Hybrid, Hyper-scale, Enterprise Grade: Azure compute regions


Spark the future.

May 4 – 8, 2015, Chicago, IL

An Overview of Microsoft Azure New Networking Capabilities
Yousef Khalidi, Distinguished Engineer, Microsoft Azure Networking

BRK2456

What’s new at Ignite

• Virtual Networking: User Defined Routes; Public IP address mobility; Multiple load-balanced IPs
• DNS Services: Azure DNS – Domain hosting
• Azure Resource Manager: New network APIs, PowerShell; New JSON-based templates
• Network Virtual Appliances: New partners and scenarios
• ExpressRoute: ExpressRoute Premium add-on; ExpressRoute for Office 365
• VPN: ExpressRoute coexistence; New Standard Gateway

Hybrid, Hyper-scale, Enterprise Grade: Azure compute regions

Hyper-scale Footprint: 19 Azure compute regions open today, more than AWS and Google Cloud combined.

Hyper-Growth

• 5.1T Azure Storage transactions in March 2015
• 50T storage objects in Azure
• 425M Azure Active Directory users
• 20M SQL Database hours used every day

Hyper-Scale

• 85 iXP; 4400+ connections to 1695 networks
• 1.4M miles of fiber in our data centers
• 4x: wrap the Earth in North American fiber
• $15B Microsoft cloud investment

Map: Microsoft’s network is one of the largest in the world. Microsoft Azure datacenter regions and Internet connectivity by country. Legend (Internet users per country): 500,000,000+; 100,000,000 – 499,999,999; 50,000,000 – 99,999,999; 25,000,000 – 49,999,999; 5,000,000 – 24,999,999; 100,000 – 4,999,999; 50,000 – 999,999; 0 – 49,999. *Operated by 21Vianet. India North: TBD.

Classic vs. Hyper-scale networks

                Classic                                              Hyper-scale
                Large L2 domains                                     L3 at all layers
                HW-based service                                     Software service
                Simple tree design                                   Clos-based design
Agility         Diversity and manual provisioning                    Automated provisioning, integrated process
Efficiency      Complex hardware and lack of automated operations    Simplify requirements, optimized design, and unify infrastructure
Availability    High complexity and human error                      Resilient, automated monitoring and remediation, low human involvement

Diagram: classic tree with L3 over L2 and LB/FW pairs, versus a Clos fabric with L3 at every layer.

Software-defined networking (SDN)

Diagram labels: Physical Transport Plane, Control Plane, Application Plane; Switch, Controller, Azure Front End; Management Plane, Control Plane; Proprietary Hardware Appliance.

Building the right abstractions to enable Scale and Agility

• Commodity hardware
• Abstract Management, Control, and Data planes
• Tenant: compose compute & storage roles and networks
• Tell & Program instead of Discover and React

Example: ACLs
• Management: create a tenant
• Control: plumb tenant ACLs to switches
• Data: apply ACLs to these flows

(Diagram labels: Users, Internet.)

The Big (Network) Picture: Azure

Front-End Access
• Dynamic/Reserved Public IP addresses
• Direct VM access, ACLs for security
• Load balancing
• DNS services: hosting, traffic management
• DDoS protection

Virtual Network
• “Bring Your Own Network”
• Segment with subnets and security groups
• Control traffic flow with User Defined Routes

Backend Connectivity
• Point-to-site for dev / test
• VPN Gateways for secure site-to-site connectivity
• ExpressRoute for private enterprise grade connectivity

(Diagram labels: Virtual Network; Backend Connectivity – ExpressRoute, VPN Gateways; Internet Connectivity.)

DNS Services: Traffic Manager and Azure DNS

Azure DNS (New)
• Host your DNS domains in Azure
• Integrate your Web and Domain hosting
• Global footprint of DNS servers; Anycast for fast query performance; ultra-available

Traffic Manager (example: www.contoso.com)
• Globally route user traffic with flexible policies
• Enable best-of-class end to end user experience

Traffic Management Policies
• Latency – Direct to “closest” service
• Round Robin – Distribute across all services
• Failover – Direct to “backup” if primary fails
• Nested – Flexible multi-level policies

Internet IP Addresses & Load Balancing

Public IP Addresses in Azure can be used for instance (VM) level access or load balancing.

Instance-level IP
• Internet IP assigned exclusively to a single VM
• Entire port range is accessible by default
• Primarily for targeting a specific VM

Load balanced IP (VIP)
• Internet IP load balanced among one or more VM instances
• Allows port redirection
• Primarily for load balanced, highly available, or auto-scale scenarios

Diagram: Internet → Azure Load Balancer at 151.2.3.4 (VIP) → VM1 and VM2; the VMs also carry instance-level IPs 131.3.3.3 and 131.3.4.4.

Multiple Load-balanced IPs (New)
• Common use case: multiple SSL end points
• Across one or more VMs

Diagram: four public IPs (IP1–IP4) on the Azure load balancer, each front-ending one SSL website on port 443; behind the load balancer the four sites listen on VM ports 443, 444, 445 and 446.

Reserved IPs (New)
• Retain your IP addresses
• IPs on existing services can be reserved
• IPs can be moved between services in seconds

Diagram: a Reserved IP moves between Cloud Service 1 and Cloud Service 2 behind the Azure Load Balancer, keeping the same Internet-facing address.

DNS Names for Public IP (New)
• FQDN access to a virtual machine
• Available for virtual machines and web/worker roles
• Automatic DNS registration/de-registration during scale-up, scale-down

Diagram: Contoso App with 2 virtual machines (VM Instance 1, VM Instance 2); names Webrole.0.contoso.cloudapp.net 130.26.10.80 and Webrole.1.contoso.cloudapp.net 130.26.5.120.

Virtual Networks
• Bring your own network
• Create subnets with your private or public IP addresses
• Bring your own DNS or use Azure-provided DNS
• Secure with Network Security Group ACLs
• Control traffic flow with User Defined Routes

Diagram: a Virtual Network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets; a VPN GW connects over VPN & ExpressRoute to On Premises 10.0/16 (AD / DNS); the frontend also has direct Internet connectivity.

User Defined Routes (New)
• Control traffic flow in your network with custom routes
• Attach route tables to subnets
• Specify next hop for any address prefix
• Set default route to force tunnel all traffic to on-premises or appliance

Diagram: Virtual Network with FrontEnd and BackEnd subnets; system routes, a user defined route and a default route steer traffic through a VM/Appliance (a VM with “IP Forwarding”) on its way to the Internet.
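As an added example (not part of the deck), the route selection that the bullets above rely on, modelled in Python: a subnet's effective routes are the platform's system routes plus the route table attached to the subnet, the longest matching prefix wins, and on equal prefix length a user defined route beats a system route (user defined, then BGP, then system is the order Azure documents). The VNet prefixes, the hypothetical firewall appliance at 10.2.2.22 and every route entry below are constructed for the example.

```python
import ipaddress

# Tie-break for routes with the same prefix length: user defined routes win
# over BGP-learned routes, which win over system routes (higher rank wins).
SOURCE_RANK = {"User": 3, "BGP": 2, "System": 1}

# Constructed system routes for a VNet with the deck's three tiers.
SYSTEM_ROUTES = [
    {"prefix": "10.1.0.0/16", "next_hop_type": "VnetLocal", "next_hop": None, "source": "System"},
    {"prefix": "10.2.0.0/16", "next_hop_type": "VnetLocal", "next_hop": None, "source": "System"},
    {"prefix": "10.3.0.0/16", "next_hop_type": "VnetLocal", "next_hop": None, "source": "System"},
    # On-premises 10.0/16 reached through the VPN / ExpressRoute gateway
    {"prefix": "10.0.0.0/16", "next_hop_type": "VirtualNetworkGateway", "next_hop": None, "source": "System"},
    # Default: everything else leaves directly to the Internet
    {"prefix": "0.0.0.0/0", "next_hop_type": "Internet", "next_hop": None, "source": "System"},
]

# Constructed route table attached to the FrontEnd subnet: send backend-tier
# traffic through a firewall appliance (a VM with IP forwarding, hypothetical
# address 10.2.2.22) and force-tunnel the default route through it as well.
FRONTEND_ROUTE_TABLE = [
    {"prefix": "10.3.0.0/16", "next_hop_type": "VirtualAppliance", "next_hop": "10.2.2.22", "source": "User"},
    {"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance", "next_hop": "10.2.2.22", "source": "User"},
]


def select_route(destination, routes):
    """Return the winning route for `destination`: longest prefix first,
    then route source rank. Returns None when no route matches."""
    addr = ipaddress.ip_address(destination)
    best, best_key = None, None
    for route in routes:
        network = ipaddress.ip_network(route["prefix"])
        if addr not in network:
            continue
        key = (network.prefixlen, SOURCE_RANK[route["source"]])
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


def next_hop(destination, route_table=()):
    """Effective next hop for a subnet: system routes plus its attached route table."""
    route = select_route(destination, SYSTEM_ROUTES + list(route_table))
    return (route["next_hop_type"], route["next_hop"])


if __name__ == "__main__":
    # 198.51.100.0/24 is a documentation range, used here as "some Internet host"
    for dst in ("10.1.5.5", "10.3.3.33", "10.0.0.5", "198.51.100.9"):
        print(dst, "->", next_hop(dst, FRONTEND_ROUTE_TABLE))
```

Two results are worth noticing: traffic inside the frontend's own prefix stays local even with a forced-tunnel default route in place, because the system /16 is longer than the user defined /0; and the user defined 10.3.0.0/16 route overrides the system route of identical length, which is exactly what sends frontend-to-backend traffic through the appliance.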

Multiple NICs in Azure VMs (Update)
• Up to 16 NICs per VM
• NSG and Routes on all NICs
• Can separate frontend, backend, and management

Diagram: one Virtual Machine with NIC1 (default) and NIC2 in a Virtual Network with Frontend, Mgmt and Backend subnets; addresses 10.1.1.11, 10.2.2.22 and 10.3.3.33; Internet reached through VIP 133.44.55.66.

Securing the Network: Layered Security, Protection, and Isolation

Layers: DDoS Protection → Virtual Network Isolation → NSG → VM Firewall (Cloud Services & Virtual Machines; Internet ACLs).

Network Security Groups
• Segment network to meet security needs
• 5-tuple ACLs on both directions
• Can protect Internet and internal traffic
• Enables DMZ subnets
• Associated to subnets/VMs, and now NICs
• ACLs can be updated independent of VMs

Diagram: Virtual Network with Backend 10.3/16, Mid-tier 10.2/16 and Frontend 10.1/16 subnets, a VPN GW to On Premises 10.0/16 over ExpressRoute and VPNs, and the Internet; check marks show where NSGs are applied.
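As an added example (not part of the deck), a small Python model of how the 5-tuple NSG ACLs above are evaluated in each direction: rules are ordered by priority, the first match decides, and a set of default rules (shaped like Azure's, allowing VNet-internal traffic and outbound Internet, denying the rest) sits at the bottom. The two NSGs build the DMZ layout from the diagram. The VNet prefixes, rule names, addresses and flows are all constructed, and treating "Internet" as "anything outside RFC 1918" is a simplification of the platform's own tag.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address space: the deck's three tiers. "VirtualNetwork" in a rule
# means any of these prefixes; "Internet" is approximated as any address outside
# the RFC 1918 ranges (simplification of the platform's service tag).
VNET_PREFIXES = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16")]
PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first; first match wins
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str = "*"  # "Tcp", "Udp" or "*"
    src: str = "*"       # CIDR, "VirtualNetwork", "Internet" or "*"
    src_port: str = "*"  # "*", "443" or a range such as "1024-65535"
    dst: str = "*"
    dst_port: str = "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int


# Default rules in the shape of Azure's: VNet-internal traffic allowed, all other
# inbound denied; outbound to the Internet allowed, all other outbound denied.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dst="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]

# Constructed NSGs for the DMZ: the frontend takes HTTPS from the Internet; the
# backend accepts SQL only from the mid-tier and explicitly refuses the frontend.
# The explicit deny matters: without it the default AllowVnetInBound would let
# frontend VMs reach the backend directly.
FRONTEND_NSG = [
    Rule("AllowHttpsIn", 100, "Inbound", "Allow", "Tcp", src="Internet", dst_port="443"),
]
BACKEND_NSG = [
    Rule("AllowMidTierSql", 100, "Inbound", "Allow", "Tcp", src="10.2.0.0/16", dst_port="1433"),
    Rule("DenyFrontendIn", 200, "Inbound", "Deny", src="10.1.0.0/16"),
]


def addr_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in n for n in VNET_PREFIXES)
    if spec == "Internet":
        return not any(ip in n for n in PRIVATE)
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and addr_matches(rule.src, flow.src)
            and port_matches(rule.src_port, flow.src_port)
            and addr_matches(rule.dst, flow.dst)
            and port_matches(rule.dst_port, flow.dst_port))


def evaluate(nsg_rules, flow):
    """Return (rule name, access) of the first rule, by priority, matching the flow."""
    for rule in sorted(list(nsg_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.name, rule.access
    raise AssertionError("unreachable: the DenyAll defaults match every flow")


if __name__ == "__main__":
    # Constructed flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    samples = [
        (FRONTEND_NSG, Flow("Inbound", "Tcp", "203.0.113.7", 51000, "10.1.1.11", 443)),
        (FRONTEND_NSG, Flow("Inbound", "Tcp", "203.0.113.7", 51001, "10.1.1.11", 22)),
        (BACKEND_NSG, Flow("Inbound", "Tcp", "10.2.2.22", 50000, "10.3.3.33", 1433)),
        (BACKEND_NSG, Flow("Inbound", "Tcp", "10.1.1.11", 50001, "10.3.3.33", 1433)),
        (BACKEND_NSG, Flow("Outbound", "Tcp", "10.3.3.33", 50002, "198.51.100.9", 443)),
    ]
    for nsg, flow in samples:
        print(flow.direction, flow.src, "->", flow.dst, flow.dst_port, evaluate(nsg, flow))
```

The mid-tier-to-backend flow on a port other than 1433 is allowed by the default VNet rule, not by anything the backend NSG says; when reviewing an NSG it is the defaults at priority 65000 and above that most often explain an unexpected allow, which is why the example's backend group carries an explicit deny for the frontend prefix ahead of them.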

Network Virtual Appliances

Overview
• VMs that perform specific network functions
• Focus: Security (Firewall, IDS, IPS), Router/VPN, ADC (Application Delivery Controller), WAN Optimization
• Typically Linux or FreeBSD-based platforms

Scenarios
• IT Policy & Compliance – consistency between on premises & Azure
• Supplement/complement Azure capabilities

Azure Marketplace
• Available through Azure Certified Program to ensure quality and simplify deployment
• You can also bring your own appliance and license

Scenario – Firewalls, IDS/IPS, VPNs: secure your virtual networks in Azure (diagram: Azure Virtual Network with a DMZ, IDS/IPS, the Internet, and cross-premises connectivity).

Scenario – Application Delivery Controller: frontend load balancing and delivery control (diagram: Internet → ADC & Load Balancer → Applications / Web Farms in a Virtual Network).

Scenario – WAN Optimization: optimizing cross premises traffic (diagram: Customer On Premises ↔ Microsoft Azure, compress/optimize).

Network Virtual Appliance Ecosystem

Cross premises connectivity

Connectivity Options and Hybrid Offerings

Cloud                                    Customer Segment and workloads
Secure site-to-site VPN connectivity     SMB, Enterprises; connect to Azure compute
Secure point-to-site connectivity        Developers; POC efforts; small scale deployments; connect from anywhere
ExpressRoute private connectivity        SMB & Enterprises; mission critical workloads; backup/DR, media, HPC; connect to Microsoft services
Internet Connectivity                    Consumers; access over public IP; DNS resolution; connect from anywhere

On-premises VPN Ecosystem

Cloud on your WAN
• Traffic flows directly from customer WAN to Microsoft
• Reduces complexity
• Lower latency, higher bandwidth and higher availability

Connectivity choices: Internet or Private

IPsec VPN over Internet
• Encrypted data traverses Internet to reach Azure
• Limited bandwidth and higher availability

ExpressRoute
• Provides a private, dedicated, high-throughput network connection to Microsoft
• Security
• Lower cost
• Predictable performance
• High throughput

(Diagram labels on each of the three slides: Microsoft, WAN, Corp HQ, Branch office 1, Branch office 2, Public internet.)

ExpressRoute Connectivity

Diagram: Customer’s network → Customer’s connection → Partner Edge → Microsoft Edge, carrying traffic to public IP addresses in Azure, traffic to Virtual Networks, and traffic to Office 365 Services.

ExpressRoute Partners
• Exchange Provider: the customer site connects through an Exchange to Microsoft, with the public internet alongside
• Network Service Provider: customer sites 1–3 connect over the provider WAN to Microsoft, with the public internet alongside

ExpressRoute Sites and Partners

• Americas: Atlanta, Chicago, Chicago (Gov Cloud)*, Dallas, LA, NY, Seattle, Silicon Valley, Washington DC, Washington DC (Gov Cloud)*, Sao Paulo
• Europe: Amsterdam, Dublin*, London
• Asia Pacific: Chennai*, Hong Kong, Mumbai*, Melbourne*, Osaka*, Singapore, Sydney, Tokyo

ExpressRoute

ExpressRoute and S2S VPN Coexistence (New)
• S2S VPN as a backup for ExpressRoute
• S2S connectivity to branch offices
• Connecting Virtual Networks in other Azure regions

Diagram: Contoso HQ (Exchange, AD/DNS) connects to Contoso virtual networks/VMs (IIS Servers, SQL Farm, Monitoring) and to services on public IPs; a VPN Gateway (Internet Edge) provides the Internet path alongside ExpressRoute.

ExpressRoute Premium Add On (New)
• Global connectivity: link a Virtual Network from any Azure Region to your ExpressRoute circuit
• More routes (IP prefixes): supports up to 10,000 routes, increased from 4,000 routes
• Connect more Virtual Networks: up to 100 virtual networks depending on bandwidth option

VPN Gateways for Virtual Network (New)
• ExpressRoute gateway or VPN gateway needed to access a virtual network
• Introducing a new Standard Gateway: supports ExpressRoute and VPN coexistence; improved throughput for ExpressRoute

Virtual Network Gateway SKU   ExpressRoute GW Throughput   VPN GW ExpressRoute Coexistence   VPN GW Throughput   VPN GW Max IPsec Tunnels   Cost (USD) / Hour
Basic                         500 Mbps                     No                                100 Mbps            10                         $0.04
Standard                      1000 Mbps                    Yes                               100 Mbps            10                         $0.19
Performance                   2000 Mbps                    Yes                               200 Mbps            30                         $0.49

Note that ExpressRoute traffic for Azure public services, O365, and Skype for Business does NOT go through a Virtual Network gateway.

Office 365 Timelines and Partners
• Launch Partners; other providers soon to follow
• Locations: All Microsoft Regions
• General Availability: Q3 CY 2015
• Supported Workloads: Exchange Online & Exchange Online Protection; SharePoint Online, OneDrive for Business, Office 365 Video, Delve; Skype for Business Online (formerly Lync Online); Office Online; Power BI and Project Online

Azure Resource Manager – a new way to provision services

Network Resource Provider (New)
• New REST API surface
• Loosely coupled network resource model
• Fine grained access/control of networking resources
• RBAC of networking resources
• Support for logging and tagging
• Highly performant & scalable
• Regional resiliency
• Imperative and declarative management style

Resource types in the model: StorageAccount, VirtualMachine, VMExtension, AvailabilitySet, VirtualNetwork, Subnet, NetworkInterfaceCard, PublicIPAddress, LoadBalancer, NetworkSecurityGroup, NetworkSecurityRule, TrafficManager, VirtualNetworkGateway.

Click To Deploy in Cloud
• Readily available templates to Click and Deploy from GitHub
• Rapidly customize and automate your build & deployment

Versatile management interfaces (New): REST API, PowerShell, Azure CLI, SDK (.NET, Node.JS, Java), Azure Portal

Putting it all together
• Tiers: Infrastructure (protected); Middle Tier (exposed to FE and Infra); Front End – through firewalls
• User Defined Routes on subnets to direct flows to appliances
• Network Security Groups to secure subnets
• Network Virtual Appliances for security, routing and ADC
• Secure cross-premises connectivity with ExpressRoute and VPN Gateways

(Diagram labels: ExpressRoute, Site-to-site VPN, Internet connectivity.)

Demo

Summary: Azure Networking

New at Ignite: User Defined Routes; Public IP address mobility; Multiple load-balanced IPs; Azure DNS – Domain hosting; New network APIs, PowerShell; New JSON-based templates; Network Virtual Appliances; ExpressRoute Premium and O365; VPN ExpressRoute Coexistence

Enterprise-Ready, Global Scale, Strong Partners, Complete Solutions

Learn more with FREE IT Pro Resources
• Free technical training resources – on-demand online training: http://aka.ms/learnhybrid
• Expand your Hybrid Infrastructure Knowledge – free ebooks: Rethinking Enterprise Storage: A Hybrid Cloud Model: http://aka.ms/hybrid-storage-ebook; Microsoft Azure Essentials: Fundamentals of Azure: http://aka.ms/azure-fundamentals-ebook
• Join the IT Pro community: Twitter @MS_ITPro

Ignite Azure Challenge Sweepstakes
Attend Azure sessions and activities, track your progress online, win raffle tickets for great prizes! Aka.ms/MyAzureChallenge. Enter this session code online: BRK2456.
NO PURCHASE NECESSARY. Open only to event attendees. Winners must be present to win. Game ends May 9th, 2015. For Official Rules, see The Cloud and Enterprise Lounge or myignite.com/challenge

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App.

Please evaluate this session. Your feedback is important to us!

© 2015 Microsoft Corporation. All rights reserved.
