Architecting Enterprise-Ready Networking Solutions in Azure


Architecting Enterprise-Ready Networking Solutions in Azure
Peter De Tender, [email protected], @pdtit, www.AzurePlatformExperts.com
Collab365 Online Conference (EVENTS.COLLAB365.COMMUNITY), June 17th and 18th 2015

Speaker: Peter De Tender
Microsoft Azure Architect & Trainer, www.AzurePlatformExperts.com
- Microsoft Certified Trainer (MCT)
- Microsoft Learning Regional Lead
- Microsoft Azure MVP (2013-2017)
- Ex-Microsoft Azure Engineering PM
- Book author for Packt Publishing & Apress
- Courseware Author and Trainer
- Technical Writer
Email: apes@azureplatformexperts.com | Twitter: @AzureAPEs | Facebook: www.facebook.com/AzureAPEs | LinkedIn: http://www.linkedin.com/in/pdtit

AGENDA
- Azure Networking Resources
- Building a Hybrid Network Topology
- Advanced Azure Networking features
- Demos


Azure Networking Picture
Azure datacenters all over the globe, running cloud workloads. Azure provides end-to-end, enterprise-ready networking solutions in three areas:
- Virtual Network: "bring your own network"; segment with subnets and Network Security Groups; control traffic flow with user-defined routes
- Front-End Access: load balancing solutions, public & private IPs, Azure DNS, DDoS protection, direct VM access (RDP/SSH)
- Back-End Access: VPN gateways (Point-to-Site VPN, Site-to-Site VPN), ExpressRoute, VNet peering

Azure Core Networking

Azure Networking Components (diagram of the numbered components 1-6; the labels did not survive extraction)

Microsoft Azure Virtual Networks (VNets)
- Logical isolation with control over the network
- Create subnets and isolate traffic with Network Security Groups
- Support for static IP addresses
- Support for Internal Load Balancing
- DNS support
- Hybrid connectivity support: Site-to-Site, Point-to-Site, ExpressRoute
Example (diagram): Virtual Network address space 10.0.0.0/16, DNS 10.0.0.4 & 10.0.0.5
  Subnet AD, CIDR 10.0.0.0/24: AD-VM-01 10.0.0.4, AD-VM-02 10.0.0.5
  Subnet WEB, CIDR 10.0.1.0/24: IIS-VM-01 10.0.1.4, IIS-VM-02 10.0.1.5

Address Space and Subnets
- A virtual network has one or more non-overlapping address spaces
- Define subnets out of the available address spaces using Classless Inter-Domain Routing (CIDR) notation; a subnet must fit inside one address space and must not overlap another subnet
(diagram: address spaces carved into subnets)

Bring Your Own DNS
- Specify DNS servers at the virtual network level
- The DNS servers can be hosted in an Azure VM, externally, or on-premises (over a hybrid connection)
- Virtual machines pick up the specified DNS servers at boot; if DNS servers are added after a virtual machine is running, the VM must be restarted (or its DHCP lease renewed) before the new servers are assigned
Example (diagram): Virtual Network address space 10.0.0.0/16, DNS 10.0.1.100 & 10.0.1.101
  Subnet AD, CIDR 10.0.1.0/24: AD-VM-01 10.0.1.100, AD-VM-02 10.0.1.101
  Subnet WEB, CIDR 10.0.2.0/24: IIS-VM-01 10.0.2.4, IIS-VM-02 10.0.2.5

Public IP Address
- A public IP can be assigned directly to a network interface or to a load balancer
- Supports static (reserved) or dynamic assignment
- Optionally supports specifying a DNS label
- Configurable idle timeout
- First 5 static IPs are free
- A public IP on a network interface exposes the VM directly to the Internet; restrict management ports (RDP/SSH) with a Network Security Group
Example (diagram): vm1.westus.cloudapp.azure.com (41.67.231.67) on VM1, App-lb.westus.cloudapp.azure.com (104.40.27.222) on the load balancer, vm2.westus.cloudapp.azure.com (54.67.27.87) on VM2

Private IP Assignment Rules
- Azure reserves the first four addresses of every subnet (the network address plus three used by Azure, such as the default gateway and DNS) and the last (broadcast) address
- Dynamic private IPs are allocated in the order the network interface cards are provisioned, starting at the first usable address
  Subnet Web 10.0.1.0/24: 1. NIC-01 10.0.1.4 (initial provisioning); 2. NIC-02 10.0.1.5 (initial provisioning)
- Use static private IP addresses to retain an IP regardless of provisioning order (for example on domain controllers that also serve DNS)
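The address-space, subnet and private-IP rules of the last three slides, replayed as an added example that is not part of the deck (standard library only, nothing is created in Azure). It assumes Azure's documented behaviour: four addresses at the start of each subnet and the broadcast address are reserved, dynamic addresses are handed out in provisioning order from the first free usable address, and a static address is honoured regardless of order. The VNet, subnet and NIC names are constructed.

```python
# Added example (not part of the deck): simulate Azure VNet address planning and
# private IP assignment with only the standard library.
# Assumed Azure behaviour (documented, but modelled here rather than queried):
#   - every subnet loses its first four addresses (network address plus three
#     that Azure reserves, e.g. for the default gateway and DNS) and its last
#     (broadcast) address, so a /24 yields 251 usable addresses,
#   - dynamic private IPs are handed out in provisioning order from the first
#     free usable address, so the first NIC in 10.0.1.0/24 gets 10.0.1.4,
#   - a static private IP is kept regardless of provisioning order.
# VNet, subnet and NIC names below are constructed for the example.
import ipaddress
from typing import Dict, List, Optional

RESERVED_HEAD = 4  # network address + 3 Azure-reserved addresses
RESERVED_TAIL = 1  # broadcast address


class Subnet:
    def __init__(self, name: str, cidr: str) -> None:
        self.name = name
        self.net = ipaddress.ip_network(cidr, strict=True)
        self.assigned: Dict[str, str] = {}  # NIC name -> private IP

    def usable(self) -> List[ipaddress.IPv4Address]:
        addrs = list(self.net)
        return addrs[RESERVED_HEAD:len(addrs) - RESERVED_TAIL]

    def usable_count(self) -> int:
        return self.net.num_addresses - RESERVED_HEAD - RESERVED_TAIL

    def allocate(self, nic: str, static_ip: Optional[str] = None) -> str:
        """Assign a private IP to a NIC: the requested static one, or the next free dynamic one."""
        in_use = set(self.assigned.values())
        if static_ip is not None:
            ip = ipaddress.ip_address(static_ip)
            if ip not in self.usable():
                raise ValueError(f"{static_ip} is reserved by Azure or outside {self.net}")
            if str(ip) in in_use:
                raise ValueError(f"{static_ip} is already assigned")
            self.assigned[nic] = str(ip)
            return str(ip)
        for ip in self.usable():
            if str(ip) not in in_use:
                self.assigned[nic] = str(ip)
                return str(ip)
        raise RuntimeError(f"subnet {self.name} ({self.net}) has no free addresses")

    def release(self, nic: str) -> None:
        """Deallocating a NIC returns its dynamic address to the pool."""
        del self.assigned[nic]


class VNet:
    def __init__(self, name: str, address_spaces: List[str]) -> None:
        self.name = name
        self.spaces = [ipaddress.ip_network(s, strict=True) for s in address_spaces]
        # Address spaces of one VNet must not overlap each other.
        for i, a in enumerate(self.spaces):
            for b in self.spaces[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"address spaces {a} and {b} overlap")
        self.subnets: Dict[str, Subnet] = {}

    def add_subnet(self, name: str, cidr: str) -> Subnet:
        """Carve a subnet out of an address space; it must fit inside one and not overlap others."""
        sn = Subnet(name, cidr)
        if not any(sn.net.subnet_of(space) for space in self.spaces):
            raise ValueError(f"{cidr} is not inside any address space of {self.name}")
        for other in self.subnets.values():
            if other.net.overlaps(sn.net):
                raise ValueError(f"{cidr} overlaps subnet {other.name} ({other.net})")
        self.subnets[name] = sn
        return sn


def plan_example() -> VNet:
    """Rebuild the deck's layout and replay the allocation-order rule."""
    vnet = VNet("vnet-demo", ["10.0.0.0/16"])
    ad = vnet.add_subnet("AD", "10.0.0.0/24")
    web = vnet.add_subnet("WEB", "10.0.1.0/24")
    # Domain controllers get static addresses so the VNet DNS settings never go stale.
    ad.allocate("AD-VM-01", static_ip="10.0.0.4")
    ad.allocate("AD-VM-02", static_ip="10.0.0.5")
    # Web NICs are dynamic: first provisioned gets .4, second gets .5 ...
    web.allocate("NIC-01")
    web.allocate("NIC-02")
    # ... and once NIC-01 is deallocated, the next NIC provisioned takes .4,
    # which is why a VM that must keep its address needs a static assignment.
    web.release("NIC-01")
    web.allocate("NIC-03")
    return vnet


if __name__ == "__main__":
    for sn in plan_example().subnets.values():
        print(sn.name, sn.net, sn.usable_count(), sn.assigned)
```

Running it shows WEB ending up as NIC-02 at 10.0.1.5 and NIC-03 at 10.0.1.4, which is the "order of provisioning" behaviour the slide warns about.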

DEMO: Azure Core Networking

Azure Load Balancing

Azure Load Balancing Solutions
1) Azure Load Balancer
- "Typical" load balancing on Layer 4
- External or Internal Load Balancing
- Support for TCP and UDP protocols
- Health probe (HTTP or TCP)

Intranet Solution using Internal Load Balancer (diagram)
- Azure Virtual Network, address space 10.0.0.0/16, subnet Web 10.0.1.0/24, availability set WEB: WEB-01 10.0.1.4, WEB-02 10.0.1.5, WEB-03 10.0.1.6, load-balanced IP 10.0.1.100
- On-premises network 192.168.0.0/16: AD-DC-01 192.168.0.1, AD-DC-02 192.168.0.2, other servers
- Users access the intranet (http://intranet, https://intranetapp) over the hybrid connection; the internal load balancer keeps the application private to the VNet and the on-premises network

N-Tier Application with Load-Balanced Middle Tier (diagram)
- Virtual Network address space 10.0.0.0/16
- Availability set WEB, subnet WEB, external load-balanced endpoint 137.135.67.39 (http://company.com): WEB-01 10.0.1.4, WEB-02 10.0.1.5, WEB-03 10.0.1.6
- Availability set APP, subnet APPS, internal load-balanced endpoint 10.0.2.100: APP-01 10.0.2.4, APP-02 10.0.2.5, APP-03 10.0.2.6
- Only the web tier has a public endpoint; the application tier is reachable solely through the internal load balancer

Azure Load Balancing Solutions
2) Azure Application Gateway
- Application load balancing on Layer 7
- HTTP/HTTPS protocols only
- Session (cookie-based) affinity
- SSL offloading
- URL-based routing
- Web Application Firewall (WAF)
(diagram: clients reach the App Gateway over HTTP & HTTPS; the gateway terminates SSL and load-balances with cookie affinity to IIS-VM-01, IIS-VM-02 and IIS-VM-03)

Network Security Groups (NSG)

Network Security Groups Overview
- Enable network segmentation & DMZ scenarios
- An NSG contains a list of ACL rules that allow or deny network traffic to VMs in a virtual network
- Restrict traffic from or to external or internal sources; an NSG can only be associated with resources in the region where it was created
- Manage using the Portal, a template, or the command line
Limits:
  Property | Limit
  Number of NSGs associated to a subnet, VM, or network interface | 1
  NSGs per region per subscription | 100*
  NSG rules per NSG | 200*
  (* default limit at the time of this deck; can be raised through a support request)

Network Security Groups Example
Virtual Network address space: 10.20.0.0/16
Subnet Web: 10.20.1.0/24 (IIS-VM-01 10.20.1.4, IIS-VM-02 10.20.1.5)
Subnet SQL: 10.20.2.0/24 (SQL-VM-01 10.20.2.4, SQL-VM-02 10.20.2.5, SQL-VM-03 10.20.2.6)
WebSecurityGroup (allows the Internet to reach the web tier on HTTP):
  SRC ADDRESS PREFIX: Internet | SRC PORT RANGE: * | DEST ADDRESS PREFIX: 10.20.1.0/24 | DEST PORT RANGE: 80 | PROTOCOL: TCP | ACCESS: Allow
SQLSecurityGroup (allows the web tier to reach the SQL tier on 1433):
  SRC ADDRESS PREFIX: 10.20.1.0/24 | SRC PORT RANGE: * | DEST ADDRESS PREFIX: 10.20.2.0/24 | DEST PORT RANGE: 1433 | PROTOCOL: TCP | ACCESS: Allow
Note that the built-in default rule AllowVNetInBound (priority 65000) still permits any other traffic between subnets of the same VNet; add an explicit Deny rule with a lower priority number if the SQL tier must only be reachable on 1433.
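To check what the two NSGs above actually permit, here is an added example (not from the deck, and not the Azure API) that reimplements NSG rule evaluation offline, much as Network Watcher's IP flow verify does against a live NSG. It assumes Azure's documented semantics: rules are tried in ascending priority and the first match wins, and every NSG ends with the default inbound rules AllowVNetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). The contents of the VirtualNetwork, Internet and AzureLoadBalancer service tags are constructed approximations (168.63.129.16 is the real Azure load balancer probe source); the rule names, the VNet prefix and the sample flows are constructed.

```python
# Added example (not part of the deck): a small evaluator that reproduces how
# an Azure NSG decides on an inbound flow, so the WebSecurityGroup and
# SQLSecurityGroup rules above can be checked offline.
# Modelled Azure semantics (documented behaviour, reimplemented here):
#   - rules are evaluated in ascending priority and the first match wins,
#   - every NSG ends with the default inbound rules AllowVNetInBound (65000),
#     AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500),
#   - the service tags VirtualNetwork, Internet and AzureLoadBalancer are
#     expanded with constructed values (Azure maintains the real tag contents;
#     168.63.129.16 is the real Azure load balancer probe source).
# Rule names, the VNet prefix and the sample flows are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

VNET_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_network("168.63.129.16/32")


@dataclass
class Rule:
    name: str
    priority: int
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR or service tag
    dest: str          # CIDR or service tag
    dest_ports: str    # "80", "1024-65535", "80,443" or "*"
    source_ports: str = "*"


def _addr_match(ip: ipaddress.IPv4Address, spec: str) -> bool:
    if spec == "*":
        return True
    in_vnet = any(ip in p for p in VNET_PREFIXES)
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":       # public address space outside the VNet
        return not in_vnet and not ip.is_private
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_match(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def evaluate(rules: List[Rule], src: str, dst: str, dst_port: int,
             proto: str = "Tcp", src_port: int = 50000) -> Tuple[str, str]:
    """Return (access, name of the deciding rule) for one inbound flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x.priority):
        if (r.protocol in ("*", proto) and _addr_match(s, r.source)
                and _addr_match(d, r.dest) and _port_match(dst_port, r.dest_ports)
                and _port_match(src_port, r.source_ports)):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


# The deck's two NSGs, with the protocol made explicit.
WEB_NSG = [
    Rule("allow-http-from-internet", 100, "Allow", "Tcp", "Internet", "10.20.1.0/24", "80"),
]
SQL_NSG = [
    Rule("allow-sql-from-web", 100, "Allow", "Tcp", "10.20.1.0/24", "10.20.2.0/24", "1433"),
    # Without this deny, AllowVNetInBound (65000) would still let every subnet
    # of the VNet, the web tier included, reach SQL on every other port.
    Rule("deny-vnet-other", 200, "Deny", "*", "VirtualNetwork", "10.20.2.0/24", "*"),
]

if __name__ == "__main__":
    for nsg, flow in [(WEB_NSG, ("93.184.216.34", "10.20.1.4", 80)),
                      (WEB_NSG, ("93.184.216.34", "10.20.1.4", 3389)),
                      (SQL_NSG, ("10.20.1.4", "10.20.2.4", 1433)),
                      (SQL_NSG, ("10.20.1.4", "10.20.2.4", 3389)),
                      (SQL_NSG, ("10.20.3.9", "10.20.2.4", 1433))]:
        print(flow, "->", evaluate(nsg, *flow))
```

Evaluating `SQL_NSG[:1]` (the slide's rule on its own) for a flow from a third subnet such as 10.20.3.9 to 10.20.2.4:1433 returns Allow via AllowVNetInBound, which is the gap the explicit deny closes; the Azure load balancer probe is still admitted through AllowAzureLoadBalancerInBound because the deny only covers the VirtualNetwork tag.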

DEMO: Network Security Group

User Defined Routing

Azure Default Network Routing
- Traffic automatically flows between virtual machines in different subnets, and even different address spaces, of the same virtual network
- Azure has built-in default (system) routes for:
  - routing within a subnet
  - routing from a subnet to another subnet in the same virtual network
  - routing to the Internet
  - virtual network to virtual network using a VPN gateway
  - virtual network to on-premises using a VPN gateway

User Defined Routes
- Control traffic flow in your network with custom routes
- Attach route tables to subnets
- Specify the next hop for any address prefix
- Set a default route to force-tunnel all traffic to on-premises or to an appliance
(diagram: FrontEnd and BackEnd subnets in a virtual network; the system default route sends Internet-bound traffic straight out, while the user-defined route sends it through a VM/appliance with IP forwarding enabled)

Forced Tunneling
- "Force" or redirect Internet-bound traffic to an on-premises site (per subnet) over the IPsec tunnel, so it passes through the on-premises network security device
- Enables auditing & inspecting outbound traffic from Azure
- Needed by many scenarios for critical security and IT policy requirements
- Requires a route-based VPN gateway
(diagram: Virtual Network with subnets FrontEnd and BackEnd; Internet-bound traffic is sent over the IPsec tunnel to the on-premises network security device instead of directly to the Internet)
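The route selection behind the last three slides, as an added example that is not part of the deck and does not call Azure. It assumes Azure's documented rules: the candidates for a subnet are the system routes plus the attached route table plus any BGP routes learned through a gateway, the longest matching prefix wins, and on an identical prefix a user-defined route beats a BGP route, which beats a system route; a next hop of None drops the traffic. The VNet prefix, the appliance address and the two route tables are constructed.

```python
# Added example (not part of the deck): resolve the effective next hop for a
# destination the way Azure selects a route for a subnet, so user-defined
# route and forced-tunneling designs can be checked offline.
# Modelled Azure semantics (documented behaviour, reimplemented here):
#   - candidates are the system routes plus the route table attached to the
#     subnet plus any BGP routes learned through a gateway,
#   - the longest matching prefix wins; on an identical prefix a user-defined
#     route beats a BGP route, which beats a system route,
#   - next hop type "None" drops the traffic.
# The VNet prefix, appliance address and route tables are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}  # lower wins on a prefix tie


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str                 # VirtualNetwork, Internet, VirtualNetworkGateway, VirtualAppliance, None
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    source: str = "User"


def system_routes(vnet_spaces: Iterable[str]) -> List[Route]:
    """Default routes every subnet gets: VNet space -> VirtualNetwork, everything else -> Internet."""
    routes = [Route(s, "VirtualNetwork", source="System") for s in vnet_spaces]
    routes.append(Route("0.0.0.0/0", "Internet", source="System"))
    return routes


def effective_routes(vnet_spaces: Iterable[str], user_routes: Iterable[Route] = (),
                     bgp_routes: Iterable[Route] = ()) -> List[Route]:
    return system_routes(vnet_spaces) + list(user_routes) + list(bgp_routes)


def resolve(routes: List[Route], dst: str) -> Route:
    """Pick the route Azure would use for dst: longest prefix, then User > BGP > System."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        raise LookupError(f"no route for {dst}")
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                              SOURCE_RANK[r.source]))


VNET = ["10.0.0.0/16"]
NVA_IP = "10.0.3.4"  # constructed firewall appliance; its NIC needs IP forwarding enabled

# Route table for the FrontEnd subnet: send Internet-bound traffic through the
# appliance, keep intra-VNet traffic on the system route, and black-hole the
# BackEnd subnet so the two tiers cannot talk directly.
FRONTEND_RT = [
    Route("0.0.0.0/0", "VirtualAppliance", NVA_IP),
    Route("10.0.2.0/24", "None"),
]

# Forced tunneling: the same default-route override, but the next hop is the
# (route-based) VPN gateway, so Internet-bound traffic goes on-premises.
FORCED_TUNNEL_RT = [Route("0.0.0.0/0", "VirtualNetworkGateway")]

if __name__ == "__main__":
    for table in (FRONTEND_RT, FORCED_TUNNEL_RT):
        routes = effective_routes(VNET, table)
        for dst in ("8.8.8.8", "10.0.1.5", "10.0.2.7"):
            r = resolve(routes, dst)
            print(dst, "->", r.next_hop_type, r.next_hop_ip or "", f"({r.source})")
```

The overriding 0.0.0.0/0 entry never captures VNet-internal traffic because the system route for 10.0.0.0/16 is a longer match; the 10.0.2.0/24 route is longer still, which is how a single table can both force-tunnel and isolate.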

VNet Peering

VNet Peering
- Connect two VNets in the same region (cross-region "global" VNet peering was added to Azure after this deck)
- Utilizes the Azure backbone network
- The peered VNets appear as one network for connectivity purposes
- Managed as separate resources
- Virtual machines experience the same throughput to a peered VNet as they do within their own VNet

Why Have Multiple VNets?
- Most common in Enterprise Agreements with multiple subscriptions
- Segregating billing
- Segregating admin
- A VNet cannot span subscriptions
(diagram: separate VNets for Marketing, IT and HR, each with firewalls, external and internal load balancers, IIS, AD DC, SQL and monitoring servers)

Benefits of VNet Peering
- Low-latency, high-bandwidth connection between resources in different VNets
- No bandwidth restriction (besides those imposed by the VM series/size)
- Ability to use resources in a peered VNet (such as a gateway or an appliance) as transit points (between ARM VNets only)
- Reduced infrastructure
- Connect VNets that use the Resource Manager model to a VNet that uses the Classic model and enable full connectivity between resources (same subscription only)
(diagram: Resource Manager VNet peered with a Classic VNet)

Caveats of VNet Peering
- VNet peering is between two virtual networks and there is no derived transitive relationship: with peerings A-B and B-C, A and C are not connected
- VNet address spaces cannot overlap
- Peered VNets can be in different subscriptions, but must be linked to the same Azure AD tenant (cross-tenant peering has since been added to Azure)
- Exception: if one VNet is ARM and the other is Classic, both must be in the same subscription
(diagram: A peered with B, B peered with C, no implied A-C connectivity)
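The two caveats that bite in practice, overlap and non-transitivity, as pre-flight checks in an added example (not the deck's material and not the Azure API). It assumes Azure refuses a peering when any address space of the two VNets overlaps, and that reachability exists only over a direct peering; the hub-and-spoke VNet names and prefixes are constructed.

```python
# Added example (not part of the deck): pre-flight checks that encode the
# peering caveats above. VNet names and prefixes are constructed.
# Modelled Azure behaviour: a peering is refused when any address space of the
# two VNets overlaps, and peering is not transitive, so reachability is
# computed over direct peerings only (A-B and B-C do not make A reach C).
import ipaddress
from typing import Dict, FrozenSet, List, Set, Tuple


def overlapping_spaces(a: List[str], b: List[str]) -> List[Tuple[str, str]]:
    """Every pair of address spaces that overlap between two VNets (empty means peerable)."""
    return [(x, y) for x in a for y in b
            if ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))]


class PeeringPlan:
    def __init__(self) -> None:
        self.vnets: Dict[str, List[str]] = {}
        self.peerings: Set[FrozenSet[str]] = set()

    def add_vnet(self, name: str, address_spaces: List[str]) -> None:
        self.vnets[name] = address_spaces

    def peer(self, a: str, b: str) -> None:
        """Create a (bidirectional) peering, refusing it like Azure does on overlap."""
        clash = overlapping_spaces(self.vnets[a], self.vnets[b])
        if clash:
            raise ValueError(f"cannot peer {a} and {b}: overlapping spaces {clash}")
        self.peerings.add(frozenset((a, b)))

    def reaches(self, src: str, dst: str) -> bool:
        """True only for the same VNet or a direct peering: no transitivity."""
        return src == dst or frozenset((src, dst)) in self.peerings

    def vnet_for(self, ip: str) -> str:
        """Which VNet owns an address (unambiguous because peered spaces never overlap)."""
        addr = ipaddress.ip_address(ip)
        for name, spaces in self.vnets.items():
            if any(addr in ipaddress.ip_network(s) for s in spaces):
                return name
        raise LookupError(ip)

    def unreachable_pairs(self) -> Set[FrozenSet[str]]:
        """VNet pairs joined only through intermediate VNets: an operator must peer
        them directly (full mesh) or route them through an appliance in the hub."""
        # Flood-fill connected components over the peering graph.
        comps: List[Set[str]] = []
        for name in self.vnets:
            if any(name in c for c in comps):
                continue
            comp, stack = set(), [name]
            while stack:
                n = stack.pop()
                if n in comp:
                    continue
                comp.add(n)
                stack.extend(m for p in self.peerings if n in p for m in p if m != n)
            comps.append(comp)
        missing: Set[FrozenSet[str]] = set()
        for comp in comps:
            members = sorted(comp)
            for i, a in enumerate(members):
                for b in members[i + 1:]:
                    if frozenset((a, b)) not in self.peerings:
                        missing.add(frozenset((a, b)))
        return missing


def hub_and_spoke() -> PeeringPlan:
    """Constructed hub-and-spoke plan: both spokes peer with the hub, not with each other."""
    plan = PeeringPlan()
    plan.add_vnet("hub", ["10.0.0.0/16"])
    plan.add_vnet("spoke-it", ["10.1.0.0/16"])
    plan.add_vnet("spoke-hr", ["10.2.0.0/16"])
    plan.peer("hub", "spoke-it")
    plan.peer("hub", "spoke-hr")
    return plan


if __name__ == "__main__":
    plan = hub_and_spoke()
    print("spoke-it reaches spoke-hr:", plan.reaches("spoke-it", "spoke-hr"))
    print("pairs without a direct peering:", [sorted(p) for p in plan.unreachable_pairs()])
```

`unreachable_pairs()` is the check to run before assuming a hub design "connects everything": the spokes share a hub but cannot reach each other until they are peered directly or the hub forwards their traffic through an appliance.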

DEMO: VNet Peering

Azure Networking Monitoring

Azure Network Watcher
Recently added networking feature, providing:
- Topology
- Variable packet capture
- IP flow verify
- Next hop
- Diagnostics logging
- Security group view
- NSG flow logging
- VPN gateway troubleshooting
- Network subscription limits
- Role-based access control
- Connectivity

Azure Monitor
Centralized hub for monitoring different Azure resources, covering:
- Alerts
- Metrics
- Log Analytics
- Service Health
- Application Insights
- Network Watcher

Azure Security Center
Centralized dashboard focusing on the security posture of Azure and hybrid systems and applications. Active in three areas:
- General security view
- Prevention
- Detection
Networking features:
- Networking recommendations
- Internet-facing endpoints security view
- Networking topology security view

DEMO: Azure Network Watcher and Azure Security Center


Stay tuned for more great sessions

