A thorough understanding of the many aspects of Azure networking is essential for implementing hybrid clouds that are secure and, at the same time, functional. This session explores from every angle the key elements to consider when building hybrid network architectures, making the best use of the services the Azure platform offers in order to achieve the best integration with the on-premises environment without ever neglecting security. The talk goes into the details of advanced hybrid network architectures, showing real examples drawn from direct field experience.
By Francesco Molfese
4. WHO AM I?
Francesco Molfese
Senior Consultant at Progel Spa, Microsoft MVP Cloud and Datacenter Management, MCT
francesco.molfese@progel.it
LinkedIn: francescomolfese
Twitter: @FrancescoMolf
6. ZERO TRUST NETWORKING MATURITY MODEL
[Diagram: maturity model layers Network, Infrastructure, Apps and Data, with Security Enforcement, Visibility and Analytics, and Automation as cross-cutting capabilities]
7. AZURE NETWORK SECURITY
Segment: prevent lateral movement and data exfiltration
Protect: secure the network with threat intelligence
Connect: embrace distributed connectivity
Deploy securely across the DevOps process
8. ACHIEVING ZERO TRUST WITH AZURE NETWORKING
Defense-in-Depth: Cloud-Native Network Security Services + Networking Partner Solutions
Software Defined Network (SDN): Virtual Networks, Network Security Groups, User Defined Routes, Load Balancer, Azure Firewall, Azure DDoS Protection, Azure Web Application Firewall, Azure Private Link
11. NETWORK AND APPLICATION SECURITY GROUPS
Network Security Groups
• Protects your workloads with distributed ACLs
• Simplified configuration with augmented security rules
• Enforced at every host, applied on multiple subnets
Application Security Groups
• Micro-segmentation for dynamic workloads
• Named monikers for groups of VMs
• Removes management of IP addresses
Service Tags
• Named monikers for Azure service IPs
• Many services tagged, including AzureCloud
Logging and troubleshooting
• NSG flow logs for traffic monitoring
• Integrated with Network Watcher
• JIT access policies with Azure Security Center
12. NETWORK SECURITY FOR YOUR VNET TRAFFIC
[Diagram: one Network Security Group (NSG) applied to workloads grouped into Application Security Groups: Monitoring VMs, App Servers, Database Servers, Log Servers, Web Servers, Domain Servers, Domain Clients and Quarantine VMs]
Action  Name                        Source                          Destination       Port
Deny    QuarantineVMs               Any                             QuarantineVMs     Any
Allow   AllowInternetToWebServers   Internet                        WebServers        80, 443 (HTTP)
Allow   AllowWebToApp               WebServers                      AppServers        443 (HTTPS)
Allow   AllowAppToDb                AppServers                      DatabaseServers   1443 (MSSQL)
Allow   AllowAppToLogServers        AppServers                      LogServers        8089
Allow   AllowOnPrem                 10.10.0.0/16, 192.168.10.0/24   MonitoringVMs     80 (HTTP)
Deny    DenyAllInbound              Any                             Any               Any
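As an added example (not from the talk), the rule set above expressed as a small Python evaluator that applies NSG semantics: rules are processed in priority order and the first match wins, so the Deny on QuarantineVMs takes precedence over every Allow below it, and anything unmatched falls through to DenyAllInbound. The priorities, the ASG membership and all IP addresses are constructed for the example, and the Internet service tag is modelled as any address outside RFC 1918 space.

```python
import ipaddress

# Constructed ASG membership (IPs invented). A NIC may belong to several
# ASGs: 10.0.9.10 is a web server that has been moved into QuarantineVMs.
ASG = {
    "QuarantineVMs": {"10.0.9.10"},
    "WebServers": {"10.0.1.4", "10.0.9.10"},
    "AppServers": {"10.0.2.4"},
    "DatabaseServers": {"10.0.3.4"},
    "LogServers": {"10.0.4.4"},
    "MonitoringVMs": {"10.0.5.4"},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The slide's inbound rules: (priority, name, action, sources, destinations, ports).
# Priorities are assumed (the slide shows none); lower wins and the first match stops.
RULES = [
    (100, "QuarantineVMs", "Deny", ["Any"], ["QuarantineVMs"], "Any"),
    (200, "AllowInternetToWebServers", "Allow", ["Internet"], ["WebServers"], {80, 443}),
    (300, "AllowWebToApp", "Allow", ["WebServers"], ["AppServers"], {443}),
    # 1443 as printed on the slide; SQL Server's default listener port is 1433
    (400, "AllowAppToDb", "Allow", ["AppServers"], ["DatabaseServers"], {1443}),
    (500, "AllowAppToLogServers", "Allow", ["AppServers"], ["LogServers"], {8089}),
    (600, "AllowOnPrem", "Allow", ["10.10.0.0/16", "192.168.10.0/24"], ["MonitoringVMs"], {80}),
    (4000, "DenyAllInbound", "Deny", ["Any"], ["Any"], "Any"),
]

def selector_matches(selector, ip):
    """Any, the Internet tag (modelled as outside RFC 1918), an ASG name or a CIDR."""
    addr = ipaddress.ip_address(ip)
    if selector == "Any":
        return True
    if selector == "Internet":
        return not any(addr in net for net in RFC1918)
    if selector in ASG:
        return ip in ASG[selector]
    return addr in ipaddress.ip_network(selector, strict=False)

def evaluate(src_ip, dst_ip, dst_port):
    """Return (action, rule name) of the first rule that matches, in priority order."""
    for _prio, name, action, sources, dests, ports in sorted(RULES, key=lambda r: r[0]):
        if (any(selector_matches(s, src_ip) for s in sources)
                and any(selector_matches(d, dst_ip) for d in dests)
                and (ports == "Any" or dst_port in ports)):
            return action, name
    return "Deny", "DenyAllInBound"  # NSG built-in default rule, priority 65500

if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.0.9.10", 443), ("10.0.1.4", "10.0.3.4", 1443)]:
        print(flow, "->", evaluate(*flow))
```

Moving a NIC into the QuarantineVMs ASG is enough to cut the host off, even though it still matches the WebServers allow rule, which is the micro-segmentation point the slide makes.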
13. AZURE PRIVATE LINK
HIGHLY SECURE AND PRIVATE CONNECTIVITY SOLUTION FOR AZURE PLATFORM
[Diagram: a private endpoint (10.0.0.5) inside the Virtual Network (10.0.0.0/16) maps Storage, SQL and SQL DW to private addresses; Internet access to those services is denied; on-premises reaches the private endpoint through the ER Gateway over ExpressRoute private peering; Private Link Service exposes customer-owned services alongside Azure PaaS services and Marketplace services]
• Private access from Virtual Network resources, peered networks and on-premises networks
• In-built data exfiltration protection
• Predictable private IP addresses for PaaS resources
• Unified experience across PaaS, customer-owned and Marketplace services
15. HYBRID CONNECTIVITY OPTIONS
Secure site-to-site VPN connectivity
• Connect to Azure compute from on-premises or another Azure region
Secure point-to-site connectivity
• POC efforts
• Small scale deployments
• Connect from anywhere
ExpressRoute connectivity
• Connectivity from your on-premises data center to Azure virtual networks and PaaS services
VNet Peering
• VNet-to-VNet connectivity
• Direct VM-to-VM connectivity
• Peer VNets for routing and transit
16. VPN SKUs
SKU      Aggregate throughput   P2S connections   IKEv1/v2
VpnGw1   650 Mbps               250               IKEv1+IKEv2
VpnGw2   1 Gbps                 500               IKEv1+IKEv2
VpnGw3   2.5 Gbps               1,000             IKEv1+IKEv2
VpnGw4   5 Gbps                 5,000             IKEv1+IKEv2
VpnGw5   10 Gbps                10,000            IKEv1+IKEv2
P2S
• AAD auth + MFA
• Azure VPN Client (Windows App)
• OpenVPN protocol
• Native AAD authentication with MFA
• Client-side diagnostics, logs and metrics
S2S
• High throughput VPN: 10 Gbps
• New Azure VPN gateways: VpnGw3/4/5
• Up to 10 Gbps aggregate
• Up to 10,000 P2S connections
• IKEv1 + IKEv2 on VpnGw1-5
• IKEv1 on new VpnGw SKUs (1 ~ 5)
• Multiple IKEv1 S2S tunnels
• IKEv1 and IKEv2 on the same VPN gateway
• VPN gateway packet capture
• With 5-tuple packet filter
• ETW or PCAP formats
• Custom IKE traffic selectors
19. HUB-SPOKE BENEFITS
• Cost savings by centralizing services that can be shared by multiple workloads, such as network virtual appliances (NVAs) and DNS servers, in a single location.
• Overcome subscription limits by peering VNets from different subscriptions to the central hub.
• Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps).
20. THE BEGINNING…
[Diagram: Region 1 with shared services, reached over a private WAN by a branch office, an HQ/bigger office and users]
21. MORE…
[Diagram: Regions 1, 2 and 3, each with shared services, reached over the private WAN by more branch offices, more HQ/bigger offices and more users]
23. GETTING ADVANCED…
[Diagram: Regions 1, 2 and 3 interconnected over the private WAN]
• Need to simplify network
• Need ease of use
• Need operational savings
24. AZURE VIRTUAL WAN
[Diagram: Virtual WAN hubs in Regions 1, 2 and 3 connect VNets, the datacenter and Corp HQ over ExpressRoute, branches over site-to-site VPN and users over point-to-site VPN]
• Managed hub-and-spoke architecture
• Public (VPN) and private (ExpressRoute) connectivity
• Hub/any-to-any connectivity
• Transit routing
• ExpressRoute integration
• Point-to-site VPN integration
• Path selection from branch
• Azure Firewall integration
• Global scale: 20 Gbps S2S VPN + 20 Gbps ER + 20 Gbps User VPN (P2S), 10K users per hub, 1000 sites per hub
25. GLOBAL TRANSIT ARCHITECTURE WITH AZURE VIRTUAL WAN
[Diagram: the private WAN topology of Regions 1, 2 and 3 replaced by Virtual WAN hubs]
Simplified network, ease of use, operational savings
• Branch to Azure
• Branch to Branch
• VNet to VNet
• VPN<->ER
• Full mesh hubs
• Any-to-any connectivity
• User VPN<->Site
30. PROTECTION SERVICES ENABLING ZERO TRUST
Azure Firewall, DDoS Protection, Web Application Firewall, Network Security Groups, VNET Integration
Themes: Application protection, Segmentation
31. AZURE FIREWALL
CLOUD NATIVE STATEFUL FIREWALL AS A SERVICE
Central governance of all traffic flows
• Built-in high availability and auto scale
• Network and application traffic filtering
• Centralized policy across VNets and subscriptions
Complete VNET protection
• Filter outbound, inbound, spoke-to-spoke and hybrid connection traffic (VPN and ExpressRoute)
Centralized logging
• Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or the Security Information and Event Management (SIEM) system of your choice
Best for Azure
• DevOps integration, FQDN Tags, Service Tags, integration with ASE, Backup and other Azure services
[Diagram: Azure Firewall in the hub between the spoke VNets and on-premises]
32. AZURE FIREWALL MANAGER
CENTRAL NETWORK SECURITY POLICY AND ROUTE MANAGEMENT FOR GLOBALLY DISTRIBUTED, SOFTWARE-DEFINED PERIMETERS
• Deploy and configure multiple Azure Firewall instances
• Optimized for DevOps with hierarchical policies
• Easily attract traffic to your secured hub for filtering and logging using central routing configuration
• Use best-in-breed third party Security as a Service (SECaaS) partners for advanced internet security
• Combine with Azure Firewall for private traffic
ROADMAP
• Support Azure Firewall in a Virtual Network
• Optimized O365 and Azure public PaaS access
33. SECURED VIRTUAL HUBS
EXTEND YOUR SECURITY EDGE TO AZURE WITH SECURED VIRTUAL HUBS
• A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager
• Easily create hub-and-spoke architectures with cloud native security services for traffic governance and protection
• Azure Firewall now integrated with Virtual WAN Hubs
• Secured virtual hub can be used as a managed central virtual network with no on-prem connectivity
[Diagram: HQ/branch and datacenter connect over ER/VPN to a secured vHub (Azure Firewall, one per region, managed by Azure Firewall Manager) serving the VNets; direct Internet breakout for O365; secure Internet access via Azure based on IPs/FQDNs/Tags; PaaS access; user-aware Internet access via a 3rd party]
34. CENTRAL SECURITY AND ROUTE POLICY MANAGEMENT
[Diagram: Azure Firewall Manager with a Global Admin and Local Admins; Prod hub: global policy; Staging hub: global policy; Dev hub: global policy + local policy; each secured vHub serving its VNets]
Deploy and configure multiple Azure Firewall instances
• Span different Azure regions and subscriptions from a single pane of glass
DevOps optimized hierarchical Azure Firewall policies
• Global firewall policies authored by central IT, with locally derived firewall policies for DevOps self-service and better agility
Centralized routing configuration
• Easily attract traffic to your secured virtual hub for filtering and logging without manipulating User Defined Routes
36. AZURE BASTION
SECURE AND SEAMLESS RDP AND SSH ACCESS TO YOUR VIRTUAL MACHINES USING ZERO TRUST (GA)
• RDP/SSH to your workload using an HTML5 standards-based web browser, directly in the Azure Portal
• Resources can be accessed without public IP addresses
• Supported Azure resources include VMs, VM Scale Sets, Dev-Test Labs
• No agent required
[Diagram: the user reaches the Azure Portal over the Internet on SSL port 443; Azure Bastion, deployed in the "AzureBastionSubnet" of the customer's Virtual Network, opens the remote protocol session (RDP, SSH, et al) on port 3389/22 to the private IP of the Azure VMs in the target VM subnet(s)]
37. CLOUD SCALE DDOS PROTECTION FOR AZURE
AZURE DDOS PROTECTION STANDARD
[Diagram: inbound traffic from the public Internet to Public IP 1 and Public IP 2 (Web Application 1 and 2) passes DDoS Protection Standard and its adaptive tuning engine on the Azure global network before reaching Azure WAF, Azure Firewall in the central VNET and the spoke VNETs]
1. Azure global network
2. Adaptive tuning
3. Attack analytics and metrics
4. DDoS Rapid Response (DRR)
5. SLA guarantee and cost protection
38. PROTECTION SERVICES ENABLING ZERO TRUST
AZURE FIREWALL
• Centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering
• Better central governance of all traffic flows, full DevOps integration using cloud native high availability with autoscale
DDOS PROTECTION
• DDoS protection tuned to your application traffic patterns
WEB APPLICATION FIREWALL
• Centralized inbound web application protection from common exploits and vulnerabilities
• Prevent SQL injection, stop cross site scripting and an array of other types of attacks using a cloud native approach
NETWORK SECURITY GROUPS
• Distributed inbound and outbound network (L3-L4) traffic filtering on VM, container or subnet
• Full granular distributed end node control at VM/subnet for all network traffic flows
VNET INTEGRATION
• Restrict access to Azure service resources (PaaS) to only your Virtual Network
• Extend your Virtual Network controls to lock down Azure service resources (PaaS) access
Themes: Segmentation, Application protection
39. HOW IT ALL WORKS TOGETHER
[Diagram: the on-premises data center, branch offices and mobile workers reach the Azure hub VNET over ExpressRoute, VPN Gateway and Virtual WAN; inbound traffic from the public Internet passes Azure DDoS, Azure Global WAF and Azure Regional WAF; Azure Firewall in the hub governs inbound and outbound flows; Private Link fronts PaaS services; apps on IaaS and PaaS live in the spoke VNETs]
PRIVATE PaaS = IaaS/PaaS spoke VNET (app on IaaS, app on PaaS) + Network Security Group + Private Link
PUBLIC PaaS = IaaS/PaaS spoke VNET (app on IaaS, app on PaaS) + Network Security Group + Service Endpoints to public PaaS services
40. KEY TAKEAWAYS
• Embrace the zero trust networking model
• Segment your network and create micro-perimeters with Azure Firewall, NSG etc.
• Use a defense in depth security strategy with cloud native services
• Enable WAF and DDoS for Web/API/Mobile applications
• Explore Azure as your secured Internet edge with Azure Firewall Manager