VNet and Cross-Premises Connectivity 5 Cheryl McGuire | Technical Writer – Microsoft Ronald Beekelaar | Founder – Virsoft Solutions
Lessons Virtual Network Settings Cross-Premises Settings This should also be a review for the 70-642.
Virtual Network Settings
Creating a Virtual Network Management Portal Network Configuration file PowerShell REST API
Creating a Virtual Network in the Management Portal Custom Create Quick Create
Demo Create a VNet Basic Virtual Network Demo
Cross-Premises Settings
Extending Your Infrastructure Extend your datacenter with virtualization and networking 12/6/2019 Securely connect to Virtual Network from anywhere Uses VPN client in Windows OS Traverses firewalls and proxies Windows Azure datacenter On-premises datacenter VPN Site-to-Site VPN VPN Individual computers behind corporate firewall Let’s say you have individual PCs behind the firewall that you want to connect directly to Azure—or that you have remote workers. You can connect securely to the virtual network In Azure from anywhere using the VPN client in Windows. Because it works across firewalls and proxies, it doesn’t matter if users are behind your firewall, behind someone else’s firewall, or are remote. Check with YuShun Point-to-Site VPN Remote workers © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Cross-Premises Design Considerations Site-to-Site - Always connected - Requires a compatible VPN device with externally facing IPv4 address - Does not require individual client configuration - Branch office solution Point-to-Site - SSTP can securely traverse firewalls and NAT devices - Does not require a VPN device - Connection is configured on each client - VPN connection is manually started from the client computer
Configuration Considerations Local Networks Specifies which traffic goes across the VPN No IP address overlaps Can specify non-internal IP ranges DNS Server Cannot use Windows Azure IDNS for name resolution Region/Affinity Group Where do you want your resources? VPN Devices Check the list of device requirements
Static vs. Dynamic Routing Gateways Gateway Type - Dynamic or Static? Site-to-Site – can be either dynamic or static Point-to-Site – dynamic only If you want both site-to-site and point-to-site for the same VNet, choose dynamic Dynamic is presently in preview Static Routing Gateways Dynamic Routing Gateways GA Feature Preview Feature “Policy-based” VPN configuration On-premise VPN devices need to enumerate the combination of prefixes IPsec/IKEv1 “Route-based” VPN configuration Slightly more straightforward on-premise VPN configurations IPsec/IKEv2 Site-to-Site Only Site-to-Site and Point-to-Site
Demo Add Site-to-Site to existing VNet
Site-to-Site Settings Configuring a Site-to-Site connection requires configuration on both your Virtual Network and your VPN device. After your Gateway has been created, you’ll need the following information from the Dashboard page to configure your VPN device: Gateway IP address VPN Device Script (template) Manage Key (from the bottom of the page)
Point-to-Site Add Point-to-Site to a VNet Configure the VNet for Point-to-Site in the Management Console Create the Gateway (dynamic) Use makecert to create a self-signed root certificate (can’t use a CA) Import the .cer file (the file without private key) to Windows Azure Generate a client cert for each client and install Download the appropriate VPN client package from the Dashboard page and install it on the client computers
Point-to-Site Connection Without root cert With root cert
Point-to-Site Certificates Create your root certificate using makecert Download and install Microsoft Visual Studio Express 2013 (if you don’t already have a tool to create a certificate) In the Visual Studio Tools folder, open the x86 Native Tools Command Prompt Change to whatever folder you want your .cer file to create a copy in Make the appropriate changes and run this to create the root cert: Create client certs from the root certificate and install them on the client computers
Client VPN Package Install Download the install package from the VNet dashboard and install it on the client Installed
Demo Configure Point-to-Site VNET
12/6/2019 1:49 PM © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.