3.15 Integrating with On-Premises Networks


Time: 18 hours 43 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Transcription
>> Welcome back. This episode starts our next section on advanced networking by discussing how we integrate with on-premises networks. The objectives include understanding what virtual network gateways are, understanding the different topologies we have available to us, and then reviewing some of the SKUs we have available to us.

We've talked previously about some basic network topologies for connecting our on-premises networks to Azure, but let's go into some details now. First, how are these connections made? For this we have a virtual network gateway. These gateways are one or more specialized virtual machines that are deployed to a subnet dedicated for hosting these gateways. These virtual network gateway virtual machines are configured with route tables and gateway services for the type of gateway that was being provisioned. These virtual machines do not need to be configured directly by you, and only virtual network gateways should be deployed to this dedicated subnet, called the gateway subnet. When creating a virtual network gateway, we have two options: a VPN gateway and an ExpressRoute gateway. We'll discuss more on these topologies to use later on in this episode.

Speaking of our topologies, this slide is from an earlier episode where we discussed an introduction to virtual networking, where a couple of topologies are available to us. First, over the VPN, or Virtual Private Network, we have a Point-to-Site and Site-to-Site topology, and then we have a topology using ExpressRoute. Let's discuss these in a little bit more detail.

First we have Point-to-Site. A Point-to-Site VPN connection creates an encrypted connection between the Azure Virtual Network and a single remote system. The VPN connection is initiated from the remote system to the VPN gateway in Azure. This is similar to VPN technology that you might already be using to connect to your on-premises network when you're not in the office. This solution does not require any on-premises infrastructure. You can use the same VPN gateway as your Site-to-Site connections, which we'll cover in this next slide.

A Site-to-Site VPN connection is used in a cross-premises topology. This is where you are connecting your on-premises data center and networks directly to the virtual networks in Azure. This will connect multiple systems in the site to your Azure resources. This requires that you have an on-premises VPN device with a routable public IP address. This VPN connection is made using IPsec or IKE version 1 or 2. You can also connect multiple sites by creating another connection to the VPN gateway in Azure. This allows connecting multiple on-premises sites to the same gateway. For example, on the left of our diagram we could have another datacenter or remote site connecting to the same VPN gateway in Azure, as long as the site has its own on-premises VPN device capable of making the connection. In addition to on-premises data centers, you can also make a Site-to-Site VPN connection between Azure Virtual Networks, much like you can with a peering connection.

Our last topology is ExpressRoute. This allows connecting your on-premises datacenter through a connectivity provider directly to the Microsoft Cloud and its services, including Azure, Office 365, and Dynamics CRM Online. ExpressRoute connections do not go over the Internet, so they're considered more secure and reliable, with faster speeds and lower latencies.

Here in this table we have some of the VPN Gateway SKUs that are available to us. I don't feel it's necessary to memorize everything in this table, but I want to point out a couple of things just to think about. First, the Basic SKU has very limited tunnels available to it, and it does not support IKE version 2 or OpenVPN connections. It also does not support the Border Gateway Protocol, or BGP, and it is not zone redundant. After that, our next three SKUs are VpnGw1 through VpnGw3. The main thing that matters here is those are not zone redundant, whereas we have a new SKU down here with AZ at the end of it that is zone redundant, meaning if a zone goes down in the Azure region and other zones are available, the gateway will stay up and still be available and be able to process connections. Just understand the limitations of the Basic SKU, and that we also have SKUs available to us that are zone redundant.

Very similar are our ExpressRoute SKUs. We do have a Basic one, but it's pretty much deprecated at this point. Much like our VPN SKUs, we have Standard, High Performance, and Ultra Performance. To the right we have ErGw1AZ, ErGw2AZ, and ErGw3AZ, meaning this is the zone redundant version of the SKU available to us.

When we're configuring a VPN Gateway, we do have a couple of options, and we'll see this in the next episode with our demo of creating a virtual network gateway. The first is route-based versus policy-based for the VPN type. The difference here is route-based is going to use routing and forwarding tables to direct traffic through multiple IPsec tunnels, whereas policy-based is going to route traffic through the VPN based on network prefixes like 10.2.0.0/16. Next is enabling active-active mode. Azure VPN gateway deployments consist of two instances of the VMs, and are deployed in an active-standby configuration. In the event of a maintenance activity or unplanned issues on the active instance, the standby instance will take over. Enabling active-active means both instances of virtual machines will be used simultaneously. Last, there is an option to configure the BGP ASN, or autonomous system number, for the gateway. This value is for identifying a set of Internet routable IP prefixes that belong to a network or collections of networks. By default, Azure is assigned a default ASN of 65515. We probably won't be configuring this typically, but just know that the option is there and available for you.

That does it for the basics of our virtual network gateways. Like I said, coming up in the next episode, we'll go through a demo of creating one. I want to end this episode with a quick quiz question: what are the two gateway type options when creating a virtual network gateway? These two options go along with our topologies that are available to us: a VPN virtual network gateway and an ExpressRoute gateway. Coming up next, we'll have a demo where we configure a virtual network gateway. See you in the next episode.
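The gateway subnet, VPN type, SKU, active-active and BGP ASN options covered in this episode, applied with the Azure CLI (an added example, not the course's own demo): a pre-flight check encodes the SKU rules the episode states, and the deployment creates a zone-redundant, active-active, route-based gateway. The resource group, VNet, region, address prefix and resource names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the course): Azure CLI plan check plus deployment of a
# VPN gateway. Resource names, region and address prefix are assumptions.
set -eu

RG="rg-hub"          # assumed resource group
VNET="vnet-hub"      # assumed virtual network
LOCATION="eastus"    # assumed region

# Pre-flight check of the plan. Prints "ok" and returns 0 when the combination is
# valid; otherwise prints the reason and returns 1.
# Args: subnet-name vpn-type sku active-active(yes|no) bgp(yes|no) asn
check_gateway_plan() {
  local subnet="$1" vpn_type="$2" sku="$3" active_active="$4" bgp="$5" asn="$6"
  # Gateway VMs may only live in the dedicated subnet named GatewaySubnet.
  [ "$subnet" = "GatewaySubnet" ] || { echo "gateway subnet must be named GatewaySubnet"; return 1; }
  if [ "$sku" = "Basic" ]; then
    # Basic: no IKEv2/OpenVPN, no BGP, no active-active, not zone redundant.
    [ "$bgp" = "no" ] || { echo "Basic SKU does not support BGP"; return 1; }
    [ "$active_active" = "no" ] || { echo "Basic SKU does not support active-active"; return 1; }
  elif [ "$vpn_type" = "PolicyBased" ]; then
    echo "policy-based VPN type is only available on the Basic SKU"; return 1
  fi
  # A BGP ASN must be numeric; Azure's own default is 65515.
  if [ "$bgp" = "yes" ]; then
    case "$asn" in ''|*[!0-9]*) echo "BGP enabled but ASN '$asn' is not a number"; return 1;; esac
  fi
  echo "ok"
}

# Zone-redundant (AZ SKU), active-active, route-based gateway. Passing two
# Standard public IPs is what makes the gateway active-active (one per instance).
deploy_vpn_gateway() {
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefixes 10.1.255.0/27          # assumed /27 inside the VNet
  for n in 1 2; do
    az network public-ip create -g "$RG" -n "pip-vpngw-$n" -l "$LOCATION" \
      --sku Standard --allocation-method Static
  done
  az network vnet-gateway create -g "$RG" -n vpngw-hub -l "$LOCATION" --vnet "$VNET" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1AZ \
    --public-ip-addresses pip-vpngw-1 pip-vpngw-2 --asn 65515 --no-wait
}

# Only deploy when explicitly asked: ./vpngw.sh deploy
if [ "${1:-}" = "deploy" ]; then
  check_gateway_plan GatewaySubnet RouteBased VpnGw1AZ yes yes 65515
  deploy_vpn_gateway
fi
```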