VNET - customer-managed, secure, isolated virtual network in Azure.
VIP - public IP address.
Topics covered: VNet creation and NSGs; hybrid network connectivity.
· Services and VMs that are part of a VNET can reach each other (by default; NSGs can restrict this).
· Each VNET can have as many subnets as its address space allows.
· All services deployed in a VNET have outbound Internet access by default; inbound traffic from the Internet needs a public endpoint and an NSG rule that allows it.
Types of VNETs
· Cloud-only VNET
  o Created entirely in Azure, with no link to an on-premises network.
  o VMs and services are reached through public endpoints.
  o No VPN device needs to be configured.
· Cross-premises virtual network (hybrid network)
  o Connects the on-premises network with the cloud VNET through a site-to-site IPsec tunnel.
  o Requires a VPN device on the on-premises side.
VNet address space and subnets
o Specify the topology during VNET creation: the address space and its subnets.
o Private address space
  § This is the range VMs and services use. Pick one that does not overlap any on-premises range you may later connect to.
  § Not routable on the public Internet (these addresses cannot be reached directly from the public network).
  § Specified in CIDR notation (classless inter-domain routing); the RFC 1918 private ranges are:
    · 10.0.0.0/8: 10.0.0.0 to 10.255.255.255
    · 172.16.0.0/12: 172.16.0.0 to 172.31.255.255
    · 192.168.0.0/16: 192.168.0.0 to 192.168.255.255
o Subnets
  § Break the network up into more manageable sections.
  § By default all services can reach each other across subnets within the VNET.
  § Network security groups are used to implement filtering rules between them.
  § Azure reserves five addresses in every subnet (the first four and the last), so /29 is the smallest usable subnet.
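The CIDR arithmetic behind the address-space and subnet planning above, as an added example that is not part of the original post. It checks that subnets fit inside the VNet space without overlapping each other, that the space is RFC 1918, and that a point-to-site client address pool (which the later walkthrough requires to be non-overlapping) collides with neither the VNet nor on-premises ranges. Pure PowerShell (5.1 or 7), no Azure module, so it runs offline; the ranges at the bottom are constructed sample input.

```powershell
# Added example (not from the original post): CIDR parsing and overlap checks for
# planning a VNet address space, its subnets, and a point-to-site client pool.

function ConvertTo-AddressNumber {
    # Dotted-quad IPv4 address -> integer, kept as Int64 so arithmetic never goes negative.
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 is handled here: $Address"
    }
    [long]$n = 0
    foreach ($b in $ip.GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function ConvertTo-DottedQuad {
    param([Parameter(Mandatory)][long]$Number)
    return '{0}.{1}.{2}.{3}' -f (($Number -shr 24) -band 255), (($Number -shr 16) -band 255), (($Number -shr 8) -band 255), ($Number -band 255)
}

function ConvertFrom-Cidr {
    # "a.b.c.d/len" -> object with the integer range [First, Last] it covers.
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Trim() -split '/'
    if ($parts.Count -ne 2) { throw "Expected address/prefix-length, got '$Cidr'" }
    $prefixLength = [int]$parts[1]
    if ($prefixLength -lt 0 -or $prefixLength -gt 32) { throw "Prefix length out of range in '$Cidr'" }
    $base = ConvertTo-AddressNumber $parts[0]
    [long]$size = [math]::Pow(2, 32 - $prefixLength)
    $first = $base - ($base % $size)          # clear the host bits -> network address
    if ($first -ne $base) { Write-Warning "'$Cidr' has host bits set; treating it as $(ConvertTo-DottedQuad $first)/$prefixLength" }
    [pscustomobject]@{
        Cidr         = "$(ConvertTo-DottedQuad $first)/$prefixLength"
        PrefixLength = $prefixLength
        First        = $first
        Last         = $first + $size - 1
        Size         = $size
    }
}

function Test-CidrOverlap {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = ConvertFrom-Cidr $A; $rb = ConvertFrom-Cidr $B
    return ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

function Test-CidrContains {
    # True when every address of -Inner lies inside -Outer.
    param([Parameter(Mandatory)][string]$Outer, [Parameter(Mandatory)][string]$Inner)
    $ro = ConvertFrom-Cidr $Outer; $ri = ConvertFrom-Cidr $Inner
    return ($ri.First -ge $ro.First) -and ($ri.Last -le $ro.Last)
}

function Test-Rfc1918 {
    # True when the whole range sits inside one of the three private blocks listed above.
    param([Parameter(Mandatory)][string]$Cidr)
    foreach ($block in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        if (Test-CidrContains -Outer $block -Inner $Cidr) { return $true }
    }
    return $false
}

function Test-VnetPlan {
    # Validate a VNet address space, its subnets and a P2S client pool; returns the findings (empty = plan is fine).
    param([string]$VnetSpace, [string[]]$Subnets, [string]$ClientPool, [string[]]$OnPremises = @())
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Rfc1918 $VnetSpace)) { $findings.Add("VNet space $VnetSpace is not RFC 1918 private address space") }
    foreach ($s in $Subnets) {
        if (-not (Test-CidrContains -Outer $VnetSpace -Inner $s)) { $findings.Add("subnet $s is outside $VnetSpace") }
        # Azure reserves 5 addresses per subnet, so /29 is the smallest usable size.
        if ((ConvertFrom-Cidr $s).PrefixLength -gt 29) { $findings.Add("subnet $s is smaller than /29") }
    }
    for ($i = 0; $i -lt $Subnets.Count; $i++) {
        for ($j = $i + 1; $j -lt $Subnets.Count; $j++) {
            if (Test-CidrOverlap $Subnets[$i] $Subnets[$j]) { $findings.Add("subnets $($Subnets[$i]) and $($Subnets[$j]) overlap") }
        }
    }
    # The client pool must overlap neither the VNet nor any network the VNet will be connected to.
    foreach ($range in @($VnetSpace) + $OnPremises) {
        if (Test-CidrOverlap $ClientPool $range) { $findings.Add("client pool $ClientPool overlaps $range") }
    }
    return $findings
}

# Constructed sample plan: a /16 VNet with two workload subnets and a /27 GatewaySubnet,
# an on-premises range it will later be linked to, and two candidate client pools.
$plan = @{ VnetSpace = '10.0.0.0/16'; Subnets = '10.0.1.0/24', '10.0.2.0/24', '10.0.255.0/27'; OnPremises = @('192.168.0.0/16') }
Test-VnetPlan @plan -ClientPool '172.16.201.0/24'   # a pool outside every connected range
Test-VnetPlan @plan -ClientPool '10.0.2.0/24'       # a pool that collides with a workload subnet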
VNET creation, subnet and inbound/outbound rule walkthrough:
DIP - private IP address.
Open the subnet, then assign an NSG to it and grant users access to it. Both the NSG and the users must already exist before they can be assigned to the subnet.
NSG creation and security rules:
· Go to Network security groups -> provide a name, the same resource group as the VNET and the same location (an NSG can only be associated with subnets in its own region) -> Create.
· Add the inbound and outbound rules you want to apply to the subnet.
NSG rules block or allow specific traffic passing from one side of the subnet boundary to the other. They are evaluated in priority order (lowest number first) and the first match wins; every NSG also carries built-in default rules that allow traffic within the VNET and deny all other inbound traffic.
· Inbound rules (WAN to LAN, i.e. traffic entering the subnet or NIC) restrict access by outsiders to private resources, selectively allowing only specific outside users to reach specific resources.
· Outbound rules (LAN to WAN, i.e. traffic leaving) determine which outside resources local users can reach.
NSG filtering happens in the Azure network fabric, outside the VM, so it applies whether or not the guest firewall is on. Windows Firewall inside the VM is a separate, additional layer: if it is turned off, its own inbound and outbound rules have no effect, but the NSG rules still apply.
· A subnet (or an individual NIC) can be associated with an NSG.
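The NSG part of the walkthrough above done with Az PowerShell, as an added example that is not code from the original post: the weak rule (RDP reachable from anywhere) is built only for contrast next to the restricted rule actually used, the NSG is attached to a subnet in the same resource group and region as the VNet, and a small audit function then looks for any rule that exposes management ports to the Internet. The resource group, location, VNet and subnet names and the admin address are assumptions for illustration; the script needs the Az.Network module and a prior Connect-AzAccount.

```powershell
# Added example, not code from the original post. Assumed names and addresses throughout.
$rg       = 'rg-vnet-demo'      # assumed
$location = 'eastus'            # assumed; must match the VNet's region
$vnetName = 'vnet-demo'         # assumed, created earlier with address space 10.0.0.0/16
$adminIp  = '203.0.113.10/32'   # assumed admin/jump host (documentation address range)

# The weak rule, built only for contrast and NOT placed in the NSG: RDP reachable from any source.
$rdpFromAnywhere = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Any' -Direction Inbound -Access Allow `
    -Protocol Tcp -Priority 100 -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

# Hardened inbound rules: RDP only from the admin host, HTTPS from the Internet service tag.
# Lower priority number wins; the built-in DenyAllInBound (65500) drops everything not allowed here.
$rdpFromAdmin = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' -Direction Inbound -Access Allow `
    -Protocol Tcp -Priority 100 -SourceAddressPrefix $adminIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$httpsIn = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-Internet' -Direction Inbound -Access Allow `
    -Protocol Tcp -Priority 110 -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443

# Same resource group and region as the VNet, as the walkthrough requires.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-app' `
    -SecurityRules $rdpFromAdmin, $httpsIn

# The default rules Azure adds to every NSG (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound, ...).
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -DefaultRules | Select-Object Name, Priority, Direction, Access

# Associate the NSG with the subnet (the subnet keeps its existing address prefix).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app' -AddressPrefix '10.0.1.0/24' `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: which inbound Allow rules expose management ports (22, 3389) or all ports to any/Internet source?
function Find-ExposedManagementRule {
    param([Parameter(Mandatory)]$NetworkSecurityGroup)
    Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $NetworkSecurityGroup |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') -and
            ($_.DestinationPortRange -contains '*' -or $_.DestinationPortRange -contains '22' -or $_.DestinationPortRange -contains '3389')
        } | Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange
}
Find-ExposedManagementRule -NetworkSecurityGroup $nsg   # lists offending rules, if any
```

Run the audit function against every NSG returned by Get-AzNetworkSecurityGroup to find the Allow-RDP-Any pattern across a subscription; a rule like it matches because its source is `*` and its destination port is 3389.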
Some important protocols and ports (18 of them):
TCP - Transmission Control Protocol (connection-oriented transport)
UDP - User Datagram Protocol (connectionless transport)
FTP - File Transfer Protocol: 20 (data), 21 (control connection)
SNMP - Simple Network Management Protocol: 161 (queries), 162 (traps)
TFTP - Trivial File Transfer Protocol: 69 (UDP)
NTP - Network Time Protocol: 123 (UDP)
SFTP - SSH File Transfer Protocol: 22 (runs over SSH)
SIP - Session Initiation Protocol: 5060 (clear text), 5061 (over TLS)
SSH - Secure Shell: 22
RTSP - Real Time Streaming Protocol: 554
LDAP - Lightweight Directory Access Protocol: 389 (636 for LDAP over TLS)
RDP - Remote Desktop Protocol: 3389
Telnet: 23 (clear text)
SMTP - Simple Mail Transfer Protocol: 25; 465 with SSL/TLS (587 for authenticated submission)
IMAP4 - Internet Message Access Protocol: 143; 993 with SSL/TLS
POP3 - Post Office Protocol: 110; 995 with SSL/TLS
HTTP - Hypertext Transfer Protocol: 80
HTTPS - Hypertext Transfer Protocol Secure: 443
Hybrid network connectivity
· Connecting an on-premises network to the Azure virtual network
· Connecting one Azure VNet to another VNet
The following options are available for cross-premises connectivity:
· Point-to-Site VPN
· Site-to-Site VPN
· ExpressRoute (a private circuit, not an Internet tunnel)
· VNet-to-VNet
· Multi-site VPN
VPN gateways:
Point-to-site and site-to-site both require a VPN gateway in the VNET.
Two types of VPN gateway:
· Static routing VPN gateway (policy-based). Encrypts and encapsulates a subset of the traffic flowing through an interface according to a custom-defined policy; the policy dictates the "interesting" traffic. Supports only a single site-to-site tunnel and no point-to-site.
· Dynamic routing VPN gateway (route-based). A tunnel interface is employed; any traffic routed to the tunnel interface is placed into the VPN.
Multi-site VPN, VNet-to-VNet and point-to-site all require a dynamic routing (route-based) VPN gateway.
Point-to-site VPN
Gives an organization's employees/users access to the organization's network from anywhere.
· Individual client machines connect to the Azure VNet using a traditional VPN client.
· Uses SSTP (Secure Socket Tunneling Protocol) over TCP 443, which passes most firewalls; Azure has since added IKEv2 and OpenVPN as client protocols.
· Certificate authentication between the client computers and the VNet: the gateway trusts a root certificate you upload, and each client presents a certificate issued from that root.
· Individually configured: a VPN client package is installed on each client computer.
Sequence of steps to establish a point-to-site VPN
1. Create a VNet in Azure.
2. Create a gateway subnet and a virtual network gateway from the management portal or PowerShell.
   a. In the VNet's subnet section, add the gateway subnet (it must be named GatewaySubnet). It hosts the gateway itself; the address range handed out to VPN clients is configured separately in step 6b and must not overlap the VNet.
   b. Go to Virtual network gateway and provide the gateway information (gateway type VPN, route-based).
3. Create a self-signed root certificate.
   a. makecert.exe is used to create the root certificate. Enter dir /s makecert.exe in a command prompt to find out whether makecert exists on the machine; if not, download it from here: Makecert. (makecert is deprecated; New-SelfSignedCertificate in PowerShell does the same job.)
   b. Before running the makecert command, open the root console (Win+R, type mmc) -> File -> Add/Remove Snap-in -> Certificates -> Add -> My user account -> Finish.
   c. cd to the makecert location and run: makecert -sky exchange -r -n "CN=VnetP2SRootCer" -pe -a sha1 -len 2048 -ss My .\VnetP2SRootCertOrg.cer (makecert also accepts -a sha256, which should be preferred over SHA-1).
   d. You should see the root certificate in the mmc console under Personal. Protect its private key: anyone holding it can issue client certificates the gateway will accept.
4. Create a self-signed client certificate from the root certificate.
   a. Create the client certificate using the root certificate by running: makecert -n "CN=VnetP2SClient" -pe -sky exchange -m 96 -ss My -in "VnetP2SRootCer" -is My -a sha1 (-m 96 is the validity in months; -in must match the root's CN).
   b. You should see the client certificate in the mmc console under Personal.
5. Export the root and client certificates from the certificate store.
   a. Right-click the root certificate -> All Tasks -> Export -> No, do not export the private key -> Base-64 encoded X.509 (.CER) -> Save.
   b. Right-click the client certificate -> All Tasks -> Export -> Yes, export the private key (.PFX) -> set a strong password -> Save.
6. Upload the root authentication certificate to Azure.
   a. Open the exported root .cer in a text editor (EditPlus/Visual Studio), drop the BEGIN/END CERTIFICATE lines, join the Base64 into a single line and copy it.
   b. Portal -> Virtual network gateway -> Point-to-site configuration -> enter a client address pool that does not overlap the VNet (or any on-premises range) -> paste the copied root certificate data -> Save.
7. Install the client certificate on the client machine to authenticate to the VNET.
   a. Double-click the .pfx on the user's machine -> enter the password -> Next (keep the defaults) -> Finish.
   b. The client certificate appears under Personal in the mmc console; if the export included the certification path, the root also appears under Trusted Root Certification Authorities.
8. Install the client VPN package downloaded from Azure.
   a. Download the VPN client package from the Virtual network gateway blade and install it on the machine.
   b. The VnetP2SClient connection appears in the network (Wi-Fi/VPN) section of Windows.
9. Establish the VPN and verify connectivity.
   a. Open Network connections and connect to the VNet.
   b. VNET resources are now reachable over the tunnel.
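The whole point-to-site procedure above as one script, added here as an example and not the post's own commands: Az PowerShell for the gateway subnet, route-based gateway, client pool and root upload (steps 2 and 6), and New-SelfSignedCertificate with SHA-256 in place of the deprecated makecert (steps 3 to 5), ending with the client package download (step 8) and the revocation step the post does not cover. Resource names, the location, the gateway SKU, the GatewaySubnet prefix and the client address pool are assumptions; the VNet from step 1 must already exist. Needs the Az.Network module, a prior Connect-AzAccount, and a Windows session for the certificate cmdlets; gateway creation itself takes 30 to 45 minutes.

```powershell
# Added example, not the post's own commands. Assumed names and ranges throughout.
$rg = 'rg-vnet-demo'; $location = 'eastus'; $vnetName = 'vnet-demo'; $gwName = 'vgw-demo'   # assumed
$clientPool = '172.16.201.0/24'   # assumed; must not overlap the VNet or any on-premises range

# Step 2a: the GatewaySubnet hosts the gateway itself; VPN clients get addresses from $clientPool, not from it.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27' -VirtualNetwork $vnet | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -Name 'pip-vgw-demo' -AllocationMethod Static -Sku Standard
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# Steps 3-4: self-signed root and a client certificate signed by it, SHA-256, with explicit lifetimes.
# Guard the root's private key: anyone holding it can issue client certificates the gateway will trust.
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject 'CN=VnetP2SRootCert' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter (Get-Date).AddYears(5)
# The TextExtension sets the EKU to Client Authentication (1.3.6.1.5.5.7.3.2), which the gateway expects.
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName 'VnetP2SClient' -KeySpec Signature -Subject 'CN=VnetP2SClient' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $rootCert -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') -NotAfter (Get-Date).AddYears(1)

# Steps 5a/6a: public part of the root as a single line of Base64, which is exactly what the portal field
# (and the cmdlet below) wants: DER bytes, no BEGIN/END lines, no line breaks.
$rootB64 = [Convert]::ToBase64String($rootCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Step 5b: client certificate with its private key as a password-protected PFX for the user's machine (step 7).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $clientCert -FilePath '.\VnetP2SClient.pfx' -Password $pfxPassword | Out-Null

# Steps 2b + 6b: route-based gateway (required for point-to-site) with the client pool and trusted root in one call.
$rootForGateway = New-AzVpnClientRootCertificate -Name 'VnetP2SRootCert' -PublicCertData $rootB64
$gw = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Location $location -Name $gwName -IpConfigurations $ipConfig `
    -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -VpnClientProtocol 'SSTP', 'IkeV2' `
    -VpnClientAddressPool $clientPool -VpnClientRootCertificates $rootForGateway

# Step 8: generate the client package and get its download URL.
$clientPkg = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod EapTls
$clientPkg.VpnProfileSASUrl

# Caveat the post omits: a lost or leaked client certificate is revoked by thumbprint; the root stays valid.
# Add-AzVpnClientRevokedCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName `
#     -VpnClientRevokedCertificateName 'VnetP2SClient-revoked' -Thumbprint $clientCert.Thumbprint
```

The one-line Base64 produced here is the same text the manual step 6a asks you to assemble by editing the .cer file; Export with X509ContentType.Cert never includes the private key, so only the public root reaches Azure.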