Azure Lab 07 – Manage Azure Storage 5 min

AZ-104-MicrosoftAzureAdministrator/LAB_07-Manage_Azure_Storage.md at master · MicrosoftLearning/AZ-104-MicrosoftAzureAdministrator · GitHub

Task 1: Provision the lab environment
Task 2: Create and configure Azure Storage accounts
Task 3: Manage blob storage
Task 4: Manage authentication and authorization for Azure Storage
Task 5: Create and configure an Azure Files shares
Task 6: Manage network access for Azure Storage

Connect-AzAccount -TenantId a-numberwith-letters

$l = "West Europe"
$rg = "az104-07-rg0"
New-AzResourceGroup -Name $rg -Location $l

#PS C:\Users\name\Desktop\AZ-104 all labs\07>

New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile .\az104-07-vm-template.json -TemplateParameterFile .\az104-07-vm-parameters.json -AsJob

Task 1: Provision the lab environment

Task 2: Create and configure Azure Storage accounts

In the Redundancy drop-down list select Locally redundant storage (LRS) and save the change. Note, at this point, the Storage account has only the primary location.

Task 3: Manage blob storage

Upload the license file

View the options after upload

What is lease, its a lock

Add lease

Remove lease

Task 4: Manage authentication and authorization for Azure Storage

On the licenses/LICENSE blade, on the Overview tab, click Copy to clipboard button next to the URL entry.

Open another browser window by using InPrivate mode and navigate to the URL you copied in the previous step.

You should be presented with an XML-formatted message stating ResourceNotFound or PublicAccessNotPermitted.

On the Generate SAS tab of the licenses/LICENSE blade, specify the following settings (leave others with their default values):

SettingValue
Signing keyKey 1
PermissionsRead
Start dateyesterday’s date
Start timecurrent time
Expiry datetomorrow’s date
Expiry timecurrent time
Allowed IP addressesleave blank

Note: If you are using Microsoft Edge, you should be presented with the The MIT License (MIT) page. If you are using Chrome, Microsoft Edge (Chromium) or Firefox, you should be able to view the content of the file by downloading it and opening it with Notepad.

Note: This is expected, since now your access is authorized based on the newly generated the SAS token.

Note: Save the blob SAS URL. You will need it later in this lab.

Click the Switch to the Azure AD User Account link next to the Authentication method label.

Note: You can see an error when you change the authentication method (the error is “You do not have permissions to list the data using your user account with Azure AD”). It is expected.

Note: At this point, you do not have permissions to change the Authentication method.

On the az104-07-container blade, click Access Control (IAM).

Click Review + Assign and then Review + assign, and return to the Overview blade of the az104-07-container container and verify that you can change the Authentication method to (Switch to Azure AD User Account).

Note: It might take about 5 minutes for the change to take effect.

Swap

Task 5: Create and configure an Azure Files shares

Note: Before you start this task, verify that the virtual machine you provisioned in the first task of this lab is running.

Create a share and edit quota

SettingValue
Nameaz104-07-share

Click the newly created file share and click Connect.

Select windows and copy the script

On the az104-07-vm0 – Run command blade, click RunPowerShellScript.

On the Run Command Script blade, paste the script you copied earlier in this task into the PowerShell Script pane and click Run.

Verify that the script completed successfully.

# Replace the content of the PowerShell Script pane with the following script and click Run:

New-Item -Type Directory -Path 'Z:\az104-07-folder'

New-Item -Type File -Path 'Z:\az104-07-folder\az-104-07-file.txt'

Verify that the script completed successfully.

Navigate back to the az104-07-share file share blade, click Refresh, and verify that az104-07-folder appears in the list of folders.

Bad tutorial, hm, lets fix this

Troubleshoot

5 min Create and configure an Azure Files mount on VM 2 with robocopy (update) – e-lo [IT Engineer life] (follow-e-lo.com)

1 success

Test-NetConnection -ComputerName az10407staccountwe.file.core.windows.net -Port 445

TcpTestSucceeded : True

2 Restart the VM, no success

3 Run the same script locally as admin, success, we can reach the storage account

4 Navigate to to fileshare, success.

\\az10407staccountwe.file.core.windows.net\az104-07-share\az104-07-folder

This is the folder and file we create from Run Command blade

5 Map the drive, success

Add path to the storage account, no credentials

Result is path with Z:

Windows explorer

Good

Upload new files from the storage account

view them on the VM

Task Extra: Restart VM

Drive and access is still success

Task 6: Manage network access for Azure Storage

In the Azure portal, navigate back to the blade of the storage account you created in the first task of this lab and, in the Security + Networking section, click Networking and then click Firewalls and virtual networks.

Click the Enabled from selected virtual networks and IP addresses option and review the configuration settings that become available once this option is enabled.

Note: You can use these settings to configure direct connectivity between Azure virtual machines on designated subnets of virtual networks and the storage account by using service endpoints.

Extra, while we are here, lets only allow our IP and not the VM’s vnet.

Click the checkbox Add your client IP address and save the change.

Open another browser window by using InPrivate mode and navigate to the blob SAS URL you generated in the previous task.

Note: If you did not record the SAS URL from task 4, you should generate a new one with the same configuration. Use Task 4 steps 4-6 as a guide for generating a new blob SAS URL.

We can download the file

In the Azure portal, open the Azure Cloud Shell by clicking on the icon in the top right of the Azure Portal.

If prompted to select either Bash or PowerShell, select PowerShell.

From the Cloud Shell pane, run the following to attempt downloading of the LICENSE blob from the az104-07-container container of the storage account (replace the [blob SAS URL] placeholder with the blob SAS URL you generated in the previous task):

Invoke-WebRequest -URI '[blob SAS URL]'

Verify that the download attempt failed.

Now the VM should not have access, since we removed the Enable all to Enable selected

Add the VM Vnet, and test again, it could take 15 min

Save the changes, 13:08

13:23, Try to access storage storage account from VM, is success

Task Extra: Move all resources to a different resource group

NOTE: ALL resources are in the same resource group here

Create a new resource group in Sweden

Select all and try to move

Next

Checking whether these resources can be moved. This might take a few minutes

Source subscription Pay-As-You-Go

Source resource group az104-07-rg0

Target subscription Pay-As-You-Go

Target resource group az104-07-rg1

Number of resources to move

7