Let's Build an Azure Network - Part 1

Captions
What? No, no, Mom, your computer doesn't have COVID-19. I know it's a virus, but your computer can't get it. [Laughter] [Music]

Welcome to the show. I have Ryan Berry with me today. Ryan, what's up? Not much. What's going on today? Strange times. I see you're hunkering down in an underground bunker. I am, yeah, I went down to NORAD, and with a whoppers housed, and I'm sitting down there making sure it's, as you know, keep the lights on. Yeah, yeah. Cool. Well, I mean, I'm really impressed with the quality of our connection, because I'm up at Moonbase Alpha, and, yeah, the network connectivity seems to be great. Yeah, nice.

So I was kind of talking to you a little bit today about what it is that I wanted to accomplish, and so one of the things that I want to accomplish today is, and by the way, guys, we're gonna surprise Ryan with this as well a little bit. I told him generally what we were gonna do, but because we have time today, and because we're all sequestered in our bunkers and on the moon, I figured why not, what the heck, let's do it like this. So, are you ready? I'm ready, let's go. Here is the network that I want to create, and this part is kind of easy, right? We're just gonna go into Azure, we want to create a couple of subnets, and so the fun part is going to be defining network connectivity to the boxes that we create. We're gonna create a couple of VMs up here in these subnets, and so defining network connectivity to those boxes via VPN that connects to my network, and we want to do it step by step so that everybody could watch this video, understand step one, do this, step two, do this, step three, do this, step four, do this. Sound good? Sounds good. All right, I'm gonna make you full screen again, hang on, I'm gonna really make you full screen. Okay, there we go. All right, so kick it off, man, what do we need to do?

So, you know, Azure has a plethora of vehicles that you can use to connect services together within the cloud and also outside of the cloud, which is often, you know, a requirement when customers have stuff on-premises they want to plumb in. So one, you know, to start off with, you know, we can talk quickly, because it's easier to demonstrate and also to, you know, walk through the options that exist in Azure, is to have multiple networks in Azure. So why would you need to do that? So, you know, let's think about a scenario where a customer might have, you know, maybe Palo Alto devices that are scanning network traffic, and they want to put that in, like, a centralized place sitting in Azure and actually have all outbound traffic to the internet going through their appliance, or, you know, maybe they want to be able to use that sort of device as a way to, you know, control, you know, ACLs and, you know, network security to different networks, both on-premises and in the cloud. Another reason why you might want to have multiple networks in Azure is maybe you have stuff in two different regions, right, in the East US, West US. So, you know, one easy solution that is available in all clouds is just simply setting up a VPN tunnel between those networks. The challenge with that, and actually that's actually the only way that some of our competitors offer to be able to do this sort of thing, the challenge with that is that you're limited with throughput. So if you use the inbuilt features in Azure, you can get up to, like, a gig and a half of network throughput, or if you buy, you know, like a Barracuda appliance, you license it based on the amount of traffic that you want to push through that. So in both of those scenarios, you know, the choke point is going to be your virtual appliance, the box that you establish those IPsec tunnels with. So in Azure, we've taken that a step further. You know, we have this massive global network that we've defined and invested billions in building out, and customers can actually string a virtual patch cable between those networks, and you're not limited by, you know, throughput between those networks. So if you're across regions, maybe you have a network in Europe and Asia and one in the US, you can string all those together, and your limiting factor is the speed of light, and we don't really have any advertised limits of how much throughput or bandwidth we provide, but, you know, I've seen, you know, demonstrations where we can get tens of gigabits of throughput between those links. Wow. So now, is that between just links that exist in Azure? Yes, yes. We're covering the top part of your diagram there: we have multiple networks in different regions maybe, or even maybe in the same region, where you might have, like, an IT lockdown network with the Palo Alto example, and then one that other services are deployed onto, or maybe multiple networks. The service is kind of a hub-and-spoke design, which is a common thing that a lot of customers I work with need.

Okay, so let's go ahead and set up the top part of that network. How does that sound? Sure, yeah. Let's just go ahead, and let me flip over here. So I have my Skynet network, that's actually where I have everything set up, but what we can do is maybe start with an example, you know, because the peering is actually easy to set up. That's actually the technical feature in Azure, called VNet peering, where you can actually tunnel those two networks in Azure together. So I'm just going to go ahead and flip my subscription, and we'll call it Taste, and what I'm doing is creating a resource group, kind of the container to house all the stuff. Yeah. Subnets, the subnets can be in the same region, I don't really care. Okay, yeah, I just want to make sure that everybody understands how to get from their local environment to the cloud so that it's a seamless network. Okay. So, by the way, I don't know if you noticed, but I started dyeing my beard gray. Look much more distinguished. Yeah, it's a lot of work. Yeah, you know, I got to put all this together every day, and it's just a lot of work.

All right, so what I'm gonna do is just, I'm going to go ahead and create a virtual network. Yeah. All right, all right, can't believe it, with this, there it is. Okay, so it's gonna default, okay. So this is actually an important thing to just point out that some of the viewers might not know about: so when you create a resource group, you could have stuff inside that resource group that resides in other places. So even though the resource group has a home in East US, I can put a network in here in Asia, or, right. Yeah, that's a good point. Yeah, so we'll go ahead and make this, and like you said, connectivity is just as fast, correct? Yep. Yeah, so we'll go ahead and go into the IP address. So this is gonna be a 170, do you have any favorite numbers you want to make this? Yeah, yeah, yeah, let's make it 10 dot 10 dot 10, and then we can do a 15 if you want. 15, okay. Yeah, yeah, all right. Oh wait, that's for the network, right? Yeah. Do a 24 actually, since it doesn't matter. You can delete the third 10, and let's just make it a Class B. Yeah, I guess it's still a Class A, yeah, IP address range, but we'll make it a Class B for this network. Yeah, yep. And do you see we support IPv6? We'll go ahead and add a subnet to this guy just to actually have something. Okay, so subnet A is gonna be 10.10.10 dot whatever you want. You could do 15 if you wanted. Yeah, okay. Yeah, there we go. Yeah, so 10.10 dot, 10 dot 10, that's zero. What are we doing? No, no, no, just the third octet, make it a zero. It's not in the address space that we're in. Well, we just look silly. Yeah, we are. Okay, that's not gonna work. Yeah. Okay, sixteen, I guess. I'm obviously, my later manse is feeling me here. Let's see, let's go ahead and try this again here. I thought there was actually gonna be a default that we could actually run with. Yeah, you could probably just add a default and then we can create the subnet right at the second one. Yeah, yeah, so we actually, do you need to submit? Yeah, and this is live, folks. So we have 10.10.0.0/16, so 10.10.1.0/24. There we go. Yeah, there you go. Yeah, you could, yeah, yeah, I just wasn't thinking that. Yeah, that makes sense. Yeah, now, all right, so we're creating our network here. Yeah, yeah, bigger, not smaller.

All right, so while we're waiting for this to deploy, I have a question for you now. Sure. I have to admit that I have always assumed, and I found out that it's an incorrect assumption, I have always assumed that everybody on the planet toasts Pop-Tarts and puts butter on them. You know, I saw that, you know, I have never heard of such a thing. I see that there's a song about that, but I'm stunned, and I just thought that was normal. I grew up doing it, I thought it was normal. I mentioned it to somebody the other day like it was matter-of-fact, and they looked at me like I was just nuts, and I'm like, well, what do you mean? Toasted Pop-Tarts are delicious. That's gross. I'm like, how is it gross? I said, oh, I've never, you know, it just seems gross. And I'm, okay, so you, don't start with a cold Pop-Tart and put a cold butter pad on it and eat it, that's not what we're talking about. We're talking toast the Pop-Tart, then you put butter on the Pop-Tart, it's gonna absorb the butter. I mean, it sounds delicious, and it's the best thing on the planet, I love it. But the same person that said, oh, it's gross, I said, well, do you like Cinnabon? Oh, I love Cinnabon. I mean, give me a break, it's pastry, cinnamon, sugar, and butter. Amazing, just amazing. Absolutely.

All right, so we're gonna stick the second subnet in a different location. Yeah, I'll go ahead and put it in South Central US. Okay. Whoops, I didn't mean to create, I got to hit IP addresses. All right, actually this is actually an entirely different network range, so this section, we can, if we roll with this, so we've got a 10 dot and a 172 dot, and we can string them together. So there's, yeah, but I just want to make sure everybody understands what we're doing, because what we did before was a little different. Yeah, that we did. I think you did dot one dot zero, didn't you, my subnet? I'm trying to remember the, yeah, I'll work creating another network. Yes. Oh, another network, okay. Yeah, so I'll do that, and did we have three times or five, six, ten? Yeah, it was a slash 16, so I'll do a 10.9. Yep. Trying to remember a bit what octet we were working with. Okay, so we do that, and then we'll add a subnet. Why are we getting, at virtual network? Oh, you've got another virtual network. Yeah, but it's in a, but in Azure, because they're all software-defined, it's just warning me that I'm not going to be able to put those two together. Yeah, yeah, yeah. No, that's good to know in case anybody else sees it. Yeah, exactly. /24, okay. Let that do its thing, and if I go, so to be clear, to be clear, just so that you know, again, if anybody is confused, what we started with was a diagram that showed two subnets in the same network, and what we're actually creating is a little bit different than that. What we're creating here is two networks with a single subnet in each network. Correct. And the reason we're doing that, just so that everybody understands, the reason that we're doing that is because we wanted to show, and we decided on this design path after we started the podcast, we wanted to show that you could have networks in completely different regions and that the access between those networks in the Azure environment was exactly the same speed as having two subnets in the same network in the same region. Yeah, yeah, I mean, it might be a little faster in the same region, but you've got speed of light, and because we don't actually advertise it, I'm sure that if we had, you know, thousands or maybe, you know, hundreds of thousands of customers trying to access resources in another region, I'm sure at some point there's going to be some sort of throttles that are gonna kick in, but it's certainly much greater bandwidth that is available than, say, you know, an IPsec tunnel between them, and it's much less costly, because, you know, effectively, regardless of what direction you're gonna go, there's a cost, whether you have a virtual appliance from Cisco, Palo Alto, or Barracuda, and, you know, not to downplay any of our partners, because there are perfectly valid reasons why customers use those, but there's licensing cost and there's infrastructure that needs to run in Azure to support that. When you have everything in Azure and just want to pull them together, the, you know, network peering capability is so much easier to set up. Yeah, yeah, makes sense.

Yeah, so we have these two networks, and so if I go to the East, so we don't have anything deployed in these networks yet, and I can see that, you know, by going to connected devices here, and what we're gonna do is set up what's called VNet peering. Okay. So we're going to set up a connection from the East to South, and what I'm gonna do is, that's kind of nice, Taste, there it is right there. So this is East to South, and then South to East. Okay, all right. So we have some options here where we can enable what direction we actually want traffic to be permitted to flow, to go from East to South, and then conversely, this is actually setting up the other direction and allowing it to go from South to East. So, you know, depending on what sort of, what this is actually going to do is deposit all of our routing rules and set up our network security groups to be able to allow this connectivity to work. Okay, so you had to essentially set up two single-direction connections, correct? Yep, one is East to South and then one South to East. Right, so if you think about that, like if you're building a mesh network, and I actually have an example of that that we can look at, where I have a network in, last, I have one in East and I have one in North Central and South Central, and to be able to allow traffic to go, so I could just have, like, North Central go to East, and then have, you know, South Central go to, I'm sorry, East go to South Central, but if I wanted my network in North to be able to talk to both of them, I have to create peer links to both of those. So, you know, you could end up with a lot of peers if you have a very big mesh network.

Okay, so hang on just a second, I just want to draw this out for everybody. I'm gonna share MS Paint, and I'm certainly not an artist here, so this is not gonna be pretty, I'm just letting you guys know up front. Hang on just a second. All right, okay, can you see Paint, coolest tool ever? Yep. Yeah, can you see it? Okay, so that's one, mm-hmm, these aren't gonna be symmetrical, sorry about that, that's two. All right, so this is gonna be network A, right, and in here we have a subnet, okay, and then this is going to be network B, and then we have a subnet, hang on, okay, and this is in the East region, okay, and then this is in the South region, okay, and then we just essentially are creating two connections, correct? One that goes East to South, so I'm gonna say East to South, and I'll just do a little arrow there, okay, and then we're gonna draw another one here, and this one goes South to East, like that. Mm-hmm. Does that make sense? You got it. Okay, that's right. So I'm drawing this out for everybody here so that they understand what we're doing. Now, what was it called when we created these links? What was the official Azure name of that? So it's called VNet peering. Yeah, VNet peering, ah, there we go. All right, okay, so there we go, so that's what we're doing, folks. All right, so I'm gonna stop sharing my screen here, all right, or stop sharing the app, hang on, there we go. Okay, so, can you still see the app? Can you see me? I can see you, and I should be sharing. Okay, yeah, okay, so we're in good shape. Okay, continue on, I just wanted to make sure that, you know, we had it mapped out.

Yep, so there's some other options here that you can see that allow you to accept or allow forwarded traffic to go over that link. So if you had, you know, some sort of virtualized NAT appliance sitting in, and maybe the South network is receiving traffic from outside the South network that's destined for an endpoint in the East network, you know, that traffic is going to be known as originating, within our software-defined network, from a different network, so you can actually have the ability to control whether or not you want to allow that traffic to traverse. Yeah. The final option is this gateway transit checkbox, and it's going to yell at me because I don't actually have a VPN gateway or an ExpressRoute gateway. And what that means, like if you have a hub-and-spoke network where you have, you know, maybe the hub network that's got all your security stuff and then domain controllers, you know, your core network infrastructure, and it's connected back on-prem using a VPN connection or an ExpressRoute connection, whether or not it's going to allow traffic to go over, I think it's two-way, even, if I'm not mistaken, for a cross, and I can navigate, wait, yeah, so I'm pretty sure it's multi-directional, where it allows, so, you know, Azure's gonna know, you know, the routes that I set up about the network on-prem and how to get to it, through that VPN tunnel, and likewise my on-premises network, depending on how I advertise it, my on-prem network is going to know about all the resources in Azure. So this allows me to allow traffic that hits, let's say my South network has a VPN network in it, this allows traffic coming into my South network to go to my East network, just coming in over that VPN tunnel. That's what that checkbox does. Okay, all right, that makes sense. Yeah, so if I hit okay, it's adding the peered links here for both sides, and it takes just a moment to enable. Okay, there we go, so you can see, this is, I'm looking at the East, and it's showing East is connected to South, and if I go to my South network, which, I want to click on that, it takes me over to the South, and I go to peerings, it did the reverse on the other one, where it goes South going over to East. So now they're both connected, correct? Yep.

Now, if one of them was not connected, we could send traffic one way but not bidirectional, so we wouldn't be able to do things like establish TCP sessions, or would we? I don't know, in terms of ephemeral ports. Well, so a TCP session requires, right, bidirectional communication, so the question is, if I have link A set up, I could maybe send a SYN request to a target that's in the other environment, all right, but I wouldn't be able to get the ACK back, is that what we're saying? Yes, that would be, you know, technically what we're doing, and there's a nuance, so you have to opt in. It used to be that you had to actually go in and approve it, so we've changed what that user experience is. I have permission to be able to create this endpoint on both networks. Now, what would be more typical, like let's say that I'm a developer at, you know, an enterprise customer, or, you know, building a line-of-business application, and I want to plumb in my application sitting in a network in Azure to, you know, core services that IT manages. I don't have permission, or I probably wouldn't have permission, to enable that on the other network. So this is, but because I have permission on both sides, I'm able to do that. So I guess the only question that I have is, you know, why wouldn't we just make it automatic? And the only answer that I can think of is that maybe we want to control the direction that traffic routes through, but it seems like we could automatically make an asymmetric route here if we weren't careful, and there's nothing wrong with that from a TCP standpoint, except that if there's firewalls in network A and firewalls in one of the other networks, you know, they're not going to know anything about that TCP session setup, and so that could cause us to drop traffic, etc. Yeah, I think it's more just for the approval scenario, where, you know, I could create the peer to the hub network, but I might not have permission to actually create the corresponding peer in the other network, and I'm gonna need somebody who actually does have access to say, okay, I trust your network, and I'm not just gonna let you attach to me, you know, without me knowing. So I think it's more for that scenario, where if I didn't have the permission, then I'd have to actually have somebody else create this other link for me. Okay, but definitely the bottom line is we have to do it bidirectionally, we have to set up both for that traffic. Yeah, exactly. Okay, all right. And like I said, it used to be that you would do both of these steps separately, and you would actually have to go into each of them and say, I approve this, I approve this, so it was a handshake, and it looks like, you know, because I have permission in both, the user interface says, I need to do this to make it work and you have permission to do this, I'm gonna do both sides. Yeah, okay.

So for all intents and purposes, if we put stuff in one of those networks, we'd actually be able to, you know, make them talk. And I guess we could actually go in here and maybe deploy just a real simple VM. I can put a Linux box, yeah. Okay, so we'll just call it EastVM, and I'll put it in East US, and that seems fine, password, gonna allow connectivity to it externally, and I'm gonna go to networking, and because I picked East, it's going to default to the first network it found, nice, it's gonna land it in that subnet A, and it's gonna allow traffic to port 22. So everything looks good on this, so I'm just gonna go ahead and let it create this guy, and while it creates this VM, I can create one in the South. Okay, that sounds great, go ahead and do that. And I'll go and create another one here, and we'll call this SouthVM and keep everything else the same. Do your password. Fancy, capacity, mechanical keyboard here, you can hear me go clickety-clack on that. That's awesome. Okay, so this is gonna put it in the South, and everything's the same, so pretty basic, just creating two simple VMs.

That's just, you know, that's something that I just assumed as normal, kind of like, you know, I have to try, you know, man, I can't, I'm in quarantine and get up, I really can't believe it. So I'll tell you what started this, and for the folks that are watching this, you know, I didn't want to say anything because I don't want this to be dated, right, but right now we're in the coronavirus quarantine, and so here's what started the Pop-Tart thing. I went to our grocery store, and, you know, I was looking for TP, and there was no toilet paper, and so then I said, oh, that's okay, I'll just go grab some, yeah, I don't know, man, you know what, I need some food too. So I went over to the breakfast aisle, and I was looking, you know, for some cereal. My wife, you know, she can't have gluten, so I usually get, like, Rice Krispies or something rice-based, because it's usually gluten-free, and I noticed that all of the Pop-Tarts were sold out, and at first I'm thinking, well, why would people be buying out Pop-Tarts? But then it hit me: shelf life, right? Pop-Tarts last forever. Yeah. So I'm saying to all the preppers, I guess, are buying toilet paper and Pop-Tarts, and so that started the whole Pop-Tart conversation. Pretty funny. Yeah.

So what I just did, so one of the machines just came up, so I just kind of got stuff squared away so I could kind of walk through the steps here. So, yeah, I made these machines with public IP addresses, which is probably atypical from a, you know, corporate or, you know, line-of-business or enterprise type of application or networking environment, but I cheated for the sake of simplicity to allow me to easily get into that machine. Yeah, so that's going to go ahead and, if I do so, I'm hitting the public endpoint, and in Azure we don't actually assign that public IP address to the network interface, it's, you know, we're doing network address translation. So if I look at my network interface, you can see that this is the IP address that it has, and nowhere do we see the reference to the public IP address that this machine actually got, right? So this is the VM1, and this is the one that is in the East, and what I'm going to do, and I can see the private IP address which corresponds to what I saw in the other window, and the other machine I think came up. So if I go to that, I made that one also have a public IP address, but it also has a private IP address, and I'm going to, instead of going, so I'm in the East, the machine in the East, so I'm going to connect to the one in the South via its private IP address, because now I'm going to use that tunnel that we made. Okay. So if I do this, and there is the private IP, and lo and behold, we're talking. So if I do so, this is, you can see my hostname will change from EastVM to SouthVM, so, and here you can see that it's got the 10.9.1.4 address that corresponds to what we see in the portal. Oh yeah, perfect. Yeah, bidirectional communication, both ways we can talk, and at a very high rate of speed, no IPsec tunnels, very secure from a customer standpoint, because we're isolating all that traffic from customer to customer. It is not encrypted when it leaves our data center, so for some customers that might be a requirement, but we do, you know, and that's where the advent of things from our partners like Palo Alto devices and so forth come into play, where you can actually encrypt that traffic if it's necessary. Okay, so we've created, so I'm just going back to the drawing. Yep. So we've created two boxes, one in each subnet. Yep, you got it. Okay, and then they can talk to each other, we've just proven that over the peering, the VPN peering that we did. [Music] Correct, in Azure, right? So all right, absolutely. So way easier than, like I said, setting up VPN tunnels and dealing with keys and all that other sort of stuff.

Okay, all right, so let's share your screen again. Sure, go back, I can just hit the, there we go, there we go. Okay, so the next step, so now in your diagram you showed at the beginning, the leg of the T that you drew was connectivity from, you know, on-premises into Azure, right? So the way that you can facilitate that, and I have basically what we just built already in place, with what we call a virtual network gateway that's created, and I'll show you, if I go to this, go back. So hang on, hang on just a second, sorry to interrupt you, but here's what I'm thinking. Let's make this two parts, and we'll make this, what we've done right now, because we've set up all the Azure components for building the environment up, that's all up, right? Yeah. So I'm gonna break this up into part two, because I think part two we're gonna create the VPN gateway to our local network, correct? Sure, yeah. All right, so thanks for helping me out with part one. Stay on the phone and we'll start part two. All right, sounds like a plan. All right, hang on a second, you
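The peering the two of them click together in the portal, scripted as an added example (this is not code from the video or from the Taste of Premier channel). It reproduces the two points the episode makes by hand: each peering is one-directional, so both East-to-South and South-to-East must exist, and Azure refuses to peer networks whose address spaces overlap, which is the portal warning they hit. The resource group name "taste", the VNet names and CIDRs (10.10.0.0/16 East, 10.9.0.0/16 South) and the optional HUB name are constructed to match the episode; the `az network vnet peering create` flags are real Azure CLI flags.

```shell
#!/bin/sh
# Added example (not from the video): plan the VNet peerings for a set of
# virtual networks. Each peering resource is one-directional, so every pair
# needs A->B and B->A, and a full mesh of N networks needs N*(N-1) peerings.
# Azure rejects peerings between overlapping address spaces, so pairs are
# checked first. Names, CIDRs and the "taste" resource group are constructed
# to match the episode; HUB is an assumed hub VNet that owns a VPN gateway.

RG="${RG:-taste}"          # resource group holding the VNets
HUB="${HUB:-}"             # optional hub VNet with the VPN/ExpressRoute gateway

# cidr_to_range 10.10.0.0/16 -> "168427520 168493055" (first/last address as integers)
cidr_to_range() {
    ip="${1%/*}"; bits="${1#*/}"
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    n=$(( ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 ))
    size=$(( 1 << (32 - bits) ))
    start=$(( n / size * size ))
    echo "$start $(( start + size - 1 ))"
}

# cidrs_overlap A B -> exit status 0 when the two prefixes share any address
cidrs_overlap() {
    set -- $(cidr_to_range "$1") $(cidr_to_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# plan_peerings name=cidr [name=cidr ...]
# Prints one `az network vnet peering create` per ordered pair (stdout);
# skipped overlapping pairs go to stderr. Pipe the output to sh after
# `az login` to apply it.
plan_peerings() {
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            an="${a%%=*}"; ac="${a#*=}"; bn="${b%%=*}"; bc="${b#*=}"
            if cidrs_overlap "$ac" "$bc"; then
                echo "# skip $an->$bn: address spaces $ac and $bc overlap" >&2
                continue
            fi
            flags="--allow-vnet-access"
            # Hub-and-spoke: the hub offers its gateway, each spoke consumes it.
            # --use-remote-gateways fails unless the hub really has a gateway,
            # which is the error the video hits on the gateway-transit checkbox.
            if [ -n "$HUB" ] && [ "$an" = "$HUB" ]; then flags="$flags --allow-gateway-transit"; fi
            if [ -n "$HUB" ] && [ "$bn" = "$HUB" ]; then flags="$flags --use-remote-gateways"; fi
            echo "az network vnet peering create --name ${an}-to-${bn}" \
                 "--resource-group $RG --vnet-name $an --remote-vnet $bn $flags"
        done
    done
}

# Run directly with arguments to print a plan, e.g.:
#   sh plan_peerings.sh east=10.10.0.0/16 south=10.9.0.0/16
if [ "$#" -gt 0 ]; then
    plan_peerings "$@"
fi
```

Adding a third network shows the mesh cost the episode warns about: three VNets produce six peering commands, and a fourth would need twelve.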
Info
Channel: Taste of Premier
Views: 488
Rating: 5 out of 5
Keywords: Microsoft, Azure, Networking, Taste of Premier, Lex Thomas, Ryan Berry
Id: uBaq8wvg3R0
Length: 36min 48sec (2208 seconds)
Published: Tue Mar 24 2020