This directory contains Infrastructure as Code (IaC) templates to deploy a comprehensive Azure lab environment for AZ-104 certification training.
The environment consists of:
- Hub-Spoke Network Topology
  - Hub VNet with Azure Firewall, VPN Gateway, and Bastion
  - Spoke VNet with workload subnet and AKS subnet
  - Full VNet peering configuration
- Compute Resources
  - Windows Server 2022 VM in Hub
  - Ubuntu 20.04 VM in Spoke
  - All VMs use cost-optimized B-series SKUs
- Monitoring & Security
  - Log Analytics Workspace with full solutions
  - NSG Flow Logs with Traffic Analytics
  - Azure Bastion for secure VM access
  - Network Security Groups on all subnets
- Sample Logic App
  - Demonstrates service health monitoring
  - Managed Identity configuration
  - Log Analytics integration

Prerequisites:
- Azure Subscription (Azure Pass or Pay-As-You-Go)
- PowerShell 7.0 or later
- Az PowerShell module
- Azure Key Vault (setup instructions below)

- Create an Azure Key Vault (if it does not already exist):
  ```powershell
  # These steps should be done by the instructor
  $rg = "az104-rg"
  $location = "southcentralus"
  $kvName = "YOUR-KV-NAME"  # Replace with your Key Vault name

  # Create Key Vault
  az keyvault create --name $kvName --resource-group $rg --location $location

  # Add VM password secret
  az keyvault secret set --vault-name $kvName --name "vmpassword2" --value "YOUR-SECURE-PASSWORD"
  ```
- Clone this repository
- Navigate to the class-setup directory
- Run the deployment script:
  ```powershell
  ./deploy.ps1
  ```

The script will:
- Verify your Azure context
- Create/update resource group
- Deploy all resources
- Display connection information

Security considerations:
- All VM access is through Azure Bastion only
- No public IPs on VMs
- NSGs restrict all unnecessary traffic
- All credentials are stored in Azure Key Vault
- All resources send logs to Log Analytics
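
A post-deployment check of the security properties listed above, added here as an example (it is not part of this repository's templates or `deploy.ps1`). It assumes the lab resource group is `az104-rg`, the Az module is loaded, and `Connect-AzAccount` has been run; the function name `Test-LabSecurityPosture` is hypothetical.

```powershell
# Added example: audit the deployed lab against the security claims listed above.
# Assumes the Az module is loaded and Connect-AzAccount has already been run.
function Test-LabSecurityPosture {
    param([Parameter(Mandatory)][string]$ResourceGroupName)
    $findings = [System.Collections.Generic.List[object]]::new()

    # Claim: no public IPs on VMs. Check every IP configuration on every NIC.
    foreach ($nic in Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName) {
        foreach ($ipConfig in $nic.IpConfigurations) {
            if ($ipConfig.PublicIpAddress) {
                $findings.Add([pscustomobject]@{ Check = 'PublicIpOnNic'; Resource = $nic.Name
                    Detail = $ipConfig.PublicIpAddress.Id })
            }
        }
    }

    # Claim: NSGs on all subnets. Assumption: the gateway and firewall subnets are
    # skipped, because Azure does not support user-managed NSGs on them.
    $exempt = 'GatewaySubnet', 'AzureFirewallSubnet'
    foreach ($vnet in Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName) {
        foreach ($subnet in $vnet.Subnets) {
            if ($subnet.Name -notin $exempt -and -not $subnet.NetworkSecurityGroup) {
                $findings.Add([pscustomobject]@{ Check = 'SubnetWithoutNsg'
                    Resource = "$($vnet.Name)/$($subnet.Name)"; Detail = 'No NSG associated' })
            }
        }
    }

    # Claim: VM access is through Bastion only. Flag inbound Allow rules that open
    # SSH/RDP to any source. Only exact ports and '*' are matched; ranges are not expanded.
    foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName) {
        foreach ($rule in $nsg.SecurityRules) {
            $openSource = @($rule.SourceAddressPrefix) | Where-Object { $_ -in '*', 'Internet', '0.0.0.0/0' }
            $mgmtPort = @($rule.DestinationPortRange) | Where-Object { $_ -in '22', '3389', '*' }
            if ($rule.Direction -eq 'Inbound' -and $rule.Access -eq 'Allow' -and $openSource -and $mgmtPort) {
                $findings.Add([pscustomobject]@{ Check = 'OpenManagementPort'
                    Resource = "$($nsg.Name)/$($rule.Name)"; Detail = "Ports: $($rule.DestinationPortRange -join ',')" })
            }
        }
    }
    return $findings
}

# Resource group name taken from this page; adjust if your lab uses another.
$results = @(Test-LabSecurityPosture -ResourceGroupName 'az104-rg')
if ($results.Count) { $results | Format-Table -AutoSize } else { 'All checks passed.' }
```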

Cost optimization:
- B-series VMs for cost efficiency
- NSG flow logs retention set to 30 days
- Standard SKU for Azure Firewall
- Consider stopping VMs when not in use

Deployment steps:
- Clone this repository
- Navigate to the class-setup directory
- Run the deployment script with your Azure Pass subscription:
  ```powershell
  ./deploy.ps1
  ```
- Follow the prompts to verify your Azure context
- Wait for deployment to complete (approximately 30-45 minutes)

To remove all resources:
```powershell
Remove-AzResourceGroup -Name "az104-rg" -Force
```

- If deployment fails:
  - Check Azure Pass subscription status
  - Verify you're in the correct subscription context
  - Review error messages in the Azure Portal
- If VM access fails:
  - Ensure you're using Azure Bastion
  - Verify NSG rules
  - Check VM status in Azure Portal

This is a lab environment for learning purposes. The configuration emphasizes learning opportunities over production-ready security. Review and understand each component as part of your AZ-104 studies.