2.6 Introduction to Virtual Networking

Time: 18 hours 58 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Transcription
Welcome back. In this episode, we're going to move on to our next Azure resource with virtual networking. My objectives for you include understanding virtual networking concepts, how to communicate over these virtual networks, and basic routing and filtering options we have. Let's get started.

First, what are virtual networks? Azure Virtual Networks, or VNets, are the building block of creating your network in Azure. They provide secure communication within the networks as well as to the Internet and on-premises networks. VNets connect multiple Azure resources together, like virtual machines or storage accounts. VNets work a lot like the networks found in your on-premises data center, but with additional benefits like scalability, high availability, and isolation. Creating virtual networks is free in Azure, but there are limitations such as 50 VNets across different regions. However, creating additional networking components like VNet peering, public IP addresses, or VPN gateways does have a price associated with them.

There are a few VNet concepts we need to cover before moving forward. The first is address spaces. When you define a VNet, you give it an address space that other networks or subnets will reside in. These address spaces will fall into the ranges defined in RFC 1918 and are probably ones you're already familiar with, like 192.168.0.0. From this address space, Azure will auto-assign IP addresses to resources created inside the network. Subnets are segmentations inside the virtual network. This allows breaking up the larger VNet address space into smaller address spaces to deploy specific workloads into. For example, you might have a subnet for web front ends and a second subnet for database servers. Looking at our 192.168.0.0 network with a 16-bit subnet mask, we could then create a subnet of 192.168.1.0 with a 24-bit subnet mask. When creating a VNet, you have to assign it to a region like East US or South Central US. VNets are scoped to one region or location, as are the subnets defined in them. Finally, VNets are also scoped to subscriptions; resources in one subscription cannot use a VNet defined in a separate subscription. Now you'll also notice on this slide on the right, this is what creating a virtual network inside of Azure looks like, and you can see some of the values that I've put in here, such as the name, the address space, subscription, the resource group, and the location, as well as defining the first subnet for the virtual network.

Let's talk about VNet communication inside of Azure. All resources in a VNet can communicate outbound to the internet by default. If you want to allow inbound communication to a resource like a virtual machine, you can create and assign a public IP address to the resource or place the resource behind a load balancer that is publicly accessible. If you have two VNets that need to communicate with each other, you can use peering connections. This will enable resources in the virtual networks to communicate with each other. The virtual networks can be in the same or different Azure regions. Finally, there's the concept of service endpoints. These allow limiting network access to Azure resources to a specified virtual network subnet. This provides a direct connection from the virtual network to the service and allows using the private address space to access the resource. Traffic going to the resource through these endpoints is routed on the Azure backbone network. An example of this would be configuring an endpoint for a storage account and allowing virtual machines in the subnet to access it directly.

Azure Virtual Networks are not just limited to resources in Azure; you can allow communication with on-premises resources through a couple of different options. The first is through a virtual private network, or VPN. There are two options we can work with here. The first is a point-to-site VPN; this is established between a single computer in your network and a virtual network inside of Azure. Each computer that needs access to the virtual network inside of Azure would need to establish its own connection. This is similar to how you might establish a VPN connection to access on-premises network resources when you're outside the office. The second VPN option is a site-to-site connection. This is made between an on-premises VPN device and an Azure VPN Gateway deployed in a virtual network. This will allow multiple on-premises resources to access an Azure virtual network through the same connection. This would be a preferred option in a hybrid scenario where an application or workload is being shared between on-premises and cloud resources. Both of these VPN solutions use encryption to secure the traffic over the Internet.

Finally, there's Azure ExpressRoute. This is a connection established between Azure and an ExpressRoute partner. This connection is private, as the traffic does not traverse the internet. Since these connections do not go over the public internet, they are often more reliable, faster with lower latencies, and more secure. Connections inside of Azure are made through a virtual network gateway as well, just like VPN solutions are. In fact, you can configure a site-to-site VPN connection as well as an Azure ExpressRoute for the same virtual network by deploying two different network gateways.

By default, traffic in Azure networks is automatically routed between subnets, on-premises networks, and the Internet. If needed, you can override these defaults by creating your own route tables. These route tables can be assigned to individual subnets in a virtual network to control where the traffic should go. You often see these referred to as user-defined routes, or UDRs. If you have your Azure networks connected to your on-premises networks using the methods we talked about earlier, you can publish your on-premises BGP routes to the virtual networks. This exchange of routes informs the Azure Virtual Network gateways about the reachability of the on-premises network address spaces so the resources can establish communication.

With all this network traffic flying around, sometimes we want to control who can talk to each other or provide some network isolation. This can be implemented in one of two ways. First, there are network security groups, or NSGs. You can set inbound and outbound security rules to filter traffic between resources. These rules are defined using IP addresses, ports, and protocols. For example, you can easily block Remote Desktop Protocol for a subnet to disallow remote connections. The next is a network virtual appliance. This is a virtual machine that performs network functions commonly found in an on-premises data center, like firewalls or [inaudible] optimizers. There are several available in the Azure Marketplace from third-party vendors, like Barracuda, FortiGate, Cisco, and Riverbed.

That does it for the basics of virtual networking. Let's follow it up with a little post-assessment question. How many options are there to connect Azure to on-premises networks? The answer is, we have three options: point-to-site VPNs, site-to-site VPNs, and ExpressRoute. Coming up next, we're actually going to dive back into the Azure portal to start creating virtual networks and see what all the options look like. See you in the next episode.
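The following is an added example, not part of the course transcript or any Azure tooling. It models two of the episode's concepts in plain Python (standard library only): a VNet address space with subnets carved out of it (the 192.168.0.0/16 space with a 192.168.1.0/24 subnet), and NSG rule evaluation for the "block RDP for a subnet" case. The rule semantics follow Azure's documented NSG behaviour (lower priority number is evaluated first, first match decides, built-in default rules sit at priorities 65000 and above); the service-tag handling is simplified, the AllowAzureLoadBalancerInBound default rule is omitted, and the rule names, addresses and flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower numbers are evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", or the service tags "VirtualNetwork" / "Internet"
    destination: str   # same forms as source
    dest_port: str     # "*", a single port, or a "low-high" range


def build_vnet(address_space, subnets):
    """Check that every subnet sits inside the VNet address space and that the
    subnets do not overlap; the portal rejects both cases when you create them."""
    space = ipaddress.ip_network(address_space)
    nets = [ipaddress.ip_network(s) for s in subnets]
    for n in nets:
        if not n.subnet_of(space):
            raise ValueError(f"subnet {n} is outside address space {space}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")
    return space, nets


def _addr_matches(selector, ip, vnet_space):
    """Resolve a rule's address selector. Service tags are simplified here:
    "Internet" is treated as any address outside the VNet (an assumption)."""
    ip = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return ip in vnet_space
    if selector == "Internet":
        return ip not in vnet_space
    return ip in ipaddress.ip_network(selector)


def _port_matches(selector, port):
    if selector == "*":
        return True
    if "-" in selector:
        low, high = (int(p) for p in selector.split("-"))
        return low <= port <= high
    return int(selector) == port


# Azure's built-in default rules (AllowAzureLoadBalancerInBound omitted for brevity).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def evaluate(custom_rules, vnet_space, src_ip, dst_ip, protocol, dst_port, direction="Inbound"):
    """Return (access, rule_name) from the first rule, in priority order, that matches the flow."""
    ordered = sorted((r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if not _port_matches(r.dest_port, dst_port):
            continue
        if not _addr_matches(r.source, src_ip, vnet_space):
            continue
        if not _addr_matches(r.destination, dst_ip, vnet_space):
            continue
        return r.access, r.name
    return "Deny", "no-match"   # not reachable in practice: the DenyAll defaults always match


# Constructed sample: the episode's 192.168.0.0/16 VNet with a web subnet and a
# database subnet, and an NSG on the web subnet that allows HTTPS in and blocks RDP.
VNET_SPACE, SUBNETS = build_vnet("192.168.0.0/16", ["192.168.1.0/24", "192.168.2.0/24"])
WEB_SUBNET_NSG = [
    Rule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "*", "192.168.1.0/24", "443"),
    Rule("DenyRdpInbound", 110, "Inbound", "Deny", "Tcp", "*", "192.168.1.0/24", "3389"),
]


def classify_sample_flows():
    """Evaluate a handful of constructed flows against the web subnet's NSG."""
    flows = {
        "internet_rdp_to_web":   ("198.51.100.7", "192.168.1.10", "Tcp", 3389, "Inbound"),
        "internet_https_to_web": ("198.51.100.7", "192.168.1.10", "Tcp", 443, "Inbound"),
        "internet_ssh_to_web":   ("198.51.100.7", "192.168.1.10", "Tcp", 22, "Inbound"),
        "db_subnet_to_web_sql":  ("192.168.2.5", "192.168.1.10", "Tcp", 1433, "Inbound"),
        "web_to_internet_https": ("192.168.1.10", "198.51.100.7", "Tcp", 443, "Outbound"),
    }
    return {name: evaluate(WEB_SUBNET_NSG, VNET_SPACE, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (access, rule) in classify_sample_flows().items():
        print(f"{name:24} {access:5} by {rule}")
```

Running it shows the behaviour the episode describes: RDP from the Internet is dropped by the custom deny rule, HTTPS is admitted by the custom allow rule, anything else from outside falls through to DenyAllInBound, traffic between the two subnets is admitted by AllowVnetInBound, and outbound traffic to the Internet is allowed by default. Note that the deny rule's source is "*", so it also blocks RDP that originates inside the VNet, which is what "disallow remote connections for the subnet" asks for; a narrower source would be needed to keep an internal jump host working.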