AZ-303 Microsoft Azure Architect Technologies – Lab04 – Configuring VNet peering and service chaining

Module 3

Lab04 – Configuring VNet peering and service chaining

Scenario

ADatum Corporation wants to implement service chaining between Azure virtual networks in its Azure subscription.

Objectives

After completing this lab, you will be able to:

  • Deploy Azure VMs by using Azure Resource Manager templates.
  • Configure VNet peering.
  • Implement routing.
  • Validate service chaining.

Lab Setup

Estimated Time: 60 minutes

User Name: Student

Password: Pa55w.rd

Exercise 1: Creating an Azure lab environment by using deployment templates

The main tasks for this exercise are as follows:

  1. Create the first Azure virtual network environment by using an Azure Resource Manager template
  2. Create the second Azure virtual network environment by using an Azure Resource Manager template

Task 1: Create the first Azure virtual network environment by using an Azure Resource Manager template

  1. From the lab virtual machine, start Microsoft Edge and browse to the Azure portal at http://portal.azure.com and sign in by using the Microsoft account that has the Owner role in the target Azure subscription.
  2. In the Azure portal, in the Microsoft Edge window, start a Bash session within the Cloud Shell.
  3. If you are presented with the You have no storage mounted message, configure storage using the following settings:
    • Subscription: the name of the target Azure subscription
    • Cloud Shell region: the name of the Azure region that is available in your subscription and which is closest to the lab location
    • Resource group: the name of a new resource group az3030400-LabRG
    • Storage account: a name of a new storage account
    • File share: a name of a new file share
  4. From the Cloud Shell pane, create two resource groups by running (replace the <Azure region> placeholder with the name of the Azure region that is available in your subscription and which is closest to the lab location):
az group create --resource-group az3030401-LabRG --location <Azure region>
az group create --resource-group az3030402-LabRG --location <Azure region>
  5. From the Cloud Shell pane, upload the first Azure Resource Manager template Module_03\azuredeploy0401.json into the home directory.
  6. From the Cloud Shell pane, upload the parameter file Module_03\azuredeploy04.parameters.json into the home directory.
  7. From the Cloud Shell pane, deploy the two Azure VMs hosting Windows Server 2016 Datacenter into the first virtual network by running:
az deployment group create --resource-group az3030401-LabRG --template-file azuredeploy0401.json --parameters @azuredeploy04.parameters.json --no-wait

Note: Do not wait for the deployment to complete but proceed to the next task.

Task 2: Create the second Azure virtual network environment by using an Azure Resource Manager template

  1. From the Cloud Shell pane, upload the second Azure Resource Manager template Module_03\azuredeploy0402.json into the home directory.
  2. From the Cloud Shell pane, deploy an Azure VM hosting Windows Server 2016 Datacenter into the second virtual network by running:
az deployment group create --resource-group az3030402-LabRG --template-file azuredeploy0402.json --parameters @azuredeploy04.parameters.json --no-wait

Note: The second template uses the same parameter file.

Note: Do not wait for the deployment to complete but proceed to the next exercise.

Result: After completing this exercise, you should have created two Azure virtual networks hosting Azure VMs running Windows Server 2016 Datacenter.

Exercise 2: Configuring VNet peering

The task for this exercise is as follows:

  1. Configure VNet peering for both virtual networks

Task 1: Configure VNet peering for both virtual networks

  1. In the Microsoft Edge window displaying the Azure portal, navigate to the az3030401-vnet virtual network blade.
  2. From the az3030401-vnet blade, create a VNet peering with the following settings:
    • Name of the peering from the first virtual network to the second virtual network: az3030401-vnet-to-az3030402-vnet
    • Virtual network deployment model: Resource manager
    • Subscription: the name of the Azure subscription you are using for this lab
    • Virtual network: az3030402-vnet
    • Name of the peering from the second virtual network to the first virtual network: az3030402-vnet-to-az3030401-vnet
    • Allow virtual network access from the first virtual network to the second virtual network: Enabled
    • Allow virtual network access from the second virtual network to the first virtual network: Enabled
    • Allow forwarded traffic from the first virtual network to the second virtual network: Disabled
    • Allow forwarded traffic from the second virtual network to the first virtual network: Disabled
    • Allow gateway transit: Disabled

Exercise 3: Implementing routing

The main tasks for this exercise are as follows:

  1. Enable IP forwarding
  2. Configure user defined routing
  3. Configure routing on an Azure VM running Windows Server 2016

Task 1: Enable IP forwarding

  1. In Microsoft Edge, navigate to the az3030401-nic2 blade (the NIC of az3030401-vm2).
  2. On the az3030401-nic2 blade, modify the IP configurations by setting IP forwarding to Enabled.

Task 2: Configure user defined routing

  1. In the Azure portal, create a new route table with the following settings:
    • Name: az3030402-rt1
    • Subscription: the name of the Azure subscription you use for this lab
    • Resource group: az3030402-LabRG
    • Location: the same Azure region in which you created the virtual networks
    • Virtual network gateway route propagation: Disabled
  2. Once the creation of the route table has finished, click Go to resource.
  3. In the Azure portal, on the route table az3030402-rt1 that was created in the previous step, click Routes under Settings and add a route with the following settings:
    • Route name: custom-route-to-az3030401-vnet
    • Address prefix: 10.0.0.0/22
    • Next hop type: Virtual appliance
    • Next hop address: 10.0.1.4
  4. In the Azure portal, associate the route table with the subnet-1 of the az3030402-vnet.
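The route just added has exactly the same prefix (10.0.0.0/22) as the system route that the peering from Exercise 2 created for az3030401-vnet, so it is worth being precise about why it takes effect: Azure picks the effective route by longest prefix match and, when prefixes tie, prefers a user-defined route over a BGP route over a system route. The following script is an added example written for this page, not part of the lab or of any Azure SDK; it models that selection rule on the lab topology and predicts what the traceroute in Exercise 4 should show (first hop 10.0.1.4). The 10.0.0.0/22 prefix, the 10.0.1.4 and 10.0.0.4 addresses and the resource names come from the lab; the 10.1.0.0/22 address space for az3030402-vnet is an assumption, since the lab does not state it.

```python
"""Model of Azure effective-route selection applied to this lab's topology.

Azure resolves each outbound packet against the subnet's effective routes:
the route with the longest (most specific) matching prefix wins, and when
several routes share the same prefix the source decides: user-defined route
first, then BGP, then system route. The route added in Exercise 3 Task 2
(10.0.0.0/22 -> virtual appliance 10.0.1.4) carries the same prefix as the
system route that the peering created, so it wins on source priority alone.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Lower value wins when two routes have equally specific prefixes.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop_type: str          # VnetLocal, VNetPeering, VirtualAppliance, Internet
    next_hop_ip: Optional[str]  # populated only for VirtualAppliance
    source: str                 # "System", "BGP" or "User"


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the effective route for destination, or None if nothing matches."""
    dest = IPv4Address(destination)
    candidates = [r for r in routes if dest in r.prefix]
    if not candidates:
        return None
    # Longest prefix first; ties broken by source priority (User > BGP > System).
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, SOURCE_PRIORITY[r.source]))


def lab_system_routes() -> List[Route]:
    """System routes Azure creates for subnet-1 of az3030402-vnet.

    10.0.0.0/22 is the first VNet's prefix as given in the lab. 10.1.0.0/22 as
    the second VNet's address space is an assumption made for this example.
    """
    return [
        Route(IPv4Network("10.1.0.0/22"), "VnetLocal", None, "System"),
        Route(IPv4Network("10.0.0.0/22"), "VNetPeering", None, "System"),  # created by the Exercise 2 peering
        Route(IPv4Network("0.0.0.0/0"), "Internet", None, "System"),
    ]


def lab_route_table() -> List[Route]:
    """The single user-defined route in az3030402-rt1 (custom-route-to-az3030401-vnet)."""
    return [Route(IPv4Network("10.0.0.0/22"), "VirtualAppliance", "10.0.1.4", "User")]


def next_hop(destination: str, route_table_associated: bool = True) -> Tuple[str, Optional[str]]:
    """Resolve where a packet leaving az3030402-vm1 is sent for destination."""
    routes = lab_system_routes()
    if route_table_associated:
        routes = routes + lab_route_table()
    route = select_route(routes, destination)
    if route is None:
        return ("None", None)
    return (route.next_hop_type, route.next_hop_ip)


if __name__ == "__main__":
    # 10.0.0.4 is az3030401-vm1; the other two destinations are constructed samples.
    for dst in ("10.0.0.4", "10.1.0.5", "203.0.113.10"):
        for associated in (True, False):
            hop_type, hop_ip = next_hop(dst, associated)
            state = "with" if associated else "without"
            print(f"{dst:<14} {state:<8} az3030402-rt1 -> {hop_type} {hop_ip or ''}")
```

Two points the model makes visible. First, the route only gets the packet delivered to 10.0.1.4; Task 1 (IP forwarding on az3030401-nic2) and Task 3 (LAN routing in Windows) are what allow that VM to accept a packet addressed to 10.0.0.4 and forward it, and without either the packet is dropped at the appliance. Second, the model covers only the outbound direction from subnet-1 of az3030402-vnet: az3030401-vm1 has no route table associated with its subnet, so its replies go straight back over the peering, and the traceroute in Exercise 4 only ever shows the forward path through 10.0.1.4.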

Task 3: Configure routing on an Azure VM running Windows Server 2016

  1. On the lab computer, from the Azure portal, start a Remote Desktop session to az3030401-vm2 Azure VM.
  2. When prompted to authenticate, specify the following credentials:
    • User name: Student
    • Password: Pa55w.rd1234
  3. Once you are connected to az3030401-vm2 via the Remote Desktop session, install the Remote Access role. In Server Manager, click Manage, and then click Add roles and features.
  4. On the Before you Begin screen, click Next.
  5. On the Installation Type screen, leave the default Role-based or feature-based installation selected and click Next.
  6. On the Server Selection screen, leave the default server selected and click Next.
  7. On the Server Roles screen, place a checkmark next to Remote Access and then click Next.
  8. On the Features screen, leave the defaults selected and then click Next.
  9. On the Remote Access screen, click Next.
  10. On the Services screen, place a checkmark next to Routing and then click Next.
  11. On the Confirmation screen, click Next.
  12. On the Results screen, click Install.
  13. In the Remote Desktop session to az3030401-vm2, from Server Manager, click Tools and then click Routing and Remote Access to open the RRAS console.
  14. In the Routing and Remote Access console, right-click the name of the server az3030401-vm2 and select Configure and Enable Routing and Remote Access to run the Routing and Remote Access Server Setup Wizard.
  15. In the Routing and Remote Access Server Setup Wizard, select Custom configuration under Configuration and enable LAN routing.

Note: If you receive a warning pop-up, click OK.

  16. Start the Routing and Remote Access service.
  17. In the Remote Desktop session to az3030401-vm2, click Start and then click Windows Administrative Tools.
  18. From Administrative Tools, launch the Windows Firewall with Advanced Security console.
  19. In the console, click Inbound Rules.
  20. Locate the File and Printer Sharing (Echo Request – ICMPv4-In) inbound rule, right-click the rule and click Enable Rule.

Result: After completing this exercise, you have configured custom routing within the second virtual network.

Exercise 4: Validating service chaining

The main tasks for this exercise are as follows:

  1. Configure Windows Firewall with Advanced Security on an Azure VM
  2. Test service chaining between peered virtual networks

Task 1: Configure Windows Firewall with Advanced Security on the target Azure VM

  1. On the lab computer, from the Azure portal, start a Remote Desktop session to az3030401-vm1 Azure VM.
  2. When prompted to authenticate, specify the following credentials:
    • User name: Student
    • Password: Pa55w.rd1234
  3. In the Remote Desktop session to az3030401-vm1, start the Windows Firewall with Advanced Security console and enable the File and Printer Sharing (Echo Request – ICMPv4-In) inbound rule for all profiles.

Task 2: Test service chaining between peered virtual networks

  1. On the lab computer, from the Azure portal, start a Remote Desktop session to az3030402-vm1 Azure VM.
  2. When prompted to authenticate, specify the following credentials:
    • User name: Student
    • Password: Pa55w.rd1234
  3. Once you are connected to az3030402-vm1 via the Remote Desktop session, start Windows PowerShell.
  4. In the Windows PowerShell window, run the following:
Test-NetConnection -ComputerName 10.0.0.4 -TraceRoute
  5. Verify that the test is successful and note that the connection was routed over 10.0.1.4.

Result: After completing this exercise, you should have validated service chaining between peered virtual networks.

Exercise 5: Remove lab resources

Task 1: Open Cloud Shell

  1. At the top of the portal, click the Cloud Shell icon to open the Cloud Shell pane.
  2. If needed, switch to the Bash shell session by using the drop-down list in the upper left corner of the Cloud Shell pane.
  3. At the Cloud Shell command prompt, type in the following command and press Enter to list all resource groups you created in this lab:
az group list --query "[?starts_with(name,'az30304')]".name --output tsv
  4. Verify that the output contains only the resource groups you created in this lab. These groups will be deleted in the next task.

Task 2: Delete resource groups

  1. At the Cloud Shell command prompt, type in the following command and press Enter to delete the resource groups you created in this lab:
az group list --query "[?starts_with(name,'az30304')]".name --output tsv | xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'
  2. Close the Cloud Shell prompt at the bottom of the portal.

Result: In this exercise, you removed the resources used in this lab.