Post on 18-May-2020
transcript
Microsoft Networking Academy with the C+E Global Black Belts
Olivier Martin (@omartin) – Networking TSP GBB
Kevin Lopez (@kevlopez) – ER Partner Sales Executive GBB
Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive GBB
Eddie Villalba (@edvilla) – Networking and Open Source TSP GBB
Bryan Woodworth (@brwoodwo) – Networking TSP GBB
Before we get started
• Welcome customers and partners!!!
• Material is public information. No NDA info here.
• Use the IM window for questions.
• Sessions are recorded and posted here: https://aka.ms/mna
• Introductory Sessions (200 level)
  • Quick overview or what’s new this week (5-10 minutes)
  • Partner Spotlight of the week (35-45 minutes)
  • Q&A (10 minutes)
• Deep Dive Sessions (300-400 level)
  • Short introduction (5 minutes)
  • Deeper dive topic of the week (35-45 minutes)
  • Q&A (10 minutes)
• Email GBB-ANF@microsoft.com to receive detailed schedules for upcoming sessions!
• Available on Channel 9!
Microsoft Networking Academy
Agenda for May 26th, 2017 – Episode #9
• Intro – Networking from 0-60
• Partner Spotlight – Security in the Azure cloud using Palo Alto Network’s virtual appliances
• Ask the Experts Q&A
[Slide: world map of Azure locations – Atlanta, Chicago, Los Angeles, Seattle, Silicon Valley, Washington DC, Amsterdam, Dublin, London, Sao Paulo, Chennai, Hong Kong, Mumbai, Melbourne, Osaka, Singapore, Sydney, Tokyo, Las Vegas, Toronto, Montreal, Quebec City, New York City, Dallas, Newport (Wales), Paris, Beijing, Shanghai, Berlin, Frankfurt; also Dallas, Washington DC, New York, Chicago; and the US Government, Germany and China clouds]
[Slide: one Azure Active Directory tenant over three Azure subscriptions, each with its own Access Control and Virtual Network; inside each VNet a FW tier, IIS tier and SQL tier sit behind Azure load balancers, reached over ExpressRoute and the Internet]
Partner Spotlight: Palo Alto Networks
PALO ALTO NETWORKS NEXT-GENERATION SECURITY PLATFORM
Mission
To protect our way of life in the digital age by preventing successful cyber attacks.
Strategic Direction
To be the leading independent security company by building the world’s most innovative and effective security platform.
Q2 FY17 Highlights
• 15,500+ WildFire customers
• 875 Traps customers; more than 1M nodes protected
• 2,500+ VM-Series customers
What’s changed?
© 2015, Palo Alto Networks. Confidential and Proprietary.
THE EVOLUTION OF THE ATTACKER
• Cybercrime is now a $445 billion industry
• Cyber warfare: 100+ nations
THE EVOLUTION OF THE ATTACK
• Organizational risk rises as known threats are joined by identity compromise, zero-day exploits / vulnerabilities, evasive command-and-control, unknown & polymorphic malware and mobility threats
Failure of legacy security architectures
[Slide: an enterprise network whose Internet connection is guarded by point products from four vendors – anti-APT for port 80 APTs, anti-APT for port 25 APTs, an anti-APT cloud, endpoint AV, network AV, DNS protection for outbound DNS, a DNS protection cloud, UTM/blades and malware intelligence – each raising its own web, SMTP, DNS, AV and endpoint alerts. Result: limited visibility, manual response, lacks correlation.]
Requirements for the future
DETECT AND PREVENT THREATS AT EVERY POINT ACROSS THE ORGANIZATION
• At the internet edge
• Between employees and devices within the LAN
• At the data center edge, and between VMs
• At the mobile device
• Cloud: within private, public and hybrid clouds
Delivering continuous innovation
[Slide: platform components – Traps, GlobalProtect, WildFire, AutoFocus, Aperture, Threat Prevention, URL Filtering]
A complete security architecture
[Slide: the platform spanning the enterprise network, public cloud and private cloud]
Security: A Shared Responsibility
• Azure looks after security OF the cloud: the cloud infrastructure & services (compute, storage, database, networking).
• Customers are responsible for their security IN the cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client & server encryption; network traffic protection; encryption key management.
VM-Series for Microsoft Azure
Deployment Use Cases: protect your Azure deployment just as you would your data center
• Hybrid – securely deploy applications in your data center or in the cloud
• Segmentation – separate data and applications for compliance and security
• Internet Gateway – protect Internet-facing applications
• Remote Access – security consistency for your network, your cloud, and your devices
Licensing Models: BYOL or PAYG Subscription?
Bring your own license (BYOL) vs. Pay as you go (PAYG)
• Best suited for – BYOL: long-running, steady-state deployments that may scale over time. PAYG: on-demand, utility-style, elastic deployments.
• Comparable to – BYOL: buy. PAYG: rent.
• Costs? – BYOL: CapEx (initial purchase in year 1), OpEx (annual renewal after that). PAYG: fixed rate for duration of use, initial annual license and subsequent renewal; OpEx.
• Supported environments – BYOL: all hypervisors supported; move licenses between any supported hypervisor or public cloud. PAYG: Azure only.
• Licensing, subscription, support options? – BYOL: use any combination of capacity SKU (VM-100, -200, -300, -1000-HV), subscriptions and support. PAYG: Bundle 1 or Bundle 2, with no option to mix and match licenses, subscriptions or support programs.
• US Gov. support? – BYOL: yes, federal agencies can purchase USG support for the VM-Series. PAYG: no, premium support is included with both bundles and there is no option to purchase USG.
• Pricing flexibility? – BYOL: high-volume purchase discounts apply. PAYG: fixed pricing in Azure Marketplace, hourly subscription for Bundle 1 or Bundle 2, no annual option.
The VM-Series ELA (New)
The VM-Series ELA is an unbounded, subscription-based model that includes a specific VM-Series model, VM Panorama, subscriptions and support in a single, easy-to-order and easy-to-deploy bundle (term, VM-Series, VM-Panorama, support and updates, subscriptions).
▪ Launched worldwide in November 2016
▪ Based on existing and projected use of VM-Series firewalls
▪ One ELA per model
▪ Designed to incent fast adoption
▪ Unbounded with no true up within term
▪ Designed to account for customer ramp
▪ 1 and 3 year term options
▪ Works in all supported environments
▪ ~$150k list price is target minimum*
*Minimum still being finalized
What are the benefits of the VM-Series ELA?
• Consistent security on all supported platforms
• Cost savings as more of the platform is utilized
• Predictable opex even if deployments happen faster than planned
• No true ups and ability to reset plan at term end
• Greatly simplifies operations with a single auth code (vs. 100’s to 1,000’s)
VNET / User Defined Routes Introduction
Zero Trust
• Assume that no user, interface, application, etc. is automatically trusted.
• Segment the network and force all traffic through a control point for inspection.
• The cloud makes this easier to do at scale.
VNET setup in Azure
[Slide: one VNET with the firewall’s interfaces and their subnets – MGMT 10.0.0.0/24 (private IP 10.0.2.4), Untrust 10.0.1.0/24 (10.0.1.4), Trust 10.0.2.0/24 (10.0.2.4), DMZ 10.0.3.0/24 (10.0.3.4), NAT 10.0.10.0/24 (10.0.10.4), Internal-LB 10.0.4.0/24 (10.0.4.4), WEB 10.0.5.0/24 (10.0.5.4)]
How new VNETers think VNETs work
[Slide sequence: the same seven subnets (MGMT 10.0.0.0/24, Untrust 10.0.1.0/24, Trust 10.0.2.0/24, DMZ 10.0.3.0/24, Internal-LB 10.0.4.0/24, WEB 10.0.5.0/24, NAT 10.0.10.0/24) drawn as separate segments, each with its own .1 gateway, with hosts WEB 10.0.5.5 and NAT 10.0.10.6 and the firewall’s .4 interfaces expected to sit in the path between them]
How VNETs ACTUALLY work
[Slide: the same subnets drawn as one flat routed VNET; Azure’s system routes deliver traffic between WEB 10.0.5.5 and NAT 10.0.10.6 directly, with no per-subnet gateway or firewall in the path]
User Defined Routes – UDRs
[Slide: the same VNET, now with a UDR on each subnet whose next hop is the firewall’s .4 interface, so traffic between WEB 10.0.5.5 and NAT 10.0.10.6 is forced through the firewall]
Basic Three-Tier Application
Typical Deployment Model
• Web: private IP 10.0.2.5, Web subnet 10.0.2.0/24
• APP: private IP 10.0.3.5, APP subnet 10.0.3.0/24
• DB: private IP 10.0.4.5, DB subnet 10.0.4.0/24
• VM-Series: eth1 -> ethernet1/1, private IP 10.0.1.4, public IP 52.173.129.45, Untrust subnet 10.0.1.0/24; eth2 -> ethernet1/2, private IP 10.0.7.4, Trust subnet 10.0.7.0/24 (UDR: 0.0.0.0/0 -> 10.0.7.4)
• Internet user: IP 199.167.52.5
• Express Route gateway subnet 10.0.9.0/28; Express Route / VPN tunnel with private peering to the customer DC, subnet 172.16.0.0/16
Typical Deployment Model – UDRs
• Web subnet 10.0.2.0/24 (Web 10.0.2.5) – UDRs: 10.0.3.0/24 -> 10.0.7.4; 10.0.4.0/24 -> 10.0.7.4; 172.16.0.0/16 -> 10.0.7.4; 0.0.0.0/0 -> 10.0.7.4
• APP subnet 10.0.3.0/24 (APP 10.0.3.5) – UDRs: 10.0.2.0/24 -> 10.0.7.4; 10.0.4.0/24 -> 10.0.7.4; 172.16.0.0/16 -> 10.0.7.4; 0.0.0.0/0 -> 10.0.7.4
• DB subnet 10.0.4.0/24 (DB 10.0.4.5) – UDRs: 10.0.3.0/24 -> 10.0.7.4; 10.0.2.0/24 -> 10.0.7.4; 172.16.0.0/16 -> 10.0.7.4; 0.0.0.0/0 -> 10.0.7.4
• Untrust subnet 10.0.1.0/24 (eth1 -> ethernet1/1, private IP 10.0.1.4, public IP 52.173.129.45) – UDRs: 0.0.0.0/0 -> Internet; 10.0.2.0/24 -> 10.0.1.4; 10.0.3.0/24 -> 10.0.1.4; 10.0.4.0/24 -> 10.0.1.4; 10.0.7.0/24 -> 10.0.1.4; 172.16.2.0/16 -> Express Route
• Trust subnet 10.0.7.0/24 (eth2 -> ethernet1/2, private IP 10.0.7.4) – UDR: 0.0.0.0/0 -> 10.0.7.4
• Express Route UDR subnet 10.0.9.0/24 (gateway subnet 10.0.9.0/28) – UDRs: 10.0.2.0/24 -> 10.0.1.4; 10.0.3.0/24 -> 10.0.1.4; 10.0.4.0/24 -> 10.0.1.4; 10.0.7.0/24 -> 10.0.1.4; 10.0.8.0/24 -> 10.0.1.4
• VM-Series routing table: 0.0.0.0/0 -> 10.0.1.1; 10.0.2.0/24 -> 10.0.7.1; 10.0.3.0/24 -> 10.0.7.1; 10.0.4.0/24 -> 10.0.7.1; 172.16.0.0/16 -> 10.0.1.1
• Internet user 199.167.52.5; Express Route / VPN tunnel with private peering to the customer DC 172.16.0.0/16
Typical Deployment Model – Express Route Connection
• Web subnet 10.0.2.0/24 (Web 10.0.2.5) – UDRs: 10.0.3.0/24 -> 10.0.7.4; 10.0.4.0/24 -> 10.0.7.4; 172.16.0.0/16 -> 10.0.7.4; 0.0.0.0/0 -> 10.0.7.4
• APP subnet 10.0.3.0/24 (APP 10.0.3.5) – UDRs: 10.0.2.0/24 -> 10.0.7.4; 10.0.4.0/24 -> 10.0.7.4; 172.16.0.0/16 -> 10.0.7.4; 0.0.0.0/0 -> 10.0.7.4
• DB subnet 10.0.4.0/24 (DB 10.0.4.5) – UDRs: 10.0.3.0/24 -> 10.0.7.4; 10.0.2.0/24 -> 10.0.7.4; 172.16.0.0/16 -> 10.0.7.4; 0.0.0.0/0 -> 10.0.7.4
• Internet firewall: eth1 -> ethernet1/1, private IP 10.0.1.4, public IP 52.173.129.45 (Untrust); eth2 -> ethernet1/2, private IP 10.0.7.4 (Trust). Routing table: 0.0.0.0/0 -> 10.0.1.1; 10.0.2.0/24 -> 10.0.7.1; 10.0.3.0/24 -> 10.0.7.1; 10.0.4.0/24 -> 10.0.7.1; 172.16.0.0/16 -> 10.0.1.1
• Express Route firewall: eth1 -> ethernet1/1, private IP 10.0.1.5 (Untrust); eth2 -> ethernet1/2, private IP 10.0.8.4 (Domain Trust). Routing table: 0.0.0.0/0 -> 10.0.1.1; 10.0.2.0/24 -> 10.0.1.1; 10.0.3.0/24 -> 10.0.1.1; 10.0.4.0/24 -> 10.0.1.1; 10.0.7.0/24 -> 10.0.1.1; 172.16.0.0/16 -> 10.0.1.1
• Untrust subnet 10.0.1.0/24 – UDRs: 0.0.0.0/0 -> Internet; 10.0.2.0/24 -> 10.0.1.4; 10.0.3.0/24 -> 10.0.1.4; 10.0.4.0/24 -> 10.0.1.4; 10.0.7.0/24 -> 10.0.1.4; 172.16.2.0/16 -> Express Route
• Trust subnet 10.0.7.0/24 – UDR: 0.0.0.0/0 -> 10.0.7.4
• Domain Trust subnet 10.0.8.0/24 – UDR: 0.0.0.0/0 -> 10.0.8.4
• Express Route UDR subnet 10.0.9.0/24 (gateway subnet 10.0.9.0/28) – UDRs: 10.0.2.0/24 -> 10.0.1.4; 10.0.3.0/24 -> 10.0.1.4; 10.0.4.0/24 -> 10.0.1.4; 10.0.7.0/24 -> 10.0.1.4; 10.0.8.0/24 -> 10.0.1.5
• Express Route private peering to the customer DC 172.16.0.0/16; Internet
Multi-IP Recommended Architectures
Base Infrastructure
• Untrust 10.0.1.0/24: VM-FW1 INT-FW1-Untrust 10.0.1.5/24, VM-FW2 INT-FW2-Untrust 10.0.1.6/24 (availability set AS-FW). LB-Public with public IP IP-LB-Public fronts AS-FW-Untrust, health probe TCP/22.
• Trust 10.0.2.0/24: INT-FW1-Trust 10.0.2.5/24, INT-FW2-Trust 10.0.2.6/24. The internal LB-Egress at 10.0.3.100 (Egress 10.0.3.0/24) fronts AS-FW-Trust, health probe TCP/22.
• Egress 10.0.3.0/24: LB-Egress 10.0.3.100; per-firewall egress public IPs IP-FW1-Egress and IP-FW2-Egress.
• Web 10.0.4.0/24: VM-Web1 INT-Web1 10.0.4.50/24, VM-Web2 INT-Web2 10.0.4.51/24 (availability set AS-Web) behind the internal LB-Web 10.0.4.100, HTTP/80.
• RT-Web (route table on the Web subnet): 0.0.0.0/0 > 10.0.3.100; 10.0.0.0/16 > 10.0.3.100; 10.0.4.0/24 > Virtual Network; 10.0.2.0/24 > Virtual Network; 168.63.129.16/32 > Virtual Network
• Inbound NAT on the firewalls: SNAT to INT-FWX-Trust, DNAT to 10.0.4.100
Inbound Request
[Slide: same base infrastructure. The Internet user’s HTTP/80 request arrives at IP-LB-Public; LB-Public (rule with Floating IP enabled) hands it to a firewall untrust interface; the firewall SNATs to its INT-FWX-Trust address and DNATs to LB-Web 10.0.4.100, which delivers it to VM-Web1 or VM-Web2.]
Inbound Response
[Slide: the web VM answers to the firewall’s INT-FWX-Trust address (the SNAT source); the firewall reverses the SNAT/DNAT and sends the reply out its untrust interface through LB-Public (Floating IP enabled).]
The load balancer will transparently SNAT the outbound response to IP-LB-Public
Outbound Request
[Slide: a web VM’s Internet-bound request follows RT-Web 0.0.0.0/0 > 10.0.3.100 to LB-Egress (Floating IP enabled), which hands it to a firewall trust interface; the firewall SNATs to INT-FWX-Untrust and the traffic leaves through that firewall’s own egress public IP (IP-FW1-Egress).]
Outbound Response
[Slide: the reply returns to the firewall’s egress public IP (IP-FW1-Egress / IP-FW2-Egress); the firewall reverses the SNAT to INT-FWX-Untrust and forwards the reply from its trust interface back to the web VM.]
Health Probes
[Slide: LB-Public (IP-LB-Public) probes AS-FW-Untrust on TCP/22 and LB-Egress (10.0.3.100) probes AS-FW-Trust on TCP/22, so each firewall (VM-FW1, VM-FW2) is probed on both its untrust 10.0.1.x and its trust 10.0.2.x interface.]
The Problem:
• Health checks always source from 168.63.129.16
• A virtual router can only route an IP address one direction
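As an added worked example (mine, not code from the deck or from Palo Alto Networks): a small Python model of how Azure evaluates the route tables on the Typical Deployment Model and Multi-IP slides, and of the health-probe asymmetry described under The Problem. The route tables are copied from the slides; the interface mapping, the probe source constant and the function names are assumptions, and Azure's implicit system routes are not modelled.

```python
import ipaddress

# From the deck's "Typical Deployment Model" slide: the UDRs attached to the
# Web subnet (10.0.2.0/24). Every prefix, including the default route, points
# at the firewall's trust interface 10.0.7.4.
WEB_SUBNET_UDRS = [
    ("10.0.3.0/24", "10.0.7.4"), ("10.0.4.0/24", "10.0.7.4"),
    ("172.16.0.0/16", "10.0.7.4"), ("0.0.0.0/0", "10.0.7.4"),
]

# RT-Web from the "Multi-IP Recommended Architectures" slide. "Virtual Network"
# is Azure's built-in next-hop type: deliver inside the VNet, bypassing the
# firewall. Azure's implicit system routes are deliberately not modelled here.
RT_WEB = [
    ("0.0.0.0/0", "10.0.3.100"), ("10.0.0.0/16", "10.0.3.100"),
    ("10.0.4.0/24", "Virtual Network"), ("10.0.2.0/24", "Virtual Network"),
    ("168.63.129.16/32", "Virtual Network"),
]

# The VM-Series routing table from the deployment slide, plus an assumed map
# from each next hop to the interface it sits behind (1/1 untrust, 1/2 trust).
FW_TABLE = [
    ("0.0.0.0/0", "10.0.1.1"), ("10.0.2.0/24", "10.0.7.1"),
    ("10.0.3.0/24", "10.0.7.1"), ("10.0.4.0/24", "10.0.7.1"),
    ("172.16.0.0/16", "10.0.1.1"),
]
FW_IFACE = {"10.0.1.1": "ethernet1/1", "10.0.7.1": "ethernet1/2"}
PROBE_SOURCE = "168.63.129.16"   # Azure load balancer health-probe source


def next_hop(table, dst):
    """Longest-prefix match, which is how an Azure route table is evaluated."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def firewall_bypasses(table, firewall_hop, allowed):
    """Prefixes whose next hop is not the firewall and are not on the allow
    list. The own subnet and the probe source are the expected exceptions."""
    return [p for p, hop in table if hop != firewall_hop and p not in allowed]


def probe_reply_symmetric(arrived_on):
    """Does the firewall's reply to a probe received on `arrived_on` leave on
    that same interface? With a single route for 168.63.129.16 this can hold
    for only one interface: the deck's 'routes an IP one direction' problem."""
    return FW_IFACE[next_hop(FW_TABLE, PROBE_SOURCE)] == arrived_on


if __name__ == "__main__":
    print(next_hop(RT_WEB, "10.0.5.9"))      # 10.0.3.100 (other subnets via LB-Egress)
    print(firewall_bypasses(RT_WEB, "10.0.3.100",
                            {"10.0.4.0/24", "10.0.2.0/24", "168.63.129.16/32"}))
    print(probe_reply_symmetric("ethernet1/1"), probe_reply_symmetric("ethernet1/2"))
```

The last line prints True for the untrust-side probe and False for the trust-side one, which is why RT-Web carries the explicit 168.63.129.16/32 > Virtual Network route.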
High Availability Notes
Challenges
- Speed
- Connectivity
Solutions (Hint: Think “Cloudy”)
- Use services with high reliability and redundancy
- Scale out instead of up
- Spread the risk
Templates
ARM template
• Two JSON files
• Build the entire resource group, or create specific resources
• You can use more to separate resources and make it modular
• ResGp1.parameters.json: user needs to fill in VM size, username, password…
• ResGp1.json: main resources file
  {
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "",  // user-assigned label or version number of the template file
    "parameters": { },     // declare stuff from the .parameters.json file
    "variables": { },      // define static values you use repeatedly in the file
    "resources": [ ],      // this is where you ask for stuff: VM, NIC, IP... can configure their properties
    "outputs": { }         // output of this deployment request sent to Azure
  }
For more see: https://azure.microsoft.com/en-us/documentation/articles/resource-group-authoring-templates/
Overview
• Review ARM template for deploying VM-Series: vmseries.json and vmseries.parameters.json
• Deploy via Azure CLI:
  azure group deployment create -g <ResourceGroup> -n <DeploymentName> \
      -f vmseries.json \
      -e vmseries.parameters.json -v
• Monitor progress of deployment in Azure web portal and on CLI
• Play around in the Azure portal: resource group, VNET, subnets, VMs
• Connect into VM-Series, configure DHCP on dataplane interfaces
• Review UDR route tables in Azure portal
• Learn basic debugging in Azure portal
Miscellaneous
Features Not Supported (Yet)
• (native) VM Monitoring
• Customers can create Azure PowerShell scripts to feed in DAGs for this
▪ VM Monitoring will be available in future as an addon component (scripts) similar to support for KVM/OpenStack
Questions?
Resources
- https://github.com/PaloAltoNetworks/azure/tree/master/two-tier-sample
- https://azure.microsoft.com/en-us/offers/ms-azr-0044p/
Open Q&A