#Azure : VNet-to-VNet Connectivity


VNet-to-VNet connectivity is another option to connect two virtual networks. When peering was not available in Azure, VNet-to-VNet connection was the only option to connect two virtual networks either in same region or in two different regions. Connecting a virtual network to another virtual network (VNet-to-VNet) is like connecting a VNet to an on-premises site location. Both connectivity types use an Azure VPN gateway to provide a secure tunnel using IPsec/IKE.

The VNets you connect can be:

  • In the same or different regions
  • In the same or different subscriptions
  • In the same or different deployment models

Let me explain you, how to set it up step by step. Login to the Azure Portal and go to the virtual network.

As you are going to setup a VNet-to-VNet connectivity between two virtual networks, therefore a Gateway subnet and a Network gateway is required in both virtual networks.

Select subnet under settings in virtual network, select “+ Gateway subnet” to create a gateway subnet for this virtual network.

Select an address range that will be used by this network gateway. By default, it selects next available address range.

In my case, I am using last subnet of my address space for gateway subnet.

Once added, you can review all used subnets in subnet panel.

Once, you have setup the subnet gateway in your virtual network then move on and create virtual network gateway to attach with gateway subnet.

Define the name of the virtual network gateway. Select the gateway type to “VPN” as we are establishing VNet-to-VNet connection. Select VPN type either Route-based or Policy-based according to your requirements. Select the VPN SKU based on your need.

Gateway SKUs by tunnel, connection, and throughput:

SKU S2S/VNet-to-VNet
Tunnels
P2S
Connections
Aggregate
Throughput Benchmark
VpnGw1 Max. 30 Max. 128 650 Mbps
VpnGw2 Max. 30 Max. 128 1 Gbps
VpnGw3 Max. 30 Max. 128 1.25 Gbps
Basic Max. 10 Max. 128 100 Mbps

Courtesy: Microsoft

Select the resource group, location and subscription etc.

Select your virtual network for which you are setting up this virtual network gateway.

Create new public IP address for your virtual network gateway.

Create public IP address using either Basic SKU or Standard SKU.

Once you are done with all the details, click on “Create” to deploy virtual network gateway.

Follow the same steps for another virtual network as well.

Once completed above steps in both the virtual networks now this is a time to establish a connection between both virtual network gateways which belongs to their respective virtual networks so that both the virtual networks can talk to each other. To do this, go to the “+ Create a resource” and search for “connection”.

Select the “Connection”.

Click on “Create” to establish a connection between virtual networks.

In basic settings select the type of the connection to VNet-to-VNet. Select the appropriate subscription, resource group and location.

Once configured all the basic settings, select “OK”.

Select both the virtual network gateways that needs to be connected, select the checkbox “Establish bidirectional connectivity” if you want to establish two-way connection. Define first and second connection names and then shared key to establish a secure connection.

Select first virtual network gateway.

Select second virtual network gateway.

Define both first and second connection name and enter the shared key, select OK.

Review the details in summary page and select OK to create a connection between virtual network gateways.

Once completed successfully, resources can talk to each other across virtual networks.

Advertisements

#Azure : Network Peering


In Microsoft Azure Virtual Networks, Peering connects multiple virtual networks. It simplifies the connectivity and configuration between virtual networks. Once connectivity established through peering, traffic flows seamlessly between two virtual networks. Traffic between peered virtual network leverages Microsoft infrastructure backbone, much likely traffic is flowing within the same virtual network. However, it doesn’t cover all the scenarios and it is the option available only for virtual networks available in same region. Apart from this major constraint, there are many other restrictions applies to it such as address ranges can’t be added or deleted from the address space of a virtual network once peered with another virtual network. However, peering virtual networks between region is currently in preview for few regions and it may be generally available soon.

Address spaces within same virtual network doesn’t require peering. For example, if I have two address spaces one for corporate network and another for perimeter network, and both are part of the same virtual network then there is no need to establish any kind of connectivity because both networks can talk to each other by default.

Now, let me show you how to setup peering between virtual network.

Login to the Azure Portal and first go to your virtual network and then go to the “Peering” under settings. Select “+ Add” to establish a peering between virtual networks.

In Add peering panel, fill the required details.

Name: Enter a common name for the peering that you can recognized.

Peer details: Select virtual network deployment model.

Subscription: Select the subscription.

Virtual network: Select the destination virtual network.

Configuration: By default, “Allow virtual network access” enabled. If you don’t have specific configuration, go with default configuration.

Once entered all the necessary details then click “OK” to setup a peering.

Once created successfully, you will be able to see it in peering panel.

Follow the same steps in another virtual network as well. Once completed from both the side, you will be able to flow data between peered networks.

#Azure : Virtual Networks


Azure virtual network enables Azure resources to communicate with each other in Azure network and with external resources through internet. Azure virtual network is like your traditional local area network in datacenter. Azure virtual networks can be connected with another virtual network in Azure and with your On-premises datacenter as well. Azure virtual network supports private ip addressing and subnetting as you do in your on-premises network. Azure virtual network supports subnets within a virtual network, the number of subnets can be defined based on the virtual network class and size of each subnets, and it is as same as VLAN in your traditional network. By default, subnets within virtual network can talk to each other without establishing any connection. Once a virtual network created, multiple address spaces can be added based on your need. While doing this entire exercise, please make sure that any ip address or ip addresses range is not overlapping with each other neither across your Azure virtual networks nor with on-premises network.

Let me show you, how to set up virtual networks step by step. To start login to Azure portal.

In Azure portal, select “+ Create a resource” à“Networking” à “Virtual network”.

Look at the details required to create a virtual network.

Name: Name of the virtual network, it should be unique in your Azure environment.

Address space: Define address space based on your requirement.

Subscription: Select your subscription.

Resource: Either create a new one or use existing resource group.

Location: Select location to create this virtual network resource, It will selected automatically if you are using existing resource group.

Subnet: Define the name of the subnet.

Address range: Define the address range for this subnet.

Service endpoints: Define the service endpoints, by default it is disable.

Look at the below screenshots for filled details. Once filled all the required details, click on “Create” to deploy a virtual network.


Once deployed successfully, you can find this virtual network in your resources.


Select “Subnets” to look at/verify your existing subnet. Click on “+ Subnet” to create a new subnet in your existing virtual network.


Enter the name of the subnet and then enter the address range for this subnet. As we had used 172.26.0.0/20 (172.26.0.0 – 172.26.15.255), therefore the next range will start from 172.26.16.0, You can specify the new range based on your need.


Once filled the required details, select “OK” to deploy a new subnet in your existing virtual network.


Once deployed successfully, you can see both your subnets here.


Go to the Address space, if you would like to add a new address space in your virtual network.


Add the address space based on your requirement. (Example: Many organization uses different – different set of ip address ranges for different types of networks. Very simple example is Corporate and Perimeter network.) Once entered the range, click on “Save”.


Once added the address space successfully, define the subnet in that address space.


In connected device panel, you can see the devices that are using ip address from this virtual network.


In subnet panel, you can define multiple subnets based on your define address ranges.


In DNS panel, you can define the custom DNS server addresses based your network design. By default, it uses Azure-provided DNS server.


In peering panel, you can define peering between two virtual networks that belongs to the same region.


In Service endpoints panel, you can specify services endpoints based on your requirement. In general, you don’t have to define any thing here.


In properties panel, you can see the properties of your virtual network, such as resource id, location, resource group etc.


In Locks, you panel you can define the locks for your resources by defining lock type either “delete” or “read-only”.


In the Automation script panel, you can view the temple of this deployment and you also get an option for download, add to library and deploy.


In the diagram panel, you get the graphical representation of all the subnets and associated resources.


I hope, this step by step blog post helped you to create your virtual network and subnets in Microsoft Azure. To know more about the networking features such as Gateway subnet, peering etc., read the next blog post.

#Azure : Map your traditional datacenter storage with cloud storage


Storage plays a critical role in technology, without storage you can’t think about anything. Because of the criticality of its existence, storage providers have made enormous amount of money in the past by selling disks with the intelligent built into their proprietary storage controllers that controllers the behavior and performance of the storage. At present, that intelligence has been integrated with the software and that’s why this kind of storage are known as software defined storage. SDS has given a chance to the industry to have infinite amount of data without the hurdle of jumbling cables connectivity between the compute and the storage. In short, now you can leverage your compute with local disks attached to it and create your own software defined storage using software capabilities such as VMware vSAN, Windows S2D, Scale IO etc.

Let me provide you a high-level overview of traditional datacenter storage:

Direct Attach Storage: Direct attach storage as name describes, it is a pool of disk that can be directly connected with the server locally using SAS cable. You can attach multiple DAS with on one server in the form of chain, while number of DAS in one chain depends on DAS specification. Example: Very good option for application like Microsoft Exchange to provide large mailbox size.

Storage Area Network: SAN is a block level data storage technology and commonly used storage across enterprises. It is also known as intelligent storage and supports high availability, scalability, resiliency and so on. In general SAN has two storage controllers in HA mode and it can be connected using two methodologies based on storage type, these methodologies are fiber channel and iSCSI. Fiber channel storage uses fiber channel switch to establish a connection between storage arrays and with compute using FC cables. Now-a-days few fiber channel SAN supports FCoE (Fiber channel over Ethernet). Another option in SAN is iSCSI, it uses network switch to connect between storage arrays and with compute using SFP+ cables. There are many hybrid SANs are available in the market, which supports both the technologies.

Network Ares Storage: NAS is a file level computer data storage, which used over the network. Many enterprises use this technology for File Share storage and NFS. This type of storage directly connects to your local area network using ethernet switch.

Software Defined Storage: Software defined storage is a latest technology that is being used in traditional datacenter as well as in the cloud. This technology generally used your local internal storage of the server and leverage the storage logic defined by software services such as vSAN from VMware, Storage space direct from Microsoft and Scale IO from Dell EMC etc. It uses a pool of servers and their local storage to create a single storage pool that can leveraged across the compute nodes. It also provides traditional SAN capabilities such as tiering.

When it comes to the cloud and specifically Microsoft Azure storage services, you can differentiate available services in four categories i.e. blob, file queue and table storage. In most of the cases, you leverage blob storage. To know more about in details, read the following posts:

Storage Accounts

Storage services

Storage replication

Step-by-step Microsoft Azure Storage

Storage Explorer

Now, let me explain how to do a selection of storage in cloud.

Largely data in cloud has been divided into two large pieces i.e. structured data and unstructured data. While the type of storage has been divided into two tiers i.e. Standard and Premium. Standards storage is common across entire storage service landscape while premium is only part of the blob and can be leveraged only to create OS and data disks. Follow the following steps to select the right set of storage service option for your specific solutions.

OS & data disk: Uses blob and performance tier can be selected between standard and premium. Standard is backed by SAS HDDs and premium is backed by high-performance SSDs. Many high-performance OS disks use SSD by default. OS disk is to install the operating systems and data disk can be used to install application binaries and to store the application data as well.

Application storage requirement: Look at the application architecture and IOPS requirement. Look at your exiting application environment and storage configuration in case of brown field and use the application definition documentation to estimate the storage size, performance tier and type of storage service. Once defined then use the storage service based on your application requirement.

Database storage requirement: First select between PaaS and IaaS based on your application need and then define the storage tier and storage service based on your database type and application need.

Above mentioned criteria are a very high-level decision-making technique but in one line I would say, know your application and data requirement in terms of size (first) and availability/replication (second) and performance (third) to make the right selection.

#Azure : Storage Explorer


When you move from traditional datacenter to the cloud, you know the limitation very well. In the cloud, you don’t much worry about the underlying infrastructure management. In the context of virtual machine, you don’t play with hypervisor at all. But once you look at the storage, you feel that management tool is required to manage the storage pool. To help you in this area, you have few options from Microsoft but at the same time you may find multiple offerings from the Microsoft Partners. Microsoft natively provide following options for storage management.

  • Microsoft Azure Portal
  • Microsoft Visual Studio Server Explorer
  • Microsoft Azure Storage Explorer

Microsoft Azure Storage Explorer comes with full-fledged functionalities and support all major operating systems such as Windows, Linux and OSX. It is a thick client application that you need to download and install on your system.

To download this tool, go to the “Azure Storage Explorer” page and download the storage explorer by selecting right operating system based on your need.

Once download completes, install this tool in your system.

To install, run StorageExplorer.exe on your system. Accept the agreement and click on Next.

Select the installation directory and click on Next.

Go with default setting and click on Next as it will create a short cut in the Start Menu.

It will take few seconds to compete the installation.

Once done, click on Next to open the Storage Explorer wizard.

First time, it will take few seconds to load the wizard.

Once loaded successfully, you will get an option to connect your storage account or service. Click on “Sign in” to continue.

In my case, I would like to manage entire storage portfolio of my Azure subscription. But you can use specific storage accounts or provide access to others on a specific storage accounts using different methods.

Login using your Microsoft Azure subscription account.

Go to the Microsoft Azure Storage Explorer and select “Manage Accounts” option and then click on either “All subscriptions” or any specific subscription and then finally click on apply.

Once connected, you will be able to see all your storage accounts.

Now, you can play with it. You can use storage explorer for following activities.

Blob storage

  • View, delete, and copy blobs and folders
  • Upload and download blobs while maintaining data integrity
  • Manage snapshots for blobs

Queue storage

  • Peek most recent 32 messages
  • View, add, and dequeue messages
  • Clear queue

Table storage

  • Query entities with OData or query builder
  • Add, edit, and delete entities
  • Import and export tables and query results

File storage

  • Navigate files through directories
  • Upload, download, delete, and copy files and directories
  • View and edit file properties

Azure Cosmos DB storage

  • Create, manage and delete databases and collections
  • Generate, edit, delete and filter documents
  • Manage stored procedure, triggers and user-defined functions

Azure Data Lake storage

  • Navigate ADLS resources across multiple ADL accounts
  • Upload, download files and folders
  • Copy folders or files to the clipboard
  • Delete files and folders

Above mentioned activities are just an overview that you can see when opening Microsoft Azure Store Explorer web page but you can do many more things with storage explorer. Therefore, explore this explorer as much as possible.

#Azure : Step-by-step Microsoft Azure Storage


Microsoft Azure storage offers variety of services that can be used to fulfill most of the business needs. Configuration and selection of services differs based on the storage requirements. I have covered most of the services and configuration options in the following post:

Storage Accounts

Storage services

Storage replication

In this blogpost, I am going to cover step-by-step process for creating storage accounts, configuring required storage services and selecting right storage replication methodology to fulfill your business needs.

Login to Azure Portal. Create a new resource group or use existing one based on your requirements.

Select “+ Create a resource” to create storage account.

Select “Storage” from the Azure market place and then select “Storage account – blob, file, table, queue”.

In the “Create storage account” panel, enter the unique name for the storage account. This name should be in all lowercase without any space or special characters.

By default deployment model is set to “Resource manager”, if you choose “Classic” under deployment model then you will not be able to select the kind of the storage account and as well as many new features that comes with general purpose v2 storage account.

When you go with default deployment model “Resource Manager”, you can select one of the following account kind:

Storage (general purpose v1)

StorageV2 (general purpose v2)

Blob storage

Select the performance tier based on your requirements.

Standard performance tier provides, four replication methodologies. Select most suitable replication options based on data availability requirements.

If you select premium performance tier then only you have one replication option i.e. LRS, and default access tier will be Hot. In premium storage, there is no option for cold access tier.

All four replication methodology is very specific to location. In few locations, you don’t have option to go with ZRS.

In “Resource Manager” deployment model, you have an option to select virtual network. In general, we don’t enable this option (by default it is disabled) but if you have any specific requirement based on your data confidentiality then you can define the virtual network / subnet so that the services running under specified network subnet can only use this storage account.

Once done with the configuration, click on create to create a storage account with specified storage services. I hope, it gives you a clearer picture about storage configuration in Microsoft Azure. Please feel free to share your experience by leaving a comment in the comment box section.

#Azure : Storage replication


Microsoft Azure storage offers numerous type of availability and durability of the data, within the datacenter, across datacenters, within the same region, or across regions. Based on your needs, you can select the right replication methodology. For example, if you would like to save your data from catastrophic failure in a single region then choose replication option that supports replication across regions.

Please keep in mind that you can configure replication options when you are creating a storage account and each region doesn’t support all replication options. Microsoft Azure offers four different replication options.

LRS: Locally redundant storage

ZRS: Zone-redundant storage

GRS: Geo-redundant storage

RA-GRS: Read-access geo-redundant storage

Table below provides you a quick overview about differences between all four replication options.

strategy LRS ZRS GRS RA-GRS
Data is replicated across multiple datacenters. No Yes Yes Yes
Data can be read from a secondary location as well as the primary location. No No No Yes
Designed to provide _durability of objects over a given year. at least 99.999999999% (11 9’s) at least 99.9999999999% (12 9’s) at least 99.99999999999999% (16 9’s) at least 99.99999999999999% (16 9’s)

Courtesy: Microsoft

Let me explain you all four replication options in detail.

Locally redundant storage: maintains three copies of your data. It replicates your data within a scale unit, which is hosted in a datacenter in the region in which you create your storage account. A scale unit is nothing but a set of multiple racks, which hosts storage nodes. To maintain high availability, these replicas reside in separate fault domains and update domain. A fault domain is nothing but a group of nodes, which belongs to a single point of failure. While an update domain is a group of nodes that can be upgraded at the same time. LRS is cost effective solution but doesn’t safeguard your data from datacenter level failure.

Zone-redundant storage: maintains three copies of your data. ZRS is little confusing as of now because of its two versions. ZRS is in preview, which falls under general purpose v2 storage accounts, it replicates data synchronously across multiple availability zones with in a region and very useful for highly available applications. While the existing or old ZRS capability is now referred to as ZRS classic, which falls under general purpose v1 storage accounts. ZRS classic replicates data asynchronously three times across two to three facilities within same region or in some cases across two regions. ZRS classic are planned to depreciate by March 2021 and once new ZRS generally available in a region then ZRS classic can’t be created.

Geo-redundant storage: maintains six copies of your data. It replicates three copies in one region and another three copies in another region. In primary region, it replicates your data within a scale unit, which is hosted in a datacenter in the region in which you create your storage account. A scale unit is nothing but a set of multiple racks, which hosts storage nodes. To maintain high availability, these replicas reside in separate fault domains and update domain just like LRS. While in secondary region also it does the same thing but between the region data replication take place in asynchronous mode. Your data doesn’t become available in case of primary region failure, until Microsoft initiates the failover. Primary and secondary region association is pre-defined based on the locations and can’t be changes manually. Once you create a storage account, you just need to specify your primary azure region. Here is the list of primary and their respective secondary regions.

Primary Secondary
North Central US South Central US
South Central US North Central US
East US West US
West US East US
US East 2 Central US
Central US US East 2
North Europe West Europe
West Europe North Europe
South East Asia East Asia
East Asia South East Asia
East China North China
North China East China
Japan East Japan West
Japan West Japan East
Brazil South South Central US
Australia East Australia Southeast
Australia Southeast Australia East
India South India Central
India Central India South
India West India South
US Gov Iowa US Gov Virginia
US Gov Virginia US Gov Texas
US Gov Texas US Gov Arizona
US Gov Arizona US Gov Texas
Canada Central Canada East
Canada East Canada Central
UK West UK South
UK South UK West
Germany Central Germany Northeast
Germany Northeast Germany Central
West US 2 West Central US
West Central US West US 2

Courtesy: Microsoft

Read-access geo-redundant storage: maintains six copies of your data. It replicates three copies in one region and another three copies in another region. In primary region, it replicates your data within a scale unit, which is hosted in a datacenter in the region in which you create your storage account. A scale unit is nothing but a set of multiple racks, which hosts storage nodes. To maintain high availability, these replicas reside in separate fault domains and update domain just like LRS. While in secondary region also it does the same thing but between the region data replication take place in asynchronous mode. In case of RA-GRS, your data is available in read mode always, even in case of primary region failure. However, you can’t get write access on your data from secondary region until Microsoft initiates the failover. Primary and secondary region association is pre-defined based on the locations and can’t be changes manually like GRS. Once you create a storage account, you just need to specify your primary azure region.