Design and deploy an Azure networking environment for virtual machines
Joe Davies, Senior Content Developer, Microsoft
5/3/2018
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
At the end of this session, you should be better able to:
- Understand the elements of Azure IaaS networking and their relationships and settings for virtual machines.
- Step through a methodical process to design networking environments for virtual machines in Azure IaaS.
- Step through a methodical process that deploys your networking environment for hosting virtual machines in Azure IaaS.
Approach
Practical
- Step-by-step design and deployment methodology
- Distill the design decisions down to the settings required for configuring each element: resource groups, virtual networks, subnets, network security groups, route tables (UDRs), load balancers, virtual machine network interfaces
- Use the determined settings and PowerShell/CLI command blocks or ARM templates to build out the networking environment and the virtual machine network interfaces
Foundation assumed
- Environment of Azure virtual machines (network, compute, storage, management)
- Azure infrastructure elements, their hierarchy, dependencies, and boundaries
- Components of Azure IaaS networking
Azure IaaS networking components
- Virtual networks with subnets
- Route tables for subnets
- Network security groups with rules for subnets
- Azure load balancers with rules
If all of the above is correct, then you get to create:
- Network interfaces on VMs
Manage complexity and collect settings with tables
[Diagram: the settings tables and their relationships: VNets, Interconnections, Subnets, NSGs, NSG rules, Route table, Load balancers, Load balancer rules, Network interfaces]
Interface behavior inheritance
[Diagram, shown four times with a different relationship highlighted among the tables: VNets, Interconnections, Subnets, NSGs, NSG rules, Route table, Load balancers, Load balancer rules, Network interfaces]
- Addressing: a network interface inherits its address from the subnet it is attached to (subnet addressing).
- Routing: a network interface inherits VNet routing from its VNet and subnet routing from the route table assigned to its subnet.
- Network security (packet filtering): a network interface inherits the NSG rules of the NSG assigned to its subnet.
- Load balancing: a network interface inherits load balancing from the rules of the load balancer whose backend address pool it belongs to.
Step-by-step design process
1. Resource groups
2. VNets
3. Subnets
4. DNS servers
5. Cross-premises connections
6. Azure load balancers
7. Route tables
8. Network interfaces
Step 1: Determine your resource groups
Recommendation: use multiple resource groups
- Infrastructure elements
- Tiers/roles/IT departments
For Azure networking elements, create infrastructure- or networking-specific resource groups
Resource groups: per tier and infra
[Diagram: resource groups ID, DB, APP, WEB, MGMT (Jumpbox, Monitoring) and Infrastructure (Gateway, Management)]
Resource groups for multiple VNets
[Diagram: resource groups ID, DB, APP, WEB, MGMT and INFRA, with the INFRA group holding the VNets]
Results for Step 1
List of resource groups:
- Networking elements of Azure (VNets, subnet-specific network security groups, load balancers, etc.)
- Tiers of your application
Step 2: Determine the VNets that you need
- Cloud-only vs. cross-premises
- Address space
- Location and subscription boundaries
- Connections between them
When to use multiple VNets
- Production vs. test versions of an app
- Different business units that use different subscriptions
- Different instances of an app in different locations
Tradeoff: more VNets mean more connections between them and to on-premises
Resource: Plan and design Azure virtual networks article
VNet address space
One or more CIDR blocks
Connecting two VNets
VNet-to-VNet (V2V) VPN connection
- Requires an Azure gateway and a gateway subnet
- Local Network address space on either side for routing
VNet peering
- Direct connection between the VNets of a common location using the Azure backbone
Resource: VNet peering article
Best practices
- Use multiple VNets as needed or required
- Interconnect VNets with VNet peering when you can:
  - Between Resource Manager-based VNets within the same location
  - Between Service Manager- and Resource Manager-based VNets within the same subscription
- Otherwise, use V2V connections or ExpressRoute:
  - Between Azure Service Manager-based VNets
  - Between Resource Manager VNets across locations or subscriptions
- Use a different IPsec preshared key for each V2V connection
Results for Step 2
1. Fill out your VNet table (the resource group is your infrastructure- or networking-specific resource group)
VNet table columns: Name | Purpose | Subscription | Location | Resource group | Address space | DNS servers
Results for Step 2 (cont.)
2. Fill out your interconnections table for each VNet
Interconnections table columns: Name | Purpose | VNet or on-prem location | Type of connection
Step 3: Determine the subnets for each VNet
Just like on-premises, except:
- Three fewer usable host addresses per subnet than on-premises (Azure reserves the first three host addresses of every subnet)
- Routing between subnets in the VNet and beyond the VNet is automatic (override it with route tables)
Decide for each VNet:
- Types of subnets
- Address space
- Network security groups
- Routing to and from all needed destinations
Types of subnets in an Azure VNet
VM-hosting
- Hosts Azure virtual machines
Gateway
- Hosts the two VMs of your Azure gateway, and other VMs for ExpressRoute
- Only used for VNets that are connected to an on-premises network (S2S VPN or ExpressRoute) or to another VNet (V2V)
- Azure Patterns and Practices (P&P) recommendation: /27 prefix length
Management
- Hosts a jumpbox VM (AKA bastion host) and a monitoring VM
- Initiate remote sessions to all the VMs in the VNet from the jumpbox instead of assigning a public IP address to each VM
- Runs the computer monitoring software
Subnet best practices
- Use a separate subnet for each tier or role
- For n host bits on an Azure subnet, there are 2^n - 5 possible host addresses (Azure reserves the network address, the first three host addresses and the broadcast address)
- For subnet isolation, use subnet-based NSGs for VM-hosting and management subnets
- Define your gateway subnet using the last part of the VNet address space: for the variable bits in the VNet address space, set the bits used for the gateway subnet (its host bits) to 0 and the remaining bits to 1
  - Example: a /16 VNet address space with a /27 gateway subnet prefix length (the slide's address values are not preserved here)
Resource: Calculating the gateway subnet address space for Azure virtual networks
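The subnet arithmetic above, worked through in code. This is an added example and not part of the deck: it computes the 2^n - 5 host count, the first VM address (the fourth host address, since Azure reserves the first three), the gateway subnet by the "host bits 0, remaining variable bits 1" rule, and checks a Subnet table for overlap. Every address in it is assumed; the /24 plan only mirrors the shape of the deck's later design example.

```python
# Added example (not from the deck): subnet sizing arithmetic for the Step 3
# subnet table. Azure reserves 5 addresses per subnet (network address, the
# first 3 host addresses, broadcast), so n host bits leave 2**n - 5 VM
# addresses and the first VM address is network + 4. The gateway subnet rule
# from the slide (host bits 0, all other variable bits 1) is the last
# /prefixlen block of the VNet. All addresses below are assumed.
from __future__ import annotations
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5


def usable_vm_addresses(subnet: str) -> int:
    """Number of addresses Azure will hand to VMs in this subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen
    return 2 ** host_bits - AZURE_RESERVED_PER_SUBNET


def vm_address_range(subnet: str) -> tuple[str, str]:
    """First and last address a VM can get: network+4 .. broadcast-1."""
    net = ipaddress.ip_network(subnet, strict=True)
    return str(net.network_address + 4), str(net.broadcast_address - 1)


def gateway_subnet(vnet: str, prefixlen: int = 27) -> str:
    """Last /prefixlen block of the VNet address space, per the slide's rule."""
    net = ipaddress.ip_network(vnet, strict=True)
    if prefixlen <= net.prefixlen or prefixlen > net.max_prefixlen:
        raise ValueError("gateway prefix must be longer than the VNet prefix")
    host_bits = net.max_prefixlen - prefixlen
    # The broadcast address has every variable bit set to 1; clearing the
    # gateway subnet's host bits yields its network address.
    base = int(net.broadcast_address) & ~((1 << host_bits) - 1)
    return f"{ipaddress.ip_address(base)}/{prefixlen}"


def check_subnet_plan(vnet: str, subnets: dict[str, str]) -> list[str]:
    """Problems with a Subnet table: subnets outside the VNet or overlapping."""
    net = ipaddress.ip_network(vnet, strict=True)
    parsed = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in subnets.items()}
    problems = []
    for name, sub in parsed.items():
        if not sub.subnet_of(net):
            problems.append(f"{name} {sub} is outside VNet {net}")
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} {parsed[a]} overlaps {b} {parsed[b]}")
    return problems


if __name__ == "__main__":
    # Assumed plan: a /24 VNet, three /28 VM-hosting subnets, gateway in the last /28.
    VNET = "10.0.0.0/24"
    plan = {
        "WebProxy": "10.0.0.0/28",
        "ADFS": "10.0.0.16/28",
        "Identity": "10.0.0.32/28",
        "GatewaySubnet": gateway_subnet(VNET, 28),
    }
    print(plan["GatewaySubnet"], usable_vm_addresses("10.0.0.0/28"), vm_address_range("10.0.0.0/28"))
    print(check_subnet_plan(VNET, plan) or "subnet plan OK")
```

Run `check_subnet_plan` against the finished Subnet table of each VNet before deployment; an overlap or a subnet outside the VNet space is rejected by Azure anyway, but catching it in the design step avoids renumbering after NSGs and route tables have been written against the wrong prefixes.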
Results for Step 3
A. Fill out a Subnet table for each VNet. Include a gateway subnet (named GatewaySubnet) for VNets with ExpressRoute or S2S or V2V VPN connections.
Subnet table columns: Name | Purpose | Address space | Network security group | Route table (UDR)
Results for Step 3 (cont.)
B. Fill out your NSG table for the subnets of each VNet. The resource group is your infrastructure- or networking-specific resource group. No NSGs for gateway subnets.
NSG table columns: Name | Purpose | Subscription | Location | Resource group
Results for Step 3 (cont.)
C. Fill out a rules table for each NSG
NSG gotchas:
- Rules that block Internet access can cause VM extensions to fail
- NSGs with rules do not have the same set of capabilities as a firewall network appliance
NSG rules table columns: Name | Description | Access | Protocol | Direction | Priority | Source address prefix | Source port range | Destination address prefix | Destination port range
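A way to check a rules table before it is deployed, as an added example that is not part of the deck. It models how an NSG evaluates a flow: rules of the matching direction are tried in ascending priority order (lowest number first), the first match decides, and Azure's default rules sit at priorities 65000 to 65500 behind every custom rule. The service tags are approximated and are an assumption of this example (VirtualNetwork is the VNet address space you pass in, Internet is anything outside RFC 1918); the WebProxy rules and all addresses are assumed, and the second rule reproduces the first gotcha above: an outbound deny toward Internet shadows the default AllowInternetOutBound rule.

```python
# Added example (not from the deck): a small model of Azure NSG rule
# evaluation for sanity-checking a Step 3 rules table. Service tags are an
# approximation (assumption): VirtualNetwork = the VNet address space passed
# in, Internet = any non-RFC 1918 address. Rules and addresses are assumed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int       # custom rules use 100-4096; lower number is evaluated first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR, "VirtualNetwork", "Internet" or "*"
    source_ports: str   # "*", "443" or a range such as "1024-65535"
    destination: str
    dest_ports: str


# Azure's built-in default rules. AllowAzureLoadBalancerInBound (65001) is
# left out because the AzureLoadBalancer tag is not modelled here.
DEFAULT_RULES = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    NsgRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _prefix_matches(prefix, addr, vnet):
    ip = ipaddress.ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in vnet
    if prefix == "Internet":
        return not any(ip in n for n in RFC1918)
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, vnet, direction, protocol, src, sport, dst, dport):
    """(access, rule name) of the first rule, by priority, that matches the flow."""
    net = ipaddress.ip_network(vnet)
    candidates = sorted((r for r in list(rules) + DEFAULT_RULES if r.direction == direction),
                        key=lambda r: r.priority)
    for r in candidates:
        if (r.protocol in ("*", protocol)
                and _prefix_matches(r.source, src, net) and _port_matches(r.source_ports, sport)
                and _prefix_matches(r.destination, dst, net) and _port_matches(r.dest_ports, dport)):
            return r.access, r.name
    raise RuntimeError("unreachable: the DenyAll default rules match everything")


def duplicate_priorities(rules):
    """Azure rejects two rules with the same direction and priority."""
    seen, dupes = set(), []
    for r in rules:
        key = (r.direction, r.priority)
        if key in seen:
            dupes.append(key)
        seen.add(key)
    return dupes


# Assumed rules table for a WebProxy subnet NSG: HTTPS in from the Internet
# and nothing out to the Internet. The outbound deny is the gotcha: it is
# evaluated before AllowInternetOutBound, so VM extensions that must reach
# the Internet fail on VMs in this subnet.
WEBPROXY_RULES = [
    NsgRule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
    NsgRule("DenyInternetOutbound", 200, "Outbound", "Deny", "*", "*", "*", "Internet", "*"),
]

if __name__ == "__main__":
    vnet = "10.0.0.0/24"
    print(evaluate(WEBPROXY_RULES, vnet, "Inbound", "Tcp", "203.0.113.5", 51000, "10.0.0.4", 443))
    print(evaluate(WEBPROXY_RULES, vnet, "Inbound", "Tcp", "203.0.113.5", 51000, "10.0.0.4", 22))
    print(evaluate(WEBPROXY_RULES, vnet, "Outbound", "Tcp", "10.0.0.4", 51000, "203.0.113.9", 443))
```

Feeding each row of the rules table through `evaluate` with the flows the tier actually needs (client HTTPS in, extension downloads out, AD traffic to the identity subnet) shows which default rule a custom rule shadows before the NSG is ever applied to a subnet.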
Results for Step 3 (cont.)
D. Update your Subnet table with the name of the NSG for each subnet
Subnet table columns: Name | Purpose | Address space | Network security group | Route table (UDR)
Resources for Step 3
- Network security groups
- Azure Network Security Groups (NSG) – Best Practices and Lessons Learned
Step 4: Determine the DNS server configuration for each VNet
DNS servers assigned to VMs can be:
- Supplied by Azure: provides resolution of public DNS names and internal name resolution for VMs and role instances that reside within the same VNet
- Provided by a server: provides full control of local or intranet name registration and either intranet or Internet name resolution
Best practices
- For cross-premises VNets, use DNS servers in the VNet to prevent on-premises traffic for DNS registrations and resolutions
- You must configure DNS replication and forwarding between the VNet and on-premises DNS servers
Results for Step 4
Fill out the DNS servers column of your VNet table (columns: Name | Purpose | Subscription | Location | Resource group | Address space | DNS servers)
For cross-premises VNets and Windows Server AD DCs, you need pre- and post-promotion DNS servers:
- Pre-promotion: the on-premises DNS servers, so that the DC VMs can find existing DCs during domain join
- Post-promotion: the static IP addresses of the DCs in the VNet
Step 5: Determine the settings for cross-premises VNets
Types of cross-premises connections
- Site-to-site (S2S) VPN
- ExpressRoute (requires a private peering relationship)
Network edge VPN device or router
- Terminates the S2S VPN or ExpressRoute connection
- On-premises route for the VNet address space
Limitation of S2S VPN connections
Normal route summarization: you can have the following address spaces as separate routes in a route table, and the closest (longest) matching route finds the right one:
- a /8 (summarizing the entire space)
- a /24 (subnet-specific route)
S2S VPN connections do not allow route summarization. You cannot have the following overlapping address spaces:
- the /8 for the Local Network
- a /24 inside it for the virtual network
You must explicitly define the Local Network address space so that it does not include the address space of your virtual network.
See the "Appendix: Example of defining the Local Network address space for S2S connections" in this deck.
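The carve-out described above, as an added example that is not from the deck (the deck's own appendix is not reproduced on this page). It splits each on-premises block so that the VNet address space is no longer inside it, using the CIDR splitting in Python's ipaddress module, and reports any overlap left over. The /8 and /24 values are assumed and only follow the shape of the slide's example; it also shows the case where the VNet comes from an RFC 1918 block not used on-premises, which leaves the Local Network address space unchanged.

```python
# Added example (not from the deck): derive the Local Network address space
# for an S2S VPN connection. The Azure gateway does not summarize routes
# between the Local Network and the VNet, so the Local Network blocks must
# not contain the VNet address space; carve it out instead. All addresses
# are assumed.
import ipaddress


def overlapping_pairs(local_blocks, vnet_blocks):
    """(local, vnet) pairs whose address spaces overlap; must be empty for S2S."""
    locals_ = [ipaddress.ip_network(b) for b in local_blocks]
    vnets = [ipaddress.ip_network(b) for b in vnet_blocks]
    return [(str(l), str(v)) for l in locals_ for v in vnets if l.overlaps(v)]


def local_network_address_space(local_blocks, vnet_blocks):
    """On-premises CIDR blocks with every VNet block removed, as strings."""
    pieces = [ipaddress.ip_network(b) for b in local_blocks]
    for vnet in map(ipaddress.ip_network, vnet_blocks):
        remaining = []
        for p in pieces:
            if vnet.subnet_of(p):
                # address_exclude splits p into the CIDR blocks around vnet
                # (and yields nothing when p == vnet, dropping it)
                remaining.extend(p.address_exclude(vnet))
            elif p.subnet_of(vnet):
                pass  # p lies entirely inside the VNet: drop it
            else:
                remaining.append(p)  # CIDRs either nest or are disjoint: keep
        pieces = remaining
    return [str(n) for n in sorted(ipaddress.collapse_addresses(pieces))]


if __name__ == "__main__":
    on_prem = ["10.0.0.0/8", "172.16.0.0/12"]          # assumed intranet
    vnet_inside = ["10.0.0.0/24"]                       # overlaps the /8: must be carved out
    vnet_outside = ["192.168.100.0/24"]                 # unused RFC 1918 block: nothing to carve
    print(overlapping_pairs(on_prem, vnet_inside))
    for block in local_network_address_space(on_prem, vnet_inside):
        print(block)
    print(local_network_address_space(on_prem, vnet_outside))
```

The carved-out list for a /24 inside a /8 is sixteen blocks, which is the practical reason behind the best practice on the next slide: choosing the VNet space from an RFC 1918 block that is not used on the intranet keeps the Local Network address space to the original blocks.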
Best practices for cross-premises VNets
- Use the High Performance gateway SKU to go up to 200 Mbps
- Use a different IPsec preshared key for each S2S VPN connection
- For S2S connections, choose a VNet address space from an RFC 1918 CIDR block not being used on your intranet; this minimizes the number of CIDR blocks in your Local Network address space
Results for Step 5
- Route for the VNet address space added to the on-premises routing infrastructure
- Edge VPN device or router ready for cross-premises connections
- Azure gateway SKU chosen
- Local Network address space defined
Resources for Step 5
- Implementing a Hybrid Network Architecture with Azure and On-premises VPN
- Implementing a Hybrid Network Architecture with Azure ExpressRoute
- Implementing a highly available hybrid network architecture
Step 6: Determine the Azure load balancers for each VNet
Internet-facing
- Public IP address
- Rules that specify the unsolicited inbound traffic to distribute among the members of the load-balanced set
Internal
- Private IP address
Configuration elements of an Azure load balancer
- Front-end IP address: a static IP address on a subnet (internal) or a public IP address (Internet-facing)
- Back-end address pool: contains the IP addresses of the member VMs
- Health probe: determines the availability of a load-balanced set member (HTTP or TCP-based)
- Rules: the type of traffic sent to the front-end IP address to distribute to the members of the load-balanced set
Best practices
- Use a network appliance if you need more control over load balancing or additional capabilities (example: the Azure load balancer does not support SSL offload)
- HTTP probes should not point to a page that requires authentication: the probe receives a non-200 response and the member is taken out of rotation
Results for Step 6
A. Fill out a load balancer table (the resource group is your infrastructure- or networking-specific resource group)
Load balancer table columns: Name | Purpose | Type | Subscription | Location | Resource group | Front-end IP configuration | Back-end address pool | Health probe
Results for Step 6 (cont.)
B. Fill out a rules table for each load balancer
Load balancer rules table columns: Name | Front-end IP configuration | Back-end address pool | Health probe | Protocol | Front-end port | Back-end port
Step 7: Determine the use of route tables
Route tables (AKA user-defined routes) override the default routing for subnets. Two primary examples of their use:
- Sending traffic to a network appliance for processing before forwarding it on to the next hop
- Preventing VMs in a cross-premises VNet from sending their traffic directly to the Internet (forced tunneling)
Route table entry for a traffic appliance
Forwards all traffic to a specific CIDR block to the IP address of the network appliance
Resource: User Defined Routes and IP Forwarding
Route table entry for forced tunneling
Forwards all default-route traffic across the cross-premises connection
Resource: Configure forced tunneling
Results for Step 7
A. Fill out a route table for each subnet as needed
Route table columns: Route name | Purpose | Type | Route prefix | Next-hop IP address
Results for Step 7 (cont.)
B. Update your subnet table (columns: Name | Purpose | Address space | Network security group | Route table (UDR))
Step 8: Virtual machine network interfaces
Fill in your network interfaces table:
- The resource group is the same as the VM's resource group (typically tier- or role-based)
- Identify the VNet and subnet
- Member of a load-balanced set? Identify the load balancer name and back-end address pool
Network interfaces table columns: Name | VM name | Subscription | Location | Resource group | VNet | Subnet | Load balancer name | LB back-end address pool | Static private IP address | Public IP address
Private IP address best practices
- Default: dynamic private IP addresses assigned from the available subnet address space (DHCP)
- Assign static private IP addresses to VMs as needed:
  - Domain controllers/DNS servers
  - Servers that need to quickly recover their role after a restart (IP address caching by tier servers)
- If assigning from the start of the address space, the first possible IP address for VMs is the fourth possible host address of the subnet
Public IP address best practices
- Assign public IP addresses only to jumpbox VMs; this prevents every other VM from becoming a target for Internet-based attacks
- Use an NSG for the management subnet to allow traffic only from specific address ranges
- You can specify a public DNS name; Azure creates the FQDN <your DNS name>.<short location name>.cloudapp.azure.com (example: contososp2016farm1.westus.cloudapp.azure.com)
- In your own DNS, create a CNAME record for the Azure FQDN, or an A record for the Azure public IP address (only if that public IP address is static)
Results for Step 8
Completed network interface table (columns: Name | VM name | Subscription | Location | Resource group | VNet | Subnet | Load balancer name | LB back-end address pool | Static private IP address | Public IP address)
Build Azure IaaS networking environments
Process
1. Create the networking infrastructure
- VNets with their subnets and interconnections
- NSGs with their rules, assigned to subnets
- Route tables assigned to subnets
- Load balancers with their rules
2. Create the VMs
- Create public IP addresses (if needed)
- Create network interfaces: assign the subnet, public IP address, static private IP address, load balancer back-end address pool
  - Corner cases: assign DNS server, assign network security group, enable IP forwarding
- Assign the network interface to the VM
1. Create the networking infrastructure
- VNets with their subnets (VNets table, Subnets table)
- VNets with their interconnections (VNets table, Interconnections table)
1. Create the networking infrastructure (cont.)
- NSGs assigned to subnets (NSGs table, NSG rules table, Subnets table)
- Route tables assigned to subnets (Route tables, UDRs, Subnets table)
1. Create the networking infrastructure (cont.)
- Load balancers (Load balancers table, Load balancer rules table)
2. Create the VMs (Network interfaces table)
For each VM:
A. Create public IP addresses and domain names (if needed)
B. Create the network interfaces: assign the subnet, public IP address, static private IP address, load balancer
C. Assign the network interface to the VM
PowerShell example of step 2
B. Create the network interface: assign the subnet, static private IP address, load balancer back-end address pool
C. Assign the network interface to the VM

    # Look up the subnet and load balancer named in your tables
    $vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
    $subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
    $staticIP = ""   # static private IP address from the network interfaces table (value not preserved on the slide)
    $lb = Get-AzureRmLoadBalancer -ResourceGroupName $rgName -Name $lbName
    # B. Create the NIC on the subnet with the static address, in the load balancer's first back-end pool
    $nic = New-AzureRmNetworkInterface -Name ($vmName + "-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet -PrivateIpAddress $staticIP -LoadBalancerBackendAddressPool $lb.BackendAddressPools[0]
    ...   # VM configuration object ($vm: New-AzureRmVMConfig, OS, image and disk settings) elided on the slide
    # C. Attach the NIC to the VM configuration and create the VM
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
    New-AzureRmVM -ResourceGroupName $rgName -Location $locName -VM $vm
Azure CLI 2.0 example of step 2
B. Create the network interface: assign the subnet, network security group, load balancer back-end address pool and inbound NAT rule
C. Assign the network interface to the VM

    az network nic create --resource-group myResourceGroup --location westeurope --name myNic1 \
      --vnet-name myVnet --subnet mySubnet --network-security-group myNetworkSecurityGroup \
      --lb-name myLoadBalancer --lb-address-pools myBackEndPool \
      --lb-inbound-nat-rules myLoadBalancerRuleSSH1
    # The subnet and NSG come from the NIC, so with --nics no --vnet-name/--subnet/--nsg options are needed
    az vm create \
      --resource-group myResourceGroup \
      --name myVM1 \
      --location westeurope \
      --availability-set myAvailabilitySet \
      --nics myNic1 \
      --storage-account mystorageaccount \
      --image UbuntuLTS \
      --ssh-key-value ~/.ssh/id_rsa.pub \
      --admin-username ops
Design example
Federated authentication for Office 365
Active Directory Federation Services (AD FS) infrastructure for Office 365 single sign-on
[Diagram: a virtual network with WEB1/WEB2, ADFS1/ADFS2 and DC1/DC2/DS1 on their subnets plus a gateway subnet, connected to the on-premises network by site-to-site VPN or ExpressRoute, with an Internet pipe carrying TCP 443 from Office 365 to the web servers]
Step-by-step design process (applied to the example)
1. Resource groups
2. VNets
3. Subnets
4. DNS servers
5. Cross-premises connections
6. Azure load balancers
7. Route tables
8. Network interfaces
Multi-tier LOB app for federated authentication
Three tiers:
- Web proxies (WEB1, WEB2) that are directly accessible over the Internet
- AD FS servers (ADFS1, ADFS2) for federated authentication
- Domain controllers (DC1, DC2) and a DirSync server (DS1) for identity
Step 1: Resource groups
[Diagram: the virtual network with resource groups INFRA (Gateway), WEB (WEB1, WEB2), ADFS (ADFS1, ADFS2) and ID (DC1, DC2, DS1)]
Results for Step 1
List of resource groups:
- Infrastructure: FEDAUTH-INFRA
- Web proxy tier: FEDAUTH-WEB
- ADFS tier: FEDAUTH-ADFS
- Identity tier: FEDAUTH-ID
Step 2: VNets
- Single cross-premises VNet
- Non-overlapping intranet address space
[Diagram: the virtual network (WEB1, WEB2, ADFS1, ADFS2, DC1, DC2, DS1, Gateway) connected to the on-premises network by site-to-site VPN or ExpressRoute, with an Internet pipe]
Results for Step 2
1. Fill out your VNet table
VNet table
Name | Purpose | Subscription | Location | Resource group | Address space | DNS servers
FedAuthNet | Host ADFS infrastructure | Contoso | West US | FEDAUTH-INFRA | /24 (address not preserved on the slide) | (filled in at Step 4)
2. Fill out your interconnections table for each VNet
Interconnections table
Name | Purpose | VNet or on-prem location | Type of connection
HQConnect | Cross-premises | (on-premises location not preserved on the slide) | S2S
Step 3: Subnets
- Three VM-hosting subnets
- One subnet for the Azure gateway
[Diagram: the virtual network with a subnet each for WEB1/WEB2, ADFS1/ADFS2 and DC1/DC2/DS1 plus the gateway subnet, connected to the on-premises network by site-to-site VPN or ExpressRoute, with an Internet pipe]
Results for Step 3
A. Fill out the Subnet table
Subnet table
Name | Purpose | Address space | Network security group | Route table (UDR)
GatewaySubnet | S2S gateway | /28 | |
WebProxy | Web proxies | /28 | |
ADFS | AD FS servers | /28 | |
Identity | DCs and DirSync server | /28 | |
(subnet addresses not preserved on the slide)
Gateway subnet for a /24 VNet address space with a /28 prefix length: the last /28 of the VNet space. A /28 allows 16 - 5 = 11 possible host addresses.
Results for Step 3 (cont.)
B. Fill out the NSG table
NSG table
Name | Purpose | Subscription | Location | Resource group
WebProxy | Subnet isolation for the WebProxy subnet | Contoso | West US | FEDAUTH-INFRA
ADFS | Subnet isolation for the ADFS subnet | Contoso | West US | FEDAUTH-INFRA
Identity | Subnet isolation for the Identity subnet | Contoso | West US | FEDAUTH-INFRA
Results for Step 3 (cont.)
C. Update the Subnet table with the NSGs
Subnet table
Name | Purpose | Address space | Network security group | Route table (UDR)
GatewaySubnet | S2S gateway | /28 | (none: no NSGs for gateway subnets) |
WebProxy | Web proxies | /28 | WebProxy |
ADFS | AD FS servers | /28 | ADFS |
Identity | DCs and DirSync server | /28 | Identity |
Step 4: DNS servers
- DCs in the virtual network (DC1, DC2) will be the local DNS servers after promotion to replica DCs
- Before they become replica DCs, they need the on-premises DNS servers (addresses not preserved on the slide)
[Diagram: DC1, DC2 and DS1 in the virtual network, the on-premises DNS servers reached over site-to-site VPN or ExpressRoute through the gateway subnet, with an Internet pipe]
Results for Step 4
Update the DNS servers column of the VNet table
VNet table
Name | Purpose | Subscription | Location | Resource group | Address space | DNS servers
FedAuthNet | Host ADFS infrastructure | Contoso | West US | FEDAUTH-INFRA | /24 | (on-premises DNS servers pre-promotion, DC1 and DC2 post-promotion; addresses not preserved on the slide)
Step 5: Cross-premises connections
- S2S VPN cross-premises connection
- On-premises route for the VNet address space (/24)
[Diagram: the virtual network (/24) connected to the on-premises network over S2S VPN through the gateway subnet, with an Internet pipe]
Results for Step 5
- Route for the VNet address space (/24) added to the on-premises routing infrastructure
- Edge VPN device or router ready for cross-premises connections, with its public IP address
- Local Network address space defined: a /8 and a /12 (addresses not preserved on the slide)
Step 6: Azure load balancers
- One Internet-facing load balancer for incoming client auth requests (TCP 443)
- One internal load balancer for distributing auth requests to the AD FS servers
[Diagram: the Internet-facing load balancer in front of WEB1/WEB2 and the internal load balancer in front of ADFS1/ADFS2, with DC1/DC2/DS1, the S2S VPN gateway subnet, the on-premises network and the Internet pipe]
77
Results for Step 6
A. Fill out the load balancers table
Resource group is the FEDAUTH-INFRA resource group

Load balancers table
| Name | Purpose | Type | Subscr | Location | Resource group | Front-end IP configuration | Back end address pool | Health probe |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ADFSServers | Distribute AD FS traffic | Internal | Contoso | West US | FEDAUTH-INFRA | ADFSServers-LBFE | ADFSServers-LBBE | WebServersProbe |
| WebAppProxyServers | Distribute client auth traffic | Internet-facing | Contoso | West US | FEDAUTH-INFRA | WebAppProxyServers-LBFE | WebAppProxyServers-LBBE | WebServersProbe |
78
Results for Step 6 (cont.)
B. Rule for the internal load balancer for the AD FS servers

Load balancer rule table
| Name | Front-end IP configuration | Back end address pool | Health probe | Protocol | Front end port | Back end port |
| --- | --- | --- | --- | --- | --- | --- |
| HTTPSTraffic | ADFSServers-LBFE | ADFSServers-LBBE | WebServersProbe | TCP | 443 | |

Rule for the Internet-facing load balancer for the web proxies

Load balancer rule table
| Name | Front-end IP configuration | Back end address pool | Health probe | Protocol | Front end port | Back end port |
| --- | --- | --- | --- | --- | --- | --- |
| WebTraffic | WebAppProxyServers-LBFE | WebAppProxyServers-LBBE | WebServersProbe | TCP | 443 | |
79
Step 7: Route tables
Prevent the servers in the AD FS and identity tiers from directly accessing the Internet
[Diagram: the same topology as Step 5, with a /0 route shown on the AD FS and identity subnets]
80
Results for Step 7
A. Create a route table for both subnets

Route table: ForcedTunnel
| Route name | Purpose | Route prefix | Next-hop IP address |
| --- | --- | --- | --- |
| Default route | Force tunnel | /0 | VirtualNetworkGateway |
81
Results for Step 7 (cont.)
B. Update the subnet table

Subnet table
| Name | Purpose | Address space | Network security group | Route table (UDR) |
| --- | --- | --- | --- | --- |
| GatewaySubnet | S2S gateway | /28 | | |
| WebProxy | Web proxies | /28 | | |
| ADFS | AD FS servers | /28 | | ForcedTunnel |
| Identity | DCs and DirSync server | /28 | | ForcedTunnel |
82
Recap
VNets
Subnets
NSGs
NSG rules
Route table
Load balancers
Load balancer rules
Network interfaces
Interconnections
83
Step 8: Network interfaces
One network interface per VM (total of 7)
Static IP addresses for all VMs
Resource group and subnet based on VM tier
Web proxy and AD FS servers are members of a load balanced set
[Diagram: the same topology as Step 5, with TCP 443 marked at the virtual network edge]
84
Results for Step 8
Completed network interface table
| Name | VM name | Subscr | Loc | Resource group | VNet | Subnet | Load balancer name | LB backend address pool | Static private IP address | Public IP address |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DC1-NIC | DC1 | Contoso | West US | FEDAUTH-ID | FedAuthNet | Identity | | | | |
| DC2-NIC | DC2 | Contoso | West US | FEDAUTH-ID | FedAuthNet | Identity | | | | |
| DS1-NIC | DS1 | Contoso | West US | FEDAUTH-ID | FedAuthNet | Identity | | | | |
| ADFS1-NIC | ADFS1 | Contoso | West US | FEDAUTH-ADFS | FedAuthNet | ADFS | ADFSServers | ADFSServers-LBBE | | |
| ADFS2-NIC | ADFS2 | Contoso | West US | FEDAUTH-ADFS | FedAuthNet | ADFS | ADFSServers | ADFSServers-LBBE | | |
| WEB1-NIC | WEB1 | Contoso | West US | FEDAUTH-WEB | FedAuthNet | WebProxy | WebAppProxyServers | WebAppProxyServers-LBBE | | |
| WEB2-NIC | WEB2 | Contoso | West US | FEDAUTH-WEB | FedAuthNet | WebProxy | WebAppProxyServers | WebAppProxyServers-LBBE | | |
85
Results for Step 8
Completed network interface table (same table as slide 85); the slide highlights 192.168.10.16/28 and calls out its 1st, 2nd, 3rd and 4th addresses
89
Results for Step 8
Completed network interface table (same table as slide 85); the slide highlights 192.168.10.32/28 and calls out its 1st, 2nd, 3rd, 4th (LB) and 5th addresses
90
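An added consistency check for the Step 7 and Step 8 tables (example code, not from the deck or the linked article): it verifies that each NIC's static private IP falls in its subnet's usable range, that the AD FS and Identity subnets carry the ForcedTunnel default route, and that the GatewaySubnet does not. The subnet blocks and VM addresses are assumed values.

```python
import ipaddress

# Added example, not code from the deck: a consistency check over the Step 7 route
# table, the subnet table and the Step 8 network interface table. Names follow the
# slides; every address below is a constructed assumption.
ROUTE_TABLES = {"ForcedTunnel": [{"prefix": "0.0.0.0/0", "next_hop": "VirtualNetworkGateway"}]}
SUBNETS = {  # subnet -> assumed address space and the route table from the Step 7 table
    "GatewaySubnet": {"space": "192.168.10.0/28", "route_table": None},
    "WebProxy": {"space": "192.168.10.16/28", "route_table": None},
    "ADFS": {"space": "192.168.10.32/28", "route_table": "ForcedTunnel"},
    "Identity": {"space": "192.168.10.48/28", "route_table": "ForcedTunnel"},
}
NICS = {  # one NIC per VM as in Step 8; static private IPs are assumed
    "WEB1-NIC": {"subnet": "WebProxy", "ip": "192.168.10.20"},
    "WEB2-NIC": {"subnet": "WebProxy", "ip": "192.168.10.21"},
    "ADFS1-NIC": {"subnet": "ADFS", "ip": "192.168.10.36"},
    "ADFS2-NIC": {"subnet": "ADFS", "ip": "192.168.10.37"},
    "DC1-NIC": {"subnet": "Identity", "ip": "192.168.10.52"},
    "DC2-NIC": {"subnet": "Identity", "ip": "192.168.10.53"},
    "DS1-NIC": {"subnet": "Identity", "ip": "192.168.10.54"},
}
FORCED_TUNNEL_SUBNETS = {"ADFS", "Identity"}  # the tiers Step 7 keeps off the Internet

def usable_addresses(space):
    """Azure reserves the first four and the last address of every subnet."""
    return set(list(ipaddress.ip_network(space))[4:-1])

def has_forced_default_route(route_table_name, route_tables):
    """True when the named route table sends 0.0.0.0/0 to the VPN gateway."""
    return any(r["prefix"] == "0.0.0.0/0" and r["next_hop"] == "VirtualNetworkGateway"
               for r in route_tables.get(route_table_name, []))

def check_design(subnets, nics, route_tables, forced):
    """Return the list of design problems; an empty list means the tables agree."""
    problems, seen = [], {}
    for name, nic in nics.items():
        space = subnets[nic["subnet"]]["space"]
        if ipaddress.ip_address(nic["ip"]) not in usable_addresses(space):
            problems.append(f"{name}: {nic['ip']} is reserved or outside {space}")
        if nic["ip"] in seen:
            problems.append(f"{name}: {nic['ip']} already used by {seen[nic['ip']]}")
        seen[nic["ip"]] = name
    for name, sub in subnets.items():
        tunnelled = has_forced_default_route(sub["route_table"], route_tables)
        if name in forced and not tunnelled:
            problems.append(f"{name}: no 0.0.0.0/0 route to VirtualNetworkGateway")
        if name == "GatewaySubnet" and tunnelled:
            problems.append("GatewaySubnet: a forced-tunnel default route would break the gateway")
    return problems
```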
Resources for this LOB app
Deploy high availability federated authentication for Office 365 in Azure
Federated identity for your Office 365 dev/test environment
91
Session resources
Plan and design Azure virtual networks article
Azure Network Security Groups (NSG) – Best Practices and Lessons Learned
Implementing a Hybrid Network Architecture with Azure and On-premises VPN
Deploy high availability federated authentication for Office 365 in Azure
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
92
Appendix: Example of defining the Local Network address space for S2S connections
93
Define the Local Network address space
Can include private and public address spaces
  Private: /8, /12, and /16
  Public: IANA-allocated space that corresponds to on-premises network locations
Option 1: The list of prefixes for the address space currently in use
  You must update the list of prefixes when you deploy new address space on your on-premises network
Option 2: Your entire on-premises address space
  Only need to update the Local Network address space when you add new address space (a new public address space)
What is your Local Network address space?
94
Working around the address space “hole”
Initial Local Network address space
  List the other address spaces from which the virtual network address space is not derived
Define the set of prefixes around the “hole”
  Depends on the address space from which the virtual network is derived (the root space)
  Enumerate the non-overlapping prefixes for the previous octets, skipping the prefixes containing the virtual network address space (if needed)
  Based on the prefix length of the virtual network address space, enumerate the non-overlapping prefixes, skipping the virtual network address space
95
Local Network address space example
On-premises network address spaces
  Private address space: /8, /12, and /16
  A single public address space: /16
Virtual network address space of /24
The virtual network root space is /8
Step 1: Define the address space that does not include the virtual network root space: /12, /16, and /16
96
Local Network address space example
Step 2: Define the non-overlapping prefixes for the previous octets, skipping the prefix that contains the virtual network address space ( /24)
Prefixes in the previous octet: /16, /16, … /16, /16
Skipping /16
Total of 255 prefixes
97
Local Network address space example
Step 3: Within the octet, enumerate the non-overlapping prefixes, skipping the virtual network address space ( /24)
Prefixes within the octet: /24, /24, … /24, /24, /24
Skipping /24
Total of 255 prefixes
99
Local Network address space example
Step 4: Compile the list of prefixes
  /12, /16, /16 (3 prefixes that are not the root space)
  /16, /16… /16, /16 (255 prefixes, previous octet)
  /24, /24… /24, /24… /24 (255 prefixes, within the octet)
Use this list to define the routes for your Local Network
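The appendix procedure carried through in code, as an added example that is not part of the deck: the root space, VNet and public prefix are assumed values (10.0.0.0/8, 10.1.2.0/24 and a placeholder 203.0.113.0/24), and the optional step parameter generalises the octet-by-octet enumeration (255 + 255 prefixes) to the minimal prefix set.

```python
import ipaddress

# Added example, not code from the deck. Assumed values: root space 10.0.0.0/8
# (RFC 1918), VNet 10.1.2.0/24 (constructed) and a placeholder public /24 in
# place of the deck's public /16; the deck's own addresses are not reproduced.

def prefixes_around_hole(root, vnet, step=8):
    """Enumerate the prefixes of root that do not contain vnet, step bits at a time.
    step=8 is the deck's octet-by-octet method (255 + 255 prefixes for /8 and /24);
    step=1 generalises it to the minimal complement."""
    root, vnet = ipaddress.ip_network(root), ipaddress.ip_network(vnet)
    if not vnet.subnet_of(root):
        raise ValueError(f"{vnet} is not derived from {root}")
    if (vnet.prefixlen - root.prefixlen) % step:
        raise ValueError("prefix lengths must differ by a multiple of step")
    prefixes = []
    for plen in range(root.prefixlen + step, vnet.prefixlen + 1, step):
        container = vnet.supernet(new_prefix=plen)  # the block to skip at this level
        parent = container.supernet(new_prefix=plen - step)
        prefixes.extend(s for s in parent.subnets(new_prefix=plen) if s != container)
    return prefixes

def compile_local_network(root, vnet, other_spaces, step=8):
    """Step 4 of the appendix: the on-premises spaces that are not the root space,
    then the prefixes enumerated around the hole, as strings for route definitions."""
    others = [str(ipaddress.ip_network(s)) for s in other_spaces]
    return others + [str(p) for p in prefixes_around_hole(root, vnet, step)]

def covers_root_minus_vnet(prefixes, root, vnet):
    """True when the prefixes add up to exactly root minus vnet; ipaddress computes
    the minimal complement and both sides are collapsed before comparing."""
    root, vnet = ipaddress.ip_network(root), ipaddress.ip_network(vnet)
    got = set(ipaddress.collapse_addresses(ipaddress.ip_network(str(p)) for p in prefixes))
    want = set(ipaddress.collapse_addresses(root.address_exclude(vnet)))
    return got == want

if __name__ == "__main__":
    routes = compile_local_network("10.0.0.0/8", "10.1.2.0/24",
                                   ["172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24"])
    print(len(routes), "Local Network prefixes, e.g.", routes[3], "...", routes[-1])
```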