Microsoft Service Provider Reference Architecture Diagram

Microsoft Service Provider Reference Architecture Diagram

Connect an on premises network to Azure using VPNThis reference architecture shows how to extend an on premises network to Azure, using a site to site virtual private network VPN. Traffic flows between the on premises network and an Azure Virtual Network VNet through an IPSec VPN tunnel. Deploy this solution. Download a Visio file of this architecture. Architecture. The architecture consists of the following components. On premises network. Microsoft Service Provider Reference Architecture Diagram' title='Microsoft Service Provider Reference Architecture Diagram' />Microsoft Service Provider Reference Architecture DiagramA private local area network running within an organization. VPN appliance. A device or service that provides external connectivity to the on premises network. The VPN appliance may be a hardware device, or it can be a software solution such as the Routing and Remote Access Service RRAS in Windows Server 2. VCloud Director Installation and Upgrade Guide Overview of vCloud Director Installation, Configuration, and Upgrade vCloud Director Architecture. For a list of supported VPN appliances and information on configuring them to connect to an Azure VPN gateway, see the instructions for the selected device in the article About VPN devices for Site to Site VPN Gateway connections. Virtual network VNet. You appear to be using Microsoft Internet Explorer. The Service Trust Portal currently supports Microsoft Edge, Google Chrome, Apple Safari, and Mozilla Firefox. The cloud application and the components for the Azure VPN gateway reside in the same VNet. Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on premises network through a VPN appliance. For more information, see Connect an on premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on premises network to the VNet. Local network gateway. An abstraction of the on premises VPN appliance. Network traffic from the cloud application to the on premises network is routed through this gateway. Connection. The connection has properties that specify the connection type IPSec and the key shared with the on premises VPN appliance to encrypt traffic. Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the Recommendations section below. Cloud application. The application hosted in Azure. It might include multiple tiers, with multiple subnets connected through Azure load balancers. Cambridge Advanced Learner S Dictionary Latest Edition Free Download. For more information about the application infrastructure, see Running Windows VM workloads and Running Linux VM workloads. Internal load balancer. Network traffic from the VPN gateway is routed to the cloud application through an internal load balancer. The load balancer is located in the front end subnet of the application. Recommendations. The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them. VNet and gateway subnet. Create an Azure VNet with an address space large enough for all of your required resources. Ensure that the VNet address space has sufficient room for growth if additional VMs are likely to be needed in the future. The address space of the VNet must not overlap with the on premises network. For example, the diagram above uses the address space 1. VNet. Create a subnet named Gateway. Subnet, with an address range of 2. This subnet is required by the virtual network gateway. Allocating 3. 2 addresses to this subnet will help to prevent reaching gateway size limitations in the future. Also, avoid placing this subnet in the middle of the address space. A good practice is to set the address space for the gateway subnet at the upper end of the VNet address space. The example shown in the diagram uses 1. Here is a quick procedure to calculate the CIDR Set the variable bits in the address space of the VNet to 1, up to the bits being used by the gateway subnet, then set the remaining bits to 0. Convert the resulting bits to decimal and express it as an address space with the prefix length set to the size of the gateway subnet. For example, for a VNet with an IP address range of 1. Converting that to decimal and expressing it as an address space yields 1. Warning. Do not deploy any VMs to the gateway subnet. Also, do not assign an NSG to this subnet, as it will cause the gateway to stop functioning. Virtual network gateway. Allocate a public IP address for the virtual network gateway. Create the virtual network gateway in the gateway subnet and assign it the newly allocated public IP address. Use the gateway type that most closely matches your requirements and that is enabled by your VPN appliance Create a policy based gateway if you need to closely control how requests are routed based on policy criteria such as address prefixes. Policy based gateways use static routing, and only work with site to site connections. Create a route based gateway if you connect to the on premises network using RRAS, support multi site or cross region connections, or implement VNet to VNet connections including routes that traverse multiple VNets. Route based gateways use dynamic routing to direct traffic between networks. They can tolerate failures in the network path better than static routes because they can try alternative routes. Route based gateways can also reduce the management overhead because routes might not need to be updated manually when network addresses change. For a list of supported VPN appliances, see About VPN devices for Site to Site VPN Gateway connections. Note. After the gateway has been created, you cannot change between gateway types without deleting and re creating the gateway. Select the Azure VPN gateway SKU that most closely matches your throughput requirements. Azure VPN gateway is available in three SKUs shown in the following table. SKUVPN Throughput. Max IPSec Tunnels. Basic. 10. 0 Mbps. Standard. 10. 0 Mbps. High Performance. Mbps. 30. Note. The Basic SKU is not compatible with Azure Express. Route. You can change the SKU after the gateway has been created. You are charged based on the amount of time that the gateway is provisioned and available. See VPN Gateway Pricing. Create routing rules for the gateway subnet that direct incoming application traffic from the gateway to the internal load balancer, rather than allowing requests to pass directly to the application VMs. On premises network connection. Create a local network gateway. Specify the public IP address of the on premises VPN appliance, and the address space of the on premises network. Note that the on premises VPN appliance must have a public IP address that can be accessed by the local network gateway in Azure VPN Gateway. The VPN device cannot be located behind a network address translation NAT device. Create a site to site connection for the virtual network gateway and the local network gateway. Select the site to site IPSec connection type, and specify the shared key. Site to site encryption with the Azure VPN gateway is based on the IPSec protocol, using preshared keys for authentication. You specify the key when you create the Azure VPN gateway. You must configure the VPN appliance running on premises with the same key. Other authentication mechanisms are not currently supported. Ensure that the on premises routing infrastructure is configured to forward requests intended for addresses in the Azure VNet to the VPN device. Open any ports required by the cloud application in the on premises network. Test the connection to verify that The on premises VPN appliance correctly routes traffic to the cloud application through the Azure VPN gateway. The VNet correctly routes traffic back to the on premises network. Prohibited traffic in both directions is blocked correctly.

Microsoft Service Provider Reference Architecture Diagram
© 2017