Task 1: Provision the lab environment
Task 2: Configure the hub and spoke network topology
Task 3: Test transitivity of virtual network peering
Task 4: Configure routing in the hub and spoke topology
Task 5: Implement Azure Load Balancer
Task 6: Implement Azure Application Gateway
Task 1: Provision the lab environment
From the Cloud Shell pane, run the following to create the three virtual networks and four Azure VMs into them by using the template and parameter files you uploaded:
$location = "west europe"
$rgName = "az104-06-rg1"
New-AzResourceGroup -Name $rgName -Location $location -Force
New-AzResourceGroupDeployment `
-ResourceGroupName $rgName `
-TemplateFile az104-06-vms-loop-template.json `
-TemplateParameterFile az104-06-vms-loop-parameters.json -WhatIf
Deploy it
In this task, you will deploy four virtual machines into the same Azure region.
The first two will reside in a hub virtual network, while each of the remaining two will reside in a separate spoke virtual network.
Deploy network watchers
$rgName = 'az104-06-rg1'
$location = (Get-AzResourceGroup -ResourceGroupName $rgName).location
$vmNames = (Get-AzVM -ResourceGroupName $rgName).Name
foreach ($vmName in $vmNames) {
Set-AzVMExtension `
-ResourceGroupName $rgName `
-Location $location `
-VMName $vmName `
-Name 'networkWatcherAgent' `
-Publisher 'Microsoft.Azure.NetworkWatcher' `
-Type 'NetworkWatcherAgentWindows' `
-TypeHandlerVersion '1.4'
}Result
Already had 3 of them from before.
Will only need the one in we now
Task 2: Configure the hub and spoke network topology
In this task, you will configure local peering between the virtual networks you deployed in the previous tasks in order to create a hub and spoke network topology.
select az104-06-vnet2, overview, json view to the far right, open an get resource id, record the value of the Resource ID property.
select az104-06-vnet3, overview, json view to the far right, open an get resource id, record the value of the Resource ID property.
In the list of virtual networks, click az104-06-vnet01.
On the az104-06-vnet01 virtual network blade, in the Settings section, click Peerings and then click + Add.
Add a peering with the following settings (leave others with their default values) and click Add:
| Setting | Value |
|---|---|
| This virtual network: Peering link name | az104-06-vnet01_to_az104-06-vnet2 |
| Traffic to remote virtual network | Allow (default) |
| Traffic forwarded from remote virtual network | Block traffic that originates from outside this virtual network |
| Virtual network gateway | None (default) |
| Remote virtual network: Peering link name | az104-06-vnet2_to_az104-06-vnet01 |
| Virtual network deployment model | Resource manager |
| I know my resource ID | enabled |
| Resource ID | value of resourceID para of az104-06-vnet2 |
| Traffic to remote virtual network | Allow (default) |
| Traffic forwarded from remote virtual network | Allow (default) |
| Virtual network gateway | None (default) |
Note:This step establishes two local peerings – one from az104-06-vnet01 to az104-06-vnet2 and the other from az104-06-vnet2 to az104-06-vnet01.
Note: Allow forwarded traffic needs to be enabled in order to facilitate routing between spoke virtual networks, which you will implement later in this lab.
Could fail on first update, just update again
Now do the same again for
| Setting | Value |
|---|---|
| This virtual network: Peering link name | az104-06-vnet01_to_az104-06-vnet3 |
| Traffic to remote virtual network | Allow (default) |
| Traffic forwarded from remote virtual network | Block traffic that originates from outside this virtual network |
| Virtual network gateway | None (default) |
| Remote virtual network: Peering link name | az104-06-vnet3_to_az104-06-vnet01 |
| Virtual network deployment model | Resource manager |
| I know my resource ID | enabled |
| Resource ID | value of resourceID parameter of az104-06-vnet3 |
| Traffic to remote virtual network | Allow (default) |
| Traffic forwarded from remote virtual network | Allow (default) |
| Virtual network gateway | None (default) |
Done
Note: This step establishes two local peerings – one from az104-06-vnet01 to az104-06-vnet3 and the other from az104-06-vnet3 to az104-06-vnet01. This completes setting up the hub and spoke topology (with two spoke virtual networks).
Note: Allow forwarded traffic needs to be enabled in order to facilitate routing between spoke virtual networks, which you will implement later in this lab.
Task 3: Test transitivity of virtual network peering
In this task, you will test transitivity of virtual network peering by using Network Watcher
On the Network Watcher – Connection troubleshoot blade, initiate a check with the following settings (leave others with their default values):
| Setting | Value |
|---|---|
| Subscription | the name of the Azure subscription |
| Resource group | az104-06-rg1 |
| Source type | Virtual machine |
| Virtual machine | az104-06-vm0 |
| Destination | Specify manually |
| URI, FQDN or IPv4 | 10.62.0.4 (az104-06-vm2) |
| Protocol | TCP |
| Destination Port | 3389 |
Click Check and wait until results of the connectivity check are returned. Verify that the status is Reachable. Review the network path and note that the connection was direct, with no intermediate hops in between the VMs.
Note: This is expected, since the hub virtual network is peered directly with the second spoke virtual network.
Next
| Setting | Value |
|---|---|
| Subscription | the name of the Azure subscription |
| Resource group | az104-06-rg1 |
| Source type | Virtual machine |
| Virtual machine | az104-06-vm2 |
| Destination | Specify manually |
| URI, FQDN or IPv4 | 10.63.0.4 (az104-06-vm3) |
| Protocol | TCP |
| Destination Port | 3389 |
Click Check and wait until results of the connectivity check are returned. Note that the status is Unreachable.
Note: This is expected, since the two spoke virtual networks are not peered with each other (virtual network peering is not transitive).
Task 4: Configure routing in the hub and spoke topology
In this task, you will configure and test routing between the two spoke virtual networks by enabling IP forwarding on the network interface of the az104-06-vm0 virtual machine, enabling routing within its operating system, and configuring user-defined routes on the spoke virtual network.
on az104-06-vm0
Note: This setting is required in order for az104-06-vm0 to function as a router, which will route traffic between two spoke virtual networks.
Note: Now you need to configure operating system of the az104-06-vm0 virtual machine to support routing.
On the az104-06-vm0 blade, in the Operations section, click Run command, and, in the list of commands, click RunPowerShellScript.
Install-WindowsFeature RemoteAccess -IncludeManagementToolsLet it finish
Install-WindowsFeature -Name Routing -IncludeManagementTools -IncludeAllSubFeature
Install-WindowsFeature -Name "RSAT-RemoteAccess-Powershell"
Install-RemoteAccess -VpnType RoutingOnly
Get-NetAdapter | Set-NetIPInterface -Forwarding Enabled
Note: Now you need to create and configure user defined routes on the spoke virtual networks.
Create new
Go to route table and add a new route
| Setting | Value |
|---|---|
| Route name | az104-06-route-vnet2-to-vnet3 |
| Address prefix destination | IP Addresses |
| Destination IP addresses/CIDR ranges | 10.63.0.0/20 |
| Next hop type | Virtual appliance |
| Next hop address | 10.60.0.4 |
New route
Back on the az104-06-rt23 route table blade, in the Settings section, click Subnets, and then click + Associate.
Navigate back to Route tables blade and click + Create.
Create a route table with the following settings (leave others with their default values):
| Setting | Value |
|---|---|
| Subscription | the name of the Azure subscription you are using in this lab |
| Resource group | az104-06-rg1 |
| Region | the name of the Azure region in which you created the virtual networks |
| Name | az104-06-rt32 |
| Propagate gateway routes | No |
Now two route tables
On the az104-06-rt32 route table blade, in the Settings section, click Routes, and then click + Add.
Add a new route
Back on the az104-06-rt32 route table blade, in the Settings section, click Subnets, and then click + Associate.
Associate the route table az104-06-rt32 with the following subnet:
navigate back to the Network Watcher – Connection troubleshoot blade.
Click Check and wait until results of the connectivity check are returned. Verify that the status is Reachable.
Review the network path and note that the traffic was routed via 10.60.0.4, assigned to the az104-06-nic0 network adapter. If status is Unreachable, you should stop and then start az104-06-vm0.
Note: This is expected, since the traffic between spoke virtual networks is now routed via the virtual machine located in the hub virtual network, which functions as a router.
Note: You can use Network Watcher to view topology of the network.
Task 5: Implement Azure Load Balancer
In this task, you will implement an Azure Load Balancer in front of the two Azure virtual
machines in the hub virtual network.
| Setting | Value |
|---|---|
| Subscription | the name of the Azure subscription |
| Resource group | az104-06-rg4 (if necessary create) |
| Name | az104-06-lb4 |
| Region | deployed all other resources |
| SKU | Standard |
| Type | Public |
| Tier | Regional |
On the Frontend IP configuration tab, click Add a frontend IP configuration and use the following settings before clicking OK and then Add.
When completed click Next: Backend pools.
On the Backend pools tab, click Add a backend pool with the following settings (leave others with their default values). Click + Add (twice) and then click Next:Inbound rules.
On the Inbound rules tab, click Add a load balancing rule. Add a load balancing rule with the following settings (leave others with their default values). When completed click Add
| Setting | Value |
|---|---|
| Name | az104-06-lb4-lbrule1 |
| IP Version | IPv4 |
| Frontend IP Address | az104-06-pip4 |
| Backend pool | az104-06-lb4-be1 |
| Protocol | TCP |
| Port | 80 |
| Backend port | 80 |
| Health probe | Create new |
| Name | az104-06-lb4-hp1 |
| Protocol | TCP |
| Port | 80 |
| Interval | 5 |
| Unhealthy threshold | 2 |
| Close the create health probe window | OK |
| Session persistence | None |
| Idle timeout (minutes) | 4 |
| TCP reset | Disabled |
| Floating IP | Disabled |
| Outbound source network address translation (SNAT) | Recommended |
.
Deploy it, Wait for the load balancer to deploy then click Go to resource.
Select Frontend IP configuration from the Load Balancer resource page. Copy the IP address.
Open another browser tab and navigate to the IP address. Verify that the browser window displays the message Hello World from az104-06-vm0 or Hello World from az104-06-vm1.
Task 6: Implement Azure Application Gateway
In this task, you will implement an Azure Application Gateway in front of the two Azure virtual machines in the spoke virtual networks.
On the az104-06-vnet01 virtual network blade, in the Settings section, click Subnets, and then click + Subnet.
Add a subnet with the following settings (leave others with their default values):
| Setting | Value |
|---|---|
| Name | subnet-appgw |
| Subnet address range | 10.60.3.224/27 |
Note: This subnet will be used by the Azure Application Gateway instances, which you will deploy later in this task. The Application Gateway requires a dedicated subnet of /27 or larger size.
In the Azure portal, search and select Application Gateways and, on the Application Gateways blade, click + Create.
Click Next: Frontends > and specify the following settings (leave others with their default values). When complete, click OK.
Click Next: Backends > and then Add a backend pool. Specify the following settings (leave others with their default values). When completed click Add.
The targets represent the private IP addresses of virtual machines in the spoke virtual networks az104-06-vm2 and az104-06-vm3.
Click Next: Configuration > and then + Add a routing rule. Specify the following settings:
options
routing table
Switch to the Backend targets tab and specify the following settings (leave others with their default values). When completed click Add (twice).
| Setting | Value |
|---|---|
| Target type | Backend pool |
| Backend target | az104-06-appgw5-be1 |
| Backend settings | Add new |
| Backend settings name | az104-06-appgw5-http1 |
| Backend protocol | HTTP |
| Backend port | 80 |
| Additional settings | take the defaults |
| Host name | take the defaults |
Create it
In the Azure portal, search and select Application Gateways and, on the Application Gateways blade, click az104-06-appgw5.
On the az104-06-appgw5 Application Gateway blade, copy the value of the Frontend public IP address.
Start another browser window and navigate to the IP address you identified in the previous step.
Verify that the browser window displays the message Hello World from az104-06-vm2 or Hello World from az104-06-vm3.
Note: Targeting virtual machines on multiple virtual networks is not a common configuration, but it is meant to illustrate the point that Application Gateway is capable of targeting virtual machines on multiple virtual networks (as well as endpoints in other Azure regions or even outside of Azure), unlike Azure Load Balancer, which load balances across virtual machines in the same virtual network.
Topology
