What are some of the uses for service chaining? Say you have workloads that are deployed in different environments, such as development, testing, and production, and they require shared services such as DNS, IDS, NTP, or Active Directory Domain Services. Shared services are placed in a hub VNet while each environment is deployed to a spoke to maintain isolation. Another scenario is where workloads do not require connectivity to each other, but they require access to shared services. Another is enterprises that require centralized control over security concerns, such as a firewall in the hub as a DMZ, and segregated management for the workloads on each spoke.
Each VNet, including a peered VNet, can have its own gateway. A VNet can use its gateway to connect to an on-premises network. You can also configure VNet-to-VNet connections by using gateways, even for peered VNets. When you configure both options for VNet interconnectivity, the traffic between the VNets flows through the peering configuration. The traffic uses the Azure backbone. You can also configure the gateway in the peered virtual network as a transit point to an on-premises network. In this case, the virtual network that is using the remote gateway can't have its own gateway. So a VNet has only one gateway. The gateway is either a local gateway or a remote gateway in the peered VNet. You can see this in the diagram. Both VNet peering and global VNet peering support gateway transit. Gateway transit between virtual networks created through different deployment models is also supported. The gateway must be in the VNet in the Resource Manager model. When you peer VNets that share a single Azure ExpressRoute connection, the traffic between them goes through the peering relationship; that traffic uses the Azure backbone network. You can still use local gateways in each VNet to connect to the on-premises circuit. You could also configure a shared gateway and configure gateway transit for your on-premises environment.
To confirm that VNets are peered, you can check effective routes. Check the routes for a network interface in a subnet of a virtual network. If a virtual network peering exists, all subnets within the VNet have routes with the next hop type being VNet peering for each address space in each peered VNet. You can also troubleshoot connectivity to a VNet and a peered VNet using Azure Network Watcher and its connectivity check. It lets you see how the traffic is routed from a source VM's network interface to a destination VM's network interface. We'll be talking about Network Watcher later on and show you some examples. Now, if you have two VNets that are peered across regions using global VNet peering, you cannot connect to the resources that are behind the internal load balancer. This does not affect the external load balancer. Now, global VNet peering can provide access to resources directly by using private VNet IPs as permitted, such as VMs behind an internal load balancer or VM scale sets with an internal load balancer, Redis Cache, Application Gateway (SKU v1), Service Fabric, SQL Managed Instance, API Management, Active Directory Domain Services, Logic Apps, HDInsight, Azure Batch, and also the App Service Environment, which is called an ASE. You can also connect to these resources via ExpressRoute or VNet-to-VNet through the VPN gateways.
So what we've done is we've gone over to the Azure portal, and right now we have two resource groups. Remember, the one we looked at before had the load balancer; I got rid of all the assets within the load balancer RG resource group. But the thing is that there's still the Recovery Services vault. The reason is that a Recovery Services vault keeps a soft delete. So if you have any backups, even though you deleted the backups and everything, it keeps a soft delete in case you want to go and restore later on. So what I'm going to do is create two VNets. I'm just going to type VNet here and go ahead and create it.
Now, when you're creating the VNet, you just give it a name. So we'll call this VNet1. You have to put in a region, and next we go ahead and decide on the actual address space. It's an IPv4 address space. You can see that it's 10.0.0.0/16, so that means we have 65,536 addresses. You can also add an IPv6 address space. Our default subnet is going to be 10.0.0.0/24. Next, we have the ability to implement DDoS protection. So that way, for any applications that we have in here, we can stop things like SQL injection or things like that. We can also add firewalls too; I'm not going to do that. The tags are there and are used for reporting purposes. We're going to go ahead and create. So you'll see that the actual VNet has been created. We can click on "Go to resource" and we're in VNet1. Now within VNet1, we have the settings that we just looked at before. We can also implement a DNS server here. We can go and look at the address space, and the address space is 10.0.0.0/16. We're going to do peering in a couple of minutes. Before we can do the peering, we need to create another VNet. So we'll go back over to our resource groups, and I'm going to use regional peering. That means that I'm going to peer two VNets within the same region. So I'm going to go ahead and add another VNet, and that's VNet2. Next is the IP addresses. You can see it automatically put in 10.1.0.0/16, and then we have our subnet. Now if you didn't want to use that name, we can go ahead and change that name. We're just going to keep it as the default. Then we have our security settings, DDoS protection, the firewall, and next we have our tags. So I'm going to go ahead and review and create. So that VNet is now created. If we go into our resource groups, we'll see that we have two VNets. Now the thing you've got to understand is that I don't have anything else in here except for the VNets.
So I'll do a refresh here and I should have VNet2, and there is VNet2. Now, what we're going to do is the VNet peering. This is the simplest way to connect two VNets together. We'll talk about VNet-to-VNet, and you'll see it's a lot more involved than VNet peering. So I'm going to go ahead and do a VNet peering. I just click on "Peerings" and I click on "Add". I'm going to give it a name, so I'm going to say VNet1-to-VNet2. Now the thing is that it'll just ask me which is the virtual network, VNet2, and the name of the peering on the other side is VNet2-to-VNet1. Now, what we can do is allow virtual network access from VNet1 to VNet2 and from VNet2 to VNet1, and then we can configure forwarded traffic; I'll enable that also. Then the other thing is allow gateway transit, which is also checked, which we talked about before. That's when we have a VPN gateway. So we'll go ahead and click on "OK". Now you can see that we have the VNet1-to-VNet2 peering. Let's go check the other one on VNet2 and look at the peering. So we have VNet2-to-VNet1. Now, let's go ahead and create a third one. When I create the third one, VNet peerings are not transitive. What that means is that when I create the third VNet and a peering, traffic is not automatically going to go from one to three: if I have VNet1 peered to VNet2, and VNet2 peered to VNet3, it doesn't automatically go to VNet1. Let's go ahead and create a third one. What I could do is actually put this into a different region. If I did it in a different region, then I'd be able to peer them together also. I'm just going to keep it as regional to make it simple. So you'll see the IP address space is 10.2.0.0/16 and our subnet is 10.2.0.0/24. Our security is the same, like I said, and here are the tags. Go ahead and create. Now we have our third VNet. So let's go back into the resource group.
Go ahead and refresh here, and now we have our third VNet. Now the thing is, if I wanted to peer between them, then I go ahead and do my peering and we just go through the same process. So you can see that VNet peering is very simple but very powerful, and remember, all the traffic is going to stay on the Microsoft backbone.
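
Added example (not part of the original lecture): a simplified Python model of the effective-routes check and of non-transitive peering, using the three address spaces from the demo. The route labels `VnetLocal` and `VNetPeering`, the function names, and the second peering (VNet2 to VNet3) are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed topology mirroring the demo: three VNets, with only
# VNet1<->VNet2 and VNet2<->VNet3 peered (no VNet1<->VNet3 peering).
VNETS = {
    "VNet1": ["10.0.0.0/16"],
    "VNet2": ["10.1.0.0/16"],
    "VNet3": ["10.2.0.0/16"],
}
PEERINGS = [("VNet1", "VNet2"), ("VNet2", "VNet3")]


def effective_routes(vnet, vnets=VNETS, peerings=PEERINGS):
    """Routes a subnet in `vnet` sees: its own address space plus one
    VNetPeering route per address space of each directly peered VNet."""
    routes = [(prefix, "VnetLocal") for prefix in vnets[vnet]]
    for a, b in peerings:
        if vnet in (a, b):
            remote = b if vnet == a else a
            routes += [(prefix, "VNetPeering") for prefix in vnets[remote]]
    return routes


def next_hop(vnet, dest_ip, vnets=VNETS, peerings=PEERINGS):
    """Longest-prefix match of dest_ip; "None" means no route (dropped)."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, hop in effective_routes(vnet, vnets, peerings):
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "None"


def unpeered_pairs(vnets=VNETS, peerings=PEERINGS):
    """VNet pairs with no direct peering, i.e. no route to each other."""
    linked = {frozenset(p) for p in peerings}
    return [pair for pair in combinations(sorted(vnets), 2)
            if frozenset(pair) not in linked]


if __name__ == "__main__":
    for name in VNETS:
        print(name, effective_routes(name))
    print("VNet1 -> 10.2.0.4:", next_hop("VNet1", "10.2.0.4"))
    print("No direct peering:", unpeered_pairs())
```

VNet1 has no route to 10.2.0.0/16 even though VNet2 is peered with both neighbours, which is why a spoke cannot reach another spoke unless a direct peering is added.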