Transcript Virtual Network

An Overview of Microsoft Azure
Networking Capabilities
Emil Velinov
Senior Program Manager, AzureCAT
M261
Virtual Networking
Network Virtual Appliances
ExpressRoute
DNS Services
Azure Resource Manager (GA)
VPN
Hyper-scale
Enterprise
Grade
Hybrid
Azure regions
Microsoftconnectivity
Azure datacenter
regions
Internet
by country
Microsoft’s network is one of the largest in the world
Internet users
■ 500,000,000+
■ 100,000,000 – 499,999,999
■ 50,000,000 – 99,999,999
■ 25,000,000 – 49,999,999
■ 5,000,000 – 24,999,999
■ 100,000 – 4,999,999
■*Operated
50,000by
– 999,999
21Vianet
■ 0 – 49,999
Classic vs. Hyper-scale networks
Large L2
Domains
L3 at all
Layers
HW-based
Service
Software
Service
Simple Tree
Design
L2
Diversity and manual
provisioning
Complex hardware and lack of
automated operations
High complexity and human
error
L3
Clos-based
design
Agility
Efficiency
Availability
Automated provisioning,
integrated process
Simplify requirements, optimized
design, and unify infrastructure
Resilient, automated monitoring and
remediation, low human involvement
Building the right abstractions to enable Scale and Agility
Abstract
Management, Control, and Data planes
Azure
FrontEnd
Proprietary
Hardware
Appliance
Application
Plane
Control
Plane
Physical
Transport
Plane
Tenant
Management
Plane
Controller
Control
Plane
Switch
Compose compute & storage roles and
networks
Commodity
Hardware
Tell & Program
Instead of Discover and react
Example: Network ACLs
Management
Control
Data
Create a tenant
Plumb tenant ACLs to switches
Apply ACLs to these flows
Virtual Network
Users
Azure
Virtual Network
Internet
Front-End Access
Backend
Connectivity
ExpressRoute
VPN Gateways
Backend Connectivity
Azure DNS
DNS
New
Traffic Manager
www.contoso.com
Public IP Addresses in Azure
Internet
Instance-level IP
LB
Load balanced IP (VIP)
VM1
VM2
IP1
IP2
Microsoft Azure
IP1
IP2
Internet
IP3
IP4
Internet
Retain your IP addresses
Reserved IP
Internet
Webrole.1.contoso.cloudapp.net
130.26.5.120
Webrole.0.contoso.cloudapp.net
130.26.10.80
Contoso App
VM Instance 1
VM Instance 2
Bring your own network
On Premises
10.0/16
Internet
Direct Internet
connectivity
VPN and/or
ExpressRoute
Azure
VPN
GW
Backend
10.3/16
Mid-tier
10.2/16
Virtual Network
Frontend
10.1/16
On Premises 10.0/16
Internet
ExpressRoute
and/or VPNs
VPN
GW
Backend
10.0.1/24
Virtual Network
Mid-tier
10.0.2/24
Frontend
10.0.3/24
Control traffic flow in your
network with custom
routes
Internet
Virtual Network
Virtual Machine
NIC2
10.3.3.33
NIC1
10.2.2.22
Default
10.1.1.11
VIP
133.44.55.66
Internet
Backend
Subnet
Mgmt
Subnet
Virtual Network
Frontend
Subnet
Cloud Services
&
Virtual Machines
VM
Firewall
DMZ &
NSGs
Virtual
Network
Isolation
ACLs
DDoS
Protection
Internet
Overview
VMs that perform specific network functions
Focus: Security (Firewall, IDS , IPS), Router/VPN, ADC
(Application Delivery Controller), WAN Optimization
Typically Linux or FreeBSD-based platforms
1st and 3rd Party Appliances
ExpressRoute / Virtual Networks make
Azure part of customer’s network driving
demand for security, compliance,
performance, scalability
Scenarios
IT Policy & Compliance – Consistency between on premises &
Azure
Supplement/complement Azure capabilities
Azure Marketplace
Available through Azure Certified Program to ensure quality
and simplify deployment
You can also bring your own
appliance and license
1st Party
Appliances
L7 Load Balancer
Cookie Session Affinity
SSL Offload
3rd Party
Appliances
WAN Accelerator
WAF
Load Balancer
Intrusion Prevention
Bring Your Own Appliance
Customer VMs
Load Balancing
Cookie Affinity
App
Gateway
HTTP & HTTPS
SSL Offload
Azure
Service
Function
Example
Internet
Traffic
Manager
Cross-region
DNS-based
redirection &
availability
http://news.com
 apac.news.com
 emea.news.com
 us.news.com
ALB
In-region
scalability &
availability
emea.news.com
Application
Gateway
URL/contentbased routing &
load balancing
news.com/topnews
news.com/sports
news.com/images
Azure Traffic Manager (DNS Load Balancer)
 AppGw1
 AppGw2
 AppGw2
Application Application Application
Gateway
Gateway
Gateway
VM
VMs
Web Servers
VM
VM
VM
VM
Application
Gateway
VM
VM
VM
ADC &
Load
Balancer
Internet
Corporate Networks
“Protected”
Network
DMZ
IIS Servers
AD/DNS
Internet
SQL Farm
Frontend
Subnet
S2S VPNs or
ExpressRoute
Branch
Offices
Microsoft Azure
Customer
On-Premises
Compress / Optimize
Internet Connectivity
Consumers
 Access over public IP
 DNS resolution
 Connect from anywhere
Secure point-to-site
connectivity
Developers
 POC Efforts
 Small scale deployments
 Connect from anywhere
Secure site-to-site
VPN connectivity
ExpressRoute private
connectivity
SMB, Enterprises
 Connect to Azure compute
SMB & Enterprises
 Mission critical workloads
 Backup/DR, media, HPC
 Connect to Microsoft services
WAN
IPsec VPN over Internet
WAN
Cloud on your WAN
WAN
ExpressRoute provides a private,
dedicated, high-throughput network
connection to Microsoft
Customer
network
Partner
Edge
Customer’s
connection
Traffic to Office 365 Services
Traffic to public IP addresses in Azure
Traffic to Virtual Networks
Microsoft
Edge
Microsoft
Microsoft
Public
internet
Customer site 3
Customer site 2
WAN
Customer site
Exchange
Customer site 1
Public
internet
Atlanta
Chicago
Chicago (Gov Cloud)*
Dallas
LA
NY
Seattle
Silicon Valley
Washington DC
Washington DC (Gov Cloud)*
Amsterdam
Dublin*
London
Sao Paulo
Chennai*
Hong Kong
Mumbai*
Melbourne*
Osaka*
Singapore
Sydney
Tokyo
S2S VPN as a backup for ExpressRoute
S2S connectivity to branch offices
Connecting Virtual Networks in other Azure regions
VPN Gateway
(Internet Edge)
Internet
Services on public IPs
ExpressRoute
Contoso virtual networks/VMs
ExpressRoute or VPN gateway needed to access a VNet
New Standard Gateway
Virtual
Network
Gateway SKU
ExpressRoute
GW
Throughput
VPN GW
ExpressRoute
Coexistence
VPN GW
Throughput
VPN GW
Max IPsec Tunnels
Cost (USD) /
Hour
Basic
500 Mbps
No
100 Mbps
10
$0.04
Standard
1000 Mbps
Yes
100 Mbps
10
$0.19
Performance
2000 Mbps
Yes
200 Mbps
30
$0.49
AZURE RESOURCE MANAGER API
StorageAccount
VirtualMachine
NetworkSecurityGroup
VirtualNetwork
NetworkSecurityRule
Subnet
NetworkInterfaceCard
LoadBalancer
AvailabilitySet
PublicIPAddress
VMExtension
TrafficManager
VirtualNetworkGateway
User-defined routes
Public IP address mobility
Multiple load-balanced IPs
ExpressRoute Premium and O365
VPN ExpressRoute coexistence
Azure Application Gateway GA
Azure DNS – Domain hosting
Network Virtual Appliances
New network APIs, PowerShell
ARM / NRP GA & New JSON-based templates
1
Azure Consistent Service
Delivery Overview
NZ1 Wed 10:00am
2
Server Virtualisation Overview
3
Networking Overview
4
Storage Overview
NZ2 Wed 1:30pm
SKYCITY Theatre Thu 11:00am
SKYCITY Theatre Thu 3:30pm
5
Security and Assurance Overview
6
What’s New in System Centre
for Management
NZ4 Fri 9:00am
NZ1 Fri 11:00am
Find me later at…
 Hub Happy Hour Wed 5:30-6:30pm
 Hub Happy Hour Thu 5:30-6:30pm
 Closing drinks Fri 3:00-4:30pm
Free Online Learning
http://aka.ms/mva
Subscribe to our fortnightly newsletter
http://aka.ms/technetnz
http://aka.ms/msdnnz
Sessions on Demand
http://aka.ms/ch9nz
© 2015 Microsoft Corporation. All rights reserved.
Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.