AZ-304 Microsoft Azure Architect Design – Design a Networking Strategy

January 17, 2023

1. Overview of Networking in Azure

So in this section of the course we’re going to be discussing the topics underneath the “design a network solution” section of the exam objectives. We can see on screen the exam objectives, and there are seven sub-objectives in this section. So in this video we’re going to be talking about network architecture, and in the videos that come after this we’re going to talk about name resolution, provisioning, security, connectivity, et cetera. Now do keep in mind that this is a design exam and some of these topics are advanced topics, so we’re not really going to go through the absolute basics of creating a virtual network here. It’s going to be assumed that you already know how to create a VNet, how to create a subnet, and how to attach your virtual machine and other resources to that subnet. So you can see the objectives here.

And this is what we’re going to cover in this course. Now the AZ-303 exam, which is the Architect Technologies exam, does cover some of those basics, and that’s why I suggest the 303 exam is effectively a prerequisite for the 304. Even though it’s not officially required, it’s a good exam to take before you take the 304. So let’s talk about network architecture. We’re going to refer to a couple of official Microsoft resources for this. The first one is what’s called the Cloud Adoption Framework. The Cloud Adoption Framework is a document that Microsoft prepared to help you plan the migration of your existing architecture into the cloud, and it’s a pretty good resource for an architect. Going through it you can see a lot of the considerations that you’re going to have to work through. But what we’re talking about here is the networking aspect.

And so we’re going to refer directly to the network topology section of the Cloud Adoption Framework. I’m going to add a link to this in the resources for the video, so you’ll see a link directly to it. There are some other topics that are part of this section, such as IP addressing, but the one we are more concerned with is the topology. So this first video is going to deal with network topology. Now network topology is effectively how you design your networks, the multiple networks within your environment. Do you create standalone networks that don’t really talk to each other? Do you create interconnected networks, and what is the design of that? Do you try to connect every network with every other network, or do you use what is called a hub and spoke model? These are some of the design elements. When you’re sitting down to design your network, it really depends on how your applications need to talk to each other.

So in some cases your applications may not need to talk to each other for any reason, in which case, maybe for security reasons, it makes sense not to connect those networks. But if you have applications that run on separate networks and that do from time to time need to send data back and forth, then you’re going to have to set up that interconnectivity. Now the next document I’ll refer to on this is specifically the hub and spoke network model within Azure. This is the Azure architecture documentation, and if you look under Networking and under Architectures they have a number of them, including high availability peering, which we’ll talk about when we cover high availability again, and the hub and spoke network model. The hub and spoke network model is basically summarized as there being one central network over which all traffic travels, and then a set of subnetworks that connect to it. I don’t think this diagram does a very good job of showing the hub and the spoke, although you do have the center here, which would be considered the hub, and then the other networks, including the on-premises network, connect only to it. The on-premises network does not connect to the other networks, and the other networks do not connect to each other. So if one of these networks wants to communicate with a resource on another network, it has to go through the center. This is a fairly simplified network design because you’re minimizing the number of connections between networks, but there is some additional complexity because the data does have to travel from one network to another and then to another to get to its destination. In some ways you can look at this like the US airline system.

If you want to travel from one small city to another, oftentimes you have to travel through a large city in order to get there. There are no direct flights between every pair of small cities. Usually you have to fly to Detroit or to Los Angeles or to New York before you go on to the next destination. That’s the hub and spoke design when you’re traveling from small city to small city, and that’s why those airports are called hubs.

So it’s a very similar design, if you’re familiar with that. Now, Microsoft also has a code samples website. I’ll attach these three documents to this video, and there we can see the exact same diagram we were just examining, but we can actually download it as an ARM template. We can see the JSON here, basically the variables and the resources. So this ARM template contains a Log Analytics workspace, the hub virtual network, the firewall public IP address, et cetera. What I’m going to do, in order to set this up within my environment, is go download the ARM template and deploy it. We’ll do that in the next video.

2. The Hub and Spoke Networking Topology

All right, so let’s set up a hub and spoke model for ourselves. I’m going to go from the code sample that’s called “Hub and spoke deployment”; the link was in the previous video, and there is code here so that you can just copy it and deploy it yourself. So the first thing you need to do is create a resource group. As you may know, at the current time you have to create the resource group separately from the resources themselves, because when you do a deployment you’re deploying inside of an existing resource group. The deployment is almost a sub-resource of the group, so the group must exist first. So I can go to my Azure account, open up the Azure Cloud Shell, which is this command here, and I’ve already run `az group create`; I called it hub-spoke-demo with location Central US. So I went a little bit different from the sample, but it should be fine. So I created the resource group. Now we have three choices in terms of deploying it.

In terms of this example code, we can do a basic deployment, which does not include a VPN gateway or virtual machines; we can deploy with virtual machines, which will create Linux and Windows VMs; and we can deploy everything, including a VPN gateway. If we go back up to the diagram, we can see that the VPN gateway is for connecting to an on-premises network. So I don’t believe we need this, and I don’t even really want the virtual machines at this time. So I’m just going to deploy it using this command. Now I did change the name of the resource group, so I’m going to have to overwrite that. Notice that the deployment command links to GitHub to pull down the deployment JSON.

So we should be able to deploy this using the deployment JSON right from the web, without having to download it and upload it, et cetera. I do have the command pasted here, and I changed the resource group to the demo one. So now I can hit enter. This is going to take a few minutes to deploy, so let’s let that deployment fire off. Hopefully there won’t be any issues with that. So we got a successful message for deploying this. I will say, just to warn you, that this is a very complicated set of code. If we look at it, there are over 1,000 lines in this ARM template. It worked for me; if you run into problems, just keep trying and hopefully it’ll work for you too. But it is complicated. So if I go into resource groups, I can just search for it, the hub-spoke demo.

Now the idea here is that we’ve got, and I will maximize this to try to get some extra space, three networks. We’ve got the hub and we’ve got two spokes. We saw this in the diagram, right? And so if one of the spokes wants to talk to the other spoke, it has to go through the hub. So the hub becomes where all of the connectivity happens. And if we go into one of these networks and go into the peering section, we can see that the spoke itself is only peered to the hub. It does not have a direct connection to the second spoke. Now it doesn’t have to do anything different in order to connect to the other spoke, because the hub itself will know how to connect to the second spoke. So it will just connect to the hub, and the hub will pass the message along. The way it works is through the virtual networks having a routing table.

So if we go into the virtual network, go into subnets, and look at the subnet, in this case on the spoke, you can see that the subnet itself is told how to direct traffic through the routing table, and it directs everything through the firewall. If we go back to the resource group and go into the routing table, we can see which subnets are attached, and the route is basically to go to the firewall, and it’s the firewall that’s going to direct the traffic properly. Very interesting setup. Now, like I said, this is done for both security and simplicity, right? So if we go back to the diagram here, we can see that by having the firewall be the tunnel, basically, into this environment, it protects the two spoke networks in the background here.

So it’s basically a protected setup. Instead of having firewalls on each individual network, instead of having a spider pattern where everything is connected to everything else, it’s a strong defensive front end where you’ve got the bastion, which will allow you to get remote access into those networks; the gateway, which will also allow private encrypted access; and for everything else, the firewall, which will direct traffic properly. And basically there’s a deny-all rule, so it blocks all traffic coming in by default. So it’s a very defensive posture here, where everything behind it is protected by one of these three services. That’s just one of the types of configurations. It’s certainly not the only one, and it really is going to depend on your needs. We can go back to the Azure documentation and look at some of the other setups, as this is not the only one, of course.
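The hub-and-spoke topology described across the last few paragraphs (spokes peered only with the hub, a route table on each spoke subnet sending all traffic to the firewall) is easy to get subtly wrong by hand. The following is an added example, not the Microsoft code sample the video deploys: it builds a minimal ARM template with the same shape and then checks the two invariants the video points out. The VNet names, address ranges, API version and the assumption that the firewall sits on the first usable address of AzureFirewallSubnet are all mine.

```python
"""Build a minimal hub-and-spoke ARM template and check its topology.

Added example; not the Microsoft "Hub and spoke deployment" sample.
Names, address ranges and the firewall address are assumptions.
"""
import ipaddress
import json

API = "2021-05-01"  # Microsoft.Network API version used for every resource below


def vnet_id(name):
    return f"[resourceId('Microsoft.Network/virtualNetworks','{name}')]"


def hub_layout(hub_cidr):
    """Carve the hub into the three fixed-name /26 subnets Azure expects.
    Azure reserves the first four addresses of every subnet, so the firewall
    normally receives the fifth (.4) address of AzureFirewallSubnet."""
    fw, bastion, gw = list(ipaddress.ip_network(hub_cidr).subnets(new_prefix=26))[:3]
    subnets = {"AzureFirewallSubnet": str(fw), "AzureBastionSubnet": str(bastion),
               "GatewaySubnet": str(gw)}
    return subnets, str(fw[4])


def peering(local, remote):
    """One direction of a VNet peering; peerings are always created in pairs."""
    return {
        "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
        "apiVersion": API,
        "name": f"{local}/{local}-to-{remote}",
        "properties": {
            "remoteVirtualNetwork": {"id": vnet_id(remote)},
            "allowVirtualNetworkAccess": True,
            # spoke-to-spoke traffic arrives forwarded by the firewall in the hub
            "allowForwardedTraffic": True,
            "allowGatewayTransit": False,
            "useRemoteGateways": False,
        },
        "dependsOn": [vnet_id(local), vnet_id(remote)],
    }


def build_template(hub_cidr, spokes, location="centralus"):
    """spokes: {vnet_name: (vnet_cidr, workload_subnet_cidr)}"""
    subnets, firewall_ip = hub_layout(hub_cidr)
    rt_name = "rt-spoke-default"
    rt_id = f"[resourceId('Microsoft.Network/routeTables','{rt_name}')]"
    resources = [
        {"type": "Microsoft.Network/routeTables", "apiVersion": API,
         "name": rt_name, "location": location,
         "properties": {
             "disableBgpRoutePropagation": True,
             # 0.0.0.0/0 -> firewall: the spoke subnet never talks out directly
             "routes": [{"name": "default-via-firewall", "properties": {
                 "addressPrefix": "0.0.0.0/0",
                 "nextHopType": "VirtualAppliance",
                 "nextHopIpAddress": firewall_ip}}]}},
        {"type": "Microsoft.Network/virtualNetworks", "apiVersion": API,
         "name": "vnet-hub", "location": location,
         "properties": {"addressSpace": {"addressPrefixes": [hub_cidr]},
                        "subnets": [{"name": n, "properties": {"addressPrefix": p}}
                                    for n, p in subnets.items()]}},
    ]
    for name, (vnet_cidr, subnet_cidr) in spokes.items():
        resources.append({
            "type": "Microsoft.Network/virtualNetworks", "apiVersion": API,
            "name": name, "location": location,
            "properties": {"addressSpace": {"addressPrefixes": [vnet_cidr]},
                           "subnets": [{"name": "workload", "properties": {
                               "addressPrefix": subnet_cidr,
                               "routeTable": {"id": rt_id}}}]},
            "dependsOn": [rt_id]})
        resources += [peering("vnet-hub", name), peering(name, "vnet-hub")]
    return {"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0", "resources": resources}


def check_topology(template):
    """Return a list of violations: a spoke peered with anything but the hub,
    or a spoke subnet without a default route to a virtual appliance."""
    res = template["resources"]
    peers = {}
    for r in res:
        if r["type"].endswith("/virtualNetworkPeerings"):
            remote = r["properties"]["remoteVirtualNetwork"]["id"].split("'")[3]
            peers.setdefault(r["name"].split("/")[0], set()).add(remote)
    tables = {r["name"]: r for r in res if r["type"] == "Microsoft.Network/routeTables"}
    problems = []
    for r in res:
        if r["type"] != "Microsoft.Network/virtualNetworks" or r["name"] == "vnet-hub":
            continue
        if peers.get(r["name"], set()) != {"vnet-hub"}:
            problems.append(f"{r['name']} peers with {sorted(peers.get(r['name'], []))}, expected only vnet-hub")
        for s in r["properties"]["subnets"]:
            ref = s["properties"].get("routeTable", {}).get("id", "")
            routes = tables.get(ref.split("'")[3], {}).get("properties", {}).get("routes", []) if ref else []
            if not any(x["properties"]["addressPrefix"] == "0.0.0.0/0"
                       and x["properties"]["nextHopType"] == "VirtualAppliance" for x in routes):
                problems.append(f"{r['name']}/{s['name']} has no default route to a virtual appliance")
    return problems


if __name__ == "__main__":
    tpl = build_template("10.0.0.0/16", {"vnet-spoke1": ("10.1.0.0/16", "10.1.0.0/24"),
                                         "vnet-spoke2": ("10.2.0.0/16", "10.2.0.0/24")})
    print(json.dumps(tpl, indent=2))
    print("problems:", check_topology(tpl))
```

Running the script prints a template you could pass to `az deployment group create --template-file`, followed by an empty problems list. The check is the useful part: run it against any template before deploying, and a stray direct spoke-to-spoke peering or a subnet that lost its route table association shows up as a violation rather than as a firewall bypass discovered after the fact.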

3. Virtual WAN Networking Topology

So another type of network architecture we have to be aware of for this exam is the Virtual WAN. Now, wide area networks, or WANs, have been around for decades. I can remember them back in the earliest days of my career in technology. The idea here is that you have several offices, several completely separate geographic locations, and you need to interconnect them; you need users in one office to be able to communicate privately and seamlessly with users in the other office and access its files. Those networks need to be connected. Traditionally you may have purchased a high-speed connection, a direct connection between your offices, and paid a lot of money for that. Then came along the idea of the Virtual WAN, which is again another type of hub and spoke, if you think about it, where in this particular case Microsoft Azure is the hub and all of the networks in your other locations are the spokes.

So if somebody in your headquarters needs to access a file that happens to live within your branch network, the request goes to the hub, which in this case is Microsoft Azure, and from there it can be directed down to the spoke. So this diagram very much shows a hub and spoke type architecture. But instead of it being virtual networks, as we saw in the hub and spoke videos, what you have are complete office networks.

So it is possible to set up a wide area network within Microsoft Azure, which would eliminate the need for you to have separate private communication channels between your branches, if that’s the way you wanted to go. That’s called a Virtual WAN, and there’s basically a separate type of WAN device that you would install on a network to allow all of this connectivity to happen. So this is a hub and spoke network, but set up using a WAN device; Virtual WAN is specifically a Microsoft cloud-managed service. So you can basically install the Virtual WAN within Azure, and you can have several types of connections into it. To set up this network for your headquarters, you may want to use ExpressRoute, which is a very high-speed dedicated connection; for the branches, it might just be a site-to-site VPN, which requires a VPN gateway device at those locations but can travel over the public Internet.

So they don’t have to be private connections, but if you use the right device, the traffic will be encrypted and secure. What you care about, obviously, is that it’s fast. You can see here, even in the diagram, remote users: working from home is a big trend. Instead of connecting to specific branches, you can have your point-to-site VPN connect into Azure, and you’re part of the same network that has access to the branches and to the headquarters as well.

So the WAN device is what enables this type of architecture in this particular setup. Now, this might not make sense globally, right? If you have your Virtual WAN installed in a US region and your branch offices are in Asia or in Europe or in Australia, the latency of that connection might be too high. And so the next concept is the Virtual WAN hub, where you’ve got hubs installed in multiple locations, and within Azure you’ve got hub-to-hub connectivity that gives you basically two WAN hubs connected to each other.

So that’s another type of network architecture. Instead of having one centralized WAN, you’ve got WAN hubs. You can find all this in the Azure Portal, in the marketplace, if you do a search for WAN. Now there are a lot of different WAN devices. Of course, this is technology that’s been around for, like I said, decades. But if you do a search for Microsoft Virtual WAN, you’ll find the Microsoft edition. And so it’s just a matter of going through and setting up this device in your Azure subscription, and then you can hook it up to your ExpressRoute, to your site-to-site VPNs, et cetera.

4. Azure Public DNS

So in this video, we’re going to talk about domain name services. The two Microsoft-provided services that are relevant are the Azure DNS service and the private DNS service. I did a search in the marketplace for DNS and filtered it by Microsoft as the publisher. So basically we have a public-facing DNS and a private DNS; I’ll talk about the differences between them. Now, if you don’t know, a domain name service is the service on the Internet that turns a domain name into an IP address. So if you type in mydomain.com, there is a server out there that claims to be the authority on that domain name, and it’s able to return an IP address so that your computer can then go and directly open a connection with that web server over port 80.

So Microsoft does have this service. It’s called the public DNS, or Azure DNS. Now, this is a very basic DNS service. If I have my own domain name that I’ve registered, then I’m able to allow Microsoft Azure to manage it. From there, I can take any of my public-facing IP addresses and assign those to domains. So if you have a virtual machine and it has a public IP address, we know that you can create a fully qualified domain name for that IP address.

Actually, I can show that to you. If we look for public IP addresses in the hub and spoke model, I created at least two of them. And you can see here that it’s got a public-facing IP address, but it doesn’t have a name associated with it in this case. So what I can do is give it a name. I can call this bastion-ip, or my-bastion-ip, and you’ll see that it gets the fully qualified name under centralus.cloudapp.azure.com. The green checkmark means it’s available. So this is a domain name, but let’s say you don’t want your service to have such a domain name. It’s very difficult to remember, and it may not be something you want associated with your company.

So how do you create your own domain name? Well, you can register a domain, and then you can go into the Azure DNS service and basically allow Azure to manage the domain. What it will do is let you manage the domain that you registered so that it directs traffic to this IP address. And you’d have to set this up specifically; it wouldn’t work unless you go in here and tell Azure DNS that this is the IP address. So that’s basically the gist of what public DNS services are. Now, your registrar would offer this, there are some public DNS companies that will provide the service to you, and again, Microsoft Azure provides the service. What it doesn’t provide is the ability to register domain names. There’s no domain registrar in Azure.

So you’re going to have to go to your own domain registrar to register the domain, and then allow Azure DNS to manage it using their name servers. And you would set that up in Azure DNS, the public DNS. So let’s go to Azure DNS. You can see there are many companies that provide DNS servers. There’s a third option, too, which is basically running your own DNS server, obviously. So you’ve got the Azure-created services, and you can also just get your own virtual machine. You can see that there are sometimes costs associated with that.

So we can create our own DNS service and then tell it the domain name that we want to manage. You’ll see that I can define a location for it, and the zone is actually your domain. So I am basically telling Microsoft that they can go and manage the domain for my website, cloudskills.com. Now, this doesn’t take effect until I go to the domain registrar and use the Azure name servers. So even just doing this isn’t going to change anything until I go to my registrar and set that up. We won’t do that for now. We’re going to switch over to the next video and talk about the concept of private DNS.
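The two things this video says must both be true before a zone hosted in Azure DNS actually serves traffic (the registrar delegates to Azure’s name servers, and the zone itself carries a record for the public IP) are worth checking mechanically during a cutover. The following is an added example, not part of the course: it compares the name servers Azure assigned to the zone against what the registrar publishes, normalising case and trailing dots so that a cosmetic difference is not reported as a mismatch, and confirms the expected A records exist. The zone JSON is a constructed stand-in for the `nameServers` field that `az network dns zone show` returns, and the registrar list, record set and IP address are constructed too.

```python
"""Cutover checks for a public zone hosted in Azure DNS.

Added example, not part of the course. All inputs below are constructed:
the zone JSON mimics the nameServers field of `az network dns zone show`.
"""
import json

# Constructed: trimmed shape of `az network dns zone show -g <rg> -n example.com`
AZURE_ZONE_JSON = """{
  "name": "example.com",
  "nameServers": ["ns1-01.azure-dns.com.", "ns2-01.azure-dns.net.",
                  "ns3-01.azure-dns.org.", "ns4-01.azure-dns.info."]
}"""

# Constructed: A records already defined in the zone, name -> IPv4 addresses
ZONE_A_RECORDS = {"@": ["20.0.0.10"], "www": ["20.0.0.10"]}


def normalize(name):
    """DNS names compare case-insensitively and with or without the root dot."""
    return name.strip().lower().rstrip(".")


def delegation_status(azure_ns, registrar_ns):
    """Compare the NS set Azure assigned with the NS set the registrar publishes."""
    want = {normalize(n) for n in azure_ns}
    have = {normalize(n) for n in registrar_ns}
    return {"delegated": want == have,
            "missing": sorted(want - have),      # Azure servers the registrar lacks
            "unexpected": sorted(have - want)}   # stale servers still at the registrar


def cutover_problems(zone_json, registrar_ns, a_records, required):
    """required: {hostname: public_ip} pairs that must resolve after cutover.
    Returns an empty list when the zone is delegated and every record exists."""
    zone = json.loads(zone_json)
    problems = []
    status = delegation_status(zone["nameServers"], registrar_ns)
    if not status["delegated"]:
        problems.append(f"{zone['name']}: registrar NS differ from Azure "
                        f"(missing {status['missing']}, unexpected {status['unexpected']})")
    for host, ip in required.items():
        if ip not in a_records.get(host, []):
            label = zone["name"] if host == "@" else f"{host}.{zone['name']}"
            problems.append(f"no A record {label} -> {ip} in the zone")
    return problems


if __name__ == "__main__":
    # Constructed: what the registrar still publishes before the cutover
    before = ["ns1.old-provider.example.", "ns2.old-provider.example."]
    after = ["NS1-01.AZURE-DNS.COM", "ns2-01.azure-dns.net",
             "ns3-01.azure-dns.org.", "ns4-01.azure-dns.info."]
    want = {"@": "20.0.0.10", "www": "20.0.0.10"}
    print("before:", cutover_problems(AZURE_ZONE_JSON, before, ZONE_A_RECORDS, want))
    print("after: ", cutover_problems(AZURE_ZONE_JSON, after, ZONE_A_RECORDS, want))
```

In practice you would feed `registrar_ns` from a query against the parent zone (the `.com` servers) rather than from a constant, because that is the delegation the rest of the Internet actually follows; the comparison logic stays the same.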
