AZ-104 Lab 2: Secure Azure Networking – Hands-On Walkthrough

I've been working professionally in IT since 2021, with hands-on experience in endpoint management, desktop support, SaaS administration, and hybrid cloud environments. I started jmcnairtech to document what I learn along my journey and share practical solutions with others. This blog is about breaking down real-world troubleshooting with clear, actionable steps. Whether you're just starting out or refining your skills, I share what works, what breaks, and how to fix it.
In this lab, we’ll build a secure Azure network from scratch using the Azure Portal.
You’ll deploy virtual networks, subnets, network security groups, VNet peering, and Azure Bastion for secure RDP access.
This directly maps to AZ-104 exam objectives under “Manage Virtual Networking.”
Lab Objectives
Create and configure Azure VNets and subnets
Apply NSGs for subnet-level security
Connect VNets using peering
Use Azure Bastion for secure, no-public-IP access
What You’ll Need
Active Azure subscription
RDP client or web Bastion access
Your public IP (for temporary RDP rule)
Enough credit (free tier is fine if you delete resources afterward)
Step 1 – Create a Resource Group
Goal: keep all lab resources organized and easy to delete later.
Step 1.1
In the Azure Portal search bar, type Resource groups and select it.
Step 1.2
Click + Create.
Step 1.3
Subscription: your default
Resource group name: rg-lab2-network
Region: choose your closest (e.g., East US)
Click Review + Create → Create.

Step 2 – Create Virtual Networks and Subnets
Goal: establish one “hub” (primary) and one “spoke” VNet.
Step 2.1 – Create Primary VNet
In the portal, search Virtual networks → + Create.
Basics tab:
Resource group: rg-lab2-network
Name: vnet-lab2-primary
Region: East US
IP Addresses tab:
- Address space: 10.1.0.0/16
- Add two subnets:
  subnet-app → 10.1.1.0/24
  subnet-db → 10.1.2.0/24
Click Review + Create → Create.
Step 2.2 – Create Spoke VNet
+ Create → Virtual Network again.
Resource group: rg-lab2-network
Name: vnet-lab2-spoke
Address space: 10.2.0.0/16
Add subnet: subnet-spoke → 10.2.1.0/24
Create.
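Before clicking Create it is worth checking the address plan on paper, because Azure rejects a subnet outside its VNet's space, overlapping subnets, and (in Step 6) peering between VNets whose address spaces overlap. The script below is an added example, not part of the original lab: it takes the address spaces and subnets from Step 2 plus the AzureBastionSubnet added in Step 7.1 and applies those rules with Python's standard ipaddress module, including the /26-or-larger minimum that Bastion requires for its subnet.

```python
"""Address-plan checks for the lab's hub-and-spoke VNets.

Added example (not part of the original lab). It uses the address
spaces and subnets the lab creates in Step 2 and the AzureBastionSubnet
added in Step 7.1, and checks the conditions Azure enforces: every
subnet lies inside its VNet's address space, subnets in one VNet do not
overlap, peered VNets do not overlap, and AzureBastionSubnet is /26 or
larger.
"""
from ipaddress import ip_network

# Lab values from Steps 2 and 7.1
VNETS = {
    "vnet-lab2-primary": {
        "address_space": "10.1.0.0/16",
        "subnets": {
            "subnet-app": "10.1.1.0/24",
            "subnet-db": "10.1.2.0/24",
            "AzureBastionSubnet": "10.1.3.0/26",
        },
    },
    "vnet-lab2-spoke": {
        "address_space": "10.2.0.0/16",
        "subnets": {"subnet-spoke": "10.2.1.0/24"},
    },
}


def check_vnet(name, vnet):
    """Return a list of problems found inside a single VNet (empty = OK)."""
    problems = []
    space = ip_network(vnet["address_space"])
    subnets = {n: ip_network(p) for n, p in vnet["subnets"].items()}
    # Every subnet must sit inside the VNet address space
    for sub_name, sub in subnets.items():
        if not sub.subnet_of(space):
            problems.append(f"{name}: {sub_name} {sub} is outside {space}")
    # Subnets within one VNet must not overlap each other
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{name}: {a} overlaps {b}")
    # Bastion needs its dedicated subnet to be /26 or larger
    bastion = subnets.get("AzureBastionSubnet")
    if bastion is not None and bastion.prefixlen > 26:
        problems.append(
            f"{name}: AzureBastionSubnet must be /26 or larger, got /{bastion.prefixlen}"
        )
    return problems


def check_peering(vnets, a, b):
    """Peered VNets may not have overlapping address spaces."""
    sa = ip_network(vnets[a]["address_space"])
    sb = ip_network(vnets[b]["address_space"])
    if sa.overlaps(sb):
        return [f"{a} {sa} overlaps {b} {sb}; peering would be rejected"]
    return []


def validate_plan(vnets, peerings):
    """Run every check and return the combined list of problems."""
    problems = []
    for name, vnet in vnets.items():
        problems.extend(check_vnet(name, vnet))
    for a, b in peerings:
        problems.extend(check_peering(vnets, a, b))
    return problems


if __name__ == "__main__":
    issues = validate_plan(VNETS, [("vnet-lab2-primary", "vnet-lab2-spoke")])
    print("Address plan OK" if not issues else "\n".join(issues))
```

Run it as-is and the lab plan passes. Change the spoke to 10.1.0.0/16 (a common mistake when copying the first VNet) and the peering check fails, which is exactly what the portal would tell you in Step 6, just later and after more clicking.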


Step 3 – Deploy the Virtual Machines
Goal: create three small servers to test routing and security.
Step 3.1 – Create vm-app-1
In the Portal, search Virtual machines → + Create → Azure virtual machine.
Basics:
RG: rg-lab2-network
Name: vm-app-1
Region: East US
Image: Windows Server 2025 Datacenter
Size: Standard D2s
Username: itadmin
Password: (secure)
Networking tab:
VNet: vnet-lab2-primary
Subnet: subnet-app
Public IP: Enabled
NIC NSG: Basic → RDP (3389)
Review + Create → Create.
Step 3.2 – Create vm-db-1
Same process but choose Subnet: subnet-db.
Step 3.3 – Create vm-spoke-1
VNet: vnet-lab2-spoke
Subnet: subnet-spoke
Public IP: Enabled
Size: small
Step 4 – Install IIS on vm-app-1
Goal: host a test web page.
Step 4.1
RDP into vm-app-1 using its public IP.
Step 4.2
Open Server Manager → Add roles and features → Web Server (IIS) → Install.

Step 4.3
After it finishes, open a browser on the VM → visit http://localhost.
You should see the IIS splash page.
Step 4.4 (Optional)
Edit iistart.htm and type “Hello from vm-app-1”

Step 5 – Configure Network Security Groups (NSGs)
Goal: allow only needed traffic between subnets.
Step 5.1 – Create NSG for App Subnet
In the portal, search Network security groups → + Create.
Name: nsg-app-lab2, RG: rg-lab2-network, Region: East US → Create.
Open nsg-app-lab2 → Inbound security rules → + Add.
Allow-HTTP-From-Internet:
- Source: Any | Port: 80 | Protocol: TCP | Action: Allow | Priority: 200
Allow-RDP-From-Home:
- Source: Your home IP/32 | Port: 3389 | Action: Allow | Priority: 210
Under Subnets, click Associate → vnet-lab2-primary → subnet-app.
Step 5.2 – Create NSG for DB Subnet
Create nsg-db-lab2 similarly. Add inbound rules:
Allow-App-to-DB-1433:
- Source: 10.1.1.0/24 | Port: 1433 | Action: Allow | Priority: 200
Allow-App-to-DB-RDP:
- Source: 10.1.1.0/24 | Port: 3389 | Action: Allow | Priority: 210
Associate to subnet-db.
Step 5.3 – Test NSGs
- From your PC → RDP to vm-app-1: allowed
- From your PC → RDP to vm-db-1: not allowed
- From inside vm-app-1 → RDP to vm-db-1: allowed
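The three tests above (and the rows of the Step 8 validation table) follow from how Azure evaluates NSG rules: lowest priority number first, first match wins, the built-in default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) sit behind your custom rules, and when a subnet NSG and a NIC NSG both exist, inbound traffic has to be allowed by both. The script below is an added example, not part of the original lab: it encodes the Step 5.1 and 5.2 rules exactly as written and walks each lab test through that evaluation so you can see which rule produced the verdict. The home IP, the VM private IPs and the contents of the "Basic" NIC NSG from Step 3 are constructed assumptions, labelled in the comments.

```python
"""Simulate inbound NSG evaluation for the lab's subnets and VMs.

Added example (not part of the original lab). Azure semantics modelled:
rules are checked in ascending priority, the first match wins, the
default rules sit behind custom ones, and with both a subnet NSG and a
NIC NSG present, inbound traffic must be allowed by both.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The "VirtualNetwork" service tag covers the VNet's own address space plus
# any peered VNets, which is why the spoke can reach the hub after Step 6.
VIRTUAL_NETWORK = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]
HOME_IP = "203.0.113.10"                     # constructed stand-in for "your home IP"
AZURE_LB = ip_network("168.63.129.16/32")    # AzureLoadBalancer probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str            # "Any", "VirtualNetwork", "AzureLoadBalancer" or a CIDR
    port: Optional[int]    # None = any destination port
    protocol: str          # "TCP", "UDP", "ICMP" or "Any"
    action: str            # "Allow" or "Deny"


# Azure's built-in inbound rules; they always come after custom rules
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", None, "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", None, "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Any", None, "Any", "Deny"),
]

# Step 5.1 and 5.2 rules as written in the lab
NSG_APP = [
    Rule("Allow-HTTP-From-Internet", 200, "Any", 80, "TCP", "Allow"),
    Rule("Allow-RDP-From-Home", 210, f"{HOME_IP}/32", 3389, "TCP", "Allow"),
]
NSG_DB = [
    Rule("Allow-App-to-DB-1433", 200, "10.1.1.0/24", 1433, "TCP", "Allow"),
    Rule("Allow-App-to-DB-RDP", 210, "10.1.1.0/24", 3389, "TCP", "Allow"),
]
# Assumption: the "Basic" NIC NSG chosen in Step 3 opens RDP from Any and, on
# the web server, HTTP as well. The subnet NSG is what actually restricts.
NIC_APP = [Rule("HTTP", 300, "Any", 80, "TCP", "Allow"),
           Rule("RDP", 310, "Any", 3389, "TCP", "Allow")]
NIC_DB = [Rule("RDP", 300, "Any", 3389, "TCP", "Allow")]


def source_matches(rule, src_ip):
    """Does the flow's source IP fall inside the rule's source?"""
    ip = ip_address(src_ip)
    if rule.source == "Any":
        return True
    if rule.source == "VirtualNetwork":
        return any(ip in net for net in VIRTUAL_NETWORK)
    if rule.source == "AzureLoadBalancer":
        return ip in AZURE_LB
    return ip in ip_network(rule.source)


def evaluate_nsg(rules, src_ip, dst_port, protocol="TCP"):
    """Return (action, rule_name) of the first matching rule by priority."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (source_matches(rule, src_ip)
                and rule.port in (None, dst_port)
                and rule.protocol in ("Any", protocol)):
            return rule.action, rule.name
    raise AssertionError("DenyAllInBound always matches, so this is unreachable")


def is_allowed(subnet_nsg, nic_nsg, src_ip, dst_port, protocol="TCP"):
    """Inbound traffic must pass the subnet NSG and then the NIC NSG."""
    for rules in (subnet_nsg, nic_nsg):
        action, _ = evaluate_nsg(rules, src_ip, dst_port, protocol)
        if action == "Deny":
            return False
    return True


def lab_results():
    """The Step 5.3 tests and the Step 8 validation rows, as this model sees them."""
    internet = "198.51.100.7"    # constructed "some internet host"
    vm_app_1 = "10.1.1.4"        # constructed private IPs
    vm_spoke_1 = "10.2.1.4"
    return {
        "home -> vm-app-1 RDP": is_allowed(NSG_APP, NIC_APP, HOME_IP, 3389),
        "home -> vm-db-1 RDP": is_allowed(NSG_DB, NIC_DB, HOME_IP, 3389),
        "vm-app-1 -> vm-db-1 RDP": is_allowed(NSG_DB, NIC_DB, vm_app_1, 3389),
        "internet -> vm-db-1 RDP": is_allowed(NSG_DB, NIC_DB, internet, 3389),
        "internet -> vm-app-1 HTTP": is_allowed(NSG_APP, NIC_APP, internet, 80),
        "vm-app-1 -> vm-db-1 1433": is_allowed(NSG_DB, NIC_DB, vm_app_1, 1433),
        "vm-spoke-1 -> vm-app-1 RDP": is_allowed(NSG_APP, NIC_APP, vm_spoke_1, 3389),
    }


if __name__ == "__main__":
    for test, verdict in lab_results().items():
        print(f"{test:30s} {'allowed' if verdict else 'blocked'}")
```

Two things the run makes visible. First, the block on "your PC → vm-db-1" comes from DenyAllInBound, not from anything you added in Step 5.2; the two explicit DB rules are actually shadowed by AllowVnetInBound, which is why vm-app-1 → vm-db-1 on 1433 passes the NIC NSG even though that NIC only lists RDP. Second, the NIC NSG is a separate gate: if you ticked only RDP (3389) when creating vm-app-1, the "Internet → vm-app-1 (HTTP)" row fails at the NIC stage even though nsg-app-lab2 allows port 80, so check both NSGs (and the Windows guest firewall, which filters independently of either) when a test does not match the table.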


Step 6 – Peer the VNets
Goal: enable private routing between primary and spoke VNets.
Step 6.1
Open vnet-lab2-primary → Peerings → + Add.
Peering name: primary-to-spoke
Remote VNet: vnet-lab2-spoke
Allow traffic both ways → Add.
Step 6.2
Check that the reverse peering appears automatically; if not, add it manually on vnet-lab2-spoke.
Step 6.3 – Test Connectivity
RDP into vm-spoke-1 → open Command Prompt:
ping 10.1.1.x (private IP of vm-app-1)

Step 7 – Deploy Azure Bastion (Zero Public RDP)
Goal: secure management without exposing public IPs.
Step 7.1
Open vnet-lab2-primary → Subnets → + Subnet
Name: AzureBastionSubnet
Address prefix: 10.1.3.0/26 → Save
Step 7.2
Search Bastions → + Create
Name: bastion-lab2
RG: rg-lab2-network
VNet: vnet-lab2-primary
Public IP: new static IP
Create
Step 7.3
Once deployed:
Go to vm-app-1 → Connect → Bastion → Use Bastion. Enter credentials and connect through the browser.
From inside, RDP to vm-db-1 using its private IP.
You’re now securely managing both VMs without public exposure.
Step 7.4
Remove the public IPs from all three VMs:
- VM → Networking → NIC → IP configurations → dissociate public IP.

Step 8 – Validation and Cleanup
| Test | Expected | Reason |
|------|----------|--------|
| Internet → vm-db-1 | ❌ Blocked | No public IP + NSG |
| Internet → vm-app-1 (HTTP) | ✅ Allowed (temp) | NSG rule |
| vm-app-1 → vm-db-1 (1433) | ✅ Allowed | NSG permit |
| vm-spoke-1 → vm-app-1 | ✅ Allowed | Peering |
| Bastion → vm-app-1 | ✅ Allowed | Secure TLS access |
Cleanup:
Delete optional LB, public IPs, Bastion if done testing.
Or delete rg-lab2-network entirely to avoid charges.
You’ve now:
Built hub-and-spoke VNets with unique address spaces.
Secured subnets with NSGs.
Connected networks using peering.
Replaced open RDP with Azure Bastion.
Please reach out to me if you have any questions or need help with the lab. I’d be happy to hear from you!