In this series, you will learn how to design an implementation of Azure Security Center and Microsoft Compliance Manager tools to ensure a secure and privacy-focused Azure cloud-based architecture.

At the end of this workshop, you will be better able to secure your cloud-based applications and services, while ensuring privacy standards are followed and your architecture is compliant.

In this hands-on lab, you will implement many of the Azure Security Center features to secure their cloud-based Azure infrastructure (IaaS) and applications (PaaS). Specifically, you will ensure that any internet exposed resources have been properly secured and any non-required internet access disabled. Additionally, you will implement a “jump machine” for admins with Application Security enabled to prevent admins from installing non-approved software and potentially exposing cloud resources. You will then utilize custom alerts to monitor for TCP/IP Port Scans and then fire alerts and run books based on those attacks.

At the end of this hands-on lab, you will be better able to design and build secure cloud-based architectures and to improve the security of existing applications hosted within Azure.

Target audience

  • Cloud Administrators
  • Cloud Architects
  • Security Analysts
  • Security Architects


  1. Microsoft Azure subscription must be pay-as-you-go or MSDN.
    • Trial subscriptions will not work.
  2. A machine with the following software installed:
    • Visual Studio 2017
    • SQL Management Studio 2017
    • Power BI Desktop

Task 1: Download GitHub resources

  1. Open a browser window to the cloud workshop GitHub repository (
  2. Select Clone or download, then select Download Zip.Clone or download and Download ZIP are highlighted in this screenshot of the cloud workshop GitHub repository.
  3. Extract the zip file to your local machine, be sure to keep note of where you have extracted the files. You should now see a set of folders:A set of extracted folders and files are visible in File Explorer: .vs, AzureTemplate, Database, Scripts, WebApp,

Task 2: Deploy resources to Azure

  1. Open your Azure Portal.
  2. Select Resource groups.
  3. Select +Add.
  4. Type a resource group name, such as azsecurity-[your initials or first name].
  5. Select Review + Create, then select Create.
  6. Select Refresh to see your new resource group displayed and select it.
  7. Select Export template, and then select Deploy.Automation script is highlighted under Settings on the left side of the Azure portal, and Deploy is highlighted on the top-right side.
  8. Select Build your own template in the editor.
  9. In the extracted folder, open the Hands-on labScriptstemplate.json.
  10. Copy and paste it into the window.
  11. Select Save, you will see the dialog with the input parameters. Fill out the form:
    • Subscription: Select your subscription.
    • Resource group: Use an existing Resource group, or create a new one by entering a unique name, such as azsecurity-[your initials or first name].
    • Location: Select a location for the Resource group. Recommend using East US, East US 2, West Central US, or West US 2.
    • Modify the sqlservername to be something unique such as “azsecurity-[your initials or first name]”.
    • Fill in the remaining parameters, but if you change anything, be sure to note it for future reference throughout the lab.
    • The userObjectId can be retrieved by navigating to Azure Active Directory blade and searching for your user account. On the user account page, you will find your object id which you can copy and paste into the field.
    • Check the I agree to the terms and conditions stated above checkbox.
    • Select Purchase.

    The above information is entered in the form, and I agree to the terms and conditions stated above and Purchase are selected and highlighted at the bottom.

  12. The deployment will take 15-30 minutes to complete. To view the progress, select the Deployments link, then select the Microsoft.Template deployment.Deployments is highlighted under Settings on the left side of the Azure portal, and Microsoft.Template is highlighted under Deployment Name on the right side.
    • As part of the deployment, you will see the following items created:
      • One storage account.
      • Three virtual networks (dbVNet, webVnet, mainVnet).
      • Three network security groups.
      • Three virtual machines (db-1, web-1, paw-1).
        • IIS is installed on web-1 via a DSC script from the GitHub repository.
      • One SQL Azure Server with sample database.
      • One Azure Key Vault.

    Created items list This screenshot is a list of the items that were created, including the items listed above.

  13. See Appendix A for detailed steps on creating these components without using an ARM template.

To be continued… say tuned…