Using private routing with the Teams Connector

Private routing enables traffic between Pexip Infinity and a Teams Connector to go over a private/internal network instead of the public internet.

Standard Teams Connector deployments require public-facing Proxying Edge Nodes to establish connectivity between Pexip Infinity and the Teams Connector in Azure (this still applies even if the Pexip Infinity deployment resides solely in Azure). In addition to increased privacy and security, enabling private routing between the Pexip Infinity and Teams Connector deployments also has the benefit of removing the dependency on proxying nodes — instead you can set up virtual network peering between your Pexip Infinity platform and the Teams Connector.

Deployment environments and inter-network connectivity options

Your Pexip Infinity platform can be hosted in any of our supported deployment environments. Your choice of environment influences how you can set up links between your Pexip Infinity network and the Teams Connector network in Azure:

  • If your Pexip Infinity deployment is also in Azure you can use VNET peering. Hosting everything in Azure may provide the best security/isolation, and Azure Virtual Network Peering should also offer the lowest latency between the two platforms if your Pexip Infinity deployment resides entirely within the same Azure region as your Teams Connector (although you must also consider the latency between your endpoints and Pexip Infinity).
  • If your Pexip Infinity deployment is hosted in another cloud provider such as AWS or GCP, you will need to use some form of cross-cloud interconnect solution, such as a VPN Gateway to set up a VPN connection between the two environments.
  • If you have an on-premises Pexip Infinity deployment you can use a site-to-site VPN between the on-premises network and Azure, or use a solution such as Azure ExpressRoute.

Requirements

Here are the requirements for setting up private routing:

  • The link that connects the Teams Connector VNET to the other private network where Pexip Infinity is deployed (by whichever method — VNET peering within Azure, a site-to-site VPN, ExpressRoute to an on-premises network, or a cross-cloud interconnect) must be configured to:

    • Route the IP address range of the Teams Connector VNET from the private network to the Teams Connector VNET, and
    • Route the IP address range of Pexip Infinity from the Teams Connector VNET to the private network.

    To achieve this, the following requirements must be met:

    • Unique addressability within the entire private network: when you connect the VNET of a Teams Connector installation to another private network, you need to ensure that the address space of the Teams Connector VNET and its subnets is unique, i.e. it cannot overlap with any existing VLAN, subnet or other network resource in the connected private network. This ensures the link can route requests to the correct destination.
    • Two-way routability between Pexip Infinity and the Teams Connector: the network must be able to route requests from Pexip Infinity to the Teams Connector deployment and requests from the Teams Connector deployment to Pexip Infinity over the link that connects the existing private network to the Teams Connector VNET.
  • A split-DNS setup is required as Pexip Infinity must be able to resolve the FQDN of the Teams Connector load balancer to its private IP address, but Microsoft Teams must also be able to resolve the FQDN to its public IP address. Thus you must have the relevant A records both in internal DNS and public DNS. You can achieve the necessary internal DNS requirements by configuring a DNS A record in a private DNS zone in Azure, if required.
  • Note that the TLS certificate installed on the Teams Connectors still must be a publicly-signed certificate.
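The address-plan rules above (no overlap with the connected private network, subnets inside the VNET, Azure's five reserved addresses per subnet) are easy to get wrong by hand. The following is an added PowerShell check, not part of the Pexip documentation or its scripts, that validates a proposed Teams Connector VNET and its subnets against the Pexip Infinity ranges before anything is deployed. It needs no Az module. The ranges used in the usage call are the page's own worked example; `$PexipInfinityPrefixes` is whatever address space your Pexip Infinity platform actually uses.

```powershell
# Added example (not Pexip's code): pure-PowerShell CIDR arithmetic to validate an
# address plan for private routing. Works in Windows PowerShell 5.1 and PowerShell 7.

function ConvertTo-AddressNumber {
    # Dotted-quad IPv4 string -> integer (big-endian) so ranges can be compared numerically.
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [int64]$n = 0
    foreach ($b in $bytes) { $n = ($n -shl 8) -bor $b }
    return $n
}

function Get-CidrBounds {
    # First and last address of a CIDR block (inclusive) plus its size, as [int64] values.
    param([string]$Cidr)
    $ip, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in $Cidr" }
    $size  = [int64]1 -shl (32 - $prefix)
    $addr  = ConvertTo-AddressNumber $ip
    $first = $addr - ($addr % $size)          # align to the block boundary
    return [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1; Size = $size }
}

function Test-CidrOverlap {
    # True when the two blocks share at least one address.
    param([string]$A, [string]$B)
    $ra = Get-CidrBounds $A; $rb = Get-CidrBounds $B
    return ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

function Test-CidrContains {
    # True when $Inner lies entirely within $Outer.
    param([string]$Outer, [string]$Inner)
    $ro = Get-CidrBounds $Outer; $ri = Get-CidrBounds $Inner
    return ($ri.First -ge $ro.First) -and ($ri.Last -le $ro.Last)
}

function Test-TeamsConnectorAddressPlan {
    # Returns a list of problems; an empty list means the plan satisfies the requirements.
    param(
        [string]$VnetPrefix,              # e.g. the Teams Connector VNET range
        [string[]]$SubnetPrefixes,        # VMSS subnet and function subnet
        [string[]]$PexipInfinityPrefixes  # every range reachable in the connected private network
    )
    $problems = @()
    foreach ($p in $PexipInfinityPrefixes) {
        if (Test-CidrOverlap $VnetPrefix $p) { $problems += "VNET $VnetPrefix overlaps Pexip Infinity range $p" }
    }
    foreach ($s in $SubnetPrefixes) {
        if (-not (Test-CidrContains $VnetPrefix $s)) { $problems += "Subnet $s is not inside VNET $VnetPrefix" }
        $usable = (Get-CidrBounds $s).Size - 5     # Azure reserves 5 addresses in every subnet
        if ($usable -lt 1) { $problems += "Subnet $s has no usable addresses once Azure's 5 reserved ones are taken" }
    }
    # The Teams Connector subnets must not overlap each other either.
    for ($i = 0; $i -lt $SubnetPrefixes.Count; $i++) {
        for ($j = $i + 1; $j -lt $SubnetPrefixes.Count; $j++) {
            if (Test-CidrOverlap $SubnetPrefixes[$i] $SubnetPrefixes[$j]) {
                $problems += "Subnets $($SubnetPrefixes[$i]) and $($SubnetPrefixes[$j]) overlap"
            }
        }
    }
    return ,$problems
}

# Usage with the page's worked example: 10.20.0.0/23 VNET, /24 and /28 subnets, Pexip Infinity on 10.0.0.0/24.
$result = Test-TeamsConnectorAddressPlan -VnetPrefix '10.20.0.0/23' `
    -SubnetPrefixes @('10.20.0.0/24', '10.20.1.0/28') `
    -PexipInfinityPrefixes @('10.0.0.0/24')
if ($result.Count -eq 0) { Write-Host 'Address plan OK' } else { $result | ForEach-Object { Write-Warning $_ } }

# A plan that fails: the Teams Connector VNET reuses part of the Pexip Infinity space.
Test-TeamsConnectorAddressPlan -VnetPrefix '10.0.0.0/23' -SubnetPrefixes @('10.0.0.0/24') -PexipInfinityPrefixes @('10.0.0.0/24')
```

Run it with every range that exists in the private network, not only the Pexip Infinity subnet: the uniqueness requirement covers the whole connected network, and the link cannot route correctly if any VLAN or subnet on the far side collides with the Teams Connector VNET.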

Enabling private routing

The following instructions explain how to set up and enable private routing.

Note that steps 1 to 4 can be performed in advance of deploying the Teams Connector.

  1. Create a Teams Connector VNET:

    • You must use the create_vnet_deployment.ps1 script from the Teams Connector ZIP file. If you create the VNET manually it will not contain the prerequisites required by the Teams Connector deployment.
    • This VNET cannot overlap with the IP address space of the Pexip Infinity VNET.

      • The create_vnet_deployment.ps1 script creates a /23 VNET by default. The range of this VNET as well as its subnets can be adjusted so that they do not overlap with the Pexip Infinity VNET.
      • For example, if you deployed the Pexip Infinity VNET/subnet with range of 10.0.0.0/24, you could use a range of 10.20.0.0/23 for the Teams Connector VNET and with subnets with ranges 10.20.0.0/24 and 10.20.1.0/28.
      • If you use a smaller subnet size, such as /28, for a small Teams Connector deployment, note that Azure uses 5 of the addresses in the subnet range (see this article for details).
    • The VNET must be in the same subscription as your Teams Connector.
    • We recommend that you assign the $resourceGroupName variable in the following example script to use the static resource group for the VNET (i.e. $PxTeamsConnStaticResourceGroupName in the variables initialization script). It will be created if it does not already exist.
    • You should run your variables initialization script to set the $PxAzureLocation and $PxSubscriptionId variables.

    Using the example subnet ranges described above, you could run the create_vnet_deployment.ps1 script as:

    # Name of the resource group to use. We recommend using the static resource group i.e. $PxTeamsConnStaticResourceGroupName
    # in the variable script. For example "pexip-TeamsConn-eu-static-RG"
    # The resource group is created if it does not already exist
    $resourceGroupName = ""

    # Azure Region (must be a supported region) in lowercase: uses $PxAzureLocation in the variable script

    # Optional tags (name-value pairs) to apply to Azure resources and resource groups ($tags in the variable script)
    # For example $tags= @{"ResourceOwner"="user@domain"; "CostCenter"="Video Services";}
    $tags = @{}

    Connect-AzAccount

    Set-AzContext -SubscriptionId $PxSubscriptionId

    $exists = Get-AzResourceGroup -Name $resourceGroupName -Location $PxAzureLocation -ErrorAction SilentlyContinue
    if (!$exists) {
      New-AzResourceGroup -Name $resourceGroupName -Location $PxAzureLocation -Tag $tags
    } else {
      Write-Host "The resource group $($exists.ResourceGroupName) already exists."
    }

    # Make sure to call this script from the expanded TeamsConnector ZIP folder
    # You can assign a custom VNET name by providing a -VnetName parameter, otherwise "pexip-tc-{uid}-VNET" is used

    ./create_vnet_deployment.ps1 -ResourceGroupName $resourceGroupName -VnetAddressPrefixes @("10.20.0.0/23") -VmssSubnetAddressPrefix "10.20.0.0/24"  -FuncSubnetAddressPrefix "10.20.1.0/28" -Tags $tags

    # Example of script output:
    # Deploying VNET
    # Deployed VNET: "pexip-tc-{uid}-VNET"
    # Deployed VNET resource ID: {VNET resource ID}

  2. Set up VNET peering between the Pexip Infinity VNET and the Teams Connector VNET.

    The specific details of how you set up peering to the Teams Connector VNET depend on your Pexip Infinity environment — see the Deployment environments and inter-network connectivity options section above for more information. Also, if relevant, see Setting up peering where the Pexip Infinity platform is in Azure.

  3. If you are also following (or planning to follow) a blue-green deployment strategy, you should repeat steps 1 and 2 to set up a second VNET in the other static resource group and configure VNET peering for it:

    • Use the name of the other (e.g. "green") static resource group for the $resourceGroupName variable.
    • Ensure that the second VNET's address space does not overlap with the first VNET or the Pexip Infinity subnet range.

    We recommend setting up both VNETs as part of the initial setup so that you can plan all of your subnet assignments and simplify the first upgrade process as you will have the alternative VNET and peering already in place.

  4. Set the variables in the variable initialization script:

    $PxExistingVNETResourceId

    You must set this variable to the resource ID of the VNET created in step 1.

    • Use the output of the create_vnet_deployment.ps1 script — line "Deployed VNET resource ID: {VNET resource ID}".
    • The resource ID can also be retrieved from Azure Portal > VNET resource > JSON view > Resource ID.

    $PxUsePrivateRouting

    Set this to $true to enable private routing.

    The deployment process will create an additional internal load balancer, allowing traffic to be routed between Pexip Infinity and the Teams Connector through Microsoft's private network only.

    Note that these variables are passed as parameters (-ExistingVNETResourceId and -UsePrivateRouting) to create_vmss_deployment.ps1 in the installation and redeploy scripts.

  5. You can configure the deployed Teams Connector in the Pexip Infinity Management Node according to the main documentation.
  6. After the Teams Connector deployment has finished you must configure an additional DNS record:

    • In addition to creating a public A record pointing to the external IP of the Azure load balancer, you must also create an internal DNS record pointing to the (private) frontend IP of the internal load balancer.
    • Our recommended method for this is to create an Azure private DNS zone and set it up in the Management Node as described below. However, this could also be configured using an external DNS provider.
  7. Test that calls are working.

Setting up a private DNS zone in Azure

To create and use an Azure private DNS zone:

  1. Set up a private DNS zone in Azure for your Teams Connector domain.

  2. Create an A record specifying your Teams Connector hostname ($PxTeamsConnFqdn) pointing to the (private) frontend IP address of the load balancer.
  3. Link your DNS zone to your Pexip Infinity deployment VNET (go to Virtual Network Links > Add).
  4. In the Pexip Infinity Management Node:

    1. Add the Azure DNS zone as a DNS server (System > DNS Servers > Add DNS server).

      Use an IP address of 168.63.129.16 for the DNS virtual server (this is the Azure DNS IP address).

    2. Assign this DNS server to all the relevant system locations that need to resolve your Teams Connector FQDN (the Outgoing location used by the Call Routing Rules for your Teams calls).

Setting up peering where the Pexip Infinity platform is in Azure

The example here shows how you would set up peering to the Teams Connector VNET via the Azure portal, if your Pexip Infinity platform is also in Azure:
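As an added PowerShell equivalent of the portal procedure this section describes (example code, not a Pexip script), the following creates the two one-way peerings that make the Pexip Infinity VNET and the Teams Connector VNET mutually routable and waits until Azure reports both as Connected. It assumes both VNETs are in the subscription `$PxSubscriptionId`, takes `$PxTeamsConnStaticResourceGroupName` from the variable initialization script, and uses the hypothetical variables `$pexipVnetName`, `$pexipVnetResourceGroup` and `$teamsConnVnetName` (the name printed by create_vnet_deployment.ps1) that you replace with your own values.

```powershell
# Added example (not Pexip's code): bidirectional VNET peering with Az.Network.
$pexipVnetName          = 'pexip-infinity-VNET'   # assumption
$pexipVnetResourceGroup = 'pexip-infinity-RG'     # assumption
$teamsConnVnetName      = 'pexip-tc-{uid}-VNET'   # placeholder: use the name create_vnet_deployment.ps1 printed

function Wait-AzPeeringConnected {
    # Polls a peering until PeeringState is Connected. A peering stays Initiated until the
    # matching peering on the other VNET exists, so both must be created before this succeeds.
    param(
        [string]$ResourceGroupName,
        [string]$VirtualNetworkName,
        [string]$PeeringName,
        [int]$TimeoutSeconds = 120
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $peering = Get-AzVirtualNetworkPeering -ResourceGroupName $ResourceGroupName `
            -VirtualNetworkName $VirtualNetworkName -Name $PeeringName
        if ($peering.PeeringState -eq 'Connected') { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

Connect-AzAccount
Set-AzContext -SubscriptionId $PxSubscriptionId

$pexipVnet = Get-AzVirtualNetwork -Name $pexipVnetName -ResourceGroupName $pexipVnetResourceGroup
$tcVnet    = Get-AzVirtualNetwork -Name $teamsConnVnetName -ResourceGroupName $PxTeamsConnStaticResourceGroupName

# Peering is directional: Pexip -> Teams Connector and Teams Connector -> Pexip are separate
# resources, one in each VNET. Azure rejects the peering if the two address spaces overlap.
# Virtual network access is allowed by default; forwarded traffic and gateway transit are not
# needed for this setup, so they are left disabled.
Add-AzVirtualNetworkPeering -Name 'pexip-to-teamsconnector' -VirtualNetwork $pexipVnet -RemoteVirtualNetworkId $tcVnet.Id
Add-AzVirtualNetworkPeering -Name 'teamsconnector-to-pexip' -VirtualNetwork $tcVnet -RemoteVirtualNetworkId $pexipVnet.Id

$forwardOk = Wait-AzPeeringConnected -ResourceGroupName $pexipVnetResourceGroup `
    -VirtualNetworkName $pexipVnetName -PeeringName 'pexip-to-teamsconnector'
$returnOk  = Wait-AzPeeringConnected -ResourceGroupName $PxTeamsConnStaticResourceGroupName `
    -VirtualNetworkName $teamsConnVnetName -PeeringName 'teamsconnector-to-pexip'

if ($forwardOk -and $returnOk) {
    Write-Host 'Both peerings are Connected; the VNETs are two-way routable.'
} else {
    Write-Warning 'A peering did not reach Connected; check address-space overlap and permissions on both VNETs.'
}
```

Only the Connected state on both sides satisfies the two-way routability requirement; a single peering left in Initiated means one direction of traffic will still be dropped, which shows up as one-way signalling failures rather than a clean error.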