Task 01: Create Azure resources

Introduction

Creating a secure and well-structured cloud environment is critical for the City of Metropolis’s database migration efforts. By setting up an Azure virtual network, the city ensures that its PostgreSQL database is isolated from unauthorized access, aligning with security best practices. A virtual network gateway provides a secure and reliable connection between on-premises systems and Azure, supporting seamless data migration. Additionally, deploying an Azure Database for PostgreSQL within this controlled environment ensures scalability, reliability, and compliance with modern data management standards. These foundational steps enable the city to enhance public service operations while maintaining strong data security and performance.

Description

In this task, you’ll establish the core infrastructure for migrating the City of Metropolis’s PostgreSQL database to Azure. You’ll start by creating an Azure virtual network to isolate and protect database traffic. Then, you’ll create a virtual network gateway to establish a secure connection between the on-premises environment and Azure. You’ll also configure security certificates and set up a point-to-site VPN connection to ensure encrypted data transmission. Finally, you’ll deploy an Azure Database for PostgreSQL within this secured network. This setup mirrors real-world enterprise environments where security, connectivity, and scalability are essential for cloud-based database operations.

Success criteria

• You successfully created a virtual network in Azure with the required subnet configuration.
• You created a virtual network gateway to enable secure connections.
• You successfully generated and configured security certificates for authentication.
• You established a point-to-site VPN connection between the on-premises network and Azure.
• You successfully created an Azure Database for PostgreSQL and confirmed connectivity within the virtual network.

Learning resources

• Virtual network overview
• Create a virtual network
• Virtual network gateway
• Point-to-site VPN connections
• Azure Database for PostgreSQL - Flexible Server

01: Create a virtual network in Azure

To securely host the PostgreSQL database, the City of Metropolis needs an isolated network environment. In this task, you’ll create an Azure virtual network, which will serve as the destination for the migrated data, ensuring secure and efficient public service operations.

1. Open Microsoft Edge and go to portal.azure.com.

2. Sign in with your credentials:

3. On the Portal home page, on the top global search bar, enter and select Virtual networks.

   

4. Select Create virtual network.

   

5. On the Create network page, configure the Basics tab as follows:

   Item	Value
   Subscription	TechMaster-lodxxxxxxxx
   Resource group	RG1
   Virtual network name	Vnet1
   Region	(US) West US

   Confirm this resource is created in the West US region to ensure proper connectivity in later steps.

6. Other tabs will be left as default. Select Review + create.

   The setup manager will automatically create an address space and a subnet for you. The default value is 10.0.0.0/16 for the network, and the default subnet is 10.0.0.0/24. These can be changed to whatever you wish, as long as the ranges don’t overlap. The default values will work for the purposes of this lab.

7. Once the validation finishes, select Create to finish creating the virtual network.

8. Once the deployment completes, select Go to resource.

   

9. On the Vnet1 page, select Settings on the service menu, then select Subnets.

   

10. On the **Vnet1

    Subnets** page, select + Subnet.

11. Configure the Add a subnet pane as follows:

    Item	Value
    Subnet purpose	Virtual Network Gateway
    IPv4 address range	10.0.0.0/16
    Starting address	10.0.1.0
    Size	**/27 (32 addresses) **

12. At the bottom of the pane, select Add.

    

02: Create a virtual network gateway in Azure

In this task, you’ll set up a virtual network gateway to establish a secure connection between the on-premises PostgreSQL server and Azure. This ensures the city’s systems remain connected without compromising service.

1. From the Azure portal, on the top global search bar, enter and select Virtual network gateways.

   

2. Select Create virtual network gateway.

   

3. On the Create virtual network gateway page, configure the Basics tab as follows:

   Item	Value
   Subscription	TechMaster-lodxxxxxxxx
   Name	Vnet1GW
   Region	West US
   Gateway type	VPN
   SKU	VpnGw2AZ
   Generation	Generation2
   Virtual network	Vnet1
   Public IP address name	Vnet1GWpip
   Enable active-active mode	Disabled

   Confirm this resource is created in the West US region to ensure proper connectivity in later steps.

   

4. Select Review + create, then select Create.

   This process may take around 15 minutes. You can proceed with the following task as this deploys.

5. Minimize Edge. You’ll return to it in another task.

03: Generate certificates

To safeguard sensitive administrative data during migration, the City of Metropolis implements strong security protocols.

In this task, you’ll generate a server certificate and client certificate on the source server, essential for establishing a secure VPN connection to Azure.

1. On the VM, open Windows File Explorer and go to C:\LabFiles.

2. Right-click generate_cert.ps1 > Show more options > Edit.

3. Once the file opens in PowerShell ISE, select the top portion of the script, then select the Run Selection button at the top.

   

4. Select the bottom portion of the script, then select Run Selection.

   

   These two scripts are generating the server and client certificates, respectively.

5. In the Windows Taskbar search box, enter and select Manage user certificates.

6. From the certificate manager, on the left menu, expand Personal, then select Certificates.

7. Right-click P2SRootCert > All Tasks > Export.

8. In Certificate Export Wizard, select Next.

9. Leave No, do not export the private key selected, then select Next.

10. Select Base-64 encoded X.509 (.CER), then select Next.

11. On the File to Export step, select Browse.

12. Go to C:\LabFiles, enter P2SRootCert for File name, then select Save.

    

13. Once the file name is selected, select Next, then select Finish.

14. Once exported, go to C:\LabFiles in Windows File Explorer.

15. Right-click P2SRootCert > Edit in Notepad.

16. Once the file opens in Notepad, select and copy all the lines between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.

    

04: Create Azure Point-to-site connection and install VPN client

In this task, you will configure a Point-to-site connection in Azure and install the VPN client on the source server. This step enables encrypted data transfer, addressing integration and security considerations.

1. Go back to Edge with the Azure deployment.

2. Check the deployment status of the virtual network gateway. When complete, select Go to resource.

   Wait until the gateway is deployed before continuing.

3. On the leftmost service menu, select Settings > Point-to-site configuration.

4. Select Configure now.

5. Configure the Vnet1GW > Point-to-site configuration page as follows:

   Item	Value
   Address pool	172.16.201.0/24
   Tunnel type	IKEv2 and OpenVPN (SSL)
   Authentication type	Azure certificate
   Name (Root certificates)	RootCertificate
   Public certificate data (Root certificates)	{Paste the string copied in the previous task into the same row as RootCertificate}

6. Select Save at the top when finished.

   

7. Wait until the configuration saves. Select the bell icon near the upper-right corner of the page to open notifications and wait for Saved virtual network gateway.

   

   This will take a few minutes.

8. On the same page, select Download VPN client on the top bar.

   

9. Once the download completes, open Windows File Explorer and go to the Downloads folder.

10. Right-click Vnet1GW.zip and select Extract All, then select Extract.

11. From the Vnet1GW folder, open the WindowsAmd64 folder.

12. Right-click VpnClientSetupAmd64 and select Run as administrator.

    

    A warning will show stating that the app is unrecognized. Select More info, then select Run anyway.

13. In the User Account Control dialog, select Yes.

14. Select Yes to finish installing the VPN client.

15. In the lower-right corner of the Windows Taskbar, right-click the network icon, then select Network and Internet settings.

    

16. Select VPN.

17. On the line for Vnet1, select Connect.

    

18. In the Vnet1 window, select Connect.

    

19. In the elevated privlege dialog, select Continue.

20. In the User Account Control dialog, select Yes.

21. Verify that Vnet1 is connected successfully. The word “Connected” should show under the Vnet1 connection.

    

05: Create an Azure Database for PostgreSQL

Finally, you’ll provision an Azure Database for PostgreSQL 16 instance. This modern database environment provides scalability and reliability, supporting the city’s goal of delivering efficient public services.

1. Go back to Edge and the Azure portal.

2. In Azure’s global search bar, enter and select Azure Database for PostgreSQL flexible servers.

3. Select Create.

4. On the New Azure Database for PostgreSQL flexible server page, configure the Basics tab as follows:

   Item	Value
   Resource group	RG1
   Server name	azuredb@lab.LabInstance.Id
   Region	West US
   PostgreSQL version	16

   Confirm this resource is created in the West US region to ensure proper connectivity in later steps.

5. Under Compute + storage, select Configure server.

6. Configure the Compute + storage page as follows:

   Item	Value
   Compute processor	AMD
   Compute size	Standard_D2ads_v5 (2 vCores)
   Storage size	32 GiB
   Performance Tier	P4 (120 iops)
   High availability	Disabled

   

7. Select Save to return to the Basics tab.

8. On the Basics tab, set High availability to Disabled.

9. Under Authentication, select PostgreSQL authentication only, then enter the following details:

   Item	Value
   Administrator login	postgres
   Password	Passw0rd!
   Confirm password	Passw0rd!

10. Select Next: Networking >.

11. On the Networking tab, configure the following settings:

    Item	Value
    Connectivity method	Private access
    Virtual network	Vnet1
    Subnet	Vnet1/default
    Private DNS zone	(New)

    

12. Select Review + create, then select Create.

    This process may take around 5-7 minutes to complete.

    All the networking was set up first so that we could easily assign it to the new server upon creation. This connectivity method will allow anything on the Vnet1 private network to connect. With the point-to-site VPN connection established, the source server is connected to Vnet1.

---

Congratulations! You’ve successfully completed this task.