7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

Lab 06 - Implement Traffic Management

 Lab scenario

You were tasked with testing managing network traffic targeting Azure virtual machines in the hub and spoke network topology, which Contoso
considers implementing in its Azure environment (instead of creating the mesh topology, which you tested in the previous lab). This testing needs
to include implementing connectivity between spokes by relying on user defined routes that force traffic to flow via the hub, as well as traffic
distribution across virtual machines by using layer 4 and layer 7 load balancers. For this purpose, you intend to use Azure Load Balancer (layer 4)
and Azure Application Gateway (layer 7).

Objectives

In this lab, you will:

Task 1: Provision the lab environment

Task 2: Configure the hub and spoke network topology
Task 3: Test transitivity of virtual network peering
Task 4: Configure routing in the hub and spoke topology
Task 5: Implement Azure Load Balancer
Task 6: Implement Azure Application Gateway

Exercise 1
Task 1: Provision the lab environment
1. The lab environment has already been provisioned for you.

2. Login to the Azure Portal as  [email protected] with the password  KBoh88qdqGL5374C

 https://portal.azure.com

 Note: Wait for the deployments to complete before proceeding to the next task. This should take about 5-15 minutes. To verify the status
of the deployments, you can examine the properties of the resource groups.

Task 2: Configure the hub and spoke network topology

 In this task, you will configure local peering between the virtual networks you deployed in the previous tasks in order to create a hub and spoke
network topology.

1. In the Azure portal, search for and select Virtual networks.

2. Review the virtual networks you created in the previous task.

 Note: The template used for deployment creates three virtual networks and ensures that the IP address ranges of the three virtual
networks do not overlap.

3. In the list of virtual networks, click az104-06-vnet01.

4. On the az104-06-vnet01 virtual network blade, in the Settings section, click Peerings and then click + Add.

5. Add a peering with the following settings (leave others with their default values):

 Note: Wait for the operation to complete.

 Note: This step establishes two local peerings - one from az104-06-vnet01 to az104-06-vnet2 and the other from az104-06-vnet2 to
az104-06-vnet01.

 Note: Allow forwarded traffic needs to be enabled in order to facilitate routing between spoke virtual networks, which you will
implement later in this lab.

Setting Value

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 1/9
7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

Setting Value

This virtual Netowrk: Peering link name az104-06-vnet01_to_az104-06-vnet2

Trafffic to remote virtual network Allow (default)

Traffic forwarded from remote virtual network Block traffic that originates from outside this virtual network

Virtual network gateway None (default)

Remote virtual network: Peering link name az104-06-vnet2_to_az104-06-vnet01

Virtual network deployment model Resource manager

Subscription the name of the Azure subscription you are using in this lab

Virtual network az104-06-vnet2

Trafffic to remote virtual network Allow (default)

Traffic forwarded from remote virtual network Allow (default)

Virtual network gateway None (default)

6. On the az104-06-vnet01 virtual network blade, in the Settings section, click Peerings and then click + Add.

7. Add a peering with the following settings (leave others with their default values):

 Note: This step establishes two local peerings - one from az104-06-vnet01 to az104-06-vnet3 and the other from az104-06-vnet3 to
az104-06-vnet01. This completes setting up the hub and spoke topology (with two spoke virtual networks).

 Note: Allow forwarded traffic needs to be enabled in order to facilitate routing between spoke virtual networks, which you will
implement later in this lab.

Setting Value

This virtual network: Peering link name az104-06-vnet01_to_az104-06-vnet3

Trafffic to remote virtual network Allow (default)

Traffic forwarded from remote virtual network Block traffic that originates from outside this virtual network

Virtual network gateway None (default)

Remote virtual network: Peering link name az104-06-vnet3_to_az104-06-vnet01

Virtual network deployment model Resource manager

Subscription the name of the Azure subscription you are using in this lab

Virtual network az104-06-vnet3

Trafffic to remote virtual network Allow (default)

Traffic forwarded from remote virtual network Allow (default)

Virtual network gateway None (default)

Task 3: Test transitivity of virtual network peering

 In this task, you will test transitivity of virtual network peering by using Network Watcher.

1. In the Azure portal, search for and select Network Watcher.

2. On the Network Watcher blade, expand the listing of Azure regions and verify that the service is enabled in the Azure into which you deployed
resources in the first task of this lab.

3. On the Network Watcher blade, navigate to the Connection troubleshoot.

4. On the Network Watcher - Connection troubleshoot blade, initiate a check with the following settings (leave others with their default values):

 Note: 10.62.0.4 represents the private IP address of az104-06-vm2

Setting Value

Subscription the name of the Azure subscription you are using in this lab

Resource group az104-06-rg1-XXXXXX

Source type Virtual machine

Virtual machine az104-06-vm0

Destination Specify manually

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 2/9
7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

Setting Value

URI, FQDN or IPv4 10.62.0.4

Protocol TCP

Destination Port 3389

5. Click Check and wait until results of the connectivity check are returned. Verify that the status is Reachable. Review the network path and note that
the connection was direct, with no intermediate hops in between the VMs.

 Note: This is expected, since the hub virtual network is peered directly with the first spoke virtual network.

 Note: The initial check can take about 2 minutes because it requires installation of the Network Watcher Agent virtual machine extension
on az104-06-vm0.

6. On the Network Watcher - Connection troubleshoot blade, initiate a check with the following settings (leave others with their default values):

 Note: 10.63.0.4 represents the private IP address of az104-06-vm3

Setting Value

Subscription the name of the Azure subscription you are using in this lab

Resource group az104-06-rg1

Source type Virtual machine

Virtual machine az104-06-vm0

Destination Specify manually

URI, FQDN or IPv4 10.63.0.4

Protocol TCP

Destination Port 3389

7. Click Check and wait until results of the connectivity check are returned. Verify that the status is Reachable. Review the network path and note that
the connection was direct, with no intermediate hops in between the VMs.

 Note: This is expected, since the hub virtual network is peered directly with the second spoke virtual network.

8. On the Network Watcher - Connection troubleshoot blade, initiate a check with the following settings (leave others with their default values):

Setting Value

Subscription the name of the Azure subscription you are using in this lab

Resource group az104-06-rg2-XXXXXXX

Source type Virtual machine

Virtual machine az104-06-vm2

Destination Specify manually

URI, FQDN or IPv4 10.63.0.4

Protocol TCP

Destination Port 3389

9. Click Check and wait until results of the connectivity check are returned. Note that the status is Unreachable.

 Note: This is expected, since the two spoke virtual networks are not peered with each other (virtual network peering is not transitive).

Task 4: Configure routing in the hub and spoke topology

 In this task, you will configure and test routing between the two spoke virtual networks by enabling IP forwarding on the network interface of the
az104-06-vm0 virtual machine, enabling routing within its operating system, and configuring user-defined routes on the spoke virtual network.

1. In the Azure portal, search and select Virtual machines.

2. On the Virtual machines blade, in the list of virtual machines, click az104-06-vm0.

3. On the az104-06-vm0 virtual machine blade, in the Settings section, click Networking.

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 3/9
7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

4. Click the az104-06-nic0 link next to the Network interface label, and then, on the az104-06-nic0 network interface blade, in the Settings section,
in the Settings section, click IP configurations.

5. Set IP forwarding to Enabled and save the change.

 Note: This setting is required in order for az104-06-vm0 to function as a router, which will route traffic between two spoke virtual
networks.

 Note: Now you need to configure operating system of the az104-06-vm0 virtual machine to support routing.

6. In the Azure portal, navigate back to the az104-06-vm0 Azure virtual machine blade and click Overview.

7. On the az104-06-vm0 blade, in the Operations section, click Run command, and, in the list of commands, click RunPowerShellScript.

8. On the Run Command Script blade, type the following and click Run to install the Remote Access Windows Server role.

 Install-WindowsFeature RemoteAccess -IncludeManagementTools

 Note: Wait for the confirmation that the command completed successfully.

9. On the Run Command Script blade, type each of the following commands on a new line and click Run to install the Routing role service.

 Install-WindowsFeature -Name Routing -IncludeManagementTools -IncludeAllSubFeature

 Install-WindowsFeature -Name "RSAT-RemoteAccess-Powershell"

 Install-RemoteAccess -VpnType RoutingOnly

 Get-NetAdapter | Set-NetIPInterface -Forwarding Enabled

 Note: Wait for the confirmation that the command completed successfully.

 Note: Now you need to create and configure user defined routes on the spoke virtual networks.

10. In the Azure portal, search and select Route tables and, on the Route tables blade, click + Add.

11. Create a route table with the following settings (leave others with their default values):

 Note: Wait for the route table to be created. This should take about 3 minutes.

Setting Value

Name az104-06-rt23

Subscription the name of the Azure subscription you are using in this lab

Resource group az104-06-rg2-XXXXXX

Location West US

Virtual network gateway route propagation Disabled

12. Back on the Route tables blade, click Refresh and then click az104-06-rt23.

13. On the az104-06-rt23 route table blade, click Routes and then click + Add.

14. Add a new route with the following settings (leave others with their default values):

Setting Value

Route name az104-06-route-vnet2-to-vnet3

Address prefix 10.63.0.0/20

Next hop type Virtual appliance

Next hop address 10.60.0.4

15. Back on the az104-06-rt23 route table blade, click Subnets and then click + Associate.

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 4/9
7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

16. Associate the route table az104-06-rt23 with the following subnet:

Setting Value

Virtual network az104-06-vnet2

Subnet subnet0

17. Navigate back to Route tables blade and click + Add.

18. Create a route table with the following settings (leave others with their default values):

 Note: Wait for the route table to be created. This should take about 3 minutes.

Setting Value

Name az104-06-rt32

Subscription the name of the Azure subscription you are using in this lab

Resource group az104-06-rg3

Location West US 2

19. Back on the Route tables blade, click Refresh and then click az104-06-rt32.

20. On the az104-06-rt32 route table blade, click Routes and then click + Add.

21. Add a new route with the following settings (leave others with their default values):

Setting Value

Route name az104-06-route-vnet3-to-vnet2

Address prefix 10.62.0.0/20

Next hop type Virtual appliance

Next hop address 10.60.0.4

22. Back on the az104-06-rt32 route table blade, click Subnets and then click + Associate.

23. Associate the route table az104-06-rt32 with the following subnet:

Setting Value

Virtual network az104-06-vnet3

Subnet subnet0

24. In the Azure portal, navigate back to the Network Watcher - Connection troubleshoot blade.

25. On the Network Watcher - Connection troubleshoot blade, initiate a check with the following settings (leave others with their default values):

Setting Value

Subscription the name of the Azure subscription you are using in this lab

Resource group az104-06-rg2-XXXXXX

Source type Virtual machine

Virtual machine az104-06-vm2

Destination Specify manually

URI, FQDN or IPv4 10.63.0.4

Protocol TCP

Destination Port 3389

26. Click Check and wait until results of the connectivity check are returned. Verify that the status is Reachable. Review the network path and note that
the traffic was routed via 10.60.0.4, assigned to the az104-06-nic0 network adapter.

 Note: This is expected, since the traffic between spoke virtual networks is now routed via the virtual machine located in the hub virtual
network, which functions as a router.

 Note: You can use Network Watcher to view topology of the network.

Task 5: Implement Azure Load Balancer

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 5/9
7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

 In this task, you will implement an Azure Load Balancer in front of the two Azure virtual machines in the hub virtual network

1. In the Azure portal, search and select Load balancers and, on the Load balancers blade, click + Add.

2. Create a load balancer with the following settings (leave others with their default values):

 Note: Wait for the Azure load balancer to be provisioned. This should take about 2 minutes.

Setting Value

Subscription the name of the Azure subscription you are using in this lab

Resource group select az104-06-rg1-XXXXXX

Name az104-06-lb4

Region West US

Type Public

SKU Standard

Public IP address Create new

Public IP address name az104-06-pip4

Availability zone Zone-redundant

Add a public IPv6 address No

3. On the deployment blade, click Go to resource.

4. On the az104-06-lb4 load balancer blade, click Backend pools and click + Add.

5. Add a backend pool with the following settings (leave others with their default values):

Setting Value

Name az104-06-lb4-be1

Virtual network az104-06-vnet01

IP version IPv4

Virtual machine az104-06-vm0

Virtual machine IP address ipconfig1 (10.60.0.4)

Virtual machine az104-06-vm1

Virtual machine IP address ipconfig1 (10.60.1.4)

6. Wait for the backend pool to be created, click Health probes, and then click + Add.

7. Add a health probe with the following settings (leave others with their default values):

Setting Value

Name az104-06-lb4-hp1

Protocol TCP

Port 80

Interval 5

Unhealthy threshold 2

8. Wait for the health probe to be created, click Load balancing rules, and then click + Add.

9. Add a load balancing rule with the following settings (leave others with their default values):

Setting Value

Name az104-06-lb4-lbrule1

IP Version IPv4

Protocol TCP

Port 80

Backend port 80

Backend pool az104-06-lb4-be1

Health probe az104-06-lb4-hp1

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 6/9
7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

Setting Value

Session persistence None

Idle timeout (minutes) 4

TCP reset Disabled

Floating IP (direct server return) Disabled

Use outbound rules to provide backend pool members access to the internet. Enabled

10. Wait for the load balancing rule to be created, click Overview, and note the value of the Public IP address.

11. Start another browser window and navigate to the IP address you identified in the previous step.

12. Verify that the browser window displays the message Hello World from az104-06-vm0 or Hello World from az104-06-vm1.

13. Open another browser window but this time by using InPrivate mode and verify whether the target vm changes (as indicated by the message).

 Note: You might need to refresh the browser window or open it again by using InPrivate mode.

Task 6: Implement Azure Application Gateway

 In this task, you will implement an Azure Application Gateway in front of the two Azure virtual machines in the spoke virtual networks.

1. In the Azure portal, search and select Virtual networks.

2. On the Virtual networks blade, in the list of virtual networks, click az104-06-vnet01.

3. On the az104-06-vnet01 virtual network blade, in the Settings section, click Subnets, and then click + Add.

4. Add a subnet with the following settings (leave others with their default values):

 Note: This subnet will be used by the Azure Application Gateway instances, which you will deploy later in this task. The Application
Gateway requires a dedicated subnet of /27 or larger size.

Setting Value

Name subnet-appgw

Address range (CIDR block) 10.60.3.224/27

Network security group None

Route table None

5. In the Azure portal, search and select Application Gateways and, on the Application Gateways blade, click + Add.

6. On the Basics tab of the Create an application gateway blade, specify the following settings (leave others with their default values):

Setting Value

Subscription the name of the Azure subscription you are using in this lab

Resource group az104-06-rg1-XXXXXX

Application gateway name az104-06-appgw5

Region West US

Tier Standard V2

Enable autoscaling No

Instances 1

Availability zone 1, 2, 3

HTTP/2 Disabled

Virtual network az104-06-vnet01

Subnet subnet-appgw

7. Click Next: Frontends > and, on the Frontends tab of the Create an application gateway blade, specify the following settings (leave others with
their default values):

Setting Value

Frontend IP address type Public

Public IP address the name of a new public ip address az104-06-pip5

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 7/9
7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

8. Click Next: Backends >, on the Backends tab of the Create an application gateway blade, click + Add a backend pool, and, on the Add a
backend pool blade, specify the following settings (leave others with their default values):

 Note: The targets represent the private IP addresses of virtual machines in the spoke virtual networks az104-06-vm2 and az104-06-vm3.

Setting Value

Name az104-06-appgw5-be1

Add backend pool without targets No

Target type IP address or hostname

Target 10.62.0.4

Target type IP address or hostname

Target 10.63.0.4

9. Click Add, click Next: Configuration > and, on the Configuration tab of the Create an application gateway blade, click + Add a rule.

10. On the Add a routing rule blade, on the Listener tab, specify the following settings (leave others with their default values):

Setting Value

Rule name az104-06-appgw5-rl1

Listener name az104-06-appgw5-rl1l1

Frontend IP Public

Protocol HTTP

Port 80

Listener type Basic

Error page url No

11. Switch to the Backend targets tab of the Add a routing rule blade and specify the following settings (leave others with their default values):

Setting Value

Target type Backend pool

Backend target az104-06-appgw5-be1

12. On the Backend targets tab of the Add a routing rule blade, click Create new next to the HTTP setting text box, and, on the Add an HTTP
setting blade, specify the following settings (leave others with their default values):

Setting Value

HTTP setting name az104-06-appgw5-http1

Backend protocol HTTP

Backend port 80

Cookie-based affinity Disable

Connection draining Disable

Request time-out (seconds) 20

13. Click Add on the Add an HTTP setting blade, and back on the Add a routing rule blade, clik Add.

14. Click Next: Tags >, followed by Next: Review + create > and then click Create.

 Note: Wait for the Application Gateway instance to be created. This might take about 8 minutes.

15. In the Azure portal, search and select Application Gateways and, on the Application Gateways blade, click az104-06-appgw5.

16. On the az104-06-appgw5 Application Gateway blade, note the value of the Frontend public IP address.

17. Start another browser window and navigate to the IP address you identified in the previous step.

18. Verify that the browser window displays the message Hello World from az104-06-vm2 or Hello World from az104-06-vm3.

19. Open another browser window but this time by using InPrivate mode and verify whether the target vm changes (based on the message displayed
on the web page).

 Note: You might need to refresh the browser window or open it again by using InPrivate mode.

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 8/9
7/3/2021 AZ-104T00 (CS) | Lab 06 - go deploy

 Note: Targeting virtual machines on multiple virtual networks is not a common configuration, but it is meant to illustrate the point that
Application Gateway is capable of targeting virtual machines on multiple virtual networks (as well as endpoints in other Azure regions or
even outside of Azure), unlike Azure Load Balancer, which load balances across virtual machines in the same virtual network.

 Review

In this lab, you have:

Task 1: Provisioned the lab environment

Task 2: Configured the hub and spoke network topology
Task 3: ested transitivity of virtual network peering
Task 4: Configure routing in the hub and spoke topology
Task 5: Implement Azure Load Balancer
Task 6: Implement Azure Application Gateway

 Congratulations, you have now completed this lab. You can safely end your lab.

https://lms.godeploy.it/Labs/LabGuide/278b5f91-c3db-eb11-abe8-00155de2c911# 9/9