1. Virtual Networks
So it took 22 minutes to get a virtual network gateway deployed into East US 2, and 32 minutes to get one deployed into Japan. Now that those deployments are complete, we can take a look at them. I’m going to go back up to the resource group level. Before I get into the gateways themselves, let’s look at the networks. Remember, we added the gateway subnet to those two networks, new test one and new test three. In my case, if we go into Connected devices, we can see that the network gateway successfully connected to the gateway subnet in this network. Go back up to the resource group level, and I’m going to go into that gateway. What we’re interested in is Connections.
Okay? Now there are no current connections. We could set up a point-to-site VPN or a site-to-site VPN, but in this case we’re going to set up a VNet-to-VNet connection. So under Connections, I’m going to click Add. We do have to give it a name; I’m going to call this Talking to Japan. It is a VNet-to-VNet configuration, as opposed to site-to-site or ExpressRoute, so that is one of the VNet gateway configurations here. We know that the first gateway is the one we’re in, which is this VNet gateway. The other gateway is the Japan gateway, and we can choose it from the list here. So now we’re signalling that we want to connect these two gateways. We do have to create a shared key that both gateways are going to have to be set up with in order to have this communication.
Now, if we had a physical device, we could grab the key from that, but this is VNet to VNet, so we do have to give it the password, effectively. Note that it’s not hidden in any way. So I’m going to put in my shared key and leave all the rest of the defaults. We know what subscription we’re in and what resource group we’re in. We know where this gateway has already been created. So I’m going to click OK, and we’ll give that a moment to get created. It’s been about ten minutes since I created this connection, and we can see its status. We can click into it.
We can see a connection section, and it’s connecting the new test one and new test three networks based on the two gateways. Remember, this one is in East US 2 and this one’s in Japan. And so we can go into the log and actually see that there are activities going on. 13 minutes ago I started this connection, and now we’re into some other stuff. So we can look at the deployment as it’s going. Now it’s succeeded. So now we have, as we were clicking around, two virtual networks that are connected over a network gateway. Remember, we’ve got peering, which can be local or global with one pricing structure, or we’ve got this network gateway, which can also be local or global.
Now, the advantage of a network gateway over the other option, peering, is that network gateways are actually scalable. So if you have a lot of traffic being sent, you can get up to a higher throughput: if we go into the configuration, we can see that this is gateway 1, but we can go to gateway 2 and gateway 3 if we wish. We could also set up an active-active configuration, which would allow even more redundancy, so that this thing would have even higher availability. Gateways have sort of an enterprise-grade feel; that’s not saying that peering is unreliable in any way either. So we can also set up a configuration where you have your corporate network using a site-to-site VPN to get into Azure using a gateway, and then being able to further connect onto other networks there through a peering relationship. Now, we did set up a gateway on both ends, but that’s not even required in a peering relationship. Remember when we were looking at the peering? If I go into this one and into Peering, we basically could have enabled a remote gateway for the network.
We can enable new test two to use the VPN device on new test one, or the gateway device on new test one. So this concept of remote gateways is a way of having one VPN device and then having remote gateways that use it to communicate onto the corporate network. So there are lots of settings you will need to set up for peering between different networks.
2. Public IP Addresses
Now, we started off this section talking about these IP addresses being private. These IP addresses are not accessible from the public Internet. How would you go about creating a public IP address? What we’re going to do is go into this plus sign here for New, and search for Public IP. Right off the bat, we’ve got this Public IP address offered by Microsoft, so let’s choose that, and I’m going to click Create. We can now create a public IP address. I’m going to call this a ZHD new Public IP three. Now we do have options in terms of SKU and in terms of pricing. Okay? The public IP SKU must match the SKU of the load balancer.
So if you’re using a standard load balancer, you get a standard public IP, and a basic load balancer gets a basic public IP. Microsoft does support IPv6 at the load balancer level. The virtual machines and other resources do not support IPv6, only IPv4. But if you do need to use IPv6, then you’re going to need a load balancer in front in order for IPv6 traffic to travel into a virtual machine, because the load balancer will convert that to an IPv4 communication. We get the choice between a dynamic IP address and a static IP address. A static IP address is an IP address that never changes. This is good for when you want to use that IP address in some kind of setting like a firewall that needs to be opened up, or a DNS registration, when you are creating a custom domain name and you need that IP address to live within the DNS system. So you only need a static IP address if you need to register it somewhere. The regular domain name system will take care of a dynamic IP address: basically, all you need to do is give this IP address a name and then use that name everywhere that you need to. We can choose an idle timeout; basically, four minutes is the default for how long clients can stay idle without sending a keep-alive message to keep the communication open. This is where you give it a fully qualified name. Since we’re creating this public IP address in the Central US region, the fully qualified domain name is something.centralus.cloudapp.azure.com. So I’m going to say my public IP, probably a terrible domain name, but this is the one that you’re going to get for free. Again, you can map this to a custom domain name if you need to using your domain name registrar; a CNAME record would be able to map some domain onto something like this. Or you can use Azure’s DNS system, which we’ll look at in a bit as well. Now we’re going to get an IPv4 address for free, but do we want an IPv6 version? We can go ahead and create that if we wanted. It’s going to go in my subscription.
I’m going to put this into my new resource group 200, and I’ve been putting this stuff into Canada, so I’m going to move this to Canada East as well, and I’m going to click Create. So that’s going to go off and get me a public IP address in the Canada East region.
3. Network Routing
So we’ve been looking at networking: virtual networks and subnets. The next topic we want to talk about is routes, specifically the route table. Close this up, go into Create New Resource, and we’re going to look for a route table. Now, a route table is basically a list of IP address ranges that tells Microsoft Azure how to send traffic that’s coming over your network. So we’re going to create this now and we’ll just sort of look at it quickly. Put this in my new resource group, Canada East, leave the default settings, and let that create. That was fairly quick: our route table took 25 seconds to come up. Let’s go into it.
Now, if we start looking at the routes, we’ve got no user-defined routes by default. So let’s add a route to this route table as an example. Let’s say we want to implement a rule that says any traffic that originates from a server running on the back-end network that we created for the other virtual network should go through a firewall before it leaves the park. So I’m going to use Send to Firewall as the rule name. Let’s say we set up the back-end network so that’s 192 00:23, from memory, and we want this traffic to be sent to a virtual appliance. And that virtual appliance is going to end up being a firewall. Now, we have not created this virtual appliance yet, and it might be outside the scope of this lesson to do so, but let’s just assume a firewall is sitting there waiting for someone to talk to it. It’s 194 one. Again, we haven’t created it yet, but this is where traffic originating from these sources is going to go. So now we’re going to create that rule. We haven’t even associated this route table with our subnet yet. So let’s go down to the Subnets section and click Associate. We have to choose the virtual network, our new net, and we want this rule to be associated with the back-end subnet. So traffic that travels over the back-end subnet has to follow this route table.
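To make the route-table behaviour concrete, here is an added example (not code from the course) that models how Azure picks a route for a subnet: the longest matching address prefix wins, and a user-defined route overrides the system route with the same prefix. The VNet range, the back-end /23 and the firewall appliance address are constructed placeholders, and the prefix is matched against the packet’s destination address; the example also goes slightly beyond the lesson by including a "None" next hop to show what a dropped route looks like.

```python
import ipaddress

# Constructed sample (placeholder ranges, not the lesson's real values):
# the VNet address space and the system routes Azure installs on every subnet.
VNET_SPACE = "192.168.0.0/16"
SYSTEM_ROUTES = [
    {"name": "VnetLocal", "prefix": VNET_SPACE, "next_hop": "VirtualNetwork", "next_hop_ip": None},
    {"name": "Internet", "prefix": "0.0.0.0/0", "next_hop": "Internet", "next_hop_ip": None},
]

# The user-defined routes: the lesson's "send to firewall" rule hands traffic for
# the back-end range to a firewall appliance (placeholder IP), plus one extra
# "None" route to show that a matching route can also drop traffic entirely.
USER_ROUTES = [
    {"name": "send-to-firewall", "prefix": "192.168.2.0/23",
     "next_hop": "VirtualAppliance", "next_hop_ip": "192.168.9.4"},
    {"name": "drop-to-partner", "prefix": "203.0.113.0/24",
     "next_hop": "None", "next_hop_ip": None},
]


def effective_route(dest_ip, system_routes=SYSTEM_ROUTES, user_routes=USER_ROUTES):
    """Pick the route Azure would apply for dest_ip: the longest matching prefix
    wins, and on an equal prefix length a user-defined route beats the system
    route it overrides. Returns None if nothing matches."""
    dest = ipaddress.ip_address(dest_ip)
    best = None  # ((prefix length, is_user), route); tuple order gives the tie-break
    for is_user, routes in ((False, system_routes), (True, user_routes)):
        for route in routes:
            net = ipaddress.ip_network(route["prefix"], strict=False)
            if dest not in net:
                continue
            key = (net.prefixlen, is_user)
            if best is None or key > best[0]:
                best = (key, route)
    return best[1] if best else None


def next_hop(dest_ip):
    """Describe where a packet to dest_ip goes once the effective route is chosen."""
    route = effective_route(dest_ip)
    if route is None or route["next_hop"] == "None":
        return "dropped"
    if route["next_hop"] == "VirtualAppliance":
        return "forward to appliance " + route["next_hop_ip"]
    return "deliver via " + route["next_hop"]


if __name__ == "__main__":
    for ip in ("192.168.2.10", "192.168.0.5", "203.0.113.7", "8.8.8.8"):
        print(ip, "->", effective_route(ip)["name"], "|", next_hop(ip))
```

Note that the back-end /23 is inside the VNet’s /16, so the appliance route only wins because its prefix is longer; a /16 user route would win over VnetLocal purely by the user-defined tie-break.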
4. VPNs and ExpressRoute
So VPN stands for Virtual Private Network. It allows you to join an outside or external machine, or an external network, into an Azure network. A VPN is a private connection, meaning that there is end-to-end encryption between the source, the client, and the network that it’s connecting to. The benefit of using a VPN is that you’re able to access systems by their private IP address. So as long as those services exist on a virtual network and have private IP addresses, you’re able to use a VPN to connect to them. Within Azure, you get three primary ways of setting up a virtual private network: the point-to-site VPN, the site-to-site VPN, and ExpressRoute. On screen is an image of a point-to-site VPN and a site-to-site VPN. We can see at the top we have a single person running a laptop or some other computer, and they want to connect into an Azure virtual network called VNet One. They use a point-to-site VPN to connect privately, in an encrypted fashion, into this network. Okay, you can also set up your site-to-site VPN.
It does require hardware, and we’ll talk about that in a second, but then you’re setting up an entire network, an entire office complex, to connect to Azure, and they can access those devices that are running in Azure as if they were running on their local network. So both the point-to-site and the site-to-site VPN travel over the public Internet. Even though it is encrypted end to end, it is still using public Internet access, and that is both good and bad. So you can use a point-to-site VPN from your home computer, over the existing Internet that your Internet service provider gives you, to get access to your office’s back-end systems. That’s a good thing. Now, using a point-to-site VPN is very simple.
It’s as simple as installing some software onto your computer and then configuring that software with your credentials and your certificate, to prove who you are in order to connect to that network. A site-to-site VPN is more complicated. It does require a gateway to be installed as a physical piece of hardware on your side of the connection. So in order to connect your company’s network into an Azure network, you do need a gateway on both ends, but the Azure-side gateway is just a piece of software that you install. Now, ExpressRoute is the most complicated of the three. It is actually a private connection into Azure and does not travel over the public Internet.
Now, the great thing about ExpressRoute is that it’s extremely fast, but of course that’s always also expensive. You’re going to need to talk to your communications provider to set up this ExpressRoute; Microsoft has a list of vendors. You’re going to have to basically get a high-speed fiber connection from your corporate network into a communications provider. Here’s a diagram of an ExpressRoute. You can see that the customer’s premises has, obviously, public Internet access and can access some services over the public Internet. But the ExpressRoute is in the center, and there are basically three types of connections from your corporate network into Azure: what’s called public peering, private peering and Microsoft peering. In actual fact, there’s nothing that is publicly peered anymore, so it’s really only Microsoft peering and private peering. Now, ExpressRoute has this feature called the Premium add-on. Basically, instead of connecting your ExpressRoute just into virtual networks in your local region, it allows you to connect with virtual networks all over the world. So if you’re a company that’s in the United States and you have virtual networks in Europe, and you want to have an ExpressRoute connection between your American head office and your European virtual network, then you’re going to require the Premium add-on in order to get a high-speed connection from America into Europe. Again, it’s not just the local region: actually, without the Premium add-on, it’s not just for the local region, but for the entire geographic area.
So if you’re an American company, you can connect to East US, West Central US, East US 2, all of that, using a standard ExpressRoute connection. You also get an expansion of the number of virtual networks you can connect. The standard ExpressRoute restricts you to connecting only ten virtual networks on a single ExpressRoute connection. But if you go with the Premium add-on, you can get from 20 to 100, depending on the bandwidth. And we can see a screenshot of this here. Again, as it currently stands, Microsoft only allows ten VNet links from a standard ExpressRoute circuit.
And if you have the Premium add-on, you get 20, 25, 40, 50, all the way up to 100, depending on the speed of the connection that you’ve purchased. Now, of course, nothing is free. An ExpressRoute is particularly pricey. They do support speeds from 50 gigabits per second to ten gigabits per second. You’re going to pay your ISP: the connection itself is a private arrangement between yourself and the Internet service provider, so there’s a fee for that connection. You are also going to pay Microsoft for using ExpressRoute. And on the metered version, you’re also going to pay for outbound traffic. Inbound traffic is free; outbound traffic from Azure to your network costs a bit of money. You can see the pricing for the ExpressRoute standard version: if you choose to pay for traffic, it runs from this cheap $55 a month up to $5,000 a month.
And depending on the speed, you have a range of prices. Now, if you want unlimited data, so let’s say you don’t want to pay for the outbound data, then those prices jump from $55 to $300 a month, and from $5,000 up to $51,000 a month, in terms of ExpressRoute. And remember, there’s a Premium add-on. So if you need to have that global connectivity and you need those additional network connections, you’re going to go from only $300 a month to $375, or from $51,000 a month to $54,000 a month, again depending on speed. So, again, this is a very pricey option, but it is also the highest-speed, most secure option for connecting your local network, your corporate network, into Azure.