Hello everyone and welcome to the Cloud Lunch & Learn sessions. My name is Hugo Barona, and today we have Vaibhav with us, talking about Azure networking. So, I hand over to you, Vaibhav.

Thanks, Hugo. Hey everyone, before we start I just wanted to get a pulse on whether you can hear me well. If you are not able to hear me, or if you see any issues, please let me know and we will be able to help you out with that. Let's get started. Good morning, good afternoon and good evening, depending upon where you are listening to us from. Thank you for joining us live today for this session; if you are watching it later on demand, I welcome you as well. I would like to thank Hugo for giving me an opportunity to speak in this Lunch and Learn session. If you don't follow him, I recommend you follow him and support the Cloud Lunch and Learn initiative that he is leading.

I'm going to talk about a topic which has been haunting me for years. I come from an application development background and I never spent too much time on learning networking in my initial days; my focus back in those days was programming. But working on cloud changes everything: if you have well-known applications running on cloud, you ought to know the networking aspects of cloud, and I'm going to make it easy for you today. I don't really anticipate that you will become an expert in Azure networking after my session today, but what I can assure you is that I will share enough information with you today that will be helpful to you in your learning process.

A couple of guidelines: I would prefer to take Q&As at the end of my presentation so that I don't miss sharing anything that I have planned. If you get a question or a doubt during the presentation, please feel free to post it in the chat window and I will get back to those at the end of the presentation.

With that, let me start with my introduction. My name is Vaibhav. I have 14 years of experience working on enterprise-class applications. I'm a
Microsoft Certified Azure Solutions Architect Expert, and I also hold a few other Azure certifications. I'm currently working for Kiewit as a cloud architect; if you don't know, Kiewit is one of the largest construction companies in the United States. I'm also an organizer of the Omaha Azure User Group, which has over 700 community members in our Meetup group, and as an organizer I organize user group meetings and manage the user group's website, YouTube channel, Slack workspace, Twitter handle and LinkedIn group as well. Please feel free to join the community if you have not already. I'm a regular speaker at several local user groups and events, speaking on Azure-related topics. I also blog, and you can follow me on my Twitter handle as well.

Without further ado, let's jump onto the agenda to go through what we are going to talk about today. We are going to start with the very basics: we will see what an Azure region is, then we will talk about virtual networks, VPN gateways, network security or filtering, and routing. I will briefly touch upon the different load balancing options we have in Azure, and I will conclude the session with how we can monitor our network traffic. I intend to cover a couple of quick demos as well. The intent is to wrap up this session 5 or 10 minutes early so that I can answer some of the questions, if you have any. A quick disclaimer: I have used most of the figures in this presentation from Microsoft documentation, so I just wanted to attribute those.

With that, let's get started. I wanted to start with the very basics first. When I speak with many folks, one of my observations has been that they don't understand what an Azure region is. They often relate a region and a data center as the same, which is not correct. Everything in Azure starts with a data center, which is analogous to your on-prem data center, if you have one. A data center is nothing but a building or group of buildings that is used to host or house your physical infrastructure, including racks, network
switches, etc., whereas a region in Azure is a collection of those data centers deployed within proximity, with a network latency under two milliseconds. The data centers within a region could be a few miles apart, up to 100 to 200 miles apart, but they are in the same region. Now, another thing to note here is that Microsoft groups these regions under geographies, strictly to comply with data residency and other laws. Geographies are fault tolerant to withstand complete region failure through their connection to Microsoft's networking infrastructure, meaning if one region goes down, the complete geography doesn't go down; there is at least one region up and running in each of the geographies. Lastly, availability zones is a concept that you should be aware of when you're speaking of Azure regions and data centers. Availability zones are physically separate locations within an Azure region. Each availability zone is made up of one or more data centers equipped with independent power, cooling and networking. It's a feature which is very handy in case you are planning for high availability and disaster recovery.

Moving on, what you see here is different geographies with their corresponding regions. There are six geographies all together: Americas, Europe, Asia Pacific, Middle East and Africa, Azure Government and Azure China. Each of these geographies, as you can see, has multiple regions within it, making each of these geographies fault tolerant. For example, in Americas there are 11 regions, ranging from East US, East US 2 and so on; in Europe there are 15 regions, and in Asia there are 13 regions. Probably this gives a better view of the different regions in different geographies. The blue dots here are the regions that are available for consumption, meaning you can deploy your services in any of the available regions. The ones with the dotted circles are the regions which are announced and are going to be available in the near future, and then there are a few circles with a diamond in them; it indicates that those regions have availability zones, which you can select while you are configuring your Azure resources. One last note here: when you choose a region to deploy your resources to, there are a few considerations to keep in mind. Certainly for data compliance and regulatory reasons you might have to choose a particular region, but you should also keep in mind that not all services are available in all the regions. Please refer to the link provided up there to check the latest list of available products and what services are available in which region.

So now, here is a snapshot
of how many services Azure offers today. On the lower bottom is the Azure data center infrastructure, which is the physical infrastructure owned and managed by Microsoft. On top of that you have infrastructure services categorized into three categories: compute, storage and networking. On top of that you have all the different platform services, which are customized to suit different needs like web, IoT, AI and so on. On the left side is the suite of management services which you can use for managing your Azure environments efficiently; these include services like Azure Monitor, Azure Blueprints, policies, Azure Cost Management and so on. Lastly, on the right side there are security services like Azure AD, which is a cloud-based identity store, and Azure Key Vault, which is a secure key management service. Anyway, what we are going to focus on today are the networking services. As mentioned earlier, we will look into some of these services like virtual network, VPN gateway, ExpressRoute, load balancer and so on.

Let's talk about a virtual network. It's the fundamental building block for your private network in Azure. Being a private network, it brings isolation on top of other Azure features like scalability and availability. You can place Azure resources inside a virtual network to securely communicate with each other, with the internet, or with your on-prem networks. A virtual network is analogous to a traditional network that you would manage and operate in your on-prem data centers. When you create a virtual network, you define an RFC 1918 IP address space. If you are not aware of what it is, I would highly encourage you to read it. In a nutshell, it specifies the best practices for defining your private networks. Basically, it categorizes the different IP addresses that an enterprise might need or use into three categories, starting with the first category, where they place the hosts that don't require access to other hosts, other enterprises, or anything outside their own enterprise.
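Editor's note: the following Python example is added here and is not part of the talk, nor is it Microsoft tooling; it uses only the standard library ipaddress module. The talk goes on to list the three RFC 1918 private ranges, to explain CIDR prefixes and the number of addresses they cover, and to warn that peered virtual networks must not have overlapping address spaces and that subnets should not consume the whole address space. The helper below puts those checks in one place for a candidate VNet plan: it verifies the address space is RFC 1918 private, counts the addresses a prefix covers, flags overlap between two ranges, and reports subnets that fall outside the space, overlap each other, or leave no room for growth. All function names (is_rfc1918, address_count, overlaps, check_vnet_plan) and the sample address spaces are the editor's own constructions.

```python
import ipaddress

# The three RFC 1918 private blocks (10/8, 172.16/12, 192.168/16).
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(cidr):
    """True if the whole CIDR block lies inside one RFC 1918 private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918_RANGES)


def address_count(cidr):
    """Number of addresses a prefix covers (e.g. /24 -> 256, /16 -> 65536)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def overlaps(cidr_a, cidr_b):
    """True if two address ranges share any address (such VNets cannot be peered)."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def check_vnet_plan(address_space, subnets):
    """Return a list of human-readable findings for a candidate VNet plan.

    An empty list means: private range, every subnet inside the space,
    no subnet overlap, and some address space left for future subnets.
    """
    findings = []
    space = ipaddress.ip_network(address_space, strict=False)
    if not is_rfc1918(address_space):
        findings.append(f"{address_space} is not an RFC 1918 private range")

    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    for s in nets:
        if not s.subnet_of(space):
            findings.append(f"subnet {s} lies outside {space}")

    # Pairwise overlap check between subnets of the same VNet.
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                findings.append(f"subnets {nets[i]} and {nets[j]} overlap")

    # Subnets that fill the whole space leave no room to add one later.
    used = sum(s.num_addresses for s in nets if s.subnet_of(space))
    if used == space.num_addresses:
        findings.append(f"subnets consume the whole {space}; no room for a future subnet")
    return findings


if __name__ == "__main__":
    # Constructed sample plans, not taken from any real deployment.
    print(address_count("192.168.100.14/24"))          # 256
    print(overlaps("10.0.0.0/16", "10.0.1.0/24"))       # True
    for finding in check_vnet_plan("10.0.0.0/24", ["10.0.0.0/25", "10.0.0.128/25"]):
        print("finding:", finding)
```

The strict=False argument lets a host-style address such as 192.168.100.14/24 be normalised to its network (192.168.100.0/24), which is how the prefix on the slide is meant to be read.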
In such environments the IP address ranges are unique within the enterprise, but they can overlap outside the enterprise. Then the second category of hosts are the ones which need limited access outside their enterprise, for scenarios like email or FTP and so on. Similar to the category one hosts, which do not have any access to the outside environment, these ones which have limited access have unique IP addresses within their enterprise, but their IP addresses might conflict or overlap outside their enterprise. Lastly, as per RFC 1918, the third category of hosts are those which have network layer access to resources outside the enterprise, which means they don't just need to have IP addresses that are unique locally; they also need to have IP addresses that are unique globally.

Anyway, coming back to this slide, the RFC 1918 standard allows three different IP ranges that we can use in any private network, which are listed on the screen, starting from 10.0.0.0, 172.16.0.0 and 192.168.0.0. So when creating a virtual network, the ranges that I have listed there are the ranges you can use, and you have to specify or define those IP address ranges while creating a virtual network in CIDR notation, which is basically based on the idea of subnet masks. It requires you to provide IP ranges in two parts: a network-identifying prefix and a host identifier within that network. The highest prefix could be /32, and the number of IP addresses doubles with every reduction of the prefix. For example, the IP address range that you are seeing on your screen here, 192.168.100.14/24, uses 24 as the prefix, which denotes 256 IP addresses ranging from 192.168.100.0 to 192.168.100.255. Within a virtual network there is a limit that we can only have up to 65536 private IP addresses; what that translates into is that the minimum prefix it can go down to is /16. You cannot go beyond /16.

Now moving on, once you have identified the IP range for your virtual network, you can further segment your virtual network using a concept called subnets. If you have a networking background you understand what a subnet is and what it is for. In an Azure virtual network, subnets and virtual networks are used for network segmentation. You can have up to 3000 subnets within a virtual network. Traffic is enabled by default between these subnets within a virtual network, but you can use NSGs to control the traffic flow. It is important to understand
that a virtual network is scoped to a single region and subscription. What you are seeing here in this diagram is how it is laid out: within an Azure region and a subscription you have a resource group, within which you create a virtual network, and within the virtual network you have multiple subnets, and you can create resources under each of those subnets. Why scope is important here is because of a couple of things. The first, primary reason is that you cannot have two virtual networks with the same name in the same scope, so for naming two different virtual networks in the same scope you need two different names; you cannot share the same name. And secondly, it is important to plan your virtual networks across different regions and subscriptions, because if you intend to connect two different VNets, which we are going to talk about in an upcoming slide anyway, they cannot have overlapping IP addresses. In other words, you cannot connect two virtual networks with overlapping IP address ranges, due to this reason. All resources in a virtual network can communicate outbound to the internet by default. You can use something like a network security group to restrict network traffic at the subnet level; we will be looking into NSGs in later slides. And if you need to enable inbound communication to your resources from the internet, you can do so by assigning a public IP address or a public load balancer on top of your virtual network. You can also use a public IP or public load balancer not just to manage inbound communications but also to manage your outbound communications from your virtual network.

There are some best practices which I recommend you should follow when you are creating and planning your virtual networks in Azure. To start with, as I was saying in the last slide, avoid overlapping address spaces, as if you intend to connect multiple virtual networks and they have overlapping address spaces, you cannot connect them. Second, ensure that subnets don't cover the entire address
space of the virtual network; you should reserve some address space for future requirements so that you are able to spin up an additional subnet whenever a need arises. That being said, it doesn't mean you should break down your virtual network into many small virtual networks. It's better to have fewer large virtual networks than multiple small virtual networks or subnets, to avoid management issues as well. Lastly, you should secure your virtual networks with network security groups, which we are going to touch upon in a later slide. I have listed a link over there, so if you follow that you can go through the guidance on how to better plan your virtual networks and place your resources within the larger virtual network.

Moving on, we have seen what a virtual network is; let's talk about VPN gateways. A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-prem location over the public internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway; however, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, please note that all the VPN tunnels share the available gateway bandwidth. There are two types of VPN gateways that you can create in Azure: the first one is VPN and the second one is ExpressRoute. Each VNet can have only one VPN gateway, whereas a VPN gateway, as I was saying, can have multiple connections. Now, even though a VNet can have just one VPN gateway of type VPN, it can also have one additional ExpressRoute gateway, meaning every virtual network can have two VPN gateways, one of each type listed on this slide. When you create a VPN gateway and attach it to a virtual network, it creates an exclusive subnet called the gateway subnet, in which the resources required by the gateway are created.

Moving on, a VPN gateway supports different connectivity scenarios. You can connect your virtual networks, meaning you can connect a virtual network to another virtual network in your Azure environment, and those virtual networks can be in the same or different regions, the same or different subscriptions, or they can use the same or different deployment models. If you are not aware of the different deployment models in
Azure, there are two: classic and ARM. ARM stands for Azure Resource Manager, which is the current standard, and all the resources created before ARM was launched are called classic. You cannot create classic resources anymore, but if you have existing classic virtual networks you can connect them with each other or with ARM-based virtual networks using a VPN gateway. What you are seeing in the diagram on the lower side of the slide shows a VNet-to-VNet gateway. What it basically does is it creates an IPsec VPN between two virtual networks; a VPN gateway sits in front of each of the VNets, and the VPN gateways talk to each other to enable communication between the two virtual networks. You know, we can also establish a site-to-site VPN gateway connection. It provides a connection over an IPsec VPN tunnel, similar to VNet-to-VNet. Site-to-site connections can be used for cross-premises and hybrid configurations where you want to connect your on-prem resources with Azure. A site-to-site connection requires a VPN device to be located and installed on-prem that has a public IP address assigned to it. You can also extend a site-to-site connection into a multi-site connection, where you can connect your multiple sites, like your branch offices or department offices, with an Azure virtual network. Please note that you need to have a VPN device located at each of these locations, and each of the tunnels that you are seeing here shares the available bandwidth at the gateway, which I believe maxes out at 1 gigabyte per second. Similar to a site-to-site VPN gateway, you can also have point-to-site connectivity between your Azure virtual network and your remote client computers. It is similar to how we connect to our office VPN from home: we have to install a VPN client on each of our remote computers, and for the connection between the VPN gateway and the VPN client a tunnel is established for each of the remote computers, and as I was mentioning for site-to-site
as well, it's the same case here: each of the tunnels here shares the same bandwidth at the VPN gateway level. Now, I mentioned earlier that one way to connect your virtual networks is using VNet-to-VNet connectivity through a VPN gateway, but that is not the best way to do it. It is the recommended way when you have cross-premises requirements or hybrid requirements, where you intend to connect your on-prem environments with Azure. If you intend to connect your virtual networks with each other, then the recommended way to connect multiple VNets is through something known as virtual network peering, where you can peer one virtual network into another. The outcome is that the IP address ranges of the virtual network peers appear as one single virtual network, and the resources in both virtual networks can then start communicating with each other with minimal latency, as they would have done with the other resources within the same virtual network. Now, depending upon the location of the virtual network, or the region in which the virtual network peers are, the peering falls under one of two categories. If both your virtual networks are in the same region, let's say East US, it is counted as virtual network peering; if the virtual networks are in different regions, it is counted as global network peering. You need to be aware of the cost implications for both. For virtual network peering you pay for inbound and outbound data transfer at both virtual networks, and comparatively the cost for global peering is more than intra-regional VNet peering, due to the obvious reason that it leaves the region. Another thing to note here is that VNet peerings are not transitive. What you see in the diagram is how you can connect your different virtual networks with each other. Here virtual network A is peered with virtual network B, which is in turn peered with virtual network C. You should note here that virtual network B can communicate with both virtual network A and C, but virtual networks A and C cannot communicate with each other; they can only communicate with virtual network B. Lastly, VNet peering supports gateway transit. What gateway transit means is, if I have a VPN gateway attached to a virtual network and the virtual network is peered with another virtual
network, then the peered virtual network can opt for gateway transit and use the remote gateway which is assigned to virtual network 1. What I'm showing here is a hub-and-spoke topology, which you can extend to connect your on-prem networks with your Azure virtual networks. What you are seeing here is, on the left side you have a hub virtual network which is connected to your on-prem network over a VPN gateway, and then your hub virtual network is peered with different virtual networks which have your different Azure resources running in there. For more details on this topology you can visit that link, where they have listed all the details, the reference architecture as well as the deployment ARM template.

Moving on, the other option that you have to connect your on-prem environment with Azure virtual networks is known as ExpressRoute, which provides layer 3 connectivity between your on-prem networks and the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute you can also establish connections to Microsoft services like Office 365. Connectivity can be from an any-to-any network, or a point-to-point Ethernet network, or it could be a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections do not go over the public internet; this allows ExpressRoute connections to offer more reliability, faster speeds and higher security. You should note that Microsoft uses BGP, which is an industry-standard dynamic routing protocol. It is used to exchange routes between your on-prem network, your instances in Azure, and Microsoft public addresses. Each ExpressRoute circuit consists of two connections to two Microsoft Enterprise Edge routers, as you can see in the diagram. Microsoft requires a dual BGP connection, as you can see, between the partner edge and the Microsoft edge, the primary reason being that Microsoft wants to ensure that connections are handed off in a redundant manner, and if one
connection goes down, the second one can take over as a failover. And then each circuit has a fixed bandwidth that you can opt for, from 50 Mbps to 10 Gbps. The important point to note here is that the bandwidth is shared across all the circuit peerings that you establish; I'm going to talk about the peerings in the next slide. It comes with two different pricing models when you create an ExpressRoute circuit in the Azure portal: metered and unmetered. As the name suggests, under metered, outbound data transfer is metered, whereas under unmetered there is a fixed cost for the ExpressRoute circuit and the outbound data transfer is not metered. And when I say outbound data transfer for both metered and unmetered, you should note that for any Azure resource the inbound data transfer is always free, and Microsoft charges us for the outbound data transfer. And lastly, you should also check out a couple of other options in ExpressRoute. As I was mentioning earlier, the default mechanism in ExpressRoute is to use a connectivity provider in between, or a partner, who establishes the connectivity between the customer's network and the Microsoft edge device. You can use something known as ExpressRoute Direct, where you can connect directly to the Microsoft global network without the need for an intermediate connectivity provider. Another option you have is ExpressRoute Global Reach, where you can link your multiple ExpressRoute circuits in different regions together to make a private network between your on-prem networks.

ExpressRoute supports two independent peerings, known as private peering and Microsoft peering. What each of these peerings means is: with private peering, you can connect to your private Azure virtual machines and the cloud services that are running within your virtual network. The private peering domain is considered to be a trusted extension of your core network into Microsoft Azure. The peering lets you connect to virtual machines and cloud services directly on their private IP addresses from your virtual network. And the other type of peering is Microsoft peering, which lets you connect to Microsoft online services like Office 365, and you can also connect to other Azure PaaS services outside your virtual network through Microsoft peering. Now, if you have already been using ExpressRoute in the past, you might have seen three different kinds of peering: Azure public, Azure private and Microsoft. Azure services were categorized as Azure public and Azure private in the past to represent the IP addressing schemes. Now Azure private remains the private
peering, whereas Azure public peering has been merged with Microsoft peering. Now, you have to understand that each peering here is a pair of independent BGP sessions, each of them configured with redundancy for high availability. There is a 1-to-n mapping between an ExpressRoute circuit and the routing domains. An ExpressRoute circuit can have one or two peerings enabled per ExpressRoute circuit, meaning you can either have private peering or Microsoft peering, or both. You can create a connection between your on-prem network and the Microsoft cloud in three different ways. You can either ask for a colocation facility with a cloud exchange, where you can order virtual cross-connections to the Microsoft cloud through the colocation provider's Ethernet exchange; likewise, you can also have a point-to-point Ethernet link for layer 2 or layer 3 connections over ExpressRoute; lastly, you can also integrate your WAN with the Microsoft cloud over ExpressRoute. Microsoft has a global network of ExpressRoute connectivity providers and system integrators; to get the location-wise list, you should check out the link that I have listed down there.

Moving on, when I mentioned ExpressRoute and VPN gateways, those are the two different ways you can use to connect your on-prem networks with Azure. That being said, you can connect an on-prem network to an Azure virtual network through ExpressRoute and a VPN gateway as a failover setup. As per this diagram, traffic flows between the on-prem network and the Azure virtual network through an ExpressRoute connection generally, but if there is a loss of connectivity in the ExpressRoute circuit, traffic is then routed through an IPsec VPN tunnel which is established through the VPN gateway. I have given the link down there for the reference architecture which you can refer to, and it comes with the deployment template as well.

Moving on, there is another networking service called Azure Virtual WAN, which brings many
networking, security and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity, site-to-site VPN connectivity, point-to-site connectivity, ExpressRoute connectivity, intra-cloud connectivity, Azure Firewall and encryption for private connectivity. Now, you don't have to use all of these features together; you can use a subset of the features depending upon your use case. What you have to understand here is that the Virtual WAN architecture is a hub-and-spoke architecture with scale and performance built in for your branches, users, ExpressRoute circuits and virtual networks. As depicted in the diagram here, Azure regions serve as the hubs that you can choose to connect to from your different branches and ExpressRoute circuits. All hubs that you are seeing here are connected in a full mesh in a standard Virtual WAN, making it easy for your users to use the Microsoft backbone network for any-to-any connectivity, including site-to-site, point-to-point or point-to-site, or ExpressRoute.

Moving on, I would like to touch upon a few other features as well which are part of virtual networks. These features are very handy for connecting your Azure services privately and securely. To start with, there is a feature called a service endpoint, which allows your resources within your virtual network to reach out to other Azure services with a private IP address. You just need to enable the service endpoint on a subnet for the particular Azure resource that you would like to connect to from your virtual network. As you can see in the diagram, your virtual machine that sits in a subnet within a virtual network can connect to Azure Storage through a service endpoint over a public IP, and it doesn't need to go through the internet and use a public IP address. There is no additional cost for using a service endpoint and it comes with a virtual network, so feel free to use it. Another service I want to mention is called Private Link, or private endpoints, which enables access to Azure PaaS services over a private endpoint in your virtual network; the traffic flows on the Microsoft backbone network, and there is no need to expose your services to the public internet. Microsoft has already announced support for private endpoints with some of these services, like Azure Storage and SQL databases; for some of the PaaS services, like App Service, it is in public preview and is expected to go GA soon. The feature is very powerful and I expect the list of supported services to keep growing over time. Lastly, I would also like to mention a feature known as virtual network NAT, or network address translation. Many times there is a requirement to expose a single static public IP address for outbound communication from all the resources running inside a virtual
network or a subnet. For such scenarios you can use virtual network NAT, which, once enabled, forces all the UDP and TCP traffic from the resources under the subnet to use NAT and show the static public IP address. Now, you can opt for a single static public IP or you can opt for a public IP prefix. To configure virtual network NAT, you just need to set up a NAT gateway with the public IP address or IP prefix and assign it to the appropriate subnet on which you want the translation to happen.

Now we have covered the different networking services that are available in Azure; let's talk about network security and filtering. The first service that I want to talk about is network security groups. You can use network security groups to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, your Azure resources. For each rule you can specify source and destination, port and protocol. When you create an NSG there are some default security rules which get created automatically, and you can override them with your own security rules with a higher priority. You can also have augmented security rules within an NSG, which allow you to define larger and more complex network security policies with fewer rules; for example, you can use something like service tags, which represent a group of IP address prefixes from a given Azure service like Azure App Service or Azure Storage and so on. Network security group security rules are evaluated by priority using 5-tuple information, which includes source, source port, destination, destination port and protocol. An NSG uses security rules to allow or deny the traffic. As you can see in the figure, an NSG can be applied at the NIC level, or network interface level, or at the subnet level. To the left you see there is an NSG at the NIC level as well as at the
subnet level for VM1. All the security rules in both the NSGs are evaluated and given preference depending upon the direction of the communication. For inbound, it first evaluates the rules at the subnet level and then at the NIC level; if the traffic is allowed at the subnet level but not at the NIC level, the traffic is denied. Likewise, in outbound communication from VM1, the rules at the NIC level are evaluated first and then the rules at the subnet level are evaluated. For virtual machine 2 there is no NSG at the NIC level, and the rules from the subnet NSG apply to all the traffic. For virtual machine 3 there is no NSG at the subnet level and there is one at the NIC level, so the rules of the NIC-level NSG apply to all the traffic. Lastly, for VM4 there is no NSG assigned, and all the traffic flows without any security rules.

Now, the challenge with network security groups is that you have to base your network security policies on your IP address ranges, which is OK in most cases, but sometimes it gets tricky to set up network security policies that align with the application structure, meaning if I have to group virtual machines and define network security policies based on those groups, it is not possible, or at least not very intuitive, in network security groups. The problem is resolved using what is known as application security groups, which allow us to configure the network security policies as an extension of our application structure. What you are seeing here in the figure is: NIC1 and NIC2 are the two network interfaces which are members of an application security group called ASG Web, NIC3 is a member of the ASG Logic application security group, and then NIC4 is a member of the ASG DB application security group. Now VM1, VM2 and VM3 sit in one subnet and VM4 sits in a different subnet, inside the single virtual network. Now, none of the network interfaces have an associated network security group assigned to them. You have to see here that NSG1 is associated with both these subnets, subnet 1 and subnet 2, and contains certain rules with the application security group as either the source or destination. So the advantage that you get out of creating those security rules assigned to an application security group, rather than to a NIC or subnet, is that the rule applies to all the NICs that are assigned to the application security group. For example, in my NSG1, if I define a rule with a source or destination of ASG Web, it applies the rule on both virtual machine 1 and virtual machine 2 and not on virtual machine 3, whereas if we had
applied the security rule as part of the NSG on subnet 1, it would have applied to all the three virtual machines, VM1, VM2 and VM3. So application security groups do give us control, where we can base our network security policies on our application structure rather than the underlying IP address ranges.

Moving on, there is another security feature, a security service that we can leverage, which is known as Azure Firewall. You can use Azure Firewall to secure your Azure virtual network resources. It is a fully managed, cloud-based network security service; it is a fully stateful firewall as a service that comes with built-in high availability and unrestricted cloud scalability. Like any other firewall, you can define application rules to allow network traffic through your firewall; I mean, it's not only allow, you can allow or deny your traffic through your firewall.

Now moving to distributed denial of service attacks: even our Azure resources are not away from them. We have to have our DDoS protection in place to protect our resources, and you can leverage Azure DDoS Protection to protect Azure resources from distributed denial of service attacks. By default, Basic DDoS protection is enabled and included with most of the Azure services and is provided free of cost by Microsoft. You can also opt for the Standard tier of DDoS protection, which comes with additional support options and features, but in my opinion, for most of the use cases I have worked on, Basic DDoS protection is more than sufficient.

Now, we have understood what a virtual network is, what VPN gateways are, and how the network is established in Azure. Now let's see how the routing is established within a virtual network. When a subnet is created within a virtual network, a route table is created by Azure with system default routes already added to the table. Azure system default routes can be overridden with custom routes, and you can add additional custom routes as well. All the outbound traffic from a subnet is routed based on the routes in the subnet's route table. What you see here is the list of the default routes that are added to the route table for a subnet. As you can see, each route contains an address prefix and the next hop type. When the traffic leaving a subnet is sent to an IP address within the address prefix of a route, the route that contains the prefix is the route Azure uses. In the diagram you can see there are three next hop types: virtual network, internet and none. As the name suggests, for the virtual network next hop type the traffic is routed between the address ranges within the address space of a virtual network; for each address range in a virtual network there is a separate route created. Now notice that it adds a route for the virtual network address ranges and not for the specific subnet ranges, because the subnet IP ranges are already covered under the virtual network IP address ranges. For the internet next hop type the traffic is routed to the internet. The system default route specifies the 0.0.0.0/0 address prefix, which can be overridden by adding a custom route in the table. All the outbound traffic to the internet is routed to the internet through this route, except in one scenario: the public-facing Azure services. Azure routes the traffic to public-facing Azure services directly on the Azure backbone network rather than sending it over the internet, regardless of the region or the virtual network; that's how it's built. Lastly, the traffic routed to the none next hop type is dropped. Azure automatically creates default routes for RFC 1918 IP address prefixes, meaning if you send traffic to private IP addresses outside your virtual network address range it is automatically dropped. When you extend your virtual network address ranges to include additional IP addresses, the traffic to these IP addresses is automatically routed to the virtual network next hop type.

Now Azure also adds additional default routes to support different types of capabilities that we have talked about earlier, like virtual network peering and VPN gateway. When you create a virtual network peering between two virtual networks, a route is added for each address range within the address space of each virtual network you're peering with, with the next hop type as VNet peering. One or more routes with virtual network gateway listed as the next hop type are added as well when a virtual network gateway is added to a virtual network; the source is also virtual network
gateway, because the gateway adds the routes to the subnet. If you are using ExpressRoute to connect your on-prem networks with Azure, the recommended way is to use BGP routes and not the virtual network gateway routes depicted here. It is recommended that you summarize on-prem routes to the largest address ranges possible so that the fewest number of routes are propagated to an Azure virtual network gateway.

The next next hop type you see here is virtual network service endpoint. I touched upon service endpoints in one of the earlier slides. The public IP addresses for certain services are added to the route table by Azure when you enable a service endpoint to a particular service. Service endpoints are enabled for individual subnets within a virtual network, so the route is only added to the route table of the subnet a service endpoint is enabled for. The public IP addresses of Azure services change periodically, and Azure automatically manages the addresses in the route table when the addresses change.

Now there are situations when you need to either override Azure's default routes or add additional routes. You can do so by adding your custom, user-defined routes to the route table. You can create up to 400 user-defined routes inside a route table. You can specify a variety of next hop types in your user-defined routes, like virtual appliance, to route the traffic to a network virtual appliance. You can use virtual network gateway as a next hop type when the traffic destined for specific address prefixes is to be routed to a virtual network gateway; the virtual network gateway must be created with the type VPN if you intend to use virtual network gateway as the next hop type. As I mentioned on the last slide, you cannot specify the virtual network gateway next hop type for a virtual network gateway that is created as an ExpressRoute gateway, because with ExpressRoute, as I was saying earlier, you must use BGP for your custom routes. You can also use next hop types like none, as mentioned earlier, where you want the traffic to be dropped. You can also choose virtual network when you want to override the default routing within a virtual network, and you can specify internet as your next hop type when you want to explicitly route traffic destined to an address prefix to the internet, or if you want your traffic destined for Azure services with public IP addresses. Please note that you don't see VNet peering and virtual network service endpoint as next hop types in the user-defined routes, the reason being that routes with the virtual network peering and virtual network service endpoint next hop types are only created by Azure, and they are configured automatically whenever you configure virtual network peering or a service endpoint.

You can exchange Border Gateway Protocol, or BGP, routes between your on-prem network gateway and the Azure virtual network gateway. It is used with VPN gateways; for ExpressRoute, you must use BGP to advertise on-prem routes to the Microsoft edge router. An important point to note here is that you cannot create user-defined routes to force traffic to the ExpressRoute virtual network gateway if you deploy a virtual network gateway as type ExpressRoute, but you can use user-defined routes for forcing traffic from the ExpressRoute to, for example, a network virtual appliance. When you exchange routes with Azure using BGP, a separate route is added to the route table of all the subnets in a virtual network for each advertised prefix; the route is added with virtual network gateway listed as both the source as well as the next hop type.

Remember the good old days when you needed a jump box VM to connect to virtual machines in your virtual network? Well, those days are gone; you don't need a jump box machine anymore. If you have not heard of it, there is a new service called Azure Bastion, which is a fully platform-managed PaaS that provides secure and seamless RDP or SSH connectivity to your virtual machines directly in the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, and they can be connected to over private IP addresses.

Due to time constraints I would like to run through this section slightly fast, as Azure provides many options to load balance your workloads. To start with, the first service you should be aware of is Azure Load Balancer, which works at layer 4. It distributes the inbound network traffic across a back-end pool, which could have plain instances of virtual machines or virtual machine scale set instances. There are two types of load balancers: public and internal. As the name suggests, a public load balancer is used for load balancing internet traffic to your virtual machines, whereas an internal load balancer is used for load balancing within a virtual network. For a public load balancer you need to use a public IP address for the front-end configuration so that
internet traffic can reach your load balancer, whereas for an internal load balancer you need to use a private IP address. For load balancing the network traffic among the different instances in the back-end pool, a load balancer uses a five-tuple hash, which comprises source IP address, source port, destination IP address, destination port and IP protocol number, to map your flows to the available servers. For both types of load balancer Azure offers a Basic SKU and a Standard SKU that have different functional, performance, security and health tracking capabilities. The point to note here is that SKUs are not mutable, meaning once you create a load balancer with a specific SKU you cannot change the SKU; you need to create a new load balancer with the right SKU and migrate the configuration from the old load balancer.

Another service you can use is Azure Traffic Manager, which uses DNS to direct client requests to the most appropriate service endpoint based on a traffic routing method and the health of the endpoints. An endpoint could be any internet-facing service hosted inside or outside of Azure. The most important point to understand is that Traffic Manager works at the DNS level. Traffic Manager uses DNS to direct clients to specific service endpoints based on the rules of the traffic routing method; technically, clients connect to the selected endpoint directly and not through Traffic Manager. Traffic Manager is not a proxy or a gateway, and it does not see the traffic passing between the client and the servers. There are a few traffic routing methods within Traffic Manager that you can use, starting from priority, which routes based on the priority of the endpoint; then weighted, where traffic is distributed either evenly or according to the weights that you define; you can use performance when you want end users to be routed to the closest endpoint in terms of lowest network latency; you can use geographic when you want your users to be directed to specific endpoints based on their geographic locations; likewise you can use multivalue when you have IPv4 or IPv6 addresses as endpoints; lastly, you can also use the subnet traffic routing method to map sets of end-user IP address ranges to a specific endpoint within a Traffic Manager profile. What you are seeing here: on the left you see a system with priority routing in Traffic Manager, and to the right you see weighted routing. When the primary app, or the primary endpoint, goes down under priority routing, the traffic is routed to the next app instance in order of priority, whereas in the second screenshot, when the primary site goes down, it sends the traffic based on the weights.

Another service that you can use is known as Azure Front Door, which offers layer 7 load balancing capabilities for your application with instant failover. Azure Front Door is an application delivery network as a service; it comes with features like DSA (dynamic site acceleration), TLS/SSL offloading, web application firewall, URI path-based routing, and so on. Similar to Azure Front Door, there is another service known as Azure Application Gateway, which is a web traffic load balancer that enables you to manage traffic to your web applications. It is also a layer 7 (application layer) load balancing solution. It also supports centralized SSL offload and SSL policy, and it supports an integrated Web Application Firewall, pretty much the same features that Azure Front Door provides. While both Front Door and Application Gateway are layer 7 load balancers, there is a difference between the two services: Front Door is a global service, whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units, or clusters, or stamp units, across regions, Application Gateway allows you to load balance between your VMs or containers within the scale unit, within the same region. So the scope is the difference between Application Gateway and Front Door: Front Door is global, whereas Application Gateway is regional. Traditional load balancers that we have used at the transport layer generally operate at layer 4, at TCP and UDP, whereas Azure Application Gateway, as I was mentioning earlier, works at layer 7. What that means is we can do URL-based routing using Azure Application Gateway. Azure Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example the URI path or host headers. For example, you can route traffic based on the incoming URL: so if /images is in the incoming URL you can route traffic to a specific set of servers configured for your images, and likewise for /videos. So when selecting a load balancing option there are some key factors to consider, including what type of traffic is coming in, whether it's a global versus regional service, and how much it is going to cost me. I have put a link there which you can go and
refer to, to find out the best load balancing option for your use case.

The next service I want to touch upon is Azure Content Delivery Network, which is a distributed network of servers that can efficiently deliver web content to users. CDNs store cached content on edge servers in point-of-presence locations that are close to end users to minimize latency. What you are seeing here in the diagram is: when a user, Alice, requests the resource from the edge servers and there is no cached copy of that resource, the edge server reaches out to the origin, which could be an Azure web app service or Azure Storage. The origin returns the requested resource, which the edge server passes on to Alice, and the edge servers also store a cached copy of that. So that means if any of the other users request the same resource and the edge servers have a cached copy of that resource, it returns it; otherwise it again goes back to the origin and gets its updated copy. You should note here that at the edge servers the time to live is by default seven days, but that is completely configurable.

Moving on, there are two different ways you can monitor your network in Azure. One of the services you can utilize is Azure Network Watcher, which you can use to monitor and diagnose the health and performance of your network. Using Network Watcher's diagnostic and visualization tools you can capture packets on a virtual machine, validate if an IP flow is allowed or denied, identify things like where packets will be routed from a VM, and gain insights into your overall network topology. The screenshot that you are seeing is how you can see your network topology, or virtual network topology, within Network Watcher. Lastly, there is another solution known as Network Performance Monitor, which is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. Network Performance Monitor detects network issues like traffic black holing, routing errors, and issues that conventional network monitoring methods aren't able to detect. The solution generates alerts and notifies you when a threshold is breached for a network link. It also ensures timely detection of network performance issues and localizes the source of the problem to a particular network segment or device. It comes with three broad capabilities: Performance Monitor, Service Connectivity Monitor and ExpressRoute Monitor. Performance Monitor monitors the network connectivity between cloud deployments and your on-prem locations, multiple data centers and branch offices. Service Connectivity Monitor monitors the connectivity from your users to the services that you care about, determining what infrastructure is in the path and identifying where network bottlenecks are. And ExpressRoute Monitor monitors end-to-end connectivity and performance between your branch offices and Azure over Azure ExpressRoute.

Now here are some of the resources that you can refer to for your Azure networking learning. To start with, Azure Architecture Center is a great resource which lists all the reference architectures and the architectural best practices you should follow for your Azure networking. Microsoft Azure documentation is your source of authority; it is always up to date, and you can get first-hand information. Microsoft has listed some best practices for your network security; do check it out. There is a great resource called Microsoft Learn which has good learning paths across different Azure services; they have a learning path on Azure networking as well, do check it out. Then Microsoft has also partnered with Pluralsight for 200-plus free courses on Azure which you can access using a free account. Check out a show called Azure Friday, hosted by Scott Hanselman, where they cover different Azure services including most of the Azure networking services; it's a cool show where they have short videos on each of these services. Lastly, if you are interested, you should also check out the Azure role-based certifications, which can help you in learning more about Azure.

With that, I want to quickly go to my Azure portal. I will quickly demonstrate whatever we have spoken about in our presentation before I wrap it up. What I'm showing is my Azure portal; I have already logged in using my Live ID, through which I have a subscription, and I'm on my dashboard right now, on my home page in the Azure portal. If I go to Create a resource on my left side and go under Networking, I can create all the different resource types that we have spoken about in our presentation. For the sake of this demo I have already created a resource group here. I will go ahead and show you how to create a virtual network: select Virtual network under New, click Create, choose the subscription that you want your virtual network to go in and the resource group, give it a name and the
region that you want it to be created in; I want it to go in East US 2. Specify the IP address ranges for your virtual network. By default it picks up one of the address ranges that are available, but you can add multiple IP address ranges here. Right here it has opted for 10.0.0.0/16, which is the highest prefix that I can opt for; as you can see it has 65,536 addresses. It comes with a default subnet with a /24 prefix, and I can add multiple subnets within this IP address range, but for the demo purpose I'll stay with the default subnet that it creates for me. I can go ahead and enable DDoS protection; as I said, by default Basic is enabled, but I can opt for Standard as well, which is a pay-as-you-go service. For firewall, I can either enable it or keep it disabled; for now I'm going to keep it disabled, and I can enable it at any time at the virtual network level later. I'll leave the tags as they are, and let me review and create my virtual network. It's going to take a few seconds or a minute before it creates the resource.

The resource is created; you can see here the different options. Here is our address space: if you need to extend your virtual network by adding additional address ranges, you can add them under the address space here. Once you connect your different Azure services or Azure resources within this virtual network they will show up here under connected devices. Here is the subnet that was created by creating my virtual network; I can create additional subnets by clicking + Subnet here and giving the subnet some ranges. I can assign the network security group on my subnet, I can choose the appropriate route table if I have to, and I can select a service endpoint if I have to set it up for my subnet. And what you are seeing here is what I was mentioning when I was talking about VPN gateway: it creates a gateway subnet within the virtual network that hosts all the VPN gateway resources. You can create a gateway subnet here, or it automatically gets created when you create a VPN gateway and assign it to a virtual network. You can change your DDoS protection from Basic to Standard and vice versa at any time through the DDoS protection blade. You can add a firewall to your virtual network at any time using this.

Coming back to peering, I don't have a second virtual network, but this is the place where you can add virtual network peering with your additional virtual networks. You can give the peering a name, you can choose the subscription and the virtual network that you want to peer with, and what it does is it automatically adds peering on the other network as well, so that the virtual networks can talk with each other. There are different options you can see here. The first two options are whether you want to allow virtual network access from VNet1 to the remote virtual network, the second virtual network, and vice versa. You can also allow forwarded traffic from the remote virtual network to VNet1, and so on. What it means is, generally the first two options are for the traffic between the VNets which are peered, whereas if the VNet's peers are again connected to other virtual networks and you want traffic to be forwarded from one virtual network to the other virtual network peers, you can enable these options. And if you have a VPN gateway assigned to your virtual network, you can also allow gateway transit here so that your virtual network peers can use your remote gateway. Here are your service endpoints, where you can create different service endpoints for your virtual network; you can opt for any of the available services that show up here. Your private endpoints, when you create them in Azure for any of the Azure services, are listed here. You can configure your diagnostic settings here and send all your logs, including metrics and the VM protection alerts, to either Log Analytics or a storage account, or you can stream them to an event hub. Here is your VNet topology diagram that shows up here; since I only have VNet1 with a default subnet, once I start assigning my virtual machine resources here they will start showing up here. I can see the same topology in Network Watcher as well. With that I
conclude my presentation, and I would open the floor for any questions that you might have. If not, I would like to thank Hugo once again for giving me the opportunity to speak at this Cloud Lunch and Learn session. I hope you will find it helpful.

Vaibhav, yeah, actually we have a few questions here, so I will start by enumerating each one of the questions. So the first question is: what's the main difference between Load Balancer, Traffic Manager and Application Gateway?

The primary difference is how they work. For example, Load Balancer works at layer 4, whereas Application Gateway and Front Door work at layer 7. Application Gateway is at a regional level, whereas Front Door is a global service. And if you head over to this link, it gives you the different load balancing options and the criteria you should consider for when you should be using the different services.

OK, let's pick one more question. So, what are the main features of WAF, Web Application Firewall? I can take this question, Vaibhav. So basically the WAF service, apart from the load balancing features, provides you as well features such as routing, so you can route the traffic to your applications using rules, in terms of URL rules or even by IP, and so on. So it's basically a WAF, you know.

OK, thank you. On the question about sharing the material: I'm going to share my slide deck, and I think Hugo is going to share it with the community, and I think the session is also recorded and will be uploaded to the YouTube channel.

Yes, the session will be recorded, and also we have the slides available on our GitHub repository, so you can access the slides at any time. Thank you. Yeah, let's wrap up. So please, in case you did not have a chance to do it in the beginning of the session, I would like to share with you this opportunity provided by Microsoft to access free relevant materials related to this session. In order to access these materials you can scan the QR codes or access the aka.ms link in these slides and fill in a quick form. It is important for us that you do the registration so you'll be officially registered in this session, and it's a way to justify the efforts from our collaborators and ourselves to keep these initiatives, so please take a few minutes and register through the form. And I think we should be fine to close it up, Vaibhav. I already shared on the channel a link for our forms as well, where you can provide us feedback about this session and also suggest any topics for future sessions, so we can deliver content that is relevant to you. And yeah, thank you so much, Vaibhav, for delivering this great session, and thank you everyone for joining and dedicating your time with us on this session. I hope you enjoyed the session, and we really appreciate your feedback so we can improve our sessions and also deliver future sessions related to the topics that are useful and of interest to you. Next week we'll have another session with Michael Even talking about our community service, so please stay tuned and join us next week. Have a great day, and thank you once again.

Thank you so much. Thanks everyone.