AzureCon Challenge

Introduction to Virtual Networking


Overview
In this challenge you will create a virtual network with 2 sub-networks. You will then add a Network Security Group to the subnets to see how different rules
will impact the traffic coming to and from your virtual network. On each subnet you will have to add a virtual machine, in order to see the system working.

1. Login to Azure
For this challenge, you have either elected to use your own subscription or have created a new Azure
subscription using the provided Azure Pass (or Free Trial). If you want to switch to use the provided Azure
Pass the promotion code is displayed on the My Account page on the http://challenge.azurecon.com web
site. If there is no promo code displayed, you will need to use the free trial http://azure.microsoft.com/pricing/free-trial.
Azure has TWO management portals - the classic portal (http://manage.windowsazure.com) and a new
portal that is in Preview at http://portal.azure.com. You will use the Preview portal in this challenge.
1. Open a browser and go to http://portal.azure.com
2. Enter your Microsoft Account email address and password for the Microsoft Account you associated with your Azure Pass or your own subscription.
3. You will now be in your Azure subscription (see opposite) and from here you can create and manage Azure services.

2. Create a Virtual Network


In this task you will create a new virtual network with one subnet.

1. On the portal press the New button on the top left corner.
2. Choose Networking.
3. Choose Virtual Network.
4. On the bottom of the Virtual Network blade switch the deployment model to Resource Manager and then press Create.
5. On the Create virtual network blade, fill in the following values for the parameters:

       Name:                  VnetLab
       Address Space:         10.100.0.0/24
       Subnet name:           Subnet1
       Subnet address range:  10.100.0.0/25
       Resource Group:        VnetLabRG
       Location:              Choose a location close to your current region

6. Make sure that Pin to dashboard is checked and then press Create.
7. After a short while the virtual network is created and its settings will be displayed on the portal.

3. Add a subnet to an existing virtual network


In this task you will add a second subnet to your virtual network.

1. On the settings blade select Subnets, and then press Add.
2. On the Add subnet blade fill in the following values for the parameters:

       Name:           Subnet2
       Address range:  10.100.0.128/25

3. Press the Ok button at the bottom of the blade and in a short while your new subnet will be created.

4. Create and configure two VMs


In this task you will create two VMs, one for each subnet.

1. In the portal press the New button on the top left corner, then choose Compute, and then Windows Server 2012 R2 Datacenter.
2. On the Windows Server 2012 R2 Datacenter blade, select the Resource Manager Deployment model, and press Create.
3. On the Basic blade fill in the following values for the parameters and then press OK:

       Name:            VNetLabVM1
       User Name:       Azureadmin
       Password:        P@ssWord1
       Resource Group:  Choose the existing VNetLabRG
       Location:        Choose a location close to your current region

4. On the Size blade choose D1 as size for your VM and then press Select.
5. On the Settings blade make sure you choose VNetLab for the Virtual Network, and Subnet1 for the Subnet.
6. Select Network Security Group.
7. Select Create New.
8. Change the name to VNetLabNSG1, and leave all other values as they are.
9. Disable Monitoring and press OK, and then press OK again to create the VM.
10. Repeat steps 1-9 using the following values:

        Name:            VNetLabVM2
        User Name:       Azureadmin
        Password:        P@ssWord1
        Resource Group:  Choose the existing VNetLabRG
        Location:        Choose a location close to your current region
        NSG Name:        VNetLabNSG1
        Subnet:          Subnet-2

11. On the left navigation bar select Virtual Machines (NOT the classic ones), or, if it is not displayed, select Browse and search for Virtual Machines.
12. Wait for VNetLabVM1 to transition to Running status.
13. Select VNetLabVM1 and then press Settings.
14. On the Settings blade choose Network Interfaces.
15. On the Network Interfaces blade take note of the Private IP Address and write it down, as you will need it later.
16. Go back to the VNetLabVM1 and press Connect.
17. Save the .rdp file and then Open it.
18. Enter the user name and password you chose earlier to connect to the Virtual Machine.
19. When you are logged in, the Server Manager opens automatically. On the top right corner, choose Manage, and then Add Roles and Features.
20. Press Next three times, and on the Server Roles tab, choose Web Server.
21. Press the Add Features button on the dialog that shows up.
22. Press Next, Next and accept all the default values, and then press Finish. After a short while you will have a web server running locally.

5. Test the configuration without NSG


In this step we will test the communication between subnets and from one subnet to the Internet, by logging into VNetLabVM2.

1. On the left navigation bar select Virtual Machines (NOT the classic ones), or, if it is not displayed, select Browse and search for Virtual Machines.
2. Wait for VNetLabVM2 to transition to Running status.
3. Select VNetLabVM2 and then press Connect.
4. Save the .rdp file and then Open it.
5. Enter the user name and password you chose earlier to connect to the Virtual Machine.
6. When you are logged in, the Server Manager opens automatically. Close it and open Internet Explorer instead.
7. Navigate to the private address of VNetLabVM1 (the IP address that you wrote down in step 15 of task 4), and the start page of IIS should show up.
8. Verify that you can navigate to the Internet by going to bing.com. Press the Close button twice to acknowledge that some content is blocked.

6. Configure the NSG


In this task you will configure the Network Security Group to allow access to the Internet for VNetLabVM2 but deny access to VNetLabVM1's web server.

1. On the Azure Portal select Browse at the bottom of the left nav.
2. In the search box type Net and then select Network security groups.
3. Select the NSG VNetLabNSG1 and choose Settings, Outbound security rules, Add+
4. Enter the following in the dialog:

       Name:                          basicoutboundrule
       Priority:                      100
       Destination:                   CIDR block
       Destination IP address range:  10.100.0.0/25
       Destination port range:        80
       Source:                        CIDR block
       Source IP address range:       10.100.0.128/25
       Protocol:                      Any
       Source port range:
       Action:                        Deny

7. Test the configuration with NSG


In this step we are going to test the NSG rules, by proving that it is not possible to browse to the intranet web server from VNetLabVM2.

1. Go back to the RDP session for VNetLabVM2. If you closed the session, repeat steps 1-6 from task 5.
2. If Internet Explorer is open, close it.
3. Open Internet Explorer and navigate to the private address of VNetLabVM1 (the one that you wrote down in step 15 of task 4), and the start page of IIS should time out with a "This page can't be displayed" error.
   a. Note: If you see the IIS home page, press CTRL + F5 at the same time to ensure you are not viewing a cached copy.
4. Try to navigate to bing.com from VNetLabVM2, and you will see that this is still possible.
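
The results in tasks 6 and 7 follow from how an NSG evaluates rules: lowest priority number first, first match wins, with three default outbound rules sitting behind any custom rule. The Python sketch below is an added example, not part of the original lab; the VM addresses (10.100.0.4, 10.100.0.132) and the Internet host are constructed, and the VirtualNetwork and Internet tags are simplified to "inside or outside 10.100.0.0/24".

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.100.0.0/24")  # VnetLab address space from task 2

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str        # CIDR, "VirtualNetwork", "Internet" or "*"
    destination: str
    port: str          # a single destination port or "*"
    action: str        # "Allow" or "Deny"

def _in_scope(ip, scope):
    addr = ipaddress.ip_address(ip)
    if scope == "*":
        return True
    if scope == "VirtualNetwork":   # simplification: tag modelled as the VNet range only
        return addr in VNET
    if scope == "Internet":         # simplification: anything outside the VNet
        return addr not in VNET
    return addr in ipaddress.ip_network(scope)

# Custom rule from task 6 (protocol is Any, so it is not modelled) followed by
# the three default outbound rules that every NSG carries.
OUTBOUND_RULES = [
    Rule("basicoutboundrule", 100, "10.100.0.128/25", "10.100.0.0/25", "80", "Deny"),
    Rule("AllowVnetOutBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "*", "Internet", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "*", "*", "*", "Deny"),
]

def evaluate(src, dst, port, rules=OUTBOUND_RULES):
    """Return (action, rule name) of the first match in ascending priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_in_scope(src, rule.source) and _in_scope(dst, rule.destination)
                and rule.port in ("*", str(port))):
            return rule.action, rule.name
    return "Deny", "no-match"

if __name__ == "__main__":
    VM1, VM2 = "10.100.0.4", "10.100.0.132"   # constructed private IPs, one per subnet
    for src, dst, port in [(VM2, VM1, 80), (VM2, "203.0.113.10", 80),
                           (VM2, VM1, 3389), (VM1, VM2, 80)]:
        print(src, "->", f"{dst}:{port}", evaluate(src, dst, port))
```

The third and fourth cases show the limits of basicoutboundrule: it blocks only port 80 from Subnet2 to Subnet1, so other ports between the subnets, and port 80 in the reverse direction, are still allowed by AllowVnetOutBound.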

--- END OF LAB ---

Go back to the AzureCon Challenge web site (http://challenge.azurecon.com) and complete the challenge question to get your points.
REMEMBER: You only have one chance at the question, make sure you really know the answer!
