Azure Security and Management - Microsoft Cloud Workshop

Microsoft Cloud Workshop on Dec 01, 2018

In this workshop you will learn to design solutions using Azure’s native security and management services. With an increasing number of resources running in the cloud, enterprises need to apply the right capabilities to secure and manage their data and resources.

At the end of this workshop, you will be better able to design and implement security and management solutions in Azure, including inventory tracking and management, application performance monitoring, preventative maintenance, and application and security alerting.

Before the Hands-on Lab

Azure security and management
Before the hands-on lab setup guide
December 2018

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2018 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

Azure Security and Management before the hands-on lab setup guide

Requirements

  • A corporate e-mail address (e.g., your @microsoft.com email).

  • Microsoft Azure subscription must be pay-as-you-go or MSDN

    • Trial subscriptions will not work.
  • Local machine or an Azure LABVM virtual machine configured with:

    • Visual Studio 2017 Community Edition or later

    • Azure SDK 2.9.+ or Later for Visual Studio

    • Azure PowerShell 4.0 or later

Before the hands-on lab

Duration: 30 mins

Before attending the HOL, you should follow these steps to prepare your environment for an efficient day. Your first task will be to build a LABVM to use for the HOL and download some student files that will be used. Then, you will create a new Azure Dashboard to use during the HOL.

Task 1: Build a lab Virtual Machine in Azure

  1. Launch a browser and navigate to https://portal.azure.com. Once prompted, log in with your Microsoft Azure credentials. If prompted, choose whether your account is an organization account or just a Microsoft Account.

    Note: You may need to launch an "in-private" session in your browser if you have multiple Microsoft Accounts.

  2. Select +Create a resource, and in the search box, type in Visual Studio Community 2017, and press enter. Select the Visual Studio Community 2017 image running on Windows Server 2016.

    In the Azure Portal, Visual Studio Community 2017 on Windows Server 2016 (x64) is selected.

  3. Leave the default of Resource Manager deployment model and select Create.

    Under Select a deployment model, the Create button is selected.

  4. Set the following configuration on the Basics tab and select OK:

    • Name: LABVM

    • VM disk type: SSD

    • User name: demouser

    • Password: demo@pass123

    • Subscription: If you have multiple subscriptions, choose the subscription to execute your labs in.

    • Resource Group: OPSLABRG

    • Location: Choose the closest Azure region to you.

  5. Choose the DS2_V2 or D2S_V3 Standard instance size on the Size blade. Use the 'Search' filter to help find the size you need.

    The Choose a size blade displays

  6. In the Inbound Port Rules section, choose the Allow Selected ports drop-down (if shown) and select RDP.

  7. Leave the other settings at their default values, and select Review + Create on the Summary blade. The deployment should begin provisioning. It may take 10+ minutes for the virtual machine to complete provisioning.

  8. Once the deployment is complete, move on to the next exercise.

Task 2: Connect to LABVM and download and unzip student files

  1. Move back to the Portal page on your local machine and wait for LABVM to show the Status of Running. Once it is running, select Connect to open the 'Connect to virtual machine' blade.

    In the Virtual Machine blade, the Connect button is selected.

  2. On the RDP tab, select Download RDP File.

    In the Connect to virtual machine blade, the download RDP file button is highlighted.

  3. Log in with the credentials specified during creation:

    1. User: demouser

    2. Password: demo@pass123

  4. You will be presented with a Remote Desktop Connection warning because of a certificate trust issue. Select Yes to continue with the connection.

    Screenshot of the Remote Desktop Connection dialog box.

  5. When logging on for the first time, you will see a prompt on the right asking about network discovery. Select No.

    The No button is selected in the Networks prompt.

  6. Server Manager should open by default (otherwise open it from the Start menu). On the left, select Local Server.

    Screenshot of the Local Server option

  7. On the right side of the pane, find IE Enhanced Security Configuration. If it is On, select to open the settings.

    IE Enhanced Security Configuration is set to On.

  8. Change to Off for Administrators and select OK.

    Screenshot of the Internet Explorer Enhanced Security Configuration dialog box.

  9. In the lower left corner, click on the Windows button to open the Start Screen. Then, choose Internet Explorer to open it. On first use, you will be prompted about security settings. Accept the defaults by selecting OK.

    Screenshot of the Internet Explorer 11 dialog box.

  10. If prompted, choose to Turn Protected mode on.

    The Protected mode is set to Turn on Protected mode.

  11. In the URL address window enter the below URL and hit the Enter key. This will download the class files (in a .zip format) needed for the remaining labs: https://cloudworkshop.blob.core.windows.net/operations-management-suite/StudentFiles.zip

    Note: In some Azure VM images, the image is configured so that downloads are disabled. To enable the download of the Student Files, go to Internet Options, select the Security Tab, and on the Internet Zone select "Custom Level". Then scroll down to the Downloads section and select the radio button for Enable in the File Download subsection.

    File download is enabled in the downloads settings, under the Internet Options security settings 'custom level...' option

  12. You will be prompted about what you want to do with the file. Select Save.

    The Internet Explorer dialog box asks what you want to do with the StudentFiles.zip file, and Save is selected.

  13. Download progress is shown at the bottom of the browser window. When the download is complete, select Open folder.

  14. The Downloads folder opens. Right-click the zip file and select Extract All. In the Extract Compressed (Zipped) Folders window, enter C:\HOL in the Select a Destination and Extract Files dialog. Select the Extract button.

Task 3: Create a new Azure portal dashboard

  1. Open Internet Explorer on LABVM and point to https://portal.azure.com.

  2. Sign in to Azure using your credentials.

    Screenshot of the Azure sign-in pop-up.

  3. Once you are at the Azure Portal Dashboard select New Dashboard, and type the name My Dashboard, then select done customizing.

    Screenshot of the Azure Portal dashboard.

    The Tile Gallery search field is set to My Dashboard.

  4. Then navigate to your LABVM blade and use the "Pin" to add it to My Dashboard. This Dashboard will be used for the rest of this HOL.

    The pin icon is called out on the LabVM blade.

  5. If you're going to be finishing this lab today, then continue to the next exercise. Otherwise, if you won't be finishing the rest of the lab today, then it may be helpful to select Stop on your LABVM within the Azure Portal. This will put the VM into a Stopped / Deallocated state and save money until it's needed again. When you're ready to continue with the lab, then navigate back to the LABVM blade and select Start to start it back up again.

You should follow all steps provided before attending the Hands-on lab.

Hands-on Lab Guide

Azure security and management
Hands-on lab Lab-guide
December 2018

Azure security and management hands-on lab step-by-step

Abstract and learning objectives

In this hands-on lab, you will first deploy a simple web application and database to Azure IaaS VMs, using a Resource Manager Template and Azure Automation DSC. You will then configure a range of infrastructure management capabilities on this deployment, including Update Management, Security Center, Service Map, Change Tracking and Application Insights. You will use Azure Monitor to configure application alerts and send them via both email and mobile application notifications. You will also learn how to further investigate infrastructure status using Log Analytics queries. In doing so, you will learn how to deploy these solutions and be introduced to their capabilities.

At the end of this hands-on lab, you will be better able to design, implement and use a wide range of infrastructure management systems in Azure.

Note: The setup tasks should be completed in advance of the hands-on lab to save deployment time.

Overview

Contoso Holdings is a multi-national holding company headquartered in Los Angeles, CA that owns 48 manufacturing companies located in North America, Europe and Asia. These companies sell their products primarily to either distributors or large retail organizations around the world. Contoso, as the parent company, controls the IT systems for the companies that it owns and thus runs their e-commerce-based applications. There are about 125 of these e-commerce applications used primarily for business-to-business purchasing by corporate buyers. These apps provide the bulk of Contoso's 15 billion dollars in revenue per year, so they are mission critical.

Recently Contoso has started to investigate what it would take to move from on-premises datacenters to the cloud. Most of their applications are ASP.NET running on Windows VMs with SQL Server in a traditional N-tier configuration. Their goal is to lift and shift these applications over to the cloud while gaining more control over the applications and improving their security posture.

They are looking for you to build out a prototype system in Azure using a sample web application they have provided to you called CloudShop.

They are looking for management tools that will allow them to have a full end-to-end view of both the infrastructure and application performance. Their goal will be to effectively lift and shift all applications over to the cloud. They do not have time or money to instrument the applications. Of course, security is on the top of the chain, so they also need a security solution and updated management system.

Per Roberto Milian, VP of Development and IT Operations, "Contoso's primary concern is how to best: deploy, test, manage, monitor, patch, secure and troubleshoot these applications in Azure IaaS."

Solution architecture

The Proof of Concept Solution diagram includes Cloud Shop Application and Azure Management and Monitoring.

Requirements

  • A corporate e-mail address (e.g., your @microsoft.com email).

  • Microsoft Azure subscription must be pay-as-you-go or MSDN

    • Trial subscriptions will not work.
  • Local machine or an Azure LABVM virtual machine configured with:

    • Visual Studio 2017 Community Edition or later
    • Azure SDK 2.9.+ or Later for Visual Studio
    • Azure PowerShell 4.0 or later

Exercise 1: Configure Azure automation

Duration: 15 minutes

Overview

In this exercise, you will create and configure an Azure Automation account in the Azure Portal which will be used to configure the application servers using Azure DSC.

Task 1: Create automation account

  1. Browse to the Azure Portal and authenticate at https://portal.azure.com/.

  2. Click +Create a resource, and type Automation in the search box. Choose Automation from the results.

    Fields in the Everything blade are set to the previously defined settings.

  3. Select Create on the Automation blade. This will display the Add Automation Account blade.

  4. On the Add Automation Account blade, specify the following information:

    1. Name: Automation-Acct

    2. Resource group: HOLRGAUTO (create a new resource group)

    3. Location: East US 2 or West Europe

    Note: Not all Azure Automation features are supported in all regions. We suggest using East US 2 or West Europe, whichever is closer to you. Leave the run as account state as default.

    Fields in the Add Automation Account blade are set to the previously defined settings.

  5. Click Create.

Task 2: Add an Azure Automation credential

  1. The CloudShopSQL DSC configuration requires a credential object to access the local administrator account on the virtual machine. Within the newly created Azure Automation account, select Credentials in the SHARED RESOURCES section.

    Under Shared Resources, Credentials is selected.

  2. Select the Add a credential button.

    Screenshot of the Add a credential button.

  3. Specify the following properties and click Create to continue:

    1. Name: SQLLocalAdmin

    2. User Name: demouser

    3. Password & Confirm: demo@pass123

    New Credential blade fields are set to the previously defined settings.

    Important: Use the exact name for the credential, because one of the scripts you upload in the next step references the name directly.

Task 3: Upload DSC configurations into automation account

  1. Select Resource groups > HOLRGAUTO > Automation-Acct and click State Configurations (DSC) in Configuration Management. Select configuration and then select Add.

    Screenshot of the Automation Account blade.

  2. Select the + Add a configuration button.

    In the Automation Account blade, the Add a configuration button is selected.

  3. On the Import pane, upload both C:\HOL\CloudShopSQL.ps1 and C:\HOL\CloudShopWeb.ps1 files. You'll need to select + Add a configuration a second time to upload the second file.

    Screenshot of the Import blade with fields set to the previously defined settings.

  4. After importing the .ps1 files, select the CloudShopSQL DSC Configuration. Then, select Compile on the toolbar (click Yes on the overwrite prompt).

  5. Repeat the same steps for CloudShopWeb.

    The name field is set to CloudShopSQL in the Automation Account blade.

    Screenshot of the Configuration blade.

    In the Compile DSC Configuration box, the Yes button is selected.

  6. Make sure to review the DSC configurations to ensure they have completed the compile before moving on to the next step.

    Screenshot of the Configuration blade.

Summary

In this exercise, you configured an Automation account, and configured DSC configuration scripts that will be leveraged by the virtual machine resources.

Exercise 2: Build CloudShop environment

Duration: 60 minutes

Overview

In this exercise, you will run a template deployment using an ARM template provided which will deploy a Virtual Network, Azure Load balancer, two IIS Servers and a SQL Server. The Servers will check into Azure Automation and run the DSC Configurations that you built in Exercise 1. This will configure the boxes with the CloudShop Application. You will also configure Inbound NAT Rules to allow RDP access to the Web Servers. Azure diagnostics will also be configured into a new storage account for the VMs.

Task 1: Template deployment

  1. In the portal, open your Azure Automation Account created earlier.

  2. Under Account Settings, locate and select Keys.

    Under Account Settings, Keys is selected.

  3. Open Notepad and copy both the Primary Access Key and the URL. These will be needed inputs for the template deployment.

    The copy buttons are selected next to the Primary Access Key and URL.

    The primary key and URL displays in Notepad.

  4. In the Azure Portal, select the +Create a resource button. In the Search box, type Template Deployment.

  5. Select Template Deployment and click Create on the following screen.

    Template deployment is circled in the Everything blade.

  6. On the Custom deployment screen, select Build your own template in the editor.

    In the Custom deployment blade, Build your own template in the editor is selected.

  7. Select Load File.

    The Load file button is selected in the Edit template blade.

  8. In the Choose File to Upload dialog, navigate to the C:\HOL folder, and locate the OMSHacakthon-azuredeployappgw.json file.

  9. The JSON file will now be in the text window and the Parameters, Variables, and Resources should load in the Window. Select Save.

    Screenshot of the Edit template blade with JSON code.

  10. Once saved, the window will change to a screen which is asking for inputs. Use the following information to complete the form:

    Note: In your student files C:\HOL\parameters.txt there is a parameters file that you can use to quickly copy and paste into the portal.

    • Subscription: Use the current subscription

    • Resource Group: HOLRG (create a new resource group)

    • Location: Choose the closest Azure region to you.

    • HOL Storage Type: Premium_LRS

    • HOL VM Name: WEBVM1

    • HOL VM Admin User Name: demouser

    • HOL VM Admin Password: demo@pass123

    • HOL VM Windows OS Version: 2016-Datacenter

    • HOL Public IP DNS Name: hol-then-five-random-lowercase-characters

    • Registration Key: Locate in the Automation Account Blade/Keys

    • Registration URL: Locate in the Automation Account Blade/Keys

    • Webnode Configuration Name: CloudShopWeb.WebServer

    • Sqlnode Configuration Name: CloudShopSQL.SQLSERVER

    • Reboot Node If Needed: true

    • Allow Module Overwrite: true

    • Configuration Mode: ApplyAndMonitor

    • Configuration Mode Frequency Mins: 15

    • Refresh Frequency: 30

    • Action After Reboot: ContinueConfiguration

    • HOL SQL VM Name: SQLVM

    • HOL SQL VM Admin Name: demouser

    • HOL SQL VM Admin Password: demo@pass123

    • HOL Sql VMSKU: SQLDEV

    • VM Size SQL: Standard_DS2_v2

    • HOL VM2Name: WEBVM2

    • HOL VM2 Admin Name: demouser

    • HOL VM2 Admin Password: demo@pass123

    • HOL VM2 Windows OS Version: 2016-Datacenter

    • Application Gateway Size: Leave default

    • Capacity: Leave default

    • Web AV Set Name: webAVSet

  11. Once completed, choose the I agree to the terms and conditions stated above, and then click Purchase.

  12. This deployment should take about 25-30 minutes. The servers will take some time to check in with Azure Automation and configure the CloudShop application.

    Note: Wait for the deployment to complete successfully before moving on to the next steps.

  13. Now that the servers are built, and the deployment is complete, let's verify the servers are up and running properly. In the Azure Portal, Open the AppGWVnet and create a VNet Peering with hackathonVnet following the steps below:

    1. In the AppGWVnet blade, in settings area select Peering.

    2. At the top select +Add and complete the form.

      1. Name: PeeringtoHackathon

      2. Virtual Network: hackathonVNet

      3. Configuration: Select Allow forwarded traffic and Allow gateway transit

  14. In the Azure Portal, go to Resource Group HOLRG, and select PublicIP1 to open it. Select Configuration in the Settings area and enter a DNS name label of cloudshop-XXXX (where each X is a number chosen to make the name unique).

  15. Repeat the same steps to create a peering from hackathonVnet to AppGWVnet.
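The DSC values entered in step 10 (Registration Key, Registration URL, node configuration name, Configuration Mode and the related settings) correspond to Local Configuration Manager (LCM) settings on each VM. The following is an added example, not taken from the lab's template or student files: it shows the equivalent LCM meta-configuration for onboarding a node to Azure Automation by hand. The names CloudShopLcm and Register-CloudShopNode and the output path are assumptions.

```powershell
# Added example (not from the workshop files). Run in an elevated Windows
# PowerShell 5.1 session on the node to be onboarded.

[DscLocalConfigurationManager()]
Configuration CloudShopLcm
{
    param
    (
        [Parameter(Mandatory)] [string] $RegistrationUrl,        # URL from the Keys blade
        [Parameter(Mandatory)] [string] $RegistrationKey,        # Primary Access Key from the Keys blade
        [Parameter(Mandatory)] [string] $NodeConfigurationName   # e.g. CloudShopWeb.WebServer
    )

    Node localhost
    {
        # Same values as the template parameters listed in step 10.
        Settings
        {
            RefreshMode                    = 'Pull'
            RefreshFrequencyMins           = 30
            ConfigurationMode              = 'ApplyAndMonitor'
            ConfigurationModeFrequencyMins = 15
            RebootNodeIfNeeded             = $true
            ActionAfterReboot              = 'ContinueConfiguration'
            AllowModuleOverwrite           = $true
        }

        # Pull server, module repository and report server all point at the
        # Automation account and authenticate with the registration key.
        ConfigurationRepositoryWeb AzureAutomationDSC
        {
            ServerUrl          = $RegistrationUrl
            RegistrationKey    = $RegistrationKey
            ConfigurationNames = @($NodeConfigurationName)
        }

        ResourceRepositoryWeb AzureAutomationDSC
        {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }

        ReportServerWeb AzureAutomationDSC
        {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

function Register-CloudShopNode
{
    param
    (
        [Parameter(Mandatory)] [string]       $RegistrationUrl,
        [Parameter(Mandatory)] [securestring] $RegistrationKey,
        [string] $NodeConfigurationName = 'CloudShopWeb.WebServer',
        [string] $OutputPath = (Join-Path $env:TEMP 'CloudShopLcm')   # assumed scratch folder
    )

    # The meta-configuration needs the key as plain text, so keep it in memory only briefly.
    $plainKey = [System.Net.NetworkCredential]::new('', $RegistrationKey).Password
    try
    {
        CloudShopLcm -RegistrationUrl $RegistrationUrl -RegistrationKey $plainKey `
            -NodeConfigurationName $NodeConfigurationName -OutputPath $OutputPath | Out-Null
        Set-DscLocalConfigurationManager -Path $OutputPath -Force
    }
    finally
    {
        # localhost.meta.mof contains the registration key in clear text; delete it after use.
        Remove-Item -Path $OutputPath -Recurse -Force -ErrorAction SilentlyContinue
    }

    # Return the applied LCM state so it can be compared with the intended values.
    Get-DscLocalConfigurationManager |
        Select-Object RefreshMode, ConfigurationMode, ConfigurationModeFrequencyMins,
                      RefreshFrequencyMins, RebootNodeIfNeeded, ActionAfterReboot
}

# Usage (values come from the Automation account's Keys blade):
#   $key = Read-Host -AsSecureString 'Primary access key'
#   Register-CloudShopNode -RegistrationUrl '<URL from the Keys blade>' -RegistrationKey $key
```

The registration key lets any machine that holds it register with the Automation account as a DSC node, so the Notepad copy made in step 3 deserves the same care as the generated .meta.mof file.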

Task 2: Allow remote desktop to the WEBVM1 & WEBVM2 using NAT rules

Now that the deployment and the application are up and running, the next step is to allow RDP to the Web Servers. There are many ways you can achieve this, including provisioning a dedicated jump box (or bastion host) in the same VNet where the web servers reside, as well as simply attaching a public IP to one of the web servers and using that as a jump box. It is also possible to forward RDP traffic through Azure Load Balancer. For this task, you will create a public IP and attach it to Web Server 1.

  1. Click + Create a resource and type Public IP Address. Complete the blade with the following information:

    • Name: Webserver1PublicIP

    • SKU: Basic

    • IP Version: IPv4

    • IP Address Assignment: Dynamic

    • DNS Name label: Put unique DNS Prefix

    • Resource Group: HOLRG

    • Location: Same location as your web server.

  2. Click Create to create the IP.

  3. Once Created, open the Webserver1PublicIP blade and associate it with Web Server 1 Network Interface.

    Public IP Association.

  4. In the Azure portal, select WEBVM1, and the Connect Link should now be available. Select Connect.

    The Connect button is selected in the Virtual machine blade.

  5. On the 'Connect to virtual machine' blade, ensure the RDP tab is selected and choose Download RDP File.

    The Download RDP File button is highlighted on the RDP tab of the Connect to virtual machine blade

  6. Select Open when the RDP file downloads.

    The Open button is selected in the Open or Save message.

  7. You will get a warning about the publisher of the RDP file being unknown. Select Don't ask me again for connections to this computer and click Connect.

    In the Remote Desktop Connection dialog box, the Don't ask me again checkbox and the Connect button are both selected.

  8. When prompted by Windows Security, enter your credentials:

    • User Name: demouser

    • Password: demo@pass123

    Screenshot of the Windows Security prompt.

  9. A warning will appear stating The identity of the remote computer cannot be verified. Do you want to connect anyway?. Select the checkbox for the disclaimer Don't ask me again for connection to this computer. and then select Yes.

    The Remote Desktop Connection warning dialog box displays with the Don't ask me again checkbox and the Yes button selected.

    Note: When connecting to machines during this lab for the first time, you may encounter the same warnings. Follow these same steps to no longer receive those warnings as they do not apply to our setup.

  10. When logging on for the first time, you will see a prompt on the right asking about network discovery. Select No.

    The No button is selected in the Networks prompt.

  11. Notice the Server Manager opens by default. On the left, select Local Server.

    Screenshot of the Local Server option.

  12. On the right side of the pane, select On by IE Enhanced Security Configuration.

    The IE Enhanced Security Configuration is set to On.

  13. Change to Off for Administrators and select OK.

    Screenshot of the Internet Explorer Enhanced Security Configuration dialog box.

  14. In the lower left corner, select the Windows button to open the Start Screen. Then, choose Internet Explorer to open it. On first use, you will be prompted about security settings. Accept the defaults by selecting OK.

    Screenshot of the Internet Explorer 11 security settings dialog box with Use recommended settings selected.

  15. Leave your RDP Session to WEBVM1 open and minimized. Then, repeat this same procedure for WEBVM2.
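Step 6 of the LABVM build opens RDP in the VM's inbound port rules, and this task attaches a public IP to WEBVM1, so it is useful to see which network security group (NSG) rules accept RDP from any source. The following is an added example, not part of the workshop materials: the function names and the sample rules are constructed, and the commented live query assumes the Az PowerShell module (the AzureRM equivalent is Get-AzureRmNetworkSecurityGroup).

```powershell
# Added example: list inbound Allow rules that expose RDP (TCP 3389) to any source.
# Limitation: only Allow rules are inspected; rule priority and Deny rules that
# might override a match are not evaluated.

function Test-PortInRange
{
    param([string[]] $Range, [int] $Port)

    foreach ($r in $Range)
    {
        if ($r -eq '*') { return $true }                        # any port
        if ($r -match '^(\d+)-(\d+)$')                          # range such as 3000-4000
        {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif (($r -match '^\d+$') -and ([int]$r -eq $Port))   # single port
        {
            return $true
        }
    }
    return $false
}

function Get-OpenRdpRule
{
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rule)

    # Source values that mean "anyone on the Internet".
    $anySource = @('*', 'Internet', '0.0.0.0/0')

    foreach ($r in $Rule)
    {
        if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
        if ($r.Protocol -notin @('Tcp', '*')) { continue }
        if (-not (Test-PortInRange -Range $r.DestinationPortRange -Port 3389)) { continue }

        $open = @($r.SourceAddressPrefix | Where-Object { $_ -in $anySource })
        if ($open.Count -gt 0)
        {
            [pscustomobject]@{
                Name     = $r.Name
                Priority = $r.Priority
                Source   = $open -join ','
                Ports    = $r.DestinationPortRange -join ','
            }
        }
    }
}

# Constructed sample rules, using the property names of an NSG security rule.
$sampleRules = @(
    [pscustomobject]@{ Name = 'allow-rdp-any';      Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Tcp'
                       Priority = 1000; SourceAddressPrefix = @('*');              DestinationPortRange = @('3389') }
    [pscustomobject]@{ Name = 'allow-rdp-adminnet'; Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Tcp'
                       Priority = 1010; SourceAddressPrefix = @('203.0.113.0/24'); DestinationPortRange = @('3389') }
    [pscustomobject]@{ Name = 'allow-high-ports';   Direction = 'Inbound'; Access = 'Allow'; Protocol = '*'
                       Priority = 1020; SourceAddressPrefix = @('Internet');       DestinationPortRange = @('3000-4000') }
    [pscustomobject]@{ Name = 'allow-http';         Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Tcp'
                       Priority = 1030; SourceAddressPrefix = @('*');              DestinationPortRange = @('80') }
)

# Flags allow-rdp-any and allow-high-ports (3389 falls inside 3000-4000).
Get-OpenRdpRule -Rule $sampleRules | Format-Table -AutoSize

# Live use against the lab's resource groups (Az module, after Connect-AzAccount):
#   'OPSLABRG', 'HOLRG' | ForEach-Object {
#       Get-AzNetworkSecurityGroup -ResourceGroupName $_ |
#           ForEach-Object { Get-OpenRdpRule -Rule $_.SecurityRules }
#   }
```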

Task 3: Configure diagnostics accounts for the VMs

In this task, you will configure the VMs to capture diagnostic data in an Azure Storage Account. Later you will connect this account to Azure Security Center and Log Analytics.

  1. In the Azure Portal, navigate to the HOLRG Resource Group and locate WEBVM1. Select the name to open the blade.

  2. On the WEBVM1 blade, locate the Monitoring section, and select Diagnostic Settings.

    On the WEBVM1 blade under Monitoring, Diagnostic settings is selected.

  3. Select the Enable guest-level monitoring button. This will load more information to choose from. Select the Storage Account Configure Required Settings, and then, choose the Storage Account you just created.

    On the Overview tab, the Enable guest-level monitoring button is selected.

    Screenshot of the Updating diagnostics settings notification.

    Note: If you receive an error at this stage, navigate to All Services -> Subscriptions -> Resource Providers and ensure the Microsoft.Insights resource provider is registered.

  4. Select Configure performance counters.

    Under Performance counters, the Configure performance counters link is selected.

  5. Next check the ASP.NET box and select Save.

    On the Performance counters tab, the ASP.NET checkbox is called out.

  6. This will submit a deployment for WEBVM1.

    Screenshot of the Updating diagnostics settings notice.

  7. Complete the same steps for WEBVM2.

  8. Next, using the same steps, configure SQLVM for diagnostics capture as well. Select the following metrics for this SQL Server, and select Save.

    1. SQL Metrics

    On the Performance counters tab, the SQL Server checkbox is called out.

    Note: You will need to wait for the portal to complete the updates to all VMs before moving to the next exercise.

Summary

In this exercise, you ran a template deployment using an ARM template provided which created a Virtual Network, Azure Load balancer, two IIS Servers and a SQL Server. The servers checked into Azure Automation and ran the DSC Configurations that configured the boxes with the CloudShop Application. You then configured a public IP to access the servers through a jump box and successfully connected to them through RDP. Azure diagnostics was also configured with a new storage account for the VMs.

Exercise 3: Build and configure Azure Security Center and Azure Management

Duration: 30 minutes

Overview

The next step is to provision the Azure security and Azure management components of Azure Automation, configure the VMs for the CloudShop application to be managed by the portal, and configure the diagnostics storage account to load data into the Log Analytics platform. Additionally, you will configure Update Management, Inventory Tracking and Change Management as well as install and configure the Service Map solution pack.

Task 1: Provision Log Analytics through Azure Monitor

  1. Open the Azure portal and navigate to All services, search for Log Analytics.

    Screenshot of the Azure portal with the previous selections displaying.

  2. In the Log Analytics blade, select + Add.

  3. Complete the OMS Workspace blade using the following information. Then, select OK:

    1. OMS Workspace: Unique name

    2. Subscription: Select the current subscription.

    3. Resource Group: HOLRG

    4. Location: Closest to your deployment

    5. Pricing Tier: Select Per GB

    Fields in the OMS Workspace and Pricing Tier blades are set to the previously defined settings.

  4. The deployment will only take a few moments to complete. Upon completion, open Log Analytics by clicking on the Log Analytics resource within the HOLRG resource group.

    Screenshot of the Log Analytics resource.

  5. Open the newly created oms log analytics workspace and select Virtual Machines which is found in the Workspace Data Sources section.

    Under Workspace Data Sources, Virtual machines is selected.

  6. A list of the VMs in your subscription will be shown in the list. You may want to filter your view to see the VMs for this HOL. You will add the WEB and SQL VMs.

    In the list of virtual machines, SQLVM, WEBVM1, and WEBVM2 are called out.

  7. Select the SQLVM to load a blade to the right. Then, click on Connect to add it to this Log Analytics Workspace.

    The Connect button is selected in the SQLVM blade.

  8. Follow the same steps for the WEBVM1 & WEBVM2.

  9. The portal should update to show that they are now a part of This workspace once they have all been added.

    SQLVM, WEBVM1, and WEBVM2 display in the portal.

Task 2: Explore Security Center

  1. Open the Azure portal and navigate to the Security Center menu option (All Services > Security Center).

    Within the Azure Portal, Security Center is selected.

  2. This will present the Security Center - Overview screen. For this exercise, you want to upgrade to the Standard tier, which extends the capabilities of the Free tier to workloads running anywhere, including on-premises. It provides unified security management and threat protection across your hybrid cloud workloads. The Standard tier also adds advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.

  3. Select Start trial if present (your subscription may already be enabled for Standard).

  4. Close the panel and navigate back to the Security Center Overview screen. Click on Security policy under the Policy & Compliance section. Review the policy options that can be automatically applied to your subscription.

  5. Click on Recommendations on the left navigation. Note the different options and the SECURE SCORE IMPACT. This lets you know the impact of the changes on your overall security score (the higher the better).

  6. Click the option for Install monitoring agent on your Virtual machines. On the next screen, click Install agents to turn on automatic provisioning of the monitoring agent.

  7. On the next screen, accept the default workspace configuration and click Save to enable monitoring. This will automatically install the agent on any new or existing virtual machines in the subscription.

  8. After a few minutes, refresh the portal and click on Compute & Apps. You will see the Resolve monitoring agent health issues on your machines move to an orange state. Click on the orange bar and you will see that this recommendation is being remediated.

  9. Next, click on the Recommendations tab again and remediate the Install endpoint protection solution on virtual machines recommendation by clicking on it and following the directions to install Endpoint Protection on all of the virtual machines except LabVM.

    Note: You can accept the default configuration options for Microsoft Endpoint protection.

You will explore Azure Security Center more later in this lab, including configuring alerts and preventative maintenance.

Task 3: Add Service Map

In this section, you will add the Service Map solution to Log Analytics.

  1. From the Azure portal, click the + Create a resource link followed by Management Tools and See all.

    Create a resource > Management Tools > See All click path screenshot.

  2. Note there are many solutions available, and more are added frequently. Browse the solutions to gain familiarity with the options.

    Screenshot of the Dynatrace homepage.

  3. Locate the Service Map solution and select it. If you don't see it on the page, use the Search Monitoring + Management field at the top of the screen to search for Service Map. On the Details page, you can read about the solution. When ready, select Create.

    In the Monitoring and Management blade, in the search results, Service Map is selected.

  4. Select the Log Analytics workspace you created and click Create.

    Screenshot of the Service Map blade.

Task 4: Configure Service Map

To configure the Service Map functionality, the Microsoft Dependency Agent needs to be installed on each virtual machine. This can be installed as a VM extension. For this lab, we'll install the VM extension for Service Map using the Azure CLI.

  1. Open the Azure Cloud Shell by clicking on the 'Cloud Shell' icon.

    Screenshot of Cloud Shell button

    Note: If this is your first time using the Azure Cloud Shell, you will be prompted to choose between a Bash Shell and PowerShell. Choose Bash Shell. Also, you will be prompted to create a storage account for use by the Cloud Shell.

  2. The Cloud Shell will open at the bottom of the Azure portal browser window. (If a PowerShell has been selected, change to the Bash Shell.) In the Bash Shell window, type the following command:

     az vm extension set --publisher Microsoft.Azure.Monitoring.DependencyAgent --version 9.1 --name DependencyAgentWindows --vm-name WEBVM1 --resource-group HOLRG
    

    Note: This command will take a minute or two to run.

  3. Repeat the above command two more times, replacing the --vm-name parameter with WEBVM2 and then with SQLVM.

  4. In the Azure Portal, navigate to the All Resources menu and locate the Service Map resource you created earlier. Click on the resource name.

    Screenshot of the All resources blade with ServiceMap selected.

  5. This will bring up the Service Map blade and you'll see that it is already populated with some data. Since we installed the agent on the three Windows virtual machines, the Service Map is showing these virtual machines now reporting data. Click on the Service Map tile.

    The Summary section displays information for both the Service Map and Solution Resources.

  6. When Service Map loads, click on WEBVM1 to see the data that has been analyzed for that virtual machine.

    Screenshot of the Service Map for WEBVM1.
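
Steps 2 and 3 above, scripted as an added example that is not part of the original lab guide: it runs the same az vm extension set command for WEBVM1, WEBVM2 and SQLVM, then reads each extension's provisioningState so that a VM left without a working Dependency Agent is reported rather than simply absent from Service Map. The function names and the --run argument are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the lab guide. Function names and the --run switch
# are assumptions; the extension publisher, name, version, VM names and
# resource group are the values used in Task 4.

RESOURCE_GROUP="HOLRG"
VMS="WEBVM1 WEBVM2 SQLVM"
EXT_PUBLISHER="Microsoft.Azure.Monitoring.DependencyAgent"
EXT_NAME="DependencyAgentWindows"
EXT_VERSION="9.1"

# Install the Dependency Agent extension on one VM (the command from step 2).
install_dependency_agent() {
    az vm extension set \
        --publisher "$EXT_PUBLISHER" \
        --version "$EXT_VERSION" \
        --name "$EXT_NAME" \
        --vm-name "$1" \
        --resource-group "$RESOURCE_GROUP" > /dev/null
}

# Print the extension's provisioning state for one VM, or nothing if the
# extension is absent or the query fails.
extension_state() {
    az vm extension show \
        --name "$EXT_NAME" \
        --vm-name "$1" \
        --resource-group "$RESOURCE_GROUP" \
        --query provisioningState \
        --output tsv 2> /dev/null
}

# Print the name of every VM whose extension is not in the Succeeded state.
vms_missing_agent() {
    for vm in $VMS; do
        state=$(extension_state "$vm") || state=""
        [ "$state" = "Succeeded" ] || echo "$vm"
    done
}

# Install on every VM, then verify coverage. Returns non-zero if any VM is
# left without a successfully provisioned agent.
deploy_all() {
    for vm in $VMS; do
        echo "Installing $EXT_NAME on $vm ..." >&2
        install_dependency_agent "$vm" || echo "az returned an error for $vm" >&2
    done
    missing=$(vms_missing_agent | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "Dependency Agent NOT provisioned on: $missing" >&2
        return 1
    fi
    echo "Dependency Agent provisioned on: $VMS" >&2
}

# Run only when asked to, so the functions can also be sourced and reused.
if [ "${1:-}" = "--run" ]; then
    deploy_all
fi
```

Saved to a file in the Cloud Shell Bash session and started with the --run argument, it exits non-zero if any of the three VMs is left without the agent; vms_missing_agent can be re-run later on its own as a coverage check.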

Task 5: Configure Update Management

The Update Management functionality will be configured through your Virtual Machines.

  1. In the Azure Portal, browse to WEBVM1.

  2. Select Update management under OPERATIONS.

    Under Operations, Update management is selected.

  3. Select your Log Analytics workspace and Automation Account and select Enable.

    Screenshot of the Update Management window with the Enable button selected.

    Note: In some cases, your Log Analytics workspace may not be shown if it is located in a different region or geography. In this case, use the option provided to create a new Log Analytics workspace.

  4. Wait for the deployment to complete. This can take up to 15 minutes.

    Screenshot of the Update Manager being enabled message.

    Note: Do not navigate away from the Update Management blade until the deployment message reads "The 'Update Management' solution is being deployed on this virtual machine. This can take a few minutes. You can do other work while this is in progress."

  5. While the solution is deploying, navigate to WEBVM2 and repeat steps 2-4.

  6. While the solution is deploying, navigate to SQLVM and repeat steps 2-4.

  7. Verify that the solution has been deployed by navigating to WEBVM1 and clicking on Update management under OPERATIONS.

    Under Operations, Update management is selected.

  8. The Portal shows the Update Management dashboard for the virtual machine. Here you can see which updates are pending, and the overall update compliance status of the VM.

    Missing updates shows as zero.

  9. Click on Schedule update deployment. The portal shows the 'New update deployment' blade, where you can choose which updates to deploy (based on classification), which to exclude (based on KnowledgeBase ID), when to deploy, and the duration of the maintenance window (updates not deployed within 20 minutes of the end of this time window are omitted so the VM can reboot).

    The New Update Deployment blade shows the settings described in the preceding text.

  10. Review the update settings, but do not configure an update deployment (to save time during the lab). Close the New update deployment blade.

  11. Click on Manage multiple machines. This brings you to the Update Management view within the Azure Automation portal experience. This gives you an overview of update compliance across all of your VMs.

    Screenshot of the Log Analytics Update Management experience. The VMs we have created are listed, together with metrics showing the number of updates pending/failed.

    Note: It may take several minutes before data is shown in this view.

Task 6: Configure Inventory Tracking and Change Management

The Update Management functionality will be configured through Azure Automation.

  1. In the Azure Portal, browse to WEBVM1.

  2. Select Change tracking under OPERATIONS.

    Under Operations, Change tracking is selected.

  3. Verify the Log Analytics workspace and Automation Account and select Enable.

    The Enable button is selected in the Change Tracking window.

  4. Wait for the deployment to complete. This can take a few minutes.

    Screenshot of the Change Tracking being enabled message.

    Note: Do not navigate away from the Update Management blade until the deployment message reads "The 'Change Tracking and Inventory' solution is being deployed on this virtual machine. This can take a few minutes. You can do other work while this is in progress."

  5. While the solution is deploying, navigate to WEBVM2 and repeat steps 2-4.

  6. While the solution is deploying, navigate to SQLVM and repeat steps 2-4.

  7. Verify that the solution has been deployed by navigating to WEBVM1 and clicking on Change tracking under OPERATIONS.

    Under Operations, Change tracking is selected.

    Changes shows as zero.

Summary

In this exercise, you provisioned the portal, configured the VMs for the CloudShop application to be managed by the Portal, and configured the diagnostics storage account to load data into the Log Analytics platform. Additionally, solution packs were installed and configured to gather data and provide dashboards for applications deployed in Azure IaaS. You also configured Service Map and now understand how it surfaces data.

Exercise 4: Instrument CloudShop using Azure Application Insights

Duration: 45 minutes

Overview

In this exercise, you will instrument the CloudShop using Application Insights at runtime. This will be accomplished by installing the Application Insights tool on the web services and configuring an Application Insights workspace in Azure. Then, you will configure Application Insights to perform web tests and alerts. The final task will be to connect the Application Insights workspace to send data to the Portal.

Task 1: Install and Configure the Application Insights Status Monitor

To read more about this tool follow this link.

  1. Open a Remote Desktop Connection to WEBVM1.

  2. Open Internet Explorer and follow this link: http://bit.ly/2jxQ43z. When asked whether you want to run the file AppliationsInsightsMonitor.exe, select Run.

    The Run button is selected next to the question asking if you want to run or save the file.

  3. This will start the Web Platform Installer. Select Install followed by I Accept on the following screen, and Continue.

    Screenshot of the Web Platform installer with the Install button selected.

  4. Once the Monitor is installed, select the Sign In link under the Configuration.

    Sign in is selected in the Application Insights Status Monitor window.

  5. Sign in to Azure as normal.

    Screenshot of the Azure sign in box.

  6. Under Send telemetry to, select Default website under New Application Insights resource. Then, click Configure settings.

    Under Configuration, Send telemetry to is set to New Application Insights resource and the Configure settings button is selected.

  7. On the Configuration settings for Application Insights, complete the information as follows, and select OK:

    • Microsoft Azure Subscriptions: Use the same subscription

    • Resource Groups: HOLInsights (It will create a new RG in Azure if you type HOLInsights)

    • Application Insights Resource: HOLCloudShop

    • Location: Select the same region as your deployment.

    Fields in the Configuration settings for Application Insights dialog box are set to the previously defined settings.

  8. This will build the Application Insights workspace for you in Azure.

  9. Next, select Add Application Insights.

    In the Default Web Site section, the Add Application Insights button is selected.

  10. Click Restart IIS to complete the setup.

    Screenshot of the Restart IIS button.

  11. This will only take a few seconds. Now, the CloudShop application running on WEBVM1 is instrumented and sending data to Azure Application Insights. The monitor on WEBVM1 should now look like below:

    IIS applications show as enabled in the Application Insights Status Monitor, and under Default Web Site, Status is Application Insights enabled, and Data is set to the specified Application Insights resource.

  12. Connect to a Remote Desktop Session for WEBVM2. To connect to WEBVM2, you can RDP to its private IP from WEBVM1.

  13. Open Internet Explorer and follow this link: http://bit.ly/2jxQ43z. When asked whether you want to run the file AppliationsInsightsMonitor.exe, select Run. You may need to change the Internet Explorer security settings to allow file downloads in order to install.

    Screenshot of the Run button.

  14. This will start the Web Platform Installer. Click on Install followed by I Accept on the following screen, and Continue.

    On the Web Platform Installer, under Application Insights Status Monitor, the Install button is selected.

  15. Once the Monitor is installed, select the Sign In link under the Configuration.

    In the Application Insights Status Monitor, Sign in is selected.

  16. Sign in to Azure as normal.

    Screenshot of the Microsoft Sign in box.

  17. Under Send telemetry to, select Default website under Existing Application Insights resource. Then, click Configure Settings.

    Send telemetry to is set to Existing Application Insights resource, and Configure settings is selected.

  18. On the Configuration settings for Application Insights, complete the information as follows, and select OK:

    1. Microsoft Azure Subscriptions: Use the same subscription

    2. Resource Groups: HOLInsights

    3. Application Insights Resource: HOLCloudShop

    4. Location: Select the same region as your deployment.

    Fields in the Configuration Settings for Application Insights dialog box are set to the previously defined settings.

  19. This will attach WEBVM2 to the Application Insights workspace you created a moment ago in Azure. Next, select Add Application Insights.

    Under Default Web Site, the Add Application Insights button is selected.

  20. Select Restart IIS to complete the setup.

    Screenshot of the Restart IIS button.

    Note: This will only take a few seconds. You can disconnect from WEBVM2 when done.

Task 2: Explore the Application Map, configure alerts, availability tests, and performance tests

  1. Open the Application Insights blade by clicking All services, followed by Application Insights (use the search filter to help you find it).

    Screenshot showing click path to open Application Insights.

  2. Select HOLCloudShop, followed by Application map.

    Screenshot showing clicks for HOLCloudShop (1) and Application map (2).

  3. Take a few minutes to explore the Application map. Click on each node in the application map and look at the data available.

    Screenshot of the Application Map.

  4. Close the Application Map pane, then click on Alerts.

    Under Configure, Alerts (Classic) is selected.

  5. Select View Classic Alert (next to the bell icon) then select +Add Metric Alert (Classic), complete the blade with the following information, and select OK:

    • Name: CloudShopProcessorAlert

    • Metric: Processor Time

    • Condition: Greater than

    • Threshold: 80

    • Period: Over the last 5 minutes

    • Notify via: Email owners, contributors and readers -- Check the Box

    Add rule blade fields are set to the previously defined settings.

    Screenshot of the rest of the Add rule blade fields.

  6. Select OK to save the alert. The portal will update with the new alert.

    Alert settings for CloudShopProcessorAlert display.

  7. In your HOLRG, locate the PublicIP Address and take note of the DNS name, which is on the front of the load balancer Application Gateway for the CloudShop App running on WEBVM1 & WEBVM2.

  8. Next, in the HOLCloudShop Application Insights workspace, under the Investigate section, select Availability.

    Under Investigate, Availability is selected.

  9. Select +Add test, and complete the blade using the following information. Then, select Create.

    Create test blade fields are set to the previously defined settings.

  10. Select Create to create the availability test.

    Note: If the CloudShop Application becomes unavailable to this WebTest, you will then receive an email alert from Azure Application Insights.

  11. Select Performance Testing in the Configure section.

    Under Configure, Performance Testing is selected.

  12. Select +New.

  13. Click on Configure Test Using and complete this using these inputs. Then, select Done.

    Fields in the Configure test using blade are set to the previously defined settings.

  14. Complete the New Performance Test blade using the following information, and click Run Test.

    • Name: CloudShopLoadTest

    • Generate Load from: Select a Region

    • User Load: 2000

    • Duration: 5

    Fields in the New performance test blade are set to the previously defined settings.

  15. Select Run Test to start the performance test.

    Note: An error may occur if you do not have an Azure DevOps Account configured. If so, then you'll need to create one before setting up the Performance Test.

  16. Once this is submitted it will show as Queued. Select the line and then details about the performance test will be shown.

    CloudShopLoadTest is selected under Recent runs in the Performance Testing blade.

  17. Select the Messages box to see the details of the test.

    Screenshot of the CloudShopLoadTest and Status Messages blades. In the CloudShopLoadTest blade, the Messages box is selected.

  18. Now, head back to the Overview blade of the HOLCloudShop Application Insights and select Live Metrics Stream.

    The Live Stream tile lists two servers.

  19. Real-time application information can be seen regarding the CloudShop App running in Azure on our IaaS VMs. Here, you can wait for the Performance Test to run, and show how the Web Application performs.

    Screenshot of the Live Metrics Stream page, with Incoming Requests, Outgoing Requests, and Overall Health, line and scatter graphs, and Server information.

  20. If you go back to the Performance Testing blade, and click on CloudShopLoadTest, you will see the metrics from the test run.

    Screenshot of Performance under load metrics. Screenshot of the Requests donut chart.

  21. Close the Performance Test and click on the Performance under Investigate.

    Under Investigate, Performance (preview) is selected.

  22. Explore the metrics from the CloudShop application.

    Screenshot of the CloudShop Application desktop.

  23. The Load Test should also have caused the alert on high processor usage to be triggered. An email should have been received.

    Screenshot of an Azure Application Insights warning alert.

    Note: The email may take several minutes to arrive. You can proceed with the lab and check for the email later.

  24. The alert will quickly resolve as the Load Test has completed causing the CPU condition to quiet.

    Screenshot of an Azure Application Insights success message.

Task 3: Simulate a failure of the CloudShop application

  1. Move to your HOLRG Resource group and stop both WEBVM1 and WEBVM2.

  2. Navigate back to the HOLCloudShop Application Insights portal. Select Availability and notice that the availability tests have started to fail once the web VMs are stopped.

    On the Application Insights blade, the Availability blade shows the web tests failing.

  3. Select CloudShopWebTest to open the test summary blade. Notice how the tests are failing from all regions.

    Screenshot showing CloudShopWebTest details chart and test location status.

  4. A few email alerts should come into your inbox.

    Azure Application Insights warning alert screenshot

    Azure Application Insights details screenshot

  5. Select the See the analysis of this issue link in the email which will load the Azure portal.

    Both the Smart Detection and An abnormal rise in failed request rate blades display.

  6. Move back to your HOLRG and restart the VMs.

  7. Once the VMs are back online, the website will come back up. This will initiate responses to the Web Test and send data to the Application Insights portal. An email will be sent resolving the alert. After a period of time, the Smart Detection Alert will also resolve.

    Screenshot of the Azure Application Insights success message.

Summary

In this exercise, you instrumented the CloudShop using Application Insights at runtime. This was accomplished by installing the Application Insights Monitor for the web services and configuring an Application Insights workspace in Azure. Then, you configured Application Insights to perform web tests and alerts.

Exercise 5: Explore Azure Security and Operations Management, Application Insights, and build a dashboard

Duration: 45 minutes

Overview

In this exercise, you will explore the information and data being provided by Azure Security and Operations Management and Application Insights to gain situational awareness of the application and infrastructure. You will look at the security posture of the infrastructure, the application's performance, and build a dashboard that can be used to manage it moving forward.

Task 1: Work with Log Analytics queries

In this section, we will perform an ad-hoc search in Log Analytics data to see where our servers are not in compliance with security baselines. In the Log Search interface, we can perform ad-hoc searches against the log data being ingested into the Log Analytics service. Because the data is indexed, searching is very fast.

  1. Open the Azure portal and navigate to Azure Monitor by clicking on All services, searching for log analytics, and selecting Log Analytics.

    Selections in the Azure Portal display as previously mentioned.

  2. Select Log from the left under General.

    Under Shared Services, Log Analytics is selected.

  3. In the query editor, enter the following query: Update | where OSType!="Linux" and Optional==false. Select Run. This will search the Update management logs and report results. There are many other data sources we can query.

    Update | 
    where OSType!="Linux" and Optional==false
    

    Screenshot of the Log Search blade.

    Note: You may have less or more data, but keep in mind, the service has only been collecting data since you began the lab.

  4. Notice on the left, there are different types of data. Select Windows Defender followed by Apply.

    Under product, both the Windows Defender checkbox and the Apply button are selected.

  5. Notice the query dialog (where you entered a search before) has a search string in it querying for the type Product==Windows Defender.

    An updated search string displays in the Query dialog box.

  6. As you click on options in Log Search, queries are built automatically. Also, notice the results are pared down to a smaller subset of data. Click on Table to view the data in a column and row format.

    A Table of search results displays.

  7. This is a list of Windows virtual machines tracked in Update management that have pending updates for Windows Defender. To further refine the list, scroll on the left down to UPDATESTATE and select Needed (this option may not be shown if all updates are already installed). Notice the query automatically updates as it is a single point to refine.

    An updated search string displays in the Query dialog box. Below, in the Table, a callout points out that UpdateState for both table entries displays as Needed.

  8. Further refinements can be made as needed. Select additional refiners to update the search.

  9. Next, sort the findings, so the computers are sorted alphabetically. Click on the column header Computer until the virtual machines are sorted correctly.

    In the Table, on the header row, Computer is selected.

  10. Now we will export the list. This may be helpful if we wanted to share the findings list out amongst administrators, so several people can help remediate the findings. Click on Export.

    On the Log Search blade top menu, Export is selected.

    The Exporting results to Excel message displays.

  11. Once the report is exported, you are prompted to choose what to do with the file. Select Save. Once completed, click on Open. Choose Notepad to open the file.

    The first message asking if you want to save SearchResults.csv has the Save button selected. The second message, download has completed, has the Open button selected. The third message asks how you want to open the file, and Notepad is selected.

  12. Review the text file. Then, close it. You can also copy the file to your local PC and view it in Excel.

    Screenshot of the .csv information displaying in a Microsoft Excel window.

  13. Because this is a useful query, we can save it to be able to quickly run it again anytime we wish. First, copy the search query to the clipboard.

    Screenshot of a Search query with the Copy option selected.

  14. Click the Saved Searches followed by + Add.

    Saved Searches is selected from the Log Search blade top menu.

  15. Complete the Add Saved Search Blade with this information:

    • Display Name: Computers Needing Windows Defender Updates

    • Category: My Queries

    • Query: Paste the query from your clipboard.

    • Function Alias: WindowsDefNeeded

    Add Saved Search blade fields are set to the previously defined settings.

  16. Select OK.

  17. Let's explore some more sample queries. These are taken from the repository at: https://github.com/MicrosoftDocs/LogAnalyticsExamples/tree/master/log-analytics.

    Replace the current query with the following:

    let start_time=ago(23h);
    let end_time=now();
    Heartbeat
    | summarize heartbeat_per_hour=count() by bin_at(TimeGenerated, 1h, start_time), Computer
    | extend available_per_hour=iff(heartbeat_per_hour>0, true, false)
    | summarize total_available_hours=countif(available_per_hour==true) by Computer 
    | extend total_number_of_buckets=round((end_time-start_time)/1h)+1
    | extend availability_rate=total_available_hours*100/total_number_of_buckets

  18. Click Run.

  19. Select Table output. Notice how this query calculates VM availability, based on heartbeat.

    Screenshot showing the preceding query in Log Analytics, with a table showing the percentage availability of each VM.

    For more information on how this query works, see: https://github.com/MicrosoftDocs/LogAnalyticsExamples/blob/master/log-analytics/server-availability-rate.md.

  20. Replace the current query with the following:

    // Find all processes that started in the last 3 days. ID 4688: A new process has been created.
    let RunProcesses = 
        SecurityEvent
        | where TimeGenerated > ago(3d)
        | where EventID == "4688";
    // Find the 5 processes that were run the most
    let Top5Processes =
        RunProcesses
        | summarize count() by Process
        | top 5 by count_;
    // Create a time chart of these 5 processes - hour by hour
    RunProcesses 
    | where Process in (Top5Processes) 
    | summarize count() by bin (TimeGenerated, 1h), Process
    | render timechart

  21. Click Run.

    Note: This query uses security events (only available when using the Standard tier of Security Center) to identify how often each process was run in the past 3 days, and then calculates the most commonly run processes. For more information, see https://github.com/MicrosoftDocs/LogAnalyticsExamples/blob/master/log-analytics/top-5-running-processes-in-the-last-3-days.md.

Task 2: Preventive maintenance using Security Center

In this section, we will use the Security Center Overview screen to review what preventative steps we can take to protect our environment.

  1. Within Security Center Overview page, there are five tiles in the middle of the screen under Resource security hygiene.

    On the Security Center Overview page, under Prevention, four tiles display: Recommendations, Compute & Apps, Networking, Data & storage, and Identity & access.

  2. Click on the Compute tile to drill into the security health of your compute resources.

    Screenshot of the Compute & apps tile.

  3. Notice there are several recommendations at the bottom of the screen. Let's go ahead and drill into these recommendations. Click on the Missing disk encryption item.

    Screenshot of the Compute page, Overview tab information.

  4. This brings up the Apply disk encryption blade. This gives a description of Azure disk encryption, links to instructions, and a list of virtual machines affected.

    On the Apply disk encryption blade, a description is given and the virtual machines created in this lab are displayed.

  5. Close the panel and navigate back to the Security Center Overview page. This time click on the Networking tile to drill into the security health of your networking resources.

    Screenshot of the Networking tile.

  6. Review the items showing in the Networking Recommendations. We won't implement these recommendations today, but if we wanted to, we could click on the item and implement each recommendation from this panel.

    Screenshot of the Security Health Networking page.

  7. Close the panel and navigate back to the Security Center Overview screen. This time, click on the Data & storage tile.

    Data & storage tile screenshot.

  8. Notice this tile is green which is an indication the resources are in a healthy state. Azure Security Center will flag the tile as red if there are critical recommendations that need to be addressed.

  9. As a last step, navigate back to the Security Center Overview screen and click on the Identity & access tile.

    Identity & access tile screenshot.

  10. As you review the Applications Security Health, notice in this example there's a recommendation to assign a second subscription owner.

    Under Identity & access, there is a recommendation to assign more than one subscription owner.

  11. Go ahead and close this panel and return to the Security Center Overview page.

  12. Azure Security Center provides a quick way to see all the recommendations we just saw in a single view. Click on the Recommendations tile under the Overview section.

    Screenshot of the Recommendations tile.

  13. This presents the same recommendations you saw by navigating to each resource type in the previous steps. Clicking each of the recommendations will provide you with additional steps you can take to remediate the issue.

    The Recommendations page displays a list of recommendations, their resource, state, and severity.

Task 3: Set up an Activity Log alert

If one of the virtual machines in the resource group were to be stopped (deallocated), that's a condition you would want to be notified of. In this section, we will set up an activity log alert to detect this condition.

  1. Open the Azure portal and navigate to Azure Monitor by clicking All services, searching for "monitor", and selecting Monitor.

    The previously mentioned selections are made in the Azure Portal.

  2. Select Alerts followed by New Alert Rule.

    Under Shared services, Alerts and then New Alert Rule are highlighted.

  3. Under Define alert condition, click on + Select target.

    + Select Target is highlighted on the blade defining a new Azure alert.

  4. In the 'Select a resource' blade, open the Filter by resource type drop-down and select Virtual machines. The UI will show each virtual machine in your subscription, grouped into resource groups. Click on the HOLRG resource group to select all the virtual machines in that resource group as the target resources monitored by this alert rule. Verify this selection in the 'Selection preview', then click Done.

    Screenshot showing the 'select a resource' blade, with selections matching the preceding text.

  5. Under Define alert condition, select + Add criteria.

    + Add Criteria is highlighted on the blade defining a new Azure alert.

  6. In the 'Configure signal logic' blade, open the Monitor service drop-down and select Activity Log - Administrative. In the search field, enter deallocate. Click on Deallocate Virtual Machine (VirtualMachines).

    Screenshot showing the 'Configure signal logic' blade, with selections matching the preceding text.

  7. If you have recently stopped the virtual machines, you will see a history of those events, otherwise the chart will show 'No data to display'. Leave the settings at their default values and click Done.

    Screenshot showing the 'Configure signal logic' blade, showing a chart of past 'Deallocate Virtual Machine' events. At the bottom of the screenshot, the 'Done' button is highlighted.

  8. Under Define alert details, fill in as follows:

    • Alert rule name: Alert on VM deallocate

    • Description: Raise an alert any time any VM in the HOLRG resource group is stop-deallocated.

    • Save alert to resource group: HOLRG

    • Enable rule upon creation: Yes

    Screenshot showing the 'Define alert details' settings filled in as described in the preceding text.

  9. Under Define action group, select + New action group.

    + New action group is highlighted on the blade defining a new Azure alert.

    Note: Action groups define what action is taken when an alert is fired. They are defined separately from the alert rule, so that the same action group can be re-used across multiple alerts.

  10. Fill in the first section of the Add action group blade as follows:

    • Action group name: Mobile app push notifications action group

    • Short name: Mobile Push

    • Subscription: Choose your subscription.

    • Resource group: HOLRG

    Screenshot showing the first section of the 'Add action group' blade filled in as described in the preceding text.

  11. In the table under Actions, under Action name enter Notify mobile app. Open the drop-down under Action Type and select Email/SMS/Push/Voice.

    Screenshot showing the first line of the 'Actions' table, filled in as described in the preceding text.

  12. The Email/SMS/Push/Voice blade should open automatically (if it does not, click on Edit details). Enable the checkbox for Azure app Push Notifications, and fill in your Azure user ID, then select OK.

    Screenshot showing the 'Email/SMS/Push/Voice' blade, filled in as described in the preceding text.

  13. All alert settings are now complete. Select OK to close the 'Add action group' blade, then click on Create alert rule to close the Create rule blade. You will see a notification once the alert has been created.

    Screenshots of the notification of the successfully created alert rule.

    Note: It may take up to 5 minutes after the alert rule is created for the alert to become active.
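The rule built in this task can also be read as data. The following is an added example, not part of the original lab: it writes the rule as the body of a `Microsoft.Insights/activityLogAlerts` resource and checks constructed, simplified activity log events against it, showing which VM operations the rule does and does not catch. The subscription ID and action group name are placeholders, the helper names `rule_fires` and `vm_event` are hypothetical, and case-insensitive matching is an assumption of this sketch.

```python
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
RG_SCOPE = f"/subscriptions/{SUB}/resourceGroups/HOLRG"
DEALLOC = "Microsoft.Compute/virtualMachines/deallocate/action"

# Rule body equivalent to the portal selections in steps 4 through 12.
ALERT_RULE = {
    "name": "Alert on VM deallocate",
    "properties": {
        "enabled": True,
        "scopes": [RG_SCOPE],  # every resource in HOLRG
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": DEALLOC},
        ]},
        # Placeholder ID: substitute the action group created in step 10.
        "actions": {"actionGroups": [{"actionGroupId": RG_SCOPE +
            "/providers/microsoft.insights/actionGroups/<action-group-name>"}]},
    },
}

def rule_fires(rule, event):
    """Return True if a simplified activity log event matches the rule."""
    props = rule["properties"]
    if not props["enabled"]:
        return False
    # The event's resource must sit at or below one of the rule's scopes.
    rid = event["resourceId"].lower()
    in_scope = any(rid == s.lower() or rid.startswith(s.lower() + "/")
                   for s in props["scopes"])
    # Every allOf condition must hold (compared case-insensitively here).
    matches = all(str(event.get(c["field"], "")).lower() == c["equals"].lower()
                  for c in props["condition"]["allOf"])
    return in_scope and matches

def vm_event(rg, vm, operation):
    """Build a constructed, simplified Administrative activity log event."""
    return {"category": "Administrative", "operationName": operation,
            "resourceId": f"/subscriptions/{SUB}/resourceGroups/{rg}"
                          f"/providers/Microsoft.Compute/virtualMachines/{vm}"}

# Constructed sample events (not real log data).
SAMPLES = {
    "portal stop on WEBVM1": vm_event("HOLRG", "WEBVM1", DEALLOC),
    "power off without deallocate": vm_event(
        "HOLRG", "WEBVM1", "Microsoft.Compute/virtualMachines/powerOff/action"),
    "deallocate in another group": vm_event("OPSLABRG", "VM1", DEALLOC),
}
if __name__ == "__main__":
    for label, ev in SAMPLES.items():
        print(f"{label}: {'ALERT' if rule_fires(ALERT_RULE, ev) else 'no alert'}")
```

Only the first sample raises the alert: a power-off that leaves the VM allocated, or a deallocate outside HOLRG, passes unnoticed unless the rule's condition or scope is widened.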

Task 4: Installing & using the Azure mobile application

In this section, you will take your monitoring solution mobile by installing and configuring the Azure mobile application.

  1. Open the AppStore or Google Play on your mobile device. Locate the search box and type Microsoft Azure, and press enter.

  2. When you locate the Microsoft Azure application, install it to your device.

    Screenshot of the Microsoft Azure Application Open screen that displays after successfully downloading the application.

  3. Once the application has been installed, you will need to allow the application to send you notifications.

  4. Next, touch the Sign in button.

    Screenshot of the Sign in screen.

  5. Once the login page loads, enter your Azure Credentials.

  6. Once you are logged into the app, navigate to the Notifications menu to see there are currently no notifications.

  7. Putting the phone aside for a moment, in your desktop web browser, navigate to the Virtual Machines list in the Azure portal.

  8. Click on the checkbox next to WEBVM1, then click Stop, followed by Yes at the confirmation prompt. This will stop (deallocate) this virtual machine, which should trigger our alert and notify you through the Azure mobile application.

    WEBVM1 is selected from the virtual machines list, and the 'stop' button is highlighted.

  9. In a few moments, you should receive an alert through the Azure mobile app that the virtual machine was stopped (deallocated).

Task 5: Application Insights

Understanding what is happening within an application can be very challenging, but with Application Insights configured for CloudShop, rich telemetry is being sent to Azure, where it can be viewed and acted upon. Here, you will investigate that data to see how CloudShop is performing.

  1. Open the Azure portal and navigate to Azure Monitor by clicking on All services, searching for "monitor", and selecting Monitor.

    The previously mentioned selections are made in the Azure portal.

  2. Click on the Application Insights tile, then select HOLCloudShop.

    Application Insights (1) is selected in the Overview blade, and under Name, HOLCloudShop (2) is selected.

  3. From the Application Insights blade, click on Pin to Dashboard.

    The Pin to dashboard icon is selected from the Overview blade.

  4. Under the INVESTIGATE section, click the Performance item.

    Under Investigate, Performance (preview) is selected.

  5. The Performance feature of Application Insights provides rich performance monitoring and easy-to-consume dashboards.

  6. This dashboard gives near real-time insight into the performance of your application. In the screenshot below, you can see this application appears to have a performance issue with the Home/Index page. It appears to be taking 20.5 seconds on average to load.

    Note: Your numbers may not match. If you click on GET Home/Index, the other sections of the dashboard will filter to performance data focused on that page.

    Under Operation Name, Get Home / Index is selected.

  7. Feel free to experiment with this dashboard to understand the performance considerations of your application.

  8. Pin the 'Operation times' chart to My Dashboard by clicking on the pin in the top right of the chart.

    Screenshot of the Pin icon.

  9. At this point, navigate back to My Dashboard, click Edit Dashboard, and arrange the many tiles you have added to give yourself an all-up view of the environment you have built. Feel free to open the various solutions, find interesting data, and pin it to the dashboard.

    Screenshot of My dashboard.

Summary

In this exercise, you explored the information and data being provided by Azure Security and Operations Management and Application Insights to gain situational awareness of the application and infrastructure. You looked at the Security Posture of the infrastructure, the performance of applications, and you built a dashboard that can be used to manage it moving forward.

After the hands-on lab

Duration: 10 mins

Overview

In this exercise, attendees will de-provision any Azure resources that were created in support of the lab.

  1. Delete the HOLRG, HOLInsights, and OPSLABRG resource groups.

You should follow all steps provided after attending the Hands-on lab.

Attribution

This content was originally posted here:
https://github.com/Microsoft/MCW-Azure-Security-and-Management

License

This content is licensed under the MIT License.

MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.