I have a web server running in my on-premises network. I like to allow access to it from the internet via TCP port 443. To do that, I need to create two types of rules in my edge firewall. I need a NAT (Network Address Translation) rule to map a public IP address to the private IP address of the webserver. I also need an ACL rule to allow only relevant traffic (TCP 443). This ensures the traffic to web server from the public is protecting via edge firewall.
In Azure, we can use the same topology to filter inbound internet traffic. For that, we have to use Azure Firewall Destination Network Address Translation (DNAT). This is doing the same thing what NAT rule does but Microsoft calls it as DNAT. In this demo, I am going to demonstrate how to set up Azure Firewall and how to use it to filter incoming internet traffic.

In my demo environment, I have two virtual networks.

• EUSFWVnet1 – This network hosts the Azure firewall.
• EUSWorkVnet1 – This virtual network is the production network. This is where I create VMs.

The above two networks are connected using Azure VNet Peering method. With VNet peering, virtual networks are connected via the Azure backbone network. If we compare this with on-premises network, it is similar to the connection between your local network and edge firewall.

So, in this setup, I am going to allow RDP access to a virtual machine in EUSWorkVnet1 over the internet via Azure Firewall.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Setup Resource Group

The first step of the configuration is to create a new resource group. Both virtual networks and other services will be using the same resource group.
To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Create a new resource group using New-AzResourceGroup -Name REBELRG1 -Location “East US”. Here REBELRG1 is the resource group name and East US is the location.

Setup Azure Firewall Network

The next step is to create a new virtual network for Azure Firewall under REBELRG1 resource group.

$fwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “AzureFirewallSubnet” -AddressPrefix 10.0.0.0/24
$eusfwvnet = New-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $fwsubn1

EUSFWVnet1’s address space is 10.0.0.0/16. It is a class B IP address range. We have one subnet under it. AzureFirewallSubnet (10.0.0.0/24) will be used by Azure Firewall. Azure firewall only can be created in a subnet with name ‘AzureFirewallSubnet’

Setup Production Network

The next step of the configuration is to set up a virtual network for production workloads.

$worksubn1 = New-AzVirtualNetworkSubnetConfig -Name WorkSubnet -AddressPrefix 10.2.0.0/24
$workvnet = New-AzVirtualNetwork -Name EUSWorkVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.2.0.0/16 -Subnet $worksubn1

EUSWorkVnet1’s address space is 10.2.0.0/16. We have one subnet under it called WorkSubnet. This is the subnet we will use for the virtual machine.

There are two methods to connect two virtual networks.

1. Azure VPN Gateways
2. Azure VNET Peering

Azure VNET Peering
Azure VNET peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. The traffic will not pass via the public internet. It provides low latency, high bandwidth connectivity between virtual networks. VNET peering can use to connect virtual networks in the same Azure region or different Azure regions.

Azure VPN Gateways
If we are connecting virtual networks over the internet, we have to use VPN gateway option. This is the same for connecting Azure networks with on-premises networks. Also, if the encryption is a requirement, we have to use VPN gateways. Azure VPN Gateways can use to connect,

• Virtual Networks in the same region
• Virtual Networks in different regions
• Virtual Networks in different subscriptions

If the connection is over the public internet, it is not possible to guarantee the uptime as it depends on many facts. By using Active-Active Azure VPN gateways to improve the high availability of the VNet-to-VNet connections. This is important if you connecting the virtual network between different Azure regions. We also can use Active-Active Azure VPN gateways with cross-premises VPN connections.

In Active-Active Azure VPN gateway setup,
• There are two Gateway IP configurations with two public IP addresses for one VPN gateway. This allows initiating full-mesh connectivity between two virtual networks.
• VPN gateway SKU must be VpnGw1, VpnGw2, VpnGw3, or HighPerformance
• Supported to use BGP

In this demo, I am going to demonstrate how we can establish VNet-to-VNet connectivity between two Azure regions via Active-Active Azure VPN gateways.

In this demo setup, I got two virtual networks in East US and UK South region. As shown above, I am going to establish a fully mesh connectivity between two virtual networks.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Create Active-Active Azure VPN Gateway in East US

Create a resource group in East US

The first step of the configuration is to create a new resource group in East US.
To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Create a new resource group using New-AzResourceGroup -Name REBELRG1 -Location “East US”. Here REBELRG1 is RG group name and East US is the location.

Create a virtual network

The next step is to create a new virtual network under REBELRG1 resource group.

$subn1 = New-AzVirtualNetworkSubnetConfig -Name VMNet1 -AddressPrefix 10.0.0.0/24

$gwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.0.255.0/27

New-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $subn1,$gwsubn1

EUSVnet1 address space is 10.0.0.0/16. It is a class B IP address range. We do not need the entire range for workloads. Therefore, I am going to create two small subnets under it.

• VM Network – 10.0.0.0/24
• Gateway subnet – 10.0.255.0/27

In the above, VM network is going to use for virtual machines and Gateway Subnet is going to use for the VPN gateway setup.

Virtual Network Gateway can only be created in a subnet with name ‘GatewaySubnet’

Azure VNET peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. VNET peering can use to connect virtual networks in the same Azure region or different Azure regions. If it is between regions, we call it “Global VNET Peering”.
Global VNET Peering has following benefits,

• Low latency and high bandwidth as it uses Azure network backbone
• No requirement for encryptions, VPN gateways or public internet to connect VNETs

In this demo, I am going to demonstrate how to connect two virtual networks in two different Azure regions using Azure Global VNET peering.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

As the first part of the configuration, I am going to create two new resource groups and two virtual networks.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create two new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

New-AzResourceGroup -Name REBELRG2 -Location “UK South”

In the above, REBELRG1 & REBELRG2 are the resource group names and East US is the resource group names. REBELRG1 is created in Azure East US region and REBELRG2 is created in Azure UK South region.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

4. Then let’s go ahead and create another virtual network under REBELRG2 resource group. This will be in UK South Azure region.

$vmsubnet2 = New-AzVirtualNetworkSubnetConfig -Name vmsubnet2 -AddressPrefix “10.1.3.0/24”
New-AzVirtualNetwork -Name REBELVN2 -ResourceGroupName REBELRG2 -Location “UK South” -AddressPrefix “10.1.0.0/16” -Subnet $vmsubnet2

Each organization has different standards when it comes to server/desktop provisioning. These standards change based on the nature of the business, compliances, server/desktop role and so on. By keeping the customized OS image simplifies the provisioning process as well as prevent configuration errors. In the local environment, we can do this simply using WDS, System Centre or other 3rd party solutions. But what if need to do the same in Azure environment ?

In this blog post, I am going to demonstrate how to create a managed image in Azure and how to use it to deploy Azure VM. 

For the configuration process, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Let's go ahead and start the configuration process by creating a new resource group. 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG -Location "East US"

In the above, REBELRG is the resource group name and East US is the resource group location.

3. The next step is to create a new virtual network.

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines. 

If we are in an Active Directory environment, we can use windows DNS services to manage DNS records. This allows us to connect to hosts using their FQDN. When a new host added or when host IP address updated, relevant DNS entries are get updated automatically. Also, the same DNS servers can use to create custom DNS records. 

If it is not an Active Directory environment and still wants to use DNS services, we have to use a custom DNS solution. In such a situation most of the time we need to manually add/update DNS records. 

So, what about Azure environment? Does the same apply to it? 

Azure DNS is a managed DNS solution. We can use it for public DNS records as well as for private DNS records. Using Azure private DNS, we can resolve DNS names in a virtual network. 

Azure Private DNS has following benefits, 

• No additional servers – We do not need to maintain additional servers to run DNS solution. It is a fully managed service. 

• Automatic Record Update – Similar to Active Directory DNS, we can configure Azure DNS to register/update/delete hostname records for virtual machines automatically. 

• Support common DNS records types – It supports common DNS records types such A, AAAA, MX, NS, SRV, TXT. 

• DNS resolution between virtual networks – Azure Private DNS zones can be shared between virtual networks.

In this demo, I am going to demonstrate how to create an Azure private DNS zone.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Let's go ahead and start the configuration process by creating a new resource group. 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG -Location "East US"

In the above, REBELRG is the resource group name and East US is the resource group location.

3. The next step is to create a new virtual network.

$vmsubnet  = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix "10.0.2.0/24"

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG -Location "East US" -AddressPrefix "10.0.0.0/16" -Subnet $vmsubnet

OpenVPN is an open-source VPN protocol that is trusted by many cloud service providers to provide site-to-site, point-to-site, and point-to-point connectivity to cloud resources. Now Azure AD authentication also works with OpenVPN protocol. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to configure OpenVPN for Azure point-to-site VPN and then how to integrate Azure AD authentication with it. 

Prerequisites

1. To configure OpenVPN, first, we need to have a working point-to-site setup. The native Azure point-to-site VPN setup uses Azure certificate authentication. I wrote an article about it before and it can be accessed using http://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/

So, before we start, please go ahead and configure the VPN gateway with certificate authentication.  

2. Also, I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Configure OpenVPN for Azure P2S VPN

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)

2. Then I ran Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG to review my VPN gateway configuration. Here REBELVPNRG is the resource group it belongs to. 

3. Then let's go ahead and change the VPN client protocol to OpenVPN using,

$vpngw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -name REBEL-VPN-GW

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpngw -VpnClientProtocol OpenVPN

In the above, REBEL-VPN-GW is the VPN gateway name.

If we need to access an Azure VM using RDP or SSH, most commonly we use public IP method. In this way, the virtual machine will have a public IP address (static or dynamic) assigned to it. Also, RDP or SSH service ports will open to the public via NSG. This is easy but not a very secure method. 

If we have VPN or Express Route connectivity to Azure, we can connect to virtual machines using private IP addresses. It is secure than the public IP address method. However, it required additional configuration in-network level. 

Azure Bastion is a solution that we can use to access Azure VM securely without the use of public IP addresses or VPN connectivity. This is similar to using a jump-server to connect to resources in the remote network but instead of the traditional RDP method, it is using browser-based secure HTTP connectivity. Let's go ahead and explore a bit more about the Azure bastion solution. 

1. This service is now generally available (From 4th of Nov 2019). However, it is still only available for six Azure regions which are Australia East, East US, Japan East, South Central US, West Europe, and West US.

2. Azure bastion service deployment is per virtual network. 

3. Users can connect to Azure bastion service via the Azure portal. It is a browser-based connectivity. From the user end, only TCP port 443 needs to be open. 

4. Machines in the virtual network don't need to have public IP addresses assigned. Bastion service can connect to virtual machines using private IP addresses. 

5. Azure bastion is a fully managed PaaS service. We do not need to worry about the hardening or protection of it. 

In this post, I am going to demonstrate how we can enable Azure bastion service. 

Create Virtual Machines

Before we go into the Azure bastion service setup, I am going to create one windows 2019 virtual machine and one ubuntu Linux virtual machine. These machines will not have any public IP address assign. After that, I will demonstrate how we can access those securely using Azure bastion service. 

To begin,

1. Log in to Azure portal (https://portal.azure.com) as Global Administrator 

2. Go to Virtual Machines | + Add 

3. Create Windows Server 2019 Server with following settings,

Resource Group Name (new) : REBELBASTION

Virtual Machine Name : REBELWIN01

Region : East US

Image : Windows Server 2019 DataCenter

Size : Standard D2s v3

Public inbounds ports: None

Virtual network : REBELBASTION-vnet

Subnet : 10.0.3.0/24

Public IP : None

If we need to set up a connection between two independent networks (not between VLANs), we have to use a virtual private network (VPN) connections. In Azure, we use VNets to create private networks. If we need to communicate between two VNets, we have to use one of the following methods,

• VNet-to-VNet Connection – The communication happens between two VPN gateways. This is easy to set up, compare to the site-to-site VPN method.

• Site-to-Site VPN – This is similar to creating VPN connection to the on-premises network. It also uses VPN gateway, but it gives more control over the local network gateway. 

• VNet Peering – This method doesn't use VPN gateways and it routes the traffic via Microsoft backend infrastructure. More information about VNet peering is available on https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

In this demo, I am going to demonstrate how to create a VNet-to-VNet connection. These types of connections can establish between,

• Virtual Networks in the same region

• Virtual Networks in different regions

• Virtual Networks in different subscriptions

In this demo, I am going to create a VNet-to-VNet VPN connection between two virtual networks in two different regions. 

According to the above diagram, EUSVnet1 virtual network will be running on East US Azure region and UKSVnet1 virtual network will be running on UK South Azure region. Let's see how we can establish a VPN gateway connection between these two networks. Before start, please make sure you have the following in place. 

• Valid Azure Subscription – You can also use free azure subscription for testing purpose. https://azure.microsoft.com/en-gb/free/ 

• Azure PowerShell Module – In this demo I am going to use PowerShell. Please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Create Resource Groups

The first step of the configuration is to create new resource groups in different regions. 

To do that, 

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create EUSRG1 under East US Azure region by using,

New-AzResourceGroup -Name EUSRG1 -Location "East US" 

In the above command, -Name parameter specifies the resource group name and -Location parameter specify the Azure region. 

3. Next step is to create UKSRG1 resource group in UK South Azure region by using,

New-AzResourceGroup -Name UKSRG1 -Location "UK South"

Azure point-to-site VPN means VPN tunnel between end-point & Azure without using corporate firewall. I have already written a complete guide on how to create point-to-site VPN with Azure. You can access it using http://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/ 

The above method includes many different tasks which we need to perform in both azure and on-premise to get it going. With Windows Server 2019, Microsoft introduced Azure Network Adapter which can use to create point-to-site VPN in a straightforward way. In this demo, I am going to demonstrate how we can create a point-to-site VPN using Azure Network Adapter. 

This feature currently available via new Windows Admin Center. So, before you start you need to get it running in your environment. In my demo setup, I have a domain joined server which running latest Windows Admin Center (build 1809). 

1. Log in to the Server as Administrator

2. Launch Windows Admin Center 

3. Click on the relevant server from the list

4. Click on Network

5. Then click on Actions | Add Azure Network Adapter

In one of my previous article, I explain how we can create site-to-site VPN connection between local network and azure virtual network. This VPN connection is initiated in your edge firewall or router level. But what if you connecting from remote location such as home? we can use point-to-site method to do that. In this method it will use certificates to do the authentication between end point and azure virtual network. 

So, let’s go ahead and see how we can do that, 

Create Resource Group 

In this exercise, I like to use separate resource group for virtual network and other components. 

1. Log in to Azure portal as global administrator

2. Launch Cloud Shell

3. Then run New-AzureRmResourceGroup -Name REBELVPNRG -Location "East US". In here REBELVPNRG is RG group name and East US is the location.

Create Virtual Network

Now we need to create new virtual network. We can create virtual network using,

New-AzureRmVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET -AddressPrefix 192.168.0.0/16 -Location "East US"

In above, REBEL-VNET is the virtual network name. it uses 192.168.0.0/16 IP address range.