1. Microsoft Build 2016
11/13/2018 2:15 AM
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Building Network Aware Applications
Narayan Annamalai, Stephen Malone
Program Managers, Azure Networking

3. Goals
As an application developer how can you leverage the power software defined hyper scale network that Microsoft Azure provides.

4. Agenda Why should you care about Networking? Building Blocks Scale
Isolated private Network
Network Interface Card
IP Addresses
Scale
High Availability
Security
Containers

5. Networking – Why should developers care?
Build 2014
11/13/2018
Networking – Why should developers care?
Proprietary
Hardware
Appliance
Intelligent
Control
Plane
App
Host
VMs
SmartNIC
Controller
Azure
API
Management
Running
Across
Commodity
Data
DevOps
You own the E2E solutions including infrastructure!
The hidden costs of physical hardware
Lost weeks and $$$ due to hardware delivery/config lead times
Specialist per-device or per-vendor expertise required
Software Defined Networking (SDN) becoming the new norm
Programmable networks using standardized interfaces
Create, configure and deploy network solutions in minutes
Consistent troubleshooting across device types
Deliver projects faster and cheaper
Deliver predictability and repeatability
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6. The Big (Network) Picture
11/13/2018
Virtual Network
“Bring Your Own Network”
Segmentation with Subnets
Full control with Routes and Security groups
The Big (Network) Picture
Azure
Virtual Network
Users
Internet
Front-End Access
Reserved Public IPs
ACLs for security
Load balancing
DNS services
DDoS protection
Backend Connectivity
Point-to-site for dev / test
VPN Gateways for secure site-to-site connectivity
ExpressRoute for private enterprise grade connectivity
Backend Connectivity
ExpressRoute
VPN Gateways
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. Azure Resource Manager (ARM) 101
Build 2014
11/13/2018
Azure Resource Manager (ARM) 101
Azure components as Resources through Resource Providers (RP) and REST APIs
Orchestrates changes across Azure Resource Providers
Imperatively manage disparate resources using consistent REST APIs and experiences (portal, PowerShell, Azure CLI)
Resource
Providers
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8. Managing ARM and Core RP Resources

9. Build complete apps in minutes with templates
Zookeeper

10. Demo Microsoft Build 2016 11/13/2018 2:15 AM
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11. ARM – regional management, regional resilience
North Central US
Illinois
North Europe
Ireland
West Europe
Netherlands
Canada Central
Toronto
Central US
Iowa
Canada East
Quebec City
China North *
Beijing
US Gov
Iowa
Japan East
Saitama
China South *
Shanghai
West US
California
East US
Virginia
Japan West
Osaka
India Central
Pune
East US 2
Virginia
South Central US
Texas
India West
Mumbai
US Gov
Virginia
India South
Chennai
East Asia
Hong Kong
SE Asia
Singapore
Australia East
New South Wales
Brazil South
Sao Paulo
Australia South East
Victoria
Operational
Announced/Not Operational
* Operated by 21Vianet

12. Virtual Private Network (VNet)
Microsoft Azure
Microsoft Azure Virtual Networks VNet - Isolated section of the public cloud Can connect to Internet, on-premises, other Deployment in Azure based on policies
10.1/16
10.1/16
Internet
ISP/MPLS QoS
Secure Tunnel
L3 Tunnel

13. Network Interface Card
NIC is the network connection to the VM
Every VM gets a default NIC
NICs can be programmed independent of the VM
Up to 8 NICs per VM
Can separate frontend, backend, and management
Virtual Machine
NIC2
NIC1
Default
Virtual Network
VIP
Internet
Backend
Subnet
Mgmt
Subnet
Frontend
Subnet

14. Internet IP Addresses & Load Balancing
11/13/2018
Internet IP Addresses & Load Balancing
Public IP Addresses in Azure
Can be used for instance (VM) level access or load balancing
Instance-level IP
Internet IP assigned exclusively to a single VM Entire port range is accessible by default
Primarily for targeting a specific VM
Load balanced IP (VIP)
Internet IP load balanced among one or more VM instances
Allows port redirection
Primarily for load balanced, highly available, or auto-scale scenarios
Internet
(VIP) LB
(Instance-level IP)
(Instance-level IP)
VM1
VM2
IP1
Microsoft Azure
IP2
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15. Multiple Load-balanced IPs
Microsoft Ignite 2015
11/13/2018 2:15 AM
Multiple Load-balanced IPs
Common use case: multiple SSL end points
Across one or more VMs
443
443
SSL Website 1
IP1 A Z U R E L B
444
Internet
443
SSL Website 2
IP2
443
445
SSL Website 3
IP3
446
SSL Website 4
443
IP4
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16. Reserved IPs Retain your IP addresses
Microsoft Ignite 2015
11/13/2018 2:15 AM
Reserved IPs
Internet
Retain your IP addresses
IPs on existing services can be reserved
IPs can be moved between services in seconds
Reserved IP
Azure Load Balancer
Reserved IP Moves
Service 1
Service 2
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17. Demo Microsoft Build 2016 11/13/2018 2:15 AM
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18. Scale, Availability, Security – Leverage Azure SDN

19. Typical application pattern
Internet
Web
Availability
Performance
Security
Monitoring
Database
Diagnostics
Scale
Policies
Manageability

20. Software defined Datacenter
11/13/2018
Software defined Datacenter
Users
Independently scalable Management, Control and Data plane
All controlled through software
Elastic resources configured by controllers
SDN at the host
Management API
Regional Controllers NW
CMP
STG
Regional Controllers NW
CMP
STG
Distributed Computing VM HA
SDN VM HA
SDN
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21. Worldwide Partner Conference 2015
11/13/2018 2:15 AM
Subsea
Azure Fiber Infrastructure
Subsea
Subsea, Terrestrial, Metro
Microsoft owned / managed -- SDN
Stretch globally to the eyeballs
Software managed
Self Healing
L3/Global Crossing
Terrestrial
Azure (Logical) SDN WAN
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

22. Networking Inside the Datacenters
Row Spine
T2-2-1
T2-2-2
T2-2-4
Data Center Spine
T1-1
T1-8
T1-7 …
T1-2
Regional Spine
Rack
T0-1
T0-2
T0-20
Servers
Scale-out, active-active

23. What’s in it for you Global presence Availability set – lowest latency
Dedicated private network connecting the globe
Optimized path from Internet
Availability set – lowest latency

24. Availability

25. Global – Traffic Manager
11/13/2018 2:15 AM
Global – Traffic Manager
Routing Policies
Performance – Direct to “closest” service
Round Robin – Distribute across all services
Failover – Direct to “backup” if primary fails
Nested Profiles
Flexible multi-level policies
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

26. Layer7 – Application Gateway
11/13/2018
Layer7 – Application Gateway
HTTP load-balancing
SSL Offload
Cookie-based session affinity
Azure
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

27. Layer4 – Software Load balancer
11/13/2018
Layer4 – Software Load balancer
High performance, scalable Network load balancer
Muti tenant, native
NAT and load balancing
Hash based distribution method, 5/3/2 tuple
Azure
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

28. HA and Scale for Enterprise Apps
11/13/2018
HA and Scale for Enterprise Apps
Internet
Azure
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

29. Security

30. Network Security Groups
Segment network to meet security needs
5 tuple ACLs on both directions
Can protect Internet and internal traffic
Enables DMZ subnets
Associated to subnets/VMs and now NICs
ACLs can be updated independent of VMs
On Premises 10.0/16
Internet
ExpressRoute and VPNs √ √ √ √
VPN GW
Backend
10.3/16
Mid-tier
10.2/16
Frontend
10.1/16
Virtual Network

31. Service chaining – Network Appliances
11/13/2018
Internet
Introduce hops in the traffic flow by controlling routing
Filter traffic using IDS/IPS appliances
Tip:
NVA should be deployed in a separate subnet from originating traffic. Deploying in the same subnet will cause an infinite loop .
IDS/IPS
Security Subnet
( /24)
Route Table:
NextHop
NSG
NSG
Route Table:
NextHop
Frontend Subnet
( /24)
Backend Subnet
( /24)
VIRTUAL NETWORK
( /16)
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

32. Layered Security, Protection, and Isolation
Cloud Services
& Virtual Machines
Virtual
Network
Isolation
Internet VM
Firewall
DDoS
Protection
NSG
ACLs

33. Demo
NSG

34. Networking for Containers

35. Container Networking - Today
Microsoft Build 2016
11/13/2018 2:15 AM
Container Networking - Today
VIRTUAL NETWORK
Azure provides VM to VM communication within Vnet
Containers inside a VM can talk to each other – BRIDGE
Inter-Container communication is through VM IP
Overlay, Port-remaps
Port-remap: Two services cannot expose the same port
Overlay: adds overhead
Azure VM C
Bridge
Azure VM C
Bridge
IP1
IP2
Inter-VM Communication
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

36. IP Per Container Multiple Ips on the NIC
VIRTUAL NETWORK
Multiple Ips on the NIC
Each IP assigned to a container
Enables direct container to container communication
All ports can be used
No overhead, most efficient
DNS resolution for containers
Extend Azure SDN to Containers
Azure VM
Azure VM C C C C
IP2
IP100
IP102
IP200
NIC1 – supports IP1 to IP100
NIC2 – supports IP101 to IP200
NIC1
NIC2
IP2:3000  IP102:80 Direct Communication is possible

37. Demo – Container Networking

38. Summary

39. Virtual Private Cloud in Azure
11/13/2018
Internet
On Premise
VIRTUAL NETWORK
Azure LB
DMZ
Database Subnet
NFV
WAF
NSG
NSG
Frontend Subnet
UDR
ExpressRoute or
S2S VPN
NSG
UDR
Azure ILB
App Subnet
SDN
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

40. Follow-up
Re-visit Build on Channel 9.
Continue your education at Microsoft Virtual Academy online.

41. Please Complete An Evaluation Form Your input is important!
11/13/2018
Please Complete An Evaluation Form Your input is important! or
© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.