
mcw-enterprise-class-networking's Introduction

Enterprise-class networking in Azure

NOTE: This workshop is archived and no longer being maintained. Content is read-only.

Woodgrove Financial Services has been in business for over 75 years and is a well-known and respected name brand in the financial industry. They are historically risk-averse, and it has served them well, enabling them to weather several financial storms that closed the doors on similarly sized institutions. Woodgrove started in the United States; around 20 years ago, they branched out into the international arena by acquiring a bank headquartered in Mexico City. Today, they have 224 branches in the United States and 64 in Mexico.

Woodgrove is committed to migrating to Microsoft Azure with the goal of modernizing their infrastructure and want to start with designing an enterprise-class network.

December 2022

Target audience

  • Infrastructure Architect
  • IT Professional
  • Cloud Solution Architect

Abstracts

Workshop

In this workshop, you will learn to set up and configure a virtual network with subnets in Azure. You will learn how to secure the virtual network by deploying a network virtual appliance and configuring firewall rules and route tables. Additionally, you will set up access to the virtual network with a jump box and a site-to-site VPN connection.

At the end of the workshop, you will be better able to plan and design virtual networks in Azure with multiple subnets to filter and control network traffic. In addition, you will learn to create a virtual network and provision subnets, create route tables with required routes, build a management jump box, configure firewalls to control traffic flow, and configure site-to-site connectivity.

Whiteboard design session

In this Whiteboard design session, you will look at the process of configuring an enterprise-class network within Azure. Your design will include technologies to connect multiple virtual networks, as well as using capabilities such as routing to deploy network virtual appliances such as firewalls to secure your deployment.

At the end of this whiteboard design session, you will be better able to design solutions using Azure Networking features and capabilities.

Continue to the Whiteboard design session documents folder.

Hands-on lab

In this Hands-on lab, you will set up and configure virtual networks in a secure hub-and-spoke design. You will also learn how to secure virtual networks by implementing Azure Firewall, network security groups and application security groups, as well as configure route tables on the subnets in your virtual network. Additionally, you will set up access to the virtual network via a jump box and provision a site-to-site VPN connection from another virtual network, providing emulation of hybrid connectivity from an on-premises environment.

At the end of this hands-on lab, you will be better able to configure Azure networking components.

Continue to the Hands-on lab documents folder.

Azure services and related products

  • Azure Virtual Machines
  • Azure PowerShell
  • Azure Virtual Networks
  • Azure Bastion
  • Azure Load Balancing
  • Network Virtual Appliances in Azure
  • Azure Site to Site connectivity
  • Azure Site to on-premises connectivity
  • ExpressRoute Global Reach
  • Azure Firewall

Related references

Help & Support

We welcome feedback and comments from Microsoft SMEs & learning partners who deliver MCWs.

Having trouble?

  • First, verify you have followed all written lab instructions (including the Before the Hands-on lab document).
  • Next, submit an issue with a detailed description of the problem.
  • Do not submit pull requests. Our content authors will make all changes and submit pull requests for approval.

If you are planning to present a workshop, review and test the materials early! We recommend at least two weeks prior.

Please allow 5 - 10 business days for review and resolution of issues.

mcw-enterprise-class-networking's People

Contributors

andrewconniff, crpietschmann, daneenec, dawnmariedesjardins, dwnatwick, ferrangrau, gwasham98, hopero929, markpjohnson, microsoftopensource, msftgits, mwasham, paulopsgility, ramazanince, sadukie, v-denisea, waltermyersiii


mcw-enterprise-class-networking's Issues

December Update for review

Suggestions

  • Update screenshots
  • Take advantage of DDoS feature (WDS & Lab)
  • Use Azure Firewall (WDS & Lab)
  • Virtual Network Service Endpoints
  • Update for new features of ExpressRoute (WDS)

Wrong routing information from 'OnPremVNet' to 'WGVNet2'

  • In exercise 8 - Task 2, on the 'on-premises' virtual machine (OnPremVM), unable to connect to 10.8.0.100 by http.

Due to lack of the routing information, asymmetric communication is occurring at 'WGVNet2'.


  1. In exercise 2 - Task 1 we should configure the exchange of routing information as below.
    [VNETPeering_WGVNet1-WGVNet2]Use this virtual network's gateway or Route Server
  2. In exercise 4 - Task 2 we should configure the route to 'OnPremVNet' as below.
    Route name: AppToOnpremises
    Address prefix destination: IP Addresses
    Address prefix: 192.168.2.0/27
    Next hop type: Virtual appliance
    Next hop address: 10.7.1.4 (This is the private IP of Azure Firewall.)
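The two corrections proposed above, as an added Azure PowerShell example (not part of the lab or of this issue). The peering name VNETPeering_WGVNet1-WGVNet2, the on-premises prefix 192.168.2.0/27 and the firewall IP 10.7.1.4 are taken from the issue; the resource group names, the reverse peering name and the route table name are assumptions.

```powershell
# Assumptions: resource group and route table names are placeholders for this example.
$hubRg   = "WGVNet1RG"
$spokeRg = "WGVNet2RG"
$rtName  = "WGAppRT"     # route table associated with AppSubnet in WGVNet2

# 1. Exercise 2 - Task 1: the hub side of the peering must offer its VPN gateway
#    ("Use this virtual network's gateway or Route Server"), and the spoke side must use
#    it. Without this, WGVNet2 never learns the on-premises prefix and the return path
#    from 10.8.0.100 to OnPremVM does not exist, which is the asymmetry the issue reports.
$hubPeer = Get-AzVirtualNetworkPeering -VirtualNetworkName "WGVNet1" `
    -ResourceGroupName $hubRg -Name "VNETPeering_WGVNet1-WGVNet2"
$hubPeer.AllowGatewayTransit  = $true
$hubPeer.AllowForwardedTraffic = $true   # traffic arriving via the firewall is forwarded
Set-AzVirtualNetworkPeering -VirtualNetworkPeering $hubPeer | Out-Null

$spokePeer = Get-AzVirtualNetworkPeering -VirtualNetworkName "WGVNet2" `
    -ResourceGroupName $spokeRg -Name "VNETPeering_WGVNet2-WGVNet1"   # assumed name
$spokePeer.UseRemoteGateways     = $true
$spokePeer.AllowForwardedTraffic = $true
Set-AzVirtualNetworkPeering -VirtualNetworkPeering $spokePeer | Out-Null

# 2. Exercise 4 - Task 2: send AppSubnet traffic for OnPremVNet through Azure Firewall
#    (private IP 10.7.1.4) so that both directions of the flow traverse the same hop.
$rt = Get-AzRouteTable -Name $rtName -ResourceGroupName $spokeRg
$rt | Add-AzRouteConfig -Name "AppToOnpremises" -AddressPrefix "192.168.2.0/27" `
    -NextHopType VirtualAppliance -NextHopIpAddress "10.7.1.4" | Out-Null
$rt | Set-AzRouteTable | Out-Null

# Check: the effective routes on a web server NIC should now list
# 192.168.2.0/27 -> VirtualAppliance 10.7.1.4. Replace the NIC name placeholder.
Get-AzEffectiveRouteTable -NetworkInterfaceName "<WGWEB1-nic-name>" -ResourceGroupName $spokeRg |
    Where-Object { $_.AddressPrefix -contains "192.168.2.0/27" } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```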

Master to main branch rename

@DawnmarieDesJardins Heads up that I'm working on this. Creating this issue so we know what's in store on moving from master to main

  • Update README.md for WDS and HOL documents folder links
  • Update BHOL link to the ZIP file

Creating a Bastion

Hello,

Currently, I am working on Task 1 of Exercise 8 of the MCW lab. I am trying to place the Bastion host on a new AzureBastionSubnet. When I try to provide 10.7.0.0/25 as the subnet address, I receive the following error. I am also alerted that this conflicts with GatewaySubnet (10.7.0.0/29).


Moreover, the guide notes the /25 subnet mask. However, it seems that Azure requires a /27 mask. I created an AzureBastionSubnet with the network address 10.7.3.0/27. Should I proceed down this route and modify the firewall ACLs and route tables accordingly?


Thank you.

Needs significant updating

The HOL needs much updating.

Running the instructions exactly as they are does not lead to a successful lab. The biggest issues in the instructions are:

  • Pre-prepared VM/Azure environment pre-creates RGs in different regions. Some students get Australia East, some get Australia South East. Instructions refer to "South Central".
  • This affects the ARM template provisioning. We had to update the ARM template to not use resourcegroup.getlocation()
  • The Lab doesn't actually have instructions to validate the lab, i.e. jump onto the VM on-prem and browse to the LB.
  • The VNET peering instructions are not complete.
  • The lab is too long - can be optimised. It's challenging to complete within 2.5-3 hours
  1. Instructions updated to not create resource groups if using a pre-provisioned Lab environment.
  2. Update Lab instructions to confirm which region the pre-provisioned Lab VM has deployed resource groups - or change the Cloud Shop ARM template to remove resourcegroup.getlocation().
  3. Update lab scenario text and remove Barracuda firewall. Replace with Azure firewall.
  4. Change 'perimeter' subnet screen shots with AzureFirewall.
  5. Update architecture diagram with Azure Firewall (not VM).
  6. Update architecture diagram to indicate correct routes between Firewall and subnets.
  7. Route Table - BGP screen shots out of date
  8. Az Firewall UI's/instructions need slight update.

Issue in Exercise-11 Task-2

In Exercise-11 Task-2, unable to see All metrics under category details while adding diagnostic settings for Load balancer WGWEBLB which we have created with SKU: Basic.
But when I tried creating a SKU: Standard Load Balancer, I was able to see All Metrics while adding diagnostic settings for the one I created.

In Exercise-5 Task-1, while creating Load Balancer noticed UI got updated. Instructions and screenshots need to be updated.

RDP Access to WGWEB1

Hello,

After creating a load balancer in Exercise 5, Task 2, I am asked to initiate an RDP session to WGWEB1, one of the virtual machines in the backend pool. I am assuming that the sessions should be initiated from LABVM. According to WGAppNSG1, only systems on the Management (10.7.2.0/25) subnet can access machines on the AppSubnet over RDP.


Are there any issues in my environment that are preventing me from completing the connection? In the meantime, how should I try to ensure that my load balancing solution is working?

Thank you.

I was able to connect to WGSQL1 also

Before Exercise 10: Create a Network Monitoring Solution

I was testing the following scenario;

On the jump host virtual machine (WGMGMT1), initiate a Remote Desktop session to the WGWEB1 via its private IP address (10.8.0.4). This should be successful since it is allowed by Azure Firewall. --> this part is working as it is supposed to

However, an attempt to connect via Remote Desktop to the WGSQL1 via its private IP address should fail since it is blocked by a network security group. --> I was able to connect to WGSQL1 also.


Note: I created the WGMGMT1 VM in WGVNet1 --> Management Subnet

Customer objections do not match preferred customer objection handling

Questions asked in student section do not match questions answered in trainer section - also alignment is off (strange indenting)

Example:
Customer objections

  1. As a financial institution, Woodgrove is under tight regulatory compliance requirements. Security is a key aspect of compliance and as such, it must be a key tenant of all operations including those related to technology. The corporate security officer is generally opposed to using services solely accessible over the public Internet. Services like Office 365, CRM, and other Microsoft SaaS offerings are off limits. Additionally, PaaS services accessed over the Internet are also unusable. It has relegated Woodgrove to private Azure services such as IaaS.

Checklist of preferred objection handling

  1. Woodgrove is reluctant to use Azure PaaS and SaaS offerings due to the public nature of these services. They are very reluctant for their data to traverse the Internet.

June 2020 Update Suggestions

Here are our suggested updates for the June 2020 update. Please add any other suggestions or feedback to this issue.

  • Update to leverage ExpressRoute Global Reach
  • Update PowerShell examples to use Az instead of AzRM
  • Update diagrams to use the new Azure icons
  • Replace "jump box" with Bastion (addresses issue #44)

Verify links in HOLs

Folder and document names have been updated. Please check your HOL documents for links that use folder names in their path and make sure they are still valid and working.

New interface for vNet peering

In exercise 6, we have task 1 and task 2 to configure vNet peering. The interface for vNet peering has changed and we can configure both sides of the peering in one shot.

This exercise needs maintenance and the steps need adjustment.

This is how the new interface looks:

Issues faced in Exercise 5 and 11

  • In Exercise-5 Task-2 Step-10, unable to load the website with load balancer private IP: http://10.8.0.100 but website is getting loaded with private IP of the WGWEB1 VM.

  • In Exercise-11 Task-1 Step-10, Microsoft Edge is not getting installed by using the command given in the lab guide.

    Error: Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.

The cause of the error is that PowerShell by default uses TLS 1.0 to connect to the website, but the website's security requires TLS 1.2.

[Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

I have tried in the user environment and it worked.

  • Screenshot needs to be updated for Exercise-11 Task-1 Step-12

HOL step by step several broken image links

There are several images in the HOL step by step that do not appear as images, but as text.

There are also blocks of text that appear as code but should appear in-line with the rest of the text.

Issue in Exercise 8 Task 2

In Exercise 8, Task 2, step 10, when we try to add a subnet to the route tables as mentioned in the instructions, we received the error below.

Error message: No available IP address in subnet GatewaySubnet.

Please find the error screenshot below:


You can find the available subnets and their configuration in the attached screenshot.

Wrong screenshot.

Hi there,
In exercise 4, task 4, step # 11, the screenshot is not accurate. When you change the protocol from TCP to HTTP as directed in step 11, the interface looks different from the one shown.

November 2019 - Content update

This workshop is scheduled for a content update. Opsgility, please review the workshop and provide your update suggestions for SME review here.

Wrong vNet name

Hi,
In exercise 7, task 4, step 4 we are directed to select a vNet that doesn't exist.

In the Azure portal, navigate to the blade of the virtual network WGVNet, select DDoS protection, select Standard, and, in the DDoS protection plan drop-down list, select the DDoSprotection entry.
There is no WGVNet and it was never a request to create one. We have WGVNet1 and WGVnet2, but no WGVNet.

Duplicate folders

Hey Michael,
I started to go in and update this repo with the most current abstracts your team sent over and I'm seeing duplicate files in the workshop. There are two WDS student guides, and two WDS trainer guides. In the labs folder, there's Before the hands-on lab and Before the lab (should be Before the HOL).

I've updated the ReadMe file with the latest info but not going to update the WDS or labs until file numbers are correct. Please let me know when it's complete. Thanks

May 2019 Content Update

Hello,
This workshop is scheduled for a May 2019 update. Please review open issue #24 and give your suggested updates for SME review.

SMEs - Please see open issue #27 Suggested WDS updates and leave your feedback there.

Thanks,
Dawnmarie

Hands-on Lab

  1. From Exercise 1 on, the links to the steps in the TOC are not working. Please correct formatting. Same issue on the unguided lab, please correct.

  2. Line 373 - alt-text is just [C]

  3. Lines 655 & 657 - The instructions say Location: southcentral us - the screenshot that follows, the location is filled out as West US.

HOL image

image26.jpeg does not configure correctly. I can't get it to format without making the text appear instead of the image, nor can I link it, weirdly enough.

Before the HOL

Document updated to match template. I added licensing info and TOC. Please format the shortcuts in the TOC to work.

Suggested WDS updates

  1. Using the Azure Firewall for inbound/outbound traffic is nice. However, I'm not so sure about using it to filter traffic between application tiers (as at present). Between application tiers, I suggest using NSGs and ASGs. Using ASGs is nice because it allows us to showcase putting all tiers in the same subnet, decoupling network design from application architecture, while still giving full network isolation between tiers. We could even put in an objection/requirement regarding limited IP space and the need to be efficient yet future-proof. NSGs also mean we can bring in NSG flow logs / traffic analytics.

  2. We should add more on Service Endpoints, they're not well covered at present. In particular, with Forced Tunnelling, Service Endpoints are important to ensure the route from VM to service (E.g. SQL Database) doesn't loop back via the on-premises environment. Also we can talk about the service firewalls, and (once GA) Service Endpoint Policy.

  3. We could add a large-volume Internet/consumer facing app. That can use Azure firewall, WAF, DDoS Standard and perhaps even FrontDoor. Hard to justify using all those unless it's Internet-facing. However, adding a separate app effectively doubles the WDS, might be too much given time constraints.

All powerpoint issues:

  1. Slide 1: Missing Microsoft Cloud Workshop Logo/image
  2. Slide 2:
    "Create a Virtual Network and provision subnets with associated network security groups" - Abstract does not contain "...with associated network security groups"
  3. Slide 26:
    "Image has a TON going on, isn't flat, doesn't have alt text from accessibility team and some colors cross over different backgrounds and are unreadable"
  4. Slide 29:
    "Image no alt text from accessibility team."
  5. Slide 31:
    "Image isn't flat, needs alt text from accessibility team, can't remove bullet point without screwing up image."

NSG between web servers and sql servers does not work

Hi
I am doing this lab and at least with me the results are not going as expected.

There are two tests to do:

On the jump host virtual machine (WGMGMT1), initiate a Remote Desktop session to the WGWEB1 via its private IP address (10.8.0.4). This should be successful since it is allowed by Azure Firewall. However, an attempt to connect via Remote Desktop to the WGSQL1 via its private IP address should fail since it is blocked by a network security group.

On the jump host virtual machine (WGMGMT1), initiate a Remote Desktop session to the WGWEB2 via its private IP address (10.8.0.5). This should be successful since it is allowed by Azure Firewall. However, an attempt to connect via Remote Desktop to the WGSQL1 via its private IP address should fail since it is blocked by a network security group

However, I found that from the WGWEB1 and WGWEB2 servers the RDP access to the WGSQL1 host worked normally.

I started to investigate all the settings and I think I understand why.

1 - NSG WGAppNSG1 is created
2 - It is configuring several INBOUND rules
3 - NSG WGAppNSG1 is associated only with VNET WGVNet2 subnet AppSubnet

The NSG (WGAppNSG1) is added only to the application server subnet.
To prevent application servers (WGWEB1 and WGWEB2) from accessing the SQL server (WGSQL1) it is necessary to either:
- configure an OUTBOUND rule in NSG WGAppNSG1, or
- create an NSG just for the data subnet (DataSubnet) blocking RDP in the INBOUND rules.

In my case I was able to block access by creating an OUTBOUND blocking rule in NSG WGAppNSG1

Source: Virtual network 
Source port ranges: *
Destination port ranges: 3389
Protocol: Any
Action: Deny
Priority: 100
Name: BlockRDP

Please confirm if what I'm talking about is correct or if just some wrong configuration in the way I set up the lab.

Thanks
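Both options described in the post above, as an added Azure PowerShell example (not part of the lab and not the poster's code): the outbound BlockRDP rule on WGAppNSG1 with the values listed, plus an inbound NSG for DataSubnet that admits RDP only from the Management subnet 10.7.2.0/25. The resource group name, the data-tier NSG name WGDataNSG1 and the NIC name placeholder are assumptions.

```powershell
# Assumption: resource group holding WGVNet2, WGAppNSG1 and the SQL server NIC.
$rg = "WGVNet2RG"

# Option 1 (what the poster verified): an OUTBOUND deny on the app-tier NSG. An NSG with
# only inbound rules never inspects traffic leaving AppSubnet, so the web servers can
# still open 3389 to WGSQL1 unless an outbound rule says otherwise.
$appNsg = Get-AzNetworkSecurityGroup -Name "WGAppNSG1" -ResourceGroupName $rg
$appNsg | Add-AzNetworkSecurityRuleConfig -Name "BlockRDP" `
    -Description "Deny RDP leaving the application tier" `
    -Direction Outbound -Access Deny -Priority 100 -Protocol * `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389 | Out-Null
$appNsg | Set-AzNetworkSecurityGroup | Out-Null

# Option 2: protect the data tier at its own boundary. Allow RDP from the Management
# subnet (same pattern as the lab's AllowMgmtInboundAny3389 rule), then deny it from any
# other source, AppSubnet included. A lower priority number wins, so 200 is evaluated first.
$allowMgmt = New-AzNetworkSecurityRuleConfig -Name "AllowMgmtInboundAny3389" `
    -Direction Inbound -Access Allow -Priority 200 -Protocol Tcp `
    -SourceAddressPrefix "10.7.2.0/25" -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389
$denyRdp = New-AzNetworkSecurityRuleConfig -Name "DenyRdpInboundAny" `
    -Direction Inbound -Access Deny -Priority 300 -Protocol Tcp `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389
$location = (Get-AzResourceGroup -Name $rg).Location
$dataNsg = New-AzNetworkSecurityGroup -Name "WGDataNSG1" -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowMgmt, $denyRdp

# Associate the new NSG with DataSubnet in WGVNet2 (keeps the existing address prefix).
$vnet = Get-AzVirtualNetwork -Name "WGVNet2" -ResourceGroupName $rg
$data = Get-AzVirtualNetworkSubnetConfig -Name "DataSubnet" -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name "DataSubnet" -VirtualNetwork $vnet `
    -AddressPrefix $data.AddressPrefix -NetworkSecurityGroup $dataNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the effective rules on the SQL server NIC should now include DenyRdpInboundAny.
# Replace the NIC name placeholder with the NIC attached to WGSQL1.
(Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName "<WGSQL1-nic-name>" `
    -ResourceGroupName $rg).EffectiveSecurityRules |
    Where-Object { $_.DestinationPortRange -contains "3389" } |
    Format-Table Name, Direction, Access, Priority, SourceAddressPrefix
```

After applying option 1, re-run the lab test from WGWEB1 to WGSQL1 on 3389; it should now time out while the Management-subnet path to WGSQL1 keeps working.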

Issues in Exercise 11

Hi,
In exercise 11 task 1 we need to create a storage account in both the regions East US and South Central US, not just one region, so that it is available while configuring the NSG Flow logs settings.
Exercise 11 task 4 OnPremVM is created in OnPremVMRG and not OnPremVNetRG.

Can you please update the changes.

Feedback - Region Hardcoded

In the steps wherever we are deploying resources, it is mentioned to use region South Central US in the HOL Guide. But, it will be better if you can modify the guide to use the region where the Resource Group is deployed.

ARM template

Hi can you share the ARM template discussed in the lab.

Another bad screenshot

Hi,
In exercise 7, task 2, the screenshot in step 6 is not consistent with step 5. The rule name, protocol selection and translated address on the screenshot in step 6 are not as directed in step 5. This will definitely cause confusion with students.
The fact that the VMs deployed correctly to the vNets tells me that the internal IP 10.7.x.y is the correct one, instead of the 10.8.x.y shown on screenshots. We will see whether this is the case when I finish the workshop.

Name mismatch

Hi there, in exercise 3, task 2, step 3 says:

Repeat this procedure to add the DataToMgmt route using the following information:

But on the form below, the route name is:

Route name: AppToMgmt

It seems the correct name is AppToMgmt. Could you please fix the name on step # 3? Thanks in advance. :)

Wrong button name

Hi there,
In exercise 4, task 4, step # 9, it says:

Then, choose Save.

The button on the interface is Ok, not Save

Missing installation of WGMGMT1

WGMGMT1 installation is missing in the HOL document and you are asking us to connect it in exercise 9. See below.

On the jump host virtual machine (WGMGMT1), open Internet Explorer and browse to the web application deployed to the WGVnet2 via the private IP address of the Azure Load Balancer (10.8.0.100). Note that this traffic is routed (and allowed) via Azure Firewall.

HOL step by step vnet label typo

In the HOL step by step document, exercise 5, task 1, step 5, it says "On the Choose Virtual Network blade, choose WGVNet". (also shows this in the screenshot)
I believe this is incorrect, and should reference WGVNet1 as there is no WGVNET in the lab.

Yet another wrong screenshot

On exercise 8, task 4, step 2, the screenshot there is the same as in task 3, step 2. It should differ (except for the resource group).

Exercise 5, Task 2, Step 10 not possible due to Network Security Group settings

Can't do an RDP session to WGWEB1 as the WGAppNSG1 network security group allows access to RDP only from Management subnet (inbound rule 200: AllowMgmtInboundAny3389). This can only be done from the Management subnet. Trouble is that previous instructions do not direct to create an admin server in Management subnet (10.7.2.0/25) in WGVNet1 (with appropriate NSG settings for that server to allow RDP into it or use of Bastion). Neither is that indicated in the "Before the HOL" doc.

WDS image

Infographic for common scenarios doesn't show up correctly in student guide or trainer guide.

WDS PPT- Abstract does not match Readme

Unsure if this will be resolved when the ReadMe is updated. Content is the same as the abstract but wording is different. Creating this issue so we check the ppt after the ReadMe is fixed.

Wrong screenshot

Hi there,
On exercise 3, task 2, step 9, the screenshot is not correct; it does not show the final result of the steps.
