Post on 01-Jun-2020
transcript
Learn. Connect. Explore.
Nuts & Bolts of Networking in Azure
Pracheta Budhwar
Technology Evangelist, Microsoft India
@prachetab
Agenda
• Must know concepts of networking on Azure
• Scenarios - the most common and most requested scenarios
• Recent announcements
• Demos
• Q&A
Customer needs
Availability
Policy
Ecosystem
Global presence
Global connectivity
Scale out
Seamless
Performance
Security
Enterprise Grade
HyperScale
Hybrid
The Big (Network) Picture
Internet Clients
On premises Datacenter
Azure
Virtual Network
Frontend Connectivity
Load-balanced and direct IPs
ACLs & DDoS protection
Traffic Manager & Azure DNS
Virtual Networks
Flexible multi-tier topologies
Backend Connectivity
Secure cross-premises VPN connectivity over the Internet
ExpressRoute – direct connectivity
[Diagram: foo.cloudapp.net VIP]
IP Addresses
There are multiple ways to access a VM by IP address.
VIP – Virtual IP address
• An internet-facing IP address that is not bound to a specific computer or network interface card.
• The cloud service that the VM sits within is assigned the VIP.
• You can have multiple VMs in a cloud service. They share the same VIP.
DIP – Dynamic IP address
• This IP address is dynamically assigned (via DHCP) to your virtual machine by Azure. You rely on DHCP – do NOT statically configure your IP address, even for DCs.
• The IP address lease directly equates to the lifetime of the VM.
• If you create a virtual network, the VM will receive its DIP from that range.
IP Addresses
Protocols and Endpoints
DNS Scenarios
[Diagram: SharePoint farm on Azure Virtual Machines (persistent VM roles) in a cloud service, domain joined to the on-premises network: Web tier with SharePoint front ends and open user access (website) from the Internet; app logic with business components & entities and UI process components; Search and Index; SQL tier with SQL Service, SQL Reporting Service, SQL Analysis Service and SQL AlwaysOn; AD/DNS, DC DNS and local DNS.]
Connecting Cloud Services with VNET
[Diagram: P2S VPNs and an S2S VPN from the existing on-premises datacenter (hardware VPN or Windows RRAS) to an HA VPN Gateway in a Microsoft Azure Virtual Network containing subnet 1, subnet 2, subnet 3 and a DNS server.]
• Extend your premises to the cloud securely
• On-ramp for migrating services to the cloud
• Use your on-prem resources in Azure (monitoring, AD, …)
Traffic Manager: DNS-based Load Balancing
www.yourapp.com
Performance - Direct to “closest” service based on network latency
Round-robin - Distribute equally across all services
Failover - Direct to the “backup” service if the primary fails (failover is also included in the other policies)
Traffic Management Fundamentals
Announcements in the last 6 months
• Internet connectivity
  • Traffic Manager External Endpoints
  • Instance Level Public IP (Preview)
  • IP Reservation for VIPs
• Intra-region communication
  • Internal Load Balancing
  • In-Region VNet to VNet
• Cross-premises connectivity
  • Multiple-Site VPN
  • Cross-Region VNet to VNet
  • ExpressRoute
[Diagram: before vs. with multi-site VNet connectivity: VNet1 (US West) and VNet2 (East Asia).]
[Diagram: before vs. with multi-site and cross-region VNet-to-VNet connectivity: VNet1 (US West) and VNet2 (East Asia) reached from a corporate WAN with Corp HQ, Branch office 1 and Branch office 2 over the public internet.]
ExpressRoute - Customers want Azure on their network
[Diagram: corporate WAN with Corp HQ, Branch office 1 and Branch office 2 connected to Azure directly, bypassing the public internet.]
Announcements in the last week
• Internet connectivity
  • Reverse DNS (PTR) Support
  • Traffic Manager Nested Profiles
  • Instance Level Public IP GA
  • Source IP-based Affinity
  • TCP flow idle connection timeout
• Virtual network
  • Network Security Group
  • Public non-RFC1918 IPs in VNet
  • ILB for SQL Always On
• Cross-premises connectivity
  • Forced Tunneling for IPsec VPNs
  • ExpressRoute Multi-Subscription Circuit Sharing
  • ExpressRoute Multi-Circuit VNet
  • High Performance VPN gateway
  • VPN/ExpressRoute Operation Logs
  • IPsec VPN NULL encryption & PFS
• Network Virtual Appliance
  • Multiple NICs per VM
  • MAC persistence
Internet Connectivity
Enable richer profiles with greater flexibility for large/complex deployments
Traffic Manager Nested Profiles
Level 2: Route to nearest Region, with cross-region failover within the Geo
Level 3: Load-balance within the region, divert 1% for flighting
[Diagram: cloud services in US West, US East and two Europe regions under the nested profiles.]
Example: Cross-region failover within a Geo, plus in-region flighting
Instance-Level Public IP GA
• Internet IP assigned to a single VM
• Entire port ranges are accessible
• Support applications with dynamic public ports; e.g., FTP, multi-media
• Ideal for workloads with heavy outbound connections
[Diagram: the Internet reaching VM1 and VM2 in a cloud service both directly via instance level public IPs and via the load balancer (LB) on the reserved VIP.]
Source IP-based Affinity
• All connections from the same Internet client IP go to the same backend server
  • 2-tuple/3-tuple hash
• Scenarios
  • Applications that require multiple connections to the same server
  • Example: media streaming, to establish the control and data channels to the same backend server
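As an added example (not from the slides), this Python simulation shows what the 2-tuple/3-tuple affinity hash changes compared with hashing every connection independently: the media client's TCP control channel and UDP data channel are pinned to one backend, while many clients behind a single NAT address are pinned to one backend too. The VIP, client addresses and backend count are constructed.

```python
import hashlib

def _bucket(key_parts, n_backends):
    # sha256 instead of hash(): Python salts hash() per process, and a load balancer
    # needs a mapping that is stable for the lifetime of the backend pool.
    digest = hashlib.sha256("|".join(map(str, key_parts)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_backends

def pick_backend(flow, mode, n_backends=4):
    """flow = (src_ip, src_port, dst_ip, dst_port, proto); returns the backend index."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    if mode == "5-tuple":    # default hash: every new connection is placed independently
        key = (src_ip, src_port, dst_ip, dst_port, proto)
    elif mode == "3-tuple":  # source IP affinity, kept separately per protocol
        key = (src_ip, dst_ip, proto)
    elif mode == "2-tuple":  # source IP affinity across protocols
        key = (src_ip, dst_ip)
    else:
        raise ValueError(f"unknown distribution mode {mode!r}")
    return _bucket(key, n_backends)

def lands_on_one_backend(flows, mode, n_backends=4):
    """True when every flow in the list is sent to the same backend under this mode."""
    return len({pick_backend(f, mode, n_backends) for f in flows}) == 1

# Constructed sample: a media client opens a TCP control channel and a UDP data channel
# to the load-balanced VIP; the slide's scenario needs both on the same server.
VIP, CLIENT = "203.0.113.10", "198.51.100.23"
CONTROL = (CLIENT, 50000, VIP, 554, "TCP")
DATA = (CLIENT, 50001, VIP, 5004, "UDP")
# Constructed sample: 1000 connections from clients behind one NAT address. Source IP
# affinity pins all of them to a single backend, the hotspot to watch for when enabling it.
NAT_CLIENTS = [("192.0.2.9", port, VIP, 443, "TCP") for port in range(40000, 41000)]

if __name__ == "__main__":
    for mode in ("5-tuple", "3-tuple", "2-tuple"):
        print(mode, "| control+data on one backend:", lands_on_one_backend([CONTROL, DATA], mode),
              "| backends used by 1000 NAT'd connections:",
              len({pick_backend(f, mode) for f in NAT_CLIENTS}))
```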
Azure Load Balancer
Increasing Idle Connection Timeout
Configurable connection timeout to VIPs
Idle connection timeout as high as 30 minutes
Better experience for mobile clients connecting to Azure
[Diagram: client traffic to the VIP distributed to Server 1 and Server 2, with the idle connection timeout increased up to 30 minutes.]
Virtual Network & Security
Network Security Groups (NSG)
• Enables network segmentation & DMZ scenarios
• Access Control List
• Filter conditions with allow/deny
• Individual addresses, address prefixes, wildcards
• Associate with VMs or subnets
• ACLs can be updated independent of VMs
[Diagram: DMZ in a Virtual Network: Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets, each with its own NSG; a VPN GW with S2S VPNs to On Premises 10.0/16; the Internet reaching the frontend.]
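As an added example (not from the slides), the Python below models how an NSG access control list is evaluated over the DMZ topology above: rules are ordered by priority, the first match decides, anything unmatched is denied, and source/destination may be a single address, a CIDR prefix or the "*" wildcard. The rule set and the sample flows are constructed for the three subnets on the slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets from the slide's DMZ diagram (slide shorthand 10.1/16 means 10.1.0.0/16).
ONPREM, FRONTEND, MIDTIER, BACKEND = "10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"

@dataclass(frozen=True)
class Rule:
    priority: int   # rules are evaluated in ascending priority; the first match wins
    action: str     # "Allow" or "Deny"
    protocol: str   # "TCP", "UDP" or "*" wildcard
    src: str        # single address, CIDR prefix, or "*" wildcard
    dst: str
    dst_port: str   # single port or "*"
    name: str

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(rules, src, dst, dst_port, protocol):
    """Return (action, rule name) of the first matching rule; no match means Deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _addr_match(r.src, src)
                and _addr_match(r.dst, dst)
                and (r.dst_port == "*" or int(r.dst_port) == dst_port)):
            return r.action, r.name
    return "Deny", "implicit-deny"

# Constructed rule set for the three-tier DMZ: only the frontend is Internet-reachable,
# each tier may talk only to the next one, and on-premises admins reach the backend
# through the S2S VPN. The final wildcard Deny makes the default explicit and auditable.
DMZ_RULES = [
    Rule(100, "Allow", "TCP", "*", FRONTEND, "443", "internet-to-frontend-https"),
    Rule(200, "Allow", "TCP", FRONTEND, MIDTIER, "8080", "frontend-to-midtier"),
    Rule(300, "Allow", "TCP", MIDTIER, BACKEND, "1433", "midtier-to-sql"),
    Rule(400, "Allow", "TCP", ONPREM, BACKEND, "3389", "onprem-admin-rdp"),
    Rule(65000, "Deny", "*", "*", "*", "*", "deny-all"),
]

if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.1.0.4", 443, "TCP"),   # Internet -> frontend: Allow
                 ("203.0.113.7", "10.3.0.4", 1433, "TCP"),  # Internet -> SQL: Deny
                 ("10.1.0.4", "10.3.0.4", 1433, "TCP"),     # frontend skipping mid-tier: Deny
                 ("10.2.0.5", "10.3.0.4", 1433, "TCP"),     # mid-tier -> SQL: Allow
                 ("10.0.0.9", "10.3.0.4", 3389, "TCP")]:    # on-prem over S2S VPN: Allow
        print(flow, "->", evaluate(DMZ_RULES, *flow))
```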
Multiple NICs in Azure VMs
• Multiple NICs enable virtual appliances in Azure
• MAC/IP addresses persist through VM life cycle
• Separate frontend-backend traffic, and management-data planes
[Diagram: an Azure Virtual Machine with NIC1 (default) and NIC2 attached across the FrontendSubnet, AppSubnet and BackendSubnet with private addresses 10.2.2.22, 10.2.3.33 and 10.2.1.11, reached from the Internet via VIP 133.44.55.66. Up to 4 NICs per VM.]
Bring Your Appliances to the Cloud
• Building blocks
  • Multiple NICs
  • MAC address persistence
• Appliance ecosystem
  • Barracuda NG Firewall
  • Citrix NetScaler
  • Riverbed Steelhead, SteelApp, SteelStore
  • More to come!
“Azure Certified”
Hybrid Networking Services
Microsoft Azure hybrid offerings – cloud customer segment and workloads
• Secure point-to-site connectivity – Developers: POC efforts, small scale deployments, connect from anywhere
• Secure site-to-site VPN connectivity – SMB, Enterprises: connect to Azure compute
• ExpressRoute private connectivity – SMB & Enterprises: mission critical workloads, backup/DR, media, HPC, connect to all Azure services
Forced Tunneling
• “Force” or redirect customer Internet-bound traffic to an on-premises site
• Auditing & inspecting outbound traffic from Azure
• Needed by many scenarios for critical security and IT policy requirements
[Diagram: Virtual Network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets; Internet-bound traffic is forced tunneled through the VPN GW over the S2S VPNs to On Premises instead of leaving directly to the Internet.]
Gateway Enhancements
• High Performance Gateway
  • Better throughput
  • More S2S tunnels
  • Pricing
    • $0.49 per gateway hour
    • Data transfer & VNet traffic rates unchanged
• No Encryption option
  • Better throughput for VNet-to-VNet within Azure
  • Intra-/inter-region VNet-to-VNet traffic stays within Microsoft networks, not the Internet
• PFS Support for IKE
  • Compliance requirements & better security
• Operations Logs
  • Visibility into critical gateway events
Gateway SKU   | ExpressRoute Throughput* | S2S Throughput* | Max Tunnels
Default       | 500 Mbps                 | 100 Mbps        | 10
Performance   | 1000 Mbps                | 200 Mbps        | 30
* Subject to traffic conditions and application behavior
US
• Atlanta
• Chicago
• Dallas
• Los Angeles
• New York
• Seattle
• Silicon Valley, CA
• Washington D.C.
EMEA
• Amsterdam
• London, UK
APAC
• Hong Kong
• Singapore
• Sydney
• Tokyo
• AT&T
• British Telecom
• Colt
• Equinix
• Internet Initiative Japan (IIJ)
• Level3
• Orange
• SingTel
• Tata Communications
• Telecity Group
• Telstra
• Verizon
[Map: Azure datacenters, ExpressRoute locations (today), and new locations coming soon, including the North Europe and West Europe regions with London and Amsterdam.]
Sharing ExpressRoute Connections
• Share an ExpressRoute circuit across other subscriptions
• Circuit owner must authorize and can revoke
• Owner gets billed for usage
[Diagram: one ExpressRoute circuit into Microsoft Azure shared by the Marketing, Sales, R&D and IT subscriptions.]
Q&A
Follow us online
Facebook: facebook.com/MicrosoftDeveloper.India
Twitter: twitter.com/msdevindia
Twitter: prachetab
Email: Pracheta.budhwar@microsoft.com
Your Feedback is Important
OPTION 3: Feedback stations outside the hall
Fill out the evaluation of this session and help shape future events.