Update hub-spoke deployment section #488

Merged
merged 3 commits into from
Apr 10, 2018
211 changes: 103 additions & 108 deletions docs/reference-architectures/hybrid-networking/hub-spoke.md
Expand Up @@ -3,7 +3,7 @@ title: Implementing a hub-spoke network topology in Azure
description: >-
How to implement a hub-spoke network topology in Azure.
author: telmosampaio
ms.date: 02/23/2018
ms.date: 04/09/2018

pnp.series.title: Implement a hub-spoke network topology in Azure
pnp.series.prev: expressroute
Expand Down Expand Up @@ -108,189 +108,185 @@ Also consider what services are shared in the hub, to ensure the hub scales for

A deployment for this architecture is available on [GitHub][ref-arch-repo]. It uses Ubuntu VMs in each VNet to test connectivity. There are no actual services hosted in the **shared-services** subnet in the **hub VNet**.

### Prerequisites
The deployment creates the following resource groups in your subscription:

- hub-nva-rg
- hub-vnet-rg
- onprem-jb-rg
- onprem-vnet-rg
- spoke1-vnet-rg
- spoke2-vent-rg

Before you can deploy the reference architecture to your own subscription, you must perform the following steps.
The template parameter files refer to these names, so if you change them, update the parameter files to match.

### Prerequisites

1. Clone, fork, or download the zip file for the [reference architectures][ref-arch-repo] GitHub repository.

2. Make sure you have the Azure CLI 2.0 installed on your computer. For CLI installation instructions, see [Install Azure CLI 2.0][azure-cli-2].
2. Install [Azure CLI 2.0][azure-cli-2].

3. Install the [Azure buulding blocks][azbb] npm package.
3. Install the [Azure building blocks][azbb] npm package.

4. From a command prompt, bash prompt, or PowerShell prompt, login to your Azure account by using the command below, and follow the prompts.
4. From a command prompt, bash prompt, or PowerShell prompt, log into your Azure account by using the command below.

```bash
az login
```

### Deploy the simulated on-premises datacenter using azbb
### Deploy the simulated on-premises datacenter

To deploy the simulated on-premises datacenter as an Azure VNet, follow these steps:

1. Navigate to the `hybrid-networking\hub-spoke\` folder for the repository you downloaded in the pre-requisites step above.
1. Navigate to the `hybrid-networking/hub-spoke` folder of the reference architectures repository.

2. Open the `onprem.json` file and enter a username and password between the quotes in line 36 and 37, as shown below, then save the file.
2. Open the `onprem.json` file. Replace the values for `adminUsername` and `adminPassword`.

```bash
"adminUsername": "XXX",
"adminPassword": "YYY",
```
```bash
"adminUsername": "<user name>",
"adminPassword": "<password>",
```

3. On line 38, for `osType`, type `Windows` or `Linux` to install either Windows Server 2016 Datacenter, or Ubuntu 16.04 as the operating system for the jumpbox.
3. (Optional) For a Linux deployment, set `osType` to `Linux`.

4. Run `azbb` to deploy the simulated onprem environment as shown below.
4. Run the following command:

```bash
azbb -s <subscription_id> -g onprem-vnet-rg - l <location> -p onoprem.json --deploy
```
> [!NOTE]
> If you decide to use a different resource group name (other than `onprem-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name.
```bash
azbb -s <subscription_id> -g onprem-vnet-rg -l <location> -p onoprem.json --deploy
```

5. Wait for the deployment to finish. This deployment creates a virtual network, a virtual machine, and a VPN gateway. The VPN gateway creation can take more than 40 minutes to complete.
5. Wait for the deployment to finish. This deployment creates a virtual network, a virtual machine, and a VPN gateway. It can take about 40 minutes to create the VPN gateway.

### Azure hub VNet
### Deploy the hub VNet

To deploy the hub VNet, and connect to the simulated on-premises VNet created above, perform the following steps.
To deploy the hub VNet, perform the following steps.

1. Open the `hub-vnet.json` file and enter a username and password between the quotes in line 39 and 40, as shown below.
1. Open the `hub-vnet.json` file. Replace the values for `adminUsername` and `adminPassword`.

```bash
"adminUsername": "XXX",
"adminPassword": "YYY",
```
```bash
"adminUsername": "<user name>",
"adminPassword": "<password>",
```

2. On line 41, for `osType`, type `Windows` or `Linux` to install either Windows Server 2016 Datacenter, or Ubuntu 16.04 as the operating system for the jumpbox.
2. (Optional) For a Linux deployment, set `osType` to `Linux`.

3. Enter a shared key between the quotes in line 72, as shown below, then save the file.
3. For `sharedKey`, enter a shared key for the VPN connection.

```bash
"sharedKey": "",
```
```bash
"sharedKey": "",
```

4. Run `azbb` to deploy the simulated onprem environment as shown below.
4. Run the following command:

```bash
azbb -s <subscription_id> -g hub-vnet-rg - l <location> -p hub-vnet.json --deploy
```
> [!NOTE]
> If you decide to use a different resource group name (other than `hub-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name.
```bash
azbb -s <subscription_id> -g hub-vnet-rg -l <location> -p hub-vnet.json --deploy
```

5. Wait for the deployment to finish. This deployment creates a virtual network, a virtual machine, a VPN gateway, and a connection to the gateway. It can take about 40 minutes to create the VPN gateway.

5. Wait for the deployment to finish. This deployment creates a virtual network, a virtual machine, a VPN gateway, and a connection to the gateway created in the previous section. The VPN gateway creation can take more than 40 minutes to complete.
### Test connectivity with the hub

### (Optional) Test connectivity from onprem to hub
Test conectivity from the simulated on-premises environment to the hub VNet.

To test conectivity from the simulated on-premises environment to the hub VNet using Windows VMs, perform the following steps.
**Windows deployment**

1. From the Azure portal, navigate to the `onprem-jb-rg` resource group, then click on the `jb-vm1` virtual machine resource.
1. Use the Azure portal to find the VM named `jb-vm1` in the `onprem-jb-rg` resource group.

2. On the top left hand corner of your VM blade in the portal, click `Connect`, and follow the prompts to use remote desktop to connect to the VM. Make sure to use the username and password you specified in lines 36 and 37 in the `onprem.json` file.
2. Click `Connect` to open a remove desktop session to the VM. Use the password that you specified in the `onprem.json` parameter file.

3. Open a PowerShell console in the VM, and use the `Test-NetConnection` cmdlet to verify that you can connect to the hub jumpbox VM as shown below.
3. Open a PowerShell console in the VM, and use the `Test-NetConnection` cmdlet to verify that you can connect to the jumpbox VM in the hub VNet.

```powershell
Test-NetConnection 10.0.0.68 -CommonTCPPort RDP
```
> [!NOTE]
> By default, Windows Server VMs do not allow ICMP responses in Azure. If you want to use `ping` to test connectivity, you need to enable ICMP traffic in the Windows Advanced Firewall for each VM.
The output should look similar to the following:

To test conectivity from the simulated on-premises environment to the hub VNet using Linux VMs, perform the following steps:
```powershell
ComputerName : 10.0.0.68
RemoteAddress : 10.0.0.68
RemotePort : 3389
InterfaceAlias : Ethernet 2
SourceAddress : 192.168.1.000
TcpTestSucceeded : True
```

1. From the Azure portal, navigate to the `onprem-jb-rg` resource group, then click on the `jb-vm1` virtual machine resource.
> [!NOTE]
> By default, Windows Server VMs do not allow ICMP responses in Azure. If you want to use `ping` to test connectivity, you need to enable ICMP traffic in the Windows Advanced Firewall for each VM.

2. On the top left hand corner of your VM blade in the portal, click `Connect`, and then copy the `ssh` command shown on the portal.
**Linux deployment**

3. From a Linux prompt, run `ssh` to connect to the simulated on-premises environment jumpbox witht the information you copied in step 2 above, as shown below.
1. Use the Azure portal to find the VM named `jb-vm1` in the `onprem-jb-rg` resource group.

```bash
ssh <your_user>@<public_ip_address>
```
2. Click `Connect` and copy the `ssh` command shown in the portal.

4. Use the password you specified in line 37 in the `onprem.json` file to the connect to the VM.
3. From a Linux prompt, run `ssh` to connect to the simulated on-premises environment. Use the password that you specified in the `onprem.json` parameter file.

5. Use the `ping` command to test connectivity to the hub jumpbox, as shown below.
4. Use the `ping` command to test connectivity to the jumpbox VM in the hub VNet:

```bash
ping 10.0.0.68
```

### Azure spoke VNets
### Deploy the spoke VNets

To deploy the spoke VNets, perform the following steps.

1. Open the `spoke1.json` file and enter a username and password between the quotes in lines 47 and 48, as shown below, then save the file.
1. Open the `spoke1.json` file. Replace the values for `adminUsername` and `adminPassword`.

```bash
"adminUsername": "XXX",
"adminPassword": "YYY",
```
```bash
"adminUsername": "<user name>",
"adminPassword": "<password>",
```

2. On line 49, for `osType`, type `Windows` or `Linux` to install either Windows Server 2016 Datacenter, or Ubuntu 16.04 as the operating system for the jumpbox.
2. (Optional) For a Linux deployment, set `osType` to `Linux`.

3. Run `azbb` to deploy the first spoke VNet environment as shown below.
3. Run the following command:

```bash
azbb -s <subscription_id> -g spoke1-vnet-rg - l <location> -p spoke1.json --deploy
azbb -s <subscription_id> -g spoke1-vnet-rg -l <location> -p spoke1.json --deploy
```

> [!NOTE]
> If you decide to use a different resource group name (other than `spoke1-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name.
4. Repeat steps 1-2 for the `spoke2.json` file.

4. Repeat step 1 above for file `spoke2.json`.

5. Run `azbb` to deploy the second spoke VNet environment as shown below.
5. Run the following command:

```bash
azbb -s <subscription_id> -g spoke2-vnet-rg - l <location> -p spoke2.json --deploy
azbb -s <subscription_id> -g spoke2-vnet-rg -l <location> -p spoke2.json --deploy
```
> [!NOTE]
> If you decide to use a different resource group name (other than `spoke2-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name.

### Azure hub VNet peering to spoke VNets

To create a peering connection from the hub VNet to the spoke VNets, perform the following steps.

1. Open the `hub-vnet-peering.json` file and verify that the resource group name, and virtual network name for each of the virtual network peerings starting in line 29 are correct.

2. Run `azbb` to deploy the first spoke VNet environment as shown below.
6. Run the following command:

```bash
azbb -s <subscription_id> -g hub-vnet-rg - l <location> -p hub-vnet-peering.json --deploy
azbb -s <subscription_id> -g hub-vnet-rg -l <location> -p hub-vnet-peering.json --deploy
```

> [!NOTE]
> If you decide to use a different resource group name (other than `hub-vnet-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name.

### Test connectivity

To test conectivity from the simulated on-premises environment to the spoke VNets using Windows VMs, perform the following steps.
Test conectivity from the simulated on-premises environment to the spoke VNets.

**Windows deployment**

1. From the Azure portal, navigate to the `onprem-jb-rg` resource group, then click on the `jb-vm1` virtual machine resource.
1. Use the Azure portal to find the VM named `jb-vm1` in the `onprem-jb-rg` resource group.

2. On the top left hand corner of your VM blade in the portal, click `Connect`, and follow the prompts to use remote desktop to connect to the VM. Make sure to use the username and password you specified in lines 36 and 37 in the `onprem.json` file.
2. Click `Connect` to open a remove desktop session to the VM. Use the password that you specified in the `onprem.json` parameter file.

3. Open a PowerShell console in the VM, and use the `Test-NetConnection` cmdlet to verify that you can connect to the hub jumpbox VM as shown below.
3. Open a PowerShell console in the VM, and use the `Test-NetConnection` cmdlet to verify that you can connect to the jumpbox VM in the hub VNet.

```powershell
Test-NetConnection 10.1.0.68 -CommonTCPPort RDP
Test-NetConnection 10.2.0.68 -CommonTCPPort RDP
```

To test conectivity from the simulated on-premises environment to the spoke VNets using Linux VMs, perform the following steps:

1. From the Azure portal, navigate to the `onprem-jb-rg` resource group, then click on the `jb-vm1` virtual machine resource.
**Linux deployment**

2. On the top left hand corner of your VM blade in the portal, click `Connect`, and then copy the `ssh` command shown on the portal.
To test conectivity from the simulated on-premises environment to the spoke VNets using Linux VMs, perform the following steps:

3. From a Linux prompt, run `ssh` to connect to the simulated on-premises environment jumpbox witht the information you copied in step 2 above, as shown below.
1. Use the Azure portal to find the VM named `jb-vm1` in the `onprem-jb-rg` resource group.

```bash
ssh <your_user>@<public_ip_address>
```
2. Click `Connect` and copy the `ssh` command shown in the portal.

4. Use the password you specified in line 37 in the `onprem.json` file to the connect to the VM.
3. From a Linux prompt, run `ssh` to connect to the simulated on-premises environment. Use the password that you specified in the `onprem.json` parameter file.

5. Use the `ping` command to test connectivity to the jumpbox VMs in each spoke, as shown below.
5. Use the `ping` command to test connectivity to the jumpbox VMs in each spoke:

```bash
ping 10.1.0.68
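Review bot: the new resource group list at the top of this section spells the last entry `spoke2-vent-rg`, but the deploy command later in the same hunk uses `-g spoke2-vnet-rg`; since the added sentence says the parameter files refer to these names and must match, the list entry should read `spoke2-vnet-rg`. A few more things in this hunk to fix before merge: the on-premises deploy command still passes `-p onoprem.json` although the file the reader just edited is `onprem.json`, so the command fails as written; "remove desktop session" should be "remote desktop session" in both Windows test sections; "conectivity" is misspelled in the section intros; the spoke test step says "verify that you can connect to the jumpbox VM in the hub VNet" while the two `Test-NetConnection` lines target 10.1.0.68 and 10.2.0.68, which are the spoke jumpboxes, so it should say "in each spoke VNet"; the Linux spoke test list jumps from step 3 to step 5; and the sample `Test-NetConnection` output shows `SourceAddress : 192.168.1.000`, which is not a valid address, so use a plausible placeholder such as `192.168.1.4` or `<source address>`. Finally, the `sharedKey` step tells the reader to enter a key but the snippet still shows `"sharedKey": ""`; showing `"<shared key>"` like the other placeholders would be consistent, and one sentence noting that this is the pre-shared key for the VPN connection (so it should be long and random, and the same value is needed on both ends) would help, as would a reminder that these parameter files now hold `adminPassword` in clear text and should not be committed back to the repository.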
Expand All @@ -299,21 +295,20 @@ To test conectivity from the simulated on-premises environment to the spoke VNet

### Add connectivity between spokes

If you want to allow spokes to connect to each other, you need to use a newtwork virtual appliance (NVA) as a router in the hub virtual netowrk, and force traffic from spokes to the router when trying to connect to another spoke. To deploy a basic sample NVA as a single VM, and the necessary uder defined routes to allow the two spoke VNets to connect, perform the following steps:
This step is optional. If you want to allow spokes to connect to each other, you must use a newtwork virtual appliance (NVA) as a router in the hub VNet, and force traffic from spokes to the router when trying to connect to another spoke. To deploy a basic sample NVA as a single VM, along with user-defined routes (UDRs) to allow the two spoke VNets to connect, perform the following steps:

1. Open the `hub-nva.json` file and enter a username and password between the quotes in lines 13 and 14, as shown below, then save the file.
1. Open the `hub-nva.json` file. Replace the values for `adminUsername` and `adminPassword`.

```bash
"adminUsername": "XXX",
"adminPassword": "YYY",
```
2. Run `azbb` to deploy the NVA VM and user defined routes.
```bash
"adminUsername": "<user name>",
"adminPassword": "<password>",
```

2. Run the following command:

```bash
azbb -s <subscription_id> -g hub-nva-rg - l <location> -p hub-nva.json --deploy
azbb -s <subscription_id> -g hub-nva-rg -l <location> -p hub-nva.json --deploy
```
> [!NOTE]
> If you decide to use a different resource group name (other than `hub-nva-rg`), make sure to search for all parameter files that use that name and edit them to use your own resource group name.

<!-- links -->
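Review bot: "newtwork virtual appliance" in the rewritten lead-in sentence should be "network virtual appliance"; the typo is carried over from the old line, so this rewrite is the place to fix it. Also, since the per-step NOTE about renaming `hub-nva-rg` was dropped here, the general note at the top of the section is now the only mention that parameter files must match the resource group names; that is fine, but the sentence "This step is optional." reads better folded into the next one ("Optionally, to allow spokes to connect to each other, ...").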
