From 2b5f9b2066222e3071c4ea8adf82d3aaefe14090 Mon Sep 17 00:00:00 2001 From: Mike Wasson Date: Tue, 10 Apr 2018 11:22:21 -0700 Subject: [PATCH] Update hub-spoke deployment section (#488) * Update deployment section --- .../hybrid-networking/hub-spoke.md | 211 +++++++++--------- 1 file changed, 103 insertions(+), 108 deletions(-) diff --git a/docs/reference-architectures/hybrid-networking/hub-spoke.md b/docs/reference-architectures/hybrid-networking/hub-spoke.md index bb2d64c5ec6..c1391e5da98 100644 --- a/docs/reference-architectures/hybrid-networking/hub-spoke.md +++ b/docs/reference-architectures/hybrid-networking/hub-spoke.md @@ -3,7 +3,7 @@ title: Implementing a hub-spoke network topology in Azure description: >- How to implement a hub-spoke network topology in Azure. author: telmosampaio -ms.date: 02/23/2018 +ms.date: 04/09/2018 pnp.series.title: Implement a hub-spoke network topology in Azure pnp.series.prev: expressroute 
@@ -108,189 +108,185 @@ Also consider what services are shared in the hub, to ensure the hub scales for A deployment for this architecture is available on [GitHub][ref-arch-repo]. It uses Ubuntu VMs in each VNet to test connectivity. There are no actual services hosted in the **shared-services** subnet in the **hub VNet**. -### Prerequisites +The deployment creates the following resource groups in your subscription: + +- hub-nva-rg +- hub-vnet-rg +- onprem-jb-rg +- onprem-vnet-rg +- spoke1-vnet-rg +- spoke2-vent-rg -Before you can deploy the reference architecture to your own subscription, you must perform the following steps. +The template parameter files refer to these names, so if you change them, update the parameter files to match. + +### Prerequisites 1. Clone, fork, or download the zip file for the [reference architectures][ref-arch-repo] GitHub repository. -2. Make sure you have the Azure CLI 2.0 installed on your computer. For CLI installation instructions, see [Install Azure CLI 2.0][azure-cli-2]. +2. Install [Azure CLI 2.0][azure-cli-2]. -3. Install the [Azure buulding blocks][azbb] npm package. +3. Install the [Azure building blocks][azbb] npm package. -4. From a command prompt, bash prompt, or PowerShell prompt, login to your Azure account by using the command below, and follow the prompts. +4. From a command prompt, bash prompt, or PowerShell prompt, log into your Azure account by using the command below. ```bash az login ``` -### Deploy the simulated on-premises datacenter using azbb +### Deploy the simulated on-premises datacenter To deploy the simulated on-premises datacenter as an Azure VNet, follow these steps: -1. Navigate to the `hybrid-networking\hub-spoke\` folder for the repository you downloaded in the pre-requisites step above. +1. Navigate to the `hybrid-networking/hub-spoke` folder of the reference architectures repository. -2. 
Open the `onprem.json` file and enter a username and password between the quotes in line 36 and 37, as shown below, then save the file. +2. Open the `onprem.json` file. Replace the values for `adminUsername` and `adminPassword`. - ```bash - "adminUsername": "XXX", - "adminPassword": "YYY", - ``` + ```bash + "adminUsername": "", + "adminPassword": "", + ``` -3. On line 38, for `osType`, type `Windows` or `Linux` to install either Windows Server 2016 Datacenter, or Ubuntu 16.04 as the operating system for the jumpbox. +3. (Optional) For a Linux deployment, set `osType` to `Linux`. -4. Run `azbb` to deploy the simulated onprem environment as shown below. +4. Run the following command: - ```bash - azbb -s -g onprem-vnet-rg - l -p onoprem.json --deploy - ``` - > [!NOTE] - > If you decide to use a different resource group name (other than `onprem-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name. + ```bash + azbb -s -g onprem-vnet-rg -l -p onoprem.json --deploy + ``` -5. Wait for the deployment to finish. This deployment creates a virtual network, a virtual machine, and a VPN gateway. The VPN gateway creation can take more than 40 minutes to complete. +5. Wait for the deployment to finish. This deployment creates a virtual network, a virtual machine, and a VPN gateway. It can take about 40 minutes to create the VPN gateway. -### Azure hub VNet +### Deploy the hub VNet -To deploy the hub VNet, and connect to the simulated on-premises VNet created above, perform the following steps. +To deploy the hub VNet, perform the following steps. -1. Open the `hub-vnet.json` file and enter a username and password between the quotes in line 39 and 40, as shown below. +1. Open the `hub-vnet.json` file. Replace the values for `adminUsername` and `adminPassword`. - ```bash - "adminUsername": "XXX", - "adminPassword": "YYY", - ``` + ```bash + "adminUsername": "", + "adminPassword": "", + ``` -2. 
On line 41, for `osType`, type `Windows` or `Linux` to install either Windows Server 2016 Datacenter, or Ubuntu 16.04 as the operating system for the jumpbox. +2. (Optional) For a Linux deployment, set `osType` to `Linux`. -3. Enter a shared key between the quotes in line 72, as shown below, then save the file. +3. For `sharedKey`, enter a shared key for the VPN connection. - ```bash - "sharedKey": "", - ``` + ```bash + "sharedKey": "", + ``` -4. Run `azbb` to deploy the simulated onprem environment as shown below. +4. Run the following command: - ```bash - azbb -s -g hub-vnet-rg - l -p hub-vnet.json --deploy - ``` - > [!NOTE] - > If you decide to use a different resource group name (other than `hub-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name. + ```bash + azbb -s -g hub-vnet-rg -l -p hub-vnet.json --deploy + ``` + +5. Wait for the deployment to finish. This deployment creates a virtual network, a virtual machine, a VPN gateway, and a connection to the gateway. It can take about 40 minutes to create the VPN gateway. -5. Wait for the deployment to finish. This deployment creates a virtual network, a virtual machine, a VPN gateway, and a connection to the gateway created in the previous section. The VPN gateway creation can take more than 40 minutes to complete. +### Test connectivity with the hub -### (Optional) Test connectivity from onprem to hub +Test conectivity from the simulated on-premises environment to the hub VNet. -To test conectivity from the simulated on-premises environment to the hub VNet using Windows VMs, perform the following steps. +**Windows deployment** -1. From the Azure portal, navigate to the `onprem-jb-rg` resource group, then click on the `jb-vm1` virtual machine resource. +1. Use the Azure portal to find the VM named `jb-vm1` in the `onprem-jb-rg` resource group. -2. 
On the top left hand corner of your VM blade in the portal, click `Connect`, and follow the prompts to use remote desktop to connect to the VM. Make sure to use the username and password you specified in lines 36 and 37 in the `onprem.json` file. +2. Click `Connect` to open a remove desktop session to the VM. Use the password that you specified in the `onprem.json` parameter file. -3. Open a PowerShell console in the VM, and use the `Test-NetConnection` cmdlet to verify that you can connect to the hub jumpbox VM as shown below. +3. Open a PowerShell console in the VM, and use the `Test-NetConnection` cmdlet to verify that you can connect to the jumpbox VM in the hub VNet. ```powershell Test-NetConnection 10.0.0.68 -CommonTCPPort RDP ``` - > [!NOTE] - > By default, Windows Server VMs do not allow ICMP responses in Azure. If you want to use `ping` to test connectivity, you need to enable ICMP traffic in the Windows Advanced Firewall for each VM. +The output should look similar to the following: -To test conectivity from the simulated on-premises environment to the hub VNet using Linux VMs, perform the following steps: +```powershell +ComputerName : 10.0.0.68 +RemoteAddress : 10.0.0.68 +RemotePort : 3389 +InterfaceAlias : Ethernet 2 +SourceAddress : 192.168.1.000 +TcpTestSucceeded : True +``` -1. From the Azure portal, navigate to the `onprem-jb-rg` resource group, then click on the `jb-vm1` virtual machine resource. +> [!NOTE] +> By default, Windows Server VMs do not allow ICMP responses in Azure. If you want to use `ping` to test connectivity, you need to enable ICMP traffic in the Windows Advanced Firewall for each VM. -2. On the top left hand corner of your VM blade in the portal, click `Connect`, and then copy the `ssh` command shown on the portal. +**Linux deployment** -3. From a Linux prompt, run `ssh` to connect to the simulated on-premises environment jumpbox witht the information you copied in step 2 above, as shown below. +1. 
Use the Azure portal to find the VM named `jb-vm1` in the `onprem-jb-rg` resource group. - ```bash - ssh @ - ``` +2. Click `Connect` and copy the `ssh` command shown in the portal. -4. Use the password you specified in line 37 in the `onprem.json` file to the connect to the VM. +3. From a Linux prompt, run `ssh` to connect to the simulated on-premises environment. Use the password that you specified in the `onprem.json` parameter file. -5. Use the `ping` command to test connectivity to the hub jumpbox, as shown below. +4. Use the `ping` command to test connectivity to the jumpbox VM in the hub VNet: ```bash ping 10.0.0.68 ``` -### Azure spoke VNets +### Deploy the spoke VNets To deploy the spoke VNets, perform the following steps. -1. Open the `spoke1.json` file and enter a username and password between the quotes in lines 47 and 48, as shown below, then save the file. +1. Open the `spoke1.json` file. Replace the values for `adminUsername` and `adminPassword`. - ```bash - "adminUsername": "XXX", - "adminPassword": "YYY", - ``` + ```bash + "adminUsername": "", + "adminPassword": "", + ``` -2. On line 49, for `osType`, type `Windows` or `Linux` to install either Windows Server 2016 Datacenter, or Ubuntu 16.04 as the operating system for the jumpbox. +2. (Optional) For a Linux deployment, set `osType` to `Linux`. -3. Run `azbb` to deploy the first spoke VNet environment as shown below. +3. Run the following command: ```bash - azbb -s -g spoke1-vnet-rg - l -p spoke1.json --deploy + azbb -s -g spoke1-vnet-rg -l -p spoke1.json --deploy ``` - > [!NOTE] - > If you decide to use a different resource group name (other than `spoke1-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name. +4. Repeat steps 1-2 for the `spoke2.json` file. -4. Repeat step 1 above for file `spoke2.json`. - -5. Run `azbb` to deploy the second spoke VNet environment as shown below. +5. 
Run the following command: ```bash - azbb -s -g spoke2-vnet-rg - l -p spoke2.json --deploy + azbb -s -g spoke2-vnet-rg -l -p spoke2.json --deploy ``` - > [!NOTE] - > If you decide to use a different resource group name (other than `spoke2-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name. - -### Azure hub VNet peering to spoke VNets -To create a peering connection from the hub VNet to the spoke VNets, perform the following steps. - -1. Open the `hub-vnet-peering.json` file and verify that the resource group name, and virtual network name for each of the virtual network peerings starting in line 29 are correct. - -2. Run `azbb` to deploy the first spoke VNet environment as shown below. +6. Run the following command: ```bash - azbb -s -g hub-vnet-rg - l -p hub-vnet-peering.json --deploy + azbb -s -g hub-vnet-rg -l -p hub-vnet-peering.json --deploy ``` - > [!NOTE] - > If you decide to use a different resource group name (other than `hub-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name. - ### Test connectivity -To test conectivity from the simulated on-premises environment to the spoke VNets using Windows VMs, perform the following steps. +Test conectivity from the simulated on-premises environment to the spoke VNets. + +**Windows deployment** -1. From the Azure portal, navigate to the `onprem-jb-rg` resource group, then click on the `jb-vm1` virtual machine resource. +1. Use the Azure portal to find the VM named `jb-vm1` in the `onprem-jb-rg` resource group. -2. On the top left hand corner of your VM blade in the portal, click `Connect`, and follow the prompts to use remote desktop to connect to the VM. Make sure to use the username and password you specified in lines 36 and 37 in the `onprem.json` file. +2. Click `Connect` to open a remove desktop session to the VM. 
Use the password that you specified in the `onprem.json` parameter file. -3. Open a PowerShell console in the VM, and use the `Test-NetConnection` cmdlet to verify that you can connect to the hub jumpbox VM as shown below. +3. Open a PowerShell console in the VM, and use the `Test-NetConnection` cmdlet to verify that you can connect to the jumpbox VM in the hub VNet. ```powershell Test-NetConnection 10.1.0.68 -CommonTCPPort RDP Test-NetConnection 10.2.0.68 -CommonTCPPort RDP ``` -To test conectivity from the simulated on-premises environment to the spoke VNets using Linux VMs, perform the following steps: - -1. From the Azure portal, navigate to the `onprem-jb-rg` resource group, then click on the `jb-vm1` virtual machine resource. +**Linux deployment** -2. On the top left hand corner of your VM blade in the portal, click `Connect`, and then copy the `ssh` command shown on the portal. +To test conectivity from the simulated on-premises environment to the spoke VNets using Linux VMs, perform the following steps: -3. From a Linux prompt, run `ssh` to connect to the simulated on-premises environment jumpbox witht the information you copied in step 2 above, as shown below. +1. Use the Azure portal to find the VM named `jb-vm1` in the `onprem-jb-rg` resource group. - ```bash - ssh @ - ``` +2. Click `Connect` and copy the `ssh` command shown in the portal. -4. Use the password you specified in line 37 in the `onprem.json` file to the connect to the VM. +3. From a Linux prompt, run `ssh` to connect to the simulated on-premises environment. Use the password that you specified in the `onprem.json` parameter file. -5. Use the `ping` command to test connectivity to the jumpbox VMs in each spoke, as shown below. +5. Use the `ping` command to test connectivity to the jumpbox VMs in each spoke: ```bash ping 10.1.0.68 
@@ -299,21 +295,20 @@ To test conectivity from the simulated on-premises environment to the spoke VNet ### Add connectivity between spokes -If you want to allow spokes to connect to each other, you need to use a newtwork virtual appliance (NVA) as a router in the hub virtual netowrk, and force traffic from spokes to the router when trying to connect to another spoke. To deploy a basic sample NVA as a single VM, and the necessary uder defined routes to allow the two spoke VNets to connect, perform the following steps: +This step is optional. If you want to allow spokes to connect to each other, you must use a newtwork virtual appliance (NVA) as a router in the hub VNet, and force traffic from spokes to the router when trying to connect to another spoke. To deploy a basic sample NVA as a single VM, along with user-defined routes (UDRs) to allow the two spoke VNets to connect, perform the following steps: -1. Open the `hub-nva.json` file and enter a username and password between the quotes in lines 13 and 14, as shown below, then save the file. +1. Open the `hub-nva.json` file. Replace the values for `adminUsername` and `adminPassword`. - ```bash - "adminUsername": "XXX", - "adminPassword": "YYY", - ``` -2. Run `azbb` to deploy the NVA VM and user defined routes. + ```bash + "adminUsername": "", + "adminPassword": "", + ``` + +2. Run the following command: ```bash - azbb -s -g hub-nva-rg - l -p hub-nva.json --deploy + azbb -s -g hub-nva-rg -l -p hub-nva.json --deploy ``` - > [!NOTE] - > If you decide to use a different resource group name (other than `hub-nva-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name.
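Review bot: in the `@@ -108,189 +108,185 @@` hunk, the rewritten on-premises deploy command still reads `azbb -s -g onprem-vnet-rg -l -p onoprem.json --deploy` although step 2 of the same list tells the reader to edit `onprem.json`; the hunk fixes the stray `- l` spacing but keeps the filename typo, so the command fails as written. Fix it to `-p onprem.json`. Related: every `azbb` command in this hunk shows `-s` and `-l` with no subscription or location value after them; if placeholders were intended, restore them so the commands can be copied and run. The new resource-group list at the top of the section spells the last entry `spoke2-vent-rg`, while the deploy command uses `-g spoke2-vnet-rg`; the text says the parameter files refer to these names, so the list must match the command. The hunk also replaces the `XXX`/`YYY` placeholders with empty `"adminPassword": ""` and `"sharedKey": ""` values in parameter files that live in a cloned GitHub repository, but adds no guidance that these files now hold plaintext admin passwords and the VPN pre-shared key; add one sentence telling the reader not to commit the edited files and to remove or rotate the values after the test deployment. Smaller fixes: "Test conectivity" (twice) should be "Test connectivity"; "open a remove desktop session" (twice) should be "remote desktop session"; in the spoke test, step 3 says "verify that you can connect to the jumpbox VM in the hub VNet" but the commands test `10.1.0.68` and `10.2.0.68`, which are the spoke jumpboxes, so say "in each spoke VNet"; the Linux steps for the spoke test are numbered 1, 2, 3, 5; and the sample `Test-NetConnection` output gives `SourceAddress : 192.168.1.000`, which is not a valid IPv4 octet, so use a plausible placeholder such as `192.168.1.4`.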
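Review bot: in the `@@ -299,21 +295,20 @@` hunk, the rewritten opening sentence of "Add connectivity between spokes" keeps the typo "newtwork virtual appliance" from the removed line; change it to "network virtual appliance". The new `azbb -s -g hub-nva-rg -l -p hub-nva.json --deploy` line has the same dangling `-s` and `-l` switches as the commands in the previous hunk, so the same placeholder fix applies here. Since this section is now marked optional and deploys a router VM that all spoke-to-spoke traffic is forced through by the UDRs, it is also worth a sentence pointing out that the `hub-nva.json` admin credentials the reader enters here are for a VM that sits on the path between spokes, and that the empty `"adminPassword": ""` value must not be committed back to the repository once filled in.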