
Nerdio Fundamentals: On-Ramp Regions

June 20, 2019 (Videos)

Joseph Landes
In this session, we are going to cover a very interesting topic and piece of functionality known as on-ramp regions. Oftentimes, a company may have their headquarters, let’s say, in Chicago and be primarily using Azure services in the Central region data center from Microsoft, but they may also have employees scattered around other parts of the United States or the world and want those employees to have their virtual desktops closer to them and served out of Microsoft’s Azure regions in closer proximity to the employee. For example, their employee in New York could now have her desktop served up to her from the East US data center to minimize latency. This is the beauty of on-ramp regions: bringing the resources of Microsoft Azure closer to where they will be consumed. In this session, we will show you how to implement on-ramp regions in Nerdio for Azure. Enjoy the session.

Vadim Vladimirskiy
A bit of terminology first, and then what it is and why we’re using on-ramp regions. So the first term to keep in mind is something called the primary region. The primary region is the region you select in Azure when deploying a new environment. Remember, an Azure region is a collection of data centers that are located geographically close to each other, with pretty low latency and connectivity between them. You don’t really create resources in individual data centers. You create them inside of regions, which may go into a data center that’s not really exposed to the end customer. So you don’t really know which of the data centers they are in, but you know the rough geographic location. So as an example, for the account Morhart Inc., ID 5009, the primary region is the South Central region. We have it configured here to be labeled as a GPU-capable region.

Vadim Vladimirskiy
What that means is the following: if you search for Azure products by region, there is a nice little grid here. They’ve changed it from a grid, I guess, to a searchable thing. So let’s say you want to find what kind of virtual machines are available where. Along the left side here, the rows are the different types of VMs, and then across the top you have your various regions. So, for instance, if you wanted to know, you know, there’s a new instance of the Nvidia-based VM. So right here, you can see at the top it’s not available in Canada, it’s not available in Central US, it is available in East, East 2, North Central, South Central, not West Central, et cetera. So you can see that this is the place you would go to see which services are available in what locations.

Vadim Vladimirskiy
For example, if you’re looking for something like Automation, you would notice that that is available, you know, in a handful of regions, with some expected GA in 2009. Let’s see if Windows Virtual Desktop... okay, it looks like that’s not even in the list yet. All right, so this is what we mean when we talk about the primary region. This is where you deploy your primary environment. Once you’ve deployed the environment, there may be some scenarios where you want to either place some resources in another region or route users through another region to your infrastructure that’s in the primary region. So again, the primary region is for everything else, and then every other deployment you create is going to be in an on-ramp region.

Vadim Vladimirskiy
Creating an on-ramp region is super easy. You go to Network, On-Ramp Regions. It opens up the page, actually the same page where the VPN configuration is; the VPN configuration is required to be turned on in order for on-ramp regions to work. So once we come to this page, if the VPN is turned off, which it is by default, it’s going to require you to turn it on before you can go in and actually create on-ramp regions. And with on-ramp regions you only have two actions. You can either add a new region, and it simply gives you a drop-down of the various regions; the ones you already have provisioned are going to be greyed out. So I cannot select East US 2, but I can select another region anywhere else that I am entitled to. And you click confirm. That’s the only thing you’ve got to do from a UI perspective, and then once the region is added, which takes about an hour, you can go in and you can delete the region, which probably takes about, you know, half an hour, 45 minutes to clean everything up.

Vadim Vladimirskiy
Okay. What does that actually do when you add an on-ramp region? So what actually happens? So if we go into Azure, recall here we have an on-ramp region added for East US 2, which was added back in December. If we go into the Azure subscription and we look at, let’s say, our resource group, we have our Nerdio resource group right here. Now let’s take a look at the virtual network view. So now, ignoring this one for now, we have two Nerdio VNets. We have our primary VNet, which is what you’re familiar with. This is where we deployed all of our primary region resources into; this is where all the VMs exist. And now we have a new VNet, which is Nerdio VNet-East US 2, which is based on that selection we made. And then you can also see the location as East US 2.

Vadim Vladimirskiy
So that’s the first thing that happens when you set up an on-ramp region. It creates a VNet with a unique name in the region that you selected, but still within the resource group where the Nerdio deployment is. A quick click here, and you’ll notice some similar configurations, familiar configurations. There will still be a LAN; there’s not going to be a DMZ, just because we’re not setting up a full deployment in an on-ramp region. We’re just going to have certain components. So you can see there’s a LAN configuration, and here the IP address is slightly different than what you were seeing in the primary region.

Vadim Vladimirskiy
In the primary region that’s 10.125/17; here it’s 10.126. For every subsequent on-ramp region, this number, this 125, 126, is going to be incremented by one. So if we add an additional on-ramp region, its subnet is going to be 10.127, and then 128, et cetera. So we have a LAN subnet. We have a gateway subnet, which is where a VPN gateway is going to be placed. So, during creation of the on-ramp region, it spins up a virtual network, it creates a subnet. It then creates a VPN gateway inside of the gateway subnet in this newly created virtual network, and then it establishes a site-to-site VPN connection between the two VPN gateways. So let’s search for VPN gateway.

Vadim Vladimirskiy
All right. So we have two gateways. We have this one, which is our original one sitting in the primary region. We have this new one, which is the one sitting here. And if we click on it and we look at connections, we’ll notice that there’s going to be a connection from the primary to this one. Right? So we have these two connections. You don’t see them in the UI here just because they’re sort of behind the scenes, system-type connections. So they’re not visible here, but we’ve basically just taken a VPN from the LAN here and connected it to a VPN gateway on the LAN of this on-ramp region.

Vadim Vladimirskiy
So that sets up the networking infrastructure: a virtual network, a subnet, a gateway subnet, a VPN gateway, and then a connection to tie them back together, so now the two networks can talk to each other. We then spin up an RD Gateway VM inside of this new network. So again, let’s go back into our network view. So we have our virtual networks, we have our on-ramp region East US 2, and then we can go to connected devices, and boom, you see there is an RDGW02 network card. You can see it’s got 10.126.1.18; you will recall that the RD Gateway over here is 10.125.254.18, so that is the difference in IP address there.

Vadim Vladimirskiy
The subnet: the second octet is different and the third octet is different because this is on the LAN, and then associated with this particular NIC is obviously the server that it’s connected to. It’s connected to a server called RDGW02; this is a new VM that was created. And if you look at the network security group configuration that it is assigned, so if we look at effective security groups, you’ll notice that it has some inbound rules. As soon as those come up, you’ll notice that the inbound rules allow internet traffic into that VM over the HTTP, HTTPS, and RDP ports. So users can actually connect to this RD Gateway. Okay?

Vadim Vladimirskiy
Now let’s look at it from the Nerdio UI perspective. If we go under Servers, we’ll have two RD Gateways. One is going to be in the primary region, so there’s nothing really highlighted here of where it’s at. And now you have a new one. Okay? So you see this one is in the primary region, and now you have RDGW02, and this guy is in the on-ramp region East US 2. Okay? So that’s what happens when you click to add a new region and you let it go over the course of an hour. It builds a network, sets up a site-to-site VPN, spins up an RDGW02 and adds it into the network.

Vadim Vladimirskiy
All right, now why would you want to do something like that? Right? What is the purpose of setting up an on-ramp region? So there are a few things that change in the UI when you add an on-ramp region. So first, you can see that every VM will now have a region specified, because you can have VMs in all different regions, and it’s important to know where a particular VM is. So that’s number one. Number two, the most common and easy change is visible on the Generate RDP File box, right? So you’ll notice there’s a new checkbox right here that says “Connect via on-ramp region”, and it gives you the option to select from a dropdown of available on-ramp regions. By default, this is not checked. So let’s see what happens if we download an RDP file without checking that box, which is what it would look like if we did not have an on-ramp region defined in the first place.

Vadim Vladimirskiy
When you click on it, you’ll see that the remote gateway it’s sending me through is this RDS5009@Nerdio.net, which is the default gateway, which is that RDGW01 VM. Now if we do the same thing, except we select our on-ramp region and click confirm, you will notice that now it’s sending me through a different gateway. So if you look at it from a diagram perspective, the first RDP file was sending me through this RD Gateway, and it would be appropriate for a user who is geographically close to the primary region.

Vadim Vladimirskiy
Now, assuming this on-ramp region that we added is far away and there is a user close by to that region, giving them an RDP file that routes them through this gateway is probably going to improve their performance. Why would it do that? Because you are connecting to the gateway over the public internet, and then from that point forward you’re streaming your desktop over a site-to-site VPN connection within Azure’s network backbone. So you have higher network connectivity, or better network quality, within Azure than you have from the end user to the gateway. So this is what that file does. So let’s see if we can go ahead and connect via East US 2; you’ll see this will even be listed in the name of the RDP file.

Vadim Vladimirskiy
Okay, so we’re now connecting to this VM, which is W001, through the East US gateway. So now let’s try connecting to the same desktop over a different gateway. And as you would expect, because we are still connecting to the very same desktop, my previous session should end. Okay, that session ended, as you see. And now I picked up that session, so I’m still connecting to the same desktop, except I’m connecting to that desktop through a different gateway. So the public internet leg of the trip of the traffic is much shorter, because I’m connecting through a gateway that’s in a region that’s physically closest to me.

Vadim Vladimirskiy
Imagine a scenario where you have a deployment in the US and you have users in the UK, for instance. You could spin up a UK region with a remote gateway in it, and you can give your users RDP files, by doing what I showed you just now, to that on-ramp region. The UK users would use that file when they’re in their home office, get onto the network, get onto the Azure backbone locally, then traverse that network over a site-to-site VPN back to the US primary region. Okay, so that’s one way to do it.

Vadim Vladimirskiy
The next thing to keep in mind is that you can actually place the user’s desktop into that on-ramp region. So for instance, if we are going to be adding a new VDI user, we now have a checkbox here, and if I don’t check it, it’s going to place the VM like it normally would in the primary region. But if I do check this box, it’s actually going to create that VM in our East US 2 on-ramp region. And then once the user is connecting to that VM, not only will they be routing through a gateway that’s in this on-ramp region, but their actual desktop is going to be sitting here as well. So the desktop performance is going to be better, right? It’s not only that we’re shortening the public internet leg of the journey, but we’re actually shortening the entire journey to the desktop.

Vadim Vladimirskiy
Now, what we are lengthening is this: we are taking this desktop, putting it in the on-ramp region, which means we’re moving it farther away from any data and applications that may be in the primary region. So imagine there is, you know, QuickBooks running on an application server. If you have a VM that’s over here, it’s communicating to that QuickBooks application, QuickBooks data, over the local LAN, right? So gigabit or more, ten-gigabit type of connectivity. If I place a user’s desktop into the on-ramp region, my desktop streaming performance is going to be great, because it’s going to be very close to me geographically, low latency and everything. But my QuickBooks client is going to have to be pulling data over a site-to-site VPN, across our LAN effectively, from another region. So you really have to make an architectural decision: what makes more sense? Does it make sense to move the entire desktop and make it closer to the user? Or is it sufficient to just point the user to the remote gateway? And testing that is pretty easy.

Vadim Vladimirskiy
So you can start out by just pointing the user to the gateway and see how the performance is, and if that’s not sufficiently good, then you move the desktop. Again, the trade-off is that you’re moving the client PC, or the client desktop, farther away from its data, if there’s any data in this particular environment. Okay, so this makes sense for VDI. When you’re creating a new VDI user, you get to choose where to place that desktop. When you are creating an RDS user, you don’t really get to choose which region to place the desktop in, but it does tell you which region each of these possible RDS servers or RDS collections is located in. Right? So it kind of lists it down here.

Vadim Vladimirskiy
Now, how do you put an RDS collection into an on-ramp region? That’s pretty easy. You go back to the Servers screen, and remember we now have a new line item down here that shows you what region it’s in. So here, when you add a new server, for instance, you now have another checkbox; you can check this, select East US 2, and now this server that I’ll create will end up being in the East US 2 location, in that network, behind that VPN connection. And it will talk to the RD Gateway, I’m sorry, it will talk to the domain controller over that site-to-site VPN connection as well. So that’s one thing you can do. When you clone an RDS session host, it does kind of the same thing: it gives you the option of placing that session host into the on-ramp region. Or when you’re adding a collection, you now also have another option where you can decide to place it into that region.

Vadim Vladimirskiy
Okay, so basically it’s a way of extending the functionality of the Nerdio deployment geographically: across server VMs by deciding where to place them, and across desktop VMs by either deciding where to place those desktop VMs, RD session hosts or collections, or at the very least routing the data through the on-ramp region using just the gateway. Okay, so the minimum required infrastructure is a VPN gateway and RDGW02, 03, et cetera. So let’s say that’s going to be list price: $100 for that additional VM, plus about $25 to $27 for the VPN connection.

Vadim Vladimirskiy
And it’s also important to remember the way bandwidth pricing, or transfer pricing, works in Azure: when you are connecting to an Azure region, you’re not charged for any bandwidth ingress, or anything coming into the region from your client device that may be right here. There’s no charge for that. But anything leaving a region, no matter where it goes, is billable. So if you have a user that is sitting, let’s say, right here, and connecting to this RD Gateway, and they’re consuming, you know, X amount of bandwidth, they’re going to be charged whatever the cost of that bandwidth is, leaving the primary region and going out, arriving at that user’s computer. If you have a user over here that is sitting and connecting to an RD Gateway in the on-ramp region, then that RD Gateway tunnels that traffic over the site-to-site VPN to a particular desktop. So the traffic is now traversing two data center regions: it leaves from this desktop out of this region, right?

Vadim Vladimirskiy
So it leaves the primary region, enters the on-ramp region, and then leaves again out of the on-ramp region. So you basically just doubled the cost of your RDP streaming traffic by having an on-ramp region and having the user connected on preacher. Now, the cost of bandwidth is fairly minimal. We see somewhere between a dollar and $3 for RDP traffic per user per month. So it’s not a huge amount of cost, and it certainly may be well worth it for improved performance, but it is going to be an increased bandwidth consumption. Now, if you were to place the desktop here, what would happen is now you’re only transferring that RDP streaming bandwidth once, right? Because you have your desktop right here, you have your client right here, and you have the data that’s going from the desktop to the client leaving only one region.

Vadim Vladimirskiy
However, depending on how chatty that desktop is to whatever applications or databases are on the LAN, you now have data that’s leaving this region over the VPN, coming into this on-ramp region to the desktop. Whereas if the desktop was right here, this would all be within the same region, and there would be no bandwidth costs for that data transfer.
