Windows Azure Conference 2014 Windows Azure Virtual Networks

  • Slides: 37

Cloud Services Fundamentals: Networking

Cloud Service is a management, configuration, security, networking and service model boundary.
[Diagram: Azure Load Balancer with a public IP in front of a Cloud Service; the service contains roles (a Web Role and a Worker Role) whose instances are VM 1, VM 2, VM 3, VM 4, VM 5, VM…]

Virtual Machines are roles with exactly one instance.
[Diagram: Azure Load Balancer with a public IP in front of an implicit Cloud Service containing a single Virtual Machine (~role)]

Multiple Virtual Machines can be hosted within the same cloud service.
[Diagram: Azure Load Balancer with a public IP in front of a Cloud Service; VM 1 and VM 2 are placed in an Availability Set]

DNS and External Connectivity

• Full control over machine names
  - Set during provisioning, similar to on-premises server naming
• Windows Azure provided DNS name resolution
  - Resolves VMs by name within the same cloud service
  - Machine names are modeled explicitly and registered in the DNS service
• Bring your own DNS server
  - Use your on-premises DNS servers
  - Deploy a DNS server in Windows Azure
  - Use public DNS services

[Diagram: three DNS scenarios. A. Simple app stack requiring connectivity between the VMs: one Cloud Service hosting a SQL Server persistent VM role, Analysis Services and open user access (website). B. SharePoint with custom DNS running on an IaaS VM: a Cloud Service with a load balancer in front of SharePoint front-end persistent VM roles, a local DNS server, a SQL Server persistent VM role and a search and index persistent VM, reachable from the Internet. C. Hybrid connectivity with on-premises (DNS on-premises): Azure virtual machine(s) running the web tier (UI process components), app logic (business components and entities) and SQL AlwaysOn / SQL Reporting Services, domain-joined to the on-premises network that hosts AD/DNS]

• TCP and UDP traffic supported in WA
  - Applies to both incoming and outbound traffic
  - Support for all IP-based protocols
• VM to VM
  - Instance-to-instance communication (subject to OS firewall rules on the VMs)
  - TCP, UDP and ICMP, dynamic ports
• Load-balanced vs port-forwarding traffic routing
  - Load-balanced vs direct communication to multiple VMs in the same cloud app
• Custom Load Balancer health probes
  - Health check with probe timeouts
  - HTTP-based probing, allowing granular control of health checks

Endpoint definition: Name, Public Port, Local Port, Protocol (TCP/UDP)
[Diagram: load-balanced endpoint LBHTTP; the Load Balancer listens on public port Y for the Cloud Service and forwards to local port x on VM 1, VM 2 and VM 3]

Load Balancer Probe (preview for VMs): Name, Protocol (HTTP), Probe Path (/healthcheck.aspx); looks for HTTP < 400
[Diagram: the Load Balancer probes /healthcheck.aspx on port 80 of VM 1, VM 2 and VM 3 in the Cloud Service]

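The probe rule on this slide (a response with an HTTP status below 400, received within the probe timeout, keeps an instance in rotation) as an added Python example; this is not code from the deck or from Azure. The timeout value, the VM names and the probe results are constructed, and `healthcheck_status` is a hypothetical sketch of what a /healthcheck.aspx handler should return so that a broken back-end dependency produces a status the probe treats as a failure rather than a redirect or a 200 from a static page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed probe timeout for this example (the slides mention probe timeouts
# but give no value).
PROBE_TIMEOUT_SECONDS = 15.0


@dataclass
class ProbeResult:
    vm: str
    status: Optional[int]  # HTTP status code, or None when no response came back
    elapsed: float         # seconds until the response arrived or the probe gave up


def probe_is_healthy(result: ProbeResult, timeout: float = PROBE_TIMEOUT_SECONDS) -> bool:
    """Apply the slide's rule: healthy when a response arrives within the
    timeout and its HTTP status is below 400. Note that 3xx passes, so a
    redirect to a login page keeps an instance in rotation even if the
    application behind the probe path is broken."""
    if result.status is None or result.elapsed > timeout:
        return False
    return result.status < 400


def vms_in_rotation(results: List[ProbeResult]) -> List[str]:
    """VMs the load balancer keeps behind the endpoint after one probe round."""
    return [r.vm for r in results if probe_is_healthy(r)]


def healthcheck_status(dependencies: Dict[str, bool]) -> int:
    """Hypothetical sketch of what /healthcheck.aspx should return: 200 only
    when every dependency the app needs (e.g. its SQL back end) is reachable,
    otherwise 503 so the probe removes the instance instead of a redirect or
    a static 200 masking the failure."""
    return 200 if all(dependencies.values()) else 503


# Constructed sample probe round against VMs behind the LBHTTP endpoint.
SAMPLE_ROUND = [
    ProbeResult("VM 1", 200, 0.4),    # healthy
    ProbeResult("VM 2", 302, 0.3),    # redirect: still counts as healthy (< 400)
    ProbeResult("VM 3", 500, 0.2),    # application error: removed
    ProbeResult("VM 4", None, 15.0),  # timed out: removed
]

if __name__ == "__main__":
    print("in rotation:", vms_in_rotation(SAMPLE_ROUND))
```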
Port-forwarding endpoints: Name, Public Port, Local Port, Protocol (TCP/UDP)
[Diagram: the LB/IP forwards public port 5586 to port 3389 on VM 1 and public port 5587 to port 3389 on VM 2 in the same Cloud Service]

DEMO: Windows Azure Endpoints

Virtual Networks (VNETs)

[Diagram: Fabrikam VNet (10.0/8); Cloud Service 1 in FrontEndSubnet (10.0/16) with a Load Balancer and IIS VMs; Cloud Service 2 in SQLSubnet (10.1.0.0/16) with SQL AlwaysOn VMs; direct access between the two via the VNET]
• Provide direct IP connectivity across cloud services hosting web roles, worker roles, and/or VMs
• External connectivity controlled by Cloud Service endpoints
• Windows Azure-provided DNS does not span cloud services
• Use direct IP or custom DNS for full name resolution

[Diagram: a Windows Azure VNET with Subnet 1 (ROLE 1) and Subnet 2 (VM 1, VM 2)]
• A protected private virtual network in the cloud
• An Azure VPN Gateway connects VNETs to corporate networks as a “virtual branch office” or datacenter extension in the cloud

Cisco
Platform                                        | OS Family         | Examples
ASA 5500 Series (Adaptive Security Appliances)  | ASA Software 8.4+ | 5505, 5550
ASR 1000 Series Aggregation Services Routers    | IOS XE 2.1+       | 1002
ISR Series Integrated Services Routers          | IOS 12.2+         | 2801, 2911

Juniper
Platform            | OS Family      | Examples
SRX Series Routers  | JunOS 10.2+    | 210, 650
J Series Routers    | JunOS 9.4+     | 4350
ISG Series Routers  | ScreenOS 6.2+  | SX 2
SSG Series Routers  | ScreenOS 6.2+  | 550

Generic VPN devices must support:
• IKE v1
• AES 128, 256
• SHA 1, SHA 2

• Customer-managed private virtual networks within Windows Azure
  - “Bring your own IPv4 addresses”
  - Control over placement of Windows Azure VMs and PaaS roles within the network
  - Stable IPv4 addresses for the VM’s lifetime
• Hosted VPN Gateway that enables site-to-site connectivity
  - Automated provisioning & management
  - Support for existing on-premises VPN devices
• Use on-premises or custom DNS servers (Azure VMs) for name resolution
  - Enables customers to use their on-premises DNS servers for name resolution
  - Enables VMs running in Windows Azure to be joined to on-premises Active Directory corporate domains

Virtual Network Topologies

[Diagram: site-to-site VPN topology; networks 10.0/16 (host 10.0.0.11), 10.1.0.0/16 (subnets 10.1.2.0/24 and 10.1.3.0/24; hosts 10.1.0.4 and 10.1.1.4) and 10.2.0.0/16 (subnets 10.2.2.0/24 and 10.2.3.0/24) joined by S2S VPN tunnels between the public gateway addresses 131.57.23.120 and 65.52.249.22]

[Diagram: APPVNET – Virtual Network (10.1.0.0/16); the VNET provides direct network access between FrontEndSubnet (10.1.1.0/24: IIS servers, Fabrikam-CloudWeb), BackEndSubnet (10.1.2.0/24: SQL AlwaysOn, Fabrikam-CloudData) and DNSSubnet (10.1.3.0/24: Fabrikam-CloudDC); the web tier accesses data in the back end and authenticates against AD; Corp-OnPrem (192.168.1.0/24) hosts the local AD at 192.168.1.6]

• PaaS is faster
  - Reason: There’s less work for developers to do
  - Benefit: Applications can go from idea to availability more quickly
• PaaS is cheaper
  - Reason: There’s less admin and management work to do
  - Benefit: Organisations spend less supporting applications
• PaaS is lower risk
  - Reason: The platform does more, leaving fewer opportunities for error
  - Benefit: Creating and running applications gets more reliable and secure

• Connect Cloud Services via VIPs: easily compose services by connecting via their public endpoints
• Mixed mode, VMs and PaaS roles via VNET: a simple, secure and highly efficient method of using IaaS and PaaS side by side

Connecting via VIPs
Strengths:
• Simplicity
• Tenant/Cloud Service autonomy
• VIP swap (web/worker roles)
• Easy local dev/test
• Easily accessed from other services
Weaknesses:
• Higher latency
• Less secure*
• Management/deployment overhead (endpoints)
[Diagram: Cloud Service 1 (Load Balancer, WA Web Role) sends SQL data access traffic through a public endpoint to Cloud Service 2 (Load Balancer, SQL Server AlwaysOn); the endpoints are secured with ACLs + firewall]

Connecting via VNET
Strengths:
• More secure
• Lower latency
• Advanced connectivity requirements
Weaknesses:
• VNET setup and configuration
• Requires custom DNS for cross-Cloud Service name resolution
[Diagram: Contoso VNet (10.0/8); Cloud Service 1 in FrontEndSubnet (10.0/16) with a Load Balancer and WA Web Role has direct access via the VNET to Cloud Service 2 in SQLSubnet (10.1.0.0/16) with SQL AlwaysOn, and to AD in AD Subnet (10.2.0.0/16)]

[Diagram: APPVNET – Virtual Network (10.1.0.0/16); the VNET provides direct network access between FrontEndSubnet (10.1.1.0/24: WA Web Role, Fabrikam-CloudWeb), BackEndSubnet (10.1.2.0/24: SQL AlwaysOn, Fabrikam-CloudData) and DNSSubnet (10.1.3.0/24: Fabrikam-CloudDC); the web role accesses data in the back end and authenticates against AD; Corp-OnPrem (192.168.1.0/24) hosts the local AD at 192.168.1.6]

[Diagram: deployment workflow; the Network Admin supplies the network configuration and the IT Admin supplies the deployment package; Corp Office; a 10.1.0.0/16 network with subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24 and a VPNGWSubnet; the addresses 131.57.23.45 and GW IP 65.57.23.45 face the Internet; hosts 10.0.0.20 and 10.0.0.21]

DEMO: Virtual Network Walk-Through

Traffic Management

Traffic Manager policies
• Performance: directs the user to the “best”/”closest” deployment. Example: direct the user to the “best” deployment between US South and West Europe.
• Failover: one deployment is primary; traffic is redirected to another deployment if the primary goes down. Example: all traffic is directed to US North; if it goes down, send all traffic to US South.
• Geomapping: allows users from defined geographic locations to be directed to a particular deployment. Example: all users from US -> US North, all users from Asia -> US North, all users from Europe -> West Europe.
• Ratio: sends traffic to different deployments based on a fixed ratio (N/M). Example: direct 20% of user traffic to US South and 80% to US North.

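The four policies as an added Python example, not code from the deck or from Traffic Manager itself: each policy is a function over constructed health flags and latency figures, and the ratio policy hashes a client identifier so a given client always lands on the same deployment, which is an assumed mechanism since the slide only states the N/M split.

```python
import hashlib
from typing import Dict, List, Optional

Health = Dict[str, bool]  # deployment name -> currently reachable?


def performance(latency_ms: Dict[str, int], healthy: Health) -> Optional[str]:
    """Performance: the "best"/"closest" healthy deployment, i.e. the one
    with the lowest measured latency from the user's location."""
    live = [d for d in latency_ms if healthy.get(d, False)]
    return min(live, key=lambda d: latency_ms[d]) if live else None


def failover(priority: List[str], healthy: Health) -> Optional[str]:
    """Failover: the first entry is primary; if it is down, use the next."""
    return next((d for d in priority if healthy.get(d, False)), None)


def geomapping(user_location: str, mapping: Dict[str, str], healthy: Health,
               fallback: List[str]) -> Optional[str]:
    """Geomapping: users from a defined location go to a particular deployment;
    if that deployment is down, fall back to failover order (assumption)."""
    target = mapping.get(user_location)
    if target is not None and healthy.get(target, False):
        return target
    return failover(fallback, healthy)


def ratio(client_id: str, weights: Dict[str, int], healthy: Health) -> Optional[str]:
    """Ratio (N/M): split traffic by fixed weights. The client id is hashed so
    each client lands on the same deployment every time (assumed mechanism)."""
    live = {d: w for d, w in weights.items() if healthy.get(d, False)}
    total = sum(live.values())
    if total == 0:
        return None
    point = int(hashlib.sha256(client_id.encode()).hexdigest(), 16) % total
    for deployment, weight in live.items():
        if point < weight:
            return deployment
        point -= weight


def simulate_ratio(n: int, weights: Dict[str, int], healthy: Health) -> Dict[str, int]:
    """Count where n constructed client ids land, to check the N/M split."""
    counts: Dict[str, int] = {}
    for i in range(n):
        chosen = ratio(f"client-{i}", weights, healthy)
        counts[chosen] = counts.get(chosen, 0) + 1
    return counts
```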
[Diagram sequence: Traffic Manager performance routing for www.contoso.com, which resolves via www-contoso.ctp.trafficmgr.com, across the North America, Europe and Asia Pacific regions; the measured latencies change from slide to slide (130 ms / 240 ms; 30 ms / 20 ms / 40 ms; 120 ms / 20 ms / 40 ms), and the user is sent to the lowest-latency region each time]
