The document discusses various Azure networking patterns and concepts. It begins with an overview of networking patterns like island mode, hybrid connections, and using a network virtual appliance with a northbound and southbound configuration. It then covers routing basics in Azure like longest prefix matching and custom routes. Other sections discuss routing beyond the basics with service endpoints and injections. It also discusses outbound connections, load balancers, network virtual appliances, and cost drivers. The document provides explanations and examples throughout to illustrate Azure networking concepts.
14. Azure Routing Explained
• Longest Prefix Matching Wins
• In case of tie…
1. User Defined Route (Custom)
2. Border Gateway Protocol (BGP)
3. System Route (Azure Default)
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
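The selection rule above (longest prefix first, then UDR over BGP over system route) is easy to get wrong when a 0.0.0.0/0 UDR is expected to "catch everything". The following is an added example, not code from the original deck: it models an Azure route table and shows that a force-tunnel UDR still loses to the more specific 10.0.0.0/8 "None" system route, so traffic to an unpeered 10.x address is silently dropped rather than inspected. The VNet prefix, NVA address and on-premises prefix are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order Azure applies when two routes have the same prefix length
# (lower number = preferred): UDR beats BGP beats the system default.
SOURCE_PRIORITY = {"UserDefined": 0, "BGP": 1, "System": 2}

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # next hop type, plus the address for VirtualAppliance
    source: str     # "System", "BGP" or "UserDefined"

def route(prefix, next_hop, source):
    return Route(ipaddress.ip_network(prefix), next_hop, source)

def effective_route(table, destination):
    """Return the route Azure would pick for `destination`: longest prefix
    first, then the source priority above as the tie-breaker."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, SOURCE_PRIORITY[r.source]))

# Constructed example (assumed addresses): VNet 10.1.0.0/16 with an NVA at
# 10.1.1.4, on-premises 10.2.0.0/16 learned over BGP, and two UDRs.
SYSTEM_DEFAULTS = [
    route("10.1.0.0/16", "VirtualNetwork", "System"),
    route("0.0.0.0/0", "Internet", "System"),
    route("10.0.0.0/8", "None", "System"),
    route("172.16.0.0/12", "None", "System"),
    route("192.168.0.0/16", "None", "System"),
    route("100.64.0.0/10", "None", "System"),
]
BGP_ROUTES = [route("10.2.0.0/16", "VirtualNetworkGateway", "BGP")]
UDRS = [
    route("0.0.0.0/0", "VirtualAppliance 10.1.1.4", "UserDefined"),    # force-tunnel to NVA
    route("10.2.0.0/16", "VirtualAppliance 10.1.1.4", "UserDefined"),  # inspect on-prem traffic
]
TABLE = SYSTEM_DEFAULTS + BGP_ROUTES + UDRS

def next_hop_for(destination, table=TABLE):
    """(next hop, source) of the effective route, or None if nothing matches."""
    r = effective_route(table, destination)
    return (r.next_hop, r.source) if r else None

if __name__ == "__main__":
    for dst in ("10.1.0.5", "8.8.8.8", "10.2.3.4", "10.200.0.1"):
        print(dst, "->", next_hop_for(dst))
```

The last destination is the practitioner's caveat: to push RFC 1918 traffic through the NVA as well, the UDR set needs explicit 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 entries, because the /8 system route is more specific than any default route you add.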
17. Service Endpoints & Service Injection
• Service Endpoints: extend your VNet's identity to a PaaS service (Storage, SQL, ...) so the service can restrict access to traffic from your subnets; that traffic stays on the Azure backbone.
• Injection: dedicated PaaS services deployed into your own VNet, for example App Service Environment.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://kvaes.wordpress.com/2018/06/08/taking-a-look-at-azure-service-endpoints/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services
19. Layer 2
• Is not under -your- control (due to the network virtualization layer).
• Azure is all about Layer 3 in terms of design.
• Use the Load Balancer to "work around" this.
22. What IP will be seen externally?
Scenario: VM with own PIP
  Method: SNAT only
  Protocols: TCP, UDP, ICMP, ESP
  Description: Azure uses the public IP assigned to the IP configuration of the instance's NIC. The instance has all ephemeral ports available.
Scenario: VM behind LB
  Method: SNAT with PAT using the LB PIP
  Protocols: TCP, UDP
  Description: Azure shares the public IP address of the public Load Balancer frontends with multiple private IP addresses. Azure uses ephemeral ports of the frontends to PAT.
Scenario: VM without PIP or LB
  Method: SNAT with PAT using a shared PIP
  Protocols: TCP, UDP
  Description: Azure automatically designates a public IP address for SNAT, shares this public IP address with multiple private IP addresses of the availability set, and uses ephemeral ports of this public IP address. This is a fallback scenario for the preceding scenarios. We don't recommend it if you need visibility and control.
23. Gotcha of the day
• Using an Internal Standard Load Balancer?
• Assign a PIP per node, or
• Add the nodes to an External Load Balancer with "dummy" rules
• Otherwise the nodes won't be able to reach the outside world...
24. Load Balancer Trivia
• Using an External Standard Load Balancer
• "Secure by Default"
• "Closed by default for public IP and Load Balancer endpoints, and a network security group must be used to explicitly whitelist for traffic to flow!"
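"Closed by default" means the NSG decides: with only the three default inbound rules present, a Standard Load Balancer frontend answers nothing from the Internet, and only an explicit lower-priority Allow rule opens a port. The block below is an added example, not code from the original deck or from Microsoft: it evaluates an NSG rule list the way the platform does (lowest priority number first, first match wins) over a constructed VNet address space and a constructed Internet client, with simplified service-tag matching. It goes slightly beyond the slide by also showing the default AllowVnetInBound and AllowAzureLoadBalancerInBound rules, the latter matching the Azure health-probe source 168.63.129.16.

```python
import ipaddress
from dataclasses import dataclass

VNET_SPACE = ipaddress.ip_network("10.1.0.0/16")           # assumed VNet address space
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")   # Azure health-probe source

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # lower wins; custom rules 100-4096, default rules 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" or a service tag (VirtualNetwork, AzureLoadBalancer, Internet)
    dest_ports: str    # "443", "1000-2000" or "*"

# Default inbound rules Azure places in every NSG (destination matching omitted here).
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

def source_matches(spec, src):
    """Simplified service-tag semantics for the example; real tags are larger lists."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return src in VNET_SPACE
    if spec == "AzureLoadBalancer":
        return src == AZURE_LB_PROBE_IP
    if spec == "Internet":
        return src not in VNET_SPACE
    return src in ipaddress.ip_network(spec)

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, src_ip, dest_port):
    """First matching rule in priority order decides; returns (access, rule name)."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if source_matches(rule.source, src) and port_matches(rule.dest_ports, dest_port):
            return rule.access, rule.name
    return "Deny", "<no rule>"   # not reached while the default rules are present

# Hardened rule set: open only TCP/443 from the Internet; everything else stays closed.
CUSTOM_INBOUND = [
    NsgRule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
] + DEFAULT_INBOUND

if __name__ == "__main__":
    print(evaluate(DEFAULT_INBOUND, "Inbound", "Tcp", "203.0.113.7", 443))   # denied
    print(evaluate(CUSTOM_INBOUND, "Inbound", "Tcp", "203.0.113.7", 443))    # allowed
    print(evaluate(CUSTOM_INBOUND, "Inbound", "Tcp", "203.0.113.7", 22))     # still denied
    print(evaluate(CUSTOM_INBOUND, "Inbound", "Tcp", "168.63.129.16", 8080)) # probe allowed
```

The probe case matters for the NVA slides later in the deck: if a custom Deny rule with a priority below 65001 covers the probe port, the backend is marked unhealthy and the Load Balancer stops sending it traffic.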
34. Flow Symmetry – Single NIC
(diagram) Forward packet: Src IP Trusted VM IP, Src Port X -> Dest IP Untrusted VM IP, Dest Port Y. Return packet: Src IP Untrusted VM IP, Src Port Y -> Dest IP Trusted VM IP, Dest Port X. Both directions pass through the same NVA NIC.
36. Flow Symmetry – Single NIC
(diagram: same forward/return packet pair as slide 34, Trusted VM IP:X <-> Untrusted VM IP:Y, through a single NVA NIC)
37. Flow Symmetry – Dual NIC
(diagram) The forward flow is SNATed as it leaves the NVA's second NIC; on the return flow the SNAT is reversed, so the reply comes back to the same NVA instance.
39. Key Takeaways
• Floating IP = Load Balancer IP
• Dual NIC = complex: requires SNAT; test the NVA's response to health probes
• Single NIC (recommended): no SNAT needed
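The "Dual NIC = requires SNAT" takeaway comes down to state: a stateful NVA only accepts a reply on the instance that saw the original packet. The block below is an added example, not code from the original deck, that models two NVA instances behind an internal Load Balancer with a trusted and an untrusted NIC each. The backend choice is a plain hash over the 5-tuple, which is a stand-in for the dual-NIC problem rather than Azure's actual algorithm (Azure's hashing guarantees symmetry for the single-NIC layout, which this model does not reproduce). Without SNAT the reply is hashed again by the untrusted-side frontend and can land on the other instance; with SNAT the reply is addressed to the NVA's own NIC and always returns to the instance holding the state. All addresses are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed addresses for the example (not from the original deck).
TRUSTED_VM = "10.1.0.10"           # trusted subnet 10.1.0.0/24
UNTRUSTED_VM = "10.1.3.10"         # untrusted subnet 10.1.3.0/24
TRUSTED_FRONTEND = "10.1.1.100"    # ILB frontend in the NVA trusted-NIC subnet
UNTRUSTED_FRONTEND = "10.1.2.100"  # ILB frontend in the NVA untrusted-NIC subnet
SNAT_PORT_BASE = 40000

@dataclass
class Nva:
    name: str
    trusted_ip: str
    untrusted_ip: str
    conntrack: set = field(default_factory=set)   # (src, sport, dst, dport) seen outbound

NVAS = [Nva("nva-a", "10.1.1.4", "10.1.2.4"), Nva("nva-b", "10.1.1.5", "10.1.2.5")]

def lb_pick(src, sport, dst, dport):
    """Stand-in for the Load Balancer's hash-based backend choice: a plain
    hash over the 5-tuple, so the reversed tuple may select another backend."""
    key = f"tcp|{src}|{sport}|{dst}|{dport}".encode()
    return NVAS[int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(NVAS)]

def deliver(next_hop, src, sport, dst, dport):
    """Hand a packet to an NVA instance: through the ILB hash when the next hop
    is a frontend, directly when it is addressed to an NVA NIC."""
    if next_hop in (TRUSTED_FRONTEND, UNTRUSTED_FRONTEND):
        return lb_pick(src, sport, dst, dport)
    for nva in NVAS:
        if next_hop in (nva.trusted_ip, nva.untrusted_ip):
            return nva
    raise ValueError(f"no path to {next_hop}")

def session(sport, snat):
    """One packet trusted -> untrusted and its reply.
    Returns (forward instance, return instance, reply accepted by the stateful NVA)."""
    for nva in NVAS:
        nva.conntrack.clear()
    # Forward: the UDR on the trusted subnet points at the trusted-side frontend.
    fwd = deliver(TRUSTED_FRONTEND, TRUSTED_VM, sport, UNTRUSTED_VM, 443)
    if snat:   # rewrite the source to this instance's own untrusted NIC
        out_src, out_sport = fwd.untrusted_ip, SNAT_PORT_BASE + sport % 1024
    else:
        out_src, out_sport = TRUSTED_VM, sport
    fwd.conntrack.add((out_src, out_sport, UNTRUSTED_VM, 443))
    # Reply: a packet for the trusted VM follows the untrusted subnet's UDR to the
    # untrusted frontend (hashed again); a packet for an NVA NIC goes to that NIC.
    next_hop = UNTRUSTED_FRONTEND if out_src == TRUSTED_VM else out_src
    ret = deliver(next_hop, UNTRUSTED_VM, 443, out_src, out_sport)
    accepted = (out_src, out_sport, UNTRUSTED_VM, 443) in ret.conntrack
    return fwd.name, ret.name, accepted

def find_asymmetric_flow(ports=range(49152, 49352)):
    """Without SNAT: first source port whose reply lands on the other instance."""
    for sport in ports:
        fwd, ret, accepted = session(sport, snat=False)
        if fwd != ret:
            return sport, fwd, ret, accepted
    return None

def all_replies_accepted_with_snat(ports=range(49152, 49352)):
    return all(session(sport, snat=True)[2] for sport in ports)

if __name__ == "__main__":
    print("asymmetric flow without SNAT:", find_asymmetric_flow())
    print("every reply accepted with SNAT:", all_replies_accepted_with_snat())
```

The price of SNAT is visible in the model too: the untrusted side only ever sees the NVA's NIC address, so logging on the destination loses the real client IP unless the NVA's own logs are collected.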
44. Azure Firewall
What is it?
• Stateful firewall as a service
• Built-in high availability with unrestricted cloud scalability
• Centrally create, enforce, and log application and network connectivity policies across subscriptions and VNets
• Inbound NAT (DNAT) & outbound SNAT support
• Rule base works with DNS names (FQDNs)
• First tier Azure service
Differences from a next-generation firewall (NGFW)
• Cannot be deployed outside of Azure
• No IPS/DPI
45. Azure Virtual WAN
When to use?
• Bigger VPN scale needed (10 Gbit & 100 connections)
• O365 integration
• Breakout via Azure (0.0.0.0/0 to Azure)
• Neutral network hub
Gotcha
• A Virtual Hub is not global (it is regional)
• O365 integration is currently Citrix only
46. Azure ExpressRoute
Global Reach
Global Reach is an enhancement to Azure ExpressRoute offering end-to-end IP transport. Compared to the current functionality, which allows customers to attach Azure to their WAN to consume services, Global Reach adds endpoint-to-endpoint transit, allowing customers to use the Azure backbone to route traffic between connected offices or entities.
Direct
ExpressRoute Direct provides customers with the ability to connect directly into Microsoft's global network at peering locations strategically distributed across the world. ExpressRoute Direct provides dual 100 Gbps connectivity, which supports Active/Active connectivity at scale.
47. Microsoft Azure Front Door (AFD) is a service that offers a single global entry point for customers accessing web apps, APIs, content and cloud services. Through a single pane of glass and global infrastructure, AFD enables Azure customers to build, manage and secure their global applications and content, migrate to cloud and modern microservice-based architectures, while improving their users' experience.
Cloud native, integrated
• Enables real-time hyperscale for single-domain microservice apps where DNS traffic management cannot
• Provides applications with premium edge performance acceleration and caching via Microsoft's unique global WAN
• Customers get a single pane of glass for service orchestration and global traffic optics
(diagram: Microsoft Azure Front Door services; Front Door sits on Microsoft's global WAN between end-users and several Regional App Stamps, with global orchestration and global optics)
https://kvaes.wordpress.com/2018/10/03/trying-out-the-azure-front-door-service/
48. If you are reading this... You made it to the end! (without falling asleep)