AZ 120 Module: Design and implement an infrastructure to support SAP workloads on Azure

Lab: Automate deployment by using Azure Center for SAP solutions

Estimated Time: 100 minutes

All tasks in this lab are performed from the Azure portal

Objectives

After completing this lab, you will be able to:

Implement prerequisites for deploying SAP workloads in Azure by using Azure Center for SAP solutions
Deploy the infrastructure that will host SAP workloads in Azure by using Azure Center for SAP solutions

Exercise 1: Implement prerequisites for deploying SAP workloads in Azure by using Azure Center for SAP solutions

Duration: 60 minutes

In this exercise, you will implement prerequisites for deploying SAP workloads in Azure by using Azure Center for SAP solutions. This will include the following tasks:

Addressing the vCPU requirements in the target Azure subscription
Configuring Azure role-based access control (RBAC) role assignments for the Microsoft Entra ID user account that will be used to perform the deployment
Creating a storage account associated with the Azure Center for SAP solutions used for the deployment
Creating a user-assigned managed identity to be used by Azure Center for SAP solutions for authentication and authorization of its automated deployment
Creating a network security group (NSG) to be used within subnets of the virtual network that will host the deployment
Creating route tables to be used within subnets of the virtual network that will host the deployment
Creating and configuring the virtual network that will host the deployment
Deploying Azure Firewall into the virtual network that will host the deployment
Deploying Azure Bastion into the virtual network that will host the deployment

The exercise consists of the following tasks:

Task 1: Address the vCPU requirements in the target Azure subscription
Task 2: Configure Azure role-based access control (RBAC) role assignments for the Microsoft Entra ID user account that will be used to perform the deployment
Task 3: Create a storage account associated with the Azure Center for SAP solutions used for the deployment
Task 4: Create and configure a user-assigned managed identity to be used by Azure Center for SAP solutions for authentication and authorization of its automated deployment
Task 5: Create a network security group (NSG) to be used within subnets of the virtual network that will host the deployment
Task 6: Create route tables to be used within subnets of the virtual network that will host the deployment
Task 7: Create and configure the virtual network that will host the deployment
Task 8: Deploy Azure Firewall into the virtual network that will host the deployment
Task 9: Deploy Azure Bastion into the virtual network that will host the deployment

Task 1: Address the vCPU requirements in the target Azure subscription

Note: You do not need to complete this task if you have already implemented all of the AZ-120 lab prerequisites.

Note: To complete this lab (as described), you will need a Microsoft Azure subscription with the vCPU quotas that accommodate deployment of the following VMs:

2 x Standard_E4ds_v4 (4 vCPUs and 32 GiB of memory each) or 2 X Standard_D4ds_v4 (4 vCPUs and 16 GiB of memory each) VMs for the ASCS tier
2 x Standard_E4ds_v4 (4 vCPUs and 32 GiB of memory each) or 2 X Standard_D4ds_v4 (4 vCPUs and 16 GiB of memory each) VMs for the application tier
2 x Standard_M64ms (64 vCPUs and 1750 GiB of memory each) VMs for the database tier

Note: To minimize the vCPU and memory requirements for the database VMs, you can change the VM SKU to Standard_M32ts (32 vCPUs and 192 GiB of memory each).

From the lab computer, start a Web browser, and navigate to the Azure portal at https://portal.azure.com.
In the Azure Portal, select the Cloud Shell icon and start a PowerShell session in Cloud Shell.

Note: If this is the first time you are launching Cloud Shell in the Azure subscription you will be using in this lab, you will be asked to create an Azure file share to persist Cloud Shell files. If so, accept the defaults, which will result in creation of a storage account in an automatically generated resource group.

In the Azure portal, in the Cloud Shell pane, at the PowerShell prompt, run the following (if needed, replace eastus with the name of the Azure region to which you intend to deploy resources in this lab):

Note: To identify the names of Azure regions, in the Cloud Shell, at the Bash prompt, run (Get-AzLocation).Location

 Set-Variable -Name "Azure_region" -Value ('eastus') -Option constant -Scope global -Description "All processes" -PassThru

 Get-AzVMUsage -Location $Azure_region | Where-Object {$_.Name.Value -eq 'standardEDSv4Family'}
    
 Get-AzVMUsage -Location $Azure_region | Where-Object {$_.Name.Value -eq 'standardDSv4Family'}

 Get-AzVMUsage -Location $Azure_region | Where-Object {$_.Name.Value -eq 'standardMSFamily'}

 Get-AzVMUsage -Location $Azure_region | Where-Object {$_.Name.Value -eq 'cores'}

Review the output to identify the current vCPU usage and the vCPU limit. Ensure that the difference between them is sufficient to accommodate vCPUs of Azure VMs that you will be deployed in this lab. Take into account both VM family-specific and total regional vCPU numbers.
If the number of vCPUs is not sufficient, close the Cloud Shell pane, in the Azure portal, in the Search text box, search for and select Quotas.
On the Quotas page, select Compute.
On the Quotas | Compute page, use the Region filter to select the Azure region to which you intend to deploy resources in this lab.
In the Quota name column, locate and select the VM SKU name that requires a quota increase.
In the same row, check the entry in the Adjustable column. The next step depends on whether the column contains Yes or No entry.
- If the entry is set to Yes, select the Request adjustment icon, on the New Quota Request, in the New limit text box, enter the new quota limit, and then select Submit.
- If the entry is set to No, select the Request access or get recommendations icon and, the Quota Recommendations pane, select Contact Support option, and then select Next.

On the Problem description tab of the New support request page, specify the following settings and then select Next:

Setting	Value
What is your issue related to?	Azure services
Issue type	Service and subscription limits (quotas)
Subscription	The name of the Azure subscription you are using in this lab
Quota type	Compute/VM (cores/vCPUs) subscription limit increases

On the Additional details tab, select Enter details.
On the Quota details tab, in the Deployment model drop-down list, select Resource manager, in the Locations drop-down list, select the target Azure region, in the Quotas drop-down list, select the Azure VM series you need to increase the quota limits for, in the New limit text box, enter the new quota limit, and then select Save and Continue.
Back on the Additional details tab, in the Advanced diagnostic information tab, select Yes (Recommended).
In the Support method section, select either Email or Phone as your preferred contact method and then select Next.
On the Review + create tab, select Create.

Note: Wait until the request to increase quota limits is successfully complete before you proceed to the next task.

Task 2: Configure Azure role-based access control (RBAC) role assignments for the Microsoft Entra ID user account that will be used to perform the deployment

On the lab computer, start Microsoft Edge, and navigate to the Azure portal at https://portal.azure.com.
When prompted to authenticate, sign in by using the Microsoft Entra ID credentials with the Owner role in the Azure subscription you will be using for this lab.
In the Azure portal, in the Search text box, search for and select Subscriptions.
On the Subscriptions page, select the entry representing the Azure subscription you will be using for this lab.
On the page displaying the properties of the Azure subscription, select Access control (IAM).
On the Access control (IAM) page, select + Add and then, in the drop-down menu select Add role assignment.
On the Role tab of the Add role assignment page, in the listing of Job function roles, search for and select the Azure Center for SAP solutions administrator entry, and the select Next.
On the Members tab of the Add role assignment page, click + Select members.
On the Select members pane, in the Select text box, enter the name of the Microsoft Entra ID user account you used to access the Azure subscription you are using for this lab, select it in the list of results matching your entry, and then click Select.
Back on the Members tab, select Review + assign.
On the Review + assign tab, select Review + assign.
Repeat the previous six steps to assign the role of Managed Identity Operator to the user account you are using for this lab.

Task 3: Create a storage account associated with the Azure Center for SAP solutions used for the deployment

On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Storage accounts.
On the Storage accounts page, select + Create.

On the Basics tab of the Create a storage account page, specify the following settings and select Next: Advanced >.

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	the name of a new resource group ACSS-DEMO
Storage account name	any globally unique name between 3 and 24 in length consisting of letters and digits
Region	the name of the Azure region in which you have sufficient vCPU quotas to run this lab
Performance	Standard
Redundancy	Geo-redundant storage (GRS)
Make read access to data available in the event of regional availability	Disabled

On the Advanced tab, review the available options, accept the defaults, and select Next: Networking >.
On the Networking tab, review the available options, ensure that the option Enable public access from all networks is enabled and select Review.
On the Review tab, wait for the validation process to complete and select Create.

Note: Do not wait for the provisioning of the Azure Storage account to complete. Instead, proceed to the next task. The provisioning might take about 2 minutes.

Task 4: Create and configure a user-assigned managed identity to be used by Azure Center for SAP solutions for authentication and authorization of its automated deployment

On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Managed Identities.
On the Managed Identities page, select + Create.

On the Basics tab of the Create User Assigned Managed Identity page, specify the following settings and then select Review + Create:

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	ACSS-DEMO
Region	the name of the Azure region in which you provisioned the storage account earlier in this lab
Name	Contoso-MSI

On the Review tab, wait for the validation process to complete and select Create.

Note: Wait for the provisioning of the user assigned managed identity to complete. This should take just a few seconds.
In the Azure portal, navigate to the Managed Identities page and select the Contoso-MSI entry.
On the Contoso-MSI page, select Azure role assignments.
On the Azure role assignments page, select + Add role assignment (Preview).

On the + Add role assignment (Preview) pane, specify the following settings and select Save:

Setting	Value
Scope	Subscription
Subscription	The name of the Azure subscription you are using in this lab
Role	Azure Center for SAP solutions service role

Back on the Azure role assignments page, select + Add role assignment (Preview).

On the + Add role assignment (Preview) pane, specify the following settings and select Save:

Setting	Value
Scope	Storage
Subscription	The name of the Azure subscription you are using in this lab
Resource	The name of the Azure Storage account you created in the previous task
Role	Reader and Data Access

Task 5: Create a network security group (NSG) to be used within subnets of the virtual network that will host the deployment

On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Network security groups.
On the Network security groups page, select + Create.

On the Basics tab of the Create network security group page, specify the following settings and then select Review + create:

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	The name of a new resource group CONTOSO-VNET-RG
Name	ACSS-DEMO-NSG
Region	the name of the Azure region in which you provisioned the storage account earlier in this lab

On the Review + create tab, wait for the validation process to complete and select Create.

Note: By default, the built-in rules of network security groups allow all outbound traffic, all traffic within the same virtual network, as well as all traffic between peered virtual networks. This is sufficient to successfully complete the lab. Depending on your security requirements, you might consider blocking some of that traffic. If so, refer to the guidance included in the Prepare network for infrastructure deployment Microsoft Learn documentation.

Task 6: Create route tables to be used within subnets of the virtual network that will host the deployment

On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Route tables.
On the Route tables page, select + Create.

On the Basics tab of the Create Route table page, specify the following settings and then select Review + create:

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	CONTOSO-VNET-RG
Region	the name of the Azure region in which you provisioned resources earlier in this lab
Name	ACSS-ROUTE
Propagate gateway routes	No

On the Review + create tab, wait for the validation process to complete and select Create.

Task 7: Create and configure the virtual network that will host the deployment

On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Virtual networks.
On the Virtual networks page, select + Create.

On the Basics tab of the Create virtual network page, specify the following settings and select Next:

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	CONTOSO-VNET-RG
Virtual network name	CONTOSO-VNET
Region	the name of the Azure region in which you provisioned resources earlier in this lab

On the Security tab, accept the default settings and select Next.

Note: You could provision at this point both Azure Bastion and Azure Firewall, however you will provision them separately once the virtual network is created.
On the IP addresses tab, specify the following settings and then select Review + create:

Setting Value

IP address space 10.5.0.0/16 (65,536 addresses)

Note: Delete any pre-created subnet entries. You will add subnets after the virtual network is created.
On the Review + create tab, wait for the validation process to complete and select Create.
Navigate back to the Virtual networks page, select the CONTOSO-VNET entry.
On the CONTOSO-VNET page, in the vertical menu bar on the left side of the page, select Subnets.
On the CONTOSO-VNET | Subnets page, select + Subnet.

Setting	Value
IP address space	10.5.0.0/16 (65,536 addresses)

On the Add subnet pane, specify the following settings and select Save:

Setting	Value
Name	app
Subnet address range	10.5.0.0/24
Network security group	ACSS-DEMO-NSG
Route table	ACSS-ROUTE

Back on the CONTOSO-VNET | Subnets page, select + Subnet.

On the Add subnet pane, specify the following settings and select Save:

Setting	Value
Name	AzureBastionSubnet
Subnet address range	10.5.1.0/26

Back on the CONTOSO-VNET | Subnets page, select + Subnet.

On the Add subnet pane, specify the following settings and select Save:

Setting	Value
Name	db
Subnet address range	10.5.2.0/24
Network security group	ACSS-DEMO-NSG
Route table	ACSS-ROUTE

Back on the CONTOSO-VNET | Subnets page, select + Subnet.

On the Add subnet pane, specify the following settings and select Save:

Setting	Value
Name	AzureFirewallSubnet
Subnet address range	10.5.3.0/24

Task 8: Deploy Azure Firewall into the virtual network that will host the deployment

Note: Before you deploy an Azure Firewall instance, you will first create a firewall policy and a public IP address to be used by the instance.

On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Firewall Policies.
On the Firewall Policies page, select + Create.

On the Basics tab of the Create an Azure Firewall Policy page, specify the following settings and select Next: DNS Settings >:

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	CONTOSO-VNET-RG
Name	FirewallPolicy_contoso-firewall
Region	the name of the Azure region in which you provisioned resources earlier in this lab
Policy tier	Standard
Parent policy	None

On the DNS Settings tab, accept the default Disabled option and select Next: TLS inspection >.
On the TLS inspection tab, select Next: Rules >.
On the Rules tab, select + Add a rule collection.

On the Add a rule collection pane, specify the following settings:

Setting	Value
Name	AllowOutbound
Rule collection type	Network
Priority	101
Rule collection action	Allow
Rule collection group	DefaultNetworkRuleCollectionGroup

On the Add a rule collection pane, in the Rules section, add a rule with the following settings:

Setting	Value
Name	RHEL
Source type	IP Address
Source	*
Protocol	Any
Destination Ports	*
Destination Type	IP Address
Destination	13.91.47.76,40.85.190.91,52.187.75.218,52.174.163.213,52.237.203.198

Note: To identify the IP addresses to use for RHEL, refer to Prepare network for infrastructure deployment

Setting	Value
Name	ServiceTags
Source type	IP Address
Source	*
Protocol	Any
Destination Ports	*
Destination Type	Service Tag
Destination	AzureActiveDirectory,AzureKeyVault,Storage

Note: If preferred, it is possible to use service tags with regional scopes.

Setting	Value
Name	SUSE
Source type	IP Address
Source	*
Protocol	Any
Destination Ports	*
Destination Type	IP Address
Destination	52.188.224.179,52.186.168.210,52.188.81.163,40.121.202.140

Note: To identify the IP addresses to use for SUSE, refer to Prepare network for infrastructure deployment

Setting	Value
Name	AllowOutbound
Source type	IP Address
Source	*
Protocol	TCP,UDP,ICMP,Any
Destination Ports	*
Destination Type	IP Address
Destination	*

Select the Add button to save all rules.
Back on the Rules tab, select Next: IDPS >.
On the IDPS tab, select Next: Threat intelligence >.

Note: The IDPS functionality requires the Premium SKU.
On the Threat intelligence tab, review the available settings without making any changes and then select Review + create.
On the Review + create tab, wait for the validation process to complete and select Create.

Note: Wait for the provisioning of the Firewall Policy to complete. The provisioning should take about 1 minute.
On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Public IP addresses.
On the Public IP addresses page, select + Create.

On the Basics tab of the Create a public IP address page, specify the following settings and then select Review + create:

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	CONTOSO-VNET-RG
Region	the name of the Azure region in which you provisioned resources earlier in this lab
Name	contoso-firewal-pip
IP Version	IPv4
SKU	Standard
Availability zone	No zone
Tier	Regional
Routing preference	Microsoft network
Idle timeout (minutes)	4
DNS name label	not set

On the Review + create tab, wait for the validation process to complete and select Create.

Note: Wait for the provisioning of the public IP address to complete. The provisioning should take a few seconds.
On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Firewalls.
On the Firewalls page, select + Create.

On the Basics tab of the Create a firewall page, specify the following settings and then select Review + create:

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	CONTOSO-VNET-RG
Name	contoso-firewall
Region	the name of the Azure region in which you provisioned resources earlier in this lab
Availability zone	None
Firewall SKU	Standard
Firewall management	Use a Firewall Policy to manage this firewall
Firewall policy	FirewallPolicy_contoso-firewall
Choose a virtual network	Use existing
Virtual network	CONTOSO-VNET
Public IP address	contoso-firewall-pip
Forced tunneling	Disabled

Note: Wait for the provisioning of the Azure Firewall to complete. The provisioning might take about 3 minutes.

In the Azure portal, navigate back to the Firewalls page.
On the Firewalls page, select the contoso-firewall entry.
On the contoso-firewall page, note the Private IP entry set to 10.5.3.4 representing the private IP address of the Azure Firewall instance.

Note: In order for the network traffic to be routed via Azure Firewall, you need to add user defined routes to the route tables associated with the app and db subnets of the virtual network that will host the SAP deployment.
In the Azure portal, in the Search text box, search for and select Route tables.
On the Route tables page, select the ACSS-ROUTE entry.
On the ACSS-ROUTE page, select Routes.
On the ACSS-ROUTE | Routes page, select + Add.

On the Add route pane, specify the following settings and then select Add:

Setting	Value
Route name	Firewall
Destination type	IP Addresses
Destination IP Addresses/CIDR ranges	0.0.0.0/0
Next hop type	Virtual appliance
Next hop address	10.5.3.4

Task 9: Deploy Azure Bastion into the virtual network that will host the deployment

On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Bastions.
On the Bastions page, select + Create.

On the Basics tab of the Bastions page, specify the following settings and select Next : Tags >:

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	CONTOSO-VNET-RG
Name	ACSS-BASTION
Region	the name of the Azure region in which you provisioned resources earlier in this lab
Tier	Basic
Instance count	2
Virtual network	CONTOSO-VNET
Subnet	AzureBastionSubnet
Public IP address	Create new
Public IP address name	ACSS-BASTION-PIP

On the Tags tab, select Next : Advanced >
On the Advanced tab, review the available settings without making any changes and then select Next : Review + create >
On the Review + create tab, wait for the validation process to complete and select Create.

Note: Do not wait for the provisioning of the Bastion host to complete. Instead, proceed to the next task. The provisioning might take about 15 minutes.

Exercise 2: Deploy the infrastructure that will host SAP workloads in Azure by using Azure Center for SAP solutions

Duration: 40 minutes

In this exercise, you will use Azure Center for SAP solutions to deploy the infrastructure that will host SAP workloads into the Azure subscription you used in the previous exercise. Following the successful deployment, you can either proceed with installing SAP software by using Azure Center for SAP solutions or deleting the Azure resources provisioned in this lab.

Note: For information regarding installing SAP software by using Azure Center for SAP solutions, refer to the Microsoft Learn documentation that describes how to Get SAP installation media and Install SAP software. Instructions for deleting the Azure resources provisioned in this lab are included in the second task of this exercise.

The exercise consists of the following task:

Task 1: Create Virtual Instance for SAP solutions
Task 2: Delete the Azure resources provisioned in this lab

Task 1: Create Virtual Instance for SAP solutions

On the lab computer, in the Microsoft Edge window displaying the Azure portal, in the Search text box, search for and select Azure Center for SAP Solutions.
On the Azure Center for SAP Solutions | Overview page, select Create a new SAP system.

On the Basics tab of the Create Virtual Instance for SAP solutions page, specify the following settings and select Next : Virtual machines

Setting	Value
Subscription	The name of the Azure subscription you are using in this lab
Resource group	The name of a new resource group Contoso-SAP-C1S
Name (SID)	C1S
Region	the name of the Azure region in which you provisioned resources earlier in this lab
Environment type	Production
SAP product	S/4HANA
Database	HANA
HANA scale method	Scale up (recommended)
Deployment type	Distributed with High Availability (HA)
Compute availability	99.95 (Availability Set)
Virtual network	CONTOSO-VNET
Application subnet	app (10.5.0.0/24)
Database subnet	db (10.5.2.0/24)
Application OS image	Red Hat Enterprise Linux 8.2 for SAP Applications - x64 Gen2 latest
Database OS image	Red Hat Enterprise Linux 8.2 for SAP Applications - x64 Gen2 latest
SAP transport option	Create a new SAP transport directory
Transport resource group	ACSS-DEMO
Storage account name	no entry
Authentication type	SSH public
Username	contososapadmin
SSH public key source	Generate new key pair
Key pair name	contosoc1skey
SQP FQDN	sap.contoso.com
Managed identity source	Use existing user assigned managed identity
Managed identity name	Contoso-MSI

On the Virtual machines tab, specify the following settings:

Setting	Value
Generate Recommendation based on	SAP Application Performance Standard (SAPS) - Select this option to provide SAPS for application tier and Database Memory size and click Generate Recommendations
SAPS for application tier	10000
Memory size for database (GiB)	1024

Select Generate Recommendation.
Review the size and the number of VMs for the ASCS, application, and database virtual machines.
Note: If needed, adjust the recommended sizes by selecting the See all Sizes link for each set of virtual machines and choosing an alternative size. By default, the distributed deployment type with high availability as well as the application tier SAPS and database memory size specified above results in the following VM SKU recommendations:
- 2 x Standard_E4ds_v4 for the ASCS VMs (4 vCPUs and 32 GiB of memory each)
- 2 x Standard_E4ds_v4 VMs for the application VMs (4 vCPUs and 32 GiB of memory each)
- 2 x Standard_M64ms for the database VMs (64 vCPUs and 1750 GiB of memory each)
Note: To minimize the vCPU and memory requirements for the database VMs, consider changing the VM SKU to Standard_M32ts (32 vCPUs and 192 GiB of memory each).

Note: If needed, you can request quota increase by selecting the Request Quota link for a specific SKU of virtual machines and submitting a quota increase request. The processing of a request typically takes a few minutes.

Note: Azure Center for SAP solutions enforces the usage of the SAP supported VM SKUs during deployment.
On the Virtual machines tab, in the Data disks section, select the View and customize configuration link.
On the Database disk configuration page, review the recommended configuration without making any changes and select Close.
Back on the Virtual machines tab, select Next : Visualize Architecture.
On the Visualize Architecture tab, review the diagram illustrating the recommended architecture and select Review + create.
On the Review + create tab, wait for the validation process to complete, select the checkbox confirm that you have ample quota available in the deployment region to avoid running into “Insufficient Quota” error, and select Create.
When prompted, in the Generate new key pair window, select Download private key and create resource.

Note: The private key required to connect to the Azure VMs included in the deployment will be downloaded to the computer from which you are running this lab.

Note: Wait for the deployment to complete. This might take about 25 minutes.

Note: Following the deployment, either proceed to installing SAP software by using Azure Center for SAP solutions or delete the lab resources by following instructions in the next task.

Task 2: Delete the Azure resources provisioned in this lab

Important: The cost of the resources you deployed is significant, so ensure that you deprovision the lab if you don’t intend to use it beyond this point. Deleting the virtual instance for SAP solutions will not delete the underlying infrastructure resources. To delete the resources, you should use the procedure described in this task, which targets resources in three resource groups:

Contoso-SAP-C1S
CONTOSO-VNET-RG
ACSS-DEMO

On the lab computer, in the Microsoft Edge window displaying the Azure portal, select the Cloud Shell icon and start a PowerShell session in Cloud Shell.

Note: If this is the first time you are launching Cloud Shell in the Azure subscription you will be using in this lab, you will be asked to create an Azure file share to persist Cloud Shell files. If so, accept the defaults, which will result in creation of a storage account in an automatically generated resource group.

In the Azure portal, in the Cloud Shell pane, at the PowerShell prompt, run the following commands to stop and deallocate all Azure VMs deployed in this lab:

 $resourceGroupName = 'Contoso-SAP-C1S'
 $vms = Get-AzVM -ResourceGroupName $resourceGroupName
 foreach ($vm in $vms) {
    Stop-AzVM -ResourceGroupName $resourceGroupName -Name $vm.Name -Force 
 }

At the PowerShell prompt, run the following commands to detach all data disks from all Azure VMs deployed in this lab:

 foreach ($vm in $vms) {  
    $vmDisks = $vm.StorageProfile.DataDisks
    foreach ($vmDisk in $vmDisks) {
       Remove-AzVMDataDisk -VM $vm -Name $vmDisk.Name
    }
    Update-AzVM -ResourceGroupName $resourceGroupName -VM $vm -ErrorAction SilentlyContinue
 }

At the PowerShell prompt, run the following commands to enable the delete option for network interfaces and disks attached to all Azure VMs deployed in this lab:

 foreach ($vm in $vms) {
    $vmConfig = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vm.Name
    $vmConfig.StorageProfile.OsDisk.DeleteOption = 'Delete'
    $vmConfig.StorageProfile.DataDisks | ForEach-Object { $_.DeleteOption = 'Delete' }
    $vmConfig.NetworkProfile.NetworkInterfaces | ForEach-Object { $_.DeleteOption = 'Delete' }
    $vmConfig | Update-AzVM
 }

At the PowerShell prompt, run the following commands to delete all Azure VMs deployed in this lab:

 foreach ($vm in $vms) {
    Remove-AzVm -ResourceGroupName $resourceGroupName -Name $vm.Name -ForceDeletion $true -Force
 }

At the PowerShell prompt, run the following commands to delete the Contoso-SAP-C1S resource group and all of its remaining resources:
```
 Remove-AzResourceGroup -Name 'Contoso-SAP-C1S' -Force -AsJob
```
At the PowerShell prompt, run the following commands to delete the CONTOSO-VNET-RG resource group and all of its remaining resources:
```
 Remove-AzResourceGroup -Name 'CONTOSO-VNET-RG' -Force -AsJob
```
At the PowerShell prompt, run the following commands to delete the ACSS-DEMO resource group and all of its remaining resources:
```
 Remove-AzResourceGroup -Name 'ACSS-DEMO' -Force -AsJob
```
Note: The last three command execute asynchronously (as determined by the -AsJob parameter), so while you will be able to run the next PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource groups and their resources are actually removed.