
A Deepdive into Azure Networking

Networking Patterns
Outbound Connections
Network Virtual Appliance
Cost Drivers
One More Thing

Published in: Technology
  • Thank you for sharing this incredibly advanced information.

A Deepdive into Azure Networking

  1. Karim Vaes, https://blog.kvaes.be/@kvaes
  2. Agenda: 01 Networking Patterns, 02 Routing, 03 Outbound Connections, 04 Network Virtual Appliance, 05 Cost Drivers, 06 One More Thing, 07 Q&A
  3. Networking Patterns
  4. Island Mode
  5. Hybrid Connection
  6. Network Virtual Appliance
  7. Northbound / Southbound
  8. WAF / NGFW
  9. Hub & Spoke Model
  10. Growth Model (https://kvaes.wordpress.com/2017/10/02/azure-networking-blueprint-patterns-for-enterprises/): Island Mode -> Hybrid Connection -> NGFW -> +WAF -> +NGFW -> Hub & Spoke
  11. Routing "Basics"
  12. Azure Routing Explained
      • Longest prefix match wins
      • In case of a tie, the route origin decides, in this order: 1. User Defined Route (custom), 2. Border Gateway Protocol (BGP), 3. System Route (Azure default)
      https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
  13. Longest Prefix Matching (worked example on the slide: a target IP is matched against the configured routes, and the longest matching prefix wins)
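The selection rule on the two routing slides, written out as an added example (this is not code from the deck or from Azure; the route table, the next-hop labels and the NVA address 10.0.1.4 are constructed for illustration). The function first keeps only routes whose prefix contains the target, then sorts by prefix length and, on a tie, by origin in the order UDR, BGP, system route. The sample table includes a user-defined default route to an NVA, which is the common "force all traffic through the firewall" pattern:

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Tie-break order from the slide: a User Defined Route beats BGP, BGP beats the
# Azure system route. Lower rank wins.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str     # CIDR, e.g. "10.0.2.0/24"
    next_hop: str   # next-hop type or NVA address (labels are illustrative)
    origin: str     # "User" (UDR), "BGP" or "System"


def candidate_routes(target_ip: str, routes: Iterable[Route]) -> List[Route]:
    """All routes whose prefix contains target_ip, best route first."""
    target = ipaddress.ip_address(target_ip)
    matches = []
    for route in routes:
        if route.origin not in ORIGIN_RANK:
            raise ValueError(f"unknown route origin {route.origin!r}")
        net = ipaddress.ip_network(route.prefix, strict=False)
        if target.version == net.version and target in net:
            matches.append(route)
    # Longest prefix first; on equal length the lowest origin rank first.
    matches.sort(
        key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                       ORIGIN_RANK[r.origin])
    )
    return matches


def select_route(target_ip: str, routes: Iterable[Route]) -> Optional[Route]:
    """The route Azure would pick for target_ip, or None if nothing matches."""
    matches = candidate_routes(target_ip, routes)
    return matches[0] if matches else None


# Constructed effective route table for a subnet in a VNET 10.0.0.0/16 (hypothetical).
SAMPLE_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "System"),            # Azure default
    Route("0.0.0.0/0", "Internet", "System"),               # Azure default
    Route("10.1.0.0/16", "VirtualNetworkGateway", "BGP"),   # learned over ExpressRoute/VPN
    Route("10.1.0.0/16", "10.0.1.4", "User"),               # UDR with the same prefix: send via NVA
    Route("0.0.0.0/0", "10.0.1.4", "User"),                 # UDR: forced tunnelling via NVA
    Route("10.0.2.0/24", "10.0.1.4", "User"),               # UDR: inspect traffic to one subnet
]

if __name__ == "__main__":
    for ip in ("10.0.5.5", "10.0.2.5", "8.8.8.8", "10.1.3.3"):
        chosen = select_route(ip, SAMPLE_ROUTES)
        print(f"{ip:>10} -> {chosen.next_hop} (via {chosen.origin} route {chosen.prefix})")
```

The case worth checking in your own tables is 10.0.5.5: the system route for the VNET address space (/16) is longer than the user-defined 0.0.0.0/0, so traffic between subnets of the same VNET bypasses the NVA even though "everything" is forced through it. Only a more specific UDR, such as the /24 in the sample, actually pulls intra-VNET traffic through the firewall.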
  14. Routing "Beyond the Basics"
  15. Service Endpoints & Service Injection. Service injection: dedicated PaaS services, for example App Service Environment.
      https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
      https://kvaes.wordpress.com/2018/06/08/taking-a-look-at-azure-service-endpoints/
      https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services
  16. VNET Peering: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
  17. Layer 2
      • Is not under your control (due to the network virtualization layer)
      • Azure is all about Layer 3 in terms of design
      • Use the Load Balancer to "work around" this
  18. One more thing: conflicting / overlapping IP plans
  19. Outbound Connections
  20. What IP will be seen externally?
      Scenario | Method | Protocols | Description
      VM with own PIP | SNAT only | TCP, UDP, ICMP, ESP | Azure uses the public IP assigned to the IP configuration of the instance's NIC. The instance has all ephemeral ports available.
      VM behind LB | SNAT with PAT using the LB PIP | TCP, UDP | Azure shares the public IP address of the public Load Balancer frontend with multiple private IP addresses and uses the frontend's ephemeral ports for PAT.
      VM without PIP or LB | SNAT with PAT using a shared PIP | TCP, UDP | Azure automatically designates a public IP address for SNAT, shares it with the private IP addresses of the availability set, and uses that address's ephemeral ports. This is a fallback for the preceding scenarios; not recommended if you need visibility and control.
  21. Gotcha of the day
      • Using an internal Standard Load Balancer?
      • Assign a PIP per node, or
      • Add the nodes to an external Load Balancer with "dummy" rules
      • Otherwise the nodes won't be able to reach the outside world
  22. Load Balancer Trivia
      • Using an external Standard Load Balancer: "Secure by Default"
      • "Closed by default for public IP and Load Balancer endpoints, and a network security group must be used to explicitly whitelist for traffic to flow!"
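What "closed by default" means in practice for the Standard Load Balancer slide, as an added example (not code from the deck or from Azure): a minimal evaluator of inbound NSG rules, first match by ascending priority, with Azure's three built-in inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500). The VNET range 10.0.0.0/16, the VM 10.0.1.4, the client 203.0.113.10 and the rule named AllowHttpsFromInternet are constructed; the service-tag resolution is a simplification (the real VirtualNetwork tag also covers peered and on-premises space, and Internet means all public space outside the VNET). The health-probe source 168.63.129.16 is the address behind the AzureLoadBalancer tag:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed topology: the VNET address space (hypothetical) and the Azure
# health-probe source address covered by the AzureLoadBalancer service tag.
VNET_RANGES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")

# Azure's built-in inbound NSG rules (priorities 65000, 65001, 65500).
DEFAULT_INBOUND_RULES: List[Dict] = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "src": "VirtualNetwork", "dst": "VirtualNetwork", "dport": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "src": "AzureLoadBalancer", "dst": "*", "dport": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "src": "*", "dst": "*", "dport": "*"},
]

# The one explicit rule (hypothetical name) a Standard LB deployment needs to let HTTPS in.
HARDENED_INBOUND_RULES: List[Dict] = [
    {"name": "AllowHttpsFromInternet", "priority": 100, "access": "Allow",
     "protocol": "TCP", "src": "Internet", "dst": "*", "dport": "443"},
] + DEFAULT_INBOUND_RULES


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str   # "TCP", "UDP" or "ICMP"
    dport: int


def _in_vnet(ip) -> bool:
    return any(ip in net for net in VNET_RANGES)


def _match_address(spec: str, ip_str: str) -> bool:
    """Resolve a service tag, CIDR or single address (simplified tag semantics)."""
    ip = ipaddress.ip_address(ip_str)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":      # real tag also covers peered / on-prem space
        return _in_vnet(ip)
    if spec == "AzureLoadBalancer":   # health probes only
        return ip == AZURE_LB_PROBE_IP
    if spec == "Internet":            # simplified: anything that is not VNET or probe
        return not _in_vnet(ip) and ip != AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(spec, strict=False)


def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)


def _match_protocol(spec: str, protocol: str) -> bool:
    return spec == "*" or spec.upper() == protocol.upper()


def evaluate(rules: List[Dict], flow: Flow) -> Tuple[str, str]:
    """First matching rule by ascending priority decides; returns (access, rule name)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (_match_protocol(rule["protocol"], flow.protocol)
                and _match_address(rule["src"], flow.src)
                and _match_address(rule["dst"], flow.dst)
                and _match_port(rule["dport"], flow.dport)):
            return rule["access"], rule["name"]
    # Azure always ends with DenyAllInBound, so this is only reached for a broken rule set.
    return "Deny", "<implicit>"


if __name__ == "__main__":
    vm = "10.0.1.4"
    probes = (Flow("203.0.113.10", vm, "TCP", 443),   # internet client to the LB-fronted VM
              Flow("203.0.113.10", vm, "TCP", 22),    # internet client probing SSH
              Flow("168.63.129.16", vm, "TCP", 443),  # LB health probe
              Flow("10.0.2.7", vm, "TCP", 22))        # another VM in the VNET
    for label, rules in (("default NSG", DEFAULT_INBOUND_RULES),
                         ("hardened NSG", HARDENED_INBOUND_RULES)):
        for flow in probes:
            print(f"{label:12} {flow.src:>14} -> :{flow.dport:<4} {evaluate(rules, flow)}")
```

Two things the run makes visible: with only the default rules, the internet client never reaches port 443 (DenyAllInBound wins), which is the "closed by default" behaviour of the slide, while the health probe from 168.63.129.16 is still allowed by rule 65001, so the backend stays healthy even though nobody can reach it; and the explicit allow at priority 100 opens exactly one port, leaving SSH from the internet denied.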
  23. Network Virtual Appliance
  24. Before anything: draw a high-level, 10-mile-high overview of your security rules!
  25. ... which everyone can understand!
  26. ... and then start discussing the NVA
  27. Now let's talk about... Network Virtual Appliances
  28. Firewalls in Physical Networks (diagram: one firewall with a NIC per network segment)
  29. Azure = Layer 3 (diagram: one address space with a trusted subnet and an untrusted subnet, NVA NICs in each)
  30. Floating IP = Load Balancer (diagram: the load balancer health-probes each NVA NIC, "Are you alive?" / "All good")
  31. How many NICs does it take...
  32. Flow Symmetry, Single NIC (diagram: forward packet with Src IP = trusted VM IP, Dest IP = untrusted VM IP, Src Port X, Dest Port Y; return packet with Src IP = untrusted VM IP, Dest IP = trusted VM IP, Src Port Y, Dest Port X)
  33. Flow Symmetry, Single NIC: https://azure.microsoft.com/en-us/blog/azure-load-balancer-new-distribution-mode/
  34. Flow Symmetry, Single NIC (same forward/return packet diagram as slide 32)
  35. Flow Symmetry, Dual NIC (diagram: SNAT applied on the way out, SNAT reversed on the way back)
  36. Responding to probes (diagram: health probes arriving on each NVA NIC, each labelled with its "From:" address)
  37. Key Takeaways
      • Floating IP = Load Balancer IP
      • Dual NIC = complex: requires SNAT; test the NVA's response to probes
      • Single NIC (recommended): no SNAT needed
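Why the dual-NIC design on the Flow Symmetry slides needs SNAT, as an added simulation (not code from the deck or from Azure). Two stateful NVA instances each have a trusted and an untrusted NIC; a load balancer on each side distributes by a 5-tuple hash (a SHA-256 stand-in here, not Azure's real hash). Without SNAT, the return packet has the reversed tuple, is hashed independently by the untrusted-side load balancer, and may land on the instance that never saw the forward flow, which drops it. With SNAT the reply is addressed to the NVA's own untrusted NIC, so it returns to the instance holding the state. The addresses 10.0.1.10, 10.0.2.10 and 10.0.2.4/5 and the port-preserving SNAT are constructed:

```python
import hashlib
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "TCP"

    def reply(self) -> "Packet":
        """The packet the receiver sends back: addresses and ports swapped."""
        return Packet(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


def five_tuple_hash(pkt: Packet, pool_size: int) -> int:
    """Stand-in for the load balancer's 5-tuple hash distribution (not Azure's real hash)."""
    key = f"{pkt.src_ip}|{pkt.dst_ip}|{pkt.src_port}|{pkt.dst_port}|{pkt.proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % pool_size


class StatefulNva:
    """A stateful firewall instance with a trusted and an untrusted NIC."""

    def __init__(self, name: str, untrusted_ip: str) -> None:
        self.name = name
        self.untrusted_ip = untrusted_ip
        self.flows = set()                    # forward 5-tuples this instance has seen
        self.snat: Dict[tuple, Packet] = {}   # translated flow key -> original packet

    def forward_out(self, pkt: Packet, snat: bool) -> Packet:
        """Trusted -> untrusted: record state, optionally rewrite the source to our own NIC."""
        self.flows.add(pkt)
        if not snat:
            return pkt
        # Source port preserved for simplicity; a real NVA would allocate one.
        out = Packet(self.untrusted_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)
        self.snat[(out.src_port, out.dst_ip, out.dst_port)] = pkt
        return out

    def forward_back(self, reply: Packet) -> bool:
        """Untrusted -> trusted: undo our SNAT if any, then require matching state."""
        key = (reply.dst_port, reply.src_ip, reply.src_port)
        if reply.dst_ip == self.untrusted_ip and key in self.snat:
            reply = self.snat[key].reply()
        return reply.reply() in self.flows    # dropped if another instance handled the forward flow


def simulate(num_flows: int, snat: bool, pool_size: int = 2) -> Dict[str, int]:
    """Dual-NIC NVAs behind two load balancers; trusted 10.0.1.10 talks to untrusted 10.0.2.10."""
    nvas = [StatefulNva(f"nva{i}", f"10.0.2.{4 + i}") for i in range(pool_size)]
    by_untrusted_ip = {n.untrusted_ip: n for n in nvas}
    result = {"delivered": 0, "dropped": 0}
    for sport in range(40000, 40000 + num_flows):
        fwd = Packet("10.0.1.10", "10.0.2.10", sport, 443)
        ingress = nvas[five_tuple_hash(fwd, pool_size)]        # trusted-side LB picks an instance
        on_wire = ingress.forward_out(fwd, snat)
        reply = on_wire.reply()
        if reply.dst_ip in by_untrusted_ip:
            egress = by_untrusted_ip[reply.dst_ip]             # SNAT: reply goes straight to that NIC
        else:
            egress = nvas[five_tuple_hash(reply, pool_size)]   # no SNAT: untrusted-side LB hashes again
        result["delivered" if egress.forward_back(reply) else "dropped"] += 1
    return result


if __name__ == "__main__":
    print("dual NIC, no SNAT:", simulate(200, snat=False))
    print("dual NIC, SNAT:   ", simulate(200, snat=True))
```

Roughly half the flows die without SNAT in this two-instance pool, and none with it. The failures are silent from the application's point of view (connections hang rather than being refused), which is why the deck's takeaway is to treat dual NIC as "requires SNAT" and, where possible, to use the single-NIC design instead.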
  38. Cost Drivers
  39. https://kvaes.wordpress.com/2018/01/04/understanding-the-budget-impact-of-azure-networking-on-your-architecture/
  40. What to remember?
      • Understand the cost drivers
      • Design accordingly
      • Network is mostly <2-3% of the cost
  41. One More Thing
  42. Azure Firewall. What is it?
      • Stateful firewall as a service
      • Built-in high availability with unrestricted cloud scalability
      • Centrally create, enforce and log application and network connectivity policies across subscriptions and VNETs
      • Inbound NAT and outbound SNAT support
      • Rule base works with DNS names
      • First-tier Azure service
      Differences from an NGFW: cannot be deployed outside of Azure; no IPS/DPI
  43. Azure Virtual WAN. When to use?
      • Bigger VPN scale needed (10 Gbit and 100 connections)
      • O365 integration
      • Breakout via Azure (to Azure)
      • Neutral network hub
      Gotchas: the virtual hub is not global; O365 is currently Citrix only
  44. Azure ExpressRoute. Global Reach: an enhancement to Azure ExpressRoute offering end-to-end IP transport. Compared to the current functionality, which lets customers attach Azure to their WAN to consume services, Global Reach adds endpoint-to-endpoint transit, letting customers use the Azure backbone to route traffic between connected offices or entities. Direct: ExpressRoute Direct lets customers connect directly into Microsoft's global network at peering locations strategically distributed across the world. It provides dual 100 Gbps connectivity, supporting active/active connectivity at scale.
  45. Microsoft Azure Front Door (AFD) is a service that offers a single global entry point for customers accessing web apps, APIs, content and cloud services. Through a single pane of glass and global infrastructure, AFD enables Azure customers to build, manage and secure their global applications and content, migrate to cloud and modern microservice-based architectures, and improve their users' experience.
      • Cloud native, integrated
      • Enables real-time hyperscale for single-domain microservice apps where DNS traffic management cannot
      • Provides applications with premium edge performance acceleration and caching via Microsoft's global WAN
      • Customers get a single pane of glass for service orchestration and global traffic optics
      (diagram: end users -> Front Door global WAN, global orchestration, global optics -> regional app stamps)
      https://kvaes.wordpress.com/2018/10/03/trying-out-the-azure-front-door-service/
  46. If you are reading this... You made it to the end! (without falling asleep)
  47. Surely there must be questions which I can answer for you!
  48. Feedback? I would love to hear from you! For example: Please use another speaker next time!