Architecting Enterprise-Ready Networking Solutions in Azure
Collab365 Community Online Conference (events.collab365.community), June 17th and 18th 2015
Peter De Tender, www.AzurePlatformExperts.com
Microsoft Azure Architect & Trainer; Microsoft Certified Trainer (MCT); Microsoft Learning Regional Lead; Microsoft Azure MVP (2013-2017); ex-Microsoft Azure Engineering PM; book author for Packt Publishing & Apress; courseware author and trainer; technical writer
Email: apes@azureplatformexperts.com | Twitter: @AzureAPEs | Facebook: www.facebook.com/AzureAPEs | LinkedIn: http://www.linkedin.com/in/pdtit
Agenda
• Azure Networking Resources
• Building a Hybrid Network Topology
• Advanced Azure Networking features
• Demos
Azure Networking Picture (built up over four slides; the complete picture is shown here)
Azure datacenters all over the globe, running cloud workloads.
Virtual Network
• “Bring your own network”
• Segment with subnets and security groups
• Control traffic flow with user defined routes
• Network Security Groups
Front-End Access
• Load Balancing Solutions
• Public & Private IPs
• Azure DNS
• DDoS Protection
• Direct VM Access (RDP/SSH)
Back-End Access
• VPN Gateways
• Point-to-Site VPN
• Site-to-Site VPN
• ExpressRoute
• VNet Peering
Azure provides end-to-end enterprise-ready networking solutions.
Azure Core Networking
Azure Networking Components (diagram with six numbered components)
Microsoft Azure Virtual Networks (VNETs)
• Logical isolation with control over the network
• Create subnets and isolate traffic with network security groups
• Support for static IP addresses
• Support for Internal Load Balancing
• DNS support
• Hybrid connectivity support: Site-to-Site, Point-to-Site, ExpressRoute
Diagram: Virtual Network with address space 10.0.0.0/16 and DNS 10.0.0.4 & 10.0.0.5. Subnet AD (10.0.0.0/24): AD-VM-01 10.0.0.4, AD-VM-02 10.0.0.5. Subnet WEB (10.0.1.0/24): IIS-VM-01 10.0.1.4, IIS-VM-02 10.0.1.5.
Address Space and Subnets
• One or more non-overlapping address spaces
• Define subnets out of the available address spaces in the virtual network using Classless Inter-Domain Routing (CIDR) notation
Diagram: address spaces on the left, the subnets carved out of them on the right.
Bring Your Own DNS
• Specify DNS servers at the Virtual Network level; they can be hosted in an Azure VM, external, or on-premises (over a hybrid connection)
• Virtual machines are assigned the specified DNS servers at boot
• If DNS is added after a virtual machine is running, a reboot is required for the assignment to take effect
Diagram: Virtual Network with address space 10.0.0.0/16 and DNS 10.0.1.100 & 10.0.1.101. Subnet AD (10.0.1.0/24): AD-VM-01 10.0.1.100, AD-VM-02 10.0.1.101. Subnet WEB (10.0.2.0/24): IIS-VM-01 10.0.2.4, IIS-VM-02 10.0.2.5.
Public IP Address
• A public IP can be assigned directly to a network interface or to a load balancer
• Supports static (reserved) or dynamic assignment
• Optionally supports specifying a DNS label
• Configurable idle timeout
• First 5 static IPs are free
Diagram: VM1 at vm1.westus.cloudapp.azure.com (41.67.231.67) and VM2 at vm2.westus.cloudapp.azure.com (54.67.27.87), with the load balancer App-lb.westus.cloudapp.azure.com (104.40.27.222) in front of them.
Private IP Assignment Rules
• IPs are allocated based on the order of provisioning of Network Interface Cards (the 1st 4 IPs of each subnet are reserved)
• Subnet Web: 10.0.1.0/24
  1. NIC-01 = 10.0.1.4 (initial provisioning)
  2. NIC-02 = 10.0.1.5 (initial provisioning)
• Use static private IP addresses to retain the IP regardless of order
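As an added example (not from the original deck), the address-space, subnet and allocation rules of the last few slides in Python: it checks that subnets sit inside a non-overlapping address space, then simulates the provisioning-order allocation with the first four addresses reserved, including a static IP that is kept regardless of order. The topology values are constructed from the slide diagrams.

```python
import ipaddress
import itertools

# Constructed sample, following the slides: one address space, two subnets.
ADDRESS_SPACES = ["10.0.0.0/16"]
SUBNETS = {"AD": "10.0.0.0/24", "WEB": "10.0.1.0/24"}
RESERVED_FIRST = 4  # slide: the first 4 addresses of every subnet are reserved (.0 to .3)


def validate_subnets(address_spaces, subnets):
    """Return the problems found: overlapping address spaces, subnets that fall
    outside every address space, and subnets that overlap each other."""
    spaces = [ipaddress.ip_network(s) for s in address_spaces]
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for a, b in itertools.combinations(spaces, 2):
        if a.overlaps(b):
            problems.append(f"address spaces {a} and {b} overlap")
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"subnet {name} ({net}) is outside every address space")
    for (n1, a), (n2, b) in itertools.combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append(f"subnets {n1} and {n2} overlap")
    return problems


def allocate_private_ips(subnet_cidr, nics_in_provisioning_order, static=None):
    """Dynamic allocation as on the slide: each NIC takes the next free address in
    provisioning order. NICs in `static` keep their pinned address whatever the order."""
    net = ipaddress.ip_network(subnet_cidr)
    pinned = {nic: ipaddress.ip_address(ip) for nic, ip in (static or {}).items()}
    for nic, ip in pinned.items():
        if ip not in net:
            raise ValueError(f"static IP {ip} for {nic} is not inside {net}")
    taken = set(pinned.values())
    # Skip the reserved leading addresses; the last address (broadcast) is never handed out either.
    candidates = (ip for i, ip in enumerate(net) if RESERVED_FIRST <= i < net.num_addresses - 1)
    assignment = {}
    for nic in nics_in_provisioning_order:
        if nic in pinned:
            assignment[nic] = str(pinned[nic])
            continue
        ip = next((c for c in candidates if c not in taken), None)
        if ip is None:
            raise ValueError(f"subnet {net} has no free addresses left")
        taken.add(ip)
        assignment[nic] = str(ip)
    return assignment
```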
DEMO • Azure Core Networking
Azure Load Balancing
Azure Load Balancing Solutions
1) Azure Load Balancer
• “Typical load balancing” on Layer 4
• External or internal load balancing
• Support for TCP and UDP protocols
• Health probe (HTTP or TCP)
Intranet Solution using Internal Load Balancer
Diagram: the on-premises network 192.168.0.0/16 reaches http://intranet and https://intranetapp over a hybrid connection. Virtual Network address space 10.0.0.0/16, subnet Web 10.0.1.0/24, availability set WEB with WEB-01 (10.0.1.4), WEB-02 (10.0.1.5) and WEB-03 (10.0.1.6) behind the load-balanced IP 10.0.1.100.
N-Tier Application with Load-Balanced Middle Tier
Diagram: Virtual Network address space 10.0.0.0/16. http://company.com resolves to the external load-balanced endpoint 137.135.67.39 in front of availability set WEB (WEB-01 10.0.1.4, WEB-02 10.0.1.5, WEB-03 10.0.1.6 in subnet WEB). The web tier talks to the internal load-balanced endpoint 10.0.2.100 in front of availability set APP (APP-01 10.0.2.4, APP-02 10.0.2.5, APP-03 10.0.2.5 in subnet APPS).
Azure Load Balancing Solutions
2) Azure Application Gateway
• Application load balancing on Layer 7
• HTTP/HTTPS protocols only
• Session cookie affinity
• SSL offloading
• URL rerouting
• Web Application Firewall (WAF)
Diagram: App Gateway terminating HTTP & HTTPS (load balancing, cookie affinity, SSL offload) in front of IIS-VM-01, IIS-VM-02 and IIS-VM-03.
Network Security Groups (NSG)
Network Security Groups Overview
• Enables network segmentation & DMZ scenarios
• An NSG contains a list of ACL rules that allow/deny network traffic to VMs in a Virtual Network
• Restrict traffic from or to external or internal sources, but only within the region where the NSG was created
• Manage using Portal, Template, or command line
Limits:
  Number of NSGs associated to a subnet, VM, or network interface: 1
  NSGs per region per subscription: 100*
  NSG rules per NSG: 200*
Network Security Groups Example
Diagram: Virtual Network address space 10.0.0.0/16. Subnet Web (10.20.1.0/24) with IIS-VM-01 10.20.1.4 and IIS-VM-02 10.20.1.5, traffic allowed via WebSecurityGroup. Subnet SQL (10.2.0/24) with SQL-VM-01 10.20.0.6, SQL-VM-02 10.2.4 and SQL-VM-03 10.2.5, traffic allowed via SQLSecurityGroup.
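An added example, not from the deck: a small evaluator for the NSG rule model of the two slides above (priority order, first match wins, the platform's default rules appended), run over the web/SQL layout of the example. The VNet 10.20.0.0/16, the rule names and the simplified Internet tag are assumptions; the default rules and the priority semantics are Azure's.

```python
import ipaddress

# Constructed topology loosely following the slide: a web tier and a SQL tier in one VNet.
VNET = ipaddress.ip_network("10.20.0.0/16")
WEB_SUBNET = "10.20.1.0/24"

def rule(name, priority, access, protocol, source, dest_port):
    return {"name": name, "priority": priority, "access": access,
            "protocol": protocol, "source": source, "dest_port": dest_port}

# Azure evaluates rules by priority (lowest number first) and the first match decides.
# Every NSG ends with the platform's default inbound rules, which cannot be removed.
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
WEB_SECURITY_GROUP = [
    rule("allow-https-in", 100, "Allow", "Tcp", "Internet", "443"),
    rule("allow-http-in", 110, "Allow", "Tcp", "Internet", "80"),
]
# The explicit deny at 200 matters: without it AllowVnetInBound (65000) would let every
# VM in the VNet reach port 1433, not only the web subnet.
SQL_SECURITY_GROUP = [
    rule("allow-sql-from-web", 100, "Allow", "Tcp", WEB_SUBNET, "1433"),
    rule("deny-sql-from-vnet", 200, "Deny", "Tcp", "VirtualNetwork", "1433"),
]

def _source_matches(rule_source, src):
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return src in VNET
    if rule_source == "Internet":  # simplification of the service tag: anything outside the VNet
        return src not in VNET
    return src in ipaddress.ip_network(rule_source)

def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    low, _, high = rule_port.partition("-")  # single port or "low-high" range
    return int(low) <= port <= int(high or low)

def evaluate_inbound(nsg_rules, src_ip, dest_port, protocol="Tcp"):
    """Return (access, matching rule name) for one inbound flow: the same verdict
    Network Watcher's IP Flow Verify gives for that question."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(nsg_rules + DEFAULT_INBOUND, key=lambda x: x["priority"]):
        if (r["protocol"] in ("*", protocol) and _source_matches(r["source"], src)
                and _port_matches(r["dest_port"], dest_port)):
            return r["access"], r["name"]
```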
DEMO • Network Security Group
User Defined Routing
Azure Default Network Routing
• Traffic automatically flows between virtual machines in different subnets and even different address spaces
• Azure has built-in default routes for:
  • Routing within a subnet
  • From a subnet to another subnet in the same virtual network
  • To the Internet
  • Virtual Network to Virtual Network using a VPN Gateway
  • Virtual Network to on-premises using a VPN Gateway
User Defined Routes
• Control traffic flow in your network with custom routes
• Attach route tables to subnets
• Specify the next hop for any address prefix
• Set a default route to force-tunnel all traffic to on-premises or to an appliance
Diagram: FrontEnd and BackEnd subnets; a VM/appliance with IP forwarding enabled sits between the subnets and the Internet as the next hop.
Forced Tunneling
• “Force” or redirect Internet-bound traffic to an on-premises site (per subnet)
• Auditing & inspecting outbound traffic from Azure
• Needed by many scenarios for critical security and IT policy requirements
• Requires a route-based gateway
Diagram: the FrontEnd and BackEnd subnets send Internet-bound traffic over the IPsec tunnel to an on-premises security device, which forwards it to the Internet.
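Added example, not from the deck: a longest-prefix-match lookup over the default system routes and the user-defined routes described on the last three slides, showing what an appliance route and a forced-tunnel route each do to Internet-bound, intra-VNet and on-premises-bound traffic. The VNet, the on-premises prefix and the appliance address 10.0.0.4 are constructed.

```python
import ipaddress

# Routes are (address prefix, next hop type, next hop IP, origin). Next hop types use
# Azure's names; origin is "System" for the default routes or "User" for a UDR.
VNET, ONPREM = "10.0.0.0/16", "192.168.0.0/16"

# Constructed system routes for a VNet that has a VPN gateway to on-premises.
SYSTEM_ROUTES = [
    (VNET, "VirtualNetwork", None, "System"),
    (ONPREM, "VirtualNetworkGateway", None, "System"),
    ("0.0.0.0/0", "Internet", None, "System"),
]
# FrontEnd keeps the defaults; BackEnd sends Internet-bound traffic through an appliance
# VM with IP forwarding (10.0.0.4, constructed); the forced-tunneling table sends it over
# the gateway to the on-premises security device instead.
FRONTEND_TABLE = SYSTEM_ROUTES
BACKEND_TABLE = SYSTEM_ROUTES + [("0.0.0.0/0", "VirtualAppliance", "10.0.0.4", "User")]
FORCED_TUNNEL_TABLE = SYSTEM_ROUTES + [("0.0.0.0/0", "VirtualNetworkGateway", None, "User")]


def next_hop(dest_ip, routes):
    """Longest-prefix match over the effective routes; on an identical prefix a
    user-defined route overrides the system route. Returns (hop type, hop IP)."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, hop_type, hop_ip, origin in routes:
        net = ipaddress.ip_network(prefix)
        if dest not in net:
            continue
        rank = (net.prefixlen, origin == "User")
        if best is None or rank > best[0]:
            best = (rank, hop_type, hop_ip)
    return (best[1], best[2]) if best else ("None", None)


def overridden_system_routes(routes):
    """System routes that a UDR with the same prefix replaces: a quick check of what
    a route table actually changes before attaching it to a subnet."""
    user_prefixes = {p for p, _, _, o in routes if o == "User"}
    return [(p, t) for p, t, _, o in routes if o == "System" and p in user_prefixes]
```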
VNet Peering
VNET Peering
• Connect two VNETs in the same region
• Utilizes the Azure backbone network
• Appear as one network for connectivity
• Managed as separate resources
Virtual machines experience exactly the same throughput to a peered VNET as they do within the same VNET.
Why Have Multiple VNets?
• Most common in Enterprise Agreements with multiple subscriptions
  • Segregating billing
  • Segregating admin
• A VNet cannot span subscriptions
Diagram: three VNets (Marketing, IT, HR), each with its own firewall, internal load balancer, AD DC, IIS, SQL and monitoring tiers, with an external load balancer in front.
Benefits of VNET Peering
• Low-latency, high-bandwidth connection between resources in different VNETs
• No bandwidth restriction (besides those imposed by the VM series/size)
• Ability to use resources as transit points in a peered VNET (between ARM VNets only)
• Reduced infrastructure
• Connect VNETs that use the Resource Manager (ARM) model to a VNET that uses the Classic model and enable full connectivity between resources (same subscription only)
Caveats of VNET Peering
• VNet peering is between 2 virtual networks, and there is no derived transitive relationship
• VNet address spaces cannot overlap
• Peered VNets can be in different subscriptions
• Must be linked to the same Azure AD tenant (exception: if 1 VNet is ARM and the other is Classic)
Diagram: VNets A, B and C; peering A-B and peering B-C do not imply connectivity A-C.
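Added example, not from the deck: checks for the peering caveats above, built on constructed VNets A to D. It reports overlapping address spaces, tracks that a peering is one resource per side (Connected only once both sides exist, as the earlier "managed as separate resources" bullet implies) and shows that A-B plus B-C does not make C reachable from A.

```python
import ipaddress

# Constructed VNets and peering resources. Each entry is the peering created on ONE side;
# traffic flows only once the reverse peering exists too. (A, C) below has no reverse.
VNETS = {"A": "10.1.0.0/16", "B": "10.2.0.0/16", "C": "10.3.0.0/16", "D": "10.2.128.0/17"}
PEERING_RESOURCES = {("A", "B"), ("B", "A"), ("B", "C"), ("C", "B"), ("A", "C")}


def peering_problems(vnets, a, b):
    """Reasons the two VNets cannot be peered: same VNet, or overlapping address spaces."""
    if a == b:
        return [f"{a} cannot be peered with itself"]
    na, nb = ipaddress.ip_network(vnets[a]), ipaddress.ip_network(vnets[b])
    return [f"{a} {na} overlaps {b} {nb}"] if na.overlaps(nb) else []


def peering_state(peerings, a, b):
    """'Connected' when both sides exist, 'Initiated' when only one does, else 'None'."""
    forward, back = (a, b) in peerings, (b, a) in peerings
    if forward and back:
        return "Connected"
    return "Initiated" if forward or back else "None"


def reachable(peerings, src, dst):
    """Peering is not transitive: src reaches dst only over a directly connected peering,
    never by hopping through a third VNet (A-B plus B-C does not give A-C)."""
    return src != dst and peering_state(peerings, src, dst) == "Connected"


def reachable_from(peerings, src):
    """Every VNet that src can reach; compare with what a transitive closure would claim."""
    vnets = {v for pair in peerings for v in pair}
    return sorted(v for v in vnets if reachable(peerings, src, v))
```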
DEMO • VNet Peering
Azure Networking Monitoring
Azure Network Watcher
• Recently added networking feature, providing:
  – Topology
  – Variable Packet Capture
  – IP Flow Verify
  – Next Hop
  – Diagnostics Logging
  – Security Group View
  – NSG Flow Logging
  – VPN Gateway Troubleshooting
  – Network Subscription Limits
  – Role Based Access Control
  – Connectivity
Azure Network Monitor
• Centralized hub for the different Azure resource monitoring aspects:
  • Alerts
  • Metrics
  • Log Analytics
  • Service Health
  • Application Insights
  • Network Watcher
Azure Security Center
• Centralized dashboard, focusing on the security posture of Azure and hybrid systems and applications
• Active in 3 different areas:
  • General security view
  • Prevention
  • Detection
• Networking features:
  • Networking recommendations
  • Internet-facing endpoints security view
  • Networking topology security view
DEMO • Azure Network Watcher • Azure Security Center
Stay tuned for more great sessions …