Published by Edward Horn. Modified over 6 years ago.
1
Mastering Azure Connectivity to the Microsoft Cloud
Day One - Session 4 of 4
2
Agenda Outline

Time   Duration  Topic
09:00  30 mins   Intro and Overview
09:30            SDN, Virtual Network, and Azure Network Overview
10:00            RDFE / ARM Overview
10:30  15 mins   Break
10:45  45 mins   VNet Deep Dive
11:30            Hybrid Network Overview
12:00  90 mins   Lunch
13:30  75 mins   ExpressRoute Deep Dive
14:45
15:00  60 mins   ExpressRoute Demos and Q&A
16:00            Roadmap and Futures
3
Demos
Anatomy of a VNet - Portal
Creating an ExpressRoute circuit – Portal
Get ARP and Route Summaries – Portal
Get ARP and Route Summaries – PowerShell
What else would you like to see?
4
Roadmap
5
Azure Planning – Behind the scenes
We do high level planning in 6-month semesters
Each semester is named after an element following the periodic table
December ends Argon and in January we start Potassium (then Calcium next July)
We are here
6
Chlorine Delivered
ExpressRoute
Application Gateway, Net Virtual Appliances
Margin-neutral pricing for Premium
Route Tables, Stats, ARP
Application Gateway
BGP Communities Preview
Request/response logs, SSL Config, ScaleSet Integration, E2E SSL
ExpressRoute/VPN coexistence in ARM
ARM Parity: VPN and ExpressRoute
NVAs in Marketplace
ASM/ARM Coexistence
Cisco (ASA, CSR), F5, Fortinet, Riverbed, Palo Alto, Threatstop
Simplified NAT specification
Gov Cloud: O365 GA, Dallas, New York
Prod: Las Vegas (July), Newport (July), Paris, Toronto
VPN
BGP, multiple tunnels to same site
ARM Coexistence
SDN
Route tables on gateway subnet
7
Application Gateway: Layer 7 ADC Features
Security
  SSL termination
  Allow/block SSL protocols
  End to end SSL encryption
Session & site management
  Cookie based session affinity
  Multi-site hosting – up to 20 web applications or sites
Content management
  URL based routing
Backend management
  Rich diagnostics including Access and Performance logs. Health logs at Ignite
  VM Scale Set support
  Custom health probes
[Diagram labels: VM Scale Set, App Gateway, fabrikam.com, contoso.com, Videos, contoso.com/video/*, Images, contoso.com/images/*]
8
WAF – Web Application Firewall [1]
Ignite
Web Application Firewall features
  Highly available, fully managed
  OWASP top 10 web vulnerabilities protection
  Custom Rules for IP blocks and string matches
  Global and site specific policies
[Diagram labels: Banned IP/Agent, Application Gateway, Backend Pool, Allowed Requests, ADC Module, Allowed Request, WAF Module, SQL Injection/XSS]
9
WAF – Web Application Firewall [2]
Ignite
WAF Support
  Premium SKU of Application Gateway
  ARM stack only
  Configure via Portal, ARM templates, PowerShell, or SDKs
Azure Security Center
  Best security practice & recommendation for WAF
  Health alerts
Azure Insights for WAF log access
[Diagram labels: Application Gateway Premium, Portal, ADC Module, PowerShell, WAF Module, Recommends, Alerts, WAF logs, Azure Security Center, Azure Insights, Storage]
10
Announcing IPv6 for Azure VMs
Native IPv6 to VMs
  Azure-based services can now reach IPv6 Internet clients
  Native Dual-stack (IPv4+IPv6) VMs for maximum service flexibility
  Available globally
  Linux & Windows VMs
Maximize the Reach of Your Azure Applications
  IPv6 now required by many governments and their suppliers worldwide
  Reach mobile (4G) & IoT devices
  Apple highlighting IPv6 support in iOS app submissions
[Diagram labels: Azure, Azure VMs (IaaS), VM, IPv6, IPv4, Azure Services & Storage, IPv6 (AAAA) Record, IPv6 VIP, IPv4 VIP, Azure Load Balancer, Inbound & Outbound, Internet, IPv6 Clients & Services, IPv4 Clients and Services]
11
VNet Peering
TechReady 23 8/24/2018 2:21 PM
Ignite
Direct and bidirectional L3 connectivity between VNets in same region
High throughput, low latency connectivity
Bypass gateway, no bandwidth bottleneck
Supports NVA and Gateway Transit (ARM-to-ARM only)
Peer ASM and ARM VNets
Peer across subscriptions
NSGs and UDRs will work across the link
Public preview – end of July
[Diagram labels: 10.0/16, On-Premises, ARM VNet 10.1/16, ARM VNet 10.2/16, VPN, Peering, Gateway transit via Peering]
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
12
Multiple IP addresses on VM NICs
Ignite
Multiple Private IPs per NIC
Up to 250 IPs per NIC
NSGs, UDRs, Load Balancers on all IPs
Multiple Public IPs per VM
Public IP to any IP on any NIC
Any IP on any NIC to load balancer
Enables NVA-based scenarios
Multiple web & app services using the same standard ports
Failover/portability by moving secondary private IP addresses
Scale out NVAs by adding IP addresses on secondary NICs to load balancer
“Any VIP to Any IP on Any NIC”
[Diagram labels: IP1, Public IPs, 151.1, 151.2, 151.3, 151.4, Availability Set, Backend Pool]
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
13
Multiple VIPs on Internal Load Balancer
Ignite
Add multiple VIPs to Internal Load Balancer
Enables critical scenarios, including SQL AlwaysOn with Multiple Listeners for Availability Groups
Supports standard backend pools as well as DSR (“floating IP”)
Multiple VMs exposing services on VIPs with same port #
[Diagram labels: SQL AlwaysOn, multiple AG]
14
Accelerated Networking
Ignite
High throughput, low latency network performance
Enables SR-IOV – direct VM-to-NIC path bypassing Hyper-V (Host OS) layer
Low latency (15~25 µs)
High throughput (20+Gbps)
Increased number of packets per second (pps) & reduces jitter
Compete
AWS Enhanced Networking & Elastic Network Adapter
No Google equivalent
15
How it works
Roadmap
Today every packet traverses the host, going through the VMSwitch to apply policy and then to the VM
With SR-IOV, the VMSwitch processing is removed from the path and is reduced significantly
[Diagram labels: Physical NIC]
16
S2S VPN BGP and Transport Routing
New BGP support for Azure S2S VPN gateways
VNet-to-VNet connections
  e.g. VNet1 can communicate to VNet2 via VNet3 gateway
Cross-premises connections
  E.g. Site4 can communicate with VNet1 via VNet2 or even with Site5 via VNet2 and VNet1
17
S2S VPN Redundant Tunnels (New)
New
Multiple tunnels/paths between Azure VNet and on premises site
Leverage BGP for reachability detection & path failover
18
S2S VPN Active-Active Gateways
Ignite
Active-Active gateways provide dual redundancy
Traffic can be distributed onto both tunnels
19
ExpressRoute Enhancements
Ignite
Ultra performance ExpressRoute gateways
  Support up to 10G throughput to VMs
Improved SLA – 99.9% to 99.95%
  Further enhance reliability
More insights
  Self help and troubleshooting tools
  Improved monitoring, diagnostics, and alerting
  BGP routes, traffic statistics, ARP tables
20
© 2016 Microsoft Corporation. All rights reserved
© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.