In my previous blog post, I explained how we can use FIDO2 security keys to perform password-less authentication with Azure AD. You can access it using Step-by-Step Guide: Azure AD password-less sign-in using FIDO2 Security keys
We also can use FIDO2 security keys to sign-in to Azure AD Joined or Hybrid Azure AD Joined Windows 10 devices. In this demo, I am going to demonstrate how we can enable FIDO2 security key sign-in using Azure AD and Microsoft Intune.
Before enabling password-less authentication with FIDO2 security keys, make sure you have,

1. Azure AD and Intune – Make sure you have valid Azure AD and Intune subscription in place.
2. Azure AD Join on Hybrid Azure AD joined Windows 10 Devices – If it is Azure AD Join device, it should run at least Windows 10 version 1903. If it is Hybrid Azure AD joined device at least it should be running Windows 10 Insider Build 18945
3. FIDO2 Security keys – The good people at eWBM provided eWBM Goldengate security key G320 (USB-C) and eWBM Goldengate security key G310 (USB-A) for testing. I will be using eWBM Goldengate security key G320 (USB-C) in this demo with Surface Pro 7.

4. Azure AD user account which completed the FIDO2 security key enrolment process – This explained in details via my previous post http://www.rebeladmin.com/2020/03/step-step-guide-azure-ad-password-less-sign-using-fido2-security-keys/

In this demo, I am going to use a user called Megan Bowen (meganb@M365x620957.onmicrosoft.com) for testing. I already have an Azure AD join device ready for her. It is showing as compliant in the Microsoft Intune portal.

Enable Windows Hello for Business with Intune

Before we create a device configuration profile, we need to enable Windows Hello for Business with FIDO2 security key support. To do that,

1. Log in to Azure Portal as Global Administrator ( https://portal.azure.com/ )
2. Search for Intune in the search box and click on it.

3. Then click on Device Enrolment

4. In the new window click on Windows enrollment | Windows Hello for Business

5. Select Enable for Configure Windows Hello for Business. Then keep the default settings.

6. Also, select Enable for Use security keys for sign-in

This will enable FIOD2 security key support.

7. At the end click on Save to apply the changes.

Passwords are the most commonly used method to protect user identities in a system. This is applying to Active Directory as well. However, with growing data breaches, it is obvious that passwords are no longer strong. In Verizon Data Breach Investigations Report (2017), it says, 81% of hacking-related breaches used either stolen or weak passwords. So, if passwords are not safe, what else we can do to improve the security in the sign-in process?

Multi-factor authentication can add another layer of security into the authentication process. It can be SMS, phone call, OTP code, Phone App notification to further confirm the authenticity of the sign-in request. There are many different MFA products available in the market. Each required engineers’ involvement in service provision, deployment, licenses management, integration, end-user training, troubleshooting, and maintenance. It also adds complexity to the sing-in process. MFA doesn’t eliminate the requirement for passwords.

But now we have an option to replace traditional authentication with password-less authentication. This is basically to replace passwords with biometrics, PIN, certificates and security keys. Fast Identity Online (FIDO) is an open standard for passwordless authentication. This allows authenticating into systems using external security key built into a device.

Source : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless

FIDO2 is the third standard that came out from FIDO Alliance. FIDO2 consists of Client to Authenticator Protocol (CTAP) and the W3C standard WebAuthn. When we use FIDO2 security keys for authentication,

1. User register with WebAuthn remote peer (FIDO2 server) and generate new key pair (public and private)
2. Private key is stored in the device and is only available for client-side.
3. Public key will be registered in the web service’s database.
4. After that in sign-in process, the system will verify the private key which is always need to be unlocked by a user action such as biomimetic or PIN.

Azure AD now supports password-less authentication using FIDO2 security keys. In this demo, I am going to demonstrate how we can use FIDO2 security keys to authenticate into Azure AD. To do this we need,

1. Azure AD Multi-factor authentication enabled
2. FIDO2 security keys

eWBM security keys
The good people at eWBM provided eWBM Goldengate security key G320 (USB-C) and eWBM Goldengate security key G310 (USB-A) for testing. I will be using eWBM Goldengate security key G320 (USB-C) in this demo with Surface Pro 7.

Enable Multi-factor authentication

Before we go ahead with the FIDO2 enrolment, we need to enable multi-factor authentication for the users. To do that,

1. Log in to Azure portal https://portal.azure.com/ as Global Administrator
2. Click on Azure Active Directory under Azure Services

3. Click on Users

4. In All Users window, click on Multi-Factor Authentication

5. Search for the user. In this demo, I am going to use user Megan Brown for testing. Then select the user and click on Enable.

6. Then click on enable multi-factor auth

In my previous blog posts, I explained about two types of Azure solution to load balance web traffic.

• Azure Traffic Manager – If you are looking for DNS level load balancing which can distribute traffic to global endpoints, Azure traffic manager will be the product to look at. More info about deployment can be found on http://www.rebeladmin.com/2020/02/step-by-step-guide-dns-based-traffic-load-balancing-with-azure-traffic-manager/

• Azure Load Balancer – Azure load balancer works in layer 4 (transport layer) and can distribute network traffic to endpoints in the same Azure region. It can use to distribute internet traffic as well as internal traffic. More info about deployment can be found on http://www.rebeladmin.com/2020/01/step-step-guide-setup-azure-load-balancer-powershell-guide/

However, if you looking for Layer 7 (Application Layer) load balancing solution, Azure Application Gateway is the answer. Azure Application Gateway has the following features,

• Secure Sockets Layer (SSL/TLS) termination
• Autoscaling
• Zone redundancy
• Static VIP
• Web Application Firewall
• Ingress Controller for AKS
• URL-based routing
• Multiple-site hosting
• Redirection
• Session affinity
• Websocket and HTTP/2 traffic
• Connection draining
• Custom error pages
• Rewrite HTTP headers
• Sizing

More info about these features are available on https://docs.microsoft.com/en-us/azure/application-gateway/features

In this demo, I am going to show how we can setup URL-based routing using Azure Application Gateway.

To do that I will need to do the following tasks,

1. Setup new resource group
2. Create Virtual Networks
3. AG IP and frontend port configuration
4. Create Backend pool
5. Create listener and AG routing rule
6. Create Azure Application Gateway
7. Add Backend pools for videos and images
8. Add frontend port for the pool
9. Create Backend Listener
10. Create URL path map
11. Create routing rule
12. Create virtual machines
13. Add Web Content
14. Testing

For the configuration process, I will be using Azure PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Setup new resource group

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Create Virtual Networks

In this demo, I am going to use two back end servers. Before VM setup, let’s go ahead and create a new virtual network in REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”
$agsubnet = New-AzVirtualNetworkSubnetConfig -Name agsubnet -AddressPrefix “10.0.3.0/24”
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet, $agsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines and 10.0.3.0/24 subnet (agsubnet) for the application gateway.

Create new public IP address

We require public ip address for Azure Application gateway. This will be the external contact point for the gateway. To create that,

New-AzPublicIpAddress -ResourceGroupName REBELRG1 -Location “East US” -Name REBELPublicIP01 -AllocationMethod Static -Sku Standard

In the above, we are creating a public IP address called REBELPublicIP01 with standard SKU.

Azure Private Link provides secure access to certain Azure PaaS services such as Azure SQL Database, Azure Storage, Azure Vault Services, MySQL Databases, Azure Cosmo DB via Microsoft backbone network. This will prevent sensitive data been transfer over the public internet. There are mainly two components in Azure Private Link.

Azure Private Endpoint – Azure private endpoint is a network interface that has a private ip address from a VNET. This allows us to connect to Azure services such as Azure vault, Azure Cosmo Database, Azure SQL database, Azure Storage etc. via Azure Private Link.

Azure Private Link Service – Azure Private Link service allows us to enable private access to our services which are placed behind Azure standard load balancer. Customers/Consumers can connect to these services via private endpoints placed in their own VNETs.

In this demo, I am going to demonstrate how to create Azure private endpoints and how we can access the Azure SQL database using it.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Let’s go ahead and start the configuration process by creating a new resource group.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG -Location “East US”

In the above, REBELRG is the resource group name and East US is the resource group location.

3. The next step is to create a new virtual network.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24” -PrivateEndpointNetworkPoliciesFlag “Disabled”

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machine and private endpoint. In the above -PrivateEndpointNetworkPoliciesFlag is set to disable. This will disable applying network policies on private endpoint in the subnet.

4. We now have the virtual network ready. The next step is to create a new virtual machine for testing.

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG -Name “REBELTVM01” -Location “East US” -VirtualNetworkName “REBELVN1” -SubnetName “vmsubnet” -addressprefix 10.0.2.0/24 -PublicIpAddressName “REBELVM01IP1” -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, I am creating a virtual machine called REBELTVM01. It is running windows server 2019 data centre edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size.

In an organization, we add users to roles, groups, and applications to allow them to do certain tasks. Some of these tasks may not be carried out frequently. Is there a better way to handle these types of access, how we can ensure a user only have the relevant permissions when they required?

Azure AD Access packages allow administrators to manage access permissions to groups, applications and SharePoint sites in a more efficient way. Internal and external users will have relevant permissions to do their tasks only when they required. It will reduce the manual review of the user account permissions. The relevant policies will ensure who can request access, how the access requests are handled and when the access permissions will be revoked.

Azure AD access packages can use to,

• Manage membership of Azure AD groups
• Manage membership of Office 365 groups
• Manage membership of SharePoint sites
• Mange membership of Azure AD applications

In this post, I am going to demonstrate how we can manage access permissions using Azure AD Access Package.

In my demo environment, I have a user called Debra Berger. She is going to work on a new recruiting campaign. As part of her job, she has to access LinkedIn application. At the moment only members of sg-Finance & sg-Sales and Marketing groups have access to it. Debra Berger is not a member of both groups. She only needs this app for the new campaign. So, let’s go ahead and create an access package for this.

To do this,

1. Log in to Azure Portal as Global Administrator https://portal.azure.com/

2. Go to Menu and click on Azure Active Directory

3. Then click on Identity Governance

4. Click on Access packages

5. Then click on New access package

6. It will open a new wizard to create access packages. Provide name, description, and catalog for the new access package. By default, the catalog is set to General, if required you can create your own. Once settings are in click on Next: Resource roles >

In my previous blog post, I explained how to setup an Azure Traffic Manager. In there, I used GUI method to set it up. In this post I am going to show how we can set up Azure Traffic Manager using Azure PowerShell.

In this demo, I am going to demonstrate how we can use Azure traffic managers to improve the application/service performance by pointing users to the closest endpoint. This demo includes the following tasks,

1. Setup two new resource groups (East US, UK South)
2. Setup two new windows VM (East US, UK South)
3. Setup IIS with sample web page
4. Create a Traffic Manager profile
5. Add endpoints to Traffic Manager profile
6. Testing

Setup two new resource groups (East US, UK South)

Let’s go ahead and start the setup process by creating a new Azure resource group.

For the configuration process, I will be using Azure PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRGEUS -Location “East US”
New-AzResourceGroup -Name REBELRGUKS -Location “UK South”

In the above, we are creating two resource groups. The first one called REBELRGEUS and it is created on East US Azure region.
The second group is called REBELRGUKS and it is created on UK South azure region.

Setup two new windows VM (East US, UK South)

1. In this demo, I am going to use two back end servers. Before VM setup, let’s go ahead and create a new virtual network in REBELRGEUS resource group

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRGEUS -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

2. Then let’s go ahead and create another virtual network under REBELRGUKS resource group.

$vmsubnet2 = New-AzVirtualNetworkSubnetConfig -Name vmsubnet2 -AddressPrefix “10.1.3.0/24”

New-AzVirtualNetwork -Name REBELVN2 -ResourceGroupName REBELRGUKS -Location “UK South” -AddressPrefix “10.1.0.0/16” -Subnet $vmsubnet2

In the above, REBELVN2 is the new virtual network name. It has 10.1.0.0/16 address space. It also has a new subnet 10.1.3.0/24 (vmsubnet2) for virtual machines.

3. As the next step of the configuration, I am going to create a new virtual machine under REBELRGEUS resource group. This will be used for testing purposes.

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRGEUS -Name “REBELTVMEUS” -Location “East US” -VirtualNetworkName “REBELVN1” -SubnetName “vmsubnet” -addressprefix 10.0.2.0/24 -PublicIpAddressName “REBELTVMEUSIP1” -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In my previous blog post, I explain how we can use Azure load balancer to distribute network traffic to endpoints in the same Azure region. It can be accessed using http://www.rebeladmin.com/2020/01/step-step-guide-setup-azure-load-balancer/ . But we can’t use the same method to distribute traffic to different Azure regions. For that, we have to use the Azure Traffic Manager.

The azure traffic manager is a DNS based traffic load balancer. It does have the following characteristics,

• Based on the traffic-routing method, it can route traffic to the closest endpoints to the user. This will improve the application/service performance.
• When an endpoint is not available, the traffic will automatically route to the most appropriate endpoint.
• Application/service maintenance can be done without any downtime. During the maintenance, traffic can redirect to other available endpoints.

In this demo, I am going to demonstrate how we can use Azure traffic managers to improve the application/service performance by pointing users to the closest endpoint. This demo includes the following tasks,

1. Setup two new resource groups (East US, UK South)
2. Setup two new windows VM (East US, UK South)
3. Setup IIS with sample web page
4. Create a Traffic Manager profile
5. Add endpoints to Traffic Manager profile
6. Testing

Setup two new resource groups (East US, UK South)

Let’s go ahead and start the setup process by creating a new Azure resource group.
For the configuration process, I will be using Azure PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRGEUS -Location “East US”

New-AzResourceGroup -Name REBELRGUKS -Location “UK South”

In the above, we are creating two resource groups. The first one called REBELRGEUS and it is created on East US Azure region.

The second group is called REBELRGUKS and it is created on UK South azure region.

The new decade is started with another achievement! I am glad to announce my blog rebeladmin.com is listed among Top 50 Microsoft Azure Blogs, Websites & Influencers in 2020.

https://blog.feedspot.com/microsoft_azure_blogs/

Feedspot has a team of over 25 experts whose goal is to discover and rank popular blogs, podcasts and youtube channels in several niche categories.

Feedspot Ranking is based on,

•  Relevancy
• Industry
• Blog post frequency(freshness)
• Social media follower counts and engagements
• Domain authority
• Age of a blog
• Alexa Web Traffic Rank and many other parameters

It is a great honour and I take this opportunity to thanks all my blog readers around the globe for their honest feedbacks and trust. That’s what made all these possible.

In my previous blog post http://www.rebeladmin.com/2020/01/step-step-guide-setup-azure-load-balancer/, I explained how to setup an Azure load balancer. In that post, I used GUI method to set it up. In this post I am going to show how we can set azure load balancer using Azure PowerShell. 

In this demo, I am going to set up two virtual servers with IIS on it. Then I am going to set up Azure load balancer and load balance the web service access for external connections over TCP port 80. 

To do that I will need to do the following tasks,

1. Setup new resource group

2. Setup two new windows VM

3. Setup IIS with sample web page

4. Create Azure load balancer

5. Create a backend pool

6. Create health probes

7. Create load balancer rule

8. Testing

For the configuration process, I will be using Azure PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Setup new resource group

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location "East US"

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Setup two new windows VM

1. In this demo, I am going to use two back end servers. Before VM setup, let's go ahead and create a new virtual network. 

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

2. Then I need to create a new availability set. To add back end servers to load balancer, those VMs need to be in the same availability set. 

New-AzAvailabilitySet -Location "East US" -Name "REBELAS1" -ResourceGroupName "REBELRG1" -Sku aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 2

In above REBELAS1 is the availability group name. More info about scale sets can found here https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/availability

3. As the next step of the configuration, I am going to create two new virtual machines under REBELRG1 resource group. 

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG1 -Name "REBELTVM01" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -addressprefix 10.0.2.0/24 -PublicIpAddressName "REBELTVM01IP1" -AvailabilitySetName "REBELAS1" -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

New-AzVm -ResourceGroupName REBELRG1 -Name "REBELTVM02" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -addressprefix 10.0.2.0/24 -PublicIpAddressName "REBELTVM02IP1" -AvailabilitySetName "REBELAS1" -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, I am creating two virtual machines called REBELTVM01 & REBELTVM02. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. For networking, It uses REBELVN1 virtual network and subnet 10.0.2.0/24.

The role of a load balancer is to improve the availability of services by distributing the load to a pool of back end servers. When it comes to load balancing, Azure has a few different products to choose from. 

• Azure Application Gateway – If you require a load balancer that can provide features such as SSL offloading, reverse proxy and works in the application layer (layer 7), Azure application gateway is the answer.

• Azure Traffic Manager – If you are looking for DNS level load balancing which can distribute traffic to global endpoints, Azure traffic manager will be the product to look at. 

• Azure Load Balancer – Azure load balancer works in layer 4 (transport layer) and can distribute network traffic to endpoints in the same Azure region. It can use to distribute internet traffic as well as internal traffic. In this post, we are going to look into this service in detail. 

Like many other load balancers, Azure load balancer also has the following components. 

• Frontend/Virtual IP address – This is the load balancer IP address that works as a front door to clients. After clients initiate connections to a frontend IP address, the traffic will be distributed to the back-end servers. 

• Server pool – The back-end application servers will be group together in a pool to serve an incoming request from a load balancer. 

• Rules – The incoming traffic will be distributed to the backend servers according to the rules defined in the load balancer.  

• Probes – If a back-end server is down, load balancer needs to know. Then it can stop distributing traffic to the faulty server. The load balancer uses probs to detect the health of the back-end servers. 

• Inbound NAT rules – Inbound NAT rules define how the traffic is forward from the load balancer to the back-end server. 

In this post, I am going to demonstrate how we can load balance a web application using Azure standard load balancer. This demo includes the following tasks,

1. Setup new resource group

2. Setup two new windows VM

3. Setup IIS with sample web page

4. Create Azure load balancer

5. Create a backend pool

6. Create health probes

7. Create load balancer rule

8. Testing

Setup new resource group

Let's go ahead and start the setup process by creating new Azure resource group. 

For the configuration process, I will be using Azure PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location "East US"

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Setup two new windows VM

1. In this demo, I am going to use two back end servers. Before VM setup, let's go ahead and create a new virtual network. 

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

2. Then I need to create a new availability set. To add back end servers to load balancer, those VMs need to be in the same availability set. 

New-AzAvailabilitySet -Location "EastUS" -Name "REBELAS1" -ResourceGroupName "REBELRG1" -Sku aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 2

In above REBELAS1 is the availability group name. More info about scale sets can found here https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/availability

3. As the next step of the configuration, I am going to create two new virtual machines under REBELRG1 resource group. 

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG1 -Name "REBELTVM01" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -addressprefix 10.0.2.0/24 -PublicIpAddressName "REBELTVM01IP1" -AvailabilitySetName "REBELAS1" -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

New-AzVm -ResourceGroupName REBELRG1 -Name "REBELTVM02" -Location "East US" -VirtualNetworkName "REBELVN1" -SubnetName "vmsubnet" -addressprefix 10.0.2.0/24 -PublicIpAddressName "REBELTVM02IP1" -AvailabilitySetName "REBELAS1" -OpenPorts 3389,80 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, I am creating two virtual machines called REBELTVM01 & REBELTVM02. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. For networking, It uses REBELVN1 virtual network and subnet 10.0.2.0/24.