Brk30176 enterprise class networking in azure
Agenda
Network infrastructure
Four pillars of Azure Networking
Multi-access edge compute tech preview
Our mission
To provide the most secure, trusted, reliable
and performant network for your
workloads, delivered and managed from
the Intelligent Cloud to the Intelligent Edge
Microsoft global network
54 Azure regions
130k+ miles of fiber + subsea cables
160+ edge sites
500+ network partners
20k+ peering connections
Region
Edge
Network
Connecting Azure regions to the global network
Edge
Enterprise peering (PRIVATE)
Internet peering (PUBLIC)
Microsoft Wide Area Network
Regional Gateways
Availability Zone: DC, DC, DC
Availability Zone: DC, DC, DC
Availability Zone: DC, DC, DC
Azure Region
Microsoft Global Network (WAN)
The Azure Network Edge
Traffic to and between DCs
WAN
core routers
Azure
ExpressRoute
Azure Front Door,
CDN, WAF
Azure Network Edge
Internet and private network
Modernizing your
network
Azure
Networking
services
Azure Peering Service
Monitoring
Peering service platform
Operational
insights
MS Peering
partner
Internet
Customer
Enterprise grade
Internet connectivity
User telemetry RADAR
Connectivity partners
Telemetry platform
Route Anomalies Detection and Auto Remediation (RADAR)
Delivering optimal public Internet
connectivity to Microsoft Cloud
PREVIEW
BRK2144 | 11/05 (3:30 - 4:15 PM) | Selecting the correct network connectivity service for your workloads
Azure Virtual WAN
Region 2
Region 1
Region 3
Datacenter
Point-to-site VPN
ExpressRoute
VNet
VNet
VNet
Corp HQ
Branch Branch Branch Branch
VNet
• ExpressRoute Integration
• Point to site VPN Integration
• Path selection from branch
GA
PREVIEW
• Hub/Any-to-any connectivity
• Azure Firewall integration
Provides optimized and automated
branch connectivity to, and
through Azure
BRK3138 | 11/06 (9:15 - 10 AM) | Global transit network architectures with Azure Virtual WAN
ExpressRoute
Fast Path
• Improved throughput, packets/sec, connections/sec,
number of flows
ExpressRoute Site
Customer
Cage
Microsoft
Cage
GA
PREVIEW
MACsec encryption
• Secures physical links at ExpressRoute sites
• Bring-your-own-key, store keys in Azure Key Vault
• Available on ER Direct
ExpressRoute Local
• No egress charges from Azure to local ER site
Continued expansion of ER locations
BRK3172 | 11/06 (3:30 – 4:15 PM) | Advanced networking best practices with Azure ExpressRoute
MACsec
SKU    | Aggregate throughput | P2S connections | IKEv1/v2
VpnGw1 | 650 Mbps             | 250             | IKEv1+IKEv2
VpnGw2 | 1 Gbps               | 500             | IKEv1+IKEv2
VpnGw3 | 2.5 Gbps             | 1000            | IKEv1+IKEv2
VpnGw4 | 5 Gbps               | 5,000           | IKEv1+IKEv2
VpnGw5 | 10 Gbps              | 10,000          | IKEv1+IKEv2
VPN
PREVIEW
PREVIEW
AAD auth + MFA
Azure VPN Client (Windows App)
• OpenVPN protocol
• Native AAD authentication with MFA
• Client-side Diagnostics, Logs, & Metrics
High throughput VPN – 10Gbps
• New Azure VPN gateways – VpnGw3/4/5
• Up to 10 Gbps aggregate
• Up to 10,000 P2S connections
IKEv1 + IKEv2 on VpnGw1-5
• IKEv1 on new VpnGw SKUs (1 ~ 5)
• Multiple IKEv1 S2S tunnels
• IKEv1 and IKEv2 on the same VPN gateway
VPN gateway packet capture
• With 5-tuple packet filter
• ETW or PCAP formats
Custom IKE traffic selectors
PREVIEW
GA
GA
COMING SOON
BRK2144 | 11/05 (3:30 - 4:15 PM) | Selecting the correct network connectivity service for your workloads
IPv6 in Azure VNETs
THR3111 | 11/05 (4:20 - 4:40 PM) | GA launch of IPv6 for Azure VNETs
"We've grown to value and trust the stability and
reliability of IPv6 connectivity in Azure. As we look to
expand our cloud-based portfolio and offer additional
services for the 65 million endpoints we manage
globally, IPv6 capability is a key enabler for adapting
our IoT framework to the cloud."
Greg Richards, SVP, Technology & Research, Itron
Native IPv6 all the way to the VMs
Private IPv6 addresses for VMs and NICs
Dual stacked IPv4/IPv6 VMs for max flexibility
GA
Internet
IPv6 User-
Defined
Routes
IPv6
NSG
Rules
IPv6
Load
Balancer
IPv6
IPv6
IPv4
Windows VM
Front-End
Subnet
IPv6
NSG
Rules
Application
Subnet
DDoS Protection
IPv6
IPv4
Linux VM
Azure Virtual Network Dual Stacked (IPv4+IPv6)
Achieving Zero Trust with Azure Networking
Cloud-native network security services
Defense-in-depth
+
Software Defined Network (SDN)
Virtual
Networks
Network
Security Groups
User Defined
Routes
Load
Balancer
Azure
Firewall
Azure DDoS
Protection
Azure Web
Application Firewall
Azure
Private Link
Azure Private Link
Highly secure and private connectivity to Azure services
Private access from VNets,
peered VNets and
on-premises
In-built Data
Exfiltration Protection
Predictable private IP
addresses for PaaS
resources
Unified experience across
PaaS, Customer Owned
and marketplace Services
Private Link for Azure Storage, SQL DB and data exfiltration protection
PREVIEW
BRK3168 | 11/07 (9:15 - 10 AM) | Delivering services privately in your VNet with Azure Private Link
Azure PaaS and
marketplace services
ER Gateway
Private
endpoint
10.0.0.5
Deny Internet
On-premises
Virtual Network (10.0.0.0/16)
Private
Link
Storage, SQL DW, SQL, Marketplace
Azure Firewall Manager
Central deployment and configuration
Automated routing
Advanced security with 3rd party SECaaS
PREVIEW
Virtual Network support, Split routing
ROADMAP
Central network security policy and route management
for globally distributed, software-defined perimeters
Global admin
Global policy
Azure region 1 Azure region N
Azure
Firewall
Secured
vHub
Azure
Firewall
Secured
vHub
Local admin
HQ/
branch
Virtual WAN
ER/VPN
Datacenter
Virtual WAN
ER/VPN
End-user
devices
VPN
VNet
3rd party
partners
3rd party
partners
Azure Firewall Manager
Trusted security partners
Use Azure as your Secured Internet Edge
Use best-in-breed third-party Security-as-a-Service (SECaaS) partners with Azure Firewall Manager
Protect VNet-to-Internet or Branch-to-Internet user traffic
Combine with Azure Firewall for layered security
Breakout Office 365 traffic directly at branch; filter rest of Internet traffic using SECaaS on Azure
BRK3170 | 11/07 (3:30 - 4:15 PM) | Building and Managing distributed micro-perimeters with Azure Firewall
AVAILABLE IN PREVIEW
COMING SOON
BRK3185 | 11/06 (2:15 - 3 PM) | Securing your cloud perimeter with Azure Network Security
Azure Bastion
Secure and seamless RDP and SSH access to your
virtual machines
GA
RDP/SSH to your workload using HTML5 standards-based web-browser, directly in Azure Portal
Resources can be accessed without public IP addresses
Supported Azure resources include VMs, VM Scale Sets, Dev-Test Labs
Azure Portal
Remote Protocol
(RDP, SSH, et al)
SSL
443,
Internet
AzureBastionSubnet
Port: 3389/22
“AzureBastionSubnet”
Target VM Subnet(s)
Private IP
Azure VM
Azure VM
Azure VM
Customer’s Virtual Network
SSL
Azure Bastion
Azure WAF
BRK3171 | 11/08 (9:15 - 10 AM) | Using Azure Web Application Firewall to protect your web applications and web APIs
Azure Global WAF
(Front Door)
Azure Regional WAF
(Application Gateway)
Uniform policy
WAF policy
PaaS, IaaS and on-premises backends
OWASP rules
Bot management
Custom rules
Microsoft threat intelligence
Site and URI path specific WAF policies
Geo filtering on regional WAF
PREVIEW
Unified WAF offering
Web Application Firewall
BRK3169 | 11/07 (2:15 - 3 PM) | Deliver highly available and secure web applications with Azure Application Gateway and WAF
Application Gateway
Azure Kubernetes Services (AKS) Ingress Controller
Azure Key Vault integration
Enhanced Metrics
GA
Wildcard listener
COMING SOON
Application
Gateway
Azure ARM
Azure Key Vault
Azure Kubernetes
Services (AKS)
AKS API
server
AG Ingress
Controller
Pods
Application Gateway routing rules
Application Delivery Controller
BRK2146 | 11/07 (11:45 AM - 12:30 PM) | Taking applications and content to the edge
Azure Front Door
Global entry point for high performance, high
availability web applications
GA
Single or multi-region app and API acceleration
Load balancing at the Edge and fast-failover
Integrated SSL, WAF and DDoS
Single region apps
Network Edge POP
Azure region
www.contoso.com
Global
Network
/*
/search/*
Accelerate
Multi-region apps
Network Edge POP
Azure region 1
www.contoso.com
Global
Network
Accelerate
Azure region 2
Failover
Azure CDN
Cost efficient, reliable global content distribution
GA
Reduced Azure egress pricing
PREVIEW
Easy to use and highly customizable rules engine
Azure Region
On-premise/external
Media services
Storage
App service
Edge delivery partners
www.contoso.com
vod.contoso.com
API
Mobile
Media
IoT
Updates
Files
BRK2146 | 11/07 (11:45 AM - 12:30 PM) | Taking applications and content to the edge
Internet Analyzer
Easily measure and compare end user
experience for your application
Cloud migration
Measure the impact of moving the web app to cloud
PREVIEW
CDN and app acceleration
Measure the performance impact of Front Door and CDN
Perform A/B measurements
Measure end user performance of two versions of app
or impact of multiple region deployments
Your real end users,
your customers around the globe
1 Deploy internet analyzer client
2 Configure your tests
3 Get your global perf scorecards
Delivered with
your app
Your current
application
architecture
“What-if”
application
architecture
The
internet
ACTIVE PERFORMANCE MEASUREMENTS
Test
configuration
Measurement data
BRK2146 | 11/07 (11:45 AM - 12:30 PM) | Taking applications and content to the edge
Azure monitor for networks
Traffic analytics – accelerated processing
• From hours to minutes, faster insights into application and network activity
GA
Enhanced troubleshooting
• Improved connectivity checks for load balancers, global peering,
cross region connectivity, User Defined Routes, NVAs, ExpressRoute
Monitoring and troubleshooting for cloud and
hybrid networks
Network insights
• Single health console for the entire cloud network
• No agent/configuration required
PREVIEW