Exposing management endpoints (RDP, SSH, HTTP, and others) over a public IP address is not a good idea. Any kind of management access should be controlled and allowed only over a secure connection. Usually, this is done by connecting to a private network (via S2S or P2S) and accessing resources over private IP addresses. In some situations, this is not easy to achieve. The cause of this can be insufficient local infrastructure, or in some cases, the scenario may be too complex. Fortunately, there are other ways to achieve the same goal. We can safely connect to our resources using Azure Bastion, Azure Virtual WAN, and Azure Private Link.
We will cover the following recipes in this chapter:
For this chapter, the following is required:
Azure Bastion allows us to connect securely to our Azure resources without additional infrastructure. All we need is a browser. It is essentially a PaaS service provisioned in our virtual network that provides a secure RDP/SSH connection to Azure Virtual Machines. The connection is made directly from the Azure portal over Transport Layer Security (TLS).
Before we can create an Azure Bastion instance, we must prepare the subnet.
In order to create a new subnet for Azure Bastion, we must do the following:
Figure 9.1: Creating a new subnet for Azure Bastion
Figure 9.2: Fill in Name and Address range for the subnet
In order to create a new Azure Bastion instance, we must follow these steps:
Figure 9.3: Configuration details of a Bastion instance
Azure Bastion is provisioned inside our virtual network, which allows communication with all resources on that network. Using TLS, it provides a secure RDP and SSH connection to all resources on that network. The connection is made through a browser session, and no public IP address is required. This means that we don't need to expose any of the management ports over a public IP address.
After creating the Azure Bastion instance, let's move on to the next recipe, where we will learn how to connect to a virtual machine with Azure Bastion.
With Azure Bastion, we can connect to a virtual machine through the browser without a public IP address and without exposing it publicly.
Before you start, open the browser and go to the Azure portal via https://portal.azure.com.
In order to connect to a virtual machine with Azure Bastion, we must follow these steps:
Figure 9.4: Connecting to a virtual machine with Azure Bastion
Figure 9.5: Adding a username and password for the virtual machine
The connection will open in a new window, allowing you to fully manage your virtual machine. The interface depends on the default management port, RDP or SSH.
Azure Bastion uses a subnet in the virtual network to connect to virtual machines in that specific network. It provides a safe connection over TLS and allows a connection to a virtual machine without exposing it over a public IP address.
In this recipe, we learned how to connect a virtual machine with Azure Bastion. In the next recipe, we'll learn how to create a virtual WAN.
In many situations, the network topology can get very complex. It can be difficult to keep track of all network connections, gateways, and peering processes. Azure Virtual WAN provides a single interface to manage all these points.
Before you start, open the browser and go to the Azure portal via https://portal.azure.com.
Figure 9.6: Information for the virtual WAN resource
Azure Virtual WAN is ready for deployment and it usually takes only a few minutes to complete.
Azure Virtual WAN brings multiple network services to a single point. From here, we can configure, control, and monitor connections such as Site-to-Site, Point-to-Site, ExpressRoute, or a connection between virtual networks. When we have multiple Site-to-Site connections or multiple virtual networks connected with peering, it can be hard to keep track of all these resources. Virtual WAN allows us to do that with a single service.
This is accomplished with hubs, and in the next recipe, we'll see how to set one up.
Hubs are used as regional connection points. They contain multiple service endpoints that enable connectivity between different networks and services. They're the core of networking for each region.
Before you start, open the browser and go to the Azure portal via https://portal.azure.com.
Figure 9.7: Adding a new hub
Figure 9.8: Information for the new virtual hub
Figure 9.9: Configuring a Site-to-Site gateway
Figure 9.10: Configuring a Point-to-Site gateway
Figure 9.11: Creating a new VPN configuration
Figure 9.12: Adding Client address pool and Custom DNS Servers information
Figure 9.13: Configuring ExpressRoute
Virtual hubs represent control points inside a region. From there, we can define all connections to virtual networks inside the region. This applies to Site-to-Site, Point-to-Site, and ExpressRoute. Each section is optional, and we can create a hub without any configurations for connection types. If we choose to create them at this point, we need to provide an SKU for each type. A Point-to-Site connection also requires the user's VPN configuration to be provided. Each connection type can be added at a later time as well.
In this recipe, we learned how to create a virtual hub. Let's move on to the next recipe and learn how to add a Site-to-Site connection in a virtual hub.
After a virtual hub is created and the Site-to-Site SKU is defined inside the hub, we can proceed to create a Site-to-Site connection. For this, we need to apply the appropriate connection settings and provide configuration details.
Before you start, open the browser and go to the Azure portal via https://portal.azure.com.
In order to create a Site-to-Site connection in a virtual hub (under a virtual WAN), we must take the following steps:
Figure 9.14: Selecting the previously created hub in the Connectivity section
Figure 9.15: Selecting the Create new VPN site option in the Virtual HUB pane
Figure 9.16: Creating a VPN site
Figure 9.17: Providing link details in the Links pane
Figure 9.18: Clicking on the Connect VPN sites option to initiate the connection
Figure 9.19: Providing information in the Connect sites pane
Adding a Site-to-Site connection to our virtual hub allows us to connect to a virtual hub in a specific region from our on-premises network (or other networks using Virtual appliance). To do so, we must provide information about the VPN connection in the virtual hub and configure the VPN device that will be used to connect.
However, this allows us only to connect to the hub. We need to connect virtual networks in order to access Azure resources. In the next recipe, we'll see how to add a virtual network connection to the virtual hub.
A virtual hub represents a central point in an Azure region. But to actually use this point, we need to connect virtual networks to a virtual hub. Then, we can use the virtual hub as intended.
Before you start, open the browser and go to the Azure portal via https://portal.azure.com.
In order to add a virtual network connection in a virtual hub (under a virtual WAN), we must take the following steps:
Figure 9.20: Adding a previously created virtual hub
Figure 9.21: Configuring the virtual hub details
Connecting a virtual network to a virtual hub will allow us to access resources when connected to the same hub. A connection can be made over a Site-to-Site connection, a Point-to-Site connection, or from another virtual network (connected to the same hub). When creating a connection, we need to provide routing and propagation rules in order to define the network flow. We can also define a static route. A static route will force all traffic to go through a single IP address, usually through a firewall or network virtual appliance.
Let's move on to the next recipe and learn how to create a Private Link endpoint.
Private Link allows us to connect to PaaS services over a secure network. As these services are usually exposed over the internet, this gives us a more secure method of access. There are two components available to make a secure connection—a Private Link endpoint and a Private Link service. Let's start by creating a Private Link endpoint first.
We need to create a service that will be associated with the Private Link endpoint:
Figure 9.22: Associating a new service with a Private Link endpoint
In order to deploy a new Private Link endpoint, we must take the following steps:
Figure 9.23: Creating a new Private Link endpoint
Figure 9.24: Basic information for the Private Link endpoint
Figure 9.25: Configuring the resources for the Private Link endpoint
Figure 9.26: Setting up the network configuration
The Private Link endpoint associates the selected PaaS resource with the subnet on the virtual network. By doing so, we have the option to access the PaaS resource over a secure connection. Optionally, we can integrate a private DNS zone and use DNS resolution instead of IP addresses.
A Private Link endpoint allows us to link services directly but only individual services and only directly. If we need to add load balancers in place, we can use a Private Link service.
A Private Link service allows us to set up a secure connection to resources associated with Standard Load Balancer. For that, we need to prepare infrastructure prior to deploying the Private Link service.
We must create a virtual machine first. Check the Creating Azure virtual machines recipe from Chapter 2, Virtual machine networking. Note that in the Networking section, we want to select the same virtual network that was used to connect the SQL server in the previous recipe.
A Private Link service requires Standard Load Balancer as well. See the Creating a public load balancer, Creating a backend pool, Creating health probes, and Creating load balancer rules recipes from Chapter 10, Load balancers. Note that in the backend target, we need to select the virtual machine we just created.
Now, open the browser and go to the Azure portal via https://portal.azure.com.
In order to deploy the new Private Link service, we must take the following steps:
Figure 9.27: Creating a new Private Link service
Figure 9.28: Information about the new Private Link service
Figure 9.29: Configuring the outbound settings
Figure 9.30: The Access security pane
A Private Link service and a Private Link endpoint work in a similar way, allowing us to connect to services (that are by default publicly accessible) over a private network. The main difference is that with a Private Link endpoint, we link PaaS services, and with a Private Link service, we create a custom service behind Standard Load Balancer.
3.137.188.11