Implement Defense in Depth on Azure

Enable a system-assigned managed identity for webserver1

Enforce Entra ID Authentication for Azure SQL Database

• Set your cloud student user account as the Admin account
• Require Entra ID authentication

Configure the Azure SQL Server Service Firewall

• Allow access from Azure resources and your IP address

Create a database contained user for webserver1

Update the Web Application to use Entra ID Passwordless Authentication

• Update C:\inetpub\wwwroot\appsettings.json on webserver1 with the passwordless connection string for the database

Test the Web Application

Create and Associate Route Table with the web-subnet

• Configure a route table with the name rt-01 and associate it with the web-subnet
• Configure a default route to send traffic to the Azure Firewall, using the name: main-fw-route

Note: The names rt-01, and main-fw-route is used to grade the lab.

Configure a DNAT rule (with the collection named natcollection) to forward HTTP traffic through the Firewall to webserver1

Create a Subnet for the Azure SQL Database

Create Private Endpoint for the Azure SQL Database

• Use the name pe-sql for the Private Endpoint

Note: The name pe-sql is used to grade the lab.

Disable the SQL Server Public Endpoint

Test the Web Application

Deploy Azure Bastion

Remove the Public IP Address from the Virtual Machine

Schedule Automatic Updates on webserver1

• Schedule to the updates to start today, run weekly on Sunday at midnight, in your local timezone

Create a Subnet for Key Vault

• Deploy a new subnet for Key Vault in the exsting Virtual Network

Deploy Key Vault

• Create a private endpoint and
• Permit public access until the end of this objective, to allow easier completion of the objective

Configure Azure Disk Encryption

• Encrypt the Operating System and Data disks on webserver1
• Ensure the RSA key size for the Key is set to: 4096

Generate a HTTPS Certificate

• Store the certificate in Key Vault
• Use the Subject: CN=webserver1

Bind the HTTPS Certificate to the Web Server

• Ensure webserver1 is listening on port 443 for HTTPS traffic using the certificate stored in Key Vault, use the below script from within cloudshell to configure the binding:

	$VaultID = (Get-AzKeyVault).ResourceId
	$VaultName = (Get-AzKeyVault).VaultName
	$ResourceGroup = (Get-AzResourceGroup).ResourceGroupName
	$VMName = "webserver1"
	$CertificateURL = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $VMName ).id
	$VM = Get-AzVM -ResourceGroupName $resourceGroup -Name $VMName
	Add-AzVMSecret -VM $VM -SourceVaultId $VaultID -CertificateStore "My" -CertificateUrl $CertificateURL | Update-AzVM
	Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VMName  -CommandId 'RunPowerShellScript' -ScriptString 'New-WebBinding -Name "WebApp" -Protocol https -Port 443; Get-ChildItem cert:\localmachine\My | Where-Object Subject -eq "CN=webserver1" | New-Item -Path IIS:\SslBindings\!443'

Update the Firewall Rules to forward HTTPS traffic

Prevent Public Access to Key Vault

Configure SQL Server Dynamic Data Masking to mask Credit Card Data

Deploy Log Analytics

• For the Log Analytics workspace, use the name log-sentinel

Note: The name the workspace must be log-sentinel to be graded successfully.

Create a Data Collection Endpoint

Create a Data Collection Rule to collect IIS WebServer Logs from webserver1

Enable Sentinel on the Log Analytics Workspace

Install the Web Session Essentials from the Content Hub in Microsoft Sentinel

Deploy required subnets to support Azure Firewall

Deploy Azure Firewall

• For the Firewall, use the name: fw-01
• For the Firewall Policy, use the name: fwpolicy-01

Note: The names fw-01 and fwpolicy-01 are used to grade the lab.

Enable Sentinel Analytics Rules

• Create an analytics rule based on the template: Identify instances where a single source is observed using multiple user agents

Test the Web Application

Note: If receiving a gateway timeout error, try adding HTTPS:// before the public IP of the firewall resource.