Modernizing Your Infrastructure with Hybrid Cloud – Week 3 Has Arrived!

This week’s focus is on networking. It starts out with Kevin Remde and Keith Mayer continuing the series on “Modernizing Your Infrastructure with Hybrid Cloud” and in today’s episode they discuss various options for networking. Tune in as they go in depth on what options are available for hybrid cloud networking as they explore network connectivity and address concerns about speed, reliability and security.

  • [2:46] What components are involved in Hybrid Cloud Networking?
  • [5:30] What are some of the technical capabilities of Hybrid Cloud networking?
  • [9:25] Which VPN gateways are supported with Microsoft Azure?
  • [11:28] What are some of the common scenarios that customers are implementing for Hybrid Cloud networking?
  • [15:40] Besides Site-to-Site IPSec VPNs, are there any other connectivity options for Hybrid Cloud networking?
  • [20:10] DEMO: Can you walk us through the basic steps for setting up a Hybrid Cloud network?
Check back as the week progresses for some related blog posts:
  • Tuesday: Step by Step: Setting a Static IP address on your Azure VM by Brian Lewis
  • Wednesday: Building Microsoft Azure Virtual Networks by Matt Hester
  • Thursday: Cross-premises connectivity with Site-to-Site VPN by Kevin Remde
  • Friday: Cross-premises connectivity with ExpressRoute by Keith Mayer

Making Sense of DNS Queries: Recursive or Iterative?

I’ve been dealing with DNS for a pretty long time.  It’s always been a key component of keeping Active Directory and all the clients on your network happy and connected.  But for the life of me I can never seem to remember which is which when it comes to recursive or iterative DNS queries.  It’s like a trivia question that has just gone wrong in my brain.

Today at work, I was asked one of those “Hey, do you know who would do X?” questions by a colleague and as I was hunting down the answer, I realized it was just like DNS queries!  
Simply put, if you ask your manager a question and he/she comes back with the complete answer, you have just performed a RECURSIVE query.  You asked and someone else took on the responsibility of locating the correct answer.  
If you ask your manager a question and he/she comes back with a referral directing you to ask a different person, that is an ITERATIVE query.  You are responsible for walking the tree of your organization, theoretically getting closer and closer to the answer with each query you make.  Iterative starts with I and “I” do the work to find the answer. 
Sometimes it just takes a real life example to make concepts stick. However, if you want technical details, go here:
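The manager analogy above, worked through as an added example that is not part of the original post: a toy hierarchy of name servers (root, .com, example.com) with constructed zone data, an iterative client that follows referrals itself, and a recursive resolver that does the walking on the client's behalf. Names, addresses and server labels are all made up for the illustration; the model ignores real DNS details such as the RD flag, TTLs and glue records.

```python
"""Toy model of recursive vs. iterative DNS resolution (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """A server that is authoritative for some names and delegates child zones."""
    name: str
    answers: dict = field(default_factory=dict)      # fqdn -> IPv4 string
    delegations: dict = field(default_factory=dict)  # zone suffix -> child NameServer

    def query(self, fqdn):
        """Answer the way an authoritative server does: answer, referral or NXDOMAIN."""
        if fqdn in self.answers:
            return ("ANSWER", self.answers[fqdn])
        # Longest matching delegation wins ("example.com." beats "com.").
        for suffix in sorted(self.delegations, key=len, reverse=True):
            if fqdn == suffix or fqdn.endswith("." + suffix):
                return ("REFERRAL", self.delegations[suffix])
        return ("NXDOMAIN", None)


def build_hierarchy():
    """Constructed zone data: root -> com -> example.com -> www.example.com."""
    example = NameServer("ns.example.com.", answers={"www.example.com.": "203.0.113.10"})
    com = NameServer("a.gtld-servers.net.", delegations={"example.com.": example})
    root = NameServer("a.root-servers.net.", delegations={"com.": com})
    return root


def resolve_iteratively(root, fqdn, max_hops=10):
    """ITERATIVE: the asker walks the tree; every referral costs the asker another query.

    Returns (answer_or_None, trail) where trail lists (server, response kind) per hop.
    """
    server, trail = root, []
    for _ in range(max_hops):
        kind, payload = server.query(fqdn)
        trail.append((server.name, kind))
        if kind == "ANSWER":
            return payload, trail
        if kind == "REFERRAL":
            server = payload          # "go ask this other person"
            continue
        return None, trail            # NXDOMAIN: nobody in the tree knows
    raise RuntimeError("delegation chain too deep or looping")


class RecursiveResolver:
    """RECURSIVE: the resolver takes on the work; the asker sends one query, gets the answer."""

    def __init__(self, root):
        self.root = root
        self.cache = {}
        self.upstream_queries = 0     # how much walking the resolver did for its clients

    def query(self, fqdn):
        if fqdn in self.cache:        # a second client asking the same thing costs no upstream work
            return self.cache[fqdn]
        answer, trail = resolve_iteratively(self.root, fqdn)
        self.upstream_queries += len(trail)
        self.cache[fqdn] = answer
        return answer


if __name__ == "__main__":
    root = build_hierarchy()
    ip, trail = resolve_iteratively(root, "www.example.com.")
    print("iterative client sent", len(trail), "queries ->", ip)
    resolver = RecursiveResolver(root)
    print("recursive client sent 1 query ->", resolver.query("www.example.com."),
          "(resolver did", resolver.upstream_queries, "upstream queries)")
```

The trail returned by `resolve_iteratively` is the "walking the tree" the post describes: three queries from the client for a three-level name. With the recursive resolver the client's cost is one query regardless of depth, and the resolver's cache means the next client asking the same name costs nothing upstream.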

Reserve Public IPs in Azure? Maybe Not…

Recently Microsoft announced the general availability of VIP reservations in Azure: “VIP reservation now generally available; Virtual Machines instance-level public IPs are in preview.”

“You can now reserve public IP addresses and use them as virtual IP (VIP) addresses for your applications. Reserve up to five addresses per subscription at no additional cost and assign them to the Azure Cloud Services of your choice. In addition, you can now assign public IP addresses to your virtual machines, so they become directly addressable without having to map an endpoint to access them directly.” 

When Azure IaaS was first introduced, you could not ensure that the public-facing IP address of your VM or cloud service would remain the same, particularly if you shut down all the machines within a cloud service. What Azure would retain for you was the DNS name you created within the domain. The recommended practice was to use DNS to locate your services, instead of relying on a specific IP address.

I know, we all love the comfort of knowing our IP address. Over the past decade or so, I lovingly handed out the easiest internal and external addresses we had to servers I accessed frequently. Stable IP addressing was a must – changes often meant re-configuring firewalls, routers and even some applications, which could lead to downtime and complaints. Even Azure’s long-term lease for IP addresses while your cloud service was active wasn’t comforting enough for many who had been burned in the past by a hard-coded application or some other IP address nightmare.

But it’s not 1998 anymore. The Internet isn’t a quaint little place you go to read text and your “mobile” phone isn’t hard wired into your car. IPv4 addresses are exhausted at the top levels; it’s just a matter of time before your internet service provider won’t have anything to give you when you ask. For a while I firmly believed that IANA would open up that special “Class E” space to buy extra time, but nope, it didn’t happen.

So yes, if you have a legitimate business need for reserved public IPs you can go reserve some public IP addresses in Azure to meet your needs. The first five are free if you are actively using them.  But think hard about what your business needs are. Do you have an application that needs a static public IP address? Maybe it’s time to address that requirement within the application itself.  Do you update applications by swapping IP addresses?  Maybe you should look more closely at the options within Azure to swap staging and production deployments.

But if you aren’t thinking about IPv6 and just want to try to buy some time in the IPv4 world, you might want to pause before hunting down the necessary PowerShell to get that done. This is why name services exist in the first place – so you don’t have to learn and remember IP addresses and don’t need to latch onto them for all time. Once IPv6 is fully deployed across all the major players (cloud providers, ISPs, etc.) you won’t even bother trying to remember a 128-bit address. Unless you are trying to impress people at bars.

No, I’m pretty sure there are better ways to impress people at bars.

So don’t bother with hoarding up IPv4 addresses, just embrace FQDNs, DNS, and start preparing for IPv6 so that when it comes to you, you’ll be ready. In the great words of my preschooler as she dances around singing Disney songs, “Let It Go”. FQDNs are the future and the exhaustion of the IPv4 address space will make that so.

Azure DNS: What Comes First?

Oh, it’s that age old question – what comes first? The chicken or the egg?  With Windows Azure, the question often is about DNS. What comes first?  The IP address of the DNS server or the machine itself?

Honestly, it depends on what you plan on doing with your virtual machines and how you utilize the virtual networks.

Option 1: Spin up a VM as a “Quick Create”
When you do this, you are creating a VM without a custom virtual network that you control. The Azure fabric will assign an external IP address (VIP) and an internal IP address (DIP) isolated from all other machines. An appropriate DNS server from the fabric will be injected and your DNS name will be registered so your VM can be reachable from the Internet. All is done.

You could create other VMs the same way and the only way they would be reachable from one to the other is over the Internet via ports you opened. They would not share any “internal” networking.

Option 2: Create a Virtual Network and then create VMs attached to your VNET.
When you do this, you are controlling the internal address assignments and purposely joining VMs to that network so they can communicate with each other.  For that they need an “internal” DNS server.
Because the DNS settings are injected into the VM upon boot, you must have the IP address of that DNS server in mind before you begin and assign it within your Virtual Network settings, before creating the VMs themselves.

This DNS server could be from your on-premises network (if you are creating a site-to-site VPN) or one that does not yet exist in your Azure VNET, like a server acting as an Active Directory DC, perhaps.
When you create a virtual network, take note of the first IP address that would be assigned to a machine, or you can now choose to statically assign IP addresses using PowerShell. Add that address as the DNS server in your virtual network.  Then when you create VMs they will know to use the internal DNS you specify as the primary DNS.

An external address (VIP) would still be automatically assigned and the name of the cloud service would be either your server name or something else that fits into the design of what you are trying to accomplish. That DNS name would still be registered with Azure DNS, but your internal IP address would be registered with the DNS server you specified.

Happy networking!

For more “Pieces of Azure” find them here:

Do You Need More Books? Of Course You Do!!

I’m sure you need a resolution for 2014 to read more books about technology!  If that happens to be one on your list, here are a few that might interest you.

  • FREE eBook – Introducing Microsoft System Center 2012 R2 Technical Overview by Mitch Tulloch with Symon Perriman and the System Center Team. Read more about it at the Microsoft Press blog. This is also available in print format from Amazon, but you’ll need to pay for that.
  • Practical IPv6 for Windows Administrators by Edward Horley.  Due out by the end of December, you can currently pre-order this title.  The Kindle version should be available in January.
  • In early Spring, look for the release of Networking for VMware Administrators, by Chris Wahl and Steven Panto. While geared toward folks who work with VMware vSphere, I think it’s valuable to be able to understand virtual networking concepts and how they are used by various vendors, even if you aren’t a VMware shop. Estimated at about 350 pages, this isn’t going to be very light reading!

Do you have any reading recommendations? What’s on your list for 2014?

Getting Comfortable with Azure Virtual Networks and DHCP

One of the great features of Azure IaaS is being able to extend your existing internal network to the cloud over a site-to-site VPN. You can bring your own IP addresses, but remember, the devil is always in the details. Or rather, knowledge is power!

Azure IaaS supports the standard RFC 1918 private IP network ranges – 10.x, 172.16–31.x and 192.168.x – so you can easily give your Azure network a range that is comparable to the network range you are using in your data center.

However, Azure expects all guests to receive their IP address via DHCP. This took me a bit to grow comfortable with, as I spent years in smaller datacenters where each server was lovingly assigned an IP address that had been selected from a master spreadsheet. (Old school, I know!)  My favorite servers were given “choice” addresses with easy to remember numbers.

But networking is changing and we must change with it, so I’m becoming more comfortable with having less control over the particular address assigned to a given machine. This is key thinking when it comes to network virtualization.  By abstracting away some of the nuts and bolts of the network, the ability to be more flexible is introduced – which is good.  Someone I was talking to at a conference recently compared it to the adoption of IPv6.  IPv6 addresses are so long you would never statically assign them to a machine; that is all automated.

But, can I give my Azure VM a static address? Well, let’s just say nothing is stopping you. You can go into your VM IP settings and do whatever you want.  But the risk of introducing a future IP address conflict is high and you will eventually lose the ability to connect to your VM.  Azure expects to get periodic DHCP renewal requests, and when those stop the Azure fabric will remove that IP as active and stop forwarding traffic to it. There is no way to connect to the “console” of your Azure VM, so losing remote access to a machine due to an addressing issue will make for a very unhappy day.

Let’s say my internal network for my servers is 192.168.10.x/24.  I have two basic options for my Azure network:

  1. Configure 192.168.10.x/24 in Azure, with a subnet for . I would need to make sure that everything in my physical datacenter was assigned IPs in the beginning half of the range, leaving – under Azure control. Azure also grabs a few other addresses out of the range for internal use, so I’d likely want to make sure I wasn’t using those in my physical network either. I think this option is messy and prone to errors. Also, I’m sure someone who does networking configuration all day will tell me it makes them cringe for more than one reason.
  2. Create a different address range for Azure and make sure my internal switching gear is set up to route to it, like 192.168.20.x/24.  This would allow me to use a numbering scheme that makes sense within my organization, but also makes it easy to quickly identify resources that are internal vs. Azure based.

Keep in mind that any server in Azure will be assigned a persistent private IP address from your range with an infinite lease time, so if you are worried about domain controllers or other servers where the current “best practice” is to have a statically assigned address, you can relax.  The only time a machine would lose its IP lease is when it’s in the “Stopped – Deallocated” state.

Finally, keeping with my “plan twice, create once” mantra, once you add a machine to an Azure network, you can only make limited changes – like adding new subnets or adjusting subnets that are not yet used.

For more information visit the Windows Azure Virtual Networks Overview.

End of the Month Round Up

I’m looking forward to attending TechEd in Orlando in two weeks.  If you haven’t already signed up to attend, it might actually be too late!  TechEd is sold out this year and they are accepting names for the waiting list only at this time. I imagine it will be a crazy time, filled with lots of learning and networking with peers. 

I won’t be speaking this year, but that just gives me more time to attend some of the great sessions – I’ll be concentrating on Active Directory in Server 2012, Exchange 2010, PowerShell and some System Center.

If you are hoping for something more local to your home town, check out the Windows Server 2012 Community Roadshow. US locations will include Houston, Chicago, Irvine, New York and San Jose, just to name a few. Microsoft MVPs will be presenting the content, so don’t miss out on a free chance to prepare for the release of Server 2012.

Another notable event that’s upcoming is the World IPv6 Launch. Check out which major ISPs and web companies are turning on IPv6 for the duration. 

Finally, if you are looking to make some improvements to your personal, cloud-based storage and file management for your personal computers, take a look at SugarSync.  I’ve been using it for several years and it’s been an easy way for me to access files from multiple computers and keep everything synced and backed up.  I’ve even got a link for a referral if you’d like to try it out.