1
Microsoft Ignite 2016 | 12/19/2017 5:07 PM
Gain insight into real-world usage of the Microsoft cloud using Azure ExpressRoute (INF332)
Bala Natarajan, Senior PM, Azure CAT
Balaji Navaneethan, Senior PFE
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Agenda
- Azure networking features overview
- Enterprise reference architecture
- Hybrid connectivity: ExpressRoute
- Learnings from large customer deployments
- Real customer scenario #1
- Real customer scenario #2
- End-to-end Azure networking demo
3
Azure Networking Features Overview
4
Enterprise requirements for Azure
Business requirements:
- Central IT offers services to departments
- Departments use their own subscriptions
- Departments own and deploy their applications but consume shared services from central IT
Security requirements:
- Inspection of incoming and outgoing traffic
- Allow or block Internet access
High availability requirements:
- Global connectivity options
- Redundant paths in case of link failure
- Connectivity to Azure PaaS and Office 365
5
Enterprise Reference Architecture
- vNet: hub and spokes
- Hybrid connectivity: S2S VPN, ExpressRoute
- Security controls: NSG, network virtual appliance (NVA), department isolation, traffic inspection (NVA / UDR)
6
Enterprise Reference Architecture
Security controls (2):
- Force tunneling / split tunneling
- Accessing Azure PaaS and Office 365
High availability:
- ER and S2S VPN coexistence
- Using both ER links
- Additional ER circuits
- Geo-connectivity considerations
- Managing routing
7
Enterprise Reference Architecture
Accessing Azure PaaS:
- NAT
- Public or private IP? ASN?
- Address prefixes (link to XML file)
- BGP communities (location-based)
Accessing Office 365:
- Approval required
- Public IP and ASN
- Route symmetry
- Address prefixes (link to XML file)
- BGP communities (service-based)
9
VNet peering
VNet-to-VNet connection option:
- Private connectivity from VM to VM in different VNets
- Latency and throughput on par with a single VNet
Diagram: two /16 VNets in one Azure region, connected by peering instead of an IPsec VPN tunnel.
10
VNet Peering: hub and spoke
- Full-mesh direct connectivity
- High bandwidth, low latency
- Cross-subscription
- Hub-and-spoke configuration
12
Network Security Groups
- Segment the network to meet security needs
- 5-tuple ACLs (source and destination address, source and destination port, protocol) in both directions
- Can protect Internet-facing and internal traffic
- Enables DMZ subnets
- Associated with subnets, VMs and now NICs
- ACLs can be updated independently of the VMs
Diagram: Internet and a VPN GW in front of a three-tier virtual network with an NSG on each tier: Frontend 10.1/16, Mid-tier 10.2/16, Backend 10.3/16.
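The slide lists what an NSG is, but not how a flow is actually decided. The following is an added example, not code from the deck or from Azure: a small model of NSG evaluation for the three tiers in the diagram, using the platform rules that are always appended to an NSG (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound and their outbound counterparts). Rule names, the 10.0.0.0/8 VirtualNetwork space and the sample flows are constructed for illustration; only the priority ordering, first-match semantics, the meaning of the Internet tag and the 168.63.129.16 load-balancer probe address are taken from the platform.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags as prefix lists.  The VirtualNetwork tag is assumed to be the
# 10.0.0.0/8 space that the slide's three /16 tiers live in; the load balancer
# probe source is Azure's well-known 168.63.129.16.
TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules 100-4096; the lowest number is evaluated first
    direction: str  # "Inbound" or "Outbound"
    src: str        # CIDR prefix, service tag or "*"
    dst: str
    dport: str      # "*", "443" or a range such as "1000-2000"
    proto: str      # "Tcp", "Udp" or "*"
    action: str     # "Allow" or "Deny"


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    a = ip_address(addr)
    vnet = [ip_network(p) for p in TAGS["VirtualNetwork"]]
    if spec == "Internet":
        # Azure's Internet tag means "outside the virtual network address space".
        return not any(a in n for n in vnet)
    return any(a in ip_network(p) for p in TAGS.get(spec, [spec]))


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Platform default rules; every NSG ends with these, whatever you configure.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
]


def evaluate(rules, direction, src, dst, dport, proto):
    """First rule that matches the 5-tuple, in ascending priority order, decides."""
    ordered = sorted((r for r in list(rules) + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)
                and _port_matches(r.dport, dport)
                and (r.proto == "*" or r.proto.lower() == proto.lower())):
            return r.action, r.name
    return "Deny", "(no rule)"  # unreachable: DenyAll* always matches


# Constructed rule sets for the slide's tiers (not a real customer's NSGs).
FRONTEND_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Internet", "10.1.0.0/16", "443", "Tcp", "Allow"),
]
BACKEND_NSG = [
    Rule("AllowSqlFromMidTier", 100, "Inbound", "10.2.0.0/16", "10.3.0.0/16", "1433", "Tcp", "Allow"),
    # Overrides AllowVnetInBound (65000): the frontend may not reach the backend directly.
    Rule("DenyVnetToBackend", 200, "Inbound", "VirtualNetwork", "10.3.0.0/16", "*", "*", "Deny"),
]


if __name__ == "__main__":
    flows = [
        (FRONTEND_NSG, "Inbound", "203.0.113.7", "10.1.0.4", 443, "Tcp"),
        (FRONTEND_NSG, "Inbound", "203.0.113.7", "10.1.0.4", 3389, "Tcp"),
        (BACKEND_NSG, "Inbound", "10.2.0.5", "10.3.0.10", 1433, "Tcp"),
        (BACKEND_NSG, "Inbound", "10.1.0.4", "10.3.0.10", 1433, "Tcp"),
        (BACKEND_NSG, "Inbound", "168.63.129.16", "10.3.0.10", 1433, "Tcp"),
    ]
    for nsg, *flow in flows:
        print(flow, "->", evaluate(nsg, *flow))
```

Two things worth noticing in the output: a custom Deny at priority 200 silently overrides the implicit AllowVnetInBound, which is what isolates the tiers, and the load-balancer probe from 168.63.129.16 still gets through because it is not part of the VirtualNetwork tag and hits the 65001 default rule.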
13
Securing Internet-Bound Traffic
- Force Internet-bound traffic to an on-premises site so that Internet traffic can be audited and inspected
- Set the default site on the Azure VPN gateway, or advertise a default route via BGP
Diagram: Internet-bound traffic from the Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets is forced-tunneled through the VPN GW over S2S VPN to the on-premises default site, which reaches the Internet; on-premises Site2 and Site3 are connected by additional S2S VPNs.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
14
Application Gateway: Layer 7 ADC Features
Security:
- SSL termination
- Allow/block SSL protocol versions
Session and site management:
- Cookie-based session affinity
- Multi-site hosting
Content management:
- URL-based routing
Backend management:
- Rich diagnostics including access and performance logs
- VM Scale Set support
- Custom health probes
Diagram: one Application Gateway fronting contoso.com and fabrikam.com, routing contoso.com/video/* to a Videos backend pool and contoso.com/images/* to an Images pool.
15
Web Application Firewall (WAF) - Preview
Security:
- Protects applications from web-based intrusions
- Built on ModSecurity and the OWASP Core Rule Set
Availability:
- Highly available, fully managed
- Preconfigured OWASP* core rule set protecting against the most common OWASP Top 10 web vulnerabilities, such as SQL injection and XSS attacks
Diagram: the Application Gateway WAF (L7 LB) in front of Site 1 and Site 2 passes valid requests and blocks an XSS attack and a SQL injection attempt.
*Open Web Application Security Project (owasp.org)
16
Web Application Firewall (WAF) - preview
Application Gateway:
- Provision the WAF SKU of Application Gateway
- Available for public and private endpoints
- Detection and Prevention modes: Detection only logs rule matches, Prevention blocks them; run in Detection first and review the logs for false positives before switching to Prevention
Real-time monitoring:
- WAF logs integrated with Azure Insights
- Azure Security Center provides a central view of security state
Management:
- Portal, PowerShell and SDK supported
Diagram: the WAF (L7 LB) writes WAF logs to Azure Insights and Storage; Azure Security Center consumes them to raise alerts and recommendations; management through the Portal and PowerShell.
17
User Defined Routes
- Control traffic flow in your network with custom routes
- Attach route tables to subnets
- Specify the next hop for any address prefix
- Set a default route to force-tunnel all traffic to on-premises or to an appliance
Diagram: a virtual network with FrontEnd and BackEnd subnets; the system route between them is overridden by a user-defined route whose next hop is a VM/appliance with "IP Forwarding" enabled, alongside the default route toward the Internet. IP forwarding must be enabled on the appliance's NIC, otherwise the platform drops packets that are not addressed to the VM itself.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
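The two preceding slides (forced tunneling via a BGP default route, and user-defined routes toward an appliance) rely on the same mechanism: how Azure picks one route per destination for a subnet. The following is an added example, not code from the deck: a model of that selection (longest prefix match, then user-defined route over gateway-learned route over system route for equal prefixes), with a check a practitioner wants after applying UDRs, namely that no sampled destination still egresses straight to the Internet. The VNet space 10.0.0.0/16, the appliance address 10.0.0.4 and the subnet prefixes are assumptions.

```python
from ipaddress import ip_address, ip_network

# Route tuple: (prefix, next_hop_type, next_hop_ip, origin).  Azure resolves a
# destination by longest prefix match; for equal prefixes the origin decides in
# this order: user-defined route, route learned via the gateway (BGP), system route.
PRECEDENCE = {"User": 0, "Gateway": 1, "System": 2}

VNET_SPACE = "10.0.0.0/16"   # assumed VNet address space
NVA_IP = "10.0.0.4"          # assumed address of the IP-forwarding appliance

SYSTEM_ROUTES = [
    (VNET_SPACE, "VirtualNetwork", None, "System"),
    ("0.0.0.0/0", "Internet", None, "System"),
]

# Forced tunneling as the earlier slide describes it: on-premises advertises a
# default route over BGP and the gateway installs it alongside the system routes.
BGP_DEFAULT_TABLE = SYSTEM_ROUTES + [
    ("0.0.0.0/0", "VirtualNetworkGateway", None, "Gateway"),
]

# Route table attached to the FrontEnd subnet: traffic to the BackEnd subnet and
# all Internet-bound traffic is steered through the appliance.
FRONTEND_TABLE = SYSTEM_ROUTES + [
    ("10.0.2.0/24", "VirtualAppliance", NVA_IP, "User"),   # BackEnd subnet (assumed)
    ("0.0.0.0/0", "VirtualAppliance", NVA_IP, "User"),
]


def resolve(routes, dst):
    """Effective route for dst as (prefix, next_hop_type, next_hop_ip), or None."""
    addr = ip_address(dst)
    best_key, best = None, None
    for prefix, hop_type, hop_ip, origin in routes:
        net = ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -PRECEDENCE[origin])   # longer prefix, then stronger origin
        if best_key is None or key > best_key:
            best_key, best = key, (prefix, hop_type, hop_ip)
    return best


def direct_internet_egress(routes, destinations):
    """Destinations that would bypass inspection by going straight to the Internet."""
    leaks = []
    for d in destinations:
        route = resolve(routes, d)
        if route is not None and route[1] == "Internet":
            leaks.append(d)
    return leaks


def loops_back_to_nva(routes, nva_ip, probe="8.8.8.8"):
    """True if this table would send the appliance's own egress back to itself:
    never attach such a table to the subnet that hosts the appliance."""
    route = resolve(routes, probe)
    return route is not None and route[1] == "VirtualAppliance" and route[2] == nva_ip


if __name__ == "__main__":
    for name, table in [("system only", SYSTEM_ROUTES), ("BGP default", BGP_DEFAULT_TABLE), ("frontend UDR", FRONTEND_TABLE)]:
        print(name, "8.8.8.8 ->", resolve(table, "8.8.8.8"), "10.0.2.9 ->", resolve(table, "10.0.2.9"))
        print("  direct Internet egress:", direct_internet_egress(table, ["8.8.8.8", "10.0.2.9"]))
    print("frontend table attached to NVA subnet would loop:", loops_back_to_nva(FRONTEND_TABLE, NVA_IP))
```

The check at the end is the one people forget: the 0.0.0.0/0 route that makes the workload subnets safe creates a routing loop if the same table lands on the appliance's subnet.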
19
S2S VPN Taxonomy
Route-based VPN:
- Traffic selector: any-to-any (0.0.0.0/0 to 0.0.0.0/0)
- Routing tables direct traffic into different tunnels
- Multiple sites
- Routing features: BGP and transit dynamically update routes; forced tunneling redirects all Internet-bound traffic to on-premises
Policy-based VPN:
- Traffic selector: prefix-to-prefix (one /16 to specific /16s)
- "Firewall"-based VPN
- Single site only
- Does not support routing features
20
Secure VPN transit
- BGP for redundant paths and dynamic routing
- Automatic shortest-path selection and failover
- Transit over the Microsoft global network
- Secure connectivity using the Internet only for the "last mile"
Diagram: a full mesh with redundant paths and BGP on every link: VNet 1 East US (ASN 65010), VNet 2 West US (ASN 65020), VNet 3 Central US (ASN 65030), on-premises Site 4 (ASN 65040) and Site 5 (ASN 65050), the on-premises sites attached by S2S VPN.
21
Path diversity for on-premises networks
- Multiple tunnels/paths between an Azure VNet and an on-premises site
- Use BGP for reachability detection and path failover
- Supports on-premises networks with multiple ISPs and VPN devices
Diagram: on-premises Site 5 (ASN 65050, one /16) with two VPN devices, On Premises VPN 1 and VPN 2, each running an IPsec/IKE S2S tunnel (tunnel 1, tunnel 2) to the Azure VPN gateway of VNet1 East US (ASN 65010, one /16); both tunnels are active, with BGP failover.
22
Dual Redundancy with Active-Active gateways
- Zero downtime during planned maintenance
- From active-standby to active-active
- Supports both cross-premises and VNet-to-VNet connectivity
- Spreads traffic over multiple tunnels simultaneously
Diagram: Site 5 (ASN 65050) with two VPN devices, each tunneled to both gateway instances (Azure VPN and Azure VPN 2) of VNet1 East US (ASN 65010).
23
ExpressRoute and Microsoft Clouds
An ExpressRoute circuit (a primary and a secondary circuit between the customer's network, the partner edge of a provider such as Telstra or Equinix, and the Microsoft edge) carries three peerings:
- Private peering: traffic to Virtual Networks (VNets)
- Public peering: traffic to public IP addresses in Azure
- Microsoft peering: traffic to Office 365 services
(Azure public peering has since been deprecated for new circuits; Microsoft peering now carries Azure public services as well.)
24
ExpressRoute Setup: ExpressRoute Meet-Me Site
Diagram: the customer's network reaches the meet-me site over IP VPN or Ethernet. Provider Device 1 and Provider Device 2 form the "demarcation"; each has a physical link to MSFT Router 1 and MSFT Router 2 respectively. The ExpressRoute circuit is a virtual connection with BGP sessions over each of the two physical links.
25
Enterprise Reference Architecture
Influencing traffic flow:
- Force tunneling / split tunneling
- ER and S2S VPN coexistence
High availability:
- Using both ER links
- Additional ER circuits
- Geo-connectivity considerations
- Managing routing
26
Azure Private Peering
- A VNet gateway is required
- Any address, bidirectional connections
- "Force-tunnel" VNet traffic to the customer's network by advertising a default route (0.0.0.0/0) over BGP
- Set up a DMZ for cross-premises traffic
- Link multiple VNets to the same circuit
- Site-to-Site VPN can be used as a backup
Diagram: VNET1 and VNET2, each with a DMZ and its own gateway (GW1, GW2), connected to the customer's network over ExpressRoute with a VPN backup path; the customer's network advertises 0.0.0.0/0 via BGP so that Internet-bound traffic is pulled on-premises.
27
Azure Private Peering: VNet and gateway sizing are important!
- The gateway subnet is a /28 or /27 (use at least a /27 if ExpressRoute and VPN gateways are to coexist in the VNet)
- Standard, HighPerformance or UltraPerformance gateway SKU
(Same diagram as the previous slide.)
29
ExpressRoute Disaster Recovery
- ExpressRoute gateways can connect to ExpressRoute circuits in multiple locations
- ExpressRoute circuits can be connected to multiple ExpressRoute gateways
- The solution for disaster recovery is multiple ExpressRoute circuits, in different peering locations
30
Multi-path ExpressRoute
- The ExpressRoute gateway is connected to at least two ExpressRoute circuits
- All on-premises routes are advertised to Azure from each ExpressRoute location
- Each individual prefix should carry an appropriate AS path prepending to indicate path preference
- The ExpressRoute gateway sends traffic to the route with the shortest AS path
- For the reverse flow, use local preference values on the routes advertised from Azure as they arrive at the customer's backbone edge routers

What the Aus.East gateway "sees" (the slide only shows the prefix lengths):
  Range            AS Path   From
  Sydney /16       64496     SYD
  Melbourne /16    64496     MELB
Sent to Azure from SYD: Sydney /16 with AS path 64496; Melbourne /16 with a prepended (longer) AS path, value not legible in the extraction.
Sent to Azure from MELB: Melbourne /16 with AS path 64496; Sydney /16 with a prepended (longer) AS path, value not legible in the extraction.
31
Multi-path ExpressRoute
(Same tables as the previous slide.)
- In this example the Aus.East gateway sends traffic for the Sydney office down the Sydney ExpressRoute circuit
- If the Sydney ER circuit fails, BGP drops the routes learned from Sydney
- The Melbourne path is then used to reach the Sydney office
- To influence traffic flow, use AS path or local preference settings
Keep the two directions consistent: if Azure prefers SYD for a prefix but the on-premises side returns via MELB, a stateful firewall on either path sees only half of each flow and drops it.
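The two slides above describe the BGP decision in words; the following is an added example, not code from the deck, that walks through it: each location advertises both office prefixes, prepending the one it should only back up; the gateway prefers the shortest AS path; when the Sydney circuit is withdrawn the Melbourne path takes over; and on the customer side local preference picks the return circuit so the two directions stay symmetric. The prefixes 10.1.0.0/16 and 10.2.0.0/16, the prepend depth, the VNet prefix and the LOCAL_PREF values are assumptions. 64496 is the documentation ASN used on the slide; 12076 is Microsoft's ExpressRoute ASN.

```python
from collections import defaultdict

CUSTOMER_ASN = 64496            # documentation ASN shown on the slide
MICROSOFT_ASN = 12076           # ASN Microsoft uses on ExpressRoute peerings
SYDNEY_OFFICE = "10.1.0.0/16"   # assumed; the slide only shows "/16"
MELBOURNE_OFFICE = "10.2.0.0/16"


def as_path(prepend=0):
    """AS_PATH as the customer edge sends it: own ASN, plus `prepend` extra copies."""
    return [CUSTOMER_ASN] * (1 + prepend)


# What each peering location advertises to Azure (the slide's two small tables).
# The local office goes out unprepended; the other office is prepended so that
# Azure only uses that circuit as a backup.  Prepend depth of 2 is an assumption.
ADVERTISED = {
    "SYD": {SYDNEY_OFFICE: as_path(), MELBOURNE_OFFICE: as_path(prepend=2)},
    "MELB": {MELBOURNE_OFFICE: as_path(), SYDNEY_OFFICE: as_path(prepend=2)},
}


class GatewayRib:
    """Toy model of the ExpressRoute gateway's routes across two circuits."""

    def __init__(self):
        self.paths = defaultdict(dict)   # prefix -> {location: as_path}

    def learn(self, location, routes):
        for prefix, path in routes.items():
            self.paths[prefix][location] = list(path)

    def withdraw(self, location):
        """A circuit going down withdraws every route learned over it."""
        for by_loc in self.paths.values():
            by_loc.pop(location, None)

    def best(self, prefix):
        """Shortest AS path wins.  The real gateway spreads traffic across
        equal-length paths; the name tie-break only keeps this toy deterministic."""
        by_loc = self.paths.get(prefix, {})
        if not by_loc:
            return None
        return min(by_loc, key=lambda loc: (len(by_loc[loc]), loc))


def onprem_best(received):
    """Reverse direction on the customer backbone: highest LOCAL_PREF wins, then
    shortest AS path.  `received` maps location -> (local_pref, as_path)."""
    if not received:
        return None
    return max(received, key=lambda loc: (received[loc][0], -len(received[loc][1])))


def symmetric(rib, prefix, received_from_azure):
    """True when Azure->on-prem and on-prem->Azure use the same circuit for this
    prefix, so a stateful firewall on either side sees both halves of a flow."""
    return rib.best(prefix) == onprem_best(received_from_azure)


if __name__ == "__main__":
    rib = GatewayRib()
    for loc, routes in ADVERTISED.items():
        rib.learn(loc, routes)
    # Azure's VNet prefix as received on-premises over each circuit; the Sydney
    # edge is configured with LOCAL_PREF 200 so Sydney-sourced traffic prefers SYD.
    received = {"SYD": (200, [MICROSOFT_ASN]), "MELB": (100, [MICROSOFT_ASN])}
    print("normal: Azure uses", rib.best(SYDNEY_OFFICE), "symmetric:", symmetric(rib, SYDNEY_OFFICE, received))
    rib.withdraw("SYD")
    received.pop("SYD")   # the same outage withdraws Azure's routes from the SYD edge
    print("after SYD failure: Azure uses", rib.best(SYDNEY_OFFICE), "symmetric:", symmetric(rib, SYDNEY_OFFICE, received))
```

The `symmetric` check is the part to keep: prepending only steers the Azure-to-on-premises direction, and a LOCAL_PREF set the other way round on the customer edge produces exactly the asymmetric path the slides warn about.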
33
Azure Public Peering
- Unidirectional connections, initiated from the customer's network
- Public IP addresses only toward Microsoft: the customer's private addresses are NATed before the circuit
Diagram: customer's network, NAT, ExpressRoute, Azure public services.
35
Microsoft Peering
- Bidirectional connections
- Public IP addresses only toward Microsoft (NAT on the customer side)
- The Premium add-on is required
- QoS support for Skype for Business: voice, video and interactive traffic are prioritized, everything else is best effort
- The public Internet is still required, for DNS and CDN
Diagram: the customer's network behind NAT reaches Office 365 over Microsoft peering with voice, video and interactive, and best-effort traffic classes, while DNS and CDN are still reached over the public Internet.
36
Enterprise Reference Architecture: Azure IaaS and Azure PaaS
37
Virtual Data Center Emerges
- RBAC allows segregation of duties between centralized and specialized teams
- Common components are minimized (reduced cost and complexity)
- DevOps is enabled where possible (workload subscriptions)
- Centralized IT is retained for the security and infrastructure components
- The central security/infrastructure team manages the edges (to the Internet and to on-premises)
38
Customer scenario #1: Large retailer in France
39
Customer Profile
41
Business requirements
- Shutting down their datacenter hosted with Service Provider X: a competitive situation, and the main driver for this project
- Build a mixture of hybrid and private cloud: the chosen cloud provider needs a strong private and hybrid cloud story
- Start with France and Europe, then scale to worldwide branches: France starts with dev/test and then production; once everything is validated, the momentum is expanded worldwide
- Stop their outsourcing contract with an IT services company: the customer used to outsource administration and maintenance of resources and now wants to bring these tasks in-house
42
Technical Requirements
- Full redundancy per region (Europe, US, Asia): the customer has a global presence, and the design for each region needed to be redundant
- Private connection from on-premises datacenters to Azure: different providers are involved depending on the country/region; ExpressRoute is an enabler for the project
- Security and firewall mechanisms with logging: traffic must be inspectable before it enters or leaves the Azure vNets, and logs are kept for auditing purposes
- A scalable and manageable administration system: the customer's IT teams are spread around the world, and IT is not fully centralized
43
Design Considerations
- What does a vNet represent? The customer chose that each vNet represents a project within the group.
- Traffic leaving a vNet must pass through the NVA: hub-and-spoke model with VNet peering; UDRs force traffic arriving through the gateway to the NVA
- Connect Azure regions to each other: VNet-to-VNet VPN connects the Azure vNets in Europe with Asia and the Americas
- Full redundancy on the Azure side: the design includes a disaster recovery plan in Azure, with plans to add DR for on-premises resources
- Full redundancy on the connectivity side: the ExpressRoute partner offers built-in redundancy to two peering locations in Europe
44-49
Target high-level design, France (built up over six slides)
- Europe North, production environment: a hub VNet with a firewall (NVA) and an ER GW, peered to spoke VNets for Project 1 and Project 2; the ER GW connects through the ER provider's network to the London ExpressRoute peering location and from there to the customer's WAN
- Europe West, disaster recovery environment: a second hub VNet with its own firewall, ER GW and Project 1 / Project 2 spokes, connected through a second ER provider network to the Paris ExpressRoute peering location
- South East Asia: a hub VNet with a firewall and a Project 1 spoke
- A VPN GW in each hub (Europe North, Europe West, South East Asia) provides VNet-to-VNet connectivity between the regions
50
Customer scenario #2: European customer in the renewable energy sector
51
Customer Profile
Existing network environment
Business requirements
- Shutting down the on-premises datacenter
  - Won't renew the lease contract for their datacenter
  - Move everything to the cloud
- Lift & Shift approach
  - Moving everything to the cloud (no equipment or server left behind)
- The cloud as the central location
  - With the datacenter being shut down, MPLS and all VPN connections must be connected to each other via the cloud
- Meet/exceed solution from competition
  - Competition provided a network solution
  - Customer to validate both solutions and choose the best
Technical Requirements
- Full routing across locations: MPLS, Azure, VPN tunnels
  - Some file services will be left in the MPLS, and remote offices must be able to access them
- Private connection from MPLS to Azure
  - ExpressRoute to enable connectivity between MPLS and Azure
- Firewall security and protection in Azure
  - Desire to analyze traffic entering/leaving the vNet with an NVA
- Segregation of assets, duties and responsibilities
  - Customer IT should manage central infrastructure (ER, NVA, Shared Services)
  - Departments must have full flexibility to own and deploy their own resources
Design Considerations
- One vs Multiple vNets
  - One large vNet, leveraging NSG and RBAC for segmentation and delegation, or a Hub & Spoke model with vNet peering
- Traffic leaving the vNet must use the NVA
  - The Hub & Spoke model is cheaper and more efficient, but it does require UDRs on the GW Subnet, the Shared Services subnet(s) and the spokes. Also, the NVA can be a SPOF
- How remote sites connect to Azure
  - VPN tunnels using the Microsoft VPN GW
- Enabling full routing across MPLS, Azure vNets and VPN locations (Challenge)
  - Transit routing is not supported in the ExpressRoute and VPN coexistence model (Challenge)
  - GW limitations in vNet peering
- Improving connectivity from offices in other regions
  - Internet connections in South America can be unreliable and/or have high latency
Design Considerations
- One vs Multiple vNets
  - One large vNet, leveraging NSG and RBAC for segmentation and delegation, or a Hub & Spoke model with vNet peering
VNet design
[Diagram: Single vNet compared with Multiple vNets]
Design Considerations
- Traffic leaving the vNet must use the NVA
  - The Hub & Spoke model is cheaper and more efficient, but it does require UDRs on the GW Subnet, the Shared Services subnet(s) and the spokes. Also, the NVA can be a SPOF
Force incoming / outgoing traffic thru NVA
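Added example (not from the presentation): a Python check for the UDR requirement just described, run over a constructed hub-and-spoke topology. It verifies that the GatewaySubnet carries one route per spoke prefix to the NVA, that the Shared Services and spoke subnets send their default route to it, and flags a single-instance NVA as the SPOF the slide warns about. VNet and subnet names, prefixes and the NVA address are all constructed.

```python
"""Check that a hub-and-spoke design really forces traffic through the NVA.

Constructed example: models the UDRs needed on the GatewaySubnet, the
Shared Services subnet(s) and every spoke, plus the single-NVA SPOF.
"""
from ipaddress import ip_network

DEFAULT = ip_network("0.0.0.0/0")

# Constructed addresses: the NVA next hop and the instances behind it.
NVA_NEXT_HOP = "10.0.1.4"
NVA_INSTANCES = ["10.0.1.4"]
SPOKE_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16"]

# Constructed topology: vnet -> subnet -> (prefix, [(destination, next_hop_ip)])
TOPOLOGY = {
    "hub": {
        "GatewaySubnet": ("10.0.0.0/27", [(p, NVA_NEXT_HOP) for p in SPOKE_PREFIXES]),
        "SharedServices": ("10.0.2.0/24", [("0.0.0.0/0", NVA_NEXT_HOP)]),
    },
    "spoke1": {"app": ("10.1.0.0/24", [("0.0.0.0/0", NVA_NEXT_HOP)])},
    "spoke2": {"app": ("10.2.0.0/24", [])},  # UDR forgotten: egress bypasses the NVA
}


def check_forced_tunneling(topology, spoke_prefixes, nva_ip, nva_instances):
    """Return a list of findings; an empty list means every path hits the NVA."""
    findings = []
    for vnet, subnets in topology.items():
        for name, (_prefix, routes) in subnets.items():
            all_dst = {ip_network(dst) for dst, _ in routes}
            via_nva = {ip_network(dst) for dst, hop in routes if hop == nva_ip}
            if name == "GatewaySubnet":
                # Azure guidance: no default route on the GatewaySubnet; instead one
                # route per spoke prefix so inbound traffic is steered to the NVA.
                if DEFAULT in all_dst:
                    findings.append(f"{vnet}/{name}: 0.0.0.0/0 route on GatewaySubnet")
                for p in spoke_prefixes:
                    if ip_network(p) not in via_nva:
                        findings.append(f"{vnet}/{name}: no route for {p} via NVA")
            elif DEFAULT not in via_nva:
                findings.append(f"{vnet}/{name}: egress not forced through NVA")
    if len(nva_instances) < 2:
        findings.append("NVA is a single instance: SPOF")
    return findings


if __name__ == "__main__":
    for f in check_forced_tunneling(TOPOLOGY, SPOKE_PREFIXES, NVA_NEXT_HOP, NVA_INSTANCES):
        print("FINDING:", f)
```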
Design Considerations
- VPN tunnel termination
  - 25 locations connecting through S2S VPN connections
VPN Connections
- High-Perf SKU: up to 30 IPSec tunnels
Design Considerations
- VPN tunnel termination
  - 25 locations connecting through S2S VPN connections
  - High-performance SKU required (up to 30 IPSec tunnels)
- Enabling full routing across MPLS, Azure vNets and VPN locations
  - Transit routing is not supported in the ExpressRoute and VPN coexistence model
  - In vNet peering, there can be only one GW (either local or remote)
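Added example (not from the presentation): a Python check for the "only one GW, local or remote" rule on vNet peering. It walks a constructed set of peerings and reports a spoke that has its own gateway while also using the hub's, a spoke that uses remote gateways on more than one peering, and a hub that forgot to allow gateway transit. The property names allowGatewayTransit and useRemoteGateways are the ARM peering properties; the VNet names are constructed.

```python
"""Validate the one-gateway rule for VNet peering (constructed example)."""


def check_peering_gateways(vnets, peerings):
    """vnets: {name: has_own_gateway}; peerings: dicts with keys
    'from', 'to', 'allowGatewayTransit', 'useRemoteGateways'.
    Returns a list of findings; empty means the peerings are consistent."""
    findings = []
    remote_gw_count = {name: 0 for name in vnets}
    transit_offered = {(p["from"], p["to"]) for p in peerings if p["allowGatewayTransit"]}
    for p in peerings:
        if not p["useRemoteGateways"]:
            continue
        src, dst = p["from"], p["to"]
        remote_gw_count[src] += 1
        # A VNet with its own gateway cannot also use a remote one.
        if vnets[src]:
            findings.append(f"{src}: has its own gateway and useRemoteGateways to {dst}")
        # The remote side must actually have a gateway and offer transit.
        if not vnets[dst]:
            findings.append(f"{src}: useRemoteGateways but {dst} has no gateway")
        if (dst, src) not in transit_offered:
            findings.append(f"{dst}: must set allowGatewayTransit on peering to {src}")
    # Only one peering per VNet may use remote gateways.
    for name, n in remote_gw_count.items():
        if n > 1:
            findings.append(f"{name}: useRemoteGateways on {n} peerings (only one allowed)")
    return findings


# Constructed topology: hub with ER GW, spoke1 done right, spoke2 keeps its own VPN GW.
VNETS = {"hub": True, "spoke1": False, "spoke2": True}
PEERINGS = [
    {"from": "hub", "to": "spoke1", "allowGatewayTransit": True, "useRemoteGateways": False},
    {"from": "spoke1", "to": "hub", "allowGatewayTransit": False, "useRemoteGateways": True},
    {"from": "hub", "to": "spoke2", "allowGatewayTransit": True, "useRemoteGateways": False},
    {"from": "spoke2", "to": "hub", "allowGatewayTransit": False, "useRemoteGateways": True},
]

if __name__ == "__main__":
    for f in check_peering_gateways(VNETS, PEERINGS):
        print("FINDING:", f)
```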
Enabling full routing across the environment
Design Considerations
- Improve connectivity from offices in other regions
  - Internet connections in South America can be unreliable and/or have high latency
Optimizing connectivity from remote locations
[Diagram: remote locations reaching Azure over the Msft Backbone]
Final Solution
End-to-End Azure Networking Demo
Demo Setup - http://104.42.197.112/
[Diagram: demo address plan with /16, /16 and /24 ranges]
In review: session objectives and takeaways
Session objective(s):
- Describe how multiple Azure Networking features work together to meet customer requirements
- Describe how large enterprises built highly available hybrid connectivity
- Describe interoperability between multiple public cloud deployments
Key takeaway 1: Be able to describe Azure Networking capabilities and limitations
Key takeaway 2: Understand how some large customers are extending their networks to Azure
Continue your Ignite learning path
- Visit Channel 9 to access a wide range of Microsoft training and event recordings
- Head to the TechNet Eval Centre to download trials of the latest Microsoft products
- Visit Microsoft Virtual Academy for free online training
Thank you
Chat with me in the Speaker Lounge