1
00:00:01,540 --> 00:00:02,270
In this demo,

2
00:00:02,270 --> 00:00:06,500
we're going to work with TCP/IP and Windows Server Virtual Machines.

3
00:00:06,500 --> 00:00:09,330
I showed you that pretty complicated network diagram.

4
00:00:09,330 --> 00:00:13,660
I've got basically the same diagram set up as my desktop background.

5
00:00:13,660 --> 00:00:15,300
If you're wondering how I did this,

6
00:00:15,300 --> 00:00:18,630
I'm making sure to look at the Dashboard view rather

7
00:00:18,630 --> 00:00:23,300
than the Home view in the portal, and then if you edit your dashboard,

8
00:00:23,300 --> 00:00:25,450
there's a tile called Markdown,

9
00:00:25,450 --> 00:00:29,110
and Markdown allows you to use Markdown syntax to

10
00:00:29,110 --> 00:00:31,230
point to a resource if you want to.

11
00:00:31,230 --> 00:00:37,270
If I hit Edit here, I'm just simply pointing to a PNG file on my website.

12
00:00:37,270 --> 00:00:38,310
It's as simple as that.

13
00:00:38,310 --> 00:00:40,660
Just wanted to explain that because I get asked that by

14
00:00:40,660 --> 00:00:42,930
students a lot when I'm doing live training.

15
00:00:42,930 --> 00:00:45,310
But anyway, I'm not going to redo my lecture,

16
00:00:45,310 --> 00:00:48,590
but we're going to take a look and inspect network configuration,

17
00:00:48,590 --> 00:00:52,080
specifically TCP/IP configuration for a VM.

18
00:00:52,080 --> 00:00:54,440
Let's take a look at how vm2 is set up.

19
00:00:54,440 --> 00:00:56,410
What we can do is come down under Settings,

20
00:00:56,410 --> 00:00:57,130
Networking,

21
00:00:57,130 --> 00:00:59,600
and this will leave nothing to the imagination in

22
00:00:59,600 --> 00:01:02,540
terms of the TCP/IP stack on that VM.

23
00:01:02,540 --> 00:01:05,020
And what's notable about this interface is that these

24
00:01:05,020 --> 00:01:07,740
hyperlinks will take you to those resources.
25
00:01:07,740 --> 00:01:08,370
The private,

26
00:01:08,370 --> 00:01:13,240
non-internet accessible IP is coming from Azure-provided DHCP in the

27
00:01:13,240 --> 00:01:16,960
context of the virtual network that I've deployed this VM to.

28
00:01:16,960 --> 00:01:20,270
I do, in fact, have a public IP, but what if I realize,

29
00:01:20,270 --> 00:01:23,040
wait a minute, this is representing a security hazard,

30
00:01:23,040 --> 00:01:27,860
I'm going to come over the internet using Azure Bastion to manage this machine.

31
00:01:27,860 --> 00:01:32,440
I don't want to RDP directly on this public IP, how can we get rid of it?

32
00:01:32,440 --> 00:01:37,080
Maybe instead of 10.0.0.5, we need to do 10.0.0.20 instead.

33
00:01:37,080 --> 00:01:38,840
How could we change the IP?

34
00:01:38,840 --> 00:01:39,030
Well,

35
00:01:39,030 --> 00:01:42,220
what you never want to do is RDP into the VM and

36
00:01:42,220 --> 00:01:44,070
change the network properties in there.

37
00:01:44,070 --> 00:01:45,150
That's never going to work.

38
00:01:45,150 --> 00:01:47,920
You're going to want to make the change from the Azure control plane.

39
00:01:47,920 --> 00:01:49,150
And remember what I said,

40
00:01:49,150 --> 00:01:52,640
that it's at the virtual network interface level that this is done.

41
00:01:52,640 --> 00:01:56,930
And we have a nice handy dandy hyperlink to the network interface right here,

42
00:01:56,930 --> 00:01:59,520
and we'll head on over to that network interface,

43
00:01:59,520 --> 00:02:02,420
and in particular, we'll want to use under Settings,

44
00:02:02,420 --> 00:02:07,470
IP configurations, we have our ipconfig1 default configuration.

45
00:02:07,470 --> 00:02:08,540
If we select it,

46
00:02:08,540 --> 00:02:13,370
this is where you can associate or disassociate a public IP address.

47
00:02:13,370 --> 00:02:17,380
Now note that disassociating does not delete that public IP.
48
00:02:17,380 --> 00:02:20,230
I'm going to have to, after I've disassociated it,

49
00:02:20,230 --> 00:02:23,130
I'll have to track down that resource, which you can easily do.

50
00:02:23,130 --> 00:02:26,540
If you do a search for public IP addresses, they're right here.

51
00:02:26,540 --> 00:02:29,950
But you're going to be paying for that even if it's disassociated,

52
00:02:29,950 --> 00:02:30,940
so keep that in mind.

53
00:02:30,940 --> 00:02:34,040
I'm going to Disassociate, and then for Assignment,

54
00:02:34,040 --> 00:02:37,690
it looks like I've already made this private IP address static.

55
00:02:37,690 --> 00:02:39,260
By default, it's dynamic,

56
00:02:39,260 --> 00:02:43,790
which could present a pain point if your VM is stopped and restarted,

57
00:02:43,790 --> 00:02:44,140
you see.

58
00:02:44,140 --> 00:02:48,360
So I'm going to do Static, and I'm going to change it to 10.0.0.20.

59
00:02:48,360 --> 00:02:50,810
Now notice that it says the virtual machine will be

60
00:02:50,810 --> 00:02:53,100
restarted to utilize the new address,

61
00:02:53,100 --> 00:02:57,770
just like a physical machine or an on-premises VM would have to be restarted,

62
00:02:57,770 --> 00:03:00,340
same thing here when you're changing the IP address.

63
00:03:00,340 --> 00:03:03,370
But let me click Save, and that will, as I said,

64
00:03:03,370 --> 00:03:04,330
reboot the VM,

65
00:03:04,330 --> 00:03:08,700
and it will come back with no public IP on it anymore and it will have a new,

66
00:03:08,700 --> 00:03:12,550
statically-assigned, private, non-internet routable IP address.

67
00:03:12,550 --> 00:03:17,630
Now, while that's cooking, let's come back to the vm2 networking settings.

68
00:03:17,630 --> 00:03:19,820
They haven't yet been updated, as you can see.
69
00:03:19,820 --> 00:03:24,420
We've got our network security group that's providing security at OSI Layer 4,

70
00:03:24,420 --> 00:03:26,910
no need to say anything more about that right now,

71
00:03:26,910 --> 00:03:31,160
but what I do want to say is the network on which this virtual machine lives,

72
00:03:31,160 --> 00:03:32,780
we can click to it right here.

73
00:03:32,780 --> 00:03:37,140
And it looks like, in my case, my VNet is called az800-rg-vnet,

74
00:03:37,140 --> 00:03:42,680
and it has a private, non-internet routable IP space of 10.0.0.0/16.

75
00:03:42,680 --> 00:03:43,610
I set that up.

76
00:03:43,610 --> 00:03:46,400
Our subnet configuration has two subnets,

77
00:03:46,400 --> 00:03:50,650
one a default subnet that I'm using for my virtual machine workload,

78
00:03:50,650 --> 00:03:52,820
and then I've created a Bastion subnet.

79
00:03:52,820 --> 00:03:55,090
Now when you create an Azure Bastion jump host,

80
00:03:55,090 --> 00:03:57,700
you have to have a separate subnet for it that has the

81
00:03:57,700 --> 00:03:59,310
reserved name label AzureBastionSubnet.

82
00:03:59,310 --> 00:04:02,900
It has to be there or you can't deploy the Bastion.

83
00:04:02,900 --> 00:04:04,260
A Bastion, like I said,

84
00:04:04,260 --> 00:04:09,150
is simply a managed jump host that goes into its own subnet as you can see here.

85
00:04:09,150 --> 00:04:13,670
It has a public IP, but it listens only on TCP 443,

86
00:04:13,670 --> 00:04:17,820
so any port scans against that public IP endpoint are not going to

87
00:04:17,820 --> 00:04:20,920
reveal anything juicy in terms of management ports,

88
00:04:20,920 --> 00:04:23,980
hence the value proposition of Azure Bastion.

89
00:04:23,980 --> 00:04:27,110
Now, this gives us the ability to manage vm2.

90
00:04:27,110 --> 00:04:32,430
Now, technically, we could RDP to vm1 on its public instance-specific,

91
00:04:32,430 --> 00:04:33,740
public IP address.
92
00:04:33,740 --> 00:04:38,740
But vm2, too, as you can see, no longer has an internet-accessible public IP,

93
00:04:38,740 --> 00:04:42,550
so if we go on the Overview page to the Connect menu,

94
00:04:42,550 --> 00:04:45,200
and attempt an RDP session with that machine,

95
00:04:45,200 --> 00:04:47,430
this is not going to work unless, of course,

96
00:04:47,430 --> 00:04:51,440
you have an ExpressRoute circuit, or a site-to-site VPN,

97
00:04:51,440 --> 00:04:53,280
or a point-to-site VPN,

98
00:04:53,280 --> 00:04:57,170
you're never going to have a path using that non-internet IP.

99
00:04:57,170 --> 00:05:00,710
But because I've got Bastion deployed, I can do a Connect,

100
00:05:00,710 --> 00:05:04,170
Bastion, and there we have the connection just like I showed you earlier.

101
00:05:04,170 --> 00:05:04,860
Isn't that neat?

102
00:05:04,860 --> 00:05:07,520
Now, last thing I want to show you is the serial console.

103
00:05:07,520 --> 00:05:10,710
Like I said, this is a nice backdoor into your VM.

104
00:05:10,710 --> 00:05:14,810
If you find that its RDP connection is all bungled up and you just,

105
00:05:14,810 --> 00:05:16,360
or maybe boot records,

106
00:05:16,360 --> 00:05:21,000
just low-level surgery that normally you'd never think to be able to get that

107
00:05:21,000 --> 00:05:24,710
kind of serial port access to a machine because number one,

108
00:05:24,710 --> 00:05:27,520
it's a VM and not a piece of hardware, and number two,

109
00:05:27,520 --> 00:05:30,790
it's miles or kilometers away from you in an Azure datacenter.

110
00:05:30,790 --> 00:05:32,220
Now, here's the exam alert.
111
00:05:32,220 --> 00:05:35,110
In order to use Serial Console, you have to make sure,

112
00:05:35,110 --> 00:05:38,300
as a prerequisite, you have Boot diagnostics enabled,

113
00:05:38,300 --> 00:05:42,550
and it looks like on vm2 I don't have boot diagnostics enabled,

114
00:05:42,550 --> 00:05:44,090
so I better click Settings,

115
00:05:44,090 --> 00:05:47,180
and I'm going to Enable with a managed storage account.

116
00:05:47,180 --> 00:05:48,230
Now, what does this do?

117
00:05:48,230 --> 00:05:52,530
Enabling boot diagnostics will capture a screenshot of the desktop

118
00:05:52,530 --> 00:05:56,000
state of the VM that you can verify just as a way to make sure that

119
00:05:56,000 --> 00:05:58,450
the Windows VM's not in a blue screen state,

120
00:05:58,450 --> 00:05:59,240
for example.

121
00:05:59,240 --> 00:06:02,990
If it's a Linux machine, you just see a console screen, it's not as useful.

122
00:06:02,990 --> 00:06:05,230
Once you have boot diagnostics enabled,

123
00:06:05,230 --> 00:06:08,550
you can see that desktop or terminal screenshot on the

124
00:06:08,550 --> 00:06:10,550
boot diagnostics blade in the portal.

125
00:06:10,550 --> 00:06:14,590
Now, I just enabled it, so it's going to be a little while before it shows up.

126
00:06:14,590 --> 00:06:16,760
Same thing with the live serial log,

127
00:06:16,760 --> 00:06:20,750
but that again is a prerequisite to using the Serial Console.

128
00:06:20,750 --> 00:06:24,960
So if we go to Serial console, it's got its own particular syntax.

129
00:06:24,960 --> 00:06:25,340
Again,

130
00:06:25,340 --> 00:06:30,060
the reason why you would use this is to gain backdoor access to the file system

131
00:06:30,060 --> 00:06:33,430
and boot environment of the VM for troubleshooting purposes.
132
00:06:33,430 --> 00:06:37,010
Okay, now Serial Console is also called SAC,

133
00:06:37,010 --> 00:06:39,600
as you can see here, so we're at an SAC prompt,

134
00:06:39,600 --> 00:06:44,360
and we can create a cmd.exe channel just by typing cmd.

135
00:06:44,360 --> 00:06:48,840
To see a list of channels, it says use ch -?

136
00:06:48,840 --> 00:06:50,880
to get channel help.

137
00:06:50,880 --> 00:06:53,440
And if we want to switch a channel to its number,

138
00:06:53,440 --> 00:06:56,280
we can see that ch is list all channels actually,

139
00:06:56,280 --> 00:07:00,090
so before we can switch to the channel, we need to know what number it is,

140
00:07:00,090 --> 00:07:03,450
and it looks like the command.exe is on channel 1,

141
00:07:03,450 --> 00:07:09,360
so we'll do ch -si1 to switch to the cmd session.

142
00:07:09,360 --> 00:07:13,840
And once we're at the command prompt, we can use tools like BCDEdit.

143
00:07:13,840 --> 00:07:15,840
We also can use PowerShell.

144
00:07:15,840 --> 00:07:18,780
Of course, nothing in Azure is anonymous by default,

145
00:07:18,780 --> 00:07:21,000
so I'm prompted for login credentials.

146
00:07:21,000 --> 00:07:25,590
So on this machine I've got, hopefully I'll be using the correct credentials.

147
00:07:25,590 --> 00:07:27,030
Type in my password.

148
00:07:27,030 --> 00:07:27,670
There we go.

149
00:07:27,670 --> 00:07:31,330
So now we're at a CMD session, and if I type powershell,

150
00:07:31,330 --> 00:07:33,510
we're now in a PowerShell session.

151
00:07:33,510 --> 00:07:36,660
So let's do a get-command and see what's available to us.

152
00:07:36,660 --> 00:07:39,820
Elsewhere in this AZ-800 training,

153
00:07:39,820 --> 00:07:42,780
you saw about PowerShell Just Enough Administration,

154
00:07:42,780 --> 00:07:43,470
or JEA.

155
00:07:43,470 --> 00:07:46,360
Wow, these are a lot of commands, a lot more than I thought,

156
00:07:46,360 --> 00:07:48,920
so let me wait for all of these to enumerate.
157
00:07:48,920 --> 00:07:49,630
Yikes!

158
00:07:49,630 --> 00:07:53,640
But I'm seeing references to the Azure PowerShell commands as well,

159
00:07:53,640 --> 00:07:55,540
so that's definitely good to see.

160
00:07:55,540 --> 00:07:58,130
And if you're seeing what looks like gobbledygook,

161
00:07:58,130 --> 00:08:00,550
that's my technical term for the day, by the way,

162
00:08:00,550 --> 00:08:03,000
that's just that the terminal's a little bit wonky,

163
00:08:03,000 --> 00:08:07,070
it's overriding previous text, but instead of scrolling cleanly,

164
00:08:07,070 --> 00:08:10,150
it's kind of typing over it, so pardon the mess.

165
00:08:10,150 --> 00:08:14,370
Yeah, it looks like I furiously was trying to break output with Ctrl+C.

166
00:08:14,370 --> 00:08:21,000
So that's the Serial Console. I give you a link to the Serial Console docs in the exercise files, as usual.