This is part of a series on Building an Azure Dev Test Lab.
There are many things that can be done in Azure without setting up Azure networking, but there are also many reasons to set up a private Azure network. This article is a summary of which Azure services are required to get Azure networking in place.
- What Is Azure Networking?
- Azure Networking Not Required
- Azure Networking Required
- Azure Active Directory Domain Services (AADDS)
- Azure Virtual Network
- Azure Bastion
- Azure Virtual Machines
- Azure VPN Gateway
- Azure Firewall
- Fortinet FortiGate Virtual Appliance Firewall
- Azure Front Door
- Lab Scenarios
- References
What Is Azure Networking?
In the context of this article, Azure networking refers to the Azure systems and services that are required for one Azure service or virtual machine to communicate to another Azure service or virtual machine over a private (not public) network.
Azure Networking Not Required
You can do any of the following without any private Azure networking:
- Authenticate users using Azure authentication for Office 365, Azure DevOps, and external SAML authentication.
- Push code to/from Azure DevOps repositories.
- Push deployments from Azure DevOps to Azure services / websites.
- Host Azure Websites on the Internet.
Azure Networking Required
Your Azure system may be a candidate for a private Azure network if you need any one of the following:
- Join Azure VMs to an Azure Active Directory Domain Services managed domain. You'll need AADDS.
- You want VM-to-VM traffic on a private network. You'll need an Azure Virtual Network.
- You want a VNet / VLAN. You'll need an Azure Virtual Network.
- You want an external VPN into a private Azure network. You'll need an Azure VPN Gateway or a FortiGate Virtual Appliance Firewall.
- You want a WAN VPN from Azure to your premises network. You'll need an Azure VPN Gateway or a FortiGate Virtual Appliance Firewall.
- You want to run legacy applications in the cloud (legacy here means Windows Services, websites, or other Windows applications not designed for the cloud).
Azure Active Directory Domain Services (AADDS)
AADDS [1] is the fundamental building block for an Azure Dev Test lab. It provides the "Domain Controller" functionality in Azure (but it is a managed service, not a Domain Controller you administer yourself). AADDS lets you use managed domain services such as Windows domain join for VMs, group policy, LDAP, and Kerberos authentication (simple sign-in using Azure AD credentials).
Steps to Create AADDS
- Create a subscription and resource group to hold the AADDS resources.
- Define the region (Central US, East US, West US, etc.).
- Pick a SKU: Standard, Premium, or Enterprise (Premium and Enterprise allow resource domains).
- Create the Azure AD Domain Services managed domain (for example azure.domain.com or aadds.domain.com, but it could also be domain.com).
- Add a new virtual network, aadds-vnet (its address space must come from 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).
- Create the new group AAD DC Administrators.
- Configure DNS (after AADDS is allocated): the DNS servers of the VNet above are set to point to the two domain controllers provided by the managed domain.
- Azure AD Cloud Sync password write-back must be enabled.
- Enable Azure AD password sync to enable password hash synchronization.
For a more detailed explanation of setting up AADDS, refer to this YouTube video:
Lets Get One Thing Straight | Azure AD Domain Services
Azure Virtual Network
Azure Virtual Network [2] allows you to create your own private network in the cloud. Just as with your on-premises network, there are numerous security reasons not to put everything you do on the public internet. Azure Virtual Network provides:
- IPsec VPN / WAN connectivity from your on-premises network to Azure.
- Your own DNS services.
- Your own IP addresses.
- Network Address Translation (NAT).
Azure Bastion
Azure Bastion [3] provides remote desktop connections to an Azure VM without requiring a VPN and without exposing RDP port 3389 on the open internet. VPNs can cut bandwidth by 30-40%.
Azure Virtual Machines
Azure Virtual Machines [4] allow you to get your legacy applications into the cloud. These are not your typical VMs. Azure VMs can provide:
- up to 416 vCPUs
- up to 12 TB of memory
- up to 3.7 million local storage IOPS per VM
- up to 30 Gbps Ethernet
- up to 200 Gbps InfiniBand networking
Linux VMs will be cheaper than Windows VMs. Reserved Virtual Machines will be cheaper than pay-as-you-go.
Azure Dev-Test box [5] provides another VM capable of running a developer-class workstation. A Dev-Test box template can be set up and configured once, and developers can then pull from a pool of boxes. A Dev-Test lab can be configured to shut down unused VMs during certain hours to minimize expenses.
Codespaces [6] also provides another VM capable of running developer scenarios. Azure Codespaces have been migrated to GitHub Codespaces [6]. GitHub uses GitHub Codespaces [7] to develop GitHub. In under 10 seconds, you can spin up a Codespace. If your application development process can use Visual Studio Code, Codespaces eliminates the need for a developer machine by running a virtual developer machine in the cloud. It's significantly cheaper than a full private network.
Azure VPN Gateway
Azure VPN Gateway [8] provides the ability to create a site-to-site IPsec VPN, or a point-to-site VPN from anywhere, into your Azure network.
Azure Firewall
Azure Firewall [9] protects your Azure Virtual Network resources in the cloud. It protects your Azure private network just like an on-premises firewall would.
Fortinet FortiGate Virtual Appliance Firewall
If you have Fortinet firewalls and routers, then it may be easier to use a custom VM and purchase the VM version, a FortiGate Virtual Appliance [10]. The FortiGate FG-VM02V VM supports 2 vCPU cores and 15 Gbps of bandwidth. I've used the FortiGate 60E at multiple sites for years. It provides a great firewall, and stellar support. The firewall keeps your private network private.
Azure Front Door
Azure Front Door [11] provides a Content Delivery Network (CDN), load balancing and failover, a Web Application Firewall, and DDoS and bot protection. If you're running a production website, Azure Front Door can provide the necessary protection. Cloudflare [12] is another vendor that can provide website and API protection.
Lab Scenarios
That's a lot of services for Azure networking. Let's take a look at some scenarios and see what is required. I'm going to preface this by saying that Microsoft is continually changing what is present in Azure, so this information is based on Q1 2023 Azure information.
LAB 1 Public Website / API Development
This would be a thin Azure system and would include the following:
- Azure DevOps Git repositories for code (requires a Visual Studio or Stakeholder license)
- Azure Pipelines (included with Azure DevOps)
- Visual Studio code (free)
- Azure Dev App Services / Websites
- Azure Test App Services / Websites
This configuration does not require any private Azure networking.
LAB 2 Private Web Dev / Test APIs
This would be a private network Azure system and would include the following:
- Azure DevOps Git repositories for code (requires a Visual Studio or Stakeholder license)
- Azure Pipelines (included with Azure DevOps)
- Private dev server APIs (Azure Websites) running under an AADDS account.
- Private test server APIs (Azure Websites) running under an AADDS account.
- Developers have an AD-joined machine and account.
Since this configuration is a private network, an Azure network is required. Typical services would include:
- Azure Active Directory Domain Services (AADDS)
- Azure AD Cloud Sync (to mirror AD accounts to Azure)
- Azure Virtual Network with private IPs
- Azure Websites assigned a private IP
- Azure Front Door, or Azure Firewall
LAB 3 Private Web Dev / Test APIs with Azure SQL
This would be a private network Azure system and would include the following:
- Azure DevOps Git repositories for code (requires a Visual Studio or Stakeholder license)
- Azure Pipelines (included with Azure DevOps)
- Private dev server APIs (Windows VMs, Linux VMs)
- Private test server APIs (Windows VMs, Linux VMs)
- Developers have an AD-joined machine and account.
- Dev Azure SQL database instances.
- Test Azure SQL database instances.
- Developers use private Azure VMs to develop and test.
- Site-to-site VPN (WAN)
Since this configuration is a private network with VMs, an Azure network is required. Typical services would include:
- Azure Active Directory Domain Services (AADDS)
- Azure AD Cloud Sync (to mirror AD accounts to Azure)
- Azure Virtual Network with private IPs
- Azure VMs assigned a private IP
- Azure Bastion for remote VM access
- Azure SQL instances assigned a private IP
- Azure VPN Gateway
- Azure Firewall or FortiGate Virtual Appliance Firewall for the site-to-site VPN
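Before creating any of the LAB 3 services, it pays to sanity-check the address plan: the AADDS VNet must be carved from a private range (see the AADDS steps above), Bastion and the VPN gateway each need their well-known subnet, and a site-to-site VPN cannot route between an Azure address space and a premises range that overlap. The following Python check is an added example, not code from the article; the subnet names and minimum sizes for Bastion and the gateway are assumed here from Azure's documented requirements, and the lab ranges are constructed sample values.

```python
import ipaddress

# The three private ranges the article says the AADDS VNet must be carved from (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Well-known subnet names and the largest prefix length (smallest size) each accepts.
# Assumed here: Azure Bastion wants "AzureBastionSubnet" at /26 or larger and the
# VPN gateway wants a subnet literally named "GatewaySubnet" (/27 or larger).
LAB3_REQUIRED_SUBNETS = {"AzureBastionSubnet": 26, "GatewaySubnet": 27}


def check_address_plan(vnet_cidr, subnets, on_prem_cidrs=(), required=None):
    """Return a list of problems with a proposed lab address plan ([] means it passes).

    vnet_cidr: VNet address space; subnets: name -> CIDR inside the VNet;
    on_prem_cidrs: premises ranges behind a site-to-site VPN;
    required: mandatory subnet name -> maximum prefix length.
    """
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    # 1. The VNet itself must come from one of the private ranges.
    if not any(vnet.subnet_of(rng) for rng in PRIVATE_RANGES):
        problems.append(f"VNet {vnet} is not inside 10/8, 172.16/12 or 192.168/16")
    # 2. Every subnet must fit inside the VNet...
    nets = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vnet):
            problems.append(f"subnet {name} {net} lies outside VNet {vnet}")
        nets[name] = net
    # 3. ...and no two subnets may overlap.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    # 4. Bastion and the VPN gateway only work from their well-known subnets.
    for name, max_prefix in (required or {}).items():
        if name not in nets:
            problems.append(f"missing required subnet {name}")
        elif nets[name].prefixlen > max_prefix:
            problems.append(f"{name} must be /{max_prefix} or larger, got /{nets[name].prefixlen}")
    # 5. A site-to-site VPN cannot route between address spaces that overlap.
    for cidr in on_prem_cidrs:
        site = ipaddress.ip_network(cidr, strict=True)
        if site.overlaps(vnet):
            problems.append(f"VNet {vnet} overlaps on-premises range {site}")
    return problems
```

For a LAB 2 layout with no Bastion or gateway, call it without the `required` mapping; a CIDR with host bits set (a typo in the plan) raises `ValueError` rather than being silently accepted.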
📝 Note: If you need multiple deployment slots (production, staging, development) beyond the default production slot, you need a Standard, Premium, or Isolated plan [13]. You can work around this limitation by having two individual sites and manually changing the DNS records to switch between them.
References
- [1] https://azure.microsoft.com/en-us/products/active-directory/ds
- [2] https://azure.microsoft.com/en-us/products/virtual-network/
- [3] https://azure.microsoft.com/en-us/products/azure-bastion/
- [4] https://azure.microsoft.com/en-us/products/virtual-machines/
- [5] https://azure.microsoft.com/en-us/solutions/dev-test/#overview
- [6] https://azure.microsoft.com/en-us/updates/begin-migrating-your-codespaces-to-github-codespaces/
- [7] https://github.blog/2021-08-11-githubs-engineering-team-moved-codespaces/
- [8] https://azure.microsoft.com/en-us/products/vpn-gateway/
- [9] https://azure.microsoft.com/en-us/pricing/details/azure-firewall/
- [10] https://www.fortinet.com/products/private-cloud-security/fortigate-virtual-appliances
- [11] https://azure.microsoft.com/en-us/products/frontdoor
- [12] https://www.cloudflare.com
- [13] https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots