The document discusses various Azure networking patterns and concepts. It begins with an overview of networking patterns like island mode, hybrid connections, and using a network virtual appliance with a northbound and southbound configuration. It then covers routing basics in Azure like longest prefix matching and custom routes. Other sections discuss routing beyond the basics with service endpoints and injections. It also discusses outbound connections, load balancers, network virtual appliances, and cost drivers. The document provides explanations and examples throughout to illustrate Azure networking concepts.

2. https://blog.kvaes.be/@kvaes
Karim Vaes

3. Agenda
Networking
Patterns
01
Routing
02
Outbound
Connections
03
Network
Virtual
Appliance
04
Cost Drivers
05
One More
Thing
06
Q&A
07

4. Networking
Patterns

6. Island Mode

7. Hybrid Connection

8. Network Virtual Appliance

9. Northbound
Southbound

10. WAF
NGFW

11. Hub &
Spoke
Model

12. Growth Model
https://kvaes.wordpress.com/2017/10/02/azure-networking-blueprint-patterns-for-enterprises/
Island Mode
Hybrid
Connection
NGFW
+WAF
+NGFW
Hub
&
Spoke

13. Routing “Basics”

14. Azure Routing Explained
• Longest Prefix Matching Wins
• In case of tie…
1. User Defined Route (Custom)
2. Border Gateway Protocol (BGP)
3. System Route (Azure Default)
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

15. Longest Prefix Matching
Target IP = 10.100.200.97
Configured Routes
• 10.0.0.0/8
• 10.100.0.0/16
• 10.100.200.0/24
• 10.100.200.97/32 => WINS (LPM)

16. Routing “Beyond
the Basics”

17. Service Endpoints & Service Injection
Injection
Dedicated PaaS Services,
like for example
App Service Environment
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://kvaes.wordpress.com/2018/06/08/taking-a-look-at-azure-service-endpoints/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services

18. VNET Peering
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

19. Layer 2
• Is not under –your- control…
(due to the network virtualization layer)
• Azure is all about Layer 3 in terms of
design.
• Use the Load Balancer to “work
around” this.

20. One more
thing
Conflicting / overlapping IP
plans

21. Outbound
Connections

22. What IP will be seen externally?
Scenario Method Protocols Description
VM with own
PIP
SNAT only TCP, UDP, ICMP,
ESP
Azure uses the public IP assigned to the IP
configuration of the instance's NIC. The instance has all
ephemeral ports available.
VM behind LB SNAT with PAT
using LB PIP
TCP, UDP Azure shares the public IP address of the public Load
Balancer frontends with multiple private IP addresses.
Azure uses ephemeral ports of the frontends to PAT.
VM without
PIP or LB
SNAT with PAT
using shared
PIP
TCP, UDP Azure automatically designates a public IP address for SNAT,
shares this public IP address with multiple private IP addresses
of the availability set, and uses ephemeral ports of this public IP
address. This is a fallback scenario for the preceding scenarios.
We don't recommend it if you need visibility and control.

23. Gotcha of the
day
• Using an Internal Standard Load
Balancer?
• Assign a PIP per node
or
• Add the nodes to a External Load
Balancer with “dummy” rules
• Or the nodes won’t be able to reach
the outside world…

24. Load Balancer
Trivia
• Using an External Standard Load
Balancer
• “Secure by Default”
• “Closed by default for public IP and
Load Balancer endpoints and a network
security group must be used to
explicitly whitelist for traffic to flow!”

25. Network Virtual
Appliance

26. Before anything
Draw a high level
10 mile high
overview of your
security rules!

27. ... which everyone can understand!

28. … and then start discussing the NVA

29. Now let’s talk
about…
Network Virtual Appliances

30. NICNIC
NICNIC
NIC NIC
NIC NIC
Firewalls in Physical Networks

31. Azure = Layer 3 +
NICNIC
NICNIC
NIC NIC
Trusted subnet
10.10.0.0/16
Untrusted subnet
10.20.0.0/16
Address Space
10.0.0.0/8

32. Floating IP = Load Balancer
NIC
NIC
Are you
alive?
All good
Are you
alive?
All good

33. How many NICs does it take…

34. Flow Symmetry – Single NIC
NIC
NIC
NIC
NIC
Src IP Addr
Trusted VM IP
Dest IP Addr:
Untrusted VM IP Payload
Src Port:
X
Dest Port:
Y
Src IP Addr
Untrusted VM IP
Dest IP Addr:
Trusted VM IP Payload
Src Port:
Y
Dest Port:
X

35. Flow Symmetry – Single NIC
https://azure.microsoft.com/en-us/blog/azure-load-balancer-new-distribution-mode/

36. Flow Symmetry – Single NIC
NIC
NIC
NIC
NIC
Src IP Addr
Trusted VM IP
Dest IP Addr:
Untrusted VM IP Payload
Src Port:
X
Dest Port:
Y
Src IP Addr
Untrusted VM IP
Dest IP Addr:
Trusted VM IP Payload
Src Port:
Y
Dest Port:
X

37. Flow Symmetry – Dual NIC
NICNIC
NIC
NIC
NIC
NIC
SNAT
SNAT
reversed

38. Responding to probes
NICNIC
NIC
NIC
NIC
NIC
From: 168.63.129.16
From: 168.63.129.16
From: 168.63.129.16
From: 168.63.129.16

39. Key Takeaways
• Floating IP = Load Balancer IP
• Dual NIC = Complex
• Require SNAT
• Test NVA response to
probes
• Single NIC (recommended)
• No SNAT needed

40. Cost Drivers

41. https://kvaes.wordpress.com/2018/01/04/understanding-the-budget-impact-of-azure-networking-on-your-architecture/

42. What to remember?
• Understand cost drivers
• Design accordingly
• Network is mostly <2-3% of
the cost

43. One More Thing

44. Azure Firewall
What is it?
• Stateful firewall as a Service
• Built-in high availability with unrestricted cloud
scalability
• Centrally create, enforce, and log application and network
connectivity policies across subscriptions and VNETs
• Inbound NAT & Outbound SNAT support
• Rule base works with DNS naming
• First tier Azure service
Diff with NGFW
• Cannot be deployed outside of Azure
• No IPS/DPI

45. Azure Virtual WAN
When to use?
• Bigger VPN scale needed
(10Gbit & 100 connections)
• O365 Integration
• Breakout via Azure
(0.0.0.0/0 to Azure)
• Neutral Network HUB
Gotcha
• Virtual HUB is not global
• O365 is currently Citrix only

46. Azure ExpressRoute
Global Reach
Global reach is an enhancement to Azure ER offering end to
end IP transport. Compared to current functionality which
allows customers to attach Azure to their WAN to consume
services, Global Reach adds endpoint to end point transit
allowing customers to the Azure backbone to route traffic
between connected offices or entities.
Direct
ExpressRoute Direct provides customers with the ability to
connect directly into Microsoft’s global network at peering
locations strategically distributed across the world.
ExpressRoute Direct provides dual 100Gbps connectivity,
which supports Active/Active connectivity at scale.

47. Microsoft Azure Front Door (AFD) is a
service that offers a single global entry
point for customers accessing web apps,
APIs, content and cloud services. Through
a single pane of glass and global
infrastructure, AFD enables Azure customers
to build, manage and secure their global
applications and content, migrate to cloud
and modern microservice based
architectures while improving their users’
experience.
Cloud native, integrated
Enables real-time hyperscale for single domain
microservice apps where DNS traffic management
cannot
Provides applications with premium edge
performance acceleration and caching via Microsoft’s
unique global WAN
Customers get a single pane of glass for service
orchestration and global traffic optics
Learn more.
Microsoft Azure Front Door services
Front Door
global WAN
global
orchestration global optics
end-user
Regional
App
Stamp
Regional
App
Stamp
Regional
App
Stamp
https://kvaes.wordpress.com/2018/10/03/trying-out-the-azure-front-door-service/

48. If you are reading this…
You made it to the end!
(withoutfallingasleep)

49. Surely there must
be questions
which I can answer for you!

50. Feedback?
I would love to hear from you!
For example : Please use another speaker next time!