DP-900 for Sysadmins: Building a Hybrid Data Lab on Azure Local with SDN

Unlock your DP-900 certification success by getting hands-on with hybrid data fundamentals using Azure Local and SDN Express. This lab guide walks sysadmins through real-world setup and security concepts, step by step.


Table of Contents

  1. Introduction
  2. What is DP-900? Why Use Azure Local for Labs?
  3. Lab Architecture Overview
  4. Prerequisites & Lab Prep
  5. Step 1: Deploying Azure Local (Physical or Nested)
  6. Step 2: SDN Express Setup
  7. Step 3: Creating the Hybrid Network Topology (VNet, Subnets, NSGs, SLB)
  8. Step 4: Deploying Relational (SQL) & Non-Relational (MongoDB) Workloads
  9. Step 5: Securing Data Tiers with SDN & NSG Rules
  10. Step 6: Populating and Querying the Databases
  11. Step 7: Validating Network Isolation
  12. Mapping Lab Steps to DP-900 Exam Objectives
  13. Conclusion & Next Steps

1. Introduction

The DP-900 (Microsoft Azure Data Fundamentals) certification is the foundation for any data professional or sysadmin moving into cloud data services. Passing is easier when you reinforce theory with hands-on work. This guide helps you build a hybrid data lab using Azure Local, allowing you to experience core concepts with real networking and security, skills you’ll actually use in production.


2. What is DP-900? Why Use Azure Local for Labs?

DP-900 covers core database concepts, data workloads, and cloud/hybrid data services. Azure Local, with SDN Express, lets you simulate the same environments found in regulated industries, enterprises, and hybrid deployments. Unlike pure cloud labs, you can fully control networking, storage, and VM deployment, making it perfect for deep practice.


3. Lab Architecture Overview

Below is the target topology:

You’ll isolate the SQL and MongoDB data tiers, using NSGs and SLB rules to control access.


4. Prerequisites & Lab Prep

  • Hardware/Software:
    • 1+ physical servers OR a nested virtualization host (Hyper-V or VMware ESXi)
    • Azure Local media (Azure Stack HCI ISO)
    • Windows Admin Center (WAC)
    • Internet access for updates
    • DP-900 study account
  • Lab tools:
    • PowerShell 7+
    • Bicep CLI
    • Azure CLI (if scripting ARM/Bicep)
    • Windows Admin Center installed on a management VM
  • VM Images:
    • Windows Server (for SQL)
    • Ubuntu or Windows (for MongoDB)

5. Step 1: Deploying Azure Local (Physical or Nested)

A. Physical Cluster

  1. Install Azure Stack HCI on at least two physical nodes.
  2. Join nodes to Active Directory.
  3. Configure cluster networking (storage, management, workload networks).

B. Nested Lab (Hyper-V Example)

  1. Create VMs for two Azure Local nodes (min. 4 vCPU, 16GB RAM each).
  2. Create internal networks for management and workload.
  3. Install Azure Stack HCI on each VM.
  4. Cluster the nodes and validate.

Tip: Use nested virtualization for risk-free learning and repeatable lab rebuilds.


6. Step 2: SDN Express Setup

SDN Express automates the deployment of SDN infrastructure.

On Management VM (PowerShell):

# Import SDN module
Import-Module SdnExpress

# Start SDN Express wizard
Start-SdnExpress

# Follow prompts:
# - Choose Topology: OneNode, TwoNode, FourNode (select your setup)
# - Specify management and workload networks
# - Define IP pools for SLB and NC services

Automate with Bicep (Example):

resource sdnController 'Microsoft.NetworkCloud/sdnControllers@2023-09-01' = {
  name: 'sdnController'
  location: resourceGroup().location
  properties: {
    ...
  }
}

(Adjust for your exact environment. Refer to Azure Local/Bicep documentation.)


7. Step 3: Creating the Hybrid Network Topology

A. VNet and Subnet Creation

Using Windows Admin Center:

  • Go to SDN Manager > Virtual Networks > Add.
  • Create a VNet named HybridLab-VNet.
  • Add three subnets: mgmt-subnet, sql-subnet, mongo-subnet.

Using ARM Template Example:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-06-01",
      "name": "HybridLab-VNet",
      "location": "[resourceGroup().location]",
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.1.0.0/16" ] },
        "subnets": [
          { "name": "mgmt-subnet", "properties": { "addressPrefix": "10.1.1.0/24" } },
          { "name": "sql-subnet", "properties": { "addressPrefix": "10.1.2.0/24" } },
          { "name": "mongo-subnet", "properties": { "addressPrefix": "10.1.3.0/24" } }
        ]
      }
    }
  ]
}

B. NSG and SLB Setup

  • For each subnet, define an NSG with rules:
    • Allow management VM RDP/SSH to both SQL and MongoDB VMs
    • Deny direct traffic between SQL and MongoDB subnets except specific application ports

Example NSG Rule (PowerShell):

New-NetworkControllerAccessControlListRule -Name "Allow-SQL-App" `
    -Action Allow -Protocol TCP -SourceAddressPrefix "10.1.1.0/24" `
    -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange 1433

  • Configure SLB rules to expose SQL and MongoDB endpoints for test connections.

8. Step 4: Deploying Relational and Non-Relational Data Workloads

A. Deploy SQL Server VM

  1. Create a VM in the sql-subnet.
  2. Install SQL Server Express.
  3. Open SQL port 1433 in Windows Firewall.

B. Deploy MongoDB VM

  1. Create a VM in the mongo-subnet.
  2. Install MongoDB Community Edition.
  3. Open MongoDB port 27017 in the firewall.

C. Connect VMs to the SDN VNet

  • Ensure both VMs receive correct IPs from subnet pools.
  • Test basic connectivity using PowerShell or WAC.

9. Step 5: Securing Data Tiers with SDN & NSG Rules

  • Fine-tune NSG rules so only the management VM can RDP/SSH to SQL and MongoDB VMs.
  • Block all other inter-tier traffic except for application ports.
  • Test isolation by attempting pings and port scans from one data VM to another.
  • Use SDN Express GUI or PowerShell to update rules as needed.
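
The rules from Step 3B and Step 5, written as one inbound ACL for sql-subnet with the NetworkController module's object model and then attached to the subnet. This is an added example, not code from the original article; the REST endpoint in $uri, the ACL name sql-subnet-acl, the priorities and the assumption that the VNet and subnet resource IDs match their display names are all placeholders for this lab.

```powershell
# Added example. $uri and all resource IDs below are lab placeholders (assumptions).
Import-Module NetworkController
$uri = 'https://<network-controller-rest-fqdn>'

function New-LabAclRule {
    param(
        [string]$Id, [int]$Priority, [string]$Action,
        [string]$Protocol, [string]$Source, [string]$DestPort
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type                     = 'Inbound'
    $p.Priority                 = "$Priority"    # lower number is evaluated first
    $p.Action                   = $Action
    $p.Protocol                 = $Protocol
    $p.SourceAddressPrefix      = $Source
    $p.SourcePortRange          = '0-65535'
    $p.DestinationAddressPrefix = '10.1.2.0/24'  # sql-subnet
    $p.DestinationPortRange     = $DestPort
    $p.Logging                  = 'Enabled'

    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $Id
    $rule.Properties = $p
    $rule
}

# Management subnet may reach SQL and RDP; everything else inbound is dropped.
# The article names no application port from mongo-subnet to SQL, so none is allowed here.
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = @(
    (New-LabAclRule 'Allow-Mgmt-SQL'    1000  'Allow' 'TCP' '10.1.1.0/24' '1433')
    (New-LabAclRule 'Allow-Mgmt-RDP'    1010  'Allow' 'TCP' '10.1.1.0/24' '3389')
    (New-LabAclRule 'Deny-Mongo-To-SQL' 2000  'Deny'  'All' '10.1.3.0/24' '0-65535')
    (New-LabAclRule 'Deny-All-Inbound'  65000 'Deny'  'All' '*'           '0-65535')
)
New-NetworkControllerAccessControlList -ConnectionUri $uri `
    -ResourceId 'sql-subnet-acl' -Properties $aclProps -Force

# Attach the ACL to sql-subnet so it applies to every VM NIC in that subnet.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId 'HybridLab-VNet'
$acl    = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId 'sql-subnet-acl'
$subnet = $vnet.Properties.Subnets | Where-Object ResourceId -eq 'sql-subnet'
$subnet.Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $uri `
    -ResourceId $vnet.ResourceId -Properties $vnet.Properties -Force
```

The explicit Deny-Mongo-To-SQL rule is already covered by the final deny-all; keeping it separate with logging enabled makes blocked inter-tier attempts easy to pick out.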

10. Step 6: Populating and Querying the Databases

A. SQL Server

CREATE DATABASE DP900Lab;
USE DP900Lab;
CREATE TABLE DemoData (ID int PRIMARY KEY, Value nvarchar(50));
INSERT INTO DemoData VALUES (1, 'AzureLocal'), (2, 'DP-900');
SELECT * FROM DemoData;

B. MongoDB

mongo
use DP900Lab
db.demoData.insertMany([{ID: 1, Value: "AzureLocal"}, {ID: 2, Value: "DP-900"}])
db.demoData.find()

  • Run these commands from the management VM to verify connectivity and access.

11. Step 7: Validating Network Isolation

  • Attempt to connect from the MongoDB VM to the SQL Server port and vice versa.
  • Both should fail unless explicitly permitted in NSG rules.
  • From the management VM, verify you can connect to both SQL and MongoDB using their respective clients (SQL Management Studio, Mongo Shell).
  • Document all results for learning and troubleshooting.
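
One way to run the checks above as a repeatable test, comparing observed TCP reachability against the expected isolation matrix from each vantage point. This is an added example, not part of the original article; the host addresses 10.1.2.10 and 10.1.3.10 are constructed placeholders inside the article's subnets, and the function names are hypothetical.

```powershell
# Added example for PowerShell 7 (Windows or Linux). Addresses are constructed placeholders.
$Targets = @{
    sql   = @{ Address = '10.1.2.10'; Port = 1433  }   # SQL Server VM in sql-subnet
    mongo = @{ Address = '10.1.3.10'; Port = 27017 }   # MongoDB VM in mongo-subnet
}

# What each vantage point should be able to reach once the NSG rules are in place.
$Expected = @{
    mgmt  = @{ sql = $true; mongo = $true }
    sql   = @{ mongo = $false }
    mongo = @{ sql = $false }
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Wait() returns $false on timeout (silently dropped) and throws on refusal.
        $task = $client.ConnectAsync($Address, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Test-LabIsolation {
    param([ValidateSet('mgmt', 'sql', 'mongo')][string]$From)
    foreach ($name in $Expected[$From].Keys) {
        $t      = $Targets[$name]
        $open   = Test-TcpPort -Address $t.Address -Port $t.Port
        $wanted = $Expected[$From][$name]
        [pscustomobject]@{
            From     = $From
            To       = '{0}:{1}' -f $t.Address, $t.Port
            Expected = $wanted
            Observed = $open
            Result   = if ($open -eq $wanted) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Run on each VM with the matching -From value, e.g. on the management VM:
Test-LabIsolation -From mgmt | Format-Table
```

A blocked result on a data VM only proves isolation if the same port is reachable from the management VM; otherwise the guest firewall or a stopped service may be what is refusing the connection. Pipe the output to Export-Csv to keep the results for the documentation step.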

12. Mapping Lab Steps to DP-900 Exam Objectives

DP-900 Objective | Lab Section
--- | ---
Describe core data concepts | Database setup, VNet and subnet planning
Describe relational data on Azure | SQL Server VM deployment, firewall and NSG
Describe non-relational data on Azure | MongoDB VM deployment, subnet configuration
Describe analytics workload and tasks | Sample queries, data validation
Cloud and hybrid data services | Azure Local + SDN, hybrid topology, NSG/SLB config

Pro Tip: This entire lab gives you scenario-based experience you can reference on exam day.


13. Conclusion & Next Steps

This guided lab demonstrates how core DP-900 concepts map directly to hybrid Azure Local deployments. You practiced deploying both relational and non-relational workloads, reinforced network security, and learned how to use SDN Express for real-world network controls.
For further study, rebuild the lab with additional data services (PostgreSQL, Redis), or script the entire process for automation mastery.

Disclaimer: The views expressed in this article are those of the author and do not represent the opinions of Microsoft, my employer or any affiliated organization. Always refer to the official Microsoft documentation before production deployment.
