Partner Practice Enablement - Overview This session is focused on networking with Microsoft Azure Infrastructure Services. Learn how to enable, secure and load balance network endpoints. Learn about hybrid connectivity options with Microsoft Azure Virtual Networks as well as distributing traffic globally with Microsoft Azure Traffic Manager. Audience: IT Professionals, Architects Module 1 – Introduction to Microsoft Azure Module 2 – Microsoft Azure Virtual Machines Module 3 – Microsoft Azure Networking Module 4 – Microsoft Azure Active Directory Module 5 - Cloud Services and Web Sites Module 6 - SQL Server and SharePoint Module 7 - Management and Monitoring

CEO & Co-Founder of Opsgility, Experts in Instructor-Led Microsoft Azure Training. Prior to starting Opsgility Michael was a Principal Cloud Architect with a leading Solution Integrator and a fifteen year Microsoft veteran. While at Microsoft Michael's roles included being a Senior Program Manager on the Microsoft Azure Runtime team and a Senior Technical Evangelist for Microsoft Azure Infrastructure Services. Michael was the original developer of the Microsoft Azure PowerShell Cmdlets and is a globally recognized speaker for conferences such as TechEd and BUILD. About the Instructor Michael Washam Microsoft Azure Trainer

Microsoft Azure Networking

Agenda Endpoints Virtual Networks Point to Site Site to Site ExpressRoute Traffic Manager

Endpoints

Overview: Connectivity in Azure VIP: Input Endpoint Input Endpoint cloudservice.cloudapp.net  VIP Public Virtual IP Address (VIP) Internal IP Address(s) Internal IP Address

Reserved IP Addresses Reserved IP Addresses for Cloud Service IPs Persistent external IP address even if all virtual machines are stopped or deleted. Set via the Azure PowerShell Cmdlets New-AzureReservedIP -ReservedIPName "myIP" ` -Location "West US" New-AzureVM -ReservedIPName "myIP"...

Port Forwarding Input Endpoints Single Public IP Per Cloud Service Multiple VMs cannot share the same public port

Per Virtual Machine Public IP Addresses Each virtual machine can be assigned a public IP address IP is not load balanced or behind firewall Not available in all regions New-AzureVMConfig -Name "vm1"... | Add-AzureProvisioningConfig -Windows... | Set-AzurePublicIP -PublicIPName "vm1ip" | New-AzureVM...

DEMO Default Networking Configuration

Using the External Load Balancer Single Public IP Per Cloud Service Multiple VMs can share the same public port

TCP Health Probe

Health probe every 15 seconds HTTP 200 means healthy Traffic stops until 200 received (two failures) Continues polling until healthy Allows deeper inspection into the health of a web application via custom code. HTTP Health Probe

Load Balancer: Custom Health Probe

LAB 3 Load Balancer

Public Endpoint Access Control Lists Tighten security with public Access Control Lists

Configuring ACLs Rule Configuration Specify Remote Subnet(s) Permit or Deny and Rule Processing Order Description for each Rule Configuration Portal or PowerShell

LAB 4 Access Control Lists

Virtual Networks

Virtual Network Logical isolation with control over the network Create subnets; use your private IP addresses Support for Static IP addresses Support for Internal Load Balancing DNS options – BYO or Microsoft Azure-provided Extend your trust boundary – VMs and Cloud Services on the same Network Virtual Network subnetXsubnetY subnetZ DNS Server

Bring Your Own DNS Specify DNS Servers in the Virtual Network Hosted in an Azure VM External On-Premises (with hybrid connection) VMs are assigned specified DNS at boot. TIP: if DNS is added after a virtual machine is running a reboot is required for assignment.

Internal Load Balancing with Virtual Networks Virtual Network Address Space: /16 On Premises /16 Active Directory Replication Access on-premises resources Access intranet over hybrid connection Map to: Set Internal Load Balancer IP New-AzureInternalLoadBalancerConfig Hybrid Connection

Static IP Addresses Use Static IP addresses to request a specific IP address be assigned to the virtual machine. Addresses available from assigned virtual network subnet. Will fail if another virtual machine has already been assigned the IP. Deploy Virtual Machines with Static IP addresses into their own subnets to avoid conflict with other virtual machines. Set via PowerShell (Set-AzureStaticVNetIP)

Microsoft Azure Hybrid Options CustomerDescription

Comparing Hybrid Options BandwidthSecurityManagementWorkloads ExpressRoute 10 Mbps – 10 Gbps Committed Bandwidth Private isolated network between provider and Azure. Control over routing and traffic. Configure once, simple to add new virtual networks Enterprise Connectivity Mission Critical Disaster Recovery Hybrid Applications Site-to-Site 80 Mbps No performance commitment Encrypted tunnel over the Internet Configuration of IPSEC VPN device for each Virtual Network Created Hybrid Applications Dev/Test Secure Management Point-to-Site 80 Mbps No performance commitment Encrypted tunnel over the Internet Configuration with each individual client machine. Dev/Test Secure Management CAPABILITIES

Hardware VPN or Windows RRAS Virtual Network WFEApp VPN Gateway Extend on-premises to the cloud securely (IPSec) On-ramp for migrating services to the cloud Use on-prem resources in Microsoft Azure (monitoring, AD, etc.) IPSec (IKEv1 and IKEv2) SQL DC/DNS Site-to-Site Virtual Network

Regional Virtual Networks Connect Virtual Networks Across Azure Regions or Subscriptions West US East US INTERNET IPSEC

Multi-Site Virtual Networks Secure IPSEC

Virtual Networks & P2S Connectivity Connect from anywhere securely Secure Sockets Tunneling Protocol (SSTP) Easy to setup and use Ideal for prototyping, dev, & demos P2S and S2S coexist Virtual Network WFEApp VPN Gateway SQL DC/DNS

LAB 5 POINT TO SITE

Virtual Network Device Options Generic VPN devices must support: IKE v1, v2 AES 128, 256 SHA1, SHA2

Creating a Virtual Network Always plan and create the virtual network first VMs are provisioned into a virtual network (cannot easily move an existing virtual machine to a VNET) Virtual Network configuration file Import/Export from the management portal – use as a template Applies to all VNETs in the selected subscription Create via Microsoft Azure management portal Create via PowerShell get-help azurevnet

Gateway redundancy and availability Gateway roles in Microsoft Azure has 2 instances (active-passive mode) A pair of VPN devices can be a redundant (i.e. F5 Big IP) and the RRAS service on Windows Server is supported in a clustered configuration.

Pricing and SLA $0.05/hour (~$37/month) Standard data transfer rates apply 99.9% Virtual Network gateway availability

Video Site-to-Site Virtual Networks

ExpressRoute

What is ExpressRoute? ExpressRoute provides organizations a private, dedicated, high-throughput network connection between Microsoft Azure datacenters and their on-premises IT environment.

ExpressRoute Providers WAN

Network Service Providers High Performance and Predictable Exchange Providers Monthly fee with included outbound data transfer. Unlimited inbound data transfer included Monthly dual-port fee. Unlimited data transfer (in and out) included

Enable mission critical workloads

Security and Privacy Direct connect to your infrastructure hosted in Microsoft Azure by passing the public Internet Direct connect to Microsoft Azure Services such as SQL Database and Microsoft Azure Storage Azure Edge Connectivity Provider Infrastructure ExpressRoute Circuit Dedicated and Private Traffic to Microsoft Azure Public Services Traffic to Microsoft Azure Virtual Networks Microsoft Azure Compute PUBLIC INTERNET

Public and Private peering Provider Infrastructure Direct internet traffic Cross Premises Internet bound Azure service access PUBLIC INTERNET

Public Services (West US) Virtual Network (West US) Public Peering Private Peering Express Route Circuit Isolated VLANs Microsoft Azure Private Network Virtual Network (East US) Public Services (East US) Traffic to on-premises Cross Region Connectivity

ExpressRoute and Disaster Recovery Active Directory SharePoint WEB Equinix – Silicon Valley Active Directory SharePoint App F5 BIG IP Load Balancer SharePoint App SQL Witness SQL Primary SharePoint WEB SQL Always On AVSET: SPWEB AVSET: SPAPP SQL Replica AVSET: AD ExpressRoute Circuit (1Gps) Sync Commit for Auto-Failover Domain Controller Microsoft Azure - West US

Deploying Globally with Traffic Manager

Traffic Manager – DNS Based Load Balancer Three Load Balancing Algorithms Performance, Round Robin, Fail Over Map your domain name to yourservice.trafficmanager.net with CNAME contoso.com -> contosotm.trafficmanager.net Map cloud service URLs in global data centers to Traffic Manager Profile. contosoeast.cloudapp.net contosowest.cloudapp.net Built in HTTP Health Probes for High Availability

Performance Traffic Manager determines fastest route for the client and returns IP for the appropriate cloud service.

Round Robin Traffic Manager returns IPs in a round robin fashion regardless of client location.

Failover Traffic Manager always returns the IP address of the primary cloud service unless it fails a health check. X

DEMO Microsoft Azure Traffic Manager

Summary Endpoints Virtual Networks Point to Site Site to Site ExpressRoute Traffic Manager

Coming Up Next... Microsoft Azure Active Directory

Thank You