Question

AirGap in another Azure Tenant

  • 16 May 2023
  • 1 reply
  • 130 views


Hi all,
We are creating an AirGap Solution towards another Azure tenant.
The AirGap solution contains multiple Network Gateways and MediaAgents with Storage Accounts attached.

Question:
1. Does anyone have experience using an Azure Private Link Service to send AirGap Copies using the Azure Backbone Network?
2. If yes, how did you configure the Azure Load Balancing?

How I think it’s working:



Hi Vjduuren,

I’ve used a Private link and load balancer to install Commvault software as in the diagram below (the goal was to install Commvault software on 192.168.1.5 (left side) when the Commserve resides on the right side (different subscription), and the only way to go through is the Azure Private link that connects between them).

Even if it’s a different operation (install vs. Aux copy in your case), it goes through the private link from site A (Company.BV in your case, my example subscription f90) to site B (Recovery.BV in your case, my example subscription 710), so I believe it’s essentially the same if you want to know how to configure the private link and load balancer between them.

Where is your Commserve located? If it’s on Company.BV, and you haven’t installed a Media Agent on Recovery.BV, please see below on how to install and how to configure.

I’ll just copy and paste my note (note for installation). If you have finished the installation, please skip the installation part and see the Azure configuration part.

Directly copied from my note; please adjust to your environment.

In the example diagram above, the consumer side (left) represents the end customer and the provider side (right) represents the MSP who provides backup as a service.

The CS will reside in the MSP Azure network and the end customer will use this CS and resources on the MSP side to protect their data (for example, the WFS on 192.168.1.5).

The purpose of the Azure Private endpoint and Azure Private link is to connect to the provider's side network through the Microsoft backbone network ( ====> in the diagram under 2. Azure private link). This prevents traffic from going through the Internet.

The consumer will have 1. "Private endpoint" on their side, and this will go through 2. "Azure Private link" to reach 3. "Private link service" on the provider side. The Private link service is attached to 4. "Standard load balancer". All traffic destined for this service will reach the frontend of the SLB (Standard Load Balancer). The SLB will have SLB rules that direct this traffic to the appropriate 5. VMs (CS) or any services in backend pools. Backend pools basically means whatever sits behind the load balancer.

When the consumer (192.168.1.5) tries to connect to the CS (10.0.0.5) through their private endpoint (192.168.1.4), it will be NATed and will use the NAT IP (10.0.0.6) to communicate with the CS (10.0.0.5).

When the consumer (192.168.1.5) installs the iDA (WFS iDA for example), in this example above, they will select "this machine can open connection to CommServe on tunnel port".

Then put the CommServe hostname as the private endpoint IP (192.168.1.4).

When the one-way firewall from 192.168.1.5 to 10.0.0.5 is established during installation, netstat on the CS would show: [screenshot]

netstat on 192.168.1.5 would show: [screenshot]

If it's a proxy instead of the CS that's behind the SLB, they would need to select "The CommServe computer can only be reached through a network gateway" and put the proxy hostname as 192.168.1.4 during installation.

In the example, I put the private endpoint hostname as an IP but you can use an FQDN.

Configuration (on Azure) in a nutshell:

Provider side:

1. Create the SLB

2. Create the VM (CS) and, during creation, select the option to put it behind the SLB

3. Create the Private link service and, when creating it, specify the NAT IP (or leave it dynamic) and select the SLB created above. Ensure the Private link service accepts traffic from the other subscription.

4. Specify an SLB rule to port-forward traffic to the CS in the backend pool.

Consumer side:

1. Create a Private endpoint and, when creating it, specify the Private link service on the provider network

Configuration with screenshots:

Provider side:

SLB:

1. Log in to portal.azure.com and click 'Create a resource'

2. Type "load balancer"

3. Click Create

4. Create it with the 'Standard' SKU. Internal will have an internal frontend IP and external will have a public frontend IP. Specify the subnet, 10.0.0.0/24 in this example.

VM:

While creating the VM, on 'Networking', select the load balancer. You can create a backend pool by using 'Create new' if you don't have an existing one.

Private link service: 

1. "Create a resource" and select "Private link service (your service)"

2. Click Create

3. Put a name

4. Select the SLB

5. On Access Security, select 'Restricted by subscription' and add the subscription

7. Then add the other side's subscription

8. Leave it on auto approve and click 'Review + Create'

Specify on the SLB to forward traffic to the CS

1. Go to SLB > Inbound NAT rules > Add

2. The default port mapping will forward from 10.0.0.8:8403 to 10.0.0.5:8403

You can change it to 'Custom' so it forwards 10.0.0.8:55555 to 10.0.0.5:8403

Consumer side:

Private endpoint:

1. Click 'Create a resource'

2. Type "Private endpoint"

3. Click Create

4. Specify the name

5. If it's in your directory (it is, because it's in my lab), select that option, or you can connect by resource ID/alias. Specify the privateLinkService on the other side.

How to get the alias for the private link service you've created:

Go to the private link service you've created; it's on the Overview tab.

6. Specify the Network (your side, 192.168.1.0)

7. Click Review + create.

What it should look like (for cross check)

Provider side:

1. Private link service

NAT IP in the same network as the NAT subnet; Load balancer pointing to the correct load balancer

2. Private link accepting traffic from the other side (subscription_f90)

3. Load balancer

The NAT rule forwards to the CS on port 8403.

Consumer side:

Private endpoint pointing to the correct private link service on the provider side

It was from 2020 so the GUI above may look different on today’s Azure portal (should be really similar though).

If anything is unclear, please let me know, and I’ll try to remember.

Thank you. 

Kind regards,

Jiye Lee

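As an added example (not from the original post, and not Commvault's or Microsoft's code), here is the provider-side part of the procedure described in the answer, covering both the "in a nutshell" list and the screenshot walkthrough, expressed as Azure CLI commands, together with a pure-shell pre-flight check for the "NAT IP in the same network as the NAT subnet" cross-check. The resource group, VNet, subnet and resource names and the consumer subscription ID are assumed placeholders; the addresses and ports are the ones used in the answer.

```shell
#!/bin/sh
# Added example, not from the original post: provider-side Azure CLI equivalent of the
# portal steps, plus a pure-shell check that the NAT IP lies inside the NAT subnet.
# RG/VNet/subnet/resource names and the consumer subscription ID are assumed placeholders.
set -eu

RG="rg-provider"          # assumed resource group on the provider (Recovery.BV) side
LOC="westeurope"          # assumed region
VNET="vnet-provider"      # assumed VNet containing 10.0.0.0/24
SUBNET="snet-backend"     # assumed subnet 10.0.0.0/24 (CS, SLB frontend and NAT IP)
SUBNET_CIDR="10.0.0.0/24"
NAT_IP="10.0.0.6"         # NAT IP that consumer traffic is translated to (from the post)
CONSUMER_SUB="00000000-0000-0000-0000-000000000000"   # placeholder consumer subscription
CS_PORT=8403              # CommServe tunnel port
FRONTEND_PORT=55555       # the post's 'Custom' frontend port

# ip_to_int 10.0.0.6 -> 167772166 (dotted quad to integer, POSIX sh only)
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> status 0 when IP lies inside CIDR, 1 otherwise
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}
deploy_provider_side() {
  in_cidr "$NAT_IP" "$SUBNET_CIDR" || { echo "NAT IP $NAT_IP is outside $SUBNET_CIDR" >&2; return 1; }
  # Step 1: Standard internal load balancer with one frontend in the backend subnet
  az network lb create -g "$RG" -n lb-cs --sku Standard --vnet-name "$VNET" --subnet "$SUBNET" \
    --frontend-ip-name fe-cs --backend-pool-name pool-cs
  # Step 4: inbound NAT rule frontend:55555 -> CS:8403. The CS VM's NIC is bound to this rule
  # when the VM is created behind the SLB (step 2), which is not shown here.
  az network lb inbound-nat-rule create -g "$RG" --lb-name lb-cs -n nat-cs-8403 --protocol Tcp \
    --frontend-ip-name fe-cs --frontend-port "$FRONTEND_PORT" --backend-port "$CS_PORT"
  # Step 3: Private link service on that frontend, visible to and auto-approved for the consumer only
  az network private-link-service create -g "$RG" -n pls-cs -l "$LOC" --lb-name lb-cs \
    --lb-frontend-ip-configs fe-cs --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-ip-address "$NAT_IP" --private-ip-allocation-method Static \
    --visibility "$CONSUMER_SUB" --auto-approval "$CONSUMER_SUB"
}
# Only deploy when explicitly asked, so the file can be sourced for the checks alone.
if [ "${1:-}" = "deploy" ]; then deploy_provider_side; fi
```

The consumer side is then a single private endpoint in 192.168.1.0/24 whose target is the resource ID or alias of pls-cs, matching the last step of the walkthrough.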