7 hours 58 minutes
Welcome back. In this episode, we're gonna move on to talking about how to manage our virtual networks. My learning objectives include looking at user to find routing, looking at network security groups, or NSG and finally looking at application security groups or a SG.
So what are user to find routes? These air routes that are created by you in order to override as yours default drought tables or to simply add to the existing route table.
Azure route tables are their own type of resource that you can create and then assigned to individual. Seven. It's inside the virtual networks. This allows reusing what you've already created, so you don't have to duplicate effort.
And if you don't define a route for a particular set of networks, that means the packet will be dropped.
Here. On the right are the options. When creating your own route, we have to give the route and name, specify the destination I p address prefix to determine which traffic we're targeting. We select the next top type and was selecting the virtual appliance option. We have to specify the I P address of what the virtual appliance is.
Let's take a bit more look at our next top type options.
When creating your own routes, you have to select the next top where you want to direct traffic to the first is a virtual appliance, which is a V M that is running some kind of network application. Like a firewall, these appliances are available through the azure marketplace from well known third party vendors.
When selecting the appliance as the next top, you have to select the private I P address associated with the appliance.
The next is virtual network gateway.
These are the virtual network gateways we spoke about earlier when discussing how to connect Azure two different networks, the virtual network gateway must be defined as a VPN type, not express route. The third option is none. This is used when you want to drop traffic destined to a specific address prefix.
The fourth option is virtual network. This is to override the default rounding that occurs automatically between virtual networks. Sub nets. Finally, we have the Internet. This is used to route traffic destined to an address prefix to the Internet instead or to route traffic. Going to an azure service with a public I P address
over the azure backbone network.
Next, what our network security groups, network security groups are used. A filter traffic between resource is like virtual machines. They can allow or deny inbound and outbound traffic.
The rules inside of a network security group are evaluated using a five to pull information such as the source, Sore sport, destination, destination port and protocol network. Security groups can be assigned at the sub net level and at the individual Virtual Machine Network interface.
This means you have to look at your network security groups When evaluating rules.
You have to look at both the Senate and the network interface to determine the final result.
This next page shows the default network security groups that are created. When you create a network security group, you can see some of the elements we just spoke about such a support. The protocol, the Source and destination network and the action that you're going to take. For instance, a source network is our built in virtual networks or an azure load balancer.
And some of our destination networks include the Internet.
Now, these rules have a very high priority, which means they're some of the last ones that are evaluated when creating a network security group rules. You want to have a lower priority, but make sure you space them out a little bit when defining them, so you can have room to add in other ones later.
Finally, what are applications? Security groups? These are security groups built around an application structure such as Web friends, our database servers.
These are gonna be very similar to network security groups as they allow segmentation inside the virtual network traffic.
You can group virtual network machine network interfaces together that perform similar functions within the application infrastructure. And unlike network security groups, thes network interfaces can belong to multiple applications. Security groups.
Enough with their slides. For right now, let's jump back over to our azure portal and take a look at some of these concepts
here in our azure portal. Let's go ahead and create a round table.
First, let's click on Create a Resource.
Let's search the marketplace for a round table.
Let's give our roundtable on name
Willie our subscription at Microsoft Azure Standard and let's select a resource group. I'm gonna continue using my network demo one,
and finally we'll just leave our location east us, which we've been using all along in our demos here.
Now that our resource is deployed, let's go ahead and go look at our new route table Not mentioned. There are a couple of different ways of accessing. Resource is inside the azure portal, and I want to show you a new one Here,
for instance, Over on the left, we have a list of our favorite resource is, and I'm gonna show you how we can add a new one here. Lets go and click on all service is
I'm gonna search for round tables.
We're going to see round tables pop up over here in our search results. And if you notice there is a black star next to it, we just click on it. We're gonna favored it.
If we scroll down here on the left,
it now shows up under a list of favorites. So let's go look at our route tables
inside of our round table. Let's go ahead and click on routes
and we currently don't have any to find. So let's click on add.
Now we have a seven. It earlier that we created
called seven It's zero and what I want to do is traffic going to it go through a particular network gateway. So let's name this sub net zero route table.
Let's enter in the address prefix for that sub net.
And I'm just gonna leave the next top type as virtual network gateway. But I do want to show you, if you were to select virtual appliance,
you'll have to put in the next top address of the private I P address of the virtual appliance.
We'll leave this at Virtual Network eight Way and click on. Okay,
now that our route tables available, we have two different options to associate it to sub nets.
First, inside the round table, we can click on settings and sub nets,
choose our virtual network
and then select the seven it inside that virtual network. Since this is targeting traffic to sub net zero, let's select one of our other submits to associate this with,
and now this round table is associated with that sudden it. Let's go check this out under our virtual network settings.
Once you make our way into Sub Net one, we can now see that our round table is associated with it here
next Let's take a look at creating a network security group again. Let's go and click on Create a Resource
Search for Network Security Group.
We'll give this name. Let's say we're creating a network security group to allow poor 80 and 443 toe our production Web servers.
Let's continue to assign to our network Demo Resource Group
and leave it at East us.
Now that resource is created. Let's do the same thing we did for round tables and add it to our favorites. Goto all service is
Let's go into our new network security girl.
And here on the overview page, you'll see the same set of inbound and outbound security rules that we saw on our slides. These are the defaults that come with one. When you create a new security group,
let's go unexamined, are inbound security rules and set him up for our Web servers.
Let's go ahead and click on add
and here we have some of those elements we need to define for our rules, such of the source source, port ranges, destination and destination port range.
For now, we're gonna leave the source and sort port ranges at any and all of them
and destination. We're going to select any as well
and our destination Port range. We're gonna just changed 80.
We'll leave the protocol, it any as well, and we won't allow this traffic. And then we also set our priority.
You'll notice here on the tool tip is something I mentioned in the slides is that we want to leave gaps in between the priority of our rule, just in case. We need to put something in between some rules later on.
For now, I'm just gonna leave this one at 100
will rename our rules. It just poured 80 and click on add.
Now that we have one for poor 80 let's go ahead and add one for 443 as well
and we're gonna do this one a little differently. Let's click on Basic.
This reduces the number of options that we have. We can go under service
and find https,
which is gonna automatically put it on Port 443
It's gonna get a little gap in our priority toe. 1 10 Let's rename our rule
and click on add.
So now are inbound. Security rules for this network security group are gonna allow poor 80 and 443 in.
We're gonna allow traffic from other virtual networks or from a load balancer. But then we're gonna deny all other inbound traffic to our virtual network
and very similar to our user to find routes from here. We can go ahead and associate it to a sudden it by going to settings. Sub nets,
choose our virtual network,
choose our sub net
and then click on. Okay,
now that we can see that this network security group is associated to seven at one. And let's go verify this by looking at our virtual network settings,
and here we now have under the drop down of Network Security group are prod Web Dash NSG security Group
that does it for this demo. Let's go back to our slides and wrap this up.
Coming up next, we're going to take a look, Maura, at virtual network periods, which we've already discussed a little bit in previous episodes.
See you in the next episode.