As I have previously stated, one of Azure’s best advantages is the ability to create and manage a network in the cloud. You need another server to run as a file server? Just create and configure another Azure VM on the spot. There’s no need to purchase or set up any new equipment, and no need to front thousands of dollars for it.
Just as with an onsite network, there are other infrastructure components and roles that you need to install to help ensure that your network is accessible by your employees but not accessible to hackers.
Additional Azure Services and Roles
In today’s networking world, there are two main ways to set up a network. You can purchase physical equipment and build your network or you can build your network as a virtual network. Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface.
Building a network is like building a house. You don’t have a house if all you do is pour a foundation. For a house to be a livable home, you need to install doors, windows, plumbing, and electricity.
When you build a network, just running cabling throughout the office does not give you a network. It’s not a network until you install your servers, set up your shares, create your users, set roles and permissions, and install additional components.
These types of components can include firewalls, routers, proxies, or NAT services, along with other components. One of the advantages of using Azure is that all of these components can be set up and used in the Azure Virtual WAN.
Let’s explore some of the additional Azure services and roles that you can add to your cloud network.
Depending on your organization, not all of these services are required. Also, your organization may need to use some Azure services that are not listed here. To learn more about all of the available Azure services and components, please visit Microsoft’s website at http://azure.microsoft.com/en-us/products.
Using the Remote Access Role
The DirectAccess Remote Client Management deployment uses DirectAccess to maintain clients over the Internet. Windows Server 2022 took the best of Windows Server 2016 and Windows Server 2012 and combined DirectAccess and Routing and Remote Access Service (RRAS) VPN into a single Remote Access role.
Understanding Additional Infrastructure Components
The Remote Access Role is installed and uninstalled by using Windows PowerShell or from the Server Manager console (on VMs or Servers). The Remote Access role consists of two components:
■ DirectAccess and Routing and Remote Access Services (RRAS) VPN: DirectAccess and VPN are managed in the Remote Access Management console.
■ RRAS: Features are managed in the Routing and Remote Access console.
The Remote Access server role is dependent on the following features:
■ Web Server (IIS): Required to configure the network location server and default web probe
■ Windows internal database: Used for local accounting on the Remote Access server
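Installing the role and checking the feature dependencies just listed can be done with Windows PowerShell; the following is an added example rather than the book’s own code. It assumes an elevated session on the server and uses the standard feature names (RemoteAccess, DirectAccess-VPN, Routing, Web-Server, Windows-Internal-Database).

```powershell
# Added example (not from the book): install the Remote Access role with PowerShell
# and confirm its dependencies. Run from an elevated PowerShell session on the
# Windows Server 2022 machine or Azure VM that will host the role.

# The two components of the role named in the text
$roleFeatures = 'RemoteAccess', 'DirectAccess-VPN', 'Routing'

# The features the role depends on: IIS for the network location server and
# web probe, Windows Internal Database for local accounting
$dependencies = 'Web-Server', 'Windows-Internal-Database'

# -IncludeManagementTools also installs the Remote Access Management console
# and the Routing and Remote Access console
$result = Install-WindowsFeature -Name $roleFeatures -IncludeManagementTools
if (-not $result.Success) {
    throw "Remote Access role installation failed with exit code $($result.ExitCode)."
}

# Install-WindowsFeature pulls in required features automatically; verify that
# the role and each dependency now report Installed = True
$missing = Get-WindowsFeature -Name ($roleFeatures + $dependencies) |
    Where-Object { -not $_.Installed } |
    Select-Object -ExpandProperty Name
if ($missing) {
    Write-Warning "Not installed: $($missing -join ', ')"
} else {
    Write-Output 'Remote Access role and all of its dependencies are installed.'
}

if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server before configuring DirectAccess or VPN.'
}
```

Uninstalling follows the same pattern with Uninstall-WindowsFeature on the same feature names.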
If your organization is looking at implementing DirectAccess, I recommend that you visit Microsoft’s website at http://learn.microsoft.com/en-us/windows-server/remote/remote-access/ras/manage-remote-access.
Using the Azure Network Adapter
One advantage of using Azure is the ability for your end users or clients to access your cloud-based network from anywhere in the world. Basically, if you have Internet access and the proper permissions, you can access the Azure network.
Azure allows you to set up and use the Azure Network Adapter. The Azure Network Adapter lets you connect remotely to your virtual network. You can access your Azure network from any remote location, such as a remote office, hotel, or any location with Internet access.
You can also configure and use the Azure Network Adapter instead of a site-to-site VPN. This can be very useful when you need to connect only a few servers to the virtual network. Azure Network Adapter connections don’t require a VPN device or even a public-facing IP address.
If you want to allow access to a virtual network, setting up an Azure Network Adapter requires the following components:
■ An account connected to at least one active Azure subscription
■ A current virtual network
■ Internet access between your Azure virtual network and the servers that you want to connect
■ Current version of the Windows Admin Center that has the ability to connect to Azure
To configure an Azure Network Adapter, in the Windows Admin Center, choose Networks under Tools, and then follow these steps:
- Open the Windows Admin Center.
- Choose the VMs that you want to add to the Azure Network Adapter.
- Under Tools, select Networks.
- Select Add Azure Network Adapter.
- In the Add Azure Network Adapter pane, configure the options that you want to use and then click Create.
If your Azure setup doesn’t have an Azure Virtual Network Gateway, the Windows Admin Center will automatically create a gateway for you. The actual setup can take up to 25–30 minutes, so be sure to plan the deployment carefully. Give yourself enough time to ensure that everything is ready before you start trying to make connections. Once the connection is complete, you will be able to access the virtual machines directly.
Understanding Azure Extended Network
As a director of IT, trainer, and consultant for over 30 years, I can tell you that one of the hardest things for IT people to learn is the Internet Protocol (IP). Configuring and maintaining an IP network can be confusing to many IT people. But IP is not a hard topic to learn once someone shows you how easy it is to configure.
One part of IP that can be difficult is the practice of subnetting a network. To understand using an Azure Extended Network, you must first understand subnetting. Think of IP subnetting as a large open warehouse. The warehouse is wide open (no walls or doors inside the warehouse). This is an example of setting up an IP network where everyone is on the same IP network. There are no segmented offices or rooms. Everyone works in the same open warehouse together.
Say the company has decided that they want to separate the warehouse into conference rooms. Each conference room will be used only by the department (sales, marketing, etc.) that owns that room. So, you build your walls and segment the warehouse into multiple conference rooms. Each room is assigned to a specific group of people based on their department. Users have to work in their conference room only. They can access any other room, but they work in their department’s conference room. This is an example of subnetting a network.
When an IP network is not subnetted, every user on the network is part of the same IP network. If I decide that I need to subnet my network, I will install routers and turn the large network into a bunch of smaller networks. This is called subnetting.
As I stated earlier, building a subnetted network is not easy for most IT people. Now, let’s take it to the next level. Think about building a network and subnetting that network; now you need to add Azure as part of your IP network. This adds a whole new level of issues that you can run into. This is where Azure Extended Network comes into play. Azure Extended Network allows you to extend an onsite subnet to an Azure cloud network. That way, onsite virtual machines retain their original onsite private IP addresses when migrating to Azure.
Azure Extended Network lets you extend the onsite network to Azure by using a bidirectional VXLAN tunnel. You set up the VXLAN tunnel between two Windows Server 2022 VMs. The 2022 VMs act as virtual appliances, with one VM running onsite and the other VM running in Azure. Each VM also needs to be connected to the subnet that you want to extend. Every subnet that you are going to extend requires one pair of appliances. Multiple subnets can be extended using multiple VM pairs.
Extended networks are neither required nor recommended unless you are having a very specific issue migrating servers to Azure. Once you decide that your organization is migrating to Azure, you may run into a situation where an onsite server/VM needs to keep its original IP address. The Azure network may not use the same IP scheme that you had configured onsite.
Extended Network for Azure should only be configured and used for machines that cannot have their IP address changed when migrating to Azure. If possible, it is always better to change the IP address and connect it to the subnet that exists in Azure.
Azure Extended Networks allow you to configure up to 250 IP addresses. You can anticipate a combined throughput of about 700 Mbps. This throughput will also depend on the virtual machine components. One of the variables that can affect throughput is the CPU speed of the VMs that are being used as the Azure virtual appliances.
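As an added example (not from the book), the following PowerShell carries the warehouse analogy from the subnetting discussion into actual subnet arithmetic and then applies the question that decides between re-addressing a server and keeping its address with an extended network: does the onsite subnet overlap the address space planned for the Azure virtual network? The address ranges and department names are constructed for illustration, and the helper functions are written here for the example, not Azure or Windows cmdlets.

```powershell
# Added example, not from the book; all addresses below are constructed.
function ConvertTo-IpNumber ([string]$Ip) {
    # Dotted quad -> big-endian integer; uint64 keeps later arithmetic unsigned
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($bytes)
    return [uint64][System.BitConverter]::ToUInt32($bytes, 0)
}
function ConvertFrom-IpNumber ([uint64]$Value) {
    # Integer -> dotted quad
    $bytes = [System.BitConverter]::GetBytes([uint32]$Value)
    [array]::Reverse($bytes)
    return [System.Net.IPAddress]::new($bytes).ToString()
}
function Get-SubnetRange ([string]$Cidr) {
    # Network (first) and broadcast (last) address of a CIDR block as integers
    $ip, $prefix = $Cidr -split '/'
    [uint64]$size = [math]::Pow(2, 32 - [int]$prefix)
    [uint64]$start = ConvertTo-IpNumber $ip
    $start -= $start % $size
    return [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}
function Split-Subnet ([string]$Cidr, [int]$NewPrefix) {
    # Carve one block into equal smaller blocks, e.g. a /24 into four /26 "rooms"
    $parent = Get-SubnetRange $Cidr
    [uint64]$size = [math]::Pow(2, 32 - $NewPrefix)
    for ($s = $parent.Start; $s -le $parent.End; $s += $size) {
        '{0}/{1}' -f (ConvertFrom-IpNumber $s), $NewPrefix
    }
}
function Test-SubnetOverlap ([string]$CidrA, [string]$CidrB) {
    # True when the two blocks share at least one address
    $a = Get-SubnetRange $CidrA
    $b = Get-SubnetRange $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# The open warehouse: one flat /24 shared by the whole office, split into four rooms
$rooms = Split-Subnet -Cidr '10.10.1.0/24' -NewPrefix 26
$departments = 'Sales', 'Marketing', 'Engineering', 'Finance'
for ($i = 0; $i -lt $departments.Count; $i++) { '{0,-12} {1}' -f $departments[$i], $rooms[$i] }

# Address space planned for the Azure VNet. A room that overlaps it cannot keep its
# addresses once onsite and Azure are connected, so its servers are re-IP candidates;
# only a server that truly cannot change IP justifies an extended network.
$azureVnet = '10.10.1.128/25'
foreach ($room in $rooms) {
    $state = if (Test-SubnetOverlap $room $azureVnet) { 'overlaps' } else { 'is clear of' }
    "$room $state $azureVnet"
}
```

With these constructed values, the Sales and Marketing rooms are clear of the Azure range while Engineering and Finance overlap it.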