
Microsoft Azure

This category contains some lab objectives for Microsoft Azure made by myself. These can be executed in your own environment, which maximizes the learning experience.

1: Azure Introduction

In this objective, you will learn how to build and configure the required Azure resources in your own environment. Make sure you use your own Azure subscription, tenant, and resource groups when completing the tasks. The goal of this lab is to gain hands-on experience with setting up Azure infrastructure in a secure and structured way, to maximize the learning experience.

Difficulty: Easy

Introduction

In this lab, we will start up and prepare our Azure environment so that we can do the lab objectives. I will also aim to help you understand the Azure Portal, even if you have close to zero experience. In later labs, some knowledge and experience is preferable. Steps may also vary, as websites and portals are continuously updated.

These labs are not necessarily step-by-step guides, but are more like “achieve this goal”. Some objectives, however, can be found on my website, and I will reference them as much as possible where needed.


Requirements

  • Around 30 minutes of your time
  • A credit card which can be used to set up a Pay-as-you-go subscription
    • I will give you some tips about how to minimize the costs
  • An email address which you can use
  • A custom domain name for some objectives

Minimizing Azure costs

Registering your credit card with Azure might sound like paying a huge amount of money every month, but it’s relatively cheap to try Azure and to perform some labs in it. You do have to adapt to the Pay-as-you-go structure. I will give you the following guidelines to minimize the costs:

  • Shut down unused VMs
    • VMs are most expensive while running; when they are not running you still pay for disks and IP addresses
  • Remove unused resources
  • Place all testing resources in one resource group, which makes deleting them very fast and easy
  • Set up budgets in your subscription

My best recommendation is to do a lab objective, check if everything works, check your configuration and immediately remove all resources. Chances are you will not even pay 1 euro, depending on how long you spend on the lab objective.



1.1 Setting up Azure environment

  • To start following these labs, sign up for an Azure environment at https://azure.com
  • If you have any form of free Azure credits, like the trial, student or Visual Studio Enterprise, use that
  • Link your Credit card to your Azure environment, effectively creating a subscription
  • Rename your Azure subscription to your own desired value
  • Set a budget (optional)
  • Go to the subscription and review the cost analysis. This will still be empty, but it is an important overview to monitor costs during your objectives

1.2 Getting used to the portal

Before we dive further into the labs, let’s get used to the portal itself and its features.

  • In the top right corner, you have the settings wheel where you can set the language and some preferences, like menu items on the left always expanding (my favorite)
  • Find and open “Microsoft Entra ID”
  • Find and open “Virtual Machines”
  • Find and open “Virtual Networks”
  • Find and open “Storage Accounts”
  • Find and open “Resource groups”

1.3 Creating your first resource group

Assuming you have never created a resource group before, let’s create your first resource group, which is a grouped container of resources that host a service.

  • Head back to “Resource groups”
  • Create a new Resource Group
  • Place it in the region “West Europe”
  • Finish the wizard

1.4 Deleting the resource group

After we have created the resource group, let’s now delete it. We simulate that we have placed all resources of an objective in it and want to delete them in a single go.

  • Head back to “Resource groups”
  • Open the resource group just created
  • On the top, click “Delete resource group”
  • Type “delete” and proceed with the removal action, after you reviewed possible resources which existed in that resource group

1.5 The Azure Cloud Shell

To add a bit to the Azure experience, Azure has a Cloud Shell in the top right corner. This Cloud Shell consists of two different CLIs:

  • Bash (Linux based)
  • Azure PowerShell

Every action we can possibly do in the Portal can also be done using commands and scripts, which is useful for automation. I wanted to introduce you to this in advance, so we can do some deep dives later to learn the shell and its features.

Ensure the “Bash” option is selected and type this command:

Bash
az account list

This shows all subscriptions (accounts) in JSON format.

We could also create a resource group with Azure CLI just to try the experience.

Bash
az group create -l westeurope -n jv-az-lab-1

This creates a resource group named “jv-az-lab-1” in the West Europe region.

Then run this command:

Bash
az group delete -n jv-az-lab-1

This deletes the just created resource group named “jv-az-lab-1”.

We have now done some simple tasks with the Azure Cloud Shell, which we will dive deeper into later. The lab is now done, let’s check your knowledge!



If you think something is wrong with this post or you want to know more, you can send me a message to one of my social profiles at: https://justinverstijnen.nl/about/


The terms and conditions apply to this post.

2: Create your first Azure VM

In this objective, you will learn how to build and configure the required Azure resources in your own environment. Make sure you use your own Azure subscription, tenant, and resource groups when completing the tasks. The goal of this lab is to gain hands-on experience with setting up Azure infrastructure in a secure and structured way, to maximize the learning experience.

Difficulty: Easy

Introduction

In this lab, we will build a very small Infrastructure as a Service environment in Azure. The goal is to create one Windows Server virtual machine for Justin Verstijnen Inc. and configure Remote Desktop access through a Network Security Group rule.

This lab is not necessarily a complete step-by-step guide for every button in the Azure Portal. The main goal is to achieve the required end-state, understand what you are building and become more comfortable with Azure IaaS resources. The Azure Portal is updated regularly, so some buttons or menu names may be slightly different when you perform this lab.

In the previous lab, we prepared the Azure environment and created our first resource group. In this lab, we will dive deeper, re-creating the resource group for our first virtual machine and setting basic NSG Firewall rules.


Requirements

  • Around 30 minutes of your time
  • Access to an Azure subscription
  • Basic knowledge of the Azure Portal
  • Basic knowledge of Windows Server
  • Your own public IP address
  • Remote Desktop access from your own computer



Lab objective

Justin Verstijnen Inc. wants to create its first server in Azure. The company needs one Windows Server virtual machine that can be managed remotely with Remote Desktop.

The server must be protected by a Network Security Group. Remote Desktop access should only be allowed from your own public IP address.

Resource group

You need to create this resource group:

| Resource group name | Purpose |
| --- | --- |
| JV-LAB | All resources for this Azure VM lab |

If the resource group does not exist yet, you can create it during the virtual machine wizard. You can also use any existing resource group, but I advise you to use an empty resource group.

Server

You need to create this virtual machine:

| Server name | Description |
| --- | --- |
| JV-DC-SRV01 | Windows Server virtual machine (2019/2022/2025) |

Network

During the virtual machine wizard, you can create the network automatically, using default values. In a future guide, I will also require you to create the virtual network yourself.


2.1 Creating the virtual machine

Start by creating the virtual machine for this lab.

  • Open the Azure Portal
  • Find and open “Virtual machines”
  • Create a new Azure virtual machine
  • Use the resource group JV-LAB
  • Use the virtual machine name JV-DC-SRV01
  • Place it in the region “West Europe”
  • Choose a Windows Server image, for example “Windows Server 2022”
  • Choose a small VM size for this lab, for example Standard D2as_v7
  • Create a local administrator account
  • Make sure a public IP address is created
  • Do not open inbound ports during the VM wizard
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group | JV-LAB |
| Virtual machine name | JV-DC-SRV01 |
| Region | West Europe |
| Image | Windows Server 2022 |
| Size | Small lab size, for example Standard D2as_v7 |
| Public IP address | Yes |
| Public inbound ports | None |
| Network Security Group | JV-NSG-DC-SRV01 |

The VM is now created, but Remote Desktop should not be reachable yet. This is expected, because we still need to create the inbound rule in the Network Security Group.

You can also create the VM with Azure Cloud Shell.

Bash
az vm create \
  --resource-group JV-LAB \
  --name JV-DC-SRV01 \
  --image Win2022Datacenter \
  --size Standard_D2as_v7 \
  --admin-username azureadmin \
  --vnet-name JV-VNET01 \
  --subnet default \
  --public-ip-sku Standard \
  --nsg JV-NSG-DC-SRV01 \
  --nsg-rule NONE

This creates a Windows Server VM without automatically opening RDP to the internet.

2.2 Finding your public IP address

The RDP rule should only allow access from your own public IP address. This is safer than allowing RDP from the entire internet.

You can find your public IP address by using this tool: https://tools.justinverstijnen.nl/iplookuptool. Copy the public IP address, as you will need it in the next step.

2.3 Creating the RDP rule in the Network Security Group

Now create an inbound security rule to allow Remote Desktop traffic to the virtual machine.

  • Open the Azure Portal
  • Find and open “Network Security Groups”
  • Open JV-NSG-DC-SRV01
  • Go to “Inbound security rules”
  • Create a new rule
  • Use the following values:
| Setting | Value |
| --- | --- |
| Source | IP Addresses |
| Source IP addresses/CIDR ranges | Your own public IP address, for example 1.2.3.4/32 |
| Source port ranges | * |
| Destination | Any |
| Service | RDP |
| Destination port ranges | 3389 |
| Protocol | TCP |
| Action | Allow |
| Priority | 1000 |
| Name | Allow-RDP-From-My-IP |

Be careful with opening RDP to the internet. For a real production environment, you should use a more secure management solution, like Azure Bastion, VPN or Just-in-time VM access.

You can also create the RDP rule with Azure Cloud Shell.

Bash
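# Note: when this runs inside Azure Cloud Shell, the lookup returns the public IP
# of the Cloud Shell session, not of your own computer. In that case set MY_IP
# by hand to the address you found in step 2.2.
MY_IP=$(curl -s https://api.ipify.org)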

az network nsg rule create \
  --resource-group JV-LAB \
  --nsg-name JV-NSG-DC-SRV01 \
  --name Allow-RDP-From-My-IP \
  --priority 1000 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes "$MY_IP/32" \
  --source-port-ranges '*' \
  --destination-address-prefixes '*' \
  --destination-port-ranges 3389

This creates an inbound rule that only allows RDP from your own public IP address.

2.4 Connecting to the virtual machine

After the RDP rule is created, connect to the virtual machine.

  • Open JV-DC-SRV01 in the Azure Portal
  • Open “Connect”
  • Choose “RDP”
  • Download the RDP file or copy the public IP address
  • Open Remote Desktop Connection on your own computer
  • Connect to the public IP address of the VM
  • Log in with the local administrator account you created during the VM deployment

If the connection does not work, check the following items:

  • The VM is running
  • The VM has a public IP address
  • The Network Security Group contains an inbound allow rule for TCP port 3389
  • The source IP address in the NSG rule matches your current public IP address
  • Your local network allows outbound RDP traffic

You can test the RDP port from your own computer, outside of the RDP connection with PowerShell.

PowerShell
Test-NetConnection <public-ip-address> -Port 3389

Replace <public-ip-address> with the public IP address of your virtual machine.

2.5 Testing the lab objective

Now validate if the environment meets the requirements.

Check the following items:

  • JV-DC-SRV01 exists
  • The VM runs Windows Server 2022
  • The VM has a public IP address
  • The VM is connected to a virtual network
  • The VM has a Network Security Group
  • The NSG has an inbound rule for RDP on TCP port 3389
  • The RDP rule only allows access from your own public IP address
  • You can log in to the VM using Remote Desktop
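
The NSG items in this checklist can also be checked by script. The following is an added example, not part of the original lab: it audits rule JSON in the shape printed by `az network nsg rule list --output json` and reports every inbound allow rule that reaches TCP 3389 from more than your own address. The sample rules, the 203.0.113.x and 198.51.100.x addresses and all function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape printed by:
#   az network nsg rule list --resource-group JV-LAB --nsg-name JV-NSG-DC-SRV01 --output json
# 203.0.113.10 (documentation range) stands in for "your own public IP address".
SAMPLE_RULES = json.loads("""
[
  {"name": "Allow-RDP-From-My-IP", "priority": 1000, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp",
   "sourceAddressPrefix": "203.0.113.10/32", "sourceAddressPrefixes": [],
   "destinationPortRange": "3389", "destinationPortRanges": []},
  {"name": "Temp-Allow-Mgmt", "priority": 1100, "direction": "Inbound",
   "access": "Allow", "protocol": "*",
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": null, "destinationPortRanges": ["22", "3000-4000"]},
  {"name": "Allow-RDP-Office", "priority": 1200, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp",
   "sourceAddressPrefix": null, "sourceAddressPrefixes": ["198.51.100.0/24"],
   "destinationPortRange": "3389", "destinationPortRanges": []},
  {"name": "Deny-RDP-Other", "priority": 4000, "direction": "Inbound",
   "access": "Deny", "protocol": "Tcp",
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "3389", "destinationPortRanges": []}
]
""")

ANY_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}


def _values(rule, single, plural):
    """Merge the singular and plural form of a rule field into one list."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def covers_port(port_spec, port):
    """True if an NSG port entry ('*', '3389' or '3000-4000') includes port."""
    spec = port_spec.strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def classify_source(prefix):
    """Return 'any', 'single', 'range' or 'tag' for a source address prefix."""
    if prefix.lower() in ANY_SOURCES:
        return "any"
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return "tag"  # a service tag such as VirtualNetwork
    return "single" if net.num_addresses == 1 else "range"


def audit_rdp_exposure(rules, port=3389, expected_source=None):
    """List (rule, source, reason) for inbound allow rules that expose the port.

    Each rule is judged on its own; a higher-priority deny rule that would
    shadow it is not taken into account, so treat the output as a review list.
    """
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound" or rule["access"].lower() != "allow":
            continue
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(covers_port(p, port) for p in ports):
            continue
        for src in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
            kind = classify_source(src)
            if kind == "any":
                findings.append((rule["name"], src, "open to any source"))
            elif kind == "range":
                findings.append((rule["name"], src, "wider than a single address"))
            elif kind == "tag":
                findings.append((rule["name"], src, "service tag, review manually"))
            elif expected_source and ipaddress.ip_network(src) != ipaddress.ip_network(expected_source):
                findings.append((rule["name"], src, "does not match your current public IP"))
    return findings


if __name__ == "__main__":
    for name, source, reason in audit_rdp_exposure(SAMPLE_RULES, expected_source="203.0.113.10"):
        print(f"{name}: source {source} is {reason}")
```

Passing a different `expected_source` also covers the troubleshooting case from 2.4 where your public IP has changed since the rule was created.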

2.6 Cleaning up the lab

When you are done, remove the resource group to prevent unexpected costs.

  • Open “Resource groups”
  • Open JV-LAB
  • Review all resources in the resource group
  • Click “Delete resource group”
  • Type the resource group name
  • Confirm the deletion

You can also remove the resource group with Azure Cloud Shell.

Bash
az group delete -n JV-LAB

The lab is now done, let’s check your knowledge!



3: Virtual networking fundamentals

In this objective, you will learn how to build and configure the required Azure resources in your own environment. Make sure you use your own Azure subscription, tenant, and resource groups when completing the tasks. The goal of this lab is to gain hands-on experience with setting up Azure infrastructure in a secure and structured way, to maximize the learning experience.

Difficulty: Easy

Introduction

In this lab, we will build the basic networking foundation for Justin Verstijnen Inc. in Microsoft Azure.

You will create a virtual network, configure custom DNS settings, create and associate a Network Security Group, and create a second virtual network. After that, you will configure VNet peering so that both virtual networks can communicate with each other.

This lab is not necessarily a complete step-by-step guide for every button in the Azure Portal. The main goal is to achieve the required end-state, understand what you are building and become more comfortable with Azure networking concepts.

The Azure Portal is updated regularly, so some buttons or menu names may be slightly different when you perform this lab.


Requirements

  • Around 30 minutes of your time
  • Access to an Azure subscription
  • Basic knowledge of the Azure Portal
  • Basic understanding of IP addressing and subnets
  • Basic understanding of firewall rules
  • Basic understanding of DNS



Lab objective

Justin Verstijnen Inc. wants to create a basic Azure network design with two virtual networks.

The first virtual network will be used as the main lab network. It must use a custom DNS configuration and have a Network Security Group attached to the subnet.

The second virtual network will be used to test VNet peering. After the peering is created, both virtual networks should be able to communicate with each other.

Resource group

You need to use this resource group:

| Resource group name | Purpose |
| --- | --- |
| JV-LAB | All resources for this Azure networking lab |

If the resource group does not exist yet, you can create it before starting the lab.

Virtual networks

You need to create the following virtual networks:

| Virtual network name | Address space | Subnet name | Subnet address range |
| --- | --- | --- | --- |
| JV-VNET01 | 10.69.0.0/16 | default | 10.69.0.0/24 |
| JV-VNET02 | 10.70.0.0/16 | default | 10.70.0.0/24 |

When working with subnets, you can use this subnet calculator:

https://tools.justinverstijnen.nl/subnetcalculator

DNS configuration

Configure the following DNS servers on JV-VNET01:

| DNS server order | IP address | Description |
| --- | --- | --- |
| 1 | 10.69.0.4 | Custom DNS server |
| 2 | 168.63.129.16 | Azure-provided DNS / Azure platform IP |

Important note: Azure reserves the first 3 IP addresses and last 2 in every subnet. In a real production environment, you should make sure the custom DNS IP address is actually usable and reachable. For this lab, configure the DNS settings according to the required objective.
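
The address plan above can be sanity-checked before anything is deployed. The following is an added example, not part of the original lab: it verifies that each subnet lies inside its virtual network, that the two networks to be peered do not overlap (peered virtual networks need non-overlapping address spaces), and whether a planned static address such as a DNS server is usable. It assumes the five reserved addresses per subnet are the network address, the three addresses after it, and the broadcast address; `PLAN`, `check_plan` and `check_host` are names made up for this sketch.

```python
import ipaddress
from itertools import combinations

# Values taken from this lab's objective tables.
PLAN = {
    "JV-VNET01": {"space": "10.69.0.0/16", "subnets": {"default": "10.69.0.0/24"}},
    "JV-VNET02": {"space": "10.70.0.0/16", "subnets": {"default": "10.70.0.0/24"}},
}
PEERINGS = [("JV-VNET01", "JV-VNET02")]
AZURE_PLATFORM_IP = "168.63.129.16"


def reserved_addresses(subnet):
    """Addresses Azure keeps for itself in a subnet (assumption stated above)."""
    net = ipaddress.ip_network(subnet)
    return {net[0], net[1], net[2], net[3], net[-1]}


def check_plan(plan, peerings):
    """Return a list of problems in the address plan; an empty list means OK."""
    problems = []
    for vnet_name, vnet in plan.items():
        space = ipaddress.ip_network(vnet["space"])
        subnets = {n: ipaddress.ip_network(c) for n, c in vnet["subnets"].items()}
        for subnet_name, net in subnets.items():
            if not net.subnet_of(space):
                problems.append(f"{vnet_name}/{subnet_name} {net} is outside address space {space}")
        for (a, net_a), (b, net_b) in combinations(subnets.items(), 2):
            if net_a.overlaps(net_b):
                problems.append(f"{vnet_name}: subnets {a} and {b} overlap")
    for left, right in peerings:
        space_l = ipaddress.ip_network(plan[left]["space"])
        space_r = ipaddress.ip_network(plan[right]["space"])
        if space_l.overlaps(space_r):
            problems.append(f"peering {left} <-> {right}: address spaces {space_l} and {space_r} overlap")
    return problems


def check_host(plan, vnet_name, address):
    """Classify a planned address: 'usable', 'reserved', 'platform' or 'outside'."""
    if address == AZURE_PLATFORM_IP:
        return "platform"  # the Azure platform IP, not an address inside the subnet
    ip = ipaddress.ip_address(address)
    for cidr in plan[vnet_name]["subnets"].values():
        if ip in ipaddress.ip_network(cidr):
            return "reserved" if ip in reserved_addresses(cidr) else "usable"
    return "outside"


if __name__ == "__main__":
    print(check_plan(PLAN, PEERINGS) or "address plan OK")
    # 10.69.0.4 is the DNS server in the objective table, 10.69.0.1 the one in step 3.3.
    for candidate in ("10.69.0.4", "10.69.0.1", AZURE_PLATFORM_IP):
        print(candidate, "->", check_host(PLAN, "JV-VNET01", candidate))
```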

Network Security Group

Create this Network Security Group:

| Network Security Group name | Purpose |
| --- | --- |
| JV-NSG-VNET01 | NSG for the subnet in JV-VNET01 |

The NSG must contain two inbound allow rules:

| Rule name | Protocol | Port | Destination |
| --- | --- | --- | --- |
| Allow-HTTP-Inbound | TCP | 80 | 10.69.0.4 |
| Allow-HTTPS-Inbound | TCP | 443 | 10.69.0.4 |

The NSG must be associated with the default subnet in JV-VNET01.


3.1 Creating the resource group

Start by creating or opening the lab resource group.

  • Open the Azure Portal
  • Find and open “Resource groups”
  • Create a new resource group
  • Use the resource group name JV-LAB
  • Place it in the region “West Europe”
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group name | JV-LAB |
| Region | West Europe |

You can also create the resource group with Azure Cloud Shell.

Bash
az group create \
  --name JV-LAB \
  --location westeurope

3.2 Creating the first virtual network

Now create the first virtual network.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Create a new virtual network
  • Use the resource group JV-LAB
  • Use the virtual network name JV-VNET01
  • Place it in the region “West Europe”
  • Configure the address space 10.69.0.0/16
  • Create a subnet named default
  • Configure the subnet address range 10.69.0.0/24
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group | JV-LAB |
| Virtual network name | JV-VNET01 |
| Region | West Europe |
| Address space | 10.69.0.0/16 |
| Subnet name | default |
| Subnet address range | 10.69.0.0/24 |

You can also create the virtual network with Azure Cloud Shell.

Bash
az network vnet create \
  --resource-group JV-LAB \
  --name JV-VNET01 \
  --location westeurope \
  --address-prefixes 10.69.0.0/16 \
  --subnet-name default \
  --subnet-prefixes 10.69.0.0/24

3.3 Configuring custom DNS on JV-VNET01

After creating the first virtual network, configure the DNS servers.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Open JV-VNET01
  • Go to “DNS servers”
  • Choose “Custom”
  • Add the following DNS servers:
| Order | DNS server |
| --- | --- |
| 1 | 10.69.0.1 |
| 2 | 168.63.129.16 |
  • Save the configuration

The first DNS server is the custom DNS server for this lab. The second DNS server is the Azure platform DNS IP address.

You can also configure the DNS settings with Azure Cloud Shell.

Bash
az network vnet update \
  --resource-group JV-LAB \
  --name JV-VNET01 \
  --dns-servers 10.69.0.1 168.63.129.16

If virtual machines are already connected to this virtual network, they may need to be restarted before they use the new DNS configuration.


3.4 Creating the Network Security Group

Now create the Network Security Group for the first virtual network.

  • Open the Azure Portal
  • Find and open “Network Security Groups”
  • Create a new Network Security Group
  • Use the resource group JV-LAB
  • Use the name JV-NSG-VNET01
  • Place it in the region “West Europe”
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group | JV-LAB |
| Network Security Group name | JV-NSG-VNET01 |
| Region | West Europe |

You can also create the Network Security Group with Azure Cloud Shell.

Bash
az network nsg create \
  --resource-group JV-LAB \
  --name JV-NSG-VNET01 \
  --location westeurope

3.5 Creating the HTTP and HTTPS rules

Create two inbound security rules in the Network Security Group.

The first rule allows HTTP traffic to 10.69.0.4.

  • Open the Azure Portal
  • Find and open “Network Security Groups”
  • Open JV-NSG-VNET01
  • Go to “Inbound security rules”
  • Create a new rule
  • Use the following values:
| Setting | Value |
| --- | --- |
| Source | Any |
| Source port ranges | * |
| Destination | IP Addresses |
| Destination IP addresses/CIDR ranges | 10.69.0.4 |
| Service | Custom |
| Destination port ranges | 80 |
| Protocol | TCP |
| Action | Allow |
| Priority | 1000 |
| Name | Allow-HTTP-Inbound |

Now create the second rule for HTTPS.

| Setting | Value |
| --- | --- |
| Source | Any |
| Source port ranges | * |
| Destination | IP Addresses |
| Destination IP addresses/CIDR ranges | 10.69.0.4 |
| Service | Custom |
| Destination port ranges | 443 |
| Protocol | TCP |
| Action | Allow |
| Priority | 1010 |
| Name | Allow-HTTPS-Inbound |

You can also create both rules with Azure Cloud Shell.

Bash
az network nsg rule create \
  --resource-group JV-LAB \
  --nsg-name JV-NSG-VNET01 \
  --name Allow-HTTP-Inbound \
  --priority 1000 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes '*' \
  --source-port-ranges '*' \
  --destination-address-prefixes 10.69.0.4 \
  --destination-port-ranges 80

az network nsg rule create \
  --resource-group JV-LAB \
  --nsg-name JV-NSG-VNET01 \
  --name Allow-HTTPS-Inbound \
  --priority 1010 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes '*' \
  --source-port-ranges '*' \
  --destination-address-prefixes 10.69.0.4 \
  --destination-port-ranges 443

3.6 Associating the NSG with the subnet

A Network Security Group is not directly associated with an entire virtual network. Instead, it is associated with a subnet or a network interface.

For this lab, associate JV-NSG-VNET01 with the default subnet in JV-VNET01.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Open JV-VNET01
  • Go to “Subnets”
  • Open the default subnet
  • Select the Network Security Group JV-NSG-VNET01
  • Save the subnet configuration

You can also associate the NSG with the subnet using Azure Cloud Shell.

Bash
az network vnet subnet update \
  --resource-group JV-LAB \
  --vnet-name JV-VNET01 \
  --name default \
  --network-security-group JV-NSG-VNET01

3.7 Creating the second virtual network

Now create the second virtual network.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Create a new virtual network
  • Use the resource group JV-LAB
  • Use the virtual network name JV-VNET02
  • Place it in the region “West Europe”
  • Configure the address space 10.70.0.0/16
  • Create a subnet named default
  • Configure the subnet address range 10.70.0.0/24
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group | JV-LAB |
| Virtual network name | JV-VNET02 |
| Region | West Europe |
| Address space | 10.70.0.0/16 |
| Subnet name | default |
| Subnet address range | 10.70.0.0/24 |

You can also create the second virtual network with Azure Cloud Shell.

Bash
az network vnet create \
  --resource-group JV-LAB \
  --name JV-VNET02 \
  --location westeurope \
  --address-prefixes 10.70.0.0/16 \
  --subnet-name default \
  --subnet-prefixes 10.70.0.0/24

3.8 Creating VNet peering from JV-VNET01 to JV-VNET02

Now configure VNet peering from JV-VNET01 to JV-VNET02. A peering is a link between multiple networks over the Azure backbone. This gives a fast, low-latency but unencrypted connection.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Open JV-VNET01
  • Go to “Peerings”
  • Create a new peering
  • Use the following values:
| Setting | Value |
| --- | --- |
| Peering link name from JV-VNET01 to remote virtual network | JV-VNET01-to-JV-VNET02 |
| Remote virtual network | JV-VNET02 |
| Peering link name from remote virtual network to JV-VNET01 | JV-VNET02-to-JV-VNET01 |
| Allow JV-VNET01 to access JV-VNET02 | Enabled |
| Allow JV-VNET02 to access JV-VNET01 | Enabled |
| Allow forwarded traffic | Disabled |
| Allow gateway transit | Disabled |
| Use remote gateway | Disabled |

Finish the wizard.

If both virtual networks are in the same subscription and region, the Azure Portal can create both peering directions during the same wizard.

You can also create the peerings with Azure Cloud Shell.

Bash
VNET01_ID=$(az network vnet show \
  --resource-group JV-LAB \
  --name JV-VNET01 \
  --query id \
  --output tsv)

VNET02_ID=$(az network vnet show \
  --resource-group JV-LAB \
  --name JV-VNET02 \
  --query id \
  --output tsv)

az network vnet peering create \
  --resource-group JV-LAB \
  --vnet-name JV-VNET01 \
  --name JV-VNET01-to-JV-VNET02 \
  --remote-vnet "$VNET02_ID" \
  --allow-vnet-access

az network vnet peering create \
  --resource-group JV-LAB \
  --vnet-name JV-VNET02 \
  --name JV-VNET02-to-JV-VNET01 \
  --remote-vnet "$VNET01_ID" \
  --allow-vnet-access

3.9 Testing the lab objective

Now validate if the environment meets the requirements.

Check the following items:

  • The resource group JV-LAB exists
  • The virtual network JV-VNET01 exists
  • JV-VNET01 uses address space 10.69.0.0/16
  • JV-VNET01 contains the subnet default
  • The subnet in JV-VNET01 uses address range 10.69.0.0/24
  • JV-VNET01 has custom DNS configured
  • The first DNS server is 10.69.0.1
  • The second DNS server is 168.63.129.16
  • The Network Security Group JV-NSG-VNET01 exists
  • The NSG is associated with the default subnet in JV-VNET01
  • The NSG contains an inbound rule for HTTP on TCP port 80
  • The HTTP rule allows traffic to 10.69.0.4
  • The NSG contains an inbound rule for HTTPS on TCP port 443
  • The HTTPS rule allows traffic to 10.69.0.4
  • The virtual network JV-VNET02 exists
  • JV-VNET02 uses address space 10.70.0.0/16
  • JV-VNET02 contains the subnet default
  • The subnet in JV-VNET02 uses address range 10.70.0.0/24
  • VNet peering exists from JV-VNET01 to JV-VNET02
  • VNet peering exists from JV-VNET02 to JV-VNET01
  • Both peering connections show as connected

If you have virtual machines in both networks, you can also test connectivity between them.

For example, from a VM in JV-VNET01, test a VM in JV-VNET02:

PowerShell
Test-NetConnection <private-ip-address-in-JV-VNET02>

Replace <private-ip-address-in-JV-VNET02> with the private IP address of a virtual machine in JV-VNET02.


3.10 Cleaning up the lab

When you are done, remove the resource group to prevent unexpected costs.

  • Open “Resource groups”
  • Open JV-LAB
  • Review all resources in the resource group
  • Click “Delete resource group”
  • Type the resource group name
  • Confirm the deletion

You can also remove the resource group with Azure Cloud Shell.

Bash
az group delete \
  --name JV-LAB

The lab is now done, let’s check your knowledge!



4: Azure Virtual Machines setup

In this objective, you will learn how to build and configure the required Azure resources in your own environment. Make sure you use your own Azure subscription, tenant, and resource groups when completing the tasks. The goal of this lab is to gain hands-on experience with setting up Azure infrastructure in a secure and structured way, to maximize the learning experience.

Difficulty: Easy to Medium

Introduction

In this lab, we will build our first real Infrastructure as a Service environment with virtual machines in Azure. The goal is to create a small but useful server environment for Justin Verstijnen Inc. using Azure Virtual Machines, a Virtual Network, Active Directory Domain Services and an application server.

This lab is not necessarily a complete step-by-step guide for every button in the Azure Portal. The main goal is to achieve the required end-state, understand what you are building and become more comfortable with Azure IaaS resources. The Azure Portal is updated regularly, so some buttons or menu names may be slightly different when you perform this lab.

In the previous lab, we prepared the Azure environment and created our first resource group. In this lab, we will now start using the resource group for actual infrastructure.


Requirements

  • Around 60 to 120 minutes of your time
  • Access to an Azure subscription
  • Basic knowledge of the Azure Portal
  • Basic knowledge of Windows Server
  • A domain name to use for the Active Directory domain
  • Remote Desktop access to the created virtual machines



Lab objective

Justin Verstijnen Inc. wants to deploy a secure and manageable network in Azure. The company needs a domain controller to manage Active Directory and DNS, and a separate application server to host business applications.

Both servers must be located in the same virtual network, joined to the same Active Directory domain and configured with the required roles.

Company domain

Use the following Active Directory domain for this lab:

justinverstijnen.nl

Resource group

All resources can be created in one resource group.

Resource group name | Purpose
JV-LAB | All resources for this Azure IaaS lab

Servers

Server name | IP address | Description
JV-DC-SRV01 | 10.0.0.100 | Domain controller, DNS server
JV-APP-SRV01 | 10.0.0.101 | Application server, IIS

Network

The network should remain as simple as possible, using a single virtual network and a single subnet.

Network name | Network
JV-VNET01 | 10.0.0.0/16

Recommended subnet:

Subnet name | Network
default | 10.0.0.0/24

2.1 Creating the resource group

Start by creating the resource group for this lab.

  • Open the Azure Portal
  • Find and open “Resource groups”
  • Create a new Resource Group
  • Use the name JV-LAB
  • Place it in the region “West Europe”
  • Finish the wizard

You can also create the resource group with Azure Cloud Shell.

Bash
az group create -l westeurope -n JV-LAB

This creates the resource group named JV-LAB in the West Europe region.

2.2 Creating the virtual network

Now create the virtual network where the servers will be connected.

  • Find and open “Virtual networks”
  • Create a new Virtual Network
  • Place it in the JV-LAB resource group
  • Use the name JV-VNET01
  • Use the address space 10.0.0.0/16
  • Create a subnet named default
  • Use the subnet range 10.0.0.0/24
  • Finish the wizard

You can also create the virtual network with Azure Cloud Shell.

Bash
az network vnet create \
  --resource-group JV-LAB \
  --name JV-VNET01 \
  --address-prefix 10.0.0.0/16 \
  --subnet-name default \
  --subnet-prefix 10.0.0.0/24

After creating the virtual network, review the subnet and check if the address ranges are correct.

2.3 Creating dedicated Network Security Groups

Each server must have its own dedicated Network Security Group. This makes it easier to understand which security rules apply to which server.

Create the following Network Security Groups:

NSG name | Purpose
JV-NSG-DC-SRV01 | Network Security Group for the domain controller
JV-NSG-APP-SRV01 | Network Security Group for the application server

Recommended inbound rules for this lab:

Rule | Purpose | Recommendation
RDP | Remote management | Only allow from your own public IP address
ICMP | Testing ping between servers | Only allow inside the virtual network
HTTP | Testing IIS on the application server | Only allow where needed

Be careful with opening RDP to the internet. For a real production environment, you should use a more secure management solution, like Azure Bastion, VPN or Just-in-time VM access.
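
The Network Security Groups and inbound rules from the tables above can also be created from Azure Cloud Shell. The script below is an added example and not part of the original lab: the rule names, the priorities, the file name in the usage comment and the choice to allow HTTP only from inside the virtual network are assumptions.

```bash
#!/bin/sh
# Added example, not part of the original lab. NSG names and JV-LAB come from
# the lab tables; rule names and priorities are assumptions for this example.
RG="JV-LAB"
LOCATION="westeurope"

# Succeeds only for one public IPv4 address. Rejects "*", "Internet", CIDR
# ranges and private or reserved addresses, so the RDP rule can never be
# created open to the whole internet or scoped to an unroutable source.
is_public_ipv4() {
  ip=$1
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac    # leading zero or too long
    [ "$o" -le 255 ] || return 1
  done
  case $1 in 0|10|127) return 1 ;; esac       # unspecified, private, loopback
  [ "$1" -ge 224 ] && return 1                # multicast and reserved
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1
  [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1      # link-local
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1  # CGNAT
  return 0
}

# Create one inbound Allow rule; remaining arguments go to the Azure CLI as-is.
add_inbound_rule() {
  rule_nsg=$1 rule_name=$2 rule_priority=$3
  shift 3
  az network nsg rule create --resource-group "$RG" --nsg-name "$rule_nsg" \
    --name "$rule_name" --priority "$rule_priority" \
    --direction Inbound --access Allow --output none "$@"
}

# Create both dedicated NSGs with the recommended inbound rules.
create_lab_nsgs() {
  admin_ip=$1
  if ! is_public_ipv4 "$admin_ip"; then
    echo "Refusing to create the RDP rule: '$admin_ip' is not a single public IPv4 address" >&2
    return 2
  fi
  for nsg in JV-NSG-DC-SRV01 JV-NSG-APP-SRV01; do
    az network nsg create --resource-group "$RG" --name "$nsg" \
      --location "$LOCATION" --output none || return 1
    # RDP: only from the administrator's own public IP address
    add_inbound_rule "$nsg" Allow-RDP-From-Admin-IP 1000 --protocol Tcp \
      --source-address-prefixes "$admin_ip/32" --destination-port-ranges 3389 || return 1
    # ICMP: only from inside the virtual network (VirtualNetwork service tag)
    add_inbound_rule "$nsg" Allow-ICMP-From-VNet 1010 --protocol Icmp \
      --source-address-prefixes VirtualNetwork --destination-port-ranges '*' || return 1
  done
  # HTTP: application server only, and only from inside the virtual network
  add_inbound_rule JV-NSG-APP-SRV01 Allow-HTTP-From-VNet 1020 --protocol Tcp \
    --source-address-prefixes VirtualNetwork --destination-port-ranges 80
}

# Print the names of inbound Allow rules on an NSG whose source is any address.
list_internet_open_rules() {
  az network nsg rule list --resource-group "$RG" --nsg-name "$1" --output tsv \
    --query "[?direction=='Inbound' && access=='Allow' && (sourceAddressPrefix=='*' || sourceAddressPrefix=='Internet' || sourceAddressPrefix=='0.0.0.0/0')].name"
}

# Usage (hypothetical file name): sh lab-nsgs.sh <your-public-ip>
if [ $# -ge 1 ]; then
  create_lab_nsgs "$1"
fi
```

Pass the public IP address of your own workstation: an IP lookup executed inside Azure Cloud Shell returns the address of the Cloud Shell session, not yours. After the lab, `list_internet_open_rules JV-NSG-DC-SRV01` should print nothing.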

2.4 Creating the domain controller VM

Create the first virtual machine. This server will become the domain controller and DNS server.

Use the following values:

Setting | Value
Resource group | JV-LAB
Virtual machine name | JV-DC-SRV01
Region | West Europe
Image | Windows Server 2022
Virtual network | JV-VNET01
Subnet | default
Private IP address | 10.0.0.100
Network Security Group | JV-NSG-DC-SRV01

After creating the VM, open the Network Interface of the VM and make sure the private IP address is static.

The domain controller should always keep the same IP address, because DNS and domain services depend on it.

2.5 Installing Active Directory Domain Services

Log in to JV-DC-SRV01 using Remote Desktop.

Open PowerShell as Administrator and install the Active Directory Domain Services role.

PowerShell
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

After the role is installed, promote the server to a domain controller and create a new forest.

PowerShell
Install-ADDSForest `
  -DomainName "justinverstijnen.nl" `
  -DomainNetbiosName "JV" `
  -InstallDns:$true

You will be asked to enter a Directory Services Restore Mode password. After the configuration is completed, the server will reboot.

After the reboot, log in with the domain administrator account.

2.6 Configuring DNS for the virtual network

The application server must use the domain controller as DNS server. Otherwise, it will not be able to find the Active Directory domain.

  • Open JV-VNET01
  • Go to “DNS servers”
  • Select “Custom”
  • Add 10.0.0.100
  • Save the configuration

After changing the DNS server of the virtual network, restart the VMs or renew the network configuration inside the VMs.

You can also configure the DNS server with Azure Cloud Shell.

Bash
az network vnet update \
  --resource-group JV-LAB \
  --name JV-VNET01 \
  --dns-servers 10.0.0.100

2.7 Creating the application server VM

Create the second virtual machine. This server will become the application server.

Use the following values:

Setting | Value
Resource group | JV-LAB
Virtual machine name | JV-APP-SRV01
Region | West Europe
Image | Windows Server 2022
Virtual network | JV-VNET01
Subnet | default
Private IP address | 10.0.0.101
Network Security Group | JV-NSG-APP-SRV01

After creating the VM, open the Network Interface of the VM and make sure the private IP address is static.

2.8 Joining the application server to the domain

Log in to JV-APP-SRV01 using Remote Desktop.

Before joining the domain, check if the server can resolve the domain name.

PowerShell
Resolve-DnsName justinverstijnen.nl

Also test if the domain controller can be reached.

PowerShell
Test-Connection 10.0.0.100

If DNS and network connectivity work, join the server to the domain.

PowerShell
Add-Computer -DomainName "justinverstijnen.nl" -Restart

After the reboot, log in using a domain account.

2.9 Installing IIS on the application server

The application server must host a basic web service. We will use IIS for this lab.

Open PowerShell as Administrator on JV-APP-SRV01 and run the following command:

PowerShell
Install-WindowsFeature Web-Server -IncludeManagementTools

After the installation, test the IIS default website locally.

PowerShell
Invoke-WebRequest http://localhost

You can also browse to the private IP address of the application server from the domain controller.

PowerShell
Invoke-WebRequest http://10.0.0.101

2.10 Testing the lab objective

Now validate if the environment meets the requirements.

Check the following items:

  • JV-DC-SRV01 exists and has private IP address 10.0.0.100
  • JV-APP-SRV01 exists and has private IP address 10.0.0.101
  • Both servers run Windows Server 2022
  • Both servers are connected to JV-VNET01
  • Both servers can ping each other
  • JV-DC-SRV01 is a domain controller for justinverstijnen.nl
  • JV-APP-SRV01 is joined to justinverstijnen.nl
  • IIS is installed on JV-APP-SRV01
  • Both servers have their own dedicated Network Security Group

Useful validation commands:

PowerShell
whoami
hostname
ipconfig /all
Test-Connection 10.0.0.100
Test-Connection 10.0.0.101

Run this command on the domain controller to check if the application server is known in Active Directory.

PowerShell
Get-ADComputer -Filter * | Select-Object Name, Enabled

2.11 Cleaning up the lab

When you are done, remove the resource group to prevent unexpected costs.

  • Open “Resource groups”
  • Open JV-LAB
  • Review all resources in the resource group
  • Click “Delete resource group”
  • Type the resource group name
  • Confirm the deletion

You can also remove the resource group with Azure Cloud Shell.

Bash
az group delete -n JV-LAB

The lab is now done.

5: Azure IaaS + Azure Virtual Desktop

In this objective, you will learn how to build and configure the required Azure resources in your own environment. Make sure you use your own Azure subscription, tenant, and resource groups when completing the tasks. The goal of this lab is to gain hands-on experience with setting up Azure infrastructure in a secure and structured way, so that you get the most out of the learning experience.

Difficulty: Medium

Introduction

In this lab, we will combine Azure Infrastructure as a Service with Azure Virtual Desktop. This is a more advanced lab objective than the previous IaaS lab, because we now add a remote work solution for 16 concurrent employees.

The environment will contain a domain controller, separate resource groups, multiple virtual networks, Azure Virtual Desktop session hosts and FSLogix profile containers stored on an Azure Storage Account.

This lab is not necessarily a complete step-by-step guide for every button in the Azure Portal. The main goal is to achieve the required end-state and understand how the resources depend on each other. Steps may vary as Microsoft updates the Azure Portal and Azure Virtual Desktop experience regularly.


Requirements

  • Around 4 to 6 hours of your time
  • Access to an Azure subscription
  • Basic knowledge of Azure IaaS
  • Basic knowledge of Windows Server and Active Directory Domain Services
  • Basic knowledge of Remote Desktop concepts
  • A domain name to use for the Active Directory domain
  • Test users which can sign in to Azure Virtual Desktop

Minimizing Azure costs

Registering your credit card with Azure might sound like paying a huge amount of bucks every month, but it’s relatively cheap to try Azure and to perform some labs in it. You do have to adapt to the Pay-as-you-go structure. I will give you the following guidelines to minimize the costs:

  • Shut down unused VMs
    • VMs are the most expensive when running; when not running, you still pay for disks and IP addresses
  • Remove unused resources
  • Place all testing resources in one resource group, which makes the deletion action very fast and easy
  • Set up Budgets in your subscription

My best recommendation is to do a Lab objective, check if everything works, check your configuration and immediately remove all resources. There is a good chance you will not even pay 1 euro, depending on how long you spend on the lab objective.


Lab objective

Justin Verstijnen Inc. wants to deploy a secure and future-ready network in Azure, including the ability for employees to work remotely using Azure Virtual Desktop. The environment must support 16 concurrent employees.

The remote work solution must use Azure Virtual Desktop, and user profiles must work across both session hosts by using FSLogix profile containers stored on Azure Files.

Company domain

Use the following Active Directory domain for this lab:

justinverstijnen.nl

Resource groups

Solutions should be separated into dedicated resource groups as much as possible.

Resource group name | Purpose
JV-RG-Infrastructure | All resources for the general infrastructure
JV-RG-VirtualDesktop | All resources for Azure Virtual Desktop
JV-RG-Backups | All resources related to backups

Servers

Roles should be placed on separate servers as much as possible.

Server name | IP address | Description
JV-DC-SRV01 | 10.0.0.10 | Domain controller, DNS server
JV-APP-SRV01* | 10.0.0.11* | Application server*

* If there is sufficient time remaining.

Azure Virtual Desktop

Use a single host pool for the Azure Virtual Desktop machines.

Resource | Name | Purpose
Host pool | JV-AVD-Hostpool | General host pool for all 16 employees
Workspace | JV-AVD-Workspace | Workspace used by the employees
Application group | JV-AVD-DesktopAppGroup | Desktop application group
Session host 1 | JV-AVD-SH01 | First Azure Virtual Desktop session host
Session host 2 | JV-AVD-SH02 | Second Azure Virtual Desktop session host

Network

Different solutions should be placed in their own network where possible.

Network name | Network | Purpose
JV-VNET01 | 10.0.0.0/16 | Infrastructure network
JV-VNET02 | 10.1.0.0/16 | Azure Virtual Desktop network

Recommended subnets:

Subnet name | Network | Purpose
infrastructure | 10.0.0.0/24 | Domain controller and optional application server
avd-sessionhosts | 10.1.0.0/24 | Azure Virtual Desktop session hosts

3.1 Creating the resource groups

Start by creating the resource groups for this lab.

Create the following resource groups in the West Europe region:

  • JV-RG-Infrastructure
  • JV-RG-VirtualDesktop
  • JV-RG-Backups

You can also create the resource groups with Azure Cloud Shell.

Bash
az group create -l westeurope -n JV-RG-Infrastructure
az group create -l westeurope -n JV-RG-VirtualDesktop
az group create -l westeurope -n JV-RG-Backups

After creating the resource groups, check if they are visible in the Azure Portal.

3.2 Creating the virtual networks

Create two virtual networks. One virtual network will be used for the infrastructure servers, and one virtual network will be used for the Azure Virtual Desktop session hosts.

Create the infrastructure virtual network:

Bash
az network vnet create \
  --resource-group JV-RG-Infrastructure \
  --name JV-VNET01 \
  --address-prefix 10.0.0.0/16 \
  --subnet-name infrastructure \
  --subnet-prefix 10.0.0.0/24

Create the Azure Virtual Desktop virtual network:

Bash
az network vnet create \
  --resource-group JV-RG-VirtualDesktop \
  --name JV-VNET02 \
  --address-prefix 10.1.0.0/16 \
  --subnet-name avd-sessionhosts \
  --subnet-prefix 10.1.0.0/24

Review both virtual networks before continuing.

3.3 Creating virtual network peering

The two virtual networks must be able to communicate with each other. This is needed because the Azure Virtual Desktop session hosts must be able to reach the domain controller.

Create peering from JV-VNET01 to JV-VNET02:

Bash
az network vnet peering create \
  --resource-group JV-RG-Infrastructure \
  --vnet-name JV-VNET01 \
  --name JV-VNET01-to-JV-VNET02 \
  --remote-vnet /subscriptions/$(az account show --query id -o tsv)/resourceGroups/JV-RG-VirtualDesktop/providers/Microsoft.Network/virtualNetworks/JV-VNET02 \
  --allow-vnet-access

Create peering from JV-VNET02 to JV-VNET01:

Bash
az network vnet peering create \
  --resource-group JV-RG-VirtualDesktop \
  --vnet-name JV-VNET02 \
  --name JV-VNET02-to-JV-VNET01 \
  --remote-vnet /subscriptions/$(az account show --query id -o tsv)/resourceGroups/JV-RG-Infrastructure/providers/Microsoft.Network/virtualNetworks/JV-VNET01 \
  --allow-vnet-access

After creating both peerings, open both virtual networks in the Azure Portal and check the peering status.

3.4 Creating the domain controller VM

Create the domain controller in the infrastructure resource group and infrastructure virtual network.

Use the following values:

Setting | Value
Resource group | JV-RG-Infrastructure
Virtual machine name | JV-DC-SRV01
Region | West Europe
Image | Windows Server 2025
Virtual network | JV-VNET01
Subnet | infrastructure
Private IP address | 10.0.0.10

After creating the VM, open the Network Interface of the VM and make sure the private IP address is static.

3.5 Installing Active Directory Domain Services

Log in to JV-DC-SRV01 using Remote Desktop.

Open PowerShell as Administrator and install the Active Directory Domain Services role.

PowerShell
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

After the role is installed, promote the server to a domain controller and create a new forest.

PowerShell
Install-ADDSForest `
  -DomainName "justinverstijnen.nl" `
  -DomainNetbiosName "JV" `
  -InstallDns:$true

You will be asked to enter a Directory Services Restore Mode password. After the configuration is completed, the server will reboot.

After the reboot, log in with the domain administrator account.

3.6 Configuring DNS for both virtual networks

The infrastructure network and the Azure Virtual Desktop network must both use the domain controller as DNS server.

Configure JV-VNET01 to use 10.0.0.10 as DNS server.

Bash
az network vnet update \
  --resource-group JV-RG-Infrastructure \
  --name JV-VNET01 \
  --dns-servers 10.0.0.10

Configure JV-VNET02 to use 10.0.0.10 as DNS server.

Bash
az network vnet update \
  --resource-group JV-RG-VirtualDesktop \
  --name JV-VNET02 \
  --dns-servers 10.0.0.10

After changing DNS settings, restart existing VMs or renew the network configuration inside the VMs.

3.7 Creating test users

Create a test group and test users for Azure Virtual Desktop access.

On the domain controller, open PowerShell as Administrator and run:

PowerShell
New-ADOrganizationalUnit -Name "Lab Users" -Path "DC=justinverstijnen,DC=nl"
New-ADGroup -Name "JV-AVD-Users" -GroupScope Global -GroupCategory Security -Path "OU=Lab Users,DC=justinverstijnen,DC=nl"

New-ADUser -Name "AVD User 01" -SamAccountName "avduser01" -UserPrincipalName "avduser01@justinverstijnen.nl" -Path "OU=Lab Users,DC=justinverstijnen,DC=nl" -AccountPassword (Read-Host -AsSecureString "Password") -Enabled $true
Add-ADGroupMember -Identity "JV-AVD-Users" -Members "avduser01"

You can create more users if you want to test multiple sessions.

3.8 Creating the Azure Storage Account for FSLogix

User profiles must work on both AVD machines. For this lab, the FSLogix profiles will be stored on an Azure Files share.

Create a Storage Account in the JV-RG-VirtualDesktop resource group.

Use a globally unique storage account name. For example:

jvavdprofiles001

Create a file share named:

profiles

Recommended settings for this lab:

Setting | Value
Resource group | JV-RG-VirtualDesktop
Storage account name | jvavdprofiles001 or another globally unique name
Region | West Europe
File share name | profiles
Protocol | SMB

Make sure the session hosts can access the storage account over the network. For a real production environment, you should review private endpoints, firewall settings and identity-based access carefully.

3.9 Preparing FSLogix profile permissions

FSLogix needs a profile location and the right permissions. In this lab, the user profile path will use the Azure Files share.

Example profile path:

\\jvavdprofiles001.file.core.windows.net\profiles

Make sure the users who will log in to Azure Virtual Desktop have the correct share permissions on the file share and the correct NTFS permissions inside the share.

A common lab approach is:

  • Give the AVD users access to the Azure Files share
  • Configure the required share permissions
  • Configure NTFS permissions from a domain joined server
  • Test access with a normal AVD test user before configuring FSLogix

From a domain joined server, you can test access to the share with:

PowerShell
Test-Path "\\jvavdprofiles001.file.core.windows.net\profiles"

Replace jvavdprofiles001 with your own storage account name.

3.10 Creating the Azure Virtual Desktop host pool

Now create the Azure Virtual Desktop host pool.

Use the following values:

Setting | Value
Resource group | JV-RG-VirtualDesktop
Host pool name | JV-AVD-Hostpool
Host pool type | Pooled
Load balancing | Breadth-first
Max session limit | 8
Number of session hosts | 2
Workspace | JV-AVD-Workspace
Application group | JV-AVD-DesktopAppGroup

Because the environment must support 16 concurrent employees and the lab requires 2 AVD machines, use a max session limit of 8 users per session host.

3.11 Creating the session hosts

Create two Azure Virtual Desktop session hosts in JV-VNET02.

Use the following values:

Setting | Value
Resource group | JV-RG-VirtualDesktop
Session host 1 | JV-AVD-SH01
Session host 2 | JV-AVD-SH02
Virtual network | JV-VNET02
Subnet | avd-sessionhosts
Domain join | justinverstijnen.nl
Host pool | JV-AVD-Hostpool

Make sure both session hosts can communicate with the domain controller before or during the domain join process.

Useful checks from a session host:

PowerShell
Resolve-DnsName justinverstijnen.nl
Test-Connection 10.0.0.10
nltest /dsgetdc:justinverstijnen.nl

If these checks fail, review virtual network peering, DNS settings and Network Security Group rules.

3.12 Assigning users to the Desktop Application Group

Users must be assigned to the Azure Virtual Desktop Application Group before they can see and start the desktop.

  • Open Azure Virtual Desktop
  • Open Application groups
  • Open JV-AVD-DesktopAppGroup
  • Go to “Assignments”
  • Assign the group or users that should access the desktop

In this lab, assign the test users or the group JV-AVD-Users.

3.13 Configuring FSLogix on the session hosts

FSLogix is used so that user profiles are available on both session hosts. Without FSLogix, users might get a different local profile when they connect to another session host.

On both session hosts, configure the FSLogix profile container location.

Open PowerShell as Administrator and run:

PowerShell
New-Item -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "Enabled" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "VHDLocations" -PropertyType MultiString -Value "\\jvavdprofiles001.file.core.windows.net\profiles" -Force

Replace jvavdprofiles001 with your own storage account name.

Restart both session hosts after configuring FSLogix.

3.14 Testing Azure Virtual Desktop

Now test the complete Azure Virtual Desktop flow.

Check the following items:

  • The user can see the desktop in the Azure Virtual Desktop client or web client
  • The user can start a desktop session
  • The user lands on one of the two session hosts
  • A profile container is created in the Azure Files share
  • The user can sign out and sign in again
  • The profile is available when the user lands on the other session host

Useful commands on a session host:

PowerShell
quser
hostname
whoami
Get-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles"

Useful checks for FSLogix:

  • Check if a .vhd or .vhdx file is created in the profile share
  • Check the FSLogix event logs on the session hosts
  • Check if the user profile is not stored only locally on one session host

3.15 Creating the optional application server

If there is sufficient time remaining, create the optional application server.

Use the following values:

Setting | Value
Resource group | JV-RG-Infrastructure
Virtual machine name | JV-APP-SRV01
Region | West Europe
Image | Windows Server 2025
Virtual network | JV-VNET01
Subnet | infrastructure
Private IP address | 10.0.0.11

Join the application server to the domain and install IIS.

PowerShell
Add-Computer -DomainName "justinverstijnen.nl" -Restart

After the reboot, install IIS.

PowerShell
Install-WindowsFeature Web-Server -IncludeManagementTools

3.16 Creating backups

Create backup resources in the JV-RG-Backups resource group.

For this lab, the minimum objective is to create a backup structure and understand which resources should be protected.

Recommended backup scope:

Resource | Backup recommendation
JV-DC-SRV01 | Azure VM backup
JV-APP-SRV01 | Azure VM backup, if created
FSLogix profile share | Azure Files backup or another tested backup method

Create a Recovery Services vault in JV-RG-Backups and configure backup for the VMs which should be protected.

Do not assume a backup works just because it is configured. Always check if restore points are created and test restore procedures in a real environment.

3.17 Testing the lab objective

Now validate if the environment meets the requirements.

Check the following items:

  • JV-RG-Infrastructure, JV-RG-VirtualDesktop and JV-RG-Backups exist
  • JV-VNET01 exists with address space 10.0.0.0/16
  • JV-VNET02 exists with address space 10.1.0.0/16
  • Both virtual networks are peered and can communicate with each other
  • JV-DC-SRV01 runs Windows Server 2025
  • JV-DC-SRV01 is a domain controller for justinverstijnen.nl
  • JV-AVD-Hostpool exists
  • The host pool contains two session hosts
  • The max session limit matches the 16 concurrent employee requirement
  • Users can access the desktop through Azure Virtual Desktop
  • FSLogix profiles are stored on Azure Files
  • A backup structure exists in JV-RG-Backups

Useful validation commands:

PowerShell
Resolve-DnsName justinverstijnen.nl
Test-Connection 10.0.0.10
nltest /dsgetdc:justinverstijnen.nl
quser
hostname
whoami

3.18 Cleaning up the lab

When you are done, remove the resource groups to prevent unexpected costs.

Review the resources before deleting them. Make sure you do not remove resources from another lab or production environment.

You can remove the lab resource groups with Azure Cloud Shell.

Bash
az group delete -n JV-RG-VirtualDesktop
az group delete -n JV-RG-Infrastructure
az group delete -n JV-RG-Backups

The lab is now done.