Architecting Enterprise-Ready
www.AzurePlatformExperts.com
Online Conference, EVENTS.COLLAB365.COMMUNITY, June 17th and 18th 2015
Peter De Tender
www.AzurePlatformExperts.com
Microsoft Azure Architect & Trainer
Microsoft Certified Trainer – MCT
Microsoft Learning Regional Lead
Microsoft Azure MVP (2013-2017)
Ex-Microsoft Azure Engineering PM
Book author for Packt Publishing & Apress
Courseware Author and Trainer
Technical Writer
Email: apes@azureplatformexperts.com
Twitter: @AzureAPEs
Facebook: www.facebook.com/AzureAPEs
LinkedIn: http://www.linkedin.com/in/pdtit
AGENDA
• Azure Networking Resources
• Building a Hybrid Network Topology
• Demos
Azure Networking Picture
Virtual Network
• “Bring your own network”
• Public & Private IPs
Front-End Access
• Load Balancing Solutions
• Azure DNS
• DDoS Protection
• Direct VM Access (RDP/SSH)
Back-End Access
• VPN Gateways
• Point-to-Site VPN
• Site-to-Site VPN
• ExpressRoute
• VNet Peering
Azure Networking Components
Diagram: numbered component overview (items 1–6)
Microsoft Azure Virtual Networks (VNETs)
• Logical isolation with control over the network
• Create subnets and isolate traffic with network security groups
• ExpressRoute
Diagram: Virtual Network, Address Space 10.0.0.0/16, DNS 10.0.0.4 & 10.0.0.5; Subnet AD, CIDR 10.0.0.0/24; Subnet WEB, CIDR 10.0.1.0/24
Address Space and Subnets
• One or more non-overlapping address spaces per virtual network
• Define subnets out of the available address spaces in the virtual network using Classless Inter-Domain Routing (CIDR) notation; subnets within a VNet must not overlap each other
Bring Your Own DNS
• Specify DNS Servers at the Virtual Network Level
• Hosted in an Azure VM
• External
• On-Premises (with hybrid connection)
Diagram: Virtual Network, Address Space 10.0.0.0/16, DNS 10.0.1.100 & 10.0.1.101; AD-VM-02 10.0.1.101; IIS-VM-02 10.0.2.5; VM1 App-lb.westus.cloudapp.azure.com 104.40.27.222; VM2 vm2.westus.cloudapp.azure.com 54.67.27.87
Private IP Assignment Rules
• IPs are allocated based on the order of provisioning of Network Interface Cards
• The first 4 addresses of every subnet are reserved by Azure (network address, default gateway, two for Azure-provided DNS); the last address (broadcast) is unusable as well, so a /24 yields 251 assignable addresses
• Subnet Web: 10.0.1.0/24
• 1. NIC-01 = 10.0.1.4 (initial provisioning)
• 2. NIC-02 = 10.0.1.5 (initial provisioning)
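The subnet rules from the two slides above, as an added worked example that is not part of the original deck: it models Azure's address reservation and provisioning-order allocation offline with the standard library, so the subnet names, the /29 sample and the NIC names are assumptions for illustration, not output from Azure.

```python
import ipaddress

# Azure reserves the first four addresses of every subnet (network address,
# default gateway, two for Azure-provided DNS) plus the last one (broadcast).
RESERVED_HEAD = 4
RESERVED_TAIL = 1


def validate_subnets(address_space, subnets):
    """Check that each subnet is carved from the VNet address space and that
    no two subnets overlap. Returns a list of problems (empty when valid)."""
    space = ipaddress.ip_network(address_space)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"subnet {name} {net} is outside address space {space}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} {nets[a]} and {b} {nets[b]} overlap")
    return problems


def usable_addresses(cidr):
    """Addresses Azure will actually hand out in a subnet, in allocation order."""
    net = ipaddress.ip_network(cidr)
    addresses = list(net)  # includes the network and broadcast addresses
    return addresses[RESERVED_HEAD:len(addresses) - RESERVED_TAIL]


def allocate_nics(cidr, nic_names):
    """Assign private IPs to NICs in provisioning order (dynamic allocation)."""
    free = usable_addresses(cidr)
    if len(nic_names) > len(free):
        raise ValueError(f"{cidr} has only {len(free)} usable addresses "
                         f"for {len(nic_names)} NICs")
    return {nic: str(ip) for nic, ip in zip(nic_names, free)}


def main():
    # Constructed layout matching the deck's VNet (assumed subnet names)
    layout = {"AD": "10.0.0.0/24", "WEB": "10.0.1.0/24"}
    print(validate_subnets("10.0.0.0/16", layout))
    print(allocate_nics("10.0.1.0/24", ["NIC-01", "NIC-02"]))
    # A /29 looks like 8 addresses but only 3 are usable after reservations
    print(len(usable_addresses("10.0.5.0/29")))


if __name__ == "__main__":
    main()
```

The /29 case is the practical reason for the rule: Azure will not let you create a subnet smaller than /29, and even that one only carries three VMs.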
DEMO
Azure Load Balancing
Azure Load Balancing Solutions
1) Azure Load Balancer
• “Typical load balancing” on Layer 4
• External or Internal Load Balancing
• Support for TCP and UDP protocols
• Health Probe (HTTP or TCP)
Intranet Solution using Internal Load Balancer
Diagram:
• On Premises 192.168.0.0/16: AD-DC-01 192.168.0.1, AD-DC-02 192.168.0.2, other servers; Hybrid Connection to the virtual network
• Virtual Network Address Space 10.0.0.0/16, Subnet Web 10.0.1.0/24, AV Set WEB: WEB-01 10.0.1.4, WEB-02 10.0.1.5, WEB-03 10.0.1.6
• Load Balanced IP 10.0.1.100, reached from on premises as http://intranet and https://intranetapp
N-Tier Application with Load-Balanced Middle Tier
Diagram: Virtual Network Address Space 10.0.0.0/16
• External Load-Balanced Endpoint 137.135.67.39 (http://company.com) → Subnet WEB: WEB-01 10.0.1.4, WEB-02 10.0.1.5, WEB-03 10.0.1.6
• Internal Load-Balanced Endpoint 10.0.2.100 → Subnet APPS: APP-01 10.0.2.4, APP-02 10.0.2.5, APP-03 10.0.2.6
Azure Load Balancing Solutions
2) Azure Application Gateway
• Application load balancing on Layer 7
• HTTP/HTTPS protocols only
• Session cookie affinity
• SSL offloading
• URL-based routing
• Web Application Firewall (WAF)
Diagram: App Gateway (HTTP & HTTPS; Load Balancing, Cookie Affinity, SSL Offload, WAF) → IIS-VM-01, IIS-VM-02, IIS-VM-03
Network Security Groups (NSG)
Network Security Groups Overview
• Enables network segmentation & DMZ scenarios
• A prioritized list of allow/deny rules matched on source, destination, port and protocol, applied to a subnet or to a network interface; the lowest priority number that matches wins, and a set of default rules (allow intra-VNet, allow the Azure load balancer, deny everything else inbound) sits at the bottom
Network Security Groups Example
Diagram: Virtual Network, Address Space 10.0.0.0/16
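NSG rule evaluation as an added worked example (not code from the original deck): a small Python model of how Azure orders custom and default inbound rules and what Network Watcher's IP Flow Verify would report for a given flow. The DMZ rule set for the WEB subnet, the rule names and the service-tag prefix lists are constructed assumptions; in real Azure the VirtualNetwork, AzureLoadBalancer and Internet tags expand to platform-maintained prefix lists.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100..4096 for custom rules; lower number wins
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR or a service tag
    source_port: str       # "*", "443", "1024-65535", "80,443"
    destination: str
    destination_port: str


# Constructed service-tag expansion for this offline model (assumption)
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "192.168.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

# Azure's default inbound rules, always present with priorities 65000+
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]


def _addr_matches(addr, spec):
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAGS.get(spec, [spec]))


def _port_matches(port, spec):
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def evaluate(rules, direction, protocol, src, src_port, dst, dst_port):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (_addr_matches(src, r.source) and _port_matches(src_port, r.source_port)
                and _addr_matches(dst, r.destination)
                and _port_matches(dst_port, r.destination_port)):
            return r.access, r.name
    return "Deny", "<no rule>"  # not reached for Inbound: DenyAllInBound catches the rest


# Constructed DMZ policy for the WEB subnet (assumption): Internet may reach 443,
# the AD subnet may reach RDP, and RDP from anywhere else is dropped explicitly
# so that the default AllowVnetInBound rule cannot let it through.
WEB_SUBNET_RULES = [
    Rule("Allow-HTTPS-Internet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "10.0.1.0/24", "443"),
    Rule("Allow-RDP-From-AD", 200, "Inbound", "Allow", "Tcp", "10.0.0.0/24", "*", "10.0.1.0/24", "3389"),
    Rule("Deny-RDP-Everywhere", 300, "Inbound", "Deny", "Tcp", "*", "*", "*", "3389"),
]

if __name__ == "__main__":
    for flow in [("Tcp", "203.0.113.7", 51000, "10.0.1.4", 443),
                 ("Tcp", "203.0.113.7", 51000, "10.0.1.4", 3389),
                 ("Tcp", "10.0.0.4", 51000, "10.0.1.4", 3389),
                 ("Tcp", "10.0.2.5", 51000, "10.0.1.4", 3389)]:
        print(flow, "->", evaluate(WEB_SUBNET_RULES, "Inbound", *flow))
```

The fourth flow is the one that bites in practice: without the explicit deny at priority 300, RDP from the APPS subnet would be allowed by the default AllowVnetInBound rule, because "segmentation" inside a VNet only exists where a rule with a lower priority number says so.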
DEMO
User Defined Routing
Azure Default Network Routing
• Traffic automatically flows between virtual machines in different subnets, and even between different address spaces of the same virtual network, through Azure's system routes
User Defined Routes
• Needed by many scenarios for critical security and IT policy requirements (for example forcing a subnet's traffic through a firewall appliance)
• Override Azure's system routes per subnet: the longest matching prefix wins, and a user-defined route beats a system route for the same prefix
Diagram: Internet, On-Premises Network, Virtual Network with Subnet FrontEnd and Subnet BackEnd
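Route selection as an added worked example (not code from the original deck): a Python model of how a subnet's effective routes are derived from Azure's system routes plus a user-defined route table, using longest-prefix match. The BackEnd route table, the NVA address 10.0.3.4 and the blocked 198.51.100.0/24 range are constructed assumptions.

```python
import ipaddress

# System routes Azure creates for the deck's 10.0.0.0/16 VNet (constructed)
SYSTEM_ROUTES = [
    ("10.0.0.0/16", "VirtualNetwork", None),   # intra-VNet traffic stays direct
    ("0.0.0.0/0", "Internet", None),           # default route to the Internet
]


def build_route_table(system_routes, user_routes):
    """Merge system and user-defined routes. A UDR with the same prefix as a
    system route replaces it, since UDRs take precedence over system routes."""
    table = {prefix: (prefix, hop_type, hop_addr)
             for prefix, hop_type, hop_addr in system_routes}
    for prefix, hop_type, hop_addr in user_routes:
        table[prefix] = (prefix, hop_type, hop_addr)
    return list(table.values())


def next_hop(routes, destination):
    """Longest-prefix match: the most specific route decides the next hop.
    Returns (next hop type, next hop address); ("None", None) means dropped."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, hop_type, hop_addr in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_addr)
    if best is None or best[1] == "None":
        return ("None", None)
    return (best[1], best[2])


# Constructed UDR for the BackEnd subnet (assumption): Internet-bound and
# on-premises traffic is forced through an NVA; one range is blackholed.
BACKEND_UDR = [
    ("0.0.0.0/0", "VirtualAppliance", "10.0.3.4"),
    ("192.168.0.0/16", "VirtualAppliance", "10.0.3.4"),
    ("198.51.100.0/24", "None", None),
]

if __name__ == "__main__":
    routes = build_route_table(SYSTEM_ROUTES, BACKEND_UDR)
    for d in ["10.0.1.4", "93.184.216.34", "192.168.0.1", "198.51.100.9"]:
        print(d, "->", next_hop(routes, d))
```

Note that replacing 0.0.0.0/0 does not touch the 10.0.0.0/16 system route: VM-to-VM traffic inside the VNet still bypasses the appliance because the /16 is the longer match. Forcing intra-VNet traffic through the NVA needs additional, more specific user routes per subnet.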
VNET Peering
• Connect two VNETs in the same region
• Utilizes the Azure Backbone network
• Appear as one network for connectivity
• Managed as separate resources
Why Have Multiple VNets?
• Most common in Enterprise Agreements with multiple subscriptions
• Segregating billing
• Segregating administration
Diagram: three VNets (Marketing, IT, HR), each behind its own External LB
Benefits of VNET Peering
• Low-latency, high-bandwidth connection between resources in different VNETs
• No bandwidth restriction (besides those imposed on VM series/size)
Caveats of VNET Peering
• VNet peering is between 2 virtual networks, and there is no derived transitive relationship
• VNet address spaces cannot overlap
• Peered VNets can be in different subscriptions
• Must be linked to the same Azure AD tenant
• Exception – if 1 VNet is ARM and the other is Classic
Diagram: Peering (A-B) and Peering (B-C) exist, but no peering (A-C) is implied
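The caveats above as an added worked example (not code from the original deck): a Python model that validates peering requests against the overlap and tenant rules and then answers reachability questions using direct links only, which is what "no transitive relationship" means operationally. The VNets A through E, their address spaces and tenant names are constructed assumptions; the ARM/Classic exception is not modeled.

```python
import ipaddress

# Constructed VNets extending the deck's A/B/C diagram (assumption)
VNETS = {
    "A": {"address_spaces": ["10.1.0.0/16"], "tenant": "contoso.onmicrosoft.com"},
    "B": {"address_spaces": ["10.2.0.0/16"], "tenant": "contoso.onmicrosoft.com"},
    "C": {"address_spaces": ["10.3.0.0/16"], "tenant": "contoso.onmicrosoft.com"},
    "D": {"address_spaces": ["10.1.128.0/17"], "tenant": "contoso.onmicrosoft.com"},
    "E": {"address_spaces": ["10.5.0.0/16"], "tenant": "fabrikam.onmicrosoft.com"},
}


def peering_errors(vnets, a, b):
    """Reasons a peering between a and b would be rejected: overlapping address
    space, or the two VNets not being linked to the same Azure AD tenant."""
    errors = []
    for x in vnets[a]["address_spaces"]:
        for y in vnets[b]["address_spaces"]:
            if ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y)):
                errors.append(f"{a} {x} overlaps {b} {y}")
    if vnets[a]["tenant"] != vnets[b]["tenant"]:
        errors.append(f"{a} and {b} are in different Azure AD tenants")
    return errors


def create_peerings(vnets, pairs):
    """Create every peering that passes validation; a peering is a symmetric link."""
    links = set()
    for a, b in pairs:
        if not peering_errors(vnets, a, b):
            links.add(frozenset((a, b)))
    return links


def can_reach(links, src, dst):
    """Peering is not transitive: only a direct link between src and dst counts.
    A-B plus B-C never yields A-C (that needs a third peering or a gateway/NVA)."""
    return frozenset((src, dst)) in links


if __name__ == "__main__":
    links = create_peerings(VNETS, [("A", "B"), ("B", "C"), ("A", "D"), ("A", "E")])
    print(sorted(sorted(link) for link in links))
    print("A->B", can_reach(links, "A", "B"))
    print("A->C", can_reach(links, "A", "C"))
    print(peering_errors(VNETS, "A", "D"))
    print(peering_errors(VNETS, "A", "E"))
```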
DEMO
• VNet Peering
Azure Networking Monitoring
Azure Network Watcher
• Recently added Networking feature, providing
– Topology
– Variable Packet Capture
– IP Flow Verify
– Next Hop
– Diagnostics Logging
– Security Group View
– NSG Flow Logging
– VPN Gateway Troubleshooting
– Network Subscription Limits
– Role Based Access Control
– Connectivity
Azure Monitor
• Centralized hub for the different monitoring aspects of Azure resources:
• Alerts
• Metrics
• Log Analytics
• Service Health
• Application Insights
• Network Watcher
Azure Security Center
• Centralized Dashboard, focusing on Security posture of Azure and hybrid
systems and applications
• Networking Features:
• Networking Recommendations
• Internet Facing Endpoints security view
• Networking Topology security view
DEMO
Stay tuned for more great sessions …