Manage Access to Azure Key Vault Using Templates
In this IT Pro Challenge virtual lab, you will get hands-on experience using the Microsoft Azure Portal and Azure’s Cloud Shell to deploy an Azure Key Vault, create and deploy an ARM template with Key Vault references, and manage disk encryption on the VMs in your environment. These skills are essential for System and IAM Administrators in Azure.
This hands-on lab provides an Azure administrator with an understanding of how to deploy a Key Vault to securely store secrets, keys, and certificates in the cloud. You will also learn how to reference the Key Vault when deploying ARM templates. You will become familiar with using the Azure Cloud Shell command-line interface to perform administrative actions within your environment. You will learn how to use the Cloud Shell Editor to edit configuration files within the Azure portal. The skills learned in this lesson are essential for Identity and Access Management (IAM) administrators or Windows system administrators operating in an Azure environment.
Understand the scenario
You are a system administrator for a company that is migrating its primary web apps and associated databases from its on-premises datacenter to Azure. You need to create an Azure Key Vault to securely store secrets, keys, and certificates in the cloud. You then need to deploy multiple cloud resources by using ARM templates with sensitive information stored in the Key Vault. You will also use Azure Disk Encryption for hardened security and store the encryption keys in the Key Vault, as a proof of concept. You are provided with an Azure resource group that initially contains no resources.
Deploy an Azure Key Vault:
Microsoft Azure Key Vault is a cloud-hosted management service for storing and controlling access to cryptographic keys and secrets, with keys protected by hardware security modules (HSMs). In this lesson, you will deploy a key vault holding the secrets that will be used to access resources in your environment.
Create an ARM template by using Key Vault references:
Azure Resource Manager (ARM) templates are JSON files that define the infrastructure and configuration for your environment. An ARM template uses declarative syntax: you state what you intend to deploy without writing the commands that create it. You specify the resources to deploy in a template file and the property values for those resources in a parameters file. In this section, you will gain experience using the Azure Cloud Shell to upload the template files; then you will use the Cloud Shell Editor to edit the files' configuration. Within the parameters file, you will reference your key vault to supply the parameters for your admin credentials, so the credential values themselves never appear in the file.
Deploy an ARM template by using Key Vault references:
After your template files are configured, you will learn how to use Cloud Shell command syntax to deploy your resources. In this case, you will deploy a load-balanced environment with two Windows Server VMs.
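The two steps above (building a parameters file with a Key Vault reference, then deploying the template from Cloud Shell) as one added example written for this page, not code from the lab itself. It assumes a resource group named lab-rg, a template file azuredeploy.json already uploaded to Cloud Shell that declares adminUsername (string) and adminPassword (securestring), and uses placeholder names for the vault and secret.

```powershell
# Added example (not from the lab): prepare a Key Vault for template deployment
# and generate a parameters file whose adminPassword comes from a vault secret.
# $rg, $vaultName, $secretName and the file paths are assumptions; adjust them.
$rg         = 'lab-rg'                                   # resource group provided for the lab
$location   = (Get-AzResourceGroup -Name $rg).Location
$vaultName  = 'kv-lab-' + (Get-Random -Maximum 99999)    # vault names must be globally unique
$secretName = 'vmAdminPassword'

# 1. Create the vault. -EnabledForTemplateDeployment is required; without it
#    Resource Manager is not permitted to read secrets during a deployment.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
           -EnabledForTemplateDeployment

# 2. Store the VM admin password as a secret. Prompting keeps the value out of
#    the script, the command history and the parameters file.
$password = Read-Host -Prompt 'VM admin password' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $password | Out-Null

# 3. Build the parameters file. adminUsername is a plain value; adminPassword is a
#    Key Vault *reference* (vault resource ID + secret name), so the file can be
#    stored in source control without ever containing the password.
$parameters = [ordered]@{
    '$schema'        = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#'
    'contentVersion' = '1.0.0.0'
    'parameters'     = [ordered]@{
        'adminUsername' = @{ 'value' = 'labadmin' }
        'adminPassword' = @{
            'reference' = [ordered]@{
                'keyVault'   = @{ 'id' = $vault.ResourceId }
                'secretName' = $secretName
            }
        }
    }
}
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path './azuredeploy.parameters.json'

# 4. Deploy. The template must declare adminPassword as type "securestring";
#    Resource Manager resolves the reference at deployment time, so the secret
#    is never echoed in the deployment's recorded parameters.
New-AzResourceGroupDeployment -ResourceGroupName $rg `
    -TemplateFile './azuredeploy.json' `
    -TemplateParameterFile './azuredeploy.parameters.json'
```

If the deployment fails with an error about the vault not being enabled for template deployment, the flag in step 1 (or the equivalent vault access policy) is the first thing to check.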
Enable Azure Disk Encryption:
For this task, you will learn how to enable BitLocker disk encryption via the Azure Cloud Shell. BitLocker Drive Encryption is a data protection feature native to the Windows OS. You will learn the PowerShell commands required to enable disk encryption on a target VM and verify that encryption is enabled. Furthermore, to confirm that the configuration is applied correctly, you will remotely connect to the VM. You will use Microsoft Disk Management to review your hard drive configuration, ensuring the drives have been encrypted with BitLocker and that a BitLocker Encryption Key (BEK) volume has been created.
Lab Summary Conclusion:
In this hands-on virtual lab, you will learn how to perform important administrative functions related to Identity and Access Management (IAM) administration for an Azure environment. You will learn how to deploy and manage an Azure Key Vault for securing your credential secrets, keys, and certificates. Then you will gain experience using the Azure Cloud Shell to configure and deploy ARM templates that reference your Key Vault. Finally, you’ll learn to use the Cloud Shell to enable disk encryption on your Windows systems.
Other Challenges in this series
- GUIDED CHALLENGE: Create and Manage Shared Access Signatures (SAS) Keys
- GUIDED CHALLENGE: Configure Security for Cosmos DB
- ADVANCED CHALLENGE: Can you Implement Azure SQL Database Using Always Encrypted?