Architecting EnterpriseReady Networking Solutions in Azure EVENTS COLLAB

Architecting Enterprise-Ready Networking Solutions in Azure EVENTS. COLLAB 365. COMMUNITY Online Conference June 17 th and 18 th 2015

Peter De Tender www. Azure. Platform. Experts. com Microsoft Azure Architect & Trainer Microsoft Certified Trainer – MCT Microsoft Learning Regional Lead Microsoft Azure MVP (2013 -2017) Ex-Microsoft Azure Engineering PM Book author for Packt Publishing & Apress Courseware Author and Trainer Technical Writer EVENTS. COLLAB 365. COMMUNITY Email : apes@azureplatformexperts. com Twitter : @Azure. APEs Facebook : www. facebook. com/Azure. APEs Linked. In : http: //www. linkedin. com/in/pdtit

AGENDA • Azure Networking Resources • Building a Hybrid Network Topology • Advanced Azure Networking features • Demos EVENTS. COLLAB 365. COMMUNITY

Agenda EVENTS. COLLAB 365. COMMUNITY

Azure Networking Picture Virtual Network • “Bring your own network” • Segment with subnets and security groups Azure Datacenters all over the globe, running cloud workloads • Control traffic flow with user defined routes • Network Security Groups EVENTS. COLLAB 365. COMMUNITY

Azure Networking Picture Azure Datacenters all over the globe, running cloud workloads Front-End Access • Load Balancing Solutions • Public & Private Ips • Azure DNS • DDo. S Protection EVENTS. COLLAB 365. COMMUNITY • Direct VM Access (RDP/SSH) Virtual Network • “Bring your own network” • Segment with subnets and security groups • Control traffic flow with user defined routes • Network Security Groups

Azure Networking Picture Azure Datacenters all over the globe, running cloud workloads Virtual Network • “Bring your own network” • Segment with subnets and security groups • Control traffic flow with user defined routes • Network Security Groups Back-End Access Front-End Access • Load Balancing Solutions • Public & Private Ips • Azure DNS • DDo. S Protection • Direct VM Access (RDP/SSH) EVENTS. COLLAB 365. COMMUNITY • VPN Gateways • Point-to-Site VPN • Site-to-Site VPN • Express. Route • VNet Peering

Azure Networking Picture Azure Datacenters all over the globe, running cloud workloads Virtual Network • “Bring your own network” • Segment with subnets and security groups • Control traffic flow with user defined routes • Network Security Groups Back-End Access Front-End Access • • Load Balancing Solutions • Public & Private Ips • Azure DNS • DDo. S Protection • Direct VM Access (RDP/SSH) EVENTS. COLLAB 365. COMMUNITY • Azure Provides End-to-End Enterprise Ready Networking Solutions VPN Gateways • Point-to-Site VPN • Site-to-Site VPN • Express. Route VNet Peering

Azure Core Networking EVENTS. COLLAB 365. COMMUNITY

Azure Networking Components 6 4 5 3 1 2 EVENTS. COLLAB 365. COMMUNITY 4 2

Microsoft Azure Virtual Networks (VNETs) • Logical isolation with control over the network • Create subnets and isolate traffic with network security groups Virtual Network Address Space: 10. 0/16 DNS: 10. 0. 0. 4 & 10. 0. 0. 5 • Support for Static IP addresses • Support for Internal Load Balancing • DNS support • Hybrid Connectivity Support • Site-to-Site • Point-to-Site • Express. Route EVENTS. COLLAB 365. COMMUNITY AD-VM-01 10. 0. 0. 4 IIS-VM-01 10. 0. 1. 4 AD-VM-02 10. 0. 0. 5 IIS-VM-02 10. 0. 1. 5 Subnet: AD CIDR: 10. 0/24 Subnet: WEB CIDR: 10. 0. 1. 0/24

Address Space and Subnets • One more non-overlapping address spaces • Define subnets out of the available address spaces in the virtual network using Classless Internet Domain Routing (CIDR) Address Spaces EVENTS. COLLAB 365. COMMUNITY Subnets

Bring Your Own DNS • Specify DNS Servers at the Virtual Network Level • Hosted in an Azure VM • External • On-Premises (with hybrid connection) Virtual Network Address Space: 10. 0/16 DNS: 10. 0. 1. 100 & 10. 0. 1. 101 • Virtual Machines are assigned specified DNS at boot • If DNS is added after a virtual machine is running a reboot is required for assignment. EVENTS. COLLAB 365. COMMUNITY AD-VM-01 10. 0. 1. 100 IIS-VM-01 10. 0. 2. 4 AD-VM-02 10. 0. 1. 101 IIS-VM-02 10. 0. 2. 5 Subnet: AD CIDR: 10. 0. 1. 0/24 Subnet: WEB CIDR: 10. 0. 2. 0/24

Public IP Address • A public IP can be assigned directly to a network interface or a load balancer • Supports static (reserved) or dynamic assignment • Optionally supports specifying a DNS label • Configurable idle timeout • First 5 static IPs are free vm 1. westus. cloudapp. azure. com 41. 67. 231. 67 VM 1 App-lb. westus. cloudapp. azure. com 104. 40. 27. 222 54. 67. 27. 87 EVENTS. COLLAB 365. COMMUNITY VM 2 vm 2. westus. cloudapp. azure. com

Private IP Assignment Rules • IPs are allocated based on order of provisioning of Network Interface Cards • (1 st 4 IPs are reserved) • Subnet Web: 10. 0. 1. 0/24 • 1. NIC-01 = 10. 0. 1. 4 Initial Provisioning • 2. NIC-02 = 10. 0. 1. 5 Initial Provisioning • Use Static Private IP addresses to retain IP regardless of order EVENTS. COLLAB 365. COMMUNITY

DEMO • Azure Core Networking EVENTS. COLLAB 365. COMMUNITY

Azure Load Balancing EVENTS. COLLAB 365. COMMUNITY

Azure Load Balancing Solutions 1) Azure Loadbalancer • • “Typical Load Balancing” on Layer 4 External or Internal Load Balancing Support for TCP and UDP Protocols Health Probe (http or tcp) EVENTS. COLLAB 365. COMMUNITY

Intranet Solution using Internal Load Balancer Address Space: 10. 0/16 Subnet Web: 10. 0. 1. 0/24 On Premises 192. 168. 0. 0/16 AV Set: WEB Access intranet over hybrid connection WEB-01 Subnet WEB 10. 0. 1. 4 http: //intranet Hybrid Connection https: //intranetapp Load Balanced IP: 10. 0. 1. 100 WEB-02 Subnet WEB 10. 0. 1. 5 WEB-03 Subnet WEB 10. 0. 1. 6 EVENTS. COLLAB 365. COMMUNITY

N-Tier Application with Load-Balanced Middle Tier Virtual Network Address Space: 10. 0/16 AV Set: APP AV Set: WEB External Load-Balanced Endpoint 137. 135. 67. 39 WEB-01 Subnet WEB 10. 0. 1. 4 Internal Load-Balanced Endpoint 10. 0. 2. 100 APP-01 Subnet APPS 10. 0. 2. 4 http: //company. com EVENTS. COLLAB 365. COMMUNITY WEB-02 Subnet WEB 10. 0. 1. 5 APP-02 Subnet APPS 10. 0. 2. 5 WEB-03 Subnet WEB 10. 0. 1. 6 APP-03 Subnet APPS 10. 0. 2. 5

Azure Load Balancing Solutions 2) Azure Application Gateway • Application Load Balancing on Layer 7 • HTTP/HTTPS protocols only • Session cookie affinity • SSL offloading • URL rerouting • Load Balancing • Cookie Affinity • Web Application Firewall (WAF) IIS-VM-01 IIS-VM-02 • SSL Offload IIS-VM-03 EVENTS. COLLAB 365. COMMUNITY App Gateway HTTP & HTTPS

Network Security Groups (NSG) EVENTS. COLLAB 365. COMMUNITY

Network Security Groups Overview • Enables network segmentation & DMZ scenarios • NSG contains a list of ACL Rules that Allow/Deny Network Traffic to VMs in a Virtual Network • Restrict traffic from or to external or internal sources, but only within the region where it was created • Manage using Portal, Template, or Command line EVENTS. COLLAB 365. COMMUNITY Property Limits Number of NSGs associated to a subnet, VM, or Network Interface 1 NSGs per region per subscription 100* NSG rules per NSG 200*

Network Security Groups Example Virtual Network Address Space: 10. 0/16 Subnet Web: 10. 20. 1. 0/24 Allowed via Web. Security. Group IIS-VM-01 IIS-VM-02 Subnet Web 10. 20. 1. 4 10. 20. 1. 5 Allowed via SQLSecurity. Group Subnet SQL: 10. 2. 0/24 SQLSecurity. Group SQL-VM-01 SQL-VM-02 SQL-VM-03 Subnet SQL 10. 20. 0. 6 10. 2. 4 10. 2. 5 EVENTS. COLLAB 365. COMMUNITY

DEMO • Network Security Group EVENTS. COLLAB 365. COMMUNITY

User Defined Routing EVENTS. COLLAB 365. COMMUNITY

Azure Default Network Routing • Traffic automatically flows between virtual machines in different subnets and even address spaces • Azure has built in default routes: • • • Routing within a subnet From a subnet to another subnet in the same virtual network To the Internet Virtual Network to Virtual Network using a VPN Gateway Virtual Network to on-premises using a VPN Gateway EVENTS. COLLAB 365. COMMUNITY

User Defined Routes Internet • Control traffic flow in your network with custom routes VM with IP Forwarding • Attach route tables to subnets Back. End Subnet Front. End Subnet • Specify next hop for any address prefix • Set default route to force tunnel all traffic to on-premises or appliance EVENTS. COLLAB 365. COMMUNITY VM/Appliance

Forced Tunneling Security Device Internet • “Force” or redirect Internet-bound traffic to an on-premises site (per subnet) • Auditing & inspecting outbound traffic from Azure INTERNET - IPSEC • Needed by many scenarios for critical security and IT policy requirements Subnet Back. End • Requires a Route-based Gateway EVENTS. COLLAB 365. COMMUNITY Subnet Front. End

VNet Peering EVENTS. COLLAB 365. COMMUNITY

VNET Peering • Connect two VNETs in the same region • Utilizes the Azure Backbone network • Appear as one network for connectivity • Managed as separate resources Virtual Machines will experience the exact same throughput for Peered VNET as they do on the same VNET EVENTS. COLLAB 365. COMMUNITY

Why Have Multiple VNets? • Most common in Enterprise Agreements with multiple subscriptions • Segregating Billing • Segregating Admin • A VNet cannot span subscriptions External LB FW FW Internal LB ADDC IIS ADDC FW Internal LB IIS SQL Monitoring Marketing EVENTS. COLLAB 365. COMMUNITY IIS ADDC FW Internal LB IIS SQL Monitoring IT IIS HR

Benefits of VNET Peering • Low-latency, high-bandwidth connection between resources in different VNETs • No bandwidth restriction (besides those imposed on VM series/size) Resource Manager • Ability to use resources as transit points in a peered VNET (between ARM VNets only) • Reduced Infrastructure • Connect VNETs that use ARM model to a VNET that uses Classic model and enable full connectivity between resources (same subscription only) EVENTS. COLLAB 365. COMMUNITY Classic

Caveats of VNET Peering • Vnet peering is between 2 virtual networks, and there is no derived transitive relationship • Vnet address spaces cannot overlap • Peered Vnets can be in different subscriptions • Must be linked to the same Azure AD tenant • Exception – If 1 Vnet is ARM and the other is Classic EVENTS. COLLAB 365. COMMUNITY A Peering (A-B) No Implied (A-C) B Peering (B-C) C

DEMO • VNet Peering EVENTS. COLLAB 365. COMMUNITY

Azure Networking Monitoring EVENTS. COLLAB 365. COMMUNITY

Azure Network Watcher • Recently added Networking feature, providing – Topology – Variable Packet Capture – IP Flow Verify – Next Hop – Diagnostics Logging – Security Group View – NSG Flow Logging – VPN Gateway Troubleshooting – Network Subscription Limits – Role Based Access Control – Connectivity EVENTS. COLLAB 365. COMMUNITY

Azure Network Monitor • Centralized hub for different Azure Resources Monitoring aspects: • • • Alerts Metrics Log Analytics Service Health Application Insights Network Watcher EVENTS. COLLAB 365. COMMUNITY

Azure Security Center • Centralized Dashboard, focusing on Security posture of Azure and hybrid systems and applications • Active in 3 different areas: • General Security View • Prevention • Detection • Networking Features: • Networking Recommendations • Internet Facing Endpoints security view • Networking Topology security view EVENTS. COLLAB 365. COMMUNITY

DEMO • Azure Network Watcher • Azure Security Center EVENTS. COLLAB 365. COMMUNITY

AGENDA • Azure Networking Resources • Building a Hybrid Network Topology • Advanced Azure Networking features • Demos EVENTS. COLLAB 365. COMMUNITY

Stay tuned for more great sessions … EVENTS. COLLAB 365. COMMUNITY