Project 1: Azure Compute and Identity Management
Topics Covered: VMs, RBAC, Azure AD, Policies, Encryption, Cost Management
Time: ~0.75 hours
Summary
This project involves deploying a virtual machine, securing it using RBAC, applying Azure Policies for resource governance, encrypting sensitive data, and monitoring costs. It teaches foundational concepts for managing Azure identities, governance, and compute resources.
Scenario
A company wants to deploy a virtual machine for their web application, secure it with role-based access control, enforce a policy for naming conventions, encrypt sensitive data, and monitor the cost of the deployed resources.
Steps
Create a Virtual Machine
- Go to Azure Portal > Virtual Machines > Create.
- Select the subscription, resource group, region, VM size, and OS (Windows/Linux).
- Configure an admin username/password or an SSH key.
- Add a data disk during creation: choose Create a new disk with source type None to get an empty disk.
- Choosing Storage blob as the source instead lets you reuse a disk you uploaded, for example one brought in from outside Azure or a custom configuration.
- Configure networking:
- Assign a static private IP in the Advanced networking section.
- Use a Network Security Group (NSG) to allow or block traffic. The NIC NSG options are:
- None: use when you manage the NIC setup manually or attach an existing NIC.
- Basic: use for quick, simple deployments such as test environments or small-scale applications.
- Advanced: use when you need fine-grained control, such as production workloads or VMs that require a custom network setup.
- Review and create the VM.
- Download the private key.
Configure Role-Based Access Control (RBAC)
- Now create a key vault and store the private key in it. Note that you will first need to assign yourself permissions on the vault (least-privilege principle).
- Go to Key vaults > Create > same resource group > same region (required) > Review + create.
- Go to Entra > Groups > create a group > select yourself as owner and member.
- Go to the key vault > Access control (IAM) > Add role assignment > Key Vault Administrator > Members > select your new group > Review + assign (the assignment can take a while to propagate).
- Sign out of and back into the Azure Portal to refresh your token.
- Alternatively, assign the role directly to yourself.
- Go to the key vault > Objects > Keys > Generate/Import > Import > upload the key file.
- Navigate to the VM > Access control (IAM) > Add role assignment.
- Assign the "Virtual Machine Contributor" role or a custom role to a user or group.
- Verify permissions:
- Go to Entra > Manage > Groups > All groups > your group name.
Log into the VM
- Go to Virtual machines > your VM > Connect > SSH using Azure CLI > Configure.
- In the Cloud Shell window that opens, run:
az network public-ip list
- Open the public IP in a browser to confirm that the VM is reachable only over SSH, not HTTPS, because of the NSG rules.
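The three portal walkthroughs above (VM, key vault with RBAC, exposure check) as one Azure CLI script. This is an added example, not part of the original lab: every resource name, the 10.0.0.0/16 address space, the `Ubuntu2204` image and the `<...>` IDs are placeholders, and `DRY_RUN=1` (the default) only prints the `az` commands so the script can be read and checked offline; set `DRY_RUN=0` in an authenticated Cloud Shell to actually run them.

```shell
#!/bin/sh
# Added example, not part of the original lab: an Azure CLI version of the three portal
# steps above (VM with a data disk and static private IP behind an SSH-only NSG, then a
# key vault whose access is granted to a group by a role scoped to that vault alone).
# Every name below is a placeholder; the key vault name must be globally unique.
# DRY_RUN=1 (default) only prints the az commands so the script can be read offline;
# set DRY_RUN=0 in an authenticated Cloud Shell (or after `az login`) to execute them.
set -eu

RG="${RG:-rg-lab1}"
LOCATION="${LOCATION:-eastus}"
VM_NAME="${VM_NAME:-vm-web-01}"
VNET_NAME="${VNET_NAME:-vnet-lab1}"
SUBNET_NAME="${SUBNET_NAME:-snet-web}"
NSG_NAME="${NSG_NAME:-nsg-web}"
STATIC_IP="${STATIC_IP:-10.0.1.10}"
KV_NAME="${KV_NAME:-kv-lab1-placeholder}"
GROUP_NAME="${GROUP_NAME:-grp-kv-admins}"
SSH_KEY="${SSH_KEY:-${HOME:-$PWD}/.ssh/id_rsa}"   # where --generate-ssh-keys puts the key

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1a: network. One inbound allow rule (TCP 22) is added; the NSG's default rules
# deny all other inbound traffic from the Internet, which is why the browser test fails.
create_network() {
  run az group create --name "$RG" --location "$LOCATION"
  run az network nsg create --resource-group "$RG" --name "$NSG_NAME" --location "$LOCATION"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG_NAME" \
    --name allow-ssh --priority 1000 --direction Inbound --access Allow \
    --protocol Tcp --destination-port-ranges 22
  run az network vnet create --resource-group "$RG" --name "$VNET_NAME" \
    --address-prefixes 10.0.0.0/16
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET_NAME" \
    --name "$SUBNET_NAME" --address-prefixes 10.0.1.0/24 --network-security-group "$NSG_NAME"
}

# Step 1b: the VM with a generated SSH key pair, a 32 GB empty data disk and a static
# private IP (giving an explicit private address makes the allocation static).
create_vm() {
  run az vm create --resource-group "$RG" --name "$VM_NAME" --image Ubuntu2204 \
    --size Standard_B1s --admin-username azureuser --generate-ssh-keys \
    --vnet-name "$VNET_NAME" --subnet "$SUBNET_NAME" --nsg "$NSG_NAME" \
    --private-ip-address "$STATIC_IP" --data-disk-sizes-gb 32
}

# Step 2: key vault in RBAC mode, a group containing the signed-in user, and a single
# role assignment scoped to the vault (not the resource group or subscription), then
# the private key import. In dry-run mode the object IDs are placeholders.
create_keyvault_rbac() {
  run az keyvault create --resource-group "$RG" --name "$KV_NAME" --location "$LOCATION" \
    --enable-rbac-authorization true
  run az ad group create --display-name "$GROUP_NAME" --mail-nickname "$GROUP_NAME"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    me_id="<signed-in-user-object-id>"
    group_id="<group-object-id>"
    kv_id="/subscriptions/<subscription-id>/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV_NAME"
  else
    me_id=$(az ad signed-in-user show --query id -o tsv)
    group_id=$(az ad group show --group "$GROUP_NAME" --query id -o tsv)
    kv_id=$(az keyvault show --name "$KV_NAME" --query id -o tsv)
  fi
  run az ad group member add --group "$GROUP_NAME" --member-id "$me_id"
  run az role assignment create --assignee-object-id "$group_id" \
    --assignee-principal-type Group --role "Key Vault Administrator" --scope "$kv_id"
  # The assignment can take minutes to propagate and needs a fresh token before the
  # import succeeds; the key file must be PEM-encoded for `key import`.
  run az keyvault key import --vault-name "$KV_NAME" --name vm-ssh-key --pem-file "$SSH_KEY"
}

# Step 3: list the public IP (the lab's own command) and probe 22 and 443: only 22
# should answer. Uses nc, so this part runs only outside dry-run mode.
verify_exposure() {
  run az network public-ip list --resource-group "$RG" --query "[].ipAddress" -o tsv
  if [ "${DRY_RUN:-1}" != "1" ]; then
    ip=$(az network public-ip list --resource-group "$RG" --query "[0].ipAddress" -o tsv)
    for port in 22 443; do
      if nc -z -w 3 "$ip" "$port"; then echo "port $port: open"; else echo "port $port: blocked"; fi
    done
  fi
}

main() { create_network; create_vm; create_keyvault_rbac; verify_exposure; }
main
```

The role assignment is the least-privilege point of the lab: the scope is the vault's own resource ID, so the group gets Key Vault Administrator on that one vault and nothing on the resource group or subscription. In dry-run mode the script prints the exact commands with placeholder IDs, which is also a convenient way to review what will be created before running it for real.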
Apply Azure Policy
- Navigate to Policy > Authoring > Definitions > Initiative definition > Name > Category > Next.
- Add policy definition(s): search "tag" and select a few "Inherit a tag from resource group…" and "Inherit a tag from subscription…" definitions; search "allow" and select "Allowed resource types" > Review + Create > Next.
- Create group > name it Tags > Save > Previous > select the tag policies > Add to a group > select Tags > Save.
- Select Initiative parameters > Create initiative parameter > Name > Display name > Allowed values > Save.
- For the reference IDs "Inherit a tag from resource group…" and "Inherit a tag from subscription…", set Value type to "Use Initiative Parameter" and Value(s) to the Name parameter; for "Allowed resource types" set the value to "virtualMachines" > Review + create > Create.
- Now assign the initiative to the subscription and test it.
- Select the subscription under Basics > set the parameter under Parameters > Review + create > Create.
- To view policy compliance: go to the VM > Operations > Policies.
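The initiative from the step above, built with the Azure CLI. This is an added example and not part of the lab: instead of the built-in "Inherit a tag…" and "Allowed resource types" definitions chosen in the portal it writes two custom definitions with the same logic, so the deny and modify rules and the way an initiative parameter is passed down to them are visible. `SUB_ID`, `TAG_NAME`, the definition names and the `eastus` location are placeholders; `DRY_RUN=1` (the default) only writes the JSON files and prints the `az` commands.

```shell
#!/bin/sh
# Added example, not part of the original lab: Azure CLI version of the policy step.
# Two custom policy definitions (allowed resource types = deny, inherit a tag from the
# resource group = modify) are grouped into an initiative whose parameters feed both,
# then assigned to the subscription. SUB_ID and TAG_NAME are placeholders.
# DRY_RUN=1 (default) writes the JSON files and prints the az commands only.
set -eu

SUB_ID="${SUB_ID:-<subscription-id>}"
TAG_NAME="${TAG_NAME:-costcenter}"
WORK="${WORK:-$(mktemp -d)}"

run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Policy 1: deny any resource whose type is not in the parameter list.
write_allowed_types_policy() {
  cat >"$WORK/allowed-types.rules.json" <<'EOF'
{ "if": { "not": { "field": "type", "in": "[parameters('listOfResourceTypesAllowed')]" } },
  "then": { "effect": "deny" } }
EOF
  cat >"$WORK/allowed-types.params.json" <<'EOF'
{ "listOfResourceTypesAllowed": { "type": "Array",
    "metadata": { "displayName": "Allowed resource types", "strongType": "resourceTypes" } } }
EOF
}

# Policy 2: when the resource group carries the tag and the resource's value differs
# (or is missing), copy it onto the resource. Modify needs a role the assignment's
# managed identity will be granted; the GUID is the built-in Contributor role.
write_inherit_tag_policy() {
  cat >"$WORK/inherit-tag.rules.json" <<'EOF'
{ "if": { "allOf": [
    { "field": "[concat('tags[', parameters('tagName'), ']')]",
      "notEquals": "[resourceGroup().tags[parameters('tagName')]]" },
    { "value": "[resourceGroup().tags[parameters('tagName')]]", "notEquals": "" } ] },
  "then": { "effect": "modify", "details": {
    "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ],
    "operations": [ { "operation": "addOrReplace",
      "field": "[concat('tags[', parameters('tagName'), ']')]",
      "value": "[resourceGroup().tags[parameters('tagName')]]" } ] } } }
EOF
  cat >"$WORK/inherit-tag.params.json" <<'EOF'
{ "tagName": { "type": "String", "metadata": { "displayName": "Tag name" } } }
EOF
}

# Initiative: two references (the tag one in a "Tags" group), with initiative
# parameters mapped onto each definition's own parameters via [parameters('...')].
write_initiative() {
  cat >"$WORK/initiative.defs.json" <<EOF
[ { "policyDefinitionReferenceId": "allowedTypes",
    "policyDefinitionId": "/subscriptions/$SUB_ID/providers/Microsoft.Authorization/policyDefinitions/lab-allowed-types",
    "parameters": { "listOfResourceTypesAllowed": { "value": "[parameters('allowedTypes')]" } } },
  { "policyDefinitionReferenceId": "inheritTag",
    "policyDefinitionId": "/subscriptions/$SUB_ID/providers/Microsoft.Authorization/policyDefinitions/lab-inherit-tag",
    "parameters": { "tagName": { "value": "[parameters('tagName')]" } },
    "groupNames": [ "Tags" ] } ]
EOF
  cat >"$WORK/initiative.params.json" <<'EOF'
{ "allowedTypes": { "type": "Array", "metadata": { "displayName": "Allowed resource types" },
    "defaultValue": [ "Microsoft.Compute/virtualMachines", "Microsoft.Compute/disks",
                      "Microsoft.Network/networkInterfaces" ] },
  "tagName": { "type": "String", "metadata": { "displayName": "Tag to inherit" } } }
EOF
  cat >"$WORK/initiative.groups.json" <<'EOF'
[ { "name": "Tags", "displayName": "Tag governance" } ]
EOF
}

apply() {
  write_allowed_types_policy; write_inherit_tag_policy; write_initiative
  run az policy definition create --name lab-allowed-types --mode All \
    --rules "@$WORK/allowed-types.rules.json" --params "@$WORK/allowed-types.params.json"
  run az policy definition create --name lab-inherit-tag --mode Indexed \
    --rules "@$WORK/inherit-tag.rules.json" --params "@$WORK/inherit-tag.params.json"
  run az policy set-definition create --name lab-governance \
    --definitions "@$WORK/initiative.defs.json" --params "@$WORK/initiative.params.json" \
    --definition-groups "@$WORK/initiative.groups.json"
  # A system-assigned identity is required because the initiative contains a modify effect.
  run az policy assignment create --name lab-governance --scope "/subscriptions/$SUB_ID" \
    --policy-set-definition lab-governance --mi-system-assigned --location eastus \
    --params "{\"tagName\":{\"value\":\"$TAG_NAME\"}}"
  # Same data the portal shows under VM > Operations > Policies.
  run az policy state list --policy-assignment lab-governance \
    --query "[].{resource:resourceId,state:complianceState}" -o table
}
apply
```

The allowed-types default deliberately lists disks and network interfaces as well as virtual machines: the deny applies to every resource type not in the list, so an initiative assigned at subscription scope with only `virtualMachines` allowed would also block the NIC a new VM needs. Compliance results appear only after the next evaluation cycle, so `az policy state list` may be empty right after the assignment.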
Monitor and Manage Costs
- Navigate to Cost Management + Billing > Billing scope > Cost Management > Budgets > Add:
- Set a monthly spending limit for the subscription.
- Configure email or action-group notifications for thresholds (e.g., 50%, 80%, 100%).
- Review Cost analysis to identify trends and optimize spending.
- Review Advisor recommendations for cost-saving suggestions.
Project 2: Azure Networking and Storage
Topics Covered: Virtual Networks, NSGs, Storage Accounts, Encryption, Protocols, ARM Templates
Time: ~0.75 hours
Summary
This project covers deploying a secure storage account, creating VNets and NSGs for isolation, enabling encryption, and automating resource deployment using ARM templates. It demonstrates networking and storage fundamentals.
Scenario