6.1.1. Networking - Virtual Network (VNet) - Connecting VNets.md

Connecting VNets

• You don't need to have a Layer 3 router to route traffic from subnet to subnet
• Azure system routes take care of the routing for you automatically

Options

VPN Gateway

• Creates IPsec/IKEv2 tunnel and always-on connection
• Used for connecting VPNs in cloud or hybrid scenario.

Inside Azure

VNet-to-VNet VPN

• Create isolation or administrative boundaries
• Provide cross-region geo-redundancy and replication securely
• No traffic crosses the public internet
• Separate VPN gateways costs while VNet peering is free.
• 💡 Make sure your VNet address spaces do not overlap.
• Troubleshooting
  • Verify connectivity through peering
    • Set up Azure DNS

VNet peering

• Seamless connection between two Azure VNets.
  • The peered networks appear as one, for connectivity purposes.
  • ❗ Name resolution does not flow, requires own DNS zone
• Runs on Azure backbone
• 💡 You can peer across regions and subscriptions
• Peering can overcome misplaced VMs
• Helps to optimize costs through service chaining
  • I.e. services' communication are chained through a subnet
• ❗ Peering must be done on both sites
  • VNet1 => VNet2 and VNet2 <= VNet1
• Enables force tunnelling
  • E.g. when all Internet traffic must go through on-premises firewall device.
  • You can use user defined routes for all outbound traffic to go back through VPN gateway to on-premises.
• ❗ Peerings are not transitive
  • If you peer spoke1 <=> spoke2 and spoke2 <=> spoke3 then spoke1 cannot communicate with spoke3 automatically.
  • Common solution is transiting VNet with Hub and Spoke topology.
    • Topology is a segmentation
      • When to segment with VNets and when with subnets?
        • Depends on bureaucratic reasons
        • E.g. different VNets when
          • Different cost centers/groups need management autonomy
          • You want to completely isolate different workloads
    • Name resolution needs configurations
      • You can't do with Azure provided DNS as all your hosts have then internal.cloudapp.net
      • In peering azure provided DNS won't work

Peering configuration

• Allow forwarded traffic
  • Am I peering from a hub VNet that'll have IP-forwarder?
  • Allow peers (other VNets) to forward traffic to go through.
• Allow gateway transit
  • Am I hosting a VPN gateway?
• Use remote gateways
  • Is this network use peers gateway?
  • ❗ VNets must be in same region

Peering troubleshooting tips

• Azure blocks ICMP between VNets and the Internet
  • ICMP is used for ping
  • Microsoft blocks it because of DDoS attacks.
• Simplify NSGs as much as possible to reduce troubleshooting friction
• Azure portal Diagnose and solve problems/Resource health blade is useful
• Network Watcher and Network Performance Monitor make troubleshooting much easier

Network Watcher

• Shows where's the traffic is captured/denied
• Suite of tools
  • Topology
    • E.g. VNETs, subnets, VMs, NICs
  • Variable Packet Capture
    • Captures TCP packages at NIC level as wireshark files.
  • IP Flow Verify
    • Troubleshoots NSG
  • Next hop
    • Troubleshoots route tables
  • Connection troubleshoot
    • Why it does not connect?
  • Diagnostics Logging
  • Security Group View
  • NSG Flow Logging
  • VPN Gateway Troubleshooting
  • Network Subscription Limits
  • Role Based Access Control
• Can be enabled on VMs
  • In Portal you can search for "Network Watcher" and enable

Network Performance Monitor

• Network monitoring solution for hybrid networks
• E.g. top network health events, ExpressRoute monitor, service endpoint monitor, performance monitor
• It ties in logs/metrics with Log Analytics.
• Part of Insights & Analytics Azure management solution.
• Works with installing Microsoft Monitoring Agent (MMA) in VM.
• Flow
  1. Deploy Insight & Analytics and then select Network Performance Monitor
  2. Choose VM and click on "Connect", it'll install MicrosoftMonitoringAgent

VNet states

• Initiated
  • When a peering to the second virtual network from the first virtual network, the peering status is Initiated 2
  • A peering gets Initiated state by default once deployed and other node is missing
  • For peering to be completed, one of the nodes must be on Initiated state before they're links
• Connected
  • Once peering is created from second VNet to first VNet that already has peering, peering status become Connected
  • Peering status of first VNet change from Initiated to Connected
  • ❗️ Peering is not established if status for both peerings is not Connected
• Disconnected
  • One of the links created was deleted 1
  • To re-establish a peering connection, there's two options

    • Re-crate 1

      1. Delete the link
      2. Recreate it

    • Update, the state of Disconnected peering should be updated to Initiated:

        az network vnet peering update \
          --name '<< pering name>>' \
          --resource-group '<<resource-group-name>>' \
          --vnet-name '<< prd-vnet-name >>' \
          --set peeringState='Initiated'

Hybrid Connections

Site-to-site VPN

• Two VPN devices connect to each other.
• Flow
  1. Deploy a VPN Gateway resource in Azure
     • Requires gateway subnet (or DMZ subnet).
     • Different SKUs: Basic, VpnGw1, VpnGw2, VpnGw3
       • You get more bandwidth, site-to-site and point-to-site points.
       • Don't use basic for production
     • You can see the deployed VPN Gateway in Connected Devices in subnet.
  2. Deploy a Local Network Gateway as well.
     • For your on-prem gateway device, you need to set up one of the route table configurations:
       • PolicyBased
         • Handle route tables manually
         • ❗ Does not work with BGP failover, active-to-active configurations
         • RouteBased
           • 💡 Always use if possible
           • Some VPN devices do not support it
           • What's compatible is documented on Microsoft docs.
  3. Create a connection between two gateways
     • Create local-to-azure in Local Network Gateway
     • Create azure-to-local in VPN Gateway
     • In Shared Key in connection blade, specify a key.

Point-to-site VPN

• Allows access to Azure resources through VPN tunnel from a client agent.
• More portable way
• Flow
  1. On Azure deploy VPN gateway
  2. In Point-to-site configuration blade download VPN client
  3. Deploy agent (a VPN Client) from VPN gateway
  4. Install on individual endpoints (e.g. laptops)
• Allows connection outside network perimeter

Azure ExpressRoute

• High speed secure connection between on-prem and cloud

Best practices for High Availability

• Combine ExpressRoute and VPN
  • In gateway subnet
    • Deploy ExpressRoute gateway
    • Deploy VPN Gateway
  • Both gateways gives access to front-end tier and a jump box in a management subnet
  • If ExpressRoute goes down VPN gateway gets activated
• Deploy two VPNs
  • Requires enabling BGP in gateway link
    • Robust routing
    • Enable active-to-active connection configuration
    • ❗ Only allowed RouteBased routing configuration
  • Two VPN gateways on-prem
    • Allows redundant active-to-active connection to single gateway.
    • You have one active and one stand-by gateway

System Routes vs. User-defined Routes

• Situations
  • You need to move one VM to another VNet.
    • It requires re-deploying
  • Isolation and segmentations
    • E.g. development / production VNet
  • Hub & Spoke Topology
    • Hub: VNet have Virtual Network Appliance (e.g. firewall), or gateway
      • ❗️ Virtual Network Appliance as it costs both money and resources.
    • Spokes
      • Other VNets (e.g. front-end, back-end)
      • You can force communicates with each other through Hub.
• Internet calls and calls from internet
  • Handled by Azure using system routes
  • You don't need to manipulate them
• If you want to override system routes (e.g. for Hub & Spoke topology)
  • You need User Defined Routing
  • For network appliance you need to configure IP forwarding
    • Enables it to pass on traffic that it's not destined for itself.