Azure Virtual Network Step by Step

Here’s some brand new content from the SoftwareArchitect.ca YouTube channel that you might find interesting.

Azure Virtual Network Step by Step. In this tutorial, I show you how to create an Azure Virtual Network setup. I take you through the fields of the Azure Portal create virtual network screen, and tell you why I am choosing the values I did. We also go into detail about subnets, and create multiple new subnets on the virtual network.

You’ll see an Azure Virtual Network Gateway Subnet being added, as well as the creation of new Network Security groups. NSGs are important for Azure Virtual Network security.

At the end of the video, I create a Windows VM to add to the network as a connected device.

Quickstart Series: Windows Web App in Azure

In this video, I show you how to create a Windows Web App in Microsoft Azure. We go through the Azure Portal, and see how form fields get filled in. If you can’t afford to create resources in Azure, but want to see how it’s done in 2018, this is the video for you.

Or you can see the video directly on YouTube.

Transcript:

Hi there, this is Scott Duffy from softwarearchitect.ca and in this video we’re going to create a virtual network and I’ll show you how to do that step-by-step. To start off with, we’re going to go to the top left of the Azure portal, this is portal.azure.com. Hopefully, you already have an account and you can sign up for a free account if you don’t have one. And the first thing we want to do is say create a resource. We’re going to go into the marketplace here, it’s organized by category. We’re looking for a virtual network, so we’re going to choose the networking category and we’re going to choose virtual network, which is the first item. I’m going to minimize this menu to get that out of the way.

Now, the virtual network screen comes up and we have to give our virtual network a name and I’m going to call it AZNewVnet. Now, you can call this whatever you want, it doesn’t have to be unique to all of Azure, just as long as it’s unique to your own Azure subscription, give it a name that means something to you. The most important decision we have to make when we’re creating a virtual network to start is the size of the address space. By default, Microsoft is offering to me 10.0.0.0/16. This is called CIDR notation, and CIDR notation uses this slash with a number to represent a range of IP addresses. So, Microsoft helpfully shows you at the bottom that 10.0.0.0/16, means that it starts at 10.0.0.0 and goes all the way to 10.0.255.255. This encompasses 65,536 IP addresses. Now, that is quite a lot and the chances are excellent that you’re never going to use all of these addresses on a single virtual network.

So this might be a bit excessive. If you do have plans of growing your Azure account, creating lots of different resources for lots of different projects, you might want to start to think about protecting your private addresses. So, /16 is a bit excessive, if I change this to 24, then you’ll see here that I’m given 256 addresses from 10.0.0.0 to 10.0.0.255. Now, it’s not actually 256 addresses because Microsoft does reserve five addresses for its own purposes. Actually, I’m going to change this to 23 and I’ll give myself double the amount of addresses which is 512 in this case.

My subscription is a pay-as-you-go, you may have the free plan or MSDN or Visual Studio or any of the other plans that Microsoft has. You have to create your resources in what’s called a resource group. A resource group is a logical grouping of related resources. It’s used for management, security and billing, things like that. So I would create a resource group. I’m going to give it the same name as the virtual network because this is a demonstration. But if you’re going to create a virtual network and you’re going to create public IP addresses and you’re going to create virtual machines, you might want to put them all into the same resource group and give that a logical name so that you’ll know on the billing reports, et cetera, what these resources stand for, who’s going to pay for them, et cetera.

Microsoft now has up to 50 regions around the world that are available for you to create resources in. Now, some of these regions are government regions and so we can’t create resources in government regions, and some of them are in places like China where we can’t create resources either without signing an agreement. But the rest of the world, everywhere from Europe, Asia, South America, North America, Canada, all these other places, we have lots of options available for most of the world, in India even.

I would choose a region that is close to where you are, close to where your users are likely to be. The closer it is then the quicker it’s going to be in terms of response times. The only other consideration is if you’ve got regions that don’t have every service and you’re going to need a specific service, then you may want to choose a different region. So I’m going to click East US 2.

Now, the other important part of virtual networks is a concept called subnets. Subnets are a way of splitting up your virtual network into one or more sub-networks. The default subnet is called default but you can call it whatever you want. So this could be my front-end subnet. In this subnet, I would place all my web servers and all my public facing services. You have to specify an address range which is a subset of your total address space. So, in this case, I created 512 addresses for the network and this first subnet called front-end is going to take half of them. It’s going to take 10.0.0.0 to 10.0.0.255. That’s great. So I’m basically splitting my network in half.

Microsoft’s also now offering what’s called DDoS protection, Distributed Denial-of-Service protection, and you get basic protection for free. Now, basic protection basically provides you what Microsoft can do in terms of protecting your network against Distributed Denial-of-Service attacks, and so it basically does some basic level for IPv4 and IPv6. If a single attacker is throwing a lot of garbage traffic at your resources, you can get basic DDoS protection.

Standard DDoS protection gives you more options in terms of traffic monitoring, there are machine learning algorithms that are looking at the traffic, it’s going to apply policies to all of your public IP addresses associated with resources. So if you have load balancers or gateways or Service Fabric running within this network, then it’s going to provide intelligent policies that will monitor the traffic and take appropriate action if it thinks that you’re under attack. I’m going to leave it as basic for now.

Service endpoints is also a cool new feature that allows this virtual network to be open directly to other Azure services. It’s just basically establishing a private connection between this virtual network and Microsoft Storage, SQL Database, Cosmos DB or SQL Data Warehouse. So those are the options in terms of having private networking between your resources and these kinds of storage accounts. But what this will allow you to do then is basically block: if you wanted to open this up to Microsoft Storage for instance, you can block external access to your storage account.

Now, normally storage is provided like platform-as-a-service, the URL is publicly addressable. The only way you can get access to a storage account is if you have the proper security keys. So it is authenticated, it is protected but the URL and the endpoint is still open. If you were to connect your virtual network into a Microsoft storage account, then you can protect traffic coming into that storage account and actually block it. So it’s more of a firewall protection than just relying on authentication. I’m going to leave this off for now. We’re not going to enable service endpoints but it’s a really cool new feature.

I’m going to pin this to my dashboard. When I click the create button, it’s going to fire off and create me a virtual network. Now, it does this pretty quickly, but I’m going to pause this video for just a second until it’s completed. All right. So that took under 60 seconds and I have a new virtual network. Now, there are no devices, there’s no nodes or anything on this network. It is a completely untouched network but it’s available to me. If I go into the subnets, I can see the front-end subnet that I created, it used to be called default. It takes up one half of the address space, and remember I said that Microsoft takes five IP addresses for its own uses. So out of 256 addresses, you’re only left with 251 that you can do anything with.

I’m going to create a second subnet and we’re going to call it backend, and this is where I’m going to put my application servers. I’m going to actually only use … So, instead of using all 255, I’ll only use half of the remainder. So, instead of having 128 addresses, there’s 123 net addresses available for me to use. So I’m creating a second subnet and I still have unused IP addresses in my virtual network. You’ll see here that subnets really are a way of breaking out your network into sub-networks.

Now, you might see there’s this gateway subnet option at the top. Let me tell you a little bit about that. If you’re going to be creating a virtual private network, the virtual private network uses what’s called a network gateway to connect your own network, if you’re in your own corporation or in your own home, into Microsoft Azure, but the gateway needs its own subnet. So, if I want to add a virtual private network to my virtual network, then I would have to start by adding a gateway subnet. There’s really no options here other than choosing this range of addresses. It doesn’t need that much but /28 is fine. I could say, okay. I’ll do that and it will add a gateway subnet to my network and that way I can connect a private network to it.
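The address-space arithmetic walked through above (the /23 network, the front-end and back-end subnets, the /28 gateway subnet, and Azure's five reserved addresses per subnet) as an added planning helper; this is example code, not part of the video or of any Azure tool. The subnet names and the 10.0.1.128/28 gateway range are assumptions chosen to match the transcript.

```python
import ipaddress

# Azure reserves 5 addresses in every subnet (network, 3 platform, broadcast),
# which is why a /24 leaves 251 usable and a /25 leaves 123.
AZURE_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Usable addresses Azure actually hands out for a subnet CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def plan_subnets(vnet_cidr: str, subnets: dict) -> dict:
    """Check every subnet sits inside the VNet and none overlap.

    Returns {subnet_name: usable_host_count}; raises ValueError on a bad plan,
    which is the check the portal performs when you click 'OK' on a subnet.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    placed = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vnet):
            raise ValueError(f"{name} {cidr} is outside the VNet {vnet_cidr}")
        for other_name, other in placed.items():
            if net.overlaps(other):
                raise ValueError(f"{name} {cidr} overlaps {other_name} {other}")
        placed[name] = net
    return {name: usable_hosts(str(net)) for name, net in placed.items()}


def remaining_space(vnet_cidr: str, subnets: dict) -> list:
    """CIDR blocks of the VNet still free for future subnets, smallest first."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    free = [vnet]
    for cidr in subnets.values():
        used = ipaddress.ip_network(cidr, strict=True)
        free = [piece for block in free
                for piece in (block.address_exclude(used)
                              if used.subnet_of(block) else [block])]
    return [str(block) for block in sorted(free)]


# Constructed plan following the transcript: /23 VNet, half to the front end,
# half of the remainder to the back end, a /28 for the VPN gateway.
PLAN = {
    "front-end": "10.0.0.0/24",
    "back-end": "10.0.1.0/25",
    "GatewaySubnet": "10.0.1.128/28",
}

if __name__ == "__main__":
    print(plan_subnets("10.0.0.0/23", PLAN))
    print(remaining_space("10.0.0.0/23", PLAN))
```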

Now, one thing we didn’t talk about is the security aspect of this. Virtual networks and subnets are where you attach your security, your firewalls. Let’s go into the front-end subnet here and we’ll see that there’s a number of options but one of the options says network security group. Now, I don’t have any network security groups defined in East US 2. So why don’t we go, I’m going to say create network security group. I’ll show you how this works. Network security group. Let’s create a network security group in East US 2. Let’s call this front-end network security group and I’m going to use the virtual network resource group that we created our virtual network in, that way it keeps the resources together.

We’re going to create the front-end network security group and while I’m here, I’m also going to create a back-end network security group, we’ll deal with both. I will go back here and I say network security group. Network security groups are really the firewall setting for networks. Use existing, new virtual network, East US 2. We’re going to go into our resource groups here. Go into our new virtual network resource group and we can see here that besides our virtual network, we have a front-end network security group that’s also been created.

Now, network security groups are basically firewalls and they have inbound and outbound rules. The rules are processed in order from the lowest priority number to the highest and it does come with a number of preset rules. I’m going to switch over to the inbound security rules settings so that we can see them more clearly. So there are three rules that come built into it. The first rule basically allows any other traffic on the virtual network to travel from elsewhere in the virtual network into our virtual network. This also allows the load balancer traffic to travel into our virtual network and then denies all other traffic.

So, if I was to apply this front-end network security group rule to our front-end subnet, it would deny all public internet traffic by default. Let’s say then I do want to add HTTP traffic over port 80. So let’s go into the basic setup because it has that for me. I can choose HTTP service, it knows that it’s port 80. It will define that with a low priority number, so number 100 is much below the 65,000, and if I add it, this will then allow port 80 traffic to travel from anywhere into this virtual network. So let’s let that do that. I’m also going to have port 443, which is the secure HTTP channel. So let’s add that. It has to … 443.

Now I’ve added two network security group rules, one for port 80 and one for port 443. Since I didn’t change this name, it’s a little bit confusing. I can’t change the name. So, I’ve allowed two types of ports to travel from anywhere into this network. Now, if I was to go back to my network security group. So let’s go into the virtual network. Let’s go into the subnet. Let’s go into the front-end and let’s choose the front-end network security group to attach it to the front-end subnet. And if I save this, now I am allowing port 80 and port 443 traffic to travel from the public internet into any devices that are attached to the front-end subnet. Right now we don’t have any devices attached to the front-end subnet. We can see the security group.

If I was to attach the backend security group to the back end network, remember it denies all inbound traffic, only allows traffic from other virtual networks, it allows the load balancer traffic. So, by setting up these security group settings, I am severely restricting traffic to the backend and I am allowing traffic over two ports into the front-end. So that’s how you deal with security at the subnet level. Hopefully, you’re getting a better understanding of how Microsoft Azure deals with virtual networks and specifically with subnets. It is the subnet level that we basically attach devices. Right now there are no devices but if we had one, it would tell us what subnet it’s part of.
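The rule processing described above (lowest priority number wins, the three built-in inbound rules, and the two custom Allow rules on the front end only) as an added simulation; this is example code written for this post, not Azure's own engine. It matches on service tags rather than real address prefixes, and the custom rule names `Port_80`/`Port_443` are assumptions standing in for the portal's default names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str      # service tag ("Internet", "VirtualNetwork", ...) or "*" for any
    dest_port: str   # "*" for any port, or a single port such as "80"
    access: str      # "Allow" or "Deny"

@dataclass(frozen=True)
class Flow:
    source: str      # service tag describing where the packet comes from
    dest_port: int

# Azure's three default inbound rules; 65000-65500 is reserved for them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

def build_nsg(custom_rules):
    """Combine custom rules with the defaults, enforcing the portal's constraints:
    custom priorities must be unique and lie in 100..4096."""
    seen = set()
    for rule in custom_rules:
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: priority {rule.priority} outside 100..4096")
        if rule.priority in seen:
            raise ValueError(f"{rule.name}: duplicate priority {rule.priority}")
        seen.add(rule.priority)
    return list(custom_rules) + DEFAULT_INBOUND

def _matches(rule, flow):
    src_ok = rule.source in ("*", flow.source)
    port_ok = rule.dest_port == "*" or int(rule.dest_port) == flow.dest_port
    return src_ok and port_ok

def evaluate(rules, flow):
    """Return (access, rule_name) of the first matching rule, lowest priority
    number first, which is exactly how an NSG decides on inbound traffic."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "<implicit>"   # never reached while DenyAllInBound exists

# Constructed NSGs matching the video: front end opens 80/443, back end is defaults only.
FRONT_END_NSG = build_nsg([Rule("Port_80", 100, "*", "80", "Allow"),
                           Rule("Port_443", 110, "*", "443", "Allow")])
BACK_END_NSG = build_nsg([])

if __name__ == "__main__":
    for nsg, label in ((FRONT_END_NSG, "front-end"), (BACK_END_NSG, "back-end")):
        for flow in (Flow("Internet", 80), Flow("Internet", 3389), Flow("VirtualNetwork", 3389)):
            print(label, flow, evaluate(nsg, flow))
```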

Another thing we should talk about is this concept of peering. It’s a relatively new concept as well within Microsoft Azure. But let’s say that we have some resources in another virtual network or in another subscription or another region of the world, and we want to allow traffic to travel between that virtual network and this virtual network. So peering is the ability to connect two virtual networks no matter where they are within Microsoft Azure. So we have this AZNewVnet. If I was to create another virtual network, then I could choose it and I would allow the traffic to travel between two different virtual networks. Or if I again had a specific virtual network in a different account or somewhere else, then I could put the full resource ID in there and that will allow virtual network traffic to travel between those networks. So that’s a new emerging important concept.

The last thing we should probably talk about is how you would add devices here. So let’s go home and we’re going to create a resource for our virtual network. We’re going to try to be very quick with this, right. I’m going to create a new virtual machine, give it a user ID, put it into the existing v-net resource group. It’s important that the resources exist in the same region, under the same subscription in order for us to connect it to our virtual network. So I’m going to choose the simplest. I have a basic B1 option here, it’s only $17 a month. Remember when we’re getting resources that this is paid by the minute, so even if it’s $17 a month, it’s only 50 cents a day, it’s only two cents an hour. So, if I created this for an hour, I would only be charged two cents. I’m going to skip the other options.

You’ll see here that it’s automatically filled in our AZNewVnet virtual network, it’s chosen the first default subnet, which is front-end. If I want this virtual machine to exist on this front end, I can just leave it or I can choose to add it to the backend. So right in this option here, I get a chance of either assigning it to the front-end or to the backend. This is how we set this up. Now, the machine itself can have a public IP address. We can choose to have none or we can choose to create a new one. And you’ll notice that it’s asking me to create a network security group. We have the network security group assigned to the subnet, we can also optionally have it assigned to the virtual machine’s NIC, network card. I’m just going to reuse instead of creating a new network security group. It’s good practice to reuse security groups.

So, if I’m going to put this in the front-end group, then I’m going to … The other option is I can choose no security group because I know that the front-end subnet has one. So remember, there’s basically two ends of this connection. There’s the subnet connection and then there’s the virtual network interface connection, and I don’t have to have the security group on both. If I just say okay and I say create, this is going to create me a new resource on my virtual network. Now, there’s a few things that it creates including the network card that are more than just the virtual machine, but that’s how you create a virtual network step-by-step and we even went so far as to create network security groups and to add a brand-new Windows virtual machine to this existing network. Thanks a lot guys. I would offer it to you to subscribe to this channel. Please hit subscribe if you want more videos like this or hit thumbs up or share this with your friends.