Presentation on theme: "IaaS Part I Stefan Geiger Gerry"— Presentation transcript:

1 Microsoft Azure IaaS Part I
Stefan Geiger, Gerry Keune @trivadis.com
IaaS Part I

2 Agenda
- IaaS Networking
- Azure Active Directory & MFA for Cloud Apps

3 The Big (Network) Picture
- Virtual networks: flexible multi-tier topologies (Azure Virtual Network)
- Frontend connectivity (Internet clients): load-balanced and direct IPs; ACLs & DDoS protection; Traffic Manager & Azure DNS
- Backend connectivity (on-premises datacenter): secure cross-premises VPN connectivity over the Internet; ExpressRoute for direct connectivity
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

4 Virtual Network: Hybrid and Private Cloud scenarios
- Connect on-premises and cloud applications
- A private space dedicated to your company
- The virtual network uses IPsec to secure the connection between your datacenter and Microsoft Azure through its VPN gateway
- Full control of the network topology: configure IP addresses (static & dynamic), NIC security groups
- Upon creation, VMs can immediately be added to configured subnets

5 Virtual Network
- Virtual machines deployed into a virtual network have an infinite DHCP lease
(Diagram: Subnet 1 with VM1 and VM2; Subnet 2 (Role))

6 Traffic Manager: DNS-based Load Balancing
Load balancing policies:
- Performance: direct to the “closest” service based on network latency
- Round-robin: distribute equally across all services
- Failover: direct to the “backup” service if the primary fails; also included in the other policies

7 Microsoft Azure hybrid offerings
| Cloud | Customer segment and workloads |
| --- | --- |
| Secure point-to-site connectivity | Developers, POC efforts, small-scale deployments; connect from anywhere |
| Secure site-to-site VPN connectivity | SMB, enterprises; connect to Azure compute |
| ExpressRoute private connectivity | SMB & enterprises; mission-critical workloads; backup/DR, media, HPC; connect to all Azure services |

8 Virtual Network Connectivity
- Provides a network-level bridge between cloud and on-premises environments
- Enables cross-premises connectivity
- Simple setup and management
- Point to Site: no VPN device or network configuration required

9 Virtual Network VPN Device List
Generic VPN devices must support IKE v1, AES 128/256 and SHA1/SHA2.
Cisco:
| Platform | OS Family | Examples |
| --- | --- | --- |
| ASA 5500 Series (Adaptive Security Appliances) | ASA Software 8.4+ | 5505, 5550 |
| ASR 1000 Series Aggregation Services Routers | IOS XE 2.1+ | 1002 |
| ISR Series Integrated Services Routers | IOS 12.2+ | 2801, 2901, 2911 |
Juniper:
| Platform | OS Family | Examples |
| --- | --- | --- |
| SRX Series Routers | JunOS 10.2+ | 210, 650 |
| J Series Routers | JunOS 9.4+ | 4350 |
| ISG Series Routers | ScreenOS 6.2+ | SX2 |
| SSG Series Routers | | 550 |

10 Demo: Point to Site Connectivity

11 What’s New
Internet connectivity:
- Reverse DNS (PTR) support
- Traffic Manager nested profiles
- Instance-level public IP GA
- Source IP-based affinity
- TCP flow idle connection timeout
Virtual network:
- Network Security Group
- Public non-RFC1918 IPs in a VNet
- ILB for SQL Always On
Cross-premises connectivity:
- Forced tunneling for IPsec VPNs
- ExpressRoute multi-subscription circuit sharing
- ExpressRoute multi-circuit VNet
- High-performance VPN gateway
- VPN/ExpressRoute operation logs
- IPsec VPN NULL encryption & PFS
Network virtual appliance:
- Multiple NICs per VM
- MAC persistence

12 Instance-Level Public IP GA
- Internet IP assigned to a single VM
- Entire port ranges are accessible
- Supports applications with dynamic public ports, e.g. FTP, multimedia
- Ideal for workloads with heavy outbound connections
(Diagram: Internet; Microsoft Azure LB with a reserved VIP in front of a cloud service; instance-level public IPs on VM1 and VM2)

13 Source IP-based Affinity
- All connections from the same Internet client IP go to the same backend server (2-tuple/3-tuple hash)
- Scenarios: applications that require multiple connections to the same server; example: media streaming, which establishes control and data channels to the same backend server
(Diagram: Client 1, Client 2 and Client 3 reach a VIP on the Azure Load Balancer, which forwards to VM server instance 1 or 2)

14 Increasing Idle Connection Timeout
- Configurable connection timeout to VIPs
- Idle connection timeout as high as 30 minutes
- Better experience for mobile clients connecting to Azure
(Diagram: client traffic to the VIP passes the LB to Server 1 or Server 2; client idle connection timeout increased up to 30 minutes)

15 Network Security Groups (NSG)
- Enables network segmentation & DMZ scenarios
- Access control list: filter conditions with allow/deny; individual addresses, address prefixes, wildcards
- Associate with VMs or subnets
- ACLs can be updated independently of VMs
(Diagram: on-premises 10.0/16 connected over the Internet by S2S VPNs to the VPN GW of a virtual network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets)

16 DMZ in a Virtual Network
(Diagram: virtual network with a DMZ; Internet-facing load balancer and web proxy, internal load balancer, app servers, database and DNS servers, with an NSG guarding each tier)
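To make the allow/deny evaluation on the two NSG slides concrete, here is an added Python example (not from the deck and not Azure's own implementation) that evaluates prioritized NSG-style rules for the Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets shown above; the rule format, the priorities, the sample addresses and the default-deny fallback are assumptions for illustration.

```python
"""NSG-style ACL evaluation for the three-tier virtual network on the slides.
Added example, not from the deck; rule format and defaults are assumptions.
Prefixes: Frontend 10.1.0.0/16, Mid-tier 10.2.0.0/16, Backend 10.3.0.0/16,
On-premises 10.0.0.0/16 (the slide's 10.x/16 shorthand expanded)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first
    src: str               # CIDR prefix, or "*" for any address
    dst: str
    port: Optional[int]    # None means any port
    action: str            # "allow" or "deny"

def _match(prefix: str, addr: str) -> bool:
    return prefix == "*" or ip_address(addr) in ip_network(prefix)

def evaluate(rules: list[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule in priority order wins; no match falls to deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _match(rule.src, src) and _match(rule.dst, dst) and rule.port in (None, port):
            return rule.action
    return "deny"   # assumed default for this example

# Constructed rule set for the Frontend / Mid-tier / Backend DMZ layout.
DMZ_RULES = [
    Rule(100, "*",           "10.1.0.0/16", 443,  "allow"),  # Internet -> Frontend HTTPS
    Rule(200, "10.1.0.0/16", "10.2.0.0/16", 8080, "allow"),  # Frontend -> Mid-tier app port
    Rule(300, "10.2.0.0/16", "10.3.0.0/16", 1433, "allow"),  # Mid-tier -> Backend SQL
    Rule(400, "10.0.0.0/16", "10.3.0.0/16", 3389, "allow"),  # On-premises admins -> Backend RDP
    Rule(4000, "*",          "10.3.0.0/16", None, "deny"),   # Everything else to Backend: deny
]

def check_flows(rules: list[Rule] = DMZ_RULES) -> dict[str, str]:
    """Evaluate constructed sample flows; tier skipping (Frontend -> Backend) is denied."""
    flows = {
        "internet->frontend:443":  ("203.0.113.5", "10.1.0.10", 443),
        "internet->backend:1433":  ("203.0.113.5", "10.3.0.10", 1433),
        "frontend->midtier:8080":  ("10.1.0.10",   "10.2.0.10", 8080),
        "frontend->backend:1433":  ("10.1.0.10",   "10.3.0.10", 1433),
        "midtier->backend:1433":   ("10.2.0.10",   "10.3.0.10", 1433),
        "onprem->backend:3389":    ("10.0.0.99",   "10.3.0.10", 3389),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name:<26} {verdict}")
```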

17 Multiple NICs in Azure VMs
- Up to 4 NICs per VM
- Multiple NICs enable virtual appliances in Azure
- MAC/IP addresses persist through the VM life cycle
- Separate frontend-backend traffic, and management-data planes
(Diagram: Azure virtual machine with NIC1 (default, Internet VIP) and NIC2 attached to the Frontend, App and Backend subnets of the virtual network)

18 Forced Tunneling (NEW)
- “Force” or redirect customer Internet-bound traffic to an on-premises site
- Auditing & inspecting outbound traffic from Azure
- Needed by many scenarios for critical security and IT policy requirements
(Diagram: Internet-bound traffic from the Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets is forced-tunneled via the S2S VPN through the VPN GW to the on-premises site)

19 ExpressRoute
IPsec VPN over the Internet:
- Encrypted data traverses the Internet to reach Azure
- Limited bandwidth and higher availability
Cloud on your WAN:
- Traffic flows directly from the customer WAN to Azure
- Reduces complexity
- Provides lower latency, higher bandwidth and greater availability
(Diagram: Azure, the customer WAN with Corp HQ, Branch office 1 and Branch office 2, and the public Internet, shown for both options)

20 Agenda
- IaaS Networking
- Azure Active Directory & MFA for Cloud Apps

21 Security: Authentication and Authorization with Claims-based Identity
- Authentication and access management based on open protocols
- Reduces infrastructure dependencies: can be hosted on-premises or in the cloud without changes
- Factors authentication out of applications
- Identity technologies and services used with Azure: Windows Identity Foundation (WIF), Active Directory, Active Directory Federation Services 2.0, Azure Access Control Service (ACS)

22 Claims-based solution
- Stop building custom identification and user account databases into every new application
- One approach to identity that works in various scenarios
- Factors authentication out of applications
- Easy upgrade to stronger authentication methods
- Identity federation
- WIF (Windows Identity Foundation): a framework that simplifies implementing claims-based identity in your applications

23 Claims-based Identity Model
- The user’s identity is presented to your application as a set of claims
- Claims are attributes asserted by an issuer (e.g. address, username); a claim is a statement about a user made by an authority
- The identity data you receive comes from a trusted source: if you trust the issuer, you trust the claim
- Releases the application from: authenticating users, storing user accounts and passwords; calling enterprise directories to look up user identity details; integrating with identity systems from other platforms or companies
(Example claims received by a web app: Name: Gerry; Roles: Consultant, Trainer; IsSpeaker: true)

24 Security Token
- The user delivers a set of claims to your application, piggybacked along with her request
- A token is a serialized set of claims digitally signed by the issuing authority; the signature assures the authenticity of the claims
- A web service carries the claims in the security header of the SOAP envelope
- A browser-based web application receives the claims via an HTTP POST from the user’s browser; they can be cached in a cookie if a session is desired
Speaker notes: The user delivers a set of claims to your application piggybacked along with her request. In a Web service, these claims are carried in the security header of the SOAP envelope. In a browser-based Web application, the claims arrive via an HTTP POST from the user’s browser, and may later be cached in a cookie if a session is desired. Regardless of how they arrive, they must be serialized somehow, and this is where security tokens come in. A security token is a serialized set of claims that is digitally signed by the issuing authority. The signature is important – it gives you assurance that the user didn’t just make up a bunch of claims and send them to you.

25 Security Token Service (STS)
- The STS builds, signs, and issues security tokens
- Claims, tokens, and STSs are the foundation of claims-based identity
(Diagram: browser, authority (web app) STS, and relying party (web app) with its identity library (WIF) and list of trusted STSs. 1: authenticate the user, return a token; 2: submit the token; 3: verify the token’s signature and that the STS is trusted; 4: use the claims in the token)
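As an added example (not code from the deck or from WIF), the four-step flow above in Python: the STS issues a signed token, and the relying party checks the issuer against its trusted STS list and verifies the signature before using the claims. HMAC-SHA256 with a per-STS key is assumed in place of the X.509 signature a real WS-Federation or SAML token carries; the issuer names and key are constructed.

```python
"""Claims-based identity flow from the STS slide: an STS issues a signed token,
the relying party checks the signature and the issuer against its trusted-STS
list, then uses the claims. Added example, not the deck's or WIF's code.
Assumption: HMAC-SHA256 with a per-STS key stands in for the X.509 signature."""
import hashlib
import hmac
import json

# --- Authority side: the STS builds, signs and issues the token (step 1) -----
def issue_token(issuer: str, key: bytes, claims: dict) -> str:
    body = json.dumps({"iss": issuer, "claims": claims}, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return body.hex() + "." + sig.hex()       # serialized claims + signature

# --- Relying party side: the identity library verifies the token (step 3) ---
class RelyingParty:
    def __init__(self, trusted_sts: dict):    # issuer name -> verification key
        self.trusted_sts = trusted_sts

    def validate(self, token: str) -> dict:
        """Return the claims, or raise ValueError if the token cannot be trusted."""
        try:
            body_hex, sig_hex = token.split(".")
            body, sig = bytes.fromhex(body_hex), bytes.fromhex(sig_hex)
            payload = json.loads(body)
        except ValueError as exc:
            raise ValueError("malformed token") from exc
        key = self.trusted_sts.get(payload.get("iss"))
        if key is None:                       # the "List of Trusted STS" check
            raise ValueError("issuer is not a trusted STS")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("signature does not verify: claims may be forged")
        return payload["claims"]              # step 4: use the claims in the token

# Constructed demo values matching the slide's sample claims.
STS_KEY = b"constructed-demo-key-for-the-trusted-sts"
RP = RelyingParty({"sts.example.test": STS_KEY})
CLAIMS = {"Name": "Gerry", "Roles": ["Consultant", "Trainer"], "IsSpeaker": True}

def tamper(token: str, role: str) -> str:
    # Re-serialize the claims with an extra role but keep the original signature.
    body_hex, sig_hex = token.split(".")
    payload = json.loads(bytes.fromhex(body_hex))
    payload["claims"]["Roles"].append(role)
    return json.dumps(payload, sort_keys=True).encode().hex() + "." + sig_hex

def outcome(token: str) -> str:
    try:
        return "accepted: " + ",".join(RP.validate(token)["Roles"])
    except ValueError as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    good = issue_token("sts.example.test", STS_KEY, CLAIMS)
    print(outcome(good))                      # accepted: Consultant,Trainer
    print(outcome(tamper(good, "Admin")))     # rejected: signature does not verify
    print(outcome(issue_token("rogue.example.test", b"other-key", CLAIMS)))
```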

26 Azure Active Directory Overview
- A modern identity management system spanning cloud and on-premises
- Provides federation, identity management, device registration, user provisioning, application access control & data protection
- Probably the largest enterprise identity and access solution on the planet: 18 billion authentications in a single week
- Every time you sign in to Office 365 or Azure, you are using Azure AD

27 Enterprise Grade, at Cloud Scale
- 99.9% SLA
- 3x redundancy across datacenters throughout the world

28 Platforms, Form Factors, Protocols
Protocols supported by Azure Active Directory:
- OAuth2 & OpenID Connect
- SAML
- WS-Federation
- REST-based Graph API

29 What is Azure Multi-Factor Authentication?
- An Azure Identity and Access management service that prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication
- Trusted by thousands of enterprises to authenticate employee, customer, and partner access

30 How It Works
- Mobile apps
- Phone calls
- Text messages
(Diagram: the second-factor ALERT reaches the user through the mobile app, a phone call or a text message)

31 Microsoft Azure Multi-Factor Authentication flavors
- Azure Multi-Factor Authentication stand-alone
- Included in Azure Active Directory Premium
- Free for Azure administrators
- A subset of Azure MFA functionality included in Office 365

32 Windows Server AD or Other LDAP
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.
(Diagram: cloud apps (SAML) use the Multi-Factor Authentication Service; on-premises apps (RADIUS, LDAP, IIS, RDS/VDI, .NET, Java, PHP…) use the Multi-Factor Authentication Server, backed by Active Directory, Windows Server AD or other LDAP)

33 Demo: Azure AD with MFA

34 Thank You
Q & A
