yvesstan/Cloud-Projects

Setting up and protecting a virtual machine to create a testing environment for a small business that provides IT services to other companies.

Cloud-Projects --> MICROSOFT AZURE

SUMMARY

In this project, "Securing virtual machines", my main task was to set up and protect a virtual machine as a testing environment for a small business that provides IT services to other companies. To do this I used just-in-time (JIT) VM access, Azure Bastion and Azure Firewall (Standard SKU). I also set up Microsoft Sentinel to monitor the testing environment. This write-up documents the implementation and includes screenshots of the steps I took along the way. The image below is a conceptual representation of the network configuration I created.

CONTEXT

A small business that provides IT services has a number of systems hosted in Microsoft Azure. The backend systems are hosted on Azure virtual machines, and they need to be securely configured and protected from threats.

As a security engineer I have been tasked with putting together a testing environment using several Microsoft security services. This testing environment will form the basis for how production VMs will be protected in the future for this IT services provider.

The client wants protection for a virtual machine in Azure set up using JIT, Azure Bastion and Azure Firewall (Standard SKU). Once that is in place, they also want Microsoft Sentinel configured to monitor the testing environment before the design is applied to the production network.

Step 1: Virtual machine setup

To start building the testing environment a virtual machine is needed first. Deploy a virtual machine in a new resource group. No public IP is needed for this VM, because Azure Bastion will be used for remote access.

  1. Sign into the Azure portal with your credentials.
  2. In the Azure portal menu, select the Create a resource button on the left-hand side of the screen.
  3. Search for "virtual machine" in the search bar, select Virtual machine from the results and then select Create.
  4. In the Basics tab of the Create a virtual machine wizard, fill out the following information:

Subscription: select your subscription.

Resource group: select Create new and enter "Services_Test" as the name of the new resource group.

Name: enter "ServicesVM" as the name of the virtual machine.

Region: select the region closest to you.

Image: Windows Server 2022 Datacenter: Azure Edition.

Scroll down and complete the rest of the details.

Size: Standard_DS1_v2

Username: AzAdmin

Password: P@$$@1234567

Confirm password: P@$$@1234567

These credentials are lab values for this walkthrough. For anything beyond a throwaway test environment, use a unique strong password kept in a secrets store and never committed to a repository; an administrator password published in a README is effectively public.

  5. Select Next: Disks.
  6. Select Next: Networking.
  7. Select Create new for the virtual network.
  8. Fill in the following details on the Create virtual network page:

Name: "Services_Test_Network"

Address space: 172.16.0.0/16

Subnet name: "VMs"

Subnet address range: 172.16.1.0/24

  9. Select OK.
  10. For Public IP select None. Keep the network security group the wizard offers for the NIC: just-in-time access (Step 4) needs an NSG on the NIC or subnet in which to place its rules.
  11. Select Review + create to review the settings.
  12. Select Create to create the virtual machine.
  13. The virtual machine will now deploy.
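The same Step 1 deployment done with Az PowerShell instead of the portal, as an added example that is not part of the original project. It assumes Az.Accounts, Az.Compute and Az.Network are installed and Connect-AzAccount has already run; the region in $location is an assumption (the walkthrough only says "closest to you"), and the NSG name VMs-nsg and NIC name ServicesVM-nic are choices made here. Everything else follows the names and ranges in Step 1.

```powershell
# Added example, not the project's own code: Step 1 done with Az PowerShell instead of the portal.
# Assumes Az.Accounts, Az.Compute and Az.Network are installed and Connect-AzAccount has already run.
# $location is an assumption (the walkthrough says "closest region"); other names and ranges follow Step 1.
$location = 'westeurope'
$rg       = 'Services_Test'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# NSG for the VMs subnet with no explicit inbound allow rule. The built-in AllowVnetInBound rule still
# lets the Bastion subnet (added in Step 5) reach RDP, and JIT (Step 4) needs an NSG in which to place
# its own deny/allow rules for 3389. This takes the place of the per-NIC NSG the portal wizard creates.
$nsg = New-AzNetworkSecurityGroup -Name 'VMs-nsg' -ResourceGroupName $rg -Location $location

# Services_Test_Network 172.16.0.0/16 with the "VMs" subnet 172.16.1.0/24.
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name 'VMs' -AddressPrefix '172.16.1.0/24' -NetworkSecurityGroup $nsg
$vnet = New-AzVirtualNetwork -Name 'Services_Test_Network' -ResourceGroupName $rg -Location $location `
          -AddressPrefix '172.16.0.0/16' -Subnet $vmSubnet

# NIC with a private IP only: no -PublicIpAddress argument, because Bastion provides remote access.
$nic = New-AzNetworkInterface -Name 'ServicesVM-nic' -ResourceGroupName $rg -Location $location `
          -SubnetId $vnet.Subnets[0].Id

# Prompt for the local administrator credential instead of writing the password into the script.
$cred = Get-Credential -UserName 'AzAdmin' -Message 'Local administrator password for ServicesVM'

$vmConfig = New-AzVMConfig -VMName 'ServicesVM' -VMSize 'Standard_DS1_v2' |
  Set-AzVMOperatingSystem -Windows -ComputerName 'ServicesVM' -Credential $cred -ProvisionVMAgent -EnableAutoUpdate |
  Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
      -Skus '2022-datacenter-azure-edition' -Version 'latest' |
  Add-AzVMNetworkInterface -Id $nic.Id |
  Set-AzVMBootDiagnostic -Disable

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig | Out-Null

# Check: the NIC must have no public IP (PublicIp column empty) and one private address in 172.16.1.0/24.
$ipcfg = (Get-AzNetworkInterface -Name 'ServicesVM-nic' -ResourceGroupName $rg).IpConfigurations
$ipcfg | Select-Object PrivateIpAddress, @{n='PublicIp'; e={ $_.PublicIpAddress.Id }}
```

The final check is the one worth keeping in any VM build script: a VM that was meant to be reachable only through Bastion should fail this check loudly if someone later attaches a public IP to its NIC.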

Step 2: Hub network with VNet peering

Create a hub network, peered with Services_Test_Network, inside a new resource group, ready for the Azure Firewall deployment.

  1. On the Azure home page, search for and select the Resource groups service.
  2. Select Create.
  3. Enter "Services_Security" as the resource group name and select the same region as before.
  4. Select Review + create, and then Create.
  5. Go back to the Azure home page by selecting Home in the top left-hand corner.
  6. On the Azure home page search for Virtual networks and select the Virtual networks service.
  7. Select Create.
  8. Select your subscription and the resource group Services_Security, and enter "Services_Hub" as the virtual network name.
  9. Select Next.
  10. Select Next again.
  11. Edit the IP address space: enter 192.168.1.0 as the starting address and /24 as the address space size.
  12. Select default under Subnets.
  13. Set the subnet template to Azure Firewall. This names the subnet AzureFirewallSubnet, which is mandatory, and sizes it at /26, the minimum Azure Firewall accepts.
  14. Enter 192.168.1.0 as the starting address.
  15. Select Save.
  16. Select Review + create.
  17. Select Create.
  18. Select Go to resource.
  19. Select Peerings in the left-hand menu.
  20. Select Add to add a new peering.
  21. Under the peering link name for this virtual network (Services_Hub), type "Hub_Test".
  22. Scroll down, leave the default settings and, under the peering link name for the remote virtual network, type "Test_Hub".
  23. Under the Virtual network dropdown, select Services_Test_Network.
  24. Select Add. The portal creates both directions of the peering, and both links should show the state Connected once deployment finishes. A peering that exists on one side only stays in Initiated and passes no traffic.

Step 3: Azure Firewall (Standard SKU) deployment

Now we'll deploy an Azure Firewall, Standard SKU, into the hub network.

  1. Search for firewalls and select Firewalls.
  2. Select Create Firewall.
  3. Fill in the following details:

Subscription: select your subscription.

Resource group: Services_Security

Name: "ServicesFirewall"

Region: select the same region that you have used previously.

Firewall SKU: Standard.

Firewall management: Use Firewall rules (classic) to manage this firewall.

Virtual network: select Use existing and select Services_Hub.

Public IP address: select Add new and name it "Services".

  4. Select Review + create, then Create, and the firewall will be deployed.

Two things the portal does not do for you. A freshly deployed firewall has no rules and denies every flow it sees, and the VNet peering alone does not send the VM's traffic to it. For the firewall to filter the test network's outbound traffic, the VMs subnet needs a route table with a 0.0.0.0/0 route whose next hop is the firewall's private IP, and the firewall needs the network and application rules the environment requires.
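Steps 2 and 3 as Az PowerShell, plus the route table and a first rule collection that the portal walkthrough does not create, as an added example that is not the project's own code. It assumes Step 1 exists, Connect-AzAccount has run and Az.Network is installed; $location, the route table name VMs-rt, and the egress rule (DNS and HTTPS only) are assumptions made here, and the rule should be adjusted to what the client's VMs actually need. Names for the hub, peering links, firewall and public IP follow the walkthrough.

```powershell
# Added example, not the project's code: Steps 2 and 3 with Az PowerShell, plus the route table that
# makes the firewall see the VM's traffic. Assumes Step 1 exists, Connect-AzAccount has run and
# Az.Network is installed. $location, 'VMs-rt' and the egress rule are assumptions made here.
$location = 'westeurope'
$hubRg    = 'Services_Security'
$testRg   = 'Services_Test'

New-AzResourceGroup -Name $hubRg -Location $location | Out-Null

# Hub VNet. The portal's "Azure Firewall" subnet template produces a /26 named AzureFirewallSubnet;
# the name is mandatory and /26 is the smallest size the firewall accepts.
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '192.168.1.0/26'
$hub = New-AzVirtualNetwork -Name 'Services_Hub' -ResourceGroupName $hubRg -Location $location `
         -AddressPrefix '192.168.1.0/24' -Subnet $fwSubnet
$spoke = Get-AzVirtualNetwork -Name 'Services_Test_Network' -ResourceGroupName $testRg

# Peering in both directions; a one-sided peering stays "Initiated" and passes no traffic.
Add-AzVirtualNetworkPeering -Name 'Hub_Test' -VirtualNetwork $hub   -RemoteVirtualNetworkId $spoke.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'Test_Hub' -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id   | Out-Null

# Standard SKU firewall with a static Standard public IP named "Services", as in the walkthrough.
$fwPip = New-AzPublicIpAddress -Name 'Services' -ResourceGroupName $hubRg -Location $location `
           -AllocationMethod Static -Sku Standard
$azfw = New-AzFirewall -Name 'ServicesFirewall' -ResourceGroupName $hubRg -Location $location `
          -VirtualNetwork $hub -PublicIpAddress $fwPip -SkuName AZFW_VNet -SkuTier Standard

# Classic rules. With no rules the firewall denies everything, so start with the minimum the VM needs:
# DNS and HTTPS out of the VMs subnet (assumption; widen deliberately, not with a "*" rule).
$egress = New-AzFirewallNetworkRule -Name 'vm-egress' -Protocol TCP,UDP -SourceAddress '172.16.1.0/24' `
            -DestinationAddress '*' -DestinationPort 53,443
$coll = New-AzFirewallNetworkRuleCollection -Name 'vm-egress-coll' -Priority 200 -Rule $egress -ActionType Allow
$azfw.NetworkRuleCollections.Add($coll)
$azfw | Set-AzFirewall | Out-Null

# Peering alone does not route the VM through the firewall. A 0.0.0.0/0 route on the VMs subnet with the
# firewall's private IP as next hop does. Traffic inside 172.16.0.0/16 (including Bastion to the VM)
# still follows the more specific system route, so the Bastion path keeps working.
$fwPrivateIp = $azfw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
           -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'VMs-rt' -ResourceGroupName $testRg -Location $location -Route $route

# Re-read the spoke (the peering changed it), attach the route table to the VMs subnet only, and save.
$spoke = Get-AzVirtualNetwork -Name 'Services_Test_Network' -ResourceGroupName $testRg
($spoke.Subnets | Where-Object Name -eq 'VMs').RouteTable = $rt
$spoke | Set-AzVirtualNetwork | Out-Null

# Check: both peering links should report PeeringState = Connected.
Get-AzVirtualNetworkPeering -VirtualNetworkName 'Services_Hub' -ResourceGroupName $hubRg |
  Select-Object Name, PeeringState
```

Assigning the route table on the subnet object directly, rather than rebuilding the subnet configuration, keeps whatever NSG is already attached to the VMs subnet in place.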

Step 4: Just-in-time access (JIT) setup

Now we enable JIT access on ServicesVM. The VM's network security group allows RDP (3389) by default; once JIT is enabled it adds a deny rule for the management ports and only opens a port, for a limited time and from a stated source, when access is requested. JIT is a Microsoft Defender for Servers feature, so that plan must be enabled on the subscription, and the VM needs an NSG on its NIC or subnet in which JIT can place its rules.

  1. Search for and select Virtual machines.
  2. Select the ServicesVM virtual machine.
  3. Select Configuration from the left-hand menu.
  4. Select Enable just-in-time.

Step 5: Azure Bastion configuration

Configure Azure Bastion for ServicesVM.

  1. Use the search bar to search for Virtual networks and select Virtual networks.
  2. Select the Services_Test_Network network.
  3. On the page for the virtual network, in the left pane, select Bastion to open the Bastion page.
  4. On the Bastion page, select Configure manually.
  5. On the Create a Bastion page, use the following settings:

Instance name: "Services_Bastion"

Virtual network: "Services_Test_Network"

  6. Scroll down and, to configure the AzureBastionSubnet, select Manage subnet configuration.
  7. On the Subnets page select + Subnet.
  8. Create the AzureBastionSubnet subnet using the following values. The name must be exactly AzureBastionSubnet and the range /26 or larger; the walkthrough uses a /24.

Subnet name: "AzureBastionSubnet"

Subnet address range: 172.16.2.0/24

Select Save at the bottom of the page to save your values.

  9. At the top of the Subnets page, select Create a Bastion to return to the Bastion configuration page.
  10. Select Create new under Public IP address and leave the default name. Bastion requires a Standard SKU public IP, and it is the only public IP in Services_Test_Network. Select Review + create.
  11. Select Create.

Step 6: Testing remote connectivity

Now we'll use Azure Bastion with JIT and connect to ServicesVM over RDP, to confirm that the deployment is working.

  1. Search for and select Virtual machines.
  2. Select ServicesVM.
  3. At the top of the page, select Connect.
  4. Scroll down and select Request access. JIT opens 3389 in the NSG for the requested time and source; without this step the Bastion connection is refused, which is the expected closed state.
  5. At the top of the page, select Bastion to go to the Bastion page.
  6. Select Use Bastion.
  7. Enter the credentials for ServicesVM:

Username: AzAdmin

Password: P@$$@1234567

  8. Click Connect to connect to the VM.

The session opens directly in the Azure portal as an HTML5 session carried over TLS on port 443 to the Bastion service; the VM itself exposes no RDP port to the internet.
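Steps 4 to 6 as Az PowerShell, as an added example that is not the project's own code, with one hardening the portal defaults do not give you: the JIT policy only permits requests from the AzureBastionSubnet range, since that is where every RDP session in this design originates. It assumes Steps 1 to 3 exist, an NSG is attached to the VM's NIC or subnet (the portal wizard creates one), Microsoft Defender for Servers is enabled on the subscription, Connect-AzAccount has run, and Az.Compute, Az.Network and Az.Security are installed. $location, the public IP name Services_Bastion-ip, the Basic Bastion SKU and the access durations are assumptions made here.

```powershell
# Added example, not the project's code: Steps 4 to 6 with Az PowerShell, JIT scoped to the Bastion
# subnet. Assumes Steps 1-3 exist, an NSG is attached to the VM's NIC or subnet, Defender for Servers
# is enabled, Connect-AzAccount has run, and Az.Compute/Az.Network/Az.Security are installed.
# $location, 'Services_Bastion-ip', the Basic SKU and the durations are assumptions made here.
$location = 'westeurope'
$rg       = 'Services_Test'
$vnet     = Get-AzVirtualNetwork -Name 'Services_Test_Network' -ResourceGroupName $rg

# Step 5: Bastion needs a subnet named exactly AzureBastionSubnet (/26 or larger) and a Standard public IP.
Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '172.16.2.0/24' -VirtualNetwork $vnet | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
$bastionPip = New-AzPublicIpAddress -Name 'Services_Bastion-ip' -ResourceGroupName $rg -Location $location `
                -AllocationMethod Static -Sku Standard
New-AzBastion -Name 'Services_Bastion' -ResourceGroupName $rg -PublicIpAddressRgName $rg `
  -PublicIpAddressName $bastionPip.Name -VirtualNetworkRgName $rg -VirtualNetworkName $vnet.Name -Sku Basic | Out-Null

# Step 4: JIT policy for ServicesVM. The portal default lets an approved request open 3389 to any source;
# here only the Bastion subnet can be requested, because that is where RDP sessions come from.
$vm = Get-AzVM -Name 'ServicesVM' -ResourceGroupName $rg
$jitVm = @{
  id    = $vm.Id
  ports = @(@{
    number                     = 3389
    protocol                   = 'TCP'
    allowedSourceAddressPrefix = @('172.16.2.0/24')   # AzureBastionSubnet only
    maxRequestAccessDuration   = 'PT3H'               # longest window a single request may ask for
  })
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' -ResourceGroupName $rg `
  -VirtualMachine @($jitVm) | Out-Null

# Step 6 equivalent of "Request access": open RDP for one hour from the Bastion subnet. Until this runs,
# the deny rule JIT placed in the NSG blocks 3389 and the Bastion connection fails, as intended.
$request = @{
  id    = $vm.Id
  ports = @(@{
    number                     = 3389
    endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
    allowedSourceAddressPrefix = @('172.16.2.0/24')
  })
}
Start-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default' -VirtualMachine @($request)

# Check: the rules JIT manages should now allow 3389 only from 172.16.2.0/24 (plus its deny rule).
Get-AzNetworkSecurityGroup -ResourceGroupName $rg | ForEach-Object { $_.SecurityRules } |
  Where-Object { $_.Name -like 'SecurityCenter-JITRule*' } |
  Select-Object Name, Access, Priority, SourceAddressPrefix, DestinationPortRange
```

With the policy scoped this way, a request that names any other source prefix is rejected by Defender for Cloud, so even an approved JIT request cannot expose RDP to an address outside the Bastion subnet.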

Step 7: Implement Microsoft Sentinel

We'll now implement Microsoft Sentinel, ready for testing and training.

  1. From the Azure portal home page, search for and select Microsoft Sentinel.
  2. Select Create Microsoft Sentinel.
  3. Select Create a new workspace.
  4. Fill in the following deployment details for the Log Analytics workspace. Your current subscription will already be selected.

Resource group: "Services_Test"

Instance name: "ServiceSentinel"

  5. Select Review + create.
  6. Select Create.
  7. After a few seconds the new workspace is created. Select ServiceSentinel.
  8. Select Add.
  9. Select OK to accept the Microsoft Sentinel free trial.
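Step 7 as Az PowerShell, followed by the first query worth running in the new workspace, as an added example that is not the project's own code. It creates the ServiceSentinel workspace in Services_Test, enables Sentinel on it, and queries the Azure Activity table for JIT access requests, which is the audit trail JIT exists to produce. It assumes Connect-AzAccount has run and Az.OperationalInsights and Az.SecurityInsights are installed; $location is an assumption, and the query only returns rows once the Azure Activity data connector has been enabled in Sentinel (the walkthrough leaves connectors for later).

```powershell
# Added example, not the project's code: Step 7 with Az PowerShell plus a query over JIT activity.
# Assumes Connect-AzAccount has run and Az.OperationalInsights and Az.SecurityInsights are installed.
# $location is an assumption; the query needs the Azure Activity data connector to be enabled first.
$location = 'westeurope'
$rg       = 'Services_Test'
$wsName   = 'ServiceSentinel'

# Log Analytics workspace, then Sentinel enabled on it (the "Add" step in the portal).
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -Location $location -Sku PerGB2018
New-AzSentinelOnboardingState -ResourceGroupName $rg -WorkspaceName $wsName -Name 'default' | Out-Null

# Every JIT request is an Azure Resource Manager operation, so once subscription activity flows into the
# workspace each one records who asked to open the port, from which client address, and whether it was
# granted. Watching this table is how you notice a request that did not come from the Bastion subnet.
$kql = @'
AzureActivity
| where OperationNameValue =~ "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"
| where ActivityStatusValue != "Start"
| project TimeGenerated, Caller, CallerIpAddress, ActivityStatusValue, ResourceGroup
| order by TimeGenerated desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql -Timespan (New-TimeSpan -Days 7)
$result.Results | Format-Table -AutoSize
```

The same query, saved as a scheduled analytics rule, turns "someone requested JIT access outside business hours" into an incident rather than a line in a table, which is the point of putting Sentinel in front of this environment before it reaches production.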

Clean-up

If you are using your own Azure subscription, follow these clean-up instructions to stop compute resources. At the end of a project, check whether you still need the resources you created: resources left running cost money. You can delete resources individually or delete the resource group to remove the whole set. Remember to also delete the firewall and the Bastion host: neither can be stopped from the portal and both are billed for every hour they exist (Azure Firewall can be deallocated with Az PowerShell, but for a lab deleting it is simpler). Delete the Standard SKU public IP addresses created for them as well.

Conclusion

Completing this final course project allowed me to put into practice the concepts I learned about securing virtual machines. Setting up a testing environment for a small business helped me understand how to configure and deploy key Microsoft security services. I started by deploying a virtual machine, then protected the network by deploying an Azure Firewall. After that, I protected the management ports on the VM by combining JIT and Azure Bastion. Finally, I deployed Microsoft Sentinel, ready for data connectors to be added in the future.
