TRANSCRIPT
Azure Networking Fridays with the C+E Black Belts
Olivier Martin (@omartin) – Azure Networking Black Belt
Kevin Lopez (@kevlopez) – ER Partner Sales Executive
Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive
Before we get started
• Welcome customers and partners!!!
• Material is public information. No NDA info here.
• Use the IM window for questions.
• Sessions are recorded.
• We’ll post material @ http://aka.ms/AzureNetworkingFridays
Agenda for October 28th, 2016
• Azure Networking from 0 to 60
• Azure Networking Partner Spotlight: F5 Big IP
• Deep dive topic of the week: Guest Speaker Telmo Sampaio (Principal Program Manager, Azure CAT)
• Open Q&A!
[Slide: Azure services overview, grouped as Platform Services, Security & Management and Infrastructure Services: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, BizTalk Services, Hybrid Connections, Service Bus, Storage Queues, Store / Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, RemoteApp, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot]
• BGP for redundant paths and dynamic routing
• Automatic shortest path selection and failover
• Transit over Microsoft global network
• Secure connectivity using Internet only for “last mile”
• Support on-premises network with multiple ISPs and VPN devices
• From active-standby to active-active
• Support both cross-premises and VNet-to-VNet connectivity
• Spreading traffic over multiple tunnels simultaneously
[Slide: world map of Azure regions and ExpressRoute locations: Atlanta, Chicago, Los Angeles, Seattle, Silicon Valley, Washington DC, Amsterdam, Dublin, London, Sao Paulo, Chennai, Hong Kong, Mumbai, Melbourne, Osaka, Singapore, Sydney, Tokyo, Las Vegas, Toronto, Montreal, Quebec City, New York City, Dallas, Newport (Wales), Paris, Beijing, Shanghai, Berlin, Frankfurt, New York; separate clouds: US Government, Germany, China]
[Slide: several Azure subscriptions under one Azure Active Directory tenant, each with its own access control and virtual network; each virtual network hosts a firewall (FW) pair, IIS web servers and a SQL back end behind Azure load balancers, reachable over the Internet or via ExpressRoute]
ExpressRoute and Virtual Appliance Partner Contacts
• Equinix Professional Services – [email protected] – ExpressRoute SI Partner
• Perficient – [email protected] – ExpressRoute SI Partner
• Project Leadership – [email protected] – ExpressRoute SI Partner
• Aryaka – [email protected] – ExpressRoute Connectivity Partner
• AT&T – AT&T Information Request Form – ExpressRoute Connectivity Partner
• Cologix – [email protected] – ExpressRoute Connectivity Partner
• Comcast – http://business.comcast.com/landingpage/microsoft-azure – ExpressRoute Connectivity Partner
• CoreSite – [email protected] – ExpressRoute Connectivity Partner
• Equinix – [email protected] – ExpressRoute Connectivity Partner
• Level 3 – http://Level3.com/Azure – ExpressRoute Connectivity Partner
• Megaport – [email protected] – ExpressRoute Connectivity Partner
• Orange – [email protected] – ExpressRoute Connectivity Partner
• Tata Communication – [email protected] – ExpressRoute Connectivity Partner
• Verizon – [email protected] – ExpressRoute Connectivity Partner
• Zayo – [email protected] – ExpressRoute Connectivity Partner
• Barracuda – [email protected] – Network Virtual Appliance Partner
• Check Point – http://www.checkpoint.com/vsec – Network Virtual Appliance Partner
• F5 – [email protected] – Network Virtual Appliance Partner
• Riverbed – [email protected] – Network Virtual Appliance Partner
Partner Spotlight: F5 | Microsoft Azure Solutions Overview
Gregory Coward, Solutions Architect, F5 Business Development
[email protected] – Technical
[email protected] – Sales Follow-up
“Leverages the same user interface, management, and breadth of features as on BIG-IP Hardware”
BIG-IP L4-L7 Services in Azure
• Advanced Global Server Load Balancing
• Remote Access, Pre-Authentication, SSO, and Multi-Factor Authentication
• SAML 2.0 Federation IdP/SP
• ICSA Certified Web Application Firewall / WAF
• ICSA Certified L3/4 Network Firewall
• Intelligent L7 Load Balancing
F5 | The BIG-IP in Azure “Available in Classic and ARM modes”
F5 | BIG-IP Modules
[Slide: the BIG-IP modules run on TMOS across the VIPRION platform, the BIG-IP platform and the BIG-IP Virtual Edition (high performance fabric), covering performance, availability and security]
LTM – Local Traffic Manager
• Intelligent L4-L7 Load Balancing
• Traffic Optimization (Caching & Compression)
• Deep Packet Inspection
• Intelligent Traffic Steering
• Full-Proxy Architecture
DNS – Global Traffic Manager
• Global Server Load Balancing (GSLB)
• Application availability awareness
• Geolocation
• DNS services
• DNSSEC
APM – Access Policy Manager
• Strategic Point of Control for Application Delivery
• Multi-Factor = Integrates with RSA, SecurID, RADIUS, OTP, certificates, etc.
• Device-based access controls
• Single Sign-On (SSO)
F5 | BIG-IP Modules
ASM – Application Security Manager
• ICSA Labs Certified Layer 7 firewall
• Web Application Firewall
• Positive and Negative Security Models
• Mitigate Layer 7 attacks – DDoS, SQL injection, OWASP Top Ten
AFM – Advanced Firewall Manager
• ICSA Labs Certified
• Stateful firewall
• Processes 8x more traffic than closest competitor
• Access rules applied at multiple levels (virtual server, VLAN, route domain)
AAM – Application Acceleration Manager
• Web performance optimization
• Mobile optimization
• WAN Optimization
• SaaS acceleration
F5 | BIG-IP In Azure
F5 | The BIG-IP in Azure – Technical Specifics and Limitations
• Functions as any other Linux-based VM deployment
  • Availability Sets
  • Azure native HA/LB
  • User Defined Routing
  • Single-NIC & Multi-NIC deployments
• DHCP by default, and the only option via the Azure Web Portal
  • Static IP can be configured via PowerShell
• Each host (including BIG-IP) is limited to 1 external IP
  • Automatically assigned
  • Utilizes DNAT
  • Public IP addresses can be dynamic or static
F5 | The BIG-IP in Azure – Technical Specifics and Limitations
• Deploys pre-configured with VLAN and Self-IP
• Initial deployment/configuration has idiosyncrasies
• Deployed via PowerShell or Web Portal
• Maximum throughput per instance 1GB*
• Can be deployed in a variety of Virtual Machine sizes (minimum 1 core, 1.75GB)
• Multi-NIC version available
  • Still limited to one external-facing IP
  • Must be installed via PowerShell, CLI, ARM templates
* Higher throughput possible via larger instance sizes and/or multi-NIC
F5 | Azure Security Center Deployment
• BIG-IP VE w/ASM as a service
• Three levels of WAF Policy Enforcement
• Currently only supported in ARM mode
• 1 to 2 instances can be deployed
• One Application per WAF deployment
• BYOL
F5 | Azure Security Center – WAF Considerations
F5 | User Experience Demo
[Slide: demo topology: end users on the Internet reach BIG-IP instances deployed in Azure (Europe) running the Global Traffic Manager (DNS), Local Traffic Manager (LTM), Access Policy Manager (APM), Application Security Manager (ASM) and Advanced Firewall Manager (AFM)]
F5 | The BIG-IP in Azure – DEMO
Technical Deep Dive with special guest:
Telmo Sampaio, Senior Program Manager, Azure CAT
Reference Architectures: Goal
• Proven by AzureCAT customers
• Golden path per each scenario with recommendations and considerations
• ARM templates to provision recommended architecture
Reference Architectures
Running virtual machines on Azure:
• Running a Windows VM on Azure
• Running a Linux VM on Azure
• Running multiple VMs for scalability and availability
• Running VMs for an N-tier architecture
• Adding reliability to an N-tier architecture (Windows)
• Adding reliability to an N-tier architecture (Linux)
• Running VMs in multiple regions for high availability (Windows)
• Running VMs in multiple regions for high availability (Linux)
Hybrid network architectures:
• Implementing a hybrid network architecture with Azure and on-premises VPN
• Implementing a hybrid network architecture with Azure ExpressRoute
• Implementing a highly available hybrid network architecture
• Implementing a DMZ between Azure and your on-premises datacenter
• Implementing a DMZ between Azure and the Internet
Identity:
• Extending Active Directory to Azure
• Implementing a secure hybrid network architecture with federated identities in Azure
Web applications (PaaS):
• Basic web application
• Improving scalability in a web application
• Web application with high availability
From RAs to composable elements
[Slide: N-tier VNet diagram. Azure VNet 10.0.0.0/16 with a management subnet 10.0.0.128/25 (jump box and monitoring, NSG), a web tier 10.0.1.0/24, a business tier 10.0.2.0/24 and a data tier 10.0.3.0/24, each tier in its own availability set behind an NSG; public IPs (PIP) for DevOps access; replication between data-tier nodes]
[Slide: hybrid VNet diagram. Azure VNet 10.0.0.0/16 with a gateway subnet 10.0.255.224/27 hosting the VPN gateway, a management subnet 10.0.0.128/25 (jump box and monitoring, NSG), and web 10.0.1.0/24, business 10.0.2.0/24 and data 10.0.3.0/24 tiers, each in an availability set behind an NSG; connected to the on-premises network 192.168.0.0/16 through its gateway]
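The slides show the address plan and the NSG-per-tier layout but not how the segmentation actually behaves. The following is an added example, not AzureCAT's templates or any code from the session: it takes the subnet plan from the diagram (VNet 10.0.0.0/16, management 10.0.0.128/25, web 10.0.1.0/24, business 10.0.2.0/24, data 10.0.3.0/24, gateway 10.0.255.224/27, on-premises 192.168.0.0/16), checks it for overlaps and out-of-range subnets, and then evaluates inbound flows against a simplified model of NSG rules (priority-ordered, first match wins, plus the AllowVnetInBound and DenyAllInBound default rules that Azure adds to every NSG). The per-tier ports (443, 8080, 1433, 22), the explicit VirtualNetwork deny rules, and the reduced service-tag semantics are assumptions chosen for illustration. The last check shows why the explicit deny matters: without it, the default AllowVnetInBound rule lets the web tier reach the data tier directly.

```python
import ipaddress
from dataclasses import dataclass

# Address plan taken from the slide diagram (hybrid N-tier reference architecture)
VNET = ipaddress.ip_network("10.0.0.0/16")
ON_PREM = ipaddress.ip_network("192.168.0.0/16")
SUBNETS = {
    "management": ipaddress.ip_network("10.0.0.128/25"),
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "business": ipaddress.ip_network("10.0.2.0/24"),
    "data": ipaddress.ip_network("10.0.3.0/24"),
    "gateway": ipaddress.ip_network("10.0.255.224/27"),
}


def validate_plan(vnet, subnets):
    """Return a list of problems: subnets outside the VNet or overlapping each other."""
    problems = []
    names = list(subnets)
    for name in names:
        if not subnets[name].subnet_of(vnet):
            problems.append(f"{name} {subnets[name]} is outside {vnet}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


@dataclass(frozen=True)
class Rule:
    """One inbound NSG rule (simplified model: source, destination port, action)."""
    priority: int   # lower number wins; rules are evaluated in priority order
    source: str     # CIDR, or the service tags "VirtualNetwork", "Internet", "*"
    dst_port: str   # port number as a string, or "*"
    action: str     # "Allow" or "Deny"


# Azure appends default inbound rules to every NSG; the two that matter here are
# modelled (the AllowAzureLoadBalancerInBound rule is omitted for brevity).
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", "*", "Allow"),   # AllowVnetInBound
    Rule(65500, "*", "*", "Deny"),                 # DenyAllInBound
]


def _source_matches(src_ip, source):
    # Reduced tag semantics (assumption): VirtualNetwork = the VNet plus the
    # connected on-premises space; Internet = any address outside both.
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return src_ip in VNET or src_ip in ON_PREM
    if source == "Internet":
        return src_ip not in VNET and src_ip not in ON_PREM
    return src_ip in ipaddress.ip_network(source)


def evaluate(rules, src_ip, dst_port):
    """The first matching rule in priority order decides, as an NSG does."""
    src_ip = ipaddress.ip_address(src_ip)
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(src_ip, rule.source) and rule.dst_port in ("*", str(dst_port)):
            return rule.action
    return "Deny"


# Constructed per-tier NSGs. The ports and the explicit VirtualNetwork deny at
# priority 200 are assumptions for illustration, not values from the slides.
NSG = {
    "web": [Rule(100, "Internet", "443", "Allow")],
    "business": [Rule(100, str(SUBNETS["web"]), "8080", "Allow"),
                 Rule(200, "VirtualNetwork", "*", "Deny")],
    "data": [Rule(100, str(SUBNETS["business"]), "1433", "Allow"),
             Rule(200, "VirtualNetwork", "*", "Deny")],
    "management": [Rule(100, str(ON_PREM), "22", "Allow"),
                   Rule(200, "VirtualNetwork", "*", "Deny")],
}


def check_flow(tier, src_ip, dst_port):
    """Evaluate an inbound flow to the given tier against that tier's NSG."""
    return evaluate(NSG[tier], src_ip, dst_port)


if __name__ == "__main__":
    print("plan problems:", validate_plan(VNET, SUBNETS))
    for tier, src, port in [("web", "203.0.113.5", 443), ("web", "203.0.113.5", 22),
                            ("data", "10.0.2.10", 1433), ("data", "10.0.1.10", 1433),
                            ("management", "192.168.5.5", 22), ("management", "10.0.1.10", 22)]:
        print(f"{src} -> {tier}:{port} = {check_flow(tier, src, port)}")
    # Without the explicit deny, the default AllowVnetInBound rule lets the web
    # tier reach SQL on the data tier directly.
    print("data tier without explicit deny, from web:",
          evaluate(NSG["data"][:1], "10.0.1.10", 1433))
```

The point of the final check is the one practitioners most often miss when they draw "NSG" next to each tier: an NSG that only contains Allow rules still permits every intra-VNet flow through the 65000 default rule, so tier isolation requires a deny rule ordered before it.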
[Slide: DMZ diagram. Azure VNet 10.0.0.0/16 with a gateway subnet 10.0.255.224/27 and user-defined routes (UDR) steering traffic through network virtual appliances (NVA): a private DMZ (inbound subnet 10.0.0.0/27, outbound subnet 10.0.0.32/27) with an internal load balancer in front of two NVAs, each with an inbound and an outbound NIC and NSGs on both sides; a public DMZ (inbound subnet 10.0.0.64/27, outbound subnet 10.0.0.96/27) with two NVAs, NSGs and public IPs (PIP); and a management subnet 10.0.0.128/25 (jump box and monitoring, NSG)]
[Slide: federated identity diagram. Web tier 10.0.1.0/24, business tier 10.0.2.0/24 and data tier 10.0.3.0/24, plus an AD DS subnet 10.0.4.0/27, an AD FS subnet 10.0.4.32/27 and an AD FS proxy subnet 10.0.4.128/27, each in an availability set behind an NSG; the on-premises network 192.168.0.0/16 connects through its gateway; a partner network's federation server holds a trust relationship, and the flow shows a web app request, a federated authentication request and an authentication request]
Open Q&A
Thank you! Session recording will be posted shortly here: http://aka.ms/AzureNetworkingFridays