Book Image

Designing and Implementing Microsoft Azure Networking Solutions

By : David Okeyode
Book Image

Designing and Implementing Microsoft Azure Networking Solutions

By: David Okeyode

Overview of this book

Designing and Implementing Microsoft Azure Networking Solutions is a comprehensive guide that covers every aspect of the AZ-700 exam to help you fully prepare to take the certification exam. Packed with essential information, this book is a valuable resource for Azure cloud professionals, helping you build practical skills to design and implement name resolution, VNet routing, cross-VNet connectivity, and hybrid network connectivity using the VPN Gateway and the ExpressRoute Gateway. It provides step-by-step instructions to design and implement an Azure Virtual WAN architecture for enterprise use cases. Additionally, the book offers detailed guidance on network security design and implementation, application delivery services, private platform service connectivity, and monitoring networks in Azure. Throughout the book, you’ll find hands-on labs carefully integrated to align with the exam objectives of the Azure Network Engineer certification (AZ-700), complemented by practice questions at the end of each chapter, allowing you to test your knowledge. By the end of this book, you’ll have mastered the fundamentals of Azure networking and be ready to take the AZ-700 exam.

Related Content you might be interested in

Current Title:

Small book image
Designing and Implementing Microsoft Azure Networking Solutions
David Okeyode
Aug, 2023 | 524 pages
Small book image
Microsoft Azure Security Technologies Certification and Beyond
David Okeyode
Nov, 2021 | 526 pages
Small book image
Hands-On Networking with Azure
Mohamed Waly
Mar, 2018 | 276 pages
Small book image
Azure Networking Cookbook, Second Edition
Mustafa Toroman
Dec, 2020 | 298 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share your thoughts
Download a free PDF copy of this book
1
Part 1: Design and Implement Core Networking Infrastructure in Azure
Part 1: Design and Implement Core Networking Infrastructure in Azure
Free Chapter
2
Chapter 1: Azure Networking Fundamentals
Chapter 1: Azure Networking Fundamentals
Technical requirements
Understanding Azure VNet
Planning Vnet naming
Planning VNet location
Planning Vnet IP address spaces
Planning Vnet subnet segmentation
Hands-on exercise – creating a single-stack VNet in Azure
Hands-on exercise – creating a dual-stack VNet in Azure
Understanding private IP address assignment for subnet workloads
Hands-on exercise – determining the VM location and sizes for future exercises
Hands-on exercise – exploring private IP assignments
Hands-on exercise – cleaning up resources
Summary
Further reading
3
Chapter 2: Designing and Implementing Name Resolution
Chapter 2: Designing and Implementing Name Resolution
Technical requirements
A hands-on exercise – provisioning resources for the chapter’s exercises
Name resolution scenarios and options
Internal name resolution scenarios and options
External name resolution scenarios and options
A hands-on exercise – clean up resources
Summary
Further reading
4
Chapter 3: Design, Implement, and Manage VNet Routing
Chapter 3: Design, Implement, and Manage VNet Routing
Technical requirements
Understanding the default routing for Azure VNet workloads
Modifying the default routing behavior
Hands-on exercise – cleaning up resources
Summary
Further reading
5
Chapter 4: Design and Implement Cross-VNet Connectivity
Chapter 4: Design and Implement Cross-VNet Connectivity
Technical requirements
Understanding cross-VNet connectivity options
Connecting VNets using VNet peering
Connecting VNets using a VPN gateway connection
Connecting VNets using a vWAN
Hands-on exercise – provisioning resources for the chapter
Hands-on exercise – implementing cross-region VNet connectivity using the vWAN
Comparing the three cross-VNet connectivity options
Hands-on exercise – clean up resources
Summary
Further reading
6
Part 2: Design, Implement, and Manage Hybrid Networking
Part 2: Design, Implement, and Manage Hybrid Networking
7
Chapter 5: Design and Implement Hybrid Network Connectivity with VPN Gateway
Chapter 5: Design and Implement Hybrid Network Connectivity with VPN Gateway
Technical requirements
Understanding Azure hybrid network connection options
Hands-on exercise – provision resources for chapter exercises
Hands-on exercise: implement a BGP-enabled VPN connection in Azure
Understanding point-to-site connections
Hands-on exercise – implement a P2S VPN connection with Azure certificate authentication
Troubleshoot Azure VPN Gateway using diagnostic logs
Hands-on exercise – clean up resources
Summary
8
Chapter 6: Designing and Implementing Hybrid Network Connectivity with the ExpressRoute Gateway
Chapter 6: Designing and Implementing Hybrid Network Connectivity with the ExpressRoute Gateway
Technical requirements
Understanding what ExpressRoute is and its main use cases
Understanding ExpressRoute components
Deciding on an ExpressRoute connectivity model
Selecting the right ExpressRoute circuit SKU
Selecting the right ExpressRoute gateway SKU
Improving data path performance with ExpressRoute FastPath
Designing and implementing cross-network connectivity over ExpressRoute
Understanding the implementation of encryption over ExpressRoute
Understanding the implementation of BFD
Hands-on exercise – implementing an ExpressRoute gateway
Summary
9
Chapter 7: Design and Implement Hybrid Network Connectivity with Virtual WAN
Chapter 7: Design and Implement Hybrid Network Connectivity with Virtual WAN
Technical requirements
Designing a scalable network topology in Azure
Understanding the design considerations of a vWAN hub
Understanding the routing and SD-WAN configuration in a virtual hub
Hands-on exercise 1 – provision resources for chapter exercises
Configuring Site-to-Site connectivity using VWAN
Hands-on exercise 2 – implement site-to-site VPN connectivity using VWAN
Implementing a global transit network architecture using VWAN
Understanding the security considerations of a virtual hub
Summary
Further reading
10
Chapter 8: Designing and Implementing Network Security
Chapter 8: Designing and Implementing Network Security
Technical requirements
Securing the Azure virtual network perimeter
Implementing DDoS protection
Hands-on exercise 1 – provisioning resources for Chapter 8’s exercises
Hands-on exercise 2 – implementing DDoS Protection, monitoring, and validation
Implementing Azure Firewall
Hands-on exercise 3 – deploying Azure Firewall into a VNet and a Virtual WAN Hub
Implementing a WAF in Azure
Implementing central management with Firewall Manager
Summary
Further reading
11
Part 3: Design and Implement Traffic Management and Network Monitoring
Part 3: Design and Implement Traffic Management and Network Monitoring
12
Chapter 9: Designing and Implementing Application Delivery Services
Chapter 9: Designing and Implementing Application Delivery Services
Technical requirements
Understanding Azure’s load-balancing and application delivery services
Designing and implementing an Azure Load Balancer service
Designing and implementing an Azure Application Gateway service
Designing and implementing an Azure Front Door load balancer service
Designing and implementing an Azure Traffic Manager service
Choosing an optimal load-balancing and application delivery solution
Summary
13
Chapter 10: Designing and Implementing Platform Service Connectivity
Chapter 10: Designing and Implementing Platform Service Connectivity
Technical requirements
Implementing platform service network security
Summary
Further reading
14
Chapter 11: Monitoring Networks in Azure
Chapter 11: Monitoring Networks in Azure
Technical requirements
Introducing Azure Network Watcher for monitoring, network diagnostics, and logs
Understanding the network monitoring tools of Network Watcher
Understanding the Network diagnostic tools of Network Watcher
Hands-on exercise 1 – provisioning the resources for the chapter's exercises
Hands-on exercise 2 – implementing the network monitoring tools of Network Watcher
Understanding NSG flow logs
Hands-on exercise 3 – enabling NSG flow logs
Summary
Further reading
15
Index
Index
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share your thoughts
Download a free PDF copy of this book

Planning Vnet subnet segmentation

To provide isolation within a Vnet, we can divide it into one or more subnets. Subnets are primarily used for workload segmentation (logical perimeters within a Vnet). Figure 1.8 shows an example of this. In the diagram, we have a Vnet with two subnets. Web services are deployed into their own subnet (Web tier Subnet) and data services are deployed into their own subnet (Data tier Subnet).

With this approach, we can use an Azure route table to control how traffic is routed between the subnets. We can also use a network security group (NSG) or a network virtual appliance (NVA) to define allowed inbound/outbound traffic flow from/to the subnets (segments). The result of this is that if a part of our application stack is compromised, we are better placed to contain the impact of the security breach and mitigate the risk of lateral movement through the rest of our network. This is an important Zero Trust principle implementation. We will cover route tables, NSGs, and NVAs later in this book.

Figure 1.8 – Segmentation using subnets

Figure 1.8 – Segmentation using subnets

How many subnets can Azure VNet have? It can have up to 3,000 subnets! Each subnet must have a unique IP address range that is within the defined IP address spaces of the Vnet (overlap is not allowed). For example, a Vnet with an IPv4 address space of 10.1.0.0/16 cannot have a subnet with an IP address range of 10.1.1.0/24 and another subnet with an address range of 10.1.1.0/25 as these ranges overlap with each other. Attempting to do so will result in the error message shown in Figure 1.9:

Figure 1.9 – Subnets with overlapping addresses not allowed

Figure 1.9 – Subnets with overlapping addresses not allowed

After defining the IP address range for a subnet, Azure reserves five IP addresses within each subnet that can’t be used! The first four IP addresses and the last IP address in an Azure subnet cannot be allocated to resources for the following reasons:

  • x.x.x.<first address>: This is reserved for protocol conformance as the network address
  • x.x.x. <second address>: This is reserved by Azure for the default gateway of the subnet
  • x.x.x. <third address> and x.x.x. <fourth address>: This is reserved by Azure to map the Azure DNS IPs to the Vnet space
  • x.x.x. <last address>: This is reserved for protocol conformance as the broadcast address (even though Azure Vnets don’t use broadcasts as we mentioned earlier)

For example, if the IP address range of your subnet is 10.1.0.0/24, the following addresses will be reserved:

  • 10.1.0.0: Network address
  • 10.1.0.1: Default gateway address
  • 10.1.0.2 and 10.1.0.3: Used to map Azure DNS IPs to the Vnet space
  • 10.1.0.255: Broadcast address

This leaves a total of 250 addresses that can be allocated to subnet resources: 10.1.0.410.1.0.254. Because of the required address reservation, the smallest supported IPv4 address prefix is /29, which gives five reserved addresses and three usable addresses. Specifying anything less leaves zero usable IPv4 addresses, which results in the error message shown in Figure 1.10:

Figure 1.10 – The smallest supported IPv4 address prefix for a subnet is /29

Figure 1.10 – The smallest supported IPv4 address prefix for a subnet is /29

Note

The smallest supported size for an Azure IPv4 subnet is /29. The largest is /2.

If you are implementing a dual-stack design, the standard size of the assigned IPv6 address space should be /64. This is in line with the standard defined by the IETF. A /64 space is the smallest subnet that can be used locally if auto-configuration is desired. Any attempt to add an IPv6 address space that is not a /64 will result in the error message shown in Figure 1.11:

Figure 1.11 – Only a /64 address space assignment allowed for a subnet

Figure 1.11 – Only a /64 address space assignment allowed for a subnet

When planning your subnets, make sure that you design for scalability. Workloads in your subnets should not cover the entire address space, giving you no room to add more workloads if needed. Plan and reserve some address space for the future. Also, take into consideration that some network resources such as the VMSS may need to dynamically add more workloads based on incoming requests. Modifying the IP address range of an Azure subnet that has workloads deployed is no straightforward task. It involves you removing all existing resources! Attempting this will result in the error message shown in Figure 1.12:

Figure 1.12 – The error message when trying to resize a subnet with resources

Figure 1.12 – The error message when trying to resize a subnet with resources

Working with platform services in subnets

For most organizations, the main services that they will deploy into Azure VNet subnets are infrastructure-as-a-service (IaaS) services such as VMs and VMSSs but there are currently about 23 more services that can be deployed into a Vnet subnet, including platform services such as Azure SQL Managed Instance, App Service, Cache for Redis, and Azure Kubernetes Service. Deploying a supported platform service into a Vnet subnet is referred to as Vnet integration or Vnet injection.

A full list of services that are supported for VNet integration can be found at https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network.

There are about 25 services that can be deployed into a Vnet subnet, as shown in Figure 1.13:

Figure 1.13 – Various types of services supported for Vnet integration

Figure 1.13 – Various types of services supported for Vnet integration

Most PaaS services that support Vnet integration impose restrictions on the subnets that they can be deployed into, and this should be considered when planning your subnets. Here are some of the restrictions to consider:

  • About 14 services require a dedicated subnet — this means that they cannot be combined with other services in the same subnet. For example, a VPN gateway cannot be deployed together with another service in the same subnet – the subnet must be dedicated only to that service!
  • Still, on dedicated subnets, some services allow multiple instances of the same service in the same dedicated subnet while some require a dedicated subnet per service instance! For example, the Azure SQL Managed Instance’s service allows multiple instances of the same service to be deployed into the dedicated subnet (Figure 1.14), while the Azure Spring Cloud service requires dedicated subnets per service instance (Figure 1.14):
Figure 1.14 – Two SQL-managed instances in the same dedicated subnet. Spring cloud requires dedicated subnets per instance

Figure 1.14 – Two SQL-managed instances in the same dedicated subnet. Spring cloud requires dedicated subnets per instance

  • Some platform services require their subnets to be called a specific name. For example, the subnet that the Azure Firewall service is deployed into must be called AzureFirewallSubnet, the subnet that the VPN Gateway service is deployed into must be called GatewaySubnet, and the subnet that the Azure Bastion service is deployed into must be called AzureBastionSubnet. This is required for some automation components relating to the services to work.
  • Some platform services require a minimum Classless Inter-Domain Routing (CIDR) block for their subnets. For example, the subnet that the Azure Bastion service is deployed into must have a minimum /26 prefix.
  • Some platform services require permissions to establish basic network configuration rules for the subnet that they will be deployed into. The process of assigning this permission is called subnet delegation. For example, when a SQL-managed instance is deployed into a subnet, it automatically creates an NSG and a route table and applies them to that subnet.

The key takeaway here is this – before deploying platform services into subnets, ensure that you follow the guidance in the service documentation regarding the aforementioned considerations to avoid inconsistencies in service functionalities. Always refer to the documentation for up-to-date information: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network.

Now that you have some understanding of how to plan key aspects of Azure VNet, let us go ahead and get some implementation going!

Previous Section
End of Section 7
Next Section