Learn. Connect. Explore.Learn. Connect. Explore.

Nuts & Bolts of Networking in Azure

Pracheta Budhwar

Technology Evangelist, Microsoft India

@prachetab

Agenda

• Must know concepts of networking on Azure

• Scenarios - Most commonly & asked for scenarios

• Recent announcements

• Demos

• Q&A

Customer needs

Availability

Policy

Ecosystem

Global presence

Global connectivity

Scale out

Seamless

Performance

SecurityEnterprise

Grade

HyperScale

Hybrid

The Big (Network) Picture

Internet Clients

On premises Datacenter

Azure

Virtual Network

Frontend Connectivity

Load-balanced and direct IPs

ACLs & DDoS protection

Traffic Manager & Azure DNS

Virtual Networks

Flexible multi-tier topologies

Backend Connectivity

Secure Internet cross premises

VPN connectivity

ExpressRoute – direct

connectivity

foo.cloudapp.net VIP

IP AddressesThere are multiple ways to access a VM by IP address

VIP – Virtual IP address• An internet-facing IP address that is not bound to a specific computer or network interface card.

• The cloud service that the VM sits within is assigned the VIP.

• You can have multiple VMs in a cloud service. They share the same VIP.

DIP – Dynamic IP address• This IP address is dynamically assigned (via DHCP) to your virtual machine by Azure. You rely on

DHCP – Do NOT statically configure your IP address. Even for DCs.

• The IP address lease directly equates to the lifetime of the VM.

• If you create a virtual network, the VM will receive its DIP from that range.

IP Addresses

Protocols and Endpoints

DNS Scenarios

SQL Service

SQL Reporting

Service

SQL Analysis Service

AD / DNS

SQL ServiceDomain joined to On-

Premises Network

Azure Virtual Machine(s)

Business Components & Entities

App Logic

UI Process Components

Web Tier

Internet

Persistent VM Role

SharePoint FrontEnd

Persistent VM Role

SharePoint FrontEnd

Persistent VM Role

Search and Indes

SQL Service

Cloud Service

DC DNS

Persistent VM Role

SQL

Persistent VM Role

SQL

Local DNS

SQ

L A

lwaysO

n

Open User Access (Website)

Connecting Cloud Services with VNET

P2SVPNs

Existing datacenter

S2S VPN

On-premises

Your datacenter

Hardware VPN or Windows RRAS

Microsoft Azure

Virtual Network

<subnet 1> <subnet 2> <subnet 3>

DNS Server

HA VPN Gateway

• Extend your premises to the cloud securely

• On-ramp for migrating services to the cloud

• Use your on-prem resources in Azure (monitoring, AD, …)

Traffic Manager: DNS-based Load Balancing

www.yourapp.com

Performance - Direct to “closest” service based on network latency

Round-robin - Distribute equally across all services

Failover - Direct to “backup” service if primary fails—also included in other policies

Traffic Management Fundamentals

Announcements in last 6 months..

• Internet connectivity• Traffic Manager External Endpoints

• Instance Level Public IP (Preview)

• IP Reservation for VIPs

• Intra-region communication• Internal Load Balancing

• In-Region VNet to VNet

• Cross-premises connectivity• Multiple-Site VPN

• Cross-Region Vnet to Vnet

• ExpressRoute

Before With multi-site Vnet Connectivity

VNet1US West

VNet2East Asia

Before With multi-site and cross-region VNet to VNet

VNet1US West

VNet2East Asia

WAN

Corp HQ

Branch office 1

Branch office 2

Public internet

Express Route - Customer want Azure on their Network

WAN

Corp HQ

Branch office 1

Branch Office 2

Public internet

Announcements in last 1 week..

Internet connectivity• Reverse DNS (PTR) Support

• Traffic Manager Nested Profiles

• Instance Level Public IP GA

• Source IP-based Affinity

• TCP flow idle connection timeout

Virtual network• Network Security Group

• Public non-RFC1918 IPs in VNet

• ILB for SQL Always On

Cross-premises connectivity• Forced Tunneling for IPsec VPNs

• ExpressRoute Multi-Subscription Circuit Sharing

• ExpressRoute Multi-Circuit VNet

• High Performance VPN gateway

• VPN/ExpressRoute Operation Logs

• IPsec VPN NULL encryption & PFS

Network Virtual Appliance• Multiple NICs per VM

• MAC persistence

Internet Conectivity

Enable richer profiles with greater flexibility for large/complex deployments

Traffic Manager Nested Profiles

Level 2: Route to nearest Region, with cross-region failover within the Geo

Level 3: Load-balance within the region, divert 1% for flighting

US West US East Europe Europe

Cloud Services

Example: Cross-region failover within a Geo, plus in-region flighting

Instance-Level Public IP GA

• Internet IP assigned to a single VM

• Entire port ranges are accessible

• Support applications with dynamic public ports; e.g., FTP, multi-media

• Ideal for workloads with heavy outbound connections

Instance level public IPs

Internet

VM1 VM2

Cloud service Reserved VIP

LB

Source IP-based Affinity

• All connections from the same Internet client IP to the same backend server• 2-tuple/3-tuple hash

• Scenarios• Applications that require multiple

connections to the same server

• Example: media streaming to establish control and data channel to same backend server

Azure Load Balancer

Increasing Idle Connection Timeout

Configurable connection timeout to VIPs

Idle connection timeout as high as 30 minutes

Better experience for mobile clients connecting to Azure

Client

Idle Connection Timeout increased up to 30 minutes

Traffic to the VIP

Server 1 Server 2

Virtual Network & Security

Network Security Groups (NSG)

• Enables network segmentation & DMZ scenarios

• Access Control List

• Filter conditions with allow/deny

• Individual addresses, address prefixes,

wildcards

• Associate with VMs or subnets

• ACLs can be updated independent of VMs

Virtual Network

On Premises 10.0/16

Backend10.3/16

Mid-tier10.2/16

Frontend10.1/16

VPN GW

Internet

S2SVPNs

Internet

DMZ in a Virtual Network

NSG

NSG

NSG

NSG

Multiple NICs in Azure VMs

• Multiple NICs enable virtual appliances in Azure

• MAC/IP addresses persist through VM life cycle

• Separate frontend-backend traffic, and management-data planes

Internet

Azure Virtual Machine

NIC2 NIC1 Default

FrontendSubnet

AppSubnet

BackendSubnet

10.2.2.2210.2.3.33 10.2.1.11

VIP: 133.44.55.66

Up to 4 NICs per VM

Bring Your Appliances to the Cloud

• Building blocks• Multiple NICs

• MAC address persistence

• Appliance ecosystem• Barracuda NG Firewall

• Citrix NetScaler

• Riverbed Steelhead, SteelApp, SteelStore

• More to come!

“Azure Certified”

Hybrid Networking Services

Microsoft Azure hybrid offerings

Cloud Customer Segment and workloads

Secure point-to-site connectivity

Developers• POC Efforts• Small scale deployments• Connect from anywhere

Secure site-to-site VPN connectivity

SMB, Enterprises

• Connect to Azure compute

ExpressRoute private connectivity

SMB & Enterprises• Mission critical workloads• Backup/DR, media, HPC• Connect to all Azure services

Forced Tunneling

• “Force” or redirect customer Internet-bound traffic to an on-premises site

• Auditing & inspecting outbound traffic from Azure

• Needed by many scenarios for critical security and IT policy requirements

Virtual Network

Backend10.3/16

Mid-tier10.2/16

Frontend10.1/16

VPN GW

Internet

On Premises

S2SVPNs

Forced Tunneledvia S2S VPN Internet

Gateway Enhancements• High Performance Gateway

• Better throughput

• More S2S tunnels

• Pricing

• $0.49 per gateway hour

• Data transfer & VNet traffic rates unchanged

• No Encryption option• Better throughput for Vnet-to-

Vnet within Azure

• Intra-/Inter-region Vnet-to-Vnettraffic stays within Microsoft networks, not Internet

• PFS Support for IKE• Compliance requirements &

better security

• Operations Logs• Visibility into critical gateway

events

Gateway

SKU

ExpressRoute

Throughput*

S2S

Throughput*

Max

Tunnels

Default 500 Mbps 100 Mbps 10

Performance 1000 Mbps 200 Mbps 30* Subject to traffic conditions and application behavior

US

• Atlanta

• Chicago

• Dallas

• Los Angeles

• New York

• Seattle

• Silicon Valley, CA

• Washington D.C.

EMEA

• Amsterdam

• London, UK

APAC

• Hong Kong

• Singapore

• Sydney

• Tokyo

• AT&T

• British Telecom

• Colt

• Equinix

• Internet Initiative Japan (IIJ)

• Level3

• Orange

• SingTel

• Tata Communications

• Telecity Group

• Telstra

• Verizon

Azure datacenters

ExpressRoute Locations (today)

New Locations and coming soon

North Europe

WestEurope

London Amsterdam

Sharing ExpressRoute Connections• Share an ExpressRoute circuit across other subscriptions

• Circuit owner must authorize and can revoke

• Owner gets billed for usage Microsoft Azure

ExpressRoute

Marketing

Sales

R&D

IT

Q&A

Follow us online

Facebookfacebook.com/MicrosoftDeveloper.India

twitter.com/msdevindia

Twitter

Twitter: prachetab

Email: Pracheta.budhwar@microsoft.com

Your Feedback is Important

OPTION 3: Feedback stations outside the hall

Fill out evaluation of this session and help shape future events.

OPTION 1 OPTION 2

Replace this space with the

actual QR Code