Time
8 hours 33 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
Hello, Cybrarians.
00:01
Welcome to this demonstration on Azure Kubernetes Service security. This lesson is part of the sixth module of the AZ-500 Microsoft Azure Security Technologies course. Now, for simplicity, I'll be referring to it by the abbreviation AKS going forward.
00:18
Here's some information on the tasks that we'll be completing in this demonstration.
00:22
We'll start by creating an AKS cluster. We'll then configure role-based access control for Azure Kubernetes Service on the cluster. We'll go on to protect the cluster by configuring authorized IP ranges, and finally validate our configuration. Let's get right into this.
00:39
So in the first task, I'll be creating an AKS cluster.
00:43
Here's a visual representation of what I'll be doing. I'll be creating an AKS cluster that's going to have two nodes in it, and I'll be creating it using the Azure portal.
00:54
So here I am in the Azure portal. If I go ahead and click on Create a resource, and if I search for Kubernetes, I can see the option to create a Kubernetes Service. So I'll go ahead and click on that, and I'll click on Create. Now for the resource group, I have an existing resource group called AKS RG, so I'll go ahead and select that first.
01:11
For the Kubernetes cluster name,
01:14
I'll be using SuperCloud AKS, but I'll be changing that to 02 because I already have a similar one existing. For the region, I'll leave that at UK South. For the Kubernetes version, I'll leave that as the default of 1.16.10. Now for the node size, I'll be changing that.
01:30
I'll select a newer generation, which is the D2s v3, and I'll click on Select. For the node count, I'll change that to just two.
01:38
The best practice, if you're doing anything in production, is to have a minimum of three. If I go ahead and click Next for node pools, you can see that it's going to be creating a Linux node pool. If I wanted to add additional node pools, I can go ahead and click on the Add option here, and I have the option to select a Linux or Windows node pool.
01:57
So this is what I meant when I mentioned in the theory
02:00
part of this lesson that we can have a mixture of Windows and Linux node pools in the same cluster. However, I'll go ahead and cancel this. Now I'll leave all of the configuration at the default setting, and I'll go ahead and click on Next: Authentication. Now for the authentication, you can see that we have the option to configure the
02:19
cluster infrastructure authentication method,
02:22
and what this means is the method that the cluster would use to authenticate to Azure AD in order to be able to make configuration changes for cluster-related resources. I'll leave that as the default, service principal. Now, role-based access control, I'll be configuring that in the next task, so I'll leave that as enabled. Actually, I'll just leave all the options as default and I'll click Next for networking.
02:44
Now in the networking section,
02:46
I can either leave that at basic, in which case it will go ahead and create a new virtual network for me. Or, if I have an existing virtual network and subnet, I can go ahead and select advanced, in which case I'll have the option to select an existing virtual network. I'll leave that as basic.
03:02
Now you can see the option here to specify a private cluster,
03:07
so I'll leave that as disabled, but we can go ahead and configure that option if we wanted to. I'll leave everything else as default and I'll just go ahead and click on Review + create, and after the validation has passed, I'll go ahead and click on Create. So that will take a few minutes to complete, so I'll go ahead and pause the recording, and once it's completed,
03:24
I'll resume recording, and we can go through the next tasks.
03:29
So the deployment completed successfully; it only took a few minutes to complete. So let's go ahead to the next task.
03:35
So in the next task, I'll be configuring role-based access control for the AKS cluster in Azure. I'll be assigning two roles to a user called Brenda. I'll be assigning the Azure Kubernetes Service Cluster Admin Role and the Azure Kubernetes Service Contributor Role, which would give her permission
03:53
to be able to manage the cluster.
03:57
So here I am, back in the Azure portal. I'll go ahead and click on Go to resource. And if I click on Access control (IAM), and if I go ahead and click on Add and I click on Add role assignment, the first role I'll be assigning is the Azure Kubernetes Service Cluster Admin Role,
04:12
and you can see that this will allow Brenda to list cluster admin credentials. If I go ahead and select that role, and I select Brenda and click on Save. Now, if I go ahead and click on Add again, and I click on Add role assignment,
04:23
but this time around I'll be assigning the Azure Kubernetes Service Contributor Role to Brenda. If I go ahead and select Brenda and I click on Save. So now I have those two roles assigned.
04:34
In the next task, I'll be configuring authorized IP address ranges for my AKS cluster. Here's a visual representation of what I'll be doing. By default, the cluster has a public IP that's accessible to all Internet IP addresses. So what I'll be doing is I'll be configuring an authorized IP list to lock that down.
04:55
Now for the next task, I'll be using the Azure Cloud Shell to do that. So what I'll do is I'll go ahead and click on Cloud Shell.
05:01
So the first thing that I'll do is I'll be authenticating to the Kubernetes API server, and to do that I'll be using the az aks get-credentials command. If I go ahead and copy, and if I paste this command, so that is az aks get-credentials,
05:16
the resource group of my Kubernetes cluster, and if I set the name of the cluster correctly to 02, and if I press Enter to that,
05:25
now you can see that it's downloaded the proper kubeconfig file. And now, if I go ahead and test that out, if I run kubectl
05:34
get nodes
05:36
and I press Enter to that,
05:39
you can see that I can use kubectl commands to interact with the API server of my cluster. So that's good. So the next thing that I'll be doing is I'll verify the current configuration of the authorized IP list. So to do that, I'll be running this command,
05:57
and that is az aks show, again with the resource group and the name of my cluster, but then I'm specifying the query for the API server access profile. If I go ahead and press Enter to that, you can see that the authorized IP ranges is currently set to null; that's the default. So I'll go ahead and update that. So let's clear the screen a bit.
06:16
To update that, I'll be using this command,
06:20
and that is az aks update, the name of my cluster, the resource group of my cluster, and I'm specifying the API server authorized IP ranges, and I can put the ranges of IP addresses that I want to mark as trusted here. For my demonstration, I have two virtual Linux machines here, and
06:41
I'll be configuring one of them to be trusted, and the other one will remain untrusted. So the one I'll be configuring to be trusted will be the one on the left-hand side.
06:49
So if I go ahead and grab the IP address for that, which I made a note of earlier,
06:55
I'll go ahead and paste the IP address, and if I press Enter to that,
06:59
now that's applied. So let's go ahead and verify that again
07:02
by running the previous command. So I'll go ahead and press Enter to run that again, and you can see that now it's applied to the authorized IP ranges.
07:11
So in the final task of this demonstration, I'll be validating the configuration that I've just done,
07:17
and as a visual representation of what I'll be doing, I'll be connecting from two separate machines, as I showed you here,
07:25
and I'll be logging in as Brenda. And what I'll be doing is, when I connect to the Kubernetes API server from the trusted IP, I expect that to be approved and for my commands to work. Now, if I connect from the other IP, which is not marked as trusted, I expect that to fail.
07:41
So here I am on my two Linux machines. So I told you earlier that the system that I have on the left-hand side is the one that I marked as trusted, and the one on the right-hand side is the one that's not marked as trusted.
07:55
So on the left-hand side, what I'll do is I'll go ahead and authenticate to the API server.
08:01
I'll go ahead and paste that command, so it's the same az aks get-credentials command,
08:05
and if I go ahead and press Enter to that,
08:09
and that says it's merged. Now I'll go ahead and run the same thing on this other system, and I'll press Enter to that.
08:16
Now that's merged. So if I go ahead and type kubectl
08:20
get nodes
08:22
and if I press Enter,
08:24
now I can see the nodes that I have in the pool.
08:28
If I go ahead and do the same thing on the right-hand side, and if I press Enter to that. So let's try that again,
08:35
and you can see that I'm not getting any response, and I'm not going to get a response, because it's not on the list of trusted IP addresses. That request will not be fulfilled.
08:46
So here's a summary of the tasks that we've completed in this demonstration.
08:52
We started by creating an AKS cluster,
08:56
we then configured role-based access control for the AKS cluster,
09:00
we configured the authorized IP address ranges, and we validated our configuration.
09:05
Thanks very much for watching. And I'll see you in the next lesson.
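The authorized-IP task in the demonstration above is done by hand in Cloud Shell. Below is a small planning helper for that step, added here as an example; it is not code from the lesson, from Cybrary, or from the Azure CLI, and it runs entirely offline. It normalizes the ranges you intend to pass to `az aks update`, refuses `0.0.0.0/0` (which would silently re-open the API server), warns when the address you are working from is missing from the list (the same failure the untrusted VM hits in the demo, except that it would be you who is locked out), and builds the `az aks update` and `az aks show` command lines the demo types by hand. The resource group, cluster name and every IP address in it are made up for illustration.

```python
"""Planning helper for AKS API server authorized IP ranges.

Added example for this lesson (not the lesson's own code, not Cybrary's, not
the Azure CLI's).  Runs offline: nothing here talks to Azure.  All names and
addresses are constructed for illustration.
"""
import ipaddress
import shlex
from typing import Iterable, List

# RFC 1918, loopback and link-local space.  A request that reaches a public
# API server endpoint never carries one of these as its source address, so
# listing them is almost always a copy-paste mistake (the NAT egress address
# was meant).  Flagged as a warning, not an error.
_NON_PUBLIC = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def normalize_ranges(ranges: Iterable[str]) -> List[str]:
    """Turn user-supplied IPs/CIDRs into canonical, de-duplicated CIDRs.

    A bare address such as '203.0.113.10' becomes '203.0.113.10/32'.
    Raises ValueError for non-IPv4 input and for 0.0.0.0/0, which would make
    the restriction meaningless.
    """
    out = []
    for raw in ranges:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 ranges are supported: {raw!r}")
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 would re-open the API server to everyone")
        out.append(str(net))
    return list(dict.fromkeys(out))  # de-duplicate, keep order


def is_authorized(client_ip: str, ranges: Iterable[str]) -> bool:
    """Would a kubectl call from client_ip pass the authorized-range filter?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r) for r in normalize_ranges(ranges))


def lockout_check(ranges: Iterable[str], my_egress_ip: str) -> List[str]:
    """Warnings a practitioner wants before running 'az aks update'.

    The important one: if the public address you are working from is not
    covered, the very next kubectl call hangs, exactly like the untrusted
    machine in the demonstration.
    """
    warnings = []
    for r in normalize_ranges(ranges):
        net = ipaddress.ip_network(r)
        if any(net.overlaps(p) for p in _NON_PUBLIC):
            warnings.append(f"{net} is not public address space; "
                            "did you mean your NAT egress address?")
    if not is_authorized(my_egress_ip, ranges):
        warnings.append(f"your own egress address {my_egress_ip} is not "
                        "covered; applying this list would lock you out")
    return warnings


def build_update_command(resource_group: str, cluster: str,
                         ranges: Iterable[str]) -> str:
    """The 'az aks update' line the demo types by hand (values shell-quoted)."""
    return " ".join([
        "az", "aks", "update",
        "--resource-group", shlex.quote(resource_group),
        "--name", shlex.quote(cluster),
        "--api-server-authorized-ip-ranges",
        shlex.quote(",".join(normalize_ranges(ranges))),
    ])


def build_show_command(resource_group: str, cluster: str) -> str:
    """The 'az aks show' query used in the demo to verify the current list."""
    return " ".join([
        "az", "aks", "show",
        "--resource-group", shlex.quote(resource_group),
        "--name", shlex.quote(cluster),
        "--query", shlex.quote("apiServerAccessProfile.authorizedIpRanges"),
        "--output", "json",
    ])


if __name__ == "__main__":
    # Constructed values: trusted VM on the left, untrusted VM on the right.
    trusted, untrusted = "203.0.113.10", "198.51.100.7"
    rg, name = "aks-rg", "supercloud-aks02"       # hypothetical names
    ranges = [trusted]
    for w in lockout_check(ranges, trusted):
        print("WARNING:", w)
    print(build_update_command(rg, name, ranges))
    print(build_show_command(rg, name))
    print("trusted VM allowed:  ", is_authorized(trusted, ranges))
    print("untrusted VM allowed:", is_authorized(untrusted, ranges))
```

One caveat the demo's last step shows but does not spell out: `az aks get-credentials` succeeds on both machines because it talks to Azure Resource Manager, not to the cluster's API server; only the `kubectl` traffic is subject to the authorized ranges, which is why the untrusted VM gets its kubeconfig merged and then hangs on `kubectl get nodes`.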

Up Next

AZ-500: Microsoft Azure Security Technologies

In the AZ-500 Microsoft Azure Security Technologies training, students will learn the skills that are needed to pass the AZ-500 certification exam. All exam topics are covered as well as exam preparation strategies and hands-on practice.

Instructed By

David Okeyode
Cloud Security Architect
Instructor