on-premises data stores. While majority of these files are not accessed frequently, there are some exceptions. You would like to minimize cost of storage by placing less frequently accessed files in lower-priced storage tiers. You also plan to explore different protection mechanisms that Azure Storage offers, including network access, authentication, authorization, and replication. Finally, you want to determine to what extent Azure Files service might be suitable for hosting your on-premises file shares.
+Your organization is currently storing data in on-premises data stores. Most of these files are not accessed frequently. You would like to minimize the cost of storage by placing infrequently accessed files in lower-priced storage tiers. You also plan to explore different protection mechanisms that Azure Storage offers, including network access, authentication, authorization, and replication. Finally, you want to determine to what extent Azure Files is suitable for hosting your on-premises file shares.
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2011)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
+## Interactive lab simulations
-## Objectives
+There are interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
-In this lab, you will:
-
-+ Task 1: Provision the lab environment
-+ Task 2: Create and configure Azure Storage accounts
-+ Task 3: Manage blob storage
-+ Task 4: Manage authentication and authorization for Azure Storage
-+ Task 5: Create and configure an Azure Files shares
-+ Task 6: Manage network access for Azure Storage
-
-## Estimated timing: 40 minutes
++ [Create blob storage](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%205). Create a storage account, manage blob storage, and monitor storage activities.
+
++ [Manage Azure storage](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2011). Create a storage account and review the configuration. Manage blob storage containers. Configure storage networking.
## Architecture diagram
-
+
+## Job skills
-### Instructions
++ Task 1: Create and configure a storage account.
++ Task 2: Create and configure secure blob storage.
++ Task 3: Create and configure secure Azure file storage.
-## Exercise 1
+## Task 1: Create and configure a storage account.
-## Task 1: Provision the lab environment
+In this task, you will create and configure a storage account. The storage account will use geo-redundant storage and will not have public access.
-In this task, you will deploy an Azure virtual machine that you will use later in this lab.
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. Sign in to the **[Azure portal](https://portal.azure.com)**.
+1. Search for and select `Storage accounts`, and then click **+ Create**.
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
+1. On the **Basics** tab of the **Create a storage account** blade, specify the following settings (leave others with their default values):
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+ | Setting | Value |
+ | --- | --- |
+ | Subscription | the name of your Azure subscription |
+ | Resource group | **az104-rg7** (create new) |
+ | Storage account name | any globally unique name between 3 and 24 in length consisting of letters and digits |
+ | Region | **(US) East US** |
+ | Performance | **Standard** (notice the Premium option) |
+ | Redundancy | **Geo-redundant storage** (notice the other options)|
+ | Make read access to data in the event of regional availability | Check the box |
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
+>**Did you know?** You should use the Standard performance tier for most applications. Use the Premium performance tier for enterprise or high-performance applications.
-1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the files **\\Allfiles\\Labs\\07\\az104-07-vm-template.json** and **\\Allfiles\\Labs\\07\\az104-07-vm-parameters.json** into the Cloud Shell home directory.
+1. On the **Advanced** tab, use the informational icons to learn more about the choices. Take the defaults.
-1. From the Cloud Shell pane, run the following to create the resource group that will be hosting the virtual machine (replace the '[Azure_region]' placeholder with the name of an Azure region where you intend to deploy the Azure virtual machine)
+1. On the **Networking** tab, review the available options, select **Disable public access and use private access.**.
- >**Note**: To list the names of Azure regions, run `(Get-AzLocation).Location`
- >**Note**: Each command below should be typed separately
+1. Review the **Data protection** tab. Notice 7 days is the default soft delete retention policy. Note you can enable blob versioning. Accept the defaults.
- ```powershell
- $location = '[Azure_region]'
- ```
+1. Review the **Encryption** tab. Notice the additional security options. Accept the defaults.
+
+1. Select **Review**, wait for the validation process to complete, and then click **Create**.
+
+1. Once the storage account is deployed, select **Go to resource**.
+
+1. Review the **Overview** blade and the additional configurations that can be changed. These are global settings for the storage account. Notice the storage account can be used for Blob containers, File shares, Queues, and Tables.
+
+1. In the **Security + Networking** section, select **Networking**. Notice public network access is disabled.
+
+ + Change the **public access level** to **Enabled from selected virtual networks and IP addresses**.
+ + In the **Firewall** section, check the box for **Add your client IP address.**
+ + Be sure to **Save** your changes.
- ```powershell
- $rgName = 'az104-07-rg0'
- ```
+1. In the **Data management** section, view the **Redundancy** blade. Notice the information about your primary and secondary data center locations.
- ```powershell
- New-AzResourceGroup -Name $rgName -Location $location
- ```
+1. In the **Data management** section, select **Lifecycle management**, and then select **Add a rule**.
+
+ + **Name** the rule `Movetocool`. Notice your options for limiting the scope of the rule.
-1. From the Cloud Shell pane, run the following to deploy the virtual machine by using the uploaded template and parameter files:
+ + On the **Base blobs** tab, *if* based blobs were last modified more than `30 days` ago *then* **move to cool storage**. Notice your other choices.
+
+ + Notice you can configure other conditions. Select **Add** when you are done exploring.
- >**Note**: You will be prompted to provide an Admin password.
+ 
- ```powershell
- New-AzResourceGroupDeployment `
- -ResourceGroupName $rgName `
- -TemplateFile $HOME/az104-07-vm-template.json `
- -TemplateParameterFile $HOME/az104-07-vm-parameters.json `
- -AsJob
- ```
+## Task 2: Create and configure secure blob storage
- >**Note**: Do not wait for the deployments to complete, but proceed to the next task.
+In this task, you will create a blob container and upload an image. Blob containers are directory-like structures that store unstructured data.
- >**Note**: If you got an error stating the VM size is not available please ask your instructor for assistance and try these steps.
- > 1. Click on the `{}` button in your CloudShell, select the **az104-07-vm-parameters.json** from the left hand side bar and take a note of the `vmSize` parameter value.
- > 1. Check the location in which the 'az104-04-rg1' resource group is deployed. You can run `az group show -n az104-04-rg1 --query location` in your CloudShell to get it.
- > 1. Run `az vm list-skus --location -o table --query "[? contains(name,'Standard_D2s')].name"` in your CloudShell.
- > 1. Replace the value of `vmSize` parameter with one of the values returned by the command you just run.
- > 1. Now redeploy your templates by running the `New-AzResourceGroupDeployment` command again. You can press the up button a few times which would bring the last executed command.
+### Create a blob container and a time-based retention policy
-1. Close the Cloud Shell pane.
+1. Continue in the Azure portal, working with your storage account.
-## Task 2: Create and configure Azure Storage accounts
+1. In the **Data storage** section, click **Containers**.
-In this task, you will create and configure an Azure Storage account.
-
-1. In the Azure portal, search for and select **Storage accounts**, and then click **+ Create**.
-
-1. On the **Basics** tab of the **Create storage account** blade, specify the following settings (leave others with their default values):
+1. Click **+ Container** and **Create** a container with the following settings:
| Setting | Value |
| --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | the name of a **new** resource group **az104-07-rg1** |
- | Storage account name | any globally unique name between 3 and 24 in length consisting of letters and digits |
- | Region | the name of an Azure region where you can create an Azure Storage account |
- | Performance | **Standard** |
- | Redundancy | **Geo-redundant storage (GRS)** |
+ | Name | `data` |
+ | Public access level | Notice the access level is set to private |
-1. Click **Next: Advanced >**, on the **Advanced** tab of the **Create storage account** blade, review the available options, accept the defaults, and click **Next: Networking >**.
+ 
-1. On the **Networking** tab of the **Create storage account** blade, review the available options, accept the default option **Enable public access from all networks** and click **Next: Data protection >**.
+1. On your container, scroll to the ellipsis (...) on the far right, select **Access Policy**.
-1. On the **Data protection** tab of the **Create storage account** blade, review the available options, accept the defaults, click **Review + Create**, wait for the validation process to complete and click **Create**.
-
- >**Note**: Wait for the Storage account to be created. This should take about 2 minutes.
-
-1. On the deployment blade, click **Go to resource** to display the Azure Storage account blade.
-
-1. On the Storage account blade, in the **Data management** section, click **Redundancy** and note the secondary location.
-
-1. In the **Redundancy** drop-down list select **Locally redundant storage (LRS)** and save the change. Note, at this point, the Storage account has only the primary location.
-
-1. On the Storage account blade, in the **Settings** section, select **Configuration**. Set **Blob access tier (default)** to **Cool**, and save the change.
-
- > **Note**: The cool access tier is optimal for data which is not accessed frequently.
-
-## Task 3: Manage blob storage
-
-In this task, you will create a blob container and upload a blob into it.
-
-1. On the Storage account blade, in the **Data storage** section, click **Containers**.
-
-1. Click **+ Container** and create a container with the following settings:
+1. In the **Immutable blob storage** area, select **Add policy**.
| Setting | Value |
| --- | --- |
- | Name | **az104-07-container** |
- | Public access level | **Private (no anonymous access)** |
+ | Policy type | **Time-based retention** |
+ | Set retention period for | `180` days |
-1. In the list of containers, click **az104-07-container** and then click **Upload**.
+1. Select **Save**.
-1. Browse to **\\Allfiles\\Labs\\07\\LICENSE** on your lab computer and click **Open**.
+### Manage blob uploads
-1. On the **Upload blob** blade, expand the **Advanced** section and specify the following settings (leave others with their default values):
+1. Return to the containers page, select your **data** container and then click **Upload**.
+
+1. On the **Upload blob** blade, expand the **Advanced** section.
+
+ >**Note**: Locate a file to upload. This can be any type of file, but a small file is best. A sample file can be downloaded from the AllFiles directory.
| Setting | Value |
| --- | --- |
+ | Browse for files | add the file you have selected to upload |
+ | Select **Advanced** | |
| Blob type | **Block blob** |
- | Block size | **4 MB** |
- | Access tier | **Hot** |
- | Upload to folder | **licenses** |
-
- > **Note**: Access tier can be set for individual blobs.
+ | Block size | **4 MiB** |
+ | Access tier | **Hot** (notice the other options) |
+ | Upload to folder | `securitytest` |
+ | Encryption scope | Use existing default container scope |
1. Click **Upload**.
- > **Note**: Note that the upload automatically created a subfolder named **licenses**.
+1. Confirm you have a new folder, and your file was uploaded.
-1. Back on the **az104-07-container** blade, click **licenses** and then click **LICENSE**.
+1. Select your upload file and review the options including **Download**, **Delete**, **Change tier**, and **Acquire lease**.
-1. On the **licenses/LICENSE** blade, review the available options.
-
- > **Note**: You have the option to download the blob, change its access tier (it is currently set to **Hot**), acquire a lease, which would change its lease status to **Locked** (it is currently set to **Unlocked**) and protect the blob from being modified or deleted, as well as assign custom metadata (by specifying an arbitrary key and value pairs). You also have the ability to **Edit** the file directly within the Azure portal interface, without downloading it first. You can also create snapshots, as well as generate a SAS token (you will explore this option in the next task).
-
-## Task 4: Manage authentication and authorization for Azure Storage
-
-In this task, you will configure authentication and authorization for Azure Storage.
-
-1. On the **licenses/LICENSE** blade, on the **Overview** tab, click **Copy to clipboard** button next to the **URL** entry.
-
-1. Open another browser window by using InPrivate mode and navigate to the URL you copied in the previous step.
+1. Copy the file **URL** and paste into a new **Inprivate** browsing window.
1. You should be presented with an XML-formatted message stating **ResourceNotFound** or **PublicAccessNotPermitted**.
> **Note**: This is expected, since the container you created has the public access level set to **Private (no anonymous access)**.
-1. Close the InPrivate mode browser window, return to the browser window showing the **licenses/LICENSE** blade of the Azure Storage container, and switch to the the **Generate SAS** tab.
+### Configure limited access to the blob storage
-1. On the **Generate SAS** tab of the **licenses/LICENSE** blade, specify the following settings (leave others with their default values):
+1. Select your uploaded file and then on the **Generate SAS** tab. You can also use the ellipsis (...) to the far right. Specify the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
| Signing key | **Key 1** |
- | Permissions | **Read** |
+ | Permissions | **Read** (notice your other choices) |
| Start date | yesterday's date |
| Start time | current time |
| Expiry date | tomorrow's date |
| Expiry time | current time |
| Allowed IP addresses | leave blank |
-
1. Click **Generate SAS token and URL**.
-1. Click **Copy to clipboard** button next to the **Blob SAS URL** entry.
+1. Copy the **Blob SAS URL** entry to the clipboard.
-1. Open another browser window by using InPrivate mode and navigate to the URL you copied in the previous step.
+1. Open another InPrivate browser window and navigate to the Blob SAS URL you copied in the previous step.
- > **Note**: You should be able to view the content of the file by downloading it and opening it with Notepad.
+ >**Note**: You should be able to view the content of the file.
- > **Note**: This is expected, since now your access is authorized based on the newly generated the SAS token.
+## Task 3: Create and configure an Azure File storage
- > **Note**: Save the blob SAS URL. You will need it later in this lab.
+In this task, you will create and configure Azure File shares. You will use Storage Browser to manage the file share.
-1. Close the InPrivate mode browser window, return to the browser window showing the **licenses/LICENSE** blade of the Azure Storage container, and from there, navigate back to the **az104-07-container** blade.
+### Create the file share and upload a file
-1. Click the **Switch to the Microsoft Entra User Account** link next to the **Authentication method** label.
+1. In the Azure portal, navigate back to your storage account, in the **Data storage** section, click **File shares**.
- > **Note**: You can see an error when you change the authentication method (the error is *"You do not have permissions to list the data using your user account with Microsoft Entra"*). It is expected.
+1. Click **+ File share** and on the **Basics** tab give the file share a name, `share1`.
- > **Note**: At this point, you do not have permissions to change the Authentication method.
+1. Notice the **Tier** options. Keep the default **Transaction optimized**.
+
+1. Move to the **Backup** tab and ensure **Enable Backup** is **not** checked. We are disabling backup to simplify the lab configuration.
-1. On the **az104-07-container** blade, click **Access Control (IAM)**.
+1. Click **Review + create**, and then **Create**. Wait for the file share to deploy.
-1. On the **Check access** tab, click **Add role assignment**.
+ 
-1. On the **Add role assignment** blade, specify the following settings:
+### Explore Storage Browser and upload a file
- | Setting | Value |
- | --- | --- |
- | Role | **Storage Blob Data Owner** |
- | Assign access to | **User, group, or service principal** |
- | Members | the name of your user account |
+1. Return to your storage account and select **Storage Browser**. The Azure Storage Browser is a portal tool that lets you quickly view all the storage services under your account.
-1. Click **Review + Assign** and then **Review + assign**, and return to the **Overview** blade of the **az104-07-container** container and verify that you can change the Authentication method to (Switch to Microsoft Entra User Account).
+1. Select **File shares** and verify your **share1** directory is present.
- > **Note**: It might take about 5 minutes for the change to take effect.
+1. Select your **share1** directory and notice you can **+ Add directory**. This lets you create a folder structure.
-## Task 5: Create and configure an Azure Files shares
+1. Select **Upload**. Browse to a file of your choice, and then click **Upload**.
-In this task, you will create and configure Azure Files shares.
+ >**Note**: You can view file shares and manage those shares in the Storage Browser. There are currently no restrictions.
-> **Note**: Before you start this task, verify that the virtual machine you provisioned in the first task of this lab is running.
+### Restrict network access to the storage account
-1. In the Azure portal, navigate back to the blade of the storage account you created in the first task of this lab and, in the **Data storage** section, click **File shares**.
+1. In the portal, search for and select **Virtual networks**.
-1. Click **+ File share** and on the **Basics** tab give the file share a name, **az104-07-share**. Review the other settings on this tab.
+1. Select **+ Create**. Select your resource group. and give the virtual network a **name**, `vnet1`.
-1. Move to the **Backup** tab, and ensure **Enable Backup** is **not** checked.
+1. Take the defaults for other parameters, select **Review + create**, and then **Create**.
-1. Click **Review and create**, and then **Create**. Wait for the file share to deploy.
+1. Wait for the virtual network to deploy, and then select **Go to resource**.
-1. Click the newly created file share and note the information available on the **az104-07-share** blade.
+1. In the **Settings** section, select the **Subnets** blade.
+ + Select the **default** subnet.
+ + In the **Service endpoints** section choose **Microsoft.Storage** in the **Services** drop-down.
+ + Do not make any other changes.
+ + Be sure to **Save** your changes.
-1. Click **Browse** and note that there are no files or folders in the new file share. Click **Connect**.
+1. Return to your storage account.
-1. On the **Connect** blade, ensure that the **Windows** tab is selected. Below you will find a button with the label **Show Script**. Click on the button and you will find grey textbox with a script, in the bottom right corner of that box hover over the pages icon and click **Copy to clipboard**.
+1. In the **Security + networking** section, select the **Networking** blade.
-1. In the Azure portal, search for and select **Virtual machines**, and, in the list of virtual machines, click **az104-07-vm0**.
+1. Select **add existing virtual network** and select **vnet1** and **default** subnet, select **Add**.
-1. On the **az104-07-vm0** blade, in the **Operations** section, click **Run command**.
+1. In the **Firewall** section, **Delete** your machine IP address. Allowed traffic should only come from the virtual network.
-1. On the **az104-07-vm0 - Run command** blade, click **RunPowerShellScript**.
+1. Be sure to **Save** your changes.
-1. On the **Run Command Script** blade, paste the script you copied earlier in this task into the **PowerShell Script** pane and click **Run**.
+ >**Note:** The storage account should now only be accessed from the virtual network you just created.
-1. Verify that the script completed successfully.
+1. Select the **Storage browser** and **Refresh** the page. Navigate to your file share or blob content.
-1. Replace the content of the **PowerShell Script** pane with the following script and click **Run**:
+ >**Note:** You should receive a message *not authorized to perform this operation*. You are not connecting from the virtual network. It may take a couple of minutes for this to take effect.
- ```powershell
- New-Item -Type Directory -Path 'Z:\az104-07-folder'
- New-Item -Type File -Path 'Z:\az104-07-folder\az-104-07-file.txt'
- ```
+
-1. Verify that the script completed successfully.
+## Cleanup your resources
-1. Navigate back to the **az104-07-share \| Browse** file share blade, click **Refresh**, and verify that the **az104-07-folder** appears in the list of folders.
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
-1. Click **az104-07-folder** and verify that **az104-07-file.txt** appears in the list of files.
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
-## Task 6: Manage network access for Azure Storage
+## Key takeaways
-In this task, you will configure network access for Azure Storage.
+Congratulations on completing the lab. Here are the main takeaways for this lab.
-1. In the Azure portal, navigate back to the blade of the storage account you created in the first task of this lab and, in the **Security + Networking** section, click **Networking** and then click **Firewalls and virtual networks**.
++ An Azure storage account contains all your Azure Storage data objects: blobs, files, queues, and tables. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS.
++ Azure storage provides several redundancy models including Locally redundant storage (LRS), Zone-redundant storage (ZRS), and Geo-redundant storage (GRS).
++ Azure blob storage allows you to store large amounts of unstructured data on Microsoft's data storage platform. Blob stands for Binary Large Object, which includes objects such as images and multimedia files.
++ Azure file Storage provides shared storage for structured data. The data can be organized in folders.
++ Immutable storage provides the capability to store data in a write once, read many (WORM) state. Immutable storage policies can be time-based or legal-hold.
-1. Click the **Enabled from selected virtual networks and IP addresses** option and review the configuration settings that become available once this option is enabled.
+## Learn more with self-paced training
- > **Note**: You can use these settings to configure direct connectivity between Azure virtual machines on designated subnets of virtual networks and the storage account by using service endpoints.
-
-1. Click the checkbox **Add your client IP address** and save the change.
-
-1. Open another browser window by using InPrivate mode and navigate to the blob SAS URL you generated in the previous task.
-
- > **Note**: If you did not record the SAS URL from task 4, you should generate a new one with the same configuration. Use Task 4 steps 4-6 as a guide for generating a new blob SAS URL.
-
-1. You should be able to download the LICENSE.txt file.
-
- > **Note**: This is expected, since you are connecting from your client IP address.
-
-1. Close the InPrivate mode browser window, return to the browser window showing the **Networking** blade of the Azure Storage account.
-
-1. In the Azure portal, search for and select **Virtual machines**, and, in the list of virtual machines, click **az104-07-vm0**.
-
-1. On the **az104-07-vm0** blade, in the **Operations** section, click **Run command**.
-
-1. On the **Run Command Script** blade, run the following in the **PowerShell Script** pane to attempt downloading of the LICENSE blob from the **az104-07-container** container of the storage account (replace the `[blob SAS URL]` placeholder with the blob SAS URL you generated in the previous task):
-
- ```powershell
- Invoke-WebRequest -URI '[blob SAS URL]'
- ```
-1. Verify that the download attempt failed.
-
- > **Note**: You should receive the message stating **AuthorizationFailure: This request is not authorized to perform this operation**. This is expected, since you are connecting from the IP address assigned to an Azure VM hosting the Cloud Shell instance.
-
-## Clean up resources
-
->**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
-
->**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a long time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going. You might also try to delete the Resource Group where the resources reside. That is a quick Administrator shortcut. If you have concerns speak to your instructor.
-
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
-
-1. List all resource groups created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-07*'
- ```
-
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-07*' | Remove-AzResourceGroup -Force -AsJob
- ```
-
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
-
-## Review
-
-In this lab, you have:
-
-- Provisioned the lab environment
-- Created and configured Azure Storage accounts
-- Managed blob storage
-- Managed authentication and authorization for Azure Storage
-- Created and configured an Azure Files shares
-- Managed network access for Azure Storage
++ [Optimize your cost with Azure Blob Storage](https://learn.microsoft.com/training/modules/optimize-your-cost-azure-blob-storage/). Learn how to optimize your cost with Azure Blob Storage.
++ [Control access to Azure Storage with shared access signatures](https://learn.microsoft.com/training/modules/control-access-to-azure-storage-with-sas/). Grant access to data stored in your Azure Storage accounts securely by using shared access signatures.
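Review bot: In the added "Restrict network access to the storage account" steps, the only verification is the denied request from Storage browser, so nothing confirms that traffic from vnet1 is actually allowed. A student cannot tell a working service-endpoint rule from a storage account that rejects everything. Either state that no resource in vnet1 is available to test the allowed path, or add a short optional check from inside the virtual network. The new steps also go straight to "add existing virtual network" and drop the removed instruction to select "Enabled from selected virtual networks and IP addresses". If an earlier task does not already put the account in that mode, that step needs to come back here. The step "Delete your machine IP address" likewise assumes a client IP rule already exists, so say where it was added. Minor wording: "Select your resource group. and give the virtual network" has a stray period, "Cleanup your resources" should be "Clean up your resources", and "Azure file Storage" in the key takeaways is capitalized inconsistently with "Azure blob storage" above it.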
diff --git a/Instructions/Labs/LAB_08-Manage_Virtual_Machines.md b/Instructions/Labs/LAB_08-Manage_Virtual_Machines.md
index 6f820e9e..d4dada2c 100644
--- a/Instructions/Labs/LAB_08-Manage_Virtual_Machines.md
+++ b/Instructions/Labs/LAB_08-Manage_Virtual_Machines.md
@@ -5,663 +5,428 @@ lab:
---
# Lab 08 - Manage Virtual Machines
-# Student lab manual
-## Lab scenario
+## Lab introduction
-You were tasked with identifying different options for deploying and configuring Azure virtual machines. First, you need to determine different compute and storage resiliency and scalability options you can implement when using Azure virtual machines. Next, you need to investigate compute and storage resiliency and scalability options that are available when using Azure virtual machine scale sets. You also want to explore the ability to automatically configure virtual machines and virtual machine scale sets by using the Azure Virtual Machine Custom Script extension.
+In this lab, you create and compare virtual machines to virtual machine scale sets. You learn how to create, configure and resize a single virtual machine. You learn how to create a virtual machine scale set and configure autoscaling.
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2012)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
-
-## Objectives
-
-In this lab, you will:
-
-+ Task 1: Deploy zone-resilient Azure virtual machines by using the Azure portal and an Azure Resource Manager template
-+ Task 2: Configure Azure virtual machines by using virtual machine extensions
-+ Task 3: Scale compute and storage for Azure virtual machines
-+ Task 4: Register the Microsoft.Insights and Microsoft.AlertsManagement resource providers
-+ Task 5: Deploy zone-resilient Azure virtual machine scale sets by using the Azure portal
-+ Task 6: Configure Azure virtual machine scale sets by using virtual machine extensions
-+ Task 7: Scale compute and storage for Azure virtual machine scale sets (optional)
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
## Estimated timing: 50 minutes
-## Architecture diagram
+## Lab scenario
-
+Your organization wants to explore deploying and configuring Azure virtual machines. First, you implement an Azure virtual machine with manual scaling. Next, you implement a Virtual Machine Scale Set and explore autoscaling.
+## Interactive lab simulations
-### Instructions
+There are interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
-## Exercise 1
++ [Create a virtual machine in the portal](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%201). Create a virtual machine, connect and install the web server role.
-## Task 1: Deploy zone-resilient Azure virtual machines by using the Azure portal and an Azure Resource Manager template
++ [Deploy a virtual machine with a template](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%209). Explore the QuickStart gallery and locate a virtual machine template. Deploy the template and verify the deployment.
-In this task, you will deploy Azure virtual machines into different availability zones by using the Azure portal and an Azure Resource Manager template.
++ [Create a virtual machine with PowerShell](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%2010). Use Azure PowerShell to deploy a virtual machine. Review Azure Advisor recommendations.
-1. Sign in to the [Azure portal](http://portal.azure.com).
++ [Create a virtual machine with the CLI](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%2011). Use the CLI to deploy a virtual machine. Review Azure Advisor recommendations.
-1. In the Azure portal, search for and select **Virtual machines** and, on the **Virtual machines** blade, click **+ Create**, click **+ Azure virtual machine**.
+## Job skills
-1. On the **Basics** tab of the **Create a virtual machine** blade, specify the following settings (leave others with their default values):
++ Task 1: Deploy zone-resilient Azure virtual machines by using the Azure portal.
++ Task 2: Manage compute and storage scaling for virtual machines.
++ Task 3: Create and configure Azure Virtual Machine Scale Sets.
++ Task 4: Scale Azure Virtual Machine Scale Sets.
++ Task 5: Create a virtual machine using Azure PowerShell (optional 1).
++ Task 6: Create a virtual machine using the CLI (optional 2).
+
+## Tasks 1 and 2: Azure Virtual Machines Architecture Diagram
+
+
+
+## Task 1: Deploy zone-resilient Azure virtual machines by using the Azure portal
+
+In this task, you will deploy two Azure virtual machines into different availability zones by using the Azure portal. Availability zones offer the highest level of uptime SLA for virtual machines at 99.99%. To achieve this SLA, you must deploy at least two virtual machines across different availability zones.
+
+1. Sign in to the Azure portal - `https://portal.azure.com`.
+
+1. Search for and select `Virtual machines`, on the **Virtual machines** blade, click **+ Create**, and then select in the drop-down **+ Azure virtual machine**. Notice your other choices.
+
+1. On the **Basics** tab, in the **Availability zone** drop down menu, place a checkmark next to **Zone 2**. This should select both **Zone 1** and **Zone 2**.
+
+ >**Note**: This will deploy two virtual machines in the selected region, one in each zone. You achieve the 99.99% uptime SLA because you have at least two VMs distributed across at least two zones. In the scenario where you might only need one VM, it is a best practice to still deploy the VM to another zone.
+
+1. On the Basics tab, continue completing the configuration:
| Setting | Value |
| --- | --- |
- | Subscription | the name of the Azure subscription you will be using in this lab |
- | Resource group | the name of a new resource group **az104-08-rg01** |
- | Virtual machine name | **az104-08-vm0** |
- | Region | select one of the regions that support availability zones and where you can provision Azure virtual machines |
+ | Subscription | the name of your Azure subscription |
+ | Resource group | **az104-rg8** (If necessary, click **Create new**) |
+ | Virtual machine names | `az104-vm1` and `az104-vm2` (After selecting both availability zones, select **Edit names** under the VM name field.) |
+ | Region | **East US** |
| Availability options | **Availability zone** |
- | Availability zone | **Zone 1** |
- | Image | **Windows Server 2019 Datacenter - Gen2** |
- | Azure Spot instance | **No** |
+ | Availability zone | **Zone 1, 2** (read the note about using virtual machine scale sets) |
+ | Security type | **Standard** |
+ | Image | **Windows Server 2019 Datacenter - x64 Gen2** |
+ | Azure Spot instance | **unchecked** |
| Size | **Standard D2s v3** |
- | Username | **Student** |
- | Password | **Provide a secure password, minimum 12 characters** |
+ | Username | `localadmin` |
+ | Password | **Provide a secure password** |
| Public inbound ports | **None** |
| Would you like to use an existing Windows Server license? | **Unchecked** |
-1. Click **Next: Disks >** and, on the **Disks** tab of the **Create a virtual machine** blade, specify the following settings (leave others with their default values):
+ 
+
+1. Click **Next: Disks >** , specify the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
| OS disk type | **Premium SSD** |
+ | Delete with VM | **checked** (default) |
| Enable Ultra Disk compatibility | **Unchecked** |
-1. Click **Next: Networking >** and, on the **Networking** tab of the **Create a virtual machine** blade, click **Create new** below the **Virtual network** textbox.
-
-1. On the **Create virtual network** blade, specify the following settings (leave others with their default values):
+1. Click **Next: Networking >** take the defaults but do not provide a load balancer.
| Setting | Value |
| --- | --- |
- | Name | **az104-08-vnet01** |
- | Address range | **10.80.0.0/20** |
- | Subnet name | **subnet0** |
- | Subnet range | **10.80.0.0/24** |
-
-1. Click **OK** and, back on the **Networking** tab of the **Create a virtual machine** blade, specify the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- | --- |
- | Subnet | **subnet0** |
- | Public IP | **default** |
- | NIC network security group | **basic** |
- | Public inbound Ports | **None** |
- | Accelerated networking | **Off**
+ | Delete public IP and NIC when VM is deleted | **Checked** |
| Load balancing options | **None** |
-1. Click **Next: Management >** and, on the **Management** tab of the **Create a virtual machine** blade, specify the following settings (leave others with their default values):
+
+1. Click **Next: Management >** and specify the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
- | Patch orchestration options | **Manual updates** |
+ | Patch orchestration options | **Azure orchestrated** |
-1. Click **Next: Monitoring >** and, on the **Monitoring** tab of the **Create a virtual machine** blade, specify the following settings (leave others with their default values):
+1. Click **Next: Monitoring >** and specify the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
- | Boot diagnostics | **Enable with custom storage account** |
- | Diagnostics storage account | **accept the default value** |
+ | Boot diagnostics | **Disable** |
- >**Note**: If necessary, select an existing storage account in the dropdown list or create a new storage account. Record the name of the storage account. You will use it in the next task.
+1. Click **Next: Advanced >**, take the defaults, then click **Review + Create**.
-1. Click **Next: Advanced >**, on the **Advanced** tab of the **Create a virtual machine** blade, review the available settings without modifying any of them, and click **Review + Create**.
+1. After the validation, click **Create**.
-1. On the **Review + Create** blade, click **Create**.
+ >**Note:** Notice as the virtual machine deploys the NIC, disk, and public IP address (if configured) are independently created and managed resources.
-1. On the deployment blade, click **Template**.
+1. Wait for the deployment to complete, then select **Go to resource**.
-1. Review the template representing the deployment in progress and click **Deploy**.
+ >**Note:** Monitor the **Notification** messages.
- >**Note**: You will use this option to deploy the second virtual machine with matching configuration except for the availability zone.
+## Task 2: Manage compute and storage scaling for virtual machines
-1. On the **Custom deployment** blade, specify the following settings (leave others with their default values):
+In this task, you will scale a virtual machine by adjusting its size to a different SKU. Azure provides flexibility in VM size selection so that you can adjust a VM for periods of time if it needs more (or less) compute and memory allocated. This concept is extended to disks, where you can modify the performance of the disk, or increase the allocated capacity.
+
+1. On the **az104-vm1** virtual machine, in the **Availability + scale** blade, select **Size**.
+
+1. Set the virtual machine size to **DS1_v2** and click **Resize**. When prompted, confirm the change.
+
+ >**Note**: Choose another size if **Standard DS1_v2** is not available. Resizing is also known as vertical scaling, up or down.
+
+ 
+
+1. In the **Settings** area, select **Disks**.
+
+1. Under **Data disks** select **+ Create and attach a new disk**. Configure the settings (leave other settings at their default values).
| Setting | Value |
| --- | --- |
- | Resource Group | **az104-08-rg01** |
- | Network Interface Name | **az104-08-vm1-nic1** |
- | Public IP Address Name | **az104-08-vm1-ip** |
- | Virtual Machine Name, Virtual Machine Name1, Virtual Machine Computer Name | **az104-08-vm1** |
- | Virtual Machine RG | **az104-08-rg01** |
- | Admin Username | **Student** |
- | Admin Password | **Provide a secure password** |
- | Enable Hotpatching | **false** |
- | Zone | **2** |
+ | Disk name | `vm1-disk1` |
+ | Storage type | **Standard HDD** |
+ | Size (GiB) | `32` |
- >**Note**: You need to modify parameters corresponding to the properties of the distinct resources you are deploying by using the template, including the virtual machine and its network interface.
+1. Click **Apply**.
-1. Click **Review + Create**, on the **Review + Create** blade, click **Create**.
+1. After the disk has been created, click **Detach** (if necessary, scroll to the right to view the detach icon), and then click **Apply**.
- >**Note**: Wait for both deployments to complete before you proceed to the next task. This might take about 5 minutes.
+ >**Note**: Detaching removes the disk from the VM but keeps it in storage for later use.
-## Task 2: Configure Azure virtual machines by using virtual machine extensions
+1. Search for and select `Disks`. From the list of disks, select the **vm1-disk1** object.
-In this task, you will install Windows Server Web Server role on the two Azure virtual machines you deployed in the previous task by using the Custom Script virtual machine extension.
+ >**Note:** The **Overview** blade also provides performance and usage information for the disk.
-1. In the Azure portal, search for and select **Storage accounts** and, on the **Storage accounts** blade, click the entry representing the diagnostics storage account you created in the previous task.
+1. In the **Settings** blade, select **Size + performance**.
-1. On the storage account blade, in the **Data Storage** section, click **Containers** and then click **+ Container**.
+1. Set the storage type to **Standard SSD**, and then click **Save**.
-1. On the **New container** blade, specify the following settings (leave others with their default values) and click **Create**:
+1. Navigate back to the **az104-vm1** virtual machine and select **Disks**.
+
+1. Verify the disk is now **Standard SSD**.
+
+ >**Note:** You have now created a virtual machine, scaled the SKU and the data disk size. In the next task we use Virtual Machine Scale Sets to automate the scaling process.
+
+## Task 3 and 4: Azure Virtual Machine Scale Sets Architecture Diagram
+
+
+
+## Task 3: Create and configure Azure Virtual Machine Scale Sets
+
+In this task, you will deploy an Azure virtual machine scale set across availability zones. VM Scale Sets reduce the administrative overhead of automation by enabling you to configure metrics or conditions that allow the scale set to horizontally scale, scale in or scale out.
+
+1. In the Azure portal, search for and select `Virtual machine scale sets` and, on the **Virtual machine scale sets** blade, click **+ Create**.
+
+1. On the **Basics** tab of the **Create a virtual machine scale set** blade, specify the following settings (leave others with their default values) and click **Next : Spot >**:
| Setting | Value |
| --- | --- |
- | Name | **scripts** |
- | Public access level | **Private (no anonymous access**) |
-
-1. Back on the storage account blade displaying the list of containers, click **scripts**.
-
-1. On the **scripts** blade, click **Upload**.
-
-1. On the **Upload blob** blade, click the folder icon, in the **Open** dialog box, navigate to the **\\Allfiles\\Labs\\08** folder, select **az104-08-install_IIS.ps1**, click **Open**, and back on the **Upload blob** blade, click **Upload**.
-
-1. In the Azure portal, search for and select **Virtual machines** and, on the **Virtual machines** blade, click **az104-08-vm0**.
-
-1. On the **az104-08-vm0** virtual machine blade, in the **Settings** section, click **Extensions + applications**, and the click **+ Add**.
-
-1. On the **Install an Extension** blade, click **Custom Script Extension** and then click **Next**.
-
-1. From the **Configure Custom Script Extension Extension** blade, click **Browse**.
-
-1. On the **Storage accounts** blade, click the name of the storage account into which you uploaded the **az104-08-install_IIS.ps1** script, on the **Containers** blade, click **scripts**, on the **scripts** blade, click **az104-08-install_IIS.ps1**, and then click **Select**.
-
-1. Back on the **Install extension** blade, click **Review + create** and, on the **Review + create** blade click **Create**.
-
-1. In the Azure portal, search for and select **Virtual machines** and, on the **Virtual machines** blade, click **az104-08-vm1**.
-
-1. On the **az104-08-vm1** blade, in the **Automation** section, click **Export template**.
-
-1. On the **az104-08-vm1 - Export template** blade, click **Deploy**.
-
-1. On the **Custom deployment** blade, click **Edit template**.
-
- >**Note**: Disregard the message stating **The resource group is in a location that is not supported by one or more resources in the template. Please choose a different resource group**. This is expected and can be ignored in this case.
-
-1. On the **Edit template** blade, in the section displaying the content of the template, insert the following code starting with line **20** (directly underneath the `"resources": [` line):
-
- >**Note**: If you are using a tool that pastes the code in line by line intellisense may add extra brackets causing validation errors. You may want to paste the code into notepad first and then paste it into line 20.
-
- ```json
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "az104-08-vm1/customScriptExtension",
- "apiVersion": "2018-06-01",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "az104-08-vm1"
- ],
- "properties": {
- "publisher": "Microsoft.Compute",
- "type": "CustomScriptExtension",
- "typeHandlerVersion": "1.7",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "commandToExecute": "powershell.exe Install-WindowsFeature -name Web-Server -IncludeManagementTools && powershell.exe remove-item 'C:\\inetpub\\wwwroot\\iisstart.htm' && powershell.exe Add-Content -Path 'C:\\inetpub\\wwwroot\\iisstart.htm' -Value $('Hello World from ' + $env:computername)"
- }
- }
- },
-
- ```
-
- >**Note**: This section of the template defines the same Azure virtual machine custom script extension that you deployed earlier to the first virtual machine via Azure PowerShell.
-
-1. Click **Save** and, back on the **Custom template** blade, click **Review + Create** and, on the **Review + Create** blade, click **Create**
-
- >**Note**: Wait for the template deployment to complete. You can monitor its progress from the **Extensions** blade of the **az104-08-vm0** and **az104-08-vm1** virtual machines. This should take no more than 3 minutes.
-
-1. To verify that the Custom Script extension-based configuration was successful, navigate back on the **az104-08-vm1** blade, in the **Operations** section, click **Run command**, and, in the list of commands, click **RunPowerShellScript**.
-
-1. On the **Run Command Script** blade, type the following and click **Run** to access the web site hosted on **az104-08-vm1**:
-
- ```powershell
- Invoke-WebRequest -URI http://10.80.0.4 -UseBasicParsing
- ```
-
- >**Note**: The **-UseBasicParsing** parameter is necessary to eliminate dependency on Internet Explorer to complete execution of the cmdlet
-
- >**Note**: The **-URI** parameter is the **Private IP address** of the VM. Navigate to the **az104-08-vm1** blade, in the **Networking** section, and click **Network settings**
-
- >**Note**: You can also connect to **az104-08-vm0** and run `Invoke-WebRequest -URI http://10.80.0.5 -UseBasicParsing` to access the web site hosted on **az104-08-vm1**.
-
-## Task 3: Scale compute and storage for Azure virtual machines
-
-In this task you will scale compute for Azure virtual machines by changing their size and scale their storage by attaching and configuring their data disks.
-
-1. In the Azure portal, search for and select **Virtual machines** and, on the **Virtual machines** blade, click **az104-08-vm0**.
-
-1. On the **az104-08-vm0** virtual machine blade, click **Size** and set the virtual machine size to **Standard DS1_v2** and click **Resize**
-
- >**Note**: Choose another size if **Standard DS1_v2** is not available.
-
-1. On the **az104-08-vm0** virtual machine blade, click **Disks**, Under **Data disks** click **+ Create and attach a new disk**.
-
-1. Create a managed disk with the following settings (leave others with their default values) and click **Apply**:
-
- | Setting | Value |
- | --- | --- |
- | Disk name | **az104-08-vm0-datadisk-0** |
- | Storage type | **Premium SSD** |
- | Size (GiB| **1024** |
-
-1. Back on the **az104-08-vm0 - Disks** blade, Under **Data disks** click **+ Create and attach a new disk**.
-
-1. Create a managed disk with the following settings (leave others with their default values) and click **Apply**:
-
- | Setting | Value |
- | --- | --- |
- | Disk name | **az104-08-vm0-datadisk-1** |
- | Storage type | **Premium SSD** |
- | Size (GiB)| **1024 GiB** |
-
-
-1. On the **az104-08-vm0** blade, in the **Operations** section, click **Run command**, and, in the list of commands, click **RunPowerShellScript**.
-
-1. On the **Run Command Script** blade, type the following and click **Run** to create a drive Z: consisting of the two newly attached disks with the simple layout and fixed provisioning:
-
- ```powershell
- New-StoragePool -FriendlyName storagepool1 -StorageSubsystemFriendlyName "Windows Storage*" -PhysicalDisks (Get-PhysicalDisk -CanPool $true)
-
- New-VirtualDisk -StoragePoolFriendlyName storagepool1 -FriendlyName virtualdisk1 -Size 64GB -ResiliencySettingName Simple -ProvisioningType Fixed
-
- Initialize-Disk -VirtualDisk (Get-VirtualDisk -FriendlyName virtualdisk1)
-
- New-Partition -DiskNumber 4 -UseMaximumSize -DriveLetter Z
- ```
-
- > **Note**: Wait for the confirmation that the commands completed successfully.
-
-1. In the Azure portal, search for and select **Virtual machines** and, on the **Virtual machines** blade, click **az104-08-vm1**.
-
-1. On the **az104-08-vm1** blade, in the **Automation** section, click **Export template**.
-
-1. On the **az104-08-vm1 - Export template** blade, click **Deploy**.
-
-1. On the **Custom deployment** blade, click **Edit template**.
-
- >**Note**: Disregard the message stating **The resource group is in a location that is not supported by one or more resources in the template. Please choose a different resource group**. This is expected and can be ignored in this case.
-
-1. On the **Edit template** blade, in the section displaying the content of the template, replace the line **30** `"vmSize": "Standard_D2s_v3"` with the following line):
-
- ```json
- "vmSize": "Standard_DS1_v2"
-
- ```
-
- >**Note**: This section of the template defines the same Azure virtual machine size as the one you specified for the first virtual machine via the Azure portal.
-
-1. On the **Edit template** blade, in the section displaying the content of the template, replace line **54** (`"dataDisks": [ ],`) with the following code :
-
- ```json
- "dataDisks": [
- {
- "lun": 0,
- "name": "az104-08-vm1-datadisk0",
- "diskSizeGB": "1024",
- "caching": "ReadOnly",
- "createOption": "Empty"
- },
- {
- "lun": 1,
- "name": "az104-08-vm1-datadisk1",
- "diskSizeGB": "1024",
- "caching": "ReadOnly",
- "createOption": "Empty"
- }
- ],
- ```
-
- >**Note**: If you are using a tool that pastes the code in line by line intellisense may add extra brackets causing validation errors. You may want to paste the code into notepad first and then paste it into line 49.
-
- >**Note**: This section of the template creates two managed disks and attaches them to **az104-08-vm1**, similarly to the storage configuration of the first virtual machine via the Azure portal.
-
-
-1. Click **Save** and, back on the **Custom deployment** blade, click **Review + Create** and, on the **Review + Create** blade, click **Create**.
-
- >**Note**: Wait for the template deployment to complete. You can monitor its progress from the **Disks** blade of the **az104-08-vm1** virtual machine. This should take no more than 3 minutes.
-
-1. Back on the **az104-08-vm1** blade, in the **Operations** section, click **Run command**, and, in the list of commands, click **RunPowerShellScript**.
-
-1. On the **Run Command Script** blade, type the following and click **Run** to create a drive Z: consisting of the two newly attached disks with the simple layout and fixed provisioning:
-
- ```powershell
- New-StoragePool -FriendlyName storagepool1 -StorageSubsystemFriendlyName "Windows Storage*" -PhysicalDisks (Get-PhysicalDisk -CanPool $true)
-
- New-VirtualDisk -StoragePoolFriendlyName storagepool1 -FriendlyName virtualdisk1 -Size 2046GB -ResiliencySettingName Simple -ProvisioningType Fixed
-
- Initialize-Disk -VirtualDisk (Get-VirtualDisk -FriendlyName virtualdisk1)
-
- New-Partition -DiskNumber 4 -UseMaximumSize -DriveLetter Z
- ```
-
- > **Note**: Wait for the confirmation that the commands completed successfully.
-
-## Task 4: Register the Microsoft.Insights and Microsoft.AlertsManagement resource providers
-
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
-
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
-
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
-
-1. From the Cloud Shell pane, run the following to register the Microsoft.Insights and Microsoft.AlertsManagement resource providers.
-
- ```powershell
- Register-AzResourceProvider -ProviderNamespace Microsoft.Insights
-
- Register-AzResourceProvider -ProviderNamespace Microsoft.AlertsManagement
- ```
-
-## Task 5: Deploy zone-resilient Azure virtual machine scale sets by using the Azure portal
-
-In this task, you will deploy Azure virtual machine scale set across availability zones by using the Azure portal.
-
-1. In the Azure portal, search for and select **Virtual machine scale sets** and, on the **Virtual machine scale sets** blade, click **+ Add** (or **+ Create**).
-
-1. On the **Basics** tab of the **Create a virtual machine scale set** blade, specify the following settings (leave others with their default values) and click **Next : Disks >**:
-
- | Setting | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | the name of a new resource group **az104-08-rg02** |
- | Virtual machine scale set name | **az10408vmss0** |
- | Region | select one of the regions that support availability zones and where you can provision Azure virtual machines different from the one you used to deploy virtual machines earlier in this lab |
+ | Subscription | the name of your Azure subscription |
+ | Resource group | **az104-rg8** |
+ | Virtual machine scale set name | `vmss1` |
+ | Region | **(US)East US** |
| Availability zone | **Zones 1, 2, 3** |
| Orchestration mode | **Uniform** |
- | Image | **Windows Server 2019 Datacenter - Gen2** |
- | Run with Azure Spot discount | **No** |
+ | Security type | **Standard** |
+ | Image | **Windows Server 2019 Datacenter - x64 Gen2** |
+ | Run with Azure Spot discount | **Unchecked** |
| Size | **Standard D2s_v3** |
- | Username | **Student** |
+ | Username | `localadmin` |
| Password | **Provide a secure password** |
| Already have a Windows Server license? | **Unchecked** |
>**Note**: For the list of Azure regions which support deployment of Windows virtual machines to availability zones, refer to [What are Availability Zones in Azure?](https://docs.microsoft.com/en-us/azure/availability-zones/az-overview)
-1. On the **Disks** tab of the **Create a virtual machine scale set** blade, accept the default values and click **Next : Networking >**.
+ 
-1. On the **Networking** tab of the **Create a virtual machine scale set** blade, click the **Create virtual network** link below the **Virtual network** textbox and create a new virtual network with the following settings (leave others with their default values).
+1. On the **Spot** tab, accept the defaults and select **Next: Disks >**.
+
+1. On the **Disks** tab, accept the default values and click **Next : Networking >**.
+
+1. On the **Networking** page, click the **Create virtual network** link below the **Virtual network** textbox and create a new virtual network with the following settings (leave others with their default values). When finished, select **OK**.
| Setting | Value |
| --- | --- |
- | Name | **az104-08-rg02-vnet** |
- | Address range | **10.82.0.0/20** |
- | Subnet name | **subnet0** |
- | Subnet range | **10.82.0.0/24** |
+ | Name | `vmss-vnet` |
+ | Address range | `10.82.0.0/20` (change what is there) |
+ | Subnet name | `subnet0` |
+ | Subnet range | `10.82.0.0/24` |
- >**Note**: Once you create a new virtual network and return to the **Networking** tab of the **Create a virtual machine scale set** blade, the **Virtual network** value will be automatically set to **az104-08-rg02-vnet**.
+1. In the **Networking** tab, click the **Edit network interface** icon to the right of the network interface entry.
-1. Back on the **Networking** tab of the **Create a virtual machine scale set** blade, click the **Edit network interface** icon to the right of the network interface entry.
-
-1. On the **Edit network interface** blade, in the **NIC network security group** section, click **Advanced** and click **Create new** under the **Configure network security group** drop-down list.
+1. For **NIC network security group** section, select **Advanced** and then click **Create new** under the **Configure network security group** drop-down list.
1. On the **Create network security group** blade, specify the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
- | Name | **az10408vmss0-nsg** |
+ | Name | **vmss1-nsg** |
1. Click **Add an inbound rule** and add an inbound security rule with the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
| Source | **Any** |
- | Source port ranges | **\*** |
+ | Source port ranges | * |
| Destination | **Any** |
- | Destination port ranges | **80** |
- | Protocol | **TCP** |
+ | Service | **HTTP** |
| Action | **Allow** |
| Priority | **1010** |
- | Name | **custom-allow-http** |
+ | Name | `allow-http` |
1. Click **Add** and, back on the **Create network security group** blade, click **OK**.
-1. Back on the **Edit network interface** blade, in the **Public IP address** section, click **Enabled** and click **OK**.
+1. In the **Edit network interface** blade, in the **Public IP address** section, click **Enabled** and click **OK**.
-1. Back on the **Networking** tab of the **Create a virtual machine scale set** blade, under the **Load balancing** section, specify the following (leave others with their default values).
+1. In the **Networking** tab, under the **Load balancing** section, specify the following (leave others with their default values).
| Setting | Value |
| --- | --- |
| Load balancing options | **Azure load balancer** |
| Select a load balancer | **Create a load balancer** |
-
-1. On the **Create a load balancer** page, specify the load balancer name and take the defaults. Click **Create** when you are done then **Next : Scaling >**.
-
- | Setting | Value |
- | --- | --- |
- | Load balancer name | **az10408vmss0-lb** |
-1. On the **Scaling** tab of the **Create a virtual machine scale set** blade, specify the following settings (leave others with their default values) and click **Next : Management >**:
+1. On the **Create a load balancer** page, specify the load balancer name and take the defaults. Click **Create** when you are done then **Next : Scaling >**.
| Setting | Value |
| --- | --- |
- | Initial instance count | **2** |
+ | Load balancer name | `vmss-lb` |
+
+ >**Note:** Pause for a minute and review what you done. At this point, you have configured the virtual machine scale set with disks and networking. In the network configuration you have created a network security group and allowed HTTP. You have also created a load balancer with a public IP address.
+
+1. On the **Scaling** tab, specify the following settings (leave others with their default values) and click **Next : Management >**:
+
+ | Setting | Value |
+ | --- | --- |
+ | Initial instance count | `2` |
| Scaling policy | **Manual** |
-1. On the **Management** tab of the **Create a virtual machine scale set** blade, specify the following settings (leave others with their default values):
+1. On the **Management** tab, specify the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
- | Boot diagnostics | **Enable with custom storage account** |
- | Diagnostics storage account | accept the default value |
+ | Boot diagnostics | **Disable** |
- >**Note**: You will need the name of this storage account in the next task.
+1. Click **Next : Health >**.
- Click **Next : Health >**:
+1. On the **Health** tab, review the default settings without making any changes and click **Next : Advanced >**.
-1. On the **Health** tab of the **Create a virtual machine scale set** blade, review the default settings without making any changes and click **Next : Advanced >**.
+1. On the **Advanced** tab, click **Review + create**.
-1. On the **Advanced** tab of the **Create a virtual machine scale set** blade, specify the following settings (leave others with their default values) and click **Review + create**.
+1. On the **Review + create** tab, ensure that the validation passed and click **Create**.
+
+ >**Note**: Wait for the virtual machine scale set deployment to complete. This should take approximately 5 minutes. While you wait review the [documentation](https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview).
+
+## Task 4: Scale Azure Virtual Machine Scale Sets
+
+In this task, you scale the virtual machine scale set using a custom scale rule.
+
+1. Select **Go to resource** or search for and select the **vmss1** scale set.
+
+1. Choose **Scaling** from the menu on the left-hand side of the scale set window.
+
+>**Did you know?** You can **Manual scale** or **Custom autoscale**. In scale sets with a small number of VM instances, increasing or decreasing the instance count (Manual scale) may be best. In scale sets with a large number of VM instances, scaling based on metrics (Custom autoscale) may be more appropriate.
+
+### Scale out rule
+
+1. Select **Custom autoscale**. then change the **Scale mode** to **Scale based on metric**. And then select **Add rule**.
+
+1. Let's create a rule that automatically increases the number of VM instances. This rule scales out when the average CPU load is greater than 70% over a 10-minute period. When the rule triggers, the number of VM instances is increased by 20%.
| Setting | Value |
| --- | --- |
- | Spreading algorithm | **Fixed spreading (not recommended with zones)** |
-
- >**Note**: The **Max spreading** setting is currently not functional.
-
-1. On the **Review + create** tab of the **Create a virtual machine scale set** blade, ensure that the validation passed and click **Create**.
-
- >**Note**: Wait for the virtual machine scale set deployment to complete. This should take about 5 minutes.
-
-## Task 6: Configure Azure virtual machine scale sets by using virtual machine extensions
-
-In this task, you will install Windows Server Web Server role on the instances of the Azure virtual machine scale set you deployed in the previous task by using the Custom Script virtual machine extension.
-
-1. In the Azure portal, search for and select **Storage accounts** and, on the **Storage accounts** blade, click the entry representing the diagnostics storage account you created in the previous task.
-
-1. On the storage account blade, in the **Data Storage** section, click **Containers** and then click **+ Container**.
-
-1. On the **New container** blade, specify the following settings (leave others with their default values) and click **Create**:
-
- | Setting | Value |
- | --- | --- |
- | Name | **scripts** |
- | Public access level | **Private (no anonymous access**) |
-
-1. Back on the storage account blade displaying the list of containers, click **scripts**.
-
-1. On the **scripts** blade, click **Upload**.
-
-1. On the **Upload blob** blade, click the folder icon, in the **Open** dialog box, navigate to the **\\Allfiles\\Labs\\08** folder, select **az104-08-install_IIS.ps1**, click **Open**, and back on the **Upload blob** blade, click **Upload**.
-
-1. In the Azure portal, navigate back to the **Virtual machine scale sets** blade and click **az10408vmss0**.
-
-1. On the **az10408vmss0** blade, in the **Settings** section, click **Extensions and applications**, and the click **+ Add**.
-
-1. On the **New resource** blade, click **Custom Script Extension** and then click **Next**.
-
-1. From the **Install extension** blade, **Browse** to and **Select** the **az104-08-install_IIS.ps1** script that was uploaded to the **scripts** container in the storage account earlier in this task, and then click **Create**.
-
- >**Note**: Wait for the installation of the extension to complete before proceeding to the next step.
-
-1. In the **Overview** section of the **az10408vmss0** blade, click **Instances**, select the checkboxes next to the two instances of the virtual machine scale set, click **Upgrade**, and then, when prompted for confirmation, click **Yes**.
-
- >**Note**: Wait for the upgrade to complete before proceeding to the next step.
-
-1. In the Azure portal, search for and select **Load balancers** and, in the list of load balancers, click **az10408vmss0-lb**.
-
-1. On the **az10408vmss0-lb** blade, note the value of the **Public IP address** assigned to the frontend of the load balancer, open an new browser tab, and navigate to that IP address.
-
- >**Note**: Verify that the browser page displays the name of one of the instances of the Azure virtual machine scale set **az10408vmss0**.
-
-## Task 7: Scale compute and storage for Azure virtual machine scale sets
-
-In this task, you will change the size of virtual machine scale set instances, configure their autoscaling settings, and attach disks to them.
-
-1. In the Azure portal, search for and select **Virtual machine scale sets** and select the **az10408vmss0** scale set
-
-1. In the **az10408vmss0** blade, in the **Settings** section, click **Size**.
-
-1. In the list of available sizes, select **Standard DS1_v2** and click **Resize**.
-
-1. In the **Settings** section, click **Instances**, select the checkboxes next to the two instances of the virtual machine scale set, click **Upgrade**, and then, when prompted for confirmation, click **Yes**.
-
-1. In the list of instances, click the entry representing the first instance and, on the scale set instance blade, note its **Location** (it should be one of the zones in the target Azure region into which you deployed the Azure virtual machine scale set).
-
-1. Return to the **az10408vmss0 - Instances** blade, click the entry representing the second instance and, on the scale set instance blade, note its **Location** (it should be one of the other two zones in the target Azure region into which you deployed the Azure virtual machine scale set).
-
-1. Return to the **az10408vmss0 - Instances** blade, and in the **Settings** section, click **Scaling**.
-
-1. On the **az10408vmss0 - Scaling** blade, select the **Custom autoscale** option and configure autoscale with the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- |--- |
- | Scale mode | **Scale based on a metric** |
-
-1. Click the **+ Add a rule** link and, on the **Scale rule** blade, specify the following settings (leave others with their default values):
-
- | Setting | Value |
- | --- |--- |
- | Metric source | **Current resource (az10480vmss0)** |
+ | Metric source | **Current resource (vmss1)** |
| Metric namespace | **Virtual Machine Host** |
- | Metric name | **Network In Total** |
+ | Metric name | **Percentage CPU** (review your other choices) |
| Operator | **Greater than** |
- | Metric threshold to trigger scale action | **10** |
- | Duration (in minutes) | **1** |
+ | Metric threshold to trigger scale action | **70** |
+ | Duration (minutes) | **10** |
| Time grain statistic | **Average** |
- | Time aggregation | **Average** |
- | Operation | **Increase count by** |
- | Instance count | **1** |
+ | Operation | **Increase percent by** (review other choices) |
| Cool down (minutes) | **5** |
+ | Percentage | **20** |
- >**Note**: Obviously these values do not represent a realistic configuration, since their purpose is to trigger autoscaling as soon as possible, without extended wait period.
+ 
-1. Click **Add** and, back on the **az10408vmss0 - Scaling** blade, specify the following settings (leave others with their default values):
+1. Be sure to **Save** your changes.
- | Setting | Value |
- | --- |--- |
- | Instance limits Minimum | **1** |
- | Instance limits Maximum | **3** |
- | Instance limits Default | **1** |
+### Scale in rule
-1. Click **Save**.
+1. During evenings or weekends, demand may decrease so it is important to create a scale in rule.
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
+1. Let's create a rule that decreases the number of VM instances in a scale set. The number of instances should decrease when the average CPU load drops below 30% over a 10-minute period. When the rule triggers, the number of VM instances is decreased by 20%.
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
-
-1. From the Cloud Shell pane, run the following to identify the public IP address of the load balancer in front of the Azure virtual machine scale set **az10408vmss0**.
-
- ```powershell
- $rgName = 'az104-08-rg02'
-
- $lbpipName = 'az10408vmss0-lb-publicip'
-
- $pip = (Get-AzPublicIpAddress -ResourceGroupName $rgName -Name $lbpipName).IpAddress
- ```
-
-1. From the Cloud Shell pane, run the following to start an infinite loop that sends the HTTP requests to the web sites hosted on the instances of Azure virtual machine scale set **az10408vmss0**.
-
- ```powershell
- while ($true) { Invoke-WebRequest -Uri "http://$pip" }
- ```
-
-1. Minimize the Cloud Shell pane but do not close it, switch back to the **az10408vmss0 - Instances** blade and monitor the number of instances.
-
- >**Note**: You might need to wait a couple of minutes and click **Refresh**.
-
-1. Once the third instance is provisioned, navigate to its blade to determine its **Location** (it should be different than the first two zones you identified earlier in this task.
-
-1. Close Cloud Shell pane.
-
-1. On the **az10408vmss0** blade, in the **Settings** section, click **Disks**, click **+ Create and attach a new disk**, and attach a new managed disk with the following settings (leave others with their default values):
+1. Select **Add a rule**, adjust the settings, then select **Add**.
| Setting | Value |
| --- | --- |
- | LUN | **0** |
- | Storage type | **Standard HDD** |
- | Size (GiB) | **32** |
+ | Operator | **Less than** |
+ | Threshold | **30** |
+ | Operation | **decrease percentage by** (review your other choices) |
+ | Percentage | **20** |
-1. Apply the change
+1. Be sure to **Save** your changes.
-1. In the **Settings** section of the **az10408vmss0** blade, click **Instances**, select the checkboxes next to the instances of the virtual machine scale set, click **Upgrade**, and then, when prompted for confirmation, click **Yes**.
+### Set the instance limits
- >**Note**: The disk attached in the previous step is a raw disk. Before it can be used, it is necessary to create a partition, create a filesystem, and mount it. To accomplish this, you will use Azure virtual machine Custom Script extension. First, you will need to remove the existing Custom Script Extension.
+1. When your autoscale rules are applied, instance limits make sure that you do not scale out beyond the maximum number of instances or scale in beyond the minimum number of instances.
-1. In the **Settings** section of the **az10408vmss0** blade, click **Extensions and applications**, click **CustomScriptExtension**, and then click **Uninstall**.
+1. **Instance limits** are shown on the **Scaling** page after the rules.
- >**Note**: Wait for uninstallation to complete.
+ | Setting | Value |
+ | --- | --- |
+ | Minimum | **2** |
+ | Maximum | **10** |
+ | Default | **2** |
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
+1. Be sure to **Save** your changes
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+1. On the **vmss1** page, select **Instances**. This is where you would monitor the number of virtual machine instances.
-1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the file **\\Allfiles\\Labs\\08\\az104-08-configure_VMSS_disks.ps1** into the Cloud Shell home directory.
+ >**Note:** If you are interested in using Azure PowerShell for virtual machine creation, try Task 5. If you are interested in using the CLI to create virtual machines, try Task 6.
-1. From the Cloud Shell pane, run the following to display the content of the script:
+## Task 5: Create a virtual machine using Azure PowerShell (option 1)
- ```powershell
- Set-Location -Path $HOME
+1. Use the icon (top right) to launch a **Cloud Shell** session. Alternately, navigate directly to `https://shell.azure.com`.
- Get-Content -Path ./az104-08-configure_VMSS_disks.ps1
- ```
+1. Be sure to select **PowerShell**. If necessary, use the **Show advanced settings** and configure the shell storage.
- >**Note**: The script installs a custom script extension that configures the attached disk.
+1. Run the following command to create a virtual machine. When prompted, provide a username and password for the VM. While you wait check out the [New-AzVM](https://learn.microsoft.com/powershell/module/az.compute/new-azvm?view=azps-11.1.0) command reference for all the parameters associated with creating a virtual machine.
-1. From the Cloud Shell pane, run the following to execute the script and configure disks of Azure virtual machine scale set:
+ ```powershell
+ New-AzVm `
+ -ResourceGroupName 'az104-rg8' `
+ -Name 'myPSVM' `
+ -Location 'East US' `
+ -Image 'Win2019Datacenter' `
+ -Zone '1' `
+ -Size 'Standard_D2s_v3'
+ -Credential '(Get-Credential)' `
+ ```
- ```powershell
- ./az104-08-configure_VMSS_disks.ps1
- ```
+1. Once the command completes, use **Get-AzVM** to list the virtual machines in your resource group.
-1. Close the Cloud Shell pane.
+ ```powershell
+ Get-AzVM `
+ -ResourceGroupName 'az104-rg8' `
+ -Status
+ ```
-1. In the **Settings** section of the **az10408vmss0** blade, click **Instances**, select the checkboxes next to the instances of the virtual machine scale set, click **Upgrade**, and then, when prompted for confirmation, click **Yes**.
+1. Verify your new virtual machine is listed and the **Status** is **Running**.
-## Clean up resources
+1. Use **Stop-AzVM** to deallocate your virtual machine. Type **Yes** to confirm.
->**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
+ ```powershell
+ Stop-AzVM `
+ -ResourceGroupName 'az104-rg8' `
+ -Name 'myPSVM' `
+ ```
->**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
+1. Use **Get-AzVM** with the **-Status** parameter to verify the machine is **deallocated**.
-1. Remove az104-08-configure_VMSS_disks.ps1 by running the following command:
+ >**Did you know?** When you use Azure to stop your virtual machine, the status is *deallocated*. This means that any non-static public IPs are released, and you stop paying for the VM’s compute costs.
- ```powershell
- rm ~\az104-08*
- ```
+## Task 6: Create a virtual machine using the CLI (option 2)
-1. List all resource groups created throughout the labs of this module by running the following command:
+1. Use the icon (top right) to launch a **Cloud Shell** session. Alternately, navigate directly to `https://shell.azure.com`.
- ```powershell
- Get-AzResourceGroup -Name 'az104-08*'
- ```
+1. Be sure to select **Bash**. If necessary, use the **Show advanced settings** and configure the shell storage.
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
+1. Run the following command to create a virtual machine. When prompted, provide a username and password for the VM. While you wait check out the [az vm create](https://learn.microsoft.com/cli/azure/vm?view=azure-cli-latest#az-vm-create) command reference for all the parameters associated with creating a virtual machine.
- ```powershell
- Get-AzResourceGroup -Name 'az104-08*' | Remove-AzResourceGroup -Force -AsJob
- ```
+ ```sh
+ az vm create --name myCLIVM --resource-group az104-rg8 --image Ubuntu2204 --admin-username localadmin --generate-ssh-keys
+ ```
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
+1. Once the command completes, use **az vm show** to verify your machine was created.
-## Review
+ ```sh
+ az vm show --name myCLIVM --resource-group az104-rg8 --show-details
+ ```
-In this lab, you have:
+1. Verify the **powerState** is **VM Running**.
-+ Deployed zone-resilient Azure virtual machines by using the Azure portal and an Azure Resource Manager template
-+ Configured Azure virtual machines by using virtual machine extensions
-+ Scaled compute and storage for Azure virtual machines
-+ Deployed zone-reslient Azure virtual machine scale sets by using the Azure portal
-+ Configured Azure virtual machine scale sets by using virtual machine extensions
-+ Scaled compute and storage for Azure virtual machine scale sets
+1. Use **az vm deallocate** to deallocate your virtual machine. Type **Yes** to confirm.
+
+ ```sh
+ az vm deallocate --resource-group az104-rg8 --name myCLIVM
+ ```
+
+1. Use **az vm show** to ensure the **powerState** is **VM deallocated**.
+
+ >**Did you know?** When you use Azure to stop your virtual machine, the status is *deallocated*. This means that any non-static public IPs are released, and you stop paying for the VM’s compute costs.
+
+## Cleanup your resources
+
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
+
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
+
+
+## Key takeaways
+
+Congratulations on completing the lab. Here are the main takeaways for this lab.
+
++ Azure virtual machines are on-demand, scalable computing resources.
++ Azure virtual machines provide both vertical and horizontal scaling options.
++ Configuring Azure virtual machines includes choosing an operating system, size, storage and networking settings.
++ Azure Virtual Machine Scale Sets let you create and manage a group of load balanced VMs.
++ The virtual machines in a Virtual Machine Scale Set are created from the same image and configuration.
++ In a Virtual Machine Scale Set the number of VM instances can automatically increase or decrease in response to demand or a defined schedule.
+
+## Learn more with self-paced training
+
++ [Create a Windows virtual machine in Azure](https://learn.microsoft.com/training/modules/create-windows-virtual-machine-in-azure/). Create a Windows virtual machine using the Azure portal. Connect to a running Windows virtual machine using Remote Desktop
++ [Build a scalable application with Virtual Machine Scale Sets](https://learn.microsoft.com/training/modules/build-app-with-scale-sets/). Enable your application to automatically adjust to changes in load while minimizing costs with Virtual Machine Scale Sets.
++ [Connect to virtual machines through the Azure portal by using Azure Bastion](https://learn.microsoft.com/en-us/training/modules/connect-vm-with-azure-bastion/). Deploy Azure Bastion to securely connect to Azure virtual machines directly within the Azure portal to effectively replace an existing jumpbox solution, monitor remote sessions by using diagnostic logs, and manage remote sessions by disconnecting a user session.
+
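Review bot: The `New-AzVm` block in Task 5 will not run as pasted: `-Size 'Standard_D2s_v3'` has no trailing backtick, so the command ends there and the following `-Credential '(Get-Credential)'` line is no longer part of it, and the single quotes make `(Get-Credential)` a literal string rather than a call that returns a credential object. Suggest ending the `-Size` line with a backtick and making the final line `-Credential (Get-Credential)` with no quotes and no trailing backtick; the `Stop-AzVM` block has the same dangling backtick after `-Name 'myPSVM'`. In Task 6 the step text says "When prompted, provide a username and password for the VM", but the `az vm create` line passes `--admin-username localadmin --generate-ssh-keys`, so the text should describe SSH key authentication instead of a password prompt. On the scale set, the hunk keeps the `allow-http` inbound rule with Source **Any** and still sets **Public IP address** to **Enabled** on the network interface, while the task that installed the web server through the Custom Script Extension is removed in the visible lines; if the instances no longer serve HTTP in this lab, consider dropping the rule and the network interface public IP so that only the load balancer frontend is exposed, or add a sentence saying why they are still needed. Minor wording: "review what you done" in the note before the **Scaling** tab step, and "Select **Custom autoscale**. then change" in the scale out rule.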
diff --git a/Instructions/Labs/LAB_09a-Implement_Web_Apps.md b/Instructions/Labs/LAB_09a-Implement_Web_Apps.md
index 234209ca..2cb45210 100644
--- a/Instructions/Labs/LAB_09a-Implement_Web_Apps.md
+++ b/Instructions/Labs/LAB_09a-Implement_Web_Apps.md
@@ -5,267 +5,191 @@ lab:
---
# Lab 09a - Implement Web Apps
-# Student lab manual
+
+
+## Lab introduction
+
+In this lab, you learn about Azure web apps. You learn to configure a web app to display a Hello World application in an external GitHub repository. You learn to create a staging slot and swap with the production slot. You also learn about autoscaling to accommodate demand changes.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using East US.
+
+## Estimated timing: 20 minutes
## Lab scenario
-You need to evaluate the use of Azure Web apps for hosting Contoso's web sites, hosted currently in the company's on-premises data centers. The web sites are running on Windows servers using PHP runtime stack. You also need to determine how you can implement DevOps practices by leveraging Azure web apps deployment slots.
+Your organization is interested in Azure Web apps for hosting your company websites. The websites are currently hosted in an on-premises data center. The websites are running on Windows servers using the PHP runtime stack. The hardware is nearing end-of-life and will soon need to be replaced. Your organization wants to avoid new hardware costs by using Azure to host the websites.
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2013)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
+## Interactive lab simulations
-## Objectives
+There are interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
-In this lab, you will:
-
-+ Task 1: Create an Azure web app
-+ Task 2: Create a staging deployment slot
-+ Task 3: Configure web app deployment settings
-+ Task 4: Deploy code to the staging deployment slot
-+ Task 5: Swap the staging slots
-+ Task 6: Configure and test autoscaling of the Azure web app
-
-## Estimated timing: 30 minutes
++ [Create a web app](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%202). Create a web app that runs a Docker container.
+
++ [Implement Azure web apps](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2013). Create an Azure web app, manage the deployment, and scale the app.
## Architecture diagram
-
+
-### Instructions
+## Job skills
-## Exercise 1
++ Task 1: Create and configure an Azure web app.
++ Task 2: Create and configure a deployment slot.
++ Task 3: Configure web app deployment settings.
++ Task 4: Swap deployment slots.
++ Task 5: Configure and test autoscaling of the Azure web app.
-## Task 1: Create an Azure web app
+## Task 1: Create and configure an Azure web app
-In this task, you will create an Azure web app.
+In this task, you create an Azure web app. Azure App Services is a Platform As a Service (PAAS) solution for web, mobile, and other web-based applications. Azure web apps is part Azure App Services hosting most runtime environments, such as PHP, Java, and .NET. The app service plan that you select determines the web app compute, storage, and features.
-1. Sign in to the [**Azure portal**](http://portal.azure.com).
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. In the Azure portal, search for and select **App services**, and, on the **App Services** blade, click **+ Create**.
+1. Search for and select `App services`.
+
+1. Select **+ Create**, from drop-down menu, **Web App**. Notice the other choices.
1. On the **Basics** tab of the **Create Web App** blade, specify the following settings (leave others with their default values):
| Setting | Value |
| --- | ---|
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | the name of a new resource group **az104-09a-rg1** |
+ | Subscription | your Azure subscription |
+ | Resource group | `az104-rg9` (If necessary, select **Create new**) |
| Web app name | any globally unique name |
| Publish | **Code** |
| Runtime stack | **PHP 8.2** |
| Operating system | **Linux** |
- | Region | the name of an Azure region where you can provision Azure web apps |
- | Pricing plans | accept the default configuration |
+ | Region | **East US** |
+ | Pricing plans | accept the defaults |
+ | Zone redundancy | accept the defaults |
-1. Click **Review + create**. On the **Review + create** tab of the **Create Web App** blade, ensure that the validation passed and click **Create**.
+ 1. Click **Review + create**, and then **Create**.
- >**Note**: Wait until the web app is created before you proceed to the next task. This should take about a minute.
+ >**Note**: Wait until the Web App is created before you proceed to the next task. This should take about a minute.
-1. On the deployment blade, click **Go to resource**.
+1. After the deployment, select **Go to resource**.
-## Task 2: Create a staging deployment slot
+## Task 2: Create and configure a deployment slot
-In this task, you will create a staging deployment slot.
+In this task, you will create a staging deployment slot. Deployment slots enable you to perform testing prior to making your app available to the public (or your end users). After you have performed testing, you can swap the slot from development or staging to production. Many organizations use slots to perform pre-production testing. Additionally, many organizations run multiple slots for every application (for example, development, QA, test, and production).
-1. On the blade of the newly deployed web app, click the **Default domain** link to display the default web page in a new browser tab.
+1. On the blade of the newly deployed Web App, click the **Default domain** link to display the default web page in a new browser tab.
-1. Close the new browser tab and, back in the Azure portal, in the **Deployment** section of the web app blade, click **Deployment slots**.
+1. Close the new browser tab and, back in the Azure portal, in the **Deployment** section of the Web App blade, click **Deployment slots**.
- >**Note**: The web app, at this point, has a single deployment slot labeled **PRODUCTION**.
+ >**Note**: The Web App, at this point, has a single deployment slot labeled **PRODUCTION**.
1. Click **+ Add slot**, and add a new slot with the following settings:
| Setting | Value |
| --- | ---|
- | Name | **staging** |
+ | Name | `staging` |
| Clone settings from | **Do not clone settings**|
-1. Back on the **Deployment slots** blade of the web app, click the entry representing the newly created staging slot.
+1. Select **Add**.
+
+1. Back on the **Deployment slots** blade of the Web App, click the entry representing the newly created staging slot.
>**Note**: This will open the blade displaying the properties of the staging slot.
1. Review the staging slot blade and note that its URL differs from the one assigned to the production slot.
-## Task 3: Configure web app deployment settings
+## Task 3: Configure Web App deployment settings
-In this task, you will configure web app deployment settings.
+In this task, you will configure Web App deployment settings. Deployment settings allow for continuous deployment. This ensures that the app service has the latest version of the application.
-1. On the staging deployment slot blade, in the **Deployment** section, click **Deployment Center** and then select the **Settings** tab.
+1. In the staging slot, select **Deployment Center** and then select **Settings**.
- >**Note:** Make sure you are on the staging slot blade (rather than the production slot).
+ >**Note:** Make sure you are on the staging slot blade (instead than the production slot).
-1. On the **Settings** tab, in the **Source** drop-down list, select **Local Git** and click the **Save** button
+1. In the **Source** drop-down list, select **External Git**. Notice the other choices.
-1. On the **Deployment Center** blade, copy the **Git Clone Uri** entry to Notepad.
+1. In the repository field, enter `https://github.com/Azure-Samples/php-docs-hello-world`
- >**Note:** You will need the Git Clone Uri value in the next task of this lab.
+1. In the branch field, enter `master`.
-1. On the **Deployment Center** blade, select the **Local Git/FTPS credentials** tab, in the **User Scope** section, specify the following settings, and click **Save**.
+1. Select **Save**.
- | Setting | Value |
- | --- | ---|
- | User name | any globally unique name (see note) |
- | Password | any password that satisfies complexity requirements (see note) |
+1. From the staging slot, select **Overview**.
- >**Note:** Copy these credentials to Notepad. You will need them later.
-
- >**Note:** These credentials will be passed through the URI. Do not include any special characters that affect the interpretation of the URI. For example, @, $, or #. An asterick or plus sign (in the middle of the string) would work.
-
-## Task 4: Deploy code to the staging deployment slot
+1. Select the **Default domain** link, and open the URL in a new tab.
-In this task, you will deploy code to the staging deployment slot.
+1. Verify that the staging slot displays **Hello World**.
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
+>**Note:** The deployment may take a minute. Be sure to **Refresh** the application page.
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+## Task 4: Swap deployment slots
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
+In this task, you will swap the staging slot with the production slot. Swapping a slot allows you to use the code that you have tested in your staging slot, and move it to production. The Azure portal will also prompt you if you need to move other application settings that you have customized for the slot. Swapping slots is a common task for application teams and application support teams, especially those deploying routine app updates and bug fixes.
-1. From the Cloud Shell pane, run the following to clone the remote repository containing the code for the web app.
+1. Navigate back to the **Deployment slots** blade, and then select **Swap**.
- ```powershell
- git clone https://github.com/Azure-Samples/php-docs-hello-world
- ```
+1. Review the default settings and click **Swap**.
-1. From the Cloud Shell pane, run the following to set the current location to the newly created clone of the local repository containing the sample web app code.
+1. On the **Overview** blade of the Web App select the **Default domain** link to display the website home page.
- ```powershell
- Set-Location -Path $HOME/php-docs-hello-world/
- ```
+1. Verify the production web page displays the **Hello World!** page.
-1. From the Cloud Shell pane, run the following to add the remote git (make sure to replace the `[deployment_user_name]` and `[git_clone_uri]` placeholders with the value of the **Deployment Credentials** user name and **Git Clone Uri**, respectively, which you identified in previous task):
+ >**Note:** Copy the Default domain **URL** you will need it for load testing in the next task.
- ```powershell
- git remote add [deployment_user_name] [git_clone_uri]
- ```
+## Task 5: Configure and test autoscaling of the Azure Web App
- >**Note**: The value following `git remote add` does not have to match the **Deployment Credentials** user name, but has to be unique
+In this task, you will configure autoscaling of Azure Web App. Autoscaling enables you to maintain optimal performance for your web app when traffic to the web app increases. To determine when the app should scale you can monitor metrics like CPU usage, memory, or bandwidth.
-1. From the Cloud Shell pane, run the following to push the sample web app code from the local repository to the Azure web app staging deployment slot (make sure to replace the placeholder values with the value of the **Deployment Credentials** user name and password and the app name, which you identified in previous task):
+1. In the **Settings** section, select **Scale out (App Service plan)**.
- ```powershell
- git push https://:@-staging.scm.azurewebsites.net/.git master
- ```
+ >**Note:** Ensure you are working on the production slot not the staging slot.
-1. Close the Cloud Shell pane.
+1. From the **Scaling** section, select **Automatic**. Notice the **Rules Based** option. Rules based scaling can be configured for different app metrics.
-1. On the staging slot blade, click **Overview** and then click the **Default domain** link to display the default web page in a new browser tab.
+1. In the **Maximum burst** field, select **2**.
-1. Verify that the browser page displays the **Hello World!** message and close the new tab.
+ 
-## Task 5: Swap the staging slots
+1. Select **Save**.
-In this task, you will swap the staging slot with the production slot
+1. Select **Diagnose and solve problems** (left pane).
-1. Navigate back to the blade displaying the production slot of the web app.
+1. In the **Load Test your App** box, select **Create Load Test**.
-1. In the **Deployment** section, click **Deployment slots** and then, click **Swap** toolbar icon.
+ + Select **+ Create** and give your load test a **name**. The name must be unique.
+ + Select **Review + create** and then **Create**.
-1. On the **Swap** blade, review the default settings and click **Swap**.
+1. Wait for the load test to create, and then select **Go to resource**.
-1. Click **Overview** on the production slot blade of the web app and then click the **Default domain** link to display the web site home page in a new browser tab.
+1. From the **Overview** | **Add HTTP requests**, select **Create**.
-1. Verify the default web page has been replaced with the **Hello World!** page.
+1. For the **Test URL**, paste in your **Default domain** URL. Ensure this is properly formatted and begins with **https://**.
-## Task 6: Configure and test autoscaling of the Azure web app
+1. Select **Review + create** and **Create**.
-In this task, you will configure and test autoscaling of Azure web app.
+ >**Note:** It may take a couple of minutes to create the test.
-1. On the blade displaying the production slot of the web app, in the **Settings** section, click **Scale out (App Service plan)**.
+1. Review the test results including **Virtual users**, **Response time**, and **Requests/sec**.
-1. From the **Scaling section** select the **Rules Based** option, then click on the **Manage rules based scaling** link.
+1. Select **Stop** to complete the test run.
-1. Click **Custom autoscale**.
+## Cleanup your resources
- >**Note**: You also have the option of scaling the web app manually.
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
-1. Select **Scale based on a metric** and click **+ Add a rule**
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
-1. On the **Scale rule** blade, specify the following settings (leave others with their default values):
- | Setting | Value |
- | --- |--- |
- | Metric source | **Current resource** |
- | Metric namespace | **standard metrics** |
- | Metric name | **CPU Percentage** |
- | Operator | **Greater than** |
- | Metric threshold to trigger scale action | **10** |
- | Duration (in minutes) | **1** |
- | Time grain statistic | **Maximum** |
- | Time aggregation | **Maximum** |
- | Operation | **Increase count by** |
- | Instance count | **1** |
- | Cool down (minutes) | **5** |
- >**Note**: These values do not represent a realistic configuration, since their purpose is to trigger autoscaling as soon as possible, without extended wait period.
+## Key takeaways
-1. Click **Add** and, back on the App Service plan scaling blade, specify the following settings (leave others with their default values):
+Congratulations on completing the lab. Here are the main takeaways for this lab.
- | Setting | Value |
- | --- |--- |
- | Instance limits Minimum | **1** |
- | Instance limits Maximum | **2** |
- | Instance limits Default | **1** |
++ Azure App Services lets you quickly build, deploy, and scale web apps.
++ App Service includes support for many developer environments including ASP.NET, Java, PHP, and Python.
++ Deployment slots allow you to create separate environments for deploying and testing your web app.
++ You can manually or automatically scale a web app to handle additional demand.
++ A wide variety of diagnostics and testing tools are available.
-1. Click **Save**.
+## Learn more with self-paced training
- >**Note**: If you got an error complaining about 'microsoft.insights' resource provider not being registered, run `az provider register --namespace 'Microsoft.Insights'` in your cloudshell and retry saving your auto scale rules.
-
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
-
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
-
-1. From the Cloud Shell pane, run the following to identify the URL of the Azure web app.
-
- ```powershell
- $rgName = 'az104-09a-rg1'
-
- $webapp = Get-AzWebApp -ResourceGroupName $rgName
- ```
-
-1. From the Cloud Shell pane, run the following to start and infinite loop that sends the HTTP requests to the web app:
-
- ```powershell
- while ($true) { Invoke-WebRequest -Uri $webapp.DefaultHostName }
- ```
-
-1. Minimize the Cloud Shell pane (but do not close it) and, on the web app blade, in the Settings section, click **Scale out (App Service plan)**.
-
-1. Monitor the utilization and the number of instances for a few minutes.
-
- >**Note**: You may need to **Refresh** the page.
-
-1. Once you notice that the number of instances has increased to 2, reopen the Cloud Shell pane and terminate the script by pressing **Ctrl+C**.
-
-1. Close the Cloud Shell pane.
-
-## Clean up resources
-
->**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
-
->**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a long time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
-
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
-
-1. List all resource groups created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-09a*'
- ```
-
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-09a*' | Remove-AzResourceGroup -Force -AsJob
- ```
-
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
-
-## Review
-
-In this lab, you have:
-
-+ Created an Azure web app
-+ Created a staging deployment slot
-+ Configured web app deployment settings
-+ Deployed code to the staging deployment slot
-+ Swapped the staging slots
-+ Configured and test autoscaling of the Azure web app
++ [Stage a web app deployment for testing and rollback by using App Service deployment slots](https://learn.microsoft.com/training/modules/stage-deploy-app-service-deployment-slots/). Use deployment slots to streamline deployment and roll back a web app in Azure App Service.
++ [Scale an App Service web app to efficiently meet demand with App Service scale up and scale out](https://learn.microsoft.com/training/modules/app-service-scale-up-scale-out/). Respond to periods of increased activity by incrementally increasing the resources available and then, to reduce costs, decreasing these resources when activity drops.
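Review bot: Task 5's load test step (`+ Select **+ Create** and give your load test a **name**`) never says which resource group the load testing resource is created in, yet the new "Cleanup your resources" section relies on deleting the lab resource group to remove everything. Name `az104-rg9` explicitly in that step so the cleanup covers it. The test URL step would also benefit from saying that the load test should only be pointed at the learner's own **Default domain**. Smaller points: the `1. Click **Review + create**, and then **Create**.` step in Task 1 is indented where its sibling steps are not, and the added text has typos ("lets you to click", "is part Azure App Services", "instead than the production slot").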
diff --git a/Instructions/Labs/LAB_09b-Implement_Azure_Container_Instances.md b/Instructions/Labs/LAB_09b-Implement_Azure_Container_Instances.md
index 9e9aff59..80de5895 100644
--- a/Instructions/Labs/LAB_09b-Implement_Azure_Container_Instances.md
+++ b/Instructions/Labs/LAB_09b-Implement_Azure_Container_Instances.md
@@ -5,51 +5,56 @@ lab:
---
# Lab 09b - Implement Azure Container Instances
-# Student lab manual
+
+## Lab introduction
+
+In this lab, you learn how to implement and deploy Azure Container Instances.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated timing: 15 minutes
## Lab scenario
-Contoso wants to find a new platform for its virtualized workloads. You identified a number of container images that can be leveraged to accomplish this objective. Since you want to minimize container management, you plan to evaluate the use of Azure Container Instances for deployment of Docker images.
+Your organization has a web application that runs on a virtual machine in your on-premises data center. The organization wants to move all applications to the cloud but doesn't want to have a large number of servers to manage. You decide to evaluate Azure Container Instances and Docker.
+## Interactive lab simulations
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2014)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
+There are interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
-## Objectives
++ [Deploy Azure Container Instances](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%203). Create, configure, and deploy a Docker container with Azure Container Instances.
+
++ [Implement Azure Container Instances](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2014). Deploy a Docker image using Azure Container Instances.
-In this lab, you will:
+## Job skills
-- Task 1: Deploy an Azure Container Instance using a Docker image
-- Task 2: Review the functionality of the Azure Container Instance
+- Task 1: Deploy an Azure Container Instance using a Docker image.
+- Task 2: Test and verify deployment of an Azure Container Instance.
-## Estimated timing: 20 minutes
## Architecture diagram
-
-
-### Instructions
-
-## Exercise 1
+
## Task 1: Deploy an Azure Container Instance using a Docker image
-In this task, you will create a new container instance for the web application.
+In this task, you will create a simple web application using a Docker image. Docker is a platform that provides the ability to package and run applications in isolated environments called containers. Azure Container Instances provides the compute environment for the container image.
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. In the Azure portal, search for locate **Container instances** and then, on the **Container instances** blade, click **+ Create**.
+1. In the Azure portal, search for and select `Container instances` and then, on the **Container instances** blade, click **+ Create**.
1. On the **Basics** tab of the **Create container instance** blade, specify the following settings (leave others with their default values):
| Setting | Value |
| ---- | ---- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | the name of a new resource group **az104-09b-rg1** |
- | Container name | **az104-9b-c1** |
- | Region | the name of a region where you can provision Azure container instances |
+ | Subscription | Select your Azure subscription |
+ | Resource group | `az104-rg9` (If necessary, select **Create new**) |
+ | Container name | `az104-c1` |
+ | Region | **East US** (or a region available near you)|
| Image Source | **Quickstart images** |
| Image | **mcr.microsoft.com/azuredocs/aci-helloworld:latest (Linux)** |
-1. Click **Next: Networking >** and, on the **Networking** tab of the **Create container instance** blade, specify the following settings (leave others with their default values):
+1. Click **Next: Networking >** and specify the following settings (leave others with their default values):
| Setting | Value |
| --- | --- |
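Review bot: The new resource group value `az104-rg9` in the Basics table is the same group Lab 09a now uses, so deleting the group at the end of either lab removes the other lab's resources as well. Either state in the lab introduction that the 09 labs share one group, or keep a per-lab group name as the removed `az104-09b-rg1` line did. The added "Interactive lab simulations" paragraph also reads "lets you to click" (drop "to"), and the `## Interactive lab simulations` heading follows the scenario paragraph with no blank line between them.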
@@ -57,15 +62,17 @@ In this task, you will create a new container instance for the web application.
>**Note**: Your container will be publicly reachable at dns-name-label.region.azurecontainer.io. If you receive a **DNS name label not available** error message, specify a different value.
-1. Click **Next: Advanced >**, review the settings on the **Advanced** tab of the **Create container instance** blade without making any changes, click **Review + Create**, ensure that the validation passed and click **Create**.
+1. Click **Next: Advanced >**, review the settings without making any changes.
- >**Note**: Wait for the deployment to complete. This should take about 3 minutes.
+ 1. Click **Review + Create**, ensure that the validation passed and then select **Create**.
- >**Note**: While you wait, you may be interested in viewing the [code behind the sample application](https://github.com/Azure-Samples/aci-helloworld). To view it, browse the \\app folder.
+ >**Note**: Wait for the deployment to complete. This should take 2-3 minutes.
-## Task 2: Review the functionality of the Azure Container Instance
+ >**Note**: While you wait, you may be interested in viewing the [code behind the sample application](https://github.com/Azure-Samples/aci-helloworld). To view the code, browse the \\app folder.
-In this task, you will review the deployment of the container instance.
+## Task 2: Test and verify deployment of an Azure Container Instance
+
+In this task, you review the deployment of the container instance. By default, the Azure Container Instance is accessible over port 80. After the instance has been deployed, you can navigate to the container using the DNS name that you provided in the previous task.
1. On the deployment blade, click the **Go to resource** link.
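Review bot: The new Task 2 intro says the instance "is accessible over port 80", and the unchanged note above says the container is publicly reachable at its DNS name, but nothing tells the learner that this is unencrypted HTTP exposed to the internet until the resource group is deleted. Add one sentence saying so and pointing to the cleanup section. Separately, `1. Click **Review + Create**, ensure that the validation passed and then select **Create**.` is indented, unlike the preceding `1. Click **Next: Advanced >**` step, which can break the numbered list; align it with its siblings.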
@@ -73,39 +80,34 @@ In this task, you will review the deployment of the container instance.
1. Copy the value of the container instance **FQDN**, open a new browser tab, and navigate to the corresponding URL.
-1. Verify that the **Welcome to Azure Container Instance** page is displayed.
+ 
-1. Close the new browser tab, back in the Azure portal, in the **Settings** section of the container instance blade, click **Containers**, and then click **Logs**.
+1. Verify that the **Welcome to Azure Container Instance** page is displayed. Refresh the page several times to create some log entries then close the browser tab.
+
+1. In the **Settings** section of the container instance blade, click **Containers**, and then click **Logs**.
1. Verify that you see the log entries representing the HTTP GET request generated by displaying the application in the browser.
+
+## Cleanup your resources
-## Clean up resources
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
->**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
->**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a long time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
+## Key takeaways
- >**Note**: Cloud Shell storage must be created for these commands to work.
+Congratulations on completing the lab. Here are the main takeaways for this lab.
-1. List all resource groups created throughout the labs of this module by running the following command:
++ Azure Container Instances (ACI) is a service that enables you to deploy containers on the Microsoft Azure public cloud.
++ ACI doesn't require you to provision or manage any underlying infrastructure.
++ ACI supports both Linux containers and Windows containers.
++ Workloads on ACI are usually started and stopped by some kind of process or trigger and are usually short-lived.
- ```powershell
- Get-AzResourceGroup -Name 'az104-09b*'
- ```
+## Learn more with self-paced training
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
++ [Run container images in Azure Container Instances](https://learn.microsoft.com/training/modules/create-run-container-images-azure-container-instances/). Learn how Azure Container Instances can help you quickly deploy containers, how to set environment variables, and specify container restart policies.
- ```powershell
- Get-AzResourceGroup -Name 'az104-09b*' | Remove-AzResourceGroup -Force -AsJob
- ```
-
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
-
-## Review
-
-In this lab, you have:
-
-- Deployed a Docker image by using the Azure Container Instance
-- Reviewed the functionality of the Azure Container Instance
+
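Review bot: The new cleanup bullets use the placeholder `resourceGroupName` instead of the `az104-rg9` group this lab creates, and they drop the old notes that deletion is asynchronous and can take a while. Name the group in both commands and keep one line telling learners to confirm in the portal that the group is gone. `az group delete --name ...` also prompts for confirmation, which is worth a mention for anyone pasting it into a script. Minor: the heading "Cleanup your resources" should use the verb form "Clean up your resources", as in the "Clean up resources" heading it replaces.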
diff --git a/Instructions/Labs/LAB_09c-Implement-Azure-Container-Apps.md b/Instructions/Labs/LAB_09c-Implement-Azure-Container-Apps.md
index 18bda8f4..750c795b 100644
--- a/Instructions/Labs/LAB_09c-Implement-Azure-Container-Apps.md
+++ b/Instructions/Labs/LAB_09c-Implement-Azure-Container-Apps.md
@@ -4,100 +4,88 @@ lab:
module: 'Administer PaaS Compute Options'
---
-# Lab 09c: Implement Azure Container Apps
-# Student lab manual
+# Lab 09c - Implement Azure Container Apps
+
+## Lab introduction
+
+In this lab, you learn how to implement and deploy Azure Container Apps.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated timing: 15 minutes
## Lab scenario
-Azure Container Apps enables you to run microservices and containerized applications on a serverless platform. With Container Apps, you enjoy the benefits of running containers while leaving behind the concerns of manually configuring cloud infrastructure and complex container orchestrators.
-## Objectives
+Your organization has a web application that runs on a virtual machine in your on-premises data center. The organization wants to move all applications to the cloud but doesn't want to have a large number of servers to manage. You decide to evaluate Azure Container Apps.
-In this lab, we will:
-- Task 1: Create a container app and environment
-- Task 2: Deploy the container app
-- Task 3: Test and verify deployment of the container app
+## Interactive lab simulations
-Begin by signing in to the [Azure portal](https://portal.azure.com).
+There are no interactive lab simulations for this topic.
-## Estimated timing: 20 minutes
+## Job skills
-## Task 1: Create a container app and environment
+- Task 1: Create and configure an Azure Container App and environment.
+- Task 2: Test and verify deployment of the Azure Container App.
-To create your container app, start at the Azure portal home page.
+## Architecture diagram
-1. Search for `Container Apps` in the top search bar.
-1. Select **Container Apps** in the search results.
-1. Select the **Create** button.
+
-### Basics tab
+## Task 1: Create and configure an Azure Container App and environment
-In the *Basics* tab, do the following actions.
+Azure Container Apps take the concept of a managed Kubernetes cluster a step further and manages the cluster environment as well as provides other managed services on top of the cluster. Unlike an Azure Kubernetes cluster, where you must still manage the cluster, an Azure Container Apps instance removes some of the complexity to setting up a Kubernetes cluster.
-1. Enter the following values in the *Project details* section.
+1. From the Azure portal, search for and select `Container Apps`.
+
+1. From **Container Apps**, select **Create**.
+
+1. Use the following information to fill out the details on the **Basics** tab.*.
| Setting | Action |
|---|---|
- | Subscription | Select your Azure subscription. |
- | Resource group | Select **Create new** and enter `az104-09c-rg1`. |
- | Container app name | Enter `my-container-app`. |
+ | Subscription | Select your Azure subscription |
+ | Resource group | `az104-rg9` |
+ | Container app name | `my-app` |
+ | Region | **East US** (Or a region available near you) |
+ | Container Apps Environment | Leave default |
-#### Create an environment
+1. On the **Container** tab, ensure that **Use quickstart image** is enabled and that the quickstart image is set to **Simple hello world container**.
-Next, create an environment for your container app.
+1. Select the **Review and create** and then **Create**.
-1. Select the appropriate region.
+ >**Note:** Wait for the container app to deploy. This will take a couple of minutes.
+
+## Task 2: Test and verify deployment of the Azure Container App
- | Setting | Value |
- |--|--|
- | Region | **Your choice**. |
-
-1. In the *Create Container Apps environment* field, select the **Create new** link.
-1. In the *Create Container Apps Environment* page on the *Basics* tab, enter the following values:
-
- | Setting | Value |
- |--|--|
- | Environment name | Enter `my-environment`. |
- | Zone redundancy | Select **Disabled** |
-
-1. Select the **Monitoring** tab to create a Log Analytics workspace.
-1. Select the **Create new** link in the *Log Analytics workspace* field and enter the following values.
-
- | Setting | Value |
- |--|--|
- | Name | Enter `my-container-apps-logs` |
-
- The *Location* field is pre-filled with your region for you.
-
-1. Select **OK** and then **Create**.
-
-1. Click **Next: Container**.
-
-1. Check the box next to **Use quickstart image**.
-
-1. Select the **Review and create** button at the bottom of the page. This step may take a couple of minutes.
-
- The settings in the Container App are verified. If no errors are found, the *Create* button is enabled.
-
- If there are errors, any tab containing errors is marked with a red dot. Navigate to the appropriate tab. Fields containing an error will be highlighted in red. Once all errors are fixed, select **Review and create** again.
-
-1. Select **Create**.
-
- A page with the message *Deployment is in progress* is displayed. Once the deployment is successfully completed, you'll see the message: *Your deployment is complete*.
-
-## Task 2: Test and verify deployment of the container app
+By default, the Azure container app that you create will accept traffic on port 80 using the sample Hello World application. Azure Container Apps will provide a DNS name for the application. Copy and navigate to this URL to ensure that the application is up and running.
1. Select **Go to resource** to view your new container app.
1. Select the link next to *Application URL* to view your application.
+ 
+
1. Verify you receive the **Your Azure Container Apps app is live** message.
+
+## Cleanup your resources
-## Clean up resources
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
-If you're not going to continue to use this application, you can delete the Azure Container Apps instance and all the associated services by removing the resource group.
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
-1. Select the **my-container-apps** resource group from the *Overview* section.
-1. Select the **Delete resource group** button at the top of the resource group *Overview*.
-1. Enter the resource group name and confirm you want to delete the app.
-1. Select **Delete**.
-1. The process to delete the resource group may take a few minutes to complete.
+
+
+## Key takeaways
+
+Congratulations on completing the lab. Here are the main takeaways for this lab.
+
++ Azure Container Apps (ACA) is a serverless platform that allows you to maintain less infrastructure and save costs while running containerized applications.
++ Container Apps provides server configuration, container orchestration, and deployment details.
++ Workloads on ACA are usually long-running processes like a Web App.
+
+## Learn more with self-paced training
+
++ [Configure a container app in Azure Container Apps](https://learn.microsoft.com/training/modules/configure-container-app-azure-container-apps/). Examines the features and capabilities of Azure Container Apps, and then focuses on how to create, configure, scale, and manage container apps using Azure Container Apps.
+
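Review bot: In the Task 1 settings table, the Resource group row now gives only `az104-rg9`, while the removed row told the reader to select **Create new**. No added step creates that group, so add "(If necessary, select **Create new**)" to the row. The cleanup bullets should name `az104-rg9` instead of the `resourceGroupName` placeholder, so the reader deletes the right group. The Task 2 paragraph says the app accepts traffic on port 80 at a DNS name Azure provides, but does not say who can reach that URL. A sentence stating the ingress setting the quickstart uses would help. Wording fixes in the same file: "on the **Basics** tab.*." has stray characters, "Select the **Review and create** and then **Create**" should drop "the", and "Azure Container Apps take ... and manages" mixes singular and plural.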
diff --git a/Instructions/Labs/LAB_10-Implement_Data_Protection.md b/Instructions/Labs/LAB_10-Implement_Data_Protection.md
index d328ef73..cbd316a6 100644
--- a/Instructions/Labs/LAB_10-Implement_Data_Protection.md
+++ b/Instructions/Labs/LAB_10-Implement_Data_Protection.md
@@ -4,477 +4,299 @@ lab:
module: 'Administer Data Protection'
---
-# Lab 10 - Backup virtual machines
-# Student lab manual
+# Lab 10 - Implement Data Protection
-## Lab scenario
+## Lab introduction
-You have been tasked with evaluating the use of Azure Recovery Services for backup and restore of files hosted on Azure virtual machines and on-premises computers. In addition, you want to identify methods of protecting data stored in the Recovery Services vault from accidental or malicious data loss.
+In this lab, you learn about backup and recovery of Azure virtual machines. You learn to create a Recovery Service vault and a backup policy for Azure virtual machines. You learn about disaster recovery with Azure Site Recovery.
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2016)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
-
-## Objectives
-
-In this lab, you will:
-
-+ Task 1: Provision the lab environment
-+ Task 2: Create a Recovery Services vault
-+ Task 3: Implement Azure virtual machine-level backup
-+ Task 4: Implement File and Folder backup
-+ Task 5: Perform file recovery by using Azure Recovery Services agent
-+ Task 6: Perform file recovery by using Azure virtual machine snapshots (optional)
-+ Task 7: Review the Azure Recovery Services soft delete functionality (optional)
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the regions, but the steps are written using **East US** and **West US**.
## Estimated timing: 50 minutes
+## Lab scenario
+
+Your organization is evaluating how to backup and restore Azure virtual machines from accidental or malicious data loss. Additionally, the organization wants to explore using Azure Site Recovery for disaster recovery scenarios.
+
+## Interactive lab simulation
+
+There is an interactive lab simulation that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
+
++ **[Backup virtual machines and on-premises files.](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2016)**. Create a recovery services vault and implement an Azure virtual machine backup. Implement on-premises file and folder backup using the Microsoft Azure Recovery Services agent. On-premises backups are outside the scope of this lab but it might be helpful to view those steps.
+
+## Job skills
+
++ Task 1: Use a template to provision an infrastructure.
++ Task 2: Create and configure a Recovery Services vault.
++ Task 3: Configure Azure virtual machine-level backup.
++ Task 4: Monitor Azure Backup.
++ Task 5: Enable virtual machine replication.
+
+## Estimated timing: 40 minutes
+
## Architecture diagram
-
+
-### Instructions
+## Task 1: Use a template to provision an infrastructure
-## Exercise 1
+In this task, you will use a template to deploy a virtual machine. The virtual machine will be used to test different backup scenarios.
-## Task 1: Provision the lab environment
+1. Download the **\\Allfiles\\Lab10\\** lab files.
-In this task, you will deploy two virtual machines that will be used to test different backup scenarios.
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for and select `Deploy a custom template`.
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
+1. On the custom deployment page, select **Build you own template in the editor**.
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+1. On the edit template page, select **Load file**.
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
+1. Locate and select the **\\Allfiles\\Lab10\\az104-10-vms-edge-template.json** file and select **Open**.
-1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the files **\\Allfiles\\Labs\\10\\az104-10-vms-edge-template.json** and **\\Allfiles\\Labs\\10\\az104-10-vms-edge-parameters.json** into the Cloud Shell home directory.
+ >**Note:** Take a moment to review the template. We are deploying a virtual network and virtual machine so we can demonstrate backup and recovery.
-1. From the Cloud Shell pane, run the following to create the resource group that will be hosting the virtual machines (replace the `[Azure_region]` placeholder with the name of an Azure region where you intend to deploy Azure virtual machines). Type each command line separately and execute them separately:
+1. **Save** your changes.
- ```powershell
- $location = '[Azure_region]'
- ```
-
- ```powershell
- $rgName = 'az104-10-rg0'
- ```
-
- ```powershell
- New-AzResourceGroup -Name $rgName -Location $location
- ```
+1. Select **Edit parameters** and then **Load file**.
-1. From the Cloud Shell pane, run the following to create the first virtual network and deploy a virtual machine into it by using the template and parameter files you uploaded:
- >**Note**: You will be prompted to provide an Admin password.
-
- ```powershell
- New-AzResourceGroupDeployment `
- -ResourceGroupName $rgName `
- -TemplateFile $HOME/az104-10-vms-edge-template.json `
- -TemplateParameterFile $HOME/az104-10-vms-edge-parameters.json `
- -AsJob
- ```
+1. Load and select the **\\Allfiles\\Lab10\\az104-10-vms-edge-parameters.json** file.
-1. Minimize Cloud Shell (but do not close it).
+1. **Save** your changes.
- >**Note**: Do not wait for the deployment to complete but instead proceed to the next task. The deployment should take about 5 minutes.
+1. Use the following information to complete the custom deployment fields, leaving all other fields with their default values:
-## Task 2: Create a Recovery Services vault
+ | Setting | Value |
+ | --- | --- |
+ | Subscription | Your Azure subscription |
+ | Resource group| `az104-rg-region1` (If necessary, select **Create new**)
+ | Region | **East US** |
+ | Username | **localadmin** |
+ | Password | Provide a complex password |
-In this task, you will create a recovery services vault.
+1. Select **Review + Create**, then select **Create**.
-1. In the Azure portal, search for and select **Recovery Services vaults** and, on the **Recovery Services vaults** blade, click **+ Create**.
+ >**Note:** Wait for the template to deploy, then select **Go to resource**. You should have one virtual machine in one virtual network.
+
+## Task 2: Create and configure a Recovery Services vault
+
+In this task, you will create a Recovery Services vault. A Recovery Services vault provides storage for the virtual machine data.
+
+1. In the Azure portal, search for and select `Recovery Services vaults` and, on the **Recovery Services vaults** blade, click **+ Create**.
1. On the **Create Recovery Services vault** blade, specify the following settings:
| Settings | Value |
| --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | the name of a new resource group **az104-10-rg1** |
- | Vault Name | **az104-10-rsv1** |
- | Region | the name of a region where you deployed the two virtual machines in the previous task |
+ | Subscription | the name of your Azure subscription |
+ | Resource group | `az104-rg-region1` |
+ | Vault Name | `az104-rsv-region1` |
+ | Region | **East US** |
>**Note**: Make sure that you specify the same region into which you deployed virtual machines in the previous task.
-1. Click **Review + Create**, ensure that the validation passed and click **Create**.
+ 
- >**Note**: Wait for the deployment to complete. The deployment should take less than 1 minute.
+1. Click **Review + Create**, ensure that the validation passes and then click **Create**.
+
+ >**Note**: Wait for the deployment to complete. The deployment should take a couple of minutes.
1. When the deployment is completed, click **Go to Resource**.
-1. On the **az104-10-rsv1** Recovery Services vault blade, in the **Settings** section, click **Properties**.
+1. On the Recovery Services vault blade, in the **Settings** section, click **Properties**.
-1. On the **az104-10-rsv1 - Properties** blade, click the **Update** link under **Backup Configuration** label.
+1. Select the **Update** link under **Backup Configuration** label.
1. On the **Backup Configuration** blade, review the choices for **Storage replication type**. Leave the default setting of **Geo-redundant** in place and close the blade.
>**Note**: This setting can be configured only if there are no existing backup items.
+
+ >**Did you know?** The [Cross Region Restore](https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-cross-region-restore) option allows you to restore data in a secondary, Azure paired region.
-1. Back on the **az104-10-rsv1 - Properties** blade, click the **Update** link under **Security Settings** label.
+1. Return to the Recovery Services vault blade, click the **Update** link under **Security Settings > Soft Delete and security settings** label.
-1. On the **Security Settings** blade, note that **Soft Delete (For workload running in Azure)** is **Enabled**.
+1. On the **Security Settings** blade, note that **Soft Delete (For workload running in Azure)** is **Enabled**. Notice the **soft delete retention period** is **14** days.
-1. Close the **Security Settings** blade and, back on the **az104-10-rsv1** Recovery Services vault blade, click **Overview**.
+1. Return to the Recovery Services vault blade, select the **Overview** blade.
-## Task 3: Implement Azure virtual machine-level backup
+>**Did you know?** Azure has two types of vaults: Recovery Services vaults and Backup vaults. The main difference is the datasources that can be backed up. Learn more about [the differences](https://learn.microsoft.com/answers/questions/405915/what-is-difference-between-recovery-services-vault).
-In this task, you will implement Azure virtual-machine level backup.
+## Task 3: Configure Azure virtual machine-level backup
+
+In this task, you will implement Azure virtual-machine level backup. As part of a VM backup, you will need to define the backup and retention policy that applies to the backup. Different VMs can have different backup and retention policies assigned to them.
>**Note**: Before you start this task, make sure that the deployment you initiated in the first task of this lab has successfully completed.
-1. On the **az104-10-rsv1** Recovery Services vault blade, click **Overview**, then click **+ Backup**.
+1. On the Recovery Services vault blade, click **Overview**, then click **+ Backup**.
1. On the **Backup Goal** blade, specify the following settings:
| Settings | Value |
| --- | --- |
- | Where is your workload running? | **Azure** |
- | What do you want to backup? | **Virtual machine** |
+ | Where is your workload running? | **Azure** (notice your other options) |
+ | What do you want to backup? | **Virtual machine** (notice your other options |
-1. On the **Backup Goal** blade, click **Backup**.
+1. Select **Backup**.
-1. On the **Backup policy**, review the **DefaultPolicy** settings and select **Create a new policy**.
+1. Notice there a two **Policy sub types**: **Enhanced** and **Standard**. Review the choices and select **Standard**.
+
+1. In **Backup policy**, select **Create a new policy**.
1. Define a new backup policy with the following settings (leave others with their default values):
| Setting | Value |
| ---- | ---- |
- | Policy name | **az104-10-backup-policy** |
+ | Policy name | `az104-backup` |
| Frequency | **Daily** |
| Time | **12:00 AM** |
| Timezone | the name of your local time zone |
- | Retain instant recovery snapshot(s) for | **2** Days(s) |
+ | Retain instant recovery snapshot(s) for | **12** Days(s) |
+
+ 
1. Click **OK** to create the policy and then, in the **Virtual Machines** section, select **Add**.
-1. On the **Select virtual machines** blade, select **az-104-10-vm0**, click **OK**, and, back on the **Backup** blade, click **Enable backup**.
+1. On the **Select virtual machines** blade, select **az-104-10-vm0**, click **OK**, and then back on the **Backup** blade, click **Enable backup**.
- >**Note**: Wait for the backup to be enabled. This should take about 2 minutes.
+ >**Note**: Wait for the backup to be enabled. This should take approximately 2 minutes.
-1. Navigate back to the **az104-10-rsv1** Recovery Services vault blade, in the **Protected items** section, click **Backup items**, and then click the **Azure virtual machine** entry.
+1. In the **Protected items** section, click **Backup items**, and then click the **Azure virtual machine** entry.
-1. On the **Backup Items (Azure Virtual Machine)** blade select the **View details** link for **az104-10-vm0**, and review the values of the **Backup Pre-Check** and **Last Backup Status** entries.
+1. Select the **View details** link for **az104-10-vm0**, and review the values of the **Backup Pre-Check** and **Last Backup Status** entries.
-1. On the **az104-10-vm0** Backup Item blade, click **Backup now**, accept the default value in the **Retain Backup Till** drop-down list, and click **OK**.
+ >**Note:** Notice the backup is pending.
+
+1. Select **Backup now**, accept the default value in the **Retain Backup Till** drop-down list, and click **OK**.
>**Note**: Do not wait for the backup to complete but instead proceed to the next task.
-## Task 4: Implement File and Folder backup
+## Task 4: Monitor Azure Backup
-In this task, you will implement file and folder backup by using Azure Recovery Services.
+In this task, you will deploy an Azure storage account. Then you will configure the vault to send the logs and metrics to the storage account. This repository can then be used with Log Analytics or other third-party monitoring solutions.
-1. In the Azure portal, search for and select **Virtual machines**, and on the **Virtual machines** blade, click **az104-10-vm1**.
+1. From the Azure portal, search for and select `Storage accounts`.
-1. On the **az104-10-vm1** blade, click **Connect**, in the drop-down menu, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** and follow the prompts to start the Remote Desktop session.
+1. On the Storage accounts page, select **Create**.
- >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software.
+1. Use the following information to define the storage account, then and select **Review**.
- >**Note**: You can ignore any warning prompts when connecting to the target virtual machines.
+ | Settings | Value |
+ | --- | --- |
+ | Subscription | *Your subscription* |
+ | Resource group | **az104-rg-region1** |
+ | Storage account name | Provide a globally unique name |
+ | Region | **East US** |
-1. When prompted, sign in by using the **Student** username and the password from the parameters file.
+1. On the Review tab, select **Create**.
- >**Note:** Because the Azure portal doesn't support IE11 anymore, you'll have to use the Microsoft Edge Browser for this task.
+ >**Note**: Wait for the deployment to complete. It should take about a minute.
-1. Within the Remote Desktop session to the **az104-10-vm1** Azure virtual machine, start an Edge web browser, browse to the [Azure portal](https://portal.azure.com), and sign in using your credentials.
+1. Search and select your Recovery Services vault.
-1. In the Azure portal, search for and select **Recovery Services vaults** and, on the **Recovery Services vaults**, click **az104-10-rsv1**.
+1. Select **Diagnostic Settings** and then select **Add diagnostic setting**.
-1. On the **az104-10-rsv1** Recovery Services vault blade, click **+ Backup**.
+1. Name the setting `Logs and Metrics to storage`.
-1. On the **Backup Goal** blade, specify the following settings:
+1. Place a checkmark next to the following log and metric categories:
+
+ - **Azure Backup Reporting Data**
+ - **Addon Azure Backup Job Data**
+ - **Addon Azure Backup Alert Data**
+ - **Azure Site Recovery Jobs**
+ - **Azure Site Recovery Events**
+ - **Health**
+
+1. In the Destination details, place a checkmark next to **Archive to a storage account**.
+
+1. In the Storage account drop-down field, select the storage account that you deployed earlier in this task.
+
+1. Select **Save**.
+
+1. Return to your Recovery Services vault, in the **Monitoring** blade select **Backup jobs**.
+
+1. Locate the backup operation for the **az104-10-vm0** virtual machine.
+
+1. Review the details of the backup job.
+
+## Task 5: Enable virtual machine replication
+
+1. In the Azure portal, search for and select `Recovery Services vaults` and, on the **Recovery Services vaults** blade, click **+ Create**.
+
+1. On the **Create Recovery Services vault** blade, specify the following settings:
| Settings | Value |
| --- | --- |
- | Where is your workload running? | **On-premises** |
- | What do you want to backup? | **Files and folders** |
+ | Subscription | the name of your Azure subscription |
+ | Resource group | `az104-rg-region2` (If necessary, select **Create new**) |
+ | Vault Name | `az104-rsv-region2` |
+ | Region | **West US** |
- >**Note**: Even though the virtual machine you are using in this task is running in Azure, you can leverage it to evaluate the backup capabilities applicable to any on-premises computer running Windows Server operating system.
+ >**Note**: Make sure that you specify a **different** region than the virtual machine.
-1. On the **Backup Goal** blade, click **Prepare infrastructure**.
+1. Click **Review + Create**, ensure that the validation passes and then click **Create**.
-1. On the **Prepare infrastructure** blade, click the **Download Agent for Windows Server or Windows Client** link.
+ >**Note**: Wait for the deployment to complete. The deployment should take a couple of minutes.
-1. When prompted, click **Run** to start installation of **MARSAgentInstaller.exe** with the default settings.
+1. Search for and select the `az104-10-vm0` virtual machine.
- >**Note**: On the **Microsoft Update Opt-In** page of the **Microsoft Azure Recovery Services Agent Setup Wizard**, select the **I do not want to use Microsoft Update** installation option.
+1. In the **Backup + Disaster recovery** blade, select **Disaster recovery**.
-1. On the **Installation** page of the **Microsoft Azure Recovery Services Agent Setup Wizard**, click **Proceed to Registration**. This will start **Register Server Wizard**.
+1. Select **Enable replication**.
-1. Switch to the web browser window displaying the Azure portal, on the **Prepare infrastructure** blade, select the checkbox **Already downloaded or using the latest Recovery Server Agent**, and click **Download**.
+1. On the **Basics** tab, notice the **Target region**.
-1. When prompted, whether to open or save the vault credentials file, click **Save**. This will save the vault credentials file to the local Downloads folder.
+1. Move to the **Advanced settings** tab. Resource selections have been made for you. It is important to review them.
-1. Switch back to the **Register Server Wizard** window and, on the **Vault Identification** page, click **Browse**.
+1. Verify your subscription, vm resource group, virtual network, and availability (take the default) settings.
-1. In the **Select Vault Credentials** dialog box, browse to the **Downloads** folder, click the vault credentials file you downloaded, and click **Open**.
+1. In **Storage settings** select **Show details**.
-1. Back on the **Vault Identification** page, click **Next**.
+ | Setting | Value |
+ | ---- | ---- |
+ | Churn for the vm | **Normal churn** |
+ | Cache storage account | **(new) xxx** |
-1. Ensure **Save passphrase securely to Azure Key Vault** is not checked.
+ >**Note:** It is important that both of these settings be populated, or the validation will fail. If values are not present, try refreshing the page. If that doesn't work, create an empty storage account and then return to this page.
-1. On the **Encryption Setting** page of the **Register Server Wizard**, click **Generate Passphrase**.
+1. In **Replication settings** select **Show details**. Notice your recovery resources vault in region 2 was automatically selected.
-1. On the **Encryption Setting** page of the **Register Server Wizard**, click the **Browse** button next to the **Enter a location to save the passphrase**.
+1. Select **Review + Start replication** and then **Enable replication**.
-1. In the **Browse For Folder** dialog box, select the **Documents** folder and click **OK**.
+ >**Note**: Enabling replication will take a 10-15 minutes. Watch the notification messages in the upper right of the portal. While you wait, consider reviewing the self-paced training links at the end of this page.
+
+1. Once the replication is complete, search for and locate your Recovery Services Vault, **az104-rsv-region2**. You may need to **Refresh** the page.
-1. Click **Finish**, review the **Microsoft Azure Backup** warning and click **Yes**, and wait for the registration to complete.
+1. In the **Protected items** section, select **Replicated items**.
- >**Note**: In a production environment, you should store the passphrase file in a secure location other than the server being backed up.
+1. Check that the virtual machine is showing as healthy for the replication health. Note that the status will show the synchronization (starting at 0%) status and ultimately show **Protected** after the initial synchronization completes.
-1. On the **Server Registration** page of the **Register Server Wizard**, review the warning regarding the location of the passphrase file, ensure that the **Launch Microsoft Azure Recovery Services Agent** checkbox is selected and click **Close**. This will automatically open the **Microsoft Azure Backup** console.
+ 
-1. In the **Microsoft Azure Backup** console, in the **Actions** pane, click **Schedule Backup**.
+1. Select the virtual machine to view more details.
+
+>**Did you know?** It is a good practice to [test the failover of a protected VM](https://learn.microsoft.com/azure/site-recovery/tutorial-dr-drill-azure#run-a-test-failover-for-a-single-vm).
-1. In the **Schedule Backup Wizard**, on the **Getting started** page, click **Next**.
+## Cleanup your resources
-1. On the **Select Items to Backup** page, click **Add Items**.
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
-1. In the **Select Items** dialog box, expand **C:\\Windows\\System32\\drivers\\etc\\**, select **hosts**, and then click **OK**:
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
-1. On the **Select Items to Backup** page, click **Next**.
-1. On the **Specify Backup Schedule** page, ensure that the **Day** option is selected, in the first drop-down list box below the **At following times (Maximum allowed is three times a day)** box, select **4:30 AM**, and then click **Next**.
+## Key takeaways
-1. On the **Select Retention Policy** page, accept the defaults, and then click **Next**.
+Congratulations on completing the lab. Here are the main takeaways for this lab.
-1. On the **Choose Initial Backup type** page, accept the defaults, and then click **Next**.
++ Azure Backup service provides simple, secure, and cost-effective solutions to back up and recover your data.
++ Azure Backup can protect on-premises and cloud resources including virtual machines and file shares.
++ Azure Backup policies configure the frequency of backups and the retention period for recovery points.
++ Azure Site Recovery is a disaster recovery solution that provides protection for your virtual machines and applications.
++ Azure Site Recovery replicates your workloads to a secondary site, and in the event of an outage or disaster, you can failover to the secondary site and resume operations with minimal downtime.
++ A Recovery Services vault stores your backup data and minimizes management overhead.
-1. On the **Confirmation** page, click **Finish**. When the backup schedule is created, click **Close**.
+## Learn more with self-paced training
-1. In the **Microsoft Azure Backup** console, in the Actions pane, click **Back Up Now**.
-
- >**Note**: The option to run backup on demand becomes available once you create a scheduled backup.
-
-1. In the Back Up Now Wizard, on the **Select Backup Item** page, ensure that the **Files and Folders** option is selected and click **Next**.
-
-1. On the **Retain Backup Till** page, accept the default setting and click **Next**.
-
-1. On the **Confirmation** page, click **Back Up**.
-
-1. When the backup is complete, click **Close**, and then close Microsoft Azure Backup.
-
-1. Switch to the web browser window displaying the Azure portal, navigate back to the **Recovery Services vault** blade, in the **Protected items** section, and click **Backup items**.
-
-1. On the **az104-10-rsv1 - Backup items** blade, click **Azure Backup Agent**.
-
-1. On the **Backup Items (Azure Backup Agent)** blade, verify that there is an entry referencing the **C:\\** drive of **az104-10-vm1.**.
-
-## Task 5: Perform file recovery by using Azure Recovery Services agent (optional)
-
-In this task, you will perform file restore by using Azure Recovery Services agent.
-
-1. Within the Remote Desktop session to **az104-10-vm1**, open File Explorer, navigate to the **C:\\Windows\\System32\\drivers\\etc\\** folder and delete the **hosts** file.
-
-1. Open Microsoft Azure Backup and click **Recover data** in the **Actions** pane. This will start **Recover Data Wizard**.
-
-1. On the **Getting Started** page of **Recover Data Wizard**, ensue that **This server (az104-10-vm1.)** option is selected and click **Next**.
-
-1. On the **Select Recovery Mode** page, ensure that **Individual files and folders** option is selected, and click **Next**.
-
-1. On the **Select Volume and Date** page, in the **Select the volume** drop down list, select **C:\\**, accept the default selection of the available backup, and click **Mount**.
-
- >**Note**: Wait for the mount operation to complete. This might take about 2 minutes.
-
-1. On the **Browse And Recover Files** page, note the drive letter of the recovery volume and review the tip regarding the use of robocopy.
-
-1. Click **Start**, expand the **Windows System** folder, and click **Command Prompt**.
-
-1. From the Command Prompt, run the following to copy the restore the **hosts** file to the original location (replace `[recovery_volume]` with the drive letter of the recovery volume you identified earlier):
-
- ```sh
- robocopy [recovery_volume]:\Windows\System32\drivers\etc C:\Windows\system32\drivers\etc hosts /r:1 /w:1
- ```
-
-1. Switch back to the **Recover Data Wizard** and, on the **Browse and Recover Files**, click **Unmount** and, when prompted to confirm, click **Yes**.
-
-1. Terminate the Remote Desktop session.
-
-## Task 6: Perform file recovery by using Azure virtual machine snapshots (optional)
-
-In this task, you will restore a file from the Azure virtual machine-level snapshot-based backup.
-
-1. Switch to the browser window running on your lab computer and displaying the Azure portal.
-
-1. In the Azure portal, search for and select **Virtual machines**, and on the **Virtual machines** blade, click **az104-10-vm0**.
-
-1. On the **az104-10-vm0** blade, click **Connect**, in the drop-down menu, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** and follow the prompts to start the Remote Desktop session.
-
- >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software.
-
- >**Note**: You can ignore any warning prompts when connecting to the target virtual machines.
-
-1. When prompted, sign in by using the **Student** username and the password from the parameters file.
-
- >**Note:** Because the Azure portal doesn't support IE11 anymore, you'll have to use the Microsoft Edge Browser for this task.
-
-1. Within the Remote Desktop session to the **az104-10-vm0**, click **Start**, expand the **Windows System** folder, and click **Command Prompt**.
-
-1. From the Command Prompt, run the following to delete the **hosts** file:
-
- ```sh
- del C:\Windows\system32\drivers\etc\hosts
- ```
-
- >**Note**: You will restore this file from the Azure virtual machine-level snapshot-based backup later in this task.
-
-1. Within the Remote Desktop session to the **az104-10-vm0** Azure virtual machine, start an Edge web browser, browse to the [Azure portal](https://portal.azure.com), and sign in using your credentials.
-
-1. In the Azure portal, search for and select **Recovery Services vaults** and, on the **Recovery Services vaults**, click **az104-10-rsv1**.
-
-1. On the **az104-10-rsv1** Recovery Services vault blade, in the **Protected items** section, click **Backup items**.
-
-1. On the **az104-10-rsv1 - Backup items** blade, click **Azure Virtual Machine**.
-
-1. On the **Backup Items (Azure Virtual Machine)** blade, select **View details** for **az104-10-vm0**.
-
-1. On the **az104-10-vm0** Backup Item blade, click **File Recovery**.
-
- >**Note**: You have the option of running recovery shortly after backup starts based on the application consistent snapshot.
-
-1. On the **File Recovery** blade, accept the default recovery point and click **Download Executable**.
-
- >**Note**: The script mounts the disks from the selected recovery point as local drives within the operating system from which the script is run.
-
-1. Click **Download** and, when prompted whether to run or save **IaaSVMILRExeForWindows.exe**, click **Save**.
-
-1. Back in the File Explorer window, double-click the newly downloaded file.
-
-1. When prompted to provide the password from the portal, copy the password from the **Password to run the script** text box on the **File Recovery** blade, paste it at the Command Prompt, and press **Enter**.
-
- >**Note**: This will open a Windows PowerShell window displaying the progress of the mount.
-
- >**Note**: If you receive an error message at this point, refresh the web browser window and repeat the last three steps.
-
-1. Wait for the mount process to complete, review the informational messages in the Windows PowerShell window, note the drive letter assigned to the volume hosting **Windows**, and start File Explorer.
-
-1. In File Explorer, navigate to the drive letter hosting the snapshot of the operating system volume you identified in the previous step and review its content.
-
-1. Switch to the **Command Prompt** window.
-
-1. From the Command Prompt, run the following to copy the restore the **hosts** file to the original location (replace `[os_volume]` with the drive letter of the operating system volume you identified earlier):
-
- ```sh
- robocopy [os_volume]:\Windows\System32\drivers\etc C:\Windows\system32\drivers\etc hosts /r:1 /w:1
- ```
-
-1. Switch back to the **File Recovery** blade in the Azure portal and click **Unmount Disks**.
-
-1. Terminate the Remote Desktop session.
-
-## Task 7: Review the Azure Recovery Services soft delete functionality
-
-1. On the lab computer, in the Azure portal, search for and select **Recovery Services vaults** and, on the **Recovery Services vaults**, click **az104-10-rsv1**.
-
-1. On the **az104-10-rsv1** Recovery Services vault blade, in the **Protected items** section, click **Backup items**.
-
-1. On the **az104-10-rsv1 - Backup items** blade, click **Azure Backup Agent**.
-
-1. On the **Backup Items (Azure Backup Agent)** blade, click the entry representing the backup of **az104-10-vm1**.
-
-1. On the **C:\\ on az104-10-vm1.** blade, select **View details** for **az104-10-vm1.** .
-
-1. On the Detail blade, click on **az104-10-vm1**.
-
-1. On the **az104-10-vm1.** Protected Servers blade, click **Delete**.
-
-1. On the **Delete** blade, specify the following settings.
-
- | Settings | Value |
- | --- | --- |
- | TYPE THE SERVER NAME | **az104-10-vm1.** |
- | Reason | **Recycling Dev/Test server** |
- | Comments | **az104 10 lab** |
-
- >**Note**: Make sure to include the trailing period when typing the server name
-
-1. Enable the checkbox next to the label **There is backup data of 1 backup items associated with this server. I understand that clicking "Confirm" will permanently delete all the cloud backup data. This action cannot be undone. An alert may be sent to the administrators of this subscription notifying them of this deletion** and click **Delete**.
-
- >**Note**: This will fail because the **Soft delete** feature must be disabled.
-
-1. Navigate back to the **az104-10-rsv1 - Backup items** blade and click **Azure Virtual Machines**.
-
-1. On the **az104-10-rsv1 - Backup items** blade, click **Azure Virtual Machine**.
-
-1. On the **Backup Items (Azure Virtual Machine)** blade, select **View details** for **az104-10-vm0**.
-
-1. On the **az104-10-vm0** Backup Item blade, click **Stop backup**.
-
-1. On the **Stop backup** blade, select **Delete Backup Data**, specify the following settings and click **Stop backup**:
-
- | Settings | Value |
- | --- | --- |
- | Type the name of Backup item | **az104-10-vm0** |
- | Reason | **Others** |
- | Comments | **az104 10 lab** |
-
-1. Navigate back to the **az104-10-rsv1 - Backup items** blade and click **Refresh**.
-
- >**Note**: The **Azure Virtual Machine** entry is still lists **1** backup item.
-
-1. Click the **Azure Virtual Machine** entry and, on the **Backup Items (Azure Virtual Machine)** blade, click the **az104-10-vm0** entry.
-
-1. On the **az104-10-vm0** Backup Item blade, note that you have the option to **Undelete** the deleted backup.
-
- >**Note**: This functionality is provided by the soft-delete feature, which is, by default, enabled for Azure virtual machine backups.
-
-1. Navigate back to the **az104-10-rsv1** Recovery Services vault blade, and in the **Settings** section, click **Properties**.
-
-1. On the **az104-10-rsv1 - Properties** blade, click the **Update** link under **Security Settings** label.
-
-1. On the **Security Settings** blade, Disable **Soft Delete (For workloads running in Azure)** and also disable **Security Features (For workloads running on-premises)** and click **Save**.
-
- >**Note**: This will not affect items already in soft delete state.
-
-1. Close the **Security Settings** blade and, back on the **az104-10-rsv1** Recovery Services vault blade, click **Overview**.
-
-1. Navigate back to the **az104-10-vm0** Backup Item blade and click **Undelete**.
-
-1. On the **Undelete az104-10-vm0** blade, click **Undelete**.
-
-1. Wait for the undelete operation to complete, refresh the web browser page, if needed, navigate back to the **az104-10-vm0** Backup Item blade, and click **Delete backup data**.
-
-1. On the **Delete Backup Data** blade, specify the following settings and click **Delete**:
-
- | Settings | Value |
- | --- | --- |
- | Type the name of Backup item | **az104-10-vm0** |
- | Reason | **Others** |
- | Comments | **az104 10 lab** |
-
-1. Repeat the steps at the beginning of this task to delete the backup items for **az104-10-vm1**.
-
-## Clean up resources
-
->**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
-
->**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
-
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
-
-1. List all resource groups created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-10*'
- ```
-
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-10*' | Remove-AzResourceGroup -Force -AsJob
- ```
-
- >**Note**: Optionally, you might consider deleting the auto-generated resource group with the prefix **AzureBackupRG_** (there is no additional charge associated with its existence).
-
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
-
-## Review
-
-In this lab, you have:
-
-+ Provisioned the lab environment
-+ Created a Recovery Services vault
-+ Implemented Azure virtual machine-level backup
-+ Implemented File and Folder backup
-+ Performed file recovery by using Azure Recovery Services agent
-+ Performed file recovery by using Azure virtual machine snapshots
-+ Reviewed the Azure Recovery Services soft delete functionality
++ [Protect your virtual machines by using Azure Backup](https://learn.microsoft.com/training/modules/protect-virtual-machines-with-azure-backup/). Use Azure Backup to help protect on-premises servers, virtual machines, SQL Server, Azure file shares, and other workloads.
++ [Protect your Azure infrastructure with Azure Site Recovery](https://learn.microsoft.com/en-us/training/modules/protect-infrastructure-with-site-recovery/). Provide disaster recovery for your Azure infrastructure by customizing replication, failover, and failback of Azure virtual machines with Azure Site Recovery.
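Review bot: The new "Cleanup your resources" section only tells students to delete the lab resource group, while the removed Task 7 and "Clean up resources" steps had them stop backup, delete backup data and disable **Soft Delete** on the vault first, and the removed note said the delete "will fail because the **Soft delete** feature must be disabled". If the rewritten lab can still leave protected or soft-deleted items in the Recovery Services vault, add a short note here covering that case, so students are not left with a vault that refuses to delete. Two smaller points in the same hunk: the heading should read "Clean up your resources" (verb form, as the old "Clean up resources" heading had), and the second training link hard-codes `/en-us/` while the first training link and the test-failover link are locale-neutral.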
diff --git a/Instructions/Labs/LAB_11-Implement_Monitoring.md b/Instructions/Labs/LAB_11-Implement_Monitoring.md
index f03aeffe..8043f300 100644
--- a/Instructions/Labs/LAB_11-Implement_Monitoring.md
+++ b/Instructions/Labs/LAB_11-Implement_Monitoring.md
@@ -5,345 +5,261 @@ lab:
---
# Lab 11 - Implement Monitoring
-# Student lab manual
+
+## Lab introduction
+
+In this lab, you learn about Azure Monitor. You learn to create an alert and send it to an action group. You trigger and test the alert and check the activity log.
+
+This lab requires an Azure subscription. Your subscription type may affect the availability of features in this lab. You may change the region, but the steps are written using **East US**.
+
+## Estimated timing: 40 minutes
## Lab scenario
-You need to evaluate Azure functionality that would provide insight into performance and configuration of Azure resources, focusing in particular on Azure virtual machines. To accomplish this, you intend to examine the capabilities of Azure Monitor, including Log Analytics.
+Your organization has migrated their infrastructure to Azure. It is important that Administrators are notified of any significant infrastructure changes. You plan to examine the capabilities of Azure Monitor, including Log Analytics.
-**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2017)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
+## Interactive lab simulation
-## Objectives
+There is an interactive lab simulation that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required.
-In this lab, you will:
-
-+ Task 1: Provision the lab environment
-+ Task 2: Register the Microsoft.Insights and Microsoft.AlertsManagement resource providers
-+ Task 3: Create and configure an Azure Log Analytics workspace and Azure Automation-based solutions
-+ Task 4: Review default monitoring settings of Azure virtual machines
-+ Task 5: Configure Azure virtual machine diagnostic settings
-+ Task 6: Review Azure Monitor functionality
-+ Task 7: Review Azure Log Analytics functionality
-
-## Estimated timing: 45 minutes
++ [Implement monitoring](https://mslabs.cloudguides.com/guides/AZ-104%20Exam%20Guide%20-%20Microsoft%20Azure%20Administrator%20Exercise%2017). Create a Log Analytics workspace and Azure-automation solutions. Review monitoring and diagnostic settings for virtual machines. Review Azure Monitor and Log Analytics functionality.
## Architecture diagram
-
+
-### Instructions
+## Job skills
-## Exercise 1
++ Task 1: Use a template to provision an infrastructure.
++ Task 2: Create an alert.
++ Task 3: Configure action group notifications.
++ Task 4: Trigger an alert and confirm it is working.
++ Task 5: Configure an alert processing rule.
++ Task 6: Use Azure Monitor log queries.
-## Task 1: Provision the lab environment
+## Task 1: Use a template to provision an infrastructure
In this task, you will deploy a virtual machine that will be used to test monitoring scenarios.
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. If necessary, download the **\\Allfiles\\Lab11\\az104-11-vm-template.json** lab files to your computer.
-1. In the Azure portal, open the **Azure Cloud Shell** by clicking on the icon in the top right of the Azure Portal.
+1. Sign in to the **Azure portal** - `https://portal.azure.com`.
-1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
+1. From the Azure portal, search for and select `Deploy a custom template`.
- >**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
+1. On the custom deployment page, select **Build you own template in the editor**.
-1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu, click **Upload** and upload the files **\\Allfiles\\Labs\\11\\az104-11-vm-template.json** and **\\Allfiles\\Labs\\11\\az104-11-vm-parameters.json** into the Cloud Shell home directory.
+1. On the edit template page, select **Load file**.
-1. From the Cloud Shell pane, run the following to create the resource group that will be hosting the virtual machines (replace the `[Azure_region]` placeholder with the name of an Azure region where you intend to deploy Azure virtual machines):
+1. Locate and select the **\\Allfiles\\Labs11\\az104-11-vm-template.json** file and select **Open**.
- >**Note**: Make sure to choose one of the regions listed as **Log Analytics Workspace Region** in the referenced in [Workspace mappings documentation](https://docs.microsoft.com/en-us/azure/automation/how-to/region-mappings)
+1. Select **Save**.
- ```powershell
- $location = '[Azure_region]'
+1. Use the following information to complete the custom deployment fields, leaving all other fields with their default values:
- $rgName = 'az104-11-rg0'
-
- New-AzResourceGroup -Name $rgName -Location $location
- ```
-
-1. From the Cloud Shell pane, run the following to create the first virtual network and deploy a virtual machine into it by using the template and parameter files you uploaded:
-
- >**Note**: You will be prompted to provide an Admin password.
+ | Setting | Value |
+ | --- | --- |
+ | Subscription | Your Azure subscription |
+ | Resource group| `az104-rg11` (If necessary, select **Create new**)
+ | Region | **East US** |
+ | Username | `localadmin` |
+ | Password | Provide a complex password |
- ```powershell
- New-AzResourceGroupDeployment `
- -ResourceGroupName $rgName `
- -TemplateFile $HOME/az104-11-vm-template.json `
- -TemplateParameterFile $HOME/az104-11-vm-parameters.json `
- -AsJob
+1. Select **Review + Create**, then select **Create**.
+
+1. Wait for the deployment to finish, then click **Go to resource group**.
+
+1. Review what resources were deployed. There should be one virtual network with one virtual machine.
+
+**Configure Azure Monitor for virtual machines (this will be used in the last task)**
+
+1. In the portal, search for and select **Monitor**.
+
+1. Take a minute to review all the insights, detection, triage, and diagnosis tools that are available.
+
+1. Select **View** in the **VM Insights** box, and then select **Configure Insights**.
+
+1. Select your virtual machine, and then **Enable** (twice).
+
+1. Take the defaults for subscription and data collection rules, then select **Configure**.
+
+1. It will take a few minutes for the virtual machine agent to install and configure, proceed to the next step.
+
+## Task 2: Create an alert
+
+In this task, you create an alert for when a virtual machine is deleted.
+
+1. Continue on the **Monitor** page , select **Alerts**.
+
+1. Select **Create +** and select **Alert rule**.
+
+1. Select the box for the resource group, then select **Apply**. This alert will apply to any virtual machines in the resource group. Alternatively, you could just specify one particular machine.
+
+1. Select the **Condition** tab and then select the **See all signals** link.
+
+1. Search for and select **Delete Virtual Machine (Virtual Machines)**. Notice the other built-in signals. Select **Apply**
+
+1. In the **Alert logic** area (scroll down), review the **Event level** selections. Leave the default of **All selected**.
+
+1. Review the **Status** selections. Leave the default of **All selected**.
+
+1. Leave the **Create an alert rule** pane open for the next task.
+
+## Task 3: Configure action group notifications
+
+In this task, if the alert is triggered send an email notification to the operations team.
+
+1. Continue working on your alert. Select **Next: Actions**, and then select **Create action group**.
+
+ >**Did you know?** You can add up to five action groups to an alert rule. Action groups are executed concurrently, in no specific order. Multiple alert rules can use the same action group.
+
+1. On the **Basics** tab, enter the following values for each setting.
+
+ | Setting | Value |
+ |---------|---------|
+ | **Project details** |
+ | Subscription | your subscription |
+ | Resource group | **az104-rg11** |
+ | Region | **Global** (default) |
+ | **Instance details** |
+ | Action group name | `Alert the operations team` (must be unique in the resource group) |
+ | Display name | `AlertOpsTeam` |
+
+1. Select **Next: Notifications** and enter the following values for each setting.
+
+ | Setting | Value |
+ |---------|---------|
+ | Notification type | Select **Email/SMS message/Push/Voice** |
+ | Name | `VM was deleted` |
+
+1. Select **Email**, and in the **Email** box, enter your email address, and then select **OK**.
+
+ >**Note:** You should receive an email notification saying you were added to an action group. There may be a few minutes delay, but that is a sure sign the rule has deployed.
+
+1. Once the action group is created move to the **Next: Details** tab and enter the following values for each setting.
+
+ | Setting | Value |
+ |---------|---------|
+ | Alert rule name | `VM was deleted` |
+ | Alert rule description | `A VM in your resource group was deleted` |
+
+1. Select **Review + create** to validate your input, then select **Create**.
+
+## Task 4: Trigger an alert and confirm it is working
+
+In this task, you trigger the alert and confirm a notification is sent.
+
+>**Note:** If you delete the virtual machine before the alert rule deploys, the alert rule might not be triggered.
+
+1. In the portal, search for and select **Virtual machines**.
+
+1. Check the box for the **az104-vm0** virtual machine.
+
+1. Select **Delete** from the menu bar.
+
+1. Check the box for **Apply force delete**. Enter `delete` to confirm and then select **Delete**.
+
+1. In the title bar, select the **Notifications** icon and wait until **vm0** is successfully deleted.
+
+1. You should receive a notification email that reads, **Important notice: Azure Monitor alert VM was deleted was activated...** If not, open your email program and look for an email from azure-noreply@microsoft.com.
+
+ 
+
+1. On the Azure portal resource menu, select **Monitor**, and then select **Alerts** in the menu on the left.
+
+1. You should have three verbose alerts that were generated by deleting **vm0**.
+
+ >**Note:** It can take a few minutes for the alert email to be sent and for the alerts to be updated in the portal. If you don't want to wait, continue to the next task and then return.
+
+1. Select the name of one of the alerts (For example, **VM was deleted**). An **Alert details** pane appears that shows more details about the event.
+
+## Task 5: Configure an alert processing rule
+
+In this task, you create an alert rule to suppress notifications during a maintenance period.
+
+1. Continue in the **Alerts** blade, select **Alert processing rules** and then **+ Create**.
+
+1. Select your **resource group**, then select **Apply**.
+
+1. Select **Next: Rule settings**, then select **Suppress notifications**.
+
+1. Select **Next: Scheduling**.
+
+1. By default, the rule works all the time, unless you disable it or configure a schedule. You are going to define a rule to suppress notifications during overnight maintenance.
+Enter these settings for the scheduling of the alert processing rule:
+
+ | Setting | Value |
+ |---------|---------|
+ | Apply the rule | At a specific time |
+ | Start | Enter today's date at 10 pm. |
+ | End | Enter tomorrow's date at 7 am. |
+ | Time zone | Select the local timezone. |
+
+ 
+
+1. Select **Next: Details** and enter these settings:
+
+ | Setting | Value |
+ |---------|---------|
+ | Resource group | **az104-rg11** |
+ | Rule name | `Planned Maintenance` |
+ | Description | `Suppress notifications during planned maintenance.` |
+
+1. Select **Review + create** to validate your input, then select **Create**.
+
+## Task 6: Use Azure Monitor log queries
+
+In this task, you will use Azure Monitor to query the data captured from the virtual machine.
+
+1. In the Azure portal, search for and select `Monitor` blade, click **Logs**.
+
+1. If necessary close the splash screen.
+
+1. Select a scope, your **resource group**. Select **Apply**.
+
+1. In the **Queries** tab, select **Virtual machines** (left pane).
+
+1. Review the queries that are available. **Run** (hover over the query) the **Count heartbeats** query.
+
+1. You should receive a heartbeat count for when the virtual machine was running.
+
+1. Review the query. This query uses the *heartbeat* table.
+
+1. Replace the query with this one, and then click **Run**. Review the resulting chart.
+
+ ```
+ InsightsMetrics
+ | where TimeGenerated > ago(1h)
+ | where Name == "UtilizationPercentage"
+ | summarize avg(Val) by bin(TimeGenerated, 5m), Computer //split up by computer
+ | render timechart
```
- >**Note**: Do not wait for the deployment to complete but instead proceed to the next task. The deployment should take about 3 minutes.
+1. As you have time, review and run other queries.
-## Task 2: Register the Microsoft.Insights and Microsoft.AlertsManagement resource providers.
+ >**Did you know?**: If you want to practice with other queries, there is a [Log Analytics Demo Environment](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-tutorial#open-log-analytics).
+
+ >**Did you know?**: Once you find a query you like, you can create an alert from it.
-1. From the Cloud Shell pane, run the following to register the Microsoft.Insights and Microsoft.AlertsManagement resource providers.
+## Cleanup your resources
- ```powershell
- Register-AzResourceProvider -ProviderNamespace Microsoft.Insights
+If you are working with **your own subscription** take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
- Register-AzResourceProvider -ProviderNamespace Microsoft.AlertsManagement
- ```
++ In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**.
++ Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`.
++ Using the CLI, `az group delete --name resourceGroupName`.
-1. Minimize Cloud Shell pane (but do not close it).
+## Key takeaways
-## Task 3: Create and configure an Azure Log Analytics workspace and Azure Automation-based solutions
+Congratulations on completing the lab. Here are the main takeaways for this lab.
-In this task, you will create and configure an Azure Log Analytics workspace and Azure Automation-based solutions
++ Alerts help you detect and address issues before users notice there might be a problem with your infrastructure or application.
++ You can alert on any metric or log data source in the Azure Monitor data platform.
++ An alert rule monitors your data and captures a signal that indicates something is happening on the specified resource.
++ An alert is triggered if the conditions of the alert rule are met. Several actions (email, SMS, push, voice) can be triggered.
++ Action groups include individuals that should be notified of an alert.
-1. In the Azure portal, search for and select **Log Analytics workspaces** and, on the **Log Analytics workspaces** blade, click **+ Create**.
+## Learn more with self-paced training
-1. On the **Basics** tab of the **Create Log Analytics workspace** blade, enter the following settings, click **Review + Create** and then click **Create**:
-
- | Settings | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | the name of a new resource group **az104-11-rg1** |
- | Log Analytics Workspace | any unique name |
- | Region | the name of the Azure region into which you deployed the virtual machine in the previous task |
-
- >**Note**: Make sure that you specify the same region into which you deployed virtual machines in the previous task.
-
- >**Note**: Wait for the deployment to complete. The deployment should take about 1 minute.
-
-1. In the Azure portal, search for and select **Automation Accounts**, and on the **Automation Accounts** blade, click **+ Create**.
-
-1. On the **Create an Automation Account** blade, specify the following settings, and click **Review + Create** upon validation click **Create**:
-
- | Settings | Value |
- | --- | --- |
- | Automation account name | any unique name |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-11-rg1** |
- | Region | the name of the Azure region determined based on [Workspace mappings documentation](https://docs.microsoft.com/en-us/azure/automation/how-to/region-mappings) |
-
- >**Note**: Make sure that you specify the Azure region based on the [Workspace mappings documentation](https://docs.microsoft.com/en-us/azure/automation/how-to/region-mappings)
-
- >**Note**: Wait for the deployment to complete. The deployment might take about 3 minutes.
-
-1. Click **Go to resource**.
-
-1. On the Automation account blade, in the **Configuration Management** section, click **Inventory**.
-
-1. In the **Inventory** pane, in the **Log Analytics workspace** drop-down list, select the Log Analytics workspace you created earlier in this task and click **Enable**.
-
- >**Note**: Wait for the installation of the corresponding Log Analytics solution to complete. This might take about 3 minutes.
-
- >**Note**: This automatically installs the **Change tracking** solution as well.
-
-1. On the Automation account blade, in the **Update Management** section, click **Update management** and click **Enable**.
-
- >**Note**: Wait for the installation to complete. This might take about 5 minutes.
-
-## Task 4: Review default monitoring settings of Azure virtual machines
-
-In this task, you will review default monitoring settings of Azure virtual machines
-
-1. In the Azure portal, search for and select **Virtual machines**, and on the **Virtual machines** blade, click **az104-11-vm0**.
-
-1. On the **az104-11-vm0** blade, in the **Monitoring** section, click **Metrics**.
-
-1. On the **az104-11-vm0 \| Metrics** blade, on the default chart, note that the only available **Metrics Namespace** is **Virtual Machine Host**.
-
- >**Note**: This is expected, since no guest-level diagnostic settings have been configured yet. You do have, however, the option of enabling guest memory metrics directly from the **Metrics Namespace** drop down-list. You will enable it later in this exercise.
-
-1. In the **Metric** drop-down list, review the list of available metrics.
-
- >**Note**: The list includes a range of CPU, disk, and network-related metrics that can be collected from the virtual machine host, without having access into guest-level metrics.
-
-1. In the **Metric** drop-down list, select **Percentage CPU**, in the **Aggregation** drop-down list, select **Avg**, and review the resulting chart.
-
-## Task 5: Configure Azure virtual machine diagnostic settings
-
-In this task, you will configure Azure virtual machine diagnostic settings.
-
-1. On the **az104-11-vm0** blade, in the **Monitoring** section, click **Diagnostic settings**.
-
-1. On the **Overview** tab of the **az104-11-vm0 \| Diagnostic settings** blade, select a **Diagnostic storage account**, and then click **Enable guest-level monitoring**.
-
- >**Note**: Wait for the diagnostic settings extension to be installed. This might take about 3 minutes.
-
-1. Switch to the **Performance counters** tab of the **az104-11-vm0 \| Diagnostic settings** blade and review the available counters.
-
- >**Note**: By default, CPU, memory, disk, and network counters are enabled. You can switch to the **Custom** view for more detailed listing.
-
-1. Switch to the **Logs** tab of the **az104-11-vm0 \| Diagnostic settings** blade and review the available event log collection options.
-
- >**Note**: By default, log collection includes critical, error, and warning entries from the Application Log and System log, as well as Audit failure entries from the Security log. Here as well you can switch to the **Custom** view for more detailed configuration settings.
-
-1. On the **az104-11-vm0** blade, in the **Monitoring** section, click **Logs** and then click **Enable**.
-
-1. On the **az104-11-vm0 - Logs** blade, note **Azure Monitor agent** will be installed, and then click **Configure**.
-
- >**Note**: Do not wait for the operation to be completed, but instead proceed to the next step. The operation might take about 5 minutes.
-
-1. On the **az104-11-vm0 \| Logs** blade, in the **Monitoring** section, click **Metrics**.
-
-1. On the **az104-11-vm0 \| Metrics** blade, on the default chart, note that at this point, the **Metrics Namespace** drop-down list, in addition to the **Virtual Machine Host** entry includes also the **Guest (classic)** entry.
-
- >**Note**: This is expected, since you enabled guest-level diagnostic settings. You also have the option to **Enable new guest memory metrics**.
-
-1. In the **Metrics Namespace** drop-down list, select the **Guest (classic)** entry.
-
-1. In the **Metric** drop-down list, review the list of available metrics.
-
- >**Note**: The list includes additional guest-level metrics not available when relying on the host-level monitoring only.
-
-1. In the **Metric** drop-down list, select **Memory\\Available Bytes**, in the **Aggregation** drop-down list, select **Max**, and review the resulting chart.
-
-## Task 6: Review Azure Monitor functionality
-
-1. In the Azure portal, search for and select **Monitor** and, on the **Monitor \| Overview** blade, click **Metrics**.
-
-1. On the **Select a scope** blade, on the **Browse** tab, navigate to the **az104-11-rg0** resource group, expand it, select the checkbox next to the **az104-11-vm0** virtual machine entry within that resource group, and click **Apply**.
-
- >**Note**: This gives you the same view and options as those available from the **az104-11-vm0 - Metrics** blade.
-
-1. In the **Metric** drop-down list, select **Percentage CPU**, in the **Aggregation** drop-down list, select **Avg**, and review the resulting chart.
-
-1. On the **Monitor \| Metrics** blade, on the **Avg Percentage CPU for az104-11-vm0** pane, click **New alert rule**.
-
- >**Note**: Creating an alert rule from Metrics is not supported for metrics from the Guest (classic) metric namespace. This can be accomplished by using Azure Resource Manager templates, as described in the document [Send Guest OS metrics to the Azure Monitor metric store using a Resource Manager template for a Windows virtual machine](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-custom-metrics-guestos-resource-manager-vm)
-
-1. On the **Create alert rule** blade, in the **Condition** section, click the existing condition entry.
-
-1. On the **Configure signal logic** blade, in the list of signals, in the **Alert logic** section, specify the following settings (leave others with their default values) and click **Done**:
-
- | Settings | Value |
- | --- | --- |
- | Threshold | **Static** |
- | Aggregation type | **Average** |
- | Operator | **Greater than** |
- | Threshold value | **2** |
- | Check every | **1 minute** |
- | Lookback period| **1 Minute** |
-
-1. Click **Next: Actions >**, on the **Create an alert rule** blade, in the **Action group** section, click the **+ Create action group** button.
-
-1. On the **Basics** tab of the **Create action group** blade, specify the following settings (leave others with their default values) and select **Next: Notifications >**:
-
- | Settings | Value |
- | --- | --- |
- | Subscription | the name of the Azure subscription you are using in this lab |
- | Resource group | **az104-11-rg1** |
- | Action group name | **az104-11-ag1** |
- | Display name | **az104-11-ag1** |
-
-1. On the **Notifications** tab of the **Create an action group** blade, in the **Notification type** drop-down list, select **Email/SMS message/Push/Voice**. In the **Name** text box, type **admin email**. Click the **Edit details** (pencil) icon.
-
-1. On the **Email/SMS message/Push/Voice** blade, select the **Email** checkbox, type your email address in the **Email** textbox, leave others with their default values, click **OK**, back on the **Notifications** tab of the **Create an action group** blade, select **Next: Actions >**.
-
-1. On the **Actions** tab of the **Create action group** blade, review items available in the **Action type** drop-down list without making any changes and select **Review + create**.
-
-1. On the **Review + create** tab of the **Create action group** blade, select **Create**.
-
-1. Back on the **Create alert rule** blade, click **Next: Details >**, and in the **Alert rule details** section, specify the following settings (leave others with their default values):
-
- | Settings | Value |
- | --- | --- |
- | Alert rule name | **CPU Percentage above the test threshold** |
- | Alert rule description | **CPU Percentage above the test threshold** |
- | Severity | **Sev 3** |
- | Enable upon creation | **Yes** |
-
-1. Click **Review + create** and on the **Review + create** tab click **Create**.
-
- >**Note**: It can take up to 10 minutes for a metric alert rule to become active.
-
-1. In the Azure portal, search for and select **Virtual machines**, and on the **Virtual machines** blade, click **az104-11-vm0**.
-
-1. On the **az104-11-vm0** blade, click **Connect**, in the drop-down menu, click **RDP**, on the **Connect with RDP** blade, click **Download RDP File** and follow the prompts to start the Remote Desktop session.
-
- >**Note**: This step refers to connecting via Remote Desktop from a Windows computer. On a Mac, you can use Remote Desktop Client from the Mac App Store and on Linux computers you can use an open source RDP client software.
-
- >**Note**: You can ignore any warning prompts when connecting to the target virtual machines.
-
-1. When prompted, sign in by using the **Student** username and the password from the parameters file.
-
-1. Within the Remote Desktop session, click **Start**, expand the **Windows System** folder, and click **Command Prompt**.
-
-1. From the Command Prompt, run the following to trigger increased CPU utilization on the **az104-11-vm0** Azure VM:
-
- ```sh
- for /l %a in (0,0,1) do echo a
- ```
-
- >**Note**: This will initiate the infinite loop that should increase the CPU utilization above the threshold of the newly created alert rule.
-
-1. Leave the Remote Desktop session open and switch back to the browser window displaying the Azure portal on your lab computer.
-
-1. In the Azure portal, navigate back to the **Monitor** blade and click **Alerts**.
-
-1. Note the number of **Sev 3** alerts and then click the **Sev 3** row.
-
- >**Note**: You might need to wait for a few minutes and click **Refresh**.
-
-1. On the **All Alerts** blade, review generated alerts.
-
-## Task 7: Review Azure Log Analytics functionality
-
-1. In the Azure portal, navigate back to the **Monitor** blade, click **Logs**.
-
- >**Note**: You might need to click **Get Started** if this is the first time you access Log Analytics.
-
-1. If necessary, click **Select scope**, on the **Select a scope** blade, select the **Recent** tab, select **az104-11-vm0**, and click **Apply**.
-
-1. In the query window, paste the following query, click **Run**, and review the resulting chart:
-
- ```sh
- // Virtual Machine available memory
- // Chart the VM's available memory over the last hour.
- InsightsMetrics
- | where TimeGenerated > ago(1h)
- | where Name == "AvailableMB"
- | project TimeGenerated, Name, Val
- | render timechart
- ```
-
- > **Note**: The query should not have any errors (indicated by red blocks on the right scroll bar). If the query will not paste without errors directly from the instructions, paste the query code into a text editor such as Notepad, and then copy and paste it into the query window from there.
-
-
-1. Click **Queries** in the toolbar, on the **Queries** pane, locate the **Track VM availability** tile and double-click it to fill the query window, click the **Run** command button in the tile, and review the results.
-
-1. On the **New Query 1** tab, select the **Tables** header, and review the list of tables in the **Virtual machines** section.
-
- >**Note**: The names of several tables correspond to the solutions you installed earlier in this lab.
-
-1. Hover the mouse over the **VMComputer** entry and click the **See Preview data** icon.
-
-1. If any data is available, in the **Update** pane, click **Use in editor**.
-
- >**Note**: You might need to wait a few minutes before the update data becomes available.
-
-## Clean up resources
-
->**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.
-
->**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
-
-1. In the Azure portal, open the **PowerShell** session within the **Cloud Shell** pane.
-
-1. List all resource groups created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-11*'
- ```
-
-1. Delete all resource groups you created throughout the labs of this module by running the following command:
-
- ```powershell
- Get-AzResourceGroup -Name 'az104-11*' | Remove-AzResourceGroup -Force -AsJob
- ```
-
- >**Note**: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups are actually removed.
-
-## Review
-
-In this lab, you have:
-
-+ Provisioned the lab environment
-+ Created and configured an Azure Log Analytics workspace and Azure Automation-based solutions
-+ Reviewed default monitoring settings of Azure virtual machines
-+ Configured Azure virtual machine diagnostic settings
-+ Reviewed Azure Monitor functionality
-+ Reviewed Azure Log Analytics functionality
++ [Improve incident response with alerting on Azure](https://learn.microsoft.com/en-us/training/modules/incident-response-with-alerting-on-azure/). Respond to incidents and activities in your infrastructure through alerting capabilities in Azure Monitor.
++ [Monitor your Azure virtual machines with Azure Monitor](https://learn.microsoft.com/en-us/training/modules/monitor-azure-vm-using-diagnostic-data/). Monitor your Azure VMs by using Azure Monitor to collect and analyze VM host and client metrics and logs.
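Review bot: The added takeaway "Action groups include individuals that should be notified of an alert." describes action groups only as a recipient list, while the steps this hunk removes had students open the **Actions** tab and review the **Action type** drop-down, so the summary now understates what the lab previously showed. Suggest wording along the lines of "Action groups define who is notified and which actions run when an alert fires." Separately, the removed "Clean up resources" steps (`Get-AzResourceGroup -Name 'az104-11*' | Remove-AzResourceGroup -Force -AsJob`) have no counterpart among the added lines visible in this part of the hunk; please confirm the rewritten lab still tells students to delete the lab resource groups before the "Learn more with self-paced training" section.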