Commit c467f4a

Update architecture fundamentals for freshness
1 parent dc770cd commit c467f4a

1 file changed, with 31 additions and 23 deletions.

@@ -1,54 +1,62 @@
11
---
2-
title: Architecture Fundamentals in Azure Lab Services | Microsoft Docs
3-
description: This article will cover the fundamental resources used by Lab Services and basic architecture of a lab.
4-
ms.topic: overview
5-
ms.date: 05/30/2022
2+
title: Architecture fundamentals
3+
titleSuffix: Azure Lab Services
4+
description: This article covers the fundamental resources used by Azure Lab Services and the basic architecture of a lab environment.
5+
services: lab-services
66
ms.service: lab-services
7+
author: ntrogh
8+
ms.author: nicktrog
9+
ms.topic: conceptual
10+
ms.date: 04/24/2023
711
---
812

9-
# Architecture Fundamentals in Azure Lab Services
13+
# Architecture fundamentals in Azure Lab Services
1014

1115
[!INCLUDE [preview note](./includes/lab-services-new-update-focused-article.md)]
1216

13-
Azure Lab Services is a SaaS (software as a service) solution, which means that the resources needed by Lab Services are handled for you. This article will cover the fundamental resources used by Lab Services and basic architecture of a lab.
17+
Azure Lab Services is a SaaS (software as a service) solution, which means that the infrastructure resources needed by Azure Lab Services are managed for you. This article covers the fundamental resources that Azure Lab Services uses and the basic architecture of a lab.
1418

15-
Azure Lab Services does provide a couple of areas that allow you to use your own resources with Lab Services. For more information about using VMs on your own network, see [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) to use virtual network injection instead of virtual network peering. To reuse images from an Azure Compute Gallery, see how to [attach a compute gallery](how-to-attach-detach-shared-image-gallery.md).
19+
While Azure Lab Services is a managed service, you can configure the service to integrate with your own resources. For example, [connect lab virtual machines to your own network with virtual network injection](how-to-connect-vnet-injection.md) instead of using virtual network peering. Or reuse your own custom virtual machine images by [attaching an Azure compute gallery](./how-to-attach-detach-shared-image-gallery.md).
1620

17-
Below is the basic architecture of a lab without advanced networking enabled. The lab plan is hosted in your subscription. The student VMs, along with the resources needed to support the VMs are hosted in a subscription owned by Azure Lab Services. Let’s talk about what is in Azure Lab Service's subscriptions in more detail.
21+
The following diagram shows the basic architecture of a lab without advanced networking enabled. The [lab plan](./classroom-labs-concepts.md#lab-plan) is hosted in your subscription. The lab virtual machines, along with the resources needed to support the virtual machines, are hosted in a subscription owned by Azure Lab Services.
1822

1923
:::image type="content" source="./media/classroom-labs-fundamentals/labservices-basic-architecture.png" alt-text="Architecture diagram of basic lab in Azure Lab Services.":::
2024

21-
## Hosted Resources
25+
## Hosted resources
2226

23-
The resources required to run a lab are hosted in one of the Microsoft-managed Azure subscriptions. Resources include:
27+
Azure Lab Services hosts the resources to run a lab in one of the Microsoft-managed Azure subscriptions. These resources include:
2428

25-
- template virtual machine for the educator
26-
- virtual machine for each student
27-
- network-related items such as a load balancer, virtual network, and network security group
29+
- template virtual machine for the lab creator to configure the lab
30+
- lab virtual machine for each lab user to remotely connect to
31+
- network-related items, such as a load balancer, virtual network, and network security group
2832

29-
These subscriptions are monitored for suspicious activity. It's important to note that this monitoring is done externally to the virtual machines through VM extension or network pattern monitoring. If [shutdown on disconnect](how-to-enable-shutdown-disconnect.md) is enabled, a diagnostic extension is enabled on the virtual machine. The extension allows Lab Services to be informed of the remote desktop protocol (RDP) session disconnect event.
33+
Azure monitors these managed subscriptions for suspicious activity. It's important to note that this monitoring is done externally to the virtual machines through VM extensions or network pattern monitoring. If you enable [shutdown on disconnect](how-to-enable-shutdown-disconnect.md), a diagnostic extension is enabled on the virtual machine. The extension allows Azure Lab Services to be informed of the remote desktop protocol (RDP) session disconnect event.
3034

31-
## Virtual Network
35+
## Virtual network
3236

3337
By default, each lab is isolated by its own virtual network.
3438

35-
Students connect to their virtual machine through a load balancer. No student virtual machines have a public IP address; they only have a private IP address. The connection string for the student will be the public IP address of the load balancer and a random port between:
39+
Lab users connect to their lab virtual machine through a load balancer. Lab virtual machines don't have a public IP address and only have a private IP address. The connection string to remotely connect to the lab virtual machine uses the public IP address of the load balancer and a random port between:
3640

3741
- 4980-4989 and 5000-6999 for SSH connections
3842
- 4990-4999 and 7000-8999 for RDP connections
3943

40-
Inbound rules on the load balancer forward the connection, depending on the operating system, to either port 22 (SSH) or port 3389 (RDP) of the appropriate virtual machine. An NSG prevents outside traffic on any other ports.
44+
Inbound rules on the load balancer forward the connection, depending on the operating system, to either port 22 (SSH) or port 3389 (RDP) of the lab virtual machine. A network security group (NSG) blocks external traffic to any other port.
4145

42-
If the lab is using [advanced networking](how-to-connect-vnet-injection.md), then each lab is using the same subnet that has been delegated to Azure Lab Services and connected to the lab plan. You'll also be responsible for creating an [NSG with an inbound security rule to allow RDP and SSH traffic](how-to-connect-vnet-injection.md#associate-delegated-subnet-with-nsg) so students can connect to their VMs.
46+
If you configured the lab to use [advanced networking](how-to-connect-vnet-injection.md), then each lab uses the subnet that was connected to the lab plan and delegated to Azure Lab Services. In this case, you're responsible for creating a [network security group with an inbound security rule to allow RDP and SSH traffic](how-to-connect-vnet-injection.md#associate-delegated-subnet-with-nsg) to the lab virtual machines.
4347

44-
## Access control to the virtual machines
48+
## Access control to the lab virtual machines
4549

46-
Lab Services handles the student’s ability to perform actions like start and stop on their virtual machines. It also controls access to their VM connection information.
50+
Azure Lab Services manages access to lab virtual machines at different levels:
4751

48-
Lab Services also handles the registration of students to the service. There are currently two different access settings: restricted and nonrestricted. For more information, see the [manage lab users](how-to-configure-student-usage.md#send-invitations-to-users) article. Restricted access means Lab Services verifies that the students are added as user before allowing access. Nonrestricted means any user can register as long as they have the registration link and there's capacity in the lab. Nonrestricted can be useful for hackathon events.
52+
- Start or stop a lab VM. Azure Lab Services grants lab users permission to perform such actions on their own virtual machines. The service also controls access to the lab virtual machine connection information.
4953

50-
Student VMs that are hosted in the lab have a username and password set by the creator of the lab. Alternately, the creator of the lab can allow registered students to choose their own password on first sign-in.
54+
- Register for a lab. Azure Lab Services offers two different access settings: restricted and nonrestricted. *Restricted access* means that Azure Lab Services verifies that lab users are added to the lab before allowing access. *Nonrestricted access* means that any user can register for a lab by using the lab registration link, if there's capacity in the lab. Nonrestricted access can be useful for hackathon events. For more information, see the [manage lab users](how-to-configure-student-usage.md#send-invitations-to-users) article.
55+
56+
- Virtual machine credentials. Lab virtual machines that are hosted in the lab have a username and password set by the creator of the lab. Alternately, the creator of the lab can allow registered users to choose their own password on first sign-in.
5157

5258
## Next steps
5359

54-
To learn more about features available in Lab Services, see [Azure Lab Services concepts](classroom-labs-concepts.md) and [Azure Lab Services overview](lab-services-overview.md).
60+
- What is [Azure Lab Services](./lab-services-overview.md)
61+
62+
- Learn more about the [key concepts in Azure Lab Services](./classroom-labs-concepts.md)
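
Review bot: In the "Hosted resources" paragraph, the new sentence "Azure monitors these managed subscriptions for suspicious activity" names a different actor than the rest of the patch, which consistently says "Azure Lab Services"; the removed sentence was passive and named no one. Please confirm who performs the monitoring and use that name, since readers rely on this paragraph to understand who has visibility into lab VMs. The same paragraph still says monitoring is done "externally to the virtual machines through VM extensions" and then that "a diagnostic extension is enabled on the virtual machine"; a short clause stating what the extension reports (the text mentions only the RDP session disconnect event) would make the boundary between in-guest and network-level monitoring clear. In the access control list, the nonrestricted bullet states that any user can register "by using the lab registration link, if there's capacity in the lab", so the link and the lab capacity are the only limits described; consider saying so explicitly for lab creators who share the link. Style: the patch switches some relative links to the "./" prefix (for example ./classroom-labs-concepts.md) while how-to-connect-vnet-injection.md, how-to-enable-shutdown-disconnect.md and how-to-configure-student-usage.md keep the bare form; pick one. The doubled blank lines added at new lines 55-56 and 61-62 can also be collapsed to one.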
