Extending Enterprise Networks to Windows AzureGanesh SrinivasanProgram Manager, Windows Azure NetworkingMicrosoft Corporation

AZR316

Agenda

Overview of Windows Azure Virtual NetworkTypical use cases and scenariosSetting up Virtual NetworksWhat’s in our preview release

Overview of Hybrid Options in Windows Azure

Secure Site-to-Site Network Connectivity

Windows Azure Virtual Network

Secure Site-to-Site Network Connectivity

Windows Azure Virtual Network

Windows Azure Hybrid and Connectivity Options

Windows Azure ENTERPRISE

Data Synchronization

SQL Data Sync

Application-Layer Connectivity & Messaging

Service Bus

Secure Machine-to-Machine Network

ConnectivityWindows Azure Connect

WINDOWS AZURE CONNECT WINDOWS AZURE VIRTUAL NETWORK

Azure Cross-premises Connectivity

Windows Azure

SIMPLE TO SETUP AND MANAGE

E2E SECURITYRAPID PROVISIONING

EASYCOMPLETE CONTROLSCALABLECOMPLEX SCENARIOS

ENTERPRISE-READY

On-premises

Windows Azure

On-premises

A protected private virtual network in the cloud

Setup secure private IPv4 networks fully contained within Windows AzureIP address persistenceInter-service DIP-to-DIP communication

Networking on-ramp for migrating existing apps and services to Windows AzureVirtual private networks in Windows AzureConnect to on-premises resources securely over industry standard site-to-site VPN

Currently Available in Preview

Windows Azure Virtual Network

Extend your Enterprise Networks to Windows Azure securely over S2S VPNRun “hybrid” apps that span cloud and their premisesIP level connectivity between Windows Azure and your premises

Your “virtual” branch office / datacenter in the cloud Enables many new scenarios

Hybrid Public / Private CloudEnterprise Identity and Access ControlMonitoring and ManagementSharePoint in Windows AzurePaaS and IaaS working together

Virtual Network FeaturesUse on-premises DNS servers for name resolution

Use your on-premises DNS servers for name resolutionJoin VMs running in Windows Azure to your corporate domains (running on-premises)Run DNS servers in Windows Azure Run Active Directory Domain Controller in Windows Azure

“Bring your own IPv4 addresses”Control over placement of Windows Azure Roles within the network using IP subnetsStable IPv4 addresses for VMs

Customer-managed private virtual networks within Windows Azure

Automated provisioning & managementSupport existing on-premises S2S VPN devices

Hosted VPN Gateway that enables site-to-site connectivity

Example: Contoso’s Deployment

Contoso HQ (10.0.0.0/16)

Contoso Test in Windows Azure

(10.2.0.0/16)

Contoso Production VNet in Windows Azure (10.1.0.0/16)

S2S VPN Device

IIS Servers

AD / DNS

SQL Farm

Exchange BRK Gateway

S2S VPN tunnels10.0.0.1010.0.0.11

131.57.23.120

10.2.2.0/24

10.2.3.0/24

10.1.2.0/24

10.1.3.0/24

65.52.249.2210.1.0.4 10.1.1.4

Windows Azure Virtual Network Scenarios

Monitoring and ManagementRemote monitoring and trouble-shooting of resources running in Windows Azure

Enterprise app in Windows Azure requiring connectivity to on-premise resourcesPhased Migration of services from premises to Windows Azure

Hybrid Public/Private Cloud

Advanced Connectivity Requirements

Cloud deployments requiring persistent IP addresses and direct connectivity across services

Manage identity and access control with on-premise resources (on-premises Active Directory)

Enterprise Identity and Access Control

The Corp. HQ

IIS Servers

AD / DNS

SQL Farm

App Servers

Application Migration

VPN Tunnel

WA Web Role

Domain joining VMs to a domain on-premises

Deploying VMs using PowerShell$dns1 = New-AzureDns -Name 'DCReplicainVnet' -IPAddress '10.100.4.4'$vmname = 'TechEdVNetVM4'$imagename = 'MSFT__Win2K8R2SP1-120514-1520-141205-01-en-us-30GB.vhd'$servicename = 'MyTechEdVNetDemo'

$TechEdVNetVM4 = New-AzureVMConfig -Name $vmname -InstanceSize 'Small' -ImageName $imagename |

Add-AzureProvisioningConfig -WindowsDomain -Password 'rdPa$$w0rd' `-Domain 'vnetdemo' -DomainPassword 'rdPa$$w0rd' `-DomainUserName 'ganesh' -JoinDomain 'vnetdemo.com' |

Set-AzureSubnet -SubnetNames 'TestSubnet1'

New-AzureVM –ServiceName $servicename -AffinityGroup 'VNetDemoAffinityGroup' -VMs $TechEdVNetVM4 -DnsSettings $dns1 -VNetName 'MyvNet'

Monitoring

VPN Tunnel

The Corp. HQ

IIS Servers

AD / DNS

SQL Farm

Monitoring Service

WA Web Role

SharePoint in Windows Azure

Virtual Machine

SharePoint FrontEnd

Virtual Machine

SharePoint FrontEnd

Virtual Machine

DC DNS

Server Account

Virtual Machine

Local DNS

SQL Mirroring

Load balancer

IPsec Tunnel

User AccountsOn

PremisesDC DNS

10.0.0.x

Domain Joined to On-Premises Network

Persistent VM Role

SQL

SQL

Virtual Machine

Search and Index

SQLPersistent Disk

Internet

Demo SharePoint in Windows Azure

Connecting Cloud Services with Virtual Network

DIP level Direct

Access

FrontEndSubnet

(10.0.0.0/16)

SQLSubnet (10.1.0.0/16)

Load Balancer

80WA Web Role

Cloud Service

1

Cloud Service 2

AD

SQL Mirror

AD Subnet(10.2.0.0/16)

Contoso VNet (10.0.0.0/8)

More SecureLow LatencyCloud App AutonomyVIP Swap (stateless roles)Advanced Connectivity Requirements

Strengths

Hosting Multiple Customers with Overlapping Address Spaces

Contoso (10.0.0.0/16)

IIS Servers

AD / DNS

SQL Farm

Woodgrove (10.0.0.0/16)

IIS Servers

AD / DNS

SQL Farm

Contoso’s VNet in Windows Azure

(10.1.0.0/16)

Svc1

10.1.2.0/24

Svc2

10.1.3.0/24

65.52.249.22

Woodgrove’s VNet in Windows Azure

(10.1.0.0/16)

Svc1

10.1.2.0/24

Svc2

10.1.3.0/24

65.22.192.5

Exchange

Exchange

S2S VPN

Device

S2S VPN

Device

132.27.23.20

131.57.23.120

Setting up Virtual Networks

Configuration steps

DNS1 10.0.0.20

DNS2 10.0.0.21

S2S VPN device

131.57.23.45

IT Admin

Network Admin

ContosoVNet (10.1.0.0/16)

MyAffinityGroupFrontEndSubnet

(10.1.1.0/24)

SQLSubnet (10.1.3.0/24)

ADSubnet (10.1.2.0/24)

BESubnet (10.1.4.0/24)

GatewaySubnet

(10.1.0.0/24)GW IP65.57.23.45

Windows Azure Portal (API)

VPN device config script

Network configuratio

n

Deployment package

ContosoCorpOffice (10.0.0.0/16)

Portal Experience, APIs and Service Models

Operations on Net ConfigSet Network ConfigurationGet Network Configuration

Wizard to create, and update virtual networksManage Gateway Lifecycle

Portal

Create GatewayDelete GatewayGet GatewayGet Gateway SharedKeyReset Gateway SharedKeyList Connections

Operations on GW ManagerConnect To Local Network SiteDisconnect From Local Network SiteTest Local Network SiteList Operation Status

REST APIsPowerShell Cmdlets

APIs and Scripting

Network Configuration

Service Model

DemoSetting up Virtual Networks using the Windows Azure Portal

Deploying PaaS instances into a VNet

<ServiceConfiguration …><NetworkConfiguration><DnsServers><DnsServer name=“MyDNS" IPAddress=“10.1.0.5" /></DnsServers><VirtualNetworkSite name=“MyVNet"/><AddressAssignments><InstanceAddress roleName=“MyWebRole"><Subnets><Subnet name=“TestSubnet1" /><Subnet name=“TestSubnet2" /></Subnets></InstanceAddress></AddressAssignments></NetworkConfiguration>

</ServiceConfiguration>

Service Definition Schema

Deploying PaaS Services to a VNet

Supported VPN device families

JuniperSRX Series RoutersJ Series RoutersISG Series Routers

IKE v13DES, AES128SHA1

Industry standard VPN devices

More VPN device families soon ASA 5500 Series (Adaptive Security Appliances)ASR 1000 Series Aggregation Services Routers ISR Series Integrated Services Routers

Cisco

Preview release capabilities

Local Network SitePublic and Private IP addresses allowedOnly one gateway per siteOnly one active tunnel between site and VNet

Up to 5 VNets and 5 sites per subscriptionUp to 9 DNS Servers per subscription

Subscription Limits (soft limits)

IPv4 addresses limited to IP addresses in RFC1918Can connect to only one site per VNetNo limit on subnets

Virtual Network Site

Summary

Feedback and SupportFeedback to vnetfeedback@microsoft.comSupport Forum: http://social.msdn.microsoft.com/Forums/en-US/WAVirtualMachinesVirtualNetwork

Enables you to run hybrid scenarios in Windows Azure Networking on-ramp for migrating existing apps and services to Windows Azure

Windows Azure Virtual Network is

Customer-managed private virtual networks within Windows AzureHosted VPN Gateway that enables site-to-site connectivityOn-premises DNS servers for name resolution

Windows Azure supports

Call To ActionSign up for Windows Azure Virtual Machines and Virtual Networks previewUse Windows Azure Virtual Network features and provide feedback to vnetfeedback@microsoft.com

Visit Virtual Network Support Forum for support and tips

Useful Documents OnlineOverview of Windows Azure Virtual NetworkConfiguring a Virtual Network using the Windows Azure PortalNetwork Configuration schema documentationNotes on supported VPN devicesName resolution support

Related ContentAZR201Overview Windows Azure Virtual Machines and how they workAZR304Overview of Windows Azure Networking FeaturesAZR202An Overview of Managing Applications, Services, and Virtual Machines in Windows AzureAZR203Business Continuity in the Windows Azure CloudAZR313Deep Dive into Windows Azure Virtual MachinesAZR314Migrating Applications to Windows Azure Virtual MachinesAZR204Hybrid Will Rule: Options to Connect, Extend and Integrate Applications in Your Data Center and Windows AzureAZR307Running Linux in Windows Azure Virtual MachinesAZR327Deploying SharePoint Farms on Windows Azure Virtual MachinesAZR319Monitoring and Managing Your Windows Azure Applications and Services

Track Resources

Meetwindowsazure.com

@WindowsAzure @ms_teched

DOWNLOAD Windows Azure

Windowsazure.com/teched

Hands-On Labs

Resources

Connect. Share. Discuss.http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resourceswww.microsoft.com/learning

TechNet

Resources for IT Professionalshttp://microsoft.com/technet

Resources for Developershttp://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Please Complete an Evaluation Your feedback is important!

Multipleways to Evaluate Sessions

Scan the Tagto evaluate thissession now on myTechEd Mobile

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS

PRESENTATION.