Module 4
Virtual Networks
Contents:
Module Overview
Module Overview
Microsoft Azure virtual networks are a critical component of most Azure deployments. With Azure virtual
networks, you can establish secure and reliable communication between Azure virtual machines and
between your data center and Azure. By using Azure virtual networks, you can effectively extend your
data center to Microsoft Azure.
In this module, you will learn how to create and implement Azure networks, and how to implement
communications between your on-premises infrastructure and Azure.
Objectives
After completing this module, you will be able to:
Lesson 1
Lesson Objectives
After completing this lesson, you will be able to:
resources in your local network infrastructure. For example, you can run a service in an Azure VM that
uses data stored on your locally deployed storage.
Additional Reading: For more information on virtual networks, go to
http://go.microsoft.com/fwlink/?LinkID=517442
If you do not plan to connect your Azure virtual machines to your local network infrastructure, you
will use cloud-only virtual network deployments. In this case, on-premises resources can access Azure
virtual machines only through connection endpoints. The Azure virtual machines can communicate
with each other and access the Internet, but they cannot use any VPN-based connections.
To connect your internal data center to Azure virtual machines by using a secure connection, and to
provide two-way resource access between Azure VMs and an on-premises infrastructure, you create a
cross-premises virtual network. When creating a cross-premises virtual network, you must create a
gateway to your internal network. You must also consider IP addressing.
Lesson 2
Lesson Objectives
After completing this lesson, you will be able to:
If you choose to connect your virtual network with your on-premises infrastructure, you must select point-to-site
or site-to-site connectivity options on the DNS Servers and VPN Connectivity page of the wizard. If
you choose to create site-to-site connectivity, you will have to configure the on-premises VPN device IP
address and specify your local IP scope. For point-to-site connectivity, you must select the IP address
range that will be used for VPN clients.
Demonstration Steps
1.
2.
3.
4.
5.
6.
7.
8.
When you create an Azure Traffic Manager policy for your application, there are three options that you
can configure to determine how Azure Traffic Manager behaves:
Performance. If you choose this option, Traffic Manager sends all client requests to the data center
with the lowest latency from the user system. Usually, this will be the data center that is
geographically closest to the user.
Failover. If you choose this option, Traffic Manager directs all client requests to the data center that
you specify in the policy. If the data center is unavailable, Traffic Manager directs requests to other
data centers in the priority order defined by the policy.
Round Robin. If you choose this option, Azure Traffic Manager equally distributes client requests
across all data centers in which the application is running.
Azure Traffic Manager periodically checks every instance of the application that it manages: it sends
each copy an HTTP GET and records the response. If an instance does not respond, Traffic Manager
stops directing users to that instance until it responds to the probe again.
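As an added example, not part of the course text, the following Python simulation shows how the three policies above interact with the HTTP GET health probe: a probe result that is not HTTP 200 removes an endpoint from the candidate set, and the policy then picks from whatever remains. The endpoint names, the per-region latency table (which stands in for Azure's own Internet latency measurements) and the probe results are constructed sample data.

```python
# Added example (not part of the course): a small simulation of the three
# Traffic Manager policies, with HTTP GET health probes deciding which
# endpoints are eligible. Endpoint names, latencies and probe results are
# constructed sample data, not measurements from Azure.
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    name: str
    latency_ms: Dict[str, int]   # assumed latency from each client region
    healthy: bool = True         # outcome of the last HTTP GET probe


class TrafficManagerPolicy:
    """Resolves a client's request to one healthy endpoint."""

    def __init__(self, method: str, endpoints: List[Endpoint]):
        if method not in ("performance", "failover", "roundrobin"):
            raise ValueError(f"unknown routing method: {method}")
        self.method = method
        self.endpoints = endpoints          # for failover, list order is the priority order
        self._rotation = cycle(endpoints)   # round-robin cursor

    def probe(self, results: Dict[str, Optional[int]]) -> None:
        """Record one probe cycle. `results` maps endpoint name to the HTTP
        status returned by its GET, or None when the instance did not answer."""
        for ep in self.endpoints:
            ep.healthy = results.get(ep.name) == 200

    def resolve(self, client_region: str) -> Optional[str]:
        healthy = [ep for ep in self.endpoints if ep.healthy]
        if not healthy:
            return None                     # every instance failed its probe
        if self.method == "performance":
            return min(healthy, key=lambda ep: ep.latency_ms[client_region]).name
        if self.method == "failover":
            return healthy[0].name          # highest-priority endpoint still healthy
        # round robin: advance the cursor, skipping endpoints that failed the probe
        for _ in range(len(self.endpoints)):
            ep = next(self._rotation)
            if ep.healthy:
                return ep.name
        return None


def build_policy(method: str) -> TrafficManagerPolicy:
    """Three constructed deployments of one application, in priority order."""
    endpoints = [
        Endpoint("WestUS", {"us": 40, "eu": 120}),
        Endpoint("NorthEurope", {"us": 130, "eu": 30}),
        Endpoint("EastAsia", {"us": 200, "eu": 220}),
    ]
    return TrafficManagerPolicy(method, endpoints)


if __name__ == "__main__":
    policy = build_policy("failover")
    print(policy.resolve("us"))    # WestUS: first in priority order and healthy
    policy.probe({"WestUS": 503, "NorthEurope": 200, "EastAsia": 200})
    print(policy.resolve("us"))    # NorthEurope: WestUS failed its probe
```

The failover case is the one worth checking when you design for availability: a `503` from the primary is treated exactly like no answer at all, so a misconfigured probe path that returns an error will silently move all traffic to the secondary.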
Lesson 3
Lesson Objectives
After completing this lesson, you will be able to:
You will choose to download the 32-bit or 64-bit VPN client. You can then manually install VPN client
software on each machine, or use a software distribution mechanism, such as Microsoft System Center
Configuration Manager.
2.
Create a dynamic routing gateway. A gateway is a mandatory component for a point-to-site VPN
connection. You must enable a dynamic routing gateway after you create your virtual network with
point-to-site connectivity. It usually takes up to 15 minutes to create the gateway.
3.
Create certificates. As described earlier, certificates are used for VPN authentication purposes. To
create a root self-signed certificate, you should issue the following command:
makecert -sky exchange -r -n "CN=RootCertificateName" -pe -a sha1 -len 2048 -ss My "RootCertificateName.cer"
After you create the root certificate, you should upload it to Azure by using the Certificates tab in the
Network configuration pane. Then you should create client certificates. You use the same command-line
utility as for the root certificate, but with different parameters. For example:
makecert.exe -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss My -in "RootCertificateName" -is my -a sha1
This command creates a client certificate in the user's Personal store on the computer where you issue
this command. You can generate as many client certificates as needed by using this same command
and typing different values for ClientCertificateName. We recommend that you create unique client
certificates for each computer that you want to connect to the virtual network. After you create the
client certificates, you should export them in the .pfx format and import them on the client machines
that will be connecting to the network.
4.
Download and install the VPN client software. After you configure a dynamic gateway and
certificates, you will see a link to download a VPN client for a supported operating system. You
should download the appropriate VPN client (32-bit or 64-bit) and install it on client machines that
will be initiating a VPN connection. Ensure that you also install the client certificate from step 3 before
you initiate the VPN connection.
Demonstration Steps
1.
2.
3.
4.
Notice that you have options for ADDRESS SPACE available in the point-to-site connectivity section.
Ensure that 10.0.0.0/24 is selected.
5.
6.
In the command prompt window, type makecert -sky exchange -r -n "CN=VNET1Cert" -pe -a
sha1 -len 2048 -ss My "C:\temp\VNET1Cert.cer", and then press Enter. Do not close the command
prompt window.
7.
Switch back to the Azure management portal, and click the CERTIFICATES tab on the VNET1 portal.
Upload the certificate that you just created and stored to C:\temp.
8.
Restore the command prompt window. Type makecert.exe -n "CN=VNET1Client" -pe -sky
exchange -m 96 -ss My -in "VNET1Cert" -is my -a sha1, and then press Enter.
9.
Switch back to the Azure portal and in the VNET1 configuration pane, on the DASHBOARD tab, click
to create gateway.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Sign in to your classroom computer by using the credentials your instructor provides.
You must have successfully completed Lab 1 before you start working on this lab.
2.
3.
4.
5.
6.
Select the IP range 192.168.0.0/24 as the range for Virtual Network Address Spaces.
7.
8.
Results: After completing this exercise, you will have created a new virtual network.
2.
3.
Open the Azure preview portal at https://portal.azure.com and sign in with the Microsoft account
associated with your Azure subscription.
2.
Create a new virtual machine in the Azure preview portal with the following parameters:
Password: Moc1500!
Create a new virtual machine in the Azure preview portal with the following parameters:
Password: Moc1500!
In the Azure preview portal, connect to the Server1 virtual machine by using an RDP connection.
2.
3.
In the Azure preview portal, connect to the Server2 virtual machine by using an RDP connection.
4.
Note the Internal IP address assigned to Server2. Open Network and Sharing Center on Server2 and
enable Network discovery and file sharing.
5.
On the Server1 machine, open File Explorer and in the address bar, type \\IPaddressofServer2, and
then press Enter. Ensure that the server opens, which confirms that your servers can communicate via
virtual network VNET1.
Results: After completing this exercise, you will have created two new virtual machines and assigned them
to VNET1.
2.
3.
4.
Notice that you have options for ADDRESS SPACE available in the point-to-site connectivity section.
Ensure that 10.0.0.0/24 is selected.
5.
6.
In the command prompt window, type: makecert -sky exchange -r -n "CN=VNET1Cert" -pe -a
sha1 -len 2048 -ss My "C:\temp\VNET1Cert.cer" and press Enter. Do not close the command
prompt window.
7.
Switch back to the Azure management portal, and click the CERTIFICATES tab on the VNET1 portal.
Upload the certificate that you just created and stored to C:\temp.
8.
Restore the command prompt window. Type the following command: makecert.exe -n
"CN=VNET1Client" -pe -sky exchange -m 96 -ss My -in "VNET1Cert" -is my -a sha1, and press
Enter.
9.
Switch back to the Azure portal and in the VNET1 configuration pane, on the DASHBOARD tab, click
to create the gateway.
10. After the gateway is created, download the 64-bit VPN client from the DASHBOARD tab and install it on the
classroom machine. Unblock the downloaded file before starting the installation.
11. Initiate a VPN connection by using the VPN client and ensure that you can establish it.
12. Run the ipconfig command in a Command Prompt window and ensure that you have an IP address from the
10.0.0.0/24 scope assigned to the PPP adapter VNET1.
13. Disconnect from VNET1.
Results: After completing this exercise, you will have established point-to-site connectivity.
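Step 12 of the exercise is a manual check. As an added example (not part of the lab), the Python below scripts that check: it parses ipconfig output into per-adapter fields, then confirms that the "PPP adapter VNET1" received an IPv4 address inside the 10.0.0.0/24 client pool. The ipconfig text is constructed to look like Windows output and is not captured from a lab machine; the adapter name and pool are the lab's values.

```python
# Added example (not from the course): verify the point-to-site client address
# from ipconfig output. SAMPLE_IPCONFIG is constructed, not captured output.
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 172.16.4.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.4.1

PPP adapter VNET1:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Return {adapter header: {field: value}} for every adapter block.

    Adapter headers are unindented lines ending in ':'; field lines are
    indented and carry a dotted leader before the colon."""
    adapters: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key = re.sub(r"[ .]+$", "", key.strip())   # drop the ". . . ." leader
            adapters[current][key] = value.strip()
    return adapters


def p2s_address(adapters: Dict[str, Dict[str, str]],
                adapter_name: str = "PPP adapter VNET1",
                pool: str = "10.0.0.0/24") -> Optional[str]:
    """Return the VPN adapter's IPv4 address if it lies inside the client pool,
    otherwise None (adapter missing, no address, or address outside the pool)."""
    fields = adapters.get(adapter_name, {})
    addr = fields.get("IPv4 Address")
    if not addr:
        return None
    return addr if ip_address(addr) in ip_network(pool) else None


if __name__ == "__main__":
    found = p2s_address(parse_ipconfig(SAMPLE_IPCONFIG))
    print("point-to-site address:", found or "NOT CONNECTED")
```

An address outside the pool, or no "IPv4 Address" line under the PPP adapter at all, both return None, which is the state you see when the VPN client connected but the gateway handed out nothing or the adapter name does not match the virtual network.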
Best Practice
Before you create any virtual networks, analyze your requirements and determine what type of virtual
network you need.
Carefully plan address space for virtual networks, especially if you are going to implement cross-site
connectivity.
Use point-to-site VPNs when you want to provide access from single computers at remote locations
to your Azure virtual network.
Issue a separate client certificate for each client that will be using a point-to-site VPN.
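The address-space advice above (and the IP addressing note in Lesson 1) is easiest to apply with a check that runs before anything is created. The following Python is an added example, not part of the course: it takes a virtual network address space, its subnets, the point-to-site client pool and the on-premises ranges a cross-premises connection will reach, and reports every overlap or malformed prefix. The sample plan uses the lab's values (192.168.0.0/24 and 10.0.0.0/24); the subnet layout and the on-premises range 172.16.0.0/16 are assumptions.

```python
# Added example (not from the course): consistency check for a cross-premises
# address plan. All prefixes below are constructed sample data.
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Optional


def check_address_plan(address_space: str, subnets: Dict[str, str],
                       p2s_pool: str, on_premises: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []

    def parse(label: str, cidr: str):
        try:
            return ip_network(cidr, strict=True)   # reject prefixes with host bits set
        except ValueError as exc:
            problems.append(f"{label}: {cidr} is not a valid network ({exc})")
            return None

    vnet = parse("address space", address_space)
    pool = parse("point-to-site pool", p2s_pool)
    subs = {name: parse(f"subnet {name}", cidr) for name, cidr in subnets.items()}
    sites = [parse("on-premises range", cidr) for cidr in on_premises]
    if vnet is None or pool is None or None in subs.values() or None in sites:
        return problems                 # malformed input: overlap checks would be meaningless

    # every subnet must sit inside the virtual network's address space
    for name, sub in subs.items():
        if not sub.subnet_of(vnet):
            problems.append(f"subnet {name} ({sub}) is outside address space {vnet}")
    # subnets must not overlap one another
    for (a, sa), (b, sb) in combinations(subs.items(), 2):
        if sa.overlaps(sb):
            problems.append(f"subnet {a} ({sa}) overlaps subnet {b} ({sb})")
    # the VPN client pool must be distinct from the VNet and from every site it reaches
    for label, other in [("address space", vnet)] + [("on-premises range", s) for s in sites]:
        if pool.overlaps(other):
            problems.append(f"point-to-site pool {pool} overlaps {label} {other}")
    # cross-premises routing breaks if a site range collides with the VNet
    for site in sites:
        if site.overlaps(vnet):
            problems.append(f"on-premises range {site} overlaps address space {vnet}")
    return problems


if __name__ == "__main__":
    plan = check_address_plan(
        "192.168.0.0/24",
        {"Subnet-1": "192.168.0.0/25", "GatewaySubnet": "192.168.0.128/27"},
        "10.0.0.0/24",
        ["172.16.0.0/16"],
    )
    print("OK" if not plan else "\n".join(plan))
```

Run it against the ranges of every site you intend to connect, not just the first one; a pool that is free today collides with the next site's LAN surprisingly often, and changing the client pool later means re-issuing VPN client packages.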
Troubleshooting Tip