1
00:00:00,740 --> 00:00:03,140
Hybrid cloud infrastructure.

2
00:00:03,140 --> 00:00:08,920
Azure site‑to‑site Virtual Private Network, also called an Azure S2S VPN.

3
00:00:08,920 --> 00:00:12,640
All right, so what you're looking at here is a network extension,

4
00:00:12,640 --> 00:00:13,510
that is to say,

5
00:00:13,510 --> 00:00:17,770
a VPN being defined as a secure connection over an insecure medium,

6
00:00:17,770 --> 00:00:19,410
in this case, the public internet.

7
00:00:19,410 --> 00:00:22,880
You're taking your edge router and terminating one

8
00:00:22,880 --> 00:00:27,860
side of an IPsec IKEv2 tunnel, just garden‑variety VPN protocols,

9
00:00:27,860 --> 00:00:31,680
and this is going to offer you an always‑on connection

10
00:00:31,680 --> 00:00:34,280
from your on‑premises network into Azure,

11
00:00:34,280 --> 00:00:36,870
and you can layer in some pretty cool features like

12
00:00:36,870 --> 00:00:39,690
enabling Border Gateway Protocol, or BGP.

13
00:00:39,690 --> 00:00:43,910
That's going to give you the ability to do redundancy and active‑active,

14
00:00:43,910 --> 00:00:46,940
active‑passive failover kinds of situations.

15
00:00:46,940 --> 00:00:50,500
You also can do dynamic route exchange and route updates.

16
00:00:50,500 --> 00:00:54,180
BGP is a good deal when it comes to the site‑to‑site VPN.

17
00:00:54,180 --> 00:00:58,740
Notice on the Azure side, you've got a dedicated subnet called the gateway subnet.

18
00:00:58,740 --> 00:01:01,700
I normally do a /24, but it can be smaller.

19
00:01:01,700 --> 00:01:04,920
I mean, it's all private, non‑routable IP ranges anyway,

20
00:01:04,920 --> 00:01:08,220
but you have a virtual network gateway that's going to terminate

21
00:01:08,220 --> 00:01:11,440
the VPN circuit in your virtual network in Azure.

22
00:01:11,440 --> 00:01:14,460
You represent your local on‑premises router with an

23
00:01:14,460 --> 00:01:16,820
Azure resource called the local network gateway,

24
00:01:16,820 --> 00:01:19,110
and then you have one or more connections.

25
00:01:19,110 --> 00:01:21,750
The connections can be site‑to‑site VPN,

26
00:01:21,750 --> 00:01:25,210
VNet‑to‑VNet VPN, ExpressRoute circuits,

27
00:01:25,210 --> 00:01:27,960
and then there is a point‑to‑site VPN capability

28
00:01:27,960 --> 00:01:30,740
as well that we looked at previously in this course.

29
00:01:30,740 --> 00:01:35,310
So the value propositions of the site‑to‑site VPN are that we've got Layer 3

30
00:01:35,310 --> 00:01:38,050
extension from our on‑premises environment into Azure,

31
00:01:38,050 --> 00:01:39,630
so we could, for example,

32
00:01:39,630 --> 00:01:43,830
join these Azure Virtual Machines to our local Active Directory domain,

33
00:01:43,830 --> 00:01:47,570
we can deploy domain controllers into the virtual network

34
00:01:47,570 --> 00:01:49,650
and stand up DNS and other services,

35
00:01:49,650 --> 00:01:54,010
and you've got that transparent Layer 3 connection between the two environments.

36
00:01:54,010 --> 00:01:55,040
It's pretty convenient.

37
00:01:55,040 --> 00:02:06,000
And because we're dealing with an encrypted IPsec IKEv2 tunnel, we don't have the issue of plaintext, cleartext data going over the connection.