Implement Defense in Depth on Azure

Defense in depth is a strategy that utilizes multiple protection measures to secure a workload. Each measure is designed to slow the advance of an attacker. These measures are applied at many or all of the security layers, so that if one layer is breached, protection measures are already in place to prevent the next layer from being breached. In the defense in depth strategy, the security layers are:

  • Data
  • Application
  • Compute
  • Network
  • Perimeter
  • Identity and access

There is also a physical layer, but that is taken care of by Microsoft as part of the shared responsibility model. In this lab, you will configure protection at each security layer.

Lab Info
  • Level: Advanced
  • Last updated: Sep 24, 2025
  • Duration: 2h 0m

Table of Contents
  1. Challenge: Secure Identities
    1. Enable a system-assigned managed identity for webserver1

    2. Enforce Entra ID Authentication for Azure SQL Database

      • Set your cloud student user account as the Admin account
      • Require Entra ID authentication
    3. Configure the Azure SQL Server Service Firewall

      • Allow access from Azure resources and your IP address
    4. Create a database contained user for webserver1

    5. Update the Web Application to use Entra ID Passwordless Authentication

      • Update C:\inetpub\wwwroot\appsettings.json on webserver1 with the passwordless connection string for the database
    6. Test the Web Application
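As an added example (not part of the lab), the six steps above carried out from Azure Cloud Shell with Az PowerShell. It assumes one resource group, one SQL server and one user database in the subscription, that the SqlServer module's Invoke-Sqlcmd is available, and uses placeholders for your public IP address and for the connection-string key inside appsettings.json.

```powershell
# Added example: Challenge 1 (Secure Identities) run from Azure Cloud Shell. Assumes a single resource group,
# SQL server and user database in the subscription; $MyIp and the appsettings.json key name are placeholders.
$ResourceGroup = (Get-AzResourceGroup).ResourceGroupName
$VMName        = "webserver1"
$SqlServer     = Get-AzSqlServer -ResourceGroupName $ResourceGroup
$Database      = (Get-AzSqlDatabase -ResourceGroupName $ResourceGroup -ServerName $SqlServer.ServerName |
                  Where-Object DatabaseName -ne "master").DatabaseName
$MyIp          = "203.0.113.10"    # placeholder: your own public IP address

# 1. System-assigned managed identity: the app will request tokens as the VM, so no database password exists.
$VM = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
Update-AzVM -ResourceGroupName $ResourceGroup -VM $VM -IdentityType SystemAssigned | Out-Null

# 2. The signed-in student account becomes the Entra ID admin, then SQL authentication is disabled entirely.
$Me = Get-AzADUser -SignedIn
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $ResourceGroup -ServerName $SqlServer.ServerName `
    -DisplayName $Me.DisplayName -ObjectId $Me.Id | Out-Null
Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ResourceGroupName $ResourceGroup -ServerName $SqlServer.ServerName | Out-Null

# 3. Service firewall: Azure services plus one /32 for the student; nothing else can reach port 1433.
New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServer.ServerName -AllowAllAzureIPs | Out-Null
New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServer.ServerName `
    -FirewallRuleName "student-ip" -StartIpAddress $MyIp -EndIpAddress $MyIp | Out-Null

# 4. Contained user mapped to the VM identity (its name is the VM name), limited to the two data roles the app needs.
$TokenObj = Get-AzAccessToken -ResourceUrl "https://database.windows.net"
$Token = if ($TokenObj.Token -is [securestring]) { ConvertFrom-SecureString $TokenObj.Token -AsPlainText } else { $TokenObj.Token }
$CreateUser = @"
CREATE USER [$VMName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$VMName];
ALTER ROLE db_datawriter ADD MEMBER [$VMName];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer.FullyQualifiedDomainName -Database $Database -AccessToken $Token -Query $CreateUser

# 5. Passwordless connection string written into appsettings.json on the VM: nothing to rotate or leak.
$ConnStr = "Server=tcp:$($SqlServer.FullyQualifiedDomainName),1433;Database=$Database;" +
           "Authentication=Active Directory Managed Identity;Encrypt=True;TrustServerCertificate=False;"
$Remote = @"
`$path = 'C:\inetpub\wwwroot\appsettings.json'
`$json = Get-Content `$path -Raw | ConvertFrom-Json
`$json.ConnectionStrings.DefaultConnection = '$ConnStr'   # placeholder key: use the app's real key name
`$json | ConvertTo-Json -Depth 10 | Set-Content `$path
"@
Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VMName -CommandId 'RunPowerShellScript' -ScriptString $Remote
```

Step 6 is then a browser test: a page that loads after the restart shows the site authenticated to the database as the VM's identity rather than with a stored password.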

  2. Challenge: Secure the Network Perimeter - Part 2
    1. Create and Associate Route Table with the web-subnet

      • Configure a route table with the name rt-01 and associate it with the web-subnet
      • Configure a default route to send traffic to the Azure Firewall, using the name: main-fw-route

      Note: The names rt-01 and main-fw-route are used to grade the lab.

    2. Configure a DNAT rule (with the collection named natcollection) to forward HTTP traffic through the Firewall to webserver1
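As an added example (not part of the lab), both steps of this challenge from Azure Cloud Shell with Az PowerShell. It assumes the firewall fw-01 and policy fwpolicy-01 from Challenge 7 already exist, that there is a single virtual network containing a subnet named web-subnet, and that webserver1's NIC is the one attached to that VM; the rule and rule-collection-group names other than natcollection are my own.

```powershell
# Added example: Challenge 2 (route table + DNAT) from Azure Cloud Shell. Assumes fw-01 / fwpolicy-01 exist,
# one VNet with a subnet named web-subnet, and that webserver1's NIC is attached to the VM of that name.
$ResourceGroup = (Get-AzResourceGroup).ResourceGroupName
$Vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup
$Fw     = Get-AzFirewall -ResourceGroupName $ResourceGroup -Name "fw-01"
$Policy = Get-AzFirewallPolicy -ResourceGroupName $ResourceGroup -Name "fwpolicy-01"

# Firewall private IP (next hop for the default route) and public IP (the DNAT frontend)
$FwPrivateIp = $Fw.IpConfigurations[0].PrivateIPAddress
$FwPublicIp  = (Get-AzPublicIpAddress -ResourceId $Fw.IpConfigurations[0].PublicIpAddress.Id).IpAddress
# webserver1's private address: the DNAT target behind the firewall
$WebNic       = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup | Where-Object { $_.VirtualMachine.Id -like "*/webserver1" }
$WebPrivateIp = $WebNic.IpConfigurations[0].PrivateIpAddress

# 1. rt-01 with a 0.0.0.0/0 route to the firewall, associated with web-subnet: all egress now passes the firewall.
$Route = New-AzRouteConfig -Name "main-fw-route" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $FwPrivateIp
$Rt = New-AzRouteTable -Name "rt-01" -ResourceGroupName $ResourceGroup -Location $Vnet.Location -Route $Route
$WebSubnet = $Vnet.Subnets | Where-Object Name -eq "web-subnet"
$WebSubnet.RouteTable = $Rt          # assign on the existing object so NSG and other subnet settings are kept
$Vnet | Set-AzVirtualNetwork | Out-Null

# 2. DNAT rule in the collection natcollection: TCP/80 on the firewall's public IP -> webserver1:80.
$NatRule = New-AzFirewallPolicyNatRule -Name "dnat-http" -Protocol TCP -SourceAddress "*" `
    -DestinationAddress $FwPublicIp -DestinationPort 80 -TranslatedAddress $WebPrivateIp -TranslatedPort 80
$NatColl = New-AzFirewallPolicyNatRuleCollection -Name "natcollection" -Priority 100 -ActionType Dnat -Rule $NatRule
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultDnatRuleCollectionGroup" -Priority 100 `
    -RuleCollection $NatColl -FirewallPolicyObject $Policy | Out-Null
```

Challenge 5, step 6 repeats the DNAT rule with port 443 in place of 80 once the HTTPS certificate is bound on webserver1.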

  3. Challenge: Secure the Internal Network
    1. Create a Subnet for the Azure SQL Database

    2. Create Private Endpoint for the Azure SQL Database

      • Use the name pe-sql for the Private Endpoint

      Note: The name pe-sql is used to grade the lab.

    3. Disable the SQL Server Public Endpoint

    4. Test the Web Application

  4. Challenge: Secure Compute and Application Resources
    1. Deploy Azure Bastion

    2. Remove the Public IP Address from the Virtual Machine

    3. Schedule Automatic Updates on webserver1

      • Schedule the updates to start today and run weekly on Sunday at midnight, in your local timezone
  5. Challenge: Secure Data
    1. Create a Subnet for Key Vault

      • Deploy a new subnet for Key Vault in the existing Virtual Network
    2. Deploy Key Vault

      • Create a private endpoint
      • Permit public access until the end of this objective, to make completing the objective easier
    3. Configure Azure Disk Encryption

      • Encrypt the Operating System and Data disks on webserver1
      • Ensure the RSA key size for the Key is set to: 4096
    4. Generate an HTTPS Certificate

      • Store the certificate in Key Vault
      • Use the Subject: CN=webserver1
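As an added example (not part of the lab), steps 3 and 4 of this challenge from Azure Cloud Shell with Az PowerShell. It assumes the Key Vault from step 2 is the only vault in the subscription and uses the access-policy permission model rather than Azure RBAC; the key name ade-kek and the certificate validity are my own choices. The certificate is stored under the VM's name so that the step 5 script, which reads the secret named webserver1, finds it.

```powershell
# Added example: Challenge 5 steps 3-4 from Azure Cloud Shell. Assumes one Key Vault in the subscription using
# the access-policy permission model; "ade-kek" and the 12-month validity are placeholder choices.
$ResourceGroup = (Get-AzResourceGroup).ResourceGroupName
$VMName        = "webserver1"
# Get-AzKeyVault with no name returns a list item without VaultUri, so fetch the full vault object by name
$Vault         = Get-AzKeyVault -VaultName (Get-AzKeyVault).VaultName
$VaultName     = $Vault.VaultName

# 3. Azure Disk Encryption: the vault must be enabled for ADE, and the key-encryption key is 4096-bit RSA.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -EnabledForDiskEncryption
$Kek = Add-AzKeyVaultKey -VaultName $VaultName -Name "ade-kek" -Destination Software -Size 4096
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $Vault.VaultUri -DiskEncryptionKeyVaultId $Vault.ResourceId `
    -KeyEncryptionKeyUrl $Kek.Id -KeyEncryptionKeyVaultId $Vault.ResourceId `
    -VolumeType All -Force        # All = operating system and data disks
# Verify: both OSVolumeEncrypted and DataVolumesEncrypted should report Encrypted when the extension finishes
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VMName

# 4. Self-signed HTTPS certificate with Subject CN=webserver1, stored in the vault under the VM's name.
$CertPolicy = New-AzKeyVaultCertificatePolicy -SubjectName "CN=$VMName" -IssuerName Self `
    -ValidityInMonths 12 -SecretContentType "application/x-pkcs12" -KeyType RSA -KeySize 2048 -ReuseKeyOnRenewal
Add-AzKeyVaultCertificate -VaultName $VaultName -Name $VMName -CertificatePolicy $CertPolicy
```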
    5. Bind the HTTPS Certificate to the Web Server

      • Ensure webserver1 is listening on port 443 for HTTPS traffic using the certificate stored in Key Vault. Use the script below from within Cloud Shell to configure the binding:

        # Locate the single Key Vault, resource group and VM used in this lab
        $VaultID = (Get-AzKeyVault).ResourceId
        $VaultName = (Get-AzKeyVault).VaultName
        $ResourceGroup = (Get-AzResourceGroup).ResourceGroupName
        $VMName = "webserver1"
        # The certificate generated in step 4 is stored in Key Vault as a secret named after the VM
        $CertificateURL = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $VMName).Id
        $VM = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
        # Push the certificate from Key Vault into the VM's LocalMachine\My certificate store
        Add-AzVMSecret -VM $VM -SourceVaultId $VaultID -CertificateStore "My" -CertificateUrl $CertificateURL | Update-AzVM
        # Inside the VM: add an HTTPS binding on port 443 and attach the CN=webserver1 certificate to it
        Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VMName -CommandId 'RunPowerShellScript' -ScriptString 'New-WebBinding -Name "WebApp" -Protocol https -Port 443; Get-ChildItem cert:\localmachine\My | Where-Object Subject -eq "CN=webserver1" | New-Item -Path IIS:\SslBindings\!443'

    6. Update the Firewall Rules to forward HTTPS traffic

    7. Prevent Public Access to Key Vault

    8. Configure SQL Server Dynamic Data Masking to mask Credit Card Data

  6. Challenge: Improve Security Operations - Part 1
    1. Deploy Log Analytics

      • For the Log Analytics workspace, use the name log-sentinel

      Note: The workspace name must be log-sentinel to be graded successfully.

    2. Create a Data Collection Endpoint

    3. Create a Data Collection Rule to collect IIS WebServer Logs from webserver1

    4. Enable Sentinel on the Log Analytics Workspace

    5. Install the Web Session Essentials solution from the Content Hub in Microsoft Sentinel

  7. Challenge: Secure the Network Perimeter - Part 1
    1. Deploy required subnets to support Azure Firewall

    2. Deploy Azure Firewall

      • For the Firewall, use the name: fw-01
      • For the Firewall Policy, use the name: fwpolicy-01

      Note: The names fw-01 and fwpolicy-01 are used to grade the lab.

  8. Challenge: Improve Security Operations - Part 2
    1. Enable Sentinel Analytics Rules

      • Create an analytics rule based on the template: Identify instances where a single source is observed using multiple user agents
    2. Test the Web Application

      Note: If you receive a gateway timeout error, try adding https:// before the public IP address of the firewall resource.

About the author

Pluralsight Skills gives leaders confidence they have the skills needed to execute technology strategy. Technology teams can benchmark expertise across roles, speed up release cycles and build reliable, secure products. By leveraging our expert content, skill assessments and one-of-a-kind analytics, keep up with the pace of change, put the right people on the right projects and boost productivity. It's the most effective path to developing tech skills at scale.
