Microsoft Azure Network Security | Cloud Network Security Explain | Cloud Training | JOYATRES |
we discuss something regarding this cycle we also discussed something regarding the network security code what is Network Security Group how can we make use of network security look we discussed all that participants the last topic that we discussed yesterday was uh that is what is System Route and what is user defined nodes right so what is system.s and what is user depend on so we discussed that particular part so today we'll try to achieve that practically but before we achieve it practically we will discuss the Azure fire bonus rate right see we all know what we can do with the help of Fireball so with the help of firewall we can control the traffic right so basically you see what is azure firewall we all know what we can do with the help of fire with the help of firewall we can control the incoming and the outgoing traffic incoming and outgoing traffic can be managed with the help of Fire game right we can manage the incoming and outgoing traffic with the help of network security group as well see mostly whenever traffic will be coming from outside our Network we try to control the traffic with the help of iPhone and whenever a traffic is moving within the network then we try to control the traffic with the help of network security so we are talking about we're talking about something called as Ure firewalls so first of all this Azure firewall it's a pass service it's a platform as a service platform of the service means the underlying machine where the Azure firewall will be running that machine will be managed by Microsoft we don't need to worry about that machine so the underlying infrastructure where this Azure firewall will be running that underlying infrastructure will be managed by Microsoft okay then sometimes people also refer this as faas firewall as a service that's Fireball as a service falls under the category of passwords this Azure firewall has got unrestricted Cloud scalability unrestricted Cloud scalability means if more and more traffic will be hitting on our firewall firewall will be getting more and more resources and would be able to handle all the traffic so suddenly let's say if huge amount of traffic is hitting on a firewall our Fireball would be able to handle that particular time so it has got unrested cloud scalability it is also stateful in nature it remembers a statement right it is also stateful in nature see let's say this is our virtual Network in our virtual Network let's say we have a subnet here and from this subnet one machine is getting an IP in this is our laptop and maybe we can consider this as the internet we already know in order to create the Azure firewall first we have to create a dedicated subnet for the firewall the name of the subnet should be Azure firewall subnet and after that we would be able to create the Azure firewall here thank you so let's do a naming convention I am saying this is v-net number one let's say 10.1.0.0 16 which is in the East TVs region this is sublet number one that is 10.1.0.02 Depot this is VM number one which has an ip10.1.0.4
for the better security we are giving no public IEP to this machine so this VM number one will have no public IP and this VM number one will have no public ports for the better security we are not giving it any public IP and we are not leaving any public inbound ports right now this is we are considering as our laptop this is we are considering as the internet so guys please tell me can I take the RDP of this VM number one from my laptop is it possible I would be able to RDP this machine from my laptop would that be possible no no no I would not be able to do that right see if it's if it's only about RDP maybe I can use Bastion host using the Bastion host I can take the RDP of this machine right so right so if it's only about RDP maybe we can take the RDP with the help of Brazil host but what about if this VM number one is acting like a web server what is this VM number one is acting like a SQL Server would we be able to access this from a laptop so what we can do here we can make use of firewall maybe first we can create the firewall subnet let's say this is azure firewall subnet 10.1.1.0 this is our Azure firewall whenever we will be creating our firewall we have to give a name to this firewall let's say I give it a name easy file this is the name of our Firefall now this firewall will have two IDs one is the private IP which it will be getting from the firewall subnet what would be the private IP private IP would be 10.1.1. this will be the private IP of the file name and then this Fireball will also have a public IP let's say we give it a name firewall public right so it will have to destroy it as well as public can we do it like this maybe from our laptop via internet we can hit on the firewall public IP public IPS are exposed to the Internet so we can hit on the firewall public IP then at the fireball level maybe here we can do some netting we can create some networks we can do the netting here netting is Network address translation right so we can do the netting so after netting we would be able to hit this VM number one on its private ID so maybe we can take the RDP as well we can also hit this machine as a web server right so we would be able to hit this machine on its private AP so that is how we would be able to access this machine maybe as a web server maybe as a SQL server or maybe we can take the RDP depending upon the requirement depending upon the requirement we can create the lab rows right so let's try to implement this practically as well so what do we need to create one network one sublet one firewall sublet one Azure firewall we already have our laptops with us internet is already there and we need to create one machine we should have no public IP and no public ports so let's go to the portal and let's start deploying all these things so let's say I'll start by deploying a virtual Network maybe I can go to this virtual Network here we can say create in which resource Group let's say I give it a name RG buyer mode right we are doing a fireball Maps what is the name of the network v-net number one in East U.S
what is the address range 10.1.0.016 we are adding a subnet from here that is subnet number one 10.1.0.0.24 and then we say that now we have two options of creating this firewall we can create the Azure firewall while creating a virtual Network if we have not created the firewall while creating a virtual Network we can do that later on as well so if I click on security it gives me an option to deploy the firewall so maybe we can say enable it says what is the name you want to give to your firewall you can give it any name of your choice let's say I just give it a name easy firewall maybe you can give it a name firewall one my firewall jiten firewall whatever name you want to play Fireball address space it will have its dedicated subnet so I'm saying the range should be 10.1.1.0 and this firewall will also have a public IP so maybe I'll give it a name firewall public right everything is seen as we have defined in this diagram so now I will say it will be when create so what are we deploying in a single room we are deploying virtual Network we need one along with subnet one along with Azure firewall subnet along with the Azure Firefall so we are deploying all these things in a single room what is left to be deployed just this VM number one is ready so let's wait for a moment let the deployment happen here hello Jaden oh yes um yeah I didn't really pay attention what what is the purpose for the vm1 what is the purpose of VMware so we are assuming that this vm1 could be a web server or this could be a SQL server and maybe someone is trying to access it outside of a virtual Network so how they would be able to access it so usually we do not expose our machines we do not provide the IPS of our machine to anyone right so they will be hitting our machines or they would be able to access our machines via firewall okay foreign okay so it's still being deployed so I think v-net number one would have been deployed so what we can try to do now now maybe we can try to deploy VM number one but as we can see here the machine should have no public IP and should have no public rules so let's go to the portal and let's try to deploy VM number one so we can go to Virtual machines we can say create the Azure virtual machine thank you okay in which is also let's say in RG firewall what is your name vm1 then we can go to the networking section and we can see if we are able to see our video we are able to see here so let's say we are deploying vm1 in East us as Windows Server 2019 over CPU 16GB Ram we can give a username and we can give a password to this machine right then we need to ensure that no public Port should be open so public inbound codes we are saying none we are not leaving any public and one person for the better security right then we can go to networking we can see this machine is getting IP from v-net one getting IP from subnet 1 and public IP we don't want to give it a public account public IP should be then we can go to monitoring and we can say boot Diagnostics to say so now we are deploying this issue so this machine will be deployed in a so let's wait for a minute let the machine be deployed so um the firewall that we are about to create it doesn't run on anything how it it doesn't like run on anything how does that um uh it doesn't doesn't anything means you know like yeah this is a firewall but when we when we when we create this when we create the firewall it doesn't run like in any virtual machine something like that no it's a past service this this Fireball is running on a machine okay this Fireball is running on a machine platform as a service means any machine on which this firewall is running that machine has been created by Microsoft ah okay and that machine is managed by Microsoft okay thanks so we can see here this firewall has two IPS this is a firewall primate ID 10.1.1.4 right and here we can see the firewall public ID so we can click on this firewall and this is the firewall complicated from here we can bend down the number of this public IP this is the public IP of the inspired so maybe we can profit this topic IP and maybe we can put this IP or notepad here so let's say we put it here if you go one step back here also you would be able to see it says public ID configuration so from here also you can see the public IP of this Bible and if in case required the firewall may have multiple public IPS too let's say if you want this Fireball to have two public IPS or 10 public IPS or 50 Public IPS you can do that maximum it can have up to 250 public IPS one single file right from here we can add the public IP configuration okay now we already know the machine that we have deployed this VM number one that we have deployed this machine has no public IP how can I take the RDP of this machine maybe I can create a rule in firewall see this machine does not have any publication so maybe I can create a rule in the firewall and then I can take the RDP of this machine let's say I want to make this machine as my web server so maybe after taking the RDP in this VM number one I can deploy the web server rule I can deploy the IIs rule right then this machine will start acting like a web server and then again we can create a rule in the firewall if I want to access my web server from my laptop I will try to achieve all this part right so how can we do this maybe I can simply go to the firewall on the left hand side I can see the rules I can go to this firewall rules from here maybe I can create a ladder it says natural connection so I can create a network right so I'm creating the rule let's say for VM number one so I can give it a name VM number one rules priority let's say I give it a priority 300. name let's say I'm creating an RDP rule protocol how the traffic will be coming if you know it will be coming if you do not it's coming by TCP or UDP you may select both right then it says Source type source is nothing but an IP address so guys can you please save me from this diagram what is the source what should I put in the source IP address here what is the source the source is your laptop zero yeah yeah it could be it depends it entirely depends if I want that RDP of this VM number one can only be taken from my laptop I will only put the public IP of my laptop how can I find the public IP of my laptop I can simply go to internet and I can type here what is my IP address right maybe on the internet I can type what is my IP address and I would be able to find out the public IP of the laptop this is the IPv6 address okay go ahead okay switch it in here we are not supposed to use our IP address of my laptop like a Nik IP address you are referring private IP address yeah so we get the internet ipritic IP the network can you can you reach to internet using the private IP address no it's not possible yeah so um can we still find that on if we go to Power Up Power share can we find our public IP using when we do that yes it will simply go to Powershell you may run a script this what is my IP address you want to find out the IP address via internet okay can we find that using the command like find that to use a command to man to yeah if I don't remember the exact command okay that is fine yeah yes yeah how to find foreign foreign yeah right and let's look up my IP dot open dns.com resolver opening or
something like this you would be able to see your authoritative name server as well as the IP address okay okay okay so basically see point is if I want that RDP can be taken only from my laptop then I will be entering the public IP of my laptop if I want RDP can be taken from five machines I will be entering the IP address of those five machines here if I want RDP can be taken from any machine I can simply press type wildcard means if a traffic is coming from any machine allowed to take the RDP what should be the destination address guys what should I put in the destination address the the V1 VM sorry vm1 so one gentleman says vm1ip any other input team what should we put in the destination okay see from my laptop we are not trying to reach VM number one directly from my library yeah right so from my laptop via internet I am trying to hit only firewall publicity yeah so destination should always be Fireball yeah yep if I am trying to take the RDP on which Port should I hit on Fireball if I'm trying to take the RDP on which Port should we hit on the firewall public ID RDP Port of the rdp4208 yeah RDP Port is 3389 right so usually people hit on Fireball on 3389 which is ideally not a secure method reason is we are not trying to take the RDP of a firewall we are trying to take the RDP of a machine so on if you want you may certainly hit on 3389 but this would not be a secured method so usually we should hit on firewall on any random Port any port which is not easy to guess there are certain ports which are known to everyone RDP Port is three three eight nine HTTP Port is 80 https 443 DNS 53 dscp 6768 FTP 2021 Kerberos 88 smdb 25 these ports are known to everyone so ideally we should hit on firewall on any random Port between 1 to 64 000. so maybe let's say I can hit on Port two I can hit on so and support I can hit on student support I can hit on so when support right let's say I am waiting on Port 82. so if I am hitting on firewall public ip1 Port 82 it should translate this to VM number one private IP that is 10.1.0.4 that is the IP of VM number one
you can see in this diagram as well yeah and since we are trying to take the RDP of this machine it should hit on 338 right this will be my web server so this will be my RDP after taking the RDP what I can do I can make this machine as a web server I can go to server manager I can go to add rules and features and I can add the web server role once this machine will act like a web server I can create a web server role as well you can do that later on or you can do it right away whatever is convenient to you right so I am saying whenever traffic is coming via TCP protocol it is coming from any IP address hitting on the firewall public IP on Port 83 hit on the same machine that is 10.1.0.4 but this time hit on Port it because http because we are trying to access the machine as a web server and we can say that so we are creating two rules basically one is we are saying if anyone is hitting on firewall public IP on Port 82 send the traffic to VM number one that is 10.1.0 Dot over and hit the traffic RDP right and similarly if anyone is hitting on firewall public IPL code 83 send the traffic to VM number one that is 0.4 but this time hit on 48
right so basically we are creating posts so once this rules will be created what do we need to do if we want to access if we want to take the RDP of this machine we just need to hit on firewall public IP on Port 82. if we hit on firewall public IPO and Port 82 it will give us a dialog box a challenge box where it will ask us to enter the credentials of VM number because it will be hitting on machine on Port 3389 and it will give us a box where it will ask us to enter the credentials so let's wait for a minute okay I think the rule is now created it says successfully updated the rules so now we can hit on firewall public IP and we are specifically hitting on Port 82 that is a rule for the RDP I'll say connect so when we click on connect we'll take the connection to 10.1.0.4 143389 written with this one public IP address of the firewall can we connect to like a 500 VMS if we have yeah absolute PC what do we need only thing that we need is let's say I have VM number two okay I'll just give you one example you will get declarative automatic you see I am saying on same firewall if I am hitting on Port 84.
take the traffic to VM number two that is 10.1.0.5 right okay same firewall if I'm waiting on Port 85. take the traffic to VM number three this time it is 10.1.0.6 same for everyone let's say if I'm hitting one port 129 take the traffic to VM number 100 just an example that is 10.1.0.99 or whatever IP you want to give and hit the traffic on 338 okay so in production environments do you use this method to connect to Western host in the production environment see when you are taking the RDP using the Bastion roast in the backend same process is being used reason is you will be using the same Bastion rules and multiple people will be connecting to multiple machines at the same time but there is just a single IP so basically that is the reason we are allocating the dedicated subnet for the Bastion as well okay these IPS will be used in the back end to take the rdps or to do the netting in the backend right okay okay so basically guys see we can see here when we entered the firewall public IP on Port 82 it basically asking us to enter the credentials of this VM number okay okay let's say I hit it again firewall public ip142 so it will give us dialog box where we can enter the credentials of the machine so I can enter the usernames I can enter the password and if we click on OK it will take the connection to VM number one right so now we are able to take the RDP or VMO if you want to make this VM number one as a web server what can we do we can simply go to this machine you can simply go to server manager we can simply go to add roles and features and we can add the web server rule IIs rule IAS stands for internet Information Services right so we are going to addition so what other server manager be open okay server manager is now open so we can simply go to add rows and features we can say next we are going to deploy a role role base or feature based installation next we are trying to deploy a role in VM number one next Winstone this web server IIs is transfer internet Information Services next next next and install so now we are installing this tool now the machine will become the web server so how we would be able to check if a machine is acting like a web server or not you can simply go to any web browser and you can type http localhost so when you type HTTP localhost it will basically display the basic page of the web server so let's say I open Microsoft Edge okay so let's say in this Microsoft Edge maybe a type here HTTP localhost and I'm getting on Port 80 right so right now the machine is not acting like a web server that is the reason it says cannot reach this page but once the role will be deployed completely we would be able to see the basic page of the website right here we would be able to see the basic page of the email server so let's wait for a minute and this web server would be accessible are we covering proportional in this course or different course I'm sorry the Powershell are we covering in the same course with a different course if potential we have like 40 hours trainings and dedicated 40 years training okay okay let me know I want to actually join and even other portion also not included uh partial when we say other Powershell means your Powershell as well we have a dedicated course course number is ac040 okay so basically Microsoft has well defined the course outline so there are different different courses okay so what we can see here see guys now this machine the role is deployed and now this machine is acting like a web server right okay so guys what time yeah please please go ahead yeah so this row um I know there is is deployed on this machine the um the V1 machine that we just created where so where where are this package coming from are they coming from the library or where are they coming from I'll show you I'll show you all the product as well I have shared the public IP of the firewall along with the port number can you guys please take this public IP of this firewall along with this port number and try to hit this on your machine and let me know if if you are able to my web server website see just like me I just went to a browser I just hit the public IP of the firewall on Port 83 and if I hit enter I am able to access the web server from my laptop there is are you able to access it as well okay I can able to access yes all of you would be able to access it reason is when we were creating this tool when we were creating this web server rule we Define if a traffic is coming from any IP address see what is the source any IP address if a traffic is coming from any IP address allow the traffic that is the reason all of you are able to access the web server but I am going to change this rule I am saying if a traffic is coming only from my laptop IP then only allow the access to the web server if a traffic is coming from any other IP do not allow the access so I am updating only my IP here I will say save so once the rule will be updated just close this tab the tab from where you are able to access the web server close that tab open a new tab in the incognito mode like this we can simply go to incognito mode and you can open the new tab maybe after two minutes try this activity and then try to hit the same IP again which I shared in the chat window on Port 83 right firewall public IPL 483 now you will find out you would not be able to access the web server reason is now the access to the web server I have only allowed from a certain IP address that is my laptop IP so if I try to access it I would be able to access the web server but if anyone else will try to access it you would not be able to access it right so let's wait for a minute okay I see the rule has been updated see if I go to a browser and if I hit the firewall public IP on Port 83 I would be able to access the web server guys one of you can give it a try now open the new incognito tab and try to access the web server on the same IP and please let me know the results 20.246.160.144 1483
later sorry yeah I can see page cannot be displayed here so basically you would not be able to access the page now yeah right okay now I think one gentleman asked where is this page configured right so if you want to change this page let's say I'm saying whenever anyone is hitting my web page I would like to get a message hello world from web server one so you can do that so this is where the page is hosted you can simply go to your C drive in your seat right you can see this folder inet pump in this folder there is something called as www in this www root this is the page this is the HTML document so I am saying I can open this page maybe with Notepad and I am saying when anyone is hitting my web server I would like to get this message hello world from web server one right let's say this is a message I would like to get so I can simply customize the starting location thank you so now if I try to hit this same IP again on same four now I'll get a message hello world web server if you want to configure this this is your default site so how can you configure all this part see you can simply go to server manager in server manager here this machine is now acting like a web server IIs right this is the is so from here you can simply go to tools and you can simply open this internet information services manager this is what you can open this is your VM number one in this PM number one this is your application pool default application Port this is your site this is the default site that we have done the site that PLC is the default side so how to do authentication compression default document error Pages Handler mappings HTTP response all these things have been defined here right if you want to edit some permissions if you want to do some cheaters in the bindings you can do all this part from here so let's say you want to change the bindings so right now The Binding is on HTTP on Port 80. if you want to edit the binding you can add The Binding that's all we can do all this one that's how you can play around with your bench server basically perfect any question any query anything there is so far okay so now we will try to configure the user defined routing the concept that we discussed yesterday system routes and user defined routes now we'll try to work on that particular part right see guys this Azure virtual machine this virtual machine do not have any public IP but it is a property of the Azure virtual machine that it can communicate with the internet we already know this machine do not have any public ID but from this machine let's say if I try to go to www.google.com I'm able to communicate to Google I try to go to bing.com or let's say I try to go to Yahoo or I try to go to MSN any website over the Internet so I'm able to communicate to any website over the Internet any web application over the internet right so my question to you is from this VM number one when the traffic is going towards internet is it going via Azure firewall or is it communicating to the internet directly so it should be going through firewall only okay because because the public IP is configuring firewall already right okay is there a way we can figure it out whether it is going by a firewall or whether it is going via uh whether it is going to internet directly see we have multiple options to figure it out one option is we can simply go to Powershell right so let's say from this VM number one I have open Powershell let's say I would like to increase the Powershell font size and I can simply say traced out www.google.com I want to trace a route when a packet is going from vm1 towards google.com how is it traveling I want to trace it out and let enter it says in order to access google.com it
is hitting on so and so IP this is the IP it is hitting in order to access google.com and you will find out there is no hop in between means it is not going via firewall so it is going directly so from this VM number one when the traffic is going towards internet it is not going via Azure file wall which router is following it is following a system row it is following the route of its own choice we have other methods as well for example there is a very good tool in Azure so let's say from the same machine let's say simply go to total.ajo.com I can log in with my credentials there is something in Azure called as Network watcher Network Watcher or with the help of network Watcher you can use it for the troubleshooting purposes right so we can set up Network watch for the troubleshooting purposes we can just type here Network watcher it's like a troubleshooting tool in this network Watcher we have multiple options even option is connection troubleshoot so we can check the connection how they are going what is the source VM number one what is the destination we can specify manually what is the destination www.google.com preferred IP version let's say ipv4 let's say we are going via TCP destination Port 80 Source Port 80 right diagnostic test so there are multiple diagnostic tests let's say I'm doing all the tests and we can say run the diagnostic test so it will run the diagnostic test and let us know when a packet is going from this machine towards google.com is it going via Azure firewall or is it not going by Azure file so we can check the helper to say and we will find out it is communicating to the internet directly right it is communicating to the internet directly so let the test go on this might take a moment right now guys let's see if this is the important server of your organization VM number one this is the important server of your organization would you allow the important server of your organization to communicate to all the websites over the internet it can communicate to google.com msn.com let's say if it is your SQL Server it's your verification would you allow this machine to communicate to all the websites over the Internet no no for security purpose we will not allow this so what we want we are saying whenever a packet is going from this machine and it is going towards internet it should always go via okay so what are we doing we are defining the route user defined as we discussed yesterday as well we in not remove the system routes but we can overcome system routes with the help of user Defender so wherever there will be a system route wherever there will be a user defined route user defined route will have more priority thank you so we cannot remove the system routes but we can overcome them with the help of user depend so how can we create this route see I think the diagnostic test has been completed and we can see here although it has failed but we can see few things out see one thing we can simply see the topological View so from vm1 that is 10.1.0.4 when the
traffic is going towards internet it is going directly there is no hop in between we can see it here as well or by home details traffic started from VM number one 10.1.0.4 next stop is two and so that is the IP of google.com right destination addresses google.com so it is not hitting any firewall in between right you can have a doubt actually since this side this VM is in private IP address the firewall is the only way to communicate to outside no no it is using Microsoft DRS let me show you I I got a dog see if you see here if you go to the virtual Network or even if you go to the machine as well your point is this machine has only got the private IB how is it resolving google.com without using the public IPO
firewall right see if you go to this VM number one if you go to the networking section this is a Nick card of this machine okay and if you go to the Nick card of this machine you can go to the DNS servers so you will find out here that it is inheriting from the virtual Network it is using Microsoft DNS to resolve this so there is a Microsoft DNS I think it starts at 168. that IP address starts with 168 right okay so basically yeah basically it is using that IP okay so let me show you I think it starts with 168.63. something right so if we type here what is my Azure DNS server IP Microsoft right yeah so this machine can talk to the internet even without the public IP of the firewall that's right it is server IP address okay if you now recall what we discussed earlier we discussed in every subnet five IPS are reserved 10.1.0.0 .1 0.2 and 0.3 they are reserved for the DNS purposes these IPS are being used in the back end to communicate with the Azure DNS IPS okay if you do not want this Behavior so what you can do you can simply go here you can simply go to your Nick card here and you can say that you don't want to inherit from the Azure virtual Network you would like to use your own dnsl okay then this machine will be reaching out to your DNS server to resolve the names into eyepiece so whenever you will be typing www.google.com in your web browser this VM number one will be reaching out to your DNA server to resolve it right now it is reaching out to Microsoft deals right so by default uh I have another question by default all the private VMS can communicate to internet yeah in Azure all the machines would be able to communicate eventually okay okay see but what we want we want whenever traffic is going from this machine right see what do we want we want whenever traffic is going from this machine towards internet it should go via Fireball so how can we do this we need to create a user if I enroll how do we create a user defined now with the help of something called as supporting we can create a router right what is the name let's say I give it a name route table that is the name also whenever we will be creating a round table we also have to define a region it should be in the same region as a region of a virtual Network that is East US after creating this route table within this route table we have to create the routes no whenever we will be creating a route we have to give a name to the store let's say I give it a name internet route why I gave it a name internet route because traffic is going towards internet you can give it any name of your choice my route Route 1 route from vm1 to internet I just gave it a name internet route because traffic is going towards internet then it says what is the address prefix or you can also say what is the destination interest where the traffic is going we know traffic is going towards internet how can we represent internet 0.0.0.0
and this is how we would be able to represent internet this is where traffic is going we also need to Define in the node what is the next stop we can clearly seal this diagram Azure firewall is acting like a next stop in fact the private IP of the Azure firewall is acting like the next stop right 10.1.1.4 is acting like stop we also discussed yesterday that whenever we need to Define next form we have five options for the next stop it could be a virtual Network it would be a virtual Network Gateway it could be a virtual Appliance it would be internet and it could be right we already know our firewall is not a virtual Network it is not a virtual Network Gateway it is neither internet it is not none so basically our firewall is acting like a merchant so next stop is 10.1.1.4 which is nothing but the Azure firework which is acting like a virtual see you guys so far in this round we have defined where the traffic is going traffic is going towards internet we have also defined how traffic is going traffic is going via Azure firewall but so far we have not defined from where traffic is starting what is the source so traffic is starting from VM number one how do we Define from where traffic is starting we need to associate this route table with a subnet right we need to associate the route table with a Circle and we always associate route table with that subnet from where traffic was starting so traffic is starting from vm1 and vm1 is getting IP from subnet one so we will associate the route table with subnet number so now basically we have defined from where traffic is starting right any question any query guys before we try to deploy this route table and before we try to deploy this route zero zero zero so even the internal communication will go to other VM 10 dot is 1.0.5 no what is the what is the address prefix we are seeing when a traffic is going towards internet then only you should go by a fireball if you will be communicating to a different machine let's say you are communicating to 10.1.0.5 you are communicating within the same network okay got it so let's see how can we create this maybe I can just type here route table you can see here Round Table we can say create in which resources let's say in the same Resource Group RG firewall same region region of a virtual Network and let's say we give it a name row table and we'll say it again so route table will be created in a okay so this router is now created now we can go inside this route table so when we go inside this out table on the left hand side we can see an option called as routes so we can go to the routes now you can say add a route what is the name of the route you can give it any name let's say I give it a name internet route because traffic is going towards destination address prefix what is the destination address we are saying traffic is going towards internet that is 0.0.0.0 what is the next stop Azure firewall which is acting like a virtual Appliance what is the next hop address we can see in the diagram that is 10.1.1.4
okay so this is the address 10.1.1.4 you can say add so we are able to create the route so in the route we have defined the destination we have defined the next term how we will Define from where your traffic is starting we will associate this route table with a summary and we always associate route table with that submit from where traffic is starting it's starting from vm1 which is getting IP from subnet 1. right so let the route be created and then we will associate this round with a subnet it's done router is now created so here we can see the subnet and we will associate the route table with the circle so we'll say associate and now we will be associating this with subnet number we'll say right so once it will be configured how can we test it again we can either test it with the help of this Powershell you can simply do a trace route second we can test it with the help of that Network Watcher as well right third since all the traffic would now be going via Azure buyer wall from the VM number one if you try to go to any website over the internet you would not be able to communicate reason is all the traffic will be passing via Azure firewall in the Azure firewall we have not created any rule which allows the traffic to go towards C right so you will find out all the traffic which is going by internet will automatically be denied see we can test it so let's say I'll try to go to google.com so now it is unable to resolve google.com it is hitting on the firewall there is no rule in firewall which allows the traffic to go to google.com so we are
unable to access it you can try any website now msn.com bing.com yahoo.com so we are unable to complete it we can even try to do a trace route same command we can try to run so when we will run now traced out and we press enter um [Music] so we can run the same command paste out google.com so when we press enter it is getting on so and so IP to access google.com but it is going via buyer
mode see the first stop is 10.1.1.6 getting IP from the firewall submit it is sitting on the firewall first we can check it with the help of network Watcher as well it is not showing here with friendship we can check it with the help of network Watcher as well and we will find out now it's going by Azure file but see guys now we are unable to communicate to any website over the internet let's say you want your web server or your database server to be able to communicate with specific websites over the internet to be able to communicate with specific verifications over the internet you can do that you can go to the firewall and you can create the application Loop see right now from vm1 what is the destination we are trying to go towards google.com let's see where TCP preferred IP version is V4 Port 80 destination Port is also 80 and we cannot be diagnostic test we will find out we'll be going via Firefall right but what about if I want to allow certain websites if I want to allow certain web applications what we can do we can simply go to firewall and we can create the application rule in firewall that if traffic is coming from VM number one and if it is going towards a particular website allow the traffic right so let's say traffic is coming from vm1 it is trying to access office 365.com allow the access if it's coming from vm1 if it's trying to access portal.io.com allow the access or any website that you want right so now we can see when a traffic is going from VM number one it is coming from VM number one it is 10.1.0.4 the next stop is 10.1.1.4 which is the Azure firewall and
then it is hitting on the destination address that is google.com you can see in the topological view as well from vm1 towards internet it is going via azure right so how can we allow a specific website let me show you that part as well so we can simply go to firewall in firewall we can go to the rules this is a rule section in rules maybe we can go to the application rules in application Rule and we can click on here add the application rule collection right so let's say I'm creating a rule for vm1 vm1 rules priority let's say 200 do you want to allow the traffic do you want to deny the traffic we are saying allow what is the name let's say we are creating a Google rule Source type from where traffic is coming VM number one n dot one dot zero Dot coming by which protocol HTTP on Port 80 or coming via https on Port 443 Target fqdn I am saying let's say it's going towards google.com so if traffic is coming from VM number one coming via so and so protocol on so and so port or https protocol Port 443 and going towards google.com we are saying allow the truck and we can say that so once this rule will be created if you try to go to any other website you would not be able to access it but if you try to go to google.com you will
be able to access google.com right so what will be done maybe in a moment so let's just wait for a moment here okay so now this tool is updated so how can we test it we can simply go to that machine and we can try to go to multiple websites we know apart from google.com we would not be able to access any website from the machine right so let's say we go to this particular machine and we can close this Powershell here so let's say first we'll try to go to msn.com www.msn.com which we would not be able to access access right let's say we go to bing.com www.bing.com
you would not be able to access let's say we're trying to go to portal.show.com we would not be able to access so we are unable to access any website over the internet but since we have created the rule for the Google if we go to google.com we will be able to access it right but again you can only access google.com if you try to type here Gmail and as soon as you click on Gmail now you would not be able to access it will be trying to click on the sign in you would not be able to fix it any question any query another guy is so far so guys yesterday I was unable to share you the link for the study material today I'll be sharing that link as well right you can go through that link and when you go through that link you will be seeing certain Labs you can do those labs as well so that is all for my help for today I apologize for the inconvenience class today you guys have to go to church as well Technologies for the inconvenience costs [Music] if you have any questions any queries please speak to us or else we are good for today so um just a quick question is there any reason why we need to really allow our private machine to get to the internet is there any reason it is the feature of the Azure if you do not want that see ideally it should not be allowed to wherefore it is allowed but that is the reason we have configured the user defined routing that all the machines could not be able to communicate to all the websites over the internet this is how it has been designed by Azure but now we are going to do some modifications as per our organization requirements can you open the WhatsApp group if you have any questions shall we post on the group it's all the WhatsApp group is already there so opening one more WhatsApp group I don't think it would be any now in the same group same group and we open it's only for admins now I think you are unable to pose the question I don't think so [Music] okay maybe you can just try to type hi I think yeah people are able to pour system I don't think so okay okay yeah it's open yeah okay doing things all right thank you very much guys so have a good rest of the day take care stay safe I'll share it right away uh the reading material but all of you can read it as well
2023-05-26 07:22
