AzureTalk | Azure Networking | Session 1

Captions
All right, good morning, good afternoon, good evening everybody. Thank you for joining this session on AzureTalk. My name is Mitch Kumar; most of you know me. I am a cloud architect, I'm also a Microsoft Certified Trainer, and I have done a couple of other certifications, which I completed in 2016. Today we will talk about the networking component in Azure, which is the backbone, the beginning point or building block, of the Azure cloud.

So today we will talk about the different Azure networking components. To begin with, we will try to understand what a VNet, that is a virtual network, is. Then we'll drill down into subnets and CIDR blocks: how we allocate subnets and how we slice a CIDR block into these subnets within the VNet. We'll also talk about the different kinds of IP addresses which are available in Azure, how you allocate them, and what the scenarios are in which you will choose those IP addresses. We'll also cover the NSG, the network security group, which provides security for your public endpoint and controls inbound and outbound traffic. If time permits we will also cover other topics, but probably today I will not be able to cover them all, so we'll have another session, or maybe a couple more sessions, to cover Azure networking, as I think it is a very important and key component of building a successful public cloud in Azure.

All right. In terms of VNets: when you talk about Azure, we talk about the network. The virtual network is the component, or the building block, where you will start your solutioning when you're designing a solution in Azure, so first you will have to lay out the networking infrastructure. So how do you build that network infrastructure in Azure? The component that you rely on to build your network infrastructure is called a VNet, or virtual network. A virtual network is what lets you define and organize your network in Azure. You can have multiple VNets in Azure; each VNet is a contained and isolated unit in itself. So if you provision any resources inside a VNet, they are isolated and don't talk to any resources in another VNet unless you set up a connection between those VNets. By default a VNet is a self-contained networking unit which contains all your Azure resources, or any resource, especially IaaS resources: any infrastructure service VM that you put in will belong to one of your VNets, or a subnet inside the VNet. You can also provision some PaaS resources; there are some exceptions, but most of the time you will be provisioning your IaaS workload. You are not going to provision any kind of PaaS workload except ASE, the App Service Environment; that's an exception, a PaaS offering which can be put into, or belong to, a VNet. Otherwise all this addressing scheme is meant for IaaS, infrastructure service VMs.

Within Azure VNets, the address space that you're allowed to use is the private address space which Microsoft allows you to use. There are three private address blocks that you can use. One is the block 10.0.0.0/8; the notation that you see here is called a CIDR block, classless inter-domain routing format, and we'll also talk about that. In it, /8 denotes the network component, or the bits used to define the network. So in your network address the first 8 bits belong to the network, and the rest, 32 minus 8, which is 24 bits, is left for your hosts inside that network. Similarly you also have the second block, which is 172.16.0.0, and you can use up to 172.31.255, so any of these ranges between these two you can assign to your VNet. And then finally the third one, which is 192.168. This is the block which, if you really want a smaller network, you can probably make use of, and if you need a larger, really large network, you can make use of 10.0.0.0/8. But that doesn't restrict you: you can use any of the blocks and you can segment it, you can micro-segment it. So it doesn't matter; even if you need a smaller network you can also make use of a 10 subnet and do further subnetting. We'll see that in the demo. But these are the three address spaces that you will make use of when you provision a VNet in Azure.

Every VNet has something called an address space, and the address space is where you will specify your subnets. All the subnets which get defined inside the virtual network will take their IP addresses from this address space. Any subnet that we define will come from the address space that you have associated with your VNet; it cannot come from outside of that. It has to be part of the same IP block, the same CIDR block, which you have assigned to your VNet. On the left side you see, as I talked about, that you have all your resources in Azure, and then you have your local network. In this case the local network is your on-prem servers: you have servers on-prem and then you have resources in Azure. There are various ways to connect to Azure, but just for illustration purposes here we are showing that we have VPN connectivity, so that your local network, or on-prem network, can reach out to Azure. There are various ways to connect, and we will cover the different options to connect an on-prem network to Azure in our next session, but for illustration purposes here what you see is VPN connectivity: you will set up a connection between your Azure virtual network and your on-prem local network.

Now, for this virtual network that you see, you have to make sure that when you are assigning those IP addresses, the CIDR block doesn't coincide with the IP addresses that you have on-prem. So if you're already using any of the IP blocks from this range on-prem, make sure that you have a mutually exclusive IP addressing scheme; you shouldn't be overlapping. If there is an overlap of IP address blocks, your VPN will fail; it will not work. That's one of the key considerations when you're designing a topology: make sure that you don't have any overlapping network, not only with your on-prem but also if you have branch offices using IP ranges. Just make sure that you don't have any duplication of the IP address ranges you have on-prem, so the Azure IP address of the virtual network, the CIDR block, has to be unique. And remember, once you provision the network it's very difficult to make changes; it will be a very tedious task once you have production workload. So please make sure that you are doing your due diligence when you are designing your Azure networking, your virtual network, the layout and the IP addressing scheme.

Moving on to the next one: what is a subnet? Most of us who have worked in the industry have, in some form or another, worked with subnetting; obviously a lot of us have come from a networking background or a server administration background. A subnet is nothing but a block of IP addresses carved out of your VNet, the address space that you specify for the VNet. Now you can
have multiple subnets within a VNet. The VNet is your top-level container, you can say, your networking unit, and within the VNet you can have multiple subnets. The point here is that the subnet will derive its address space from the address which was assigned to your VNet, so any address that you give your subnet will have to come from the VNet IP address block; you cannot have a totally unrelated IP address block assigned to your subnet. A subnet is a contained unit within the VNet, and you can divide your VNet into multiple subnets depending on how much you want to divide it: if you need a front-end subnet, a web subnet, if you want to create a DMZ, so a web DMZ, web subnet, application subnet, database subnet, or an internal subnet. If you need only four subnets you can also design that. Depending on your requirement, how you want to design the topology, you will segregate your VNet into further subnets. All your resources, all your VMs that you deploy, go into one of the subnets, so obviously your resource will ultimately end up in a VNet, but within the VNet it will belong to one of its subnets.

Now, let's say you have two subnets, a front-end and a back-end subnet, and you put a VM in the front end and a VM in the back end. In that case you don't need to do anything: communication between subnets is by default open. Any subnets within a VNet can talk to each other without any hindrance until you put in a restriction; we'll see that using an NSG we can put in a restriction on how to restrict communication from certain subnets. That's basic; by default you don't need to put in a routing table, you don't need to put in anything, you don't even need to put in a DNS server, because it utilizes Azure DNS to resolve the servers within the same VNet. When you go across VNets, that's where you need to have connectivity, you need to have the DNS infrastructure set up, and all of that comes into the picture. But if you're deploying within a VNet, doing a POC or a test kind of thing, and you have not set up any NSG at all, all these servers between two subnets within the same VNet can talk to each other.

You can deploy an NSG, the network security group, to a subnet. An NSG can be applied at the subnet level or at the NIC level. In today's parlance I'm purely talking about the ARM portal, the Azure Resource Manager portal; there's also the ASM portal, the service management portal, which is the old version, and I'm not going to refer to the ASM portal because it's old. I'm purely talking from the Azure Resource Manager portal perspective. So you can apply your NSG at the subnet level and at the NIC level. If you apply it at the subnet level it will apply to all the VMs inside that subnet, unless you have an NSG at the NIC level, which will take precedence if it is for incoming traffic; if it is for outgoing traffic, the subnet NSG will take precedence.

In terms of how many IP blocks or IP addresses you have: by default there are five IP addresses in any subnet that you cannot make use of. Those are reserved by Microsoft: three IPs are used by Microsoft, and then the first and the last IP. The first IP is the subnet address itself, the last IP is your subnet broadcast address; those you cannot use. So the maximum any subnet that you define will have is 2 to the power of the host bits minus five. The minimum supported subnet mask is 29, and what that tells you is that if I have a 29-bit subnet mask, which means for hosts I only have three bits, those three bits give me 2 to the power 3, which is equal to 8. Out of that I subtract 5, so I will have 3 reusable host addresses in a 29-bit subnet mask. If you have such a small requirement, the smallest subnet that can exist has a 29-bit subnet mask, not less than that. For example, let's say hypothetically we had a 30: what will happen in case of 30? If I have a 30 subnet mask, you will only have 2 bits left for your host, so it will be 2 to the power 2, which is the number of hosts you can have, minus 5. So you see, 4 minus 5, because 5 is what is reserved by Microsoft, and 4 minus 5 is minus 1, which is not practically possible. That's why the smallest IP address block a subnet can have is a 29-bit mask, not less than that, and that will give you 3 IP addresses for your hosts.

We talked about a different notation: the notation which we are using is called a CIDR block, classless inter-domain routing. Basically, in a CIDR block you put in an IP address, and then at the end you put a slash and then you specify your subnet mask, or the bits: that 24 bits over here tells me how many bits are allocated to the network. So in this case I can clearly see that 192 13250 is my network bits; the first 24 bits are my network bits, and then the rest 8 bits are for the host. I can clearly see that if I have to really type in what my subnet mask is, it will be 255.255.255.0, so this will be my subnet mask. This kind of notation is also called a CIDR block, and in a CIDR block you mention your IP address and then you specify the bits which belong to your network. Now, that doesn't have to follow 8, 16 and 24; you can have any number, 8, 9, 10 or 1. In this case, if I had put in 25, my subnet mask would be 255.255.255.192, because the first 25 bits belong to the network and then the rest 7 bits belong to my host. That gives me 2 to the power 7 hosts, which is 128, minus 5, which is equal to 123 hosts. That's how you calculate, and this is very important, because when you design these solutions you have to make sure that you have enough IP blocks. You have to keep your future growth in mind too: you're not designing only for the present but also for your future growth, how many servers you will add in the next five years, and you have to make sure that you're ready to accommodate that in terms of IP addresses.

There are two kinds of IP addresses that you can use in Azure. One is the public IP address, and it is used mainly to communicate if you are going out to the internet or you are accessing any Azure PaaS services. Usually any PaaS service is internet facing, especially if you're using Azure Key Vault, using Azure Storage, or using Azure Recovery Services; most of these services are. In fact Azure SQL is also internet facing, so if you have an IaaS VM which needs to reach out to Azure SQL, you will need the internet connection, so in that case you will probably make use of public IP addresses. We will see that the public IP address can be assigned to a VM; when I say VM, it gets assigned to one of the NICs of the VM. Or if you have a load balancer, which is created to load balance (there is an internal load balancer and an external load balancer), if you have an external load balancer which is internet facing, you will assign a public IP to it so that the other entities on the internet can communicate with it. VPN gateways certainly require a public IP, because the VPN gateway in the Azure VNet will have to talk to your VPN gateway on-prem, so certainly it needs a public IP. And also the
application gateway, which is a layer seven load balancer, you can say, and it also now supports a web application firewall, also requires a public IP. So obviously these are the four which consume public IPs. Now those public IPs can be assigned in different ways: they can be static or dynamic. You can have a static IP, which costs you more, and in case of dynamic, that IP changes if you decommission those servers. In case you don't want to retain that IP you can go dynamic, but if you want to retain the same IP irrespective of what happens to the service, you will go with a static public IP.

Similarly, you have private IP addresses, which is the addressing scheme within the VNet. From the address space that you have specified, any of your servers, any of your VMs, get assigned this private IP, and this is assigned by DHCP. Again it can be dynamic; now the dynamic one is infinite, it's given as a DHCP lease. Microsoft has a DHCP service which leases out your private IP, and that lease period is infinite as long as your server exists. If you don't deallocate it, you will retain the same IP; even if you restart the server you will still retain the IP, because it has been leased to you for an infinite time period. The second option is that you can set a static private IP. Again, don't go by the name static: it doesn't mean that you will go into the network interface card and manually enter the IP. No, it's a DHCP reservation; that means the IP is reserved for you irrespective of what happens, and even if you deallocate your VM you still retain the same IP. So that's the difference between dynamic and static, and you can set these settings from the NIC properties, whether the private IP should be dynamic or the private IP should be static; you can set both.

Where will you use a static IP? You will use a static IP for your critical services like your domain controllers, your DNS servers, or any server which, let's say if you have internal web servers, a web server which will be accessed by internal users, will certainly require a static IP too. Those kinds of services which have an affinity to an IP address you will set as static. And it doesn't cost you anything whether you use dynamic or static; it's the same in the case of private IPs, but in the case of public IPs, yes, you do get charged more for a static public IP. So I'll move on to the next one.

All right, so this is the network security group. As I said in the previous slide, we did talk about the network security group. The network security group, you can say, is a security mechanism provided by Microsoft with which you can protect your VMs running inside your VNet, inside your subnet. You can control the traffic: you can control incoming traffic, you can control outgoing traffic. So for any server that you have that has an NSG, if you want to control your inbound traffic you can configure your NSG with those inbound rules, or you can also configure your outbound rules, wherein it will control the outgoing traffic. The NSG is your traffic controller, you can say, and this traffic controller can be deployed at the NIC, or it can be deployed at the subnet level. If you have any VM running in a classic deployment, which is the Azure Service Manager portal, you can deploy it at the VM level, but ASM is long gone, and if people are running workloads in that they should migrate to the ARM portal sooner or later. In case you're running in Azure Resource Manager, you can apply the NSG at the network interface card or you can also apply it at the subnet level.

Some of the settings that you will define in your network security group: every network security group, once you define it, has a set of rules. In this set of rules you have the name, which gives a unique identifier to the rule. You specify the direction, and the direction tells whether it is inbound or outbound. You also have priority: depending on the priority, the higher priority rule will win. How are the priorities decided? The lower the number, the higher the priority; the higher the number, the lower the priority. It's the opposite: usually we think that the higher the number, the higher the priority, but that's not the case in Azure. The lower the number, the higher the priority. Then there is access, which specifies whether you want to allow that access or deny it; you can define both, whether it should be allowed or should be denied. Source IP address, that's your source, and destination: you have the source IP from where you want your traffic to come and then the destination where it's going to, so you can specify source and destination. If it's coming from one network region, one subnet, that you want to allow, you will have your source subnet and then you will have the destination subnet that you can specify. You also have your source port, so what kind of port you want to specify: if you want to specify only the SQL port, 1433, you can do that; if you want to allow the RDP port you can include 3389; if you want to include HTTP and HTTPS, port 80 and 443. Similarly on the destination side also, so you have a source port range and a destination port range you can specify. If you want to specify that it could be any traffic, UDP and TCP, you can use the wildcard character, which is the asterisk; if you specify an asterisk, all the protocols are allowed irrespective of UDP or TCP. All right, so moving on.

This is what the network setup is going to look like today, and I borrowed it from the Microsoft website. On the Microsoft website this is one of the exercises, where we will create our VNet, and that VNet will have the IP block which is 192.168.0.0/16. This is the CIDR format that I was talking about, which lets you see that the first 16 bits, which is 192.168, is my network address, and then the rest 16 bits is my host, so I will have 2 to the power 16 minus 5 hosts; it's a huge network that we are going to build. But then you will see that we further divide it, and if you come down here you will see that we have done a subnetting of /24. That tells me that originally I had 16 bits, but I have borrowed another 8 bits to create subnets, so now I have 2 to the power 8 subnets, and slicing each subnet I have 2 to the power 8 minus 5 hosts. We will create two subnets: one is the front end, that was 192.168.1.0/24, and another one is the back end, 192.168.2.0. The back end is where we have the SQL server, and we'll also deploy a VM if time permits. We will deploy the NSG over here; this NSG will have an inbound rule for web, which will be 80, and it will also have 3389, which we want to allow for RDP. And then this NSG will have an inbound rule which will allow 1433 on the back-end side, and a web rule, so that the web server can talk to this guy on 1433. This is what we are going to do in our demo today, so let's go ahead and get started. While I get the demo started, does anybody have any question? We'll perform the same task in two ways: one using PowerShell, and another one through the portal. When we are on the portal we will perform the same task but with a slightly different methodology, but now
you will use the same address block and will also do the same stuff using our powershell script so for you know powershell script you know if you have not downloaded it you can install web platform installer and with that you can install your actual powershell and once you have installed it then you know you can perform this task using a PowerShell so what I'll do is you come on the left side and then click on on new and when you say new here you will you know you can go into networking and enter networking you have something called virtual network which you can select so if you select virtual network it will ask you for the name right so let's give it a name it's going to be a I sure talk mean it one now with the IP address that we wanted to give and now this is the address space of your OB net this is you know the top-level address space that you're giving so this is going to one ninety two dot one sixty eight dot zero dot zero now and this is very near specify slash 16 so this will tell this system that I have used this and it can tell you that you're going to get 65536 address and it's also telling arranged in a front where it will start and really now once you have specifies your you know address space that is your minute address space this is the you know at the space given gel-v net it's the time to define your sub so can we create more than one address space in the unit no right yes you can add more than one space once it is created you can add you know more than one other space but at the time of creation you can only have one address space but later you can modify and add more than one address space let's go ahead give it a name front end and this will be one ninety two dot one sixty eight dot one dot 0 slash 24 so this is going to be my 24 address you specify this is my subscription now you can specify if you already have a resource group you can use that if you don't have then you know probably you can create one so in my case I already have one so I 
will use that and this is a location so in which data center you know in isolation you want to position it so you can select depending on you know where you want to host your resources in my case I am going to select south central us okay so resource content exists so I say oops okay I'll say I'll do one so this will create this v-net for me now we have only created one subnet so now we know once this V native provision we'll have to go back and add another subnet into it which will do the back in subnet right so currently saying deployment is in progress deployment succeeded so let us come to the resources and if I see my resources I can say you know I have I should talk we need one which is created in I should talk RG 1 so let's go here and if you come here you know I think Buddha you asked this question right this is where you can add your address space so once in this v-net is created here you can add additional address ranges I'm sorry she yes yes sorry yeah so you can add your address space here and then you can make use of those address spaces or further creating subnets okay now if I come to my subnet you can see that I have this front-end subnet now I will go ahead and create another one which is the back-end a back-end subnet now you'll have to specify the range that it's going to be again remember it's a sighted block so you have to make sure that you put in the format of your IP address slash your you know there is some netmask that you would like to use so in this case this is going to be the two so 192 162 0/24 which will give me 256 address minus 5 so which is like and I will have 251 host address to deal with now here itself you can specify a network security group by the what will will come later where we create a network security group and you will assign that network security group to the you know the subnets the front in subnet and the backing subnet and you can also specify a routing table routing table is much more advanced wherein you want to 
do the manual routing in that case you can you can define that but we'll mark are going to touch this or explain this today so let's just keep it simple we created a back-end subnet with this IP address block which is one ninety two dot one sixty eight dot 2.0 slash twenty four it gives me two 50 100 s so I say ok so basically what's going to do is it will add me on one subnet so you can see front in in back in subnet that it created now on the top if you can also see that I have gateway subnet now this subnet is a special subnet which is used for you know hosting your VPN devices so if you would say if you want to connect your we need to on Prem in that case you will have to create that gateway subnet then only your all your VPN gateway will go under that gateway subnets that's how you will need it when you know when we will provision VPN connectivity into v-net or you know between the unit and your content that case will require but right now you know I can leave it as it is now so what you see over here is I have fronted and back in subnet now the same task what I will do is I will go ahead and perform that from the my PowerShell script so if I come over here this is my PowerShell script that I have defined so you know if you look at it closely first line is wherein you log in with your user credentials you know log in as your RM account will prompt you for your username and password once you put in user and password it authenticates you then you have if you have multiple subscriptions so in my case I have three subscriptions so I have to select the subscription which subscription you you want your resources to be provisioned in in that case sitting you select Ashwood RM subscription and if you are not sure about your location where you want to provision and you want to get the list you can say get as your RM location so that will give you the list of all your you know locations in I assure you know where all you can host with the i/o regions it will show you 
that and the next line where you see what I am doing is here and creating a resource group because I want all my resources to be under one resource group I don't want that to be you know belong to one resource group so I'm creating this resource group which will create a talk Archy location you specify this location is a south-central use that's where I'm going to provision the next one where I'm creating a we net so what I'm doing is I'm calling a command called new as URM virtual network so basically what it does is it creates a virtual network and every command lit that you call it has its own parameters that you have to specify the parameter for new I should add in virtual network is you have to specify the disor scroop name you know it has to so you specify the resource cook that you have created over here in and you specify that name and then you specify your v-net name so this is where you would specify your unit name which will go ahead and create it so in our case since we already have we need one I will change it to we need to and the next one is where you specify the address prefix now address prefix is this is something you know either you can maintain the same you can have two v-net you know with the same address space but then remember you know if you future if you try to you know have connectivity in these two it will not work for you because you have overlapping you know I'll be in it or address dispersed so in that case it will fail for you so basically what you will do is in this I mean in my case I'm not going to do any kind of being a two v-net communication so that's what I will just leave it as it is I'm not going to really touch it so though it is overlapping but I will leave as it is then you specify your address prefix this is where you specified insider block Department and then you give your location where it has to provision so it is going to be in south-central us now Neeraj is fear so if you change the 16 number the one I don't know 
what you call it, you call it the mask, so if you change the one or increase that one, will it have any impact? Yeah, so if you do /24 then you will have only eight bits to play with. So I can do like this, so I can say that OK, I have 24 bits, which means now I will have 8 bits under that, which will have to decide my subnet. So let's say I can give it /26 and I can also give this /26, so this way what will happen, maybe just for ease of use I can mention one: what can happen in this case is from 1 to 26, this will give me four subnets of 64, with 64 hosts in each subnet. So you can certainly do that, that's not a problem; so you can specify that range and then that pool. So basically it will start from 1 to 64, so this will be your 65, but it's a mistake, 65; so what will happen is your first subnet will have the IP range from 192.168.1.0 to 64, and then the next one will start from 65 to 127, or rather 64 to 127, and the first one will be from 0 to 63. So you can play around with that, that's not a problem; depending on how you want to network you can do that. OK, thank you. So this is where you specify the address prefix of your VNet. Now once you are done with VNet creation, this is what it will create. So let's do this, right? I've already logged in, but just for demonstration purposes I want to show you how it looks, and I'll run it one by one so that you can look at these steps. So the moment I say Login-AzureRmAccount it will ask me to log in with my credentials, so this will log me in. And then after this what I will do is I will run the next command, which will select my subscription; so hopefully it has selected my subscription, which is Cloudy Easy. Once my subscription is selected I want to see what all the locations are; I know that I'm going to provision in South Central US, but
if I want to list those locations I can say Get-AzureRmLocation and it will get me the list. Now if you look, you have East US, UK South, West Central US, West US 2, Canada Central, Canada East, all these locations, so I can pick my choice if I really am not sure. So this is the one I have chosen, which is South Central US; so if I go up, North Central, South Central, this is what I have chosen in my case, right? So I've chosen South Central US, that's where I want to host my resources. So I got the location, I'm sure where I want to host it, so let's go ahead and create a resource group first, which is AzureTalkRG, and the location is South Central US. So let's execute this, let's see what it does; so it will create AzureTalkRG. So if we go to the portal and look at our resource groups here, you can see we now have AzureTalkRG, which is empty at this point of time; I do not have any resources inside this, I'm going to create one, right? So let's come back here and execute this one. So I can say execute, oops, sorry, I have to select this because this is on the next line. Yeah, so basically what it is doing is it's creating a virtual network in my AzureTalkRG resource group, whose name is VNet2, with this address prefix, which is 192.168.1.0/24. And then once that is done we'll see that we will also add two subnets inside it, one is front-end, one is back-end, so let it complete. Once it is completed I will add; so the command is Add-AzureRmVirtualNetworkSubnetConfig. So basically it will add the subnet information, the subnet configuration, into my virtual network, and I specify the name, which is front-end and back-end, that's what I have chosen; then I specify the virtual network. Now this is where this variable comes into the picture: when this got created, that object, that virtual network object, is stored in my
variable called $vnet, and we are referring to that $vnet variable here and specifying that as the VirtualNetwork parameter, and then we specify the address prefix. Now this address prefix is for your subnet, so in essence we have created a /24 and we are going with /26 so that we have four subnets, and each subnet will have 64 minus 5 or so; just for simplicity I said 64 hosts. So the first subnet will have the range 192.168.1.0 to 63, the second one will have, I can say, from 64 up to 127. So let's go ahead and execute both of these; so this one has added 192.168.1.64/26 and 192.168.1.0/26. So once this is done, this has still not been provisioned on the Azure portal, so we'll have to call Set-AzureRmVirtualNetwork. What we have done here is we have just updated the virtual network object which we have stored in $vnet; we have applied that information in the cached object, but it's not yet set on the actual portal, so we'll have to say Set-AzureRmVirtualNetwork, and this is what's going to set it, and it will be updated on the Azure portal. So if I do that it'll take a couple of seconds, after that we'll see that we'll have our VNet updated, the VNet provisioned and updated with these two subnets. So it's taking time, 10 seconds or so; meanwhile let's navigate to the portal. Earlier you saw that we didn't have any resources; now we'll close it and go once again, and this time you will see that we have one resource called VNet2, which we provisioned through PowerShell. And if I come here and look at the address space, I see 192.168.1.0/24 that I have created, and it does tell me, right, it tells me that I'm using an overlapping network, but I did it purposefully, so I'm fine with it. Now in terms of subnets, if you look at it here, you can see how many IP addresses I have available. If you look closely, it says 59; it should have been 64, because we have 6 bits for our
hosts, /26, which tells you 32 minus 26, which is 6; but as I said, 5 IP addresses are lost: the first address is the network address itself, the last address is the subnet broadcast address, plus Azure reserves 3 more IPs, so in total you're losing 5 IPs when you do the subnetting. So you will only get 2 to the power, in this case 2 to the power 6, minus 5, which is 59 IP addresses, and that's what Azure is showing you. Now this is exactly what we did through the GUI, now we have done it through PowerShell. The beauty of PowerShell is that you can templatize it, and if you are working in production where you have a lot of dev/test environments going on and a lot of break/fix environments going on, you can just write your script and have it provisioned automatically; that you can do. So this provides you the ability to automate your virtual network creation. The next level of automation is you can also use a JSON template, with which you can specify all these details: so right now what you see, name, front-end and subnets, if you look at it, this is what I have; all this you see is the address space, this etag, this is the JSON format which it has spit out for us. You can use the same one if you really want to do that, and with the JSON script also you can provision it. But today I will just confine myself to only PowerShell, and this demonstration was meant to show that you can do the same task not only from the portal but also from PowerShell. Any question while I move on to the next section? Not from me. Is the overlapping in a different region or not? No, so in my case the CIDR is overlapping in the same region; as long as I don't have to make these talk to each other I should be fine, and I did it purposefully. OK. But in your case, if you are in production
and you are doing that, make sure that you don't have any overlapping, because at the end of the day, if you have multiple VNets you want that connectivity, whether you are using VNet peering or VPN gateway or using ExpressRoute; all these VNets will talk to each other, so make sure that you don't have an overlap, otherwise this is going to wreak havoc and one of your VNets will not be able to come into the production network. It is in the same region, but to answer your question, it doesn't matter; even if it is in a different region, if you try to connect it will fail because you have overlapping address space. OK, so I will move on. Now what we are going to do is, we have created two subnets, let's try to look at some of the properties of the subnets. So if we come to our VNet that we've created first through the portal, and if I come to subnets, now under the subnet you also see here you have 251 because this is the first one. But this is something very interesting, you see DNS servers; now what is this? You can define your DNS server setting at the VNet level. Now this is the DNS server that all your resources inside this VNet will use for name resolution. By default, as I said, as long as your resources are within the same VNet and they want to talk to each other, they can do so because Microsoft is providing that DNS server functionality, and it is called the Azure-provided DNS server. But in production, when you host your servers and you build your domain controller, which will be your DNS server, this is where you will come and specify the IP address of your DNS server. So let's say you have put in a domain controller and you have assigned an IP which is a static private IP, you can specify that IP over here, let's say 34. So then what will happen is any name resolution which has to happen within the
VNet will be taken care of by this server. Further, if the resolution has to happen for the internet, any traffic like microsoft.com that you want to resolve, in that case this DNS server will receive the query and will ultimately forward the query to Microsoft's load-balanced DNS server, which is 168-dot-something; I mean there is one IP which is a load-balanced IP. So that way you will resolve locally, and at the same time if you have to go to the internet that will also work. So this is the DNS setting; this DNS server you define at the VNet level, you don't define it at the subnet level. And in fact most of the time, when you're on-prem, you log into your server and then go to the NIC card properties and from there you set the DNS server; but here you can't do anything of that sort. Basically what you are doing over here is, the moment you put this IP address, the DHCP server will pick this up, and whenever it assigns the IP to any of your servers, the Microsoft DHCP server, when it assigns any IP address to your VM, will also put in this DNS server as a part of the DHCP scope or DHCP lease that it's going to lease out. So this is where you define your DNS server. Right now I don't have any DNS server, so I discarded it. The next thing is peering; probably we'll cover peering later, but this is good to know: if you have two VNets in the same region and you want to put in connectivity between these two, you can do so using VNet peering. This peering is not to be confused with ExpressRoute peering, that is a different peering; this is purely VNet-to-VNet peering, and the traffic stays within the Microsoft backbone, and the bandwidth that you get is 25 Gbps, that kind of thing; it's a very high-throughput connection, and there are some charges which you have to pay. But the condition is
both the VNets have to be in the same region; you cannot do peering across regions. OK, so that's it. So let's go and try to create an NSG, network security group, and we'll assign that network security group to the front-end subnet and the back-end subnet and configure this to accept the traffic. So you can come to Networking, and then here we should have something called Network Security Group, and I say Create. Now you specify the name, so I will say FrontEndNSG. One NSG can be applied to multiple subnets, but not vice versa; that means on one subnet you can't apply multiple NSGs, but you can have one NSG at the subnet level and you can have another NSG at the NIC level; certainly that's feasible and that's valid, but you cannot apply two NSGs at either the subnet level or the NIC level. So let's say FrontEndNSG; you specify the subscription, resource group, so I will say let's go with this. Can you please repeat that last line one more time, regarding the NSG? Sure, so NSG, OK, let's write. So you have a subnet, right, and you have an NSG; now you can have two NSGs, now these two NSGs cannot be assigned to the same subnet, this is not possible. However, if let's say you have subnet 2, the same NSG can be applied to subnet 1 as well as subnet 2, which is a very valid configuration. But there is another situation: if you have a VM inside a subnet, and that VM does have a NIC card, obviously it will have a NIC card, and if you want to specify your NSG, you can have two NSGs applied, one NSG which is at the subnet level and another NSG at the NIC level. But you can't have two NSGs applied at either the subnet level or the NIC level. Got you, so that means you can add the rules in the single NSG to add complexity, right? Yes, yes, you can do that, and in fact you can apply one NSG to multiple subnets. So let's say you need the same kind of security on
more than one subnet, so you don't have to create one NSG for each subnet; rather you define your rule-based NSG and that NSG can be applied to multiple subnets. Instead of applying it on multiple subnets, can we apply it on the virtual network itself? No, you cannot; it can be only applied at the subnet level or NIC card level, you cannot apply it at that level. Oh, this is something like a DMZ network which we are generating, right? Yeah, so you can design your DMZ network, so like you can have your web, you can have your app, and then you can have your DB, and then you can have your intranet. So now you will create four NSGs: NSG1 here, NSG2 here, NSG3 here, so this will control, and you can specify your NSG; in fact it will be NSG0, so NSG0 will protect your web and it will only allow port 80 and 443. Then between web and application, the second NSG will control this traffic, whatever port the application is talking on, whether an RPC port or 443, whatever it is, we just open that port. Application to DB, you will only open 1433. And DB to intranet, probably you don't require any, but in case connectivity is required you can set up that NSG. So NSG is what helps you to set up your DMZ kind of infrastructure which you want to replicate in Azure. And I believe, if I am not wrong, 200 or 400 is the maximum limit of NSG rules which we can apply at each NSG, right? Correct, so that can be modified; if you call Microsoft they can upgrade it to 500, or in some exceptional cases they can also take it to 2000. OK, all right, let's get back to our NSG. So I've specified my front-end NSG, which is going to apply to my front-end web; this is AzureTalkRG, South Central US, exactly it. So this will create. So let's refer to what should be our rules: so in the front-end we want to specify RDP, which will be 3389, and we also want to specify the HTTP traffic; so both of these are incoming, right, so we'll specify that
trying to put it in. Once it succeeded, let's come here; this is my front-end NSG. Now this is where you specify your inbound and outbound. So obviously in our case, since it's a front-end, I'm going to go ahead and add an inbound rule, and I say Add, and I can say RDP-Allow. Now this is the priority; this is what I said, the lower the priority number, the higher the precedence it has. So if you want to make sure that a rule has the highest precedence, it applies to putting in the lowest number, so I would put in 100. Now source is where you can specify Any, in that case any person from the internet can come, or if you want you can specify the CIDR block of your company, so it will accept RDP traffic only from that IP block; but in this case I can specify just Any. Now here you specify the service; if you don't have predefined services over here, in that case you can specify Custom, but you should have Remote Desktop, I see that, RDP, which will automatically pick 3389, which is the default one. Now this is the action where you specify Allow or Deny; in our case we want to allow, hence we will leave it as Allow. So let's review once again: we put in the name, we put in the priority, we put in the source, what is going to be the source, and then I can select the RDP service, or I can also custom-select if it's not already there. OK, the protocol, the protocol is TCP, or you can specify TCP/UDP depending on what; if it is like a DNS server it's 53 UDP and 53 TCP for zone transfer, so depending on what rule you want to set, you can set that. Then action, Allow in this case, and I want to allow, so I say OK, so this will create the rule for me. Then we'll create another one, which will be for the incoming traffic, for HTTP or HTTPS. So I say Add, this is going to be HTTP-Allow, and again, the source: since it is HTTP traffic I want to leave it Any; you
really don't want to restrict it to a CIDR block unless it is an internal application which you really want to restrict, in that case you can do so. I will specify HTTP here; you already have predefined ones, right, so you look at DNS also, DNS TCP, this is for zone transfer, DNS UDP, that is for the DNS query, then you have HTTP and HTTPS. So depending on what, in this case let's take HTTP; it has already picked up my port range, which is 80; if I select HTTPS it will be 443. So I will just say HTTP, just for this purpose, and again I want to allow it, so I say Allow and I say OK. Now once it is done, I'll have to assign this NSG to one of my subnets. Now you can do it in both places: either you can go directly into the subnet properties and from there you can specify it, or you can also specify it from the NSG properties itself. So if you look here I have Subnets; now if I come here I can say Associate, so let's go ahead and associate it to the front-end. I have to choose the VNet, so I have created it in VNet1, and this will go to front-end, and I say OK. Now what I will do is I will apply the same NSG to another front-end which I have created in AzureTalk VNet2, so let's go ahead and do that; and this is what the point was, that one NSG can be applied to multiple subnets. So let's go ahead, this was in VNet2 and this is front-end, OK, and here you go. So you can see that the same NSG is applied to two different subnets; that's possible, but you can't have two NSGs applied to a single subnet, that's not possible, OK. You can also, if you really want, if I had a VM, I could have chosen a network interface card and I could have associated it with that, but I don't have any VM, so that's why I don't have any NIC card also; but if I had it I could associate that with the NIC card also. And you can see that's why I said, when somebody asked this question, can I assign the NSG at the VNet level, the
answer was no, because you can see this, you have only two options: you have only Subnet and you have only Network Interface Card, right? So let's close this out; let's go ahead and create another NSG, and this will be for the back-end NSG. Let's come over here, Networking, and where is that, here it is; so we will call it BackEndNSG, again select the subscription, also use the existing resource group, so this will go in AzureTalkRG1, location South Central US, Create. Now on the back-end, let's look at what we need to allow for the back-end. So for back-end we want to allow SQL traffic, and one rule which denies internet-bound traffic from the back-end subnet, so we will deny that. For SQL, it will allow the SQL traffic only from the front-end, so this time we'll use the CIDR block to allow that. So let's come here, back-end NSG; first we will have to allow the SQL traffic from our web front-end. Now what was the web front-end, it was 192.168.1.0, if I'm not wrong; let's confirm this once again. Yes, we have taken front-end as 1.0 and back-end as 2.0, correct. So let's do this, let's come back to the back-end NSG and allow an inbound security rule, and we say Add, and this is going to be SQL traffic from front-end, all right. Again you specify a priority, put in 100; source, so this is where I'll be able to specify the CIDR block, the CIDR block is going to be 192.168.1.0/24, right, this is where I want this traffic to come from, so I will accept traffic only from web; so web can talk to my SQL server. Specify the service; I should see SQL service here: MySQL, I see, MS SQL, yeah, and MS SQL, yep, so I select MS SQL, it automatically picked up 1433. If you had any custom port that you have configured your SQL to listen on, sometimes people do have 1367 also, so in
that case you just select Custom and specify the port range; and the action is Allow, right, you want the SQL traffic; now this is coming from where we want to accept that traffic, the CIDR, OK. Sorry to interrupt here; so how can we go and do that, you told that we can have our own port as we are doing with the DBA, so how can we go ahead and do that? Basically a DBA can select any port, they can configure it to; yeah, at the time of installation you can choose the port number that SQL should listen on, you can also select non-standard ports also, so if those non-standard ports are there, then when you configure your rule make sure that you select Custom, so maybe I can show you. So now we will need an outbound rule which will deny, all right, so now we'll have to deny internet connections, all right. So that was the next task that we needed to do: this rule denies all the internet-bound traffic from the back-end subnet. So now this time we have configured inbound; inbound was for the SQL traffic from the front-end; outbound is where we will define, we'll say that I don't want any internet connection from the back-end subnet. So I will go ahead and Add, and I say BackEnd-Internet-Deny, right; now this is what the rule name is; you set the priority, right, it's the outbound one. Now this destination is very important to make sure of, because we want to deny the traffic only to the internet. Now Microsoft provides you certain tags, there are tags that you can specify, so this is where you have to select the tag instead of Any or a CIDR block, because you don't know what all the IPs on the internet are, so you select Tag; Microsoft has clubbed all those IPs which are for the internet under the tag. So here you can see the tags that are used by Microsoft; by default internet is allowed, so what you will do is you will select Internet and say that hey, I don't want the internet to
be accessed. Service, you can leave it as Custom because there is no such service defined. Protocol, I want to block both TCP and UDP. Port ranges, you can specify if you are sure; it could be 80, 443 only when you're going on the internet, but if you're not sure you can specify an asterisk, which will deny all the port ranges, not only the 80, 443 but anything; even it will block RDP if somebody is trying to do an RDP from your server over the internet, trying to access anything else, or FTP, SFTP, anything which goes over the internet. And then action should be Deny, right, we want to deny the outbound internet connection. So we specify the name, priority, you specify Tag in this case because the destination is the internet, service will be Custom, you specify the protocol, I want to block both TCP and UDP, port ranges, I specified an asterisk; if you want to specify a port range you can do so, 80, 443, that kind you can also do, or if you have any port ranges in your mind you can do that, but I will just say asterisk, and then the action, it's Deny, I say OK. I have a question here. Yeah? For the billing purpose we will use the tagging too, right, so this tag shouldn't be confused with the billing tag? Yeah, this is a traffic tag which Microsoft has already created; you just want to make sure, yeah, so that tag is different. That tag you can create on any resource that you create, you can specify the tag, but this tag is different; you're talking about the tag which you see over here, you can see this, this is the tag, this is the billing tag which you are mentioning, but the tag that I was talking about is purely for classifying the traffic, OK. So this is done; now let's go ahead and assign this NSG to our subnet, and again I will associate it to my back-end subnet which is in AzureTalk VNet1, and this is my back-end, and so this has been assigned to my back-end; for the other back-end which is in VNet2, I
can, if you want to assign it for the other subnet also, I can do that, which we have done before. So let's do it, VNet2, back-end, OK. So now we have associated our NSG to the subnet. The same activity you could have done by going into the properties of the subnet; so if let's say I come into the subnet, say the front-end, you can see that I have Network Security Group, and from here also you can specify any network security group which you want to specify; so I have two, put in, you go, the second one, select. So anyway, you can do it. All right, so I think we are 15 minutes past our allotted time; any questions, especially on the demo session, anything? I have a couple of questions. Sure, good. OK, so we can see a gateway subnet here, right? Yes. Do we have any kind of, since it's the gateway subnet, how do we facilitate the high availability for that? So the gateway subnet is meant for your VPN, and I think we'll cover that in the next session, but just to give you a brief: the gateway subnet you create, I think we talked about it, when you have to host your VPN gateway, so you want to connect the VNet to on-prem, you will have to create a gateway subnet, and inside that gateway subnet, if you use the one provided by Microsoft, Microsoft gives you high availability by default; they provision two VPN gateways, which is active/passive, so in case something happens to the one, the second one will take over. By default Microsoft is giving you high availability for the VPN gateway device that you put in under the gateway subnet. Does it cover, are they using the availability set kind of a model, or is it something different? No, it's fully PaaS, something from Microsoft, so it is in their general offerings. Yeah, fully, good. We don't know, it's fully managed, so I don't know how they're doing it, but it looks like in the background they're spinning up two VMs for you, and one is standby, and I think these gateway servers are Routing
and Remote Access Services, if I'm not mistaken, running on Windows 2016, but I can't really comment on that because I don't have access to that information. Or if you want you can also deploy third-party gateways as well, like Cisco, and yeah, that was a good point, yeah, sure, thank you. Sorry, I missed your question. What is the significance of the resource group, why do we need to create the resource group? Well, the resource group is a container of all your resources, so it's a unit which you can delegate; so it helps you to organize all your Azure resources under one umbrella, and then you can delegate. So let's say you can have a dev resource group, you can have a QA resource group, you can have a prod resource group, you can have a UAT resource group; dev, you can delegate the rights to the dev users, QA you can delegate to the QA users so QA users can create resources inside that, and that is possible using access control; so you can come into the access control over here and you can add that user, so that user from the dev or QA perspective can create resources inside that resource group only, that's it, they cannot go beyond that. And it's a good way, everything is organized, that's one thing. The second benefit of the resource group is you can templatize it; so let's say I want an environment which I build and I want to repeat it again and again and again over a period of time, I can put it into one resource group, deploy it and export this as a JSON file; so you will come under Automation and it can deploy that as a JSON file. So that's another significance: so it helps you to automate, one; second, it helps you organize resources; third, it helps you to control permissions on the resources; and the fourth one, which we just touched on, it would be useful for your billing purpose as well, so you can just schedule it. Yeah, all right, I think we are twenty minutes past our allotted
time, so thank you once again guys for joining the AzureTalk session today, and I hope you found it useful, and we'll meet again next week and we'll continue our journey on Azure networking, and we'll discuss the VNet connectivity models, VPN and VNet peering, ExpressRoute and whatnot. All right, thank you for joining the session today. Definitely. Thank you, Rishi, bye. All right.
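The PowerShell workflow walked through in the session (log in, select the subscription, create the resource group, the VNet with two /26 subnets, and the two NSGs with their RDP/HTTP, SQL and deny-Internet rules) written out end to end, as an added example; this is not the speaker's own script from the video. The resource names (AzureTalkRG, VNet2, FrontEndNSG, BackEndNSG), the region and the 192.168.1.0/24 address plan follow the session; the subscription name is a placeholder; the cmdlets are from the AzureRM module the session uses, and the script assumes that module is installed. One deliberate difference: the SQL rule's source is the front-end subnet's own /26 rather than the whole /24 the speaker typed in the portal, so that only the front-end subnet, not the back-end itself, can reach 1433.

```powershell
# Added example (not the session's script): provisions the VNet, subnets and NSGs
# discussed above with the AzureRM module. Names and address ranges follow the
# session; the subscription name is a placeholder to replace with your own.

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName 'YOUR-SUBSCRIPTION-NAME'   # placeholder

$rg       = 'AzureTalkRG'
$location = 'South Central US'

New-AzureRmResourceGroup -Name $rg -Location $location -Force | Out-Null

# VNet with a /24, carved into /26 subnets: 64 addresses each, 59 usable, because
# Azure keeps the network address, the broadcast address and three reserved ones.
$vnet = New-AzureRmVirtualNetwork -Name 'VNet2' -ResourceGroupName $rg `
            -Location $location -AddressPrefix '192.168.1.0/24'

# Front-end NSG. Rules are evaluated lowest priority number first.
$rdpIn  = New-AzureRmNetworkSecurityRuleConfig -Name 'RDP-Allow' -Direction Inbound -Priority 100 `
            -Access Allow -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange 3389
$httpIn = New-AzureRmNetworkSecurityRuleConfig -Name 'HTTP-Allow' -Direction Inbound -Priority 110 `
            -Access Allow -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange 80
$frontNsg = New-AzureRmNetworkSecurityGroup -Name 'FrontEndNSG' -ResourceGroupName $rg `
              -Location $location -SecurityRules $rdpIn, $httpIn

# Back-end NSG: SQL (1433) only from the front-end subnet, and no outbound traffic
# to the 'Internet' service tag, which stands for all public address space.
$sqlIn  = New-AzureRmNetworkSecurityRuleConfig -Name 'SQL-From-FrontEnd' -Direction Inbound -Priority 100 `
            -Access Allow -Protocol Tcp -SourceAddressPrefix '192.168.1.0/26' -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange 1433
$noInet = New-AzureRmNetworkSecurityRuleConfig -Name 'BackEnd-Internet-Deny' -Direction Outbound -Priority 100 `
            -Access Deny -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
            -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'
$backNsg = New-AzureRmNetworkSecurityGroup -Name 'BackEndNSG' -ResourceGroupName $rg `
             -Location $location -SecurityRules $sqlIn, $noInet

# Subnets, each bound to its NSG at creation time (the session associates them
# afterwards in the portal; the end state is the same).
Add-AzureRmVirtualNetworkSubnetConfig -Name 'FrontEnd' -VirtualNetwork $vnet `
    -AddressPrefix '192.168.1.0/26'  -NetworkSecurityGroup $frontNsg | Out-Null
Add-AzureRmVirtualNetworkSubnetConfig -Name 'BackEnd'  -VirtualNetwork $vnet `
    -AddressPrefix '192.168.1.64/26' -NetworkSecurityGroup $backNsg  | Out-Null

# Nothing above the subnet config is written to Azure until the cached VNet
# object is pushed with Set-AzureRmVirtualNetwork.
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# Check: list each subnet's prefix and the NSG bound to it.
$vnet.Subnets | ForEach-Object {
    '{0,-10} {1,-18} {2}' -f $_.Name, ($_.AddressPrefix -join ','), (($_.NetworkSecurityGroup.Id -split '/')[-1])
}
```

The outbound deny on the back-end subnet is the part worth re-checking after deployment: list the NSG's rules and confirm the deny sits at a lower priority number than Azure's default AllowInternetOutBound rule (65001), otherwise the default allow wins and the subnet still has egress.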
Info
Channel: AzureTalk
Views: 59,130
Rating: 4.9093852 out of 5
Keywords: azure talk, Azure Network, VNET, Subnet, CIDR, NSG, Network Security Group
Id: yel-ssaoVXQ
Length: 78min 12sec (4692 seconds)
Published: Sun Jul 02 2017