Network isolation in Azure DevTest Labs

This article walks you through creating a network-isolated lab in Azure DevTest Labs.

By default, Azure DevTest Labs creates a new Azure virtual network for each lab. The virtual network acts as a security boundary to isolate lab resources from the public internet. To ensure lab resources follow organizational networking policies, you can use several other networking options:

Enable network isolation

You can enable network isolation in the Azure portal only during lab creation. To convert an existing lab and associated lab resources to isolated network mode, use the PowerShell script Convert-DtlLabToIsolatedNetwork.ps1.

During lab creation, you can enable network isolation for the default lab virtual network, or choose another, pre-existing virtual network to use for the lab.

Use the default virtual network and subnet

To enable network isolation for the Default virtual network and subnet that DevTest Labs creates for the lab:

  1. During lab creation, on the Create DevTest Lab screen, select the Networking tab.
  2. Next to Isolate lab resources, select Yes.
  3. Finish creating the lab.

Screenshot that shows enabling network isolation for the default network.

After you create the lab, no further action is needed. The lab handles isolating resources from now on.

Use a different virtual network and subnet

To use a different, existing virtual network for the lab, and enable network isolation for that network:

  1. During lab creation, on the Networking tab of the Create DevTest Lab screen, select a network from the dropdown list. The list only shows networks in the same region and subscription as the lab.

    Screenshot that shows selecting a virtual network.

  2. Select a subnet.

    Screenshot that shows selecting a subnet.

  3. Next to Isolate lab resources, select Yes.

    Screenshot that shows enabling network isolation for a selected network.

  4. Finish creating the lab.

Configure service endpoints

If you enabled network isolation for a virtual network other than the default, complete the following steps to isolate the lab storage account and key vault to the network you selected. Do these steps after you create the lab, but before you do any other lab configuration or create any lab resources.

Configure the endpoint for the lab storage account

  1. On the lab's Overview page, select the resource group.

    Screenshot that shows selecting the resource group for a lab.

  2. On the resource group Overview page, select the lab's storage account. The naming convention for the lab storage account is a\<labName>\<4-digit number>. For example, if the lab name is contosolab, the storage account name could be acontosolab1234.

    Screenshot that shows selecting the lab storage account.

  3. On the storage account page, select Networking from the left navigation. On the Firewalls and virtual networks tab, ensure that Allow Azure services on the trusted services list to access this storage account. is selected.

    DevTest Labs is a trusted Microsoft service, so selecting this option lets the lab operate normally in a network isolated mode.

  4. Select Add existing virtual network.

    Screenshot that shows allowing trusted Azure services on the Firewalls and virtual networks tab.

  5. On the Add networks pane, select the virtual network and subnet you chose when you created the lab, and then select Enable.

    Screenshot that shows adding the lab virtual network and subnet to the storage account.

  6. Once the service endpoint is successfully enabled, select Add.

  7. On the Networking page, select Save.

    Screenshot that shows selecting Add and Save after the service endpoint is enabled.

Azure Storage now allows inbound connections from the added virtual network, which enables the lab to operate successfully in a network isolated mode.

You can automate these steps with PowerShell or Azure CLI to configure network isolation for multiple labs. For more information, see Configure Azure Storage firewalls and virtual networks.

Configure the endpoint for the lab key vault

  1. On the lab's Overview page, select the resource group.

  2. On the resource group Overview page, select the lab's key vault.

    Screenshot that shows selecting the lab's key vault.

  3. On the key vault page, select Networking from the left navigation. On the Firewalls and virtual networks tab, ensure that Allow trusted Microsoft services to bypass this firewall is set to Yes.

  4. Select Add existing virtual networks.

    Screenshot that shows allowing trusted Microsoft services on the Firewalls and virtual networks tab.

  5. On the Add networks pane, select the virtual network and subnet you chose when you created the lab, and then select Enable.

  6. Once the service endpoint is successfully enabled, select Add.

  7. On the Networking page, select Save.

Considerations

Here are some things to remember when using a lab in a network isolated mode:

Enable access to the storage account from outside the lab

The lab owner must explicitly enable access to a network isolated lab's storage account from an allowed endpoint. Actions like uploading a VHD to the storage account for creating custom images require this access. You can enable access by creating a lab VM, and securely accessing the lab's storage account from that VM.

For more information, see Connect to a storage account using an Azure Private Endpoint.

Provide storage account to export lab usage data

To export usage data for a network isolated lab, the lab owner must explicitly provide a storage account and generate a blob within the account to store the data. Exporting usage data fails in network isolated mode if the user doesn't explicitly provide the storage account to use.

For more information, see Export or delete personal data from Azure DevTest Labs.

Set key vault access policies

Enabling the key vault service endpoint affects only the firewall. Make sure to configure the appropriate key vault access permissions in the key vault Access policies section.

For more information, see Assign a Key Vault access policy.

Next steps