
4-1

Module 4
Virtual Networks
Contents:
Module Overview 4-1
Lesson 1: Getting Started with Virtual Networks 4-2
Lesson 2: Creating a Virtual Network 4-5
Lesson 3: Implementing Point-to-Site Networks 4-8
Lab: Create a Virtual Network 4-12
Module Review and Takeaways 4-15

Module Overview
Microsoft Azure virtual networks are a critical component of most Azure deployments. With Azure virtual
networks, you can establish secure and reliable communication between Azure virtual machines and
between your data center and Azure. By using Azure virtual networks, you can effectively extend your
data center to Microsoft Azure.
In this module, you will learn how to create and implement Azure networks, and how to implement
communications between your on-premises infrastructure and Azure.

Objectives
After completing this module, you will be able to:

Describe the purpose and functionality of Azure virtual networks.

Create Azure virtual networks.

Implement point-to-site networks.

Microsoft Confidential. Internal Use Only.

4-2 Virtual Networks

Lesson 1

Getting Started with Virtual Networks


You must be familiar with virtual networks before implementing them in Azure. Also, it is important that
you determine whether your cloud deployment requires virtual networks. In this lesson, you will learn
about virtual networks and their proper implementation.

Lesson Objectives
After completing this lesson, you will be able to:

Describe virtual networks.

Determine the need for a virtual network.

Describe virtual network awareness.

What Are Virtual Networks?


When you deploy virtual machines in your on-premises environment, you must create virtual networks to
enable the virtual machines to communicate with each other. Depending on the communication needs of
your virtual machines, you can create private, internal, or external virtual switches. By using these switches
and networks, virtual machines communicate with the rest of your network, with other virtual machines,
and with the Microsoft Hyper-V host machine.
Deploying virtual machines in Microsoft Azure is similar to deploying them on-premises. However,
Deploying virtual machines in Microsoft Azure is
similar to deploying them on-premises. However,
because you do not deploy Azure virtual machines in your own data center, and because they are not
physically connected to your network infrastructure, you must connect these virtual machines to your
internal infrastructure first. By running software that your company's employees use in Azure virtual
machines, you can make these applications as accessible as if they were running in your own data center.
By default, Azure virtual machines in the same cloud service can communicate with each other, but
network communication with your on-premises infrastructure is not enabled. The only access is through
the public endpoints that the platform exposes on the Internet, such as the Remote Desktop Protocol
(RDP) endpoint.
You address this by creating a virtual private network (VPN) between your local network infrastructure
and the Azure virtual machines. However, before you create a VPN connection, you must first create an
Azure virtual network and assign virtual machines to it.
An Azure virtual network is a logical, isolated boundary around a group of virtual machines in an Azure
data center. After you create a virtual network in Azure, you can establish a connection, protected with
Internet Protocol security (IPsec), between this network and your local network.
When creating Azure virtual networks, you can allocate IP addresses for the Azure virtual machines from
the same IP address space that you use in your own network. This greatly simplifies the deployment of the
Azure virtual machines (VMs) and the movement of the locally deployed virtual machines to the Microsoft
Azure platform. Because the connection between your local infrastructure and Azure virtual machines
happens on the IP level, the connection does not depend on an operating system running in the virtual
machines. After you establish this connection, the Azure virtual machines running in virtual networks look
like just another part of your organization's network. As a result, virtual machines in Azure can also access
resources in your local network infrastructure. For example, you can run a service in an Azure VM that
uses data stored on your locally deployed storage.

Microsoft Azure Fundamentals 4-3

Additional Reading: For more information on virtual networks, go to
http://go.microsoft.com/fwlink/?LinkID=517442

Determine the Need for Virtual Networks


Not every deployment of Azure virtual machines
requires the deployment of Azure virtual
networks. Whether you need an Azure virtual
network depends on what you are trying to
do. Because there is no universal design for Azure
virtual networks, it is important that you carefully
plan virtual network deployments for resources in
Azure. In general, your solution for networking in
Azure will fall into one of the following categories:
no virtual networks, cloud-only virtual network,
and cross-premise virtual network.
We recommend that you evaluate your need for virtual networks before you deploy Azure virtual
machines, because virtual machines and cloud services configure their network settings during
deployment. This means that you cannot move an existing Azure virtual machine into a virtual network
after the machine has been deployed. You can redeploy the virtual machine to connect it to the proper
virtual network, but this causes downtime.
Depending on your usage scenario, you can create two types of virtual networks in Microsoft Azure.

If you do not plan to connect your Azure virtual machines to your local network infrastructure, you
will use a cloud-only virtual network. In this case, on-premises resources can reach Azure virtual
machines only through the public endpoints of their cloud service. The Azure virtual machines can
communicate with each other and access the Internet, but no VPN connection to the virtual network
exists.

To connect your internal data center to Azure virtual machines over a secure (IPsec) connection, and to
provide two-way resource access between Azure VMs and an on-premises infrastructure, you create a
cross-premises virtual network. When creating a cross-premises virtual network, you must create a
gateway to your internal network, and you must plan IP addressing so that the Azure address space
and your on-premises address space do not overlap.


Virtual Network Awareness


Virtual machines deployed in the cloud are the main consumers of Azure virtual networks, but other
Azure services can use them as well.
Currently, Azure virtual networks support only resources deployed as cloud services: that is, cloud
services built from web and worker roles, and virtual machines (which are themselves deployed inside a
cloud service). A cloud service consists of one or more web roles or worker roles, each with its own
application files and configuration. At the time of writing this course, Azure Websites support integration
with Azure virtual networks, but Microsoft Azure SQL Database does not. Integration between Azure
Websites and an Azure virtual network enables your website to access resources running in your virtual
network, including web services or databases running on your Azure virtual machines. If the virtual
network is connected to your on-premises network, the Azure Website can reach on-premises systems
through this integration as well.
Also, within virtual networks, you can deploy cloud services with web and worker roles, that is, Platform
as a Service (PaaS) workloads. You do not have to change your application code for this. When you
configure the service, you specify the virtual network name and the role-to-subnet mappings in the
network configuration section of the service configuration file. However, once you deploy a service to a
virtual network, you cannot move it into or out of the virtual network. If you want to move the service,
you have to delete it and then redeploy it.


Lesson 2

Creating a Virtual Network


To create and use virtual networks, you have to set several configuration options. In this lesson, you
will learn about virtual network components and how to create virtual networks. You will also learn
about Microsoft Azure Traffic Manager.

Lesson Objectives
After completing this lesson, you will be able to:

Describe virtual network components.

Create a virtual network.

Describe the Microsoft Azure Traffic Manager.

Virtual Network Components


When you create a virtual network in the Azure
portal, you must configure several components
and properties. For cloud-only virtual networks,
configuration steps are simpler, because you do
not have to create a gateway to your on-premises
infrastructure. If you decide to have a cross-premises virtual network, you must configure
additional elements.
When you start a wizard to create a new virtual
network, you first have to provide a network
name. You may choose any name, but it cannot
start with a number. After you select your virtual
network name, you should configure the Location parameter. You can configure the location by selecting
a region from the drop-down list. This location specifies where you want your virtual machines to reside
when you deploy them to the virtual network you are creating. For example, if you indicate that your
network is located in the South Central US region, each virtual machine that you assign to this network
will be located in this same region. It is not possible to change the region associated with your virtual
network after you create it.
After you configure your network location, you will have the option to configure Domain Name System
(DNS) servers for your network. By default, Azure provides name resolution for your virtual network.
However, if you have more advanced DNS requirements, or want to use dedicated DNS servers for your
Azure virtual machines, you have the option to configure DNS servers for each virtual network you create.
If you do not want to connect your virtual network with an on-premises infrastructure, the only thing you
have to configure for the Azure virtual network is the Virtual Network Address Space, that is, the private
address space that the virtual network uses. You can choose from the private (RFC 1918) ranges
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, with variable-length subnet masks, and you can carve
subnets out of the address space you select. IP addresses from the ranges configured here are assigned
dynamically (through DHCP) to your virtual machines. Because these are private addresses, you cannot
use them as connection endpoints on the Internet; Internet-facing access still goes through the public
endpoints of the cloud service.


If you choose to connect your virtual network with your on-premises infrastructure, you must select the
point-to-site or site-to-site connectivity option on the DNS Servers and VPN Connectivity page of the
wizard. If you choose to create site-to-site connectivity, you have to configure the public IP address of
your on-premises VPN device and specify your local IP address ranges. For point-to-site connectivity, you
must select the IP address range that will be assigned to VPN clients.

Demonstration: Creating a Virtual Network


In this demonstration, you will see how to create an Azure virtual network.

Demonstration Steps
1. Sign in to your Azure subscription at https://manage.windowsazure.com.
2. Click Networks in the navigation pane.
3. Choose to create a new virtual network.
4. Name the network VNET1, and choose West US as the location.
5. Do not make changes to the DNS Servers and Connectivity options.
6. Select 192.168.0.0/24 for Virtual Network Address Spaces.
7. Add 172.16.0.0/16 and name its subnet Subnet-2. Note that 172.16.0.0/16 lies outside the
192.168.0.0/24 address space, so it has to be added as a second address space with its own subnet;
a subnet must always fall inside one of the virtual network's address spaces.
8. Finish the wizard and create the network.

Azure Traffic Manager


When you implement an application in Microsoft
Azure, you will want to provide efficient and fast
access to it for the end users. In situations where
you deploy an application in multiple Azure data
centers (such as when you deploy several virtual
machines in different Azure regions), you will want
to direct user request traffic across these data
centers so that users experience minimal latency.
To achieve this type of optimization, the Azure
platform provides a service called Azure Traffic
Manager. This service intelligently directs requests
from users across instances of an application
running in different Azure data centers.
When a user wants to access your application or website, the user's machine looks up the DNS name of
your application. Because that name is a CNAME to a name under the trafficmanager.net domain, the
query reaches Azure's DNS servers, which look for the Traffic Manager policy that matches the name. If
one exists, Azure Traffic Manager selects the most appropriate data center for that user according to the
policy, and returns the address of that data center's endpoint as the DNS answer.


When you create an Azure Traffic Manager policy for your application, there are three options that you
can configure to determine how Azure Traffic Manager behaves:

Performance. If you choose this option, Traffic Manager sends all client requests to the data center
with the lowest latency from the user system. Usually, this will be the data center that is
geographically closest to the user.

Failover. If you choose this option, Traffic Manager directs all client requests to the data center that
you specify in the policy. If the data center is unavailable, Traffic Manager directs requests to other
data centers in the priority order defined by the policy.

Round Robin. If you choose this option, Azure Traffic Manager equally distributes client requests
across all data centers in which the application is running.

Azure Traffic Manager periodically checks the health of every endpoint it manages. It sends an HTTP GET
to a monitoring path on each endpoint and expects a 200 OK response within the timeout. If an endpoint
fails to respond correctly, Traffic Manager stops returning that endpoint in DNS answers until the probe
succeeds again. Because Traffic Manager works purely at the DNS level, it never sees or proxies the
application traffic itself, and a client that has cached a DNS answer keeps using that address until the
record's time to live (TTL) expires.
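To make the three policies and the health gating concrete, here is a small simulation, added for this page and not Microsoft's implementation: it picks the endpoint a DNS query would receive under each method from constructed endpoint data (the names, the addresses from the 203.0.113.0/24 documentation range, the latencies and the probe results are all made up), and drops any endpoint whose probe did not return 200 OK within the timeout.

```python
"""Simulate how an Azure Traffic Manager policy answers a DNS query.

Added example, not Microsoft's implementation. It models the behaviour the
lesson describes: Performance picks the lowest-latency endpoint for the
client, Failover picks the highest-priority one, Round Robin cycles through
them, and any endpoint whose monitoring URL did not return HTTP 200 within
the timeout is left out of every answer. All endpoints, addresses, latencies
and probe results below are constructed.
"""
from dataclasses import dataclass
from itertools import count


@dataclass
class Endpoint:
    name: str           # the cloud service / region hosting one copy of the app
    address: str        # the address carried in the DNS answer
    priority: int       # failover order, 1 = preferred
    latency_ms: dict    # constructed latency from each client location
    healthy: bool = True


def probe_is_healthy(status_code, elapsed_s, timeout_s=10.0):
    """Health rule: the HTTP GET must return 200 OK inside the timeout."""
    return status_code == 200 and elapsed_s <= timeout_s


class TrafficManagerPolicy:
    METHODS = ("performance", "failover", "roundrobin")

    def __init__(self, method, endpoints, ttl_s=300):
        if method not in self.METHODS:
            raise ValueError(f"unknown load balancing method: {method}")
        self.method = method
        self.endpoints = sorted(endpoints, key=lambda ep: ep.priority)
        self.ttl_s = ttl_s          # TTL of the DNS answer handed to clients
        self._cursor = count()      # round-robin position

    def record_probe(self, name, status_code, elapsed_s):
        """Update one endpoint's health from a monitoring result."""
        for ep in self.endpoints:
            if ep.name == name:
                ep.healthy = probe_is_healthy(status_code, elapsed_s)

    def resolve(self, client_location):
        """Answer one DNS query: (endpoint name, address, ttl), or None
        when no endpoint is currently healthy."""
        live = [ep for ep in self.endpoints if ep.healthy]
        if not live:
            return None
        if self.method == "performance":
            chosen = min(live, key=lambda ep: ep.latency_ms.get(client_location, float("inf")))
        elif self.method == "failover":
            chosen = live[0]                     # endpoints are sorted by priority
        else:
            chosen = live[next(self._cursor) % len(live)]
        return chosen.name, chosen.address, self.ttl_s


def demo_endpoints():
    """Two copies of the application in different regions (constructed)."""
    return [
        Endpoint("app-westus", "203.0.113.10", 1, {"seattle": 20, "dublin": 140}),
        Endpoint("app-northeurope", "203.0.113.20", 2, {"seattle": 150, "dublin": 15}),
    ]


if __name__ == "__main__":
    policy = TrafficManagerPolicy("failover", demo_endpoints())
    print(policy.resolve("dublin"))                  # app-westus, priority 1
    policy.record_probe("app-westus", 503, 0.2)      # West US probe fails
    print(policy.resolve("dublin"))                  # app-northeurope takes over
```

The `ttl_s` value in every answer is the part that matters operationally: after a failover, clients that already hold a cached answer keep connecting to the failed endpoint until that TTL runs out, which is why short TTLs are paired with the Failover policy.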


Lesson 3

Implementing Point-to-Site Networks


In many scenarios, you might need to initiate a remote connection to the Azure virtual network. Azure
virtual networks give you the ability to initiate a secure point-to-site VPN connection from anywhere, by
using a software VPN client. In this lesson, you will learn about point-to-site VPN connections and how to
implement them.

Lesson Objectives
After completing this lesson, you will be able to:

Describe a point-to-site VPN connection.

Describe the requirements for a point-to-site VPN connection.

Set up a point-to-site VPN connection.

Overview of Point-to-Site VPN


By default, each virtual machine that you create in Azure is accessible over an RDP or SSH connection
through a public endpoint on its cloud service. That endpoint is reachable from the entire Internet, so
restrict it (for example, with an endpoint access control list) or remove it once a VPN is in place. If you
want to establish a secure connection from your computer (or from your local network resources) to the
Azure virtual network, you have to create a VPN connection.
By setting up a point-to-site VPN connection, you
can create individual connections from client
computers that you want to connect to the Azure
virtual network. In site-to-site VPNs, you establish
a VPN connection throughout your whole local
network infrastructure, and you use a VPN device
on your side. With point-to-site VPNs, you establish a connection by using a software VPN client that you
install on each machine from which you want to initiate a connection to the Azure virtual network. This
type of VPN connection does not require that you have a VPN device. Also, you do not need to have a
static IP address assigned to the VPN client. You can establish a point-to-site VPN connection manually by
initiating a connection from the client.
Although a site-to-site VPN will probably be the ideal solution when you want to extend your data center
to Azure, there are some scenarios where point-to-site VPNs are more appropriate. For example, if you
want to configure just a few clients from your network to connect to the Azure virtual network, a
point-to-site VPN is the appropriate solution. Point-to-site is also best if you want to enable your clients
to connect to the Azure virtual network from remote locations, such as hotels or airports. If you do not
have an externally facing public IPv4 address for a VPN device, you will also have to use a point-to-site
connection.
Even when you have implemented a site-to-site VPN, you might need point-to-site VPN connections for
remote clients that require a connection to Azure. Point-to-site and site-to-site configurations can exist
concurrently on the same virtual network.


Overview of Requirements for Point-to-Site VPN


Although creating a point-to-site VPN connection
is fairly simple, it does require that you configure
certain settings before beginning the process.
When you create a virtual network in the Azure portal and select the option to enable point-to-site
connectivity, you are required to configure the address space for IP addresses that you want to assign to
cross-premises clients connecting through a point-to-site connection. This address space must be from
the private ranges 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. You must ensure that the range you select
here does not overlap with other virtual networks or with networks on your local site; overlapping ranges
make routes ambiguous once the tunnel is up.
Also, you have to configure the virtual network address space that will be used within the virtual network
you are creating. This address space also must not overlap with the address space that you use in your
on-premises environment.
Each point-to-site VPN requires a dynamic routing gateway, and the gateway requires a gateway subnet
carved out of the virtual network address space. Only the virtual network gateway uses the gateway
subnet, so do not place virtual machines in it.
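The overlap and containment rules in this topic and in the Virtual Network Address Space discussion in Lesson 2 are easy to get wrong by hand. The following check, added here as an example and not part of the course, validates a plan before you type it into the portal. The plan it tests (VNET1's two address spaces, a gateway subnet, a point-to-site client pool and two on-premises ranges, one of which collides with the client pool) is constructed for illustration.

```python
"""Check an Azure virtual network address plan before creating it.

Added example, not from the course text. It encodes the planning rules the
lessons state: every range must come from RFC 1918 space, every subnet
(including the gateway subnet) must sit inside one of the virtual network's
address spaces, subnets must not overlap each other, and the virtual network,
the point-to-site client pool and the on-premises networks must not overlap.
The sample plan in lab_plan_issues() is constructed for illustration.
"""
from ipaddress import IPv4Network, ip_network

PRIVATE_RANGES = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def is_rfc1918(net: IPv4Network) -> bool:
    """True if the whole range lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in PRIVATE_RANGES)


def overlapping_pairs(named_nets):
    """Return [(name_a, name_b), ...] for every pair of ranges that overlap."""
    items = list(named_nets.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def validate_plan(address_spaces, subnets, gateway_subnet, p2s_clients, on_premises):
    """Return a list of problems; an empty list means the plan is consistent.

    address_spaces, subnets, p2s_clients, on_premises: {name: cidr}
    gateway_subnet: cidr string, or None when no gateway is planned
    """
    spaces = {n: ip_network(c) for n, c in address_spaces.items()}
    subs = {n: ip_network(c) for n, c in subnets.items()}
    if gateway_subnet:
        subs["GatewaySubnet"] = ip_network(gateway_subnet)
    clients = {n: ip_network(c) for n, c in p2s_clients.items()}
    onprem = {n: ip_network(c) for n, c in on_premises.items()}
    problems = []

    # Rule 1: the portal only accepts private address space.
    for name, net in {**spaces, **clients}.items():
        if not is_rfc1918(net):
            problems.append(f"{name} ({net}) is not in RFC 1918 private space")

    # Rule 2: each subnet (gateway subnet included) must fit inside an address space.
    for name, net in subs.items():
        if not any(net.subnet_of(space) for space in spaces.values()):
            problems.append(f"subnet {name} ({net}) is outside every address space")

    # Rule 3: subnets of one virtual network must not overlap each other.
    for a, b in overlapping_pairs(subs):
        problems.append(f"subnets {a} and {b} overlap")

    # Rule 4: VNet space, P2S client pool and on-premises ranges must be
    # disjoint, otherwise routing is ambiguous once the VPN is up.
    for a, b in overlapping_pairs({**spaces, **clients, **onprem}):
        problems.append(f"{a} and {b} overlap")
    return problems


def lab_plan_issues():
    """Constructed plan: the lab's VNET1 plus a gateway subnet, a client pool
    and two on-premises ranges. HQ-LAN deliberately collides with the pool."""
    return validate_plan(
        address_spaces={"VNET1-space1": "192.168.0.0/24",
                        "VNET1-space2": "172.16.0.0/16"},
        subnets={"Subnet-1": "192.168.0.0/25", "Subnet-2": "172.16.0.0/24"},
        gateway_subnet="192.168.0.128/29",
        p2s_clients={"P2S-clients": "10.0.0.0/24"},
        on_premises={"HQ-LAN": "10.0.0.0/16", "Branch": "192.168.100.0/24"},
    )


if __name__ == "__main__":
    for line in lab_plan_issues():
        print("PROBLEM:", line)
```

Run it against your own plan before creating the gateway; the address spaces and gateway subnet cannot be changed freely once a gateway exists, so catching a collision at this stage saves a delete-and-redeploy later.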
You use certificates to authenticate the clients that initiate a point-to-site VPN connection. You first
create a root certificate and upload its public part (the .cer file) to the Azure management portal. Then
you create client certificates, signed by that root, which the clients use for authentication. You create
these certificates manually by using the makecert command-line utility (part of the Windows SDK,
installed with the Microsoft Visual Studio tools). Currently, you cannot use an internal certification
authority (CA) to generate these certificates, so you must use self-signed certificates. Note that this makes
the root certificate's private key the credential that authorizes new clients: anyone who holds it can issue
client certificates that the gateway will accept. Generate it on a trusted machine, keep it out of the files
you distribute, and upload only the .cer (public) part.
You must install a client certificate on each computer that you want to connect to the virtual network, so
you must generate a client certificate for each machine. You can generate the certificates for all clients on
a single machine, export them, and then import each one on its client. It is important that you export
client certificates in the .pfx format, which includes the private key; protect each export with a password,
because whoever obtains the file can connect as that client. The next topic covers the certificate
generation process.
Based on the generated certificates and the dynamic gateway, the Azure platform generates VPN client
software that you install on each machine that will be connecting to the Azure virtual network.
Currently, the Azure platform supports the following operating systems as clients:

Windows 8.1 (32-bit and 64-bit)

Windows 8 (32-bit and 64-bit)

Windows 7 (32-bit and 64-bit)

Windows Server 2012 R2 (64-bit only)

Windows Server 2012 (64-bit only)

Windows Server 2008 R2 (64-bit only)

You will choose to download the 32-bit or 64-bit VPN client. You can then manually install VPN client
software on each machine, or use a software distribution mechanism, such as Microsoft System Center
Configuration Manager.


Setting Up a Point-to-Site VPN


You can use the Azure management portal to
create a point-to-site VPN. If you have already
created virtual networks, you can enable them for
point-to-site connectivity. However, you might
have to change other configuration parameters.
Because of this, we recommend that you
configure point-to-site connectivity when you
create an Azure virtual network.
You would typically use the following process to create and configure a virtual network with point-to-site
connectivity:
1. Create a virtual network. As the previous lesson described, you start the wizard for creating a new
virtual network. During the wizard, select the check box for enabling point-to-site VPN capability. You will
see the configuration page where you can configure the address space for VPN clients, the virtual
network address space, and the gateway subnet. If you enable point-to-site connectivity on an existing
virtual network, you will also have to configure these parameters.

2. Create a dynamic routing gateway. A gateway is a mandatory component for a point-to-site VPN
connection. You must create a dynamic routing gateway after you create your virtual network with
point-to-site connectivity. It usually takes up to 15 minutes to create the gateway.

3. Create certificates. As described earlier, certificates are used for VPN authentication. To create a
self-signed root certificate, issue the following command:

makecert -sky exchange -r -n "CN=RootCertificateName" -pe -a sha1 -len 2048 -ss My "RootCertificateName.cer"

Here -r makes the certificate self-signed, -sky exchange requests a key usable for key exchange, -pe
marks the private key as exportable, -len 2048 sets the RSA key length, -a sha1 selects the signature hash
(the value the course used; makecert also accepts -a sha256, which is the better choice today), -ss My
places the certificate in the current user's Personal store, and the trailing file name writes the public
certificate (.cer) to disk. After you create the root certificate, upload that .cer file to Azure by using the
Certificates tab in the network configuration pane; the private key stays on the machine where you ran
the command. Then create client certificates with the same command-line utility, but with different
parameters. For example:

makecert.exe -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss My -in "RootCertificateName" -is my -a sha1

Here -in names the issuing (root) certificate, -is my says that it lives in the Personal store, and -m 96 sets
the validity period to 96 months. This command creates a client certificate, signed by the root, in the
user's Personal store on the computer where you issue it. You can generate as many client certificates as
needed by running this command with different values for ClientCertificateName. Create a unique client
certificate for each computer that you want to connect to the virtual network. After you create the client
certificates, export each one in the .pfx format (with its private key, protected by a password) and import
it on the client machine that will be connecting to the network.

4. Download and install the VPN client software. After you configure the dynamic gateway and
certificates, you will see a link to download a VPN client for a supported operating system. Download the
appropriate VPN client (32-bit or 64-bit) and install it on the client machines that will be initiating a VPN
connection. Ensure that you also install the client certificate from step 3 before you initiate the VPN
connection.
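As an added example, not the course's own makecert commands, the following Python script (it requires the third-party cryptography package) builds the same certificate hierarchy that step 3 and the requirements topic describe: a self-signed root whose DER-encoded .cer is the only thing that leaves the signing machine, one client certificate per machine signed by that root, and a password-protected .pfx per client that carries the client's private key. The issued_by check shows what the gateway relies on: the client certificate's signature verifies under the uploaded root's public key. The names, file names and password are placeholders.

```python
"""Create point-to-site certificate material without makecert.

Added example (not the course's makecert commands). It builds the hierarchy
the procedure describes: a self-signed root whose public part (.cer, DER) is
uploaded to the portal, and one client certificate per machine signed by that
root and exported as a password-protected .pfx with the client's private key.
Requires the third-party `cryptography` package. Names, file names and the
password are placeholders.
"""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.serialization import pkcs12


def _validity(months):
    start = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(minutes=5)
    return start, start + datetime.timedelta(days=30 * months)


def make_root(common_name, months=120):
    """Self-signed root (the makecert -r step). Keep this private key offline:
    it can sign client certificates that the gateway will accept."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(months)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False,
                encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_client(root_key, root_cert, common_name, months=96):
    """Client certificate issued by the root (the makecert -in/-is step);
    one per machine, so one credential can be replaced without the others."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    not_before, not_after = _validity(months)
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(root_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(root_key, hashes.SHA256()))
    return key, cert


def root_cer_bytes(root_cert):
    """DER-encoded public certificate: this, and only this, is uploaded."""
    return root_cert.public_bytes(serialization.Encoding.DER)


def client_pfx_bytes(client_key, client_cert, password: bytes):
    """Password-protected PKCS#12 bundle holding one machine's private key."""
    return pkcs12.serialize_key_and_certificates(
        client_cert.subject.rfc4514_string().encode(), client_key, client_cert,
        None, serialization.BestAvailableEncryption(password))


def load_client_pfx(pfx_bytes, password: bytes):
    """What the client machine does on import; wrong password raises ValueError."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    return key, cert


def issued_by(client_cert, root_cert):
    """The gateway's effective check: the client certificate names the root as
    issuer and its signature verifies under the root's public key."""
    if client_cert.issuer != root_cert.subject:
        return False
    try:
        root_cert.public_key().verify(client_cert.signature,
                                      client_cert.tbs_certificate_bytes,
                                      padding.PKCS1v15(),
                                      client_cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


if __name__ == "__main__":
    root_key, root_cert = make_root("VNET1Cert")
    client_key, client_cert = make_client(root_key, root_cert, "VNET1Client")
    with open("VNET1Cert.cer", "wb") as f:          # upload this one
        f.write(root_cer_bytes(root_cert))
    with open("VNET1Client.pfx", "wb") as f:        # import this on the client
        f.write(client_pfx_bytes(client_key, client_cert, b"placeholder-password"))
    print("client issued by root:", issued_by(client_cert, root_cert))
```

Nothing in this script writes the root's private key to disk; if you need to issue more client certificates later, keep the root key in a protected store on the signing machine rather than alongside the .pfx files you hand out.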


Demonstration: Set Up a Point-to-Site VPN


In this demonstration, you will see how to create a point-to-site VPN connection.

Demonstration Steps
1. Open the Azure management portal and navigate to NETWORKS.
2. Open the configuration pane for VNET1.
3. Enable the Configure point-to-site connectivity option and save the changes.
4. Notice that you have options for ADDRESS SPACE available in the point-to-site connectivity section.
Ensure that 10.0.0.0/24 is selected.
5. Open Developer Command Prompt for VS2013 as administrator.
6. In the command prompt window, type makecert -sky exchange -r -n "CN=VNET1Cert" -pe -a sha1
-len 2048 -ss My "C:\temp\VNET1Cert.cer", and then press Enter. Do not close the command prompt
window.
7. Switch back to the Azure management portal, and click the CERTIFICATES tab for VNET1. Upload the
certificate that you just created and stored in C:\temp.
8. Restore the command prompt window. Type makecert.exe -n "CN=VNET1Client" -pe -sky exchange
-m 96 -ss My -in "VNET1Cert" -is my -a sha1, and then press Enter.
9. Switch back to the Azure portal and in the VNET1 configuration pane, on the DASHBOARD tab, click
to create the gateway.


Lab: Create a Virtual Network


Scenario
A. Datum Corporation is planning to create several cloud-based virtual machines. You want to create a
configurable network to control communication between these virtual machines. Also, A. Datum wants to
evaluate ways to connect remote workers to cloud resources by using a VPN. To address this requirement,
you have decided to implement point-to-site VPNs.

Objectives
After completing this lab, you will be able to:

Create a virtual network.

Create a virtual machine from the Gallery.

Add point-to-site connectivity.

Lab Setup
Estimated Time: 60 minutes
Sign in to your classroom computer by using the credentials your instructor provides.
You must have successfully completed Lab 1 before you start working on this lab.

Exercise 1: Creating a Virtual Network


Scenario
As a first step in deploying virtual network infrastructure, you want to create a new virtual network.
The main task for this exercise is as follows:
1. Create a virtual network.

Task 1: Create a virtual network
1. Sign in to your Azure subscription at https://manage.windowsazure.com.
2. Select NETWORKS in the navigation pane.
3. Choose to create a new virtual network.
4. Name the network VNET1, and choose West US as the location.
5. Do not make changes to the DNS Servers and Connectivity options.
6. Select the IP range 192.168.0.0/24 as the range for Virtual Network Address Spaces.
7. Add 172.16.0.0/16 as an additional address space with a subnet named Subnet-2.
8. Finish the wizard and create the network.

Results: After completing this exercise, you will have created a new virtual network.


Exercise 2: Creating Virtual Machines from the Gallery


Scenario
After creating a virtual network, you want to assign virtual machines to it. You will create two virtual
machines and assign them to the VNET1 virtual network.
The main tasks for this exercise are as follows:
1. Create a virtual machine.
2. Create a second virtual machine.
3. Test virtual network connectivity.

Task 1: Create a virtual machine
1. Open the Azure preview portal at https://portal.azure.com and sign in with the Microsoft account
associated with your Azure subscription.
2. Create a new virtual machine in the Azure preview portal with the following parameters:
   Host name: Server1
   User name: server1-admin
   Password: Moc1500!
   Pricing tier: Basic A1
   Virtual Network: VNET1

Task 2: Create a second virtual machine
Create a new virtual machine in the Azure preview portal with the following parameters:
   Host name: Server2
   User name: server2-admin
   Password: Moc1500!
   Pricing tier: Basic A1
   Virtual Network: VNET1

Task 3: Test virtual network connectivity
1. In the Azure preview portal, connect to the Server1 virtual machine by using an RDP connection.
2. Note the internal IP address assigned to Server1.
3. In the Azure preview portal, connect to the Server2 virtual machine by using an RDP connection.
4. Note the internal IP address assigned to Server2. Open Network and Sharing Center on Server2 and
enable Network discovery and file sharing. This opens SMB (TCP port 445) on Server2, which is acceptable
here because the port is reachable only on the virtual network's private address; it is not exposed to the
Internet unless you add a public endpoint for it.
5. On Server1, open File Explorer, type \\IPaddressofServer2 in the address bar, and then press Enter.
Ensure that the share list of Server2 opens, which confirms that the servers can communicate over the
virtual network VNET1.

Results: After completing this exercise, you will have created two new virtual machines and assigned them
to VNET1.


Exercise 3: Add Point-to-Site Connectivity


Scenario
After creating a virtual network and virtual machines, you want to enable point-to-site functionality on
existing virtual networks, and establish a VPN connection from your computer.
The main task for this exercise is as follows:
1. Add point-to-site connectivity.

Task 1: Add point-to-site connectivity
1. Open the Azure management portal and navigate to NETWORKS.
2. Open the configuration pane for VNET1.
3. Enable the Configure point-to-site connectivity option and save the changes.
4. Notice that you have options for ADDRESS SPACE available in the point-to-site connectivity section.
Ensure that 10.0.0.0/24 is selected.
5. Open Developer Command Prompt for VS2012 as administrator.
6. In the command prompt window, type makecert -sky exchange -r -n "CN=VNET1Cert" -pe -a sha1
-len 2048 -ss My "C:\temp\VNET1Cert.cer", and then press Enter. Do not close the command prompt
window.
7. Switch back to the Azure management portal, and click the CERTIFICATES tab for VNET1. Upload the
certificate that you just created and stored in C:\temp.
8. Restore the command prompt window. Type makecert.exe -n "CN=VNET1Client" -pe -sky exchange
-m 96 -ss My -in "VNET1Cert" -is my -a sha1, and then press Enter.
9. Switch back to the Azure portal and in the VNET1 configuration pane, on the DASHBOARD tab, click
to create the gateway.
10. After the gateway is created, download the 64-bit VPN client from the DASHBOARD tab and install
it on the classroom machine. Unblock the downloaded file before starting the installation.
11. Initiate the VPN connection by using the VPN client and ensure that it is established.
12. Run the ipconfig command in a command prompt and ensure that an IP address from the
10.0.0.0/24 range is assigned to the PPP adapter VNET1.
13. Disconnect from VNET1.

Results: After completing this exercise, you will have established a point-to-site connectivity.


Module Review and Takeaways


Review Questions
Question: Is it mandatory to setup the Domain Name System (DNS) on your Azure virtual
network?
Question: If you have machines running Windows XP and Windows Vista, can you initiate a
point-to-site connection?

Best Practice

Before you create any virtual networks, analyze your requirements and determine what type of virtual
network you need.

Carefully plan the address space for virtual networks, especially if you are going to implement
cross-premises connectivity; the Azure address space, the point-to-site client address pool, and your
on-premises ranges must not overlap.

Use point-to-site VPNs when you want to provide access from single computers at remote locations
to your Azure virtual network.

Issue a separate client certificate for each client that will be using a point-to-site VPN, and keep the
root certificate's private key off the client machines.

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip
You do not see an option to download the VPN client for a point-to-site connection. |
The VPN client cannot establish a point-to-site VPN connection. |
