Microsoft Azure AZ-800 — Section 16: Implementing on-premises and hybrid network connectivity Part 5

127. Visualizing Azure Virtual WAN

I now want to go over a concept known as Azure Virtual WAN. WAN stands for wide area network, so this is basically Azure's virtual wide area network. Traditionally in networking, you would have different locations, right? So, for example, these ovals are going to represent different locations at our company.

OK. You could also say different sites, or different regions, if you want.

Now these regions could be all over the world. They don’t necessarily have to be regions in the United States or anything like that. You can have a region in the U.S., you can have a region in Australia or the U.K. or wherever. But ultimately, let’s say you’ve got location one, location two, and so on. If you wanted to stay within the United States, you could say New York, Dallas, Texas, or Toledo; or you could say U.S., U.K., Canada, Australia, whatever. You could basically set that to whatever you want. It doesn’t matter whether you’re in different regions. But ultimately, in the past, you’d have different servers.

You’d also have client computers. And in these different locations at your company, you would generally need to somehow make these computers connect, right? So again, different servers and different client computers in each location. And one of the things we would always need to make happen in a lot of cases is to allow connectivity between these locations. There are a couple of ways we could do this. One thing we could do is what’s called WAN connections: we could pay a telecommunications provider to provide us with telecommunications equipment that could connect these locations together through the telecommunications network.

And you would pay, of course, a fee to do that. Alternatively, another thing we could do is what’s called a site-to-site VPN, where we would actually have VPN routers that we would use in each location. We could use a third-party site-to-site VPN router, or we could use Microsoft’s own RRAS site-to-site VPN service; we could set up an RRAS server to do a site-to-site VPN, and we could do that through the internet.

OK.

So ultimately, though, what Microsoft is now offering us the ability to do is use their Azure network to essentially take care of this. This little cloud that I’m drawing here is going to represent the Azure network.

OK? And so, we could use the Azure cloud itself, the Azure network itself, as a means to allow traffic to pass between these locations. On top of that, on the Azure network we’ve also got our VNets, right, virtual networks, and connected to those VNets we’ve got VMs, virtual machines, which could be servers, workstations, all of that stuff that’s out in the cloud. And of course, that’s connected to the Azure network as well, and what we want to do is make connectivity.

So the way that we would normally do this, there are two main ways. We could get what’s called a VPN router, OK? Or another option was something called ExpressRoute. ExpressRoute is essentially where you purchase a telecommunications connection from a telecommunications provider directly into Azure.

So there are various providers that provide this feature.

So either way, you’re going to have a piece of equipment, and this piece of equipment is going to be hooked up at each one of your locations, and that’s going to basically give you a connection to Azure.

OK. The only thing is, that doesn’t mean that any traffic can pass between these locations.

So what I mean by that is, if we wanted these clients here to be able to access this server here, or vice versa, that doesn’t necessarily let that happen.

So how can we connect all this stuff together? You can do that with this Azure Virtual WAN technology. And so what it is, is you are going to add a component into Azure known as Azure Virtual WAN.

So, it’s an actual Azure component called Azure Virtual WAN. All right.

So, I’ll just say Azure Virtual WAN component. And then underneath that Virtual WAN component, you can create what are called hubs.

So, I can have Hub one, I could have what’s called Hub two, I could have what’s called Hub three. And all of that is linked to this Virtual WAN component.

OK. And from there, these hubs can be allowed the ability to let traffic pass, so traffic again from location one can travel over to location two or to location three, and vice versa. And not only that, they can also communicate with your VNets out there. Of course, you can do that anyway; they could communicate with your VNets without the Azure Virtual WAN. But the cool thing about Azure Virtual WAN is that it’s going to allow traffic to flow between these different sites so they can communicate with each other.

OK, so ultimately this is what the Azure Virtual WAN is going to let you do, instead of paying a telecommunications provider to connect your locations together. You could do Azure Virtual WAN, but keep in mind the prerequisite for that is you need to either set up a VPN router that can support this, or ExpressRoute, which is a telecommunications link anyway.

Now, for the VPN routers, Microsoft has a whole list of supported VPN routers out there that support this technology.

So Barracuda and things like that are out there, and they even provide you with a little script you can run on your VPN router that will automatically set up the connection to the VPN gateway out here in the cloud.

OK, but ultimately, that’s what Azure Virtual WAN is going to do for you. It’s going to make it where these different locations can use the Azure network to route traffic and communicate with each other.

128. Implement Azure Virtual WAN

So the first step in configuring your Azure Virtual WAN is you definitely want to plug this into the pricing calculator and just kind of get a visualization of the cost. Here I am on the Azure pricing calculator site, which of course you can get to just by Googling Azure pricing calculator. But ultimately, if I click here on Networking and scroll down, you’ll see I have Virtual WAN. I can click that and then click View, and that’s going to let me kind of look at it right out of the gate.

So the most basic price you’re looking at, they tell you, is one hundred eighty-two dollars a month. But that’s not including everything; you’ve got to specify the regions. For example, if I’m going to do East US, that might be my first region, and then I might also decide to do Australia. I’ve got to calculate that. I’ve got to look at how many hours it’s going to be deployed; it’s looking at it on a per-month basis. And then I also have to look at data processed, like how much data are we looking at going through this? If I have a terabyte of data going through, that’s twenty dollars extra a month, right? Am I going to integrate this with an Azure Firewall? Because if I am, that’s going to up the price considerably, as you can see. And then from there, I have to look at my connections: the hubs that I’m going to create that are going to connect everything together, whether I’m going to do a site-to-site VPN to connect sites together, which is one of the main things I might use it for, or point-to-site allowing users in, or I’ve got ExpressRoute going.

So these are some of the things you need to think about if you are going to set this up. OK, from there, if I come over here to All services, hold on, if I click the menu button here and I go to All services, I can just do a quick search for the word WAN, and if you do a search for the word WAN you’ll see Virtual WAN. And then from there you would click to create the Virtual WAN. It’s going to bring this up; you specify your resource group. I created a couple of resource groups, one called AUC RG and one called ECAC RG.

So east2west RG. Maybe I’m going to create my East US Virtual WAN in here. I’m going to give it a name; I’ll call it East US vWAN. All right. And then you can choose Standard or Basic, and they tell you here Standard is going to support connectivity for site-to-site, point-to-site, VNets, ExpressRoute, all that. Basic is going to have fewer options. And if you actually go out there and look, you basically don’t get the additional support for, well, actually, you know what? I’ll just show you Basic Virtual WAN, and we’ll take a look at the document on that. All right.

So, if you pull this up here and kind of scroll down a little bit, you can see right here what’s going to be supported with Basic: you’re going to get site-to-site VPN only; you’re not getting all the additional possibilities.

So, if all you care about is the site-to-site VPN, then Basic is going to be the way to go; if you want the extra options, you’ve got to go with Standard.

OK, so that is just a consideration as far as all that goes.

So, I’m going to go ahead and click Review and create. All right. Validation passed, and we tell it to create, and it’s going to go ahead and create that. I’ll give it a moment. I’ll pause the video.

OK, so once that’s done, I’m just going to click Go to resource. Here I am in the Azure Virtual WAN area, and I’m going to click on Hubs, and this is where I would create the hubs that I’m going to use. I would click New hub, specify the region, give it a name. I’m going to call it hub one, and then specify the address space that you want the hub to use.

So, it’s going to use a private address space that’s going to be used to connect everything together, so you could specify whatever address space you want here. I’m going to say 10.30.0.0/24. That’ll be my address space.

OK.

So from there, click Next: Site to site. For site-to-site, you will need to enable the site-to-site VPN gateway: do you want to create the site-to-site gateway now? OK, so the next step would be you’d have to actually have the on-premises VPN gateway so that you could set this up. And if you go here to Learn more, they get into supporting this, and they’ll even outline some of the different VPN routers and all that are supported.

So, in the real world, you definitely will want to make sure that you have the right equipment to do this. Obviously, I can’t show that to you because I don’t have access to the equipment, but you could go through the process of setting that up with your actual on-premises gateway.

OK. Also, Point to site: if you want to do point-to-site, that’s just a single device connecting in. And then there’s ExpressRoute right there.

So, I can’t really show it to you. The main thing I want you to understand, though, is these are the concepts that go behind it. These are the things that would have to be configured, and those are what your options are as far as setting this up.
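As an added example (not from the course), here is the same build-out done with the Az PowerShell module instead of the portal: a Standard Virtual WAN, a hub using the 10.30.0.0/24 address space from the walkthrough, and the site-to-site VPN gateway the Site to site step asks about. Before creating the hub it checks that the chosen prefix does not overlap any VNet already in the subscription, since a hub prefix that collides with a VNet cannot be connected to it. The resource group name, region and gateway scale unit are assumptions.

```powershell
# Added example: build the Virtual WAN from the walkthrough with Az PowerShell (Az.Network).
# Assumptions (not from the course): resource group "east2west-rg", region eastus, 1 scale unit.
$rg       = 'east2west-rg'
$location = 'eastus'
$vwanName = 'EastUS-vWAN'
$hubName  = 'hub1'
$hubCidr  = '10.30.0.0/24'   # the hub address space used in the walkthrough

# Convert a dotted-quad IPv4 address to a 32-bit unsigned integer for prefix arithmetic.
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}

# Return $true when two IPv4 CIDR prefixes share at least one address.
function Test-CidrOverlap ([string]$CidrA, [string]$CidrB) {
    $a, $maskA = $CidrA.Split('/'); $b, $maskB = $CidrB.Split('/')
    $netA = ConvertTo-UInt32 $a; $netB = ConvertTo-UInt32 $b
    # Block sizes: a /24 covers 256 addresses, a /16 covers 65536.
    $sizeA = [math]::Pow(2, 32 - [int]$maskA); $sizeB = [math]::Pow(2, 32 - [int]$maskB)
    $startA = $netA - ($netA % $sizeA); $startB = $netB - ($netB % $sizeB)
    ($startA -le ($startB + $sizeB - 1)) -and ($startB -le ($startA + $sizeA - 1))
}

# The hub prefix must not collide with any VNet the hub will later connect to.
$conflicts = Get-AzVirtualNetwork | ForEach-Object {
    foreach ($prefix in $_.AddressSpace.AddressPrefixes) {
        if (Test-CidrOverlap $hubCidr $prefix) { "$($_.Name) ($prefix)" }
    }
}
if ($conflicts) {
    throw "Hub prefix $hubCidr overlaps existing VNet address space: $($conflicts -join ', ')"
}

# Standard SKU: site-to-site, point-to-site, ExpressRoute and VNet connectivity.
# Basic would limit the WAN to site-to-site VPN only, as the course notes.
$vwan = New-AzVirtualWan -ResourceGroupName $rg -Name $vwanName -Location $location `
    -VirtualWANType 'Standard' -AllowBranchToBranchTraffic $true

# The hub carries the private address space that stitches the branches together.
New-AzVirtualHub -ResourceGroupName $rg -Name $hubName -Location $location `
    -VirtualWan $vwan -AddressPrefix $hubCidr | Out-Null

# Enabling the site-to-site gateway is what the "Site to site" tab asks for; the
# on-premises VPN device (or its vendor-supplied script) is configured against it.
New-AzVpnGateway -ResourceGroupName $rg -Name "$hubName-s2s-gw" `
    -VirtualHubName $hubName -VpnGatewayScaleUnit 1 | Out-Null

Get-AzVirtualHub -ResourceGroupName $rg -Name $hubName |
    Select-Object Name, AddressPrefix, ProvisioningState
```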

129. Understanding the Azure AD App Proxy

Let’s take some time now and talk about understanding the Azure Active Directory application proxy.

OK, so first off, what exactly is the Azure Active Directory Application Proxy? This is a feature that Microsoft offers to make on-premises web-based applications available through its cloud services.

So this is really neat. Before a feature like this came out, we would essentially have to set up a DMZ. We could do something called a reverse proxy that we would put in our DMZ, and we would have an on-premises private web application that was talking to the reverse proxy. People on the internet would communicate with that reverse proxy in our DMZ, and then the reverse proxy would talk between the internet users and our on-premises web-based application. But instead of us having to host what’s called a reverse proxy in our DMZ, we can essentially allow Microsoft to do that for us, basically hosting that front end out there, and be able to provide access to the internal application for our users out on the web.

So.

So what are you getting out of it? Basically, your web proxy is going to make it where you can host a web server on your internal network, not in your DMZ, but in your internal network.

OK, privately, OK. Without opening a bunch of ports.

OK, coming in. I’m not having to open up port 80 and 443 and all this stuff coming in.

OK. And I’m not actually having to set up a server in the DMZ or any of that. I can host this web app inside. And the Microsoft cloud service, which is hosted through Azure AD as the Application Proxy service, is going to be the middleman application between these web users and my internal web application, and it’s going to handle the authentication. In fact, you can see here the Application Proxy works with web applications that use Integrated Windows Authentication, web applications that use form-based or header-based access, web APIs that you want to expose to rich applications on different devices, applications hosted behind a Remote Desktop Gateway (RDG), and also rich client apps that are integrated with MSAL, which is the Microsoft Authentication Library.

OK, so some great features here. Let’s look at some of the other facts about this.

So as far as remote access to your on-premises applications, Azure AD App Proxy is going to provide a secure way for you to provide access to on-premises web applications. It supports single sign-on. You’re essentially going to be setting up that on-premises application; you’re going to specify an external URL and an internal application URL. Your internal web server is going to basically have a little agent software that’s going to communicate with that proxy, and you’re not having to open up, again, a bunch of ports coming in. It provides remote access for all sorts of things. As you can see, some of the options on the screen: Remote Desktop, SharePoint, Teams, all that. All right, so you can provide access to a bunch of things here.

Now, some other things to consider. First off, Microsoft will tell you this is simple to use. It’s easy to set up. It’s going to make these on-premises applications available the same way Microsoft makes their SaaS applications available.

So your Office on the web: Word, Excel, PowerPoint, all that stuff. Those apps are just being made available on the internet. It’s very secure. You’re not having to actually provide any kind of SSL certificate; Microsoft will use their certificate services to handle all of this. And again, one of the main facts about it being secure is that Application Proxy doesn’t require you to open any inbound connections through your firewall. That’s a beautiful thing to me. And of course, it’s very cost effective. They tell you that on-premises solutions typically require you to set up demilitarized zones, edge servers, all that. Application Proxy is something that’s going to run for you in the cloud, and to use it you’re not really needing to change any network infrastructure or any of that. It’s mostly just having the Azure AD licensing.

So, if you haven’t already reviewed the Azure AD P1 and P2 licensing and all that, you need to look that up; just Google Azure AD P1 versus P2. There’s a document on that that gets into what you get.

OK, how does it work? OK, so here’s a little diagram that shows you how it works; you can kind of see it step by step, one, two, three, four.

And so on and so forth there.

So the first step, it says, is after a user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page. So the user types in a URL of some kind, like app1.examlabpractice.com. DNS is going to direct it to the App Proxy service.

OK. You’re going to register it in Azure AD, so it will be registered as a DNS name, a URL-based name, as long as you set up a custom domain name and all that in Azure AD. That’ll work. At that point, it tells you that after the user has authenticated with Azure AD, it sends a token to the user’s client device. The client sends the token to your App Proxy service, which is again hosted by Azure AD. All right, which is going to retrieve the UPN, the user principal name, which is basically the email address like jesse@examlabpractice.com, and the security principal name (SPN) from the token.

So you’ve got your token, you have the correct naming information associated with the token, which is going to be the user principal name, basically like jesse@examlabpractice.com, and the security principal name that will be associated with that token.

OK, so then the Application Proxy sends a request to your Application Proxy connector.

So the Application Proxy connector is what is going to be associated with your on-premises web service. This connector is essentially a little agent software that’s going to be installed and associated with your web server; this could be directly on your web server. And then from there, if you configured single sign-on, the connector would perform an additional authentication, which means it would essentially go and talk to your on-premises Active Directory domain controller if it needs to. If that’s the case, then at that point your on-premises Active Directory authenticates the user and generates another token. That token is then presented to the web server. And voila, you now have connectivity with the web server with the help of the Application Proxy service, and again without having to expose that on-premises web application directly to the internet. It’s all happening through the proxy. It’s all being secured through the proxy.

Now lastly, let’s just quickly look at the components that make this up. You know, what actually makes all this tick, right? So the first thing you’ve got is the endpoint, and the endpoint is going to be the URL or an end-user portal that somebody is going to type in or click to get to, in order to access the service that you’re trying to make available.

OK, so this is going to be an internet-facing URL that Azure AD is giving access to. Then of course you have Azure AD; that’s the next component, that’s your directory service. Then you have the Application Proxy service, which is the service that’s making all of this work in conjunction with Azure AD, and which is going to be communicating with the Azure AD connector. The Azure AD Application Proxy connector is a little agent, like I said, that’s going to be installed on a Windows server inside your network and that’s going to establish that outbound connection to your Azure Application Proxy service. Remember, you’re not really opening things coming in here. It’s all dynamic outbound ports that are happening there.

So there aren’t really inbound ports that are being opened. And then you’ve got Active Directory, that’s AD DS, Active Directory Domain Services, your on-premises domain controller that may require authentication there, and then your on-premises application itself, which is the web app that’s been installed on a web server, like Internet Information Services, which is going to actually produce the app that somebody is going to be interacting with.

So those are your different components that are going to make up Application Proxy, and the back and forth and everything that’s going to happen. Hopefully, that gives you an understanding of what the Azure Active Directory Application Proxy is.

130. Implement Azure AD Application Proxy

Now, if I am going to go through the process of working with my applications and publishing apps and using Application Proxy, all that, I’m going to utilize a couple of things here. There is an Application proxy blade. There’s also an Enterprise applications blade.

So let’s just look at all this together here.

So here we are on portal.azure.com, and I’m going to click the little menu button here and we’re going to go to Azure Active Directory.

OK, so from there, if I scroll down here, I can see I’ve got an Application proxy blade, and this is where I can download my Application Proxy connector service, so I can click that. And it tells you that this little connector is going to run on a Windows Server 2012 R2 or Windows Server 2016 server, so you can accept the terms for that. You can download the little agent and you can install the little agent on a server; you need to install it there on your little web server that’s going to be providing this, that’s going to be in your internal network, OK? And that’s how you’re going to do that.

Now the other thing that’s going to need to happen here: here’s the little download here; you would run that on the server. But the other thing that needs to happen is I’m going to go here to Enterprise applications. All right. And as you can see, I’ve got one here, but I can also add a new application if I want. And this is where we are looking at applications that we’re trying to publish and make available.

OK.

So, I have App1. If I want to add another application, I can click New application here. And from there it’s going to let me choose what kind of application I want to do: is it an application you’re developing, is it an on-premises app, or is it a non-gallery app? So, on-premises app: this is an app I want to make available with the help of this Application Proxy. I can click on that. And then again, it’s going to let me download the Application Proxy connector through this, and it’ll go directly into Enterprise applications. Or, as I was saying before, you could add the app first through App registrations, you can get the Application Proxy, and then it can be published as an enterprise app.

So enterprise apps are going to be applications that are made available as public-facing applications that I want somebody to be able to get to. And once I click on the app, I can go through here and I can say assign users, specify which users can have access to it. I can set up what’s called conditional access to it. That’s going to let you control the where, when, how and all that of how somebody is going to get into it, though I’m not really getting into that right now, the security side of all of that. But this is where you do it. And then also, if you look over to the left, you’ve got Application proxy, and this is where you tie it to your on-premises agent.

So you’ve got to make sure, once you install that little agent on your server, the Application Proxy agent, at that point you’ll get the URL that’s going to be plugged in and all that. Right now this is going to be the external URL that I’m using to make it available. But if I want, I can switch that to my custom domain name, examlabpractice.com. And now it would be called app1.examlabpractice.com.

So this is going to be the external-facing DNS name that somebody would use to get to this App1 that I’ve created. And then I would specify the internal URL, which the agent is going to generate once I get the agent installed in my environment. And then at that point I can just adjust all the settings. I can go with what my authentication is going to be: I can do Azure Active Directory authentication or pass-through, which means it’s going to pass through to my on-premises domain controller. I can specify what’s called the backend application timeout, Default or Long; Long is going to increase the amount of time somebody is going to get for basically the token to be passed before it times out. Then you’ve got some of these other options here, like Use HTTP-Only cookie. They tell you this here: if you see, it says using an HTTP-Only cookie setting protects against cross-site scripting attacks by preventing client-side scripting from accessing the cookie.

If you’re publishing to Remote Desktop Services, though, you must select No on that. Then you’ve got Use secure cookie.

So using a secure cookie is going to ensure that your cookies are transmitted only over HTTPS requests.

So that’s Hypertext Transfer Protocol Secure, which is SSL/TLS based. You’ve got Use persistent cookie; they tell you here that using a persistent cookie allows the access cookie to not expire when the browser is closed. Instead, it tells you, it lasts for the lifetime of the access token, however long the access token is available. Then you’ve got Translate URLs in headers; they tell you that’s for applications that require the original host header in the request. That means the URL, whatever they type, must be what it’s associated to; you can’t have a redirection. And then Translate URLs in application body: they tell you to enable this feature if your application contains links to resources published through the Application Proxy with the msappproxy.net domain. It tells you that if the applications you publish with the Application Proxy have the same internal and external names, you really don’t need this feature. It’s if there are some things within the web application where it’s using different URLs that this is going to come into play.

OK. If you are doing some web development there, you might want to also click the link and go and read up on their little article on that. But that’s what your different features are going to handle. And again, we’re not really looking at the development stuff, nor, if you were taking an exam, are you really having to understand the developer stuff for this. But having an understanding of what the Application Proxy is, coming in here to the enterprise apps and all that, and understanding some of these different fields, just make sure you familiarize yourself with that, OK? And that is how you’re going to use your enterprise applications with the help of your Application Proxy.
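As an added example (not from the course), here is a PowerShell audit of the Application Proxy fields just walked through, using the AzureAD module’s Get-/Set-AzureADApplicationProxyApplication cmdlets (the module of the Azure AD era this lecture describes; Microsoft Graph PowerShell has since superseded it). It flags a published app whose cookies are not HTTP-Only or Secure, that uses persistent cookies, or that uses pass-through instead of Azure AD pre-authentication, and then applies the corrected values. The app display name App1 and the Remote Desktop Services flag (where the course says HTTP-Only must stay off) are assumptions.

```powershell
# Added example (not from the course): audit and harden the Application Proxy
# settings of a published enterprise app with the AzureAD module.
# Assumptions: the app is published under the display name 'App1' and is not an
# RDS publication ($PublishesRds = $false), so HTTP-Only cookies are expected on.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Inspect the current settings and return one finding per weak value.
function Get-AppProxyFindings {
    param(
        [Parameter(Mandatory)] $Settings,      # output of Get-AzureADApplicationProxyApplication
        [bool] $PublishesRds = $false
    )
    $findings = @()
    # Azure AD pre-authentication keeps unauthenticated requests away from the
    # connector path; pass-through forwards them straight to the internal app.
    if ($Settings.ExternalAuthenticationType -ne 'AadPreAuthentication') {
        $findings += 'ExternalAuthenticationType is Passthru; expected AadPreAuthentication'
    }
    # HTTP-Only keeps client-side script away from the session cookie (XSS mitigation),
    # but the course notes it must be No when publishing Remote Desktop Services.
    if (-not $PublishesRds -and -not $Settings.IsHttpOnlyCookieEnabled) {
        $findings += 'Use HTTP-Only cookie is No; expected Yes for a non-RDS app'
    }
    # Secure restricts the cookie to HTTPS requests.
    if (-not $Settings.IsSecureCookieEnabled) {
        $findings += 'Use secure cookie is No; expected Yes'
    }
    # A persistent cookie outlives the browser session for the token lifetime;
    # a session cookie is the safer default on shared devices.
    if ($Settings.IsPersistentCookieEnabled) {
        $findings += 'Use persistent cookie is Yes; expected No'
    }
    return $findings
}

$app      = Get-AzureADApplication -Filter "displayName eq 'App1'"
$current  = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
$findings = Get-AppProxyFindings -Settings $current -PublishesRds $false

if ($findings.Count -eq 0) {
    "No weak Application Proxy settings found on $($app.DisplayName)"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    # Apply the corrected values in one call; the external and internal URLs stay as published.
    Set-AzureADApplicationProxyApplication -ObjectId $app.ObjectId `
        -ExternalAuthenticationType AadPreAuthentication `
        -IsHttpOnlyCookieEnabled $true `
        -IsSecureCookieEnabled $true `
        -IsPersistentCookieEnabled $false
    Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId |
        Select-Object ExternalUrl, ExternalAuthenticationType,
            IsHttpOnlyCookieEnabled, IsSecureCookieEnabled, IsPersistentCookieEnabled
}
```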