Azure Site to Site VPN Connectivity - azure

We are going to work on Azure BizTalk Service + Service Bus Integration for one of our customers. I am exploring those two concepts, but in the meantime I have also noticed there is a concept of a "Site-to-Site" VPN connection to establish cloud to on-premises network connectivity.
Can you please let me know in which scenario we need to choose a Site-to-Site VPN connection?
Thanks,
Vinoth

You would establish a site-to-site VPN when you want to connect your Azure subscription to your on-premises data center. It could be that your BizTalk or even Service Bus infrastructure is hosted on-premises and you need to connect to it to provide functionality to your cloud service.
We would also use an S2S VPN connection when hosting virtual machines in Azure and want to connect them to networks on-premises. This would let users access these services over our own private network.

Related

Create a simple VPN in Azure

TLDR;
I got Azure credits, how do I make a simple VPN?
I recently got some Azure credits through a hackathon. How do I create a simple VPN on Azure? It need not be too feature rich, I just wanna use it to access blocked or region-specific websites.
I saw on the Azure portal that there is a virtual machine and a virtual network. I don't exactly need a VM, I just want to redirect all network traffic through the virtual network.
How do I do this in Azure? Has anyone done anything similar in Azure?
Free VPNs are slow and have bugs, and paid VPNs are expensive, and I would like to use my Azure credits to create my own VPN.
It sounds like you want to use Azure VPN similar to a consumer VPN like ExpressVPN or NordVPN which protects your client while you surf the Internet. Azure VPN is not designed to be used to surf the Internet. Azure VPN is a service that allows you to create a secure Site-to-Site or Point-to-Site VPN into an Azure Vnet. This allows you to communicate securely with resources in Azure without exposing them with a Public IP.
A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

What are some Architecture design consideration while choosing Azure HCM over Azure VPN S2S connection for application hosted on Azure App Service?

I am trying to deploy a hybrid application on Azure. My application will be hosted on Azure App Service and the database will be in the company's private DC. I have some questions on the optimal architecture solution on Azure in this scenario. I have the option to use a VPN S2S connection or the Azure App Service Hybrid Connection Manager (HCM).
Since they both establish a connection over the public Internet, they will both suffer from multi-hop connections and probably have no SLA guarantees.
So what are the design considerations when choosing one over the other, and when would I choose Hybrid Connection Manager (HCM) over a VPN Site-to-Site (S2S) connection when establishing hybrid connectivity from an Azure-hosted application (PaaS) to the on-premise DB? Which one is faster?
As far as I know, in the case of a connection from your App Service to the on-premise database, the HCM feature with App Service is more easily deployed and needs no gateway, compared to Azure App Service over a Site-to-Site (S2S) connection. It's enough to use it for connecting resources in a remote network. It's secure to make outbound calls to Azure over port 443.
Each Hybrid Connection correlates to a single TCP host and port combination. It simply provides network access. See App Service Hybrid Connection benefits and Things you cannot do with Hybrid Connections.
However, if you're using Azure App Service with a virtual network and VPN connection, it makes a private connection from your web app to your database and you have more control of your network security rules. Also, there is a preview feature to use Private Endpoints for Azure Web App.
You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access the app over Private Link. The Private Endpoint uses an IP address from your Azure VNet address space. Network traffic between a client on your private network and the Web App traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.

Can Azure App Services have fixed MAC addresses?

I've got an Azure App Service that I'd like to use to run some software that requires licensing. The license is provided via a server on our internal network. The issue is finding a way to connect to this server.
The first option is to provide a fixed license that is tied to the MAC address. However, I don't think this will be possible from an App Service, as it does not really have a MAC address? Can I provide a VNI to it and obtain a fixed MAC address that way?
What other options are there? Can the App Service be tied to a VNET that can tunnel to the on-premises resource? Should I use a VM with a VNI instead of an App Service? Any resources on these kinds of problems would be appreciated.
I have used Azure Relay to connect my on-prem service with my App Service. Not sure if you have already considered this option.
If your requirement is to establish a connection between your on-prem service and your App Service, check out this: https://learn.microsoft.com/en-us/azure/service-bus-relay/relay-what-is-it
Hope this helps.
You could use VNet Integration with Azure App Service and an Azure VPN gateway to connect to on-premise resources. VNet Integration is used only to make outbound calls from your app into your VNet. There are Regional VNet Integration and Gateway-required VNet Integration.
How regional VNet Integration works
Regional VNet Integration works by mounting virtual interfaces with addresses in the delegated subnet. Because the from address is in your VNet, it can access most things in or through your VNet like a VM in your VNet would. The networking implementation is different than running a VM in your VNet. That's why some networking features aren't yet available for this feature.
How gateway-required VNet Integration works
Gateway-required VNet Integration is built on top of point-to-site VPN technology. Point-to-site VPNs limit network access to the virtual machine that hosts the app. Apps are restricted to send traffic out to the internet only through Hybrid Connections or through VNet Integration. When your app is configured with the portal to use gateway-required VNet Integration, a complex negotiation is managed on your behalf to create and assign certificates on the gateway and the application side. The result is that the workers used to host your apps are able to directly connect to the virtual network gateway in the selected VNet.
For more information, you could read this blog: How to Connect Azure Web Apps To On-Premises
In addition, if you need more control over the application deployment and less scaling out or in than Azure App Service offers, you could host your application on an Azure VM, then set up a VPN gateway in the VNet where the Azure VM is located; this allows access to the on-premise resources from your Azure VM as usual in the internal network.

Azure WebJob on Premise Resource

We have an Azure WebJob running on an App Service connected to a vNET via Point-to-Site connection.
That same vNET is then connected to the on-premise network via a Site-to-Site VPN connection.
Routing is set up on the Site-to-Site connection so that the IP range of the Azure vNET (172.27.0.0/24) is sent from OnPrem > Azure. This can be tested by logging in to a VM inside of the vNET to query on-premise resources; this works fine, and as expected.
If the same request (to a REST API) is sent from the WebJob, things do not work.
The IP range of the Point-to-Site (172.27.1.144/28) does not intersect with that of the vNET, so I am wondering if we need to also route this range "back across" the Site-to-Site connection?
Another alternative is that a routing table within Azure needs to have a manual entry, somehow?
Any tips on how to troubleshoot / get this working would be much appreciated.
The IP range of the Point-to-Site (172.27.1.144/28) does not intersect with that of the vNET, so I am wondering if we need to also route this range "back across" the Site-to-Site connection?
You need to do that, indeed. Not only that, you need to configure this network range (172.27.1.144/28) on your on-premises router too, so it recognises and accepts the traffic.
But in order to make the routing from the Point-to-Site (Azure app service) to the on-premise over the Site-to-Site VPN Connection, you will need to use a Virtual Appliance which is capable of forwarding the traffic.
For sake of simplicity and cost savings, you could just use Azure Hybrid Connections to connect Azure Web App / Web Job to on-premise Resource.
You can also refer to the documentation here, which lists the limitations of connecting an App Service Plan to a Virtual Network, namely:
There are some things that VNET Integration does not support, including:
mounting a drive
AD integration
NetBios
private site access
Please note the last one - private site access - this is your on-premises.
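As an added diagnostic for the routing question above (not code from the thread): given a constructed on-premises route table, it checks whether the P2S pool sits inside the vNET range and which Azure-side prefixes lack a return route via the S2S tunnel interface, which is the gap the answer points at. The interface names and the route table are assumptions; the two prefixes come from the question.

```python
"""Return-route check for a P2S pool reached through an S2S tunnel.

Added example, not from the original thread. ONPREM_ROUTES is a constructed
stand-in for the on-premises router's table; the two Azure prefixes are the
ones given in the question.
"""
import ipaddress

VNET_PREFIX = "172.27.0.0/24"        # Azure vNET address space (from the question)
P2S_POOL = "172.27.1.144/28"         # Point-to-Site client pool (from the question)
TUNNEL_IFACE = "tun-azure"           # assumed name of the S2S tunnel interface

# Constructed on-premises routes: (destination prefix, egress interface).
ONPREM_ROUTES = [
    ("0.0.0.0/0", "wan0"),           # default route towards the Internet
    ("10.0.0.0/8", "lan0"),          # on-premises LAN
    ("172.27.0.0/24", TUNNEL_IFACE), # only the vNET range returns via the tunnel
]


def p2s_inside_vnet(vnet, pool):
    """True if the P2S pool is covered by the vNET prefix (False for the question's ranges)."""
    return ipaddress.ip_network(pool).subnet_of(ipaddress.ip_network(vnet))


def lookup(routes, addr):
    """Longest-prefix match: egress interface for one address (string), or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def missing_return_routes(routes, azure_prefixes, tunnel_iface=TUNNEL_IFACE):
    """Azure-side prefixes whose replies would NOT leave via the S2S tunnel.
    Every host address is checked so a route that covers only part of a prefix is caught."""
    return [
        prefix for prefix in azure_prefixes
        if any(lookup(routes, str(a)) != tunnel_iface
               for a in ipaddress.ip_network(prefix).hosts())
    ]


if __name__ == "__main__":
    both = [VNET_PREFIX, P2S_POOL]
    print("P2S pool inside vNET:", p2s_inside_vnet(VNET_PREFIX, P2S_POOL))
    print("prefixes lacking a tunnel return route:", missing_return_routes(ONPREM_ROUTES, both))
    fixed = ONPREM_ROUTES + [(P2S_POOL, TUNNEL_IFACE)]        # the route the answer asks for
    print("after adding the P2S route:", missing_return_routes(fixed, both))
```

Running it lists the P2S pool as the only prefix without a tunnel return route, and an empty list once a route for 172.27.1.144/28 via the tunnel interface is added.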

Extend On-premise AD to Azure

I want to be able to provision Azure VMs and attach them to on-premise AD. I have read the Azure documentation and there is a requirement for a site-to-site VPN connection. In my case, having a VPN device is not feasible. Would it be possible to do the same with a point-to-site VPN connection? I haven't seen any guidance on the Azure website regarding this.
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-install-replica-active-directory-domain-controller/
While I haven't considered using Point-to-site where my point would be my whole on-premises network, I can assure you that you do not need a special VPN device to make Site-to-Site VPN with Azure.
Check this dedicated article on how to create Azure Site-to-Site VPN with Windows Server Routing and Remote Access.