E11677 CSB-436 Cloud Security Lab Manual


Apex Institute of Technology

LAB MANUAL

Semester: 7th
Course Name: Cloud Security
Course Code: CSB-436
Course Coordinator: Gurpreet Singh Panesar

Department Vision and Mission

Mission of the Department

M1: To provide a relevant, rigorous and contemporary curriculum and an aligned assessment system to ensure effective learning outcomes for engineering technologies.

M2: To provide a platform for industry engagement aimed at providing hands-on training on advanced technological and business skills to our students.

M3: To provide opportunities for collaborative, interdisciplinary and cutting-edge research aimed at developing solutions to real-life problems.

M4: To imbibe a quest for innovation, continuous learning and zeal to pursue excellence through hard work and a problem-solving approach.

M5: To foster skills of leadership, management, communication, team spirit and strong professional ethics in all academic and societal endeavours of our students.

Vision of the Department

To be recognized as a center of excellence for Computer Science & Engineering education and research, through effective teaching practices, hands-on training on cutting-edge computing technologies and excellence in innovation, for creating globally aware, competent professionals with strong work ethics who are proficient in implementing modern technology solutions and have the entrepreneurial zeal to solve problems of organizations and society at large.
Program Educational Objectives (PEOs)

PEO1: To be able to explore areas of research, technology application & innovation and make a positive impact in different types of institutional settings such as corporate entities, government bodies, NGOs, inter-government organizations, & start-ups.

PEO2: To be able to design and implement technology and computing solutions to organizational problems, effectively deploy knowledge of engineering principles, demonstrate critical thinking skills & make the intellectual connections between quantitative and qualitative tools, theories and context to solve organizational problems.

PEO3: To be able to work with, lead & engage big and small teams comprising diverse people in terms of gender, nationality, region, language, culture & beliefs. To understand stated and unstated differences of views, beliefs & customs in diverse & interdisciplinary team settings.

PEO4: To be able to continuously learn and update one's knowledge, engage in lifelong learning habits and acquire the latest knowledge to perform in current work settings.

PEO5: To continuously strive for justice, ethics, equality, honesty, and integrity in both personal and professional pursuits. To be able to understand and conduct oneself in a way that is responsible and respectful.

Program Specific Outcomes (PSOs)

PSO1: The graduate shall be able to analyze and evaluate systems with respect to maintaining operations in the presence of risks and threats, and communicate the human role in security systems with an emphasis on ethics, social engineering vulnerabilities and training.

PSO2: The graduate shall be able to conduct an Information Security risk assessment and audit, and troubleshoot Information Security systems using cryptographic measures.

PSO3: The graduate shall be able to assess the ethical ramifications of working in Information Security, information assurance, and cyber/computer forensics software/tools.

PSO4: The graduate shall be able to design and develop a security architecture and operational and strategic cyber security strategies and policies.
Program Outcomes (POs)

PO1 Engineering Knowledge: Apply knowledge of mathematics, science, engineering fundamentals and an engineering specialization to the solution of complex engineering problems.

PO2 Problem Analysis: Identify, formulate, research literature and analyze complex engineering problems, reaching substantiated conclusions using first principles of mathematics, natural sciences and engineering sciences.

PO3 Design/Development of Solutions: Design solutions for complex engineering problems and design system components or processes that meet specified needs with appropriate consideration for public health and safety, and for cultural, societal and environmental considerations.

PO4 Conduct Investigations of Complex Problems: Use research-based knowledge and research methods, including design of experiments, analysis and interpretation of data, and synthesis of information, to provide valid conclusions.

PO5 Modern Tool Usage: Create, select and apply appropriate techniques, resources and modern engineering and IT tools, including prediction and modeling, to complex engineering activities with an understanding of the limitations.

PO6 The Engineer and Society: Apply reasoning informed by contextual knowledge to assess societal, health, safety, legal and cultural issues and the consequent responsibilities relevant to professional engineering practice.

PO7 Environment and Sustainability: Understand the impact of professional engineering solutions in societal and environmental contexts and demonstrate knowledge of, and the need for, sustainable development.

PO8 Ethics: Apply ethical principles and commit to professional ethics, responsibilities and norms of engineering practice.

PO9 Individual and Team Work: Function effectively as an individual, and as a member or leader in diverse teams and in multi-disciplinary settings.

PO10 Communication: Communicate effectively on complex engineering activities with the engineering community and with society at large, such as being able to comprehend and write effective reports and design documentation, make effective presentations, and give and receive clear instructions.

PO11 Project Management and Finance: Demonstrate knowledge and understanding of engineering and management principles and apply these to one's own work, as a member and leader in a team, to manage projects and in multidisciplinary environments.

PO12 Life-long Learning: Recognize the need for, and have the preparation and ability to engage in, independent and life-long learning in the broadest context of technological change.

Scheme Version: 2021
Name of Course: Cloud Security Lab (CSB-436)
Programs: BE-CSE (BIS)
L T P S C: 0 0 4 0 2
Total Marks: 100 (Internal Marks: 40, External Marks: 60)
Pre-requisite: Cloud Computing
Total hours = 30

Course Objectives

1. Assess system administration tasks, design scripts to automate these tasks, and solve system administration problems using a shell interface.
2. Design complex scripts in a scripting language such as Perl, Python or Ruby.
3. Develop scripts to a high level in PowerShell.

Course Outcomes

1. Implement enterprise governance strategies including role-based access control, Azure policies, and resource locks.
2. Implement perimeter security strategies including Azure Firewall.
3. Implement container security strategies including Azure Container Instances, Azure Container Registry, and Azure Kubernetes Service.
4. Implement Azure Key Vault including certificates, keys, and secrets.
5. Implement storage security strategies including shared access signatures, blob retention policies, and Azure Files authentication.
Lab Experiments with CO Mapping

Experiment No | Experiment Name | Mapped with CO
1 | Resource Group and Virtual Machine creation | CO1
2 | Role-Based Access Control | CO1
3 | MFA, Conditional Access and AAD Identity Protection | CO2
4 | Network Security Groups and Application Security Groups | CO2
5 | Azure Firewall | CO3
6 | Configuring and Securing ACR and AKS | CO2
7 | Key Vault (Implementing Secure Data) | CO4
8 | Securing Azure SQL Database | CO5
9 | Service Endpoints and Securing Storage | CO5
10 | Azure Monitor, Azure Security Center | CO3, CO5

MODE OF EVALUATION: The performance of students is evaluated as follows:

Components | Continuous Internal Assessment (CAE) | Semester End Examination (SEE)
Practical marks | 60 | 40
Total Marks | 100
Course Outcome | PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 PO12 PSO1 PSO2 PSO3 PSO4 PSO5
CO1 | 1 2 2 2 2 3 2 2 2 2
CO2 | 1 2 2 3 2 1 3 2 3 3
CO3 | 1 2 2 3 2 1 3 2 3 3
CO4 | 1 3 3 3 2 1 2 2 3 3
CO5 | 1 3 3 3 2 1 3 3 2 2

Marks List ( Group A and B)

EXPERIMENT 1.1

Mapped Course Outcomes: CO1

CO1: Implement enterprise governance strategies including role-based access control, Azure policies, and resource locks.

AIM:-

This experiment introduces the governance building blocks of Azure: creating a resource group, protecting it with a resource lock, and deploying a virtual machine into it. These are the scopes at which role-based access control is applied in the following experiments.

Apparatus required:-

Azure account

Theory :-

Microsoft Azure is a collection of cloud computing services, including remotely hosted and managed versions of proprietary Microsoft technologies and open technologies, such as Linux distributions deployable inside a virtual machine.

Procedure Steps:-

Step 1:

Create a resource group in Azure and deploy a virtual machine.

What is a resource group?

A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. Every resource lives in exactly one resource group, and the group is also a scope at which role assignments, policies and locks are applied, which is why it matters for governance.

Create resource groups

1. Sign in to the Azure portal.
2. Select Resource groups.
3. Select Add (labelled Create in newer versions of the portal).
4. Enter the following values:
   ▪ Subscription: Select your Azure subscription.
   ▪ Resource group: Enter a new resource group name.
   ▪ Region: Select an Azure location, such as Central US. This region stores only the group's metadata; resources inside the group can be deployed to other regions.
5. Select Review + Create.
6. Select Create. It takes a few seconds to create a resource group.
7. Select Refresh from the top menu to refresh the resource group list, and then select the newly created resource group to open it. Or select Notifications (the bell icon) from the top, and then select Go to resource group to open the newly created resource group.

List resource groups

▪ Sign in to the Azure portal.
▪ To list the resource groups, select Resource groups.
▪ To customize the information displayed for the resource groups, select Edit columns and add the columns you need (for example Location, Subscription or Tags).

Open resource groups

▪ Sign in to the Azure portal.
▪ Select Resource groups.
▪ Select the resource group you want to open.

Delete resource groups

▪ Open the resource group you want to delete.
▪ Select Delete resource group. Deleting a group deletes every resource inside it; this is exactly the mistake a Delete lock is meant to prevent.

Deploy resources to a resource group

After you have created a Resource Manager template, you can use the Azure portal to deploy your Azure resources into the group.

Lock resource groups

A management lock prevents users in your organization from accidentally deleting or modifying critical resources. Locks can be applied at subscription, resource group or resource scope, and a lock set on a parent scope is inherited by everything beneath it.

▪ Open the resource group you want to lock.
▪ In the left pane, select Locks.
▪ To add a lock to the resource group, select Add.
▪ Enter Lock name, Lock type, and Notes. The lock types are Read-only (no changes and no deletion) and Delete (changes allowed, deletion blocked).

A lock is a safety net, not an access control: it applies to every user regardless of role, but anyone holding the Owner or User Access Administrator role (the Microsoft.Authorization/locks/* permission) can remove it. Use role-based access control to limit who holds those roles.
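The same create-and-lock procedure in Azure PowerShell, with a negative test that proves the lock is in force. This is an added example, not part of the original manual; it assumes the Az module is installed and Connect-AzAccount has already been run against the lab subscription, and the resource group name and region are lab choices rather than values the manual prescribes.

```powershell
# Added example (not from the lab manual): create a resource group, apply a
# CanNotDelete lock, then prove the lock works by attempting to delete the group.
# Assumes: Az module installed and Connect-AzAccount already done.
# $rgName and $location are assumed lab values.
$rgName   = 'rg-csb436-lab1'
$location = 'centralindia'

# Create the resource group only if it does not already exist (New-AzResourceGroup
# prompts for confirmation when the name is already taken).
if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rgName -Location $location | Out-Null
}

# Lock it. CanNotDelete ("Delete" in the portal) still permits reads and updates.
# ReadOnly ("Read-only") also blocks writes, and blocks some operations that are
# implemented as POST requests, such as listing storage account keys, so it can
# break workloads in surprising ways. Delete is the safer choice for a lab group.
New-AzResourceLock -LockName 'lab-no-delete' `
                   -LockLevel CanNotDelete `
                   -ResourceGroupName $rgName `
                   -LockNotes 'Protects lab resources from accidental deletion' `
                   -Force | Out-Null

# Show the lock as Azure sees it.
Get-AzResourceLock -ResourceGroupName $rgName |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }

# Negative test: the delete must fail with a ScopeLocked error from Resource Manager.
try {
    Remove-AzResourceGroup -Name $rgName -Force -ErrorAction Stop
    Write-Warning 'Delete succeeded: the lock is NOT in place'
}
catch {
    Write-Host "Delete blocked as expected: $($_.Exception.Message)"
}

# A lock is not an access control. Any principal with Microsoft.Authorization/locks/*
# (Owner, User Access Administrator) can remove it; Contributor cannot, because the
# built-in role lists Microsoft.Authorization/*/Write under NotActions.
(Get-AzRoleDefinition -Name 'Contributor').NotActions
```

Run the delete attempt a second time after removing the lock (Remove-AzResourceLock -LockName 'lab-no-delete' -ResourceGroupName $rgName -Force) if you want to see the group actually disappear; otherwise keep it, the later experiments deploy into it.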

Create a Free Windows Virtual Machine in Azure

A virtual machine is backed by a file, typically called an image, which behaves like an actual computer. The end user has the same experience on a virtual machine as on dedicated hardware. In the cloud, a virtual machine is an operating system image running on a shared server; cloud virtual machines are used in many ways: development, test servers, low-traffic web servers, databases, microservices, and basic computing.

Step 1: Log in to your Microsoft Azure account.

Step 2: Search for Free services in the search bar.

Figure: Free services

Step 3: Select Create under the Windows Virtual Machine section to create a Windows VM.

Figure: Creating a Windows VM

Step 4: Add the following details as per your requirement:

• Enter the name of the virtual machine in the Virtual machine name text box.
• Select the nearest or most suitable region.
• Select the Windows image you wish to use. Here, Windows Server 2012 (Gen 1) was used. Windows Server 2012 and 2012 R2 reached end of support in October 2023 and no longer receive security updates, so choose a currently supported image such as Windows Server 2022 for new work.

Figure: Types of images available

• Select the available size (1 vCPU, 1 GiB memory for the free tier).
• Select the authentication type as per your convenience.
• Type the username and password.
• Select the allowed inbound ports (SSH {22}, HTTP {80}, HTTPS {443}, RDP {3389}). Only RDP (3389) is needed to connect to a Windows VM. Every port chosen here becomes a network security group rule allowing that port from any internet address, and an RDP port exposed this way attracts password-guessing attempts almost immediately. Open only 3389 here, and after deployment restrict its source to your own public IP address in the network security group (see Experiment 2.1).
• Add tags as per your requirement.

Step 5: Click Review + create, then click Create to start the deployment.

Figure: Review + create

Step 6: After the deployment is complete, open the virtual machine's Overview page to find the details needed to connect from your local machine.

Figure: Virtual machine

Step 7: Open the Start menu, search for "Remote Desktop Connection" and launch the Remote Desktop Connection application.

Step 8: Enter the public IP address and username of your Windows virtual machine, and click Connect.

Figure: Connect

Step 9: Enter the password to access your Windows virtual machine.

Figure: Password

Step 10: Proceed to connect and use your free Windows virtual machine. Stop (deallocate) the VM when you are not using it, since free-tier hours are limited.
EXPERIMENT 1.2

Mapped Course Outcomes: CO1

CO1: Implement enterprise governance strategies including role-based access control, Azure policies, and resource locks.

Aim:- This experiment gives a practical overview of user management and role assignment in Azure Active Directory, the identity foundation on which role-based access control is built.

Theory:

What is Azure Active Directory?

Azure Active Directory (Azure AD, renamed Microsoft Entra ID in 2023) is a cloud-based identity and access management service. It lets your employees sign in to and access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Add or delete users using Azure Active Directory

You can add new users to, or delete existing users from, your Azure AD organization. To add or delete users you must hold the User Administrator or Global Administrator role. Use User Administrator for day-to-day user management; Global Administrator should be held by as few accounts as possible.

Procedural Steps:-

Add a new user

You can create a new user using the Azure Active Directory portal.

To add a new user, follow these steps:

1. Sign in to the Azure portal with an account holding the User Administrator role for the organization.
2. Search for and select Azure Active Directory from any page.
3. Select Users, and then select New user.

On the New user page, enter the information for this user:

• Name. Required. The first and last name of the new user. For example, Mary Parker.
• User name. Required. The user name of the new user. The domain part of the user name must use either the initial default domain name, <yourdomainname>.onmicrosoft.com, or a verified custom domain name, such as contoso.com.
• Groups. Optionally, you can add the user to one or more existing groups. You can also add the user to groups later. Granting access to groups rather than to individual users keeps permissions easy to review.
• Directory role. If the user requires Azure AD administrative permissions, you can add them to an Azure AD role. Leave the default (User) unless the person actually needs to administer the directory.
• Job info. You can add more information about the user here, or do it later.

Add a new guest user

You can also invite a new guest user to collaborate with your organization by selecting Invite user from the New user page. If your organization's external collaboration settings allow you to invite guests, the user is emailed an invitation that they must accept before they can begin collaborating.

Add a new user within a hybrid environment

If you have an environment with both Azure Active Directory (cloud) and Windows Server Active Directory (on-premises), you can add new users by synchronizing the existing user account data to Azure AD with Azure AD Connect.

Delete a user

To delete a user, follow these steps:

1. Sign in to the Azure portal using a User Administrator account for the organization.
2. Search for and select Azure Active Directory from any page.
3. Search for and select the user you want to delete from your Azure AD tenant. For example, Mary Parker.
4. Select Delete user.

The user is deleted and no longer appears on the Users - All users page. The deletion is a soft delete: the user appears on the Deleted users page for the next 30 days and can be restored during that time, after which it is permanently removed.

Assign administrator and non-administrator roles to users with Azure Active Directory

In Azure Active Directory (Azure AD), if one of your users needs permission to manage Azure AD resources, you must assign them a role that provides the permissions they need. Assign the most specific built-in role that covers the task (for example Application administrator rather than Global administrator).

Assign roles

A common way to assign Azure AD roles to a user is on the Assigned roles page for that user.

Assign a role to a user

1. Go to the Azure portal and sign in using a Global administrator (or Privileged Role administrator) account for the directory.
2. Search for and select Azure Active Directory.
3. Select Users.
4. Search for and select the user getting the role assignment. For example, Demo.
5. On the Demo - Profile page, select Assigned roles. The Demo - Administrative roles page appears.
6. Select Add assignments, select the role to assign to Demo (for example, Application administrator), and then choose Select.

The Application administrator role is assigned to Demo and appears on the Demo - Administrative roles page.

Note that Azure AD directory roles such as Application administrator control the identity plane only. Access to Azure resources (subscriptions, resource groups, virtual machines) is governed separately by Azure RBAC roles such as Owner, Contributor and Reader, assigned at a scope under Access control (IAM); a user can hold either kind of role without the other, and both must be reviewed when auditing who can do what.

Remove a role assignment

If you need to remove the role assignment from a user, you can also do that from the Demo - Administrative roles page.

To remove a role assignment from a user

1. Select Azure Active Directory, select Users, and then search for and select the user whose role assignment is being removed. For example, Demo.
2. Select Assigned roles, select Application administrator, and then select Remove assignment.
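The user creation and role assignment above done from PowerShell, extended with an Azure RBAC assignment so the two kinds of role can be compared side by side. This is an added example and not part of the original manual; it assumes the Microsoft.Graph and Az modules are installed, that the signed-in account can create users and assign roles in both planes, and that the tenant domain, user name, placeholder password and resource group name are lab choices.

```powershell
# Added example (not from the lab manual): create a user, give it an Azure AD
# directory role, then give it an Azure RBAC role at resource-group scope, and
# list both so the identity plane and the resource plane can be compared.
# Assumes: Microsoft.Graph and Az modules installed; $domain, $upn, the password
# and $rgName are assumed lab values.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' | Out-Null
Connect-AzAccount | Out-Null

$domain = 'contoso.onmicrosoft.com'   # assumed initial domain of the tenant
$upn    = "demo@$domain"
$rgName = 'rg-csb436-lab1'            # assumed, created in Experiment 1.1

# 1. Create the user. ForceChangePasswordNextSignIn makes the initial password
#    single-use; the value below is a placeholder, generate a real one.
$user = New-MgUser -DisplayName 'Demo' `
                   -UserPrincipalName $upn `
                   -MailNickname 'demo' `
                   -AccountEnabled `
                   -PasswordProfile @{
                       Password                      = 'Replace-With-Generated-P@ssw0rd!'
                       ForceChangePasswordNextSignIn = $true
                   }

# 2. Directory (identity-plane) role: Application Administrator, as in the
#    manual. DirectoryScopeId '/' means tenant-wide.
$appAdmin = Get-MgRoleManagementDirectoryRoleDefinition `
                -Filter "displayName eq 'Application Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
                                            -RoleDefinitionId $appAdmin.Id `
                                            -DirectoryScopeId '/' | Out-Null

# 3. Azure RBAC (resource-plane) role: Reader on one resource group only. This is
#    the least privilege that lets the user see lab resources without changing
#    them; nothing in step 2 grants any access to Azure resources at all.
Start-Sleep -Seconds 20   # a brand-new principal can take a moment to replicate
New-AzRoleAssignment -ObjectId $user.Id `
                     -RoleDefinitionName 'Reader' `
                     -ResourceGroupName $rgName | Out-Null

# 4. Review both assignments. They live in different stores and must be audited
#    separately; neither listing shows the other.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }
Get-AzRoleAssignment -ObjectId $user.Id | Select-Object RoleDefinitionName, Scope

# Cleanup, mirroring "Remove a role assignment" and "Delete a user" above:
# Remove-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -ResourceGroupName $rgName
# Remove-MgUser -UserId $user.Id   # soft-deleted; restorable for 30 days
```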

EXPERIMENT 1.3

Mapped Course Outcomes: CO2

CO2: Implement perimeter security strategies including Azure Firewall.

Aim:- To implement Azure AD multi-factor authentication for the Azure portal with a Conditional Access policy, the identity control on which Azure AD Privileged Identity Management builds.

Apparatus Required:-

Azure account with an Azure AD Premium P1 license. Conditional Access requires P1, and security defaults must be turned off in the tenant before Conditional Access policies can be created.

Procedural Steps:-

First, create a Conditional Access policy and assign your test group of users as follows:

1. Sign in to the Azure portal by using an account with Global administrator (or Conditional Access administrator) permissions.
2. Search for and select Azure Active Directory. Then select Security from the menu on the left-hand side.
3. Select Conditional Access, select + New policy, and then select Create new policy.
4. Enter a name for the policy, such as MFA Pilot.
5. Under Assignments, select the current value under Users or workload identities.
6. Under What does this policy apply to?, verify that Users and groups is selected.
7. Under Include, choose Select users and groups, and then select Users and groups. Since no one is assigned yet, the list of users and groups (used in the next step) opens automatically.
8. Browse for and select your Azure AD group, such as MFA-Test-Group, then choose Select.
9. Under Exclude, add at least one emergency-access (break-glass) account. If MFA is misconfigured or the MFA service is unavailable, this is the only account that can still sign in and fix the policy.

We've selected the group to apply the policy to. In the next section, we configure the conditions under which to apply the policy.

Configure which apps require multi-factor authentication

1. Select the current value under Cloud apps or actions, and then under Select what this policy applies to, verify that Cloud apps is selected.
2. Under Include, choose Select apps.
3. Browse the list of available apps. For this tutorial, select Microsoft Azure Management so that the policy applies to sign-in events to the Azure portal (and to anything else that calls Azure Resource Manager, such as Azure CLI and Azure PowerShell). Then choose Select.

Configure multi-factor authentication for access

Configure the access controls to require multi-factor authentication during a sign-in event to the Azure portal.

1. Under Access controls, select the current value under Grant, and then select Grant access.
2. Select Require multi-factor authentication, and then choose Select.

Activate the policy

Conditional Access policies can be set to Report-only if you want to see how the configuration would affect users, or Off if you don't want to use the policy right now. Because a test group of users is targeted for this tutorial, let's enable the policy, and then test Azure AD Multi-Factor Authentication. In a production tenant, run a new policy in Report-only mode first and review the sign-in logs before switching it on.

1. Under Enable policy, select On.
2. To apply the Conditional Access policy, select Create.

To test it, sign in to the Azure portal in a private browser window as a member of MFA-Test-Group: the sign-in now prompts to register or use an MFA method. A user outside the group is not prompted.

Clean up resources

If you no longer want to use the Conditional Access policy that you configured, delete the policy by using the following steps:

1. Sign in to the Azure portal.
2. Search for and select Azure Active Directory, and then select Security from the menu on the left-hand side.
3. Select Conditional Access, and then select the policy that you created, such as MFA Pilot.
4. Select Delete, and then confirm that you want to delete the policy.
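The MFA Pilot policy from this experiment created through Microsoft Graph PowerShell, starting in report-only mode and excluding a break-glass account. This is an added example, not part of the original manual; it assumes the Microsoft.Graph module, a tenant with Azure AD Premium P1, an existing group named MFA-Test-Group, and an emergency-access account whose user principal name below is a lab choice.

```powershell
# Added example (not from the lab manual): the "MFA Pilot" Conditional Access
# policy from this experiment, created in report-only mode through Microsoft Graph.
# Assumes: Microsoft.Graph module, Azure AD Premium P1, an existing group
# MFA-Test-Group, and the emergency-access account UPN below (assumed value).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All', 'User.Read.All' | Out-Null

$pilotGroup = Get-MgGroup -Filter "displayName eq 'MFA-Test-Group'"
$breakGlass = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"

# First-party application ID of "Microsoft Azure Management" (Azure portal, ARM,
# Azure CLI and Azure PowerShell all authenticate to it).
$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

$policy = @{
    displayName = 'MFA Pilot'
    # Report-only first: the sign-in logs record what the policy WOULD have done.
    # Switch to 'enabled' only after reviewing them.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeGroups = @($pilotGroup.Id)
            # Always exclude an emergency-access account so an MFA outage or a
            # mis-scoped policy cannot lock every administrator out of the tenant.
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @($azureManagementAppId) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Enforce once the report-only results look right:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'

# Clean up (mirrors the portal steps above):
# Remove-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
```

The policy object is the same JSON the portal sends; exporting it this way also gives you a reviewable, version-controlled record of the tenant's access rules.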
EXPERIMENT 1.4

Mapped Course Outcomes: CO2

CO2: Implement perimeter security strategies including Azure Firewall.

Aim:- Creating a storage account and uploading a file to a container to check public (anonymous) access.

Apparatus Required:-

Azure account

Procedural Steps:-

Creating a storage account and uploading a file to a container to check public access.

1. In the Azure portal, search for Storage accounts and select Create.
2. Select an existing resource group or create a new one, as per your requirement.
3. Keep the Advanced settings at their defaults for now, with one exception to check: "Allow enabling anonymous access on individual containers" (called Allow Blob public access in older versions of the portal). New storage accounts default to disabling it, and it must be enabled for step 8 to work.
4. Leave the remaining tabs at their defaults or choose as required.
5. Select Create.
6. Once the deployment is complete, select the resource (storage account) you have just created.
7. Create a new container. Type a name for your new container. The container name must be lowercase, must start with a letter or number, and can include only letters, numbers, and the dash (-) character.
8. Set the level of public access for the container. The default level is Private (no anonymous access). For this experiment choose Blob (anonymous read access for blobs only, no listing of the container) so that the test below has something to show.
9. Click on the newly created container and upload a file (an image) into it.
10. The container is now public, and so is the URL of the image. Copy the URL from the blob's properties and paste it into a new tab in a private browser window, where no Azure session is present, and check whether you can access the image. Also look at the URL: it follows the pattern https://<account>.blob.core.windows.net/<container>/<blob>, which is easy to guess, so a public container must only ever hold data that is meant to be public.
11. Change the container back to Private using the Change access level option and reload the URL. The request is now refused: anonymous requests to a private blob receive 404 ResourceNotFound rather than 403, so the existence of the blob is not even confirmed to the caller. Disabling anonymous access at the storage account level overrides every container setting and is the recommended end state; anonymous requests then receive 409 PublicAccessNotPermitted.
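The container test above done from Azure PowerShell, followed by the account-level hardening step and a repeat of the anonymous request to show it now fails. This is an added example and not part of the original manual; it assumes the Az module, an authenticated session, a resource group created in Experiment 1.1, and that the storage account and container names are lab choices. The uploaded file is a constructed sample, not an image from the lab.

```powershell
# Added example (not from the lab manual): reproduce the public-container test
# with Azure PowerShell, then harden the account and show the same URL fails.
# Assumes: Az module, Connect-AzAccount done, resource group $rgName exists.
# $acct and $container are assumed lab names; sample.txt is constructed content.
$rgName    = 'rg-csb436-lab1'
$acct      = 'csb436lab' + (Get-Random -Maximum 99999)   # globally unique, lowercase
$container = 'public-test'

# 1. Create the account with anonymous blob access ALLOWED, purely so the
#    experiment can be reproduced. New accounts default to disallowing it.
New-AzStorageAccount -ResourceGroupName $rgName -Name $acct -Location 'centralindia' `
                     -SkuName Standard_LRS -Kind StorageV2 `
                     -AllowBlobPublicAccess $true | Out-Null
$ctx = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $acct).Context

# 2. A container at Blob level (anonymous read of blobs, no listing) and a sample blob.
New-AzStorageContainer -Name $container -Permission Blob -Context $ctx | Out-Null
$sample = (New-TemporaryFile).FullName
Set-Content -Path $sample -Value 'constructed sample content'
Set-AzStorageBlobContent -File $sample -Container $container -Blob 'sample.txt' -Context $ctx -Force | Out-Null

# 3. Anonymous fetch with no credentials at all: succeeds while the container is public.
$url = "https://$acct.blob.core.windows.net/$container/sample.txt"
function Test-AnonymousRead([string] $Uri) {
    try   { (Invoke-WebRequest -Uri $Uri -UseBasicParsing).StatusCode }
    catch { $_.Exception.Response.StatusCode.value__ }
}
"Public container:  HTTP $(Test-AnonymousRead $url)"     # expect 200

# 4. Harden at the account level. This overrides every container's own setting,
#    so a future "Change access level" by another user no longer matters.
Set-AzStorageAccount -ResourceGroupName $rgName -Name $acct -AllowBlobPublicAccess $false | Out-Null
Start-Sleep -Seconds 30                                   # the change can take a moment to apply
"After hardening:   HTTP $(Test-AnonymousRead $url)"     # expect 409 (PublicAccessNotPermitted)

# 5. Drift check: list any container still flagged public. With the account
#    setting off this is informational, but it shows what would be exposed if
#    someone re-enabled anonymous access on the account.
Get-AzStorageContainer -Context $ctx |
    Select-Object Name, PublicAccess
```

Test-AnonymousRead is a tiny helper written for this example. Note that the hardened request is refused with 409 rather than 404: the account-level setting is checked before the container's ACL, which is why it is the stronger control.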
EXPERIMENT 2.1

Mapped Course Outcomes: CO2

CO2: Implement perimeter security strategies including Azure Firewall.

Aim:- To implement the concept of Network Security Groups and Application Security Groups.

Procedural Steps:-

• Log in to the Azure Portal
• Create a Virtual Network and the Primary Subnet
• Create the Secondary Subnet
• Create and Associate a Network Security Group

Additional Resources

As an Azure user, you want to use the Azure Portal to create and use your first virtual network. To do this, you will log in to the Azure Portal and create a virtual network, subnets, and a network security group. You have been provided instructions for this lab. Follow these steps to create and use your first Azure virtual network.

Log in to the Azure Portal

Log in to the Azure Portal with the credentials provided on the lab page to begin the process of creating a virtual network.

Create a Virtual Network and the Primary Subnet

1. The Azure Portal opens on the overview page for the resource group created when your lab environment was initiated. Look for the "Location" of your resource group and note the region. Use that region when you create your other resources.
2. On the Create virtual network page, configure the following settings:
   ▪ Resource group: Select the pre-provisioned resource group from the dropdown.
   ▪ Name: Enter "VNET1".
   ▪ Region: Use the same region as your resource group.
3. Delete the existing address range, then set the address space to 10.0.0.0/24.
4. Create the subnet:
   ▪ Name: Enter "default".
   ▪ Address range: Enter "10.0.0.0/25".

Create the Secondary Subnet

1. Use the Azure Portal to create a second subnet.
2. Create the second subnet with an address range of 10.0.0.128/25 and a name of "SubnetA". Together the two /25 subnets use the whole /24 address space. Azure reserves the first four addresses and the last address of every subnet, so each /25 provides 123 usable addresses.

Create and Associate a Network Security Group

1. Use the Azure Portal to create a new network security group named "NSG1" in the same region as your resource group.
2. Associate the network security group with both subnets, "default" and "SubnetA".

Creating Azure Virtual Networks

Introduction

In this hands-on lab, we use the Azure Portal to create and use a virtual network. We log in to the Azure Portal and use it to create a virtual network, subnets, and a network security group. After completing this hands-on lab, you will have gained the experience required to create and use your first virtual network using the Azure Portal.

Solution

Log in to the Azure Portal

Log in to the Azure Portal with the credentials provided on the lab page to begin the process of creating a virtual network.

Create a Virtual Network and the Primary Subnet

1. The Azure Portal opens on the overview page for the resource group created when your lab environment was initiated. Look for the "Location" of your resource group and note the region. Use that region when you create your other resources.
2. Select + Create and enter "Virtual Networks" in the search box.
3. In the search results, select Virtual networks under the Services category.
4. Click the blue Create virtual network button at the bottom of the page.
5. On the Create virtual network page, configure the following settings:
   ▪ In Resource group, select the pre-provisioned resource group from the dropdown.
   ▪ In Name, enter "VNET1".
   ▪ In Region, select the same region as the resource group.
6. Click the IP Addresses tab at the bottom.
7. Delete the existing range, then set the address space to 10.0.0.0/24.
8. You may have a default subnet already created. If not, create a new subnet by clicking the + Add subnet button. If one is already created, select "default".
9. In the pane that appears on the right, configure your subnet:
   ▪ In Subnet name, enter "default".
   ▪ In Subnet address range, enter "10.0.0.0/25".
   ▪ Click the blue Add (or Save) button at the bottom.
10. On the Create virtual network page, click Next: Security.
11. Leave these settings at their defaults and click Next: Tags.
12. Click the blue Review + create button.
13. Click the blue Create button.
14. When the deployment is complete, click Go to resource to view the information for this resource.

Create the Secondary Subnet

1. In the menu on the left, click Subnets under Settings.
2. Click + Subnet at the top of the page.
3. In the Add subnet pane, configure the following settings:
   ▪ In Name, enter "SubnetA".
   ▪ In Address range, enter "10.0.0.128/25".
   ▪ Leave everything else at the defaults.
4. Click the Save button.

Create and Associate a Network Security Group

Create a new network security group

1. Type "Network security group" into the search bar at the top.
2. Click Network security groups under Services.
3. Click the Create network security group button at the bottom of the Network security groups page.
4. On the Create network security group page, configure the following settings:
   ▪ In Resource group, select the pre-provisioned resource group from the dropdown.
   ▪ Name: NSG1
   ▪ Region: select the same region as the resource group.
5. Click the Review + create button.
6. Click the Create button.
7. When the deployment is complete, click the Go to resource button.
8. In the menu on the left, under the Settings section, click Subnets.
9. Click the + Associate button.
10. In the Associate subnet pane, configure the following settings:
   ▪ In Virtual network, select VNET1.
   ▪ In Subnet, select default.
11. Click the blue OK button at the bottom.

Attach the Security Group to the Secondary Subnet

1. Type "virtual networks" into the search bar at the top.
2. Click Virtual networks under Services.
3. Click VNET1 to open the virtual network.
4. In the menu on the left, under Settings, click Subnets.
5. Click SubnetA to open the subnet's configuration pane on the right.
6. Under Network security group, select NSG1 from the dropdown menu.
7. Click the blue Save button.
8. Refresh the Subnets page by clicking the Refresh button. Both subnets should now have the NSG1 security group attached.
9. Launch a virtual machine in the subnet you created and attach the security group you created to it. An NSG can be associated with a subnet, with a network interface, or with both; when both are present, inbound traffic must be allowed by the subnet NSG first and then by the NIC NSG.
10. Set inbound and outbound rules in the security group and check connectivity to your virtual machine. Rules are evaluated in priority order (lowest number first) and the first match wins. A new NSG contains only the default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500, and the matching outbound set), so nothing from the internet is allowed in until you add a rule. Add an inbound rule allowing TCP 3389 from your own public IP address only, confirm that RDP works from your machine, and confirm from another address (or by temporarily changing the rule's source) that it does not. Never allow 3389 from Any or the Internet service tag.
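The NSG of this experiment built with Azure PowerShell, extended with an application security group (the second half of the experiment's aim), the effective-rule listing, and the connectivity check from step 10. This is an added example, not part of the original manual; it assumes the Az module, an authenticated session, that VNET1 with subnets "default" and "SubnetA" already exists in the resource group as created above, that the lab VM from Experiment 1.1 is named vm1 with a single NIC, and that the administrator's public IP address is a lab value.

```powershell
# Added example (not from the lab manual): NSG1 with least-privilege RDP rules,
# an application security group, subnet association, effective rules, and a
# connectivity test. Assumes: Az module, Connect-AzAccount done, VNET1 with
# subnets "default" and "SubnetA" in $rgName, a VM named vm1 with one NIC.
# $adminIp is an assumed workstation address (RFC 5737 documentation range).
$rgName   = 'rg-csb436-lab1'
$location = 'centralindia'
$adminIp  = '203.0.113.10'

# 1. An ASG lets rules target "the RDP hosts" as a group instead of by IP address.
$rdpHosts = New-AzApplicationSecurityGroup -ResourceGroupName $rgName -Name 'asg-rdp-hosts' -Location $location

# 2. Rules. Lower priority number is evaluated first and the first match wins;
#    the built-in DenyAllInBound at 65500 catches everything else. An "allow 3389
#    from Internet" rule would sit in front of it and expose the VM to password
#    spraying, which is exactly what these two rules prevent.
$allowRdpFromAdmin = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' `
    -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $adminIp -SourcePortRange * `
    -DestinationApplicationSecurityGroup $rdpHosts -DestinationPortRange 3389

$denyRdpInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Internet' `
    -Priority 200 -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name 'NSG1' -Location $location `
    -SecurityRules $allowRdpFromAdmin, $denyRdpInternet

# 3. Associate the NSG with both subnets (steps 9-11 and the "Attach" section above).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name 'VNET1'
foreach ($name in 'default', 'SubnetA') {
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $name -VirtualNetwork $vnet
    Set-AzVirtualNetworkSubnetConfig -Name $name -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Put the lab VM's NIC into the ASG so the allow rule applies to it.
$nic = Get-AzNetworkInterface -ResourceGroupName $rgName | Where-Object { $_.VirtualMachine.Id -like '*/vm1' }
$nic.IpConfigurations[0].ApplicationSecurityGroups = @($rdpHosts)
$nic | Set-AzNetworkInterface | Out-Null

# 5. What actually applies on the NIC: subnet NSG plus NIC NSG plus default rules,
#    in evaluation order. The VM must be running for this call to succeed.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rgName |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Sort-Object Priority |
    Select-Object Name, Priority, Direction, Access, DestinationPortRange

# 6. Connectivity check from the admin workstation: TcpTestSucceeded is True from
#    $adminIp and False (timeout) from any other address; run the same line from
#    a second network to see the deny rule in action.
$publicIp = (Get-AzPublicIpAddress -ResourceGroupName $rgName |
             Where-Object { $_.IpConfiguration.Id -like "*$($nic.Name)*" }).IpAddress
Test-NetConnection -ComputerName $publicIp -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The deny rule at priority 200 is technically redundant with DenyAllInBound, but it documents intent and survives someone later adding a broad allow rule at a priority between 200 and 65500.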
Experiment 2.2

Mapped Course Outcomes: CO3

CO3: Implement container security strategies including Azure Container Instances, Azure Container Registry, and Azure Kubernetes Service.

Aim:-

To configure Azure Private Link for Blob Storage, so that a virtual machine reaches a storage account over a private IP address instead of the public endpoint.

Procedure Steps:-

Configure Azure Private Link for Blob Storage

A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network: traffic between the VM and the storage account stays on the Microsoft backbone and never traverses the public internet.

Additional Resources

You work in the security operations team for a company. The company hosts several solutions within Azure. One of these solutions stores confidential information in Azure Blob storage. You have been tasked with configuring Azure Private Link to ensure that a virtual machine within this solution accesses the Blob storage container using a private IP address.

Configure a Private Endpoint for Blob Storage

Solution:

Log in to the Azure portal.

Configure a Private Endpoint for Blob Storage

1. Begin on the resource group Overview page. Under Resources, select the storage account created in the previous experiment.
2. From the left-side menu, under Settings, select Networking.
3. On the Networking page, select the Private endpoint connections tab.
4. Click + Private endpoint to create a new private endpoint.
5. On the Basics tab, set the following parameters:
   ◦ Subscription: Select the subscription
   ◦ Resource Group: Select the existing resource group
   ◦ Name: privateendpoint1
   ◦ Region: Select the same region as the virtual network
6. Click Next: Resource.
7. On the Resource tab, set the following parameter:
   ◦ Target sub-resource: blob (each storage service, such as blob, file, queue or table, needs its own private endpoint)
8. Click Next: Configuration.
9. On the Configuration tab, set the following parameters:
   ◦ Virtual network: vnet1
   ◦ Subnet: subnet1
   ◦ Private DNS integration: Leave this section as-is. The default (Yes, with the privatelink.blob.core.windows.net zone linked to the virtual network) is what makes the storage account's public name resolve to the private IP from inside the VNet; without it the endpoint exists but nothing uses it.
10. Click Next: Tags, then Next: Review + create, and then Create. Note that the deployment can take some time to complete.

Verify the Private Endpoint from VM1

To complete this section, you will need an RDP client to connect to the Windows server.
Test the Private Endpoint

1. After the endpoint is created, click Home in the top navigation, and click on the existing storage account.
2. From the left-side menu, under Settings, click Endpoints.
3. Copy the Blob service FQDN, without the https:// or trailing slash (e.g., azurelalab123.blob.core.windows.net). Keep this value handy for the following steps.
4. On your local machine, open a terminal session.
5. Run nslookup followed by the FQDN you copied. From outside the virtual network the name resolves to a public IP address.

Connect to VM1 using RDP

1. Go back to the Home page in the Azure portal.
2. At the top, select the Virtual machines tile.
3. Select vm1, select Connect, then RDP. Select Download RDP File to connect directly with the RDP file.

Note: You may choose to copy the public IP address and connect via RDP manually with your RDP client, instead of using the RDP file. To do this, open your preferred RDP client, then enter rdp:// followed by the public IP found in your lab credentials for vm1.

4. Connect to the virtual machine using the credentials provided for vm1 on the lab page.
5. In the RDP session, close the Server Manager page.

Verify the Private Endpoint from VM1

1. Right-click the Start menu, and then choose Run.
2. Type cmd and press Enter.
3. Run the same nslookup test with the FQDN you copied earlier. This time the answer is a private IP address from the virtual network (for example 10.1.1.5), which shows that the VM reaches Blob Storage over the private endpoint. The nslookup output also shows the CNAME chain: the public name points to <account>.privatelink.blob.core.windows.net, which the linked private DNS zone resolves to the endpoint's address. You can additionally upload and download a file with Storage Explorer and confirm with netstat that the established connection is to the private IP.

A private endpoint alone does not close the public path: the account is still reachable from the internet by anyone holding an account key or SAS token until Public network access is set to Disabled (or restricted to selected networks) on the storage account's Networking page. Do this as the final step of the experiment.
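The verification above in PowerShell, with a check that classifies the resolved address as private or public, a TCP-level confirmation, and the hardening step that closes the public endpoint. This is an added example and not part of the original manual; it assumes the Az module, an authenticated session, the storage account name from the FQDN example above, and that Resolve-DnsName and Test-NetConnection (Windows PowerShell cmdlets) are run inside the RDP session on vm1. Test-PrivateIPv4 is a small helper written for this example.

```powershell
# Added example (not from the lab manual): check the private endpoint from the
# VM, then close the public path, which the private endpoint alone does not do.
# Assumes: Az module, Connect-AzAccount done; $rgName and $acct are assumed lab
# values; steps 1-2 run on vm1, step 3 from any authenticated session.
$rgName = 'rg-csb436-lab1'
$acct   = 'azurelalab123'
$fqdn   = "$acct.blob.core.windows.net"

# Helper: is the address inside an RFC 1918 range (i.e. one the VNet could own)?
function Test-PrivateIPv4([string] $Ip) {
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 1. DNS view. With private DNS integration the public name resolves through a
#    CNAME to <acct>.privatelink.blob.core.windows.net and then to the endpoint's
#    private IP; from the internet the same name resolves to a public Azure IP.
$answers = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
$answers | Select-Object Name, Type, NameHost, IPAddress
$ipv4 = ($answers | Where-Object { $_.Type -eq 'A' }).IPAddress
foreach ($ip in $ipv4) {
    if (Test-PrivateIPv4 $ip) { "$fqdn -> $ip (private: traffic stays on the VNet)" }
    else                      { "$fqdn -> $ip (PUBLIC: private DNS integration is not in effect)" }
}

# 2. Transport view: the TCP connection really goes to the private address.
Test-NetConnection -ComputerName $fqdn -Port 443 |
    Select-Object RemoteAddress, TcpTestSucceeded

# 3. Hardening: disable the public endpoint so the private endpoint is the ONLY
#    route. Until this is done the account is still reachable from the internet
#    by anyone holding an account key or SAS token.
Set-AzStorageAccount -ResourceGroupName $rgName -Name $acct -PublicNetworkAccess Disabled | Out-Null
(Get-AzStorageAccount -ResourceGroupName $rgName -Name $acct).PublicNetworkAccess
```

After step 3, repeat the nslookup from your local machine: the name still resolves to a public address, but any request to it is refused, while the VM continues to work through the private endpoint.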

Further Reading:-

1. T1 Mark Lutz 2013, Learning Python, O'Reilly Media [ISBN: 9781449355739]

2. T2 Rytis Sileika 2014, Pro Python System Administration, Apress [ISBN: 9781484202180]

Research Articles:-

1. https://www.researchgate.net/publication/221610488_Application_of_Software_Engineering_Fundamentals_A_Hands_on_Experience

Experiment 2.3

Mapped Course Outcomes-CO2

CO2 : Implement perimeter security strategies including Azure Firewall

Aim:-

To configure and secure ACR and AKS

Procedure Steps:-

• Creating Cosmos DB

1. Select Cosmos DB.

2. Select the API option. (API stands for Application Programming Interface; this is the kind
of interface your program or application needs from Cosmos DB.)

I have selected Core (SQL), which is a SQL-type base that is sort of a traditional database-
type interface.

There are others that you can choose from as well.

3. Creating an Azure Cosmos DB account for Core (SQL).

• Create a new resource group, then click OK.

• Give it an account name (the Cosmos DB account name, like other resource names on
Azure, must be unique, because that name is used directly in a URL to access the data
from the outside).
• Choose a location.
• Choose a capacity mode, and apply the free tier discount. Make sure the free tier
discount is selected; only one Cosmos DB account per subscription can have the free tier.
• The next step is Global Distribution (one of the absolute benefits of Cosmos DB is that
it is globally scaled and distributed). For now we just go with the default; you can
change this later on as well.
• Networking is how you want the data to be accessed. Public IP access, service
endpoints and private endpoints are all allowed in this particular case.
• Backup policies (default).
• Next is encryption (service-managed).

This is how you want the data stored in Cosmos DB to be encrypted: do you want the
service itself to manage the key (service-managed), or do you want to provide a
customer-managed key, i.e. a key that you supply yourself?

• Then go to Review + Create to create the Cosmos DB account.
• Click Create when the validation is successful.

Go to the resource and open Quick Start.

You need something in Cosmos DB before you can use it: you can either add a container,
or download and run the sample .NET app.

Once a container is created, you can download the sample .NET app that connects
directly to it.

• Go to Overview.
• Add a container.
• Create a new Database ID here; that is our Database ID.

The RU/s (request units per second) value is how you specify how powerful the database
is and how many queries you can run against it, and it is also how the cost is estimated.

You can read up on RU/s on your own, but be aware that when you see RU/s, it means
how much you are paying for the database and how much you can do with it.

• Give it a Container ID (cosmosdemo). Then we have a partition key; copy it and
follow along.

The partition key (an ordered set of one or more columns in a table) here is /userid.

Click OK, and that will create the new container.

You can see the Database ID on the left here in the tree view. If you expand it, you can
see the Container ID.

There it is, cosmosdemo. Within that you can see Items (the items are the entries in the
Cosmos DB database). If you click on that, you can see that there are none yet, so we are
going to create a new item, just so you can see how data is stored.

Cosmos DB is what is called a NoSQL database (not relational), which means that data is
stored as, basically, documents.

• Create a new item or work with existing documents.

You can see a template here that says id: replace_with_new_document_id.

Add the lines below (this is the JSON format):

    {
      "id": "1",
      "content": "This is my first document in CosmosDB"
    }

• Click Save.

When it saves, Cosmos DB adds a whole bunch of other fields whose names start with an
underscore. Those are part of how Cosmos DB indexes and finds the data, so don't mess
with them; just leave them as they are. They are part of how Cosmos DB works.

So we've now created a database, a container, and an item in that container for Cosmos
DB data.
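As an added example (not code from the lab manual), the following Python helper checks an item against the rules this section describes before it is saved: id must be a string, the partition key path (/userid in this lab) must be present, and the underscore-prefixed system fields are Cosmos DB's to set. The sample item extends the lab's first document with a constructed userid value.

```python
"""Added example (not from the lab manual): validate a Cosmos DB item using the
rules described in the text. The sample item and its userid are constructed."""
import json

PARTITION_KEY_PATH = "/userid"   # the partition key chosen in this lab

# The lab's first document, with the partition key property added (constructed)
SAMPLE_ITEM = json.loads("""
{
  "id": "1",
  "userid": "alice",
  "content": "This is my first document in CosmosDB"
}
""")


def partition_key_value(item, path=PARTITION_KEY_PATH):
    """Resolve a partition key path such as /userid (or a nested path such
    as /address/city) against the item. Returns None if a segment is missing."""
    node = item
    for segment in path.strip("/").split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def item_problems(item, pk_path=PARTITION_KEY_PATH):
    """Return the reasons the item should not be saved as-is (empty if OK)."""
    problems = []
    if not isinstance(item.get("id"), str) or not item["id"]:
        problems.append("'id' must be a non-empty string")
    if partition_key_value(item, pk_path) is None:
        problems.append(f"partition key {pk_path} is missing")
    # Fields starting with '_' (for example _rid or _ts) are added by the
    # service when the item is saved, so a client must not set them itself.
    reserved = sorted(key for key in item if key.startswith("_"))
    if reserved:
        problems.append("system fields must not be set by the client: "
                        + ", ".join(reserved))
    return problems


if __name__ == "__main__":
    print(item_problems(SAMPLE_ITEM))   # []
    print(item_problems({"id": 1}))     # two problems reported
```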

Now the real power of Cosmos DB is not that it is a document database; it is that it has
geographical redundancy.

On the left here you have Replicate Data Globally. Click on that, and with the click of a
button we can get data all over the world.

You can see a nice little map with the current region, and you can start adding regions
wherever you want the data.

• You can also enable Multi-region writes. This means that you can now write to any of
these data centers or regions, and the data is automatically replicated across all of
your regions in Cosmos DB, so customers closer to those regions wait less for the
data.

But you pay 4 times as much as before, and free tiers do not support Multi-region
writes.

NOTE: Do not Forget to Delete All your Resources.

Experiment 3.1

Mapped Course Outcomes-CO5

CO5 Design and develop complex scripts to automate the development and operations of
an organisation.

Theory:

Azure Key Vault is a cloud service that provides a secure store for secrets. You can
securely store keys, passwords, certificates, and other secrets. Azure key vaults may be
created and managed through the Azure portal. In this quickstart, you create a key vault,
and then use it to store a secret.

Steps:
1. To create a key vault in Azure, type Key Vault in the search bar and go to Key Vaults.

2. Create a new resource group.

3. Choose a region and a pricing tier: Standard, which is usually the one you would use for
most purposes, or Premium, which adds support for HSM-backed keys (keys protected by a
hardware security module, so the hardware itself secures the key rather than only Azure
software; you pay a bit more for that). Leave the rest as default. Click Next.

4. Access policies (a core part of what Azure Key Vault is about).

You have a secret, and access policies are how you secure it: they define who can
access it. (Leave it as default.)

5. Azure is going to have access to 9 selected key permissions. There are different
permissions on the keys: Get, List, Update, Create, etc.

6. Leave them as default for now. Click Review and Create.

And once the validation has passed for this key vault, then click Create.

7. Go to your Key Vault and open Secrets.

• Generate a secret.
• Manual or Certificate (Manual is the one we are going to use, where you just enter
the details).
• Certificate lets you upload a certificate that you can then share, for example for
access to things that require a secure certificate.
• Give it a name.
• Value: Type a value for the secret. Key Vault APIs accept and return secret values
as strings.
• Leave the other values at their defaults. Click Create.

We now have a secret. This secret can be shared with users, and you can use access
policies to give access to it.

• It could be a password.
• It could be a connection string to a database.
• It could be many of the things that you want outside parties to have access to.

When they no longer require access, you can remove the access policy for that user.

Experiment 3.2

Mapped Course Outcomes-CO4

CO4 Automate repetitive system administration tasks using an appropriate scripting
language.

AIM:-

Implementation of Azure Monitor

Procedure Steps :-

Using Azure Monitor

Azure Monitor is used to monitor the health and status of your applications and your
infrastructure on Azure. It can also show you how Azure itself is doing: how is the
platform actually performing right now?

The most common types of alert rules in Azure Monitor are metric alerts and log query
alerts.

Metric alert rules are useful for alerting when a particular metric exceeds a threshold. An
example is when the CPU of a machine is running high. The target of a metric alert rule
can be a specific machine, a resource group, or a subscription. In this instance, you can
create a single rule that applies to a group of machines.

Log alerts can measure two different things which can be used to monitor virtual
machines in different scenarios:

• Result count: Counts the number of rows returned by the query, and can be used
to work with events such as Windows event logs, syslog, application exceptions.
• Calculation of a value: Makes a calculation based on a numeric column, and can
be used to include any number of resources. For example, CPU percentage. You can
monitor multiple instances’ values with one rule using dimensions. You would use
dimensions if, for example, you want to monitor CPU usage on multiple instances
running your web site or app for CPU usage over 80%.

Step 1: Go to Alert -> Create New alert rule.

Step 2: Select the source ( It could be of any type : Application, Operating System, Azure
Resources, Subscription, Tenant or custom resources)

Step 3: Resource: Select the resource as your virtual machine (Make sure you have at
least one VM running).

Step 4: Select the location, you can also customize filters accordingly.

Step 5: Condition: Configure the signal logic (CPU utilization, memory percentage, logical
disk used, network interface bytes received, etc.), choosing whichever signal you want to
trigger an alert on.

Step 6: Action: Create an action group -> give it a name (Notify me) -> action name (Email,
SMS, any type) -> action type (mail, SMS).

Step 7: Select the Alert Rule name, give it a description, and select the severity.

Try to put some CPU load on your machine and check the alerts.
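As an added example (not code from the lab manual), the following Python code evaluates the two log-alert measurements described above and the CPU-threshold condition configured in the steps, over constructed sample query results; the computer names and values are made up.

```python
"""Added example (not from the lab manual): evaluate Azure Monitor style alert
conditions over constructed sample query results."""
from collections import defaultdict
from statistics import mean

# Constructed sample: rows a log query on the CPU percentage counter might
# return for three instances of the same web app (two samples each)
CPU_ROWS = [
    {"computer": "web-1", "cpu_percent": 91.0},
    {"computer": "web-1", "cpu_percent": 88.0},
    {"computer": "web-2", "cpu_percent": 35.0},
    {"computer": "web-2", "cpu_percent": 42.0},
    {"computer": "web-3", "cpu_percent": 79.0},
    {"computer": "web-3", "cpu_percent": 84.0},
]

# Constructed sample: rows a query over application exception logs might return
EXCEPTION_ROWS = [
    {"computer": "web-1", "message": "Unhandled exception in request"},
    {"computer": "web-1", "message": "Unhandled exception in request"},
    {"computer": "web-2", "message": "Unhandled exception in request"},
]


def result_count_alert(rows, threshold):
    """'Result count' measurement: fire when the query returns more rows than
    the threshold (events such as application exceptions or syslog entries)."""
    return len(rows) > threshold


def value_alert_by_dimension(rows, dimension, column, threshold, aggregate=mean):
    """'Calculation of a value' measurement with a dimension: aggregate the
    numeric column per dimension value (here per computer) and return the
    instances whose aggregate exceeds the threshold. One rule covers every
    instance, which is what dimensions give you."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[dimension]].append(row[column])
    return sorted(name for name, values in groups.items()
                  if aggregate(values) > threshold)


if __name__ == "__main__":
    print(result_count_alert(EXCEPTION_ROWS, 2))                              # True
    print(value_alert_by_dimension(CPU_ROWS, "computer", "cpu_percent", 80))  # ['web-1', 'web-3']
```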

Related links and references

1. Version Control with Git 2e: Powerful Tools and Techniques for Collaborative Software
Development, Jon Loeliger, Matthew McCullough

Experiment 3.2

CO3: Implement container security strategies including Azure Container Instances, Azure
Container Registry, and Azure Kubernetes.
CO5: Implement storage security strategies including shared access signatures, blob retention
policies, and Azure Files authentication.

AIM:- Working with Pricing Calculator

The process steps:-

Pricing Calculator

Step 1: Select a product to include in your estimate.

Step 3: Select your estimate

Step 4: You can also choose a support level, let's say Standard.

Now you will get an estimated value and you can save it, and export it.

Marks (Group A and B)
MST Practical Questions:

Question 1: Use the Azure Portal to create and connect to an Azure virtual machine.

a. log in to the Azure Portal and create a Windows virtual machine.

b. Then, connect to the virtual machine via RDP.

c. Finally, use the Azure Portal to stop the virtual machine.

Question 2: Create and Manage Azure AD Users and Groups in the Portal.

a. Create 2 different Groups for the Development and Support Team.


b. Invite the users and add them to the particular Groups as per your requirement.
Question 3: Deploy your own HTML Web application using Azure cloud.

Final Practical

Problem statement 1: a) Launch a Windows type virtual Machine.

b) Create an Azure Monitor service on your virtual machine with CPU Utilization as the metric.

c) Increase the CPU utilization on your VM and show the numeric graph using Azure Monitor.

Problem Statement 2: a) Create a virtual network, subnets, and a network security group.

b) Launch a VM in each subnet.

c) What will happen when you Allow and Deny the ssh port on the machine? Demonstrate.

Problem statement 3: a) Create a Storage Account and check the public and protected access of a container by uploading a file.

b) Configure Azure Private Link for Private Blob Storage.

Problem Statement 4: Show Multi-Region Replication of data with the help of Cosmos DB.

Problem statement 5: Create a Resource Group in Azure and Deploy a Virtual Machine.

Problem Statement 6: Working on Azure Active Directory

1. Create a user.

2. Delete user.

3. Assign Role to user.

4. Remove role from a user.

Problem Statement 7: Deploy a Web Application (Any HTML Page) using Azure Web App Service.

Problem Statement 8: Create a Storage Account in Azure and upload a file using blob-type storage in a container to check the
public access.
