Microsoft Azure AZ-800 — Section 15: Manage IP addressing in on-premises and hybrid scenarios Part 4
119. Resolve IP address issues in hybrid environments
Now, when it comes to dealing with TCP/IP subnetting in a hybrid environment, the one key you want to remember is that the subnets have to be unique between the Azure world and the on-premises world. That is the number one issue that people run into. They will connect their on-premises environment with Azure using either a VPN gateway or ExpressRoute, and then they will have some of the same subnets on-premises that they've got out in Azure, or vice versa. So the thing we've got to make sure of is that we keep our subnets unique across the board.
So, just like here in this drawing that I made earlier, we've got different VNets: VNet one, VNet two, three and four. This is the hub-and-spoke scenario.
So this VNet here is sort of like our hub. We've got a firewall, a load balancer, a VPN gateway. And then over here we've got some VNets that contain our virtual machines and all that. Well, on-premises we've also got subnets, right? We have DHCP services handing out addresses to those subnets and all that.
So what you need to do is make sure you've taken inventory. If you use IPAM, that's one way to do that. Take inventory of your on-premises subnets and make sure that you're using different subnets out in the cloud. The good news is it's not really all that difficult. It's probably more difficult to change things on-premises than it is out in the cloud.
So you can go into Azure and you can alter VNets. If you need to recreate VNets, you can, and assign those to virtual NICs. It's not the end of the world. Hopefully it's not one of those things where you've implemented like thousands of servers and subnets and you're having to go back and redo a bunch of things. Ultimately, though, you may have to redo some things if Azure is conflicting with on-premises.
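The inventory check described above, as an added example that is not part of the course: it takes an on-premises subnet list (what you would export from IPAM) and an Azure subnet list and reports every pair whose ranges overlap, then suggests the first free block to use when a VNet has to be recreated. All the CIDRs and labels below are constructed sample values, not the instructor's lab addresses.

```python
"""Check that on-premises and Azure address spaces do not overlap.

Added example for this lesson, not code from the course. The two inventories
are constructed sample data standing in for an IPAM export and a VNet export.
"""
import ipaddress
from itertools import product

# Constructed inventory: (label, CIDR). Replace with your IPAM / VNet export.
ONPREM_SUBNETS = [
    ("onprem-servers", "10.0.0.0/24"),
    ("onprem-clients", "10.0.1.0/24"),
    ("onprem-mgmt",    "192.168.10.0/24"),
]
AZURE_SUBNETS = [
    ("vnet1-hub",    "10.1.0.0/24"),
    ("vnet2-vmtest", "10.1.1.0/24"),
    ("vnet3-app",    "10.0.1.0/25"),      # deliberately inside onprem-clients
    ("vnet4-data",   "192.168.10.0/23"),  # deliberately contains onprem-mgmt
]


def find_overlaps(onprem, azure):
    """Return (onprem_label, azure_label, shared_range) for every
    on-premises/Azure pair whose address ranges intersect.

    overlaps() is true whether one range contains the other or they merely
    share addresses; either way the VPN gateway or ExpressRoute circuit cannot
    tell which side a destination in the shared range lives on.
    """
    hits = []
    for (o_label, o_cidr), (a_label, a_cidr) in product(onprem, azure):
        o_net = ipaddress.ip_network(o_cidr, strict=False)
        a_net = ipaddress.ip_network(a_cidr, strict=False)
        if o_net.overlaps(a_net):
            # Two CIDR blocks that overlap are always nested, so the shared
            # range is the more specific (longer-prefix) one.
            shared = max(o_net, a_net, key=lambda n: n.prefixlen)
            hits.append((o_label, a_label, str(shared)))
    return hits


def next_free_block(used_cidrs, parent="10.0.0.0/8", new_prefix=24):
    """Suggest the first /new_prefix inside parent that touches none of the
    ranges already in use on either side; handy when a VNet must be rebuilt."""
    used = [ipaddress.ip_network(c, strict=False) for c in used_cidrs]
    for candidate in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for o, a, shared in find_overlaps(ONPREM_SUBNETS, AZURE_SUBNETS):
        print(f"CONFLICT: {o} and {a} both cover {shared}")
    every_cidr = [c for _, c in ONPREM_SUBNETS + AZURE_SUBNETS]
    print("first free /24:", next_free_block(every_cidr))
```

Run it against the real exports before you build the VPN gateway or ExpressRoute connection; fixing a conflict at that point means editing a VNet address space, not re-addressing servers.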
So what I want to do now is jump into Azure and show you that there are some tools to help you with troubleshooting this.
OK, so now I'm here on portal.azure.com and I'm going to go to the menu button and go to All services. Once you get to All services, you're going to do a search for Network Watcher. All right, so we're going to click on Network Watcher.
So Network Watcher is a really neat component that we have in Azure that essentially allows us to monitor and test issues related to our Azure services. And that doesn't just involve the cloud. If you have linked your on-premises network with Azure using a VPN gateway or ExpressRoute, then essentially you have the ability to troubleshoot using these Network Watcher tools that Microsoft has provided you.
So if you're having some issues, maybe some connectivity issues, whether it be within just the Azure environment with your virtual machines, or maybe the Azure environment communicating with your on-premises network in a hybrid type of scenario, then you can utilize this. This is very, very neat.
So first off, Network Watcher will automatically get activated in any region in which you have any kind of virtual network.
So you can see that I have Network Watcher automatically turned on within East US and East US 2, because I have resources in those regions.
OK, so right out of the gate here, I can click on Topology over here, which is really neat. Tell it what resource group I want to look at, like VNet demo, and then I can see a visual of how things are laid out: VNet one, VNet two, the subnets I've got. I can even get it in SVG. You can also click on those components and it'll take you straight to that resource and you can modify it, which is really neat as well.
So I can switch over to VNet two, VM Test. You can see I've got a virtual machine and all that stuff set up, the Azure DC one. Here's an SSD. I've got a virtual NIC that's connected to a subnet and a VNet and all that. All right, so really neat, it gives you a nice little visual. You can move it around if you need to. You can even download the topology if you want, as you can see. And so from there I've got some nice little tools. Now, really, what I'm here to show you is this diagnostic set of tools here. This is very helpful. So I can go to IP flow verify, and IP flow verify is going to let me verify how packets are going to communicate between my virtual machines and anywhere else out there.
So this is kind of neat. I can go through here, for example, and I can say, OK, well, the subscription, the resource group, the virtual machine that I'm going to test. And be sure, if you are going to do any kind of test, make sure your virtual machines are started, because obviously this is not going to work if the virtual machines are not started. OK, then you can specify the network interface, and then whether TCP or UDP, inbound or outbound.
So, for example, if I wanted to do an inbound test from somewhere out there, I'll do port 389, because I know that port is open on that machine, and then whatever remote address.
So, for example, if I had a public IP address out there that I wanted to check, I could put that in. Or if you had an on-premises address, and you've connected your on-premises and your Azure environments, you could put that on-premises private address in there as well.
OK, I want to put 8.8.8.8, which is just an easy public address. Remember, it's Google's DNS server, so granted, I'm not going to be sitting at Google's DNS server, but I can click on Check and then it can let me know whether or not there would be connectivity between that server out there on the internet trying to communicate inbound with my 10.1.0.6 address. And from there, look at the results: it says access would be allowed. The reason it's allowed is because I do have a public address within that and all that stuff configured. Of course, I could also say outbound, this server or this virtual machine trying to connect to that server. I could check that if I want. This is definitely something you should try out, though. Go in there, and if you've got all the stuff configured, you can play around with this a little bit, see what's allowed and what's not allowed, OK? And so this would not be turned down if this server was trying to hit another machine out there on the internet. In this case, with port 389, it's not going to be blocked.
So there's no firewall blocking this machine if it was trying to connect to 8.8.8.8 on 389.
Now, granted, Google would really have to have 389 available and you'd have to be able to connect into it for that to be allowed. But so then you also have NSG diagnostics over here, this little blade, and this is for troubleshooting NSGs, network security groups.
So if you've put network security groups in place, you can plug in the information here and you can try and troubleshoot if there's any kind of a problem with one device trying to communicate with another device and it's due to an NSG problem. You've also got Next hop. Next hop will show you the next location traffic is going to pass through.
So, for example, if I'm connecting from this virtual machine's network interface, 10.1.0.6, to 8.8.8.8, that again is Google's DNS. We should see that the next hop is the internet, because there's nothing in between: there are no routers between here and there, and I'm not having to pass through a peered network or anything like that to get there.
So I should get, yeah, I should get Internet as the answer. You can also look at Effective security rules.
OK, so this is also associated with NSGs. If you've got NSGs involved, then that's going to give you some information regarding the NSGs in your network, if there are any NSGs, perhaps, that could be affecting something. It's going to show you what those rules are, so you can plug that in and it'll show you what you've got. Of course, I didn't have NSGs on the VM Test, so I didn't get anything, but on this particular resource group, the Azure ADDS one, you can see that I do. It's telling you what the associated NSG is.
So this is helpful because I can find out what NSGs are associated with the resource group. And this is great, because what if I've got a bunch of NSGs and I'm in a very complicated environment, and I just want to find out right now what NSGs are associated with a particular virtual machine? This is a quick way to find that out.
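To make the IP flow verify result and the Effective security rules view above less of a black box, here is an added example (not code from the course or from Azure) that re-implements the documented NSG evaluation offline: rules are tried in priority order, the first match decides, Azure's default rules close the list, and for inbound traffic the subnet NSG is consulted before the NIC NSG (outbound is the reverse). The VNet range, the VM address 10.1.0.6 and the LDAP rules below are constructed sample data; the service tags VirtualNetwork and Internet are simplified to "inside the VNet range" and "public and outside it".

```python
"""Offline re-implementation of NSG evaluation, in the spirit of IP flow verify.

Added example for this lesson, not Azure code. VNET_SPACE, LDAP_NSG and the
addresses used are constructed sample values (assumptions).
"""
import ipaddress
from dataclasses import dataclass

VNET_SPACE = ipaddress.ip_network("10.1.0.0/16")  # constructed VNet address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    direction: str  # "Inbound" | "Outbound"
    access: str     # "Allow" | "Deny"
    protocol: str   # "Tcp" | "Udp" | "*"
    src: str        # CIDR, "*", "VirtualNetwork", "Internet", "AzureLoadBalancer"
    src_port: str   # "*", "389", "1024-65535"
    dst: str
    dst_port: str


# Default rules Azure appends to every NSG (priorities 65000-65500).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed user rules: LDAP is allowed from the on-premises range only.
LDAP_NSG = [
    Rule("AllowLdapFromOnPrem", 100, "Inbound", "Allow", "Tcp", "10.0.0.0/16", "*", "*", "389"),
    Rule("DenyInternetLdap", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "389"),
]


def _addr_match(pattern, addr):
    ip = ipaddress.ip_address(addr)
    if pattern == "*":
        return True
    if pattern == "VirtualNetwork":        # simplified: the VNet's own space
        return ip in VNET_SPACE
    if pattern == "Internet":              # simplified: public and not in the VNet
        return ip.is_global and ip not in VNET_SPACE
    if pattern == "AzureLoadBalancer":     # the platform health-probe address
        return str(ip) == "168.63.129.16"
    return ip in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_nsg(rules, direction, proto, src, src_port, dst, dst_port):
    """First matching rule in priority order decides; the default rules make
    sure something always matches. Returns (access, rule_name)."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == direction
                and (r.protocol == "*" or r.protocol.lower() == proto.lower())
                and _addr_match(r.src, src) and _port_match(r.src_port, src_port)
                and _addr_match(r.dst, dst) and _port_match(r.dst_port, dst_port)):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAll default rules match everything")


def ip_flow_verify(subnet_nsg, nic_nsg, direction, proto, remote, remote_port, local, local_port):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG.
    A Deny at either scope wins. With no NSG attached nothing filters the flow,
    which is why the lesson's 8.8.8.8 -> 10.1.0.6:389 test came back allowed."""
    if direction == "Inbound":
        order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
        src, sport, dst, dport = remote, remote_port, local, local_port
    else:
        order = [("nic", nic_nsg), ("subnet", subnet_nsg)]
        src, sport, dst, dport = local, local_port, remote, remote_port
    decisive = "no NSG attached"
    for scope, nsg in order:
        if nsg is None:
            continue
        access, name = evaluate_nsg(nsg, direction, proto, src, sport, dst, dport)
        decisive = f"{scope}:{name}"
        if access == "Deny":
            return "Denied", decisive
    return "Allowed", decisive


if __name__ == "__main__":
    print(ip_flow_verify(None, None, "Inbound", "Tcp", "8.8.8.8", 50000, "10.1.0.6", 389))
    print(ip_flow_verify(LDAP_NSG, None, "Inbound", "Tcp", "8.8.8.8", 50000, "10.1.0.6", 389))
    print(ip_flow_verify(LDAP_NSG, None, "Inbound", "Tcp", "10.0.0.10", 50000, "10.1.0.6", 389))
```

The value of walking through the rules this way is the second field in the result: like the portal, it names the rule that made the decision, so a denied flow points you at a specific priority to fix rather than at the NSG as a whole.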
So if I was trying to troubleshoot, you've also got the VPN troubleshooter.
So if you've configured a VPN in your environment, you can use the VPN troubleshooter to try to help you troubleshoot. Of course, you have to have a VPN set up for that to happen. If you don't, then you're just going to get this little message here. Packet capture: this is going to let you do packet capturing on virtual machines and all that stuff, if you want to do that. The downside of this is it's just going to generate a packet capture file, and you'll need something like Wireshark to be able to import that.
So keep that in mind: it's not going to actually let you visualize the packets without having something like Wireshark. You can go out to the internet. All you've got to do is go to Google, for example, and search for "download Wireshark". Of course, it does help if you type things correctly. Very quick: Wireshark, download Wireshark, and you can download the latest version, install that, and you'd be able to plug that in.
OK. Lastly, Connection troubleshoot. This will take a few minutes, but it'll run a diagnostic test: if you've got one virtual machine trying to connect to another virtual machine and there's a problem, it'll run a little test on that and try to give you a report. It does take a few minutes to do that.
So just be advised, if you actually run through that, it's going to take some time to generate that report. The last thing you've got here is some logs down here. You've got NSG flow logs, which show you network security group related stuff. If there's traffic flowing, trying to get through an NSG, you can generate the flow log and take a look at that. Again, this is going to help you with troubleshooting NSG-related problems. And then finally, you've got a diagnostic log, which is going to involve each of the different network resources that have shown up in Azure.
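NSG flow logs land in storage as JSON blocks of comma-separated flow tuples, so "take a look at that" usually means a small script. As an added example, not part of the course, here is a parser for the version 2 flow log layout that flattens the tuples and answers the two questions you most often have during troubleshooting: which inbound ports are being denied, and how much traffic each rule carried. The JSON block is constructed sample data in the documented shape; the subscription id, NSG name, MAC address and IP addresses in it are made up.

```python
"""Summarise NSG flow log records offline.

Added example for this lesson, not Azure tooling. SAMPLE_FLOW_LOG is a
constructed record in the NSG flow log v2 shape; every identifier in it is
made up.
"""
import json
from collections import Counter

SAMPLE_FLOW_LOG = json.dumps({  # constructed, not a real capture
    "records": [{
        "time": "2023-01-01T12:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/VNET-DEMO/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/VMTEST-NSG",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1672574400,203.0.113.10,10.1.0.6,51000,3389,T,I,D,B,,,,",
                     "1672574401,203.0.113.10,10.1.0.6,51001,22,T,I,D,B,,,,",
                     "1672574402,198.51.100.7,10.1.0.6,40000,389,U,I,D,B,,,,"]}]},
                {"rule": "UserRule_AllowLdapFromOnPrem",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1672574403,10.0.0.10,10.1.0.6,49152,389,T,I,A,B,,,,",
                     "1672574460,10.0.0.10,10.1.0.6,49152,389,T,I,A,E,12,1800,10,4200"]}]},
            ]}}]})

# Field order of a v2 flow tuple. v1 tuples stop after "decision".
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
          "direction", "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")


def parse_flow_tuples(raw_json):
    """Flatten every flowTuple into a dict tagged with NSG name, rule and MAC.
    The last five fields are empty on flow-begin (B) records and populated on
    continuation (C) and end (E) records."""
    rows = []
    for rec in json.loads(raw_json)["records"]:
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for rule_block in rec["properties"]["flows"]:
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    parts = tup.split(",")
                    parts += [""] * (len(FIELDS) - len(parts))  # pad v1 records
                    row = dict(zip(FIELDS, parts))
                    row.update(nsg=nsg, rule=rule_block["rule"], mac=flow["mac"])
                    rows.append(row)
    return rows


def denied_inbound_by_port(rows):
    """Count denied inbound flow-begin records per destination port: the first
    thing to check when a client reports it cannot reach a VM."""
    return Counter(r["dst_port"] for r in rows
                   if r["direction"] == "I" and r["decision"] == "D" and r["state"] in ("B", ""))


def bytes_by_rule(rows):
    """Sum bytes in both directions on end-of-flow records, per rule.
    Begin records carry no counters, so they are skipped."""
    totals = Counter()
    for r in rows:
        if r["state"] == "E":
            totals[r["rule"]] += int(r["bytes_s2d"] or 0) + int(r["bytes_d2s"] or 0)
    return totals


if __name__ == "__main__":
    rows = parse_flow_tuples(SAMPLE_FLOW_LOG)
    print("denied inbound by port:", dict(denied_inbound_by_port(rows)))
    print("bytes by rule:", dict(bytes_by_rule(rows)))
```

Point it at the hourly JSON blobs from the storage account you configured for the flow log; because each row keeps the NSG and rule name, the same output tells you which rule to go and look at in Effective security rules.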
So definitely something to take a look at and play around with. I encourage you to jump in, play around a little bit with that and get a feel for it. These are great tools for helping you troubleshoot the resources in Azure, as well as your on-premises network, in a hybrid environment.