Azure Networking Fridays with the C+E Black Belts

Olivier Martin (@omartin) – Azure Networking Black Belt

Kevin Lopez (@kevlopez) – ER Partner Sales Executive

Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive


Post on 01-Feb-2018



Before we get started

• Welcome customers and partners!!!

• Material is public information. No NDA info here.

• Use the IM window for questions.

• Sessions are recorded.

• We’ll post material @ http://aka.ms/AzureNetworkingFridays


• Azure Networking from 0 to 60

• Azure Networking Partner Spotlight : F5 Big IP

• Deep dive topic of the week :

• Guest Speaker : Telmo Sampaio (Principal Program Manager, Azure CAT)

• Open Q&A !

Agenda for October 28th, 2016


[Slide diagram: Azure services overview]

Groupings: Platform Services; Security & Management; Infrastructure Services

Services shown: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, BizTalk Services, Hybrid Connections, Service Bus, Storage Queues, Store / Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, Remote App, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot


BGP for redundant paths and dynamic routing

Automatic shortest path selection and failover

Transit over Microsoft global network

Secure connectivity using Internet only for “last mile”


Support on-premises network with multiple ISPs and VPN devices


From active-standby to active-active

Support both cross-premises and VNet-to-VNet connectivity

Spreading traffic over multiple tunnels simultaneously


[Slide map. Location labels: Atlanta; Chicago; Los Angeles; Seattle; Silicon Valley; Washington DC; Amsterdam; Dublin; London; Sao Paulo; Chennai; Hong Kong; Mumbai; Melbourne; Osaka; Singapore; Sydney; Tokyo; Las Vegas; Toronto; Montreal; Quebec City; New York City; Dallas; Newport, Wales; Paris; Beijing; Shanghai; Berlin; Frankfurt; Dallas; Washington DC; New York; Chicago. Additional labels: US Government; Germany; China]


[Slide diagram labels: Azure Active Directory; Azure subscription (×3); Access Control (×3); Virtual Network (×4); FW ×2, IIS ×2, SQL (group repeated ×4); ExpressRoute (×2); Internet (×4); Azure load balancer (×7)]


ExpressRoute and Virtual Appliance Partner Contacts

Equinix Professional Services [email protected] ExpressRoute SI Partner

Perficient [email protected] ExpressRoute SI Partner

Project Leadership [email protected] ExpressRoute SI Partner

Aryaka [email protected] ExpressRoute Connectivity Partner

AT&T AT&T Information Request Form ExpressRoute Connectivity Partner

Cologix [email protected] ExpressRoute Connectivity Partner

Comcast http://business.comcast.com/landingpage/microsoft-azure ExpressRoute Connectivity Partner

CoreSite [email protected] ExpressRoute Connectivity Partner

Equinix [email protected] ExpressRoute Connectivity Partner

Level 3 http://Level3.com/Azure ExpressRoute Connectivity Partner

Megaport [email protected] ExpressRoute Connectivity Partner

Orange [email protected] ExpressRoute Connectivity Partner

Tata Communication [email protected] ExpressRoute Connectivity Partner

Verizon [email protected] ExpressRoute Connectivity Partner

Zayo [email protected] ExpressRoute Connectivity Partner

Barracuda [email protected] Network Virtual Appliance Partner

Check Point http://www.checkpoint.com/vsec Network Virtual Appliance Partner

F5 [email protected] Network Virtual Appliance Partner

Riverbed [email protected] Network Virtual Appliance Partner


Partner Spotlight :


F5 | Microsoft Azure Solutions Overview

Gregory Coward, Solutions Architect, F5 Business Development

[email protected] – Technical

[email protected] – Sales Follow-up


“Leverages the same user interface, management, and breadth of features as on BIG-IP Hardware”

BIG-IP L4-L7 Services in Azure

Advanced Global Server Load Balancing

Remote Access, Pre-Authentication, SSO, and Multi-Factor Authentication

SAML 2.0 Federation IdP/SP

ICSA Certified Web Application Firewall / WAF

ICSA Certified L3/4 Network Firewall

Intelligent L7 Load Balancing

F5 | The BIG-IP in Azure “Available in Classic and ARM modes”


F5 | BIG-IP MODULES


F5 | BIG-IP Modules

Platforms: VIPRION Platform, BIG-IP Platform, BIG-IP Virtual Edition

High Performance Fabric

TMOS

PERFORMANCE, AVAILABILITY, SECURITY

LTM (Local Traffic Manager)

• Intelligent L4-L7 Load Balancing

• Traffic Optimization (Caching & Compression)

• Deep Packet Inspection

• Intelligent Traffic Steering

• Full-Proxy Architecture

DNS (Global Traffic Manager)

• Global Server Load Balancing (GSLB)

• Application Availability Awareness

• Geolocation

• DNS services

• DNSSEC

APM (Access Policy Manager)

• Strategic Point of Control for Application Delivery

• Multi-Factor = Integrates with RSA, SecurID, RADIUS, OTP, certificates, etc.

• Device-based access controls

• Single Sign-On (SSO)


F5 | BIG-IP Modules

ASM (Application Security Manager)

• ICSA Labs Certified Layer 7 firewall

• Web Application Firewall

• Positive and Negative Security Models

• Mitigate Layer 7 attacks – DDoS, SQL injection, OWASP Top Ten

AFM (Advanced Firewall Manager)

• ICSA Labs Certified

• Stateful firewall

• Processes 8x more traffic than closest competitor

• Access rules applied at multiple levels (virtual server, VLAN, route domain)

AAM (Application Acceleration Manager)

• Web performance optimization

• Mobile optimization

• WAN Optimization

• SaaS acceleration

Platforms: VIPRION Platform, BIG-IP Platform, BIG-IP Virtual Edition

High Performance Fabric

TMOS

PERFORMANCE, AVAILABILITY, SECURITY

Modules: LTM, DNS, APM, ASM, AFM, AAM


F5 | BIG-IP In Azure


F5 | The BIG-IP in Azure

Technical Specifics and Limitations

• Functions as any other Linux-based VM deployment

• Availability Sets

• Azure native HA/LB

• User Defined Routing

• Single-NIC & Multi-NIC deployments

• DHCP by default and only option via Azure Web Portal

• Static IP can be configured via PowerShell

• Each Host (including BIGIP) is limited to 1 External IP.

• Automatically assigned

• Utilizes DNAT

• Public IP addresses can be dynamic or static


F5 | The BIG-IP in Azure

Technical Specifics and Limitations

• Deploys pre-configured with VLAN and Self-IP

• Initial deployment/configuration has idiosyncrasies

• Deployed via PowerShell or Web Portal

• Maximum Throughput per instance 1GB*

• Can be deployed in a variety of Virtual Machine sizes (minimum 1 core, 1.75GB)

Multi-NIC Version Available

• Still limited to one external facing IP

• Must be installed via PowerShell, CLI, ARM templates

* Higher throughput possible via larger instance sizes and/or multi-NIC


F5 | Azure Security Center Deployment


• BIG-IP VE w/ASM as a service

• Three levels of WAF Policy Enforcement

• Currently only supported in ARM mode

• 1 to 2 instances can be deployed

• One Application per WAF deployment

• BYOL

F5 | Azure Security Center

WAF Considerations


F5 | User Experience Demo


F5 | The BIG-IP in Azure – DEMO

[Slide diagram labels: End Users; Internet; Europe; BIG-IP Global Traffic Manager (DNS); BIG-IP Local Traffic Manager (LTM); BIG-IP Access Policy Manager (APM); BIG-IP Application Security Manager (ASM); BIG-IP Advanced Firewall Manager (AFM)]


Technical Deep Dive with special guest :

Telmo Sampaio

Senior Program Manager, Azure CAT


Reference Architectures: Goal

• Proven by AzureCAT customers

• Golden path for each scenario with recommendations and considerations

• ARM templates to provision recommended architecture


Reference Architectures

Running virtual machines on Azure:

• Running a Windows VM on Azure

• Running a Linux VM on Azure

• Running multiple VMs for scalability and availability

• Running VMs for an N-tier architecture

• Adding reliability to an N-tier architecture (Windows)

• Adding reliability to an N-tier architecture (Linux)

• Running VMs in multiple regions for high availability (Windows)

• Running VMs in multiple regions for high availability (Linux)

Hybrid network architectures:

• Implementing a hybrid network architecture with Azure and on-premises VPN

• Implementing a hybrid network architecture with Azure ExpressRoute

• Implementing a highly available hybrid network architecture

• Implementing a DMZ between Azure and your on-premises datacenter

• Implementing a DMZ between Azure and the Internet

Identity:

• Extending Active Directory to Azure

• Implementing a secure hybrid network architecture with federated identities in Azure

Web applications (PaaS):

• Basic web application

• Improving scalability in a web application

• Web application with high availability


From RAs to composable elements

[Slide shows three network diagrams; the recoverable labels and address ranges are listed below.]

Diagram 1: Azure VNet 10.0.0.0/16

• Management subnet 10.0.0.128/25 (Jump box, Monitoring, NSG)

• Web tier 10.0.1.0/24 (Availability set, NSG)

• Business tier 10.0.2.0/24 (Availability set, NSG)

• Data tier 10.0.3.0/24 (Availability set, NSG)

• Other labels: PIP (×2), DevOps, Replication

Diagram 2: Azure VNet 10.0.0.0/16

• Gateway subnet 10.0.255.224/27 (VPN Gateway)

• Management subnet 10.0.0.128/25 (Jump box, Monitoring, NSG)

• On-premises network 192.168.0.0/16 (Gateway)

• Web tier 10.0.1.0/24 (Availability set, NSG)

• Business tier 10.0.2.0/24 (Availability set, NSG)

• Data tier 10.0.3.0/24 (Availability set, NSG)

Diagram 3: Azure VNet 10.0.0.0/16

• Gateway subnet 10.0.255.224/27 (UDR)

• Private DMZ in 10.0.0.0/27 (Internal load balancer, NICs)

• Private DMZ out 10.0.0.32/27 (NVA ×2, NICs, NSG)

• Management subnet 10.0.0.128/25 (Jump box, Monitoring, NSG)

• Public DMZ in 10.0.0.64/27 (NICs)

• Public DMZ out 10.0.0.96/27 (NVA ×2, NICs, NSG, PIP)

• Web tier 10.0.1.0/24 (Availability set)

• AD FS proxy subnet 10.0.4.128/27 (Availability set)

• Business tier 10.0.2.0/24 (Availability set, NSG)

• Data tier 10.0.3.0/24 (Availability set, NSG)

• AD FS subnet 10.0.4.32/27 (Availability set, NSG)

• AD DS subnet 10.0.4.0/27 (Availability set, NSG)

• On-premises network 192.168.0.0/16 (Gateway)

• Partner network (Federation server)

• Legend: Trust relationship; Web app request; Federated authentication request; Authentication request


Open Q&A


Thank you!

Session recording will be posted shortly here: http://aka.ms/AzureNetworkingFridays