# 1.8 Manage and control traffic flow in your Azure deployment with routes

# 1.8.1 Introduction

# 1.8.2 Identify routing capabilities of an Azure virtual network

  • All subnets in a virtual network can communicate with the Internet and each other by default; Azure automatically adds these (system) routes for you: the virtual network's own address space → VnetLocal, 0.0.0.0/0 → Internet, and the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus 100.64.0.0/10 → None (dropped). System routes cannot be deleted, only overridden by a user-defined route for the same or a more specific prefix.
  • Additional system routes can be enabled by using other services:
    • Virtual network peering
    • Service chaining
    • Virtual network gateway
    • Virtual network service endpoint

# Virtual network peering and service chaining

Virtual network peering connects two virtual networks over the Azure backbone; Azure adds the system routes for the peered address space when you set up the peering. Service chaining builds on that: you write user-defined routes that send a spoke v-net's traffic to an NVA or a virtual network gateway sitting in a peered hub v-net, which is how a hub-and-spoke network gets its central firewall or gateway. For the hub to forward on the spoke's behalf, the peering must allow forwarded traffic (and gateway transit / use remote gateways if the next hop is the hub's gateway), otherwise the forwarded packets are dropped at the peering.

# Virtual network service endpoint

Azure services, like Azure Storage or Azure SQL Database, can be accessed directly from a v-net by enabling the service endpoint for that service type on a subnet. Azure then adds a system route for the service's public prefixes with next hop type VirtualNetworkServiceEndpoint, so the traffic stays on the Azure backbone instead of following the 0.0.0.0/0 Internet route, and the service sees the VM's private address as the source (which is what lets you lock a storage account's firewall down to that subnet). The route only appears on subnets where the endpoint is enabled.

# 1.8.3 Exercise - Create custom routes

# Create a route table and custom route

```bash
az network route-table create \
    --name publictable \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --disable-bgp-route-propagation false
```

```bash
az network route-table route create \
    --route-table-name publictable \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --name productionsubnet \
    --address-prefix 10.0.1.0/24 \
    --next-hop-type VirtualAppliance \
    --next-hop-ip-address 10.0.2.4
```

Question: Why is the address prefix not 10.0.2.0/24?

Because `--address-prefix` is the destination being matched, not where the NVA lives. The route reads: traffic leaving the subnet this table is attached to and destined for the private subnet (10.0.1.0/24) must be handed to the next hop 10.0.2.4, which is the NVA in dmzsubnet (10.0.2.0/24). A route for 10.0.2.0/24 would instead force traffic to the DMZ itself through the NVA. Also note that 10.0.2.4 is the first address Azure hands out in that subnet (it reserves .0, .1, .2, .3 and .255 in every subnet), so the exercise is relying on the NVA being the first VM created there; in a real deployment pin the NVA's NIC to a static private IP instead of assuming this.

# Create a virtual network and subnets

Create public, private, and DMZ subnets:

```bash
az network vnet create \
    --name vnet \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --address-prefix 10.0.0.0/16 \
    --subnet-name publicsubnet \
    --subnet-prefix 10.0.0.0/24
```

```bash
az network vnet subnet create \
    --name privatesubnet \
    --vnet-name vnet \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --address-prefix 10.0.1.0/24
```

```bash
az network vnet subnet create \
    --name dmzsubnet \
    --vnet-name vnet \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --address-prefix 10.0.2.0/24
```

List the subnets:

```bash
az network vnet subnet list \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --vnet-name vnet \
    --output table
```

# Associate the route table with the public subnet

```bash
az network vnet subnet update \
    --name publicsubnet \
    --vnet-name vnet \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --route-table publictable
```
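To make the selection rules behind the system routes (1.8.2) and this custom route concrete, here is an added Python simulation of how Azure picks the effective route for a packet leaving a subnet: longest prefix match first, and for equal prefix lengths a user-defined route beats a BGP route beats a system route. It is not part of the Learn module and not the az CLI; the route lists are constructed to mirror this lab (the default system routes of a 10.0.0.0/16 v-net and the productionsubnet UDR in publictable, with the NVA at 10.0.2.4). The `PRIVATETABLE` route and the helper names are my assumptions, added to show the asymmetric-path problem: with the UDR only on publicsubnet, public → private traffic goes through the NVA but private → public replies take the system VnetLocal route straight back.

```python
"""Added example: simulate Azure's effective-route selection for the lab VNet.

Rule: longest prefix match; for equal prefix lengths, a user-defined route
(source "User") beats a BGP route (source "VirtualNetworkGateway") beats a
system route (source "Default").  Source names follow what
`az network nic show-effective-route-table` reports.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Precedence among routes with the same prefix length (higher wins).
SOURCE_PRIORITY = {"User": 3, "VirtualNetworkGateway": 2, "Default": 1}


@dataclass(frozen=True)
class Route:
    prefix: str                  # destination prefix, e.g. "10.0.1.0/24"
    next_hop_type: str           # VnetLocal, Internet, None, VirtualAppliance, ...
    next_hop_ip: Optional[str]   # only set for VirtualAppliance
    source: str                  # "Default", "User" or "VirtualNetworkGateway"


# Constructed: the default system routes Azure adds to every subnet of a
# 10.0.0.0/16 virtual network (RFC 1918 and CGNAT space is dropped by default).
SYSTEM_ROUTES: List[Route] = [
    Route("10.0.0.0/16", "VnetLocal", None, "Default"),
    Route("0.0.0.0/0", "Internet", None, "Default"),
    Route("10.0.0.0/8", "None", None, "Default"),
    Route("172.16.0.0/12", "None", None, "Default"),
    Route("192.168.0.0/16", "None", None, "Default"),
    Route("100.64.0.0/10", "None", None, "Default"),
]

# The exercise's UDR: publicsubnet sends traffic for the private subnet to the
# NVA at 10.0.2.4 in dmzsubnet.
PUBLICTABLE: List[Route] = [Route("10.0.1.0/24", "VirtualAppliance", "10.0.2.4", "User")]

# Assumed (not in the exercise): the mirror-image UDR the private subnet needs
# so that replies to publicsubnet also pass through the NVA.
PRIVATETABLE: List[Route] = [Route("10.0.0.0/24", "VirtualAppliance", "10.0.2.4", "User")]


def select_route(dest: str, routes: List[Route]) -> Optional[Route]:
    """Return the effective route for dest, or None if nothing matches."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix wins; ties go to the higher-priority source.
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, SOURCE_PRIORITY[r.source]),
    )


def next_hop(dest: str, routes: List[Route]) -> Optional[Tuple[str, Optional[str]]]:
    """(next_hop_type, next_hop_ip) for dest, e.g. ("VirtualAppliance", "10.0.2.4")."""
    r = select_route(dest, routes)
    return None if r is None else (r.next_hop_type, r.next_hop_ip)


def inspected_both_ways(a_ip: str, a_routes: List[Route],
                        b_ip: str, b_routes: List[Route], nva_ip: str) -> bool:
    """True only if A->B and B->A both hop through the NVA.

    A one-sided UDR gives an asymmetric path: the NVA sees the request but the
    reply bypasses it, which breaks stateful firewalling on the appliance.
    """
    via_nva = ("VirtualAppliance", nva_ip)
    return next_hop(b_ip, a_routes) == via_nva and next_hop(a_ip, b_routes) == via_nva


if __name__ == "__main__":
    public = SYSTEM_ROUTES + PUBLICTABLE      # effective routes of publicsubnet
    private = SYSTEM_ROUTES                   # privatesubnet has no route table
    for dest in ("10.0.1.5", "10.0.2.4", "8.8.8.8", "10.5.0.1"):
        print(f"publicsubnet -> {dest:10} {next_hop(dest, public)}")
    print("private -> public:", next_hop("10.0.0.5", private))
    print("symmetric as in the lab:",
          inspected_both_ways("10.0.0.5", public, "10.0.1.5", private, "10.0.2.4"))
    print("symmetric with PRIVATETABLE:",
          inspected_both_ways("10.0.0.5", public, "10.0.1.5", SYSTEM_ROUTES + PRIVATETABLE, "10.0.2.4"))
```

Run against a real NIC, the equivalent check is `az network nic show-effective-route-table --resource-group <rg> --name <nic> --output table`, which lists exactly these prefixes with their source and state. Two things the simulation makes visible that the exercise does not: traffic from publicsubnet to the NVA itself (10.0.2.4) still follows the /16 VnetLocal system route, so the UDR cannot loop; and until privatesubnet gets its own route table, only one direction is inspected.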

# 1.8.4 What is an NVA?

Yeah, so it's just a gateway PC with a more complicated name: a VM that sits in its own subnet and does network functions (firewall, routing, NAT, WAN optimization, IDS/IPS), usually a vendor image from the Marketplace, here a plain Ubuntu box. Like in the old days when we just set up a Linux box, enabled a firewall, IP forwarding, NAT, port forwarding, etc. Two things have to be true before it forwards anything: the Azure NIC needs IP forwarding enabled (otherwise the fabric drops packets whose destination is not the NIC's own address, regardless of what the guest does), and the guest OS needs forwarding turned on as well.

# 1.8.5 Exercise - Create an NVA and virtual machines

# Deploy the network virtual appliance

```bash
az vm create \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --name nva \
    --vnet-name vnet \
    --subnet dmzsubnet \
    --image UbuntuLTS \
    --admin-username azureuser \
    --admin-password azurepass12!
```

The module uses a password login for brevity. Outside a throwaway lab use `--generate-ssh-keys` (or `--ssh-key-values`) instead, and keep the NVA's management interface off the public Internet: whoever controls this box controls every packet you route through it.

Get the IP of the VM:

```bash
NVAIP="$(az vm list-ip-addresses \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --name nva \
    --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
    --output tsv)"

echo $NVAIP
```

# Enable IP forwarding for the network interface

```bash
NICID=$(az vm nic list \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --vm-name nva \
    --query "[].{id:id}" --output tsv)

echo $NICID
```

```bash
NICNAME=$(az vm nic show \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --vm-name nva \
    --nic $NICID \
    --query "{name:name}" --output tsv)

echo $NICNAME
```

```bash
az network nic update --name $NICNAME \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --ip-forwarding true
```

# Enable IP forwarding on the Linux box

Same lookup as above, repeated in case the shell variable was lost:

```bash
NVAIP="$(az vm list-ip-addresses \
    --resource-group learn-1c6c08a8-514f-4720-adf8-d57d37aa2312 \
    --name nva \
    --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
    --output tsv)"

echo $NVAIP
```

```bash
ssh -t -o StrictHostKeyChecking=no azureuser@$NVAIP 'sudo sysctl -w net.ipv4.ip_forward=1; exit;'
```

Two caveats: `StrictHostKeyChecking=no` skips host-key verification, which is acceptable for a VM you created seconds ago but not for a box you keep, so drop the option once the key is in `known_hosts`. And `sysctl -w` is runtime only; the setting is gone after a reboot unless you also persist it in a drop-in file under `/etc/sysctl.d`, at which point the NIC still forwards in Azure but the guest silently drops everything.

# 1.8.6 Exercise - Route traffic through the NVA

# 1.8.7 Summary

Last Updated: 3/7/2022, 9:55:04 PM