Lab: VNet Peering and Service Chaining

All tasks in this lab are performed from the Azure portal except for Exercise 2 Task 3, Exercise 3 Task 1, and Exercise 3 Task 2, which include steps performed from a Remote Desktop session to an Azure VM

Lab files:

  • Labfiles\Module_05\VNet_Peering_and_Service_Chaining\az-100-04_01_azuredeploy.json

  • Labfiles\Module_05\VNet_Peering_and_Service_Chaining\az-100-04_02_azuredeploy.json

  • Labfiles\Module_05\VNet_Peering_and_Service_Chaining\az-100-04_azuredeploy.parameters.json

Scenario

Adatum Corporation wants to implement service chaining between Azure virtual networks in its Azure subscription.

Objectives

After completing this lab, you will be able to:

  • Create Azure virtual networks and deploy Azure VM by using Azure Resource Manager templates.

  • Configure VNet peering.

  • Implement custom routing

  • Validate service chaining

Exercise 0: Prepare the Azure environment

The main tasks for this exercise are as follows:

  1. Create the first virtual network hosting two Azure VMs by using an Azure Resource Manager template

  2. Create the second virtual network in the same region hosting a single Azure VM by using an Azure Resource Manager template

Task 1: Create the first virtual network hosting two Azure VMs by using an Azure Resource Manager template

  1. From the lab virtual machine, start Microsoft Edge, browse to the Azure portal at http://portal.azure.com and sign in by using a Microsoft account that has the Owner role in the Azure subscription you intend to use in this lab.

  2. In the Azure portal, navigate to the New blade.

  3. From the New blade, search Azure Marketplace for Template deployment.

  4. Use the list of search results to navigate to the Template deployment (deploy using custom templates) blade, and then click Create.

  5. On the Custom deployment blade, click the Build your own template in the editor link. If you do not see this link, click Edit template instead.

  6. From the Edit template blade, load the template file Labfiles\Module_05\VNet_Peering_and_Service_Chaining\az-100-04_01_azuredeploy.json.

    Note: Review the content of the template and note that it defines deployment of an Azure VM hosting Windows Server 2016 Datacenter.

  7. Save the template and return to the Custom deployment blade.

  8. From the Custom deployment blade, navigate to the Edit parameters blade.

  9. From the Edit parameters blade, load the parameters file Labfiles\Module_05\VNet_Peering_and_Service_Chaining\az-100-04_azuredeploy.parameters.json.

  10. Save the parameters and return to the Custom deployment blade.

  11. From the Custom deployment blade, initiate a template deployment with the following settings:

    • Subscription: the name of the subscription you are using in this lab

    • Resource group: the name of a new resource group az1000401-RG

    • Location: the name of the Azure region which is closest to the lab location and where you can provision Azure VMs

    • Vm Size: use Standard_DS1_v2 or Standard_DS2_v2, based on the instructor’s recommendations

    • Vm1Name: az1000401-vm1

    • Vm2Name: az1000401-vm2

    • Admin Username: Student

    • Admin Password: Pa55w.rd1234

    • Virtual Network Name: az1000401-vnet1

    Note: To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-us/regions/offers/

Note: Do not wait for the deployment to complete but proceed to the next task. You will use the network and the virtual machines included in this deployment in the second exercise of this lab.

Task 2: Create the second virtual network in the same region hosting a single Azure VM by using an Azure Resource Manager template

  1. In the Azure portal, navigate to the New blade.

  2. From the New blade, search Azure Marketplace for Template deployment.

  3. Use the list of search results and select the Template deployment (deploy using custom templates) result, and then click Create.

  4. On the Custom deployment blade, click the Build your own template in the editor link. If you do not see this link, click Edit template instead.

  5. From the Edit template blade, load the template file Labfiles\Module_05\VNet_Peering_and_Service_Chaining\az-100-04_02_azuredeploy.json.

    Note: Review the content of the template and note that it defines deployment of an Azure VM hosting Windows Server 2016 Datacenter.

  6. Save the template and return to the Custom deployment blade.

  7. From the Custom deployment blade, navigate to the Edit parameters blade.

  8. From the Edit parameters blade, load the parameters file Labfiles\Module_05\VNet_Peering_and_Service_Chaining\az-100-04_azuredeploy.parameters.json.

  9. Save the parameters and return to the Custom deployment blade.

  10. From the Custom deployment blade, initiate a template deployment with the following settings:

    • Subscription: the name of the subscription you are using in this lab

    • Resource group: the name of a new resource group az1000402-RG

    • Location: the name of the Azure region which you selected in the previous task

    • Vm Size: use Standard_DS1_v2 or Standard_DS2_v2, based on the instructor’s recommendations

    • VmName: az1000402-vm3

    • Admin Username: Student

    • Admin Password: Pa55w.rd1234

    • Virtual Network Name: az1000402-vnet2

    Note: Do not wait for the deployment to complete but proceed to the next task. You will use the network and the virtual machines included in this deployment in the second exercise of this lab.

Result: After you completed this exercise, you have created two Azure virtual networks and initiated deployments of three Azure VM by using Azure Resource Manager templates.

Exercise 1: Configure VNet peering

The main tasks for this exercise are as follows:

  1. Configure VNet peering for the first virtual network

  2. Configure VNet peering for the second virtual network

Task 1: Configure VNet peering for the first virtual network

  1. In the Azure portal, navigate to the az1000401-vnet1 virtual network blade.

  2. From the az1000401-vnet1 virtual network blade, display its Peerings blade.

  3. From the az1000401-vnet1 - Peerings blade, click + Add to create a VNet peering with the following settings:

    • Name: az1000401-vnet1-to-az1000402-vnet2

    • Virtual network deployment model: Resource manager

    • I know my resource ID: leave unchecked

    • Subscription: the name of the Azure subscription you are using in this lab

    • Virtual network: az1000402-vnet2

    • Name of peering from az1000402-vnet2 to az1000401-vnet1: az1000402-vnet2-to-az1000401-vnet1

    • Allow virtual network access from az1000401-vnet1 to az1000402-vnet2: Enabled

    • Allow virtual network access from az1000402-vnet2 to az1000401-vnet1: Enabled

    • Allow forwarded traffic from az1000402-vnet2 to az1000401-vnet1: Disabled

    • Allow forwarded traffic from az1000401-vnet1 to az1000402-vnet2: Disabled

    • Allow gateway transit: unchecked

    Note: Because you have administrative access to both virtual networks, the portal is configuring both directions (from vnet1 to vnet2, AND vnet2 to vnet1) in a single action. From the CLI, PowerShell, or REST API, these tasks must be performed independently.

Exercise 2: Implement custom routing

The main tasks for this exercise are as follows:

  1. Enable IP forwarding for a network interface of an Azure VM

  2. Configure user defined routing

  3. Configure routing in an Azure VM running Windows Server 2016

Task 1: Enable IP forwarding for a network interface of an Azure VM

Note: Before you start this task, ensure that the template deployments you started in Exercise 0 have completed.

  1. In the Azure portal, navigate to the blade of the second Azure VM az1000401-vm2.

  2. From the az1000401-vm2 blade, display its Networking blade.

  3. From the az1000401-vm2 - Networking blade, display the blade of the network adapter (az1000401-nic2) of the Azure VM.

  4. From the az1000401-nic2 blade, display its IP configurations blade.

  5. From the az1000401-nic2 - IP configurations set IP forwarding to Enabled, and then click Save.

Note: The Azure VM az1000401-vm2, which network interface you configured in this task, will function as a router, facilitating service chaining between the two virtual networks.

Task 2: Configure user defined routing

  1. In the Azure portal, navigate to the New blade.

  2. From the New blade, search Azure Marketplace for Route table.

  3. Select Route table, and then click Create.

  4. From the Create route table blade, create a new route table with the following settings:

    • Name: az1000402-rt1

    • Subscription: the name of the Azure subscription you use for this lab

    • Resource group: az1000402-RG

    • Location: the same Azure region in which you created the virtual networks

    • Virtual network gateway route propagation: Disabled

  5. In the Azure portal, navigate to the az1000402-rt1 blade.

  6. From the az1000402-rt1 blade, display its Routes blade.

  7. From the az1000402-rt1 - Routes blade, add to the route table a route with the following settings:

    • Route name: custom-route-to-az1000401-vnet1

    • Address prefix: 10.104.0.0/16

    • Next hop type: Virtual appliance

    • Next hop address: 10.104.1.4

    Note: 10.104.1.4 is the IP address of the network interface of az1000401-vm2, which will provide service chaining between the two virtual networks.

  8. From the az1000402-rt1 blade, display its Subnets blade.

  9. From the az1000402-rt1 - Subnets blade, associate the route table az1000402-rt1 with subnet0 of az1000402-vnet2.

Task 3: Configure routing in an Azure VM running Windows Server 2016

  1. In the Azure portal, navigate to the blade of the az1000401-vm2 Azure VM.

  2. From the Overview pane of the az1000401-vm2 blade, generate an RDP file and use it to connect to az1000401-vm2.

  3. When prompted, authenticate by specifying the following credentials:

    • User name: Student

    • Password: Pa55w.rd1234

  4. Within the Remote Desktop session to az1000401-vm2, from Server Manager, select Manage use the Add Roles and Features Wizard

  5. Click Next twice, ensure az1000401-vm2 is selected and click Next, select the Remote Access server role then click Next three times, Select the Routing role service, select Add Features and all required features. Select Next three times, click Install. Click Close when the installation is complete.

    Note: If you receive an error message There may be a version mismatch between this computer and the destination server or VHD once you select the Remote Access checkbox on the Server Roles page of the Add Roles and Features Wizard, clear the checkbox, click Next, click Previous and select the Remote Access checkbox again.

  6. Within the Remote Desktop session to az1000401-vm2, from Server Manager, select Tools start the Routing and Remote Access console.

  7. In the Routing and Remote Access console, right click on the server name and select Configure and Enable Routing and Remote Access, Select Next use the Custom configuration then Next, enable LAN routing then Next, click Finish and the click Start Service.

  8. Within the Remote Desktop session to az1000401-vm2, start the Windows Firewall with Advanced Security console and enable File and Printer Sharing (Echo Request - ICMPv4-In) inbound rule for all profiles.

Result: After completing this exercise, you have implemented custom routing between peered Azure virtual networks.

Exercise 3: Validating service chaining

The main tasks for this exercise are as follows:

  1. Configure Windows Firewall with Advanced Security on the target Azure VM

  2. Test service chaining between peered virtual networks

Task 1: Configure Windows Firewall with Advanced Security on the target Azure VM

  1. In the Azure portal, navigate to the blade of the az1000401-vm1 Azure VM.

  2. From the Overview pane of the az1000401-vm1 blade, generate an RDP file and use it to connect to az1000401-vm1.

  3. When prompted, authenticate by specifying the following credentials:

    • User name: Student

    • Password: Pa55w.rd1234

  4. Within the Remote Desktop session to az1000401-vm1, open the Windows Firewall with Advanced Security console and enable File and Printer Sharing (Echo Request - ICMPv4-In) inbound rule for all profiles.

Task 2: Test service chaining between peered virtual networks

  1. In the Azure portal, navigate to the blade of the az1000402-vm3 Azure VM.

  2. From the Overview pane of the az1000402-vm3 blade, generate an RDP file and use it to connect to az1000402-vm3.

  3. When prompted, authenticate by specifying the following credentials:

    • User name: Student

    • Password: Pa55w.rd1234

  4. Once you are connected to az1-1000402-vm3 via the Remote Desktop session, start Windows PowerShell.

  5. In the Windows PowerShell window, run the following:

    Test-NetConnection -ComputerName 10.104.0.4 -TraceRoute
    

    Note: 10.104.0.4 is the IP address of the network interface of the first Azure VM az1000401-vm1

  6. Verify that test is successful and note that the connection was routed over 10.104.1.4

    Note: Without custom routing in place, the traffic would flow directly between the two Azure VMs.

Result: After you completed this exercise, you have validated service chaining between peered Azure virtual networks.

Exercise 4: Remove lab resources

Task 1: Open Cloud Shell

  1. At the top of the portal, click the Cloud Shell icon to open the Cloud Shell pane.

  2. At the Cloud Shell interface, select Bash.

  3. At the Cloud Shell command prompt, type in the following command and press Enter to list all resource groups you created in this lab:

    az group list --query "[?starts_with(name,'az1000')].name" --output tsv
    
  4. Verify that the output contains only the resource groups you created in this lab. These groups will be deleted in the next task.

Task 2: Delete resource groups

  1. At the Cloud Shell command prompt, type in the following command and press Enter to delete the resource groups you created in this lab

    az group list --query "[?starts_with(name,'az1000')].name" --output tsv | xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'
    
  2. Close the Cloud Shell prompt at the bottom of the portal.

Result: In this exercise, you removed the resources used in this lab.