AZURE
A deep-dive into Azure Networking!
Karim Vaes
Karim Vaes, former Azure MVP, now TSP AppDev @ Microsoft
or …
“Cloud Solution Architect with a focus on Application Development on Azure”
@kvaes https://blog.kvaes.be/
Agenda
• Networking Patterns
• Routing
• Outbound Connections
• Network Virtual Appliance
• Cost Drivers
• Q&A
Networking Patterns
Island Mode
Hybrid Connection
Network Virtual Appliance
Northbound / Southbound
WAF / NGFW
Hub & Spoke Model
Growth Model
https://kvaes.wordpress.com/2017/10/02/azure-networking-blueprint-patterns-for-enterprises/
• Island Mode
• Hybrid Connection
• NGFW
• +WAF
• +NGFW
• Hub & Spoke
Routing “Basics”
Azure Routing Explained
• Longest Prefix Matching Wins
• In case of tie…
1. User Defined Route (Custom)
2. Border Gateway Protocol (BGP)
3. System Route (Azure Default)
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Longest Prefix Matching
Target IP = 10.100.200.97
Configured Routes
• 10.0.0.0/8
• 10.100.0.0/16
• 10.100.200.0/24
• 10.100.200.97/32 => WINS (LPM)
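Added example (not from the deck) that turns the two rules above into code: the most specific prefix wins, and on an equal-length tie a User Defined Route beats BGP, which beats a System Route. The route table, origins and next-hop values are constructed for illustration and are not real infrastructure.

```python
import ipaddress

# Tie-break order from the deck: User Defined Route, then BGP, then System Route.
ORIGIN_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}

# Constructed effective route table: the deck's four prefixes for target
# 10.100.200.97, plus two equal-length 10.200.0.0/16 routes to show the tie rule.
# Next-hop values are illustrative placeholders, not real infrastructure.
ROUTES = [
    ("10.0.0.0/8",       "System", "VirtualNetwork"),
    ("10.100.0.0/16",    "BGP",    "10.0.0.4"),
    ("10.100.200.0/24",  "System", "VirtualNetwork"),
    ("10.100.200.97/32", "UDR",    "10.10.0.4"),   # longest match for the target
    ("10.200.0.0/16",    "BGP",    "10.0.0.5"),
    ("10.200.0.0/16",    "UDR",    "10.10.0.4"),   # same length as above: UDR wins
]

def matching_routes(target, routes=ROUTES):
    """All routes whose prefix contains target, most specific first; equal-length
    prefixes are ordered by origin priority (UDR before BGP before System)."""
    ip = ipaddress.ip_address(target)
    hits = [(ipaddress.ip_network(p), o, nh) for p, o, nh in routes
            if ip in ipaddress.ip_network(p)]
    # Longest prefix first; among equal lengths the lower priority value wins.
    hits.sort(key=lambda r: (-r[0].prefixlen, ORIGIN_PRIORITY[r[1]]))
    return [(str(n), o, nh) for n, o, nh in hits]

def select_route(target, routes=ROUTES):
    """The single route the evaluation order above picks, or None when no
    prefix covers the target at all."""
    hits = matching_routes(target, routes)
    return hits[0] if hits else None

if __name__ == "__main__":
    for t in ("10.100.200.97", "10.100.200.5", "10.200.1.1", "192.168.1.1"):
        print(t, "->", select_route(t))
```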
Routing “Beyond the Basics”
Service Endpoints & Service Injection
Injection: dedicated PaaS services, like for example App Service Environment
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://kvaes.wordpress.com/2018/06/08/taking-a-look-at-azure-service-endpoints/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services
VNET Peering
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
One more thing: conflicting / overlapping IP plans
Outbound Connections
What IP will be seen externally?

Scenario | Method | Protocols | Description
VM with own PIP | SNAT only | TCP, UDP, ICMP, ESP | Azure uses the public IP assigned to the IP configuration of the instance's NIC. The instance has all ephemeral ports available.
VM behind LB | SNAT with PAT using LB PIP | TCP, UDP | Azure shares the public IP address of the public Load Balancer frontends with multiple private IP addresses. Azure uses ephemeral ports of the frontends to PAT.
VM without PIP or LB | SNAT with PAT using shared PIP | TCP, UDP | Azure automatically designates a public IP address for SNAT, shares this public IP address with multiple private IP addresses of the availability set, and uses ephemeral ports of this public IP address. This is a fallback scenario for the preceding scenarios. We don't recommend it if you need visibility and control.
Gotcha of the day
Using an Internal Standard Load Balancer?
• Assign a PIP per node, or
• Add the nodes to an External Load Balancer with “dummy” rules
Or the nodes won’t be able to reach the outside world…
Load Balancer Trivia
Using an External Standard Load Balancer: “Secure by Default”
“Closed by default for public IP and Load Balancer endpoints and a network security group must be used to explicitly whitelist for traffic to flow!”
Network Virtual Appliance
Before anything: draw a high level, 10 mile high overview of your security rules!
... which everyone can understand!
… and then start discussing the NVA
Now let’s talk about… Network Virtual Appliances
Firewalls in Physical Networks
[diagram: a physical firewall with multiple NICs]
Azure = Layer 3 +
[diagram: Address Space 10.0.0.0/8; Trusted subnet 10.10.0.0/16; Untrusted subnet 10.20.0.0/16]
Floating IP = Load Balancer
[diagram: the Load Balancer health-probes each NVA NIC: “Are you alive?” / “All good”]
How many NICs does it take…
Flow Symmetry – Single NIC
[diagram: single-NIC NVAs behind one Load Balancer]
Request: Src IP Addr: Trusted VM IP, Dest IP Addr: Untrusted VM IP, Src Port: X, Dest Port: Y, Payload
Reply: Src IP Addr: Untrusted VM IP, Dest IP Addr: Trusted VM IP, Src Port: Y, Dest Port: X, Payload
https://azure.microsoft.com/en-us/blog/azure-load-balancer-new-distribution-mode/
Flow Symmetry – Dual NIC
[diagram: dual-NIC NVAs; SNAT on the forward path, SNAT reversed on the return path]
Responding to probes
[diagram: health probes arrive at every NIC From: 168.63.129.16]
Key Takeaways
• Floating IP = Load Balancer IP
• Dual NIC = Complex
  • Require SNAT
  • Test NVA response to probes
• Single NIC (recommended)
  • No SNAT needed
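Added example (not the speaker's code) modelling the takeaways above: a toy hash-based distribution, not Azure's real algorithm, shows why a single-NIC NVA behind one Load Balancer sees both directions of a flow, while a dual-NIC pair behind two Load Balancers needs SNAT so the reply lands on the appliance that holds the session state. Flow tuples, NVA names and the per-LB seeds are constructed.

```python
import hashlib
from collections import namedtuple

# Constructed 4-tuple flow model; the deck's diagram shows src/dst IP and ports X/Y.
Flow = namedtuple("Flow", "src_ip dst_ip src_port dst_port")

def reverse(flow):
    """The reply direction: IPs and ports swapped, as in the deck's two packets."""
    return Flow(flow.dst_ip, flow.src_ip, flow.dst_port, flow.src_port)

def pick_nva(flow, nvas, seed, symmetric):
    """Toy hash distribution (a model, not Azure's documented algorithm).
    With symmetric=True both endpoints are sorted first, so a flow and its
    reverse hash to the same NVA; seed stands for one particular LB instance."""
    a, b = (flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)
    key = tuple(sorted([a, b])) if symmetric else (a, b)
    digest = hashlib.sha256(f"{seed}:{key}".encode()).digest()
    return nvas[int.from_bytes(digest[:4], "big") % len(nvas)]

def single_nic(flow, nvas):
    """Single NIC: one LB sees both directions, so one symmetric hash decides."""
    return (pick_nva(flow, nvas, "lb-shared", True),
            pick_nva(reverse(flow), nvas, "lb-shared", True))

def dual_nic(flow, nvas, snat):
    """Dual NIC: the LB in front of the first-hop NIC picks an NVA; the LB on the
    other side picks independently for the reply unless the NVA SNATed to its own IP."""
    first = pick_nva(flow, nvas, "lb-side-a", False)
    if snat:
        return first, first   # reply is addressed to that NVA's own NIC, no LB hash
    return first, pick_nva(reverse(flow), nvas, "lb-side-b", False)

def symmetric_fraction(paths):
    """Share of flows whose reply reached the NVA that holds the session state."""
    return sum(fwd == rev for fwd, rev in paths) / len(paths)

def sample_flows(n=200):
    """Constructed trusted (10.10.0.0/16) -> untrusted (10.20.0.0/16) flows."""
    return [Flow(f"10.10.0.{i % 250 + 1}", f"10.20.0.{(i * 7) % 250 + 1}",
                 40000 + i, 443) for i in range(n)]

if __name__ == "__main__":
    nvas, flows = ["nva-1", "nva-2"], sample_flows()
    print("single NIC       :", symmetric_fraction([single_nic(f, nvas) for f in flows]))
    print("dual NIC, SNAT   :", symmetric_fraction([dual_nic(f, nvas, True) for f in flows]))
    print("dual NIC, no SNAT:", symmetric_fraction([dual_nic(f, nvas, False) for f in flows]))
```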
Cost Drivers
https://kvaes.wordpress.com/2018/01/04/understanding-the-budget-impact-of-azure-networking-on-your-architecture/
What to remember?
• Understand cost drivers
• Design accordingly
• Network is mostly <1% of the cost
If you are reading this…
You made it to the end! (without falling asleep)
Surely there must be... questions
… which I can answer for you!
http://feedback.expertslive.nl/
Next Session 17:30 – 18:30
Windows 10 is not your Daddy’s Windows anymore… Security improvements in the last builds
Kim Oppalfens & Tom Degreef