AZURE ::: Section 3: AZ-303: Implement Virtual Networking

 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Let's begin with a diagram you will come across from time to time; it introduces the concept of the Hub and Spoke model.


The Hub virtual network is where we keep management services and all the services we use to connect back to other networks. That could be your own on-premises network, or perhaps VPNs into Azure virtual networks in other regions if needed. There are also newer options such as Global peering. Above all, the hub holds the gateways through which you connect to other networks.

What you can see in particular is that we have spokes on the right-hand side, such as Spoke 1 Virtual Network.


These are all connected through what we call Virtual Network Peering. Peering lets us connect the networks together, so virtual machines in Spoke 1 Virtual Network can reach the Hub network, perhaps for management services; for example, the Hub Virtual Network may host an Active Directory server that those VMs need access to.

Let's dive into VNets themselves.

What is a VNet? A VNet is the main construct into which we put resources, and we put subnets inside those Virtual Networks.

We have subnet A and subnet B, both located in the same VNet.

You have an address space for the VNet, and an address space for each subnet. Obviously you cannot have two subnets with the same address space in the same VNet: you carve the VNet space into subnet address spaces as you go. You are also able to connect Subnet A to subnet B.

If you want to filter traffic, you can use a Network Security Group, which essentially acts as a firewall that says whether traffic from subnet A can reach subnet B or not.

You decide whether traffic from subnet B reaches subnet A based on the rules you create in those network security groups.
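As an added example (not part of the course notes), this is how the subnet A / subnet B filtering described above looks as an NSG in Az PowerShell. The resource group, VNet and subnet names and the two /24 prefixes are placeholders chosen for this example, not values from the notes.

```powershell
# Added example, not the course's own script. Placeholders: resource group, VNet, subnet names and prefixes.
$rg       = "SL-Network"
$location = "EastUS"
$vnetName = "SL-VNET-PShell"
$subnetA  = "10.0.0.0/24"   # subnet A
$subnetB  = "10.0.1.0/24"   # subnet B, the NSG is attached here

# Rule 1 (inbound, priority 100): subnet A may reach subnet B on HTTPS only.
$allowAtoB = New-AzNetworkSecurityRuleConfig -Name "Allow-A-to-B-443" `
    -Description "Subnet A to subnet B on TCP 443" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $subnetA -SourcePortRange * `
    -DestinationAddressPrefix $subnetB -DestinationPortRange 443

# Rule 2 (inbound, priority 4000): deny all other traffic from inside the VNet.
# Needed because the built-in AllowVnetInBound rule at priority 65000 would otherwise allow it.
$denyVnet = New-AzNetworkSecurityRuleConfig -Name "Deny-VNet-Inbound" `
    -Description "Block remaining intra-VNet traffic into subnet B" `
    -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

# Rule 3 (outbound, priority 100): subnet B may not initiate anything toward subnet A.
# NSGs are stateful, so replies to the allowed A->B flows are still permitted.
$denyBtoA = New-AzNetworkSecurityRuleConfig -Name "Deny-B-to-A" `
    -Description "Subnet B must not initiate connections to subnet A" `
    -Access Deny -Protocol * -Direction Outbound -Priority 100 `
    -SourceAddressPrefix $subnetB -SourcePortRange * `
    -DestinationAddressPrefix $subnetA -DestinationPortRange *

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "SL-NSG-SubnetB" -SecurityRules $allowAtoB, $denyVnet, $denyBtoA

# Attach the NSG to subnet B; nothing takes effect until the VNet is written back.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "SubnetB" `
    -AddressPrefix $subnetB -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: custom rules in evaluation order (lowest priority number wins within a direction).
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "SL-NSG-SubnetB").SecurityRules |
    Sort-Object Direction, Priority |
    Select-Object Name, Direction, Priority, Access, SourceAddressPrefix, DestinationAddressPrefix
```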

So let's talk about some of the core VNet capabilities:

  • Isolated by default: if you create a VNet, you can create multiple VNets all with the same address space, because they are isolated, as long as they do not connect to each other. Only when you peer or otherwise connect them do you need to think about the overlapping address space problem. As long as they stay isolated you can reuse the same address space across different VNets and subnets.
  • Since they are isolated, they are also security boundaries.
  • They provide internet access out, and with public IP addresses they can also provide internet access in.
  • Azure resource connectivity: they have connectivity to all Azure resources, as you will see as you build VMs, storage and so on; you can connect those into the VNets themselves.
  • On-premises connectivity: they provide on-premises connectivity through the various mechanisms available in hybrid connectivity scenarios.
  • Traffic filtering: they have filtering capability through things like Network Security Groups.
  • Routing: they have routing capabilities, with some default routing behaviours built in and additional user-defined routing capabilities you can configure; the defaults are taken care of for you.
  • Connect virtual networks: last but not least, you can connect virtual networks together.

Let's now talk about the IP address space:

  • Point 1: VNets use the standard private address space you are familiar with from existing networking concepts.
  • You cannot add the following address ranges.

Let's take a moment to understand Azure reserved IP addresses.

It is very important to know that you lose 5 addresses in each subnet once you take these into consideration.
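As an added example (not from the course), the following pure PowerShell functions list the five addresses Azure reserves in any subnet, the usable host count that remains, and whether a subnet prefix actually fits inside the VNet address space. The function and parameter names are my own; the sample prefixes at the bottom are constructed inputs.

```powershell
# Added example, not from the course: pure PowerShell, no Azure connection required.
function ConvertTo-IpNumber ([string]$Ip) {
    # Dotted quad -> integer (kept in a 64-bit value so there are no sign problems).
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function ConvertFrom-IpNumber ([long]$N) {
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}

function Get-PrefixRange ([string]$Cidr) {
    # First and last address of a CIDR block, plus its size.
    $ip, $bits = $Cidr.Split('/')
    $size  = [long][math]::Pow(2, 32 - [int]$bits)
    $start = [long][math]::Floor((ConvertTo-IpNumber $ip) / $size) * $size
    return @{ Start = $start; End = ($start + $size - 1); Size = $size }
}

function Get-AzureSubnetInfo ([string]$VNetPrefix, [string]$SubnetPrefix) {
    $v = Get-PrefixRange $VNetPrefix
    $s = Get-PrefixRange $SubnetPrefix
    # Azure reserves five addresses per subnet: the network address, the default
    # gateway (.1), two for Azure DNS (.2 and .3) and the broadcast address (last).
    $offsets  = @(0, 1, 2, 3, ($s.Size - 1))
    $reserved = $offsets | ForEach-Object { ConvertFrom-IpNumber ($s.Start + $_) }
    [pscustomobject]@{
        Subnet      = $SubnetPrefix
        FitsInVNet  = ($s.Start -ge $v.Start) -and ($s.End -le $v.End)
        Reserved    = ($reserved -join ', ')
        FirstUsable = ConvertFrom-IpNumber ($s.Start + 4)
        UsableHosts = $s.Size - 5
    }
}

# Constructed inputs: a /22 VNet, one /24 that lies inside it and one that lies just past its end.
Get-AzureSubnetInfo -VNetPrefix "10.0.0.0/22" -SubnetPrefix "10.0.2.0/24"
Get-AzureSubnetInfo -VNetPrefix "10.0.0.0/22" -SubnetPrefix "10.0.4.0/24"
```

Running the second call before you submit a subnet to Azure catches the "subnet is not valid in virtual network" error locally instead of at deployment time.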

Which resources can you assign public IP addresses to?


Two SKUs are available that you need to consider when choosing your public IP address:

  • Basic SKU: the basic one was the default option before the introduction of SKUs; it is the basic public address option.
  • Dynamic allocation: when the VM is started an IP address is automatically allocated, and when the machine is de-allocated the public IP is de-allocated as well.
  • Without a Network Security Group around your VM, you are absolutely at the mercy of the VM's own firewall and nothing else, so it is absolutely necessary to have an NSG.
  • They do not support Availability Zones.

Some key points for VNets before we wrap up this lecture.

16. Demo: Create VNet in the Azure Portal

http://azure.portal.com


Click Add


SL-Network-Portal  -- Name

East-US


Go to the left-hand side and click Virtual Network. If you have any virtual networks already, they will show up here.


Click Add to add a new Virtual Network.




Service Endpoints allow us to take a storage account and make it accessible directly from the VNet. The firewall option is Azure Firewall, which is also covered in the Microsoft security certification.

Click Create .


click on it

We can see Address Space here .


Connected devices:

Subnets: if you want to add additional subnets.

Subnet-B



Click into it.

Note that 5 IP addresses are already used by the subnet itself.

And if you want to delete a subnet, you can simply delete it.

 

17. Demo: Create VNet in PowerShell

How to create a VNet using PowerShell.

What I have here is a script, which I have also attached in the course.

#Resource Group and Location
$rg = "SL-Network"
$location = "EastUS"

#VNET Name and Address Space (a /22 spans 10.0.0.0 - 10.0.3.255)
$VNETName = "SL-VNET-PShell"
$VNETAddressSpace = "10.0.0.0/22"

#Subnet Configurations (each /24 is carved out of the /22 above)
$websubnet = New-AzVirtualNetworkSubnetConfig -Name "SL-Web" -AddressPrefix "10.0.0.0/24"
$appsubnet = New-AzVirtualNetworkSubnetConfig -Name "SL-App" -AddressPrefix "10.0.1.0/24"
$dbsubnet = New-AzVirtualNetworkSubnetConfig -Name "SL-Data" -AddressPrefix "10.0.2.0/24"

#Create Resource Group
New-AzResourceGroup -Name $rg -Location $location

#Create VNET and Subnets (all three subnet configs are passed in)
$virtualNetwork = New-AzVirtualNetwork -Name $VNETName -ResourceGroupName $rg `
    -Location $location -AddressPrefix $VNETAddressSpace -Subnet $websubnet,$appsubnet,$dbsubnet

#Add Additional Subnet (only changes the local object until Set-AzVirtualNetwork runs;
#10.0.4.0/24 lies outside the /22, which is the error shown later in the demo)
$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
  -Name "LastSubnet" `
  -AddressPrefix "10.0.4.0/24" `
  -VirtualNetwork $virtualNetwork

#Write the changes to the VNET
$virtualNetwork | Set-AzVirtualNetwork


Let's run this portion of the script.


There are some warnings; ignore them.

If you go to the VNet:

And now if you look at my address space:


I have got my three subnets as indicated in my PowerShell script.


Next he runs the additional part of the script, which refers to the $virtualNetwork variable.

But these changes are not yet reflected in the subnets, therefore you have to execute the command below as well to apply them.

$virtualNetwork | Set-AzVirtualNetwork

There is an error stating that the last subnet is not valid in the virtual network. That is because the subnet exceeds the range: 10.0.4.0/24 does not fit inside our 10.0.0.0/22.

So what we have to do now is clear that subnet config and create it again. The last subnet needs to be removed:

Remove-AzVirtualNetworkSubnetConfig -Name "LastSubnet" -VirtualNetwork $virtualNetwork

 

And now apply the changes to the network.

If you now go to the Azure portal and back into Subnets


18. Lecture: VNet Peering and Connectivity

How do we connect different VNets together? Perhaps we have workloads in one VNet, say VNet A, and we want to connect them to another service in VNet B. What are the options to do that?

The first thing you need to be aware of is the Azure network topology options available to us:

  • Hub & Spoke: the most common method.
  • Daisy Chain: you want to go from VNet 1 to VNet 2, and you have services in VNet 2 that perhaps want to go on to another VNet.
  • Mesh: you have all of the above and more; different VNets all peered with other VNets so that they can all talk to each other.

So it is important to decide what your goals are and where you are going in terms of the VNets. But don't over-complicate this, because I have seen loads of networks that are too complicated.

It is now important to understand how VNet peering works.


The VNets on the left are peered to the Hub shared VNet, so services in the App Team VNet can talk to services in the Hub shared VNet. Now we can add another peer to the hub.


What is important to know is that services in the App Team VNet cannot talk to the newly peered VNet on the far right. That is because you cannot daisy-chain VNets from a connectivity point of view: you need gateways or other mechanisms for that.

Peering:

Peering is a method that allows two networks to connect and exchange traffic directly, without having to pay a third party to carry the traffic across the Internet.

It is important that peering can be between VNets in any of the regions, but it cannot be between or across clouds.


19. Demo: VNet Peering

We are going to create a Resource Group to put our two VNets in.

Resource Group -- Add

Next we will go to VNets and click Add.


We will create 2 VNets, so the process is done twice.

When you create the 2nd VNet, the portal senses that there is already a VNet in this region and therefore proposes a new address space in the next range.


Because there is already an address range of 10.1.0.0/16, it creates the 10.2 range.


If you go inside SL-VNET1 and choose Peerings from the left side.


Our VNets will be listed here.



Now I have some settings for the peering itself: what connectivity would I allow.



There is a configuration called "Allow gateway transit". If you did have a gateway, this is the one you might choose. Currently we have no gateway, so we skip it by leaving "Allow gateway transit" unchecked.

The connection is established and it doesn't take long to complete. Click the Refresh button.


So we have created two-way peering, where VNet1 can communicate with VNet2 and similarly VNet2 can communicate with VNet1.
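The same two-way peering, as an added example in Az PowerShell rather than the portal (this is not the course's own code). The resource group name is an assumption; the VNet names and ranges follow the demo.

```powershell
# Added example, not the course's own code. Placeholder: resource group name.
$rg = "SL-VNET-Peering"
$vnet1 = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "SL-VNET1"   # 10.1.0.0/16
$vnet2 = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "SL-VNET2"   # 10.2.0.0/16

# Peering is a pair of one-way links, one created on each VNet. It is not transitive: a VNet
# peered to SL-VNET2 later would not become reachable from SL-VNET1 through this pair.
# No gateway exists in the demo, so AllowGatewayTransit and UseRemoteGateways stay off (the unchecked box).
Add-AzVirtualNetworkPeering -Name "SL-VNET1-to-SL-VNET2" -VirtualNetwork $vnet1 `
    -RemoteVirtualNetworkId $vnet2.Id | Out-Null
Add-AzVirtualNetworkPeering -Name "SL-VNET2-to-SL-VNET1" -VirtualNetwork $vnet2 `
    -RemoteVirtualNetworkId $vnet1.Id | Out-Null

# Check: both sides must report PeeringState "Connected". "Initiated" means the reverse link is missing.
foreach ($name in "SL-VNET1", "SL-VNET2") {
    Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $name |
        Select-Object Name, PeeringState, AllowVirtualNetworkAccess, AllowForwardedTraffic, `
                      AllowGatewayTransit, UseRemoteGateways
}
```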

 

Often we would want to connect our Azure network to our on-premises network, so there are a number of hybrid connectivity options.

Hybrid cloud connectivity

A hybrid cloud network is a network that enables data transfers between on-premises IT resources, private clouds and public clouds, in other words, a hybrid cloud.

Hybrid cloud refers to a mixed computing, storage and services environment made up of on-premises infrastructure, private cloud services and a public cloud such as Amazon Web Services (AWS) or Microsoft Azure, with orchestration among the various platforms.

  • S2S VPN (Site-to-Site VPN): this is how most people get started before they commit to something larger. Essentially it involves connecting a datacenter to Azure over a VPN device.
  • ExpressRoute: this is for people who are mature and ready to gravitate to it once they adopt a lot of Azure and decide they are ready for a dedicated circuit. Maybe I am doing a large-scale migration; maybe I have loads of data on-premises and in the public cloud with apps running everywhere, and I really want Azure to feel like a permanent extension of my datacenter. ExpressRoute is a good method for that.
  • Point-to-Site (P2S): a very easy way to connect your laptop into the VNet.


On one side we have an on-premises datacenter with its own IP range, and on the other side, on the left, we have Azure with a VPN Gateway. Essentially we need to connect these together. We need a public IP on each side: on the right-hand side you can see a VPN-VIP, and on the left-hand side we have a VPN-VIP as well. What we do then is create an IPsec/IKE VPN tunnel between the two, and now they are connected.

Now we can also do this with multiple sites and multiple datacenters, but we cannot have overlapping address spaces, because they will not work from a routing perspective.


Multiple sites are all connected to the VPN gateway. You can also create multiple VIPs if you want to connect multiple offices into different VPN gateways and segments of the Azure network.

Point-to-Site is connecting individual clients to the site / Azure infrastructure, where the clients use a VPN client.

This can be people at their desk or on a laptop connecting to the VPN network. They can use SSTP or IKEv2.
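The site-to-site setup from the diagram above, scripted as an added example (not the course's own code). Assumptions: a resource group SL-Hybrid with an existing hub VNet SL-VNET-Hub in 10.0.0.0/16, an on-premises VPN device at 203.0.113.10 (a documentation address) with range 192.168.0.0/16, and a Key Vault holding the pre-shared key; all of these are placeholders.

```powershell
# Added example, not the course's own code. Placeholders: resource group, VNet, gateway subnet prefix,
# on-premises VPN device IP (203.0.113.10) and on-premises range (192.168.0.0/16), Key Vault name.
$rg = "SL-Hybrid"; $location = "EastUS"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "SL-VNET-Hub"

# 1. Gateway subnet: must be named exactly "GatewaySubnet" and lie inside the VNet address space.
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.0.255.0/27" `
    -VirtualNetwork $vnet | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# 2. The Azure-side VPN-VIP from the diagram.
$gwPip = New-AzPublicIpAddress -Name "SL-VPN-VIP" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$gwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $gwPip.Id

# 3. VPN gateway. The SKU (VpnGw1 here) sets throughput and tunnel limits; deployment takes a long time.
$gw = New-AzVirtualNetworkGateway -Name "SL-VPN-GW" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 4. The on-premises side: its VPN-VIP and its address range, which must not overlap the VNet.
$lng = New-AzLocalNetworkGateway -Name "SL-OnPrem-GW" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix "192.168.0.0/16"

# 5. The IPsec/IKE tunnel. The pre-shared key is read from Key Vault rather than written into the script.
$psk = Get-AzKeyVaultSecret -VaultName "<vault-name>" -Name "s2s-psk" -AsPlainText
New-AzVirtualNetworkGatewayConnection -Name "SL-S2S" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# Check: once the on-premises device is configured with the same key, ConnectionStatus becomes "Connected".
(Get-AzVirtualNetworkGatewayConnection -Name "SL-S2S" -ResourceGroupName $rg).ConnectionStatus
```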

In addition, one of the things you need to be aware of while creating VPN gateways is the various SKUs.

Go to the above link

If you want something a little more dedicated, a little more private, with better guaranteed throughput, we can look at something like ExpressRoute.

This is essentially a dedicated circuit between us and Microsoft Azure. First of all we have our network on the left-hand side. We choose a partner who is going to provide that connection all the way across to the Microsoft edge. Then we have the flexibility of looking at the private services or the public services available to us in Azure. The private services allow us to connect to anything we have created in Azure, VNets and so on. The public services, in contrast, are services such as Microsoft 365, Blob storage and Power BI: services that are publicly exposed.



In addition, there are three connectivity models that you need to choose between.


21. Lecture: Routing

To make sure we understand all the key elements of core networking concepts, one thing we absolutely need to nail down is routing.

Every subnet has a route table.



What happens when you want to adjust the routing behaviour? That's when User Defined Routes come in. User defined routes allow you to override the default system routes provided by Azure. This is commonly used for forced tunneling and for managing the default internet traffic of VMs.


Here are the default system routes.


You have Web1, Web2, DB1 and DB2, all in the same virtual network; they can always communicate with each other, the system routes take care of that, and the same goes for the internet: we know we can go out to the internet. So if I want to change the route, I add a UDR.


You can see two UDRs there, one associated with the front-end subnet and one with the back-end subnet. I am saying I want Web1 and Web2 to communicate with DB1 and DB2, but instead of going directly I am going through a VM appliance, so we are changing the routing behaviour there.


22. Demo: User Defined Routes

In this demonstration we are going to see how to create a route table and assign it to a subnet.

Azure Portal -- Go to Virtual Networks


SL-VNET1 -- Subnets: I am going to change the behaviour for this subnet.



I want to change the behaviour of this subnet: any workloads I put there should be redirected to a virtual appliance. To begin with I need a route table.

Click the default subnet --


If you click there you can see the route table drop-down.

I do not have any route tables to use, so I need to go ahead and create one first.

Search for Route Table in the search bar at the top of the screen in the Azure portal.


Or you can click on All services and search for route tables; it will show up there as well.



The resource group that I am going to use is SL-VNET-Peering.

And I can choose to allow or not allow virtual network gateway route propagation. Network gateway propagation is essentially about the case where your on-premises network gateway exchanges BGP routes with the Azure virtual network gateway: a route is added for each route propagated from the on-premises network gateway.

So Microsoft recommends that you summarize your on-premises routes to the largest address ranges possible, so that the fewest routes are propagated to the Azure virtual network.

But most people simply leave this enabled when they create their route tables. Every situation is a little bit different, though.

Click Create and it simply creates the route table.


You can see it is not associated with any subnets at this point.

Click on Routes on the left -- click Add



This is where I define my routes. Route name: let's say I want to go to my virtual appliance, "PaloAlto" as an example. And I can choose my address prefix.


Then I choose the hop type.




10.1.0.2 -- that would be the next hop.

Meaning: any traffic destined for 10.2.0.0/16 goes through the virtual appliance located at 10.1.0.2.


Next I need to go ahead and associate this route table with a subnet. Click Subnets on the left.

Click on Associate.




Now that route table is associated with the default subnet in SL-VNET1.


Go to Virtual networks -- SL-VNET1 -- Subnets -- click the default subnet --


All the systems we deploy in that subnet of VNet1 now go through the virtual appliance.

To disassociate it, I can do that here as well: I simply remove it

and save.

Caution

You can get out of control here with route tables. Try to automate as much as you can when you deploy your virtual networks, so that subnets automatically include the routes.
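In the spirit of that caution, here is the route table from this demo scripted in Az PowerShell, as an added example (not the course's own code). The destination 10.2.0.0/16, the next hop 10.1.0.2 and the resource group SL-VNET-Peering come from the demo; the route table name, VNet/subnet names, location and the appliance NIC name are assumptions.

```powershell
# Added example, not the course's own code. Placeholders: route table name, VNet/subnet names, location, NVA NIC.
$rg = "SL-VNET-Peering"; $location = "EastUS"
$vnetName = "SL-VNET1"; $subnetName = "default"

# Route table. -DisableBgpRoutePropagation is omitted, so gateway route propagation stays enabled,
# which is what the lecture says most people do.
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name "SL-RT-Default"

# The UDR: traffic for the peered VNet goes via the virtual appliance instead of the system route.
Add-AzRouteConfig -RouteTable $rt -Name "PaloAlto" -AddressPrefix "10.2.0.0/16" `
    -NextHopType VirtualAppliance -NextHopIpAddress "10.1.0.2" | Out-Null
$rt = $rt | Set-AzRouteTable

# Associate the table with the subnet; the VNet must be written back for it to take effect.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check 1: the route and the subnet association are in place.
$rt = Get-AzRouteTable -ResourceGroupName $rg -Name "SL-RT-Default"
$rt.Routes  | Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
$rt.Subnets | Select-Object Id

# Check 2: the appliance's NIC must have IP forwarding enabled, or Azure drops the redirected packets.
# (Replace <nva-nic> with the name of the appliance's network interface.)
(Get-AzNetworkInterface -ResourceGroupName $rg -Name "<nva-nic>").EnableIPForwarding
```

Get-AzEffectiveRouteTable against a NIC in the subnet shows the UDR winning over the system route for 10.2.0.0/16 once the association has been written.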


23. Lecture: Internet Access and DNS

All devices in a VNet can communicate with the internet by default. The way that works is that the private IP is SNATed (Source Network Address Translated) to a public IP selected by Azure.

Outbound connectivity can be restricted via routes or traffic filtering: if you want to route that traffic through an appliance we can do that, or you can filter it with something like network security groups.

Inbound connectivity without SNAT requires a public IP. That is, if we have communicated out to the internet and want the reply to come back in, that obviously works because the SNAT is in place; for unsolicited inbound traffic you need a public IP.






24. Demo: Private DNS

Click All services -- click Private DNS. I am going to choose Private DNS.





We will create a new virtual network.


I am going to provision two VMs and see how DNS works there.

Next go to DNS -- Private DNS Zone -- let's create the Virtual Network Links.



Enable auto registration: this takes a lot of the pain out of DNS management.


Go through DNS once again.
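The private zone and auto-registration link from this demo in Az PowerShell, as an added example (not the course's own code). The resource group SL-DNS, the VNet SL-VNET-DNS, the zone name sl.internal and the link name are assumptions.

```powershell
# Added example, not the course's own code. Placeholders: resource group, VNet, zone and link names.
$rg       = "SL-DNS"
$zoneName = "sl.internal"
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "SL-VNET-DNS"

$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName

# Link the VNet to the zone. -EnableRegistration makes every VM in that VNet register its own A record
# automatically. A VNet can have only one registration link; resolution-only links (without the switch)
# can be added to other VNets that just need to resolve the zone.
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-sl-vnet-dns" -VirtualNetworkId $vnet.Id -EnableRegistration | Out-Null

# Check: once the two VMs have booted, their auto-registered A records appear here.
Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName -RecordType A |
    Select-Object Name, Ttl, @{ n = 'Ip'; e = { $_.Records.Ipv4Address -join ',' } }, IsAutoRegistered
```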


25. Demo: Azure Public DNS Zone