5. ExpressRoute Direct
Now, regular ExpressRoute requires you to go through a service provider who connects to the Azure network. But through ExpressRoute Direct, you can actually apply to connect directly with Microsoft, onto the global Microsoft backbone. Microsoft currently has around 150 edge locations around the world, and that's outside of the regions where they have virtual machines. So if you're close to one of those 150 edge locations, you can get your servers directly onto the Microsoft network through ExpressRoute Direct. One of the advantages, of course, is that you're going to get even higher speeds. So instead of having to go through an exchange provider to get your servers onto the Azure network, you go directly to Microsoft, and that gets you some blazing speeds.
So the two speeds available for ExpressRoute Direct are 10 gigabits per second and 100 gigabits per second. Obviously that's a huge jump, and 100 gigabits per second is a massive amount of speed. Now, the way this is provisioned is slightly different. When you go through regular ExpressRoute, you're getting a circuit, what's called an ExpressRoute circuit, at a provisioned speed. So if you've got a one gigabit per second ExpressRoute circuit, that's a single circuit and that's the speed you get. With ExpressRoute Direct, you're provisioning 10 gigabits or 100 gigabits per second, and you get to build up multiple circuits within that. So within that 10 gigabits per second, theoretically you could have a single 5 gigabit per second circuit, a couple of 2 gigabit per second circuits and a 1 gigabit per second circuit.
Take those four lines together to build up to your 10 gigabits per second, and you end up with four circuits. That means you can connect them to different networks for different purposes. With 100 gigabits per second, you can take that 100 gigabits as a single circuit, or you can carve it into multiple 10 gigabit per second circuits. Now, why do you need 100 gigabits per second? Well, the most obvious answer is for those situations where you have massive data ingestion requirements into Azure. So let's say you have a massive data set sitting within Microsoft Azure. You've got some big data services running that are analyzing data in your data lake, and you need that data to be flowing from your network into Azure, and you need that 100 gigabits per second connection to get all that data in there.
Well, that would be one example of what you would use ExpressRoute Direct for. Now, do keep in mind that 100 gigabits per second might sound great, but that's very specialized network hardware; the 100 gigabits per second standard only came about less than ten years ago. And so you're going to need to have hardware that operates at those speeds in order to get onto this 100 gigabits per second network. The same goes for the 10 gigabits per second circuits as well: you have to have circuits in your internal network that run at that speed in order to connect at that speed. Otherwise there's no point.
6. *NEW* Create Azure Firewall
Now, when it comes to protecting your virtual machines and your devices on virtual networks, Azure gives us a few ways to do that. We've already talked about basic network security in the form of a network security group. As we saw, a network security group is very simplistic. It is rules based: you basically define a set of rules in order, and if none of the rules are matched, then the traffic is not allowed onto the network. It's what's called a five-tuple definition: the source IP and source port, the destination IP and destination port, and the protocol, whether it's TCP or UDP. So the network security group is simplistic. Moving up the chain, you can have an application gateway, which is a load balancer that optionally also has a web application firewall.
And the web application firewall is basically designed for websites; it's designed for web traffic, and it matches known attack patterns against the traffic that's coming in. So you could have a cross-site scripting attack or a SQL injection attack, and a web application firewall, or WAF, is well suited to stopping those types of attacks. Now, moving further up the chain, you've got an actual firewall device. Some third parties provide firewalls that can be added as virtual appliances into your virtual network. Microsoft also has a managed cloud service called Azure Firewall. So we can go into the marketplace, search for Firewall, and hit create.
We're given a very simple set of parameters that we have to provide, and then it'll create the firewall for us. We do have to put it in a resource group. I'm going to call this AZ Firewall as the group name. You give it an instance name; I'll also call that AZ Firewall. I'm going to name them all the same. It's a little bit confusing, but it works. Central US is the region we'll put that in. Now we do support some of these advanced features like Availability Zones. So if you want to place your firewall into specific Availability Zones, let's say more than one, then you can basically set this up for a higher level of availability. You need more than one, and you need to pick the specific zones. I'm going to let Azure decide where that goes. Now, your firewall has to go into a virtual network; you might put it into an existing network, but I don't have a network that I can put this on, so I'm going to create a virtual network. You have to provide an IP address range; you see the template here. So I can say 10.0.5.0 with a prefix, and apparently the first block I try isn't valid, so I'll adjust it.
So it does require an IP address range, just like when you're setting up a virtual network. I can give it a very basic /24 range that has 256 addresses. And we are going to have to create a subnet for this, so I can make it a /25, which gives us 128 addresses for that subnet. We do have to create a public IP, so I'll create my public IP. Now, there is this concept of forced tunneling. Forced tunneling is essentially another subnet that you can create, and then all the traffic from that virtual network goes through the firewall into that subnet before going out to the Internet. So you can basically set up this small subnet that is where all traffic goes through.
You can set your NSG, you can set up your rules. It makes it very easy to force traffic to go out through this specific small subnet. I'm going to leave that alone for now. I can put tags as usual, hit review, and make sure all of the fields got filled out. And if I hit create, then it's going to go off and create a managed firewall for me. We'll come back in a second when this is done.
7. *NEW* Configure Azure Firewall
Alright, so the firewall has been successfully deployed and we can click Go to resource. Now, what I've gone ahead and done is I've actually created a virtual machine that we can protect with this firewall. So on the virtual network, we can see that the firewall created a subnet for itself called AzureFirewallSubnet, and I created a second subnet between the last video and this one and added a virtual machine onto it. So we've got a machine that we can protect with the firewall. Now, before we can do that, we actually have to create a route. So we're going to go under networking and search for route tables, and we're going to create a route table here. What this does is tell Azure how to direct the traffic.
I'm going to put this into our firewall's resource group, in Central US, and call it AZ route. So we've got a route table, but it doesn't actually have any routes in it yet; we have to go and configure it. So we go to the resource, and what we want to do is go down to Subnets and associate the route table that we just created with the subnet that we created for the VM. So now we've got a route table on that subnet, but what we don't have is a route. So we need to create a route in this table. And we want all traffic, so the address prefix covers all traffic; that is the default for everything.
And we want this to go to a next hop type of virtual appliance, which is the firewall. Now, the thing that we're missing is the IP address of the firewall. I happened to copy the private IP address of this firewall from the firewall page, so I can paste that in there and say OK. So any traffic that is leaving the subnet is going to be sent to the firewall. All right, let's go back to our firewall. So we know that the virtual machine that we've created is going to be sending traffic into this firewall. Right now, we don't have any rules around that.
So we don't have a rule that says what to do with traffic coming from this virtual machine. Now, there are a couple of different types of rules that we could create. One of them is called an application rule. So we can add an application rule collection, give it a name, say Allow Microsoft, and a priority. Now, in Azure Firewall, the lower the number, the higher the priority. So I'll give it a number like 500, and we're going to say Allow. Under target type, we can choose fully qualified domain names or FQDN tags. For the source, we give the source IP address. We could say star (anything), or we could put the IP address of the virtual machine in here, or the entire range actually. So I'll put 10.0.5.0/25, that's the first 128 addresses.
This is the subnet of the VM. Then we can say what protocol or port: let's say we want http and https, and the target FQDN is microsoft.com. So this is basically allowing our virtual machine to communicate with microsoft.com. Okay? So if we say add, then we are basically whitelisting that.
Now, the network rule is similar, except we're going to be putting in IP addresses and not fully qualified domain names. So we could whitelist traffic from our VM to the public internet by IP, or conversely blacklist, right? So we can say we allow all traffic except we deny traffic to the following IP addresses, et cetera. Now, before we can test this, we need to allow two more types of traffic through. The first is that we need to allow the VM to look up domain names using DNS. So we're going to add a network rule here. We're going to call this the DNS rule and give it a priority. The rule here is that we want UDP traffic, which is what DNS servers use. We're going to allow it from the 10.0.5.0 source network here, and the destinations are going to be the DNS servers that the VM uses (I got these addresses from the web), on port 53. So this is basically going to allow the VM to look up microsoft.com in the global DNS, or at least on those DNS servers, and get an IP address for it. It wouldn't work without this rule. Now, the final rule that we have to add is what's going to allow us to RDP into the virtual machine through the firewall. Before we can add that, we need both the public IP address of the firewall and the private IP address of the virtual machine. So first I'm going to go to the firewall's public IP configuration; this is the number, starting 52.150, and I'm going to copy it; that's the public IP address of the firewall. Then I'm going to flip over to the virtual machine, and I need the private IP address of the virtual machine.
So that's this number ending in 5.132, and I'm going to try to remember that. Okay? So I'm going to go back to the firewall, into rules, NAT rule. And before I forget, I'm going to put in 10.0.5.132, which is the virtual machine. This is called RDP rule, and we're going to say priority 250, just in the middle there. This is RDP, so TCP. Now, for the source address, we could put our own client IP address in there, but let's put everything, so we're going to allow RDP traffic coming from anywhere. The destination address is what we copied, which is the public IP address of the firewall, and the destination port is 3389, which is the port number for RDP; we're going to put 3389 as the translated port as well. So this rule is what's going to allow us to RDP into the box.
All right, so let's let the firewall update. Remember, we did add the DNS rule for the outbound lookup. Let's go into the virtual machine here; we're going to add those servers as the DNS servers for the machine. So we go under network interface and under DNS servers, and we add those two addresses. Remember, we added these addresses to the outbound firewall rule that allows microsoft.com to be looked up to get an IP address. Now, this is going to cause the virtual machine to be restarted, and that's okay.
All right, so the way to test this is to go to the public IP address of the firewall. I'm going to copy that and go into RDP and connect through this IP address. Remember, network address translation is what's going to get us into the virtual machine. So I'll start RDP and put in that IP address. I do need to log in using the admin user ID and password of the virtual machine that I created. It's asking me about a security certificate, which is a good sign. And so I am logged in through the public IP address of the firewall, not the virtual machine's. Now, the way that we're going to test this is to open up Internet Explorer and try to go to a website. Internet Explorer has this funny security configuration that gets in the way first.
So this failed, right? We tried to go to youtube.com and it failed, and we can try google.com: the HTTP request was denied, right? There's an interesting message. And now, finally, microsoft.com, which we are supposedly allowing. We do have to add Microsoft to the browser's security settings, and voila, microsoft.com does load successfully, after having to click through a ton of trust prompts. So Google failed, YouTube failed and microsoft.com succeeded. And that is us using Azure Firewall to basically enforce rules on the traffic and stop this machine from being able to get to any websites except for the ones that we've specified.
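The portal steps from sections 6 and 7 (route table sending the VM subnet to the firewall, application rule for microsoft.com, network rule for DNS, NAT rule for RDP) scripted with the Az PowerShell module, as an added example that is not part of the course. The resource group, VNet, subnet and public IP names, and the DNS server and VM addresses, are assumed placeholders; the subnet prefix and priorities are the lesson's values.

```powershell
# Added example (not the course's own code). Assumed names/values are marked below.
$Rg             = "AZFirewall"        # resource group from the lesson
$Location       = "centralus"
$VnetName       = "AZFirewall-vnet"   # assumed: VNet created with the firewall
$SubnetName     = "workload"          # assumed: the subnet holding the VM
$WorkloadPrefix = "10.0.5.0/25"       # lesson's VM subnet (128 addresses)
$DnsServerIp    = "<dns-server-ip>"   # placeholder: DNS server the VM uses
$VmPrivateIp    = "<vm-private-ip>"   # placeholder: VM's private IP

$fw          = Get-AzFirewall -Name "AZFirewall" -ResourceGroupName $Rg
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$fwPublicIp  = (Get-AzPublicIpAddress -Name "AZFirewall-pip" -ResourceGroupName $Rg).IpAddress  # assumed PIP name

# 1. Route table: everything leaving the VM subnet goes to the firewall (next hop = virtual appliance).
$rt = New-AzRouteTable -Name "AZ-route" -ResourceGroupName $Rg -Location $Location -DisableBgpRoutePropagation
Add-AzRouteConfig -RouteTable $rt -Name "to-firewall" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable | Out-Null
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $Rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName -AddressPrefix $WorkloadPrefix `
    -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 2. Application rule: only microsoft.com over HTTP/HTTPS is allowed out; anything else hits the default deny.
$appRule = New-AzFirewallApplicationRule -Name "AllowMicrosoft" -SourceAddress $WorkloadPrefix `
    -TargetFqdn "microsoft.com", "*.microsoft.com" -Protocol "http:80", "https:443"
$appColl = New-AzFirewallApplicationRuleCollection -Name "AppRules" -Priority 500 -ActionType Allow -Rule $appRule

# 3. Network rule: the VM must resolve names first, so allow UDP 53 to its DNS server only.
$dnsRule = New-AzFirewallNetworkRule -Name "DnsRule" -Protocol UDP -SourceAddress $WorkloadPrefix `
    -DestinationAddress $DnsServerIp -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "NetRules" -Priority 200 -ActionType Allow -Rule $dnsRule

# 4. NAT rule: RDP to the firewall's public IP is translated to the VM's private IP.
#    The lesson uses "*" as the source; your own client IP is the tighter choice.
$rdpRule = New-AzFirewallNatRule -Name "RdpRule" -Protocol TCP -SourceAddress "*" `
    -DestinationAddress $fwPublicIp -DestinationPort 3389 -TranslatedAddress $VmPrivateIp -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name "NatRules" -Priority 250 -Rule $rdpRule

# Attach the collections and push the update (lower priority number = evaluated first within its type).
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
$fw.NatRuleCollections.Add($natColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

After this runs, point the VM's NIC at `$DnsServerIp` as its DNS server, as the lesson does, or the application rule never gets a name to match.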
8. *NEW* Virtual WAN
So let's talk about the concept of a Virtual WAN. Now, WAN stands for wide area network. And the basic idea is that you've got two or more offices that need to communicate with each other, and you use Microsoft Azure as a hub, where that communication goes into Azure and then out to your other office. And so that is a wide area network. It is kind of like a site-to-site VPN, but instead of the other end of the connection being inside of Azure, the other end is basically another office that you own. Now, we can do this within Azure by searching for Virtual WAN in the marketplace. Creating the WAN is pretty straightforward.
A WAN is what's called a global resource. It doesn't actually live in any particular region, but you do have to choose a resource group. That's because you are going to want to locate this WAN within your set of resources, so it makes it easier for organization. So let's create a new WAN, and I am going to give it a name. I can put this in Canada. You get to choose either Basic or Standard as the type of the WAN.
Basic will support fewer connectivity options. So let's create this. All right, that was a pretty instant deployment; let's go to the resource. Now, as of yet, we have not incurred any costs. This is just a holder or a folder. What's really going to cost us money is the hubs. A hub is the central point that is basically a gateway, a VPN gateway within Azure. Now, the hubs themselves have a cost. You can see that a standard hub is basically twenty-five cents per hour. You're basically going to pay roughly $6 a day just for it to exist.
And that does not include hooking up any other sort of integration. We're talking about site-to-site connections priced in terms of the megabits per second you need, or point-to-site if you want to use it as a point-to-site connection, or ExpressRoute connections. And those themselves have costs, not only for the connection but for the bandwidth, effectively, between those two locations. So we're not going to create a hub right now. This is the point at which we'd start to incur those costs.