Advanced School of IT

Practical Test: Windows Azure

Handed out: Wednesday, November 29, 2023.

Due: 10:59 AM, Tuesday, December 12, 2023
01 - Create a virtual machine in the portal
In this walkthrough, we will create a virtual machine in the Azure Portal, connect to the
virtual machine, install the web server role and test.
Estimated time: 45 minutes

Task 1: Create the virtual machine

In this task, we will create a Windows Server 2016 Datacenter virtual machine.
1. Sign in to the Azure portal.

2. Search for Virtual machines and then click +Add.

3. In the Basics tab, fill in the information. Leave the defaults for everthing else.

Settings Values

Subscription Choose your subscription

Resource group myRGVM (create new)
Virtual machine name myVm
Location (US) East US
Image Windows Server 2016 Datacenter
Administrator account username azureuser
Administrator account password Pa$$w0rd1234
Inbound port rules - Allow select ports RDP (3389) and HTTP (80)

4. Move to the Management tab and the Monitoring section.

Settings Values
Boot diagnostics Off

5. Leave the remaining defaults and then select the Review + create button at the
bottom of the page.

6. Once Validation is passed click the Create button. It can take anywhere from five to
seven minutes to deploy the virtual machine.
7. You will receive updates on the deployment page and on the Notifications icon (top
menu).
Task 2: Connect to the virtual machine
In this task, we will connect to our new virtual machine using RDP.
1. Search for myVM and select your new virtual machine.
Note: You could also use the Go to resource link in the Notifications.
2. On the virtual machine Overview page, click the Connect button.

Screenshot of the virtual machine properties with the Connect button highlighted.
Note: The following directions tell you how to connect to your VM from a Windows
computer. On a Mac, you need an RDP client such as this Remote Desktop Client from
the Mac App Store and on Linux virtual machine you could connect directly from a
bash shell using ssh.

3. In the Connect to virtual machine page, keep the default options to connect with the
public IP address over port 3389 and click Download RDP File.

4. Open the downloaded RDP file and click Connect when prompted.
 Screenshot of the virtual machine properties with the Connect button highlighted.
5. In the Windows Security window, select More choices and then Use a different
account. Provide the username (.) and the password (Pa$$w0rd1234). Click OK to
connect.
 Screenshot of the Windows security dialogue with use a different account selected and
the username azure user entered and a password.
6. You may receive a certificate warning during the sign-in process. Click Yes or to create
the connection and connect to your deployed VM. You should connect successfully.
 Screenshot of the Certificate warning dialogue informing the user of an untrusted
certificate, with the Yes button highlighted.
Congratulations! You have deployed and connected to a Windows Server virtual machine in
Azure

Task 3: Install the web server role and test

In this task, install the Web Server role on the server and ensure the default IIS welcome
page can be displayed.
1. Open up a PowerShell command prompt on the virtual machine, by clicking the Start
button, typing PowerShell right clicking Windows PowerShell in the menu and
selecting Run as administrator
 Screenshot of the virtual machine desktop with the start button clicked and PowerShell
selected with run as an administrator highlighted.
2. Install the Web-Server feature in the virtual machine by running the following
command in the PowerShell command prompt. You can copy and paste this command.

Install-WindowsFeature -name Web-Server -IncludeManagementTools

3. When completed there will be a prompt stating Success with a value True. You do not
need to restart the virtual machine to complete the installation. Close the RDP
connection to the VM.

Screenshot of the windows PowerShell command prompt with the command Install-
WindowsFeature -name Web-Server -IncludeManagementTools successfully completed
and output stating it was successful.
4. Back in the portal, select the VM and in the Overview pane of the VM, use the Click to
copy button to the right of the public IP address to copy it and paste it into a browser
tab.

Screenshot of the Azure portal virtual machine property pane with the IP address copied.
5. The default IIS Web Server welcome page will open, and is available to connect to
publicly via this IP address, or via the fully qualified domain name.
 Screenshot of the default IIS web server welcome page being accessed via the public ip
address in a web browser.
Congratulations! You have created a web server that can be connected to publicly via this
IP address, or via the fully qualified domain name. If you had a web page to host you could
deploy those source files to the virtual machine and host them for public access on the
deployed virtual machine.
Note: To avoid additional costs, you can remove this resource group. Search for resource
groups, click your resource group, and then click Delete resource group. Verify the name
of the resource group and then click Delete. Monitor the Notifications to see how the
delete is proceeding.
02 - Secure network traffic
In this walk-through, we will configure a network security group.

Task 1: Create a virtual machine

In this task, we will create a Windows Server 2019 Datacenter virtual machine.

1. Sign in to the Azure portal.

2. From the All services blade, search for and select Virtual machines, and then click + Add.

3. On the Basics tab, fill in the following information (leave the defaults for everything else):

Settings Values

Subscription Choose your subscription

Resource group myRGSecure (create new)

Virtual machine name SimpleWinVM

Location (US) East US

Image Windows Server 2019 Datacenter

Size Standard D2s v3

Administrator account username azureuser

Administrator account password

Pa$$w0rd1234 Inbound port rules None

4. Switch to the Networking tab, and configure the following setting:

Settings Values

NIC network security group None

5. Switch to the Management tab, and in its Monitoring section, select the following setting:
 Settings Values

Boot diagnostics Disable

6. Leave the remaining defaults and then click the Review + create button at the bottom of
the page.

7. Once Validation is passed click the Create button. It can take about five minutes to deploy
the virtual machine.

8. Monitor the deployment. It may take a few minutes for the resource group and virtual
machine to be created.

9. From the deployment blade or from the Notification area, click Go to resource.

10. On the SimpleWinVM virtual machine blade, click Networking, review the Inbound
port rules tab, and note that there is no network security group associated with the
network interface of the virtual machine or the subnet to which the network interface
is attached.
Note: Identify the name of the network interface. You will need it in the next task.

Task 2: Create a network security group

In this task, we will create a network security group and associate it with the network interface.

1. From the All services blade, search for and select Network security groups and then click +
Add

2. On the Basics tab of the Create network security group blade, specify the following
settings.

Setting Value

Subscription Choose your subscription

Resource group myRGSecure

Name myNSGSecure

Region (US) East US

3. Click Review + create and then after the validation click Create.
 4. After the NSG is created, click Go to resource.

5. Under Settings click Network interfaces and then + Associate.

6. Select the network interace you identified in the previous task.

Task 3: Configure an inbound security port rule to allow RDP

In this task, we will allow RDP traffc to the virtual machine by configuring an inbound security port
rule.

1. In the Azure portal, navigate to the blade of the SimpleWinVM virtual machine.

2. On the Overview pane, click Connect.

3. Attempt to connect to the virutal machine using RDP. By default the network security
group does not allow RDP. Close the error window.

4. On the virtual machine blade, scroll down to the Settings section, click on Networking,
and notice the inbound rules for the myNSGSecure (attached to network interface:
myVMNic) network security group deny all inbound traffic except traffic within the virtual
network and load balancer probes.

5. On the Inbound port rules tab, click Add inbound port rule . Click Add when you are done.

Setting Value

Source Any

Source port ranges *

Destination Any

Destination port ranges 3389

Protocol TCP

Action Allow
 Priority 300

Setting Value

Name AllowRDP

6. Wait for the rule to be provisioned and then try again to RDP into the virtual machine. This
time you should be successful. Remember the user is azureuser and the password is
Pa$$w0rd1234.
Task 4: Configure an outbound security port rule to deny Internet access
In this task, we will create a NSG outbound port rule that will deny Internet access and then test to
ensure the rule is working.

1. Continue in your virtual machine RDP session.

2. After the machine starts, open an Internet Explorer browser.

3. Verify that you can access https://www.bing.com and then close Internet Explorer. You
will need to work through the IE enhanced security pop-ups.

Note: We will now configure a rule to deny outbound internet access.

4. In the Azure portal, navigate back to the blade of the SimpleWinVM virtual machine.

5. Under Settings, click Networking, and then Outbound port rules.

6. Notice there is a rule, AllowInternetOutbound. This a default rule and cannot be removed.

7. Click Add outbound port rule to the right of the myNSGSecure (attached to network
interface: myVMNic) network security group and configure a new outbound security rule
with a higher priority that will deny internet traffic. Click Add when you are finished.

Setting Value

Source Any

Source port ranges *

Destination Service

Tag Destination service tag Internet

Destination port ranges *

Protocol TCP

Action Deny
 Setting Value

Priority 4000

Name DenyInternet

8. Return to your RDP session.

9. Browse to https://www.microsoft.com. The page should not display. You may need to
work through additional IE enhanced security pop-ups.

Note: To avoid additional costs, you can remove this resource group. Search for resource groups,
click your resource group, and then click Delete resource group. Verify the name of the resource
group and then click Delete. Monitor the Notifications to see how the delete is proceeding.