Azure Virtual Network

Azure Virtual Network

Virtual Network(VNet)虛擬網路
一個VNet可設定多個Address space與多個Subnets

舉例
vNetTest1
  |- Address space (10.55.0.0/16)
     |- Subnet (10.55.0.0/24)
     |- Subnet (10.55.1.0/24)
  |- Address space (172.16.0.0/16)
     |- Subnet (172.16.1.0/24)

Load Balacing Solution:

• Azure Load Balancer
• Azure Application Gateway
• Azure Marketplace Load Balancing Appliance
• Azure Traffic Manager 重導DNS解析的請求

External Connectivity 外部連接

• VNet Peering 
• Multi-Region VPN Connectivity 多(跨)區域

若要採用Peering建立外部連接，除了在Virtual Network設定Peering之外，還必須新增與設定Route Tables資源




Network Security Group (NSG)

• 可套用到網段Subnets或網卡NIC，而不是套用到虛擬網路Virtual Network(VNet)
• 最多可設定200個規則Rule
• 一個訂閱最多可以設定100個網路安全性群組
• 利用Azure Firewall減少設定NSG的數量

下圖範例是從VM裡面檢查Networking設定，觀察繼承套用一個附加Attach到Subnet的NSG

其他與安全性相關的功能
Azure Firewall 限制與管制進出流量 / Azure DDoS Protection 保護DDoS攻擊
Web App - Azure Application Gateway - WAF 應用程式防火牆
API Management Policy-rate limiting 限制呼叫量



VPN
Point to Site
1.Create a Gateway subnet (input Address ragne) on exist vNet
   Settings -> Subnets -> +Gateway subnet ->輸入位址範圍(必須是此vNet含有的Address space內)
   例如: vNet有一組Address space 是 10.0.0.0/16，第一組Subnet是10.0.0.0/24給VM使用，Gateway subnet可以指定為10.0.55.0/24

2.Create a Virtual Network Gateway
   (1)Search virtual network gateways from all services
   (2)click Virtual Network Gateways link
   (3)click create virtual network gateway button

3.Prepare Certificate

create root cert in win 10
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=AzTsmtVpnRoot" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

create client cert in win 10
New-SelfSignedCertificate -Type Custom -DnsName AzTsmtVpnClient -KeySpec Signature `
-Subject "CN=AzTsmtVpnClient" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

4.Configure Point-To-Site VPN
virtual network gateway->Point-to-site configuration->configure now

address pool = 172.16..25.0/24 (輸入一組私有網段)
tunnel type = SSTP & IKEv2 (Windows also use IKEv2 first and then try SSTP. )
authentication type = Azure Certificates

下方輸入憑證名稱與憑證資料
憑證名稱是當時建立root憑證時的名稱
憑證資料可以將cert檔案用記事本打開，複製中間的內容，然後貼上




https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

Service	Global/regional	Recommended traffic
Azure Front Door	Global	HTTP(S)
Traffic Manager	Global	non-HTTP(S)
Application Gateway	Regional	HTTP(S)
Azure Load Balancer	Regional	non-HTTP(S)

Azure Load Balancer vs Application Gateway vs Traffic Manager vs Front Door
https://tutorialsdojo.com/azure-load-balancer-vs-app-gateway-vs-traffic-manager/

Load Balancer	Application Gateway	Traffic Manager	Front Door
Service	Network load balancer.	Web traffic load balancer.	DNS-based traffic load balancer.	Global application delivery
Network Protocols	Layer 4 (TCP or UDP)	Layer 7 (HTTP/HTTPS)	Layer 7 (DNS)	Layer 7 (HTTP/HTTPS)
Type	Internal and Public	Standard and WAF	–	Standard and Premium
Routing	Hash-based, Source IP affinity	Path-based	Performance, Weighted, Priority, Geographic, MultiValue, Subnet	Latency, Priority, Weighted, Session Affinity
Global/Regional Service	Global	Regional	Global	Global
Recommended Traffic	Non-HTTP(S)	HTTP(S)	Non-HTTP(S)	HTTP(S)
Endpoints	NIC (VM/VMSS), IP address	IP address/FQDN, Virtual machine/VMSS, App services	Cloud service, App service/slot, Public IP address	App service, Cloud service, Storage, Application Gateway, API Management, Public IP address, Traffic Manager, Custom Host
Endpoint Monitoring	Health probes	Health probes	HTTP/HTTPS GET requests	Health probes
Redundancy	Zone redundant and Zonal	Zone redundant	Resilient to regional failures	Resilient to regional failures
SSL/TLS Termination	–	Supported	–	Supported
Web Application Firewall	–	Supported	–	Supported
Sticky Sessions	Supported	Supported	–	Supported
VNet Peering	Supported	Supported	–	–
SKU	Basic and Standard	Standard and WAF (v1 & v2)	–	Standard and Premium
Pricing	Standard Load Balancer – charged based on the number of rules and processed data.	Charged based on Application Gateway type, processed data, outbound data transfers, and SKU.	Charged per DNS queries, health checks, measurements, and processed data points.	Charged based on outbound/inbound data transfers, and incoming requests from client to Front Door POPs.

What is Azure Virtual Network?
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

What is Azure Load Balancer?
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

What is Azure Application Gateway?
https://docs.microsoft.com/en-us/azure/application-gateway/overview
Application Gateway
https://azure.microsoft.com/en-us/services/application-gateway/

Security groups
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Virtual network peering
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Create, change, or delete a virtual network peering
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

Policies in Azure API Management
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-policies

Step-By-Step: Creating an Azure Point-to-Site VPN
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Creating-an-Azure-Point-to-Site-VPN/ba-p/326264