MICROSOFT STORSIMPLE CONFIGURATION WITH EXPRESSROUTE Version: 1.0


Page 2: microsoft storsimple configuration with expressroute

Copyright

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product.

You may copy, use and modify this document for your internal, reference purposes.

© 2016 Microsoft Corporation. All rights reserved.

Microsoft, Windows Azure, StorSimple, Hyper-V, Internet Explorer, Silverlight, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Table of contents

Introduction (page 4)
Physical Appliance High Level Solution Architecture (page 5)
Virtual Appliance High Level Solution Architecture (page 6)
Physical Appliance Detailed Traffic Matrix (page 7)
Virtual Appliance Detailed Traffic Matrix (page 11)
StorSimple Appliance Registration Process (page 16)
ExpressRoute Supported Configuration for StorSimple (page 17)
Routing with ExpressRoute (page 18)

Introduction

This document describes the configuration and considerations required when StorSimple is used over an ExpressRoute network.

Physical Appliance High Level Solution Architecture

The diagram below shows the high-level solution architecture with the different types of traffic flow.

Virtual Appliance High Level Solution Architecture

The diagram below shows the high-level solution architecture with the different types of traffic flow.

Physical Appliance Detailed Traffic Matrix

The table below shows the traffic matrix with the destinations required for the StorSimple appliance. Device-specific URLs are those of the test device used for this document and will vary between appliances.

| Component / Functionality | URL pattern | Device-specific URL | Source IPs | Destination IPs | Port | Inbound / Outbound | Traffic flow |
|---|---|---|---|---|---|---|---|
| ACS | https://*.accesscontrol.windows.net/* | wuspod01rp1users.accesscontrol.windows.net [1] | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS), required | OUT | Initially WAN if ExpressRoute is not in the West US geo, otherwise ExpressRoute |
| StorSimple Service | https://*.storsimple.windowsazure.com/* | pod01-cis1.wus.storsimple.windowsazure.com [2] | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS), required | OUT | ExpressRoute |
| Azure Service Bus | https://*.servicebus.windows.net/* | wuspod01cis1sbns95jfo.servicebus.windows.net [2] | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 9354, TCP 443 (HTTPS) | OUT | ExpressRoute |
| Azure Storage Accounts | https://*.core.windows.net/* | | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS) | OUT | ExpressRoute |
| Monitoring Storage Accounts | https://*.core.windows.net/* | | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS) | OUT | ExpressRoute |
| Registration services | https://*.backup.windowsazure.com | | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS), required | OUT | Initially WAN if ExpressRoute is not in the West US geo, otherwise ExpressRoute |
| Microsoft Update Servers | http://*.windowsupdate.microsoft.com, https://*.update.microsoft.com, http://*.windowsupdate.com, http://download.microsoft.com, http://wustat.windows.com, http://ntservicepack.microsoft.com | | Controller fixed IPs only | Public Internet (non-Azure-hosted IPs) | TCP 80 (HTTP), TCP 443 (HTTPS) | OUT | Internet |
| Certificate Revocation Lists | http://crl.microsoft.com/pki/*, http://pki.microsoft.com/pki/* | | Controller fixed IPs only | Public Internet (non-Azure-hosted IPs) | TCP 80 (HTTP), TCP 443 (HTTPS) | OUT | Internet |
| Akamai CDN (for updates) | http://*.deploy.akamaitechnologies.com | | Controller fixed IPs only | N/A | TCP 80 (HTTP) | OUT | Internet |
| Microsoft network connectivity status | http://*.msftncsi.com | | Controller fixed IPs only | N/A | TCP 80 (HTTP) | OUT | Internet |
| DNS Server | - | | Cloud-enabled NICs | Internet-based DNS server | UDP 53 (DNS), if external DNS is configured | OUT | Internet, or internal DNS servers with forwarders |
| NTP Server | - | | Cloud-enabled NICs | Internet-based NTP server | UDP 123 (NTP), if external NTP is configured | OUT | Internet |
| Support package | https://*.partners.extranet.microsoft.com/* | | Cloud-enabled NICs | N/A | 443 (HTTPS) | OUT | Internet |
| Remote PowerShell HTTP | - | | All enabled NICs | | 5985 | IN | LAN |
| Remote PowerShell HTTPS | - | | All enabled NICs | | 5986 | IN | LAN |
| iSCSI | - | | iSCSI-enabled NICs | | 3260 (iSCSI) | IN | LAN |
| Snapshot Manager | - | | All enabled NICs | | 5985 | IN | LAN |

[1] Appliances always try first to reach the One Stop Authenticator (the URL above), which is located in the West US datacenter, and then acquire the respective URL according to the StorSimple registration geo.

[2] This URL is dynamically generated for each appliance and passed to it through the initial registration process. The URL shown relates to our testing lab appliance only.

Virtual Appliance Detailed Traffic Matrix

The table below shows the traffic matrix with the destinations required for the StorSimple virtual appliance. Device-specific URLs are those of the test device used for this document and will vary between appliances.

| Component / Functionality | URL pattern | Device-specific URL | Source IPs | Destination IPs | Port | Inbound / Outbound | Traffic flow |
|---|---|---|---|---|---|---|---|
| ACS | https://*.accesscontrol.windows.net/* | wuspod01rp1users.accesscontrol.windows.net [1] | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS), required | OUT | Initially WAN if ExpressRoute is not in the West US geo, otherwise ExpressRoute |
| StorSimple Service | https://*.storsimple.windowsazure.com/* | pod01-cis1.wus.storsimple.windowsazure.com [2] | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS), required | OUT | ExpressRoute |
| Azure Service Bus | https://*.servicebus.windows.net/* | wuspod01cis1sbns95jfo.servicebus.windows.net [2] | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 9354, TCP 443 (HTTPS) | OUT | ExpressRoute |
| Azure Storage Accounts | https://*.core.windows.net/* | | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS) | OUT | ExpressRoute |
| Monitoring Storage Accounts | https://*.core.windows.net/* | | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS) | OUT | ExpressRoute |
| Registration services | https://*.backup.windowsazure.com | | Cloud-enabled NICs | Azure datacenter IP ranges | TCP 443 (HTTPS), required | OUT | Initially WAN if ExpressRoute is not in the West US geo, otherwise ExpressRoute |
| Microsoft Telemetry | https://*.data.microsoft.com | | Controller fixed IPs only | Public Internet (non-Azure-hosted IPs) | TCP 443 (HTTPS) | OUT | Internet |
| Microsoft Update Servers | http://*.windowsupdate.microsoft.com, https://*.update.microsoft.com, http://*.windowsupdate.com, http://download.microsoft.com, http://wustat.windows.com, http://ntservicepack.microsoft.com | | Controller fixed IPs only | Public Internet (non-Azure-hosted IPs) | TCP 80 (HTTP), TCP 443 (HTTPS) | OUT | Internet |
| Certificate Revocation Lists | http://www.microsoft.com/pki/*, http://crl.microsoft.com/pki/* | | Controller fixed IPs only | Public Internet (non-Azure-hosted IPs) | TCP 80 (HTTP), TCP 443 (HTTPS) | OUT | Internet |
| Akamai CDN (for updates) | http://*.deploy.akamaitechnologies.com | | Controller fixed IPs only | N/A | TCP 80 (HTTP) | OUT | Internet |
| Microsoft network connectivity status | http://*.msftncsi.com | | Controller fixed IPs only | N/A | TCP 80 (HTTP) | OUT | Internet |
| DNS Server | - | | Cloud-enabled NICs | Internet-based DNS server | UDP 53 (DNS), if external DNS is configured | OUT | Internet, or internal DNS servers with forwarders |
| NTP Server | - | | Cloud-enabled NICs | Internet-based NTP server | UDP 123 (NTP), if external NTP is configured | OUT | Internet |
| Support package | https://*.partners.extranet.microsoft.com/* | | Cloud-enabled NICs | N/A | 443 (HTTPS) | OUT | Internet |
| Remote PowerShell HTTP | - | | All enabled NICs | | 5985 | IN | LAN |
| Remote PowerShell HTTPS | - | | All enabled NICs | | 5986 | IN | LAN |
| iSCSI | - | | iSCSI-enabled NICs | | 3260 (iSCSI) | IN | LAN |
| Snapshot Manager | - | | All enabled NICs | | 5985 | IN | LAN |

[1] Appliances always try first to reach the One Stop Authenticator (the URL above), which is located in the West US datacenter, and then acquire the respective URL according to the StorSimple registration geo.

[2] This URL is dynamically generated for each appliance and passed to it through the initial registration process. The URL shown relates to our testing lab appliance only.

StorSimple Appliance Registration Process

In order to configure ExpressRoute, firewall rules and name resolution, it is important to understand how the appliance registration process works. The following steps are an internal process run by the appliance itself; no manual intervention is needed.

1. The appliance always goes first to the One Stop Authenticator, wuspod01rp1users.accesscontrol.windows.net, located in the Azure West US datacenter.

2. Upon authentication with the machine namespace it gets the StorSimple service URL, which is again geo-specific and in this case looks like pod01-cis1.wus.storsimple.windowsazure.com.

3. The appliance has to be able to reach crl.microsoft.com, a public, non-Azure-hosted web service, in order to complete the registration process.

4. Once registration is complete, the device gets the respective Service Bus URLs according to the geo-based datacenter of the service registration.

5. Other services such as support package upload, updates and certificate CRL verification are always accessed through Internet-routable public IP addresses that are not hosted in our Azure datacenters.

Conclusion of the above:

- During first-time registration, if the ExpressRoute geo is not created with the West US datacenter, the appliance will fail to reach the StorSimple Service and fail to register.

- Internet connectivity is required for two reasons:

  1. To reach Azure One Stop authentication if the customer's ExpressRoute subscription is not in the West US datacenter.

  2. To reach non-Azure-hosted services.

- Access over the ExpressRoute network is limited to the StorSimple Service, ACS, Service Bus and Storage Accounts.

ExpressRoute Supported Configuration for StorSimple

This section gives a quick definition of ExpressRoute terms and the supported configuration for StorSimple.

ExpressRoute terms definition:

- Private Peering: private IP-based traffic between a customer's network and the VNETs and VMs running in Azure. [Not involved in StorSimple scenarios]

- Public Peering: traffic between a customer's network and Azure-based public services that have a public endpoint (such as Azure Storage, the StorSimple Service, etc.). [Needed for StorSimple traffic]

- Forced tunneling: allows VMs and VNET-associated resources to route all Internet-bound traffic back to your on-premises location/gateway via ExpressRoute for inspection and auditing by on-premises policies; only for private peering. [Not involved in StorSimple scenarios]

ExpressRoute Configuration:

- The ExpressRoute circuit has to be configured for public peering, as all StorSimple services are Azure public endpoints whose subnets are advertised to the circuit routers in a public peering configuration.

- The ExpressRoute circuit provider has to accept the public peering advertised subnets (this can be up to 500 subnets per Azure datacenter geo).

- Any firewalls in the ExpressRoute path have to allow all the required ports.

Verification of traffic routing can be done through some of the methods below:

- Monitoring traffic on the Exchange provider router.

- Trace route to the Azure datacenter IP addresses of the StorSimple subscription's respective geo (these IPs are publicly available at http://www.microsoft.com/en-us/download/details.aspx?id=41653).

- Trace route to the storage account URL, which can be pulled from the Azure portal (this verifies only the storage account traffic).

ExpressRoute overview and configuration steps are found here: https://azure.microsoft.com/en-us/documentation/articles/expressroute-introduction/

Routing with ExpressRoute

It is important to understand that when ExpressRoute is used, not everything is routed over the ExpressRoute network. Gateway routers should therefore route only the designated traffic to Azure datacenter IP ranges over ExpressRoute, and the rest to the Internet.
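The routing rule above, together with the registration process and the traffic matrix earlier in this document, expressed as an added Python example (not part of the Microsoft document): it classifies each outbound destination of the matrix as ExpressRoute, Internet, or first-time WAN depending on the geo the circuit is provisioned in, and derives the ports that firewalls on each path must allow. The Azure prefixes, the resolved IP addresses and the hostname standing in for the wildcard registration row are constructed placeholders; real prefixes come from the Azure datacenter IP range download the document references.

```python
import ipaddress

# Constructed stand-in for the published Azure datacenter IP range list, keyed by
# geo. Placeholder prefixes, not the real ranges the document links to.
AZURE_PREFIXES = {
    "West US": [ipaddress.ip_network("198.51.100.0/24")],
    "North Europe": [ipaddress.ip_network("203.0.113.0/24")],
}

# Outbound rows of the traffic matrix as (component, destination host, resolved IP,
# TCP port, bootstrap). "bootstrap" marks endpoints reached in West US during
# first-time registration. Resolved IPs are constructed DNS answers; the wildcard
# registration row is represented by one constructed hostname.
FLOWS = [
    ("ACS", "wuspod01rp1users.accesscontrol.windows.net", "198.51.100.10", 443, True),
    ("StorSimple Service", "pod01-cis1.wus.storsimple.windowsazure.com", "198.51.100.20", 443, False),
    ("Azure Service Bus", "wuspod01cis1sbns95jfo.servicebus.windows.net", "198.51.100.30", 9354, False),
    ("Registration services", "example.backup.windowsazure.com", "198.51.100.40", 443, True),
    ("Certificate Revocation Lists", "crl.microsoft.com", "192.0.2.5", 80, False),
]

def azure_geo(ip):
    """Geo whose advertised prefixes contain ip, or None for non-Azure-hosted IPs."""
    addr = ipaddress.ip_address(ip)
    return next((g for g, nets in AZURE_PREFIXES.items() if any(addr in n for n in nets)), None)

def egress_path(ip, bootstrap, circuit_geo):
    """Egress for one resolved destination: public peering only carries the circuit
    geo's Azure ranges; non-Azure hosts stay on the Internet; the West US bootstrap
    endpoints fall back to the WAN when the circuit is provisioned elsewhere."""
    geo = azure_geo(ip)
    if geo is None:
        return "Internet"
    if geo == circuit_geo:
        return "ExpressRoute"
    if bootstrap and geo == "West US":
        return "WAN (first-time registration)"
    return "Internet"  # Azure-hosted, but not advertised on this circuit

def egress_plan(circuit_geo):
    """Component -> egress path for a circuit provisioned in circuit_geo."""
    return {c: egress_path(ip, boot, circuit_geo) for c, _host, ip, _port, boot in FLOWS}

def ports_by_path(circuit_geo):
    """TCP ports every firewall on each path must allow, derived from the matrix."""
    out = {}
    for _c, _host, ip, port, boot in FLOWS:
        out.setdefault(egress_path(ip, boot, circuit_geo), set()).add(port)
    return out
```

Running `egress_plan("North Europe")` shows the document's first-time registration caveat directly: the ACS and registration endpoints come back as WAN rather than ExpressRoute, so a circuit outside West US needs Internet egress for those two rows before any of the geo-specific URLs are even known.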