Lastly, let's turn our attention to the Azure networking subsystem and how we connect to our Azure virtual machines. Here's a Lucidchart diagram that I created. It's pretty overwhelming at first, and we're just going to look at a subset of the items that you see here, okay? So don't freak out seeing NAT gateways and peerings. Microsoft has a separate associate-level certification for the Azure Network Engineer job role; it's the AZ-700 exam, specifically. But for our purposes, we just need to know the basics about Azure virtual machine networking. Now, the software data center that we put our virtual machines into in Azure is called the Virtual Network. And although these VNets support both Internet Protocol version 4 and 6, the Microsoft exams tend to ignore v6. We're just concerned with IPv4 here, okay? And you've got yourself one or more overall address ranges, and Azure takes care of dynamically distributing those private, non-routable IP addresses using Dynamic Host Configuration Protocol.

It's an important point that although your virtual networks exist in the internet and are internet-adjacent, the VMs that you deploy in a VNet are inaccessible from the internet unless you have some ingress from the internet configured. That's an important point. These VNets are secure isolation boundaries for your VMs. Now notice that the VMs have a little network interface card icon on them. This is to denote that your networking in Azure VMs is done separately from the virtual machine configuration. That is, there's a virtual network interface that you associate with the VM, and that is where you configure your IP addressing. The main software firewall used in Azure virtual networks is called the network security group. This is simply an OSI layer 4 access list where you use ports, protocols, and IP addresses to construct allow and block rules that govern both inbound, that's ingress, and outbound, egress, network traffic.

We've got a hybrid cloud shown here, and again, I don't need to get into the weeds of the various parts and pieces, but there are a couple of ways, actually, that you can extend your on-premises environment, and by extension, your on-premises IP infrastructure, into your Azure Virtual Network. One of those is what you see here, what's called a site-to-site virtual private network, or VPN, that traverses the internet. It's an IPsec IKEv2 tunnel. The other way to go is to use WAN technologies. This is what's called Microsoft ExpressRoute. Peerings, I'll just highlight this, allow you, in a cost-effective way, to link or create a routing path between virtual networks. So you might have a hub VNet where you've got a VPN to on-prem, you might have an Azure Firewall, and these things can get pretty expensive, and you don't want to deploy them to all of your VNets, yet you still want to have transitive routing among those VNets. This is where peerings can really shine.

There are various ways to establish network connectivity to an Azure VM. If it's Windows Server, you may want a desktop, so you can use Remote Desktop Protocol; if it's Linux, you would not typically use a desktop, you'd use SSH. But either way, you could affix a public, internet-accessible IP address to the VM. It's called an instance-specific public IP. I would recommend against that, because I can guarantee you that if you put a public IP address on your VM, you're going to see alerts in Microsoft Defender for Cloud within 24 hours of people trying to brute force you. You really only want that public IP address directly on the VM if you're looking to host inbound internet access to that VM. There are far better options that I'll show you. Another thing we could do is RDP or SSH over a hybrid connection, like site-to-site VPN or ExpressRoute. There we're connecting using private, non-internet-routable IP addresses. Azure Bastion represents a nice way to keep your VMs off the internet, but still be able to get an RDP desktop or an SSH connection to those virtual machines. The Serial Console represents a sort of backdoor into your virtual machine.

This can be really handy if you need to gain emergency access to a machine that somehow is inaccessible via other means. Programmatically and through scripts, you could use Azure PowerShell commands or Azure CLI statements in a Bash script to work with VMs, including connecting to them. And there are others, but lastly, there's the fundamental Azure Resource Manager REST API. You could use a tool like Postman. Now, I don't know if you can invoke a desktop that way, but at the least, you could send commands to that virtual machine directly using HTTP and the ARM REST API endpoints.