WEBVTT

0:00:02.640000 --> 0:00:08.000000
In this video, we're going to take a look at Azure Virtual Network Gateways.

0:00:08.000000 --> 0:00:12.020000
The topics that we're going to cover include what Virtual Network Gateways

0:00:12.020000 --> 0:00:14.020000
are and the big picture.

0:00:14.020000 --> 0:00:19.200000
Then we're going to drill down into some of the details regarding Virtual

0:00:19.200000 --> 0:00:20.780000
Network Gateways.

0:00:20.780000 --> 0:00:24.840000
Then I'll go ahead and demonstrate both provisioning a Virtual Network

0:00:24.840000 --> 0:00:27.040000
Gateway and also how you would use those.

0:00:27.040000 --> 0:00:31.580000
I'm going to set up a VNet to VNet gateway connection.

0:00:31.580000 --> 0:00:34.760000
So let's go ahead and let's dive into this.

0:00:34.760000 --> 0:00:37.620000
For starters, I'm going to talk about the components that you would use

0:00:37.620000 --> 0:00:39.840000
for a Virtual Network Gateway.

0:00:39.840000 --> 0:00:42.840000
Let's go ahead and draw that out.

0:00:42.840000 --> 0:00:48.100000
I've got two main elements.

0:00:48.100000 --> 0:00:54.880000
I've got my on-prem environment.

0:00:54.880000 --> 0:00:59.200000
Now, I should say I can do this VNet to VNet as well, but really the one

0:00:59.200000 --> 0:01:04.640000
you typically care about is on-prem and I've got a VNet.

0:01:04.640000 --> 0:01:07.240000
Now, here's what I need.

0:01:07.240000 --> 0:01:11.980000
I need on the VNet side, I need a gateway.

0:01:11.980000 --> 0:01:14.460000
Now, right now, I'm going to talk about VPN gateways and then I'll kind

0:01:14.460000 --> 0:01:18.360000
of redo it a little bit with ExpressRoute, but that's not really the focus

0:01:18.360000 --> 0:01:24.960000
here. Now, that gateway needs to have a dedicated subnet.

0:01:24.960000 --> 0:01:29.420000
It actually needs a dedicated subnet that has a specific name, which is

0:01:29.420000 --> 0:01:36.380000
GatewaySubnet. Now, that can be a small subnet.
0:01:36.380000 --> 0:01:39.340000
You can go technically, I think you can go as low as a /28, but you never

0:01:39.340000 --> 0:01:45.040000
want to go below a /27, but it can be out of the way and that's going to

0:01:45.040000 --> 0:01:47.380000
set up your gateway on the VNet.

0:01:47.380000 --> 0:01:54.000000
Easy enough. That gateway subnet is going to have a public IP address.

0:01:54.000000 --> 0:01:59.780000
And the gateway subnet public IP is effectively static, even if it's dynamic

0:01:59.780000 --> 0:02:03.740000
because you can't shut down a gateway subnet or gateway.

0:02:03.740000 --> 0:02:07.220000
The only way you get rid of a gateway is to delete it, so it doesn't really

0:02:07.220000 --> 0:02:08.680000
matter whether it's static or not.

0:02:08.680000 --> 0:02:17.960000
Now, on the on-prem side, you are going to have some kind of VPN appliance.

0:02:17.960000 --> 0:02:23.640000
And of course, all of your major vendors have VPN appliances that are

0:02:23.640000 --> 0:02:28.980000
going to work with the VNet Gateways, VPN Gateways in Azure.

0:02:28.980000 --> 0:02:36.560000
Now, the VPN appliance does have to have an addressable public IP so that

0:02:36.560000 --> 0:02:39.480000
the gateway subnet knows who to communicate with.

0:02:39.480000 --> 0:02:44.980000
Now, once you establish the connection between them, all data, of course,

0:02:44.980000 --> 0:02:49.380000
is going to flow between these endpoints that's going between your on-prem

0:02:49.380000 --> 0:02:54.640000
and your gateway.

0:02:54.640000 --> 0:02:57.200000
Now, it is possible to define redundancy.

0:02:57.200000 --> 0:03:01.660000
I can have multiple connections to my gateway subnet, which means I could,

0:03:01.660000 --> 0:03:09.320000
for example, have multiple redundant appliances on the on-prem side.

0:03:09.320000 --> 0:03:15.020000
And I can run those in an active-active or active-passive architecture.
0:03:15.020000 --> 0:03:19.040000
And again, what that's going to do is funnel all of the traffic between

0:03:19.040000 --> 0:03:24.900000
these two sites, the on-prem and the VNet, over that tunnel.

0:03:24.900000 --> 0:03:28.380000
Now, again, the VPN is going over the public internet.

0:03:28.380000 --> 0:03:34.300000
It's going to encrypt it with shared IPsec, IPsec shared key encryption.

0:03:34.300000 --> 0:03:39.220000
Now, there's another component that you need on the Azure side if you're

0:03:39.220000 --> 0:03:40.520000
going to do this.

0:03:40.520000 --> 0:03:47.400000
And what you need is you need a what's called a local network gateway.

0:03:47.400000 --> 0:03:53.500000
This is say local NW, GW, because I'm probably trying to type all that

0:03:53.500000 --> 0:04:02.960000
out. Now, what the local network gateway does is it really just represents

0:04:02.960000 --> 0:04:05.100000
your endpoint on the client side.

0:04:05.100000 --> 0:04:09.280000
So it's going to have really two key components on the on-prem side, I

0:04:09.280000 --> 0:04:11.280000
said client side, on-prem side.

0:04:11.280000 --> 0:04:16.460000
It's going to have the public IP that it can connect to.

0:04:16.460000 --> 0:04:20.560000
And it's going to have the address space.

0:04:20.560000 --> 0:04:22.460000
It's over on the other side.

0:04:22.460000 --> 0:04:27.560000
And so what I do in Azure, when I'm configuring a virtual network gateway

0:04:27.560000 --> 0:04:29.920000
connection in Azure, I create the local network gateway connection to

0:04:29.920000 --> 0:04:33.480000
the local network gateway to represent the on-prem gateway.

0:04:33.480000 --> 0:04:38.420000
And then I create a connection to that local network gateway, right?

0:04:38.420000 --> 0:04:43.580000
Which effectively actually creates the connection, of course, to the appliance

0:04:43.580000 --> 0:04:49.400000
itself. And that is how the base configuration of virtual network gateways

0:04:49.400000 --> 0:04:51.160000
works. Couple of things to know.

0:04:51.160000 --> 0:04:56.040000
First of all, you have the option that first of all, there's multiple

0:04:56.040000 --> 0:04:59.100000
tiers. I'm going to bring up a pricing page and show you the different

0:04:59.100000 --> 0:05:02.840000
tiers for virtual network gateways that you can choose because the capabilities

0:05:02.840000 --> 0:05:05.160000
do depend on the tier that you choose.

0:05:05.160000 --> 0:05:10.780000
Also, virtual network gateways do support BGP, right?

0:05:10.780000 --> 0:05:15.260000
So, border gateway protocol, allowing you to automatically transfer things

0:05:15.260000 --> 0:05:18.600000
like prefixes for routing purposes.

0:05:18.600000 --> 0:05:23.040000
But this is big picture virtual network gateways as far as VPN.

0:05:23.040000 --> 0:05:25.880000
Now, I'm going to just clear this because there's a lot here.

0:05:25.880000 --> 0:05:35.900000
And then I'm going to redraw the same thing, but with ExpressRoute.

0:05:35.900000 --> 0:05:39.320000
And again, I'm not really going to focus on ExpressRoute because it's

0:05:39.320000 --> 0:05:42.000000
not really the focus of this course.

0:05:42.000000 --> 0:05:45.120000
But with ExpressRoute, I've got a private connection.

0:05:45.120000 --> 0:05:52.980000
I have to contract with an ExpressRoute provider to set up a circuit

0:05:52.980000 --> 0:05:56.560000
that's going to come into my place of business, or I can co-locate.

0:05:56.560000 --> 0:05:58.380000
There's different options there.

0:05:58.380000 --> 0:06:00.980000
A lot of options, not going to go into all that right now.

0:06:00.980000 --> 0:06:06.460000
But key thing is that's going to provide a circuit into Azure that is

0:06:06.460000 --> 0:06:08.860000
going over that private connectivity.
0:06:08.860000 --> 0:06:13.020000
Now, as far as ExpressRoute goes, on the Azure side, you have a gateway.

0:06:13.020000 --> 0:06:14.480000
You have an ExpressRoute gateway.

0:06:14.480000 --> 0:06:15.740000
It's still a virtual network gateway.

0:06:15.740000 --> 0:06:18.160000
It's just set up for ExpressRoute.

0:06:18.160000 --> 0:06:23.200000
And it has some configuration options, although not as many as you have

0:06:23.200000 --> 0:06:27.360000
with a VPN gateway because most of the work, frankly, is being done when

0:06:27.360000 --> 0:06:29.220000
you set up ExpressRoute itself.

0:06:29.220000 --> 0:06:30.880000
A couple things to note.

0:06:30.880000 --> 0:06:36.140000
If you are using a hub and spoke architecture with ExpressRoute, you

0:06:36.140000 --> 0:06:42.760000
have to set up the BGP to advertise your IP addresses and IP address prefixes.

0:06:42.760000 --> 0:06:46.260000
Whereas if I'm using a VPN gateway, I actually can set up gateway transit

0:06:46.260000 --> 0:06:49.420000
and that's going to handle it for me automatically.

0:06:49.420000 --> 0:06:52.900000
That's the big picture with virtual network gateways.

0:06:52.900000 --> 0:06:57.020000
One other thing, before I go beyond the big picture, you can actually

0:06:57.020000 --> 0:07:04.060000
have, and this is a not uncommon architecture, I can have both an ExpressRoute

0:07:04.060000 --> 0:07:09.840000
and a VPN gateway set up to handle the same communications as a

0:07:09.840000 --> 0:07:15.000000
fallback or possibly even to give you a little more actual capacity.

0:07:15.000000 --> 0:07:20.240000
All right, let's take a look briefly at some of what I would consider

0:07:20.240000 --> 0:07:25.720000
to be kind of important choices and details with your gateways.

0:07:25.720000 --> 0:07:29.120000
First of all, for a VPN gateway, there's a key decision.

0:07:29.120000 --> 0:07:31.240000
Well, I actually say there's kind of two key decisions.
0:07:31.240000 --> 0:07:32.340000
One is the tier.

0:07:32.340000 --> 0:07:36.140000
The other is, is it going to be route-based or policy-based?

0:07:36.140000 --> 0:07:38.220000
Route-based is going to be dynamic.

0:07:38.220000 --> 0:07:40.780000
Policy-based is going to be static.

0:07:40.780000 --> 0:07:43.680000
Route-based is almost always the choice you want to go through.

0:07:43.680000 --> 0:07:48.020000
If you go with, it has more functionality, more capability, so you can

0:07:48.020000 --> 0:07:53.700000
make more connections to a route-based VPN gateway.

0:07:53.700000 --> 0:07:59.600000
As far as encryption, you have IKE, IPsec, shared key, and that can be

0:07:59.600000 --> 0:08:05.560000
IKEv1 or v2 depending on your configuration of your gateway.

0:08:05.560000 --> 0:08:09.200000
Also, for encryption, I'm just going to mention it here, not going to

0:08:09.200000 --> 0:08:15.180000
go deep down this path, but you can actually set up very granular detailed

0:08:15.180000 --> 0:08:18.040000
custom encryption policies.

0:08:18.040000 --> 0:08:24.640000
If you've got a requirement that you're using specific algorithms and

0:08:24.640000 --> 0:08:29.260000
you're ordering them and you need a very detailed level of control of

0:08:29.260000 --> 0:08:33.000000
the encryption behind your VPN gateway, you actually have the ability

0:08:33.000000 --> 0:08:34.700000
to do that on the Azure side.

0:08:34.700000 --> 0:08:38.120000
Obviously, if you do that, you're going to have to have a matching policy

0:08:38.120000 --> 0:08:40.880000
on the on-prem side.

0:08:40.880000 --> 0:08:45.060000
Point to site. If you're using point to site, a couple things you want

0:08:45.060000 --> 0:08:48.960000
to know. First of all, there are actually three different protocols that

0:08:48.960000 --> 0:08:51.280000
are supported with point to site.

0:08:51.280000 --> 0:08:56.320000
There's OpenVPN, which is a very common open, well VPN standard.
0:08:56.320000 --> 0:09:01.580000
There's SSTP, which is a Microsoft proprietary standard, and, and here's

0:09:01.580000 --> 0:09:10.460000
that, point to site as well.

0:09:10.460000 --> 0:09:15.680000
There are two different authentication methods.

0:09:15.680000 --> 0:09:18.480000
It's one thing to have the protocol for communication, but I also need

0:09:18.480000 --> 0:09:19.800000
to authenticate.

0:09:19.800000 --> 0:09:24.920000
I can either use native certificate-based authentication or I can use

0:09:24.920000 --> 0:09:27.480000
a RADIUS server.

0:09:27.480000 --> 0:09:29.880000
That is how you authenticate with point to site.

0:09:29.880000 --> 0:09:31.560000
I've got ExpressRoute in here.

0:09:31.560000 --> 0:09:35.020000
That's really just kind of a placeholder so that you know you can set

0:09:35.020000 --> 0:09:44.380000
up an ExpressRoute component rather than using a VPN gateway for a lot of reasons.

0:09:44.380000 --> 0:09:47.660000
A large part of the configuration of ExpressRoute is going to be done

0:09:47.660000 --> 0:09:52.300000
with the ExpressRoute provider as opposed to, say, you're just doing something

0:09:52.300000 --> 0:09:55.420000
on-prem and then setting it up with Azure.

0:09:55.420000 --> 0:09:56.980000
Lots of options there.

0:09:56.980000 --> 0:10:01.700000
Very deep topic to go down, but not really the focus, as I said, of this

0:10:01.700000 --> 0:10:06.560000
particular demonstration or video.

0:10:06.560000 --> 0:10:13.200000
All right. Now, what I want to do is I want to demonstrate a VPN gateway.

0:10:13.200000 --> 0:10:15.620000
I'm going to do first, kind of draw out.

0:10:15.620000 --> 0:10:19.120000
I've already got a deployed scenario, and I'm going to draw it out a little

0:10:19.120000 --> 0:10:22.840000
bit and show you what we have, and then I'm going to dive in and set up

0:10:22.840000 --> 0:10:27.460000
the VPN gateway and a VPN gateway connection.
0:10:27.460000 --> 0:10:32.340000
I'm going to go, drawing myself a whiteboard here.

0:10:32.340000 --> 0:10:33.460000
Here's what I have deployed.

0:10:33.460000 --> 0:10:37.240000
I have four networks deployed.

0:10:37.240000 --> 0:10:40.740000
I've got a network representing an on-prem environment.

0:10:40.740000 --> 0:10:44.740000
I've got a network representing a hub environment and two spokes.

0:10:44.740000 --> 0:10:49.880000
Now, I don't actually have this set up through the on-prem, but really

0:10:49.880000 --> 0:10:55.400000
the only difference, if you're doing this for real with on-prem, the difference

0:10:55.400000 --> 0:10:57.380000
would be that, of course, you would have to go and configure whatever

0:10:57.380000 --> 0:11:01.640000
your on-prem appliances, and you would also have to create a local network

0:11:01.640000 --> 0:11:03.700000
gateway. I'll show you how to do that.

0:11:03.700000 --> 0:11:08.040000
I've got an on-prem with a server in the on-prem.

0:11:08.040000 --> 0:11:15.160000
I've got a hub network with a server in the hub network, and the server

0:11:15.160000 --> 0:11:31.260000
is a Windows Server 2016, and I've got spoke 1 and spoke 2.

0:11:31.260000 --> 0:11:33.040000
I've got servers in each one of these.

0:11:33.040000 --> 0:11:38.960000
I've just got these networks, and I've got some servers so I can test

0:11:38.960000 --> 0:11:44.480000
connectivity. Now, for both the on-prem and the hub, I have already installed

0:11:44.480000 --> 0:11:50.380000
a VPN gateway, and I've already set up a peering connection between the

0:11:50.380000 --> 0:11:50.980000
hub and the spoke.

0:11:50.980000 --> 0:11:55.420000
I've already installed the VPN gateways because they take about 40 minutes

0:11:55.420000 --> 0:11:59.220000
to provision, and I thought that would make for a very bad demonstration

0:11:59.220000 --> 0:12:02.460000
watching the clock tick for 40 minutes.
0:12:02.460000 --> 0:12:06.760000
I've already set up the peering connection because that's actually done

0:12:06.760000 --> 0:12:11.040000
in other videos, fairly straightforward, and it's really just a kind of

0:12:11.040000 --> 0:12:14.680000
a side issue here that I want to show you with the connectivity.

0:12:14.680000 --> 0:12:19.340000
What I want to do is I'm first going to install something I'm not going

0:12:19.340000 --> 0:12:22.720000
to use at all, but I'm going to install a VPN gateway on spoke 2 just

0:12:22.720000 --> 0:12:27.160000
so you can see the process of installing it, and then I'm going to set

0:12:27.160000 --> 0:12:31.380000
up a connection between the on-prem VPN gateway and the hub.

0:12:31.380000 --> 0:12:38.040000
I'm also going to set up just kind of randomly a local gateway, local

0:12:38.040000 --> 0:12:41.220000
network gateway, just so you can see what that setting is.

0:12:41.220000 --> 0:12:44.880000
I'm going to then set the connection between the on-prem and hub, and

0:12:44.880000 --> 0:12:54.940000
I'm going to modify my peering connection a little bit and show you how

0:12:54.940000 --> 0:12:57.620000
by just setting a setting in the peering connection, I should be able

0:12:57.620000 --> 0:13:02.000000
to connect all the way from my on-prem through the hub to the spoke, without

0:13:02.000000 --> 0:13:05.080000
actually having to set any routes myself.

0:13:05.080000 --> 0:13:07.260000
That's what we're going to do.

0:13:07.260000 --> 0:13:14.480000
Let's go ahead and take a look at it.

0:13:14.480000 --> 0:13:21.480000
What I have up right now is just the topology view of that same networking

0:13:21.480000 --> 0:13:24.540000
where you can see I've got the on-prem, I've got the spokes, spoke 1 and spoke

0:13:24.540000 --> 0:13:27.020000
2, and I've got the hub VNet.

0:13:27.020000 --> 0:13:30.400000
It's not ordered exactly the way I would want it, but you can see all

0:13:30.400000 --> 0:13:32.660000
the parts here. I'm not going to spend a whole lot of time on it if you

0:13:32.660000 --> 0:13:35.060000
want to pause the video and kind of look through the parts.

0:13:35.060000 --> 0:13:36.540000
There are key things.

0:13:36.540000 --> 0:13:41.180000
I've got the VPN gateways on both the hub and the on-prem and the spoke

0:13:41.180000 --> 0:13:44.280000
is connected to the hub via peering.

0:13:44.280000 --> 0:13:54.000000
What I'm going to do now is go ahead and create a virtual network gateway.

0:13:54.000000 --> 0:14:02.520000
I'm going to go and set this up and I'm going to give this a name.

0:14:02.520000 --> 0:14:07.780000
This is going to be spoke 2 VPN.

0:14:07.780000 --> 0:14:12.540000
I'll put this in the east because that's where everything is.

0:14:12.540000 --> 0:14:16.060000
I've got the choice of either VPN or ExpressRoute.

0:14:16.060000 --> 0:14:19.360000
On VPN I've got route-based or policy-based.

0:14:19.360000 --> 0:14:21.260000
Then I've got the SKU.

0:14:21.260000 --> 0:14:25.420000
I told you that I would actually show you the pricing page so you can

0:14:25.420000 --> 0:14:27.100000
see the differentiation of the SKU.

0:14:27.100000 --> 0:14:30.580000
I'm just going to bring that up really quickly.

0:14:30.580000 --> 0:14:40.220000
Appreciate it. Hopefully this is the right one.

0:14:40.220000 --> 0:14:43.360000
That is the right one.

0:14:43.360000 --> 0:14:49.080000
Here are the prices and the limits of all of them.

0:14:49.080000 --> 0:14:50.840000
Basic, of course, is going to be the cheapest.

0:14:50.840000 --> 0:14:59.000000
It will only go up to 10 tunnels and 128 point to site tunnels.

0:14:59.000000 --> 0:15:07.320000
VpnGw1, VpnGw2 and VpnGw3 all support up to 30 site to site tunnels and 250

0:15:07.320000 --> 0:15:10.820000
up to 1,000 point to sites.

0:15:10.820000 --> 0:15:15.960000
But do note that you need to pay additional above certain limits.

0:15:15.960000 --> 0:15:23.280000
There are some outbound traffic costs.
0:15:23.280000 --> 0:15:28.720000
You also now have the ability to put your VPN gateways across different

0:15:28.720000 --> 0:15:30.820000
availability zones.

0:15:30.820000 --> 0:15:34.360000
You can have very high availability for your gateways.

0:15:34.360000 --> 0:15:38.320000
The keys, if you're doing anything significant, you're going to want to

0:15:38.320000 --> 0:15:42.560000
use a VpnGw. The basic is very limited, particularly if you're studying

0:15:42.560000 --> 0:15:46.520000
for an exam. You can go and look at some more details.

0:15:46.520000 --> 0:15:49.460000
But by and large, if there's anything interesting that you're doing with

0:15:49.460000 --> 0:15:53.060000
a VPN gateway beyond basic connectivity, then you're going to want one

0:15:53.060000 --> 0:15:54.680000
of the GW levels.

0:15:54.680000 --> 0:15:58.860000
Keep in mind the AZ is simply availability zone.

0:15:58.860000 --> 0:16:01.280000
It's the same performance levels.

0:16:01.280000 --> 0:16:04.500000
It's just giving you better availability.

0:16:04.500000 --> 0:16:09.780000
Okay. So that all goes back to that SKU, the VpnGw1.

0:16:09.780000 --> 0:16:14.160000
All right. Now I need to associate this with a virtual network.

0:16:14.160000 --> 0:16:18.020000
I'm going to put it over on the spoke 2 VNet.

0:16:18.020000 --> 0:16:21.540000
All right. Now the cool thing is when I do this, it will actually through

0:16:21.540000 --> 0:16:26.600000
the portal create the gateway subnet, subnet for me.

0:16:26.600000 --> 0:16:32.160000
Otherwise, if I'm doing this, for example, in a script or if I've got

0:16:32.160000 --> 0:16:37.540000
a template, I'll have to make sure that I defined that subnet independently.

0:16:37.540000 --> 0:16:49.420000
I'm going to go ahead and create a public IP.

0:16:49.420000 --> 0:16:52.780000
It's set up to be basic.

0:16:52.780000 --> 0:16:56.480000
And I'm not going to enable active-active mode.

0:16:56.480000 --> 0:17:02.080000
And I am disabling BGP ASN.
0:17:02.080000 --> 0:17:07.680000
Okay. Now that can only be configured with, as I said, VpnGw1, VpnGw2, and

0:17:07.680000 --> 0:17:11.500000
VpnGw3. And I'm actually going to put this back to basic because I'm not

0:17:11.500000 --> 0:17:13.120000
doing anything with it.

0:17:13.120000 --> 0:17:19.540000
And then simply review and create.

0:17:19.540000 --> 0:17:22.020000
And that's it. Now that's it.

0:17:22.020000 --> 0:17:24.800000
Plus you wait 40 minutes, so I'm not going to make you wait on that.

0:17:24.800000 --> 0:17:28.600000
The other thing, if I'm doing this actual site to site, so I've got an

0:17:28.600000 --> 0:17:37.240000
on-prem, what I'm going to need to do is create a local network gateway.

0:17:37.240000 --> 0:17:39.820000
And really, you can think of the local network gateway again simply as

0:17:39.820000 --> 0:17:44.540000
a registration of your on-prem environment.

0:17:44.540000 --> 0:17:47.980000
And what I do is I'm going to give this a name.

0:17:47.980000 --> 0:17:54.480000
So we'll say demo local network gateway, LNG, or liquefied natural gas,

0:17:54.480000 --> 0:17:55.160000
one or the other.

0:17:55.160000 --> 0:18:00.320000
Now this would be the actual public IP address, which I don't actually

0:18:00.320000 --> 0:18:03.260000
have. That is not actually a public IP address.

0:18:03.260000 --> 0:18:04.040000
That would work.

0:18:04.040000 --> 0:18:05.980000
But I can set that up.

0:18:05.980000 --> 0:18:08.060000
I can set up the address space.

0:18:08.060000 --> 0:18:11.480000
This would be the internal address space that I want to use.

0:18:11.480000 --> 0:18:20.300000
So I can say, OK, 10.100.0.0/16.

0:18:20.300000 --> 0:18:26.660000
And maybe we also have 192.168.0.0 slash,

0:18:26.660000 --> 0:18:33.280000
we'll say, 16. And so whatever address spaces it is that I need to define that

0:18:33.280000 --> 0:18:35.540000
are on the client side, that's what I set up here.
0:18:35.540000 --> 0:18:41.600000
And then I would simply put this into a resource group.

0:18:41.600000 --> 0:18:46.300000
And that's going to give me the local network gateway configuration again,

0:18:46.300000 --> 0:18:49.020000
just pointing to that endpoint.

0:18:49.020000 --> 0:18:52.400000
All right. That doesn't go and configure anything on my local network.

0:18:52.400000 --> 0:19:02.040000
Now I want to go back to my massive amount of resources that I've got

0:19:02.040000 --> 0:19:05.860000
created here in my resource group.

0:19:05.860000 --> 0:19:08.740000
So these are all the resources that I'm using.

0:19:08.740000 --> 0:19:11.320000
Some of these are doubled up because I might have done something wrong,

0:19:11.320000 --> 0:19:13.760000
but that's neither here nor there.

0:19:13.760000 --> 0:19:18.480000
If I go down here, notice I've got these virtual network gateways.

0:19:18.480000 --> 0:19:23.960000
So I've got a hub VPN, an on-prem VPN, and a spoke 2 VPN.

0:19:23.960000 --> 0:19:27.080000
I'm going to go to my hub VPN.

0:19:27.080000 --> 0:19:30.780000
All right. And we're going to take a look at this and notice that it's

0:19:30.780000 --> 0:19:32.740000
route-based. It is basic.

0:19:32.740000 --> 0:19:34.940000
It's a VPN route-based hub.

0:19:34.940000 --> 0:19:37.740000
And there's a few things that I can change.

0:19:37.740000 --> 0:19:39.060000
Not a whole lot.

0:19:39.060000 --> 0:19:41.720000
If I want to, I can go from basic to standard. Notice

0:19:41.720000 --> 0:19:43.280000
I don't have active-active.

0:19:43.280000 --> 0:19:47.180000
I can't configure BGP with basic.

0:19:47.180000 --> 0:19:49.920000
I can also set up connections.

0:19:49.920000 --> 0:19:52.200000
I can go to my point to site configuration.

0:19:52.200000 --> 0:19:56.120000
But what I'm really interested in right now is setting up my connections.

0:19:56.120000 --> 0:20:01.420000
So I'm going to go to connections and I am simply going to add a connection.
0:20:01.420000 --> 0:20:08.280000
And this is going to be hub to spoke VPN.

0:20:08.280000 --> 0:20:10.080000
No, not hub to spoke.

0:20:10.080000 --> 0:20:14.620000
Hub to on-prem VPN.

0:20:14.620000 --> 0:20:19.040000
And the connection type is going to be VNet to VNet.

0:20:19.040000 --> 0:20:22.960000
Notice I can do site to site or ExpressRoute, but we're going to go VNet

0:20:22.960000 --> 0:20:26.020000
to VNet. Hub VPN is the first one.

0:20:26.020000 --> 0:20:29.100000
Second one is going to be on-prem.

0:20:29.100000 --> 0:20:30.880000
So that's the only one that's available.

0:20:30.880000 --> 0:20:34.260000
Then you have to specify the shared key.

0:20:34.260000 --> 0:20:39.040000
And you, of course, will use something, hopefully, a little bit more secure

0:20:39.040000 --> 0:20:45.540000
than ABC123. I can choose the protocol and everything else is good and

0:20:45.540000 --> 0:20:51.740000
I hit OK. Now, any time you have a connection, you have to set that connection

0:20:51.740000 --> 0:20:54.200000
in both directions.

0:20:54.200000 --> 0:20:59.580000
So I've now set up the connection from the hub to the on-prem.

0:20:59.580000 --> 0:21:05.380000
What I now need to do is go to the on-prem and set up a connection to

0:21:05.380000 --> 0:21:09.580000
the hub. Now, it'll show me the hub, but that's not all I need.

0:21:09.580000 --> 0:21:17.960000
I'm going to go ahead and set up on-prem to hub VPN.

0:21:17.960000 --> 0:21:22.780000
VNet to VNet. And I'm going to pick the only one available, which is hub

0:21:22.780000 --> 0:21:30.340000
VPN, and my very complex shared key and leave everything else the same.

0:21:30.340000 --> 0:21:33.440000
And then I've got my connections.

0:21:33.440000 --> 0:21:37.820000
Now, this is going to take a few minutes for these connections to actually

0:21:37.820000 --> 0:21:40.320000
fully spin up. So we'll wait for that.

0:21:40.320000 --> 0:21:49.560000
We'll come back and we'll test them out.
0:21:49.560000 --> 0:21:55.080000
All right. Both of the connections are showing up with the status of connected.

0:21:55.080000 --> 0:21:57.860000
So what I want to do is test them out.

0:21:57.860000 --> 0:22:01.700000
Now, I have already connected over to my on-prem VM.

0:22:01.700000 --> 0:22:05.920000
I have an RDP session connected to my on-prem VM.

0:22:05.920000 --> 0:22:13.060000
And I want to connect to the local IP address of my hub.

0:22:13.060000 --> 0:22:14.660000
So I'm going to go over that VPN.

0:22:14.660000 --> 0:22:18.480000
Well, in order to do that, I come over here and I see that the hub, its

0:22:18.480000 --> 0:22:21.440000
private IP address is 10.1.0.5.

0:22:21.440000 --> 0:22:28.160000
So I'm going to go into my on-prem and I'm going to pop in here.

0:22:28.160000 --> 0:22:49.420000
And I'm going to connect to 10.1.0.5.

0:22:49.420000 --> 0:22:51.000000
And that out of the way.

0:22:51.000000 --> 0:22:54.160000
Let me move that out of the way too.

0:22:54.160000 --> 0:22:57.000000
There we go. All right.

0:22:57.000000 --> 0:23:01.420000
I'm connecting. And now you can see that I am in fact connected to 10.1.0.5.

0:23:01.420000 --> 0:23:05.420000
And we can let that start up.

0:23:05.420000 --> 0:23:08.380000
But if I get that screen, it means the connection's there.

0:23:08.380000 --> 0:23:13.420000
The next thing I'm going to do is I want to actually extend this out through

0:23:13.420000 --> 0:23:15.960000
that peering connection as well.

0:23:15.960000 --> 0:23:19.920000
But in order to do that, I need to go to my hub.

0:23:19.920000 --> 0:23:26.020000
And from my hub, virtual network, I actually want to go to the hub virtual

0:23:26.020000 --> 0:23:34.480000
network. So let's go to TAS.

0:23:34.480000 --> 0:23:38.240000
Ah, I could have just gone to virtual networks.

0:23:38.240000 --> 0:23:40.880000
And I'm going to go to hub.

0:23:40.880000 --> 0:23:44.960000
And there's a setting on the peering connection.
0:23:44.960000 --> 0:23:46.940000
I've already set up the peering connection.

0:23:46.940000 --> 0:23:48.920000
This is my hub to spoke 1.

0:23:48.920000 --> 0:23:51.300000
I'm going to go in to hub to spoke 1.

0:23:51.300000 --> 0:23:55.140000
And I am going to allow gateway transit.

0:23:55.140000 --> 0:23:56.680000
I actually have to set this up on both sides.

0:23:56.680000 --> 0:24:00.880000
So let's see, allow gateway transit on the hub side.

0:24:00.880000 --> 0:24:09.600000
And then while that's going on, notice by the way, the use remote gateways

0:24:09.600000 --> 0:24:12.220000
is grayed out because it has a gateway.

0:24:12.220000 --> 0:24:15.820000
I'm going to go to the spoke side.

0:24:15.820000 --> 0:24:25.580000
And I'm going to go to peering for the spoke side.

0:24:25.580000 --> 0:24:31.980000
And I'm going to use the remote gateway.

0:24:31.980000 --> 0:24:39.440000
And let that save.

0:24:39.440000 --> 0:24:45.580000
We're almost there.

0:24:45.580000 --> 0:24:48.340000
So that is now saved.

0:24:48.340000 --> 0:24:51.300000
And go back and do one more thing.

0:24:51.300000 --> 0:24:54.140000
I've got a virtual machine on the spoke.

0:24:54.140000 --> 0:24:55.620000
Let's take a look at that.

0:24:55.620000 --> 0:25:00.240000
Its local private IP address is 10.2.0.4.

0:25:00.240000 --> 0:25:07.460000
So if I go back to my on-prem and I'm doing this blind, hopefully I didn't

0:25:07.460000 --> 0:25:11.160000
do anything unintelligent.

0:25:11.160000 --> 0:25:14.500000
If I go to 10.2.0.4.

0:25:14.500000 --> 0:25:17.280000
And there we go.

0:25:17.280000 --> 0:25:20.540000
As soon as I get this, I know I've got the connectivity.

0:25:20.540000 --> 0:25:25.300000
And so now I've got that transitive connection between my on-prem going

0:25:25.300000 --> 0:25:29.780000
through a VPN gateway.

0:25:29.780000 --> 0:25:36.320000
And then connecting up over a peering connection to another virtual machine.
0:25:36.320000 --> 0:25:40.900000
So I really have a hub and spoke with no routing configuration.

0:25:40.900000 --> 0:25:44.880000
Just setting up that VPN gateway connection and then making sure that

0:25:44.880000 --> 0:25:47.520000
my peering connections have the right configuration.

0:25:47.520000 --> 0:25:52.460000
So there are many options and you can go very deep into the configuration

0:25:52.460000 --> 0:25:55.080000
of a VPN connection.

0:25:55.080000 --> 0:26:00.720000
However, keep in mind that you can also on the Azure side at least, fairly

0:26:00.720000 --> 0:26:05.600000
easily or at least with minimal configuration, you can set up and have

0:26:05.600000 --> 0:26:08.220000
a VPN connection working.

0:26:08.220000 --> 0:26:12.400000
Truly the more complex element, at least again, if you do kind of the

0:26:12.400000 --> 0:26:15.800000
minimal setup in Azure, is going to be making sure that you go through

0:26:15.800000 --> 0:26:18.620000
the settings for your on-prem appliance.

0:26:18.620000 --> 0:26:24.900000
There are guidelines for a wide range of appliances that have been certified

0:26:24.900000 --> 0:26:27.100000
to work with Azure VPN gateway.

0:26:27.100000 --> 0:26:31.820000
You can look up Azure VPN gateway appliances and you'll get a list and

0:26:31.820000 --> 0:26:32.880000
then you can click links to the website.

0:26:32.880000 --> 0:26:36.440000
So things like tutorials or settings or even settings files to make it

0:26:36.440000 --> 0:26:39.600000
easier to fully configure your VPN gateway connection.