How To Make The Best Use Of Live Sessions

• Please log in 10 mins before the class starts and check your internet connection to avoid any network issues during
the LIVE session

• All participants will be on mute, by default, to avoid any background noise. However, you will be unmuted by
instructor if required. Please use the “Questions” tab on your webinar tool to interact with the instructor at any point
during the class

• Feel free to ask and answer questions to make your learning interactive. Instructor will address your queries at the
end of on-going topic

• We have dedicated support team to assist all your queries. You can reach us anytime at: support@edureka.co

• Your feedback is very much appreciated. Please share feedback after each class, which will help us enhance
your learning experience

Copyright © edureka and/or its affiliates. All rights reserved.

Microsoft Azure Administrator
Certification (AZ-104)
 COURSE OUTLINE
MODULE 08

01. Managing Azure Subscriptions And 11. Implementing And Managing Hybrid
Resource Groups Identities

02. Azure Virtual Networks And Network

10. Manage Azure Active Directory (AD)
Security

03. Overview Of Azure Virtual Machines 09. Monitoring And Access Management
For Cloud Resources

08. Integrate On-premises Network With

04. Overview Of Azure Storage Services
Azure Virtual Network

07. Network Traffic Distribution And

05. Secure And Manage Azure Storage Connectivity

06. Configure Virtual Machines For High

Availability
Recap

Copyright © edureka and/or its affiliates. All rights reserved.

Module 8 – Integrate On-premises
Network With Azure Virtual
Network

Copyright © edureka and/or its affiliates. All rights reserved.

Topics
Following are the topics covered in this module:

▪ Azure Inter-site VPN Connectivity Methods

▪ Site-to-Site VPN Gateway Connection
▪ Point-to-Site VPN Gateway Connection
▪ VNet-to-VNet Connections
▪ Azure ExpressRoute
▪ Azure Network Watcher
▪ Resource Troubleshooting in Azure Network Watcher

Copyright © edureka and/or its affiliates. All rights reserved.

Objectives
After completing this module, you should be able to:

▪ Implement inter-site VPN connectivity

▪ Configure VNet-to-VNet connections

▪ Understand Azure ExpressRoute

▪ Implement network resource monitoring and

troubleshooting using Azure Network Watcher

Copyright © edureka and/or its affiliates. All rights reserved.

Azure Inter-site VPN Connectivity
Methods

Copyright © edureka and/or its affiliates. All rights reserved.

Azure Inter-site VPN Connectivity Methods
After you create a VPN gateway, you can create the following types of connections:

A cross-premises IPsec/IKE VPN tunnel connection between the VPN

01
gateway and an on-premises VPN device (Site-to-Site)

A VPN over IKEv2 or SSTP VPN tunnel connection (Point-to-

02 Site)
VPN Gateway

An IPsec/IKE VPN tunnel connection between that VPN gateway and

03 another VPN gateway (VNet-to-VNet)

Copyright © edureka and/or its affiliates. All rights reserved.

Site-to-Site VPN Gateway
Connection

Copyright © edureka and/or its affiliates. All rights reserved.

Site-to-Site VPN Gateway Connection
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an
Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

VPN VIP VPN

VNet1 131.1.1. VIP
1 33.2.1.5
East US
10.10.0.0/16
IPsec IKE S2S
VPN
Tunnel
On-premises
LocalSite1
10.0.0.0/24
20.0.0.0/24

Copyright © edureka and/or its affiliates. All rights reserved.

Site-to-Site VPN Gateway Connection
To create a S2S connection, you must have a VPN device located on-premises that has an externally facing
IPv4 address

S2S connections are a great option for an always-available cross-premises connection and hybrid
configurations

VPN VIP VPN

VNet1 131.1.1. VIP
1 33.2.1.5
East US
10.10.0.0/16
IPsec IKE S2S
VPN
Tunnel
On-premises
LocalSite1
10.0.0.0/24
20.0.0.0/24
Always remember that the VPN device located on-premises has a public IP address not located behind a
Note:
NAT

Copyright © edureka and/or its affiliates. All rights reserved.

Multi-Site VPN Gateway Connection
You can connect multiple on-premises sites to a single virtual network and it is very similar
to creating other Site-to-Site connections

Copyright © edureka and/or its affiliates. All rights reserved.

Point-to-Site VPN Gateway
Connection

Copyright © edureka and/or its affiliates. All rights reserved.

Point-to-Site VPN Gateway Connection
A Point-to-Site (P2S) VPN gateway connection lets you create a secure
connection to your virtual network from an individual client computer

A P2S connection is established by starting it from the client computer

P2S connections can be used with S2S connections through the same VPN
gateway, as long as all the configuration requirements for both connections
are compatible

VPN Client
192.168.0.0/24

Copyright © edureka and/or its affiliates. All rights reserved.

Point-to-Site VPN Gateway Connection
Unlike S2S connections, P2S connections do
VPN Client
not require a computer to be located on- Address Pool:
192.168.0.0/24
premises or an externally facing IPv4 address
or a VPN device
P2S SSTP
VPN Client
Tunnel
192.168.0.11
VPN Type: Routed-based
Gateway VIP: 131.1.1.1
VNet1
East US
10.10.0.0/16
P2S SSTP
10.11.0.0/16 VPN Client
Tunnel
192.168.0.12

P2S SSTP
Tunnel VPN Client
192.168.0.13

Copyright © edureka and/or its affiliates. All rights reserved.

Demo 1: Create A Point-to-Site
Connection

Note: Refer to Module-8 Demo1 Document on LMS for all the steps in detail

Copyright © edureka and/or its affiliates. All rights reserved.

VNet-to-VNet Connections

Copyright © edureka and/or its affiliates. All rights reserved.

VNet-to-VNet Connections
01 03

Connecting VNet-to-VNet is similar to connecting a

The VNets you connect can be:
VNet to an on-premises site location
• in the same or different regions
02 • in the same or different subscriptions

Both connectivity types use a VPN gateway to provide • in the same or different deployment models

a secure tunnel using IPsec/IKE

VPN VIP VPN VIP

VNet1 131.1.1. 151.2.2. VNet4
East US 1 2 West US
10.10.0.0/16 10.41.0.0/16
10.12.0.0/16 IPsec IKE S2S 10.42.0.0/16
VPN
Tunnel

Copyright © edureka and/or its affiliates. All rights reserved.

Demo 2: Create A VNet-to-VNet
Connection

Note: Refer to Module-8 Demo2 Document on LMS for all the steps in detail

Copyright © edureka and/or its affiliates. All rights reserved.

Azure ExpressRoute

Copyright © edureka and/or its affiliates. All rights reserved.

What Is Azure ExpressRoute?
ExpressRoute is an Azure service that lets you create private connections between
Microsoft datacenters and your on-premises infrastructure

An ExpressRoute connection uses a virtual network gateway as

part of its required configuration

Traffic over an ExpressRoute circuit is not encrypted

by default

Azure
ExpressRoute
Copyright © edureka and/or its affiliates. All rights reserved.
Azure ExpressRoute

Copyright © edureka and/or its affiliates. All rights reserved.

ExpressRoute Benefits
ExpressRoute connections do not go over the public Internet, so:

They are more reliable They have faster speeds

They have higher security than

They have lower latencies
the connections over the Internet

Copyright © edureka and/or its affiliates. All rights reserved.

ExpressRoute Connectivity Models

Copyright © edureka and/or its affiliates. All rights reserved.

Site-to-Site VPN Vs. ExpressRoute Cross-
▪premises
While Site-to-Site VPN connections over the
public Internet do not offer the advantages
outlined in the previous slide, they are a lower-
cost connectivity option for smaller shops

▪ You configure a Site-to-Site VPN as a failover

path for ExpressRoute

▪ To avoid asymmetrical routing, your local

network configuration should also prefer the
ExpressRoute circuit over the Site-to-Site VPN

Copyright © edureka and/or its affiliates. All rights reserved.

Connectivity With ExpressRoute
ExpressRoute provides two Hybrid Cloud cross-premises connection options:

– Dedicated fibre connections via cross-connecting at Exchange Provider locations, and

– Wide Area Network (WAN) connectivity via MPLS Network Service Providers

Copyright © edureka and/or its affiliates. All rights reserved.

Which Scenarios Does ExpressRoute Enable?
Datacenter Extension
Hybrid applications
Add compute and storage capacity to
Predictable network bandwidth and
your existing datacenter on-demand, by
latency that enables building apps to span
leveraging the elasticity of the Azure
tiers between on-premises and the cloud
cloud platform

Enterprise Storage for Hybrid Backup and Recovery

Cloud High throughput for frequently transferring
Provide cloud applications with access to large amounts of data between on-
enterprise-grade solutions for super-fast premises and cloud, common to cloud
access to cloud storage backup

Copyright © edureka and/or its affiliates. All rights reserved.

Azure Network Watcher

Copyright © edureka and/or its affiliates. All rights reserved.

What Is Azure Network Watcher?
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable
or disable logs for resources in an Azure virtual network

Azure Network Watcher

Copyright © edureka and/or its affiliates. All rights reserved.

Azure Network Watcher Service Pillars

Topology Network Diagnostics

Diagnostic tools for network

Visualize your network topology
related issues

Logs
Metric

Measure and view your network Provide network diagnostic logs

performance and health

Copyright © edureka and/or its affiliates. All rights reserved.

What Azure Network Watcher Does?

0 Monitors communication between a VM and an endpoint

1

0 Views resources in a VNet and their relationships

2

0
Diagnoses network traffic filtering problems to or from a
3 VM

0 Diagnoses network routing problems from a VM

4

0 Diagnoses outbound connections from a VM

5

Copyright © edureka and/or its affiliates. All rights reserved.

What Azure Network Watcher Does?

0 Captures packets to and from a VM

6

0
Diagnoses problems with Azure VPN gateway and
7 connections

0
Determines relative latencies between Azure regions and
8 ISPs

0 Analyses traffic to or from a network security group

9

1 Views diagnostic logs for network resources

0

Copyright © edureka and/or its affiliates. All rights reserved.

Resource Troubleshooting In
Azure Network Watcher

Copyright © edureka and/or its affiliates. All rights reserved.

Introduction To Resource Troubleshooting

Network Watcher provides the capability to troubleshoot gateways and connections

The capability can be called through the portal, PowerShell, Azure CLI, or REST API

When called, Network Watcher diagnoses the health of the gateway, or connection, and returns
the appropriate results once the diagnosis is complete

Copyright © edureka and/or its affiliates. All rights reserved.

Results – Gateway Fault Types

Fault Type Reason Log

NoFault When no error is detected Yes

GatewayNotFound Cannot find gateway or gateway is not provisioned No

PlannedMaintenance Gateway instance is under maintenance No

This fault occurs when a user update is in progress.

UserDrivenUpdate No
The update could be a resize operation

This fault occurs when the primary instance of the

VipUnResponsive No
gateway can't be reached due to a health probe failure

Copyright © edureka and/or its affiliates. All rights reserved.

Results – Gateway Fault Types (Contd…)

Fault Type Reason Log

PlatformInActive There is an issue with the platform No

ServiceNotRunning The underlying service is not running No

NoConnectionsFoundForGatewa No connections exist on the gateway. This fault is only

No
y a warning

Connections are not connected. This fault is only a

ConnectionsNotConnected Yes
warning

GatewayCPUUsageExceeded The current gateway CPU usage is > 95% Yes

Copyright © edureka and/or its affiliates. All rights reserved.

Results – Connection Fault Types

Fault Type Reason Log

NoFault When no error is detected Yes

GatewayNotFound Cannot find gateway or gateway is not provisioned No

PlannedMaintenance Gateway instance is under maintenance No

This fault occurs when a user update is in progress.

UserDrivenUpdate No
The update could be a resize operation

This fault occurs when the primary instance of the

VipUnResponsive gateway can't be reached due to a health probe No
failure

ConnectionEntityNotFound Connection configuration is missing No

Copyright © edureka and/or its affiliates. All rights reserved.

Results – Connection Fault Types (Contd…)

Fault Type Reason Log

ConnectionIsMarkedDisconnected The connection is marked "disconnected" No

ConnectionNotConfiguredOnGatew The underlying service does not have the

Yes
ay connection configured

ConnectionMarkedStandby The underlying service is marked as standby. Yes

Authentication Preshared key mismatch Yes

PeerReachability The peer gateway is not reachable Yes

WfpParse Error An error occurred parsing the WFP log Yes

Copyright © edureka and/or its affiliates. All rights reserved.

Supported Gateway And Connection Types

Gateway types
VPN Supported
ExpressRoute Not Supported
Connection types
IPSec Supported
VNet2Vnet Supported
ExpressRoute Not Supported
VPN types
VPNClient Not Supported
Route Based Supported
Policy Based Not Supported

Copyright © edureka and/or its affiliates. All rights reserved.

Demo 3: Configure Network
Watcher

Note: Refer to Module-8 Demo3 Document on LMS for all the steps in detail

Copyright © edureka and/or its affiliates. All rights reserved.

Summary

Copyright © edureka and/or its affiliates. All rights reserved.

Copyright © edureka and/or its affiliates. All rights reserved.
Copyright © edureka and/or its affiliates. All rights reserved.
Copyright © edureka and/or its affiliates. All rights reserved.