
 

 
 
Architecting Enterprise-Ready Networking Solutions in Azure

Peter De Tender | peter@pdtit.be | @pdtit


 
 

www.AzurePlatformExperts.com
Online Conference – EVENTS.COLLAB365.COMMUNITY – June 17th and 18th 2015
Peter De Tender
www.AzurePlatformExperts.com
Microsoft Azure Architect & Trainer
Microsoft Certified Trainer – MCT
Microsoft Learning Regional Lead
Microsoft Azure MVP (2013-2017)
Ex-Microsoft Azure Engineering PM
Book author for Packt Publishing & Apress
Courseware Author and Trainer
Technical Writer

Email: apes@azureplatformexperts.com
Twitter: @AzureAPEs
Facebook: www.facebook.com/AzureAPEs
LinkedIn: http://www.linkedin.com/in/pdtit
AGENDA
• Azure Networking Resources
• Building a Hybrid Network Topology
• Advanced Azure Networking features
• Demos
Azure Networking Picture

Azure Datacenters all over the globe, running cloud workloads

Virtual Network
• “Bring your own network”
• Segment with subnets and security groups
• Control traffic flow with user defined routes
• Network Security Groups

Front-End Access
• Load Balancing Solutions
• Public & Private IPs
• Azure DNS
• DDoS Protection
• Direct VM Access (RDP/SSH)

Back-End Access
• VPN Gateways
• Point-to-Site VPN
• Site-to-Site VPN
• ExpressRoute
• VNet Peering

Azure Provides End-to-End Enterprise Ready Networking Solutions
Azure Core Networking

Azure Networking Components
[Figure: numbered diagram (1–6) of the Azure networking components; only the callout numbers survived extraction]
Microsoft Azure Virtual Networks (VNETs)
• Logical isolation with control over the network
• Create subnets and isolate traffic with network security groups
• Support for Static IP addresses
• Support for Internal Load Balancing
• DNS support
• Hybrid Connectivity Support
  • Site-to-Site
  • Point-to-Site
  • ExpressRoute

Diagram: Virtual Network – Address Space: 10.0.0.0/16, DNS: 10.0.0.4 & 10.0.0.5
  Subnet: AD (CIDR: 10.0.0.0/24) – AD-VM-01 10.0.0.4, AD-VM-02 10.0.0.5
  Subnet: WEB (CIDR: 10.0.1.0/24) – IIS-VM-01 10.0.1.4, IIS-VM-02 10.0.1.5
Address Space and Subnets
• One or more non-overlapping address spaces
• Define subnets out of the available address spaces in the virtual network using Classless Inter-Domain Routing (CIDR)

Diagram: Address Spaces → Subnets
Bring Your Own DNS
• Specify DNS Servers at the Virtual Network Level
  • Hosted in an Azure VM
  • External
  • On-Premises (with hybrid connection)
• Virtual Machines are assigned specified DNS at boot
• If DNS is added after a virtual machine is running, a reboot is required for assignment.

Diagram: Virtual Network – Address Space: 10.0.0.0/16, DNS: 10.0.1.100 & 10.0.1.101
  Subnet: AD (CIDR: 10.0.1.0/24) – AD-VM-01 10.0.1.100, AD-VM-02 10.0.1.101
  Subnet: WEB (CIDR: 10.0.2.0/24) – IIS-VM-01 10.0.2.4, IIS-VM-02 10.0.2.5
Public IP Address
• A public IP can be assigned directly to a network interface or a load balancer
• Supports static (reserved) or dynamic assignment
• Optionally supports specifying a DNS label
• Configurable idle timeout
• First 5 static IPs are free

Diagram: VM1 – vm1.westus.cloudapp.azure.com (41.67.231.67); App-lb.westus.cloudapp.azure.com (104.40.27.222); VM2 – vm2.westus.cloudapp.azure.com (54.67.27.87)
Private IP Assignment Rules
• IPs are allocated based on order of provisioning of Network Interface Cards (1st 4 IPs are reserved)
  • Subnet Web: 10.0.1.0/24
  • 1. NIC-01 = 10.0.1.4 Initial Provisioning
  • 2. NIC-02 = 10.0.1.5 Initial Provisioning
• Use Static Private IP addresses to retain IP regardless of order
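The address-space, subnet and private IP rules from the last three slides, modelled in Python as an added example (not code from the deck or from Azure itself): address spaces must not overlap, subnets are carved from them in CIDR notation, the first four addresses of every subnet are reserved so NICs receive .4, .5, ... in provisioning order, and a static private IP pins a NIC regardless of that order. The VNet and NIC names are constructed for the example; Azure additionally reserves the last address of each subnet (broadcast), which the model reserves too.

```python
import ipaddress

RESERVED_LEADING = 4  # .0 network, .1 default gateway, .2 and .3 Azure DNS


class VirtualNetwork:
    """Address spaces, subnets and per-subnet private IP allocations (constructed model)."""

    def __init__(self, name, address_spaces):
        self.name = name
        self.address_spaces = [ipaddress.ip_network(a) for a in address_spaces]
        # Rule: one or more NON-overlapping address spaces per VNet
        for i, a in enumerate(self.address_spaces):
            for b in self.address_spaces[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"address spaces {a} and {b} overlap")
        self.subnets = {}       # subnet name -> ip_network
        self.allocations = {}   # subnet name -> {ip_address: nic name}

    def add_subnet(self, name, cidr):
        """Subnets are defined in CIDR notation out of the VNet's address spaces."""
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(space) for space in self.address_spaces):
            raise ValueError(f"{net} is outside the address spaces of {self.name}")
        for other in self.subnets.values():
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps existing subnet {other}")
        self.subnets[name] = net
        self.allocations[name] = {}
        return net

    @staticmethod
    def usable(subnet):
        """Addresses a NIC may receive: skip the first four and the broadcast address."""
        return list(subnet)[RESERVED_LEADING:-1]

    def attach_nic(self, subnet, nic, static_ip=None):
        """Allocate the next free dynamic address, or validate and pin a static one."""
        net = self.subnets[subnet]
        taken = self.allocations[subnet]
        if static_ip is not None:
            ip = ipaddress.ip_address(static_ip)
            if ip not in self.usable(net):
                raise ValueError(f"{ip} is reserved or outside {net}")
            if ip in taken:
                raise ValueError(f"{ip} is already allocated to {taken[ip]}")
        else:
            ip = next(h for h in self.usable(net) if h not in taken)
        taken[ip] = nic
        return str(ip)

    def release_nic(self, subnet, nic):
        """Deallocating a NIC frees its dynamic address for the next provisioning."""
        self.allocations[subnet] = {
            ip: owner for ip, owner in self.allocations[subnet].items() if owner != nic
        }


def demo():
    """Reproduce the slide's NIC-01 = .4, NIC-02 = .5 sequence, then show why static IPs matter."""
    vnet = VirtualNetwork("vnet-prod", ["10.0.0.0/16"])
    vnet.add_subnet("Web", "10.0.1.0/24")
    first = vnet.attach_nic("Web", "NIC-01")          # 10.0.1.4
    second = vnet.attach_nic("Web", "NIC-02")         # 10.0.1.5
    pinned = vnet.attach_nic("Web", "NIC-03", static_ip="10.0.1.50")
    # Deallocate NIC-01 and provision another NIC before re-creating it:
    # the dynamic address moves, the static one does not.
    vnet.release_nic("Web", "NIC-01")
    vnet.attach_nic("Web", "NIC-04")                  # takes 10.0.1.4
    reprovisioned = vnet.attach_nic("Web", "NIC-01")  # now 10.0.1.6
    return first, second, pinned, reprovisioned


def validation_errors():
    """Collect the messages for three invalid plans: overlapping spaces, foreign subnet, reserved IP."""
    errors = []
    try:
        VirtualNetwork("bad", ["10.0.0.0/16", "10.0.128.0/17"])
    except ValueError as exc:
        errors.append(str(exc))
    vnet = VirtualNetwork("ok", ["10.0.0.0/16"])
    try:
        vnet.add_subnet("Outside", "192.168.0.0/24")
    except ValueError as exc:
        errors.append(str(exc))
    vnet.add_subnet("AD", "10.0.1.0/24")
    try:
        vnet.attach_nic("AD", "NIC-X", static_ip="10.0.1.2")  # Azure DNS address, reserved
    except ValueError as exc:
        errors.append(str(exc))
    return errors


if __name__ == "__main__":
    print(demo())
    print(*validation_errors(), sep="\n")
```

The re-provisioning step in `demo()` is the practical reason for the slide's last bullet: a domain controller or DNS server that is referenced by address (as on the "Bring Your Own DNS" slide) must hold a static private IP, otherwise a deallocate/start cycle can hand its address to another NIC.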
DEMO
• Azure Core Networking

Azure Load Balancing

Azure Load Balancing Solutions
1) Azure Load Balancer
• “Typical Load Balancing” on Layer 4
• External or Internal Load Balancing
• Support for TCP and UDP Protocols
• Health Probe (http or tcp)
Intranet Solution using Internal Load Balancer
On Premises (192.168.0.0/16): AD-DC-01 192.168.0.1, AD-DC-02 192.168.0.2, Other Servers
Access intranet over hybrid connection (http://intranet, https://intranetapp)
Hybrid Connection → Virtual Network – Address Space: 10.0.0.0/16
Subnet Web: 10.0.1.0/24, AV Set: WEB, Load Balanced IP: 10.0.1.100
  WEB-01 Subnet WEB 10.0.1.4
  WEB-02 Subnet WEB 10.0.1.5
  WEB-03 Subnet WEB 10.0.1.6
N-Tier Application with Load-Balanced Middle Tier
Virtual Network Address Space: 10.0.0.0/16
AV Set: WEB – External Load-Balanced Endpoint 137.135.67.39 (http://company.com)
  WEB-01 Subnet WEB 10.0.1.4
  WEB-02 Subnet WEB 10.0.1.5
  WEB-03 Subnet WEB 10.0.1.6
AV Set: APP – Internal Load-Balanced Endpoint 10.0.2.100
  APP-01 Subnet APPS 10.0.2.4
  APP-02 Subnet APPS 10.0.2.5
  APP-03 Subnet APPS 10.0.2.5
Azure Load Balancing Solutions
2) Azure Application Gateway
• Application Load Balancing on Layer 7
• HTTP/HTTPS protocols only
• Session cookie affinity
• SSL offloading
• URL rerouting

Diagram: App Gateway (Load Balancing, Cookie Affinity, Web Application Firewall (WAF), SSL Offload) receives HTTP & HTTPS and distributes to IIS-VM-01, IIS-VM-02, IIS-VM-03
Network Security Groups (NSG)

Network Security Groups Overview
• Enables network segmentation & DMZ scenarios
• NSG contains a list of ACL Rules that Allow/Deny Network Traffic to VMs in a Virtual Network
• Restrict traffic from or to external or internal sources, but only within the region where it was created
• Manage using Portal, Template, or Command line

Property Limits
• Number of NSGs associated to a subnet, VM, or Network Interface: 1
• NSGs per region per subscription: 100*
• NSG rules per NSG: 200*
Network Security Groups Example
Virtual Network – Address Space: 10.0.0.0/16

Subnet Web: 10.20.1.0/24 – IIS-VM-01 (10.20.1.4), IIS-VM-02 (10.20.1.5)
Allowed via WebSecurityGroup:
  SRC ADDRESS PREFIX: INTERNET
  SRC PORT RANGE: *
  DEST PORT RANGE: 80
  DEST ADDRESS PREFIX: 10.20.1.0/24

Subnet SQL: 10.20.2.0/24 – SQL-VM-01 (10.20.2.4), SQL-VM-02 (10.20.2.5), SQL-VM-03 (10.20.0.6)
Allowed via SQLSecurityGroup:
  SRC ADDRESS PREFIX: 10.20.1.0/24
  SRC PORT RANGE: *
  DEST PORT RANGE: 1433
  DEST ADDRESS PREFIX: 10.20.2.0/24
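The two security groups from the slide, evaluated the way an NSG processes inbound rules: lowest priority number first, first match wins, and Azure's three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sit behind the custom ones. This is an added example, not the deck's or Azure's code; rule names, priorities and the client address 8.8.8.8 (standing in for an Internet source) are constructed, and the VirtualNetwork tag is assumed to mean 10.20.0.0/16 so that it covers the slide's subnets. The last two cases show the check a reviewer should run on an NSG like SQLSecurityGroup: on its own it does not block RDP from the web tier, because AllowVnetInBound still matches; a hardened copy adds an explicit VirtualNetwork deny below the intended allows.

```python
import ipaddress
from dataclasses import dataclass

VNET_SPACE = ipaddress.ip_network("10.20.0.0/16")          # assumed VirtualNetwork tag scope
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")     # AzureLoadBalancer tag (health probes)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    src: str        # CIDR, "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    src_ports: str  # "*", "n" or "a-b"
    dst: str
    dst_ports: str
    protocol: str   # "Tcp", "Udp" or "*"
    action: str     # "Allow" or "Deny"


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "Internet":               # anything outside private space
        return not ip.is_private
    if spec == "VirtualNetwork":
        return ip in VNET_SPACE
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec)


# Azure's default inbound rules, always present behind the custom ones
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "*", "Deny"),
]

# The slide's two groups, as priority-100 rules (names constructed)
WEB_NSG = [Rule("AllowHttpFromInternet", 100, "Internet", "*", "10.20.1.0/24", "80", "Tcp", "Allow")]
SQL_NSG = [Rule("AllowSqlFromWeb", 100, "10.20.1.0/24", "*", "10.20.2.0/24", "1433", "Tcp", "Allow")]
# Hardened SQL group: deny everything else from inside the VNet before the default allow
SQL_NSG_HARDENED = SQL_NSG + [
    Rule("DenyOtherVnetInBound", 4000, "VirtualNetwork", "*", "*", "*", "*", "Deny"),
]


def evaluate(rules, src_ip, src_port, dst_ip, dst_port, protocol="Tcp"):
    """Return (action, matching rule name) for one inbound flow."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _addr_match(r.src, src_ip) and _port_match(r.src_ports, src_port)
                and _addr_match(r.dst, dst_ip) and _port_match(r.dst_ports, dst_port)):
            return r.action, r.name
    raise AssertionError("DenyAllInBound always matches")


def demo():
    internet, web, sql = "8.8.8.8", "10.20.1.4", "10.20.2.4"   # constructed sample flows
    return {
        "internet->web:80": evaluate(WEB_NSG, internet, 51000, web, 80),
        "internet->web:443": evaluate(WEB_NSG, internet, 51000, web, 443),
        "web->sql:1433": evaluate(SQL_NSG, web, 51000, sql, 1433),
        "internet->sql:1433": evaluate(SQL_NSG, internet, 51000, sql, 1433),
        "web->sql:3389": evaluate(SQL_NSG, web, 51000, sql, 3389),
        "web->sql:3389 hardened": evaluate(SQL_NSG_HARDENED, web, 51000, sql, 3389),
        "probe->sql:1433 hardened": evaluate(SQL_NSG_HARDENED, "168.63.129.16", 51000, sql, 1433),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:28} {verdict[0]:5} ({verdict[1]})")
```

The probe case is why the explicit deny is scoped to the VirtualNetwork tag rather than `*`: the load balancer's health-probe source is outside the VNet space, so the default AllowAzureLoadBalancerInBound rule still lets probes through and the backend is not marked unhealthy.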
DEMO
• Network Security Group

User Defined Routing
Azure Default Network Routing
• Traffic automatically flows between virtual machines in different subnets and even address spaces
• Azure has built-in default routes:
  • Routing within a subnet
  • From a subnet to another subnet in the same virtual network
  • To the Internet
  • Virtual Network to Virtual Network using a VPN Gateway
  • Virtual Network to on-premises using a VPN Gateway
User Defined Routes
• Control traffic flow in your network with custom routes
• Attach route tables to subnets
• Specify next hop for any address prefix
• Set default route to force tunnel all traffic to on-premises or appliance

Diagram: Virtual Network with a FrontEnd Subnet and a BackEnd Subnet; a VM with IP Forwarding (VM/Appliance) sits between them. Routes shown: System Route (FrontEnd to BackEnd), Default Route (to the Internet) and a User Defined Route that sends traffic through the VM/Appliance.
Forced Tunneling
• “Force” or redirect Internet-bound traffic to an on-premises site (per subnet)
• Auditing & inspecting outbound traffic from Azure
• Needed by many scenarios for critical security and IT policy requirements
• Requires a Route-based Gateway

Diagram: On-Premise Network with a Security Device; Virtual Network with Subnet BackEnd and Subnet FrontEnd, connected to on-premises over INTERNET – IPSEC. Internet-bound traffic from the Virtual Network leaves through the on-premises Security Device.
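How the three routing slides fit together, as an added Python example (not code from the deck or from Azure): a subnet's effective routes are the system routes plus whatever its route table adds, and Azure picks the longest prefix match, preferring a user defined route over a system route for the same prefix. The VNet space, the on-premises prefix, the appliance address 10.0.2.4 and the route names are constructed. The forced-tunneling case is the 0.0.0.0/0 route to the VPN gateway; the appliance case is the same prefix pointed at an IP-forwarding VM; the last case black-holes one prefix with a more specific route than the VnetLocal /16.

```python
import ipaddress

VNET_SPACE = "10.0.0.0/16"   # assumed VNet address space
ON_PREM = "192.168.0.0/16"   # assumed on-premises prefix reached over the VPN gateway
APPLIANCE_IP = "10.0.2.4"    # assumed NVA in the BackEnd subnet, IP forwarding enabled

# A route is (prefix, next hop type, next hop IP or None, origin)


def system_routes():
    """The default routes Azure gives every subnet (subset relevant to the slides)."""
    return [
        (VNET_SPACE, "VnetLocal", None, "system"),
        (ON_PREM, "VirtualNetworkGateway", None, "system"),
        ("0.0.0.0/0", "Internet", None, "system"),
    ]


def user_route(prefix, hop_type, hop_ip=None):
    """Build a UDR entry; only the VirtualAppliance hop type carries a next-hop IP."""
    if hop_type == "VirtualAppliance" and hop_ip is None:
        raise ValueError("VirtualAppliance routes need the appliance IP as next hop")
    if hop_type != "VirtualAppliance" and hop_ip is not None:
        raise ValueError(f"{hop_type} routes do not take a next-hop IP")
    ipaddress.ip_network(prefix)  # validates the prefix
    return (prefix, hop_type, hop_ip, "user")


def resolve(routes, dst_ip):
    """Effective next hop for dst_ip: longest prefix wins, UDR beats system on a tie."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop_type, hop_ip, origin in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        rank = (net.prefixlen, 1 if origin == "user" else 0)
        if best is None or rank > best[0]:
            best = (rank, hop_type, hop_ip)
    return best[1], best[2]


def demo():
    default = system_routes()
    forced = default + [user_route("0.0.0.0/0", "VirtualNetworkGateway")]
    via_nva = default + [user_route("0.0.0.0/0", "VirtualAppliance", APPLIANCE_IP)]
    blackhole = default + [user_route("10.0.3.0/24", "None")]
    return {
        "default internet": resolve(default, "8.8.8.8"),
        "default vnet": resolve(default, "10.0.1.5"),
        "default onprem": resolve(default, "192.168.0.1"),
        "forced internet": resolve(forced, "8.8.8.8"),
        "forced vnet": resolve(forced, "10.0.1.5"),
        "nva internet": resolve(via_nva, "8.8.8.8"),
        "nva onprem": resolve(via_nva, "192.168.0.1"),
        "blackholed subnet": resolve(blackhole, "10.0.3.7"),
    }


if __name__ == "__main__":
    for case, hop in demo().items():
        print(f"{case:18} -> {hop}")
```

Two points worth noticing in the output: forced tunneling changes only the Internet-bound flows, because VnetLocal and the on-premises /16 are longer matches than /0, and an appliance route needs the appliance's own subnet to keep a route that does not loop back through it.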
VNet Peering

VNET Peering
• Connect two VNETs in the same region
• Utilizes the Azure Backbone network
• Appear as one network for connectivity
• Managed as separate resources

Virtual Machines will experience the exact same throughput for a peered VNET as they do on the same VNET
Why Have Multiple VNets?
• Most common in Enterprise Agreements with multiple subscriptions
  • Segregating Billing
  • Segregating Admin
• A VNet cannot span subscriptions

Diagram: three VNets (Marketing, IT, HR), each with the same stack: External LB, FW, ADDC, Internal LB, IIS, SQL, Monitoring
Benefits of VNET Peering
• Low-latency, high-bandwidth connection between resources in different VNETs
• No bandwidth restriction (besides those imposed on VM series/size)
• Ability to use resources as transit points in a peered VNET (between ARM VNets only)
• Reduced Infrastructure
• Connect VNETs that use ARM model to a VNET that uses Classic model and enable full connectivity between resources (same subscription only)

Diagram: a Resource Manager VNET peered with a Classic VNET
Caveats of VNET Peering
• VNet peering is between 2 virtual networks, and there is no derived transitive relationship
• VNet address spaces cannot overlap
• Peered VNets can be in different subscriptions
• Must be linked to the same Azure AD tenant
• Exception – If 1 VNet is ARM and the other is Classic

Diagram: VNets A, B and C with Peering (A-B) and Peering (B-C); there is no implied peering (A-C)
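The peering caveats as checks, in an added Python example (not the deck's or Azure's code): a peering is refused when the two VNets overlap, sit in different regions, belong to different Azure AD tenants, or mix ARM and Classic across subscriptions, and reachability is the A-B / B-C diagram, where A still cannot reach C. The `transitive_would_reach` method computes what a naive "peerings chain" model would claim, purely to contrast it with the real rule. VNet names, regions, tenant and subscription identifiers and address spaces are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Vnet:
    name: str
    region: str
    tenant: str          # Azure AD tenant the subscription is linked to
    subscription: str
    address_spaces: list
    model: str = "ARM"   # "ARM" or "Classic"

    def networks(self):
        return [ipaddress.ip_network(a) for a in self.address_spaces]


class PeeringFabric:
    """Registry of VNets and the peerings between them (constructed model)."""

    def __init__(self):
        self.vnets = {}
        self.links = set()   # one frozenset({a, b}) per peering

    def add(self, vnet):
        self.vnets[vnet.name] = vnet

    def peer(self, a, b):
        """Create peering a-b after applying the caveats from the slide."""
        va, vb = self.vnets[a], self.vnets[b]
        if va.region != vb.region:
            raise ValueError(f"{a} and {b} must be in the same region")
        if va.tenant != vb.tenant:
            raise ValueError(f"{a} and {b} must be linked to the same Azure AD tenant")
        if {va.model, vb.model} == {"ARM", "Classic"} and va.subscription != vb.subscription:
            raise ValueError("ARM-to-Classic peering is only supported within one subscription")
        for na in va.networks():
            for nb in vb.networks():
                if na.overlaps(nb):
                    raise ValueError(f"address spaces {na} ({a}) and {nb} ({b}) overlap")
        self.links.add(frozenset({a, b}))

    def reachable(self, src, dst):
        """Only a direct peering carries traffic: A-B and B-C do not imply A-C."""
        return frozenset({src, dst}) in self.links

    def transitive_would_reach(self, src, dst):
        """What a (wrong) transitive model would claim: breadth-first search over peerings."""
        seen, frontier = {src}, [src]
        while frontier:
            cur = frontier.pop()
            for link in self.links:
                if cur in link:
                    (nxt,) = link - {cur}
                    if nxt not in seen:
                        seen.add(nxt)
                        frontier.append(nxt)
        return dst in seen


def demo():
    """The slide's diagram: peerings A-B and B-C, no implied A-C."""
    fabric = PeeringFabric()
    for name, space in (("A", "10.1.0.0/16"), ("B", "10.2.0.0/16"), ("C", "10.3.0.0/16")):
        fabric.add(Vnet(name, "westeurope", "tenant-1", "sub-1", [space]))
    fabric.peer("A", "B")
    fabric.peer("B", "C")
    return {
        "A-B": fabric.reachable("A", "B"),
        "B-C": fabric.reachable("B", "C"),
        "A-C": fabric.reachable("A", "C"),
        "A-C if transitive": fabric.transitive_would_reach("A", "C"),
    }


def rejected_peerings():
    """Three peerings that the caveats refuse; returns the reasons."""
    fabric = PeeringFabric()
    fabric.add(Vnet("A", "westeurope", "tenant-1", "sub-1", ["10.1.0.0/16"]))
    fabric.add(Vnet("D", "westeurope", "tenant-1", "sub-2", ["10.1.128.0/17"]))  # overlaps A
    fabric.add(Vnet("E", "northeurope", "tenant-1", "sub-1", ["10.5.0.0/16"]))   # other region
    fabric.add(Vnet("F", "westeurope", "tenant-1", "sub-2", ["10.6.0.0/16"], model="Classic"))
    errors = []
    for other in ("D", "E", "F"):
        try:
            fabric.peer("A", other)
        except ValueError as exc:
            errors.append(str(exc))
    return errors, len(fabric.links)


if __name__ == "__main__":
    print(demo())
    print(*rejected_peerings()[0], sep="\n")
```

The non-transitivity is a design constraint to plan for, not a bug to route around: a hub VNet that must carry traffic between spokes needs the "transit point" capability from the benefits slide (gateway transit, ARM VNets only), and every spoke's address space still has to be unique across the whole hub.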
DEMO
• VNet Peering

Azure Networking Monitoring
Azure Network Watcher
• Recently added Networking feature, providing
  – Topology
  – Variable Packet Capture
  – IP Flow Verify
  – Next Hop
  – Diagnostics Logging
  – Security Group View
  – NSG Flow Logging
  – VPN Gateway Troubleshooting
  – Network Subscription Limits
  – Role Based Access Control
  – Connectivity
Azure Network Monitor
• Centralized hub for different Azure Resources Monitoring aspects:
  • Alerts
  • Metrics
  • Log Analytics
  • Service Health
  • Application Insights
  • Network Watcher
Azure Security Center
• Centralized Dashboard, focusing on Security posture of Azure and hybrid systems and applications
• Active in 3 different areas:
  • General Security View
  • Prevention
  • Detection
• Networking Features:
  • Networking Recommendations
  • Internet Facing Endpoints security view
  • Networking Topology security view
DEMO
• Azure Network Watcher
• Azure Security Center
Stay tuned for more great sessions …