episode on Learn TV. My name is Thomas Maurer. I'm here with Pierre Roman. How are you doing, Thomas? We have the pleasure today to go through one of the Microsoft Learn modules with you and all our attendees. So, feel free to join our Microsoft Learn module. And it's going to be about hybrid networking infrastructure, right, Pierre? Yeah. When you're starting with Azure and you're thinking about hybrid networking, you really need to wrap your mind around the fact that you're basically extending the capabilities of your own data center or your own environment. So, hybrid networking is really, really important: to know all the basics and to know how to navigate that. Absolutely. Absolutely. And who would we be if we did not have an awesome module on Microsoft Learn covering this? And this is where we invite you to join this live. You can open it up as well while watching us and talking about it. So, we have a QR code here. We have a link in here. You can go through that as well. And even if you just want to watch us today, you can later on go through that Learn module as well. So, Pierre, shall we have a look at the Learn module? Absolutely. Absolutely. Okay. So, let me... Perfect. There we go. Perfect. So, we have the Learn module here. I already opened it up on Microsoft Learn. And if we go to the introduction part, we want to quickly spend some time to explain for whom this Learn module is and why we would take this Learn module. So, Pierre, can you help me out a little bit and talk a little bit about why I would take this Learn module? Well, you want to take this Learn module if you're not completely familiar with all of the parts of the Azure networking solutions, because there are multiple of them. You want to know...
You want to go through this if you're wondering how you can connect your own environment or your users to your Azure environment using VPN technology. You want to take this module if you're looking to create a VPN gateway using the portal or PowerShell. If you've got questions about ExpressRoute, we will go through this and explain what exactly ExpressRoute is and how it becomes very useful for you. And also, if you are in a distributed environment, so if you've got multiple environments around the world and you don't want to spend the money to basically lay your own fiber, how you can use Azure Virtual WAN to help you connect all these different places. And of course, the culprit, the thing that always seems to break on the internet: DNS. So, how to find out how your DNS resolution can be set up so that all of your machines, whether they're on-prem or in the cloud, can resolve each other and connectivity goes on properly. No, that's awesome. Again, I'm very much looking forward to the DNS part, because I just had some issues with that in my own network and was happily able to fix it. So, let's have a look at what you're going to learn. And I think Pierre covered pretty well who is going to look at this, especially if you are now coming from the on-premises world and you're going into the cloud world, or your organization is doing that. And we know for a fact that a lot of organizations are not going to be just cloud only. They're going to end up being in a hybrid state, and that is going to be where they are and how they take advantage of it. And Azure is doing a great job in that. So, if you look at the learning objectives here, we're really going to go and have a look at Azure network topology. So, even if you're not familiar with the terms yet, if you don't know what a VNet is or things like that, we're going to dive in and describe these and go through that as well.
And then, as Pierre mentioned, we're going to talk about how you implement an Azure VPN connection, because this is going to be something a lot of you are going to hit as well. And then, there are different types of VPN gateways. So, we're going to also have a look at that. And then, as Pierre already said, we're going to have a look at what ExpressRoute is. We're going to look at what Azure Virtual WAN is, and we're going to see how we're going to implement DNS resolution in a hybrid environment. So, the Learn module obviously also gives us some prerequisites, right? So, you should be a little bit familiar with the on-premises world. We're going to really cover a little bit about the Azure part of things, but you should be familiar with some of the Windows Server stuff you were doing for hybrid networking on-prem, how automation works, and how computer networks work in general, right? Yeah. And one skill that is absolutely crucial for anybody who's been managing networks on-prem is IP addressing: your address space, your subnets, your subnet masks, how you can have multiple areas that all connect together within the same address space. These skills transfer very, very well into the cloud. So, if you're a networking person and you take care of your network on-prem, half the battle is already won. Exactly. So, that's a good point. So, they're definitely helpful, but don't think that it's the same, right? I've seen that with many, many customers. They ended up doing what they had on-prem, just doing the exact same thing in the cloud, and that's probably not the smartest thing to do, right? You definitely can use the skills you already have, but there is definitely some change in how you should set up your environment as well. Well, you end up with two different environments with the exact same address space, and then they won't route between the two of them.
So, you have to extend that data center. Yeah, absolutely. For example, as well, and also the way we set up things is slightly different, right? We can do a little bit more fancy things with software-defined networking and stuff. So, let's just dive in. And again, at the end, we will also have a knowledge check for you, and for us as well, to see if we understood what's going on there. So, let's go into the introduction part. This is basically the first unit of this Learn module, and it kind of sets the stage a little bit on where we are, and then we're just going to repeat a little bit of what the Learn module says, and it's exactly what Pierre and I just told you about. It's making a scenario where Contoso, a well-known fictional company in Microsoft, is in this on-premises world, right? You can see here, it runs a couple of Windows Server 2012 R2 hosts, and basically they're running this stuff on-premises, but they realize that they need to be more agile, have more flexibility, and want to take advantage of the cloud. And so, we are basically the lead engineers and administrators, and we're going to have a look at how we can take advantage of Azure to make our business more successful. And one of the things we obviously need to set up, and that is what we're going to look at in this module, is how we can deploy stuff in Azure and have our on-prem world, and how they can be connected to each other and talk to each other, so that our apps can be distributed from different locations as well. Yeah, and I will suggest to our Contoso management that we should really go to Windows Server 2022 because of all of the added hybrid capabilities that are built in, but that's for another episode. Absolutely, absolutely.
So, let's dive in, and I think this is one of the units we really want to talk about and spend some time on with you here: describing the Azure network topologies and explaining a little bit about the different things we have here, right? I think this is very important to understand, so we have all the basics set up and we know about the different things we need to get to work as well. So, first up, obviously, the thing we want to learn about is the virtual network, right? What is a virtual network? We also often refer to it as a VNet. So, this is where we basically have a boundary of a private IP address space, where we can then also create different subnets within that VNet. And automatically, all these subnets within that VNet can talk to each other. And in general, and I'll just mention that, they should not really overlap with your on-prem environment as well. So, that is what a virtual network is. And I want to quickly draw this for you on my whiteboard here to see how that could look. So, from a drawing perspective, we have a VNet here. So, this is an Azure VNet. And we can give this an address space. So, let's say this is 10.10.0.0/16. So, this is basically going to be our virtual network, our VNet, with that address space. You can have multiple address spaces within that. You can also add them later to that VNet. And I'm sure we can show you a little bit how that then works in the portal. But then you can, within that VNet... oops, I didn't want to take that color, I want to switch... you can have different subnets. So, I can then create a subnet. Let's say here I do 10.10.1.0, even if the drawing is not perfect here. This is the first subnet. And then I can have an additional subnet here, for example, 10.10.2.0/24. And you can imagine we can go on and create a lot of different subnets within that.
So, we can make sure that we have different boundaries between different applications or different departments as well, depending on how your setup works. So, that is a pretty cool thing to do, right, Pierre? Yes, yes, absolutely. So, we will talk about VNets much, much more later on. But I think that is very important to understand. And you can obviously have multiple virtual networks. Actually, one other important fact I want to add: one virtual network can only be deployed in one Azure region. So, if your company is working with multiple Azure regions, at least where you deployed Azure VMs, you're going to have at least two virtual subnets, right? You have one in one region and another one in the other region. And then we will also talk about how you can connect these in just a bit. That's right. So, Pierre, do you want to talk a little bit about what a network interface is? Because obviously our virtual machines need to be connected somehow to that virtual network, right? Yes. Well, normally, when you're on-prem, your machine comes with a physical NIC, and it's created by default when you install the OS; you just have to make sure that it's assigned the right IP address. But in a virtual world, especially in Azure, you have to define the NIC or the vNIC either while you're creating the VM, or you can create them separately and then associate them with the specific virtual machine. So, your vNICs will have the same as normal NICs in terms of IP address, subnet mask, and everything else, but it's assigned to a virtual machine. So, it's separate. So, when you're looking at your resources within your resource group, you'll see the virtual machine, and then you'll also see the storage for that virtual machine, but you'll also see separately the NIC that's associated with that.
So, you can create one or multiple NICs for each VM and then associate them with a subnet so that they can communicate with other VMs in your environment. Oh, okay. That's pretty cool. So, again, as you said, these are going to be objects in Azure as well. So, I can take these vNICs and put one on one VM and also put it on another VM later on, or remove and add additional vNICs to those machines as well. And here's a screenshot, by the way, also in the Learn module, where exactly we see that. This is the virtual network. This is how it shows up in the Azure portal. You can see here the address space. A little bit different from what I had, but it's 10.0.0.0/16. And then at the bottom, you can see the connected devices, which are network interfaces. So, you can see here, okay, this is what is connected, and you can also see to which subnet within that virtual network they're connected. So, that is basically how we can manage this as well. Yeah. So, as far as the virtual network is concerned, it never connects to a VM. It connects to the NIC that's associated with the VM. Okay. You have to be careful... well, not careful, but you have to be conscious of that distinction when you're managing your environment. Yeah. No, that's awesome. That's awesome. Perfect. And again, also, by the way, in the meantime, while we're on this, I really highly encourage you to ask your questions. We will see what's going on in the chat, and we will see if we can answer a couple of your questions in the chat itself. So, the next thing we want to talk about, and I know, Pierre, that you obviously know a lot about network security groups, or NSGs, as we also call them. And as the name says, they probably make our network more secure. Can you explain a little bit what an NSG does and how it works? Yes. So, an NSG is an object or a configuration that filters traffic within, and in and out of, your network.
It's not a firewall. So, it will not do packet inspection. It's strictly a source to destination, over which port, over which protocol, and whether or not you allow it or deny it. So, I have a quick... let me see which one I have here. This is an example of a more involved network security group than you would typically have when you're just creating VMs. And in this case, just like most firewalls, you have a set of rules, and those rules are interpreted from the lowest number to the highest number. So, that's why we start with 100 in this one, and then 101 and 500 and 501 and so on. But it's the name that we gave that particular rule, the port that it's going to be looking at and the protocol, the source to the destination, and whether I allow it. The nice thing with this is that there are referenceable variables in there, like the internet: the source is the internet. So, we don't have to do the 0.0.0.0 that you would normally do in a firewall. You just say if it's coming from the internet, it's outside of Azure and it's going wherever you define it, then you can either allow it or deny it. There's also the virtual network. So, if it's from within your virtual network, on any subnet, any NIC, any VM, or any service, to the same virtual network, to always allow it. Or if it's coming from your load balancer. So, they are pre-configured ranges, I could say, or spaces. Yeah, exactly, that you can use to do that. But I've been asked many times, when we did Microsoft Ignite The Tour, if I have NSGs, or network security groups, do I really need a firewall? NSGs are not a firewall. They allow you to segregate and control the traffic within your subnet, but they are not something that will do packet inspection. That is Azure Firewall, which we will talk about a little bit later. Okay. So, basically it's a very simple allow or deny list to filter the network traffic.
And what I think is very important, and you already mentioned that, is that I can assign a network security group to a virtual NIC of an Azure VM. Or, as you also mentioned, I can also assign it at the subnet level, which obviously is much, much more handy. So, you don't need to micromanage all the rules on each of the VMs, for example. So, I think that is very important. And as you can see here, the Microsoft Learn module also has some good graphics available explaining this as well: how the assignment can work for a subnet, for example, but then also how you can have it assigned to a specific virtual NIC of a VM. Yeah. And each network security group can be, as you mentioned, assigned to a subnet or a NIC, but it can also be assigned to both. So, you have to be careful when you're doing the configuration, because if you assign it to both, then it'll be evaluated twice, which can introduce latency. So, it's just proper design: if you decide to do NSGs on subnets or NSGs on NICs, be careful that you're not duplicating efforts here. Okay. Now, that makes sense. So, yeah, it's always like that with these rules: you want to make sure that you don't have too many layers of it and are very clear where a setting is. Otherwise, at one point you decide to change one setting, but you only change it at the subnet level, and you still have one assigned to a virtual machine, or to a virtual network adapter of the virtual machine, and then it still doesn't work and no one finds out why. So, now that's a great tool, and by the way, also with NSGs, usually if you just go to the portal and you create the VM, there's always an NSG basically assigned to this by default. So, if you want something different, you need to basically go and change that in the settings as well.
And this is also important, because obviously in some cases you want to have the management port of a VM open from the public internet, depending on what you're doing, but in many cases you probably don't want to do that, and you probably don't even want to assign a public IP address, but in some cases you have to. So, Pierre, you also mentioned Azure Firewall. So, that one is a firewall, right? Yes, right. That's a layer 3 to layer 7 firewall. So, it does do an inspection of the packets. You can specify ports, but it will still look at the packet more deeply, at the network level, not just at the application level, and allow or deny that configuration. And it is very important, when you're designing your environment with firewalls in mind, to not only inspect and control traffic in and out from the internet, but also, as I refer to it, not only east-west but also north-south. So, what's coming from on-prem to the cloud and what's going from the cloud to on-prem. Okay. Yeah, absolutely. I mean, this graphic shows it pretty well. One thing I also want to mention, by the way, is if you set this up, and I think this is also part of the Learn module and we'll talk about that in just a bit, the Azure Firewall also gets a static public IP address for your VNet resources. So, what often is a problem: if you're, for example, a company running certain workloads, right, and then you have different VMs running in Azure, and they connect to the internet, they come with a public IP address at one point as a source to something, right? And with the Azure Firewall in place, we can go and say, hey, this is the public IP address, and all the VMs that are doing outbound traffic, they go out with that IP address, right?
Yeah, just like on-prem, it does network address translation and you can have full control of that. And on top of that, you could put load balancers and a Front Door and other services to manage traffic once it's outside or coming from the outside of your network as well, but today we're just going to talk about firewalls. I think one thing we need to mention when we look at this graphic, by the way, which is not really something we talk about, but it's how you set up the network architecture: we see here that we have two spoke networks, or VNets, and then we have a centralized hub where the Azure Firewall is deployed. And that is what we call a hub and spoke network topology. So, if I go back quickly to my whiteboard, I just want to quickly explain to you why we would do that. So again, black we have for the VNets. So obviously we would create a VNet, let's say this is VNet one, and we have some applications in that, right? So we have some servers and all the stuff in that VNet, and we have, for example, also our on-premises environment, and since I'm a very good drawer, this is our on-prem environment, very beautiful here. And usually we would then connect here, and we will talk about VPNs in just a bit, but we would connect the VPN connection here. Now think about it: we are not just having one VNet, right? We probably have multiple VNets. So we will have VNet two, we will have VNet three. So what would happen is that we would need to create multiples of these connections to our on-prem environment, and it can get very complex to manage that. So one of the things we're doing, and it's not just for the Azure Firewall but also for other things, is we connect... we call these VNets now, one, two and three, those are the spokes, right? So we create a hub VNet, and what we do here is we do a VNet peering with these spoke networks to the hub network. Look,
let's call that hub, and this one is spoke, spoke, and then we can just have the connection, the VPN, basically here, yep, to our on-prem network. And we can do the things in the spoke networks whatever we want; we can control that nicely and manage that nicely, but it simplifies the whole network architecture a lot. Yeah, and you mentioned peering, because we haven't really covered that yet. Peering, virtual network peering in Azure, is a method where we can connect two networks, or two virtual networks, that may be in the same region or in multiple regions, together, without having to deploy virtual gateways in each of them. So it's just a simplified way of connecting those virtual networks, and it allows you to do that hub and spoke, but you still have to figure out where you're going to put your firewall to control the traffic. So if you were going to control the traffic in that situation, you may want to have the firewall in your hub network or in front of your hub network. Yeah, I think this is a very important part, by the way: just if you get started and your organization sets up networking, think about deploying a hub and spoke network architecture, right? Go and read about this. I think this is going to be very crucial to how you do the setup of your environment, not necessarily depending on all the other things you're doing, but you will thank me later if you have that. And we will just talk about this a little bit later as well, because there are all the technologies like the Azure Virtual WAN, which is also part of that Learn module, which can help us set this up as well. It's like peering on steroids. Exactly, that's a nice way of putting it. And then we already mentioned that we somehow obviously need now to connect the cloud world together with the on-prem world, right? And this can be done using Azure VPN, and for that we're going to deploy a VPN gateway. We'll talk about that in just a bit, but then there's also another
option called ExpressRoute, right? Yes, so ExpressRoute, or ExpressRoute depending on which part of the world you live in, is really an MPLS segment provided by a partner, so a telco, that terminates in both endpoints: one in Azure, in one of our data centers or one of our edge endpoints, and the other one in your data center. So it becomes a very secure, very robust MPLS segment that connects your environment to our environment, encrypted and robust, so for you to use. Yeah, now that's awesome, and again we're going to have a look at that in just a bit, and I just want to say it's not just a VPN replacement; there's also some cool stuff if you're using public services in Azure or also in Office 365, for example, as well. And then last but not least, well, not even last, there's something more, but one of the last things we're going to talk about is Azure Virtual WAN, which again we're going to talk about much, much more later, and I already mentioned, or you mentioned it, put it very nicely, Pierre: basically peering on steroids, right? Yeah, so we talked about our spoke networks earlier, or spoke VNets; you could have those around the world and have them either connected by peering, but you could also use the Virtual WAN to allow for not only your VNets to talk to each other, but, let's say you have a user that's in North America connecting to a point-to-site VPN, which we will cover in more detail a little later, and then going through the Azure Virtual WAN to connect to the London office, for example. Okay, yeah. Leveraging the power of the Azure backbone for your benefit without having to pay multiple providers to give you that same functionality. Yeah, no, awesome. Again, this covers a lot of different technology, and really if you get serious about it, you can really combine the things we're going to talk about, like ExpressRoute, VPN and routing, Azure Firewall, and all
that in the Azure Virtual WAN. And the last thing I want to talk about is the Azure subnet extension, right? We get a lot of questions from customers like, how can I use the same subnet in Azure and also on-prem, right? And yeah, for a very long time we did not have an answer for that, and usually we also don't recommend setting that up for a long, stable environment; you should not have overlapping IP address spaces. Now I know that in some cases, probably during a migration process, you need to have this in place, right? You probably cannot move everything, and there are still dependencies on IP addresses, or you don't have working DNS. So then it makes absolutely a lot of sense, and we have something called the Azure subnet extension, which we have here, which allows you basically to extend your on-premises subnet to the Azure one as well, over an ExpressRoute or VPN connection. So while you're in, for example, a migration state or anything, you can do this to set this up. Yeah, this is most useful when you have workloads where you cannot change the IP address, but you still need to be able to connect that or migrate parts of it. But it is, as you mentioned, a stopgap measure. You should not be looking at Azure subnet extension as a long-term solution. It's basically to give you the time that you need in order for you to do the rest of the migration of all of these workloads, and that way you can reassign those IP addresses once they've been moved off of that on-prem subnet. Okay, now perfect. So let's go into the next unit of this Learn module, which talks about the Azure VPN options. Yep. And there is a lot to cover here as well, right? VPN stands for virtual private network, and as we mentioned, it allows us to connect over a private... well, not private, but over the internet and an encrypted tunnel, basically, to, in this case,
your Azure environment, or from your on-prem to your Azure environment and the other way around, to make this secure. You probably have used VPN for your company for a very long time to connect to your company, or for your company to connect to other places. So there are multiple options here, and one thing is the VPN gateway we need to deploy, right? Yes, so the VPN gateway, first of all, it's the same virtual gateway that you deploy for all of those gateway designs, whether for site-to-site, point-to-site, multi-site or VNet-to-VNet. But VNet-to-VNet, as we mentioned a little earlier, can be achieved with other technologies such as Azure Virtual WAN or VNet peering, but the VPN does give you encryption in between, whereas the others just transfer the packets back and forth. Yeah, no, I remember VNet-to-VNet was especially a thing when there was no VNet peering in the past, which was pretty handy in that way to connect different subnets together. But so we talked a little bit about that, and you listed these, so can you explain a little bit what a site-to-site VPN connection is, what that means? So site-to-site is a tunnel over the internet that is basically terminated on one end in the virtual network gateway that you create inside of your VNet, your virtual network, and the other one at your on-prem. So for example, I personally, here, it's not on right now, but I do have a site-to-site VPN from my home office to my test subscription. A couple of things that you require: you require a static IP; a dynamic IP will only work until the IP changes, so depending on your internet provider that may be often or never. But it is encrypted using IPsec to support your cross-premises and hybrid configuration. So once this is on and your DNS is set up properly, you can, from any machine on-prem, if you're not
filtering that traffic, connect to any of those machines on the other side of the tunnel. So instead of having everybody doing a point-to-site from your branch offices to your Azure virtual network to the resources that are there, you set up one site-to-site VPN and everybody tunnels through it. Okay, so that is what we could have looked at here, like the 10.0.0.0/24 connecting through that tunnel and talking to machines in 10.10.0.0/16 over the internet, basically, but in that encrypted tunnel. And you were speaking about, if you look there, we have a VPN VIP on the Azure gateway side, on the right side where it says VPN gateway; that is the one deployed in Azure. It's 131.1.1.1; that's a public IP address. And then you also mentioned the other static IP address we need on your site, on the on-premises side, basically, which is here 33.2.1.5. So again, just to highlight that in the graphic as well. And multi-site, the next item, is the multi-site, which is exactly the same, except that you have branch one and branch two. So, in this graphic, your HQ and your on-prem local site number two are connecting over separate tunnels to the same VPN gateway endpoint in Azure. So it's exactly the same, it's just one more connection. So the setup is the same, the configuration is the same, you just create a separate connection. And I forgot to mention this earlier: one of the nice things with that is that you control the keys. So the keys for the encryption are yours, so you can set up your own key, so you can manage how you change those keys on a regular basis, or whatever your compliance requirements are in terms of key management. Okay, that's good. And we also know, when we talk about VPN gateways, you can only have one VPN gateway per virtual network, and we have different sizes of VPN
gateways. Well, that statement is not 100% true, because we can have two if it's HA, right? We can set it up highly available, but you basically get one VPN gateway you can use, and then we have different sizes there, depending on how much bandwidth you need, for example, right? Yeah, bandwidth and latency will play a role, so you have to make sure that you size them properly. However, this being a pay-as-you-go or a paid service, you can update your size. So if you realize at one point that you did not pick a SKU that was large enough to support your environment, then you can upsize it and take advantage of that. Perfect. And then last but not least, the point-to-site VPN, and that is a pretty easy thing to set up. It basically allows you to deploy a VPN client on people's machines. So, for example, here on my Windows 11 machine, I have a VPN client set up and I'm connected to my virtual network, or to the VPN gateway, the Azure VPN gateway in Azure, and then it creates this point-to-site SSTP tunnel, for example. We also support OpenVPN as well, but in the Windows world we use SSTP for that very often. So then it allows me, wherever I am, for example I'm working from home, I don't need to have a gateway with a static IP address or anything; I just start my VPN client and I can connect into the network. That's right. So in the good old days before the age of the human malware, when we would work from airports and Starbucks and hotels, we could securely connect to our resources in Azure using the point-to-site. Yeah, now I also have a couple of customers who set this up, for example, as kind of a disaster recovery space. If they think about, for example, they have their headquarters and the headquarters goes down for some reason, the employees at least could still connect to the Azure resources with some notebooks, working from
home or at other places so they can quickly go back to work in case of a disaster right which is depending on the company is very very important as well and if you don't have multiple sites in place uh as well and then you mentioned vnet to vnet which actually allows us to connect like different uh virtual networks together using these gateways so if you have two virtual networks in Azure you can connect them using the vnet gateway again I would still say that there are probably other options like for example to use vnet peering which is today probably in many cases the better approach to do and the more efficient approach especially but still you could do vnet gateways as well yeah and then last but not least so this is this is like important and I know that there's a lot of customers are interested in this so we now actually could actually start working right but we also have something called express route and you were very nicely describing that just before that a little bit sorry I was reading the comments in the in the chat we are very interactive here so again just quick reminder ask your questions in the chat we will try to answer all of these um as well uh we will just talk about like okay so we actually could use vpn we could use side-to-side vpn um for example to connect our on-premises environment to the azure world but um there are obviously some constraints right sometimes I have troubles with like latency or like a vpn it's still encrypted but it still goes over to public internet right it's still a connector it goes over to public internet uh again there's some latency and some bandwidth concerns with that as well so with express route Pierre we can actually address these yeah we can address these because you uh this is a dedicated MPLS segment as I mentioned uh from your network to our network uh that is completely encrypted that is very robust uh and it's provided by your uh telco or the the express route partner in your region so different 
different countries will have different partners uh but also the partner actually has to have redundancy in their connection uh hardware so that all of the network that manages that connection uh is redundant and and built on high availability with a high availability model it's it's more expensive uh but in some cases like I know I've had some customers in the past whereby compliance uh requirements because they were financial or health care or whatnot uh needed they couldn't were not allowed to go over public internet even in an encrypted tunnel so express route uh fit that bill yeah no it's absolutely and it still uses the the vpn gate we obviously to set this up as well um uh and again I there's many reasons as you just meant compliance is one but then there's also for example latency and also like like traffic wise right we have different offerings there um where like outgoing traffic for example to the on-prem world is usually with a cost there's also some like express route setups I think which will cover that as well in the pricing part so um like for a lot of companies doing serious work with Azure um they're definitely going to have a look at the um express route option and you can still have both in place right so for example what I see customers here and that's very sure nicely shown in this graphic we have actually express route in place um this setup but then they have for example also VPN connections uh for other locations or as a fallback for example for a failover scenario where for example at one point even though it's a redundant connection and it should nothing happen right there can always be something so they could actually set up a additional VPN gateway as kind of like a fallback uh as well yeah absolutely so you are definitely the expert to talk about when it comes to implementing VPN gateways so I know that this is something a lot of people get confused by there there's a selection you can do by policy based or root based configurations 
right. Okay, my rule of thumb: avoid policy-based as much as you can, go with route-based. Policy-based means that you have to define static IPs; it's basically based on the static IP mapping. So if something changes in your infrastructure, you'll have to update that mapping in your policy to say "from this to this, now allow through the firewall" and create that connection. Route-based is kind of like the default, and it's a lot simpler to use and manage and deploy, and I think at some point it is basically the preferred way of doing it. So route-based is for if you're on-prem and... oh, there's a note right there. So if you create a new subnet in your VNet, then you have to go and update your gateway, and updating a gateway in some cases is not as easy as changing a configuration. In some cases you almost have to tear it down and recreate it. So you have to be careful and know ahead of time, if you're picking policy-based, why you want to do this.

Yeah, and so there are also many constraints, obviously, if you take policy-based. You could, for example, not do connections between virtual networks, you cannot do the point-to-site connection, you cannot do multi-site connections or coexistence with ExpressRoute. So for these you actually need to have the route-based VPN connection in place, right?

Absolutely.

So then the module actually goes a little bit into how this works, and I know you probably have a demo for us to show instead of us going through this, because again, every one of you can actually go out and read this as well. Is it already time for the demo?

Yeah, let's run the video. And for everybody, this is a recorded video, and it's also linked in the learning path. I created that a little while ago, and it's because creating the VPN gateway can take up to 25 to 30 minutes, so it's really hard to demo when we're looking at an hour, an hour and fifteen minute kind of session, because it would really take half the time. So let's run this video. But basically, when you create this, you need to be able to create the virtual network ahead of time. I'm trying to make sure that it's running. Yeah, so now we create the virtual network. We pick a resource group, so I'll give it a name, so Contoso resource group, and I want to give a name to my virtual network. And if you're creating a virtual network without the gateway, that's exactly the same thing. So you give it an address space, so I'm going to take the default. I'm actually going to remove the subnets right now and I'm going to create my own. When you are looking at creating a VPN gateway, one of the things that you will require is that you're going to need a subnet specifically called GatewaySubnet. The videos have been taken a little time, so let's go forward. And once you have your virtual network created... did it jump ahead? No, it's creating it now.

So the virtual network is actually very fast to create; this is all software-defined. It's the gateway which takes a longer time as well.

That's right. So once the subnet is created, the virtual network and subnets are created, now we have to create the virtual network gateway. Now you give it a name. Region is typically exactly the same place. At this point you do have the option to do a VPN or to use your ExpressRoute link if you have one. Then you select your type, which is route-based or policy-based; in this case we're going to pick route-based. We give it a name and a SKU, and the SKU, as I mentioned before, the different SKUs will have different capabilities in terms of throughput and latency. Now we give it a subnet IP address range, then create a public IP address. As we mentioned, we need a static IP address. Then the active-active mode is, as you mentioned earlier, if you're deploying multiple gateways in an HA configuration. And that's it. Then you hit the create button and it goes away, and then it starts creating that VPN gateway, and this will take 25 to 30 minutes, as I mentioned. In this particular video I sped up the video considerably to make sure that it would actually finish on time for us to go through it properly. So now that it's finished creating, so imagine that we've been waiting and staring at the screen for 30 minutes, you can go into that virtual network, and in your virtual network you will see that we now have a VPN gateway with all of the proper configuration and the proper IP address, which you're going to need once you set up your client end. So whether it's a point-to-site or site-to-site, the other end of the virtual tunnel, you're going to need that IP address, but you have to create that first. So through the portal, very easy. You can also create it using Azure CLI. If you're a PowerShell user, you can configure it with PowerShell. It takes about the same time to deploy, but it's a little quicker to actually... you have a script, so if you're running the same virtual network gateway in multiple VNets, you can run that script, and then run it again, and then run it again. Everything you can do in Azure, you can do in multiple different ways.

Perfect. No, thank you. And again, this is also very interesting, especially as we could use ARM templates or Bicep, obviously, as well, because it's all ARM-based, right? And if you want to watch the video again, it's also part of the Learn module, so on unit four you can actually go through exactly that video, and you even have some nice commentary of Pierre going through that. So if you want to listen to that again, you can do that.

That one's a little bit more scripted, though.

Nice. Yeah, so let's talk a little bit about the ExpressRoute stuff, and we already talked a lot about what it is, but let's repeat quickly what it is and why we would actually do that. But again, it all comes down to having that private, fast connection which doesn't go over the public connectivity, right? And then we have a couple of implementation options, right? There's not just a one-to-one option, it's not just one thing, it actually can cover multiple things here.

Yeah, so your ExpressRoute basically becomes the connection between your environment and... if you go down a little bit through the graphic, it's easier when we talk about the graphic to explain it. You have your environment, so the bottom part on the right side of your screen, the blue virtual network, that's you, that's your IaaS, that's your virtual network that you have. Whether or not you've got a ton of peered networks in there or just the one doesn't matter. All of these will go through the Microsoft edge, then connect through the connections, either primary or secondary connection, to the partner's edge. And the partner, like for us in Canada, would be one of the telcos, and then they provide the last mile to connect to your own environment. So it's encrypted from your environment all the way to our environment, very secure, very robust. Now, in the middle you can see that it says ExpressRoute circuit. So once you've talked to your partner and they've established the ExpressRoute tunnel, then in your Azure environment you have to create the ExpressRoute gateway, then it's connected to it, and then you have to create your circuits. And your circuits are basically what route, not so much the traffic, but the type of application or the type of traffic that goes. So if you're going from a virtual machine in Azure to a physical or virtual machine on-prem, it would use the secondary, in this particular case it would use
the secondary connection. Actually, it's both connections, but yeah. Well, what they call them is the circuits. There are two circuits: there's one that is a Microsoft peering circuit, and then the other one that is a private peering circuit.

Yeah, so we have the private peering, which actually is kind of like a replacement for the VPN, right?

Absolutely.

It's kind of like, again, you can use it with both, but it's actually helping us to have this private address space, so only virtual machines running in Azure and on-prem can communicate over this, as you're probably used to from using a VPN. But then the other cool thing is, now we have this ExpressRoute in place, right, we're using this private connection, we set up these different connections. By the way, this private, when we see these circuits there, we have two connections; this is done for redundancy reasons. But then you can see the red line, which is actually the Microsoft peering. So what that allows us to do is, when we have these public IP addresses of Office 365, Dynamics 365, or even Azure public services, we can actually still leverage that private connectivity that we have with ExpressRoute. So we can still get the benefits of the latency of having that private connection, even though those are using public IP addresses; we can still use that by doing a peering with Microsoft. And again, this is also a lot of benefit. We see a lot of Microsoft 365 or Office 365 customers actually using this as well, so their workforce connecting from on-premises environments can leverage that as well.

Yeah, because I'll give you an example: one of my colleagues who looks after a bank here in Canada, it's one of their requirements that they deny split tunneling, so everything has to go through their ExpressRoute. So if they have their Office 365 or any other SaaS, so Dynamics 365 or other public services that we have in Azure, it all goes through the ExpressRoute, but just over a different circuit, or a different peering circuit.

Yeah, yeah, perfect. I see, also by the way, it's not necessarily related to what we're just talking about, but I see we have a question from YouTube, I think. James is asking: coming from AWS, is there a way we can actually set up Windows Server and SSH using Terraform? So I guess he wants to set up a virtual machine in Azure running Windows Server and then set up SSH on that. And the answer is simply yes, you can absolutely do that. You can use Terraform to deploy the VM and then also to do some stuff on Windows Server as well.

However, I will play, not devil's advocate, but I will say, considering that today we're talking about hybrid networking in Azure, when you're connecting to those machines, you have to create the virtual network ahead of time. You can't just have a machine without a virtual network. Once it's on a virtual network, if you want to SSH into that machine, you have two options. One, you can give that machine a public IP address, which can be dangerous because now it's exposed to the internet. Or you can use a feature in Azure networking which we call Azure Bastion host, where you connect to the portal, you select that resource, and then it opens basically an SSH or an RDP connection to that server through a browser. So there's no actual end-to-end connection to that server. It's a lot more secure and you don't have to expose your servers to the internet.

Yeah, it's basically kind of like a jump host as a service, a secure version of a jump host as a service. So if you were into that, look at Azure Bastion.

So let's go a little bit forward again in the Learn module. Again, we still have, again, explaining the different options we have, and then we just want to highlight these again. There's also obviously site-to-site VPN, again, which we can leverage, or then point-to-site VPN, which is actually pretty easy to set up. But then there are also obvious scenarios, if you look at this, why we would actually use ExpressRoute, and we talked a lot about the benefits already. If you look at here, it's actually a layer 3 connection, it has built-in redundancy together with your ExpressRoute provider as well, and then you can use it as a connection to the Azure services, but then also for the public services, as well as kind of like a VPN replacement with the private peering as well. And then one cool thing, by the way, we should mention here is also the ExpressRoute Global Reach, and that allows us to connect different on-premises environments over to Azure, right? This actually allows us to connect these things together.

Yeah, and that's basically leveraging the Azure WAN. So you're connecting your ExpressRoutes within whatever geography your branch offices are, and then you connect them together using the Azure WAN. So your traffic is always secure, it's always on, never goes over the public internet, excuse me, and it's always well managed and redundant.

So this is pretty cool. By the way, just to also mention that if you have multiple company locations that all need to be connected somehow, together with Azure, maybe not even together with Azure, but maybe they just need to be connected between each other, you can actually leverage the Microsoft backbone or the Microsoft network for doing that. So we can have a very easy entry, and we're going to show that when it comes to Azure Virtual WAN as well.

So there are some prerequisites. We obviously need to... when you set up an ExpressRoute circuit, you obviously need to have an initial subscription and a connectivity partner to do that. And then if you want to use it with Office 365, you also need to have an Office 365 connection. And then from the networking side, obviously BGP is required for these scenarios as well, and you need to set up the necessary IP addresses for that specific setup.

Yeah, and the rest of this unit within the learning module basically just walks you through all of the steps that we talked about. So how do you create... once you've configured your ExpressRoute, how do you create your circuits, and which type of peering configuration you want to put, and we've already talked about both of those. So the rest of this unit is basically walking you through this and showing you what it would look like, because we can't simulate this in a sandbox for you to try it, because we need to have a partner to actually lay some cable for you.

Yeah, even though I have a 10 gig connection at home, unfortunately I can't show you this live. And I just want to flex a little bit here with my internet speed.

Yeah, yeah, we hear about the 10 gigs.

So speaking of 10 gig, let's have a look at Azure Virtual WAN. We really are psyched about it, as we talked about it, as you could hear from us at the beginning. I think the first thing we want to really talk about is this, and it really brings a lot of different things together and makes our life, especially in these hybrid scenarios, obviously way easier, right? Yes. So we can do a couple of things here. We have a couple of functionalities we can actually support, so we can actually have branch connectivity, site-to-site VPN connectivity, point-to-site VPN connectivity for remote users, we can have ExpressRoute connections, we can have intra-cloud connectivity between, for example, VNets as well, VPN-ExpressRoute interconnectivity between those locations, routing, Azure Firewall, and encryption for private connectivity. So there's a bunch of awesome stuff we can actually bring together with the Azure Virtual WAN architecture, and I
think this here covers it pretty well. So here we have, if you look at the top part, the top part is all virtual networks or VNets in Azure, right? So think about these kind of like the spoke networks we have there, and in the middle you see the Virtual WAN, which is basically our hub where everything comes together. And then on the bottom of the screen you can actually see the different possibilities we have there to different locations. So for example, our HQ, our headquarters, or the Contoso headquarters, is actually connected using ExpressRoute, because they have a ton of different people there, they need to have low latency so that they have a good experience, they need a lot of bandwidth there as well. And then we have, for example, certain branch offices where we actually can connect using VPN devices. Now, the cool thing is also this onboarding. If you have a lot of these branch offices, this onboarding process can also be automated, right? So you can then bring them in, and as soon as you plug them in, basically, they connect up to the Virtual WAN as well. And then we also have some remote users, which I already mentioned, by using a point-to-site VPN, and they can also work together. And now we're all coming together to this Virtual WAN hub, as I call it. We can actually now connect through all of the different things together, right? We can also leverage now, for example, you can connect from one branch office to the other branch office using that Virtual WAN connection. Obviously, we can also secure that and make sure that some connections are not possible. We can set this all up in the way we want it.

Well, you can. I just unmuted myself a second ago. Somebody rang the doorbell upstairs and all of the dogs in the house went nuts, so if I went silent, now you know why. The beauty of working from home, connected to our resources through hybrid services. Anyway, as you were mentioning, connecting all of this through ExpressRoute, VPN, point-to-site VPN, it's great, but as we mentioned at the beginning, using NSGs and using firewalls, you have to be conscious of how you're going to manage the traffic going across between your subnets, between on-prem and the cloud, and between the internet and all of that. Because at this point, if you've implemented it the way Thomas was just showing it, you basically have one point of entry and then everything is interconnected. So you've got to make sure that your firewalls are set up and your network security groups are also set up.

Now, but again, this is pretty awesome. And then obviously we have different types there, obviously, as we have different tiers, or different types as we call it. So we have the Basic and the Standard tier available. So if you, for example, just want to start and you only use a site-to-site VPN, the Basic tier should have you covered. And then if you want to use more of it, we have the Standard tier, which also includes other available configurations such as ExpressRoute or point-to-site or VNet-to-VNet through the virtual hub. And you heard me mention a couple of different things here. So here we have a description of all the components which are actually used in that. So we have the Virtual WAN, which is actually the virtual map of your Azure network with the multiple resources linked together within the virtual hub. And the virtual hub is actually where we have these things coming together, where we have the service endpoint connectivity. And then the hub virtual network uses the hub VNet connection to connect the hub to your VNet, right? So that is how you set this up. And you can also, this is by the way in preview, do a hub-to-hub connection, so if you have multiple hubs you can interconnect them using Virtual WAN. You have a hub route table, and that is what also enables us to basically say what is routed where, when it comes to that configuration. And then you have sites. Sites represent actually the different sites you have. So for example, if you have on-prem VPN devices, they're basically named as different sites there, so you can easily manage them as well.

Okay, so by having that, the Learn module now goes through how you would set this up. So first, what you need to do is actually set up the Virtual WAN, then create a hub, and then create a site, which, not probably but, refers to the on-premises locations. And then you actually go and connect that site to the hub, right? And then that is actually linked together. And so then you would go out and actually connect the VPN from that site to the hub, then we can connect a VNet to the same hub, and then we basically would just go download the configuration file and go through that. And the Learn module here really goes through this configuration, how to set up the Virtual WAN. It's actually pretty simple from a deployment perspective, right? The setup in general is super easy to do, but what you actually need to do is have some planning. Obviously, you want to know what you want to connect together, what restrictions you want to build in, what should be able to talk to each other, what should not be able to talk to each other. So that is more a planning effort than actually going through the portal and deploying this. And again, as Pierre will point out to me in just a bit, I can also use the CLI, I can use PowerShell, I can use Bicep, I can use ARM templates to deploy this and automate that process. And by the way, we also have reference architectures for this. So if there are a lot of things you now need to think of, check out the Cloud Adoption Framework. There we have reference architectures with Azure landing zones to go through this, so I highly recommend that you check this out. So I will not bore you by just going through all this again, to create all these connections, of what you should do. Let's talk about DNS in our hybrid environment. DNS, the all-famous DNS.

DNS is very important, as you know, mostly because in a lot of cases it is a very big point of failure, and point of attack as well. So you really have to start looking at how you're creating it, or how you're configuring it, so that all of your machines, all of your services, whether they're on-prem or in the cloud, can actually effectively connect and be able to find each other.

Okay, I think this is, by the way, also important, like, hey, if you don't want to end up with scenarios where you need to extend the network, right, where you actually communicate with hard-coded IP addresses and stuff like that. And unfortunately there are still some applications or some configurations out there which have this stuff in place. So you definitely want to make sure that you have DNS in place. And DNS, by the way, for those who are listening and are probably new to that, it stands for Domain Name Service, and this actually does kind of like translation of IP address to name, right? So that's for those who haven't really worked with that before. So Pierre, how do we actually set this up, and how do we make sure that we can, for example, leverage Azure DNS in our on-prem environment, or in our hybrid environment, I should say?

Okay, so there are multiple ways of addressing this particular problem. Number one is, if you're only deploying within a single subnet or a single VNet and you're not really concerned about connecting to your on-prem environment, anything within a virtual network will automatically use a built-in DNS service. So when your machine boots and connects to the virtual network, it gets an IP address. Even though in Azure you have the option of a static or dynamic address, they're all dynamic, but the only difference is, when you select static, it creates a
reservation, and the reservation time is the mathematical equivalent of the largest hexadecimal they could fit in that field, and I believe it translates to something like 136 years, give or take a few months. So everything is always dynamic. But when you have all your machines within your subnet or your virtual network, they will use the built-in DNS to resolve each other. The problem comes when you have multiple subnets or multiple VNets that need to resolve, or if you have on-prem that needs to resolve machines in the cloud, and machines in the cloud needing to resolve machines on-prem. At that point you have other options. One of the ones that has been used a lot for a long time is sticking a domain controller with an Active Directory-integrated DNS zone into your virtual network, and then configuring your virtual network to use that DNS instead of the built-in DNS in your virtual environment. Now there are other ways of doing that, where you can actually set up the internal DNS as a resolver to your original DNS, so that it will look at your standard DNS server, like in your graphics here, where from our client the DNS query will go to the DNS server, and then we'll forward that to the DNS in the other VNet. So this is a bit more modern than the "drop a DC into it", but you can do it either way. Or, in my case, let me show you one of my machines here. I actually delegate my own domain to an Azure zone and I manage it in here. So I went to my registrar, and I've been provided the name servers in my domain registration, and now I'm managing all of my record sets and child zones within Azure itself. So you can have almost like a combination of different technologies that will serve different purposes. It all depends on what your original or your end goal is: if you're going to reserve how you're going to do your resolving, if you're going to have everything in one zone, or you're going to have zones and child zones and resolvers. That's all possible within our DNS environment. So, all right, the difference, the problem is that when you're looking at limitations and considerations, when you're looking at Azure DNS, you can only link a specific VM to one DNS zone. So you can't have multiple NICs looking at multiple zones. And that graph actually shows it really well, where if you've set up your forwarders properly, then you don't have to, because it will then take a bit of time, because the first DNS will have to get to the second zone and then get the authoritative answer for you. In Azure we don't really provide a recursive DNS service; we have an authoritative DNS service. So you can't just create a resolver service. So when I've created my wired connect com DNS zone, it is authoritative.

Okay, okay. No, but that is pretty cool. Again, so we get kind of like a DNS as a service, if you will, where we don't need to manage necessarily all the DNS servers if we don't have them. But as you also pointed out, it's still absolutely okay also to bring your Active Directory domain controllers to run them in Azure as well. You have this setup as well in some cases, right? But then you have this little bit more modern approach where you can use Azure DNS to do some resolving as well.

That's right.

Okay, so let's move on. The next part is actually doing the knowledge check. So what we're going to do here is, we have prepared a couple of questions, and you're also very welcome to participate in these questions. So I will go through the question, and Pierre, if you want to go through the answers, then we can do that like this. So: an administrator at Contoso wants to enable communications between a number of Azure VMs he is planning to create and deploy. Which of the following solutions represents the simplest way for these VMs to be able to communicate with one another? So, A: the administrator should connect the network interfaces of each VM to the same VNet. B: the administrator should connect the network interfaces of each VM to different VNets. And C: the administrator must configure a subnet extension to enable communication between the VMs. So in this question, I really think this is kind of like a tricky one, in the words, like it tries to basically make you think too far. And so be careful here what your choice is. Again, we give you a little bit of time here. But I think I mentioned this, or you mentioned it, it depends, I think we both mentioned how that actually works: when you deploy a VNet and you have, for example, different subnets within these VNets, by default they can actually talk to each other. And with that I already gave the answer for that specific question, and it's A. Well, if we want to be nitpicky with that, answer B, the administrator should connect the network interfaces of each VM to different VNets, but if these VNets are peered, then it will still connect.

Correct, correct, absolutely, if they're peered. But in the easiest way, we'll go with that, the easiest way.

Absolutely, I'm always a fan of the easiest way. So let's go to the next one, and this is: an administrator wants to deploy an Azure VPN but is uncertain of the type required. She wants to enable communications from users back to Azure resources. What type of VPN should she implement? So again, I feel this is a very tricky one. So what are our options here? Well, the options are: A, she should implement a site-to-site VPN solution; B, she should implement a point-to-site VPN solution; or C, she should implement a multi-site VPN solution.

So there's a keyword in your question that needs to be highlighted to get the answer.

Yep, absolutely, absolutely. I mean, you could argue that, in theory, I think you could basically implement all of them, but the simplest solution would be B.

That's correct. We are talking here, especially because there's the wording "from users back to Azure", so in theory, if your users are all in the same place, like in your headquarters, you could also obviously set up a site-to-site VPN and then connect.

Correct. But the easiest solution, especially if you're uncertain and you only want to have a couple of users connecting to Azure resources, then point-to-site can be the answer for that.

Yes. Also, I promise you I'm not a big fan of that question, I just need to point that out. So this one is also, by the way, tricky, especially for people who are new, because we talked a lot about different peerings in this talk, and this one is very... I will do the question again. This time it's pretty easy. What is Microsoft peering? And I really want to say it again: Microsoft peering, not VNet peering, not subnet peering, Microsoft peering. So question, or answer, A: it provides a direct connection from your on-premises network to an Azure data center. B: it enables you to connect your on-premises network to Microsoft 365 services and Dynamics 365. Or C: it provides a connection between your on-premises network and an ExpressRoute provider. Any answer would be... so I give a couple of seconds here for people to also answer the question on Learn TV. But obviously, a Microsoft peering allows you to actually connect your on-premises network to Microsoft 365 services and Dynamics 365 as well. We should also include Azure services as well, because some of the public Azure services would also be addressed by using that Microsoft peering.

Yes, so the majority of our SaaS offerings.

Exactly, exactly. Everything which is not necessarily with IaaS VMs, or where you have private IP addresses in place, where you actually connect to SaaS offerings with public IP addresses, you can leverage that. And again, there are some really good benefits of doing that, especially when it comes to latency, bandwidth and all the good stuff. And as you also pointed out, I think you said compliance and regulatory requirements as well, right? They can be
yes so uh let's go into the summary quickly and actually see what we talked about today so we went through actually and talked a little bit about the azure networking topologies right so from different um talked about the different pieces we talked about vnet subnets vpn gateways express route and so on so we had a lot of different explanations there and how they work together I want to stress one thing enough again as Pierre mentioned your skills which you have from on-prem absolute valid they can still be used in the cloud however it's a rethinking of how to do things right don't just take do the exact the same way as you do it in in uh in your on-premises environment uh rethink how you actually would do it in the cloud work right and then we have implement we talked about implementing azure vpn um how you can actually connect that virtual private network we talked about and Pierre very nicely explained when to use or how to use a root-based vpn gateway in the azure portal again if you want to watch the video it's in the learn module as well we talked how to implement and why you would actually implement azure express route we talked about implementing azure virtual when and how that that works and what the benefits are of that and then last but not least parts of the learn module we actually implemented dns resolution in a hybrid environment perfect anything to add Pierre do we did I forget something no we actually we covered pretty much everything that we set out to cover uh of course uh you are more than welcome to run through this and even just bookmark that one if you uh at some point have different or you're thinking about something is there's a lot of information at the bottom of each unit where to learn more and it will take you straight to the documentation absolutely and then I also quickly want to highlight don't miss the next one um on December 2nd uh it's about implementing a hybrid file server infrastructure um and so we will learn how you can 
actually like use that and deploy hybrid file servers in your environment and so very interesting one I'm pretty sure I'm going to watch that one it's going to be again live on learn tv um and on youtube and on youtube and on twitch and on twitter on all the socials so with that I also want to quickly say thank you for everyone watching we quickly going to have a look at uh if there are any questions so this is basically your last chance to get your questions in if you don't if we don't have any questions um uh in that in that space or you don't have enough time to actually ask your question please feel free to follow up with us uh on social media uh ping us there uh Pierre and I and many others are happy to actually help there um so really thank you for everyone joining here today yeah we have our little uh twitter handles here dms are open if you have questions we are not troubleshooting people though but we will help you with uh uh the vision and what you're trying to plan to absolutely and with that I want to say thank you to the microsoft learn tv team as well as to you pier it was a pleasure to work with you uh tonight for me I think morning or afternoon for you so late afternoon yeah absolutely fun and thank you again for everyone joining I hope we see you in another one as well here's