Microsoft Build 2016 11/13/2018 2:15 AM © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Building Network Aware Applications Narayan Annamalai, Stephen Malone Program Managers, Azure Networking

Goals As an application developer how can you leverage the power software defined hyper scale network that Microsoft Azure provides.

Agenda Why should you care about Networking? Building Blocks Scale Isolated private Network Network Interface Card IP Addresses Scale High Availability Security Containers

Networking – Why should developers care? Build 2014 11/13/2018 Networking – Why should developers care? Proprietary Hardware Appliance Intelligent Control Plane App Host VMs SmartNIC Controller Azure API Management Running Across Commodity Data DevOps You own the E2E solutions including infrastructure! The hidden costs of physical hardware Lost weeks and $$$ due to hardware delivery/config lead times Specialist per-device or per-vendor expertise required Software Defined Networking (SDN) becoming the new norm Programmable networks using standardized interfaces Create, configure and deploy network solutions in minutes Consistent troubleshooting across device types Deliver projects faster and cheaper Deliver predictability and repeatability © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

The Big (Network) Picture 11/13/2018 Virtual Network “Bring Your Own Network” Segmentation with Subnets Full control with Routes and Security groups The Big (Network) Picture Azure Virtual Network Users Internet Front-End Access Reserved Public IPs ACLs for security Load balancing DNS services DDoS protection Backend Connectivity Point-to-site for dev / test VPN Gateways for secure site-to-site connectivity ExpressRoute for private enterprise grade connectivity Backend Connectivity ExpressRoute VPN Gateways © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Resource Manager (ARM) 101 Build 2014 11/13/2018 Azure Resource Manager (ARM) 101 Azure components as Resources through Resource Providers (RP) and REST APIs Orchestrates changes across Azure Resource Providers Imperatively manage disparate resources using consistent REST APIs and experiences (portal, PowerShell, Azure CLI) Resource Providers © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Managing ARM and Core RP Resources

Build complete apps in minutes with templates Zookeeper

Demo Microsoft Build 2016 11/13/2018 2:15 AM © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

ARM – regional management, regional resilience North Central US Illinois North Europe Ireland West Europe Netherlands Canada Central Toronto Central US Iowa Canada East Quebec City China North * Beijing US Gov Iowa Japan East Saitama China South * Shanghai West US California East US Virginia Japan West Osaka India Central Pune East US 2 Virginia South Central US Texas India West Mumbai US Gov Virginia India South Chennai East Asia Hong Kong SE Asia Singapore Australia East New South Wales Brazil South Sao Paulo Australia South East Victoria Operational Announced/Not Operational * Operated by 21Vianet

Virtual Private Network (VNet) Microsoft Azure Microsoft Azure Virtual Networks VNet - Isolated section of the public cloud Can connect to Internet, on-premises, other Deployment in Azure based on policies 10.1/16 10.1/16 Internet ISP/MPLS QoS Secure Tunnel L3 Tunnel

Network Interface Card NIC is the network connection to the VM Every VM gets a default NIC NICs can be programmed independent of the VM Up to 8 NICs per VM Can separate frontend, backend, and management Virtual Machine NIC2 NIC1 Default 10.3.3.33 10.2.2.22 10.1.1.11 Virtual Network VIP 133.44.55.66 Internet Backend Subnet Mgmt Subnet Frontend Subnet

Internet IP Addresses & Load Balancing 11/13/2018 Internet IP Addresses & Load Balancing Public IP Addresses in Azure Can be used for instance (VM) level access or load balancing Instance-level IP Internet IP assigned exclusively to a single VM Entire port range is accessible by default Primarily for targeting a specific VM Load balanced IP (VIP) Internet IP load balanced among one or more VM instances Allows port redirection Primarily for load balanced, highly available, or auto-scale scenarios Internet 151.2.3.4 (VIP) LB 131.3.3.3 (Instance-level IP) 131.3.4.4 (Instance-level IP) VM1 VM2 IP1 Microsoft Azure IP2 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Multiple Load-balanced IPs Microsoft Ignite 2015 11/13/2018 2:15 AM Multiple Load-balanced IPs Common use case: multiple SSL end points Across one or more VMs 443 443 SSL Website 1 IP1 A Z U R E L B 444 Internet 443 SSL Website 2 IP2 443 445 SSL Website 3 IP3 446 SSL Website 4 443 IP4 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Reserved IPs Retain your IP addresses Microsoft Ignite 2015 11/13/2018 2:15 AM Reserved IPs Internet Retain your IP addresses IPs on existing services can be reserved IPs can be moved between services in seconds Reserved IP Azure Load Balancer Reserved IP Moves Service 1 Service 2 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Demo Microsoft Build 2016 11/13/2018 2:15 AM © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Scale, Availability, Security – Leverage Azure SDN

Typical application pattern Internet Web Availability Performance Security Monitoring Database Diagnostics Scale Policies Manageability

Software defined Datacenter 11/13/2018 Software defined Datacenter Users Independently scalable Management, Control and Data plane All controlled through software Elastic resources configured by controllers SDN at the host Management API Regional Controllers NW CMP STG Regional Controllers NW CMP STG Distributed Computing VM HA SDN VM HA SDN © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Worldwide Partner Conference 2015 11/13/2018 2:15 AM Subsea Azure Fiber Infrastructure Subsea Subsea, Terrestrial, Metro Microsoft owned / managed -- SDN Stretch globally to the eyeballs Software managed Self Healing L3/Global Crossing Terrestrial Azure (Logical) SDN WAN © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Networking Inside the Datacenters Row Spine T2-2-1 T2-2-2 T2-2-4 Data Center Spine T1-1 T1-8 T1-7 … T1-2 Regional Spine Rack T0-1 T0-2 T0-20 Servers Scale-out, active-active

What’s in it for you Global presence Availability set – lowest latency Dedicated private network connecting the globe Optimized path from Internet Availability set – lowest latency

Availability

Global – Traffic Manager 11/13/2018 2:15 AM Global – Traffic Manager Routing Policies Performance – Direct to “closest” service Round Robin – Distribute across all services Failover – Direct to “backup” if primary fails Nested Profiles Flexible multi-level policies www.contoso.com © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Layer7 – Application Gateway 11/13/2018 Layer7 – Application Gateway HTTP load-balancing SSL Offload Cookie-based session affinity Azure © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Layer4 – Software Load balancer 11/13/2018 Layer4 – Software Load balancer High performance, scalable Network load balancer Muti tenant, native NAT and load balancing Hash based distribution method, 5/3/2 tuple Azure © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

HA and Scale for Enterprise Apps 11/13/2018 HA and Scale for Enterprise Apps Internet Azure © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Security

Network Security Groups Segment network to meet security needs 5 tuple ACLs on both directions Can protect Internet and internal traffic Enables DMZ subnets Associated to subnets/VMs and now NICs ACLs can be updated independent of VMs On Premises 10.0/16 Internet ExpressRoute and VPNs √ √ √ √ VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 Virtual Network

Service chaining – Network Appliances 11/13/2018 Internet Introduce hops in the traffic flow by controlling routing Filter traffic using IDS/IPS appliances Tip: NVA should be deployed in a separate subnet from originating traffic. Deploying in the same subnet will cause an infinite loop . IDS/IPS 10.0.0.4 Security Subnet (10.0.0.0/24) Route Table: NextHop 10.0.0.4 NSG NSG Route Table: NextHop 10.0.0.4 Frontend Subnet (10.0.1.0/24) Backend Subnet (10.0.2.0/24) VIRTUAL NETWORK (10.0.0.0/16) © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Layered Security, Protection, and Isolation Cloud Services & Virtual Machines Virtual Network Isolation Internet VM Firewall DDoS Protection NSG ACLs

Demo NSG

Networking for Containers

Container Networking - Today Microsoft Build 2016 11/13/2018 2:15 AM Container Networking - Today VIRTUAL NETWORK Azure provides VM to VM communication within Vnet Containers inside a VM can talk to each other – BRIDGE Inter-Container communication is through VM IP Overlay, Port-remaps Port-remap: Two services cannot expose the same port Overlay: adds overhead Azure VM C Bridge Azure VM C Bridge IP1 IP2 Inter-VM Communication © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

IP Per Container Multiple Ips on the NIC VIRTUAL NETWORK Multiple Ips on the NIC Each IP assigned to a container Enables direct container to container communication All ports can be used No overhead, most efficient DNS resolution for containers Extend Azure SDN to Containers Azure VM Azure VM C C C C IP2 IP100 IP102 IP200 NIC1 – supports IP1 to IP100 NIC2 – supports IP101 to IP200 NIC1 NIC2 IP2:3000  IP102:80 Direct Communication is possible

Demo – Container Networking

Summary

Virtual Private Cloud in Azure 11/13/2018 Internet On Premise VIRTUAL NETWORK Azure LB DMZ Database Subnet NFV WAF NSG NSG Frontend Subnet UDR ExpressRoute or S2S VPN NSG UDR Azure ILB App Subnet SDN © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Follow-up https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/ https://azure.microsoft.com/en-us/services/virtual-network/ Re-visit Build on Channel 9. Continue your education at Microsoft Virtual Academy online.

Please Complete An Evaluation Form Your input is important! 11/13/2018 Please Complete An Evaluation Form Your input is important! or © 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.