Mastering Azure Connectivity to the Microsoft Cloud Day One - Session 2 of 4
Agenda Outline Time Duration Topic 09:00 30 mins Intro and Overview 09:30 SDN, Virtual Network, and Azure Network Overview 10:00 RDFE / ARM Overview 10:30 15 mins Break 10:45 45 mins VNet Deep Dive 11:30 Hybrid Network Overview 12:00 90 mins Lunch 13:30 75 mins ExpressRoute Deep Dive 14:45 15:00 60 mins ExpressRoute Demo’s and Q&A 16:00 Roadmap and Futures
VNet Deep Dive
Azure Virtual Network Bring your own network Internet Bring your own network Logical isolation with control over network Create subnets with your private or public IP address spaces Bring your own DNS or use Azure-provided DNS Secure VMs with Network Security Groups Run highly available internal services behind internal load balancer Direct Internet Connectivity Virtual Network Azure Infra Network Security Group DNS WEB SERVER AD FE Subnet Azure Internal LB APP SERVERS DB SERVERS BE Subnet
How Does Isolation Work? 10/22/2017 8:31 AM How Does Isolation Work? The fabric manages the controller The controller provides policy to the switch The switch encapsulates the traffic Each tunnel has a unique key per VNet Policy ensures only proper packets get to the proper Azure resource (VM) For new flows, and periodically thereafter, in or out of a virtual switch, the switch checks with the controller to allow or deny the flow. © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
VNet Deep Dive “Address Prefixes” Microsoft Ignite 2015 10/22/2017 8:31 AM VNet Deep Dive “Address Prefixes” CIDR Notation for the address range you want to use. Example: 192.168.0.1 – 192.168.0.254 = 192.168.0.0/24 Look up CIDR on Wikipedia for more info (“CIDR Calc” is a really helpful Windows Phone App) "resources": [ { "apiVersion": "[variables('apiVersion')]", "type": "Microsoft.Network/virtualNetworks", "name": "[parameters('vnetName')]", "location": "[parameters('location')]", "properties": { "addressSpace": { "addressPrefixes": [ "[parameters('vnetAddressPrefix')]" ] }, "subnets": [ "name": "[parameters('subnet1Name')]", "addressPrefix": "[parameters('subnet1Prefix')]" } "name": "[parameters('subnet2Name')]", "addressPrefix": "[parameters('subnet2Prefix')]" } } ] } } ] CIDR = Classless Inter-Domain Routing © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Using Security to expose network features
What is a DMZ? Allow access to internet facing resources 10/22/2017 8:31 AM What is a DMZ? Allow access to internet facing resources Protects backend networks Inspection and auditing throughout Security policy at/in each layer The key to a good DMZ are the devices, policies, and controls at each boundary © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Visualizing a Corporate DMZ 10/22/2017 8:31 AM Visualizing a Corporate DMZ © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Native Azure security features 10/22/2017 8:31 AM Native Azure security features Network Isolation Network Security Groups User Defined Routing Network Virtual Appliance Combine these features to meet your exact security requirements! © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Visualizing the security layers 10/22/2017 8:31 AM Visualizing the security layers © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Visualizing the Azure DMZ 10/22/2017 8:31 AM Visualizing the Azure DMZ © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Modeling security techniques 10/22/2017 8:31 AM Modeling security techniques © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Modeling security techniques 10/22/2017 8:31 AM Modeling security techniques © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
NSG code walkthrough # Create the NSG New-AzureNetworkSecurityGroup -Name $NSGName -Location $DeploymentLocation ` -Label "Security group for $VNetName subnets in $DeploymentLocation" # Add NSG Rule to Deny Inbound Internet Traffic Get-AzureNetworkSecurityGroup -Name $NSGName | ` Set-AzureNetworkSecurityRule -Name "Isolate the $VNetName VNet from the Internet" ` -Type Inbound -Priority 100 -Action Deny ` -SourceAddressPrefix INTERNET -SourcePortRange '*' ` -DestinationAddressPrefix VIRTUAL_NETWORK -DestinationPortRange '*' ` -Protocol * # Bind the NSG to a Subnet Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName -SubnetName $FESubnet ` -VirtualNetworkName $VNetName Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName -SubnetName $BESubnet `
UDR code walkthrough # Create Route Table New-AzureRouteTable -Name $BERouteTableName -Location $DeploymentLocation ` -Label "Route table for $BESubnet subnet" # Add Routes to Route Table Get-AzureRouteTable $BERouteTableName | ` Set-AzureRoute -RouteName "All traffic to FW" -AddressPrefix “0.0.0.0/0” ` -NextHopType VirtualAppliance -NextHopIpAddress “10.0.0.4” # Associate the Route Tables with the Subnets Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName ` -SubnetName $BESubnet ` -RouteTableName $BERouteTableName
Connecting a hybrid network 10/22/2017 8:31 AM Connecting a hybrid network © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Hybrid Connectivity
Connectivity options and hybrid offerings Azure Customer Segment and workloads Internet connectivity Consumers Access over public IP DNS resolution Connect from anywhere Secure point-to-site VPN connectivity Developers POC Efforts Small scale deployments Connect from anywhere Secure site-to-site VPN connectivity SMB & Enterprises Connect to Azure compute ExpressRoute private connectivity SMB & Enterprises Mission critical workloads Backup/DR, media, HPC Connect to all Azure services
Hybrid Options Point-to-Site Site-to-Site ExpressRoute Microsoft Ignite 2015 10/22/2017 8:31 AM Hybrid Options Point-to-Site Site-to-Site ExpressRoute Azure Supported Services Cloud Services and Virtual Machines Services list Typical Bandwidths Typically < 100 Mbps aggregate Typically < 200 Mbps aggregate 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps Protocols Supported Secure Sockets Tunneling Protocol (SSTP) Ipsec Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS,...) Routing Route-based (dynamic) We support policy-based (static routing) and route-based (dynamic routing VPN) BGP Connection resiliency active-passive active-passive, active-active active-active Typical use case Prototyping, dev / test / lab scenarios for cloud services and virtual machines Dev / test / lab scenarios and small scale production workloads for cloud services and virtual machines Access to all Azure service (validated list), Enterprise-class and mission critical workloads, Backup, Big Data, Azure as a DR site Technical Documentation VPN Gateway Documentation ExpressRoute Documentation **FAQ ** VPN Gateway FAQ ExpressRoute FAQ © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2016 Microsoft Corporation. All rights reserved © 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.