Extend a Personal Network to Azure: Overview

July 18, 2023 - 5 min read (892 words)

In a world of cloud computing and remote work, hybrid workflows and bridges between on-premise networks and cloud-based virtual networks are becoming more common.

This series of posts examines the creation of a hybrid workflow between an on-premise network and cloud hosted virtual network connected by virtual private networking technology. An emphasis will be placed on managing cloud costs while maintaining performance and security. While the example is based on bridging a home network with cloud resources, an adaptation of the example can easily be applied to small business networks and applications.

Using Microsoft Azure as a cloud provider, this series will discuss the creation of an infrastructure-as-a-service hybrid workflow that connects an on-premise network to a cloud network. Within the cloud network, a series of virtual machines will be created to provide backup and network services to workstations on the local network.

Prerequisites

This series makes a few assumptions about the reader who is following along:

  • You have already signed up for Azure and have an active subscription
  • You have either a macOS or Linux workstation from which you are working
  • You have installed the Azure CLI to your workstation
  • You have a basic working knowledge of the bash shell

The steps for installing the Azure CLI and preparing the subscription are covered in the sections below.

Existing On-premise Network Structure

For reference, the on-premise network uses the 10.0.0.0/16 address space, divided into the subnets described below.

Subnet         Name        Description
10.0.0.0/24    Wifi        Wifi network clients
10.0.10.0/24   Wired LAN   Wired LAN clients
10.0.11.0/24   OpenVPN     OpenVPN network clients
10.0.12.0/24   WireGuard   WireGuard network clients

Target Cloud Network Structure

To avoid overlapping address space, and the NAT or routing workarounds that overlap would force on the VPN link, the cloud network is created on a separate /16, 10.10.0.0/16. Its subnet design follows the table below.

Subnet         Name      Description
10.10.0.0/24   Default   Default subnet
10.10.10.0/24  OpenVPN   OpenVPN network clients

Get a Jump on Things

While these steps are covered in posts within the series, to accelerate the process of following along, you can take the following steps in advance to prepare a local workstation and an Azure subscription.

Install the Azure CLI

The Azure CLI is used throughout the series and is a valuable tool for interacting with an Azure environment.

On macOS, Homebrew can be used with this guide to install the Azure CLI. On a Linux workstation, this script can be used to install the Azure CLI and the other extensions that will be used along the way; read it carefully before running it, since it installs software with your user's privileges. Alternatively, these manual steps can be applied to get the Azure CLI installed.

Prepare an Azure Subscription

The Azure subscription that you use to follow the guides in this series may require some features and providers to be enabled. The next sections cover listing those providers and features. Missing ones can then be enabled as needed.

List the Registered Providers

The next command uses the Azure CLI to list the registered providers for a subscription. The main providers used in this series are Microsoft.Compute and Microsoft.Network. Look for those in the output. Note that the query filters on registrationState, so a provider that is NotRegistered will simply be absent from the table rather than flagged. Should either be missing, use this guide from Microsoft to get them registered.

az provider list --query "sort_by([?registrationState=='Registered'].{Namespace: namespace, Registered: registrationState}, &Namespace)" -o table
Namespace                           Registered
----------------------------------  ------------
Microsoft.ADHybridHealthService     Registered
Microsoft.Advisor                   Registered
Microsoft.AlertsManagement          Registered
Microsoft.Authorization             Registered
Microsoft.AzureActiveDirectory      Registered
Microsoft.Billing                   Registered
Microsoft.ChangeAnalysis            Registered
Microsoft.ClassicSubscription       Registered
Microsoft.Commerce                  Registered
Microsoft.Compute                   Registered
Microsoft.Consumption               Registered
Microsoft.CostManagement            Registered
Microsoft.Diagnostics               Registered
Microsoft.EventGrid                 Registered
Microsoft.Features                  Registered
Microsoft.GuestConfiguration        Registered
Microsoft.ManagedIdentity           Registered
Microsoft.MarketplaceNotifications  Registered
Microsoft.MarketplaceOrdering       Registered
Microsoft.Network                   Registered
Microsoft.OperationalInsights       Registered
Microsoft.OperationsManagement      Registered
Microsoft.PolicyInsights            Registered
Microsoft.Portal                    Registered
Microsoft.ResourceGraph             Registered
Microsoft.ResourceHealth            Registered
Microsoft.Resources                 Registered
Microsoft.Security                  Registered
Microsoft.SerialConsole             Registered
Microsoft.Sql                       Registered
Microsoft.Storage                   Registered
Microsoft.Web                       Registered
microsoft.insights                  Registered
microsoft.support                   Registered

List the Enabled Features of Microsoft.Compute

Additionally, the Microsoft.Compute/EncryptionAtHost feature of the Microsoft.Compute provider is needed in this series. Encryption at host encrypts the virtual machine's temp disk and the OS and data disk caches on the host itself, so data is already encrypted before it travels from the VM host to Azure Storage, complementing the encryption at rest that managed disks get on the storage side. Use the following command to see whether it is registered for your subscription.

az feature list --namespace Microsoft.Compute --query "[?properties.state=='Registered'].{Name: name, Registered: properties.state}" -o table
Name                                Registered
----------------------------------  ------------
Microsoft.Compute/EncryptionAtHost  Registered

If the feature is missing from the output of the command, use the steps in the next section.

Enable the Encrypt at Host Azure Feature

Following the Azure documentation, run the following commands to use the Azure CLI to enable EncryptionAtHost for the subscription. Note the hint the CLI prints: registering the feature alone is not enough, and the provider must be re-registered afterwards.

az login
az feature register --name EncryptionAtHost  --namespace Microsoft.Compute
Once the feature 'EncryptionAtHost' is registered, invoking 'az provider register -n Microsoft.Compute' is required to get the change propagated
{
  "id": "/subscriptions/4913be3f-a345-4652-9bba-767418dd25e3/providers/Microsoft.Features/providers/Microsoft.Compute/features/EncryptionAtHost",
  "name": "Microsoft.Compute/EncryptionAtHost",
  "properties": {
    "state": "Registering"
  },
  "type": "Microsoft.Features/providers/features"
}

Check the status of the registration using the following command. Wait a few minutes until the output shows Registered.

az feature show --name EncryptionAtHost --namespace Microsoft.Compute
{
  "id": "/subscriptions/4913be3f-a345-4652-9bba-767418dd25e3/providers/Microsoft.Features/providers/Microsoft.Compute/features/EncryptionAtHost",
  "name": "Microsoft.Compute/EncryptionAtHost",
  "properties": {
    "state": "Registered"
  },
  "type": "Microsoft.Features/providers/features"
}

Finally, re-register the provider, as the output of the earlier command instructed, so the feature change propagates. Provider registration can itself take a few minutes; until it completes, VM creation with encryption at host enabled will be rejected.

az provider register -n Microsoft.Compute
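The provider checks, the feature check and the register-then-propagate sequence above can be folded into one idempotent pre-flight script that is safe to re-run. This is an added example, not the author's script: it assumes the Azure CLI is installed and signed in, and the `AZ`, `POLL_SECONDS` and `MAX_POLLS` variables and the script name `azure-prep.sh` are this example's own conventions.

```shell
#!/bin/sh
# azure-prep.sh: make sure the resource providers and the EncryptionAtHost
# feature used by the series are registered, registering and waiting as needed.
# Added example for this post; the variable names below are its own conventions.
set -eu

AZ="${AZ:-az}"                   # command to run; override to point at a wrapper or mock
POLL_SECONDS="${POLL_SECONDS:-15}"
MAX_POLLS="${MAX_POLLS:-40}"     # 40 x 15 s = 10 minutes before giving up

# Current registration state of a provider, e.g. Registered or NotRegistered.
provider_state() {
  "$AZ" provider show --namespace "$1" --query registrationState -o tsv
}

# Current registration state of a preview feature under a provider.
feature_state() {
  "$AZ" feature show --namespace "$1" --name "$2" --query properties.state -o tsv
}

# wait_registered STATE_FN ARGS...: poll STATE_FN until it prints Registered.
wait_registered() {
  i=0
  state=unknown
  while [ "$i" -lt "$MAX_POLLS" ]; do
    state=$("$@")
    [ "$state" = "Registered" ] && return 0
    i=$((i + 1))
    sleep "$POLL_SECONDS"
  done
  echo "timed out waiting for $* to become Registered (last state: $state)" >&2
  return 1
}

# Register a provider only if it is not already Registered.
ensure_provider() {
  ns=$1
  if [ "$(provider_state "$ns")" = "Registered" ]; then
    echo "provider $ns: already registered"
    return 0
  fi
  echo "provider $ns: registering"
  "$AZ" provider register --namespace "$ns" >/dev/null
  wait_registered provider_state "$ns" || return 1
}

# Register a feature only if needed, then re-register its provider to
# propagate the change, as the CLI's own hint after 'az feature register' says.
ensure_feature() {
  ns=$1
  name=$2
  if [ "$(feature_state "$ns" "$name")" = "Registered" ]; then
    echo "feature $ns/$name: already registered"
    return 0
  fi
  echo "feature $ns/$name: registering"
  "$AZ" feature register --namespace "$ns" --name "$name" >/dev/null
  wait_registered feature_state "$ns" "$name" || return 1
  "$AZ" provider register --namespace "$ns" >/dev/null
  wait_registered provider_state "$ns" || return 1
}

# The full pre-flight for this series.
prepare_subscription() {
  for ns in Microsoft.Compute Microsoft.Network; do
    ensure_provider "$ns" || return 1
  done
  ensure_feature Microsoft.Compute EncryptionAtHost || return 1
}

# Run the pre-flight only when executed directly as azure-prep.sh; when sourced
# under another name (for example by a test), only the functions are defined.
if [ "${0##*/}" = "azure-prep.sh" ]; then
  "$AZ" account show --query id -o tsv >/dev/null 2>&1 || "$AZ" login >/dev/null
  prepare_subscription
fi
```

Run it with `sh azure-prep.sh`; a second run reports everything as already registered and exits without making changes. The `|| return 1` after each wait matters: without it, a timeout on the feature would be masked by the later provider step succeeding, and the script would report success for a subscription that is not actually ready.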

Written by J. Patrick Fulton.


Azure IaaS virtual machine virtual network vpn hybrid workflow Azure CLI