Azure manages network traffic by using system routes and user defined routes. I have created this video to demonstrate the System Route,User defines Route and Network appliance. This Video also demonstrates How to configure the routing table in Azure so network traffic can go via Network Virtual Appliance.
Azure uses system routes to direct network traffic between virtual machines, on-premises networks, and the Internet. Here are the examples of system routes.
- Traffic between VMs in the same subnet.
- Between VMs in different subnets in the same virtual network.
- Data flow from VMs to the Internet.
- Communication between VMs using a VNet-to-VNet VPN.
- Site-to-Site and ExpressRoute communication through the VPN gateway.
Azure automatically handles all network traffic routing on it’s own. But,in case if you want to do something completely different it provides a way to achieve it. For example, you may have a VM that performs a network function, such as routing, firewalling, or WAN optimization. And you may want certain subnet traffic to be directed to this virtual appliance VM. You can place an appliance between subnets or a subnet and the internet.
In these situations, you can configure user-defined routes (UDRs). UDRs control network traffic by defining routes that specify the next hop of the traffic flow. This hop can be a virtual network gateway, virtual network, internet, or virtual appliance.
What is network Virtual appliance?
A network virtual appliance (NVA) is a virtual appliance primarily focused on network functions virtualization. A typical network virtual appliance involves various layers (four to seven functions) like
- WAN optimizer,
- Application delivery controllers,
- Load balancers,
- IDS (Intrusion Detection Systems)/IPS (Intrusion Prevention Systems ),
- SD-WAN edge and more.
While the public cloud may provide some of these functionalities natively, it is quite common to see customers deploying network virtual appliances from independent software vendors (ISV).
In this blog we will create a Network Virtual appliance (VM) and three subnets inside a Virtual network.These subnets would be:
- Public (MyVmPublic will be associated with this subnet)
- Private ( MyVmPrivate will be associated with this subnet )
- Dmz ( MyVmNva will be associated with this subnet )
We will create three VMs and associate these VMs to specific subnets. Then we will create a route table and configure the route table so next hop is MyVmNva. This way we can route the traffic coming from MyVmPublic VM via MyVmNva VM to MyVmPrivate VM.We will implement this by using Powershell.
1. Connect to Azure and create a resource group.
#1. Connect to Azure Connect-AzAccount #2. Create a Resource Group New-AzResourceGroup -ResourceGroupName myResourceGroup -Location EastUS
2. Create a routing table. Set destination subnet Address prefix (Private subnet), next Hop type to Virtual appliance and Next hop address(Dmz Subnet).
#3. Create a Routing Table $routeTablePublic = New-AzRouteTable ` -Name 'myRouteTablePublic' ` -ResourceGroupName myResourceGroup ` -location EastUS #4. Set Routing Table configuration Get-AzRouteTable ` -ResourceGroupName "myResourceGroup" ` -Name "myRouteTablePublic" ` | Add-AzRouteConfig ` -Name "ToPrivateSubnet" ` -AddressPrefix 10.0.1.0/24 ` -NextHopType "VirtualAppliance" ` -NextHopIpAddress 10.0.2.4 ` | Set-AzRouteTable
3. Create a Virtual Network and then create three subnets (Private, Dmz, Public Subnet) into Virtual network. Associate the routing table to the subnet.
#5. Create a Virtual Network $virtualNetwork = New-AzVirtualNetwork ` -ResourceGroupName myResourceGroup ` -Location EastUS ` -Name myVirtualNetwork ` -AddressPrefix 10.0.0.0/16 #6.Create a Public Subnet in Virtual Network $subnetConfigPublic = Add-AzVirtualNetworkSubnetConfig ` -Name Public ` -AddressPrefix 10.0.0.0/24 ` -VirtualNetwork $virtualNetwork #7.Create a Private Subnet in Virtual Network $subnetConfigPrivate = Add-AzVirtualNetworkSubnetConfig ` -Name Private ` -AddressPrefix 10.0.1.0/24 ` -VirtualNetwork $virtualNetwork #8.Create a DMZ Subnet in Virtual Network $subnetConfigDmz = Add-AzVirtualNetworkSubnetConfig ` -Name DMZ ` -AddressPrefix 10.0.2.0/24 ` -VirtualNetwork $virtualNetwork #9. Update the Virtual Network $virtualNetwork | Set-AzVirtualNetwork #10.Associate a routing table to a subnet (Here we have associated it to public Subnet) Set-AzVirtualNetworkSubnetConfig ` -VirtualNetwork $virtualNetwork ` -Name 'Public' ` -AddressPrefix 10.0.0.0/24 ` -RouteTable $routeTablePublic | ` Set-AzVirtualNetwork # Retrieve the virtual network object into a variable. This will be used in the next commandlet. $virtualNetwork=Get-AzVirtualNetwork ` -Name myVirtualNetwork ` -ResourceGroupName myResourceGroup # Retrieve the subnet configuration into a variable.This will be used in the next commandlet. $subnetConfigDmz = Get-AzVirtualNetworkSubnetConfig ` -Name DMZ ` -VirtualNetwork $virtualNetwork
4. Create a NIC card and enable Network forwarding and associate it with Dmz Subnet.
# 11.Create the network interface in Dmz subnet. $nic = New-AzNetworkInterface ` -ResourceGroupName myResourceGroup ` -Location EastUS ` -Name 'myVmNva' ` -SubnetId $subnetConfigDmz.Id ` -EnableIPForwarding
5. Create a VM named MyVmNva and associate the NIC card created in step 4 to this VM.
#12.CREATE A NVA (Network Virtual Appliance) VM. #--------------------------------------------------- # Create a credential object. $cred = Get-Credential -Message "Enter a username and password for the VM." # Create a VM configuration. $vmConfig = New-AzVMConfig ` -VMName 'myVmNva' ` -VMSize Standard_DS2 | ` Set-AzVMOperatingSystem -Windows ` -ComputerName 'myVmNva' ` -Credential $cred | ` Set-AzVMSourceImage ` -PublisherName MicrosoftWindowsServer ` -Offer WindowsServer ` -Skus 2016-Datacenter ` -Version latest | ` Add-AzVMNetworkInterface -Id $nic.Id $vmNva = New-AzVM ` -ResourceGroupName myResourceGroup ` -Location EastUS ` -VM $vmConfig ` -AsJob #-----------NVA VM CREATED--------------
6.Create a Public VM (MyVmPublic) in Public subnet and Private VM (MyVmPrivate)in Private Subnet.
#13. Create a Public VM New-AzVm ` -ResourceGroupName "myResourceGroup" ` -Location "East US" ` -VirtualNetworkName "myVirtualNetwork" ` -SubnetName "Public" ` -ImageName "Win2016Datacenter" ` -Name "myVmPublic" ` -AsJob #14. Create a Private VM New-AzVm ` -ResourceGroupName "myResourceGroup" ` -Location "East US" ` -VirtualNetworkName "myVirtualNetwork" ` -SubnetName "Private" ` -ImageName "Win2016Datacenter" ` -Name "myVmPrivate" #15. Get the public IP Address of Private VM so you can RDP into it Get-AzPublicIpAddress ` -Name myVmPrivate ` -ResourceGroupName myResourceGroup ` | Select IpAddress
7. Connect to Private VM by using Public IP address of the VM.
#16.Login into public IP address if Private VM mstsc /v:<publicIpAddress>
8. Create Firewall rule to allow ICMP packets on MyVmPublic and MyVmPrivate VMs.
#tracert.exe command is used to test routing. Tracert uses the Internet Control Message Protocol (ICMP), which is denied through #the Windows Firewall. Enable ICMP through the Windows firewall by entering the following command #from PowerShell on the myVmPrivate VM New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4 #17. connect to NVA VM from Private VM mstsc /v:myvmnva
9. Enable port forwarding on MyVmNva.
#18. Enable Port Forwarding on NVA VM. You need to enable IP forwarding within Azure for the VM's #network interface. Within the VM, the operating system, or an application running within the VM, must # also be able to forward network traffic.This will be done on NVAVM Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1 #Restart the NVA VM so changes can take effect. Restart-Computer #19. Connect to Public VM from Private VM & Enable ICMP through the Windows firewall mstsc /v:myVmPublic New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4
10. Testing & Verification. We will do testing for the packets coming from Public subnet to Private subnet and the traffic coming from Private subnet to Public Subnet.
- Test 1: Run Tracert MyVmPrivate command from Public VM. It will show that packets are transmitted via MyVmNva hosted in DmzSubnet.
- Test 2: Test the traffic from Private VM to Public VM. We will use this command Tracert MyVmPublic.
#20. To test if Routing is working or not? Run this command on Public VM tracert myVmPrivate #Now logg off from Public VM connect thru Private VM #21. Test the traffic from Private VM to Public VM tracert myVmPublic
I hope this was helpful.