ADVANCED MICROSOFT
CLOUD INFRASTRUCTURE & AUTOMATION
Week 2 – Virtual Networks
Day 2 – Hybrid Networking
WHAT WE WILL LEARN TODAY
• Understand Azure VPN Gateways
• Azure Point-to-Site Connection
• Azure Virtual Wide Area Network (WAN)
• Network Virtual Appliance (NVA) in a Virtual Hub
• Azure ExpressRoute
VPN GATEWAY
• Azure VPN Gateway is a service that can be used to send encrypted traffic between an Azure VNet and on-premises locations over the Internet
• It can also be used to send encrypted traffic between Azure VNets over the Microsoft network
• Multiple connections can be created to the same VPN gateway; however, all VPN tunnels share the available gateway bandwidth
There are 3 configurations for the VPN Gateway:
1. Site-to-Site (S2S): connections connect on-premises datacenters to Azure virtual networks
2. VNet-to-VNet: connections connect Azure virtual networks to each other
3. Point-to-Site (User VPN): connections connect individual devices to Azure virtual networks
VPN GATEWAY
CREATION
• The first step is to create a gateway subnet to contain the IP addresses for the VPN tunnels (preferred CIDR block of /27 or larger)
• Azure will deploy gateway VMs to the gateway subnet and the required VPN gateway settings will be automatically configured
• Never deploy other resources (for example, additional VMs) to the gateway subnet
• The VPN is route-based, with the gateway SKU affecting the number of connections it can have and the aggregate throughput benchmark
• Create a virtual network that includes the gateway subnet and provide it with a public IP address
• It can take up to 45 minutes to provision the VPN gateway
VPN GATEWAY
LOCAL NETWORK GATEWAY
• The Local Network Gateway reflects the on-premises network configuration and enables Azure to route to your on-premises network
• Give the site a name by which Azure can refer to it
• Use a public IP address or Fully Qualified Domain Name (FQDN) for the Endpoint
• Specify the IP address prefixes that will be routed through the gateway to the VPN device
VPN GATEWAY
ON-PREMISES VPN DEVICE
• Consult the list of supported VPN devices (Cisco, Juniper, Ubiquiti, Barracuda Networks) for how to configure the device (a VPN device configuration script may be available)
• Specify the public IP address as set up in Azure (previous slide)
• Create a shared key to use with the Azure connection (next slide)
VPN GATEWAY
CONNECTING
• Once the VPN Gateway is created and the on-premises device is configured, create a connection object
• Configure a name for the connection and specify the type as Site-to-site (IPsec)
• Select the VPN gateway and the Local Network Gateway
• Enter the shared key (created in the previous slide) for the connection
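The gateway, Local Network Gateway, device and connection slides above describe one planning procedure. The script below is an added example for this lesson (it is not Microsoft's code or tooling) that turns those rules into pre-flight checks before the connection object is created: a gateway subnet of /27 or larger that sits inside the VNet and overlaps no other subnet, a Local Network Gateway endpoint that is a public IP address or an FQDN with on-premises prefixes that do not overlap the VNet, and a shared key that is long and random. The function names, the plan layout and the addresses in the usage section are this example's own constructed values.

```python
"""Pre-flight checks for an Azure Site-to-Site (S2S) VPN connection plan.

Added example for the lesson, not Microsoft's code. All addresses used in
the __main__ block are constructed sample values.
"""
import ipaddress
import re
import secrets

# Loose FQDN syntax check: dot-separated labels ending in an alphabetic TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def check_gateway_subnet(vnet_cidr, gateway_subnet_cidr, other_subnets=()):
    """Return a list of problems with the gateway subnet (empty list means OK)."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr)
    gw = ipaddress.ip_network(gateway_subnet_cidr)
    if not gw.subnet_of(vnet):
        problems.append(f"gateway subnet {gw} is not inside VNet {vnet}")
    if gw.prefixlen > 27:  # a longer prefix (/28, /29, ...) is a smaller block
        problems.append(f"gateway subnet {gw} is smaller than /27")
    for cidr in other_subnets:  # nothing else may share the gateway subnet
        if gw.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"gateway subnet {gw} overlaps subnet {cidr}")
    return problems


def check_local_network_gateway(vnet_cidr, endpoint, local_prefixes):
    """Check the Local Network Gateway: endpoint form and prefix overlap."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr)
    try:
        ip = ipaddress.ip_address(endpoint)
        if not ip.is_global:  # private or reserved addresses are not reachable peers
            problems.append(f"endpoint {ip} is not a public IP address")
    except ValueError:  # not an IP literal, so it must look like an FQDN
        if not FQDN_RE.match(endpoint):
            problems.append(f"endpoint {endpoint!r} is neither an IP address nor an FQDN")
    for cidr in local_prefixes:  # on-premises prefixes must not collide with the VNet
        net = ipaddress.ip_network(cidr)
        if net.overlaps(vnet):
            problems.append(f"on-premises prefix {net} overlaps VNet {vnet}")
    return problems


def new_shared_key(nbytes=32):
    """Generate a random pre-shared key for the IPsec connection (hex string)."""
    return secrets.token_hex(nbytes)


def check_shared_key(key):
    """Reject short or low-variety shared keys."""
    problems = []
    if len(key) < 32:
        problems.append("shared key is shorter than 32 characters")
    if len(set(key)) < 10:
        problems.append("shared key uses fewer than 10 distinct characters")
    return problems


def plan_s2s(name, vnet_cidr, gateway_subnet_cidr, other_subnets,
             endpoint, local_prefixes, shared_key):
    """Assemble the connection object's fields together with every problem found."""
    problems = (check_gateway_subnet(vnet_cidr, gateway_subnet_cidr, other_subnets)
                + check_local_network_gateway(vnet_cidr, endpoint, local_prefixes)
                + check_shared_key(shared_key))
    return {
        "name": name,
        "connection_type": "Site-to-site (IPsec)",
        "gateway_subnet": gateway_subnet_cidr,
        "local_gateway_endpoint": endpoint,
        "local_prefixes": list(local_prefixes),
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    # Constructed sample plan: a /16 VNet, a /27 gateway subnet, one workload
    # subnet, an FQDN endpoint and one on-premises prefix.
    key = new_shared_key()
    plan = plan_s2s("contoso-s2s", "10.1.0.0/16", "10.1.255.0/27", ["10.1.0.0/24"],
                    "vpn.contoso.example", ["192.168.10.0/24"], key)
    print("plan OK" if plan["ok"] else "\n".join(plan["problems"]))
```

The shared key is generated locally and only its shape is checked; it still has to be entered identically on the on-premises device and in the Azure connection object.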
VPN GATEWAY
S2S CONNECTION
• Take time to carefully plan your network configuration
• On-premises configuration of the VPN device is necessary when connecting Site-to-Site
• Always verify and test your connections
VPN GATEWAY
VALIDATION & TROUBLESHOOTING
• Validate VPN throughput to a VNet
• Troubleshoot Azure VPN Gateway using diagnostic logs
• Check whether the on-premises VPN device is validated
• Verify the shared key and the VPN peer IPs
• Utilize Network Watcher
• Check UDR and NSGs on the gateway subnet
• Verify the Azure gateway health probe
• Check whether the on-premises VPN device has the perfect forward secrecy feature enabled
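As an added example of the "diagnostic logs" item on the checklist above (not part of the slides or of any Microsoft tool), the script below triages gateway resource-log records: it tracks each S2S tunnel's last reported state and how often it changed, and collects IKE messages that report a failure, which is where a shared-key or peer-IP mismatch and unsupported proposals usually surface. The category names TunnelDiagnosticLog and IKEDiagnosticLog are the gateway's diagnostic categories; the field names under "properties" and the records themselves are constructed for this example and are not a documented schema.

```python
"""Triage Azure VPN Gateway diagnostic log lines (added example, not Microsoft code).

Input is one JSON object per line. The record layout under "properties" is
an assumption made for this example; SAMPLE_LOG is constructed data.
"""
import json

SAMPLE_LOG = """\
{"time":"2024-05-01T08:30:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"198.51.100.20","status":"Disconnected","stateChangeReason":"DPD timeout"}}
{"time":"2024-05-01T08:00:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"198.51.100.10","status":"Connected","stateChangeReason":"SA established"}}
{"time":"2024-05-01T08:05:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"198.51.100.10","status":"Disconnected","stateChangeReason":"DPD timeout"}}
{"time":"2024-05-01T08:06:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"198.51.100.10","status":"Connected","stateChangeReason":"SA established"}}
{"time":"2024-05-01T08:07:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"198.51.100.10","status":"Disconnected","stateChangeReason":"DPD timeout"}}
{"time":"2024-05-01T08:08:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"198.51.100.10","status":"Connected","stateChangeReason":"SA established"}}
{"time":"2024-05-01T08:00:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"198.51.100.20","status":"Connected","stateChangeReason":"SA established"}}
{"time":"2024-05-01T08:30:05Z","category":"IKEDiagnosticLog","properties":{"remoteIP":"198.51.100.20","message":"IKE_SA_INIT failed: no proposal chosen"}}
{"time":"2024-05-01T08:31:00Z","category":"GatewayDiagnosticLog","properties":{"message":"Configuration applied"}}
not a json line
"""


def parse_records(text):
    """Parse JSON lines, skip anything unparsable, and order records by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # exported logs sometimes carry partial or non-JSON lines
    return sorted(records, key=lambda r: r.get("time", ""))


def triage(records, flap_threshold=3):
    """Summarise tunnel health and IKE failures from time-ordered records."""
    tunnels = {}
    ike_errors = []
    for rec in records:
        props = rec.get("properties", {})
        cat = rec.get("category")
        if cat == "TunnelDiagnosticLog":
            peer = props.get("remoteIP")
            state = tunnels.setdefault(
                peer, {"status": None, "transitions": 0, "last_reason": None})
            # Count a transition whenever the reported status differs from the last one.
            if state["status"] is not None and props.get("status") != state["status"]:
                state["transitions"] += 1
            state["status"] = props.get("status")
            state["last_reason"] = props.get("stateChangeReason")
        elif cat == "IKEDiagnosticLog":
            msg = props.get("message", "")
            if any(word in msg.lower() for word in ("fail", "error", "no proposal")):
                ike_errors.append({"peer": props.get("remoteIP"), "message": msg})
    down = sorted(p for p, s in tunnels.items() if s["status"] == "Disconnected")
    flapping = sorted(p for p, s in tunnels.items() if s["transitions"] >= flap_threshold)
    return {"tunnels": tunnels, "down": down, "flapping": flapping, "ike_errors": ike_errors}


def triage_text(text, flap_threshold=3):
    """Convenience wrapper: raw log text in, triage summary out."""
    return triage(parse_records(text), flap_threshold)


if __name__ == "__main__":
    result = triage_text(SAMPLE_LOG)
    for peer in result["down"]:
        print(f"tunnel to {peer} is down: {result['tunnels'][peer]['last_reason']}")
    for peer in result["flapping"]:
        print(f"tunnel to {peer} changed state {result['tunnels'][peer]['transitions']} times")
    for err in result["ike_errors"]:
        print(f"IKE failure with {err['peer']}: {err['message']}")
```

A tunnel that is down together with an IKE failure for the same peer points at the key, peer IP or proposal checks on the list; a tunnel that flaps while IKE is clean points more at the path (UDRs and NSGs on the gateway subnet, or the device's DPD settings).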
EXERCISE
CREATE A VIRTUAL NETWORK GATEWAY
Configure a virtual network gateway to connect the Contoso Core Services VNet and Manufacturing VNet
POINT-TO-SITE
Available Protocols
• OpenVPN® Protocol: an open-source VPN protocol that creates secure, encrypted connections over the internet using SSL/TLS
• Secure Socket Tunneling Protocol (SSTP): this protocol is developed by Microsoft for secure, encrypted client / server connection using SSL/TLS over TCP port 443
• IKEv2 VPN: Internet Key Exchange version 2 is a VPN protocol that establishes secure connections by authentication processes within the IPsec suite
Authentication Methods
• Azure certificate authentication: obtain a root certificate and upload the public key information to Azure, so the root certificate is considered 'trusted' for the P2S connection
• Microsoft Entra authentication: gateway options using Basic SKUs or a policy-based VPN type are incompatible with P2S VPN gateways that use Microsoft Entra ID authentication
• Active Directory (AD) Domain Server: requires a RADIUS server that integrates with the AD server and allows users to sign in to Azure using their organization domain credentials
POINT-TO-SITE
CONFIGURATION IN AZURE
• Navigate to the Settings section of the virtual network gateway
• Select Point-to-site configuration and click Configure now to open the configuration page
• On the Point-to-site configuration page, in the Address pool box, add the private IP address range that you want to use
• VPN clients dynamically receive an IP address from the range that you specify
• The minimum subnet mask is 29 bits for an active/passive and 28 bits for an active/active configuration
VIRTUAL WANS
• Azure Virtual WAN is the service that brings together S2S, P2S, and ExpressRoute
• It implements the integrated connectivity using the Hub-and-Spoke connectivity model
• Virtual Networks and workloads are automatically connected to the Azure hub to enable visualization of the end-to-end flow within Azure
• There are 2 types of WAN:
• Basic WAN: only supports S2S connectivity
• Standard WAN: supports all connections over the virtual hub
VIRTUAL WANS
CREATION
• The minimum address space to create a hub is /24
• There is no need to explicitly plan the subnet address space for the services in the virtual hub
• Azure Virtual WAN is a managed service: it creates the appropriate subnets in the virtual hub for the different gateways / services
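The Point-to-Site configuration slide and the Virtual WAN creation slide each state a sizing rule: a P2S address pool no smaller than /29 for an active/passive gateway and /28 for active/active, and a hub address space of /24 or larger. The script below is an added example for this lesson (not Microsoft's code) that checks both rules and, in addition, flags a pool or hub that overlaps the VNet or on-premises prefixes it will be routed against, since overlapping prefixes cannot be routed unambiguously. Function names are this example's own; the addresses in the usage section are constructed sample values.

```python
"""Address-space checks for a Point-to-Site pool and a Virtual WAN hub.

Added example for the lesson, not Microsoft's code. Addresses in __main__
are constructed sample values.
"""
import ipaddress


def min_p2s_pool_prefixlen(active_active):
    """Longest prefix (smallest pool) allowed for the gateway mode: /28 or /29."""
    return 28 if active_active else 29


def _overlapping(net, cidrs):
    """Return the CIDRs from the list that overlap the given network."""
    return [c for c in cidrs if net.overlaps(ipaddress.ip_network(c))]


def check_p2s_pool(pool_cidr, active_active, vnet_cidrs, onprem_prefixes=()):
    """Return a list of problems with the P2S address pool (empty list means OK)."""
    problems = []
    pool = ipaddress.ip_network(pool_cidr)
    limit = min_p2s_pool_prefixlen(active_active)
    if pool.prefixlen > limit:  # e.g. /30 is smaller than the /29 minimum
        mode = "active/active" if active_active else "active/passive"
        problems.append(f"pool {pool} is smaller than /{limit} required for {mode}")
    if not pool.is_private:  # the slide asks for a private range
        problems.append(f"pool {pool} is not a private address range")
    for c in _overlapping(pool, vnet_cidrs):
        problems.append(f"pool {pool} overlaps VNet address space {c}")
    for c in _overlapping(pool, onprem_prefixes):
        problems.append(f"pool {pool} overlaps on-premises prefix {c}")
    return problems


def check_vwan_hub(hub_cidr, connected_vnet_cidrs=(), onprem_prefixes=()):
    """Return a list of problems with the Virtual WAN hub address space."""
    problems = []
    hub = ipaddress.ip_network(hub_cidr)
    if hub.prefixlen > 24:
        problems.append(f"hub {hub} is smaller than the /24 minimum")
    for c in _overlapping(hub, list(connected_vnet_cidrs) + list(onprem_prefixes)):
        problems.append(f"hub {hub} overlaps {c}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a /16 VNet, an on-premises /16, a /29 client pool on an
    # active/passive gateway and a /24 hub for the Virtual WAN.
    vnets = ["10.1.0.0/16"]
    onprem = ["192.168.0.0/16"]
    for label, problems in (
        ("P2S pool", check_p2s_pool("172.16.201.0/29", False, vnets, onprem)),
        ("P2S pool (active/active)", check_p2s_pool("172.16.201.0/29", True, vnets, onprem)),
        ("vWAN hub", check_vwan_hub("10.100.0.0/24", vnets, onprem)),
    ):
        print(label, "OK" if not problems else "; ".join(problems))
```

The same /29 pool passes for an active/passive gateway and fails for active/active, which is the trap the slide's two mask values are warning about.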
EXERCISE
CREATE A VIRTUAL WAN
• Task 1: Create a Virtual WAN
• Task 2: Create a hub
• Task 3: Connect a VNet to the Virtual Hub
NVA IN VIRTUAL HUB
• Network Virtual Appliances (NVAs) can be deployed within an Azure Virtual WAN hub to enhance security and connectivity features
• NVAs act as 3rd-party gateways, providing functionalities like SD-WAN, firewalls, or a combination of both, and enabling traffic inspection and control between different network segments
• Deployed NVAs are provided as a solution jointly managed by Microsoft Azure and the 3rd-party NVA vendors
• Not all NVAs can be deployed into a Virtual WAN hub (even if listed in the Azure Marketplace); only NVAs from trusted partners can
• The list of partners can be found at: https://learn.microsoft.com/en-us/azure/virtual-wan/about-nva-hub#partners
NVA IN VIRTUAL HUB
DEPLOYMENT
• From inside the Virtual WAN hub, go to the Network Virtual Appliances tile and click on the Create link
• Select the NVA provider from the available list, then click the Create button
• NVA Infrastructure Units indicate the number of connections this NVA will use of the hub bandwidth capacity (aggregated across all the branch sites that will be connecting to this hub through this NVA)
• Token: some providers (such as Barracuda) require an authentication token to be provided to identify the Azure admin as a registered user of the NVA (tokens are obtained from the provider)
AZURE EXPRESSROUTE
NETWORK LAYER 3
• The Open Systems Interconnection Model (OSI Model) is a conceptual model created by ISO to enable communication between diverse systems using standard protocols
• It is the universal computer networking concept that splits the communication system into seven abstract layers, each one stacked upon the last
• The Network layer (layer 3 of the OSI Model) provides the routing and switching technologies that create logical paths known as Virtual Circuits (VC), which are used for the transmission of data between network nodes
• The main functions of the Network layer include routing and forwarding
AZURE EXPRESSROUTE
• Azure ExpressRoute provides layer 3 connectivity with high redundancy across all regions within a specific geography
• Admins gain global connectivity with the ExpressRoute premium add-on by enabling it across their on-premises connectivity, and benefit from ExpressRoute Global Reach
• Azure ExpressRoute provides:
• Bandwidth options from 50 Mbps up to 100 Gbps
• Billing models: Unlimited or Metered
AZURE EXPRESSROUTE
Benefits
• Predictable, reliable, and high-throughput connections
• Up to 100 Gbps bandwidth - supports dynamic scaling of bandwidth and direct access to national clouds
• Built-in redundant circuits
• Integrates with existing Multiprotocol Label Switching (MPLS)
• Up to 99.95% availability SLA across the entire connection
Challenges
• Working with a third-party connectivity provider
• Requires high-bandwidth routers on-premises
AZURE EXPRESSROUTE
USE CASES
AZURE EXPRESSROUTE
CONNECTIVITY MODELS
AZURE EXPRESSROUTE
DESIGN CONSIDERATIONS
AZURE EXPRESSROUTE
BFD
• Bidirectional Forwarding Detection (BFD) is a network protocol designed for rapid detection of failures in the forwarding path between two network devices
• BFD is configured by default on the Microsoft edge, so admins only need to configure it on both the primary and secondary devices
• Once configured on the device interface, it can then be linked to the BGP session
AZURE EXPRESSROUTE
ENCRYPTION
• To enable encryption for Azure ExpressRoute, the on-premises VPN is utilized
• The admin establishes ExpressRoute connectivity with an ExpressRoute circuit and private peering
• Then the VPN connectivity is established over ExpressRoute
• Encrypted routing then occurs between the on-premises networks and Azure across the ExpressRoute and VPN paths
AZURE EXPRESSROUTE
COEXISTING S2S
• When Site-to-Site (S2S) connectivity exists, the S2S VPN should be used as a secure failover path for ExpressRoute
• The S2S VPNs are also used to connect to sites that are not connected with ExpressRoute
• This is enabled by creating two VNet gateways for the same virtual network
EXERCISE
IDENTIFY THE EXPRESS ROUTE COMPONENTS
AZURE EXPRESSROUTE
GLOBAL REACH
• Designed to complement the service provider's WAN implementation and connect an organization's branch offices across the world
• Admins can link ExpressRoute circuits together to make a private network between their organization's on-premises networks
AZURE EXPRESSROUTE
FURTHER INFORMATION
• Simulation: https://mslabs.cloudguides.com/guides/AZ-700%20Lab%20Simulation%20-%20Configure%20an%20ExpressRoute%20gateway
• Simulation: https://mslabs.cloudguides.com/guides/AZ-700%20Lab%20Simulation%20-%20Provision%20an%20ExpressRoute%20circuit
• Reference: https://learn.microsoft.com/azure/expressroute/expressroute-howto-circuit-portal-resource-manager
• Reference: https://learn.microsoft.com/azure/expressroute/configure-expressroute-private-peering
END OF DAY 5

Microsoft Azure Hybrid Networking principles
