This chapter is the start of the exam objective called configure and manage virtual networking, which has an exam weighting of 20–30% of the overall exam.
In this chapter, we are going to look at implementing and managing virtual networking. This includes how to create and configure virtual networks, peer networks with each other, configure private and public IP addresses, create user-defined network routes, implement subnets, create endpoints on subnets, configure private endpoints, and finally, configure Azure DNS, including custom DNS settings and private or public DNS zones. This chapter is very important, as networking is often referred to as the cornerstone of Infrastructure as a Service (IaaS).
In brief, the following topics will be covered in this chapter:
To follow along with the hands-on lessons, you will need access to an Azure Active Directory as a global administrator. If you do not have access to one, students can enroll for a free account at https://azure.microsoft.com/en-in/free/.
An Azure subscription is also required; you can either register with your own credit card or enroll for the free $200 once-off credit if you use the following link: https://azure.microsoft.com/en-us/free/.
PowerShell will be used for some of the lab sections. For more details on how to configure PowerShell, visit https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-1.8.0.
In this section, we are going to look at how to create and configure Virtual Networks (VNets) and peering. Let's start with an overview of VNets and IP addressing and how it works within Azure.
Before we dive into how to configure VNets, let's take a moment to understand what VNets are and what their purpose is. A VNet in Azure is a representation of your network in the cloud that is used to connect resources such as virtual machines and other services to each other.
Unlike traditional networks, which make use of physical cables, switches, and routers to connect resources, VNets are completely software-based. VNets have isolated IP ranges, and resources placed inside a VNet do not talk to the resources in other VNets by default. To allow resources in two different VNets to talk to each other, you would need to connect the VNets using VNet peering.
Important Note
All resources deployed to a VNet must reside in the same region.
Azure supports both private and public IP addresses. Private IP addresses are assigned within the VNet in order to communicate with other resources within it and cannot be accessed via the internet by design. Public IP addresses are internet-facing by design and can be assigned to a virtual machine (VM) or other resources, such as VPN gateways.
Both private and public IP addresses can be configured to be dynamic or static. Dynamic IP addresses change when the host or resource is restarted, whereas static IP addresses do not change even if the resources are restarted.
Dynamic IP addresses are automatically assigned by Azure based on the subnet range. When a VM is deallocated (stopped), the dynamic IP address goes back into the pool of IP addresses that can be assigned to other resources again. By default, private IP addresses are dynamic but can be changed to static via the Azure portal when needed.
Static public IP addresses are random public IP addresses that do not change after being assigned to a resource. Unlike a dynamic IP address that changes when a resource is restarted, the static IP address is persisted. Public IPs are usually assigned to internet-facing resources such as VPN gateways and, in some instances, VMs.
Now that we have covered the basic networking components, let's go ahead and configure a VNet via PowerShell:
Connect-AzAccount
The output appears as shown in the following screenshot:
Select-AzSubscription -SubscriptionId "your-subscription-id"
New-AzResourceGroup -Name VNet_Demo_ResourceGroup -Location WestEurope
The following screenshot shows the output of the command:
$vnet = @{
Name = 'DemoVNet'
ResourceGroupName = 'VNet_Demo_ResourceGroup'
Location = 'WestEurope'
AddressPrefix = '10.0.0.0/16'
}
$virtualNetwork = New-AzVirtualNetwork @vnet
The following screenshot shows the output of the command:
$subnet = @{
Name = 'Demo_Subnet'
VirtualNetwork = $virtualNetwork
AddressPrefix = '10.0.0.0/24'
}
$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subnet
$virtualNetwork | Set-AzVirtualNetwork
Hint
If you are getting an error stating that scripts are disabled on your system, you can use the following PowerShell command to resolve it: set-executionpolicy unrestricted –Scope CurrentUser.
One of the exam objectives for this chapter is to gain the ability to configure VNet peering. VNet peering is when two or more VNets are linked with each other so that traffic can be sent from one network to another. There are two types of VNet peering:
When using the Azure portal to configure VNet peering, there are a few settings that you should be aware of:
Let's go ahead and configure VNet peering. To do this, we need to create another VNet first using these steps:
Connect-AzAccount
$vnet = @{
Name = 'DemoVNet_2'
ResourceGroupName = 'VNet_Demo_ResourceGroup'
Location = 'WestEurope'
AddressPrefix = '192.168.0.0/24'
}
$virtualNetwork = New-AzVirtualNetwork @vnet
$subnet = @{
Name = 'Main_Subnet'
VirtualNetwork = $virtualNetwork
AddressPrefix = '192.168.0.0/24'
}
$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subnet
$virtualNetwork | Set-AzVirtualNetwork
Next, click on Add:
In this section, we had a look at how virtual networking works in Azure as well as how to create a VNet and subnet via PowerShell. We also had a look at how to configure VNet peering between two VNets.
We encourage you to read up on Azure virtual networking and VNet peering further by using the following links:
In the previous section, we had a brief look at IP addressing, such as public and private IP addressing and also static and dynamic IP addresses. This section focuses on how to configure private and public IP addresses.
Let's first look at how to configure a private IP address for a VM from dynamic to static via the Azure portal. In order to do this, we are going to reference a VM we created earlier in this book:
That is how we configure private IP addresses to be static instead of dynamic.
Next, we are going to look at how to create a public IP address via PowerShell:
Connect-AzAccount
The following screenshot shows the output of the command:
$ip = @{
Name = 'myStandardPublicIP'
ResourceGroupName = 'VNet_Demo_ResourceGroup'
Location = 'WestEurope'
Sku = 'Standard'
AllocationMethod = 'Static'
IpAddressVersion = 'IPv4'
Zone = 1,2,3
}
New-AzPublicIpAddress @ip
The following screenshot shows the output of the command:
It is that simple to create a public IP address via PowerShell. Once the IP address has been created, it is now ready to be assigned to a resource such as a VM or other types of resources that support pre-created public IP addresses.
Next, we are going to look at user-defined routing.
By default, Azure automatically creates system routes and assigns them to the different subnets within a VNet. These routes can't be removed but can be overridden by custom routes known as User-Defined Routes (UDRs). These routes have a next hop setting that points to the next interface from a routing perspective so that traffic can be sent to the correct destination.
There are three main next hop types for system routes:
UDRs create a route table if you want to create custom routes. When working with UDRs, it is important to note that they support the preceding routing types as well as the following:
Let's go ahead and create a UDR via the Azure portal to forward all traffic to a VNet gateway:
We encourage students to read up further on Azure user-defined routing (UDRs) by visiting the following link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview.
In this section, we created a route table with a custom route to route all traffic via the VPN gateway. Next, we are going to look at implementing subnets.
Inside a VNet, subnets allow you to segment your IP address ranges in which to place your resources. Resources in a single subnet get an IP address from the subnet IP address range. Resources in subnets within the same VNet can talk to each other. A VNet can have one or more subnets. Traffic can be filtered between subnets either via Network Security Groups (NSGs) or UDRs. It is also important to know that Azure reserves five IP addresses within each subnet that cannot be used. The reason for this is that these IPs are reserved for the network address, the Azure default gateway, Azure DNS, and the network broadcast address. An example of this would be the following:
Let's say there is a 10.1.1.0/24 subnet; the following addresses are reserved:
Important Note
Subnets can be added, removed, or modified.
Subnets within a VNet can be managed via the following methods:
Important Note
Subnets' address spaces cannot overlap one another.
Let's go ahead and add a subnet to an existing VNet via the Azure portal using the following steps:
Important Note
In the real world, the preceding changes may be configured instead of being set to None, depending on the requirements.
Set the Services fields to 0 selected, and click on Save:
In this short section, we had a look at subnetting in Azure and learned how to create additional subnets via the Azure portal. In the next section, we are going to look at configuring endpoints on subnets.
Endpoints, also referred to as service endpoints, allow secure and direct connectivity to Azure services over the Azure backbone network. Endpoints allow you to secure the traffic between your VNets, including subnets, and critical Azure resources such as Key Vault and SQL databases. Service endpoints allow private IP addresses in a VNet to be routed over the Azure backbone without requiring a dedicated public IP address.
Service endpoints are only supported on a limited number of Azure services.
Here are some of the key benefits of using service endpoints:
Let's go ahead and configure a SQL service endpoint on a subnet via the Azure portal using the following steps:
Following are the settings to create the network rule:
In this section, we had a look at what service endpoints are and learned how to configure them for an SQL service with a specific subnet.
We encourage you to read up on Azure service endpoints further by visiting the following link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview.
Azure Private Link enables you to access Platform as a Service (PaaS) services such as Azure Storage and SQL databases, and Azure-hosted services over a private endpoint in your own VNet.
Much like service endpoints, private endpoints allow traffic between a VNet and a service to travel through the Microsoft backbone network. This way, exposing your service over the internet is no longer required.
A key difference between service endpoints and private endpoints is that service endpoints connect to Azure/Microsoft services over their backbone while the PaaS resources are still outside of the VNet and, thus, need to be routed as such, whereas private endpoints bring the resources directly into your VNet. It is important to understand that private endpoints keep all the traffic within your VNet:
In this section, we had a look at what private endpoints are and how they differ from service endpoints, and learned how to configure private endpoints for an existing key vault and VNet.
We encourage you to read up further on Azure private endpoints by visiting the following links:
Azure DNS is a hosting service for DNS domains where the name resolution is done via the Microsoft Azure infrastructure. It is important to note that you cannot buy domains via Azure DNS. However, you can delegate permissions to Azure DNS for record management.
There is also a feature called Azure Private DNS that provides a reliable and secure DNS service for VNets. When using private DNS zones, you can use a custom domain name instead of using the default domain names provided by Azure. One of the main reasons for using Azure Private DNS is that the domain names in the VNet will be resolved without having to configure custom DNS on the VNet.
The following is a high-level overview of how Azure Private DNS works:
Important Note
Azure DNS does not support Domain Name Security Extensions (DNSSEC).
The following are some of the benefits of using Azure Private DNS:
Let's go ahead and configure Azure Private DNS via PowerShell using the following steps:
Connect-AzAccount
Install-Module -Name Az.PrivateDns -force
$zone = New-AzPrivateDnsZone -Name demo.packt.com -ResourceGroupName VNet_Demo_ResourceGroup
$link = New-AzPrivateDnsVirtualNetworkLink -ZoneName demo.packt.com `
-ResourceGroupName VNet_Demo_ResourceGroup -Name "mylink" `
-VirtualNetworkId /subscriptions/xxx/resourceGroups/VNet_Demo_ResourceGroup/providers/Microsoft.Network/virtualNetworks/DemoVNet -EnableRegistration
Get-AzPrivateDnsZone -ResourceGroupName VNet_Demo_ResourceGroup
The output of the command is shown in the following screenshot:
In this section, we had a look at what Azure DNS is and the difference between Azure DNS and Azure Private DNS. We also looked at how to configure a private DNS zone, link it to an existing VNet, and verify that it has been created successfully.
We encourage you to read up on Azure DNS further by using the following links:
In this chapter, we discussed how to create VNets including VNet peering, and how to configure private and public IP addresses and UDRs. We also had a look at subnetting in Azure and learned how to configure endpoints and private endpoints for VNets. Lastly, we looked at how Azure DNS works and configured a custom private DNS zone, linking it to an existing VNet via PowerShell.
Skills that students have gained after reading this chapter and following along with the hands-on demos include virtual networking, custom routing in Azure, securing resources via endpoints and private endpoints, and Azure DNS.
In the next chapter, we'll cover how to secure access to VNets.
18.226.187.199