Module 5

Uploaded by

sharif
AZ-104
Azure Administrator
Instructor: Sharif Khairy

Module 5 Intersite Connectivity


AZ-900

Contents
Module 5 Intersite Connectivity
In this module, you will learn about intersite connectivity features including VNet
Peering, Virtual Network Gateways, and VPN Gateway Connections.


Contents
Module 5 Intersite Connectivity
This module includes:
● VNet Peering
● VPN Gateway Connections
● ExpressRoute and Virtual WAN
● Lab 05 - Implement Intersite Connectivity


VNet Peering
Perhaps the simplest and quickest way to connect your VNets is to use VNet
peering.
Virtual network peering enables you to seamlessly connect two Azure virtual
networks.


VNet Peering
There are two types of VNet peering.
● Regional VNet peering connects Azure virtual networks in the same region.
● Global VNet peering connects Azure virtual networks in different regions.
Azure public cloud regions cannot be peered with Azure Government cloud regions.


Benefits of virtual network peering


● Private. Network traffic between peered virtual networks is private.
Traffic between the virtual networks is kept on the Microsoft backbone network.
No public Internet, gateways, or encryption is required in the communication
between the virtual networks.
● Performance. A low-latency, high-bandwidth connection between resources in
different virtual networks.


Benefits of virtual network peering


● Communication. The ability for resources in one virtual network to communicate
with resources in a different virtual network, once the virtual networks are peered.
● Seamless. The ability to transfer data across Azure subscriptions, deployment
models, and across Azure regions.
● No disruption. No downtime to resources in either virtual network when creating
the peering, or after the peering is created.


Global VNet peering special requirements


● Cloud regions. When creating a global peering, the peered virtual networks
can exist in any Azure public cloud region or China cloud regions, but not in
Government cloud regions.
You can only peer virtual networks in the same region in Azure Government
cloud regions.
● Virtual network resources. Resources in one virtual network cannot
communicate with the IP address of an Azure internal load balancer in the
peered virtual network.
The load balancer and the resources that communicate with it must be in the
same virtual network.


Gateway Transit and Connectivity


When virtual networks are peered, you can configure a VPN gateway in the
peered virtual network as a transit point.
In this case, a peered virtual network can use the remote gateway to gain access
to other resources.
A virtual network can have only one gateway.
Gateway transit is supported for both VNet Peering and Global VNet Peering.


Gateway Transit and Connectivity


Gateway Transit and Connectivity


When you enable Allow Gateway Transit, the peered virtual network can communicate
with resources outside the peering:
● Use a site-to-site VPN to connect to an on-premises network.
● Use a VNet-to-VNet connection to another virtual network.
● Use a point-to-site VPN to connect to a client.


Configure VNet Peering


1. Create two virtual networks.
2. Peer the virtual networks.
3. Create virtual machines in each virtual network.
4. Test the communication between the virtual machines.


Service Chaining
VNet Peering is nontransitive. This means that if you establish VNet Peering
between VNet1 and VNet2 and between VNet2 and VNet3, VNet Peering
capabilities do not apply between VNet1 and VNet3.
You can use user-defined routes and service chaining to implement custom
routing that provides transitivity.
This allows you to:
● Implement a multi-level hub and spoke architecture.
● Overcome the limit on the number of VNet Peerings per virtual network.


Hub and spoke architecture


All the spoke virtual networks peer with the hub virtual network.
Traffic can then flow through network virtual appliances or VPN gateways in the hub
virtual network.


User-defined routes and service chaining


Service chaining enables you to direct traffic from one virtual network to a virtual
appliance, or virtual network gateway, in a peered virtual network, through user-
defined routes.
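Putting the Configure VNet Peering steps and service chaining together, here is an added example (not from the course deck) using the Az PowerShell module: a hub with two spokes peered with gateway transit, plus a user-defined route in one spoke that sends traffic for the other spoke through a network virtual appliance in the hub. The resource group, VNet names, address prefixes and the NVA address 10.0.1.4 are assumptions.

```powershell
# Added example, not from the course deck. Assumes an authenticated Az session.
$rg  = 'rg-module5'
$loc = 'eastus'
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# 1. Create the hub and two spoke virtual networks with non-overlapping address spaces.
$hub    = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $loc `
            -AddressPrefix '10.0.0.0/16' `
            -Subnet (New-AzVirtualNetworkSubnetConfig -Name 'nva' -AddressPrefix '10.0.1.0/24')
$spoke1 = New-AzVirtualNetwork -Name 'vnet-spoke1' -ResourceGroupName $rg -Location $loc `
            -AddressPrefix '10.1.0.0/16' `
            -Subnet (New-AzVirtualNetworkSubnetConfig -Name 'workload' -AddressPrefix '10.1.1.0/24')
$spoke2 = New-AzVirtualNetwork -Name 'vnet-spoke2' -ResourceGroupName $rg -Location $loc `
            -AddressPrefix '10.2.0.0/16' `
            -Subnet (New-AzVirtualNetworkSubnetConfig -Name 'workload' -AddressPrefix '10.2.1.0/24')

# 2. Peer each spoke with the hub in both directions. Peering is nontransitive, so
#    spoke1 and spoke2 still cannot reach each other through the hub by default.
#    The hub side allows gateway transit; the spoke side uses the hub's gateway.
#    -UseRemoteGateways only succeeds once the hub already has a VPN gateway;
#    omit it here and add it later if the gateway does not exist yet.
foreach ($spoke in @($spoke1, $spoke2)) {
    Add-AzVirtualNetworkPeering -Name "hub-to-$($spoke.Name)" -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit -AllowForwardedTraffic | Out-Null
    Add-AzVirtualNetworkPeering -Name "$($spoke.Name)-to-hub" -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id -UseRemoteGateways -AllowForwardedTraffic | Out-Null
}

# 3. Service chaining: a user-defined route in spoke1 sends traffic destined for
#    spoke2's address space to a network virtual appliance in the hub (10.0.1.4 is
#    an assumed NVA address). -AllowForwardedTraffic on the peering is what lets the
#    hub forward traffic that did not originate in the hub.
$route = New-AzRouteConfig -Name 'to-spoke2-via-nva' -AddressPrefix '10.2.0.0/16' `
            -NextHopType VirtualAppliance -NextHopIpAddress '10.0.1.4'
$rt = New-AzRouteTable -Name 'rt-spoke1' -ResourceGroupName $rg -Location $loc -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke1 -Name 'workload' `
    -AddressPrefix '10.1.1.0/24' -RouteTable $rt | Out-Null
$spoke1 | Set-AzVirtualNetwork | Out-Null

# 4. Confirm both peerings report Connected before testing traffic between VMs.
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'vnet-hub' |
    Select-Object Name, PeeringState, AllowGatewayTransit, AllowForwardedTraffic
```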


VPN Gateway Connections


A VPN gateway is a specific type of virtual network gateway that is used to send
encrypted traffic between an Azure virtual network and an on-premises location
over the public Internet.
You can also use a VPN gateway to send encrypted traffic between Azure virtual
networks over the Microsoft network.
Each virtual network can have only one VPN gateway.


VPN Gateway Connections


You can create multiple connections to the same VPN gateway.
● Site-to-site connections connect on-premises datacenters to Azure virtual
networks
● Network-to-network connections connect Azure virtual networks (custom)
● Point-to-site (User VPN) connections connect individual devices to Azure virtual
networks


Implement Site-to-Site Connections


Here are the steps for creating a VNet-to-VNet connection.
The on-premises steps are necessary only if you are configuring Site-to-Site.


Implement Site-to-Site Connections


Create VNets and subnets.
Remember that for this VNet to connect to an on-premises location, you need to
coordinate with your on-premises network administrator to reserve an IP address
range that does not overlap with your on-premises networks and that you can use
specifically for this virtual network.


Implement Site-to-Site Connections


Specify the DNS server (optional). DNS is not required to create a Site-to-Site
connection.
However, if you want to have name resolution for resources that are deployed to
your virtual network, you should specify a DNS server in the virtual network
configuration.


Create the Gateway Subnet


Before creating a virtual network gateway for your virtual network, you first need
to create the gateway subnet.
The gateway subnet contains the IP addresses that are used by the virtual
network gateway.


Create the Gateway Subnet


When you create your gateway subnet, gateway VMs are
deployed to the gateway subnet and configured with the
required VPN gateway settings.


Create the Gateway Subnet


When working with gateway subnets, avoid associating a network security group
(NSG) to the gateway subnet.
Associating a network security group to this subnet may cause your VPN gateway
to stop functioning as expected.


VPN Gateway Configuration


The VPN gateway settings that you choose are critical to creating a successful
connection.
● Gateway Type
● VPN Type
● SKU
● Generation
● Virtual network


VPN Gateway Configuration


● Gateway type. VPN or ExpressRoute.
● VPN Type. Route-based or Policy-based.
Choose a Route-based gateway if you intend to use point-to-site, inter-virtual
network, or multiple site-to-site connections.
Route-based gateways support IKEv2.
Policy-based gateways support only IKEv1.
Most VPN types are Route-based.


VPN Gateway Configuration


● SKU. Route-based VPN types are offered in three SKUs:
Basic, Standard, and High performance. Standard or High performance must be
chosen if you are using ExpressRoute.
A high performance SKU must be selected if you are using active-active mode.
● Generation. 1 or 2. Changing generation or changing SKUs across generations
is not allowed.
Basic and VpnGw1 SKUs are only supported in Generation1.
VpnGw4 and VpnGw5 SKUs are only supported in Generation2.


VPN Gateway Configuration


● Virtual Networks. The virtual network that will be able to send and receive
traffic through the virtual network gateway.


VPN Gateway Types


When you create the virtual network gateway for a VPN gateway configuration,
you must specify a VPN type.
The VPN type that you choose depends on the connection topology that you
want to create.
For example, a Point-to-Site (P2S) connection requires a Route-based VPN type.
A VPN type can also depend on the hardware that you are using.
Site-to-Site (S2S) configurations require a VPN device.
Some VPN devices only support a certain VPN type.


VPN Gateway Types


The VPN type you select must satisfy all the connection requirements for the
solution you want to create.
For example, if you want to create a S2S VPN gateway connection and a P2S VPN
gateway connection for the same virtual network, you would use VPN type
Route-based because P2S requires a Route-based VPN type.
You would also need to verify that your VPN device supported a Route-based VPN
connection.


VPN Gateway Types

● Route-based VPNs. Route-based VPNs use routes in the IP forwarding or
routing table to direct packets into their corresponding tunnel interfaces.
The tunnel interfaces then encrypt or decrypt the packets in and out of the
tunnels.
● Policy-based VPNs. Policy-based VPNs encrypt and direct packets through
IPsec tunnels based on the IPsec policies configured with the combinations of
address prefixes between your on-premises network and the Azure VNet.


VPN Gateway Types


When using a Policy-based VPN, keep in mind the following limitations:
● Policy-based VPNs can only be used on the Basic gateway SKU and are not
compatible with other gateway SKUs.
● You can have only 1 tunnel when using a Policy-based VPN.
● You can only use Policy-based VPNs for S2S connections.
Most VPN Gateway configurations require a Route-based VPN.


Gateway SKUs and Generations


When you create a virtual network gateway, you need to specify the gateway SKU
that you want to use.
Select the SKU that satisfies your requirements based on the types of workloads,
throughputs, features, and SLAs.


Gateway SKUs and Generations


Create the Local Network gateway


The local network gateway typically refers to the on-premises location.
● IP Address. The public IP address of the local gateway.
● Address Space. One or more IP address ranges (in CIDR notation) that define
your local network's address space.


Configure the On-Premises VPN device


Microsoft has validated a list of standard VPN devices that should work well with
the VPN gateway.
This list was created in partnership with device manufacturers like Cisco, Juniper,
Ubiquiti, and Barracuda Networks.
If you don't see your device listed in the validated VPN devices table, contact
your device manufacturer for additional support and configuration instructions.


Configure the On-Premises VPN device


To configure your VPN device, you need the following:
● A shared key. This is the same shared key that you will specify when creating
the VPN connection.
● The public IP address of your VPN gateway. When you created the VPN
gateway you may have configured a new public IP address or used an existing IP
address.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices


Create the VPN Connection


Once your VPN gateways are created, you can create the connection between them.
● Name. Enter a name for your connection.
● Connection type. Select Site-to-Site (IPSec) from the drop-down.
● Shared key (PSK). In this field, enter a shared key for your connection.
You can generate or create this key yourself. In a site-to-site connection, the key
you use is the same for your on-premises device and your virtual network gateway
connection.

Verify the VPN Connection


After you have configured all the Site-to-Site components it is time to verify that
everything is working.
You can verify the connections either in the portal, or by using PowerShell.
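The Site-to-Site steps above (gateway subnet, VPN gateway, local network gateway, connection, verification) as one added Az PowerShell example that is not part of the original deck. It assumes a resource group rg-module5 containing a VNet vnet-hub already exists; the on-premises public IP 203.0.113.10 and address prefix 192.168.0.0/16 are constructed placeholders.

```powershell
# Added example, not from the course deck. Assumes an authenticated Az session.
$rg  = 'rg-module5'
$loc = 'eastus'

# 1. Gateway subnet: it must be named exactly GatewaySubnet, and no NSG is attached
#    to it (associating an NSG can stop the VPN gateway from functioning).
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27' `
    -VirtualNetwork $vnet | Out-Null
$vnet     = $vnet | Set-AzVirtualNetwork
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2. VPN gateway: Route-based so that S2S and P2S can share it; VpnGw1 is a
#    Generation1 SKU. Active-active would need a second IP configuration and
#    -EnableActiveActiveFeature, and is not available on the Basic SKU.
$pip    = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $loc `
            -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
            -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $loc `
        -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased `
        -GatewaySku VpnGw1 -VpnGatewayGeneration Generation1

# 3. Local network gateway: the on-premises device's public IP and the on-premises
#    address space (placeholder values).
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $loc `
        -GatewayIpAddress '203.0.113.10' -AddressPrefix '192.168.0.0/16'

# 4. Shared key: generate 32 random bytes rather than typing a guessable phrase.
#    The same value must be configured on the on-premises VPN device.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)

# 5. Create the Site-to-Site (IPsec) connection between the two gateways.
New-AzVirtualNetworkGatewayConnection -Name 'cn-hub-onprem' -ResourceGroupName $rg `
    -Location $loc -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk | Out-Null

# 6. Verify: ConnectionStatus should read Connected once the on-premises device
#    has been configured with the gateway public IP ($pip.IpAddress) and the PSK.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-hub-onprem' -ResourceGroupName $rg).ConnectionStatus
```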


High Availability Scenarios


Active/standby
Every Azure VPN gateway consists of two instances in an active-standby
configuration.
For any planned maintenance or unplanned disruption that happens to the
active instance, the standby instance would take over (failover) automatically,
and resume the S2S VPN or VNet-to-VNet connections.


Active/standby
The switchover will cause a brief interruption.
For planned maintenance, the connectivity should be restored within 10 to 15 seconds.
For unplanned issues, the connection recovery will be longer, about 1 minute to
1 and a half minutes in the worst case.


Active/standby
For P2S VPN client connections to the gateway, the P2S connections will be
disconnected and the users will need to reconnect from the client machines.


Active/active
You can now create an Azure VPN gateway in an active-active configuration, where
both instances of the gateway VMs establish S2S VPN tunnels to your on-premises
VPN device.
Each Azure gateway instance has a unique public IP address, and each establishes
an IPsec/IKE S2S VPN tunnel to the on-premises VPN device specified in your local
network gateway and connection.


Active/active
Both VPN tunnels are actually part of the same connection.
You must configure your on-premises VPN device to accept or establish two S2S VPN
tunnels to those two Azure VPN gateway public IP addresses.
Because the Azure gateway instances are in an active-active configuration, the
traffic from your Azure virtual network to your on-premises network is routed
through both tunnels simultaneously.


ExpressRoute Connections
Azure ExpressRoute lets you extend your on-premises networks into the
Microsoft cloud over a dedicated private connection facilitated by a
connectivity provider.
With ExpressRoute, you can establish connections to Microsoft cloud services,
such as Microsoft Azure, Office 365, and CRM Online.


Make your connections fast, reliable, and private


Use Azure ExpressRoute to create private connections between Azure datacenters
and infrastructure on your premises or in a colocation environment.
ExpressRoute connections don't go over the public Internet.
ExpressRoute offers more reliability, faster speeds, and lower latencies than
typical Internet connections.
In some cases, using ExpressRoute connections to transfer data between on-
premises systems and Azure can give you significant cost benefits.


Use a virtual private cloud for storage, backup, and recovery


ExpressRoute gives a fast and reliable connection with bandwidths up to 100 Gbps.
Excellent for scenarios like periodic data migration, replication, disaster recovery,
and other high-availability strategies.


Extend and connect your datacenters


Use ExpressRoute to both connect and add compute and storage capacity to your
existing datacenters, with high throughput and low latency.


Build hybrid applications


Build applications that span on-premises infrastructure and Azure without
compromising privacy or performance.
For example, run a corporate intranet application in Azure that authenticates
your customers with an on-premises Active Directory service.


ExpressRoute Capabilities
ExpressRoute is supported across all Azure regions and locations.
ExpressRoute locations refer to those where Microsoft peers with several service
providers.


ExpressRoute benefits
Layer 3 connectivity: Microsoft uses BGP, an industry standard dynamic
routing protocol, to exchange routes between your on-premises network, your
instances in Azure, and Microsoft public addresses.
Redundancy: Each ExpressRoute circuit consists of two connections to two
Microsoft Enterprise edge routers (MSEEs) from the connectivity provider/your
network edge.


ExpressRoute benefits
Connectivity to Microsoft cloud services: ExpressRoute connections enable
access to the following services: Microsoft Azure services, Microsoft Office 365
services, and Microsoft Dynamics 365.
Connectivity to all regions within a geopolitical region: You can connect to
Microsoft in one of our peering locations and access regions within the
geopolitical region.
Global connectivity with ExpressRoute premium add-on: You can enable
the ExpressRoute premium add-on feature to extend connectivity across
geopolitical boundaries.


ExpressRoute benefits
Across on-premises connectivity with ExpressRoute Global Reach: You can
enable ExpressRoute Global Reach to exchange data across your on-premises
sites by connecting your ExpressRoute circuits.


ExpressRoute benefits
Bandwidth options: You can purchase ExpressRoute circuits for a wide range of
bandwidths from 50 Mbps to 10 Gbps.
Flexible billing models: You can pick a billing model that works best for you. Choose
between the billing models listed below.
● Unlimited data. All inbound and outbound data transfer is included free of charge.
● Metered data. Outbound data transfer is charged per GB of data transfer. Data
transfer rates vary by region.
● ExpressRoute premium add-on. This add-on includes increased routing table
limits, increased number of VNets, global connectivity, and connections to Office 365
and Dynamics 365.


Coexisting Site-to-Site and ExpressRoute


ExpressRoute is a direct, private connection.
Site-to-Site VPN traffic travels encrypted over the public Internet.
You can configure both Site-to-Site VPN and ExpressRoute connections for the same
virtual network.


ExpressRoute and VPN Gateway coexisting connections example


ExpressRoute connection models


You can create a connection between your on-premises network and the Microsoft
cloud in three different ways: co-located at a cloud exchange, point-to-point
Ethernet connection, and any-to-any (IPVPN) connection.


Co-located at a cloud exchange


Co-location providers can offer either Layer 2 cross-connections, or managed
Layer 3 cross-connections between your infrastructure in the co-location facility
and the Microsoft cloud.


Point-to-point Ethernet connections


Point-to-point Ethernet providers can offer Layer 2 connections, or managed
Layer 3 connections between your site and the Microsoft cloud.


Any-to-any (IPVPN) networks


You can integrate your WAN with the Microsoft cloud. IPVPN providers, typically
Multiprotocol Label Switching (MPLS) VPN, offer any-to-any connectivity between
your branch offices and datacenters.
WAN providers typically offer managed Layer 3 connectivity.


Intersite Connections Comparison


There are many intersite connection choices. This table summarizes how to make
a selection.


Virtual WANs
Azure Virtual WAN brings together many Azure cloud connectivity services such as
site-to-site VPN, User VPN (point-to-site), and ExpressRoute into a single
operational interface.


Virtual WAN advantages


● Integrated connectivity solutions in hub and spoke. Automate site-to-site
configuration and connectivity between on-premises sites and an Azure hub.
● Automated spoke setup and configuration. Connect your virtual networks and
workloads to the Azure hub seamlessly.
● Intuitive troubleshooting. You can see the end-to-end flow within Azure, and
then use this information to take required actions.


Virtual WAN types


There are two types of virtual WANs: Basic and Standard.


Module 05 Lab
Lab 05 - Implement Virtual Networking
Objectives
In this lab, you will:
● Task 1: Provision the lab environment.
● Task 2: Configure local and global virtual network peering.
● Task 3: Test intersite connectivity.


Thanks!
Any questions?
You can find me at:
[email protected]
+93 784670845
