Virtual Networking in Azure
By Morgan Lucas
This is a post intended for this site, as a way to get a feel of using it consistently. Older posts are here.
Instructions?
Here - don’t be dismayed.
I'll be peering virtual networks so virtual machines can talk to each other using PowerShell - which is a bit more involved.
The Outline of Events
Configure a network security group + security rules using PowerShell.
The application server should connect to the database server over HTTP.
BUT the database server shouldn't use HTTP to connect to the application server.
The commands
This didn't work at first - You have to use Bash
az group create --name $rg --location <location>rg=Paolin
At line:1 char:39
+ az group create --name $rg --location <location>rg=Paolin
+ ~
The '<' operator is reserved for future use.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RedirectionNotSupported
With Bash:
{
  "id": "/subscriptions/a78373f1-5023-41fe-ae36-d0742026d72f/resourceGroups/32",
  "location": "eastus",
  "managedBy": null,
  "name": "32",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": "Microsoft.Resources/resourceGroups"
}
I made a new subnet, named it Apps (remember that), and tied it to a group that I created.
m@Azure:~$ az network vnet create \
> --resource-group $rg \
> --name ERP-Servers \
> --address-prefix 10.0.0.0/16 \
> --subnet-name Apps \
> --subnet-prefix 10.0.0.0/24
There's a lot of information returned:
DDoS protection is not enabled (This resource will have been shut off by the time this posts)
Provisioning state has succeeded.
No BGP communities
Private Endpoint Network Policies are Enabled
And I repeat it for a subnet named Databases;
az network vnet subnet create \
--resource-group $rg \
--vnet-name ERP-servers \
--address-prefix 10.0.1.0/24 \
--name Databases
The commands look similar, but they are not - one has subnet create, the other only create. They are both in Resource Group 32, but have different address prefix allotments.
And now the Network Security Group is created;
az network nsg create \
--resource-group $rg \
--name ERP-SERVERS-NSG
It's given a type of "Microsoft.Network/networkSecurityGroups" in Resource Group 32.
Now we create some Ubuntu Virtual Machines; Pulling the appropriate code from Microsoft's GitHub repository.
wget -N https://raw.githubusercontent.com/MicrosoftDocs/mslearn-secure-and-isolate-with-nsg-and-service-endpoints/master/cloud-init.yml && \
az vm create \
--resource-group $rg \
--name AppServer \
--vnet-name ERP-servers \
--subnet Applications \
--nsg ERP-SERVERS-NSG \
--image UbuntuLTS \
--size Standard_B1ls \
--admin-username azureuser \
--custom-data cloud-init.yml \
--no-wait \
--admin-password (Entered, but not shown here)
Slightly Off the Beaten Path
So, I'm not a person who likes to follow the directions to the letter when learning. What do you learn if you just copy and paste commands?
Can you see the error above?
Yes, my Applications subnet is called Apps. The code spells it out Applications. So I end up deleting and remaking the resource groups while following the instructions. At least it's a learning experience!
So now we have Databases, Applications, and a Network Security Group in Resource Group 32, and here's how the VMs are running;
The public IP address for AppServer was 52.1.X.X
The public IP address for DataServer was 52.1.X.X
The VMs are in the same Virtual Network!
The next command has me putting those Public IPs to variables - In a Bash Shell! Could we always do this? Technology is amazing.
The connection times out initially because of an implicit deny all to outside traffic, and I fix that with a command that:
Allows SSH access
For servers in the group
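The timeout and its fix come down to how a network security group evaluates inbound rules: lowest priority number first, and the first match wins. The Python model below is an added example, not code from this post or from the Microsoft tutorial, and it goes slightly beyond the SSH rule to cover the HTTP requirement from the outline. The rule names, priorities, the simplified default rules, and the 10.0.0.4, 10.0.1.4 and 203.0.113.10 addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    source: str        # CIDR, or "*" for any
    destination: str   # CIDR, or "*" for any
    port: object       # int, or "*" for any
    access: str        # "Allow" or "Deny"

# Two of Azure's built-in inbound rules. The VirtualNetwork tag is simplified
# here to the vnet prefix used in the post (10.0.0.0/16).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "10.0.0.0/16", "10.0.0.0/16", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Hypothetical custom rules matching the outline (names and priorities assumed).
CUSTOM_INBOUND = [
    Rule("AllowSSH", 100, "*", "*", 22, "Allow"),
    Rule("DenyHttpDbToApp", 150, "10.0.1.0/24", "10.0.0.0/24", 80, "Deny"),
]

def _match(pattern, address):
    """True if the address falls inside the CIDR pattern, or the pattern is '*'."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern)

def evaluate(rules, src, dst, port):
    """Return (access, rule name) for the first rule that matches the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _match(r.source, src) and _match(r.destination, dst) and r.port in ("*", port):
            return r.access, r.name
    return "Deny", "no-match"

APP, DB, INTERNET = "10.0.0.4", "10.0.1.4", "203.0.113.10"  # constructed addresses

if __name__ == "__main__":
    for label, rules in (("defaults only", DEFAULT_INBOUND),
                         ("with custom rules", DEFAULT_INBOUND + CUSTOM_INBOUND)):
        print(label)
        for desc, flow in (("SSH internet->app", (INTERNET, APP, 22)),
                           ("HTTP app->db", (APP, DB, 80)),
                           ("HTTP db->app", (DB, APP, 80))):
            print(f"  {desc}: {evaluate(rules, *flow)}")
```

With only the defaults, SSH from outside is denied and HTTP from the database subnet to the application subnet is allowed, which is why both an allow rule and an explicit deny rule are needed.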
Can we connect now?
There was a 'connection timed out during banner exchange' message, although I check the GUI and see my rules are in place.
Off The Beaten Path Again
I had to deviate from the instructions; return later. Go to your VM inside your resource group and click 'Connect' on the top ribbon. Copy the 'Login using VM local account' information and paste it into the Bash terminal.
IP and Local Account IP Hidden
Run it twice; The second time should ask for the password to the VM.
As stated above, Azure was having issues all day, and they come up again here, including a lot of timeouts and not recognizing its own commands.
I did get two VMs into the same Virtual Network!