Session 5 AZ-104: Microsoft Azure Administrator
AzureEzy Core Team
Today's Session Speaker Niraj Kumar AZURE Talk Founder Enterprise Architect, MCT Rahul Mathuria AzureTalk Core Team Member, Cloud Engineer, MCT
https://azureezy.com © 2020 AzureEzy and AzureTalk. All rights reserved!
Speakers:
1. Niraj Kumar, https://www.linkedin.com/in/nirajkum/
2. Rahul Mathuria, https://www.linkedin.com/in/rahul-mathuria/

Topics Covered:
1. Azure Virtual Network
2. VNET Peering
3. IP Addressing
4. NSG aka ACL
5. Azure Firewall
6. Azure VPN Gateway
7. Azure Express Route
8. Azure WAN


AzureTalk community references:
1. AzureTalk Telegram Group: https://t.me/azuretalk
2. AzureEzy Website: https://azureezy.com
3. YouTube: https://youtube.com/azuretalk

Azure Reference Links
1. Popular Microsoft Azure training: https://www.microsoft.com/en-us/learning/azure-training.aspx
2. Azure Docs: https://docs.microsoft.com/en-us/azure/
3. Get started with Azure: https://docs.microsoft.com/en-us/azure/#pivot=get-started&panel=get-started1
4. Self-paced Labs: https://www.microsoft.com/handsonlabs/SelfPacedLabs
5. Azure-quickstart-templates GitHub: https://github.com/Azure/azure-quickstart-templates

  1. Session 5 AZ-104: Microsoft Azure Administrator
  2. AzureEzy Core Team
  3. Today's Session Speaker Niraj Kumar AZURE Talk Founder Enterprise Architect, MCT Rahul Mathuria AzureTalk Core Team Member, Cloud Engineer, MCT
  4. AZ-104: Skills Measured • Manage Azure identities and governance (15-20%) • Deploy and manage Azure compute resources (25-30%) • Implement and manage storage (10-15%) • Configure and manage virtual networking (30-35%) • Monitor and back up Azure resources (10-15%)
  5. Agenda • Azure Virtual Network • VNET Peering • IP Addressing • NSG aka ACL • Azure Firewall • Azure VPN Gateway • Azure Express Route • Azure WAN
  6. Prerequisites • TCP/IP • Virtual private networks (VPNs) • Firewalls • virtual networking • Encryption Technologies
  7. Azure Networking
  8. Components of Azure Network
  9. Today's Discussion
  10. Azure Virtual Network • An Azure Virtual Network (VNET) creates a LAN-like network in Azure, similar to an on-premises network • Gives you a robust boundary within which to communicate with other Azure services
  11. Virtual Network In Action
  12. SUBNET • Subnets create a logical boundary • Help with segregation • Subnets are assigned IP addresses by subnetting the VNET network address space.
  13. User Defined Routes (UDR)
  14. User Defined Routes (UDR) • Used to route traffic to its desired destination • Can only be applied to outgoing (outbound) traffic
  15. Types of Routes • System Routes:- Predefined in the Azure fabric, i.e. pre-applied to Azure services • You can override these routes using custom routes • Custom Routes:-
  16. Priority of Routes in Azure • UDR • BGP Routes • System Routes
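As an added example (not from the slides, and not Microsoft's code), the following Python simulates the outbound route lookup Azure performs for traffic leaving a subnet: the most specific prefix wins, and when several routes carry the same prefix the route type decides in the order the slide gives, UDR before BGP before system routes. The route entries, the on-premises prefix 10.10.0.0/16 and the firewall next-hop address 10.0.1.4 are constructed sample values.

```python
"""Route selection for traffic leaving an Azure subnet (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Lower number wins when two routes share the same prefix (documented Azure order).
ROUTE_TYPE_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str            # address prefix, e.g. "10.0.0.0/16"
    next_hop_type: str     # VnetLocal, Internet, VirtualAppliance, VirtualNetworkGateway, None
    source: str            # "System", "BGP" or "UDR"
    next_hop_ip: str = ""  # only meaningful for VirtualAppliance


def select_route(routes, destination):
    """Return the Route Azure would pick for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix first; among equal prefixes, UDR > BGP > System.
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                       -ROUTE_TYPE_PRIORITY[r.source]),
    )


# System routes Azure adds to every subnet, mirrored here for a 10.0.0.0/16 VNET.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
]
# A BGP route learned from an on-premises site via the VPN gateway (constructed).
BGP_ROUTES = [Route("10.10.0.0/16", "VirtualNetworkGateway", "BGP")]
# A UDR sending all Internet-bound traffic through a firewall appliance (hypothetical IP).
USER_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance", "UDR", next_hop_ip="10.0.1.4")]

EFFECTIVE = SYSTEM_ROUTES + BGP_ROUTES + USER_ROUTES


def describe(destination, routes=EFFECTIVE):
    """Human-readable result of the lookup, in the style of 'effective routes' output."""
    r = select_route(routes, destination)
    if r is None:
        return f"{destination}: no route (dropped)"
    hop = r.next_hop_type + (f" {r.next_hop_ip}" if r.next_hop_ip else "")
    return f"{destination}: {r.prefix} via {hop} [{r.source}]"


if __name__ == "__main__":
    for d in ("10.0.2.5", "8.8.8.8", "10.10.3.3"):
        print(describe(d))
```

The point to notice is that the UDR does not need to be more specific than the system default route to win: both are 0.0.0.0/0, and the tie is broken by route type, which is exactly why a single 0.0.0.0/0 UDR is enough to force Internet-bound traffic through a firewall. Traffic inside the VNET still takes the /16 system route because prefix length is compared first.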
  17. Question 1 User Defined Route applied at _________? a) Inbound b) Outbound https://q.azureezy.com/1
  19. Public and Private IP Address
  20. Private and Public IP Address • Does it ring a bell? ☺
  21. Public IP Address • Enables network flow for a device to communicate with the Internet • Azure dynamically assigns the IP address for Azure services • Some resources you can associate a public IP address with:- • Virtual machine network interfaces • Internet-facing load balancers • VPN gateways • Application gateways • Azure Firewall
  22. Private IP Address • Used for internal communication • Azure picks the IP address from the CIDR segment of the subnet you use for communication • Azure resources that can have a private IP address:- • Virtual machine network interfaces • Internal load balancers (ILBs) • Application gateways • On-premises network through a VPN gateway or ExpressRoute circuit
  23. Allocation Method/SKU for Public and Private IP Address • Static allocation • Dynamic allocation
  24. Communicate Via VNET (Public and Private) • Leverage VNET service integration for dedicated PaaS communication • Service Endpoints and Private Endpoints help customers connect to Azure services privately via the Azure backbone
  25. VNET PEERING
  26. VNET Peering • Enables two VNETs to communicate with each other • The peered networks appear as one virtual network for connectivity purposes • VNET Peering has two types:- • Global peering • Regional peering
  27. Peering Whereabouts • Gateway Transit:- Enables traffic to flow through the gateway • Can only be enabled on a VNET that has a VPN gateway • Allow Forwarded Traffic:- Forwards traffic between peered VNETs • Use Remote Gateway:- Enabled on spokes; lets them use the hub's VPN gateway • Saves cost, since the spokes share the hub's gateway instead of each deploying their own
  28. Network Security Group Aka ACL
  29. Network Security Group • A networking filter (firewall) • Contains a list of security rules • Allows or denies network traffic to resources connected to Azure VNETs
  30. NSG Default Rules and Priority • Virtual network: Traffic originating and ending in a virtual network is allowed in both inbound and outbound directions • Internet: Outbound traffic is allowed, but inbound traffic is blocked • Load balancer: Allows Azure's load balancer to probe the health of your VMs and role instances. If you are not using a load-balanced set, you can override this rule Reference : Microsoft Docs
  31. NSG Enforcement Inbound traffic: • NSG applied to subnet: If the subnet NSG has a matching rule that denies the traffic, the packet is dropped • NSG applied to NIC: If the NIC NSG has a matching DENY rule, packets get dropped even if you have an ALLOW rule at the subnet. Outbound traffic: • NSG applied to NIC: If the VM NIC NSG has a matching rule that denies the traffic, packets are dropped • NSG applied to subnet: If the subnet NSG has a DENY rule, it drops the packet even if you allow it at the NIC. Reference : Microsoft Docs
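The default rules on slide 30 and the two-level enforcement on slide 31 combine into a small evaluation procedure, shown here as an added Python example (not the slides' material and not Azure's implementation). It mirrors the documented default rules at priorities 65000, 65001 and 65500, evaluates rules lowest-number-first with first-match-wins, and applies subnet NSG then NIC NSG for inbound, NIC then subnet for outbound. Two simplifications are assumed: the `Internet` service tag is treated as "any address outside the VNET address space", and `AzureLoadBalancer` as the single documented probe address 168.63.129.16. The VNET, the VM at 10.0.2.4, the rule names and the test packets are constructed.

```python
"""NSG evaluation at subnet and NIC level (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

AZURE_LB_PROBE_IP = "168.63.129.16"   # documented source of Azure load-balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; 65000+ for Azure's defaults
    direction: str     # "Inbound" | "Outbound"
    access: str        # "Allow" | "Deny"
    protocol: str      # "Tcp" | "Udp" | "*"
    source: str        # CIDR, service tag or "*"
    destination: str   # CIDR, service tag or "*"
    dest_port: str     # "443", "22" or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _addr_matches(spec, ip, vnet_prefixes):
    """Resolve a rule's address field: wildcard, a (simplified) service tag, or a CIDR."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(p) for p in vnet_prefixes)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":            # simplification: everything outside the VNET
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(spec)


def evaluate_nsg(rules, pkt, vnet_prefixes):
    """Return (access, rule_name) for the first rule, by priority, that matches pkt."""
    for r in sorted(rules, key=lambda x: x.priority):
        if r.direction != pkt.direction:
            continue
        if r.protocol != "*" and r.protocol != pkt.protocol:
            continue
        if r.dest_port != "*" and int(r.dest_port) != pkt.dst_port:
            continue
        if not _addr_matches(r.source, pkt.src_ip, vnet_prefixes):
            continue
        if not _addr_matches(r.destination, pkt.dst_ip, vnet_prefixes):
            continue
        return r.access, r.name
    return "Deny", "no-match"   # not reachable while the default rules are present


def default_rules(direction):
    """Azure's built-in NSG rules, mirrored with their documented names and priorities."""
    if direction == "Inbound":
        return [
            Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
            Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
            Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
        ]
    return [
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
    ]


def effective_access(subnet_nsg, nic_nsg, pkt, vnet_prefixes):
    """Apply both NSG levels in the order Azure uses; return (verdict, trace of decisions)."""
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if pkt.direction == "Outbound":
        order.reverse()                 # outbound: NIC first, then subnet
    trace = []
    for level, rules in order:
        if rules is None:               # no NSG attached at this level: nothing to check
            continue
        access, name = evaluate_nsg(rules, pkt, vnet_prefixes)
        trace.append(f"{level}:{name}={access}")
        if access == "Deny":
            return "Deny", trace        # dropped here; the other level is never consulted
    return "Allow", trace


# Constructed scenario: a web VM at 10.0.2.4 inside VNET 10.0.0.0/16.
VNET = ["10.0.0.0/16"]
SUBNET_NSG = ([Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443")]
              + default_rules("Inbound") + default_rules("Outbound"))
NIC_NSG_DEFAULT = default_rules("Inbound") + default_rules("Outbound")
NIC_NSG_WEB = [Rule("AllowHttps", 200, "Inbound", "Allow", "Tcp", "*", "*", "443")] + NIC_NSG_DEFAULT

HTTPS_FROM_INTERNET = Packet("Inbound", "Tcp", "203.0.113.5", "10.0.2.4", 443)
SSH_FROM_INTERNET = Packet("Inbound", "Tcp", "203.0.113.5", "10.0.2.4", 22)
HTTPS_FROM_PEER_VM = Packet("Inbound", "Tcp", "10.0.3.7", "10.0.2.4", 443)
OUTBOUND_UPDATE = Packet("Outbound", "Tcp", "10.0.2.4", "198.51.100.9", 443)

if __name__ == "__main__":
    for nic in (NIC_NSG_DEFAULT, NIC_NSG_WEB):
        print(effective_access(SUBNET_NSG, nic, HTTPS_FROM_INTERNET, VNET))
```

Running it shows the case behind Question 2: the subnet NSG allows HTTPS from the Internet at priority 100, but a NIC NSG that only carries the defaults still ends in `DenyAllInBound`, so the packet is dropped; only once the NIC NSG also has an allow rule does the flow succeed. Traffic between two VMs in the VNET passes on `AllowVnetInBound` at both levels without any custom rule, which is worth remembering when you rely on NSGs for east-west segmentation.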
  32. Question 2 Do you need the NSG to allow traffic on the NIC and the subnet simultaneously for the same port and protocol? a) True b) False https://q.azureezy.com/2
  34. Azure Firewall
  35. Azure Firewall • Managed, cloud-based network security service • Protects virtual network resources • Fully stateful firewall as a service • Built-in high availability and unrestricted cloud scalability; supports highly available firewall clusters • Inbound DNAT and outbound SNAT support • Threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic from/to known malicious IP addresses and domains • You can route all Internet-bound traffic to a designated next hop • Compliant with PCI, SOC, ISO, ICSA Labs, and HITRUST Reference : Microsoft Docs
  36. Rules are Needed • NAT Rule:- Inbound Internet traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks • Network Rules:- Allow or deny rules based on IP addresses and/or service tags; applied before application rules • Application Rules:- Allow or deny rules based on Domain Name System (DNS) names
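The three rule types on slide 36, together with the threat-intelligence filtering mentioned on slide 35, are processed in a fixed order, and the following added Python example (not from the slides and not Azure Firewall's code) simulates that order: threat intelligence first when set to alert-and-deny, then DNAT rules, then network rules, then application rules, with a deny for anything left over. It assumes the documented behaviour that a DNAT match is allowed through without a separate network rule (Azure adds that rule implicitly) and that application rules are only reached when no network rule matched. The firewall public IP 203.0.113.10, the spoke ranges, the rule collections, the threat-intel entry and the FQDNs are constructed sample data.

```python
"""Azure Firewall rule-processing order, simulated (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

FIREWALL_PUBLIC_IP = "203.0.113.10"   # hypothetical public IP of the hub firewall


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str      # "TCP" | "UDP"
    fqdn: str = ""     # host name from HTTP Host / TLS SNI when the firewall can see one


@dataclass(frozen=True)
class NatRule:
    name: str
    dst_port: int          # port on the firewall public IP
    translated_ip: str
    translated_port: int
    protocol: str = "TCP"


@dataclass(frozen=True)
class NetworkRule:
    name: str
    priority: int
    action: str            # "Allow" | "Deny"
    sources: tuple         # CIDRs
    destinations: tuple    # CIDRs
    ports: tuple           # ints
    protocol: str = "TCP"


@dataclass(frozen=True)
class AppRule:
    name: str
    priority: int
    action: str
    sources: tuple
    fqdns: tuple           # exact FQDN or "*.suffix" wildcard
    ports: tuple = (80, 443)


def _in_any(ip, cidrs):
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(c) for c in cidrs)


def _fqdn_matches(fqdn, patterns):
    return any(fqdn == p or (p.startswith("*.") and fqdn.endswith(p[1:])) for p in patterns)


def process(flow, nat_rules, net_rules, app_rules, threat_intel_ips=(), ti_mode="Deny"):
    """Return (verdict, rule_name, flow_after_translation) following Azure Firewall's order."""
    # 1. Threat intelligence is consulted before any rule; "Alert" only logs, "Deny" blocks.
    if ti_mode == "Deny" and (flow.src_ip in threat_intel_ips or flow.dst_ip in threat_intel_ips):
        return "Deny", "ThreatIntel", flow
    # 2. DNAT: inbound traffic to the firewall public IP is translated and then allowed
    #    (Azure adds the matching network rule for you); no DNAT match means it is dropped.
    if flow.dst_ip == FIREWALL_PUBLIC_IP:
        for r in nat_rules:
            if r.dst_port == flow.dst_port and r.protocol == flow.protocol:
                translated = Flow(flow.src_ip, r.translated_ip, r.translated_port, flow.protocol, flow.fqdn)
                return "Allow", r.name, translated
        return "Deny", "default-deny", flow
    # 3. Network rules: lowest priority number first; the first match ends processing.
    for r in sorted(net_rules, key=lambda x: x.priority):
        if (r.protocol == flow.protocol and flow.dst_port in r.ports
                and _in_any(flow.src_ip, r.sources) and _in_any(flow.dst_ip, r.destinations)):
            return r.action, r.name, flow
    # 4. Application rules: only reached when no network rule matched, and they need an FQDN.
    if flow.fqdn:
        for r in sorted(app_rules, key=lambda x: x.priority):
            if flow.dst_port in r.ports and _in_any(flow.src_ip, r.sources) and _fqdn_matches(flow.fqdn, r.fqdns):
                return r.action, r.name, flow
    # 5. Nothing matched: the firewall denies by default.
    return "Deny", "default-deny", flow


# Constructed rule set for a hub firewall in front of spokes 10.1.0.0/16 and 10.2.0.0/16.
NAT_RULES = [NatRule("rdp-to-jump", 3389, "10.1.0.4", 3389)]
NET_RULES = [
    NetworkRule("allow-dns", 100, "Allow", ("10.0.0.0/8",), ("10.1.0.10/32",), (53,), "UDP"),
    NetworkRule("deny-spoke-to-spoke-ssh", 200, "Deny", ("10.1.0.0/16",), ("10.2.0.0/16",), (22,)),
]
APP_RULES = [
    AppRule("allow-windows-update", 100, "Allow", ("10.0.0.0/8",), ("*.windowsupdate.com",)),
    AppRule("allow-ubuntu", 110, "Allow", ("10.0.0.0/8",), ("archive.ubuntu.com", "security.ubuntu.com")),
]
THREAT_INTEL = ("198.51.100.66",)   # constructed entry standing in for Microsoft's feed

if __name__ == "__main__":
    print(process(Flow("203.0.113.77", FIREWALL_PUBLIC_IP, 3389, "TCP"), NAT_RULES, NET_RULES, APP_RULES, THREAT_INTEL))
    print(process(Flow("10.1.0.4", "192.0.2.20", 443, "TCP", "www.windowsupdate.com"), NAT_RULES, NET_RULES, APP_RULES, THREAT_INTEL))
```

The ordering matters operationally: a network rule that allows TCP/443 to 0.0.0.0/0 would be matched before any application rule, so FQDN-based restrictions only take effect for traffic that no network rule has already decided. Likewise, the threat-intelligence check sits in front of everything, so a destination on the feed is blocked even when an application rule would otherwise allow its FQDN.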
  37. Azure VPN Gateway
  38. VPN Gateway (A Door to Connect) • Used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet • A virtual network can have only one VPN gateway • Composed of two or more VMs that are deployed to a specific subnet called the gateway subnet Reference : Microsoft Docs
  39. Types of Azure Gateway • P2S VPN Gateway:- Secure connection to your virtual network from an individual client • Site-to-Site VPN Gateway:- Connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel; requires a VPN device located on-premises that has a public IP address assigned to it • ExpressRoute:- High-bandwidth connectivity between on-premises and cloud networks over a private connection Reference : Microsoft Docs
  40. Gateway SKU • Important for throughput and for sizing against overload • Needs to be chosen carefully • Connection limits are separate per protocol; for example, you can have 128 SSTP connections and 250 IKEv2 connections on a VpnGw1 SKU Reference : Microsoft Docs
  41. Gateway Types • Policy-based VPN:- 1:1 traffic selector method to communicate with other VPN devices; hence the address space of the opposite VPN device needs to be specified • Route-based:- Any-to-any (wildcard) traffic selectors; lets routing/forwarding tables direct traffic to different IPsec tunnels Reference : Microsoft Docs
  42. Gateway Subnet • Where the VPN gateway is deployed • Recommended CIDR larger than /28 (i.e. /27 or bigger) • When you create the gateway subnet, the gateway VMs are deployed as per the SKU you select while deploying the VPN gateway
  43. Local Network Gateway • Represents the on-premises configuration • The Azure VPN gateway connects with the local network gateway to establish the connection with Azure over IKE/IPsec • Furnishes all details related to on-premises, i.e. address space and on-premises VPN gateway public IP
  44. Question 3 Choose the types of VPN gateways: a) Application Gateway b) Local Network Gateway c) Express Route Gateway d) VPN Gateway https://q.azureezy.com/3
  46. Azure Express Route
  47. Express Route • Private dedicated leased line • Does not go over the public Internet • Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility Reference : Microsoft Docs
  48. ER Connectivity Models Reference : Microsoft Docs
  49. Azure Virtual WAN
  50. Azure Virtual WAN • Brings many networking, security, and routing functionalities together to provide a single operational interface • Includes branch connectivity (via connectivity automation from Virtual WAN partner devices such as SD-WAN or VPN CPE), site-to-site VPN connectivity, remote user VPN (point-to-site) connectivity, private (ExpressRoute) connectivity, intra-cloud connectivity (transitive connectivity for virtual networks), routing, Azure Firewall, and encryption for private connectivity • Simply get started with just one use case, and then adjust your network as it evolves Reference : Microsoft Docs
  51. Demo 1. Create VNET with hub-and-spoke architecture 2. Use VNET peering to connect the spokes 3. Create S2S connectivity 4. Deploy Azure Firewall, NSG and UDR to route and restrict traffic 5. Deploy VM and check the connectivity across the network and Internet
  52. Q & A
  53. Thanks! https://terraform.home.blog https://azureezy.com https://azureezy.com/az-104 https://t.me/AzureTalk https://youtube.com/AzureTalk https://www.linkedin.com/in/nirajkum/ www.linkedin.com/in/rahul-mathuria

