Join David Elfassy for an in-depth discussion in this video Understanding the Azure networking components, part of Microsoft Azure: Core Functionalities.
- [Instructor] So we looked at virtual machines and we looked at other components of objects that are stored in Azure. But one of the elements that's really important in having those elements communicate properly with each other is virtual networking. Now, virtual networking is one of those things that you configure in Azure but it's not necessarily required in Azure. It essentially extends the functionality of your basic usage of virtual machines in Azure by adding layers of security and isolation. So let's dig a little bit deeper into virtual networking.
So what is a virtual network? Well, a virtual network is a portion of our Azure configuration that will allow you to isolate a group of virtual machines, or a group of services, into a security segment. So think about it as a way to isolate a group of machines, maybe isolating them from the Internet, or isolating them from each other. Or even provide better communication with a group of virtual machines. So think about two sets of virtual machines or a set of virtual machines that hosts databases and another set of virtual machines that will host applications and you want them to communicate really quickly with each other and not have to be routed through load balancers or go through firewalls.
Well, you can do that by using virtual networks and having those machines communicate to each other within a virtual network. Communication within the virtual network is never routed through load balancers so essentially there's a quicker communication that goes on there. By default, your virtual networks are not connected to the Internet. So we'll see how to connect those to the Internet because we may want to have those virtual networks connected to our internal network through the Internet. So, again, by default, they're not connected because they're isolated but we can provide a gateway, or a point of connection, to those virtual networks and then control that point of connection in a secure manner.
So what do virtual networks contain? Well, they contain different elements. The first element of a virtual network is a virtual network address space. So a virtual network address space is really a range of addresses that services and VMs can use. So when you're thinking about which IP addresses will your machines have, well they'll have the IP addresses that are within your address space, the group of addresses that you can use. You define that. What's really important is that they're non-routable and you will list them in a CIDR notation.
Now, the CR notation is an example here, 192.168.0.0/16, identifies the number of bits through that address scheme that is used for the hosts as opposed to the segment. Now, there's a whole lot to IP subnetting, and you can surely learn a lot about that, but you don't have to for using it in Azure. Azure will actually give you, through dropdown lists, the ability to choose different segments and their CIDR notations. So you don't have to type that out yourself.
Understand though, that it will define the number of IP addresses that are available. So that number after the forward slash at the end defines how many IP addresses you have available within your address space. You can configure that, you can modify it, and you can add additional address spaces later on so you're not bound to it. But one other thing that's important when you configure your address space is that you don't want it to overlap with your internal addressing scheme. Or the addressing scheme of other virtual networks. Because if you have different virtual networks or an internal network and a virtual network that uses the same network address space range, they will overlap and create conflicts.
And those conflicts will prevent communication. Within our network address space, we're going to create subnets. So the subnets are segmented, manageable groups of IP addresses that are going to be included in our network address space and those are the elements that we're really going to configure for routing. So when we're going to specify that a segment can communicate with another segment, those segments are really subnets. So think about it as smaller, manageable groups of IP addresses. Whenever you specify a subnet, you need to be aware of that the first four IP addresses of that subnet will be reserved for Azure services so they won't be available for you to assign to virtual machines or to cloud services.
They'll be taken away by Azure. As well, another property within our virtual network is the DNS server settings. Now, DNS server is something that's very common to you if you manage on-premises environment. You already know that DNS servers are required for Active Directory, they're required for name resolution across the network. Maybe you had an old networking environment that used WINS. WINS name resolution has been replaced mostly by DNS name resolution. So, DNS is also part of Azure where if you wanted virtual machines within your Azure environment to be able to resolve each other's names, as opposed to their IP address, you'll be using a DNS server setting.
By default, you already have a DNS server, the ones provided by Azure. However, if you want to connect your virtual network to the internal network of your organization, well, you'll need to put in place a DNS server that provides that cross premise name resolution. Now, if we dig a little bit deeper into virtual networking, we discover the next level, virtual private networks. Now, what are virtual private networks? Well, they are used to connect our internal network to your virtual network.
Essentially connecting your on-premises infrastructure to Azure. If you're going to deploy a virtual private network, first you need to have a virtual network in Azure. Then, you'll need to configure a VPN gateway. Now, the VPN gateway is that element of your virtual private network that's going to give that connection, that inbound point from your external network into Azure. Now there's three different flavors of virtual private networks in Azure. We've got the site-to-site VPN, point-to-site VPN, and ExpressRoute VPN, also known as private VPN.
So let's dig in to each one of those. So first, the site-to-site VPN. Site-to-site VPN is used to connect an entire office, or even multiple offices to Azure. So think about it like having an entire network that wants to be extended into Azure. If you have a data center or you have your company's office with hundreds or thousands of users and you want all of those users to be able to connect easily and quickly to Azure services. To do that, you'd create a site-to-site VPN.
But to do that, you also need to have dedicated hardware on your network. You need to have your own VPN appliance that is able to establish a direct connection over the Internet, of course, to Azure. So this requires a little bit more planning, a little bit more costly, because of that dedicated hardware. However, your users and your clients on your internal network will not know the difference. They won't have to establish any special connection. They don't have to have a VPN connection because they are going through the VPN connection that's applied through your dedicated hardware.
So in terms of experience from your user standpoint, it's very easy for them to access resources in Azure. However, from an administrative standpoint, there's more planning and more configuration and management that is required to deploy that solution. A point-to-site VPN is the opposite of a site-to-site VPN in the sense that it is configured and managed directly from the client computer. So, if you only have several computers, or developers or a certain dedicated group of computers that need to connect to Azure services over a private link, then you would configure a point-to-site VPN on their client computers.
Now, those computers will not require any dedicated hardware but they will require a dedicated VPN connection on their client computer. So they'll have to launch that connection and then through that connection, they will establish a link over to Azure. That connection is an SSTP connection, or a Secure Socket Transport Protocol connection. And that type of connection uses certificate-based authentication to establish the tunnel between the client connection and the VPN gateway that is stored in Azure.
The last type of VPN connection that we can establish is the ExpressRoute VPN, also known as a private VPN. Now, this is a less common type of VPN because it requires dedicated hardware, not on your network, but at your network provider's network. So this is a dedicated link directly from your network provider to Azure. I want to be clear about this is that if you have an ExpressRoute VPN, your communication does not go over the Internet, it goes over a dedicated link that's been assigned that provider directly to the data centers that are hosted by Microsoft for Azure.
So think about it as a private VPN over a dedicated link. Some people say it's not a VPN. It's really it's own type of connection because a VPN assumes connection over the Internet. It's still called a VPN but it's really a dedicated link connection. Now, the point of establishing ExpressRoute is, the name says it very well, having the quickest possible link to Azure, or a link that establishes the lowest possible latency in terms of communication. There's, of course, additional costs that are assigned to those and it's not available everywhere in the world, only with those special providers that have been chosen by Microsoft.
Those providers then have to prove their reliability and their ability to establish a good link over to the Azure data centers.
- Understanding Azure subscriptions
- Managing Azure with portals and PowerShell
- Configuring Azure web apps
- Deploying virtual machines
- Configuring virtual machines for high availability
- Managing Azure Active Directory
- Creating Azure virtual networks
- Implementing a VPN
- Performing Azure backups