how-to-connect-vnet-injection.md

title	description	ms.topic	ms.date
Connect to your virtual network in Azure Lab Services | Microsoft Docs	Learn how to connect a lab to one of your networks.	how-to	2/11/2022

Connect to your virtual network in Azure Lab Services

[!INCLUDE preview focused article]

This article provides information about connecting a lab plan to your virtual network.

Some organizations have advanced network requirements and configurations that they want to apply to labs. For example, network requirements can include a network traffic control, ports management, access to resources in an internal network, etc.

In the Azure Lab Services April 2022 Update (preview), customers may take control of the network for the labs using virtual network (VNet) injection. You can now tell us which virtual network to use, and we’ll inject the necessary resources into your network. VNet injection replaces the peering to your virtual network, as was done in previous versions.

With VNet injection, you can connect to on premise resources such as licensing servers and use user defined routes (UDRs).

Overview

You can connect to your own virtual network to your lab plan when you create the lab plan.

Important

VNet injection must be configured when creating a lab plan. It can't be added later.

Before you configure VNet injection for your lab plan:

• Create a virtual network. The virtual network must be in the same region as the lab plan.
• Create a subnet for the virtual network.
• Create a network security group (NSG) and apply it to the subnet.
• Delegate the subnet to Microsoft.LabServices/labplans.

Certain on-premises networks are connected to Azure Virtual Network either through ExpressRoute or Virtual Network Gateway. These services must be set up outside of Azure Lab Services. To learn more about connecting an on-premises network to Azure using ExpressRoute, see ExpressRoute overview. For on-premises connectivity using a Virtual Network Gateway, the gateway, specified virtual network, network security group, and the lab plan all must be in the same region.

Note

If your school needs to perform content filtering, such as for compliance with the Children's Internet Protection Act (CIPA), you will need to use 3rd party software. For more information, read guidance on content filtering with Lab Services.

Delegate the virtual network subnet for use with a lab plan

After you create a subnet for your virtual network, you must delegate the subnet for use with Azure Lab Services.

Only one lab plan at a time can be delegated for use with one subnet.

1. Create a virtual network, subnet, and network security group (NSG) if not done already.

2. Open the Subnets page for your virtual network.

3. Select the subnet you wish to delegate to Lab Services to open the property window for that subnet.

4. For the Delegate subnet to a service property, select Microsoft.LabServices/labplans. Select Save.

   :::image type="content" source="./media/how-to-connect-vnet-injection/delegate-subnet-for-azure-lab-services.png" alt-text="Screenshot of properties windows for subnet. The Delegate subnet to a service property is highlighted and set to Microsoft dot Lab Services forward slash lab plans.":::

5. For the Network security group property, select the NSG you created earlier.

   [!WARNING] An NSG is required to allow access to the template and lab VMs. For more information about Lab Services architecture, see Architecture Fundamentals in Azure Lab Services.

   :::image type="content" source="./media/how-to-connect-vnet-injection/subnet-select-nsg.png" alt-text="Screenshot of properties windows for subnet. The Network security group property is highlighted.":::

6. Verify the lab plan service appears in the Delegated to column. Verify the NSG appears in the Security group column.

   :::image type="content" source="./media/how-to-connect-vnet-injection/delegated-subnet.png" alt-text="Screenshot of list of subnets for a virtual network. The Delegated to and Security group columns are highlighted." lightbox="./media/how-to-connect-vnet-injection/delegated-subnet.png":::

Connect the virtual network during lab plan creation

1. Sign in to the Azure portal.

2. Select Create a resource in the upper left-hand corner of the Azure portal.

3. Search for lab plan. (Lab plan (preview) can also be found under the DevOps category.)

4. Enter required information on the Basics tab of the Create a lab plan page. For more information, see Tutorial: Create a lab plan with Azure Lab Services.

5. From the Basics tab of the Create a lab plan page, select Next: Networking at the bottom of the page.

6. Select Enable advanced networking.

   1. For Virtual network, select an existing virtual network for the lab network. For a virtual network to appear in this list, it must be in the same region as the lab plan.

   2. Specify an existing subnet for VMs in the lab. For subnet requirements, see Delegate the virtual network subnet for use with a lab plan.

      :::image type="content" source="./media/how-to-connect-vnet-injection/create-lab-plan-advanced-networking.png" alt-text="Screenshot of the Networking tab of the Create a lab plan wizard.":::

Once you have a lab plan configured with advanced networking, all labs created with this lab plan use the specified subnet.

Known issues

• Deleting your virtual network or subnet will cause the lab to stop working
• Changing the DNS label on the public IP will cause the Connect button for lab VMs to stop working.
• Azure Firewall isn’t currently supported.

Next steps

See the following articles:

• As an admin, attach a compute gallery to a lab plan.
• As an admin, configure automatic shutdown settings for a lab plan.
• As an admin, add lab creators to a lab plan.