AZ-700 Designing and Implementing Azure Networking Study SUPER Guide!

Reddit Comments

John, Thank you for your many informative videos, which are a big help to many people.

👍︎︎ 9 👤︎︎ u/Righteous_Dude 📅︎︎ Aug 03 2021 🗫︎ replies

This may be my year to finally learn Azure.

So thank you so much, for this video and all the others. It's really a crime you don't have more subs on your channel.

👍︎︎ 3 👤︎︎ u/Rothkeen 📅︎︎ Aug 03 2021 🗫︎ replies

As many of us come from Networking and/or Security, it's a very valuable video and certification.

Especially that t-shirt with "There's no place like ::1" :)))

👍︎︎ 3 👤︎︎ u/Summer-Classic 📅︎︎ Aug 03 2021 🗫︎ replies

Noice :) Do you have any plans for az104/az400 exam crams? Trying to plan when to take my exams and you've helped a lot with all the fundamentals, wouldn't want to miss out!

👍︎︎ 2 👤︎︎ u/beardedbanker8 📅︎︎ Aug 03 2021 🗫︎ replies

Hi John,

Do you have a website where we can purchase your content, or is it all free?

Thanks

👍︎︎ 1 👤︎︎ u/MikeAdeboye 📅︎︎ Aug 04 2021 🗫︎ replies
Captions
Hey everyone, in this video I want to provide how to study for, and a study cram for, the new AZ-700, the Designing and Implementing Azure Networking Solutions exam and certification. I took the beta of the exam this week to get an idea of what was involved, and really I spent the last seven days just preparing for this video. It's probably the most amount of work I've ever put into one single video. I hope it turns out useful. As always, if this is useful a like, subscribe, comment and share is appreciated, and hit that bell icon to get notified of new content.

Now, when I think about preparing for this, I definitely do want to get some hands-on, and the good thing is for the networking, for the most part, it's not really expensive resources. Networks are free. There are some elements I might want to spin up to see them and experiment, then I could delete them pretty quickly. To start off, head over to the AZ-700 page. So this page will give me the instructions: well, how do I actually go ahead and schedule the exam? It has the skills measured, so you want to be able to look at this skills outline and basically be able to put a tick next to every single one of these to say yes, I understand those concepts, I feel pretty good, I can answer questions around them. Now it is a pretty broad exam. I mean, there's a lot of content covered in here, so I don't have to be a super deep-dive expert in any one area. I just need to really understand how do these things fit together and what is their function in an overall solution.

Now the other thing that's really good here is they do now have (they didn't have this when I took the exam, but I did quickly run through it just to see what was in it) a free learning path, and again that's going to cover most of the content. Now what they've done in this learning path is they've essentially taken the Microsoft documentation and cut and pasted it into this learning path. So instead of you having to go and search for the Microsoft docs for the right content, that's what the learning path really is. There's a few questions to clarify your learning, but for the most part it's the Microsoft documentation, which I think is a pretty good thing; the documentation is good.

Now for the content I've created in the past, I've created a special AZ-700 playlist. Once I finish recording this video I'll put this at the top of that. You can actually go and see that, and what I've done is over the years I've created a whole bunch of content around all the different areas. So I have videos around the networking and then all of the different topics that are basically in the exam; I've already got videos about them. I'm not going to keep referencing these throughout this session. You can just go and check out this playlist, you can go and look at those. YouTube only allows me to add, I think, five cards in the top corner that link to particular videos, so I'll target some of the primary ones, but obviously I can't link to all of them, I've got too many videos. But go and make sure you check out the playlist; it's in the description, this video will be part of it, and review that content. So look at the Microsoft Learn material, watch this study cram and then ideally go through the various videos. I have no advertising on my channel, I make no money from this, this is me trying to help out, so you're not going to be interrupted or bombarded with other stuff.

Now in terms of the actual exam: it was two hours, I had 59 questions. There were a couple of case studies at the start. Remember, the case study is "hey, here's the scenario", multiple pages maybe: where we are today, business requirements, technical requirements, and then those same artifacts are used to answer a number of questions. I think I had one case study that was four questions, one case study that was seven questions, so that makes up a chunk of that total 59 questions. Then the rest of them: some of the questions, where it has a certain scenario and then it said "does this solution meet the requirement?", and it will have exactly the same thing three or four times, it just changes how they would solve it, and you can't go back. So it's asking you "hey, we would do this, does this solve it?", and once you've selected that and moved on I can't go back, because the next answer maybe would give you a hint and change your previous answer. And then there's just a whole bunch of regular questions: hey, what would I use, which steps would be required, put these steps in the right sequence, those types of questions. So that's the exam: two hours, 59 questions. I had plenty of time; I think I did it in under an hour. Being the beta, you don't get your result yet, but it really wasn't that bad. In terms of the content there was nothing super deep that I thought was ridiculous; it was logical for the most part.

Okay, so have that cup of coffee or whatever your beverage is and let's actually get down and start thinking about the actual review of all the content. I'm going to go pretty quick, I have to, I'm covering a huge number of things.

So the first part I want to dive into is just the basics, and when I think about the basics, obviously we're going to start out with a virtual network. So we have this concept of this virtual network, and I can have multiple virtual networks, I'm not bound to just one or anything like that. And a key point: a virtual network exists within a certain subscription and a certain region, i.e. if I have multiple subscriptions, one virtual network cannot span that. If I'm deploying to East US and West US, I would need a virtual network in each of those. So a virtual network exists within a specific region within a specific subscription; it cannot span regions, it cannot span subscriptions, so that's really a key point. Now it is a regional construct, i.e. it exists in the region. If I'm in a region that supports availability zones, those are distinct data centers with independent cooling, power and communications; in your subscription typically you would see three
availability zones. My virtual network spans all of them, so even though there might be three availability zones, my virtual network is not pinned to a certain availability zone; it is still a regional resource. And then what happens with the virtual network is I put resources into it: virtual machines, AKS environments, App Services, many other types of resources that we will actually explore.

Now my virtual network is a layer 3 construct, essentially it understands IP. It's not layer 2; there is no concept of VLANs in an Azure virtual network to maybe segment traffic, and there are other constructs I use for micro-segmentation. So because this is IP, most of the time we're really dealing with TCP and UDP, and there's ICMP, I can do echo requests within there as well. I cannot do broadcast, I cannot do multicast, I cannot do GRE encapsulation. This is all software-defined networking; Azure is using those things itself. So I'm really thinking about layer 3: IP, TCP, UDP.

And what I'm going to have is this virtual network is really defined as one or more private IP blocks. Now I'm saying private IP, i.e. the RFC 1918 ranges, the 10., 172.16. and 192.168. IP ranges, but they don't have to be. If I have some public IP block I can bring those to Azure, but they are still going to be considered private IPs, i.e. they will not be accessible from the internet. So when I think about what is the virtual network, I'm going to add one or more, so I can have multiple blocks. I'm going to have IPv4 CIDR ranges; remember a CIDR range is that 10.1.0.0/16. I have other videos on IP basics if you're not sure what CIDR ranges are, and again I can use the RFC 1918 ranges and others, I'm not restricted to those. So I'm going to add one or more IPv4. Now optionally, but I don't have to, I can add zero or more IPv6. It is always dual stack; I cannot do only IPv6, but I can optionally add IPv6 if I actually want to add it to there. Now if I add IPv6 to the virtual network, at least one subnet has to have an IPv6 range as well, but they don't all have to have it.

Which brings me on to: within the virtual network, just like a real network, I divide it into subnets. So I can absolutely think about, within this, I'll create multiple subnets, and essentially what happens is those subnets are a segment of the IP space. So I might have subnet one, subnet two, and I can give them names; they don't have to be called subnet one and two, I can give them proper names. And so these subnets have a portion of the IPv4 CIDR range: this has an IPv4 CIDR range, and again optionally, if I gave the virtual network an IPv6 range, they can optionally have an IPv6 range, which will always be a /64.
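As an added example (not code from the video), here is a small Python check for the subnet rules just described: subnet ranges must sit inside the VNet's address spaces, must not overlap each other, IPv6 subnets are always /64, and a VNet with an IPv6 space needs at least one IPv6 subnet. It also applies the five addresses Azure reserves per subnet that the video explains next; the function names and the sample plan are mine.

```python
import ipaddress

# Azure reserves 5 addresses in every IPv4 subnet: network, broadcast,
# the default gateway and two for DNS, so a /29 is the smallest usable
# subnet and yields 8 - 5 = 3 addresses.
AZURE_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr):
    """Number of addresses Azure lets you assign in an IPv4 subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("usable_addresses() is for IPv4 subnets only")
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def check_plan(vnet_spaces, subnets):
    """Validate a VNet address plan. Returns a list of problems (empty = OK).

    vnet_spaces: CIDR strings on the VNet (one or more IPv4, zero or more IPv6).
    subnets: {name: [cidr, ...]} with an IPv4 range and optionally one IPv6 range.
    """
    problems = []
    spaces = [ipaddress.ip_network(s, strict=True) for s in vnet_spaces]
    if not any(s.version == 4 for s in spaces):
        problems.append("VNet must have an IPv4 space (dual stack only, never IPv6-only)")

    seen = []  # (subnet name, network) already checked, for overlap tests
    for name, ranges in subnets.items():
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=True)
            same_family = [s for s in spaces if s.version == net.version]
            if not any(net.subnet_of(s) for s in same_family):
                problems.append(f"{name}: {cidr} is not inside any VNet address space")
            if net.version == 6 and net.prefixlen != 64:
                problems.append(f"{name}: IPv6 subnets must be /64, got /{net.prefixlen}")
            if net.version == 4 and net.prefixlen > 29:
                problems.append(f"{name}: {cidr} is smaller than /29, nothing left after Azure's 5 reserved")
            for other_name, other in seen:
                if other.version == net.version and net.overlaps(other):
                    problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
            seen.append((name, net))

    if any(s.version == 6 for s in spaces) and not any(n.version == 6 for _, n in seen):
        problems.append("VNet has an IPv6 space but no subnet carries an IPv6 range (at least one must)")
    return problems


# Constructed sample plan: a dual-stack VNet with three valid subnets.
SAMPLE_VNET = ["10.1.0.0/16", "fd00:1::/48"]
SAMPLE_SUBNETS = {
    "web":  ["10.1.0.0/24", "fd00:1:0:1::/64"],
    "data": ["10.1.1.0/28"],
    "tiny": ["10.1.2.0/29"],   # smallest allowed: 3 usable addresses
}

if __name__ == "__main__":
    for name, ranges in SAMPLE_SUBNETS.items():
        print(name, ranges[0], "usable:", usable_addresses(ranges[0]))
    print("problems:", check_plan(SAMPLE_VNET, SAMPLE_SUBNETS) or "none")
```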
So because of the way some equipment works with IPv6, and because of how huge the address space is, I'll always have a /64 if it's IPv6. For the regular subnets I can pick the subnet size. And once again, notice subnets are spanning the availability zones as well; subnets are not pinned to a particular availability zone, they are regional as well, so that's another important point to realize. These IP ranges of the subnets have to come from the IP range of the virtual network; they cannot overlap. And when I'm picking my IP ranges, even with other virtual networks, with my on-premises networks, I don't want them to overlap. If they overlap, well, for normal communications it won't work; I won't be able to connect those networks together unless I do some kind of network address translation, which is generally pretty cumbersome. So I need unique CIDR ranges for each of these constructs.

And we can see this if I jump over to the portal super quickly. If I look at my virtual networks, for example, I have a whole bunch of different virtual networks, but you'll see the address space I have here, but notice I can add additional ones. See, yes, I have this address space; when I created it I did a /16, but I could add additional ranges. Now if I wanted to I could add IPv6 address ranges to that, and then I have subnets, which are a portion of that space, and notice I'm doing some /24s, some /28s; the smallest is a /29, you can see that right here. Now notice that /29 gives me three usable IP addresses, and you might say, well, that's kind of strange, a /29 should actually give me more IP addresses than three, and that's empty. Now the reason for that is, just ordinarily with TCP/IP, if we think about, let's pretend this is a /24 so it's very easy, on the whole last octet it's 0 through 255. Well, we always lose the .0 and the .255, because the .0 is the network address, we generally don't give that to anything, and the .255 is that network broadcast, so we can't use that either. But then what happens is Azure takes the first usable address as this default gateway and then it uses the next two for DNS purposes. So you can see I always lose five IP addresses from whatever range I create, which means the smallest is a /29, which equals three usable. So that's the point on that.

So those are the basics around that virtual network, and again if I have IPv6 on the virtual network I have to have at least one subnet with it. And then I put resources into these subnets, whether it's a VM or AKS or App Services or firewalls or NVAs, doesn't matter what it is. There's some resource which, via a NIC (and in Azure Resource Manager the network interface is a resource as well), will get linked to a certain subnet, and it will get its address through DHCP. So the Azure fabric provides that DHCP service; it's always going to use that, except in some very fiddly cases which you don't really need to know: if I have multiple IPs on a single configuration I must do some static config, but it's going to get that IP. Now these are all private, remember, these are all private IP addresses. Those IP addresses are dynamic normally, i.e. "hey, I need an IP address", "here it is"; if I deprovision that resource, I stop paying for it, well the next time I start that VM up or whatever that is, I might get a different IP address. I can also say, hey, I want it to be static, so that's kind of like a DHCP reservation, so when I restart my resource I would still get the same IP address even if I was deallocated, and that's done at a per-resource level. See, if I was to quickly look at a virtual machine, I look at its network configuration, I can see it has a network interface card, and I can see on that network interface we have IP configurations, and within there I've got this ipconfig, and this ipconfig we can see is static assignment, and that's the key point, and I've given it the particular IP address I want it to always get. So if I had resources in Azure that always need the same IP address, maybe it's a SQL Server or a domain controller, I can absolutely make that happen.

So that's the fundamentals when I think about just the virtual network. So make sure you don't have overlapping IP ranges. You can add ranges, I can resize things if they're empty, so I can resize but I'd have to empty it first, so ideally get your planning done the right way. So that's all private IPs.

Okay, well, that's great. Then we can think about public IPs. I cannot bring my own IPs to Azure: if I own a block of public IPs, I can't use them as public IPs in Azure. Azure has its own public IPs that are regional, so I can think about, hey, I have a certain region in Azure, could be East US or East US 2 or West US, whatever. When I create a public IP it exists in that region; I can't move it to another region, I have to create a new public IP. Now by default, it's an interesting point, resources in Azure can get to the internet; I don't have to do anything special. I can do an outbound connection and I can get the state for the response back to me, I don't have to do anything special. The exact mechanism varies depending on, hey, does a resource have its own public IP, is it behind a load balancer that has a public IP, it depends on the config, but fundamentally they can all get outbound to the internet and get the response back. But what about if I want to offer services to the internet? I actually may want to make a web server available. So I think again, okay, well remember I have that virtual network, and remember that virtual network has that private IP space, and then within there I have a certain subnet, and we just say I have some kind of resource; it could be a VM with a NIC attached, it really doesn't matter. So remember that has a private IP; that private IP is from the IP range of the subnet it is in. You can do outbound, can't receive. So what I have to do is I have to create a public IP; this is a resource in Azure.

Now there's actually two SKUs for a public IP, so I can think about, well, there's a Basic SKU, and then from the Basic it can also build on, there is a Standard SKU, so two different types. Now that Basic SKU: you get a certain amount free; this can be dynamic or static, again, if I stop using it and then start using it again I might get a different public IP; it is open by default, all right, it's just going to let everything come in; there is no availability zone support, what that means is if I was having certain resources I can't make that resilient against maybe a data center failure, or make it resilient across different zones, or pin it to a certain zone, it has no concept of that. Then we have Standard. The Standard is static only; it is locked down by default, and we'll talk about something called network security groups later on, so here I would use an NSG to allow things, here I would have to use an NSG to actually lock that thing down; and it has AZ support. And what you'll find is there are a lot of services that require a Standard SKU public IP, and if I have certain types of resource like a load balancer, we'll talk about later on, the SKUs have to match. So if I have a Basic load balancer I have to use a Basic public IP; if I use a Standard load balancer I have to use Standard public IPs, they go hand in hand. So we have these two different SKUs available to us.

And then what I essentially do is I have to use that public IP. Now yes, technically I could link that public IP to a particular resource; that then becomes this instance level, so the resource doesn't really know it has a public IP, it gets converted by the fabric, but it links directly into that resource. But most of the time, if we're doing these public IPs, I'm offering a service to something, so I want it to be resilient, I want it scalable, so generally this is not the thing we want to do. Instead we would have some kind of load balancing solution. Now depending on what we're doing here, this might be a layer 4, i.e. TCP/UDP, might be layer 7 like HTTP, HTTPS, HTTP/2, we'll talk about that, and this load balancer would link to a whole bunch of different resources and I would link the public IP as the front-end configuration of that. And that's generally what we'll typically do with public IPs. Public IPs are used by a whole bunch of things: VPN gateways and firewall solutions, they're massively used.

Now the other thing I can do: a public IP is a single IP address. What about if I know I'm going to need multiple public IPs, and really I want them to be contiguous, one after the other? So the other thing I can actually create is a public IP prefix. So a public IP prefix is that contiguous block that I get in advance, and then I can use them from that block. Some resources I can just assign the prefix to, like the NAT gateway: I can give it a prefix and it will go through the IPs and use them as I need to. So this is a contiguous block of public IPs. So that's how I can think about those: two different SKUs, that's how I can then obviously offer things from the internet to actually get to certain services. And likewise, if I have a public IP I might then use it for the outbound as well; there are services like Azure Firewall and NAT gateway that would actually use it to SNAT traffic on the outbound, and we're going to talk about those later on, so don't worry about that just yet.

Okay, so that's all well and good. We have this virtual network, we have public IPs, and I said the virtual network was bound within a region and a certain subscription. So what about if I have multiple regions? What about if I have multiple subscriptions? What about just if I have many different virtual networks for different regions? Well, I can peer them. So what we can actually do now is, well, I can do peering. So I can absolutely imagine the idea that, okay, I have VNet 1, and VNet 1 is a certain IP address space; let's say this is 10.0.0.0/16, so that's the important part, those first two blocks. And then let's say we have two other virtual networks. For the time being I've got a VNet over here, call this VNet 2, and I have another one over here, VNet 3, and remember if I want to connect them they have to be unique IP ranges. So we'll say this one is 10.1.0.0/16, so it's those bits that are important, and we'll say 10.2.0.0/16, so those are the important parts. So because they're unique ranges, yes, I can connect those. And what we might say is, well, let's say this is region one, that could be West US, and this one happens to be in region two, maybe that's East US; it really has no bearing. So what I can do from here is I can peer them together. So on the Azure backbone, say hey, I want a connection between these VNets. Now before, this would have to be something like a site-to-site VPN, then we were restricted to the speed of the VPN gateway; VMs couldn't operate at their native capability, we lost stuff with that. With peering I don't have any of those problems; it's using the native Azure backbone. So because these are in the same region, this is just VNet peering; because these are in different regions, well, this is global VNet peering, but it doesn't really change very much, it's going to work the same way. Now I cannot peer across clouds. What I mean by that is there's more than one Azure cloud: there's the commercial cloud that most of us are using, then there are sovereign clouds, China, US Gov, Germany. I cannot peer VNets, for example, commercial to China or to US Gov; I can only peer within the same cloud. Now a peer is actually created in each direction. There's a bit of permissioning I need to actually peer to a VNet; there are permissions I need to establish the VNet outbound. My deep-dive video on that, I've actually got one on VNet peering, I go into exactly what those permissions are, so I'm not going to cover that here, but
there are permissions I need to do. If it's different subscriptions I have to authorize that peer to actually complete, but essentially it's made up of two peering connections. Once I do those peerings, there are some special tags in virtual networks. One was called VirtualNetwork, and I might think VirtualNetwork is the IP space of my virtual network. It really isn't; VirtualNetwork is the known IP space. So when I peer, VirtualNetwork now includes the networks I have connected to. So if I peer to these two VNets, VirtualNetwork, the tag which we're going to talk about, now includes 10.1.0.0/16 and 10.2.0.0/16 as well. That's important when we think about certain rules, because if I'm using VirtualNetwork it now applies to these as well, so important point. So IP space cannot overlap; I cannot peer if the IP space overlaps.

Another important point: let's imagine this is a hub and these are spokes. So this spoke has peered to the hub, this spoke has peered to the hub. Can they talk to each other? No. It is not transitive; those cannot talk. If I want them to be able to talk I would have to add a peer between these two, i.e. I have to create a mesh network. The alternative to that is to route via the hub. What I mean is there are certain appliances I could put in this hub right here that would then enable it to be the next hop and could route on their behalf. So there are ways to do that. For example, let's think about it a second: I could have something like, in here, I could have Azure Firewall or just some kind of network virtual appliance, and then I could tell these, hey, use this appliance to actually get to each other. So the way I would do that is I could use something called user-defined routing and say, hey, if you want to get over to there, go that way, and I would do the same to get back again. So there are ways to do that.

Now also consider within this hub I probably have connectivity. I probably have a gateway subnet and I have some gateway devices; this could be site-to-site VPN, it could be ExpressRoute, and we're going to talk about what exactly those are. So these are, maybe it's active-passive if it's VPN, or it could be active-active; ExpressRoute is always active-active. But I have these devices that have connectivity to my on-premises networks out there. Now what if I want these spokes to be able to use that connectivity via this hub? And I can absolutely turn that on; there's a configuration I can actually do. So remember I said there's two peerings, two directions on this. So what I'm going to do is on this side of the peer there's a flag I can set that actually lets me say, hey, allow gateway transit: I let them use my gateways. And then on this side I'm going to say use remote gateway, so that's on this side of the connection. So allow gateway transit on the hub side (let them use my gateway, send the BGP routes through); use remote gateway on these connections (let's actually use that). And if we go and look super quick, if I was to go and just look at a virtual network, so I look at my hub. So my hub, if I looked at the peerings, so this is from me to, let's say, East US, what I would make sure is "use this virtual network's gateway"; that would be the setting I would need to make sure I have turned on, so in PowerShell that would be allow gateway transit. And then on the peering of the spoke, if I looked at its connection, what I would need to make sure (and I can't do that because I've not got it turned on on the other connection) I would do "use remote virtual network's gateway". So that would then let those spokes actually go get the routes advertised by BGP of that connection and then use it. So the spokes would now be able to get to whatever that on-prem is on the other side of that VPN or that ExpressRoute, because they're going to use the gateways of that. I can only use one peer's remote gateway; I could not have another hub and use that remote gateway as well, only one of them can be selected to actually do that. And if I have a gateway in my local VNet I can't use a remote gateway; I'm only ever going to use my own.

Now there was actually another setting, and it was allow forwarded traffic, and that's important if I do have some kind of network virtual appliance in the hub and I want traffic to be able to flow via it, because this has to basically accept traffic from here via this connection. So there was that option on the peering as well, and it was this setting here: allow forwarded traffic from remote virtual network. So that would say, hey, I'm going to let that hub network send me traffic from someone else, i.e. it can act as that forwarder.

So I mentioned something about some special routing if I actually want to do this; I said this user-defined route, UDR, thing. And if you think about it, by default a virtual network has a set of routes. There are routes it knows just because of its IP space; the rest of the RFC address space is black-holed; it knows to send everything else out to the internet. And I can see those if I go and look at a network interface card. So if I just go and pick any virtual machine in my environment, and if I go and look at its networking and look at its network interface card, so I'm selecting its NIC, we have this effective routes option down here at the bottom, and these two are actually both super useful: effective routes, to see the routes it knows, and effective security rules, when I start doing things like NSGs, network security groups, to see what rules are impacting it. But if I look at the effective routes, we'll see a whole bunch of different routes. Now there are some that are just built in, and then there are other things that will get added when I have things like a VPN connection or an ExpressRoute; well, there will be other routes added for the address space on the other end of that connection. So we can see here, well, there's a default route for my local VNet, you can see that there; there's a default route 0.0.0.0/0 goes to the internet; and then there's a whole bunch of ones, well, black-holing the rest of the RFC space; there's different rules about that over here. Then there are some other special ones around sort of Azure itself, and that's actually an important point. I said you can use pretty much any set of IP addresses you want; there are actually a set of IP ranges you cannot use. So I said sure, use RFC, you can use other address spaces, but you cannot use these ones. I said you can't use multicast or broadcast, but it also blocks off some other IP addresses because they're just not allowed as part of Azure; there are other ranges you can't use. But I have these default routes, and again other things will get added into them. Like I've added peering, well now it knows there are these other IP spaces over here that are used for peering; there are other ones about certain service endpoints, and I'll talk more about that later on; there are private endpoints I added in; I would see things for virtual appliances; I would see things for gateways. There's this whole bunch of default routes that just exist within the virtual network that gets populated to the network interface cards themselves.

But I may want to change that. I may want to add additional routing, and for good cause: maybe I've got network virtual appliances, I want to change the type of traffic I'm actually doing and sending over these things. So I can create route tables. So I can think about, okay, I can create this route table, and we think of this as this user-defined routing, and a route table is really just a set of routes, the routes I'm going to define. Now in this case I might say, look, I want to define a route how to get to that spoke over there. Now that particular NVA, it would have a certain IP address; maybe it actually has an IP address of 10.0.1.4, let's say; that's the IP address of that Azure Firewall over there. So I want to say, look, to get to this address space over here, so to get to 10.2.0.0/16, my next hop is a virtual appliance and its IP address is 10.0.1.4. This is, remember, software-defined networking; my next hop doesn't have to be an IP address on my local subnet, it can be an IP address actually on a different subnet, even a different network. It's not like traditional networking, how we used to think of a bit of copper wire and actual physical connections. So I create this route table. If I had 0.0.0.0/0, I'm setting a default route, I send everything to this virtual appliance, and I could do that. And then what I do is, within here I have subnets, so I have a certain subnet, I link the route table (let's change that color), I link it. The route table has to be in the same region as the virtual network when I create those things. And then I would do exactly the same on the other side: I would have a route table here as well, this one would say, hey, to get to 10.1.0.0/16 I would go to that same virtual appliance, and I would link it to the subnets I want it to go here. So what I've essentially done now is through that I've configured, hey, you can now get to each other by that virtual appliance. I've added my own user-defined routing to change the default behavior. So I'm linking it. I want to make sure it's symmetrical; I want to make sure it flows in the same direction, especially if this is a stateful firewall or virtual appliance, it needs to see the traffic going in both directions. And again, remember I could look at those effective routes, as I was showing here, to actually see what is happening. So if I look at this, and actually if we look at a different virtual machine, so if I look at my West Central one, and it has its networking and it has a network interface and look at its effective routes, this actually is using my Azure Firewall. So what I did for this one is I added a default route; I want
everything to go via a particular azure firewall i have defined so here you can see this user defined route here so i'm overriding the regular zero zero zero zero i'm sending it to my virtual appliance so that means hey everything go via this particular one now i also have another vm in the v-net i wanted to talk to it also has a route table but it only sends traffic through that's destined for the subnet of that west central us so it's using the same appliance in that same hub virtual network and i go into detail on this in my azure traffic my azure firewall video it's not going to deep dive here but the point is i define these various routes i want and then take effect on the various devices that i actually have in the environment and there's a bit of work it has to do is go and work out the effective routes but it's going through and all i'm going to see is a slash 16 user defined route that's actually applying on this network interface card when this wakes up it would show that to me but honestly i don't want to sit here waiting for this if i go and look at the route tables themselves the whole point is this was the one it had and we can see here this is what you would have seen 16 goes to that same virtual appliance i can just add multiple routes so i give it a name the prefix and then what is the type of hop is it a virtual appliance is it to the internet is it overriding the default virtual networks is it a virtual network gateway like site site vpn or express route so i can add multiple routes and then i link it to one or more subnets but again i can only link it to v nets in the same region as the route table so i'm doing things across multiple regions i'll need a route table for each of those so that's kind of a key point in how those things really all fit together so that's one element when i think about hey i'm connecting things together i also talked as well about hey if i want to get to the internet well there's this public ip if i have one if the 
load balancer I'm behind has a public IP, I'll use it, but I may want more control. Now there are mechanisms I can do for Azure Firewall and through the load balancer, but there's actually a dedicated service. So that was kind of the peering; there's actually something called NAT Gateway. So with NAT Gateway, we'll use a color I haven't used, it's a NAT gateway. As the name suggests, this is focused just on the outbound NAT connectivity. So what I do is I create this NAT gateway, and I have public IPs or prefixes that I attach to this, that it is basically focusing and listening on. These have to be Standard SKU; remember I talked before about different SKUs, some services require a certain one, and this has to be Standard SKU. And then what I'm doing is, from that NAT gateway, once again I link it, so I go and link it to particular subnets, again in the same region as the NAT gateway instance. So what happens is now their outbound traffic to the internet will go via the NAT gateway, and that gateway performs that SNAT, source network address translation. It's super, super efficient, and normally we might struggle with port exhaustion. The whole point of SNAT is that this private IP range, they're not usable on the internet, so these devices essentially use a port per unique session, TCP or UDP. If we've had tons of people connecting, there's only so many ports per IP address, so I can run out. So by giving it a prefix or multiple public IPs it lets it scale even better. I think it's 16 IPs, but you should check that number; that's off the top of my head, I'm thinking 16 but could be wrong. And that's in total, so if I had a prefix of 8 that counts out of those 16 that I can do. It's Standard SKU and it's also IPv4 only, I cannot do IPv6 on this. Each public IP is 64,000 concurrent connections, so times that by 16.
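The route-table behaviour described a little earlier (a user-defined route for 0.0.0.0/0 or for a /16 pointing at the firewall's 10.0.1.4, the effective routes a NIC ends up with, and the need for symmetry through a stateful appliance) as an added Python example. This is not code from the video or from Azure: it models Azure's route selection (longest prefix match, then user-defined routes over BGP-learned routes over system routes) against constructed route tables for a hub and two spokes. The hub and spoke prefixes, the `system_routes` helper, the `is_symmetric_via_appliance` check and the sample destinations are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Tie-break Azure applies after longest-prefix match: user-defined routes (UDR)
# beat BGP-learned routes, which beat the system routes Azure installs itself.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                         # address prefix, e.g. "10.1.0.0/16"
    next_hop_type: str                  # VnetLocal, VNetPeering, Internet, VirtualAppliance, ...
    source: str                         # "Default" (system), "User" (UDR), "VirtualNetworkGateway" (BGP)
    next_hop_ip: Optional[str] = None   # only set for VirtualAppliance next hops


def effective_route(routes: Iterable[Route], destination: str) -> Optional[Route]:
    """Return the route a NIC would use for `destination`: the longest matching
    prefix wins, and on a prefix-length tie the higher-priority source wins."""
    dst = ipaddress.ip_address(str(destination))
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -SOURCE_PRIORITY[r.source]),
    )


def next_hop(routes: Iterable[Route], destination: str) -> Optional[Tuple[str, Optional[str]]]:
    r = effective_route(routes, destination)
    return (r.next_hop_type, r.next_hop_ip) if r else None


def is_symmetric_via_appliance(routes_a, cidr_a, routes_b, cidr_b, appliance_ip) -> bool:
    """True when traffic between cidr_a and cidr_b is steered through the same
    appliance in both directions, which a stateful firewall needs to see flows."""
    a_to_b = next_hop(routes_a, str(ipaddress.ip_network(cidr_b)[1]))
    b_to_a = next_hop(routes_b, str(ipaddress.ip_network(cidr_a)[1]))
    expected = ("VirtualAppliance", appliance_ip)
    return a_to_b == expected and b_to_a == expected


# Constructed sample topology (assumption, not from the video): a hub holding the
# firewall at 10.0.1.4 and two spokes, 10.1.0.0/16 and 10.2.0.0/16.
FIREWALL_IP = "10.0.1.4"
HUB, SPOKE1, SPOKE2 = "10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"


def system_routes(vnet_cidr: str, hub_cidr: str) -> List[Route]:
    """Routes Azure installs on a spoke NIC with no UDRs: the VNet itself,
    the peered hub, and a default route straight to the Internet."""
    return [
        Route(vnet_cidr, "VnetLocal", "Default"),
        Route(hub_cidr, "VNetPeering", "Default"),
        Route("0.0.0.0/0", "Internet", "Default"),
    ]


# Route table linked to spoke 1: a UDR default route plus a /16 for spoke 2, both via the firewall.
SPOKE1_ROUTES = system_routes(SPOKE1, HUB) + [
    Route("0.0.0.0/0", "VirtualAppliance", "User", FIREWALL_IP),
    Route(SPOKE2, "VirtualAppliance", "User", FIREWALL_IP),
]
# Route table linked to spoke 2: only the return route to spoke 1 via the firewall.
SPOKE2_ROUTES = system_routes(SPOKE2, HUB) + [
    Route(SPOKE1, "VirtualAppliance", "User", FIREWALL_IP),
]

if __name__ == "__main__":
    for dst in ("10.1.0.5", "10.2.3.4", "8.8.8.8", "10.0.1.4"):
        print(f"spoke1 -> {dst}: {next_hop(SPOKE1_ROUTES, dst)}")
    print("spoke1<->spoke2 symmetric via firewall:",
          is_symmetric_via_appliance(SPOKE1_ROUTES, SPOKE1, SPOKE2_ROUTES, SPOKE2, FIREWALL_IP))
```

The point the check makes visible: the UDR default route does send internet-bound traffic to the firewall, but traffic inside the spoke's own /16 still wins on prefix length and never touches the appliance, and if the return route on the other spoke is missing, the firewall only sees one direction of the flow.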
That's a lot of connections through one NAT gateway. It can be pinned to a certain zone, so it can be zonal or regional, but it cannot be zone redundant. So those are the two options: I can pin it to a zone or it can just be deployed to the region. It works with things like Standard Load Balancer; it actually does not work with Basic resources, so if I try and pin it to a subnet with Basic public IPs or public load balancers it will not work, it'll actually complain, it won't let me link it. But then any traffic I'm doing outbound will go via this NAT gateway. Now, it is intelligent. If I had services that had maybe a load balancer and it had requests coming in, so we think about this picture over here, if things were coming in to the load balancer, the responses would still be sent out via the load balancer, but net new outbound connections to the internet would go via the NAT gateway. So it is intelligent; it's not going to break flows by coming from different IP addresses. It will work with the other things you actually have. Okay, so next: public IPs, public IP outbound, all good things, and again NAT Gateway is super simple to actually deploy. The next big thing we typically have is DNS. By default the virtual machines I have, or any resources in a VNet, are using Azure DNS. So if I go back to DNS, if I have that virtual network, as part of the virtual network configuration there's actually the ability to define my DNS. Now by default it will use Azure DNS, or I can use custom; I have a choice for that. Now the default Azure DNS will provide me name resolution for the resources in the same virtual network, but if I'm going across virtual networks I won't get any kind of consistent name resolution. I can also define custom DNS at a per-NIC level if I need to override it just for a couple of virtual machines. Now the way this really works behind the scenes is, hey, we have these resources that get defined, and the way its DNS works is there's a special IP address, so there's this 168.63.129.
129. Terrible writing. 129.16. That is always the IP address for Azure's DNS, so this is the Azure endpoint; that's where I go for anything that is Azure DNS. So that would be whether it's going off and querying things on the internet, or whether it's going internally. Now what if I want a custom name? I want different names internally but I want them to work across different zones. Now I could have my own DNS servers, I could have Active Directory DNS servers, I could have some custom Linux thing, but I want it to just be a native part of the platform. So what I can actually do is I can create Azure Private DNS zones. So I create this Azure Private DNS zone and that is a certain name, that is whatever I'm going to have, name.com or whatever I want; it's a certain name for that zone. Now within this Azure Private DNS I support a whole range of different types of records, so I can have things like A records, CNAME records, TXT records, PTR records, MX records, SRV, SOA; there's a whole bunch of different types of records I can have within that. And I can manually add those, or I can actually have kind of this auto-creation of those. Now the way that auto actually works is I have my virtual network, I actually have multiple virtual networks, but I link the virtual network to Azure Private DNS zones, and there's two different modes for those links. Each virtual network can link to one, only one, Azure Private DNS zone for registration, only one. Now I might have other Azure Private DNS zones, name2, bob.com; I can also link to those for resolution, i.e. I can go and look up records. I can link to up to a thousand for resolution purposes. So I can link to one Azure Private DNS zone for the resources that get created, VMs, AKS worker nodes, virtual machine scale sets, SQL Managed Instance; it will register those names into that zone, so I get vm1.name.com, vm2.name.com, and obviously I would also use that for resolution as well, I want to be able to look things up as well. And then if I have other zones, name
2, name3, I can link to those but only for resolution; my resources will not create records. That makes sense: I'm not going to create vm1 in eight different zones. So I can link to one for registration, a thousand for actual resolution purposes. So now I can look up, hey, www.name2.com or whatever that might be. Now the zones themselves, so each of these zones, firstly these are global resources, I can use them across different regions, and for each zone it supports a hundred VNets that are doing registration to it, and it supports a thousand VNets for resolution. Which again makes sense: I might have five different VNets, I want them all to maybe register the same name.com, and they can go and look across. So a single zone can have multiple virtual networks registering records into it and up to a thousand resolving from it, but a particular VNet can only register records into one, but it can use a thousand for actual resolution. So hopefully that makes sense. And when I use Azure DNS it's using that for the actual lookups, so that's how I'm actually resolving: it's using that 168.63.129.16. This will only work in Azure. So one of the things you'll sometimes see is if I'm on-prem and I want to use Azure Private DNS, I can't; this IP will not work. I would have to have some kind of DNS forwarder as a VM that it talks to on its private IP, and then that VM in Azure goes and talks to this. Now I can also have, that's private DNS, I can also have Azure public DNS zones. Now obviously for a public DNS zone these are all going to be manually added; I'm not auto-registering anything to these. This is really host records, or IPv6 host records, and aliases. Once again it's going to be a certain name, whatever that might be, name.com, and I have to be authoritative (authoritative, probably spelled right), I have to be authoritative for that zone to be able to make that on the public. It has to actually point to Azure DNS for that to actually work, but
then that endpoint will resolve to those as well, so I can use those from my resources internally. So if I want something to be accessible from the public internet I create an Azure public DNS zone, but I have to prove I own that name. There are records you create, like a TXT record, that prove I own that, and they'll go and check: you did create that TXT record, that means you have access to create records in it, so okay, well, we'll go and move it to here. Obviously privately, in essence, I can use whatever names I want; it doesn't care, because it's only usable from within that virtual network itself. So that's how I can use the DNS things. So these are all really, right now, all about just stuff in Azure itself. What about hybrid connectivity? Hey, I want to get to other things. So there's many different types of hybrid connectivity. Technically from on-prem I could connect to things via an internet connection, I could expose it to the internet, but that's generally pretty terrible; I don't want to expose things to the internet. So instead, remember those private IP addresses of our resources: I want to be able to get to those private IP addresses, which means connecting my virtual network to my data center, or maybe some virtual network on another cloud. And the way we think about starting with this is a VPN, a virtual private network. So straight away I'm going to think, once again we're going to start with this virtual network; nearly everything we do I'm going to start with a virtual network. I'll have to drink, I'm thirsty; it's going to be a super long session, but you'll see me drink quite a few times. So I have this virtual private network. Now remember, always, I don't want to overlap the IP ranges. This means it has a certain IP range, and the first thing I have to do is I create a gateway subnet. Now, I get to name it, and what actually happens is it's going to create this for me, it's going to use kind of an IP range. Now the minimum is a /29, the recommended is a /27, and
the reason the /27 is recommended (and sorry, it's not that you get to name it; you can pick the IP range it's going to use) is, if I only use site-to-site VPN a /29 is fine, if I only use an ExpressRoute gateway a /29 is fine, but if I choose later on to coexist and I want VPN and ExpressRoute I need the /27, and remember I can't resize it, there's things in it already. So unless you're really, really short of IP ranges, do that one, do the /27. But if you saw maybe a question like, hey, you've got a /29 VPN, you're going to add ExpressRoute, it's not going to work; you're going to have to delete the gateway, make it a /27, add the gateway back, then add the ExpressRoute. So that's going to be a key thing. Now there's actually two types of VPN gateway. So what's happening is my gateway is going to deploy into here, so into that VNet I'm going to get these gateways, and there's two types. Now there's actually a huge number of SKUs, a massive number of different SKUs. They really relate to the generation, there's a v1, there's a v2, there's even a Basic, and it's really about the speed, how fast they're going to go. But we can really break this down into the Basic SKU, which is really kind of this legacy; again I'm going to do the frowny face, I really don't want to be using that; and then we have everything else, these Gen 1 and Gen 2.
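Gateway subnet planning, as an added Python example that is not from the video or from Microsoft: it finds a free /27 (the recommended size) or /29 (the minimum) inside a VNet's address space given the subnets already carved out, and classifies an existing GatewaySubnet by whether a VPN gateway and an ExpressRoute gateway could coexist in it. The sample VNet and subnet ranges are constructed for the example; the only facts taken from the text are the /29 minimum, the /27 recommendation and that the subnet cannot be resized once a gateway sits in it.

```python
import ipaddress
from typing import Iterable, Optional

GATEWAY_SUBNET_MIN = 29          # smallest GatewaySubnet Azure accepts
GATEWAY_SUBNET_RECOMMENDED = 27  # needed if a VPN gateway and an ExpressRoute gateway coexist


def free_gateway_subnet(vnet_cidr: str, existing_subnets: Iterable[str],
                        prefixlen: int = GATEWAY_SUBNET_RECOMMENDED) -> Optional[str]:
    """Return the first /prefixlen block inside vnet_cidr that overlaps none of
    existing_subnets, or None when no such block is left."""
    vnet = ipaddress.ip_network(vnet_cidr)
    used = [ipaddress.ip_network(s) for s in existing_subnets]
    for s in used:
        if not s.subnet_of(vnet):
            raise ValueError(f"{s} is not inside {vnet}")
    if prefixlen < vnet.prefixlen:
        return None  # the VNet itself is smaller than the block requested
    for candidate in vnet.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(s) for s in used):
            return str(candidate)
    return None


def gateway_subnet_capacity(gateway_subnet_cidr: str) -> str:
    """Classify an existing GatewaySubnet. It cannot be resized in place once a
    gateway is deployed, so an undersized one means delete-and-recreate."""
    n = ipaddress.ip_network(gateway_subnet_cidr)
    if n.prefixlen > GATEWAY_SUBNET_MIN:
        return "too small"
    if n.prefixlen > GATEWAY_SUBNET_RECOMMENDED:
        return "vpn-only or expressroute-only"
    return "vpn and expressroute can coexist"


# Constructed sample (assumption): a /16 VNet with two /24 workload subnets already allocated.
SAMPLE_VNET = "10.1.0.0/16"
SAMPLE_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24"]

if __name__ == "__main__":
    print("GatewaySubnet /27:", free_gateway_subnet(SAMPLE_VNET, SAMPLE_SUBNETS))
    print("GatewaySubnet /29:", free_gateway_subnet(SAMPLE_VNET, SAMPLE_SUBNETS, GATEWAY_SUBNET_MIN))
    for cidr in ("10.1.2.0/30", "10.1.2.0/29", "10.1.2.0/27"):
        print(cidr, "->", gateway_subnet_capacity(cidr))
```

Run it before the gateway exists: once a gateway is deployed into a /29 the only way to a /27 is the delete-and-recreate sequence described above, so the cheap time to get the size right is at address-planning time.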
And then the ones we want to use. And the reason is, this is super restricted. So this is something we call policy-based; you'll also hear this called static. And the way this basically works is it can only have one tunnel, i.e. a connection to one network; it cannot coexist with ExpressRoute; it cannot do point-to-site VPN. The way these work is essentially it encrypts the traffic first, then sends it to the tunnel, which has kind of an ACL of which IP addresses it allows. So because it's doing that encryption first I can only have one tunnel, whereas all of the others are route-based, i.e. dynamic, and what that means is I can have n number of tunnels, because what it's basically doing is it directs the traffic to a tunnel and then encrypts, so I can have different encryption depending on the tunnel I'm sending to. So it gives me that flexibility of multiple tunnels; I can have ExpressRoute coexist; I can also have point-to-site VPN if I want it. So it's just this richer option. It supports things like, I can do BGP optionally, and I can do active-active configurations as well if I want to, so it deploys these multiple gateways, they can actually both be active and both establish tunnels, to give me that better resiliency if there's actually a problem. Now there are a massive number of SKUs. If we jump over quickly, so here we can see, hey, this Gen 1, we have Basic, this one, so it doesn't support BGP, it's not zone redundant, it says max 10 but that's only max 10 if it's running in a dynamic mode, so it does support that as well, but it's actually the only one that supports static. Then there's this whole bunch of VpnGw1, 2, 3, AZ versions, then there's Gen 2 versions, and you can see things like the number of tunnels, point-to-site, site-to-site, if it's BGP, zones, the speed varies greatly; you can see the different speeds. Now this is the total speed it supports across all of the different tunnels. What we find is
actually, for an individual tunnel it's kind of this one gigabit per second, because it goes through a single core. So no matter how, yes, I can have multiple, these get bigger so I can support more tunnels, but a particular tunnel is still one gigabit per second because it goes through a single core and that maxes out a single core. So I can think about, okay, so I've got different gateways. Actually, if I go back to that document for a second, it does go through different requirements: it talks about the encryptions it can use, feature set. So remember the Basic SKU can do route-based and policy-based, and remember that policy-based is kind of restricting you to one connection, and then everything else, they're only route-based. So it does talk about those differences between them. I cannot convert from a Basic SKU to one of the other SKUs; I basically have to delete the Basic and then recreate it. The others, for the most part, I can convert between them. So how am I using these? So I create the gateway, so I create as a resource the VPN gateway resource; that's step number one. Well, then what happens is, if you think about it, I have my on-premises, and this is a certain IP space, so I have some range that represents the IP space on-prem, let's say CIDR 1, and this is obviously an IP range up here, say CIDR 2, and then I'm going to have gateway devices, so I have a gateway here, maybe I have two. So what I have to do is I then create what is called this local network gateway. So the local network gateway is created in Azure and it represents the public, so these each have a public IP. Now I might not have two, I might just have one, probably IP2. So I'd create it, I say okay, well this is public IP1 and it's CIDR 1.
Now if it's BGP then there's other things I can do as part of that address config. If I was going active-active I'd create a second one of these for public IP2, and it would just be the same CIDR range. So this defines my on-prem connectivity. And then the next thing I have to do out of here is a VPN connection, which is from the gateway: I create a VPN connection which links to a certain local network gateway. Up here I have a public IP; now if I selected, as part of the creation, to make this active-active I'll have two public IPs, so this would be public IPs if it's active-active. And then I really control what that configuration actually looks like, because there are a number of high availability configurations. I might, for example, say hey, I'm going to connect from both of these to the gateway; I might do that so I've got resiliency if one of these fails. Or I might just have one but I'm active-active here, so I connect one of them (pretend that isn't there) to both, so maybe I do that. Or maybe I'm active-active on both sides, so I have that. So different configurations I can perform, but I have that capability; it's all documented, the learning material goes into detail on all of these. But essentially remember you are going via these gateway devices. Each tunnel is really one gigabit per second per tunnel, so yes, these might support 10 gigabits per second as a gateway, but an individual tunnel is still limited to that number. I wouldn't use this to connect different VNets together, remember, because I'm limited by that tunnel speed; when I'm linking virtual networks together use the peering, this is a much better, superior speed option for that. Okay, so that's me connecting my on-prem to Azure, and essentially now that they're connected Azure is an extension of my on-prem network. Now from here I can go and get to the private IPs of any resource here, and if I do the networking correctly, peered networks as well; it's just an extension of the network. Likewise things here, all
the peered networks, from using the remote gateway / allow gateway transit, can get to things on premises. What about if I just have some individual machine, contractors, remote workers, they want to be able to get in? Well I can also, it's really going via these public IPs, I can enable point-to-site VPN as well, only, remember, on the route-based SKUs, but I can go and turn that on. So that's giving me the ability for individual machines to actually go and connect to that virtual network, so it's going to create a tunnel. There's actually three different types available to me. There's kind of this OpenVPN; now this is establishing an outbound kind of TLS, so it's using 443, so that should work really from anywhere, and this really works for all clients: this could be iOS, Android, Windows, Mac, Linux. That's generally the preferred thing you're going to use. There's also SSTP, once again that's kind of the TLS 443, but that's Windows only. And then the third one is this IKEv2 and that's kind of Mac. One of the great things about this, so all of these can use things like cert-based authentication. They can integrate with AD, so if I had my regular Active Directory, so I've got my regular AD, they can integrate, but the way they integrate is I have to deploy RADIUS, so I have to have a RADIUS server that talks to my AD, so then these can go and query RADIUS. If I have Azure AD, so I'll think about, hey, this is for OpenVPN only, so I have Azure AD, this can use that. So I can actually, one of the nice things, then things like Conditional Access, MFA can all come into play. Now the only thing, to use OpenVPN with Azure AD, you have to add an enterprise application to my Azure AD. As part of the setup you'll go to a special URL and I have to consent and say yes; when I do that consent it will add in an enterprise app. So if you see, hey, you want to add OpenVPN, what do I have to do? It's adding an enterprise app to Azure AD to actually make
that work. Hey, I want to hook into Active Directory: hey, I need a RADIUS server. If your IP address space changes, of what you're connecting to, for the OpenVPN and the SSTP, that's right, for the OpenVPN and IKE it will just detect it, but I will have to reconnect; for the SSTP I have to re-download the configuration to actually make it take effect, to learn about those new routes. So that's where I can actually think. But now I've got this complete connection. Remember a key thing though: those connections right here, they are all over the internet. So it's all going over the internet; latency, I don't know, it might be taking a different path, different noisy neighbors, people conflicting with me, so that will potentially vary pretty massively over time, and I may not like that. Now, they're encrypted, I'm not super concerned about the security side of it, but maybe I want a more dedicated private connection just for me. So how do I think about that? So that's when we get to ExpressRoute. So I'm going to keep drinking. So ExpressRoute is all about a private connection. Let's just scroll over; I have plenty of space, good. All right, so it's about ExpressRoute. So I think of Microsoft. Microsoft has this massive global WAN; it spans the world, it's one of the biggest networks, and you can actually see it. So if I go and look there's a way you can go and explore. So this is a picture of the Azure global infrastructure and you can see all these little connections, all of these. Microsoft has all this connectivity, all these little lines, that's connectivity all throughout the world. So there's this massive backbone network, and those blue circles are Azure regions that I talked about. So all these different regions all throughout the world, South Central, they support availability zones, it's got all those things. I can see a basic map view as well. So regions all throughout the world, a massive set of infrastructure. Now the way this actually works is there's this massive
Microsoft backbone, fantastic. And I talked about regions, so I can think, okay, well, I'll draw this great big region. I have a certain region, so this is, hey, I've got a region 1, it really doesn't matter. And the way this works behind the scenes is there are these regional network gateways in each region that go and actually connect to that Microsoft backbone network; that's what actually gives it that connectivity. Now in addition to connecting, and again there's many, many other regions, so it's like other regions, region 2, 3, etc., lots of regions, they all connect as well, redundant connections. But there's other kind of points of presence. So there's also these points of presence on the edge. There's a certain PoP, and maybe I go and connect to some internet service provider, could be an AT&T or Verizon, whatever that is; that's how we get to the internet, and the internet is just a whole bunch of different connected networks, and these meet at these carrier-neutral facilities. Now in addition to those points of presence, that Microsoft backbone network also expands into these peering points. So we actually have these carrier-neutral facilities; we call these meet-mes, and peering points, same thing. And what happens here is that Microsoft network once again expands into a whole array of routers, I'm just drawing two; there's this whole Microsoft Enterprise Edge actually at that facility. So what we can do is, customers, I can think about, hey, I've got my customer network, so I'll draw that down here, so this is my customer. Now that customer might be at a colo, in which case they're in the same building. I'm drawing it as, hey, they have their customer edge routers, and those customer routers connect into this meet-me facility. It could be an MPLS, so it's kind of more cloud, but it's this layer 3 MPLS tagged, but it's still basically going to end up as, that ISP is essentially going to have a set of routers, so they have kind of this
provider edge, customer-facing, to connect to the customer, and then what will actually happen here is that that provider has an MS Enterprise Edge-facing side, so those connections get connected through and then it does a cross-connect to Azure. So I'm going to do this as a magical color just to show magic. Then we get this. At this point, what have you done? You've connected the customer network to that Microsoft backbone network. So that's the key point. And again, I've drawn it as this direct layer 2 connection; it doesn't have to be, there's many different ways this can actually work, there's different models, it could be an MPLS, it can even be ExpressRoute Direct. So with ExpressRoute Direct essentially the customer has their own routers in here; they're not using a provider, and the customer maps their routers directly into the Microsoft Enterprise Edge. So if I'm a really big customer I get these 10 or 100 gigabit per second direct port connections and then I create circuits on top of those. Now these meet-me locations, there's a whole bunch of them. So if I jump over I can see, hey, look for Amsterdam 2, there's different addresses and there's different service providers that operate out of these. So lots of different locations, different providers; it shows me the different speeds they're supporting. You'd also see this local Azure region for some of them, not all of them, some of them it doesn't apply to, and I'm going to explain what that means in a second. But basically for all of the models I'm using a certain provider. Microsoft does not provide last mile; Microsoft do not provide the connection from your location to its Enterprise Edge. You're using someone to do that, whether that's a service provider or you have got your routers in this facility and are using ExpressRoute Direct. So you can do that. It's always a pair, it's always redundant, so it's active-active, so there's always two connections between you. And that's an important point, because I buy a circuit, even if
I'm doing Direct I buy a port, I create circuits on it. So I create this ExpressRoute circuit and that ExpressRoute circuit is a certain speed. So I buy a, let's say 100 megabit per second circuit; it's actually two 100 megabit per second circuits, so if everything's happy and working I'll get double the throughput, and it's full duplex, so it's 100 in each direction on each connection. So I actually get a much bigger throughput than I might otherwise think I have. Now that's great, I've connected my network to Microsoft's backbone network, fantastic, what can I do? Absolutely nothing, because nothing's been advertised; I've just connected networks together, but there's no routes being advertised to say, hey, you can get to this VNet or these Microsoft services. Because there's actually two different types of service I can use, two types of peering, once I have this connectivity: there's something called private peering and Microsoft peering. So private peering is, hey, I have, don't do that color, let's get that back out, I have a certain virtual network; remember that virtual network is a certain IP space within there, and I want to connect that virtual network to my on-premises IP space. So that would be private peering. Microsoft peering would be, hey, there's other types of service in Azure, there's maybe storage accounts, there's even things like Microsoft 365, there's SQL, there's all these different things; I want to use those, but those don't live in a VNet, but I want to be able to get those advertised as well. So let's start with private peering. So if I think about private peering, I have my virtual network, so the first thing I have, remember, I need that gateway, so I have my gateway subnet and it's going to deploy ExpressRoute gateways. So these are different from the VPN type; they can coexist, ExpressRoute will always take preference; I need that /27 if I want VPN and ExpressRoute. You can actually do VPN over ExpressRoute if I want it encrypted end to end; I
can do that, because this is a private connection, there's no encryption on here. So if I actually want it encrypted I could do IPsec, I could do a VPN over it, I do have those options, but this is not an encrypted connection. But I get some number of gateways; we don't really see or care about the exact number. There are different SKUs, so if I look at the ExpressRoute gateways I can see, hey, Standard SKU, High Performance, Ultra Performance, and then there's a maximum number of circuit connections, so depending on the SKU of the gateway I can connect to multiple ExpressRoute circuits. So remember a circuit is really tied to a certain meet-me; I might connect to different ones, maybe for redundancy, for various purposes. I can actually connect to more than one circuit from a particular gateway SKU. So there are different ones available, they're different speeds, so you can see the maximum megabytes per second of the different gateways, what it can actually support. It talks about the gateway subnet as well. So we have this documentation, but some of them are AZ-understanding and some of them are not, so I have that choice: if it understands AZs it can be zonal, I pin it to a particular AZ, or it can be zone redundant. Multiple VNets can connect to the same circuit. So I create a circuit, I create authorizations that let gateways connect to the circuit. So if I had a circuit I could have this VNet connected to it and that VNet and that VNet; they would actually then be able to talk to each other. So if I had another virtual network connecting to the same ExpressRoute circuit doing private peering they could talk to each other, but the traffic would flow via the meet-me. So even if there was another VNet sitting here, this is VNet 2, and it was connected to the same circuit, the traffic would do this. So if this meet-me was 50 miles away from the data center, that's going to add significant latency. So I wouldn't do that, I wouldn't connect them using that; I would use peering. Remember
that key point. But once I had this gateway, essentially what I'm doing is I establish private peering. So I'm actually going to go and say, hey, from here, for all of these connections, that is private peering, and what happens is the address space of this side, the range down here, gets advertised up to the VNet, so we'll have in its routing table, effective routes, hey, to get to CIDR 1 go to the next hop. And that's actually an interesting thing about the next hop: inbound traffic flows via the gateway, that is true, but outbound does not; outbound goes to the MSEE. It's probably more detail than you need to know for the exam: the outbound does not go via the gateway, the next hop will be the MSEE; inbound goes via the gateways. So that's a key point for that. There are different things I can actually do. There's something called FastPath. So this inbound connection, if I turn on FastPath, then the inbound does not go via the gateway; FastPath will go directly to the resources, it does some magic. There are things it doesn't support, so if I do FastPath, for example, if I jump over here, it can't have user-defined routes on the gateway, because it doesn't go via the gateway; I can't connect to things that are peered; I can't talk to Basic load balancers; I can't talk to Private Link. So that's just an important point to understand, that, hey, the way the traffic flows is inbound is normally via the gateways, but if I turn on FastPath then it does not, and then there's some limitations. I still need gateways, I still have to do that BGP route propagation, and it actually has to be the highest SKU, it's like the Ultra Performance or the ErGw3AZ. So I still need the gateway and I still need the top tier. The outbound never goes via the gateway, it doesn't need to, and it just goes straight to the MSEE. There are different speeds for ExpressRoute. So when I buy a circuit, I mean there are certain limits; I'm going to talk about Premium in a second, but it tells me about the number of circuits I can have. It's a
number of virtual networks that can connect to a circuit; for the Standard SKU it's basically always 10, so 10 different VNets can connect to the same circuit regardless of the circuit size, we can see over here, but if I add Premium I can add more VNets to the same circuit as it gets faster, this bigger connection. So there are some differences that creep in between Standard and Premium, and again I'll talk about those in a second, what Standard and Premium differ by. So that is private peering; so private peering is, hey, I'm connecting IP space to the IP space of a virtual network. Then what we also have is this idea of Microsoft peering. So Microsoft peering is those other services that don't exist in a VNet. Now ordinarily these services advertise these public IP addresses out to the internet and I connect via those public IPs, but maybe I want to actually connect to them via this private connection. Now when I turn on, I can have both Microsoft peering and private peering on the same circuit; my provider may charge me separately, that's down to the provider. So I turn on Microsoft peering and I get nothing; nothing happens, because by default it's not advertising any routes via BGP to say, hey, take this path instead of your path via the internet. So what I have to actually create is a route filter, and then I link that to the Microsoft peering, and that says, well, hey, via BGP now we're going to advertise these services to come in via this connection. So if I jump over super quick, if I look at my, over here, so if I look at my route filters, so I'll create a route filter, and what it's going to do, if I manage the rules, I select the service communities: Exchange, SharePoint Online, Azure AD, all the different regions, and then particular services within a particular region. So I'd say, hey, I just want these routes advertised through my Microsoft peering, so only these things that I have selected would go via my ExpressRoute connection. So that's really kind of a
key point about that, and that's really all there is to it.

Now I do have to do a few different things for all of these peering connections. Obviously, if you notice, there's the Microsoft edge side and the provider edge side; I need IP addresses. If it's private peering I can give it private IPs: two /30s or one /29. The customer always gets the first usable IP, the MSEE uses the other one. I can use public IPs, kind of a waste. If it's Microsoft peering, again I need two /30s or a /29, but they have to be public IPs that I actually have to use for that connectivity. Also, with Microsoft peering, because it's all public IP space, I have to NAT the traffic. So when I tell it an IP space I'm advertising over Microsoft peering, it's generally going to be my NAT servers here, which are separate IPs, that are going to NAT the traffic from that private CIDR space over that connection so I can actually get to it.

Now I talked about ExpressRoute Premium before, so what does that mean? Ordinarily we have ExpressRoute Standard, and I can think of Standard as covering everything in a certain geopolitical boundary. I'm connecting to the Microsoft backbone network, but I can only connect to things in the same geopolitical boundary. Now these are documented: if I look at the ExpressRoute locations it tells me at the top the geopolitical region, so North America for example has all of these regions. So if I have a regular ExpressRoute circuit to a meet-me in North America, I can connect to all of these regions but only those regions. If I turn on Premium, so if I go Premium, let's pick a different color, I would do gold, there we go, if I do Premium it is now global: I can connect to any region on the Microsoft backbone network. So that's really the big difference between them.

Now there are some other differences with the Premium SKU. I can advertise more routes, I think it's 10,000 routes instead of 4,000 routes. I can, if I get Microsoft buy-in, connect
to Microsoft 365 services over that as well. So there are some differences between the SKUs.

Let's look at the pricing details quickly; I think this might spell it out. So notice you can add on the Premium price, added on to the cost of the Standard price, if I want that. Let's try and see if it tells me what Premium is. So the ExpressRoute documentation tells me what Premium is... where's it gone? I don't know if I'm going to find it quickly, but that's the key point behind Premium. Let's see if the FAQ has it. Premium, here we go, yep: so increased route limits, so it's 4,000 to 10,000, remember that; an increased number of VNets can connect based on the speed; connecting to Microsoft 365 services; and global connectivity. So those are the things I said, so thank goodness I didn't get that wrong. But that's what I would actually use that for.

Now when I'm looking at the pricing, an interesting thing is in Azure you don't pay for ingress. So data coming into Azure, I never pay for it, but I pay for egress. If it's going out to the internet, out to another region, I pay for egress from Azure, and ExpressRoute is no different. There are actually two different SKUs, well, it's actually three. So there's a metered plan for ExpressRoute where I pay for the egress, and that's normally the right one for most customers. So if I look at the metered plan, you can see the metered plan, let's just say 100 megabits per second, okay, so it's 80... why is it pounds? It must detect my accent, some new advanced thing. There's $110 per month, but I then don't have any outbound data included, so I pay for the outbound data, and it's telling me based on the zone, so different regions like North America is zone 1, and it tells me what zone 2, 3, 4 is later on. There's also an unmetered plan, but for the unmetered plan notice the price is significantly higher, so it's $575 instead of the $110. So I'm paying more but I don't pay for the egress. Typically you
wouldn't do the unmetered unless you were constantly using, I think it's 60% or more, of the constant egress speed; it just doesn't work out optimal for you.

There is also, notice here in this unmetered tab, something called a Local circuit. Now notice the Local is significantly cheaper than the Standard. So what is Local? Remember when I talked about the different locations; if I jump back to this document by location, when we looked at this document it actually had this concept of a local Azure region for some of them, not all of them. Atlanta doesn't have one, but if I scroll down, for example, San Antonio is local to South Central US, i.e. that meet-me is super close to a certain region. So what the Local SKU lets me do is, if I use the Local SKU, I can only connect to the Azure region that is local to the meet-me; I can't connect to the others, but I don't pay for egress. So the big point here is that Local SKU: if I just need to do a huge amount of egress and my region is local to the meet-me per that chart, it's a lot cheaper. So if I have that requirement, hey, use the Local SKU. So the Local SKU is a key point; let me draw this out. Local: only the region local to the meet-me. So that's an important thing: there is the Local SKU, but I can only use the region local to the meet-me per that chart. That's a key point.

A few other little things. I talked before about BGP; I talked about how BGP is used. I have this redundant pair, this active-active; if there is a failure it uses BGP to detect that and do the failover. Well, that BGP could be fairly slow; it could take many minutes to fail over. So there's actually something I can do: BFD. This is basically, I think, almost sub-second. So what BFD, Bidirectional Forwarding Detection, is actually going to do is enable much faster link failover. So I can turn that on; typically sub-second, if there's a failure it's going to detect that.

Another thing you might want to do: remember, this is not encrypted.
I talked about this: it's not an encrypted connection, it's a private connection, but it's not encrypted. Now remember I talked about, instead of just buying circuits, if I'm big into this I might buy ExpressRoute Direct. With ExpressRoute Direct there is no service provider at that meet-me. This is still the meet-me, so I still have those Microsoft Enterprise Edge routers, but now it's really the customer edge: we have these customer edge routers, and then I have that pair of connections between them. So this is only for ExpressRoute Direct; it's just me, I'm owning the ports. So if I want to encrypt it, there is actually something I can do called MACsec. MACsec is not end-to-end encryption, but it's going to encrypt between the two routers, the customer router and the Microsoft Enterprise Edge routers, so basically the air of the meet-me location. Because obviously there are cables going there, that traffic will be encrypted between the two routers. Again, not end-to-end, but within that meet-me I can use MACsec to do that encryption.

And as mentioned already, I could do a site-to-site VPN over ExpressRoute. So if I have private peering, if you think about it, I've got the routers used for ExpressRoute; I could also have VPN gateways behind this and above this, and so over the private peering I could establish a site-to-site VPN as well. So that is actually possible.

Remember you can have multiple circuits, and you probably would. So if I had multiple locations geographically distributed, I might have, let's say, Dallas and London. Let's say I had that, for example. Well, if I had that Dallas/London idea, so let's say hey, this was a global region, and let's say hey, I had another data center here and I had another meet-me location here (I'm not going to draw different connections). Well, this would make sense, because think latency: I wouldn't want to, from London, talk to my London Azure region by going
over my private connection up here and back over the Atlantic twice; that would be terrible. So I'll add a local meet-me. But now imagine a scenario: let's say this is Dallas, this is London. I would actually like these to talk via my ExpressRoute connections, because it's the Microsoft backbone network. Well, I can actually do that. There's actually a feature called ExpressRoute Global Reach, and I can turn that on, and what that's going to do is, essentially over that Microsoft backbone network, it's going to connect my offices to each other. So that's what ExpressRoute Global Reach does: it gives me that connection to go and leverage that capability, use that existing connection. Now maybe it's a backup connection, it's not my primary one, I'm using it as a backup, or maybe that is how I connect them together.

So that's hybrid connectivity: site-to-site VPN, point-to-site VPN, ExpressRoute. With ExpressRoute I don't only have to do private peering, I can do that Microsoft peering as well. There's a lot of management involved in those things. If I have ExpressRoute and I have VPN, maybe I'm doing all these different peerings, I have all these different things that I have to manage; there's actually quite a lot of work I'm doing there. So there is another service that takes a lot of that work away from me, and that service is Azure Virtual WAN. We hear a lot about SD-WANs today, and hey, this new world of just using the internet connection. So instead of me having to worry about these peerings and these VPNs and these ExpressRoutes, well, if I think about a certain region, I can just create an instance of Azure Virtual WAN. Now what it's doing behind the scenes is it does create a managed VNet, but I don't really have any direct access to that managed VNet; it's just there. But what I can then do is, if I have other VNets, I can essentially add them; it's going to peer them. So I can do this. There were two SKUs. So I
actually, I should stress that point. There's a Basic SKU, so if I have the Basic SKU I can do those connections, but it only supports site-to-site VPN. So if I had a location it supports connecting it, but that's just me getting to the VNet, and I could have multiple locations and it would connect those things together. Then there's also, let's do another color, I'm going to run out of colors today I think for sure, and we'll pick that color, no, it's too similar, that's a bad idea, we'll pick gold again: there's also a Standard SKU. So in addition to the site-to-site VPN, it also supports ExpressRoute and it supports point-to-site, and it supports this VNet transitive routing, and it supports multi-hub routing, because I may have another region. So then in the other region I have another Virtual WAN over here; it will now let me connect them, and it has connections, and everything would route together. These VNets can now talk to each other, I could add another location with an ExpressRoute, they can talk, they can talk, they can talk, I can have my point-to-site; it's now enabling this full connectivity between it.

Now if I don't want this any-to-any configuration, I can add custom route tables to restrict the flow. So if I don't want this any-to-any, I can absolutely use a custom route table for VNets. I can link it to these and say "hey, I actually don't want you to talk," so I can restrict that if I want to. So that's a cool thing I can do. There are even third-party NVAs, network virtual appliances, that I can actually install into the managed VNet. Maybe I've got, like, a Barracuda, and then my branch office is maybe connected via Barracuda gateways locally into this Barracuda NVA that I've got in that managed VNet. So I can absolutely do that as well.

Okay, so lots of different things. I'm trying to get my bearings a little bit. So that was all about connectivity, hybrid connectivity, making all those things work. Now what I want to actually talk about
is, I alluded to a load balancer long, long ago, many, many hours ago. I talked about this load balancer. There are actually different load balancer solutions available to us, and it depends on my requirement. Again, I've got a whole video about picking the right one, because I think about hey, I have these public IP spaces, public IP addresses, or maybe internal, and I want to make services highly available, so how do I actually do that? There are many, many different options when I think about load balancers in Azure. I want to draw this over here, away from everything else, because if I think about the different types of services we might have, well, there are different requirements. Think of load balancers: what do we have? Well, I might have services at a global level, and I have services at a regional level, i.e. within a certain region. And then quite separate from that, I have some services that operate at layer 7, so things like HTTP, HTTPS, HTTP/2, and other things that operate at layer 4, i.e. TCP, UDP. So depending on what I'm doing and what I need, I'm going to have different solutions that I actually want to use for this. Watch the video; there's a lot of detail around this.

Now a key point here is I'll often combine solutions. So within a certain region I'm going to use one of these, then if I'm deployed to multiple regions I'll probably have global services that point to the regionally highly resilient services.

Let's start with the bottom layer, regional. So what is my solution here? My solution here is the Azure Load Balancer. This is actually a very simple service when you think about what it's doing. It's layer 4, so with layer 4 what that really means is I'm focusing on these five tuples, and you see these five tuples a lot: you think about the source IP and port, you think about the destination IP and port, and the protocol. That's really what we understand for this. So I have this load balancer, so let me draw this big symbol, and the whole point of what this has is
there are actually front ends. Now this front end is obviously an IP address. Now there are two types of load balancer: I can either be internal or external; I cannot mix them. I can have multiple front-end configurations, but I cannot mix them, so either everything is an internal front end or everything is an external front end. I can't mix them. So I have a front-end IP address, and then what's happening is that traffic is coming into the load balancer and I have a number of rules, and those rules are really deciding how I distribute the traffic.

Now for this there are actually a number of different SKUs, and that really dictates what I can do for some of these kinds of traffic and what I can support on the other end. So there are two SKUs. There is a Basic SKU. With the Basic SKU everything has to be in one availability set; I can have up to 300 in the back end, but they're all from the same availability set or the same VM scale set. This is free, but it means there is no SLA, so there's no service level agreement for free, there is no availability zone support, and also it's open by default, which is very similar to the free public IP, the Basic public IP. And remember, I have to use these together: if it's external and it's a Basic load balancer, I have to use a Basic public IP. Or there's Standard, so I could use that with a Standard public IP. So there's a cost for this, but it means I get an SLA. I can actually support 1,000 back ends in the same VNet; it doesn't have to be the same VM scale set or the same availability set, it doesn't care. So it's 1,000 instances. It supports AZs, either zone-redundant or zonal, i.e. pinned to a particular one. And it's locked down by default, so I'd have to open things up. And also it can point to either network interface cards or IP addresses. Some resources don't have a NIC: if I think about pods in AKS, they don't have their own NIC, so the idea of being able to use an IP address can actually be very powerful. It can give me
more support for containers, but they must be in the same VNet as the load balancer. So I do get those different SKUs.

So we have this front-end IP address, we have the load balancer itself, and then we have back-end pools, which are made up of resources, again from either the same virtual network, or the same availability set if it's Basic, etc., and it distributes to those via the rules. There are also health probes going on. So the health probe I specify as part of this to say how do I know if a particular member of the pool is healthy? If it's not healthy I don't want to send the traffic to it. So that's really an important thing I want to have.

Now there are different rules available as part of the load balancer. So a key one is a load balancing rule. This is this hash-based distribution: for the source IP and port, destination IP and port, and protocol, it creates a hash to then send it on. So based on these protocol ports it sends it to a particular back-end member. I can pick a certain stickiness. By default it's the five tuples, but I can also specify a three- or two-tuple. Three-tuple takes out the ports, so once the source IP and the destination IP and the protocol are the same, it always goes to the same back-end member. Two-tuple is just source and destination IP, so even the protocol can change and it will go to the same back-end member. So I can pick the stickiness I actually want.

There are also NAT rules. A NAT rule says "hey, I don't want to distribute the traffic over multiple members, I want it to go to a particular VM and port." So hey, it comes in to this IP and this port, always send it here; maybe it's for an RDP connection, although I want to be careful about RDP to the internet. If it's Standard I can also do outbound, and this is really about outbound NAT rules, and configuring this is SNAT basically, so I can configure how I do outbound if it's that external IP. One of the configurations I can do is these rules. This load balancing
rule: there's a finite number of rules I can actually have, so something I can do on Standard is something called HA ports. If I turn on HA ports (that's Standard only) I don't create individual rules for ports anymore; it will just evenly distribute all of the flows. This would be super useful if these were, like, network virtual appliances and I'm covering a whole bunch of ports and protocols; I don't want to do individual rules. So if I turn on HA ports it will just distribute the flows over the back-end pool members. I don't have to now do individual rules, and I can't do individual rules: HA ports just does all flows.

I can also turn on something called floating IP, and what that basically means is I send the front-end IP to the back end. Ordinarily what the back-end pool sees as the destination is themselves; it gets rewritten by the virtual switch, so even though that was sent to this front-end IP, they don't see the front-end IP, they think they are the target. Sometimes I don't want to do that. So what I can do is, if I turn on floating IP, what they see as the destination is the front-end IP address. I have to do a bit of wizardry inside the VMs, maybe add a loopback adapter for that IP, so it makes sense to it. But I can actually turn that on; I can configure that if I want to.

So that's really the load balancer. The load balancer is really all about hey, layer 4, I can create rules. I guess we can see one of these super, super quick, if I jump over to my load balancer. And I should actually stress, when I talk about load balancers there is a "help me choose"; it can ask you questions, and there's actually a service comparison. So this is super useful and it tells you: hey, look, for the load balancer it's TCP/UDP, it can do private load balancing, it's not global, it's using that round robin based on the hash, and it's Azure resources only. So it's a really useful thing. If I look at my load balancers, basically what you're just going to add in is, hey, I can have
my back-end pools, the members I'm sending to, and then I can have rules: hey, yeah, look, TCP on this IP coming in, going to this port, send it. So hey, look, it's coming in IPv4, going to this particular front-end IP on the load balancer, it's TCP, it's coming in to port 80, I want to send it to port 80 on these back-end VMs, and this is the health probe I'm going to use to see if they're healthy. I can pick additional session persistence, so this comes down to the tuples. Normally it's five-tuple, with none, but I could also say hey, just do two-tuple, client IP, or three, client IP and protocol. I can turn on that floating IP that I talked about, so it will see the front-end IP address. And there are also some outbound SNAT rules as well there. And I can also see inbound NAT to map a particular port and IP to a particular VM. I can do outbound rules as well.

So that's layer 4. Okay, what about regional, also within a region, layer 7? Well, that is going to be App Gateway. App Gateway is another service we have. Again, it's regional, HTTP, HTTPS, HTTP/2; it is a layer 7 device. Now because it's layer 7 it understands a whole bunch of layer 7 things. I can do things like URL-based routing, I can do redirection (redirect HTTP to HTTPS, redirect this site to another site), I can do SSL offload: it can actually go and do that decryption and then send it unencrypted to the back end, or we can even re-encrypt it and send it on. I can rewrite the entire URL, I can rewrite the request, I can do cookie-based affinity; there's a whole bunch of cool things I can do with this. There's also a web application firewall. So what I can optionally turn on, the first part, is this web application firewall component to protect me from these standard types, the Open Web Application Security Project core rule set, CRS, to give me that initial protection. And then what happens is this App Gateway actually deploys into my virtual network. So it deploys into a VNet, and what I'm actually going to have here, very similar initially, is
I'm going to have these front-end IPs. So I have a front-end IP. Now the front-end IP: it always has a public one and it's listening on that; optionally I can also have a private one. I cannot do private only. What I can do is lock down the public so it's really not being used for anything, but I can't not have it. Now once I have the front-end IP, what I actually create are listeners. So a listener is listening on a particular IP and a particular port; that's how that's working. Now at this point I can also tie into other things: I could do things like SSL offload at this point, through ports I can hook into various certificates as part of that configuration. But for the listener there are two types. There's basic, so basic is, basically, everything goes to this particular rule: anything that is listening on this port, no matter what the FQDN is, is going to go to that rule. There's also something called multi-site, and what I can do with multi-site is I can have multiple listeners on the same port on the same IP, which normally wouldn't work. What this is actually doing is looking at the fully qualified domain name, i.e. the domain that's coming in, and I can do wildcards, I can do various characters in there, to send that to a different rule. So on the same port, same IP, I can actually use different rules. So hey, if this is going to savilltech.com, go to this rule, go to this back-end set. Oh, if it's *.something.net, whatever, it goes to these other ones. So I can use these different things.

So this uses rules, and just like the other thing, there's a basic rule, where with the basic rule it just says hey, you just go over here, send this to everything I have, so it's a port, go over here. I can also do path-based routing. With path-based, hey, if it's /blog go to this set, because what I'm going to have on the other end of this are various back-end pools again. So if it's path-based, one path could go there,
one path could go somewhere else. I can also do various types of rewrite within here: I can rewrite the URL, I can rewrite the request, I can rewrite the header. There's a whole bunch of different things I can do to actually change what's within there.

In terms of the services in this back-end pool, it's actually a lot more flexible. So the services in that back-end pool, yes, they can be things in Azure, but they could also be things on premises. It actually doesn't really care, as long as there's connectivity to them: site-to-site VPN or ExpressRoute. These could be on-prem as well via that site-to-site VPN or ExpressRoute, other things as well; it really wouldn't matter to it. As part of that rule as well there's a whole bunch of HTTP settings that I can configure, and that's things like affinity, so hey, there's cookie-based session affinity; if I'm going to do maybe re-encryption, I can configure all of those things on there. So I have those different options.

Again, there are different SKUs available for this. I think there's autoscale in the Standard SKU, there's some redundancy, zonal, but again it exists in a single region. These are all regional resources. And again, the Azure site, it's kind of cool: if I go and look at the service comparison, it shows me, okay, well, App Gateway: okay, yeah, HTTP, HTTPS, HTTP/2, private, round robin, Azure, non-Azure cloud, on-prem, and all these nice features like session affinity, host- and path-based routing, TLS offload, okay, WAF, NSGs (NSG because it lives in the virtual network, so I can use that) and that optional web application firewall. So there's a whole bunch of different things. It has the same health probes, so we can go and check, is the back-end pool member actually there, and I can use it. So it gives me those capabilities.

Okay, so now let's move on to the next level of service. Those were regional; what about global? So let's think layer 4 first. Now what I would say is for layer 4 global there is actually a global
Azure Load Balancer, but at this time it's in preview, so it's not in the exam. But what that global one does is it actually has an anycast address that can point to regional Azure Load Balancers. But again, that's not going to be in the exam; there is a video in the playlist if you are interested in that.

So the solution we really have now for global balancing that's not HTTP, well, that's going to be Azure Traffic Manager, and it's really a pretty simple service, because it's DNS; that's how it's working behind the scenes. So the way this is really going to work is I create a Traffic Manager name, so let's just say this is, I don't know, savweb, and it's going to be savweb.trafficmanager.net; that's resolvable across the whole Azure DNS service. Now I don't want to point people to that, so on my domain servers I might create a www.savilltech.com, which is a CNAME record, an alias, that actually points to that. Then what Traffic Manager does is, on the back end of this, I can have a whole bunch of different resources. I might have them in these Azure regions over here; it can even support things that aren't in Azure, so maybe it's some location over here, and it has them as possible resolutions. I can even use IP addresses, fully qualified domain names, as part of that. And the way it's really going to work is, hey, I'm sitting here on my machine and I say hey, www.savilltech.com, and I send that query to my local DNS server, who then goes off and does a whole bunch of recursive resolution, so they resolve that for me. So that goes up to Traffic Manager. Now Traffic Manager has a whole bunch of different methods it can use to actually distribute. The common load balancing one you're going to use is performance. What performance does: based on the latency of my DNS server to the possible targets, it will resolve to the one closest to me, i.e. it would give me the one that is closest to me. Now the targets, they can actually be these Azure endpoints, so it could be Azure endpoints,
it can also be external, so that could be a fully qualified domain name or an IP address, or it can actually be nested, so this could actually be another Traffic Manager profile, which is one of those things. So performance is the most common: hey, redirect me to the one that's closest to me. There are others. If we look at the documentation we can see there's priority: have one as the primary service endpoint, but go to others if it's not available, because again we have health probing on this thing. Weighted: send 50 to this endpoint, 20 to another. Performance, obviously the one, send me to the closest one. Geographic: send me to the one based on different geographies, so I have these different endpoints, these endpoints are for North America, these are for this country. Multivalue: hey, instead of returning one, return all of the possible IPv4/IPv6 addresses and then the client can pick which ones it wants to use. Or subnet: hey, map these IP ranges to specific endpoints. And the documentation goes through how all of those work. There are different things available that I can leverage. Key point though: it's DNS. So I do, as part of my configuration, have to consider what the time to live of the record is. So if one of these goes away, if the time to live of the record is five minutes, it's not going to go and recheck and get a result that's different for five minutes. So I always have to consider that.

For my layer 7 solution, it's Azure Front Door. Now Azure Front Door is really focused around the idea that, once again, there's this massive Microsoft backbone network, and what I can think about having is, remember we have all these different regions, and most likely I've got my App Gateway in this region offering a service, I've got another region with my App Gateway offering it from here as well, maybe there's even some on-premises region that's offering the service over here. And I talked about before, also hanging off this network are a whole bunch of points of presence,
different locations that network expands to; Microsoft uses it for the content delivery network. So what Azure Front Door does is essentially it adds an anycast IP, which means that IP address is available at all of the different points of presence that are supported by here. Now additionally I can turn on web application firewall to be in front of all of those, to give me that protection from the common things, and then it has a number of possible back-end targets as part of that Azure Front Door profile. And now this is, again, only for HTTP, HTTPS, HTTP/2; again, that is layer 7.

So now what happens is, me as the user, let's say I'm here, I want to go to the service. So I go to this anycast IP, so I'm going to go to the one that is closest to me. Now, so that's anycast, but then what it does is something called split TCP. Because ordinarily what happens is it then redirects me to the back-end service, and there's a whole bunch of things that happen: I have to establish a TCP connection, then I have to establish a TLS connection. It does all this to the local point of presence, so it's much, much faster in terms of that actual connection. It can do things like SSL offload, so at this point I can do SSL offload; it's going to actually improve the overall performance. And then I make a request: hey, I want this block of data. At that point it will go and take the request and get the data. It will go and do the request, it will get the response for a much bigger chunk of data. I can do caching, so the next person will get better performance, and then it serves up portions of the data. So Azure Front Door is really going to improve the performance for multiple reasons: yes, it does some caching; yes, it's going to redirect me to the one closest that's available (again, it's doing the health probing to check it's there); but all the TCP establishment, the TLS establishment, happens close to me, not going to the back end, then it gets big chunks of data and serves that up. So I can really focus on a whole bunch of
different things. If it's a back end, if it has a public IP, if it has a resolvable DNS name, I can use it with this capability.

Now what's coming out is this v2 world of Azure Front Door. Now if I actually look at this for a second, this is preview right now, but they're basically going to add some additional features, and what they're doing is they're really combining Azure Front Door with web application firewall and the Azure content delivery network. That CDN is super useful for static, for non-changing, content. So they're merging all of these things in together, and what's really happening is that Premium SKU, you can see, hey, Private Link support, so I can now redirect to resources via a private endpoint, that we're going to talk about; it has things like threat intelligence, bot protection, all of those WAF capabilities. So you can go through here; make sure you've got a basic understanding of the features of it. But the v2 is really merging all these various things in together.

So up until this point we've really been focusing on making things available, hybrid connectivity. Now let's think about the opposite side of this picture. I don't want to make things available anymore; I actually want to think about maybe locking things down. So the whole idea of how this great connectivity, everything can talk to each other, fantastic, maybe I don't want to do that, or I want that, but now I need to actually control and start restricting things down.

Now Azure Security Center was a great starting point. Azure Security Center has, based on Azure Policy, some default things that you can actually leverage to advise on, hey, locking things down using these capabilities: hey, I should have a managed firewall. There are things I can do for protecting those public IPs. There's a standard distributed denial of service protection that's just inherent, but it's really designed for massive scale. There's also a paid-for version, so there's a Standard offering. What the Standard distributed denial of service
protection does is I apply it to a VNet, all of the public IPs associated with services in the VNet, and it now uses things like machine learning to actually tune to what is historically seen on that. It gives me more control, reporting, hey, I'm going to start preventing these denial of service attacks a lot earlier because I've learned what is common for this particular service. So distributed denial of service: there's a Standard offering that gives me machine learning based protection, more reporting, more control.

But now I really want to think about really controlling things. So I have my virtual network, so I have my VNet, and remember the whole point of this is I might have multiple subnets in that VNet, so I've got kind of subnet one, two, three, I don't know. Everything can talk to everything. I can do all the peered networks, ExpressRoute connected networks, if I don't do anything else. So I want to think about controlling that. So the way we do that is we create something called a network security group, and just like many other things we've seen, we have both the idea of inbound and the idea of outbound, and we create rules. Now these rules are really all based around that same kind of five-tuple idea. We're very big on kind of maybe a CIDR range, an IP range, but there's also these things called service tags which I want to talk about.

A super important point though about network security groups: this is not an edge device. It's not an appliance sitting at the edge of my subnet protecting traffic. If I think about a virtual machine, the virtual machine attaches to a network interface card. It is here that the NSG is enforced, and why that matters is it means it doesn't matter if I apply the NSG at the subnet, which is how I normally am going to do it. So what I'm going to do is I'm going to link this to a subnet. It still applies to the VMs in the same subnet. It's just for management I apply it to the subnet, but I can also link it there (at the NIC) as well, it's just that it gets very hard to manage, so
we tend, we'd rather not do that. Most of the time we'll link it at a subnet so it's easier to manage, but we can, because it actually is applied in the virtual filtering platform of the switch that makes all of this actually happen. So I link this into the NIC, it's enforced there. If I link it into the subnet, it's this whole bunch of rules, so it applies regardless, even if they're in the same subnet. Now it's created within a region, so I have to apply it to a VNet in the same region, and I create these rules. Now there are a number of them built in. So if I jump over, I've got a whole bunch of different tabs, let's close some of these down. So if I go and look at my network security groups, there are certain rules built in. So if I just go and look at, it doesn't matter which, I can see inbound rules, and notice there are these three rules by default. This is inbound to the VM where it has this linked, and it's got this special name here called VirtualNetwork, so anything from the virtual network to the virtual network is allowed on any port, any protocol. And remember what I said: the virtual network is the known connected IP space. So if I have a virtual network, let's try and find a big picture of one, and I've peered it to different networks and I've done site-to-site VPN and/or ExpressRoute and other things, all of those connected things are VirtualNetwork. That's an important way to think of it: it's the known connected IP space. So that default rule that we see there is any of the connected IP space can all talk to each other completely unrestricted. So that's kind of a default rule that's there inbound. Then it also always allows the Azure load balancers to talk to it so it can do health probing. Everything else is denied. So that's coming in. Outbound rules, the stuff going out of the NIC, it says, hey, look, again everything within the VNet is allowed, everything out to the internet is allowed, and this is stateful so the response will be allowed back as well. Everything else is denied. So what the
basic rules basically let you do is to say, hey, anything within the VNet in and out, I can go out to the internet, nothing else can come in to me except the load balancer for probing purposes. And then what I would do is I would add additional rules. So the source again can be IP addresses or this weird service tag thing, I pick the port it's coming from. Destination again could be IP addresses or can go to kind of this VirtualNetwork. That's an inbound rule. If it was an outbound rule, the source can be IP addresses or the virtual network, but now the destination can be a service tag. So I talked about the VirtualNetwork as a service tag already. There's a massive number of them, and think of a service tag as really just representing different Azure services. I talked before that really the Azure services, I can't remember where it was on this board anymore, I think it was when we talked about Microsoft peering, are really just a bunch of public IP addresses that it advertises out to the internet, a huge number of public IP addresses. Well, maybe in my rule I want to allow access just to Storage in South Central US. There is a CSV file I could go and get, but I don't want to have to have a load of IP addresses that update periodically in my network security group rule. So a service tag is basically the IP CIDRs per service, and often it's service-dash-region. So they've created these so in my rule I don't have to say this IP, this IP, this IP, this, for Storage in South Central. Instead what I can very nicely do is, hey, yeah, look, there's service tags for all of the Azure services. Storage, there it is, and I can use this only for outbound because Storage doesn't establish connections into a virtual network, whereas something like Service Fabric, that does in and out, so it tells me which direction that service tag is usable. So in my outbound security rule I could say, hey, I want to allow access to, now it says Internet, everything that is not my VirtualNetwork, which is the known connected IP space. I
could say kind of these standard global things, so I could say, okay, all these services, I could say Storage, or I could say Storage dot just South Central US. So I could pick a very particular one and just allow connectivity to that. It knows it's a custom service, and I can here have a certain port I want to use. If it was a certain type of service within the storage account, maybe SMB, I would pick a certain one. I can pick the protocols. So I create the rules to basically specify the types of connectivity I want. So yes, I can use CIDR ranges, because that would be super useful, the CIDR range, if what I want to do maybe is say, look, subnet 1 is maybe my DMZ, so I'm going to allow in from kind of the internet on 443, but I would block that to all of my others, and that would be the default anyway. Then maybe I'm going to allow these to talk and these to talk by doing the different CIDR ranges in my rules of each of these subnets, but I don't want this to be able to talk. So I could control all of that just by creating these as the NSG rules, and then I would link it to each of those different subnets. So the NSG is all about, hey, I create the rules, realize I have to link it to the subnet for it to take effect, it processes the rules.

Now the other thing I can do is, on this NIC I can actually tag it. So we have these things called application security groups, which is really just a tag, that's all this thing is, and then in my rules, in addition to CIDR and service tags, I can put in a tag. So if I look at the virtual machine, what I can do is, firstly, I can create these application security groups, which are nothing but tags. So I've got one called Quarantine, SQL VM, SQL VM, Web VM. I have two because they are regional; I can only use the app security group in the same region that it is created. Then what I could do on a particular resource, if I go and look at my virtual machines, let's look at my domain controller and look at the networking over here, if I look down here we have this application
security group tab. If I select it, I can configure app security groups from the same region; that's why there's only one Web VM. So I could add that tag to this network interface card for this virtual machine. Then it doesn't matter about the CIDR ranges. Then in my network security groups, instead of having to worry about what IP range it's in, I could absolutely, as part of my rule, save for things like, okay, so for my inbound rule, is that my South Central? Make sure, so make sure it's the same region in here for example. Now I could add a rule, instead of worrying about the CIDR range, I'll say, hey, look, I want to allow my Web VM to be able to talk to my SQL VMs, and I would put in the right port for SQL, was it 1433? I'm not 100% sure, but I can specify that instead. So that doesn't matter where it exists; it's just based on that tagging I'm actually doing on the NIC itself. So application security groups are actually super, super powerful. Then I can think, okay, that's controlling things, so that's fantastic, I really want to make sure I'm doing that.

But now I might think about controlling connectivity, because there's other types of service. Imagine for example I had kind of a storage account, so I had storage account one, and maybe there's a storage account two. Remember these have their own kind of firewalls as part of them as well. Maybe I want to restrict the storage account to only allow this VNet in, but I can't do that, because this is a private IP space; it would be meaningless to that firewall. So what I can actually do is I can create something called a service endpoint. So what service endpoints let me do: I can add a service endpoint for Storage in South Central US. That does really two things. Firstly, it now gives me a better route to all of the storage accounts that are in South Central US, so there's a preferred optimized route. It also now makes subnet three in this VNet, it's gonna be VNet one, a known entity to firewalls that are in the storage accounts of South Central US.
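The NSG evaluation just described (custom rules lowest priority number first, then the built-in VirtualNetwork, AzureLoadBalancer and DenyAll defaults, with service tags and application security groups as selectors), as an added Python model that is not from the video or from Azure itself. The prefixes, the service-tag contents, the ASG names and the rule set are constructed; only 168.63.129.16, the Azure load balancer health-probe source, is a real address.

```python
"""Toy model of how an NSG decides a flow, following the video's description.

Added example, not from the video or from Azure: rules are evaluated lowest
priority number first, the three built-in inbound/outbound defaults sit at
65000/65001/65500, VirtualNetwork means the whole *connected* IP space (the
VNet plus peered VNets and on-prem ranges over VPN/ExpressRoute), a service
tag stands in for a service's published prefixes, and an application security
group (ASG) is just a tag carried by a NIC. All prefixes are constructed except
168.63.129.16, the real Azure load balancer health-probe source.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "known connected IP space": the VNet, a peered VNet, on-prem via VPN.
VIRTUAL_NETWORK = ["10.1.0.0/16", "10.2.0.0/16", "192.168.0.0/16"]
SERVICE_TAGS = {
    "VirtualNetwork": VIRTUAL_NETWORK,
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Storage.SouthCentralUS": ["203.0.113.0/24"],   # constructed stand-in
}

@dataclass
class Rule:
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR/IP, service tag, ASG name, or "*"
    dest: str
    dest_port: str   # "443", "1433" or "*"

# The built-in rules every NSG carries; nothing can be placed after 65500.
DEFAULT_RULES = [
    Rule(65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule(65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule(65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed micro-segmentation: the web tier may reach SQL on 1433 and nothing
# else in the connected space may; only 443 in from the internet; outbound only to
# one storage region, with everything else on the internet blocked.
CUSTOM_RULES = [
    Rule(100, "Inbound", "Allow", "Tcp", "WebVM", "SqlVM", "1433"),
    Rule(110, "Inbound", "Allow", "Tcp", "Internet", "WebVM", "443"),
    Rule(200, "Inbound", "Deny", "*", "VirtualNetwork", "SqlVM", "*"),
    Rule(250, "Outbound", "Allow", "Tcp", "*", "Storage.SouthCentralUS", "443"),
    Rule(300, "Outbound", "Deny", "*", "*", "Internet", "*"),
]

def _in_prefixes(ip, prefixes):
    return any(ip_address(ip) in ip_network(p) for p in prefixes)

def matches_endpoint(selector, ip, nic_asgs):
    """Does an address (plus the ASG tags on its NIC) match a rule selector?"""
    if selector == "*":
        return True
    if selector == "Internet":                 # everything outside the connected space
        return not _in_prefixes(ip, VIRTUAL_NETWORK)
    if selector in SERVICE_TAGS:
        return _in_prefixes(ip, SERVICE_TAGS[selector])
    if "/" in selector or selector.count(".") == 3:   # CIDR or single IP
        return _in_prefixes(ip, [selector])
    return selector in nic_asgs                       # ASG tag on the NIC

def evaluate(direction, proto, src_ip, dst_ip, dst_port, src_asgs=(), dst_asgs=(),
             rules=CUSTOM_RULES):
    """Return (access, priority) of the first rule that matches, lowest priority first.

    Only the destination port is matched here; a real NSG also matches the source
    port, which is almost always '*'. The DenyAll default guarantees a match."""
    ordered = sorted((r for r in rules + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if r.protocol != "*" and r.protocol != proto:
            continue
        if r.dest_port != "*" and r.dest_port != str(dst_port):
            continue
        if matches_endpoint(r.source, src_ip, src_asgs) and matches_endpoint(r.dest, dst_ip, dst_asgs):
            return r.access, r.priority
    raise AssertionError("DenyAll default should always match")
```

Note that an on-premises address reaching a web NIC on 3389 is allowed by the 65000 default alone: the connected space is open until a lower-priority deny says otherwise.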
So for this particular one I could actually now say, hey, yes, I'm going to allow VNet1 subnet 3; that's allowed to pass through. So now this can actually talk to that particular instance, because I allowed it on its firewall. So that's what service endpoints do. So I can go in on a virtual network, I can select the services I want a service endpoint for. It gives me an optimized route, and I'll see that in the effective route table, and I showed you those earlier; you might have noticed there was a whole bunch of IP addresses. Well, those same service tags represent the IP addresses of the service, and it has an optimized route; it knows to use the service endpoint route. And it's now a known entity; I can enable it on the firewall itself to just let that through. So that's making it known.

Maybe though I don't want any public connectivity. Now that service endpoint is only usable from that subnet. I can't go and access that from an ExpressRoute, a site-to-site VPN or anything else. So the other thing I can do is say, hey, I have another, let's say storage account five. I can add something called a private endpoint. A private endpoint is an IP address from the network; it's going to get it from whatever the CIDR range is, that represents that particular instance of that service, in this case storage account five. So now there's no public connectivity to it; I can get to it through this private endpoint. Now it's just an IP address, so any network peered to this VNet, we can use that address. Any site-to-site VPN, ExpressRoute, can now get to this storage account through that private endpoint. Now there's also some special DNS required, and I'll talk about that in a second, but I do have to be able to resolve the name to this private IP instead of all the public ones. It's still going to spit those out there; they just won't be usable. But that's if it's a standard built-in kind of PaaS service in Azure; nearly all of them support private endpoints today. What about if I had my own custom service? So I have some kind of
resource. What I have to do, I have to put them behind a Standard internal load balancer, and then I add the Private Link service in front of that, and then this can have private endpoints that point to that, and I can have multiple private endpoints to different things. This is all flowing in kind of this direction; this is getting me to a service. It's getting me to the storage account, to the SQL, to these things that kind of distribute. So if I wanted to add my own service via private endpoint, I have to have a Standard internal load balancer, I have to add the Private Link service to that, which does the NAT, which means these can actually be in a VNet and they could have overlapping IP space. This actually does the NATing, and then I project a private endpoint into that particular subnet, which again is kind of usable everywhere.

Now the DNS has to work. Now by default it can work with an Azure private DNS, so it will create it for me and link it to the VNet, but what we'll see is there's a whole bunch of new privatelink-dot domains. So we'll see, hey, for, let's see, SQL, instead of just being database.windows.net, now it's privatelink.database.windows.net, and what happens is an alias is now created, so the things in database.windows.net now actually resolve to the privatelink.database.windows.net. I can show you this. So if I open up, so I've got one of these, so if I look at my Private Link quickly, I've actually got a couple, but I created some private endpoints to a storage account. So I've got a blob Private Link resource, a files Private Link resource, a cloud endpoint, etc. So what happens is, ordinarily, if I look at my storage accounts for a second, if I can find Storage, which maybe I've removed from my menu, so just type in storage. I created one with private links, so I've got this private link demo, and what we can see is on this I have a whole bunch of those private endpoints I've added. But what I'm looking for, oh, this is Networking, there's those firewall things I could add if I had
the things, but I've got my private endpoint connections, and you can see I've added two. And normally the name for this service, actually go through, if I look at my endpoints, well, my name would be this: saprivatelink.blob.core.windows.net. I'm kind of looking here. If I actually open up Terminal for a second and if I do an nslookup on that, what we'll see is, because there is a Private Link, let's get rid of the http part, I don't want that, it now actually has an alias over here, and that will actually resolve, if I'm on a VNet that can resolve that DNS record, to the private IP. Now this is just a public one because I'm not on a network that has that DNS, but it would actually resolve to the private IP instead, and then I could get to the service. So that's what's kind of happening. There's a whole set of special DNS happening behind the scenes as well that I actually need to manage. App Service also supports these. When I think about App Service, it's a little bit special just in terms of kind of the zone it's going to use, but once again you're going to see it go ahead and in the DNS we'll see, hey, look, we have a CNAME for privatelink.azurewebsites.net, so we will get that over there.

But if we think about it, remember that the DNS is kind of a key thing, because it has to be able to resolve that. So if I'm very simple, just in the VNet, it will create an Azure private DNS zone, it will create the privatelink.blob.core.windows.net, whatever that is, and it will use it for resolution and I'm good. If I'm trying to use it from on-premises, I either have to create a privatelink.blob.core.windows.net zone up there and add in the IP (never, ever add one for the non-privatelink name, you'll block access to all of the other services, not a good thing), or I could add kind of a DNS resolver, and I go into that in detail elsewhere, but DNS is super important. I have to be able to resolve to the Private Link alias to be able to get to the service.

Now let's talk about App Service for a moment. So App Service, remember,
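Before the App Service part, the DNS chain just described (account name CNAME to its privatelink name, overridden by a VNet-linked private zone) together with the warning about naming the private zone after the public domain, as an added Python model that is not from the video or from Azure. The account name, addresses and zone contents are constructed, and the resolver is a simplification of Azure-provided DNS: a linked private zone is authoritative for names under it, with no fallback to public DNS.

```python
"""Toy resolver showing how a Private Link name resolves inside and outside a VNet.

Added example, not from the video or from Azure. Public DNS (constructed) holds
the CNAME chain the video's nslookup showed: <account>.blob.core.windows.net ->
<account>.privatelink.blob.core.windows.net -> public IP. A VNet-linked Azure
Private DNS zone overrides only the names under its own zone name, and for a
linked zone there is no fallback to public DNS: a name missing from it is
NXDOMAIN. That is why the zone must be privatelink.blob.core.windows.net and
never blob.core.windows.net.
"""
ACCOUNT = "saprivatelink"          # constructed storage account name
PRIVATE_ENDPOINT_IP = "10.1.3.10"  # constructed address from VNet1 subnet 3

PUBLIC_DNS = {
    f"{ACCOUNT}.blob.core.windows.net": ("CNAME", f"{ACCOUNT}.privatelink.blob.core.windows.net"),
    f"{ACCOUNT}.privatelink.blob.core.windows.net": ("A", "52.0.0.1"),   # constructed
    "otheraccount.blob.core.windows.net": ("A", "52.0.0.2"),              # constructed
}

# Private DNS zones linked to the VNet: zone name -> {record label: IP}
CORRECT_PRIVATE_ZONES = {"privatelink.blob.core.windows.net": {ACCOUNT: PRIVATE_ENDPOINT_IP}}
WRONG_PRIVATE_ZONES = {"blob.core.windows.net": {ACCOUNT: PRIVATE_ENDPOINT_IP}}

def resolve(name, private_zones, on_vnet=True, _depth=0):
    """Return the address `name` ends up at, or None for NXDOMAIN."""
    if _depth > 8:
        raise RuntimeError("CNAME loop")
    if on_vnet:
        for zone, records in private_zones.items():
            if name.endswith("." + zone):
                label = name[: -len(zone) - 1]
                return records.get(label)      # authoritative: a miss is NXDOMAIN
    rec = PUBLIC_DNS.get(name)
    if rec is None:
        return None
    rtype, value = rec
    if rtype == "CNAME":
        return resolve(value, private_zones, on_vnet, _depth + 1)
    return value

def check_zone_names(private_zones):
    """Flag any linked private zone that would shadow a whole public service domain."""
    return [z for z in private_zones if not z.startswith("privatelink.")]
```

With the correctly named zone the account resolves to the private endpoint from inside the VNet and to its public address from outside, while every other storage account still resolves; with the wrongly named zone every other account becomes NXDOMAIN.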
I create an Azure App Service plan, and then that can have multiple apps inside it. Now each app can push a private endpoint, so each individual app would have its own private endpoint, but that's all about getting to the app. What about if I want the app to get to things in the virtual network? So there's three options for that. Maybe the superior one is a thing called regional VNet integration. So with regional VNet integration, at the App Service plan, not per app, so you have this regional VNet integration, it basically takes over a subnet and it projects these phantom network interfaces into it, through which it can go and get to things. It has to be in this, the VNet has to be in the same region as the App Service plan, hence regional, but it can then go and get to things on kind of any connected network: peered networks, ExpressRoute. That gives me access to anything. If that is not an option, another model I can do is it can establish a point-to-site VPN connection out to obviously some gateway; that could be in other regions at that point, but it doesn't work with resources like service endpoints or connected over ExpressRoute. It's really just that. I guess there's a third option: there's something called hybrid connections, and that's really using things like Azure Relay that I might use on premises. It establishes an outbound connection to the relay service and now it can get to anything on that network, so I could use that for like on-premises connectivity as well. So these things, the regional VNet integration, the gateway-to-gateway, I think it's called gateway-required integration, or the hybrid connectivity, enable the apps to get out to whatever that is connected to. So it's kind of a key point about that.

Okay, coming up to the end, um, one more really big service. So that's NSGs. The next kind of thing I can think about for locking things down is Azure Firewall. Now I drew a picture of this kind of already, this way, way back. My board's getting so big now it's going to
start crashing, I'm sure. I deploy this into its own subnet, AzureFirewallSubnet. Um, it has to be, I think, a /26 minimum, and I just use user-defined routing to send traffic to it. It could be 0.0.0.0/0 for everything to go via it; I could send particular things. But the whole point is I'm going to use route tables that use user-defined routing to send things to my Azure Firewall. It has public IPs, so it can also get out to the internet; it can SNAT the traffic for me. Um, it's very good at east-west traffic kind of management. It can accept inbound as well; it's not as good as things like App Gateway, but I can do that. So remember the whole point of Azure Firewall then is, yes, I have my virtual network, I'm going to create this AzureFirewallSubnet that only it can use, nothing else can deploy into that, it's going to be this /26 minimum, and into that it's deploying its appliances. So it's creating these multiple appliances, and the primary thing it's going to do initially is there's going to be this internal IP that's kind of balancing between those, and that's the important part, because all the other subnets are going to UDR to route traffic kind of through that. It can be peered as well; I could have another VNet, multiple peered, and it can use that internal IP as its next hop as well. I can do all of those things.

And the key part, what I'm going to do with Azure Firewall, is there's two SKUs. So I can think about there's a Standard SKU and there's a Premium SKU. So the Premium SKU literally just came out; I literally just released an 85 minute deep dive video on this. There's a whole bunch of features, I am not going to go into them, but understand sort of the things it can do. It's built-in HA, availability zone support, all these different types of filtering and monitoring. Premium primarily adds, really I think about it as three key features: I can do TLS inspection; I have this IDPS, intrusion detection and prevention system, so I'm looking for particular types of headers, things
in the header, but it's not really stateful; and I can do URL filtering, so instead of looking just at the fully qualified domain name I can look at the path as well, and I can use that path as part of web categories. Web categories is a Standard feature, but with Premium I add that ability to use the path as part of the category: a news site, a search site, etc., etc. So with Premium I'm really adding that kind of TLS inspection, and watch my 85 minute deep dive if you want to know all about these things, I have the IDPS and URL filtering. So remember URL is fully qualified domain name plus the path and kind of http, etc., etc.

And what I do is, this is really getting, I think, upset at the size of this whiteboard, if this crashes it's not my fault, someone else's fault, what I do is I create a policy. Now there are classic rules that I applied directly; we try and stay away from that now. The Premium can only use policies. So I create a policy, I can link one policy to a particular instance of Azure Firewall, and then I have rules, and there's really three types of rule. There are NAT rules. A NAT rule is all about, hey, I've got this inbound traffic coming in, it's one of those public IPs it has, I want to do DNAT, and I'll show these in a second, but it's basically, hey, coming into this port and this public IP, send it to this backend member. Very, very simple. I can do network rules. So network rules we really think about as layer 4, so, hey, TCP, UDP, it's kind of those five tuples again: source IP, IP groups, which are just groups of IPs I define in Azure, ports. I can obviously use the CIDR ranges, I can use the service tags again, those service tags we use in the NSGs. It's about allowing, disallowing those types. Then there are application rules. So application rules, as you're going to guess, are more about layer 7.
So here I can still control, hey, who it's coming from, who is the source, but now I can control it based on, hey, what's the fully qualified domain name, what's the fully qualified domain name tag. Fully qualified domain name tags are just well-known Microsoft services that they are defining that maybe use different fully qualified domains: Windows Update and Windows Diagnostics. They create those for you. If it's Premium, we can go again, for Premium, based on the URL, and then I can also do it on kind of these web categories, but then once again with Premium I can also include the URL to help distinguish that, whereas the regular Standard is really just that fully qualified domain name. So I have those different things I can actually do. I'll show it to you quickly. So if I jump over to my Azure Firewall, super, super, close all these down again. So my Azure Firewall here, basically I don't configure anything here. This is Premium, so I can't do classic rules; all I can really do is link a policy, one policy, and then in the policy, that's where I can define the DNAT rules, which say, about inbound, say coming from these places, which is our home base, is an IP group, going into this port on this protocol, redirect me to, sorry, when it's going to this public IP on the Azure Firewall over here, so going to this public IP on this protocol, this port, from this IP group, which is a bunch of IPs, I want to send it to this private IP on this port. So it's just sending to some backend member. A network rule, well, hey, again, who it's coming from. So I created an IP group of the IP spaces of my VNets, and in this example I said, hey, from the IP space on 33.89, if it's TCP going to the same group of IPs, allow the traffic. It's a very simple port, protocol, destination allow. And then app rules, these are the richer things. Here I'm saying things like, hey, based on, let's look at one of these, coming from a certain IP range, this is my West Central VNet, I've done a rule based on web categories, and because I've got Premium and I've got TLS
inspection, even if the URL changes, I'm giving it access to these types of sites. This is a continuous, daily updated feed coming in for this. But there are also rules where I could do it based on fully qualified domain name tags, so these are the popular services that Microsoft have defined. I could also do it based on the URL; I can have those as well. And if I looked at the network rules, let's look at one of these quickly, you could see I could also have service tags, those same service tags I could use as well, because that's really a layer 4 type thing; it's okay to have those. And then again TLS inspection, threat intelligence, those looking at all the different signals, there's a massive number of different signatures it's using to kind of leverage those malicious IP addresses, sorry, I'm talking about IDPS, all the signatures, IDPS, all those signatures about detecting, hey, these types of malicious types of things in the header. I can really control and lock those things out. So really powerful capabilities. I've often used it with, I'll still use NSGs for some of that micro-segmentation that I can use, but this kind of layer 7 is extremely powerful, things I cannot do with NSGs.

And then really the final thing is understand the monitoring. Um, there's Network Insights, there's a whole bunch of different things that I can leverage, um, to understand this: connection monitoring, I can have agents deployed and do rules to go and check there. If you go through that learning, it goes through all the different resources. A really powerful one is Network Watcher. So Network Watcher gives me insights into a lot of that traffic, and when I talk about these NSGs, one of the things I can actually turn on is something called NSG flow logs, and I can kind of turn that on, and these go to a storage account, and then optionally I can kind of send it to a Log Analytics workspace, and then if they go there I can do something called Traffic Analytics, and Traffic Analytics gives me this visual kind of view showing me the most
common people talking, hey, malicious traffic, I can see the most, um, or huge amounts of detail through that, but I have to kind of go and turn that on. So I have to have NSGs, and then I can use all of this; it's kind of part of this Network Watcher component. So Network Watcher is very powerful, opens up a huge set of functionality for really getting, the flow log is not the data, but it's, hey, it's from this source to this destination, these flows; it's capturing that data, and then I can do this Traffic Analytics which is part of the Network Watcher. If we go and look at Network Watcher, just to give you a really quick idea of some of the functionality. So I've got my Network Watcher, and here you can see, hey, look, I can look at the topology, I've got connection monitoring where I have those agents, I can see is the connectivity working, is it failing, I can validate things like IP flow, NSG diagnostics, work out what is the next hop, what are the effective security rules. And I kind of showed you the effective routing; you can look at the effective security rules, I can see that on the NIC as well. I can capture packets; I can turn this on on a per-VM basis if I'm doing like some deep troubleshooting. I can turn on the NSG flow logs to actually go and capture those, and then from that, once I've got those, I can do Traffic Analytics that then gives me this fantastic kind of visual view of, hey, these are the most common things talking, I can do it from a map. I have things like Network Insights, see load balancers, there's just a massive number of things. Go and look at these, understand kind of the key things you might use to troubleshoot, but super, super powerful. Um, just so much to cover, but this is kind of where we are. I don't think I can just zoom out anymore, I think I'm going to, there you go. So there we go, we fit it all on the board. So this is what we covered, um, obviously a huge amount of stuff, that's done that weird browser thing, there we go. Um, I hope this was useful. Go through the docs, see the learning,
again, my playlist, I go through really all of these things in detail. Now there might be, I don't know how many hours of content is there, maybe that would be eight hours of your life, um, but I think it will help you. But this was kind of the summary. Maybe watch this before you start learning to put everything in a picture, then you might link it together as you go deeper dive. I would definitely watch it, I don't know how long I've been recording for, three hours now, my voice says three hours, uh, or watch it just before to cram some last minute knowledge in. But super good luck. Don't worry if you don't pass; everyone fails things sometimes. It'll tell you at the end where you did kind of weaker, go and redouble your efforts and you'll definitely pass next time. I believe in you. But, uh, please, please, uh, this was so much work, I really would appreciate if you would subscribe, definitely like, and, uh, until next time, take care.
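The NSG flow logs described in the Network Watcher section above, as an added Python example that is not from the video or from Azure: it flattens constructed records in the shape of version 2 flow tuples (time, source, destination, ports, protocol, direction, decision, flow state, counters) into the kind of view Traffic Analytics gives, who talked to whom, which rule decided, and bytes per port. The resource ID, addresses and counters are constructed.

```python
"""Summarise NSG flow log (version 2) records into a top-talkers view.

Added example, not from the video or from Azure. SAMPLE_RECORDS is constructed
in the shape Network Watcher writes to the storage account; each flow tuple is:
  time,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D),
  flowState(B/C/E),packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
Only flow metadata is recorded (source, destination, rule, decision,
counters), never packet payload.
"""
from collections import Counter, defaultdict

SAMPLE_RECORDS = {"records": [{
    "time": "2021-08-01T10:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<placeholder>/.../NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001",
            "flowTuples": [
                "1627812000,198.51.100.7,10.1.1.4,51234,22,T,I,D,B,,,,",
                "1627812001,198.51.100.7,10.1.1.4,51235,3389,T,I,D,B,,,,",
                "1627812002,198.51.100.9,10.1.1.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_Allow-HTTPS-In", "flows": [{"mac": "000D3A000001",
            "flowTuples": [
                "1627812003,203.0.113.5,10.1.1.4,44321,443,T,I,A,B,,,,",
                "1627812063,203.0.113.5,10.1.1.4,44321,443,T,I,A,E,12,3100,10,52000"]}]},
        {"rule": "UserRule_Allow-Web-To-Sql", "flows": [{"mac": "000D3A000001",
            "flowTuples": [
                "1627812004,10.1.1.4,10.1.2.4,50001,1433,T,O,A,E,30,4200,28,9800"]}]},
    ]}}]}

FIELDS = ["time", "src", "dst", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"]

def parse_flows(records):
    """Flatten the nested record/rule/NIC structure into one dict per flow tuple."""
    flows = []
    for rec in records["records"]:
        for rule in rec["properties"]["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    f = dict(zip(FIELDS, tup.split(",")))
                    f["rule"], f["mac"] = rule["rule"], nic["mac"]
                    # counters are only present on C/E tuples; treat blanks as 0
                    for k in ("pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"):
                        f[k] = int(f[k] or 0)
                    flows.append(f)
    return flows

def summarize(records):
    """The views a defender looks at first: who is being denied inbound, which
    ports they probe, how many bytes each allowed destination port moved, and
    which rule made each decision."""
    flows = parse_flows(records)
    denied_in = Counter(f["src"] for f in flows
                        if f["direction"] == "I" and f["decision"] == "D")
    denied_ports = Counter(f["dst_port"] for f in flows if f["decision"] == "D")
    bytes_by_port = defaultdict(int)
    for f in flows:
        if f["decision"] == "A":
            bytes_by_port[f["dst_port"]] += f["bytes_s2d"] + f["bytes_d2s"]
    return {"denied_inbound_by_source": dict(denied_in),
            "denied_dst_ports": dict(denied_ports),
            "allowed_bytes_by_dst_port": dict(bytes_by_port),
            "flows_by_rule": dict(Counter(f["rule"] for f in flows))}
```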
Info
Channel: John Savill's Technical Training
Views: 29,842
Rating: 4.9887853 out of 5
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, az 700, az-700, azure networking, network security groups, virtual networks, azure firewall, expressroute, s2s VPN, network security, certification
Id: nVZYDhB_M64
Length: 171min 59sec (10319 seconds)
Published: Tue Aug 03 2021