1
00:00:01,440 --> 00:00:04,120
In this demonstration, I'm going to walk you through using

2
00:00:04,120 --> 00:00:06,830
the Azure Network Adapter, and I'll at least get you started

3
00:00:06,830 --> 00:00:08,380
with Azure extended network.

4
00:00:08,380 --> 00:00:12,140
I'm on a Windows Server 2022 domain member server

5
00:00:12,140 --> 00:00:13,620
running in my local environment.

6
00:00:13,620 --> 00:00:16,300
It's not in Azure, and I've installed Windows Admin

7
00:00:16,300 --> 00:00:18,320
Center on this machine and signed in.

8
00:00:18,320 --> 00:00:22,190
As you can see, I've done a couple of things on the Server Manager page here.

9
00:00:22,190 --> 00:00:26,620
I've got my local server set up as a Gateway, and then I've

10
00:00:26,620 --> 00:00:29,940
used the Add function to bring in localdc1.

11
00:00:29,940 --> 00:00:33,990
That's my domain controller in my local domain, so I can work with it as well.

12
00:00:33,990 --> 00:00:36,500
So for Azure Network Adapter, what do we want to do?

13
00:00:36,500 --> 00:00:38,370
Well, we want to go to my local server,

14
00:00:38,370 --> 00:00:41,830
localmem1. And then in the settings, I'm going to look for

15
00:00:41,830 --> 00:00:45,090
networks. And then in the Networks interface, you can see we

16
00:00:45,090 --> 00:00:47,540
have Add Azure Network Adapter.

17
00:00:47,540 --> 00:00:50,960
Now, it's a little bit odd because notice it says Preview.

18
00:00:50,960 --> 00:00:51,730
What does that mean?

19
00:00:51,730 --> 00:00:51,980
Well,

20
00:00:51,980 --> 00:00:55,780
this means it's a public preview feature, that it's not generally available.

21
00:00:55,780 --> 00:00:59,390
And normally that means, unless Microsoft tells you otherwise, that the

22
00:00:59,390 --> 00:01:03,830
feature is not covered by service-level agreements or Azure support, so I

23
00:01:03,830 --> 00:01:07,700
do want to give that caveat always. Be careful using public preview

24
00:01:07,700 --> 00:01:11,070
features because they're normally intended for non-production use.

25
00:01:11,070 --> 00:01:13,250
Microsoft sometimes makes an exception,

26
00:01:13,250 --> 00:01:16,420
but that's something you need to track with that engineering team.

27
00:01:16,420 --> 00:01:20,370
Okay, so I'm going to click Add Azure Network Adapter, and we get an error.

28
00:01:20,370 --> 00:01:25,310
This is to be expected because I haven't yet registered this machine and this

29
00:01:25,310 --> 00:01:28,880
instance of Windows Admin Center with my Azure subscription.

30
00:01:28,880 --> 00:01:32,340
So let's hit Settings. And on the Account page, we're going to sign

31
00:01:32,340 --> 00:01:36,130
in. It looks like I'm already signed in with my timw account, so

32
00:01:36,130 --> 00:01:38,810
it's just directly asking me to consent.

33
00:01:38,810 --> 00:01:42,300
This is an OAuth authorization screen asking us for

34
00:01:42,300 --> 00:01:43,960
permission and so on and so forth.

35
00:01:43,960 --> 00:01:44,980
So I'm signed in.

36
00:01:44,980 --> 00:01:46,140
That's looking pretty good.

37
00:01:46,140 --> 00:01:50,100
Let's come back to Server Manager, back to our Gateway, back

38
00:01:50,100 --> 00:01:54,310
down to Networks, back into Azure Network Adapter. And you may

39
00:01:54,310 --> 00:01:56,360
be asked to sign in a second time.

40
00:01:56,360 --> 00:01:59,780
I must have already done that sometime in the past. And when you

41
00:01:59,780 --> 00:02:03,310
sign in and formally register your WAC server,

42
00:02:03,310 --> 00:02:04,040
you're asked,

43
00:02:04,040 --> 00:02:07,500
do you want to reuse an existing service principal or create a new one?

44
00:02:07,500 --> 00:02:11,010
Because what happens is, let me go back for a moment into my Azure

45
00:02:11,010 --> 00:02:14,990
subscription and go to Azure Active Directory. We need a security

46
00:02:14,990 --> 00:02:18,080
context for your Windows Admin Center to do its work.

47
00:02:18,080 --> 00:02:18,950
Does that make sense?

48
00:02:18,950 --> 00:02:21,840
So you not only need to sign in with your administrative account,

49
00:02:21,840 --> 00:02:23,370
but then you create a persistent,

50
00:02:23,370 --> 00:02:27,260
basically a service account for WAC in your tenant, and we

51
00:02:27,260 --> 00:02:30,840
can find that if we go to App registrations. If I go to All

52
00:02:30,840 --> 00:02:33,710
applications and sort that in reverse,

53
00:02:33,710 --> 00:02:38,310
we can see I've got it right down here. I've got Windows Admin Center gateway

54
00:02:38,310 --> 00:02:42,090
installed on several of my servers. The one that we're concerned with right

55
00:02:42,090 --> 00:02:45,890
now is this one I'm highlighting. And notice that the service principal has

56
00:02:45,890 --> 00:02:50,410
the name WindowsAdminCenter and then the URL of the server. And so that means

57
00:02:50,410 --> 00:02:55,300
we can grant this identity role-based access ourselves in addition, and that

58
00:02:55,300 --> 00:03:00,110
would determine the scope of work that can happen here in WAC. So anyway,

59
00:03:00,110 --> 00:03:04,410
I've got my Add Azure Network Adapter form up here. I choose my Subscription,

60
00:03:04,410 --> 00:03:06,550
my Region, my Virtual Network,

61
00:03:06,550 --> 00:03:10,840
which I believe, in my case, is vnet11. And here, depending upon whether

62
00:03:10,840 --> 00:03:13,940
you already have a virtual network gateway installed,

63
00:03:13,940 --> 00:03:18,440
you can either have WAC initiate the creation of that subnet and

64
00:03:18,440 --> 00:03:22,250
gateway, or we can reuse our existing one, which is what I'm going to

65
00:03:22,250 --> 00:03:26,330
do. Now again, to show you that back in Azure, let me go to Virtual

66
00:03:26,330 --> 00:03:28,770
network gateways, and I've created a gateway.

67
00:03:28,770 --> 00:03:31,610
These take quite a bit of time to create, 30,

68
00:03:31,610 --> 00:03:34,340
40 minutes at least, depending upon your region.

69
00:03:34,340 --> 00:03:37,110
So rather than have WAC create one,

70
00:03:37,110 --> 00:03:41,870
I made sure to do the work in advance. So we can see it's in vnet11. And

71
00:03:41,870 --> 00:03:45,730
if I jump over to my virtual network and go to Subnets, your virtual

72
00:03:45,730 --> 00:03:50,070
network gateway is a managed appliance. It's a VPN/ExpressRoute endpoint.

73
00:03:50,070 --> 00:03:54,800
That needs to be on its own subnet. I normally will do a class C block,

74
00:03:54,800 --> 00:03:58,900
/24, but you can make it much smaller if you want to; /24 is kind of

75
00:03:58,900 --> 00:04:02,500
overkill, for sure. But the subnet does need the name label,

76
00:04:02,500 --> 00:04:04,790
GatewaySubnet, with no spaces.

77
00:04:04,790 --> 00:04:08,830
So let me go back a couple of steps to the VNet gateway. And what we're getting at

78
00:04:08,830 --> 00:04:12,820
here is on Point-to-site configuration, right now there's no point-to-site

79
00:04:12,820 --> 00:04:17,180
configuration happening, but we're going to initiate that in an automated way

80
00:04:17,180 --> 00:04:19,820
with this Add Azure Network Adapter thing.

81
00:04:19,820 --> 00:04:21,660
So when you set up a point-to-site,

82
00:04:21,660 --> 00:04:25,980
you need to specify a private client address space that will be used by

83
00:04:25,980 --> 00:04:29,550
connections. As it says here, it's the client address pool, their private

84
00:04:29,550 --> 00:04:33,580
IPs. This needs to be a non-overlapping range with any of my other

85
00:04:33,580 --> 00:04:40,250
networks, so I'm going to do a 172.16.30/24. And the way Azure Network

86
00:04:40,250 --> 00:04:44,570
Adapter does authentication is with certificates, so I'm going to have it

87
00:04:44,570 --> 00:04:46,430
auto-generate self-signed.

88
00:04:46,430 --> 00:04:49,970
Now that's not particularly secure and flexible. Otherwise, if

89
00:04:49,970 --> 00:04:52,750
you're using Active Directory Certificate Services,

90
00:04:52,750 --> 00:04:57,260
you can add the public key and client package manually.

91
00:04:57,260 --> 00:05:00,990
I'm going to auto-generate. And that will create a root certificate that's

92
00:05:00,990 --> 00:05:06,330
attached to the gateway and a client certificate that WAC will auto-install

93
00:05:06,330 --> 00:05:10,550
on the local server to establish that connection. Let me click Create. And

94
00:05:10,550 --> 00:05:14,990
this shouldn't go as fast because we're not having to create the gateway.

95
00:05:14,990 --> 00:05:18,660
It says that it could take up to 10 minutes for Azure to complete this

96
00:05:18,660 --> 00:05:22,190
work. That's fine. And while we're waiting for that work to finish,

97
00:05:22,190 --> 00:05:26,470
actually, I can just walk you through a little bit of the Azure extended

98
00:05:26,470 --> 00:05:26,900
network.

99
00:05:26,900 --> 00:05:30,650
Now, remember, extended network is where you need to extend an on-premises

100
00:05:30,650 --> 00:05:35,800
subnet into Azure using the very same IP range because the idea is you're

101
00:05:35,800 --> 00:05:40,270
migrating a virtual machine, and it needs to retain its existing private IP.

102
00:05:40,270 --> 00:05:44,600
What we'll do is go over to Settings, Extensions. And I can see it right here,

103
00:05:44,600 --> 00:05:49,300
Azure Extended Network. So you'll want to install that extension onto your

104
00:05:49,300 --> 00:05:53,650
server, so I'll click Install. Once it's installed, it'll reload the page, and

105
00:05:53,650 --> 00:05:57,980
it will show up on the Installed extensions list, right here. Then, to make use

106
00:05:57,980 --> 00:06:02,190
of that network, we can again come back to our server in question, localmem1.

107
00:06:02,190 --> 00:06:07,720
Come down to Networks; specifically, we have a new setting for Azure Extended

108
00:06:07,720 --> 00:06:11,460
Network, and then we can initiate the setup process. Once again,

109
00:06:11,460 --> 00:06:14,070
I need you to understand that as of this recording,

110
00:06:14,070 --> 00:06:16,740
I mean maybe by the time you're watching this training video,

111
00:06:16,740 --> 00:06:20,810
Extended Network and/or the Network Adapter will be in generally

112
00:06:20,810 --> 00:06:24,480
available status in which you won't see a preview tag, and those

113
00:06:24,480 --> 00:06:28,170
products will have their own published service-level agreements and

114
00:06:28,170 --> 00:06:29,710
Azure support arrangements.

115
00:06:29,710 --> 00:06:31,070
Let's click Set up. Again,

116
00:06:31,070 --> 00:06:34,580
there's a lot of setup here to this and a lot of prerequisites that

117
00:06:34,580 --> 00:06:38,840
you need to get on board here. It gives firewall exceptions. We've got

118
00:06:38,840 --> 00:06:42,880
needing those network virtual appliances that have multiple switches

119
00:06:42,880 --> 00:06:47,640
and Hyper-V VMs. Oh, boy. There's quite a bit to it. But this takes you

120
00:06:47,640 --> 00:06:51,130
through that setup, and that's really all I want to say about that at

121
00:06:51,130 --> 00:06:51,590
this point.

122
00:06:51,590 --> 00:06:54,910
Let's come back to Networks, and let's see how WAC

123
00:06:54,910 --> 00:06:56,870
is doing thus far in its work.

124
00:06:56,870 --> 00:06:57,240
Okay,

125
00:06:57,240 --> 00:07:01,960
we see an update here that Point to Site VPN Client Configuration is started.

126
00:07:01,960 --> 00:07:06,060
This will take up to 5 minutes. We'll get a notification once it's completed. And

127
00:07:06,060 --> 00:07:08,980
what that's referring to, if we go back to our gateway here.

128
00:07:08,980 --> 00:07:13,010
Let me refresh the Point-to-site configuration screen. Notice now that

129
00:07:13,010 --> 00:07:17,210
the interface is fleshed out to where we have the client address pool as

130
00:07:17,210 --> 00:07:21,820
I configured it in WAC. It looks like the Azure Network Adapter is using

131
00:07:21,820 --> 00:07:27,540
the IKEv2 and OpenVPN (SSL) option with, as we know, Azure certificate as

132
00:07:27,540 --> 00:07:29,010
the Authentication type.

133
00:07:29,010 --> 00:07:32,870
It created a root certificate using self-signed data.

134
00:07:32,870 --> 00:07:35,640
There's the public key data right there, and it auto-

135
00:07:35,640 --> 00:07:38,190
generated just a single client certificate.

136
00:07:38,190 --> 00:07:42,040
And normally, when you set up a shared point-to-site configuration,

137
00:07:42,040 --> 00:07:44,770
after you establish your metadata here in terms of

138
00:07:44,770 --> 00:07:46,790
tunnel type, authentication type,

139
00:07:46,790 --> 00:07:51,270
you save, let it cook, and the gateway will create a VPN

140
00:07:51,270 --> 00:07:54,790
installation package right here, Download VPN client. You

141
00:07:54,790 --> 00:07:57,230
actually already saw that in the previous demo.

142
00:07:57,230 --> 00:08:00,320
I'm kind of repeating. It occurred to me now that I'm repeating

143
00:08:00,320 --> 00:08:02,440
a lot of what I taught in the previous demo.

144
00:08:02,440 --> 00:08:04,730
That's totally okay because, let's face it,

145
00:08:04,730 --> 00:08:07,350
adult education is about repetition, isn't it?

146
00:08:07,350 --> 00:08:07,790
Nice.

147
00:08:07,790 --> 00:08:10,150
Well, once that configuration completes,

148
00:08:10,150 --> 00:08:13,320
we now see on the Networks page for localmem1,

149
00:08:13,320 --> 00:08:16,840
in addition to its own primary Ethernet adapter,

150
00:08:16,840 --> 00:08:19,680
we have this point-to-site VPN that goes into

151
00:08:19,680 --> 00:08:21,980
vnet11, and the status is connected.

152
00:08:21,980 --> 00:08:24,310
If we select the link, we can disconnect,

153
00:08:24,310 --> 00:08:25,020
we can delete,

154
00:08:25,020 --> 00:08:27,910
we can reconnect again. And then on this machine, we can

155
00:08:27,910 --> 00:08:30,310
always go into the Settings app, and we've got our

156
00:08:30,310 --> 00:08:32,550
point-to-site VPN already connected.

157
00:08:32,550 --> 00:08:33,440
So what does that mean?

158
00:08:33,440 --> 00:08:36,960
Well, that means we should be able to open up a Layer 3 connection.

159
00:08:36,960 --> 00:08:40,840
So that means I should be able to establish Layer 3 connectivity to

160
00:08:40,840 --> 00:08:42,510
the resources in that VNet.

161
00:08:42,510 --> 00:08:45,460
Like, I have a VM in that VNet right now,

162
00:08:45,460 --> 00:08:52,500
so let me try a ping, IPv4 10.11.11.11. Yep, so we've got connectivity. And

163
00:08:52,500 --> 00:08:56,100
this localmem machine, it's going over the internet normally. It's just that

164
00:08:56,100 --> 00:09:02,000
we're using the P2S VPN to get into that VNet. So there we have it. It's working just fine.