Virtual Network(VNet)虛擬網路
一個VNet可設定多個Address space與多個Subnets
舉例
vNetTest1
|- Address space (10.55.0.0/16)
|- Subnet (10.55.0.0/24)
|- Subnet (10.55.1.0/24)
|- Address space (172.16.0.0/16)
|- Subnet (172.16.1.0/24)
Load Balacing Solution:
- Azure Load Balancer
- Azure Application Gateway
- Azure Marketplace Load Balancing Appliance
- Azure Traffic Manager 重導DNS解析的請求
External Connectivity 外部連接
- VNet Peering
- Multi-Region VPN Connectivity 多(跨)區域
若要採用Peering建立外部連接,除了在Virtual Network設定Peering之外,還必須新增與設定Route Tables資源
Network Security Group (NSG)
- 可套用到網段Subnets或網卡NIC,而不是套用到虛擬網路Virtual Network(VNet)
- 最多可設定200個規則Rule
- 一個訂閱最多可以設定100個網路安全性群組
- 利用Azure Firewall減少設定NSG的數量
下圖範例是從VM裡面檢查Networking設定,觀察繼承套用一個附加Attach到Subnet的NSG
其他與安全性相關的功能
Azure Firewall 限制與管制進出流量 / Azure DDoS Protection 保護DDoS攻擊
Web App - Azure Application Gateway - WAF 應用程式防火牆
API Management Policy-rate limiting 限制呼叫量
VPN
Point to Site
1.Create a Gateway subnet (input Address ragne) on exist vNet
Settings -> Subnets -> +Gateway subnet ->輸入位址範圍(必須是此vNet含有的Address space內)
例如: vNet有一組Address space 是 10.0.0.0/16,第一組Subnet是10.0.0.0/24給VM使用,Gateway subnet可以指定為10.0.55.0/24
2.Create a Virtual Network Gateway
(1)Search virtual network gateways from all services
(2)click Virtual Network Gateways link
(3)click create virtual network gateway button
3.Prepare Certificate
create root cert in win 10
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=AzTsmtVpnRoot" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
create client cert in win 10
New-SelfSignedCertificate -Type Custom -DnsName AzTsmtVpnClient -KeySpec Signature `
-Subject "CN=AzTsmtVpnClient" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
virtual network gateway->Point-to-site configuration->configure now
address pool = 172.16..25.0/24 (輸入一組私有網段)
tunnel type = SSTP & IKEv2 (Windows also use IKEv2 first and then try SSTP. )
authentication type = Azure Certificates
下方輸入憑證名稱與憑證資料
憑證名稱是當時建立root憑證時的名稱
憑證資料可以將cert檔案用記事本打開,複製中間的內容,然後貼上
https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview
| Service | Global/regional | Recommended traffic |
|---|---|---|
| Azure Front Door | Global | HTTP(S) |
| Traffic Manager | Global | non-HTTP(S) |
| Application Gateway | Regional | HTTP(S) |
| Azure Load Balancer | Regional | non-HTTP(S) |
Azure Load Balancer vs Application Gateway vs Traffic Manager vs Front Door
https://tutorialsdojo.com/azure-load-balancer-vs-app-gateway-vs-traffic-manager/
Load Balancer | Application Gateway | Traffic Manager | Front Door | |
Service | Network load balancer. | Web traffic load balancer. | DNS-based traffic load balancer. | Global application delivery |
Network Protocols | Layer 4 (TCP or UDP) | Layer 7 (HTTP/HTTPS) | Layer 7 (DNS) | Layer 7 (HTTP/HTTPS) |
Type | Internal and Public | Standard and WAF | – | Standard and Premium |
Routing | Hash-based, | Path-based | Performance, Weighted, Priority, Geographic, MultiValue, Subnet | Latency, Priority, Weighted, Session Affinity |
Global/Regional Service | Global | Regional | Global | Global |
Recommended Traffic | Non-HTTP(S) | HTTP(S) | Non-HTTP(S) | HTTP(S) |
Endpoints | NIC (VM/VMSS), IP address | IP address/FQDN, Virtual machine/VMSS, App services | Cloud service, App service/slot, Public IP address | App service, Cloud service, Storage, Application Gateway, API Management, Public IP address, Traffic Manager, Custom Host |
Endpoint Monitoring | Health probes | Health probes | HTTP/HTTPS GET requests | Health probes |
Redundancy | Zone redundant and Zonal | Zone redundant | Resilient to regional failures | Resilient to regional failures |
SSL/TLS Termination | – | Supported | – | Supported |
Web Application Firewall | – | Supported | – | Supported |
Sticky Sessions | Supported | Supported | – | Supported |
VNet Peering | Supported | Supported | – | – |
SKU | Basic and Standard | Standard and WAF (v1 & v2) | – | Standard and Premium |
Pricing | Standard Load Balancer – charged based on the number of rules and processed data. | Charged based on Application Gateway type, processed data, outbound data transfers, and SKU. | Charged per DNS queries, health checks, measurements, and processed data points. | Charged based on outbound/inbound data transfers, and incoming requests from client to Front Door POPs. |
What is Azure Virtual Network?
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
What is Azure Load Balancer?
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
What is Azure Application Gateway?
https://docs.microsoft.com/en-us/azure/application-gateway/overview
Application Gateway
https://azure.microsoft.com/en-us/services/application-gateway/
Security groups
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Virtual network peering
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Create, change, or delete a virtual network peering
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
Policies in Azure API Management
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-policies
Step-By-Step: Creating an Azure Point-to-Site VPN
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Creating-an-Azure-Point-to-Site-VPN/ba-p/326264
沒有留言:
張貼留言