Showing posts with label Azure.

Wednesday, 10 April 2019

Virtual Networking


VNET - Customer-managed, isolated virtual network in Azure.

·        Services and VMs that are part of a VNET can reach each other (the default NSG rule AllowVnetInBound permits all intra-VNET traffic unless you add explicit deny rules).

·        Each VNET can be divided into as many subnets as its address space allows.

·        All services deployed within a VNET can reach the internet outbound by default (default rule AllowInternetOutBound); inbound from the internet needs a public IP or load balancer and an allow rule.

Types of VNETs

·        Cloud-only VNET

o   A VNET created in Azure with no connection to your own network.

o   VMs and services are reached through their endpoints (public IPs or load balancers).

o   No VPN device configuration is required.

·        Cross-premises virtual network (hybrid network)

o   Connects an on-premises network to the cloud VNET through a site-to-site tunnel.

o   Requires a VPN device on premises.

VNet address space and subnets

o   Specify the topology during VNET creation: address space and subnets.

o   Private address space

§  This is the range VMs and services can use.

§  Not routable on the public internet (these addresses cannot be reached from public networks).

§  Specified in CIDR notation (classless inter-domain routing). The RFC 1918 private ranges are:

·        10.0.0.0/8: 10.0.0.0 to 10.255.255.255

·        172.16.0.0/12: 172.16.0.0 to 172.31.255.255

·        192.168.0.0/16: 192.168.0.0 to 192.168.255.255

o   Subnet

§  Breaks the network into more manageable sections.

§  By default all services can reach each other across subnets of the same VNET.

§  Network security groups (NSGs) can be attached to a subnet or a NIC to implement allow/deny rules.
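Before creating a VNET it pays to check the address plan on paper: every prefix should be inside one of the RFC 1918 ranges above, subnets must fit inside their VNET, and the VNET must not overlap any on-premises range or point-to-site client pool you will later connect to it, or routing becomes ambiguous. The following PowerShell is an added example, not part of the original post; it uses no Azure module and the prefix names and values in the sample plan are made up.

```powershell
# Added example: validate an IPv4 address plan (RFC 1918 membership + mutual overlap) before building the VNET.
# Runs on Windows PowerShell 5.1 or PowerShell 7 with no Azure dependencies.
$AllOnes = ([long]1 -shl 32) - 1   # 0xFFFFFFFF as a positive 64-bit value (a hex literal would read as -1)

function ConvertTo-IPv4Number {
    # Dotted-quad string -> 32-bit number held in a [long].
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # 4 bytes, network byte order
    [long]$n = 0
    foreach ($b in $bytes) { $n = ($n -shl 8) -bor [long]$b }
    return $n
}

function Get-PrefixRange {
    # CIDR block -> first and last address as numbers (the network and broadcast addresses).
    param([string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Not a CIDR prefix: $Cidr" }
    $ip, $len = $Cidr.Split('/')
    $len = [int]$len
    if ($len -gt 32) { throw "Prefix length over 32 in $Cidr" }
    $mask  = ($AllOnes -shl (32 - $len)) -band $AllOnes
    $start = (ConvertTo-IPv4Number $ip) -band $mask
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = ($start -bor ($AllOnes -bxor $mask)) }
}

function Test-RangeOverlap {
    param($A, $B)
    return ($A.Start -le $B.End) -and ($B.Start -le $A.End)
}

function Test-Rfc1918 {
    # True when the whole block sits inside 10/8, 172.16/12 or 192.168/16.
    param($Range)
    foreach ($p in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $r = Get-PrefixRange $p
        if ($Range.Start -ge $r.Start -and $Range.End -le $r.End) { return $true }
    }
    return $false
}

function Test-AddressPlan {
    # $Plan is an ordered hashtable of name -> CIDR. A subnet is expected to overlap its own VNET,
    # so a pair where one name is "<other name>/<something>" is treated as parent/child and skipped.
    param([System.Collections.Specialized.OrderedDictionary]$Plan)
    $ranges = @{}
    foreach ($k in $Plan.Keys) { $ranges[$k] = Get-PrefixRange $Plan[$k] }
    $findings = @()
    foreach ($k in $Plan.Keys) {
        if (-not (Test-Rfc1918 $ranges[$k])) { $findings += "$k ($($Plan[$k])) is not an RFC 1918 private range" }
    }
    $names = @($Plan.Keys)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            $a = $names[$i]; $b = $names[$j]
            if ($a.StartsWith("$b/") -or $b.StartsWith("$a/")) { continue }   # subnet inside its own VNET
            if (Test-RangeOverlap $ranges[$a] $ranges[$b]) { $findings += "$a ($($Plan[$a])) overlaps $b ($($Plan[$b]))" }
        }
    }
    return $findings
}

# Constructed sample plan (made-up values): an Azure VNET with two subnets, an on-premises LAN that will
# later be joined by a site-to-site tunnel, a point-to-site client pool, and a partner range.
$plan = [ordered]@{
    'vnet'          = '10.10.0.0/16'
    'vnet/snet-web' = '10.10.1.0/24'
    'vnet/snet-db'  = '10.10.2.0/24'
    'onprem-lan'    = '10.10.0.0/24'      # collides with the VNET: S2S routing would be ambiguous
    'p2s-pool'      = '172.16.201.0/24'   # must not overlap the VNET or on-prem ranges
    'partner'       = '203.0.113.0/24'    # public address space, flagged
}
$result = Test-AddressPlan $plan
if ($result) { $result } else { 'Address plan OK' }
```

For the sample plan this reports that `partner` is not RFC 1918 and that `vnet` overlaps `onprem-lan`; the two subnets are accepted because they lie inside `vnet`, and the point-to-site pool is clean. Run the same check again whenever a new on-premises site or peered VNET is added.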


Monday, 8 January 2018

Azure VNET

VNet creation and NSG.
VNET creation:

Subnet:

Inbound/outbound rules:

VIP - public (virtual) IP address.
DIP - private (dynamic, internal) IP address assigned inside the VNET.
Click on Subnets and add an NSG to your subnet. The NSG must be created before it can be assigned to a subnet.
NSG creation and adding security rules:
·        Go to Network security groups -> provide a name, the same resource group as the VNET and the same location -> Create.
·        Add the inbound and outbound rules that you want to apply to the subnet. Rules are evaluated in priority order (lowest number first) and the first match ends evaluation; every NSG also carries default rules at priorities 65000 to 65500 that allow all traffic inside the VNET and all outbound traffic to the internet and deny everything else inbound, so anything you want blocked between subnets needs an explicit deny rule with a lower priority number.
You can use these rules to block or allow specific traffic passing from one side to the other:
·        Inbound rules (internet or other networks to your subnet) restrict access by outsiders to private resources, selectively allowing only specific sources to reach specific ports.
·        Outbound rules (your subnet to the internet or other networks) determine what outside resources local VMs can reach.
NSG rules are enforced by the Azure network fabric outside the VM, so they still apply if the guest's Windows Firewall is turned off. The Windows Firewall is a separate layer inside the VM; with it off, the NSG is the only filter in front of the VM, so keep both.
·        An NSG can be associated with a subnet, with an individual NIC, or both; when both apply, traffic must be allowed by both.
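The VNET, subnet and NSG setup described above, done with the Az PowerShell module rather than the portal, as an added example that is not part of the original post. It assumes Az.Resources and Az.Network are installed and Connect-AzAccount has been run; the resource group, region, names, prefixes and the admin source range are all made-up values. It goes slightly beyond the post by showing the least-privilege pattern a security engineer would actually apply: explicit allows, an explicit deny below them that overrides the default AllowVnetInBound rule, and an outbound deny for the data tier.

```powershell
# Added example: VNET with two subnets and least-privilege NSGs (Az module). All names/prefixes are assumptions.
$rg        = 'rg-vnet-demo'
$loc       = 'westeurope'
$adminCidr = '203.0.113.0/24'   # hypothetical corporate egress range allowed to reach SSH

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# 1. VNET with two subnets. The default rule AllowVnetInBound (priority 65000) lets every subnet
#    reach every other subnet, so tier separation below is done with explicit NSG rules.
$snetWeb = New-AzVirtualNetworkSubnetConfig -Name 'snet-web' -AddressPrefix '10.10.1.0/24'
$snetDb  = New-AzVirtualNetworkSubnetConfig -Name 'snet-db'  -AddressPrefix '10.10.2.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg -Location $loc `
            -AddressPrefix '10.10.0.0/16' -Subnet $snetWeb, $snetDb

# 2. Web-tier NSG. Lower priority number wins and the first match ends evaluation.
$webRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-Internet' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.10.1.0/24' -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'Allow-SSH-From-Admin' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '10.10.1.0/24' -DestinationPortRange 22
    # Explicit deny at 4000: sits below the allows but above the 65000 default, so other subnets
    # in the VNET can no longer reach 22/3389 on the web tier either.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$nsgWeb = New-AzNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg -Location $loc -SecurityRules $webRules

# 3. DB-tier NSG: only the web subnet may open TCP 1433, nothing else inbound, and no internet egress
#    (the default AllowInternetOutBound at 65001 would otherwise let a compromised DB host call out).
$dbRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-SQL-From-Web' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix '10.10.1.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.10.2.0/24' -DestinationPortRange 1433
    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Outbound' -Priority 4000 -Direction Outbound -Access Deny `
        -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'
)
$nsgDb = New-AzNetworkSecurityGroup -Name 'nsg-db' -ResourceGroupName $rg -Location $loc -SecurityRules $dbRules

# 4. Associate each NSG with its subnet (both must already exist) and commit the VNET.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' -AddressPrefix '10.10.1.0/24' -NetworkSecurityGroup $nsgWeb | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-db'  -AddressPrefix '10.10.2.0/24' -NetworkSecurityGroup $nsgDb  | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 5. Check: print custom and default rules of the web NSG in the order Azure evaluates them.
$nsgWeb = Get-AzNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg
@($nsgWeb.SecurityRules) + @($nsgWeb.DefaultSecurityRules) |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

Step 5 is the check worth keeping in a runbook: the listing makes the default rules visible next to your own, which is where surprises usually hide. Note that an NSG on a subnet does not replace the guest firewall inside the VM; the two are independent layers.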

Some important protocols and ports in networking.

TCP: Transmission Control Protocol (connection-oriented). UDP: User Datagram Protocol (connectionless).

Protocol                                        Port(s)                          Transport
FTP - File Transfer Protocol                    20 (data), 21 (control)          TCP
TFTP - Trivial File Transfer Protocol           69                               UDP
SFTP - SSH File Transfer Protocol               22 (runs inside SSH)             TCP
SSH - Secure Shell                              22                               TCP
TELNET                                          23                               TCP (cleartext; avoid)
SMTP - Simple Mail Transfer Protocol            25; 465 over SSL/TLS             TCP
POP3 - Post Office Protocol                     110; 995 over SSL/TLS            TCP
IMAP4 - Internet Message Access Protocol        143; 993 over SSL/TLS            TCP
HTTP - Hypertext Transfer Protocol              80                               TCP
HTTPS - Hypertext Transfer Protocol Secure      443                              TCP
LDAP - Lightweight Directory Access Protocol    389                              TCP
RDP - Remote Desktop Protocol                   3389                             TCP (UDP also used)
SNMP - Simple Network Management Protocol       161 (agent), 162 (traps)         UDP
NTP - Network Time Protocol                     123                              UDP
SIP - Session Initiation Protocol               5060; 5061 over TLS              TCP/UDP
RTSP - Real Time Streaming Protocol             554                              TCP (UDP also registered)


Hybrid network connectivity

·        Connecting an on-premises network to an Azure virtual network
·        Connecting one Azure VNet to another VNet
The following options are available for cross-premises connectivity:
·        Point-to-Site VPN
·        Site-to-Site VPN
·        ExpressRoute (a private circuit that does not traverse the public internet)
·        VNet-to-VNet
·        Multi-site VPN
VPN gateways:
Point-to-site and site-to-site both require setting up a VPN gateway, which lives in a dedicated subnet of the VNet named GatewaySubnet.
Two types of VPN gateway:
·        Static routing VPN gateway (policy-based VPN). Encrypts and encapsulates a subset of the traffic flowing through an interface according to a defined policy; the policy (the IPsec traffic selectors) dictates the "interesting traffic". A policy-based gateway supports only a single site-to-site tunnel.
·        Dynamic routing VPN gateway (route-based VPN). A tunnel interface is employed; any traffic routed to the tunnel interface is placed into the VPN.
Multi-site VPN, VNet-to-VNet and point-to-site all require a dynamic routing (route-based) VPN gateway.
Point-to-Site VPN
Gives an organization's employees/users access to the organization's network from anywhere.
·        Individual client machines connect to the Azure VNet using a traditional VPN client.
·        Utilizes SSTP (Secure Socket Tunneling Protocol), which runs over TCP 443 and therefore passes most firewalls and proxies.
·        Uses certificate authentication between client computers and the VNet: a root certificate is uploaded to Azure and each client presents a certificate issued from that root.
·        Individually configured: a VPN client package is installed on each client computer.
Sequence of steps to establish a Point-to-Site VPN
1.      Create a VNet in Azure.
2.      Create a gateway subnet and a virtual network gateway from the management portal or PowerShell.
a.      In the VNet subnet section, create the gateway subnet (it must be named GatewaySubnet). This subnet holds the gateway instances themselves; the address range handed out to VPN clients is a separate pool configured in step 6.
b.      Go to Virtual network gateway, choose gateway type VPN and VPN type route-based, and provide the remaining information.
3.      Create a self-signed root certificate.
a.      makecert.exe (part of the Windows SDK; deprecated but still usable) creates the root certificate. Run dir /s makecert.exe in a command prompt to find out whether it exists on the machine; if not, install it with the Windows SDK.
b.      Before running makecert, open the certificate console: type mmc in Win+R -> File -> Add/Remove Snap-in -> Certificates -> Add -> My user account -> Finish.
c.      cd to the makecert location and run: makecert -sky exchange -r -n "CN=VnetP2SRootCer" -pe -a sha256 -len 2048 -ss My .\VnetP2SRootCertOrg.cer (the original used -a sha1; SHA-1 signatures are deprecated, so use sha256).
d.      You should see the root certificate in the mmc console under Personal > Certificates.
4.      Create a self-signed client certificate from the root certificate.
a.      Run: makecert -n "CN=VnetP2SClient" -pe -sky exchange -m 96 -ss My -in "VnetP2SRootCer" -is My -a sha256 (-m 96 gives a 96-month validity; a shorter lifetime is safer for a credential that is awkward to revoke).
b.      You should see the client certificate in the mmc console under Personal > Certificates.
5.      Export the root and client certificates from the certificate store.
a.      Right-click the root cert -> All Tasks -> Export -> No, do not export the private key -> select Base-64 encoded X.509 (.CER) -> Save. Keep the root's private key where only administrators can reach it: whoever holds it can mint client certificates that the gateway will accept.
b.      Right-click the client cert -> All Tasks -> Export -> Yes, export the private key -> provide a strong password -> Save (.pfx).
6.      Upload the root authentication certificate to Azure.
a.      Open the exported root .cer file in a text editor (EditPlus/Visual Studio), drop the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, join the Base-64 text into a single line and copy it.
b.      In the portal go to Virtual network gateway -> Point-to-site configuration -> enter a client address pool that does not overlap the VNet address space (or your on-premises ranges) -> paste the copied root certificate data and save.
7.      Install the client certificate on the client machine to authenticate to the VNet.
a.      Install the client .pfx on the user's machine by double-clicking it -> enter the password -> Next (keep the defaults) -> Finish.
b.      You should see the client certificate in the mmc console under Current User > Personal > Certificates (not in a trusted root folder: it is the client's credential, not a trust anchor).
8.      Install the client VPN package downloaded from Azure.
a.      Download the VPN client package from the virtual network gateway's point-to-site configuration and install it on the machine.
b.      A VPN connection named after the VNet appears in the Windows network settings.
9.      Establish the VPN and verify connectivity.
a.      Open the network settings and connect to the VNet.
b.      You can now reach VNET resources on their private IPs.
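Steps 2 to 6 and 8 of the procedure above can be scripted end to end. The block below is an added PowerShell example, not the original post's procedure: it uses New-SelfSignedCertificate (the supported replacement for makecert) for the root and client certificates, then the Az module for the GatewaySubnet, the route-based gateway, the client pool, the root certificate upload and the client package URL. The resource group, region, VNet name, prefixes and certificate names are assumptions; it expects Az.Network installed, Connect-AzAccount done, and an existing VNet.

```powershell
# Added example: point-to-site VPN with certificate authentication, scripted. Names/prefixes are assumptions.
$rg = 'rg-vnet-demo'; $loc = 'westeurope'; $vnetName = 'vnet-demo'; $gwName = 'vpngw-demo'

# 1. Root and client certificates in the current user's Personal store (run in Windows PowerShell).
#    Root: 2048-bit, SHA-256, usable only for signing certificates.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=VnetP2SRootCer' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign
#    Client: issued by the root, with the Client Authentication EKU (1.3.6.1.5.5.7.3.2) the gateway expects.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'VnetP2SClient' -KeySpec Signature `
    -Subject 'CN=VnetP2SClient' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Public half of the root as one-line Base-64 (no header lines, no private key): exactly what Azure wants.
$rootB64 = [Convert]::ToBase64String($root.RawData)

# Client certificate plus private key as a password-protected PFX for the user's machine.
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath .\VnetP2SClient.pfx -Password $pfxPwd | Out-Null

# 2. GatewaySubnet (the name is mandatory). It hosts the gateway instances, not the VPN clients.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27' -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 3. Route-based gateway (point-to-site needs RouteBased), SSTP, a client pool that must not overlap the
#    VNet or on-premises ranges, and the root certificate registered at creation. Takes 30-45 minutes.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $loc -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$rootCert = New-AzVpnClientRootCertificate -Name 'VnetP2SRootCer' -PublicCertData $rootB64
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -VpnClientProtocol SSTP -VpnClientAddressPool '172.16.201.0/24' -VpnClientRootCertificates $rootCert

# 4. Generate the client package and print its download URL (step 8 of the procedure).
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod EapTls
$profile.VpnProfileSASUrl

# When a laptop is lost, revoke its client certificate by thumbprint; the root stays valid for everyone else.
# Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'lost-laptop' -VirtualNetworkGatewayName $gwName `
#     -ResourceGroupName $rg -Thumbprint $client.Thumbprint
```

Two practices fall out of scripting this. The root's private key never leaves the administrator's store (only $rootB64, the public half, goes to Azure), and each user gets a distinct client certificate so that revocation by thumbprint, shown in the last lines, removes one person rather than everyone.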

Sunday, 7 January 2018

Introduction to Cloud Computing


·        What is Cloud Computing
·        Cloud Characteristics
·        Cloud Computing Service Models
·        Deployment Models in Cloud Computing
·        Advantages and Disadvantages of Cloud Computing
What is Cloud Computing?
·        "Cloud" is a metaphor for the internet: when we say cloud, we are referring to services reached over the internet.
·        In the simplest terms, cloud computing means storing and accessing data and programs over the Internet instead of on our local computer's hard drive.
·        The phrase cloud computing means "a type of Internet-based computing" where different services, such as servers, storage and applications, are delivered to an organization's computers and devices through the Internet.
·        Cloud computing refers to a variety of services available over the Internet that deliver computing functionality on the service provider's infrastructure.
·        A cloud computing service consists of highly optimized data centers (third-party data centers from the end user's point of view) that provide various hardware, software and information resources when needed.
·        Cloud platforms hide the complexity and details of the underlying infrastructure from users and applications by providing a simple graphical interface or API (application programming interface).
·        The cloud platform provides on-demand services that are always on and reachable from anywhere, at any time.
Why are businesses moving to cloud?
In traditional hosting, a software company has to deal with licensing costs, protection of data, frequent upgrades to the latest technologies, maintenance and upgrading of hardware and, most important, finding the right skill sets at the right time.
Cloud Characteristics
Characteristics of cloud computing that distinguish it from traditional hosting:
·        Remotely hosted: services or data are hosted on remote infrastructure.
·        Ubiquitous: services or data are available from anywhere through the internet.
·        Resiliency: cloud providers generally mirror solutions to multiple data centers to minimize downtime in the event of a disaster.
·        On-demand self-service: a consumer can provision computing capabilities, such as server time and network storage, as needed, automatically, without requiring human interaction with each service's provider. It is sold on demand, mostly by the minute or hour (pay-as-you-go model).
·        Rapid elasticity: a user can utilize as much or as little of the cloud service as required. For example, resources (e.g. web servers) in the cloud can be scaled out to meet high traffic at peak times and scaled in at times of less traffic.
·        Broad network access: capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops and tablets).
·        Managed by the provider: the user is abstracted from the details of how the service is run. The provider takes care of the hardware, hypervisor patching and physical security, and resources are pooled and shared across tenants. Security is shared, not outsourced: identity, data classification, network rules and the configuration of your own resources remain your responsibility.
Cloud Computing Service Models
Cloud Computing = Software as a Service (SaaS)
  + Platform as a Service (PaaS)
  + Infrastructure as a Service (IaaS)
1)    IaaS (Infrastructure as a Service):
a. Delivers computer infrastructure, typically a platform virtualization environment, as a service.
b. Cloud providers build data centers and manage power, scale, hardware, networking, storage, distributed systems, etc.
c. Rather than purchasing servers, software, data center space or network equipment, clients buy those resources as a fully outsourced service.
d. E.g. Amazon Web Services (AWS), Rackspace Hosting, and private-cloud stacks from VMware and Citrix.
2) PaaS (Platform as a Service):
a. Provides developers the tools necessary to create, test, host and maintain their applications.
b. Cloud providers offer an Internet-based platform to developers who create services but do not want to build their own cloud.
c. E.g. Windows Azure (App Service), Google App Engine.
3) SaaS (Software as a Service):
a. From the end user's point of view the application is located in the cloud and is almost always accessed
through a web browser.
b. Any application hosted on a remote server that can be accessed over the Internet is considered SaaS.
c. E.g. Gmail, Google Apps (Office-like features), Salesforce CRM.

The following picture neatly summarizes the functionality of the three service models of the cloud.


Deployment Models in Cloud Computing
There are three main deployment models in Cloud Computing.
1. Public Cloud: 
·        These are the clouds which are open for use by general public and they exist beyond the firewall of an organization, fully hosted and managed by vendors.
·        Your data is stored in the provider’s data center and the provider is responsible for the management and maintenance of the data center.
·        Because you are sharing computing resources among a network of users, the public cloud offers greater flexibility and cost savings.
·        This is good option if your demand for computing resources fluctuates. You have to purchase the capacity on the basis of usage and can scale up or scale down server capabilities based on traffic and other dynamic requirements.
·        This type of cloud environment is appealing to many companies because it reduces lead times in testing and deploying new products.
·        Cons: you share the underlying hardware with other tenants and have no control over the physical infrastructure or over who else uses it.
Note: tenant isolation is the provider's responsibility and your data remains logically separated from other tenants'; most public-cloud incidents stem from customer misconfiguration (open storage, over-permissive network rules, leaked credentials) rather than from a breach of that isolation.
2. Private Cloud: 
·        A private cloud hosting solution, also known as an internal or enterprise cloud, resides on the company's intranet or in a hosted data center where all of your data is protected behind a firewall.
·        This can be a great option for companies who already have expensive data centers because they can use their current infrastructure.
·        You go for a private cloud when you have strict security and data privacy requirements.
·        Cons: the main drawback people see with a private cloud is that all management, maintenance and updating of the data centers is the responsibility of the company.
3. Hybrid Clouds:
·        They consist of external and internal providers, namely a mix of public and private clouds.
·        Secure and critical apps are managed by the organization and the less critical apps by the third-party vendor. For example, you can use a public cloud to interact with clients but keep their data within a private cloud. Many companies are now moving to hybrid clouds.
·        Ideal when you plan to migrate to a complete cloud solution as existing hardware expires, or when some applications or hardware are not ready for the cloud.
 Advantages and Disadvantages of Cloud Computing
Advantages of Cloud Computing: 
1. Lower Computer Cost
2. Improved Performance
3. Reduced Software Cost and Instant Software Updates
4. Unlimited Storage Capacity 
5. Universal Document Access
6. Increased data reliability 
7. Device Independence 

Disadvantage of Cloud Computing:
1. Requires a constant Internet connection.
2. Does not work well with low-speed connections.
3. Features might be limited based on the provider you choose.
4. Can be slow.
5. Stored data is only as secure as your configuration and the provider's controls; a misconfigured storage account is exposed to the whole internet.
6. If your data is stored abroad, whose laws and policies do you adhere to (data residency)?