AZ-900 Labs

Create a virtual machine in the portal (10 min)
In this walkthrough, we will create a virtual machine in the Azure portal, connect to
the virtual machine, install the web server role and test.

Note: Take time during this walk-through to click and read the Informational icons.

Task 1: Create the virtual machine


1. Sign in to the Azure portal: https://portal.azure.com

2. From the All services blade in the Portal Menu, search for and select Virtual
machines, and then click +Add, +Create, +New and choose +Virtual
machine from the drop down.

3. On the Basics tab, fill in the following information (leave the defaults for
everything else):

Settings Values

Subscription Use default supplied

Resource group Create new resource group

Virtual machine name myVM

Region (US) East US

Availability options No infrastructure redundancy options required

Image Windows Server 2019 Datacenter - Gen2

Size Standard D2s v3

Administrator account username azureuser

Administrator account password (type in carefully!) Pa$$w0rd1234

Inbound port rules Allow select ports

Select inbound ports RDP (3389) and HTTP (80)

4. Switch to the Networking tab to ensure HTTP (80) and RDP (3389) are
selected in section Select inbound ports.

5. Switch to the Management tab, and in its Monitoring section, select the
following setting:

Settings Values

Boot diagnostics Disable

6. Leave the remaining values on the defaults and then click the Review +
create button at the bottom of the page.

7. Once Validation is passed click the Create button. It can take anywhere from
five to seven minutes to deploy the virtual machine.

8. You will receive updates on the deployment page and via the Notifications area
(the bell icon in the top menu bar).

Task 2: Connect to the virtual machine


In this task, we will connect to our new virtual machine using RDP (Remote Desktop
Protocol).

1. Click on the bell icon in the upper blue toolbar, and select 'Go to resource'
when your deployment has succeeded.

Note: You could also use the Go to resource link on the deployment page.

2. On the virtual machine Overview blade, click the Connect button and
choose RDP from the drop down.

Note: The following directions tell you how to connect to your VM from a
Windows computer. On a Mac, you need an RDP client such as this Remote
Desktop Client from the Mac App Store and on a Linux computer you can use
an open source RDP client.

3. On the Connect to virtual machine page, keep the default options to
connect with the public IP address over port 3389 and click Download RDP
File. A file will download on the bottom left of your screen.

4. Open the downloaded RDP file (located on the bottom left of your lab
machine) and click Connect when prompted.

5. In the Windows Security window, sign in using the admin credentials you
used when creating your VM: azureuser and the password Pa$$w0rd1234.

6. You may receive a certificate warning during the sign-in process. Click Yes
to create the connection and connect to your deployed VM. You should
connect successfully.

A new Virtual Machine (myVM) will launch inside your Lab. Close the Server Manager
and dashboard windows that pop up (click "x" at top right). You should see the blue
background of your virtual machine. Congratulations! You have deployed and
connected to a Virtual Machine running Windows Server.

Task 3: Install the web server role and test

In this task, install the Web Server role on the Virtual Machine you just created
and ensure the default IIS welcome page will be displayed.

1. In the newly opened virtual machine, launch PowerShell by searching for
PowerShell in the search bar; when found, right-click Windows PowerShell and
choose Run as administrator.

2. In PowerShell, install the Web-Server feature on the virtual machine by
running the following command. (Paste in the command and hit ENTER for the
installation to begin).

Install-WindowsFeature -name Web-Server -IncludeManagementTools

3. When completed, a prompt will state Success with a value True. You do not
need to restart the virtual machine to complete the installation. Close the RDP
connection to the VM by clicking the x on the blue bar at the top center of
your virtual machine. You can also minimize it by clicking the - on the blue bar
at the top center.

4. Back in the portal, navigate back to the Overview blade of myVM, use
the Copy to clipboard button to copy the public IP address of myVM, then
open a new browser tab, paste the public IP address into the URL text box,
and press the Enter key to browse to it.

5. The default IIS Web Server welcome page will be displayed.


Congratulations! You have created a new VM running a web server that is accessible
via its public IP address. If you had a web application to host, you could deploy
application files to the virtual machine and host them for public access on the
deployed virtual machine.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to verify that the deletion completed successfully.

Create a Web App (10 min)
In this walkthrough, we will create a web app that runs a Docker container. The
Docker container contains a Welcome message.

Azure App Service is actually a collection of four services, all of which are built to
help you host and run web applications. The four services (Web Apps, Mobile Apps,
API Apps, and Logic Apps) look different, but in the end they all operate in very
similar ways. Web Apps are the most commonly used of the four services, and this is
the service that we will be using in this lab.

Task 1: Create a Web App


In this task, you will create an Azure App Service Web App.

1. Sign-in to the Azure portal.

2. From the All services blade, search for and select App Services, and click +
Add, + Create, + New

3. On the Basics tab of the Web App blade, specify the following settings
(replace xxxx in the name of the web app with letters and digits such that the
name is globally unique). Leave the defaults for everything else, including the
App Service Plan.

Setting Value

Subscription Use default supplied

Resource Group Create new resource group

Name myDockerWebAppxxxx

Publish Docker Container

Operating System Linux

Region East US

Note: Remember to change the xxxx so that your Web App name is unique.

4. Click Next > Docker and configure the container information.

Setting Value

Options Single container

Image Source Docker Hub

Access Type Public

Image and tag mcr.microsoft.com/azuredocs/aci-helloworld

Note: The startup command is optional and not needed in this exercise.

5. Click Review + create, and then click Create.

Task 2: Test the Web App


In this task, we will test the web app.

1. Wait for the Web App to deploy.

2. From Notifications click Go to resource.

3. On the Overview blade, locate the URL. Copy the URL to the clipboard.

4. In a new browser window, paste the URL and press Enter. The Welcome to
Azure Container Instances! welcome message will be displayed.

5. Switch back to the Overview blade of your web app and scroll down. You will
notice several charts tracking Data In/Out and Requests. If you repeat step 4 a
few times, you should be able to see corresponding telemetry being displayed
in these charts. This includes number of requests and average response time.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.

Congratulations! You have successfully created an Azure App Service.


Deploy Azure Container Instances (10 min)
In this walkthrough we create, configure, and deploy a container by using Azure
Container Instances (ACI) in the Azure Portal. The container is a Welcome to ACI web
application that displays a static HTML page.

Task 1: Create a container instance


In this task, we will create a new container instance for the web application.

1. Sign in to the Azure portal.

2. From the All services blade, search for and select Container instances and
then click + Add, + Create, + New.

3. Provide the following Basic details for the new container instance (leave the
defaults for everything else):

Setting Value

Subscription Use default supplied

Resource group Create new resource group

Container name mycontainer

Region (US) East US

Image source Docker Hub or other registry

Image type Public

Image mcr.microsoft.com/azuredocs/aci-helloworld

OS type Linux

Size Leave at the default


4. Configure the Networking tab (replace xxxxx with letters and digits such that
the name is globally unique). Leave all other settings at their default values.

Setting Value

DNS name label mycontainerdnsxxxxx

5. Note: Your container will be publicly reachable at
dns-name-label.region.azurecontainer.io. If you receive a DNS name label not
available error message following the deployment, specify a different DNS
name label (replacing the xxxxx) and re-deploy.

6. Click Review and Create to start the automatic validation process.

7. Click Create to create the container instance.

8. Monitor the deployment page and the Notifications page.

Task 2: Verify deployment of the container instance

In this task, we verify that the container instance is running by ensuring that the
welcome page displays.

1. After the deployment is complete, click the Go to resource link on the
deployment blade or the link to the resource in the Notification area.

2. On the Overview blade of mycontainer, ensure your container Status is
Running.

3. Locate the Fully Qualified Domain Name (FQDN).

4. Copy the container's FQDN into a new web browser tab and press Enter. The
Welcome page should display.

Congratulations! You have used Azure Portal to successfully deploy an application
to a container in Azure Container Instances.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.

Create a virtual network (20 min)
In this walkthrough, we will create a virtual network, deploy two virtual machines
onto that virtual network and then configure them to allow one virtual machine to
ping the other within that virtual network.

Task 1: Create a virtual network


In this task, we will create a virtual network.

Note: Before beginning the lab, disable both the public and private firewall in your
machine by opening the Start menu > Settings > Network and Internet > Locate
Windows Firewall

1. Sign in to the Azure portal at https://portal.azure.com

2. From the All services blade, search for and select Virtual networks, and then
click + Add, + Create, + New.

3. On the Basics tab, fill in the following information (leave the defaults for
everything else):

Setting Value

Subscription Leave default provided

Resource Group Create new resource group

Name vnet1

Region (US) East US

4. Click the Review + create button. Ensure the validation passes. Then hit
create to deploy the resource.

Task 2: Create two virtual machines


In this task, we will create two virtual machines in the virtual network.

1. From the All services blade, search for Virtual machines and then click +
Add, + Create, + New, from the drop down select Virtual Machine.

2. On the Basics tab, fill in the following information (leave the defaults for
everything else):

Setting Value

Subscription Use default supplied

Resource group Select default in drop down

Virtual machine name vm1

Region (US) East US

Image Windows Server 2019 Datacenter - Gen2

Username azureuser

Password Pa$$w0rd1234

Public inbound ports Select Allow selected ports

Selected inbound ports RDP (3389)

3. Select the Networking tab. Make sure the virtual machine is placed in
the vnet1 virtual network. Review the default settings, but do not make any
other changes.

4. Click Review + create. After the Validation passes, click Create. Deployment
times can vary but it can generally take between three to six minutes to
deploy.

5. Monitor your deployment but continue on to the next step.

6. Create a second virtual machine by repeating steps 2 to 4 above. Make sure
you use a different virtual machine name, that the virtual machine is in the
same virtual network, and is using a new public IP address:

Setting Value

Resource group Select default in dropdown (same as Task1-3 & Task2-2)

Virtual machine name vm2

Virtual network vnet1

Public IP vm2-ip

7. Wait for both virtual machines to deploy and show a status of Running.

Task 3: Test the connection


In this task, we will test whether the virtual machines can communicate with (ping)
each other. If not, we will install a rule to allow an ICMP connection. Usually ICMP
connections are automatically blocked.

1. From the All resources blade, search for vm1, open its Overview blade, and
make sure its Status is Running. You may need to Refresh the page.

2. On the Overview blade, select Connect and then select RDP from the drop
down.

Note: The following directions tell you how to connect to your VM from a
Windows computer.

3. On the Connect with RDP blade, keep the default options to connect by IP
address over port 3389 and click Download RDP File.

4. Open the downloaded RDP file (located at the bottom left of your VM) and
click Connect when prompted.

5. In the Windows Security window, type the username azureuser and
password Pa$$w0rd1234 and then click OK.

6. You may receive a certificate warning during the sign-in process. Click Yes to
create the connection and connect to your deployed VM. You should connect
successfully. Close the Windows Server and Dashboard windows that pop up.
You should see a Blue Windows background. You are now in your virtual
machine.

Note: In your newly created virtual machine, disable both the public and private
firewall by opening the Start menu > Settings > Network and Internet > Locate
Windows Firewall

7. Open up PowerShell on the virtual machine by clicking the Start button, and
in Search type PowerShell, right click on Windows PowerShell to Run as
administrator.

8. In PowerShell, try to ping vm2 by typing:

ping vm2

9. You should be successful. You have pinged VM2 from VM1.

Congratulations! You have configured and deployed two virtual machines in a
virtual network, and then you were able to connect them.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.

Create blob storage (5 min)
In this walkthrough, we will create a storage account, then work with blob storage
files.

Task 1: Create a storage account


In this task, we will create a new storage account.

1. Sign in to the Azure portal at https://portal.azure.com

2. From the All services blade, search for and select Storage accounts, and then
click + Add, + Create, + New.

3. On the Basics tab of the Create storage account blade, fill in the following
information (replace xxxx in the name of the storage account with letters and
digits such that the name is globally unique). Leave the defaults for everything
else.

Setting Value

Subscription Leave provided default

Resource group Create new resource group

Storage account name storageaccountxxxxx

Location (US) East US

Performance Standard

Redundancy Locally redundant storage (LRS)

4. Note - Remember to change the xxxxx so that it makes a unique Storage
account name

5. Click Review + Create to review your storage account settings and allow
Azure to validate the configuration.

6. Once validated, click Create. Wait for the notification that the account was
successfully created.

7. From the Home page, search for and select Storage accounts and ensure
your new storage account is listed.

Task 2: Work with blob storage


In this task, we will create a Blob container and upload a blob file.

1. Click the name of the new storage account, scroll to the Data storage section
in the left menu, and then click Containers.

2. Click + Container and complete the information. Use the Information icons to
learn more. When done click Create.

Setting Value

Name container1

Public access level Private (no anonymous access)


4. Open a new browser window and search Bing for an image of a flower. Right
click on the image and save it to your VM.

5. Back in the Portal, click on container1 , and then select Upload.

6. Browse for the image file you just saved on your local computer. Select it and
then select upload.

7. Click the Advanced arrow, leave the default values but review the available
options, and then click Upload.

Note: You can upload as many blobs as you like in this way. New blobs will be
listed within the container.

8. Once the file is uploaded, right-click on the file and notice the options
including View/edit, Download, Properties, and Delete.

9. If you have time review the options for Files, Tables, and Queues.

Task 3: Monitor the storage account


1. Return to the storage account blade and click Diagnose and solve problems.

2. Explore some of the most common storage problems. Notice there are
multiple troubleshooters here.

3. On the storage account blade, scroll down to the Monitoring section and
click Insights. Notice there is information on Failures, Performance,
Availability, and Capacity. Your information will be different.

Congratulations! You have created a storage account, then worked with storage
blobs.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.

Create a SQL database (5 min)
In this walkthrough, we will create a SQL database in Azure and then query the data
in that database.

Task 1: Create the database


In this task, we will create a SQL database based on the AdventureWorksLT sample
database.

1. Sign in to the Azure portal at https://portal.azure.com.

2. From the All services blade, search for and select SQL databases, and then
click + Add, + Create, + New.

3. On the Basics tab, fill in this information.

Setting Value

Subscription Use default supplied

Resource group Create new resource group

Database name db1

Server Select Create new (A new sidebar will open on the right)

Server name sqlserverxxxx (must be unique)

Location (US) East US

Authentication method Use SQL authentication

Server admin login sqluser

Password Pa$$w0rd1234

Click OK

5. On the Networking tab, configure the following settings (leave others
with their defaults):

Setting Value

Connectivity method Public endpoint

Allow Azure services and resources to access this server Yes

Add current client IP address No


7. On the Security tab:

Setting Value

Microsoft Defender for SQL Not now

8. Move to the Additional settings tab. We will be using the AdventureWorksLT
sample database.

Setting Value

Use existing data Sample


10. Click Review + create and then click Create to deploy and provision the
resource group, server, and database. It can take approx. 2 to 5 minutes to
deploy.

Task 2: Test the database.


In this task, we will configure the SQL server and run a SQL query.

1. When the deployment has completed, click Go to resource from the
deployment blade. Alternatively, from the All Resources blade, search and
select Databases, then SQL databases, and ensure your new database was
created. You may need to Refresh the page.

2. Click the db1 entry representing the SQL database you created. On the db1
blade click Query editor (preview).

3. Login as sqluser with the password Pa$$w0rd1234.

4. You will not be able to login. Read the error closely and make note of the IP
address that needs to be allowed through the firewall.

5. Back on the db1 blade, click Overview.


6. From the db1 Overview blade, click Set server firewall, located at the top
center of the overview screen.

7. Click + Add client IP (top menu bar) to add the IP address referenced in the
error. (it may have autofilled for you - if not paste it into the IP address fields).
Be sure to Save your changes.

8. Return to your SQL database (slide the bottom toggle bar to the left) and click
on Query Editor (Preview). Try to login again as sqluser with the
password Pa$$w0rd1234. This time you should succeed. Note that it may
take a couple of minutes for the new firewall rule to be deployed.

9. Once you log in successfully, the query pane appears. Enter the following
query into the editor pane.

SELECT TOP 20 pc.Name as CategoryName, p.name as ProductName
FROM SalesLT.ProductCategory pc
JOIN SalesLT.Product p
ON pc.productcategoryid = p.productcategoryid;

10. Click Run, and then review the query results in the Results pane. The query
should run successfully.
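Steps 4 to 8 turn on the server-level firewall: the query editor is refused until the client IP is added, and the "Allow Azure services and resources to access this server" setting chosen in Task 1 is itself stored as a firewall rule. The following is an added example, not part of the original lab, that classifies the rows returned by az sql server firewall-rule list by how many addresses each rule admits. The resource group and server placeholders, the MAX_RANGE variable and the sample rows are assumptions constructed for illustration.

```shell
# Added example: classify Azure SQL server-level firewall rules by breadth.
#
# Live input in Cloud Shell (placeholders; the lab names the server sqlserverxxxx):
#   az sql server firewall-rule list -g <resource-group> -s <server-name> \
#     --query "[].[name,startIpAddress,endIpAddress]" -o tsv | classify_sql_fw_rules
#
# Verdicts:
#   AZURE_SERVICES  start and end are 0.0.0.0: the "Allow Azure services and
#                   resources to access this server" setting, which admits
#                   connections from any Azure resource, not only your own
#   SINGLE_IP       one address, e.g. the rule created by "+ Add client IP"
#   RANGE           more than one address, at most MAX_RANGE addresses
#   TOO_BROAD       more than MAX_RANGE addresses
#   INVALID         a row that does not parse as two IPv4 addresses

# Constructed sample rows: name, startIpAddress, endIpAddress (tab-separated).
sample_sql_fw_rules() {
  printf '%s\t%s\t%s\n' \
    AllowAllWindowsAzureIps 0.0.0.0       0.0.0.0 \
    ClientIPAddress_lab     198.51.100.24 198.51.100.24 \
    office-range            203.0.113.0   203.0.113.255 \
    allow-everything        0.0.0.0       255.255.255.255
}

# Reads tab-separated rules on stdin, prints: verdict, rule name, address count.
# MAX_RANGE (hypothetical tuning knob, default 256) is the widest range that is
# still reported as RANGE rather than TOO_BROAD.
classify_sql_fw_rules() {
  awk -F '\t' -v max="${MAX_RANGE:-256}" '
    # Convert dotted-quad IPv4 to a number; -1 when the text is not four octets.
    function ip2int(ip,   o) {
      if (split(ip, o, ".") != 4) return -1
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    {
      s = ip2int($2); e = ip2int($3)
      if (s < 0 || e < 0 || e < s)  verdict = "INVALID"
      else if (s == 0 && e == 0)    verdict = "AZURE_SERVICES"
      else if (e - s + 1 > max)     verdict = "TOO_BROAD"
      else if (s == e)              verdict = "SINGLE_IP"
      else                          verdict = "RANGE"
      count = (verdict == "INVALID") ? 0 : e - s + 1
      printf "%s\t%s\t%.0f\n", verdict, $1, count
    }'
}

# Stand-alone run over the constructed sample.
sample_sql_fw_rules | classify_sql_fw_rules
```
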

Congratulations! You have created a SQL database in Azure and successfully queried
the data in that database.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.

Implement Azure Functions (5 min)


In this walkthrough, we will create a Function App to display a Hello message when
there is an HTTP request.

Task 1: Create a Function app


In this task, we will create a Function app.

1. Sign in to the Azure portal.

2. In the Search bar at the top of the portal, search for and select Function
App and then, from the Function App blade, click + Add, + Create, + New.

3. On the Basic tab of the Function App blade, specify the following settings
(replace xxxx in the name of the function with letters and digits such that the
name is globally unique and leave all other settings with their default values):

Settings Value

Subscription Keep default supplied

Resource group Create new resource group

Function App name function-xxxx

Publish Code

Runtime stack .NET


Version 3.1

Region East US

4. Note - Remember to change the xxxx so that it makes a unique Function
App name

5. Click Review + Create and, after successful validation, click Create to begin
provisioning and deploying your new Azure Function App.

6. Wait for the notification that the resource has been created.

7. When the deployment has completed, click Go to resource from the
deployment blade. Alternatively, navigate back to the Function App blade,
click Refresh and verify that the newly created function app has
the Running status.

Task 2: Create an HTTP triggered function and test

In this task, we will use the Webhook + API function to display a message when there
is an HTTP request.

1. On the Function App blade, click the newly created function app.

2. On the function app blade, in the Functions section, click Functions and then
click + Add, + Create, + New.

3. An Add function pop-up window will appear on the right. In the Select a
template section click HTTP trigger. Click Add.

4. On the HttpTrigger1 blade, in the Developer section, click Code + Test.

5. On the Code + Test blade, review the auto-generated code and note that the
code is designed to run an HTTP request and log information. Also, notice the
function returns a Hello message with a name.

6. Click Get function URL from the top section of function editor.

7. Ensure that the value in the Key drop-down list is set to default and
click Copy to copy the function URL.

8. Open a new browser tab and paste the copied function URL into your web
browser's address bar. When the page is requested the function will run.
Notice the returned message stating that the function requires a name in the
request body.

9. Append &name=yourname to the end of the URL.

Note: For example, if your name is Cindy, the final URL will resemble the
following:
https://azfuncxxx.azurewebsites.net/api/HttpTrigger1?code=X9xx9999xXXXXX9x9xxxXX==&name=cindy

10. When you hit enter, your function runs and every invocation is traced. To view
the traces, return to the Portal HttpTrigger1 | Code + Test blade and
click Monitor. You can configure Application Insights by selecting the
timestamp and clicking Run query in Application Insights.

Congratulations! You have created a Function App to display a Hello message when
there is an HTTP request.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.

Create a VM with PowerShell (10 min)
In this walk-through, we will configure the Cloud Shell, use Azure PowerShell module
to create a resource group and virtual machine, and review Azure Advisor
recommendations.

Task 1: Configure the Cloud Shell


In this task, we will configure Cloud Shell.

1. Sign in to the Azure portal. You can find your login credentials within the
resources tab (directly next to this Instructions tab!)

2. From the Azure portal, open the Azure Cloud Shell by clicking on the icon in
the top right of the Azure Portal.

3. When prompted to select either Bash or PowerShell, select PowerShell.

4. On the You have no storage mounted screen select Show advanced
settings then fill in the information below

Settings Values

Resource Group Create new resource group

Storage account (Create a new account and use a globally unique name (ex: cloudshellstoragemystorage)) cloudshellxxxxxxx

File share (create new) shellstorage

5. Select Create Storage

Task 2: Create a resource group and virtual machine

In this task, we will use PowerShell to create a resource group and a virtual machine.

1. Ensure PowerShell is selected in the upper-left drop-down menu of the Cloud
Shell pane.

2. Verify your new resource group by running the following command in the
PowerShell window. Press Enter to run the command.

Get-AzResourceGroup | Format-Table

3. Create a virtual machine by pasting the following command into the terminal
window.

New-AzVm `
-ResourceGroupName "myRGPS" `
-Name "myVMPS" `
-Location "East US" `
-VirtualNetworkName "myVnetPS" `
-SubnetName "mySubnetPS" `
-SecurityGroupName "myNSGPS" `
-PublicIpAddressName "myPublicIpPS"

4. When prompted provide the username (azureuser) and the password
(Pa$$w0rd1234) that will be configured as the local Administrator account on
that virtual machine.

5. Once VM is created, close the PowerShell session Cloud Shell pane.

6. In the Azure portal, search for Virtual machines and verify the myVMPS is
running. This may take a few minutes.

7. Access the new virtual machine and review the Overview and Networking
settings to verify your information was correctly deployed.

Task 3: Execute commands in the Cloud Shell

In this task, we will practice executing PowerShell commands from the Cloud Shell.

1. From the Azure portal, open the Azure Cloud Shell by clicking on the icon in
the top right of the Azure Portal.

2. Ensure PowerShell is selected in the upper-left drop-down menu of the Cloud
Shell pane.

3. Retrieve information about your virtual machine including name, resource
group, location, and status. Notice the PowerState is running.

Get-AzVM -name myVMPS -status | Format-Table -autosize

4. Stop the virtual machine using the following command.

Stop-AzVM -ResourceGroupName myRGPS -Name myVMPS

5. When prompted confirm (Yes) to the action. Wait for Succeeded status.

6. Verify your virtual machine state. The PowerState should now be deallocated.
You can also verify the virtual machine status in the portal. Close Cloudshell.

Get-AzVM -name myVMPS -status | Format-Table -autosize

Task 4: Review Azure Advisor Recommendations

Note: This same task is in the Create a VM with Azure CLI lab.

In this task, we will review Azure Advisor recommendations for our virtual machine.

1. From the All services blade, search for and select Advisor.

2. On the Advisor blade, select Overview. Notice recommendations are
grouped by Reliability, Security, Performance, and Cost.

3. Select All recommendations and take time to view each recommendation
and suggested actions.

Note: Depending on your resources, your recommendations will be different.

4. Notice that you can download the recommendations as a CSV or PDF file.

5. Notice that you can create alerts.

6. If you have time, continue to experiment with Azure PowerShell.

Congratulations! You have configured Cloud Shell, created a virtual machine using
PowerShell, practiced with PowerShell commands, and viewed Advisor
recommendations.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.

Create a VM with the CLI (10 min)
In this walk-through, we will configure the Cloud Shell, use Azure CLI to create a
resource group and virtual machine, and review Azure Advisor recommendations.

Task 1: Configure the Cloud Shell


In this task, we will configure Cloud Shell, then use Azure CLI to create a resource
group and a virtual machine.

1. Sign in to the Azure portal.

2. From the Azure portal, open the Azure Cloud Shell by clicking on the icon in
the top right of the Azure Portal.

3. In the Welcome to Azure Cloud Shell dialog, when prompted to select
either Bash or PowerShell, select Bash.

4. A new window will open stating You have no storage mounted.
Select advanced settings.

5. In the advanced settings screen, fill in the following fields, then click Create
Storage:

o Resource Group: Create new resource group

o Storage Account: Create a new account and use a globally unique name
(ex: cloudshellxyzstorage)

o File Share: Create a new one and name it cloudshellfileshare

Task 2: Use CLI to create a virtual machine

In this task, we will use Azure CLI to create a resource group and a virtual machine.

1. Ensure Bash is selected in the upper-left drop-down menu of the Cloud Shell
pane (and if not, select it).

2. Verify the resource group you are using by entering the following command.

az group list --output table

3. In Cloud Shell enter the command below and make sure that each line, except
for the last one, is followed by the backslash (\) character. If you type the
whole command on the same line, do not use any backslash characters. The
password is single-quoted so that Bash does not expand $$ (the process ID of
the shell) inside it.

az vm create \
--name myVMCLI \
--resource-group myRGCLI \
--image UbuntuLTS \
--location EastUS2 \
--admin-username azureuser \
--admin-password 'Pa$$w0rd1234'

Note: If you are using the command line on a Windows computer, replace the
backslash (\) character with the caret (^) character.

Note: The command will take 2 to 3 minutes to complete. The command will
create a virtual machine and various resources associated with it such as
storage, networking and security resources. Do not continue to the next step
until the virtual machine deployment is complete.

4. When the command finishes running, in the browser window, close the Cloud
Shell pane.

5. In the Azure portal, search for Virtual machines and verify that myVMCLI is
running.

Task 3: Execute commands in the Cloud Shell
In this task, we will practice executing CLI commands from the Cloud Shell.

1. From the Azure portal, open the Azure Cloud Shell by clicking on the icon in
the top right of the Azure Portal.

2. Ensure Bash is selected in the upper-left drop-down menu of the Cloud Shell
pane.

3. Retrieve information about the virtual machine you provisioned, including
name, resource group, location, and status. Notice the PowerState is running.

    az vm show --resource-group myRGCLI --name myVMCLI --show-details --output table

4. Stop the virtual machine. Notice the message that billing continues until the
virtual machine is deallocated.

    az vm stop --resource-group myRGCLI --name myVMCLI

5. Verify your virtual machine status. The PowerState should now be stopped.

    az vm show --resource-group myRGCLI --name myVMCLI --show-details --output table

Task 4: Review Azure Advisor Recommendations
In this task, we will review Azure Advisor recommendations.

Note: If you have completed the previous lab (Create a VM with PowerShell), then
you have already performed this task.

1. From the All services blade, search for and select Advisor.

2. On the Advisor blade, select Overview. Notice recommendations are
grouped by Reliability, Security, Performance, and Cost.

3. Select All recommendations and take time to view each recommendation
and suggested actions.

Note: Depending on your resources, your recommendations will be different.

4. Notice that you can download the recommendations as a CSV or PDF file.

5. Notice that you can create alerts.

6. If you have time, continue to experiment with Azure CLI.

Congratulations! You have configured Cloud Shell, created a virtual machine using
Azure CLI, practiced with Azure CLI commands, and viewed Advisor
recommendations.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.
Secure network traffic (10 min)
In this walk-through, we will configure a network security group.

Task 1: Create a virtual machine


In this task, we will create a Windows Server 2019 Datacenter virtual machine.

1. Sign in to the Azure portal.

2. From the All services blade, search for and select Virtual machines, and then
click + Add, + Create, + New Virtual Machine.

3. On the Basics tab, fill in the following information (leave the defaults for
everything else):

Settings                          Values
Subscription                      Use default provided
Resource group                    Create new resource group
Virtual machine name              SimpleWinVM
Region                            (US) East US
Image                             Windows Server 2019 Datacenter Gen 2
Size                              Standard D2s v3
Administrator account username    azureuser
Administrator account password    Pa$$w0rd1234
Inbound port rules                None

4. Switch to the Networking tab, and configure the following setting:


Settings                          Values
NIC network security group        None

5. Switch to the Management tab, and in its Monitoring section, select the
following setting:

Settings                          Values
Boot diagnostics                  Disable

6. Leave the remaining defaults and then click the Review + create button at
the bottom of the page.

7. Once Validation is passed click the Create button. It can take about five
minutes to deploy the virtual machine.

8. Monitor the deployment. It may take a few minutes for the resource group
and virtual machine to be created.

9. From the deployment blade or from the Notification area, click Go to
resource.

10. On the SimpleWinVM virtual machine blade, click Networking, review
the Inbound port rules tab, and note that there is no network security group
associated with the network interface of the virtual machine or the subnet to
which the network interface is attached.

Note: Identify the name of the network interface. You will need it in the next
task.

Task 2: Create a network security group


In this task, we will create a network security group and associate it with the network
interface.

1. From the All services blade, search for and select Network security
groups and then click + Add, + Create, + New.

2. On the Basics tab of the Create network security group blade, specify the
following settings.

Setting                           Value
Subscription                      Use default subscription
Resource group                    Select default from drop down
Name                              myNSGSecure
Region                            (US) East US

3. Click Review + create and then after the validation click Create.

4. After the NSG is created, click Go to resource.

5. Under Settings click Network interfaces and then Associate.

6. Select the network interface you identified in the previous task.

Task 3: Configure an inbound security port rule to allow RDP
In this task, we will allow RDP traffic to the virtual machine by configuring an inbound
security port rule.

1. In the Azure portal, navigate to the blade of the SimpleWinVM virtual
machine.

2. On the Overview pane, click Connect.

3. Attempt to connect to the virtual machine by selecting RDP and downloading
and running the RDP file. By default the network security group does not allow
RDP. Close the error window.

4. On the virtual machine blade, scroll down to the Settings section, click
on Networking, and notice that the inbound rules for the myNSGSecure
(attached to network interface: myVMNic) network security group deny
all inbound traffic except traffic within the virtual network and load balancer
probes.

5. On the Inbound port rules tab, click Add inbound port rule.
Click Add when you are done.

Setting                           Value
Source                            Any
Source port ranges                *
Destination                       Any
Destination port ranges           3389
Protocol                          TCP
Action                            Allow
Priority                          300
Name                              AllowRDP

6. Select Add and wait for the rule to be provisioned, and then try again to RDP
into the virtual machine by going back to Connect. This time you should be
successful. Remember the user is azureuser and the password
is Pa$$w0rd1234.

Task 4: Configure an outbound security port rule to deny Internet access
In this task, we will create a NSG outbound port rule that will deny Internet access
and then test to ensure the rule is working.

1. Continue in your virtual machine RDP session.

2. After the machine starts, open an Internet Explorer browser.

3. Verify that you can access https://www.bing.com and then close Internet
Explorer. You will need to work through the IE enhanced security pop-ups.

Note: We will now configure a rule to deny outbound internet access.

4. Back in the Azure portal, navigate back to the blade of
the SimpleWinVM virtual machine.

5. Under Settings, click Networking, and then Outbound port rules.

6. Notice there is a rule, AllowInternetOutbound. This is a default rule and cannot
be removed.

7. Click Add outbound port rule to the right of the myNSGSecure (attached
to network interface: myVMNic) network security group and configure a
new outbound security rule with a higher priority (a lower priority number
than the default rule) that will deny internet traffic.
Click Add when you are finished.

Setting                           Value
Source                            Any
Source port ranges                *
Destination                       Service Tag
Destination service tag           Internet
Destination port ranges           *
Protocol                          TCP
Action                            Deny
Priority                          4000
Name                              DenyInternet

8. Click Add. Return to the VM you connected to over RDP.

9. Browse to https://www.microsoft.com. The page should not display. You
may need to work through additional IE enhanced security pop-ups.
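
The rule evaluation behind Tasks 3 and 4, as an added example (not part of the original lab and not Azure tooling): a small Python model of how a network security group applies the first matching rule in priority order, using the default rules plus the AllowRDP and DenyInternet rules from this walkthrough. The names Rule, decide and internet_reachable_ports are hypothetical, and service tags are simplified to exact labels.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int      # lower number = evaluated first
    name: str
    direction: str     # "Inbound" or "Outbound"
    protocol: str      # "TCP", "UDP" or "*"
    source: str        # "Any" or a service tag
    destination: str   # "Any" or a service tag
    dest_port: str     # "*" or one port number
    action: str        # "Allow" or "Deny"

# Default rules that Azure adds to every network security group.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Inbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "*", "AzureLoadBalancer", "Any", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Inbound", "*", "Any", "Any", "*", "Deny"),
    Rule(65000, "AllowVnetOutBound", "Outbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Outbound", "*", "Any", "Internet", "*", "Allow"),
    Rule(65500, "DenyAllOutBound", "Outbound", "*", "Any", "Any", "*", "Deny"),
]

# The two rules created in this walkthrough.
ALLOW_RDP = Rule(300, "AllowRDP", "Inbound", "TCP", "Any", "Any", "3389", "Allow")
DENY_INTERNET = Rule(4000, "DenyInternet", "Outbound", "TCP", "Any", "Internet", "*", "Deny")

def decide(rules, direction, protocol, source, destination, port):
    """Return (action, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction
                and r.protocol in ("*", protocol)
                and r.source in ("Any", source)
                and r.destination in ("Any", destination)
                and r.dest_port in ("*", str(port))):
            return r.action, r.name
    return "Deny", "no matching rule"

def internet_reachable_ports(rules, ports, protocol="TCP"):
    """Ports on the VM that a host on the Internet can reach."""
    return [p for p in ports
            if decide(rules, "Inbound", protocol, "Internet", "VirtualNetwork", p)[0] == "Allow"]

if __name__ == "__main__":
    nsg = DEFAULT_RULES + [ALLOW_RDP, DENY_INTERNET]
    print("RDP before AllowRDP:", decide(DEFAULT_RULES, "Inbound", "TCP", "Internet", "VirtualNetwork", 3389))
    print("RDP after AllowRDP: ", decide(nsg, "Inbound", "TCP", "Internet", "VirtualNetwork", 3389))
    print("HTTPS over TCP out: ", decide(nsg, "Outbound", "TCP", "VirtualNetwork", "Internet", 443))
    print("UDP 443 out:        ", decide(nsg, "Outbound", "UDP", "VirtualNetwork", "Internet", 443))
    print("Open to Internet:   ", internet_reachable_ports(nsg, [80, 3389]))
```

The UDP case shows that DenyInternet, being limited to TCP, leaves outbound UDP covered by the default AllowInternetOutBound rule. The last line shows that AllowRDP with Source set to Any leaves port 3389 reachable from every Internet address.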

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.
Manage access with RBAC (5 min)
In this walkthrough, we will assign permission roles to resources and view logs.

Task 1: View and assign roles


In this task, we will assign the Virtual machine contributor role.

1. Sign in to the Azure portal.

2. From the All services blade, search for and select Resource groups, then
click +Add +New +Create.

3. Create a new resource group. Click Create when you are finished.

Setting                           Value
Subscription                      Use default provided
Resource group                    myRGRBAC
Region                            (US) East US

4. Click Review + create and then click Create.

5. Refresh the resource group page and click the entry representing the newly
created resource group.

6. Click on the Access control (IAM) blade, and then switch to the Roles tab.
Scroll through the large number of roles definitions that are available. Use the
Informational icons to get an idea of each role's permissions. Notice there is
also information on the number of users and groups that are assigned to each
role.

7. Switch to the Role assignments tab of the myRGRBAC - Access control
(IAM) blade, click + Add and then click Add role assignment. Search for the
Virtual Machine Contributor role and select it. Switch to the "Members" tab and
set Assign access to: User, group, or service principal. Then click + Select
members, type your name into the pop-up search box, and click 'Select'.
Then click 'Review and Assign'.

Note: The Virtual machine contributor role lets you manage virtual machines,
but not access their operating system or manage the virtual network and
storage account they are connected to.

8. Refresh the Role assignments page and ensure you are now listed as a Virtual
machine contributor.

Note: This assignment does not actually grant you any additional privileges,
since your account already has the Owner role, which includes all privileges
associated with the Contributor role.

Task 2: Monitor role assignments and


remove a role
In this task, we will view the activity log to verify the role assignment, and then
remove the role.

1. On the myRGRBAC resource group blade, click Activity log.

2. Click Add filter, select Operation, and then Create role assignment.

3. Verify the Activity log shows your role assignment.

Note: Can you figure out how to remove your role assignment?
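
The Activity log check from this task, as an added example (not part of the original lab): a Python filter that picks role assignment changes out of exported Activity log records and flags assignments of broad built-in roles. The record layout (operationName.value, status.value, caller, eventTimestamp, properties.requestbody) is an assumption modelled on the JSON returned by az monitor activity-log list; the sample records, the caller and the IDs in them are constructed placeholders.

```python
import json

WRITE = "Microsoft.Authorization/roleAssignments/write"
DELETE = "Microsoft.Authorization/roleAssignments/delete"

# Built-in role definition GUIDs (last segment of a roleDefinitionId).
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
VM_CONTRIBUTOR = "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
BUILTIN_ROLES = {
    OWNER: "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    VM_CONTRIBUTOR: "Virtual Machine Contributor",
}
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def make_record(ts, op, status, role_guid=None):
    """Build one constructed Activity log record (field layout is an assumption)."""
    body = None
    if role_guid:
        body = json.dumps({"Properties": {
            "PrincipalId": "11111111-1111-1111-1111-111111111111",  # placeholder
            "RoleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                "/providers/Microsoft.Authorization/roleDefinitions/" + role_guid}})
    return {"eventTimestamp": ts, "caller": "student@example.com",
            "operationName": {"value": op}, "status": {"value": status},
            "properties": {"requestbody": body}}

SAMPLE_LOG = [  # constructed sample, not real log data
    make_record("2024-01-01T10:00:00Z", WRITE, "Started", VM_CONTRIBUTOR),
    make_record("2024-01-01T10:00:02Z", WRITE, "Succeeded", VM_CONTRIBUTOR),
    make_record("2024-01-01T10:05:00Z", WRITE, "Succeeded", OWNER),
    make_record("2024-01-01T10:09:00Z", DELETE, "Succeeded"),
    make_record("2024-01-01T10:10:00Z", "Microsoft.Storage/storageAccounts/write", "Succeeded"),
]

def parse_request_body(body):
    """Return (role name, principal id) from a role assignment request body."""
    try:
        doc = json.loads(body or "")
    except ValueError:
        return "unknown", "unknown"
    if not isinstance(doc, dict):
        return "unknown", "unknown"
    raw = doc.get("Properties") or doc.get("properties") or {}
    props = {k.lower(): v for k, v in raw.items()}
    guid = str(props.get("roledefinitionid", "")).rsplit("/", 1)[-1].lower()
    return BUILTIN_ROLES.get(guid, guid or "unknown"), props.get("principalid", "unknown")

def role_assignment_changes(records):
    """List completed role assignment creations and removals, oldest first."""
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value")
        # Each operation is logged as Started and again as Succeeded; keep the latter.
        if op not in (WRITE, DELETE) or rec.get("status", {}).get("value") != "Succeeded":
            continue
        role, principal = "n/a", "n/a"
        if op == WRITE:
            role, principal = parse_request_body(rec.get("properties", {}).get("requestbody"))
        findings.append({"time": rec.get("eventTimestamp"), "caller": rec.get("caller"),
                         "change": "assigned" if op == WRITE else "removed",
                         "role": role, "principal": principal,
                         "privileged": role in PRIVILEGED})
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    for change in role_assignment_changes(SAMPLE_LOG):
        print(change)
```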

Congratulations! You created a resource group, assigned an access role to it and
viewed activity logs.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.
Manage resource locks (5 min)
In this walkthrough, we will add a lock to the resource group and test deleting the
resource group. Locks can be applied in a subscription to resource groups, or
individual resources to prevent accidental deletion or modification of critical
resources.

Task 1: Add a Lock to the resource group and test deletion
In this task, we will add a resource lock to the resource group and test deleting the
resource group.

1. Sign in to the Azure portal.

2. In the Azure portal, navigate to the resource group myRGLocks.

3. You can apply a lock to a subscription, resource group, or individual resource
to prevent accidental deletion or modification of critical resources.

4. In the Settings section, click Locks, and then click + Add.

5. Configure the new lock. When you are done click OK.

Setting                           Value
Lock name                         RGLock
Lock Type                         Delete

6. Click Overview and click Delete resource group. Type the name of the
resource group and click OK. You receive an error message stating the
resource group is locked and can't be deleted.

Task 2: Test deleting a member of the resource group
In this task, we will test if the resource lock protects a storage account in the resource
group.

1. From the All services blade, search for and select Storage accounts, and then
click + Add, + Create, or + New.

2. On the Storage Accounts page +Add +New +Create blade, fill in the
following information (replace xxxx in the name of the storage account with
letters and digits such that the name is globally unique). Leave the defaults for
everything else.

Setting                           Value
Subscription                      Select your subscription
Resource group                    myRGLocks
Storage account name              storageaccountxxxx
Location                          (US) East US
Performance                       Standard
Account kind                      StorageV2 (general purpose v2)
Replication                       Locally redundant storage (LRS)
Access tier (default)             Hot

3. Click Review + Create to review your storage account settings and allow
Azure to validate the configuration.

4. Once validated, click Create. Wait for the notification that the account was
successfully created.

5. Wait for the notification that the storage account was successfully created.

6. Access your new storage account and from the Overview pane, click Delete.
You receive an error message stating the resource or its parent has a delete
lock.

Note: Although we did not create a lock specifically for the storage account,
we did create a lock at the resource group level, which contains the storage
account. As such, this parent level lock prevents us from deleting the resource
and the storage account inherits the lock from the parent.
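
The inheritance described in this note, as an added example (not part of the original lab and not Azure tooling): a Python check of which locks block an operation on a resource, given the scope each lock is set on. The function names, the subscription ID placeholder and the second resource group myRGLocksOther are constructed for illustration; the portal's Delete lock type is written as the CanNotDelete level.

```python
# Operations each lock level blocks. The portal's "Delete" lock type is the
# CanNotDelete level; "Read-only" is the ReadOnly level.
LOCK_BLOCKS = {"CanNotDelete": {"delete"}, "ReadOnly": {"delete", "write"}}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = SUB + "/resourceGroups/myRGLocks"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/storageaccountxxxx"
# Constructed neighbour: its group name only starts with "myRGLocks".
OTHER = (SUB + "/resourceGroups/myRGLocksOther"
         "/providers/Microsoft.Storage/storageAccounts/otherxxxx")

# The lock created in Task 1, set on the resource group.
LOCKS = [{"name": "RGLock", "level": "CanNotDelete", "scope": RG}]

def lock_applies(lock_scope, resource_id):
    """True if the lock sits on the resource itself or on one of its parent scopes."""
    scope = lock_scope.rstrip("/").lower()
    target = resource_id.rstrip("/").lower()
    # Compare whole path segments so that myRGLocks does not cover myRGLocksOther.
    return target == scope or target.startswith(scope + "/")

def blocking_locks(locks, resource_id, operation):
    """Names of the locks that stop `operation` ("delete" or "write") on the resource."""
    return [lock["name"] for lock in locks
            if lock_applies(lock["scope"], resource_id)
            and operation in LOCK_BLOCKS[lock["level"]]]

def deletable(resources, locks):
    """Resources that no lock protects against deletion."""
    return [r for r in resources if not blocking_locks(locks, r, "delete")]

if __name__ == "__main__":
    print("Delete storage account:", blocking_locks(LOCKS, STORAGE, "delete"))
    print("Modify storage account:", blocking_locks(LOCKS, STORAGE, "write"))
    print("Not protected:", deletable([STORAGE, OTHER], LOCKS))
    print("After removing the lock:", deletable([STORAGE], []))
```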

Task 3: Remove the resource lock


In this task, we will remove the resource lock and test.

1. Return to the myRGLocks-XXXXXXXX resource group blade and, in
the Settings section, click Locks.

2. Click Delete link to the far right of the myRGLocks-XXXXXXXX entry, to the
right of Edit.
3. Return to the storage account blade and confirm you can now delete the
resource.

Congratulations! You created a resource group, added a lock to resource group and
tested deletion, tested deleting a resource in the resource group, and removed the
resource lock.

Note: To avoid additional costs, you can optionally remove this resource group.
Search for resource groups, click your resource group, and then click Delete
resource group. Verify the name of the resource group and then click Delete.
Monitor the Notifications to see how the delete is proceeding.

Explore Microsoft Compliance Offerings (5 min)
In this walkthrough, we will access Compliance Offerings, the Service Trust Portal
(STP), and Compliance Manager.

Task 1: Access Microsoft Compliance Offerings

1. In a browser, navigate to the Compliance Offerings page.
2. On the Compliance page, notice the offerings are grouped into Global, US
Government, Industry, and Regional.

3. In the Global group, click ISO 27001. Scroll through the information provided.
Scrolling down on the page will take you to a section Compliance offerings
specifically for Azure.

Note: The ISO 27001 Information Security Management Standards page is
typical of the type of compliance information we provide.

Task 2: Access the Service Trust Portal (STP)

1. In a browser, navigate to the Service Trust Portal page.

2. Notice the Audit Reports section. In this section are independent audit
reports for different Microsoft cloud services. If you want to try the
Compliance Manager you will need to log in.

3. It may take a couple of minutes for all the audits to load. You will need to
login to your Microsoft account to view specific reports.

Task 3: Access the Compliance Manager via the Service Trust Portal

The Compliance Manager makes it easy to perform risk assessments of Microsoft's
cloud services. Use Compliance Manager to manage your organization's compliance
activities from implementation to reporting.

1. If your browser window is still open from Task 2, proceed to Step 2. Otherwise,
in a browser, navigate to the Compliance Manager page.

2. Scroll down to Audit Reports. Take a look around.

Congratulations! In this walkthrough, you accessed the Trust Center, Service Trust
Portal (STP), and Compliance Manager.
Use the Pricing Calculator (10 min)
In this walkthrough, we will use the Azure Pricing Calculator to generate a cost
estimate for an Azure virtual machine and related network resources.

Task 1: Configure the pricing calculator


In this task, we will estimate cost of a sample infrastructure by using the Azure
Pricing Calculator.

Note: To create an Azure Pricing Calculator estimate, this walkthrough provides
example configurations for the VM and related resources. Use these example
configurations or provide the Azure Pricing Calculator with details of
your actual resource requirements instead.

1. In a browser, navigate to the Azure Pricing Calculator webpage.

2. To add details of your VM configuration, click Virtual Machines on
the Products tab. Scroll down to view the virtual machine details.

3. Replace Your Estimate and Virtual Machines text with more descriptive
names for your Azure Pricing Calculator estimate and your VM configuration.
This walkthrough example uses My Pricing Calculator Estimate for the
estimate, and Windows VM for the VM configuration.

4. Modify the default VM configuration.

Settings                          Value
Region                            North Europe
Operating System                  Windows
Type                              (OS only)
Tier                              Standard
Instance                          A2: 2 Core(s), 3.5 GB RAM, 135 GB Temporary storage

Note: The VM instance specifications and pricing may differ from those in this
example. Follow this walkthrough by choosing an instance that matches the
example as closely as possible. To view details about the different VM product
options, choose Product details from the More info menu on the right.

7. Set the Billing Option to Pay as you go.

8. In Azure, a month is defined as 730 hours. If your VM needs to be available
100 percent of the time each month, you set the hours-per-month value
to 730. This walkthrough example requires one VM to be available 50 percent
of the time each month.
Leave the number of VMs set at 1, and change the hours-per-month value
to 365.

9. In the Managed OS Disks pane, modify the default VM storage configuration.

Tier            Disk size        Number of disks    Snapshot    Storage transactions
Standard HDD    S30: 1024 GiB    1                  Off         10,000

11. To add networking bandwidth to your estimate, go to the top of the Azure
Pricing Calculator webpage. Click Networking in the product menu on the
left, then click the Bandwidth tile. In the Bandwidth added message dialog,
click View.

12. Add a name for your VM bandwidth configuration. This walkthrough example
uses the name Bandwidth: Windows VM. Modify the default bandwidth
configuration by adding the following details.

Region            Zone 1 Outbound Data Transfer Amount
North Europe      50 GB

14. To add an Application Gateway, return to the top of the Azure Pricing
Calculator webpage. In the Networking product menu, click the Application
Gateway tile. In the Application Gateway message dialog, click View.

15. Add a name for your Application Gateway configuration. This walkthrough
uses the name App Gateway: Windows VM. Modify the default Application
Gateway configuration by adding the following details.

Settings                          Value
Region                            North Europe
Tier                              Basic
Size                              Small
Instances                         1
Hours                             365
Data processed                    50 GB
Zone 1: North America, Europe     50 GB

Task 2: Review the pricing estimate


In this task, we will review the results of the Azure Pricing Calculator.

1. Scroll to the bottom of the Azure Pricing Calculator webpage to view
total Estimated monthly cost.

Note: Explore the various options available within the Azure Pricing Calculator.
For example, this walkthrough requires you to update the currency to Euro.

2. Change the currency to Euro, then select Export to download a copy of the
estimate for offline viewing in Microsoft Excel (.xlsx) format.
Congratulations! You downloaded an estimate from the Azure Pricing Calculator.
