AzureTalk: Azure Networking Part 2

Captions
So in the last session I discussed VNet, the subnets inside it, IP addresses and NSGs, and in today's session we are going to talk about on-premises network connectivity models, or how to connect the VNet, the virtual network that you design in Azure, into your on-prem network. Before I get straight into today's session, what I wanted to do is show you the registration, how you can register yourself for these sessions, because a lot of people in the past have asked how do I register, how do I get the meeting invite. It's very easy. Since you already registered, that's why you're in the meeting session, but if any of your friends and colleagues want to be part of this AzureTalk session, please ask them to register on cloud easy dot com; they can go there and register on this forum, and once they register they will get included in the AzureTalk subscriber list and will receive constant updates on AzureTalk.

With that, let's get back to the presentation. As I said, in the past session I talked about what a VNet is; people who joined the last session would know I talked about the subnet and how to subnet it. We also talked about the CIDR block, the notation that we use for dividing our IPs and network. We also talked about the different kinds of IP addresses that you have in Azure, like public IP and private IP. We also talked about the network security group, which provides security to your endpoints in Azure. And today we are going to talk about a key component: we have a VNet in Azure, so how do I connect it to on-prem, or have connectivity to other networks, other VNets, inside Azure. So in your Azure networking, your VNet is the building block; this is the block, this is
the unit that you will host all your resources in. Anything and everything that you provision will ultimately belong to a virtual network, whether it is an infrastructure service, a VM, any resource that you create. So before you even plan your subscription, before you plan your usage, you'll have to plan your network, and that networking does include the VNet, does include the subnet planning, does include deciding your CIDR block, and it also includes how you would allocate your IP addresses. Having stated that, once you have finalized how your virtual network is going to look, the next point is how do I enable the hybrid connectivity, meaning I have some resources in the VNet which is sitting in Azure, and then how do I... all right, so the next point is that now you have a VNet just sitting in Azure, and how do I bring that in, or probably how do I establish connectivity between my on-prem infrastructure that we have sitting on-prem and this infrastructure that we have built in Azure. There are various ways that you can connect your on-premises resources or on-premises network into Azure, or rather extend your on-premises network into Azure and vice versa. How could you do that? There are various ways to achieve that hybrid connectivity model. Microsoft Azure gives you multiple options by which you can connect your virtual network from Azure into your on-prem network, so that way you will have communication going back and forth between your servers sitting on-prem and your servers sitting in Azure. So now you can have your local infrastructure, like domain controllers, you can have your Exchange server, SMTP server sitting on-prem, you can have your database server sitting on-prem, whereas you have your VMs sitting in Azure which
need to authenticate to your domain controllers. You could have a web application which needs access to the database server; that web application could be hosted in Azure running an IIS server, and now that needs to reach back to your on-prem. There are various ways to achieve that, and some of the options we will talk about today. Basically you can divide it into two categories. One is that you are connecting your VNet to on-premises, so you have a VNet in Azure and you want to get into on-prem. The three options, or rather four options, that you get: you have the VPN connectivity models. In this VPN connectivity model you can use your VPN device, if you have any VPN device on-prem, and if you want to set up connectivity between your on-prem and your VNet, you can use a VPN, which is a Virtual Private Network IPsec tunneling model. There are three modes; we'll talk more about this in the next slide. We have point-to-site VPN, which is for dev/test or for small developer workstations that want to connect to the VNet; they can utilize point-to-site VPN. Site-to-site VPN is for enterprise-level customers who want to have connectivity between the VNet and their on-prem VPN device, so they can go with site-to-site VPN. Then you also have multi-site VPN, wherein you have a VNet in Azure and that VNet needs to connect to multiple branch offices on-prem. So you could have a branch office in one geography, you can have one in America, you can have one in Europe, you can have one in Singapore, and all these three locations need to connect to your one VNet in Azure, so you can configure multi-site VPN. One VPN gateway does support multiple VPN tunnels, so that is also one of the options that you have on the card which you can make use of. Additionally, as you know, VPN makes use of Internet infrastructure,
so all your traffic goes over the Internet in encrypted format, so you may have a bandwidth constraint depending on what kind of Internet pipe you have, and you will run into issues because the VPN gateway also has its own limitations in terms of the maximum it can support. As of today Microsoft has released new SKUs of VPN gateway which can support up to 1 to 1.25 Gbps, which is sufficient for some good organizations, like a small or maybe medium organization, but in a fairly large organization where you're expecting a large volume of data transiting from Azure, from your VNet, into on-prem, in that case probably the VPN model will not work. One reason obviously is the bandwidth restriction that you have. The second is obviously the security reason: some of the customers are not really comfortable transiting the traffic over the Internet, right? Any traffic in VPN goes over the Internet; it's encrypted traffic, but still some of the organizations don't want to put the traffic onto the Internet. So for them, what is the connectivity model, what option do they have? They have ExpressRoute. ExpressRoute is a dedicated pipe that you get from your ExpressRoute providers, or another network connectivity provider that is out there who can give you a dedicated link. So basically you get a dedicated link from Azure to your on-prem, and there are three different models which ExpressRoute also offers, but in today's talk we will not cover ExpressRoute; maybe in a subsequent AzureTalk we'll discuss what ExpressRoute is. But just to know the difference: the VPN is transiting traffic over the Internet in encrypted format, it uses IPsec tunnels, and the maximum bandwidth that you can get in a VPN is 1.25 gig with the latest SKUs. If you use ExpressRoute,
the maximum bandwidth you can get is up to 10 Gbps, and this is a dedicated circuit for you; it doesn't transit over the Internet. Your ExpressRoute provider, and there are many providers which provide that connectivity, will bring a line from their exchange into your on-prem, and their exchange is connected to the Microsoft edge router, and that's where the connection, the meeting point, is. So you will have a dedicated link, and you always have the capability to start small and increment: you can have a 1 Gbps pipe, and if you want to increment you can increment to 5 Gbps, so that flexibility you have, as opposed to VPN, where you are restricted to 1.25 gig. So these are the two methods by which you can connect from VNet to on-prem. Now there is a third possibility, which happens, let's say, if I have two VNets and I want to connect those two VNets into one network. In that case you will look into VNet-to-VNet configuration. So let's say you have only cloud resources, you don't have any hybrid connectivity model, but you have one VNet in one Azure region and another VNet in another Azure region, and you have resources which need to be shared between these two VNets. You can use site-to-site VPN; it's the same configuration that you will do for on-prem, there is nothing special about it. You will need the VPN gateways on both VNets and then you'll configure your site-to-site VPN; that's a possibility. The second option, which Microsoft has recently released, maybe six months back, is called VNet peering. If your VNets are in the same Azure region, not in two separate Azure regions, you can use VNet peering. VNet peering doesn't require any kind of VPN devices; it utilizes the Microsoft backbone to transit your traffic, so that works for you and it gives
you a very high throughput because it's just on the Microsoft backbone; it gives you speed up to 25 Gbps. Now that will depend on what kind of VM you have to leverage that, because most of the VMs cannot even hit 1 Gbps of network bandwidth, so you have to look at what kind of VM you have, but theoretically Microsoft is offering 25 gigabits per second on VNet peering. But the caveat is the VNets have to be in the same Azure region, and also the VNets should belong to the same subscription, or you can also peer across subscriptions, that's also a possibility, but both subscriptions need to be associated with a single Azure AD tenant. If you have two subscriptions and both subscriptions are controlled through different Azure ADs, you cannot perform the VNet peering even if those VNets are in the same Azure region. So that is the possibility: you can peer across subscriptions only and only if your subscription A and subscription B are both associated with the same Azure AD. In case you have VNets which are not in the same Azure region, you cannot use VNet peering, so in that case you can utilize site-to-site VPN for connecting these two VNets. In today's demo we will see that; we will configure the VNet-to-VNet configuration. Obviously I cannot do a site-to-site VPN with on-prem because I don't have a VPN device on-prem, but for simplicity's sake you would assume that one VNet is your on-prem and another VNet is your Azure; there is no difference in terms of configuration, it's almost the same. But I will walk through the on-prem configuration, a dummy walkthrough, and we will see what options we get when we try to configure site-to-site VPN, but today's demo will be primarily focused on VNet-to-VNet VPN configuration. So moving on to the next slide. We talked about these three connectivity models. Site-to-site is where you have a VNet in Azure and you
want to connect it to on-prem, so you will set up a VPN gateway in your Azure VNet, and that VPN gateway will establish an IPsec tunnel using site-to-site VPN, and you will have your on-prem VPN device sitting over here, which will communicate with your VPN gateway in Azure. So this is the site-to-site configuration: in site-to-site VPN you are connecting one Azure site, or one Azure VNet, to your on-prem site, so it's one-to-one, and that's why it's called site-to-site. The second option is, as I talked about, multi-site. Multi-site is when you have one Azure VNet that needs to be connected to your branch office one and then another one, branch office two. In this case the same VNet needs to be accessible from both of your on-premises sites, from site one and site two; in that case you will set up a multi-site VPN. Now for that multi-site VPN you don't have to set up multiple gateways, and by the way, you can have only one gateway in one VNet; you can't have more than one gateway in one VNet. So essentially, when you enable the multi-site VPN gateway you will end up sharing your bandwidth. Let's say you have used the 1.25 gig SKU; in that case your 1.25 gig will be shared between these two connections, right? So it will not be dedicated, you will be sharing your bandwidth between these two, and if you have a third site also, then in that case too you will be sharing that. Another key point to keep in mind is that when you configure multi-site you will have to use the route-based VPN type. Microsoft gives you two kinds of VPN devices: one is called route-based, one is called policy-based, and when you do multi-site you cannot use policy-based, you will have to use route-based VPN, then it's going to work. Now the difference between these two is that route-based purely works on the routing table and on the IPs, whereas the policy-
based is based on the policy, the configuration or the rules that you define. But in case you are trying to make use of multi-site you will use route-based, and most of the time, all the time basically, the configuration that we will do is route-based. Route-based is also called dynamic routing in classic, and policy-based is called static routing; the names have now been changed, so dynamic routing is now called route-based VPN devices. The third option that we talked about, or that we did touch upon briefly in the previous slide, is point-to-site. Point-to-site connectivity allows your developers, and this is purely for a dev environment, so if you have any user who has set up a dev/test lab in Azure and they want to perform some kind of testing and connectivity from their VM or from their laptop, in that case they can use the VPN gateway point-to-site. Now in the case of point-to-site, what you will do is you obviously will have to set up a VPN gateway in the Azure VNet, and then all your individual clients, let's say you have developer one here, developer two here and developer three here, they can download a small VPN client, and that small VPN client gets downloaded onto their devices. It could be a laptop, or if you have a server and that server only needs to talk to your resources inside your VNet in Azure, you can also install that VPN client on that server. This VPN client is called point-to-site, so basically you don't need a VPN device at the user's end, whereas in the case of site-to-site or multi-site you will need VPN devices on-prem, you need them at both locations. But if you are in a dev/test environment and you want to provide that connectivity to your developers, you can use point-to-site VPN, and point-to-site VPN is
nothing but a VPN gateway, a server VPN gateway, sitting in Azure, and then you download a small package, which Microsoft lets you download, and you can install it on your respective laptop or desktop, or if you have any server which just needs a connection to your VNet you can do that. So that's called point-to-site. Finally, as I said, you have VNet-to-VNet configuration. VNet-to-VNet configuration is the same model as if you have connected a VNet to an on-prem site location; the same thing. The difference here is that when you have two VNets, instead of using your on-prem VPN gateway or VPN gateway router you will utilize Azure VPN gateways on both sides, so there's no difference, essentially it's almost the same, all the configuration steps are the same. So that is to achieve a configuration between two VNets: if you need to set up connectivity between VNet 1 and VNet 2, you can utilize VNet-to-VNet configuration. I also talked about VNet peering. VNet peering, as of now, lets you connect two virtual networks in the same region, so there's a key component: it has to be in the same region; if it's across multiple regions you cannot peer it. And it doesn't require a VPN gateway. When you set up a VPN gateway you pay, depending on what SKU you select, charges for that SKU, plus you also pay for the traffic if that traffic is exiting out of the region; if it is within the region you don't pay for any traffic. However, in the case of VNet peering you don't require a VPN gateway, so that means you don't pay any fee or any pricing for the gateway; there is no pricing for the gateway, so you don't pay any rent or pricing for your gateway. But Microsoft does charge you for egress and ingress traffic, so in the case of VNet peering, though it is in the same region, you will still be charged one cent per
GB of egress and ingress. So if you have two VNets which are connected using virtual network peering, you will incur 2 cents per GB: one cent at the egress point and one cent at the ingress point, so effectively it will be 2 cents per GB for this VNet peering.

So this virtual network should be on the same subscription, right, not on different subscriptions?

Now, it can be in different subscriptions if both subscriptions are associated with a single Azure AD. The key is the same Azure AD tenant. So let's say your company has one Azure AD tenant and you have provisioned hundreds of subscriptions; you can peer those VNets as long as they are controlled by a single Azure AD.

Okay, like enterprise-level will have multiple subscriptions, and we can do VNet peering for those to connect networks or servers or something?

Correct. In the case of an enterprise, most of the time they will have a single Azure AD tenant and they will spin up all the subscriptions; yes, you can do that. But if you have two enterprises, enterprise A and enterprise B, and their VNets are in the same region, they cannot peer, because both are using separate Azure AD tenants.

Yeah, and if it is in a separate Azure AD then we can connect through VNet-to-VNet, right?

Yes, correct, you can use the VPN gateway.

Okay, so are you using site-to-site VPN today, I mean demonstrating it in a lab?

Yes, we will do that site-to-site VPN, and it will take 45 minutes, so what I have done is I have already preconfigured three or four VPN devices to cut short on that time, and we will do that demo.

To deploy a VPN gateway takes almost forty-five minutes, correct?

Yeah, forty-five minutes, yeah. So before we started this session, one hour before, I prepped the environment, so we have everything.

I mean we don't have any on-premises, right? How are we doing it?

So we will
today use one of the VNets to play the role of on-prem, so we will assume that one of the VNets is on-prem. The difference is that on-prem you will have your own physical VPN router or physical VPN device, but in our case we are really using a VNet as our on-prem, so our router or our VPN is the VPN gateway device from Microsoft Azure in the VNet. Okay, all right, so moving on to the next: what are we going to do today and what will we create. We have created two virtual networks and we will set up a VPN gateway in both. So first we will have to configure the VNets; we will add our address spaces and the subnets, which you can do through the portal, but in my case I am doing it through the script, which we have already done, but I will show you that. We will also create a gateway subnet, because the gateway subnet is where your gateway goes when you set up the configuration. Then the next step is you will create your virtual network gateway, or VPN device basically, in those respective VNets. So you have this VNet and this VNet here; we will configure these two VPN gateways, which take 45 minutes, but in my case I have already pushed them, and I will walk you through what all the steps are in the console for creating the VPN gateway. Then finally we will configure the VPN connection once these VPN gateways are provisioned, and finally we will verify that the VNets are connected. Having done all that, we will move on to VNet peering, where we will set up the peering between two VNets, and we will also show how we can use the remote gateway to transit the traffic. Remote gateway is also called transiting, so you can have your VNet 1 peered to VNet 2, and VNet 2 can have a VPN gateway which is connected to on-prem, so your VNet 1 can make use of the VPN gateway in VNet 2 to go to on-prem. That is called transiting gateway,
or remote gateway basically, in the case of VNet peering. So let's get into the demo straight away. What I have done is I have already pre-configured my resource group; I have this AzureTalk RG, and under that I have created four VNets: VNet 1, 2 and 3, and VNet 4 as well. I have also configured my VPN gateways; you see AzureTalk VPN1, VPN2 and VPN3, these three gateways that I have configured in three different VNets, so all this is under VNet 1, VNet 2 and VNet 3, but VNet 4 doesn't have any gateway. So what we will do in the demo is use VNet 4 to connect to VNet 1, and we'll also show you how it can transit using peering and then how it can use the remote gateway. But before I go into further discussion, let's go ahead and create a VNet, and inside it a resource group. I've used this script; let me just expand it. I think this is the same script which I have used in the past; the only change that I have made since the last session is that now I have added a database subnet. So basically what this is doing is it's not only provisioning the front-end subnet but also the back-end, and also including the gateway subnet. So let's quickly go through it. Here I'm defining my resource group name; I'll have to change it to RG 2 because I already have RG 1. The first line lets you log into your Azure subscription, then the second line selects which subscription you should be using, so that's my cloud easy subscription, because I have multiple subscriptions. This is where I'm defining my resource group name; this line creates a new resource group, and I'm calling New-AzureRmResourceGroup, so this will create a new resource group for me. When that resource group is created, this is where I am creating a VNet under this
resource group, which is stored in this variable, and I am giving it this name, VNet 1; so basically one, two, three, and in fact I also have the fourth one, which is listed here. So this is your name, this is your address prefix, what is going to be the address CIDR block of this, and once that is done I specify my location where I want to create it. Then the next one is that I'm adding my subnets here, which is Add-AzureRmVirtualNetworkSubnetConfig: front-end, back-end and GatewaySubnet. For the front-end I have used a CIDR block of /26 so that I can get 64 addresses; that gives you 64 minus 5, which is 59 addresses for the front-end and the back-end, and then for the GatewaySubnet I'm using /28 over here. Once this is done, finally I am going ahead and updating that on the Azure portal using Set-AzureRmVirtualNetwork, and this is a repeat: you will see I have VNet 2, VNet 3 and VNet 4. So let's quickly go ahead and run this script. I already logged in, so I will not really try to log in to my subscription; maybe I can start from the subscription selection, and this will create another AzureTalk RG, and I will have four VNets. The first IP block is 191 61.0, the second one's 2.0, the third one is 3.0 and the fourth one is 4.0. So let's go ahead and execute it; I will start from here, the subscription selection, so this will create another resource group for me. On my portal, if I come here, right now you only see AzureTalk RG and RG 1, so it should now give me another one. You can see now it got created, RG 2, and in the background it provisions: it has provisioned VNet 1, it should provision another one, VNet 2, and then finally VNet 3 and VNet 4. So while it is running in the background, what I will show you is: let's head over to AzureTalk RG 1, which is the one that I have created, and how do you create a VPN gateway, right? That's really the beginning point. So the first thing is, once you have created a VNet, then you
go ahead and assign your address space. Obviously in our case we are doing it through PowerShell, but you can also do it through the GUI, so you can create a VNet and then come over to Address space, and this is where you can add multiple address spaces if you wish to. For subnets you can come over here and create your subnets. I already have this pre-created, but you can also do it through the GUI, so I will not go through it; basically I don't have to show you this through the GUI, you can do it through the graphical user interface, but I will restrict myself to the automated provisioning. So let's assume that you have your resource group, you have your VNets and you have your subnets, and then you also have a gateway subnet, right? I talked about that: you need to have a gateway subnet, that's where your VPN device or VPN gateway should be provisioned. So assuming that you have completed those tasks, and hopefully this is VNet 2, what would be the next step? The next step would be to create a VPN gateway. You'll click on plus and then come to Networking, and under Networking you will see something called Virtual network gateway. Now once you click on this it asks for the details, like the name, so you can give any name that you want; I can say AzureTalk VPN1 device, this is the name of this VPN. Now this is the key thing, right? If you are creating a site-to-site VPN your gateway type should be VPN, but if you are using ExpressRoute you should select ExpressRoute, because ExpressRoute has a higher bandwidth requirement and that gateway will be provisioned separately for you, as opposed to this. But since we will be using site-to-site VPN we will use the VPN gateway; in that case we are not going to select ExpressRoute, but if you had any ExpressRoute configuration that you really want to do, you can do it. The next one is what I
talked about, route-based versus policy-based. By default almost all the activity that we do is based on route-based, which is dynamic routing, as opposed to policy-based, which is static routing, in which you need to configure, but most of the use cases are route-based, so I will leave it as route-based. And this is where you define your SKU. The SKU gives you different performance: these are the new SKUs, VpnGw1, 2 and 3. VpnGw3 will give you performance up to 1.25 Gbps, VpnGw2 1 Gbps and VpnGw1 500 Mbps, if I am not mistaken. And these ones that you see, Basic, Standard and HighPerformance, these are the old ones; if you really want to make use of them you can do it, but keep in mind that if you select the Basic one, you can switch from Basic to Standard or HighPerformance but certainly not to VpnGw1, 2, 3, whereas if you select VpnGw1 you can switch back and forth between VpnGw1, 2 and 3. In fact I can show you the different SKUs that Microsoft has to offer and what bandwidth you get. Let's say you select VpnGw1: you can have site-to-site or VNet-to-VNet tunnels, a maximum of 30, so you cannot connect more than 30 to one VNet, you will have only this 30 maximum; point-to-site supports a maximum of 128; and as I said it's 500 Mbps aggregate throughput, so if you have 30 it will get divided, they will always share this 500 Mbps. If you're using SKU VpnGw2 it will give you up to 1 Gbps, same limitation, 30 maximum you can connect to your site-to-site or VNet-to-VNet; same in the case of VpnGw3, which is 1.25 Gbps. If you are using Basic then you get 100 Mbps. I have configured all my VPN gateways using Basic because I don't have that much Azure credit in my cap, so I'm using Basic. So let's come back to this; we'll select
Basic here, and this is where you specify your virtual network, where you will provision this, so this is the virtual network you want this gateway to be connected to. In my case I can select VNet 1 in RG 2, which I have created, so I can say okay, let's go ahead and provision it there. And then every VPN requires a public IP; that's where you communicate with each other, without that it's not going to work. Now how do you assign that? You will come to Choose a public IP and you say Create new, and then you specify the name; this is my PIP for AzureTalk, and I say okay. Once that is done you specify the subscription and the location; leave the location as is, and you just go ahead and create it. Once you create it, it will start provisioning. I can go ahead and do it for you, but it will take four to five minutes, you can say; it says it takes 45 minutes, right, up to 45 minutes, but anyway I will let it run in the background and I will move back to my resource group, where I have already pre-provisioned. So let's come to my resource group, and we will utilize the AzureTalk RG resource group; that's where I have these VNets and these VPNs. You can see I have VPN1, VPN2 and VPN3, and I have four VNets, so VNet 1 has the VPN1 device, VNet 2 has the VPN2 device, VNet 3 has the VPN3 device, and this one is without any VPN device at all, so probably we will use this for VNet peering. Right now what I will do is create connectivity between VNet 1 and VNet 2 using site-to-site VPN. For that you will have to go into the properties of your VPN gateway, so I will come to my first VPN, which belongs to my first network, and I come into Connections. So here, in terms of connections, if you come here you will say that I want to add a connection, because I want to establish connectivity between my VNet 1 and VNet
2, right. So I need this VNet-to-VNet, or site-to-site, whatever you call it, between these VNets, so I will do that. Basically I will add a connection, and this connection has to be added from both sides: on the VPN gateway for VNet 1 you perform this task and you add VNet 2, then similarly you have to go on to the VNet 2 VPN gateway and perform the same task for the VNet 1 connection. Right now I'm on VNet 1, so I will go ahead and say Add, and here I can specify the name, AT VNet 1 - VNet 2, so this is between my VNet 1 and VNet 2. This is where you specify what kind of connection type it is. In my case it is VNet-to-VNet, which I have selected, but I want to show you what happens when you select site-to-site IPsec. When you select site-to-site IPsec it will ask you for your virtual network gateway; in this case it has automatically been picked up because I have that gateway provisioned in my current VNet. Then it will ask you to choose the local network gateway. The local network gateway that it is talking about is your remote, basically your on-prem, gateway, so you have to specify its IP as the local network gateway here. In my case I don't have anything, but if you had it you would go ahead and create a new one: you specify the name and the IP address (this is the public IP address of your VPN device which is sitting on-prem) and you can add that, plus you can also specify the address space of your branch office.

Another key thing to keep in mind is that you can't have overlapping IP address spaces between two VNets or between your VNet and on-prem, so you have to be very careful when you're designing your network to have non-overlapping IP addressing; otherwise your VPN will not work. If there is a conflict, an overlapping IP address space, it will not work at all. OK, so
since I don't have a local network gateway, I don't have any on-prem gateway, hence I will not proceed with this; I just wanted to show you. Basically, if you were doing it in the real world and you were trying to connect your VNet to an on-prem gateway, you would perform this task and specify the name of your on-prem gateway and its public IP. But I will just skip this and change my connection type from site-to-site, which is for on-prem, to VNet-to-VNet. The moment I select that, instead of a local network gateway it is now asking me to choose the other virtual network gateway that I want to connect to. Since this is the same subscription, sure, I can select that; but if it is across a different subscription, in that case you will have to use a PowerShell script and there are additional steps involved. If you want to do site-to-site between two VNets across subscriptions, which is for two different organizations, it has to be done through PowerShell, plus some additional steps are required that we need to perform. But in my case both the VNets are in the same subscription, so I will use the normal option. Here it says, what is the virtual network gateway? I only have one virtual network gateway here. Then it says, choose another virtual network gateway; I will select my AzureTalk RG VNet 2, where I have this AzureTalk VPN 2 device. I will select that, and then this is where you specify your shared key. This is the same shared key which you will have to input on the other side also, when we perform the same task on VNet 2, so this is the same shared key that you need to specify. So let's go ahead and put in the shared key and say OK; then this is the same resource group, so I will leave everything in the same resource group and I say OK. This is going to go ahead and create a connection for me between VNet 1 and VNet 2, and it will take some time. Let it
provision. You can see now that this one is provisioned and the status is saying Updating, because I have not configured any connection on the other side yet. So what I will do is perform the same steps on my VNet 2; you can see the status started saying Unknown. So let's go to VNet 2. It says Succeeded because it has provisioned, but it doesn't say Connected. I will come to my VPN gateway, which is in my second VNet, and perform the same steps that I have done. Let's go to Connections, and this is where you can see the connection which has to be authorized. If you look at it, it says the peer is my AzureTalk VPN 1; it says Succeeded, but there is no data. Now I will do the same stuff here: I will set the name as AT VNet 2 - VNet 1, I specify this as from AzureTalk, it's again VNet-to-VNet, my first gateway is VPN 2, and the shared key was ABC1234, the same shared key that we had. This will now create the connection and we will see that both should get provisioned; it says deployment in progress. Now you can see this should succeed; it will take some time before it updates itself.

While it is getting provisioned, I want to show you there is something called point-to-site configuration. We talked about point-to-site configuration, and this is where you can specify your point-to-site settings; you have to include your root certificate, basically the certificate which is used for the point-to-site configuration, and you can also download the VPN client. It's not highlighted because I have not uploaded the certificate. Once I upload this certificate, then
I can download the VPN client from here, which can get installed on Windows or whatever OS is available. But for point-to-site you need to upload a certificate; you can use a self-signed certificate if it's a development environment. So let's come back to Connections. It is connecting and this one is Unknown; it has not succeeded yet. The key point is that when you configure this you have to use a pre-shared key, and both pre-shared keys have to be the same, because that's what is used by the VPNs to authenticate to each other and connect with one another. That's how you do it between the two VNets. Before I go further into it, does anybody have any question? No questions, OK.

So right now you saw that we have configured VNet 1 and VNet 2 to be connected to each other through a VPN gateway, using a site-to-site VPN or VNet-to-VNet, basically. Now what we will do is configure peering between VNet 4 and VNet 1. We have VNet 4, which does not have any VPN gateway, and that will be peered to VNet 1; VNet 1 and VNet 4 are both in the same Azure region. So let's come back to our VNet 1. If I come here into Peerings, I don't have a peering at this point of time, so I will have to add one. I go ahead and add one and give it a name, so it will be VNet 1 to VNet 4 peering, and you specify the virtual network that you want to peer to, so basically I will specify my VNet 4, which is AzureTalk RG VNet 4. So my VNet 1 will be peered to VNet 4, and I have to perform the same steps on VNet 4 as well; on both sides you have to perform the same task, and then it will show the status Connected. Now this is where, in the configuration, I talked about allow gateway transit. If you have this
option, basically what will happen is VNet 4 can send traffic and use the gateway provisioned in this VNet, so this VNet will act as a transit hub for your peered VNet. VNet 4 will send traffic to VNet 1 over this peering, and then if VNet 1 is connected to on-prem using a VPN gateway or an ExpressRoute gateway, and if you allow gateway transit, the traffic from VNet 4 will come into VNet 1 and can transit to your on-prem. This is a key component when you are designing a hub-and-spoke model. In a hub-and-spoke model, what do we do? Let's see: you have a hub, which is sitting in Azure, and then you have spokes, S1 and S2; all these are connected to the hub, and this is sitting in the Azure cloud. Then you have your on-prem, and between the hub and on-prem you will have a site-to-site VPN or anything that you wish; it could be ExpressRoute also, it doesn't matter. If you configure these peerings, and you configure your VPN gateway over here in the hub, and you configure the setting to allow use of your gateway for the peered VNets, in that case spoke 1 will send the traffic to the hub and from there it will transit into on-prem using your transit gateway. So anytime you're building a hub-and-spoke model and you're working at a very large scale, VNet peering and the transit gateway should be utilized to make sure that traffic from your spoke can reach into your on-prem. OK, so that's the setting I was demonstrating, so I will go back and do that. Does anybody have any question on VPN, VNet peering and transit gateway and how it works?

Audience: Just to confirm what I understood: I had a gateway, and it is connected to the gateway of the
on-prem, correct? And I have another VNet, and it is not having any gateway; by peering it and using that, it is able to connect to on-prem, correct? So that is what we have achieved, correct? So that is the objective of using a peering, basically: rather than giving every VNet its own gateway and connecting it to on-prem, we are going with this model.

Speaker: Yeah, so you have two options, right. Obviously one is you can use it for transiting your traffic: from the spoke it can come to the hub, and from the hub it goes to your on-prem. The second option is, let's say you didn't have any on-prem in scope at all and you had these VNets in the same Azure region; you don't want to set up a VPN gateway, because why would you do that? You would be charged for your VPN gateway, whereas Microsoft has given you VNet peering, which gives you 25 Gbps of theoretical speed as opposed to a VPN gateway, which restricts you to 1.25 Gbps, and that too you pay a price for. With VNet peering there are no VPN gateways involved; it's only the traffic charges you pay, two cents per GB, one cent on one side and one cent on the other side.

Audience: So peering, or data transfer, is it only possible in the same region?

Speaker: Peering is only possible within the same region; if you have VNets in different regions you cannot do peering.

Audience: Still, the charges for data transfer, they are applicable?

Speaker: Yes, it is, it is applicable. OK, thank you. Does anybody else have any question? All right, so coming back to this. Right now, since I'm on VNet 1, which has a VPN gateway, I'm assuming that the VPN gateway is, let's say, connected to on-prem. I will say Allow gateway transit, so intentionally what will happen is it will let the peered VNet use this gateway to come back to on-prem. So let's go ahead and do that. Let's review the settings once again: you give the name, you specify your remote VNet that you want to peer with, so this is VNet 4, you specify
this Allow gateway transit, which I have done, and then I say OK. This will go ahead and provision the peering for me. Now I will have to perform similar tasks on VNet 4, and on VNet 4 you will see that I will have an option to use the remote gateway rather than allow the use of the gateway, and we have to select that option there. So let's go to VNet 4. It says peering status Initiated, which means this is pending. Let's come to VNet 4, and if I come into Peerings here and say Add, this will be VNet 4 to VNet 1 peering, OK. Again here you have to select the virtual network, so this time it will be my VNet 1, that's where I have my gateway. When I come over here I can see the Use remote gateways option. The moment I select this, what it will do is my VNet 4, which is peered to VNet 1, can use the gateway in VNet 1 to reach back to on-prem, or, if you had this VPN gateway connected to another VNet, it can also reach back to that VNet; that is something possible. So I say Use remote gateways and I say OK.

Audience: Is it possible, after doing the VNet peering, to do a smoke test?

Speaker: What do you mean by smoke test?

Audience: OK, so we have configured the VNet peering, so that is fantastic, that's fine. But before that, I just want to know the latency and everything; we can't put this VNet peering into production directly, right, so we have to test it. Is there any other option to do a smoke test: what is my latency, what is the best performance I can get in the network part? Then I can go to the design team and work with them, so this is the best practice and we can work accordingly. We can't go directly with VNet peering; we configure it, and the metrics, the TTL, everything works fine, but is there any other output we can get before we configure the VNet?

Speaker: I mean, you can do your own testing. You
can set up a VM in VNet 4 and VNet 1 and have them communicate; you can send traffic between them and measure your throughput using tools that you set up on these VMs. Microsoft has published documentation and guidance which tells you how much bandwidth you will get, which is around 25 Gbps. If you don't trust that, then you can certainly have two VMs or two devices configured in these two VNets, send traffic and perform your own tests, or the tests that you document.

Audience: On the other side, in some cases the environment is running BGP, and the other side is configured for my site-to-site. So I just want to use one of the sides to configure with the VNet; on the other side I don't want the traffic to reach the VNet. Will the route traffic for VNet 2 on the first side be replicated?

Speaker: Yeah, so don't use the remote gateway, right. If you want to restrict it to the VNet only, don't use the remote gateway; do not set up that option. By the way, in AWS you cannot use this option; it's not available yet. If you have one VPC peered to another VPC, you cannot reach on-prem using transit; it's not possible in AWS natively, it's only possible in Azure.

Audience: All right. Is there any best practice on naming conventions which you have to provide for each and every network, for example VNet naming, site-to-site naming and so on?

Speaker: Yeah, there are people who use it. Typically what they do, if this is multi-cloud, is specify the first letters as your cloud: you can say AZ for Azure, AW for AWS. After that you specify your region: if it is South Central you say SC, if it is North Central you say NC, if it is India South you say IS, if it is India West you say IW, like that. After that you go, let's say,
if this is your production you say P, if it is development you say D, if it is UAT you say U, if it is QA you say Q. After that you can specify your service name: let's say if it is a VNet you can say VNT1, if it is your gateway you can say GW1, and if it is an internal load balancer it is ILB1, like that. There are ways you can be creative and come up with this.

Audience: Yeah, is that what Microsoft recommends as the naming convention? Because I have built my lab, and when I am doing a gateway and so on, this kind of convention I am using, but that's not a best practice. So is Microsoft suggesting to do this naming convention?

Speaker: No, Microsoft will never force you. There are only certain restrictions, for example if you are using storage account naming it has to be lowercase, that's it; the lower- and uppercase restriction is one. Apart from that Microsoft gives you full freedom; it's up to you how you want to set it up. All right, good.

All right, so now you can see that I've configured this VNet peering and the status is showing Connected. Now if I have any traffic from VNet 4 it can reach VNet 1, and from VNet 1, if I had VNet 1 connected to my on-prem, I can transit through that. So let's recap what we have done. In the case of peering, we set up a peering and we allowed VNet 4 to use the remote gateway as the transit option; this is on the side where I don't have any gateway and I want to use the remote gateway, which is the option that I have selected. In the case of my hub, this is my spoke, right, so the spoke will use the remote gateway. But in the case of the hub, which is my VNet 1, what I did for the peering is I said, let others use my gateway connection. If you come to the properties and look at this, what I said is, please allow gateway transit; that means VNet 4 can
make use of this gateway to transit into on-prem. OK, this is for VNet peering. Similarly, on the side of the site-to-site VPN, we configured our VPN: we selected the options in terms of the connection that we have, you specify the pre-shared key, and once the pre-shared key is specified you can look at the shared key that I have specified, so this is ABC12345. That's what you specify as the shared key, and once all the settings match on the other side it will create that connectivity. In my case it looks like I put in the wrong key, so let's look at this one, what is the shared key? So it's wrong. This shared key is what determines the mutual authentication of the traffic going between the two. Point-to-site VPN, again as I said, is for developers, and you can download the VPN client for that; apart from that, site-to-site VPN is at the VPN device level, and it can be between two VNets or between a VNet and on-prem. Also, you can combine your VNet peering with the site-to-site VPN or with ExpressRoute connectivity as well; you can use both. So now I can say it's connected, right, because I had put in the wrong pre-shared key; I have to do the same on the other side also. But anyway, that's what site-to-site VPN and VNet peering are all about.

All right, we are seven minutes past our allotted time. I will take any closing questions. Does anybody have any questions before we call it a day?

Audience: Yeah, so from my side, I have recently used Traffic Manager for my internal DNS and public DNS. All my traffic is now using Azure Traffic Manager for ingress and egress, so for the past couple of months my bill is much lower. I integrated Traffic Manager with my internal and external DNS; the performance is really good and
comparatively with AWS, so it's good, it's fantastic. We came from AWS, where I used the ELB as the endpoint to configure the external and internal domains, but here it's straightforward: my DNS is talking instantly, so the TTL and latency are very low. That's a really good sign from Microsoft. Don't ask me how much it costs in Traffic Manager when I see the reminders.

Speaker: All right, excellent.

Audience: I compared it a little bit with other platforms and with AWS, because both are in the Sydney region; I used it, and we have tested a couple of domains here. That's what's fantastic, so that's one thing I want to share with you guys.

Speaker: All right, good. We'll have a session on Traffic Manager and other networking topics; Azure networking is going to be a big topic, so I think I'm expected to take three to four more sessions to cover the entire Azure networking stack completely. All right, thank you for sharing your feedback. If we don't have any closing questions or closing comments, thank you all of you for joining the call today and for AzureTalk, and I hope to see you again next time. Thank you, and wish you a good day, good night and good evening. Thank you.
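The talk makes three configuration points that are easy to get wrong and that a reviewer would want to check before a VPN or peering is declared done: address spaces must not overlap between any two VNets or between a VNet and on-prem, a VNet-to-VNet connection must be created from both sides with the same pre-shared key (the demo failed exactly because the two keys differed), and hub-and-spoke transit needs "allow gateway transit" on the side that owns the gateway and "use remote gateways" on the side that does not. The script below is an added example, not the presenter's code or anything from the AzureTalk lab; it models the talk's topology (VNet 1 hub with a gateway, VNet 2 with its own gateway, VNet 4 spoke without one) with constructed names and address prefixes, and runs those three checks over the model. The rule that a VNet which already owns a gateway cannot set "use remote gateways" is Azure's own constraint on peering; everything else is a plain design-review check.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass
class VNet:
    name: str
    address_spaces: List[str]       # CIDR prefixes, as entered in the VNet's address space
    has_gateway: bool = False       # True if a VPN/ExpressRoute gateway is deployed in the VNet


@dataclass
class Peering:
    """One side of a VNet peering, as configured in the portal."""
    local: str
    remote: str
    allow_gateway_transit: bool = False   # hub side: let the peer use my gateway
    use_remote_gateways: bool = False     # spoke side: route through the peer's gateway


@dataclass
class VpnConnection:
    """One side of a VNet-to-VNet / site-to-site connection with its pre-shared key."""
    local: str
    remote: str
    shared_key: str


@dataclass
class Topology:
    vnets: Dict[str, VNet]
    peerings: List[Peering] = field(default_factory=list)
    connections: List[VpnConnection] = field(default_factory=list)
    onprem_address_spaces: List[str] = field(default_factory=list)


def overlapping_spaces(topo: Topology) -> List[Tuple[str, str, str, str]]:
    """Every pair of prefixes that overlap between two different networks
    (VNet/VNet or VNet/on-prem). Any hit breaks VPN and peering routing."""
    spaces = [(v.name, p) for v in topo.vnets.values() for p in v.address_spaces]
    spaces += [("on-prem", p) for p in topo.onprem_address_spaces]
    problems = []
    for (na, pa), (nb, pb) in combinations(spaces, 2):
        if na == nb:
            continue  # only cross-network overlap is checked here
        if ip_network(pa).overlaps(ip_network(pb)):
            problems.append((na, nb, pa, pb))
    return problems


def shared_key_mismatches(topo: Topology) -> List[Tuple[str, str, str]]:
    """A connection must exist from both sides with identical pre-shared keys."""
    by_pair = {(c.local, c.remote): c.shared_key for c in topo.connections}
    problems, seen = [], set()
    for (a, b), key in by_pair.items():
        if frozenset((a, b)) in seen:
            continue
        seen.add(frozenset((a, b)))
        reverse = by_pair.get((b, a))
        if reverse is None:
            problems.append((a, b, "missing reverse connection"))
        elif reverse != key:
            problems.append((a, b, "pre-shared key mismatch"))
    return problems


def gateway_transit_problems(topo: Topology) -> List[str]:
    """Hub-and-spoke over peering: hub allows transit and owns a gateway; the spoke
    uses remote gateways, owns none, and its peer must allow transit."""
    by_pair = {(p.local, p.remote): p for p in topo.peerings}
    problems = []
    for (local, remote), p in by_pair.items():
        if (remote, local) not in by_pair:
            problems.append(f"{local}->{remote}: peering not configured from {remote} side")
        if p.allow_gateway_transit and not topo.vnets[local].has_gateway:
            problems.append(f"{local}->{remote}: allow gateway transit set but {local} has no gateway")
        if p.use_remote_gateways:
            if topo.vnets[local].has_gateway:
                problems.append(f"{local}->{remote}: use remote gateways set but {local} already has a gateway")
            if not topo.vnets[remote].has_gateway:
                problems.append(f"{local}->{remote}: use remote gateways set but {remote} has no gateway")
            back = by_pair.get((remote, local))
            if back is not None and not back.allow_gateway_transit:
                problems.append(f"{local}->{remote}: {remote} does not allow gateway transit")
    return problems


def azuretalk_lab() -> Topology:
    """Constructed approximation of the talk's lab; names and prefixes are assumptions."""
    vnets = {
        "vnet1": VNet("vnet1", ["10.1.0.0/16"], has_gateway=True),   # hub, VPN 1
        "vnet2": VNet("vnet2", ["10.2.0.0/16"], has_gateway=True),   # VPN 2
        "vnet4": VNet("vnet4", ["10.4.0.0/16"]),                     # spoke, no gateway
    }
    topo = Topology(vnets=vnets, onprem_address_spaces=["192.168.0.0/16"])
    # VNet-to-VNet connection created from both sides; keys differ, as in the demo
    topo.connections.append(VpnConnection("vnet1", "vnet2", "ABC12345"))
    topo.connections.append(VpnConnection("vnet2", "vnet1", "ABC1234"))
    # hub-and-spoke peering: hub allows transit, spoke uses the remote gateway
    topo.peerings.append(Peering("vnet1", "vnet4", allow_gateway_transit=True))
    topo.peerings.append(Peering("vnet4", "vnet1", use_remote_gateways=True))
    return topo


def validate(topo: Topology) -> Dict[str, list]:
    return {
        "overlaps": overlapping_spaces(topo),
        "keys": shared_key_mismatches(topo),
        "transit": gateway_transit_problems(topo),
    }


if __name__ == "__main__":
    for section, items in validate(azuretalk_lab()).items():
        print(section, items or "ok")
```

Run against the constructed lab, only the key check fires, reproducing the "connected on one side, Unknown on the other" state seen in the demo; adding an on-prem prefix that overlaps VNet 4, or giving the spoke its own gateway, makes the other two checks report as well.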
Info
Channel: AzureTalk
Views: 17,352
Rating: 4.9298244 out of 5
Keywords: Azure Talk, AzureTalk, Vnet, nsg, vpn, vnet peering, s2s vpn, mutli site vpn, azure, azure networking
Id: OBpK3tP30hk
Length: 67min 22sec (4042 seconds)
Published: Mon Jul 10 2017