Microsoft Azure AZ-800 — Section 16: Implementing on-premises and hybrid network connectivity Part 3

123. Understanding Azure Extended Network

I'd like to now talk about a feature called Azure Extended Network.

So what exactly is Azure Extended Network? This is a newer feature that Microsoft introduced. The goal of it is to let an on-premises subnet stretch out to the cloud, so that you have a single subnet that is partly on-premises and partly in Azure. One thing I want to get out in the open first: there's a misconception about this feature. When people hear the name Azure Extended Network, they tend to think, "Oh, this is just a way to connect our on-premises network to the cloud." No. You can do that a couple of ways, but that is not what this does. In fact, that connection is a prerequisite for this. You do need to connect your on-premises network to Azure first, either with a VPN gateway or with ExpressRoute, one of the two.

That connection is what carries the traffic. Of course, you have the Azure Network Adapter feature, but that's not going to do it; it doesn't connect everything together. What you need is an actual on-premises VPN router that connects to a VPN gateway in Azure, or you go through a telecommunications provider to get ExpressRoute and connect your on-premises network that way. That is the prerequisite. What this feature does is allow a subnet on your on-premises network to span out to Azure, so that if you migrate, say, some on-premises virtual machines to the cloud, those virtual machines can keep the same IP addresses.

That matters if you've got a lot of things connecting to those servers by IP address and you're worried that an IP change will break them when you migrate. It's not super common; most of the time you can migrate a service, change its IP, and it isn't a big deal. But when it is a big deal, that's where this feature really comes into play.

When you set this up, it creates what's called a bidirectional VXLAN (Virtual Extensible LAN) tunnel. It runs between a pair of virtual machines that act as virtual appliances: both are Windows Server VMs, one in Azure and one on-premises, and the tunnel between them performs the extension.

The other key thing to remember is that each extended subnet needs its own pair of these appliances. You can't set up one pair and have it extend, say, 200 subnets. If you have multiple subnets to extend, you will need multiple pairs of virtual machines.

There are also capacity considerations. First, you can extend up to 250 IP addresses with one extension, meaning the two appliances, the one in Azure and the one on-premises, can carry at most 250 addresses between them. Second, throughput is on average about 700 megabits per second, and part of that performance depends on the appliance VMs themselves, so make sure the CPU and so on are where they need to be.

Now for the configuration. I'll give you some visualization in a moment, but first the steps on the Azure side. You create a virtual network, and that virtual network needs to contain at least two subnets. You also need a gateway connection in place: a site-to-site VPN gateway or ExpressRoute, which, as I said a minute ago, is the prerequisite. Then you create a Windows Server 2022 (or later) virtual machine in Azure to act as the appliance, and it must support nested virtualization, because you are going to install Hyper-V on top of this VM. That is one of the two appliances; it's the one in Azure. You connect the VM's primary network interface to the subnet that is going to be extended, and that subnet is reachable from on-premises over your VPN gateway or ExpressRoute connection.

From there, there are a couple of quick PowerShell commands to set up the Hyper-V side. The first installs the role: Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart. You could do the same by logging on to the virtual machine and adding Hyper-V under Roles and Features in Server Manager. The other thing is to create the external virtual switch that Hyper-V needs, which you can do with New-VMSwitch or with the graphical Virtual Switch Manager, which you've seen.
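As an added example (not code from the course), here is the Azure side of that procedure done with the Az PowerShell module instead of the portal. The resource names, address ranges, region and VM size are assumptions for a lab; the site-to-site VPN gateway or ExpressRoute circuit is the prerequisite discussed above and is assumed to already exist on this virtual network.

```powershell
# Added example, not from the course. Assumes the Az module is installed and Connect-AzAccount was run.
# Assumed lab values: change to match your environment.
$rg       = 'rg-extnet-lab'
$location = 'eastus'
$vnetName = 'vnet-extnet-lab'
$vmName   = 'vm-extnet-appliance'
$onPremSubnetPrefix = '192.168.10.0/24'   # MUST equal the on-premises subnet being extended

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# The virtual network needs at least two subnets: the one being extended, which carries the
# same address range as the on-premises subnet, and a second subnet for routing.
# (The GatewaySubnet for the VPN gateway is assumed to exist already.)
$extSubnet   = New-AzVirtualNetworkSubnetConfig -Name 'ExtendedSubnet' -AddressPrefix $onPremSubnetPrefix
$routeSubnet = New-AzVirtualNetworkSubnetConfig -Name 'RoutingSubnet'  -AddressPrefix '192.168.20.0/24'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '192.168.0.0/16' -Subnet $extSubnet, $routeSubnet

# The appliance's primary NIC goes into the subnet that will be extended.
$extSubnetId = ($vnet.Subnets | Where-Object Name -eq 'ExtendedSubnet').Id
$nic = New-AzNetworkInterface -Name "$vmName-nic0" -ResourceGroupName $rg `
    -Location $location -SubnetId $extSubnetId

# Windows Server 2022 image on a size that supports nested virtualization (Hyper-V inside the VM).
# Standard_D4s_v3 is an assumption; any Dv3/Ev3-or-later size with nested virtualization works.
$cred = Get-Credential -Message 'Local administrator account for the appliance VM'
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D4s_v3' |
    Set-AzVMOperatingSystem -Windows -ComputerName 'extnet-az' -Credential $cred -ProvisionVMAgent |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
        -Skus '2022-datacenter' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id -Primary

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig

# Sanity check before moving on: the VM must be a 2022 image on the intended size.
Get-AzVM -ResourceGroupName $rg -Name $vmName |
    Select-Object Name, @{n='ImageSku'; e={$_.StorageProfile.ImageReference.Sku}},
                  @{n='Size'; e={$_.HardwareProfile.VmSize}}
```

The only non-obvious point is the extended subnet's address prefix: it has to be the same range as the on-premises subnet, otherwise there is nothing to extend and the migrated machines cannot keep their addresses.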

Then there's the on-premises configuration, which isn't really much different. First you need to figure out which subnet you're extending; obviously the subnet that holds the virtual machines you plan to migrate to the cloud is the one you'd pick. Then you set up a server virtual machine, and on-premises it can be Windows Server 2019 or Windows Server 2022. So unlike the cloud side, where you need at least Server 2022, on-premises you need at least Server 2019. It also has to support nested virtualization. Then you run pretty much the same commands: install the Hyper-V feature with PowerShell or with the graphical tool, and from there set up the virtual switches.

So it's a very similar configuration on-premises to what you've got in the cloud.
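Here is the appliance-side preparation as one added PowerShell script, not the course's own code. It is the same for the Azure VM and the on-premises VM, which is why it is shown once after both sets of steps. The switch name and the way the uplink adapter is selected are assumptions; the two commented Set-VM* lines at the top run on the on-premises Hyper-V host, not inside the appliance, and are the step people most often miss when nested virtualization "doesn't work".

```powershell
# Added example, not from the course. Run inside each appliance VM (Windows Server 2022 in
# Azure, Windows Server 2019 or later on-premises). Names below are assumptions.
$switchName = 'External'

# --- On-premises only, run on the Hyper-V HOST while the appliance VM is powered off ---
# Expose the virtualization extensions to the guest and allow it to forward frames for other
# MAC addresses, otherwise the nested VM switch will not pass traffic.
#   Set-VMProcessor      -VMName 'extnet-onprem' -ExposeVirtualizationExtensions $true
#   Set-VMNetworkAdapter -VMName 'extnet-onprem' -MacAddressSpoofing On
# (In Azure this is a property of the VM size; pick a size that supports nested virtualization.)

# 1. Verify nested virtualization is actually available before installing the role.
$info = Get-ComputerInfo
if (-not $info.HyperVisorPresent) {
    if (-not $info.HyperVRequirementVirtualizationFirmwareEnabled -or
        -not $info.HyperVRequirementSecondLevelAddressTranslation) {
        throw 'Virtualization extensions are not exposed to this VM; fix the host setting or VM size first.'
    }
}

# 2. Install Hyper-V with the management tools. This reboots the VM; rerun the script afterwards
#    and it skips straight to step 3.
if (-not (Get-WindowsFeature -Name Hyper-V).Installed) {
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
    return
}

# 3. Create the external switch on the adapter that sits in the subnet being extended, keeping the
#    management OS attached so the appliance itself stays reachable. Adapter selection is an
#    assumption: the first adapter that is up; choose explicitly if the VM has several NICs.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    $uplink = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    New-VMSwitch -Name $switchName -NetAdapterName $uplink.Name -AllowManagementOS $true
}

# 4. Confirm: one external switch bound to the uplink adapter.
Get-VMSwitch | Format-Table Name, SwitchType, NetAdapterInterfaceDescription
```

Run it once, let the reboot happen, and run it again; the second pass only creates the switch. If step 1 throws on-premises, the host-side Set-VMProcessor line was skipped.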

After that, the next step is to jump into Windows Admin Center, where you'll have to install the Azure Extended Network extension, which I'm going to show you right now.

Here I am in Windows Admin Center on my NYC server 1. All I had to do to get there was type https:// followed by the name of that server, where I installed WAC in a previous example. From there I click on my server, which is acting as the gateway, and it makes a connection. Then I go up to Settings and wait for that to load. Under Settings we have to add Azure Extended Network as an extension, because you won't have this feature at the beginning; you have to go into Extensions and add it. At least at the time I recorded this, they require you to add the extension. You'll notice it isn't in the Available extensions list for me because I've already added it; it shows as installed. In your case, if you haven't added it yet, click Available extensions, select the extension, and click Install. Once it's added, go back to the main Windows Admin Center page, click your server again, and Azure Extended Network will show up in the list of tools.

When I click on that, there's a walkthrough. You click Setup and it gives you a step-by-step guide; just follow it. It will have you download the Azure Extended Network package, a small executable. You open that file and it extracts a .cab file, which you can save wherever you like (I saved it to my desktop). Then click Select File and add it, or drag and drop it in, and follow the rest of the wizard. I can't demonstrate all of it, unfortunately, because I don't have the VPN gateway and the rest set up for the network I'm on; that's one of those things I don't have access to. But if you were doing this in the real world, that's how you'd proceed. And that covers the facts you need to know for the exam.

I do welcome you, if you have this set up in your own real network, to keep going: follow the steps from the slides, run the PowerShell commands, set up Hyper-V, configure the extension, and give it a shot.

124. Visualizing Network Policy Server and Web App Proxy

I want to help you visualize a couple of things here: the concept of NPS and the concept of Web Application Proxy.

I'll start with NPS, Network Policy Server. Some of you might have heard of the concept it's built on, which is RADIUS, Remote Authentication Dial-In User Service. RADIUS is a service that has been around since the dial-up days, going back to the 1990s, when ISPs ran RADIUS servers that you authenticated against. The RADIUS servers also handled accounting, meaning they tracked how long you were connected, and that's how the ISP billed you. RADIUS has stood the test of time and is still used by various companies, including ISPs, and we can use it in our environment as well.

The Microsoft-flavored RADIUS server is NPS, Network Policy Server. Where it comes in is when your company has a number of RAS (Remote Access Service) servers, say, handling VPN connections. It's especially beneficial if you're a larger company with a bunch of RAS servers to handle the load coming in, perhaps spread across various locations. You need a way to manage that authentication centrally: if you wanted to view the logs of who logged on and how long they were connected, you'd have to look at each RAS server's logs individually; there'd be no central place. The other thing is that each of those RAS servers is connecting in and authenticating you directly against your internal domain controllers, and that's a bit of a problem as well. There's no central way to keep track of what's going on.

So with a RADIUS server, NPS in our case, I'm going to add an NPS server on the internal network. It gives us the ability to centrally authenticate, centrally log, and centrally account for what's going on. Everybody authenticates through NPS, and it tracks everyone who logs on through the VPN servers, RAS servers, whatever; and God forbid you still have dial-up, you could keep track of that as well. It deals with the bulk of the authentication and accounting load together with your domain controllers. The problem, though, is that you don't want those RAS servers talking directly to the internal NPS server: if somebody compromised one of them, that could add exposure.

So Microsoft also provides another role, a RADIUS proxy. I'm going to draw the RADIUS proxy server here, lower the font a little so it fits, and connect it to our little DMZ.

The benefit of the RADIUS proxy is this: when somebody connects in, say a person working from home, they talk to the RAS server; the RAS server talks to the RADIUS proxy; the RADIUS proxy talks to your NPS server; and NPS authenticates you against the domain controllers. Every one of these RAS servers communicates through the proxy with the NPS server inside, which makes the access decision. And because the RADIUS proxy secures the connection between the DMZ and the internal NPS server and holds none of the sensitive information itself, you don't have to worry as much about the proxy getting hacked: if an attacker could communicate directly with the RADIUS server, they could potentially gain sensitive information.

Of course, there's a disadvantage: there are a lot of machines involved. For the most part, the biggest benefit of NPS is when you do have multiple RAS servers; if you have just one, there's not a great deal of benefit. But if you're a medium to larger company with lots of remote access servers and you want to keep track of everybody logging on, when they log on and how long they stay logged on, that's where this server really benefits you.

So that's the idea of NPS.
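As an added example (not part of the course), here is how the three-tier picture above, RAS server to RADIUS proxy in the DMZ to internal NPS, is expressed with the NPS PowerShell module. Host names, addresses and group names are lab assumptions, and the function names are mine. The connection request policy that tells the proxy to forward to the internal group has no cmdlet and is created in the NPS console or with netsh nps, so it is only noted in a comment.

```powershell
# Added example, not from the course. Needs the NPS role on each box:
#   Install-WindowsFeature NPAS -IncludeManagementTools
# Addresses, names and the function names below are assumptions.

# RADIUS protects the exchange with the shared secret alone, so generate a long random one per
# client instead of reusing a short password everywhere.
function New-RadiusSecret {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)        # 44 printable characters
}

# ---- Internal NPS server (domain joined) ----
function Set-InternalNps {
    param([string]$ProxyAddress, [string]$ProxySecret)
    # The only RADIUS client registered here is the DMZ proxy; RAS servers never talk to it directly.
    New-NpsRadiusClient -Name 'dmz-radius-proxy' -Address $ProxyAddress -SharedSecret $ProxySecret
    # Register NPS in AD so it can read users' dial-in properties (one-time, needs Domain Admins):
    #   netsh nps add registeredserver
    # Accept RADIUS (UDP 1812 auth, 1813 accounting) only from the proxy.
    New-NetFirewallRule -DisplayName 'RADIUS from DMZ proxy only' -Direction Inbound -Protocol UDP `
        -LocalPort 1812,1813 -RemoteAddress $ProxyAddress -Action Allow
}

# ---- RADIUS proxy in the DMZ (NPS role, workgroup member) ----
function Set-DmzRadiusProxy {
    param([hashtable[]]$RasServers, [string]$InternalNps, [string]$ProxySecret)
    # Each RAS/VPN server is a client of the proxy with its own secret.
    foreach ($ras in $RasServers) {
        $secret = New-RadiusSecret
        New-NpsRadiusClient -Name $ras.Name -Address $ras.Address -SharedSecret $secret
        Write-Output "$($ras.Name): set this shared secret on the RAS server -> $secret"
    }
    # Remote RADIUS server group pointing at the internal NPS, using the secret registered there.
    New-NpsRemoteRadiusServerGroup -Name 'Internal-NPS'
    New-NpsRemoteRadiusServer -Address $InternalNps -RemoteRadiusServerGroup 'Internal-NPS' `
        -AuthSharedSecret $ProxySecret -AcctSharedSecret $ProxySecret -Priority 1 -Weight 50
    # Still required, no cmdlet for it: a connection request policy whose action is
    # "Forward requests to Internal-NPS" (NPS console > Connection Request Policies, or netsh nps).
    New-NetFirewallRule -DisplayName 'RADIUS from RAS servers only' -Direction Inbound -Protocol UDP `
        -LocalPort 1812,1813 -RemoteAddress ($RasServers.Address) -Action Allow
}

# Usage with lab values (each function runs on its own server; the proxy secret is shared between them):
$proxySecret = New-RadiusSecret
# on nps01.corp.local:
#   Set-InternalNps -ProxyAddress '10.1.50.10' -ProxySecret $proxySecret
# on the DMZ proxy:
#   Set-DmzRadiusProxy -InternalNps 'nps01.corp.local' -ProxySecret $proxySecret -RasServers @(
#       @{ Name = 'ras-east'; Address = '10.1.50.21' }, @{ Name = 'ras-west'; Address = '10.1.50.22' })
# Verify on either box:
#   Get-NpsRadiusClient
```

The two firewall rules are what enforce the drawing: the internal NPS only hears from the proxy, and the proxy only hears from the RAS servers, so a compromised RAS box cannot reach the internal server directly.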

The other thing is Web Application Proxy, and I like to go over both of these because sometimes people mix them up. Web Application Proxy is for web services. Ordinarily we think of a web server as sitting out on the internet, and if it's a public web server, the general rule of thumb is to put it on the DMZ. But what if we have some kind of app running on a web server inside the company, say an employee web app?

So we've got a web app server running an employee website, maybe a time sheet kind of thing: it tracks hours, and an employee can look up how many hours they've worked, how many days off they have, whatever. It's a line-of-business app the company set up. We don't want employees just connecting through the firewall to that app, and we don't want to put the app out in the DMZ where it could be compromised. That's where Web Application Proxy comes in.

Web Application Proxy is a server we set up out on the DMZ. Granted, you can combine some of these roles on one server if you don't have that many, but I'm drawing it as a separate one. I'll spell it out: WAP, Web Application Proxy. It acts as what a lot of people call a reverse proxy. If you're familiar with that concept, there are appliances you can buy that do this job, but Microsoft provides it as a Windows Server role. The idea is that somebody out on the internet, like an employee who needs to sign in to this internal website, talks to the Web Application Proxy, and the proxy acts as a gateway to that internal server.

To do this there's an additional role you have to set up, which, if you wanted, you could install directly on your web server: Active Directory Federation Services (AD FS). With AD FS installed, you communicate with the Web Application Proxy, the proxy communicates with the federation server, the federation server authenticates you against your domain, and then you're cleared to access the app on that internal server. So the proxy is just a middleman between the people on the internet and the internal web service, and it really doesn't know anything. If it got hacked, the attacker wouldn't necessarily be able to get credentials from it. It simply gives users a path to the server, and it can also cache content, which speeds things up given that it is a middleman.

The main thing to remember is the difference between Web Application Proxy, the RADIUS proxy and NPS. Web Application Proxy is a reverse proxy that lets internet users, usually people who need access to a private app, reach it. NPS is Network Policy Server, used mostly for authenticating RAS and VPN connections; it used to be dial-up, and you can still use dial-up connections. In fact there are some ISPs out there still providing dial-up services, and they use RADIUS for that. So there is a big difference between the two. And as we move into the newer age of things, Microsoft also now has something called Azure AD Application Proxy, which is sort of replacing Web Application Proxy; Web Application Proxy has been around a long time, and as we move into the cloud they're providing another way to do it. I'm not getting into that right now, but hopefully this helps you visualize the difference between NPS, the RADIUS proxy and Web Application Proxy.
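As an added example (not the course's own code), this is the Web Application Proxy side of the time-sheet scenario in PowerShell. The federation service name, URLs and certificate subjects are assumptions, the AD FS farm and its 'Timesheet' relying party trust are assumed to exist already, and the Get-Thumbprint helper is mine. The security-relevant choice is the pre-authentication mode on the published application.

```powershell
# Added example, not from the course. Host names, URLs and certificate subjects are assumptions;
# the AD FS farm (fs.corp.example.com) and the 'Timesheet' relying party trust on it already exist.

# ---- On the Web Application Proxy server in the DMZ ----
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Certificates must already be in the machine store: one for the federation service name and one
# for the public app name. Look them up by subject rather than pasting thumbprints by hand.
function Get-Thumbprint([string]$Subject) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "*CN=$Subject*" |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $Subject in LocalMachine\My" }
    $cert.Thumbprint
}

# Establish the proxy trust with AD FS. The credential is an AD FS admin and is used only once;
# afterwards the proxy holds a trust certificate, not the password, which is why a compromised
# proxy does not hand over domain credentials.
$fsCred = Get-Credential -Message 'AD FS administrator (used once to establish the proxy trust)'
Install-WebApplicationProxy -FederationServiceName 'fs.corp.example.com' `
    -FederationServiceTrustCredential $fsCred `
    -CertificateThumbprint (Get-Thumbprint 'fs.corp.example.com')

# Publish the internal time-sheet app. ExternalPreauthentication ADFS means the proxy sends the
# user to AD FS first and only relays to the back end once they hold a valid token.
# PassThrough would instead expose the app's own logon page straight to the internet.
Add-WebApplicationProxyApplication -Name 'Timesheet' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Timesheet' `
    -ExternalUrl 'https://timesheet.example.com/' `
    -BackendServerUrl 'https://timesheet.corp.local/' `
    -ExternalCertificateThumbprint (Get-Thumbprint 'timesheet.example.com')

# Verify that nothing is published as PassThrough by accident.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

The last line is the check worth keeping in a runbook: an application published with PassThrough pre-authentication turns the proxy back into a plain reverse proxy, and the internal app's own logon page is then reachable from the internet.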