Information Dynamics

Monthly Archives: May 2020

Azure Network Peering

31 Sunday May 2020

Posted by GIRISH SRINIVASA in Azure, Azure AD DS

≈ 3 Comments

Tags

Azure ADDS, Azure VM, Virtual Network Peering

In the earlier article we set up an Azure AD DS managed domain; the deployed configuration placed the managed domain in its own virtual network and subnet, as shown below:

aadsDeploymentTopology

Azure Virtual Network Peering allows seamless connectivity between different Azure Virtual Networks (VNets). A typical use case for virtual network peering is the following:

“There is an existing Azure VNet containing subnets and virtual machines, and a new Azure AD DS managed domain is provisioned in a separate virtual network. The virtual machines need to be members of the Azure AD DS managed domain, and this can be done through Azure Virtual Network peering.”

We will consider the following deployment example:

Peering1

The following articles detail how to set up the above lab:

  • Setting up AzureVNet
  • Creating AzureVM
  • Deploying Azure AD DS domain

Choose the default virtual network created by the Azure AD DS instance and select Peerings:

Peering2

Peering3

Select “+Add”

Peering4

A two-way peering link needs to be created between the two virtual networks; this is highlighted in the information section under “Add peering”:

Peering5

Peering6

The status of the two peering links can be viewed under Notifications:

Peering7

Once successful, a Peering Status of Connected is shown on each virtual network:

Peering8

Peering9

With the above, what we have accomplished so far is to allow the following virtual networks to communicate:

Peering10

iDynamics-VNet has no information about the managed domain’s DNS servers, so this needs to be configured manually. The IP addresses of the Azure AD DS domain controllers can be obtained from the aadds-vnet virtual network:

Peering11

Enter the IP addresses highlighted above as the custom DNS servers for iDynamics-VNet:

Peering12

Connectivity to the various virtual machines within iDynamics-VNet will be controlled through a management jump box:

Peering13

Establish an RDP connection to AZ-MGMT01:

Peering14

Peering15

Once connected to AZ-MGMT01, you should be able to ping the Azure AD DS managed domain “idynamics.com.au”. The public IP address in the screenshot below is different because the virtual machine was in the Stopped (deallocated) state, so a new public IP address was assigned when the virtual machine was started again.

Peering18
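The portal steps above, scripted with Az PowerShell as an added example (this is not the post’s own code): it creates both peering links, waits for both to report Connected, and then sets the custom DNS servers on iDynamics-VNet. The resource group names, peering names and the two domain controller addresses are placeholders, since the post shows them only in screenshots.

```powershell
# Added example, not from the original post. Requires the Az module and an
# authenticated session (Connect-AzAccount). Values marked placeholder are assumed.
$appRg   = 'rg-idynamics'   # placeholder: resource group holding iDynamics-VNet
$aaddsRg = 'rg-aadds'       # placeholder: resource group holding aadds-vnet

$appVnet   = Get-AzVirtualNetwork -Name 'iDynamics-VNet' -ResourceGroupName $appRg
$aaddsVnet = Get-AzVirtualNetwork -Name 'aadds-vnet'     -ResourceGroupName $aaddsRg

# Peering is not symmetric: a link must be created from each side, exactly as the
# "Add peering" blade notes. Azure rejects the request if the address spaces overlap.
Add-AzVirtualNetworkPeering -Name 'iDynamics-to-aadds' -VirtualNetwork $appVnet `
    -RemoteVirtualNetworkId $aaddsVnet.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'aadds-to-iDynamics' -VirtualNetwork $aaddsVnet `
    -RemoteVirtualNetworkId $appVnet.Id | Out-Null

# Wait until both links report Connected (what the portal shows under Notifications).
do {
    Start-Sleep -Seconds 5
    $states = @(
        (Get-AzVirtualNetworkPeering -ResourceGroupName $appRg `
            -VirtualNetworkName 'iDynamics-VNet' -Name 'iDynamics-to-aadds').PeeringState,
        (Get-AzVirtualNetworkPeering -ResourceGroupName $aaddsRg `
            -VirtualNetworkName 'aadds-vnet' -Name 'aadds-to-iDynamics').PeeringState
    )
    Write-Host "Peering states: $($states -join ', ')"
} while (@($states | Where-Object { $_ -ne 'Connected' }).Count -gt 0)

# Point iDynamics-VNet at the managed domain controllers. The two addresses are the
# ones shown on the aadds-vnet blade (Peering11 above); the values here are placeholders.
$dcIps = @('10.1.0.4', '10.1.0.5')   # placeholder: replace with the real DC addresses
$appVnet = Get-AzVirtualNetwork -Name 'iDynamics-VNet' -ResourceGroupName $appRg  # refresh
if (-not $appVnet.DhcpOptions) {
    $appVnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$appVnet.DhcpOptions.DnsServers = $dcIps
Set-AzVirtualNetwork -VirtualNetwork $appVnet | Out-Null
```

VMs already running in iDynamics-VNet pick up the new DNS servers only after a restart or an `ipconfig /renew`, so do that on AZ-MGMT01 before testing resolution of idynamics.com.au.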

Deploying Azure AD DS

29 Friday May 2020

Posted by GIRISH SRINIVASA in Azure, Azure AD, Azure AD DS

≈ 2 Comments

Tags

Azure AD DS, Deploying Azure AD DS

In the previous article we looked at a comparison of the Active Directory offerings on-premises and in the cloud. This article walks through the deployment of Azure AD DS.

  • Log on to the Azure Portal and select “Azure AD Domain Services”

AzureADDS1

  • Choose “Create Azure AD Domain Services”

AzureADDS3

  • Choose an existing Resource Group or create a new one if required.
  • Enter a DNS domain name, keeping in mind the following conditions:
    • If the default built-in domain name of the directory, with the suffix “.onmicrosoft.com”, is used, a digital certificate cannot be created to secure connections to this default domain.
    • Non-routable domain suffixes such as “*.local” are not to be used.
    • The domain prefix cannot be longer than 15 characters.
    • The DNS domain name for the managed domain shouldn’t already exist in the virtual network, or in the on-premises network if the managed domain has a VPN connection to the on-premises network.

AzureADDS4

The default Forest type is set to “User”. This type of forest synchronizes all objects from Azure AD, including the user accounts created in an on-premises AD DS environment. A Resource forest synchronizes only users and groups created directly in Azure AD.

  • The next step of the wizard automatically creates a VNet and an associated subnet

AzureADDS5

AzureADDS6

AzureADDS7

The highlighted text about synchronization above is important. In the context of moving user accounts from on-premises AD DS to Azure AD DS, the synchronization path was shown here:

AzureADDS8

AzureADDS9

  • Once deployment is complete, the topology can be viewed by going to adds-vnet > Diagram

AzureADDS10

The following topology diagram is generated; the highlighted sections indicate the Virtual Network, Subnet and Network Security Group (NSG).

AzureADDS11

  • The Overview tab of the provisioned managed domain indicates a Required Configuration step to update DNS settings

AzureADDS12

Prior to configuration, the DNS server settings for adds-vnet are:

AzureADDS13

After configuration:

AzureADDS14

AzureADDS15

The above steps complete the deployment of Azure AD DS. In the next article we will join the Azure VMs created here to this managed domain and in the process learn about Azure Virtual Network peering.

Comparing Windows AD DS, Azure AD and Azure AD DS

29 Friday May 2020

Posted by GIRISH SRINIVASA in Azure, Azure AD, Azure AD DS, Uncategorized

≈ 2 Comments

Tags

Azure AD, Azure AD DS

Windows AD DS:

Provides authentication and authorization to on-premises applications and resources. Access to various resources can be streamlined through Group Policy; some examples of implementing GPOs for user rights assignment are detailed in the article here.

Authentication Protocol: Kerberos and NTLM

AD Database access: Through LDAP query

Creation of Domain Trusts: Allowed

On-premises Windows Server AD offers 5 core services:

  • Active Directory Domain Services (ADDS)
  • Active Directory Certificate Services (ADCS)
  • Active Directory Rights Management Services (ADRMS)
  • Active Directory Lightweight Directory Services (ADLDS)
  • Active Directory Federation Services (ADFS)

Windows AD DS provides hierarchical data storage for the various objects in the network: users, computers, groups, printers, etc. The objects are placed within Organizational Units (OUs). For example, the following screenshot demonstrates one way of organizing on-premises AD DS:

capture1

Azure Active Directory (Azure AD):

Azure AD allows creating users and groups but provides a flat structure without Organizational Units (OUs) or Group Policy Objects (GPOs).

  • Azure AD does have a domain name
  • Provides no trusts between domains
  • Supports web-based authentication: OAuth 2.0, SAML 2.0 and OpenID Connect
  • Uses HTTP/HTTPS to provide identity services
  • Querying Azure AD is done through a REST API endpoint called the AD Graph API

Azure Active Directory Domain Services (Azure AD DS):

A cloud-based PaaS offering that provides managed domain services, group policy and Kerberos/NTLM authentication compatible with on-premises Windows AD DS. Additional characteristics of Azure AD DS:

  • Integration with Azure AD
  • Cannot extend the schema
  • No Domain / Forest trust
  • Read-Only LDAP

The following screenshots show how identity information is synchronized in the cloud-only and hybrid models.

Cloud-Only:

capture2

Hybrid Model:

capture3

Creating Azure VM

23 Saturday May 2020

Posted by GIRISH SRINIVASA in Azure

≈ 3 Comments

Tags

Azure VM, RDP

In the previous article we explored setting up an Azure Virtual Network (VNet) and subnets within a VNet. This article briefly runs through the steps involved in creating Azure Virtual Machines within the various subnets.

VM1

The steps below are for creating the AZ-FE01 Azure VM and will be similar for the other VMs that need to be provisioned. From the Azure Portal click on Create a resource under Azure Services:

VM2

VM3

VM3.1

VM4

VM5

Click on Review + Create and the Azure VM will be provisioned.

Every Azure VM provisioned will have a Public IP Address and a Private IP Address.

The private IP address is used for communication with other Azure resources within a subnet, and across subnets within the boundary of the Azure VNet.

The public IP address is used to facilitate access to the virtual machine from the internet. For RDP connections to the VM the default port is 3389. For the purposes of the lab setup we will allow RDP connections to the management jump box (AZ-MGMT01) only. This follows a pattern similar to an on-premises setup.

Once the deployment is complete, the properties of AZ-FE01 can be viewed and modified as required.

VM6

Azure Virtual Network (Azure VNet)

16 Saturday May 2020

Posted by GIRISH SRINIVASA in Azure

≈ 1 Comment

Tags

ResourceGroups, SubNets, VirtualNetwork (VNET)

Azure VNet is a representation of a network in the cloud: a logical isolation of the Azure cloud dedicated to a subscription, with the ability to fully control IP address blocks, DNS settings, security policies and route tables.

A VNet can be further segmented into subnets; each subnet holds a logical collection of virtual machines. VNets are completely isolated from one another, which provides the ability to create disjoint networks for development, testing and production that use the same CIDR (Classless Inter-Domain Routing) address blocks. To connect a VNet to an on-premises data centre, a site-to-site VPN connection or an ExpressRoute connection can be used.

It is important to plan the VNet before creating virtual machines and installing software, because an existing virtual machine CANNOT be added to a newly created virtual network.

This article goes through the steps involved in creating a VNet with subnets and Azure VMs attached to the different subnets. The topology for the sample lab setup is as below:

Capture

The artifacts in the above diagram include:

VNet: iDynamics-VNet

SubNet(s):

  • FrontEnd-SubNet containing Azure VM resource AZ-FE01
  • BackEnd-SubNet containing Azure VM resource AZ-BE01
  • Management-SubNet containing Azure VM resource AZ-MGMT01

All Azure VMs can be configured to be accessed through RDP by allowing traffic on port 3389. Best practice is to have a Management subnet with a VM allocated, so that external users log in to that virtual machine and proceed from there.

There are two addresses associated with each VM, viz. a public IP address and a private IP address. All the VMs in a subnet that need to be accessed from the internet need a public IP address. For internal communication between resources in a virtual network, a private IP address is needed.

For setting up the lab the following IP Addressing scheme will be used:

Capture1

Creating Azure Virtual Network (VNet):

Log on to the Azure Portal and search for Virtual Networks:

Untitled1

Choose Add

Untitled2

Enter the Resource Group and Name

Untitled3

Untitled4

Allocate the IP Address

Untitled5

After allocating the address space 10.0.0.0/16, proceed to add the subnets as per the table.

Untitled6

Untitled7

Untitled8

Click on Review + Create once all the SubNets are created.

Untitled9

Once successfully deployed:

Untitled10
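The VNet creation above, scripted with Az PowerShell as an added example (not the post’s own code), with the RDP rule the post recommends made explicit: port 3389 from the internet is allowed only into Management-SubNet, and the FrontEnd and BackEnd subnets accept RDP only from that subnet. The subnet prefixes, resource group and region are assumptions, since the post’s address table is an image.

```powershell
# Added example, not from the original post. Requires the Az module and an
# authenticated session (Connect-AzAccount). Prefixes and names below are assumed.
$rg         = 'rg-idynamics'    # placeholder
$location   = 'australiaeast'   # placeholder
$mgmtPrefix = '10.0.3.0/24'     # assumed: Management-SubNet, where AZ-MGMT01 lives

# NSG for the management subnet: RDP from the internet is permitted here and nowhere else.
$allowRdpFromInternet = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Internet' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix $mgmtPrefix -DestinationPortRange 3389
$mgmtNsg = New-AzNetworkSecurityGroup -Name 'nsg-management' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowRdpFromInternet

# NSG for the workload subnets: RDP only from the jump box subnet, plus an explicit deny
# for internet-sourced RDP so a public IP accidentally attached to AZ-FE01 changes nothing.
$allowRdpFromMgmt = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Management' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $mgmtPrefix -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389
$denyRdpFromInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Internet' `
    -Direction Inbound -Access Deny -Protocol Tcp -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389
$workloadNsg = New-AzNetworkSecurityGroup -Name 'nsg-workload' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowRdpFromMgmt, $denyRdpFromInternet

# Subnets as in the post's diagram, each bound to its NSG (prefixes assumed).
$fe   = New-AzVirtualNetworkSubnetConfig -Name 'FrontEnd-SubNet' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $workloadNsg
$be   = New-AzVirtualNetworkSubnetConfig -Name 'BackEnd-SubNet' `
    -AddressPrefix '10.0.2.0/24' -NetworkSecurityGroup $workloadNsg
$mgmt = New-AzVirtualNetworkSubnetConfig -Name 'Management-SubNet' `
    -AddressPrefix $mgmtPrefix -NetworkSecurityGroup $mgmtNsg

# The VNet itself, with the 10.0.0.0/16 address space used in the post.
$vnet = New-AzVirtualNetwork -Name 'iDynamics-VNet' -ResourceGroupName $rg `
    -Location $location -AddressPrefix '10.0.0.0/16' -Subnet $fe, $be, $mgmt
$vnet.Subnets | Select-Object Name, AddressPrefix
```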

In the next article we will look at creating Azure resources within the various subnets.