1. Overview of Azure Routing
So we’re moving on to the next section of the course, which is called Design and Implement Routing and is worth 25% to 30%, another big section. And so in this section and the sections that follow, we’re going to talk about routing, and we’re also going to talk about routing-related services such as Load Balancer and Application Gateway, as well as the Azure Front Door Service, Traffic Manager, and Network Address Translation within an Azure Virtual Network. And so in this first section, we’re going to talk about routing. So by default, within an Azure Virtual Network, Azure takes care of routing traffic. If you have a machine on one subnet and another machine on another subnet, you can communicate between them and Azure takes care of that. Those are called system routes. And so for each subnet within the Virtual Network, there’s a default set of routes created for you.
So if we switch over to the Microsoft documentation real quick, we can see that for another resource on the same virtual network, the routing basically happens at the Virtual Network layer. 0.0.0.0/0 represents the default route, which means anything not matched by a more specific route gets sent to the Internet. And any of these internal addresses, the 10. addresses, the 192.168. addresses, these are internal addresses, and that traffic basically does not leave the Virtual Network. Even if you attempted to route traffic to a 10. address, it stays within the Virtual Network. Now, we’ve already seen, as we’ve done things such as Virtual Network peering and the Virtual Network gateway, that there are routes added to the system route table related to that. So if you add a peered network, then certainly that routing is taken care of for you.
If you add a Virtual Network gateway, then any of the IP addresses on the remote network are also taken care of for you. And also any Azure services that get added to your Virtual Network, that routing is taken care of for you as well. So all of that is done for you. You can’t opt out of it, you can’t modify it. All you can do is create your own custom routes, which take precedence over the default routes. And so when you are creating a subnet, there is this option of choosing what’s called a route table, and we can create some custom routes, and then this route table would affect this subnet.
And therefore any IP addresses that appear on the route table, or match the CIDR notation or what have you, will then follow those instructions and trump the default instructions. So what we’re going to do is we’re going to set this up. We’re going to do a little tutorial in the next video where we’re going to create a route table and attach it to a subnet and see that we can actually affect traffic instead of it following its default path. We can basically send traffic to other places and basically shape the network.
2. Route Tables and Custom Routes
What we’re going to do in this video is we’re going to start with the virtual network that we’ve previously created. And remember, we had three devices, three virtual machines, connected to this virtual network, two in the front end and one in the mid tier. And we’re going to create a custom route table. And what that means is we can then hard-code a list of rules that says how traffic should be handled. And let’s say in this example, I know that this machine, 10.0.0.68, wants to communicate with this machine, 10.0.0.5. But I want to force that traffic to go to .4 first before it goes to .5. Like I’m sort of making a less efficient route. But anyway, we’re going to send the traffic from .68 to .4, and .4 is just going to redirect it to .5. And that’s called a custom route. Now what we have to do is we’re starting with what’s called a route table. We go to the home screen and I’m going to search for route table. And I can see it here. I’m going to create a route table. I’m going to place it in the same resource group as I’ve been creating resources in, in the same region that I’ve been creating resources in. And I’m going to give it a name. I’m going to call it first route. And we’ll leave the default here in terms of publishing its routes. All right, so this first route table actually doesn’t do anything yet because we haven’t added routes to it and we haven’t attached it to any subnets. So this should be relatively quick to create. And there it is. And the first thing we’re going to do is we’re going to add a route to it. Remember, our intention here is that any traffic that goes to 10.0.0.5, I’m just abbreviating that, if we see any traffic that comes through and goes specifically to this single address, the /32 represents a single address, then what we want it to do is forward it to the other address first.
So we’re going to assign this to the mid tier subnet, and we’re interfering with the route for a single address and sending it to a different one. Now, you’ll see it says ensure you have IP forwarding enabled on your virtual appliance. And this is under the network interface card. And it also has to be enabled within Windows. So we have to do that in a second. So I’m going to say okay. So now we’ve created a route table that has a single route in it. All of the other defaults that we saw in the last video will continue to apply, so this is just our custom route. It doesn’t actually delete the default routes. So I hit refresh and I can see my route here. Now I could go under subnets and I could associate this with the mid tier subnet, right? I could just go right into here and assign it like that. There’s another way to do that. I’m going to discard this. We’re going to go into the virtual network, into the subnets, and we’re going to select this mid tier subnet, and I’m going to choose first route from the route table dropdown. We could have done this when we set it up, but we’re doing it now. So any device, and we just happen to have a single device right now on the mid tier, but if we added more, they would have to follow these routes. So I’m going to say save. Now remember, when we created it, it told us that we had to enable IP forwarding. And there’s a couple of steps to do that. So since we are sending the traffic to the .4 device, I’m going to go home, I’m going to go into that VM, under networking, and we’re going to skip to the network interface card. And this is where the forwarding, first of all, needs to be enabled. Now, I’ve previously enabled this. I’m just going to show you where this is. You can see this IP forwarding setting under IP configurations, and by default it’s disabled, and you can turn this on to enabled. And so like I said, this is one half of the steps.
Now what this is going to do is it’s going to allow the device, in this case the VM, to receive traffic that doesn’t belong to it. And then it will make an attempt at forwarding that traffic to the proper location. That’s not the normal behavior. Normally it ignores traffic that’s not directed to it. Now the other thing we need to do is we need to go into the device. So if I go back to the VM, go back to overview, and if I was actually to connect to this, I’ve got to make sure that it’s running, of course. But if I was to use RDP to connect into it, then we can set a setting on the device. Now one of the first things we might want to do is we may want to allow for a trace route. Trace route is basically not a TCP program. It uses what’s called ICMP. And so what you may want to do is allow that ICMP traffic to come in, which allows people to ping this device and also use trace route. The other thing we have to do is that we have to allow this IP forwarding. So we were just showing you the forwarding at the network interface card level, but within the registry of Windows we do have to enable the IP router value, set that value to 1. And in order for this device to pick up this value, we have to restart the computer. So you have to do a reboot and that is going to restart these network settings. I’m going to give that 30 seconds, 45 seconds to restart. All right, so the front end machine has been restarted. Now, we did make the change to the mid tier. The mid tier doesn’t happen to have a public IP address. So I have to repeat my Inception imitation and connect to 10.0.0.68, which is on my mid tier subnet, using remote desktop from inside the front end. So we’re going to just do this remote route here. So now we’re remoted into the mid tier machine. So we can just start off with a simple ping and let’s see if we can reach the front end VM. We certainly can, and the ping is working. This is the ICMP protocol.
We can also use this trace route command, which does something similar to ping but actually shows you all of the hops. Now, the real test here is going to be what happens when we try to reach another machine. Is it going to go directly to that machine, or is it going to have to go through the .4 machine like our custom route mandates? So here’s our trace route to .5. You’ll notice that it’s two hops. The first hop is the front end machine that we’re currently remoted into, before it goes on to the second VM. And this is exactly what we expected to happen because of our custom route. So in this video, we saw that you can actually change the defaults that are routing traffic within Azure by creating custom routes.
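The same custom-route setup done with Azure PowerShell instead of the portal, added here as an example; it is not the course’s own script (the course does this part by clicking through the portal). The resource names (rg-demo, vnet-demo, the mid-tier subnet, vm-frontend and its NIC vm-frontend-nic, the mid-tier NIC vm-midtier-nic) are assumed; the addresses follow the video. The guest-side step sets the IPEnableRouter value under the Windows TCP/IP parameters key, which is the registry setting the video refers to as enabling the router, and opens ICMPv4 echo so ping and tracert work.

```powershell
# Added example, not the course's own script: the custom /32 route from this section
# built with Azure PowerShell (Az module, run after Connect-AzAccount).
# Assumed names: resource group rg-demo, VNet vnet-demo, subnet mid-tier,
# forwarding VM vm-frontend (10.0.0.4) with NIC vm-frontend-nic, mid-tier NIC vm-midtier-nic.
$rg       = 'rg-demo'
$location = 'westus'

# 1. Route table with one route: anything for 10.0.0.5/32 is handed to 10.0.0.4,
#    which Azure treats as a "virtual appliance" (a VM that will forward the packet).
$rt = New-AzRouteTable -Name 'first-route' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name 'to-dot5-via-dot4' -AddressPrefix '10.0.0.5/32' `
    -NextHopType VirtualAppliance -NextHopIpAddress '10.0.0.4' -RouteTable $rt | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# 2. Attach the table to the mid-tier subnet (same as picking it on the subnet blade).
#    Set-AzVirtualNetworkSubnetConfig needs the prefix again, so reuse the existing one.
$vnet   = Get-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'mid-tier'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'mid-tier' `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 3. Half one of IP forwarding: the Azure NIC must accept packets not addressed to it.
$nic = Get-AzNetworkInterface -Name 'vm-frontend-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 4. Half two, inside the Windows guest: turn on the IPEnableRouter TCP/IP parameter
#    and allow ICMPv4 echo so ping/tracert reach the box. The VM run command delivers
#    the script without an RDP session; the reboot afterwards makes the value take effect.
$guestScript = @'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name 'IPEnableRouter' -Value 1 -Type DWord
New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo request' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Allow | Out-Null
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'enable-forwarding.ps1'
Set-Content -Path $tmp -Value $guestScript
Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName 'vm-frontend' `
    -CommandId 'RunPowerShellScript' -ScriptPath $tmp | Out-Null
Restart-AzVM -ResourceGroupName $rg -Name 'vm-frontend' | Out-Null

# 5. Check from the Azure side: the effective routes of the mid-tier NIC should now list
#    a User route for 10.0.0.5/32 with next hop 10.0.0.4 beside the Default system routes.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'vm-midtier-nic' -ResourceGroupName $rg |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

The last step is the one to reach for when a custom route does not seem to take effect: the effective route table shows whether the user route is actually attached to the NIC’s subnet and whether it is Active, before you go looking at the guest. Turning on IP forwarding means the .4 VM now accepts and relays packets that are not addressed to it, so the NSG on that NIC is what decides which traffic it will forward.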
3. Forced Tunneling in PowerShell
So let’s talk about the concept of forced tunneling. Now, it’s very similar to what we just demonstrated when it comes to shaping traffic within Azure. But forced tunneling basically forces outbound traffic to go through something like a site-to-site VPN. And so in this diagram, we see that the front end server can connect to the Internet directly, but there is no route from the back end or mid tier servers to the Internet, to or from. All of that traffic must travel over the site-to-site VPN through some type of on-premises device. Now, it’s quite common that companies have these types of requirements. It allows you to inspect traffic and to audit it. You have your familiar tools at your disposal for seeing what’s coming across your network. And these servers need to be protected. A website or front end typically is exposed. In Microsoft’s zero trust model, you assume that you’ve been breached, and so typically you don’t want your website to contain a lot of secrets. This is a way that the servers that have the secrets are more protected from access to the Internet. Even if somehow somebody was able to push a virus or something onto these machines, the traffic still has to go through traditional firewalls and can potentially just be blocked based on suspicious outbound addresses or volume of traffic or what have you. So in this video, because I find this really interesting, we’re going to use Azure PowerShell in the Cloud Shell to create all new networks, all new subnets, and then we’re going to create a route table and even a VPN gateway using PowerShell to create this kind of setup. I’ll attach the link to this if you want to follow along with written instructions to this video. So I’m going to get out of here and I’m going to go into the Cloud Shell. Now, if you haven’t yet set up your Cloud Shell, then you’re going to be prompted to create a storage account.
And there’s some setup to do, but once you’ve set that up, you should be able to, as I just did, start up a terminal right within the browser, and I’m going to be 100% dedicated to this. Now, this is going to take some time, because remember, we saw earlier that creating a VPN gateway can take half an hour or more. And so we just have to be prepared. There’s some amount of effort. And if you’re doing this from your local machine, you can obviously have PowerShell installed on your local machine. Then you have to have the latest PowerShell and the latest SDK. Like if I go under my thing, we can see PowerShell 7 is the latest, run as administrator, and I’m on 7.1.3. You do have to download the Azure SDK and then you do have to connect to your account in order for PowerShell on your local machine to be able to run these types of commands. So we’re going to start off by creating a new resource group, and the command is New-AzResourceGroup. And I’m going to give it a name. I’ll follow the Microsoft instructions and call it ForcedTunneling. And we do need to put this in some location. I’m going to put this in West US. So we’ve created our resource group named ForcedTunneling. Now, the way that you create a Virtual Network and subnets is sort of a two-step approach. First you create a subnet config, and next you create the Virtual Network and you pass the subnet config to it. If I was to say New-AzVirtualNetworkSubnetConfig, give it a name, give it a subnet range, it doesn’t actually go and create this, right? It’s just stored in a variable for now. And it’s not until I create the Virtual Network that it does that. So I’m going to create a couple more. So now I’ve created four subnets. One of them is for the Virtual Network gateway, the gateway subnet that we see when we create the Virtual Network. And then the last thing we’re going to do is we’re going to say New-AzVirtualNetwork, give it a name. I’m putting this in West US.
The resource group we’ve already created, and an address prefix that covers all of the subnets. And then we’re passing in the four variables for the subnets. So this is going to create us a brand new Virtual Network. So the next step here is to create local network gateways. Remember, we did this. It represents the local site. So in this case, headquarters. And so you are pretending that you have a network gateway on the other side with this fake IP address. And you’re basically starting the process of creating branch locations. So this first one is the headquarters, which is called a local network gateway. And we’re also going to create three more branch locations: branch one, branch two, branch three. So then we will have four local network gateways to represent our four physical office locations. All right, so let’s clear that up. And the next thing we’re going to do is we’re going to create the route table. So the command is New-AzRouteTable, and we give it a name. So this is like my route table. We are going to place this in a resource group. You can always hit the tab key, which auto-fills, which is helpful. And we’re going to put it into our ForcedTunneling resource group, and the location, we’ve been putting stuff in West US, and we’ll continue with that. Now, for some reason, the next command just gets the route table into a variable. So I’m just going to say $rt equals, and it’s just going to get the route table. Now we need to create a route. And so the command is Add-AzRouteConfig. If I type this properly, DefaultRoute is the name. And where are we going to intercept? We’re intercepting all traffic. So 0.0.0.0/0 means all traffic. And the next hop type, hitting tab gives me some suggestions, is Virtual Network gateway. Because remember, we’re sending this to our site-to-site through our VPN. And the route table is $rt. So this is going to set up our route on our route table.
And next we have to say Set-AzRouteTable. All right, so we’ve got our Virtual Network, our subnets, our local network gateways, and our route table. So I’m going to clear this again, and what we’re going to do here is we’re going to assign our route table to our back end subnets. So, going back to the diagram, we’ve got our two back end subnets, and the route table needs to handle both of them. So we’re going to basically, I’ll go back up over this just to be clear what we’re doing here. So basically, we are getting the Virtual Network, we are getting the subnet from that Virtual Network, and then we are assigning the route table to the mid tier and the back end, and then we are saying, that’s good, you can update. This is like an update command; it commits the changes. So now our subnets have this route table. I think what we’re going to do is we’re going to pause the video, and when we come back, we’re going to create the Virtual Network gateway by PowerShell, which does take, like I said, half an hour to 40 minutes.
4. Create a S2S VPN in PowerShell
Okay, so now to create the gateway, it’s going to be very similar to what we did when we were in the portal. We do have to create a public IP address. And so I’m going to create a variable for the public IP address called $pip. And the command is New-AzPublicIpAddress. And we do have to give the address a name. So this is the gateway IP. We’re going to put this into the resource group ForcedTunneling, and the location is going to be where all the other resources are, in West US. And instead of asking for a static IP address, we’ll ask for a dynamic one, which is just going to pull from its pool, and then it’ll basically let it go when we stop using it, which is fine. All right, now it’s time to create the network gateway. Now, similar to creating the virtual network itself, you do need to set yourself up with some variables before you can just go ahead and create it. We’re going to go and get the gateway subnet into a variable, which is, remember, the gateway subnet is required for gateways. And we’re going to get the IP address into a variable, an IP config, effectively. And the last step is the step that’s going to take a while, that is to create the virtual network gateway. So we can see here it’s going to be called Gateway1, put into the same resource group, the same location, taking in the variable for the IP config. The gateway type is VPN, and the VPN type is basically a route-based VPN. And we’re choosing the VpnGw1 SKU. We were playing with Basic and Standard before; this is a version in the second generation of SKUs. And we’re not enabling the propagation of routes. So this is created as a network gateway and we’re just going to let that run.
5. Set Network Gateway Default Site
All right, so we’ve been away for a little bit, and the Virtual Network gateway actually did get created. But in the meantime, our Cloud Shell timed out, so it shut itself down, which is fine. I created a new Cloud Shell here. Now, the next step we have to do is, we have our gateway and we need to pick our headquarters as the default site. So we’re basically going to call the Set-AzVirtualNetworkGatewayDefaultSite cmdlet and identify our headquarters as the default site. So we’re going to set some variables, the local and virtual gateways, and then we’re going to call Set-AzVirtualNetworkGatewayDefaultSite to say that this is the default. This is really what’s required. This is the key to the forced tunneling aspect of this demo: by saying that the gateway is pointing to the headquarters, that’s where the traffic goes. When we’re sending traffic to the gateway, it’s going to go to the default site unless told otherwise. So we’re going to update the gateway for that. All right, so now we’ve set the default site for the gateway. Clear that out. Now, the next steps here have to do with linking those local network gateways to the gateway. So we’ve created the headquarters and three branch locations, and now we have to sort of set up those connections. So we saw in the previous area of the course that these network gateways can support multiple connections, right? We already demonstrated a couple of sections ago that we can establish a single connection. Well, this is using four of the connections. To do that, we’re going to use the New-AzVirtualNetworkGatewayConnection command, give it a name, so the name is Connection1, and pass in some of those standard things such as resource group and location. We’re putting things in West US, remember. And we’re going to have to basically pass in the gateway as $gateway, and point that to the local network gateway as $LNG. Remember, we created four variables here for local networks.
The connection type is going to be IPsec. And remember, when we were setting up the gateways prior, it has to have some type of text that is called a pre-shared key. And in this case, we’re just using the text “pre shared key” as the pre-shared key. So this is establishing the first connection, as long as I didn’t make any typos here, establishing the first connection between the headquarters and the network gateway. So that took a few seconds, and now we need to do the same thing with the three branch locations. So I’m just going to paste in the command for the three: branch one, branch two, and branch three, which are LNG2, LNG3, and LNG4 in our variables here. All right, so that has created the links between the local sites and the network gateway connection. So our last step here is just to look at the gateway connections. So we’re doing a Get command and we can sort of see the results here. So that’s pretty much it. I’m going to close out the Cloud Shell here. And if we go back to what we did today: we created a route table, and that route table forces all traffic, for all routes, to travel over the virtual network gateway, which again takes it outside of Azure, back onto your corporate network, in a design such as this. And this is again a common way of ensuring that your back end servers go through some type of auditing process, firewall process, for your security, whereas your website can be relatively more exposed. You obviously don’t want to get hacked, but like I said, it makes sense for servers trying to connect to the Internet to go through your premises. And that’s called forced tunneling.
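Sections 3 to 5 are one procedure, so here it is end to end as a single Azure PowerShell script, added here as an example; it is not the course’s transcript or the Microsoft walkthrough the instructor is following. Resource names follow the video (ForcedTunneling, Gateway1, DefaultSiteHQ, Branch1 to Branch3, MyRouteTable, Connection1 to Connection4); the VNet and on-premises address ranges, the fake on-premises gateway IPs (203.0.113.x, from the documentation range) and the pre-shared key are constructed placeholders.

```powershell
# Added example, not the course's own script: forced tunneling built with the Az module.
# Run after Connect-AzAccount. Address ranges, 203.0.113.x gateway IPs and the
# pre-shared key are constructed placeholders.
$rg       = 'ForcedTunneling'
$location = 'westus'
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 1. Subnet configs are only variables; nothing exists until New-AzVirtualNetwork runs.
$frontend = New-AzVirtualNetworkSubnetConfig -Name 'Frontend' -AddressPrefix '10.1.0.0/24'
$midtier  = New-AzVirtualNetworkSubnetConfig -Name 'Midtier'  -AddressPrefix '10.1.1.0/24'
$backend  = New-AzVirtualNetworkSubnetConfig -Name 'Backend'  -AddressPrefix '10.1.2.0/24'
$gwsubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.200.0/27'
$vnet = New-AzVirtualNetwork -Name 'MultiTier-VNet' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $frontend, $midtier, $backend, $gwsubnet

# 2. Local network gateways: headquarters plus three branches (placeholder IPs and ranges).
$sites = @(
    @{ Name = 'DefaultSiteHQ'; Ip = '203.0.113.10'; Prefix = '192.168.1.0/24' },
    @{ Name = 'Branch1';       Ip = '203.0.113.11'; Prefix = '192.168.2.0/24' },
    @{ Name = 'Branch2';       Ip = '203.0.113.12'; Prefix = '192.168.3.0/24' },
    @{ Name = 'Branch3';       Ip = '203.0.113.13'; Prefix = '192.168.4.0/24' }
)
$lngs = foreach ($s in $sites) {
    New-AzLocalNetworkGateway -Name $s.Name -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $s.Ip -AddressPrefix $s.Prefix
}

# 3. Route table: 0.0.0.0/0 (everything) goes to the VPN gateway; attach it to mid tier
#    and back end only, so the front end keeps its default Internet route.
$rt = New-AzRouteTable -Name 'MyRouteTable' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name 'DefaultRoute' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualNetworkGateway -RouteTable $rt | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt
foreach ($name in 'Midtier', 'Backend') {
    $sub = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name `
        -AddressPrefix $sub.AddressPrefix -RouteTable $rt | Out-Null
}
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet   # the "update" that commits the change

# 4. Public IP and the gateway itself (the slow step, tens of minutes).
#    The video uses a dynamic address; newer gateway SKUs want -Sku Standard -AllocationMethod Static.
$pip    = New-AzPublicIpAddress -Name 'GatewayIP' -ResourceGroupName $rg -Location $location `
              -AllocationMethod Dynamic
$gwSub  = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwIpConfig' -SubnetId $gwSub.Id `
              -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'Gateway1' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -EnableBgp $false

# 5. Default site = headquarters. This is the forced-tunneling switch: 0.0.0.0/0 traffic
#    that reaches the gateway is sent down the HQ tunnel unless a more specific route says otherwise.
Set-AzVirtualNetworkGatewayDefaultSite -VirtualNetworkGateway $gw -GatewayDefaultSite $lngs[0] | Out-Null

# 6. One IPsec connection per site, all sharing the same gateway.
$psk = 'REPLACE-WITH-A-STRONG-PRESHARED-KEY'   # placeholder, not a real secret
for ($i = 0; $i -lt $lngs.Count; $i++) {
    New-AzVirtualNetworkGatewayConnection -Name "Connection$($i + 1)" -ResourceGroupName $rg `
        -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngs[$i] `
        -ConnectionType IPsec -SharedKey $psk | Out-Null
}

# 7. Look at what was built: the default site on the gateway and the status of each connection.
(Get-AzVirtualNetworkGateway -Name 'Gateway1' -ResourceGroupName $rg).GatewayDefaultSite.Id
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg | Format-Table Name, ConnectionStatus
```

Until the on-premises devices are real, the connections stay in a not-connected state and the mid tier and back end have no working path to the Internet at all, which is exactly the point of the design: the only way out for those tiers is through the headquarters firewall, and the front end subnet, with no route table attached, keeps its system default route.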