Microsoft Hub NVA configuration example.

So in my previous post I gave a short description of implementing the Microsoft hub-spoke model in IaaS, and I promised to publish some sample code you could use in CI/CD.

Of course the main goal should be to move to containers and similar technologies, but seeing how slowly large enterprises are willing to adopt them, I'm guessing IaaS will remain the standard for some time yet.

So I'm going to give you a sketch of a private data center connected via ExpressRoute (or an S2S VPN instead of the ExpressRoute) to your Azure subscription.

And slowly start to explain a few basic configurations.

The first overview:

[Figure: overview drawing of the hub-spoke topology with the ExpressRoute connection to the private data center]

So in this simple drawing you can see I've implemented an ExpressRoute. I've not drawn a full-blown resource drawing, so you're bound to miss certain things like a circuit for instance, but let's keep it simple.

The green line is an ExpressRoute configuration over which I've implemented a VPN S2S tunnel. (There's almost no overhead in the tunnel and no real impact on latency, but it's key in a simple HA scenario!)

I'm doing this because I want only one path to my private DC, and that's via the NVAs in Azure and on premises: the only BGP route information in the ExpressRoute configuration is the IPs of the devices in between the firewalls and of course the firewall endpoint IPs themselves. (I didn't do this the first time around, but it greatly simplifies things!)

This also means that if an attacker were to obtain access somewhere on premises or in the cloud, there wouldn't be a direct path bypassing the NVA. This makes the NVA a mandatory hop, which lets you inspect traffic and reduces your attack surface.

Second, I put a VPN tunnel over it so I can use layer 3 routing capabilities via my NVA, and also because in my case I used a Barracuda CloudGen Firewall and added a bulk tunnel using their proprietary tunnel technology called TINA, which allows me to create a highly available secondary path and route the same traffic via other infrastructure, for example the internet, as backup. (It's rare, but it has happened that the ExpressRoute had an outage...)

[Figure: second drawing showing the TINA tunnel path from the firewalls via the public load balancer to the private data center NVAs]

In this drawing you can see the black line heading from the firewalls via the public load balancer to the private data center NVAs, on which the TINA tunnel is terminated. I've prioritized latency-sensitive traffic to travel via the ExpressRoute; other traffic travels via the internet (traffic intelligence).

In the worst case all traffic will move over the internet, or even vice versa.

Using the Azure Standard Load Balancer makes it possible to use highly available sessions and even move the application session from NVA1 to NVA2 behind the load balancer without any impact on the service.

This means that if NVA1 is initiating the tunnel and it breaks, NVA2 takes over the tunnel without losing the sessions inside it. (If the application behaves correctly it will retry its action and your user won't notice a thing!)

In this drawing I put some domain controllers in the hub in Azure, which would talk via the NVA to the DCs in the private data center. But the DCs in Azure need to know how to get to the private data center, as there's no BGP route known for it in the VNet.

So I put in a route table containing a UDR (user defined route), which is attached to the subnet the DCs live in.

The UDR contains a route whose next hop is a virtual appliance; the hop will be the internal IP of the internal load balancer in between the NVAs and the source computer. This way, again, if the firewall fails over, the client session stays intact and is retried on the other firewall the moment the VPN has migrated.
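The route table and internal load balancer described above, written out as Bicep so it can sit in a CI/CD pipeline. This is an added example and not the author's own template: the resource names, address prefixes, the load balancer frontend IP and the probe port are constructed placeholders, and the hub VNet and the NVA subnet are assumed to exist already.

```bicep
// Added example, not the author's code. Forces the domain controller subnet's
// traffic for the private data center through the internal Standard Load
// Balancer in front of the NVA pair, so a firewall failover does not change
// the next hop the DCs use. All names, prefixes and IPs are placeholders.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'             // assumed existing hub VNet
param nvaSubnetName string = 'snet-nva-internal'  // assumed existing subnet with the NVA internal NICs
param dcSubnetName string = 'snet-domaincontrollers'
param dcSubnetPrefix string = '10.10.10.0/24'     // subnet the Azure DCs live in
param onPremPrefix string = '192.168.0.0/16'      // private data center address space (assumed)
param nvaIlbFrontendIp string = '10.10.1.100'     // static internal LB IP, used as the UDR next hop
param nvaProbePort int = 65000                    // a TCP port the NVA answers on (assumed)

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: hubVnetName
}

// Internal Standard Load Balancer in front of NVA1 and NVA2.
// The HA ports rule (protocol All, port 0/0) sends every TCP/UDP flow to a healthy NVA.
resource nvaIlb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: 'lbi-nva'
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fe-nva'
        properties: {
          privateIPAllocationMethod: 'Static'
          privateIPAddress: nvaIlbFrontendIp
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, nvaSubnetName) }
        }
      }
    ]
    backendAddressPools: [ { name: 'be-nva' } ]
    probes: [
      {
        name: 'probe-nva'
        properties: { protocol: 'Tcp', port: nvaProbePort, intervalInSeconds: 5, numberOfProbes: 2 }
      }
    ]
    loadBalancingRules: [
      {
        name: 'ha-ports'
        properties: {
          protocol: 'All'
          frontendPort: 0
          backendPort: 0
          enableFloatingIP: false
          idleTimeoutInMinutes: 4
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'lbi-nva', 'fe-nva') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'lbi-nva', 'be-nva') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', 'lbi-nva', 'probe-nva') }
        }
      }
    ]
  }
}

// Route table with the UDR: private data center prefix, next hop the NVA load balancer IP.
resource dcRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-dc-to-onprem'
  location: location
  properties: {
    // Added hardening choice: keep gateway-learned BGP routes out of this subnet
    // so the NVA remains the only path toward the private data center.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'private-dc-via-nva'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaIlbFrontendIp
        }
      }
    ]
  }
}

// Attach the route table to the subnet the domain controllers live in.
resource dcSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: dcSubnetName
  properties: {
    addressPrefix: dcSubnetPrefix
    routeTable: { id: dcRouteTable.id }
  }
}
```

Two things to check before deploying: the NVA NICs must have IP forwarding enabled or the forwarded packets are dropped, and redeclaring the subnet resource replaces its other settings (an NSG association, for example), so carry those over in the same declaration. After deployment, the effective routes of a DC NIC should list the on-premises prefix with next hop type VirtualAppliance and the load balancer IP as the hop.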

Stay tuned as I add more information.
