Microsoft Azure networking: Sve što trebate znati 10/25/2017 4:11 PM Microsoft Azure networking: Sve što trebate znati Mustafa Toroman Senior System Engineer@Authority Partners © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10/25/2017 4:11 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10/25/2017 4:11 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Azure networking: Sve što trebate znati 10/25/2017 4:11 PM Microsoft Azure networking: Sve što trebate znati Mustafa Toroman Senior System Engineer © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Senior System Engineer MVP Microsoft Azure @Authority Partners MCP,MCSE,MCITP, MCSD, MCT, MS v-TSP

The Big (Network) Picture Build 2012 10/25/2017 Virtual Network “Bring Your Own Network” Segment with subnets and security groups Control traffic flow with User Defined Routes The Big (Network) Picture Azure Virtual Network Users Internet Front-End Access Dynamic/Reserved Public IP addresses Direct VM access, ACLs for security Load balancing DNS services: hosting, traffic management DDoS protection Backend Connectivity Point-to-site for dev / test VPN Gateways for secure site- to-site connectivity ExpressRoute for private enterprise grade connectivity Backend Connectivity ExpressRoute VPN Gateways © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

DNS Services DNS Azure DNS Traffic Manager Host your DNS domains in Azure Integrate your Web and Domain hosting Globally route user traffic with flexible policies Enable best-of-class end to end user experience

Azure DNS Global footprint 10/25/2017 Azure DNS Global footprint Global footprint of DNS servers Anycast fast query performance Ultra-available © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Traffic Manager Traffic Management Policies www.contoso.com 10/25/2017 4:11 PM Traffic Manager Traffic Management Policies Latency – Direct to “closest” service Round Robin – Distribute across all services Failover – Direct to “backup” if primary fails Nested – Flexible multi-level policies www.contoso.com © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Internet IP Addresses & Load Balancing 10/25/2017 Internet IP Addresses & Load Balancing Public IP Addresses in Azure Can be used for instance (VM) level access or load balancing Instance-level IP Internet IP assigned exclusively to a single VM Entire port range is accessible by default Primarily for targeting a specific VM Load balanced IP (VIP) Internet IP load balanced among one or more VM instances Allows port redirection Primarily for load balanced, highly available, or auto-scale scenarios Internet 151.2.3.4 (VIP) LB 131.3.3.3 (Instance-level IP) 131.3.4.4 (Instance-level IP) VM1 VM2 IP1 Microsoft Azure IP2 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Reserved IPs Retain your IP addresses Microsoft Ignite 2015 10/25/2017 4:11 PM Reserved IPs Internet Retain your IP addresses IPs on existing services can be reserved IPs can be moved between services in seconds Reserved IP Azure Load Balancer Reserved IP Moves Cloud Service 1 Cloud Service 2 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Webrole.0.contoso.cloudapp.net 130.26.10.80 DNS Names for Public IP Internet FQDN access to a virtual machine Available for virtual machines and web/worker roles Automatic DNS registration/de- registration during scale-up, scale-down Webrole.1.contoso.cloudapp.net 130.26.5.120 Webrole.0.contoso.cloudapp.net 130.26.10.80 Contoso App with 2 virtual machines VM Instance 1 VM Instance 2

Virtual Network Azure Bring your own network On Premises 10.0/16 Bring your own network Create subnets with your private or public IP addresses Bring your own DNS or use Azure-provided DNS Secure with Network Security Group ACLs Control traffic flow with User Defined Routes Internet VPN & ExpressRoute Direct Internet Connectivity Azure VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 AD / DNS Virtual Network

User Defined Routes Internet Control traffic flow in your network with custom routes Attach route tables to subnets Specify next hop for any address prefix Set default route to force tunnel all traffic to on-premises or appliance Virtual Network VM with “IP Forwarding” System Route FrontEnd Subnet BackEnd Subnet Default Route System Route VM/Appliance User Defined Route

Multiple NICs in Azure VMs Up to 16 NICs per VM NSG and Routes on all NICs Can separate frontend, backend, and management Virtual Machine NIC2 NIC1 Default 10.3.3.33 10.2.2.22 10.1.1.11 Virtual Network VIP 133.44.55.66 Internet Backend Subnet Mgmt Subnet Frontend Subnet

Layered Security, Protection, and Isolation Cloud Services & Virtual Machines Virtual Network Isolation Internet VM Firewall DDoS Protection NSG ACLs

Network Security Groups Segment network to meet security needs Can protect Internet and internal traffic Enables DMZ subnets Associated to subnets/VMs and now NICs ACLs can be updated independent of VMs On Premises 10.0/16 Internet ExpressRoute and VPNs √ √ √ √ VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 Virtual Network

Network Virtual Appliances 10/25/2017 Network Virtual Appliances Overview VMs that perform specific network functions Focus: Security (Firewall, IDS , IPS), Router/VPN, ADC (Application Delivery Controller), WAN Optimization Typically Linux or FreeBSD-based platforms Scenarios IT Policy & Compliance – Consistency between on premises & Azure Supplement/complement Azure capabilities Azure Marketplace Available through Azure Certified Program to ensure quality and simplify deployment You can also bring your own appliance and license © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Virtual Appliances - Firewalls, IDS/IPS, VPNs Secure your virtual networks in Azure Internet Azure Virtual Network DMZ Cross-premises connectivity IDS IPS

Scenario – Application Delivery Controller Frontend load balancing and delivery control Applications Virtual Network ADC & Load Balancer Internet Web Farms

Network Virtual Appliance Ecosystem Build 2012 10/25/2017 Network Virtual Appliance Ecosystem © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Cross premises connectivity

Connectivity Options and Hybrid Offerings Cloud Customer Segment and workloads Internet Connectivity Consumers Access over public IP DNS resolution Connect from anywhere Secure point-to-site connectivity Developers POC Efforts Small scale deployments Connect from anywhere Secure site-to-site VPN connectivity SMB, Enterprises Connect to Azure compute ExpressRoute private connectivity SMB & Enterprises Mission critical workloads Backup/DR, media, HPC Connect to Microsoft services

On-premises VPN Ecosystem Build 2012 10/25/2017 On-premises VPN Ecosystem © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Connectivity choices: Internet or Private Branch Office 2 Cloud on your WAN Traffic flows directly from customer WAN to Microsoft Reduces complexity Lower latency, higher bandwidth and higher availability Microsoft WAN Corp HQ Branch office 1 Branch office 2 Public internet Microsoft WAN Branch office 1 Public internet Corp HQ IPsec VPN over Internet Encrypted data traverses Internet to reach Azure Limited bandwidth and higher availability

ExpressRoute Predictable performance Security High throughput Microsoft WAN Corp HQ Branch office 1 Branch office 2 Public internet Predictable performance Security High throughput Lower cost ExpressRoute provides a private, dedicated, high-throughput network connection to Microsoft

ExpressRoute Partners 10/25/2017 ExpressRoute Partners Exchange Provider Network Service Provider Exchange Public internet Customer site Microsoft Customer site 1 Customer site 2 Customer site 3 WAN © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

VPN Gateways for Virtual Network NEW VPN Gateways for Virtual Network ExpressRoute gateway or VPN gateway needed to access a virtual network Introducing a new Standard Gateway Supports ExpressRoute and VPN coexistence Improved throughput for ExpressRoute Virtual Network Gateway SKU ExpressRoute GW Throughput VPN GW ExpressRoute Coexistence VPN GW Throughput VPN GW Max IPsec Tunnels Cost (USD) / Hour Basic 500 Mbps No 100 Mbps 10 $0.04 Standard 1000 Mbps Yes $0.19 Performance 2000 Mbps 200 Mbps 30 $0.49 Note that ExpressRoute traffic for Azure public services, O365, and Skype for Business does NOT go through a Virtual Network gateway

Network Resource Provider NEW Network Resource Provider New REST API surface Loosely coupled network resource model Fine grained access/control of networking resource RBAC of networking resources Support for logging and tagging Highly performant & scalable Regional resiliency Imperative and declarative management style

Click To Deploy in Cloud NEW Click To Deploy in Cloud Readily available templates to Click and Deploy from GitHub Rapidly customize and automate your build & deployment Versatile management interfaces REST API PowerShell Azure CLI SDK(.NET, Node.JS, Java) Azure Portal

10/25/2017 4:11 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.