Microsoft Azure Integration and Security exam AZ-101 – Resources Part 3 – Implement Advanced Virtual Networking

Implement Advanced Virtual Networking 30-35%

John Savill has a fantastic course on designing an Azure Networking Strategy here. I hold John in high regard and would recommend any of his courses.

Before approaching the following two load balancing objectives, I recommend giving this a read.

Implement application load balancing

Regarding the Application Gateway and Load Balancer, I find it useful to draw parallels between these features and the HAProxy project.

HAProxy can get involved in TCP and HTTP flows. The HTTP mode draws parallels to the Azure Application Gateway, the TCP mode to the Azure Load Balancer. There isn’t feature parity, but for the sake of discussion, these are my analogies from HAProxy to Azure services.

May include but not limited to:
Configure Application Gateway and load balancing rules;

The Application Gateway pricing can be found here. It has a per-hour charge depending on the type (size), a nominal data-processing charge and outbound data charges.

The Application Gateway relies on being deployed in a subnet in a VNet. The VNet doesn’t have to be one of your existing VNets; you can craft a VNet for the sole purpose of hosting the Application Gateway. But if you intend to serve data from Virtual Machines or Scale Sets in an existing VNet, the Application Gateway must be in the same VNet as those resources. Whether you use a new VNet or an existing one, the subnet used for the Application Gateway should be an empty subnet or a subnet with no other resource types besides Application Gateways.

Each V1 Application Gateway (V2s scale slightly higher but are in preview as of Jan 2019), standard or WAF (Web Application Firewall), can scale between one and seventy-five VMs (instances). Your subnet should be big enough to cope with each Application Gateway or Gateways and any private frontend IP addresses you might choose to deploy.

https://azure.microsoft.com/en-gb/services/application-gateway/

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ilb-arm

Implement front end IP configurations;

https://docs.microsoft.com/en-us/azure/application-gateway/tutorial-manage-web-traffic-powershell#create-an-application-gateway
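The following is an added example, not code from the original post, showing the pieces the Application Gateway objectives above are asking about in one Az PowerShell deployment: a dedicated, otherwise empty subnet for the gateway, a public frontend IP configuration, a frontend port, a backend pool with HTTP settings, a listener, a routing rule, and a WAF-tier SKU. Every name, address range and the resource group are assumptions; the backend IP addresses are constructed stand-ins for your web servers.

```powershell
# Added example (not from the original post): deploy a WAF-SKU Application
# Gateway into its own subnet with a public frontend IP, an HTTP listener and
# one basic routing rule. Names, address ranges and the resource group are
# assumptions; the backend addresses are constructed placeholders.
$rg       = 'rg-appgw-demo'      # assumed resource group (created below)
$location = 'uksouth'            # assumed region

New-AzResourceGroup -Name $rg -Location $location

# Dedicated subnet for the gateway: nothing else may live in it. A /24 leaves
# room for the instances (up to 75 on V1) and any private frontend IPs.
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'AppGatewaySubnet' -AddressPrefix '10.0.0.0/24'
$webSubnet = New-AzVirtualNetworkSubnetConfig -Name 'WebSubnet'        -AddressPrefix '10.0.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-appgw' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $gwSubnet, $webSubnet

# Public IP for the frontend (a V1 gateway uses a dynamic Basic public IP)
$pip = New-AzPublicIpAddress -Name 'pip-appgw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic

# Re-read the subnet so the object carries its Azure resource ID
$vnet     = Get-AzVirtualNetwork -Name 'vnet-appgw' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'AppGatewaySubnet' -VirtualNetwork $vnet

# Gateway IP configuration: which subnet the gateway instances sit in
$gipConfig = New-AzApplicationGatewayIPConfiguration -Name 'appgw-ipconfig' -Subnet $gwSubnet

# Frontend IP configuration and frontend port
$feIp   = New-AzApplicationGatewayFrontendIPConfig -Name 'appgw-frontend-ip' -PublicIPAddress $pip
$fePort = New-AzApplicationGatewayFrontendPort -Name 'appgw-frontend-port' -Port 80

# Backend pool (constructed private addresses of the web servers) plus the
# HTTP settings used to talk to them
$pool = New-AzApplicationGatewayBackendAddressPool -Name 'appgw-backend-pool' `
    -BackendIPAddresses '10.0.1.4', '10.0.1.5'
$httpSettings = New-AzApplicationGatewayBackendHttpSetting -Name 'appgw-http-settings' `
    -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30

# Listener and load-balancing rule tie the frontend to the backend
$listener = New-AzApplicationGatewayHttpListener -Name 'appgw-listener' -Protocol Http `
    -FrontendIPConfiguration $feIp -FrontendPort $fePort
$rule = New-AzApplicationGatewayRequestRoutingRule -Name 'appgw-rule-http' -RuleType Basic `
    -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $httpSettings

# WAF tier, two instances, OWASP 3.0 rule set in Prevention mode so matching
# requests are blocked rather than only logged
$sku = New-AzApplicationGatewaySku -Name WAF_Medium -Tier WAF -Capacity 2
$waf = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true `
    -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion '3.0'

New-AzApplicationGateway -Name 'appgw-demo' -ResourceGroupName $rg -Location $location `
    -Sku $sku -WebApplicationFirewallConfiguration $waf `
    -GatewayIPConfigurations $gipConfig -FrontendIPConfigurations $feIp -FrontendPorts $fePort `
    -BackendAddressPools $pool -BackendHttpSettingsCollection $httpSettings `
    -HttpListeners $listener -RequestRoutingRules $rule
```

Provisioning takes a while; once it finishes, the public IP of pip-appgw answers on port 80 and forwards to the pool. To add a private frontend as well, create a second frontend IP configuration with -SubnetId and -PrivateIPAddress pointing into the same gateway subnet and pass both configurations to -FrontendIPConfigurations.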

Manage application load balancing;

https://docs.microsoft.com/en-gb/azure/application-gateway/quick-create-portal

Implement Azure load balancer

May include but not limited to:
Configure internal load balancer, load balancing rules, and public load balancer;

The Azure Load Balancer pricing only applies to the standard SKU; the basic SKU is free. But the features on basic are a little disappointing.

Internal Load Balancer;

To make use of the Internal Load Balancer, you first need to understand the constructs it can send traffic to as a backend. The basic SKU can only target Availability Sets, VM Scale Sets and a single VM. The standard SKU behaves more as you’d expect.

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-basic-internal-portal

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-get-started-ilb-arm-ps

Public Load Balancer;

For me, a key thing to mention is that you must whitelist the traffic in any NSGs associated with the VNet subnets and/or IaaS VM network interfaces that sit in the path from the Load Balancer to the IaaS VMs, on the port the Load Balancer is sending traffic to. From the VMs’ perspective, that traffic appears to come from the Internet.
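The following is an added example, not code from the original post, covering the load balancer objectives above: a standard-SKU public Load Balancer with a health probe and a load balancing rule, and then the NSG whitelisting the paragraph above calls for, attached to the backend subnet. The NSG admits only the load-balanced port from the Internet service tag and the platform health probes from the AzureLoadBalancer service tag; everything else is left to the default deny. Names, address ranges, the resource group and the existing VNet are assumptions.

```powershell
# Added example (not from the original post): Standard-SKU public load
# balancer (frontend, backend pool, HTTP probe, rule) plus an NSG on the
# backend subnet that admits only the load-balanced port. Names, addresses
# and the resource group are assumptions.
$rg       = 'rg-lb-demo'
$location = 'uksouth'
New-AzResourceGroup -Name $rg -Location $location

# Standard SKU load balancers require a Standard, static public IP
$pip = New-AzPublicIpAddress -Name 'pip-lb' -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static

$feIp  = New-AzLoadBalancerFrontendIpConfig -Name 'lb-frontend' -PublicIpAddress $pip
$pool  = New-AzLoadBalancerBackendAddressPoolConfig -Name 'lb-backend-pool'
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-http' -Protocol Http -Port 80 `
    -RequestPath '/' -IntervalInSeconds 15 -ProbeCount 2
$rule  = New-AzLoadBalancerRuleConfig -Name 'rule-http' -Protocol Tcp `
    -FrontendPort 80 -BackendPort 80 -FrontendIpConfiguration $feIp `
    -BackendAddressPool $pool -Probe $probe -IdleTimeoutInMinutes 4

New-AzLoadBalancer -Name 'lb-public' -ResourceGroupName $rg -Location $location -Sku Standard `
    -FrontendIpConfiguration $feIp -BackendAddressPool $pool -Probe $probe -LoadBalancingRule $rule

# NSG for the backend subnet. A Standard load balancer is closed by default:
# with no allow rule, frontend traffic never reaches the VMs. Rule 100 admits
# client traffic (which the VM sees as coming from the Internet) on port 80
# only. Rule 110 admits the platform health probes via the AzureLoadBalancer
# tag; the default rule at priority 65001 already does this, but an explicit
# rule survives someone adding a broad Deny above the defaults.
$allowHttp = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP-From-Internet' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange 80
$allowProbe = New-AzNetworkSecurityRuleConfig -Name 'Allow-LB-HealthProbe' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix AzureLoadBalancer -SourcePortRange '*' `
    -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange 80

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg -Location $location `
    -SecurityRules $allowHttp, $allowProbe

# Attach the NSG to the backend subnet of an existing VNet (assumed names)
$vnet = Get-AzVirtualNetwork -Name 'vnet-lb' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -Name 'WebSubnet' -VirtualNetwork $vnet `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork
```

For an internal load balancer, swap the frontend for New-AzLoadBalancerFrontendIpConfig with -SubnetId and -PrivateIpAddress instead of -PublicIpAddress; the NSG rule then needs the real client source range in place of the Internet tag. VMs are put behind the balancer by adding their NIC IP configurations to the backend pool.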

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-create-basic-load-balancer-portal

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal

Manage Azure load balancing;

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal#remove-or-add-vms-from-the-backend-pool

Monitor and manage networking

Azure Network Watcher pricing is dependent on your log volumes.

Tim Warner’s course on Pluralsight helps plenty with this subject.

https://app.pluralsight.com/library/courses/azure-network-watcher-troubleshooting/table-of-contents

May include but not limited to:
Monitor on-premises connectivity;

Network Watcher only really works if you’re using the native Azure VPN Gateway. Any Network Virtual Appliances (NVAs) won’t be diagnosed by the VPN Troubleshoot tool within Network Watcher.

You’ll need a storage account and container to drop the logs for the VPN Troubleshoot tool to start monitoring the connection of the gateway.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

You could also stand up a connection monitor from an IaaS VM to an on-premises VM endpoint. This is dependent on the Azure Network Watcher Extension being installed and available on the source IaaS VM.

Use network resource monitoring and Network Watcher;

Network resources? I guess this could count as using a connection monitor instance to monitor to/from a couple of IaaS VMs’ network interfaces. Strictly speaking, an Azure Network Interface is a resource, and therefore a network resource. Sorry I can’t bring more clarity on this one.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

IP Flow verify can give you a bottom-up view on whether NSGs are getting in the way of a flow you’re troubleshooting.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Effective Security Rules gives you a top-down view of which rules are in effect on any given IaaS VM’s network interface.
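The following is an added example, not code from the original post, putting both Network Watcher views above side by side for one VM: IP Flow Verify answers "would this one packet be admitted, and which rule decided that?", and Effective Security Rules lists every rule actually applied to the NIC (subnet NSG, NIC NSG and platform defaults) in evaluation order. The resource group, VM name and the client address are assumptions; the client address is a constructed one from the TEST-NET-3 documentation range.

```powershell
# Added example (not from the original post): bottom-up check of one inbound
# HTTP flow with IP Flow Verify, then the top-down list of rules in effect on
# the VM's NIC. Resource names and the remote address are assumptions.
$rg  = 'rg-lb-demo'                                   # assumed resource group
$vm  = Get-AzVM -Name 'vm-web-01' -ResourceGroupName $rg   # assumed VM
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nw  = Get-AzNetworkWatcher -Location $vm.Location    # the region's Network Watcher instance

# Bottom-up: would a client packet to port 80 be admitted? The result carries
# Access (Allow/Deny) and RuleName, the NSG rule that made the decision.
$result = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -Direction Inbound -Protocol TCP `
    -LocalIPAddress $nic.IpConfigurations[0].PrivateIpAddress -LocalPort 80 `
    -RemoteIPAddress '203.0.113.10' -RemotePort 49152   # constructed client (TEST-NET-3)
"Inbound TCP/80 from 203.0.113.10: {0} (rule {1})" -f $result.Access, $result.RuleName

# Same check for a port nothing should allow; a Deny here is what you expect
$rdp = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -Direction Inbound -Protocol TCP `
    -LocalIPAddress $nic.IpConfigurations[0].PrivateIpAddress -LocalPort 3389 `
    -RemoteIPAddress '203.0.113.10' -RemotePort 49153
"Inbound TCP/3389 from 203.0.113.10: {0} (rule {1})" -f $rdp.Access, $rdp.RuleName

# Top-down: every inbound rule in effect on the NIC, merged from the subnet
# NSG, the NIC NSG and the platform defaults, in the order packets hit them.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rg |
    ForEach-Object { $_.EffectiveSecurityRules } |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

If the first check returns Deny while the load balancer rule is in place, the RuleName tells you which NSG (subnet or NIC level) is intercepting the flow; the effective-rules table then shows whether a higher-priority Deny sits above your Allow.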

Manage external networking and virtual network connectivity;

https://docs.microsoft.com/en-us/azure/network-watcher/view-relative-latencies

Integrate on premises network with Azure virtual network

May include but not limited to:
Create and configure Azure VPN Gateway;

From a real world perspective, I’ve operated an Azure Virtual Network Gateway on the “VpnGw1” SKU to an on-premises Cisco ASA running the latest ASA code. My experience wasn’t that pleasant in that we lost VPN connectivity a few times and that forced my hand into considering a Network Virtual Appliance (NVA). We now run a Cisco ASAv10 in Azure with a better track record. The VPN on the Azure side has remained stable with our on-premises ASAs causing us more trouble than the ASAv in Azure, now.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#VNetGateway

Create and configure site to site VPN;

The exam requires you to understand Azure’s own Virtual Network Gateway (VNG) offering. This exam doesn’t cover any of the Network Virtual Appliances (NVAs) that are in the Virtual Machine marketplace and can be used instead of the VNG, such as Cisco ASAv/CSRv (BYOL) and Palo Alto VM-Series Next Generation Firewall (BYOL).

The Azure VNG is a pair of VMs for high availability that are spun up invisibly to you in the portal, abstracted away into the VNG resource. Whilst it’s possible to use a /29 “GatewaySubnet”, you should choose a /28 or /27 to support the possibility that you may choose Azure ExpressRoute at a later date.

Do not apply any Network Security Groups to the “GatewaySubnet” resource.
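The following is an added example, not code from the original post, walking the site-to-site objectives above end to end with Az PowerShell: a /27 "GatewaySubnet" (no NSG), a route-based VpnGw1 Virtual Network Gateway, a local network gateway describing the on-premises device, and the IPsec connection between them. The resource group, VNet, address ranges and the on-premises public IP are assumptions; the on-premises address is a placeholder from the TEST-NET-2 documentation range and the pre-shared key is prompted for rather than written into the script.

```powershell
# Added example (not from the original post): GatewaySubnet, VpnGw1 gateway,
# local network gateway and IPsec connection. Names, ranges and the
# on-premises IP are placeholders/assumptions.
$rg       = 'rg-vpn-demo'
$location = 'uksouth'

# The subnet must be named exactly "GatewaySubnet". A /27 leaves headroom for
# an ExpressRoute gateway later. Do not attach an NSG to it.
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg        # assumed existing VNet
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27' -VirtualNetwork $vnet
$vnet     = $vnet | Set-AzVirtualNetwork
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Public IP and IP configuration for the gateway (VpnGw1 used a dynamic Basic
# public IP at the time of writing)
$gwPip = New-AzPublicIpAddress -Name 'pip-vng' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic
$gwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'vng-ipconfig' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $gwPip.Id

# The gateway itself: route-based, VpnGw1 SKU. Provisioning can take 45 minutes.
$vng = New-AzVirtualNetworkGateway -Name 'vng-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local network gateway: the on-premises device's public IP and the prefixes
# reachable behind it (placeholder values)
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '198.51.100.1' -AddressPrefix '192.168.0.0/16'

# IPsec connection. The pre-shared key is read interactively so it never
# lands in the script or shell history; the same value goes on the ASA side.
$psk = Read-Host -Prompt 'Pre-shared key for the site-to-site tunnel'
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk

# Once the on-premises side is configured, the status should move to Connected
Get-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

The public IP of pip-vng (shown by Get-AzPublicIpAddress once the gateway exists) is the peer address you configure on the on-premises device, together with the VNet address space as the remote network and the same pre-shared key.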

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Configure Express Route;

ExpressRoute exists because, in comparison to Site-to-Site VPNs, it offers:

  • Consistent latency
  • Predictable performance
  • An SLA
  • Redundancy
  • Higher throughput options (9Gbps maximum)

It doesn’t use the public Internet to pass your internal traffic to the Azure Virtual Networks, so there’s no IPsec involved in the flow.

Whilst I understand that there are organisations that might choose ExpressRoute because of scale (attaching ExpressRoute to your existing MPLS cloud has benefits) or some other largesse, my steer, if you need access to Azure Virtual Networks, would be to use Site to Site VPN constructs using either the Azure VPN Gateway or Network Virtual Appliances (NVAs) wherever possible.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-circuit-portal-resource-manager

Verify on premises connectivity;

My belief is that both these exam objectives assume you’re using Azure Virtual Network Gateway or Express Route to connect your on-premises network to Azure.

If you are to use Network Performance Monitor for your ExpressRoute circuits, a prerequisite is to have the Azure Log Analytics extensions installed both at the on-premises site and in the Azure tenant in which the ExpressRoute circuit terminates, to generate data for OMS to report on.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

https://docs.microsoft.com/en-us/azure/network-watcher/diagnose-communication-problem-between-networks

Manage on-premises connectivity with Azure

This could mean either the Azure VPN Gateway or ExpressRoute. ExpressRoute is basically impossible to replicate in your own Azure tenant unless you have your organisation running ExpressRoute into your Managed WAN or on-premises environment.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
