Customer’s Network Primary Connection Partner Edge Secondary Connection


✔ ✔ Customer’s Network Primary Connection Partner Edge Secondary Connection ExpressRoute Circuit Microsoft Peering for Office 365 and Dynamics 365 Azure Public Peering for Azure public IPs Azure Private Peering for Virtual Networks Microsoft Edge

Marseille Johannesburg Cape Town Coming soon


Germany Cloud Berlin Frankfurt Phoenix Coming soon China Cloud Beijing Shanghai San Antonio



Zero down time gateway upgrade Planned maintenance notifications Connection weight Route filter for Microsoft Peering

Monitoring Preview IPv6 support Merging of Microsoft Peering and Azure Public Peering Preview Customer’s network Partner Edge Microsoft Edge ExpressRoute Circuit

More Details in BRK2212 12:45 – 1:30 PM, Sept 28, OCCC W240

vEOS Router Arista CloudVision Uniform operational model & standard APIs Provisioning, orchestration, telemetry & analytics Arista virtual EOS Router ✔ Same as on Arista Hardware Universal Cloud Network ✔ Secure VPN Tunneling and High Availability ✔ Traffic Engineering ✔ Standard APIs Private Clouds Public Clouds Cloud Exchanges Enterprise Datacenters Any Place-In-the-Cloud

Private Cloud Exchanges Public Clouds Any Cloud API vEOS Router in Azure West Automation Analytics Agile Work-X Available Architecture vEOS Router in Azure East Enterprise Datacenter with Arista Universal Cloud Network Arista 7500R at Equinix Cloud Exchange vEOS Router in Azure Stack Consistent hybrid cloud connectivity, seamlessly extended…

Private Cloud Exchanges Public Clouds Cloud Tracer™ Telemetry Probe Cloud Tracer™ Integrated with CloudVision Telemetry Analytics Cloud Exchange Probe vEOS Router in Azure West vEOS Router in Azure East vEOS Router in Azure Stack Instrumenting for Visibility across the Hybrid Cloud

Single flow performance UDP fragmentation ExpressRoute circuit deletion workflow Troubleshooting during initial setup


Select services, reduce routes No effect on existing circuits with Microsoft Peering New Microsoft Peering Steps to create a route filter Opt-in for current customers

Supported on Azure commercial cloud and Government Cloud Dual stack and BGP sessions on Microsoft Peering IPv4 must always be enabled Route filters can be applied independently for IPv4 and IPv6

Two scenarios Site-to-Site VPN faster gateways Limitations Azure VNET Site-to-Site VPN ExpressRoute

Run BGP on Site-to-Site VPN connections Site-to-Site VPN Longest Prefix Match rules! “Force-tunneling” Azure VNET Site-to-Site VPN ExpressRoute

Force traffic to on-premises network for security, compliance enforcement Break Azure services in VNet Azure App Service Azure Batch Azure HDInsight Apply UDR to subnet ExpressRoute BGP: 0.0.0.0/0 GW subnet HDInsight subnet Customer VNET Narrow down to specific IPs Public IP Return traffic

Microsoft Network US East ExpressRoute “local preference” ExpressRoute US West “AS-Path prepending” Customer’s Network Office in Los Angeles Office in New York

Sub-optimal routing between VNets US West 2 US East US East 2 Set weight on the VNet-to-ER connection W = 100 San Jose Washington DC

Microsoft Network US West US East W=100 ExpressRoute connection weight ExpressRoute W=100 connection weight AS-path prepending Customer’s Network Office in Los Angeles Office in New York

SaaS on Azure can initiate connection Internet Public IP Customer has Azure Public Peering only Use NAT to enforce symmetry NAT Customer’s premises Microsoft Azure


Customer has both Microsoft Peering and Azure Public Peering Internet Public IP NAT Microsoft peering Two solutions Customer’s premises Microsoft Azure

DMZ NAT Prefix Z NAT DMZ ExpressRoute Prefix Y ExpressRoute Prefix X ExpressRoute Microsoft Azure NAT WAN Customer’s premises Advertise unique (NAT) IPs for connections from you to Microsoft

Prefix X ExpressRoute Microsoft Azure Stateless extranet Firewall DMZ NAT Firewall DMZ Customer’s premises Apply NAT to connections from Microsoft to you NAT

Peering Use VNet Peering for VNet-to-VNet communication Enable “Hub & Spoke” Peering

Use ExpressRoute connections for on-premises communication Reachability summary Peering US East Peering Use global VNet Peering for Hub to Hub communication US West Peering “Hub and Spoke” at each site for performance and scale

VNet Service Endpoints extend VNet to multitenant Azure services Microsoft Azure Internet Azure Storage Azure SQL VNet-to-service traffic always stays on Microsoft network GW subnet App subnet Customer VNET Private access ExpressRoute provides on-premises access


“Bring your own VPN” Customer VNET GW subnet Use Azure VPN gateway (after merging of Microsoft Peering and Azure Public Peering) ILB App subnet Customer VNET GW subnet App subnet

Whitelist Azure public IPs Internet Whitelist Microsoft public IPs Firewall Microsoft peering Apply URL-based filtering Customer’s premises Microsoft Azure

Azure Networking @ T-Mobile GOPALA GADDIPATTI Principal Architect T-Mobile Confidential


About T-Mobile ▪ As America's Un-carrier, T-Mobile US, Inc. is redefining the way consumers and businesses buy wireless services through leading product and service innovation. ▪ NASDAQ traded public company – TMUS ▪ Operating two flagship brands: T-Mobile and MetroPCS ▪ Based in Bellevue, Washington

Q2 2017 HIGHLIGHTS 1.3 315 14 69.6 1.10% Million Quarters Million Phone Churn Net Adds 17th consecutive quarter of over 1 million Americans covered by T-Mobile LTE today In a row with the fastest download speeds Total Customers Record Low Targeting 321 million by the end of 2017

40 Cloud Center of Excellence


T-Mobile Digital Strategy Self Service ▪ ▪ ▪ Unified User Experience Web Transformation Application Transformation Agile Platforms ▪ Simple to Deploy ▪ Automation ▪ No Capacity challenges DevOps ▪ ▪ ▪ Dev & Ops A & B - Deployment CI/CD Everything as Code Immutable Infra

Customer Security is Important to T-Mobile Network Security Application Security ▪ Secure Connectivity ▪ Network Segregation ▪ Intrusion Detection & Prevention ▪ Access Control ▪ Security throughout SDLC ▪ Data Security ▪ HTTP Vulnerabilities, DoS/DDoS protection ▪ Authentication and Authorization Audit + Compliance ▪ External Audits ▪ Security Monitoring ▪ Vulnerability Management ▪ SIEM Management

ExpressRoute – Azure Connectivity with T-Mobile 1 Azure West — Two 10G circuits 2 Geo Redundancy 3 Port redundancy 4 Segregation 5 Azure Central Physical Circuit redundancy — Azure West and Central — Two physical ports — Virtual circuits based on Inf. Security Monitoring — ARP Records, Route Table

T-Mobile Azure Network 1 Separate Subscriptions for PCI and CPNI applications 2 Dedicated Resource Group for Network (VNets, ExpressRoute, etc.) 3 RBAC to limit network management 4 Default Deny policy 5 Dedicated Virtual Circuits 6 Each VNet connected with two ExpressRoute circuits

We Love Azure Networking Features DevOps Friendly Expand Contract VNets Network Monitoring Cost Effective

Most Popular T-Mobile Application On Azure Every Tuesday Users receive Free gifts T-Mobile Tuesday Customer appreciation application Chance to win big prizes Every day exclusives


ExpressRoute for Office 365 is only recommended in specific scenarios Enabling Office 365 requires review and approval from Microsoft

Dynamics 365 on ExpressRoute is self-service Dynamics 365 Customer Engagement applications (i.e. CRM Online) are available on Microsoft Peering Dynamics 365 for Finance and Operations (i.e. Dynamics AX Online) is available on Azure Public Peering or new Microsoft Peering

Please evaluate this session Your input is important! https://myignite.microsoft.com/evaluations https://aka.ms/ignite.mobileapp